Hello, and thank you for showing interest in our research. My name is Tilen Marc, and I'll be presenting joint work with my colleagues Jose Maria Bermudo Mera, Angshuman Karmakar, and Azam Soleimanian on efficient lattice-based inner product functional encryption. Let's start with some basics. Functional encryption, introduced by Sahai and Waters in 2005, can be seen as a generalization of public key encryption, where we have a trusted third party that is able to produce public keys which enable an encryptor, say Alice in our case, to encrypt a message X using the public key. Independently of that, the trusted third party is able to produce functional keys, depending on a function F, that can be distributed to a decryptor, say Bob, who can, with the functional key, decrypt from the encryption of message X the function F of X. So, in some sense, the decryptor is able to do computation on the encrypted message and decrypt only the result of this function. Notice the similarity with homomorphic encryption, which also enables computing on encrypted data, but there the result is usually returned to the encryptor. In the case of functional encryption, the decryptor should be able to decrypt only the result. Let's try to understand what it means for a functional encryption scheme to be secure. The security notion is usually modeled as an indistinguishability game, where an adversary submits two messages, say X0 and X1, and the challenger encrypts one of them. The adversary shouldn't be able to tell which message was encrypted. The challenge in functional encryption is that the adversary shouldn't be able to distinguish the messages even with access to functional keys, with the limitation that he or she can ask only for functional keys for functions that do not distinguish the messages themselves, so only for functions f such that f of X0 is equal to f of X1.
There is a slight difference between selective and adaptive security, where adaptive security is a bit stricter, demanding that the adversary cannot distinguish messages X0, X1 even when he or she may submit them after having observed the public parameters and public keys. There has been quite a lot of research done already in the field of functional encryption, and there are many interesting results and constructions. There are designs for functional encryption schemes for arbitrary functions, but unfortunately, as has been shown, constructing such schemes is equivalent to indistinguishability obfuscation, which is known to be quite hard to construct, and even though there have been major breakthroughs recently, these schemes still remain a bit impractical. For this reason, a subfield emerged, starting with Abdalla et al. in 2015, focusing on functional encryption schemes with limited functionality but designed with efficiency in mind, so as to provide schemes that could be practical and implemented. In particular, schemes for inner products, that is linear functions, and also for quadratic functions were designed based on well-established assumptions such as DDH, DCR and LWE. Furthermore, they were extended to multi-client settings, in a decentralized or centralized way, meaning that multiple encryptors can provide ciphertexts, and also with the function-hiding property. In this context, our work improves this line of work: we wanted to provide an efficient and practical ring LWE-based, so quantum-secure, functional encryption scheme for inner products, and we do so with selective and also adaptive security. In particular, we improve results on inner product functional encryption schemes based on LWE by transitioning to the ring LWE setting, because we really wanted to provide schemes that can be considered practical, since the practicality of existing LWE schemes, as I will try to argue later, is still quite limited.
To provide these results, we needed to prove some new results on lattices, as I will explain later. Additionally, to make the schemes even more practical, we also provide a compiler to decentralized identity-based multi-client inner product functional encryption and a highly optimized implementation supporting our claims on efficiency. An inner product functional encryption scheme should support encrypting vectors, say X in our case, and deriving functional keys based on some other vectors, say Y, that enable you to decrypt the inner product of X and Y, of course only when having such a functional key. The idea of how a ring LWE-based inner product functional encryption scheme is constructed is similar to other existing inner product functional encryption schemes, and it can also be seen as a natural generalization of ring LWE-based public key encryption. The main idea is to produce public keys that can be seen as ring LWE samples. Recall that we obtain such samples by sampling some value, say A, uniformly at random from some ring, usually a ring of polynomials, which is the case in our scheme as well, and some secret and noise values, usually sampled from some small distribution such as a Gaussian distribution. To encrypt in our functional encryption scheme, one does the same as in ring LWE-based public key encryption, but we encrypt the coordinates of the vector, so the values X_i, each one with a separate public key produced above. The point here is also that shared randomness needs to be used, so the random values used across all these ciphertext components are shared. To generate a functional key, one uses the fact that ring LWE public key encryption is key homomorphic, so a functional key is produced as a linear combination of the secret keys with the coefficients of the vector Y.
Finally, to decrypt an inner product, one uses the ciphertext homomorphic property of ring LWE and evaluates in the standard way, which results in the desired value plus some noise, and because this noise is obtained, as is standard, the values that were encrypted were also a bit scaled, so this scaling of the result helps us eliminate the noise. Let's see what the main challenges are in proving security of such schemes. As previously mentioned, the main challenge in functional encryption schemes is to prove that encryption is still indistinguishable even knowing the functional keys. And as it turns out, in our case the functional keys reveal a bit more information about the underlying ring LWE problems than desired. Going directly to our scheme, let's first assume that the adversary had no access to functional keys. Then one could simply argue that the values in the public keys, sampled in this way, can be seen as ring LWE samples, and by the hardness of the ring LWE problem they can be replaced with uniformly random ones, since the adversary could not distinguish this change. Then, in the next step, these values here could also be replaced by uniformly random sampled ones, and such values statistically hide the message. But since the adversary has some information about the secret values, some known directly through the functional keys and some leaked through the noise in decryption, one cannot simply replace these values with uniformly random ones. Nevertheless, a similar strategy can be employed, with a bit of resampling and a bit of rewriting of the ciphertext: one can still replace these values, and actually also these values, with some other values that statistically hide all the information that could be used to distinguish which message was encrypted. But to do so, one arrives at the following problem, which we call the multi-hint extended ring LWE problem.
Recall that in the standard ring LWE problem we have, say, A and U, uniformly sampled values from some ring of polynomials, and S and E, also sampled from the ring of polynomials but from some small distribution, usually a Gaussian distribution. The ring LWE problem asks to distinguish this pair from a uniformly random sampled pair. In the multi-hint extended ring LWE problem, we have a similar situation: we want to distinguish these values from these values, but additionally we are given some hints that reveal some information about the secret and the noise term in the ring LWE sample. What we were able to prove is that if one increases the starting distribution of the noise and the secret, one can still argue that, with this slightly increased distribution, these hints do not reveal enough information to distinguish the values. In particular, one can transfer the hardness of this problem to the hardness of the original ring LWE problem. This allows us to change the ciphertext sampling by the challenger in a way that is indistinguishable to the adversary. Actually, we can use this trick twice in our proof, which simplifies it and gives somewhat better parameters in comparison to the LWE proof, which also used a multi-hint extended LWE problem in its case. But there this was not enough and additional tricks needed to be employed, so our proof is a bit simpler. Nevertheless, using only the hardness of the multi-hint extended ring LWE problem, we were not able to prove adaptive security of our scheme. So what we needed to do is modify the scheme slightly, in particular the sampling of the public keys, since these are the ones the adversary can observe before submitting messages in the adaptive security game. We modified them with a trick that was also used in LWE-based functional encryption schemes.
In particular, we replace them with values sampled like this, where we sample values A_j, shared across public keys, uniformly at random, and secret values S_{i,j} from some small Gaussian distribution. What one can argue is that values sampled like this are indistinguishable from random by a statistical argument, so not depending on the hardness of the underlying ring LWE problem or anything like that. These arguments are usually known as the leftover hash lemma and are a reasonably standard thing in the LWE setting. In the ring LWE setting there are also results showing that these kinds of values are indistinguishable from random, some quite general, some a bit more specific. What we did is take these results and polish them a bit to fit our purpose, to have as efficient a scheme as possible, so as to get somewhat better parameters than those suggested by, say, the most general results. What is also interesting in the ring setting is that this value M here, which also tells us how big the public keys and public parameters will be, does not need to be as big as in the LWE setting. So in the matrix setting it must be quite big, but here it can be, say, constant; it depends a bit on how you want to choose parameters, but it does not grow linearly with N or anything like that. Having public keys statistically indistinguishable from random, one can then use some standard arguments with complexity leveraging to argue that a similar proof as in the selective case, so also using the multi-hint extended ring LWE problem but in a slightly different way, can be lifted to adaptive security without losing much on the security assumptions. So what are the benefits of the ring LWE setting? Well, ring LWE allows us, as said, to simplify the proofs, arriving at somewhat better parameters in the end, and we really carefully crafted these parameters so as not to lose too much efficiency.
On the other hand, the ring setting allows faster operations, since multiplying polynomials can be a bit faster than multiplying matrices with vectors. This is reflected, for example, in this table, where we compare with two known LWE-based inner product functional encryption schemes: procedures like setup and encryption have this factor of N log N, which is asymptotically the cost of multiplying two polynomials, while for multiplying a matrix with a vector we have N squared terms in setup and encryption as well. So there is an improvement here, but also in the ring setting we have smaller keys, since in the LWE setting we need quite big matrices to ensure security. In particular, for example, for the public key we have factors of N squared log Q squared in both LWE schemes, while in ring LWE we have only an N log Q factor, a huge improvement. While this might not seem much on paper, it turns out that if one implements such a scheme for vectors of reasonably big length, the public keys in the LWE case can even be measured in gigabytes, while in ring LWE they are only megabytes in size, so a drastic improvement. There is another advantage, which could be important for many applications: the ring setting allows encrypting values in one ciphertext in parallel. This is a well-known phenomenon that is also used in homomorphic encryption. In our case it means that we are able to encrypt not just one vector but maybe thousands of vectors in one ciphertext without losing much in performance, actually with only a really small addition, and then on decryption we decrypt not just one value but do a kind of SIMD-type calculation, decrypting in parallel thousands of values of the evaluation of some function, in our case an inner product.
As pointed out, we provided an efficient implementation of our scheme, and I will let my colleague Angshuman explain to you what the problems and solutions were in implementing our scheme.

We need to perform very large polynomial multiplications for our scheme. We choose our primes such that they support efficient polynomial multiplication using the number theoretic transform and fast modular reduction. We also need large fields for correctness of our scheme, so we split our large primes using the Chinese remainder theorem into smaller primes and perform the individual multiplications using the smaller primes; we provide a full residue number system based implementation using the CRT. Finally, as the length of our polynomials can be very large, the rearrangement steps after the NTT or inverse NTT can be very costly. To avoid this, we combine the Cooley-Tukey NTT and the Gentleman-Sande inverse NTT. For security, we also need samples from very large Gaussian distributions. We achieve this in two steps: first, we generate samples from a Gaussian distribution with a small and fixed standard deviation; second, we combine the samples from the small distribution to generate samples from an arbitrarily large Gaussian distribution. We perform both of these steps in constant time to remove any adverse effect of timing attacks. Here are our parameters for our implementations. We provide parameters for three different levels of post-quantum security. We also provide the set of CRT primes for each level of security. The implementation is available at the above mentioned GitHub repository.

Thank you, Angshuman. To better understand what these performance numbers mean, we also implemented a simple use case to demonstrate how our scheme can be used. We showed how to do some simple machine learning on encrypted data, in particular on encrypted images. Images can be seen simply as a vector of pixels, so for each pixel you get one value, and using our scheme you can of course encrypt these
vectors. What we worked with is a quite standard data set in machine learning known as the MNIST data set of handwritten digits, so each image consists of one handwritten digit, and the task is to classify or predict which digit is in the image. So using our scheme one can encrypt these images, which can be seen as 785-dimensional vectors, and evaluate a simple machine learning model. We used logistic regression because it only needs to evaluate linear functions, and we are bound in our scheme to linear functions. Concretely, one needs to evaluate 10 inner product functions to get 10 predictions, one for each digit. What we observe is that it takes roughly 381 milliseconds to encrypt such an image, and then to evaluate the machine learning model that was learned before it takes only 170 milliseconds to evaluate the 10 inner product functions. But notice also that one can encrypt multiple images in one ciphertext without increasing the size of the ciphertext or worsening its time complexity, so in fact you can encrypt up to 4092 images in parallel in one ciphertext and then evaluate the model on all the encrypted images simultaneously without worsening these performance numbers. As a bonus, and to make our scheme even more practical, we explained how the scheme can be compiled to the multi-client setting, a setting where we have not just one encryptor but many of them, each encrypting their own secret message. There are known compilers for doing that; for example, Abdalla et al. explained it in 2019. What we do here is argue that our scheme can be used in such compilers, and we additionally extend or generalize this to the identity-based decentralized setting. So we end up with a scheme where the encryptors can, in a truly decentralized way without any trusted setup, encrypt their values with some labels, and the decryptor is then able to decrypt the inner product of these values and is not able to join ciphertexts that were not meant to be joined, only
those which correspond to the same label. For the conclusion, let's recap the results we presented in this talk. We provided efficient ring LWE-based inner product functional encryption schemes with selective and also adaptive security. We provided some new results on lattices needed to prove security of the mentioned schemes, most importantly the multi-hint extended ring LWE problem, a reduction of the difficulty of this problem to the standard ring LWE problem, and also a version of the leftover hash lemma for rings that we needed to make our scheme more practical. We explained how to compile it to an identity-based decentralized multi-client scheme and provided a quite optimized implementation of our scheme with multiple parameters and security settings, and a simple showcase of how our scheme can be used. Of course, all further details can be found in the paper. Thank you for your attention and see you.
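Editor's addition, not part of the talk: the construction the speaker sketches (public keys that are ring-LWE samples, every coordinate encrypted under its own public key with shared randomness, a functional key that is the key-homomorphic combination of the secret keys with the coefficients of Y, scaled messages so that rounding removes the noise, and coefficient-slot packing so that one ciphertext carries many vectors) written out as a toy Python program. This is illustrative code and not the authors' implementation: the parameters are tiny, the "small" distribution is uniform on {-1, 0, 1} rather than the discrete Gaussian the scheme uses, multiplication is schoolbook rather than NTT-based, and all names and parameter values (N, Q, ELL, K and so on) are my own choices. It gives no security at these sizes; it only shows the algebra and the noise-budget check a practitioner would run before fixing parameters.

```python
"""Toy ring-LWE inner product functional encryption (illustration only, not the paper's code).

Ring R_q = Z_q[x]/(x^N + 1). A functional key for an integer vector y lets the
holder learn <x, y> and nothing else about x. Coefficient slot j of every
polynomial carries the j-th plaintext vector, so one ciphertext holds up to N
vectors and one decryption yields N inner products (the SIMD effect from the talk).
All parameter values below are toy assumptions chosen so the noise bound holds.
"""
import secrets

N = 64            # ring degree = number of vectors packed per ciphertext
Q = 1 << 40       # ciphertext modulus
ELL = 8           # vector length
X_MAX = 256       # plaintext coordinates lie in [0, X_MAX)
Y_MAX = 10        # functional-key coordinates satisfy |y_i| <= Y_MAX
K = 1 << 16       # plaintext space for <x, y>; must exceed 2 * ELL * (X_MAX-1) * Y_MAX
DELTA = Q // K    # scaling factor: message is placed DELTA above the noise

_rng = secrets.SystemRandom()


def poly_mul(a, b):
    """Schoolbook negacyclic product in Z_q[x]/(x^N + 1) (x^N = -1)."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] += ai * bj
            else:
                res[i + j - N] -= ai * bj
    return [c % Q for c in res]


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def poly_scale(a, k):
    return [(k * x) % Q for x in a]


def sample_uniform():
    return [_rng.randrange(Q) for _ in range(N)]


def sample_small():
    # Stand-in for the discrete Gaussian of the real scheme: coefficients in {-1, 0, 1}.
    return [_rng.randrange(-1, 2) for _ in range(N)]


def setup():
    """Public keys pk_i = a*s_i + e_i are ring-LWE samples sharing the same a."""
    a = sample_uniform()
    msk = [sample_small() for _ in range(ELL)]
    pk = [poly_add(poly_mul(a, s_i), sample_small()) for s_i in msk]
    return (a, pk), msk


def encrypt(mpk, batch):
    """batch: 1..N vectors of length ELL; vector j goes into coefficient slot j."""
    a, pk = mpk
    assert 0 < len(batch) <= N
    r = sample_small()                                   # randomness shared by all components
    c0 = poly_add(poly_mul(a, r), sample_small())        # c0 = a*r + f0
    cs = []
    for i in range(ELL):
        msg = [DELTA * (batch[j][i] if j < len(batch) else 0) for j in range(N)]
        cs.append(poly_add(poly_add(poly_mul(pk[i], r), sample_small()), msg))  # pk_i*r + f_i + DELTA*x_i
    return c0, cs


def keygen(msk, y):
    """Key homomorphism: sk_y = sum_i y_i * s_i, an integer combination of the secrets."""
    sk = [0] * N
    for y_i, s_i in zip(y, msk):
        sk = [acc + y_i * c for acc, c in zip(sk, s_i)]
    return [c % Q for c in sk]


def decrypt(y, sk_y, ct):
    """sum_i y_i*c_i - sk_y*c0 = DELTA*<x, y> + noise per slot; rounding removes the noise."""
    c0, cs = ct
    acc = [0] * N
    for y_i, c_i in zip(y, cs):
        acc = poly_add(acc, poly_scale(c_i, y_i))
    d = poly_sub(acc, poly_mul(sk_y, c0))
    out = []
    for coeff in d:
        centered = coeff - Q if coeff > Q // 2 else coeff
        out.append((centered + DELTA // 2) // DELTA)    # nearest multiple of DELTA, signed
    return out


def noise_bound():
    """Worst case |noise| per slot for {-1,0,1} coefficients:
    sum_i y_i*(e_i*r + f_i) contributes ELL*Y_MAX*(N+1); sk_y*f0 contributes N*ELL*Y_MAX."""
    return ELL * Y_MAX * (N + 1) + N * ELL * Y_MAX


def parameters_ok():
    """Correctness conditions: noise below half the scale, scaled message below Q/2."""
    ip_max = ELL * (X_MAX - 1) * Y_MAX
    return noise_bound() < DELTA // 2 and DELTA * ip_max + noise_bound() < Q // 2


def demo(batch, y):
    """Run setup/encrypt/keygen/decrypt once and return the recovered inner products."""
    mpk, msk = setup()
    ct = encrypt(mpk, batch)
    sk_y = keygen(msk, y)
    return decrypt(y, sk_y, ct)[:len(batch)]


if __name__ == "__main__":
    # Constructed sample input: N distinct vectors packed into a single ciphertext.
    batch = [[(7 * j + 13 * i) % X_MAX for i in range(ELL)] for j in range(N)]
    y = [3, -10, 5, 0, 7, -2, 10, 1]
    want = [sum(x * w for x, w in zip(v, y)) for v in batch]
    print("parameters ok:", parameters_ok())
    print("all", N, "slots decrypted correctly:", demo(batch, y) == want)
```

The noise bound is the part to keep when moving to real parameters: the scheme is correct only while the accumulated noise, which grows with the vector length, the size of the y coefficients and the ring degree, stays below half of DELTA, and this is what forces the large moduli and hence the CRT/RNS arithmetic described in the implementation part of the talk.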