 Okay, this is joint work with Fabiano Aguilomia and Carlos Raffles. Here's an outline of the talk. I will first describe the primitive of attribute-based encryption, then a relation between this primitive and a different cryptographic primitive. Then I will present quickly the new scheme, which is the first attribute-based encryption scheme with constant size ciphertext, and I will conclude with some open problems. The notion of attribute-based encryption can be traced back to that of identity-based encryption, introduced by Shamir in 1984. The center of message chooses an identity, and only people whose identity exactly matches this identity can decrypt. This concept was extended by Sahay and Waters in 2005 to fax the identity-based encryption. Now, identities are vectors or subsets of attributes, and in order to decrypt the identity of the receiver must match at least in T positions with the identity chosen by the sender. This threshold T is fixed for the system. So, a natural extension of this concept is threshold attribute-based encryption, which was introduced by Goyal et al. in 2006. Now, it's the same idea, only those whose identity matches at least T positions with the identity chosen by the sender can decrypt. But here the threshold T is chosen by the sender on the fly, so it may choose different thresholds for different encryptions. Of course, this idea can be generalized to more general decryption policies. So, in general, decryption policy will be a family. I'm not an increasing family of subsets of attributes. And only those people who have enough attributes, who hold enough attributes, a subset in the decryption policy, will be able to decrypt. So, here's a simple example with this decryption policy gamma. People who have attributes 2 and 3 will be able to decrypt. But we will require also collusion resistance, which means that, for example, if a user holds attribute 2 and a different user holds attribute 3 and they put together their secret keys, they shouldn't be able to decrypt a message for this decryption policy. And of course, the threshold case can be easily recovered as a particular case of this formulation. So, the protocols of an attribute-based encryption scheme are four. There is a setup phase run by a master entity. It takes us to input the security parameter and a global set of attributes. And USTAR produces some public parameters and a master secret key. Then a user must prove to this master entity that he holds some attributes, a subset A, and he will receive from the master entity a secret key, which will depend on this subset of attributes. Then to encrypt, the sender of the message chooses a set of attributes S and some decryption policy gamma and applies an encryption algorithm, which may depend as well of the public parameters. And finally, well, of course, in the ciphertext, the sender must include the description of the decryption policy. In the threshold case, the description of the threshold policy is just the set S and the threshold T. And to decrypt, a user takes the ciphertext and his secret key and runs the decryption algorithm. And then if the subset of attributes held by the user is in the decryption policy, he will obtain the original plaintext. What about security of attribute-based encryption? Of course, there are different notions of security for encryption, as usual, but in the literature on attribute-based encryption, this is the notion that is usually considered, which is one of the weakest ones, actually, is selective security and the chosen place. So it's defined by the following game between an adversary and a challenger. First, the challenger chooses a global set of attributes U star. Then, at this stage, an adversary must select the set of attributes S and the decryption policy gamma that he wants to attack in the future. The challenger runs the setup phase and gives the public parameters to the adversary and stores the master secret key. Then the adversary can make secret key queries. So for subsets of attributes which are not in the target decryption policy, he will ask for the secret keys corresponding to these subsets. At some point, the adversary chooses two messages in 0 and 1. The challenger takes one of these messages at random and encrypts it under the decryption policy gamma and gives the challenger's effort to the adversary. The adversary can make more secret key queries and, at the end, he outputs, I guess, a bit. So, of course, if the adversary wins the game, if he guesses the bit with probability significantly higher than one-half, we say that this adversary succeeds. And if no polynomial time adversary succeeds, then we say that the scheme is S in CPA secure. So this topic of attribute-based encryption has received a lot of attention in the last year, so some papers in quite good conferences. The proposed schemes consider different encryption policies and they use different tools, ranging from secret sharing to binary trees for DNF formulas, et cetera. But all of them have the drawback that the size of the ciphertext is at least linear with respect to the number of attributes involved in encryption. An exception is the scheme by Emura, it's all that is spec, all nine, but that has a constant size ciphertext but the consider decryption policies are quite restrictive because they are only threshold policies where the threshold is exactly equal to the number of involved attributes. So in this work we propose the first attribute-based encryption scheme which produces constant size ciphertext and which admits any threshold decryption policy. And we prove that it's secure, S in CPA secure in the standard mode. And for the more it can be extended to admit also weight threshold decryption policies where its attribute is assigned to one different weight and there's also a threshold and a user is able to decrypt if the sum of weights of his attributes is over this threshold. The thing that we exploited to design our scheme is a conceptual relation between attribute-based encryption and this other cryptographic primitive identity-based dynamic distributed encryption. So these kinds of schemes, it's really similar. There is a master entity which produces secret keys for the user. So each user has an identity and receives from the master entity a secret key for that identity. Then to encrypt the sender chooses a set of identities S and also a decryption policy inside this set S. And to decrypt some users different identities must cooperate, must interact and by putting together their secret keys to try to decrypt and obtain the original context. So only if the user who cooperates form an authorized subset in the decryption policy they will succeed. It's quite clear that there are similarities between this primitive and attribute-based encryption. So in particular we can take one such scheme and try to design an attribute-based encryption scheme based on this. So the idea is for the setup is exactly the same and then for the extraction of secret keys so its attribute held by a user will be seen as an identity. So we run the extraction key of the identity-based dynamic distribution distributed encryption scheme for this attribute and the secret key is concatenated, is added to the secret key for this subset of attributes. And then also the encryption and decryption work exactly the same as in the underlying scheme. So this leads to an attribute-based encryption scheme but which does not have complete security because this scheme is not secure and they're collision. Why? Because the secret keys are obtained in the same way by different users exactly in the same way. So for example if a method is encrypted for a threshold and decryption policy with threshold three, two users can collude one who holds two attributes and the other one holds only one attribute and they will combine their secret keys and will easily decrypt. So this contradicts the collision-resistant property that we want for attribute-based encryption. So if we want an attribute-based encryption we have to add something to this contraction and the idea is to modify the way in which secret keys are extracted. In some way the keys that are given to the same user must be linked, must be personalized in some way. So for example by adding some random value which is unique different for different users. So this is a general idea so this idea does not work always because we have tried with different schemes and not always succeed. But there's a precedent so this is not new for this work. In this other paper that will be will appear soon in a journal which is available at Aprim since 2008 these authors take an identity-based dynamic decryption scheme that the same method had proposed in Prophecyc 2007 and they managed to transform it into a secure attribute-based encryption scheme. And the properties of this scheme works for general decryption policies and in particular for racial policies the size of the ciphertext is 2 times s minus t plus constant. So in particular the result of m where at all where the threshold t was equal to s the number of attributes was already achieved in that work. So now the question was is there any other identity-based dynamic distributed encryption scheme that we can take and try to transform into an attribute-based encryption scheme? And the answer came the same year in 2008 in a paper by Delajable and Ponciabal at Crypto. There they proposed such a scheme with following properties it admits threshold decryption policies and it produces constant size ciphertext and they proved the security of this scheme selective security again under any assumption in the sequence of exponents this is an artificial assumption that they proved generically hard using the tools by Bonnet, Guayang and Gu. So we took this scheme and managed to transform it into an attribute-based encryption scheme with essentially the same properties. So I will quickly describe the scheme the details are in the paper so maybe it's not worth it to suspend a lot of time on it. So the scheme uses asymmetric linear pairings as a generator z for the first group and the generator h for the second group of prime-order p to encode all the attributes into different elements of zp star and we also need m-1 additional different values in zp star where m is the total number of attributes and the secret key of the master entity is alpha gamma which are two secret exponents and then there are other public values so the length of the public parameters in particular is linear with respect to m which is the total number of attributes. Then here in the key extraction is the main difference with respect to the scheme of Del Jable and Puan Xeval because their extraction protocol was deterministic actually for an identity the secret key for an identity was g raised to 1 over gamma plus the identity so we have to randomize this protocol by adding these values r which are chosen at random for each execution of this protocol and we have to add some additional values to the secret key of a user in particular again the length of the secret key is linear with respect to m the number of attributes and we want to stress that if we add an additional value in the public parameters e to the alpha then the user can check that the secret key is consistent by using the linear pairings and a crucial point is the existence of this protocol aggregate which was originally introduced by Del Jable and Puan Xeval in 2007 and the idea is to aggregate values powers of g into a value a different power of g that has in the denominator the product of the denominators and the same numerator so of course a user with the first values in his secret key can run this protocol and obtain that value but if different users put together the secret keys since there are different values r they will not be able to run this protocol correctly this is for encryption the sender just takes a random and exponent kappa and computes these three elements one in each group of the value in the map setting the safer text three elements therefore has constant size and for the second element which are powers of h with gammas the degree of gamma in the exponent is m plus t minus 1 so this is always less than 2m minus 1 so this value can be computed from the public parameters of the scheme then for the encryption if a user has enough attributes so it has a subset as of t attributes and inside the set s chosen by the sender then we can define this polynomial p evaluated in gamma this polynomial if the subset as has cardinality t then this polynomial has degree at most n minus 2 and so the user could compute this value in blue from the values the second family of values inside his secret key which were powers of h r gamma to the n minus 2 ok so then what can the receiver do he can run the aggregated protocol to obtain this value then he can pair this value with the second element in the safer text to produce this value l he can multiply l with this other value which is the pairing of c1 the value in blue multiplied to obtain this value the last exponent is public so it can be removed to obtain the value in green and finally he can pair the first element of the cypher text with the last element in his secret key to obtain this other value multiply the two values to get this value which is actually the one time key that has been used to mass the message ok so the scheme is really similar so it is natural that the security is based on a similar problem that the scheme so the security of the scheme was based on this problem the multisequence of exponents decisionally if we have a problem where we have three secret exponents kappa alpha and gamma then a set of different elements in zp star which define to polynomials f and g some samples of powers of g0 and h0 and the final goal is to distinguish between this element and a random element in gt so we were not able to prove the security of our scheme based on this computational problem but we did based on a very similar problem that we called the augmented multisequence of exponents decisionally if we have a problem there is an additional exponent omega and two additional rows of powers but the goal is still the same so in the paper you can find the reduction between the security of our scheme and this problem so just to conclude let me repeat that this is the first attribute based encryption scheme which has constant size ciphertexting which admits quite expressive decryption policies and there are still many problems that are open in this area for example there is only one attribute based encryption scheme which achieves full security so non-selective security which will be presented next week at Eurocrypt and of course the computational problems and the decryption policies of our scheme can be improved thank you