[unintelligible] This is quite different, and I'll go straight to describing it via this cryptographic flashlight metaphor. Let's first consider a standard flashlight. There is an object X that we want to sense or observe. To this end we shoot at the object these photons, f_i; you can think of each f_i as a function [unintelligible]
Okay, so the first solution that comes to mind is to rely on just any form of public-key encryption, right? So I can shoot these types of functions, f_i, that will give me, bit by bit, [unintelligible]. In a public-key encryption I'm basically telling the flower: please send me an encryption of yourself, and if the flower happens to [unintelligible]
So here, the secret is some function f(x) in a function class, capital F, say CNF formulas, and you pick a contrived or carefully chosen set of questions, or queries, to the function that will allow you, being a computationally bounded learning algorithm, to figure out what this function f is. Yet to an external observer the entire training sample does not make sense, just because they don't know the [unintelligible] that led you to pick these particular queries. OK, so this is the dual interpretation. In the rest of the talk we will stick to the sensing formulation; in the learning formulation it is more problematic to talk about entropy, it is more sensitive to representation issues. [unintelligible] why this lab [unintelligible] selling the results of our experiments and making them useful for our competitors [unintelligible] for just any benefit from learning the questions and answers that we learned. So how do we define security? Here we followed the common approaches in cryptography for public-key encryption. The minimal notion would be one-way security, where we assume that the object is completely random, and we require that the adversary cannot guess the object exactly. 
Of course, a computationally bounded adversary. You can consider something which is perhaps the most realistic option in this context, which is entropic security. So, basically, you assume that the object is hidden as long as it has sufficient entropy, and our goal is to make this entropy threshold as low as possible. And, I would say, a kind of intermediate notion, which is weaker than entropic security, is this notion of semantic security with background noise, where we basically conduct joint measurements of the object and surrounding noise, and we draw entropy from the noise. So, here you can consider different flavors, depending on whether the noise is assumed to be uniform or just to have sufficient entropy, and whether the noise is independent of the object or can be dependent. OK, but this sounds like a realistic notion in the context of measurements of physical objects. And this is the correspondence to classical flavors of public-key encryption. Another useful relaxation is to settle for some form of approximate correctness. So, instead of getting the exact picture of the object, we may be willing to get some blurry version of the object, a slightly blurry version of the object with respect to some metric. And we still insist that the adversary doesn't get any signal. OK, so we settle for getting a weaker signal, but we still don't want the adversary to get any signal. And there are two goals for this. One goal is the more classical goal of better efficiency, say, in the context of compressed sensing. This is what is being used: a small number of linear measurements gives you a good approximation of pictures. But in a cryptographic context, perhaps the main advantage is to really get better security by substantially reducing the entropic requirements. So if we get the weaker signal, there is more conditional entropy in the object. OK, so still, having said all the disclaimers and relaxations, it still seems pretty crazy. 
So, ignoring the personal insult, I would like to argue that it's not as crazy as it may sound. OK, so, for one thing, we know that even if we take traditional public-key encryption schemes and we settle for outputting some other representation or encoding of the ciphertext, then we can push them into very low complexity classes, like NC0. In our language of sensing, NC0 means that every function f_i will compute something like the AND of three bits in the object, XORed with, say, a fourth bit. This is still not very realistic, both because, you know, addition is realistic but XOR is not so realistic in a natural context, and also if these bits are far apart from each other, it seems a bit tricky to physically realize this particular type of measurement, but from a complexity-theoretic point of view, it's pretty simple. The other point is that another objection that this model raises is that if we consider very simple classes of functions F, these functions are learnable. And if they're learnable, then there is no advantage that the learning algorithm can have over an external observer who can just learn whatever the observer learns. And the point here is that there is some gap or some misconception about the learnability of simple complexity classes, so some of the negative results in this area, like the Linial-Mansour-Nisan result for AC0, only apply with respect to uniformly chosen inputs, and if you're allowed to choose a contrived distribution of inputs, in fact, it's an open question how low we can get, say, in complexity classes within AC0 without implying learnability. And finally, in the paper, we also propose a distributed model where you can use, say, two different labs and only insist that each individual lab learns nothing from the experiments it conducts. And in this setting, there is no PKE barrier. OK, so now let me focus on the simple class of linear functions. 
Here we view the object as a vector in {0,1}^n; think of it as black or white, hole or no hole. And a measurement is defined by a linear combination over the integers with coefficients a_i. I believe, I hope, I convinced you that this is physically realizable, at least when the a_i's are small. This can correspond to the intensity of the water stream or the size of a ping-pong ball. And something that immediately comes to mind is to apply lattice-based crypto. And indeed, you can get some results of this type by using, in a black-box way, results from the lattice-based crypto literature. However, these results, as stated, are both complex and also not good in terms of parameters for our purposes. And still, if you know about this stuff, whatever I'm going to say next will be an easy exercise, so please forget what you know and try to follow things slowly. OK, so let's start as a warm-up by looking at, not as a warm-up, this is the main technical part, but it's still not our final goal. Our final goal is to use linear functions over the integers. And now let's consider the simplest setting of linear functions modulo q, where we consider q to be a polynomial-size modulus in n, the dimension of the object. OK, so the first reaction, if you talk to a non-cryptographer, is to say that this goal is impossible. Why? Because linear functions, even mod q, are learnable. And if the adversary can observe y = A times x, which is the result of a bunch of linear measurements mod q, the adversary can just solve linear equations and observe the object. The issue is that this is not the case when the system is underdetermined. So when the system is underdetermined, you can have exponentially many solutions in Z_q^n, yet only a single solution in {0,1}^n. And this is really a central idea in lattice-based cryptography. 
And so if we can generate these linear measurements A using a secret trapdoor that allows the efficient decoding of this unique x, then we might be in a situation where, even if the adversary can try to sample x primes, many x primes from this space of consistent objects, none of them will be correlated with the real object. So the adversary will be totally in the dark. OK, that's the hope. OK, so our solution usually relies on lossiness, on getting an approximate version of the output, and it's really a simple version of the Regev cryptosystem, for those who know it. So we settle here for good approximate recovery via linear sketching. So instead of learning the entire x, we learn a small number of linear combinations over the integers of the bits of x. And this is enough for a good resolution of the picture using known sketching techniques. And now the security goal is that we get this entropic security, where the entropy bound is roughly the size of the output of the sketch. So the sketchier the sketch is, the shorter the sketch is, the better security we get, but the picture becomes more blurry. OK, it's a trade-off between the sharpness of the picture and the level of security. OK, and using Chinese remaindering, it's enough to recover this sketch modulo 2, modulo 3, modulo 5, so let's see how we can learn the parity of any subset of the bits of x. OK, so first let's recall the leftover hash lemma. The leftover hash lemma says that if we multiply x by a random k by n matrix A, then the result A times x looks random, assuming that x has more entropy than the number of rows in A. OK, this is roughly true over Z_q. You have to multiply the entropy by log q, but it's approximately true when q is polynomial. 
So the idea is that if we want to get the inner product of a and x modulo 2, it suffices to learn the inner product of a prime and x modulo q, where a prime roughly, up to some small amount of noise, contains something close to 0 whenever a_i is 0 and close to q over 2 whenever a_i is 1. OK, so if you get this inner product modulo q of a prime and x, you can easily recover the inner product modulo 2 of a and x. OK, so that's one idea. And the second idea is that we can easily span such a noisy a prime by the rows of a matrix A that looks random. OK, and this is under the LWE assumption, and this "looks random" is in a computational sense. OK, so the punch line is that this matrix A, which is a random-looking matrix whose rows span this noisy a prime, defines linear measurements modulo q that allow us to learn the parity without revealing anything, assuming that the entropy is roughly this parameter k. OK, how do we move from mod q to the integers? Well, there is a natural approach that, again, most people here have used at some point, which is, if we're only allowed to do operations over the integers, we can emulate mod q operations by adding to the result over the integers a large secret multiple of q. OK, this is a standard idea. And whenever q is polynomial, the coefficients that we will need for this approach will only be polynomial. So this is still consistent with being physically realizable, and we draw this entropy from the background noise. So this gives us a solution in the model of semantic security with background noise. There are some inherent limitations that you can prove. For instance, here you only get one over poly security, which you cannot make negligible, because if you change, say, a single zero to one, it already creates some non-negligible difference. 
And also you can show that even if you settle for one over poly security, you cannot get entropic security, essentially because you have to leak the level of brightness of the object. And we leave it open whether you can actually achieve this notion of entropic security with leakage. OK, so in the paper we have more positive results, we have negative results for a suitable notion of strongly learnable F, and we have some positive results for the distributed version, in particular for learning juntas. And there are actually quite a few open problems on the foundations side. I think that it relates to some relatively unexplored areas of cryptography and its interaction with learning theory. For instance, a problem I already mentioned, of learning under exotic input distributions, is related to a notion of encoded-input PRFs from a recent work with Boneh et al. from last CCC. We do not understand these questions even for simple classes like CNF or DNF formulas. Understanding the classes F that support randomized encodings of functions: NC0 corresponds to the class of local functions; what can we say about other classes of functions? Can we come up with combinatorial characterizations, positive and negative results about that? I don't think that anybody has studied it systematically. What about adaptive queries? The example I've shown doesn't make use of adaptivity. There are quite a few open questions about improved results for linear functions over the integers: better parameters, weakened independence; we assume independence between the background noise and the object. This relates to all kinds of questions that seem non-trivial, that are analogs of classical questions but over the integers, and it's actually related to a recent line of work on applying PRGs over the integers for the purpose of obfuscation. So some of these questions seem technically related. And in general, there seems to be room for more theory of crypto over the integers. 
In terms of applications: looking for more application scenarios, especially in the context of machine learning, and understanding which measurements can be physically realized without leaking much additional information. So for instance, if you want to directly implement mod q measurements, you can think of using waves. However, waves don't just add the phase, but also the amplitude, so we weren't able to, we didn't try very hard, but we weren't able to use waves to directly get linear functions mod q without leaking everything. And really, this is the final question: will somebody ever build a cryptographic flashlight using some physical measurement? Really, if the parameters are tightened, I don't see any inherent impossibility. Thank you.
Questions, yeah? Yes, Ali?
Question: You consider, in your model, only classical physics. Once you think about quantum physics, I'm here. Once you think about quantum physics, you can say... Oh, OK. I mean the dark, you know. I don't have a flashlight. You can say that nature is performing some kind of encryption. For example, the single photon cannot be viewed by the free-loader if I measure it and destroy the information. You do the no-cloning theorem. So have you considered natural cryptography, which is done by the quantum world?
Answer: No, and it sounds like a great direction to explore. Yeah.
Are there questions? OK, let's thank the speaker again.
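The following is an added worked example, not code from the talk or from the paper it describes. It implements only the decoding arithmetic the speaker sketches for the mod q warm-up and the move to the integers: a noisy measurement vector a' that is close to 0 where the indicator a_i is 0 and close to q/p where a_i is 1, so that the inner product of a' and x modulo q reveals the inner product of a and x modulo p; doing this for p = 2, 3, 5 and combining by Chinese remaindering recovers one coordinate of an integer linear sketch of x exactly; and the mod q measurement is then emulated over the integers by adding a secret multiple of q. All parameters (q = 1920, noise bound 3, object length 24) are toy values chosen here so that the noise stays below the rounding threshold; hiding a' inside an LWE-pseudorandom matrix A, which is what gives the scheme its security, is deliberately not implemented, so this block shows correctness of the decoding step only.

```python
"""Toy decoding arithmetic for the mod-q and integer sensing steps described in the talk.

Added example, not the paper's code. The noisy vector a' is used directly as the
measurement; the LWE step that hides a' inside a random-looking matrix is omitted.
"""
import random

Q = 1920            # assumption: toy polynomial-size modulus divisible by 2, 3 and 5
PRIMES = (2, 3, 5)  # CRT moduli; their product (30) must exceed the object length n
NOISE_BOUND = 3     # per-coordinate noise |e_i| <= 3; need n * NOISE_BOUND < Q / (2 * max p)


def noisy_measurement(a, p, rng):
    """a' = a * (Q/p) + small noise: close to 0 where a_i == 0, close to Q/p where a_i == 1."""
    step = Q // p
    return [ai * step + rng.randint(-NOISE_BOUND, NOISE_BOUND) for ai in a]


def inner(u, v):
    return sum(ui * vi for ui, vi in zip(u, v))


def measure_mod_q(a_prime, x):
    """The mod-Q measurement an ideal mod-q device would return."""
    return inner(a_prime, x) % Q


def measure_over_integers(a_prime, x, rng):
    """Emulate the mod-Q measurement with integer arithmetic only: the raw integer
    inner product plus a secret multiple of Q (standing in for the entropy the talk
    draws from background noise; the multiple here is a constructed random value)."""
    secret_multiple = rng.randint(1, 10 ** 6)
    return inner(a_prime, x) + secret_multiple * Q


def decode_mod_p(y, p):
    """Round y (mod Q) to the nearest multiple of Q/p and return that multiple mod p.
    Correct whenever the accumulated noise is below Q/(2p)."""
    step = Q // p
    return round((y % Q) / step) % p


def crt(residues, moduli):
    """Chinese remaindering: the unique value modulo prod(moduli) with the given residues."""
    total_mod = 1
    for mod in moduli:
        total_mod *= mod
    value = 0
    for r, mod in zip(residues, moduli):
        partial = total_mod // mod
        value += r * partial * pow(partial, -1, mod)
    return value % total_mod


def recover_count(a, x, rng, over_integers=False):
    """Recover <a, x>, the number of selected bits of x that are 1, from one
    noisy measurement per prime followed by CRT."""
    residues = []
    for p in PRIMES:
        a_prime = noisy_measurement(a, p, rng)
        y = (measure_over_integers(a_prime, x, rng) if over_integers
             else measure_mod_q(a_prime, x))
        residues.append(decode_mod_p(y, p))
    return crt(residues, PRIMES)


def demo(n=24, trials=200, seed=7):
    """Random trials on constructed objects; True if every recovered count equals <a, x>."""
    rng = random.Random(seed)
    assert n * NOISE_BOUND < Q // (2 * max(PRIMES)), "noise would cross a decision boundary"
    assert n < 2 * 3 * 5, "CRT range must cover the largest possible count"
    for _ in range(trials):
        x = [rng.randint(0, 1) for _ in range(n)]  # constructed object: black/white pixels
        a = [rng.randint(0, 1) for _ in range(n)]  # constructed subset indicator
        if recover_count(a, x, rng) != inner(a, x):
            return False
        if recover_count(a, x, rng, over_integers=True) != inner(a, x):
            return False
    return True


if __name__ == "__main__":
    print("all trials recovered the sketch coordinate:", demo())
```

The decision rule in decode_mod_p is the whole point of the q/2 (more generally q/p) spacing: the contribution of the selected bits lands on a multiple of Q/p, and the noise term is bounded by n times NOISE_BOUND, so rounding to the nearest multiple is unambiguous as long as that bound stays under Q/(2p). The integer variant differs from the mod-q one only in that the device never reduces; reducing the returned integer modulo Q afterwards gives back the same residue, which is exactly the emulation trick the speaker describes.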