I will talk about KDM security for the Fujisaki-Okamoto transformations in the QROM. I'm Fuyuki from NTT. This is joint work with Ryo Nishimaki from NTT.

KDM security, for short, is a security notion that captures situations where an adversary can get a ciphertext of secret keys. Such situations naturally occur in many practical cryptosystems such as anonymous credentials, formal methods and hard disk encryption. Recently, KDM security found an application also in quantum crypto. Zhang showed that KDM security can be used to realize delegation of quantum computation.

This is the definition of KDM security. It is defined by using a security experiment between the challenger and an adversary. In this experiment, the adversary can make a KDM query consisting of two functions f0 and f1. For this query, the challenger returns a ciphertext of fb of sk, depending on the value of the challenge bit b. Then, if any polynomial-time adversary cannot guess the challenge bit b correctly significantly better than random guessing, we say that an encryption scheme is KDM secure. We can define KDM-CCA security by allowing the adversary to make decryption queries. KDM security in the multi-key setting can be defined similarly.

In this work, we tackle the following question. Do existing practical IND-CPA or CCA secure PKE schemes satisfy KDM security in the QROM? Especially, for practical schemes, we focus on Fujisaki-Okamoto (FO) transformations. And we ask whether FO transformations satisfy KDM security in the QROM without square root security loss.

Next, I will review FO transformations and the square root security loss problem in the QROM. As shown by Hofheinz et al., FO transformations can be decomposed into two transformations T and U. T converts an IND-CPA secure PKE scheme into a one-way CPA secure deterministic PKE scheme by using a random oracle. U converts a one-way CPA secure deterministic PKE scheme into an IND-CCA secure KEM by using a random oracle.
Three variants of U have been considered.

Then, I will talk about the square root loss problem in the QROM. In the QROM, many security proofs suffer from square root loss. This is because in the QROM, we need to use the one-way to hiding lemma proposed by Unruh to justify random oracle programming. Roughly speaking, the one-way to hiding lemma says that there exists an extractor D such that the advantage gap caused by random oracle programming can be bounded by the square root of the probability that D extracts the programmed point S. Square root loss requires much longer security parameters for building blocks to achieve a reasonable security level. As a result, it significantly decreases the efficiency of cryptographic primitives. So we need to avoid square root loss, especially when we study practical schemes. Recently, an improved variant of the one-way to hiding lemma was proposed. By using it, Kuchta et al. showed that the IND-CCA security of the FO transformation can be proved without square root loss. However, its applicability is somewhat limited. Especially, it is not clear whether we can use it in the context of KDM security due to the circularity issue, as we explain later.

These are our results. We show the following two results. We show that a PKE scheme obtained by combining any variant of FO KEM with one-time pad as DEM satisfies KDM-CPA security in the QROM without square root loss. We also show that a PKE scheme obtained by combining a single variant of FO KEM with one-time pad then MAC as DEM satisfies KDM-CCA security in the QROM without square root loss. Concretely, for the first result, we can use T together with variants of U called U-bot and U-not-bot. For the second result, we can use T together with a variant of U called U-bot key confirmation. Also, for the second result, we require a mild injectivity assumption for the underlying IND-CPA secure PKE scheme.
This additional requirement is the same as that required in previous works that used the double-sided one-way to hiding lemma to prove the IND-CCA security of FO KEM.

Next, I will talk about the technical overview of this work. For simplicity, I will focus on KDM-CPA security. Bindel et al. showed that the one-way CPA security of T can be reduced to the IND-CPA security of the underlying PKE scheme without square root loss. Also, Kuchta et al. showed that the IND-CCA security of U can be reduced to the one-way CPA security of the underlying deterministic PKE scheme without square root loss by using the double-sided one-way to hiding lemma. Our goal is achieved if we can reduce the KDM-CPA security of the U plus one-time pad construction to the one-way CPA security of the underlying deterministic PKE scheme without square root loss by using the double-sided one-way to hiding lemma, similarly to Kuchta et al. However, we found that such a reduction seems difficult. More specifically, we found that it is difficult to amplify non-KDM security into KDM security without square root loss by using the double-sided one-way to hiding lemma due to the circularity issue. Essentially, we found that the double-sided property conflicts with the circularity issue in KDM security.

We solve this issue and obtain our result as follows. First, we show that the KDM-CPA security of the U plus one-time pad construction can be reduced to the KDM one-way security of the underlying deterministic PKE scheme without square root loss. Namely, by using U, we perform amplification from one-way security to IND security for KDM, not amplification from non-KDM security to KDM security. In this case, we can solve the circularity issue and use the double-sided one-way to hiding lemma to avoid square root loss. Then, we introduce a variant of T we call THKG and we show that the KDM one-way security of THKG can be reduced to the IND-CPA security of the underlying PKE scheme without square root loss.
Namely, by using THKG, we amplify non-KDM security to KDM security while downgrading IND security to one-way security. Our goal is one-way security starting from IND security. We can avoid square root loss by using the single-sided one-way to hiding lemma called the semi-classical one-way to hiding lemma proposed by Ambainis et al. Thus, there is no difficulty due to the circularity issue in this step since we use the single-sided one-way to hiding lemma, not the double-sided one. Finally, we show that the KDM-CPA security of the combination of THKG and U implies the KDM-CPA security of the combination of T and U, that is, the FO transformation, with essentially no security loss. By combining these, we can obtain our result.

In the rest of my talk, I will focus on our main technical contribution. Concretely, first, I will talk about the difficulty of amplifying non-KDM security to KDM security by using the double-sided one-way to hiding lemma. Then, I will explain that, on the other hand, we can amplify one-way security to IND security for KDM security without square root loss by using the double-sided one-way to hiding lemma.

Before talking about technical details, I will briefly introduce the U plus one-time pad construction and its simplified KDM security we will consider in the following. The U plus one-time pad construction is a simple hybrid encryption construction where the KEM is a deterministic PKE scheme and the DEM is a one-time pad using a random oracle, as described in the slide. Then, we consider a simplified KDM security for this construction that states that encryptions of f0 of sk and f1 of sk are indistinguishable for two fixed functions f0 and f1.

To see the aforementioned difficulty, I will first explain how we prove the KDM security of U plus one-time pad in the classical ROM. Intuitively, U plus one-time pad satisfies KDM security since the circularity is not an issue due to the uniformity of the output of the random oracle H.
In the classical ROM, we can easily prove that this intuition is correct as follows. We start with the original security experiment where an adversary is given the ciphertext Z, which is an encryption of fb of sk under the random coin S, as described in the slide. Also, in this experiment, the adversary can get access to the random oracle H. There is a circularity in this experiment. Then, we define a modified security experiment where the random oracle H is modified into the random oracle V so that there is no circularity. This is possible by programming the output of V on input S to be a uniformly random value that is independent of H of S. By using a tool called the difference lemma, we can bound the advantage gap caused by this random oracle programming by the probability that the adversary queries the programmed point S to the modified random oracle V. What is important here is that the right-hand side probability of this inequality is with respect to the experiment where there is no circularity. Roughly speaking, probabilities with respect to the experiment where there is no circularity can be bounded by using the one-way CPA security of the deterministic PKE scheme. This means that the KDM security of U plus one-time pad can be reduced to the one-way CPA security of the deterministic PKE scheme in the classical ROM. Of course, this reduction does not incur square root loss.

We now move on to the QROM case. Especially, we try to translate the proof in the classical ROM I just explained into that in the QROM. In the QROM, we cannot use the difference lemma due to the following reason. In the QROM, an adversary can get access to the random oracle in superposition, so the event that an adversary queries some input to the random oracle is not well defined. Thus, in the QROM, to justify random oracle programming, we use the one-way to hiding lemma. We have two variants. The first one is the single-sided one-way to hiding lemma.
It guarantees that there exists an extractor D such that the advantage gap caused by the random oracle programming can be bounded by the square root of the probability that the extractor D extracts the programmed point, getting access to the programmed random oracle. The other one is the double-sided one-way to hiding lemma. It guarantees that there exists an extractor D such that the advantage gap caused by the random oracle programming can be bounded by the probability that the extractor D extracts the programmed point, getting access to both pre-programmed and post-programmed random oracles. We see that to avoid square root loss, we need to use the double-sided one-way to hiding lemma to justify random oracle programming.

However, it is not straightforward to use the double-sided one-way to hiding lemma as an alternative to the difference lemma in the proof of KDM security due to the circularity issue. Suppose, similarly to the classical ROM case, we start from the original experiment where there is a circularity and consider a modified experiment where the random oracle H is programmed into V so that there is no circularity. By using the double-sided one-way to hiding lemma, the advantage gap caused by this random oracle programming can be bounded by the probability that some extractor D extracts the programmed point S, getting access to both random oracles H and V. However, differently from the classical ROM case, the right-hand side probability of the inequality is with respect to an experiment where there is circularity. If D can get access to only the random oracle V, there is no circularity. However, D can get access to the random oracle H too. H and Z together form a circularity as in the original experiment. Roughly speaking, the probability with respect to the experiment with circularity cannot be bounded by the one-way CPA security of the deterministic PKE scheme, thus we cannot complete the proof in the QROM case.
In summary, in the classical ROM case, we decompose the adversary's advantage into probabilities with respect to experiments with no circularity and we complete the proof by bounding those probabilities using the one-way CPA security of the deterministic PKE scheme. On the other hand, in the QROM, if we use the double-sided one-way to hiding lemma to avoid square root loss, it seems difficult to follow such a strategy. This is the difficulty for reducing the KDM security of U plus one-time pad to the one-way CPA security of the deterministic PKE scheme without square root loss.

Thus, as stated before, in the U plus one-time pad construction, we focus on amplification from one-way security to IND security for KDM security, not amplification from non-KDM security to KDM security. More precisely, we show that the KDM security of U plus one-time pad can be reduced to the KDM one-way security of the deterministic PKE scheme without square root loss. In fact, if the deterministic PKE scheme satisfies KDM one-way security, we can bound the right-hand side probability of this inequality obtained by applying the double-sided one-way to hiding lemma and we can complete the entire proof without square root loss.

Let's see how to do this. We show that a successful extractor D can be used to break the KDM one-way security of the deterministic PKE scheme. More precisely, we show that it can be used to compute G of sk from an encryption of G of sk, where G is a function that outputs S XOR X on input X. Towards this goal, we gradually change the view of the extractor D. We focus on the input ciphertext Z and the random oracle H, since they form the circularity. We first change Z and H into Z prime and H prime respectively, as described in the slide. This is a simple change of variables. Concretely, we replace H of S with U XOR fb of sk for uniformly random U, and we replace S with S XOR sk, that is, G of sk.
Since U and S are uniformly at random, the distribution of Z prime and H prime is exactly the same as that of Z and H. According to this change, what we have to estimate is now the probability that D outputs G of sk. Next, we define fb-hat of X as a function that outputs fb of X XOR S. Then, we further change the random oracle H prime into H2 prime, as described in the slide. From the correctness of the deterministic PKE scheme, except with negligible probability, the if condition in H2 prime is satisfied by only G of sk. Also, we can check that given G of sk as an input, H2 prime outputs U XOR fb of sk, that is, H prime of G of sk. From the definition of the function fb-hat, such H prime and H2 prime are in fact functionally equivalent. Now, the view of D, that is, Z prime and H2 prime, can be simulated from an encryption of G of sk by the deterministic PKE scheme. Also, a successful extractor D outputs G of sk from them. This means that a successful D can be used to break the KDM one-way security of the deterministic PKE scheme.

I explained that the KDM security of U plus one-time pad can be reduced to the KDM one-way security of the deterministic PKE scheme without square root loss by using the double-sided one-way to hiding lemma. As stated before, it is enough in order to prove the KDM security of the FO transformation without square root loss. For the remaining parts, please see our paper.

Finally, I will make some remarks on the technical details I explained in this talk. First, I focused on a simplified setting where there is only a single KDM function pair and it is fixed beforehand. But in the actual proof, we have to deal with multiple KDM function pairs adaptively chosen by an adversary. To handle this issue, we use the adaptive programming technique for the QROM proposed by Unruh. Also, in this talk, I focused on the setting where there is only a single key pair, but in the actual proof, we considered the setting where there are multiple key pairs.
To handle this issue, we introduce a security notion we call seed-dependent message one-way security for deterministic PKE schemes and use it instead of KDM one-way security. Finally, the technique I explained in this talk can be used to prove the KDM-CCA security of the FO transformation without square root loss. Our technique can be successfully combined with the proof technique used by the previous works that showed the IND-CCA security of the FO transformation without square root loss by using the double-sided one-way to hiding lemma.

This is the end of my talk. Thank you for your attention.
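
The simulation step described in the talk (the view Z prime, H2 prime built from an encryption of G of sk) can be checked concretely; the following Python example is added here and is not code from the talk or the paper. It assumes textbook RSA with toy primes as the deterministic PKE scheme, SHAKE-256 as the random oracle H, a 64-bit S, and the function pair f0 (identity) and f1 (constant zero); all function names are hypothetical.

```python
import hashlib
import secrets

# Assumption: textbook RSA with toy Mersenne primes stands in for the
# deterministic PKE scheme. Constructed parameters, no real security.
P, Q, E = 2**61 - 1, 2**31 - 1, 65537
N = P * Q
SK = pow(E, -1, (P - 1) * (Q - 1))  # secret key, viewed as a bit string

def enc(m):
    """Deterministic encryption, injective on [0, N)."""
    return pow(m, E, N)

def H(x):
    """Stand-in for the random oracle: SHAKE-256 with 96-bit output."""
    return int.from_bytes(hashlib.shake_256(x.to_bytes(12, "big")).digest(12), "big")

def f0(sk):  # constructed KDM function pair: identity and constant zero
    return sk

def f1(sk):
    return 0

def real_view(fb, S):
    """Original experiment: Z = (Enc(S), H(S) XOR fb(sk)), oracle H."""
    return (enc(S), H(S) ^ fb(SK)), H

def simulated_view(ct, fb, S, U):
    """View (Z', H2') built from ct = Enc(G(sk)) alone; SK is never read."""
    def fb_hat(x):
        return fb(x ^ S)
    def H2(x):
        if enc(x) == ct:          # true only for x = G(sk) = S XOR sk
            return U ^ fb_hat(x)  # equals U XOR fb(sk) at that point
        return H(x)
    return (ct, U), H2

def decrypt(Z, oracle):
    """U plus one-time pad decryption relative to the given oracle."""
    return Z[1] ^ oracle(pow(Z[0], SK, N))

def check(fb):
    # A 64-bit S keeps S XOR SK below N for these parameters.
    S, U = secrets.randbits(64), secrets.randbits(96)
    ct = enc(S ^ SK)              # KDM one-way challenge: Enc(G(sk))
    Z, H2 = simulated_view(ct, fb, S, U)
    return decrypt(Z, H2) == fb(SK) and H2(S) == H(S)
```

`check` returning true means the simulated pair is a well-formed encryption of fb of sk under the coin G of sk, even though `simulated_view` only ever sees the ciphertext.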