Hello, I'm Shuai Han. I'm going to talk about key encapsulation mechanism with tight enhanced security in the multi-user setting: impossibility results and optimal tightness. This is a joint work with Shengli Liu and Dawu Gu. In this talk, we will first recall the syntax of KEM and its enhanced security, and recall existing impossibility results on tight security. Then we will introduce our new technical tool called KEM's rank and show how to use it to obtain our impossibility results. First, let us recall KEM. Key encapsulation mechanism, or KEM for short, is a public key cryptographic primitive. A KEM has three probabilistic polynomial time algorithms. With the key generation algorithm, Alice generates a pair of public key and secret key, and publishes her public key pk. With Alice's public key pk, Bob can invoke the encapsulation algorithm to produce an encapsulated key and a ciphertext, and send the ciphertext c to Alice. After receiving c, Alice can use her own secret key to decapsulate c and recover the encapsulated key k by invoking the decapsulation algorithm. This way, Alice and Bob establish a shared encapsulated key k and can keep it for later use. KEM has many applications, such as in constructing public key encryption, authenticated key exchange protocols, etc. In real-world scenarios, there might be many users, each of them generates their own keys, and any two of them might communicate and send many ciphertexts to each other. This is called the multi-user setting. In this setting, an adversary is able to see all users' public keys and all ciphertexts sent over the public channels. Moreover, a powerful adversary may even corrupt some users and obtain their secret keys, and may obtain some keys encapsulated in some ciphertexts. The security of KEM would ask the unrevealed keys under uncorrupted users to look random. Such a strong yet realistic security is called enhanced security in our work.
We formalize two enhanced security notions, enhanced CPA and enhanced CCA. In the enhanced CPA security model, an adversary can obtain all users' public keys. Then it can issue several kinds of queries. Through encap queries, the adversary can obtain newly generated ciphertexts c_i from the challenger. Then the adversary can ask to reveal the key k_i encapsulated in c_i through key reveal queries. The adversary can also adaptively corrupt some users and obtain their secret keys sk_i. For unrevealed keys under uncorrupted secret keys, the adversary can ask test queries and receive a challenge, which is either the real key k_j encapsulated in c_j or a uniformly independent key, depending on the challenge bit b. Finally, A outputs a guessing bit b'. The probability that b' equals b should be negligibly close to 1/2. To prove the security of a cryptographic scheme like KEM, a common way is to base the scheme's security on the hardness of a well-studied problem through a security reduction. A security reduction turns any adversary A running in time t_A and breaking the scheme's security with advantage epsilon_A into an adversary B running in time t_B and solving the hard problem with advantage epsilon_B. A reduction establishes an inequality between t_B over epsilon_B and t_A over epsilon_A with a factor L. The L, called the security loss factor, measures the quality of the reduction, and the smaller the better. It is desirable to have L be a constant. If a cryptographic scheme has a security reduction with a constant loss factor, then we say it has tight security. It is desirable to have tightly secure schemes. However, many existing works proved impossibility results on the tight security of many primitives. For example, Morgan-Pass-Shi showed that for deterministic message authentication codes and deterministic digital signatures, it is impossible to achieve tight security under adaptive corruptions from bounded-round assumptions.
For digital signature, public key encryption, and KEM, starting from the seminal work by Coron, there is a line of research, including Kakvi-Kiltz and Bader-Jager-Li-Schäge, showing that tight security under adaptive corruption is impossible to achieve if the relation between pk and sk is checkable and one of the following two conditions holds. The first condition requires that sk has key uniqueness. Namely, for every pk, there exists at most one sk corresponding to it. The second condition requires that sk has key re-randomizability. Namely, given one sk, one can efficiently sample a uniform sk' from all secret keys corresponding to the same pk. Existing impossibility results rule out tight security under adaptive corruption for some KEMs, thus also their tight enhanced security. For example, the ElGamal KEM satisfies key uniqueness: each pk has a unique sk, thus it is impossible for the ElGamal KEM to have tight enhanced security. However, for many well-known KEMs, including the most efficient Cramer-Shoup and Kurosawa-Desmedt KEMs from the Decisional Diffie-Hellman assumption, their sk has neither key uniqueness nor key re-randomizability. For example, their pk equals g1^x1 times g2^x2. There are many secret keys (x1, x2) corresponding to a single pk. However, it is inefficient to do re-randomization unless the discrete logarithm between g1 and g2 is easy to solve. Therefore, for many well-known KEMs, we do not know from existing works whether they have tight enhanced security or not. Determining whether tightness impossibility holds for such KEM schemes needs new techniques. Next, we show our main technical tool in this work called KEM's rank, which is crucial in establishing our impossibility results. Firstly, we study the equivalence of secret keys for KEM schemes when decapsulating a set of ciphertexts X. For a set of ciphertexts X consisting of c_1, c_2, ..., c_Q, we define an equivalence relation on the secret key space: sk and sk' are decap-equivalent with respect to X
if for every ciphertext c in X, the decapsulation of c using sk equals the decapsulation of c using sk'. In other words, sk and sk' have the same decapsulation functionality on the whole ciphertext set X. With this decap-equivalence relation, we can partition the secret key space into many equivalence classes. With different X, we may have different equivalence relations on the secret key space. In particular, with more ciphertexts in X, it may partition the secret key space into more equivalence classes, and with fewer ciphertexts in X, it may partition the secret key space into fewer equivalence classes. For a set X and an element c_1 in X, if X defines a strictly finer equivalence relation than X minus {c_1}, then we call c_1 an independent element in X. There is another situation, that X defines exactly the same equivalence relation as X minus {c_1}. In this case, we call c_1 a dependent element in X. So, starting from a ciphertext set X, we can drop all dependent elements in it without changing the equivalence relation it defines. In the end, all elements left are independent elements. Then we call the resulting subset X' of X an independent set. X' is a subset of X, but it consists of only independent elements and defines the same equivalence relation as X. For a set X, it might have many independent subsets X'. We define the rank of X as the size of the largest independent set of X. By taking X as the whole ciphertext space CT, we define the rank of KEM, which is the rank of the ciphertext space of KEM, and equals the size of the largest independent set of the whole ciphertext space. Intuitively, the relation between an independent set and CT is analogous to the relation between a basis and a linear space, and the rank of KEM is analogous to the size of a basis of a linear space, namely the dimension of the linear space.
However, we note that in general, the decapsulation algorithm of a KEM is not a linear function, especially for CCA-secure KEMs. So the rank of KEM is different from the dimension of CT, even if CT is indeed a linear space. With the notion of rank, we establish a core technical lemma, which says that if we uniformly pick a ciphertext c from X, the probability that X minus {c} and X define the same equivalence relation, i.e., c is dependent in X, is at least 1 minus KEM's rank over the size of X. Finally, we show how we establish our impossibility results using our technical tool KEM's rank. Our impossibility result is built upon a line of research using meta-reductions, starting from Coron at Eurocrypt 02. The high-level idea of the meta-reduction paradigm works as follows. It considers any reduction algorithm R from the enhanced security of KEM to any non-interactive hard problem. Firstly, we will construct a hypothetical inefficient adversary A* that breaks the security of the primitive with advantage epsilon_A*. Then, by the security reduction R, which interacts with the hypothetical A*, we get a lower bound on the security loss factor L by A*'s advantage over R's advantage. Finally, we will construct an efficient meta-reduction algorithm B, which emulates A* while running R. Suppose that B perfectly emulates the interaction between R and A*, except with probability delta. Then the lower bound of L is epsilon_A* over delta, assuming the underlying problem is hard to solve so that epsilon_B is negligible. With the meta-reduction paradigm, we will show our construction of the hypothetical adversary A* and our construction of the meta-reduction algorithm B. By analyzing epsilon_A* and delta, we will obtain the lower bound of L, thus establishing our impossibility results. In step one, we show our construction of the hypothetical inefficient adversary A*.
In the enhanced security model, A* will first receive the public keys of all users from the challenger. Then, for each user, A* issues Q encapsulation queries and receives the ciphertexts c_{i,j} from the challenger. Next, for each user, A* issues Q-1 key reveal queries and receives the keys k_{i,j} encapsulated in c_{i,j}. Here, the indices of the unrevealed keys are uniformly chosen. Then, A* corrupts all but one user and obtains their secret keys sk_i. The uncorrupted user i* is uniformly chosen from 1 to N. With the secret keys sk_i, revealed encapsulated keys k_{i,j} and ciphertexts c_{i,j}, A* can check whether k_{i,j} is the decapsulation of c_{i,j} under secret key sk_i. Clearly, if the challenger is honest, then the checks always pass. If a check does not pass, A* aborts. Finally, A* will ask to test the unrevealed key of the uncorrupted user. A* will receive a challenge T, which is either the real key encapsulated in c_{i*,2} or a random key. A* wants to output a guessing bit. A* is an efficient adversary so far. The only inefficient part is how A* computes the final guessing bit. A* will use brute force search to find a secret key sk* and test whether the challenge T is the decapsulation of c_{i*,2} under sk*. If it holds, then T equals k_{i*,2} and A* outputs 1 to the challenger. Otherwise, T is random and A* outputs 0. So how does A* choose sk*? For the uncorrupted user i*, A* obtains Q-1 revealed keys k_{i*,1}, k_{i*,3}, ..., k_{i*,Q}. By the correctness of KEM, the real secret key sk_{i*} of user i* must decrypt c_{i*,1} to k_{i*,1}, decrypt c_{i*,3} to k_{i*,3}, ..., and decrypt c_{i*,Q} to k_{i*,Q}. A* will choose a random sk* from all secret keys which decrypt c_{i*,1} to k_{i*,1}, decrypt c_{i*,3} to k_{i*,3}, etc. In other words, sk* is chosen from the equivalence class where the real secret key sk_{i*} belongs. And the equivalence relation is defined by c_{i*,1}, c_{i*,3}, ..., c_{i*,Q}, i.e., X minus {c_{i*,2}}.
Now, we analyze A*'s advantage. We know that the sk* chosen by A* and the real secret key sk_{i*} are in the same equivalence class defined by X minus {c_{i*,2}}. If the equivalence class defined by X minus {c_{i*,2}} is the same as the equivalence class defined by X, then sk* and sk_{i*} will also be in the same equivalence class defined by X. This means that using sk* or using sk_{i*} to decrypt c_{i*,2} would lead to the same result. So, in this case, A* using sk* can successfully tell whether the challenge T is the real key encapsulated in c_{i*,2} or a random key. Thus, it wins. Therefore, A*'s advantage is lower bounded by the probability that X minus {c_{i*,2}} and X define the same equivalence relation, where c_{i*,2} is uniformly chosen from X. Then, by our lemma, this is lower bounded by 1 minus KEM's rank over Q. This is our construction of A* and its advantage. In step 2, we show our construction of the meta-reduction algorithm B, which emulates the interaction between R and A* in an efficient way. First, B receives the public keys of all users from R. Then, B proceeds exactly the same as A*. B issues Q encap queries per user and receives c_{i,j} from R. And for each user, B issues Q-1 key reveal queries and receives the keys k_{i,j} encapsulated in c_{i,j}. Again, the indices of the unrevealed keys are uniformly chosen. Then, B also corrupts all but one user and obtains their secret keys sk_i. With the secret keys sk_i, revealed encapsulated keys k_{i,j} and ciphertexts c_{i,j}, B can also check whether k_{i,j} is the decapsulation of c_{i,j} under sk_i for all revealed keys and all corrupted users. B aborts if a check fails. So far, B proceeds exactly the same as A*, since this part of A* is efficient. Finally, B will ask to test the unrevealed key of the uncorrupted user. B will receive a challenge T, which is either the real key encapsulated in c_{i*,2} or a random key. B wants to distinguish which case it is.
However, B cannot emulate A* here, since A* uses brute force to find a secret key sk*. Alternatively, B will resort to efficient rewinding to find a secret key of user i*. B will rewind the corruption procedure N-1 times. In the first rewind, B will corrupt all users but the first user. In the second rewind, B will corrupt all users but the second user, etc. So, through rewinding, B will corrupt user i* and receive the secret key sk_{i*} from R. Note that this sk_{i*} is output by R, so it may not be the real secret key of user i*. But this sk_{i*} also decrypts c_{i*,1} to k_{i*,1}, decrypts c_{i*,3} to k_{i*,3}, ..., and decrypts c_{i*,Q} to k_{i*,Q}, since B will check this in each rewind. This means that this sk_{i*} returned by R also belongs to the same equivalence class as the sk* chosen by A*. Now, we analyze the probability delta that B does not emulate A* and R perfectly. We know that the sk* chosen by A* and the sk_{i*} used by B and returned by R are in the same equivalence class defined by X minus {c_{i*,2}}. If the equivalence class defined by X minus {c_{i*,2}} is the same as the equivalence class defined by X, then sk* and sk_{i*} will also be in the same equivalence class defined by X. This means that using sk* or using sk_{i*} to decap c_{i*,2} would lead to the same result. So, in this case, B perfectly emulates A*. Overall, B might emulate A* imperfectly if one of two bad events occurs. The first bad event is that B fails to get sk_{i*} from R during the rewinds, which may happen with probability at most 1/N. The second bad event is that X minus {c_{i*,2}} does not define the same equivalence relation as X. By our core lemma, this can happen with probability at most KEM's rank over Q. So, the probability delta that B's simulation is imperfect is bounded by 1/N plus KEM's rank over Q. This finishes our construction of the meta-reduction B.
In step 3, we can establish our impossibility results on tightly enhanced-secure KEMs. The security loss L is lower bounded by epsilon_A* over delta. If KEM's rank is a polynomial, then we can always set Q equal to N times that polynomial so that KEM's rank over Q is no more than 1/N. Consequently, L is lower bounded by Omega(N). This suggests that as long as the KEM has a polynomial rank, it is impossible to achieve tight enhanced security based on non-interactive assumptions, and the security loss is at least linear in the number N of users. Then, we apply our impossibility results to many well-known KEMs by showing that their rank is polynomially bounded. For example, for the Cramer-Shoup CPA-secure KEM, with two ciphertexts we can partition the secret key space completely. So the largest independent set consists of only two ciphertexts, and the rank of the Cramer-Shoup KEM is 2. In the full version of our paper, we analyze more KEM schemes, including ElGamal, CCA-secure Cramer-Shoup, Kurosawa-Desmedt, Gay-Hofheinz-Kiltz-Wee, Han-Liu-Lyu-Gu, and the Naor-Yung double encryption paradigm. We show that all of these KEM schemes have a constant or polynomially bounded rank. Therefore, by applying our impossibility results, it is impossible to achieve tight enhanced security for these KEM schemes based on non-interactive assumptions, and the enhanced security of these schemes inherently suffers from a security loss factor at least linear in the number N of users. We also show that the linear security loss O(N) is achievable by giving two reductions. For example, they imply that the ElGamal KEM has security loss factor O(N) for enhanced CPA security, and the KEM proposed by Hofheinz and Jager has security loss factor O(N) for enhanced CCA security. These together with our impossibility results show that for KEMs with polynomially bounded rank, the linear security loss factor for enhanced security is optimal.
Let me now conclude the talk and sum up our contributions. We define realistic enhanced security models for KEM, which consider adaptive user corruptions and adaptive encapsulated key reveals in the multi-user and multi-challenge setting. We develop a new technical tool called KEM's rank to identify a class of KEM schemes for which impossibility of tight reduction holds. We prove that as long as the rank of a KEM scheme is polynomially bounded, the incurred security loss factor is at least linear in the number N of users when reducing to any non-interactive assumption. Our impossibility results rule out the tight enhanced security of many well-known KEMs, including Cramer-Shoup and Kurosawa-Desmedt, since the ranks of these KEMs are polynomially bounded. Finally, we show that the linear security loss is achievable and optimal for KEMs with polynomially bounded rank. For more details, please check out our paper on ePrint. That's all. Thank you for listening.
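To make the rank notion from the talk concrete, here is an added worked example (not the paper's or the speaker's code) that brute-forces decap-equivalence classes, independent elements and rank for a Cramer-Shoup-style CPA KEM over a constructed toy group, and replays A*'s trick of decapsulating the untested ciphertext with any key from the right equivalence class. The group (order-11 subgroup of Z_23^*), its generators and every ciphertext set below are constructed for illustration only.

```python
import itertools

# Constructed toy instance of the KEM rank from the talk (added example, not the paper's code).
# Cramer-Shoup-style CPA KEM over the order-11 subgroup G of Z_23^*: sk = (x1, x2) in Z_11^2,
# pk = g1^x1 * g2^x2, ciphertext space G x G, Decap(sk, (c1, c2)) = c1^x1 * c2^x2.
P, ORD = 23, 11
G1, G2 = 4, 9                        # 4 = 2^2 and 9 = 3^2 both generate the order-11 subgroup
SK_SPACE = [(x1, x2) for x1 in range(ORD) for x2 in range(ORD)]   # only 121 keys: brute force

def ct(a, b):
    """Ciphertext (g1^a, g2^b); a == b is an honest encapsulation with randomness r = a."""
    return (pow(G1, a, P), pow(G2, b, P))

def decap(sk, c):
    return pow(c[0], sk[0], P) * pow(c[1], sk[1], P) % P

def partition(X):
    """Decap-equivalence relation on SK_SPACE w.r.t. ciphertext set X, as a set of classes."""
    classes = {}
    for sk in SK_SPACE:
        classes.setdefault(tuple(decap(sk, c) for c in sorted(X)), []).append(sk)
    return frozenset(frozenset(v) for v in classes.values())

def is_independent(c, X):
    """c is independent in X iff dropping it makes the relation strictly coarser."""
    X = frozenset(X)
    return partition(X) != partition(X - {c})

def independent_fraction(X):
    """Pr[c independent in X] for uniform c in X; the talk's lemma bounds it by rank/|X|."""
    X = frozenset(X)
    return sum(is_independent(c, X) for c in X) / len(X)

def rank(X):
    """Size of the largest subset of X whose elements are all independent in that subset."""
    X = frozenset(X)
    for k in range(len(X), 0, -1):
        for S in itertools.combinations(X, k):
            if all(is_independent(c, S) for c in S):
                return k
    return 0

def class_decap_agreement(sk_real, X, c):
    """A*'s trick: any sk* in sk_real's class w.r.t. X minus {c} is used to decapsulate c.
    Returns the fraction of that class agreeing with sk_real on c (always 1.0 if c is dependent)."""
    rest = sorted(frozenset(X) - {c})
    sig = lambda sk: tuple(decap(sk, d) for d in rest)
    cls = [sk for sk in SK_SPACE if sig(sk) == sig(sk_real)]
    return sum(decap(sk, c) == decap(sk_real, c) for sk in cls) / len(cls)

if __name__ == "__main__":
    honest = {ct(1, 1), ct(2, 2), ct(3, 3)}          # Q honest encapsulations: classes = same pk
    print(len(partition(honest)), independent_fraction(honest), rank(honest))   # 11 0.0 1
    full = {ct(1, 0), ct(0, 1), ct(1, 1), ct(2, 2), ct(3, 5), ct(0, 0)}
    print(len(partition(full)), rank(full))          # 121 2: two ciphertexts split the key space
```

Because decapsulation here is linear in (x1, x2) in the exponent, any three ciphertexts contain a dependent one, so the rank of this toy KEM is exactly 2, matching the talk's claim for the Cramer-Shoup CPA KEM; honest ciphertexts alone never separate keys with the same pk, which is why A*'s class-chosen sk* decapsulates the untested honest ciphertext correctly.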