 Hello, everyone. Today, I'll tell you how to build attribute-based encryption for tearing machines from the general assumption of identity-based encryption in the bound collision model. This is a joint work with the dead man and Brett. So let's start by talking about attribute-based encryption. The notion of attribute-based encryption was originally defined in 2005 and is a powerful generalization of public encryption, which allows fine-grained access over encrypted data. It can be understood via the following example. Suppose we have two bodies, Alice and Bob, Bob has some secret key, Alice has a public key, and Alice wants to encrypt the message, the sub-sensitive data M, and a set of attributes such that anybody who satisfies these attributes should be able to recover the message M from the encrypted data. So Alice creates this particular safe text and now there's a third party, Charlie, and Charlie wants to recover this message M whenever its policy F satisfies the underlying attribute. So if F attribute is equal to one, it wants to recover the message M. Now, one way to solve this problem is Charlie can simply send the safe text over to Bob and prove that I'm authorized to decrypt it, that it is authorized to decrypt it, and Bob will decrypt the safe text and give back Charlie the encrypted message if Charlie satisfies the attributes. While this is great, it's very inefficient and suboptimal. And to be based on encryption provides a brilliant way of solving this problem in which the attribute-based encryption says, Bob can actually create some partial secret keys called predicate keys for the function F corresponding to Charlie such that using the secret key SKF, the Charlie can decrypt the safe text as long as it is authorized to decrypt it, as long as F of attribute is equal to one. Basically, attribute-based encryption provides fine-grained access over encrypted data and it solves this problem without outsourcing the computation to Bob and even it lets Charlie perform this computation when Bob is offline. Now, syntactically, attribute-based encryption can be understood as follows. We have four algorithms. The setup algorithm samples a pair of master public and master secret key. Using the master public key, anybody can encrypt the message M under a set of attributes. And using the master secret key, anybody can create a functional secret key or a predicate secret key for any function F such that compiling the secret key and the safe text, one can recover the message M, the encrypted value as long as the policy satisfies the underlying attributes encrypted inside the safe text. Now, naturally for security, the idea is as follows. Suppose I give you a safe text that encrypts a message M under set of attributes and you also have all the many, many secret keys for different functions, for many different functions, F1, F2, F3. Now, attribute-based encryption says the message M that was in the grid will be hidden as long as all the policies that you have for basically all the policies for which you have a secret key for. None of those policies satisfies the attributes because if some of the policies satisfies the attributes, then you can run the decryption algorithm and recover the message M. But if you don't have any of the authorized secret keys, you can have the accepting secret keys, then the message M should be hidden from you. And this gives extreme power of fine-grained access of integrated data because now you can provide partial secret keys but also guarantee security in presence of revealing certain partial secret keys. Now, attribute-based encryption has been started in two different models of computation for specifying the policy functions. So typically, the policy function can be specified either using a non-uniform computation class such as pooling formulas or circuits or using uniform functions or the uniform class such as deterministic finite automotiles, gaming machines, RAM computation and so on. And the point is that in the uniform class of policies, the attributes that the policy circuit is going or the policy function is going to read, it's going to be fixed, it's going to be a priority fixed whereas in the uniform class, we can actually hand them unbounded length of attributes. And uniform class are much more useful for practical applications. So basically the main difference between these two models of computation for specifying the policies for secret keys is that we need a separate key for your non-uniform models because we have to specify a separate key for each different length of the attributes. Whereas in uniform classes, you specify a single secret key and that can handle all unbounded length attributes. So uniform classes seem much more useful for practical applications such as, suppose you have to give out a secret key in practice where the person has to perform a firewall check. And in that case, you have to read a regular expression. And depending upon the regular expression, read it. And if the regular expression satisfies your predicate, then you can actually decrypt the message. And there could be plenty many applications in which uniform models are much more useful in practice. So despite, or no, I should not say despite, but with all great progress in the literature, we have amazing results for building attribute-based encryption in the non-uniform as well as the uniform model from a wide variety of assumptions such as buying in maps, learning with errors, multi-maps and so on. But with all this progress, we've seen that there is one commonality in all these results. They need specific algebraic assumptions to sort of the most powerful notion of attribute-based encryption. And further, there is a large gap of feasibilities between for same assumptions between the two models. The class of policies that we can actually decrypt or we can give secret keys for in the non-uniform model, they are much more expressive. We can basically build attribute-based encryption for all circuits from learning with errors, for nc from binary maps, and for all circuits again from multi-maps. Whereas in the uniform model, we still do not have the best known or the best possible results such as forgetting machines from certain assumptions such as binary maps and learning with errors. And in this work, we study whether we can actually close the gap between the uniform and non-uniform model and do we always need specific algebraic assumptions? So the question in consideration is that, is there always a gap? And can we actually use general assumptions to build attribute-based encryption for non-uniform models? So in this work, we prove the following. We show we build an attribute-based encryption scheme for the uniform model of learning machines from identity-based encryption in the bound collusion model. And just to summarize, we prove two theorems and so we show that we provide a scheme that is non-adapted to secure against Q-collisions where Q is an A-prime fixed parameter of the system from identity-based encryption. And we also show that this can be upgraded to adaptive security in the random oracle model. And one caveat of reconstruction is that although the encryption algorithm can handle unbounded length attributes and a single secret key can work for unbounded length attributes, the encryption algorithm still needs to dictate or just still needs to sort of give out or decide or fix the running time of the tearing machine. So the tearing machine that is going to eventually be run on the word or the attribute that's in prepedent services have text, that has to be decided at encryption panel. Now, as a site application, you would actually also able to improve the notion of garbled rams and you're able to build garbled rams with much more fine-grained simulation security as it was crucial improving security of our attribute-based encryption system. Now, just to understand the result a little bit better, in the bound collusion model, so this is the basically the attribute-based encryption security requirement. If you say, get polynomial number secret keys and you should still be able to get security. Bound collusion model says that security holds as long as you have at most Q-collisions. So if you don't have more than Q keys, then the security holds. But if you have more than that, then there are no more guarantees. And Q is basically an a priori fixed parameter of the scheme itself. And although bound collusion is restricted is a peak a notion of security and say collision resistant or fully collision resistant security for attribute-based encryption, attribute-based encryption bound collusion security has already seen a lot of practical applications. And the landscape and bound collusion model looks as follows for the non-uniform models, we already have attribute-based encryption for circuits from just public encryption from basically the minimal element. But all prior constructions for uniform models even in the bound collusion setting, they require specific algebraic assumptions just learning what there is in most cases. And in this work, we show that algebra is not unit for uniform models as well. So we close the gap between non-uniform and uniform models, at least in the bound collusion setting. And a very high level of construction in three steps. It's basically the first step is we try to build an attribute-based encryption in which we can only corrupt one key, only single key corruption. So one size collusion bound. Then we show how to go from single key corruption to bound key corruption. And finally, we show how to actually also upgrade non-adaptive security to adaptive security via the random oracle model. Now the step two is follows via standard commutorial tricks that are commonly used in the literature. And the step three, it relies on simple non-committing encryption that we were able to prove security under the random oracle model. We were able to show how to upgrade non-adaptive security, generically using to do adaptive security using this non-committing encryption scheme. And I invite you to look at the paper for more details. Now, the first part of the paper, or this first step is where most of the technical ideas came in, most of the new technical ideas came in, where we were able to show how to use add identity-based encryption to build A, B for tearing machines with just single key corruption. So at a very high level, the overview is as follows. To encrypt an attribute for a particular time bound T because this is decided during encryption, the safe text is going to consist of T goblins. You can talk about what goblins mean in the next step, but T goblins. And basically the ith goblins, you align these goblins from one, two, three up to sequential steps. And the ith goblins is going to perform the itearing machine computation step on this particular attribute. And basically the iths goblins is going to not only perform this computation, but it's going to output the labels for the next gardening step. And these labels are going to integrate under the identities corresponding to the tearing machine transition state transitions. So the train state transition that you're going to perform between I and I plus one steps, that's going to dictate what particular labels can you decrypt. And each secret key is going to be identity keys for appropriate tearing machine state transitions. So using safe transitions, you basically encrypt the labels due to form the gobbling evaluation, that's going to give you an encrypted set of labels and you again decrypt these labels and just keep on continuing that. Eventually you basically either learn the message M from the fine gobble circuit or nothing if you're not authorized. And the type of gobbling we need is that it turns out gobbling gobble circuits are sufficient, but it leads to quadratic blow up in the sci-fi text size because we have to state in the entire tearing machine state to the entire gobble circuit at each step. But we notice that if we use gobbledrams then we can make it to just linear and not just have this quadratic blow up in the sci-fi text size. And gobbledrams are a strengthening of gobbled circuits where gobbledrams says you can have a persistent memory that can be reused across a bunch of gobbledram programs. And you can gobble all these RAM programs independently for this particular memory. And in this work, we provide a new security property for gobbledrams typically in the standard security, all the programs were simulated together jointly in gobbledrams. But in this work, we show that if the gobbledrams programs can be simulated iteratively, sequentially, and that also has interesting applications as we show this work and we show that the prior constructions for gobbledrams are already secure but already secure in this I2 dissemination security model. And as I said, this is necessary for our proof as we have to simulate our gobbledrams sequentially in our construction. And I invited you to look at paper for details about how we execute all these ideas. And I'll quickly conclude by saying that in this work, we propose or we build an attribute-based encryption scheme for cleaning machines for this uniform model of cleaning machines from the general assumption of identity-based encryption in the bound collusion model, thereby closing this gap. And we prove adaptive security in the random molecule model and non-adaptive security in the standard model. And as I said, it's uniform model and general assumptions of identity-based encryption. And we also show a new find and simulation security property for gobbledrams, which might see more applications down the line and some new directions for future work. So an answer question could be, can we actually close the gap even further? Can we build functional encryption for cleaning machines in the bound collusion model? And can we remove this time bound that we had in an encryption algorithm? And what about adaptive security without random molecule model? And recently, there has been some interesting work which has strengthened the collusion model to the dynamic collusion model. And the question could be, can we actually strengthen an attribute-based encryption for cleaning machines in the dynamic collusion model as well? And with that, I would like to conclude and thank you for listening. Please send me an email if you have any more questions.