 Hi, so this is a giant talk with my supervisor, Kira Magaldric. So I'm going to talk about multi-key leveled FHE and multi-identity FHE. So the two main results that we have is, first of all, we have a multi-identity leveled FHE scheme. So what that means is that previous identity-based FHE scheme, so there was one in particular by Gentry in CryptoTest in 2013, and it only supports evaluation on CypherTex that have the same identity. So if you encrypt your CypherTex with the same identity, you can only do evaluation on those. So we want to be able to extend that so you could do evaluation on CypherTex with different identities, Crypto with different identities. So that's our first result. The second result is probably more practical applications and that's multi-key FHE. So that's in the public key model and we do that from LWE. And so this scheme supports a polynomial number of keys. You can specify how many you need. So just the syntax, first of all, for multi-identity IBFHE. I know it's kind of long to say. So the syntax, first of all, so to set up key-gen algorithms are standard from IB and save and encrypt and decrypt and evaluate just takes in a circuit and a bunch of sequences of CypherTex and it outputs the evaluated CypherTex. So the syntax is pretty straightforward. I guess the only maybe change that I guess is different from IB would be the decryption algorithm which takes in a sequence of secret keys. So that's for to decrypt something in the built-in key setting. You need every user to contribute their secret key for a giant decryption. That's the only change in syntax, really, that's working, noting there. So I'm going to, first of all, get to the basics of our construction which is the GSW scheme from the test in 2013. So in GSW, CypherTex is simply an M by N matrix and all its entries are small. So it's typically a binary matrix. And then a secret key for an entity is an n-dimensional vector. So we'll get to see, first of all, we can encrypt small messages. So typically we encrypt messages in zero and one space. We encrypt bits typically. And we say matrix encrypts a value mu if we multiply it by the secret key vector and we end up getting a scaled multiple of the secret key vector plus some small nice vector. And so this can be viewed as an approximate eigenvector. So it's a nice simple scheme and it has some very interesting properties. First of all, an additive homomorphism is quite simple to achieve. You simply add the two matrices and you see that you get the encryption of their sum. And then the same with the multiplicative homomorphism straight forward enough as well. So we get both of those. So we're going to start off with a warm-up construction just to give an example of how we do this. So again, our main goal is to allow evaluation on CypherTex that are encrypted with different entities. So let's say you've got someone encrypts a message with ID1, for example, someone else encrypts a message with ID2. And we'd like to be able to do some computation on both these CypherTex together and get the right results. So we'd like to be able to run a circuit that takes inputs regardless of what the identity is. So you can either encrypt it with an identity 1 or an identity 2. So this is a simple warm-up version. So our goal is at the end is to produce a 2n by 2n matrix. So in this case, it usually just would generalize to dn by dn where d is the number of identities you have. So in this simple case, we have a 2n by 2n matrix that we get at the end. So our goal is to try to produce this 2n by 2n matrix. And we know that its size is just going to depend polynomially on the number of distinct identities. So in this case, the number of distinct identities is 2. So we're going to allow the size to depend on that. And that's because we need to have encoded some information about the identity. So intuitively, we have to require that size condition. So the high-level sketch shows, and again, before we get into any concrete details, what we do is we try to, first of all, transform both the inputs CypherTex, C1 and C2. We try to transform them into what we call an expanded matrix. And again, this is going to be 2n by 2n. And then we're going to try to use the properties we've seen from GSW, the additive and multiplicative homomorphism. And we can evaluate a circuit then, gate by gate. So we evaluate a full circuit as normal. So we would evaluate starting with the expanded CypherTex instead of the fresh CypherTex as you would do in GSW. So the only difference there is that we're dealing with larger matrices. And that's the only performance difference that we get in for the evaluation. And of course, this is what I said before. It generalizes completely to any number of distinct identities, any polynomial number of distinct identities. I might come back to these in a while. We're going to review some basic operations that are at the core of the GSW construction. And we also use them in our scheme as well. So one of them is bit decomposition. And the idea of bit decomposition is bit decomposition. It takes in a vector and it outputs a larger vector. And it consists of its representation of bits. So from least significant to most significant. And then we've done inverse algorithm that we can define as well which does the opposite except it's also defined for any binary input. So it ends up recomputing whatever initial value was before we converted to binary. So this is just for binary decomposition and just for going the other way around. Flatten is a very similar algorithm, a bit decomp accepted. It applies the inverse algorithm first and then it flattens it out. It just transforms it into bits. Parts of 2 takes in a vector and it outputs an indimensional vector. In this case, it multiplies everything by all the parts of 2. So it's an easy way to do multiplication where we'll see that later. And then we can also define these algorithms over matrix inputs. Instead of taking vectors as arguments, they can take in matrices. In that case, we just apply the algorithm to every row in the matrix. So we have two simple properties here. Just to point out. The first one, if we take any bit decomposition of a vector along with the parts and we take the inner product with the parts of 2, we're going to get the inner product. And the second one as well, if we flatten a particular vector and we take the inner product with the parts of 2 of another vector, we end up getting their product. So these are quite useful properties that we'll get to later. So just an overview then of... So what GSW did in their interpapering it's two years ago now, they put forward an attribute base and an identity-based FHE scheme. And they have a compiler that works with any IAB scheme that has been based on learning with errors can be compiled into an identity-based FHE scheme. So they have a simple compiler and it requires the scheme to satisfy tree-basic properties. So we have to have the cybertext and secret key vectors. They have to be... And the extra constraint there is that the first coefficient which is usually the case of the secret key vector is 1. The second property is that we need a small dot product. So if we have an encryption of 0 when we decrypt we should get something quite small. And then finally, a security requirement is indistinguishability from uniform under the hardness of LWE. And as I said, all the schemes I know of anyway, all the LWE schemes satisfy these properties so they can be compiled into an FHE scheme. And the only limitation of the GSW approach to the motivation for this work was that it was restricted to just single identity. So it could only do evaluation on cybertext with the same identity. So if we have a scheme, as we mentioned, that satisfies these properties, we can use the GSW compiler and we can get an FHE scheme. The scheme is quite... It's quite simple of an adaptation. So first of all, the secret keys... You take the secret key vector that you get from the underlying scheme. So I'm going to call it E here. So the underlying scheme is E, the LWE-based scheme. You take the secret key vector and you run powers of two and we end up getting another vector for secret key which you'll have larger coefficients and that's what we'll use for decryption. To encrypt any bit under a similar identity ID, we essentially generate... So n is the size of the matrix. So we have to generate n different encryptions of zero. So each encryption is zero. We will use the E scheme. And so for each... What we do is we take that matrix that we get from all the encryptions of zero and we bit decompose it so we get the bit representation of it and then we finally add it to a scale version of the identity matrix. So this is to add on the plaintext. And then we finally flatten it down so we end up with binary entries in the matrix. So this is quite a nice scheme and it has some nice traits that because we can be flattened every time, denies doesn't get too big. So we want to try to extend this approach to the multi-identity setting so where we can have any number of identities being specified so any number and no restriction on that. So we're going to, first of all, take a look at some of the intuition behind this. So how a compiler for multi-identity IPFHG would work. So let's say we have two ciphertext C1 and C2 and they each encrypt mu1 and mu2. And let's say we've got two secret keys. So this is the underlying scheme E. So we've got the two underlying secret keys are S1 and S2 and the recipients can each compute the larger vector v1 and v2 that can be derived from S1 and S2. And it's going to hold, as we saw earlier, this property is going to hold where we get the product of the matrix on a vector and we end up getting a scaled vector plus some noise. So this will hold and we can perform any evaluation we want on C1 and C2 together. That's our aim. We want to be able to do anything we want on these two ciphertexts, even though they're encrypted with different identities. And as we said, we want this size of the ciphertext. It should only grow with the number of distinct identities. So in this case, if ID1 is not equal to ID2, we have two distinct identities, so it's going to grow with two. So to come back to this condition as well, that is the size of the pen polynomial on D. So these typically are our parameter. So the first thing we have to do is we have to transform the matrix that we get into an expanded matrix. And so let's say we take any input matrix that, as we said, encrypts new under ID1, for example. And we're going to denote by C hat its expanded matrix. So this is going to be the larger form. And in this case, it'll be this simple example. It'll be 2n by 2n. So we want this expanded matrix to satisfy this. If we take the concatenation of the two, the vertical concatenation of the two secret key vectors, V1 and V2, and we multiply it by C, we should get the plain text by the concatenated secret key vector, plus some nice. So this is all we want to achieve. So we have to be able to construct a C hat that satisfies this. So we could actually just view our larger expanded matrix as consisting of four sub matrices. And we can denote these, so Cij for the idrone j column. And we can look at this simple equation here, and we can simplify the top part of it easily if we set the top quadrant of our C hat matrix to simply C. And then we set the 1, we set the 1, 1, 1, 2 entry, so the top right entry to 0. And this will satisfy the top part of the equation. The second part could be satisfied if we need to find some x and y. Some matrices x and y, there'll be binary matrices. So we need to find two binary matrices x and y such that we can solve this. So we should be able... We need to solve this equation. So this is the main technical challenge of the paper, trying to find x and y that will work here. So for the moment, we're just going to take a step back and just abstract away from how we actually find the solution matrices x and y. And so we're just going to assume we've got this abstraction. We're going to call it a masking system. And the idea of a masking system is that we want to be able to generate something we call a universal mask. So the idea of a universal mask is that you have a recipient's identity. You have some identity that you're sending your message to and you specify that and you specify what the message is along with the public parameters and you get back what I call a universal mask U. So you get this information U and we should be able to use U then to derive matrices x and y. So solution matrices x and y based on some other arbitrary identity. So some other identity ID prime. It could be anything. This is not chosen by the encryptor. It will be chosen by the evaluator. So there will be any arbitrary identity. We should be able to derive an x and y such that the equation there is satisfied. So that's the idea of the masking system. So we're going to use this as a building block for the moment to describe our compiler and then we'll come back to how we concretely construct our masking system. So just first of all, what should it satisfy? Well, the correctness condition is fairly straightforward. So we need that equation back there to be satisfied and we also need the R to be bounded in some way. So we've got an expansion polynomial associated with every masking system and usually this is quite a low. It's usually linear. It's quite a low degree polynomial. So that blows up the denies that we get. So we have to keep our eyes under this limit. The security property then is that it's similar to standard selective security or adaptive security game. And the only change is that instead of giving us a challenge of hypertext, we give the universal matrix U. So that's simply the only difference. So these are the security requirements. Again, the main challenge of course is trying to prove this secure and we'll get back to our concrete masking system in a while. So just the abstract compiler then just using the masking system. So the four properties in total and we need the tree that we inherited before. So these are the tree that GSW requires, the top tree and then the fourth requirement is our masking system. So we need whatever scheme, LWE based scheme we're using, here we're calling it E for example. In whatever E we're using we need to find a masking system that is correct and is secure for E. So far we've only been able to find the identity-based setting anyway. A single LWE scheme where we can get a masking system, we construct a masking system for... We seem to fail at constructing it for most other schemes. We'll get maybe some of those reasons later. So the abstractly down the compiler to set up is going to be the same as whatever the E scheme is, the same with key generation and again you specify how many maximum number of identities you want to support. So if you want to support like let's say evaluation of up to 100 different identities you set that as the large D parameter. And to encrypt the message you simply output the universal mask. So you use the masking system to generate the universal mask and you output that. So encryption is pretty straightforward. Evaluation then simply takes in a sequence of ciphertexts. Each ciphertext simply consists of the identity that it corresponds to and along with the universal mask, the last component there, the last component. So then what we do is we actually take the number we take all of the ciphertexts that have come in and we look at the number of distinct identities. So you could have like you could have all the ciphertexts belonging to the same identity or they could all belong to different identities or it could be a mix. So we just calculate the number of distinct identities and we're going to relabel them here just for simplicity. So we're going to just call them ID1 to IDD. So before then we can do our evaluation. We need to transform the ciphertext into a DN by DN matrix, expanded matrix. So we take just an example here. We take just any arbitrary ciphertext. Let's say it has IDR. So R is its index out of how many number of distinct ones there are. And we start by setting C hat. So C hat's going to be our final expanded matrix. We set to zero. And then we simply run an algorithm for every single identity in our set. We use the derived mask algorithm for our masking system with that particular identity identifier. So we use that to get our X and Y. And then we simply set the sub matrices in C hat to... Along the diagonal we set it to YI and then whatever index we have, we set the other position we add on XI. And again this will make a bit more sense in a while, but this is simply a generalization of the case we had earlier for two identities. So now we're going to try and describe the masking system. And I'm probably going to run out of time and I don't have as much technical detail in there as maybe I could have had. Hopefully I can try to explain it best I can with these slides. So we take any recipient's identity and again ID prime is going to be some other identity. And in this case we're going to relax it. We're going to relax the requirement and we're going to let the encryptor choose what that identity is, what ID prime is. So we'll let the encryptor choose that. And so again we need to find row vectors in this case that satisfy the equation that we had. So we need to find XI and YI that satisfy this equation. So we can start off, one way of doing this is we can generate YI as a GSW encryption of zero. So just a vector encryption of zero under the identity ID prime. So remember ID prime is whatever our target is. So we're going to just look at the structure and this is where I'm missing some of the technical detail because I haven't given you background on the GPV system. So the GPV is the LWB based scheme we're actually using here to construct the masking system first. So we're using, GPV is the only one we can get it was compatible with. So would I explain the details of GPV if you haven't seen it before? I can just give you an overview essentially what YI will look like. It'll look like adding on the plain text to a bit decomposition of and then you've got the GPV ciphertext. And you can think of that as having two components. The first component, if you can think of it as a scalar and the second component as a vector. And typically we usually have some randomness vector R and we once that up by our public matrix A and we add on a nice vector. So it's a standard LWB based scheme. And the first component then consists of whatever the user's identity is. So in this case we're representing it by ZID prime and we get the inner product of ZID prime with the randomness vector R and again we add on some nice. So that's typically what a GPV ciphertext will look like. So we could also instead generate YI as similar except instead of having the first component of the GPV ciphertext as we had before we're going to just change that to zero. So we're just going to replace it with zero. And so effectively what we're doing is we're stripping out the first number of columns of our matrix. So this will happen for the full Y matrix. We'll be stripping out all the columns. But we need to be able to we have to replace them somewhere because if we take the inner product of our new YI with our secret key vector we're going to have a factor that we need to cancel out. We're going to have this product, the inner product ZID R that's going to be left. So we need to somehow get that in and try to cancel it out. So that in roughly speaking that's what we're going to have to try to do. So we need to try to cancel out this term the inner product of ZID prime and R. And one way we can do this is that when you got the inner product with XI and your secret key vector you ended up getting this exact inner product. So you can easily straightforwardly do this by blinding it. So just getting a GBV encryption of zero and adding it on to whatever the value is you want to blind. So when you're blind it's just hiding it in a way that you can't recover an outright later which you can unblind it effectively. So this allows us to use this approach that we have back on the slide back here. So we're able to we're able to straightforwardly remove a number of columns and we're able to fill in that value where we removed it across to the other matrix where it will be canceled out when we get the inner product with that secret key vector. So it's just we're we're moving across matrices and the idea of it is that otherwise we would violate semantic security quite easily here. We need to be able to hide the plain text and require the recipient's secret key vector to get anything information about that. So for convenience just for simplicity we could define an algorithm blind. It simply takes in the value you want to blind. So some element of your ring along with the targeted identity and the outputs it flattens simply the first vector where it adds the first component to the value that you want to blind. So that's quite straightforward algorithm. So then to provide an XI counterpart, something that works with the YI that we generated already we simply have to set XI as a blinding of this inner product set ID prime and R. So we have to blind in a product and we simply set X to that. So this so far will actually get us a very straightforward masking system. But the only limitation that we have is the encryptor has to choose what the other person's identity is. So if it's they have to know in advance what the other person's identity will be and that we want to be able to remove that restriction. We'd like that the evaluator could simply choose any identity. Sorry to interrupt but we're running four minutes late and the next session is going to start very soon and we need to switch the track. Can you wrap up? Sorry, this is my last slide. Sorry about that. So the only change we have to make here to work for all identities is that we have to somehow generalize it so that we can blind this product set ID prime or for any ID prime. That's chosen at any stage. We need to do that. So we need to be able to provide more information in our universal mask to do this. And one way of doing it is to simply fill in the property that we saw earlier that we could take the 50 comp and powers of two together and get the product. So what if we just blinded each coefficient of powers of two and then you could just take a subset sum then whatever your decomposition is simply you simply take a subset sum and you get the dinner product. So that's just one straight forward way of doing it. And this gets us... Sorry, we have to stop. Thank you.