talk about "Circular Security Is Complete for KDM Security". I'm Fuyuki from NTT. This is joint work with Takahiro Matsuda from AIST.

Key-dependent message security, or KDM security for short, is a security notion that captures situations where an adversary can get a ciphertext of secret keys. Such situations naturally occur in many cryptographic primitives. Moreover, until today KDM security has found a number of applications in constructions of advanced cryptographic primitives.

This is the definition of KDM security. KDM security is defined by using a security game played by a challenger and an adversary. In this game, the adversary can make a KDM query consisting of two functions f0 and f1 contained in a function class F. For this query, the challenger returns an encryption of f_b(sk), where sk is the secret key and b is the challenge bit. Then, if no PPT adversary can guess the challenge bit b correctly with probability significantly greater than one half, we say that the scheme is F-KDM-CPA secure, or just F-KDM secure. We can similarly define F-KDM-CCA security by allowing the adversary to make decryption queries. The definition I just explained is KDM security in the single-key setting. We can similarly define KDM security in the multi-key setting by considering a security game where there are multiple secret keys.

One of the most widely studied security notions among KDM security is projection KDM security. Roughly speaking, projection KDM security allows us to encrypt copies and negations of secret key bits. So at first glance, this security notion looks somewhat weak, but Applebaum showed that projection KDM security is complete in the sense that a projection KDM secure encryption scheme can be transformed into a bounded KDM secure encryption scheme. Bounded KDM security is one of the strongest forms of KDM security that allows us to encrypt a message of the form f(sk) for any function f of a priori bounded size.
This completeness result shown by Applebaum holds for any of CPA or CCA secure SKE and PKE in the multi-key setting. Also, some recent works showed the power of projection KDM security by showing that a projection KDM secure encryption scheme implies IND-CCA secure PKE and DV-NIZK.

In this work, we tackle the question of whether circular security is also complete for KDM security or not. Circular security is a security notion that allows us to encrypt only copies of secret key bits. So circular security is a weaker form of KDM security compared to even projection KDM security, which allows us to encrypt both copies and negations of secret key bits. In other words, the question we study is whether the weakest form of KDM security implies the strongest form of KDM security.

Let me talk about some additional motivations. The question we study is interesting from the viewpoint of negation complexity. For example, Goldreich and Izsak showed that a one-way function can be computed by a monotone circuit, but a pseudorandom generator cannot. We believe that it is interesting to clarify whether such a barrier exists for KDM security, namely whether the ability to encrypt both negations and copies of secret key bits is stronger than the ability to encrypt only copies of secret key bits. Also, studying the completeness of circular security has an impact on the study of public-key cryptography, given some recent results showing the power of projection KDM security. If we can show the completeness of circular security, we can see that circular security is as powerful as projection KDM security.

Based on these motivations, in this work we show that circular security is in fact complete for KDM security. Our completeness result holds for any of CPA or CCA secure SKE or PKE in the multi-key setting, similarly to the completeness result shown by Applebaum. More precisely, we show that we can transform circular secure SKE and PKE against chosen plaintext attack into bounded KDM-CCA secure SKE and PKE, respectively.
So I will talk about the outline of how to obtain our results. I will start with the case of SKE. In the case of SKE, as shown by Backes et al., we can easily transform bounded KDM-CPA secure SKE into bounded KDM-CCA secure SKE. So in this setting, all we have to do is to construct bounded KDM-CPA secure SKE from circular secure SKE. We accomplish this task by using targeted encryption. Targeted encryption is a primitive introduced by Barak et al. to achieve a bounded KDM-CPA secure encryption scheme. This is the outline for SKE.

Then we move on to the case of PKE. In the case of PKE, it is not known whether we can transform bounded KDM-CPA secure PKE into bounded KDM-CCA secure PKE in the multi-key setting. So although it seems that we can construct bounded KDM-CPA secure PKE from circular secure PKE via targeted encryption, similarly to the case of SKE, we need a different way. We accomplish this task by introducing a new primitive that we call conformed targeted encryption. Conformed targeted encryption is a variant of targeted encryption conformed to achieve KDM-CCA security. By using conformed targeted encryption, we construct bounded KDM-CCA secure PKE directly from circular secure PKE without going through bounded KDM-CPA secure PKE. As a corollary of this result, we can see that KDM-CPA security and KDM-CCA security are equivalent in the multi-key setting. This result improves our own result that appeared in TCC 19, which showed that KDM-CPA security and KDM-CCA security are equivalent in the single-key setting.

In the rest of my talk, I will talk about the technical details of this work. Especially, using the vast majority of the remaining time, I will talk about how to realize targeted encryption from circular secure encryption. For simplicity, I will explain how to construct a secret-key variant of targeted encryption based on circular secure SKE in the single-key setting. So I will start with the syntax of targeted encryption.
A targeted encryption scheme consists of three algorithms, TKG, TEnc and TDec. TKG is given the security parameter and outputs a secret key sk. Let the length of the secret key sk be L. The encryption algorithm TEnc is given the secret key sk, some index i from 1 to L, and two messages x0 and x1, and outputs a ciphertext ct. Finally, the decryption algorithm, given the ciphertext ct and the secret key sk, outputs only a single message x_s, where s is the i-th bit of the secret key sk.

Targeted encryption should satisfy two security notions. The first one is security against the receiver, which guarantees that the ciphertext hides x_{1-s} even against the receiver holding the secret key. The second security notion is security against outsiders, which guarantees that the ciphertext hides both x0 and x1 against outside adversaries who do not have the secret key. So targeted encryption is a primitive similar to oblivious transfer, and thus is compatible with garbled circuits. Barak et al. showed that the combination of targeted encryption and garbled circuits implies a bounded KDM secure encryption scheme.

Next, I will explain that targeted encryption can be realized naturally from projection KDM secure SKE. Consider the following natural realization of targeted encryption based on SKE. In this construction, when we generate a secret key of targeted encryption, we just generate a secret key of SKE. And when we encrypt two messages x0 and x1 for the i-th bit s of the secret key sk, we just encrypt x_s by using the underlying SKE in a bit-by-bit manner, as described in the slide. Of course, by decrypting these bit-by-bit ciphertexts, the receiver can correctly obtain x_s. The construction satisfies security against the receiver. This is because in this construction, the ciphertext is completely independent of the message x_{1-s}. Moreover, if the underlying SKE scheme satisfies projection KDM security, the construction satisfies security against outsiders.
The reason why we need projection KDM security is as follows. Let the length of messages x0 and x1 be n. We can classify indices from 1 to n into the following four types. We classify an index j as a type 1 index if the j-th bits of both x0 and x1 are 0. We classify an index j as a type 2 index if the j-th bits of x0 and x1 are 0 and 1, respectively. We classify an index j as a type 3 index if the j-th bits of x0 and x1 are 1 and 0, respectively. And finally, we classify an index j as a type 4 index if the j-th bits of x0 and x1 are 1.

Then, when encrypting x_s in a bit-by-bit manner in this construction, we have to generate the following ciphertexts by the underlying SKE for each type of index. First, for indices of type 1, we see that we have to generate an encryption of 0. For indices of type 2, we have to generate an encryption of a copy of s. For indices of type 3, we have to generate an encryption of the negation of s. And finally, for indices of type 4, we have to generate an encryption of 1. We can confirm that by decrypting these ciphertexts, the receiver can obtain x_s correctly. So in this way, in this construction, we have to encrypt both copies and negations of secret key bits. This is the reason why we need projection KDM security to prove security against outsiders.

We now try to realize targeted encryption from circular secure SKE, which allows us to encrypt copies of secret key bits. As a first try, we modify the construction of targeted encryption based on SKE that I explained in the last two slides. In this modified construction, when we encrypt x_s in the bit-by-bit manner, for indices of type 1, 2, and 4, we generate a ciphertext of the underlying SKE in exactly the same way as before. But for indices of type 3, we replace the ciphertext of the underlying SKE with the special symbol flip.
The receiver can decrypt this modified ciphertext in exactly the same way as before, except that the receiver sets the j-th bit of x_s as the negation of s, namely 1 - s, for indices j of type 3. So we can confirm that this construction still satisfies the functionality of targeted encryption. Also, in this construction, we now need to encrypt only copies of secret key bits. So there is a hope that this construction satisfies security against outsiders based only on circular security of the underlying SKE.

However, this construction satisfies only leaky security based on the circular security of the underlying SKE. Leaky security means that the receiver and outside adversaries can obtain some leaked information. Concretely, the receiver can clearly know that the j-th bit of x_{1-s} is s for the indices of type 3 by seeing the special symbol flip. Similarly, the adversary can know that the j-th bits of x0 and x1 are 1 and 0, respectively, for indices of type 3. Strictly speaking, the receiver additionally can know the j-th bit of x_{1-s}, depending on the value of s, for either one of the indices of type 1 or type 4. Due to those leakages, though we can ensure that the remaining bits are hidden against the receiver and outside adversaries, this construction is only a leaky targeted encryption.

Summarizing the discussion so far, we can see that we can transform circular secure SKE into leaky targeted encryption. In order to achieve our final goal, we propose a transformation from leaky targeted encryption into full-fledged targeted encryption. Concretely, we propose a transformation using weak leaky targeted SKE, which is implied by circular secure SKE. So finally, I will briefly describe that transformation and explain that the leaky targeted SKE needed in the transformation is in fact implied by circular secure SKE.
The transformation is a simple hybrid encryption construction where leaky targeted encryption is used as the KEM, and the leaky targeted SKE is used as the DEM. Concretely, when we encrypt two messages x0 and x1 for the i-th bit s of the secret key sk, we first generate two secret keys lsk0 and lsk1 of leaky targeted SKE. Then, we encapsulate those secret keys of leaky targeted SKE into the ciphertext of leaky targeted encryption. Also, we encrypt the messages x0 and x1 by using leaky targeted SKE under the keys lsk0 and lsk1, respectively. So the resulting ciphertext consists of three ciphertexts. When decrypting this ciphertext, the receiver first recovers lsk_s from the ciphertext of leaky targeted encryption, and then the receiver can obtain x_s by decrypting the ciphertext of x_s using lsk_s. In this construction, leaky targeted encryption leaks partial information of the encapsulated keys lsk0 and lsk1, but we can prove that if the underlying leaky targeted SKE scheme is secure against those leakages, this construction satisfies both security against the receiver and security against outsiders.

So finally, I will explain that the leaky targeted SKE needed in the transformation is in fact implied by circular secure SKE. Without loss of generality, secret keys of leaky targeted SKE are just uniform random strings. In this case, we have to replace only a one-fourth fraction of the ciphertexts of circular secure SKE with the special symbol flip. Then we can see that the leakage amount is only a one-half fraction for the receiver and a one-fourth fraction for outside adversaries. Also, when secret keys of leaky targeted SKE are uniform random strings, the leakage positions are determined completely at random and are out of the control of adversaries. SKE resilient against such kinds of leakage can be achieved from IND-CPA secure SKE, which is in turn implied by circular secure SKE, by using a universal hash function and the leftover hash lemma.
So overall, we can see that targeted encryption can be realized only from circular secure SKE. By combining the construction with some previous results, we can obtain the completeness of circular security in the secret-key setting. In order to obtain completeness of circular security in the public-key setting, we introduce a new primitive that we call conformed targeted encryption, and we construct bounded KDM-CCA secure PKE directly from circular secure PKE without going through bounded KDM-CPA secure PKE. For this result, please see our paper. This is the end of my talk. Thank you for your attention.
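
The bit-by-bit targeted encryption described in the talk, first with an encrypted negation at type 3 indices and then with the flip symbol, written out as an added example that is not part of the talk or the paper. The one-bit SKE is a toy HMAC-based stand-in with no KDM or circular security claimed, and the names `tenc`, `tdec`, `outsider_leak` and the sample values are assumptions chosen here.

```python
import hashlib, hmac, secrets

FLIP = "flip"  # special symbol sent instead of a ciphertext at type 3 indices

def _pad(sk, r):
    return hmac.new(bytes(sk), r, hashlib.sha256).digest()[0] & 1

def ske_enc(sk, bit):
    """Toy one-bit SKE (assumed stand-in; no KDM or circular security claimed)."""
    r = secrets.token_bytes(16)
    return (r, bit ^ _pad(sk, r))

def ske_dec(sk, ct):
    r, c = ct
    return c ^ _pad(sk, r)

def tenc(sk, i, x0, x1, use_flip):
    """Encrypt x_s bit by bit, s = sk[i] (0-based i; the talk counts from 1).
    Also returns, per position, which function of the key the SKE encrypted."""
    s, ct, kinds = sk[i], [], []
    for b0, b1 in zip(x0, x1):
        if b0 == b1:                  # type 1 (0,0) or type 4 (1,1): a constant
            bit, kind = b0, "constant"
        elif (b0, b1) == (0, 1):      # type 2: x_s[j] equals s
            bit, kind = s, "copy"
        elif use_flip:                # type 3, modified construction: no ciphertext
            bit, kind = None, "none"
        else:                         # type 3, first construction: x_s[j] = 1 - s
            bit, kind = 1 - s, "negation"
        ct.append(FLIP if bit is None else ske_enc(sk, bit))
        kinds.append(kind)
    return ct, kinds

def tdec(sk, i, ct):
    """Recover x_s; at a flip position the receiver outputs 1 - s."""
    return [1 - sk[i] if c == FLIP else ske_dec(sk, c) for c in ct]

def outsider_leak(ct):
    """Positions where anyone sees flip and so learns x0[j] = 1, x1[j] = 0."""
    return [j for j, c in enumerate(ct) if c == FLIP]

# Constructed sample input covering all four index types.
SK = [1, 0, 1, 1, 0, 0, 1, 0]
X0 = [0, 0, 1, 1, 0, 1]
X1 = [0, 1, 0, 1, 1, 0]
```

With `use_flip=True` the underlying SKE is only ever asked for constants and copies of `s`, and the flip positions returned by `outsider_leak` are exactly the type 3 leakage the talk describes.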