 Hi, everyone. Thank you for taking the time to view the studio. This is a longer version of the talk that I'm presenting during the proceedings of TCC 2021. This is about my work on updateable public encryption in the standard model and this joint work with you, Kenny Todes and Daniel Wicks. Without much ado, let's quickly jump into it. Let's begin with a quick refresh of public encryption and motivate forward secure public encryption using it. And then we will tie it up with our primitive of updateable public encryption. Let us recall the setting of updateable public encryption. You have Alice and you have Bob. Bob wishes to communicate with Alice in order to facilitate that Alice generates a public key secret key pair keeps a secret key for herself and communicates a public key to Bob. With knowledge of the public key can choose to encrypt a message M not with the big public key to get cipher text C zero and communicates that cipher text to Alice. Alice with knowledge of the secret key is in a position to decrypt C zero and recover the underlying message M not. And Bob can do it repeatedly. And at some point of time we assume that there is an attack. And then there is an adversary who is capable of corrupting the user. And you're, if chooses to cut up Alice and recover the secret key info. Now it is obvious that if Eve has kept track of messages C not through C for can use a secret key to decrypt the cipher text to recover the underlying message M not through M for making all of them insecure. Now, the question we ask ourselves is can we protect the messages. So more granular look at when the compromise happens. And let us assume that the compromise has happened sometime between Alice decrypting C one and Alice decrypting C two. Now, the problem is that the messages from M to and M three and M four are impossible to protect, whereas the goal of forward secure encryption is to protect M not an M one, because those messages were received before the corruption happened. This is the forward secure public encryption. Alice generates a public key secret key pair for a particular time period, same time period zero, keep secret key SK zero for herself and communicates PK zero to Bob. Bob with knowledge of PK not can encrypt a message M not have its choice to communicate the cipher text C not to Alice. In addition, Bob also moves the public key from PK not to a new time period, PK one. Now Alice with knowledge of the say our secret key SK not, and having received the cipher text C not can decrypt the message to get M not, and also moves the public secret key that she has from SK not to ST one. Bob does this repeatedly. Now, if SK two is corrupted, the goal of forward secure encryption of public encryption to be precise is that M not an M one remain secure and M two and three and M four are basically impossible to protect because those cipher texts were were received after the compromise has happened. Now let us quickly take a look at related work in FS literature, pretty much a state of the art is the work by Kennedy et al. Where they propose constructions of public encryption from her article identity based encryption. Now most recently in crypto 2018 you had work. Your two words that propose a notion of key updateable public key encryption schemes, right now the key updates can be labeled by arbitrary strings but once again the constructions work from hype. Now I've schemes that often more complicated and inefficient when compared to the public encryption counterparts. What can we confront in this paper in this research is can we close the efficiency gap by suitably weakening the security definition in specifically what we want this to use the cipher text that the sender is communicating with the receiver to help achieve maybe a weaker notion of forward secrecy. Now let us take a look at how this would look. And this most simple setting to visualize would be the symmetry key setting. So Alice has a key K naught and Bob also has a key K naught. Now, one simple thing that Bob can do is when Bob is encrypting a message and not of this choice will also encrypt the new key K one. So Alice with knowledge of K naught will be in a position to decrypt and recover both M naught and K one. And this can happen repeatedly. This is a very simple setting and very simple scheme indeed. However, the symmetric scheme is inherently one center one receiver. And if we need for if we needed to support multiple centers. We would have to rely on some kind of a public key primitive. So let us take a look at a direct counterpart of symmetric encryption where I'm just replacing all of the keys. With public key secret key pair. So this is how it would look. Where I'm replacing. In this manner. So what has happened is that Bob chooses a PK one SK one pair, and then sends SK one along with PK one to Alice. Now Alice can decrypt the message to recover M naught and SK one and can simply make sure that SK one and PK one are consistent and so on and so forth. However, we recall that the issue that we had was that we wanted to support multiple centers. So what if we have some kind of a another user Charlie who wants to also participate in sending messages to Alice. And one issue that is immediate is that Charlie needs to keep track of the most recent message so that Charlie knows the public key that is most current and can use that public key to encrypt messages. So specifically, Charlie needs to keep track and make sure that Charlie knows PK to to intervene at this point to encrypt the message using PK to. In essence, this requires strong synchronization. However, all is not lost, because for some applications such as a care messaging this is not a huge problem we can assume some kind of serialization. So are we done with the setting. Is it a case of, is it the case of undisputed securely after, unfortunately, not as with any message as with any scheme that are lurking trust issues here. And what is the trust issue here. Let us now look at multiple sender when both Bob and Charlie wish to communicate with Alice. So this is how the scheme would look if you have Alice we have Bob and we have Charlie. Now Bob begins the first message, sending by first moving PK zero to PK one and encrypting the new secret ksk one that is consistent with PK one, along with the message I'm not of this choice. Now we are assuming that these public keys are written in a public manner, so that Charlie can quickly recover the most recent public. Now Alice with knowledge of SK not as before can decrypt to get M not an SK one. Now, Charlie will retrieve PK one, generate a new SK to PK to pay and send a message of this choice which is M one, and also move the public record to PK to. Now Alice is in a position to decrypt the message. Now we spoke about trust. So, let's look at who can Charlie trust in the setting, Charlie can trust himself and Charlie can trust the receiver, because Alice is the one he's communicating with and the palace is a corrupt entity anyway the messages are insecure at the point of time. However, we need to trust actually. It is quite obvious to see that Charlie also needs to trust Bob in the setting. And which might be fine. Unless Bob is a malevolent entity, in which case we clearly have a problem. It is a big problem, even if you assume an honest but curious model, because either Bob can choose randomness which could be corrupted later, or Bob can choose bad randomness, or simply Bob can choose not to erase SK one, because if Bob still had SK one Bob can decrypt the message that's being sent by Charlie, the recovering the time message so this is basically on an on a protocol where we expect the users to generate the new public security pair and immediately erase secretly that has been generated from his memory from his or their memory. Now, the goal that we have to ask is reasonable security even under compromised senders, and the solution is quite simple. The cipher takes will aid in producing the secret keys chain and not contain the secret keys themselves, and this is what we call updateable public encryption. So let us take a look at the updateable public encryption, the primitive with its syntax and security. So let us the setting here as before we assume that some kind of a serialization mechanism has happened, where every user receives the same order sequence of ciphertext, which is to be decrypted by the receiver. We can either assume it's a one sender or there's some external mechanism to serialize in a nutshell sender or senders possibly produce a public key chain. We will receive the help the receiver produce a secret key chain, and the both the chains need to be consistent. However, the key point here is that the public key chain is not fixed here priority. So therefore, what we get is a security requirement that any good ciphertext within within quotes restore security irrespective of what happens between them. So let's formalize this intuition with the syntax and security just a few slides. So, let us look at take a look at the syntax of UPK UPK much like any public encryption will have the three key algorithms of Jen and corruption and the original updateable public encryption which is proposed by Joe's and others use three additional algorithms one to generate some kind of an update token, want to use the update token to generate the update the public key, and one which uses the tokens to update the security. The work by Alvin and others simplified it where they just assume that an update happened every after every message so they combine the update process and the encryption process together update public key to be precise and and the decryption process together. However, for clarity we have tried to take the middle ground where we will assume that there are five algorithms as opposed to six, which is a huge saving. And these are our algorithm. We are old as mentioned we have a general gen algorithm that will generate the public key secret key pair and encryption algorithm that will take a public key and message him, and they use some randomness to generate the ciphertext in the ciphertext space. Decryption will have a secret key, and will be in a position to decrypt the secret, the ciphertext C to recover the underlying message. In addition, we have two other algorithms which is update public key, which is a randomized algorithm that takes public key the old public key and produces the new public key PK pride, and something called we call as the update ciphertext. Now the update secret key will take the old secret key and the updates I predict that was produced here to produce a new secret key escape prime that is consistent with PK prime hence the colors. So what is the correctness requirement. The correctness requirement is that if a message is encrypted with a public key. It is decrypted by the corresponding secret key very very naive extension of a standard PK correctness. So what is the security what is our security model. We are what we present here is something called as INDC RCPA star. Well you know what INDCPA white mean the CR and the star are notations that we will explain in the very next slide but let's take a look at the security definition. So we have the challenger, and we have the adversity. Now, the challenger will generate a public key secret key pair for time period zero and also chooses the random bit for the CPA part of the game. It will communicate the public key PK not to the adversary. The adversary will provide a sequence of randomness are I say q such randomness, along with its challenge messages m not star and m one star. Now this is what the challenger does. It will sequentially update the public key. Q times from PK not to PK q and similarly, update the secret key as well so as follows, so it will take our one PK not to produce a new public key PK one and the updates I protects up one up one becomes in becomes an input to the update secret key algorithm along with a state not to produce a step one. This happens repeatedly. At which point, what the adversary what the challenger does is that challenger will choose a randomness R star of his choice and produce the corresponding PK star and SK star. In essence, what is happening is that this R star corresponds to a good ciphertext where it's not an adversarily controlled randomness so as long as this has happened, security is restored is what our security cave will capture. What does the adversary receive the adversary will receive PK star and the secret key wherein there is a compromise that has happened which has made the adversary possible to receive the secret key. Along with an update ciphertext that was actually used up star and the challenge ciphertext which is an encryption of PK key MB start under PK q. Okay, so the idea here is that as long as there is one good randomness. Even if everything that before was adversarily controlled and possibly zero randomness went into it. There is still security. It's a fundamental goal. Now the adversary will respond to be pride and the probability that they are the red attack of Vince is probably that be is equal to be prime and this is standard advantage definition. So, this is our security definition, but as I said, what does CR me and why the start with something you will look at right now. But before that we will quickly look at differences some subtle differences from existing definitions of the security game to begin with just another's does not provide the malicious randomness. What it allows us for the adversary to expose randomness instead. And the original definition of the other definition of Alvin and others were included the best. Am I because we call that some of the update public encryption update public operation and the encryption were combined together, but as it's quite unnecessary for our model. So let us look at the security model. CR is basically a short purchase in randomness. Basically, the adversary chooses the randomness as indicated by our idea. This is something that's adversely chosen. I am the CR CPA start is a very simplified model presented here. And what is why what does a simplification, we assume that the secret key is revealed right after the challenge message. So basically, PQ is used to encrypt the challenge message. And there is a good update that happens, which gives you the secret key right here. However, a more generic assumption would let you choose. Let the adversary process provide for more randomness between the challenge phase and the expose phase or the reveal to our face of the operation. And we present this more generic question in a full version. Additionally, we also look at the CC extension of this definition, which will allow for decryption queries. This is available in the full version. And there is a stronger security model where beyond chosen randomness which we refer to as chosen update a bridge with seeing you. And here, the adversary provides update. So rather than just providing randomness are I the adversary provides an update ciphertext and a public key consistent with the update. What do I mean by public are consistent public consistent with the update is that the new public key. And when the receiver is decrypts the update ciphertext to and then updates its secret key from SK not to SK one, SK one and this provided publicly pk one are consistent. And this is a stronger model. And we present constructions and study this thing a little more detail in the full version of the paper which we call as I and VCU CPA, and it's easy to count about I and VCU CCA. So let us look at where UP case stands between public key and forward secure public encryption and just a quick comparison in a very zoom dot. We will compare along three axes, the efficiency, the assumptions and the public security security, it's very efficient. You have a whole bunch of assumptions did he had CDS factoring out the beauty and by definition it's clearly not forward secure. But as fsp ke on the other hand is inefficient because most construct all the constructions are from height. Now it has more and more high constructions were built they were consequently more and more fsp ke constructions from a wide swath of assumptions. And by definition this is forward secure. The upk that was proposed by Joe's and others is roughly the same efficiency as a pk scheme, we will look at that construction just a few slides. I've got the very next slide. And the assumption here is that it requires a little bit of synchronization as we discussed, and the final piece of the puzzle is that it is from the CDH assumption. And it is in the random model model. However, this will serve as a very useful launchpad for our construction and where we will eventually get to. So this is their construction. So they have a general algorithm that will basically the public key secret key s and compute public key SG to the S encryption is uses a randomness, and then hashes the randomness and the encryption is basically the entire scheme is similar to the standard has to come out of it. However, the update public encryption they have is they use to randomness, one to generate randomness R one, using randomness R to generate actually a cyber text, and then update the public key h prime corresponding to G to the R one. So in essence R one is the offset with which you will update the secret key. The update secret key is basically decrypting and then updating the secret key as escape was R one. Now, what is the intuition that's happening here, let's just take a very zoomed out look update public key is basically this. Essentially think of it as there is some secret gig offset R one, which is also which you can use it to update escape prime as escape plus R one that's the key idea. So now somehow, the update pk should communicate R one so that the adversary are the receiver can decrypted to recover the offset. So, this is what happens, and the key idea here is that it uses this homomorphism property where the public key component h is nothing but G to the s which is a function of f of s. So that f of escape star of f of R one is basically pk times f of R one times being the star operation. So there is some kind of homomorphism, and for us it's very simple as pk times G to the R one. So now why is it secure just a very high level intuition is that let's assume q is equal to zero. What information does the adversary learn. So now the adversary q is equal to zero recall means that the adversary has not provided any randomness. So, just quickly goes into challenge phase that does a secret key s, and it receives pk not as G to the s. It produces. And then m one star and receives all of these public key pk star the SK star C star and abstract, and then it responds would be bright. So let us take a look at each of these terms. So what is SK star SK star is nothing but s plus some delta. In essence, it's a leakage function of SK. That's what the adversary receives. And what is up star actually up star is an encryption of delta star. The message is dependent on the secret key s, because the message is encrypted but with pk not corresponding with s, and the message itself is nothing but SK star minus s star s. Okay. So, what we have is that delta star is random. And fortunately, which means that the leakage is trivial. No leakage, you can prove it. And the other on the other hand, the hash function which is modeled as a random oracle will ensure cadm security. So this will be the intuition that we will use to launch towards us try and send more constructions. The cadm security will allow adversity to obtain an encryption of a function of G of the secret keys and a particular public key. And fortunately, we only need circular security that is an encryption of the secret key, and use some additional homomorphisms. When we go forward to a standard model. So here we have a vector secret key, say and and components law. And we can use both BHH or crypto system and you will require crypto system for this purpose. So delta bit by bit. So delta is a vector is an end bit vector, which is either zero or one. And this seems to be very inherent and we will see why when we get to the constructions. And the problem now is that the leakage SK I start is no longer trivial, because I'm taking a component, even if SK one SK to SK three might be an element in ZP the delta itself is either zero or one so if you are if you get the output you can easily recover the input. And so what we need is some kind of a simultaneous circular security and leakage resilience. What is circular security and leakage resilience security is that given an encryption of the secret key s and any bounded entropy leakage on as the scheme is still particularly secure. Okay, so let us now that let us now look at our contributions, and we will look at the needy edge construction. We will prefer you to the full version of the paper for a more robust security proof. We will only present a very high level intuition on what is happening. So this is our contributions. We built to efficient be up case case in the standard model, the constructions in the other two papers but in the random or a model, we have one construction from the DDS assumption which is based on the BHHO construction construction to is from the LWE assumption which is based on the dual system. And this is where our efficiency assumptions and forward security line. Well, we are going to have the synchronization, which seems to be inherent to this paradigm. So we have the assumptions we have CDS like CDH and LWE, and we inherited a security parameter loss in efficiency though, but it still seems to be better that FSB K constructions from similar assumptions though. And one key thing to note is that we have identified a similar blueprint, even though we haven't, we don't have a generic construction there. And that seems to be inherent limitations and trying to come up with a generic construction because of the way each construction treats what's the, how the update happens and the assumptions are for the omomorphism that we need. Okay. So let us take a look at the DDS construction very quickly. So this is a quick refresh on the DDS assumption. And we will go quickly into the BHHO crypto system. The idea here is that this is just a variant of the original crypto system. The idea here is that the secret key is L bit strength, along with that there is also G1 through GL which is a public key components. And there is another public key component computed as a product of GI to the SI where SI is just a bit to begin with. And the public key, secret key are returned. We'll just choose a randomness R. And we'll compute each component as GI to the R. And then finally compute C is equal to much to the R times M. And then return these L plus this L plus one group element. And this was the secret key of it will simply decrypted as C times the inverse of each FI to the SI. And these are G is basically a fixed generator of a cyclic group G with primordial P to be precise it's G1 through GL. So what is our DDS construction actually our DDS construction is as follows. As before, we will just sample L offsets as indicated before so delta is basically a bit string. And then I will compute the new public key offset as GI to the delta I and new public key as H times H prime, which is computed here. And we will also encrypt each delta bit by bit, but in the in the exponent, which is important for the key dependent message security. And we will return pk prime and updates hypertext. Now, the update secret key will be in a position to decrypt each delta I. And that's one of the beauty. That's why we need delta to be a bit string to make this decryption this discrete log possible. And then we'll update the secret key S prime as S plus delta, where it's an addition element by element over ZP and will return S prime. Okay, so what has happened is that even though we started off with a bit string. The the the resulting secret key that evolves basically grows slowly over ZP. And this is just a quick example of how it grows. So this is our DDS construction. Let us quickly move on to discussing the outline of the security proof. In the lack of time, I will only look at introduce a CS plus a large security game, and then discuss how we reduce the upk security to CS plus a large security and introduce the various assumptions that we have along the way such as more systems that we need. So this is the CS plus a large security as before we have an adversary or we have a challenger we have an adversity, the challenger generates pk and sk. Receives pk from the challenger and in response the adversity provides L M not an M1 your L is a leakage function which can possibly even be randomized. And then the adversary or the challenger will choose random it be will encrypt it as before, and will also encrypt the secret key under the public, though in our case we will have it bit by bit encryption but that's just a side subtle and then it will respond with C0 C1 and L of sk and the adversary now has to guess and the similar advantage as defined before. So in essence, what does the adversary get the adversary gets an encryption of the challenge message and an encryption of an encryption of the secret key itself. So, and this is, as I mentioned L can even be probabilistic so we only need that, that is, there is at most lambda bit loss in entropy when when we condition the secret key on the leakage function. So now we will reduce the UPK security to the CS plus LR security case. So this is how it proceeds so we will have CS plus LR implies UPK so we'll have the challenger, we'll have the, the purplish adversity which plays playing the UPK game and the bed adversity playing the CS plus LRK. The challenger will produce the public key secret key pair and send PK naught to the red adversary, which forwards it to the purple adversary. Now, in return, the purple adversity will provide Delta one and not start and then won't start. I should mention here that here I'm assuming that Q is equal to one just to just capture the essence of the game. Even though you can refer the paper for the full version of the proof. So what the adversity are playing the CS plus LR game does the red adversary is that it has to choose a leakage function. And the leakage function is a deterministic is a probabilistic leakage function, where you choose, I asked the challenger to choose around Delta of its choice delta star to be precise, and then do X plus delta star where X is the secret key. Recall that it's L bits long. So you're what I'm doing is that I'm implicitly sending a setting Delta star as a randomness for the security updates or the R star that we saw in the UPK security game is what I'm calling Delta star here. And now, the red adversary will send L and not start and then won't start. And in response, this is what the red adversary receives. It receives a secret key. L of escape, the leakage on secret key L of escape, which is some L, L, L vector, sorry, a vector of length L, which is defined as S naught plus Delta star where S naught was the original secret key which is L bits, Delta star is another L, L bits and then it does this bit by bit addition. It also receives the C naught, which is an encryption of one of the challenge messages and M not start at M one star, and also receives the secret key, or an encryption of the secret key to be precise. And we will call this as N prime, because what N prime is that it's basically a bit by bit encryption of S naught in the exponent. Okay. And so this is what the red adversary has. And we will now look at what the purple adversary needs and how the red bird bursaries in a position to generate it for the purple adversity. So it needs S star is equal to S naught plus Delta one plus Delta star, which is the new secret key which is corresponding to the fresh randomness Delta star. Fortunately, the red adversary already has Z, which is S naught plus Delta star so, and the red adversary knows Delta one because it receives Delta one from the purple adversity so it simply does an addition. So we have a check there. Now, now the red adversary has an encryption of the message challenge message MB subject to a public key PK naught. Okay, and this PK naught corresponds to a secret key S naught. However, what the adversary, purple adversary needs is an encryption of MB corresponding to the key S one and PK one. So what we have is a key mismatch. Okay. So this is what key homomorphism is is basically given a ciphertext and a public key pair corresponding to a secret key S. I will choose a delta. And it's in a position to generate a public key secret key pair corresponding to the secret key public key ciphertext pair corresponding to the secret key S plus delta. Okay. So let us look at the construction of key homomorphism keyomorphism is this perimeter is this function definition. And this is what we have we pass PK as the L plus one vector. And then for CT also as the L plus one group element, and it will compute h prime as h times GI to the delta I similar to what you saw in the update public key algorithm. And compute C prime also by updating this offset alone, and therefore will set PK prime and CD prime as follows and then communicates PK prime and CD prime as the return value. So what the red adversity will do is it will simply compute key homomorphism on PK naught and C naught, and it knows S delta one and provides that as the offset. Therefore, you will get C naught prime, which is also correct. So now let us look at the final one of the final components which is C one, which is bid by bid encryption as noted here. However, what the adversary playing the UPK game needs is each bid by bit of Delta star. So D one through D L is the offset that is used corresponding to the L L bits in Delta star. So here we not only have a public key mismatch the key we also have a message mismatch so you need message on the water with some in addition to the model. The message homomorphism is this given as hypertext that encrypts you to the x, you are given x prime, you want to be in a position to generate a hypertext that will now include cheap to the x prime minus x. And this is the construction. And we will not go into the details, you can verify the details due to pause at the time. However, we have this construction of message homomorphism. So now that the adversary will do is use first the key homomorphism to update it to the correct key, and then use message homomorphism to generate each and every component that is needed by the purple adversity. And the final component that the purple adversary needs to speak a star, which is easy to generate from just a star. And therefore, it simulates that also perfectly. So the purple adversity will respond to be prime, and then adversity just forwards that guess, this is the simple reduction that we have. And so, so far what we have seen is that we have seen how to reduce UPK security to CS plus the last security. So the missing part of the puzzle is to prove that our scheme is actually CS plus a large secure, which we will invite you to look at the full version of the paper, it's available online where we go into the details of the proof and summarize the hybrid arguments to prove it to be secure. So with that said, we will move on to the conclusion. We do not have time to go over the other reconstruction. However, we will invite you to again refer to the full version of the paper. So what have we done this stuff and this paper, we presented an updateable public encryption definition and security model. In our paper we presented to you PK constructions and standard model one from the DDS assumption and one from the other is option, which is believed to be post quantum secure. And two constructions were simultaneously secure and make it resilient. And we presented a possible abstraction and going from PK to PK, where we said a PK you will need CS plus a large security, some kind of keyword and some kind of message and that's the question if we can come up with a more construction that goes from any PK that has these properties to you PK. And that's all I have time for you. That's all I have time for. Thank you so much for taking the time to again see the full version of the video. I will take questions during the talk. Thank you.