Hello. So, let's get started. So we have Norbert today, and yeah, we have, like, a session on understanding HPKE. I'll hand over to Norbert now.
Yeah, thank you. That's what Alice says. So my name is Norbert. Welcome, everyone. And today I'm going to talk about hybrid public key encryption, which can send the first message encrypted without, like, prior communication. Oh, I forgot to show my presentation, I'm sorry about that. So perhaps, yeah, today is not my day for the technical stuff, I see. Let me just open the presentation really quick in the browser. It's loading. Screen is not properly visible. Yeah, is it better now? Not better. Yeah, this is better. Just, yeah.
Okay, so yeah, let's talk about HPKE for now. So actually it's hybrid public key encryption. It's an encryption scheme, which means it uses asymmetric and symmetric cryptography. It combines the advantages of the asymmetric encryption and the performance benefits of the symmetric cryptography. The first draft was made in January 2020, and we are actually now at the 12th, and it came out today. So it is going really quickly. For now the changes are not so big, well, just, like, formal and typos, but there are still changes in the draft. The draft is proposed at IRTF by the Crypto Forum Research Group, and there are more hybrid encryption schemes out there. But why is HPKE so good, let's say, compared to the other ones? HPKE provides authentication mode, it is said to be IND-CCA2 secure, and is using current primitives like elliptic curve Diffie-Hellman, HKDF and SHA-2.
So let's talk about the modes. HPKE comes with four different modes.
There is the basic mode, then the authentication mode, so the messages can be authenticated with an asymmetric key, and an authentication mode with a pre-shared key, and then we can just combine these two to actually, like, authentication and with the pre-shared key.
The encryption scheme comes with, like, more modes. There is a single-shot API, which means that the messages can be sent, like, there is just only one message which can be sent, no more. That's why it's single-shot API. So that means a context is created, one message is sent, and it's closed. Multi-shot API is, like, for multiple messages.
I have to state that the message direction is only unidirectional, so the sender can send to the recipient but not vice versa. If we have to achieve bidirectional communication, it's a possibility by exporting the secret and using that, but the main goal of HPKE is just unidirectional communication.
So what is it consisting of? HPKE has three main building blocks: the key derivation function, the key encapsulation mechanism, and authenticated encryption with associated data. As you can see on the figure, the first part, the KEM, uses asymmetric cryptography and the AEAD is using symmetric. The key encapsulation mechanism creates a shared secret, using the key schedule, which is later on used for encrypting the messages. The HKDF, or so the key derivation function, uses HMAC in both parts, in the KEM and later on in the key schedule. To achieve domain separation, because, like, we use a key derivation function in two separate places, we want to achieve domain separation.
So the functions will look like different functions. That's why HPKE is using labels. So when the key is derived, they are not the same because of the labels.
So let's see. That's what I talked about: when we have the KDF, they are labeled, and we have to state if we want to use the label for the KEM or for anywhere else in HPKE. There are two main functions, extract and expand. So extract, yeah, extracts a key from keying material, which should be random, and the second one expands a key to our desired length. The key encapsulation comes with encapsulation and decapsulation, and there are two different versions for the basic and the authenticated mode. The AEAD comes with seal and open, one for encryption and the other one for the decryption of the message. And there is one more for exporting the secret, which I said: if we need to use bidirectional, or for any other reason, we can export a secret from the context and use it.
So let's see how the encapsulation works. As I said before, the messages are sent encrypted without prior communication, which is true, but we still need the public key of the receiver. So let's suppose that when we start the scheme we already have the public key of the receiver, and we don't care how we get that. Then we have to derive our key pair. As you can see, I use E here, which means ephemeral, so it's only generated for the key encapsulation and then it's thrown away and we never use the key. Then we compute the Diffie-Hellman from the public key of the receiver and our private key, and create a KEM context by concatenating the public key of the receiver and our public key, I mean the sender's public key. From that we compute again using the key derivation, and by that we can get the shared secret. The output of the encapsulation is the public key and the shared secret.
Okay, so why do we have to output the public key when I said that we have to throw it away?
The answer is really easy: we have to decapsulate. So on the other side, of the sender, sorry, on the receiver, we already have the key pair. But to create the KEM context we need both key pairs, both public key pairs, the ephemeral and the receiver's. So we send over the public key, the ephemeral public key, so the receiver can create the context and the shared secret too.
So there is a little example using the library: how can we set up a context and use encryption. So we're using HPKE context here. To set up the context we are using functions like HPKE setup base; at the end it denotes, like, is it the sender or the receiver. Then we have to denote the mode we want to use: base, authentication, PSK, or both. We have to tell it the public key of the receiver, some info, and then we have to state which algorithms we want to use for the KEM, KDF and the AEAD. These have to be set, like, before; the two parts have to agree on the same algorithms. Here it should be implementation, well, say, in the implementation. To create the context for the sender we have to provide a random function, because we are generating the ephemeral at this part. So to create the context for the receiver, it's almost the same. We are providing the ephemeral and our public key, public and private key pair. Then actually the arguments are the same.
So when we have a context, we can use it for encryption and decryption. So there are the two functions for that. As you can see, it's almost mirrored. The only difference is the output and the input, the plaintext or the ciphertext, and we got here some AAD, or associated data.
As you read through the slide you can perhaps see that there are, like, vulnerabilities and just, like, two secure parts. Yeah, we can say that, like, there is no perfect system. So there are all the time, like, some imperfections, but let's start with the secure part.
So as I said before, there is the indistinguishability under chosen ciphertext attack, which it is secure for. That means that the attacker can adaptively choose the ciphertext, get them decrypted, and then it can choose, like, again some ciphertext which will be decrypted, and he can analyze it. There's the domain separation I was talking about before at the KDF.
Yeah, and there are some things that are somewhat secure. There is replay protection, which is not quite protection, let's say, but messages created by open should be, oh, sorry, the encryption created by seal should be opened in order, as they were created, at the open part. This gives somewhat protection but nothing else.
So there are vulnerabilities. There's the key compromise impersonation, which means if the keys get stolen then, like, everybody who stole the keys can decrypt the messages; like, all the time, which were sent, they can be decrypted. And yet there is forward secrecy, which should be in somewhat secure, because it's not secure when the recipient is compromised, in any mode, but it is secure when the sender is compromised, because we are using ephemerals.
So as I said, there is no perfect system. HPKE's goal and focus are these: so the focus is message secrecy, export key secrecy, and sender authentication.
For the future, the project is proposed as an integration to Nettle, and implementation of the single-shot API, because for now it's only the multi-shot API available. And there are other systems which are already looking for HPKE, and these are the MLS and the ClientHello in TLS 1.3.
Here you can see some references: the draft and analysis of the protocol. I want to thank Daiki, my mentor. We were working on this together and he was a really good help. And yeah, thank you. So thank you for being here, and if you have any questions, you can ask them.
In general, it was a great session.
Please feel free to put a question in the Q&A section, if you have any. Let's wait for a couple of minutes, see if you have any questions.
Yeah, sure. I will update the slides on the schedule later on, sure.
Can you ping your, like, where he or she can connect with you