 I'm Lone from Chinese Academy of Science. This is a joint work by Hao Dongjiang, Zheng Feng Zhang, Hong Wang, and Zhi Ma. And our presentation consists of four parts. The first is the background, and the second is where we introduce our main contribution. The third, I will give a brief view of our main techniques. And finally, I will give a conclusion. First, I will introduce the basic background. As we all know, the public key in cryptography consists of three primary primitives. The first is public encryption, second is digital signature, and the third is key encapsulation mechanism. And the most current deployment is Diffie-Harman-Kick's change, RSA cryptosystem and ellipse curve cryptosystem. However, in 1994, Peter Scherl provided a brilliant algorithm to attack all the Diffie-Harman system and the facting in polynomial time on the quantum computers. So with rapid developing on quantum computer. In quantum computer, it is very necessary to provide a new public key cryptosystem to prevent a practical attack. So next year, NIST has launched a post-accomputing crypto competition, and this is the timeline. And in 2017, NIST has completed the first run submissions. Just as Moody says, the ship has failed. Around the first run one submissions, there are 69 submissions including public key, PKE, digital signature, and CAM. Around most of them are CCA security CAM. They have 75 submissions. And among the 75 submissions, there are 25, the same majority, to use the generic transformation from the Ronarco model to get the CCA security CAM. And this periphery work is provided by DENT in 2003, and Huffing, Harman, and Kiehl's in 2017. According to the state of art, there are two categories of transformations. The first transformation is for the Saka or Komoto transformations. We list a lot of them, and another category is modular F-O transformations. And I will introduce the symbols here. When we talk about F-O, when we use the symbol console part, we mean that in the decryption algorithm, the rejection is implicit. And if we use this symbol as part, we mean the rejection is explicit. And if we add m here, we mean in the KDIF functions, we just use hm, and if we do not have m here, that means the KDIF function uses h under m and the self-text c. And if we use q here, that means this transformation adds additional hash oracles and additional hash functions after the self-text. Also, the modular transformation is similar to previous F-O transformations, but they have some additional properties. They are start not from CPS security, but also need some properties like Pentax check and self-text validation. Although we all know in the quantum settings, the adversary can access the quantum run oracle. That means they can compute the hash functions to give us input at the super provisions. So in the real world, we should consider the quantum run oracle model. The quantum run oracle model is originally provided by Bonnet and out in Ashok Crabbe 2011. And there are a lot of following words that we list a lot of them. And whenever we have noticed that in the quantum run oracle model, there are much different proof techniques to the run oracle model, the main observation is in the classical run oracle models, we already use adaptive programming or extract abilities, but these techniques cannot be used in quantum run oracle model because the input of the quantum run oracle is at super positions. And the following, we have already proved that the previous work has already proved that QFO and QU, these four transformations can satisfy the security under quantum run oracle model, but the more important problem is they should add additional hash functions after the self-text. And another problem is they approve the non-tight securities. So based on these observations, we give this work. And in this work, we provide the F-O transformation and the modular F-O transformation in quantum run oracle model and our goal is to removing the additional hash and making the security reduction more tighter. And this is the table of our main results. We can see in our F-O transformations, we are starting security is one-way CPA and we are security bound is just a square of epsilon. The epsilon is the advantage of the CPA adversary. And also we consider of the crackness, that means the crackness, if you encrypt a message and when you decrypt, the decryption can be failure with some probabilities. And we denote the probability to be data here and our transformation do not need additional hash. So comparing with the previous work, our work do not use additional hash and our security bound is more tighter. And also we provide modular F-O transformations. We can see we provide a sequence of transformations on the different assumptions. In our paper, we defined the one-way queue, a quantum CPA security, quantum PVC security and so on. And also all these transformations do not need additional hash comparing with the previous result. And we have reviewed all the modular transformations or F-O transformations in the NISA submissions. And we can see that this is the transformation previously they used and this is the crackness if their schemes have crackness error and this is about whether their public encryption is the term is kick and this line is about do they consider the Rondon-Orchor model? After, because conclusion is we have 16 CAM transformations including Frodo CAM can be simplified by cutting the additional hash Rondon-Orchors and improving and give improvement in the performance in respect to speak and size. So also we have proved that the solid quantum security are guarantees for these two submissions as luck and the seeker without any additional self-attacks overhead. Also, we have modular transformations can be used for these three submissions that Audit, Massent, Classic McAries and the LIDAR came but also our modular transformations can help the researchers to give transformation from different assumptions and from different schemes. Then we'll give a preview review of our main techniques. This is the basic F-O transformations. We can see we originally have in the CPA transformations which we used here, but one different here is use, we use hash functions G that to encrypt M to get the Rondon-Es from M and after that we use another Rondon-Orchor H here that to get the final session key. And in the decryption oracle the algorithm will check whether C is correct and if only return return the crackiness session key when the encryption crackiness is checked and finally we'll get the session key. And this is our main result. We have proved that under the one with the PA securities we have the C, and the CCS securities the most important here is we have a square of security loss here. And give a brief interview of the proof. Many we will use CPI adversary to, we use a CCI adversary, oh, sorry. We use a CCI adversary to attack a CPI scheme that means we, the CPI adversary we need to pry the two Rondon-Orchor here and decryption oracle here to answer his queries and he use this result to attack the CPA game. That's with, so the main challenge in our proof is in the classic Rondon-Orchor models we, the Rondon-Orchor queries I simulate used in the decryption oracle but in the, but in fact we, if the adversary to answer decryption oracle we use a list, a Rondon-Orchor list to answer the decryption oracle that means we can check whether the, whether the encryption is correct. So, however, in the Rondon-Orchor models when I have every input to the Rondon-Orchor is a simple position that, that means we cannot use the Rondon-Orchor list to answer the queries and answer the decryption oracles. This is mouse obstacles. So previous work, Taki and the, Taki and Eurora circumvented this problem by additional, additional less proven hash to the, to the self-text and that means we can use the less proven hash to, we can use, we can use functions to simulate the length, the less proven hash function and the, this function is, is injective. So we, we can use, we can use technique to answer the decapitulation oracle. And, and to remove the addition, but however in the Rondon-Orchor model, we, we should, well, among positions we, in fact, we can remove the additional hash. In our proofs, we, we, we can, we use a technique with provide by damp, dampening, ash, ash equipped to work is, is, we can view the hash consist of two parts. It is, it is with, it is a function g and h prime. The h prime can be used with a decapitulation functions and the g is injective functions. In fact, in the proof, it can be viewed as the encryption oracle. So we, so in this way we can, we, we can scan, we can answer the decryption oracle and there's no need to answer the, get to the address, there's no need to add the Rondon-Orchor hash mod hash. And another problem is we have lower security boundaries. So, but in the previous work, they, they need to one-way CPS, PKE, to one-way PCS, PKE, the PCS, PKE means they have to check oracle to check whether the, the, the self-tax is, is corresponding to the plantax. And then they get IND-CCS security. So they have two, two reductions. So the security laws will be very, very high. And in our models, we just directly from the one-way CPS, PKE, to IND-CCS, PKE-CCS-ICAM. And to overcome this problem, we need, we just use a lemma called one-way to, to hide lemma. In this lemma, it just, it talked about if we just modify a Rondon-Orchor in some, in some point, we can, then we can find if, if an adversary can, can, can distinguish these two Rondon-Orchors that we can get adversary to find which point have be detected. So in the reduction, we can reduce this problem to, to the, the one-way CPS security. So, oh, with this technique, we can, we can guaranteeing the consensus for Rondon-Orchor and we do not need to the one-way PKE here. And so, so in this proof, we, we need to develop a new one, new one-way to hide lemma that we, in our one-way to hide lemma, we add a redundant Rondon-Orchor. So with this Rondon-Orchor, we can directly prove this. So that's giving me a brief conclusion that we can prove Rondon-Orchor securities we can remove the additional hash and we can get a tighter security reductions. And our results, results have already applied to these the Rondon-Orchor submissions. And, and also our modular securities can be obtained by a variety combination of transformations with different queries and properties. And, and we should, we really think that we, our papers provide some new, new techniques can be inspired by other schemes. And our skills are two open problems. The first is whether we can get the, the tight security for F-4 transformations. As we now know, our transformation, the security loss with the square, but we do not know whether we, we can find a transformation with, without security loss. And then another, we can prove that, the explicit rejections for, for F-4 transformations. In our work, we just prove the implicit rejections but not the explicitly, explicit one. Here is, here is the result, the result work. Thank you for your attention.