 Thank you, Vaz, for the introduction. So you all know the classic even-man-sure blocks of a construction, which is built on top of a public random permutation pi and uses two sub-keys, L0 and L1. From this, one can directly channelize this to a t-route construction based on t-public permutations pi1, pi2, and up to pi t, and t plus 1 sub-keys, L0, L1, and so on. So this is the key alternating cypher of KAC construction introduced by Brockman of Eddall. This lovely object has received quite a lot of attention lately. And for the case of 10 routes, you can view it as an ideal abstraction of AES. To capture the security of KAC, one typically models is by the conventional CCA security notion of block cypher. Under this notion, an adversary will be brought into a real world or an ideal world. In either world, adversary is provided with two oracles to encrypt and decrypt. In the real world, the oracles will implement the KAC block cypher and its inverse with a random secret key. In the ideal world, they implement a random permutation app and its inverse. In both worlds, the adversary will get access to the primitives pi1 to pi t. There have been quite a lot of papers dedicated in analyzing the security of KAC. This live work coordinates in a paper by Chen and Steinberger that achieves an asymptotically tight valve for KAC. At the very first glance, the problem is completely solved. But if you look more closely in that, you realize a huge concrete gap between what is proven secure and the best known attacks. And this gap is visualized here for the parameters of AES, meaning there are 10 valves, and the block length is 128. So prior works are not only quantitatively, but also qualitatively. So concern with only security with respect to a single user. But in practice, an adversary will typically attack on Mars, adaptively distributing its resources against multiple users. That adversary will be happy as long as it can compromise somebody. So to model the multi-user security, in the real world, the oracles implement many instances of the KAC block cypher. And likewise, in the ideal world, we don't implement many independent permutations, F1, F2, and so on. If you want to get multi-user security from the existing work, you have to use a higher average. But then there will be a degradation factor proportional to a number of users. For the KAC, this loss appears unnecessary, at least when there are only one or two routes. As recent work have demonstrated. So today, we will show concretely tight bounds for KAC that close the gap between best known bounds and attacks. And our results are for both single and multi-user security. And we show that, indeed, for KAC, multi-user security is quite close to single user case. Underlying our results are the new proof techniques for information theoretic security. They extend and refine existing methods, such as the edge coefficient technique of partnering. The new methods are quite general and might have potential applications beyond the scope of KAC. Specifically, here are the bounds for KAC. In a single user case, we essentially achieve the bounds correspond to the best known attacks. In a multi-user case, as expected, there's some small loss. But our result is much better than what is achieved by a hybrid argument as visualized here. So let me now introduce our proof techniques. So our main quantitative improvement compared to Chen and Steinberger is due to a channelization of the edge coefficient technique that we call the expectation method. When we combine this with a combinatorial dilemma by Chen and Steinberger, it will immediately obtain a concrete type bound for single user security of KAC. If you want to have multi-user security, we give a generic translation from single to multi-user security with strong bounds. I stress that the translation is generic. It has nothing specific to KAC. But of course, because the translation is so powerful, it has to be conditional. Otherwise, there's no hope to be the hybrid argument in all cases. To understand our techniques, we first need to review the edge coefficient technique of Parterine. This proof method aims to bow the distinguishing advantage of two randomized systems, S0 and S1. So when an adversary interacts with either system, it will make queries to receive answers. And this information will be recorded in a transcript tau. The distinguishing advantage is then bounded by the statistical distance between the distributions of the transcript that the two systems produce. Often, we only deal with state list systems, such as the block cipher. And in that case, we can rearrange the order of the queries in a transcript without affecting the probability that the system produces that kind of transcript. And it's why the edge coefficient technique is so powerful in handling adaptivity. So if you want to bow the statistical distance, you first need to classify transcripts by good versus bad ones. The next step is to bow the probability that a random transcript is bad and the maximum over all good transcripts of this formula. Once we are done with that, then the distinguishing advantage is bounded by the sum of these two numbers, S1, 1, and S1, 2. To understand, to have some intuition why this is true, so we call that the statistical distance is the sum of some product. And now if we plot some rectangles whose width are the first term in the product and the height are the second terms, then intuitively, the statistical distance is just the total area of the plotted rectangles. And in this picture, the red areas correspond to the bad transcript, and the blue areas correspond to the good ones. Given this, the edge coefficient technique tells us that you can up about the red area by this orange rectangle and the blue area by the gray one. Now let's try applying the edge coefficient technique on the KAC problem. So recall that the adversary can make two types of queries, either a construction query to the KAC block server or primitive queries to the permutations pi 1 to pi t. So these queries and the answers will be recorded in a transcript like this. For example, here, the transcript tells us that if you encrypt a string y and you get a 7xz, or if you query a string v to the inverse of pi 3 and you get a string u. And pictorially, one can represent a transcript by a graph like this. Now to determine if a transcript is good or bad, when the adversary finishes querying, we'll give it a key and extend the transcript with that key. In the real world, that key is exactly the real key for the block server. In the ideal world, the key just some random string independent of anything else. Now this extended transcript, again, can be represented by a graph. For example, here, the graph tells us that if you x-order sub-key l3 through a string v, then you'll get a string z. We say that an extended transcript is bad. If its graph contains some part that we call a chain as highlighted here. For bad transcripts, it's pretty easy to distinguish. For example, here, this transcript must come from the ideal world. Initially, the transcript tells us that if you encrypt y, you should get z. But then when you actually do the encryption process by following the chain, then we end up with a completely different cybertext, which is a contradiction. And recall that in the edge coefficient technique, you need to bound two numbers, epsilon 1 and epsilon 2. In this case, bounding epsilon 1 is quite simple, but bounding y-order number proves to be difficult. Shannon-Steinberger provides a pretty accurate estimation for the term in epsilon 2. But when you substitute that in the maximum formula, you will end up with a very poor bound. Shannon-Steinberger tried to get around that by some tricks, but as we saw earlier, the bound is only asymptotically tight. So let's pause for a moment and think. Why does the edge coefficient technique fail here? The reason is that it demands a single epsilon 2 for all good transcripts. So if just a few good transcripts misbehave, you will be screwed. To get around that in our expectation matter, we just demand that there must be some transcript dependent g of tau for every good transcript tau. With a computer expectation value of d is about, the expectation is taken over all transcripts, including bad ones. So by doing this, if just a few good transcripts mess up, then our epsilon 2 is still small. And again, the distinguishing advantage is bounded by the sum of epsilon 1 and epsilon 2. To understand some intuition why this is true, so we call that the edge coefficient technique want to bound this blue area by a big rectangle. And that can be a waste in some cases. So now instead, we'll use some custom-made shape to approximate that. If you use a good bound, then you can essentially have a very tight estimation of the blue area here. To use the expectation method on the KAC problem, recall that Chen and Steinberger already provide us with a very good estimation. And now all we need to do is to compute the expectation value of this formula. The formula is kind of complex. But fortunately, its expectation is fairly easy to compute. And we are done with the single-user security of KAC. Now let's move on to the multi-user setting. We will give a generic translation from single to multi-user security. This translation is conditional. I will call the condition point-wise proximity. Specifically, epsilon point-wise proximity means that for any good transcript, for any transcript, the gap between the probability that the ideal system produces this transcript and the probability that a real system produces it must be smaller than epsilon times the ideal probability. Point-wise proximity is a strong requirement because it immediately implies that the distinguishing advantage must be smaller than epsilon. So our result says that if you can establish point-wise proximity for single-user security, then you immediately get a similar bound for multi-user security. So I stress that this result needs some technical conditions on the function epsilon, but these conditions are mine and therefore often match. To understand why this kind of theorem is true, let's first consider a non-adaptive adversary, meaning that there are constants q1, q2, and so on, such that the adversary makes q1 construction queries on user 1 and so on. So in this setting, if we use a hybrid argument, then all we need to do is to create some intermediate system between the real system and the ideal one and then use the single user security bound to queue the gap between x consecutive pairs. This is pretty standard, but we need to be a bit careful in accounting the adversary's resources. For example, consider the systems S1 and S1. Now all we need to care is just the construction queries on the first user. It's why there are only q1 construction queries instead of q, but the construction queries on the other users won't vanish that easily. Internally, they will make some calls to the primitives. And so you have to account for that primitive queries. So the hybrid arguments give us the sum of some epsilon, but what we want is a completely different formula for the desired bound to be bigger than the sum of these epsilon. Then we need the epsilon functions to satisfy some super-editivity requirement. And that's the technical restriction that I mentioned previously. Now the hybrid argument that you just seen only works for a non-adaptive adversary. For an adaptive adversary, there won't be a priori constant, q1, q2, and so on. To resolve that, if we look at an individual transcript, it will provide us with some transcript dependent numbers, q1 tau, q2 tau, and so on. So intuitively, at the high level, all we need to do is to repeat the previous hybrid arguments, but at the transcript level, so that we can exploit these numbers, q1 tau, and so on. But in order for that to work, you need some sort of single user security bound at the transcript level. But that is exactly the point-wise proximity requirement summing up. So today we presented two proof techniques for the KAC problem, namely the expectation method and the genetic translation. The former is very powerful in getting completely tight bounds. And it has applications beyond the scope of KAC. For example, in our paper, we also can see the X or cascade construction, which is a generalization of desks. But there might be other applications. For the genetic translation, I think it's kept elegant, but it needs the point-wise proximity condition. Not all constructions meet these requirements. For example, five-store network. So that would be interesting to extend our results for those unfitting cases. And that's it. Thank you. Thank you very much.