Hi, my name is Pratish Datta. I am a research scientist at NTT Research. I will be presenting the paper Decentralized Multi-Authority ABE for DNFs from LWE, which is joint work with my co-authors Ilan Komargodski and Brent Waters. Attribute-based encryption, or ABE for short, is an advanced variant of public-key encryption. In ABE, a secret key allows the decryption of a ciphertext if and only if some access policy is satisfied by some set of attributes. ABE has two flavors, namely key-policy and ciphertext-policy. In the key-policy setting, the secret key is associated with the policy and the ciphertext is associated with the set of attributes, and for ciphertext-policy, the roles of the policy and the attribute set are switched. In more detail, the syntax of ABE is as follows. There is a central authority who runs a setup algorithm to publish a master public key pk and keeps the corresponding master secret key msk to itself. Then there is a key generation algorithm which is also run by the central authority. In the key-policy case, it takes as input a policy f, and for ciphertext-policy, it takes as input an attribute set U. In both cases, it outputs a user secret key sk. Then there is an encryption algorithm which can be run by any party in the system to encrypt some message msg under the master public key. In the key-policy case, the encryption is done with respect to some attribute set U, and for ciphertext-policy, it is done with respect to some policy f. Finally, there is a decryption algorithm: a user possessing a secret key can take a ciphertext and decrypt it to reveal something. Correctness says that if the associated policy is satisfied by the associated set of attributes, then this decrypted something should actually be the encrypted message. And if the policy is not satisfied, then the encrypted message should remain completely hidden, even against a collusion of several users in the system.
In the case of ABE, by now we have a long sequence of exciting works which have achieved great milestones, both in the key-policy and in the ciphertext-policy setting. In the key-policy setting, starting with the initial works of Sahai and Waters 05, then Goyal, Pandey, Sahai and Waters 06, and so on. In the ciphertext-policy setting, starting with Bethencourt, Sahai and Waters 07, followed by Waters 11, and so on. In all these works, we were able to progressively achieve highly expressive access policies such as NC1 or DFAs, and also strong adaptive security and very good ciphertext and key sizes. But all these constructions are in the bilinear map setting. So we can say that in the bilinear map setting, there is little gap between the key-policy and the ciphertext-policy constructions. However, in the non-bilinear-map setting, for instance in the lattice or LWE setting, the situation is completely different. Here we are interested in the non-bilinear-map setting, and especially in the LWE setting, for two reasons. Firstly, if we can construct a scheme under various assumptions, it naturally increases the confidence in that primitive. And secondly, we are actually interested in a post-quantum secure scheme, and since LWE is believed to be post-quantum secure, we are interested in LWE-based schemes here. In the LWE-based setting, we have the works of GVW13 and BGG+14, which are in the key-policy setting, and they were able to achieve all circuits as policies. They were also able to achieve very good parameters for ciphertext and key sizes. However, in the ciphertext-policy setting of the LWE-based regime, the situation is much worse. For instance, until very recently, the only known way to get an LWE-based CP-ABE was via a universal-circuit-based generic transformation proposed in GPSW06.
However, this transformation results in schemes with very bad parameters for ciphertext and key sizes, and it also requires setting an upper bound on the policy size allowed in the system. The ciphertext and key sizes then both scale with that upper bound, which is really bad. Recently, there have been some exciting attempts by Agrawal and Yamada on this problem. In one of their schemes, they were able to remove this upper-bound restriction, but that scheme does require bilinear maps along with LWE. And in another scheme, they were able to achieve the ideal ciphertext and key size parameters, but they still require the upper bound on the policy size. So the problem of constructing CP-ABE under LWE that does not require the upper bound and at the same time achieves ideal parameters for ciphertext and key sizes is essentially open. That means there is a wide gap between the key-policy and the ciphertext-policy settings in the LWE world. We will now turn our attention to an extended version of ABE, which is called multi-authority ABE, or MA-ABE in short. As we mentioned, in the case of ABE there is a central authority that holds the master secret key and is responsible for verifying the attributes of all the users and issuing secret keys to them. However, in reality, there is no single authority who controls all the attributes. Rather, there are several authorities which control different attributes. For instance, the DMV controls the attribute for a driver's license, universities control the attribute for a PhD, and the military controls the attribute for being a veteran. In order to handle such a distributed nature of attribute possession, the MA-ABE primitive was introduced in the literature and studied in the works of Cha07, LW11, OT13, and so on.
In an MA-ABE, any party can become an authority at any point in time, and no coordination is required with any other party except for the generation of a global public parameter that is available to all the parties in the system. Different authorities control different attributes in the system, there is no bound on the number of authorities that can ever come into existence during the lifetime of the system, and all the authorities are able to issue secret keys to users for attributes under their control without any coordination with any other authority in the system. Let's consider an example. Suppose there are three authorities in the system: one is the DMV, one is a university, and another one is the military, and there are three users in the system. The first one gets a key from the DMV for a driver's license. The second and the third, both of whom have a PhD, get the corresponding keys from the university, and the third also gets a key for veteran from the military. Now consider another party who wants to encrypt two messages. It encrypts the first one under the policy "PhD AND driver's license", giving the ciphertext CT1, and the second one under the policy "PhD AND veteran", giving the ciphertext CT2. Observe that the third user, who has both the attributes PhD and veteran, is able to decrypt the ciphertext CT2. This is the correctness of the scheme. But since none of the users has the attributes for both PhD and driver's license, none of them should be able to decrypt the ciphertext CT1; this is the collusion resistance that is required from the MA-ABE scheme. The question is how a user in the system can be uniquely identified, because there are different authorities. If we cannot identify a user in the system uniquely, it may happen that a user pretends to be a different user to different authorities and succeeds in getting keys for attributes which it does not even possess.
In order to handle this, a model called the global identifier, or GID, model is considered in the literature. In this model, each user is assigned a globally verifiable identifier. This global identifier of a user remains the same for the entire lifetime of the system, and users do not have any freedom to choose their global identifiers on their own. For instance, you can consider the social security number as the global identifier of a user. Here we consider one attribute per authority. The syntax of an MA-ABE is as follows. There is a global setup algorithm which outputs the global public parameters GP. Then there is an authority setup algorithm which is run by a party when appearing as an authority. It runs this algorithm on input the global public parameters and the attribute u that it will control, and it outputs a public key PK_u for that attribute, which it publishes. It keeps the corresponding master secret key MSK_u to itself. Now, in order to generate a key for a user with global identifier GID for that attribute u, it runs the key generation algorithm and generates a secret key that is associated with GID and u, and gives it to the user. There is an encryption algorithm which is basically the same as the encryption algorithm for ABE: any party can encrypt a message under some policy f by taking as input all the authority public keys that feature in the policy and the global public parameters, to generate a ciphertext. And there is a decryption algorithm by which a user can decrypt a ciphertext by accumulating the different keys for the different attributes it obtained from the different authorities.
Note that all these secret keys have to be tied to the same global identifier GID, that is, they must belong to the same user, and the decryption outputs something. Correctness says that if the policy is satisfied, the decrypted something should be the same as the encrypted message, and if the policy is not satisfied, then the encrypted message should remain hidden; here, collusion among the users along with some corrupt authorities is allowed. We will now highlight the main works that are available in the literature before this work. One is the very celebrated result by Lewko and Waters, who constructed a scheme for NC1 that achieves adaptive security under subgroup decision assumptions in composite-order bilinear groups. Later, Okamoto and Takashima transferred this to the prime-order setting and achieved security under the DLIN assumption. Then in 2015, Rouselakis and Waters presented another scheme for NC1 which achieves only static security under a q-type assumption, but the advantage of this scheme over the previous two is that here the number of attributes per authority is essentially unbounded. Importantly, all those schemes are in the GID model and rely on a random oracle for their security. This is the scheme that we got. We were able to design a scheme for DNFs under the LWE assumption, and it achieves static security, the same as the Rouselakis-Waters scheme. Here we were able to allow a bounded number of attributes per authority. So our main result in this work is as follows. We have shown that there exists a multi-authority ABE scheme in the GID model for access policies represented as DNFs that is secure against an arbitrary collusion of parties in the random oracle model, assuming the LWE assumption. DNFs, as we know, are ORs of ANDs, and the LWE assumption that we require for this work is actually with a sub-exponential modulus-to-noise ratio. We will now highlight the main challenges in constructing a multi-authority ABE scheme.
In the case of ABE, a central authority provides keys to individuals for all the attributes in their possession. In order to achieve collusion resistance, fresh randomness is used to tie together the different key components that are specific to a user. It is required that the different key components issued to a user are compatible among themselves, but not compatible with the key components of another user. Now, in a multi-authority setting, there is no central authority. Instead, there are several authorities. Then how do we get this same randomness for tying together the different key components? The randomness to tie together the different key components is obtained by applying a hash function H to the global identifier of the user. This basically means that this randomness should be public, or publicly computable. Unfortunately, all the existing LWE-based CP-ABE schemes fail to achieve this public-randomness feature, so they cannot be readily extended to the MA-ABE setting. The second challenge is that, as we said, in an MA-ABE any party can become an authority on the fly. That means the master public key and the user secret keys should have some piecewise structure, consisting of pieces where each piece is associated with one attribute in the system. Just as for the previous property, all the existing LWE-based CP-ABE schemes currently fail to achieve this property as well. In this work, we make use of linear secret sharing schemes for representing our access policies. As we all know, a secret sharing scheme is a scheme by which it is possible to distribute some secret among a set of parties such that certain designated subsets of the parties are able to recover that secret while others cannot. A linear secret sharing scheme is a special type of secret sharing scheme where the share generation and the reconstruction processes are linear.
A linear secret sharing scheme, or LSSS, is actually equivalent to another computational model which is called a span program. A span program is represented by some matrix M and some function rho. The matrix M is a matrix of some dimension L by S over some finite field Z_q, and rho is a function which labels each row of this matrix with an element of the set of parties, in the case of a monotone LSSS, or of the set of parties together with the negations of the parties, in the case of a non-monotone LSSS. The LSSS that we use in this work requires two special properties. Firstly, the reconstruction coefficients should be small, for instance coming from the set {0, 1}. The second property is the linear independence property, which states that any unauthorized subset of rows of the share-generating matrix should be linearly independent among themselves. There was already such a non-monotone LSSS for block space implicit in the work of GVW13. This was pointed out to us after the publication of our paper on ePrint. However, in this work we also present an independent non-monotone LSSS with those same properties for NC1. There is also such a monotone LSSS for the policy class of DNFs that has been proposed in the works of Agrawal et al. and Lewko-Waters 11, and we have to use both non-monotone and monotone LSSS in this work, as we will see shortly. So currently one open problem is how to get a monotone LSSS with the two properties required for our work for a policy class larger than DNFs, for instance NC1 or more. Here I would like to mention one point: the only reason that we get our MA-ABE for DNFs is that currently we don't know a monotone LSSS with these two properties for a policy class larger than DNFs. So if in the future we get such a scheme, then our MA-ABE would directly translate to the policy class for which we get that LSSS. This is the roadmap of our work.
We first start with a non-monotone LSSS with the small-reconstruction-coefficient and linear independence properties for some policy class C, and using that we construct an LWE-based CP-ABE for the policy class C. This construction is a direct construction, not via any generic transformation, and our CP-ABE interestingly satisfies two important properties. The first is that the randomness tying together the different key components is essentially publicly computable, and the second is that the keys, meaning the public keys and the user secret keys, have the piecewise structure. As we already mentioned, these two properties are essential for the extension to a multi-authority scheme, and by virtue of these two properties we are able to extend our CP-ABE to an MA-ABE scheme. Our extension is non-generic, that is, it is not via any generic compiler but uses these special structures. For doing that, instead of using the non-monotone LSSS we use a monotone LSSS with the linear independence and small-reconstruction-coefficient properties. The reason why we have to use a monotone LSSS and not the non-monotone LSSS is that in the case of standard CP-ABE a central authority enforces the fact that a user gets a key either for an attribute or for its negation; however, in the case of MA-ABE, an adversary colluding with a corrupt authority can have both, which breaks the security of the LSSS and therefore breaks the security of the MA-ABE. Now I would like to give a somewhat informal description of our CP-ABE, avoiding several technical details which are not required for understanding the functionality and only appear in the rigorous security proof of this scheme.
First is the setup algorithm, which takes as input the security parameter and an attribute universe U, and proceeds as follows. For every attribute u in the attribute universe, it generates a matrix A_u over Z_q of dimension n by m together with its trapdoor, using the usual trapdoor sampling algorithm, and it also samples another matrix H_u for each attribute u in the attribute universe over Z_q, also of dimension n by m. It additionally samples a vector y of dimension n over Z_q. The master public key consists of all the sampled A_u and H_u matrices for all the attributes u of the attribute universe along with the vector y, and the master secret key consists of the master public key and the trapdoors for all the A_u matrices. Next is the key generation algorithm, which takes as input the master secret key and an attribute set U which is a subset of the attribute universe, and proceeds as follows. It first samples a vector t_hat of dimension m - 1 from some appropriate noise distribution and forms the vector t = (1, t_hat). Then, for each attribute u that appears in the attribute set, it computes a vector k_u which is basically a pre-image of the vector H_u t^T under the matrix A_u, that is, A_u k_u^T = H_u t^T, and for this computation it uses the trapdoor for the matrix A_u. The secret key sk_U for the set U consists of all the computed k_u vectors for all u in the set U along with the vector t. Note that the randomness tying together the different key components k_u is the vector t, and this is actually publicly computable: it does not require any secret to sample the vector t_hat and therefore the vector t. As we pointed out already, this public nature of the randomness is absolutely crucial for extending to our multi-authority scheme. Next is the encryption algorithm, which takes as input the master public key, a message msg, and an LSSS access policy (M, rho).
It proceeds as follows. Suppose M is an L by S matrix. It first samples a vector s of dimension n over Z_q and also S - 1 vectors v_2, ..., v_S of dimension m over Z_q. Next, for each row i of the matrix M, it computes vectors c_i and c_hat_i as follows: c_i is basically s A_rho(i), that is, s times the A matrix of the attribute rho(i), plus some appropriate noise, and c_hat_i is the i-th row M_i times the S by m matrix whose first row is (s y^T, 0, ..., 0) and whose remaining rows are v_2, ..., v_S, minus s H_rho(i), plus another appropriate noise. The ciphertext consists of these c_i and c_hat_i vectors along with another bit c, which is the most significant bit of the quantity s y^T XORed with msg. Next is the decryption algorithm. It takes as input a secret key sk_U for some attribute set U and a ciphertext CT. If the attribute set U does not satisfy the access policy (M, rho) associated with the ciphertext, then it outputs the failure symbol. Otherwise, it proceeds as follows. Suppose I is the set of rows of the LSSS matrix associated with the ciphertext for which the user possesses the attributes, and let the w_i be the reconstruction coefficients. In order to decrypt, the user first computes the quantity K', which is the sum over all rows i in the set I of w_i times (c_i k_rho(i)^T + c_hat_i t^T). It outputs msg', which is the most significant bit of this quantity K' XORed with c. So this is the correctness. Consider the expression c_i k_rho(i)^T + c_hat_i t^T. If you substitute the expressions for c_i and c_hat_i and ignore the noise terms, it basically becomes s A_rho(i) k_rho(i)^T + M_i times that big matrix times t^T minus s H_rho(i) t^T. Now remember that by construction A_rho(i) k_rho(i)^T is basically H_rho(i) t^T.
So by this computation the s A_rho(i) k_rho(i)^T and s H_rho(i) t^T terms cancel, and what remains, if you sum it over the rows multiplied by the reconstruction coefficients, basically gives you s y^T. This is the correctness. Unfortunately, I don't have time to go into the security and also cannot explain our MA-ABE scheme in detail. I would like to encourage you to look into our full paper, which is available on ePrint. In conclusion, in this work we present the first MA-ABE scheme from the LWE assumption for some non-trivial class of access policies, and we also give a direct approach towards constructing a CP-ABE scheme under the LWE assumption. There are several open problems. Firstly, can we construct an MA-ABE from LWE for more expressive access policies than DNFs? Secondly, can we get stronger security here? We only get static security. Thirdly, can we get better parameters, for example better sizes of ciphertexts and secret keys? Here all the sizes scale with the worst-case policy size bound on the system. Lastly, can we allow an unbounded number of attributes per authority? In this work we are only able to allow some bounded number of attributes per authority. Thank you very much for your attention.