Alright, so hello everyone, I'm Rufian Yang, and today I'm going to talk about how to define and construct public key encryption schemes with bi-selective opening security. This is based on a joint work with Jun Zuo-Lai, Zheng An-Huo, and Jiang Wen.
So a PKE scheme contains three algorithms, namely the key generation algorithm, which produces a pair of public key and secret key, the encryption algorithm, which encrypts a message with the public key, and the decryption algorithm, which decrypts a ciphertext with the secret key. Its correctness requires that the decryption algorithm can always recover the correct message from an honestly generated ciphertext, and its security requires that the adversary cannot learn anything from the ciphertext. This can be defined by requiring a simulator that simulates the view of the adversary without seeing anything.
So in practice, PKE schemes are already applied in a multi-user setting. That is, there are many senders and receivers, and each receiver has its own public key and secret key. A sender sends messages to a receiver by using the receiver's public key to encrypt the message. So in this setting, it's common that some users are corrupted. In this case, it seems infeasible to protect messages that are sent by a corrupted sender and the messages received by a corrupted receiver. However, we still hope to protect messages that are transmitted between uncorrupted users, especially in the case that the corrupted messages and the uncorrupted messages are related.
So in the literature, we have formally studied sender selective opening security, where only senders can be corrupted, and receiver selective opening security, where only the receivers can be corrupted. However, we have not formally defined or constructed PKE schemes with bi-selective opening security, where both the senders and the receivers may be corrupted. So in this work, we formally study bi-selective opening security for PKE schemes. Our results include four parts.
First, we give a formal definition of bi-selective opening security for PKE schemes. Then we construct PKE schemes with bi-selective opening security in the random oracle model. We also consider a weaker notion of bi-selective opening security and construct PKE schemes with this weaker guarantee in the plain model.
So let's start with our definition. So in the definition, the adversary is given a set of public keys in the beginning, then it specifies a message distribution, then it will receive challenge ciphertexts that encrypt messages sampled from this distribution, then the adversary will choose senders and receivers to corrupt. For each corrupted sender, it will receive the message sent by the sender and the randomness used to encrypt the message. And for each corrupted receiver, the adversary will obtain the message received by the receiver and the receiver's secret key. After seeing the opening information, the adversary will output something. The security requires that the adversary's output can be simulated by a simulator that only sees the corrupted messages. We can also define chosen-ciphertext security in this setting, and in this case, the adversary is further given a decryption oracle that decrypts the ciphertexts submitted by the adversary.
So next we will see how to construct PKE schemes with bi-selective opening security. So the construction is built on a secure key encapsulation mechanism and a hash function modeled as a random oracle. The public key and secret key of the PKE scheme is just the public key and secret key of the KEM scheme. And to encrypt a message, the encryption algorithm first runs the encapsulation algorithm of the KEM scheme, and then uses the hash of the encapsulated key to mask the message.
To see why the scheme has bi-selective opening security, we recall that the adversary will receive a public key in the beginning, then it specifies a message distribution, then it will receive a set of challenge ciphertexts, and then it chooses some senders and receivers to corrupt and receives their internal states. Finally, it outputs something. To simulate the adversary's output, the simulator will invoke the adversary as a subroutine and simulate its view in the real world. So in more detail, the simulator will first send a public key to the adversary, and then it outputs the message distribution specified by the adversary. Then it sends challenge ciphertexts to the adversary, and corrupts the users specified by the adversary. Then on receiving the corrupted messages, the simulator sends the corrupted messages and the internal states of the corrupted users to the adversary. Finally, it outputs what the adversary outputs.
So in this case, the simulator does not see the messages when generating the challenge ciphertexts, so it has to cheat here. In more detail, the simulator will first run the encapsulation algorithm of the KEM scheme honestly to generate the first part of the ciphertext, but it samples the second part of the ciphertext uniformly at random. This is indistinguishable from honestly generated challenge ciphertexts due to the security of the KEM scheme and the fact that the random oracle will output a random value on an input that has not been queried before. Then in the opening phase, the simulator will send the correct internal states of the senders and receivers. That is, for each corrupted sender, it will send the randomness used in the encapsulation of the KEM scheme to the adversary, and for each corrupted receiver, it will send the correct secret key of the receiver to the adversary. It should also program the random oracle to make the opening and the challenge ciphertext compatible. That's why the scheme has bi-selective opening security. We can also achieve chosen-ciphertext security by slightly modifying the basic construction.
Please see our full paper for more details. The above construction is constructed in the random oracle model. We can also construct PKE schemes with bi-selective opening security in the plain model, but we can only achieve weaker security.
So let's start with the definition of the weak security. In this security definition, the adversary has to choose if it hopes to launch a sender selective opening attack or a receiver selective opening attack after seeing the public keys, then it has to follow its selection. The security still requires that the adversary's output can be simulated by a simulator that only sees the corrupted messages. And we can also define chosen-ciphertext security in this case. This security definition is weaker than the standard bi-selective opening security, but it's still strictly stronger than the sender selective opening security and the receiver selective opening security. In addition, it implies the requirement that a PKE scheme has both the sender selective opening security and the receiver selective opening security. And it seems that our new definition is stronger than this requirement, since in our definition, the adversary can choose the attack type after seeing the public keys, but in the requirement of both securities, the adversary has to choose the attack type before seeing anything.
So we finally show how to construct PKE schemes with weak bi-selective opening security in the plain model. The construction relies on a new primitive called key-equivocable hash proof system. Recall that a hash proof system considers a set X and a subset L of X. Both the set X and the subset L are efficiently sampleable. And if one samples an element from the subset L, it can also get a witness showing that the sampled element is actually in L. The hardness requires that an element sampled from the subset L is indistinguishable from an element sampled from X. Also, the hash proof system contains three algorithms. The key generation algorithm generates the secret key and public key of the hash proof system.
The secret evaluation algorithm evaluates a function on an input x in the set X with the secret key. And if the input x is sampled from the subset L, the same function can be evaluated by using only the public key and the witness for the input x. Its correctness requires that for any input x in the subset L, the output of the secret evaluation algorithm and that of the public evaluation algorithm should be identical. Also, its security requires that, fixing an input not in L, if one performs the secret evaluation algorithm on this input with a random secret key associated with a public key, the output should be uniform even given the public key.
With all this, we can define the key-equivocable hash proof system by further defining k subsets in the set X minus L. Here, for simplicity, we consider the case that k equals 1, and this is enough to construct a PKE scheme with weak bi-selective opening security in the case that each public key is only used to encrypt one challenge message. The hardness now requires that an element sampled from the subset R1 should be indistinguishable from an element sampled from L and an element sampled from X. We also need a new algorithm to resample a new secret key hsk' from an old secret key hsk and additionally some trapdoor information. And the new secret key and old secret key should be associated with the same public key. Also, we require that if one performs the secret evaluation algorithm on an input x in R1 with the old secret key, then the output should be uniform even given the new secret key.
So, we next see how to construct PKE schemes with weak bi-selective opening security from the key-equivocable hash proof system. The public key and secret key of the PKE scheme is just the public key and secret key of the hash proof system. The ciphertext of the PKE scheme contains an element from the set X and a string in the range of the evaluation algorithm of the hash proof system. To encrypt message 0, the encryption algorithm just outputs a random ciphertext in the ciphertext space.
And to encrypt message 1, the encryption algorithm samples an element from the subset L and performs the public evaluation algorithm on the input. Then to decrypt a ciphertext CT equals (x, K), the decryption algorithm performs the secret evaluation algorithm on x and outputs 1 if and only if the result equals K.
So, next we will see why the scheme is secure. Recall that we consider the case that each public key is used only once. Also the adversary is allowed to corrupt either senders or receivers but never both. Okay, so again, the simulator will invoke the adversary as a subroutine and simulate its view in the real world. In more detail, the simulator will send a public key to the adversary in the beginning, then it will output the message distribution and the attack type output by the adversary. Then it sends challenge ciphertexts to the adversary and corrupts the users specified by the adversary. Then on receiving the corrupted messages, the simulator sends the corrupted messages to the adversary, and finally it outputs what the adversary outputs.
So, in this case the simulator still doesn't know the challenge messages when generating the challenge ciphertexts, so it has to cheat here. Fortunately, the adversary is allowed to corrupt senders or receivers but never both. So the simulator can use different strategies to generate the ill-formed challenge ciphertexts in different cases. So in more detail, if the adversary chooses to corrupt senders, then the simulator will always send an encryption of 1 to the adversary no matter what the real message is. This is indistinguishable from an honestly generated challenge ciphertext due to the hardness and the security of the hash proof system. Then in the opening phase it will send the correct randomness to the adversary if the message is 1, but it will send the ciphertext itself to the adversary if the message is 0.
So on the other hand, if the adversary chooses to corrupt receivers, then the simulator will sample an element from the subset R1 and perform the secret evaluation algorithm on the input for each challenge ciphertext. Then in the opening phase it sends the correct secret key to the adversary if the message is 1, and if the message is 0 it will resample a new secret key and send the new secret key to the adversary. So the ill-formed challenge ciphertexts and the secret keys sent to the adversary are indistinguishable from the honestly generated challenge ciphertexts and the correct secret keys due to the new hardness requirement and the key equivocability property of the hash proof system. That's why the scheme is secure against a weak bi-selective opening attacker. We can also support multiple messages and chosen-ciphertext security if we slightly modify the basic construction and the definition of the key-equivocable hash proof system.
Finally we will see how to instantiate the key-equivocable hash proof system from the DDH assumption. In this instantiation we consider a group G with generators g1, g2 and g3. The set X is just three-dimensional vectors over the group G, and the subset L contains three-dimensional vectors with the same discrete log. Also, the subset R1 contains elements of the form (g1^w, g2^w', g3^w), where w and w' are distinct. So the hardness comes from the DDH assumption directly. Also, the secret key of the hash proof system contains a three-dimensional vector (s1, s2, s3) in Z_q, and the public key is g1^s1 times g2^s2 times g3^s3. Then, given an input x equals (x1, x2, x3), the secret evaluation algorithm outputs x1^s1 times x2^s2 times x3^s3. And the public evaluation algorithm outputs hpk^w. The instantiation is similar to previous instantiations of the hash proof system. So the correctness and security can be shown in a similar way.
Next, given an old secret key (s1, s2, s3), to sample a new secret key (s1', s2', s3'), the secret key resampling algorithm sets s1' to be s1, and it samples s2' uniformly at random. Then, it computes s3' to make the new secret key and old secret key associated with the same public key. So, recall that if one uses the old secret key to perform the secret evaluation algorithm on an input x in the subset R1, then it will get hpk^w times g2^(s2 times (w' minus w)). Also, note that s2 is hidden even given the new secret key. So, the output of the secret evaluation algorithm should be uniform given the new secret key, and the key equivocability follows. So, that's our DDH-based instantiation. We also give a DCR-based instantiation in the full paper.
To summarize, in this work, we formally initiate the study of bi-selective opening attacks on PKE schemes. We give different definitions to capture the attack in different settings and construct PKE schemes with different security guarantees from different assumptions. Technically, we present a new primitive called key-equivocable hash proof system, which may find further applications. Okay, that's all, thanks for your attention.
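
The DDH-based hash proof system and its key resampling step described in the talk, as an added Python example that is not the speakers' code. The group parameters are toy values constructed for illustration, all function names are hypothetical, and the trapdoor is assumed to be the discrete log t of g2 to base g3, which the talk only refers to as trapdoor information.

```python
import secrets

# Toy group, constructed for illustration: safe prime P = 2Q + 1, Q prime.
P, Q = 2039, 1019
G1 = 4  # a square mod P, so it generates the subgroup of order Q

def rand_exp():
    """Uniform nonzero exponent modulo Q."""
    return 1 + secrets.randbelow(Q - 1)

def setup():
    """Return generators (g1, g2, g3) and the assumed trapdoor t with g2 = g3^t."""
    g3, t = pow(G1, rand_exp(), P), rand_exp()
    return (G1, pow(g3, t, P), g3), t

def priv_eval(sk, x):
    """Secret evaluation: x1^s1 * x2^s2 * x3^s3."""
    return pow(x[0], sk[0], P) * pow(x[1], sk[1], P) * pow(x[2], sk[2], P) % P

def keygen(gens):
    """hsk = (s1, s2, s3); hpk = g1^s1 * g2^s2 * g3^s3 (priv_eval on the generators)."""
    sk = tuple(secrets.randbelow(Q) for _ in range(3))
    return sk, priv_eval(sk, gens)

def pub_eval(hpk, w):
    """Public evaluation with witness w: hpk^w."""
    return pow(hpk, w, P)

def sample_L(gens):
    """Element (g1^w, g2^w, g3^w) of L together with its witness w."""
    w = rand_exp()
    return tuple(pow(g, w, P) for g in gens), w

def sample_R1(gens):
    """Element (g1^w, g2^w', g3^w) of R1 with w != w'."""
    w, w2 = rand_exp(), rand_exp()
    while w2 == w:
        w2 = rand_exp()
    return (pow(gens[0], w, P), pow(gens[1], w2, P), pow(gens[2], w, P)), (w, w2)

def resample(sk, t):
    """Keep s1, pick a fresh s2' (forced != s2 for the demo), solve s3' so hpk is unchanged."""
    s1, s2, s3 = sk
    s2n = secrets.randbelow(Q)
    while s2n == s2:
        s2n = secrets.randbelow(Q)
    return (s1, s2n, (s3 + t * (s2 - s2n)) % Q)
```

On elements of L the old and resampled keys agree, while on an element of R1 they differ by the factor g2^((s2 - s2')(w' - w)), which is what lets the simulator hand out a resampled key when the opened message is 0.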