I'll quickly proceed to the next and final talk of the conference. The title is "Public-Key Cryptosystems Resilient to Continuous Tampering and Leakage of Arbitrary Functions", by Eiichiro Fujisaki and Keita Xagawa from NTT Japan, and the talk will be presented by Eiichiro. Are you using this microphone? Yeah.

Thank you for your introduction. My name is Eiichiro Fujisaki. This is joint work with Keita Xagawa from NTT Secure Platform Laboratories. First, a part of this talk is closely related to Antonio's previous talk. We also analyzed the Qin-Liu PKE scheme under tampering attacks, with a different setting. Also, our impossibility result on signatures complements their result on signatures. This is the agenda of my talk. First, Antonio already explained the tampering attack, so I will just explain it briefly: a tampering attack is an attack that allows the adversary to modify the secret of the target cryptographic device and observe the effect of the change at the output.
Gennaro, Lysyanskaya, Malkin, Micali, and Rabin, and Bellare and Kohno, were the first to give provably secure systems against tampering attacks. Of course, tampering attacks were known before, but they made the first provably secure systems. Just to consider the model of tampering attacks in the CCA game: the adversary can now send a tampering function phi together with a ciphertext to the decryption oracle, and the decryption oracle now returns the decryption of the ciphertext under the modified secret, phi(SK). In that case, the goal is equivalent to the one in the IND-CCA2 game.

In this paper, we focus on tampering attacks with arbitrary functions; then some restrictions are required, because there is a strong impossibility result: there is no IND-CCA secure PKE, nor EUF-CMA secure signature scheme, resilient to unbounded polynomial tampering of arbitrary functions, even in a stronger model than CRS. The proof is very simple: just consider this kind of tampering query. By querying these functions, the adversary can retrieve the whole secret key from the output of the decryption or signing oracle. To bypass that impossibility result, one way is to only allow a bounded number of tampering queries; Antonio's talk is categorized in this. Another way to avoid this attack is to allow an unbounded number of tampering queries but to allow the device to self-destruct if it detects tampering; this is called continuous tampering with a self-destruct mechanism, and this talk belongs to this category. Yet another way is to allow an unbounded number of tampering queries but to allow the device to update its secret key; it's called continuous tampering with a key-update mechanism, and one of our schemes belongs to this category.

There is also a further classification: persistent tampering and non-persistent tampering. Persistent tampering means the tampering is applied to the current version of the secret, which was overwritten by the previous tampering function. Just see this: if the adversary queries like this, in this order, then the adversary obtains this kind of result. The other type of tampering attack is the non-persistent tampering attack: tampering is always applied to the original secret. In that case, for the same series of queries, the adversary receives this kind of result. Here, a remark: if we do not allow a key update, then the non-persistent tampering attack is always stronger than the persistent attack, because one can simulate the persistent queries in the non-persistent attack. If we have a key update, then it is not necessarily stronger.

There is another impossibility result specific to public-key encryption: there is no IND-CCA secure PKE scheme resilient to even one post-challenge tampering query of an arbitrary function. Choose this kind of tampering function; then you can break the indistinguishability of the public-key encryption scheme. This attack is unavoidable even with self-destruction, key updating, and in both persistent and non-persistent tampering attacks, in a stronger model. In this paper, we concentrate on the CRS model, because there we can treat tampering of arbitrary functions; with a weaker model than CRS, we must restrict the class of tampering functions, so we concentrate on the CRS model. Now, this is a summary of previous work.
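The persistent versus non-persistent tampering oracles just described, as an added illustration that is not part of the talk or the paper: a toy Python oracle answers a query (phi, ct) with Dec(phi(sk), ct), with a switch for whether phi acts on the current or the original key and a self-destruct flag, and composed_prefixes shows how a non-persistent adversary simulates a persistent run. The decryption routine, the key and the tampering functions are constructed stand-ins, not the Qin-Liu scheme.

```python
from dataclasses import dataclass, field
from functools import reduce

REJECT = None  # the rejection symbol the decryption oracle outputs on an invalid ciphertext

def toy_decrypt(sk: bytes, ct: bytes):
    # Constructed stand-in for Dec (assumption, not a real scheme): ct = tag || body; the
    # device accepts only if tag == sk[0] and then XORs the body with the rest of the key.
    if not ct or ct[0] != sk[0]:
        return REJECT
    return bytes(b ^ k for b, k in zip(ct[1:], sk[1:]))

@dataclass
class TamperingOracle:
    # Answers a tampering query (phi, ct) with Dec(phi(sk), ct), as in the talk's CCA game.
    sk: bytes
    persistent: bool            # True: phi acts on the current, already tampered key
    self_destruct: bool = True  # True: the first rejection disables the device for good
    current: bytes = field(init=False)
    destroyed: bool = field(init=False, default=False)
    def __post_init__(self) -> None:
        self.current = self.sk

    def query(self, phi, ct: bytes):
        if self.destroyed:
            return REJECT
        tampered = phi(self.current if self.persistent else self.sk)
        if self.persistent:
            self.current = tampered  # the modified key overwrites the stored one
        out = toy_decrypt(tampered, ct)
        if out is REJECT and self.self_destruct:
            self.destroyed = True
        return out

def run(oracle: TamperingOracle, queries) -> list:
    return [oracle.query(phi, ct) for phi, ct in queries]

def composed_prefixes(phis) -> list:
    # A non-persistent adversary reproduces a persistent run by sending phi_i o ... o phi_1
    # as its i-th query; that is why non-persistent tampering is the stronger notion.
    def compose(prefix):
        return lambda sk: reduce(lambda k, p: p(k), prefix, sk)
    return [compose(phis[:i + 1]) for i in range(len(phis))]
# Constructed sample values: byte 0 of the key is the accept tag; PHI_1 and PHI_2 flip bits of
# key byte 1 (the device keeps accepting), PHI_BAD changes the tag so Dec rejects.
SK = bytes([7]) + b"secretkey"
CT = bytes([7]) + b"hello"
PHI_1 = lambda s: s[:1] + bytes([s[1] ^ 0x01]) + s[2:]
PHI_2 = lambda s: s[:1] + bytes([s[1] ^ 0x02]) + s[2:]
PHI_BAD = lambda s: bytes([s[0] ^ 0xFF]) + s[1:]
```

Without self_destruct the oracle keeps answering after a rejection, which is the gap the self-destruct mechanism in the talk closes.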
This talk considers this, and our result is: we showed the first CCA secure PKE scheme resilient to continuous tampering of arbitrary functions, and one that is resilient to continuous tampering and continuous memory leakage, with a key-update mechanism. We also showed an impossibility result: there is no signature scheme resilient to continuous non-persistent tampering, even with a self-destruct mechanism, and if the key-update mechanism works only when tampering is detected, there is no signature scheme even with a key-update mechanism. This is our result.

Now, for the continuous tampering and bounded leakage CCA scheme. The definition of continuous tampering and bounded leakage CCA security is similar to the bounded tampering and leakage CCA game; the only difference is that the adversary may submit many tampering queries to the decryption oracle, until the decryption algorithm self-destructs. When the decryption algorithm self-destructs, it outputs the rejection symbol, and in that case the adversary cannot access the decryption oracle anymore. First, just consider a bounded leakage CCA PKE scheme; this means a CCA secure PKE scheme resilient to bounded memory leakage. For any bounded leakage CCA secure PKE scheme, this holds: if the size of the message is smaller than the limit of the bounded leakage, then any bounded leakage CCA secure PKE scheme is resilient to at least a bounded number of tampering queries. Of course, the reason is that one can simulate the tampering oracle by using the leakage oracle, like this. However, this does not work for continuous tampering, and even for bounded tampering this black-box usage gives a very bad bound, so Antonio also does not use this kind of thing.
Now, to go to the construction, we prepare two primitives. One is a hash proof system; Antonio already explained it and the previous talk also explained hash proof systems, so I will almost skip the explanation. Anyway, Lambda is a projective and gamma-entropic hash, so it is called a projective and gamma-entropic hash, and a hash proof system means there is a public evaluation algorithm and a private evaluation algorithm to output the projective hash. This is a very popular system, so I skip the explanation. I also use an all-but-one injective function. In the previous presentation this was called a one-time lossy filter, as named in the Qin-Liu paper, but this function is just a weaker version of an all-but-one trapdoor function: the trapdoor function is just replaced by an injective function. Let A be a function; it's a kind of public key, and for only one tag T, A on T is lossy, while for all other tags T', A on T' is injective, and one cannot distinguish the lossy branch T from the injective branch T'; that is assumed by definition.

Now, going back to the Qin-Liu PKE scheme at ASIACRYPT 2013: Qin and Liu proposed a PKE scheme which is IND-CCA secure and resilient to bounded leakage; that means it is bounded leakage CCA secure. The Qin-Liu scheme is constructed by combining a hash proof system with an all-but-one injective function. The actual construction is like this: M is the message, K is the hash key of the hash proof system, and the hash key is filtered by the all-but-one function; VK is a one-time signature verification key, and sigma is a one-time signature on the first four items. So our claim is that, putting the hash proof system parameters and the public key of the all-but-one injective function in the CRS, the Qin-Liu scheme is continuous tampering and bounded leakage CCA secure if it has a self-destruct mechanism.
The proof is very simple. First consider this very simple lemma for any random variables, this inequality (4); the proof is easy, like this. Then consider the query ciphertext of the Qin-Liu PKE, and K* is the challenge hash in the challenge ciphertext. In the simulation, C* does not belong to V, so K* has large entropy, and when CT is submitted to the decryption oracle with a tampering function phi, the decryption oracle computes this, and if this ciphertext is rejected, then what is revealed about K*? This is just this. Case one is easy, because the decryption oracle just outputs the rejection symbol, so case one immediately follows from the useful lemma. But how about case two? Case two is that the decryption oracle does not reject the ciphertext, so the decryption oracle also reveals the message, and this must have entropy. However, the entropy of that message is actually zero given the ciphertext, because this function is injective on the challenge and on the VK; therefore this kind of equality holds, and case two holds.

Now let P_i be the probability that D does not reject the i-th query ciphertext, and let P_L be the probability that D rejects the query ciphertext. Note that there is a trade-off between the leakage bits, log(1/P), and the probability P: namely, if log(1/P) is big then P is small, and vice versa. So if the total leakage bits from all tampering queries exceed omega(log K), then the probability that this occurs is just negligible. So the Qin-Liu PKE system reveals at most omega(log K) bits against tampering attacks with overwhelming probability. To sum up, the Qin-Liu PKE system reveals at most omega(log K) bits against tampering attacks; the Qin-Liu PKE is proven bounded leakage secure and can afford the K-bit memory leakage. Combining these, the Qin-Liu PKE is continuous tampering and bounded leakage secure. This proof can also be applied to Antonio's scheme.

Now we go to the continuous tampering and leakage secure PKE scheme. Just consider: the continuous tampering and bounded leakage security notion does not imply the IND-CCA security notion, because the decryption oracle self-destructs even when it receives an invalid ciphertext under the original secret key; the reason is that the decryption oracle cannot distinguish a tampering query from a normal decryption query. However, the continuous tampering and leakage security notion does imply the IND-CCA security notion, so it's better. Just the definition of a PKE with a key-update mechanism; this is very simple: the first three algorithms form a standard PKE, and there is a key-update algorithm that takes SK and updates it to a new secret key without changing PK. Such a PKE is called a PKE with a key-update mechanism. The continuous tampering and leakage secure game is almost the same; the only differences are that instead of D self-destructing, D updates the secret key, and also the leakage query. This red part is the part that differs from the continuous tampering and bounded leakage secure game; you can easily imagine the game, so I skip it.

Now we go back to why the Qin-Liu PKE scheme is continuous tampering and bounded leakage secure. Remember that the Qin-Liu PKE scheme is constructed by combining a hash proof system with an all-but-one function. The hash proof system makes a bounded leakage secure PKE, and the all-but-one function transforms a BL-CPA secure PKE into a BL-CCA secure one; this was proven by Qin and Liu. It also keeps the leakage of the secret key small when answering one tampering query. However, although the leakage is small for one tampering query, it is leaked step by step, so self-destruction is needed: the decryption algorithm can detect the tampering before it leaks too much. So the observation is: if there is a hash proof system with a key-update mechanism, then by combining it with an all-but-one function we can construct a continuous tampering and leakage secure PKE. Unfortunately, there is no such hash proof system. But the PKE scheme of Agrawal, Dodis, Vaikuntanathan, and Wichs is very close to such a hash proof system with a key-update mechanism. Their scheme is a hash proof system based PKE scheme resilient to continuous leakage in the floppy model. In the floppy model there are two secret keys, and one secret key is not revealed and is only used to update the secret key. So the goal is to modify the secret-key update algorithm in the floppy model into one in the key-update model, in the sense of the key update like this, without usk. There are two steps. The hash proof system in their scheme is defined on an ordinary prime-order group; we translate it into bilinear groups, which makes it possible to update the key without the other secret. For the security proof, we modify the random subspace lemma: their version of the random subspace lemma is like this, and we prove the random subspace lemma in this setting. Then we succeed in constructing the scheme.

Now the impossibility result: there is no EUF-CMA signature scheme resilient to unbounded polynomially many non-persistent tampering queries of arbitrary functions, even with a self-destruct mechanism. This is easy to follow: the adversary just runs the key generation algorithm to make a second pair of legitimate keys and sets this kind of function; from the i-th query she can obtain the i-th bit of SK, but the signing oracle cannot detect the tampering, so it cannot self-destruct, and she retrieves the whole secret.

Now the conclusion: this is the summary again, this is the comparison, and these are the references. Thank you for listening.

Thank you very much. Maybe a short question or comment? Right, so let's thank all the speakers from this session again. This completes the session, so enjoy the farewell lunch. Thank you all, and I do hope that you enjoyed the conference, the friendly atmosphere in Hanoi, and the nice weather. So now we have lunch; have a good trip back, and see you next time. Thank you.