 Today, we'd like to talk to you about Cecily Procure Anglisher without buying maps in the traditional model. This is joint work with Keisuke Tanaka and Ryo Nishimaki. First, we show our presentation. First, we introduce Procure Anglisher and its definition. Second, we show receipt of the function and we will pick up the water's encryption scheme. Based on this scheme, we propose our scheme. Second, we show our main idea and propose scheme. First, we introduce Procure Anglisher. We consider the setting or male fighting setting. The setting is a public anglisher setting that is as and both have own public and secret keys respectively. In this setting, as gets the sacrifice from somebody. And as thinks that, as modifies this male to both, as modifies the function or male fighting. As simple as that. First, as decrypt this separate text into a message. Second, as encrypt this message into a separate text. And as send this message, this separate text into both. Or as want to do has been finished. However, we consider that. As thinks more, as have more demand. For example, as thinks that, the encryption is very heavy only for male fighting. And we think that, as also consider that. As want to propose the third party to re-angle this separate text. If as the result is very small, that is a mobile or mathematical, this is natural demand. In this case, because the Procure Anglisher and Procure Anglisher solve this program. In the Procure Anglisher, there is a semi-trusted party Procure. Procure has a re-anglisher key. The Procure gets a separate text from I. And the Procure Anglisher just separate text into this. And Procure send this separate text to both. Actually, this is both separate text. If there is just Procure, the program or male fighting is solved. We show an example of male fighting for Procure Encryption. However, there is other application of Procure Encryption. There are many list management, file management, district management, and so on. Next, we review the security notion of Procure Encryption. The PRCPS security and PRCPS security are extensions of INDCPA and INDCPA security. Respectively, they keep a message secure for even the Procure. That is, Procure can re-anglish this separate text into this separate text. However, Procure can't understand the message from this transformation. Next, we classify Procure Encryption into two types. One is a unidirectional type, and the other is a bi-directional type. In the unidirectional type, Wan-ki performs one-way transformation. That is, Procure will anchor this separate text into this separate text. However, Procure cannot enter this separate text into this separate text. In the unidirectional type, Wan-ki performs iso-side part text into both separate text, but can't do both separate text into other separate text. On the other hand, bi-directional type, Wan-ki performs two-way transformation. That is, if Wan-ki re-anglishes iso-side part text into both separate text, it can do both separate text into other separate text. It can do iso-side part text into both separate text. From simple observation, Wan-ki constructs bi-directional type from unidirectional type. We use two unidirectional type keys as one bi-directional type key. However, we do not know the opposite transformation. Next, we show a simple Procure Encryption. This is a simple Procure Encryption. I and Bob have own public and secret keys, respectively. Procure has a re-encryption key, y minus x. This is R2-side part text. Procure re-encrypt this side part text into this and into this. Both can decrypt this side part text into a message. Of course, this Procure Encryption is bi-directional type. Procure can re-encrypt both side part text into iso-side part text. Next, really the previous work or Procure Encryption. This is the main previous work or Procure Encryption. The first one shows both sides and yes. The next one shows security notions. The next one shows directions. The next one shows assumptions. The next one shows powering. The next one shows random output. No means not to use it. Yes means using it. For this previous work, we consider that we find a fact that is powering or random output are necessary in order to construct a PROCure Encryption. We explain it. The first two schemes grant only CPS security. The next two schemes require powering. The next two schemes require random output. Therefore, every previous PROCure Encryption require powering or random output. Therefore, we consider that. Can we construct PROCure Encryption without barring maps in the standard model? We construct it. This is our scheme. Our scheme is the security notion. Security is the PROCure Encryption and direction is the direction. And assumption is based on the DDH assumption and no powering and no random output. This is our scheme. Next, we will use the top of the function and packet orders encryption scheme. Based on this scheme, we propose our scheme. The receipt of the function is proposed by packet and orders. The receipt of the function is one of the specialized top of the function. One of the construction is based on the algorithm encryption. And they construct other primitives all but top of the function, which is like receipt of the function. And they prove these two primitives are equivalent. And they construct and this is a public encryption system from these two primitives. Next, we explain receipt of the function. This figure is receipt of the function's figure. That function is an injection function and the left function is receipt function. Oh, sorry. Left function is injection function and right function is receipt function. Left function preserves information of inverse. Left function can compute inverse. And right function... Oh, sorry. Left, left. Left function is receipt function. Left function. Left function lost the information of inverse. The receipt top of the function says that if given a function, the decision can decide whether this function is rushy or injective. The decision can decide rushy or injective. This is receipt of the function. packet and orders construct this primitive and construct the INGCC public encryption system from this primitive. Really, this system. This is packet order encryption scheme. Based on this system, we explain it. A public key consists of receipt of the function, all that type of function and hash function. This hash function is not cryptographic hash. This hash function requires no function. A secret key is f inverse. And injection process is as follows. It shows a randomness x and generate one-time signature key, VK and SK schema. This one-time signature key and this one-time signature scheme is made from one-time function. Therefore, we can construct one-time signature from rushy to the function. And it generates a member of the psychotext, the C1, C2, C3. C1 is f of x and C2 is Z of VK and Z of VK and x. C3 is x of n and hx. And it sign this member of the psychotext, C1, C2, C3, the signature, sigma. And a psychotext consists of C1, C2, C3. For this scheme, we consider that can we use this scheme for proxy encryption? Next, we show our result and propose scheme. This is PICAT watered encryption scheme. I recall forever I said I use this scheme for proxy encryption. However, this scheme has one difficult point for proxy encryption. This scheme has one difficult point for proxy encryption. That is this signature. We show this reason. We must transform C1, C2, C3 for proxy encryption. Therefore, this is the main part of psychotext. However, the very casual algorithm of signature rejects the modified C1, C2, or C3. Therefore, we must transform C1, C2, C3. However, the signature scheme does not permit it. Therefore, we consider that we do not sign C1 and this scheme granted INCC security. We show this reason. First, the signature of C1, C2, C3 the signature of C1, C2, C3 means the signature of X and M because F is injective function, sorry, F is injective function. Therefore, the signature of C1 means the signature of X. The signature of C1 means the signature of X. Similarly, the signature of C2 implies the signature of X because of the injectivity of ZOVK. ZOVK is injective function. Therefore, the signature of C2 implies the signature of X. Now, X is fixed from the signature of C1 and C2. X is fixed. Therefore, the signature of C3 means the signature of M. Similarly, the signature of C2 sorry, therefore the signature of C1, C2 and C3 means the signature of X and M. Similarly, the signature of C2 means the signature of X and M. Signing C2 and C3 means signing X and M because of the injectivity of the OVK and exit fixed. We found out that it is important to sign X and M for proof. Signing X and M is important for proof, not C1, C2, C3. Therefore, this game granted INDCC security because the signature of C2 and C3 means signature of X and M. And we get a free part of the signature, C1, we get a free part. And we use this C1 for proof-sharing encryption. This C1 is like Erdogan's psychotics because this F is the receipt of the function and one of the construction of the receipt of the function is based on the Erdogan encryption and a simple proxy encryption is Erdogan encryption. Therefore, we use this C1 for proxy encryption for our purpose. We modify this receipt of the function into the new primitive which is we apply the receipt of the function which is specialized receipt of the function for proxy encryption. We construct this RLTDX from the DDH assumption. Unfortunately, we cannot construct from the other assumptions such as the LW or the linear assumption. We construct this primitive from DDH assumption and we construct the bi-directional PICCA proxy encryption from this RLTDX in conclusion. We construct the bi-directional PICCA proxy encryption from the DDH assumption. This is our main result. Next, we show our proposed scan. Proposed scan image. I and Bob have our own public and secret keys and Alice's public key is the re-applicant receipt of the function and its inverse. And proxy has a re-encryption key. This re-encryption key is made from FA inverse and FB inverse. And Alice's central text is this C1, C2, C3, Sigma and VK. Sigma is the signature of C2 and C3, made from C2 and C3. And C1 is the FAX. And proxy encrypts this ciphertext into Bob's ciphertext. This is Bob's ciphertext, C1 prime, C2, C3, Sigma and VK. C1 prime is FB of X. This is Bob's ciphertext, Bob's public key. FB is Bob's public key. And the signature of Sigma is the signature of C2 and C3. Therefore, we can verify this signature. We can accept this signature. And Bob can decrypt this ciphertext. And we state again the advantage of asking. We construct bi-electional PIECCA proxy encryption, without firing a match in the standard model. No powering and no random output. This is the advantage of asking. Thank you.