 opening security in the previous talk as well. Yeah, my co-authors are Viet Thanh Hoang, Jonathan Katz, and Mohamed Zahary. So just to give an outline of the talk, first I'll cover background and motivation. I'll cover selective opening security for what's called non-space pke, non-space pke. There's a type of public key encryption that's designed to be robust to randomness failures. I'll talk about what I mean by randomness failures. And then we'll talk about lifting the results to the hedged setting. I'll talk about what the hedged setting is, and then conclusions and open problems. Okay, so what's the motivation? The motivation for our work is, like, consider a situation where you have a receiver with a secret key, and you have various parties encrypting messages to the receiver. Okay? And you have an adversary that wants to know what these messages are, so sees the ciphertext and wants to know what the underlying messages are. Okay, so what can the adversary do? Well, one thing it can do is try to subvert the pseudo-random number generator that the encryptors are using. So try to get it, like, you know, influenced standards or something to make it so that the adversary has a backdoor to the pseudo-random number generator that they're used to generate coins for the encryption algorithm. And then it would be able to recover the messages, or at least have an easier time than if it was not subverted. And the other thing that the adversary can do here is try to break into sender's machines. So here the adversary can recover also the randomness that's used to generate an encryption if it breaks into a sender's machine. In general, other auxiliary information can be recovered related to the messages. Okay, and, you know, an important caveat here is that our goal in protecting against break-ins is not going to be to protect the privacy of messages contained in a machine that was broken into, but rather the other messages, right? So this is similar to what was covered in the previous talk, right, where we care about privacy of the messages for the senders that we're not broken into. And, right, so the point is that we can protect against both of these attacks using appropriate encryption schemes. So there's deterministic, hedged, non-space, PKE. You don't need to know what these are. These are just different types of encryption schemes that are designed to protect against pseudo-random number generator subversion to provide some robustness to this. And you can use selective opening secure encryption schemes to protect against the after effects of break-ins. Again, if the adversary breaks into a particular sender's machine, we give up privacy of that sender's message, but we want to protect the privacy of the other senders that weren't broken into. And in this work, what we want to do is we want to protect against both types of attacks simultaneously. This is a very natural goal because basically different senders can be targeted in different ways, right? So we wouldn't want to only protect against one type of attack or the other. We want encryption schemes that are robust to both types of attacks. Okay? Make sense? Okay, so what is the main theme and results? So the main theme is that can we define encryption schemes and construct encryption schemes that are secure against both pseudo-random number generator subversion and break-ins? And we'll see that the answer is yes. What we do basically in this work is we treat selective opening security of deterministic hedged and non-space pke. And again, deterministic hedged and non-space pke are particular types of public key encryption schemes that are designed to be robust to randomness failures. Okay, so this is basically we add in selective opening security to these types of encryption schemes. Okay? In fact, one of our contributions is defining hedged non-space pke. You know, hedged, and again I haven't covered what these things are, but hedged and non-space pke are kind of different primitive useful in different scenarios. And one of our contributions is to unify these primitives. So we define something called hedged non-space pke, subsuming all of the primitives that have been considered for robustness to randomness failures. And we define and achieve selective opening security for it. Okay. So let me talk a bit about selective opening security for non-space pke. So non-space pke is a relatively recent notion that was defined by Bilari and Takman in 2016. And here what happens is each sender chooses a seed, and encryption does not use randomness, but rather a seed and a nonce. Okay, so now, in addition to the usual key generation algorithm, you have a seed generation algorithm, which outputs a seed. And think of this as a seed for the pseudo-random number generator that the encryptor is going to use to encrypt messages. So now encryption, you can think of it as like a deterministic algorithm that's given the nonce and the seed of the sender. And encryption is oblivious to the nonce and the seed. It works as normal. And what Bilari and Takman define is that security should hold either if the seed is secret and nonces are unique or if the seed is revealed but nonces have high entropy. Okay, so this provides some sort of hardening on the sender side to pseudo-random number generator subversion. Right, because now basically the seed only needs to be generated once, and you can use high-quality randomness for it, so it's harder to subvert the pseudo-random number generator of the sender. Okay. So we're going to define selective opening security for non-space pke. In order to do that, we'll consider a message sampler m that outputs a vector of messages, and we further define what's called mu d entropic message samplers where each message has a monetropy mu condition on any d others. So these are just notions that we need in defining selective opening security for non-space pke. And we also need to consider conditionally resamplable message samplers where any subset of messages can be efficiently resampled condition on the others. Okay, so these will be used in the security game for defining selective opening security for non-space pke. The intuition for the definition is that we test whether the adversary can compute a function of the real messages better than it can compute a function of the messages after conditional resampling. The conditional resampling is conditional on the messages that will reveal to the adversary. Make sense? Okay. Okay, so we have this game. So consider a non-space pke scheme and a conditionally resamplable high entropy, a conditionally resamplable message sampler and a high entropy nonce generator and a function f. The function f is the partial information function that the adversary is going to try to compute about the messages. And the experiment works as follows. The challenger generates a public key and secret key for the non-space encryption scheme. And there's going to be n senders. And just for simplicity, we'll say there's also n messages. So each sender has only one message. So there's n seeds and n messages. And the adversary gets the public key. And it will specify a subset j of senders for which it wants to know the seeds. And the adversary will generate nonces for the senders outside the set. So subject to the constraint, I guess, that the nonces should be unique. The adversary can choose the nonces for the senders for which it does not know the seed as it likes. And the challenger will choose the nonces for the remaining senders. And these will be sampled using a high entropy nonce sampler. So this ciphertext will then go to the adversary. The adversary will select a subset i of the ciphertext. And what we require is that if m is mu d entropic, then the size of i is at most d. So what that means is that if you have conditional entropy for all messages conditioned on d others, you'll need that you open at most d ciphertext. So this means the remaining messages are unpredictable to the adversary. And so in response to that, the challenger gives the messages, the seeds and the nonces for all of these corrupted senders. And the adversary then outputs a guess. This guess is its guess for f of the messages. And again, we test whether the adversary outputs a guess g, which is more likely to be f applied to the actual encrypted messages, so m1 through mn, as opposed to f of a resampling of the messages conditioned on the open messages. And we have this notion n-s-o-c-p-a, which just means selective opening security for non-space p-k-e. And that means that these happen with about the same probability. So the adversary is not really getting any more information about the unopened messages that it would just from seeing the open messages themselves. The question in selective opening security is whether the ciphertext of the open messages get more information. So we have a construction of such a non-space encryption scheme. Our starting point for the construction is the Balarian-Tachman construction of a non-space encryption scheme where you use an underlying randomized public key encryption scheme with synthetic coins. So instead of using truly random coins, you derive what we could call synthetic coins as the hash of the c, the nonce, and the message. What we do here is we use the same construction but with a particular randomized encryption scheme based on lossy trapdoor functions. So I don't want to go into too many details of this lossy trapdoor functions. If you don't know what they are, they're basically trapdoor functions with two key generation modes. One key generation mode generates evaluation keys that induce an injective function under eval. And the other key generation mode outputs, that should say ek prime, the evaluation function is many to one. And these are indistinguishable, these evaluation keys. And a nice thing in terms of practical constructions is that RSA and rabin trapdoor permutations are known to be lossy under suitable assumptions. So what our non-space encryption scheme does is it just uses a uniform seed and encrypts. This is like basically, I mean, it's a classical construction from the picard and water's paper on lossy trapdoor functions. How to encrypt using a lossy trapdoor function. But again, we derive randomness from the seed, nonce, and message using a hash function. So it's kind of a de-randomized version of picard and water's construction. And what we show is that this construction is NSOCPA, which again is the SOA security notion for non-space pKa. We show that this construction meets it in the non-programmable random oracle model. I guess why I'm making a big deal about the fact that it's the non-programmable random oracle model is that typically we don't like to use the programmable random oracle model when we're considering like non-committing or a selective opening secure encryption because it kind of obviates the problem. So we use the random oracle model in this paper, and as a result get practical constructions, but it's the non-programmable random oracle model which gives some non-triviality to the results. Okay. And then so what's the intuition for such a proof? So if we switch to the lossy key generation, it's unlikely that the adversary will query any randomness value underlying the image of the lossy trapdoor function, and this means that the corrupted indices i will be independent of the messages. And if you have that the corrupted indices are independent of the messages, you kind of can prove security easily. The hard thing about proving selective opening security is that the choice of the messages to corrupt or the ciphertext to corrupt can depend adaptively on the messages. Right. Okay. So now let's talk about lifting the results to the hedge setting. So what is the hedge setting? So hedge security for public encryption is another way of getting robustness to randomness failures, which is to say robustness to subversion of the pseudo-random number generator that the senders would be using. And in this context what it means is that we would like to guarantee security as long as the sender's seed nonce and message jointly have high entropy. So, you know, even if the seed and nonce are completely predictable to the adversary, but the message itself has entropy, we'd still like security to be achieved in that case. Okay. And so an interesting thing here is this strengthens security provided by nonce-based pke even in the non-SOA setting. So even without considering selective opening security, if you ask that security is achieved as long as the seed, nonce, and message jointly have high entropy, you're getting more security than what ballerian tacman define even in the non-SOA setting. Okay. But we're going to treat it in the SOA setting. I mean, that's the theme of our work. And so how we achieve it... Oh, so I won't go through the details of the resulting notion, which is called HN for hedge nonce SOCPA. But you can imagine how it might be defined. And the way we achieve it is we compose a nonce-based pke scheme with a deterministic pke scheme. A deterministic pke scheme uses no nonce, no randomness, just encrypts a message. It's like a trapdoor function. It just encrypts a message. Just, you know, the security requirement is more than what you typically want for trapdoor functions. And so what we need is we need to define SOA security for deterministic public key encryption, right? So again, we consider a game, and the game will generate public key and secret key N messages and encrypt these N messages. So this game is a bit simpler than the game for SOA security for nonce-based pke. So maybe I should have sided with this, but I didn't. And so the adversary receives the public key and the N ciphertext, selects subset i of 1 through N to corrupt and gets the messages back. And the adversary then gives a guess g for f applied to the messages. And again, what we test is whether g is more likely to be f applied to the real vector of messages rather than a conditional resampling conditioned on the open messages. An interesting thing here is there was a paper, I think, in pkc last year that showed a selective simulation based selective opening security for deterministic encryption is impossible to achieve. And it gave as an open question how to define an achievable and meaningful notion of selective opening security for deterministic encryption. This is a paper called how secure is deterministic encryption by Bellari et al. And so this definition is one possible answer to this open question. So that's an interesting aside. And so now that we have this definition, we can achieve it again. It's basically a de-randomized version of the nonce-based pke scheme that we used before. So it's using lossy trapdoor functions. And the piker waters construction of pke from lossy trapdoor functions, but de-randomized using a hash function. And so let me just skip this. This just says that basically this construction achieves a de-SOCPA, which is SOA security for deterministic public encryption in the non-programmable random oracle model. The proof involves some subtleties, kind of interesting that the corrupted set I can depend on the public key. And in the context of deterministic public key encryption, you kind of get into trouble when things can depend on the public key. But anyway, we can overcome that. So now let me just show you the nonce and deterministic transform. So this is a way of achieving hedged nonce SOA security for public key encryption by composing a nonce-based pke scheme with a deterministic pke scheme. The intuition here is that as long as the message nonce and seed jointly have entropy, the ciphertext produced by the nonce-based encryption scheme is going to have entropy. And so that'll get picked up by the deterministic encryption scheme. And the deterministic encryption scheme will provide security in that case. So you need a condition that the nonce-based pke scheme is entropy preserving, meaning that the ciphertext preserve entropy of the message nonce and seed. Okay? But otherwise, things kind of go as expected. So let me just wrap up, give a conclusion and some open questions. So what we did in this work is we treated selective opening security of particular types of public key encryption schemes that are designed to be robust to randomness failures, meaning some version of the pseudo-random number generator that the centers are using. And kind of our thesis is that SOA security is natural to consider in tandem with randomness failures because they both represent ways that an adversary can target senders and try to uncover the messages that the centers are communicating in an encrypted way to a receiver. One nice open question from our paper is to construct standard model schemes rather than non-programmable. So all the schemes that we construct in the paper are in the non-programmable random oracle model. And so an open question is to construct standard model, meaning don't use random oracles at all. And another interesting question, which is a bit more esoteric, is whether simulation-based security for SOA security for non-space PKE is achievable. As I mentioned, there's a paper last year or the year before showing that for deterministic public key encryption, simulation-based SOA security is not achievable, but that proof, as far as we can tell, doesn't extend to non-space PKE. So it's an open question whether simulation-based SOA security can be achieved for non-space PKE. With that, I'll conclude and take any questions. Thank you. Actually, we are out of time, so if you have questions for him, please do it offline. So let's thank Adam and all the speakers in the session and all of you.