So our next talk is "Efficient IBE with Tight Reduction to Standard Assumption in the Multi-challenge Setting", and the speaker is Junqing Gong.

Okay, good afternoon. My talk is about how to construct efficient IBE with tight reduction to standard assumption in the multi-challenge setting. The title is somewhat too long, so I will first explain some terms in the title.

So the first is identity-based encryption. It is an encryption system with an authority which publishes a master public key and issues the secret key for every user. In order to encrypt a message, the user needs to know the master public key and the user ID. So in such a system, we want to resist the kind of adversary which holds the master public key and can reveal some of the keys from the users. So here is the formal definition. There are two query phases which allow the adversary to ask for some secret keys, and there is another challenge phase which allows the adversary to touch the ciphertext.

And the second term is tight reduction. In order to prove security of an IBE scheme, we always want to construct a solver for the hard problem from an adversary against the IBE scheme. But the reduction may have some loss. So here is a large adversary and this is a small one, which in this way is stronger. And so the title means a smaller reduction loss, which means some better theoretical results and may have some positive impact on the implementation.

So this one is our main topic, how to extend to the multi-challenge setting. So the concept is quite easy. It is basically just what we have reviewed, which is always called the single-challenge setting, plus enhancements. So the first is we allow multiple challenge queries, so the adversary is allowed to touch more than one challenge ciphertext. Another is we allow multiple instances, so it attacks more than one IBE instance at the same time. So here is a picture showing it. There are many query phases and challenge phases, interleaved.
So the good news is that an IBE scheme which is secure in the single-challenge setting is also provably secure in the multi-challenge setting, where we just use a standard hybrid argument. But the bad news is this trivial implication is not tightness preserving. So if we have a tightly secure IBE scheme in the single-challenge setting, its trivial extension is not tight. So maybe we need to do some more work to deal with this problem.

So we talk about our motivation. Currently we have several schemes. The first two are in the single-challenge model and there are four in the multi-challenge model. So we focus on these four, and the last three are constructed using the more efficient prime-order bilinear group. But in the last two dimensions, the scheme based on the standard assumption is not quite efficient, but the two efficient ones need a somewhat stronger assumption. So here it seems to be a trade-off. So we asked a question: can we find a scheme with short ciphertext under the standard assumption?

So our strategy is an observation that the current schemes in the multi-challenge world are extended from this paper, Chen and Wee at Crypto '13. And another observation is that a recent paper proposed an almost tightly secure IBE which is more efficient than their work. So why not start from this one? And is it possible, and will the resulting scheme be more efficient?

So we first review their work. They actually propose a framework which transforms an affine MAC to an IBE relying on a proof system. So we just see one of the concrete schemes which are tightly secure. The secret key consists of a MAC tag for the ID and the X, and this one, X, is the secret key for the MAC, which is committed to in the master public key like that. So another part of the secret key is a proof showing that this is a legal tag. So although they use the dual system technique, there is a problem. So the normal and the semi-functional space are not quite obvious.
And so we don't know how to employ existing extension methods to extend this scheme to the multi-challenge setting.

So our first work is to revisit the BKP IBE scheme in order to give a clean one and something we can work on. So the clue is in the proof. So the first step of the proof is to transform the ciphertext into this form, which attaches something here using the k-linear assumption. And the other step is a simple substitution which changes the proof part of the secret key into this form, in which there's no Y. So there is an observation which is using the proof. There's no Y here, and so Z and X are in two independent spaces. We want to say it's not quite formal, we just see it, okay. So we can consider Z is in the normal space and X in the semi-functional space.

So keeping it in mind, we can rewrite their scheme like that. So first we do not consider this as a MAC, just to forget the generic transformation. So this is the randomness, and we write the other two parts together to remove the Y and put the Z and X in it. And we know Z and X are independent and this is invertible, so we can sample this directly using a W. So we actually define the Z and X. So finally we can reach such a form, which is maybe quite simple. At least it's simple for me to work on.

So we give a picture like that. I guess this picture has appeared in yesterday's invited talk by Hoeteck. So actually it is quite similar to CGW, this paper, which was published in Eurocrypt. So we want to say, is it just a simple, no. Actually someone asked me why BKP's is better than CW. I just told him it is a new scheme, so nothing I can tell. But actually with this similarity we can say something more. So the first thing we can notice is that the secret key is much simpler because we do not need a parameter-hiding property here. And the second thing is the matrix here is smaller, because they actually use a more powerful tool to realize the nested-hiding indistinguishability. So they just needed to hide K unit entries here.
So at least we can give two more reasons for that question.

So the discussion above is not quite formal. So we want to have some formal things. So we have this system, the dual system group, which describes the normal space and semi-functional space in a quite formal form. And we know that CW13 is extended from CW14. They are similar. So they have some results like that. So we found our simplified BKP is also similar to an instantiation of the dual system group. So can we put this in the framework of this concept? So quite fortunately we can do that with some simple generalization. So we first generalize the nested dual system group and realize it, which is motivated by BKP14 and the CW15. So we realize it using the prime-order group. So this implies an IBE which is exactly the simplified BKP we have shown before. So we have the first result.

We thought we can go on to extend this one to the multi-challenge setting. So here we have a new starting point instead of this one. So we also ask this question: is it possible to extend this simplified BKP to the multi-challenge setting? And will it be more efficient? Actually with our work, it's quite simple to extend. We use these two papers, the technique in these two papers, which includes the dimension extension. So we extended from k+1 to 3k. And the second part is defined by these four, three spaces, which are the normal space, the hat semi-functional space and the tilde semi-functional space. So given this space and this space, we just reveal part of the entropy of W and we use the leftover entropy in W to prove the nested-hiding property here. So that's the point. And so you can see that our extension is quite simple and actually just follows the previous technique.

So why is the resulting system more efficient? So here's the picture. Actually these two parts are really enlarged. They become 3k-dimension vectors. But these two parts remain unchanged.
Even the matrix A and the matrix B become larger. So that is the reason. So in the previous extension, both parts will be extended.

So formally we do the following things. We start from our first technical result. First we use our PKC paper to extend it to a generalized extended nested dual system group, which may support the proof in the multi-challenge setting. And we extended the prime-order extension to this one using this paper. And it realizes this extended nested dual system group. And together we've got our main construction. So this is the big picture we now have.

So we give a comparison and discussion. So this paper gives a construction which is the best in all four dimensions. And maybe we start here. So actually they just approved from the standard assumption and actually the ciphertext has the same length. So it may be not quite interesting if we just do this work for these reasons. So we give a more concrete comparison. Why do we need to pursue a scheme under the standard assumption? Because we can set K to be one, which is maybe a strong assumption, but which will lead to a real improvement. So this is, this need a element, a element and then we need only four elements. And when we compare to these two schemes in the single-challenge model, you can see that we actually pay one group element to achieve this much stronger model.

So we summarize our work. Our work is in two steps. The first step is to revisit the BKP, the BKP IBE, which actually provides a new instantiation of the generalized nested dual group system, a dual system group. And we can compare these two schemes in a clearer way. And then the second step is to extend the simplified version to the multi-challenge setting, which achieves the short ciphertext, and also actually other aspects of the performance, under the standard assumption. So this leads to the most efficient concrete constructions. And additionally, we actually consider the weak anonymous features.
So we don't, we won't cover it in this talk. Okay, that's all, thank you.

Any questions or comments?

Does your result naturally lead to HIBEs too?

No, no HIBE.

What's gonna be the major obstacle when you want to do HIBE with multi-challenge ciphertext?

So you talk about the BKP HIBE, did their proof maybe have some flaws?

Can you say it again?

Their proof has some flaws.

But in general, what's the difficulty in making it work?

We actually did not consider this problem. And tightness is more considered in the setting of IBEs. So the tight security in the HIBE is also a big problem. So it's maybe far from considered in the multi-instance setting or something.

Okay, thank you. Any other questions or comments? No, let's thank Junqing again.