Hello, welcome to my talk. This talk is about QCCA-secure generic key encapsulation mechanism with tighter security in the quantum random oracle model.

First, let's recall some background on KEMs. The Fujisaki-Okamoto transformation is a well-known and widely used generic KEM. It can turn a CPA-secure PKE into a CCA-secure KEM, and the reduction proof is tight in the random oracle model, or ROM. However, facing the threat of quantum computers, we need to analyze it in the quantum random oracle model, or QROM. In 2017, Hofheinz and others decomposed the FO into two transformations named U and T. They analyzed them and their variants in the ROM and QROM. Several works are devoted to improving the reduction tightness in the QROM, but they all suffer from the square-root advantage loss. Until last year, Kuchta and others gave an improved one-way-to-hiding lemma named measure-rewind-measure one-way-to-hiding. Using it, the loss is reduced to about D squared. Here, D is the query depth to the random oracles.

On the other hand, Saito et al. introduced a new security notion named DS for public-key encryption schemes in 2018. They gave a transformation named SXY that can turn a DS-secure PKE into a CCA-secure KEM tightly. This transformation is similar to a viral show-you, except that there is a re-encryption check in the decryption algorithm. They also gave two transformations named KC and TPunc that can turn a one-way or CPA-secure PKE into a DS-secure PKE. However, they all suffer from the square-root advantage loss. Besides, they require the underlying PKE to be perfectly correct. The next year, they showed that the transformation SXY can even turn DS security into QCCA security tightly. QCCA is a stronger security notion than CCA. It allows the adversary to make quantum queries to the decapsulation oracle.

In our work, we reduced the security loss of KC to about D using the measure-rewind-measure one-way-to-hiding.
What's more, we removed the requirement of perfect correctness. And we proved that the combined transformation SXY, KC, and T can turn any CPA-secure PKE into a QCCA-secure KEM with loss about D squared. The combined transformation SXY and KC can turn any one-way CPA secure deterministic PKE into a QCCA-secure KEM with loss about D. The following is a comparison of KEMs from CPA security. We achieved the advantages of previous works at the same time, and our proof doesn't need other requirements.

Now, let's focus on the transformation KC. We analyzed it in two cases of the underlying deterministic PKE. The first case is that the underlying DPKE is derived from T. The second case is that it's a general δ-correct DPKE. We recall that the transformation T turns a randomized PKE into a deterministic PKE by assigning a hash function to the encryption randomness. The hash function is modeled as a random oracle in the proof. But the correctness notion we used is in the standard model. There should not be random oracles related to it. So these two cases are disjoint.

To deal with the correctness error, we use the modified DS notion, which will be described later. And we use an event to separate some bad cases in the proof. In the first case, we define it as: for a randomly chosen message, there exists another message such that they map to the same ciphertext. In the second case, we define it as: there are some messages that can cause the encryption error. These two events can be proved to happen only with a small probability. We note that the probability is taken over the generation of key pairs in both cases.

Here, we show the definition of DS. We say a PKE scheme is DS-secure if there exists a simulator S, given the public key as input, satisfying the following two requirements. The first is statistical disjointness, roughly saying that the simulator almost always outputs a wrong ciphertext.
The second is ciphertext indistinguishability, roughly saying that for any efficient algorithm A, given the public key and a ciphertext produced by the normal encryption algorithm or the simulator, it's hard to distinguish which is the case. In our proof, to cooperate with the bad event we defined before, we modify the first requirement, disjointness. Specifically, we remove the maximum and consider it in the average case. Then we can prove that if the bad event doesn't happen, the probability of this draw is very small and the disjointness can be proved.

Before we prove the ciphertext indistinguishability, we first recall the measure-rewind-measure one-way-to-hiding lemma. Let G and H be two random functions with domain X, z be a random value, and S be a subset of X; G and H are equal except for the points in this set S. Then for any algorithm A with oracle access to G or H, there exists an algorithm D with oracle access to G and H such that the distinguishing advantage of A can be bounded by the probability that D outputs some element in S.

Now we try to prove the ciphertext indistinguishability. In the encryption algorithm of KC, a hash of the message is added to the ciphertext, but the simulator S chooses a random value and the D part. To prove the DS security, we may want to define a function H' to be H except for the point M', so that we can invoke the measure-rewind-measure one-way-to-hiding to construct a one-wayness attacker against the underlying PKE. But M' is not given to the adversary, so H' cannot be simulated directly. However, we can replace M' with a set consisting of the messages that can be encrypted to the challenge ciphertext. With this definition, H' can be simulated by testing whether the queried message is in this set or not. The ciphertext indistinguishability can be proved.

Next, we will consider the transformation SXY. Corresponding to the proof of KC, we also analyze it in two cases.
The first case is that the underlying DPKE is derived from KC and T. The second case is that it's a general δ-correct DPKE. Case 2 has been proved by Xagawa and Yamakawa. We note that their proof also works with the modified DS notion, and case 1 can be proved based on their proof. Specifically, to deal with the correctness error, we insert two intermediate games into their game-based proof. In the first game, we replace the hash function G from T with G' that only outputs good randomness. In the second game, we change G' back to G. This method is used in many works, and the distinguishing probability can be bounded by a lemma named generic distinguishing problem with bounded probabilities. In the games between the above two games, the decryption is always correct, so the proof of case 2 can be reused.

Finally, we can combine the above results, getting that the combined transformation SXY, KC, and T can turn any CPA-secure δ-correct PKE into a QCCA-secure KEM with loss about D squared. The combined transformation SXY and KC can turn any one-way CPA secure δ-correct PKE into a QCCA-secure KEM with loss about D. Thank you for listening.