 Greetings! In this talk I will be talking about Gladius, our LWRP's hybrid safer, which supports fast-distributed decryption. This is work by Giron Kong, myself, Varun Maran and Professor Nigel Smart. So, securely distributing decryption means that several distrustful parties want to jointly decrypt some cycle text. And the way you do that is by secret sharing the key among the parties. So, each party will hold a secret share of the secret key, and by that you can define some access structure. So, for example, if you have a threshold T, then it means that any subset of at least the parties can use their shares and recover the secret key. So, those are the qualified parties, and on the other hand, less than T parties can't use their shares in any way. So, those are the unqualified parties. So, the parties with the shares engage in a protocol which implements the decryption functionality. And since they don't trust each other, the communication has to be secured. So, intuitively this means that the protocol should be as secure as the primitive that it implements. So, for example, if the underlying encryption scheme is in CCA, security means that an adversary was given access to the decryption oracle shouldn't be able to distinguish between cycle texts without possessing the secret key. And similarly, at the level of the protocol, the adversary that controls some unqualified party, and is given access to the decryption oracle coming from the functionality shouldn't be able to distinguish between cypher texts without possessing the qualified parties shares. So, we want to construct a public key encryption for which we can implement the decryption algorithm using a secure protocol. And we want to do that efficiently. So, we start by fixing some requirements from the underlying primitive. So, the public encryption should be in CCA secure, should be post quantum and should be able to encrypt messages of any length. So, what we are really looking for is an hybrid construction. So, in an hybrid construction, it is not enough to design a fast distributed decryption for the chem part only because the chem part is embedded in a larger circuit and the other components might be quite expensive for distributed computing. And indeed, it has been an open problem for quite a long that of having an unhybrid constructing constructing and hybrid. Having the the world encryption circuits optimized for multi-party computation techniques. In this paper, we try to solve this problem. So, the most famous hybrid is that from Kramershop. It combines a chem and a dem into a public encryption. Key generation is that from the chem and to encrypt a message. You first generate a small session key. You encrypt, you encapsulate it using the chem and the public key. And this will form the first ciphertext, while the message is efficiently encrypted with the them components in the session key. And this will be the second ciphertext. With that, the encryption is quite obvious. So you first encapsulate K from the ciphertext and you will use the session key to decrypt the second ciphertext and get the message. So, we get in CCA security. If we start with in CCA components. And we are able to encrypt messages of any length because we can simply use any symmetric key cipher in a mode of operation. The problem it comes when we try to distribute the encryption algorithm. So everything that involves the secret key needs to be implemented as a secure protocol. So, we start by securely computing the decapsulation. And the result is super key is should still be kept secret. And this means that we also need to implement as a secure protocol the decryption of the them. Now this last step is the problem, especially for long messages when you are using. I don't know as in a mode of operation, the decryption under general multi-party computation techniques is quite expensive. So it would be great if we avoided this last step. So the name idea is to just simply release this the session key. Make it public so that we can perform the decryption over clear data. So no need of any secure protocol. What I mean is that once we get the secret key, we just reveal it. So we can perform the decryption over clear data. And yeah, the problem is that the reason of this CC attack because an adversary who gets the challenge C1 star C2 star then forms this cipher text C1 star C2 where C2 is a completely random cipher text. And he queries the decryption Oracle on this cipher text, which is allowed because it is different from the challenge. So let's look. Let's see what happens on when he queries the Oracle. So the first component will be correctly decrypted by definition. And yeah, following our strategy, the decision key will be revealed and yeah, the second component probably will result in error because it's random, something completely random. So the adversary high probability will get the valid session key and error message, whatever the second component is. So we will just use the session key to decrypt the second challenge and get the full message. So security is completely broken. Now, our hybrid, our proposal comes from is the result of trying to fix this security flow. And yeah, this is what we propose our hybrid construction. Again, we are combining a public key encryption with a symmetric encryption. It's very similar to kind of show. And the difference is we are using a secure hash function here. So after generating a session key and encapsulating it and after the encryption of the message we authenticate the session key using this hash function. So we are linking K to the second cipher text. As a result we get an additional cipher text here. The effect of this on the encryption algorithm is that we will need to perform a verification of the hash. So if this verification passes. Namely evaluating the over C2 and K will produces the third cipher text, then we will reveal, we will broadcast K, along with the message. Otherwise, we will return just an error message. And if you already guessed that by using on hash function this way. We are basically preventing the previous attack. Indeed, if the adversary follows the previous strategy, so by submitting something like challenge and other stuff. In reality, the verification here will fail. And the adversary will get nothing. So the only way for the adversary to get the session key is either of course submitting the challenge but this is not allowed, or by finding a collision in the hash function. So the previous attack is prevented. So notice that's by placing on a hash function here. Authenticated K here. We have the following advantage that we don't need the randomness from our public encryption. And indeed we can just use a deterministic public key encryption. We should be still secure enough, so as to prevent some brute force attacks on the first cipher text. So the right security notion we are interested in is one way CPA. So, putting everything together we are able to prove that leaking the key this way. Still, it is secure produces something secure, namely, if we start with a one way CPA deterministic public key encryption, and a one time in CPA symmetric encryption, then we will get a public encryption which is secure in the random model. Now, let's go to the protocol, secure protocol that implements the distributed description of this hybrid. So this is a picture that gives you the idea of what should be performed in a secure way. So everything that involves the secret key or the session key should be done securely. So these operations are marked with thread. So, first week decrypt the first cipher text using the key, the result is the session key which is still secret, which is then passed to the hash function gene which will verify that the session key comes from a valid encryption. And if this verification passes, then we are able to leak broadcast the session key and pass it to the decryption and execute this decryption the clear the decrypting the second components, the cipher text and get the message. Now, in order for this to be efficient as a secure protocol, we basically need two things, evaluating efficiently g over secret data and evaluating performing a secure protocol efficiently for the public encryption. So, the first requirement is can be easily met by using any MPC friendly hash function as a gene. So, the only thing that is left to do is to find a good candidate for this public encryption. So, we are also presenting, we are also proposing the second hybrid, which is exactly the same as before, except we now add two more hash functions, one here and one here, producing a fourth cipher text. And also, we will need to redo this hash functions evaluations in the, in the decryption. So, if we do so, then the previous statements holds in the quantum random Oracle model. The reason for this is quite technical and you can find the details in the full version of the paper. Also, we can provide a general distributed circuit for the decryption of the second hybrid, which is similar to the previous one, except now we need to implement as a protocol these two additional hash evaluations. So, they need to be evaluated over the secret session key. So, again, for. So everything is almost exactly as before. And the only things that need to be implemented as secure protocols are the decryption and the actual evaluations. So, first we can use again NPC hash functions. And for this we need to find a good public encryption for which we can do the decryption efficiently with a protocol. So, what is left to do is to find a public key encryption which is that a mistake, but still one way CPA secure. We would like it to be post quantum pose. If we plug something a pub, a public key encryption, which is post quantum based on post quantum assumptions in second hybrid then we will get. We will get the, the, the unhybrid public key encryption, which is also going to. So, the standard way of having of getting a deterministic public key encryption is by the randomizing probabilistic encryption. There is a technical encrypt with hash, which basically takes a probabilistic in CPA public encryption and gives you a deterministic one way CPA public encryption. Basically, you replace replace the randomness with the hash of the message. To get the one way CPA security, you have to redo these operations again in the decryption. So, this is basically what the, what one of the variants of the fush is actually come out to transform that. And so, again, we have a problem if we try to do this in a distributed way. And the reason is that this message in our case is going to be the session came which is still secret at this point so we would need to reevaluate the hash function over secret data and use it as a seed. For the randomness of the encryption, encryption which has to be computed over the secret session key. So, especially when the encryption algorithm is using some weird probabilistic probability distribution them this operation is really expensive for general multi-party computation techniques. So, I hope you are convinced that this approach doesn't really work in our case. So, we would like to find something that doesn't use randomness to get security. So, one operation that is intrinsically secure intrinsically random is the running map. So for two integers p and q where p is less than q. So, this running map that takes an integer and scales it by p over q and approximates it by the nearest integer. And this hides the lower bits of the input. If the input is sufficiently random. So, this running map is basically one way. So, we have something that doesn't need additional noise or randomness to be one way to be secure. And that's perfect we want to base our encryption on that. So, here is an assumption based on such constructions, which is related to the learning with others problem. And guess what the name is learning with this problem. So, here, instead of having a nice linear system, you have a rounded linear system. So, the basic version of the decision learning with roundings says that for a secret vector on the public matrix, this rounded matrix by vector product looks indistinguishable from a completely random vector. We also have the decision ring LWR. If you consider the same problem over polynomial rings, and the decision module LWR. If you are considering adding more structure and considering matrices of polynomial rings. You have the search LWR problem, which says that it's difficult to retrieve S from many LWR samples. So, on top of that, we are able to construct our public key encryption. So, it's really simple. The encryption, so is probably is deterministic. And this comes from the fact that we are base, we are basing the encryption directly on the running map. So, you see that we don't need any we are not using any randomness. And the, the encryption is quite fast for distributed techniques because and the reason lies on the fact that we are using LWR techniques constructions in the key generation. Now, what is left to do is to argue the one way CPA security. And this is just a combination of search LWR here, because this is saying our public key is undistinguishable from a pair of random matrices, and the search LWR, which is basically the fact that the encryption is our encryption is a one way map. So we are done. All right, we started with the problem of finding constructing the public key encryption, for which we could do the decryption in a distributed way quite efficiently. So, as I mentioned, this problem reduces to that of considering hybrid cypress. So we started looking at the kind of shop hybrid, which was the problem of requiring one to evaluate the description of the them over the secret session. This operation is costly for in in a distributed way. Also, it requires some components so quite demanding. So the idea is that we leak the session key before doing the decryption so the decryption then becomes just an operation over clear data so there is no need for any secure protocol. And we are able to do that without consequences securely so we can leak the key securely because we are using hash function as an authentication for the session key. So this hash function is useful because we can use minimal assumptions for our public key encryption, we just need a deterministic public key encryption. So what we get. The end is a very general transform that takes a deterministic one way CPA public encryption with a one time in CPA them and gives you a in CCI public encryption in the random oracle model. We can get full security in the quantum model if we had two more fashions. Finally, we are able to show that these possible to construct a public encryption which is deterministic at steel on the way CPA secure. Based on the LWR assumption. We are basing encryption directly on the rounding map, which basically is avoiding us doing expensive the randomization procedures. Putting everything together. We get the first practical. Post quantum public encryption, for which we can implement the decryption using a secure protocol in in efficient way in very efficiently. So this concludes my talk if you have questions about paper, please feel free to contact me by email. Take care.