Hello everyone, I'm Rupeng Yang, and my talk today is about public key encryption schemes with receiver selective opening security in the multi-challenge setting. This is based on joint work with Junzuo Lai, Zhengan Huang, Man Ho Au, Qiuliang Xu, and Willy Susilo.

So we are all very familiar with the notion of public key encryption. Generally, it consists of three algorithms, namely the key generation algorithm, which produces a public key and secret key pair; the encryption algorithm, which encrypts a message to get a ciphertext; and the decryption algorithm, which decrypts the ciphertext to get a message. Its correctness requires that the decryption algorithm can always recover the correct message from an honestly generated ciphertext. And its security requires that no one can learn anything from the ciphertext. This can be defined by requiring that the output of an adversary, who can see the public key and ciphertext, can be simulated by a simulator that takes nothing as input.

So in practice, a public key encryption scheme is usually deployed in a multi-user setting. That is, there are many users with different public keys and secret keys, and a sender sends a message to a receiver by encrypting the message under the receiver's public key. So in this case, it's common that some receivers may be corrupted, and their secret keys will be revealed to an adversary. And in this case, it seems infeasible to protect messages that are sent to the corrupted receivers. But we still hope to protect those messages that are sent to the uncorrupted users. A PKE scheme that can provide such a security guarantee is said to have receiver selective opening security, or RSO security for short.

So formally, the adversary for RSO security will first receive a list of public keys. And then the adversary will specify some message distribution. And then the adversary will receive some challenge ciphertexts, which encrypt messages sampled from this distribution.
Then the adversary is able to corrupt some users and receive their secret keys and the messages sent to them. Finally, the adversary will output something. Security requires that the output of the adversary can be simulated by a simulator that only takes as input the messages sent to the corrupted receivers. So that's the definition of RSO security.

Standard semantic security is not enough to imply RSO security, and there are many works constructing public key encryption schemes with RSO security. However, all these works only consider a single-challenge setting. That is, each public key can only be used to encrypt one challenge message into one challenge ciphertext. For standard semantic security, such single-challenge security does imply the more realistic multi-challenge security by a standard hybrid argument. But it's unknown if this equivalence still holds for RSO security.

In this work, we formally study PKE schemes with RSO security in the multi-challenge setting. In this setting, each public key will be used to generate multiple challenge ciphertexts. So formally, for the definition of RSO security in the multi-challenge setting, the adversary will receive multiple challenge ciphertexts for each public key. And security still requires that the output of the adversary can be simulated by a simulator that only takes as input the messages sent to the corrupted receivers. So that's the definition of RSO security in the multi-challenge setting.

And now we are ready to present our main results. So we first show that RSO security in the single-challenge setting does not imply RSO security in the multi-challenge setting, by giving a counterexample that is RSO secure with only one challenge ciphertext but is not secure even if the public key is used to encrypt two challenge messages. Then we construct an RSO secure PKE scheme in the k-challenge setting for arbitrary polynomial k.
We also give a lower bound on the secret key length for any PKE scheme that is RSO secure in the k-challenge setting and construct a concrete PKE scheme that nearly satisfies this lower bound.

So let's start with our counterexample. The counterexample is built on a semantically secure PKE scheme E that additionally satisfies the following three properties. First, we require that the PKE scheme has only one valid secret key for each public key. Also, we require that it is easy to verify if a public key and secret key pair is valid. And finally, we require that the scheme has perfect correctness. Such a PKE scheme can be instantiated by, for example, the ElGamal encryption scheme.

So now with this PKE scheme, we can construct our counterexample Π as follows. So the key generation algorithm of the counterexample Π will first produce two independent public key and secret key pairs of E. The public key of Π will contain both public keys of E, and the secret key of Π is exactly one of the two possible secret keys of E. Then to encrypt a bit, the encryption algorithm will encrypt the message using the encryption algorithm of E with both public keys. The ciphertext contains both small ciphertexts of E. Finally, to decrypt a ciphertext, the decryption algorithm will decrypt one small ciphertext with the given secret key.

So the scheme is proved to have RSO security in the single-challenge setting in previous works. And to see this, recall that the adversary for RSO security in the single-challenge setting will first receive n public keys, and then it specifies the distribution of n messages. Then the adversary can receive n challenge ciphertexts that encrypt these n messages under the n public keys. Then the adversary can corrupt some users and receive the secret keys and messages sent to them. And finally, the adversary outputs something. To simulate the adversary's output, the simulator will invoke the adversary as a subroutine and simulate its view in the real world.
In particular, the simulator will first generate n public keys and send them to the adversary. Then it receives the distribution returned from the adversary. Then the simulator will send n challenge ciphertexts to the adversary and corrupt the users specified by the adversary. Then on receiving the messages sent to these corrupted users, the simulator will send them to the adversary, and it also sends one secret key for each corrupted user. Finally, the simulator just outputs what the adversary outputs.

So you may have noted that the simulator does not know the challenge messages when generating the challenge ciphertexts. So the question is, how are the challenge ciphertexts generated? To do so, the simulator will generate ill-formed challenge ciphertexts. That is, each of the challenge ciphertexts will contain both an encryption of 0 and an encryption of 1 under the basic encryption scheme E. Such ill-formed challenge ciphertexts are indistinguishable from honestly generated ones due to the semantic security of the underlying basic encryption scheme E. Also in the opening phase, the simulator will not send a random secret key from the two possible secret keys to the adversary. Instead, it will send the one that decrypts the challenge ciphertext to the correct message. For example, assuming that the first user is corrupted, the simulator will set sk_1 to be sk_{1,1} if the message sent to the first user is b_1, and it will set sk_1 to be sk_{1,2} if the message sent to the first user is 1 - b_1. So in this case, the simulator's cheating behaviors can't be detected by the adversary, and the adversary will just output what it outputs in the real world. So the simulator can succeed in simulating the adversary's output for RSO security.

Okay, so now assume that the PKE scheme Π is used to encrypt two messages for each public key. And next, we will explain why the above simulation strategy does not work in this case.
So again, the simulator can invoke the adversary as a subroutine, and it can send n public keys and 2n challenge ciphertexts to the adversary. Also in the opening phase, it can send one secret key and two messages for each corrupted user to the adversary. As before, the simulator can set the challenge ciphertexts as ill-formed ones. That is, each challenge ciphertext contains both an encryption of 0 and an encryption of 1 under the basic encryption scheme E. Also the simulator will try to send the suitable secret key that decrypts the challenge ciphertexts to the correct messages. However, it can't always succeed in doing this. To see this, assume again that the first user is corrupted. Then the simulator can set sk_1 to be sk_{1,1} if the messages sent to the first user are b_{1,1} and b_{1,2}. Also it can set sk_1 to be sk_{1,2} if the messages sent to the first user are 1 - b_{1,1} and 1 - b_{1,2}. However, it can't find a suitable secret key if the messages sent to the first user are 1 - b_{1,1} and b_{1,2}, or they are b_{1,1} and 1 - b_{1,2}.

So now to transform the above intuition into a formal impossibility proof, we consider the following concrete adversary. The adversary will output a uniform distribution after receiving n public keys, and then it sets the set of corrupted users as the hash of the public keys and challenge ciphertexts it received. Finally, in the last step, the adversary will output the public keys, challenge ciphertexts, and secret keys for corrupted users it received in the game.

So now consider any simulator; we do not restrict its behaviors here. But due to the security of the hash function, the simulator has to determine all public keys and challenge ciphertexts before corrupting users, as otherwise the simulator has to invert the hash function or find a collision for it. Also, in the last step, the simulator can choose the secret key for each corrupted user from only a set of two possible secret keys, due to the secret key uniqueness of the underlying basic encryption scheme E.
And then by the perfect correctness of E, the simulator can open the fixed ciphertexts for each corrupted user to only two possible messages. But the message pair can be sampled in four different ways. So with probability 1/2, the simulator will fail in simulating the adversary's view. As we are considering any simulator, for the PKE scheme Π, if the adversary works as on the left-hand side, then there does not exist any simulator that can simulate its output with an overwhelming probability. So that's our example that separates RSO security in the single-challenge setting and that in the multi-challenge setting.

Next we give a construction of an RSO secure scheme in the k-challenge setting. So the starting point of our construction is the counterexample we just mentioned. So recall that security of the scheme comes from the fact that the simulator is able to generate an ill-formed challenge ciphertext, which contains an encryption of 0 and an encryption of 1 under the basic encryption scheme E, and then it can open this ciphertext to any bit by choosing a suitable secret key. This simulation strategy does not work if the number of possible secret keys is much less than the number of possible messages sent to each user. So the scheme is not secure in the two-challenge setting. To solve this problem, we increase the number of possible secret keys by repeating the scheme Π k times.

The new scheme Π' works as follows. So the key generation algorithm of Π' will run the key generation algorithm of Π k times, and the public key and secret key of Π' will contain all k public keys and secret keys of Π. Then to encrypt one bit, the encryption algorithm of Π' will first share the message into k parts. And then it will encrypt each part under the encryption algorithm of Π, and the ciphertext of Π' will contain all k ciphertexts of Π.
Finally, to decrypt the ciphertext, the decryption algorithm of Π' will first decrypt each part of the ciphertext to recover the shares. Then it can obtain the message from these k shares. So that's how the scheme Π' works.

And to see why the scheme is RSO secure in the k-challenge setting, or alternatively, how a simulator can generate k ill-formed challenge ciphertexts and open them to any k bits, we consider the following simulator. The simulator will generate all parts of these k challenge ciphertexts honestly, except the ones on the diagonal. So that is to say, for example, to generate CT_1, the simulator will first sample k-1 random bits, and then encrypt them with the second part to the k-th part of the public key. For the part on the diagonal, the simulator will put an ill-formed ciphertext of the underlying scheme Π there. That is, each part on the diagonal will contain an encryption of 0 and an encryption of 1 under the basic encryption scheme E. So in this case, each public key is only used to generate one cheating ciphertext. So the simulator can choose the suitable key part that decrypts this cheating ciphertext to any bit. So the simulator can simulate the adversary's view just as before, and finally, it can simulate the adversary's output in the real world.

OK, so that's our construction of an RSO secure scheme in the multi-challenge setting. And next, we will show the lower bound on the secret key length for any PKE scheme with RSO security in the k-challenge setting. So recall that in our counterexample, the main observation is that if the number of possible secret keys for each corrupted user is less than the number of possible messages sent to him, then the scheme can't be RSO secure. So now consider a PKE scheme with secret key length L; then the number of possible secret keys will not exceed 2 to the L.
Also, if the message length is M and we consider a k-challenge setting, then the number of possible messages will be equal to 2 to the MK. So if we hope the scheme to have RSO security in the k-challenge setting, we must have L greater than or equal to MK. That's our lower bound for any PKE scheme with RSO security in the k-challenge setting.

We also give a construction of an RSO secure PKE scheme in the k-challenge setting whose secret key length nearly satisfies this lower bound. This is constructed by repeating the current loop in current scheme k times. And we also use some additional tricks to reduce the secret key length. And for time reasons, we are not able to cover the construction details here. Please see our full paper for more details. Also, in this talk, we only consider chosen-plaintext security. And in our paper, we also consider chosen-ciphertext attacks. Please also refer to our paper if you are interested. Okay, so that's all, thanks for your attention.
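
An added illustration, not part of the talk or the authors' paper: the sketch below counts which message tuples the simulator's ill-formed ciphertexts can be opened to, for the counterexample Π and for the k-fold scheme Π' with an ill-formed diagonal. It assumes ElGamal over a tiny constructed group as the basic scheme E and XOR as the sharing in Π'; all function names are hypothetical.

```python
import itertools, secrets

P, Q, G = 2039, 1019, 4   # constructed toy group: P = 2Q + 1, G has order Q

def keygen():             # basic scheme E, here ElGamal on a single bit
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x

def enc(pk, bit):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(pk, r, P) * pow(G, bit, P) % P

def dec(sk, ct):
    c1, c2 = ct
    return 0 if c2 * pow(c1, P - 1 - sk, P) % P == 1 else 1

def ill_formed(pks, b):
    """Simulator's ciphertext for Pi: Enc(pk1, b) next to Enc(pk2, 1 - b)."""
    return enc(pks[0], b), enc(pks[1], 1 - b)

def openable_pi(n):
    """Message tuples explainable by revealing either secret key of one Pi key."""
    (pk1, sk1), (pk2, sk2) = keygen(), keygen()
    cts = [ill_formed((pk1, pk2), secrets.randbelow(2)) for _ in range(n)]
    return {tuple(dec(sk, ct[i]) for ct in cts)
            for i, sk in enumerate((sk1, sk2))}

def openable_pi_prime(k):
    """Same count for Pi' with k challenges and an ill-formed diagonal."""
    keys = [(keygen(), keygen()) for _ in range(k)]      # k copies of Pi
    cts = []
    for j in range(k):                                   # j-th challenge
        row = []
        for i in range(k):                               # i-th share
            pks = (keys[i][0][0], keys[i][1][0])
            if i == j:
                row.append(ill_formed(pks, secrets.randbelow(2)))
            else:                                        # honest share
                s = secrets.randbelow(2)
                row.append((enc(pks[0], s), enc(pks[1], s)))
        cts.append(row)
    reachable = set()
    for pick in itertools.product((0, 1), repeat=k):     # sk choice per copy
        msgs = []
        for row in cts:
            shares = [dec(keys[i][c][1], row[i][c]) for i, c in enumerate(pick)]
            msgs.append(sum(shares) % 2)                 # XOR of the shares
        reachable.add(tuple(msgs))
    return reachable
```

With one challenge Π reaches both possible bits, with two challenges it still reaches only 2 of the 4 message pairs, while Π' reaches all 2^k tuples.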