Post-Quantum Universal Composable OT Based on Key Exchange

We construct a universally composable framework for two-message oblivious transfer protocols based on lattice assumptions. We modify the framework proposed by Liu and Hu by adding three tools: XOR, Bit Commitment and Smooth Projective Hash Function (SPHF). We instantiate the hash function as an SPHF, which is more secure in practical applications and achieves full simulatability in the security proof. Compared with a hash function modelled as a random oracle in the security proof, this construction is more secure and more efficient to prove. In particular, we mainly consider full simulatability, in which the simulator can simulate every corruption case. So we mainly consider a non-adaptive malicious adversary in the Oblivious Transfer protocol.


I. INTRODUCTION
Oblivious Transfer was proposed by Rabin in 1981 [1] and was based on integer factoring. An Oblivious Transfer protocol has two participants, a sender and a receiver. We mainly focus on 1-out-of-2 OT, where the sender holds two messages M_1, M_2 and the receiver selects a bit to obtain M_i, i ∈ {0, 1}. The sender transmits the messages M_1, M_2 to the receiver by the OT protocol. The security of OT ensures that the sender does not learn which message the receiver obtains. The receiver can only obtain the chosen message M_i and learns nothing about M_{1−i}.
Oblivious Transfer can be constructed from a public key cryptosystem (PKC). Most OT protocols are based on number-theoretic assumptions, and OT can be used to construct other MPC protocols, including Zero Knowledge Proof, Bit Commitment, etc. In 1985, Even and Goldreich proposed a randomized OT protocol for a contract signing protocol, which can be implemented by PKC [2]. The OT protocol can be used as a main technical means to achieve privacy protection. As a basic cryptographic protocol, OT can be widely used in MPC, including secret information retrieval and e-commerce (online ordering, payment browsing, securities trading, etc.). As a basic cryptographic primitive, OT can be used to construct Oblivious Circuit Evaluation, proposed by Kilian in 1988 [3]. Kilian also mentioned that OT is useful for non-interactive zero-knowledge proofs and commitment protocols. Bellare and Micali designed a non-interactive OT based on the DH assumption in 1989 [4]. In 1991, Bennett proposed a practical quantum OT based on quantum physics; this quantum OT can implement bit commitment and oblivious circuit evaluation [5]. In 1995, Beaver proposed a pre-computed oblivious transfer, which is efficiently computable by moving intensive computation offline without unproven hardness assumptions [6]. Crépeau proposed an efficient committed OT and PMPC (private multi-party computation); BC (bit commitment) and 1-out-of-2 OT are used as basic tools to construct PMPC for multi-party secure computation [7]. In 1999, Naor and Pinkas proposed k-out-of-n OT, which has various privacy-protecting applications when combined with commitment. This OT_n^k is based on sum-consistent synthesizers and makes many invocations of OT_2^1 [8]. In 2000, Gertner and Kannan introduced the relationship between public key encryption and oblivious transfer, which are incomparable under black-box reductions [9].
The associate editor coordinating the review of this manuscript and approving it for publication was Cristina Rottondi.
The security models of OT and extended OT are based on random oracles, one-way functions, homomorphism, universal composability, etc. In 2001, Naor and Pinkas proposed efficient oblivious transfer protocols. They constructed a two-round protocol based on the DDH assumption whose security proof does not rely on random oracles [10]. In 2002, Tzeng proposed efficient OT_n^1 schemes, which achieve optimal rounds and obtain the receiver's security without any conditions. These schemes can be applied to (symmetric) private information retrieval (PIR/SPIR) between a user and a database manager (DBM) [11]. Mu and Zhang proposed OT_n^m based on the DL assumption, with better completeness, robustness and flexibility; in particular, they constructed a non-interactive OT. These constructions have suitable applications in electronic commerce [12]. In 2003, Ishai and Kilian proposed an OT extension technique in the random oracle model. Compared with the OT extension based on one-way functions proposed by Beaver [13], this technique has better practicability [14]. Lipmaa combined the HOT protocol with homomorphic public key cryptosystems to construct verifiable homomorphic oblivious transfer and a private equality test [15]. In 2004, Crépeau and Morozov proposed an unconditionally secure OT whose setting is any noisy channel [16]. Ogata and Sasahara extended the OT_n^1 proposed by Naor and Pinkas, whose security was based on random oracles, but the security of their OT_n^k did not need random oracles [17]. Garay and MacKenzie extended committed oblivious transfer to obtain ECOT (extended committed oblivious transfer), which achieves security in the universally composable model. The ECOT protocol can be used as a building primitive in some MPC functionalities [18]. In 2005, Huang and Chang improved Mu's OT_n^m protocol of 2002, which could not provide security for the receiver, and this improvement did not affect efficiency [19]. Chu and Tzeng proposed an efficient OT_n^k based on DDH and CT-CDH (chosen-target CDH) with universal parameters, which was the most efficient in communication cost. They proposed an adaptive OT_n^k with a commitment phase and a transfer phase [20]. Harnik and Kilian introduced a robust combiner which can combine OT with other primitives to obtain universal protocols [21].
VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Smooth Projective Hash Functions (SPHF) were originally used to construct OT with half-simulatable security. A modified SPHF can then be used to construct fully simulatable OT [48]. Full simulation mainly corresponds to a non-adaptive adversary in most cases. Kalai constructed two-message OT protocols using the modified smooth projective hash function (SPHF) provided by Cramer and Shoup in 2002 [22], whose security was based on N'th residuosity and quadratic residuosity [23]. In 2006, Wolf and Wullschleger proposed a reduction and proved that OT is a symmetric function at the mathematical level [24]. Fischlin constructed universally composable OT schemes for the multi-party setting with honest participants [25]. In 2007, Huang proposed an OT_n^k with lower bandwidth and faster computation [26]. Green and Hohenberger proposed blind identity-based encryption (IBE) and applied it to construct simulatable OT [27]. Camenisch and Neven constructed the first OT based on blind signatures in the random oracle model, and proposed a second OT which only needs a constant number of group elements without the random oracle model [28]. Meier and Przydatek constructed a uniform OT-combiner which achieves optimal robustness [29]. In 2008, Green and Hohenberger proposed a universally composable secure adaptive OT_n^k in the static corruption model [30]. Lindell proposed an efficient OT which obtains fully simulatable security under the DDH, QR and FHE assumptions [31]. Haitner proposed a black-box technique by which malicious OT can be reduced to semi-honest OT [32]. Shankar and Srinathan proposed an alternative reduction for generalized OT, combined with secret sharing to replace private protocols [33]. Dowsley and Graaf proposed an OT which reduces to the McEliece assumptions [34].
Key Exchange (KE) can be used to construct OT with the help of SPHF. In addition to KE, lossy functions, dual-mode cryptosystems and the cut-and-choose technique are used to construct OT. Lattice-based OT protocols have been proposed in recent years and are believed to be quantum-resistant. LWE, as an average-case lattice assumption with a good reduction property, is commonly used to construct OT. Parakh proposed that key exchange (KE) can be used to implement OT [35]. Peikert and Vaikuntanathan proposed a framework to construct efficient and universally composable OT. Messy public keys play a necessary role in the dual-mode cryptosystems used in the PVW framework to achieve statistical security [36]. In 2009, Camenisch and Dubovitskaya proposed an OT protocol with anonymous access to a database [37]. Rial and Kohlweiss proposed a priced oblivious transfer (POT) scheme between vendor and buyer, based on pairing-related assumptions in the standard model [37]. Lindell and Zarosim proposed adaptive zero-knowledge proofs and adaptively secure OT [38]. Wang and Ishwar proposed bootstrapped string OT and secure two-party function computation [40]. Qin and Zhao proposed non-interactive OT protocols [41]. Katz and Vaikuntanathan proposed a public key encryption scheme based on the LWE assumption; this PKE scheme, combined with SPHF, constructs lattice-based password-authenticated key exchange (PAKE) [42]. In 2010, Jain and Hair proposed an efficient OT_n^k protocol based on Diffie-Hellman key exchange [43]. Isaka proposed an OT used in the additive white Gaussian noise channel [44]. In 2011, Green and Hohenberger proposed a practical adaptive oblivious transfer from simple assumptions [45]. Ma and Xu proposed an oblivious transfer with time-release receiver's privacy [46]. Tassa proposed a generalized OT combined with secret sharing [47]. In 2012, Halevi and Kalai improved the SPHF and two-message OT first proposed by Kalai in 2005 [48].
Canetti and Dachman-Soled proposed an efficient password-authenticated key exchange via OT [49]. Lindell and Pinkas proposed secure two-party computation via cut-and-choose OT [50]. Zeng and Tartary proposed a practical framework for OT_n^t with security against covert adversaries [51]. In 2013, Asharov and Lindell proposed more efficient OT and some extensions which speed up secure computation [52].
Canetti proposed a universally composable security model for cryptographic protocols [53] in 2001, based on the simulation technique. In 2014, Guleria and Dutta proposed an efficient adaptive OT in the universally composable framework [54]. David and Dowsley proposed a universally composable OT based on the LPN assumption, which belongs to the lattice family of assumptions [55]. In 2015, Blazy and Chevalier proposed a generic construction of UC-secure OT [56]. Zhao and Jiang proposed a cut-and-choose bilateral OT; as a basic technique, cut-and-choose plays a necessary role in designing OT protocols [57]. Asharov and Lindell proposed OT extensions which achieve security against malicious adversaries [58]. In 2017, Jannati and Bahrak proposed an OT protocol based on ElGamal encryption, which can be applied to preserving location privacy [59]. In 2018, Li and Xiang proposed an OT combined with lossy encryption under a lattice-based assumption [60]. Li and Micciancio proposed equational security proofs for OT protocols [61]. Branco and Ding proposed a universally composable OT based on the RLWE assumption [62]. In 2019, Liu and Hu proposed a UC-secure OT based on ideal lattices [63]. Li and Ma proposed an efficient OT from a multi-bit dual-mode cryptosystem, which can be applied in the cloud [64]. Li and Huang proposed a post-quantum OT_n^1 protocol [65]. Bu and Agrawal proposed some quantum-resistant cryptographic hardware primitives [66]. Döttling and Garg proposed a two-round OT based on the CDH or LPN assumptions [67]. For a better understanding of key exchange based on LWE, Ding and Jiang surveyed key exchange based on LWE [68], including the relations between key exchange protocols.

A. OUR CONTRIBUTION
As an important cryptographic primitive, Oblivious Transfer (OT) plays an important role in Multi-party Secure Computation (MPC) protocols. As a basic protocol for transporting keys, key exchange (KE) can also be considered a technique to construct OT. Most OT constructions are based on DDH, RSA, etc., and these primitives may become unsafe with the development of quantum computing. Lattice-based cryptography is believed to be quantum-resistant, so we use the LWE (RLWE) assumption to construct post-quantum OT protocols. Combined with a KE protocol, we mainly consider the 'universally composable' security model.
We modify the framework proposed by Liu and Hu (2019) [63], which constructs a UC-secure OT based on KE. Combined with XOR and Bit Commitment (BC), we obtain better security with the help of BC's privacy and binding properties. With the help of SPHF, we obtain a fully simulatable OT which resists a non-adaptive malicious adversary in all corruption cases.
Compared to Liu's protocol, we present an OT which is secure in the standard model. Liu proposed a UC-secure OT in the random oracle (RO) model. However, practicality in the RO model is negligible. To some extent, protocols based on the RO model are less secure than protocols based on the standard model.

B. ORGANIZATION
In Section 2, we describe the notation used in this paper and some preliminaries about lattice assumptions, including LWE, error distributions and reduction relations. In Section 3, we introduce several basic primitives: Key Exchange (KE), Smooth Projective Hash Function (SPHF), Bit Commitment (BC), Zero-Knowledge Proof (ZKP), Oblivious Transfer (OT) and Universal Composability (UC). In Section 4, we introduce a UC-secure OT protocol based on Peikert's KE, XOR, BC and SPHF. In Section 5, we give the security proof. It mainly includes two phases: the key initialization and selection phase, and the key transfer and commitment phase. We mainly apply simulation tools to prove security against a non-adaptive malicious adversary. In Section 6, we conclude.

II. PRELIMINARIES
At present, there are five families of cryptographic systems that resist quantum attacks: lattice-based, code-based, multivariate-based, hash-based and supersingular isogeny-based. Due to its flexible structure and rich functionality, lattice cryptography is the most common type. Almost all classical cryptographic primitives can be implemented in lattice cryptography.

A. BASIC NOTATION
As a certain algebraic structure, the lattice has an important role in post-quantum cryptography. It mainly includes CVP, SVP, SIS, LWE and their variants. As a discrete additive subgroup, we denote a lattice by L, generated by a linearly independent lattice basis B. We denote by q an integer, which is usually a prime. Define Z as the ring of integers, and Z^+ as the set of positive integers.
Define the quotient ring Z_q = Z/qZ, with Z_q = {0, 1, ..., q − 1}. Z_q[x] denotes polynomials of dimension n whose coefficients lie in Z_q. Since an ideal lattice corresponds to a polynomial ring, we denote R_f = Z_q[x]/(f(x)), where f(x) is a monic polynomial of degree n. Generally speaking, we apply a monic and irreducible polynomial f. In most cases we use f(x) = x^n + 1, a polynomial of degree n, with n a power of 2: n = 2^k, k ∈ Z^+, and q = 1 mod 2n.
Define the mod function as a mod b = a − ⌊a/b⌋·b. Denote the quotient ring R_q = Z_q[x]/(x^n + 1), whose elements are polynomials of degree at most n − 1 with integer coefficients; it is also a polynomial ring.
We denote x ← X as that x samples from distribution X . In most cases, it means uniformly distribution.
Considering the lattice assumptions used in the protocols, we denote by R_i (i ∈ {1, 2, 3, ...}) the reduction algorithms, i.e. reduction oracles which reduce protocols to lattice assumptions. In most cases we mainly apply the LWE and SIS assumptions, because worst-case CVP/SVP assumptions can be reduced to average-case LWE/SIS assumptions.
A negligible function is used to describe a negligible success probability. A function f is negligible if for every positive polynomial p(n) there exists an N such that f(n) < 1/p(n) for all n > N.
Considering that an adversary A corrupts normal participants in the protocol, we denote a sequence of games Game_i (i ∈ {0, 1, 2}), which is used for simulation in the security proof. In the ideal world, we denote by S the simulator, which simulates adversary A. To model the environment, we denote by Z the environment, which sees the views of the real world and the ideal world and tries to distinguish them. We denote the real OT protocol by P in the real environment, and the ideal functionality F_OT^{1,N} in the ideal environment, which implements the function of protocol P.

B. LATTICE
A lattice can be seen as a discrete additive subgroup. A lattice can be regarded as the set of integer linear combinations of a set of linearly independent basis vectors.
LWE has the essential advantage of a worst-case to average-case reduction. Considering efficiency and practicability, some schemes based on LWE or its variants have weaker practicability on account of key and ciphertext size.

1) LWE
The learning with errors assumption mainly means that LWE pairs are indistinguishable from the uniform distribution. An LWE pair is formed by choosing a and s from the uniform distribution and e from a certain distribution, such as a Gaussian or centered binomial distribution, and outputting (a, ⟨a, s⟩ + e).

2) SEARCH-LWE
Given polynomially many LWE pairs, find the correct solution s; abbreviated S-LWE. From one point of view, given a set of polynomial equations, it is difficult to solve for s.

3) DECISION-LWE
Given polynomially many samples, distinguishing LWE pairs from the uniform distribution succeeds only with negligible probability; abbreviated D-LWE. Assuming q = poly(n) and that there exists an algorithm which can distinguish a certain distribution χ from the uniform distribution, then there is an algorithm which can solve for s in LWE pairs [69]. Considering the difficulty of solving for s, the probability of successfully distinguishing the certain distribution from the uniform distribution is negligible.

6) CENTERED BINOMIAL DISTRIBUTION
The probability of outputting 0 is 1/2, and the probability of outputting +1 or −1 is 1/4 each.

C. IDEAL LATTICE
Considering that an ideal lattice basis has the cyclic property, a lattice can be constructed from an ideal lattice basis. An ordinary lattice can be constructed from different bases, so a suitable basis must be chosen in applications. Comparatively, an ideal lattice, which is constructed only from an ideal basis, is better suited than an ordinary lattice to Public Key Cryptosystems (PKC). As a variant of the lattice, the ideal lattice has many advantages in PKC: it shortens the length of keys and ciphertexts and has better communication efficiency.

1) RLWE
The ring learning with errors assumption can be seen as the LWE problem over an ideal lattice. A certain distribution χ means sampling from R_q according to a distribution function, such as Gaussian sampling or centered binomial sampling. For random s ∈ R_q and a certain distribution χ, input a ∈ R_q, e ← χ, and output (a, b = a·s + e) ∈ R_q × R_q. When R = Z, RLWE is plain LWE.

III. BASIC PRIMITIVES
A. KEY EXCHANGE
1) DIFFIE-HELLMAN KEY EXCHANGE
Diffie and Hellman proposed key exchange (KE) based on the discrete logarithm. After choosing suitable parameters, the KE cryptosystem runs as follows: sender Alice sends A = g^a to receiver Bob, and Bob sends B = g^b to Alice. Then Alice computes B^a and Bob computes A^b. Finally both of them obtain the same key g^{ab} [70].

2) POST-QUANTUM KE
More KE protocols were proposed based on number-theoretic assumptions, such as RSA, bilinear pairings and elliptic curves, in the style of Diffie-Hellman KE. To defend against possible quantum attacks, cryptographers proposed KE protocols which resist quantum attacks. NIST called for post-quantum scheme submissions in 2016. After two rounds of the competition, four kinds of schemes remain: lattice-based, code-based, multivariate-based and hash-based. Considering lattice cryptography for resisting quantum attacks, we mainly apply KE based on lattice assumptions.

3) PEIKERT'S KE
This reconciliation mechanism was proposed and proved by Peikert. For 2 ) mod q mod 2. Define the Cha function as follows: If q is even, the corresponding function is rec : We introduce the rec function when q is even; the other case is similar.
Considering that the modulus is even during key exchange, we mainly use several functions to achieve key exchange bit by bit. For a better understanding of key exchange under an even modulus and an odd modulus, we briefly introduce key exchange with an even modulus q ≥ 4. Considering that the modular rounding function ⌊v⌉_2 = ⌊(2/q)·v⌉ mod 2 mainly applies on I_b and q/2 + I_b, we calculate the values of the functions on the different sets.
For a better understanding of this reconciliation mechanism, several theorems are cited from [71], as follows.
Lemma 1: When q is an even integer and v is uniformly random in R_q, the rounded bit ⌊v⌉_2 is uniformly random given the cross-rounding ⟨v⟩_2.
Lemma 2: When q is an even integer,
The above is the case of an even modulus; next we introduce the case of an odd modulus. Considering practical applications in security, we mainly use an odd modulus. To better understand key exchange with an odd modulus, we first introduced key exchange with an even modulus. To apply the even-modulus design to an odd modulus, we make use of the function dbl(v) = 2v − ē to complete the transition between the even and odd modulus. Notice that the sender should apply the rec function to 2us.

B. SMOOTH PROJECTIVE HASH FUNCTION
A Smooth Projective Hash Function (SPHF) is based on a hard subset membership problem. Given a set U (which mainly refers to a distribution on U) and an NP-language D ⊂ U, the hardness assumption is that a random element of D is indistinguishable from a random element of U \ D.
An SPHF has two keys, a hash key and a projection key. These keys are closely related to the SPHF's requirements and properties. Define K_h as the hash key and K_p as the projection key. Define the SPHF as a hash function H :
Standard Property: Given the hash key K_h and a random element x from U, the user can compute the value of the hash function.
Projection Property: Given the projection key K_p and a random element y from D, the user can compute the unique value of the hash function H(K_p, y).
Smoothness Property: Given the projection key K_p and a random element y from U \ D, the value of the hash function is indistinguishable from a random value. That is, {y ∈ U \ D, H(K_p, y)} and {y ∈ U \ D, v ← {0, 1}^n} are indistinguishable.

C. BIT COMMITMENT
We introduce Bit Commitment schemes between a sender and a receiver. A scheme mainly includes two phases: the Commit Phase and the Reveal (Decommit) Phase. Bit Commitment (BC) schemes are used by the sender to commit to some message in the Commit Phase. Then this commitment is opened to the receiver in the Reveal Phase.
Commit Phase: The sender makes a commitment to a bit σ and sends this commitment to the receiver. The receiver has no information about σ.
Decommit (Reveal) Phase: The sender proves that the commitment mentioned above corresponds to the bit σ, and the sender cannot modify the value of σ.
Bit Commitment schemes should satisfy three properties: correctness, privacy and binding.
Correctness Property: If the sender and receiver honestly run the BC protocol, the receiver obtains the correct bit σ committed by the sender.
Privacy/Hiding Property: In the Commit phase, the receiver has no information about σ. Define the event E as the adversary distinguishing Y_0 from Y_1; it holds that Pr[E] < negl(n) for any adversary.
Binding Property: In the Decommit phase, the receiver obtains only a unique σ, and the sender cannot modify the value of σ. It holds that Pr[Commit(M_i) = Commit(M_{1−i})] < negl(n) for any adversary.
Symmetric algorithms and hash functions are commonly used to construct BC schemes. Considering BC schemes based on lattices, we can apply a BC which is tied to lattice assumptions.

D. ZERO-KNOWLEDGE PROOF
The interactive zero-knowledge proof was first proposed by Goldwasser, and then Blum modified it and proposed the non-interactive zero-knowledge proof. Currently, the best-known zero-knowledge proof protocols for lattices are of the Stern type and the Fiat-Shamir with abort (FSWA) type. In 2019, Yang et al. [72] proposed a zero-knowledge proof protocol for lattice-related relations, which overcomes the high soundness error of the Stern type and the low efficiency of the FSWA type.
In brief, a zero-knowledge proof protocol has two parties, a prover (certifier) and a verifier. It mainly includes the process of proof and the process of verification. Turing machines are often used in the formal security proof. We obtain evidence that an assertion is true, but the process of finding the evidence is not disclosed.
A complete zero-knowledge proof protocol satisfies the following three properties. We mainly consider an interactive system <P, V> for a relation L, which includes a prover P and a verifier V.
Completeness: From the prover's view, correct assertions can be proved, and wrong assertions are invalid. It holds ∀x ∈ L, Pr[<P, V>(x)
Soundness: From the verifier's view, if the prover cheats and gives a deceptive argument, the verifier will not be deceived by the prover's proof. It holds that ∀x ∉ L, Pr[<A, V>(x) = 1] < negl(n) for any adversary A.
Zero Knowledge: The verifier is convinced of correct statements without learning anything else. The verifier can only obtain the result of the relevant statement and cannot get any other useful information.

E. OBLIVIOUS TRANSFER
Oblivious transfer (OT) is a common basic and underlying protocol in secure multi-party computation (MPC). We briefly introduce OT_N^1. The sender sends N messages to the receiver, who obtains only the chosen message. The sender does not know which message the receiver chooses to receive.
In general, when designing an OT protocol, we need to use an ideal functionality for the OT function in the security proof phase. Next, we briefly introduce the ideal functionality F_OT^{1,N} implementing the OT_N^1 functionality. We mainly consider the case N = 2. If so, the sender sends M_i to the receiver and stops running the program. If no information exists, the receiver receives nothing.

2) ATTACK TYPES
From the perspective of the participants, there are four attack types to consider: only the sender is corrupted by the adversary; only the receiver is corrupted by the adversary; both the sender and the receiver are corrupted by the adversary; and neither the sender nor the receiver is corrupted by the adversary.

F. UNIVERSALLY COMPOSABLE
The UC framework was proposed by Canetti [53], together with the composition theorem. When analyzing security, a protocol is first analyzed in isolation. After it meets the security requirements, the composition theorem is applied to run it in parallel with other protocols in a composite environment, and the overall protocol remains secure. The UC framework greatly simplifies the security definition and security proof of composite protocols, and is very suitable for complex network settings. In this paper, we mainly consider generalized composition, which refers to the composition of different cryptographic protocols. Specifically, we consider the security of the composition of a key exchange protocol, a bit commitment protocol and an oblivious transfer protocol under the UC framework.
It mainly aims to analyze the security of composite protocols based on the indistinguishability between the real process and the ideal process. In the real environment, the participants P_i, the adversary A and the environment Z interact with each other to complete the real protocol P. Correspondingly, in the ideal environment, the participants P_i, the simulator S and the environment Z interact with each other to complete the ideal functionality F.
1) UC SECURITY [53]
Protocol P achieves UC security if the following conditions are satisfied. For the interaction between the real adversary A and protocol P in the real environment Z, there is an ideal simulated adversary S interacting with the ideal functionality F. Protocol P achieves UC security when the real execution and the ideal execution are indistinguishable to the environment.

IV. UC-SECURE OT PROTOCOL
This protocol includes a key exchange phase and an encryption phase. The key exchange phase is mainly based on two mathematical functions, a random function and a reconciliation function. First, the sender and receiver obtain the same initial key. The sender applies the Commitment algorithm, and the receiver verifies the commitment value. Next, the sender and receiver decide whether the protocol continues or stops.
Commitment: The sender commits to the two keys K_sk0 and K_sk1 using a random value l. Then the receiver commits to the obtained K_sk using the same random value l. The commitment scheme consists of the KeyGen, Commit and Open algorithms. Considering the security of the post-quantum OT scheme, we mainly apply a commitment scheme based on the LWE assumption. The sender sends two commitments Y_0, Y_1 to the receiver, and the receiver also makes a commitment Y to the initial key K_sk. Both the sender and the receiver can open the commitments they made themselves. The receiver checks whether one of the two commitments matches its own commitment.
Verify: The receiver applies the algorithm Verify(Y_0, Y_1, Y) = β, β ∈ {0, 1}, and verifies whether Y = Y_0 or Y = Y_1. When β = 1, it means Y = Y_0 or Y = Y_1: the sender and receiver obtained the same initial key, so the sender can continue running the protocol. When β = 0, the sender and receiver did not obtain the same initial key, so the sender stops running the protocol.
Then the Smooth Projective Hash function is used to obtain the final key. With the help of the Enc scheme, the sender computes a ciphertext for the two messages, and the receiver decrypts the ciphertext. Considering the construction of post-quantum OT, the Enc and Dec algorithms can apply the SPH system, which is related to the lattice SPHF and mainly based on the LWE assumption [73]. Since we propose a UC-secure OT, we give a brief introduction to the Enc and Dec algorithms.
In this part, we mainly introduce an approximate Smooth Projective Hash system. In the previous section, we introduced the SPHF, which satisfies several properties. Due to the projection and smoothness properties, the SPHF is applied in the Key Exchange Phase. Considering the security of the whole protocol, we apply a CCA-secure encryption scheme based on the approximate SPH system [73].
Lemma 4 [42]: Given parameters q ≥ 2 and m ≥ 4n log_2 q, there is a PPT algorithm TrapSamp(1^n, q, m) which outputs matrices B ∈ Z_q^{m×n}, T ∈ Z^{m×m} satisfying two requirements: ‖t_i‖ ≤ 4√m and TB = 0 (mod q); and the distribution of B is statistically indistinguishable from uniform. There is a PPT algorithm BDDSolve(T, z) such that: if there exists a vector s ∈ Z^m satisfying dist(z, Bs) ≤ √q/4, it outputs s; if dist(z, Bs) > √q/4 for every s ∈ Z^m, it outputs ⊥.

A. CCA-SECURE ENCRYPTION
We mainly apply an CCA-secure encryption for our protocol [73]. Next, we'll introduce this encryption scheme. This encryption scheme mainly includes KeyGeneration, Encryption and Decryption algorithms, which is mainly based on LWE's assumption. VOLUME 8, 2020 Parameters: Let n be the security parameter, and l be the message length. Denote q as the modulus of the system. Denote m and n + l + 1 as the dimension of matrices. Considering Gaussian distribution β .
KeyGeneration: Apply TrapSamp algorithm to obtain Encryption: Given message M ∈ Z l q , encrypt M under public key pk. In addition to (pk, sk), sender apply signature scheme SigKeyGen to obtain (VK , SK ). Denote matrix A VK as A 1,VK 1 , · · · , A n,VK n . Then sample s from uniform distribution and sample error vector x from Gaussian distribution β . Next compute y = A VK · (s, 1, M ) + x(mod q) and σ = Sign SK (y). Finally outputs ciphertext C = (VK , y, σ ).
Decryption: Firstly parse ciphertext C as (VK , y, σ ), and verify whether σ is a corresponding signature on y. If the verification is wrong, outputs ⊥. If the verification is correct, continue next step. Then parse y as (y 0 , y 1 , · · · , y n ) , y i ∈ Z m q . Then continue the loop algorithm's operation as follows: then output M /a and stop. otherwise try next value of a. end if all values of a, output ⊥.
2. The sender inputs the hash key (e_1, e_2, ..., e_k) and the ciphertext

3. The receiver inputs a projected key (u_1, u_2, ..., u_k), a ciphertext C = (y, M) and a witness s ∈ Z_q^n, computes

and outputs H(C, s) = b_1 b_2 ··· b_k.

The sender and receiver apply the SPHF to derive the final key. The sender uses the hash key to obtain two indistinguishable keys K_0 and K_1, and then uses the projection key to obtain the final key K_σ.
The sender and receiver then run the approximate-SPH hash system. First, they run approximate-SPH.KeyGeneration to obtain (pk, sk). The sender uses the hash key pk to obtain the signature y and the ciphertext C, and sends y and C to the receiver. Second, the receiver verifies the signature y: if it verifies, the protocol continues; otherwise the process stops.

KEM.Gen(a):
The sender samples s, e from the distribution χ and computes b = as + e. The sender also samples a random value t and sends b, t to the receiver.

KEM.Encaps(a, b):
The receiver samples s_1, e_1, e_2 from the distribution χ and computes u = as_1 + e_1 and v = bs_1 + e_2. The receiver applies the randomized doubling function v̄ = dbl(v) = 2v − ē (ē ∈ χ) and then the cross-rounding function f = ⟨v̄⟩_2 = ⌊(4/q) · v̄⌋ mod 2. Finally the receiver computes A = (u + σt) ⊕ b, σ ∈ {0, 1}, and sends A, f to the sender.

KEM.Decaps(s, (u, f)):

The sender applies the reconciliation function rec to compute K^sk_0 = rec(2W_0 s, f) and K^sk_1 = rec(2W_1 s, f). The receiver applies the modular rounding function K^sk = ⌊v̄⌉_2 to obtain its initial key, which equals either K^sk_0 or K^sk_1.

Commit and Verify:

The sender computes commitments to the two initial keys K^sk_0 and K^sk_1: it chooses a random value l from the uniform distribution, obtains Y_0 = Commit(K^sk_0, l) and Y_1 = Commit(K^sk_1, l), and sends Y_0, Y_1 and l to the receiver. The receiver commits to K^sk, obtaining Y = Commit(K^sk, l), and runs Verify(Y_0, Y_1, Y) = β, β ∈ {0, 1}, which checks whether Y = Y_0 or Y = Y_1. If β = 1, then Y = Y_0 or Y = Y_1: sender and receiver hold the same initial key, and the sender continues the protocol. If β = 0, sender and receiver do not hold the same initial key, and the sender stops the protocol.

Smooth Projective Hash function :
The sender applies the smooth projective hash function for better randomness. First, the sender samples r from a random distribution, computes K_σ = SPHF(K^sk_σ, r), and sends SPHF, r to the receiver. Second, the receiver uses the same SPHF and the same random r to compute the hash value: it computes K_σ = SPHF(K^sk, r) and checks whether it obtains the same hash value. If so, sender and receiver use the final key K_σ in the next step.

Enc:

The sender computes C_0 = Enc(K_0, M_0) and C_1 = Enc(K_1, M_1) for the two messages and sends C_0, C_1 to the receiver.

Dec:

Finally, the receiver computes M_σ = Dec(K_σ, C_σ) to obtain the corresponding message.
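As an added, runnable illustration of the KEM.Gen / KEM.Encaps / KEM.Decaps exchange, the Commit and Verify check, the final-key derivation and the Enc/Dec step described above (example code written for this page, not the authors' implementation): it works in the toy ring Z_q[x]/(x^n + 1) with n = 16, q = 521 and ternary noise, values far too small for security. The doubling, cross-rounding and reconciliation functions follow Peikert's definitions over Z_{2q} and are assumed to be the dbl, f and rec the paper uses; Commit is instantiated as a SHA-256 hash of the key and the nonce l, SPHF as an HMAC keyed with r, and Enc/Dec as a one-time pad, all of which are stand-ins for the paper's primitives. The noise bound of this toy instance (|v − W_σ s| ≤ 2n + 1 per coefficient, hence |v̄ − 2W_σ s| ≤ 4n + 3 ≤ ⌊q/4⌋) makes reconciliation succeed deterministically, so the Verify step always returns β = 1 here.

```python
"""Toy run of the key-exchange OT protocol: KEM.Gen, KEM.Encaps, KEM.Decaps,
Commit/Verify, final-key derivation, Enc and Dec.  Illustrative only: the ring
parameters are tiny and Commit/SPHF/Enc are stand-in instantiations (assumptions)."""
import hashlib
import hmac
import secrets

N, Q = 16, 521   # ring R_q = Z_Q[x]/(x^N + 1); toy parameters (assumption, not secure)
# Public ring element a shared by both parties (constructed, fixed for reproducibility).
A_PUBLIC = [(37 * i + 11) % Q for i in range(N)]

def ring_mul(a, b):
    """Negacyclic product in Z_Q[x]/(x^N + 1), coefficients reduced mod Q."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                out[k] = (out[k] + ai * bj) % Q
            else:                      # x^N = -1
                out[k - N] = (out[k - N] - ai * bj) % Q
    return out

def ring_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def ring_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def sample_chi():                      # error distribution chi: ternary coefficients
    return [secrets.randbelow(3) - 1 for _ in range(N)]

def sample_uniform():                  # U(R_q)
    return [secrets.randbelow(Q) for _ in range(N)]

# Rounding helpers over Z_{2Q} (Peikert-style; assumed to match the paper's dbl, f and rec).
def dbl(v):                            # v_bar = 2v - e_bar, e_bar in {-1, 0, 1}
    return [(2 * x - (secrets.randbelow(3) - 1)) % (2 * Q) for x in v]

def cross_round(vbar):                 # f = <v_bar>_2 = floor(2 v_bar / Q) mod 2
    return [(2 * x // Q) % 2 for x in vbar]

def mod_round(vbar):                   # K^sk = round(v_bar / Q) mod 2
    return [((2 * x + Q) // (2 * Q)) % 2 for x in vbar]

def rec(w2, f):
    """rec(2w, f): bit is 0 iff 2w lies in I_f + E (mod 2Q), with E = [-Q/4, Q/4)."""
    tol = Q // 4
    bits = []
    for x, fb in zip(w2, f):
        lo, hi = (0, (Q - 1) // 2) if fb == 0 else (-((Q - 1) // 2), -1)
        span = hi - lo + 2 * tol
        bits.append(0 if (x - (lo - tol)) % (2 * Q) <= span else 1)
    return bits

def kem_gen():                         # KEM.Gen(a): sender keeps s, sends (b, t)
    s, e = sample_chi(), sample_chi()
    b = ring_add(ring_mul(A_PUBLIC, s), e)
    return s, b, sample_uniform()

def kem_encaps(b, t, sigma):           # KEM.Encaps(a, b): receiver with choice bit sigma
    s1, e1, e2 = sample_chi(), sample_chi(), sample_chi()
    u = ring_add(ring_mul(A_PUBLIC, s1), e1)
    v = ring_add(ring_mul(b, s1), e2)
    vbar = dbl(v)
    A = ring_add(u, t) if sigma else u          # A = u + sigma * t
    return A, cross_round(vbar), mod_round(vbar)   # sends (A, f), keeps K^sk

def kem_decaps(s, t, A, f):            # KEM.Decaps: sender derives both candidate keys
    W0, W1 = A, ring_sub(A, t)
    k0 = rec([2 * x for x in ring_mul(W0, s)], f)
    k1 = rec([2 * x for x in ring_mul(W1, s)], f)
    return k0, k1

def commit(key_bits, l):               # Commit(K, l): hash commitment (assumed instantiation)
    return hashlib.sha256(bytes(key_bits) + l).digest()

def verify(y0, y1, y):                 # Verify(Y0, Y1, Y) = beta
    return 1 if y in (y0, y1) else 0

def final_key(k_sk, r):                # stand-in for SPHF(K^sk, r)
    return hmac.new(r, bytes(k_sk), hashlib.sha256).digest()

def enc(key, msg):                     # one-time pad; |msg| <= 32 bytes (assumption)
    return bytes(m ^ k for m, k in zip(msg, key))

dec = enc

def run_ot(m0, m1, sigma):
    """Full 1-out-of-2 OT run; returns the receiver's output and the key material."""
    s, b, t = kem_gen()
    A, f, k_sk = kem_encaps(b, t, sigma)
    k0, k1 = kem_decaps(s, t, A, f)
    l = secrets.token_bytes(16)
    if not verify(commit(k0, l), commit(k1, l), commit(k_sk, l)):
        return None                    # beta = 0: keys disagree, the sender aborts
    r = secrets.token_bytes(16)
    c0, c1 = enc(final_key(k0, r), m0), enc(final_key(k1, r), m1)
    m_sigma = dec(final_key(k_sk, r), c1 if sigma else c0)
    return {"message": m_sigma, "k0": k0, "k1": k1, "k_sk": k_sk}

def keys_agree(sigma):
    """True when the sender's K^sk_sigma equals the receiver's K^sk (correctness check)."""
    out = run_ot(b"x", b"y", sigma)
    return out is not None and out["k_sk"] == (out["k1"] if sigma else out["k0"])

if __name__ == "__main__":
    print(run_ot(b"message zero", b"message one", 1)["message"])
```

The receiver's view of the key exchange is the quantity the proofs below reason about: the sender never learns s_1, and the receiver never learns s, so the receiver can only compute K^sk from v̄ while the sender computes both K^sk_0 and K^sk_1 from A, t and s.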

V. SECURITY PROOF
This UC oblivious transfer protocol consists of two phases: the Key Initialization and Selection Phase, and the Key Transfer and Enc Phase. We first discuss the security of the first phase.

A. KEY INITIALIZATION AND SELECTION PHASE
We consider the sender's security and the receiver's security, starting with the sender's.
Sender's security means that the receiver obtains only the selected message M_σ and learns nothing about M_{1−σ}. If the receiver could obtain M_{1−σ}, it could obtain K^sk_{1−σ}. Since K^sk_{1−σ} = rec(2W_{1−σ}s, f), the secret s is crucial for computing this initial key; a receiver able to obtain K^sk_{1−σ} would be able to obtain s under the RLWE assumption, which contradicts the hardness of RLWE in lattice theory.
We use SPHF in the stage that forms the final key. Could the receiver obtain the same final key K_{1−σ} without K^sk_{1−σ}? By the collision resistance of the hash function, the receiver cannot obtain the same final key from an input different from K^sk_{1−σ}. By the smoothness property of SPHF, the receiver cannot distinguish the distribution of the SPHF value from the uniform distribution.
Next, we need to prove that the receiver cannot guess K^sk_{1−σ}.
We apply the sequence-of-games approach, constructing two games, Game_0 and Game_1.
Game_0: Game_0 is the original attack game between the given adversary and the challenger, to which the other games are compared. Note that (a, b), (a, u) and (b, v) are RLWE pairs in Game_0. Let S_i denote the event that the adversary outputs σ* with σ* = σ in Game_i, and let Pr[S_i] be its probability. In Game_0 the adversary's advantage is |Pr[S_0] − 1/2|; we denote it Adv_0, so Adv_0 ≤ |Pr[S_0] − 1/2|.

Game_1: The challenger sends b, t (b = as + e) to the adversary, and the adversary sends u ← U(R_q), v ← U(R_q) to the challenger; that is, the adversary replaces the RLWE pairs (a, u) and (b, v), where u = as_1 + e_1 and v = bs_1 + e_2, by uniformly random u, v. In Game_1 the adversary's advantage is |Pr[S_1] − 1/2|; we denote it Adv_1, so Adv_1 ≤ |Pr[S_1] − 1/2|.
(a, u) and (b, v) are RLWE pairs in Game_0 and uniformly random pairs in Game_1. By the Decision-RLWE assumption and the difference between Game_0 and Game_1, there is a reduction algorithm R_1: when its inputs u and v form RLWE pairs it produces Game_0's output, and when u and v are uniformly distributed it produces Game_1's output. We define Adv_{R_1} as the probability that the adversary succeeds in R_1, that is, succeeds in distinguishing the RLWE distribution from the uniform distribution.
The probability of success in R_1 is negligible due to the hardness of Decision-RLWE. Hence Adv_{R_1} ≤ |Pr[S_1] − Pr[S_0]|, and by the indistinguishability of the RLWE distribution from the uniform distribution, Adv_{R_1} is negligible.
This completes the proof of the sender's security. Next we turn to the receiver's security.
The whole protocol has four rounds; the receiver sends A, f to the sender in the second round and may reveal information there, so we need to prove the receiver's security. Equivalently, we must show that the adversary cannot obtain useful information about the selected bit.
First we prove that the selected bit is not revealed by A and f, again via the sequence-of-games approach. Both f = ⟨v̄⟩_2 and v̄ ← dbl(v) depend on v, and v = bs_1 + e_2 depends on the secret s_1.
If f revealed information about the secret s_1, the search-RLWE problem would be solvable, which contradicts the assumed hardness in lattice theory. We now give a proof of the receiver's security under the search-RLWE and decision-RLWE assumptions via the sequence-of-games approach.
We construct a sequence of three games, Game_0, Game_1 and Game_2.
Game_0: This Game_0 is the same as the Game_0 of the sender's proof; we restate it to make the process of the receiver's security easier to follow. Game_0 is the original attack game between the given adversary and the challenger. Note that (a, b), (a, u) and (b, v) are RLWE pairs in Game_0. Let S_i denote the event that the adversary outputs σ* equal to the selected bit σ in Game_i, and let Pr[S_i] be its probability.
In Game_0 the adversary's advantage is |Pr[S_0] − 1/2|; we denote it Adv_0, so Adv_0 ≤ |Pr[S_0] − 1/2|.

Game_1: The challenger sends b, t with b ← U(R_q) to the adversary, in place of b = as + e in Game_0. In Game_1 the adversary's advantage is |Pr[S_1] − 1/2|; we denote it Adv_1, so Adv_1 ≤ |Pr[S_1] − 1/2|.
(a, b) is an RLWE pair in Game_0 and a uniformly random pair in Game_1. By the Decision-RLWE assumption and the difference between Game_0 and Game_1, there is a reduction algorithm R_2: when its input b forms an RLWE pair it produces Game_0's output, and when b is uniformly distributed it produces Game_1's output. We define Adv_{R_2} as the probability that the adversary succeeds in R_2, that is, succeeds in distinguishing the RLWE distribution from the uniform distribution.
The probability of success in R_2 is negligible due to the hardness of Decision-RLWE. Hence Adv_{R_2} ≤ |Pr[S_1] − Pr[S_0]|, and by the indistinguishability of the RLWE distribution from the uniform distribution, Adv_{R_2} is negligible.
Game_2: The challenger sends u, v with u, v ← U(R_q) to the adversary, in place of u = as_1 + e_1 and v = bs_1 + e_2 in Game_1.
(a, u) and (b, v) are RLWE pairs in Game_1, while u, v are uniformly random in Game_2. By the Decision-RLWE assumption and the difference between Game_1 and Game_2, there is a reduction algorithm R_3: when its inputs u and v form RLWE pairs it produces Game_1's output, and when u and v are uniformly distributed it produces Game_2's output. We define Adv_{R_3} as the probability that the adversary succeeds in R_3, that is, succeeds in distinguishing the RLWE distribution from the uniform distribution.
Due to the hardness of Decision-RLWE, the probability of success in R_3 is negligible. Hence Adv_{R_3} ≤ |Pr[S_2] − Pr[S_1]|, and by the indistinguishability of the RLWE distribution from the uniform distribution, Adv_{R_3} is negligible.
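The way the reduction steps combine into a bound on the adversary's original advantage, written out as an added derivation (not part of the paper) in the paper's own symbols, for the receiver's three games above and, as the two-game special case, for the sender's games Game_0 and Game_1 earlier. Each reduction R_j succeeds exactly when it tells its two neighbouring games apart, so its advantage equals the gap between the two success probabilities, and the triangle inequality gives:

```latex
\begin{aligned}
\mathrm{Adv}_0 &= \left|\Pr[S_0] - \tfrac12\right|
 \le \left|\Pr[S_0]-\Pr[S_1]\right| + \left|\Pr[S_1]-\Pr[S_2]\right| + \left|\Pr[S_2]-\tfrac12\right| \\
 &= \mathrm{Adv}_{R_2} + \mathrm{Adv}_{R_3} + \left|\Pr[S_2]-\tfrac12\right|
 \qquad\text{(receiver's security, three games)}\\[4pt]
\mathrm{Adv}_0 &\le \left|\Pr[S_0]-\Pr[S_1]\right| + \left|\Pr[S_1]-\tfrac12\right|
 = \mathrm{Adv}_{R_1} + \mathrm{Adv}_1
 \qquad\text{(sender's security, two games)}
\end{aligned}
```

Since Adv_{R_1}, Adv_{R_2} and Adv_{R_3} are each negligible under Decision-RLWE, the adversary's advantage in the original game exceeds its advantage in the final game, where the RLWE samples have been replaced by uniform ones, by at most a negligible amount.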
So we have proven that the selected bit σ is not revealed by f. Second, we prove that A does not reveal the selected bit.
For better understanding, let

Since (a, u) with u = as_1 + e_1 is an RLWE pair, u and u + t (t ∈ U(R_q)) are indistinguishable. By the RLWE assumption, A_0 and A_1 are indistinguishable from the sender's view, and similarly W_0 and W_1 are indistinguishable from the sender's view. So the selected bit σ is not revealed by A.
This completes the proof of the receiver's security.

B. KEY TRANSFER AND ENC PHASE
To better understand the key transfer phase, we include the step in which the receiver sends A, f to the sender, and explain how the initial key is obtained from this step.
We (2W_1 s, f). We consider two cases of indistinguishability. In the first case, σ = 0, we have K^sk_0 = rec(2W_0 s, f) = rec(2us, f) and K^sk_1 = rec(2W_1 s, f) = rec(2(u − t)s, f). Since u and u − t are indistinguishable, and by the properties of the reconciliation function, K^sk_0 and K^sk_1 are indistinguishable.
In the second case, σ = 1, we have K^sk_0 = rec(2W_0 s, f) = rec(2(u + t)s, f) and K^sk_1 = rec(2W_1 s, f) = rec(2us, f). Since u + t and u are indistinguishable, and by the properties of the reconciliation function, K^sk_0 and K^sk_1 are indistinguishable.
The sender sends b, t to the receiver and the receiver sends A, f to the sender; then both obtain the same initial key. Since RLWE pairs are indistinguishable from random values, combining the reconciliation function with the modular rounding function yields the initial key without revealing any information. After receiving A, f, the sender computes K^sk_0 = rec(2W_0 s, f) and K^sk_1 = rec(2W_1 s, f). The receiver does not know the sender's secret s, so it cannot compute K^sk_σ this way; instead it obtains its initial key K^sk with the modular rounding function applied to v̄. Since v̄ = 2v − ē and ē is uniformly distributed, the sender learns nothing about v̄.
From the receiver's point of view, the receiver gives the sender the information needed to obtain the initial key without leaking information; this reflects the zero-knowledge property. If the sender cheats and sends deceptive b, t, the receiver returns the corresponding A, f, the two parties fail to obtain the same initial key and the protocol terminates; this reflects the soundness property. If sender and receiver run the protocol honestly, both obtain the same final key; this reflects the completeness property.
Combining the indistinguishability of the RLWE distribution from the uniform distribution with the special properties of SPHF, we obtain two indistinguishable keys. By the projection and smoothness properties of the smooth projective hash function, we obtain K_0 = H(K^sk_0, r) and

Now consider the Enc phase. The sender encrypts M_0, M_1 for the receiver: it sends C_0 = Enc(K_0, M_0) and C_1 = Enc(K_1, M_1), computed under the two different keys K_0, K_1. The receiver runs Dec to obtain M_σ = Dec(K_σ, C_σ), decrypting only C_σ.
If sender and receiver run the whole protocol honestly, the receiver obtains the correct M_σ. In the Enc phase the sender has no information about σ. In the Dec phase the receiver obtains only the value of M_σ and has no information about M_{1−σ}.

C. SIMULATION
The protocol's UC security is shown against a malicious adversary under static corruption, over authenticated channels between the participants. The SPHF hash function is modeled by a standard oracle, which is used in the simulation proof.
We use an ideal functionality to prove the security of the protocol. In the real world, a participant P_i corrupted by the adversary A interacts with the other parties according to the designed protocol P. In the ideal world, the ideal adversary interacts with the other parties through the ideal functionality. We consider the simulation between the oblivious transfer protocol and the ideal functionality F_OT^{1,N}. Consider the interaction between sender P_1 and receiver P_2 in the real and ideal worlds, together with the adversary A in the real world and the simulator S in the ideal world. An environment Z is invoked to distinguish the ideal world from the real world; the views in the ideal and real worlds are denoted IDEAL_{F_OT,S,Z} and EXEC_{P,A,Z}.
Let F_OT be the ideal functionality implementing OT, P an OT protocol, A any real-world adversary and S the ideal-world simulator. If for every environment Z we have IDEAL_{F_OT,S,Z} ≈ EXEC_{P,A,Z} (computationally indistinguishable), then protocol P is UC-secure.
We consider four cases: first, the adversary corrupts the sender; second, the adversary corrupts the receiver; third, the adversary corrupts both the sender and the receiver; fourth, neither the sender nor the receiver is corrupted.
To establish the designed protocol's security in the universal composable model, we need to construct a simulator in the ideal environment.

1) WHEN SENDER IS CORRUPTED
When the sender P_1 is corrupted by the adversary A, we denote the corrupted sender by P_1^*. Our task is to show that, for any environment Z, the interaction between P_1^* and P_2 in the real world is indistinguishable from the interaction between S and P_2 in the ideal world.
The simulator S sees P_1^*'s queries to the hash function SPHF. Because SPHF has the projection property, S can use the stored keys to decrypt the ciphertexts.
We construct the simulator S as follows:
1. Before interacting with P_1^*, the simulator S answers the standard oracle's queries.
2. P_1^* sends b and t to the simulator S.
3. The simulator S chooses s_3, e_3 from the uniform distribution, computes u = as_3 + e_3, v = bs_1 + e_2, v̄ ← dbl(v), f = ⟨v̄⟩_2, and sends A, f to P_1^*. S makes two commitments to K^sk_i, i ∈ {0, 1}, and sends the two commitment values Y_i to P_2. P_1^* queries K_i = SPHF(K^sk_i, r) to obtain K_i, i ∈ {0, 1}. S stores (K^sk_i, K_i) in order to decrypt P_1^*'s ciphertexts.
4. P_1^* outputs (C_0, C_1) to the simulator S; S uses Dec(K_i, C_i) to obtain M_i, and otherwise outputs nothing and halts.
5. The simulator S outputs (M_0, M_1) to the ideal functionality F_OT.
From the view of any environment Z, combined with the simulator S, we need to prove the indistinguishability of IDEAL_{F_OT,S,Z} and EXEC_{P,A,Z}. P_1^* sends (b, t) to S, and S simulates the receiver's message (A, f) to P_1^*. By the receiver's security shown above, the (A, f) generated by S is indistinguishable from the (A, f) generated by the receiver P_2.
Since RLWE pairs are pseudo-uniformly distributed, we obtain IDEAL_{F_OT,S,Z} ≈ EXEC_{P,A,Z} (computationally indistinguishable).

2) WHEN RECEIVER IS CORRUPTED
When the receiver P_2 is corrupted by the adversary A, we denote the corrupted receiver by P_2^*. Our task is to show that, for any environment Z, the interaction between P_1 and P_2^* in the real world is indistinguishable from the interaction between P_1 and S in the ideal world.
First, the simulator S interacts with P_2^*: S sends b = as + e and a t selected from the distribution to P_2^*, in order to extract P_2^*'s input, the selected bit i. Once S is activated in the ideal world, it sends i to the ideal functionality F_OT to obtain M_i.
Second, the simulator S, acting as the sender P_1, sends (C_0, C_1) to P_2^*. Since S sees P_2^*'s queries to the reconciliation function and to the hash function SPHF, S can extract the corresponding selected bit i.
Third, we construct the simulator S as follows:
1. Before interacting with P_2^*, the simulator S answers the standard oracle's queries.
2. The simulator S computes b = as + e, with s, e selected from the uniform distribution.
3. The simulator S receives A and f from the corrupted receiver P_2^*.
4. After receiving (A, f) from P_2^*, the simulator S invokes the reconciliation function K^sk_i = rec(2W_i s, f) according to the designed protocol P. S verifies the commitment from the sender P_1; when Verify outputs β = 1 the protocol continues. S checks whether K^sk_0 = rec(2W_0 s, f) has been queried to the hash function SPHF, and thereby obtains the corresponding selected bit i ∈ {0, 1}.
The ciphertext pair (C_0, C_1) produced by the simulator S and the pair produced by the sender P_1 are indistinguishable. P_2^* may query the random oracle to obtain the final key K_i, i ∈ {0, 1}; this would mean that P_2^* also invokes the reconciliation function to obtain the initial key K^sk_i, i ∈ {0, 1} (K^sk_0 = rec(2W_0 s, f)).
But this contradicts the s-RLWE assumption: the sender P_1 holds a secret s used in the reconciliation function rec(), P_2^* has no information about s, and so P_2^* cannot obtain the corresponding key. Since the RLWE distribution is indistinguishable from the uniform random distribution, (b, t) from the sender P_1 and (b, t) from the simulator S are indistinguishable.
We obtain IDEAL_{F_OT,S,Z} ≈ EXEC_{P,A,Z} (computationally indistinguishable).

3) WHEN BOTH SENDER AND RECEIVER ARE CORRUPTED
When both parties are corrupted, by the two cases above the simulator S only needs to simulate copies of the information generated by the adversary's attack. Generally speaking, the combination of the above two corruptions is straightforward.

4) WHEN NEITHER SENDER NOR RECEIVER IS CORRUPTED
The communication channel between sender and receiver is authenticated and public, but not secret, so the adversary A can observe the information exchanged between the two parties. We construct a simulator S that simulates (b, t), (A, f), (Y_0, Y_1, l), (SPHF, r) and (C_0, C_1).
We construct the simulator S as follows:
1. S samples s, e, s_1, e_1, e_2, t, r from the uniform distribution and computes b = as + e. S sends (b, t) to P_2.
By the indistinguishability of the RLWE distribution from the uniform distribution, combined with the smoothness property of the SPHF hash function and the binding property of the bit commitment, (b, t), (A, f) and (C_0, C_1) in the real world are indistinguishable from those simulated in the ideal world. We obtain IDEAL_{F_OT,S,Z} ≈ EXEC_{P,A,Z} (computationally indistinguishable).

VI. CONCLUSION
For post-quantum oblivious transfer in the universal composable model, we apply key exchange to obtain post-quantum OT. We also apply the properties of the Smooth Projective Hash Function for the security of the designed protocol, which can be modeled effectively by a standard oracle. Combined with bit commitment, we obtain a commitment that can only be verified by an honest receiver. Through the application of the SPH system, the Enc and Dec algorithms resist quantum attacks, which is more secure in the post-quantum era. Combining the sequence of games with full simulation, we give a series of security proofs. In brief, the sender's security follows from the S-RLWE assumption, which ensures the privacy of the messages, and the receiver's security follows from the D-RLWE assumption, which ensures the privacy of the selected bit. Oblivious transfer based on NTRUEncrypt is a possible direction for future work.
DING HANGCHAO received the master's degree from the School of Mathematics, Shandong University, Jinan, China, in 2016, where she is currently pursuing the Ph.D. degree in cyberspace security. Her research interests include information security and cryptography, especially post-quantum cryptography based on lattices. She is a member of CACR.
HAN JIANG received the master's and Ph.D. degrees from the School of Computer Science and Technology, Shandong University, Jinan, China, in 2005 and 2008, respectively. He is currently an Associate Professor with Shandong University. His main interests include cryptography and information security, especially secure multi-party computation. He is a member of CACR.
QIULIANG XU received the master's and Ph.D. degrees from Shandong University, Jinan, China, in 1985 and 1999, respectively. He is currently a Professor and a Ph.D. Supervisor with Shandong University, where he has been since 1985. He is also a Syndic of the Chinese Association for Cryptologic Research. His main interests include public key cryptography and multi-party secure computation. He holds several Science Foundations and Key Program of China.