 Can you change the mode? OK, so our next paper is on multi-input functional encryption with unbounded message security. The authors are Vipul from MSR. I use from UCLA and Adam from Georgetown. And I usually give the talk. Hi, I'm going to talk about multi-input functional encryption with unbounded message security. This is joint work with Vipul and Adam sitting in the audience. So let's first start discussing with what's public key encryption in a public key encryption scheme. Any decryptor can either learn everything about the underlying message or can know nothing about it, depending on if he gets the secret key or not. But in a functional encryption, you get a fine-grained access to the private data. So in particular, if suppose there is a malicious, there's an adversarial cloud or an adversary, he gets an encryption of x. And let's say he wants to learn f of x. He can ask a key for a function f from the trusted authority who does the setup for the encryption scheme. And he can learn f of x. What security guarantee we want is that the adversary should not learn anything more about the message than just knowing the value f of x. But we are not going to talk about functional encryption. Rather, we are going to discuss an extension of functional encryption, which was studied by Goldwasser et al. And here, we are going to talk about functional encryption where, given the function key, you can basically compute joint functions from the independently generated ciphertext. And so here, for example, the cloud has this secret key for f. And he gets encryptions from four independent sources. Then what he can learn is f of a, b, c, d, where he gets the encryptions of a, b, and c, and d. There's an interesting application of this function encryption, which was given in Goldwasser et al. It was computing on medical data. Here, a researcher wants to perform some computations on patient records from various hospitals. But at the same time, the hospitals don't want to reveal the entire medical data to the researchers. So the solution that was proposed is that the hospitals can participate in a trusted setup. And then they can encrypt their data. And then a researcher can request for a key from the trusted authority about the function. And then he can learn f of a, b, c. Security, what we require from this multi-input functional encryption is that he should not be, he should already learn f of a, b, c, given the ciphertext and the function key. So there has been a lot of work in this area. And the first work was done by Goldwasser et al, where they define this primitive and also construct it for bounded arity and bounded number of ciphertext. By arity, I mean how many sources can the function key operate on. And this scheme only allowed to release bounded number of ciphertext in the system. So that was the bottleneck. But this scheme was based on IO and one-way functions. They also had another construction which removed these bottlenecks. But it was based on more stronger assumption of what's called as differing input obfuscation. Then there is this work by Brekarski Komodoski-Sagev and Anantin Jain. It was concurrent to work. And they construct an MIFE for only secret key setting. By secret key, I mean the encryption keys are not known to the adversary in the security model. But they removed the bottleneck of having bounded number of ciphertext. So this was based upon secret key FE and one-way functions. And finally, there was this work by Badrin Narayan et al. And they construct MIFE for functions with a priori unbounded arity. And it also allowed releasing unbounded number of ciphertext. And this was based on slightly stronger assumptions of PC-DIO and one-way functions. So what are the drawbacks of this work? So one drawback is all the known constructions either give us constant arity for unbounded number of ciphertext. Or they are based upon strong assumptions of DIO and PC-DIO. So in particular, in the examples, imagine a scenario where there are these hospitals and they encrypt their patient data. Now the researcher learns F of A, B, C. Suppose now that the hospital wants to update its patient data and there are some changes in the data and he releases the encryption of A prime. And now the researcher wants to learn F of A prime B and C. These schemes with bounded number of ciphertext do not provide any security guarantee at all in this regard. So what's the bottleneck? We can't issue many ciphertexts. So in this work, we construct MIFE for unbounded number of ciphertext. But we rely on sub-exponentially secure IO instead of polynomial IO. And we also rely on existence of sub-exponentially secure injective one-way functions. So the existence is in bold because we don't require to know explicit instantiation of such one-way function. Any existence is enough for the security proof to go through. So I will just recall quickly the syntax of what's multi-input functional encryption. And so in the original construction, there was a setup algorithm which takes as input the security parameter to bound on the arity. Again, by arity, I mean the number of sources of data the function key can operate on. And it also takes as input the bound on the number of ciphertexts that can be released. But since we are dealing with unbounded number of ciphertext in this work, the syntax that we propose doesn't use this bound. So the setup algorithm outputs some master secret key and n encryption keys. There's an encrypt algorithm which takes the encryption key for any index out of those n. And it also takes the message, and it outputs an encryption. Then there is a key generation algorithm which takes the master secret key and the function for which you want to issue the key. And it outputs a function key for that function. Then there's a decrypt algorithm which takes the secret key for f and all the ciphertexts. And it outputs the joint computation f of x1 through xn. So what's the security definition of such an encryption scheme? We will look at a simplified setting of the secret keys where adversity does not know any encryption keys. So consider two worlds, left and right. On the left world, the adversity gets encryption from two sources where he gets the encryptions of xi, j. And on the right, he gets encryptions of yi, j. And from two sources, and he gets additionally a key for some function f. On the left world, we can see that it learns these values, fx1, x2, j. And on the right, he learns fy1i and y2j. So we want to put some restriction on the security model that these values should be the same. If we have these values, if these values are the same, then we want that the left world should be indistinguishable to the right world. But this is insufficient for the public key setting because in the public key setting, he can encrypt by himself and learn more than what's released by the given ciphertext. So he can basically substitute any value on the star. So we must require additional constraint that basically these two functions should be the same. Anyways, we are not going to deal with public key setting here just to give things simple. So let me recall some of the primitives that we are going to use in this work. So in IO, there are two circuits A and B, and they are equivalent. By equivalent, I mean that they output the same value at all the inputs. Then if you obfuscate A or you obfuscate B, then adversary cannot tell apart these two obfuscations. So this is an indistinguishability obfuscator. There's a stronger variant which we are not going to use in this work. It's called DIO, but our construction does derive some motivation from DIO. So I'm just going to quickly tell. So in DIO, if there are two circuits A and B, such that they differ at some point, but that point is hard to recover, then the guarantee is that if you obfuscate circuit A from obfuscate, if you're given obfuscation of A or an obfuscation of B, the adversary cannot decide unless he himself computes the point at which the circuits differs. So we are also going to use what's a special kind of injective unbi function. It's a sub exponential injective unbi function. This function is injective and it's hard to invert. But other than that, we also require that if there's any algorithm that breaks it, successfully inverts the unbi function, then it should definitely run in time, which is sub exponential in the length of the input. But we don't want an explicit instantiation of this function, as I will describe later. And this is finally the last tool that we are going to use. It's puncturable PRF. A puncturable PRF is just like a normal PRF with some special properties. And the property is that there exists a puncturing algorithm, which takes a PRF key and some point x, and it punctures the key at that point x. This punctured key allows to evaluate the actual PRF on all values except that point x at which it was punctured. Also, security-wise, given this punctured key, it's hard to tell what evaluation of the PRF at the point x. So given the punctured key, it's the PRF evaluation of k at x is indistinguishable from a random value. So now I will describe the approach of our work. How do we construct MIFE for unbounded number of ciphertext? Let's recall what is general recipe for MIFE or FE that has been studied in various works. So in general, the ciphertext generally consists of two two public encryption ciphertext. And there is a IO-friendly proof like a statistically binding NISIC. And any function key is generally an obfuscated program which takes as input these ciphertext and then it verifies the proof. And once if the proof verifies, then it uses one of the hardware PK secret key. And then using these decrypted value, it computes the function and outputs that evaluation. So here thing to observe is that since we are dealing with IO-friendly proofs, these statistically sound NISICs, typically for the proof to work, we'll have to commit all the challenge ciphertext in the setup. And therefore the size of the setup parameters, the size of the encryption keys, it grows with the number of ciphertexts. So that gives us only bounded number, bounded security. Also it restricts us to just selective security since we have to commit all the ciphertext in the public parameter. So I'll describe our solution like step by step. So first we look at how to remove this bottleneck. So one way is to use simulation sound NISICs instead of using SSS NISICs. But we cannot use this with IO. So we'll have to use it with like DIO because DIO is using DIO, what we can do is you can, these kind of NISICs are more friendly with DIO so they can help us to argue security. But since we are not allowed to use DIO, we have to do something else. First thing is that for every valid statement, there are multiple proofs in BCP 14 where it says that IO is some sort of one point differing input of the specification. By that I mean that IO itself gives you some, some DIO like property that you can utilize for the proofs. So what we do is now make the proofs unique. Since here we have many proofs which satisfy the same statement, we want to make them unique so that we can use this result and it will become later here in the talk. So I'll just describe the construction in quickly. So the setup algorithm is just doing setups for the public encryption two times and it samples a PRF key. This PRF key will give you some sort of proof that we are going to use in the algorithm. The master secret key consists of these PRF keys, the public keys, the secret key of the PK system and the public encryption key is just the set of public keys and the PRF key. Okay, so how do you encrypt? First you take the message and encrypt it twice using the public key of the PK and then you compute the PRF value on these ciphertext that you get from PK encryption and just output these encryptions along with the PRF evaluation. This PRF evaluation behaves like some sort of proof and the function key, it looks like first it verifies the PRF evaluation for the ciphertext as you can see here and the decryption first and then it decrypts one of the ciphertext using the hardwired key and it finally computes the value value value. So what's the proof idea? So the main idea is again that IO implies the IO for bounded number of inputs. So this is the main theorem that if two circuits A and B differ at one input say X, then any adversary which distinguishes obfuscation of A from obfuscation of B with some advantage E, then there exists an extractor that recovers X and it runs in time polynomial in the security parameter and inverse of the advantage. We consider, so the proof works in the following manner consider the challenge vectors in the first step. Then we start with an encryption of say vector X, then we switch from encryptions of since the circuit only uses one of the secret key, we can switch the other remaining pk encryption to yi's and then we switch the function keys to use the first secret key to the other secret key and this is done step by step which I am going to describe. So we consider a hybrid circuit G sub Z which is the hybrid function key and in this function key the first step is the same except that there is another step at which we check that if the ciphertext is less than some value Z, then we decrypt using the first key otherwise we use the second secret key and we output the and using this decryption the obfuscation just outputs the value. So now we iterate the Z from zero to all the space of all the inputs. So if now how do we argue security between the two if suppose G sub Z and G sub Z plus one are equivalent then in this case we are good because of the IO security. If suppose they are not then what we can actually do is invert the one way function use this to invert the one way function p. This is done by using IO implies the IO result. So since the main idea is again we use the hard coding and the puncture programming technique to embed a one way function challenge and then using IO implies the IO we can invert the one way function. So note that p which is a one way function is used only in the proof. We can actually as well use it as any one one function in the construction. Now this construction works only for the security setting for the public key setting we need to do something else because once you when since in the public key setting encryption keys are revealed to the to the adversary since the encryption key contains the PRF key you are losing the security there. So what we do is instead of giving the PRF key in the clear we give a program that contains the PRF key and that program is obfuscated and given as the encryption. Yeah the obfuscated program takes the two ciphertexts and its randomness and gives out the proof the PRF value only if both the ciphertexts encrypt the same message. So now I will conclude we get an MAFE for unbounded number of ciphertexts and we rely on sub exponential IO injective one way functions with sub exponential security and we get adaptive security for free because we are dealing with sub exponential assumptions here so we get it for free. But there are some open problems. First is that since we are going input by input are the secure we can only achieve security for bounded message lens which like the message lens that has to be bounded in advance. So how to remove that bottleneck? Then second open question is the ultimate goal of coming with an MAFE scheme with unbounded RAT. What about polynomial time assumptions? Okay any questions? I'll ask a quick one. So with respect to the first open problem you had up what is the current bound on the message length? You can fix any polynomial bound like in the security parameter. So in practice it's probably not a huge deal. Anyways we are not implementing MAFE in practice. Yeah. Okay any other questions? Okay then let's thank Ayush again.