 Ja, das ist jetzt gut! Hi everyone, I'm Sherwin Schaaf from Trice, your phone call and your share here. We are having a session of SS Control. We have two papers on SS Control and one paper on AFIS transfer with SS Control. So we will serve as Sam, who will tell us about AC for general policy for standard assumption. So, peace. So thank you for the introduction. So this is a joint work with David. So the topic of this talk is an access control encryption. So, let me begin by motivating this motion. So let's first consider the setting of a standard encryption scheme. So in the setting we have two parties, Alice and Bob, who have access to some shared secret key K. So if Alice wants to send some message to Bob, then she would of course encrypt using this key K and send the side text over to Bob and Bob would then encrypt using the same key. So this is a very basic notion of encryption that we all know and love and we make a lot of uses for them. So, let's not consider the setting where there are many, many users in the system. Okay, Alice wants to encrypt to some arbitrary subset of a user in the system. Then what Alice would need is to have some shared secret key with each user in the system. Okay, and if she does, then she can just encrypt using each of the shared keys and she can broadcast out to arbitrary users in the system. Of course Alice can be made correct and it can be made secure, but Alice ist also ideal in dass sie eine große Zahl der Keys für jeden User in der Systeme hat. So, zu klingen mit diesen Situationen, viele von den E-Systemen, haben sie über die Jahre gepostet, wie identifizierte E-Systeme, die e-Systeme, die e-Systeme, die e-Systeme und so aufgenommen werden. So, alle diese E-Systeme fallen unter der genaue Framerik der Funktionen-E-Systeme. So, es ist vom given the decryption keys associated with some function f, and this function f specifies the precise information that a decrypter is supposed to learn from a cybertext. So if Alice encrypts using some global encryption key, then she can just broadcast out the cybertext to all the users, and a user with a decryption key associated with some function f will learn the function f applied to the message and nothing else about the message. Okay, and since the access control is done at the decryption level, Alice just has to maintain some global encryption key that she can just decrypt. So for functional encryption is a very big topic of research today, and what it basically allows us to do is to have a fine reading control of the decryption. Okay, so it allows us to precisely control what information can be learned from the decryption. So an actual question that we can ask them is, can we also have a fine reading control of encryption? So, can we precisely control what information a sender can send, a sender can send, a sender can infert? So this is a natural question, and it's applicable to many global scenarios. So, let's first just consider the setting of a company environment. The company can give its employees, its users, the ability to work with, the authority to work with some private data of company. Okay, but the employees of the company are not allowed to publicly reveal their data. They can come to the company and work with the private data, but not able to bring this data home. So in this type of scenario, we want some security against malicious senders. We want to prevent an adversary who already has access to some private data to send some information out. Also, this type of security also makes sense, because oftentimes information is sent out by mistake, or there can always be a virus that will randomly scrape random parts of the memory and just broadcast it out to an open channel. So, can we define some cryptographic primitive that will capture, that will address these type of scenarios. And this is of course clearly impossible without some additional hardware countries, without some additional restraint on the model. And the question is, of course, if the adversary is already given some private information, if the adversary is given, also given access to some open channel, then there's nothing to prevent the adversary from just sending out to the open channel all the private information in plain text. So the question is, what is the right model? And this is where access-control encryption comes in, or ACE for short. So this is an ocean that was introduced by Dan Carter Tum in 2016, and basically they introduced this entity called a Sanitizer, where each architect has to go through. So each Sanitizer, that's encrypted by an encryptor, is going to be processed by a Sanitizer. So let me just describe this more in detail using diagrams. So in the setting of access-control encryption, there's going to be two sets of users, the encryptors and the decryptors, and each user in the system is going to be identified, but with some unique identity string. Okay, and of course for applications, we can assume that these two sets are overlapping, but for now let's just consider that they're disjoint. And for the whole system, we're going to have some fixed predicate pi that will basically take in a pair of identities, an encryptor and one from the decryptor, and basically output is 0 over 1. So this predicate pi is basically specified of who can send information to whom. So if an encryptor with some identity is authorized to send some information to a decryptor with another identity, then these two identities should basically satisfy the predicate. And also we have a sanitizer in the middle giving some sanitizer key. So if an encryptor generates a sanitizer, then this is going to be forwarded out to the sanitizer. The sanitizer will basically process, or do some operations on this sanitizer, and output some new sanitizer. And the sanitizer will be broadcasted out to all the decryptors and basically all the decryptors with the identity that basically satisfy the predicate in combination with the sender's identity should be able to decrypt this message. Okay, and the general goal of access control encryption is to basically minimize the amount of information that a sanitizer learns. So of course, if a sanitizer is able to learn the sender's identity or the obtained text, then it's actually quite easy to construct such protocols. Okay, just using standard certification protocols or zero knowledge proofs and so on. But since we want to minimize the amount of information that a sanitizer learns, in particular we want to hide the plain text and sender's identity, this is not as trivial to construct. So how do we actually define security in this model? So the original paper of Dan Garretel proposed two security requirements. So the first security notion is called the no-resecurity. So in the setting, we basically assumed that all the decryptors, the sanitizer and all the decryptors are malicious and they're all colluding with each other. And basically we have one honest encryptor who is playing the role of a challenger and if the encryptor basically generates some cybertext, then it should be hard for an adversary to gain any information on a cybertext, as long as all the decryptors are not authorized to decrypt this message. So that's basically equivalent of just the next standard of anti-security. So the second security requirement is called no-right security and this basically captures the idea of finally controlling the encryption. So in the setting, we have all the decryptors and all the decryptors are dishonest and only the sanitizer is basically off. So the invisible condition here is that no encryptor should be able to send information to any of the decryptors and basically the adversary's goal is to send some information through the sanitizer to get to the decryptor. So how do we actually capture this notion formally? So we basically define some game where an involvement of a malicious encryptor generates a malicious cybertext and sends it over to the sanitizer and the sanitizer will basically flip a coin and it will either honestly sanitize the cybertext using the real algorithm or it will basically sample a random cybertext from a cybertext space. We basically require that a bounded adversary is not able to distinguish between honestly sanitized cybertext and a randomly sampled cybertext. So this is the notion of no-right security and this is basically the notion of access to total encryption. So what we know about this construction so the original paper of Dan Garda-Tal who introduced the notion gave two constructions. The first one was based on DDH or DCR and the downside of this construction was that the cybertext size grew exponentially with the size of the identity constraints. And so the second construction they basically gathered this downside but they had to rely on strong assumptions of a distinguishability obdiskussion. So there were some follow-up works out of this so Push Power Intel 2017 constructed access control encryption where you're just using a standard assumption of herring boots of SXDH and they were also able to get a cybertext size that's very compact. But the downside of this construction was that the value of predicates that the scheme can support was restricted to basically equality and comparison predicates. And there was also a work by Tata-Tal and they basically construct access control encryption for arbitrary predicates using LWB so the cybertext size was also very big. So in this work we basically construct access control encryption that basically can support arbitrary predicates. The cybertext size is also very compact and we only use standard assumptions of DDH, RSA and LWB. So we do have to rely on all three of these DDH, RSA and LWB but I will talk more about this later in the talk. Okay so for the remainder of the talk let me give a high level overview of our construction. So we're basically going to do a divide and conquer approach. We're just going to break down the notion of access control encryption into different components and basically solve each of these components separately. So let's just consider, let's just first achieve no red security. So let's just ignore no red security or just ignore SXDH. So in this job, just no red security then it's actually quite easy to achieve. So basically just use a cert. So all the encryptors can just be given a signature of their own attenative string. And to encrypt, the encryptors can just attach the signature to the message and just send it off to the sanitizer. And the sanitizer can just verify the signature and basically if it checks out then you can encrypt to all the users in the system that are authorized to decrypt this message. So I guess it's a little more clear in the diagram. So all the encryptors are now going to be given a signature of their own attenative string. And all the encryptors are going to be given some unique secret key for just a standard symmetric encryption scheme. And basically to encrypt the encryptor is just going to attach its own identity and the signature along to the message and just send it off to the sanitizer. And then you can access the signature and just encrypt to all the decryptors in the system that are allowed to decrypt and concatenate all the cyberplex and just broadcast out the cyberplex. So does this actually satisfy no-right security? So in the no-right security we basically assume that all the encryptors are malicious and all the decryptors are in the signature scheme. So the cyberplex is just attaching the signature of their own identity to the message. So as long as the encryptors cannot forge they cannot produce maliciously generated segments. And the security against the encryptors just follow from the definition of the sanitizer and the semantic security of the underlying encryption scheme. So by definition the sanitizer we're only encrypted to decryptors who are authorized to decrypt. So by semantic security no information is lead to the malicious decryptors. So I guess the downside of the previous construction of this construction is that the sanitizer size is very big. The sanitizer is encrypting to all the users in the system that are allowed to decrypt. So let's try to tackle compact sanitizer next. So with this useful tool that we use is an encrypted encryption. So this was a notion formalized by Monet & Waters in 2007. So this is just a more advanced encryption scheme where the encryption algorithm takes in some attribute and message pair. So the encryption algorithm takes in some attribute X and some message M for introducing some cybertext associated with XMF. And now the decryption keys are also associated with some function F. And the decryption on the cybertext associated with the attribute XM and message M should output the message M if and only if the associated attribute X satisfies the function M. And basically the security property says that the cybertext associated with the attribute X and the message M should be hidden to the adversary who is only given a pretty good encryption secret key for which decrypt equals to zero. So this is just a standard notion of predicate encryption secret. So basically the idea is we're going to make the sanitizer when given the identity, the signature and the message to just encrypt to the predicate encryption using the sender's identity as the attribute. And basically the decryptors are now going to be given a predicate encryption decryption keys associated with function that just checks the fixed predicate pi with their own identity hardwired into the predicate. So here the decryptor is now going to be given a predicate encryption decryption keys that will check the predicate pi with their own identity string hardwired inside and when the sanitizer receives the identity, the signature and the message it will just check the signature and just encrypt using the predicate encryption sender's identity. And then you will just broadcast out this predicate's status and by correctness and security of the predicate encryption scheme the no write security is maintained but now the start click size is very compact because the sanitizer is only encrypting to a single predicate encryption set. So the final goal is to achieve no re-security and basically the problem right now is that the sanitizer is learning too much information. So the sanitizer, the current task of the sanitizer is to basically check the signature in which case it will learn the sender's identity and then encrypt using a predicate encryption scheme in which case it will learn the message. So how can we actually make the sanitizer perform these tasks in a blindfolded way? And for this we basically use functional encryption and functional encryption itself is a very powerful primitive in its full generality that only follows from obbligation but we basically in this setting we can just rely on a boundary key functional encryption which can be constructed from standard assumptions so boundary key function encryption is just a standard function encryption scheme where the security is only guaranteed when the adversary is only given a boundary number of keys. So basically our idea is to just provide this functional encryption secret key sk sub f where the function f is basically going to simulate the task of the sanitizer. So this function f will take an identity, a signature and a message and it will just check the signature and it valid and it will just output a predicate encryption sacrifice. So now the sanitizer is going to be given fe decryption key sk sub f and now the encryptor is just going to encrypt the trip over the message using a functional encryption scheme and the sanitizer it will just run the fe decryption using its own key and by definition it will check the signature and this will output some predicate encryption sacrifice and this predicate encryption sacrifice will be broadcasted out to all users like before. So does this actually satisfy our no-re security so in no-re security remember we basically assume that all everyone is honest except for a single encryptor and if the honest encryptor is encrypting using a functional encryption scheme by the security of functional encryption the adversary should only learn the function f applied to the underlined message. But by definition of the function f f applied to the identity signature and the message is basically the predicate encryption sacrifice and by security of the predicate encryption sacrifice the adversary should not learn any information of the identity of the attribute or the message as long as no other decryptors are authorized to decrypt. So this is basically how we achieve no-re security. And of course there is a number of security details that comes up to our security and I will just defer that up to the paper. One important thing to note here is that where basically the encryption algorithm the predicate encryption algorithm so this actually violates the traditional syntax of a functional encryption scheme so basically we have to embed PRF keys everywhere so basically we have to embed PRF keys as part of the message and also as part of the function associated with fd key and this also this makes security a little bit harder to argue and a little bit cumbersome to argue about so there are a number of works that actually study function encryption for randomized functionalities and basically these words show that if you take a regular function encryption scheme for deterministic functionalities then you can actually boost that to function encryption that can support randomized functionalities using if you just assume the hnrc. So this is basically the reason why we actually need all three assumptions because right now this boosting step only we only know how to do this boosting step using the hnrc and predicate encryption actually just we only know how to do it from the other three alright so additionally in the paper we propose some additional extensions to the ac definition so basically basically to support dynamic policies that's pretty simple to have a more fine way control of the standard policies and to get beyond all or nothing encryption but I will just refer to the details in this paper but basically with just simple modifications to our original construction we can basically achieve all of these extensions alright so let me conclude with some open problems so so like I said our construction basically relies on three different assumptions so dth, rsa and lve so it would be really nice if we can actually just rely on a single assumption and that would be qualitatively much better and that would be really nice and I think it's actually doable and so another question so access control encryption is a very new top, is a very new notion so there's a lot more work to be done on connecting this primitive to other more advanced notions in cryptography like obfuscation, functional encryption and predictive encryption so on so I think there's a lot more work to be done here and with that I will finish my talk with your questions so I probably blinked when you said where rsa is being used that's one question must you use the generic transformation for randomized functional encryption in your case it seems like an easier case there's just one key and perhaps like some other some other properties that would make it easier to sort of just get based on pure assumptions yeah so the first question yeah so to get to boost functional encryption to support my transfunctionalities I believe we need this and we basically so yeah so you basically have to use either parents or rsa and we cannot get it from other view so that's the first so ddh rsa so you either need ddh plus rsa or parents I believe so that's the first question and the second question yeah I guess I guess that is possible but we didn't really explore that part so I guess so the security argument was becoming much more complicated but we just basically just relied on the randomized function functional encryption so yeah but it might be possible to not use any false generality yeah questions, comments we see you sometime if not the next question, same again