Hello everyone, I'm Ehsan Ebrahimi, a postdoctoral researcher, and I'm working in the Department of Computer Science. I'm telling you about our paper that was accepted to PKC 2022. For the rest of the presentation, I will turn off my video since I might cover some part of the slides.

All right, so OAEP is a transformation that uses two random oracles and a partial-domain one-way permutation to obtain an IND-CCA secure encryption scheme. How does it work? In order to encrypt a message m, we append a 0-bit string of length k1 to m and choose randomness r. Then we query G on r to get G(r) and XOR it with the message. This part is called s. Then we query H on input s and XOR it with r. This part is called t. And then we apply f on input s and t to get the ciphertext. How does the decryption work? We use the inverse of f to get s and t, and then H(s) XOR t gives us the randomness r, and XORing s with G(r) gives us the message back.

But what does IND-CCA security mean in the random oracle model? Possibly you are familiar with this security notion, so I will briefly explain it. Here both the adversary and the challenger have access to the random oracle. The adversary, given pk, also has access to decryption queries, and later the adversary outputs two messages, m0 and m1. The challenger encrypts one of them randomly to get c* and sends c* to the adversary, and the adversary's goal is to guess which message has been encrypted. Obviously, the adversary is not allowed to ask for the decryption of c*, because trivially the adversary can obtain b with probability one if it is allowed to make a decryption query on input c*.

How are security proofs usually done in the random oracle model? The assumption is that there is a public, truly random function that all parties, including the adversary, can query. And in the security proof, usually the list of input and output queries to the random oracle is needed.
And also we need to adaptively change the random oracle in the security proof, or program the random oracle in the security proof.

I'll give you a reason why we need to consider the quantum random oracle model. In real-world applications, the random oracle will be replaced with a cryptographic hash function, and the code of this hash function is public. The quantum adversary can implement this hash function on a quantum computer. So we need to consider superposition access, or superposition queries, to the random oracle. The second property may not work trivially, because recording quantum queries is not possible in general due to the no-cloning theorem. So this property is difficult to hold in the quantum case. The third property, adaptively programming the random oracle, might not be obvious as well, since a single superposition query can contain all the inputs and outputs of the random oracle, and programming the random oracle afterwards might not be possible. So let's say the adversary makes such a query and then we try to change the output of the random oracle on one specific input, or program the random oracle. Then this might be detected by the adversary, since it has been queried before.

Existing research prior to our work shows that a modified OAEP, called Q-OAEP, is IND-CCA secure in the quantum random oracle model. Q-OAEP uses an extra random oracle in this way: it is almost the same as OAEP, except for the ciphertext c2 that is obtained by querying a new random oracle H'. So querying H' on input s and t gives us the second part of the ciphertext, c2. This extra random oracle is needed to overcome the recording barrier in their paper, and it has been used for extraction of s and t in the security proof. For the third challenge, the one-way-to-hiding lemma has been used; it is a tool to overcome the third challenge. So we improve the existing result on two fronts.
First, we show IND-qCCA security, which is stronger than IND-CCA. Second, we show the post-quantum security of unmodified OAEP. The techniques that have been used in our paper are Zhandry's recording technique and its follow-up works, and gentle measurement.

So what is IND-qCCA security in the quantum random oracle model? It's shown in this slide. The quantum adversary here has superposition access to the random oracle and also to the decryption oracle, and the adversary's goal is to guess the bit b. I will explain this quantum access in the next slide. The canonical way of querying a classical function H, or implementing H on a quantum computer, is to prepare two registers, one input register and one output register, and then the basis state |x, y> goes to |x, y XOR f(x)>. So the evaluation of f on input x is stored in the output register. For decryption queries it is similar, with the difference that if the challenge ciphertext c* is defined and is submitted as a decryption query, then the decryption oracle returns bottom, so it doesn't decrypt c*. And c* is classical, so this unitary is well defined.

I'll give you a very short introduction to the compressed standard oracle. Of course I'm not the right person to present this, and more information is available in the original paper. The goal, if I want to summarize its properties: it is efficient, it stores the inputs and outputs of queries in a shared database (by shared I mean it is shared between the adversary and the oracle), and it is perfectly indistinguishable from the standard oracle. As for the high-level idea of the CStO: this representation lacks details, and in this representation the implementation is not efficient; it is just to build intuition behind the CStO.
The standard way of considering the quantum random oracle model is that the oracle chooses a random function from the set of all functions and answers the queries with the unitary U_H, which is the standard way of implementing H on a quantum computer. The other perspective is that the oracle puts a uniform superposition of all functions in its private register and answers the queries as shown in the slide. These two perspectives are the same, since if the oracle measures its private register in perspective two, then it gets the same ensemble of quantum states as in perspective one; or you can say that one is the purification of the other.

If we apply the QFT, the quantum Fourier transform, on Y before and after the query, we will get the phase oracle. With a change of notation from a random function H to its truth table, and considering the point function P_{x,y} (the point function P_{x,y} is a function that is y on input x and zero elsewhere), we will get the state shown in the slide. The differences are shown in blue. So if the oracle applies the QFT on its private register, then the point function is stored in the oracle's state. In other words, the pair (x, y) is stored in the oracle's register. Of course this is the high-level idea of the CStO, and its original representation and definition are quite different from here. But at the end, we will get something like this: there is a database that is shared between the adversary and the oracle, and the queries are stored in this database. Basically, the database is entangled with both parties.

I'll give you an overview of the proof. We start with the IND-qCCA game in the quantum random oracle model. Then we introduce a sequence of indistinguishable games to reach the last game, for which the success probability of the adversary is one half.
And that finishes the proof, because the games that were introduced are indistinguishable and the success probability in the last game is one half, so we get that the overall probability of winning the IND-qCCA game is one half plus negligible.

So Game 0 is the IND-qCCA game in the quantum random oracle model. The first line is for sampling the random elements, and the rest is the attack in which A wants to guess the bit b that is chosen at random.

In Game 1, the random oracle H is replaced with the compressed standard oracle H, and the random oracle G is replaced with a random injective function. Since these replacements are indistinguishable for a polynomial-time quantum adversary, the two games, 0 and 1, are indistinguishable.

In Game 2, we replace the normal decryption oracle with a new decryption that is called U_Dec1. U_Dec1, for any decryption query, first applies the purified measurement M_DH, then applies the normal decryption U_Dec,f^-1, and then applies the purified measurement M_DH again. The purified measurement M_DH searches the database of H for pairs (s, H(s)) such that the equation on this slide holds. In other words, M_DH uses the inverse of f to get only t. And then, having t, it searches the database of H to find pairs (s, H(s)) such that t XOR H(s), XORed with s, gives us the zero, the bit string of zeros here. So basically, it searches for the pairs for which the decryption succeeds. If there are such s, then the smallest s will be the output of M_DH, and if there is no such s, then the output of M_DH will be bottom. The two games are indistinguishable because M_DH and the decryption U_Dec,f^-1 almost commute, due to a recent result, and because M_DH is an involution.
So if we commute one M_DH with U_Dec,f^-1, then they will cancel out and we will get U_Dec,f^-1. So these two games are indistinguishable.

In Game 3 we replace the random oracle G with the compressed standard oracle G, so CStO_G. And obviously Games 2 and 3 are indistinguishable because of Zhandry, so CStO_G and the standard oracle G are indistinguishable.

In Game 4 we use a new decryption; it's called U_Dec2. This new decryption first applies two purified measurements: M_DH, which is the same as on the previous slide, and the new purified measurement M_DG, which searches the database of G. So the purified measurement M_DG searches the database of G for pairs (r, G(r)) such that the equation on the slide holds. In other words, it uses f^-1 to get s, and then it searches over the database of G to find G(r) such that XOR with s gives k1 bits of 0. So basically it uses the inverse of f to get s and then searches over the database of G for pairs for which the decryption succeeds. The output of M_DG will be the smallest r, and if there isn't such r, then the output will be empty. So Games 3 and 4 are indistinguishable because of a recent result that M_DG and U_Dec,f^-1 almost commute, and since M_DG is an involution, if we commute them they will cancel out and then we will get U_Dec1.

We change the decryption rule further in Game 5 to get a new decryption rule named U_Dec3. This new decryption returns bottom if at least one of the measurements M_DH or M_DG is not successful. Otherwise it executes the normal decryption rule. So if both measurements are successful, then it executes U_Dec,f^-1. The high-level intuition for why Games 4 and 5 are indistinguishable is that the adversary is not able to output a valid ciphertext with high probability unless it executes the random oracle queries.
In Game 6 we use a new decryption rule that only uses the databases D_H and D_G for decryption. It doesn't use f^-1 anymore. So how does it work? It searches over D_H and D_G to find pairs (s, H(s)) and (r, G(r)) such that c is equal to f of s and r XOR H(s), and G(r) XOR s gives us k1 bits of zero. And if both conditions hold, then the n most significant bits of G(r) XOR s will be the output of decryption. So this decryption doesn't use the inverse of f at all, and it checks if there are pairs in the databases such that these two conditions hold. It's not difficult to see that these two decryptions return the same output, because the purified measurements M_DH and M_DG also look for such pairs in the databases. And once there is such a pair, then the output of U_Dec,f^-1 and the output of this new decryption are exactly the n most significant bits of G(r) XOR s.

And finally, in the last game we measure the queries to the random oracle G with the projective measurement M_r*. So the output of the measurement is one if the post-measurement state is r*, and otherwise it's zero. If the output of one of the measurements is one, then we abort and return a random bit. Otherwise, we continue. So this is the way to prevent the adversary from querying r* to the random oracle G. To show that Games 6 and 7 are indistinguishable, for the queries before the challenge query we use gentle measurement, and for post-challenge queries we use the partial-domain one-wayness of the permutation f. So, given an adversary that distinguishes these two games, we construct an adversary that breaks the security of the permutation. Now, here, the decryption queries are answered with only the databases D_H and D_G, so it doesn't use the inverse of f.
So the reduction can be done because of this, because we don't need the secret key to answer the decryption queries.

The final step is: since the success probability of the adversary in Game 7 is one half, and the games are indistinguishable, the proof is complete. The success probability in Game 7 is one half because r*, and subsequently G(r*), is basically a random value from the adversary's perspective, so the bit b is hidden information-theoretically from the adversary. So G(r*) hides m_b and the zero padding.

And besides the theoretical importance of our result, this answers an open question posed in the NTRU submission, one of the finalists of the NIST competition. Thank you a lot for listening. Thank you.
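
A classical sketch of two steps from the talk, added here as an example and not taken from the paper or the slides: OAEP encryption and normal decryption as described at the start, and the Game 6 style decryption that searches only the recorded oracle queries and never inverts f. Assumptions: SHAKE-256 stands in for the oracles G and H, plain dictionaries stand in for the compressed-oracle databases, f is textbook RSA over two Mersenne primes (a toy, trivially factorable), and all sizes and names are constructed for illustration.

```python
import hashlib

N_LEN, K0, K1 = 16, 16, 16           # bytes: message m, randomness r, zero padding
P, Q = 2**521 - 1, 2**607 - 1        # Mersenne primes: toy modulus, trivially factorable
MOD, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # trapdoor of the toy permutation f

class Oracle:
    """SHAKE-256 stand-in for a random oracle; db records (input, output) pairs."""
    def __init__(self, tag, outlen):
        self.tag, self.outlen, self.db = tag, outlen, {}
    def __call__(self, x, record=True):
        y = hashlib.shake_256(self.tag + x).digest(self.outlen)
        if record:
            self.db[x] = y
        return y

G, H = Oracle(b"G", N_LEN + K1), Oracle(b"H", K0)

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def f(s, t):
    return pow(int.from_bytes(s + t, "big"), E, MOD)

def encrypt(m, r):
    s = xor(G(r), m + bytes(K1))     # s = G(r) xor (m || 0^k1)
    t = xor(H(s), r)                 # t = H(s) xor r
    return f(s, t)

def decrypt(c):
    """Normal decryption: inverts f with the trapdoor D."""
    x = pow(c, D, MOD)
    if x >> 8 * (N_LEN + K1 + K0):
        return None                  # preimage is not a well-formed s || t
    x = x.to_bytes(N_LEN + K1 + K0, "big")
    s, t = x[:N_LEN + K1], x[N_LEN + K1:]
    padded = xor(G(xor(H(s, False), t), False), s)   # decryption queries are not recorded
    return padded[:N_LEN] if padded[N_LEN:] == bytes(K1) else None

def db_decrypt(c):
    """Decryption from the recorded query databases only; never uses D."""
    for s, hs in H.db.items():
        for r, gr in G.db.items():
            padded = xor(gr, s)
            if f(s, xor(hs, r)) == c and padded[N_LEN:] == bytes(K1):
                return padded[:N_LEN]
    return None
```

Both decryptions agree on a ciphertext whose oracle queries were recorded, and the database-only one returns nothing for a ciphertext formed without those queries, which is why the reduction can answer decryption queries without the secret key.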