Okay, great. So the next paper is on Anamorphic Encryption: Private Communication against a Dictator, by Pino Persiano, Duong Hieu Phan and Moti Yung, and Pino will give the talk.
Thank you. Thank you for being here. Almost the last session. Okay, so this is anamorphic encryption, it's work with Hieu Phan and Moti, who is not here. Okay, so let's see how this works. Okay, so privacy is a basic human right. And, okay, it's in the United Nations Declaration of Human Rights. It's very well taken as a basic human right in most countries. And cryptography, we are proud to have done, you know, been very successful in providing tools for encrypting. So for example, just to mention one, it's the Signal protocol and the app which most of us have on the cell phone, which will give us some degree of privacy communication. But we observe in this paper that the success of cryptography in protecting privacy relies on two assumptions that are very, you know, they are quite obvious, we take them for granted, but they might be challenged in a dictatorship. Okay, so bear with me for two slides. These are quite obvious. First of all, so encryption guarantees privacy of the message only with respect to parties that do not have access to the secret key, obviously. Okay, this is codified in the IND-CPA game. And the assumption is that the receiver, the owner of the secret key, is able to keep the secret key in a private location. Okay. The second observation, with an ensuing assumption, is that the ciphertext carries the message that was encrypted, not the message that the sender wished to encrypt, obviously. And the assumption is that the sender is free to pick the message to be encrypted. So we have these two assumptions: that you can keep your key secret and that you are free to pick the message to encrypt.
Okay, so why is this a problem? You know, most of our results are conditional anyway, so maybe, you know, this is a classical theorem from a textbook: instead of saying, you know, assume existence of one-way functions, then you say, oh, assume existence of one-way functions and receiver privacy, then there exists a secure symmetric encryption scheme, something like that. So we have two assumptions: one-way functions, and we just make explicit the ability to hide my key. Okay, the problem is that the two assumptions are quite different in nature. The first assumption, existence of one-way functions, derives from our understanding of nature. And it's something that, if true, is going to be there, and it's enforced by nature and nobody can do anything about this. And if it's false, if there are no one-way functions, then there are no one-way functions for anyone. Okay. The second assumption is enforced by political power, in the sense it can be changed by law and decrees. Like, you know, if I became a dictator I could issue a decree and say, oh, it's illegal for you to hide your secret key from me. And then, in this sense, it changes, but not for everybody, just for some of us, but not for all, and especially it will create an asymmetry between the dictator and the regular citizens. So this is the difference between laws of nature, like existence of one-way functions, and normative prescriptions. Okay. So, both assumptions are realistic in normal settings, I'll elaborate a little bit more on this. And so no wonder, since we live in good countries in a sense, you know, most of cryptography has been developed under these assumptions.
But this is not always true, like in a dictatorship. There is a very famous XKCD cartoon which I think most of us know that, you know, let's say, this is what the crypto nerd's imagination says: oh my god, it's encrypted with RSA, it's going to take, you know, millennia to break. And then the guy on the right: that's okay, just hit him on the head until he gives you the secret key. This is what, you know, that's what we think we are, and on the right that's what we want to achieve: even if someone is going to hit us on the head with the wrench, then we're not going to surrender the key, or if we do, that will be useless. That's for receiver privacy. Also for sender freedom, citizens might be invited to send some messages. Like for example, I don't know if you have followed, there was a case, which is not clear, about a tennis player who sent messages to the president saying that she's fine, but it's not clear if that message was a real message or was something she was invited to send. Okay. The case is clear for dictators, but also in what I call the regular countries, or other countries, there has been an ongoing thread of activities that tried to regulate, limit, cripple encryption, and this became more or less evident in the mid 90s with the Clipper chip initiative by the US, and this goes under the name of crypto wars. There is this war between mostly law enforcement that, you know, they fear that encryption will give an advantage to the bad guys, and they want somehow to limit and regulate the use of encryption. And in fact, there has been a lot of work in the community. I'll just mention two: you know, the earliest work that I'm aware of, it's by Silvio Micali in 92 about fair cryptosystems. And there is, from last Eurocrypt, this work about ARLEAS, and they try to use cryptographic tools and normative prescriptions to try to, you know, limit the use, but under the rule of the judiciary.
The problem is that in the dictatorship, there is no independent judiciary system. So there is no one where the police or the dictator should go and get, you know, a warrant and say, okay, now you are going to give me your keys. And it's not clear that if we put these schemes in place, then maybe the political regime will change and then we'll give a very strong tool to the dictator. The concept of crypto wars is also related to kleptography, a concept invented by Adam Young and Moti Yung. And also there is a very related stream of work on subvertible encryption, which actually tries to address the dual problem that we're trying to address. Okay, so how can we fix this? Suppose that we want to give tools that can be resistant to dictators. Of course, and this is the first observation, we cannot just come up with a new scheme, because then what is the dictator going to do? Suppose that I come up, okay, there is this Crypto paper and, you know, dictator, this Crypto paper gives you an encryption scheme which, you know, even if you try to get the secret key, even if you force me, we can get around. The first thing the dictator will do is going to make this scheme illegal. Okay, so rather, we should look at the existing schemes and show that these schemes as they are, they can be used as they are, or modified in an undetectable way, can be used to get around these two problems. Indeed, existing schemes cannot be disallowed because they've been already deployed and there are some legitimate uses, but even if he wants to disallow the schemes, then we'll make the dictator really register to every Eurocrypt and Crypto to check what we've been doing and then keep a list of what is going to be, which is very inconvenient if you're a dictator. At least that's what we hope. So what is our approach? Let's look at the receiver privacy, receiver privacy when you get hit on the head, okay, to surrender your key.
So, there are two constraints: the dictator has the secret key, and he can decrypt and read the message, but, okay, this works in our favor, only messages that are being encrypted with the key that is given to the dictator. Our approach is to have, to dream of something like a ciphertext that is actually associated with two keys. And the ciphertext carries two messages, one with respect to each of the two keys, m zero and m one. And in a sense, there is no second key. In a sense, that's at least what the dictator thinks, that there is no second key. And that's what we can quite easily deny, that there is such a key. I'll just give you an example right now. This example also appeared under different names in the literature. Like for example, it's in the work by Bellare, Paterson and Rogaway in Crypto a few years ago, and it's for the dual problem, for subvertible encryption. And it also appeared very recently in this work in Innovations in Theoretical Computer Science by Horel, Park, Richelson and Vaikuntanathan. Okay, we know. Okay, so just take any encryption scheme. Okay, this is the normal mode. I don't have to go through the bullets because that's what we have now. Suppose that Alice wants to send a message, you know, glory to our leader. Okay, but she wants, just for the sake of this example, she wants also to send... No, that's Bob. Bob wants to send one bit to Alice. Okay. So how does he do it? Okay. So Alice and Bob share a seed K for a pseudorandom function. So when Bob sends the message glory to our leader, he keeps sampling ciphertexts until he gets a ciphertext that evaluates to the bit that he wants to send under the shared seed. Okay. As you can see, this is going to work because, you know, that's just a regular, just think of it as AES, for example, for secret key, or, you know, I don't know, whatever, you know, RSA-OAEP.
And the dictator just sees normal communication, and even if Alice surrenders the key for the encryption scheme, then, you know, the dictator will see, oh, glory to our leader. And if the dictator says, oh, okay, no, no, give me the seed that you shared with Alice... with Bob, Alice could say, you know, what seed? There is no seed. Okay, I'm just using AES, I'm just using RSA-OAEP. Okay, so this is a feasibility in a sense, that what we're dreaming of actually exists. Yeah, this is a theorem. And of course there are some restrictions, as you can imagine: it can be extended to any length, you just keep sampling, but of course this is going to be exponential, the expected time is going to be exponential in the length. We call it receiver anamorphic. Why? Because, you know, there is a normal mode and an anamorphic mode. Anamorphic images are those that, you know, give you different images depending on the angle on which you look at them. Okay, so for the dictator it's the normal mode, for Alice and Bob there is the anamorphic mode, so we call them receiver anamorphic, and then there will be sender anamorphic to address the second problem, the sender freedom. In fact these are our two technical contributions: we're going to give a receiver anamorphic for many bits in polynomial time. Rejection sampling only works for a few bits. And we're going to give sender anamorphic with no shared key. Remember that in rejection sampling, as well as in the one that we're going to show next, we're going to have to agree on the seed. Okay, here instead, in sender anamorphic, we're going to do this completely with no prior communication. And for this we need some extra properties, we'll see those. Okay, we take the Naor-Yung encryption scheme. This is an encryption scheme that provides CCA security, CCA1, CCA2, depending on the strength of the NIZK, and we're not going into this detail.
But this is the slide that describes Naor-Yung. I think that most of us, you know, keep it in mind, but, you know, just to refresh: there are two public keys, but there is only one secret key. Okay. And actually this is crucial in the proof of security. So if you want to encrypt a message like glory to our leader, you encrypt it with the first public key, encrypt it with the second public key, then you produce a proof that the two are consistent, and then you send it. Upon decryption, you know, upon arrival of the ciphertext, Alice checks the proof, and then she decrypts the first one. Alice has no second decryption key. Actually, you know, for example for ElGamal you can sample a public key without having the corresponding secret key, but... Okay, so this is the normal mode. What is the... I'm sure that now it comes, you know, most of you got it already, because what is the anamorphic? The anamorphic is the following: okay, Alice actually keeps both secret keys. Okay. And now, when Bob wants to send a message, he sends on the first secret key, you know, the official secret key, you know, glory to our leader. And then he sends, you know, fine to our leader, you know, just fine our leader for illegal parking, maybe, I don't know what they mean. Okay. And the secret shared information is the simulator trapdoor. Okay. So, instead of having Sigma a truly random string, or, you know, a string from the right distribution depending on the underlying NIZK, what they do: Alice runs the simulator, gets a string which is indistinguishable from what it should be, and gets a trapdoor. Bob shares the trapdoor, that allows Bob to produce a NIZK, a fake NIZK, a cheating NIZK, that the two messages are equal. Okay. So now, when the dictator knocks on Alice's door, she, you know, says, okay, yes, I have SK zero, that's all, you know, that's what Naor-Yung told me to do. Okay. And that's it.
And the dictator decrypts and says, oh, glory to our leader, you know, these are good kids. Okay. And while Alice has also SK one and decrypts the real message. Okay. Let's fine our leader. Okay. Now you can see that. Okay, why does this work? Okay, the properties of NIZK, different flavors of NIZK, if you want simulation soundness, so depending on that, but this implies that anamorphic and normal public keys are indistinguishable. Our NIZK plus IND-CPA imply that the ciphertexts are indistinguishable. So the fact that they are not the same ciphertext but they are different, of course, this is hidden. And this is what I said: PK one could be generated without an associated secret key, so Alice could, you know, oh, no, I'm just following the protocol. I'm just, you know, following the wall from the paper, and I have no SK one. Okay. And the other line, PK zero, PK one, Sigma, now helps is the trapdoor, can be proved to be a significant encryption keys, or, all the proofs are in the paper. The paper is on ePrint and in the proceedings, so, but I'm not getting into proofs now. Okay, so let's come to the final, the sender freedom assumption. Here we assume, in this assumption the sender is free to pick the message, which, you know, you can be forced, like you have a gun at your head and then you say, okay, just send the message that everything is fine. Okay, that you're free to move and then, you know, nobody should worry about that. Okay, so this is a story of Oscar and John. Oscar is a political, you know, opposition leader. Okay. So at this point, there are, you know, all these opposition leaders being persecuted by the dictator. The dictator wants to look good to the world public opinion. So he just goes to Oscar and says, Oscar, why don't you send a message: I'm fine and in good health. Okay.
So what he needs to do is send to a forced public key, fpk. fpk could be, you know, like the public key of some media outlet, you know, Bloomberg, you know, right or whatever. Oscar wants also to send a message: hey, I'm in prison. And he wants to send a message to his friend, or to a journalist, not necessarily his friend, called John. Okay. And John has, you know, his public key dpk; the public key is up there, it's well known to everybody, it's on the website, and Oscar and John have not talked beforehand, he just is, okay, oh, there is this guy that seems to look good. Okay. And Oscar does the following. He computes some special coin tosses R star, such that the ciphertext CT encrypts a message m zero, that's the dictator-picked message, say, oh, I'm fine and in good health, and he sends it to the forced public key so that, you know, the official media outlet gets this message, R star. And it also holds that if John tries to decrypt the same ciphertext but with his secret key, then he gets m one. So this is again anamorphic, depending on under which angle you look at the ciphertext. And you know, depending on which secret key you're going to use to decrypt, you get two different messages, but it's one ciphertext. And of course John knows that his key might be used to. Some messages from opposition leaders, and then he decrypts also messages that he sees broadcast on the network. Okay. And I want to stress that there is no prior shared knowledge between Oscar and John. Okay, they don't tell, you know, this is different from Naor-Yung and rejection sampling. Okay, can we achieve this? Of course, R star is going to be chosen by Oscar, because if the dictator picks the randomness and the message, of course there is no room to maneuver, of course, you know that it becomes a deterministic function and there is nothing we can do. Okay, so before, you know, giving you the result.
So I want to just elaborate about sender anamorphic and deniable encryption. First of all, if you remember the deniable encryption from 97, the Canetti et al. paper, that applies to the same public key. Okay, and this is, it's impossible for standard encryption. Okay, which contradicts one of our main objectives. So sender anamorphic can be used to provide some form of deniability, but this is in a different context. Now, the context is messages being broadcast on the network, while the deniable encryption was for point-to-point communication, which in a sense justifies the assumption of being denied with the same public key. Okay. So we have certain conditions for sender anamorphic with no shared key. Okay, so we have these three conditions, which are quite reasonable. First of all, we have this property, common randomness property: like for any plaintext and any other public key pk prime, the ciphertext is a valid ciphertext also under pk prime. The second property is message recovery from randomness: that if I give you the ciphertext and the randomness that has been used, then you can recover the message. And the third is equal distribution of plaintexts, meaning that, given c, for a randomly generated SK, the probability that c is an encryption of zero and an encryption of one is more or less the same. Okay. So we prove that these three conditions are sufficient for what we want to achieve. And then we go on and prove, but details are in the paper and I'm not going to discuss this, that two very well known encryption schemes based on LWE, Regev from 2005 and the Gentry, Peikert and Vinod from 2008, they satisfy these three conditions, and that they can be used as sender anamorphic encryption schemes. Okay. I'm now to the last slide and... Okay, so I'm doing pretty well on time, I guess, yep. We started a little bit earlier but.
Okay, so these are the conclusions. So we introduced two new concepts, receiver anamorphic and sender anamorphic. So the receiver anamorphic is useful in settings where the receiver, all the communication is under the dictator's control, while the sender anamorphic is when the sender of the message is under the dictator's control. Okay. We show implementations of these two concepts with existing cryptosystems from the literature. Okay, so that we, you know, I don't know if anybody's using Naor-Yung right now but, you know, in principle, you could use it. And that's the, we think, the most important point of our work, is that we give technical evidence of the futility, the stupidity of the crypto wars. Like, encryption is the technology that is there. And there is no point in trying to regulate, to make it weaker, or to have state control on that. Like, encryption is there, and then if you try to do something, there is something... You know, we have a way to go around whatever the dictator or the good government does for your own good. And if the dictator really wants to pursue this, at least he'd have to register to Crypto and Eurocrypt and read all the proceedings, he should get a PhD in crypto, and okay, and that could be also a good result. How this is going to affect policy, law, and the societal aspects, of course this is beyond, you know, our expertise, it's not in our ballpark, this is not the right forum, but it's just a technical contribution. Like, you know, none of the three of us is a social scientist that I know. And so, of course, but I think that it's important to say that, you know, encryption is here to stay. It's like, you know, when fast cars were introduced, like, I don't know if back then, you know, the police complained: oh, now they have fast cars.
Instead of horses, you know, with the horses, you know, you could, you know, just go there, and then now with fast cars, so who knows, they're going to rob a bank, and then let's pass the law by which no car can be faster than the police car, which, you know, now, you know, said like that is completely, you know, very silly. And that's in a sense what they're trying to do with encryption. Okay. Also, the last bullet is that anamorphic encryption is not a bizarre phenomenon, like we have seen it in some very well known and studied cryptosystems, there is nothing pathological in our constructions. And, you know, there is more to come, there is work in progress, and we would like to see, you know, more known cryptosystems to be proved to be anamorphic. And just to complete the whole program of showing the futility of the crypto wars. And this is what I wanted to say, thank you for your attention. Thank you for being here in the last session.
Questions. Maybe you can use this one.
Thanks for the great talk. So, on the technical level it seems that to achieve receiver anamorphic encryption, or even the sender anamorphic encryption, you need to share some information between the parties. So in particular, for the receiver case you need to share the trapdoor for the NIZK. And for the sender you need to share the randomness, right?
No, no, no, no.
But at least for the receiver you need to share the trapdoor. So, how do you assume that, do you assume like an underlying anamorphic key exchange or a key transport protocol that does it?
Okay, that's a good question. Okay, first of all, I want to make sure that maybe I was not, I didn't say clearly here. No, it's not this one. Okay, so. I cannot find the job. So for sender anamorphic there is no shared communication, like the sender by himself picks a special R star, but there is no need to agree on the R star beforehand with the receiver.
For how do you get, how do you, like, for receiver, how do you agree on the seed of the pseudorandom function or on the trapdoor of the random. Okay, so the setting we have in mind is that this is a group of opposition leaders, opposition activists, and that they get together at one point, and they just share the, you know, this information. I must say that the paper of Horel et al., that's exactly what you describe, in the sense that they have some sort of steganographic key exchange. Okay, about, you know, you have to see, maybe different settings, things that different ways, but then you first of all have to start a secret sharing, a key sharing protocol, which might attract some, you know, some suspicion from the dictator, and also it's very low rate, so they take some time to agree on the key. And so we have this concept in the paper about latency: ours has zero latency, the moment you have the two keys, you can start. But you know, these are very good questions.
Thank you.
Thanks for the interesting talk. My question is about the non-interactive zero-knowledge proof that the dictator verifies. So, is it only specific kinds of non-interactive zero-knowledge proof techniques that can be used in anamorphic encryption schemes, or any schemes?
No, any NIZK. Then a bit. Okay, of course you should get, you know, if you want to say, you want simulation soundness, you know, but any NIZK will work. It's generic in that respect, any NIZK for which there is a simulator. Okay, so it has to be zero knowledge.
Thank you. Thank you.
You know, great. I love this name. I'm not sure if I love this name exactly, it's very catchy, it's kind of cool. I'm not sure if you're aware, in the mid 90s there was another paper called plausible deniability which took the same tack, which is kind of looking at a cryptosystem and finding ways to use it in a deniable method, kind of like CDNO, post-dated CDNO.
The idea was to say, let's use this in a way that people are not expecting it to be used. So there's this one aspect of this, it was about the time that wheat and chaff came out, as published in Progercript, I'm wondering what the differences there might be, it also is using sort of a trapdoor thing. Yeah. And the other half of it too is the other question, which is maybe a more uncomfortable question, which is how do these things really resist sort of the screwdriver attack, which is the dictator just comes and says, what is your alternative key, what is your alternative key, what is your alternative key, and applies a screwdriver every single time until you actually give it up.
Okay. Okay. Yeah. Okay. You know, two good points. About the second one: yeah, but if the dictator does that, he could really, you know, very well get into someone who is innocent and doesn't have a key. So, and he's going to create a climate, you know, of terror in the population, which is something that he might enjoy, by the way. So I'm not saying that, you know, this is going to solve all the problems, but at least there is reasonable doubt that, you know, I'm just using AES, there is no seed. Okay, leave me alone. So, but that's, about the first one, maybe we should talk, because maybe we missed, we know there are several references and we do compile, so maybe we take it offline and we discuss it.
Thanks. Okay, I got a screwdriver. Okay, okay.
Thanks so much for this talk. It's really, really interesting. One thing that occurred to me while listening to your talk is that dictators do show up at Eurocrypt and Crypto. We know, with a lot of certainty, there's records from the NSA during the Snowden leaks that they come to Eurocrypt and were like, hey, they're not working on anything interesting. Don't worry about it, keep going. And certainly encompassing the US there's always a DoD person who shows up in the back of the room.
And so in light of that I'm wondering to what extent you've been able to characterize the necessary conditions for these kinds of communication protocols, anamorphic encryption. Like, do we know that if we don't use anything, if the government says no LWE ever, we're done with LWE, can we not do anamorphic encryption? Is there some kind of, like, minimum entropy in a channel that we need, similar to steganographic techniques, or is that kind of like an open question that we want to look at next?
Yeah, no, no, right. Terrific questions. These are all questions for next work and these are great. I don't know. I'm looking at back rows. Maybe they don't come to Europe. I don't know. It's hard to get a visa or something. Okay, okay, okay, so we'll see in 15 years when we release that. Thank you, thank you.
So, have a quick question. So what is the connection to steganography? Steganography also says that you can take basically any randomized encryption and by playing with the randomness you can encode arbitrary messages in the ciphertext. So what is the connection?
Yeah, in a sense like that, if the, yeah, steganography, the dictator could get in and say, okay, you're using steganography, show me this. And also with steganography on the receiver side, it could have, you know, you could get the key, and on the sender, we have this property where you can send it to any other secret public key, which for which you had to know, while with steganography you cannot do that, like steganography is point to point. So there are some differences, but I agree it's very common. They're very close as concepts, but, you know, our emphasis is on existing schemes, it's not on designing new schemes.
So we are anyway out of time. So this is the end of the session. Let's thank both the speakers again.