 This talk is about constant ciphertext rate non-committed encryption from standard assumptions. I'm Pedro, and this is joint work with Zvika Brackersky, Niku Dotlin, Sanjam Garg and Julio Malavota. Non-committed encryption is a special type of encryption which has two modes. In the first one, which we'll call the real mode, NCE behaves essentially as a standard public key encryption. Here we assume two parties, Alice and Bob. Alice starts by generating a pair of public and secret keys using random coins S. Bob generates a ciphertext using the encryption algorithm for message M and random coins R. Finally, Alice can decrypt the ciphertext using the secret key. The transcript of this protocol is composed by the public key and the ciphertext. This transcript is committing to M and can be explained by the random coins S and R. That is, given the transcript, the message and the random coins, we can re-run the key generation algorithm with random coins S and check that the public key is well-formed, run the encryption algorithm with random coins R to check that the ciphertext is well-formed and finally run the decryption algorithm to check that the secret key is well-formed. In the second mode, which we'll call the ideal mode, we have two additional algorithms. The first one, SIM1, creates a transcript composed by a public key and a ciphertext without receiving any message as input. Later, a second algorithm, SIM2, receives any message as input and outputs random coins that explain the transcript with respect to this new message. That is, we can run the key generation algorithm, the encryption algorithm and the decryption algorithm as before and check that the values are well-formed. We additionally require that the coins generated in the ideal mode are computationally indistinguishable from coins created in the real mode. One of the main reasons to study NCE is its applications in the design of multi-party computation schemes which are secure against adaptive adversaries as shown by Canary at all. Recall that an adaptive adversary is a type of adversary that can corrupt any number of parties at any point of the protocol and is usually considered the most realistic notion of security. One of the measures of efficiency for NCE is its communication efficiency that is the size of its public key and ciphertext. This has a direct impact on the complexity of the resulting NPC scheme. In this work, we focus on improving the ciphertext rate of NCE, where the ciphertext rate is defined as the ratio between the ciphertext size and the message size. Specifically, we show how to construct non-committed encryption with constant ciphertext rate in the plain model from standard assumptions such as learning with errors, decision of the fielmen and quadratic residuality. To achieve our result, we first introduced a new cryptography primitive which we call packed encryption with partial equivocation, or PEP for short. We then show that rate 1 PEP implies constant ciphertext rate non-committed encryption. Finally, we present constructions of rate 1 PEP along the hardness of LWB, DDH or QR. Our result improves upon a long line of works on the ciphertext rate of NCE. This line of work is installed at polylogarithmic rate from assumptions such as LWB or DDH. I'd like to mention that we can build rate 1 NCE in the CRS model if we consider the non-standard assumption of IO. Interestingly, in a concurrent work accepted at this year's Asia Crypt, Yamada et al. proved an identical result to ours, however using completely different techniques from the ones we used. Before presenting our construction, let me recap the construction of Hem and Way et al. or HORR, which achieves polylogarithmic ciphertext rate from the LWB assumption. The key generation algorithm of the AOHR starts by generating a public key of the PECT-REGF scheme, composed by a matrix A and vectors VEI. A random subset of these vectors is created together with a trapdoor. The remaining ones are chosen uniformly at random. To encrypt the message M, we first encode it using a properly chosen error-correcting code. This code needs to correct almost a half fraction of errors. We then choose a subset IS, and we consider the modified string W that agrees with Y on positions on IS, and it is uniformly random otherwise. We then encrypt W using a noisy version of the PECT-REGF scheme. To decrypt the message, we note that the receiver has the secret key for the positions in IR, so it can recover the true encrypted value WY. For the remaining positions, the receiver sets WY to be a uniformly random bit. We can then use the error-correcting code to recover the message M. Correctness holds because the intersection between the subsets IS and IR is non-ante except with negligible probability. Thus, the number of errors will be slightly smaller than one-half, and the coding succeeds. To generate a public key in the ideal mode, the simulator starts by sampling a matrix A together with the Gaussian sampler trapdoor. This trapdoor will allow to equivocate some positions of the ciphertext. To simulate a ciphertext, the simulator simply encrypts a random string Z using the encryption algorithm. To open a message M, note that the encoding Y of M and the encrypted string Z agree on approximately 50% of the positions. For the remaining ones, we will be able to use the Gaussian sampler trapdoor to reprogram some of the components of the ciphertexts as encryptions of YI instead of ZI. This will allow us to obtain the right statistics over the encryption random coins for a message M. Our first contribution is the definition of a new cryptographic primitive which we call packed encryption with partial equivocation, or PEP for short. This primitive essentially captures the main ideas in the age of our construction. Namely, it allows us to encrypt a message M using random coins R E and later find different random coins R E prime such that the encryption of a different message M prime coincides with the encryption of M. This holds conditioned on the fact that M prime and M differ only in some predefined positions. Formally, a PEP has a key generation algorithm which receives a subset of indexes I and the bit B and outputs a pair of public and secret keys on either the real mode if B is equal to 0 or on the ideal mode if B is equal to 1. This algorithm has the following properties. If the secret key is set on the real mode then it allows to decrypt some positions of an encrypted message. On the other hand, if the secret key is set on the ideal mode it allows us to equivocate some positions of an encrypted message. Finally, public keys set in different modes should be computationally indistinguishable. PEP has also an encryption algorithm which simply outputs a ciphertext and the decryption algorithm which outputs an encrypted message for the positions in I. One might think that PEP directly implies NCE because this new primitive already supports some form of equivocation. However, there are huge differences between both primitives. In PEP, only a subset I of positions can be equivocated and this subset is chosen at key generation time. Moreover, the subset I cannot meet the set of all coordinates otherwise we lose both the encryption and the encryption functionalities. On the other hand, NCE should allow to equivocate the full message and not just part of it and this needs to be done while preserving the encryption functionality. Despite their huge differences, in the next slide we show how to bootstrap a PEP into a full-fledged NCE. We show that PEP together with a properly chosen error-correcting code implies non-committed encryption. The construction follows the AGO-RR construction with the following replacements. The PEPT-REGF scheme is replaced by our PEP encryption. The real and ideal mode key generation of the AGO-RR is replaced by the PEP key generation algorithm. The Gaussian sampling used to equivocate ciphertexts in the AGO-RR scheme is replaced by the PEPA equivocation algorithm and finally the use of the error-correcting code is identical in both constructions. The rate of the resulting NCE depends on the rate of the error-correcting code which we know how to instantiate with constant rate and on the ciphertext rate of the PEP scheme. For the rest of this talk, we'll show how to construct rate 1 PEP from several standard assumptions. We'll start by the LW case. In fact, the AGO-RR construction immediately gives us a PEP scheme. As we mentioned before, the ciphertexts of this scheme are PEPT-REGF ciphertexts which originally imply the polylogarithmic ciphertext rate. Now, using the compression technique recently introduced by Brackersky at all, we can compress such ciphertexts down to asymptotically rate 1 ciphertexts. We thus obtain a PEP scheme with ciphertext rate 1 from LWE. We now show the underlying ideas of our DDH-based construction. In the following, let G be a generator of a cyclic group of order P. Recall that the DDH assumption states that given G to the A, where A is a uniform random ZP vector, the distribution of G to the WA for a uniform random ZP value W is computationally indistinguishable from the distribution of G to the U for a uniform random vector U. Our DDH-based construction shares some similarities with the LWB case. Here, to generate a public key in the real mode, we first sample a vector H composed by N-group elements chosen uniformly at random. The public key is composed by the vector H and vectors ZEI. These vectors are such that we know their D-log value with respect to H for positions in I. Otherwise, they are obliviously sampled at random from the group. The secret key is composed by the D-log values for the positions in I. To encrypt a message M, we simply perform a packed L-gamal encryption. The resulting ciphertext is composed by L-plus-1-group elements, and in this work, we show how to compress such ciphertext down to rate 1. We believe that our new compression technique might be of independent interest, which achieves perfect correctness and preserves the linear homomorphism of the L-gamal encryption scheme, unlike previous DDH-based compression techniques. The caveat of our compression technique is that it only achieves expected polynomial running time. In the ideal mode, the public key is set in such a way that the simulator knows the D-log of all the components of the public key. We set H to be G to the A for a uniformly random vector A, and the vector Zi to be G to the Vi, where Vi is either Si times A for some positions, or uniformly chosen at random for the equivocable indexes. The public key is composed by the vectors H and vector Zi. The secret key is composed by all the D-log values. To equivocate the ciphertext at some positions, we simply replace the use of the Gaussian sampling used in the LWKs by solving a linear equation system. This can be done since the simulator knows all the D-log values of the public key and of the ciphertext. Concretely, given a ciphertext where C1 is G to the D and Wi is equal to G to the Ki, encrypting a message M, we simply need to find the vector R bar that will open to a new message M' The indexes for which we can solve such a linear system are the indexes where Vi was chosen uniformly at random. Finally, we show that this system has solutions except with negligible probability over the uniform choice of Vi. To wrap up, in this work we introduced a new cryptographic primitive called packed encryption with partial equivocation, or PEP. We show that R1 PEP plus a properly chosen error correcting code implies constant ciphertext rate non-committed encryption. Finally, we showed how PEP with R1 can be constructed from LWE or DDH. We conclude this talk with some open problems. All the LWE based NCE constructions, including ours, HORR and the recent work of Yamada at all, assume the hardness of the LWE in its super polynomial modulus to noise version. So, can we build NCE with constant ciphertext rate from LWE in its polynomial modulus to noise ratio? Another open problem left in this work is the problem of the true rate of NCE. Concretely, can we achieve ciphertext rate 1 NCE or is a constant rate as achieved in this work the best we can hope for? That's all. Thanks!