Hi, so I'm Marika Swanberg and I'll be telling you about our work on universally composable end-to-end secure messaging.

So Signal is a secure messaging protocol used to transmit hundreds of billions of messages each day. And one of its key innovations is it has a continuous key agreement with both post-compromise and forward security. And recall that forward security protects the data transmitted before a compromise; post-compromise security protects data transmitted after the exposure event. And so in a number of settings, the Signal protocol is combined with other cryptographic protocols, or parts of it are repurposed for other applications. And so in order to understand the security guarantees of Signal in these various settings, we need a composable security analysis.

So in this work, we formulate the ideal functionality that captures secure messaging. And we then decompose the secure messaging functionality into sub-functionalities that are congruent with the Signal protocol design. And importantly, the sub-functionalities must be subroutine respecting so that we can then apply our composition theorems. And lastly, we show how to realize these individual components using standard primitives and minimal hardness assumptions.

All right. So in this process, we need to get around a number of technical difficulties. And in this brief talk, I'll just mention two of them. So one is untangling Signal's inherent circularity. And the second one is dealing with adaptive corruptions. And for details on this third point, see our paper.

So let's begin with our secure messaging functionality. So when Alice wants to send a message, she asks F_SM. And in response, she'll get a ciphertext-header pair. And then Alice herself sends the pair over the network. And later, when Bob receives the ciphertext and header, he can ask F_SM for the original message back. So F_SM has several desirable properties. First, Alice and Bob are guaranteed immediate encryption and decryption, even for out-of-order messages. And even against a fully adaptive adversary, the parties will eventually heal from a state compromise. And their messages are protected by forward secrecy. And note that determining the exact moment where security is regained post-compromise is one of the analytical challenges of this work.

All right, so let's decompose this ideal functionality. So the Signal protocol achieves forward and backward secrecy via a public ratchet and a symmetric ratchet. So the public ratchet functionality persists for the entire communication session. And it guarantees that parties will heal after compromise. And then within each epoch, we have a symmetric ratchet functionality that performs authenticated encryption and decryption of several messages, with key evolution between them to provide forward security. And this is the original Signal design that we echo in our modular breakdown. So next, we can further decompose the symmetric ratchet into a per-message authenticated encryption functionality that does the encryption.

And so at this point in our modeling, there's a problem of circularity that comes up. So the way that the Signal public ratchet works is it only advances its state if the incoming message authenticates. And the problem is that the incoming message is authenticated using a key that is derived from the message itself. So the behavior of the public ratchet depends on the message authentication and vice versa. And this is a problem when decomposing Signal in a modular fashion. So it requires care in our modeling. So to break the circularity between these modules, we have the public ratchet functionality give out random nonsense authentication keys to the message key exchange module if the incoming message was mauled. And crucially, these random junk keys are mutually pseudorandom. So the public ratchet then lets the caller decide when the public key is correct.

Finally, we sketch the issue of realizing these functionalities under adaptive corruptions. So let's start with the public ratchet. So to realize the ideal functionality against an adaptive adversary, all of those random nonsense keys that we gave out need to be consistent with the true internal root key that is used to generate the message chain keys. And so one easy way of guaranteeing the consistency while also providing adaptive security is to use a random oracle to model this public ratchet. However, instead we introduce a new primitive that we call the cascaded PRFG. It can be constructed from puncturable PRFs, and it allows us to simulate adaptive corruptions. So see the paper for more details on this interesting primitive. And next we can realize the authenticated encryption functionality with any adaptively secure encryption scheme, like one-time pad plus MAC. And here we do need a random oracle to guarantee adaptive security. And lastly, we make the public ratchet component a global UC functionality. And this allows us to compose all of these sub-protocols into the original Signal protocol.

All right, so I'll just flash this slide of related work, and you can pause the video if you want to read it. But I'll just end by saying, please watch our 25 minute talk and read our paper for more details, and also use our functionalities and analyses in your future papers. Thanks.