Our next talk will be about Identity-Based Encryption Resilient to Continual Auxiliary Leakage, by Tsz Hon Yuen, Sherman Chow, Ye Zhang and Siu Ming Yiu, and Tsz Hon will give the talk.

... Resilient to Continual Auxiliary Leakage, and this is joint work with Sherman Chow, who is also here today, and Ye Zhang and Siu Ming Yiu. In this presentation, I'll first talk about the problem that we tackled. Then, before we present our actual construction, we start with identity-based encryption with auxiliary inputs, using our techniques. And then finally, we will go to the continual auxiliary leakage model.

First, the central notion of modern cryptography relies on the secrecy of the secret key. However, in practice, this paradigm is subject to threats from side-channel attacks like power analysis. Because such an attack tries to leak the secret key, it breaks the notion of security in most cryptographic systems. So leakage-resilient cryptography was introduced to provide some formal guarantees even when the secret key leaks. In this talk, we only consider memory leakage. In these models, the adversary is allowed to specify an efficiently computable leakage function F, such that the adversary can obtain the output of F applied to the secrets. This aims to model all the possible leakage in practice, including those side-channel attacks.

A major open problem in this field was discussed here at Eurocrypt a few years ago, and it asks to allow for continuous unbounded leakage without additionally restricting its type. So there are two different main categories here, and there have been lots of follow-up works in these few years. There is a line of research on the second one, which is the second restriction, on the types of leakage that are allowed. First, the model restricts the output of the leakage function to fewer than L bits, where L is usually strictly smaller than the size of the secret key.
So the leakage function cannot directly leak the secret key. Later on, there was an improvement where the leakage function is only allowed to lower the entropy of the secret key by less than L bits. To sum up, L is considered as a fraction of the key, either in terms of bit size or of entropy. Next, we have the bounded retrieval model proposed in 2010. They allow the leakage to still be L, but L is now considered as a system parameter. So the size of the secret key will increase with L; however, L does not affect the public key size, the communication, and the computation complexity. In these models, we hope that the attack is detected and stopped before leaking L bits. But this may not be good enough, because it is quite difficult to stop the leakage after L bits have been obtained.

Therefore, the auxiliary input model was proposed in 2010. In this model, we consider any leakage function F that no polynomial-time adversary can invert. For example, a one-way permutation is a kind of leakage function that is allowed in the auxiliary input model: no polynomial-time adversary can invert the permutation. But this one-way permutation is not allowed in the previous relative leakage model, because it leaks the whole secret key information-theoretically. And of course, we have the first public key encryption scheme with auxiliary input, proposed in 2010.

Both this auxiliary input model and the relative leakage model bound the leakage throughout the entire lifetime of the secret key. So this only answers half of the open question that I talked about before. The second half of the open question is about continual leakage. It means that the user will continually update or refresh his secret key, and the adversary is allowed to obtain leakage in each period of time. Leakage between updates is still bounded.
But overall, in the long run, the amount of leakage is unbounded. There are quite a lot of different schemes in this model: signatures, identification, public key encryption, and so on.

In this paper, we consider identity-based encryption with auxiliary inputs. This is because IBE has found many applications, like anonymous IBE, chosen-ciphertext security of public key encryption from IBE, and so on. And IBE in the auxiliary input model provides leakage resilience under composition with those ID-based systems: as long as those systems are secure in the standard no-leakage model, we can always model those other ID-based schemes as some sort of leakage of the secret key. Another advantage of the auxiliary input model in IBE is that it gives a clean definition, which means that we are free from numeric bounds such as the number of bits that can be leaked from the master secret key.

Compared with the current papers on continual-leakage-resilient IBE, those papers only model IBE that considers leakage of the current secret key for a given time period only. In other words, after a user has computed a new secret key for the next time period, the leakage from the key update query is the last chance for the adversary to get it. It implies that all secret keys should be securely erased. However, with such frequent secure erasure, it is less disastrous to have memory leakage, and this greatly diminishes the benefit offered by the formal leakage-resilience guarantees. Therefore, in this paper, we want to tackle the problem of allowing for continuous unbounded leakage without additionally restricting the type of leakage. There are quite a few papers that work on either PKE or IBE, but they cannot tackle this problem completely. Our first contribution is to propose such a continual auxiliary leakage model.
We think we provide a minimal restriction: no polynomial-time algorithm can use the leaked information to output a valid ID-based secret key. In this model, the adversary can leak from all refreshed master secret keys as well as the ID-based secret keys. So this model is a cleaner security model, because there are no version numbers of the secret key, compared with the previous models. And it may be the ultimate model for IBE.

Before we go to this continual auxiliary leakage model, we first give the first IBE that is secure in the presence of auxiliary input only. We provide adaptive security in the standard model. Our scheme is based on static assumptions, with a moderate cost in terms of ciphertext size and computation complexity. These nice features are inherited from some previous schemes. Like those previous schemes in the auxiliary input model, we are based on the GL theorem. The original GL theorem is defined over the field GF(2): given an uninvertible function h, the value h(x) for a secret x, and a uniformly random number y, the inner product of x and y in GF(2) is a pseudorandom number. The modified GL theorem is that if one can distinguish the inner product from the uniform distribution, then we can find a PPT algorithm that inverts the function h.

So we want to build an auxiliary-input-secure IBE. We start with an auxiliary-input-secure PKE. In the PKE, we have a λ-bit number used as the secret key. In this model, we allow leaking an uninvertible function of the secret key. In this scheme, the inner product of the secret key and the randomness of the ciphertext hides the message, based on the modified GL theorem. If there is a distinguisher that can distinguish between two messages, then there exists an inverter that can invert the function in polynomial time. However, this is a contradiction to the definition, because the leakage function should be uninvertible.
However, we cannot directly apply this PKE and turn it into an IBE, because an ID-based secret key has a certain structure. First, it is not a uniformly random λ-bit number. Second, the secret random factors hidden in the ID-based secret key are not chosen from a small domain; if they were just chosen from a small domain, it would lead to a brute-force attack. Next, we try to combine a leakage-resilient IBE with the auxiliary-input-secure PKE. But this is not straightforward either, because in the leakage-resilient IBE, we leak the semi-functional keys in the simulation. A semi-functional key is produced from a real key by M binding factors from a set P, where P is of size 2^λ. Since P is quite large, by the modified GL theorem the inverter is inefficient, and therefore we cannot give the correct security proof. In our paper, we give some countermeasures for those problems. Note that these countermeasures only appear in the security proof, not in the real scheme.

Then we talk about the security model. The security model is quite similar to the normal adaptive-ID secure model for chosen-plaintext attacks on IBE. The difference is that we have an additional leakage oracle, which takes as input a function F in the leakage function family 𝓕, and returns the function applied on the master secret key as well as the ID-based secret keys. We do not allow any leakage oracle queries after the challenge phase. We define the family of leakage functions 𝓕 as follows: given the master public key, the challenge ID, the leakage output, and a set of secret keys from the key extraction oracle, no PPT algorithm can output the secret key of the challenge ID. What is the difference between our model and the length-bounded leakage model for IBE? We combine the two separate leakage oracles from the previous length-bounded leakage model.
We allow leakage from the master secret key as well as the ID-based secret key at the same time. We model it in this way because they may share the same randomness. Moreover, we do not need to store the amount of leakage for the master secret key and the ID-based secret key, so we don't need a set of handles of keys as in previous papers.

This is the roadmap of our construction. We construct our scheme following some previous works. First, it follows the LW adaptive-ID IBE. They use the dual system encryption technique for the security proof, which instantiates the BB-IBE in a composite-order group. In that paper, the dual system is used for adaptive-ID security. Then we also use the CDRW-IBE. In that paper, single-user secret key leakage is done through a single tag. Later on, the LRW-IBE uses multiple tags for more leakage, and the ID-based keys for undetermined IDs are referred to the master secret key. We try to use those techniques in this paper to construct our scheme. We use the multi-tag idea at the user key level, and then we do it again at the master key level.

But how do we get both leakage resilience and adaptive-ID security? The answer is that we know how to fake everything by the dual system method, because we can use the dual system to construct some fake secret keys and we can leak them. But we should be careful that such leakage does not spoil the faking. This works because the correlation between the semi-functional objects is information-theoretically hidden by the definition of our leakage, because the leakage per key is suitably bounded. We have some further design constraints. First, by the modified GL theorem, we should only use a small binding factor in the semi-functional keys. Second, we rely on an information-theoretic argument when the key is extracted.
So we extend the one-equation, two-unknowns argument in the LW-IBE to 3M equations in 3M+2 unknowns in our security proof. When the secret key is leaked, an uninvertible function of the key can be created from an uninvertible function of those binding factors. And an inner product equal to 0 in the modified GL theorem implies that the exponent in the subgroup is equal to 0, so it can be used to simulate the semi-functional keys.

Our next contribution in this paper is to construct the first hierarchical IBE with auxiliary inputs and, of course, the first IBE in the continual auxiliary leakage model. We also extend our basic scheme to support leakage of the randomness during setup; in that scheme, we use a lattice-based assumption in our pairing-based construction.

Then we propose the continual auxiliary leakage model. First, the setup is split into the common reference string generation and the master key generation algorithm. Compared with the model I talked about previously, we add two additional oracles, called update master key and update user secret key. These two oracles are provided to the adversary as well in the security game. We change the definition of the leakage function family as well. In the original model, the leakage function only applies on the master secret key as well as the IBE secret key. Now in our continual auxiliary leakage model, we allow leakage of a list of master secret keys and a list of IBE secret keys, and those lists contain all the keys that were ever produced. Additionally, our model can be modified to allow leakage during setup as well.

For the construction, it is relatively similar to our basic scheme without continual leakage. We just add a re-randomization component in the ciphertext as well as in the secret keys. If we want to extend our scheme to a hierarchical IBE, we just change the structure of the components related to the identity.
Finally, we give our extension to support leakage during the setup phase. In this setup, we have a matrix V used as randomness, and some bits α_j also used as randomness. We define q as the product of those matrix entries raised to the power α. So the master secret key is a pairing of these numbers. And we have an anchor piece of them in the scheme. By this matrix-type construction, we need to use the lattice-based assumption, and as a result, we need that assumption in our security proof. Of course, our public parameters will now be of size O(λ), where λ is the security parameter.

So this is the end of my presentation. We would like to thank Alfred and Jonathan for the helpful comments. This is the summary of our paper. We can see that our scheme provides more tolerance to leakage. Of course, the complexity is slightly higher than the previous paper in TCC 2011, but we think it is still not too complex, and we think it allows more leakage. That's the end of our presentation, and questions are welcome.
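The Goldreich-Levin step that the talk leans on, written out as an added illustration; this is not part of the talk or of the paper's text. The symbols x, h, y, λ and the set P follow the talk, while the distinguisher D, the inverter 𝒜, the advantage ε and the one-bit masking form of the ciphertext are notation chosen here to make the reduction explicit:

```latex
% Goldreich-Levin over GF(2), as stated in the talk: x is the secret, y the randomness.
x \xleftarrow{\$} \{0,1\}^{\lambda},\qquad y \xleftarrow{\$} \{0,1\}^{\lambda},\qquad
\langle x, y\rangle \;=\; \bigoplus_{i=1}^{\lambda} x_i\, y_i

% If no PPT algorithm inverts h, the inner product is pseudorandom given h(x) and y.
\bigl(h(x),\; y,\; \langle x, y\rangle\bigr) \;\approx_c\; \bigl(h(x),\; y,\; U_1\bigr)

% Modified GL (the contrapositive the security proofs use): a distinguisher yields an inverter.
\exists\,\text{PPT } D:\;
\Bigl|\Pr[D(h(x), y, \langle x,y\rangle)=1] - \Pr[D(h(x), y, U_1)=1]\Bigr| \;\ge\; \varepsilon
\;\Longrightarrow\;
\exists\,\text{PPT } \mathcal{A}:\; \Pr[\mathcal{A}(h(x)) = x]\ \text{non-negligible}

% Auxiliary-input PKE idea from the talk: the message bit is masked by the inner product of the
% secret key and the ciphertext randomness; the leakage f(sk) is tolerated because f is uninvertible.
% (The one-bit XOR form is an assumption here; the talk's scheme carries the same inner product
% in a group exponent.)
c \;=\; m \oplus \langle \mathit{sk},\, y\rangle

% Reduction: an adversary telling m_0 from m_1 given (pk, f(sk), y, c) distinguishes
% <sk, y> from U_1, hence by modified GL inverts f, contradicting the choice of f in the family.
```

Two points the talk makes follow directly from this statement. First, the inverter 𝒜 obtained from the modified GL theorem has running time that grows with the size of the domain the inner product ranges over; with binding factors drawn from a set P of size 2^λ, as in the semi-functional keys of the dual-system simulation, that inverter is no longer efficient, which is why the talk insists on a small binding factor. Second, the "3M equations in 3M+2 unknowns" argument is ordinary linear algebra: 3M linear constraints over 3M+2 unknowns leave a two-dimensional solution space, so the leaked values do not pin down the correlation between the semi-functional components, which is the information-theoretic hiding the talk relies on.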