 So, if anybody arrives late, maybe you miss the announcement, there will be at quarter to six some walking caravan, leaving for the organ concert. There are also some buses, but we encourage people to walk, since there are not enough buses. Okay. Okay, so next talk is dynamic collusion bounded functional encryption from identity based encryption. George Lu will be giving the talk, and this is joint work with Richard Garg and Rishabh Goyal and Brad Waters. Okay, yeah. Hello. I'm George. So, yeah, as she said, our work is on dynamic collusion bounded functional encryption from identity based encryption. So, we can start with the concept, many of you are probably already pretty familiar, which is just plain old functional encryption. Oh, I don't know. So, in this setting, you have like a setup algorithm, and a key gen, which produces secret keys associated with a particular function, and sort of like any public key primitive, you can encrypt with the public key and decrypt with the secret keys. And so, what makes functional encryption functional is that even though you encrypt sort of just like any public key encryption, when you decrypt a particular function key, what you produce is not the message itself, but the evaluation of that message on the function associated with that function key. And so, what this should, and you know, depending on what this function is, you may reveal like more or less about the underlying message, but for a functional encryption scheme to be secure, it should sort of be the case that this function is all you learn about when you decrypt. So, how to capture this idea a bit more formally is with this simulation security game, where an adversary gets to request a ciphertext and a bunch of function keys, and they shouldn't be able to tell if these were produced by an honest, honestly using the encrypt algorithm and the key gen algorithm, or if there was actually a simulator, which doesn't actually know the message itself, but only knows the evaluation of the message on those functions, and has to simulate the keys and ciphertext in this way. So, there have been, you know, functional encryption has turned out to be like a pretty cool concept, a lot of people like it, but the sort of downside is that at least as I've described here, functional encryption has turned out to be pretty hard to construct. So, an actual relaxation of this was the definition of bounded collusion functional encryption, which for like correctness purpose, correctness works almost exactly the same as regular functional encryption. The only syntactical difference is that at setup time, you also take in this collusion bound Q, and you only sort of guarantee security as long as an adversary gets to see Q or less keys. So, bounded collusion functional encryption has also turned out to be a pretty successful definition. It turns out it is actually much easier to construct than functional encryption, and it actually does come up in a lot of applications where you want something sort of like functional encryption, but, you know, maybe not quite as strong. And, yeah, there's been a bunch of works in this area, and just to elaborate a little bit further on the easier to construct part, in the case of bounded collusion functional encryption, we can actually already know how to construct it for all polynomial size circuits just from public key encryption, which is pretty much like the best you can hope for in something in a case like this. I guess, unfortunately, it's pretty clear that this is not functional encryption, and from sort of a practical perspective, having this collusion bound is pretty limiting. So, at setup time, you have to decide what your collusion bound is. You have to have some foresight on how you're actually going to be using your functional encryption system. And if you, you know, an adversary happens to get their hand on more than Q keys somehow, then you're like, there's no security at all in your system. And finally, you know, even when you, since it's a public key system, there could be multiple encryptors, and they all have to sort of, you know, agree. Yeah, this seems like a reasonable Q value to use in this system. So, we can also look at bounded collusion functional encryption, or I guess functional encryption in general from a bit more of a theoretical perspective. So, I think a couple of sides ago I said that turns out like full functional encryption is pretty hard to construct. And in fact, using the simulation definition that I've given, unbound like fully collusion resistant functional encryption is actually impossible. So, I won't go into too much detail on how this result is actually shown, but the basic intuition is that the sim, since the simulator doesn't know the message itself, when it's trying, when it needs to simulate the ciphertext, it needs to program in all the, all the function outputs into the ciphertext. And so, what the like impossibility result sort of actually rules out is any sort of simulation security, even for bounded, bounded collusion functional encryption when your ciphertext is sub-linear in your number of keys. And as a brief like side note as well, some of you may be aware there's also an indistinguishability based definition of functional encryption, which I guess fortunately is actually constructable. But even in this case, you can sort of see that when you when you try to force it to be sub-linear in your collusion bound, it's, it gives you the full the full like collusion resistant functional encryption, which we only know how to realize from like fairly hard cryptographic assumptions. We're in contrast, if we allow our scheme to grow linearly, these, the, the prior works actually achieve like linear dependence in your collusion bound. So it seems like this is like a pretty tight, you know, we're pretty, this is like pretty tight results, right? Like if it's sub-linear, we, it's either impossible or like you can only realize from IO and if it's linear, we can get it from public key encryption, right? But where there's like this slight gap here is that these impossibility results only really care about the, or talk about the ciphertext size, right? And so this sort of brings us to the definition that we introduce in our paper, which is a dynamic bounded collusion function, collusion functional encryption. And so whereas a normal, so it's a pretty simple change, whereas a normal functional encryption in normal bounded collusion functional encryption, which I think we'll refer to as like static bounded collusion functional encryption from now on, the collusion bound is specified at setup time. Instead we can just move this collusion bound to encrypt time because that's when, you know, your ciphertext is actually generated. And so notice here that now you're set up in key-gen algorithms have to like run independently or like without knowledge of this collusion bound. So this kind of, this is kind of like a bit of a stronger notion and it does solve these like practicality, I guess, issues with static bounded collusion functional encryption since, you know, at setup time you don't have to worry about any of this collusion bounded stuff at all. And moreover, like if you have different encryptors they can even like choose different collusion bounds to encrypt their messages too. So, right. In our paper what we get is okay, first we introduce a dynamic collusion bounded FE and then we construct this primitive from IB. I guess I'd also like to mention there was a concurrent work by MBY, which says the same thing. And they also consider this problem of dynamic FE in the uniform model for like Turing machines where they get some results from LWB. Okay, so how do we actually get from IBE to dynamic FE? So we have a couple transformations. So even though it says we start with IBE sort of maybe a better way to think about it is we start with, you know, these existing constructions of static FE schemes and we really want to like, you know, make the key gen and set up more efficient so that it can become dynamic. So starting with using IBE in some of these static schemes let's us build this intermediate primitive we call a tag functional encryption. And you can think about this as sort of an analog of IBE for static functional encryption where an IBE scheme is just, you know, maybe like you can think about it as like an exponential number of like public key schemes sort of sharing a single setup. Tag functional encryption scheme is sort of a bunch of static functional encryption schemes, which all share the same setup algorithm. And now once we have this tag functional encryption scheme, we also want to make, remember we also in the definition of dynamic functional encryption, your key gen also doesn't know of your collusion bound, right? So somehow your key gen algorithm also has to be efficient. And the way we do this and so our next goal I guess is to produce explicitly a static FE scheme which has an efficient setup and key gen algorithm. And basically the way we do this is we take advantage of the fact that we do have we can efficiently set up like many static FE schemes in parallel. And we use this to sort of, when we want the static FE scheme which has an efficient key gen, we just run the tagged FE scheme in parallel with a lower collusion bound but sort of more parallel instances. And then when it comes time to key gen, we only give out the key for a single one of these tagged instances of the tagged FE. And finally, once both of these algorithms are efficient, we can almost direct, we can pretty, at least in a single step, go to a dynamic functional encryption if you're, which, you know, the main change here is sort of a syntactic one where we need to move our setup algorithm, where we need to move the collusion bound from the setup algorithm to the encrypt algorithm. So I'll go over all of these steps a little bit more in detail, but that was just sort of the high level roadmap. So, okay, we can start by defining this intermediate primitive of tagged bounded functional encryption. So what this, like as I said, what this is is pretty much an analog of the, of IBE for static bounded functional encryption. So every key in ciphertext has a tag associated with it and it can only decrypt the matching tags. And sort of just like IBE, your efficiency is like poly logarithmic in the tag space. So I just emphasize how exactly this works. Notice that it really, they really are just like parallel instances of the static scheme. Even though the collusion bound here is set to two, it's okay that you gave, we gave out like seven keys in total, so long as for under, for each single tag we've given out at most our collusion bound. And you know the security I guess is only broken when you exceed that on any single tag. Okay, so to go from IBE to tag functional encryption, sort of as I said earlier, we start with some of these static bounded functional encryption schemes that are constructed from public encryption. So there's this line of work which all sort of have a similar flavor of construction. In our actual paper we use the AV-19 result to get, I guess, Q-bounded dynamic functional encryption for p slash poly, but just for like, just at a high level, these all sort of have the same overall structure which we can use. And what this is is, in the scheme, how these schemes generally work, is that if you want to produce a ciphertext for a message, you first have a universal circuit which, with the message hard-coded, which takes in a circuit and evaluates that circuit C on your message M. And then you compute a garbled circuit of this circuit. And there's also a bunch of public encryption schemes and what you do is you encrypt the input labels of your garbled circuit under each of these public encryption schemes. So when it comes time to produce a function key for some particular function, you just compute the secret keys which allow you to decrypt the input labels which will allow you to evaluate the garbled circuit at that particular C value and that gives you the and that gives you, this gives you like a some static-bounded functional encryption scheme. So since our starting point is IBE we can pretty simply just replace all these different public key schemes with a single IBE scheme and instead of, you know, encrypting to different public keys, we'll just encrypt to different identities. But once we have this, it's actually really easy to go to this tagged functional encryption, right? We just add our tag to the ID space and the sort of efficiency and security properties that we wanted from our tagged functional encryption scheme pretty much follow from the same, the corresponding like efficiency and security in an IBE scheme. So, okay. Now that we have our tag functional encryption, our next step is to go to this efficient static form and remember the main goal here is to make sure that our key gen is efficient. So how we do this is we run our tag space, like concretely is we run our tag scheme on a tag space of Q and the collusion bound equal to the security parameter. So and at key gen time instead of, you know, maybe like, I don't know what else you could do, but what you do is you just pick a random tag and you give out a key for that tag. And you can sort of argue by this like concentration bound. If you notice there's Q separate instances here. In expectation, each tag will only get one key. You can concentration bound the probability that any tag gets more than lambda with like negligible. And of course for this to, you know, work out correctness wise, you do need to encrypt all Q of these tags. Okay. So finally, last step we have the, now that we have our efficient static scheme our goal here is just to move this Q input from setup to encrypt, right. And so this uses a pretty, we use a pretty standard powers of two trick where we run setup in key gen to sort of instantiate lambda different, lambda different static FE schemes where each of these schemes is run on like collusion bound which are the powers of two. And remember since our setup in key gen are efficient now, it's all right that this goes up to exponential and your security parameter. And since there's only lambda of them, even running all of these is efficient. And when it comes time to encrypt and now you know your collusion bound, you can just pick the power of, the closest power of two larger than your security parameter and just encrypt to that scheme. Okay. So to summarize, we introduce dynamic founded functional encryption and build it from IBE. And then I can, I guess I'll end off with a couple of open directions that this paper leaves. So one is we is transforming any static FE scheme to dynamic. So you know there's been a you know if you remember from like the prior work slide or something, there's been like many schemes in the static setting and you know, our transformation here, you know, takes advantage of like a particular you know, a particular structure in like the GVW or AV style static FE schemes. But suppose you know tomorrow someone came out with like some like completely new like static scheme, which maybe works in either has some like cool property or works in some different like on some different like model of computation, like how much work would it be like to make that dynamic. And we actually have a work on at least making progress towards this on going from static to our like intermediate tag notion generically. And another question is if you remember, we had this motivation of sort of closing this gap between the negative and positive results of in terms of bounded collusion functional encryption and you know a possible future and something else to explore might be like how could this maybe even further be closed. So for example, there's a couple bounded collusion schemes where the dependence on the collusion bound is additive. And like can this be sort of either done like even better or like more generically. And yeah, that is it for my talk. Thank you very much. Any questions in the audience? Okay, so I guess we'll close the session now remember that there is a walking caravan quarter to six living at the front to go to the organ concert and there are buses you can find the information on the buses at the website but remember there is no place for everyone in the classes. Thank you.