Okay, so welcome to the last session today. There will be two talks in this session. The first talk is on Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions, and the authors are Shuai Han, Shengli Liu and Lin Lyu. Okay, you are Ling Liu Liu, right? Shuai Han will give the talk.
Thanks to the chair. Good afternoon everyone. I'm very glad to introduce our work. The title of our work is Efficient KDM-CCA Secure Public-Key Encryption for Polynomial Functions. The authors are Shuai Han, Shengli Liu and Lin Lyu; we are from Shanghai Jiao Tong University.
We study key-dependent message security in this work. KDM security, compared with the traditional security notion, allows the adversary to access encryptions of messages which are closely dependent on the secret keys. That is, the adversary may obtain the encryption of f(SK) under the corresponding public key PK. This scenario may occur due to careless key management. For example, the backup key may be encrypted by the corresponding backup system on the disk. Another situation for key-dependent message security is by design, and it has applications in anonymous credential systems. In recent years there were many works devoted to giving counterexamples showing that traditional security notions do not imply KDM security, and to giving separations between these two security notions.
Let's briefly review public key encryption. Alice will generate a pair of public key and secret key, and given the public key, Bob will encrypt the message M and send the resulting ciphertext to Alice, and Alice can decrypt the ciphertext with her secret key. In KDM security, there will be users, and the adversary is given all the public keys. The adversary is also given an encryption oracle.
Each time, the adversary will submit a function f to some user, and the user, for example the i-th user, will encrypt f(SK_1, ..., SK_n) or encrypt a dummy message 0 under the public key PK_i and then return the challenge ciphertext to the adversary. The target of the adversary is to distinguish encryptions of key-dependent messages from encryptions of dummy messages. This defines KDM-CPA security. As for KDM-CCA security, the adversary also has access to a decryption oracle and can submit a ciphertext to some user, and the i-th user will decrypt the ciphertext with SK_i and return the decrypted message back to the adversary. This defines KDM-CCA security.
KDM security is related to a set of functions. Typical function sets include the set of selection functions, the set of affine functions and the set of polynomial functions of bounded degree d. The bottom line here is: the larger the function set F is, the stronger the KDM security is.
BHHO proposed the first KDM-CPA secure PKE scheme in the standard model in 2008. However, their ciphertext is not compact. It consists of group elements whose number is linear in the security parameter L. SCPS also proposed KDM-CPA secure PKE for affine functions, and the ciphertexts are compact. MTY provides KDM-CPA secure PKE for polynomial functions, and their ciphertext consists of O(d) group elements. For KDM-CCA secure PKE, there are a few efficient constructions. Hofheinz presented the first efficient KDM-CCA secure PKE with compact ciphertexts. However, the function set only consists of selection functions. Recently, in 2015, LLJ proposed the first KDM-CCA secure PKE for affine functions. However, we point out that the security proof of their scheme is flawed. We will explain this later.
In this work, we work on the design of KDM-CCA secure PKE schemes. We give the first efficient KDM-CCA secure PKE for affine functions with compact ciphertexts.
The ciphertext consists of only a constant number of group elements, and our scheme is very efficient. It is free of NIZK and free of pairing. We then extend our technique and for the first time construct an efficient KDM-CCA secure PKE for polynomial functions. The ciphertext is almost compact.
Let's first review the LLJ scheme. The LLJ scheme was claimed to be KDM-CCA secure for affine functions. An essential building block called authenticated encryption, or AE-bar, is employed in their construction. The KDM-CCA security of the LLJ scheme heavily relies on the so-called INT-F-affine-RKA security of the AE-bar. However, the INT-F-affine-RKA security proof of LLJ's AE-bar does not go through to the DDH assumption smoothly. LLJ's AE-bar can be regarded as ElGamal type. In order to reduce the INT-F-RKA security to the DDH assumption, we need to construct a DDH problem solver who is given a DDH tuple or a random tuple and simulates the INT-F-RKA security game for the adversary of AE-bar. Finally, the adversary of AE-bar will output a forgery. However, the DDH problem solver, who does not have a trapdoor, is not able to convert the forgery from the adversary to a decision bit efficiently. The failure of the INT-F-RKA security of LLJ's AE-bar in turn affects the KDM-CCA security of the LLJ scheme.
Then we show our approach to KDM-CCA secure PKE by introducing a new primitive called authenticated encryption with auxiliary inputs. A possible solution is to construct a new AE with a sound INT-F-RKA security, and we build such a new AE, called AIAE, following the Kurosawa-Desmedt type. However, a new problem arises. The secret key of our AIAE consists of four elements, and an affine function of K is too complicated to prove the INT-F-RKA security. Our solution is to introduce a new primitive called authenticated encryption with auxiliary inputs. It generalizes traditional authenticated encryption in two aspects. The first difference is that AIAE must support auxiliary inputs.
In order to encrypt a message M, Bob needs to pick an auxiliary input aux and send both the ciphertext and the auxiliary input to Alice. With the auxiliary input, Alice can encrypt the ciphertext with her secret key. The second difference is that we introduce a new security notion for AIAE called weak INT-F-RKA security. It has an additional special rule for checking the forgery. In the security game defining weak INT-F-RKA security, the adversary can submit a function f, a message M and an auxiliary input aux to a user, and the user will encrypt the message M with auxiliary input aux under the related key f(K) and send the ciphertext back to the adversary. Finally, the adversary will output a forgery that consists of a function f*, a ciphertext AIAE.ct* and aux*. The adversary succeeds if the decryption of AIAE.ct* with auxiliary input aux under f*(K) does not fail, and the forgery must satisfy the special rule.
Then we prove the weak INT-F-RKA security of our AIAE with respect to a smaller function set called the restricted function set. The weak INT-F-RKA security of our AIAE can be reduced to the DDH assumption smoothly because the DDH problem solver can sample the trapdoor itself and turn the forgery from the adversary of AIAE into a decision bit efficiently.
Then we show our method to construct KDM-CCA secure PKE for affine functions. We stress that our AIAE only achieves a very weak INT-F-RKA security for small function sets, so we cannot apply LLJ's method to construct KDM-CCA secure PKE for affine functions. Alternatively, we develop a new approach and build our PKE from three building blocks: a key encapsulation mechanism KEM, a public key encryption scheme E and our AIAE. The encryption algorithm of our scheme is shown here.
The KEM will encapsulate a key K for AIAE, and the resulting encapsulation KEM.ct will serve as the auxiliary input for AIAE, and the encryption of M using the encryption algorithm of E will serve as an input for AIAE, and AIAE will use the key encapsulated by KEM to encrypt the ciphertext of E with the auxiliary input as KEM.ct. The decryption algorithm is symmetric. The KEM will decrypt the ciphertext to recover the encapsulated key K, and with the key K, AIAE can decrypt AIAE.ct to recover E.ct, and finally the message M can be recovered.
We show the high-level proof idea about how to prove our KDM-CCA security for affine functions. We will divide the secret key SK into two independent parts: the blue part, SK modulo N, and the gray part, SK modulo 501. First, we will use the secret key SK instead of PK to answer the encryption queries made by the adversary. Then, we will change the encryption algorithm of E to E-bar under the DCR assumption such that the encryption algorithm of E-bar can behave like an entropy filter for affine functions, such that the blue part SK modulo N is reserved. That means the ciphertext E.ct only contains information about SK modulo 501. We also change the encryption algorithm of KEM to KEM-bar under the DCR assumption. We express the encapsulated key K as a restricted affine function of a fixed base key K*. In KEM.ct, the blue part SK modulo N will protect the base key K*. Our goal is to ensure that the blue part is not used elsewhere, so it can protect the base key K* in KEM.ct perfectly.
We turn to the decryption oracle to make sure it does not use the blue part. First, the decryption of KEM is changed to KEM-tilde, which rejects the decryption query if the computation of K involves the blue part. By the weak INT-RKA security of our AIAE, we can show this change is computationally indistinguishable. Then we change the decryption algorithm of E to E-bar, and it will reject the decryption query if the computation of M involves the blue part.
And thanks to the authentication functionality of our building block E, we can show this change is also computationally indistinguishable. So now the decryption oracle does not use the blue part SK modulo N anymore. Then we go back to the encryption oracle and express K as a restricted function of an independent base key K*-bar. Since the blue part is not involved in the encryption algorithm of E and the decryption oracle, in KEM.ct the base key K* can be perfectly hidden by SK modulo N. Finally, we change AIAE.ct to an encryption of a dummy message 0 instead of E.ct. Because K is a restricted function of K*-bar, which is independent of other parts of the game, by the IND-RKA security of our AIAE, this change is also computationally indistinguishable. Now the advantage of the adversary is 0; this shows the KDM-CCA security of our scheme for affine functions.
Then we show how to extend our technique and build KDM-CCA secure PKE for polynomial functions. We design a new building block E which serves as an entropy filter for polynomial functions. That means, through some computationally indistinguishable change, the blue part can be reserved by the encryption of E. Thanks to our approach, we only need to design a new E, and the other two building blocks, KEM and AIAE, do not need to change. As an example, we show how to design E for this monomial. So I skip this part and just show the general E. We show how to design a general E for polynomial functions. A polynomial function f in SK consists of the sum of many terms. For each monomial, say, the encryption algorithm will create a pair of tables and a corresponding way. The products of this way are used to hide the message in E. Under the DCR assumption, the encryption algorithm of E is changed to E-tilde such that each way is multiplied with an additional term. The additional term is T to the minus of this monomial.
Consequently, in the calculation of E, the products of these additional terms will eliminate the message T to the f(SK) completely. Therefore, E behaves like an entropy filter for polynomial functions because the entropy of SK modulo N is reserved.
So this concludes our work. In this work, we propose a new approach for constructing KDM-CCA secure PKE from three building blocks: KEM, E and a new primitive called AIAE. By designing specific building blocks, we construct efficient KDM-CCA secure PKE for affine functions and for polynomial functions. The ciphertexts of our schemes are compact. Thanks for your attention.
Okay, thank you. Is there any question or comment for the authors? No question. Let's thank the speaker again.