 Welcome to my talk. The title of this presentation is optimal broadcast encryption from LWE and pairings in the standard model. I'm Shota Yamada, and this is a joint work with Shweta Agrawal and Daniel Weeks. Since this talk is about broadcast encryption, I'm going to explain the notion of broadcast encryption. Let us consider a system which consists of capital N users. Furthermore, let us consider a user who wants to encrypt a message for a subset of users. Namely, this user prepares the message and encrypt it to obtain a ciphertext. And this ciphertext should be decryptable for the intended receivers. However, the ciphertext should not be decryptable for a user who is outside of the intended users. Furthermore, the users cannot obtain any information of the message even if the users outside of the intended recipient set collude. We call this security notion collusion resistance and require this notion by default. A trivial solution to construct broadcast encryption is to prepare public key for each user by playing public key encryption scheme. Then, when we encrypt a message for a subset of users, we encrypt the message by the public keys corresponding to the users. However, this solution requires long ciphertext, which is linear in the number of users in the system, in the worst case. We are interested in a co-instruction with shorter ciphertext. Let us summarize the previous works on broadcast encryption. Here, we focus on the size of parameters. The trivial construction I explained in the previous slide requires master public key and ciphertext whose sizes are linear in the number of users. The first fully collision resistant broadcast encryption schemes with short ciphertext were proposed by Bonnet, Gentry and Waters. In their construction, the ciphertext and the secret key are constant size. However, the drawback of the scheme is that the master public key is linear in N. To mitigate the problem, they also propose a construction which has shorter master public key at the cost of longer ciphertext size. Since then, the construction of broadcast encryption scheme whose parameter sizes are all constant had been an open problem for about 10 years. The first construction with such parameter size was proposed by Bonnet, Waters and Gentry. The drawback of the construction is that it requires multi-linear maps, which requires strong assumption to instantiate. Later, Gentry also proposed a construction based on indistinguishability of classification, but it still requires strong assumption. To remove the necessity of indistinguishability of classification and base the scheme on formal security assumptions, two schemes have been proposed recently. Brackersky and the Weigundanden proposed a construction from lattices. However, the scheme lacks formal security proof. Agrawal and Yamada proposed a construction from binding maps and lattices and proved its security. However, the proof is in binding agent group model, which is heuristic. In this work, we improve Agrawal and Yamada's construction and give a construction that can be proven secure in the standard model. A caveat is that even though the construction is in the standard model, it requires strong assumption, as I will explain in more details. Here, I explain our result in more details. We propose broadcast encryption with optimal parameter size in the sense that all parameters in the system are constant from binding a map and LW assumption in the standard model. More generally, we constructed Syphatext Policy Attribute-Based Encryption and CPABE for NC1 circuits with some special efficiency property that I explained later. Selective security of the scheme is shown from a variant of the caller assumption introduced by Baolens and We on binding a groups. In fact, this assumption is a knowledge type assumption which is not very desirable. However, we believe that this is a significant improvement over the previous work because it is in the standard model. Along the way, we simplify and modularize the ideas from Agrawal and Yamada's construction. Because we construct CPABE for NC1 circuits, I'm going to explain the notion. In the CPABE for NC1 circuits, or ABE in general, there are master public key and master secret key. Using the master public key, one can encrypt a message for some circuit C. This circuit C specifies the policy regarding who can decrypt the Syphatext. Using the master secret key, one can generate a secret key for some specific attribute X. X, in this case, is an input to circuit, which is some string. And the decryption is possible if and only if C of X equals to 1. Namely, if C of X equals to 1, one can decrypt the Syphatext to retrieve the message using the secret key. And if C of X equals to 0, the decryption should not be possible. And this should be the case even if the unauthorized users collude. We require the collision-resistant property similar to the broadcast encryption case. Now I'm going to explain our approach in high level. In the first step, we reduce the construction of optimal broadcast encryption to CPABE for NC1 circuits with with independent efficiency. The meaning of the with independent efficiency will be explained in the later slide. In the next step, we construct the CPABE for NC1 circuits from the combination of AW assumption and by linear group model. Now I'm going to explain the first step. In fact, this step is the same as the previous works. Here I'm going to explain that we can construct broadcast encryption from CPABE for NC1 circuits if the latter has some special efficiency property to generate a secret key for user index J in broadcast encryption. We use the key generation algorithm of the CPABE to generate a secret key for the same index J where J is interpreted as a binary string. To encrypt a message for a set of users or a set of recipient S, we encrypt the message under the circuit F sub S which is defined as follows using the encryption algorithm of the CPABE. The function F sub S takes us user index J as input and output 1 if J is in the set S and 0 otherwise. It is easy to see that CPABE with this encoding actually implements the functionality of broadcast encryption. To have an efficient construction, we use the following specific circuit to implement F sub S. The circuit takes J in binary form and compare it with each indexing S in parallel one by one. If any of them equals, it outputs 1 and otherwise 0. It is straightforward to see that this circuit indeed implements F sub S. This circuit in fact has the following nice property. Namely, the circuit has short input length which is only logarithmic in N. Also, its depth is shallow due to the parallel computation which is also logarithmic. However, it has very wide width. This suggests that if we have a CPABE scheme whose parameter size is independent from width of the circuit supported by the scheme, this implies broadcast encryption scheme with compact parameter size since the circuit is compact except for its width. In the following, we focus on the construction of such CPABE scheme. Next, I am going to explain the second step. Here, we construct CPABE for NC1. In this step, we diverge from the approach of Ay20. In Ay20, we construct ABE using a combination of specific algebraic techniques on bilinear maps. On the other hand, in our work, we implement the step using three components in more modular manner, though it is similar to Ay20 in high level. Our approach can be seen as a refinement of that of Ay20. Now, I am going to explain three components that we use in the construction of our ABE scheme. The first ingredient is secret sharing scheme with certain succinctness condition on the size of shares. This secret sharing scheme can be constructed from LWE. The next ingredient is hyperplane obfuscation. This is constructed using bilinear maps and proven secure under the bilinear quarer assumption. The final ingredient is the functional encryption for Adamard product. This can be constructed using bilinear maps and proven secure under standard assumptions such as matrix DDH assumption. Now, I am going to explain the first ingredient. I first explain the syntax and the security notion of ordinary secret sharing scheme and then explain special properties that we require. The sharing algorithm of the secret sharing scheme takes as input an NC1 circuit C that specifies the policy and the message to obtain a set of shares. For simplicity, we assume that the message is one bit. The output consists of two L shares where L is the input length of the circuit. We consider subset of shares in a specific form. In particular, we consider a subset which is obtained by choosing one share from each column. Such subset can be associated with binary string X of length L. We denote the subset associated with X as S sub X. The reconstruction algorithm takes as input C, X and S sub X and outputs message or bot. As correctness requirement, we require that reconstruction algorithm recovers the message when C of X equals to one. As for the security requirement, we require that the shares does not leak any information of the message if C of X equals to zero. As for the efficiency requirement, we require that these algorithms are efficient. In our work, we need stronger properties for each requirement. As for the correctness, we need stronger requirement that the reconstruction algorithm can be divided into two steps. In the first step, the algorithm first applies a linear function computed from C and X on shares S sub X. We require that the result should be in the form of message times some constant plus polynomially bounded size noise. In the second step, we can recover a message by removing the noise. We also require stronger notion for the security. We require that S sub X is suitable random if C of X equals to zero. Instead of just requiring, they hide the information of the message. Finally, we require stronger efficiency requirement that stipulates that the size of the share S sub X is independent from the width of the circuit C. This will be useful for constructing ABE with independent parameter size. I briefly explain how we instantiate the secret sharing scheme. Basically, the construction is obtained by modifying the ABE scheme by Bonnet et al. that we call BGG+. The construction matches the syntax of secret sharing scheme because of certain decomposability condition of BGG+. The security of the construction directly follows from that of BGG+. Also, the efficiency of the construction follows from the succinctness of secret keys of BGG+. In actual construction, the syntax and the construction are a bit more complex. We incorporate the ideas from QWW18 due to technical reasons. We refer to the paper for the details. Then, at the first attempt, we try to construct an ABE scheme by combining C.R. Olegl and Sahai's idea with the secret sharing scheme. To set up, we prepare two L public keys of the plain public key encryption scheme. These public keys will be the master public key of the ABE scheme and master secret key of the ABE scheme is the corresponding secret keys. To encrypt a message for a policy that is specified by circuit C, we first secret share the message and C to obtain two L shares. We then encrypt the shares using the corresponding position of the public key. The secret key for a string X is the subset of all secret keys of plain public key encryption that corresponds to the string X. Using the secret key to decrypt the ciphertext, the decryptor first recovers S of X by decrypting the ciphertext of the PKE using the corresponding position of the secret key. If C of X equals to 1, then the decryptor can recover the message from S of X. While this construction satisfies correctness and with independent compactness of parameters, this is not secure. This is because if two users whose attributes are all their string and all one string collude, they can recover all the secret keys of the PKE. Now I'm going to explain how to add collision resistance by modifying the construction in the previous slide. Our first idea is instead of letting the decryptor learn S of X, we let it learn hyperplane obfuscation of S of X. Now I'm going to explain what is hyperplane obfuscation. The hyperplane obfuscation allows one to obfuscate a vector V. Given the obfuscated circuit, one can check if the vector V is in an hyperplane or not. But the circuit does not leak any information beyond that. In fact, such obfuscated version of the share S of X is enough for decryption. If C of X equals to 1, we have the following equation. This equation says that the share S of X is in some hyperplane specified by the noise term and the message. Since the noise term is polynomially bounded and the message is 0 or 1, this means that the decryptor can find the hyperplane on which S of X is located by brute force search. In particular, it can recover the message. We then consider what kind of security is required for the hyperplane obfuscation. Since the collusion of uses is allowed, the adversary may recover S of X for multiple X. Even though S of X is individually should run them, multiple S of X are correlated and possibly cause a problem. So the question is what kind of security do we need for the obfuscation to handle this problem? The answer is that we need the following security property. If the VI is individually should run them for all I, we need that the obfuscations of multiple VI are indistinguishable from obfuscation of random vectors even if the set of VI is correlated. I then explain how to instantiate the obfuscation. It turns out that extremely simple construction of obfuscation suffices for our construction. The obfuscation of a vector V consists of g to the r and g to the rv for random r. To check if V is in the hyperplane specified by an affine function h, we check if g to the hv equals to 1 or not, where g to the hv is computable from the group elements by taking linear combination among them. The intuitive reason why this works is that the randomness r prevents the adversary from combining different obfuscation of different vectors to obtain minimum for information. For the construction, we can prove its security and the variant of co-assumption introduced by Buellens and we. The co-assumption we require is as follows. If the adversary distinguishes group elements whose exponents are on some hyperplane from random group elements, then there exists another adversary that outputs a vector that is orthogonal to the hyperplane. This intuitively says that the only way to distinguish the group elements is to find an orthogonal vector to the hyperplane. In fact, the co-assumption introduced by Buellens and we is defined on groups without bilinear maps. However, we require the assumption to hold on bilinear groups. Furthermore, we also require the assumption to hold with auxiliary information while Buellens and we do not. This causes a subtle problem and we refer to the paper for the details. Next, I explain how to combine obfuscator and secret sharing scheme. In our idea, the encryptor generates shares of the message and the circuit C that specifies the policy. We want the decryptor with attribute x to learn the obfuscation of vector is sub x. The question is how do we encrypt the shares so that the decryptor only learns the obfuscation and nothing else? To achieve our goal, we introduce functional encryption for ad-marled product. I then explain what is functional encryption for ad-marled product. In the functional encryption for ad-marled product, a ciphertext encrypts a set of group elements in source group of bilinear maps that encode a matrix. Similarly, a secret key is associated with a set of group elements in source group of bilinear maps that encode a matrix. If we decrypt the ciphertext using the secret key, we obtain an ad-marled product of the matrices on the exponent of the target group. As for the security, we require the ordinary security requirement that the decryptor learns nothing more than the decryption result. We then explain that this suffices for our purpose. Let me explain it using an example. To encrypt a message, we first generate the secret shares. We then lift them to the exponent and encrypt it using the functional encryption. To generate a secret key, we first form a 2 times L matrix as follows. Namely, for each column, we put G sub 2 to the R in the first row if X equals to 0 and put it in the second row otherwise. Then we generate a secret key for this matrix using the key generation algorithm of the functional encryption. If we decrypt the ciphertext using the secret key, we obtain the ad-marled product between the matrices. Removing zero components from the matrix, we recover the obfuscation of the vector S sub X. More generally, the ciphertext and secret key can be written like this. It remains to consider how to instantiate the functional encryption for ad-marled product. We instantiate it using slotted public function encryption scheme for inner product, which is an extension functional encryption for inner product. The reason why we use the former is that we require a kind of simulation-based security. This can be instantiated from standard assumptions like matrix DDH assumption using existing construction. Here, I explain the final construction. To generate master public key and master secret key, we generate master public key and master secret key of the functional encryption for ad-marled product. To encrypt a message, we generate shares of message under the policy C. We then encrypt the shares using the functional encryption for ad-marled product. To generate the secret key, we form the matrix as I explained and generate the secret key of the functional encryption for this matrix. We also append G sub T to the R to the secret key. To decrypt, we execute the decryption algorithm of the functional encryption to recover the obfuscation of a vector sub X. As I explained, we can recover the message from the obfuscation. Here, I explain the intuition for the security proof. First, by the security of the functional encryption, we can guarantee that the adversary only learns the obfuscations of the vectors corresponding to the crafted attributes. Then, we can show that each vector sub X is sued random by the security of the secret sharing scheme. Finally, by the security of hyperplane obfuscation and by the fact that each individual vector is sued random, the obfuscations are computationally indistinguishable from the obfuscations of random vectors. Since obfuscations of random vectors do not leak any information of the message, the security follows. Here, we briefly discuss the security of our construction. Even though we prove the security in the standard model, we still require strong knowledge type assumption. The advantage of our proof over the proof in the bi-linear group model is that we allow the adversary to use representation of group elements to attack the scheme. This difference is similar to the difference between algebraic group model and generic group model. Let me conclude. In our work, we constructed the CP-ABE with independent parameter size from secret sharing with compacted shares from LW assumption, hyperplane obfuscation from a variant of Coal assumption, and slotted functional encryption for inner product from MDH assumption. This implies optimal broadcast encryption from bi-linear maps and LWE in the standard model. The construction from more standard assumption is still open. Thank you for your attention.