 I'm Shen Liu from Shanghai Jiao Tong University. This is joint work with Shuai Han, Lin Lv, and Da Wugu. In this talk, I will introduce public encryption and its tightly resilient multi-challenged security. Then I will introduce a new concept, namely quasi-adaptive hash proceeding and define two new properties for this hash proceeding. Then I will show generic construction of public encryption from quasi-adaptive hash proceeding and show how to achieve tight, leakage, resilient, multi-challenged CCA security. I also give some installations of quasi-adaptive hash proceeding and can lose the talk. Now, a public key encryption scheme consists of three algorithms, key generation, encryption, and decryption. While it happens that under the same public key, there might be a lot of self-attacks. For example, if a server may receive a lot of self-attacks added for him sent by the client, so how to protect the message hidden in the huge amount of self-attacks? So for public encryption, we define the traditional standard of seclusion is CCA security. So it is indistinguishable security against the chosen self-attacks attack. It is characterized by a security game played by a challenger and an adversary. For the adversary, it knows the public key. It has access to multiple access to encryption oracle and decryption oracle. For encryption oracle, it will output a sequence of challenger self-attacks. And for the decryption oracle, it will do decryption services for the adversary, but it reveals to decrypt the challenger self-attacks. The CCA security requires that the sequence of a challenger self-attacks, it should be hard for the adversary to tell whether the challenger self-attacks are the encryption of the left messages or the encryption of the right message. Even the two sequences of messages are chosen by the adversary. CCA security, usually, is done by a security reduction. If there's an adversary A, breaks the CCA security game, then we construct another algorithm, a PPT algorithm B, which saw a hard problem. This is usually shown that the security reduction usually up-bonded by a security loss factor L times the advantage of B. And the security loss factor, if it is a constant or at least linear to the security parameter, then we call it a tight security reduction. With a tight security reduction, it is desirable because we can avoid security arguments at impulse into the publicist game. So we can make it more efficient. That's why we focus on tight security reduction. It's well known that the single challenger CCA security implies multiple challenger CCA security by simple hybrid arguments. We can prove this security reduction. And the security reduction parameter is Q, where Q is a number of the challenger CCA attacks, or the number of the increment query made by the adversary. This security reduction is not a tight one. Recently, there's a lot of work focusing on how to achieve multi-challenged CCA security. Most of them use two approaches. One approach is to make use of a non-interactive zero-knowledge proof system. And the other use variants of harsh proceeding. On the other hand, we can also adapt the multi-challenged CCA security into a liquid resilient setting. It deals with the adversary who can implement such a channel attack. In that case, the adversary may know some information about the secret key. So to model that, we allow the adversary to query a liquid oracle. And the oracle will reveal some information of the secret key to the adversary. Of course, we have assumption that the total amount of liquid is bounded. So it is a liquid bounded model. So in this way, we can define a liquid resilient multi-challenged CCA security notion. Up to now, there's only one work that achieves efficient and tightly liquid resilient multi-challenged CCA security public encryption. That is done by RB, ETL, in 2013. It makes use of a non-interactive zero-knowledge system to achieve with attached security. But the size of the public key and several types of overhead is very large. So in this work, we will try to solve the problem in another way and the resulting more efficient public key encryption. So in our approach, the building, the technical building block is quasi-adaptive harsh-proceeding. So for such a harsh-proceeding, it defines a harsh function over set X. And the harsh function is indexed by the secret key, SK. And on the other hand, it is associated with a collection of languages. Remember that for the traditional harsh-proceeding introduced by Kramshup, for each harsh-proceeding, it is associated with a fixed language. But now, we are associated with a collection of language. And we can project the secret key into different languages. As a result, we have a collection of production keys. And each production key depends on the languages. That's why we call our harsh-proceeding quasi-adaptive. Similarly, for each instant in the set X, we can evaluate the harsh value with the secret key. But if the instance in the language LI, for any language LI, we can evaluate the harsh value by the projection key on the language, together with the witness of the instance. So there are two modes to evaluate the harsh value if the instance in the language, as in L0, L1, L2. Now, we define such a harsh-proceeding with two new properties. And the properties are parameterized statistical property. The first one is L0, L1, universal property. It's said that given that two projection keys are language 0, L0, and L1, for any instance that not in the language 0 and L1, then the harsh value is uniformly distributed. So what does it mean? It means if the secret key is uniformly distributed, so it has a full entropy. So given two projection keys on two languages, then we have a security loss. However, the remaining entropy in the secret key will guarantee that the harsh value of X is uniformly distributed, as long as the instance is chosen neither in language L0, nor in L1. So this is a universal property. So another property is L0, L1, case-reaching property. Or it says that given two public projection keys on language L0 and L1, it is statistically close to two projection keys on the language L0, L1, but with two independent secret keys. More precisely, if the secret key is uniformly distributed, we can compute the two projection keys. But we can always replace the two projection keys to another one, another two. Another two, each of them is protected from an independent secret key, so two independent. So one secret key is replaced to two independent secret keys. Another important property is L0 multi-directing properties. It said when the secret key is uniformly distributed for several instances randomly chosen from language L0, then the harsh values of those instances are still random. We can always extend the two properties for quasi-adaptive harsh of precetium into leakage-resilient sightings. That means if the two properties, universal and case-reaching, is also held in the presence of a key leakage, then we call the two properties a leakage-resilient universal and a leakage-resilient case-reaching. And then the harsh of precetium becomes a leakage-resilient one. Now we are ready to show our construction of public encryption from quasi-adaptive harsh of precetium. It makes use of three quadratic adaptive harsh of precetium. So the secret key consists of the three keys. So three harsh of precetium has three keys. And the public key of the PKE consists of the three projection keys of the three secret keys. And all the projection keys are of the same language L. Now let's see how to encrypt a message M. To encrypt a message M, first we run them into the instance from language L. Then we compute the three harsh values because we have three harsh precetiums. The first harsh value is used to hide the message. So we compute D. D is the first harsh value plus M message. And then we prove that this is a separate value. We compute the second harsh value on the third harsh value. And we add them together. And the value is funded to approve pi. So the separate tax is instance X, D, and pi. To decrypt a separate tax, a separate tax is X, D, pi. And we can always use the three secret keys for the three harsh proof precetiums to compute three harsh values. One harsh value to re-encumber the message. And the other two harsh value to add them up, gets the value to check whether it is equal to the proof of pi in the separate tax. If it is, then we output the message. Otherwise, we take it as an invalid one and reject it. So the correctness is also followed from the correctness of the three harsh proof precetiums. Now, let's see how to achieve a tight, multi-talented CCA security. Remember that in our CCA security game, the adversary has, he can see the public key. He has the medical queries on encryption oracle and decryption oracle. So now let's, to prove, the proof procedure is five steps. The first step is that we make a change in the encryption oracle. Instead of evaluating the harsh value, the three harsh values, we may encrypt the three harsh values. We do not use the public evaluation mode by the project key. Now we use the secret key to compute the three harsh values. So it's always OK, because the instances are chosen from language L. So they are equivalent. The second step is also a change in the encryption oracle. Now, we change the language in the encryption oracle from language L to another language L0. So that means when we generate the challenge of subtext, we choose instance X, not from L, but from another language L0. This is also OK, because of a subset membership problem. The third step is we do a change in the decryption oracle. For the decryption oracle, when we decrypt the subtext, which is x d pi, we will check the instance X. If it is not in the language L, we reject it immediately. And we will show this change is indistinguishable, because of a rejection lemma. This lemma, we will be justified later. Now we skip it, because it's too complicated. OK, now. So in encryption oracle, only work on language L0. The decryption oracle only work on language L. OK. So the behavior of the two oracles, in fact, can be categorized by the projection keys on language L0 and L. Now we can use the LL0 keys meeting property of the first hash procedure. That means the two projection keys and the same secret key can be replaced by two projection keys, but with two different independent secret keys. So we change the secret key working on language L0 in the encryption oracle, in the encryption oracle. Change it into a totally new secret key. OK, now the encryption oracle use a new key that is different from the secret key in the public key, different from the key used in the decryption oracle. So this new key is used to compute the hash value, which is hide the messages in the server text. Now according to the L0 multi-extracting property of the first hash procedure, all the hash values are pseudo-random. We can replace them into truly-random values. If they are truly-random values, then they are perfectly hide all the plain text. Then the server tag, then we are done. The CCA security, we are done. But we are almost done because we skip an important lemma, which is redacted lemma. So we go back to step three. In step three, we see that if, for decryption, given a server text, if the instance in the server text is not belong to the language L, we reject it immediately. Now we show that if X does not belong to language L, then this equation, the checking equation, will not hold. So this is a redacted lemma. So we define the event by bad. We will show that bad happens hardly. So with the probability that bad happens is negligible. So this is our goal. Now let's see, in step three, we see in-cryptin article only work on language L0. Decryptin article only work on language L. So all the behavior are characterized by the projection keys on L0 and on L. Then according to the LL0 universal property of the second hash procedure, then for any instance that is not in the L0 language, then this hash value will be uniformly distributed. So this equation will not hold. The bad will not happen. So we can always put X from L0 in this condition and when we check the bad, only this condition is satisfied. Can we check a bad? In that case, when we check a bad, we also use projection keys on L0. So decryptin article will check bad. The three parts, the three places only use projection keys on language L and L0. Now according to LL0 key switching property of the second and the third hash procedure, we can always change the case now. We change the case that appears in L0. Now we only change the case for the second and the third hash procedure. The original one is SK hat SK tilde. Now the new one is SK tilde prime. So for language L0, we replace with two new secret keys. OK, now let's see. Now in decryptin article, we have a new case, old case. But the new case, old case, they are all projected on L0 or L. So according, again, we can use. So now we can partition the instance in decryptin article when generating the challenge of self-tax. For all the challenge of self-tax, all the instances now, originally they are from L0. Now we partition it into two languages. So half of them will come from L0, and the other half will come from L1, according to the serial number of the challenge of self-tax. If there are four challenge of self-tax, we will choose the first one, first two instances from L0, and the other two instances from L1. In that case, in decryptin article, the new secret key are projected now, not only in unlanguage L0, but also on L1. Now we can use L0, L1, universal property of the second hash procedure and put a condition in check or bid. Only x belong to the union of L0 and L1 do we check a bid. And this is next. Let's see. All the projection case are working on L0 and L1. Now we can use the key switching property. We can put one case into two case for the third hash procedure. Similarly, we now repartition all the instances in the decryptin article. We partition the instance according to the second bid of the serial number of the challenge of self-tax. In that case, all the new case now are projected in L0 and L1. Now we use the key switching property again. Then two new case becomes four case. We carry it on and on. Then four becomes eight, eight becomes 11. Then after log Q steps, Q is the number of the challenge of self-tax, then we will fully randomize all the secret keys used in the third hash procedure. And when we check a bid, we all reuse the newly secret key. And those key only use once there. So with different input, this will be randomly distributed. So bad will never happen. Then we have finished the rejection lemma. Now let's have a quick conclusion. The summary of the proof will be used as universal under case switching property. And then we only use log Q steps. So we only use log Q subset memory problem. That's why we can achieve a tight secret reduction. But if we can use the liquid resilient universal or case switching, then our proof can become liquid resilient. The multi-challenged security is also tight. The initiation can be as a hash procedure can be instantiated from a symmetric powering group. We skip it here, and let's go to the conclusion. We introduce the concept of quasi-adaptly hash procedure, which generalization of hash procedure introduced by Krem and Schrupp. We define two new properties, and we also gave a modular construction of public encryption from this new hash code setting. And the efficient initiation of a symmetric group shows that our scheme is very efficient. So the public key only have four elements, and the self-adaptly overhead only seven elements. And the other problem is symmetricity problem. So this is by far the most efficient public encryption. Thank you. We have time for a question, and if there is none, then let's thank the speaker again.