 Welcome to this talk about Receive Anonymity in Randomizable RCC Secure Crypto Systems for Crypto 2021. I'm Yi Wang and this is a joint work with Rong Maocheng, Guo Mingyang, Xin Yi Huang, Baosheng Wang, and Moti Yang. A lovely key encryption consists of three algorithms for key generation, encryption and decryption. In the message communication scenario, suppose Alice wants to send a message M to Bob. First Bob uses key gen to generate a public secret key pale, pk and desk8, and sends the public key pk to Alice. Then Alice encrypts M under the pk and sends the advertised C to Bob. Finally, Bob can use the secret key sk to decrypt the advertised and obtain the message M. RCC security has been widely considered as a golden security standard for public key encryption, pkE. However, it is evident that for some practical purposes, a somewhat weaker security notion than RCC security is already sufficient. To this end, Gnety and Coossus introduce the notion of replayable RCC security. RCC security is the same as CCC security, except that the adversary is allowed to modify or self-attached into a new one of the same plain text. So it is a relaxation of CCC security. The relaxation in those pkE with desirable features when recognizable RCC security is one of them. We say a pkE scheme is randomizable if there exists an efficient algorithm we rent that takes as input public key pk and the advertised C and outputs a new advertised C prime of same public key and plain text. If the randomization does not need public key, then we say this pkE is universally randomizable. Rent RCC security turns out to have numerous applications such as MixNet, Controlled Mediable and IDK, and Cryptographic Reverse Filework. However, for some privacy-oriented applications, rent RCC security alone is not enough. Taking the MixNet-based anonymous communication as an example, in the MixNet the MixNet receives a batch of self-attached from sender A1 to AM and then the MixNet randomize them and send them to the receiver B1 to BM. The universal randomization performed by MixNet or links self-attached CI and the CI star in terms of content such that the adversary cannot correlate the sender and the receiver. However, we notice that the underlying public key of self-attached does not change after randomization. So if the pkE is not receiver anonymous, that is, the adversary can obtain some information about the underlying public key from the self-attached, then the adversary may still be able to correlate the self-attached for the same receiver. Therefore, randomizability and receiver anonymity are both required for the MixNet-based anonymous communication. It is capable to achieve both for under-CPA security, but it is not the case for CCA security because it permits strong adversary to curate the de-question oracle, that is, the adversary can probe the system with self-attached. The first perfect and universal random RCC pkE in the standard model was proposed by ProbeHarrican and Russell Lake at Crypto 2007. We call this construction the PR scheme for short. Unfortunately, the PR scheme does not achieve receiver anonymity and how to construct a receiver anonymous random RCC pkE was left as an interesting open problem. Some more surprisingly, even after many years, this open problem remains unsolved to date. The main technical challenging of achieving RCC receiver anonymity arises from the fact that the de-question oracle in the game would output replay if one of the de-question results equals to the challenge plaintext mstar. So the adversary can guess the bit B and the guess the bit can guess the bit B star and encrypts the challenge sabotaged C star with pkB with pkB star and curates the de-question oracle to verify its guess. If it gets the B correctly, the de-question oracle would return a bot. If the otherwise, if the adversary gets the bit B correctly, the de-question oracle would return a replay. Thus, to defend against this attack, it is required that the randomization of self-attacks should not involve the public key. That is to say, universal randomization is required. However, achieving receiver anonymity is more challenging than realizing universal randomization. An example is the PR scheme. It is universally randomizable but not receiver anonymous. To explain why the PR scheme does not satisfy receiver anonymity, we review this scheme briefly. The sabotage of the PR scheme is composed of four strands. The strand C1 carries the message, while the strand C2 is to help randomize C1 without public key. The encrypted mask U, shared between C1 and C2, disables the adversary to mix the gathered strands from two different sabotages to obtain a valid sabotage. The components of the strand C1 are perturbed by an additional vector Z to restrict the manner of recombining those two strands. Here, the blue arrows illustrate the only way to randomize C1 and C2. However, one can note that there is no such mask or vector in strands C3 and C4. So, those two strands can also be randomized with public keys, which means the adversary is able to guess the public key and verify its guess via curing the decryption oracle. So, the partition randomizability of sabotage breaks the receiver anonymity of the whole scheme. To achieve RCC receiver anonymity, we have to disable the randomization of strands C3 and C4 employing the public key. Note that randomization of strands C1 and C2 is restricted by mask U and vector Z. If we also apply this technique to C3 and C4, extra strands are required to encrypt the mask in C3 and C4, which would incur the partition randomization of sabotage employing the public key again. Because by this problem, we move the mask and additional vectors to the validity checking part. Since this part contains only one component, no additional component is appended to each strand for perturbation on the validity checking part. The randomization of strands C1 and C2 is still restricted by mask U and vector Z1 and Z2. As for strands C3 and C4, their randomization is restricted by mask U and vector C bar 1 and Z bar 2. The blue errors illustrate the only way to randomize sabotage. Note that the sabotage construction of our variant still shows some similarities with that of the PR scheme. It is essentially a double strand of crema soup sabotage. So, we turn to explore whether it is possible to generalize our treatment following the crema soup paradigm. So next, we will start by recalling the crema soup paradigm based on smooth projective hash function sphf and then seeks to extend the notion of sphf to interpret our proposed variant and its security. Smooth projective hash function sphf was originally proposed by crema and the soup for generally constructing practical cc secure pke. Roughly, sphf is a family of hash functions h indexed by k that match the element set x onto the hash value set pi. hs sphf is associated with an np language ale where elements in ale are computationally indistinguishable from those in long language set x-ale. This is the hard subset membership problem. For any language element x in ale its hash value hskx could be efficiently computed using either the hash key sk or the projection key pk with the witness w to the fact that x belongs to ale. Every sphf should be smooth one, that is to say conditioned on fixed projection key pk for any long language element x. Its hash value is statistically indistinguishable from the uniform distribution over the space pi. Some sphf satisfies stronger smoothness smooth too. It is to say conditioned on fixed pk and the hash value of any non-language element x star. For any other non-language element x, its hash value is statistically indistinguishable from the uniform distribution over the space pi. The notion of sphf could be generalized to tag sphf where a tag tau is also taken as an auxiliary input by hash function h algorithms priv and the pub. The regular sphf can be regarded as a special case of tag sphf with empty tag space. The Krimer-Sup paradigm is based on a smooth one sphf i and a smooth two tags sphf i hat. The public key is pk and pk hat and the several tags consist of three parts the language element x m times hash value h skx and hash value h hat sk hat x tau. Where the tag tau is the hash value of the first two parts. To make our later argument easier to follow below we first provide an overview of justification of cc security from sphf. Considering the challenge self-attached zeta star in the cc security game namely game zero in game one due to the hardness of subset membership problem we can replace the language element x star with non-language element and compute pi star and the pi hat star using the hashing key. In game two the dictionary oracle also reject also rejects all the all the better self-attached with non-language element x by the smooth two property of sphf i hat. In game three we can replace pi star with random hash value from set pi by the smooth one property of sphf i. Now the challenge self-attached zeta star perfectly hides mb which yields the cca security. Following the idea of Grimoire paradigm we also can interpret our construction from sphf. Taking strength c1 and c2 as example they can be generalized using three different sphf. The bx and by are the hash values of x and y on same hash function h. The validity checking parts of c1 and c2 are the hash values of x and y under two different hash functions h hat and h-tilder. Well the h-tilder can be viewed as a special case of h hat with vectors z1 and z2 equals to zero. Now from the perspective of sphf the self-attached randomization can be regarded as the randomization of hash values. Meanwhile one can note that there are two kinds of randomization the self one within same sphf and the pairwise one between different sphf. Motivated by those observations we put forward the notion of randomizable sphf res sphf which is the regular sphf augmented with self and pairwise randomizability. Based on the typical definition of sphf we formalize three extra algorithms namely rent x rent t and the rent h to capture both cases of randomization. Let crxx denote the set of all randomization of x obtained via rent x. crx x prime denote the set of all randomization of x obtained via rent x with x prime and the crt tau denotes the set of all randomization of tau obtained via rent t. Similar to the classification of randomization we redefine two types of smoothness for res sphf as below. The controlled self-randomizable smoothness says that conditioned on fixed pk and the hash value for any non-language element x star and any tag power star for any non-language element x and the tag tau the hash value is statistically indistinguishable from the uniform distribution over the space pi. It is required that the x does not belong to crxx star or tau does not belong to crt tau star. The controlled pairwise randomizable smoothness says that conditioned on fixed pk hat the hash value h hat h hat h hat sk hat x1 star tau star h star the sk tau star x2 star tau star for any non-language element x and the tag tau the hash value is statistically indistinguishable from the uniform distribution over the space pi hat. Also it is required that the x does not belong to crxx1 star x2 star or the tau does not belong to crt tau star. Meanwhile, we also define two new smoothness as this smooth one means that conditioned on fixed pk for two random non-language elements x1 and x2 and random tag tau the hash value are uniformly distributed over the space pi. The powerwise twin one smooth means that conditioned on fixed pk for two random non-language elements x1 and x2 and random tag tau the hash values are uniformly distributed over the space pi hat and the pi tau star respectively. Though all construction is based on six different resphs we now show how to realize RCC security and the receiver anonymity with those new smoothness. Similar to the security justification of Krimerser paradigm, we provide the argument to justify the RCCA security of our variants. Let game 0 be the RCCA security game. In game 1, due to the hardness of subset membership problems, we replace all the language elements in challenge to server test zeta star with non-language elements. In game 2, by the CSR and the CPR smooths, the decryption oracle also rejects all the bad server tests. That is, the oracle would not reveal more information about the security key. In game 3, by the ST and PT smooth one, we replace all the hash values in challenge to server test with random ones. Now, the zeta star perfectly hides MB and the RCCA security of our construction holds. The justification for receiver anonymity is indeed similar to above argument. In particular, the decryption oracle also relies on CSR and the CPR smooths properties to reject all the bad server tests. In the end, the uniform distribution of all the hash values in zeta star imply the receiver anonymity in RCCA setting. In this table, we compare our scheme with previous works. Besides our exclusive property of receiver anonymity, compare with the recent work of file or file new and the co-authors. Also, our too linear based instantiation is based on special groups which are larger than a regular setting, but it does not involve any pairing computations. So, in this work, we provide the first receiver anonymous RCCA PKE and resolve the open problem. Then, we design a modular framework for constructing receiver anonymous RCCA PKE via our newly extended SPHF and rigorously prove its RCCA security and receiver anonymity. Finally, we instantiate the framework with k-linear assumption and the grid ring and improves the PR scheme with more general hardness assumption. Okay, that's all. Thank you.