 This work is about statistical apps and new oblivious transfer protocols. I'm Zhong Zhongjin from Johns Hopkins University. This work is joined with Wipo Goyo, Epshack Gen, and Julio Malavota. In this work, we study statistical security in two-party protocols. The statistical security can provide everlasting security, such that even for computational unbounded adversary, it cannot break the scheme. However, such security notion is hard to achieve. For example, it is impossible for both parties to achieve statistical security for general functionalities. So, the focus of this work is on the one-side statistical security. We study two specific cryptographic protocols. The first protocol we study is the interactive proof systems. And here, we care about the statistical privacy for the prover. The second protocol we study is the oblivious transfer. And in this setting, we care about to achieve statistical privacy for the receiver. Recall that in an interactive proof system, there is a prover and a verifier. The prover tries to convince the verifier that some statement X is in an MP language L. To achieve this, the prover needs to interact with the verifier using the witness omega of the statement X. At the end of the interaction, the verifier decides to accept or reject the prover. We require an additional property of the interactive proof system, which is the witness indistinguishability. It is defined as follows. For any malicious verifier, it cannot distinguish between the following two cases. In the first case, the prover uses a witness omega to compute the protocol. And in the other case, the prover uses another witness omega prime to compute the protocol. Unlike the zero-knowledge property, witness indistinguishability can be achieved in only two rounds. In this work, we study ZEPs, which is a two-round public coin witness indistinguishable protocol. In such protocols, the verifier sends some uniform random coins in the first round. And then the prover responds with some proof. And these proofs can be publicly verifiable. The public coin property requires that the verifier only uses public random coins. Note that this primitive is very important in cryptography and has many applications. Since it only has two rounds, it is used in the wrongly efficient secure multiparty computation. And since it is publicly verifiable and the verifier's first-round message is reusable for different proofs, it is also used in the resettable secure protocols. In the work of Dwork and Naur, they show that the ZEPs and the Nizik proofs in the common random stream model are equivalent. So, combining this result with the Nizik construction from quadratic residuality assumption, trample-dough permutation, and a decision-only linear assumption, we can get ZEPs construction from these assumptions. And also in the recent work of VP15, they construct ZEPs from indistinguishability obfuscation. However, all above works are computational ZEP proofs. So, our first question is, does there exist statistical ZEPs? And our first result is the statistical ZEPs from cross-pondomial hardness based on the learning with arrows. And in the work of KS18, they achieve statistical private-dough coin witness indistinguishable protocol. The second protocol we study is the Oblivious Transfer, which is a two-party protocol with a sender and a receiver. The sender has two messages, M0 and M1. The receiver has a single bit beta. So, after some interaction, the receiver can get one of the two messages. The receiver can only get M subscript beta. And for the sender's privacy, we require that the other message M subscript 1-beta is hidden. For the receiver's privacy, we require that its input beta is hidden to the sender. The Oblivious Transfer is also a very important primitive in cryptography, and it also has many applications, such as secret multiparty computation, the two-round witness indistinguishable protocol, and non-manable commitment. There are many previous works on constructing Oblivious Transfer. In these previous works, they construct two-round statistical sender-private Oblivious Transfer in the plan model. So, one natural question is, can we construct two-round statistical receiver-private Oblivious Transfer? And it turns out that it's impossible. Consider the following scenario, where there is a sender and a non-uniform malicious receiver. Since the receiver side is statistically hidden, the malicious receiver can find a first-round message, OT1, such that it both equals to a first-round message for beta equals to 0, and a first-round message for beta equals to 1. Then the sender completes the protocol using some messages M0 and M1. So, the malicious receiver can get both of the two messages, and this compromises the sender's privacy. Now we know that two-round is impossible. So, can we construct a three-round protocol? Then in the recent work of KKS-18, they construct a three-round protocol from super-polynomial hardness assumptions. So, our second question is, based on the polynomial hardness assumptions, does there exist a three-round statistical receiver-private Oblivious Transfer in the plan model? And our second result answers this question positively. We show two constructions. Our first construction is from any two-round statistical sender-private Oblivious Transfer. And our second construction is based on the computational Delphi-Helmen assumption. We also note that our first construction is also an OT reversal. It means that we transform from the statistical sender-private OT to a statistical receiver-private OT. Now we go to the technical details for the statistical steps. Recall that the statistical steps is a two-round public calling with this indistinguishable protocol. To construct the steps, our starting idea is to compress a sigma protocol where correlation intractable hash hk, where k is the key for this kind of hash function. We will give the definition of this correlation intractable hash later. So for the sigma protocol on the left-hand side with the message alpha, beta, and gamma, the compressed protocol works as follows. The welfare sends a cahk in the first round. Then the provere prevale is the first-round message alpha for the sigma protocol. And then the provere applies the cah to the message alpha and gets the second-round message beta directly. Next, the provere computes its third-round message gamma and sends it with the first-round message alpha. And this completes the protocol. The correlation intractable hash defines as follows. A correlation intractable hash function, hk, must satisfy the following property. For any fixed circuit c, if we sample the key k uniformly at random, then it is hard for the adversary to find input x such that h subscript k of x equals to c of x. Now we give a breathing idea for the security. In fact, we require the first-round message alpha of the sigma protocol to be a commitment of some message m. If you are familiar with the sigma protocol for graph Hamiltonian city, then this message m is in fact some random cycle graphs. Then it is easy to see that the witness indistinguishability follows from the hiding property of such commitments. And the tricky part is how to prove for the soundness. So to prove for the soundness, let's consider a cheating provere who tries to convince the verifier that some false statement x is in the language l. To achieve this, the cheating provere need to provide the proofs alpha star and gamma star. So the first step to proving the soundness is to extract a malicious message m star from this first-round message alpha star using a trapdoor. Now from the special soundness of the sigma protocol, we know that given such m star, the only accepting beta star is efficiently computable. So if we combine these two steps, then we know that there exist efficiently computable circuits c such that beta star equals to c of alpha star. Now, if the verifier accepts the proof, then beta star equals to c h h of the alpha star, which is also equals to c of alpha star. And this contradicts to the definition of correlation interactability. Note that such commitment scheme with hiding and extractability can be built in the CRS model. For example, using a public key encryption. And this would imply the apps in the CRS model. However, we need to build such hiding and extractability in the plan model. So the idea is to use a two-round statistical sender private oblivious transfer. So the idea is to have both parties to sample a single bit b and b prior, respectively, and have the verifier to fit its random bit b to the receiver. Then the receiver generates its first-round message for the OT protocol. And then the prover attacks the sender and prepares the message for the sender. So the prover puts the message m in the b-primes position and put a bottom in the other position. And the prover completes the protocol with these messages. Now on the receiver side, with probability half, b would be equals to b prime. And in this case, the verifier can extract the message m. So we have the extractability. And also, with probability half, b would not be equals to b prime. And in this case, the message m is hidden. So the verifier can only get a bottom. Next, we show how to combine this scheme with our Sigma protocol and correlation intractable hash to get a weakly secure statistical zaps. We will amplify the security later. So the compressed protocol works as follows. We have the both parties to sample a single bit b and b prime, respectively, and have the verifier act as the receiver with the input bit b. Now the receiver generates its first-round message ot1. So the verifier sends it with a uniform random chk to the prover. Now on the prover side, instead of preparing its first-round message alpha directly, the prover prepares the message m and act as the sender. Then apply the correlation intractable hash to the ot2 message. And finally, computes its third-round message gamma. And send it with the ot2 message to the verifier. Now for this protocol, we can achieve statistical witness indistinguishability with the error approximately half. And we can also prove the soundness as before. However, this statistical error is too large. We need to amplify the security. The idea to amplify the security works as follows. So instead of having the both parties to sample a single bit, we have the both parties to sample a string of L. After the first round, on the sender's side, it has 2 to the L positions. So the sender put the message n on the b prime's position and put a bottom on all other positions. Then the sender completes the protocol. Now on the receiver's side, the receiver can only read the b's position and all other positions are hiding. So again, there are two cases. With probability 1 minus 2 to the negative L, b will not be equal to b prime. In this case, the message m is hidden. So we have the hiding property. And also with probability 2 to the minus L, b would be equal to b prime. In this case, the receiver can get the message m. So we have the extractability. Note that this kind of skin can be extracted as a two-round statistical hiding extractable commitment in the work of KKS-18. Now we show how to combine such a skin with a sigma protocol and the correlation extractable hash to get a construction of seps. So as you can see in the figure, the only changes we made are in the red color. So we changed the bit to our strings of L. Now for the statistical witness indistinguishability, we have error approximately 1 over 2 to the L. So this value can be made negligible. And for the soundness, we can prove the computational soundness we are complexly leveraging. Due to the same constraint, I cannot cover this in detail. But if you are interested in this, you can refer to our paper. For the public calling property of this protocol, it follows from the pseudo-randomness of OT1 message. Now this concludes our construction of statistical seps. For the second part of the technical details, I will talk about overviews transfer. Here is an overview of our construction. To construct a three-round statistical receiver-private OT, we propose a new notion. We call it statistical hash commitment. And we have two constructions of such commitment scheme. Our first construction is from the two-round statistical sender-private OT. And our second construction is from the computational Delphi-Helman assumption. Due to the same constraint of this talk, I will only cover the first result. We call that a statistical receiver-private OT is a two-party protocol where there is a sender with two messages M0 and M1 and a receiver with a single bit beta. So after some interaction, the receiver can only get M subscript to beta and the other position is the heading. Now we care about the statistical receiver's privacy, which requires that the receiver's input beta is statistically hidden to the sender. To construct such a commitment scheme, our main tool is a statistical hash commitment. In such a commitment scheme, there is a receiver and a committer. The committer has a bit beta and there is a two-round committing phase. So after the committing phase, the receiver uses the transcript in the committing phase to get two hash values for beta equals to 0 and beta equals to 1. And in the opening phase, the committer opens his input bit beta and also sends some values in the green box. And on the receiver's side, he simply checks if the hash values for the beta equals to the green box value. We further request the commitment scheme to be statistically hidden. It refers that for any malicious receiver, it cannot distinguish between the case when beta equals to 0 and beta equals to 1. And we also require such commitment scheme to be computational binding. It requires that for any malicious committer, after the committing phase, the receiver can get two hash values for beta equals to 0 and beta equals to 1. And the computational binding property requires that the malicious committer cannot find for both these two hash values. Next, we show how to construct such three-round statistical receiver-private over-rebuild transfer from such a commitment scheme. So the idea is to have the receiver act as the committer and have the sender act as the receiver. So the receiver commits its input bit B to this commitment scheme. And after the committing phase, the sender gets two hash values for the opening. Next, the sender applies the Godrej11 hardcore predicate to both of these hash values and x-coism with its message m0 and m1. And sends these two values to the receiver in the third round. Now, since the commitment scheme is statistically hiding, the receiver's bit beta is statistically hidden. So we have the statistical receiver privacy. And also, since the commitment scheme is computational binding, the receiver cannot guess both of the hash values simultaneously. So we have the computational sender privacy. Next, we show how to construct such statistical hash commitment scheme from any two-round obli-ville transfer. So the idea is to have the receiver and the committer to run a secure two-party computation. And such two-party computation can be constructed from the two-round obli-ville transfer. For the committer, its input to this two-party computation is the bit beta and a uniform random blue box. For the receiver, its input to this two-party computation is a uniform random black box. This two-party computation only has output to the receiver. And it depends on the bit beta. If beta equals to zero, then the two-party computation outputs the blue box on the top and the red box on the bottom. Where the red box is defined as the XOR with the blue box and the black box. And in the other case, when beta equals to 1, then we switch the position of the blue box and the red box. Now since the from the statistical sender privacy of the OT protocol, this beta can be statistically hidden. So we have the statistically hiding property. And also, from the computational hiding property of the random black box value, we can get the computational binding property. Now here is a summary of our results. If you are interested, please refer to our paper in the full version. Thank you.