 Hello everyone. In this talk, I will present our work about a generic framework for ABE with master key KDM security while the notion predicate encoding. This is a joint work with Jun Jinggong and Jie Cheng. ABE stands for attribute-based encryption, which is an advanced form of public key encryption. It consists of four PBT algorithms, setup, encrypt, key generate, and decrypt. The setup algorithm takes a boolean predicate p associated with a descriptive domain x and y, such as attribute x and policy y, and outputs a master key pale, master public key, and master secret key. Then, the encrypt algorithm encrypts the message m to value x under the master public key, and the key generation algorithm uses the master secret key to derive secret keys to value y. In the encryption algorithm, these secret keys have the ability to recover the message only if pxy equals to 1. That is, attribute x satisfies policy y. For example, if x satisfies y1, then the secret key can recover the message m. If x does not satisfy y2, y3, then the secret keys cannot obtain any information of the message m, even combining with other secret keys in some way. In this work, we use the notion of predicate encoding. It is a similar description of ABE with a statistical one-term secret key security flavor. Typically, it consists of five linear algorithms over domains x, y, and gp. In the last example, we can use se xw to encode the encryption. Use ke yrfa plus re yw to encode the key generation. And in the decryption, we can use sd and rd to recover alpha by the property of predicate encoding. Then we can obtain the message. Such predicate encodings are also known for several predicates, such as equality predicate in identity-based encryption. Like lw10. That is, you can obtain the message only if x equals to y. And prefix equality predicate in hierarchical IBE, like bbg5. And a arithmetic branching program in ABE, like cgw15. And so on. In this talk, we will employ the first symbol predicate to illustrate our framework. In our framework, we study an appealing security, key-dependent message security, or KDM security for short in the context of ABE. Namely, the message may depend on the security, but no information will be leaked. We describe the dependency by an affine function of the security. If the semantic security holds on when the message dependents on the master security, we say it achieves master key KDM security, or MKDM security for short. If the semantic security holds on when the message dependents on the user security, we say it achieves user key KDM security, or UKDM security for short. In this work, we focus on the formal security MKDM security. Formally, we describe MKDM security by the following game. At the beginning of the game, the challenger set up the ABE schema and publish the master public key to the adversary. Receive the master public key, the adversary can issue the key query repeatedly. On each key query with Y, the challenger generates key using the master security and gives it to the adversary. After that, the challenger picks a random bit B and the adversary issue multiple challenges. On each challenger with X and F, the challenger encrypts FMSK as CT0 and encrypts a random message M as CT1 and always returns CTB to the adversary. Then, the adversary can continue the key query and the challenger responds by running the key generation. In final, the adversary outputs a guess of B. At this point, we can give out the advantage of the adversary. If the advantage is negligible in the security parameter, then we see the schema achieves MKDM security. In this work, we propose a generic framework of MKDM security ABE under standard pairing-based assumption and supports more complex policies than ABE, which has never been reached since the first KDM security ABE was proposed in GHB12 and AP12. In particular, we obtain the first HPE schema with MKDM security for a fine function. And the first ABE for ABE with MKDM security for a fine function. Also, thanks to the expressiveness, that is, dedicability like HPE. We improve the security to CCA security by the classical CHK-CPA to CCA transformation. In the context of ABE, our generic framework also gives us a new ABE schema with MKDM security. Our schema enjoys a constant size master property and achieves adaptive and CCA security. In the following, we will employ this symbol predicate, the equality predicate in ABE to illustrate our framework. As a start point, we first revisit GGH20 schema, which is based on binomial pairing over prime order groups. That is, the group description only contains two prime order groups G1, G2, and relevant generator over G1, G2. Informally, all the cyber attacks and secret keys lie in the span of these bases over G1, G2 respectively. And their components in each subspace play important roles in the proof. Looking ahead, they use these three bases A1, A2, A3 to simulate three subgroups P1, P2, P3 of a composite of the groups. Under these spaces, A1, A2, A3, GARC-8DOR give out this MKDM security IBE schema with tight security, but the master property size is linear in the security parameter. In actual use, all the secret keys and cyber attacks lie in P1 subgroup, which is of normal form. And in this schema, they show a clever combination of the KDM security PKE, as in BHH08, which is highlighted by solid boxes and a tightly secured IBE. As in AHY15, GDCC16, which is highlighted by grey boxes. Following the tight proof of the tight IBE over multiple secret keys and cyber attacks, one can extract the entropy over P2 subgroup, highlighted by the dashed boxes. At this point, one can control the leakage of master secret key using the entropy, and then carry out the KDM argument for PKE from BHH08. However, to our best knowledge, there only exists tightly secured IBE in the multiple cyber attacks setting. And the tight proof in the multiple cyber attacks setting strongly depends on the key and the cyber attacks structures. But we can see the KDM argument only relies on the entropy we introduced. So, we look back to the following warm up schema presented in GGH20. Also derived by the equality predicate encoding W plus ID V. As they reported, the schema is MKDM secure with respect to five functions in a single cyber attacks setting by the dual system technical. Therefore, our strategy is to upgrade the proof to the multi-sever attacks setting without tight reduction. The typical dual system technical uses two main components, one normal component over P1 subgroup, and one so-called semi-functional component over P2 subgroup. More informally, one first turns the challenge cyber attacks city star from normal form to semi-functional form by the subgroup decision assumption. Then performs a hybrid over the user secret keys from SK1 to SKQK with the help of the P3 subgroup. Since the underlying ID of SK1 is independent of the underlying ID of city star by definition, one can first add the entropy to X1 over P3 subgroup by a statistical argument. And then one can move it to P2 subgroup by the subgroup decision assumption again. In this way, one can change all secret keys to semi-functional form while keep the cyber attacks unchanged. At this point, all the secret keys and the cyber attacks are off the semi-functional form. As a result, the proof adds entropy to each key one by one. However, this only works on the single challenge cyber attacks setting to handle many challenge cyber attacks at the same time. As is needed in the context of KDM, we have to add one extra subgroup. Concretely, we need to use a NIST variant of the dual system technical. In NIST dual system technical, one first changes all challenge cyber attacks from normal form to semi-functional form by the subgroup decision assumption. Then changes all keys into semi-functional form one by one, but employs another dual system argument where the rules of cyber attacks and keys are exchanged. As usual, one first changes challenge cyber attacks and then changes the secret keys one by one. But at this point, one first changes one secret key into semi-functional. Then changes the challenge cyber attacks into semi-functional one by one with the help of P4 subgroup. Next, move the entry to P2 subgroup. In this way, one finally changes all the secret keys and cyber attacks into semi-functional form. However, this typical NIST dual system technical uses four subgroups and complicates the proof. In this work, we only use three subgroups as in GGH20. Concretely, we will rely on a variant of NIST dual system argument which exchanges the rules of cyber attacks and keys at first. That is, one first changes all secret keys from SK1 to SKQK into the semi-functional by a standard hybrid argument, going through every key based on the subgroup decision assumption and a statistical argument. One makes the change of the challenge cyber attacks in a one by one manner with the help of P3 subgroup. Also, in order to change each challenge cyber attacks into semi-functional, one employs another standard hybrid argument over the one challenge cyber attacks along with all secret keys. First, move the cyber attacks to P3 subgroup. Then, perform a hybrid over all secret keys by subgroup decision assumption and a statistical argument to add entropy over P3 subgroup. Next, change the challenge cyber attacks into semi-functional form. And perform a hybrid over all secret keys again to withdraw entropy over P3 subgroup. In this way, one finally changes all cyber attacks into semi-functional form. This no longer requires an extra subgroup leading to a simple proof. Finally, we mentioned several open problems. In this work, we build MKDM secure HIV and ABE over prime order groups. One problem is to build a MKDM secure ABE with tight security and constant size master public key over prime order groups. Also, it will be interesting to build these schemers from other assumptions such as landing with errors assumption. Besides, this work only focuses on MKDM security. A formal study of the relation of UKDM security and MKDM security is also appearing. Thank you for your attention.