 Hello everyone. I'll be talking about Rotatable Zero Knowledge Sets, an allocable dictionary with privacy and post-compromise security. There is joint work between Zoom and my own Microsoft Research with the full list of authors listed on the title screen. Let me begin with the motivating application, intended encrypted communication systems. The scenario is that parties wish to send messages to each other while communication must go through some central server. Intended encrypted communication systems allow parties to communicate securely without the server being able to read the messages it forwards. It's used for all sorts of messaging, such as Zoom, WhatsApp, Teams, yada, yada, yada. And the most common solution is to use public key encryption. However, to use PPA, users need to know each other's public keys. If the server were to simply host a database of public keys, that opens up the possibility of man the middle of a text where the server would respond with a compromised public key. The common solution to this is to have security codes, where users directly share a short code, for example, the hash of their public key, which can be checked manually by other users. However, this is tedious and inefficient, and so we may want to automate this process, which we can do using a key transparency system, otherwise known as an audible dictionary. In a key transparency system, the server provides a commitment to the database and a proof pie for each query that the identity public key pair returned is in fact stored in the committed database. As long as all users agree on the commitment, man the middle attacks are detectable by users checking that their own public key has been stored correctly. The database may also change over time, and we don't want users to have to check their public key stored correctly after each update. And so therefore, after every update, the key transparency system will provide a proof that nothing has been deleted or changed, which can be checked by others, not by the users themselves. Key transparency systems by default do not preserve privacy, and in fact, querying the server about Alice's public key may reveal false public key as well. However, there are privacy preserving key transparency systems out there, for example, seamless and cons. But these solutions do not satisfy public's compromise security. In fact, when the server is compromised, it is clear that the full database at that time must be leaked, but it is not necessarily the case that all new public keys added later on must also be leaked. In the existing solutions, if the server state, for say, commitment one has been leaked, then privacy is also lost for all future commitments. Our contribution is to prevent this. We provide a post-compromise secure private key transparency system, which we abstract out into a primitive we call RZKS, a Rotatable Zero Knowledge Sense. The ZK here refers to the privacy aspect, and the Rotatable here refers to the post-compromise security. Our construction will rely on a new primitive of independent interest, Rotatable Verifiable Random Functions, or RVRF. In short, an RVRF is a verifiable random function with the additional ability to update the public key. When the public key is updated, for every previously queried output, the Rotatable Verifiable Random Function provides a new output and a proof that both outputs came from the same input. Notably, the rotation proof must not leak any information about the inputs themselves. For full details, read our paper, or come to my talk, Wednesday, December 7th, at 12-3 p.m.