 Hello, my name is Matilda and I will be talking about puncturable key wrapping and its applications. This is joint work with Felix Ginto and Kenny Patterson. In the full talk at Asia Crypt, I will try to tell you what puncturable key wrapping is, how it can be used, and why we think it's interesting. But in this teaser, I'm going to focus on the last point and tell you why I think we need puncturable key wrapping. So starting with a motivating example, let's take a look at the setting of Cloud Storage. Imagine that you're a user of a cloud storage service and that you have some files which you would like to upload to the cloud. However, the files might be of a sensitive nature, so you'd like to encrypt them before you outsource them. To do this, you generate a unique per file data encryption key, or deck for short, and use this to encrypt the files. Now you can safely outsource the storage of the files in the cloud. However, you're left with a bit of a key management problem because you have to store all of the data encryption keys in some protected storage. To get around this, you can generate what's known as a key encryption key, or a kek for short, and use this to wrap up or essentially encrypt the data encryption keys. Now the data encryption keys are also protected, and you can safely outsource the storage of both the data encryption keys and the encrypted files to the cloud. Now imagine that you want to delete the file and you send this request to the cloud. The cloud might respond that the file has been deleted. However, since the cloud is not trusted, you cannot actually be sure that the file was properly deleted. For example, if the cloud is malicious, it might simply choose to ignore your request to delete the file. And even if the cloud is honest, it might have been compromised by some external adversary that took a snapshot of the ciphertext before the file was deleted. It can also be the case that the file is kept around for backup or disaster recovery purposes, or that it's simply not properly deleted because of faulty processes. And this is a problem if your key encryption key were to get compromised, because it means that all of the files that you keep in the cloud, including the one that you wanted to delete, are potentially vulnerable. And this is a problem because it means that your deleted files lack forward security, which is something that we'd like to be able to provide. So imagine that there was a way for you to make sure that your deleted files were completely gone without having to trust the cloud at all. For example, you could imagine there was a way to punch a hole in your key encryption key to update it in such a way that it could no longer be used to unwrap the data encryption key corresponding to the file that you wanted to delete. Now, if your updated key encryption key was to be compromised, then your deleted file would be secure. This is exactly what punctual key wrapping gives us, namely find great forward security in an efficient and generic way. And with applications, both places like cloud storage, which I show you now, and also things like CLS session resumption. If you found this interesting, which I hope you did, you can learn more. Our paper is on e-print. Here's the QR code in the link, and I'll be giving a talk at AsiaCrypt 2022. Thanks for listening. I hope you enjoyed this video. I'll see you in the next one. Be quick, but there is a price, not forward secure. That's not really nice, but here comes a new scheme to rescue you out. The PSK is punctual, and that leaves no doubt. Don't worry, you really don't have to trust me. We managed to prove this in MSKE.