 Well thank you for the introduction and thanks for everyone for making this popular 8.50 in the morning session with me. This is joint work with Venkata Coppola and the talk title as we have it is about getting chosen CypherTech security for attribute based encryption but Venkata and I decided that if we could go back in time we'd actually title it something a little bit more like this which emphasizes just a way of going generically from chosen plain tech security to chosen CypherTech security. So that's going to actually be the core of our techniques and also what I'm going to focus on the talk today. I imagine most people in this audience are already familiar with the concept of public key encryption. We have a setup algorithm which generates a public and secret key pair where the public key can be used to take a message, create a Cypher text with it and the public key and then the decryption algorithm takes this input the secret key and can be used to recover the message. The first formalized notion of security for public key encryption was due to Goldwasser McKally who came up with indistinguishability under chosen plain tech attack and intuitively this says that an attacker if given a Cypher text of a message of its choice will not be able to distinguish this from another Cypher text let's say one of the all zero string. However, over time what we discovered is for in real life there's more active attackers than one that just sits there and looks at Cypher text and to capture these in deployed systems we need to have a stronger definition and the right one has turned out to be something called chosen Cypher tech security where we're going to give an attacker oracle access to a decryption algorithm where in the security game we can ask for a decryption of any Cypher text of its choice other than the challenge Cypher text that it's trying to figure out. Okay so over time I think our community has actually been really really successful in getting chosen Cypher tech security you know usually we started out with some number of theoretic constructions of plain CPA security but then over time with different innovations pretty much for most assumptions I wouldn't say all them for most ones you think of we now have chosen Cypher tech secure variants. Now one thing that's interesting though is can we generically go from CPA to CCA security so I give you any CPA scheme never mind how it's built is there a way to transform it or to make a chosen Cypher tech secure scheme from it now there's some what I would call minor roblox to doing this so one barrier is that this earlier work showed well any scheme that does this generically in a black box way the decryption algorithm must call the encryption algorithm okay but I'm gonna call that kind of a weak barrier because number one you can and number two most schemes actually do do this right like this that get chosen Cypher tech security do something like that but in general I mean people you can debate this a little bit but for going from CPA to CCA generically the main path of main technique we have is non-interactive zero-knowledge proofs and the two you know somewhat draw so that that's a great idea of course but perhaps the two drawbacks with that is a you need a nizic which they're not always so easy to come by and b the nizic approach needs to usually prove something about the encryption circuit gate by gate so this is a non-black box technique and tends to be you know not as efficient due to this okay so in this in this talk I'm gonna we're gonna talk about going from CPA to CCA generically now however in order to do this we have a new approach and we need one extra little ingredient which is a certain type of pseudo random generator that we're gonna call a hinting PRG so through the talk I'll talk about a construction and at the end I'll touch on what exactly is this little extra ingredient we need to be able to make the leap from here to here in order to explain things I'm gonna build things up I'm gonna build things up incrementally the first thing I'm gonna do is start with the CPA scheme and then go to another chosen plain text secure scheme this one will have some of the structure we're gonna need later on and then I'm gonna go to chosen ciphertext security one which essentially means that all decryption queries must be before the challenge ciphertext and as far as going to the full result we're just going to punt this to the paper okay so as warm up we're gonna go from CPA to CPA and I warn you on its own it might look a little bit odd it won't make sense why you'd want to just do this for a chosen plain text secure scheme but the point is we're going to be laying out the structure for what we're doing okay so let's think of n as our security parameter and to build a scheme we're going to create n pairs or two times n public key and seek public keys and secret keys okay so we're going to have what I would think of as like a zero row of the public keys and the run row and I'll keep this layout as a theme throughout the talk and we're going to also generate the corresponding secret keys the first thing we can do is actually just delete we're only going to need the zero of the secret keys so there's going to be a public keys our public keys going to consist of all these two times n sub public keys and our secret key will be n of these secret keys okay so let's let's look at how encryption is done the first thing you're going to do is you're going to choose a random seed s let's say of n bits and you're going to run s into a prg I'm going to call this h and this is going to give you a value z zero so we're going to take the message we want to encrypt and blind it by z zero like x or it in with with z zero now for someone to be able to decrypt we have to communicate s somehow okay and the way we're going to do this is in a bit by bit encryption and also an x almost what you would think of as an extra redundant way it's a little strange so just imagine that for each bit let's say the first bit I'm going to encrypt imagine just the string no in the in the first index and zero position I'm going to encrypt a no to say no the first bit is not one and then yes it is a zero and for the second bit yes it is a zero and no it's not a one you know it's a bit strange as it is but that that's the way we're going to do it so we're going to just keep on doing this bit by bit in in our slide here we're going to imagine that n is four bits for presentation purposes okay now so that's an encryption we have the message blinded by z zero and these sort of yes no ways of encoding s and to decrypt is pretty simple right you just um you have all these zero keys in the index so we're actually going to decrypt just using this top row and essentially just ignore this bottom one and we can learn si if there's a no I assume it's a one and if it's yes it's a zero so I go through index by index and I can recover um s and then once I have this I can run s through the pseudo random generator once again and and and recover z zero and then recover the message by x or in it out so this is not too difficult as it is okay and the security proof for just the cpa scheme is pretty simple what we're going to do though and when what's going to be useful later on is we're going to essentially want to erase information about s if we erase information about s we um we can hide m right and the way we're going to erase information about s is we're going to uh we're going to instead of we're going to essentially add disinformation so we're going to do a hybrid via cpa security to say yes it yes the first bit was a zero and yes the first bit was a one and essentially say it's both things um this is sort of an encoding technique that I got inspired from um Gargan Haji Badi from a paper about a year ago uh where they use this I thought kind of was a clever idea for trapdoor functions of adding disinformation right um although I won't go further into uh exactly how um they did their thing okay so you add yes yes yes and and then when the information about s is um gone we'll kind of do in the cca proof we'll do things a little bit differently and um then once the information about s is gone we can use prg security to hide information about the message m okay so that's a pretty simple proof um as it is okay of course this is only just warming up towards chosen cypher tech security so let's see how that works uh to do this we're going to have three building blocks the first thing is the chosen plain text scheme I should like the with the sub cypher text I showed you earlier um we're going to use that again but it's going to have this additional property where um if you happen instead of having the secret key if you happen to have the randomness used for encryption you can also recover the message and it's not it's not too hard to show that this property is buildable in a very easy way from regular cpa security uh the second thing we're going to do is going to we're going to have a prgh that's going to have this hinting property that i'm going to uh talk about at the very end and finally uh we didn't we explained it a little differently than this in the um original paper we're going to have a commitment scheme that is um equivocal okay and that's also built from pseudo random generators okay so a bit a bit commitment scheme is going to work as follows there's going to be a setup algorithm and a commitment algorithm the setup algorithm outputs some public parameters commitment algorithm takes his input public parameters message is and some randomness for the commitment it's going to be hiding the commitment should not reveal the message um binding it should be hard to produce openings for um different messages and also equivocal in that we can generate the parameters in a different way than the normal setup which actually does allow a commitment to both a zero and a one but the way i'm the the way i create these parameters should be indistinguishable from the normal mode okay so let's let's build the scheme public scheme uh the public and secret keys for the scheme are essentially the same as before but i'm just going to add the public parameters for the commitment scheme in there otherwise they're the same as what you just saw uh next for encryption the high level ideas are in addition to encrypting the seed s as before we're going to commit to it bit by bit and then we're going to add a lot of checks to prevent malicious cipher text or or at least limit the damage that they can do in the cca game and along with this we're going to have a more elaborate way of saying yes or no okay so let's let's see how the encryption scheme works i'm going to do things as before but also choose um randomness for the commitments so n and random um so x one through x n are going to be uh the randomness for the commitments and when so we're going to have yes or no encodings of s and bitwise commitments for for each of them so over here we're going to have commitment to one zero one zero under the strings under the randoms x one x two x b x four and now in order to say now in addition to saying yes and no like before when we say yes we'll kind of do yes but then also give as the message the commitment randomness x one and x two and so on and so forth so the no values will be done as before the yes values are going to be done a little bit differently and moreover for the um we're going to expand things even a little further we're going to imagine that our prg in addition to just giving us this blinding value z zero is actually going to give us um randomness for the encryption so these would be the z one through z n so here um the x values are the randomness for the commitments which are the messages of the little encryption schemes and the z values are going to be used as the random coins for this the sub cipher text now the note the no cipher text will also have randomness here but it's just freshly chosen it's not related to this it's not related to this prg value okay okay now let me let's let's see how um decryption works just by example so what i'm going to do is remember i have the all zeros key or i have the the zero half of the cipher text so what i can do is i can use my decryption keys to recover what's up here and i can use this to map into a what i'll call a candidate s value so if i see a no i can say well no okay it's not a zero so that must be a one um and this one claims to be uh claims to be a uh a zero so i'll write that down and so on and so forth so now i would cover s at this point but i can't trust that the cipher text uh was i can't trust that what i did was a good thing or can't lead to some attack instead of just using this s value what i want to do now is do some sanity checks on it then in order to do the sanity check the first thing i do is i plug the possible s value like at this point an attacker for example could have given me two nos or you know try to um or give me a wrong commitment uh i'm going to take this s value plug it into the pr the prg get these z one through z ends and i can check each of them the first thing i can do is use this randomness to try to recover uh the x values to check all the commitments that's the first thing i'm going to do and the second thing i'm going to do is actually now that i have the claim randomness i'm going to re-encrypt at least all these yes values not the no ones i'm going to re-encrypt them myself and see that they actually match up with the cipher text so this is um actually using re-encryption uh which has been used in other contexts like fukusaki oga moto and other ways in order to check um validity of the cipher text themselves okay so so really two sanity checks uh you recover the x values you check first check the commitments um then you check the at least half of the encryptions the half that you can now you might ask well why why go through this whole you know what why why would we bother going through this whole um process of you know all these checks and it really comes through this first step of the security proof um as i told as i explained things uh in the actual scheme we're going to use the zero version of the secret key right with this really for each pair of public for each uh index there's a one a zero version and a one version i'm saying use the zero version all the way across it turns out that after we do all those checks what you can do is um you can use uh the secret key according to any string uh these checks mean that attacker can't tell what secret key or what secret key half for each index you're using um when you're decryption if you do all these checks so the first thing we're going to do is actually if we let s star be the seed for the challenge cipher text we're going to do a hybrid stuff in a security proof where the decryption oracle will um now decrypt along s star instead of the all zero string and if it was succeeding in breaking the scheme before it should still be succeeding after doing this um after doing this switch okay that's that's the first step and then the second thing we're going to do is change the commitments to be equivocal so there's like for each one there's a coin x1 that will let's say open it to one and a coin x1 prime that will open it to zero we're going to then change this is a high level of view there's a little more details to these steps so we're going to have an opening for both the zero and a one and then we're going to use cpa security to actually um put that value in there so this is equivalent to me saying yes it's a zero and yes it's a one yes it's a zero and yes it's a one i'll do this for each little part adding this disinformation to lose um to lose information about s um now okay at this point it looks like all information about s is gone right like i i at least in the message space all information about s is gone and it looks like you know we're almost pretty much done here right we can plug in the same argument as before and however there's one little catch and this is a little this is a bit subtle that there still is information hanging around about s in the random coins here right because here the random coins for this thing are just freshly random chosen and the random coins here are derived from running this prg on s and if you follow it if you follow it you see this kind of the fact that there's a zero it's in this one position here and the zero position here and so on and um and so on and so forth now there's really this um lingering information that's kind of annoying about s and we need to get rid of it we want to be able to go from that to something where they're let's say all fresh um all fresh coins and essentially the way we get rid of it is by the security game of the hinting prg it um essentially it does this for us okay well let me explain what these hinting prgs do uh we can think of it as going from n to n square n square bits or n different blocks each of um length n bits um so here's the security game we have imagine a challenger takes a random seed s runs it through the prg and gives you z1 through zn i'm going to throw out the z zero value just for simplicity all right then it also chooses ran just completely freshly random blocks v1 through vn each of these is n bits now what we're going to do is we're going to swap zi and vi if s i is equal to one um essentially here we're going to place the z the z blocks um according to the the string s so the first bit was one replacing this one here then we're putting the second one there and then the third bit is a zero so we're going to put it up top we're going to arrange it in this way which really maps pretty much directly with the way i way i had the scheme and the question is can can an attacker distinguish this distribution from one where all these um two times n blocks are just uh chosen uniform length random all right uh and that's why we call the hinting prg because the layout of where the z's are are an extra an extra hint um so good news is that we actually can create we actually can generate these from standard number of theoretic assumptions we do it from learning with errors computational diffie helman uh the constructions follow pretty directly from some early work on similar similar mechanisms were used in leconic ote or a committee in hash batch quit uh this type of work uh but one differentiating point is those works needed some asymmetric cryptography at their core so while we can do number theoretic assumptions you know we could also just take an aes based prg and hope it's hinting secure and you know it seems like it would be but uh one one can't get number of theoretic proofs there uh okay so this this is an overview of what we did we had a process a new generic way of going from cpa to cca security and the only thing not implied just by public key encryption was this additional hinting prg and of course it's pretty tantalizing to think uh you know could you just somehow get that from public key encryption or pseudoram generators or or something like that uh i i i don't it's still kind of tough uh and i like to wrap up by just tying it together uh tying things together some other some other works here i mentioned earlier there's this work of a hajibati and garg on trapdoor functions there's also follow-up work to theirs that was concurrent to ours that um improve these trapdoor functions in a way i think it um appeared recently uh interesting part about the construction is we recover random we do we do do this like fugusaki okamoto or lots of trapdoor function or whatever way of recovering randomness and we re-encrypting but we don't recover all the randomness those no ciphertexts we don't encrypt it we don't recover it and i'll argue this is actually a good thing uh the limitations of work is we don't get a trapdoor function but maybe this is a good thing right like we don't want to run into those uh impossibility results in doing it uh the transformation works equally well for attroup-based encryption which is why i think we kind of used the title that um ended ourselves in the attroup-based encryption um session of the talk so almost the same construction you could just plug into attroup-based encryption and it would give you the right thing uh a neat thing is that works have already built on this so i think tomorrow we're going to see something on reasonable designated verifier nizics that need to uh use our particular cca structure to get their um to get the result is you know one piece of putting things together um also some work uh not uh a little bit later today will show how they can take this hinting prg assumption we had and instead use encryption uh symmetric key encryption um that is key dependent message secure and it turns out that since they do this they can also get in addition to diffie helman and lwe there's also a learning parity with no way of bringing this framework um down that's kind of interesting uh it'd be interesting to see how that goes okay so um yeah this is this is the this is the high-level picture of what we do going from cpa to cca with hinting uh plus hinting prg's uh obviously one way of exploring things is to try to get new ways for the hinting prg's or maybe use the framework maybe you don't need hinting prg's maybe use a general framework but uh tweak some other parts of it it's hard to say and i'll just know in another way there's been a lot of interesting progress recently and it seems that now we have a new path it could be worth investing more time into exploring it okay well thank you very much for your attention if you have a question please come to the microphone