 Thanks, Rachel. First of all, thanks, Brent, for advertising our result. OK, so I'm going to talk about how to achieve adaptive FE from selective FE. This is in joint work with vCargill and Vinod. So as Brent already described the function encryption scheme in a really nice manner, but let me just go over it quickly. So functional encryption scheme allows for a user to get a constrained key corresponding to a function in such a way that given an encryption of a message M, he can decrypt to obtain the output f of M. And in order to obtain this constrained key, the trusted authority is going to use the master secret key, which will be generated as part of the setup algorithm. And the intuitive security guarantee we require here is that the adversary should only obtain f of M and nothing else. So how do we formalize this security notion? So there are many ways to formalize this security notion, and I'm going to use indistinguishability based security notion. This security notion is modeled as a game between a challenger and an adversary. In the beginning of the game, the challenger is going to generate the master public key and the master secret key. And he's going to hand over the master public key to the adversary. The adversary is then going to request for many functional keys. And correspondingly, the challenger is going to generate the keys corresponding to these functions, and he hands them over to the adversary. And he can do this many, many times. After this, the adversary is going to submit two challenge messages to the challenger. And at this point, the challenger is going to pick a random bit B, using which he's going to choose one of the messages to encrypt as part of the challenge ciphertext. And after this, the adversary can now make many more functional queries. So this is somewhat a strong notion of security. And this is the notion of security we should all strive for. And the literature, so before I go into more details, here I should mention that this game is invalid if the adversary queries for any function that outputs something different on M0 and M1. And the goal of the adversary is to get the challenge bit B. And as I mentioned, this is the security notion we should all strive for. And in the literature, this security notion is called adaptive security. So however, in the literature, there was another notion of security that was considered, which is selective security. So what is the selective security? In this game, the adversary has to declare the challenge messages at the beginning of the game itself, even before he receives any parameters from the system. So after this, the challenger is going to generate the massive public key and the challenge for text, handy hands them over to the adversary. After this, the adversary can make the functional queries adaptively many, many times. So let's see what is the relation between selective and adaptive notions of FE known in the literature. So the literature can be classified into two broad categories, that of general techniques. So there is a very naive approach to go from selective to adaptive FE, which is using complex delivery. This is sort of unsatisfactory because here we need to assume that the adversary cannot, that the security holds against sub-exponential adversaries. And the second general approach of obtaining adaptive FE was through IO or multi-map assumptions. You already saw one of the constructions by Brent in the previous talk. So however, in the literature, there were also other techniques of obtaining adaptive FE. And the situation was that these techniques are tailor-made to specific bilinear map-based constructions. And there have been many, many works in the past, so I don't want to go into these details. So let me state our main theorem. So we show how to obtain adaptive functional encryption, assuming any selective functional encryption scheme. And in our work, we don't make any additional assumptions. And as we will see later, our transformation is very simple. And this transformation works both in the public key setting and the secret key setting. As a corollary of this theorem, we get a simple construction of adaptive FE from IO by just combining this theorem with selective FE constructions of either GGHRSW or Brent's construction. It should be Waters 15, but sorry. The second theorem is that of as a bootstrapping theorem. We show how to obtain selective FE for all poly-sized circuits starting from selective FE for TC0. TC0 is essentially a constant-depth circuit, but you're also allowing majority gates. However, this transformation is not unconditional. We also make the assumption that weak PRFs exist in TC0. But this is, in some sense, a weak assumption. This is not a strong assumption because we know how to construct weak PRFs in TC0 based on either DDH or LWE. I should also mention that the transformation works for the adaptive setting as well. And this transformation works both in the public key setting and the private key setting. So now combining both these theorems, we get adaptive FE for all poly-sized circuits starting from selective FE for TC0. And our techniques have been useful in subsequent work, such as obtaining FE for Turing machines, compactness transformations, straight-edge tracing schemes, and so on. So let me jump into the technical details. But before that, let me refresh some basics, which we all studied in our undergrad, which is hybrid encryption technique. So what is hybrid encryption technique? This gives a way to combine a public key scheme and a private key scheme in such a way that the resulting scheme enjoys the nice properties of both the schemes. So let us see this in more detail. So in order to encrypt message M, you are first going to pick a secret key corresponding to a private key scheme afresh in the execution of this encryption algorithm. And then you're going to use the public key scheme to encrypt the secret key. And now you have to somehow encrypt the message somewhere. So you're going to encrypt the message using the secret key scheme. And you're going to use SK to perform the encryption operation. So as I said, this is a public key encryption. This is private key. And this is the hybrid encryption scheme. And I should mention that this hybrid encryption, which you obtain, is actually a public key scheme, corresponds to a public key scheme. So how is this useful? It's useful for efficiency. So if you take any public key scheme, which might be inefficient, and if you combine with an efficient private key scheme, you obtain an efficient scheme, which is also public key. So before I explain how this technique is useful for us, let us review how the security proof works. So I have to show you that an encryption of M0 is indistinguishable from encryption of M1. So in other words, I have to switch M0 to M1 here. But I cannot do that immediately. Why? Because the secret key corresponding to this encryption exists here. So let me first remove that. Once I remove that, now I can just switch from M0 to M1. I'm done. So we show how to adapt this technique in the context of functional encryption. What do I mean by that? So I'm going to adapt the same sort of scheme we had, but in the context of FE. I'm just going to replace any public key encryption scheme by a public key FE encryption scheme. And correspondingly, I'm going to replace this by a private key FE scheme. And the resulting hybrid FE scheme would be public key. So the question is, how do we decrypt? So in the case of the traditional hybrid encryption scheme, it was sort of simple, because you can just decrypt the first ciphertext using the master secret key, and then you can recover the message. But here you have additional functional keys. So things are not that straightforward. So let's see how to perform this operation. So let's say you are given a functional key of F. So why am I denoting by G and not F? You will know soon. So now I'm going to use this functional key to obtain G of MSK. Somehow I have to use this to obtain, to recover the output F of M. So before I describe what should G be, note that in order to recover the output F of M from the second ciphertext, I should have a functional key corresponding to F. So I will define G appropriately. So what my G will do is it will take as input a master secret key, and it's going to output a functional key of F corresponding to this master secret key. So let's see how this helps. So before that, I should mention that this functional key generation algorithm is probabilistic. But you only generate functional keys for deterministic functions. So in order to resolve this problem, we are going to use the PRF key to generate randomness. I don't want to go into the details of how this is implemented. So for the rest of the talk, I'm going to assume that the function G is probabilistic. So now let me proceed with decryption. So I have this functional key corresponding to G origin prime. I'm going to first decrypt the first ciphertext to obtain a functional key corresponding to F. And then I'm going to use this functional key to decrypt the second ciphertext to obtain F of M as desired. So the question is, how is this useful? I mean, we just adapted this technique for functional encryption. So what? So at first thought, you might be thinking that this might be useful for efficiency. But it turns out that it will be useful for security. So what do I mean by that? I'll show you how if you start off with the private KFE scheme, which was adaptive, you will end up with the hybrid public KFE scheme, which will be adaptive. To be more precise, I'm going to have the same system. But I'm going to replace this private KFE by adaptive FE. And I'm going to replace the public KFE by a selective FE. I don't even need an adaptive FE. But the result will be an adaptive FE scheme. And this will be public key. So before I explain how this is done, let's see what is the minimal requirements we need from this private key adaptive FE scheme. So in order to do this, let me make one observation that when I encrypt a message, I'm sampling the master secret key afresh every time. So this means that I only need a private KFE scheme that is secure against adversaries who makes a single ciphertext query. And we know how to base this on one-way functions. So let me now replace the private key adaptive FE by private key single ciphertext adaptive FE. So in other words, what I'm going to do is I'm going to construct a one-way function-based construction and selective FE to obtain adaptive FE. So I should mention that Brent also gave this transformation of going from one time to multi-time FE using IO, which you saw in the last talk. So how does the proof of security go? So let me just consider a simple case when the adversary only makes a single functional query and a single message query, just to give you more intuition. So what does the adversary gets in this case? He gets a ciphertext of M0, and he also gets a functional key of F. And on the right-hand side, he gets an encryption of M1, and he gets a functional key of F. F here is a function in such a way that F of M0 is the same as F of M1. And the goal for him is to distinguish between the left and right words. So let's go over the hybrids and see whether this works or not. So in the first hybrid, I'm going to encrypt M0 as before. So in the second hybrid, what I'm going to do, I'll just emulate whatever we did for the traditional encryption scheme, which is to remove MSK. But you'll notice that something terrible will happen. And what will happen is that we lose functionality. In other words, in the second hybrid, we won't be able to recover the output F of M0. Because of this, there is a trivial distinguishing attack. Because in the first hybrid, the adversary can recover F of M0. But in the second hybrid, he cannot recover F of M0. Let's try to fix this. So in order to fix this, I'm going to introduce an additional slot, which will initially be 0, which will help me hardwire some information of MSK. So on one hand, I will remove MSK, but I will hardwire enough information that will help a user to recover the value of F of M0. So let me go back to the second hybrid. In the second hybrid, instead of just removing MSK, I'm also going to hardwire the secret key, corresponding to the function. And I will also change this function to have another branch. So if you just evaluate this function on this ciphertext, you are going to get F of M0 as desired. Let's see whether this works or not. So in order to show the indistinguishability of hybrid 1 and hybrid 2, we need to reduce that to the security of selective FE scheme. So in other words, there is an intermediate reduction, which acts like a challenger to the adversary of the adaptive FE, but acts like an adversary in the game of selective FE scheme. Note that since this guy is participating in the selective game, he needs to declare the messages in the beginning of the game itself. So what are the messages? The first message is MSK comma 0, and the second message is 0 comma escape, the secret key of F. But what is F? We don't even know the function F at this point of time. So we are completely stuck here. And the second problem is that, like the screen, the ciphertext does not have enough space to store all the functional keys. So in other words, here we only consider the case when there was a single functional key, but if you have multiple functional keys, it will be an issue. So one fix to both these problems is to push all the hardwiring that you were doing in the ciphertext to all the functional keys. But there is an issue here. Functional keys don't have any hiding property. So if you hardware something, the adversary will immediately notice that you have hardwired something. So the question is, can we still do some hardwiring in the setting when there is no function hiding? And the answer is yes. And we're going to employ a method called Trojan method to solve this problem. So what is this Trojan method? This method is an adaptation of a trapdoor mechanism. And I will explain this in more detail soon. So in the Trojan method, a functional key has essentially two branches. The first branch is a public branch that can be accessed by anyone. In other words, all the honest execution happens in the public branch. And the second branch is what we call the sneaky branch. This is where you can sort of hardwire things and make the simulator work in the proof of security. So just to explain this in more detail, let's consider the example of the function key, which we described a few slides back. So we have this function gen-pri. In the earlier case, you had a case when if this u was 0, then you executed the key generation algorithm honestly. Now what changes is the second branch. If u is 1, u here is interpreted as a mode, then you're going to output the decryption of the cipher text. And the cipher text is hardwired here using the symmetric key. And this symmetric key will be part of the input. So if you don't understand what is going on, let's consider the, you will know very soon. OK, so as I mentioned, as I mentioned, this was the public branch. And this was the sneaky branch, which can be accessed if you know the symmetric key. So let me modify the construction appropriately. This will be our final construction. So the public key encryption scheme, the message which is encrypted in the public encryption scheme, will also have a symmetric key as part of the message, and in addition to the master secret key of the private key scheme. And the 0 here indicates the mode, which means to signal to the functional key that to perform the onS execution. OK. OK. So in the second hybrid, I'm going to remove the master secret key. But instead of hardwiring the functional key in the cipher text itself, I'm going to hardwire the functional key in the cipher text. And the symmetric key that decrypts this cipher text will be part of the first cipher text. And I will also correspondingly change the mode to indicate to the functional key to actually use the second sneaky branch. So how do I argue the security? In order to argue security, I need to reduce the indistinguishability of hybrid 1 and hybrid 2 to the selective security. And how can I do that? The reduction will first send the message pair, MSK all zeros. And the second message is the symmetric key and 1. And the reduction actually can choose these messages because this is independent of the actual messages and the functions the adversary is going to query. So the reduction can do this. And then he will perform the, then he can simulate by himself. Can keep on doing this whenever he gets a function query, he can forward a correspondingly transformed functional query to the challenger. And once he gets back a functional key, he's going to forward the corresponding functional key back to the adversary. So once we do this, we have shown the indistinguishability of hybrid 1 and hybrid 2. So what do we do next? Now we are going to switch M0 to M1. So we are modifying something in the private key encryption scheme. So we need to reduce the security of the indistinguishability of hybrid 2 and hybrid 3. It should be hybrid 3, sorry, to the security of the adaptive private key free scheme. And I don't want to go into the details. You can refer to the paper. So let me summarize. So we show how to obtain selective FE to adaptive FE in a generic way without using any additional assumptions. And some open problems that remain is how to obtain similar transformations in the context of primitives which are simpler than FE, such as A, B, or predicate encryption and so on. And also it will be useful to see whether this Trojan method or trapdoor mechanism can be adapted to other settings as well. Thank you.