Hello everyone, I'm Ren Ishibashi. I'd like to talk about post-quantum anonymous one-sided authenticated key exchange without random oracles. This is a joint work with Kazuki Yoneyama.

This presentation proceeds as follows. First, introduction. Second, the security model for OS-AKE. Third, the proposed generic construction of OS-AKE in the standard model. Fourth, instantiation. Finally, conclusion.

Let's start with the introduction. Authenticated key exchange, so-called AKE. AKE is a cryptographic protocol to share a common session key among multiple parties through an unauthenticated network such as the internet. In this study, we focus on it between two parties. Each party has a static key pair, and in the key exchange session, each party generates an ephemeral secret key, ESK, and generates an ephemeral public key, EPK, by using these keys, and sends it to the other party. Then each party computes a common session key using these keys. So ordinary AKE has mutual authentication.

However, in practice, mutual authentication is not required for some applications. For example, HTTPS transactions with only server authentication. In this example, the server returns the static public key and its certificate in response to the client's request. Then the client authenticates the server using these. And then they exchange keys. So for key exchange without client authentication, one-sided AKE may be sufficient. In this paper, AKE with one-sided authentication is called OS-AKE.

In addition, it is desirable for clients to be anonymous. For example, the Tor anonymity network. When the client connects to the destination, it passes through multiple relays. In the red channel, one-sided anonymous communication is used. So each relay cannot identify the sender. And finally, the exit relay communicates with the destination through normal communication. In this way, the client can communicate with the destination while keeping his anonymity.
So in anonymous networks such as Tor and the refer, anonymous OS-AKE is required. If OS-AKE is represented with the figure shown on page 3, OS-AKE removes the client's SSK, since it doesn't require client authentication.

Next, I'll show the existing anonymous OS-AKE schemes. GSU12 provides the security model for OS-AKE to be used in this study. And the BKM12 and GK15 schemes are guaranteed under a weaker freshness setting than the original one. And GK15 consists of lattices and DH. And in some cases, the scheme is not post-quantum, so it is a partially post-quantum scheme. These schemes are proved in the random oracle model.

So, as our contribution, we propose generic constructions, one in the standard model and one in the random oracle model. The one in the standard model can consist of an IND-CCA-secure KEM and an IND-CPA-secure KEM with public-key-independent ciphertext, called PKIC-KEM. The one in the random oracle model can consist of an OW-CCA-secure KEM and an OW-CPA-secure PKIC-KEM. These constructions are guaranteed under the original GSU model.

In addition, we propose five instantiations. In the DH-based schemes, the one in the random oracle model is under the CDH assumption. And the one in the standard model is the first anonymous OS-AKE scheme. And these schemes have a smaller online computational cost for clients than existing schemes. In the post-quantum schemes, the ones in the random oracle model are SIDH-based and CSIDH-based schemes. And the one in the standard model is only a CSIDH-based scheme, but the first anonymous OS-AKE scheme. Here it is described as fully post-quantum because the existing schemes are not post-quantum under some leakage patterns, but our schemes are post-quantum under all leakage patterns.

Next, I'll explain the GSU model. The GSU model allows the adversary to wiretap and modify, and reveal previous session keys, and reveal ephemeral secret keys, and reveal static secret keys, just like the eCK model.
Also, as an additional query, it allows the adversary to obtain the EPKs used by each party in advance. So, in the GSU model, there is a query called RevealNext. It allows the adversary to obtain EPKs for a session in advance. That way, EPKs for a session must be able to be generated in advance, offline. In addition, due to the offline generation, the freshness is a bit unique. It considers leakage of secret keys except for leakage of all secret keys of each party. So, revealing secret keys, ESK and SSK, must be considered one each. For example, the secret keys used in a session are RC and RT for the client and RS and DKS for the server. We need to consider revealing one each, such as RC and RS, or RC and DKS, or RT and RS, or RT and DKS.

In addition to this, there are other OS-AKE models, such as for the TLS setting, but in those models the application to the setting of anonymous networks is not considered and anonymity is not focused on. So, we focus on the GSU model.

Next, I'll introduce the proposed generic construction of OS-AKE in the standard model. By removing the client's SSK from the generic construction of AKE in FSXY15, it looks like we can simply construct OS-AKE. So, I'll show you an example of the construction. The FSXY construction consists of an IND-CCA-secure KEM and an IND-CPA-secure KEM, and the syntax is as follows.

First, I'll show the FSXY construction. The scheme uses a trick called the twisted PRF trick to provide leakage resilience. So, each party has SSKs to use for this trick, and each party has, for the CCA-secure KEM, DK as SSK and EK as SPK. In the key exchange session, first, the client generates two randomness for the trick and generates a randomness for the CPA KEM. And it generates a randomness based on the trick, then it generates a ciphertext and the key for the CCA-secure KEM, and generates a key pair for the CPA KEM, and sends CC and EKT to the server.
Upon receiving this, the server generates randomness just like the client, and generates ciphertexts and keys for the CCA KEM and the CPA KEM, and returns the ciphertexts. Finally, each party decrypts the ciphertext with its own decryption key to obtain the shared value.

Here, if we remove the client's SSK, we get the naive FSXY-based construction like this. The trick on the client side, and the computation of the CCA-secure KEM and the trick on the server side, are removed. So, this is the protocol without the removed parts. It looks like we can construct OS-AKE; however, there are two problems with this construction.

First, by considering the reveal of secret values one each, it is easy to compute KEM keys. For example, RTC and DKS are revealed. The adversary can generate DKT from RTC and decrypt CT with DKT. Also, it can decrypt CC with DKS. Therefore, it is difficult to construct based on FSXY.

As a solution to this problem, we propose a technique to generate two randomness from one randomness. It uses a pseudo-random function to generate from one randomness in this way. Then, by relating RC and RTC in this part, the reveal target for the client can be only this R.

Here, I'll show how to generate randomness for the technique concretely. We generate as follows. First, generate one randomness. Second, it uses a pseudo-random function to generate two different values in the pseudo-random function space. Finally, it uses two pseudo-random functions to generate two values in each randomness space.

Here, can we omit the intermediate RC prime and RTC prime? Okay, I'll show this case. In this case, we generate randomness in this way. But in this example, the OS-AKE security cannot be reduced to the CCA security or the CPA security. For example, the game randomness, the CCA KEM key. In the game, the randomness of the CCA KEM is converted to the output of the random function in this way.
In this case, when the OS-AKE adversary activates the test session, the IND-CCA simulator needs to return the CTA prime and CTA star and EKT star. But since the simulator does not know R star, it cannot return the correct EKT star. So it cannot simulate correctly. So we use three pseudo-random functions in the technique.

Next, the second problem is EPKs. These EPKs cannot be generated offline in the FSXY-based construction. In this construction, the server generates CT based on the EKT received from the client. So offline generation is not possible. As a contribution to this problem, we use PKIC-KEM for the IND-CPA KEM. The PKIC-KEM allows the ciphertext to be generated independently of the public key. In this way, the ciphertext can be generated independently of this EKT. So, applying it to the protocol, we get the following protocol. In this way, all EPKs can be generated offline before the session activates. In addition, for efficiency, we reverse the PKIC-KEM flow in this way. So we can reduce computation for W key chain.

Now I'd like to consider the security of our construction. From the freshness, if the party has only one secret key, there is no need to consider leakage. So the client-side leakage is not considered. Therefore, since the server's reveal types are RS and DKS, the leakage patterns to be considered are only RS or only DKS.

First, leakage of RS. In this case, the adversary can compute KT from RS in this way, but cannot compute KT without knowing this RS or this R. Therefore, it is secure.

Next, leakage of DKS. In this case, the adversary can compute KT with DKS, but cannot compute KT without knowing RS or this R. Therefore, it is secure.

Next, about the anonymity of clients. The client never sends information dependent on him, such as ID and static key, in each session. So the adversary cannot get any information about the client from the ciphertext.

Next, I will introduce our instantiations.
This is a comparison of our DH-based schemes and existing schemes. Ours 2 is the first anonymous OS-AKE scheme in the standard model. And both schemes reduce the online exponentiation cost for clients. Finally, the existing schemes are under the gap DH assumption, but Ours 1 is under the standard CDH assumption and Ours 2 is under the standard DDH assumption.

The next instantiation is the post-quantum schemes from isogenies in the random oracle model. First, the SIDH-based scheme consists of the CCA-secure SIKE KEM and the IND-CPA-secure PKE from SSE 20. Here, this PKE is converted to an OW-CPA-secure PKIC-KEM, and then it is used. Next, the CSIDH-based scheme consists of the CPA-secure Cyclicam from YON21 and the CPA-secure Cyclicam from CRM 18. Here, this KEM is converted to a PKIC-KEM in the same way. So these schemes are the first post-quantum schemes in the random oracle model.

Here I introduce how to transform the SIKE PKE to a PKIC-KEM. First, we remove the first and the fifth computation in Enc and the second and third computation in Dec. Since we use the PKE as the KEM, and since an OW-CPA-secure KEM is sufficient for our generic construction in the random oracle model, this j-invariant is used as a KEM key without passing it through the random oracle. Next, we use the first and second computation in Enc as this WNC and the third computation as this WNK, WNCUPK. And then we can use it as a PKIC-KEM by transforming it as follows.

The last instantiation is the post-quantum scheme in the standard model, but only a CSIDH-based scheme. The scheme consists of the Cyclicam and the smooth projective hashing from ALMP20 and the Cyclicam from CRM 18. Here, we pass the session key of the KEM through the entropy-smoothing hash function and construct it as a hash-CSIDH KEM. And also, this KEM is converted to a PKIC-KEM in the same way. So, the scheme is the first post-quantum scheme in the standard model.
Finally, conclusion. We propose generic constructions for OS-AKE, anonymous OS-AKE, one in the standard model and one in the random oracle model. Also, we propose generic constructions and we also propose instantiations of the generic constructions. One of the DH-based schemes is the first DH-based anonymous OS-AKE scheme in the standard model. And the ones based on isogenies are the first post-quantum anonymous OS-AKE schemes. That's it from me. Thank you all for listening.