 Hello, everyone. This is Eden from Chinese Academy of Sciences. I now talk about my paper tied to the individual simulations. This is the outline of this talk. First, we will give you a brief introduction to the problem. I would like to start with a formal statement of a typical theorem, which usually states that if an assumption X holds then the construction Y is skewed. We often pull such a theorem by a universal reduction where we simply construct a reduction R, such that for any adversary A that breaks Y, the reduction R can break the underlying assumption X. However, for most security definitions, it switches to quantifiers and requires only existential proof. That is, we just need to show that for every adversary A that exists, there exists a reduction R. And then we also note that there may be a huge gap between these two reduction methods. In the universal reductions, R has only access to its codos, the adversary A, but in individual reductions, R may depend on any properties of the function to your way. In this paper, we will focus on simulation-based security. Up to date, almost all simulation strategies are universal. This includes black box simulation techniques and black box non-black box simulation techniques. It seems to us that the individual simulation seems to be much powerful. And this is implicitly mentioned in several works such as Chang-Lei-Pos in TCC-15, then in Your Equivital, 17. In this paper, we mainly develop such a simple individual simulation technique and then construct two protocols that breaks the long black box barriers for the first time on the standard assumption. And this part of us enjoys a somewhat weaker security called TAPS security, where the simulation depends on the size of the distinguish and the error probability we tolerate. And we also simplify the constructions and the security pool through the existing low-round, weak-zooner protocol in the play model. Now we talk about our simulation technique. For now, we just assume we already have a two-round protocol AB with two good properties. This construction is similar to recent breakthroughs in weak-zooner protocol and the constructions that use condition disclosure schemes. In this protocol, the party B simply samples an MP instance Y to a send-back MSCM. We assume the protocol enjoys two properties. The first is low-round witness to Y enables us to give a successful simulation. The second is distinguishing an honest MSCM from a dummy MSCM is equivalent to extracting a witness Y. Now we can see the absolute adversary B and our question is how to simulate the honest party A. Here we just want a long-defined simulate rather than distinguish dependent one. We note that the two cases in which the simulator will be the first is the simulator succeeds to extract a witness to Y, second one is if the simulator fails then we need to make sure that no other efficient algorithms can succeed and of course the black box extractor would fail in this set because we cannot extract the witness by rewinding the adversary B. What about the individual extractor? We just mentioned such an extractor knows the randomness of B and can depend on any properties of the functionality of B. However, these two cases in which the simulator will win indicates that we may need an optimal individual extractor that outperforms all other efficient algorithms. The problem with this approach is that it seems hard to bond the sides of the extractor and it may run in super polynomial time. For this reason we resort to the weaker simulatability called T-epsilon simulatability. Now we just need a T-epsilon optimal extractor that outperforms all sets of sides T acceptable for probability epsilon. Fortunately, we are able to show the existence of such an optimal extractor. The procedure for constructing such an extractor is as follows. Firstly, we can pick an option algorithm E and then for i from 1 to 1 over epsilon we ask a question at each step i. Does it exist a 6co size T such that the probability that the current extractor fails to extract a weakness but the 6c wins. It's greater than epsilon and if the answer is yes then we now have a new extractor by simply combining these two sets which output a valid witness if one of these two sets output a valid witness. Compared to the extractor we have at the beginning with step the success probability of the new extractor increases by at least epsilon. Thus, if for any step i the answer is yes then at the end of this procedure we will have an extractor with success probability 1 which is of course optimal. Otherwise, if for some step i the answer to this question is no then we also have a T epsilon optimal extractor. The final extractor returned by its procedure is of size at most T over epsilon. So we prove that for any mp instance sampling algorithm B we have a T epsilon optimal extractor E and we now give two examples to explain how the extractor E depends on the functionality of B. We can see that y is an image of one-way permutation f and in the first example the algorithm B chooses an r from the domain of f and then compute f r. For this algorithm we have an optimal extractor E that takes r and y as input and just outputs r. In the second example the algorithm B simply samples an r from the range of f and then outputs r. For this algorithm B an arbitrary algorithm can also be optimal. This is because f is one-way and low algorithm can compute a random y. For the purpose of our applications we need to consider T instance sampling algorithm B that outputs T instance simultaneously. For such a sampling algorithm B we want a robust T epsilon optimal extractor that outperforms any sexy C of size T except for probability epsilon in each co-ordinate. We also require these to hold even if the sexy takes the output of the extractor as input. For such a T instance sampling algorithm B we also have an T epsilon robust T epsilon optimal extractor of polynomial size which is optimal in every co-ordinate high. Here allows us to allow the sexy to take the output of the extractor as input. For this change we need to make some careful modifications to the various procedures for constructing an optimal extractor. Now if the protocol A B satisfies these two properties then with the T epsilon optimal extractor we can achieve T epsilon similar to B native 4A. Here the simulator simply applies the extractor and tries to extract the witness to why and if the extractor succeeds then we are done and if the extractor fails then the simulator can send back a dummy message which is indistinguishable from the real world. This is because of the second property of the protocol A B. We now tend to our constructions. A key ingredient for constructions with these two properties is a variant of Robin's encryption scheme which is basically a regular approach to encryption. The public key is the Blumint to M and the secret key is the prime factor when this defines the trapdoor of a permutation F which maps the quadratic residue S to S squared modulo N. To encrypt a bit M one chooses R and then compute F R as the first part of the self-tax. The second part of the self-tax is the hardcore R, XOR, B to M. Implied by the REC, COMPRA and VOR we have that for any integer N. Distinguishing self-taxes is equivalent to extracting a prime factor of N and we will use these properties to establish the second property of protocol A B. And here we just let the party B send a public key N to A and then the party A sends back a self-tax under the public key N. With these ideas we now give two constructions. The first is the two-round SOI skill commitment scheme. We use two primitives, encryption scheme just mentioned and trapdoor commitment schemes defined over the public key N. And trapdoor is the secret key P. That means if one loads the secret key P then it can open a given commitment to any value at its wish. In the committing phase, the receiver sends a long integer N to the sender. Then the sender computes a commitment to B and encrypts this commitment C and sends it back to the receiver. And in the opening phase, send computes openings and sends B and a decommitment to the receiver. And the receiver first decrypts the self-tax he received in the committing phase and then check that B and decommitment is a valid opening for C. Bidding property follows from the fact that two valid openings need to affect N. And the T-epsilon SOI security follows from the following two observations. We first observe that this scheme is almost critical in the known settings. Here we think about it. We are given a commitment. And then we can apply the T-epsilon optimal extractor and try to extract the effect. If the extractor succeeds, then we can use the trapdoor to open the given commitment to any venue. And if the extractor fails, then we can also open it to any venue B. This is because the failure with the optimal extractor implies that low other sects can extract the secret key or the prime factor when, which in 10 implies that low other sects of size T can decrypt the self-tax received in the committing phase. And then in this setting, we can pretend that actually B and decommitment is a valid opening for some commitment C, which may not be related to the plain text encrypted in the self-tax sent by the send in the committed phase. Now we take a close look at the SOA attack in which the adversary receiver or star is allowed to initiate sessions for some polynomial T. It stops when T integers 1, 2, and T. And then the send sends back T commitments of that the receiver or star asks the send to open a subset of these commitments. And now we can apply the robust tips to the optimal extractor to such a receiver or star. And combining the observations to further observations we will have two absolute simulators for the attacker on the parallel repetition. We now tend to the three-round concomitance of knowledge in the BPK model. And here we use the same encryption scheme and the three-round schema protocol we denote the three messages exchanged in a session by A, E, and C. And in the key generation phase we have to verify write a pair of public key on the public file F. And in the proof phase P and V execute the three-round sigma protocol to prove that X is in L. Or I know a secret key of N0 and 1 to achieve the concomitance of knowledge we have we modify this protocol slightly and they have the pool where encrypt the last message twice on the each public key. At last they verify decrypt this side text and then check C for these two plain texts are equal and A, E, Z is accepting. The concomitance soundness is similar to the soundness pool for the classical function of protocol in the plain model, which essentially says a break in concomitance soundness needs to factor in integer M. And using this reasoning similar to SOSQ commitment scheme we can also construct a T-absorbed simulator for an adversary verify. We disseminate it first applies the T-absorbed optimal extractor to the key generation phase of the verify and tries to extract a prime factor for each parallel public key. Now if the extractor succeeds then we are done. And if this extractor fails for some parallel public key then the disseminate can encrypt all zeros in the last step of the session on this public key, which is indistinguishable from the real-world execution. We can also apply these ideas, tactics to construct a two-round T-absorbed simulator for Zoology in the plain model and these techniques can also be used to simplify the security proofs of the existing Zoology in the plain model. Here in summary we developed a very simple simulation technique and constructed two simple protocols that breaks the lone black box barriers for the first time and we also simplified the constructions and the security proofs of the existing Zoology in the plain model. Thank you.