 Okay, so the next talk is on end QCCA security in the random Oracle model and its applications. It's a paper by Lois Houguenian-Dumitin and Serge Wodenay, and Lois is going to present the paper. Thank you very much for the introduction. So I'll start straight away by defining the co-primitive of this talk, namely in QCCA chem. So first a brief reminder of what a chem is, it's a couple of three algorithms, gen and caps and decaps, where gen outputs of public key, secret key, and caps take the public key and outputs a key in a ciphertext, and decaps take the secret key in a ciphertext and output the key. So now we want to define in QCCA security, so we use a distinguishing game, where the adversary receives a challenge ciphertext and a key, which is either random and simple at random, then like a real key that is encapsulated into the challenge ciphertext. And the goal for the adversary is to distinguish the real key from the random key. And as in in CCA security, the adversary has access to a decapsulation oracle that returns the decapsulation for any ciphertext except the challenge one. And the only difference with the classical or like normal in CCA security is that the adversary is limited to Q queries, where Q is constant and is the Q in the name of the definition. So we can have in one CCA, in two CCA, and so on. Now this notion was first defined by Premarital in 2007. And in that work, they show that it's possible to build a CPA to QCCA transform in the standard model, but this transform is quite inefficient. And apart from this work and a few others, this notion hasn't been very popular, or at least in practice, maybe because it's between in CPA and in CCA security, or maybe because before we could use a Diffie-Hellman, which is a secure against active adversaries, even under reasonable assumptions. But now the crypto game has changed a bit because we want post quantum and forward secrecy. So we want camps instead of Diffie-Hellman for post quantum, and we want FMR keys instead of static keys for forward secrecy. So maybe in some cases in CCA security is not really needed. And actually in several new post quantum variants of existing protocol, we can use in one CCA camps. So for instance, in a PQ TLS 1.3, where we replace Diffie-Hellman with a chem, we can use a in one CCA chem. And also in this nice variant of TLS, which is called Chem TLS, we can use a in one CCA chem for the FMR chem. So there are two camps in that construction. One is for static keys, and the other for FMR. And for the FMR 1, we can use the in one CCA chem. And also there are some post quantum variants of 3DH, where we can also use in one CCA camps, such as the one by Brandon Little. So we see that in these new protocols in CPA might not be enough, but in CCA is not really necessary for the FMR chem. So maybe we can use in one CCA security. And so we wondered whether we could build more efficient in one CCA camps than in CCA once built with the Fujizaki-Okamoto transform. And as you probably know, like in the FMR transform, there is this costly re-encryption check when you decapsulate. So maybe we can do better. And so our contribution, we give two very simple and efficient transforms that take one way secure public encryption scheme and output into CCA chem. We proved that the first one is secure in the cura and the second one in the random oracle model only. And compared to the Fujizaki-Okamoto transforms, there is no de-randomization, which means no re-encryption in decapsulation. And that means that decapsulation is much faster than with the FOD-raffed chems. And also using a similar proof technique that we use to prove the security of the second transform, we show that post quantum TLS 1.3 is secure in the random oracle model. If the chem is only CPA secure, which solves an open question that was raised in a few works, but then it's only a theoretical solution because the bound that we get is very much non-tight. And as a corollary, it means also that classical TLS 1.3 is secure with the computational Diffie-Hellman assumption holds. And we don't need fancier assumptions such as a pure FOD-H if you know it or a strong Diffie-Hellman. So let's see how we can build these transforms. First, we can wonder whether the trivial PK2KM transform work, so by trivial PK2KM transform, I mean the one where the gen is going to be the gen function of the underlying PKE. When we want to encapsulate, we just sample random seed or random message. We encrypt the seed and the key is going to be the hash or the key derivation function or the random oracle applied on the seed. And when we want to encapsulate, we simply decrypt the ciphertext to get the seed, and we hash it. So we can wonder whether this transform outputs in QCCM if the PKE is only one way secure. And the answer is no, because if you take most of the post-quantum schemes and you modify the challenge ciphertext by adding very small noise, you're going to decrypt back to the challenge message. So in one CCA game or in QCCA game, if you call the decapsulation oracle with the challenge ciphertext plus some very small noise, you're going to get back the real key and you can distinguish with very good probability. So a quick fix is to add a confirmation hash to the ciphertext where we add this tag, which is a random oracle applied on the seed and the ciphertext. And when we decapsulate, we simply verify that the tag is consistent with the seed that we decrypted. And now the previous attack is thwarted because the adversary, we need to know the tag for the modified ciphertext and the challenge seed. And unless it can query the challenge to the random oracle, he cannot get it. And more generally, the proof idea is as follow. We can first know that this transform is very similar to the reactions formed by Yokomoto and Pocheval from 20 years ago. What they were building, a transform that was doing one way PCA to NCCA PKE. In our case, we want to get NCCA chem, but the idea of the proof is the same, where one way PCA is one wayness against the plain text checking attacks. It's not very important, so important what it is. But basically, the adversary receives a challenge ciphertext that it must invert. And it has access to an oracle that returns to whether the decryption of ciphertext is equal to some plain text. So yeah, what the oracle does is not so important, but you can note that on every query, the oracle returns one bit of information. So in the second step of the proof, we can just argue that one way PCA with Q queries is the same as just one wayness with a loss of Q security bits. Because we can just make a reduction where we guess the Q bits that are written by the oracle. And that's the bound that we get. So we have a 2 to the power Q factor, which looks bad. Since Q is constant, it's not really a problem in theory, at least. But now in practice, it's going to be only suitable for small Q. Like for in 1CCM, we're going to get just a 2 factor in the bound. And then we build the second transform, where the idea is to get rid of the tag. And so now we hash the seed and the ciphertext directly in the key. So that's very similar to the trigger transform, except that we have the ciphertext in the key as well. And again, the previous attack doesn't work, because if you encapsulate the modified ciphertext, you're not going to get back the real key in the QCC game. And we can also build the chem variant of this transform, so like chem to chem instead of pKa to pKa. And this transform is even simpler. We just call the underlying and caps of the underlying chem to get the ciphertext and the seed. And the key is going to be this hash of the key material of the seed and the ciphertext. And what's nice about this transform is that it preserves the symmetric structure of the underlying chem if it exists. So by symmetric structure, I mean like in Diffie-Hellman or like in SIDH, where the ciphertext does not depend on the public key. Or like Alice's share does not depend on Bob's share. And so the chem that is output by this transform will preserve this symmetric structure, which is nice, because in the first transform, it's not the case. And in the Fujisaki-Okamoto transform, it's not the case either. And again, we get this type of security bound, where QH is the number of queries you can do to the random miracle. And you can look in the paper if you are interested in the details of the probe, but basically it requires quite a lot of random miracle programming. And careful guessing in the reduction because we want the factor to be exponential in Q, which is constant, and not QH, which grows with the security parameter or can grow with the security parameter. Okay, so I'll talk about Post.com CS1.3 and whether CPE security is sufficient for it. This is a very high level overview of the CS1.3 handshake whether the client and the server do a CINAC. Then they do Diffie-Hellman key exchange. The server can compute the key and then send its own share to the client with an encrypted certificate signature and a Mac over the transcript. Then the client can send the client finished message which is also a Mac on its own transcript. And finally, the CINAC exchange some encrypted data. Now to make this post-quantum, we can simply write Diffie-Hellman as a key. So now the client simply calls key gen to get a secret key public key, sends the public key to the server and the server encapsulates against the public key to get the ciphertext and the key. It sends a ciphertext and the client can compute the key. And obviously, if we want post-quantum authentication, we need also PQ signatures. And now if we look at the original proof of CS1.3 security by dialing at all, it's quite trivial to see that we can just use a in one CC cam instead of Diffie-Hellman. There are a few details in the proof but basically it just goes through. And so what we want to show now is that we can even use in CPA or like one way CPA cam in the random oracle model and the PQT LS1.3 handshake will still be secure. And just a few words on the security model. We use the same security model as in the original proof which is called multi-stage security. In this model, the adversary can send, receive and expose using some oracles. And when a key is derived and ready for use, we say it is accepted. And on acceptance of a key, the protocol poses gives back the hand to the adversary that can then call some oracles before continuing the handshake or the protocol. Now this is what we get if we write relevant part of the CS1.3 handshake in this model. First, we assume that everything is random oracle. So we know from like this Tuesday's talk that we have to be a bit careful about that. But basically, so the client on the server they send the public key ciphertext and the client derive some key. And then they apply some complicated key schedule to get some other keys. And since we want to prove that one way CPA is enough, at some point we're gonna have to make a one way CPA reduction where we have an adversary that doesn't have access to any oracle. And this adversary needs to correctly simulate the view of the underlying multi-stage adversary. And for some reasons in the proof we will need to simulate the client's behavior upon receiving one ciphertext for which we don't know the secret key. And in particular, we will need to simulate the computation of these two transaction keys, TKC and TKS that themselves depend on some other values. Basically, the idea is that these keys will depend on some hash of the key material and some hash of the transcript that contains the ciphertext. So overall, except that there are some nested random oracles, this is very similar to what we had in the second transform where the key was just the hash of the seed or the key and the ciphertext. And so using a similar proof techniques that is a bit more complicated because now we have nested random oracles but we can correctly simulate one decapsulation query. And the last remaining problem is the proof is this a value DHS that does not depend on the ciphertext. So we cannot use the same proof technique. But then we can notice that DHS is used only after the MAC verification at the bottom here. And so in the proof we can argue that either the underlying adversary carried the key to the random oracle and knows the key for the MAC or like the MAC is gonna fail and the client is gonna abort. So in the reduction, we can either abort or recover the key and that's how the proof goes through. Again, if you're interested in the details I would encourage you to read the paper. And so that's the bound that we get. So in theory, it shows that when we CPA came so sufficient for CS20.3 to be secure then you can see that the bound is very much non tight because we have like number of queries to the random oracles like nearly to the sixth in the bound. So the result is theoretical but still that solves the no point question. And as I said before as a color arrangement that CDH assumption is sufficient for CS20.3 to be secure if the other primitives are secure as well, obviously. So I'll just conclude by talking a bit about the impact and the open questions. So we saw that in one sequence can be used in several post quantum protocols such as PQ CS20.3 or MTS and so on. And compared to current solutions based on in CCCAMS derived with the Frieza-Kirke motor transform it's half of the decapsulation time at least. So here are some very quick benchmarking results for some of the PQ schemes. On the left you have the decapsulation time for the original decapsulation function. And on the right the decaps with no re-encryption which is very close to what we would get with our transform. And you can see that the speedup is very good. It's always more than two, seven, six for Frodo. And it's also interesting for side because we go from more than two milliseconds to decaps to roughly one millisecond. And also the CAMS derived with our transforms can preserve the symmetry of the NLNX-CPA secret scheme which can be interesting for SIDH for instance. Also it's a very generic and dropping replacement because we just gonna swap CAMS with CAMS. And the CAMS are quite easy to implement because it's actually like the transform or actually simplification of the Fujisaki Okamoto transform. And maybe the main obvious downside is that in QCC, CAM can be vulnerable to misuse or reuse attack. So that means that if you implement your FMR key CAM and you reuse the FMR key multiple times then maybe after a few thousand of reuses an adversary can recover the secret key as was shown in many other works. So we have to be very careful in implementing protocols that the FMR keys are really used only once. And I guess as future work it would be nice to prove the QAM security of the second transform and of the TLS result. The challenge is that there is a lot of random oracle programming in the classical proof. So that might not be so easy to transpose to the QAM setting. And for the TLS result there is a lot of nested random oracles as well. So that can be tricky. My best guess is that it would hold but maybe the security bound would be worse. And also to get a better bound for this TLS result that we had because it's very much non tights at the moment. Thank you very much. Questions for the speaker. Thanks a lot for the nice talk. So you talked about these losses, basically this loss which has a power equal to the number of the QAM queries for the second transform, right? So which one? For the second transform you had a power, like a number of random oracle queries to the power Q which is the number of CC queries. Yes. Do you have any idea whether this is an artifact or is it known in the classical setting whether this is an artifact of the proof or are there attacks that exploit this looseness? So I think like in FOLI transform proof you always have at least a factor QH or like QH plus something because we use one wayness of the CPA. And at some point when we in the reduction we will need to make a guess of which queries to the random oracle was the correct one. And overall we get a correct probability with one over QH or QH plus one something. So we will have always this I guess at least one of the QH plus one factor here. I'm not sure about the second one if we really need like a square. This is an artifact of the proof or not but at least one factor QH, yes, I think. Okay, yeah, thanks. Other questions? Hi, thanks for my talk. So sort of a follow up question but if you let the PKE security notion on the right remain one way PCA, does the bound get tighter? So if it's a one way PCA, yes, you don't get the Q, the exponential Q factor actually. Okay, thank you. Okay, let's thank the speaker again and continue with the next one.