 Hello, it's my pleasure to give the presentation about lattice-based group equation with flow dynamicity and message-feeder policy. It's a geotalk by Jin Pan, Xiaofeng Chen, Fang Guozhang, and Willis O'Sullo. In this talk, beginning with a short background of group equation, we introduce the fully dynamic group equation primitive, then show the ideas and technologies we use here. Finally, we make a conclusion for this work. Group equation is a fundamental and limited primitive analog of group signature. It consists of these algorithms by considering valid respionage for specific self-test with a group of certified users. While keeping traceability to anonymous behalf, it provides the confusion and anonymity and traceability. Since its first force, the group equation has found a wide of applications in the related world. Such as trusted third parties, oblivious retrieval storage systems, hierarchical global signatures, and encrypted math victory. All these applications show it's essential goal is to have the valid self-test with respionage with a certified group while keeping traceability to anonymous behalf. We can show group equation as in the following figure. Each involves five parties, a group manager, a manager's group, an opening authority, an opening authority who anonymizes the self-test when a dispute is occasioned, a center, a verify, and a user's. According to the video model, the group equation scheme can be extracted from a skewed digital signature, or 682 anonymous public equation, zero-knowledge argument. When a center wants to securely transmit a witness compliant to a relationship R, to a member blown into a group, it encrypts the witness under the user public key and equips the respionage identity under the opening authority to the public key, then generates a zero-knowledge argument to demonstrate that the self-test is reformed and can be correctly decrypted by the member blown into a group. Now we review the search line of group equation. The concept was first introduced by GTI in 2007 whereas they provided the formalized definition under a majority design. Later, by reducing the number of runs, the CL scheme was proposed. It was a scheme with no interactive zero-knowledge in the study model. To stress the secrets, the IPvS scheme was proposed. It was free of subliminal channels. After that, a more practical scheme was proposed of weak assemblies, similar to traceable signatures or traceable scheme was proposed. However, we argue that all the schemes were constructed of traditional sympathetic assemblies and they would be fragile in the sense of quantum computing. To change this suggestion, the first quantum resistance scheme was proposed by Leibold from Lattice. Recently, another positive quantum scheme was proposed over coding theory. It also features the fluid density and message feedback policies. It promotes the development of group equation, especially in the edge-over-equated image theory. We argue that these two little schemes are quantum-resistant. However, except the last scheme, all the schemes are like over for dynamicity and message feedback policies, which limits these applications in the edge-over equated image theory. Moreover, the SS scheme has these coins. It is suffering from upper-skill security experiments in extremely efficient and weaker security. Thus, we may ask a question. Can we propose a Lattice-based scheme with the fluid density and voltage message feedback policies while replacing the existing coins? Our answer to this question is positive. In this work, our attributes are very formalized, the model and security requirements of the fully dynamic group in question. Instead of directly adapted from that of fully dynamic group signatures, we upgrade it from KDW model by adding appropriate ingredients, and it is essentially equal to but more succinct and understandable than the currently exact model. Then, we provide the generic and efficient zero-logic proof for zero binary vectories and prohibited messages, feature policies in the 1930s. Both of them are used for abstraction. Finally, we construct the last Lattice-based fully dynamic group in question while supporting message feedback policies. The scheme is why followed our model and is also possessing enhanced efficiency in that standard model. Now, we introduce the fully dynamic group encryption primitive. The goal of this primitive is to allow users to join or leave the group in their use to achieve this function, motivated by the design of fully dynamic group signatures. We upgrade it from the KDW model by introducing time factor and a group update algorithm. This fresh primitive ecosystem of these fellows. The fourth setup is used to generate the public parameters. Given the public parameters, the group manager, the opening authority and the users run the key generation algorithm to generate the key path, respectively. After that, the user and the group manager run an interactive protocol to introduce the user into the group. When the protocol ends successfully, it generates a certificate to show that the user's membership is certified by the group manager. When a user wants to leave the group, the group manager runs this algorithm to remove the user and issue. The certificate group information for encryption. The sender runs this algorithm to simple statement, witness, PR, or complying to relation PR. Then the sender encrypted the witness under the user public key with the group information, information. Once the recipient receives the self-test, it runs this algorithm to recover the witness. Also, when a dispute is the occasion, the opening authority opens this self-test via this algorithm. Finally, the sender performs a third-order argument to convince the verify that the self-test is a way for the grouping encryption. Who is the plain text? Plain text is complied off. Subsequently, the security requirements are the messages secrets, the anonymity, and some of these. The messages secrets ask that it is how to distinguish genuine self-test and random self-test generated at the same epoch, where the whole system, except the honest recipient, is under the control of the adversary. The anonymity asks that it is how to distinguish which public key over two chosen recipient is used to generate self-tests at epoch time, where the whole system, except the two chosen recipients and the opening authority is under the control of the adversary. The sender needs to ask that it is how to generate a convincing group encryption self-test. Generally, at epoch time, that is able to be finally transferred back to an un-certified group member or evaluate the public key, where the whole group manager is honest and the opening authority is partially corrupted. Our basic idea is Lexis. According to the module design, presented by KTUI, a group encryption scheme can be constructed from a skew digital signature. OCCA2, key provost public key, and a third-order argument is a general design, where some motivation is taken to achieve the full diversity. We utilize an update accumulated to fully certify group membership, since the GPV dual equation is used to encrypt witness and respondent identity. Finally, the young act was the knowledge argument is used to demonstrate the validity of a self-test by this design. We achieve the full diversity under a basic key space, which is right into a scheme with functions, efficiencies. Now we present our design idea. Given the public parameters, the group manager, the opening authority, and the users genuinely to their key paths respectfully, then the group manager builds a lattice-based regulatory of ANSAS, leaves with initial zero values. When a user wants to do the group, it sends his public key to the group manager. The group manager checks its vision with the previous public keys, and if not, has it into binary vector AP. Then replace the zero value by P1, and by ADV, all these operations can be shown in the full figure. After the aggregator of the protocol, the group manager builds a tree like this. When a user with index, the reward wants to do the group, the group manager replace the initial value by his public key's hashed value. And for any ANSAS journey group application, the group manager handles it similarly. This is the group update operation. When a user wants to leave the group, the group manager sets the leaf value associated to the user as a result. Then update the mark tree by computing the node values on the path from the specific nodes to the root. This process can be simply shown in the full figure. When a user with index journey wants to leave the group, the group manager sets its leaf value as a result. Then update the tree, allow another path considered of yellow nodes from the bottom to the root. This is the equation process. The sender samples waiting stop according to some messaging feature policy, then equips the waiting stop under the user public key and equips the position value under the opening authority's public key. In this equation, to achieve CCA security, the NIO paradigm is also utilized. Finally, the sender performs the knowledge argument to demonstrate that the safe test is holding the following. The user public key is certified and active at Epochta. The waiting stop is equated under public key and the authority's position value is equated under the opening authority's public key. Finally, the waiting stop is compliant to the messaging feature policy. The performance of this work is like this. Here we take the 80-bit security level as an example. By the above result, our scheme is over 25 and 35 schemes in terms of function, efficiency, and security. Our efficiency advantage comes from the free trap-to-door design and the usage of the knowledge argument. Now we explain the main difficulty in this work. The difficulty is mainly reduced to perform the knowledge for the active membership and waiting for the property. In the sense of the network framework, that's what we call the network framework. We describe it in the substituted form where m greater than y are a public matrix and vector, and x is a secret vector. The flat body m is the set of the top of ih, of which ih is equal to the product of x and xj. It equips the short norm and the hidden matrix vector product of relations. We are now concerned to prove that binary vector p is not zero, actually, under that type. The relation is either to prove by painting a minus 1 dummy entrance and applying the decomposition extending from typing technologies. However, in the sense of a young act with a framework, the master cannot be used. When we find the label to act with the knowledge master for integral relationships, like the variable x in the interval alpha and beta is useful. However, the master is still evaluated. To address this problem, we consider the following subtraction. Let the variable x with index r be in the interval alpha and beta. Prove among which alpha j is less than xj. Interestingly, let alpha i be zero and beta i be one. Our problem is a special case. The difference between our problem and the label type of the problem is to prove some variable among them satisfies an inequality. Actually, it is hard to prove this relationship one by one. Thus, we change our strategy. We equally transform it into a sum problem and prove the little one. Specifically, we sum xi and then prove that alpha is less than the sum of xi. Well, alpha is a special value with taking alpha 1 to alpha n as input. Our concrete solution is like this. Introduce a composite vector cube. Then prove q's norm is bounded. Immediately introduce a composite vector cube such that the sum of p and q is equal to a vector with each entry b1. Then prove its i1 norm is not greater than i-1. Further, by using the technologies for improving inequality relationship in the electricity, we can transform it into the final solution. Well, g is a public matrix dependent on minus 1. This provides our solution. Now we start our proofs for the message filter policies. Now our two common policies include the filter. The first is the permissive type and the second is the prohibited type. The permissive type is different as given e-straps, i-sine and r-secreting-straps, w. At least that is the straight i-sine as r-substrate of w. The prohibited type is similarly defined given the same strats. For any substrate y over w, the Hamiltonian between i-sine and i-sine is not less than d, where d is a fixed constituent. They are not not. The proof must be in the lattice unknown, especially under the Young-Atwood framework. Moreover, the proof for permissive type is trivial and incorporated into that of a prohibited type. Thus, they only need to consider the proof for the prohibited type. The difficulty to this problem is, first, how to express the substrate relationship y or w, then how to compute the actual operation of binary vectors a and b in the sense of taking modulus q. Finally, how to handle the not less than relation, very not less than the basic. The second point is basic but key. Okay, the solution is like write the substrate relationship as an equation like yj equal to the product of bj and w, where bj is a public matrix. Then you choose the modulus transformation operation. Finally, use our fresh solution for non-zero p to deal with inequality. Our concrete solution is like this. Our point is for any bit x, y, the x or operation is equal to the later equation, where they generalize it into the sense of vectors like this. Then it is used to write the desired relationship as this equation. Now by citing yj as the product of bj and w, and after taking somewhat complicated computations, we obtain the final equation, where bj are public matrices, and d is a public vector, whereas w and j are secretive vectors. It means that when one wants to prove a w is compliant to prohibitive type, it only need to prove that it satisfies such an equation. But not that, our solution for p not equal zero and the message vector balancing are also compatible with the store type. Now we make a conclusion for this work. We reformulate the fully dynamic group equation with more succinct and understandable security requirements, then provide the generic and efficient zero-knowledge proofs for no zero binary vector and prohibitive message-efficient policies in the lattice schedule, both of which are used for our construction. Finally, we propose the first lattice-based fully dynamic group equation was voting message-efficient policies, which is also possessing and has efficiencies in that model. That's all. Thanks for your attention.