 The next talk by Dennis Hofheins and Ibuah Yager is about tightly secure signatures and public encryptions to be presented by Ibuah. Yeah, thanks for the introduction. Good afternoon. So it works. So usually, when we construct a new crypto system, like a public key encryption scheme, for instance, then we construct a scheme together with a security proof, which shows that, under certain complexity assumptions, the scheme has some desired security properties. And a standard outline of such a security proof is the following. We first define a security model, which describes the input to an attacker and the output of a successful attacker. And we show that any such efficient attacker implies an efficient algorithm RFA, so RST reduction, which is able to solve some problem, which is assumed to be hard. And we say that the security proof is tied if this algorithm RFA has about the same running time and the same success probability as the attacker A. One classical security model for public key encryption is in CPA security in distinguishability under chosen plaintext attacks. And the security experiment starts with a public key, which is given to the attacker as input. Then the attacker selects a message and receives back a challenge ciphertext, which either encrypts this message on independent random value. And the task of the attacker is to tell whether a challenge ciphertext contains the real message or random ciphertext. And a stronger security model is CCA security, which is identical, except that the attacker has access to a decryption oracle. And this decryption oracle decrypts any ciphertext for the attacker, except for the challenge ciphertext. And we know many schemes which have a tight security proof in these security models. But the security model is a bit idealized, which means that we have only one public key in this model and we have only one challenge ciphertext. So in the rest of this talk, I refer to these security notions as 1,1 security. In the real world, the situation's, of course, a bit different. We have more than one receiver and a typical application of public key encryption. So we have many public keys and any receiver may receive more than one ciphertext. So we have several ciphertexts received by each receiver. So we have n public keys, l ciphertext, and n and l maybe depending on the application very large. So what we actually need in practice is n comma l security. And this is not a problem because 1 comma 1 security implies n comma l security. And this is a simple and well-known fact. And the proof can be found in a paper by Belarra, Baldi, Raffa, and Michali. But unfortunately, the reduction is not tight. So this means that when going from 1 comma 1 security to n comma l security, then we lose a factor of n times l in the success probability of the n comma l adversary. And if we are working in the asymptotic setting, where n and l are polynomials, then n times l is in the polynomial as well. So we lose a polynomial effect of the success probability. Then this is not a problem. But if you are interested in the concrete security setting, then we have to take the security loss into account. And to illustrate this a little bit, I want to give an example, which is borrowed from this BBM paper. So let us assume an encryption scheme, which has a 1 comma 1 security proof. Let us assume that this security proof guarantees us in the 1 comma 1 setting that any attacker has a success probability of at most 2 to the minus 60. And this concrete value here is, of course, under certain heuristics and so on, but I won't go into detail. So let's just assume the security proof provides this. And let's assume we use this encryption scheme now in a system where we have about 100 users and about 100 ciphertexts per user. Then the security guarantees that we get from the 1 comma 1 security proof is only that the security level that we obtain is only 2 to the minus 46. And if we use the scheme in an application where we have a million users and maybe 1,000 ciphertexts per user, then the security guarantees which are implied by this 1 comma 1 security proof are only 2 to the minus 30. So we lose some security with a growing number of users and ciphertexts. And the question is, of course, can we somehow avoid the security loss? First, there are some trivial solutions. For instance, we can use non-standard or parametrized assumptions, like Q-type assumptions. We can, for instance, assume directly that the scheme is secure in the n comma l sense in the multi-user setting. But this is, of course, a bit cheating. And another way to get tight security proofs is to use the random oracle model. This is the first answer to this question. And the second answer was given by Belache, Bolireva, and Michali in this Eureka paper. And then they have shown that there are examples, like L-R-Mail, which is n comma l in CPA secure. And Kramashub is n comma 1 in CCA secure. So Kramashub scales very well in the number of public keys in the system. But unfortunately not very well in the number of ciphertexts per public key. So our goal is to construct a public key encryption scheme which allows a tight n comma l security proof and a CCA sense in the standard model and based on a standard complexity assumption. Why is it difficult to construct such encryption schemes? Where known techniques exploit that there is only one challenge ciphertext in the security experiment. Two examples are the cryptosystems which are obtained from the narrow young paradigm. So they use usually one-time simulations on non-interactive zero-knowledge proofs, which allow to create exactly one challenge ciphertext. And the different examples are all but one simulations, like for instance, all but one lossy trapdoor functions. And here we are, again, able to create only one challenge ciphertext. In the multi-user setting, the n comma l security experiment, the situation is different. We do not have only one ciphertext, but we have many ciphertexts. And unfortunately, known techniques do not apply directly in the setting. So a question is, can we adopt these known techniques somehow to the multi-user setting to get tight security in the setting? And if we have a look at this narrow young paradigm, which uses one-time simulations on non-interactive zero-knowledge proofs, then we may ask, does it help if we had many-time simulations on non-interactive zero-knowledge proofs? This is the first question. And if this helps, then we have to ask, can we construct them somehow? And this is the starting point of our work. So here's an overview of our approach. We start with constructing a completely different primitive, a signature scheme, which is probably the reason why this talk is in the signature session. And this signature scheme has two properties. First, it is tightly secure. And second, it is structure-preserving. I will explain this in a minute. And then we use the signature scheme in combination with lots of high-proofs to get tightly secure many-time non-interactive zero-knowledge proofs. And then we combine this new tool here with a known primitive, with a tight in-CPA secure encryption, apply it in our young paradigm, and finally, we get our tightly CCACQ encryption scheme. All building blocks that we construct are based on a dealing assumption in groups with a symmetric pairing. And yes, since this is the signature session, I will focus on this part of the construction in the rest of this talk. So very briefly, what are structure-preserving signatures? These signatures have the special property that public keys, messages, and signatures are all elements from the same domain, usually group elements in a bilinear group setting. And the verification of the signature checks a conjunction of pairing product equations. And this property is very nice because it allows to combine structure-preserving in a nice way with lots of high-proofs. And this combination gives them a very powerful tool for efficient cryptographic constructions, like group signatures, for instance. But unfortunately, we do not know any structure-preserving signature scheme, which has a tight reduction to a standard complexity assumption, so we have to construct one. Our starting point is a structure-preserving signature scheme. And to give you an intuition how the signature scheme works, I want to give some more details. So in the SQL, let uppercase G be a group. And we have a pairing, which maps elements or pairs of this group here to some target group, GT. And I will use this notation. So uppercase E applies to a vector of three group elements and one additional group element means that we apply the bilinear map to the first component of the vector with D, to the second component with the vector with D, and to the third component with D. And we construct a signature scheme, which is able to sign vectors of group elements. So the message space or messages are vectors of n group elements. And the public key of the scheme looks like this. We have random group elements, G, H, K, and Z. And we have vectors, U, I, through U, N, and X, which have this special form. And this special form makes these vectors here deline vectors, deline with respect to G, H, and K. The secret key of the scheme are the delox that are marked in red here on the slide. And the signature is computed by computing two group elements, S and T, which satisfy this equation here. And the signature is verified by evaluating, by checking whether this equation here holds for the given messages, for the public key, and for the signature. And we can prove that this forms a tightly secure one-time signature scheme, so secure in the sense of existential unforgeability under one-time non-adaptive chosen message attacks under the deline assumption. And there are two things that you could keep in mind from this slide for the next slide. The first one is that the public key looks like this here. And the second is that the signature scheme has message space G to the N, where N is the number of these U vectors here in the public key. So we use this one-time signature scheme now to construct a tree. So we assign fresh tuples X comma G to each node where X is a deline tuple again, so X consists of three group elements. And for the whole tree, we fix parameters G, H, K, and U1 to U8, so we set N equal to 8. And all these UIs here are deline tuples as well. And the intuition behind this is that this assigns each node with the public key of the one-time signature scheme from the previous slide. So for instance, the node X0, Z0 is assigned with the public key P, K0, consisting of these common parameters for all nodes and the parameters for nodes for this node here. And the reason why we have chosen N equal to 8 in this case here is that each node is identified by four group elements. And the message space now of the signature scheme is eight group elements. So we can use, for instance, this public key here to assign the two childs of this node in the tree. And this gives rise to a simple Merkle tree-based signature scheme, which is structure-preserving. And it has also a tight security proof under the deline assumption. And the intuition here is that we reuse these parameters for the whole tree. And we embed the deline challenge in one of these vectors here. And we lose only a factor of 8 in the security reduction. So we have to guess one of these U values here, where we embed the deline challenge, but that we do not have to guess a leaf or a node in the tree, as usual for these proofs. So to summarize, we have started with a one-time signature scheme, which is structure-preserving. Used this to build a tree-based signature scheme. I used this then in the rest of this construction to finally get a CCA secure encryption scheme. And to finish my talk, I would like to leave some open problems. The first one is, are there further applications of these new tools that we give? So this simulation sound non-integrative knowledge proof, for instance, has already found an application. So we can use it. We can take it, combine it with a KDMCCA secure encryption scheme by Kamanish, Kanran, and Schub. And we just take it, plug it into their construction, and we get a tight KDMCCA secure encryption scheme. The second question is, our signatures are tree-based, which means that the signatures are rather long. So an obvious question is, can we get somehow shorter tree-based signature scheme? And a first step in this direction was made by a Maza-Ukrbe et al. In a paper which will be presented at DCS Asia Crypt. What they do is, among several other things, they construct a more efficient one-time structure-preserving signature scheme, which matches our tree construction. So we can take their scheme, put it into our tree constructions, and we get a more efficient scheme. And finally, of course, it would be great to have a structure-preserving signature with short signatures, ideally constant size for a small constant, and with small public keys, and tight security from a simple assumptions. But I assume that this is the most challenging question on this slide here. So this is the end of my talk. Thank you very much for your attention.