Okay so welcome. Before delving into the details, I will give a very brief introduction to the UC framework. So the UC framework is a security framework for cryptographic protocols following a so-called simulation paradigm. In this setting, a protocol is said to be secure if for every adversary in the real world interacting with the cryptographic protocol, there is a simulator interacting with an ideal process, where a trusted third party carries out the desired cryptographic task, in such a way that every interactive distinguisher, called the environment, cannot distinguish between these two worlds. And so the main benefit, the main advantage of UC is that its security notion is closed under general protocol composition, which implies that a UC secure protocol is secure when run in an arbitrary network. And furthermore, it implies that the security can be proven modularly. However, as it turned out, UC security is a very strong security notion, because setup assumptions are required for many cryptographic tasks, for example for commitment schemes. And therefore, in order to get rid of these setup assumptions, new frameworks have been sought after and proposed relaxing UC security. And two of the most prominent notions are SPS and angel-based security. In SPS security, the simulator may run in super-polynomial time; the environment and adversary remain polynomial, however. And in the angel-based setting, the simulator is given superpoly powers for specific computational tasks only. And there are also other frameworks, but these are not part of this talk. So granting a simulator superpoly powers still implies a meaningful security notion because, in fact, many ideal functionalities are information-theoretic in nature, for example commitment schemes, and can therefore not be broken by a superpoly simulator.
And furthermore, general MPC in the plain model, meaning without setup apart from authenticated channels, is possible with SPS security, even both in constant rounds and based on standard polynomial time assumptions. However, SPS security is not closed under general protocol composition. Angel-based security, on the other hand, is. But there are no known constructions of general MPC protocols in this setting that are both constant round and based on standard polynomial time assumptions. And so what we propose is a new security framework for concurrently composable security that lies strictly between angel-based and SPS security, while being compatible with UC security in the sense that a UC secure protocol remains secure in our framework. Furthermore, our notion is closed under general protocol composition, implying concurrent security with SPS simulators. And while our composition theorem does not directly imply modular composition for some technical reasons, modular composition can be achieved via constructing protocols with strong composition features. I will elaborate on this. And as a proof of concept, we constructed a commitment scheme in the plain model that can be plugged into a large class of UC secure protocols in such a way that the composite protocol is secure in our framework. And there are two constant round instantiations, one based on one-way permutations and another one, a fully black box construction, based on homomorphic commitment schemes. And using this commitment scheme, we can show that general MPC in the plain model is feasible in our framework, both in a constant number of rounds as well as based on standard polynomial time assumptions. And we give two constructions, a non-black box construction based on enhanced trapdoor permutations and a fully black box construction based on PKE with oblivious public key generation and homomorphic commitment schemes.
And the latter, to the best of our knowledge, is the first one that is concurrently secure in the plain model, black box and constant round, and based on standard poly time assumptions. And furthermore, all our constructions are based on the relatively weak primitive of parallel CCA commitment schemes. These are commitment schemes that remain hiding even in the presence of an adversary that can make non-adaptive queries to a decommitment oracle. And this is in contrast to angel-based, or protocols in the angel-based setting, that generally need fully fledged CCA secure commitment schemes as a building block. So the starting idea of our framework is to give simulators also superpoly powers for specific tasks, just like in the angel-based setting, but additionally restricting access to the superpoly powers. This is modeled in the following way, by a so-called shielded oracle, that is an interactive Turing machine that may freely interact, directly interact, with the simulator as well as the functionality, where the interaction between the shielded oracle and the functionality cannot be monitored by the simulator. And in addition, environments in our framework can invoke, apart from the challenge protocol, also polynomially many instances of certain ideal protocols involving shielded oracles. And we call these environments augmented environments. And we use this notation for π realizes a protocol φ with respect to environments that may invoke polynomially many instances of the functionality F^O, which is the functionality defined by F and the shielded oracle O. And so these augmented environments imply a composition with protocols that may also be in the F^O hybrid model. So we have a generalized composition theorem here. And in order to cope with these augmented environments, that are super-polynomial in nature, we use the following technique, which is the main technique.
Our main technique, namely, we replace super-polynomial entities by polynomial ones in security proofs, and in particular in reductions to polynomial time assumptions, and thereby make the augmented environments efficient. The intuition behind this being that shielded oracles in a way look polynomial time from the outside, because all superpoly powers are encapsulated or shielded away from the outside. And therefore, the functionality F^O can be replaced by a polynomial time machine in such a way that an augmented environment does not notice a difference, and can therefore be replaced by a fully polynomial time UC environment. Okay, so now let me present our secure commitment scheme, namely a protocol that realizes F_COM^O with respect to F_COM^O-augmented environments for a yet to be defined shielded oracle O. So in order to be secure in our framework, this protocol needs to fulfill two properties. It needs to be extractable and equivocal in super-polynomial time, meaning that the binding and hiding property can be broken with superpoly powers. And as a building block, this commitment scheme uses a tag-based commitment scheme, CR, which needs to fulfill, or needs to have, the following properties. It needs to be immediately committing in the sense that the first message comes from the committer, and this message already perfectly determines the committed value. And this already implies that the commitment scheme is extractable with superpoly powers. And in addition, the underlying commitment scheme, CR, needs to be parallel CCA secure as mentioned previously. And then extractability of the larger protocol, π, follows directly from the extractability of the underlying commitment scheme, and equivocality can be obtained by using the idea of Dom Gregskifuro, namely letting the receiver commit to an equivocation trapdoor at the beginning of the protocol. Okay, so now we're ready to define the shielded oracle.
So in the case of a corrupted sender, O plays the role of an honest receiver, and after the commit phase is over, extracts the committed value, if possible, and sends this value to the functionality. And in the case of a corrupted receiver, O plays the role of the sender, extracts the equivocation trapdoor, commits to zero in the commit phase, and can then use the equivocation trapdoor to open this commitment arbitrarily in the unveil phase. Okay, so now we can state the theorem again. So if the underlying commitment scheme of π is immediately committing and parallel CCA secure, then π realizes F_COM^O with respect to F_COM^O-augmented environments for the shielded oracle as defined previously. Okay, to give some intuition for the proof, consider the following. Let the sender be corrupted, and consider an environment that commits to a value V in the commit phase and somehow manages to unveil a different value W in the unveil phase. Then in the unveil phase, the honest receiver will output W. But in the ideal model, the receiver will output V, the value extracted by O in the unveil phase. And so if this event occurs, and we call this event a discrepancy, then the environment can easily distinguish between real and ideal, and we must somehow prevent such an attack. One conceivable way the environment could possibly cause a discrepancy is by invoking an additional F_COM^O session with a corrupted receiver, because in this case the oracle can cause a discrepancy: it can extract the equivocation trapdoor and thereby open arbitrarily in the unveil phase. And so this already shows that the underlying commitment scheme of π needs to have some form of non-malleability to prevent this attack. And this form of non-malleability is provided by parallel CCA security.
Okay, so the main part in our security proof is to show that no augmented environment can cause a discrepancy, at least except with negligible probability. And so the proof is by contradiction in two steps: assuming that an augmented environment can cause a discrepancy, one first makes this environment efficient, in the sense that it only interacts with one F_COM^O session with a corrupted sender, and then proves that this efficient environment cannot cause a discrepancy. And the tricky part in the proof is to show the first step, that one can make this environment efficient. That's the difficult part. And very roughly, the way you do this is you replace the additional F_COM^O sessions iteratively in a specific order with the real protocol, making non-uniform, and that's very important, non-uniform reductions to the parallel CCA security of the underlying commitment scheme. But unfortunately, this proof is a bit too technical and too long for this talk, so I need to skip it. Okay, next, what we've shown is that if the underlying commitment scheme has an additional property, then one can do the following. Given a UC secure protocol ρ in the F_COM hybrid model that is constant round and can be broken down into phases, a commit phase and a compute phase, where in the commit phase parties may only commit via calls to F_COM and in the compute phase arbitrary interaction is allowed, but no calls to F_COM apart from unveil messages. And with this premise, one can in fact plug our protocol into ρ such that the composite protocol is secure in our framework. One can find a shielded oracle O' such that ρ composed with π emulates F^{O'} with respect to F^{O'}-augmented environments. And this structure, being able to break down the protocol into a commit phase and a compute phase, you can always achieve, because you can always compile an arbitrary protocol into one having such a structure by replacing commitments with randomized commitments.
Okay, and using this composition theorem for π, we can effectively import UC results into our framework, and that's effectively what's going to happen. But first let me talk about the instantiations of the protocol π. So the underlying commitment scheme of π can be instantiated with a modified version of the 8-round construction by Goyal et al. 2014. This can be based on one-way permutations, yielding a constant round protocol, and it can also be based on verifiable perfectly binding homomorphic commitment schemes, verifiable meaning that the validity of the commitment key is publicly verifiable, and therefore the commitment key can be generated and sent by the committer and not necessarily by a trusted setup. And the latter then yields a constant round black box construction, a black box instantiation of the protocol π. Okay, and with these two constant round instantiations of π, we can do the following. We can now plug them into appropriate UC results, general MPC results, and then we get the following. So we can use our instantiation based on one-way permutations and plug it into an appropriate protocol and get a general MPC protocol in our framework in the plain model that is constant round and based on enhanced trapdoor permutations. And we can also use, for instance, the protocol by Hazay et al. 2015 that is constant round and black box, and plug our black box instantiation of π into this protocol and get a protocol secure in our framework in the plain model that is constant round, black box and based on crypto primitives with poly hardness. Okay, so let me summarize. So we proposed a new universally composable security framework that is based on the idea of granting simulators restricted access to specific computational tasks. We have constructed a commitment scheme secure in our framework that fulfills a certain modular composition property.
Using this commitment scheme we were able to show that constant round black box general MPC in the plain model based on standard poly time assumptions is feasible in our framework. And also it's interesting to note that all our constructions are based on only parallel CCA secure commitment schemes. Okay, so I am done with my talk. So, thank you.

Thank you. We have time for questions. While people are thinking of questions, maybe the next person can start coming up.

So at some point you said that you are using a construction of GRRV as a sub-protocol.

Yes.

In particular, why don't you use any commitment as a sub-protocol? Which properties from GRRV do you need in your construction? It's a round, but what do you need?

Yeah, well, to be honest, GRRV was the first one we encountered that we believe fulfills these premises, to be parallel CCA secure and immediately committing. What we need is a certain extractor. So our extractor needs to be able to cope with a non-adaptive parallel CCA secure commitment scheme, to make this adversary plus a parallel CCA decommitment oracle polynomial time. And this can be done in constant rounds, as opposed to fully fledged CCA, where I think there is some impossibility result by Kiyoshima, where this is not possible, at least making black box reductions to standard poly time assumptions or falsifiable assumptions, at least in constant rounds. So this was the first one we encountered, and yeah, there might be others that are possible, but yeah, it works.