Hello everyone, I'm Xiao Liang, and I'm here to give a short overview of our results on post-quantum simulatable extraction. This is joint work with Nai-Hui Chia, Kai-Min Chung, and Takashi Yamakawa.
Extractable commitments are a very basic and important cryptographic primitive. It requires the existence of an extractor. Given the malicious committer C-star, the extractor talks to C-star. It may potentially rewind C-star, but at the end of the execution, the extractor is able to extract the value M-star committed by the malicious C-star. Here I want to remark that in the classical setting, this primitive enjoys a property that we usually take for granted. That is, the extractor is able to not only extract the committed value M-star, it can also simulate C-star's post-extraction state. This property is particularly important for protocol composition. For classical protocols, this is usually easy to do because the extractor can just pretend to be the honest receiver to execute the protocol with C-star. And then the extractor can rewind C-star back to the beginning of the execution and start the extraction procedure. However, what if C-star is now a quantum adversary? In this setting, simulating C-star's post-extraction state turns out to be hard work. Due to the no-cloning theorem, we cannot record C-star's state and rewind it back.
Now let's take a look at a typical construction of extractable commitments. To commit to a value, the committer first samples two random strings a10 and a11, which XOR to the message M. This actually forms a secret sharing of the message M. Then, the committer repeats this procedure N times, where N is a security parameter. Next, the committer commits to these shares independently. Next, the receiver samples a random string of length N. The receiver simply sends the random string C to the committer. The committer decommits to its initial commitments, according to the receiver's string C.
Now let us recall how to extract the committed value if the committer C is malicious. Our extractor simply samples a new random string C prime, sends it to C-star, and learns the corresponding decommitments. As you can see, as long as C and C-star are not identical, there will be one column in this matrix where the committer decommits to both positions in one column. These two decommitments will allow us to recover the committed message M. This is how the extractor works in the classical setting.
Now let's consider the scenario where the malicious C-star is a quantum machine. In this case, it might still be possible to extract the committed value M-star, using, say, the techniques developed by Unruh for post-quantum proof of knowledge. However, it is unclear how we can simulate the malicious C-star's post-quantum extraction state. At this moment, you may be thinking that maybe this construction is not good. If we choose another construction of extractable commitments, maybe we can extract the committed value while simulating C-star's post-extraction state. However, it is worth noting that this construction is popular for some reasons. For example, it makes use of only minimal assumptions. Also, it is constant-round and makes black-box use of one-way functions. The last two properties are particularly important for efficiency concerns. So if you want to find an alternative construction for extractable commitments in the post-quantum setting, you may also want to maintain these advantages.
Now let's look at the state of the art, if we want all the properties mentioned earlier. Basically, there are four known constructions so far. Only the last construction makes black-box use of the underlying primitive, and only the second construction manages to achieve constant rounds. In this column, I also show if these constructions require quantum power for communication and computation. Moreover, the first construction is based on assumptions as strong as oblivious transfer.
The second construction needs algebraic assumptions. In particular, it requires the existence of fully homomorphic encryption for quantum circuits as well as the LWE assumption. So it looks like the current state of the art is not satisfactory. Actually, there is a reason. This problem is hard even if we only require constant-round constructions and simulatability of C-star's post-extraction state. The reason is that such an extractable commitment satisfying only these two properties would imply constant-round zero knowledge, for which we have negative results. Due to the time limit, I won't explain these conditions for now. If you are interested, you can check this paper in our references.
Due to the lower bound mentioned earlier, we cannot achieve all the desired properties. Therefore, we choose to aim at a weaker notion of simulation called epsilon simulation. That is, instead of trying to simulate the post-extraction state STC star with negligible error, we now allow a noticeable error gap. More accurately, we require the existence of a simulation extractor SE. SE takes a noticeable function epsilon as a parameter. Now we compare two worlds. The first world is the real execution. We denote STC star as the state of the malicious committer at the end of the execution. We use this notation to denote the transcript, which consists of all the interaction messages between C-star and R. In the real world, we consider this tuple. This value denotes the message committed by C-star. You can think of it as bounded in this transcript. The second world is the simulation extraction world. This SE talks to C-star. It can potentially rewind C-star. At the end of the interaction, the SE outputs a tuple, which is supposed to be the simulated post-extraction state and the message committed by C-star. We say that an extractable commitment is epsilon-simulatable if these two tuples are epsilon-close for any noticeable function epsilon.
I want to remark that this weaker notion of simulation is still useful, because epsilon simulation is always sufficient to imply IND-based or game-based security. Here, a typical example is that epsilon-simulatable zero knowledge already implies witness indistinguishability.
Now we ask a question. If we are happy with this relaxed notion of simulation, can we build extractable commitments that maintain all the other advantages? And the answer is yes. In this work, we build such an epsilon-simulatable extractable commitment. To execute our protocol, the honest parties don't need to be quantum, but it is secure against even quantum malicious committers. As applications, our extractable commitments imply two-party coin tossing, zero-knowledge arguments of knowledge for NP, and zero-knowledge arguments for QMA, and eventually we also obtain secure two-party computation. All these protocols also enjoy the advantages shown here, but since our extractable commitment is only epsilon-simulatable, we only manage to achieve epsilon-simulatable versions of these protocols.
If you are interested, please look forward to our talk at full length. Here is the information for our talk, and you can also find the full version of our paper at this link. Thank you for your attention.