 Thank you Pierre. So traditionally cryptography treats the problem of communication between two parties over a public channel and we assume there exists an adversary listening to this communication and we build schemes such that the adversary can get no information about the message transmitted. However now encryption is used in more complicated ways such as satisfying access policies or identity based encryption or attribute based encryption. In this work we focused on something that has been given much attention recently which is computations on encrypted data. The main idea is that it should be possible to publicly learn the property on a massive encrypted data set by only looking at encrypted data elements. So suppose you have a server that has stored a bunch of ciphertexts and we would like to allow the server without being able to decrypt to execute various computations like indexing or range queries or data clustering keyword search or general computations. What works to this notion are format preserving encryption, public key encryption with keyword search and others, but the notion that inspired our work, our line of work is order preserving encryption introduced in 2009 by Baldera, Chenette, Lee and O'Neill. In the order preserving encryption setting the message space, the plaintext space admits a partial ordering and the scheme is built in such a way that the encrypted ciphertexts admit the same partial order. So essentially the computation that the server can execute here is to compare the ciphertexts and they use something about the partial ordering of the messages. For these guys so that in order to get strong security guarantees from such schemes the ciphertext space has to be very sparse and actually it has to be so sparse that the schemes would be totally impractical. So they prove that either we get strong security guarantees like INDCPA security and the size of the ciphertext space is exponential in the size of the message space, therefore the scheme would be impractical and or they assume that the plaintext distributions have sufficiently high minentropy. So they consider this weaker security notion where the messages to be encrypted are sufficiently random. And inspired by this work we asked if there are properties or schemes with no such restrictions namely practical schemes but with strong security guarantees. So the first step to generalize this notion of property preserving encryption is to generalize the notion of a property. We define the property to be a function on K messages which outputs 0 or 1. Our property preserving encryption schemes contain the three usual algorithms set up encryption and encryption and a new algorithm called TEST which acts on case ciphertexts and outputs 0 or 1. As you might have guessed the testing algorithm should output the same value as the property we have decided at the beginning of our scheme namely if you apply the testing algorithm in case ciphertexts it should give you the property P on the corresponding K plaintexts. And this is the second generalization we considered here. So notice that in order of preserving encryption the testing algorithm was there. The testing algorithm there was the comparison of the ciphertexts so the test and the property P were the same however in our case we allowed the testing algorithm on the ciphertext to be something different. We just require that it outputs the same property and since we require that this algorithm is publicly computable we needed to use a symmetric key encryption because if we allowed someone to encrypt using a public key then he would be able to create a ciphertext for any message and for non-trivial properties he would be able to use the testing algorithm and extract too much information from a challenge ciphertext using the ciphertext he created. So we stick to the setting of symmetric key encryption and let's see our main goal, our strong security that I mentioned. This is a security notion we adapted from a paper by Belar the site Joquip and Rockaway. This was a work on symmetric key encryption and it was called left-to-right security. In this security game the challenger picks a side, uniformly random at BB either left or right and returns the encryption of either the left messages or the right messages. You will see how that works. First he gives the public parameters to the adversary and the adversary makes queries of that form, pairs of plaintexts. Depending on the BB the challenger returns the ciphertext of either the left or the right message and this continues for a polynomial number of steps. At the end of the game the adversary has either encryption of all the left messages or all the right messages and tries to guess the BB and break the scheme. Now since in property preserving encryption the adversary is allowed to learn the value of the property on any case subset of plaintexts we have to impose the following so-called equality pattern restriction. He says that if you pick any subset of game messages on the left sequence and you apply the property P on them it should give you the same result as if you apply the property on the same subset on the right sequence. If there is restriction where and true the adversary would be able to use the testing algorithm and break the scheme trivially. However the so this is our main goal to build practical schemes that satisfy this security notion. However the problem with this notion is that it has so many challenge pairs and we considered a simple security notion again it was introduced in the same work called find then guess security or in other works single challenge security which has only one challenge pair. So again the challenger picks a side B and now the adversary is allowed to make single message queries at first. The challenger responds with the ciphertext of the message and this continues for as long as the adversary wants. At only one point the adversary is allowed to make a challenge query that contains two messages and now depending on the bit B the challenger returns the correct ciphertext either the left or the right. After that the adversary makes another single message query phase and as before we have to impose a similar restriction on the left and the right sequence where the left and the right sequence here is the one that consists of the single messages, the left challenge message and the single messages after the challenge pair and the right sequence accordingly. So initially in our work we tried to prove using a hybrid argument that these two notions were equivalent that's what these guys did in the standard symmetric key notion and if we could do that we would be able to get left or right security by only proving FTG security. However we discovered surprisingly that this is not possible for property preserving encryption. The intuition behind that is that in the left or right security game it might be the case that the left sequence is not reachable from the right sequence using only one step changes, one message changes and this depends on the property at hand. So in this case we say that the two sequences here have the same equality pattern but they belong to different reachability classes. Other way to see this is that the FTG security notion says that two sequences are indistinguishable when they differ only in one message, this one the challenge message here. Therefore although they have the same equality pattern and the same reachability class while left or right security says something stronger that all sequences with the same equality pattern are indistinguishable. And this is the main result of our work that in property preserving encryption the left or right security is strictly stronger than finding a security and by generalizing the notion of finding a security by allowing more challenge pairs, constant number of challenge pairs, we discovered that there exists an entire hierarchy of strictly stronger notions of security. In the following slides I will present the proof of the first theorem, the separation result between FTG and left or right. As usual we assume there exists an FTG secure scheme pi and we construct a new scheme pi star which is FTG secure but not left or right secure. To do that the first step is to define the message space and the property p that is to be tested. So our message space consists of the integers modulo a prime p and we know that the set of quadratic residues, the squares modulo p can be defined and the set of quadratic non residues, the remaining elements. And from number theory we know the following fact that if a number is the product of two other numbers in z p star then this number is a square if and only if both factors are in q r or both factors are in q n r. We are going to use this fact in the following slides in the proof. So the property that our scheme preserves, the scheme pi, is similar to this theorem. It takes two messages x and y and outputs one if and only if their product is quadratic residues. And as I told you we assume that pi is FTG secure on this property p. Now we have to create a new scheme pi star such as that it is FTG secure but not left or right secure. To do that we define the setup algorithm, it calls the setup of the original scheme and samples a random bit t from 0 or 1, uniformly at random. I will be referring to this bit as the one time pad. You will see in a second why. The encryption algorithm calls the encryption of the original scheme and outputs the cipher text c t and every time it is called it samples a random bit b. If b equals 0 it outputs the cipher text, the value of the bit b and the one time pad t. Otherwise it outputs the cipher text, the bit b and the one time pad masked with the sign of the message to be encrypted where the sign is this function similar to the legendary symbol which tells you whether the message is a quadratic residue or not. So essentially the one time pad here masks the sign of the message. Now let's see why this scheme is FTG secure. As usual we have to build an attacker for pi using an attacker on pi star. The FTG security game is shown here. We have a single message squeeze, a challenge pair and then again single message squeeze. And according to our quality pattern restriction for the property at hand, for the property for quadratic residuality, it should be true that if you apply the property on a single message and the left challenge message it should give you the same value as the right side. Now let's see what this means for our attacker and this specific property. In case one where the signs of the challenge messages are the same we can have single messages because if this is for example a quadratic residue you get the same result for the product in both sides. However in case two where you have a quadratic residue on one side and a quadratic non-residue on the other side, if we had a single message here and let's say this was a quadratic residue, the product would give you one on one side and zero on the other side according to the theorem I showed you. Therefore in this case no single message queries are allowed by our assumed attacker. So to build the simulator for the pi scheme here is on the encryption of pi star in combat form. Something on the case the simulator acts differently. So in the first case where the challenge messages have the same size our simulator picks the one time pad himself and simulates the game perfectly by answering all single message queries. He can do that because he knows their sign and the challenge query as well. Again he knows the sign of the message that is encrypted. He doesn't know which message is encrypted here, the left or the right, but since the sign is the same for both left and right he's okay. And for the second case where the signs of the two messages are different the simulator responds to the only one query with CT and two uniformly random bits. And since the attacker has seen only this ciphertext these are uniformly distributed. Because as I told you in case two he gets no ciphertext from single message queries. Therefore pi star is FTG secure. Now to conclude the proof we have to give an attack for the left or right security and the attack is obvious. In one side we can query for all quadratic residues and in the other side for only quadratic non residues. This is a valid attack because if you pair any two in one side you get a QR and in the left side as well. If you multiply a quadratic non residue with another non residue you get a square quadratic residue. And it's successful because with very high probability the attacker will get a ciphertext where B equals zero, he will get the one time pati and using another ciphertext where B equals one he can deduce the sign of the messages and check whether it's on the right side or the left side. And that concludes the proof of our main theory. For the hierarchy we follow a similar way. We assume there exists an FTG and secure scheme pi where n is a constant integer and we construct a scheme pi star with the required properties. I won't go into the details of that proof. The two cases are similar. We have a case one where single messages are allowed but all signs are the same and case two where only challenge queries are allowed and all signs in each pair are different. However, notice here that our simulator in this case has to output ciphertexts for both quadratic residues and quadratic non residues and therefore the extension from the previous reduction is not that trivial but the main ideas are similar. So in this case we use an n time pad to encode information about sign and in case one we simulate the game perfectly and in case two we output suitable random integers. We have correct simulation until n challenge queries and if we allow n plus one challenge queries we get a break with constant probability. There are other security notions as well that we consider but I will not go into them and I will not switch to the constructions of the schemes. So for unary properties there is a trivial generic construction. Just include the property p in the ciphertext. For binary properties there is a generic construction as well using predicate encryption. However, to get left or right security it requires very strong security guarantees from the predicate encryption scheme which are not known to exist for non-trivial properties. Therefore in our paper we presented an explicit construction for testing orthogonality. And finally for tenary properties and above it is still an open problem. I will go through our explicit construction quite quick. So our scheme works in a bilinear groups of composite order where the order is product of two prime numbers and therefore we get two subgroups g0 and g1 where if we assume that these are the generators then this independence property is satisfied. If you pair an element of the first subgroup to an element of the second subgroup you get one. The property as I told you the property that our construction preserves is the orthogonality of n dimensional vectors. These are the messages of our scheme and it outputs zero if and only if their inner product is zero. Let's see how our construction works. To create the secret key we pick two generators g0 and g1 of the respective subgroups and m plus 1 exponents such that v square is equal to the sum of the squares of t. For the encryption of a message we just pick two random exponents and output this huge cipher text. Notice that the components of the message are only exponents in the first subgroup while the components of the secret key are used as exponents in the second subgroup. For the testing algorithm you just get two cipher tests and you just pair the respective components together. If you do the math from the first pairing you get e of g1 comma g1 to the r plus v square while from the product of the n remaining pairings you get e of g0 g0 to something that has the inner product of the two messages in the exponent and e of g1 comma g1 to the r prime to the sum of the t's. Therefore according to the way we picked our secret key these two parts are equal and our testing algorithm can compare this term with this term and it uses whether the two messages are orthogonal by not knowing any secret information just by executing pairings. I will conclude the talk with the new directions for property preserving encryption which are numerous as you can see. There are many interesting properties like ternary properties, arithmetic progressions or geometric states and we suggest using lattices since pairings seem suitable only for binary properties. And there are many applications for property preserving encryption like privatizing popular algorithms such as clustering or data classification. Finally final direction is to generalize the properties to functions so the properties output only 0 or 1 and instead of that we can have a function that outputs a specific value and then we would get powerful public computations on encrypted data. And that's all. Thank you. So we have time for a quick question. Yes? Thank you. In your separation result you assume the existence of a scheme that's secure with respect to a particular property, right? Yes. The reason I'm asking is because you require some amount of computation on ciphertext on one hand. On the other hand this notion cannot be secure for a public encryption and the third thing is for schemes that allow computation of interesting functions on ciphertext you can prove that symmetric and public are equivalent. The might it's plausible that you can combine these three in order to show that you actually cannot have a secure property preserving for interesting properties or for smooth enough properties or whatever which if that's true that would render the separation result mute because it just says that the property you assume exist cannot exist in a secure scheme. So my question is whether you looked at trying to prove that certain properties cannot have it seems plausible that you can show that is essentially what I'm saying that certain properties that interesting enough properties cannot have a secure encryption scheme associated with them. Well so what's the question the exact question if we looked into that? Yeah I mean do you know anything about showing our main focus properties have or don't have secure encryption associated with them? No we didn't look all properties but our main focus was to show that there is no general way to go from one notion to the other that there exists some properties That's only under the assumption that specific properties do have encryption, secure encryption scheme. I mean in order to prove the separation we had to assume that an FTG secure scheme existed. So that property yeah you looked at properties that are sort of efficiently testable because this property wasn't efficiently testable right or this property the orthogonality property the quadratic residual property that you had it is official oh sorry that was okay maybe I just looked at the wrong thing it only used pairings and multiplications oh okay I want to know whether we're any closer given your results to practical order preserving encryption. Can you repeat the question including here? Given your results are we any closer to a practical order preserving encryption OPE? Not yet no thank you so one quick question for your separation did you need quadratic residuality or could you have just done it with normal encryption and have the property to be the last bit like the last bits are the same? Yes we didn't need it we just needed a property that had the same that works the same way as quadratic residuality. Just any encryptions yeah we just wanted to have a to show a concrete property. Any other question? No so let's Yanis again and hold the speaker of this session.