Okay, thank you for the introduction. The construction of public key encryption schemes which are both efficient and secure has been a fairly successful research area, and we have a number of efficient, concrete schemes. A very practical and efficient approach to the construction of these is hybrid encryption. And in a hybrid encryption scheme, we have two components. We have a key encapsulation mechanism, a KEM, and a data encapsulation mechanism, which we call a DEM. And a KEM is defined by these algorithms, and it will allow the encryptor to compute an encapsulation of a random key K, and it will then later allow the decryptor to recover this key from the encapsulation. The DEM is simply a symmetric key encryption scheme, and when you combine these two components in the obvious way, you will obtain a public key encryption scheme. Now if the KEM is IND-CCA secure, and the DEM is one-time CCA secure, we will obtain an IND-CCA secure encryption scheme. Alternatively, we could use a slightly weaker KEM, and if this is constrained CCA secure, then we will have to use an authenticated DEM to achieve IND-CCA security. So in this talk, I'm going to focus on the problem of minimizing ciphertext overhead. And in a hybrid encryption scheme, the ciphertext overhead is dominated by the KEM, so we are going to focus on the KEMs. And this is a table of the currently most efficient KEMs defined in prime-order groups. We can see that we can obtain IND-CCA security based on a non-interactive assumption with an overhead of three group elements. If the KEM is only required to be constrained CCA secure, then we can reduce the overhead to two group elements. And if we are willing to go to interactive assumptions or groups in which we have a pairing, then we can obtain full IND-CCA security with an overhead of two group elements.
So looking at this table, it seems fairly natural to ask: is it possible to construct a KEM which is IND-CCA secure and which has a ciphertext overhead of less than two group elements? And we might hope that it's possible to construct a KEM which has an overhead of just a single group element and some short string. Let me try to motivate that idea. Here's the Cramer-Shoup KEM, which has an encapsulation consisting of three group elements. In this KEM, the decapsulated key is only going to depend on the first group element. And the remaining group elements in the encapsulation are just used for checking validity. If you want to compress the ciphertext overhead of this scheme, we might look for a way to do a more efficient validity check. And we might, for example, try to apply a hash function to a part of the encapsulation. And if the output of this hash function is less than a group element, we will have reduced the ciphertext overhead. The question is, of course, will the scheme remain secure when we do this? And in this particular case, if we assume that H' is a target collision-resistant hash function, it is actually still possible to prove the security of this KEM based on the DDH problem. This is actually slightly surprising, but we would like something that is more efficient. This will reduce the overhead by approximately half a group element. So let's consider the Hofheinz-Kiltz KEM. This KEM will have an encapsulation of just two group elements. And we might want to apply, or try to apply, a similar trick. And we can hope that the resulting KEM will still be secure. However, what we are showing is that this type of KEM cannot be proven IND-CCA secure, assuming you want a black box reduction and a non-interactive problem.
So more specifically, what we show is that there is no algebraic black box reduction from the one-way CCA security of a class of KEMs with ciphertext consisting of just a single group element and a string to the hardness of a non-interactive problem. And let me try to go through some of the details of this statement. First of all, the class of KEMs we consider consists of KEMs defined in a prime-order group. And we assume that the public key consists of a number of group elements and some auxiliary information which is assumed not to contain any group elements. And by small y, we are going to denote the discrete logs of the group elements in the public key. This may or may not correspond to the private key of the KEM. We then consider an encapsulation which consists of a single random group element and a string which is output by this function f tilde. And the corresponding encapsulated key should be derived in some algebraic way from the public key. Now, these functions f0, fi, and f tilde are assumed to be scheme-specific. And the only requirement here is that they are efficiently computable. So a decapsulated key is assumed to be of this form. And again, the psi 0 and psi 1 functions are assumed to be scheme-dependent. But in this case, we assume that they are linear in the values y1 to yn. And assuming that this KEM should be correct, satisfy correctness, this is actually a very mild assumption. Lastly, we assume that the last component of the encapsulation can be recomputed if you know the y values. So we believe this is an interesting class of KEMs since it captures a lot of the structure of the existing KEMs which are defined in prime-order groups. So the type of security we consider for this KEM is one-way CCA security. And let me just briefly remind you how that is defined. We consider an adversary which is given access to a decapsulation oracle. And given a challenge encapsulation, he will produce a key.
And we define the advantage of this adversary as the probability that the key he produces actually corresponds to the encapsulated challenge key. So the non-interactive problems I referred to are assumed to satisfy the following description. We have three algorithms: an instance generator which will generate a problem y and a witness w. And then we have a verification algorithm which, given a solution x, a problem and a witness, will either output accept or reject. And then we have a trivial solution algorithm which, given a problem, will output a solution. Now we define the hardness of a non-interactive problem by considering an adversary which, given a problem, will output a solution. And we say that he wins if this is a valid solution that is accepted. And we define the advantage of this adversary as the probability that he wins minus the probability that this trivial solution algorithm wins. So he needs to be better than the trivial solution algorithm to have an advantage. So the problems we can capture with this definition are essentially all the problems which we normally use to base the security of KEMs on. But we can actually also capture the IND-CCA security of a KEM with this definition. So lastly, we need to consider the reductions, and the type of reductions which we consider are black box reductions. And in our case, if you have a black box reduction from the one-way CCA security of a KEM to a non-interactive problem, it means that we have an oracle probabilistic polynomial time algorithm such that for any adversary, and this might be an inefficient adversary, it's not required that he's polynomial time, if it's true that he has a non-negligible advantage in attacking the KEM, then the reduction should have a non-negligible advantage in solving the problem P given oracle access to this adversary. This is also known as a fully black box reduction. So lastly, we require this reduction to be an algebraic algorithm.
Consider an algorithm which is given as input some group elements and uses randomness R and then produces another group element. Then we say that this algorithm is algebraic if there exists an extractor which, given the same input, produces a description of Y in terms of the original input group elements. So I have to emphasize that it is the security reduction which we assume is algebraic. This is not an assumption which you make about an adversary. I also want to highlight that the security reductions of the existing KEMs are in fact algebraic. So this doesn't seem like an overly restrictive assumption. So given this, hopefully it's slightly more clear what we are actually showing. So let me just restate our main theorem. For all the KEMs in this KEM class which I defined and for all the non-interactive problems satisfying the description I gave: if P is hard, if the problem is hard, then there is no algebraic fully black box reduction from the one-way CCA security of the KEM to the problem P. And the way we show this is by using an oracle separation. We couldn't actually show this using just a single oracle. So we have to rely on a distribution of oracles. So our main theorem is based on the following lemma. Assume we have an oracle distribution, denoted by this cloud, such that for all the KEMs in our KEM class there exists an algebraic adversary such that, when we draw an oracle from this distribution, the expected advantage of the adversary in attacking the KEM is not negligible when he's given access to this oracle. So furthermore, assume that for the problems in our non-interactive problem class and for all algebraic algorithms which try to solve these problems there exist simulators such that, when we draw an oracle from the distribution, the expected advantage of this algorithm in solving the problem is bounded by the advantage of these simulators.
If those two conditions are true for this oracle distribution, we can conclude, and we show this in the paper, that there cannot be an algebraic and fully black box reduction from the one-way CCA security of the KEM to the problem P. And to use this lemma we of course need to define this distribution and then define our KEM adversary and lastly define these simulators. So the very basic idea here is that we are going to define an oracle which essentially breaks the KEM, which makes this adversary trivial to define, and then we are going to use the algebraic properties of this algorithm to essentially simulate the oracle when showing this bound. Unfortunately I don't have the time to go into all the details of this, but please have a look at the proof in the paper for these. And if you do look at the proofs in the paper you will discover that the statement which we can actually prove is slightly stronger because of the way we define the KEM attacker. More specifically, if we assume that the public key contains n group elements we can rule out a reduction from the bounded one-way n-CCA security of the KEM to the non-interactive problem. And in a similar way we can use the equivalence between non-malleability and indistinguishability under a single parallel decryption query to obtain the result that you cannot have a reduction from the non-malleability of the KEM to the non-interactive problem either. So these are just small enhancements of the theorems which you can derive from the way we actually prove the main theorem. So let me say a little bit about programmable hash functions as well, because these results have some implications for these. These programmable hash functions were introduced by Hofheinz and Kiltz, and they are fairly useful because they provide a level of programmability in the standard model which we normally only have in the random oracle model, or at least a flavor of programmability.
And the main application for these was short signatures, but there might be many other applications. So what we are showing is that if you have a poly-k programmable hash function, and this essentially indicates the level of programmability you have for the programmable hash function, if you have one of these you can construct a KEM which is IND-CCA secure based on the decisional Diffie-Hellman problem. And this KEM will have an algebraic black box security reduction and it will have a ciphertext overhead of just a single group element. So this actually fits the description of the previous impossibility result. So this type of KEM shouldn't actually exist. So what we can conclude is that there cannot exist an algebraic poly-k programmable hash function in a prime-order group, because that would contradict our impossibility result. Playing around a little bit with the bounded IND-CCA security of this KEM we define, we can actually get a slightly more detailed, or slightly stronger, statement. And that is, for any n and any k, there exists no algebraic (n, k)-programmable hash function which has a hash key containing less than n group elements. So it kind of creates a bound for the length of the programmable hash function, the hash key if you like, yeah? So to sum up, we have shown that there exists no algebraic black box reduction from the one-way CCA security of a class of KEMs to a non-interactive problem, and we believe that this class is fairly interesting since it does seem to capture a lot of the structure of the existing very efficient KEMs. So it's kind of indirectly saying that perhaps the existing techniques for proving these KEMs secure cannot be used if you want to compress the ciphertext overhead further. And this has some implications for programmable hash functions. This work leaves a lot of open problems.
For example, you might be interested in trying to show whether or not it's possible or impossible to have an IND-CCA secure KEM which is defined in a standard prime-order group which doesn't have any pairings and which will be based on a non-interactive assumption but still has a ciphertext overhead of just two group elements. It's also an open problem to extend the results to constrained CCA security. Our current result is actually only for the ordinary CCA security. But after having looked at this for a little while, we believe, or it seems, possible to simply extend our results to also cover the constrained CCA security case. And lastly, our class of KEMs assumes that the key is actually a group element. So it doesn't capture the KEMs which are making use of key derivation functions. We have a small discussion of what we might be able to conclude about these in the paper. So if you're interested in this, please have a look at the paper. There's a very brief discussion about this. So this was all I wanted to tell you, so thank you for your attention.
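The KEM/DEM composition and the Cramer-Shoup validity-check compression described at the start of the talk, as an added example that is not part of the talk or of the paper it presents. It implements the Cramer-Shoup KEM structure the speaker describes (the key depends only on the first group element u1; u2 and v exist only for the validity check) in two variants: the original encapsulation (u1, u2, v), three group elements, and the compressed one that sends H'(v) truncated to a short tag, two group elements plus a string. Everything concrete here is a demo assumption: a toy 32-bit safe-prime subgroup (far too small for real use; it exists only so the code runs quickly offline), SHA-256 standing in for H, H' and the key derivation, a 4-byte tag, a constructed RNG seed, and a minimal one-time encrypt-then-MAC DEM. The hybrid scheme is the two components combined in the obvious way; decapsulation rejects encapsulations that fail the check, which is what the IND-CCA argument for this KEM rests on.

```python
import hashlib
import hmac
import random

def is_prime(n):  # trial division: enough for the toy 32-bit parameters used here
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def gen_group(bits):
    """Safe prime p = 2q + 1 and two generators of the order-q subgroup of Z_p^*."""
    while True:
        q = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            break
    p = 2 * q + 1
    g1, g2 = (pow(random.randrange(2, p - 1), 2, p) for _ in range(2))  # squares have order q
    return p, q, g1, g2

class CramerShoupKEM:
    """Encapsulation (u1, u2, tag): the key depends only on u1, (u2, tag) is the validity check.
    tag_len=None sends v itself (three group elements); tag_len=t sends H'(v) cut to t bytes."""

    def __init__(self, bits=32, tag_len=None):
        self.p, self.q, self.g1, self.g2 = gen_group(bits)
        self.n = (self.p.bit_length() + 7) // 8  # bytes per group element
        self.tag_len = tag_len

    def _hash(self, label, *xs):  # SHA-256 stands in for H, H' and the key derivation
        return hashlib.sha256(label + b"".join(x.to_bytes(self.n, "big") for x in xs)).digest()

    def _alpha(self, u1, u2):
        return int.from_bytes(self._hash(b"alpha", u1, u2), "big") % self.q

    def _tag(self, v):
        return v.to_bytes(self.n, "big") if self.tag_len is None else self._hash(b"check", v)[:self.tag_len]

    def keygen(self):
        p, g1, g2 = self.p, self.g1, self.g2
        x1, x2, y1, y2, z = (random.randrange(1, self.q) for _ in range(5))
        c = pow(g1, x1, p) * pow(g2, x2, p) % p
        d = pow(g1, y1, p) * pow(g2, y2, p) % p
        return (c, d, pow(g1, z, p)), (x1, x2, y1, y2, z)

    def encap(self, pk):
        c, d, h = pk
        r = random.randrange(1, self.q)
        u1, u2 = pow(self.g1, r, self.p), pow(self.g2, r, self.p)
        v = pow(c, r, self.p) * pow(d, r * self._alpha(u1, u2) % self.q, self.p) % self.p
        return (u1, u2, self._tag(v)), self._hash(b"kdf", pow(h, r, self.p))

    def decap(self, sk, enc):
        x1, x2, y1, y2, z = sk
        u1, u2, tag = enc
        p, q = self.p, self.q
        if not all(1 <= u < p and pow(u, q, p) == 1 for u in (u1, u2)):
            return None  # outside the order-q subgroup
        a = self._alpha(u1, u2)
        v = pow(u1, (x1 + y1 * a) % q, p) * pow(u2, (x2 + y2 * a) % q, p) % p
        if not hmac.compare_digest(tag, self._tag(v)):
            return None  # validity check failed: reject without deriving a key
        return self._hash(b"kdf", pow(u1, z, p))

def _stream(key, data):  # SHA-256 in counter mode; the key is one-time, so no nonce
    ks = b"".join(hashlib.sha256(b"enc" + key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def dem_encrypt(key, msg):
    """One-time authenticated DEM: encrypt-then-MAC with HMAC-SHA256."""
    body = _stream(key, msg)
    return body + hmac.new(b"mac" + key, body, hashlib.sha256).digest()

def dem_decrypt(key, ct):
    body, mac = ct[:-32], ct[-32:]
    if len(ct) < 32 or not hmac.compare_digest(hmac.new(b"mac" + key, body, hashlib.sha256).digest(), mac):
        return None
    return _stream(key, body)

def demo(msg=b"hybrid encryption demo"):
    """Hybrid encryption with both KEM variants: round trip, rejection of a
    modified encapsulation, and ciphertext overhead in bytes."""
    random.seed(2012)  # constructed, deterministic demo randomness
    out = {}
    for name, tag_len in (("full", None), ("hashed", 4)):
        kem = CramerShoupKEM(32, tag_len)
        pk, sk = kem.keygen()
        enc, key = kem.encap(pk)      # KEM: random key K and its encapsulation
        ct = dem_encrypt(key, msg)    # DEM: the payload under K
        key2 = kem.decap(sk, enc)
        u1, u2, tag = enc
        bad = (u1, u2 * kem.g2 % kem.p, tag)  # still in the subgroup, but fails the check
        out[name] = dict(roundtrip=None if key2 is None else dem_decrypt(key2, ct),
                         rejected=kem.decap(sk, bad) is None,
                         overhead_bytes=2 * kem.n + len(tag), elem_bytes=kem.n)
    return out
```

`demo()` returns, for each variant, the decrypted message, whether a modified u2 was rejected, and the KEM overhead: three element widths for the full variant versus two element widths plus the tag for the hashed one, which is the "half a group element" saving the talk mentions when the tag is about half the element width. The example shows the structure and the overhead accounting only; it says nothing about the security proof, which for this particular KEM the speaker notes still goes through under DDH with a target collision-resistant H'.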