 Hello, everyone. My name is Yu Yu Wang. I'm from UESTC. Our title is Impossibility on Temporary Resilient Cryptography with Uniqueness Properties. It's a joint work with Takahiro Matsuda, Goi Chihonaga, and Keisuke Tanaga. First, we will call the Temporary Resilient Model. Improving security of a cryptographic scheme, we usually assume that the keys are perfectly protected. However, in the real world, an adversary may change the keys by executing temporary attacks such as hitting up devices and injecting thoughts. And the adversary may observe the ciphertexts or the signatures generated by the temporary keys. Then the adversary may get some extra advantage to break the security. There have been many examples of successful temporary attacks such as the ones on RSA, DES, and AES. And we want to consider the temporary model which captures these attacks. There have been several positive results which show the existence of temporary resilient primitives in the common reference stream model. In this model, the adversary can temper with both the public keys and the secret keys in any way it wants. But it's assumed that there are temporary proof common reference streams. However, it's still unclear whether we can have secure schemes in the blame model where we do not assume any temporary proof CRS. In this work, we show that it's impossible to derive the temporary resilience of a broad glass of primitives from any common assumption by black box reductions. Before going to more details, we first define two extremely weak security notions. The first one is weak compatibility which holds if the adversaries cannot forge a message signature pair without seeing any use for information, even including the verification key. One can easily see that this security notion is weaker than the standard security notion such as the CMA security, the RMA security, the one-time CMA, and the one-time RMA. The second one is weak one-winness which is the same as standard one-winness except that we don't give the public key to the adversary. And it's obvious that this security is strictly weaker than standard one-winness. Now we give more details on which class of primitives we consider. First, our negative results capture two types of signatures which are unique signature and signature with unique signing keys. Here, we require that the signatures should satisfy the weak compatibility but this requirement is very natural since the security is extremely weak as we explained before. For unique signature, there exists only one valid signature for each pair of verification key and message. And for signatures with unique signing key, there exists only one valid signing key for each verification key. It captures many instantiations such as the L-Gamma signature and the DSA and the CMA signature. We also obtained negative results on injective one-way functions, verifiable random functions, and also PKE with unique message satisfying weak one-winness. Similar to the case of weak compatibility, any meaningful PKE should satisfy weak one-winness. Here, by PKE with unique messages, we mean that for each ciphertext, all the valid secret keys of the same public key lead to the same decryption result. As examples, we showed how it captures the CMA scheme and all the unique key PKE schemes in our paper. And in this presentation, we will focus on the negative result on unique signature for simplicity. We now define temporal resilience in the plain model. Since we consider negative results in this work, the weaker the security is, the stronger our results are. An adversary in this model consists of three parts, which are temporal, break one, and break two. They are not allowed to communicate with each other. Tempor is a selective tampering function which takes as input a public key, a secret key, and outputs a tamper key escape prime. Break one takes as input a public key and makes a signing query which is m. Break two takes as input the public key, a signature generated by a tamper signing key, and tries to forge a message signature pair. If the probability that the forgery is valid is negligible and the message in the forgery is not the signing query, then the temporal resilience in the plain model is said to be satisfied. One can see that the security is very weak since we only allow the adversary to tamper with the key ones and make only one signing query. But again, since we only consider the negative results, the weaker it is, the stronger our results are. We now recall the black box reduction from common assumptions to temporal resilience. The reduction has black box access to the adversary and can make queries adaptively in any order to the three components of the adversary. If by making use of a successful adversary, the reduction breaks the underlying assumption successfully, then we can conclude that the temporal resilience holds under the assumption. We now give the intuition on how we show impossibility on black box reduction for temporal resilience unique signatures. To show this, we just have to prove that the reductions do not benefit from having access to the adversary. We consider two cases. In the first case, the reduction gives correct keys to the first component which is tamper. In this case, the reduction already knows the signing key and can forge the signature by himself. And due to uniqueness, this signature computed by reduction should be the same as the one generated by break 2. Thus, the adversary does little help to the reduction. And the reduction can break the underlying assumption by himself, which gives us the conflicts. We now consider the case that the reduction does not give the valid keys to the adversary. In this case, the keys may not pass the verification by the adversary. And then the adversary does not have to give a tamper key to the reduction. In this case, the reduction will learn no information on SK prime, which is the tamper key. Then due to the weak compatibility of the unique signature, the reduction cannot answer the signing query correctly. Since the reduction cannot simulate the view of the adversary now, the adversary does not have to give a valid forgery to the reduction. As a result, the reduction cannot use the adversary in a meaningful way. This is the intuition of our idea. And to show the strict proof, we have to take care of two points. The first one is that the reduction can make adaptive queries to the three components in any order. And the second one is that we have to find a way for a tamper, which is the first component, to check the validity of the keys. To give the formal proof, we use the framework of simulatable attacks by Wix. In this framework, we first need to construct a computationally unbounded adversary to break the tamper resilience. Then we define the simulator, which runs in polynomial time, but is indistinguishable with the adversary. Notice that the simulator doesn't have to run in a legal way. It just has to simulate the adversary. It doesn't have to follow the game. The distinguisher can make adaptive queries for any time and in any order. And if the simulatable attacks exist, which means that if we can construct the adversary and the simulator, then there exists no black box reductions from standard assumptions. The reason is that if there exists a reduction that breaks the assumption by having black box access to the adversary, then it can also break the underlying assumption by having access to the simulator, which runs in polynomial time. This means that the underlying assumption can be broken in polynomial time, which gives us the conflict. We now show how we construct the adversary. The three components of the adversary share a random function in the start of the game and cannot share any common state anymore. All the three components compute fpk to obtain the run coins, which are rg, ris, mstar, and m. rg is used to generate the tamper keys. rs is used to forge the signature. mstar is the message in the forgery, and m is the signing query. Tamper will check the validity of keys by checking whether the signature for mstar generated by using the run coin, rs, and the circuit key, sk, can pass the verification. If the check works, then tamper generates sk prime by making use of the run coin, rg. Notice that pk and sk do not have to be a valid key pair for any message. They just have to be valid for the message mstar. Then break two checks whether the signing query is correctly responded. If the check works, it uses brute force to search a valid signature, s, which passes the verification. Due to correctness, the adversary must be able to break the tamper residence if the challenger runs in the onest way. We now consider the communication between the distinguisher and the adversary. If the key is given by the distinguisher did not pass the verification by tamper, then the distinguisher will learn no information on pk prime and sk prime. In this case, no matter how the distinguisher makes queries, it cannot answer the signing queries due to unique unforgeability, and then break two will not forge the signature by using brute force. This means that we can simulate the adversary easily in polynomial time. We now consider the case that the distinguisher has given keys passing the verification. In this case, to simulate the adversary, a simulator does not have to use brute force as well. It just uses sk, which is given by the distinguisher to generate a forge signature. The forge signature must pass the verification. The reason is that we have checked the validity of the secret key, which is sk before. Also, the signature, which is you must start generated by the simulator will be the same as the one generated by the adversary by making use of brute force. This is because of the uniqueness of the signature, and this will hold no matter in which order the distinguisher queries. As a result, we can simulate the unbounded adversary in polynomial time anyway, which means that the simulator attack exists. Now we give the conclusion. This presentation shows that there exists a simulatable attack for unique signatures. This means that it's impossible to prove temporal resilience for unique signatures by black box reductions. In similar ways, we can also construct simulatable attacks for signature with unique signing key, pke with unique message, verifiable random function, and injective one-way functions, which means that it's impossible to derive the temporal resilience of these primitives by black box reductions. Thank you for your attention.