 Okay, let's start the next session, the fourth session on post quantum cryptography. So the first talk in the session is about the anonymity of NIST PQC round three camps by Keita Xagava. Yeah. Thank you for introductions, can you hear me? Yes. Okay. Let me start. Thanks. So thank you for the introductions, I'm Keita Xagava from entity to social informatics laboratories. So today, so I want to talk about anonymity of gems in NIST PQC standardization, following the Maram's talk. Let me first talk about the background. So we know that several companies and organizations have been developing quantum computers. So for example, so Google, IBM and the UCSD and so on. So they constructed the approximately 100 physical qubits quantum machines. So Google plans to develop one million physical qubit machine in 2030. And IBM plans to develop force for certain physical qubit machine in 2025. And we also know that the showers algorithm serves the factoring program and the distributed algorithm program in polynomial time over quantum machines. And in addition, so according to Disney and Echara's estimations. So if the error rate is 0.1% and it runs with about one kilohertz, then so it can factor as a 2048 bit RSM modulus by using the 20 million physical qubits in eight hours. So thus, so if adversary has efficiently has a chance to scalable quantum computers, so then the current public key cryptography will be broken. And the countermeasures in the right hand side. So the one promising countermeasure is a post quantum cryptography, so PQC in short. So therefore the NLST in the US have been standardized and PQC is primitives. So here, so we have the chems and the signatures. So key encapsulation mechanism and the signatures. So four chems, so they select the four finalists and five alternates in the left hand side. So while NLST needs to say that they would announce the result in March, but we don't know yet the result yet. So the standard, so here so we consider the security of the chems scheme. And the standard security notion for PKE and chem is indistinguishability against a chosen cyberattacks attack, so the left hand side. And all new PQC run through chems achieves industry security in the random local model, classical random local model. So roughly speaking, so the industry security implies that we cannot distinguish a ciphertext to the real key and the random key. So this case is a real key and the K1 is a random key in the chem context. So unfortunately, the industry security doesn't imply the recipient's privacy. So for example, so let us consider the chems scheme for the ciphertext contains a public key. So in this case, so it can achieve industry security, but such ciphertext apparently reveals the recipient. So therefore, so we consider anonymity, so it's an anonymity against the chosen cyberattacks attacks. So this captures the privacy of recipients because so if the adversary, so two encryption key, EK0 and EK1, but so it cannot distinguish which encryption key is used to generate ciphertext and key. So this is defined, this defines the anonymity of chems scheme. So they have a lot of applications of anonymity, for example, anonymous credential and auction and anonymous authenticity encryption and so on. So privacy enhancing technologies. So we have natural question of whether the chem candidates of NIST PQC run through achieve anonymity, this anonymity is a quantum random model, so because we consider the PQC. So this is the summary of the result in Grabs, Maram and Pedasone, so in this eurocrypt. So they study natural question obtained the following tables. So they show that the variant of FRO, this FRO with implicit rejection has anonymity. And so it reads robust hybrid PKEs. But unfortunately, so there's a lot of problems on the four finalists. So for example, so classic merciless doesn't have anonymity and the kyber and the sabre has no anonymity results and the N2 has no anonymity results. So they fortunately shows that for the chem, it satisfies the industry security in Qrom and anonymity in Qrom and collision fridges in Qrom and the PKE, the results hybrid PKE is also satisfied anonymity, but unfortunately, so we don't know nothing for finalists or anonymities. So what's the problem? So the problem is, so roughly speaking, so we need to simulate two decapitulation work and decryption work. So in the case of classical merciless, so they have an obstacle that the classical merciless is not collision free. And in the N2 case, so N2 uses a 6-5, so which uses H over M to generate key. So this is an obstacle to apply their techniques. And in addition, so they find that the tricks of refuel in kyber and sabre are obstacles to showing their anonymity and even their industry security. So that's according to this table. So we know nothing on anonymity of four finalists or N2 PKE strands. So following Grabs et al. study, so we show that the following result. So we use a strong shooter randomness instead of anonymous anonymity. So at first, we show that the strong shooter randomness, it immediately implying anonymity. And the next, so we show that for chem demo frameworks for strong shooter random hybrid PKEs. So roughly speaking, so we show that SPRC came with implicit rejection as some additional property implies that such SPRC hybrid PKE and then so we have anonymous PKE, hybrid PKE. So on robustness, we omit the details, but we can use the robustness results of Grabs et al. And third, so we show that the strongly distanced simulator will PKE implies so SPRC such strong shooter and chem schemes. And then so forth. So we apply them to N2 PKE and 3 chem. And then we obtain this result. So fortunately, so we show we can show that the anonymity of classical marketplace and the anonymity of hybrid PKE. But so as today some alarm sets that so it fails to achieve a robustness of PKE. And we show that N2 like this one and the bike, HQC and N2 LP N prime and the cycle. So unfortunately, so HQC, one parameter of HQC doesn't achieve the anonymity also because it makes the parity of the increase point key. And so additionally, so we note that so the Dunn-Bernstein pointed out that the problems would be solved if you employ the Chandrith quantum indifference entity on that's a combination of random markers. But we I didn't check the details, but this is a promising approach to show to fill out this question mark by yes. Mark. Okay, so because of the time limitation, I want to talk about the point one and point three. Okay. In order to do so, so I want to review SXY. So SXY is a conversion from a deterministic PKE into the industry check-in scheme. So let us consider a deterministic PKE gen and NG and DEC. And we say that PKE is strongly distraint simulatable. So if the random, our cipher takes to the random plane takes this one, it's in this computationally indistinguishable from a cipher test generated by simulator. And in addition, so we require that such a cipher test generated by simulator isn't really lies in a cipher test space of this one. So that is so we require to this, this or this. So by using such a deterministic PKE, so chem scheme is defined as flows. So in the gen of the game, we first designate the encryption key and the decryption key by using PKE's gen. And then we additionally choose this random sheet. So in encapsulation, we, it randomly selects this plain text and it encrypts the same by using the EKE and obtain the CT and for a session key of the chem scheme. So it computed K as this H of M and then returned it, returned cipher text and K. So in the encapsulation, so receiving a cipher text, it first compute the M prime at the decryption result. Then so it, if the receiving cipher text is a re-encrypted M cipher text, then so it's output K as a hash of M prime. So otherwise, so it's output random, should random this K. So this is a SXY. So in order to, so the main problem of to show industry security, so we need to simulate a decapitation work of chem. So in order to do so, so SXY using this approach, so they define the hash of M as another hash of Q of encryption of EKE and M. So by using this approach, so we can simulate decapitation work as a HQ of cipher text. And in addition, so if we replace a real cipher text with cipher text generated by simulator, so then this will be looks random from the adversary. So by using this approach, these facts, so SXY proves industry security of chem scheme as follows. So we want to show that this line is equal to this line, commutationally distinguishable, this line. So in order to do so, we constant hybrid games between these three hybrid games. And so we can show that at first we replace the decapitation work with H of Q by simulating decapitation work. Then so we can replace this cipher text with simulate cipher text generated by simulator. Then so we can, we can show that this K, real K is indistinguishable from random K. Then so replacing by using a reverse approach. So we obtain this final line. So this is a fact SXY did in to show the industry security. So by using this approach, so let us consider the facts, graphs and Malam and Peters on this. So let us consider the apply, grab set words approach to show that ANOCCA security on SXY. So in the case, so we need to simulate to decapitation work, since we don't know DK0 and DK1. So therefore, so in order to do so, so GMP, I use as a modifying the hash function as this one, K as this one. So instead of H of M, so they use the H of M and C. And so they define H of M, C as H, I of C, if encryption of E, K, I and M is a input cipher text. And otherwise, so it are to put H of Q, HQ of C. So by using this definition, so the decapitation oracle for DK0 is a simulated binary, this H0 of CT and the decapitation oracle for DK1 is a simulated binary H1 of CT. Well, this is a grab set words approach. So unfortunately, so there's a problem. So this, this simulation require a weak robot robustness. So this means that the underlying PK, so with this green PK is collision-freeness. So therefore, so we cannot apply this approach to the classical, classical, classical market is, because classic market is, is not collision-free. And in addition, so to show anonymity, so we need to modify this H, H of M instead of, so we need to modify H of MC instead of H of M. So since M2 uses the original XS quite, so this is another obstacle to show the anonymity of M2. So we sort of, this problem by you considering a strong shield randomness. So here, strong shield randomness means that this cipher text, pair of cipher text K, generated by real encapsulation is indistinguishable from a cipher text generated by simulator and the K chosen from random. And this, so this is a recap of chemist anonymity. So in order to do, in order to show anonymity, ANOC security, so we want to show that this and this is a computational indistinguishable, so we consider two hybrid games. So, and so in the first two lines, computation indistinguishable also because of strong shield randomness on EK0. And then so we here, so we can use DK1. And in this line, so we use DK0. But so this switch of decapitation key is a computational statistically indistinguishable. Then so we replace this cipher text and K as a real one generated by EK1. So this is justified by the strong shield randomness on EK1. So therefore, so we can show that this SPRCCA immediately implying ANOCCA in the chem case. So we want, therefore, so we want to show SXY implying the SPRCCA security. So in order to do so, so we, we back to the industry security of SXY. So this is a SXY approach of hybrid games. And so we want to show that SDS, Strong Distant Simulatability implying the SPRCCA security of the chem scheme. So therefore, we want to show that this is computationally indistinguishable, this one. So then so we recall that the industry security hybrid games of industry security. So then we obtained this one and the next game and third game, this game. So now seeing this game and this game. So the difference is how to simulate decapitation or code. So in this game, so we use the H2 of Q, but in this game, so we use the real DK, but apparently so we can replace this one and this one because we define, so, because so this is a corresponding to this approach. So therefore, we just obtain this SPRCCA security as a industry security of SXY. Okay, let me wrap up. So this is summary. So we show that, so in order to consider anonymity, so we first intermediate security notion, so strong-shoot randomness. So then so we first show the strong-shoot randomness implies anonymity. Then so we construct the Camden framework for such SPR hybrid PKEs. And fortunately it's on robustness, so Grabsite World already shows that, show such hybrid Camden framework. And then so we use such robustness framework. Then so to construct such SPR-CCC chem schemes, so we consider an SXY and HU and HU and so on. Then so we can show that strong-read simulator PKE implies SPR-CCC chem schemes. Then we apply them to NIST PQC land-free chems to obtain these tables. So as an open province, we have two open province. The one is showing SPR or strong-shoot randomness or anonymity of Kaibara, Saber, and the Sturdy Brand N2L Prime without the quantum indifinitability. So this is an open province by Grabsite World. And then the second open province is showing strong-shoot randomness or anonymity of a flow, tightly as a, so because we obtain such tightly indecisive security in the two quantum random models in being there at war and the Kuchitai at war. Thank you. Any questions for the speaker? Okay, let's thank the speaker again and proceed with the next talk.