 Hi. Thanks for the introduction. So this talk is titled, Mini-Crypt Primitives with Algebraic Structure and Applications. And this is joint work with Navid, Hart, and Anup. This is an outline for the talk. So I'll be giving a brief overview of our main results. And then I'll talk about how these results imply an alternative approach for designing crypto primitives, as well as a very interesting cryptoplexity hierarchy in cryptomania. I'll then present a brief overview of our techniques. And I'll end with summary and open questions. So as the name suggests, the key building blocks for this work are primitives in Mini-Crypt that we're all very familiar with, namely one-way functions, weak unpredictable functions, and weak pseudo-random functions. And these are essentially unstructured primitives in some sense. So what we do is we essentially strengthen these primitives by imposing some form of algebraic structure on them. And the algebraic structure that we consider is essentially a homomorphism between the input and output spaces of these primitives. And so what we study in this work are homomorphic one-way functions, input homomorphic weak unpredictable functions, and input homomorphic weak pseudo-random functions. Some very short definitions. So a homomorphic one-way function is essentially a one-way function. It satisfies the security properties of any one-way function. Additionally, the input and output spaces for this function are groups which are efficiently sampleable and have efficiently computable group operations. Similarly, for an input homomorphic weak unpredictable function, we have the input and output groups which are efficiently sampleable. Note that we do not assume any structure on the key space for this primitive. And the same goes for a weak pseudo-random function. We also consider a notion of bounded homomorphism in this work, wherein we put an upper bound on the number of operations that we allow in the input and output spaces for this homomorphic relation to hold. And this is primarily done to take into account some assumptions, such as lattice-based assumptions, where we have the concept of noise, and so exact homomorphic relations may not necessarily hold. All right. With this background, I would like to go on to the main results of this work. We essentially show that when these primitives, these mini-crit primitives, are endowed with additional structure, they end up implying some very, very strong primitives which are typically considered to be part of cryptomania. This includes primitives such as non-interactive succinct commitments, public key encryption, and primitives which imply even stronger cryptographic primitives, such as trapdoor functions, IBE, key-dependent message secure public key encryption, and generic conversions of CPA to CCS security for attribute-based and predicated encryption. And we actually show that an input homomorphic weak unpredictable function implies a homomorphic one-way function under some special conditions, namely that the underlying group is abelian. And when we strengthen the unpredictability to pseudo-randomness, we get even more primitives, including private information retrieval, lossy trapdoor functions, oblivious transfer, and multi-party computation. So our results essentially imply a certain departure from the traditional notion that we have of building cryptographic primitives. Typically, we have assumptions on the one side, which are concrete number theoretic assumptions. And then we have primitives with certain security notions that we want to achieve. And what we often end up doing is building these primitives explicitly from these assumptions. And the techniques that are used for building these primitives are often very specific to the assumptions that we build them from. For example, we knew way back in the 1980s, 1970s, and 1980s, that trapdoor functions are implied by RSA. It took us 30 years to understand that trapdoor functions are also implied by other assumptions, such as DDH and LWE. And only last year, we realized that trapdoor functions can actually be built from CDH. In this work, what we propose is a different approach, which we call a narrow-based approach. Namely, instead of trying to build various cryptographic primitives directly from concrete assumptions, we could try to build them from some of these generic mini-crypt primitives with structure. The advantage being that in terms of feasibility results, once we show that one of these generic primitives implies a certain cryptographic primitive, we immediately know that this cryptographic primitive is implied by all the assumptions that are known to imply this generic primitive. So if we came up with a new primitive in the future with some desired security guarantees, we could try to build this from, say, an input homomorphic weak PRF. And we would immediately know that the assumptions on the left, such as DDH, QR, DCR, LWE, and others, would immediately imply this primitive. Additionally, if we came up with a new assumption in the future, for example, a post-quantum secure assumption, and we could show that it implies one of these generic primitives, then we get all these interesting cryptographic primitives from this assumption for free. We do not need to go and show each of these primitives individually from each of these assumptions. So let's take a concrete example. In a very recent work, Coppula and Waters proposed a certain primitive called hinting PRGs. This is a beautiful primitive, and it is known to imply a generic conversion from CPA to CCA security for attribute-based encryption and predicate encryption. And in fact, in some more follow-up works, this primitive has been shown to have other interesting applications. Now, the authors showed that this primitive can be built concretely from the CDH and the LWE assumptions. In this work, we showed that this primitive can actually be built in a generic manner from a bounded input homomorphic weak unpredictable function. The advantage being that at least in terms of visibility results, this immediately implies that this primitive can be built from all these other assumptions. Now, this construction may not be the most efficient possible from these assumptions. And so if you are looking for efficiency, you might still want to go for direct constructions. But if all you are interested in is feasibility, then this seems to be a nice approach in some sense. So this is like a narrow-west approach, and these primitives seem to act as the TCPIP of cryptography in some sense. There's also an interesting cryptoplexity perspective of these results. Typically, in cryptography, we are interested in these two worlds, namely the mini-crypt and the cryptomania worlds. And the mini-crypt world is quite well understood in the sense that it consists of primitives that are implied by one-way functions. And that also, in some sense, imply one-way functions. So one-way functions are essentially mini-crypt complete. And it seems unlikely that we can have such a complete primitive for cryptomania. But an interesting question is, can we have some kind of a structural hierarchy between the primitives in cryptomania? So it seems that there is a hierarchy of the amount of structure that we need to get these primitives, and it would be nice to flesh out such a structure. So in this work, we actually try to flesh this out by imposing increasingly richer structure on some simple mini-crypt primitives and try to see what this implies. So we start off with a very simple notion, which we call as dual computability. I would encourage you to go through the paper for the details. But it turns out that this is almost exactly equivalent to two-party non-interactive key exchange and public key encryption in some sense. When we strengthen this further to input homomorphism, we see that we get all these new primitives. We strengthen this further to something called a ring-input homomorphism. That is, the homomorphism now doesn't hold over general groups but also over rings. And we see that this primitive is actually kind of equivalent to fully homomorphic encryption. And kind of the richest structure that we consider is something called an L-composable input homomorphic weak PRF, where you have L-different weak PRFs that compose with each other. And the homomorphism kind of transcends across these compositions. And we see that this is actually strong enough to imply something like a multi-party non-interactive key exchange. So it seems like there's a gradation of the structure that we need to achieve each of these primitives. And this gives us a kind of hierarchical view of the primitives in cryptomania. All right, so let me get to some techniques that we use. So this is something that we all are familiar with. This is a very simple two-party non-interactive key exchange based on the computational Diffie-Hellman assumption. Now you'll see that this construction, in some sense, uses the structure of the underlying group, namely the fact that the group is cyclic. And this plays a very important role in the efficiency of this construction. So we could, for example, try to have a slightly more inefficient construction and maybe try not to use the cyclic property of the group, which is that we have multiple generators, a very large number of them instead of a single generator. And then Alice essentially samples a secret exponent and exponents all these elements to this secret exponent. Now Bob does something different. Namely, Bob samples a string, a uniformly random string, binary string, and uses this to perform something like a subset product operation on these group elements. And then Alice simply goes ahead and exponents the elements and across by Bob with this secret. And Bob basically takes all the elements and across by Alice and performs the subset product using the same secret string. And in some sense, the exponentiation operation distributes over the subset product operation, which is why they both end up with the same quantity. And then they can basically extract a Goldrack-Levin hardcore bit from this. Now why is this secure? This is secure because by the leftover hash lemma, this quantity sent across by Bob is statistically indistinguishable from a uniformly random group element. And so by the computational Diffie-Helman assumption, the quantity computed by Alice and Bob is unpredictable. And so if we extract the hardcore bit from that, it's pseudo-random. And that contributes to the security of this protocol. Now we would like to take this inefficient protocol and show how to transform this from CDH to any generic input homomorphic weak unpredictable function. And the approach goes somewhat like this. On the left, we have this group. And we have a bunch of group elements. On the right, we have this weak unpredictable function with the spatial structure on the input and output spaces. And we sample a number of uniformly random elements from the input space. In the CDH case, Alice sampled a secret key and exponentiated all these group elements to the same exponent. The corresponding operation that we do on the right-hand side is that Alice samples a secret key from the key space of the unpredictable function and applies this key to all the input elements that are publicly available. And Bob does something similar in both cases. In the CDH case, Bob performed a subset product of the publicly available group elements using a uniformly sampled string. On the right, Bob basically does something called like a subset sum. It's a subset group operation, essentially, on the publicly available elements in the input space. And the nice part is that in either case, we could apply the leftover hash lemma and argue that this group element created by Bob is statistically indistinguishable from random. So how does the overall protocol look like? So we have the description of this unpredictable function, which is publicly available, along with these very large number of uniformly sampled group elements. Alice samples a key, applies the key to all these group elements, and sends across the outputs to Bob. Bob samples a secret string and performs a subset group operation or the subset sum-like operation on the publicly available elements. And then Alice basically takes this element sent across by Bob and applies the secret key to it, while Bob takes the element sent across by Alice and performs a subset, again, a group operation, on the output space of the UF. And this is correct because of the homomorphism property. Namely, you could first perform a subset sum and then apply the UF. On the other hand, you could first apply the UF on all these individual elements and then perform the subset sum. And the homomorphism ensures that you have the same quantity. Now, how do we argue security? First of all, by the leftover hash lemma, these group elements sent across by Bob is statistically indistinguishable from random. And so even after you have seen the evaluation of the UF on several uniformly random elements, the evaluation of the UF on this quantity remains unpredictable. And so you can extract the gold-right-levin hardcore bit, and you have secure key exchange. It turns out that we can extend this approach to take any protocol that we know from CDH or DDH, and we can actually base it on a generic UF or a PRF with this special structure. The idea is to view this protocol in this form. Namely, you start off with a bunch of uniform generators. Then you perform some subset products, followed by an exponentiation by a secret. Alternatively, you could exponentiate it by the secret first, and then perform a bunch of subset products. And the outputs of the left and right branches are guaranteed to be equal. In exactly the same way, you could start from a bunch of uniformly random input elements for the UF or the PRF. You could then perform subset sums, and then go for the function evaluation. Alternatively, you could evaluate the function directly on these elements, and then go for the subset group operation. And again, the left and right branches are guaranteed to be equal by the homomorphism property. And this kind of is the approach that we follow to show all these very nice primitives directly from these generic primitives. So to summarize, what we show in this talk is basically that you can build many rich crypto primitives starting from very weak generic assumptions, namely mini-crypt primitives with some kind of algebraic structure. The advantages of using this approach are twofold. Namely, you could automatically achieve potentially new crypto primitives from a very large number of concrete assumptions, including new ones, without trying to build this primitive explicitly from each of these assumptions. It also kind of presents to us a hierarchical view of the primitives in cryptomania in terms of the structure that seems to be inherent in achieving these primitives from different assumptions. And of course, I would like to stress that still, if you want efficient constructions, then this may not be the best approach. But if you want to test feasibility, then this seems to be a reasonable and economical approach to building crypto primitives from assumptions. I would like to end with some open questions. And I'd like to stress on a couple of them. The first being whether we can show some black box separations between the generic primitives that we discussed in this work. For example, could we show that a homomorphic one-way function is black box separated from an input homomorphic weak unpredictable function? This is interesting because this could essentially divide the world of cryptomania into what we could potentially call as different continents. And then you could have one complete primitive for each continent of cryptomania in some sense. The other interesting open question is whether we can consider other symmetry key primitives with structure. For example, what if the structure is on the secret space instead of the input space? In particular, what about key homomorphic pairs? It turns out that we did make some progress on this last question. And we do have a result which is to appear in crypto 2019. And I guess we'll hear more about this at Santa Barbara. So see you there. Thank you. And I would be happy to answer any questions that you might have. Any questions? We have plenty of time for questions. So my understanding of your Nike is that it's a generalization of regress encryption scheme for LWE. But as far as I know, you can't build Nike from LWE without your knowledge proofs because you need to prove that the shares are actually honestly generated. How do you get around that in your framework? Yeah, so basically what we do is we essentially use the two. So to instantiate this primitive, we first use a bounded input homomorphic weak unpredictable function. And we essentially use a super polynomial modulus of LWE to instantiate this primitive. Any more questions? OK, so well, if not, let's thank Sikhar and all of the speakers of this.