Thank you for the introduction. I'm Takashi from NTT. Today I will talk about constrained PRFs for NC1 in traditional groups. Here the "traditional group" in the title just means pairing-free group, so I will use the term pairing-free group throughout this talk to avoid misunderstanding. And this is joint work with Nuttapong Attrapadung, Takahiro Matsuda, Ryo Nishimaki and Shota Yamada. So a PRF, pseudorandom function, is a keyed function that is indistinguishable from a random function via oracle access. And it is well known that there is a construction based on any one-way function, as shown by Goldreich, Goldwasser and Micali. And in recent work there is a considered extension of PRF called constrained PRF. In a constrained PRF we can constrain a PRF key K by a constraint f, which defines some predicate, to generate a constrained key K sub f, and we require this correctness and security. As correctness we require that for every input x such that f of x equals 0 we can evaluate the PRF value on the input x by using the constrained key K sub f. On the other hand, as security, for every x such that f of x equals 1 the value of the PRF on the input x is pseudorandom given the constrained key K sub f. And here I remark that the definition is reversed compared to the original definition, in the sense that in the original definition the correctness was required for the case of f of x equal to 1 and the security was defined for the case of f of x equal to 0. So the definition is reversed, but this difference is just for notational convenience of our construction and that doesn't make any significant difference. So I will explain our motivation for this work. There are several known constructions of CPRF. In the collusion-resistant setting, where an adversary can obtain arbitrarily many constrained keys, there are constructions based on multilinear maps or obfuscation. In the single-key setting, where an adversary can only obtain a single constrained key, there is a lattice-based construction.
And here I omit constructions for specific, very limited functionalities like puncturing or bit-fixing. And our problem is: is there a construction of a CPRF for a large function class based on pairing-free groups? And actually, even if we use a pairing, there is no construction of such a CPRF for a large function class, but in this work we stick to a construction based on pairing-free groups. And as a second motivation we consider private CPRF, which was introduced by Boneh, Lewi and Wu in 2017. A CPRF is said to be private if K sub f does not reveal f. And in the collusion-resistant setting there are constructions based on multilinear maps or obfuscation. And in the single-key setting there are constructions based on lattices. However, we don't know how to construct such a private CPRF based on pairing-free groups. And in the private setting we actually don't know how to construct a private CPRF on pairing-free groups even for very simple functionalities like puncturing or bit-fixing. So we want to construct a private CPRF on pairing-free groups for any functionality. And this is the summary of our results. As a first result we construct a CPRF for NC1 circuits on pairing-free groups. And this construction is selectively single-key secure under the L-DDHI assumption on the group of quadratic residues QR sub q and the DDH assumption on another group. And the L-DDHI assumption is an assumption parameterized by an integer L, which I will explain later. And our second result is a construction of a private CPRF for bit-fixing functions on pairing-free groups. And this construction is selectively single-key secure under the DDH assumption. And the core technique that is common to both of these results is a novel use of a correlated-input secure hash function. And in this talk I will mainly explain our first result. So first I will explain the formal definition of the security notion of CPRF.
And because in this talk we only consider selective single-key security, I will only define this security notion. In this security notion the adversary first makes a key query f, which is in the function class F. And then the challenger picks the PRF key K and returns a constrained key K sub f. And the adversary can make a key query only once because we only consider single-key security. And after that the adversary can make arbitrarily many evaluation queries. And when the adversary makes an evaluation query x, the challenger returns PRF of K comma x. And finally the adversary makes a challenge query x star. And then the challenger picks a random coin which is 0 or 1. And if the coin equals 1 then the challenger returns PRF of K comma x star. And otherwise it returns a random output y. And the adversary's task is to guess the value of the coin. And to prevent trivial attacks we have to put two restrictions on the adversary. First we require that f of x star is equal to 1. And second, x star is not queried as an evaluation query. And then we say that a CPRF is selectively single-key secure if, for every polynomial-time adversary that satisfies these two conditions, the probability that the adversary can correctly guess the coin is almost equal to one half. So this is a roadmap of our construction. Our construction can be divided into two steps. First we construct a selectively single-key secure CPRF for NC1 that is only secure against adversaries that make no evaluation query. After that we strengthen the construction by using the correlated-input secure hash function to achieve security against adversaries that make an unbounded number of evaluation queries. So first I will explain the first step, the construction secure against no evaluation query. So this is the construction of the no-evaluation secure CPRF. And let U be a universal circuit for the function class F for which we want to construct a CPRF.
That is, we have U of f1 to fz comma x equal to f of x, where f sub i denotes the i-th bit of the description of the function f. And then we assume that the degree of U as a multivariate polynomial is at most capital D, which is a polynomial in the security parameter lambda. And it is known that such a universal circuit exists for NC1 circuits, which are log-depth circuits. And so this condition is satisfied when considering a function class F that is contained in NC1. And let G be a cyclic group of order p with generator g. Our construction is described like this. The PRF key K consists of b1 to bz, which are uniformly chosen from Z p, and alpha, which is uniformly chosen from Z p star. And the PRF value is defined like this. PRF of K comma x is defined to be g to the power of U of b1 to bz comma x, over alpha. This is the definition of our no-evaluation secure CPRF. And because we want to claim that this construction is a constrained PRF, we have to define how to generate a constrained key and how to use that constrained key to evaluate the PRF. First I will explain the definition of the constrained key. So for a constraint function f we do like this. For every i we compute b sub i prime, which is equal to b sub i minus f sub i, over alpha, modulo p. And then the constrained key K sub f consists of f itself, b1 prime to bz prime, and g, g to the alpha, up to g to the alpha to the D minus 1. And next I will explain how to use this constrained key to evaluate the PRF for an input x such that f of x equals 0. So first, by the definition of b sub i prime, we have b sub i equal to alpha times b sub i prime plus f sub i, modulo p. And then by using this equation we can expand U of b1 to bz comma x like this. And here we assume that the degree of the universal circuit U is at most D, so the summation is from i equal 1 to capital D. And here the constant term, U of f1 to fz comma x, is actually equal to f of x because of the definition of the universal circuit.
And here, when considering the correctness, we assume that f of x equals 0. So this term is actually 0, and so we have that U of b1 to bz comma x is equal to that summation. So we can write PRF of K comma x like this. And here we have that the constrained key K sub f contains these values g, g to the alpha, up to g to the alpha to the D minus 1. So we can compute this value efficiently by just using these values. And next I will explain the security proof of the construction against no-evaluation adversaries. For that purpose we introduce a security assumption called the L-decisional Diffie-Hellman inversion assumption, L-DDHI assumption. So the L-DDHI assumption claims that, given g, g to the alpha, up to g to the alpha to the L, the element g to the 1 over alpha and a random group element R are computationally indistinguishable. And we prove that the previously given scheme is selectively single-key secure against adversaries that make no evaluation queries under the (D minus 1)-DDHI assumption. We recall that D is the degree of the universal circuit. And okay, I will briefly explain the security proof. So what we have to prove is that, given the constrained key K sub f, if f of x equals 1 then the PRF value on the input x is random. And here we have this equation as seen in the correctness. And then if f of x equals 1 we can write PRF of K comma x like this. And here this part is efficiently computable from K sub f, as seen in the correctness argument. On the other hand, this part is still random under the (D minus 1)-DDHI assumption. As a result we can prove that PRF of K comma x is also still random. And this completes the proof of the no-evaluation security. So now we have completed our first step, the CPRF with no-evaluation security. So from now I will explain how to strengthen the construction to achieve unbounded-evaluation security. So before explaining how to strengthen the construction I will first explain why the previous construction only achieves no-evaluation security.
So actually, if the evaluation oracle is given, then there exists an attack against the no-evaluation scheme. So I will explain the attack. Suppose that an adversary is given K sub f and is also given PRF of K comma x for x such that f of x equals 1; then as seen before we have this equation. Here consider another x prime such that f of x prime equals 1. We have this equation for another c sub i prime, and then by using PRF of K comma x we can write it like this. And here we notice that this part is computable from K sub f. And so this means that if one is given PRF of K comma x and is also given K sub f, then one can predict the value of PRF of K comma x prime for every x prime. And so this means that this scheme is broken if the adversary can make only one evaluation query. So the problem of the previous construction was that PRF of K comma x and PRF of K comma x prime have an algebraic correlation, which means that there is a correlation of this form. And so we want to break the correlation. For this purpose we use a correlated-input secure hash function. The correlated-input secure hash function was introduced by Goyal, O'Neill and Reyzin in 2011, and a hash function CIH is a correlated-input secure hash function for a function class F if the following two worlds are computationally indistinguishable. In the real world the oracle first picks a random R, and then when the adversary queries a function f the oracle returns CIH of f of R. On the other hand, in the ideal world the oracle chooses a random function RF in addition to the random R, and then if the adversary makes the query f the oracle returns RF of f of R. So the difference between these two worlds is that in the ideal world the hash function CIH is replaced by a random function RF. And intuitively, in the real world the adversary can obtain many output values of CIH on correlated inputs f of R, which are derived from a single randomness R. And even in this situation the adversary cannot detect the correlation among the inputs just by seeing the output distribution.
This is the intuition of the security notion of CIH. And for our purpose we want to break the algebraic relation between group elements. So we want to use a CIH for a group-compatible function class. And a CIH is a G-compatible CIH if it is a CIH for the class of all non-trivial constant multiplication functions on G. That is, these two worlds are indistinguishable. In the real world the adversary makes the query A and then the oracle returns CIH of A times R. And in the ideal world, when A is the query, the oracle returns RF of A times R. So these two worlds are indistinguishable. So now I will explain how to use a group-compatible CIH to strengthen no-evaluation security to unbounded-evaluation security. So let PRF sub NE be our no-evaluation secure PRF as given before and CIH be a G-compatible CIH. And then we just define our new PRF as CIH of PRF sub NE of K comma x. And then the constrained key of the PRF can be defined exactly the same as that of PRF sub NE, because CIH is just an efficiently and publicly computable hash function. So this does not affect the correctness. And we proved that the PRF defined like this is selectively single-key secure against adversaries that make an unbounded number of evaluation queries. So I will give a sketch of the proof. For x such that f of x equals 1 we have PRF of K comma x equal to this term, because we take CIH of PRF sub NE and PRF sub NE is of this form. And now we use the (D minus 1)-DDHI assumption to replace g to the 1 over alpha with a random group element R. And next we use the security of CIH to replace the hash function CIH with a random function RF. And now at this point PRF of K comma x is completely independently random for each x. In that case the evaluation oracle just returns independent random values. So that is meaningless for the adversary. This means that we can reduce the unbounded-evaluation security to the no-evaluation security.
And we already assumed no-evaluation security of PRF sub NE. So this completes the proof. And now we obtain a selectively single-key secure CPRF for NC1, assuming the (D minus 1)-DDHI assumption holds on G and there exists a G-compatible CIH. So the problem is what group G to use. Actually, in the random oracle model we can use the random oracle to instantiate a G-compatible CIH, and so what we need is just a group G on which the (D minus 1)-DDHI assumption holds. However, in the standard model, unfortunately there is no known instantiation of such a group G that satisfies these conditions simultaneously. This is mainly because we have a very limited number of constructions of group-compatible CIH in the standard model. So to find an instantiation in the standard model we have to further modify the construction. Actually, the only known construction of a group-compatible CIH is the one proposed by Bellare and Cash. And actually Bellare and Cash presented their result as a related-key secure PRF, but that can be seen as a CIH. And their CIH supports component-wise multiplication over Z q star to the m under the DDH assumption on another group G prime. And so our first attempt is to set the group G to be Z q star and define PRF of K comma x to be CIH of m parallel copies of PRF sub NE. And if the (D minus 1)-DDHI assumption holds on the group Z q star then this construction works. However, unfortunately the (D minus 1)-DDHI assumption does not hold on this group because it can be broken by just computing the Jacobi symbol. And actually on this group it is well known that by using the same attack even the DDH assumption does not hold. So our idea is to use the subgroup QR sub q, which is the quadratic residue subgroup of Z q star. And on this group the Jacobi symbol of any element is equal to one, and so the attack by the Jacobi symbol does not work on this group.
And so it is reasonable to assume the (D minus 1)-DDHI assumption holds on this group. So this is our actual construction. Our construction is a PRF defined to be CIH of m parallel copies of PRF sub NE, where PRF sub NE is instantiated on QR sub q and CIH is the Bellare-Cash CIH instantiated on another group G prime. And security can be proven based on these assumptions: the (D minus 1)-DDHI assumption on QR sub q and the DDH assumption on G prime. And finally I will give you a comparison table among constructions of CPRF. This is the comparison table, and before our work the constructions of CPRF that can be instantiated based on pairing-free groups were this one and this one and this one. However, these constructions only achieve limited functionality like puncturing or substring match functions. On the other hand, our construction achieves NC1 circuits, which is a fairly large function class. So this is the first scheme that can support such a large function class based on pairing-free groups. And though I did not give any detail of the construction of our private CPRF, I will give a comparison among private CPRFs. As seen in this table, before our work there was no construction of private CPRF that can be instantiated based on pairing-free groups, even for very limited functionality like bit-fixing or puncturing. And our construction is the first scheme that achieves private CPRF for bit-fixing based on the standard DDH assumption. So finally I will give you a summary of my talk. We gave new constructions of CPRF on pairing-free groups. Our first construction is a single-key CPRF for NC1 from the DDH assumption and the (D minus 1)-DDHI assumption on QR sub q. And the second construction is a single-key private CPRF for bit-fixing functions from the DDH assumption. And finally I will mention several open problems.
The first open problem is a collusion-resistant and/or adaptive construction, because our construction only achieves single-key and selective security, and so this is not achieved in our construction. And I remark that in our paper we proved that in the random oracle model we can achieve adaptive security; however, we don't know how to achieve adaptive security in the standard model. And the second open problem is to instantiate our first construction based on general groups, because, due to the use of the specific CIH, we have to instantiate our construction based on the specific group QR sub q, so it will be nice if we can instantiate the construction based on any group. And finally the third open problem is the construction of private or non-private CPRF for a wider function class on pairing-free groups. Our first result only achieves NC1 circuits, so it will be better to achieve a construction for all circuits, and our second construction only achieves bit-fixing functions, so it will be nice to achieve all circuits or even NC1 circuits. This is the end of my talk. Thank you for your attention.
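
The no-evaluation construction and the one-query correlation described in the talk, as an added example (not code from the talk or the paper): it checks that K sub f evaluates wherever f of x equals 0, and shows the algebraic relation that the CIH wrapper is introduced to break. Assumptions: the toy group QR sub 2039, the small polynomial `u_poly` standing in for the universal circuit, and all function names are hypothetical.

```python
import secrets
# Constructed toy parameters: Q = 2P + 1 is a safe prime, G generates QR_Q (order P).
Q, P, G = 2039, 1019, 4
Z = D = 3  # bits describing f, and degree bound of U (toy sizes)

def u_poly(bits, x):
    """Hypothetical U(b, x) = prod_i (1 - b_i*(1 - x_i)): f(x) = 1 iff x_i = 1 wherever
    f_i = 1. Each b_i is a pair (c0, c1) meaning c0 + c1*alpha mod P; the result
    lists the coefficients of U as a polynomial in alpha."""
    poly = [1]
    for (c0, c1), xi in zip(bits, x):
        if xi == 0:  # factor (1 - b_i) = (1 - c0) - c1*alpha
            fac = [(1 - c0) % P, (-c1) % P]
            new = [0] * (len(poly) + 1)
            for i, a in enumerate(poly):
                for j, c in enumerate(fac):
                    new[i + j] = (new[i + j] + a * c) % P
            poly = new
    return poly

def keygen():
    return [secrets.randbelow(P) for _ in range(Z)], 1 + secrets.randbelow(P - 1)

def prf(key, x):
    b, alpha = key
    u = u_poly([(bi, 0) for bi in b], x)[0]
    return pow(G, u * pow(alpha, -1, P) % P, Q)  # g^(U(b, x) / alpha)

def constrain(key, f):
    b, alpha = key
    b_prime = [(bi - fi) * pow(alpha, -1, P) % P for bi, fi in zip(b, f)]
    powers = [pow(G, pow(alpha, i, P), Q) for i in range(D)]  # g^(alpha^i), i < D
    return f, b_prime, powers

def known_part(kf, x):
    """Split U(alpha*b' + f, x) = f(x) + sum_{i>=1} c_i*alpha^i; return f(x) and
    prod_i (g^(alpha^(i-1)))^(c_i), which needs only the constrained key."""
    f, b_prime, powers = kf
    c = u_poly(list(zip(f, b_prime)), x)
    val = 1
    for i in range(1, len(c)):
        val = val * pow(powers[i - 1], c[i], Q) % Q
    return c[0], val

def constrained_eval(kf, x):
    fx, val = known_part(kf, x)
    if fx != 0:
        raise ValueError("f(x) = 1: constrained key cannot evaluate here")
    return val

def correlated_value(kf, x, y, x2):
    """Given y = PRF(K, x) with f(x) = f(x2) = 1, derive PRF(K, x2)."""
    g_inv_alpha = y * pow(known_part(kf, x)[1], -1, Q) % Q  # recovers g^(1/alpha)
    return g_inv_alpha * known_part(kf, x2)[1] % Q
```

With f = (1, 1, 0), a single evaluation at (1, 1, 0) is enough for `correlated_value` to reproduce the PRF output at (1, 1, 1), which is the correlation the talk removes by hashing the output with a group-compatible CIH.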