One receiver on the left here and a whole bunch of senders on the right-hand side that have the public key corresponding to the secret key of the receiver, and all the senders are interested in picking messages and sending them to the receiver, and they want to do that by means of public key encryption. So what does it mean? They all pick fresh randomness, encrypt the message and send it via some public channel to the receiver. Okay, so far so good.

So what do we assume? Well, we assume that there is an adversary that observes everything that is sent on the channel, meaning he sees all the ciphertexts. Plus we assume that the adversary is capable of corrupting some of the senders. What does corrupting mean? Well, corrupting means the adversary will learn the message sent by the senders that he corrupted, plus the randomness used to encrypt, and the randomness obtained by the adversary essentially allows the adversary to recompute and check that the message he just learned is actually contained in the ciphertext he already observed.

Okay, and the question is: well, what about the security or confidentiality of messages that were sent by non-corrupted parties? So for instance in our case, what about the confidentiality of message M2?

Okay, so why is it interesting? Well, it dates back to a paper published almost 20 years ago, and back then it was considered for commitment schemes and called the selective decommitment problem, and there are still lots of open questions going on. What makes it interesting furthermore is that the messages might depend on one another. So what does it mean? Say your message M2 depends on message M1, and if some adversary obtains information on message M1,
he might already obtain some information on message M2. So we should rephrase: do messages of uncorrupted parties remain confidential, or do they remain as confidential as they can?

Okay, for quite a long while we didn't know how standard security, meaning CPA or CCA, relates to selective opening security, and only recently could it be shown that selective opening security, whether you go for passive or active attacks, is actually strictly stronger than the standard counterpart of it.

Okay, so let's turn the scenario we are facing into a proper security definition, and we're going to do that by means of the real/ideal paradigm. We're going to start with the real setting, so on the left-hand side there will be the real game, on the right-hand side the adversary. Okay, so what is going to happen? The real game will generate a key pair, will give the public key to the adversary, and since we are really interested in active attacks, the adversary will have access to a decryption oracle with the usual restrictions.

Okay, what's going to happen now? We allow the adversary to control the message distribution the senders will sample their messages from. Okay, so the adversary picks the message distribution, sends it to the real game, and the real game will sample n messages accordingly. Now the real game will encrypt the messages and send them back to the adversary, and now we're going to model the corruption phase, and for historical reasons we're going to call the corruption phase the opening phase. So the adversary is allowed to make an open request, and the game reveals message M_i and randomness r_i of sender i. Okay, and the adversary can do this multiple times, and eventually the adversary outputs something that we just call out, and the real game just returns out. Intuitively, think of out as some information the adversary tried to derive on non-opened ciphertexts. Okay, and for the ideal game,
we're just going to remove every artifact of public key encryption, so we end up in such a game. So there's no key generation, there's no public key sent, there's no encryption happening, no access to the decryption oracle. And the simulator, which we call the adversary in the... so the adversary in the ideal game we just relabel to a simulator, is allowed to make open queries but will only receive a message.

Okay, and when do we call some public key encryption scheme secure? Well, we call it simulation-based selective opening CCA secure if for every efficient adversary there is an efficient simulator that can essentially derive the same information. What does it mean? The ciphertexts that weren't opened didn't leak any information; otherwise there wouldn't be a simulator able to derive the same information as A.

Okay, what I would like to do now is show you how public key encryption is ideally done in practice, how to obtain efficient public key encryption, and this you usually do by the KEM/DEM approach, meaning you want to use an asymmetric primitive to establish a symmetric key, and then you use some highly efficient mode of operation like counter mode, CBC, CCM, GCM to encapsulate the data you actually want to protect. And this is what you would like to do to obtain efficient public key encryption, and we already have some results on the selective opening security of practical public key encryption. Well, or maybe not: so there's one paper by Heuer et al. that took a look at DHIES and OAEP, and they could show that both transformations or schemes are selective opening secure under the notion we just saw. However, to obtain the result they had to instantiate, in the case of DHIES (for OAEP it's already done by default), they had to instantiate the DEM to be the one-time pad, which severely restricts the practicality of these schemes,
because you're limited to a message length that corresponds to the output length of the hash function, okay.

Now I'd like to come back and show you how you could approach a proof for simulation-based selective opening security. So remember that for every A we have to show that there exists a simulator that can derive essentially the same information. So what we're going to do is we're going to take an adversary that runs in the real game, and we will construct a simulator that will internally run A and can ideally derive the same information as A just by outputting it. And this has been done like that before, and we follow this approach.

Okay, so let's have a closer look at the interaction that will happen on the right-hand side. Okay, so the simulator will do something, and at some point the adversary will output a message distribution, which we just relay to the ideal game. Then the ideal game will do nothing, because it's the ideal game and not the real game. However, the simulator has to output ciphertexts to the adversary. Then the adversary will pose open queries, which we can still forward; the ideal game will answer with the message, and the simulator is supposed to answer with the message and the randomness used to encrypt the message. This will happen multiple times, and eventually the adversary will output something and we just want to forward it.

Well, at this point here, over here, the simulator has to somehow come up with ciphertexts, and for now we're just going to call it fake C_i. So the simulator has to find a way to come up with ciphertexts, and when he eventually learns the message in this step and wants to reveal it to the adversary, he has to find a way to make sure that the encryption he already committed to becomes an actual encryption of the message
he just obtained and wants to forward to the adversary. Okay, we just call the second step make.

Okay, now I would like to show you what a practical data encapsulation mechanism looks like, and we're just going to take a look at CBC mode plus a MAC. So your message is split into blocks, passes through the block cipher, and the output is XORed onto the next message block entering the block cipher again, and to obtain integrity we are going to add a MAC. I want to point out that throughout this talk K will denote the block cipher key and K' will denote some additional key material that will be used by, for instance, a MAC. And if you just have a look at this picture, somehow the ciphertexts seem to be separated from the messages by the block cipher, and this seems to be inherent to the construction of this data encapsulation mechanism. What we wanted to do is abstract away the concrete block cipher and just study the structure of the data encapsulation mechanism, and this is why we went for the ideal cipher model. So still the ideal cipher will be keyed by some key K, and we are interested in the structure of the DEM, ignoring the block cipher that is used within the DEM, and this leads to the following definition that will help us to do a proof of selective opening security in the simulation-based definition.

So this is the DEM, as I call it.
It's not actually the DEM in the paper; we call it oracle DEM, but for simplicity think of it as a DEM, but we abstract away the block cipher used within the DEM and add it back as oracle access to the block cipher. So it turns out to be some encapsulation mechanism that has oracle access to the block cipher, gets as input the additional key material and the message, and outputs a ciphertext. And we are going to say that such a DEM is simulatable if we have additional stateful algorithms fake and make, where fake just obtains the additional key material, but not the message, and is supposed to output a ciphertext, and later on we have some algorithm make that can get information from fake because they are stateful, gets as input a message, and is supposed to output a permutation.

Okay, and we want to have the following properties, namely: if we run fake on some key K', we obtain a ciphertext, and then we run make and obtain some permutation pi tilde, then we want that C is somewhat consistent, and by somewhat consistent I mean if we run the DEM encryption with access to pi tilde on M, we obtain C. Plus we want that the permutation output by make is uniform. Why is it supposed to be uniform? Because we want to patch it into the ideal cipher at some point.

Okay, so what can you do with a simulatable DEM? Well, let's build our way towards it. So at the top there will be security notions for a KEM, below for a DEM, and at the bottom for some public key encryption. So what is going to happen?
We all know that if we take some CCA secure KEM and combine it with a one-time CCA secure DEM, we obtain a CCA secure public key encryption scheme, and as we know by a known result, we can break down one-time CCA security of a DEM to one-time CPA security plus one-time integrity of ciphertexts, meaning we get one-time integrity guarantees for the DEM. Okay, and if you think about what the simulatability does, intuitively it allows you to come up with ciphertexts that are completely independent of a message, and what you can actually show is that simulatability implies CPA security. Okay, so what does it give us? Well, if we stick to a CCA secure KEM, if we additionally add one-time integrity of ciphertexts to the DEM, we should still obtain a CCA secure public key encryption. This is all known. But what we could show is that under these given assumptions we can prove simulation-based selective opening CCA security. So somewhat, simulatability allows us to go from CCA security to simulation-based selective opening CCA security. Okay, this is one of the contributions of our paper.

The second one would be that we study concrete data encapsulation mechanisms, namely the ones standardized by NIST, and what we obtain is: take any CCA secure KEM, combine it with any of these modes of operation, and you get a simulation-based selective opening CCA secure public key encryption in the ideal cipher model. You have to be careful when picking the DEM, because some of them need to be equipped with a one-time MAC or something like that to obtain the one-time integrity protection you would like to have.

Okay, so how do you prove such a statement?
Okay, so let's get back to our picture where the simulator has to take care of the interaction between the ideal game and the adversary run inside the simulator. What I removed by the three dots is something like generation of the public key and secret key of the key encapsulation mechanism, plus running the key encapsulation mechanism to obtain the symmetric key and its encapsulation. Okay, the adversary will output a message distribution; we just forward it, and now we can run our fake algorithm on the additional key information to obtain fake ciphertexts that we can feed to the adversary. Then the adversary will pose open queries; we can just forward them, and the ideal game will reveal message M_i to the simulator. Okay, but what can we do now? Well, we can use make to output a permutation, and this permutation will be consistent such that if I run Enc with access to pi_i on message M_i, I will obtain the ciphertext C_i output by fake earlier. Okay, and then I just take the permutation output by make and patch it into the ideal cipher, and then I should be fine. This can happen multiple times, and the randomness that is revealed here would be the randomness used by the key encapsulation mechanism, and eventually the adversary will output out and I'm just going to forward that.

Makes sense? Yes, so actually this is... yes, this is cheating, so make is actually not... so it would be sufficient for make to not output a full permutation but just the spots in the permutation relevant for making sure that M is the message contained in some ciphertext C. So what will actually happen is that make will output something we call a partial permutation, and the environment outside of make, which will be the simulator in our case, will put this partial permutation into the ideal cipher and will fill up the ideal cipher on the fly by lazy sampling. So yes, make is supposed to output a partial permutation only. Okay.
I'm going to skip over... Sorry, so I guess intuitively it makes sense because make and fake are designed such that it's supposed to work. The only thing I glossed over is that we want to patch the permutation into the ideal cipher, and it's actually not clear if we can do that, because of the adversary. So what do we have to do? We have to make sure that, to patch pi into the ideal cipher, the ideal cipher has to be sufficiently free, and what I mean by sufficiently free is that it would suffice for the ideal cipher to be free at the spots where we would like to embed the partial permutation. However, it's easy to argue that the whole permutation IC_K will be empty, and this is where at some point we should use the security guarantees of the KEM and the DEM; this is exactly where they come into play.

Just to give you some more detail on that: so an ideal cipher is a keyed random permutation where for each key you get a random permutation, and I'm going to denote a key encapsulation of the block cipher key and the additional key material just by K, K' in a box. So think of this as a CCA secure box. Okay, and if you use this notation, a hybrid encryption of M will contain the first component, the KEM part that contains the block cipher key and the additional key material, plus the data encapsulation that has oracle access to the ideal cipher IC_K, key material K' and the message. Okay, and we want to ensure that the ideal cipher IC_K remains unevaluated until the adversary opens the respective ciphertext, so as soon as this happens, we, we being the simulator, learn the message, can run make and embed the permutation, and then we should be fine. So we just have to guarantee that until opening, the adversary will not query any entry in IC_K, in the ideal permutation. Okay.

Okay, so how do we do that?
Well, intuitively, CCA security of the KEM will ensure that if the adversary sees the encapsulation of K, K', he cannot obtain K or K' from it, so he shouldn't be able to query the ideal cipher on key K. And then we've got the DEM, and another way for the adversary to force an evaluation would be to submit decryption queries that use as first entry the encapsulation of K, K' and some other component, and assuming we would process such a query by decryption, we might evaluate the ideal cipher on K, on the permutation K. However, the one-time integrity of ciphertexts will ensure that we can just return bot for such decryption queries. And this is why we need the simulatability plus the CCA security of the KEM and the one-time integrity of ciphertexts of the DEM, which is... yeah, we'll get to it in a second.

Okay, so what did we see? So we defined a structural property of DEMs, which we call simulatability, and what does it allow? Well, simulatability seems to lift the security of hybrid encryption schemes from standard CCA security to simulation-based selective opening CCA security, somewhat without additional assumptions. So we have to use simulatability as another assumption, but CCA security of the KEM plus the one-time integrity of the DEM have to be assumed to construct CCA security, and on top of that we need simulatability of the DEM to get to selective opening CCA security. However, for lots of practical DEMs simulatability is given. So what does it mean? For lots of really practical public key encryption schemes obtained by the hybrid KEM/DEM paradigm, we actually get simulation-based selective opening CCA security for free in the ideal cipher model.

Thanks for your attention. You can find the paper on ePrint, and if there are any questions I'm happy to answer them, and greetings to both of them.

Session chair: Thank you very much. Do you have comments or questions?
Question: Can you provide some intuition why this isn't implied by standard, sorry, semantic security, even for the CPA case?

Answer: Well, usually your encryption is committing, and once it is committing it's impossible to output a ciphertext... so I just need a while to get back. So what we have to have here is that we want to output ciphertexts without knowing the underlying message, and only later on we learn the message and somewhat have to fix it, and as soon as the ciphertext is committing there's no way to find randomness such that... Okay, maybe for the one-time pad, but for practical data encapsulation mechanisms it's highly unlikely that you will be able to open a ciphertext to any message.

Session chair: Any other comments or questions?

Question: Yeah, the assumptions, are they kind of random oracle or ideal cipher, random... or it's the model, and then as a minimal assumption is that you need to have a trapdoor function, right? Because in the public key encryption scheme, when the KEM... it doesn't have to have any simulatability, correct? Yeah, so yeah, that's the thing. I don't know a lot about simulation-based selective opening, but what are the minimal assumptions for selective opening? Can you do it from trapdoor functions or do you need, like,
lossy...?

Answer: So if you go for standard model results, and if you just want to go for, let's say, selective opening CPA security, you need tools like lossy encryption, meaning you need lossy trapdoor functions to construct that. An alternative would be to go for schemes encrypting bitwise. In practice you don't want to consider them.

Question: Bitwise, you mean that...?

Answer: Well, the thing is, if you encrypt bitwise you might have a chance to find randomness such that a message combined with this randomness becomes an encryption of the ciphertext you already committed to, just because your message space is really small. There's a notion of committing public key encryption, and as soon as you go for that you can't be simulation-based selective opening secure.

Session chair: Any other comments or questions? A quick one.

Question: I just have one quick comment or question. Does your technique extend to receiver selective opening security results, possibly?

Answer: Okay. Thank you.

Session chair: Okay, let's thank the speaker again. The last talk of this session is Selective Opening Security in the Presence of Randomness Failures, by Viet Tung Hoang, Jonathan Katz, Adam O'Neill and Mohammad Zaheri, and Adam will give the talk.

Speaker: So I'm going to talk about Selective Opening Security in the Presence of Randomness Failures. I guess