 Hello everyone. I'm Takashi. Today I will talk about adaptively secure constraints through the random functions in the standard model. This is a joint work with Alex, Shuichi, Yo, and Shota. Through the random function, PLF is a fundamental primitive in cryptography. PLF is a key function that is indistinguishable from a random function if a distinguisher is only given or her access to the function. As a classical result, it is known that there is a construction of PLF based on any random function. Recently, there was a proposed extension of PLF called Constraint PLF or CPLF. In CPLF, given the key k and the constraint c that defines a certain predicate, we can generate a constraint key denoted by k sub c. By using the constraint key, we can evaluate the PLF on any input x that satisfies the predicate. That is, as correctness, we require that for any input x such that c of x is equal to 1, we can use this constraint key to evaluate the PLF value. On the other hand, as security, we require that for any input x such that c of x is equal to 0, PLF value looks random even if we are given the constraint key k sub c. More formally, for defining the security of CPLF, we consider the following security gain. In the security gain, ADBOT we can make the following three types of queries. The first is the key query. In the key query, ADBOT we submit a predicate c and then the challenger returns a constraint key corresponding to this predicate. The second is evaluation query. In this evaluation query, ADBOT we submit some input x and then the challenger returns the PLF value on this input x. The third type is the challenge query. For the challenge query, ADBOT we submit some input x star that must satisfy a certain condition to prevent trivial attacks. And then the challenger picks a coin informally from 0 or 1. And if coin is equal to 1, challenger returns the PLF value on the challenger input x star. And otherwise, it returns a uniform string y in the range of the PLF. And ADBOT's goal is to guess which is the case and its output is guess coin prime. We see that ADBOT we win the game if coin prime is equal to coin. And we see that the CPLF is secure if for any ADBOT the probability of correctly guessing is almost 1 half. In more detail, there are several flavors of definition of the security of CPLF. And in particular, in this work, we consider the following two axes of strength level of security of CPLF. The first is selective security versus adaptive security. In the adaptive security, ADBOT we can make its query in arbitrary order. On the other hand, in selective security, the order is restricted in a certain way. So of course, adaptive security is stronger than the selective security. And as a second, we also consider single key security versus Q collision resistance. In the Q collision resistance, ADBOT we can make at most Q key queries. On the other hand, in the single key security, ADBOT we can query only one key query. And of course, if Q is larger than 1, Q collision resistance is stronger than single key security. So ideally, the optimal security notion of CPLF is adaptive and Q collision resistance for any polynomial Q. Here I would like to review non-contractions of CPLF. And I would like to divide non-construction into the following two categories. The first category is construction from standard assumption. There are a lot of construction in this category. However, all the constructions only achieve selective security. And most of them only achieve single key security. So we would like to ask one question for this category. Our question is, can we construct adaptive, secure, and collusion resistant CPLF for any functionality from standard assumption? So this is our first question. And the second category is construction from obfuscation. By using obfuscation, Bonnie and Tandry showed that we can construct collectively poly-collusion resistant CPLF for p slash poly. However, this only satisfies selective security. And interestingly, though obfuscation is a very strong frame-tip, it turns out very difficult to construct adaptively secure CPLF even using obfuscation. And in 2015, Ohm-Bagger et al. constructed adaptively secure CPLF for puncturing functionality. However, so puncturing is a very limited functionality. So this is not sufficient. And recently, in 2019, Atropardon et al. improved that result to construct adaptively and single key secure CPLF for NC1 from obfuscation. However, this is not still sufficient because single key security only satisfies single key security and the function cloud is limited to NC1. So our question for this category is, can we construct adaptively secure and collusion resistant CPLF for p slash poly, which is the class of all polynomial-sized circuit? And here I would like to remark that we omit construction relying complexity-leveling or random oracle. And we focus in construction in the standard model from polynomial hardness assumption. So in this work, we construct three new constructions of adaptively secure CPLF. The first construction is adaptively secure and all the word collusion resistant CPLF for the class of TC and F for any constant T from one-way function. Here, TC and F is a predicate that is expressed as an end of many clauses that each of which depend on at most T input bits. And especially, this class includes bit-fixing functionality because bit-fixing is exactly one CNF. Second, our second construction is adaptively single key secure CPLF for inner product functionality from LWE. And our third construction is adaptively secure and all the word collusion resistant CPLF for p slash poly from indistinguishability of application and LWE. And here I note that the first two construction also satisfy weak one-key privacy, which roughly says that the constraint key doesn't reveal the constraint that is associated with the key. So from now, I would like to explain each construction in more detail. So our first construction is adaptively order one collusion resistant CPLF for TC and F for any constant T from one-way function. As a historical note, in the first version of our work, we constructed adaptively order one collusion resistant CPLF for a smaller class of bit-fixing. And after that, Tabary observed that we can trade the collusion resistance and the functionality to achieve single key security for TC and F. And in the current version of our work, we take the both advantages. That is, our scheme, our CPLF is order one collusion resistant and at the same time, we that supports the TC and F functionality. And I also note that in the concurrent work of PyKalm GACN, they also gave a similar construction to ours, but they only approved selective and single-key security. Our construction is based on a combinatorial construction from normal PLF. And for simplicity, we focus on the special case of bit-fixing in this talk. This is the construction of adaptively single-key CPLF for bit-fixing. Here, bit-fixing predicate is described by your string V that consists of zero, one, or asterisk. That means the wild card. For input X, we say that X satisfies the predicate V if Vi equals Xi, or Vi is wild card for all i. Then the key of our CPLF consists of two L keys of the underlying normal PLF. And the CPLF on input X is defined to be X or of L evaluation of the underlying normal PLF using a key that is chosen according to each bit of X. Then for predicate bit-fixing predicate V, a constant key case of V is said to be a subset of these keys chosen according to the predicate V. For example, if L equals 5 and V equals 0, one asterisk, then KV looks like this. And for example, if we want to evaluate on 0, 1, 0, 0, 0, then that is possible because 0, 1, 0, 0, 0, 0, so the corresponding key is contained in KV. On the other hand, if we want to evaluate on 0, 0, 0, 0, 0, 0, then K2, 0 is missing, so we cannot evaluate that using this KV. And similarly, in general, we can prove that this construction satisfies the security if arbitrary only obtains at most one key. However, unfortunately, it is easy to see that this construction can be completely broken by using two key queries, so we have to modify the construction to achieve collusion resistance. For achieving a Q-collusion resistance, our idea is to associate each normal PRF key with Q-input bits instead of 1, like this. And overall structure of the CPRF is similar to the single key secular case, so that is XOR of evaluation of the underlying normal PRF using key that is chosen according to each bit of X. And I will not explain the detail of the security proof, but by some simple combinatorial argument, we can indeed prove that this is Q-collusion resistant. And as for efficiency, because the number of each CPRF key consists of 2L to the Q normal PRF key, so for keeping this to be polynomial in the security parameter, we have to set Q to be a constant. And that's why this construction is only limited to all the one-collusion resistance. Next, I'll move on to the second construction. Our second construction is adaptably single key secure CPRF for inner product from LVE. Inner product predicate is specified by integer vector Y, and for integer vector X, X satisfies predicate specified by Y if the inner product between X and Y is there over the integer. Our construction is divided into the following two steps. In the first step, we construct selectively secure CPRF for inner product based on existing construction of key homomorphic normal PRF. I know that the concurrent work of Picard and Chiehien also gave a similar construction for this selectively secure construction. As a second step, we modify the selectively secure construction to achieve adaptive security by using a technique taken from loss-c mode of LVE and partitioning technique inspired by a recent work of Libert et al. Our starting point is a loss-based key homomorphic PRF by Banerjee and Picard. In the construction, there is a public matrix denoted by A, and the second key of the PRF is a vector S. Then, for evaluating the PRF on input X, we first compute certain matrix A sub X that is associated with input X from A by using BGG plus 14 homomorphic evaluation technique. And the detail of this part is irrelevant for the part of this talk, so I would like to skip this part. And then, after generating the matrix A sub X, the PRF value on input X is set to be S transpose A sub X rounded module P. So here I would like to explain how to modify the BP14 construction to obtain selectively secure CPRF for inner product. The difference from the BP14 construction is that the secret key is said to be a matrix instead of a vector, and the input of the PRF is an integer vector instead of a bit string. And we use Sx, so Sx plays a role of the secret key in the BP14 construction, and this is the construction of the selectively secure CPRF. And for generating constraint key for predicate Y, we first uniformly choose a random vector D, and then we set the constraint key K sub Y to be S plus D tensor Y. And by using this constraint key for evaluating the PRF, we just use K sub Y instead of the secret key K like this. And then by definition of K sub Y, we can write this like this. And if the inner product between X and Y is equal to 0, then this additional term disappears, and so this is equal to the original PRF value. On the other hand, if the inner product is not equal to 0, then this additional term remains, and so this can be written like this. And here we notice that this term is actually the PRF value of BP14. If we see the other secret key of the BP14, this means that this value is the original PRF value shifted by another PRF value. This means that this value computationally hides the original PRF value, and that's why we cannot use this constraint key to evaluate the PRF on input X such that inner product is not equal to 0. And this intuition can be turned into formal proof in the selective setting. However, unfortunately, we cannot prove the adaptive security in this way, so we have to use additional ideas to achieve adaptive security. For achieving adaptive security, we will rely on the technique often referred to as a lossy mode of LVE. The LVE assumption says that a LVE tupper of the form A, D transports A plus noise is computationally indistinguishable from uniform. And in this context, we consider two modes for the public matrix A. The first mode is the injective mode. In the injective mode, the LVE tupper information theoretically determines the secret vector D. On the other hand, in the lossy mode, the LVE tupper leaks almost no information about the secret vector D. And interestingly, it is known that we can generate matrix in the injective mode or a lossy mode in such a way that they are computationally indistinguishable. Extending these notions, recent work of Libert et al. introduced a technique which we call time-times injective mode in the following sense. They gave a way to generate a public matrix A so that the following three conditions are satisfied. First, A is to the random assuming LVE. Second, a matrix A sub x can be efficiently computed from A and x. Third, for any x1 to xq and x star for any polynomial q, the probability that A sub xi is lossy for all i and A sub x star is injective is one over poly. So, in this condition, we consider q plus one matrices and the first q matrices are lossy but only one matrix is injective and that's why we call this technique time-times injective mode. This is our construction of adaptably secure CPLF. This construction is very similar to the selectively secure construction except for the differences that we take a randomness extractor at the last of the evaluation. And also, we define the matrix A sub x so that we can set this matrix to be in the sometimes injective mode in the security proof by using the technique of Libert et al. Then I will explain the proof sketch of the adaptive security. So, first, we implicitly set S to be S hat minus D tensor y by using the uniform matrix S hat. Here, I know that this S is the master secret key of the CPLF and so this is not given to the add-about tree. So, the reduction algorithm doesn't need to explicitly compute this S and further reduction algorithm actually does is to just pick a uniform matrix S hat. Then by using this S hat, the constraint key case of y is easy to simulate because this D tensor y is cancer so the constraint key case of y is just equal to S hat. Let x1 to x2 be the evaluation queries and x star be the challenge query. Then, if we set A sub x to be in the sometimes injective mode, then the probability that A sub x sub i is lossy for all i and A sub x star is injective in one over poly. Then, the PR values on this evaluation query and the challenge query can be written like this. Here, because we assume that the A sub x sub i is lossy so this means that this term leaks almost no information about D. So, even if we are given all these PR values, D still has a lot of entropy. On the other hand, because we assume that A sub x star is in the injective mode so because D has a lot of entropy, this term also has a lot of entropy. Therefore, by using the property of the random extractor, we can conclude that the PR value on the challenge input x star is through the random and this completes the security proof. And what is important in this security proof is that after switching the public matrix to the sometimes injective mode, the rest of the argument is completely information theoretical and this is why this proof works in the adaptive setting. Our third construction is adaptively secure and all around collusion resistant CPRF for p slash poly from indistinguishability of fudgation and LWE. And our construction is basically obtained by obfuscating a primitive called shift-hiding-shiftable function that is constructed based on LWE by Paikatan Shehien. So, our construction looks like this and unfortunately I don't have enough time to explain the detail of the construction and security proof but our main idea is to embed previous key queries into free-challenged key queries. And this idea is very different from the previous work of Bonham Chantry through constructed collectively secure CPRF from obfuscation because they embed the challenge into all key queries. Finally, I would like to introduce several applications of our constructions. After uploading the initial draft of our paper, Tabali used our past construction to construct adaptively secure ABE for TCNF and actually she gave a generic conversion from adaptively secure CPRF to adaptively secure ABE. If we assume certain property for the underlying CPRF, unfortunately, her conversion is not directly applicable to our second CPRF because that doesn't satisfy the condition. In the recent work of ours, we generalized Tabali's framework to be applicable to our second CPRF and as a result, we obtained adaptively secure IPE from LWE which has been open for all motor decade. This is our summary slide. Thank you for your attention.