 Thanks to you for the introduction. Welcome everybody to the last talk of today. I'm Navid and I'll be talking about symmetric primitives with structured secrets. This is a joint work with Hart Montgomery and Chikar Patronubis. Let me start by considering key rotation in the cloud, which is one of the most widely used tools to protect data in the cloud. So key rotation in the cloud is one of the cryptographic applications that we encounter in many scenarios. So suppose that we have some encrypted data in a cloud using symmetric key encryption, and at the security measure, we need to do key rotation in certain time intervals. A naive approach to do this would be downloading all cipher text, re-encryption using a new key, and then uploading all cipher text back to the cloud. However, it's easy to see that such an approach would be overwhelmingly inefficient and it would require more resources. So fortunately, cryptographers came up with a more efficient approach, which is to use cryptographic primitives that allow us to transform a cipher text encrypted under certain secret key SK to another cipher text encrypted under another secret key SK prime using some auxiliary information. And as the security property, we require that the auxiliary information should not leak down the underlying data. Now let's see a couple of examples of such primitives. Maybe the oldest example of such primitives is proxy re-encryption, which has been considered in both symmetric and asymmetric setting. Proxy re-encryption has been proposed by Bonaiz et al. in 98 and subsequent works showed improved versions of this primitive both in terms of efficiency and security. A more recent example is updatable encryption, which has been formally defined by Bonaiz et al. in 2013. And recently, we have seen variants of this primitive with relatively strong security guarantees known as post-compromised security proposed by Lehmann and Taikman in 2018. In a more fundamental level, there's also a primitive called key homomorphic pseudo-random functions, which has been implicitly introduced by Naur, Pinkas, and Reingold in 99 and formally defined by BLMR 13. This primitive has also further applications, such as distributed PRFs and pseudo-random functions that are secure against related key attacks and also updatable encryption. This primitive is particularly interesting because it served as a building block to build other primitives such as updatable encryption. Now, a natural question to ask is, what would bring all these primitives under one umbrella? Although these primitives differ significantly in terms of constructions and proofs, these primitives have some common properties. So the first one is that these are ostensibly symmetric primitives that have structured secret space or extra functionality. For example, in the case of key homomorphic pseudo-random function, the key space is a group which is algebraically structured. Or in the case of updatable encryption, the extra functionality is the capability to transform a ciphertext encrypted under a secret key to another ciphertext under some other secret key. In addition, known constructions of these primitives require relatively strong concrete public key assumptions, such as DDH or Decisional Defilement or Learning with Errors. Even the constructions in the random oracle model need public key assumptions. So this may imply that public key assumptions are inherent to build these primitives. So the main question that we study in this work is are public key assumptions necessary for building these primitives? The answer is yes. And here we have an overview of our results. We show that a key homomorphic weak PRF implies a certain primitive known as input homomorphic weak PRF, which has recently been shown to imply a bunch of primitives, such as PIR, Private Information Retrieval, Lasitraptor Functions, and of course, public key encryption. In addition, we show that a proxy re-encryption with UPD security implies an updatable encryption with UPD security, which in turn implies public key encryption. More specifically, we show that a proxy re-encryption with UPD security implies an updatable encryption with a strong security guarantee known as post-compromise security. And such an updatable encryption is sufficient to realize public key encryption. This means that these primitives belong to the world of asymmetric primitives. So the green arrows are contributions from Europe 19, and the black arrows are the results from our work. In addition, we also show that certain variants of key homomorphic weak pseudo-random functions do not have post-quantum security. Now, for the rest of the talk, I'm going to focus on this particular result, and we will see how to get a key exchange protocol, which is sufficient to realize PKE, from an exact key homomorphic weak pseudo-random function. The ideas for this construction and its proof can be used in similar ways to construct a variety of primitives, such as trapdoor functions or PIR. And I'm going to also quickly recall some of the definitions that we need for this particular result. So if you are not even familiar with the weak PRF, I will show the definition. So we say that a function family is a weak PRF if an attacker cannot distinguish between samples of the form xi and fkxis from xi's and ui's, where ui's are chosen uniformly from the output space of the weak PRF. This is seemingly a weaker version of a plain pseudo-random function, where an attacker gets to see function evaluations on only randomly chosen inputs, instead of adaptively chosen inputs. Now let's see a key homomorphic weak PRF. So we say that a weak PRF is key homomorphic if the key space and output space are groups with efficiently computable group operations. And in addition, it satisfies the key homomorphism property, which is basically given any two keys, k and k prime. And any input x, we have f of k plus k prime x is equal to f of k prime x times f of k prime x. f of kx times f of k prime x. We usually use plus for the group operation on the key space and times for the group operation on the output space. It's long been known that we can build weak pseudo-random functions in a generic manner from any one-way function. But with the result of this paper, it doesn't seem likely that when we augment a weak PRF with key homomorphism, we can build it in a generic manner from any one-way function, because it implies public key encryption. Now let's see a simple example of a key homomorphic weak PRF. So if GBA DDH hard group of order Q or GBA group over which DDH holds, consider the function f whose key space is ZQ and input and output space are both the group G. So if we define the function as f of k h equals to h to the k, which is a single exponentiate group element, it is easy to see that this is a weak PRF based on DDH assumption. In addition, it also satisfies the key homomorphism property, which is f of k plus k prime is going to be equal to f of k h times f of k prime h, where the multiplication is the group operation over the output space. In addition, if you define the function f as f of k x equals to h of x to the k, where h is a random oracle from bit strings to the DDH hard group, so it has been shown that this is a key homomorphic PRF in the random oracle model, which has been shown by Naur, Pinkas, and Rengold in 1999. So the definition that I give you for a key homomorphic PRF requires that the function evaluations on some of two keys is equal to product of function evaluation on each individual key. It's also possible to consider relaxed definitions. One relaxed definition is almost or non-exact key homomorphic PRF. And in this definition, we require that f of k plus k prime x is close to f of k x times f of k prime x instead of being equal. As a simple example, if you consider this function, where the input and key space are both zqn, and the function is defined as the dot product or inner product of these two vectors over zq, rounded some modulus p, this has been shown to be a weak PRF by Banerjee, Peichart, and Rosen in 2012. And it's kind of easy to see that this satisfies almost key homomorphism property. Because for two different keys, s and t, f of s a plus f of t a is going to be very close to f of s plus t a. Now before going into the construction of key exchange from key homomorphic PRF, I'm going to describe some notation that we'll use for the construction and proof. So if y is a vector of group elements and s is a binary vector, I'm going to use yts or sty to essentially denote the subset product over the components of y using the binary vector s. This notation can be similarly generalized into the setting where y is a matrix of group element. So if y is a matrix of group element and this is a binary vector, again, ys is going to be a vector whose components are rows of y, where you do the subset product over the rows of y. For example, the first component of ys is going to be the subset product over the first row of y. Now to make sure that everybody is following the last talk of today, I'm going to show you a key exchange protocol from a key homomorphic PRF where we don't actually use the key homomorphic PRF. So we have some key homomorphic PRF f. And suppose that n is a large enough integer, I'll talk about this later. And y is an abelian group. In addition, suppose that we also have a uniform matrix of group elements. This is a square matrix where each element of the matrix is uniformly chosen from the output group of the key homomorphic PRF. So we assume that y is our common random string. So we have two parties, Alice and Bob, and they want to do key exchange. So Alice samples a binary vector a, and Bob samples an n-bit string binary vector b. Alice sends a transpose y to Bob, which is a subset product over the rows of y. Bob sends yb to the Alice, which is a subset product over the columns of y. It is easy to see that if y is an abelian group, Alice and Bob both compute the final secret mutually, in the sense that 80 transpose yb, where a is the binary vector that belongs to Alice, is going to be equal to 8 transpose yb. So in the first one, we take the subset product over the vector yb using a. And in the second one, we do the subset product over the vector aty using b. So this is a key exchange protocol, and we haven't actually used the key homomorphic PRF. But we are going to use it for the security. To prove the security of the construction, we are going to use the pseudo randomness or hardness of repeated subset products in the output group. So consider these two vectors x and k, where x1 through xm are uniformly chosen elements from the input space of the key homomorphic PRF, and k1 through kn are uniformly chosen elements from the key space. Now, we form a matrix of big PRF outputs in the following way. So we use the key vector in each row, and we use the input vector in each column. Now, if I take a random subset product of columns of s, since f is key homomorphic, I can push the subset product of columns of s to the key space, and I can view it as a subset sum over the key space. This means that fs, using the notation that I described in the previous slides, is gonna be equal to f of k star xi's for some k star that is equal to s1 k1 plus s2 k2 through sn kn. So we use the key homomorphism of f to say that this is equal to f of k star xi's. Now, by the left over hash lemma, we know that if n is large enough, we can say that given k, k star is statistically indistinguishable from uniform. So this means that given the matrix f, fs is computational indistinguishable from random. Or essentially, this means that fs is the weak PRF evaluations on a fresh random key. So we know that f is output of the weak PRF on uniform key input pairs, and in the previous slide, we saw that given f, fs is computational indistinguishable from random. Now, we know that f itself is also computational indistinguishable from random because it's the output of uniform key input pairs. So if we combine these together, this implies that given a uniform matrix y, ys is pseudo-random. So this proof technique has some other interesting implications as well. So notice that so far, we have only used the fact that the number of columns of y are large enough so that we can apply the left over hash lemma. This means that number of rows of y play essentially no role in the proof other than the fact that we need large enough rows to do the key exchange protocol. This means that linear equations with binary coefficients over the output space of a key homomorphic weak PRF is interactable. In particular, this means that there is no exact key homomorphic weak PRF instantiation whose output group is ZQ with plain addition. The hardness of repeated subset products or the pseudo-randomness of knapsack function is versatile enough to build a variety of cryptographic primitives such as trapdoor functions and PIR. As a simple trick, one can use binary matrices instead of binary vectors to get a certain cryptographic primitives. For example, one can define a function f where the input space for the function f is the set of l-bit strings and the key is a uniformly random square matrix where the elements of this matrix lives in the output group and s1 through sl are binary matrices. If we define the function such that on this key and input outputs y times subset product of si by the key homomorphic weak pseudo-randomness of f it can be shown that this is actually as strong pseudo-random function. Although the hardness of repeated subset products is versatile enough to build many cryptographic primitives, it comes with some shortcomings as well. For example, we can use quantum algorithms to determine the structure of any Abelian group. This means that we can use these quantum algorithms to show that exact key homomorphic weak PRFs with Abelian output groups cannot be secure against quantum attack. This means that over Abelian groups approximate homomorphism is the best that we can hope for in terms of post-quantum security. The idea for the attack is pretty simple. We first use the quantum algorithm to determine the structure of the output group which is basically decomposing the Abelian group into its cyclic components and then we use such explicit representation of the output group to solve a linear system of modular equations. Such an attack can be generalized to basically any primitive with exact homomorphism over Abelian groups. I'm gonna conclude the talk with a couple of open problems. Recall that the construction of public encryption or key exchange from an exact homomorphic peak PRF or non-exact bond requires the output group to be Abelian. So the question is, can we construct public encryption from a key homomorphic peak PRF whose output group is non-Abelian? Recall that the pseudo randomness of knapsack function or hardness of repeated subset products holds if the output group is non-Abelian and we only need Abelian property to show the correctness of the key exchange protocol. The next open problem is constructing public key encryption from homomorphic pseudo random generators which is a seemingly weaker primitive. So it is easy to see that any key homomorphic peak PRF implies a homomorphic pseudo random generator just by viewing the key of the key homomorphic peak PRF as a seed for the PRG and leaving the input or inputs as the public parameter. Finally, it's also interesting to consider improved definitions or constructions of updatable encryption that does not immediately imply public encryption. Such an updatable encryption might be helpful to perform certain tasks such as key rotation in cloud using purely symmetric primitives which would be overwhelmingly inefficient. Thanks for your attention to the talk. If you have a question, please come to the microphone. I have one question. You didn't talk about proxy re-encryption and updatable encryption. In the key homomorphic peak PRF case, you use the structure of homomorphic property. But in the case of proxy re-encryption, I... So the rough idea to do that construction is that since we have indistinguishability of updates or something like indistinguishability of tokens, and it gives you the capability to transform Cypher text given under some secret GSK to Cypher text under another secret GSK prime, you essentially use this capability to sort of do a key exchange protocol where you switch the knowledge of secret key to the knowledge of tokens and use this to perform the public encryption or key exchange. Thanks. Thanks. More questions? Let's thank the old speakers again.