 Hi everybody. So let me just remind you about the classical public key encryption setting. So let's say we have three players, Alice, Bob and Charlie. Let's say Bob has the secret key, Alice has the public key. So Alice can now encrypt messages posted on the bulletin board. However, but the problem with this is that only Bob can now decrypt the message and compute functions of the message. So the question that I asked in the stock is the following. How can we allow Charlie to learn functions of the message? So in particular, I'm going to say we're going to be dealing with circuits. I'm going to denote them by C. How can we ensure that Charlie doesn't learn anything but the output of the function? At the same time, we would like to make sure that Bob does as little work as possible and he can go offline. So let's look at some of the trivial solutions that you can think of. So you can say why not just ask Bob to send the secret key to Charlie? Of course this has an immediate problem because now Charlie can decrypt and learn everything about the message and not just the output of the function. On the other side, you can say why not say Alice and ask her to send the ciphertext to Bob? Bob can now decrypt, compute the function of the message and send the result to Charlie. Of course, this requires Bob to do the computation and that requires Bob to stay online at all times. So another solution you can think of why not use fully homomorphic encryption? So in particular, why not ask Charlie to compute encryption of the output of the function, send the ciphertext to Bob? Bob can now verify decrypt and send the result to Charlie. Now, the function encryption comes in to actually help us solve all of these problems. In particular, it says the following. How can we allow Charlie to learn a function of a message M? So I'm going to say let's see denote a family of circuits and let M be the message space. So now Bob can do the following. Now Bob can run a special key generation algorithm on the master secret key and a particular circuit from the family. He can send it to Charlie and now he can go offline without having to communicate to him ever again. So now when Alice sends the ciphertext, Charlie can run the special decryption algorithm on the secret key and the ciphertext and learn the output of the function. And the security says the following. Security intuitively says that Alice shouldn't learn anything about the message M except for the output of the function. And there are various ways of formalizing which I won't go into the details. Okay, so let me give you a simple example. Let's say we have three players. Let's say we have a doctor who wants to go on a vacation. At the same time, he has patients and he wants to make sure they're taken care of. So what he can do is he can define a special C as a circuit that opens special urgent emails defined by the doctor. He can send the secret key to the secretary, for example. The secretary can now get an email which is an encryption of an email, run the decryption algorithm and learn the email if and only if the email is urgent. So there are various special cases of function encryption, for example, identity-based encryption. In identity-based encryption, we view a family of circuits being indexed by an ID and the message consists of two parts, ID prime and a payload. And the property is the following, that the decryptor should be able to learn the payload if and only if ID matches to ID prime. And there are various other special cases of function encryption. Now in the stock I asked the following question, can we actually construct function encryption for all circuits? And the answer that I give you is yes, with a small catch. And what is the catch? Well, the catch is the following, is that the number of functions that Charlie can compute is now going to be bounded by some queue. And this queue is going to be fixed before the setup. In particular, I'm going to require that if Charlie gets secret key 1 up to secret key subq, he can compute and learn the output of all these functions, but he shouldn't be able to learn anything about the message m other than the output of these functions. A alternative way of looking at this is in the bounded collusion setting. In particular, let's say we have many charlots. Each one of them gets one or more secret keys for different functions. If all of them now try to collude and learn about something about the message m other than the output of the function, they shouldn't be able to do so. So let me just quickly mention that previously this relaxation had to be studied in a number of works, for example, CCA secure or bounded collusion IB. So our results as the following. We show how to construct a queue bounded, not adaptive simulation secure function encryption for all policy circuits. Assuming CPA secure public key encryption and PRG is computable in the low depth. Let me just say one thing. If you are interested in the bounded number of messages, this result actually extends to the adaptive setting. Now, if you're worried about the later assumption that is PRG is computable in low depth, you shouldn't be, because it's implied by the standard hardness assumptions, such as factoring discrete log and lattice problems. So let me make a quick note, in particular, if you're trying to construct public index predicate encryption, then you don't need the later assumption. So I already told you what queue bounded is, and you asked the question, why do we restrict ourselves with this bound queue? Why not consider an unbounded setting? We have a result that says for unbounded collisions, it's actually impossible to construct function encryption for all functions in the non-adaptive setting. On the other side, why do we restrict ourselves with a non-adaptive case? That is, the adversary can ask for the secret keys only before seeing the challenge ciphertext. Well, again, there is a result by BSW that shows that for adaptive simulation secure function encryption, it's impossible to achieve for all circuits. And finally, let me just mention that simulation security is the stronger of the two for function encryption, and particularly it implies in usability-based security. So let me give you a roadmap of our construction. So first of all, we're going to start with one query that is one bounded function encryption from SS10. We're going to combine it with some techniques for multi-party computation such as BJW, and we're going to obtain a bounded function encryption for bounded degree circuits only. And after that, I'm going to show you a bootstrap in theorem that converts a bounded function encryption for bounded circuits to unbounded circuits. So let me tell you a little bit what I mean by this bounded degree circuits. In particular, I'm going to say that for every circuit in the family, the circuit is going to be an L-variate polynomial over the field of degree D. And this D is going to come up throughout the construction. Okay. So let me just give you some intuition about one function encryption that is one query function encryption for all circuits from SS10. So in particular, you can view the ciphertext as being a universal garbage encoding of the message M, and the secret key for a specific circuit as simply being the set of input labels. So from the security of garbage circuits, we know that the user can now evaluate and earn the output of the function. However, he learns nothing about the message M. We also know that as soon as you give two secret key, two sets of input labels, the underlying schema can no longer be secure. Okay. So another property that I'm going to use in my construction is a property observed in BGW protocol about Shamir's secret chain. In particular, it says the following that you can actually perform computation over the shares. And what this means is that if I give you a share of a message M and you compute over the shares, what you get is a share of the output of the function. Now, this has a problem. And the problem is the following is that once you multiply two polynomials, the degree of the underlying polynomial increases. So in particular, this catch at this step of the construction is going to prevent us from achieving unbounded circuits. Okay. So let me actually go into the construction. So let's say I have a one query function encryption consistent of four algorithms. So our setup algorithm is going to do the following. So it's going to repeat setup for one query function encryption and number of times. And what is then, well, n is a simple parameter that I'm going to leave as unspecified for the rest of my talk. It's going to depend on both D and Q. Okay. Where D is this degree of the polynomial and Q is the number of collisions that you would like to achieve the construction for. So the second step, let's look at the key generation algorithm. Well, the key generation algorithm is given a circuit C. So the first thing it does, it actually chooses a random subset of the secret keys that it's going to use. Now, for each one of the secret keys, it's going to run the key generation algorithm for the same circuit for one query function encryption in order to get a secret key. And what it outputs at the end is a collection of all the secret keys. Now, the number of secret keys I'm going to set in a minute and you will see what it should be. Now, the encryption algorithm does the following. So it takes a message M. So the first thing it does, it secret shares M using degree T polynomial. Okay. And it obtains N shares and one up to M7. So now, for each one of the shares, it uses appropriate master public key to encrypt the share and get a ciphertext. Now, in the output ciphertext, it's simply going to consist of the collection of all the ciphertexts. Now, what does the decryption algorithm do? Well, the decryption algorithm is going to take the secret keys which it has and it's going to match it with corresponding ciphertexts. And it's going to run the one-query decryption algorithm in order to get C of M I for each I. Okay. Now, what is this? Well, I told you that by properties of Shamir's secret sharing, we can perform homomorphic computation over the shares. So in particular, in this case, C of M2 is going to be a share of C of M. So what this actually means is that what I get is a secret sharing of C of M. So given enough shares, what we can do is we can reconstruct C of M and learn the output of the function. Okay. Now, let's calculate how many secret keys we have to give to the decryptor. So in particular, let's say Mi is S of I, where S is a degree T polynomial. Okay. Now, I also assume that C is a degree D polynomial. In particular, this means that the composition of the two polynomials gives us a degree DT polynomial. So by Shamir's secret sharing, we know that as long as the decryptor has DT plus one shares, he can actually recover the output. Okay. Now, let's look at the second setting where a key generation algorithm is being run on a different circuit. Let's say C2. So again, remember that for each key generation call, we choose a random subset of the master secret keys that we're going to use in the construction. So let's say, for example, these are going to be the secret keys. So the view of the decryptor is the following. He learns C1 of M1, C1 of M2, and so on. He also learns some secret sharing of C2 of M. So however, what did I do here? Well, I did something illegal. In particular, I ran the one query function encryption on the same master secret key. And this could no longer be secure. So therefore, in the worst case, I'm going to assume that decryptor fully recovers the share M2. Okay. However, remember that we secret shared M using a degree T polynomial. So therefore, assuming that decryptor learns at most T shares, information theoretically, he learns nothing about the message M. So let me tell you about a few other technical problems that come into the proof. So first of all, I told you that we proved the construction to be secure under the simulation-based definition. So therefore, because the adversary learns C of M1, the simulator must also be able to simulate the same view. However, these are not random shares. Because how would we do that? Well, we computed the function over secret sharing of M. So therefore, it's unclear how to simulate it. The same problem has been observed in the BGW protocol. And the solution is actually quite simple. All the solution is to consider a new set of, a new family of circuits C prime, where the message consists of two things. It's secret sharing of M and it's secret sharing of zero. So what we're going to do is we're going to add the secret sharing that is this randomness to the output of C of M1. Now this creates another problem. In particular, because we add in random sharing of zero of the same polynomial between different outputs of the function, this relates some correlation. So again, it's unclear how to simulate this view. So the solution is to use a QY's independent random sharing of zero. So in particular, we're going to take a linear combination of some random secret sharing of zero and we're going to add it to the output of the function. And we're going to construct a function encryption for this circuit family. Okay. So what did we do? Well, we started with a one-query function encryption from SS10. We combined it with some multi-party techniques and we got a bounded function encryption for bounded degree circuits. However, I promised you more. I promised you for all policy circuits. And how would we do this? Well, the idea is to use randomized encodings. In particular, the observation that we use as the following is that the function that computes a randomized encoding for C is of low degree. So what this means is that we can actually now construct a function encryption that doesn't output C of M, but it outputs a randomized encoding for C of M. So given the output of that, we know that the decryptor can learn C of M, but from the security of randomized encodings and the security of underlying function encryption, he learns nothing but the output of the function. Okay. So let me just summarize what we have done. Well, we took a one-query function encryption. We'll combine it with some multi-party techniques and we got a function encryption for bounded degree circuits. And then we constructed unbounded decryptor for unbounded decryptor circuits using randomized encodings. So finally, let me just conclude with some open problems. Well, one of them you might ask is why not consider weaker definitions for function encryption, in particular, unusability-based definition. So you can ask whether or not you can construct function encryption for all policy circuits with unbounded collusions under unusability-based definition. Similarly, you can ask for new connections with multi-party computation, zero knowledge, and function encryption. That's it. Thank you.