Hello everyone, my name is Qiqi Lai. I'm very happy to give the presentation for the paper "Almost Tight Security in Lattices with Polynomial Moduli". This is a joint work with Feng-Hao and Zhedong and was done when I visited FAU.

The reduction framework is a proposal to analyze the security of a crypto construction by relating its security to some suitable hard problem. This framework can be described roughly as follows. Assume there is a (t_A, ε_A)-adversary A that breaks the crypto construction. Then we can construct a (t_B, ε_B)-reduction algorithm B that uses A as a subroutine and solves the underlying hard problem. To evaluate how tight the security of the crypto scheme is with respect to the hardness of the underlying problem, we establish bounds of the form ε_B ≥ ε_A/θ and t_B ≤ k·t_A, and then use k·θ as the measure of tightness. In particular, the crypto scheme is considered tight if kθ is a constant, and almost tight if kθ is a small polynomial in the security parameter which is independent of the adversary. If kθ depends on the adversary, for example kθ = q·poly(λ) where q is the number of queries made by the adversary, the reduction is non-tight.

Achieving tight security is a meaningful task, particularly when one can prove that the same or perhaps a slightly less efficient scheme has a tighter reduction than a non-tight one. From a theoretical point of view, tightness means that the security of a crypto scheme is extremely closely related to the hardness of the underlying hard problem; this is the optimal case we can expect from provable security theory. In practice, by knowing the almost tight relation we will know how aggressively we can set the security parameter, which is important for practical efficiency.
This subject has drawn a lot of attention. We know how to construct almost tight PRF, IBE, PKE, signatures and so on from DDH or factoring. While research in this line is active, most results are with respect to assumptions on groups or factoring. For other important or post-quantum assumptions such as lattices, only a few results are known even for almost tight security. For symmetric-key primitives there are only several almost tight PRFs from LWE. For public-key primitives, Boyen and Li constructed the first almost tight IBE based on LWE; then Boyen and Li and Libert et al. constructed almost tight all-but-many lossy trapdoor functions from LWE.

Even with these excellent advances, however, we notice a common drawback in all prior almost tight lattice-based results: they all require super-polynomial moduli. From the above we notice that for tight security in lattices, some works are essentially almost tight but with super-polynomial moduli, while other works can work with polynomial moduli but only have non-tight security. In fact, either super-polynomial moduli or non-tight security will result in a much larger dimension n, which is clearly a negative factor for efficiency. Therefore, we ask: is a super-polynomial modulus inherent for achieving tight security?
In this work, we answer this question in a positive way for the following important primitives: PRF, IBE and all-but-many lossy trapdoor functions. In particular, we construct and prove almost tight security of all those primitives from LWE with polynomial moduli.

Now, let us first focus on the first part of our paper, PRF. Basically, a PRF is a family of deterministic functions such that, even given adaptive black-box query access, a polynomial-time adversary cannot distinguish it from a truly random function. Of course, PRF is quite significant and has many applications such as efficient encryption, identification, authentication and so on.

Next, let us recall some prior work on PRF. The first type of PRF is heuristic constructions, for instance AES, which is widely deployed in practice; however, they don't have a rigorous security argument. In order to establish formal proofs for PRF, GGM and NR95 constructed PRF from more fundamental primitives such as PRG and synthesizers, which can be instantiated based on group and factoring assumptions. Then, with consideration of post-quantum security, many excellent PRFs such as synthesizer-based, direct tree-based and key-homomorphic constructions have been proposed. Here, we want to especially mention a concurrent work by Kim in Eurocrypt 2020, which also achieves an almost tightly secure PRF from LWE with polynomial modulus, but this construction seems to be inherently sequential.

Now, the state of the art is as follows. On the one hand, the GGM-based construction has polynomial modulus but non-tight security and is inherently sequential. On the other hand, non-GGM-based constructions are almost tight and have low-depth circuits, but their modulus is super-polynomial. Kim's work has polynomial modulus and is almost tight, but its circuit is only in NC2; therefore, we see it does not have perfectly low depth. Thus, we would like to obtain PRF with polynomial modulus, almost tight security and post-quantum security, and our thought in this part is how to achieve the desired properties from the GGM-based PRF.

Next, let us recall the GGM-based PRF. This is its construction from a double-length PRG. Generally, the well-known GGM-based PRF is proved from LWE to PRG to Q-PRG to PRF, where Q is the number of queries made by the adversary. Here, we use Q-PRG to indicate that all Q outputs of the PRG are indistinguishable from uniform. As we always need to use a hybrid argument to prove PRG to Q-PRG, the reduction loss Q seems to be inherent. In this paper, we adopt a novel approach from LWE to nLWE to Q-LWR to PRF. Here, we manage to eliminate the reduction loss Q from nLWE to Q-LWR.

More formally, LWR states that, given a matrix A, the rounding of the vector s times the matrix A is indistinguishable from a truly random vector u. Then, it is natural for us to get Q-LWR, or multi-secret LWR; this means the rounding of multiple vectors times the matrix A is also indistinguishable from truly uniform. Hence, we can use Q-LWR to represent Q-PRG. Furthermore, we consider how to eliminate Q in the security loss of Q-LWR from LWE.

In order to clarify our technical details more naturally, let us first recall the proof of LWR by Alwen et al. Given a matrix consisting of columns a_1, a_2, ..., a_m, the first step is to break the matrix A into a matrix A' and a vector a, and then switch a into an LWE sample. Then, the second step is to prove this step by using a randomness extractor. The third step is to switch the column back to the uniform a. Then, we repeat the above three steps for each column of A and finally switch each column of A into uniform. Then, let us analyze the reduction loss in this process. Basically, the first step leads to an ε security loss, the second step is statistically close, and the third step leads to an ε security loss. As a result, the overall security loss is (2ε + 2^{-n})·m.

Then, we look at how to eliminate the dependency on Q in the security proof of Q-LWR. In contrast to the original proof of Alwen et al., we just replace the single vector s with a block source s_1, ..., s_Q. Since Q only relates to the statistical indistinguishability step, the overall security loss is still (2ε + 2^{-n})·m, which is independent of Q. This essentially implies almost tight security, but the security loss still scales with the parameter m due to the hybrid argument. Next, we focus on how to remove the dependency on m. We observe that the bottleneck of the proof is that of switching only one column in each round. It is a natural approach to try to switch many more columns in each round; clearly, in this way, we can eliminate the dependency on the parameter m.

Putting things together, we get nLWE to PRF with reduction loss κ, where κ is the input length of the PRF. Furthermore, by applying the domain extension of Döttling and Schröder, we achieve nLWE to PRF with reduction loss ω(log κ). Up until now, we have finished the presentation on PRF.

Next, we focus on the part on how to get IBE in the standard model with adaptive security, almost tight security, post-quantum security and polynomial modulus. Similarly, in order to clarify our technique more naturally, let us first recall the almost tight IBE by Boyen and Li, which is the only adaptive IBE with almost tight security from lattices in the standard model, but its modulus is super-polynomial.

First, we recall the Setup algorithm. It first runs the TrapGen algorithm to get a matrix A with its trapdoor T_A, and then selects random matrices A_0, A_1, random PRF key matrices B_1 to B_k, and random PRF input matrices C_0, C_1. Next, it selects a random vector u. Furthermore, it selects a circuit C_PRF and selects a PRF key from {0,1}^k. Finally, it outputs the master public key and the master secret key. Then, for the KeyGen algorithm with ID ∈ {0,1}^t as input, compute the PRF over ID to get a bit b, compute the matrix A_ID as the public homomorphic evaluation of C_PRF over the matrices B_i and C_{x_i}, set the matrix F_{ID,1-b} in the following way, and finally run the SampleLeft algorithm to sample a vector d_ID such that F_{ID,1-b} · d_ID = u. For the encryption algorithm with ID ∈ {0,1}^t as input, compute the matrix A_ID as the public homomorphic evaluation of C_PRF over the matrices B_i and C_{x_i}, set the matrix F_{ID,b} in this way for b = 0 and 1, and then use dual Regev twice for encryption.

Then, by analyzing the above Boyen-Li IBE, we know the core technique of almost tight IBE is the homomorphic computation of the circuit C_PRF, and we know that the black-box framework ABB plus an almost tight PRF with polynomial modulus will imply the desired IBE. Next, we consider which PRF works for this black-box construction. Clearly, the existing almost tight PRFs with super-polynomial modulus do not work here; how about our new result on the GGM-based construction and Kim's concurrent work? Unfortunately, both works are still not in NC1; thus, they cannot be directly used to obtain the desired IBE. However, we have an important observation: it is not necessary to use a PRF in NC1. In other words, it suffices to have an almost tight PRF that is computable by a poly-size circuit.

Generally, our new idea is to use both bootstrapping and FHE. In more detail, we set MPK as the matrix A, the matrices B_1 to B_ℓ, and the matrix C equal to the FHE encryption of the PRF secret key, with the matrix B_i equal to the GSW encryption of the FHE secret key; the homomorphic computation of the PRF is conducted in two steps. First, use the FHE scheme to compute the PRF circuit, and then use the bootstrapping method to switch it back to the required GSW ciphertext. Hence, we just need the decryption circuit of the used FHE scheme to be in NC1. Then, beyond IBE, using the similar idea for all-but-many lossy trapdoor functions and signatures will result in almost tight security too. Thank you.
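As an added illustration of the PRF part of the talk (this is example code, not code from the paper or its authors): a toy GGM tree PRF whose double-length PRG is the LWR rounding ⌊sᵀA⌉_p, together with the multi-secret (Q-LWR) batch that the proof switches to uniform in one shot. The toy parameters and the hash-derived public matrix A are constructed for the demo and are far below any real security level.

```python
import hashlib

# Toy parameters (constructed for illustration only; nowhere near a secure LWR instance).
Q = 257        # LWR modulus q
P = 16         # rounding modulus p < q
N = 8          # secret dimension n (one seed = N elements of Z_p)
M = 2 * N      # double-length PRG: the output is two seeds

def public_matrix(tag: bytes) -> list:
    """Derive a public matrix A in Z_q^{N x M} from a tag via SHA-256.
    Assumption for the demo: any public, uniform-looking A is fine; the talk takes A uniform."""
    return [[int.from_bytes(hashlib.sha256(tag + bytes([i, j])).digest()[:4], "big") % Q
             for j in range(M)] for i in range(N)]

def round_q_to_p(x: int) -> int:
    """LWR rounding: round(x * p / q) mod p, computed exactly on integers."""
    return ((2 * x * P + Q) // (2 * Q)) % P

def lwr_prg(seed: list, A: list) -> list:
    """The PRG G(s) = round_p(s^T A) : Z_p^N -> Z_p^M. One evaluation is one LWR sample."""
    assert len(seed) == N
    return [round_q_to_p(sum(seed[i] * A[i][j] for i in range(N)) % Q) for j in range(M)]

def multi_secret_lwr(seeds: list, A: list) -> list:
    """Q-LWR view from the talk: Q secrets s_1..s_Q rounded against the same A.
    The talk's proof shows this whole batch is close to uniform with a loss independent of Q."""
    return [lwr_prg(s, A) for s in seeds]

def ggm_prf(key: list, x_bits: list, A: list) -> list:
    """GGM tree: start at the root seed (the PRF key) and descend one PRG call per input
    bit, taking the left half of G(s) on bit 0 and the right half on bit 1. The seeds
    used at one tree level across Q queries are exactly the batch multi_secret_lwr models."""
    s = list(key)
    for b in x_bits:
        y = lwr_prg(s, A)
        s = y[:N] if b == 0 else y[N:]
    return s

def bits(value: int, length: int) -> list:
    """Big-endian bit decomposition of an integer, giving a PRF input in {0,1}^length."""
    return [(value >> (length - 1 - i)) & 1 for i in range(length)]

if __name__ == "__main__":
    A = public_matrix(b"demo-matrix")
    key = [3, 14, 1, 5, 9, 2, 6, 5]          # constructed PRF key in Z_p^N
    print(ggm_prf(key, bits(0b0110, 4), A))  # PRF output (a vector in Z_p^N) at input 0110
```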