 Thanks, Krzysztof. Thanks everybody for waking up after the ROM session. So I'm going to talk about cryptography with updates, which is work with Prabhanjananth and Abhishek Cain. So let's start by talking about garbled circuits. In a typical setting for garbled circuits, there's two parties, Alice is on the left, and she has some circuit C that she wants Bob to be able to compute on an input X. So Alice is going to, before she knows the input X, she's going to garbled the circuit and send it over to Bob. And then, and this operation can take time, this operation can take time proportional to the size of the circuit, and then later she's going to get the input X, and she wants to quickly send that over to Bob, garbled, so that Bob can learn C of X and nothing else. So for example, C might capture Alice's knowledge or beliefs about the value of Apple stock. So tonight Alice is going to garbled the circuit that captures this belief and send it over to Bob, and tomorrow morning, depending on X is like the stock price or something, and C of X will be buy or sell. So this is well and good, but maybe tonight Alice is going to learn something about Apple. You know, something that changes her valuation of Apple stock. You know, she sees a really cool picture of an iPhone. They got left at a bar. And now she wants to update her circuit. You know, she updates her belief. She wants to make some small change to the circuit C and make it C prime. If Alice wants to do this, so she can just garbled the circuit C prime from scratch, is there anything better that she can do? So in particular, if Alice just wants to change one circuit, one gate of the circuit C, can she do any better than garbling the whole circuit from scratch or is it hopeless? So she has to spend time proportional to C. Or instead, maybe there's some small thing, this purple thing that Alice can send to Bob, that Bob can combine with the garbled circuit C to get the garbled circuit C prime, but that computing this purple thing would be much easier than garbling the circuit from scratch. We're going to call this thing an updateable garbled circuit. So this is a very natural question, and it immediately raises a bunch of other natural questions. So we can think about the same question, not only in garbled circuits, but in obfuscation. If I obfuscate a circuit C, and then I want to obfuscate a circuit with one gate change, do I have to obfuscate all over again to have to spend time proportional to C? Or is there some way I can leverage the work I've already done? Or in the setting of attribute-based encryption, if I've already generated a secret key for some policy, do I have to generate a whole new secret key if I want to change just one gate in the policy? Or for non-interactive proofs, you know, Nizics or Witness and Distinguishable proofs, if I want to, if I've already proved some NP statement to you, do I have to take time, do I have to do it all over if I want to change a very small piece of the statement? And this problem has been studied only in the set, this problem as, this problem has only received sort of limited attention, mainly in the setting of obfuscation. Provenzion is going to talk about some of that work tomorrow, later today, later today. But basically these types of questions haven't really been studied before. In this work, we construct, we show how to do updatable garbled circuits, which will allow you to change any gate of the circuit that you want, only spending time sort of proportional to the number of gates you're going to change. And we can build this from lattice assumptions, like learning with errors. And moreover, we study another notion, which is a little confusingly named, these two maybe, which we're going to call updatable randomizing codings, the distinction will become clear. Is there a mouse on the screen? Sorry. I see a mouse. And we can do updatable randomizing codings for an even larger class of updates from functional encryption. And if you only want to update 100 times instead of unboundedly many times, we'll talk about what that means in a second, we can do it from one way functions. And lastly, we show that updatable randomizing codings are going to suffice for all the applications on the left. So for example, given attribute-based encryption and updatable randomizing codings, you can get an updatable attribute-based encryption. So I'm going to start by defining updatable randomizing codings, telling you about what related work there is, and then show you how to do this transformation just sort of by example. And then we're going to go back to, if we have time, Christoph is looking at his watch, we're going to go back to updatable garbled circuits at the end and see how to construct them from analysis. So updatable randomizing codings, so what does it mean for a circuit to be updatable? What's an updatable circuit? So your intuition is the right thing. It's a little annoying to formalize, so I'm not going to do it formally, but if you have a circuit and an input, we're going to think for randomizing codings we'll think of circuits and inputs together, as is typically done. So if you have a circuit and an input, see an X. And some update U, this update could be change a gate of the circuit, change a bit of X. And there's some way to apply this to the C and X to get a new C prime, X prime. And we can really do sort of a large class of updates, anything that the application, the plus sign, can be sort of computed by a circuit of a fixed size. So whatever your representation is, as long as that's true. But think of like changing a gate or changing a bit of the underlying representation. Okay, so what's a randomizing coding? Randomizing coding is a way to encode a circuit and an input. So into this green box CX over there, where encoding takes, is not too much time. It's easier to do the encoding than to compute the circuit. But this encoding still only reveals the value C of X and nothing more. So we want to also find a way to encode the update. This is sort of the main idea. We want to encode the update into this purple box on the right, so that there's a way to combine the original randomizing coding and the encoded update to get a new randomizing coding for C prime, X prime. Okay. And the sort of the correctness, the thing that we want to hold is that doing it that way, if you go, if you use the encoded update to update the encoding, then you get the same thing as if you, you get a randomizing coding of C prime, X prime, where C prime, X prime, or what you would have gotten if you just did the update on the left in the clear. Makes sense? So it's easy to sort of see why multiple updates now make sense. We're going to think about multiple updates in serial. So if I have C and X, I apply update U1 to get CX1. And then I update U2. I want to be able to do that in the encoding world too. So I want to, I can give you the randomizing coding of C and X, then the encoding of the first update and then the encoding of the second update and you should be able to do the thing that you want to do. And each of the green boxes is the randomizing coding. So you can decode each of the green boxes and get the value C of X, C1 of X1, C2 of X2. And going back just for a second to updatable garbled circuits, updatable garbled circuits is going to correspond to like a single use variant of this where you can just decode the last value. And at the end, I'll show you this picture for updatable garbled circuits and it'll be clear before we do the construction. So the key challenge in all this is efficiency. If we didn't care about efficiency, Alice could just do the randomizing coding of C prime, X prime, fresh. The only thing that isn't, it's only interesting if we have efficiency. So what we want to capture is that if we don't change too much, the size of the encoding, the size of the encoded update is not too large. So we want the encoded update, the thing in the purple, to grow with the size of the update and with K, the security parameter. But basically I can never mention K ever again. And for some of the applications of randomizing coding to build the other updatable primitives, we also need something stronger. If we're considering circuits that have not just a Boolean output but a longer output, we'll also need the encoded update size or the time to generate the encoded update to not depend on the output length of these circuits if we have many bit outputs. I'm going to call this output compactness. This is sort of in parallel to a concept in functional encryption literature. Security can be defined in two natural ways. Simulation security would say, it says that if you have all the values of all the evaluations, then you can simulate the view of the original encoding and all the updates. And the indistinguishability is that if a sequence of evaluations agree, then the original encoding is in the sequence of updates will be indistinguishable. And sort of similar to the functional encryption literature, compactness is impossible in the simulation setting. And there's a generic transformation from an indistinguishable scheme with compactness to a simulation scheme without compactness. And this is pretty parallel to results in functional encryption literature. Okay, so now on to some previous work. So some of you maybe are thinking about incremental cryptography. This sounds a lot like incremental cryptography maybe. So incremental cryptography is like a line of work. It was started by Belar Goldwasser and Goldreich. This is sort of a typical setting of incremental cryptography. You have a signer that has a secret key and he signs a message and then he makes a small change to the message and he wants to sign it again without sort of signing from scratch. He wants to do something faster. So this picture looks a lot like our picture. So what's the difference? The difference is that on the left in incremental cryptography, there's only one party. There's only one party. And the party is doing everything in his head. So he knows the secrets and there's no, he doesn't have to communicate anything with anybody. He outputs one signature and then he outputs the next signature. On the right in our setting, there's an authority and there's a user. The authority knows the secrets, like the randomness for the garbling. But the user is the one who is eventually going to apply the update because the authority doesn't even want to output the new garbled circuit. So the authority has to encode this update in some way and send it to the user. So this R setting requires some sort of stronger security because the user gets to see more. On the left, you only see the two signatures. On the right, you see the two randomizing coatings of the two garbled circuits. Plus this encoded update that lets you transform it from one to the other. But we do somewhere relax efficiency in that the whole process of going from sigma to sigma prime here is fast. Whereas in our setting, the only thing we require is that this arrow, which you can't see that pointer, this arrow here of generating the encoded update is fast. We're sort of relaxed about how long the user, or we're willing to make the user take. And in particular, the user is going to take, in our constructions, the user is going to take time proportional to see to do this computation. Now on to the obfuscation work. So there's these two works about incremental patch of obfuscation. And so both of these works sort of model things slightly differently, whether the type of updates and the types of constructions they get, but I think both of these two works are interesting, and I recommend them, in particular because the first work by Gargan Pandey has this cool lower bound, which is sort of something, nothing like we have. Cool lower bound on how efficient you can make these things. And the patch of obfuscation, which Provence is going to talk about today, I guess I was wrong, where they can do one update, lets you update many obfuscated circuits. So that's very cool. But this is sort of the main related work. And lastly, we think about updating in sort of a serial way. You can also easily imagine updating in parallel. And parallel, updatable randomizing coding closely corresponds to reusable garbled circuits, which have been considered before. Okay, so on to applications. So this is sort of a meta statement, which is not a formal statement. Give me XYZ and updatable randomizing coding, and I'll give you an updatable XYZ. So this is not true as stated. It's not formal enough. But we can formalize it for some large class of XYZ, including attribute based encryption, functional encryption, obfuscation, Newey's garbled circuits. Okay, so updatable randomizing coding is sort of like enable everything to become updatable. So here's sort of the simplest possible application of it, so this is the one I'm going to show you. So let's say I have an indistinguishability obfuscator, and I want to make an updatable indistinguishability obfuscator. So the new obfuscation algorithm is going to take a circuit, and it's going to output an updatable randomizing coding of the obfuscation circuit, the circuit that computes the obfuscation, and the circuit that I want to obfuscate as input. Now to encode an update, I just encode the update, where the update is now going to apply to this input. This is the X that we saw before. And then with this and this, the user can get the updatable randomizing coding of IO and C prime. This thing can be decoded, then you get the obfuscation of C prime, and you're done. The correctness and security are inherited from the correctness and the security of the update of a randomizing coding of the obfuscation. And in this case, efficiency requires compactness, because the circuit in question here is really the obfuscation. And this thing outputs many bits, so it requires compactness. But for example, maybe non-interactive witness indistinguishable proofs doesn't require compactness, so we'll be able to get simulation security. Okay, so I don't know how much time I have, but not quite conclusions before we go to the construction and potentially run out of time. Is that updatable crypto is sort of a meta question that you can think about in lots of contexts. It's largely unexplored except for this work and obfuscation work. And I think we're not necessarily settled on the right modeling or the right set of definitions. In our work, we sort of show that updatable randomizing coding is this huge hammer, but it also requires functional encryption. And in fact, functional encryption I didn't mention, is also necessary. If you have a compact updatable randomizing coding, you can get a functional encryption of the type that we need. But we also see that for garbled circuits we can do something from lattices. So thinking about direct constructions for individual primitives, the ones that you're interested in could do something much better potentially than what we do. And also sort of the new types of questions like the obfuscation works present lower bounds, updating many things at the same time. It's largely unexplored. And now with the four minutes I have, I'm going to try to tell you a construction of updatable garbled circuits from lattices. Okay, so here's the picture I promised. Here's the updatable garbled circuits. So now I'm going to change notation to go back to sort of the notation of garbled circuits where I separate the circuit and the input. So I want to garble the circuit, get this green thing on the right, and then garble the update, which will allow me to take the garbled circuit C to get a garbled circuit C prime. And at the end, the authority is going to garble the input X. And this input is going to allow you to decode C prime of X, but not C of X. You only get, it's a one-shot evaluation. You only get the evaluation at the end. And you need this last thing from the authority. That's the picture. So let's start just with garbled circuits. So Yao is garbled circuit construction. You take a circuit, and for every gate you do, you make this garbled gate on the right. Each gate has a thing on the right. Those are the garbled gates. So let's just try to do it. Let's just try to update. So now let's say I change that or gate to an AND gate. So to generate the update, I have all the secrets. The authority has all the secrets. So just recompute this garbled gate on the right. So certainly you can apply the update. You can take out the one gate and put it in the new gate. And this is all well and good. You certainly get efficiency. I change one gate. I generate one garbled gate. You can get correctness. You can evaluate the new circuit. But you don't get security, because you can still evaluate the original garbled circuit. And maybe you can just break the whole thing and learn the circuit. So now I want to fix security. So how am I going to do it? I don't know how to do many things, but I know how to encrypt. So I'm going to encrypt every garbled gate. And it's a little confusing. I don't mean that the garbled gate has a lot of encryptions inside of it. It does. But I'm going to generate the garbled gate and then encrypt the whole thing with a new symmetric key encryption scheme. Fresh keys for every gate. This is still an attempt. This won't be the final answer. And then at the end, I'm going to give you the new garbled gate. And then I'm going to give you one key for every gate that I didn't update, which will allow you to open those encryptions. So this is great. It's correct still. It's secure. But now I don't have efficiency anymore, right? I give you one key for every gate I didn't update. And I gave you a gate for every gate I updated. So I gave you something as big as the circuit. Okay, so now how do we do better? Let's use a punctured encryption scheme. So this is sort of inspired by puncturing techniques. So I'm going to encrypt all the gates with the same key instead of different keys every time. And when I update a gate, I'm going to give you the decryption key punctured on the gate I updated. So what does it mean for a key to be punctured? It means it can decrypt all the ciphertexts that I wanted to decrypt, except for the one. Except for the one I updated. And the size of this key is not big. It doesn't grow with the size of the circuit. And since I'm in the symmetric key setting, this can be constructed from just puncturable pseudo random functions, which can be constructed from one way function, just the ggmprf. We'll let you do this. So this gets me everything I want, except I can only update once. You know, once I remove all the encryptions, I'm done. I can't go further. So the last idea to get many updates is to use symmetric proxy re-encryption. Okay? So what does proxy re-encryption do? It says that if I want to transform ciphertexts, if I want to let you transform ciphertexts from the blue to the red key, there's some blue-red key I can generate, which will let you compute the transformation. A punctured proxy re-encryption scheme sort of does the same thing, but I can puncture the re-encryption key. So this blue-red key will only let you transform all the ciphertexts, except for the one I don't want you to transform. So in the example, it's punctured at two. I can transform one and three. And then the next key is punctured at one. I can only transform three. The next key is security holds if I give you these two punctured keys and the green key at the end, which will let you decrypt the green ciphertext. So even given all these keys, one and two should be hidden. This is the security property I'm going to need. And such a punctured proxy re-encryption scheme can be built from chemomorphic constrained paragraphs. So symmetric re-encryption can be built from chemomorphic paragraphs. To get punctured re-encryption, you can do it from constrained chemomorphic paragraphs. The construction looks a lot like a construction in the work of Kristoff, my esteemed chair of the session. But we need a stronger security property than they prove. So I'm out of time. What am I going to do? I'm going to encrypt the circuit gate by gate just like I did before. And at every step, I'm going to give you the updated gate. Encrypted under the new key. And the re-encryption key that will let you transform all of the ciphertext from one key to the next. And then you can continue, continue. And at the end, with the garbled input, I'm going to send you the last key, which will allow you to decrypt everything and evaluate. You get efficiency, you get correctness, you get security. That's it. That's the story. Thanks. Thanks a lot for this very nice talk. So we have time for one or two short questions while the next speaker sets up. Any questions? So maybe let me ask one. So what would be like a kill application for? So for any of those. So for updatable garbled circuits, for updatable garbled circuits, I think there's not yet a killer application. I think it's just a supernatural question. It's not clear how to answer when you ask it. For updatable randomized encodings, you get all the applications on the left. And if we're thinking about updatable anything, updatable XYZ, I don't know, pick your favorite application, make it updatable. So I just think that, for example, not having to re-upfiscate if you change one gate, it's a natural property to want to require from an upfiscation scheme. Thanks.