 So, the next presentation is about efficient public key cryptography with bounded leakage and temporary resilience. This is by Antonio Faunio and from Ahros University, Denmark, and Daniela Venturi from University of Trento, Italy. And the work would be presented by Antonio. Hi everyone. Thanks Oliver. So, this is a probably secure cryptography before physical attack. Everything was very well shaped if it's working. Now? Okay. Thanks. Okay. Probably security before physical attack, everything was very well defined. So there was a player P1, a player P2, they were interacting, doing some kind of cryptographic primitives and there was the adversary, the adversary could interact with player P1 and P2. They were very well defined way to define how the attacker was doing his attack. So he could corrupt P1, he could interact with P2, he could see the transcript and so on. Nothing. That's how it was. Instead with physical attacks, things really look more messy. As you can see, now there is no very well nicely shaped black box, but instead player P1 and player P2 will be implemented on very old, rusty computers. And these very old, rusty computers will make some noise, which more often will be correlated to the secret material that they use. So the adversary, which is marked, could leak this information. And for example, there is the very famous attack of timing attack of culture in the 1996, which showed that you could infer some extra information and break the protocol. You could be even more smart. In fact, one year after, they showed that Bonet et al showed that you can do some active attack. You can inject fault in the computation and you can break cryptographic system. So the things here are much more messy than before. So we are interested mostly in tamper resilience. So let's give you some minimal related work. So when you want to do tamper resilience, the first thing that you want to think is which kind of tamper resilience you want to get on the circuitry, the circuitry of the cryptographic protocol, or the memory that contains the secret state. So in the case of circuit, there is this very famous work of Ishaï et al. Then in the case of memory, there is this seminal work of Jenar et al. He gave some impossibility result. But more importantly, they gave some impossibility result. The impossibility result say that if the adversary can tamper with an unrestricted way in the sense that the tampering function is any polynomial bounded function, and he can tamper for an unbounded time of time so he can apply many tampering functions, then there is no way to achieve many cryptographic tasks. So how to avoid this impossibility result? Let's consider the restricted sense. So you restrict the kind of function that can be applied on the secret state. And there is this work of Zembowski et al. On normal level code, or for example, there's this work of Belar et al. On related K attack. So another way to avoid this impossibility result is to consider instead bounded amount of tampering. Here, the assumption is that you have this smart card, you are throwing a laser on this smart card, you do it once, you do it twice. At some point, this smart card will just break down. And you won't be able to do more than a bounded amount of tampering. So in this setting, there is this work of Damgard, Faust, Mukheri, Venturi in 2013. They gave a definition of bounded tamper and leakage resilience. They show an identification scheme and a signature scheme in the random oracle model. And that's what they propose, CCA secure public encryption. OK, so our contribution are two. The first contribution is a signature scheme in the standard model. Why we care about the standard model? Well, a part of it's always nice to have something in the standard model. But that's because the impossibility result of general et al. does not hold in the random oracle model, which means that somehow the random oracle model methodology in this setting is not very sound. The second contribution is that there is a CCA public encryption. So the public encryption of the paper of Damgard et al. was based on Naor Young, which means that it wasn't very efficient. You had to use very inefficient zero-knowledge proof, non-interactive zero-knowledge proof. So we just thought, can we do it with Kameshup? Kameshup is much more efficient. And the answer, of course, yes. So for matter of time, I'm going to present you only the CCA public encryption. So this is CCA public encryption generically. So you have this adversary. The adversary can interact with the oracle. This is a decryption oracle. So the adversary can go to the oracle and ask for cyber text, and we receive the message back. At some point, the adversary outputs two messages, M0 and M1. The challenger chooses a bit and encrypts one of the two messages. And the goal of the adversary is to understand which message was encrypted. So now we want to enhance this setting to a more general setting of tamper and ligature sealants. So what we do is that we give to the adversary much more powerful by giving him some extra oracle. So the first oracle that we give is a leakage oracle, which means that the adversary can leak some information about the secret key. And then we say to the adversary that the adversary can instantiate up to the decryption oracle, which we call tampered decryption oracle. Basically the adversary can go to the challenger with a tampering function. The challenger will apply the tampering function on the secret key, and he will instantiate a new decryption oracle with this tampered secret key. And the adversary can talk for an amount of time with this tampered decryption oracle. There is something that we need to notice. So the first thing is that both the leakage and the sensation of the challenge need to be done before you see the challenge, the sensation of the tampering oracle, sorry, need to be done before you see the challenge. This is because otherwise there is an impossibility result. If you can leak one bit, you can always break CCA security. And leakage and tampering, at least, I love you to leak this one bit, the chosen bit. Then another thing that is important to notice is that, as you can see, here the adversary get some public parameter from the sky. And this public parameter, we assume that they are tampered free. So you cannot tamper with this public parameter. The idea is that this public parameter are going to be completely independent from the secret key. So you first set the public parameter, and then you pick your secret key. And the idea of this public parameter generally should be the description of the group, the description of an hash function, something that we fixed there once. And the thing is that we need this thing, otherwise it's very hard to make construction in general. This is not an assumption that only us need. And it seemed very hard, otherwise, to do cryptography without. Okay, so when we started with this project, we wanted to do CCA security. We wanted to do this Kramerschup kind of paradigm. We knew that we needed to have some leakage resilience because tampering resilience itself is a form of leakage resilience. So we went to see the literature, which was the most efficient public encryption scheme out there, which was also leakage resilience. It used Kramerschup. It happened to be this work of QE-LIN, 2013 in Asia Crypt. So what are the building blocks? The first building block, of course, is an hash proof system. Since we use Kramerschup paradigm. And okay, so we already saw in the last talk what is an hash proof system. But let me recall you. So an hash proof system is made by my projective hash function, a keyed hash function, which is projective. In the sense that you can define a public key given the secret key. And thanks to this, this hash function can be evaluated in two way. The first way is like the secret way, which can evaluate the hash function in all the domain. Otherwise, you can evaluate the hash function in a public way using the projective key. And the thing is that you can evaluate the hash function in the public way only for a subset of the domain, which we call the set of the valid ciphertext for the hash proof system. And yes, since it's a proof system, it's complete in the sense that if you evaluate it with, if you take a valid ciphertext, you evaluate it either in the public way or in the secret way, you will get the same hash value and it's sound. So as you can see, there are many ways to define soundness. We hope for this definition that use the min entropy because it's the one that somehow it's much better with the legal resident setting. Here, the idea is that outside of the valid ciphertext, if you take an invalid ciphertext and you use the hash function, the key that you will get is something which looks really, really random. What I mean with that is that even given the projective key, the min entropy of the hashed key for a ciphertext, which is outside of the valid, it's an invalid ciphertext, will have enough min entropy. The amount of min entropy will be minus log epsilon. Of course, the smaller epsilon it is, the better it is for us. And then there is the last property of an hash proof system which is called that it has to have a set membership problem. Basically, it's hard to distinguish when an element belongs here or here. Then the second building block is an extractor. So an extractor is a function that take a source and take a seed and output a string. And the idea is that when the source has enough min entropy in the sense that, once again, since here we are in the setting of leakage resilience, the best way to define the min entropy of a source is to think of a source which might be like a uniformly random string, but then you can get some side channeling information about the string and you want that even given the side channeling information, you have at least enough min entropy. So you have delta min entropy. And if this hypothesis is satisfied, then the output of the extractor will look like a uniformly random string, even given all the side information, including the seed. Then the third building block is a one-time lossy filter. Lossy filter is a key function which has a domain attack, domain X, and a domain, a co-domain Y. And the idea is that you have two different ways to sample tag, so there is a red way to sample a tag. And now if you fix this tag, this function that goes from X to Y is an injective function. Then there is another way to sample tags, which is the blue way. And in this setting, instead, the function will be non-injective. So what do we want to have from this one-time lossy filter is that, first of all, it's lossy, in the sense that in the blue way, then given a point in the image, the pre-image of this point will be a set which is pretty big. It has at least two to the L different point for a parameter L for the lossy filter. The second property that you want is that there is indistinguishability between the tags. So it's indistinguishable to see if a tag is blue or if a tag is red. This is implied that in particular, this lossy filter is a trapdoor function. And actually, the structure of the tag is a kind of particular structure. So the first part, so that you can divide the tag in two pieces. The first tag is the auxiliary part, which is just a string. You can imagine a string of some size. And then there is the core part, which is the important part of the tag. Then there is the third property that this lossy filter have is called evasiveness. And this is probably the most interesting property that they have. The idea is that I give to you a lossy tag and now you need to produce another lossy tag. And an adversary that doesn't know the trapdoor shouldn't be able to do that. So it's hard to find a lossy tag even given another lossy tag. Okay, so now let's give the construction. So the construction basically works as follows. So you have this ciphertext C. So the first thing that you do is that this is a ciphertext C for the hash proof system. And the first thing that you do is that you hash the ciphertext using this hash proof system. And then you get this key. Now this key will have some min entropy. So what we do, we extract all the min entropy and we get a uniformly random pad. Now we use this uniformly random pad to pad the message in a one time fashion. And we get this phi, that's the, yeah, that's phi. Now we take all this part of the ciphertext and this will make the first part of the tag. In this way we kind of bind together the two part of the ciphertext. Then we can sample a tag, which will be an injective tag. And we can instantiate the lossy filter. Now we take the key and we pass the key through the lossy filter. The idea is that since this thing is injective, since this thing is traptor, this element phi will be a kind of pi, will be an authenticator. Some form of authentication offer key. Okay, so out of the grip, well the obvious way, instead of using the public evaluation, we use the secret evaluation of the hash, you get the key, you can extract the message. Now before opening the message, we output the message if only if, if you take the key and you hash it through the, you pass it through the lossy filter and you get the value pi. So as you can see, this is like, I'm authenticating this ciphertext using this pi. Why this thing is secure? Well, you can show very easily that this is CPS secure. So for CPS security, if you consider only this part of the ciphertext, basically what you get is the construction of Naur and Segev. The idea is that we are really using the fact that the soundness of the hash proof system is a statistical soundness. So during the reduction, the ciphertext c, which we chosen to be invalid. So since it's invalid, what happens here is that this key will have a lot of min entry even given the public key. Well, there is some leakage because we are considered leakage resilience. But if we set the parameter correctly, then even given leakage, these keys, we still have some non-trivial min entropy. Therefore, we can extract this min entropy and get a uniformly random path. Queen and you show that so that the scheme is CCA. Basically, the idea is that all the ciphertexts made by the adversary will be injective so the authentication will work as it's supposed to be. But for the challenge, we will set the lossy filter to work in the lossy mode. In this way, the amount of information of key that will be lost will be not so much. So we will lose fact L bits of information about the key. And therefore, if the extractor is good enough and this min entropy will be enough to extract a uniformly random path. And then again, we have security. So the only thing that we needed to manage is how to get tamper resilience. So to get tamper resilience, basically we use this idea which is recurrent in a lot of work on tamper resilience starting from the work of Vishay et al. That tampering can be reduced to some form of leakage. Maybe you cannot do it in a black box way but somehow a tampering is a form of leakage. So we want to simulate the decryption oracle, the tampered decryption oracles, meaning the decryption oracle is insulated with this tampered secret key. The idea is to come out with a new oracle which we need to define in our simulation which behave more or less like the decryption oracle. But in order to do that, we necessarily need to leak some information about the secret key. This is because otherwise we will go against the impossibility result. So the idea is that if we can minimize the amount of leakage that we need to simulate this oracle, then we can instantiate a lot of tampering oracle. So the key point here is that while the decryption oracle can give an abundant amount of information, abundant amount of bits about the secret key, we want to restrict the amount of information that it can possibly give. So if we can find such a kind of thing, then an decryption oracle cannot give more information than the size of the auxiliary information that we used to simulate it. So let's try to do that. So one nice thing to notice about the scheme of Queen Elu is that the only key material is the Ashbrough system. So the only thing that we need to protect against tampering is the Ashbrough system itself. Only the other thing are some publicly evaluable functions. So okay, this is a good observation. So we have this tampered secret key. So now we want somehow to simulate this decryption oracle, how can we do? So let's try to leak the projective key associated to this tampered secret key. So remember that the ciphertext is of this form, but the most important part of this ciphertext is the ciphertext of the Ashbrough system C. So there are two cases. So the ciphertext is a valid ciphertext. Then, at least in an information theoretical sense, the tuple C projective key of the tampered secret key fully define the key itself. So now if we can brute force the key itself, then we can execute the decryption oracle as it is. This is good. So this is the easy part. Then the hard part is when the ciphertext is an invalid ciphertext. Now the projective key doesn't tell you anything about the ciphertext. So what can we do? Well, here the idea is that we try to use the same analysis that was used by Kramerschup to prove CCH security. Basically, the idea is that we analyze this value. So this is the mean entropy of the Ashbrough key for an invalid ciphertext given the view of the adversary. Then there are two cases. If this mean entropy is a lot, so this value is big, then this thing will be, this key will be kind of pretty random. So it will be very hard to guess the authenticator. And so the most probable answer is both. So the simulation will just say both. Then there's the other case that can happen is that this mean entropy is small. And the idea here is that if the Ash value has low mean entropy, then since this is a function of the tamper-secret key, we can prove that also the tamper-secret key has low mean entropy. Which means that gives very low information about the, okay, thanks. Very small information about the secret key, the original secret key itself. So you know what? It doesn't tell you a lot about the secret key. So just let's leak it all of it. So basically now we can leak the tamper-secret key itself. And once we have this tamper-secret key, then we can simulate the tampering oracle kind of straightforwardly. So yeah, but what do big and small even mean? So this is basically the hard part of the technical, our technical part of this proof is try to understand what small and big mean. I don't have a lot of time here to tell you about, so I will just say you a couple of words about. So basically during the simulation, we set a threshold and this threshold will go down, up and down, depending on how the adversary behaves. So we follow the adversary during his attack and we will set what big and small will mean. Well, as I told you, I don't have enough time to tell you about. Actually I did, but I don't have this light. So after some step of mathematics, what you get is that as I told you, the important part of this encryption scheme is that you rely on the hash proof system that you use. We can show that we can find for some parameters of the hash proof system, which we would call alpha and beta, we can have a low, an number of possible tampering oracle which is equal to alpha plus beta, well S, which is the size of the secret key divided by alpha plus beta. So what is this alpha and beta? Alpha is the size of the projection key of the hash proof system and beta is the difference between the size of the secret key and the amount of mean entropy that the hash key has in the case of invalid ciphertext. So say that in another way, we need to pay alpha plus beta bits of leakage for each tampering oracle that we want to instantiate. Actually we had kind of our time to find a hash proof system that had this value. So as you can see, this value need to be very small. We had a hard time to find a hash proof system that had this property. So we found, eventually, a hash proof system based on the refined subgroup indistinguishability assumption. So there are a couple of open problem. First problem is that, so the tampering rate that we get, meaning the number of tampering that we can do divided by the size of the secret key is one over key where key is the security parameter. While we don't know if this thing is inherent of our strategy or if we can get it better. And another thing which would be very interesting to see if we can find better hash proof system, better assumption, faster, whatever. Okay, thanks. Thank you. So we have almost no time for a short question or a comment. All right, thank you. Speak here again.