I'll proceed to the next talk and switch to a completely different subject here. All right. So the next talk is about cryptographic reverse firewall via malleable smooth projective hash functions, by Rongmao Chen, Yi Mu, Guomin Yang, Willy Susilo, Fuchun Guo and Mingwu Zhang. They are from the University of Wollongong, Australia, and I guess Mingwu Zhang is from Hubei University of Technology, China, and the work will be presented by Guomin.

Thank you for the introduction. So I'm Guomin from the University of Wollongong. Today I will present our work on crypto reverse firewall from malleable smooth projective hash functions. Okay, so first I will give an introduction for the background, and then I will briefly introduce what a crypto reverse firewall is, and then I will introduce our new notion called malleable smooth projective hash. And then we show how to use this new primitive to construct CRFs for different functionalities, including message transmission, the oblivious signature-based envelope protocol and also the oblivious transfer protocol.

All right. So the background. I think we have heard a lot about Edward Snowden, and then the mass surveillance and the backdoors.
So basically all of this shows that some powerful actors, such as intelligence agencies, can subvert the implementation of crypto algorithms or protocols, and then, using the subverted mechanism, they can bypass the security protection even if we use a standardized encryption scheme, for example. The good news is that now we are all aware of these incidents. Now basically we have the so-called post-Snowden, or post-quantum, post-Snowden cryptography. So basically we want to achieve meaningful security even when the implementation of those mechanisms has been tampered with by, for example, powerful actors like intelligence agencies or some major IT companies.

All right, so there is also an announcement, the statement published by IACR in Eurocrypt 2014. Basically this statement is calling for research and development of efficient techniques for protecting against the leakage of private information through subverted crypto implementations. So we have heard about some techniques, for example kleptography and also the deterministic mechanisms to prevent the leakage of secret information. There is another useful tool called a crypto reverse firewall. This was introduced in Eurocrypt 2015.

So what is a crypto reverse firewall? It's just like a normal firewall.
For the normal firewall, the basic functionality is to do filtering, right? We just filter the messages, mainly the incoming messages, the inbound messages. However, a crypto reverse firewall is to protect against leakage from a crypto algorithm. We call it a reverse firewall because basically we want to prevent the leakage from the inside. If we have some subverted algorithm here, then this algorithm may leak information through some subliminal channel.

All right, so basically if we have some protocol here, for example a key exchange protocol or a message transmission protocol, then we build a shield outside. So basically, like a shield outside the machine, and then all the messages will be processed by this firewall in order to prevent leakage. This approach is quite different from other approaches. For example, some other approaches, like using deterministic schemes or using the so-called kleptography, may need to modify the implementation. But here we don't need to do any modification on the underlying system. Basically we just add a shield outside the system.

All right. So this is the basic definition. And the nice feature, besides the transparency (basically, we don't need to touch this part, the original system), is that we can also stack the firewalls. Basically we can build different layers, and all these layers can work smoothly. That means, if you want the firewall to be robust, you may put several different firewalls, and just like in a mix-net, if you have one of them working then your system will be secure. So this is a good feature of a crypto firewall.

There are some properties we should satisfy. The first property is obvious: we should maintain the functionality of the underlying scheme. That means this crypto firewall should be transparent to the end users.
So basically, from the end user's viewpoint, this firewall should be transparent. The second property is security preserving. The firewall should not introduce any security problem for the underlying protocol. That means if the protocol is secure, then this firewall should not destroy the security of the underlying protocol. The third property is obvious: we want to prevent any leakage from the subverted algorithm.

All right, so I will describe a little bit more about these three properties. The first is quite straightforward. Basically, if we have a firewall here, the protocol should just work as smoothly as without a firewall. So this is quite straightforward. For security preserving, if we have an honest implementation of the security algorithm, the firewall should not affect security. So this is again quite straightforward. However, we also consider a stronger notion of security preserving. Here we consider that this is an algorithm that has been tampered with, and we want to still maintain security even if we have some subverted algorithm here.

All right. So here we have two notions. One is called strong security preserving. That means we want to preserve the security of a protocol even if the protocol has been arbitrarily tampered with. And then we have weak security preserving. That means the protocol may be tampered with, but it will maintain the functionality of the original protocol.

To give an example of this weak security preserving: we want to encrypt a message, right? But now I want to maybe leak one bit of the message being encrypted. So how to leak it? Basically, you can just choose one position. This position is known by the adversary when the adversary plants the backdoor inside the system.
So for example, the i-th position is the bit of the message it wants to leak. Then the algorithm, if it's a randomized algorithm, can simply run the algorithm repeatedly using different randomness until the i-th bit becomes the bit it wants to leak. In this case it still preserves functionality. However, the outsider can, from the output, for example the i-th bit of the ciphertext, learn whether the i-th bit of the encrypted message is zero or one. So this is one example of weak security preserving. Strong security preserving means we don't care about whether the subverted algorithm maintains functionality or not.

All right, so this is about the security, and then we also need to consider the adversaries. We can consider the eavesdropper as one type of adversary. And we can also consider the peer party as another potential adversary, because the peer party may want to learn some secret from the other side which it should not learn according to the original protocol. So this is security preserving.

And then the third notion is this exfiltration, or leakage, resilience. Basically the idea is that we should not allow any secret information to be leaked. It's defined using this game. Basically we let the adversary choose, for example, a subverted version of the algorithm, and then we have two worlds. In this world we run this subverted algorithm, and in the other world we run the honest algorithm. Then the output will be processed by a firewall, and the adversary needs to distinguish whether it's in this subverted world or the other, honest world. So basically, if we have this exfiltration resistance, that means the adversary cannot distinguish which world it is. The requirement here is that the adversary should not be able to tell whether the algorithm behind the firewall is the honest algorithm or a modified algorithm. All right, so this is the so-called exfiltration resistance.
So again, we can define strong and weak exfiltration resistance, and we can also look at the adversary at different levels. The eavesdropper is a weak level, and the peer party can be a stronger adversary.

All right, so there is also some relationship between this notion and the previous one, the security preserving notion, because we can easily see that if the protocol is secure and if we have exfiltration resistance, then it will be security preserving, especially for privacy or confidentiality related security notions. The reason is this. If this is an honest implementation, that means it has some security, it preserves some security. And the firewall here, I need to mention, will not share any secret with these protocols. What the firewall needs is just some fresh random coins. So basically, if this is an honest implementation and it has some security, then this firewall will not violate the security for sure, because this is just a public function using some random coins, so it will not violate, for example, the confidentiality. Now, if we have a subverted algorithm, and if from this subverted algorithm we can leak information here, then basically we can distinguish these two worlds for sure. So once we have this exfiltration resistance, that means we cannot distinguish these two worlds, and if the underlying protocol is secure, then we can make sure that even if this is a subverted algorithm, after the message goes through the firewall it will still preserve the security. So this is the relationship between exfiltration resistance and security preserving. Basically this also tells us that when we analyze security, if we can have the exfiltration resistance, then it implies the security preserving.

All right, so that's the big background about the crypto reverse firewall. And then in Eurocrypt 2015, where the notion was proposed.
So there is a question: we want to find a full categorization of functionalities and security properties for which a crypto reverse firewall exists. In this work we try to partially answer this question. Basically we build a generic approach for designing crypto reverse firewalls for functionalities that are realizable by smooth projective hash functions. Actually this is a very useful primitive for, like, security, privacy or confidentiality related functionalities. Later we will see the applications that can be realized by smooth projective hash.

Okay, so the second part. This is one of the major contributions of this work. We introduce a new notion called a malleable smooth projective hash. First I will briefly introduce what a smooth projective hash is. Basically the notion was proposed by Cramer and Shoup in 2002. For a smooth projective hash, we have a domain X and a range Y. Actually it's a family of functions. Basically we can define a family of functions which will map elements from the domain X to the range Y. The domain X can actually be separated into two sets. One we call the language L. One is the elements not in the language L.
So we have several hash functions. First is a hash function, and then the projection hash function. The hash function will take a secret hash key. So for the projective hash, we have a secret key, which is the hash key, and a projection key which can be derived from the secret key. You can treat this as like a private key and this as the public key. To compute the hash, if the element is in the language L, that means there is a witness which can prove this element is in the language L. Then we can calculate the hash in two ways, either using the secret key or the projection key. If we use the public key, we need to use the witness. So basically, if you look at encryption, this is a decryption key, and the witness is just the randomness. So we can produce a hash either using the witness or the secret hash key. However, for the elements that are not in the language L, that means we don't have any witness. Obviously we cannot use this method because there is no witness, so we can only use the secret hash key.

All right, so there are several properties. First is correctness: if the element is in L, then the two hashes should be the same. The second property is smoothness: if the element is not in L, then this hash value is basically unrelated to the projection key. From the projection key, you cannot learn any information about this hash value, right? So basically this hash value will be statistically indistinguishable from the uniform distribution in this range Y.

All right, so we also require the subset membership problem to be difficult. That means no polynomial-time algorithm can distinguish elements in L from elements outside L. We also require this to be true even if the adversary knows the secret hash key. Even if the adversary knows the secret hash key, this problem should still be difficult, right? So that's the smooth projective hash.
So in our work we extend this notion to build the so-called malleable smooth projective hash. We introduce a few functions. These are just some quite straightforward functions. They allow us to sample some randomness used to generate the hash key and the witness. And these four functions are the major functions we will require.

First we have a so-called malleable key function. It takes some randomness generated by the first sampling algorithm, and then it will just randomize the hash key, or the projection key. So it will produce a new projection key. Corresponding to this malleable key function, there is a malleable hash function. Basically we can use this same randomness and the word to calculate this hash value here. This is basically the difference between the original hash value for C and the new hash value using this randomized hash key, or projection key, sorry. So this is for the hash key and the projection key. And here we have another two algorithms, for the element re-randomization. We can re-randomize an element using some randomness sampled from the second sampling algorithm, and then we can also similarly calculate this hash value, which is the difference between the original hash value and the new hash value for this new word.

Below I will show some pictures to demonstrate these functions. This is basically the original smooth projective hash. We can calculate the hash in two ways if C is in the language, that means if there exists a witness. We can use the projection hash or we can use the secret hash key to calculate the hash value, and these two values must be the same. Now we introduce this malleable key function. That means, given a projection key and some randomness we sample from this algorithm.
Then we can modify this projection key to a new projection key, and we require that this projection key should be independent from the original projection key. That means, in the paper we define a security game. The adversary will provide two projection keys, hp0 and hp1, and then we use this function to randomize one of them, and we require that the adversary cannot distinguish, from the output, which one is the original projection key used by the simulator. So this is to make sure this re-randomized key is unrelated to the original projection key. And then of course we should be able to calculate a new hash value from this, if this element C is in the language. Also, we can use a new hash key to calculate the hash value. However, we need to have some relationship between these two hash values. Basically we require that we can use this malleable hash function to calculate the difference. If we combine this difference with the original hash value, we can get a new hash value, and these two values must be the same. So this is for the projection key malleability.

All right. Similarly, we have the element re-randomizability. Given an element, we can re-randomize it using this element re-randomizing algorithm. Similarly, we require this for any C. The element C can be in the language or outside the language, so C can be any element in the domain X. After we do the re-randomization, basically this new re-randomized element should be somehow independent from the original element. We can also define a similar game. The adversary can choose two elements, C0 and C1. We don't require C0 or C1 to be in the language, so they can be any element in the domain X. Then we do this re-randomization, and we require that, from the output, the adversary cannot tell which element was chosen for the re-randomization process.
So similarly, if we have this re-randomized element, we can calculate the hash value, similar to the previous property for the projection key. We require that there exists another algorithm that can calculate the difference between the two hash values. If we combine this difference with the original one, we can calculate the new hash value. All right. So the third requirement is that this process should not change the membership of the underlying element.

So basically we show this if we look at the smooth projective hash defined using the graded ring. This was proposed by Benhamouda et al. in CRYPTO 2013. We can actually construct a malleable smooth projective hash from this smooth projective hash from the graded ring. Here we actually simplify this construction. Basically we prove in our paper that if this theta is an identity function and this gamma is a constant function, then this smooth projective hash from the graded ring is actually a malleable smooth projective hash, and we show a concrete example from the k-linear assumption to show that this malleable smooth projective hash is actually feasible. And later we will actually see another example, which does not require these conditions.

So here we can see it quite easily. For example, the element re-randomizability can be achieved by this hard subset membership problem, because if this gamma is a constant function, that means this will generate a word. However, according to the hard subset membership problem, this word is indistinguishable from an element from the whole domain X. That means we can just simply use a hybrid argument to replace this with a random element from the domain X, and this will hide the original word no matter whether this C is within the language L or not.
So this is the intuition of how to prove it.

The second part of our contribution is that we show how to use this malleable smooth projective hash to construct crypto reverse firewalls for different applications. First is a message transmission protocol. Basically, we can build a secure message transmission protocol using the smooth projective hash. The receiver can generate a key pair and then send the projection key to the sender. The sender can simply sample a word and witness, and then calculate the hash value, and then use the hash value to hide the message, and the receiver can recover the message using the secret hash key.

All right. So now, how to build a firewall? Basically we try to re-randomize the projection key. We can simply use the two algorithms. First we sample some randomness, and then we use this malleable key function to re-randomize the projection key. However, if we do this, the original receiver cannot recover the message, because now the projection key has been changed. That's why here we need to apply the malleable hash function to basically remove this delta V, which is introduced when we update this projection key. Once we remove this part, the original receiver can just recover the original message. It can be shown easily that this will preserve the functionality, and it will provide strong exfiltration resistance because we have the so-called projection key indistinguishability, because this randomized projection key will not leak any information. Through this randomization process, basically this key will be independent from the original projection key.
So there is no information leakage from this output after going through the firewall.

And then for Alice, we can similarly do the re-randomization using these two algorithms. We will randomize the element, and then we use this re-randomizing hash function to calculate the difference, to calculate a delta V here. We can use this delta V to re-randomize the original ciphertext. However, different from the previous one, here we don't need to actually do any other process, because once you use the hash key on the updated element it will automatically calculate the hash value which is a combination of the original hash value V here and the delta V here. So we don't need to do a second process to remove this delta V. This is the difference.

However, here we can only provide weak exfiltration resistance. The reason is that, if we consider strong exfiltration resistance, then adversaries can arbitrarily modify the protocol. So adversaries can actually leak information from this message M. There is no way to prevent such kind of leakage, because the arbitrarily modified algorithm can just leak information through this M: replace M with something else, and the receiver can definitely recover the leaked information. So there is no security against such kind of leakage. However, if this part maintains functionality, that means it can deliver the original message, then we can prove that this can maintain the exfiltration resistance. So this is the definition of weak exfiltration resistance. However, for the eavesdropper, we can prove that this firewall can actually achieve strong exfiltration resistance.

And then the second protocol is similar. We consider the oblivious signature-based envelope. So it's similar to a message transmission. However, here the language is more complicated. We require the receiver to have some sort of credential. Only the valid receiver having some credential can recover the original message. All right, so I will just go through the slides quickly. The steps are similar. We just re-randomize the word for this receiver, and then we re-randomize the hash key for the sender. In this case we can have some results similar to the secure message transmission. And here I just want to show that the language is actually more complicated. You can see here the language is any word that is a linear encryption of the Waters signature. In particular, for such kind of language, this theta is no longer an identity function. That means we can build malleable smooth projective hash from different mathematical structures.

All right, so the last part is oblivious transfer. The only difference between the oblivious transfer and the first two protocols is that here we need to achieve the so-called verifiable smoothness, because we need to make sure that the receiver can only receive one of the messages. In order to do so, we need to make sure of the two words (basically we use two words to do the encryption) that only one of them can be in the language. So how to do it?
So we use these two algorithms: one is the sample algorithm, one is the pair algorithm. We make sure that the receiver can generate one word, and if this C_b is in the language, then the sender can generate another word, which is outside the language. However, if C_b is outside the language, then C_{1-b} will be inside the language. In this way the sender can make sure that one of these two words will be outside the language, so that the receiver cannot recover both messages. So that's the first modification.

And the second modification: basically here we try to use an untrusted setup. That means we ask the receiver to generate the generators, or the basis. So that's the second difference. In order to address this difference, basically we introduce another algorithm that will re-randomize the element basis. That means even if we have an untrusted setup, we can re-randomize the element basis, and then the other part is similar to the previous protocols.

All right. So this is basically the instantiation of the OT protocol. We can capture the original OT CRF construction in the Eurocrypt paper, and actually we can build a more efficient variant of this protocol.

All right. So that's the major part, and now I need to conclude. Basically we show how to build this new notion called a malleable smooth projective hash from the graded ring and from the smooth projective hash, and then we ask whether there is another way to construct it. One difficulty is, for example, for RSA-, DCR- or QR-based structures: basically we cannot easily re-randomize the modulus. So that's a difficult part for those kinds of structures. And then we also ask whether we can build other applications and the corresponding CRFs from this new notion. So that's all for my presentation. Thank you.

Thank you very much. All right. We have almost no time for questions. A short question, perhaps? Otherwise, while you're preparing.
All right, let's thank the speaker again.