 So, the next talk will be given by Ike Kjeldt and it's about identity-based lossy trapdoor functions. Okay, good morning everybody. Can you hear me? Yeah, okay. So, it's identity-based lossy trapdoor functions and applications, which Mark forgot to mention. So, it's joint work with Mihir Ballari from UCSD, Chris Piker from George Attack and Ben Waters from Austin. Okay, so instead of, you know, presenting a new tool and then, you know, as the previous talk and then maybe you're focusing on the applications, what you do, I want to present you a new tool and maybe not too much focus on the application. I really want to present you a new tool, which I think is interesting by its own right and that's going to be identity-based trapdoor functions, which sometimes are lossy and sometimes are not. Okay, so let me remind you what is a trapdoor function or trapdoor permutation as Dennis already did. So, what we have, we have an, of course, we want, we need injective trapdoor functions. What we have, we have the function f, which is indexed by a public key. Okay, it was the index in Dennis' talk, slightly different notation. So, it's a function that maps in as strings from 0, 1 to the n to some range. Okay, and of course, we want that it's hard to invert. So, it's one way, it's hard to invert. So, computing f to the minus 1 is hard in general, but of course, if you want to know a secret key, a trapdoor, it's easy. Okay, and, you know, examples are this famous RSA scheme from 78 and ever since, no, some time ago, well, this has emerged as one of the most fundamental primitives in crypto. And in particular, we can do a lot of things from it. We can do, whatever, signatures, encryption, the whole word in crypto mania from Brussels specifications. And one interesting thing is to note that first came a trapdoor function, and six years later in GM 84, there was only the concept of probabilistic encryption. Okay, so first trapdoor functions, then encryption six years later. Okay. So, what are security notions for a trapdoor function? So, the most simple one is the traditional one is one way. So, given, you know, a public key, which is generated using a T-generation algorithm, outputs also a trapdoor, but that's not given at the adversary. So, given this green public key and f of x, it's hard to recompute x for randomly chosen x. That's one way. No, it's all well known. So, then as I explained, there's also the loss in this. It's induced by pike and water set in 0, 8. So, what they require, so it's, again, it's a trapdoor function, but we retire additional security requirement. Require that they exist an alternative G-generation algorithm that outputs a fake public key. So, my fake public key is always red, such that, first of all, it's indistinguishable from real public key. And second, the range of the function is smaller, much smaller than the pre-image size. So, if you want, there is an image. So, in the lossy mode, the public key, actually, the range is much, much smaller than 2 to the n. So, that's a lossy trapdoor function. Okay. And, you know, it has a couple of implementations. So, it implies, of course, it's one-manus. Well, because once you switch to the lossy mode, you know, there's no, not information left of f of x to recompute x. So, you can easily show that it applies one-manus. It also implies, but it also applies in a couple of advanced primitives, such that CCA secure encryption, selective opening security, domestic encryption, and hatched encryption. They're constructions known from DDH, QR, PAE, RSA, LWE, and the phyhating assumptions. A bunch of constructions are known. Okay. So, what's the context of our paper? So, we show a couple of things. Actually, it has a lot of results, a lot of small results as well. So, first of all, we look at trapdoor functions in the identity-based framework. Explain that in a second. Okay. So, first of all, we give definitions. And that's, you know, most of my talk will actually focus on definitions. So, it's somehow non-trivial to define these objects. Applications. I'll, you know, quickly mention the applications of identity-based loss trapdoor functions. And then, you know, I'll give you some, you know, two slides I have about constructions. But since it's, like, super complicated and it's, you know, a 20-page construction on paper, I will only give you the high-level idea. And we have two constructions. Actually, one from Bellinia Maps from Pairings. And the other one is from Lattice's in the, you know, that is construction. I'm not mentioning at all, but the Bellinia construction, I, you know, gives some idea. Okay. So, let me remind you what is identity-based encryption. Okay. So, identity-based encryption formula. So, the idea is that you want to simplify the PKI such that every public key, gives raise to one, every public key together with an entity, gives raise to an encryption function. That means people don't have to generate their own public key, secret key, put the public key into the PKI. Just use the master pocketly and an identity encryption. So, more formally, so this consists of the following algorithms, for example, key generation algorithm. And then an encryption algorithm inserts the public key, the master public key, and an entity in a message, and outputs a ciphertext. And that works for all identities, for an exponential large set of identities. Okay. And then the other thing is that there's some sort of abstract algorithm that inputs the secret key here, and an entity and outputs the secret key, the trapdoor, which is used to reconstruct the ciphertext using the decryption algorithm. Okay. So, gen, ang, extract, such that decryption and decryption yields the identity for all identities. Historically, this concept was proposed by Shamir in 84, but only 20 years later, there was actually an accurate security definition, and there were a couple of constructions in these years. You know, once this concept was proposed, a lot of other ID-based objects were also considered, including identity-based signatures were already proposed by Shamir, and some other ID-based blind signatures. You can do everything ID-based, if you want. There's a bunch of papers on these things. Okay. So, now I'm going to define you what is an ID-based trapdoor function. Let me switch back and forth maybe two or three times. You can see what's changing, nothing much. Changing is the, you know, the encryption algorithm and the inversion algorithm here. Okay. So, what do we have? This is an ID-based trapdoor function. So, we have generate, evaluation, extract, and invert. So, the thing that changed again is encryption is now evaluation. So, what do we have? We have, for each identity here, the evaluation algorithm implies a function which is indexed by all these identities, which goes from zero one to the end to R. So, here's the picture. Okay. So, each identity, the public key implies for each of these identities a function that goes from zero one to the end into the range. Okay. For exponentials. So, one public key specifies exponentially many functions. And what is a newest that there's also an extract algorithm, again, that implies once you have the secret key, then actually can do the inversion. Okay. So, once you have the secret key, you can go back from the range to zero one to the end. Okay. For a specific identity. Okay. So, that's the definition. So, I want to sort of, you know, say one thing that I think that, or what they think that this is sort of a natural object to look at. And particularly, if you look at the history in the normal public key setting, there was the trapdoor function six years before the encryption. And in the database framework, it was somehow reversed because we made all this post-progress and, you know, thinking how cryptography works. And at some point we realized maybe encryption is a bit more important than trapdoor functions. But we sort of forgot that trapdoor function is actually the most fundamental object and implies a lot of things. What we do here, so if we correct history and, you know, we look at the most natural thing, actually, in the database framework that, you know, over the last couple of years, it's now 10 years since the Bonnie Franklin encryption scheme has, you know, been overlooked. Okay. So, how about security? So, intuitively, to find security of a database trapdoor function, we want that the function indexed by some challenge identity is secure. It's one way or Russia, whatever you want. Even given the user-seq key for many other identities, so that's what we want to capture. And then there are sort of two dimensions where we can consider. We can first consider security, so which can be one-wayness or lossiness, lossiness stronger. And then we can sort of specify how the adversely selects the challenge identity. And that's usually, it's distinguished between selective and adaptive. And then you get these four notions here. Okay. So, let's, you know, I'll give you the definition of one-wayness in the selective setting. So, how does it work? So, the experiment is put in here, and here is an adversary, okay? Adversary place against the experiment. So, first of all, the adversary has to choose as a challenge identity, has to commit that, okay? Gives that the experiment, the experiment computes a public key, and a security pair, and gives the public key to the adversary. Okay? Now the adversary can make a couple of ID queries and get the user security for this identity. Okay? And then finally, the experiment chooses a random X and challenges. So, evaluates the trapdoor function on ID star on X. Okay? So, you get FID star of X. And, you know, the experiment outputs win if X equals X prime, X prime being returned by this. So, the adversary is able to compute this X here. So, that's one-wayness. Okay? We defined it one-wayness as the probability that the adversary wins is sort of negligible. So, there are things that sort of make sense, and it's easy. In the selective setting, we want that the identity is then selectively or adaptively chosen before the challenge is established. Okay? We can do that, and that also makes sense. So, we just say, you know, instead of getting in the beginning, the adversary says, okay, you know, after I've seen a couple of user-seq keys, I want to get challenged on this particular identity, ID star. Then, FID star of X is challenged, and the adversary wins if we can compute the right X. Okay? So, again, one-wayness and adaptive setting is also sort of easy and intuitive to define. Okay? So, if you get to lossiness, things get a little bit more difficult. Okay? In the selective setting, it's still okay. In adaptive setting, it's going to be a little bit more complicated. Okay? Selective lossiness, again, an adversary in beginning commits to a challenge identity, ID star, you know, gets the public key, and now it has to, in the end, has to distinguish between the green public key and the red public key. The green public key is going to be the injective public key, meaning that all the trapdoor functions for all identities are going to be injective, invertible. Okay? And the red party key sort of is some sort of lossy public key. And, of course, we want that it's lossy on this ID star identity, you know, the one that the adversary chose to be challenged on in the end. Okay? And then everything sort of pops up more or less naturally. So, again, the adversary can make a couple of identity queries, and, you know, outputs a bit, and you define it as lossy if the adversary cannot distinguish these things, and in the red case, actually, the range of the ID star function is small, is lossy. Okay? And if you want a picture, it's actually similar to Dennis's picture, but I, you know, can't draw graphics as nice as he can. So, if, so that is the identity space. It's the set of all identities. So then actually we require that the public key that the adversary in the, in the red case outputs here sort of gives a punctured identity space. So the green ones are all injective. Okay? But the red one here is the, that's the challenge identity, and that's required to be lossy. Okay? And, of course, in the security experiment, the public key can actually depend on this identity ID star here, because that's what the adversary committed to. So there are things sort of works fine, and still, so that, that security definition is sort of natural. Okay? Now comes the, the adaptive case, and that's going to be less natural. Okay? So let's try to define adaptive settings. So it means that entity ID star moves down here. Okay? And then sort of, okay, so then, in the lossy case, we cannot make the, the public key generation depending, dependent on ID star anymore. Okay? So what does it mean? What does it mean here? So we, sort of, if you consider this set of all identities here, so, and, so that is well-defined once the public key is output, that it's well-defined if a particular identity is lossy or not. Okay? So we cannot make this definition anymore, because, um, the adversary has to query these identities here, and it has to get the user's secret key back. Okay? So, you know, if, if you sort of make some identities losses and, and some not, the adversary may be able to notice because he can query some identities and maybe, you know, the user's secret key doesn't exist to the, um, so the adversary may notice that we are in the, in the, in the lossy case and will say, okay, I don't want to distinguish, okay? So this security definition doesn't make any sense anymore in the adaptive setting, and it's absolutely not clear how to define it. So what we propose in this, in the paper, is a reaccession of, of, of this notion. So what, our tuition is, is the same. Again, this is a similar image that Dennis drew with a, with a, with a lattice. I, you know, I can't draw it like, nice like that, but I, you know, this is a fraction of lossy identities. So what we, which we require from the, um, from the public key that it's sort of in a, in a state between lossy and, and non-lossy. The lossy identities are the red ones and the, um, non-lossy identities are the green ones. Okay? And, uh, so now we need a sort of a reaccession factor. Um, we want that this set of all identities contains a D fraction of, um, of lossy identities. And this D fraction has to be hidden. Okay? And this is the, the security mission that we define. So we do a scaling factor here. So we define D lossiness for a scaling parameter such that the probability, so D times probability that the adversary outputs one on the public key, on the real public key, minus the probability that outputs one on the red public, on the lossy public key. Um, and the challenge identity is really lossy. That has to be negligible. Okay? The former definition was, okay, the D is just one, but we just saw that this is not fulfillable. Actually there's an attack against it. And, but we can relax it. And our hope is that we can still first instantiate and second actually make sense. Okay? And that's we, what we show here, the implications of ID with lossy trapdoor function as follows. First in the disselective setting, um, be sure that, uh, uh, implies one minutes actually. Uh, and it also implies the domestic and hatched identification encryption. So I should say a few words about what it is, maybe. Um, the domestic identification encryption is, uh, so suppose the message you want to, so suppose you want to make an encryption function, um, deterministic. So we all know from our crypto one lecture for the first lecture that we had in crypto that this is actually impossible. We cannot, uh, it doesn't fulfill in CPI security. Okay? But suppose the message actually has some entropy. Okay? And this is what the domestic encryption does. It gets the highest possible security notion if, um, if you assume that the message is, uh, has some entropy and then, um, we can actually use a deterministic encryption function. Okay? So, um, we show that identity-based lossy chapter function actually imply deterministic identity-based encryption. Okay? And it also implies something else, which we call hatched identity-based encryption, which is only known to be, uh, doable in the public key setting hatched identity-based encryption is that when you, um, have sort of a bad randomness when encrypting, then still there's still some sort of security guarantee. Um, that's still, uh, you get some sort of, uh, in CPI security, even though there's some leakage about the randomness that's hatched, uh, an identity-based encryption. Okay? In the adaptive, uh, setting, we show that if the scaling factor D is more or less one over a polynomial, okay? So one verse, again, not achievable, but it's one over polynomial, if the fraction of lossy identities is one over polynomial, um, then actually implies, uh, a one-wayness in the adaptive setting. What we can show yet, um, is if it implies identity-based encryption or not, but it cannot deterministic or hatched identity-based encryption in the adaptive setting. That's an open problem. Okay? So let me say, uh, a few words about the constructions of these identity-based lossy chapter functions. Um, so first about the difficulty. So if you look at IBE, IBE is, the encryption function is probabilistic and that makes things much more easy. But here you can use some sort of Diffie-Hellman kind of, uh, you know, inherently, uh, randomized encryption function. On the other hand, lossy chapter function, you know, each function is actually function, so it's inherently deterministic. Okay? So that's the difficulty. The determinism where the probabilism. Um, one thing in the random arc model is actually easy to construct these objects. Just, uh, define FID of X is the, you know, IBE encryption on a sum identity and then just use the, um, a random oracle, um, and, uh, you know, derive, uh, the randomness from the, um, from the value X. And I can prove that this is actually a Diffie-Hellman lossy chapter function. But in the random arc model, it's a little bit more difficult. Okay. So the first construction is based on pairings. Um, and here's the idea. So it's very, uh, very high-level idea. I'm not going to go into any details because the schemes are really complicated. Okay. So we start from an anonymous IBE scheme, which anonymous means that the ciphertext hide the identities. Okay? Okay? So there's actually one scheme, which is by, uh, uh, a boyan in waters from, uh, with our intuition, but it didn't work out. So we needed to modify it because we need some sort of more homomorphic properties later. Okay? So actually on the way we found a new construction of an, uh, anonymous IBE scheme, um, from the linear assumption, which is actually more efficient than original, uh, boyan waters scheme. So it has four elements in the ciphertext instead of five or six, I don't know, which we found actually surprising because we thought some other system was optimal. Okay. So in order to construct from this anonymous IBE scheme, an adiabase loss chapter function, we used the homomorphic properties of this, um, anonymous IBE scheme. And that's sort of similar to the construction Dennis had. You remember the paillet construction and also the DDH construction where sort of multiply things together in a homomorphic way and then sometimes things cancel out and sometimes things don't cancel out. Okay. So here's a little bit more details. Again, two settings, an injective public key and a lossy public key. And this is the way it works. So first of all, a key generation outputs a public key and a secret key. A master public key can take the matrix of a bunch of these, you know, magic IBE and ciphertexts. Okay. And public keys, of course. Okay. And the relation is so evaluate this loss chapter function on this identity ID is a function that maps bit strings into a bunch of group elements. And, you know, not going to go into details, but the relation is that it outputs this element here, c3, c3 and c4 are vectors such that c1, c2, together with the ith component of this c3 and the ith component of c4 is actually a valid encryption of the underlying anonymous IBE scheme under the identity ID and encrypts the ith bit of x of the input here. Okay. And the way you do it and again you're not going to go into details, but you sort of multiply things together in a linear way and then the exponent things will sort of, you know, cancel out or not and this is the way it works. Of course, once you have that, you just, you know, the user's secret key of our trapped identity restructure function can just be the user's secret key of the underlying IBE scheme and then you can actually invert things because these are all bits and they can output everything. Okay. So, so actually the key generation output some sort of controlling function with little f and Dennis talk it goes from zero one to the n identity space to zp. Okay. It's such that if the, so this this controlling function f is sort of hidden in the public key. Okay. Such that if the entity and so the function is evaluated in some value x such that this is actually a valid encryption again, a valid execution if this controlling function is non-equal zero and the other end if it's zero then actually the encryption here is independent of the of the x here. Okay. So it doesn't contain any information anymore about the x. Okay. So this magic controlling function sort of if it's zero it is, it makes it everything lost. Okay. So this is an underlying IBE scheme because the intuition that the public key right, which some contains some information about the f here hides f because the IBE scheme is anonymous. Okay. So let me say two words about this controlling function f in the selective lossy case we just define the controlling function f as id minus id star it has to be a linear function sort of so if f of id is non-equal zero this is the case if and only if id doesn't equal id star so then we actually have this scenario here exactly what we want. So in the Chinese identity here the red dot is lossy so this thing is zero so it loses information on x so there we are fine. In the depth setting it's a little bit more difficult and what we do what? Yeah I'm finished as good as finished okay in the lossy case there is nothing missing here okay one thing about the lackless construction actually what we show which is actually interesting is that the LDB function is a lossy trapdoor function which came to me as a surprise Chris was folklore under the LDB function which may be useful in other context as well and in order to do a lossy trapdoor function we use the we gave a couple of security definitions showed some applications the constructions are actually quite complicated so I only gave a small overview and if you want to have details it's on a print and now I'm finished thank you Any quick questions if not then let's thank Ike again