Hello, my name is Akim Unel, I am a PhD student at ETH Zurich. When I started my PhD two years ago, my supervisor said to me: Hey, we have compact functional encryption schemes for quadratic polynomials from pairings. Also, we have this very nice assumption called learning with errors with very nice mathematical properties. Why don't you try to achieve compact functional encryption schemes for quadratic polynomials from this assumption, learning with errors? Naive as I was at that time, I thought, oh yeah, that sounds doable. However, several very frustrating months later, I realized that it's very hard to construct new functional encryption schemes from lattice-based assumptions. So I gave up and I asked myself: okay, there are probably a lot of people who are way more competent than me working on this subject right now. And still, we don't know any new functional encryption schemes from lattice-based assumptions beyond inner product encryption. Are there maybe any inherent reasons why this task is so complicated, or maybe impossible? This question led to a paper which I'm going to present here. Learning with errors is a cryptographic hardness assumption which states that an adversary cannot distinguish a rectangular random matrix over Z_q with an arbitrarily high number of rows from another random matrix of the same shape where the last column is a secret linear combination of the other columns plus a small Gaussian noise vector. Despite the Gaussian noise added to the last column of the random matrix, it is possible to exploit the homomorphic properties of this assumption and construct very powerful cryptographic primitives, for example fully homomorphic encryption, lockable obfuscation, attribute-based encryption and many more. But what about functional encryption? In fact, if we compare schemes from lattice-based assumptions and from bilinear groups, then we see that lattice-based schemes are far behind pairing-based ones.
While inner product encryption can be achieved by both types of assumptions, there are no lattice-based function-hiding inner product encryption schemes. Further, we can achieve compact functional encryption schemes for quadratic polynomials from pairings, but not from lattice-based assumptions. However, here the list of functional encryption schemes stops. At the current moment, we cannot construct provably secure compact functional encryption for cubic polynomials from any standard assumption. Why are those schemes interesting? Because we know they would imply indistinguishability obfuscation. For the sake of completeness, we should also mention that we can always convert an inner product encryption scheme to a non-compact functional encryption scheme for constant-degree polynomials by linearizing the corresponding polynomials. Also, in this list, we omitted all kinds of identity- and attribute-based encryption schemes and also functional encryption schemes with a bounded number of secret keys. In this talk, we will focus on function-hiding inner product encryption. The big question is: what hinders us from constructing function-hiding inner product encryption schemes whose security can be proven solely from the learning with errors assumption? We will not definitively answer this question here, but we will give some intuition which mathematical obstacles make the task of constructing lattice-based, function-hiding functional encryption schemes hard. Let us first define inner product encryption schemes. We will look here only at symmetric schemes. A secret-key inner product encryption scheme enables the functionality of computing a scalar product modulo p. Messages and functions are both n-dimensional vectors over Z_p. On input a security parameter lambda, the setup algorithm computes a master secret key.
With this master secret key, we can encrypt messages via the encryption algorithm and compute secret keys for function vectors via the key generation algorithm. Given a ciphertext for a message x and a secret key for a function vector y, the decryption algorithm can now decrypt to the scalar product of x and y modulo p. We call an inner product encryption scheme correct if its decryption algorithm outputs the correct result with overwhelming probability. We call an inner product encryption scheme selectively function-hiding, indistinguishable under chosen plaintext attacks (IND-CPA) secure for M secret keys if the advantage of each PPT adversary A in the following security game is negligible in the security parameter lambda. First, the adversary computes T candidate messages for world zero and world one and M candidate functions for world zero and world one. T is a polynomial which depends on the size of the adversary, while M is an arbitrary fixed parameter. The adversary submits all candidate messages and functions to a challenger. Then the challenger draws a random bit b, computes the ciphertexts and secret keys of the messages and functions of world b and sends them back to the adversary. The adversary can now perform arbitrary computations. At the end, he has to guess in which world he lives. He wins a run of this game if he guesses correctly and if the candidate messages and functions don't tell him trivially in which world he lived. His advantage is twice his success probability minus one. For some parameter M, which may depend on lambda, we say the scheme is selectively M-function-hiding IND-CPA secure if the advantage of each PPT adversary is negligible. If an inner product encryption scheme is selectively M-function-hiding IND-CPA secure for each polynomial M(lambda), then it is secure for an unbounded number of secret keys, and we just omit the M from the security notion.
Now imagine we would know that there are no lattice-based function-hiding inner product encryption schemes and we would want to prove this fact. Since we know that there are pairing-based function-hiding IPE schemes, we cannot show unconditionally that there are no function-hiding inner product encryption schemes. Instead, the term lattice-based has to exclude such pairing-based schemes. Therefore, our idea is to replace the term lattice-based by concrete mathematical requirements on encryption and decryption, which are motivated by popular design patterns in lattice-based crypto schemes. In most lattice-based functional encryption schemes, but also in lattice-based identity- and attribute-based schemes, ciphertexts and secret keys are vectors over Z_q for some exterior modulus q, and the message space is a vector space over Z_p. Also, in most cases, to decrypt a ciphertext with a secret key, we have to compute the inner product of both modulo q, divide it by the ratio q/p and round it to the nearest element in Z_p. We will call this procedure linear decryption. In almost all lattice-based functional, identity-based and attribute-based encryption schemes, the encryption procedure can be split into two parts, an offline and an online part. The offline part is very complex, but independent of the input message, and serves to sample some complex randomness. The online part is very simple and applies the output of the offline part to the input message in an algebraically simple way. We will model this property as follows. The offline part is encapsulated in an algorithm, Enc-off, which, on input the master secret key, samples multivariate integer polynomials of total degree D for some constant D. The online part then evaluates these polynomials at the input message x, reduces their values modulo q and outputs them as a ciphertext for x. We call such an encryption procedure online-offline of depth D.
We can now state the main result of our work. We prove that an inner product encryption scheme with linear decryption and offline-online encryption of constant depth cannot be selectively function-hiding IND-CPA secure for an unbounded number of secret keys. In our paper, we can even give an upper bound M for the maximum number of secret keys which can be handed out to the adversary before he can launch an attack. However, this result does not hold unconditionally. We need that the exterior and interior moduli fulfil some requirements. But since these requirements are not atypical for lattice-based schemes, we do not think that this limits the intuition which is provided by our result. Before we can talk about the proof of this result, we need some more notions and terms for offline-online encryption. We said that a functional encryption scheme is of depth D if its encryption algorithm splits into an offline and an online part. The offline part samples a number of multivariate integer polynomials of total degree D, and the online part evaluates them at the input message x and reduces their values modulo q. Since the online part reduces their values modulo q, we call this an encryption procedure of depth D over Z_q. If no arithmetic reduction happens in the online part, however, then we call this an encryption procedure of depth D over the integers. Further, if we have an encryption algorithm of depth D over Z, then its generated ciphertexts are just vectors over the integers. We say the encryption algorithm is of width B if, with overwhelming probability, the infinity norm of a ciphertext is bounded by B, that is, if the absolute value of each entry of a ciphertext is smaller than B. If our ciphertexts are vectors over Z_q, then we say the encryption algorithm is of width B if the absolute value of each entry of a ciphertext is bounded by B, where we identify Z_q with the integers centered around zero.
Okay, so how do we prove our main result here? We have to show that for each inner product encryption scheme, there is a PPT adversary who wins the selective function-hiding IND-CPA security game with non-negligible advantage by querying secret keys for M plus one function vectors. Instead of directly constructing an adversary, we prove this result in three steps. First, we show that each (M plus one)-function-hiding IND-CPA secure inner product encryption scheme of constant depth can be transformed by an adversary to a secure secret-key encryption scheme of width q/p and of constant depth. Note that this secret-key encryption scheme is of polynomial width, since we require that q/p is bounded by a polynomial. In a second step, we show that an adversary can then transform this IND-CPA secure secret-key encryption scheme over Z_q to a secret-key encryption scheme over the integers with constant depth and polynomial width. Finally, we construct a general adversary who can break the IND-CPA security of each secret-key encryption scheme of constant depth and polynomial width over the integers by performing statistical tests. All together, this proves that there can be no function-hiding IND-CPA secure inner product encryption scheme with linear decryption and offline-online encryption. We want to very roughly sketch each of the steps and give vague ideas which properties we exploit in which step. In the first step, the adversary has to transform a function-hiding IPE scheme of constant depth with linear decryption to a secret-key encryption scheme of constant depth and width q/p. First note that each inner product encryption scheme is already a secret-key encryption scheme. Also note that both schemes are of constant depth over Z_q. So we only need to do one thing: we need to trade off the function-hiding property and the linear decryption of our IPE scheme against short ciphertexts in our SKE scheme. So how can our adversary do this?
He queries m different secret keys for the zero function vector. When we decrypt a ciphertext with such a secret key, then the result must be zero because of correctness. Therefore, we know that the inner product of each of those secret keys with a ciphertext must be small. These inner products are the decryption noises which are cut off when we round to the nearest element in Z_p. Since our IPE scheme is function-hiding, a secret key for a function vector y must look similar to the m secret keys our adversary has drawn. In fact, one can show that with non-negligible probability the secret key for an arbitrary vector y must lie in the linear space spanned by the m secret keys for the zero function. This implies that in a non-negligible number of cases the inner product of the secret key for function vector y with a ciphertext can be reconstructed from the decryption noises of the m secret keys for the zero function when applied to that ciphertext. Therefore, our idea here is to use the vector of the m decryption noises as new ciphertexts in our secret-key encryption scheme. The decryption noises are small, they can be computed by an encryption algorithm of constant depth, and they contain a non-negligible amount of information about the encrypted message x. In the second step, our adversary has to transform a secret-key encryption scheme of constant depth over Z_q and width q/p to a secret-key encryption scheme of constant depth and polynomial width over the integers. Note that both SKE schemes are of constant depth and of polynomial width. The only thing that differs is the ring over which the computations in the encryption happen. We need to go from Z_q to Z. So we have to get rid of the arithmetic reductions in the online part of the encryption algorithm. We will only extremely roughly sketch the idea of how to do this here.
The main observation is that, since our starting scheme is of bounded width, the output values of each polynomial sampled by the offline part of our starting scheme must be small when evaluated at the inputs from the message space. From this observation, we can deduce that all polynomials sampled by the offline part must have small coefficients. Now, when we evaluate a polynomial with small coefficients at a small enough input, then the output value will be bounded by q halves. In this case, there is no need to apply an arithmetic reduction modulo q, since this would not change the output value. This gives us a very rough idea how we can convert our starting scheme to a secret-key encryption scheme over the integers without any arithmetic reduction. Finally, we have to give a general adversary who can win the selective IND-CPA security game of each secret-key encryption scheme over the integers of constant depth and polynomial width. Remember that in this game, the challenger draws a random bit b, which the adversary has to guess, and that the adversary submits two sets of messages for world zero and world one, but he only receives the ciphertexts of the messages for world b. Now, for some non-zero message x, our adversary queries a lot of ciphertexts for the messages zero, b times x and x. He receives the ciphertexts for the messages zero, b times x and x without knowing b. He can now approximate the means of the squares of the entries of the ciphertexts very closely. After doing this, he looks at whether the mean of the squared entries of a ciphertext of b times x is closer to the mean of zero or closer to the mean of x, and then, depending on this, guesses if b was zero or one. To prove that the advantage of this adversary is non-negligible now just consists of a rigorous sequence of mathematical lemmas and calculations. This concludes the proof of our impossibility theorem.
We have shown that lattice-based functional encryption schemes which use popular design choices in encryption and decryption cannot be function-hiding IND-CPA secure. However, does this mean that lattice-based function-hiding functional encryption schemes cannot be secure in general? Well, we don't know. We could determine some mathematical pitfalls which will inevitably lead to insecurities. We could also show that one needs to deviate from solid constructions to avoid these pitfalls. For example, gadget matrices could be a solution here, or nested modular operations, or encryption algorithms of polynomial depth. Ring learning with errors on its own, however, will not be a solution to circumvent our impossibility theorem. All in all, the subject of functional encryption stays exciting and supposedly very hard. Thank you for watching.
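The statistical distinguisher from the last proof step, as an added Python example that is not part of the talk or the paper: the toy secret-key scheme (degree-1 integer polynomials a*x + b, no reduction modulo q), its dimension N_ENTRIES and coefficient bound COEFF_BOUND are constructed stand-ins for an arbitrary scheme over the integers of constant depth and polynomial width.

```python
"""Toy run of the mean-of-squares distinguisher against an integer SKE
scheme of constant depth and polynomial width (added example)."""
import random
import statistics

N_ENTRIES = 8       # ciphertext dimension (assumed for the toy scheme)
COEFF_BOUND = 3     # coefficients sampled from [-3, 3] (assumed)


def enc_offline(rng):
    # Offline part: message-independent randomness, here N_ENTRIES
    # depth-1 polynomials a*x + b with small integer coefficients.
    return [(rng.randint(-COEFF_BOUND, COEFF_BOUND),
             rng.randint(-COEFF_BOUND, COEFF_BOUND)) for _ in range(N_ENTRIES)]


def enc_online(polys, x):
    # Online part: evaluate each polynomial at x over Z, no reduction mod q.
    return [a * x + b for a, b in polys]


def encrypt(x, rng):
    return enc_online(enc_offline(rng), x)


def mean_square(ciphertexts):
    # Empirical mean of the squared entries over all supplied ciphertexts.
    return statistics.fmean(e * e for ct in ciphertexts for e in ct)


def distinguish(challenger, x, samples):
    # challenger(m0, m1) returns Enc(m_b) for the hidden bit b.  Submitting
    # (0,0), (0,x) and (x,x) yields Enc(0), Enc(b*x) and Enc(x), as in the talk.
    zeros = [challenger(0, 0) for _ in range(samples)]
    probes = [challenger(0, x) for _ in range(samples)]
    xs = [challenger(x, x) for _ in range(samples)]
    mu0, mu_probe, mux = mean_square(zeros), mean_square(probes), mean_square(xs)
    # Guess b = 0 if the probe mean is closer to the mean for 0, else b = 1.
    return 0 if abs(mu_probe - mu0) <= abs(mu_probe - mux) else 1


def run_game(b, x=5, samples=400, seed=1):
    # Simulate one run of the selective IND-CPA game with challenge bit b.
    rng = random.Random(seed)
    challenger = lambda m0, m1: encrypt(m1 if b else m0, rng)
    return distinguish(challenger, x, samples)


if __name__ == "__main__":
    print("guess for b=0:", run_game(0), " guess for b=1:", run_game(1))
```

For Enc(0) the squared entries average E[b^2] = 4, for Enc(5) they average 25*E[a^2] + E[b^2] = 104, so a few hundred samples already separate the two worlds.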