Hello, I'm Haodong Jiang from SES. This is a joint work with Zhenfeng Zhang and Zhi Ma. The title of our paper is "On the Non-tightness of Measurement-Based Reductions for Key Encapsulation Mechanism in the Quantum Random Oracle Model". As we know, the currently deployed public key primitives are Diffie-Hellman key exchange, RSA, and elliptic curve cryptosystems. The security of these cryptosystems can be easily broken by a quantum computer. Due to this, many researchers have begun to investigate post-quantum cryptography, usually called PQC in short. The goal of PQC is to design classical cryptographic systems that remain secure in the presence of a quantum adversary. Recently, NIST launched a PQC project and published a couple of proposals, including public key encryption, that is PKE, digital signature, and key encapsulation mechanism, which we call KEM in short in this talk. In particular, more than half of the submissions are KEMs. A KEM consists of three algorithms: key generation, encapsulation and decapsulation. In practice, we usually need CCA secure KEMs. Roughly speaking, the CCA security of a KEM says that an honestly generated session key is indistinguishable from a truly random session key, even though the adversary is allowed to query the decapsulation oracle. To construct a CCA KEM, we usually first build a CPA secure PKE from a post-quantum hard problem, and then by a generic transform we can obtain a CCA secure KEM. As a fundamental primitive, a CCA KEM can also be used to construct a CCA secure PKE and a key exchange. Here we mainly focus on the generic construction of a CCA KEM from a CPA secure PKE. Based on the underlying assumptions, these generic constructions can be grouped into two cases. One is the KEM variants of the FO transform, and the other is the KEM variants of the REACT/GEM transform, for example the transform U. We also call these generic constructions FO-like generic constructions.
The FO-like constructions are the only known transforms from CPA PKE to CCA KEM. In particular, FO-like generic constructions are widely used in the Round-3 KEM submissions. FO-like generic constructions are based on an idealized model called the random oracle model, where a hash function is idealized to be a publicly accessible random oracle. Generic constructions in the random oracle model have gathered renewed interest in the post-quantum setting, because a quantum adversary can execute a hash function on an arbitrary superposition of inputs. Therefore, when proving post-quantum security, one needs to prove security in the quantum random oracle model, where the adversary can query the random oracle with a quantum state. In general, the quantum random oracle model is quite difficult to deal with, since many proof techniques in the random oracle model will be incompatible with the quantum random oracle model. In the random oracle model, the simulator naturally learns the queries to the random oracle. This is called extractability, which is widely used in proving security for cryptosystems based on computational problems in indistinguishability-based security models. In the quantum random oracle model, the queries can be quantum states, and learning a quantum state means a measurement, which allows one to extract classical information from a quantum state. In modern cryptography, cryptosystem constructions are usually proposed together with a proof of security. Typically, when proving the security of a scheme S, one usually constructs a reduction R that runs the adversary against S as a subroutine to break the underlying hard problem. In the random oracle model, when proving the IND-CCA security of a PKE/KEM under various standard assumptions, one usually constructs a query-based reduction that uses a hash query from the adversary to break the underlying hard problem.
In the quantum random oracle model, reading a query means measuring the query. That is, the quantum counterpart of a query-based reduction is called a measurement-based reduction, which measures the hash query from the adversary and uses the measurement outcome to break the underlying hard problem. Tight reductions with a smaller tightness gap are desirable for practice. Let (tA, epsilon A) and (tR, epsilon R) denote the running times and advantages of an adversary A and a reduction R respectively. The reduction is said to be tight if tA is about tR and epsilon A is about epsilon R. Otherwise, we call the reduction non-tight. A reduction is called black-box if it just uses the adversary's input-output behavior and does not depend on the internals like the adversary's code. In contrast, a non-black-box reduction requires knowledge of the adversary's internals. In general, black-box reductions are more popular than the non-black-box ones in cryptography. Most reductions in the quantum random oracle model are measurement-based and have a tightness property like this: tR is about tA, and epsilon R is about 1 over kappa times epsilon A to the power of tau. We call kappa and tau respectively the factor of the security loss and the degree of the security loss. This is the current tightness result for FO-like KEM constructions. As we can see, the existing black-box reductions from standard CPA assumptions are far from desirable due to the quadratic security loss, at least. Although this quadratic security loss can be avoided by the recent work KSS+20, the reduction in KSS+20 relies on a newly introduced technique called measure-rewind-measure that can only apply to a reversible adversary. In the post-quantum setting, most adversaries are irreversible, since most oracles, for example decapsulation oracles in the security model, can only be classically queried.
While the existing black-box reductions in the literature can cover arbitrary adversaries, this is quite different from the results in the random oracle model, where a linear security loss can be achieved in a black-box manner. The quadratic security loss arises from the usage of the one-way-to-hiding (O2H) technique. The O2H technique is an essential technique to prove post-quantum security. It gives a reduction from an extraction algorithm against a search problem to a decision problem. Besides the FO-like constructions, O2H was also used to prove the security of key exchange, MACs, signatures, and so on. Recently several works tried to improve the tightness of O2H; however, as in the case of FO-like KEMs, the tightness improvements are only restricted to the factor of the reduction loss, and the quadratic loss still exists. Therefore, a natural question is: for FO-like KEMs and the O2H technique, is the quadratic security loss inevitable for measurement-based black-box reductions? In this paper, we give an affirmative answer to the above question. In detail, for FO-like KEMs, we show that a measurement-based black-box reduction from breaking the standard CPA security of the PKE to breaking the CCA security of the KEM will inevitably incur a quadratic security loss. Such an impossibility result can also be extended to show that the quadratic security loss is also inevitable when reducing a search problem to a decision problem with the essential O2H technique in a black-box manner; that is, the black-box O2H technique is essentially optimal in terms of the degree of reduction loss. Next, we show the main technique. Here we just take one of the FO-like KEM constructions, U, as an example, but it's not hard to extend the result to other FO-like KEM constructions and the general one-way-to-hiding.
In the transform U, the session key K is derived by H(M), where H is a hash function and M is a message picked randomly. Our proof strategy is that we first construct a specific quantum adversary with advantage at least square root P, and then we show that any measurement-based black-box reduction that runs this specific adversary as a subroutine to break the OW-CPA security of the underlying PKE will have advantage at most P. Firstly, we will show how to construct this specific adversary. As we know, when we attack the security of a KEM, the adversary needs to distinguish H(M*) from a uniformly random K. The challenge ciphertext C* is an encryption of a random M*, and the coin b is also uniformly random. We note that the random oracle has a useful property: if M* has not been queried, then the value H(M*) is uniformly random in the adversary's view. That is, the distinguishing advantage is negligible when making no query to H with M*. Thus, to achieve a non-negligible distinguishing advantage, the adversary has to query the random oracle with M*. In the random oracle model, the adversary can only make classical queries to the random oracle. For any real P, if the adversary queries M* with probability P, he will learn H(M*) with probability P and break the security with advantage about P by testing whether K0 is equal to Kb. For a reduction against the PKE's OW-CPA security, a natural way is to take the adversary's query as a return. Then with probability P, the reduction will return M* and break the OW-CPA security. That is, the advantage of the reduction and the adversary is approximately equal, which is consistent with the currently known tight reduction. In the quantum random oracle model, a quantum adversary can make a query to the random oracle with a quantum state. Consider the following quantum state: psi_{-1} is equal to square root P |M*>|0> plus square root (1 minus P) |M'>|Sigma>.
Sigma is the uniform superposition of all the keys. If we send psi_{-1} to the random oracle, then the random oracle will return psi_0, where psi_0 is the same as psi_{-1} except that the 0 is replaced by K0. A quantum adversary can directly guess the coin b by testing whether the quantum state psi_0 is equal to the quantum state psi_b, where psi_b is the same as psi_{-1} except that the 0 is replaced by Kb. Testing whether the quantum state psi_0 is equal to the quantum state psi_b can be accomplished using the standard quantum state discrimination method, known as the Helstrom measurement. The advantage is at least square root P. Here is the concrete construction of the quantum adversary. The adversary first searches for M*, and if none is found, outputs 1 and terminates the procedure; then it samples a real P and a uniform M', queries the random oracle with the quantum state psi_{-1}, performs the Helstrom measurement on psi_0, and returns the measurement outcome. As Theorem 3.1 says, such an adversary can have advantage at least square root P. Next, we will show how to bound the advantage of a general measurement-based black-box reduction. A measurement-based black-box reduction is that the reduction R receives a challenge as input, runs a PPT pre-processing sub-algorithm, and then launches the adversary. When the adversary makes a query to the random oracle with the quantum state psi, the reduction measures psi in the computational basis and gets the measurement outcome. Finally, the reduction runs a PPT post-processing sub-algorithm and returns the output. We have two remarks. First, performing an additional quantum operation before measurement is not allowed, but such an additional unitary operation cannot substantially increase the reduction's advantage, because otherwise there is an algorithm breaking the OW-CPA security of the underlying PKE efficiently.
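As an added worked derivation (not part of the talk) of why the Helstrom measurement on these states gives advantage at least sqrt(P): write out the two candidate states after the oracle query and compute their overlap. It assumes keys are n-bit strings, M' differs from M*, and K1 (uniformly random) differs from K0 = H(M*), which fails only with probability 2^{-n}.

$$|\psi_0\rangle = \sqrt{P}\,|M^*\rangle|K_0\rangle + \sqrt{1-P}\,|M'\rangle|\Sigma\rangle,\qquad
|\psi_1\rangle = \sqrt{P}\,|M^*\rangle|K_1\rangle + \sqrt{1-P}\,|M'\rangle|\Sigma\rangle$$

Here $|\Sigma\rangle = 2^{-n/2}\sum_{y\in\{0,1\}^n}|y\rangle$ is mapped to itself by XORing $H(M')$ into the register, so the second branch is identical in both states, and $\langle M^*|M'\rangle = 0$ kills the cross terms:

$$\langle\psi_0|\psi_1\rangle = P\,\langle K_0|K_1\rangle + (1-P)\,\langle\Sigma|\Sigma\rangle = 0 + (1-P) = 1-P .$$

The Helstrom (optimal two-state) measurement distinguishes two pure states with output gap $\sqrt{1-|\langle\psi_0|\psi_1\rangle|^2}$, so the adversary's distinguishing advantage is

$$\Pr[\mathrm{out}=1 \mid b=1] - \Pr[\mathrm{out}=1 \mid b=0] = \sqrt{1-(1-P)^2} = \sqrt{2P-P^2} = \sqrt{P}\,\sqrt{2-P} \;\ge\; \sqrt{P}\quad(0<P\le 1),$$

since $2P - P^2 - P = P(1-P) \ge 0$. A classical query of $M^*$ with probability $P$, by contrast, yields advantage about $P$, which is where the square-root gap between the quantum adversary and a measurement-based reduction comes from.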
We also remark that the considered reductions do not restrict the simulations of the random oracles and other oracles that the adversary queries, and thus our results can cover the black-box reductions in HHK17, SXY18, JZC+18 and so on. We use a meta-reduction to bound the advantage. A meta-reduction usually simulates the adversary part, runs the reduction as a subroutine, and breaks the underlying problem directly. That is, a meta-reduction usually treats the reduction as an adversary itself and reduces the existence of such a reduction to an underlying problem. Concretely, we analyze the advantage of a measurement-based reduction in the following three cases. In the first case, where the search returns no M*, the adversary outputs 1 without any query to the random oracle H. Thus, the output of the adversary is 1, and the adversary can be replaced by an adversary A1 that always outputs 1 without the search for M* and the query to the random oracle H. Therefore, we can easily construct a meta-reduction MR1 that simulates A1 and takes the reduction R as a subroutine to break the OW-CPA security. In particular, the running time of MR1 is about the running time of R, and in this case the advantage of MR1 is about the advantage of R. In the second case, where the search returns M* and the measurement outcome is M*, we can bound the advantage directly by P. In the third case, where the search returns M* but the measurement outcome is not M*, the reduction just gets M'. Let A2 be an adversary that queries a quantum state like this and outputs 1 without the search for M*. Thus, the advantage of the reduction under this condition remains unchanged when the adversary is replaced by A2. Just as in case one, we can also construct a meta-reduction MR2 against the OW-CPA security of the PKE.
In particular, the running time of MR2 is about the running time of R, and in this case the advantage of MR2 is about the advantage of R. Then according to the above analysis, we can get the following theorem, which gives the upper bound of a general measurement-based reduction. That is, the advantage of a general measurement-based reduction is less than P plus the advantage of MR1 plus the advantage of MR2, approximately. Then combining Theorems 3.1 and 3.2, we can directly obtain our main theorem, which says that for our specific adversary, the advantage epsilon A is less than approximately the square root of epsilon R minus epsilon MR1 minus epsilon MR2. Under the assumption that the advantage of any efficient algorithm breaking the OW-CPA security of the PKE is negligible, we have epsilon MR1 and epsilon MR2 negligible. Then we can directly derive that epsilon R is less than epsilon A to the power of 2. That is, for the transform U, a measurement-based black-box reduction in the quantum random oracle model from breaking the standard OW-CPA security of the PKE to breaking the IND-CCA security of the resulting KEM will inevitably incur a quadratic loss of security. Here is our conclusion. For FO-like KEMs, we first show the tightness limits of black-box reductions and prove that a measurement-based reduction in the quantum random oracle model from breaking the standard CPA security of the underlying PKE to breaking the IND-CCA security of the resulting KEM will inevitably incur a quadratic security loss. In particular, most black-box reductions for those FO-like KEMs are already optimal, and our results suggest an explanation for the lack of progress in improving this reduction tightness in terms of the degree of security loss. This impossibility result can also be extended to show the tightness limits of the general black-box one-way-to-hiding. Okay, that's all. Thanks for your attention.