The first one is "Two-Round PAKE from Approximate SPH and Instantiations from Lattices" by Jiang Zhang and Yu Yu, and Jiang will give the presentation.

Thanks for your introduction. Good morning everyone, my name is Jiang Zhang and this is a joint work with Yu Yu from Shanghai Jiao Tong University.

So what I consider is a scenario where there are two parties over the internet and they want to set up a session key by using their own password. They first choose some uniformly random numbers r_A and r_B and exchange some public information over the internet. Finally, they take all their private and public information into a key derivation function to generate a session key. We have two basic goals. If both parties have the same password, then the session keys computed by the two parties have to be equal; and for security, we mostly require that an attacker who does not know the password of the two parties learns nothing about the session keys computed by the two parties.

Because there are many, many key exchange protocols based on high min-entropy symmetric keys, such as a key of AES, one may wonder if we can simply use the password as a symmetric key to obtain secure protocols by plugging it into those protocols. Unfortunately, as shown in the literature, it is insecure to do so. And there are actually different approaches, with careful security arguments, when designing PAKE protocols. In 1992, Bellovin and Merritt first considered the password-only setting and proposed the well-known EKE protocols. There are also papers that considered the security model and concrete protocols in the hybrid setting,
where the server, one of the two parties, holds a public key. A formal security model for PAKE was proposed by Bellare, Pointcheval and Rogaway in 2000, and three years later Katz, Ostrovsky and Yung had proposed the first PAKE protocol in the standard model without random oracles, which was then abstracted by Gennaro and Lindell into a PAKE framework from smooth projective hash functions. In the last decades, many papers followed this approach to construct PAKE with better efficiency or stronger functionality. But most of them are based on classic assumptions and will be insecure once quantum computers are available. In ASIACRYPT 2009, Katz and Vaikuntanathan proposed the first PAKE protocol from lattices by introducing approximate SPH and by adapting the GL framework, which we will talk about later. In this talk, we will give a two-round PAKE from approximate SPH and an instantiation from lattices.

So we begin with the definition of public key encryption. A PKE scheme has three algorithms: key generation, encryption and decryption. One can use key generation to generate a pair of a public key and a secret key, and using the public key we can produce ciphertexts of any given message. The decryption algorithm can be used to recover the message from the ciphertext. Then the correctness of the PKE scheme requires that decryption always works correctly and recovers the message from the ciphertext.
Given a key pair (pk, sk), we can define the space of valid ciphertexts, which are all the possible outputs of the encryption algorithm. Then we define three sets X, L and L̄, where X contains all the ciphertext-message pairs, and L is the subset which satisfies the encryption relation. The last one, L̄, is the set of those ciphertext-message pairs satisfying the decryption relation. If the PKE scheme is perfectly correct, then any ciphertext can be decrypted, so we have this relation here: L is a subset of L̄, which is then a subset of X.

Now a smooth projective hash function over X is actually a keyed hash function with a projection function α from the key space and the ciphertext space to projection keys. Given a hashing key, one can hash any element in X to a hash value. Moreover, if the input also satisfies the encryption relation, then we can compute the hash value by using the witness, the corresponding randomness used for producing the ciphertext, and the projection key s = α(k, c). The first property says that for any ciphertext-message pair satisfying the encryption relation, the hash values computed in the two different ways must be equal. Second, for those pairs which do not satisfy the encryption relation, the hash value computed by using the hashing key is uniformly random, even given the projection key α(k, c).

Now we first recall the GL framework from SPH. Here we have two parties who share the same password, and we have a common reference string which is a public key. In order to establish a session key, Alice first generates a pair of a public verification key and a secret key for a one-time signature, and then sends the verification key vk and an encryption of her own password to Bob. Bob chooses a hashing key, computes the projection key s_1, and sends s_1 and an encryption of his own password to Alice. Alice then does the same, choosing another hashing key,
computes a projection key, and sends the projection key s_2 as well as a signature. Since we have sent the verification key in the first message, we can generate a signature in the third message over the whole transcript of the protocol. After doing this, Alice can compute her session key as the XOR of the hash values with respect to the two hashing keys chosen by the two parties. Alice can actually do this because she knows her own hashing key, and she also knows the witness for one of the ciphertexts and the projection key from the other party. On Bob's side, Bob will first check the validity of the signature and then set the session key as the XOR of the hash values. By the correctness of the signature and the SPH, we know that the session keys computed by the two parties should be equal. The security of the protocol is actually guaranteed by the unforgeability of the signature, the security of the encryption and the smoothness of the SPH. Intuitively, if the adversary does not hold the correct password, then all the inputs that it uses to compute the hash functions will not satisfy the encryption relation, because it actually does not know the corresponding messages. So by the smoothness of the SPH, we have that the session keys computed by the two parties are actually uniformly random. So if we have an SPH from lattices, we actually have a lattice-based PAKE.
Unfortunately, it is still an open problem to instantiate SPH from lattices. In order to bypass this, Katz and Vaikuntanathan actually relaxed the definition of SPH to approximate SPH, in the sense that, when correctness holds, the hash values computed by the two parties in the two different ways are no longer equal, but they only have little differences when parsed as bit strings. This is the first property. Second, we relax the smoothness to hold only for those inputs which do not satisfy the decryption relation. By doing this, Katz and Vaikuntanathan actually managed to give a lattice-based PAKE. Let me first give a three-round PAKE from ASPH. As you can see, the first two messages of their scheme are actually the same as in the GL framework. Now the XOR of the hash values is no longer equal for the two parties, because we only have approximate correctness. However, we know that the hash values computed by the two parties only have little differences. This feature allows us to use an error-correcting code to send the final session key. Specifically, Alice first chooses a random session key sk and uses the hash value as a one-time pad key to encrypt the encoding of sk. After doing this, Bob can first compute the XOR of the hash values, which is approximately equal to the one-time key tk, and the error-correcting code allows us to remove the differences between the two values. For security, because the delta part is actually a one-time pad, it can be easily modified into another delta which corresponds to a different session key.
So we must include it in the signature to protect the integrity. The correctness of the scheme follows from the correctness of the signature, the error-correcting code and the ASPH, and the security is almost as before. This approach allows them to obtain the first PAKE protocol from lattices.

So one may wonder if we can obtain a more efficient, or two-round, PAKE protocol from lattices. Actually, it seems hard to do so by using the techniques of Katz and Vaikuntanathan. There are two main reasons. First, we can only compute the one-time key after one of the two parties has all the materials to compute the hash function. For a two-round PAKE protocol, it means that we must fix the message in a single message, the first message, which is actually impossible for the current definition of ASPH, because the projection key also depends on the ciphertext sent from the other party. So we can only do this after the second message exchange. Second, the technique of using a signature to protect the one-time pad part delta seems to be useless for a two-round PAKE protocol, because if we send the verification key and the signature in a single message, the adversary can easily replace them at the same time.

We solve this problem by introducing splittable PKE and enhancing the underlying ASPH in the following way. Informally, a splittable PKE says that the ciphertext of the encryption can be split into two parts, and they can be independently computed by using two polynomial-time functions f and g, where f is designed for realizing the functionality of encrypting the message, and the second part, g, is designed for providing the non-malleability of CCA security, which is the label. Then we can adapt the approximate SPH to this case, where the projection key only depends on the hashing key, not on the ciphertext. For the hash value, because we require that the first part
of the ciphertext already fixes the message, we can require that the hash value can be computed without using the second part of the ciphertext. The second property is that the smoothness should hold even when the input ciphertext-message pair does not satisfy the decryption relation and the second part is dependent on the projection key, which is not covered in previous definitions, because there the projection key can only be computed after the ciphertext is fixed. In our case, the projection key does not depend on the second part; this is a stronger smoothness.

Here comes our actual protocol framework. Our CRS is still a public key. To generate a session key, Alice first chooses a hashing key, computes the projection key, encrypts her password and sends the ciphertext to Bob. Bob will first choose a hashing key, compute the projection key, and compute the first part of the ciphertext of his own password. After doing this, Bob can already compute the hash values, because our hash value only depends on the first part. Then he will XOR the two hash values and choose a random session key to obtain the delta part. Finally, Bob will use all the information, in particular the delta part, as the label to generate the second part of the ciphertext, and send s_2, the ciphertext and delta to Alice. Actually, we basically use the non-malleability of CCA security to protect the delta part, because it is also used to generate the ciphertext. After receiving this, Alice can compute the hash values and recover the final session key. The correctness is guaranteed by the ECC and the ASPH, and the security is implied by the CCA security of the splittable PKE as well as the stronger smoothness of the ASPH.
So this is our two-round PAKE framework. Actually, several CCA-secure PKE schemes and ASPHs satisfy our definition and can be used to instantiate our two-round protocol. Now we show how to efficiently instantiate it from lattices. Here is the LWE problem, in two forms, and the literature shows that the LWE problem is hard under some hard lattice problems. However, if we use a trapdoor generation algorithm to generate the matrix together with a trapdoor, then we can use the trapdoor to solve the LWE instance. These are some basic facts.

Here we actually build our ASPH and PKE from the ones by Katz and Vaikuntanathan. There are two more building blocks. First, we observe that the Naor-Yung CPA-to-CCA transform actually satisfies the split property, where we can define the f part as the PKE part and the g part as the non-interactive zero-knowledge part. Second, we show a stronger smoothness lemma, which informally says that for all matrices B and an error e chosen from the Gaussian distribution, given B and e, for any unbounded function H we compute z = H(B, e) such that a·z is far from the lattice generated by B for any nonzero integer a; then the inner product of z and e is still uniformly random. We think this is very strong.

By using this, here comes our concrete construction, which is actually very simple. It consists of two LWE encryptions as well as a NIZK proof that they are encryptions of the same message w. Actually, the red one is the f part and the blue one is the g part. Decryption first verifies the proof and then decrypts the LWE instance to recover the message. This is the PKE and the ASPH of our protocol. The hashing key is simply chosen from the discrete Gaussian, and the projection key is the product of a matrix B and the hashing key x, where B is part of the public key. To compute the hash value, we first compute a_i by
this formula, where c is the ciphertext and w is our message. After this, we determine each output bit of the hash function by comparing a_i with zero. Given a projection key, for the projective hash we directly compute a_i' (the blue one) as the inner product of the projection key and the randomness of the ciphertext. Then we determine the output of the hash function in the same way as before, by comparing a_i' with zero. For correctness, for any valid ciphertext-message pair, we can see that this equation holds, which means that if we subtract this part we would get this one, and this means that a_i and a_i' are equal up to some small errors. This allows us to show the approximate correctness of our ASPH. For smoothness, because each output bit of the hash function is actually determined by the sign of a_i, it is sufficient to show that a_i is uniformly random. Actually, for any ciphertext-message pair that does not satisfy the decryption relation, we can show that the a_i defined by this formula is far from the lattice generated by B for any nonzero integer a. By our stronger smoothness lemma, this actually shows that a_i is uniformly random, which shows our smoothness.

So in summary, we give a two-round PAKE framework and an efficient instantiation from lattices. Actually, it is relatively efficient: compared to the one by Katz and Vaikuntanathan that we use to instantiate our PAKE, and to the one proposed in PKC, I think our instantiation saves about a logarithmic factor in comparison to previous schemes. Thank you for your attention.

Do we have any questions?

So you have the other construction for two-round PAKE from ASPH, right? Yes. And your instantiations from that seem to rely on the random oracle model. Yes. So could you tell something about the difficulty of realizing it from lattices without the random oracle? Yes.
Actually, it is still an open problem to construct an SPH from lattices. We actually tried to do it for several years, to solve this problem, and as many, many people in this area said, it is very hard. However, as a general result, if we have a trapdoor permutation then we have an SPH, but we still do not know how to find a trapdoor permutation from lattices. So do you have to do it from lattices? Yes. But if you use general assumptions, we have one.

Any other questions or comments? If not, then we are on time. Thank you.
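The reconciliation step the talk describes (a one-time pad built from approximately equal hash values, with an error-correcting code absorbing the mismatch, and a delta part that stays malleable unless it is bound by a signature or a CCA label) can be seen end to end in the following toy simulation. This is an added example, not code from the talk or its authors: the hash values are constructed random bit strings rather than outputs of the lattice ASPH, and the repetition code, the key length and all function names are assumptions made only to keep the example readable.

```python
"""Toy model of the ASPH reconciliation step (added example, not the talk's code).

Both parties hold hash values H_A and H_B that agree except in a few bit
positions. Alice masks the error-correcting encoding of a fresh session
key with H_A; Bob unmasks with H_B and lets the code remove the mismatch.
A repetition code stands in for whatever code a real instantiation uses.
"""
import secrets
from typing import List, Optional, Sequence

Bits = List[int]

REP = 5        # assumption: each key bit repeated 5 times, corrects <= 2 flips per block
KEY_BITS = 16  # assumption: toy session-key length; hash values are KEY_BITS * REP bits


def random_bits(n: int) -> Bits:
    return [secrets.randbits(1) for _ in range(n)]


def xor(a: Bits, b: Bits) -> Bits:
    assert len(a) == len(b), "one-time pad and codeword must have equal length"
    return [x ^ y for x, y in zip(a, b)]


def ecc_encode(key: Bits) -> Bits:
    """Repetition code: every key bit becomes a block of REP identical bits."""
    return [b for b in key for _ in range(REP)]


def ecc_decode(word: Bits) -> Bits:
    """Majority vote per block; succeeds while each block has < REP/2 flips."""
    out = []
    for i in range(0, len(word), REP):
        block = word[i:i + REP]
        out.append(1 if 2 * sum(block) > REP else 0)
    return out


def flip(bits: Bits, positions: Sequence[int]) -> Bits:
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def alice_send(h_alice: Bits, sk: Bits) -> Bits:
    """delta = ECC(sk) XOR H_A: the hash value acts as a one-time pad key."""
    return xor(ecc_encode(sk), h_alice)


def bob_recover(h_bob: Bits, delta: Bits) -> Bits:
    """delta XOR H_B = ECC(sk) XOR (H_A XOR H_B); decoding removes the small difference."""
    return ecc_decode(xor(delta, h_bob))


def run(flips_per_block: int, h_alice: Optional[Bits] = None,
        sk: Optional[Bits] = None) -> bool:
    """Simulate one exchange where H_B differs from H_A in `flips_per_block`
    positions of every code block. Returns True iff Bob recovers Alice's key."""
    if h_alice is None:
        h_alice = random_bits(KEY_BITS * REP)      # constructed stand-in for the ASPH output
    if sk is None:
        sk = random_bits(KEY_BITS)
    positions = [i * REP + j for i in range(KEY_BITS) for j in range(flips_per_block)]
    h_bob = flip(h_alice, positions)                # constructed "approximately equal" value
    return bob_recover(h_bob, alice_send(h_alice, sk)) == sk


def tampered_key(h_alice: Bits, h_bob: Bits, sk: Bits, flipped: Sequence[int]) -> Bits:
    """Shows the malleability the talk warns about: flipping bits of delta in
    transit still decodes cleanly, but to a different session key. That is
    why delta is put under the one-time signature (GL/KV) or used as the CCA
    label (the two-round protocol) rather than sent bare."""
    delta = flip(alice_send(h_alice, sk), flipped)
    return bob_recover(h_bob, delta)


if __name__ == "__main__":
    print("0 flips per block:", run(0))   # True
    print("2 flips per block:", run(2))   # True: within the code's capacity
    print("3 flips per block:", run(3))   # False: majority vote is overwhelmed
    zeros = [0] * (KEY_BITS * REP)
    print("tampered delta decodes to:", tampered_key(zeros, zeros, [0] * KEY_BITS, [0, 1, 2]))
```

The third `run` call is the failure mode worth remembering: the "little differences" guarantee of approximate correctness is exactly what fixes the code's error budget, so an instantiation must choose the code after bounding the ASPH's disagreement. The `tampered_key` call makes the malleability concrete on all-zero inputs: three flips in the first block decode to a session key whose first bit is 1, with no error reported, so integrity of delta has to come from the signature or the CCA label, not from the code.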