 And I'm going to talk about self-correcting run oracles and these are cryptographic applications. This is joint work with Alex Russell, Marty Young, and Hong Sun Zhou. Actually, we are now in a crypto crisis. Not only we need to worry about quantum computers, we also need to worry about big brothers. And the concept of kleptography was invented 20 years ago that has not been taken so seriously. Suddenly, this gentleman tells the world kleptography can actually be true. And in the Snowden Revolution, actually, he demonstrated a real-world example that a subverted implementation can actually generate subliminal channel to break the security of the underlying crypto primitive, even if the underlying crypto primitive is provably secure. So after the Snowden Revolution, communities start to react, and several lines of very interesting works significantly advance the status of ours for defending mechanisms. The first line, starting with BPR-14, let's focus on the deterministic algorithm because bias randomness use the malicious implementation. And also another line of interesting work suggesting a model that assumes trusted rerandomizer in the reverse firewall model so that they can achieve interesting feasibility results. Yet we want more. We want more crypto functionalities, crypto properties, and with less trust. So we also start developing another line of work we call kleptography, which means clipping the power of kleptographic attacks. So in this model, we insist that every functional component can be subverted by the adversary. So last year in Azure Crypt, we show how to mitigate such subliminal channel using, by formalizing nothing on my sleeve, conventional wisdom for PRG and digital signature. And for semantic security, we propose a general tool to destroy subliminal channel by using a fine-grained modular design principle which will be presented in the coming success. So this leads us to a natural next question. Can we actually generally correct adversarial random sources or random oracles? So in this work, we start exploring how to self-correct random oracles. What do we mean by this? We start with our hash specification. For example, shy 256, which can be modeled as a random oracle. Then a malicious implementation will disagree with the specification for a negligible fraction of inputs. Now next we want to correct the back. So the target will still be usable as a random oracle. The point here is that we only want to use a fixed number of public randomness. So the model in a bit more detail that a random oracle is drawn, then malicious implementation will be generated and supplied to the challenger. So here the malicious implementation only disagrees with a negligible fraction of inputs. Then the challenger, the good guy, gonna wrap around the bad implementation using only public randomness, then reveal the public randomness. Then the adversary can do the regular query and try to distinguish. The high level idea is that as long as the adversary has not explicitly learned our value of the certain input, it will still look uniform to the adversary, even conditioned on all the previous transcript. So this brings us the close attention to a seminal oracle self-correcting programs which due to Bloom-Luby and Rubinfield back to the 90s, that in their setting there's a specification and then a buggy implementation might be wrong at negligible fraction of inputs, then they won't correct the whole program to be correct at every point with overwhelming probability. Essentially our problem can be viewed as a distributional version of the self-correcting program by using only public randomness. So I give a quite intuitive construction but the special care is needed that if we disperse the point to a large subset of independent points, if the number is not big enough, we can actually show an explicit attack. The analysis is actually quite involved. It's not something you want to hear now in the RAM session, but it's due to the two facts that the malicious implementation actually can adapt to the query run oracles so it makes the condition very hard. On the other hand, the malicious implementation can do rejection sampling so that trying to bias the final distribution. And with the strong machinery at hand, we can show a bunch of interesting applications to defend against the big brother. And as a summary, the cryptography in the post-Snowden era is important and challenging to call for a community-wise effort. An interesting next step might be join us at the coming CSS for a three-hour tutorial. Thanks.