Hi everyone, I'm going to talk to you about multi-input functional encryption for inner products. Yeah, so I will talk about function hiding and, unrelated, how to construct multi-input functional encryption without pairings.

So let's get this started with some motivation. We have this context of a server that manages emails, and we would like that it only has access to encrypted emails, so emails are encrypted with the public keys of the users. The goal would be that the server can compute the spam function on each email and decide if emails are spam, but it cannot actually read the emails; this is the only information that is being leaked. And this is a nice motivation for why functional encryption is interesting.

Functional encryption is just a generalization of public-key encryption. In public-key encryption, when you decrypt a message with a secret key, you get the message. In functional encryption, decryption keys are now associated with functions, and we also have master keys. So if you want to decrypt a message with the decryption key associated to the function f, instead of getting the message you get the function of the message. But where do these master keys come into play, and where does this sk_f come from? Basically we also have a master authority in our model, and if Bob wants to decrypt something that he got from Alice, this ciphertext, then he needs first to ask the wizard, which represents the master authority, for the function, and he'll get the function of the message. So this is why we have the master keys and the decryption keys.

Great. Now, what is multi-input functional encryption? This is a notion formalized in 2014, and in this context, instead of wanting to decrypt just one ciphertext, we want to decrypt n ciphertexts at the same time. But the catch is that the ciphertexts are generated independently, so this one over here is generated independently from this one over here, so with fresh randomness and completely separately,
and when you want to try to decrypt, you decrypt all the messages at the same time. So that's what's written here: they're independent. So the function now is a function that takes n inputs; it has arity n.

The last thing that I want to introduce before I state the contribution is that we look at schemes for specific classes of functions, in this case the inner product. In this context the functions are associated to vectors y, and the function is just the inner product of the input with y. So the messages are now vectors, and when you decrypt you obtain the inner product of x with y. Similarly, in the multi-input setting you have n input vectors, and when you decrypt you obtain a big inner product. So keys now are associated with n small y's, and you get the big inner product of everything. So again, recall that this thing is independent from this thing; it's like they come from different places.

So, previous work on this: since the seminal paper in 2014 we have seen a lot of work in the field, and they achieve multi-input functional encryption for a wide variety of functions, but most of them rely on complicated assumptions like iO and multilinear maps, so not very efficient. And then in 2017 the question was asked if we could actually have efficient schemes, like schemes which we can actually implement in practice, and this paper presented a scheme that worked for inner products, supporting a polynomial number of inputs while only relying on polynomial hardness assumptions. In this case the assumption was SXDH in pairing groups. And also, concurrently with our work, at the beginning of this year the same result has been obtained but for an unbounded polynomial number of inputs, so now the inputs are not being set at the setup, but also from pairings.

So what do we do? We complement the figure a little bit by proposing two schemes. The first one is a multi-input
functional encryption for inner products in which we remove the need to rely on pairings, so now we can construct schemes that have the same functionality but can be based on DDH, DCR or LWE. And we also proposed a function-hiding scheme, concurrently with this 2018 paper but in a slightly weaker model, because here they can do unbounded and we don't have this.

Okay, so now let's move on to the presentation of the model. In this talk I will talk more about the construction without pairings, because there is no time to talk about everything.

So what is the security goal? The security goal would be that if you have the encryption of the vector x and if you have the encryption associated with y, you would like to leak only the inner product of x with y, y, and the size of the message, which we usually leak in crypto. So the only information that's leaked about x is the inner product of x with the key. And in multi-input functional encryption, of course, similarly you have n ciphertexts, and you'd like that the only leakage is this big inner product, with the concatenations of vectors x from different sources and the y's. This is how you would expect the leakage to look, but it's actually not that simple; it's more complex, and now I will explain why this leakage comes from the model. The reason is that these ciphertexts are independent, so they come from different sources, different computers that talk, for example, with a cloud that has a secret key. This is the functionality that we get, but the goal would be that we only get the inner product of the big vectors, and this should be the only information that we obtain, and not independent inner products like x_i y_i. So only the big inner products and not the small inner products; that would be the goal. But this doesn't make sense in the public-key setting, in the sense that it's an inherent leakage. So in the public-key setting, if the adversary has the
master public key, if the adversary has access to this encryption key, it could just encrypt zero, and then it would construct this big vector in which it puts zero on every other slot except for the i-th; the i-th slot is set to x_i, the rest are zeros, and when it encrypts it obtains x_i y_i. So this small inner product is inherently leaking in the public-key setting, and it's too much, and so we looked at the symmetric-key setting.

And to finish the presentation of the model, I will talk a little bit about ciphertext mixing. So what is multi-input functional encryption about? If the cloud obtains multiple ciphertexts from the same source, so in this case ciphertexts for x_1, x_1 prime, and from another, different source it obtains x_2, x_2 prime, then it should be able to compute all the combinations. For two you'll get four combinations; for n you'll get an exponential number. And we want to allow ciphertext mixing: we want to allow our scheme to decrypt ciphertexts that come from different sources. But at the same time we don't want to allow key collusion; we don't want to be able to take two keys and somehow mix them together and obtain another one with new information. So ciphertext mixing but not key mixing.

And now I'll just formalize a security notion; I will not formalize it, I will just explain it in a very informal way. So assume that this challenger here, the owl, has run the setup and has the master public and the master secret key, and this evil horse, which is an adversary, he hates the owl. He has access to two oracles: he can either query the key generation oracle on vectors y_1 and y_m and get decryption keys, or he can query the encryption oracle on a specific slot, a specific input i, with x_i, and he will get encryptions. So these two oracles are actually interleaved: they can first call the first one and then the second one, and first one, second one,
or maybe first one three times, and so on; they are interleaved. And the goal would be that it only gets the big inner products and not the small ones; this should be the only information, and the only information that the adversary gets should be information derived from this. This is a very informal description of how it looks, because we actually achieve indistinguishability security and this looks more like simulation.

Okay, so a roadmap of our construction. I will show you first a very easy way to achieve security for one ciphertext query coming from one input source, and then I will show you how to bootstrap this to one ciphertext query but for many input sources. And then in parallel we will also go to many ciphertext queries and one input source. So why do we have to go from one ciphertext to many ciphertexts? Well, it's because we are in the symmetric-key setting, so one ciphertext doesn't really imply that we also have security for many ciphertext queries. And in the end we'll put everything together in step four and we will have our final scheme. So again, we need to go from one ciphertext query to many ciphertext queries because we don't have this trivial implication.

So let's start with one ciphertext from one input source. This is just a one-time pad, very simple. The master secret key is a uniform vector u from Z_q^m, the encryption is just the one-time pad of x with u, and the key generation will be y along with the inner product of u with y. So why does this work? Well, for example, if I wanted to decrypt, I would just take the ciphertext, I will take the inner product of the ciphertext with y, obtaining x plus u inner product with y, and then I can remove from this this quantity here, which I have; this is the key. So only the person with the key should be able to decrypt. And what we will get is, we'll
get the inner product of x with y, and this will cancel, because of the linearity of the inner product: u comes out of the inner product.

And why is this secure? The goal, remember, will be to only leak x y and not any other information about x. The reason why it works is because, if we look at what the adversary sees, the adversary sees x plus u, the ciphertext, the decryption key u y, and y, and this is distributed exactly in the same way as a uniformly random vector w instead of the ciphertext, and the inner product of w with y minus x y. And if you look at this final game, you can imagine this is the game, here in this world the only information that the adversary can ever hope to obtain about x is... this w is completely, I mean, there is no information in the ciphertext about x anymore, and the only information about x here in this world is the inner product of x with y, which is exactly what we were hoping to achieve. So we have security for one ciphertext query and one input.

And now let's see how we go to many inputs. This is very easy to parallelize: instead of having only one u, we will have n u's, n vectors u, so a bigger master secret key, and to encrypt on one slot i we will just make the one-time pad of x_i plus u_i. It's exactly the same. The only thing that changes a little bit is the key generation, because now we have a sum, and before it was just u y. So now we have the sum over all the i's of u_i y_i, and the reason why it works is of course because of the linearity of the inner product: all the sums actually come out, all the u_i y_i come out, and in the end they cancel, so we are left with our goal, the inner product of the vectors. So this is how we do it if you had many input sources and one ciphertext query per source.

And now let's go to step three. Now we want to see how we achieve security with only one input,
if you have only one input source. So this is basically just single-input functional encryption, normal functional encryption, but supporting many ciphertext queries. This line of work actually started in 2015 with a work by Abdalla, Bourse, De Caro and Pointcheval, in which they showed that inner product functional encryption for one slot can be constructed. The way it works, here I will present it for a prime-order group G of order q: the master secret key remains the same, so it's still a uniform vector v from Z_q^m. The encryption now, though, changes a little bit: we will draw a uniform random scalar r. So r is a scalar; x and v here are vectors. So everything with color is a vector, and if you don't have a color it's probably not a vector. So we have g to the r and g to the x plus r v. The key generation remains the same, and if you try to argue security in a very intuitive way, the hope is that this r v here will, from the DDH assumption, look like a uniformly random vector for each new x, for each new encryption, and it will behave like a one-time pad. So this is actually a generalization of ElGamal, a nice generalization of ElGamal.

So this is how you do it for DDH, but using, for example, this 2016 paper by Agrawal, Libert and Stehlé, we can make this step also from LWE or DCR, and actually this step is more efficient if you do it with these assumptions than with DDH. And what I can say here also is the fact that here we really have to rely on a computational assumption; at this step we cannot mask all these messages, all these queries, just from the master secret key. It's not enough.

So let's look at the big roadmap and let's see how to put everything together. We saw how to achieve a scheme that can achieve security for one ciphertext query and one input. Then we saw that just by making the sums we can bootstrap this to
many inputs, but only one ciphertext query per input. In parallel we have seen how to do this only for one input source, how to support multiple ciphertext queries. Now, putting everything together: the master secret key will be the master secret key from step two, so we'll have the u_i's, and the master secret key from step three, so we'll have the v_i's. And the encryption is a double-layer encryption. So encrypting in step four, in scheme four, it's not really step four, scheme four, for vector x will be just... this was x_i, this was x_i, yeah. So encrypting x_i in step four is just the encryption in step two, so this one uses u_i, and then on this encryption we apply the encryption in step three, the one that uses v. And the reason why we can do this double-layer encryption is because the outputs of Enc2 are compatible with the inputs of Enc3, so you have to work a little bit to make sure that this fits. And the key generation will just be the key generation in step two; this sum of u_i y_i is exactly the one here, but on the y_i side things change a little bit: we need to apply KeyGen3 on the y_i's.

So why does it work? We can argue that everything decrypts correctly. First you decrypt the outer layer, Enc3, by using KeyGen3, so decrypting the outer layer, the correctness of this comes just from the correctness of scheme three. And decrypting the inner layer, Enc2, will come because, after we calculate Enc3, we are only left with Enc2 and the KeyGen from step two, so by the correctness of step two we can decrypt completely. But of course here we can put other schemes; I can put LWE, then it becomes a little bit more complicated, or DCR, but this is the big picture.

So to conclude, what do we achieve? We have a construction without pairings. Compared to the previous work, we removed the need for bilinear groups. Just as them, we achieve adaptive
security. We support larger message spaces. Why is this? It's because if you use DDH then the message is encrypted in the exponent, so you'll have some kind of bound on how big x can be, which you don't have if you rely on LWE or DCR. So we can support more assumptions and we have more efficient schemes. And of course, just as the previous work, we achieve a polynomial number of slots: we have security for a polynomial number of inputs, but only relying on polynomial hardness assumptions.

And now I'll talk a little bit about our second contribution, the function-hiding scheme. Here the security goal is that if you have the encryption of x and the decryption key of y, what is being leaked is just the inner product x y and the size of x, but this time y is hidden as well. We do this by applying an idea which first appeared in the paper by Lin and Vaikuntanathan, double-layer encryption. We still have to rely on bilinear groups, but what is nice is that the scheme is adaptively secure and achieved for polynomially many inputs. And comparing this to previous work, we started from this scheme and we built upon it, and we have almost the same efficiency, but this time we also achieve function hiding almost for free. And, yeah, I forgot to mention, but the pairing-free construction is also almost for free. And compared with this paper, which is concurrent work, they achieve things in a better model and also a little bit more efficiently. FH here is just the fact that they have function hiding.

So now I'm ready to conclude, I think. Yes, I can finish with an open problem: is it possible to adapt our techniques for other classes of functions, not just inner products? So quadratic functions, general polynomials, even more. This is a very interesting question. So thank you. Happy questions.