Hello, everyone. I'm Xiangyu Liu from Shanghai Jiao Tong University. Our paper's topic is Two-Pass Authenticated Key Exchange with Explicit Authentication and Tight Security.

Well, let's start from authenticated key exchange, or AKE for short. AKE is the most widely applied technique in public key cryptography. It's the first step for two parties to achieve secure communication in the network. Usually, AKE is an interactive protocol between two parties, P_i and P_j. After several rounds of interaction, they obtain shared session keys, K_i and K_j respectively, which are used to encrypt payload messages in the subsequent communication. Here we call a message sent from one party to the other a pass. AKE is required to have correctness and security. Correctness guarantees that P_i and P_j share the same session key after a complete execution, namely, K_i equals K_j. Security involves indistinguishability and authentication. Indistinguishability requires that the session key is pseudo-random. Authentication can be categorized into two types: explicit authentication and implicit authentication. We mainly focus on explicit authentication in this paper. It asks the AKE protocol to detect active attacks during the execution.

In provable security, we construct a cryptographic scheme based on a hard problem. Once there exists an adversary A that successfully attacks the scheme with probability epsilon, we can construct another algorithm B that uses A's ability to solve the problem with success probability epsilon prime. Here, B and A have roughly the same running time. Since we assume that the problem is hard, namely, there's no efficient algorithm to solve it, such an adversary A does not exist. We define L equals epsilon over epsilon prime as the security loss factor of the reduction. If L is a constant, then the reduction is tight. A scheme with tight security has smaller elements and universal key-length recommendations.
That's why many cryptographic schemes pursue tight security recently. Usually, AKE is deployed in the multi-user and multi-challenge setting. That is, there are mu users and each user involves at most l protocol instances. We say the adversary wins if it successfully attacks one targeted instance among all mu*l instances. Many AKE schemes have loose security, namely, a loss factor of at least mu*l. In practice, mu*l can be as large as 2^30 to 2^50. As mentioned above, tight security enjoys its own advantages. Therefore, it's important to pursue tight security for AKE.

Up to now, there are several works considering tight security of AKE. Bader et al. proposed the first tightly secure 3-pass AKE scheme in the standard model. Later, Gjøsteen and Jager proposed another 3-pass scheme with tight security in the random oracle model. Both of these schemes consider explicit authentication. As for implicit authentication, there are two works on 2-pass protocols in the random oracle model. Though these schemes can be extended to provide explicit authentication by the key confirmation method, an extra pass is needed. Explicit authentication enjoys its own advantages: once the authentication fails, the protocol execution stops and no subsequent message follows, avoiding unnecessary computation and communication. Therefore, the natural question is: can we construct 2-pass AKE schemes with explicit authentication and tight security?

Let's see why tight security for AKE is hard to achieve. We review the security model by Gjøsteen and Jager. The security is formalized by an experiment between a challenger C and an adversary A. C holds mu*l oracles, pi_1^1 to pi_mu^l. Oracle pi_i^s is formalized as user P_i's execution of its s-th protocol instance. The challenger C simulates the communication of the oracles by answering Send queries. With Send queries, A can send an arbitrary message to any oracle pi_i^s.
And pi_i^s will execute the AKE protocol according to the protocol specification. With Corrupt queries, A can corrupt a party P_i and get its long-term secret key. With Register queries, A can register a new party without public key certification. With Reveal queries, A can obtain the session key of a completed protocol instance. The security of indistinguishability is described with the help of Test queries. For a query Test(i, s), the challenger samples a random bit b_i^s and returns the session key k_i^s if b_i^s is equal to 1, and a random key otherwise. At last, A outputs b', its guess of b_{i*}^{s*} for the target session pi_{i*}^{s*} of its choice. If b' equals b_{i*}^{s*}, we say that it wins. The AKE scheme is indistinguishable if A can win the experiment with only roughly one-half probability.

Well, a natural idea for AKE is the well-known signed Diffie-Hellman protocol, as shown in this figure. Party P_i sends g^a and its signature sigma_1 in the first pass. And then party P_j responds with g^b and signature sigma_2. If the verification of the signatures passes, then both P_i and P_j can compute the session key g^{ab}. However, it's hard for the signed DH protocol to achieve tight security due to the following commitment problem. Let's consider a reduction algorithm B and a specific session pi_i^s. B receives a DDH challenge g^x, g^y, g^z. If the problem is embedded into session pi_i^s, then this session cannot be revealed. And if not, then B cannot complete the reduction if A chooses pi_i^s as its target. Therefore, B needs to guess the target session among the total mu*l sessions and embed the DDH problem into it, resulting in a security loss of at least mu*l. To deal with the commitment problem, Gjøsteen and Jager added an extra hash commitment as the first message, resulting in a three-pass protocol with tight security in the random oracle model.
Consider the following DH KEM. The public key is g^a, the ciphertext is g^b, and the encapsulated key is g^{ab}. It's easy to observe that the signed DH protocol is actually a KEM-and-SIG construction. Therefore, to achieve tight security for AKE, we need to solve the commitment problem in the KEM. More precisely, the underlying KEM requires not only that the encapsulated keys in the challenge ciphertexts should be random, but also that the challenge ciphertexts can be revealed to the adversary to get the encapsulated key. To solve the commitment problem, we define a new security notion for KEM, IND-mCPA security with adaptive reveals.

This figure shows the experiment of IND-mCPA-reveal security. In the beginning, the adversary A receives mu public keys. It's allowed to ask two kinds of queries. With Encap queries, A receives a challenge ciphertext C, along with either the encapsulated key K_0 or a random key K_1. Each Encap query is answered with an independent random bit beta. With Reveal queries, it can get the encapsulated key for an arbitrary ciphertext C', even if C' is a challenge ciphertext output by an Encap query. Therefore, the Reveal query is different from the decapsulation query. IND-mCPA-reveal security captures the pseudorandomness of unrevealed keys. Formally, suppose that A finally outputs a guess beta' for the target ciphertext (i*, C*). We define that A wins if beta' equals beta and A has not revealed (i*, C*). The KEM scheme is said to be IND-mCPA-reveal secure if A can win the experiment only with roughly one-half probability.

To deal with Corrupt queries in AKE, the underlying signature scheme is required to be MU-EUF-CMA-corrupt secure. The security experiment is shown in this figure. First, the adversary A receives mu verification keys from the challenger. Then it's allowed to ask two kinds of queries. With Sign queries, A can get a signature sigma for message m under user i. With Corrupt queries, A can get the signing key sk_i.
A wins if it finally outputs a valid forgery for a new message m* under some uncorrupted user i*. With that, the signature scheme is MU-EUF-CMA secure against adaptive corruptions if A wins only with negligible probability.

Our generic construction of two-pass AKE uses KEM and SIG as building blocks. We prove that the security of AKE can be tightly reduced to the IND-mCPA-reveal security of KEM and the MU-EUF-CMA-corrupt security of SIG. More precisely, with a tightly IND-mCPA-reveal secure KEM, the commitment problem is solved, since every challenge ciphertext can either serve as the final target of A or be revealed to A. Meanwhile, a tightly MU-EUF-CMA-corrupt secure SIG can also handle the Corrupt queries from the adversary. This figure shows our construction from KEM and SIG. We can see that all queries from A in the security experiment of AKE, including Corrupt and Reveal queries, can be handled now. And A cannot distinguish the real session key from a random key in the Test query since the KEM is IND secure.

Well, compared with multi-pass AKE, two-pass AKE is inherently open to replay attacks, as shown in this figure. When P_i sends a message to P_j, there are only two choices for P_j: compute a session key and accept, or reject. If P_j accepts, the message can always be replayed to P_j by the adversary. This replay attack does not contradict explicit authentication in the security model, since the message does originate from P_i and the session key remains pseudo-random to the adversary. However, it does exhaust the computing and memory resources of P_j and wastes bandwidth of the network. Therefore, we introduce a stronger security model for AKE. In the stronger model, if a replayed message is accepted by some user, the authentication of AKE is broken. Meanwhile, we add counters to identify the freshness of messages. As shown in this figure, each party maintains a local counter. Initiator P_i increases its counter ctr_i before it sends a message to P_j.
Responder P_j recognizes the freshness of the message by checking whether ctr_i is greater than ctr_j. To respond to a fresh message, P_j will synchronize its counter, setting ctr_j equal to ctr_i, and send the response message back. P_i then checks whether ctr_i equals ctr_j. In this way, any replay attack can be detected immediately in two-pass AKE. This is our generic construction equipped with counters. The counter method is highlighted with the gray parts. By the way, our scheme also provides perfect forward secrecy and KCI resistance.

Next, we show our two instantiations of AKE in the random oracle model and the standard model respectively.

AKE in the random oracle model. The first proposal of KEM in the random oracle model is pk = (g^{x_1}, g^{x_2}), C = g^y, and K = H(pk, C, g^{x_1 y}, g^{x_2 y}). It's derived from the twin ElGamal public key encryption, and its IND-mCPA-reveal security is based on the twin DH assumption, which in turn relies on the CDH assumption. We prove tight security by the random self-reducibility of the DH problem and prove its security against the Reveal queries by the decision oracle of twin DH. The SIG is instantiated with SIG-DDH by Gjøsteen and Jager. As a result, we obtain the first two-pass AKE scheme with explicit authentication and tight security in the random oracle model.

AKE in the standard model. The second proposal of KEM in the standard model is KEM-DDH. It's derived from the tightly IND-mCPA public key encryption scheme by Pan et al., and its security is based on the MDDH assumption. In the paper, we prove that IND-mCPA implies IND-mCPA-reveal with a tight reduction. The instantiation of SIG is SIG-MDDH by Bader et al. As a result, we obtain the first two-pass AKE scheme with explicit authentication and tight security in the standard model. The comparison of our AKE schemes with other tightly secure AKE schemes with explicit authentication is shown in this table.
You can see that the computation and communication cost is comparable to that of GJ18 or BHJ+15 in the random oracle model and the standard model respectively, while the number of passes decreases from 3 to 2. And finally, we construct the first two-pass AKE schemes with explicit authentication and tight security in both the random oracle model and the standard model.

Well, let's draw a conclusion now. Firstly, we present a stronger security model for AKE. In our stronger model, the adversary breaks authentication as long as a party accepts a replayed message. To detect replay attacks, we introduce counters for each party as its state. Secondly, we propose a generic construction of two-pass AKE from KEM and SIG schemes. We formalize a new security notion named IND-mCPA-reveal for KEM, and we show that IND-mCPA security of KEM implies IND-mCPA-reveal security. The stronger security of our two-pass AKE can be tightly reduced to the IND-mCPA-reveal security of KEM and the MU-EUF-CMA-corrupt security of SIG. Finally, we give two instantiations of tightly secure two-pass AKE. We present an instantiation of KEM and prove its tight IND-mCPA-reveal security based on the CDH assumption in the random oracle model. Together with the SIG-DDH scheme, we obtain the first practical two-pass AKE scheme with explicit authentication and tight security from the DDH assumption in the random oracle model. When instantiating KEM with KEM-DDH and SIG with SIG-MDDH, we obtain the first two-pass AKE scheme with tight security based on the MDDH assumption in the standard model. Well, that's all for my presentation. Thank you very much.
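As an added illustration of the counter mechanism described in the talk (this is not the authors' code): an honest two-pass run followed by a replay of each message, where the responder rejects a first message whose counter is not larger than its stored one and the initiator rejects a response whose counter does not equal its own. It assumes per-peer counters, uses a toy Diffie-Hellman exchange in place of the KEM, and omits the signatures so that only the freshness checks are exercised.

```python
import hashlib
import secrets
# Constructed illustration of the counter mechanism, not the authors' code.
# Toy DH over a large prime stands in for the KEM and signatures are omitted,
# so only the freshness checks are exercised; per-peer counters are assumed.
P = 2**255 - 19   # prime modulus; toy parameter, not a security recommendation
G = 2

def kdf(*parts):
    return hashlib.sha256(b"|".join(str(p).encode() for p in parts)).hexdigest()

class Party:
    def __init__(self, name):
        self.name = name
        self.ctr = {}       # counter kept for each peer (assumed layout)
        self.pending = {}   # ephemeral secrets of runs awaiting a response

    def initiate(self, peer):
        c = self.ctr.get(peer, 0) + 1       # increment before sending
        self.ctr[peer] = c
        x = secrets.randbelow(P - 2) + 1
        self.pending[peer] = x
        return {"from": self.name, "to": peer, "ctr": c, "pk": pow(G, x, P)}

    def respond(self, msg):
        """Returns (response, session key), or None if the message is stale."""
        src = msg["from"]
        if msg["ctr"] <= self.ctr.get(src, 0):   # not fresh: replay, reject
            return None
        self.ctr[src] = msg["ctr"]               # synchronize to the sender
        y = secrets.randbelow(P - 2) + 1
        key = kdf(src, self.name, msg["ctr"], pow(msg["pk"], y, P))
        resp = {"from": self.name, "to": src, "ctr": msg["ctr"], "ct": pow(G, y, P)}
        return resp, key

    def finish(self, msg):
        """Returns the session key, or None if the counter does not match."""
        src = msg["from"]
        x = self.pending.get(src)
        if x is None or msg["ctr"] != self.ctr.get(src):
            return None
        del self.pending[src]
        return kdf(self.name, src, msg["ctr"], pow(msg["ct"], x, P))

def run_and_replay():
    alice, bob = Party("alice"), Party("bob")
    m1 = alice.initiate("bob")
    m2, k_bob = bob.respond(m1)
    match = alice.finish(m2) == k_bob
    return match, bob.respond(m1), alice.finish(m2)   # both replays rejected
```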