0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/98 Thanks! 1 00:08:15,210 --> 00:08:16,769 Involved, so I'm going to define the 2 00:08:16,770 --> 00:08:17,839 special notion of 3 00:08:19,890 --> 00:08:21,929 equality just for a bit. 4 00:08:21,930 --> 00:08:22,930 Oops. 5 00:08:24,060 --> 00:08:25,739 So this is a relation. 6 00:08:25,740 --> 00:08:27,089 This is again a genotype 7 00:08:28,770 --> 00:08:30,269 that takes two bits. 8 00:08:31,470 --> 00:08:33,959 And then there is there is two ways. 9 00:08:33,960 --> 00:08:35,939 Two bits can be equal easily. 10 00:08:35,940 --> 00:08:38,249 Both are equal to zero. 11 00:08:38,250 --> 00:08:39,658 They both are zero. 12 00:08:39,659 --> 00:08:40,659 So then 13 00:08:43,020 --> 00:08:45,419 they're going to look like that. 14 00:08:45,420 --> 00:08:47,519 So you can read this as kind 15 00:08:47,520 --> 00:08:48,520 of rules. 16 00:08:49,650 --> 00:08:51,869 So there is one rule that says that zero 17 00:08:51,870 --> 00:08:53,219 is equal to zero. 18 00:08:53,220 --> 00:08:54,809 So basically, when there is these 19 00:08:54,810 --> 00:08:56,819 underscores, this is this what we call 20 00:08:56,820 --> 00:08:59,489 mixfix notation, where 21 00:08:59,490 --> 00:09:02,069 basically the arguments goes, where 22 00:09:02,070 --> 00:09:04,859 it goes. So I can write this, this syntax 23 00:09:04,860 --> 00:09:07,049 where the the wall name is 24 00:09:07,050 --> 00:09:09,179 bit brackets equal bracket 25 00:09:10,590 --> 00:09:12,809 and and then it's use like like 26 00:09:12,810 --> 00:09:15,869 it's like on a like for zero here, 27 00:09:15,870 --> 00:09:17,429 then same thing for one 28 00:09:18,480 --> 00:09:20,699 that one can be.
29 00:09:20,700 --> 00:09:22,889 It can be equal 30 00:09:22,890 --> 00:09:24,959 to is equal to one 31 00:09:24,960 --> 00:09:26,900 here. Here you go. 32 00:09:28,620 --> 00:09:30,059 Also in in incognito. 33 00:09:30,060 --> 00:09:31,199 We like Unicode. 34 00:09:31,200 --> 00:09:33,119 That's why there is all this. 35 00:09:33,120 --> 00:09:34,259 OK, so I got 36 00:09:35,850 --> 00:09:38,729 tricked by this indentation thing. 37 00:09:38,730 --> 00:09:40,829 OK, now I can use this crucial predicate 38 00:09:40,830 --> 00:09:42,959 that I've just defined the special 39 00:09:42,960 --> 00:09:45,629 relation that says when two bits 40 00:09:45,630 --> 00:09:47,369 are equal. 41 00:09:47,370 --> 00:09:48,629 OK, great. 42 00:09:48,630 --> 00:09:50,819 OK, so now I do 43 00:09:50,820 --> 00:09:52,379 a case analysis on X 44 00:09:55,380 --> 00:09:57,479 and then I then I and there is a special 45 00:09:57,480 --> 00:09:59,219 thing that will refine when this is 46 00:09:59,220 --> 00:10:01,440 obvious which one to pick. 47 00:10:03,120 --> 00:10:04,120 Oops. 48 00:10:04,470 --> 00:10:05,470 And this is 49 00:10:06,660 --> 00:10:07,559 OK. 50 00:10:07,560 --> 00:10:09,509 So here is a proof that 51 00:10:10,560 --> 00:10:13,439 that not not X is equal to X 52 00:10:13,440 --> 00:10:14,579 when X is zero. 53 00:10:14,580 --> 00:10:16,799 The reason for why it's zero, 54 00:10:16,800 --> 00:10:18,419 it's because of computation. 55 00:10:18,420 --> 00:10:20,939 The X is zero. So on, so not will compute 56 00:10:20,940 --> 00:10:23,039 to one and then not we'll compute 57 00:10:23,040 --> 00:10:24,149 again to zero. 58 00:10:24,150 --> 00:10:25,739 And then I just have to say that that, 59 00:10:25,740 --> 00:10:27,299 yeah, zero is always equal to zero. 60 00:10:29,190 --> 00:10:31,679 OK, so does this proof 61 00:10:31,680 --> 00:10:33,809 is so, so sort. 
62 00:10:33,810 --> 00:10:36,149 If it's so easy that 63 00:10:36,150 --> 00:10:38,279 there is the yeah, 64 00:10:39,540 --> 00:10:42,329 I can ask the kind of auto mode 65 00:10:42,330 --> 00:10:44,460 to find it for me. 66 00:10:45,630 --> 00:10:47,609 This is not necessarily that impressive, 67 00:10:47,610 --> 00:10:49,889 but generates 68 00:10:49,890 --> 00:10:51,539 this. This is good. 69 00:10:51,540 --> 00:10:52,710 OK. So, 70 00:10:56,370 --> 00:10:58,559 OK, let's have another 71 00:10:58,560 --> 00:11:00,509 example with with bits, but let's let's 72 00:11:00,510 --> 00:11:02,639 move on to the next bell. 73 00:11:02,640 --> 00:11:04,139 Then I have not shown no. 74 00:11:04,140 --> 00:11:06,209 Usually I use Unicode everywhere, but 75 00:11:06,210 --> 00:11:07,620 I'm not going to 76 00:11:08,820 --> 00:11:11,669 push myself into too much 77 00:11:11,670 --> 00:11:12,670 typing 78 00:11:13,760 --> 00:11:15,929 in this sitting. 79 00:11:15,930 --> 00:11:16,979 Yes. 80 00:11:16,980 --> 00:11:19,739 All the typos I do. 81 00:11:19,740 --> 00:11:22,259 This is again, some annotation 82 00:11:22,260 --> 00:11:24,209 thing. OK, so there is an natural 83 00:11:24,210 --> 00:11:25,409 numbers, right? 84 00:11:25,410 --> 00:11:26,349 Zero one two. 85 00:11:26,350 --> 00:11:27,249 And they are they are. 86 00:11:27,250 --> 00:11:29,039 They are defined with this data dove that 87 00:11:29,040 --> 00:11:31,649 is there zero, then six zero zero, then 88 00:11:31,650 --> 00:11:33,809 then this one and six zero, then it's 89 00:11:33,810 --> 00:11:35,669 two extra oops. 90 00:11:37,140 --> 00:11:39,539 Then this is natural numbers. 91 00:11:39,540 --> 00:11:40,540 What I want 92 00:11:41,820 --> 00:11:42,990 is addition. 93 00:11:44,430 --> 00:11:45,720 I'm going to need it later on. 94 00:11:47,100 --> 00:11:49,199 OK, so addition takes 95 00:11:49,200 --> 00:11:50,370 two natural numbers. 96 00:11:51,510 --> 00:11:52,770 Yes, trade.
97 00:11:56,200 --> 00:11:57,459 Eggs, my. 98 00:12:00,940 --> 00:12:01,940 Yes. 99 00:12:05,320 --> 00:12:06,759 Can I have this? 100 00:12:06,760 --> 00:12:07,760 It's. 101 00:12:10,500 --> 00:12:11,489 OK. 102 00:12:11,490 --> 00:12:13,169 So for this, 103 00:12:15,540 --> 00:12:17,339 I will do a case analysis on the first 104 00:12:17,340 --> 00:12:20,069 one. It is either zero or successor, 105 00:12:20,070 --> 00:12:22,110 then zero plus y, I know it's 106 00:12:23,580 --> 00:12:25,740 y, that's fine. 107 00:12:26,760 --> 00:12:28,919 And and if I knew that 108 00:12:28,920 --> 00:12:31,229 the first argument is made of a successor 109 00:12:31,230 --> 00:12:32,969 and I know that the result is made of a 110 00:12:32,970 --> 00:12:35,069 successor, so I go for 111 00:12:35,070 --> 00:12:36,070 that. 112 00:12:36,990 --> 00:12:39,839 I can build a program incrementally 113 00:12:39,840 --> 00:12:41,039 and then I make the recursive 114 00:12:41,040 --> 00:12:42,659 call on the rest. 115 00:12:42,660 --> 00:12:44,769 So here you have to really think of this. 116 00:12:44,770 --> 00:12:47,039 This one is being turned to this 117 00:12:47,040 --> 00:12:48,040 like that. 118 00:12:51,170 --> 00:12:53,239 And so that the recursive call 119 00:12:53,240 --> 00:12:55,129 of the plus function is made on something 120 00:12:55,130 --> 00:12:56,219 smaller. 121 00:12:56,220 --> 00:12:58,309 So that's why it's it's accepted only 122 00:12:58,310 --> 00:13:00,679 accepts this terminating functions 123 00:13:00,680 --> 00:13:01,609 that are defined everywhere. 124 00:13:01,610 --> 00:13:04,189 If I if I miss one case, 125 00:13:04,190 --> 00:13:06,140 then it says that it's time is one case. 126 00:13:07,400 --> 00:13:08,400 OK, 127 00:13:10,010 --> 00:13:12,529 OK, no.
Now list, 128 00:13:15,980 --> 00:13:18,199 or maybe I go directly OK, I 129 00:13:18,200 --> 00:13:20,479 have the time for list and 130 00:13:20,480 --> 00:13:22,739 then maybe I 131 00:13:22,740 --> 00:13:23,990 I show it on the 132 00:13:25,850 --> 00:13:27,559 complete fine. 133 00:13:27,560 --> 00:13:29,330 Then I will load this. 134 00:13:31,580 --> 00:13:33,289 When load is complete fine, I will do the 135 00:13:33,290 --> 00:13:35,119 magic trick again. 136 00:13:38,420 --> 00:13:40,609 OK. So this is sort of the same thing 137 00:13:40,610 --> 00:13:42,679 that we've seen and used to be different 138 00:13:42,680 --> 00:13:44,599 names. But anyway. 139 00:13:44,600 --> 00:13:46,490 OK, so there is the natural numbers 140 00:13:48,380 --> 00:13:50,449 and addition on natural numbers. 141 00:13:50,450 --> 00:13:51,450 And then 142 00:13:52,760 --> 00:13:54,819 here is where we can define list. 143 00:13:54,820 --> 00:13:57,019 They are either empty or 144 00:13:57,020 --> 00:13:59,299 they are made of one element, followed 145 00:13:59,300 --> 00:14:00,799 by a list. 146 00:14:00,800 --> 00:14:03,019 OK, this is the case, 147 00:14:03,020 --> 00:14:04,979 and on this list we can define the length 148 00:14:04,980 --> 00:14:06,889 function that is basically, if you think 149 00:14:06,890 --> 00:14:08,479 about it, it's going from a list to 150 00:14:08,480 --> 00:14:10,729 natural numbers and it's actually sort 151 00:14:10,730 --> 00:14:12,979 of forgetting about elements of the list. 152 00:14:12,980 --> 00:14:14,299 But preserving the structure. 153 00:14:14,300 --> 00:14:15,769 It maps nil to zero. 154 00:14:15,770 --> 00:14:17,229 And it maps cons to suc. 155 00:14:20,330 --> 00:14:21,950 Then on this list, one can 156 00:14:23,240 --> 00:14:25,639 build a concatenation function 157 00:14:25,640 --> 00:14:26,899 append function of two list.
158 00:14:28,250 --> 00:14:30,419 And one kind of proof that we can have 159 00:14:30,420 --> 00:14:33,019 is to show that the 160 00:14:33,020 --> 00:14:34,459 sum is improved, that we can have this we 161 00:14:34,460 --> 00:14:35,460 should add 162 00:14:36,760 --> 00:14:39,229 the the length 163 00:14:39,230 --> 00:14:41,719 of the of the 164 00:14:41,720 --> 00:14:43,939 concatenation of two list is the sum 165 00:14:43,940 --> 00:14:46,099 of the length and the 166 00:14:46,100 --> 00:14:48,619 proof collegues as this two line 167 00:14:48,620 --> 00:14:50,959 function that is defined by my case. 168 00:14:50,960 --> 00:14:52,539 And that's this. 169 00:14:52,540 --> 00:14:54,119 And this is a proof. 170 00:14:54,120 --> 00:14:55,999 And at the same time, if you read that as 171 00:14:56,000 --> 00:14:58,129 a function, it's it's also as as 172 00:14:58,130 --> 00:14:59,659 a function. That's that's what I that's 173 00:14:59,660 --> 00:15:01,689 what I mean by it, by one system. 174 00:15:01,690 --> 00:15:04,009 We have a sort of the two 175 00:15:04,010 --> 00:15:06,769 are the proofs and programs are 176 00:15:06,770 --> 00:15:07,770 consistent 177 00:15:09,200 --> 00:15:10,829 in unified. 178 00:15:10,830 --> 00:15:11,830 OK. 179 00:15:12,760 --> 00:15:14,929 OK. And then then to finish 180 00:15:14,930 --> 00:15:16,820 with this, we have this 181 00:15:18,260 --> 00:15:20,599 demo vectors. 182 00:15:20,600 --> 00:15:23,359 So vectors is some kind of the first 183 00:15:23,360 --> 00:15:25,429 basic example that we have of dependent 184 00:15:25,430 --> 00:15:27,589 types inside on the side 185 00:15:27,590 --> 00:15:29,779 of programming because dependent types 186 00:15:29,780 --> 00:15:32,269 we actually use in all the proofs 187 00:15:32,270 --> 00:15:33,349 here.
188 00:15:33,350 --> 00:15:35,249 So the type of vectors is a bit like the 189 00:15:35,250 --> 00:15:37,339 type of list, except that it tracks 190 00:15:37,340 --> 00:15:39,469 the length of of it, of this 191 00:15:39,470 --> 00:15:41,539 vector in as a as 192 00:15:41,540 --> 00:15:43,759 an index. This is the second 193 00:15:43,760 --> 00:15:45,589 thing there is, for instance, the empty 194 00:15:45,590 --> 00:15:47,689 list, a vector, is of size 195 00:15:47,690 --> 00:15:49,759 zero and the 196 00:15:49,760 --> 00:15:51,949 cons case takes a vector of size 197 00:15:51,950 --> 00:15:54,169 n and makes a vector of size suc 198 00:15:54,170 --> 00:15:55,760 n. So one plus n, 199 00:15:57,650 --> 00:16:00,709 obviously we can turn vectors into list, 200 00:16:00,710 --> 00:16:02,799 sort of forgetting the the 201 00:16:02,800 --> 00:16:04,759 static knowledge that we have of the of 202 00:16:04,760 --> 00:16:06,019 the length. 203 00:16:06,020 --> 00:16:08,179 We can also prove that when we when 204 00:16:08,180 --> 00:16:09,739 we take the length of 205 00:16:12,020 --> 00:16:13,429 of this, of this, 206 00:16:14,540 --> 00:16:16,939 of this target, of this conversion 207 00:16:16,940 --> 00:16:19,129 of vector from vectors to list, then 208 00:16:19,130 --> 00:16:20,059 we get n. 209 00:16:20,060 --> 00:16:22,189 This is the this was the original size of 210 00:16:22,190 --> 00:16:24,319 the list showing that we have not 211 00:16:24,320 --> 00:16:26,239 followed any elements when we were 212 00:16:26,240 --> 00:16:27,439 converting this function. 213 00:16:27,440 --> 00:16:29,539 So this when you might get this function 214 00:16:29,540 --> 00:16:32,179 wrong, if you, for instance, forget 215 00:16:32,180 --> 00:16:33,180 this path here, 216 00:16:34,820 --> 00:16:36,709 but then then then the proof will will 217 00:16:36,710 --> 00:16:38,059 complain on.
218 00:16:38,060 --> 00:16:40,279 So some parts are crucial 219 00:16:40,280 --> 00:16:41,209 because you can. 220 00:16:41,210 --> 00:16:43,339 This other specification is under the 221 00:16:43,340 --> 00:16:44,269 the meaning of things. 222 00:16:44,270 --> 00:16:46,669 And then and and then the proofs 223 00:16:46,670 --> 00:16:48,799 on the fact that if it's accepted, then 224 00:16:48,800 --> 00:16:50,929 it's then it's it's 225 00:16:50,930 --> 00:16:51,949 OK. 226 00:16:51,950 --> 00:16:54,229 OK. And finally, the 227 00:16:54,230 --> 00:16:56,509 you can append two vectors 228 00:16:56,510 --> 00:16:58,789 and here this is where the 229 00:16:58,790 --> 00:17:01,129 dependent types truly shines as 230 00:17:01,130 --> 00:17:03,229 the first vector is of size M and 231 00:17:03,230 --> 00:17:05,358 the second is of size N and the 232 00:17:05,359 --> 00:17:07,459 resulting vector is of size M plus 233 00:17:07,460 --> 00:17:09,799 N. And this is the plus that we defined 234 00:17:09,800 --> 00:17:12,049 earlier. This was on program side 235 00:17:12,050 --> 00:17:13,119 and now it's in the types. 236 00:17:14,300 --> 00:17:16,159 And when you define this function, it's 237 00:17:16,160 --> 00:17:17,659 still exactly defined. 238 00:17:17,660 --> 00:17:19,368 I don't know if we can f both on the same 239 00:17:19,369 --> 00:17:21,439 screen, but it can be 240 00:17:21,440 --> 00:17:23,059 defined exactly in the same way that the 241 00:17:23,060 --> 00:17:24,828 append function on list. 242 00:17:24,829 --> 00:17:27,419 So the fact that this function is 243 00:17:27,420 --> 00:17:29,929 is precise about the length of things 244 00:17:29,930 --> 00:17:31,429 is really sort of free. 245 00:17:31,430 --> 00:17:33,559 Here we have the same code 246 00:17:33,560 --> 00:17:35,689 that we had for append it 247 00:17:35,690 --> 00:17:37,759 really relies on the on some kind 248 00:17:37,760 --> 00:17:40,039 of engineering of the definition.
249 00:17:40,040 --> 00:17:41,779 So there's that append function that we 250 00:17:41,780 --> 00:17:43,999 define work from the left on 251 00:17:44,000 --> 00:17:45,949 the first argument and the plus function 252 00:17:45,950 --> 00:17:47,989 works on the on the on the first argument 253 00:17:47,990 --> 00:17:49,869 as well. That's why. 254 00:17:49,870 --> 00:17:51,699 Everything sort of works works out 255 00:17:51,700 --> 00:17:52,700 nicely. 256 00:17:54,700 --> 00:17:57,279 And yeah, that's the that's the end of a 257 00:17:57,280 --> 00:17:58,359 of the deal. 258 00:17:58,360 --> 00:18:00,130 OK, so let's get back here. 259 00:18:02,020 --> 00:18:04,719 OK, now and this was kind of general 260 00:18:04,720 --> 00:18:06,849 ag thing. 261 00:18:06,850 --> 00:18:09,699 And now let's let's go more into security 262 00:18:09,700 --> 00:18:10,700 and 263 00:18:13,630 --> 00:18:15,609 and. OK, so OK. 264 00:18:15,610 --> 00:18:17,689 Briefly, everyone knows about public 265 00:18:17,690 --> 00:18:19,839 key encryption. I hope here soon we 266 00:18:19,840 --> 00:18:22,239 have just a brief 267 00:18:22,240 --> 00:18:24,309 recap of the notation I use: 268 00:18:24,310 --> 00:18:26,379 SK for the private key, 269 00:18:26,380 --> 00:18:28,209 PK for the public key. 270 00:18:28,210 --> 00:18:29,919 And so we have an encryption function 271 00:18:29,920 --> 00:18:32,139 going, and I don't put 272 00:18:32,140 --> 00:18:34,089 any parentheses to pass arguments to a 273 00:18:34,090 --> 00:18:35,049 function like to. 274 00:18:35,050 --> 00:18:37,149 Enc PK M 275 00:18:37,150 --> 00:18:38,799 takes the public key and a message and 276 00:18:38,800 --> 00:18:40,329 produce the ciphertext and the 277 00:18:40,330 --> 00:18:42,789 decryption can do do the reverse 278 00:18:42,790 --> 00:18:44,259 and needs the the private key. 279 00:18:44,260 --> 00:18:46,319 OK, so this is pretty 280 00:18:46,320 --> 00:18:47,469 straightforward.
281 00:18:47,470 --> 00:18:49,599 Then you have to know this. 282 00:18:49,600 --> 00:18:51,459 This picture is not as nice as I wanted 283 00:18:51,460 --> 00:18:53,390 to to be. This is the 284 00:18:54,600 --> 00:18:56,559 an important notion. 285 00:18:56,560 --> 00:18:58,779 This is the security notion, 286 00:18:58,780 --> 00:19:00,789 and this is defined as some kind of a 287 00:19:00,790 --> 00:19:02,889 game that which works as 288 00:19:02,890 --> 00:19:04,369 follows. 289 00:19:04,370 --> 00:19:06,999 There is there is two participants 290 00:19:07,000 --> 00:19:08,710 the the challenger and the adversary. 291 00:19:10,390 --> 00:19:12,339 So the challenger represents the the the 292 00:19:12,340 --> 00:19:14,439 good guy and and also the, let's 293 00:19:14,440 --> 00:19:16,529 say, the the host system, the 294 00:19:16,530 --> 00:19:18,729 the network and all the all the 295 00:19:18,730 --> 00:19:20,469 console that we trust, let's say. 296 00:19:20,470 --> 00:19:22,989 And the adversary here represents 297 00:19:22,990 --> 00:19:25,659 all the the bad guys colluding 298 00:19:25,660 --> 00:19:27,729 between the each other. 299 00:19:27,730 --> 00:19:29,919 OK, and the game works 300 00:19:29,920 --> 00:19:31,929 as follows the the challenger starts by 301 00:19:31,930 --> 00:19:33,730 generating a key pair 302 00:19:34,870 --> 00:19:37,029 of SK and PK and 303 00:19:37,030 --> 00:19:38,349 then sends the public key to the 304 00:19:38,350 --> 00:19:39,350 adversary. 305 00:19:40,270 --> 00:19:42,339 Adversary can now encrypt 306 00:19:42,340 --> 00:19:44,949 as many messages as you want because 307 00:19:44,950 --> 00:19:46,839 as we know, you only need the public key 308 00:19:46,840 --> 00:19:49,029 to encrypt then the adversary 309 00:19:49,030 --> 00:19:51,349 has to send two messages M zero and M 310 00:19:51,350 --> 00:19:52,930 one to the challenger.
311 00:19:54,040 --> 00:19:56,709 He can pick the the messages 312 00:19:56,710 --> 00:19:58,299 as he as he wishes. 313 00:19:58,300 --> 00:20:00,609 This is chosen plaintext 314 00:20:00,610 --> 00:20:01,610 attack. 315 00:20:02,770 --> 00:20:04,929 Then the the challenger 316 00:20:04,930 --> 00:20:07,029 will encrypt one of the one of the 317 00:20:07,030 --> 00:20:09,489 two messages with the with the encryption 318 00:20:09,490 --> 00:20:10,449 function. 319 00:20:10,450 --> 00:20:12,519 And so let's let's say 320 00:20:12,520 --> 00:20:14,709 that encrypts M b where b 321 00:20:14,710 --> 00:20:15,789 some kind of secret bit. 322 00:20:15,790 --> 00:20:17,709 So it's either M zero or M one that gets 323 00:20:17,710 --> 00:20:19,839 encrypted and sends this ciphertext 324 00:20:19,840 --> 00:20:21,849 C to the adversary, then the 325 00:20:21,850 --> 00:20:23,919 adversary has to tell 326 00:20:23,920 --> 00:20:25,749 which one has been encrypted. 327 00:20:25,750 --> 00:20:28,419 OK. And we say that if 328 00:20:28,420 --> 00:20:30,549 if the adversary can do 329 00:20:30,550 --> 00:20:31,550 can guess 330 00:20:33,280 --> 00:20:36,399 in a sufficiently often, 331 00:20:36,400 --> 00:20:38,559 then we can claim that the encryption 332 00:20:38,560 --> 00:20:39,670 has been has been broken. 333 00:20:41,050 --> 00:20:42,999 So formally only this is defined that 334 00:20:43,000 --> 00:20:45,099 there is the probability of the adversary 335 00:20:45,100 --> 00:20:46,239 of winning. 336 00:20:46,240 --> 00:20:48,519 So if guessing the right bit 337 00:20:48,520 --> 00:20:50,739 and we want to see the distance 338 00:20:50,740 --> 00:20:52,899 of this probability to one half, that 339 00:20:52,900 --> 00:20:55,089 is what we call the advantage.
340 00:20:56,800 --> 00:20:58,869 So if if you get really, 341 00:20:58,870 --> 00:21:00,969 if you guess, always 342 00:21:00,970 --> 00:21:02,829 good and then then you have 343 00:21:04,150 --> 00:21:06,039 a good advantage and a good advantage is 344 00:21:06,040 --> 00:21:08,319 being is being away from one half 345 00:21:08,320 --> 00:21:10,779 and one half is when we interact on them, 346 00:21:10,780 --> 00:21:12,640 when you answer, always the same thing. 347 00:21:14,320 --> 00:21:16,299 So the worst is advantage zero and the 348 00:21:16,300 --> 00:21:17,619 best is advantage one half. 349 00:21:19,360 --> 00:21:20,360 OK, 350 00:21:23,920 --> 00:21:26,109 so so we, 351 00:21:26,110 --> 00:21:28,239 we we we can model this, this 352 00:21:28,240 --> 00:21:30,579 adversary, and there is this way 353 00:21:30,580 --> 00:21:32,769 of doing so. But one way would 354 00:21:32,770 --> 00:21:34,899 be to say that the adversary comes 355 00:21:34,900 --> 00:21:36,250 in two parts 356 00:21:37,280 --> 00:21:39,009 the part that that computes 357 00:21:39,010 --> 00:21:41,169 these two messages, M zero and M 358 00:21:41,170 --> 00:21:43,419 one. This is the this is then 359 00:21:43,420 --> 00:21:46,449 modeled as a as a record here and 360 00:21:46,450 --> 00:21:48,759 of two parts m and b prime. 361 00:21:48,760 --> 00:21:51,399 And the first part takes 362 00:21:51,400 --> 00:21:53,469 the public key. As I say, some randomness 363 00:21:53,470 --> 00:21:55,599 in this the I'm going to speak 364 00:21:55,600 --> 00:21:56,619 a bit more about the randomness 365 00:21:56,620 --> 00:21:57,849 later. 366 00:21:57,850 --> 00:21:59,679 Let's keep that for for now, and that's 367 00:21:59,680 --> 00:22:01,809 to return a pair of messages, then 368 00:22:01,810 --> 00:22:03,969 b prime and take some takes.
369 00:22:03,970 --> 00:22:06,189 The basically there is no state 370 00:22:06,190 --> 00:22:08,229 for this adversary, so we pass him back 371 00:22:08,230 --> 00:22:10,359 all the all the all what he got 372 00:22:10,360 --> 00:22:11,259 before. 373 00:22:11,260 --> 00:22:13,479 So. So it gets the same public 374 00:22:13,480 --> 00:22:15,759 key again and it gets the ciphertext 375 00:22:15,760 --> 00:22:18,249 and he gets to to pick two to decide 376 00:22:18,250 --> 00:22:19,869 which which bit was 377 00:22:21,880 --> 00:22:22,989 OK. 378 00:22:22,990 --> 00:22:25,329 And it doesn't does anyone a 379 00:22:25,330 --> 00:22:27,819 and doesn't does this game previously 380 00:22:27,820 --> 00:22:29,410 sounds trivial to break, 381 00:22:30,550 --> 00:22:32,229 though it is that it's supposed to be 382 00:22:32,230 --> 00:22:34,629 defined so that all the trivial attacks 383 00:22:34,630 --> 00:22:36,879 do not work and that all the 384 00:22:36,880 --> 00:22:39,249 all the remaining depends on the way to 385 00:22:39,250 --> 00:22:40,839 the encryption works. 386 00:22:43,540 --> 00:22:44,859 So there is one trivial attack 387 00:22:46,210 --> 00:22:48,339 that is, imagine that your 388 00:22:48,340 --> 00:22:49,599 encryption function is 389 00:22:49,600 --> 00:22:51,919 deterministic, then 390 00:22:51,920 --> 00:22:53,689 then it's pretty easy. 391 00:22:53,690 --> 00:22:55,929 And my adversary can pick 392 00:22:55,930 --> 00:22:58,029 any two messages M zero and M one 393 00:22:58,030 --> 00:22:59,679 as long as they are different. 394 00:22:59,680 --> 00:23:01,869 And then the my test to the full 395 00:23:01,870 --> 00:23:04,509 to b prime would be to simply compare 396 00:23:04,510 --> 00:23:06,819 the ciphertext I receive with my 397 00:23:06,820 --> 00:23:08,949 own encryption of M1 because I 398 00:23:08,950 --> 00:23:11,109 choose the message and I can encrypt them 399 00:23:11,110 --> 00:23:13,089 so I can. I can compare and if
400 00:23:13,090 --> 00:23:14,229 This encryption function is 401 00:23:14,230 --> 00:23:16,359 deterministic. Then this works, and 402 00:23:16,360 --> 00:23:18,759 the the proof sketch would be sort of 403 00:23:18,760 --> 00:23:21,699 as follows that the 404 00:23:21,700 --> 00:23:23,769 encryption, if it isn't deterministic, 405 00:23:23,770 --> 00:23:25,809 then it means that number is equal to M1. 406 00:23:25,810 --> 00:23:27,279 Therefore, that being equal to one and 407 00:23:27,280 --> 00:23:30,149 therefore that that I guess be 408 00:23:30,150 --> 00:23:32,439 two. Why is this game 409 00:23:32,440 --> 00:23:34,279 still used if there is this? 410 00:23:34,280 --> 00:23:36,400 The point is that we are not supposed to 411 00:23:37,840 --> 00:23:39,519 to have an encryption function that is 412 00:23:39,520 --> 00:23:41,229 deterministic. I mean, at least then it 413 00:23:41,230 --> 00:23:43,089 will fulfill different security 414 00:23:43,090 --> 00:23:45,579 criterion, but not the semantic security 415 00:23:45,580 --> 00:23:47,769 of IND-CPA and all what 416 00:23:47,770 --> 00:23:49,419 is above it. 417 00:23:49,420 --> 00:23:51,609 So, so does the 418 00:23:51,610 --> 00:23:53,139 encryption should be randomized. 419 00:23:53,140 --> 00:23:55,269 But if you think of it of the what 420 00:23:55,270 --> 00:23:57,339 do we call now? Textbook RSA, 421 00:23:57,340 --> 00:23:58,719 it's defined like that. 422 00:23:58,720 --> 00:24:00,849 That is the public key is 423 00:24:00,850 --> 00:24:02,949 a pair of E the exponential, 424 00:24:02,950 --> 00:24:04,719 the encryption exponent and N the 425 00:24:04,720 --> 00:24:06,819 modulus and then encryption 426 00:24:06,820 --> 00:24:08,889 is just M to the E 427 00:24:08,890 --> 00:24:09,999 modulo N. 428 00:24:10,000 --> 00:24:11,649 This is completely deterministic. 429 00:24:11,650 --> 00:24:12,909 This thing.
430 00:24:12,910 --> 00:24:15,129 So yes, RSA, if 431 00:24:15,130 --> 00:24:17,109 it's implemented like that, it's not 432 00:24:17,110 --> 00:24:18,310 secure. According to this 433 00:24:19,400 --> 00:24:21,189 IND-CPA definition. 434 00:24:21,190 --> 00:24:23,109 That is, you can have an adversary that 435 00:24:23,110 --> 00:24:25,569 can pick the two messages and that can 436 00:24:25,570 --> 00:24:27,369 have a clue about which one you encrypt 437 00:24:27,370 --> 00:24:28,370 it. 438 00:24:28,900 --> 00:24:31,179 The thing is that RSA is not 439 00:24:31,180 --> 00:24:33,159 good at encrypting and encrypting 440 00:24:33,160 --> 00:24:34,419 particular messages. 441 00:24:34,420 --> 00:24:36,369 It's only good at encrypting random 442 00:24:36,370 --> 00:24:38,829 messages, then it's fine if 443 00:24:38,830 --> 00:24:40,269 M is picked at random. 444 00:24:40,270 --> 00:24:41,949 So that's why now it should. 445 00:24:41,950 --> 00:24:44,349 RSA should be used as 446 00:24:44,350 --> 00:24:46,989 you encrypt, you pick 447 00:24:46,990 --> 00:24:48,519 M at random. And this this. 448 00:24:48,520 --> 00:24:50,649 This is not your message, but 449 00:24:50,650 --> 00:24:52,929 is some kind of secret key for some other 450 00:24:52,930 --> 00:24:54,319 encryption. Let's say a symmetric 451 00:24:54,320 --> 00:24:55,320 encryption scheme 452 00:24:56,680 --> 00:24:57,609 anyway. 453 00:24:57,610 --> 00:24:59,709 So randomness is paramount. 454 00:25:03,010 --> 00:25:04,889 Okay, so now we can see. 455 00:25:04,890 --> 00:25:07,029 So this way, I sort of hidden 456 00:25:07,030 --> 00:25:09,189 this randomness thing before and 457 00:25:09,190 --> 00:25:10,899 now that is made explicit. 458 00:25:10,900 --> 00:25:12,939 So the way we can, we can represent this 459 00:25:12,940 --> 00:25:14,259 game with the two boxes.
460 00:25:14,260 --> 00:25:16,959 We going to represent it in with this 461 00:25:16,960 --> 00:25:19,209 expert function that takes 462 00:25:19,210 --> 00:25:21,379 the baby and 463 00:25:21,380 --> 00:25:23,679 we can choose the mode where 464 00:25:23,680 --> 00:25:25,899 B is zero and the mode where B is one, 465 00:25:25,900 --> 00:25:27,159 then it takes an adversary. 466 00:25:27,160 --> 00:25:29,379 This is a and then it takes 467 00:25:29,380 --> 00:25:31,119 all the randomness that is necessary in 468 00:25:31,120 --> 00:25:32,120 this game. 469 00:25:33,180 --> 00:25:34,180 So 470 00:25:35,290 --> 00:25:37,389 one one, one point of this 471 00:25:37,390 --> 00:25:38,919 of this exercise is that usually the 472 00:25:38,920 --> 00:25:40,899 randomness can be made a sort of implicit 473 00:25:40,900 --> 00:25:42,219 in the in the discourse. 474 00:25:42,220 --> 00:25:44,409 But here we really make it explicit 475 00:25:44,410 --> 00:25:46,519 as we think it's a it's 476 00:25:46,520 --> 00:25:49,029 it's it's really necessary 477 00:25:49,030 --> 00:25:51,399 to to clearly 478 00:25:51,400 --> 00:25:52,659 see things. 479 00:25:52,660 --> 00:25:54,519 So anyway, so this this game's policy, 480 00:25:54,520 --> 00:25:56,319 like there is this four lines, PCA is 481 00:25:56,320 --> 00:25:58,419 created out of the generator, then 482 00:25:58,420 --> 00:26:01,059 it's sent to the to the adversary, 483 00:26:01,060 --> 00:26:02,470 to empath, then 484 00:26:03,610 --> 00:26:05,889 the end, the message is encrypted and 485 00:26:05,890 --> 00:26:08,139 gets called C, 486 00:26:08,140 --> 00:26:10,209 and then we can pass C to the adversary 487 00:26:10,210 --> 00:26:13,029 again to get the resulting 488 00:26:13,030 --> 00:26:14,030 bit. 489 00:26:15,010 --> 00:26:16,929 Then then the little B in the game 490 00:26:16,930 --> 00:26:18,759 function just below.
491 00:26:18,760 --> 00:26:20,949 Now it takes part, becomes part of 492 00:26:20,950 --> 00:26:23,409 the randomness. We pick this B at random 493 00:26:23,410 --> 00:26:25,599 and and then we obtain the the game 494 00:26:25,600 --> 00:26:26,739 I was I was mentioning, 495 00:26:29,680 --> 00:26:31,839 OK, so there is another trivial attack 496 00:26:31,840 --> 00:26:34,689 that that is what if 497 00:26:34,690 --> 00:26:36,459 what if the size gets to, 498 00:26:38,080 --> 00:26:40,179 uh, the size gets to 499 00:26:40,180 --> 00:26:41,180 leak? 500 00:26:42,370 --> 00:26:44,650 So basically, if you want one 501 00:26:46,000 --> 00:26:48,129 any messages as they are different 502 00:26:48,130 --> 00:26:50,259 size, then 503 00:26:50,260 --> 00:26:52,329 then a way of of seeing 504 00:26:52,330 --> 00:26:53,799 which one has been encrypted is just to 505 00:26:53,800 --> 00:26:55,959 look, is this the the size 506 00:26:55,960 --> 00:26:58,569 of the ciphertext I get of the same size 507 00:26:58,570 --> 00:27:00,339 of the encryption of M one? 508 00:27:00,340 --> 00:27:02,739 So even if i m one with a different 509 00:27:03,820 --> 00:27:05,979 randomness, then then 510 00:27:05,980 --> 00:27:07,030 it will usually 511 00:27:08,290 --> 00:27:10,809 keep two schemes that preserve the size 512 00:27:10,810 --> 00:27:13,209 and the size do not depend on the randomness. 513 00:27:13,210 --> 00:27:15,099 So. So this would work. 514 00:27:15,100 --> 00:27:17,350 So that's why in the actual definition of 515 00:27:18,910 --> 00:27:21,039 of of 516 00:27:21,040 --> 00:27:23,189 IND-CPA is actually to 517 00:27:23,190 --> 00:27:24,819 require the two messages to be of the same 518 00:27:24,820 --> 00:27:25,789 size. 519 00:27:25,790 --> 00:27:27,249 Right. So the of course, they knew about 520 00:27:27,250 --> 00:27:29,259 that.
So the the the real definition of 521 00:27:29,260 --> 00:27:31,329 IND-CPA is that m0 and m1 are of the same 522 00:27:31,330 --> 00:27:32,330 size 523 00:27:33,500 --> 00:27:35,889 and that we only consider 524 00:27:35,890 --> 00:27:37,209 randomized encryption. 525 00:27:37,210 --> 00:27:39,789 OK, to defeat these two trivial attacks. 526 00:27:39,790 --> 00:27:42,069 OK, so now let's let's speak a bit about 527 00:27:42,070 --> 00:27:44,259 compression 528 00:27:44,260 --> 00:27:46,029 together with encryption. 529 00:27:46,030 --> 00:27:48,219 OK, so what if both are good and 530 00:27:48,220 --> 00:27:49,639 we want privacy? 531 00:27:49,640 --> 00:27:51,079 We want to save some bandwidth 532 00:27:52,460 --> 00:27:54,139 on this storage. 533 00:27:54,140 --> 00:27:55,819 So let's put them together. 534 00:27:55,820 --> 00:27:58,219 So first attempt we come, we 535 00:27:58,220 --> 00:27:59,690 encrypt and then we compress. 536 00:28:00,710 --> 00:28:03,529 This is useless because 537 00:28:03,530 --> 00:28:06,499 compression after basically 538 00:28:06,500 --> 00:28:08,119 encrypted data looks like random. 539 00:28:08,120 --> 00:28:10,189 And there's one thing that 540 00:28:10,190 --> 00:28:12,289 compression can't always 541 00:28:12,290 --> 00:28:13,829 do as well encrypt random. 542 00:28:13,830 --> 00:28:15,499 This is a matter of entropy. 543 00:28:15,500 --> 00:28:17,089 It's so basically 544 00:28:18,200 --> 00:28:20,420 it works, but it doesn't compress much. 545 00:28:21,830 --> 00:28:22,830 So let's do the opposite. 546 00:28:24,260 --> 00:28:26,419 So encryption after compression and one 547 00:28:26,420 --> 00:28:28,609 way to think of it is to say that 548 00:28:28,610 --> 00:28:31,909 you take we take an encryption scheme and 549 00:28:31,910 --> 00:28:33,949 then you produce a new one that will 550 00:28:33,950 --> 00:28:36,529 systematically just before encrypting.
551 00:28:36,530 --> 00:28:38,869 We systematically compress the message 552 00:28:38,870 --> 00:28:40,939 like, like, you don't 553 00:28:40,940 --> 00:28:42,979 think it always you compress and then you 554 00:28:42,980 --> 00:28:43,980 encrypt. 555 00:28:44,690 --> 00:28:48,019 OK, so we get this information, 556 00:28:48,020 --> 00:28:49,670 and that's the part that is broken. 557 00:28:52,070 --> 00:28:54,489 So this is the this is what 558 00:28:54,490 --> 00:28:56,599 the where the compression 559 00:28:56,600 --> 00:28:57,920 oracle comes in. 560 00:28:59,210 --> 00:29:00,410 So basically, 561 00:29:01,610 --> 00:29:03,289 the pair of messages can be any two 562 00:29:03,290 --> 00:29:05,689 messages that have the same size 563 00:29:05,690 --> 00:29:08,299 right to fulfill the requirements of this 564 00:29:08,300 --> 00:29:10,339 game, but will compress to a different 565 00:29:10,340 --> 00:29:11,269 size. 566 00:29:11,270 --> 00:29:14,089 And I bet that any, 567 00:29:14,090 --> 00:29:16,249 any pair of any, any kind 568 00:29:16,250 --> 00:29:17,900 of compression scheme better 569 00:29:19,160 --> 00:29:21,409 be able to to compress better some messages 570 00:29:21,410 --> 00:29:23,119 than some others because we know that it 571 00:29:23,120 --> 00:29:24,709 can't compress all of them. 572 00:29:24,710 --> 00:29:27,169 So. So basically, one message, m0, 573 00:29:27,170 --> 00:29:29,359 could be sort of plenty of zeros 574 00:29:29,360 --> 00:29:31,789 and m1 575 00:29:31,790 --> 00:29:34,009 could be some random bits 576 00:29:34,010 --> 00:29:36,169 string of that's of that same size. 577 00:29:36,170 --> 00:29:38,299 One will compress very well and the other 578 00:29:38,300 --> 00:29:39,300 will not. 579 00:29:40,850 --> 00:29:42,099 And so, 580 00:29:43,730 --> 00:29:45,829 so that way we can write the adversary is 581 00:29:45,830 --> 00:29:47,929 just to look at the size of this 582 00:29:47,930 --> 00:29:49,069 ink function.
583 00:29:52,700 --> 00:29:54,859 So, so this is well known for for a long 584 00:29:54,860 --> 00:29:57,309 time as some kind of a theoretical attack 585 00:29:57,310 --> 00:29:59,749 that because IND-CPA 586 00:29:59,750 --> 00:30:01,819 is not protecting the length 587 00:30:01,820 --> 00:30:02,809 of the message. 588 00:30:02,810 --> 00:30:04,939 If you can and could, if you can 589 00:30:04,940 --> 00:30:07,249 make the length depend on the 590 00:30:07,250 --> 00:30:09,619 on the on the content, then 591 00:30:09,620 --> 00:30:12,259 then the intrusion plain text that I can, 592 00:30:12,260 --> 00:30:14,059 then then wear it again. 593 00:30:18,170 --> 00:30:19,579 And this works basically for any 594 00:30:19,580 --> 00:30:21,499 compression compression scheme 595 00:30:23,030 --> 00:30:25,459 and this assume from any encryption 596 00:30:25,460 --> 00:30:27,679 scheme, which is you can can even 597 00:30:27,680 --> 00:30:29,989 be in situ. 598 00:30:29,990 --> 00:30:31,109 The biggest one? 599 00:30:31,110 --> 00:30:32,149 Yeah. 600 00:30:32,150 --> 00:30:34,309 And we limit the size of the 601 00:30:34,310 --> 00:30:37,369 plain text message by encrypting. 602 00:30:37,370 --> 00:30:39,079 And basically that the ciphertext size does 603 00:30:39,080 --> 00:30:40,339 not depend on the randomness. 604 00:30:40,340 --> 00:30:42,559 That's a technicality that that's usually 605 00:30:42,560 --> 00:30:43,560 OK. 606 00:30:45,760 --> 00:30:47,989 OK, so now we get closer to this 607 00:30:47,990 --> 00:30:50,409 BREACH attack, that is 608 00:30:50,410 --> 00:30:52,329 that was first was clear. 609 00:30:52,330 --> 00:30:53,569 It was the. 610 00:30:53,570 --> 00:30:56,779 In 2012, it was the CRIME attack 611 00:30:56,780 --> 00:30:58,999 which was targeting 612 00:30:59,000 --> 00:31:01,429 the compression that was building in 613 00:31:01,430 --> 00:31:03,119 as was not widely used.
614 00:31:03,120 --> 00:31:05,329 So this just got turned off 615 00:31:05,330 --> 00:31:07,309 and this was mitigated. 616 00:31:08,630 --> 00:31:09,630 OK, 617 00:31:10,820 --> 00:31:11,820 BREACH. 618 00:31:13,190 --> 00:31:15,409 So and so 619 00:31:15,410 --> 00:31:17,209 it's an improvement on the. 620 00:31:18,440 --> 00:31:20,659 So so what we saw is that in theory, this 621 00:31:20,660 --> 00:31:22,729 was this was broken since the since the 622 00:31:22,730 --> 00:31:24,859 beginning. Each time you compress, 623 00:31:24,860 --> 00:31:26,959 whatever you do, each time you compress, 624 00:31:26,960 --> 00:31:27,960 then you encrypt 625 00:31:29,150 --> 00:31:30,739 IND-CPA, it doesn't help you. 626 00:31:30,740 --> 00:31:32,390 It's an 627 00:31:33,500 --> 00:31:35,479 injury and it is considered kind of the 628 00:31:35,480 --> 00:31:38,180 the lowest theoretical 629 00:31:40,730 --> 00:31:42,199 security solution for an encryption 630 00:31:42,200 --> 00:31:43,369 scheme. 631 00:31:43,370 --> 00:31:45,439 So it works full and this BREACH attack 632 00:31:45,440 --> 00:31:46,609 works. And so what? 633 00:31:46,610 --> 00:31:48,569 I mean, so the so this kind of attacks 634 00:31:48,570 --> 00:31:50,299 that they they go further, they they they 635 00:31:50,300 --> 00:31:52,999 use a lot of ingenuity and and 636 00:31:53,000 --> 00:31:55,099 and tricks to to not 637 00:31:55,100 --> 00:31:57,439 only make this work in theory, 638 00:31:57,440 --> 00:31:59,959 but works in fact practice 639 00:31:59,960 --> 00:32:02,059 and not only to recover yourself one 640 00:32:02,060 --> 00:32:03,529 bit in the case where you repeat the 641 00:32:03,530 --> 00:32:06,529 messages, but recover all the secret. 642 00:32:06,530 --> 00:32:09,799 That's that's what gets interesting. 643 00:32:09,800 --> 00:32:12,139 So this BREACH attack works on the 644 00:32:12,140 --> 00:32:13,369 on.
645 00:32:13,370 --> 00:32:15,739 HTTP responses and 646 00:32:15,740 --> 00:32:18,049 can get secrets 647 00:32:18,050 --> 00:32:20,119 like CSRF tokens 648 00:32:20,120 --> 00:32:21,469 because they are, they are. 649 00:32:21,470 --> 00:32:22,819 They appear into responses and they 650 00:32:22,820 --> 00:32:25,249 usually reflect part of the 651 00:32:25,250 --> 00:32:26,250 part of the input. 652 00:32:30,590 --> 00:32:32,599 OK, so from the from the paper, we can 653 00:32:32,600 --> 00:32:35,059 explain the ODIs 654 00:32:35,060 --> 00:32:36,500 this year 655 00:32:38,380 --> 00:32:39,380 and make it bigger. 656 00:32:40,940 --> 00:32:43,489 This this attack works is that 657 00:32:43,490 --> 00:32:45,589 the first thing is is, is, is, 658 00:32:45,590 --> 00:32:47,809 is a URL where there 659 00:32:47,810 --> 00:32:49,049 is, where you get, you have. 660 00:32:49,050 --> 00:32:50,880 In the parameters, you can 661 00:32:52,020 --> 00:32:54,419 you can put something that looks like 662 00:32:54,420 --> 00:32:57,179 this canary is, as 663 00:32:57,180 --> 00:32:59,249 could be CSRF token 664 00:32:59,250 --> 00:33:01,319 equal. This is something that that is 665 00:33:01,320 --> 00:33:03,479 just the prefix before the secret 666 00:33:03,480 --> 00:33:04,679 that that is known. 667 00:33:04,680 --> 00:33:07,259 Then you put your guess and 668 00:33:07,260 --> 00:33:08,670 then you, you will get 669 00:33:10,590 --> 00:33:12,989 you will get as the response, something 670 00:33:12,990 --> 00:33:15,029 that includes your guess. 671 00:33:15,030 --> 00:33:18,149 And that also contains the secret 672 00:33:18,150 --> 00:33:20,369 below this canary 673 00:33:20,370 --> 00:33:21,809 the sick. 674 00:33:21,810 --> 00:33:23,949 So the secret is these six three four 675 00:33:23,950 --> 00:33:24,839 zero.
676 00:33:24,840 --> 00:33:26,969 And the thing is that if your guess is 677 00:33:26,970 --> 00:33:29,669 good, then the compression 678 00:33:29,670 --> 00:33:30,670 will work better. 679 00:33:31,650 --> 00:33:34,019 And so just by looking at the size 680 00:33:34,020 --> 00:33:35,519 of that, because you don't get this, this 681 00:33:35,520 --> 00:33:37,439 this this response in clear text, this is 682 00:33:37,440 --> 00:33:38,619 not meant for you. 683 00:33:38,620 --> 00:33:40,469 The set up works like that. 684 00:33:42,750 --> 00:33:44,489 And there is. 685 00:33:44,490 --> 00:33:46,229 So there you have a real man in the 686 00:33:46,230 --> 00:33:48,549 middle. You can just sniff the 687 00:33:48,550 --> 00:33:50,099 the the resulting 688 00:33:52,320 --> 00:33:55,139 from the resulting responses 689 00:33:55,140 --> 00:33:57,479 encrypted and just the size of it. 690 00:33:57,480 --> 00:33:59,429 This is what you need. 691 00:33:59,430 --> 00:34:02,369 So you will make a request 692 00:34:02,370 --> 00:34:04,739 that you can do either by forcing the 693 00:34:04,740 --> 00:34:06,989 the victim to do it or 694 00:34:06,990 --> 00:34:09,059 well, in theory, you can do it because you 695 00:34:09,060 --> 00:34:11,039 have the public key. So if it's if it was 696 00:34:11,040 --> 00:34:12,839 just a matter of public encryption, then 697 00:34:12,840 --> 00:34:14,218 you have the public keys or you can send 698 00:34:14,219 --> 00:34:16,138 messages to the to the server. 699 00:34:16,139 --> 00:34:18,209 In practice, there is 700 00:34:18,210 --> 00:34:19,679 enough stuff that makes 701 00:34:20,730 --> 00:34:21,629 makes this difficult. 702 00:34:21,630 --> 00:34:23,579 So let's say that that you force the 703 00:34:23,580 --> 00:34:25,800 victim to send a particular 704 00:34:27,030 --> 00:34:29,189 request and then all of the 705 00:34:29,190 --> 00:34:31,419 responses, you can only get the length.
706 00:34:31,420 --> 00:34:32,420 But 707 00:34:34,770 --> 00:34:36,839 but when you get when your 708 00:34:36,840 --> 00:34:38,939 guess is when the first byte of 709 00:34:38,940 --> 00:34:41,339 your guess is right, then it will likely 710 00:34:41,340 --> 00:34:43,468 to compress better then 711 00:34:43,469 --> 00:34:45,509 than when it's not because there is there 712 00:34:45,510 --> 00:34:47,999 is patterns that repeat and that's what 713 00:34:48,000 --> 00:34:49,260 compression is here for. 714 00:34:50,520 --> 00:34:52,738 So you can then therefore recover byte 715 00:34:52,739 --> 00:34:54,839 by byte all the all 716 00:34:54,840 --> 00:34:57,299 the secrets in this way. 717 00:34:57,300 --> 00:34:59,309 So there is technicalities 718 00:35:01,230 --> 00:35:03,329 that I will mention a bit later 719 00:35:03,330 --> 00:35:04,330 on. 720 00:35:05,250 --> 00:35:07,529 OK, so this was the set up. 721 00:35:07,530 --> 00:35:09,499 No, I need something similar. 722 00:35:10,620 --> 00:35:11,620 Yes. 723 00:35:12,000 --> 00:35:13,000 So 724 00:35:14,250 --> 00:35:15,149 so basically, it is. 725 00:35:15,150 --> 00:35:17,669 This would be some kind of a 726 00:35:17,670 --> 00:35:19,619 mock up. This is some kind of a mock up 727 00:35:19,620 --> 00:35:21,809 of what is of what the base version 728 00:35:21,810 --> 00:35:24,269 of of BREACH would look like in 729 00:35:24,270 --> 00:35:26,099 in regard to this. 730 00:35:26,100 --> 00:35:27,100 So this this 731 00:35:28,620 --> 00:35:31,589 so I use this this 732 00:35:31,590 --> 00:35:32,519 for this presentation. 733 00:35:32,520 --> 00:35:34,169 I thought it was more fun to speak about 734 00:35:34,170 --> 00:35:35,520 an attack more than speak about 735 00:35:38,340 --> 00:35:40,439 an encryption scheme on 736 00:35:40,440 --> 00:35:41,440 the construction.
737 00:35:42,380 --> 00:35:43,380 Yeah, 738 00:35:44,540 --> 00:35:46,589 it's more fun to see to see an attack 739 00:35:46,590 --> 00:35:48,449 than to see why something is secure. 740 00:35:48,450 --> 00:35:51,389 And usually it's more technical and 741 00:35:51,390 --> 00:35:53,459 to see why the proof of when something 742 00:35:53,460 --> 00:35:55,799 is so in the end, this 743 00:35:55,800 --> 00:35:58,349 is what I have about BREACH. 744 00:35:58,350 --> 00:36:00,629 Really, Nanda is basically just a just 745 00:36:00,630 --> 00:36:03,479 a mock up, but 746 00:36:03,480 --> 00:36:04,920 and also this compression 747 00:36:06,750 --> 00:36:09,159 oracle that we saw before, that was 748 00:36:09,160 --> 00:36:11,519 the theory behind it. 749 00:36:11,520 --> 00:36:13,289 So in the real BREACH, there is lots of 750 00:36:13,290 --> 00:36:14,939 technical challenges that they had to 751 00:36:14,940 --> 00:36:17,159 overcome the fact that there is not 752 00:36:17,160 --> 00:36:19,349 only the compression works 753 00:36:19,350 --> 00:36:21,539 in in two layers and there is Huffman 754 00:36:21,540 --> 00:36:23,339 encoding that that makes the 755 00:36:23,340 --> 00:36:25,439 difference this this the 756 00:36:25,440 --> 00:36:26,409 the basic version. 757 00:36:26,410 --> 00:36:28,319 So then there is this to transmit it. 758 00:36:28,320 --> 00:36:30,569 So I just want to to to 759 00:36:30,570 --> 00:36:32,499 in case in case you don't know BREACH 760 00:36:32,500 --> 00:36:34,889 well that that don't get confused 761 00:36:34,890 --> 00:36:37,259 by this simple mock. 762 00:36:37,260 --> 00:36:39,480 This is more advanced than this 763 00:36:43,500 --> 00:36:44,500 is. 764 00:36:45,120 --> 00:36:47,369 So block ciphers can hide the length, but 765 00:36:47,370 --> 00:36:49,469 not totally.
766 00:36:49,470 --> 00:36:51,899 Sometime you, you can only make 767 00:36:51,900 --> 00:36:54,839 a guess on the smaller 768 00:36:54,840 --> 00:36:55,840 pair of time. Or 769 00:36:58,050 --> 00:37:00,239 anyway. So yeah, we have plenty 770 00:37:00,240 --> 00:37:01,499 of time for questions. 771 00:37:01,500 --> 00:37:03,510 So as a as a, as a future work, 772 00:37:04,680 --> 00:37:06,919 so this we we work on, 773 00:37:06,920 --> 00:37:07,920 on 774 00:37:09,200 --> 00:37:11,369 our end goal would be to verify 775 00:37:11,370 --> 00:37:13,439 a voting scheme based 776 00:37:13,440 --> 00:37:15,000 on on on cryptography. 777 00:37:16,050 --> 00:37:18,179 Examples of that: Helios or 778 00:37:18,180 --> 00:37:20,249 Prêt à Voter, they are somehow based 779 00:37:20,250 --> 00:37:21,479 on the mix-net. 780 00:37:21,480 --> 00:37:23,549 And to do this, we need to 781 00:37:23,550 --> 00:37:26,009 sort of verify all the all the basic 782 00:37:26,010 --> 00:37:28,469 blocks of offer of encryption 783 00:37:28,470 --> 00:37:30,539 before there is emblematic encryption on 784 00:37:30,540 --> 00:37:33,809 interactive zero-knowledge proofs, 785 00:37:33,810 --> 00:37:36,389 things like the now transform. 786 00:37:36,390 --> 00:37:38,879 There is plenty of roadblocks 787 00:37:38,880 --> 00:37:41,489 before that, but we we are we are getting 788 00:37:41,490 --> 00:37:42,490 we are getting closer. 789 00:37:47,590 --> 00:37:49,629 That's the end of my talk, and I we have 790 00:37:49,630 --> 00:37:51,550 plenty of time for questions. 791 00:38:01,570 --> 00:38:02,889 Thank you. 792 00:38:02,890 --> 00:38:04,299 Are there questions from the internet? 793 00:38:04,300 --> 00:38:05,469 Yes, there are. 794 00:38:05,470 --> 00:38:06,470 Go ahead. 795 00:38:17,570 --> 00:38:18,570 I 796 00:38:20,690 --> 00:38:22,809 do I get this right that, you 797 00:38:22,810 --> 00:38:24,889 know, you have this URL-like 798 00:38:24,890 --> 00:38:26,779 structure where you have.
799 00:38:26,780 --> 00:38:28,699 I am a second person from the internet. 800 00:38:28,700 --> 00:38:30,859 Oh, sorry. But you 801 00:38:30,860 --> 00:38:33,649 OK? Question from IRC. 802 00:38:33,650 --> 00:38:35,809 Why did you decide to leave France 803 00:38:35,810 --> 00:38:37,609 for computer science research? 804 00:38:41,930 --> 00:38:44,329 OK, you didn't read them. 805 00:38:45,360 --> 00:38:47,659 So in short, I didn't 806 00:38:47,660 --> 00:38:49,909 leave necessarily for for 807 00:38:49,910 --> 00:38:50,869 long. 808 00:38:50,870 --> 00:38:53,239 This is quite common after your PhD 809 00:38:53,240 --> 00:38:55,669 to do the postdoc 810 00:38:55,670 --> 00:38:58,429 somewhere else in a in a 811 00:38:58,430 --> 00:38:59,929 in some other country to get more 812 00:38:59,930 --> 00:39:01,129 international experience. 813 00:39:01,130 --> 00:39:03,259 And and I I hope to get a 814 00:39:03,260 --> 00:39:04,399 position back in France. 815 00:39:04,400 --> 00:39:06,529 But but I'm not that. 816 00:39:06,530 --> 00:39:08,629 I mean, the place doesn't matter 817 00:39:08,630 --> 00:39:10,879 much more than like the context on 818 00:39:10,880 --> 00:39:11,880 the team and all that. 819 00:39:15,420 --> 00:39:17,059 But the BREACH attacks still work. 820 00:39:17,060 --> 00:39:19,609 If this URL includes 821 00:39:19,610 --> 00:39:21,709 kind of randomly created session 822 00:39:21,710 --> 00:39:24,349 ID because then your guess 823 00:39:24,350 --> 00:39:26,419 compresses together with the secret 824 00:39:26,420 --> 00:39:28,519 or or and the 825 00:39:28,520 --> 00:39:29,520 Session ID. 826 00:39:31,220 --> 00:39:33,529 So you think in the case where 827 00:39:33,530 --> 00:39:35,599 where the session ID has 828 00:39:35,600 --> 00:39:37,799 some patterns that will repeat with 829 00:39:37,800 --> 00:39:39,289 the with the guess.
830 00:39:39,290 --> 00:39:41,479 Yeah, I think 831 00:39:41,480 --> 00:39:43,879 this is this is sort 832 00:39:43,880 --> 00:39:45,709 of unlikely. 833 00:39:45,710 --> 00:39:47,419 And if the sort of thing is that if 834 00:39:47,420 --> 00:39:49,909 the session ID is the same over 835 00:39:49,910 --> 00:39:52,309 request, then I think it doesn't 836 00:39:52,310 --> 00:39:53,849 help it. 837 00:39:53,850 --> 00:39:55,339 It's also the same one of the secret 838 00:39:55,340 --> 00:39:56,389 changes every time. 839 00:39:56,390 --> 00:39:57,949 Yeah. So if the secret changes every 840 00:39:57,950 --> 00:40:00,139 time, this is one of the ways to mitigate 841 00:40:00,140 --> 00:40:01,409 this attack. 842 00:40:01,410 --> 00:40:02,410 Yes. 843 00:40:02,690 --> 00:40:03,919 Okay. We have another question from the 844 00:40:03,920 --> 00:40:04,920 internet. 845 00:40:05,720 --> 00:40:07,849 One more question from IRC 846 00:40:07,850 --> 00:40:10,159 typically proving a protocol need 847 00:40:10,160 --> 00:40:12,859 to explore a big database. 848 00:40:12,860 --> 00:40:15,139 How do you prove that your exploration 849 00:40:15,140 --> 00:40:17,480 function is exhaustive? 850 00:40:19,070 --> 00:40:21,409 So there is two to two main 851 00:40:21,410 --> 00:40:23,689 ways of doing this kind of proof. 852 00:40:23,690 --> 00:40:26,859 That is, and 853 00:40:26,860 --> 00:40:28,639 these are relying on what we will call 854 00:40:28,640 --> 00:40:30,199 model checking and the other. 855 00:40:30,200 --> 00:40:32,419 It usually depends on really exploring 856 00:40:32,420 --> 00:40:33,499 that, that space. 857 00:40:33,500 --> 00:40:35,629 And in crypto, we would like 858 00:40:35,630 --> 00:40:37,759 to have huge spaces because like the the 859 00:40:37,760 --> 00:40:40,159 keys are usually not 860 00:40:40,160 --> 00:40:41,749 you can't really explore them.
861 00:40:41,750 --> 00:40:44,389 The idea is that we do more of symbolic 862 00:40:44,390 --> 00:40:46,459 reasoning where we can deal 863 00:40:46,460 --> 00:40:48,169 with this, with this functions that 864 00:40:48,170 --> 00:40:50,239 really do in 865 00:40:50,240 --> 00:40:52,579 that we do explore 866 00:40:52,580 --> 00:40:54,859 everything, I mean, like every of two 867 00:40:54,860 --> 00:40:58,219 power to the two to 256 868 00:40:58,220 --> 00:40:59,239 bit space. 869 00:40:59,240 --> 00:41:01,579 But but we don't run these programs, 870 00:41:01,580 --> 00:41:03,109 we run them only symbolically. 871 00:41:03,110 --> 00:41:05,209 We make them make that they are defined 872 00:41:05,210 --> 00:41:06,889 by induction on their own there. 873 00:41:06,890 --> 00:41:08,239 So basically, yes, we can. 874 00:41:08,240 --> 00:41:09,949 We can do proofs 875 00:41:12,590 --> 00:41:14,779 which will air about programs that 876 00:41:14,780 --> 00:41:16,969 do enumerate a space that 877 00:41:16,970 --> 00:41:19,159 is much bigger than that where we can 878 00:41:19,160 --> 00:41:20,160 compute. 879 00:41:24,010 --> 00:41:26,829 Next question could 880 00:41:26,830 --> 00:41:29,229 be used for reverse engineer 881 00:41:29,230 --> 00:41:31,359 to prove the identity of two different 882 00:41:31,360 --> 00:41:32,360 implementations. 883 00:41:35,110 --> 00:41:37,059 I don't get why reverse engineer 884 00:41:38,200 --> 00:41:40,029 but but yes, I mean this, this can. 885 00:41:42,790 --> 00:41:44,229 This can be useful for this kind of 886 00:41:44,230 --> 00:41:46,329 thing. I mean, it's a if you if you think 887 00:41:46,330 --> 00:41:48,339 of functional programing, it's a bit like 888 00:41:48,340 --> 00:41:51,049 Haskell Plus 889 00:41:51,050 --> 00:41:53,199 plus proofs that that not only 890 00:41:53,200 --> 00:41:54,669 you can write a programs, but you can 891 00:41:54,670 --> 00:41:56,419 also write proofs about it. 
892 00:41:56,420 --> 00:41:58,299 Instead of just testing that there's two 893 00:41:58,300 --> 00:41:59,559 functions that are doing the same, you 894 00:41:59,560 --> 00:42:01,449 can also prove that they are doing the 895 00:42:01,450 --> 00:42:02,329 same. 896 00:42:02,330 --> 00:42:03,330 Oh 897 00:42:06,370 --> 00:42:08,549 yes, OK. 898 00:42:08,550 --> 00:42:10,629 And there's a familiar 899 00:42:10,630 --> 00:42:11,630 way for you, sir. 900 00:42:18,710 --> 00:42:20,869 So I like the general idea very much, 901 00:42:20,870 --> 00:42:23,479 but the weakest concept seems to be 902 00:42:23,480 --> 00:42:25,879 that there is no real concept 903 00:42:25,880 --> 00:42:27,320 for entropy in the whole 904 00:42:29,030 --> 00:42:30,289 system of a form of proof. 905 00:42:30,290 --> 00:42:32,420 So can you deal with 906 00:42:33,890 --> 00:42:36,289 weak random generators and 907 00:42:36,290 --> 00:42:38,179 say anything about the complexity? 908 00:42:38,180 --> 00:42:40,489 How long do we have to listen 909 00:42:40,490 --> 00:42:42,859 to this, or how complex an attack 910 00:42:42,860 --> 00:42:45,079 has to be to 911 00:42:45,080 --> 00:42:47,419 give total breaks 912 00:42:47,420 --> 00:42:49,409 a cryptography you as a given probability 913 00:42:49,410 --> 00:42:51,559 or something like this? 914 00:42:51,560 --> 00:42:54,349 This seems extremely difficult to me. 915 00:42:54,350 --> 00:42:56,959 Yeah. So I 916 00:42:56,960 --> 00:42:58,879 expect the thing to be sort of I mean, as 917 00:42:58,880 --> 00:43:01,019 we usually do to be 918 00:43:01,020 --> 00:43:03,289 in mid-July as in when 919 00:43:03,290 --> 00:43:05,239 when you have a particular thing that 920 00:43:05,240 --> 00:43:06,949 requires Londoners would say, Oh yeah, we 921 00:43:06,950 --> 00:43:08,119 pick on the numbers. 
922 00:43:08,120 --> 00:43:10,369 And then in practice, we use a 923 00:43:10,370 --> 00:43:13,609 pseudorandom generator, which is better 924 00:43:13,610 --> 00:43:15,049 be secure. 925 00:43:15,050 --> 00:43:16,050 So. 926 00:43:17,430 --> 00:43:19,339 So the proof of that, the pseudorandom 927 00:43:19,340 --> 00:43:21,289 generator is secure is when you can't 928 00:43:21,290 --> 00:43:23,629 computationally distinguish it from 929 00:43:23,630 --> 00:43:25,609 real random generator. 930 00:43:25,610 --> 00:43:27,919 So if if the two components where 931 00:43:27,920 --> 00:43:29,869 we're self proof secure with computational 932 00:43:29,870 --> 00:43:31,909 bounds, then you could merge them 933 00:43:31,910 --> 00:43:33,980 together and get the final 934 00:43:35,930 --> 00:43:38,029 moment. It's true that in practice, 935 00:43:38,030 --> 00:43:40,099 there is always this assumption that you 936 00:43:40,100 --> 00:43:41,419 pick something that's random and then in 937 00:43:41,420 --> 00:43:43,309 practice you begin with a pseudorandom 938 00:43:43,310 --> 00:43:45,019 generator and then maybe it's not that 939 00:43:45,020 --> 00:43:46,159 good. I mean, there's always this 940 00:43:46,160 --> 00:43:47,839 assumption that there is there is a lot. 941 00:43:47,840 --> 00:43:49,729 And then there's the security where the 942 00:43:49,730 --> 00:43:51,849 best victor attacks comes in. 943 00:43:51,850 --> 00:43:53,869 This to look at the assumptions that that 944 00:43:53,870 --> 00:43:56,149 we're not really sort 945 00:43:56,150 --> 00:43:58,129 are deeply but. 946 00:43:58,130 --> 00:44:00,319 But this is I don't see it as a 947 00:44:00,320 --> 00:44:01,849 as a limitation. It's a challenge. 948 00:44:01,850 --> 00:44:02,839 Yes. 949 00:44:02,840 --> 00:44:05,389 And then randomness is really paramount 950 00:44:05,390 --> 00:44:06,769 in cryptography.
951 00:44:06,770 --> 00:44:08,150 And I would say to them, the main, 952 00:44:11,180 --> 00:44:12,180 the main thing. 953 00:44:15,550 --> 00:44:16,809 OK, next question again, from the 954 00:44:16,810 --> 00:44:17,829 internet, 955 00:44:17,830 --> 00:44:20,109 there is another follow up question 956 00:44:20,110 --> 00:44:22,239 regarding protocol proofs, is 957 00:44:22,240 --> 00:44:24,339 there any particular reason to 958 00:44:24,340 --> 00:44:26,499 do protocol proofs in Agda rather 959 00:44:26,500 --> 00:44:28,089 than Coq? 960 00:44:28,090 --> 00:44:29,090 Yes. 961 00:44:29,770 --> 00:44:31,989 So this this this is a good question. 962 00:44:31,990 --> 00:44:34,569 And when we started this project, we were 963 00:44:34,570 --> 00:44:36,739 we knew about the professor 964 00:44:36,740 --> 00:44:37,740 system, but 965 00:44:39,190 --> 00:44:41,290 we're not really experts in it. 966 00:44:42,550 --> 00:44:44,739 And but mainly the 967 00:44:44,740 --> 00:44:46,809 the the two main reasons why we switched 968 00:44:46,810 --> 00:44:48,399 to a two track, the 969 00:44:49,620 --> 00:44:50,719 more light into switch. 970 00:44:52,360 --> 00:44:55,119 OK, so we switched to Agda 971 00:44:55,120 --> 00:44:57,309 because we like the way the 972 00:44:57,310 --> 00:44:58,719 dependently typed programming is 973 00:44:58,720 --> 00:45:00,399 better integrated. 974 00:45:00,400 --> 00:45:01,899 But then there is why? 975 00:45:01,900 --> 00:45:04,179 Why not reuse what has already been done 976 00:45:04,180 --> 00:45:06,379 in Coq, like with the 977 00:45:06,380 --> 00:45:07,959 Russian team? 978 00:45:07,960 --> 00:45:10,419 They did this CertiCrypt project 979 00:45:10,420 --> 00:45:12,219 and then this EasyCrypt project.
980 00:45:12,220 --> 00:45:14,139 So in short, there is there's two things 981 00:45:14,140 --> 00:45:16,359 in in CertiCrypt that we didn't 982 00:45:16,360 --> 00:45:18,549 like is that they try 983 00:45:18,550 --> 00:45:19,929 to speak about probabilities. 984 00:45:19,930 --> 00:45:21,369 They have to speak. I mean, we sort of 985 00:45:21,370 --> 00:45:23,739 have to speak about real numbers and 986 00:45:23,740 --> 00:45:26,619 real numbers in this kind of constructive 987 00:45:26,620 --> 00:45:28,779 logic. It's it's a mess. 988 00:45:28,780 --> 00:45:31,119 And so you end up with ex-roommate, 989 00:45:31,120 --> 00:45:33,459 an axiomatic version of the axiomatic 990 00:45:33,460 --> 00:45:35,139 version of real numbers. 991 00:45:35,140 --> 00:45:36,339 And this we didn't like. 992 00:45:36,340 --> 00:45:38,409 So we said we don't get 993 00:45:38,410 --> 00:45:41,289 any need to real numbers because in 994 00:45:41,290 --> 00:45:42,609 in cryptography, the kind of 995 00:45:42,610 --> 00:45:44,019 probabilities we do, they are only 996 00:45:44,020 --> 00:45:46,509 discrete so, so 997 00:45:46,510 --> 00:45:48,969 screwed at. And let's not delve 998 00:45:48,970 --> 00:45:51,339 into hell, no, we want something 999 00:45:51,340 --> 00:45:53,169 with absolutely no axiom. 1000 00:45:53,170 --> 00:45:54,429 This was the first reason. The second 1001 00:45:54,430 --> 00:45:55,989 reason is that usually these games, they 1002 00:45:55,990 --> 00:45:58,089 are represented as as 1003 00:45:58,090 --> 00:46:00,229 imperative programs and that 1004 00:46:00,230 --> 00:46:01,689 we don't like imperative programs in 1005 00:46:01,690 --> 00:46:03,639 particular because we know how difficult 1006 00:46:03,640 --> 00:46:05,829 it is to write proofs about it. 1007 00:46:05,830 --> 00:46:07,539 So we wanted something that would be more 1008 00:46:07,540 --> 00:46:09,969 functional and less dramatic.
1009 00:46:09,970 --> 00:46:11,949 So that's that was the main reasons for 1010 00:46:11,950 --> 00:46:14,259 for for starting over with, 1011 00:46:14,260 --> 00:46:16,629 with different foundations, 1012 00:46:16,630 --> 00:46:18,789 then what was in in in such a good? 1013 00:46:23,570 --> 00:46:24,619 Could you go to the microphone? 1014 00:46:33,740 --> 00:46:35,869 I sorry, if I got you right, said the 1015 00:46:35,870 --> 00:46:38,209 result of the compression should be 1016 00:46:38,210 --> 00:46:39,439 completely random. 1017 00:46:39,440 --> 00:46:41,420 So to have a perfect 1018 00:46:44,150 --> 00:46:45,949 encryption after that. 1019 00:46:45,950 --> 00:46:48,679 So but I would assume that 1020 00:46:48,680 --> 00:46:50,509 the result of compression can never be 1021 00:46:50,510 --> 00:46:52,039 completely random because there is no 1022 00:46:52,040 --> 00:46:53,839 perfect compression. 1023 00:46:53,840 --> 00:46:56,059 So you you 1024 00:46:56,060 --> 00:46:58,849 may have got close to it if you 1025 00:46:58,850 --> 00:47:01,759 put this compression scheme 1026 00:47:01,760 --> 00:47:02,900 into that 1027 00:47:04,610 --> 00:47:06,809 piece of data, but then you 1028 00:47:06,810 --> 00:47:09,349 you that's not random anymore. 1029 00:47:09,350 --> 00:47:10,909 And if you if you don't, where where 1030 00:47:10,910 --> 00:47:12,949 would you put the compression scheme? 1031 00:47:12,950 --> 00:47:14,839 Because that scheme can't, can't be 1032 00:47:14,840 --> 00:47:16,699 random data now. 1033 00:47:16,700 --> 00:47:18,979 So so I'm not exactly sure I 1034 00:47:18,980 --> 00:47:21,589 get. I get I think I get the idea of. 1035 00:47:21,590 --> 00:47:24,229 But I mean, this is this is a fundamental 1036 00:47:24,230 --> 00:47:26,659 issue like compression. 1037 00:47:26,660 --> 00:47:28,399 If we want to use compression is because 1038 00:47:28,400 --> 00:47:31,459 it makes some messages 1039 00:47:31,460 --> 00:47:32,449 smaller. 
1040 00:47:32,450 --> 00:47:34,639 But we know it can't make them all 1041 00:47:34,640 --> 00:47:37,639 smaller and they can't compress 1042 00:47:37,640 --> 00:47:39,059 messages in the same way. 1043 00:47:39,060 --> 00:47:40,979 And some will be compressed well, some we 1044 00:47:40,980 --> 00:47:43,099 won't and some won't be compressed 1045 00:47:43,100 --> 00:47:45,049 at all. And we led the way with this 1046 00:47:45,050 --> 00:47:46,609 dictionary at the beginning that makes 1047 00:47:46,610 --> 00:47:49,429 things bigger. So if we go to the worst, 1048 00:47:49,430 --> 00:47:51,499 worst case, then you would have 1049 00:47:51,500 --> 00:47:53,839 to never. I mean, if you want to pad 1050 00:47:53,840 --> 00:47:55,999 the messages so that they all 1051 00:47:56,000 --> 00:47:57,859 end up with the same size, then you end 1052 00:47:57,860 --> 00:47:59,570 up not compressing at all. 1053 00:48:01,730 --> 00:48:03,949 So, yeah, so 1054 00:48:03,950 --> 00:48:06,019 I think that there there is the only 1055 00:48:06,020 --> 00:48:08,329 way is to sort of to to either 1056 00:48:08,330 --> 00:48:09,949 the the length of 1057 00:48:11,030 --> 00:48:13,219 off after by adding 1058 00:48:13,220 --> 00:48:15,799 some random amount off 1059 00:48:15,800 --> 00:48:17,839 of that. But even that is usually not 1060 00:48:17,840 --> 00:48:19,249 helping much because then 1061 00:48:20,270 --> 00:48:22,279 then it's just a bit more difficult to 1062 00:48:22,280 --> 00:48:24,649 see because we are not going to add one 1063 00:48:24,650 --> 00:48:26,779 one gigabyte of randomness 1064 00:48:26,780 --> 00:48:28,249 just in case. 1065 00:48:28,250 --> 00:48:29,539 Then you can defeat the purpose of 1066 00:48:29,540 --> 00:48:30,540 compression again. 1067 00:48:33,470 --> 00:48:34,849 This is really the fundamental issue of 1068 00:48:34,850 --> 00:48:37,489 that.
Combining this to this to 1069 00:48:37,490 --> 00:48:38,490 these two features 1070 00:48:39,680 --> 00:48:41,719 compression and encryption. 1071 00:48:41,720 --> 00:48:43,609 OK, last question. 1072 00:48:43,610 --> 00:48:44,610 Anyone? 1073 00:48:46,610 --> 00:48:47,689 OK, thank you so much.