Thanks for the introduction. Hi everyone, I'm Navid, and I'm going to talk about separations of CPA and circular security for any cycle length. This talk is based on two independent works, one by me and Chris Peikert and one by Venkata Koppula and Brent Waters. Okay, let's get started.

Back to classical notions of security, we have two well-known definitions. One is CPA security, which says that encryptions of adversarially chosen messages are computationally indistinguishable. You know, the attacker submits two messages and receives the challenge ciphertext, and it has to determine which one is encrypted under the public key. And one is CCA security, which is defined similarly except that the attacker has access to the decryption oracle. So the question is what is common in both of these definitions, and the point is that both of these notions only consider the messages that can be generated by the attacker.

So let's consider a situation in which we have encryption of secret keys. In this figure, each directed edge shows that the tail's secret key is encrypted under the head's public key. For example, an edge from Bob to Alice shows that Bob's secret key is encrypted under Alice's public key. So as long as there is no cycle, we can say that CPA security of each individual encryption scheme suffices for the CPA security of the whole system. This is observed by Goldwasser and Micali, and now the question becomes: what if we have a cycle?

To answer the question of what if we have a cycle, it turns out that the hybrid argument breaks in this setting and we have uncertain security in general. So it might be secure or it might not be. To see that this example is not just a superficial thing, we have a few applications which use key cycles, like password managers and disk encryption utilities, anonymous credential schemes, which were introduced by Camenisch and Lysyanskaya, and proving computational soundness of symbolic protocols by Adão et al.
And more recently, and maybe the most famous example, is the bootstrapping technique for obtaining unbounded fully homomorphic encryption by Gentry.

So what kind of definition captures this requirement? Let's see. We say that a public-key encryption scheme is k-circular secure if an encryption cycle is indistinguishable from encryption of a junk message. So in other words, if you encrypt the first secret key under the second public key, the second secret key under the third public key, and so forth, and then, cycling back, the k-th secret key under the first public key, it should be indistinguishable from encryption of all zeros. This definition can also be strengthened to key-dependent message security, which considers functions of one or more secret keys.

Now the main question becomes: does CPA or CCA imply k-circular security? The answer is negative, and we have a few separations based on different assumptions. Let's have a look at prior separations. We have this folklore result for 1-circular security, which says that any CPA-secure scheme can be transformed into one that is still CPA secure but not 1-circular secure. For k equals 2, there are separations based on standard assumptions. Earlier works were based on the SXDH assumption on bilinear groups, and more recently we have counterexamples from learning with errors and the decision linear assumption. And then, despite good progress for k equals 2, the only known separations for k equals 2 are based on somewhat strong obfuscation assumptions. One uses virtual black-box obfuscation, for which they later refined their scheme to rely on IO, and one uses indistinguishability obfuscation. Okay?

The question is: can we get rid of obfuscation assumptions for the case k equals 2? And here is the main theorem, which asserts that for any k greater than one, there exist CPA-secure schemes which are not k-circular secure, based on learning with errors and its ring variant for n-to-the-k approximation factors.
These are the first separations for k greater than 2 that do not rely on obfuscation assumptions, and the constructions are not specific to just k. They are also k-prime-circular insecure for k-prime less than k. We use a few new techniques to achieve these results, such as telescoping products for learning with errors, which is sort of the main idea in both works, and tensored LWE to get commutativity of the LWE secrets.

Here we see features of both constructions at a glance. The Alamati-Peikert constructions, which we also call AP constructions, are somewhat simple and direct, especially in the ring setting. We will see it soon, whereas the KW constructions are more complicated. However, that comes with some benefits. The AP constructions have smaller public keys, secret keys and ciphertexts in the ring setting, whereas the KW construction is more efficient in the plain LWE version, and the AP constructions use a common random string, whereas the KW construction has no common random string. And finally, the AP constructions handle just constant cycle length in the plain LWE version, whereas the KW construction handles polynomial cycle length.

Okay, before going into the construction, let's see a useful abstraction which is called a cycle tester and was introduced by Bishop, Hohenberger and Waters. We say that the tuple of randomized algorithms Gen, Enc and Test together is a cycle tester when Gen and Enc are CPA secure. Note that the definition of CPA security does not involve any decryption algorithm, so we are not concerned with decryption. And given k public keys and the corresponding ciphertexts, Test distinguishes cycles from non-cycles with noticeable advantage. Here is the algorithm from BHW15 which simplifies our job to make a counterexample. It says that a k-cycle tester plus essentially any CPA-secure or CCA-secure scheme implies a separation of k-circular from CPA or CCA security, and again, by separation we mean a scheme which is CPA or CCA secure but not k-circular secure.

Okay, let's have a quick review of lattice trapdoors.
GenTrap is a randomized algorithm which uses A bar as the common random string and R as random coins, which we also call the trapdoor, to generate a matrix A, where A has A bar as its prefix. Once you know the trapdoor for the matrix A, it allows you to compute a short random x such that A x equals any arbitrary right-hand side. Note that this inverse operation is not a normal inverse operation; it's rather a randomized procedure. And finally, this A inverse operation is also known as Gaussian preimage sampling, which has been used in many cryptographic contexts.

Now let's get into the construction. Here the message space is identical to the secret key space. First, to set up, we sample a uniform A bar as the common random string. Key generation is very simple. To generate a key, you sample a trapdoor from the randomness space and then you run GenTrap on A bar and R. So A is our public key and R is our secret key. The encryption algorithm is more interesting. To encrypt a message, which we view as a trapdoor, under public key A, we run GenTrap on A bar and the message to get the matrix A tilde, and then we choose a short matrix S. So the ciphertext would be A tilde inverse of noisy S A, or we can view it as a Gaussian preimage of an LWE sample for which S is the short secret. And finally, to test the cycle, we simply compare prefixes of two products, where each product is one public key multiplied by all of the ciphertexts. Note that here the two public keys are arbitrary, and we can use any two different public keys as long as they have different indices.

Okay, let's see why the cycle tester works. First, when we encrypt the secret key R i minus one under the next public key A i, we run GenTrap on A bar and R i minus one to get A i minus one, and then the ciphertext would be A i minus one inverse of noisy S i A i, or again the ciphertext can be viewed as a Gaussian preimage of a noisy LWE sample. Okay, let's see what the cycle tester computes.
If we have a look at the telescoping product for k equals 3, in the first line we could rewrite C0 as A2 inverse of S0 A0. Here we see that A2 and A2 inverse annihilate each other, and what is left is S0 A0 C1 C2, up to small noise. In the second line, again, we can rewrite C1 as A0 inverse of S1 A1, and then A0 and A0 inverse annihilate each other, and then, doing similarly, finally we get S0 S1 S2 A2. If we do the same thing similarly for the other chunk, what we get is S1 S2 S0 A0. So the tester gets almost equal chunks, except with different public keys and a different order, but it's not so difficult to address these issues. The first point is that, thanks to GenTrap, all of the public keys have the common prefix A bar, and the second point is that in ring-LWE we know that the si correspond to ring elements, so they commute under multiplication. So that's why the cycle tester works in the ring setting.

However, unlike other cryptographic constructions, the ring-based version does not immediately translate into plain LWE, mainly because the matrices si do not commute. Using the tensoring technique for LWE, we get commutativity of the si, and then consequently we get the plain LWE construction. I'm not going to get into that because of time, but you can refer to the paper to see more details. Now I want Venkata to continue the talk on the KW construction. Thanks.

Hi, so this separation will be based on joint work with Brent Waters, and in this part we show an LWE-based encryption scheme which is not k-circular secure, and this k could be any polynomial in the security parameter. And while both separations have some common features, the two constructions are inherently different, and as a result each has its own pros and cons. In particular, our scheme is more complicated, but it does not require the common random string, does not require commutativity, and can handle poly-length cycles.

So as a warm-up, I'll first present a separation for k equals 1, and as Navid mentioned, separation for k equals 1 is pretty trivial.
You can convert any IND-CPA scheme into one that is still IND-CPA secure but not 1-circular secure. But the reason I'm presenting this is because it has more structure and it will lead to a more general k-circular security counterexample. So we need to present three algorithms: the key generation, encryption and the testing algorithm.

First, the key generation. This chooses a large number of random matrices r1 to rl and uses each of these matrices as randomness for generating the ai matrices using the GenTrap algorithm. Next, it chooses a large number of matrices x1 to xl and plus-minus-1 scalars y1 to yl, which are random subject to the condition that summation yi times xi is equal to 0. The public key consists of 2l matrices: the first l are yi times ai's and the remaining l are the xi matrices. And the secret key is simply the randomness used for generating the ai's.

Given this public key, let's see how the encryption works. For encryption, each message consists of l components, and each of these components is used as randomness for GenTrap. So each of these components mi gives us a matrix zi. Next, you choose a short matrix s, and the ciphertext consists of l components, where the ith component is zi inverse of an approximation of s times xi.

So given this public key and the ciphertext, let's now see how the test algorithm works. The test algorithm is really simple. It takes the ith component of the public key, multiplies it with the ith component of the ciphertext, and then checks if the sum is close to zero. To see why this works, let's look at the encryption of the secret key. So the ith component is ai inverse of an approximation of s times xi. So now if you multiply this ith component with the ith component of the public key, you'll get yi times ai times ai inverse of s times xi. So this is nothing but yi times s times xi. So if you sum them all up, it is approximately s times summation yi xi, which is equal to zero.
So in this way, if you have an encryption of the secret key, then the test algorithm outputs zero or a short matrix, and instead, if you have an encryption of zeros, then the final matrix that you get is some large matrix, and hence you can distinguish between the two scenarios.

So now, how do we go from k equals 1 to k greater than 1? For this we need to modify our construction. In our scheme, the key generation and the encryption algorithms will have two modes of operation, and the test algorithm will be using the first public key and the k ciphertexts. So this is what it will look like, and for simplicity, for now, let's assume that the first public key and the first ciphertext are of the form that we've already seen. The remaining ciphertexts are computed in such a manner that if they form an encryption of the secret key, then if you combine each column, you get yi times xi for each column. So if these form encryptions of the secret key, then if you combine each column, at the bottom you get some matrix times yi times xi. So actually the main action is happening only with the first public key and the first ciphertext. The other ciphertexts are merely propagating the yi values.

So let's see how to implement this. For this we will first extend the cycle tester framework of BHW to have two special modes, called the leader mode and the follower mode, and the leader mode is what we've already seen. So in this abstraction we have five algorithms: two for the leader mode, two for the follower mode, and one tester algorithm. The key generation and the encryption algorithms work as expected. The key generation gives out public keys and secret keys, and the encryption gives out ciphertexts. And we require IND-CPA security for both the leader mode and the follower mode, and the test algorithm must be able to distinguish between k-cycles and encryptions of non-cycles if the first public key and the ciphertext are in the leader mode.
So if we can construct these five algorithms, then it's easy to see how this implies a k-cycle tester. I won't talk about that in this talk, but it's easy to transform the k-cycle tester with the leader-follower setup to the BHW k-cycle tester.

So let's now look at the five algorithms. First we'll look at the leader mode, which is very similar to the 1-cycle separation that we've already seen. The key generation algorithm chooses a bunch of matrices using the GenTrap algorithm, and then it chooses the xi matrices and these yi scalars and constructs the public key as shown. And the leader encryption algorithm is also as we've seen: we'll use the message components as randomness for GenTrap, compute the zi matrices, choose a short matrix, and the ciphertext consists of zi inverse of an approximation of s times xi.

The follower mode is also really simple. To generate a follower mode public key, you first choose l matrices using the GenTrap algorithm. These matrices correspond to the public key, and the randomness is the secret key. And finally, the encryption algorithm uses the message components as the randomness for GenTrap, it computes the matrix zi, chooses a short matrix s, and the ciphertext consists of zi inverse of s times ai. So note that this is very similar to the leader encryption, except that we are using s times ai instead of s times xi.

For the test algorithm, we have the first public key and the k ciphertexts, we compute the product of each column, and then check if the sum of the products is close to zero. To see why this works, let's look at the case for k equals 3. We have the three public keys, where the first one is in the leader mode and the remaining two are in the follower mode, and we have the three ciphertexts, where the first two ciphertexts are in the follower mode and the last one is in the leader mode. So now let's look at the first ciphertext, which is an encryption of sk1 using pk2.
This is nothing but a1i inverse of an approximation of s2 times a21. Similarly, the second ciphertext, ct3, consists of components of the form a2i inverse of an approximation of s3 times a31. The last one is in the leader mode, and it is a31 inverse of a3i inverse of an approximation of s1 times xi. So now if you multiply each column, let's look at the first column: if you multiply the first two terms, you get y1 times s2 times a21, then multiply that with the third term and you get y1 times s2 s3 times a31, and then if you multiply all of them you get y1 times s2 s3 s1 times x1, and so on, up to yl times s2 s3 s1 times xl. So if you sum these all up, the sum is close to zero because summation yi times xi is zero. So that concludes the construction. I won't talk about the proof.

To conclude, we show separations between CPA and CCA security and k-circular security, and some of the techniques used are telescoping products and tensoring LWE. And looking back, testing cycles can be seen as a very simple form of computation on encrypted data. So a natural question is: can we use these techniques for richer computations on encrypted data? That concludes the talk. Thank you.