 Hello everyone. Today I'm going to talk about oblivious message retrieval. It's a joint work with Iran trauma. Let's first talk about motivation. For anonymous message delivery systems, the sender wants to send some pillows that can be text messages or coin transfers to some central database. In applications like cryptocurrency, it's realized by a person board and in apps like signal is a central server. Then the recipients want to retrieve the messages addressed to them. There have been lots of work studying about sending privacy and bulletin board privacy, but how about recipient privacy? How can a recipient retrieve that person messages without leaking identity or metadata? Naively, the recipient can simply download the whole database and then distilled themselves locally, but this can be too expensive in both bandwidth and computation. Alternatively, we can introduce a third party which we call a detector. The detector will hold the board and help the recipient distill the board and collect some digest and send back to the recipients that contain the person messages. There have been two recent works. The first one is for the message detection. It provides decoy based privacy. Therefore, it has relatively weak privacy guarantee and also the computation and communication cost are both dependent on the privacy it provides. The second work is called private signaling. It has two constructions, but both of them have slightly strong environmental assumptions. The first one assumes trusted hardware like Intel SGX. The second one assumes two communicating but not including servers. In generality, we want to achieve oblivious message detection and the end oblivious message retrieval. For detection, only the indices will be sent back to the recipients. For retrieval, the payloads will be sent back to the recipients. The first goal is that we want the detector to learn nothing about a recipient. It doesn't learn which messages are pertinent and which messages are not. It also doesn't learn who is doing the retrieval with what keys. The second goal is that we want the digest size to be much smaller than the bullet size. Ideally, it should only be proportional to the number of pertinent messages. Our solution is clue based detection retrieval. We can hold some secret keys and use the secret keys to generate some public keys that contain clue key and detection key. The sender will use the clue key to generate some clue and put it together with a payload to the bulletin board. And then the recipient will send the detection key to the detector. The detector will have the board, then use the clues, payloads, and the detection keys to accumulate some digest and send this digest back to the recipient. The recipient will then process and get the plan text payloads. Our result is that we have constructed OMR and OMT. Our approach is based on fully homomorphic encryption based on standard ring out the B assumption together with some coding techniques like sparse randomly in your code. We have also applied some application driven optimizations like the hybrid use of BFE and PVW encryption, and also BFE circuit and error optimization, etc. We have fully implemented and benchmarked our constructions using seal and policy libraries. For security, our constructions are fully private, and we have also observed that the private prior schemes are vulnerable to attacks of envisioned applications like the service attacks and key linkability attacks. We define the stronger notions of security and achieve them to against those attacks. Let's take a look at the performance. You may be wondering whether the use of FHG is practical. As you can see it concretely is quite practical. It costs roughly $1 per meter message scan based on our benchmark using Google Cloud instances. Asymptotically, our constructions are also the best for a large amount of messages. And furthermore, we have the fastest detection even compared to MPC and SGX based solutions. Lastly, as a bonus, we have a new let's harness contracture about LWB based encryption. This is needed just for DOS resistance, but it seems critically different from the standard LWB assumptions. If you are interested in our work, you're very welcome to watch our full talk. Thank you all very much for listening.