Yeah, quick recap of what we did last week.

I remember that there were a couple of faces looking at what we were doing and I think

it is very important to get the intuition for what the construction of forward secure

key encapsulation mechanisms based on hierarchical identity based encryption looks like.

And so this was basically the full content of last week.

So we started with defining what does a key encapsulation mechanism look like that achieves

forward security and the technique to achieve forward security is basically by updating

the secret key.

And so the secret key whenever it is used to decapsulate a ciphertext is removing all

of its information that was necessary to decapsulate that ciphertext such that whenever the secret

key is ever corrupted, the secret key does not reveal any information on previously decapsulated

keys.

We had a couple of reasons and we talked about that in the exercise today or in the tutorial

today why, and we talked about this last lecture too, why corruptions are relevant and why

we should take care of corruptions.

And then our main construction idea was to use something that is called hierarchical

identity based encryption.

And so just as a reminder and as an option for you to ask questions, the construction

that we saw last week looked as follows.

We have a GEN algorithm for the key encapsulation mechanism that just internally executes the

for the H-I-B-E scheme and outputs the secret key and the public key of the H-I-B-E scheme.

A reminder on H-I-B-E, an H-I-B-E has a public key and a secret key tree.

So the secret key has a bunch of layers or hierarchies and for each node in that hierarchy

it can delegate secret keys to lower levels by specifying the identities for these lower

levels.

And the public key of the H-I-B-E scheme can be used to encapsulate to any of the nodes

in that tree by just specifying the identity string, which is probably a concatenation

of multiple sub-identity strings in that tree.

And this is what we use here.

So Alice, when she wants to encapsulate with the forward secure cam, she first samples

a random nonce of length L and L is the depth, the entire depth of that tree.

And so basically the nonce of Alice consists of L bits.

Each of these bits or each of these components is just a bit.

And as a result, the tree that we are looking at for this particular construction here is

a binary tree.

So each secret key can just delegate twice to the lower levels.

We had as an example last week for motivating why H-I-B-E is by itself also interesting

the domain name system where we were talking about an email address that consists of the

name before the ad and then after the ad we have a long domain that consists of multiple

sub-domains.

I think the example was that Bob had an email address, bob at chairofappliedcryptography.technicalfaculty.fau.de.

And so DE is the first level of hierarchy.

The second level of hierarchy is the FAU.

There might be multiple other domains from which you can delegate from DE to like my

previous university, Ruhr Universität Bochum, or my own website.

And then you can delegate from each of these websites to lower levels like the technical

faculty.

The technical faculty can delegate to the chair of applied cryptography and the chair

of applied cryptography can delegate down to Bob.

In that domain name system you have long strings of real characters so each of these delegation