 So, hi everyone. I'm going to talk about this work on building non-interactive, non-malleable commitments from quantum supremacy. What I want to talk about today is how we make use of quantum hardness assumptions to get better results for classical cryptography, which is a technique, using a technique that we believe is interesting and new. And I also, so we use it to build non-interactive, non-malleable commitments, like I said. And we also use it, or more generally, it can be used to replace quantum hardness, sorry, it can be used to replace complexity leveraging with quantum hardness in many situations. And I hope to convey that to you today. Focusing on non-interactive, non-malleable commitments, let me start by quickly recalling what a commitment is. So, a commitment is a primitive that allows Alice, who has a secret input, M, to put this input in a box, lock the box, and send it over to Bob. And the requirement is that this box should not reveal the message M, unless Alice provides a key in the future that allows Bob to check that the message inside this box was indeed M. And we require that, at this later point, Alice shouldn't be able to change her mind about the message in the box. What actually happens in the protocol world is that Alice and Bob, either interactively or non-interactively, generate a transcript. This serves as a commitment to Alice's input. And later on, Alice sends some decommitment information that allows Bob to check that the committed value was indeed this message. And what we will care about in this talk is non-malleability, which is a stronger requirement, which requires that any adversary that has access to this commitment string should not be able to change the string in some way or hammer the box metaphorically to come up with a commitment to a related message. 
So note that this is stronger than hiding because it's possible that there exist schemes that hide the message M, but there are ways to manipulate the string so that you generate a string that commits to a related message without knowing what this message is at all. And that's what we want to avoid. So more specifically, the situation we want to consider is the following. There are three parties, Alice, Mallory and Bob. Mallory is expecting a commitment from Alice and Bob expects a commitment from Mallory. But what if Mallory turns evil and, instead of generating her commitment honestly, she takes the string she got from Alice, tampers with it in some way, and uses the resulting string as her own commitment to Bob. So this is what we want to avoid. And what do I mean by avoiding this? We want to guarantee that the value X that is committed by Mallory is independent of the value A that Alice was committing to. And there's been a lot of work trying to build commitments with such guarantees. They've unfortunately mostly been interactive, and there's this whole sequence of work; very recently, there were two concurrent works, one of which got two-round non-malleable commitments, which adds a message to the interaction pattern that I have here, from sub-exponential time-lock puzzles and sub-exponential DDH. And so we now have two-round commitments from sub-exponential standard assumptions. However, the more interesting question has been: can we build non-interactive non-malleable commitments from well-studied assumptions? And the reason that completely non-interactive non-malleable commitments are interesting is because they don't require any back and forth. So they don't require anyone to wait for the other party to respond. And they can be written down, so they can be broadcast on a ledger, they can be stored for future use, they can be relayed or transferred from one person to another.
And that's what's really exciting about the non-interactive version of this primitive. And towards answering this question, there was a work of Pandey, Pass and Vaikuntanathan that showed that if one assumes the existence of what are called adaptive or non-malleable one-way functions, which is a very strong assumption on one-way functions, then indeed non-malleable commitments that are non-interactive do exist. Subsequently, actually ten years later and a year ago from now, there was a work of Bitansky and Lin that showed that if one assumes time-lock puzzles and sub-exponential keyless incompressible functions, which are similar in spirit to the keyless multi-collision resistant hash functions that some of you may have heard about yesterday, then with those types of assumptions one can actually build non-interactive non-malleable commitments. However, these are not very well-studied assumptions. So can we do better in terms of assumptions? And the work that I'm going to talk about today answers this question, and says that indeed one can assume well-studied standard quantum and classical hardness assumptions, and sub-exponential versions of those assumptions. So specifically, we rely on quantum hardness of LWE and classical hardness of factoring, and non-interactive witness indistinguishable proofs. And we show that if you assume sub-exponential hardness of all of these primitives, then indeed non-interactive non-malleable commitments are possible. So before going on to our construction, let's go back to the definition and try to understand what it means to say that the value X committed by Mallory is independent of the value A that was committed by Alice. So what we want to intuitively say is that Mallory's behavior is independent of Alice, or independent of even the existence of Alice. So how can we formalize this? Well, one way to do it is the following.
Let's imagine another experiment where, instead of committing to her input, Alice in this other experiment just committed to zero. So Alice's input didn't even exist in this other experiment. And now let's look at the distribution of values Y that Mallory commits to in this other experiment. If we can guarantee that the distribution of X in experiment one is indistinguishable from the distribution of Y in experiment two, then that means that X is essentially independent of A. Because X is indistinguishable from Y, and Y is independent of A because the second experiment is independent of Alice's input A. So that's the definition we will strive to achieve. And towards achieving it, let me start with a very simple construction in a simplified setting. So let's assume that there are only two entities in the world, Alice and Mallory. And we will assign to Alice a commitment that is going to be quantum secure. So this is going to be an LWE-based commitment that is conjectured to be secure in the presence of quantum polynomial time adversaries. At the same time, to Mallory we will assign a commitment that is quantum insecure, but classically secure. So no classical adversary can distinguish commitments to input X from commitments to zero. However, quantum adversaries can actually break this commitment and find out the value that was committed. So this construction is binding and hiding according to the definitions of binding and hiding that I informally talked about before. Is it non-malleable? To answer this question, recall that we need to go back to the game with two experiments and argue that the distribution of X in experiment one isn't distinguishable from the distribution of Y in experiment two when Alice just commits to zero. How can we argue this?
Well, looking at these experiments, if one takes the transcript of an execution of either experiment one or experiment two, then given a quantum computer, it's possible to find out what X and Y are. And the reason is that we started with commitments for Mallory that were extractable in quantum polynomial time. So a quantum computer given such a transcript can find out what X and Y are. And if they're different, then we've built a quantum machine that actually distinguishes Alice's commitment to A from Alice's commitment to zero. So let me say that again, slowly: the man-in-the-middle Mallory, together with a quantum computer, is now a quantum polynomial time adversary that is able to decide whether it is in experiment one or experiment two. And so if X and Y are distinguishable, we have a quantum polynomial time distinguisher that breaks hiding of Alice's commitments. And this shouldn't be possible, because Alice's commitments were quantum secure. And so the distributions of X and Y must necessarily be indistinguishable. Moving on, this was the case when Mallory was malicious. What if Alice and Mallory switch roles and Alice becomes the bad guy? Now note that we had a commitment for Alice that was quantum secure and one for Mallory that was quantum extractable. And this guaranteed that Mallory's message M is going to be independent of Alice's message X, but not the other way round. So how do we guarantee security in this reverse situation? Well, we will rely on complexity leveraging now. So recall that Alice's commitment is quantum secure and Mallory's commitment is quantum insecure. But in addition to being quantum secure, we will make Alice's commitment quasi-polynomially extractable, so extractable in classical quasi-polynomial time. And this can be done by relying on, say, the LWE assumption.
And at the same time, Mallory's commitment will be set so that it's sub-exponentially secure against classical adversaries. And this can be done by building a non-interactive commitment that's based on sub-exponential DDH. So Alice's commitment will satisfy both properties of being quantum secure and yet classically quasi-polynomially insecure. And Mallory's commitment will be quantum insecure but classically more secure than Alice's commitment. And by doing this, going back to analyzing non-malleability for the situation where Alice is malicious, we will see that, again given a transcript of this execution, there exists a quasi-polynomial time extractor that is able to look at this transcript and find out what X and Y are. And if X and Y were different in both games, then this would be a quasi-polynomial extractor that distinguishes experiment one from experiment two, which means that Alice, together with the quasi-polynomial time machine, is a quasi-polynomial time breaker for Mallory's commitment. And this would be a contradiction, which is how we will argue that it is non-malleable even in case Alice becomes malicious. So this is by the same logic as before. And at the end, we have a pair of commitments where, no matter who the bad guy is, these commitments are non-malleable with respect to each other. Alice cannot maul Mallory's commitment and Mallory cannot maul Alice's commitment. So, okay, just to recap: Alice's commitment is based on quantum polynomially secure and quasi-polynomially extractable commitments. And Mallory's is quantum polynomially extractable, but sub-exponentially classically secure at the same time. So these are two commitments that differ from each other across two different axes of hardness. One is harder than the other across one axis. So we have now two commitments for two identities that are non-malleable with respect to each other.
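As an added formalization of the two-experiment definition and the two-axis reduction just described (this is not from the talk; the symbols Com_A, Com_M, val, E and the concrete time bounds are my notation and illustrative assumptions):

```latex
% Added formalization (not from the talk); notation and concrete time bounds are assumptions.
% Experiment b: Alice commits to a_1 = a or a_0 = 0, Mallory mauls the string, and we record
% the value underneath Mallory's commitment (or \bot if it is not a valid commitment).
\mathsf{Exp}_b(\mathcal{M}):\quad
  c \leftarrow \mathsf{Com}_{\mathsf{A}}(a_b),\qquad
  \tilde{c} \leftarrow \mathcal{M}(c),\qquad
  \text{output } \mathsf{val}_{\mathsf{M}}(\tilde{c})
  \quad (\text{output } \bot \text{ if } \tilde{c} = c).

% Non-malleability: the value Mallory commits to is distributed the same
% whether Alice's input is a or 0.
\{\mathsf{val}_{\mathsf{M}}(\tilde{c})\}_{\mathsf{Exp}_1(\mathcal{M})}
  \;\approx_c\;
\{\mathsf{val}_{\mathsf{M}}(\tilde{c})\}_{\mathsf{Exp}_0(\mathcal{M})}.

% The reduction: suppose an extractor E running in time T_E recovers val_M(c') from any
% string c', and Com_A is hiding against every adversary running in time T_A, where
% T_E * poly(lambda) < T_A. Then for any poly-time distinguisher D of the two value
% distributions,
\Bigl|\Pr\bigl[D(\mathcal{E}(\mathcal{M}(\mathsf{Com}_{\mathsf{A}}(a))))=1\bigr]
     -\Pr\bigl[D(\mathcal{E}(\mathcal{M}(\mathsf{Com}_{\mathsf{A}}(0))))=1\bigr]\Bigr|
  \le \mathrm{negl}(\lambda),
% because D \circ E \circ M is itself a time-(T_E * poly(lambda)) adversary against
% the hiding of Com_A; the left-hand side is exactly D's advantage between Exp_1 and Exp_0.

% Instantiation on the two hardness axes:
%  Mallory malicious: E is quantum poly-time (Com_M is quantum extractable),
%                     Com_A is secure against quantum poly-time adversaries.
%  Alice malicious (roles of A and M swapped above): E is a classical quasi-polynomial
%                     extractor for Com_A, e.g. time 2^{\log^{c}\lambda}, and Com_M is
%                     classically secure against time 2^{\lambda^{\varepsilon}} \gg 2^{\log^{c}\lambda}.
```

The key check in both cases is the same inequality: the extractor for the man-in-the-middle's commitment must run in strictly less time (on the relevant axis, quantum or classical) than what the honest party's commitment withstands.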
But what if there are more than two identities in the world, or in a cryptographic protocol? And we want to argue that every identity's committed value is independent of values committed by other identities. So we would like to generalize to this identity-based notion of commitments, where the adversary can pick any identity that is n bits long, and the honest party can pick any other identity that is n bits long. And as long as the adversary's and honest party's identities are different, we still want to have this independence guarantee. And it turns out that this generalized identity-based notion for identities of size n is equivalent to the most general notion of non-malleable commitments, assuming the existence of signatures. And I don't have time to go into why, so you'll just have to believe me on that. But I do want to spend some time on explaining how we achieve this more general definition for exponentially many identities. Towards that, we first have a construction for identities that are in C log log n for a small constant C. And then we have an amplification step that helps us amplify the space of identities exponentially many times, to go all the way to 2^n identities. Let me start with the first step. So to get non-malleable commitments that are secure for C log log n identities, we'll start with the technique of Pass and Wee, who showed that it is essentially possible to use complexity leveraging to get a sequence of commitments, C log log n in number, that are progressively harder than one another. And what I mean is that in classical time t1, the commitment with identity 1 is secure, whereas the commitment with identity 2 can be broken. And then the commitment with identity 2 is secure for some other, smaller time t2, whereas the commitment with identity 3 breaks down at this time.
And as a result, the sequence of commitments gives us a sequence of non-malleable commitments that are non-malleable whenever the honest identity is smaller than the adversary's identity. By the exact same logic as before, you can break the adversary's commitment and extract his value. And if this is correlated with the honest party's committed value, then you have a distinguisher for the honest party's commitment. So it better not be correlated. So we have the sequence of commitments that are progressively less secure in the classical world. We will build another sequence of commitments that are progressively less secure, both in the quantum and classical worlds, by relying on sub-exponential quantum hardness of an assumption like LWE or LPN, or any lattice-based assumption. And so in the quantum setting, this means that we have a sequence of commitments where the last commitment is the most secure one. And therefore, again by the same logic, these are secure whenever the adversary's identity is smaller than the honest party's identity, which is the opposite of what we saw in the previous slide. So now we have two different sequences of commitments. One is secure when the adversary chooses an identity that's larger than the honest party's identity, and the other is secure when the adversary chooses an identity that's smaller than the honest party's identity. Now we need to combine these in some way to ensure that we have commitments that are secure whenever the adversary chooses any identity that is either bigger or smaller, or basically any identity that's different from the honest party's identity. To do this, we will arrange the two sequences of commitments that we had so far in decreasing order of security, so that all the quantum secure commitments, or the LWE-based commitments, will be less secure than all of the discrete log-based commitments in the classical world. So what I essentially mean is we will set security parameters so that they decrease in this direction.
What that gives us is a sequence of commitments that are progressively less secure in this direction in the classical world. On the other hand, in the quantum world, all of these are broken, and they are progressively less secure in this direction in the quantum world. And how do we use that to argue non-malleability, or first, how do we construct non-malleable commitments out of this? So let's do this with an example. Let's say Charlie has identity three. What he will do is he will look at both commitments corresponding to identity three in this sequence. So one is the discrete log-based commitment and the other is the LWE-based commitment, and he will split his message into two parts using a two-out-of-two secret sharing scheme. He will use the discrete log-based commitment to commit to the first part and the LWE-based commitment with identity three to commit to the second part. That constitutes a commitment for identity three. And why is this non-malleable? So let's do this again with an example. Let's say we have Alice and Charlie, who have identities one and three respectively. And you'll see that this is a very general example. You could just place two identities anywhere in the system. And we want to argue that they're both non-malleable with respect to each other. So how would we do that? Let's say Charlie is the bad guy. We want to argue that the message committed by Charlie is independent of the message committed by Alice. The reason for that is that these commitments are arranged in order of decreasing classical security, which means that the commitment on the top left of the slide is the most secure one.
And what this means now is that the value committed by Alice using the commitment on the top left of the slide is secure even in time that's sufficient to extract both the shares of Charlie's commitment, which means that Charlie's values M1 and M2 are jointly independent of one of the shares of Alice's commitment, which in turn means that the message M committed by Charlie is independent of the message A committed by Alice. So that's straightforward in this direction. What about the other direction? So what about the case when Alice is the bad guy? Now note that in the presence of a quantum computer, the discrete log-based commitments break down completely; they can be broken in polynomial time. And we arrange things so that the LWE-based commitments are in decreasing order of quantum security from Charlie to Alice. What this means is that it's possible to break all commitments except the one on the bottom right of the slide in quantum time t, and the commitment on the bottom right corner should still remain secure. And this implies that A1 and A2 are jointly extractable in quantum poly time t, whereas M2 remains hidden, which means that A must necessarily be independent of one of the shares, M2, of Charlie's message. And therefore, A must necessarily be independent of the message M. So we've been able to argue non-malleability in both directions now. And I only have one minute, so I'm going to very quickly give you some high-level insights on how we've managed to amplify this all the way to two to the n identities. The way we do that is by showing that it's possible to non-interactively amplify the space of identities exponentially, assuming sub-exponential and non-interactive witness indistinguishable proofs. Now, amplifying C log log n exponentially just gives something that looks like log n to the power of some constant, which is not enough.
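As an added write-up of the C log log n construction and the Alice/Charlie argument above (not from the talk; the hardness functions T^cl, T^q, the XOR sharing and the index conventions are my notation and assumptions, chosen to match the ordering the speaker describes on the slides):

```latex
% Added formalization (not from the talk). Identities i in {1,...,k}, k = C log log n.
% Two commitment families per identity:
%   Com^{DL}_i  : discrete-log based, classically hard up to time T^cl(DL_i), quantum broken in poly time;
%   Com^{LWE}_i : LWE based, classically hard up to T^cl(LWE_i), quantum hard up to T^q(LWE_i).
% Security-parameter ordering (all DL classically above all LWE; DL classically decreasing in the
% identity; LWE quantum security increasing in the identity, i.e. decreasing from Charlie to Alice):
T^{\mathrm{cl}}(\mathsf{DL}_1) > T^{\mathrm{cl}}(\mathsf{DL}_2) > \cdots > T^{\mathrm{cl}}(\mathsf{DL}_k)
  > T^{\mathrm{cl}}(\mathsf{LWE}_j)\ \ \text{for every } j, \qquad
T^{\mathrm{q}}(\mathsf{DL}_i) = \mathrm{poly}(\lambda), \qquad
T^{\mathrm{q}}(\mathsf{LWE}_1) < T^{\mathrm{q}}(\mathsf{LWE}_2) < \cdots < T^{\mathrm{q}}(\mathsf{LWE}_k).

% Commitment to m under identity i: two-out-of-two XOR sharing, one share per family.
\mathsf{Com}_i(m;\, m_1, r_1, r_2) =
  \bigl(\mathsf{Com}^{\mathsf{DL}}_i(m_1; r_1),\ \mathsf{Com}^{\mathsf{LWE}}_i(m_2; r_2)\bigr),
\qquad m_1 \leftarrow \{0,1\}^{|m|},\quad m_2 = m \oplus m_1 .

% Example from the talk: Alice (id 1) commits to a = a_1 \oplus a_2, Charlie (id 3) to m = m_1 \oplus m_2.
% Case Charlie malicious (adversary id 3 > honest id 1): choose a classical time T with
T^{\mathrm{cl}}(\mathsf{DL}_3),\ T^{\mathrm{cl}}(\mathsf{LWE}_3) \;<\; T \;<\; T^{\mathrm{cl}}(\mathsf{DL}_1).
% In time T both of Charlie's shares, hence m, are extractable, while Com^{DL}_1 still hides a_1.
% A distinguisher for m composed with this extractor would break Com^{DL}_1 in time T, so
% m is independent of a_1, and since a = a_1 \oplus a_2 with a_1 uniform, m is independent of a.

% Case Alice malicious (adversary id 1 < honest id 3): choose a quantum time T' with
\mathrm{poly}(\lambda),\ T^{\mathrm{q}}(\mathsf{LWE}_1) \;<\; T' \;<\; T^{\mathrm{q}}(\mathsf{LWE}_3).
% In quantum time T' the DL commitments (both of them) and Com^{LWE}_1 are broken, so a_1 and a_2,
% hence a, are extractable, while Com^{LWE}_3 still hides m_2. By the same reduction a is
% independent of m_2, and therefore of m = m_1 \oplus m_2.

% General rule: for honest id i and adversary id j \neq i, use the classical extractor when j > i
% and the quantum extractor when j < i; the two orderings above guarantee one of them always fits.
```

The reason the two sequences must be interleaved exactly this way is visible in the two inequalities: the classical window for T exists only because every LWE commitment sits classically below every DL commitment, and the quantum window for T' exists only because the DL commitments contribute nothing to quantum security and the LWE quantum parameters grow with the identity.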
So we need to apply this amplification theorem multiple times to go all the way to two to the n. Because I don't have much time to go into this, I'm going to hide all the details of the construction under the rug and only mention two features of our construction. One, this results in a loss in parameters each time we amplify. And this happens because we are restricted to the non-interactive setting, where we don't really have any techniques to do simulation. And the other is that this only yields non-malleable commitments that suffer from a selective abort problem, which means that the adversary cannot create commitments that are valid and at the same time correlated with the value committed by the honest party. But what he can sometimes do is create commitments where the probability that the commitment is invalid is a function of the message committed by the honest party. So that's something that we cannot deal with at the moment. And that brings me to the open problems. It would be really interesting to remove this limitation on selective abort; removing this would result in non-interactive non-malleable commitments that satisfy the strongest definition, which would be interesting. And another open question is whether we can make them non-malleable in the many-to-many setting, which is true for some of the previous constructions that were from less well-studied assumptions, but not true for ours. And finally, can we find some other ways in which we can use quantum assumptions to get better forms of classical cryptography? With that I'd like to conclude. Thank you, and I'm happy to answer any questions. Any questions? Okay, let's thank the speaker again.