Hi everyone, and welcome to our video abstract about decryption failures and the Fujisaki-Okamoto transformation. This was joint work with Andreas Hülsing and Christian Majenz. We were motivated by taking another look at how post-quantum key encapsulation mechanisms were built during the NIST standardization process for post-quantum secure crypto. What all of these key encapsulation approaches had in common was that they shared the same recipe for how to turn passively secure public-key encryption into an actively secure key encapsulation mechanism. This recipe by now is quite well known. It's the Fujisaki-Okamoto transformation that was recently revisited at TCC in 2017. And the revisiting happened to allow for public-key encryption schemes where decryption sometimes fails, which can happen, for example, for lattice- or code-based schemes. And the revisiting also considered different rejection methods, meaning methods of how to deal with ciphertexts that do not look well formed. One approach is to simply, during the encapsulation, answer with a dedicated rejection symbol like bottom. The other approach is to hide that the ciphertext was not accepted by replying with a pseudorandom value. Of course, by now the Fujisaki-Okamoto transform has also been revisited in the quantum random oracle model, because we are now interested in post-quantum secure schemes. And if you take a look at the quantum random oracle model results we've seen so far, there are some things that at least we found kind of intriguing. The first thing is that while random oracle model results are kind of agnostic to the rejection method, meaning regardless of whether you return bottom or a pseudorandom value, the security bound does not change, in the quantum random oracle model implicitly rejecting variants had vastly better security bounds than explicitly rejecting variants.
Another thing we found kind of surprising was that all security bounds so far contained a Grover-like search term that was relative to delta, the error probability, even though it is not clear how an attacker could do a full quantum search, because a decryption failure usually depends on the secret key, to which the attacker has no access. So all in all we were wondering whether the bounds we've seen so far might be suboptimal. A more interesting part of our observations probably is that we encountered an applicability issue. By that I mean that the definition of the error probability delta that we require for our security proofs does not match the estimations of delta that were given for concrete schemes like Kyber, and I'll be talking a bit more about this in the full talk. So what this work does is that it aims to deal with all of these weird things and problems to achieve more optimal bounds and also to give a security proof that is actually applicable to the estimations of delta we've seen so far. And on the way we also pick up some cool new QROM techniques that allow you to lift certain types of random oracle model proofs into the QROM. On the technical side we were faced with a problem: we had two existing techniques, an extractable quantum random oracle model simulator and the so-called one-way-to-hiding lemma, but naively they cannot be combined in the way we wanted to combine them. So we opened the black boxes and proved a new one-way-to-hiding lemma for the extractable quantum random oracle model. In addition, when we wanted to characterize the behavior of public-key encryption schemes with decryption errors under derandomization, we needed query lower bounds for a task that is related to search but is not exactly search: it's the task of finding input-output values of the random oracle that evaluate to large values under some predicate function. So we generalized some proof techniques to prove such query lower bounds.
If this short teaser made you curious, then I recommend you come to our talk, which will be given by Kathrin Hövelmanns. Here you can see when and where it will take place. Thanks.