So, now it's time for the third and final talk of this session, which is going to be Anonymous, Robust Post-Quantum Public Key Encryption by Varun Maram, and Varun is here. So I will let him introduce his co-authors and welcome him to the stage, so please go ahead.

Thank you, Martijn, and I would like to thank everyone present here, because I know that it can be a bit of a pain to attend these morning sessions during a conference. So I hope to make this less boring for you guys. So here I'm going to talk about anonymous and robust public key encryption schemes in a post-quantum setting. In my talk, I'll be giving an overview of some of our main results, and this is based on joint work with Paul Grubbs from the University of Michigan and my PhD advisor Kenny Paterson. So the main setting of our work is related to NIST's ongoing post-quantum cryptography standardization process, where we have the four finalists and five alternate candidates that are currently being considered for standardization in the public key encryption category. And the main criterion of evaluation for these schemes was how well these schemes achieve the so-called IND-CCA notion of security. And rightfully so, because IND-CCA security is usually considered to be the gold standard, since it suffices for most cryptographic applications. But in this work, we are mainly interested in evaluating the relative fitness of these candidates in other important applications that require security properties beyond IND-CCA. One such property that we considered is so-called anonymity, or ANO-CCA security to be more formal. Anonymity roughly guarantees that the ciphertext does not leak the public key which was used to encrypt the corresponding message.
So for example, in the setting with Alice: if Alice wants to send a message M to Bob and she wants to hide the fact that she's communicating with Bob from other third parties like Eve, then what she does is that she encrypts the message under Bob's public key and then somehow broadcasts the ciphertext to a subset of users, including Bob, such that from the resulting ciphertext Eve is not able to figure out who was the intended receiver of Alice's message. That is, Eve should not be able to figure out which public key was used. Anonymity was formalized by Bellare et al. in 2001, and it's pretty much considered to be a standard security notion at this point. It's also an important component in different modern applications, such as private cryptocurrencies like Zcash. But maybe in hindsight I should have removed this from my slide after listening to the community's thoughts on cryptocurrencies from the rump session. But it has other important applications, such as in digital auctions and anonymous credentials and other applications. If your application requires anonymity in some form, then chances are you would require a PKE scheme which satisfies this notion of anonymity. Now, let's come back to the same example. Because of anonymity, even the users Carol and Dave should not be able to tell who was the intended receiver of Alice's message. So the naive thing that all of these users would do is just try to decrypt the received ciphertext using their respective secret keys. For example, in this setting, if Dave, upon obtaining the ciphertext c from Alice, decrypts the ciphertext using his own secret key and recovers some valid message M'', then he might mistakenly think that Alice wanted to send the message M'' to him, which is not the case. So to prevent such ambiguity, we additionally require another complementary security property known as robustness, or SROB-CCA to be more formal.
Strong robustness guarantees that it's hard to come up with a ciphertext such that it decrypts validly under two different secret keys. So in this setting, if Carol and Dave try to decrypt such a ciphertext, then they should get back an error, which implicitly means that the message is not intended for them. Robustness was formalized by Abdalla et al. in the public key setting in 2010. And it's also an important security property in its own right, for example in searchable encryption schemes and other important applications. All right, so now let's come back to our NIST candidates. All of these NIST candidates construct their IND-CCA secure PKE schemes by first constructing an IND-CCA secure KEM, and then they compose these KEMs in a standard way with a one-time authenticated encryption scheme to obtain the final PKE. Here I'm assuming familiarity with KEMs and their security properties. Just to put things briefly: if Alice wants to send a message to Bob, then what she does is first she runs this asymmetric KEM component to generate this key K using Bob's public key, and then this key is actually used to encrypt the message using the symmetric DEM component. In this context, such PKE schemes are known as hybrid PKE schemes. And it's pretty well known that if you have an IND-CCA secure KEM and you compose it with an authenticated encryption scheme, then you get an IND-CCA secure PKE scheme, thanks to Cramer and Shoup. But now, what if in addition to IND-CCA security, I want my hybrid PKE scheme to satisfy anonymity? At least in this talk, we'll be focusing only on anonymity and not robustness because of time restrictions. And just to put things in an informal way, by anonymity I mean that the encryption of a message M under Bob's public key should be somehow indistinguishable from the encryption of the same message under a different public key, say Dave's public key.
So one of our main results in this work was to show what additional properties we require of our KEM to ensure that the final PKE scheme satisfies anonymity. We showed that if our KEM is IND-CCA secure as before, but also satisfies a notion of anonymity, where here I mean that the encapsulation under Bob's public key should be indistinguishable from the encapsulation under a different public key, and if the KEM also satisfies a notion of robustness, that is, if you encapsulate under Bob's public key but then decapsulate using a different secret key, you get back an error; so if our KEM satisfies these two additional security properties, then if our DEM is again a standard authenticated encryption scheme, the final PKE scheme does satisfy anonymity. This was one of our main results. And we'd like to point out that this result is a generalization of Mohassel's result back in 2010, because he considered specific KEMs which are constructed directly from PKE schemes. So I start with a PKE scheme, and to construct my KEM I just encrypt a random message from the message space, and that would be my KEM. But here we consider a general class of KEMs, because we know that the NIST KEMs are not constructed in the way that Mohassel considered. So technically speaking, Mohassel's result does not really apply to the NIST candidates. So now let's try to zoom in on this weak robustness requirement that we require of our KEM. In our work, we also show that not only is this weak robustness requirement sufficient, but it's also somehow necessary, because we constructed an artificial example of a KEM which satisfies IND-CCA security and anonymity but not weak robustness, such that if you compose it with a DEM which is a one-time authenticated encryption scheme, then the resulting PKE scheme does not satisfy anonymity. And the counterexample holds no matter how clever, how strong you make your DEM.
So this shows that somehow weak robustness is necessary and sufficient. Now recall that weak robustness requires that if you encapsulate under Bob's public key but decapsulate under a different secret key, you should get back an error. So implicitly, this means that if a KEM is robust, then the decapsulation algorithm should be capable of returning an error symbol. Unfortunately, all of the NIST candidates except HQC are so-called implicit rejection KEMs. By implicit rejection, I mean that the decapsulation algorithm never returns an error symbol. It always spits out some bit string, but never an error. So hence, yeah, our KEM-DEM composition result looks cool and nice and all, but if you want to apply this to the NIST KEMs, it does not apply. So to somehow salvage this, we took a closer look at how these implicit rejection KEMs are constructed in the first place by these NIST candidates. These NIST candidates construct their IND-CCA secure KEMs via a generic technique known as the Fujisaki-Okamoto transformation. What they do is they first construct a weakly secure base PKE scheme, which satisfies one-wayness against CPA attacks. And then they compose the PKE scheme with a couple of hash functions in a very clever way such that the resulting KEM is IND-CCA secure. But for this weak-security-to-strong-security transformation to work, we additionally need to assume that our hash functions behave as so-called quantum random oracles. That is, we should be able to query these quantum random oracles on a superposition of inputs and get back a superposition of random outputs. And now let's focus on the NIST finalists for the moment, these four NIST finalists. Each of these finalists uses a variant of this generic FO transformation to construct their KEMs. More specifically, the first three candidates, Classic McEliece, Kyber and Saber, use variants of this FO transformation from the literature; it's called FO^⊥̸ (FO "not-bot").
I'll just call it FO in this presentation. You don't have to look at how this scheme works; we'll come back to this later. But these three schemes use variants of this standard FO transformation from the literature to construct their KEMs. Also, another alternate candidate, FrodoKEM, uses a variant of this specific FO transformation. So in our work, we focused on these three NIST finalists and this alternate candidate. Now, it was shown by Jiang et al. in 2018 that the standard FO transformation does result in IND-CCA secure KEMs in the quantum random oracle model. And in our work, we showed that if the base PKE scheme satisfies some additional mild security properties, namely that of weak anonymity and some kind of weak robustness, then the resulting KEM is also anonymous. I won't be going into the details of what these properties exactly are, but for the purpose of this presentation, you can think of them as some CPA-style weak properties. But then in the end you get some strong anonymity guarantees. Towards this result, at least on a high level, we extended Jiang et al.'s proof techniques from a single key pair setting in the context of IND-CCA security to a two key pair setting in the context of anonymity. Because if you recall, in the IND-CCA security game the challenger samples a single key pair, but in the anonymity setting the challenger generates two key pairs. I mean, this change looks small, but in the context of performing security analysis in this two key pair setting, it creates some additional headaches. Okay, so now let's zoom out. And again, let's come back to our KEM-DEM composition result, which unfortunately does not apply to these KEMs because of this weak robustness requirement. And one piece of good news is that in our work, we showed that we can overcome this generic impossibility result by focusing on a specific class of KEMs, which are obtained by this standard FO transformation.
So we showed that you can somehow replace the weak robustness requirement with the gamma-spreadness requirement of your base PKE scheme. For those of you who don't know, gamma-spreadness means that if you have a randomized base PKE scheme, then for any fixed message and for any fixed public key, if you encrypt the message, the ciphertext distribution should have sufficiently large entropy. And gamma-spreadness is a very standard property in the NIST PKE schemes, for example. So now we have some good news. We have at least now some hope of obtaining anonymous PKE schemes when our starting KEM is a NIST KEM, which is implicitly rejecting. So then, in our work, we wanted to do a case study of these four schemes. First we focused on Classic McEliece. Unfortunately, the base PKE scheme used by Classic McEliece is a deterministic scheme. So by definition, it does not satisfy the notion of gamma-spreadness. So again we are in an unfortunate scenario, where again the result looks cool, but it does not apply to the concrete scheme of Classic McEliece. But now let's focus on robustness. What can you say at least about the robustness of the Classic McEliece PKE scheme? Because I did mention earlier on in my talk that robustness is an important security property in its own right. Now I won't be going into the lower level details, but we showed that, because of the way the base PKE scheme of Classic McEliece is defined, we can exploit some of its properties to show that for any message M that Alice wants to send to Bob using Classic McEliece, we can construct a hybrid ciphertext C such that if we try to decrypt the same ciphertext, not only using Bob's secret key but any secret key in the Classic McEliece system, not only do we get a valid message, but we get back the same message M that Alice wanted to send to Bob.
So this is a peculiar property, but it is sufficient to break the formal notion of strong robustness for Classic McEliece. And this result holds no matter how clever, how strong you make your DEM. But in subsequent work to ours, Xagawa was able to show that the Classic McEliece PKE scheme can be somehow made anonymous by choosing an appropriate DEM. So this would be the only spoiler in my talk if you're really interested in this: Xagawa will be presenting his results in the last session of the day. I highly recommend attending his talk if you're interested in this line of work, but I'll just talk a bit about his work. On a high level, we have been focusing on this two key pair notion of anonymity, which makes analysis a bit non-trivial, but Xagawa relied on a single key pair notion known as strong pseudorandomness. And it turns out that if a PKE scheme satisfies this strong pseudorandomness, then it automatically satisfies anonymity; you get anonymity for free. So then, since you can focus all of your analysis in the single key pair setting, it makes the analysis a bit more tractable. But one final thing I want to remark about Xagawa's work, because Xagawa will be talking more about his results later on, is that he was able to show anonymity of Classic McEliece by somehow modifying the assumptions used by Classic McEliece for its IND-CCA security. Whereas in our work, wherever possible, we want to stick to the same assumptions used by these NIST candidates for their IND-CCA security. We don't want to introduce any new assumptions, right? So this is it for Classic McEliece. Now let's move on to Kyber and Saber. The reason I grouped these two schemes together will be made clear later on, but here again is our KEM-DEM composition result, and it can be shown that the base PKE scheme used by both Kyber and Saber does satisfy gamma-spreadness for a cryptographically large gamma. So that's great.
So now we only need to show that if these KEMs satisfy anonymity, then we get back a PKE scheme with the desired properties. Now here is the FO transform that I showed earlier on from the literature, for which we do have some positive anonymity results. However, the FO transforms used by Kyber and Saber differ from the standard FO transformation in the literature in quite significant ways. Just to give you a high level overview: in the standard FO transformation in the literature, the key derivation works by first sampling a random message and encrypting the message; then you have the message M and the ciphertext C, and then you hash M and C to get your key. But in Kyber and Saber, you first hash the message, G(M), and then you also hash the ciphertext, F(C), and then you hash both those hashes. Like, there's too much hashing going on; like, why? And because of these additional layers of hashing, unfortunately we couldn't extend our positive results with respect to the standard FO transform to this specific weird transform of Kyber and Saber. But what's more interesting is that the same barriers should also apply when you try to extend the IND-CCA security proof of Jiang et al. for the standard FO transformation in the literature to the specific FO transform used by Kyber and Saber. At least to end things on a somewhat brighter note, we were at least able to show that when it comes to robustness, the KEMs used by Kyber and Saber do satisfy some "robustness" in double quotes, because recall that implicit rejection KEMs cannot be robust by definition, but somehow they satisfy this weak property that it is hard to come up with a ciphertext such that if you decapsulate using two different secret keys, the outputs are the same. The outputs would be valid for sure, but they should not collide.
And we showed that this requirement is enough to show that if you choose your DEM appropriately, then your final PKE scheme can be made strongly robust. So there is some hope; there is a way to achieve strong robustness in the PKE schemes of Kyber and Saber. But this is in contrast to Classic McEliece, because no matter how clever, how strong you make your DEM, Classic McEliece PKE schemes cannot be made robust. And finally, let's come to FrodoKEM, the alternate candidate. Again, it can be shown that the base PKE scheme used by FrodoKEM does satisfy this notion of gamma-spreadness. And now the only thing that needs to be looked at is: does it satisfy anonymity? Again, this is the standard FO transformation in the literature, and this is the weird FO transformation used by FrodoKEM. Again, there are some subtle differences. In FO, the key is derived as a hash of M and C, but here there's only one hash: only the message is hashed, in a nested way, but the ciphertext is left alone. So it's a slightly good thing, because there is only a nested hashing of M and C. Because even though, again, the prior proof techniques do not necessarily apply to FrodoKEM in a direct way, in our work we were able to recover the IND-CCA security guarantees of FrodoKEM with the same proof, with the same concrete bounds as stated in the specification document, solely because of the fact that the ciphertext is untouched but the message is hashed in a nested way. And the hash is also a length-preserving hash, as in G(M) has the same length as that of M. So I won't be going into details, but if you're interested, I would encourage you to read our paper. And because of the way that we recovered the IND-CCA security guarantees of FrodoKEM, it also allowed us to prove anonymity of FrodoKEM as well, in the QROM with concrete bounds.
And hence, if you again care about robustness, as we have seen for Kyber and Saber, by choosing your DEM appropriately we conclude that FrodoKEM does result in anonymous and robust PKE schemes in a post-quantum setting, the goal that we set out with in the beginning of this talk. And for a few other contributions: we have been focusing on FO transformations which result in implicit rejection KEMs, but there is an FO transformation in the literature which results in explicit rejection KEMs; note here that the decapsulation does return an error. Jiang, Zhang and Ma showed that this transformation does have provable security guarantees in the QROM; it does result in IND-CCA secure KEMs. The only difference in this FO^⊥ transformation is that now your ciphertext has an additional hash here, C2, where you hash the M as well. This is the so-called plaintext confirmation hash. So your ciphertext is a bit longer, but it's fine, at least to prove security in the QROM. In our work, we showed that if you replace this hash by another hash where you also hash the C1, then it turns out that this transformation not only results in IND-CCA secure KEMs, but also anonymous and strongly robust KEMs in the QROM. And this is a nice thing, because now we can just take such a KEM and apply our earlier KEM-DEM composition result without caring a lot about the internal workings of the KEM in a non-black-box manner. So to conclude my talk: we started by showing how one can hope to achieve anonymous and robust hybrid PKE schemes when the starting KEM is an implicit rejection KEM, as is the case for most NIST candidates. And the main thing that we showed is that we can overcome such impossibility results by looking at such implicit rejection KEMs in a non-black-box manner.
So, namely, we focused on KEMs which are obtained by this FO transformation, and then we showed that such FO-based KEMs do result in anonymous and robust KEMs in a post-quantum setting, which could also result in anonymous, robust hybrid PKE schemes in the end. And then we did a case study of the NIST finalists. So here's our summary again. We showed that Classic McEliece hybrid PKE schemes cannot be robust, unfortunately. But they can be made anonymous, as shown by Xagawa. Again, if you're interested, please do attend his talk later on. Then coming to Kyber and Saber, we identified some barriers towards proving their IND-CCA security and also anonymity. But somehow we were able to show that they do result in strongly robust hybrid PKE schemes. One thing worth pointing out is that even Xagawa leaves proving anonymity of Kyber and Saber as an open problem. And finally, to end things on a positive note, we showed that the alternate candidate FrodoKEM does result in anonymous and robust hybrid PKE schemes in the QROM. Yeah, so this brings me to the end of my talk. Thanks for your attention.

Thank you very much. So if there are any questions, please either type them in Zulip or go to a microphone. Yes.

You mentioned that in the security proof for FrodoKEM you derived some concrete parameters or some security losses. Can you comment on roughly how big they are?

Yeah, so generally, security proofs in the QROM tend to be non-tight compared to their ROM counterparts. So one, not sure if it's a fortunate or unfortunate thing, is that, yeah, security proofs in the QROM tend to be non-tight, but if you look at the concrete parameters of the NIST candidates, like in their NIST specification documents, they choose the parameters not based on the tightness of the security proof, but on the best known attacks on their underlying lattices.
So yeah, maybe from a very pessimistic point of view, you can say that the tightness of the security proof hasn't really mattered in choosing the concrete parameters of the scheme, but still it should at least give us some confidence in terms of provable security guarantees. So yeah, I would say that the proofs are non-tight, but they're not used to set the parameters.

So just a bit more specifically, is it like linear in the number of quantum random oracle calls?

It's quadratic.

Quadratic, okay, thank you.

Okay, there's time for one small question here. Please go to the microphone.

You said that, even if you start from a CCA secure and CCA anonymous KEM, the transformation to CCA anonymous encryption somewhat surprisingly requires some form of robustness. I don't believe you gave an explanation why.

Yeah, so that's a good question. I did talk about earlier on that this robustness is somehow not only sufficient but also necessary, because we came up with an artificial counterexample where you have a KEM which satisfies anonymity in the CCA sense, and so on. Intuitively, okay, so I'm not going into the nitty-gritty details of the security proof, but let's say, okay, so the hybrid ciphertext is made up of a KEM component and a DEM component, right? And you want to reduce to the anonymity of the KEM, right? So now somehow you want to make sure that, if you are the adversary against the anonymity of the KEM, you only have access to a decapsulation oracle and not access to the hybrid decryption oracle. So you somehow want to make sure that if the adversary against the anonymity of the hybrid scheme gives you a ciphertext which has the KEM component equal to the challenge ciphertext, but the DEM component could be anything, you want to return an error with respect to both decapsulation oracles, against SK0 and SK1. So for that, you somehow need weak robustness.
I'm sorry if I have to be very..., but we can discuss it afterwards if you're really interested. I'll be present; I won't be hiding in the coffee break.

I'll grab hold of him for you so he can't escape. So with that, that concludes the session. So let's thank the speaker again.