 Welcome to my talk. I'm going to talk about Adaptively Secure Inner Product Encryption from LWE. I'm Shota Yamada, and this is a joint work with Shuichi Katsumata, Ryo Nishimaki, and Takashi Yamakawa. Let me explain our result in short. We propose the first Adaptively Secure Inner Product Encryption, or IPE in short, from lattices that can handle inner product over integer with polynomially bounded domain, or inner product over Zp with polynomial bounded modulus p. We also propose the first Adaptively Secure for ZIPE from lattices with both small and large universe. To do so, we extend the framework by summary. In particular, we relax the conforming property that is required for the framework. Even though our main interest is on inner product encryption, let me explain more general notion of attributes-based encryption or ABE in short here. In ABE, there are master public key and master secret key in the system. The former is public while the latter is hidden. Using the master public key, one can encrypt a message for some attribute X. Using the master secret key, one can generate a secret key for some attribute Y. The decryption should be possible if X and Y satisfy some relation R. Namely, if R of X, Y equals to 1, the ciphertext can be decrypted using the secret key. Otherwise, the decryption is not possible. In this presentation, we introduced two relevant predicates for ABE. The first one is inner product predicate. Here, a ciphertext and a secret key are associated with a vector, and the decryption is possible only when they are orthogonal. ABE for this predicate is called inner product encryption. We also consider ciphertext policy ABE or CP ABE in short. Here, a ciphertext is associated with a circuit, and the secret key is associated with a string. The decryption is possible if and only if the evaluation result of the circuit X on input Y equals to 1. Let me explain the security notion for ABE. The security of ABE is defined by a game between an adversary and a challenger. Essentially, it requires that the adversary cannot see any information from a message encrypted under the target attribute X star chosen by the adversary. If it is only given secret keys with some attributes that are not authorized to decrypt the ciphertext. We consider two types of security notions. Selective security and adaptive security. The selective and adaptive security differ with respect to the flexibility given to the adversary as to when it should choose the target X star. In adaptive security game, the adversary chooses X star at any point adaptively. On the other hand, in the selective security game, it should choose it at the beginning of the game. We want an ABE scheme to have adaptive security because this is a much more natural notion than selective security. Let me explain the landscape on ABE. We have various constructions of ABE from binding maps. Basically, we have adaptively secure counterpart for selectively secure constructions of ABE. In this sense, adaptive security in pairing best ABEs well understood. The situation on lattice best ABE is very different. Even though we have selectively secure lattice ABE, even for circuits, the most expressive predicate for which we have adaptively secure ABE from lattices is TCNF formula for constant T. To fill this gap in our work, we propose the first adaptively secure ABE for inner product and fuzzy ABE from lattices. Here, I explain our approach in very high level. We basically followed Sabari's approach for constructing adaptively secure ABE by combining adaptively secure constrained PRF or CPRF in short and lattice evaluation techniques. For this framework, we need the CPRF to have the property that is called conforming property that I will explain later. In Sabari's work, she obtained adaptively secure ABE for TCNF formula using a CPRF for the same predicate with conforming property. Since Davidson et al. proposed adaptively secure CPRF for inner product, a natural approach would be combining this CPRF with the above framework to obtain an adaptively secure ABE for inner product. However, their construction does not have conforming property and thus is not compatible with the above framework. To overcome this, we relax the conforming property and introduce some techniques. Because the framework is based on combination of constrained PRF and lattices, let me explain the notion of constrained PRF first. CPRF is a kind of PRF but with some additional property. In CPRF, we have a constraining operation which takes us input the master secret key or a PRF key and a circuit F and outputs a constrained key with respect to the circuit. As correctness, we require that if F of X equals to one, we can compute the PRF value on input X using the constrained key. As for the security, we require that the PRF value on input X looks random even if one is given the constrained key case of F for function F such that F of X equals to zero. If the choice of F and X in the security game is adaptive, it is called adaptively secure CPRF. We also note that we consider the single key setting. Here, we explain a high level idea of how lattice-based encryption works. A public parameter includes a public matrix A and a vector U. Using the matrix A, we can encrypt a message like this. Here, S is a random vector and approximation symbol represents that the value in the left-hand side and the right-hand side are equal up to some small error. Note that the message is encoded by some way. We can generate a secret key with respect to a matrix B. The secret key is short vector E such that BE equals to U. If the matrix is matches, namely in the case of A equals to B, the secret key can be used to decrypt the ciphertext. To do so, we compute this and then remove the error and decode the message. In our construction, we frequently use fully homomorphic computation. The homomorphic computation evaluates on the matrix A with respect to some circuit F to obtain a matrix A sub F. We also require an associated ciphertext evaluation algorithm that converts an encryption for A into that for A sub F. We require some properties for them, but I do not explain the details at this point. Next, let me explain Sabari's framework for constructing adaptively secure CBABE. Since some of the details are not quite relevant when explaining our results and techniques, I only provide very high-level description of the scheme, which is sometimes incorrect or inaccurate. In the setup, we sample random matrix A and a vector U. The master secret key is a trapdoor for the matrix A. Now I'm going to explain the encryption. When we encrypt a message for a circuit C, which specifies the policy, we evaluate the matrix A with respect to constraining circuits with input C. This circuit is hardwired with a circuit C and takes as input a PRF key K and outputs a constrained key K sub C. And then we encrypt the message with respect to the obtained matrix. Next, I'm going to explain the key generation algorithm. When we generate a secret key for a string X, which is an input to the circuit, we evaluate on the matrix with respect to the evaluation circuit of the CPRF on input X. This circuit is hardwired with an input X and takes as input a PRF key K and outputs the PRF value on input X. Then we sample a secret key with respect to this matrix. Next, I explain the decryption algorithm. When we decrypt the ciphertext using the secret key, we first convert the ciphertext for this matrix into that for this matrix, using the ciphertext evaluation algorithm with respect to the constrained evaluation algorithm of the CPRF. This circuit is hardwired with an input X and takes as input a constrained key K sub C and outputs the PRF value if C of X equals to one, which is the case for the decryption. This matrix appears during the decryption and this matrix is associated with the secret key. If these two matrices match, the decryption is possible. However, whether these two matrices equal or not is not trivial at all. Let me explain the detail in the following. Recall that as explained in the previous slide, correctness of the subarrays construction depends on whether two matrices obtained through two different homomorphic computations are equal or not. Let us explain how they are computed again. These matrices are computed by single matrix A in the public parameter. In the first way of computation, the matrix is evaluated with respect to the evaluation circuit of the CPRF on input X. This function is hardwired with an input X and takes as input a PRF key K and outputs the PRF value on input X. The other way of computing the matrix is by two steps. In the first step, we evaluate the matrix with respect to the constraining circuit. This circuit is hardwired with a circuit C and takes as input a PRF key K and outputs a constrained key. In the second step, we evaluate on the obtained matrix with respect to constrained evaluation algorithm. This function is hardwired with an input X and takes as input a constrained key. It then outputs the PRF value on input X. The question is whether two matrices obtained by two different homomorphic computation are equal or not. We want them to be equal in order to have the correctness for the scheme. The good news is that two functions homomorphically applied to the matrix are equivalent. To see this, let us recall that this function takes as input a PRF key K, constrain it with respect to a circuit C and evaluate on input X. This outputs the PRF value on input X if C of X equals to one, which is the case when the description should be possible. This function also takes as input a PRF key and outputs a PRF value on the input X. However, these functions when represented as circuits are not necessarily equal. This implies that these matrices are not necessarily equal. To have correctness, we can consider restricting the class of CPRF so that these two matrices are equal. This motivates the definition of conforming property, which stipulates that the two circuits are equal as circuits. This then allows us to argue that these two matrices are equal by using this equality, which holds for the lattice evaluation algorithm being used. In particular, here, we set F to be constrain in algorithm, G to be constrain the evaluation algorithm. Sabari defined the conforming property and showed that it is possible to construct CPRF for TCNF predicates with the conforming property. Combining the framework with the CPRF, she obtained the first adaptively secure ABE for the same predicates from lattices. In our case, we want to have an ABE for inner products. A natural approach is to use recent construction of adaptively secure CPRF for inner product by Davidson et al to instantiate the framework. The approach works if their construction has conforming property. As I mentioned, Davidson et al's CPRF does not have conforming property. To explain this, let me explain their construction. In their construction, a master secret key consists of a vector D and a matrix S. The evaluation algorithm computes a publicly computable matrix B sub X and then compute this value, where this represents some rounding operation. Note that the vector D is ignored here. Then I explain the constraining algorithm. We constrain the master secret key with respect to this circuit C sub Y, which outputs one if and only if the inner product between the input and the vector Y is zero. This means that the constrained key can only evaluate on input X that is orthogonal to Y. The constrained key is defined like this. We call this value S sub Y. The constrained evaluation algorithm is the same as the unconstrained evaluation algorithm. The correctness dictates that these two values should be the same. The correctness of the scheme can be checked by this equation which holds when X and Y are orthogonal vectors. We also require conforming property. However, this does not hold. This can be checked by observing that the unconstrained evaluation algorithm ignores the D part of the master secret key, whereas the composition of constraining algorithm and the constrained evaluation algorithm use the D part of the master secret key. As I explained, Davidosen et al's CPRF is not conforming. So we relax the conforming property. Recall that what we really want was not that the equality of the two circuits. Rather, we want that two matrices obtained by the homomorphic evaluation to be equal. So we relax the conforming property so that we directly require the equality of the matrices rather than the circuits. For this relaxed conforming property to hold, we consider new evaluation algorithms in the following. We then review the previous evaluation algorithms and what property we need for them. One et al devised two evaluation algorithms, public evaluation algorithm and the ciphertext evaluation algorithm. Public evaluation algorithm takes as input a matrix A and the circuits F and outputs a matrix A sub F. The ciphertext evaluation algorithm takes as input the circuit, F a string X, a matrix A and the ciphertext and outputs an evaluated ciphertext. The homomorphic property we require is that if the ciphertext is close to this value, the evaluated ciphertext should be close to this value. Here, the domain of X can be either binary or integer with small coefficients. What we will do in the following is to consider new evaluation algorithms with this property and this equation. Here, F is a constraining algorithm, G is the constrained evaluation algorithm and H is an evaluation algorithm of Davide Son et al's CBRF. Let me explain an important property of the evaluation algorithm that we will use. Let me consider a linear function F over integer defined like this. For F, we define the public evaluation algorithm like this as was defined in Bonnet et al's evaluation algorithm. Then for arithmetic circuits F, G and H computing linear functions over integer, we have the following equation. If composition of F and G equals to H as functions, a nice thing about this equation is that this holds even if composition of F and G is different from H as arithmetic circuits. Let me explain this property using an example. The function F, G and H are defined like this. It is easy to see that the composition of F and G equals to H as function, but not as arithmetic circuits. If we homomorphically evaluate the matrices on these functions, we have the equations like this. As you can see, the evaluation result of the composition of F and G is equal to that of H even if they are different as arithmetic circuits. In particular, composition of F and G ignores A3 whereas H does not. I also explain some useful observation on Davidozson et al's CPRF. Let us recall that the evaluation algorithm and the constraint evaluation algorithm of the CPRF are like this. For the sake of the explanation, I explicitly added intermediate step of the computation in this diagram where these values are computed. Here, these values are equal if X and Y are orthogonal. We can see that this part of the computation is linear in the master secret key over the integer. Furthermore, the computation of S sub X and S prime sub X are functionally equivalent. On the other hand, this part of the computation is not linear. However, the computation of the final value from S sub X and from S prime sub X are expressed by completely the same circuits. Given two observations that I explained, a natural idea is to evaluate the linear part of the computation by the evaluation algorithm for the linear function of the integer that I explained. As a result, these two matrices are equal since the computation of S sub X and S prime sub X from the master secret key are linear over the integer and equivalent as functions. In the next step, we want to homomorphically compute the matrix corresponding to the PRF value. However, this step requires some care. The problem is that the ciphertext corresponding to the linear part of the computation encode integer in these parts. Therefore, we have to homomorphically compute the PRF value from the intermediate value S sub X over the integer. This requires some care as I explained in the following. As I explained so far, the problem is to compute the PRF value homomorphically starting from a ciphertext encoding an integer value rather than a binary string. To do so, the difficulty is that we do not know how to compute the PRF value over the integer. In particular, we do not know how to express the rounding function which is involved in the computation of the PRF as an arithmetic circuit. Our strategy is to homomorphically convert the encoded value S sub X into its binary representation and then apply the homomorphic computation corresponding to the binary circuit. The problem boils down to the homomorphic extraction of a single bit from an integer. In more details, starting from a ciphertext encoding an integer X, we want to convert it into a ciphertext that encodes half bit of the integer X when it is represented as a binary string for arbitrary position I. To accomplish this, we use Lagrange interpolation. Note that Lagrange interpolation can be performed only on fields rather than rings. In our case, arithmetic operations related to LWE are all performed modulo sum prime Q anyway. This does not cause a problem. From Lagrange interpolation, we can see that there exists a polynomial function F sub I with degree two times B that takes as input an integer in domain of size two times B plus one and outputs the half bit of the binary representation of the input. Furthermore, if B is polynomially bounded, F sub I can be efficiently computable. Given the polynomial, what we do is to evaluate the polynomial on encoding homomorphically. Since we need efficient homomorphic computation, we restrict ourselves to the setting where the encoded integer is polynomially bounded. In fact, the setting of the polynomial F sub I is somewhat brute force, which forces some parameters to be polynomially bounded. In particular, we have to change the master secret key of CPRF by W doson et al to be polynomially bounded, which is originally super polynomial. This requires us to change the original security proof, but this can be handled by small change. Also, this limits the domain on which inner product is taken to be polynomially bounded. So far, we obtained adaptively secure IP from lattices of a domain with polynomially bounded entries. This implies the first adaptively secure IPE over ZP with polynomially bounded modulus P, and for the IPE with both small and large universe from lattices by generic constructions. Let me conclude. In our work, we proposed adaptively secure IPE from lattices for various predicates, mostly related to inner products. We also introduced new techniques. For example, we relaxed the conforming property of Sabari 19. We also used the special property of evaluation algorithm for linear functions. We also used homomorphic evaluation of Lagrange interpolation to overcome technical problems. There are various open problems. First open problem is to extend our construction to handle exponentially large modulus P. This is not possible by our technique because of the use of the Lagrange interpolation. More ambitious goal is to construct IPE for more expressive policies like NC1 circuits or even for all circuits. Our framework cannot handle them because our observation on flexibility of the homomorphic computation only applies to computation of linear functions. That's all. Thank you for your attention.