Hello, everyone. I'm Yi-Fu Lai. Today I'm going to talk about compact, efficient, and UC-secure isogeny-based oblivious transfer. This is joint work with Steven Galbraith and Cyprien Delpech de Saint Guilhem. Firstly, we recall the setting of an oblivious transfer protocol. There are two parties, Alice and Bob, or say the sender and the receiver. Alice has two messages, and Bob would like to know one of them, and they run some steps here. After the execution, there are two requirements. The first one is that Bob gets one and only one message. The second one is that Alice doesn't learn Bob's choice. Keep in mind that this is the classical requirement for an OT scheme. Given the importance of oblivious transfer as a cryptographic tool, we need a stronger security definition that takes composition into account. The security notion is called universally composable security, or UC security, which was proposed by Canetti. This is a simulation-based security definition, and in this security definition the simulator doesn't simulate for the adversary but for an environment machine. An environment machine, as described, observes everything in this world, and it interacts with a real-world machine or an ideal-world machine, but it doesn't know which one it is. In the real-world machine, there's an adversary and the protocol you design. In the ideal world, there's a simulator, which has black-box access to the adversary. And in this ideal world, everyone interacts with a trusted party. So you can see that everything in this world is super secure, because every computation is processed by this trusted party. So if you can show that your protocol in the real-world machine is indistinguishable from the one created by the simulator in the ideal-world machine, then you can say that your protocol has UC security.
There are two previous isogeny-based OTs, as follows, and they achieve UC security against semi-honest adversaries, which means that the adversary will follow the protocol execution but tries to learn more information from the execution. Based on this, by adding a zero-knowledge proof around it or using some generic transform like this, the protocol can be upgraded to UC security against malicious adversaries. A malicious adversary means that the adversary is not required to follow the protocol specification. But it will take a polynomial number of isogeny computations, because at the current stage the CSIDH-related or SIDH-related zero-knowledge proofs or signature schemes take a polynomial number of isogeny computations. So our research question is: can we have an isogeny-based OT that is UC-secure against malicious adversaries and takes only a constant number of isogeny computations?

Next, for our protocol, the isogeny tool we rely on is called CSIDH. So here we give a fast recap of CSIDH. For an odd prime p, a Montgomery curve over F_p is defined in the following form. An elliptic curve defined over a prime field is said to be supersingular if the group order is p + 1. Let O be an order of an imaginary quadratic field and let π be an element in this order. We let this set collect all supersingular curves defined over F_p, modulo F_p-isomorphism, whose rings of endomorphisms defined over F_p are isomorphic to this order, where the order element π corresponds to the Frobenius map, which maps (x, y) to (x^p, y^p). We know that the ideal class group of this order acts freely and transitively on this set. We also use some propositions about quadratic twists in our work. So here we recall the definition of the quadratic twist. The quadratic twist of a curve defined over F_p is of the following form: there's one more coefficient in front of y^2.
And this coefficient is a quadratic non-residue. There are the following three propositions for quadratic twists. The first one is that if you take the twist of [a]E, then you get [a^{-1}]E^t. Moreover, when p ≡ 3 (mod 4), if you take the twist of E_0, it's still E_0, and the twist of E_A is equal to E_{-A}. Equality here means F_p-isomorphic. So accordingly, when p ≡ 3 (mod 4), if you take the twist of [a]E_0, you get [a^{-1}]E_0, for any group element in this ideal class group. We will simplify the notation in the following way for the group and the set, and we also ignore the class notation. We also assume that we have efficient uniform sampling of this ideal class group. You can do this by using, like, the CSI-FiSh parameters, or say the CSIDH-512 parameters.

To have a cryptosystem, we have some computational assumptions. The first one is the most well-known one, called the computational CSIDH problem. You are given three curves, E, [a]E and [b]E, and your task is to find [ab]E. This is quite similar to the Diffie-Hellman problem: you are given g, g^a and g^b, and your task is to find g^{ab}. We have another relaxed version called the square CSIDH problem. You are given one curve only, [a]E, and your task is to find [a^2]E. But actually, if you are given the order of this ideal class group, then these two problems are equivalent. A proof for the case p ≡ 3 (mod 4) can be found in the CSIDH paper, and the other part of the proof can be found in our appendix. The proof uses the fact that the 2-Sylow subgroup of this ideal class group has rank one.

Next, we introduce a new assumption called the reciprocal CSIDH problem. The reciprocal CSIDH problem is a two-round experiment defined in the following way. There is a public curve E and two parties, Alice and Bob, i.e., the challenger and the adversary. The adversary sends a curve X to the challenger first, and the challenger sends [a]E to Bob.
Bob's task is to find [a]X and [a^{-1}]X. The reciprocal CSIDH problem looks a bit weird, but actually you can see that this problem is as hard as the square CSIDH problem. Firstly, we're going to show that the reciprocal CSIDH problem is not harder than the square CSIDH problem. So you are given the curve, and we let the adversary commit to the same public curve. Then you obtain a challenge [a]E, and your task now is to find [a]E and [a^{-1}]E. But actually, you can see that you already have [a]E, so your task now is just to find [a^{-1}]E. We invoke the square CSIDH oracle and obtain a curve C. We're going to show that C is equal to [a^{-1}]E. Because you can write E as [a^{-1}]([a]E), the square CSIDH oracle will square this part; that's why you get [a^{-1}]E.

Next, we're going to show that the reciprocal CSIDH problem is not easier than the square CSIDH problem. In this proof, we show this by using a rewinding argument. Say the challenge is E and [a]E, and now your task is to find [a^2]E. We invoke the oracle with the public curve [a]E. After the oracle commits to a curve X, we give E as the challenge to the oracle, and then we get the output. We extract the first entry, and we rewind the oracle and replace the challenge from E with the first entry we just got. Then you execute the oracle; you get two curves, and we extract the second one. We are going to show that the second entry X_2' is equal to [a^2]E. Since we can write E as [a^{-1}]([a]E), we have X_1 = [a^{-1}]X. Thanks to the transitive action, we can write X as [x]E, so you can write X_1 in the following way. By definition, the oracle will invert this part and act on X; that's why you get [a^{-1}], sorry, [a^2]E. So we have shown that the reciprocal CSIDH problem is as hard as the square CSIDH problem. So when you are given the order of this group, you can say the reciprocal CSIDH problem is as hard as the computational CSIDH problem.
Next, we are going to show the construction of our oblivious transfer. Firstly, we have two parties. We start from a three-round construction, with Alice and Bob, also the sender and the receiver. Alice has two messages, and Bob would like to know one of them. Firstly, Alice sends [a]E to Bob, and Bob computes [b]E or [b]A and sends it to Alice. Alice then computes [a]B and [a^{-1}]B as the decryption keys for these messages. She encrypts the messages using these keys. In this way, Bob can decrypt one and only one message. The idea can be visualized in the following graph. Here are Alice and Bob. Alice sends this [a]E to Bob, and Bob sends [ab]E or [b]E to Alice. If Bob sends [ab]E to Alice, Alice then computes these two curves as the decryption keys. As for Bob, he can compute this key, but he cannot compute the other one unless he can solve a square CSIDH problem. So in this case you can see why Bob can decrypt one and only one message. The same argument applies to the other case.

The next step is that we use the quadratic twist to compress the rounds of our protocol from three rounds into two rounds. Firstly, Bob computes [b]E or ([b]E)^t and sends it to Alice, where E is the public curve. Then Alice again computes [a]B or [a^{-1}]B and uses these curves as the decryption keys to encrypt the messages, and sends the ciphertexts to Bob. In this case, Bob can also get one and only one message. We can visualize it in the same way. Here is Bob. Bob sends [b]E or ([b]E)^t to Alice, and Alice sends [a]E to Bob. In this way, Bob can compute this decryption key, and he cannot compute the other decryption key unless he can solve a computational problem. The same argument applies to the other case. But remember that this is not a rigorous proof; it gives you an intuition of how this cryptosystem can work.

Next, to have UC security, we need to simulate for the corrupt receiver and the corrupt sender.
To simulate the corrupt receiver, we use a standard approach using non-committing encryption, or a one-time pad, for example. We produce the ciphertext and produce the corresponding key later. We add a mechanism for this, so it takes one additional round for our cryptosystem. So our final product is three rounds instead of two rounds. Next, for the other side of the simulation, we develop a new tool for isogeny-based cryptography called the quadratic twist trapdoor. The key idea here is that we set up a trapdoor reciprocal CSIDH problem. So how do we set up a reciprocal CSIDH problem trapdoor? Firstly, we compute a random group element and use this curve as the public curve for this problem. Then the adversary commits to a random curve by generating a random group element. After receiving E' from the challenger, you return the following pair. You can observe that the first entry is correct, so we only need to show the correctness of the second entry. Because of transitivity, we can write E' in the following way, and because X = [b]E, it suffices to show that it satisfies the following form. Then, by using the proposition of the quadratic twist we just mentioned, we can see that the left-hand side is equal to the right-hand side. So we have shown the correctness of this trapdoor algorithm.

So how do we use this trapdoor algorithm to complete the other half of the simulation? Firstly, the setting is like this: the adversary corrupts the sender Alice. Alice has two messages, but she may not encrypt these two messages; she can do anything she wants. So firstly, we set up a trapdoor for the public curve E here. Then we invoke the reciprocal CSIDH problem solver to generate this [b]E element for Bob, or say the receiver. Then, upon receiving this curve [a]E from Alice, we invoke the problem solver to extract two curves, and we use these two curves as the decryption keys to decrypt the ciphertexts.
Then the simulator sends these two messages to the trusted party in the ideal world and completes the simulation. So in this work, we have given an isogeny-based oblivious transfer that is UC-secure against malicious adversaries, and it takes only a constant number of isogeny computations; in particular, five isogeny computations for the sender and four for the receiver. These two are the previous works we just mentioned. The third one is a concurrent work, but their main focus is not oblivious transfer; they just mention an OT construction, so we put their construction into this table. Moreover, the underlying assumption for our cryptosystem, the reciprocal CSIDH problem, is as hard as the computational CSIDH problem. But keep in mind that the reduction is not tight; you need to call the oracle several times.

Finally, we also point out some open problems relevant to this topic. The first question is: can we have a quantum-friendly reduction between the reciprocal CSIDH problem and the CSIDH problem? This is because in the reduction we just used, we used a rewinding argument: we take an output out, we measure it, and we rewind the oracle and take the output back. There's no such operation on a quantum machine. So our question is: can we have a quantum-friendly reduction between the reciprocal CSIDH problem and the computational CSIDH problem? The second question is: can we have a round-optimal efficient isogeny-based OT? Round-optimal means two rounds, because our final product is three rounds. We want to simulate the corrupt receiver, and the additional mechanism takes one more round for this. So our question is: can we have a two-round efficient isogeny-based OT? The next question is: can we have an efficient adaptively UC-secure isogeny-based OT? An adaptive adversary means that the adversary can choose whom to corrupt during the execution.
The adversary we deal with is called a static adversary: the adversary chooses whom to corrupt at the beginning of the execution. So this makes the security proof a bit different. So our question is: can we have an efficient adaptively UC-secure isogeny-based OT? Thanks for listening. Bye bye.
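The two-round construction described in the talk (Bob sends [b]E or its twist, Alice answers with [a]E and encrypts under [a]B and [a^{-1}]B) and the quadratic twist trapdoor used to simulate a corrupt sender, as an added example that is not part of the talk or of the authors' code. The class group acting on supersingular curves is replaced by a constructed toy: the cyclic group Z_N acting on curve labels by addition, with E_0 labelled 0 and the twist modelled as negation, which reproduces exactly the propositions the talk relies on (twist(E_0) = E_0, twist([g]E) = [g^{-1}]twist(E)). Every "hard" problem is trivial in this group, so the model demonstrates correctness of the key agreement and of the simulator's algebra, not security. The extra round of the final three-round protocol (non-committing encryption for the corrupt receiver) is not modelled. All function names and N are assumptions of this example.

```python
"""Toy model of the two-round CSIDH-style OT and the quadratic twist trapdoor.

Constructed example: the class group action [g]E is modelled as addition of
labels modulo N, the base curve E_0 is label 0, and the quadratic twist is
negation. Discrete logs are trivial here, so this shows the protocol algebra
only, never security.
"""
import hashlib
import secrets

N = 2**61 - 1   # toy group order (constructed; real CSIDH uses a class group)
E0 = 0          # the base curve E_0


def sample_group_element() -> int:
    return secrets.randbelow(N)


def act(g: int, E: int) -> int:       # [g]E
    return (E + g) % N


def compose(g: int, h: int) -> int:   # g * h in the (abelian) class group
    return (g + h) % N


def inverse(g: int) -> int:           # g^{-1}
    return (-g) % N


def twist(E: int) -> int:             # quadratic twist E^t
    return (-E) % N


def twist_identities() -> bool:
    """The two twist propositions used in the talk, checked on random elements."""
    g, E = sample_group_element(), sample_group_element()
    return (twist(act(g, E0)) == act(inverse(g), E0)
            and twist(act(g, E)) == act(inverse(g), twist(E)))


def kdf(curve: int, length: int) -> bytes:
    """Derive a pad from the shared curve (label) with SHAKE-256."""
    return hashlib.shake_256(curve.to_bytes(8, "big")).digest(length)


def otp(key: bytes, data: bytes) -> bytes:   # one-time pad encrypt/decrypt
    return bytes(k ^ d for k, d in zip(key, data))


def receiver_round1(E: int, choice: int):
    """Bob: send [b]E for choice 0, or ([b]E)^t for choice 1."""
    b = sample_group_element()
    B = act(b, E) if choice == 0 else twist(act(b, E))
    return b, B


def sender_round2(E: int, B: int, m0: bytes, m1: bytes):
    """Alice: send [a]E and the two messages padded under [a]B and [a^{-1}]B."""
    a = sample_group_element()
    A = act(a, E)
    K0, K1 = act(a, B), act(inverse(a), B)
    return A, otp(kdf(K0, len(m0)), m0), otp(kdf(K1, len(m1)), m1)


def receiver_finish(choice: int, b: int, A: int, c0: bytes, c1: bytes) -> bytes:
    """Bob recovers [a]B = [b]A (choice 0) or [a^{-1}]B = [b^{-1}]A^t (choice 1)."""
    if choice == 0:
        K, ct = act(b, A), c0
    else:
        K, ct = act(inverse(b), twist(A)), c1
    return otp(kdf(K, len(ct)), ct)


def run_ot(choice: int, m0: bytes, m1: bytes) -> bytes:
    """Honest two-round run with a random public curve E; returns m_choice."""
    E = act(sample_group_element(), E0)
    b, B = receiver_round1(E, choice)
    A, c0, c1 = sender_round2(E, B, m0, m1)
    return receiver_finish(choice, b, A, c0, c1)


def simulator_extract(m0: bytes, m1: bytes):
    """Corrupt-sender simulation with the twist trapdoor.

    The simulator plants E = [t]E_0 (knowing t), commits to X = [s]E and, given
    only the sender's A = [a]E, computes both [a]X = [s]A and
    [a^{-1}]X = [s t^2]A^t, so it decrypts both ciphertexts without knowing a.
    """
    t = sample_group_element()
    E = act(t, E0)
    s = sample_group_element()
    X = act(s, E)
    A, c0, c1 = sender_round2(E, X, m0, m1)     # whatever the sender returns
    K0 = act(s, A)                               # [a]X
    K1 = act(compose(s, compose(t, t)), twist(A))  # [a^{-1}]X via the trapdoor
    return otp(kdf(K0, len(c0)), c0), otp(kdf(K1, len(c1)), c1)


if __name__ == "__main__":
    print(run_ot(1, b"message zero", b"message one "))
    print(simulator_extract(b"extract-0", b"extract-1"))
```

The simulator never touches the sender's secret a: the first key is [s]A, and the second comes from A^t and the planted t, exactly the two-entry answer of the trapdoored reciprocal problem. Swapping the toy `act`/`twist` for real CSIDH group-action and twist routines would leave the protocol and simulator code unchanged.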