Thank you for the introduction. I'm Takashi Yamakawa from the University of Tokyo and AIST. Today I'm talking about Adversary-dependent Lossy Trapdoor Function from Hardness of Factoring Semi-smooth RSA Subgroup Moduli. This is a joint work with Shota Yamada, Goichiro Hanaoka, and Noboru Kunihiro. The main topic of this work is the lossy trapdoor function, LTDF for short. LTDF was first introduced by Peikert and Waters in 2008. And it is known that LTDF can be used for constructing various kinds of primitives such as collision-resistant hash functions, CCA-secure public key encryption, oblivious transfer, deterministic public key encryption, selective-opening-attack-secure public key encryption, and so on. On the other hand, it is also known that LTDF can be constructed based on various kinds of assumptions such as DDH, LWE, QR, DCR, and so on. So LTDF can be seen as a core primitive in cryptography, and so it is an important topic to study more on LTDF. So this is the definition of a lossy trapdoor function. LTDF is defined as a pair of functions of two modes, injective mode and lossy mode. In the injective mode, a function is injective and efficiently invertible by using a trapdoor. On the other hand, in the lossy mode, a function is lossy. That is, the image size of the function is much smaller than the domain size. And in that case, it is information-theoretically impossible to invert the function. And additionally, we require indistinguishability of these two modes. This means that functions generated in injective mode and lossy mode are computationally indistinguishable. If these properties are satisfied, then the scheme is a lossy trapdoor function. So this is our motivation. Although there are many known constructions of lossy trapdoor functions, until now, there is no known construction of LTDF solely based on the factoring assumption, which claims that it is hard to factorize a large number. There are some known factoring-related constructions of lossy trapdoor functions.
However, all of them are based on stronger decisional assumptions such as QR, DCR, Φ-hiding, and so on. Compared with these assumptions, the hardness of factoring is a much more classical and reliable assumption. So we want to have a construction of LTDF solely based on the factoring assumption. This is the motivation of our work. And this is a summary of our result. Unfortunately, we couldn't construct LTDF based on the factoring assumption. However, we took a step toward the goal. In particular, we tried to relax the notion of lossy trapdoor function, LTDF, to define what we call adversary-dependent lossy trapdoor function, AD-LTDF for short. And we showed that AD-LTDF is still sufficient in many applications of LTDF, such as collision-resistant hash functions, CPA-secure public key encryption, and deterministic public key encryption. And then we constructed AD-LTDF based on the factoring assumption for semi-smooth RSA subgroup moduli, SS moduli for short, which are a special type of RSA moduli. As a result, we obtained the first construction of deterministic public key encryption based on factoring. And as a side result, we also constructed a CCA-secure public key encryption scheme with compact ciphertext. From now, I will explain the details. First, I will explain how to relax the notion of lossy trapdoor function to define adversary-dependent lossy trapdoor function, AD-LTDF. AD-LTDF is also defined as a pair of injective mode and lossy mode. However, in AD-LTDF, lossy mode is indexed by some index i. In injective mode, the function is injective and invertible by a trapdoor as well. And in lossy mode, for any index i, the function is lossy, and so the image size is much more than the domain size. However, the indistinguishability is defined a bit differently from the usual LTDF. For the indistinguishability of AD-LTDF, we require that for any polynomial-time adversary, there exists an index i such that the two modes are indistinguishable by that adversary.
In this definition, what is important is that the index i can depend on the adversary. And so this means that the generation algorithm of the lossy function can depend on an adversary. In this sense, we call this notion adversary-dependent lossy trapdoor function. So it seems that AD-LTDF is a significant relaxation of the usual notion of LTDF. However, we show that AD-LTDF is still sufficient for many applications of LTDF. This can be seen by the following reason. In many applications of LTDF, the lossy function appears only in the security proof, and it is often not used by the real construction of the protocol. In that case, in the security proof, we construct a reduction algorithm by using the adversary, and so the construction of a reduction algorithm can depend on the adversary. So if the lossy function is only used by the reduction algorithm, the lossy function can depend on an adversary. So in such cases, AD-LTDF can be used instead of LTDF. So AD-LTDF is still useful. Now I'm talking about how to construct AD-LTDF from the factoring assumption for SS moduli. To do so, we introduce a new assumption, which we call the AD-DRSA assumption, the adversary-dependent decisional RSA subgroup assumption. We will show that the AD-DRSA assumption can be reduced to the factoring assumption, and we also show that we can construct AD-LTDF based on the AD-DRSA assumption. As a result, we obtain AD-LTDF based on the factoring assumption for SS moduli. So now I will explain the notion of semi-smooth RSA subgroup modulus, SS modulus, which we use in this work. An SS modulus N is written as N = PQ = (2pp' + 1)(2qq' + 1), where P, Q, p', q' are distinct primes, and p and q are smooth numbers. That is, they are products of small primes. And in this work, we assume that all these primes are ℓ_B-bit, where ℓ_B is of order log λ.
And for an SS modulus N, the group of quadratic residues, denoted by QR_N, is a cyclic group of order pqp'q', and can be written as a direct product of two groups, G and G⊥, whose orders are p'q' and pq respectively. And we will use two facts about SS moduli. The first one is that the partial discrete logarithm can be solved efficiently when given the factorization of N. This is because the order of the group G⊥ is smooth, and so it is easy to solve the discrete logarithm on that group. And the second property is that if we pick g uniformly from QR_N, then the distribution of g^(p_1 p_2 ... p_M) is uniform on G, where p_1, p_2, ..., p_M are all the ℓ_B-bit primes, and so M is the number of all ℓ_B-bit primes. And now I will introduce the DRSA assumption, which was introduced by Groth. This assumption is a kind of subgroup decision assumption with respect to SS moduli, and this assumption states that a random element of QR_N is indistinguishable from a random element of its subgroup G. Equivalently, for an SS modulus N, this assumption can be stated like this. When g is uniformly sampled, the distributions of g and g^(p_1 p_2 ... p_M) are computationally indistinguishable. This assumption was used in previous work. Xue et al. constructed LTDF based on this assumption. However, this is a kind of subgroup decision assumption, and we don't know how to reduce this assumption to the classical factoring assumption. So their construction is not a factoring-based construction. Our focus in this work is on constructions solely based on the factoring assumption. So we consider a more relaxed adversary-dependent version of the DRSA assumption. So this is the definition of the adversary-dependent DRSA assumption which we introduced.
The AD-DRSA assumption is parameterized by some integer m, which is smaller than M, and the m-AD-DRSA assumption states that for any PPT adversary, there exists a choice of an m-tuple of ℓ_B-bit primes, p_1 to p_m, such that the distributions of g and g^(p_1 p_2 ... p_m) are indistinguishable. And because these m primes are chosen out of the M ℓ_B-bit primes, there are many possible choices of these primes, and each choice of p_1 to p_m gives a subgroup of QR_N. So this assumption states that for any adversary, there exists a subgroup of QR_N such that a random element of that subgroup is computationally indistinguishable from a random element of QR_N. And what is important is that that subgroup can depend on an adversary. In this sense, we call this assumption the adversary-dependent DRSA assumption. So from now, I will talk about these two reductions. And first, I will talk about this part because this part is a little simpler. So as mentioned earlier, in previous work, there is a construction of usual LTDF based on the usual DRSA assumption. And actually, our construction is a slight modification of that construction. And we will prove this theorem: AD-LTDF exists under the m-AD-DRSA assumption for sufficiently large m. First, we review the construction of usual LTDF from the usual DRSA assumption in the previous work. The construction is given like this. And why is this a lossy trapdoor function? Correctness can be seen by the fact that the partial discrete logarithm is solvable given the factorization of N, and so this is invertible. And lossiness can be seen by the fact that the description of the lossy function is g^(p_1 p_2 ... p_M), which belongs to G. And G is a much smaller group than QR_N, and so lossiness also holds. And indistinguishability is actually the DRSA assumption itself. So these three properties are satisfied, and so this gives us LTDF.
So next, I am talking about how to modify the construction to obtain AD-LTDF from the AD-DRSA assumption. This is the construction of our scheme. And the difference from the previous construction is the lossy mode. In AD-LTDF, lossy mode is indexed by some index i. And in our construction, index i is given as an m-tuple of ℓ_B-bit primes p_1 to p_m. And the description of the lossy function is given as g^(p_1 p_2 ... p_m). And we show that this is actually AD-LTDF. This is actually very similar to the previous one. And the lossiness is exactly the same as the previous construction. And lossiness is almost similar because the description of the lossy function is g^(p_1 ... p_m). And this belongs to a subgroup G_i of QR_N, where the subgroup G_i is defined by index i = (p_1, ..., p_m). And if m is sufficiently large, then we can show that the order of the group G_i is small. And so in that case, we can show lossiness. And for indistinguishability, actually the indistinguishability is the m-AD-DRSA assumption itself. So these three properties are satisfied. So now we obtained AD-LTDF from the AD-DRSA assumption. Next, I'm talking about how to reduce the AD-DRSA assumption to the factoring assumption for SS moduli. The AD-DRSA assumption is a kind of subgroup decision assumption. On the other hand, the factoring assumption is a search assumption. So it seems very difficult to reduce this assumption to the factoring assumption. So this part requires a new idea. And this is actually the technical core of our work. So we prove this theorem: the m-AD-DRSA assumption holds under the factoring assumption for sufficiently small m. So now we recall the definition of the m-AD-DRSA assumption. This assumption states that for any PPT adversary, there exists an m-tuple of ℓ_B-bit primes p_1 to p_m, such that the distributions of g and g^(p_1 p_2 ... p_m) are computationally indistinguishable.
So if this assumption is broken, then this means that there exists a PPT adversary which distinguishes these two distributions for any choice of ℓ_B-bit primes p_1 to p_m. From now, I will construct a factoring algorithm based on this adversary. If this is done, this means that the m-AD-DRSA assumption is reduced to the factoring assumption. So from now, I will give the description of the factorizing algorithm. The factoring algorithm is given a composite number N, and as a first step, it generates two lists L and L'. It sets L to be all ℓ_B-bit primes and L' to be an empty set. And as step two, while the size of L is larger than or equal to m, it repeats the following. It first chooses an m-tuple of ℓ_B-bit primes p_1 to p_m from L randomly. And then for this p_1 to p_m, because we assume that this adversary breaks the m-AD-DRSA assumption, this adversary distinguishes these two distributions. And by the hybrid argument, there exists i such that the adversary distinguishes the distributions of g^(p_1 p_2 ... p_(i-1)) and g^(p_1 p_2 ... p_i). And for such i, the factorizing algorithm removes p_i from L and adds p_i to the other list L'. Here I remark that we have p_i divides φ(N) with overwhelming probability. Because otherwise these two distributions are exactly equivalent and any adversary cannot distinguish these distributions. So we have p_i divides φ(N). And it repeats this procedure while the size of L is larger than or equal to m. So when this step finishes, the size of L becomes m − 1. And the total number of ℓ_B-bit primes is M. So at that point, the size of L' is M − m + 1. And then the factorizing algorithm, as step 3, computes the total multiple e of the primes contained in L'. Because all primes contained in L' divide φ(N) with overwhelming probability, the multiple e of them also divides φ(N) with overwhelming probability. And L' contains M − m + 1 ℓ_B-bit primes.
So the multiple of these primes, e, is larger than 2^((M − m + 1)(ℓ_B − 1)). Here it tries to factorize N by using the Coppersmith method. The Coppersmith method in our scenario means that given e such that e divides φ(N) and e is larger than the square root of N, N can be factorized efficiently. And we already have e divides φ(N) with overwhelming probability, and e is larger than 2^((M − m + 1)(ℓ_B − 1)). And we show that if m is sufficiently small, then e is larger than the square root of N, and so the Coppersmith method can be used and N can be factorized. So in this way we show that the m-AD-DRSA assumption can be reduced to the factoring assumption. By now we have proved these two theorems. The first one is that AD-LTDF exists under the m-AD-DRSA assumption for sufficiently large m, and the second one is that the m-AD-DRSA assumption holds under the factoring assumption for sufficiently small m. And we show that there exists a choice of m such that both theorems are applicable. So by choosing such m we can combine these two theorems and obtain our main result. That is, AD-LTDF exists under the factoring assumption for SS moduli. In the actual proof we have to set parameters carefully. For the details of this point please refer to our paper. Next I'm talking about applications of AD-LTDF. As mentioned earlier, in the applications of LTDF we can replace LTDF with AD-LTDF in collision-resistant hash, CPA-secure PKE, and deterministic public key encryption. And among those schemes, especially, we construct the first deterministic public key encryption scheme that satisfies the security notion defined by Boldyreva et al. under the factoring assumption. I will not give the details of our construction. However, our scheme can be obtained by simply replacing LTDF with AD-LTDF in the previous construction.
And besides direct applications of AD-LTDF, by using a similar technique we construct a CCA-secure public key encryption scheme based on the factoring assumption for SS moduli, whose ciphertext overhead is the shortest among schemes based on the same assumption. And in particular the ciphertext overhead of our scheme consists of one group element and one MAC. And the construction of our scheme is a variant of the CCA-secure KEM from hash proof systems proposed by Hofheinz and Kiltz. Intuitively, we instantiate the construction based on the AD-DRSA assumption. So this is the summary of my talk. This is the end of my talk. Thank you for your attention.
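
The group-structure facts the talk relies on can be checked on a toy SS modulus. The following is an added example, not part of the talk or of the authors' paper: the parameters are constructed and far too small for any security, and exhaustive enumeration stands in for the distinguishing adversary that the reduction uses to find primes dividing φ(N).

```python
from math import gcd, isqrt

# Constructed toy parameters, l_B = 5 bits (no security at this size).
LB_PRIMES = [17, 19, 23, 29, 31]         # all 5-bit primes, so M = 5
p, q = 17, 19                            # smooth parts: here one l_B-bit prime each
p1, q1 = 3, 5                            # p' and q'
P, Q = 2 * p * p1 + 1, 2 * q * q1 + 1    # 103 and 191, both prime
N = P * Q
PHI = (P - 1) * (Q - 1)

# QR_N by exhaustive enumeration; only feasible because N is tiny.
QR = {x * x % N for x in range(1, N) if gcd(x, N) == 1}


def image_size(exponent):
    """Order of the subgroup { g^exponent : g in QR_N }."""
    return len({pow(g, exponent, N) for g in QR})


def lossy_subgroup_order(primes):
    """Order of the subgroup G_i reached by g^(p_1 ... p_m) for index i = primes."""
    e = 1
    for r in primes:
        e *= r
    return image_size(e)


def primes_dividing_phi():
    """l_B-bit primes whose power map is NOT a permutation of QR_N.
    These are the primes the reduction collects in L'. The talk finds them
    with the adversary; this toy version simply enumerates the group."""
    return [r for r in LB_PRIMES if image_size(r) < len(QR)]


def coppersmith_condition(e):
    """The condition stated in the talk: e divides phi(N) and e > sqrt(N)."""
    return PHI % e == 0 and e > isqrt(N)


if __name__ == "__main__":
    print("|QR_N| =", len(QR), "expected p*q*p'*q' =", p * q * p1 * q1)
    print("all M primes -> |G| =", lossy_subgroup_order(LB_PRIMES))
    print("index (17,)  -> |G_i| =", lossy_subgroup_order([17]))
    print("index (23,)  -> |G_i| =", lossy_subgroup_order([23]))
    found = primes_dividing_phi()
    print("primes dividing phi(N):", found)
    print("Coppersmith condition for their product:",
          coppersmith_condition(found[0] * found[1]))
```

An index made only of primes that do not divide φ(N), such as (23,), gives no lossiness at all, which is why lossiness needs m large enough that every m-tuple shrinks the group sufficiently.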