 Hello everyone, my name is Shi Feng Sun from Monash University and the data system. Today I will give a talk on public key punctual encryption, modular and compact constructions. This is a joint work with army sector at Ron Stamfield, Joseph Liu from Monash University and Dao Gu from Shanghai Jiao Tong University. So what is public key punctual encryption, PPE for short. Informally it is a new form of public key encryption that supports the verification of the decryption capability for specific messages. It consists of four polynomial time algorithms, key generation algorithm, punctual algorithm, encryption algorithm and decryption algorithm. A user can use a key generation algorithm to generate her public key and a secret key. When some others would like to send some sensitive messages to this user, they encrypt these messages and this user's public key are the text associated with the messages, are then sent out to the self test. After receiving the self test, the user can use her own secret key to decrypt all the self tests. Additionally, she is able to selectively revoke the ability to decrypt some self tests with specific texts. This is realized by running the punctual algorithm repeatedly and sequentially. The punctual algorithm takes as input the current punctual secret key and a new text to be revoked and outputs a new punctual secret key. With a punctual secret key for a set of texts, say for text T1 and T3, we can still decrypt the self test encrypted and other texts rather than T1 and T3, but can no longer recover the messages encrypted and text T1 or T3. The security of PPE ensures that even giving a punctual secret key on a set of texts P, any efficient adversary cannot learn anything about the message encrypted at anti-tech in P. In practice, each message may be associated with a set of texts. In PPE, the message can be encrypted at the set of texts. In this work, we focused on the conversion of PPE, that is the punctual key encapsulation mechanism. It came for short. In P-CAM, the encapsulation algorithm takes as input a public key and a set of texts and outputs a self-test and un-encapsulated key. The security of P-CAM ensures that any efficient adversary are given a punctual secret key or a set of texts P and not distinguish un-encapsulated key from a random key, where the encapsulated key is generated and some tag in P. The state of the art is the bloom-fit encryption proposed by Dylan and others in 2018. Actually, it is a relaxed variant of PPE, where the relaxed message, the correctness error is allowed to be non-negligible. Beyond the concrete construction, they also presented two generic constructions, from self-test policy attribute encryption and identity-based broadcast encryption. Their constructions enjoys both efficient puncture and decreasing procedures, but support only when punctured per message. In addition, the number of punctures needs to be predetermined and responded. In contrast to the public key punctual encryption scheme proposed by Green and Myers in 2015, it was the above drawbacks, but it is constructed in the random model. Moreover, the maximum number of texts per message is predetermined as a system setup. Under the communication and computation overheads like the public key size, the self-test size, encryption time and puncture time are linear with the number D. Also, some other works were proposed, like the scheme proposed by Koho and others in 2015. Those schemes support only two punctures, and it is constructed from the indistinguishability of fast gaiting. So their construction is more a theoretical result than a practical solution. So, another question is that how to design efficient PPE or big cam schemes with as many large properties as possible, like meeting both unbounded punctures and compacted self-test. Another question is, is it possible to generically constructed PPE from other cryptography primitives, like the work on bloom fit encryption, but with negligible correctness errors? To answer these questions, we first proposed a refined form of identity-based revocable encryption, namely key homophic identity-based cam with extended correctness. Further, we present for the first time a generic construction of puncture cam from the refined primitive in the standard model. Our generic construction enjoys the following features. It supports unbounded level punctures, multi-text per message, and does not suffer from non-negligible correctness error. By instantiating the refined primitive from different number theoretical assumptions, we obtain several peak cam schemes with enough features beyond the above, such as compacted self-test and unbounded text per message. Next, let me show our main approach. Before that, let's first recall the notion of identity-based revocable cam. Actually, it is the cam version of identity-based revocable encryption. It consists of four polynomial algorithms, the master key generation algorithm, the key extraction algorithm, the encapsulation algorithm, and decapitation algorithm. In an identity-based revocation system, a trusted party with a master secret key and a master public key generates a profit key for each user in the system. When a user broadcasts a message, I would not like some specific users to access this message. So it generates an encapsulated key and a revocation list are containing those specific users. Our then broadcast the self-test. After receiving the self-test, the user not containing the revocation list can decapitate the self-test and get the metric key. The security of peak cam ensures that even the revocable users could not distinguish the un-incapitated key from a random key. Now let's into our approach. Our approach starts from the observation that peak cam supporting only one puncture can be derived directly from any R-cam. Particularly, the key generation algorithm and the encapsulation algorithm of peak cam are identical to that of R-cam. For the puncture algorithm, it is realized by the key extraction algorithm of R-cam. Particularly, to puncture the secret key at tag t, we simply run the key extraction algorithm of R-cam to get the corresponding private key, SKT. And that is as the puncture secret key. For the decapitation algorithm to decapitate a self-test with the punctured secret key as key 1. If the set of tags associated with the self-test does not contain the tag at which the secret key is punctured, which means this tag is not revoked, then the un-capitated key can be correctly recovered due to the correctness of R-cam. Now the question is, can we make it support multi-punctures? Yes. The idea is to achieve it by distributing the decapitation algorithm across all punctures. A triple solution is like this, to support impunctures. We sample any R-cam masked key pairs. Each masked secret key is used for one puncture to generate un-capitated key. We run in-times R-cam encapsulation algorithm and different masked public keys under the same tag list t. Then we will get in pair for self-test and un-capitated key from C1 key 1 to C1 key n. All the self-tests constitute the self-test of the P-cam. And the un-capitated key is set as the multiplication of key 1 to key n. Here we assume that the un-capitated key space forms a group. And this notation denotes the group operation. For puncture, we use each masked secret key to clear out a puncture. More specifically, to puncture the original secret key at tag t1, we use MSK1 to generate a corresponding private key SKT1. By ranging the key extraction algorithm of R-cam. The private key SKT1 gets with the remaining masked secret keys, constitutes the current punctured secret key. By repeating this process, we can clear out multi-punctures for the decryption process. To decrypt our self-tests with punctured secret key, we ask here is for the set of tags from t1 to ti. If the set of tags attached to the self-tested CT does not contain any tag at which the secret key has been punctured, which means each TJ is not revoked. Then we can use the private key SKTJ to decrypt the self-tested CT and recover the key share KJ. With the remaining masked secret keys, we can also recover the corresponding key shares. Then by combining all these key shares, we can recover the un-capitated key. Although these solutions support multi-punctures, its communication and computation overheads are linear with the number of punctures. So the question is how to overcome these drawbacks and get a better solution. The idea is to use only one R-cam instance to generate the un-capitated key. And then split it into multi-shears. By this way, the public key sets and the self-tested sets are independent of the number of punctures. To do so, we assume that the un-capitated key is in this form. That is, it is a function of SK and S, whereas it's the random currency used in the R-cam encapsulation algorithm. Further, we assume that F is homophobic with respect to SK. In this case, the un-capitated key can be split into as many shares as the number of punctures. Here, the MS keys are determined during the puncturing procedure. And they are used for punctures. Each one is used for one puncture. In this case, we assume that MSK is randomly chosen and the MPK can be derived from MSK. As they are density-based encryption, considered by Belial and others in 2012. For the puncture algorithm, whenever carrying out one puncture, a fresh master secret key is chosen and used for this puncture, particularly to carry out the first puncture at a tech T1, which randomly chooses a master secret key MSK1, and uses it to generate a private key SKT1. The SKT1 and the remaining master secret key constitute the current punctured secret key. Similarly, we can choose another master secret key to puncture the current punctured secret key SKT1 at a second tech T2 and get a new punctured secret key consisting of SKT1 and SKT2 at the remaining master secret key. By repeating this process, the secret key can be punctured at as many techs as we want. Before looking at the decapitation process, we first recall that process in the previous solution. In that solution, each private key SKTJ and the self-tested CJ are computed from a related master secret key and a public key pair. So if the set of a text attached to the self-test does not contain the tech TJ, at which the secret key has been punctured, then we can use the private key SKTJ to recover, to decapitate the self-test CJ and recover the corresponding share as MSKJ-SJ. However, here we only have one self-test. And the self-test and the private keys are generated from different master key pairs. So the question is, is there any method enabling us to compute the key shares from the private keys and the self-test? If so, we can buy a companion of these shares together to recover the encapsulated key. Fortunately, we found that in many existing outcome schemes, the outcome decapitation algorithm satisfies this requirement as well. Then we call the outcome scheme with this property extended correct. In other words, the property extended correctness ensures that a valid encapsulated key can be computed by decapitating other self-tests generated under the same random coins. With the identity-based revocable cam meeting these two properties, we can get a generic construction of the cam following the above approach. Our generic construction following that way features the above properties. It ensures an abundant level of punctures, multi-text per message, and negligible correctness error. Regarding security, it can be reduced to the security of the underlying outcome without additional assumptions. We also present several instantiations, which are summarized in the table below. The first construction enjoys a compact self-test. The second instruction enjoys a compacted security key. The fourth construction also enjoys a compacted self-test, but can be proved secure under standard assumptions. The third construction has both compacted public key and compacted security key. In addition, it supports an abundant level of text per message. The third construction is actually the conversion of the identity-based revocable encryption proposed by Leaco and others in 2010 with a slight modification. The others are derived from non-linear product encryption schemes by applying the embedding lemma. The detailed comparisons are shown in the following tables. We can see that our first construction enjoys a very compacted self-test, which consists of only two group elements. The third construction enjoys a compacted public key size, and it supports an abundant level of text per message. However, these two constructions can only be proved secure under non-standard assumptions. In contrast, the second and the fourth construction can be proved secure under standard assumptions. Also, we can see that the description overheads of our constructions are linear with the number of punctures. Fortunately, the decomposition algorithm of our constructions are hardly parallelized, so they can be optimized by parallelization. Here, I'm not going to explain too much here. Finally, I'll end this talk with a brief summary. In this work, we propose a refined notion of identity-based revocable encryption. Then we present a generic construction of PICCAM from the refined IRCAM. Finally, we give several concrete constructions, enjoying different distinct properties. There are still some open questions. For example, one question is how to design efficient PICCAM meeting both compact keys and self-test under standard assumptions. Another question is how to design post-quantum like lattice-based PICCAM supporting abundant number of punctures. Thanks for your attention.