 Okay, now it's been a foundation session. We have three talks in this session, and the first talk is about how to generate the use of universal samples by a case for case people, Yaga, Dakshita, Guhranatha, Amisai, and Brent Waters, and Mark Danduri, but nobody's here. So Sai will talk. Hi, everyone. I'll be talking about universal samples. So my name is Sai Krishna. I'm presenting on behalf of the authors, Dennis, Tibor, Dakshita, Amit, Brent, and Mark. So we know of several applications in cryptography that require a trusted setup, and typically we have a trusted party that generates some parameters a priori and gives it to all the parties that are taking part in this cryptographic protocol, and then using this trusted setup parameters, parties can run whatever protocol they wish to do. For example, you can think of non-interactive zero-knowledge, two-party computation, non-marable protocols, and so on. And what could be these parameters? These parameters could be anything ranging from ciphertext to public keys, signatures, and something even more complicated than this in certain protocols. What is the drawback of this setting? The drawback is that every time you want to run a cryptographic protocol, you need to contact and request for your setup parameters. So if, let's say, few of us want to do it, we again have to contact a trusted party, and every new instantiation of a cryptographic protocol requires back-and-forth communication between the parties and the trusted party. So the motivation behind this work is can there be a universal set of parameters that can just be given by the trusted party once and for all? And using these universal parameters, you can recover whatever specific parameters you need for your specific protocol. This way, the trusted party needs to be online just once initially, and then it can go off to sleep and you can run how many of our protocols you wish. So what is the correctness requirement you would need from such a scheme, from such a universal sampler scheme? Given any input distribution D, you require your universal sampler's output to secure sample from D. So the output could be, again, public key, ciphertext, or anything that you need for your particular application. What would the security requirement be? We would essentially require that the output of the distribution does not reveal the randomness used to sample the output. And we consider two notions of security, which is bounded selective security and unbounded reactor security, and I'll describe the formal definitions a little later. So what is bounded selective security? We'll work in a real ideal paradigm where in the real world, since in the selective setting, the adversary gives the universal sampler generator in the challenge distribution D star, on which he would later require a sample from. So once the challenger gets this D star, it sends the universal sampler program P to the adversary and the output of P on this input distribution D star. Note that the randomness that was used is required to be hidden. And we require that this should be computationally indistinguishable from the ideal world where, again, the adversary gives a challenge distribution D star. But in this case, the challenger responds back with a universal sampler program P star along with an external sample from the distribution D star. You can think of this as the universal sampler program whenever it's given D star as input. It does not run the program on D star, but rather gives out an external sample from the distribution D star. And we require these two worlds to be computationally indistinguishable to the adversary. So let's look at warm-up construction in this setting. And let's assume that for now we have VBB obfuscation, which is the strongest form of obfuscation that we know. So consider the following program that has a PRF key K, hardwired into it. Now given any input distribution D, it just samples randomness by running the PRF using this distribution. And then outputs the distribution on input this randomness. Okay? And let's see whether this is a secure universal sampler if you have VBB obfuscation. Clearly, the value R star when you feed the challenger's distribution D star to the PRF is indistinguishable from random which follows from the security of the PRF. And therefore, when you replace this program to not output to output an external sample from the distribution D star, it's going to be computationally indistinguishable from the distribution from the value D star of R star. And this is because this is D star of R star is going to be indistinguishable from random. So the main bottleneck in this whole approach was that we wanted the PRF key K to be hidden and that is guaranteed to us by VBB obfuscation. So this would be the transformation. But however, we do not want to work in the setting of VBB obfuscation rather we wanted to just assume let's say indistinguishability obfuscation and still make this work. And if we assume just IO then we do not have a guarantee that K is hidden. So we need to come up with other techniques to make the same thing work. And here we can use the help of punctured program that is introduced by Sahay and Waters and it gives us a technique to puncture out the PRF key K and still argues on security. So how do we go about it? First let me tell you what is a puncturable PRF key. A puncturable PRF key is very similar to normal PRF except that you can choose a particular point let's say Z in this case to puncture out the key and now the guarantee you have is that for every point outside this point Z the new PRF key behaves exactly like the old PRF key right it gives the same value and if you give the output of the original PRF on this punctured point it should still be indistinguishable from random given the punctured PRF key. So the punctured PRF key should give you no clue at all about what the output of the original PRF is on the punctured point. So suppose we have such a punctured PRF key how would we go about agreeing security? Now we know the distribution the challenge distribution D star that the adversary has queried and we can just puncture out the PRF key on this particular and to create a new program that if the input is D star alone it outputs the evaluation of this distribution D on a random point. If the input is not the specific challenge D star it runs the same program as before and this is possible because the PRF key is can still evaluate at any point which is not D star. Therefore these two steps are so these two steps are sorry. So these two steps are computationally indistinguishable because the two programs are identical and now we can change the random point R star to not just be the evaluation of the PRF on D star but rather to be a random point and this security follows that these two hybrids are indistinguishable from the PRF security. After this we can now this the red line that is there instead of outputting the distributions value on this random point R star can just program in the external sample P star. Note that these two hybrids are identical because D of R star is the same as programming an external sample and so these two hybrids are also indistinguishable and this was the notion of bounded selective security where we just had one challenge distribution but we can extend this further on to multiple challenge distributions that the adversary can give. For instance instead of just one D star can give D1 star till DK star for any polynomial. But what is our goal? Our goal is to work in the adaptive setting where the challenger is required to give the universal sampler program apriori and then the adversary can ask for whatever challenge distribution it wants. This is the most natural setting because in the motivating example that we spoke about we want the universal sampler program to be given to us apriori and then we can run whatever functionality that we or protocol that we want and we also want this to work for unbounded number of samples because we don't want to contact the trusted party again and get another program. So therefore the challenger would first give the sampler program and then the adversary is required to give the challenge distribution after which the challenger either gives the output of the program on the input distribution D star or it gives an external sample from the distribution D star. So before we get into the construction what are the challenges that we would face. Firstly note that in the selective setting we knew the challenge distribution D star apriori before we gave out the sampler program but now it seems very difficult because you're supposed to give out the sampler program first and you don't even know what distribution the adversary is going to ask you for. You cannot hope to program in for every possible distribution that exists in the universe and notice that suppose the distributions that the adversary is querying for are all uniform distributions and he asks for an unbounded number of such distributions then this simply implies a programmable random oracle and so this shows us that we would have to work at least in the random oracle model because this notion trivially implies a programmable random oracle. Also we would work in observable programmable random oracle model because the only the only tool we have at our disposal is to be able to look at what query the adversary makes to the random oracle. If he did not even look at what query the adversary makes then there's no hope at all for us to somehow program in these values into external samples into our universal sampler program. So now that gives us some understanding about our model for unbounded adaptive security and we'll move on to the construction. So we've decided that we're going to be working in the random oracle model so are there further barriers that exist when we work in the random oracle model? The first thing is that we cannot just randomly we cannot just obfuscate the random oracle inside the program. Firstly because you don't really know how to obfuscate oracle-aided circuits and some recent results show that obfuscating oracle circuits with oracle gates in them is impossible in certain settings. Another bottleneck that we would face is that if you want to handle unbounded samples we need to program in the external samples for all these distributions into the obfuscated program but typically applications of obfuscation do not allow you to hardwire an unbounded number of samples into the program simply because in the size of the program it will become unbounded. So we need to get around this bottleneck as well. However we know that the random oracle especially the programmable random oracle allows us to program in an unbounded amount of information. Therefore this is the main tool that we have at our disposal to program the external samples into the output of the random oracle. But can we directly give out the output of the random oracle as the output of the universal sampler? We cannot because the random oracle only outputs values from uniform distribution but the input distribution of the adversary thing it need not be necessarily be uniform. Therefore the main technical challenge is to ensure some sort of communication between the random oracle and the obfuscated program. That allows the obfuscated program to know what is query to the random oracle and use this value to eventually output something from the input distribution D. And how would we do that? In the ideal world notice that we can observe every query that was made by the adversary to the random oracle and now we would use we would set the output of the random oracle to be some pseudo random encoding of the external sample P star for the input D star. And this obfuscated and the obfuscated program will now look out for whether the input that it gets is this pseudo random encoding and it can proceed accordingly. So this is similar to the sparse hidden triggers of Sahay and Waters and I will explain it little more in detail subsequently. And so in order to we can the authors develop a new technique called delayed drag board programming that helps the obfuscated program to identify that the input it gets is this sparse trigger that was output from the random oracle. So this was our initial attempt the construction for selective secure universal samples and clearly we know that this is not working the adaptive setting. So instead of feeding the input as just the distribution D let us also feed the obfuscated program as the output of the random oracle as well. So initially every party given an input distribution D is required to query the random oracle and get some output U and then now run the obfuscated program on input the distribution D and the random oracle output to generate the PRF value as before and then compute the output to the program. And how would proof of security work we would now puncture out the key at this particular challenge point U star alone which was the output of the random oracle and suppose the input U is equal to U star we will just output the distribution value which is run the distribution on some random input we would not compute the PRF. So this seems like this should be a secured proof but the problem here is that the adversary could severely break security by running the program on not just his distribution D star but some other random some other distribution D prime and the same random oracle output U star therefore he could run it on other distributions and learn whether they were giving out the trapdoor values or not. So what does this tell us this tells us that the obfuscated program should not take as input the distribution D at all the final obfuscated program should somehow be able to take only the output of the random oracle as its input this leads us to a two step approach where the parties first query the random oracle and some input D and obtain the output U now they run the obfuscated program only on this random oracles input random oracles output and now this detects whether the there is some trapdoor that is hidden inside this random oracle output if so it just outputs the trapdoor as it is in the clear if not it proceeds similarly where it computes the output of the PRF and now instead of just outputting the distributions output on the PRF value since we do not have any distribution input here it outputs another program PC what does this program do this program takes as input a distribution D once again samples a random value using the PRF and then computes the distributions output on this random value so we have a two level breakdown in hierarchy here and we can do this for any input distribution D that we have so the universal sampler will just be the initial for the first obfuscated program which when you run it on any input distribution will generate another obfuscated program for you to run so how does the proof work let us consider just one challenge distribution for now and then we can repeat this for other challenge distributions so initially we would create a program G star that corresponds just to this that would work just for the single distribution D star as follows that whenever the input to this distribution this program G star is the challenge distribution D star it outputs an external sample and stops this would work in the ideal world and then we would program the output of the random oracle on input D star to give some output U such that when you decrypt U it has this trapdoor in it which is this program G star itself therefore there would be no PRF computation in the initial program on input distribution D star it would directly output the trapdoor being this program G star and this requires this transformation requires a sequence of hybrids and I am not going to be going into the details but the main idea is to somehow put in this trapdoor value into U such that when you decrypt U you recover the trapdoor and for every other random oracle output you proceed as before what are some applications of universal samplers the first main application is the obvious one that we discussed that it gives a master setup for all cryptographic protocols that you would want but also it also apart from just having this main application it gives rise to simple constructions of ID based encryption non interactive key exchange without setup in the random oracle model and it is also adaptively secure which is not known before this work and adaptive distributed broad class encryption and subsequently several other papers have leveraged techniques from universal samplers for instance one is universal signature aggregators adaptive constrained PRFs proof of human work puzzles for cryptocurrency non interactive key exchange from just polynomial functional encryption and a generic transformation from just aggregate signatures to name a few yeah I could try so in question would like to ask is that what is the benefit of using a setup primitive that in order to run makes calls from other setup which is actually around the model what is the difference than directly calling the setup from the first the master master set I understand the usability of the primitive completely in the bounded case when you go to the unbounded setup it seems that this cannot be solved without making some setup calls to another layer so what is the usability so the use cases exactly as we saw in the sense that gives you a master setup for doing whatever you want and the reason why you have to call a random oracle is because we saw that this anyway implies the notion of random oracle so if you can come up with the construction of a random oracle you would achieve a contradiction so you cannot do away without calling a random oracle in your setup construction in your universal sampler construction does that answer your question not so much but it's okay because actually I was asking what is the meaning of growing such a primitive I understand the technicality why we cannot avoid it I really understand that I just saying that when you move the setup and directly calling setups that are necessary for example a random oracle in order to create this setup maybe the authors could answer that better so let's speak again