Welcome to the second part of this morning's lecture. By the way, the lecture mostly follows Leo's lecture notes for the alternating-extraction proof, so this is the link to his notes, or you can just google Reyzin and Wohlpert — that's the person who took the scribe notes, and that should be the first hit.

Okay, let's also briefly go back to the proof I showed you before for the delta plus epsilon bound, where I totally intentionally made a mistake and nobody except Woody caught it. It's here, so I'll give you one more minute to think about what's wrong. You remember the statement we wanted to show: for seeded extraction, if we have a C that is delta-close to uniform, we extract something that is delta plus epsilon close to uniform. Let's see if this works. We did this funny trick where we subtracted the probability of U being x and added it back, so this was just an equivalence. Then here I took the absolute value, and then I could replace this difference with one, and we got this expression, and I claimed that it is at most delta.

[From the audience: one half. One half is missing.] No — actually, a two is missing: this bound gives two delta. Usually that's not a big deal, but the entire point of this exercise was to show you how to get rid of the two. So who has an idea how to fix this? Let's see. We want to upper bound this term here. If you look at just this term, sometimes it is negative and sometimes it is positive. So if you want to maximize the sum, without loss of generality you can assume this factor here is zero whenever the term is negative — because if it is not, setting it to zero only increases the value.
So if this factor is always zero, I can rewrite the sum: instead of summing over all x, I sum only over the x where the probability that S equals x is strictly bigger than the other probability — only the terms that are positive. Now I can safely replace the difference with one, and what remains is exactly the statistical distance: before, the full sum counted 2·delta of probability mass, and now I only count half of it, which is delta. That fixes the proof.

Okay, let's switch gears. This part of the lecture will be about the conditional chain rule for pseudoentropy. Let me briefly recap the wording I want to use during this lecture, because it's going to be slightly different from yesterday. Yesterday we saw that many entropy notions — arguably any notion that somehow measures the uncertainty contained in a variable — satisfy something like a leakage rule, which roughly says the following. H is some entropy measure, and we want to measure the entropy of X conditioned on some variable A, and this shouldn't be too small. Intuitively, whenever we condition on something that is, say, L bits long, the entropy should drop by at most L; here |A| just means the bit length of A. And we know that such a leakage rule holds for all natural information-theoretic notions — Shannon entropy, min-entropy, and so on — where the length L can even be replaced with something smaller, like H_0(A).
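Back to the statistical-distance fix for a moment: the identity behind it is easy to check mechanically. Here is a small numeric sketch (my own illustration, with distributions represented as plain Python dicts over a common finite support), verifying that summing the difference only over the points where one distribution exceeds the other gives exactly half the L1 distance — the statistical distance, with no factor of two.

```python
import random

def statistical_distance(p, q):
    """Standard definition: half the L1 distance between p and q."""
    return 0.5 * sum(abs(p[x] - q[x]) for x in p)

def one_sided_sum(p, q):
    """Sum only over points where p exceeds q; all terms are positive,
    so bounding each factor by 1 no longer doubles the mass."""
    return sum(p[x] - q[x] for x in p if p[x] > q[x])

def random_dist(xs, rng):
    """A random distribution over the support xs."""
    w = [rng.random() for _ in xs]
    s = sum(w)
    return {x: wi / s for x, wi in zip(xs, w)}

rng = random.Random(0)
xs = range(16)
for _ in range(100):
    p, q = random_dist(xs, rng), random_dist(xs, rng)
    # the one-sided sum equals the statistical distance exactly
    assert abs(statistical_distance(p, q) - one_sided_sum(p, q)) < 1e-12
```

The design point is exactly the one from the board: the positive and negative deviations of p from q have equal total mass, so restricting to the positive side halves the L1 sum.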
And it also holds for many computational notions of entropy. In particular, yesterday Leo showed you the rule for HILL entropy, which says the following. Suppose we start with a variable X that has some amount of HILL entropy — say X is indistinguishable from some variable Y that has k bits of min-entropy against distinguishers of size s; that is, every distinguisher running in time s has advantage at most epsilon in distinguishing X from some variable that actually has k bits of min-entropy. If we then condition on a variable A, the entropy indeed drops by just the length of the conditioning part. Leo actually showed a slightly different statement, with a loss of log(1/Pr[A = a]) for the particular value a of the conditioning part, but that implies this easier-to-state, slightly less general rule.

So that is the amount of entropy: if X has k bits of HILL entropy and we condition on L bits, what is left has k − L bits of HILL entropy — like a chain rule. But there is also the subscript (s, epsilon). Remember how HILL entropy was defined: X has k bits of HILL entropy if it is (epsilon, s)-indistinguishable from some variable having k bits of min-entropy. And we had a degradation in these parameters, to (s', epsilon'). There are dozens of different proofs that give you different epsilon' and s'. Just for concreteness, one concrete choice is: epsilon' is roughly epsilon — we keep the distinguishing advantage roughly unchanged — and we lose in the size of the distinguishers that we can tolerate.
So if the original distribution was indistinguishable by distinguishers of size s, the new one will be roughly secure against distinguishers of size s times epsilon squared, divided by something exponential in the length of the leakage — so s' is roughly s · epsilon² / 2^L. And you can in fact show, relative to some oracle, that this loss is indeed necessary.

Okay, so this is a leakage rule. Why do I call it a leakage rule and not a chain rule? Because I want to reserve that term for something slightly more general: the leakage chain rule. By the leakage chain rule I mean the same statement, but where we start with a variable X that already has some entropy conditioned on some other variable Z. For most notions this makes no difference: the leakage chain rule still holds for all the information-theoretic notions — Shannon entropy, min-entropy, all kinds of Rényi entropies — and for computational notions like unpredictability entropy, which you will see tomorrow, or Yao entropy. But interestingly, it has not been known to hold for HILL entropy, and in fact it is known to be wrong.

In particular, what goes wrong? [Question from the audience.] Good question — let's see. You have a seed of n bits, and X is a PRG applied to that seed. If I leak the n seed bits, how much HILL entropy should be left? Not much, right? Or say X is even a gigabyte, output by a PRG on a thousand-bit seed. If I give you those thousand bits, this gigantic thing should basically drop to nothing. Is that true? Let's see what s becomes. The original PRG could not have been secure beyond brute-forcing the seed, so s could not possibly have been bigger than something like two to the thousand.
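To get a feel for why leaking the seed kills the guarantee, the parameter loss can be worked out in two lines. This is a back-of-the-envelope sketch; the formula s' = s · ε² / 2^L is the one concrete parameter choice stated in the lecture, and the numbers 1000 and 2⁻⁴⁰ are purely illustrative assumptions.

```python
def log2_s_prime(log2_s, log2_inv_eps, leak_bits):
    """log2 of the distinguisher size s' = s * eps^2 / 2^L that the
    HILL leakage rule still tolerates after leaking L bits."""
    return log2_s - 2 * log2_inv_eps - leak_bits

# A PRG with a 1000-bit seed can be at most ~2^1000-secure, since
# brute-forcing the seed always works. Leak the whole seed (L = 1000)
# with eps = 2^-40:
remaining = log2_s_prime(log2_s=1000, log2_inv_eps=40, leak_bits=1000)
print(remaining)  # -80: the bound guarantees nothing, as it must
```

So the 2^L factor eats the entire security margin exactly when the leakage is as long as the seed — consistent with the observation that the loss is necessary if exponentially hard PRGs exist.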
But now, if the leakage is a thousand bits, I lose a factor of two to the thousand in s — so nothing is left, exactly. This already shows that if you assume that, say, exponentially hard pseudorandom generators exist, where the best you can do is brute-force the seed until you find it, then this loss is necessary: giving you some bits of the seed allows you to shortcut the brute-force search. Good question.

Now, if you remember the proof from yesterday that Leo showed: the place where things went wrong, once you started by conditioning on some Z, was that the argument needed different thresholds for different values of the conditioning part — maybe even the sign changed. You could fix that, but you would have to hard-code what to do for every possible value of Z. So what you would lose here is basically something exponential in the Z that you started with. In particular, you wouldn't get anything better than just replacing X conditioned on Z with plain X and treating (Z, A) together as the total leakage. There are very recent results that do slightly better — you can lose this Z only additively rather than multiplicatively — which is sometimes even meaningful, but it is still not what we want, because in many applications this Z is actually huge.

And if I say many applications: what happened is that people really wanted this chain rule for many, many applications, and they could never prove it. Fortunately, in many applications they found a kind of workaround.
Leo showed you one yesterday for deterministic encryption, which basically hinged on the fact that the conditioning part was close to uniform, and then he was able to pull the argument through.

Okay, and because I actually have a lot of time — I thought I would still be talking about leakage resilience at this point — let me restate the definition of conditional HILL entropy; it doesn't hurt to see it again. We said that X conditioned on Z has k bits of HILL entropy if there exists some joint distribution (Y, Z) — we use the same letter Z as above, which means the marginal distribution of the second part of (Y, Z) and of (X, Z) is identical — where Y conditioned on Z has high min-entropy. The tilde over the H refers to the average-case min-entropy notion that Leo showed you yesterday. He didn't use the tilde, but it is often written that way so as not to confuse it with the more historical worst-case notion of conditional HILL entropy; this average-case one is the right notion. Moreover, this high-min-entropy (Y, Z) must actually be (epsilon, s)-indistinguishable from (X, Z).

So what are the notions that people came up with in other applications? That was conditional HILL entropy. One variant is relaxed HILL entropy — Leo also mentioned this yesterday. What we change is: it is no longer required that there exists a distribution (Y, Z) whose marginal on the second part is identical; we allow any Z', so there just must be some distribution (Y, Z'). We still want Y conditioned on Z' to have high min-entropy — that is the same as before — and we also still want the indistinguishability property, which stays the same. And it's easy to see: if X conditioned on Z has k bits of (epsilon, s)-HILL entropy, what can you say about its relaxed HILL entropy?
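For reference, the two notions just defined can be written compactly as follows. This is my own symbolic paraphrase of what is on the board; the tilde denotes the average-case min-entropy from yesterday, and $\sim_{\varepsilon,s}$ denotes $(\varepsilon,s)$-indistinguishability.

```latex
\tilde H_\infty(Y \mid Z) \;=\; -\log \, \mathbb{E}_{z \leftarrow Z}\Big[\max_y \Pr[Y = y \mid Z = z]\Big]

% conditional HILL entropy: the Z-marginal must match
H^{\mathrm{HILL}}_{\varepsilon,s}(X \mid Z) \ge k
\;\iff\;
\exists (Y,Z):\; \tilde H_\infty(Y \mid Z) \ge k
\ \text{ and }\ (Y,Z) \sim_{\varepsilon,s} (X,Z)

% relaxed HILL entropy: any Z' is allowed
H^{\mathrm{HILL\text{-}rlx}}_{\varepsilon,s}(X \mid Z) \ge k
\;\iff\;
\exists (Y,Z'):\; \tilde H_\infty(Y \mid Z') \ge k
\ \text{ and }\ (Y,Z') \sim_{\varepsilon,s} (X,Z)
```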
It has the same amount — but the other direction is not true, because Z' = Z is just a special case, and as we will see it can really help to have this leeway. And if your application is happy with this relaxed notion, you're fine: you can use the leakage chain rule.

Next, decomposable HILL entropy — I think this is basically the same as the modular HILL entropy that we saw yesterday. This strengthens the notion of conditional HILL entropy in the following sense: X conditioned on Z having HILL entropy means that X is hard to distinguish from something with high min-entropy given Z; decomposable means it is hard even for every particular value of Z — for every particular z, you can have a different distinguisher. So the starting statement here is stronger: we want the guarantee for every particular choice of the conditioning part.

Let me give an example, just to show you that it's not the same notion. Who sees a good distribution that has high decomposable but not high HILL entropy? I should have thought that up before — any suggestions? [From the audience: the plaintext.] Yes — you showed it yesterday. The message M, conditioned on an encryption of M under some secret key — and the public key, yes. Because for any particular public key there exists a distinguisher that, given the ciphertext, tells you whether this is M or something different: for every particular public key there exists a secret key, so the distinguisher can hard-wire it, decrypt, and check.
On the other hand, if this is a random public key and a ciphertext under it, then without the corresponding secret key you will not be able to distinguish the encrypted message from something uniform. So the decomposable notion is really a much less useful notion: even though it looks like a conditional notion, it basically says that X has HILL entropy unconditionally — it is piecewise high HILL entropy, conditioned on every particular value.

And then there is a notion called sampleable HILL entropy. It has been used by Kalai, Raz, and a further author whose name I forget, for a very nice application called a memory delegation scheme. They also would have liked to have a chain rule for conditional HILL entropy. They didn't have one, but they had one extra property. Namely, they had this distribution (Y, Z), where Y had high min-entropy given Z, with the extra property that Y is efficiently sampleable given Z. That is just an extra property you can require from (Y, Z): whenever I give you the Z part, there exists some algorithm that takes this z and some random coins and outputs a sample of Y, such that the output distribution of the sampler on z is, let's say, at least statistically close — or computationally indistinguishable — from the conditional distribution of Y given Z = z.

Okay, so what do we know? Decomposable and sampleable seem to be incomparable. [From the audience: pseudorandomness.] Yes — if X is pseudorandom conditioned on Z, so it has maximal HILL entropy, then Y would be the uniform distribution, and the uniform distribution is efficiently sampleable. There are more interesting examples, but the uniform one is actually important already.
Because it means that if you start with something that is close to uniform conditioned on stuff, you actually do get the conditional chain rule — and I think that was exactly the setting in which they used it.

So, lots of esoteric notions. To summarize: k bits of decomposable HILL entropy imply k bits of normal HILL entropy; sampleable likewise implies the same amount of HILL entropy; decomposable and sampleable are, I think, incomparable; and normal HILL implies relaxed HILL. And funnily enough, going back to the leakage chain rule: it has been proven for all these variants of HILL entropy — the stronger notions and the weaker notions — except for the standard one. What I want to show you in the next hour is that for the standard one it is in fact wrong.

I will take quite a detour — in fact, I will show it the same way we figured it out, which was by working on something totally different, namely deniable encryption. So what is deniable encryption? It was proposed by Canetti, Dwork, Naor, and Ostrovsky in 1996. It is one of those notions that has been around for about two decades now and has been annoying people for pretty much as long as it's been around, because it is arguably a natural notion and people could neither prove that it exists nor that it doesn't exist.

Before I tell you what is or isn't known, let me define it. Basically, deniable encryption is defined the same way as public-key encryption. There is a sender: he gets a security parameter — let me make that explicit, a security parameter n in unary — and a bit b; we will just encrypt one bit, which is sufficient for the sake of this argument. And there is a receiver, who just gets the same security parameter.
Now the receiver and the sender, as in a public-key scheme, can both use random coins — let me also make this explicit. The sender initially samples random coins r_S; the receiver samples random coins r_R; these they will use in the protocol. Then they can talk for a few rounds if they want, back and forth, and at the end of the day the receiver has to output a bit b'.

What properties do we want from such a sender-deniable encryption scheme? We will have three parameters. We will say that the scheme is (epsilon(n), delta(n), T(n))-sender-deniable if the following is true. Just to look ahead: epsilon(n) and delta(n) are security parameters, which we want to be negligible in n, and T is basically the running time of the distinguishers against which we want to be secure. So at the end of the day, for any polynomial T, we want epsilon(n) and delta(n) to be negligible — standard security parameters — but it will be important to keep them explicit here.

First, correctness. In standard public-key encryption schemes we usually want perfect correctness: if nobody interfered with the communication, the receiver should output exactly the bit that the sender put in. Here we will necessarily have to relax this a little bit. What we require is that the bit the receiver outputs at the end equals the bit the sender started with, with probability at least 1 − epsilon. So if epsilon is very small — negligible — that is as good as perfect correctness.

Second, security. This property is also defined the same way as for standard public-key encryption schemes. Let me call this distribution here the transcript, trans(b, r_S, r_R): once we fix the bit b and the randomness of the sender and the receiver, the entire transcript is fixed.
So let me just abbreviate it T(b, r_S, r_R), and let me define T_b to be the random variable that takes these transcripts as values, for uniform choices of the randomness of the sender and the receiver.

So what does security mean for a standard encryption scheme? Basically, whoever sees this transcript should not be able to distinguish transcripts that transfer a zero from transcripts that transfer a one. Security simply means (delta, T)-indistinguishability: for any adversary who runs in time T and sees the transcript, she cannot distinguish whether a zero bit or a one bit was communicated, except with advantage delta. So again, if delta is negligible, that is the standard notion.

So far, everything is just a standard public-key encryption scheme — or a bit-agreement scheme, I should say. Now comes the interesting property: deniability, or sender deniability, I should say — this is the extra property. But let me mention: if we have a sender-deniable scheme, you can also get a receiver-deniable scheme at the cost of one extra round of communication. So, without loss of generality, sender deniability.

This basically means the following. The local mafia guy comes to the sender with a gun and says: listen, I saw the communication — you sent some bits to the receiver, and I think you were talking about me. Show me what you communicated. So Alice has to open all the randomness and all the bits that she sent over to the receiver. And what deniability means is that she can lie about that. Formally, there exists some faking algorithm — let's call it phi — with the following property. Assume the bit b is uniformly random.
And the randomness of the sender and the receiver was also honestly sampled; denote the resulting transcript C — so now C is a random variable. This faking algorithm phi takes as input the bit b that was sent, the randomness of the sender — that is, Alice, shaking because of the mafioso, has her randomness and the bit that she sent — and the transcript. This is all the information the sender has. You apply this faking algorithm and it outputs some new randomness r'_S, and this r'_S has a fun property: it looks like authentic randomness, but for the opposite bit.

So what happened is: Alice chose a bit b, chose randomness r_S, and there was this transcript C. The mafioso saw the transcript C, comes to Alice, and says: what bit did you send? And she would like to lie — she wants to convince him that it was 1 − b. Deniability says there exists this faking algorithm that allows her to take the bit b, the randomness r_S, and the transcript C, and come up with fake randomness such that the result is computationally indistinguishable from her having honestly sent the bit 1 − b.

Of course, the mafioso can say: it's kind of suspicious that you used deniable encryption in the first place. But maybe that is just how the communication with, say, her bank was specified — she had to use it, and she did everything honestly. The point is that there is no way the mafioso can know whether she is really being honest and showing him what she sent, or whether she actually used the faking algorithm. Maybe this looks like a terribly useful notion — it is natural, and it would be nice to have — but there are some caveats.
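Before the caveats, let me put the three properties side by side. This is my own schematic paraphrase of the definition, with $C = \mathrm{trans}(b, r_S, r_R)$ for honestly sampled $b$, $r_S$, $r_R$; it is not a verbatim formal statement.

```latex
\textbf{Correctness:}\quad
\Pr_{r_S,\,r_R}\big[\,b' = b\,\big] \;\ge\; 1 - \varepsilon(n)

\textbf{Security:}\quad
T_0 \;\sim_{\delta,T}\; T_1
\quad\text{(transcripts for } b=0 \text{ and } b=1 \text{ are } (\delta,T)\text{-indistinguishable)}

\textbf{Deniability:}\quad
\big(C,\; \phi(b, r_S, C)\big)
\;\sim_{\delta,T}\;
\big(\mathrm{trans}(1-b,\, r_S,\, r_R),\; r_S\big)
\quad\text{for uniform } b
```

In words: the faked opening of a transcript for $b$ must look, jointly with the transcript, like an honest opening of a transcript for $1-b$.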
For example, if the protocol may specify that you have to delete things, you can get deniability quite trivially. So it is maybe not as useful as it looks, but it is still a very natural thing — to have, or at least to know whether it exists and whether you can construct it or not. So, any questions on this definition so far?

This was defined twenty years ago. What is known to be possible? A few things. First, if the protocol allows erasures, it is possible: the sender can simply delete the randomness, and then basically all the sender has to say is, I don't know anything — I sent this message and I don't keep my randomness. Trivial, right?

Another thing that is known: it is possible if delta is roughly one over the communication complexity — so one over a polynomial. You can have a deniable scheme where the sender and the receiver exchange Theta(n) bits and this delta is 1/Theta(n). That may also be good enough for many applications.

And then there is something else known. Here we assumed that the sender actually uses the honest encryption algorithm for the communication. It is quite easy to come up with schemes where we have two encryption algorithms, the honest one and a fake, or cheating, one. Now if the sender uses the cheating one, she can later easily lie about having sent something different, with respect to the honest encryption algorithm. So if you know in advance that you may want to lie later, you can — but it is not clear how useful this is: if the mafioso comes and assumes that you used the cheating one to start with, you are back to the same problem.
So that is essentially what was known until about two years ago. Not much, actually — in particular, whether it is possible at all remained open. And there have been papers constructing these things, but all of them were flawed. In particular, there was a Eurocrypt paper with a famously flawed proof, which we actually used: the first counterexample we had, based on one-way functions — I won't show you that one — was based on their flawed proof. It was still good enough for the counterexample, just not good enough for deniable encryption.

Okay. So how do pseudoentropy and min-entropy — entropies — come into the picture when we talk about deniable encryption? You see, correctness is not perfect, and you can immediately see that this is necessary. Why? If correctness were perfect, it would mean that no matter what randomness I choose, the transcript is consistent with only one possible bit. It cannot be that two different random strings are consistent with the transcript for two different bits, because either of those choices of randomness could have been the honest one — which immediately means there must be some decryption error. So there is going to be a decryption error, but we want it to be negligible.

Let us cast this in terms of the possible choices of randomness for the sender. So assume you observe the transcript C. Let this space here — let's call it R_C — be all the choices of local randomness for the sender that are consistent with C.
Consistent means: with this concrete randomness, the sender would have produced exactly the outgoing messages in this transcript — so if I am the mafioso and I get the randomness, I can check it against the transcript. And not only do I want these to be consistent with C, I also want R_C to contain only the choices of randomness with no decryption error: the choices of r_S such that, when the sender uses this random string to send a bit b to the receiver, the receiver decrypts and actually gets the correct answer.

And let us define another set — let me draw it inside here — R'_C, which is defined the same way, but now with a decryption error. These are the choices of randomness that the sender could have used to encrypt a bit b, such that they are consistent with the transcript, but where the receiver would actually have decrypted wrongly. So, the same as before, plus a decryption error.

Having said that, what does the faking algorithm do? Remember, the faking algorithm takes some randomness, together with the bit that was encrypted — say randomness under which the bit decrypts correctly — and maps it to some new randomness that decrypts to the wrong bit. So it maps this r_S in R_C to some r'_S in here, in R'_C. And if we apply the faking algorithm again, it has to jump somewhere out again, and so on — pictorially, that is how we can think about what this faking algorithm does.

And now I can actually express the decryption error, which we said was epsilon, in terms of the sets R_C and R'_C. Because what is the decryption error? First of all, I will assume that this picture looks the same for every possible transcript, just for the sake of this talk.
It could be that for some transcripts the decryption error differs, so that there are more or fewer choices of random strings, but let us assume that for every possible transcript the picture of good and bad random strings — those that decrypt correctly versus wrongly — looks roughly like this. Then the decryption error simply means that I pick a random point in this big circle and land in the small circle R'_C. So, in terms of the sets, the decryption error is simply the size of R'_C divided by the size of the entire thing. And as we said, we want the decryption error to be at most epsilon.

[Question.] Yes — so then you land here, and here this would be phi applied with 1 − b to the r'_S that we got, and so on; and then you would get an r''_S that jumps back, and so on.

[Question: the set of possible outputs of phi for a given transcript — it has to map this big thing to a small thing, and it is deterministic?] Yes, but note: you cannot know whether your randomness decrypts correctly. The mafioso — and the sender — do not know what the receiver decrypted. We just have the guarantee for the sender that if she picks her randomness uniformly at random, the decryption error is epsilon. You will never know whether the string you picked was in the big circle or the small circle. Because otherwise we could drive the decryption error to zero: if I as a sender could tell that there is going to be a decryption error with my randomness, I would just re-sample. Inherently, you are not allowed to be able to know that.

Okay, but this is an important observation. Why is it important? Because it means that the set R_C of good random strings has to be sufficiently bigger than the error set. In particular, this basically means that log |R_C| has to be at least something like log |R'_C|
— times log(1/epsilon); or rather, since we took logs, plus: log |R_C| has to be at least roughly log |R'_C| + log(1/epsilon). And this log(1/epsilon) has to be omega(log n) — superlogarithmic — because we want epsilon to be negligible. That is what negligible means explicitly: epsilon has to be smaller than one over any polynomial, which is equivalent to saying that log(1/epsilon) is superlogarithmic.

And this observation will already be enough to give you a counterexample to the conditional chain rule. So what are the distributions? I will now give you a distribution — A conditioned on B, say — and show you, first, that it has really high-quality HILL entropy: cryptographic quality, against any polynomial adversary, with negligible distinguishing advantage, and lots of it. And then I will condition on just a single bit, and it will destroy a lot of that entropy, even if you consider much, much weaker distinguishers. So it will be as frustrating as it can be. Okay, so here is the distribution.
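Before the distribution itself, a quick mechanical sanity check of the set-size arithmetic we just did — a sketch with made-up set sizes standing in for R_C and R'_C:

```python
import math

def decryption_error(good, bad):
    """Probability that a uniform consistent random string lands in the
    error set R'_C (the small circle), out of the whole picture."""
    return bad / (good + bad)

good, bad = 2 ** 40, 2 ** 20   # illustrative sizes for |R_C| and |R'_C|
eps = decryption_error(good, bad)

# The gap between the set sizes, in bits, is essentially log(1/eps):
gap = math.log2(good) - math.log2(bad)
print(gap, math.log2(1 / eps))   # 20.0 vs just over 20
```

So demanding a negligible epsilon — a superlogarithmic log(1/epsilon) — forces the good set to be superpolynomially bigger than the error set, which is exactly the leverage the counterexample will use.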
I pick a uniformly random bit B, I pick uniform randomness R_S for the sender, I pick uniform randomness R_R for the receiver; okay, that's what I picked so far. Then I compute the transcript C that corresponds to these values: I have a bit that I want to send, sender randomness, receiver randomness. And something I should mention here: I pick the randomness for the sender so that the receiver decrypts correctly, so with very small probability I have to re-sample, but basically R_S is almost uniform — it's epsilon-close to uniform. It will make the argument slightly cleaner if we assume that R_S and R_R are chosen such that there is no decryption error. Then I apply my faking algorithm to all this: I have a bit B, I have the randomness, I have a transcript, and I call the new variable R_S'. Okay, so what can I say about these variables? I claim that this R_S' has high HILL entropy given C. In particular, what I claim is that this R_S' is computationally indistinguishable, (delta, T)-indistinguishable, from the uniform distribution on this entire space. Indistinguishable from the uniform distribution on what? Let me introduce this notation: R_C is the set of all possible choices of random strings for the sender — and actually I assume it's the correct ones, though this doesn't really matter. So I claim that this string is indistinguishable from the uniform distribution on this huge set. And why is that? That's the deniability property. If you could distinguish — I picked the random string R_S, I used the faking algorithm, I got something else — if you could distinguish this from the uniform distribution on this set, you could tell that I cheated; you could say this doesn't look like a uniformly chosen R_S'. But we explicitly assume it does: in particular, we assume it's (delta, T)-indistinguishable from uniform, and this holds conditioned on the transcript. So that follows directly from the definition of deniability. But what does that mean? This of course means, by definition, that the HILL entropy of R_S' conditioned on C is at least log|R_C|: R_S' conditioned on C is indistinguishable from some variable with very high min-entropy, namely the variable that is uniform on this set, and the variable that is uniform on this set has min-entropy log of the size of the set. So it has a lot of min-entropy. So now, who sees how to destroy this? I give you one bit: you can condition on one extra bit, and I want you to destroy a lot of this nice HILL entropy. So there is this R_S', there is this C that everyone sees, and I can pretend R_S' is one of those many strings in this big set. So now, can somebody give me just one bit, a spoiler, that destroys a lot of it? What should you tell me to ruin this? What?
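A tiny numeric sketch of the counting that drives this step, with hypothetical toy set sizes: uniform on a set of size 2^k has min-entropy exactly k, and any distribution with one more bit of min-entropy than uniform-on-R'_C puts at most half its mass inside R'_C:

```python
import math
from fractions import Fraction

# Hypothetical toy universe: 8 "good" sender strings, of which 2 form
# the small bad set R'_C.
R_C = set(range(8))
R_prime_C = {0, 1}

# Uniform on R_C has min-entropy log2 |R_C| = 3 bits.
min_entropy_uniform = math.log2(len(R_C))
print(min_entropy_uniform)  # 3.0

# A distribution Y with min-entropy >= log2 |R'_C| + 1 gives every
# point probability at most 1 / (2 * |R'_C|), so its total mass inside
# R'_C is at most 1/2: a sample lands outside R'_C at least half the
# time, where a consistency check against the transcript exposes it.
p_max = Fraction(1, 2 * len(R_prime_C))
mass_inside = len(R_prime_C) * p_max
print(mass_inside)  # 1/2
```

This is exactly the mass-counting step used in the contraposition argument below.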
B, yeah. So what happens now — what can we say about the HILL entropy of R_S' conditioned on C and this one single bit B? I don't think I need to write this up. What I claim is that once I condition on this bit B, the HILL entropy goes down to, let's say, log|R'_C|. So first of all, this is the small set, the set here that was a factor epsilon of the big set, so in particular it has log(1/epsilon) bits less of HILL entropy. And what about the quality? To make the counterexample even stronger, I would like this to be of much worse quality than before, and I claim that here I can replace delta with any constant smaller than one — let's say one half, so a huge distinguishing advantage — and against some small, fixed, polynomial-size distinguisher. In fact, the only thing this distinguisher has to do is, given a transcript, verify that the transcript is consistent with some given random string; and because deniable encryption has to be efficient, this is going to be some small fixed polynomial. So why is this true? The first statement I'm not going to prove, I think it follows from the definition; let's prove this one. The proof is by contraposition. Assume not: assume there exists some Y such that the min-entropy of Y given C, B is bigger than log|R'_C| plus one. So this is some distribution on strings whose min-entropy is at least one bit bigger than the uniform distribution on R'_C. What does it mean that the min-entropy is one bit bigger? This Y must look something like this: maybe this Y contains all the strings in R'_C — that's actually a clever thing to do if you want to be as indistinguishable as possible from the uniform distribution on R'_C — but it additionally takes something else, I don't know what. So this is Y, and this Y is slightly more than twice as big as R'_C, which means that with probability more than one half, if I pick something according to the distribution of Y, I will land outside of the set R'_C. But if I land outside of the set R'_C, I can actually distinguish: I can immediately tell that this is not a sample from R'_C, because I got a string that is inconsistent with C. So either it's inconsistent with C — that's when you land here — or it's consistent with C but not for this bit B, only for the opposite bit 1 minus B; that's when it actually landed in R_C. So there is a distinguisher that, with probability more than one half, can distinguish Y from the distribution of R_S'. So what does that mean, should I write this up? Okay, I'm not going to write it up, but this proves it, right? I have a contradiction: it's not true that Y cannot be distinguished from the uniform distribution on R'_C by a polynomial-size distinguisher, because I can give you this distinguisher. The distinguisher takes the sample, checks if it's consistent with the bit — actually the bit 1 minus B — and the transcript C, and says "I think this is the distribution Y, not the other one" whenever it's not consistent. And because Y falls outside of R'_C with probability strictly more than one half, it will be inconsistent that often, so the distinguishing probability will be strictly more than one half. Okay, so summing up, what did this show? I showed you a joint distribution of three variables, namely
R_S', C, B, such that the decrease in HILL entropy from conditioning on this one additional bit B is large — namely at least log(1/epsilon) minus one, okay, whatever; it was large, it was omega(log n) if we assume that epsilon is negligible. And not only that: the decrease in quality was also massive, right? Here we have cryptographic-strength indistinguishability, and after conditioning on this extra bit we don't even have HILL entropy against really, really weak, fixed polynomial-size distinguishers with constant distinguishing advantage. Okay, so where do we go from here, because we still have more time than expected. So, yes, exactly — this presentation follows the historical development of this thing. What happened is: we looked into deniable encryption, and then we got really excited, because we thought, okay, now let's prove the conditional chain rule for HILL entropy and kill this object once and for all. But then we realized it's actually not deniable encryption that's the problem: the chain rule itself was wrong, and I will now show you a counterexample just from one-way functions. Once you know it's wrong, you can find all kinds of counterexamples based on all kinds of assumptions; in fact, the weakest assumption we need is that NP is not in P/poly — then you get a counterexample, although the distribution is not efficiently samplable, but you get it from very weak assumptions. And actually, half a year after we had this counterexample, the first non-broken candidate constructions for deniable encryption appeared, based on iO, indistinguishability obfuscation. So now, if you had to bet: deniable encryption probably exists, and the conditional chain rule for HILL entropy is almost certainly wrong — unless you believe P equals NP, in which case all these notions collapse, because then HILL entropy is the same as min-entropy and the chain rule is true. So: a counterexample from one-way functions. In fact, I will not do it from one-way functions but from slightly stronger objects, injective one-way functions. Injective one-way functions are functions where every input x maps to a different value, so there are no collisions. And I don't even want to start from injective one-way functions, but from something even stronger, namely perfectly binding bit commitments, which we know how to construct from injective one-way functions. Okay, so I will now show you the definition of a perfectly binding bit commitment scheme, I will shortly sketch how to construct one from any injective one-way function, and then we construct the counterexample from this commitment scheme. Okay, so who knows what a bit commitment, a commitment scheme, is? I think if you are in crypto — okay, let me go fast. It's a probabilistic function, perfectly binding. This color is a bit annoying; what do you want, blue? So this commitment function Com takes a bit B and some random string R — it's probabilistic — and outputs something. And the perfectly binding property that we will need says that whenever the outputs of the commitment are the same, the inputs were the same. In fact, I need a strong notion of perfectly binding: typically you only require the bit B to be the same, you don't care about the R's; I need the strong notion where the opening is unique, so there are no two random strings, even for the same bit, that map to the same commitment. This will be convenient for the counterexample, and we can construct these things easily from injective one-way functions, as I said. In particular this means that once you see the commitment, there is no way to open it to two different bits — in fact, not even to two different choices of randomness — which will be
useful for us. The other property we need is that it's computationally hiding. What does that mean? R_n is just a uniformly random string whose length depends on the security parameter n, and we want the commitment to 0 to be computationally indistinguishable from the commitment to 1, even though these two distributions are clearly disjoint, as implied by the perfect binding property. So how to construct such a commitment — a little detour. Assume f is an injective one-way function. To commit to a bit B using randomness that consists of two parts, s and x, we do the following: the commitment is the s part of the randomness in the clear, then f applied to the input x, and then the last part is B XORed with the inner product of s and x. Tomorrow you will see the definition of hardcore bits: if f is a one-way function, x is uniform, and s is random and public, you can show that the inner product of s and x is a hardcore bit, so it will be computationally indistinguishable from random given f(x) and s. And once I have this pseudorandom bit, I can use it like a one-time pad to blind the committed bit B; this shows the hiding property. Why is it perfectly binding? Because f is injective: given f(x) there is just one choice of x, and once x is fixed, this inner-product bit is also fixed, so there is only one way in which I can open this commitment. So now, how to construct a distribution that contradicts the conditional chain rule, the leakage chain rule? Again, let me give the distribution, and then we will show the properties: it has high HILL entropy, but if you condition on one extra bit B, which we sample at random, it massively drops. So we sample this bit B, and we sample 3n random strings for our
commitment scheme. These are just 3n random strings for the commitment scheme, and n is some parameter. The gap that we will get in the HILL entropy is going to be n bits: we will get n bits of HILL entropy for one distribution, and after conditioning on one bit it goes down from n to zero, and the length of all the variables will be polynomial in n. Now let me define a variable X as follows: we simply commit to 3n bits. First we commit n times to the bit B, using r_1, r_2, and so on, and 2n times to the opposite bit — nothing special, right? I chose a bit B, I commit n times to the bit B, 2n times to the bit 1 minus B, and then, to hide which commitments are which, I sort these 3n strings — sort or randomly permute, it doesn't matter. X is this sorted list of commitments; sorting means I think of each commitment as a bit string, as a number, and I sort them lexicographically. This is basically just to hide which of the commitments commit to B and which commit to 1 minus B. So this is my variable X. Then I define another variable Z, and Z is going to be the randomness used in the n commitments to the bit B. So I have these 3n commitments, n of them commit to the bit B, and the randomness for these n commitments is called Z; that's just a random variable. Okay, let's check some facts. What do we know about, say, the min-entropy of Z conditioned on X? I give you X; you're computationally unbounded, as we talk about min-entropy. But if you're computationally unbounded and it's a perfectly binding commitment, you can compute all the B's and all the R's — remember we said the commitment is injective. And then you will see: one, you will figure out B, because 2n of the commitments commit to one bit and n of them commit to the other; then you pick those n random strings that were used for the commitments to B, and you're done. So this min-entropy is 0. Is that clear? Let's say the randomness strings are also sorted, just so you have no freedom of choice in the ordering. Okay, let's see what else we know. What do we know about the HILL entropy of Z conditioned on X and B? I claim that this is also going to be basically 0. What does that mean? It means: I know X and B — maybe I'm computationally very bounded, but I know X and B — and now you come to me and claim that there is a variable with non-trivial min-entropy whose samples I cannot distinguish from the correct string r_1 to r_n. But that's not possible, because I can distinguish. Here is the observation: given X and B, I can distinguish r_1 to r_n from any other variable, very efficiently. Why? There are n commitments; I just check which randomness belongs to which commitment, I open them, I see if really all these n commitments commit to B, and there is only one string r_1 to r_n that will pass this test, simply because the commitment is injective. So just by construction there is simply no freedom here. Should I write this out? I claim this is basically 0 even against very weak adversaries, even if I only ask for distinguishing advantage one half and a fixed polynomial. But let's go to the interesting case. So far I showed it the one way around: with the bit B there is nothing left — once you know which bit B was committed where, I can verify. But without this bit — let me use the blackboard for this. Assume you see these commitments; this is the variable X, these are our commitments c_1, c_2, c_3, c_4, c_5, c_6 — you see 3n commitments, and n is 2 here. So there was a bit B; let's say for concreteness it was the bit 0. n of them, say these two, are commitments to the bit B = 0, whereas the other ones are commitments to the bit 1 minus B, so to the bit 1. So this is the variable X, remember: 3n commitments, n of them to the bit B, 2n of them to the other bit, and then I sort them, so it's hidden which ones are the 0-commitments. And what is Z? Remember, Z was the randomness in these two commitments — call it r_1 and r_2, or maybe it was the other way around. Now, if you know the bit B, if you know it is 0, then you can distinguish r_1, r_2 from any other distribution by simply checking: I get r_1, r_2, I have the bit B, and I simply check — I commit to the bit 0 using this randomness, and I check if these two commitments appear somewhere in the list. I don't know where
they are, but they must be somewhere there, and I know that there are exactly two of them, because I got the correct bit B. So that was the first statement. And the other statement: if I do not know B, I claim that the HILL entropy of Z — the randomness used to commit to the bit B — given the commitments c_1 to c_3n is very high. To prove this, you have to come up with a distribution that you cannot distinguish from this distribution (actually Z here is not really a distribution, it's just one possible value), and this new distribution should have high min-entropy. So what could this distribution be? How can you fool me if I don't know B? You have to come up with a Y such that (Y, X) is indistinguishable from (Z, X), and moreover this Y should have large support, high min-entropy; I can already tell you it's going to be more than n, so there should be exponentially many possibilities for this fake choice. So if I don't know B, somebody could come to me and say: look, pretend that B was 1, not 0 — and you cannot tell the difference, by the hiding property of the commitment scheme. He says: look, B was 1, I promise, and there are going to be two commitments to 1 hidden somewhere here. Actually he's lying: because he lied about B, there are not just 2, there are 4 — not just n, there are 2n. So then he says: I give you this randomness and this randomness. And I check: yes, that looks perfectly fine; if B really was 1, I commit to the bit 1 using this randomness and it looks good. Or he could give me this randomness and that one, or this one and this one — you get the idea. How many choices does he have? There are 2n commitments to the bit 1 minus B, and he can give me any n of them. So this Y can be uniform over a set of size 2n choose n, which, if we take the log, is at least n. So I claim that the uniform distribution over these more than 2^n possible n-tuples of randomness is computationally indistinguishable from Z if you don't know B. This you can prove by a hybrid argument using the hiding property of the commitment scheme, and once you prove that, we have established a distribution Y with high min-entropy that is indistinguishable from Z, so the HILL entropy of Z conditioned on X is high. It probably takes a while to get your head around this counterexample, around the fact that the chain rule is wrong. So what is going on here? Basically you have this set of commitments; the variable you're interested in is an opening of n of them to some bit B that you know is either 0 or 1. Once you know this bit B, there is only one possible set of n commitments that you can open. But if you don't know this bit B, you can easily be fooled: there are exponentially many choices to open n commitments to the opposite bit, and you can't distinguish these two cases. So there is lots of HILL entropy in this variable that is the opening of the correct n commitments, but once somebody gives you the bit B — once he tells you which bit appears only n times, not 2n times — all this choice is gone. I think that's the most important thing to understand: in the computational setting it is really possible that one single bit destroys all this beautiful HILL entropy. Right, so that was everything I wanted to say about the counterexample for HILL entropy, and we have 15 minutes left. So what I could do in the last 15 minutes — are there questions so far? We have time for questions — or otherwise I go back to last hour and sketch another construction of a leakage-resilient stream cipher, which is actually much simpler than the one we saw before, and which is not based
directly on the chain rule for HILL entropy — okay, it uses it in the proof — but more on something that Yevgeny told us about, namely that weak PRFs are secure even in a model where the keys come from a non-uniform distribution. So let me do that; no questions, okay. So what is a weak PRF? I think all of you probably know the definition of a pseudorandom function: it's a family of functions indexed by a key k, with the following property: if the key is chosen uniformly at random, an adversary who can query the function on inputs of its choice cannot distinguish the outputs of this function from the outputs of a uniformly random function. That's a PRF. Now it's natural to ask, in the leakage-resilient crypto setting, what happens if the adversary gets, say, one bit of information about the key. Say we have some leakage function, and the one bit of information that the adversary leaks is the first bit of the PRF with key k on input zero. If the adversary gets this one bit of information, the security of the PRF is totally gone, because now I can distinguish the PRF from uniform simply by querying on the input zero and checking whether the first bit of the output is consistent with what I got as leakage. So even with just one bit of leakage I get distinguishing advantage one half. That's a PRF. So what is a weak PRF? A weak PRF is also a family of functions indexed by a key, but the security experiment is defined differently. In the PRF game the adversary chose x and got back either f_k(x) or the output of a random function, and he had to distinguish these two. In the weak PRF game we slightly change the experiment: now the input x is not chosen by the adversary; it is also chosen uniformly at random, and the adversary again has to distinguish the output of the PRF from the output of a uniformly random function. The game is not drawn very well here, but you get the idea. What is important is that the attack I showed you before doesn't work anymore. If I can leak something about the key k — say I again leak the first bit of f_k on the input 0 — but now I play the weak PRF game, and the domain of the PRF is sufficiently large, typically 256 bits or so, exponentially large in some security parameter, then there is no chance that the random inputs I get are going to hit 0, or whatever other input I chose in the leakage function. So there is some hope that such a function f is still indistinguishable from random on random inputs, even given some leakage about the key k. And in fact that's what Yevgeny showed last time: if f is a PRF, then even given leakage about the key it remains a weak PRF, and what you lose is basically something exponential in the amount of leakage — which is not surprising, you have to lose something — there is also a square root, and you lose a factor of 2 in the number of queries: this gives a weak PRF against one random query if you had two queries here, and more generally, if you have 2k queries here, you get k queries there. This is just recapping what Yevgeny said two days ago. So how can we use this to construct a leakage-resilient stream cipher? Here's the idea: we take a PRF F, which we know is also a weak PRF, and we do something very similar to the stream cipher I showed you last hour. So we will
have some key k_0, some random input x_0, and actually also some k_1. So the initial state of our stream cipher is two keys k_0 and k_1 for the PRF and some random input x_0; actually x_0 does not even have to be secret — you can think of it as the first output of the stream cipher. And the construction goes as follows: in step i you take k_i and x_i and you output k_{i+2} and x_{i+1}. So this is going to be x_1, this is k_2, this is going to be k_3, this is x_2 — you get the idea. The important thing is that you already recognize the alternating structure from before: the input x_{i+1} I'm going to use in the very next round, but the new key k_{i+2} only two rounds later. This ensures that there is some kind of independence between the x_i's and the k_i's. And you see, before we had a PRG and an extractor, but now the extractor is gone; this is the whole leakage-resilient stream cipher. So in the last five minutes let's recap the argument we did an hour ago. What does it mean that it's leakage-resilient? It means — let me recap the definition — that we want x_i to be indistinguishable from uniform given what? Given x_1 up to x_{i-1} and the leakage. So what was the leakage?
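The alternating construction just described can be sketched in code. This is only a toy sketch: SHA-512 stands in for the (weak) PRF F, and splitting its 64-byte output into the next-next key k_{i+2} and the next value x_{i+1} is my illustrative choice, not something fixed by the lecture:

```python
import hashlib

def F(k: bytes, x: bytes) -> bytes:
    # Toy stand-in for the weak PRF: 64 bytes of SHA-512 output.
    return hashlib.sha512(k + x).digest()

def stream(k0: bytes, k1: bytes, x0: bytes, rounds: int) -> list:
    """Alternating construction: step i computes (k_{i+2}, x_{i+1}) = F(k_i, x_i).
    The key used in step i was produced two steps earlier, which is what
    gives the alternating independence between keys and public outputs."""
    keys = {0: k0, 1: k1}
    x = x0
    outputs = []
    for i in range(rounds):
        block = F(keys[i], x)
        keys[i + 2], x = block[:32], block[32:]  # new key k_{i+2}, output x_{i+1}
        outputs.append(x)
    return outputs

out = stream(b"K" * 32, b"L" * 32, b"X" * 32, rounds=4)
print(len(out), len(out[0]))  # 4 32
```

Note how round i consumes key k_i, which was written two rounds earlier, exactly the structure the security argument below relies on.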
Let's call this leakage lambda_0. So the adversary chooses some function f_1 and gets the leakage lambda_0, then he chooses f_2 and gets lambda_1, and so on. The only assumptions we make about these functions: first of all, the function can be chosen adaptively in every step — he chooses a function f_{i+1} after seeing the output x_{i+1} and the leakage so far. And what we want is that, even if this goes back a million steps, even given this leakage here and the million leakages before, this output here, x_2 say, should be pseudorandom given all the previous outputs and all the previous leakages. Let's see — this should go up to lambda_{i-2}, right, because given lambda_{i-1} you could actually compute the next output; so we give the leakage only up to the point where the statement is non-trivial. Exactly: given everything up to this leakage, the next output should be pseudorandom. And how does the proof of this statement go? Here we use the square-friendliness of weak PRFs. Assume we are at step i, and assume that what we guaranteed so far is: x_i is uniformly random and k_i has high min-entropy. I'm not going to write it up, since it's the last three minutes; I'm just going to sketch the argument. So this is k_i, x_i; in the experiment, k_i has high min-entropy and this x_i is uniformly random. Then by the square-friendliness of weak PRFs — the input is random and independent of k_i, and k_i has high min-entropy — the output is going to be pseudorandom. Now there is this leakage lambda_i here, so the output is no longer pseudorandom, but it still has high HILL entropy. At this point we again replace the high-HILL-entropy variables with variables that have high min-entropy, and we argue that these two games are indistinguishable; and then we do basically the same step as before: these variables have high min-entropy, the next output is indistinguishable from something with high min-entropy, and we can go on. Actually, I cheated a bit: I only showed you the square-friendliness argument for the case where the output of a weak PRF is pseudorandom if the key has high min-entropy and the input is uniform; in fact it is sufficient if both the input and the key only have high min-entropy and are independent — the parameters of course get worse. So that's it: this very simple construction is really a provably secure leakage-resilient stream cipher, just using the square-friendliness of weak PRFs. Okay, I think we can stop two minutes early, and I'm happy to take any questions.
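As a closing footnote, the one-bit leakage attack on plain PRFs from earlier, and the reason it fails in the weak-PRF game, can be sketched like this. It's a toy sketch in which SHA-256 stands in for the PRF; the function names are illustrative:

```python
import hashlib
import os

def F(k: bytes, x: bytes) -> bytes:
    # Toy PRF stand-in (illustrative only, not a proven PRF).
    return hashlib.sha256(k + x).digest()

k = os.urandom(32)
zero = b"\x00" * 32

# Leakage: one bit about the key, namely the top bit of F_k(0).
leak = F(k, zero)[0] >> 7

# PRF game: the adversary picks the query, so it queries 0 and checks
# the leaked bit -- distinguishing advantage about 1/2 from one bit.
def distinguish(oracle) -> bool:
    return (oracle(zero)[0] >> 7) == leak

print(distinguish(lambda x: F(k, x)))  # True: the real PRF is always flagged

# Weak-PRF game: inputs are uniform over a 256-bit domain, so the
# adversary essentially never gets to see F_k(0), and the leaked bit
# is useless -- this is why weak PRFs can tolerate such leakage.
x_random = os.urandom(32)
print(x_random == zero)  # False except with probability 2^-256
```

Against a truly random oracle the same check succeeds only with probability about 1/2, which is where the advantage-one-half claim from the lecture comes from.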