 So, our work is about predicating codeings, and predicating codeings are a primitive that is used to build predicate encryption, so I will start by explaining what predicate encryption is. In predicate encryption, there is a master authority, and there are some users, and this master authority provides secret key to the users, and every key is associated to certain value Y that can be different for every user, and now in this setting everyone is allowed to encrypt, and where you are going to encrypt, you need to think of a value X, and what you produce is a hypertext associated to this value X, and now, so the requirement for predicate encryption is that only users that own a key such that a certain predicate involving X and the value Y from the key is true will be able to decrypt. For example, in this case, let's say only the first girl is able to decrypt, a very important requirement also for predicate encryption is collision resistance, so we want to avoid these two guys that individually cannot decrypt, we want to avoid that they can combine their keys, for example, and be able to decrypt, so in general, no matter how many keys you have, if none of the keys can individually decrypt this hypertext, you should not be able to decrypt. More formally, predicate encryption consists of four algorithms that they set up, this is run by the master authority, encryption that from a message and certain value X produces a hypertext for X, key generation, this is run only by the master authority, as you can see, this needs the master secret key, and this produces secret keys for values Y, and the encryption only works when the predicate is true. Okay, so there has been many works in this area, here I'm just showing some of them, but usually all of them fall into one of these problems, for example, some of them are for very specific predicates, for example, the inner product, if you think of X and Y as vectors, the inner product, the inner product between these vectors is here, for example. So some of these works are for very specific predicates, like inner product or pull-in formulas. Another work, so I use very, very strong assumptions, and other problems are like composite order groups, they use composite order groups that are supposed to be not so efficient and they usually have bad performance, what I mean by this is that, for example, you may need several group elements to encode a very small policy, okay, so after all these works, two years ago, these two words appeared and basically they allowed to build a predicate encryption in a much simpler way, so for example, they allowed to achieve flexible predicates, you're not restricted to use one of these specific predicates, they also use reasonable assumptions, you see Kay Lin in this one and the more general metrics, they are defined over prime order groups and they have flexible performance, so predicated encodings, as I said, are a building block to build predicated encryption and predicated encodings are used in this work here, but these two works are modular frameworks, I'm going to explain a bit of the idea of these two works, so they define a simpler encoding, a simple primitive that they call predicated encoding in one case and pre-encoding in the other work, and from these primitives, they can combine this with a compiler and they can produce a fully secure predicated encryption for P, so as you see, this predicate depends on this simple primitive, so if you replace this primitive by another one for a different predicate, you automatically get a fully secure predicated encryption for a new predicate, okay, so currently there have been some improvements on this area and now we have like three kinds of different encodings with different predicates, so there is this tag-based encodings and in this case, the compiler is supposed to be a bit more efficient, you can save some group elements, then we have predicated encodings, this is what we are going to talk about in this talk, and parent encodings, which are supposed to be more expressive because they admit computational notion of security, while these other two are only defined for an information-predicate notion of security, so some improvements have been done by Agrabalan Chase in this area, I will mention this later, but in this talk, we focus on predicated encodings and what we do in this work is first we provide a new characterization of predicated encodings, we show how to optimize them and provide some transformations, like for example, the junction-conjunction negation, so if you start from a predicated encoding for P1 and another one for P2, we show how to convert this into a predicated encoding for P1 and P2, for example, and then we show new constructions out of these results, okay, in this work we also consider the relationship, we investigate the relation between these primitives, and we show how to transform tag-based encodings into predicated encodings and predicated encodings into parent encodings, we formalize basically this folklore idea of the fact that parent encodings are more expressive, so now I'm going to define predicated encodings, this is the original definition, basically predicated encodings are five algorithms, the first one stands for sender encoding, this is used in encryption, these two are called receiver encoding and key encoding, and they are used for key generation, and these two are used for the encryption, so okay, so these algorithms must satisfy three properties, the first one is they must be all linear in the last component, second one is called alpha reconstruction, which basically says when the predicate is true, there is some equation that holds, and here you can think of alpha as a secret that allows you to do the script, so basically when these equations hold, you can compute alpha in the exponent somehow, so you will be able to do the script, and the last property is called alpha privacy, that says that when the predicate is false, these two distributions are identical, and if you look here, alpha appears only on the left-hand side, so intuitively this means alpha is information theoretically hidden, and intuitively this is what allows you to argue security for this scheme. Okay, so I'm going to redefine predicated encodings, and the first thing I'm going to do is to use matrix notation, because since all the algorithms are linear, you can think of SE of xw as the product of a matrix SE of x, this matrix times a vector w, so in particular I will be talking about five matrices instead of five algorithms. Now let's see a very simple example, the predicate encoding for the quality predicate, so these five algorithms are predicated encoding for this predicate, how can we validate this? Well, you will need to check all the properties, so first let's check linearity, all the algorithms are linear, as you see these three are linear, because they are the identity in the last component, and these other two are also linear in the last component, in w. Then we also need to check alpha reconstruction, so when the predicate is true, we need these two equations to be satisfied, the second one is always satisfied, and when the predicate is true, x equals y, and therefore these two things are also equal, so it's also satisfied, and alpha privacy is a bit more tricky, but it can be justified, so we need to show that these two distributions are identical when the predicate is false, and to do so you can argue that when x is different from y, these two things are independent when you sample omega random, so this is how you validate a predicated encoding, you check that it satisfies all the properties, so okay, so in matrix notation this looks something like this, and I think now we are ready to redefine predicated encodings in the way we did in our work, so we start from these five algorithms, and since I'm using matrix notation, we can forget about linearity property, so alpha restricted reconstruction, if we use matrices, becomes this equality between matrices, and alpha privacy can be expressed as an algebraic property, so this is one of our main results, so the fact that two distributions are identical, we showed that this is completely equivalent to the existence of a solution of certain linear system of equations, so this is very useful because this algebraic property is what is going to allow us to prove all our further results in the paper, okay, so I want to point out that you can call this W star the witness for the fact that the two distributions are identical, okay, another modification that I want to do is I would like to put these two algorithms inside here, and the reason is that these two are used for decryption, you are only going to decrypt when the predicate is true, so yeah, we can do this, and the reason for this is that when these algorithms exist, you can compute them efficiently, because you can basically apply Gaussian elimination here, and you can compute these algorithms efficiently, so there is no need to consider them explicitly in the definition of the encoding, and why is this interesting? Because now look at this, we have two expressions that look kind of the same, they are in the same shape, we are saying in both, there exists a vector satisfying a linear system, and in fact these two conditions we showed that they are complementary, so that's why I'm using complementary colors yellow and purple, okay, so what I mean by this is that if this is the space of all pairs x, y, in this space some of the points will be yellow, some of them will be purple, but what I mean is that this region cannot exist, everything has to be either yellow or purple, and this is useful because now if we only have three matrices, we can say that these three matrices, arbitrary matrices, induce a predicate encoding, a valid predicate encoding for the predicate, you are in the yellow region, why so? Because okay, let's see, when the predicate is true, you are in the yellow region by definition, and therefore you satisfy alpha reconstruction, because yellow is exactly alpha reconstruction, and when the predicate is false, since you cannot be in the yellow region, you must be in the purple region because they are complementary, but purple is exactly privacy, so basically given any three matrices, we can say these three matrices induce a valid predicate encoding for this predicate, here I'm basically using the definition from the purple, I'm saying you are not in the purple, so to see an example if we consider a previous encoding, now if we are given just these three matrices without any analysis, we already know that this is a valid predicate encoding for this predicate, the predicate that says you cannot build vector zero one as a linear combination of these two vectors, and with a little analysis you can show that this is equivalent to x equals y as we knew from before. Okay, I want to point out that in a work by Aravain Chase from YearCrip this year, they consider a notion of encoding, so this is in the other setting of parent codings, and they consider this notion of encoding that they have similar ideas to what we obtain from this implicit predicate, and the reason is that they build a compiler that takes what they call non-trivally broken encoding, and produces a predicate encryption scheme out of this, and their Q type assumption, and why is this similar, because they also manage to relate the notions of reconstructability and privacy, so what they are doing is basically a non-trivally broken encoding is basically an encoding that does not satisfy reconstructability, and basically they argue that that is enough to have privacy. Okay, so I'm just gonna talk about our transformations, so one of the things we consider is can we simplify predicate encodings, and the operation that we consider is okay, we work with matrices, so if we start with these three encodings, what happens if we multiply by a matrix A and B, obtaining new encodings? What we want to achieve is that the implicit predicate associated to these three matrices is preserved after this multiplication, so in our results we'll give the conditions on these matrices, such that this predicate is preserved, and why does this simplify, because for example, if after multiplying you get smaller matrices, this will be translated into performance improvements, and also saving of some group elements, and yeah, so you can also consider multiplying from the right, and we also consider that case in our paper, and then we want to talk about these transformations, so we provide generic transformations for predicated encodings, I want to point out that conjunction and dual predicate, by the way, the dual predicate swaps the rows of X and Y, before if you remember secret keys were associated to values Y, and Cyphert X to X, when you apply dual predicate it's the other way around, so this can make the difference for example between secret key, policy, and Cyphert X policy, AB for example, so in the framework of parent encodings, Atrapadoon already shows some construction for the conjunction and the dual predicate, and in our work we show that our constructions are slightly more efficient, and just to give an intuition about how these transformations work, I'm gonna talk about our negation, so basically if we start from these three matrices, we build negation like this, we create new matrices, as blocks of matrices using the previous one, so for example the new SE matrix is gonna be the original one transposed, then we have a block with minus the identity, and then we have a block of zeros, and by a similar way we can build these three matrices, and thanks to our algebraic characterization we can show that this is in fact a valid predicate encoding for the negated predicate of the original one. Okay, I want to talk a bit about some applications, so in fact we managed to improve some existing encodings, for example if we take this encoding from this work, predicate encoding for Boolean formulas, and we transform it with negation, and then we simplify it, we get a simpler encoding, and by simpler I mean it has fewer group elements in the master public key. This will be translated into efficiency improvements, and also the secret key size is variable, so if we produce a secret key for a small formula, secret key will be small, and if the formula is large, secret key will be large, but I want to point out that in the original encoding, secret keys were always large, always the worst case scenario for the size. Okay, there is a small problem here which is our encoding is negated. So if you want to have a normal behavior, you need to negate again, and we can do this negating also from the input. So for example, instead of giving attributes A, B, C, and D to the users, instead of giving a user A and B, you give not C and not D, so you work with negated attributes, and then instead of considering policies, you encrypt for negated policies, and if on top of this you are using our negated encoding, which is simpler, then you can have the normal behavior. Okay, so here I have some benchmarks, I don't know if you can see it properly, but so this is a comparison for the setup. So another thing that we consider is, so now we can do dual policy, A, B, in the framework of predicated encodings. So yeah, this was already considered in the other framework of parent codeings. And basically we can do this by combining the conjunction and dual predicate transformation. Another thing we can achieve is revocation, so we propose this method for revocation. You combine a predicate P1 for the actual access policies that you want to use, with a predicate for broadcast encryption, and by using this, you can revoke some users. So even if two users have the same secret key for the same set of attributes A, and this set of attributes is supposed to be enough to encrypt certain ciphertext, you can still use this part to revoke one of them, and not the other. And in fact, we show that with this mechanism for revocation, you can achieve revocation for thousands of users in reasonable time. Here you have four algorithms, of an implementation of our primitive. Okay, and then we have other possible applications. You can read more about this in the paper, but for example, we show also how to improve predicated encodings to support delegation. So this would allow you to, for example, take your secret key and weaken it into this powerful one that you can delegate also. You can also use this to achieve a forward secrecy, if you destroy your original key. Yeah, so basically to sum up, in this work we consider this framework of encodings that simplify the analysis of predicated encryption and construction, and we focus on predicated encodings. We try to improve their expressivity and efficiency, and to do so we define a new notion of predicated encodings. We combine them and provide transformations, optimizations, and we also give some possible applications for all these results. And we also consider the relations between these encoding primitives. So I want to finish with some questions, in fact. Yeah, so for example, given a predicated encoding, a predicated, sorry, what is the minimal predicated encoding that you can build for it? Or this one here, can we build predicated encodings for regular languages or unbounded A-B? I'm not sure about this. These two can be achieved in the framework of parent encodings. And a very interesting one is, why does this negation trick works? So as you saw, we managed to improve an existing encoding by negating it and simplifying. And this doesn't only work for the Boolean formula encoding that I mentioned, but it also works, for example, for arithmetic spam programs. So the question is, why does it work? Also you may consider of negating twice, but if you negate twice, you always end up, go back to the original encoding. So I would really like to understand why does negating simplifies encodings? It's an interesting question for me. Yeah, so this was all, thank you very much for your attention.