Okay, welcome everyone. So this is a session on protocols, and our first talk will be on optimal broadcast encryption and CP-ABE from evasive lattice assumptions by Hoeteck Wee, and Hoeteck is also the one giving the talk.

All right, thanks for coming. So I'm going to start my talk with my slides from the Eurocrypt 2013 rump session. So imagine you're interested in doing online dating, and to use that, you know, you join the website. And the first thing you do on the dating website is to create a profile that contains all sorts of sensitive information about you, like your hobbies, et cetera. And the first thing that comes to mind regarding concerns about your privacy is that you want to limit access to your profile, ideally to people who satisfy your dating criterion, which could be something simple, like a simple AND, or a bit more sophisticated DNF formula. So when other users join the system, they are associated with what we call attributes, and when they join the website, they get secret keys that are tailored to their attributes. And the correctness requirement is going to say that if you have a key for attributes that match the access policy, you should be able to decrypt the message and see the profile. And anyone else, with attributes that don't satisfy the access policy, should learn nothing whatsoever about the message. And moreover, this should be the case even if there's a collusion, an adversary that gets multiple secret keys. This is exactly the notion of attribute-based encryption, or more generally, ciphertext-policy attribute-based encryption, where the sender has a policy F and wants to encrypt a message with respect to the policy, which goes into the ciphertext; secret keys are associated with a bit string x that specifies the attributes. And the basic correctness again says that if F(x) is zero, you should learn the message.
And security says that if F(x) is not zero, you should learn nothing whatsoever about the message, even if there's a collusion. So the main punchline from my previous talk is that we can actually construct attribute-based encryption schemes for all circuits, so the policy F can be any circuit, from the standard LWE, learning with errors, assumption, which basically says that given a random matrix A, sA plus e looks random. In this talk I'm going to use an underline as a shorthand for "plus noise". And this result actually immediately implies what in this talk is called a ciphertext-policy ABE, CP-ABE, for circuits, where the ciphertext size is very large: it's going to be as large as the circuit size of F. So if you're a practitioner, you'll be concerned with the large ciphertext size. And this is a question addressed in a series of recent works, where they try to get CP-ABE for circuits with sublinear ciphertext size, so polynomial in the depth of the circuit; you should think of the depth of the circuit as roughly log of the size of the circuit. So this is a much smaller ciphertext size. Unfortunately, these results are not quite from the LWE assumption anymore, but from stronger assumptions. Let me just say that one interesting thing about this line of works is that they immediately imply optimal broadcast encryption schemes, where the total ciphertext, public key and secret key size is polylogarithmic in the total number of users, capital N, in the system. So right, so a bit more about these recent works. So the first of these results achieves CP-ABE for circuits from LWE and pairings, and only for small-depth circuits, what's called NC1, so log-depth circuits. And the second of these works uses only lattices, but it's actually a heuristic scheme in the sense that they don't provide a security reduction to a simpler lattice assumption.
So the main punchline for this new work is a new CP-ABE for circuits with small ciphertexts from new lattice assumptions. And as an immediate corollary, as in prior works, we get optimal broadcast encryption from these new lattice assumptions. In the rest of this talk, I want to give a sense of what the new construction looks like. And as a warm-up, the starting point is the following, what we call the matrix key equation, underlying all of the prior ABE schemes from the LWE assumption. It basically says that if you're given A minus x tensor G on the left, which we should think of as a shorthand for A_i minus x_i G, you can derive from this quantity A_f minus f(x) G, where A_f is a matrix with the same dimensions as A_i. In particular, the size of the matrix A_f is going to be much smaller than the size of the circuit. That's something we're going to be using. So here's roughly what our scheme is going to look like. In our master public key, we're going to put this very wide matrix A. So the width of the matrix A is going to depend on the length of x, but be roughly independent of the circuit size. Then the KEM key, which we use to mask the message, is going to be an LWE sample with respect to A_f, which is going to be small. And the product of the ciphertext and secret key is going to be an LWE sample with respect to A minus x tensor G. So correctness, sorry, even before that, how do we get to this product relation? We decompose this product as follows. So the ciphertext is going to be an LWE sample with respect to some random matrix B, which is part of the master public key. And the secret key is going to be a Gaussian preimage of the target matrix A minus x tensor G with respect to this matrix B. So then you can see that if you take the product of the ciphertext and secret key, you get this expression from before. And correctness is fairly straightforward using the matrix key equation.
And for this scheme, with just a tiny tweak, you can show that this scheme is secure under the LWE assumption if the adversary only sees one secret key. But in general, in CP-ABE, we're concerned with the setting where we have to deal with collusions, where the adversary potentially gets multiple secret keys. And it's also easy to see that this scheme is insecure if the adversary gets two secret keys, essentially because the adversary gets multiple equations in the same LWE secret, and will thus be able to recover the LWE secret s. So the way the previous constructions get around this attack is to design the scheme so that when you take the product of the ciphertext and the secret key, you get a different LWE secret s_i for the i-th secret key. Concretely, in the BV scheme of Brakerski-Vaikuntanathan, s_i is going to be of the form R_i times the matrix S, where R_i is essentially a random low-norm vector that comes from the i-th secret key; so you pick a fresh R every time you generate a new secret key. And this matrix S is going to be the encryption randomness; it's sort of a souped-up version of the LWE secret s. Okay, so to implement this idea, we want to design a CP-ABE scheme with the property that the product of the ciphertext and secret key is of the form R times S times (A minus x tensor G). The difficulty of doing this is that you have this term S that depends on the ciphertext sandwiched between two terms that depend on the secret key, whereas you want ciphertext times secret key. So the way they implement this in the BV scheme is a very clever idea where they use some techniques from identity-based encryption. In this work we take a rather different approach, and we make use of the following matrix identity, which, if you know this thing called vectorization, is very related to that.
What this matrix identity says is that if, instead of working with the matrix S, you work with the flattening of S, which corresponds to a very wide row vector you get from concatenating every row of S, then you can actually move S from the middle to the left-hand side. And R will move to the right-hand side, but with an extra tensor. Now the nice thing is you have something that depends on the ciphertext on the left part of the product, and then something that only depends on the secret key on the right part of the product. So this decomposes nicely into a ciphertext and a secret key. So the ciphertext is again going to be an LWE sample with respect to B, except the secret is now the flattening of S. And the secret key is going to be again Gaussian preimages with respect to some matrix B. And putting this together, we get the following very simple CP-ABE scheme for circuits. And to the best of my knowledge, there's no attack on the scheme. But the question this talk wants to address is: can we actually prove anything about this? Okay, very well. So the first thing we're going to try to do towards a proof of security is to prove something a little bit simpler. So as the first step, let's try to prove that the products of the ciphertext and the secret keys are jointly pseudorandom. If you can prove such a statement, you essentially rule out at least the attack that we described earlier on the scheme when you get two secret keys. So let's try to prove this. So as a first starting point, observe that by the LWE assumption, R_i S plus noise is pseudorandom, where R_i, remember, is the randomness that comes from the secret key. And again, with this expression, if you multiply both sides of the equation by a low-norm matrix, it continues to be pseudorandom; you need low-norm because these matrices interact with the error in R_i S plus noise.
So R_i S, this is pseudorandom as long as R itself is low-norm, and then A minus x tensor I is low-norm. And now on the right-hand side, you have independent LWE secrets s_i, so now you can do a hybrid argument, and from the LWE assumption, you get that the expression on the right-hand side is also pseudorandom. So this pretty much proves what we wanted to achieve in step one. I said we have A minus x tensor I instead of A minus x tensor G. So we have to go back to our matrix key equation to make sure that it still works when you replace the gadget matrix with the identity matrix I, and indeed it does. As I said, you pay a price: you get a much bigger error growth, which is doubly exponential in the depth of the circuit instead of singly exponential. And when you translate it to an ABE scheme, this means that your ciphertext and secret key size is going to be exponential in the depth of your circuit, instead of polynomial in the depth of the circuit. So as an ABE for circuits this is not terribly interesting, because we already knew how to get a ciphertext size that depends on the size of the circuit, but it's sufficient for optimal broadcast encryption, which corresponds to circuits with extremely small depth. So if you have n users, the size is n, and your depth is doubly logarithmic in n. So when you take two to the depth, you get polylog n, which gives you optimal broadcast encryption. So that's for now. For now, let's give up on circuits for a moment and just try to get optimal broadcast encryption. So far, so good. And this is roughly what the ciphertext and secret key are going to look like. As the next step, we want to go from showing that the product of the ciphertext and the secret key is pseudorandom to showing that the ciphertext is pseudorandom given the secret keys; that gets you one step closer to proving security of the scheme.
And our intuition for this is that such a statement should in some sense follow from what we proved in the first step, for the following reason. If you look at what the ciphertext looks like, it's essentially an LWE sample. So our intuition is that if you are trying to distinguish some LWE sample sB plus e from uniform, and you're given some Gaussian preimages B inverse of P with respect to some target matrix P, really the only interesting distinguishers are the ones that take this sB plus e and B inverse of P, multiply them together to get a new LWE sample sP plus e prime, and try to distinguish sP plus e prime from uniform. In the case of our scheme, when you take this product, s times P corresponds to the product of the ciphertext and the secret keys, which we know from step one to be pseudorandom. Therefore, if this is indeed the only attack, then this will imply that the ciphertext is pseudorandom given the keys. And we've formalized this intuition via a new lattice assumption, which we call the evasive LWE assumption, which was also independently introduced in the work of Tsabary. And the assumption basically says that for some distribution P, which corresponds to this A minus x tensor G times R, if sB plus e and sP plus e are pseudorandom, then sB plus e should be pseudorandom given these Gaussian preimages. And this should hold even if you also get B and P, as is standard in the LWE assumption. All right, so let's try to parse this assumption a bit. The assumption refers to essentially any distribution P that's independent of B. But let's look at two concrete examples of distributions P as a sanity check. If P is the uniform distribution, then it's fairly easy to see that both the pre- and post-condition are true under the LWE assumption.
The pre-condition, just because P is random; the post-condition because B inverse of P looks like a random Gaussian, so you can just sample it yourself without needing a trapdoor for B. On the other hand, if P is the gadget matrix, then both the pre- and the post-conditions are false: you can recover s from sP plus e. So false implies false, so that's consistent with our evasive LWE assumption; so those are our examples. And let me just say that the pre-condition requiring pseudorandomness of this product basically allows us to avoid zeroizing attacks from the literature on multilinear maps and iO candidates. All right, okay, for our actual scheme we actually need a slightly souped-up version of the assumption where we get some additional matrix A prime coming from some distribution, but this is mostly technical. Okay, so at this point we've gotten pretty close to proving security of the scheme. We basically proved that the ciphertext is pseudorandom if you don't have the KEM key. Unfortunately, if you put the KEM key back, the proof breaks, essentially because when you do this and try to apply LWE with respect to R_i S, now this S appears somewhere else, so you run into trouble. So the way we fix this is we are going to mask the KEM key with an additional LWE sample, and this essentially allows us to make sure that the leakage is also of the form R_i S, and then you can do the same argument as before. So once you make the KEM key a bit more complicated, you are going to have to introduce extra terms in the ciphertext and secret key so that they cancel and you get correctness. This is essentially our final scheme, and what we show about this scheme is that under the evasive LWE assumption and the LWE assumption, this scheme is indeed an optimal broadcast encryption scheme with polylogarithmic-size parameters. And moreover, if you take this identity matrix and move it back to the gadget matrix, you also get a compact CP-ABE with small ciphertexts.
But for the CP-ABE, you are going to require an additional assumption of the following form. Let me just say that this assumption doesn't talk about Gaussian preimages, so it's incomparable to the evasive LWE assumption. It also doesn't talk about the function F, it's just about x. So that's basically the entire talk. To conclude, I described new constructions of broadcast encryption and CP-ABE from new lattice assumptions. I think there are a bunch of very nice open problems, whether you are a cryptanalyst working on attacks, a lattice person working on lattice reductions, or someone working on new lattice-based cryptosystems. So it would be great to see more cryptanalysis and attacks on the assumption, or maybe reductions to the LWE assumption for specific distributions P, ideally the ones that match what we need for applications. And also maybe try to find new applications for this new assumption. So right, so in the work of Tsabary appearing at Crypto '22, and in an independent work, we showed that you can build witness encryption from this assumption, actually from a variant of this assumption. And finally, can you build CP-ABE from just basic LWE without needing this extra assumption, which, you know, seems a bit unnecessary? Okay, thank you.

Okay, we have plenty of time for questions.

Thanks. I'm curious to know, is it possible to extend this idea to key-policy attribute-based encryption? The same idea too, key policy.

I see, okay, so the key-policy problem was solved; that was the punchline of my Eurocrypt rump session talk 10 years ago. Yeah, so for the key-policy version you sort of get the right parameters, and then, you know, with the follow-up work of Boneh et al. you get the right parameters. The CP-ABE with large ciphertext size is basically the construction you get when you transform the KP-ABE into a CP-ABE using universal circuits.

Okay, thank you. Yeah, thanks.

Okay, any other questions? Okay, so let's thank Hoeteck again.
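The two algebraic facts the talk leans on, the matrix key equation (here for a single AND gate, with the gadget matrix G and its bit-decomposition inverse) and the flattening identity that moves S from the middle of the product to the left, written out as an added worked example; this is not code from the talk or from the paper. The modulus, dimensions, matrices and noise values are toy values constructed here, and `and_gate_key_equation`, `noisy_and_evaluation` and `vectorization_identity` are names chosen for this example. The AND-gate rule A_f = A1·G^{-1}(A2) is the standard one from the LWE-based ABE literature the talk builds on, and the noise check illustrates the error growth the talk mentions: one gate inflates the noise by at most the width of G, which is why the choice of G versus the identity matrix matters for how many levels can be evaluated.

```python
# Added example (not code from the talk or the paper): toy versions of the two
# algebraic facts the talk builds on, over Z_q with plain Python lists.
# All parameters, matrices and noise below are constructed for illustration;
# they are not the scheme's real parameters.
import random

Q = 2 ** 8                  # toy modulus (assumption); real schemes use a much larger q
N = 2                       # LWE dimension (assumption)
L = Q.bit_length() - 1      # bits per Z_q entry, here 8
M = N * L                   # width of the gadget matrix G


def matmul(A, B):
    """Matrix product over Z_q."""
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in zip(*B)] for row in A]


def matadd(A, B, c=1):
    """A + c*B over Z_q (c = -1 subtracts, c = 0 leaves A unchanged)."""
    return [[(a + c * b) % Q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def kron(A, B):
    """Kronecker (tensor) product A (x) B."""
    return [[(a * b) % Q for a in ra for b in rb] for ra in A for rb in B]


def rand_matrix(rows, cols, bound=None):
    """Uniform matrix over Z_q, or small entries in [-bound, bound] if bound is given."""
    if bound is None:
        return [[random.randrange(Q) for _ in range(cols)] for _ in range(rows)]
    return [[random.randint(-bound, bound) % Q for _ in range(cols)] for _ in range(rows)]


def centered(v):
    """Representative of v mod q in (-q/2, q/2], used to measure noise size."""
    v %= Q
    return v - Q if v > Q // 2 else v


# Gadget matrix G = I_N (x) (1, 2, 4, ..., 2^(L-1)), of size N x N*L.
IDENTITY = [[int(i == j) for j in range(N)] for i in range(N)]
G = kron(IDENTITY, [[1 << k for k in range(L)]])


def g_inverse(A):
    """Bit decomposition G^{-1}(A): a {0,1} matrix (N*L x cols) with G * G^{-1}(A) = A."""
    cols = len(A[0])
    return [[(A[i][j] >> k) & 1 for j in range(cols)] for i in range(N) for k in range(L)]


def and_gate_key_equation(A1, A2, x1, x2):
    """Key equation for f(x1, x2) = x1 AND x2: from A1 - x1*G and A2 - x2*G (which the
    decryptor can form because it knows x) derive A_f - f(x)*G, where A_f = A1 * G^{-1}(A2)
    depends only on the public matrices.  Returns True if the identity holds."""
    C1 = matadd(A1, G, c=-x1)
    C2 = matadd(A2, G, c=-x2)
    A_f = matmul(A1, g_inverse(A2))
    derived = matadd(matmul(C1, g_inverse(A2)), C2, c=x1)   # C1*G^{-1}(A2) + x1*C2
    target = matadd(A_f, G, c=-(x1 * x2))
    return derived == target


def noisy_and_evaluation(A1, A2, x1, x2, s, e1, e2):
    """Same evaluation on LWE samples s*(A_i - x_i G) + e_i.  Returns the largest |entry|
    of the resulting noise e' = e1*G^{-1}(A2) + x1*e2 and the bound M*|e1|_inf + |e2|_inf."""
    C1 = matadd(A1, G, c=-x1)
    C2 = matadd(A2, G, c=-x2)
    c1 = matadd(matmul(s, C1), e1)          # s*(A1 - x1 G) + e1
    c2 = matadd(matmul(s, C2), e2)          # s*(A2 - x2 G) + e2
    c_f = matadd(matmul(c1, g_inverse(A2)), c2, c=x1)
    A_f = matmul(A1, g_inverse(A2))
    clean = matmul(s, matadd(A_f, G, c=-(x1 * x2)))   # s*(A_f - f(x) G) without noise
    noise = matadd(c_f, clean, c=-1)
    max_err = max(abs(centered(v)) for v in noise[0])
    bound = M * max(abs(centered(v)) for v in e1[0]) + max(abs(centered(v)) for v in e2[0])
    return max_err, bound


def vectorization_identity(r, S, P):
    """r*S*P == vec(S) * (r^T (x) P), where vec(S) concatenates the rows of S."""
    lhs = matmul(matmul(r, S), P)
    vec_S = [[v for row in S for v in row]]       # 1 x (k*N) row vector
    r_col = [[v] for v in r[0]]                   # r^T as a k x 1 column
    rhs = matmul(vec_S, kron(r_col, P))
    return lhs == rhs


def demo(seed=1):
    """Check all three facts on constructed random instances; returns a dict of booleans."""
    random.seed(seed)
    A1, A2 = rand_matrix(N, M), rand_matrix(N, M)
    key_eq_ok = all(and_gate_key_equation(A1, A2, x1, x2) for x1 in (0, 1) for x2 in (0, 1))
    s = rand_matrix(1, N)
    e1, e2 = rand_matrix(1, M, bound=1), rand_matrix(1, M, bound=1)
    max_err, bound = noisy_and_evaluation(A1, A2, 1, 1, s, e1, e2)
    k = 3                                          # length of the low-norm vector r
    r, S, P = rand_matrix(1, k, bound=1), rand_matrix(k, N), rand_matrix(N, M)
    return {"key_equation": key_eq_ok, "noise_within_bound": max_err <= bound,
            "vectorization": vectorization_identity(r, S, P)}


if __name__ == "__main__":
    print(demo())
```

Running the file prints three `True` values. The vectorization check is exactly the rearrangement the talk describes: the left factor `vec_S` depends only on the encryption randomness S, the right factor `kron(r_col, P)` only on the per-key vector r and the public target, so a product that was "R times S times (A minus x tensor G)" splits into a ciphertext part and a key part.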