 In this talk, I would like to present our paper. Learning encryption and its objections to submitable protocols with low-round combinator city, and Xinxuan Zhang is a joint work with Yidong. First, consider the following simple protocol. Roughly, the WIFI will send the public key to the approval, and the approval will encrypt its WIFI approval, proving that it knows the secret key of some other settlements. That's a tall example, and here, we only concentrate on submitting the approval. Now, as we can see, if the WIFI can't distinguish subtexts, then the simulator can easily encrypt a domain message to conclude the simulation. And if the WIFI can't distinguish the subtexts, which means that the WIFI should know the secret key, then we hope the simulator can use the secret key as a trapdoor to generate the WIFI proof. The critical question here is that, how to extract the secret key from the malicious WIFI? In other words, that the ability of the submission subtexts means the knowledge of the secret key. Then, we consider the following two encryption schemes closing to our requirements, that the witness encryption and conditional disclosure scheme. Both allow one to generate key pairs from an MP instance and its witness, so that if the instance is invaded, no efficient algorithm can decrypt subtexts. However, neither of them provides any security when using a witness instance. In other words, the decryption algorithm provides only a sound proof that the corresponding public key is valid. Now, we have a question. Can we construct a public key encryption for which only algorithm that knows the secret key can decrypt subtexts? In other words, the decryption algorithm provides a proof of knowledge of the secret key. Unfortunately, most of the existing encryption schemes fail to satisfy this requirement without knowledge assumptions. The only exception we are aware of is the virus of robin's encryption, of which security is based on the factory assumption. As shown in DONG20, this consumption is useful in constructing tips on secure protocols. What we did by this question, we put forward the notion of knowledge encryption. Like CDS, knowledge encryption is associated with an MP language. The key pairs are generated from an instance and its witness. Knowledge encryption should satisfy the witness' extractability and poverty, which claims that if an efficient adversary can decrypt subtexts, then the efficient algorithm extracts the witness, which is also part of the secret key, from the adversary. This should hold even for malicious generated public key. Besides it, we also require knowledge encryption to satisfy the extinguished ability and the public key simulation properties. In our paper, we present two constructions of knowledge encryption. The first one is based on CDS and the randomest of reducible encryption. The second one is based on CDS only. It means that knowledge encryption can be constructed from two round-game-based secure AWS transfer, which is a known based on DDH, QR or LWE assumption. Here, we only give a highly wide idea about the second construction. Remind that CDS can be constructed from the two message secure function evaluation for the secured show and the slides. We embed a simple decoding mechanism in this secure so that a special generated subtext will be interchangeable from the subtext of some position of the witness. Therefore, one can extract the witness by observing the view of the adversary. Now, as shown on the slide, knowledge encryption can be used to construct several protocols. Due to the time limits, we only provide a highly wide idea about the construction of the first three round-game-based secure AWS transfer. The highly wide idea is that the receiver will send a pair of knowledge encryption public keys for the instance that it knows the witness for only one of them so that it can only decrypt one of these two subtext senders in the last round. These subtexts are generated by the sender and through encrypting its two input strings. In the meanwhile, the simulator simulation receiver will extract both strings by generating two real public keys and decrypting both subtexts. The simulator simulation senders will extract civil keys from malicious receiver using the individual reduction technique and the witness' extractability property of our knowledge encryption. It's a women's conjunction such that no matter how many civil keys are extracted, the simulator will always be able to conclude the simulation. We refer to our paper for more details. That's all. Thank you for your attention.