 All right, thank you very much. So I want to talk about the black box operations for a secret secret encryption. And this is joined with a blue-skate print. So let's start by reviewing the notion of a secret encryption. So in its simplest form, we have the notion of one secret encryption, which is defined as a game between a challenger and adversary in which the challenger has to pay a public secret piece pk and sk, and that the adversary receives the challenger's public key, as well as an encryption of the challenger's secret key under its corresponding public key. And the goal of the adversary is to distinguish between encryption of plain text of her own choice. So I want to mention two points here. So the first point is that we can actually make this a notion stronger by now requiring the adversary to actually distinguish between encryption of secret keys and encryption of fixed plain text. But since one of our goals is to prove separations where the target notion is a secret encryption, if you make the target notion weaker, our results will be stronger. So the second point that I want to mention is that it will be actually important how the secret key is encrypted, namely whether it is encrypted bit by bit or as a block of bits or whether it is encrypted as a whole. And it turns out that the first two cases are the two most difficult cases to handle. And it also, as I will tell you later, the third case can be very easily handled. I will tell you what I mean by that. All right, so more generally, we have the notion of t-secular encryption in which the challenger now has t pairs of public secret keys. And the adversary receives all the public keys as well as an encryption of each secret key under its next public key in a secret fashion. And everything remains the same from this point on. All right, so a question that is raised is whether we can base t-secular encryption on cp encryption. And it turns out that for the case t equals 1 and for the full length case, namely the case in which we can encrypt the secret key as a whole, there is a simple construction in the literature that will work with respect to any cp encryption that has the syntactic property. And the idea is essentially that if you want to build the encryption algorithm e-prime out of e on plaintext x and the public key pk, we first somehow check whether x is a secret key of pk or not. And if it is, we will encrypt a safe plaintext under pk. And if it's not, we will just encrypt x itself. And this way we will reduce encryptions of secret keys to encryptions of safe plaintext under the basis scheme. And the question that remains is that how we can actually do this check in polynomial time. And it turns out that if the base cp, a public encryption, had this property that there is a one-to-one correspondence between the randomness of the Q-generational algorithm and the resulting public key, then we can build another pke under which we can do this check efficiently. But this construction doesn't seem to extend if you're going to encrypt x bit by bit. And it doesn't also seem to extend if you want to make this key secure under t-cycles where t is bigger than 1. All right, so in terms of previous works, one of the main applications of the notion of SQL encryption is in the context of FHE for converting somewhat FHE into pure FHE. And also, we now have constructions of several. So we have construction of circular secure encryption based on various specific assumptions. And on the negative side, we have this result by Rosbloom that shows that you cannot do a black box reduction to prove that any CPA bit encryption scheme is also circular secure. And this result was followed by a series of work that, based on various specific assumptions, give you CPA schemes that are not circular secure. In different settings, like in the bit by bit setting and so on. And finally, we have this result that shows that you cannot go from chapter permutations in a fully black box way to a fully KDM public encryption in which you can securely encrypt any function of the secret key under its public key. OK, so two questions that remain are that whether we can build one circular bit encryption or a T-circular encryption based on CPA encryption. And I would emphasize here that for the T-circular case, we don't insist on having a bit by bit encryption scheme. All right, so while we address these two questions by considering a stronger notion that we called C-circular security, which is exactly the same as circular security, except that now we are going to encrypt the seed of the key generation algorithm under its corresponding public key. And this notion is actually stronger because you might have the key generation algorithm to simply output the underlying seed as the secret key. So what we show are that there doesn't exist a fully black box construction of one seed circular bit encryption from CPA encryption in a fully black box way. And we actually show that this result holds, even if the seed is going to be encrypted as blocks of length or of log in bits. And our second result shows that you cannot go from T-seed circular encryption to a T-plus-1 seed circular encryption, even if the target notion is it's what a weaker case of full lengths. And the base notion is for the stronger case of a bit by bit case. All right. So let me say a few words about fully black constructions. So in cryptography, we really want to show that there doesn't exist a fully black box construction of P out of Q. I mean, no, no, OK. So what I wanted to say is that if you want to prove that there does exist a fully black box construction of P out of Q, you need to first give a black box construction algorithm, which by only having oracle access to any correct implementation of Q gives you a correct implementation of P. And one point that I want to mention here is that since the access to the base implementation is as an oracle, the construction will make sense, even if that implementation is not efficient. And this is a point that will be leveraged in many separation proofs. And we call this the security proof algorithm of black box if the algorithm by having access to any implementation of Q and also by having access to a hypothetical adversary that breaks the construction relative to Q can break the security of a Q. OK. So let's review two common templates that are used in the literature for approving a fully black box separation between two primitives P and Q. Under the first template, we first give an ideal implementation O for Q, which cannot be broken even if you are allowed, which cannot be broken if you are only going to make a polynomial number of queries to O. And even if you are allowed to make expensive offline computation. And at the same time, we show that any possible construction G relative to O for P can be broken by a polynomial number of queries to O. OK. And we cannot use this approach because the most natural way to use this approach is to let O be a random public encryption. And if you think of a random public encryption, it will satisfy any notion of security. That's all you can think of. So we cannot use it. So the second approach is somewhat similar in that in addition to O, we also provide another weakening order called W, which doesn't help to break the Q security of O, but it can be useful for breaking any possible construction for P. And again, we were not able to use this approach. So our separation template follows the template of Gertner at all from O1. And the idea is that basically for every candidate's construction for the target primitive, we provide an order called T, which helps to break the claim security of the construction, but it doesn't help us, but it doesn't help any adversary against an ideal implementation of the base primitive. So let me tell you that that's how the ideal base implementation GED is sampled. It is very easy. So we sample the key generation algorithm and the encryption algorithm at random. And then we define the decryption algorithm accordingly. And we also define two site oracles that we will use in our proofs. So the order called U will decrypt ciphertext relative to public keys. Also, I'm putting the underlying randomness. And the order called W basically checks that whether a given public key is of value or not. And I want to emphasize that in our security proofs. We will not let the adversary to have understicted access to you. OK, so now let me tell you how the order called T works. So the most natural approach for defining T would be to let T accept inputs of the claim public key as well as a claim bit by bit encryption of PK's seed under PK itself. And the T can work by first decrypting the bit ciphertext relative to a matching secret key for PK. And then rerun the key generation algorithm to see that whether we will get PK back. But there are two problems with this approach. The first problem is that the adversary against the base scheme GED, which also has Oracle access to T, can use T in any possible way. So it may not call T on a valid PK. And we cannot simply check for the adversary that whether a given PK is of value or not. Because it will give the adversary a lot of power. And the second problem is that how we can simulate access to T. What I mean by that is that we want to prove that access to T can be simulated by having Oracle access to some safe Oracle. That do not hurt the CPA security of a GED. So our approach starts by first resolving this problem. So what we do is that the Oracle T is going to perform the decryption not relative to O, but relative to some related O-twiddle under which PK is indeed a valid public key. And also O-twiddle is close enough to O in the sense that if you perform random encryptions of bits once relative to O and once relative to O-twiddle using the same random randomness, then with high probability you will get the same output. And this will guarantee that if the inputs to T are correctly formed, then we will get the correct decryption result. So now let me tell you that how we can actually form such an Oracle O-twiddle from O. So while we want to have an Oracle O-twiddle that has these properties, so what I'm going to do is that, OK, so I'm going to first sample a set of query response pairs QG in offline mode such that PK is a valid public key relative to QG. And then I will somehow superimpose QG on G, OK? So I will tell you what I mean by superimposing. And I have just changed the key generation algorithm. So I will keep the encryption algorithm the same. And I will tell you that that's how we can define the decryption algorithm. So what's since E-twiddle is the same as E, so we will obviously have this property. So let me tell you very quickly how superimposing works. So suppose that you want to superimpose a set of query response pairs under G. So suppose that you want to superimpose a set of G-type query answer pairs on function G. So while we define the function G-twiddle to behave as a QG, if the given SK is one of these SKIs, and otherwise, we will let it behave as G. So now I have told you that how we can define the Oracle O-twiddle, so now I can give a more general picture of the Oracle T. So while we first sample a set of query response pairs such that relative to this set of PK is a valid public key, and then we superimpose this set on the base Oracle O to get to O-twiddle. And then we perform the decryption relative to O-twiddle to get S. And then at the end, we are going to do an additional check, which will make sure that the Oracle T is simulatable under some safe Oracle. And the idea is basically that we are going to run the key generation algorithm under S to see whether we get PK as an output, and then we will check that whether all valid public keys that are embedded in the set on QG are going to appear during this execution. And then we'll have two theorems that will show that the Oracle T is useful for... OK, thanks very much. We have time for questions. So maybe you can ask one. So you showed the separation from the seed circular. So is this because you can't prove it for the normal circular? Right. Oops, sorry. Yeah, so while we tried to provide standard public encryption, but we couldn't do it. And if I want to tell you quickly that's why we need seed circular Ds, that we want to be able to regenerate the public key under the recovered public key, under the recovered information. And you cannot, in general, go from the secret key of an encryption scheme to its corresponding public key. But you can do it if you have the underlying seed. And that is the main reason, informally speaking, after why we were able to do it for seeds. So would it be sufficient just to assume that you can generate the public key from the secret key? Yeah, yeah, something like that, yeah.