Hello, everyone. My name is Taiga Hiroka. In this talk, I talk about Quantum Encryption with Certified Deletion, Revisited: Public Key, Attribute-Based, and Classical Communication. This work is joint work with Tomoyuki Morimae, Ryo Nishimaki, and Takashi Yamakawa.

First, let me explain the previous work. Secret key encryption with certified deletion was introduced by Broadbent and Islam in TCC 2020. In this primitive, there is certified deletion security in addition to the functionality of secret key encryption. This quantum primitive works as follows. First, the sender generates a classical secret key. Then, she generates a quantum ciphertext and sends it to the receiver. If he receives a secret key, he can decrypt the ciphertext by running a decryption algorithm on them. On the other hand, after she sends a quantum ciphertext, she can check whether he deletes the quantum ciphertext correctly. If she wants to delete the quantum ciphertext, she requests him to delete the ciphertext. After that, she receives a classical certificate, which guarantees that he deleted the ciphertext. Then, she checks whether this certificate is correct or not using the secret key. When correct, even if he receives a secret key, he cannot obtain the information of message M correctly. Intuitively, this is what certified deletion security guarantees.

More formally, certified deletion security is defined by the security game between the challenger and the adversary. First, the challenger generates a secret key. The adversary generates two messages and sends them to the challenger. The challenger decides the bit b and generates the ciphertext for the message m_b and sends it to the adversary. The adversary generates a classical certificate and sends it to the challenger. The challenger runs the verification algorithm on them and outputs top or bot. The adversary receives the secret key and outputs b'. We say that the encryption scheme is certified deletion secure if it satisfies this inequality, where this top means that the challenger outputs top. This is what certified deletion security guarantees. We remark that this functionality is classically impossible. In other words, if the ciphertext is classical, it cannot achieve certified deletion security. This is because the adversary can copy the classical ciphertext.

They construct this primitive using BB84 states. For the ease of explanation, I explain the construction where the sender sends only 4 qubits. First, she generates a random classical bit string as a secret key. After that, she randomly generates computational basis quantum states as follows. Then, she applies the Hadamard gate on them according to this classical bit string. After that, she encrypts the message M using the information of the bit values of the computational basis states, where h is a hash function and this zero corresponds to this zero and this one corresponds to this one. These are the quantum ciphertexts of their construction. Then, she sends them to the receiver. We remark that if the receiver has a secret key, he can obtain the message M correctly. This is because the secret key is the information of the bases of these quantum states. Therefore, he can obtain zero and one by measuring these quantum states in the computational basis. Then, he can decrypt M by computing h of zero and one.

On the other hand, if she changes her mind and wants to delete the ciphertexts, she requests him to measure all these quantum states in the Hadamard basis. The honest receiver measures all these quantum states in the Hadamard basis and obtains the classical bit string, where r are random classical bits. Then, the receiver sends them to the sender. Then, she checks whether this certificate is correct or not using the secret key. When this certificate is correct, even if he receives the secret key, he cannot obtain the message M correctly.
This is because he has to measure all these quantum states in the Hadamard basis in order to make her accept with high probability, since even the unbounded malicious receiver cannot distinguish the bases of these quantum states. If he measures the computational basis states in the Hadamard basis, these quantum states collapse to random classical bits and he can no longer obtain the bit values of the computational basis states.

Their construction has disadvantages as follows. First, their construction is limited to the setting of one-time secret key encryption, which means that one needs the same secret key to run the encryption algorithm and to run the decryption algorithm, and the key cannot be reused. It is problematic in some cases. Second, in their construction, the sender needs quantum operations. Third, in their construction, deletion is privately verifiable, which means that the sender needs the verification key kept secret. In their construction, if the verification key is revealed, the malicious receiver can obtain both the correct certificate and the message.

In our work, we have improved these disadvantages as follows. More formally, the results of our work are the following. First, we have constructed public key encryption with certified deletion from IND-CPA secure public key encryption and one-time secret key encryption with certified deletion. Second, we have constructed attribute-based encryption with certified deletion, assuming the existence of post-quantum indistinguishability obfuscation and one-way functions, and one-time secret key encryption with certified deletion. Third, we have constructed public key encryption with certified deletion that uses only classical communication. This is constructed from IND-CPA secure public key encryption and the assumption that the learning with errors problem cannot be solved efficiently by a quantum computer. This construction is secure in the quantum random oracle model.
Fourth, we have constructed public key encryption with publicly verifiable certified deletion that uses only classical communication. This is constructed from one-shot signatures and extractable witness encryption. But because of the time constraints, in this talk, I talk about this and this.

First, I talk about public key encryption with certified deletion. We have constructed public key encryption with certified deletion using public key encryption and secret key encryption with certified deletion as building blocks in a black-box way. But for the ease of explanation, I will explain a specific construction. The idea of our construction is very standard: to encrypt the secret key using secret key encryption. First, a sender receives a public key and generates a secret key, which is the same as this secret key. Then, using this secret key, she generates a quantum ciphertext. At the same time, she also encrypts this secret key using public key encryption. These are the ciphertexts of our construction. Then, she sends them to the receiver. Note that at this point, if the receiver has or obtains a secret key, he can decrypt the message M correctly. This can be done by decrypting this ciphertext using the secret key of public key encryption. And using this secret key and this ciphertext, he can obtain the message M correctly.

On the other hand, if she changes her mind and wants to delete the ciphertext, she requests him to delete the quantum ciphertext. And she receives a classical certificate, which guarantees that the receiver deleted the ciphertext. Then, the sender checks whether this certificate is correct or not using this secret key. When the certificate is correct, even if he receives a secret key of public key encryption, he cannot obtain the message M correctly. I explain the intuitive proof. Because the secret key of secret key encryption with certified deletion is encrypted by public key encryption, this ciphertext is useless for the receiver.
Therefore, in order to make her accept with high probability, the receiver has to measure all these quantum states in the Hadamard basis. On the other hand, once he measures the computational basis state in the Hadamard basis, he cannot obtain the bit values of the computational basis state, even if he receives a secret key of public key encryption after he measures this quantum state. Therefore, our construction is also secure. This is the intuitive understanding of our security. But for the formal proof, we have to construct a protocol using receiver non-committing encryption instead of public key encryption. Technically, this is the most important point for our work on public key encryption with certified deletion. But for the ease of explanation, I skip the formal proof. If you are interested in the formal proof, please read our paper. Now, I finish the first part.

Then, as for the second part, there is certified deletion with classical communication. In the certified deletion explained so far, the sender needs quantum operations. In this work, we have improved the disadvantage and have constructed certified deletion that uses only classical communication. In this work, we have used noisy trapdoor claw-free functions F and injective trapdoor functions G and public key encryption to construct a protocol. These functions are constructed from the LWE assumption and have some cryptographic properties. Using these properties, a classical sender can generate a quantum state in a receiver's register. In a nutshell, the idea of our construction is to use F-type functions and G-type functions instead of directly sending BB84 states over a quantum channel.

First, I explain how to use noisy trapdoor claw-free functions F to generate a quantum state. A classical sender first generates a trapdoor and a noisy trapdoor claw-free function F and sends it to the receiver. Then, the receiver generates a superposition state and coherently evaluates F of x.
Since the noisy trapdoor claw-free function F is two-to-one, if he measures the third register in the computational basis, he obtains this quantum state, where F of (0, x0) and F of (1, x1) are the measurement outcome y. If he measures this quantum state in the computational basis, this quantum state collapses to the classical bit string (0, x0) or (1, x1). On the other hand, if he measures this quantum state in the Hadamard basis, this quantum state collapses to random classical bit strings e and d, where e and d satisfy the following equation. Intuitively, once the receiver measures this quantum state in the computational basis, the quantum state collapses to (0, x0) or (1, x1). Therefore, he can no longer obtain e and d that satisfy this equation. This intuition is formulated as the adaptive hardcore bit property, which guarantees that the quantum polynomial-time receiver cannot obtain both this and this at the same time with probability more than one half. And the adaptive hardcore bit property can be amplified as proven in these papers.

Next, I explain how to use the injective trapdoor function G. The injective trapdoor function G is constructed from the LWE assumption and has some cryptographic properties. Like noisy trapdoor claw-free functions F, a classical sender can generate a quantum state in the receiver's register. First, the classical sender generates a trapdoor and function G and sends it to the receiver. Note that from the property of injective invariance of the function G, the quantum polynomial-time receiver cannot distinguish the function G from function F. This property is very important for the construction of certified deletion. And then, he generates a superposition state and coherently evaluates G of x. Since the function G is injective, if he measures the third register in the computational basis, the sender obtains this quantum state where G of b and x is equal to the measurement outcome y.
If he measures the quantum state in the computational basis, this quantum state collapses to the classical bit string b and x. On the other hand, if he measures this quantum state in the Hadamard basis, then this quantum state collapses to the random classical bit string r.

Now, I will explain our construction. Again, in a nutshell, the idea of our construction is to generate quantum states using F-type functions and G-type functions instead of directly sending BB84 states over a quantum channel. Our construction is as follows. First, a classical sender receives a public key, and then generates a classical bit string where 0 denotes the G-type function and 1 denotes the F-type function. Next, she generates G-type functions and F-type functions according to this classical bit string. At the same time, the sender generates a trapdoor. Then, she sends the functions to the receiver. The receiver receives the functions and generates these quantum states in his register. Remember that in order to generate these quantum states, the receiver measures the third register in the computational basis. The receiver sends the measurement outcome to the sender. At this point, she can know the post-measurement quantum state using the trapdoor. On the other hand, the receiver does not know the post-measurement quantum states. Therefore, this process is as if she blindly generates a quantum state in the receiver's register without a quantum channel. She can encrypt the message M using the information of b1 and x1 as follows, where H is the hash function, modelled as a quantum random oracle. At the same time, she encrypts the location of the functions using the public key. Then, she sends them to the receiver. These are the ciphertexts of our construction.

Now, I check that our construction satisfies correctness. If the receiver has a secret key, he can obtain the location of the functions by using this secret key and this ciphertext.
By measuring this quantum state in the computational basis, he can obtain b1 and x1 correctly. Therefore, he can obtain M by computing H of b1 and x1.

Then, I explain how the deletion algorithm works. After she sends the ciphertext, if she changes her mind and wants to delete the ciphertext, she requests the receiver to measure all these quantum states in the Hadamard basis and send the measurement outcomes to the sender, where r is a random classical bit and each e and d satisfies the following equation. And then, she checks whether each e and d satisfies this equation using the trapdoor. When yes, even if he receives a secret key of public key encryption, he cannot obtain the information of message M correctly.

Now, I will explain the intuitive proof of our security. In our work, to prove the security, we have introduced a new property of the noisy trapdoor claw-free functions, which we call the cut-and-choose adaptive hardcore property. Intuitively, the cut-and-choose adaptive hardcore property guarantees that the quantum polynomial-time receiver cannot obtain this that satisfies this equation and this at the same time. If you admit the cut-and-choose adaptive hardcore property, we can prove the security of our construction in the quantum random oracle model. Because this ciphertext is encrypted using public key encryption, this is useless for the adversary. On the other hand, from the cut-and-choose adaptive hardcore property, when e and d satisfy this equation, he cannot obtain b1 and x1. Because H is a random oracle, if he cannot obtain b1 and x1, he cannot obtain the information of plaintext M. Therefore, our construction is secure if you admit the cut-and-choose adaptive hardcore property.

Finally, I will explain the intuitive reason why our cut-and-choose adaptive hardcore property holds. In order to obtain e and d that satisfy this equation, he has to measure these two quantum states in the Hadamard basis.
On the other hand, he cannot distinguish these quantum states from this quantum state. Therefore, in order to obtain this e and d, he needs to measure all these quantum states in the Hadamard basis. On the other hand, if he measures this quantum state in the Hadamard basis, this quantum state collapses to the random classical bit string. Therefore, he can no longer obtain b1 and x1. This is an intuitive proof of our cut-and-choose adaptive hardcore property.

In this talk, I explained an intuitive understanding of our results by showing the concrete construction without details. If you are interested in more formal results, please read our paper. Then, I finish my talk. Thank you for your attention.
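
Added example, not part of the talk or the authors' code: a classical Python model of the simplified BB84-based secret key scheme described near the start of the talk, showing decryption, honest deletion, and why a receiver who keeps the message fails verification. Assumptions of this sketch: each qubit is modelled as a (basis, bit) pair, SHAKE-256 stands in for the hash h, the sender keeps the Hadamard-position bits (`vk`) to verify certificates, and all function names are hypothetical.

```python
import hashlib
import secrets

def h(bits, n):
    """Hash the computational-basis bit values to an n-byte pad (SHAKE-256 assumed)."""
    return hashlib.shake_256(bytes(bits)).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Qubit:
    """Classical model of one BB84 state; basis 0 = computational, 1 = Hadamard."""
    def __init__(self, basis, bit):
        self.basis, self.bit = basis, bit

    def measure(self, basis):
        if basis != self.basis:  # wrong basis: outcome is uniform, old bit is lost
            self.basis, self.bit = basis, secrets.randbelow(2)
        return self.bit

def keygen(n):
    """Secret key: a random basis string theta."""
    return [secrets.randbelow(2) for _ in range(n)]

def encrypt(theta, msg):
    x = [secrets.randbelow(2) for _ in theta]
    qubits = [Qubit(t, b) for t, b in zip(theta, x)]
    comp = [b for t, b in zip(theta, x) if t == 0]  # bits that mask the message
    vk = [b for t, b in zip(theta, x) if t == 1]    # assumed: kept by the sender
    return (qubits, xor(msg, h(comp, len(msg)))), vk

def decrypt(theta, ct):
    qubits, c = ct
    comp = [q.measure(0) for t, q in zip(theta, qubits) if t == 0]
    return xor(c, h(comp, len(c)))

def delete(ct):
    """Honest deletion: measure every qubit in the Hadamard basis."""
    return [q.measure(1) for q in ct[0]]

def verify(theta, vk, cert):
    """Accept if the certificate matches the sender's bits at Hadamard positions."""
    return [c for t, c in zip(theta, cert) if t == 1] == vk
```

With 256 qubits, both a decryption after an accepted deletion and a certificate from a receiver who measured everything in the computational basis succeed only with negligible probability.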