 Hello everyone, welcome to the short video abstract on the paper Privacy Preserving Authenticated Key Change in the Standard Model, I am You Lv from Shanghai Jiao Tong University. This is a joint work with Sheng Liliu, Shuai Han, and Da Wu Gu. We recall the authenticated key change first. AKE allows two parties to authenticate each other and securely share a session key. It has been widely used in data sharing electronic notebooks. In some cases, the interacting parties may want their identities kept secret from others. However, their transcripts sent in the channel may contain information about their identities. Thus, the concept of Privacy Preserving AKE is proposed. It requires anonymity, which means the adversary cannot identify the users who are communicating. Most AKE protocols are not Privacy Preserving. For example, the well-known signed DH protocol is not PPAKE. In signed DH, each party uses a different human key exchange to agree on a key and use its signatures to authenticate each other. The signature links the identity of both initiator and responder. To solve this problem, SSL20 proposed a way to protect the identity of users with PPAKE. It considers the server-to-server scenario. Both the initiator and responder are agent servers, and behind each agent server, there are many users. The adversary controls the server-to-server channel but does not control the user-to-server channel. Anonymity in this scenario requires the adversary cannot distinguish which user sits behind the agent server. However, their approach cannot apply to the user-to-user scenario. Hence, a question is how to design a PPAKE protocol for the user-to-user scenario. In the user-to-user scenario, there are no agent servers. We also consider the broadcast channel, just like the scenario of Bluetooth, VLAN, and Apple's AirJob. The adversary can see the message and you in the broadcast channel. The key idea of our construction is to make PPAKE robust. We see a PPAKE protocol is robust if each user can make sure that the first-round message is for him or her. With robustness, the communication and computation complexity can be reduced. We propose a generic construction from a signature scan, a cam, a mac, and symmetric encryption. In particular, we require the cam for two more properties. One is anonymity. The other is robustness. Anonymity for cam means given a ciphertext C and two public keys, the adversary cannot determine the ciphertext is generated by which public key. Robustness for cam means if a ciphertext is generated by one public key, then using another secret key to decrypt it will output failure. Here is our construction. Suppose UI is the initiator and its target recipient is user UJ2. It will first encrypt a key K1 using the public key of UJ2, then it will broadcast J to the power of A and the ciphertext C. After receiving the first message, each user tries to decrypt the ciphertext C using its own secret key. Only user UJ2 will get key one. Other users will get a failure due to the robustness of cam. Next, user UJ2 computes a different human key and uses key one to authenticate the message it receives and the message it sends. The other users will keep silent during the process since they are not the target recipients. So in the third round, user UI computes the same different human key and uses K2 to encrypt its signature. Finally, they share the same session key K3. Now we discuss the anonymity of all construction. The initiator's identity is only contained in the third round message. This message is encrypted by the Diffie-Hellman key, so it is protected well. The responder's identity is only contained in the first round message. Due to the anonymity of cam, the adversary cannot know the ciphertext C is encrypted by which public key. At last, we compile our work with other related works. As shown in the table, the communication and commutation complexity are independent of number of users due to the robustness. To conclude, we propose a PPAKE scheme, especially for the broadcast channel. For more details on our work, please come and watch our presentation in the conference. Thank you.