The second and final talk of this session is "Adaptively Secure Identity-Based Encryption from Lattices with Asymptotically Shorter Public Parameters" by Shota Yamada from AIST, and of course the talk will be given by Shota.

Thank you for the introduction. I'm Shota Yamada from AIST in Japan. I first explain the background of our work. Lattice-based cryptography is one of the interesting topics in cryptography because it is expected to be resilient to quantum computers, it can achieve very expressive functionalities, and it is potentially highly efficient. In this work we focus on adaptively secure identity-based encryption from lattices. Currently, adaptively secure lattice IBE is not as efficient as selectively secure ones or public key encryption schemes. In particular, it requires very long public parameters. Therefore, a natural question is: can we achieve better efficiency in adaptively secure lattice-based IBE schemes?

This is the summary of our results. In our work we propose adaptively secure lattice IBE with the best efficiency in an asymptotic sense. I remark that our scheme is not efficient for practical parameters and is efficient only in an asymptotic sense. As a side result, we also propose the first ABE with these properties, but I will not explain this in the presentation.

Next, I explain identity-based encryption. Identity-based encryption consists of these algorithms. In IBE, a secret key and a ciphertext are associated with some identity, and decryption is possible if and only if these identities are the same.

Next, I explain the security model for IBE in our work. We say that an IBE scheme is adaptively secure if the challenge ciphertext, which is an encryption of some message under some challenge identity chosen by the adversary, is pseudorandom even if the adversary can make key extraction queries for any identities.
Here the adaptive security means that the adversary can choose the target challenge identity depending on the value of the master public key and secret keys. Because we require that the challenge ciphertext is pseudorandom, this security definition implies anonymity.

Next, I explain the LWE assumption. The LWE assumption was introduced by Regev, and it is shown that the LWE problem is as hard as certain worst-case lattice problems. The LWE assumption says that these two distributions are indistinguishable. The first distribution outputs a random matrix and a random vector whose coefficients are random elements in Z_q. The second distribution outputs a matrix A and a vector of the form like this. Here X is a vector with small coefficients. This value, q over X, affects the hardness of the problem, and we call this quantity the approximation factor. The smaller the value, the harder the problem. If it is polynomial in the security parameter, I say that it is a polynomial LWE assumption.

Next, I explain previous works on lattice-based IBE. I explain a template for lattice-based IBE schemes which is an abstraction of most previous schemes. In the template, the master public key contains a matrix A and a vector U, and the master public key also contains other parameters. We assume that these other parameters define a function H(ID). H(ID) is a matrix that depends on the value of the identity. In the template, the key generation algorithm generates a secret key: it outputs a short vector E which satisfies this equation. To encrypt a message, which is 0 or 1, the encryption algorithm picks a random vector S, a small error vector X and a small error term X0, and outputs a ciphertext of this form. To decrypt, we take the inner product of C1 and E. Then this equation holds. Here the inner product of X and E is a small term because X and E are short vectors.
Then, to retrieve the message, we subtract the inner product from C0 to obtain this quantity. From this, we can retrieve the message M, which is 0 or 1.

Next, I explain the template of the security proof. In the security proof, we depend on the partitioning technique. The security is proven under the LWE assumption. We embed the problem instance of the LWE problem into the public parameters so that this equation holds. Here H(ID) is represented like this. Here A is a matrix from the problem instance of LWE, and R_ID is a matrix with small coefficients. F(ID) is some value in Z_q, and G is a gadget matrix whose trapdoor is publicly known. In the simulation, we expect that these boxed conditions hold. Namely, F(ID_i) is not 0 for all queried ID_i, and F(ID*) is 0 for the challenge identity. If the probability of this occurring is noticeable, we can prove the security of the scheme.

This is an example of the template. It is the adaptively secure IBE scheme from lattices due to Agrawal, Boneh and Boyen. In the master public key, we include these boxed terms. H(ID) is defined by some subset of these boxed terms. Here the number of matrices is linear in the length of the identity, so it requires very long public keys. The security proof of the scheme follows the template, and it is similar to the security proof of Waters' IBE.

Next, I explain our construction. Before doing this, I explain the difficulty of reducing the size of the master public key. To achieve adaptive security, we have the following choices. The first choice would be to use Waters' hash, but as we have seen, it requires long public parameters. The second choice would be to use the dual system encryption methodology, also due to Waters, but currently there is no lattice analogue of the methodology. The third choice would be to use Naccache's variant of Waters' hash, but it still requires long public parameters, at least in an asymptotic sense.
The final choice would be to use the admissible hash due to Boneh and Boyen, but it also requires long public parameters. In our work, we use a technique that is unique to the lattice setting. Namely, we use fully homomorphic computation to reduce the size of the master public key.

Before explaining the fully homomorphic computation, we introduce a special gadget matrix G. This gadget matrix G is used in many previous works, including the previous presentation. There is a special matrix G that satisfies the following property. Given an arbitrary matrix U, it is possible to compute another matrix V that satisfies the following equation, namely G times V equals U. This matrix V can be chosen deterministically, and the coefficients of V are all small. We denote this V as G^{-1}(U).

Then I explain the fully homomorphic computation. Let us assume that V and V' can be expressed like this. Here, R and R' are matrices with small coefficients, and X and X' are some scalar values. Then this equation holds. Here, the interesting feature of the equation is that the product of X and X' appears in the equation. Furthermore, this underbraced term is small if R, R', X and X' are all small.

Next, I explain our idea to reduce the public parameters. In our scheme, we prepare these green matrices in the master public key, and these yellowish-green matrices are generated from these green matrices. For example, the (i,j)-th of the yellowish-green matrices is defined from V_{1i} and V_{2j} by the fully homomorphic computation like this. Using fully homomorphic computation, we can generate a larger number of matrices from only a smaller number of matrices. Then I explain how to compute the matrix H(ID). H(ID) is defined as the sum of V0 and some subset of these yellowish-green matrices, like this.
Here, S(ID) is some subset of these yellowish-green matrices which depends on the value of the identity ID.

This is our scheme. Our scheme follows the template for lattice IBE schemes I explained in the previous slides. The master public key contains these green matrices, and the key generation and encryption algorithms exactly follow the template.

Next, I proceed to explain the security proof of the scheme. In the security proof, we embed the problem instance of the LWE assumption into the master public key like this. Here, the matrix A is from the problem instance of the LWE assumption, and the values Y0 and Y_{ij} are specified later. Here, H(ID) can be represented by this equation. For now, I assume that this underbraced term is small. Then I also define this boxed term as F_Y(ID), which depends on Y and the identity ID. To complete the security proof, we have to choose Y0, Y_{1i} and Y_{2j} so that the probability of the following boxed condition is noticeable. Namely, we have to ensure that F_Y(ID*) is 0 and F_Y(ID_i) is not 0 for all ID_i. Here, ID* is the challenge identity and ID_i is an identity for which a key extraction query is made. To accomplish this, we choose Y0 and Y_{ij} like this. Here, kappa is the maximum size of S(ID). It is easy to see that the probability that F_Y(ID*) is 0 is estimated like this. Furthermore, by the Schwartz-Zippel lemma, for all ID_i we have that the second equation holds. The probability in this estimation can be expected to be the last equation, which is noticeable. Of course, this analysis is not correct and is informal, because these events are not independent. However, this gives an intuition of why our partitioning technique works.

In fact, there is still a problem in this analysis. In the first step of the overview, I assumed that this underbraced term is small. However, this is not true in general, because the value contains this boxed term Y_{1i} R_{2j}.
This term is as large as capital Q, which is the number of key extraction queries that the adversary makes. To complete the security proof, we have to ensure that the modulus q is much larger than capital Q, the number of key extraction queries that the adversary makes. However, the modulus q is typically some fixed polynomial, whereas capital Q is an unbounded polynomial that depends on the adversary. This causes a problem.

A simple solution to this problem is to use a modulus q which is slightly super-polynomial. In our first construction, we set the modulus q as a super-polynomial function in the security parameter and choose the other parameters appropriately. The security proof for the first scheme requires the LWE assumption with super-polynomial approximation factors. However, this is not desirable, and we want to base our scheme on a weaker assumption. To accomplish this, in our second scheme, by adding some modification to the first scheme, we can prove the security assuming that LWE is hard for all polynomial approximation factors. The idea is to run our first scheme with different parameters in parallel. By this modification, the anonymity of the scheme is lost. Furthermore, the efficiency of the scheme slightly degrades. However, we can base our scheme on a weaker assumption using this technique. A similar idea can be applied to the ABE for branching programs by Gorbunov et al.

Next, I proceed to compare our scheme with previous schemes. As we can see, we propose schemes with asymptotically shorter master public key sizes. We propose two schemes. The first scheme is anonymous, but the approximation factor of the LWE assumption is super-polynomial. Our second scheme is not anonymous, but it is based on a weaker assumption.

This is the overview of our ABE scheme, which is obtained by a technique similar to our second IBE scheme. We propose the first ABE scheme for branching programs with these three properties simultaneously.
Note that all previous schemes achieve at most only two out of the three properties.

This is the summary of our work. We proposed adaptively secure IBE schemes with asymptotically short public parameters. The idea is to use fully homomorphic computation. The security proof involves a partitioning technique with a nonlinear function, which is different from the analysis of, for example, Waters' hash. We also proposed an ABE for branching programs with new properties. That's all. Thank you.

We have time for a few questions. Yes, Ikea. So, back here behind the pillar.

So how is the security loss of your new construction? How does it compare to previous constructions? Is it the same or is it worse?

I forgot to say, but the security reduction of our scheme is very bad. It is about Q^2.2, where Q is the number of key extraction queries that the adversary makes. Q^2.2 or even worse, depending on the parameters.

Any other question? Yeah.

Thanks. I saw on one slide you had something decreasing as k to the 1 over d, but I didn't see... Do you mind going to that? It was there. The comparison slide was... Maybe I'll just ask the question. So just in the comparison, you had k to the 1 over d, but I didn't see d appearing anywhere else. So it seemed you would want to set it to k or something really big. Is there a cost to setting d really high?

Sorry?

The question... So at one point in your performance comparisons against other schemes, you had this k, the identity length, to the 1 over d, but d didn't appear anywhere else in your performance. So I was wondering, ours too, for example.

I didn't explain the parameters, but k or kappa is the length of identities. And d is some constant value that depends... that can be set arbitrarily, but in this presentation I set the value d as 2.

Okay. I was just wondering, what is the cost for making d higher, arbitrarily high? It doesn't seem...
So I said that it can be arbitrary, but this affects the reduction cost, and the reduction cost of the scheme is Q to the d. And so in a typical situation, this value d is set to be 2 or 3 or a very small constant.

I guess we have no time left for another question. So let's thank the speaker again. And now is the time to switch tracks if you want to switch...
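The homomorphic computation the talk builds on, together with the noise-growth problem raised in the security proof, as an added worked example (this is not code from the talk or the paper): it constructs the gadget matrix G and the deterministic bit-decomposition G^{-1}, verifies V·G^{-1}(V') = A(R·G^{-1}(V') + xR') + xx'G mod q, and shows that the small "underbraced" matrix R'' is dominated by x·R' once x is as large as a query count Q. The dimensions, q = 257, and the ternary R, R' are constructed toy parameters.

```python
import numpy as np

def gadget(n, q):
    """Gadget matrix G = I_n (x) (1, 2, ..., 2^(k-1)): shape n x n*k, k = ceil(log2 q)."""
    k = int(np.ceil(np.log2(q)))
    g = (2 ** np.arange(k)).astype(np.int64)
    return np.kron(np.eye(n, dtype=np.int64), g), k

def g_inverse(U, q, k):
    """Deterministic G^{-1}(U): bit-decompose each entry of U (n x m) into {0,1}, giving n*k x m."""
    U = np.asarray(U, dtype=np.int64) % q
    n, m = U.shape
    bits = (U[:, None, :] >> np.arange(k, dtype=np.int64)[None, :, None]) & 1  # n x k x m
    return bits.reshape(n * k, m)

def check_gadget(n=4, q=257, seed=0):
    """Sanity check G * G^{-1}(U) == U (mod q) on a random U (constructed input)."""
    rng = np.random.default_rng(seed)
    G, k = gadget(n, q)
    U = rng.integers(0, q, size=(n, 7), dtype=np.int64)
    return bool(np.array_equal((G @ g_inverse(U, q, k)) % q, U))

def hom_mult(A, R, x, Rp, xp, q):
    """From V = A R + x G and V' = A R' + x' G compute W = V * G^{-1}(V') and the
    'underbraced' matrix R'' = R G^{-1}(V') + x R', for which W = A R'' + x x' G (mod q)."""
    G, k = gadget(A.shape[0], q)
    V = (A @ R + x * G) % q
    Vp = (A @ Rp + xp * G) % q
    Ginv = g_inverse(Vp, q, k)
    return (V @ Ginv) % q, R @ Ginv + x * Rp

def demo(x, xp, n=4, q=257, seed=1):
    """Constructed instance with random A and ternary R, R'.
    Returns (does the identity hold?, max |entry| of R'')."""
    rng = np.random.default_rng(seed)
    G, k = gadget(n, q)
    m = n * k
    A = rng.integers(0, q, size=(n, m), dtype=np.int64)
    R = rng.integers(-1, 2, size=(m, m), dtype=np.int64)
    Rp = rng.integers(-1, 2, size=(m, m), dtype=np.int64)
    W, Rpp = hom_mult(A, R, x, Rp, xp, q)
    holds = np.array_equal(W, (A @ Rpp + x * xp * G) % q)
    return bool(holds), int(np.abs(Rpp).max())

if __name__ == "__main__":
    # small scalars: |R''| stays at most m + |x|, far below q
    print(demo(x=1, xp=1))
    # x as large as a query count Q (here 1000 > q): R'' is no longer small relative to q
    print(demo(x=1000, xp=1))
```

The identity holds in both runs; only the second run's R'' exceeds the modulus, which is exactly why the talk's first scheme needs a super-polynomial q.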