 Daniel Vicks and Mark Zandri. And I guess Rio will give the talk. Can you hear me? Thanks for the introduction. I'm going to talk about traitor tracing. This is joint work with Daniel and Mark. So let's start with what is traitor tracing? In traitor tracing, each user has a secret key based on their identities, which was generated by trusted third party. And a server generates ciphertext of contents. And this server broadcasts this encrypted contents to all users. And each user can decrypt this encrypted contents by using their own secret key. And we can consider the following situation. Some users may be corrupted, and a pirate gets some secret keys from corrupted users. And this pirate decoder may generate a pirate decoder program from these secret keys of corrupted users. And if the pirate decoder upload this pirate decoder program, then anyone can decrypt the encrypted contents. However, in traitor tracing scheme, we have our trace algorithm. And this trace algorithm has a black box access to the pirate decoder. And then the trace algorithm can identify one of users, one of corrupted users, by using a black box access to pirate decoder. So this system can be used to some pay TV system. OK. And there are a lot of traitor tracing schemes so far. For example, bonus high waters propose an efficient traitor tracing scheme based on barrier maps. Here, capital N is the number of user identities. And this scheme achieved all the square root n and cyphotic size. And Bonnet Chandler also proposed the traitor tracing scheme based on indistinguishability of the skation. There in this scheme, the cyphotic size of log capital N. However, both of these schemes, the running time of the trace algorithm is all over capital N. So here, the number of user identity must be polynomial. In our paper, we achieved the traitor tracing scheme for exponentially many identities. So it means capital N is 2 to the small n. We can use a little bit of strings as the ID space. To achieve this, we propose a new tracing technique. And we also propose a general framework for traceability. We call Oracle Jumpfinding Program. By using this general framework, we can obtain various traitor tracing scheme from various assumptions. For example, if we use a standard public key inclusion scheme, we can achieve a Q-bounded collusion resistant traitor tracing. And the cyphotic size is order of small n times the polynomial of Q. And if we use indistinguishability of skation, we can achieve adaptive security. Adaptive security means unbounded collusion resistant. And the cyphotic size is polynomial log of small n. So our construction is asymptotically very efficient. And we also propose a trace and a rubric system for exponentially many identities. These are our results. And in previous traitor tracing scheme, user identity is just a number. So we need some correspondence between user identity and user information. However, in our traitor tracing scheme, we can embed arbitrary information in the key. So we don't need a database of users in our traitor tracing scheme. So if we generate user secret key via, for example, secure multi-part computation, then our traitor tracing scheme can be anonymous. This is a benefit of our framework. OK, this is our result. So let's move to a security definition of traitor tracing. I focus on traceability. First, the challenger sends a public key to the adversary. And the adversary has access to key generation oracle, which takes identity as input and output secret key for this identity. And this oracle maintains the list of corrupted user identities. And the size of L is Q. At some point, the adversary output two plain text and a pirated decoder D and a success probability of decryption of a pirated decoder D. Now, the challenger run a trace algorithm which has black box access to a pirated decoder D. And finally, output to a list of key. The winning condition of the adversary is following. If the list includes an honest user identity, then the adversary wins. Or if the pirated decoder has non-negative advantage of decryption probability, and this list T does not include a corrupted user's identity, then the adversary wins. This is a definition of traceability. So now let's move to previous approach and its limitation. Bonus high waters propose the Toyota tracing scheme by using a private linear broadcast encryption scheme. I called the PLBE for short. In PLBE, we have a trapdoor encryption algorithm which takes index and play text as input. And this trapdoor ciphertext is for users in the region from index 0 to index T. If secret key for identity AI is in this region, then we can decrypt this trapdoor ciphertext by using secret key SKI. However, if the index is outside of this region, then we cannot decrypt this trapdoor ciphertext. And PLBE satisfies the following security properties. First, trap the ciphertext under index capital N. Then this ciphertext is indistinguishable from standard ciphertext. Second, if the ciphertext is under index 0, then this trapdoor ciphertext satisfies semantic security. And the final security property is index hiding. Index hiding means the trapdoor ciphertext is under a different index T and T prime. However, the adversary cannot distinguish these two ciphertexts under two different index T and T prime. Of course, if the adversary has secret key SKI sub-I in the region from T to T prime, then we can easily distinguish these two trapdoor ciphertexts. So the adversary is not allowed to have this secret key SKI in this region. So how to use this PLBE to achieve a teratorizing scheme? In bonus high-waters construction, encryption algorithm of teratorizing scheme is trapdoor encryption algorithm under index N. So under index N means this trapdoor ciphertext is for all users. If user has a secret key, the user can declare this ciphertext. How the trace algorithm work? The trace algorithm incrementally check the decryption probability by using trapdoor ciphertext as follows. First, generate trapdoor ciphertext under index 0. And next, generate trapdoor ciphertext under index 1. Then send these ciphertexts to the pirated decoder and check the probability difference of these two ciphertexts. And so and so forth, if there exists a noticeable probability difference between two indexes, then trace algorithm identify which user is corrupted user. So from the security property of PLBE, if a pirated decoder succeeding a decryption, then there must exist some index I, which the success probability of decryption is greater than some non-negligible probability delta. However, this contradicts to the security of index hiding, so we can at the trace algorithm succeed tracing. So this is the result of bonus high waters. However, bonus high waters and Bonnechandri use the linear search trace algorithm, as I explained. So the running time of this trace algorithm is order of capital N. This is a limitation of previous constructions. So now let's move to our approach to go beyond the exponential barrier. First, we propose a clean abstraction we call Oracle Jumpfinding problem. And Oracle can be seen as a pirated decoder in Toyota tracing setting. And large jump means the large success probability difference of two toruptor ciphertext. And we also propose a carefully designed binary search algorithm to go beyond the exponential value. The running time of this algorithm is polynomial of small n and q, so we can treat exponentially many identities. Here q is the number of corrupted users. This algorithm is inspired by a clever approach in Boyle-John's past paper, which shows the different input obfuscation is equivalent to indistinguishability obfuscation in a totally different context. Let's move to the definition of Oracle Jumpfinding problem. In Oracle Jumpfinding problem, there exists an Oracle P, which takes index i and output some probability. And this curve indicates a success probability of this Oracle P. And the first rule of this problem is the difference between p of capital N and p of 0 is greater than epsilon. This means a success probability of a pyrite decoder. And 0 is set C, which is subset of the region from 1 to capital N. This can be seen as a corrupted users. And there are several large jumps in this curve. And only this large jump occurs only at the corrupted user index. And in other part, the probability difference is less than small delta. So this is a rule of Oracle Jumpfinding problem. And the goal of this problem is find one of large jumps. So we can identify corrupted users by finding this large jump. This is the definition of Oracle Jumpfinding problem. And we propose a polynomial time algorithm for this problem. Here, I explain by deterministic algorithm press algorithm, which has Oracle access to p, and output one of a traitor. And this algorithm runs in polynomial log of capital N and Q. Again, Q is number of corrupted users. And if epsilon satisfies this condition. And in real setting, pyrite decoder is probabilistic algorithm. So in fact, our TORES algorithm is also probabilistic algorithm with Oracle access to some noisy Oracle. Here, p is just a deterministic Oracle. But in the real setting, we analyze of this algorithm by using noisy Oracle. But for simplicity, I explain by this simplified deterministic setting. So now I explain our basic TORES algorithm. First, this is inspired by BCP 14 paper. First, i is interval from a to b. And large delta sub i is the probability difference of index b and index a. Next, if large delta sub i is less than or equal to small delta, then this algorithm abort and output the empty set. As if the size of interval is equal to 1, then output b as a corrupted user. And as if we divide this interval i into two parts and then recursively apply this basic TORES algorithm for both these two regions. So this is a kind of a binary search algorithm. But we explore two regions at the same time. So you might think this algorithm does not stop in polynomial time. However, we apply this basic algorithm for entire interval to the end. But this basic TORES algorithm is called for at most two Q intervals in each level. Why? Here is the key observation. Q is the number of corrupted users or the number of large jump. This Q is polynomial. So here is abort condition. If probability difference is less than or equal to small delta, then this algorithm will stop. So the number of corrupted user is very fast in the whole regions. So even if we apply binary search to these two divided regions, this algorithm will stop quickly because this algorithm uses this abort condition. So our algorithm runs in polynomial time. So how to instantiate a TORES scheme in our framework? Here is a big picture of our result. We construct a TORES scheme from adaptive secure PLBE or private block linear broadcast integration scheme. And we use our framework, Oracle Jump finding problem framework, and sophisticated binary search algorithm, just I explained now. And how to construct the PLBE? We use functional action. This is a trivial implication. We can get various functional rendition from various assumptions. These are known results. For example, we can obtain functional rendition from indistinguishable obfuscation or sub-exponential LWE or standard public integration. So we can get our TORES scheme for exponentially many users from these various assumptions. And we also propose the new construction, which we call functional rendition with revocation. This is also our new result. And if we achieve the functional rendition with revocation, we can get TORES scheme with revocation by using the same technique. So let's move to the efficiency of our TORES scheme. So we use functional rendition to achieve PLBE. Here, a secret key for identity is a secret key of functional rendition for function F sub ID. And the ciphertext is the ciphertext of functional rendition, integration of set S and the plaintext M. How to obtain plaintext M? If identity is in this set, then this function rendition, decryption algorithm out of the plaintext M. So we can achieve PLBE, TORBE from functional rendition. And here, we set this set S as a whole identity space, two to the N. So we need NB to describe this set S. So the ciphertext size over our scheme is polynomial over small N. And we can also achieve more compact ciphertext size over log of small N. How to do this? First, we divide ID into blocks, like this, divide ID into N blocks. Then we can identify one of the blocks by using only log of small NB. And more concretely, for NB to string ID, we convert this NB to string ID into another identity ID, like this ID sub I is equal to two times S minus ID prime sub I. Here S is common tag for all identity ID. And okay, so this tag is for reconstructing ID from these two divided IDs. By using this dividing, we can identify identity as log of small N times security parameter. So we can achieve order of log of small N ciphertext. But to achieve this, we need a generalized Oracle Jumpfinding framework. But I skip this explanation due to the limitation of time. Okay, let's summarize of this talk. We proposed a compact teratorizing scheme and teresandryborg scheme for exponentially many identities from various assumptions, like standard of public key integration or LW or indistinguishability obfuscation. To achieve this, we proposed a general abstraction called the Oracle Jumpfinding program. And we proposed a new trace algorithm by using sophisticated binary search algorithm. There is an open issue. For the most compact scheme of our result, we need indistinguishability obfuscation, but can we construct such scheme by using result indistinguishability obfuscation? For example, LW assumption. That's it. Thank you for your attention. Any questions for lunch? Okay, I'll ask a question. So the functional encryption is, you only need it for one query. You don't need like unbounded queries, just one query. We achieved it. If we need adaptability secure one, then we need adaptability secure function or English. If we achieve the bounded collision scheme, then we can use the standard of public key or bounded collision function reaction. Okay. All right, so I guess lunch.