 Okay. So the next talk is random oracle reducibility and it's by Paul Becher and Mark Fishland. I hope I said your name correctly, but you can correct it. And the tech person, I thought you were on your way to me. I'm stuck here. Okay. Okay. They put a person who has no technical skills at the first chair. Okay. Paul? Paul? Yeah. Well, you're getting ready. I want to draw your attention to the fact that there is a monitor there with the time. It seemed like Evgeny was missing it. So you see it on the floor? Yeah. Okay. You are ignoring it. Okay. Sorry. Okay. Okay. So there you go. Okay. Thanks for the introduction. This work is joint work with Mark Fishland and is in a nutshell on relating the random oracles of two cryptographic schemes. But let's start at the beginning. So consider this situation. We have two cryptographic schemes, A and B. And these schemes come with a proof, as they should be, under certain assumptions. So for scheme A, we have some set of assumptions A. And for scheme B, we have possibly a different set of assumptions B. So if we assume furthermore that these schemes are for the same purpose, we may ask ourselves which one of this scheme is better. So for example, one may be more efficient than the other. Or the assumptions of the one scheme might be milder or even subset of the assumptions of the other scheme. And there are purpose-specific properties such as the ciphertext size, for example, if we're talking about an encryption scheme. So this is rather easy to assess in the standard model if we want to see which one of the schemes is better. Now, if we consider the very same situation, but this time these proofs come in the random-oracle model. So scheme A is proven secure under A in the random-oracle model, and scheme B is proven secure under B in the random-oracle model. It is now much less clear which one of the schemes is better. So the comparison is kind of biased by this random-oracle dependency. What do we mean by that? For example, we could have the case that scheme A, the assumptions of scheme A are a strict subset of the assumption of scheme B. But scheme A might use more of the power that the random-oracle gives it. So, for example, it might need that the hash function is perfectly one-way or collision-resistant or has some other properties which we don't know or cannot assess. On the other hand, scheme B could use this random-oracle to, could use much less power than we're given by this random-oracle. Or in the extreme case, the random-oracle of scheme A might even be uninstangible. So what's the solution to this? We could look at how the random-oracle is being used by isolating all the properties that are being used. But this is sometimes not clear how to do this, or it can be very tedious. Instead, what we propose here in this work is the standard cryptographers approach. That is, we want to use a reduction. And we want to be able to make statements such as if scheme A, given access to random-oracle H, is secure, then scheme B is secure using the very same random-oracle. So intuitively speaking, we want to say that any hash function that makes scheme A secure also makes scheme B secure. And from this it follows that if the random-oracle of scheme B is uninstangible then the random-oracle of scheme A is uninstangible as well. So you might have noticed this function H, this article T here, which we would like to view as a transformation function because the random-oracles of two schemes are not necessarily compatible in the sense that in the one scheme we may want to have bit strings of a certain length and in the other scheme we might work with some group elements. So we slot in here a transformation function that guarantees this structural compatibility. So what we get with this notion is a relative security notion. That is, we're not saying scheme A is secure but if scheme A is secure with this hash function then scheme B will be secure with this hash function as well. So let's look at this in a more formal way. We say that scheme A reduces to scheme B. If for every hash function there exists a transformation such that, and here's the first kind of reducibility we have, strictly if A is secure under some set of assumptions then B is secure using this very same hash function under a possibly different set B. This is very strong as we will see and therefore, so our G defines a security game. So for the sake of this talk we can think of this as say IND, CCA, security game for example. So this is the very strict notion. We also propose a WECA notion which says if scheme A is secure under A then scheme B is secure under A and B. So here we allow that, we allow that proving this we can assume that both sets of assumptions hold at the same time. And we also have a notion that is in between these two worlds that is if A is secure under A then B is secure under A union B. But B could also be secure for some other function assuming only B. So but maybe assuming some other assumptions for the hash function. So how does this work? Our main example is an encryption scheme. And we are looking here at the twin hashed algorithmal encryption scheme due to cache kilts and chub which is an extension of some other original hashed algorithmal encryption scheme. But it comes with Milo assumptions specifically to prove the twin hashed algorithmal encryption scheme secure is sufficient to assume the computational Diffie-Hellman assumption as opposed to the strong computational Diffie-Hellman assumption. And the security then follows if we furthermore assume that we have a symmetric encryption scheme that is CND, CCA, and secure. So this is an example where we have such a situation where one might be tempted to say that this other scheme is clearly better than the original scheme. And it turns out our example here is we look at a variant of this twin hashed algorithmal scheme and it turns out that this variant is in fact strongly reducible to the original scheme. Some details. The proof is done in two steps. So first to show that we have a weak reducibility from the twin scheme to the original scheme and then we prove that the twin scheme itself on its own is secure in a random oracle model by which we conclude that we also have a strong reducibility. So I won't go into the full details of these two schemes but I would like to draw your attention to the use of the random oracle which is being used to derive a symmetric key here from two group elements randomness and the public key to the y to randomness. And in the twin hashed algorithmal scheme we have three group elements. We then use only half of this key to encrypt the actual message. So here it is clear that we cannot use directly this hash function because we have here three group elements as opposed to two group elements. So this is where we need some kind of transformation function. And it turns out that this transformation function which takes triples of group elements and applies the hash function to the oracle here twice and concatenates is indeed a good transformation function for this. So let's have a look at the proof. So we assume we have an adversary against the twin the twin hashed algorithmal scheme and this adversary is going to ask hash queries random oracle queries and this will be triples. So we are going to construct an adversary A that attacks the original scheme and this adversary has to answer these queries and it does this by simply implementing the transformation function. So that is for a given triple ABC it will ask two queries to its own hash oracle AB and AC and simply concatenate the results just like this transformation function. A will also have to handle decryption queries. We have one public key from the original scheme. The other public key which is used in the twin hashed algorithmal scheme. This one we simulate ourselves. So we have the private key X1. We give the two public key parts to adversary B and B will ask some kind of decryption queries which are these. Since we simulate the one half of the key by ourselves which is this part, we can check if this is indeed, this is indeed a properly, proper safer text and we will do this by reusing the randomness that we obtain here and taking this to our private key. So if this is equal we will go on and ask our own decryption oracle about this randomness and the safer text and simply return the message. We return but if this is not equal here because then we can be sure that the safer text is not properly calculated. The challenge query is answered analogously. So we are given two messages M1 and M0. We forward these to our own encryption oracle, get back a safer text Y which is the randomness and C. We use again this randomness to calculate our part of the key and simply feed this back to the adversary B. Finally the attacker A outputs whatever B outputs and it turns out that this simulation is perfect. So adversary A is successful whenever adversary B is successful and by that we get that we have a weak reducibility from the twin hashed algorithm scheme to our variant of the scheme to the original scheme. The next step of the proof would be to show that this variant is also secure on its own which is a bit more technical so we will have to look at the paper for that and by these two results we then conclude that we also have a strong reducibility. We have some more applications of this notion. Specifically we have that variant of probabilistic RSA FDH signatures is reducible to GQ signatures. We have also that probabilistic RSA FDH signatures are reducible to PSS signatures and finally that Schnorr signatures are reduced to BLS signatures. These reductions are all strict and since this notion allows us to argue about un-instantiability, yeah this is very interesting for these schemes. Okay so I saved some time. I would like to thank the sponsors for the stipends and I would like to thank you for your attention. We do have time for a question. Okay so thank you again.