 Yeah, thanks for the introduction. So I will talk about on the run complexity of OT extension But before I go into the technical details I want to talk a little bit about secure multiparty computation Because that's the reason why it's so important why oblivious transfer is so important in this picture You can see two parties. So it's a simplified setting of secure multiparty computation We have a party R which has an input X and we have a party S Which has an input Y and they want to compute some functionality F and In the end of the protocol the party R wants to receive the output or the evaluation of the functionality on the inputs X and Y So in this talk I in particularly want to focus on a special round complexity Which is just two messages. There will be only one message sent by the receiver and a second message sent by the sender Realizing multiparty computation is easy until we consider security Security really makes it a non-trivial thing to construct and what do we ask for security? We want to have that the receiver only learns the very minimum You should only learn the functionality evaluated on the input X and Y But you shouldn't learn anything beyond that in particularly. You should not learn anything about the sender's input Y Further for the sender or for the party S It should learn nothing. It should not learn anything about the input of the party R Oblivious transfer can be seen as a special case of secure multiparty computation Where I have a very very simple functionality and this functionality it just takes as input to input strings Y 0 and Y 1 and the choice bit X which selects one of the input strings and outputs the selected input string So in case of oblivious transfer I will call this party R the receiver and the party S the sender and the sender will have these two input strings The receiver choose ones one of them and learns it While it doesn't learn anything about the other input string. That's required for security As well as the sender shouldn't learn anything about the choice bit anything But you shouldn't learn which of the string the receiver has learned So this is a very very simple functionality that we realize here But the very interesting fact is that this is a fundamental building block of realizing secure multiparty computation for any functionality And that was shown for example by Kylian, but also by Isai Prabhakaran and Sahay That's really amazing because we want to have multiparty computation for much more complex functionalities But it can really focus on the case of oblivious transfer But there's still kind of a drawback or the bottleneck that we need to consider and that is efficiency That brings me to the next question. How efficiently can we realize secure multiparty computation when we base When we use this fundamental base building block of oblivious transfer and the first observation that you make is The secure computation typically needs a large amount of oblivious transfers usually are like several thousands And there's another bottleneck namely that oblivious transfer implies key exchange and that means that it requires public key operations because Key exchange was separated from one-way functions by the result of impact lezio and rudic That is really one of the obstacles for realizing secure multiparty computation in practice But there is a nice way to bypass that issue and increase the efficiency by a lot By using OT extension. So what is OT extension and what is the goal of OT extension? the goal is that I start with a critical mass of oblivious transfers and Extended very efficiently to a much larger amount For example, if you consider a security setting where I have 80 bits of security I need to start with around 80 ot's and I need to use public key operations to construct these 80 ot's But in starting from these 80 ot's I can extend them very efficiently to thousands of ot's But what do I mean with efficiently here? Obviously, I don't want to use public key operations and I want to restrict myself to only symmetric operations And this is in fact also necessary because we cannot realize OT extension in an information theoretically secure way That was shown by weaver and later it was extended by lindel and sarasim showing that OT extension in fact Implies one-way functions. So one-way functions is the bare minimum that we need to assume and There are basically two kinds of constructions for OT extension one uses a PhD which can be constructed from one-way functions and the other construction uses some special kind of a hash function and in the following two slides I want to Go into the detail or a little bit more into the details of the two these two OT extension constructions the first one was done by beavers get by beaver and the great The great merit of this construction is that it only uses two messages when I start with a two message OT So I don't increase the round complexity and I preserve it and that's really really nice But it also has a drawback Namely that it uses non black box techniques and what do I mean with non black box techniques With black box access to a cryptographic functionality. I mean that we only look at the in and output behavior of the cryptographic functionality for example in that picture you can see that that I treat PRG as a black box. I don't look how the PRG operates internally I just care about the input which is the seat and the output which is the PRG evaluated on the seat and that is Typically the way we use cryptography, right? We just look at the input and the output but not at the code how the cryptographic primitive is implemented But unfortunately for the beavers construction, that's not the case I really need to look into the code of the PRG or better say set on the circuit and Even further I need to perform cryptographic operations for every gate of the PRG circuit And that's definitely an efficiency drawback, which makes this OT extension less relevant for practice But there's an alternative construction and that was is called the IKMP construction named after the authors who are Ishae Kylia and Nisman Petrang and the great merit of that OT extension is that it is black box Which makes it very efficient and that's also the reason why this is the one that people use to realize the key your multi-party computation in practice But it also has a drawback And the broad drawback is that it requires three messages when I start with a two message oblivious transfer That's really something that I wouldn't like to have in particular We already know an OT extension that only takes two messages that brings up a very natural question of Yeah, that brings up the very natural questions of can we get two message black box? OT extension And that's the thing that we really tried to solve and we somehow didn't manage to solve it and Then Mohammed Mahmoudi was visiting and then it was a natural question is it even possible and it turned out Yeah, unfortunately is not possible and We were able in fact to prove a very strong impossibility result and this is our main result in the paper There in one which says there is no secured to message black box or tea extension even if I start with an arbitrary amount of base or tease and I even if I would just want to increase the amount of a tease by a single one and That theorem might sound really surprising to you because how would you potentially prove such a result? Because we have all these constraints that we only want to look at round preserving or two message or tea extensions We also want to have black box constructions. We have some base or tease that we need to consider But at the same time we only want to allow Additionally to the base or tease only symmetric key operations to make the whole thing efficiently So before even trying to prove such a result We need to come a model that captures all of these constraints And in the following slides, I want to go a little bit more into the details how this model looks like So we have for our model. We need to consider the following or need we need to capture the following constraints The first constraint is that we want to allow only black box access to symmetric Operations because we want to have an efficient OT extension scheme the same time we want to allow only black box access and We also don't want to do allow any public key operations But of course I need to allow some public key operations because I need to start with this critical amount of base OTs in order to extend them so I also need to allow black box access to a certain amount of OTs and Further I also want to consider the round complexity. I only want to allow two messages So how do I capture these constraints the next three slides? I will go through all of these three points starting with the first point We only want to allow black box access to symmetric cryptography The straightforward way of doing that is giving access to a random oracle and Assuming an unbounded adversary in the sense in terms of time But we want to restrict the amount of queries that that adversary can make to the random oracle. So what is a random oracle? Random oracle is functionality that every party can query and some input Q and the random oracle will return a Uniform unique string that is consistent for all parties H of Q And it is well known that this Random oracle implies symmetric cryptography because it can be seen as an ideal version of a one-way function or hash function But this of course is only the case if I restrict the adversary to make only a polynomial amount of query queries But in general we really want to have an unbounded adversary in order to break all public key operations That one might use to construct an OT extension scheme But as I mentioned earlier, we need to allow a critical mass of oblivious transfers And that brings us to the second point So how would I incorporate? these these base OTS and The idea is to use a simple similar approach. I will model these base OTS as an ideal functionality And I allow the sender and the receiver to send their inputs to these this ideal functionality Which could be seen as a trusted third party and this trusted third party or the ideal OT will simply output the output of the oblivious transfer to the receiver and Again, this only allows black box access because here we only look at the in and output behavior There is no code of implementation but now to the third point that's maybe The least straightforward because how can we ensure that we you can only make two messages that there will be only one message sent by the receiver and another message sent by the sender and The way how we deal that is that we enforce that the Output of the ideal OT is sent after all the transcript is completed and after the Receiver has or the sender has sent the last message What do I mean with that? Let me be a little bit more explicit With a picture so we have a sender and the receiver both submit their inputs to the ideal OT functionality Then they are allowed to have some interaction and in the very end after the interaction is done The ideal OT will submit its input output to the receiver And that really ensures that we preserve the round complexity Because we can run the transcript in parallel to the interaction that is required when implementing the ideal OT in particularly, we don't need to wait until the Ideal OT has finished it or finished or sent their Output in order to compute some of the messages and that really captures what we want to have When we say when we want to have two message or t extension or around preserving or to extension So this is an overview over our model and now we can think of How could we potentially? Yeah prove prove it using that model and in our paper we Basically do two steps the first step is an information theoretic attack When we don't consider any random oracle, so we will only have access to the ideal OT But we don't consider a random oracle for simplicity and that will really help us to get Get this information theoretic attack in a very simple way and that on its own is not an interesting novel thing Because it has been known previously that we cannot have an information theoretically secure OT extension And further we also know That OT extension at least implies on-way functions But the merit of this attack It's really that we can easily extend it to the random oracle model And that's the reason why this attack is so nice And it's because it's like also really tailored to the specific case of oblivious transfer And in the following slide I want to give you an overview how this attack looks like In attack I will in particularly assume that the receivers input is picked uniformly at random Which is the input string B and there is also this string D which serves as the input to the ideal functionality So the standard in the receiver they both submit their inputs to the ideal OT functionality They have some interaction and after the interaction is done The receiver will receive the output of the ideal OT functionality So now how does this attack looks like I will use an entropy argument over the input of the receiver Which is this uniform string B, which has N plus one bits of entropy so first as a first idea I will look at Look whether the transcript is correlated with that input So I look at B conditioned on the transcript and If I lose some entropy when I condition on the transcript that would be a bad thing It would be a bad thing because because that would mean that there is some information contained in the transcript About the receivers input and of course an unbounded Sender could exploit that and learn apart some partial information about the receivers input And that would definitely constitute an attack against the security of a no take extension scheme Because the sender should not learn anything about the receivers input So let's assume that this is not the case that there is no attack by the sender That means that the end the receivers input conditioned on the transcript has still full entropy But what does that mean that allows me to also condition on the input to the ideal OT functionality D which has just n bits at maximum n bits of entropy because it's an n bits string So that means there is at least one bit of entropy left and that actually leads to an attack by the receiver and that's also Yeah, a bad thing, but why is this the case? If you look at the receiver if the receiver has still some entropy left in its input even conditioned on the in and outputs to the ideal OT functionality and even conditioned on the transcript that means that there are multiple inputs for which the receiver can can Execute the it's code right while using the same transcript and in an output of the ideal OT So there are at least two inputs for which he can compute It's output the outputs of the n plus one or t's that means There's at least one bit position where these two inputs don't match where the receiver can learn both of the input strings therefore in therefore if we have the be conditioned on the transcript has full entropy the Sender will able at the receiver will able to be attacked to attack the sender security by learning multiple inputs Which is also a bad thing But now how can we extend that to the random oracle model and the issue with the random oracle model is That the entropy argument fails because we cannot only look at the transcript anymore because the random oracle It creates additional correlations between the senders and the receivers view so far. We could use an argument Saying that if we condition the view on and of the sender in the receiver and the transcript They are independent But that's not the case anymore as soon as I consider a random oracle because they can query some functionality Which gives them some common entropy and we really need to incorporate that fact The way you typically deal with that is using black box separation techniques, which have also been used previously And it's really a nice way in a straightforward way of handle these correlations But in our setting this unfortunately does not work Because we also have access to this ideal OT functionality, which allows us to do arbitrary public key operations We could run some multi-party computation for arbitrary functions And we could also run some key exchange which also creates some some hidden entropy for that the sender and the receiver share So this is really an obstacle and that's also one of the main challenges that we are solving in our paper We don't need to only yeah, we can easily deal with the ideal OT as I have shown in the previous information theoretic attack And it's also easy to deal just with a random oracle because that's basically the result of impact last year in erotic that That OT is separated from one-way functions But the challenge is really to bring both of these ideal primitives together And here we really need to exploit that we want to preserve the round complexity And as I have shown you previously the way we deal with that is that we submit the Output of the ideal OT in the very end after the transcript is finished to the receiver And that allows us to use these black rock separation techniques before this output is being submit Because before this output being submit the ideal OT is actually not present It doesn't have any impact on the interaction of the standard in the receiver. That's really one of the key ideas I won't go into the technical details here But I would like to refer you for that to the paper and I'm also happy to to discuss that with you if you have questions On my last slide I want to repeat again our theorem Which is a very strong impossibility result saying that we cannot have two message black box OT extension and that Impositability result holds in a very strong sense because we were using this entropy argument just over the receivers input That actually allows us to do it for an arbitrary string length So even if you would start with a really long string length of The receivers input strength and even if you would like to extend that to n plus 1 ot's of a single bit string length It would be impossible Also, this result holds also in the common reference string model and it holds for all round complexity So if you start with a K round oblivious transfer, you cannot have a K round OT extension or you cannot Have a fixed amount of public key operations to have an arbitrary larger amount of oblivious transfers So thanks for your attention. I'm happy to answer your questions