 We'll give the talk. Thanks, Daniel. So I'm going to talk about projective arithmetic function encryption. And we will see how to use this to construct IO from degree 5 multi-linear maps. OK. So in this work, we're going to focus on constructing IO. So all the current known constructions of IO are based on multi-linear maps. So multi-linear maps are essentially generalizations of binary maps. While binary maps allows you to compute quadratic functions in exponents of the group, multi-linear maps allows you to compute higher degree polynomials in exponents of the group. And in particular, we define degree D multi-linear maps to be one where you can compute degree D polynomials in exponents of the group. So the natural question to ask is, what is the minimum degree of multi-linear maps that you require to construct IO? So the ideal goal would be 2. So then we can just base IO on bilinear maps. However, the original constructions, starting with Garg et al, built IO from polynomial degree multi-linear maps. In last Eurocrypt, a very nice construction by Lin showed how to construct IO from constant degree multi-linear maps. However, this constant was large. Subsequently, work by Lin and Michael Tonath and showed how to achieve IO from 32 degree multi-linear maps. And in this work, we reduce this degree further and we show how to construct IO from degree 5 multi-linear maps. And on route, we give a new template to construct IO from constant degree multi-linear maps. And we hope that this template might be useful to reduce the degree further. So in order to show what is this template, let us revisit the template of Lin and Michael Tonath. So they show how to construct IO from constant degree multi-linear maps by going through collision resistant function encryption for Boolean circuits. So in order to construct collision resistant function encryption for Boolean circuits, you need to first start with M-maps, which natively performs computations on elements of large fields. So in order to construct IO for Boolean circuits, the first step would be to sort of arithmatize this Boolean circuit into an arithmetic circuit and then perform M-map computations over this arithmetic circuit. So this arithmatization step could potentially increase the degree of the Boolean circuit you start with. So in order to overcome this, we introduce this new template where we introduce a notion of FE4 arithmetic circuits and we show how to construct IO from FE4 arithmetic circuits and then we show how to achieve this notion from constant degree multi-linear maps. So as I said, PAFE would be a version of function encryption for arithmetic circuits. So let me talk about our template in more detail. So we start with degree D multi-linear maps and then we construct PAFE for degree D polynomials. So the D here is the same in this transformation. And then we show how to construct sublinear secret GFE for arbitrary polynomial size circuits starting from PAFE for degree D polynomials and degree D randomizing polynomials. Again, here the D is the same. And then using prior works, we can get IO from sublinear secret GFE for all P. So we just have to achieve the first and the second step. The third step is achieved by prior works. So when you instantiate the randomizing polynomials with degree 5 randomizing polynomials, you get IO from degree 5 multi-linear maps. And the existence of degree 5 randomizing polynomials is based on degree 5 pseudo random generators with polynomial stretch. Concurrently, Lynn showed how to build IO assuming joint a 60H on degree 5 multi-linear maps. So let me describe the technical details. So let me first start by defining the notion of projective arithmetic FE. So as I said, we need to define a version of FE for arithmetic circuits. So the most brain-raided attempt would be to just take FE for Boolean circuits. But instead of associating functional keys for Boolean circuits, now associate them with arithmetic circuits. So what is the problem with defining such a notion? The problem is that we don't know how to achieve this. And current techniques seem to be a limiting factor to achieve such a strong notion. And more particularly, if the output of the arithmetic circuits or you can also view it as a polynomial is large, then we don't know how to construct this. So to give more intuition, if you look at FE schemes for inner products which are based on bilinear maps, the way decryption would work is in the end, the output of the computation is available as the exponent of a group. And you recover this output by performing discrete log. And you can only do discrete log if this output is small. So let's define the notion of PAFE with sort of a circumvences obstacle. So the basic syntax is similar to the FE scheme, except that we have what we call projective decrypt algorithm. Just as in FE scheme, there is encryption and a key generation algorithm. However, the decryption of the functional key on the cipher text is performed using a projective decrypt algorithm that does not give you the output in the clear, but instead it gives you an encoding of the output. And if you have many, many such encodings, you can execute a recover algorithm that takes as input a linear function as well as many of these encodings. And it outputs a linear function of all these elements in the clear as long as this output is small. So this is the notion. As I said, the notion is similar to FE scheme, except that in FE scheme, the output of the decryption gives you the result in the clear. However, here it's an encoding. And later on, you can manipulate these encodings to recover a result in the clear. OK, so there are two main properties associated with the scheme. I'm not going to talk about correctness. So apart from correctness, there is efficiency property that says that the size of the encryption should be a multiplicative overhead in the size of the message. And the multiplicative factor is polynomial in the security parameter and the degree d. For this word, d will be constant, so you can just ignore the multiplicative factor. And for security, we are going to define what we call semi-functional security. I won't have time to go into details. So this security notion is inspired by the semi-functional security notions defined for AB. And in the context of AB, it was introduced to capture adaptive security. However, in this work, we define this to achieve a weak form of function hiding that lets us prove things more easily. OK, so now we define PAFE. So let's see how to construct sublinear secret KFE from PAFE for degree d polynomials and degree d randomizing polynomials. OK, so Ilan gave a very nice definition of FE. So let me just define the sublinearity property that we need to place on the FE scheme. So the sublinearity property just says that the time to encrypt a message x should be sublinear in the circuit size, time some polynomial in the security parameter in the message length. So the other tool which I didn't define was randomizing polynomials. If you're familiar with randomize encodings, it's essentially the same, except that the encoding algorithm is associated with polynomials. So the encode algorithm takes as input a circuit C, and it breaks it into many polynomials p1 to pn. And on input x and a random string r, you can essentially evaluate the polynomial p1 to pn on x, r, and the result is the randomizing polynomial of c, x. And then there is a decode algorithm that takes as input the output of all these polynomials and it outputs c of x. And we define degree-d randomizing polynomial to be 1 if all the polynomials are of degree at most d. OK, so let's see how to construct sublinear FE. So let me give the key generation algorithm. You can figure out the setup algorithm from this. So we have to generate a key for circuit C. First, execute the randomizing polynomial encoding scheme on C to get polynomials p1 to pn. And then generate PAFE keys for each one of these polynomials. And then the functional key corresponding to C will be the collection of all these PAFE functional keys. This is a key generation algorithm. So the encryption algorithm takes as input x and picks a random string r. And then executes a PAFE encryption of x, r. And how do you perform? Before we talk about decryption, so one thing here is that we want the size of the random string to be small, because we are constructing sublinear FE. And we require that the ciphertext is sublinear in a circuit length. And so if the random string was as large as the size of the circuit, then the sublinearity property is destroyed. So in order to achieve this property, we are going to place the constraint on the randomizing polynomial scheme that the randomness is sublinear in the circuit size. So the decryption is straightforward. So you have all these PAFE functional keys. And you have the PAFE ciphertext. You just execute the projective decrypt algorithm to get the encodings of the output of the polynomials. And then you execute the recover algorithm to obtain the randomized encoding of c, x in the clear. And then you execute the decoding procedure of the randomizing polynomial scheme. So with this, I'm not going to talk about the security. That can be, you can reduce the security of the sublinear FE scheme on the semi-functional security of the PAFE scheme and the security of randomizing polynomial scheme. So let's see how to instantiate the randomizing polynomials using degree 5 randomizing polynomials. So the first attempt would be to take a degree 3 randomizing polynomials, polynomial scheme. And note that this scheme does not have the sublinearity property. In particular, the size of the random string would be proportional to the circuit size. A trivial approach to compress randomness is just to use PRGs. And we want to use low degree PRGs. And so we are going to use degree 5 PRGs that achieves polynomial stretch. And now if you plug in the PRGs in the randomizing polynomial scheme, you will end up with the new randomizing polynomial scheme that achieves the sublinearity property and now has degree 15. And the question is, how do we get these degree 5 PRGs? There is a gold rig PRG candidate which was proposed in the Boolean setting, but again, you can convert that in the arithmetic setting. And in the Boolean setting, the degree is 2. And when you consider this notion in the arithmetic setting, then the degree becomes 5. And the security of this candidate was analyzed by Ryan O'Donnell and Whitmer in 2014. And in order to reduce the degree further from 15 to 5, we use some pre-processing trick that I won't have time to go into detail. So in this trick, we essentially pre-compute some partial terms in the polynomials as part of the encryption itself. And the degree of the new randomizing polynomial would be degree 5 in all the pre-computed terms. So let me explain the last step where we have to get PFE for degree D polynomials from degree D multiliner maps. So in order to do this, let me define an abstract notion that we call slotted encodings. So this is an abstraction of composite order multiliner maps. As in composite order multiliner maps, we encode a vector as against just one element. So suppose, let's say, you have a vector a, b, c. You encode a, b, c with respect to some color. For instance, here it's orange. And now we can perform some operations such as addition and multiplication on these encodings. So if you want to perform addition, then you need to consider encodings of the same color. Suppose, let's say, you have encoding a1, b1, c1, and a2, b2, c2 with respect to the same color. And then you can add both of them to get a new encoding a1 plus a2, b1 plus b2, and c1 plus c2. So we're essentially performing component-wise addition. And the multiplication is performed on encodings with respect to some compatible colors. What pair of colors are compatible is dictated by the rules associated with the scheme. So suppose, let's say, you have encoding a1, b1, c1. And a2, b2, c2. Then finally, you'll get an encoding corresponding to a1, a2, b1, b2, and c1, c2. So even for multiplication, even multiplication is performed component-wise. And finally, there is a zero test operation that is performed on encodings with respect to color red. So suppose, let's say, you have encoding a, b, c. And you say that this encoding is zero if a plus b plus c0. So this last step is where it sort of is different from composite order material maps. So in the case of composite order m maps, you output zero if all of them are zero. So we show that we can actually construct slotted encodings from degree D prime order material maps. We define degree D slotted encodings to be one where it allows for evaluating polynomials of degree at most D and the exponents of the group. So let me start with the simple case of degree 2, which is bilinear maps. So we want to encode a1, b1, c1, and a2, b2, c2. And what we are going to do is we are going to pick vectors u1, u2, u3, and v1, v2, v3. And then we are going to encode the vector a1, u1 plus b1, u2 plus c1, u3. So this is not just one encoding. It's a vector of encodings. And then you also encode a2, v1 plus v2 plus c2, v3. And these vectors are chosen in such a way that if you consider the inner product of ui and vj, then it is one if and only if i is equal to j. Otherwise, the inner product is zero. And if you're familiar with bilinear maps literature, you will notice that this is essentially the notion of dual vector spaces. And indeed, such a transformation was already given in the bilinear maps literature. So how is this formulation useful? So if you just compute an inner product of these two encodings, you will end up with an encoding of a1, a2 plus b1, b2 plus c1, c2. So this sort of mechanism allows for component-wise multiplication. So in order to do for higher degrees, we can only do this transformation for constant degree. We will consider a tensoring of dual vector spaces. So for this talk, I'm just going to focus on degree 3. So as before, you pick vectors u1, u2, u3, and b1, b2, v3. Additionally, you also pick vectors w1, w2, and w3. So the vector corresponding to w will be associated with the next level. So at the base level, you will use vectors u's and v's. So on the left-hand side, you'll encode a1, b1, c1 using a tensoring of w vectors and u vectors. On the right-hand side, you will encode just using v vectors. So now if you consider an inner product of these two vectors, you will end up with a1, a2, w1, plus b1, b2, w2, plus c1, c2, w3. So this again, the component-wise multiplication is still going on. But now note that you also have these vectors w1, w2, and w3 remaining. And this can be used for the next level computation. So you can sort of generalize this idea for constant degrees. OK, so now let's focus on constructing PFE from started encodings. OK, so let me start with a setup algorithm. Here, you're going to pick random values r1 to rn. And where n here is the length of the message that you're encrypting. So in order to encrypt a message x, you are going to encrypt xi, ri, and 0 using the sorted encoding scheme for every bit of x. And all these encodings will now form the ciphertext. So in order to now generate a key for a polynomial p, you are going to evaluate the polynomial p on r1 to rn that was picked in the setup. And then you're going to encode 0, p of r1 to rn and 0. So the functional key will be p, this encoding. So how would you decrypt? So now you have the polynomial p, and all these encodings as part of the ciphertext. So you homomorphically evaluate these encodings using the polynomial p. So you'll end up with p of x1 to xn in the first slot and p of r1 to rn in the second slot and 0 in the third slot. And you can cancel the second slot, which has p of r1 to rn using the encoding as part of the functional key. And then you'll end up with p of x1 to xn in the first slot and 0 and 0 in the second and third slots, from which if p of x1 to xn is small, you can recover this. The question is, why is this secure? This is secure because the p of r1 to rn in the second slot sort of forces the evaluator to use the polynomial p in the homomorphic evaluation algorithm. However, there are still some attacks that I did not take into consideration, which are these mix and match attacks. I could potentially take some encodings from one ciphertext and combine them with some encodings from another ciphertext. And in the end, I can still evaluate and cancel out the element in the second slot. And in order to prevent these sort of attacks, we use ciphertext-specific checks. So note that the check p of r1 to rn is independent of the ciphertext. It can be used for any ciphertext. So by somehow interacting the key and the ciphertext, if we can create some ciphertext-specific checks, we can prevent such attacks. And we have mechanisms in our paper to deal with this. And I don't want to go into details. With this, I conclude. So in this work, we give a new template to get I of r1 degree 5 multilayer maps. Lynn and Tesaro showed how to get I of r1 degree 3 multilayer maps. And in particular, they define the notion of block-wise local PRGs. And they show they give a degree-preserving transformation to go from a block-wise local PRGs to I of r1. One question to explore is, what is the right kind of definition of PRG that suffices to construct I of r1? And in particular, can we define a notion of degree 2 PRGs that suffices to get I of r1? And why do we focus on degree 2? Because this would yield I of from bilinear maps. However, recently, there have been some works that have some negative results on degree 2 PRGs. Again, for some definitions of degree 2 PRGs. With this. Any questions for Prbhanjan? Time for one quick question. Prbhanjan, hi. So nice talk. When you say I of from constant degree 5 multilayer maps, what assumption do you need? So in our work, we have a generic model proof, essentially. It's not based on such an assumption. I see. And the improvement of Rachel, it needs a 6DH or joint a 6DH? Yes, joint a 6DH. OK.