Hello everyone, I'm Qiqi Lai. The title of our paper is Rate-1 KDM Security via Reusable Homomorphic Extractor. This is a joint work with Feng-Hao and Zhedong. When considering security for encryption schemes, we always assume that the messages are independent of the secret key. In this case, even if the message M is chosen by the adversary, he can still get no information on M from the corresponding ciphertext. However, in some situations, the plaintext messages depend on the secret key. In this special case, the previous semantic security seems to be insufficient to provide security. To solve this security issue, the notion of KDM security has been proposed. And the relationship between the message and the secret key can be generally described by a certain function class F from the secret key space to the message space. In this case, the query from the adversary is modeled as a function f, and the answer from the challenger is the ciphertext of f(sk). Formally, KDM security can be described by a security game between the challenger and the adversary in the following way. At the beginning, the challenger first chooses a random bit, and then sends the master public key to the adversary. Then the adversary can conduct key extraction and KDM queries. During this process, the challenger answers KDM queries according to the previously chosen b. Finally, the adversary responds with a bit b'. We say that the adversary wins the game if b equals b'. In particular, the KDM queries are formed by functions from the KDM challenge function class, and if b equals 1, the challenger returns the encryptions of functions of the secret key. Otherwise, the challenger returns the encryptions of 0. In this formal definition, the class of functions F chosen by the adversary is an important parameter of KDM security, which is called the KDM challenge function class. Clearly, a larger challenge function class means a stronger ability of the adversary.
And we have tried to enlarge the KDM function class from a secure function to affine functions, and then to projection functions and general bounded-size circuits. Besides, there is also another important parameter, the number n-bar of different public keys in the security game. In a more general case, we call this KDM n-bar security. There exist many PKE or IBE schemes that are KDM-secure with respect to different KDM challenge function classes and different n-bar of public keys. In particular, all those schemes are based on various assumptions such as DDH, DCR, QR, LWE, LPN or CDH. However, all those existing schemes have a common drawback. Their information rates are quite small, so our main question in this paper is how to construct a KDM n-bar secure PKE with optimal information rate. And the main result of this paper consists of KDM-1 secure PKE with optimal information rate, KDM n-bar secure PKE with optimal information rate for unbounded polynomial n-bar, and KDM n-bar secure IBE with optimal information rate for unbounded polynomial n-bar. In addition, the above PKE or IBE is also leakage resilient with optimal leakage rate against block leakage functions. Here, I focus on the first result and the others can be viewed as its extensions. In order to describe our technique in a clearer way, we adopted the following framework view. First, this paper tells us that homomorphic weak HPS implies KDM-1 security. Second, Brakerski et al.'s paper tells us that batch encryption plus all operations implies KDM-1 plus under leakage resilience. However, the parameters in those two papers are a little bit restricted, so we try to improve the prior results in the following three aspects. First, achieving optimal information rate. Second, set unbounded polynomial n-bar. Third, generalize the result to the IBE setting. Inspired by the two papers, we consider whether we can get a much better KDM-secure construction from weak HPS with additional structure plus homomorphic extractor.
Of course, before this, we should introduce the building blocks, weak HPS and the homomorphic extractor. A weak hash proof system consists of four algorithms. The first one is the setup algorithm, which outputs a pair (pk, sk). The second one is a valid encapsulation algorithm, which outputs a valid ciphertext CT and its encapsulation key. The third one is the invalid encapsulation algorithm, which outputs an invalid ciphertext CT*. The fourth one is that of decapsulating the ciphertext using the secret key. Similarly, the required weak HPS should satisfy the following three properties. The first one is correctness. It specifies that the encapsulation key from the valid encapsulation algorithm should be equivalent to that of the decapsulation algorithm. The second one is ciphertext indistinguishability. It specifies that even given the secret key, the adversary still cannot distinguish the valid ciphertext from the corresponding invalid one. The third one is an information-theoretic property. In particular, it specifies that given the public key and the invalid ciphertext CT*, the remaining entropy of K' is still larger than W. Additionally, we still need the following useful structure of weak HPS. First, the secret key is a vector from Z_B^n. Second, given vector K', the invalid ciphertext CT* can be simulated physically. Third, the decapsulation of an invalid ciphertext CT* using the secret key vector x equals vector x plus vector K', where vector K' is related to the invalid ciphertext CT*. Besides the weak HPS, we also need to introduce the homomorphic extractor as a building block. Before this, we review the definition of a plain randomness extractor. Generally, an efficiently computable function Ext from X times S to Y is called an extractor if the output of Ext(r, s) is statistically close to uniform. Here, the source s should have enough conditional min-entropy.
And homomorphic extractor with respect to a function class H means that for any function small h in class big H, it holds that the output of extractor times hs equals extractor h' xs. Here, h' is an invertible function and efficiently computable given the corresponding function h. With the above two building blocks, we can describe our basic scheme in the following way. First, the KeyGen algorithm runs the setup algorithm of weak HPS and outputs the corresponding (pk, sk). Second, the encryption algorithm runs the valid encapsulation algorithm of weak HPS to get a valid ciphertext CT and its encapsulation key vector k, and then computes the ciphertext in this way. Now, we analyze the KDM security of the above construction. For secret key vector x and the KDM query function h from the secret key space to the message space, it holds that the original KDM ciphertext is indistinguishable from the below random ciphertext through using the properties and additional structure of weak HPS. So, we get a conclusion. We indeed can prove the security for just one KDM ciphertext. Clearly, from weak HPS and homomorphic extractor, a restricted KDM-1 secure scheme can be constructed. However, it seems that the above proof technique can only support one KDM query, as its indistinguishability relates to the entropy of the secret key and we cannot ensure enough entropy for more than one KDM ciphertext. So, we need to conquer the dilemma of how to argue the normal KDM security for the above basic construction. Here, we need to introduce and leverage the correlated-source security of the extractor. Next, let me first introduce the definition of this required property and then see how to employ it to achieve KDM security. More formally, we say that an extractor satisfies correlated-source security with respect to a function class F if, for any function f_i in big class F, the outputs of the extractor are statistically close to uniform.
Even if the source of the extractor has been applied many different functions from f_1 to f_q, where q is an unbounded polynomial in the security parameter. With this correlated-source security, and observing the structure of our KDM ciphertext, we notice that if we treat vector x plus vector t_i' as a shift function of vector x, and the used extractor indeed satisfies correlated-source security with respect to shift functions, then this KDM ciphertext should be indistinguishable from the below random ciphertext. Clearly, we succeed in bypassing the above dilemma for the restricted KDM security through using the correlated-source security of the extractor. Back to the high-level building blocks, we can see it more clearly. In particular, by leveraging the correlated-source security of the extractor, we can achieve the normal KDM-1 security. Furthermore, we need to consider how to instantiate those required building blocks. First, we find that batch encryption already implies a weak HPS with three useful additional structures. Second, the required extractor can be constructed from DDH or LWE. And now, we have obtained a KDM-secure PKE scheme from weak HPS and extractor. However, it is still far away from our desired target, optimal information rate. So, let's consider how to improve the information rate through further using the reusable property and the block source setting. First, let us analyze the information rate of our already obtained KDM scheme. In particular, for such a ciphertext, we need to consider how to test it. Its information rate is the length of mu over the length of the whole ciphertext. Clearly, this rate is equivalent to order one over the security parameter. Here, we use W to denote the output length of the extractor. That's the relationship among the sizes. Next, I first describe the reusable property of the extractor and show how to enlarge the information rate from it. Generally, the reusable property of the extractor means that one source can be repeatedly used for many randomness r_i, for i chosen from 1 to t.
Even in this case, the outputs of the extractor are still indistinguishable from uniform. Through using the reusable version of the extractor, the ciphertext can be rewritten as this one. In this case, the information rate is approaching 1 over R over W plus 1 for sufficiently large T. Thus, the information rate in this case is about 1 over constant, which is much better than the above 1 over lambda, but still far away from the optimal 1. Furthermore, we notice that if we replace the above reusable extractor with one in the block source setting, we can encrypt many more plaintexts in one extractor. Here, the extractor in the block source setting means that one copy of the extractor can be repeatedly used for different blocks of the secret key. And secret key BK consists of a different wire key is used as a block source in the computation of the extractor. In this case, we notice that the information rate becomes WDT over the whole size of the ciphertext, which is approaching WD over R plus WD. And this rate becomes optimal if D is large enough such that size R equals small-o of WD. Up until now, we finally get KDM-1 security with optimal information rate. In fact, we almost obtain our desired KDM-secure PKE scheme, except for two important parameters for KDM security, the KDM challenge function class and the number of different pairs of public keys. Next, we first focus on the challenge function class and then consider the number n-bar. In particular, from the several types of different styles of the above analysis, we can easily know its information rate and KDM function classes. The first function class is affine functions from Z_B^n to the message space M. The second function class is generalized affine functions from Z_B^n to the message space M^t. In fact, affine functions are generally enough, since they can be amplified to any bounded-size circuit through using garbled circuits. However, when achieving the optimal information rate, we have to set the secret key in block setting.
And in this case, the function class is the block affine functions from Z_B^(n' × d) to M^(t × d), where n equals n' times d. Clearly, the block affine function is weaker than the regular affine function. So, we need to consider whether it is possible to further amplify the block affine function class just as done for the regular affine function. Next, we consider how to amplify the block affine challenge function in the case of optimal information rate. Before this, the most widely used amplification approach is due to Applebaum's work in Eurocrypt 2011. It should be significant and instructive to review Applebaum's approach and its essential idea. The advantage of Applebaum's approach is that of achieving KDM security for any bounded-size circuit. However, its disadvantage is that of leading to a serious loss in information rate. So, it seems that we cannot apply Applebaum's approach directly. This is because the block affine function is weaker than the regular affine function, and directly use the view effect that you familiar with of our KDM-secure scheme. So, next, we need to consider the further questions. First, how to amplify block affine functions, and how to achieve optimal information rate. How to bypass this obstacle is our next focus. But, luckily, after analyzing Applebaum's work more deeply, we find his essential idea is to encode the labels of the garbled circuit into the message space, and our schemes satisfy this property. Moreover, we find that due to the special structure of our message space, we can adjust parameters to offset the loss caused by the encoding of garbled circuits in the encrypted message. So, for our KDM-secure PKE, we can amplify our block affine function in a preferred way. For many more details, please see our paper. Now, after putting all the above things together, we get KDM-1 secure PKE for any bounded-size circuit with optimal information rate.
Besides, all the used building blocks can be instantiated from DDH or LWE, and the detailed randomness extractor is also very interesting and can be found in our paper. Here, we have completed our first result. We can achieve KDM-1 secure PKE with optimal information rate. Next, we consider how to enlarge the number of different public keys. In order to do this, we roughly adopted the following three aspects. Introduce the notion of BE-based PKE and its useful property. Second, establish a security reduction between KDM-1 security and KDM n-bar security with respect to block affine functions. Third, instantiate BE with reusable property from DDH or LWE. Up until now, we have achieved our second result, KDM n-bar secure PKE with information rate. And the detailed construction can be found in our paper. Finally, we consider how to generalize our above results to the IBE setting. In order to do this, we roughly adopted the following four steps. First, introduce a DIN structure for IBE-based weak HPS. Second, introduce the new concept of on-the-fly KDM security for PKE. Third, introduce a new compiler from KDM PKE to KDM IBE. Fourth, set a particular KDM challenge function class for IBE such that the information rate is optimal. The detailed construction can also be found in our paper. Thank you for your attention.