 Hello everyone, my name is Rato and today I'm going to talk about simulation sound arguments for learning with errors and applications to key dependent message security against chosen ciphertext attack. And this is joint work with Benoal Iber, Koanguien and Alampas Leg. In this talk I'm going to focus on our main result, which is a generic compiler that works for the same language. And in the simple form, this compiler takes as input the trapdoor sigma protocol and outputs a multi-theorem non-interactive zero-knowledge argument system that achieves statistical zero-knowledge in the common random stream model. We can upgrade this compiler to take as input a trapdoor sigma protocol and to produce an unbounded simulation sound NISIC. A key feature of our transformation is that it works for the same language in the sense that the resulting NISIC works for the same underlying language as the initial trapdoor sigma protocol. And our compiler is direct in the sense that it doesn't have to go through some expensive reduction to some NP-complete language. Moreover, we can make the security proof of the unbounded simulation sound NISIC tight in the sense that the security loss of the reduction is independent of the number of queries that the adversary makes to the simulation oracle. And finally, we can instantiate our compiler under the LWE assumption. And we can do so without contradicting any possibility results from the literature. And this is because our resulting NISIC either achieves non-adaptive soundness or it works for trapdoor languages. Another result that we obtain using our compiler is that we can instantiate the Naur Jung transformation under the learning-with-error assumption in a direct manner. And this gives us the most efficient LWE-based KDM CCA2 security, secure public key encryption that we know so far. Let's start by recalling what non-interactive zero-knowledge arguments are. Assume that we have a prover that wants to convince a verifier of the validity of some statement. We say that the statement X is true if it belongs to some language L. And the prover also knows a witness, W, that certifies the fact that the statement is true. For instance, you can think of the statement X as being a mathematical proof, for instance, and the witness in this case would be the actual proof of the theorem. So the prover wants to convince the verifier that the statement is true and he wants to do so without revealing anything about the witness W, except that the statement is true. And in the non-interactive setting, the prover wants to do so by only sending one message to the verifier and he is not allowed to further interact with the verifier. Therefore formally, such a system has to also satisfy three requirements. The first one is completeness, which states that the verifier must always be convinced of the validity of the statement as long as it interacts with an honest prover. Prover knowledge means it just means that the verifier does not learn anything else about the witness except the fact that the statement X is true. And this intuition is captured by the existence of a simulator, which is able to simulate proofs without the knowledge of the witness. And those proofs, the simulated ones are indistinguishable from honestly generated proofs in the eyes of the adversary. And finally, such a system has to provide soundness, which means that no cheating prover should be able to convince a verifier of the validity of a false statement. So a false statement is just a statement X that does not belong to the language L. Non-interactive zero-knowledge argument systems are really useful in cryptography as they can be used to construct group signatures or ring signatures or public key encryption that is secure against chosen ciphertext attacks. And one way to obtain CCA security for public key encryption is to use Naoryung double encryption transformation, which takes as input a chosen plaintext public key encryption key which is secure against chosen plaintext attack and combines it with a non-interactive zero-knowledge proof system and yields public key encryption scheme which is secure under chosen ciphertext attack. And the transformation is quite simple and it involves two instantiate instances of the in-CPA secure public key encryption scheme. So we generate two key pairs and a non-interactive zero-knowledge argument system for the language which certifies that the same message M has been encrypted with the first public key and the second public key. And to encrypt the message M under the Naoryung transformation, we just encrypt the same message with the different public keys and compute a proof using our Isaac that certifies the fact that the same message M has been encrypted in both ciphertexts. The high showed that if we replace the non-interactive zero-knowledge argument system with an Isaac that achieves simulation soundness, instead of regular soundness, we can improve the result by having CCA2 security and a similar argument shows that if we use key dependent message security which is secure against chosen plaintext attacks with unbounded simulation soundness, we get KDM CCA2 security. In a simulation soundness, no cheating prover should be able to produce valid proof for a false statement despite the fact that he has access to an oracle that simulates proofs. So in this setting, the prover is allowed to make only one oracle query to an input of his choosing to which the oracle replies with a simulated proof for that statement. And even with this extra information that the oracle provides, the prover should not be able to produce any valid proofs on false statements. In the unbounded simulation setting, the prover is allowed to query the oracle predominantly many times. The Fiat-Shamir heuristic is a very well-known technique that can be applied to interactive protocols to obtain non-interactive protocols. For instance, if we start with a three-move interactive protocol in which the prover sends a first message A and the verifier sends a random challenge E to which the prover replies with a response Z. We can make this protocol non-interactive by replacing the random challenge of the verifier with the evaluation of a hash function on the input X and the first message A. And it can be proved that if we start with a sigma protocol, which is a three-move interactive protocol and we model the hash function as a random oracle, we get a non-interactive zero-knowledge Armin system. Sigma protocols are just three-move interactive protocols that satisfy the three requirements of completeness, special zero-knowledge and special soundness. Completeness, as before, is the property that the verifier should always accept honestly generated interactions with the prover and special zero-knowledge refers to the fact that the verifier should not learn anything about the witness W that certifies that the statement is in the language. This is formalized with the help of a simulator which generates with simulates transcripts which are indistinguishable from honestly generated transcripts. And finally the special soundness property states that for any false statement X and any first message A, there is at most one challenge E which is called a bad challenge for which an accepting transcript exists. This property implies the fact that for all challenges except one, a cheating prover should not be able to produce valid transcript because it actually does not exist. So when the challenge is uniformly randomly sampled, a cheating prover should not be able to produce an accepting transcript almost always. Trapdoor Sigma protocols are just Sigma protocols for which the bad challenge function or the bad challenge input E is efficiently computable with the help of some Trapdoor Sigma tau Sigma. The Fiat-Chameleuristic can actually be instantiated without the use of the random oracle model and this has been proved in some recent works of Kaneti et al and Peikert and Shenya and in this work they show that you can start with the Trapdoor Sigma protocol and instead of using random oracles you can just use the class of hash functions called correlation intractable hash functions which yield non-interactive zero-knowledge argument systems without the use of random oracle and in fact Peikert and Shenya showed that we can build correlation intractable hash functions just assuming the LWE problem and one consequence of this fact is that we can get non-interactive zero-knowledge argument systems under the LWE assumption for all NPA languages which is a nice result. We are now ready to discuss our results in a little more detail. Our main result is a generic compiler that takes as input a Trapdoor Sigma protocol for some Trapdoor language L and transforms it into an unbounded simulation sound Nizek for the same underlying language L. Before our work the way to do this was to apply general Nizek techniques to obtain unbounded simulation soundness but these techniques require to go through some expensive reductions to some NP-complete languages. For example we can apply Fiyash Amir to the Trapdoor Sigma protocol to obtain single-theorem Nizek after which we can apply the ORTIC of FLS and the transformation of the Santis et al to actually obtain unbounded simulation soundness for the initial language L. Unfortunately such a transformation would require a reduction to an NP-complete language L' which is different from the language L with which we have started with and this can be expensive. Instead our compiler is a direct one in the sense that it avoids these reductions to NP-complete languages and on top of this our compiler preserves the language in the sense that the resulting language is the same as the language of the initial Sigma protocol that we have started with. We also obtain a tight security for the proof of the unbounded simulation soundness and our compiler can be actually instantiated using standard learning with errors assumption. From a technical point of view our compiler requires the use of correlation intractable hash functions, equivocable lossy encryption, which is a technique that Damgard used in EuroCrypt 2000. We also use admissible hash functions and one-time signatures. As I said before we start with the Trapdoor Sigma protocol for some Trapdoor language L and we start the transformation by encrypting the interactive prover's first message A' using a form of encryption called lossy encryption with equivocable lossy boat. Such an encryption scheme assumes that there are two ways or two modes in which we can generate the keys, an injective mode and a lossy mode. In the injective mode ciphertexts are actually commitments to the messages whereas in the lossy modes ciphertexts are equivocable which means that any ciphertext can be explained as the encryption of any message of our choosing. For instance in this slide given a ciphertext A which is initially thought as the encryption of the message A' can actually be explained as the encryption of another message A' using the open algorithm and this algorithm returns a value r second which is just the which is randomness which we can use to explain A as the encryption of A second. Now in the next step we make the Trapdoor Sigma protocol non-interactive by using the Fiat-Shamir trick and for this we compute the challenge randomness E with correlation intractable hash functions and in the final step we compute the response of the interactive prover just as in the interaction and the prover sends to the verify the initial message A' the final message Z and the randomness r' which was used to encrypt A' notice that the verifier is actually able to compute A by encrypting A' with the randomness r' and the public key and after that you can compute E just by applying the correlation intractable hash functions on top of the statement X and the the cobitment A. The the idea for how the our simulator works is the following. Notice that the simulator does doesn't actually know the witness w and this means that we cannot use the prover to generate the first message of the interactive protocol. Instead we just encrypt a dummy message and we use that to compute the randomness or the challenge randomness by applying the correlation intractable hash function on on top of this and the statement X and again since the simulator does not know the the witness w we cannot use the interactive prover to generate the final message of the interactive protocol. Instead we use the zero null simulator of the trapdoor sigma protocol to generate the first message A' and the final message Z and to make everything consistent we have to explain the initial encryption of the dummy message as the encryption of A' with some randomness r' and finally we send A' Z and r' to the verifier and notice that the using lossy ciphertext in the simulation is crucially exploited in our construction. As I've said before the simulator heavily relies on using the lossy mode of the lossy encryption and in the proof of the simulation soundness we actually switch to injective keys and to prove unbounded simulation soundness we use a flavor of lossy encryption called r lossy encryption with efficient openings and this enables us to use besides injective and lossy keys we use injective and lossy tags to determine if a ciphertext is lossy or injective and by using these additional tags we can actually use the injective mode during the unbounded simulation soundness proof while still being able to run our simulator by using lossy tags. And we also give two flavors of r lossy encryption with efficient opening under learning with errors assumption and the second one which corresponds to the relation induced by an LWE based PRF this version is used to prove the tight variant of our argument. We can use our compiler to get more efficient LWE based public key encryption schemes that are key dependent message secure against chosen ciphertext attacks and we do this by instantiating the now our young transformation under the LWE assumption. First recall that the primal regif cryptosystem that is LWE based is in fact KDMCPA secure and for our second result we give a trapdoor sigma protocol that proves that primal regif encryptions under different public keys encrypt the same message and we can use this trapdoor sigma protocol to get an unbounded simulation under the LWE assumption for the same underlying language. And now we are ready to use the now our young transformation applied to the KDMCPA encryption and this yields a KDMCPA encryption under the LWE assumption and this construction is more efficient because the construction of KDMCPA2 encryption was implied by the result of Picard and Shenyang but to apply their results we are required to go to we are required to do transfer reductions to some NP-complete language so our construction is much more efficient. Thank you.