I am going to answer some long-standing open questions about the power of selective opening attacks. This is joint work with Mihir Bellare, Brent Waters and Scott Yilek. Selective opening attacks can be considered for many primitives, but commitment is the most basic and fundamental one, so I will start with that. A commitment scheme will be given by a single polynomial-time algorithm. The commitment algorithm takes a message M and some coins R, and produces a ciphertext C. In terms of usage, there are two phases. To commit to a message M, the sender picks some coins and produces the ciphertext. Later, he can open the commitment by sending the message and the coins to the receiver. The receiver then checks that the ciphertext was correctly generated. There are two security requirements. Hiding is a security guarantee for the sender, and it asks that the receiver should not learn anything about the message from the ciphertext. Binding is a security guarantee for the receiver, and it asks that the sender should not be able to generate a commitment that can later be opened to two different messages. We call this notion of security hide-and-bind security. Commitment schemes are a basic and widely used tool in cryptography. They are used, for instance, for zero-knowledge proofs. There are many constructions. To be more concrete, we recall some of the constructions, since our results apply to them, as well as to other constructions. The first one is the Pedersen commitment. A prime-order group and some generators G and H are public, and the commitment corresponding to some message M and some coins R is given by G to the power M times H to the power R. One can also use a collision-resistant hash function and a strong structure to obtain a commitment scheme. Our result will say that both these schemes are not selective opening secure. Selective opening security is a strong form of hiding, so we begin by recalling in more detail the standard hiding definition.
There should be some message distribution, and the security guarantee is that the adversary cannot figure out anything about the message other than what is implied by the message distribution itself. This is a semantic-security style definition and can be formalized by asking that there should be a simulator that doesn't see the ciphertext but does as well as the adversary. Selective opening attacks are about what happens in scenarios where there are many possibly related messages being committed to. So we introduce some vector notation. M is the vector of messages; the components may be related to each other. R is a vector of independent coins. We also use some shorthand notation for the operation of committing to many messages element-wise: we commit to the first message using the first coins, and so on, and C is the resulting vector of commitments. In order to better explain the difficulties in achieving selective opening security, we start with an example in which the difficulties are absent, namely selective opening with message-only openings. The challenger picks some messages according to the distribution D, and the adversary can select some set of the messages to be opened; he receives those messages but not the others. The security guarantee is that the adversary should not be able to figure out anything about the unopened messages, that is, anything besides what is implied by the distribution and the opened messages. The basic question there is: does hide-and-bind security imply selective opening security in this scenario? The answer is yes. The proof is a hybrid argument and exploits the fact that the adversary is not given proof of correct opening. But this is not the case of selective opening where the difficulties arise. So now we present the selective opening scenario in which we are interested, namely where the coins are also opened. The security guarantee that we want to achieve is the same.
Now the important question is whether hide-and-bind security implies selective opening security in this scenario. This is a long-standing open question: there was no proof of the implication, but also no counterexample. Our result for commitment is that there is some commitment scheme which is hide-and-bind secure but not selective opening secure. Okay, this answers the long-standing open question. But are the counterexamples artificial? Is it the case that all the real schemes used in practice are selective opening secure? In fact, not. Our result is much stronger: we prove that all commitment schemes that are hide-and-bind secure are not selective opening secure, in particular the schemes that we presented before. So given any hide-and-bind secure commitment scheme, we present an attack breaking the selective opening security. We have also investigated the problem for encryption schemes, and there we prove that there are some real encryption schemes that are not selective opening secure under coin openings, and also there are some real encryption schemes that are not secure under key openings. We will define this later. Okay, what was presented before? Now we have the technical explanation. In order to state the result, we need to see the definition of security in more detail. The security definition that we use is the one introduced by Dwork, Naor, Reingold and Stockmeyer. The real game goes as indicated previously, but now there is also a relation, and the adversary should output some string that satisfies the relation. The relation basically takes as input the adversary's output, the message vector, and the set of opened messages, and outputs a boolean. The adversary wins if the relation outputs true. But now there is also a simulator that plays the ideal game. The simulator doesn't receive any commitment, and then it should choose some set to be opened and should also generate some output that is checked by the relation.
The simulator also wins if the relation returns true. And we can define the selective opening advantage as the difference between the winning probabilities of both of them. A commitment scheme is said to be selective opening secure if for every efficient adversary A there is an efficient simulator such that the selective opening advantage is negligible. So our result basically assumes the existence of a collision-resistant hash function, and we take any hide-and-bind commitment scheme and show that there are some message distribution D, some relation, and some adversary such that all simulators will imply a high selective opening advantage. We should also stress that the messages that we consider are independently and uniformly distributed. We present an attack against the selective opening security. We should also highlight that we don't assume that the simulation is black-box. Okay, so selective opening security for commitment was first investigated by Dwork, Naor, Reingold and Stockmeyer. In a recent work, Hofheinz has shown some impossibility results for black-box reductions to standard assumptions. But this doesn't rule out the existence of such schemes, because the security reduction could be non-black-box, or a scheme could be reduced to some non-standard assumption. So our results are not about the difficulties involved in proving selective opening security; they are about the impossibility of obtaining such schemes. In particular, the schemes that we presented before are not secure. So we are not finding artificial examples; we are saying that the real commitment schemes used in practice are not selective opening secure. It was believed that the difficulty of achieving selective opening security was due to the fact that the messages could be related to each other. But in our case, they are not. So it was proved before that for independent messages, hide-and-bind security implies selective opening security, but in a restricted version of the security definition.
So our result implies that these will not extend to the full definition. So there is no contradiction. And okay, what about the random oracle model? We know that it's possible to obtain efficient schemes that are selective opening secure in the programmable random oracle model. Our result says that this is not possible in the standard and non-programmable random oracle models. So let's take a look at the previous separation results. Nielsen showed that for non-committing encryption, efficient schemes can be achieved in the programmable random oracle model, but not in the standard and non-programmable random oracle models. But our result is not about efficiency; it's about feasibility. In terms of feasibility separations, Dodis, Katz, Smith and Walfish proved a separation result for deniable authentication. Okay, we are presenting all the results for the one-shot scenario, but this can be extended if the messages are super-logarithmic in the security parameter. Okay, so the idea of the proof is the following. We use some collision-resistant hash function with output length h, and the challenger sets the number of senders to be 2 times h and picks independent and uniformly distributed messages. The adversary hashes the ciphertext vector to obtain some string, and he chooses the set of senders to be corrupted in the following way: he corrupts half of the senders, and basically the important point here is that the set of corrupted senders is an encoding of the hash output. This is the most important part here. Okay, and when he receives the messages and the coins, he just outputs all the ciphertexts that were received and the coins also. The relation basically recomputes the hash and checks two conditions: first, whether the set of corrupted senders was correctly generated; second, whether the openings are correct for the corrupted senders. Okay, so as specified, the adversary always makes the relation return true.
Now suppose that some simulator could also make the relation return true with high probability. We will show that this would imply that the simulator can be used either to break the collision resistance of the hash function or to violate the binding condition of the commitment scheme. The idea is to execute the simulator until the point where it selects the set of senders to be corrupted, and then run two different executions, sampling different message vectors. Okay, and we can use the reset lemma to relate the winning probability of the original simulator to the probability that both executions succeed and we have at least one message that is different in the opened positions. Okay, but if this happens, then either the ciphertext vectors are different, and this implies a collision in the hash function, or the ciphertext vectors are equal, and this implies a violation of the binding condition. Okay, I will now talk a little bit about selective opening attacks for encryption schemes. The problem first appeared in the context of encryption, but it was soon noticed that the core of the problem is that most typical encryption schemes are committing. So this led to the focus on the commitment problem that we just showed is impossible to achieve. But for encryption, it's possible to build efficient schemes. They have been built based on lossy encryption and deniable encryption, and also based on non-committing encryption, but in this case they are not efficient. Okay, but the basic question is still open: is it the case that all IND-CPA secure encryption schemes are also selective opening secure, or do we really need these specific constructions? I don't approve, for example. So, for instance, is ElGamal selective opening secure? So our result for encryption schemes is that there is some encryption scheme that is IND-CPA secure but not selective opening secure. In fact, it's much stronger.
We say that every committing encryption scheme is not selective opening secure. We define what committing means in the paper. So the result applies to ElGamal and most typical encryption schemes, so we are not finding artificial counterexamples. We should mention that there is also an indistinguishability-style definition of security for selective opening, and we will show some relations between these different notions. So our result implies that IND-CPA implies selective opening according to the simulation definition. It was already known that the simulation definition implies the indistinguishability one. The converse is not true because our theorem holds for independent messages, and it was also known that selective opening implies IND-CPA, but the important open question is whether IND-CPA implies the indistinguishability definition of selective opening security. In recent work, the relations have been further clarified, but this question is still open. Okay, in the context of encryption, we can also define the problem where the receivers instead of the senders are corrupted. In this case, the secret keys are opened instead of the coins, and we can formulate the problem similarly. And the question is also the same: does IND-CPA imply selective opening in this scenario? This question was also open, and we defined the notion of decryption verifiability. This is a weak form of robustness. For instance, ElGamal is not robust but is decryption verifiable, and we proved that all encryption schemes that are decryption verifiable are not selective opening secure under key openings. So this raises the question of whether it's possible to achieve efficient schemes in this scenario or not. Nielsen proved that any non-committing encryption scheme should have long keys, in the sense that the keys should be larger than the total size of the messages ever encrypted using the scheme. And we know that non-committing encryption implies selective opening under key openings, but the converse is still open.
So one could hope that it's possible to achieve some efficient scheme in this scenario. But there is an additional result: basically, schemes that are efficient and selective opening secure under key openings should have long keys. This is not in the abstract. Okay, so to finish I will repeat the results again. First, every hide-and-bind secure commitment is not selective opening secure. Every committing encryption scheme is not selective opening secure under coin openings. So we really need the schemes that are specifically designed to be selective opening secure. Every decryption-verifiable encryption scheme is not selective opening secure under key openings. And schemes that are selective opening secure under key openings should have long keys. Thank you for your attention.

We have time for questions. Thank you. So you showed that the schemes which are not selective opening secure are not artificial because they are actually... But should I repeat my question? Sorry. Alright, let me try again. You showed that schemes which are not selective opening secure are not at all artificial. My question is: the relation that shows that they are not secure, is that relation real? Is that one artificial? Sorry, I couldn't understand the question. Sorry, let me try again. Which relation do you mean? In order to show that these schemes are not selective opening secure, you needed to define this relation which makes it fail, right? Yeah. My question is: the schemes are not artificial; is that relation artificial? I mean, for the security definition you can consider any relation; that is the point. Yeah, I understand. Alright, forget it. Yes, please, in the back. This is for non-interactive commitment schemes; there are positive results for non-interactive... sorry, there are positive results for interactive ones. Yeah. So maybe taking the first question again, but perhaps trying to express it in a different way.
One of your conclusions on the previous slide is that because the existing constructions don't give you selective opening security, maybe you need new specially designed constructions that will. Yeah. But I guess maybe the question back is: is the notion of selective opening security actually correct, if it took such an artificial relation to prove it wrong? Do we really care about relations like that, or is the target too high? Does the definition need changing? I mean, the indistinguishability definition of security, for instance, is weak in the sense that it doesn't work for all message distributions. So, for instance, in my opinion a good question here is to investigate definitions that are in the middle between the simulation and the indistinguishability ones and see what happens there. Okay, if there are no more questions, let's thank Rafael again.
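As an added example, not from the talk or the paper, the attack and relation the speaker describes (hash the commitment vector, corrupt the set that encodes the hash, check the openings) instantiated in Python on a toy Pedersen commitment, together with the extraction step of the reset argument. The group parameters, SHA-256 as the collision-resistant hash, and h = 16 (so 32 senders) are assumptions.

```python
import hashlib
import secrets

# Toy Pedersen commitment in the order-Q subgroup of Z_P^* with P = 2Q + 1.
# The tiny parameters (and the fact that H = G^8) are assumptions for illustration only.
P, Q, G, H = 23, 11, 4, 9
HBITS = 16            # hash output length h (assumed); the attack uses n = 2h senders
N = 2 * HBITS

def commit(m, r):
    return pow(G, m, P) * pow(H, r, P) % P

def hash_bits(commits):
    # collision-resistant hash of the commitment vector, truncated to h bits
    d = hashlib.sha256(",".join(map(str, commits)).encode()).digest()
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(HBITS)]

def encode_set(bits):
    # bit i of the hash picks which sender of the pair (2i, 2i+1) is corrupted,
    # so the corrupted set is an encoding of the hash output
    return frozenset(2 * i + b for i, b in enumerate(bits))

def relation(out, messages, corrupt):
    # out = (commitment vector, {i: (m_i, r_i)} openings of the corrupted senders)
    commits, opened = out
    if encode_set(hash_bits(commits)) != corrupt:        # set correctly derived?
        return False
    return all(i in opened and opened[i][0] == messages[i]   # openings correct?
               and commit(*opened[i]) == commits[i] for i in corrupt)

def real_game():
    # challenger: independent uniform messages and coins; adversary as in the talk
    msgs = [secrets.randbelow(Q) for _ in range(N)]
    coins = [secrets.randbelow(Q) for _ in range(N)]
    commits = [commit(m, r) for m, r in zip(msgs, coins)]
    corrupt = encode_set(hash_bits(commits))              # adversary's choice
    opened = {i: (msgs[i], coins[i]) for i in corrupt}     # challenger opens them
    return relation((commits, opened), msgs, corrupt)      # the adversary always wins

def extract_break(corrupt, out1, out2):
    # Reset argument: two relation-satisfying outputs for the same corrupted set
    # that open different messages give a hash collision or a binding violation.
    (c1, o1), (c2, o2) = out1, out2
    if c1 != c2:
        return ("collision", c1, c2)
    for i in sorted(corrupt):
        if o1[i][0] != o2[i][0]:
            return ("binding", i, o1[i], o2[i])
    return None
```

real_game() returns True on every run; extract_break is the step the reduction applies to two successful simulator executions that share the corrupted set, which is exactly what a simulator that never sees the commitments cannot avoid producing.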