 Hello everyone, I'm Chi Chi Lai. The title of our paper is New Light is Two-Stage Sampling Technique and its application to function and encryption. This is a joint work with Feng Huan and Zhou Dong. The outline of this presentation consists of three parts, background, or contribution and all techniques. First, let us focus on the background. Considering the scenario of a circular message transmission taking PKE for example, we always assume that the receiver alies first need to generate a pair of PKSK and then send PKE to the sender Bob. In this case, Bob can run an encryption algorithm and send the server to city to alies. Finally, alies can get message M from city through using her secret key. We notice that the mind shortcoming of PKE that requires a lot of work to do to public key management. In order to overcome this limitation, we can adopt IBE schemes. In this case, we need to assume an authority who will issue MPK to two parties and then Bob can directly encrypt messages using alies as the ID. Finally, alies can decrypt through using her secret key from the authority. In order to further increase the fine green access control for the decryptor, we can use ABE schemes. In this case, message M is encrypted with the receiver's attribute X and the receiver's secret key is corresponding to a function class, function F. Alies view decrypting successfully if FX equals one or Bob mentioned encryption schemes are all nothing still. In order to further increase the fine green access control for the encrypted message itself, we can use functional encryption. In this case, when decrypting through SKF, the receiver can just obtain the partial information as FM. So we think of functional encryption as the most advanced encryption still and it is significant to construct much better functional encryption schemes. Next, we recall the syntax of functional encryption. According to the biogeneralization of increased schemes from PKE to FVE, the regular syntax of FVE can be described as follows. First, the syntax algorithm output appear of MPK, MSK. Second, a cage algorithm take MPK, MSK and a function F as input and output a secret key SKF. Here, F is a function from message space to arbitrary bitstream. Third, the encryption algorithm directly encrypt message M under MPK. Finally, with the SKF, we can get FM through decrypting the server text. In fact, FVE also has a more fine green syntax. Compared with this regular one, these fine green syntax has the following differences. First, the function F has two different parts, P and G, where P acts as a predict whose output is a zero or one and G is a function of message. Second, the method M also has two different parts, X and U, where X is viewed as the index and U, the real message load. Third, for decryption, the decryptor get a GU if PX equals one and the button otherwise. From above all, we can summarize the difference between regular syntax and a fine green syntax in this way. Clearly, the two notions of syntax are essentially equivalent. This is mainly because their function class can be expressed by each other. In this paper, we would like to focus on the fine green syntax. Notice that fine green syntax does only capture IBE, ABE, P, and more naturally, but also divide the secret key and index into one zero key and private public index respectively. And this will provide many more perspectives to promote the current state of art on FVE. Next, we recall the security definitions of FVE schemes. Finally, in our security game for FVE, after obtaining MPK from the challenger, the adversary can conduct extraction and the challenge queries in an adaptive way. Finally, the adversary outpours some information alpha on the challenger sabotaged the city. In this process, we need to consider the following things. First, from the view of the adversary, the index X of the only study generated as sabotage may be public or private. Second, the challenger attribute X star and the message star are chosen by the adversary in a selective, semi-adaptive or adaptive way. Third, case-strategy queries can be separated into two parts, pre-challenged query or post-challenged query. Fourth, the semi-adaptive size depends on the concrete function class of F and the times of key extraction queries made by the adversary. For fifth, the security for this interactive game can be defined in a indistinguishably based or simulation-based way. Sixth, of course, from the challenging message, we need to consider single or multiple challenge messages. In this paper, we might consider two settings of FEE, private index or public index. Next, we first recall private index setting. According to the above statement about the private index setting, the function class of FEE is generally and denoted as P times G. Notice that after our careful consideration, it is significant for us to just focus on P times I, where I is the identity function. Furthermore, for security, we can consider two types, simulation-based or anti-based. In case of a private index, we prefer to simulation-based security and as it gives much more security guarantee. Here, we give the simulation-based semi-adaptive security. Notice that in the real game, the semi-adaptive is just with respect to the challenging dice and star, which is children just after receiving the master public key. Then in the ideal game, it is necessary to consider four simulators, such that the real game and the ideal game are indistinguishable. Then for the case of a public index, we also consider both sim-based or anti-based security. We are just interested in anti-based one. This is because, now that the indexed X is available for the adversary, it is more significant to pursue efficiency rather than to strong security. For the function class, we just focus on the subclass of P times IP, where IP denotes inner product. In particular, we focus on IB times IP and AB times IP. More formally, the anti-based security of a public index of IFE can be described in the following way. Here, we use the different color to indicate the choice of the challenging index in the different states. In particular, they indicate the selective or semi-adaptive or adaptive security respectively. Next, we introduce the current state of art of art on simulation-based FEE. As we know, the prior works have given many results on simulation-based FEE. In particular, BSW and AGVW have proposed two lower bounds on the construction of the sim FEE for post-challenge queries and the server-desk sites respectively. So, we can conclude that for a single-challenge message case, there is no poly-sim FEE. Here, we use the first poly to indicate the number of one-key queries and the second poly as the number of zero-key queries. Then, GWW gives simulation-based FEE which has a strong security guarantee but poor efficiency. In particular, GWW supports Q times one-key and zero-key queries in both pre- and post-challenge steps. And its chain index can be adapted to children, but its server-desk sites depends on the circuit-desk sites of F and gross-vehicle multiplicative big O Q24. Here, we use Q to denote the number of one-key queries. Then, GWW, they are proposed FEE with much better efficiency but with the cost of the achieved security. Then, AR, GWW and AV also propose the different SIM-based FEE, but all those constructions are still not satisfied in both security and efficiency. So, we want to ask, is it possible to further promote the security and the efficiency making simulation-based FEE to approach the existing lower bound? This is the detailed case of a current state of art of simulation-based FEE. So, this derive the first mind question of these people. Is it possible to construct much better simulation-based FEE? Next, let us see something on the current state of art on and the FEE for P times IP. In particular, ACGU proposed FEE for IP times IP from combine IDE and FEE for IP. But we know that even each building block is adaptive security, the resulting FEE scheme just satisfy selective security. So, we may consider how to construct how to construct and the FEE for AV times IP and achieved adaptive security. This is the detailed case of the current state of art on simulation and the FEE. And our second question is, is it possible to construct much better and based FEE for P times IP? So, the mind goals in all paper can be presented as the following two items. Next, we start to introduce our contribution using this paper. The first is a mind-tinted contribution on new lattice two-stage sampling, which is believed to be of independent interest and may be used in other lattice-based curved graphite. In order to explain all new sampling process more naturally, let us first recall the existing lattice sampling techniques. The first is a GPV sampling. GPV says we can sample the topo matrix A, vector U, vector Y into statistically close way. This means that even a random matrix A, we cannot only first sample a vector U and then sample a vector Y from discrete Gaussian distribution over lattice. But also first sample vector Y from discrete Gaussian distribution over integers and then multiply it to matrix A from the right hand side. The second is ABB sampling. ABB says that even a short matrix R, the GPV sampling algorithm still works. We can note that in the previous construction of ABB or PE and even FEE construction from lattices, this matrix R always depends on which secret key queries the adversary conduct. And in that case, we require the adversary to first claim the challenge attribute such that we can embed the hard problem in the simulated public key. But this will inherently result in the selective security. So if we want to achieve adaptive or some adaptive security, we need to consider how to delay the usage of matrix R. In this paper, we gave a new method to delay the matrix R. In particular, in stage one, we first choose a matrix A and a vector X from the corresponding distribution and then compute vector U. Then in stage two, given certain small matrix R, we can sample vector Z and output vector V in this way. Finally, the sample algorithm output the table in A times R, vector UY. We noted that this table satisfies this equation. The part of the sample is denoted as a sampler tool in our paper and it is essentially used in the security proof. And in the real FEE constructions, we will use this variant sampler one. Clearly, after setting on correct parameter, those two algorithms should be indistinguishable. Then we see all contribution in FEE with the private index. Clearly, all results can be divided into three cases, single key FEE reusable garbage and multi key FEE. Overall, all construction has a significant step forward in the security and the efficiency relative to the existing result. Due to time limit, I will not see too many details about that. From above all, we need to obtain significant progress in simulation based FEE and our result is quite approached the existing lower bound in the security and the efficiency. Then for the FEE with public index, up until now there is just one paper ACGU that have proposed on the FEE for IB times IP with the selective security and all construction can support AB times IP with the semi adapter security. Hence all contributions are still significant just as a list by this table. Next, we focus on all techniques. In fact, our technique is inspired by that of Agarwa and we both rely on the notion of PHP which means popular hiding, predicting, encryption. So let us first recall Agarwa's technique and then look all differences from them. In particular, this start with a one zero poly selective PHP and then upgrade it into one poly very selective PHP, one poly semi-adaptive PHP, two poly semi-adaptive PHP and two poly semi-adaptive FEE. We notice that Agarwa has limitations in security and several times the size. In particular, although their construction is also semi-adaptive, they require the adversary to commit all one key queries just after know the master public key. This means that their construction will not allow the adversary to conduct the post-challenge one key queries and their surface size is grouped with big O Q2 in an additive way. In order to further improve this scheme, we adopted the tiny map as starting from zero poly selective PHP and then upgrade it to one poly selective PHP, one poly semi-adaptive PHP, Q2 poly semi-adaptive PHP and Q2 poly semi-adaptive PHP. Except the last step from semi-adaptive PHP to semi-adaptive FEE, we employ several new techniques for the three steps from zero poly selective PHP to pure poly semi-adaptive PHP. In particular, from zero poly selective PHP to one poly selective PHP, we adopted a new lattice two-stage sampling algorithm to replace the corresponding sample algorithm in Agarwa. From one poly selective PHP to one poly semi-adaptive PHP, we adopted lightweight encoding by PKE to replace the method of nesting two FEE schemes. From one poly semi-adaptive PHP to pure poly semi-adaptive PHP, we construct post-challenge simulator to answer post-challenge one key queries and use a more efficient call-free set to reduce the server-sized-size-growing-speed-with-kill. Up until now, after putting all of our things together, we get the desired simulation-based FEE. For the case of undie-based FEE, the time is quite similar. Please see our paper. Thanks for your attention.