 Hello, everyone. In this talk, I will present our work about functional encryption, which allows the computation of so-called attribute-weighted sum. This is a joint work with Michelle Abdelha and Hotec Wee. Let me first motivate the notion of attribute-weighted sum. Consider a database with four fields or attributes. Each record in a database corresponds to a particular person. It contains some demographic information, such as gender, age, and whether he or she smokes. It also contains some sensitive information of whether he or she got cancer. With this toy database, we may want to count the number of smokers who is older than age 40 and got cancer. This can be presented in this form. It is the sum of five quantities. Each cement corresponds to one record in the database. It equals one if the corresponding record comes from a person with cancer who is a smoker and older than age 40. We can consider this as a weighted sum of values in the sensitive field cancer. The weight for each cement is computed by evaluating the function f on the corresponding three public attributes, gender, smoker, and age. So we call this attribute-weighted sum. If we use xi and zi to represent the public and the sensitive values in the ith record respectively, we can write the function in this compact form. To allow a party to compute an attribute-weighted sum without leaking the sensitive data zi, we can use the functional encryption for attribute-weighted sum. In such a crypto system, we encrypt xi zi with xi being public and zi being protected and issue a secret key for the function f to the party. The decryption is required to recover the attribute-weighted sum and reveal nothing else about zi. We will formalize the security a bit later. Before that, we want to first motivate another important notion in this setting. For a database, the number of attributes and their data types are determined when the database was established. However, the number of records will constantly increase after that. Namely, xi and zi are small and have bounded size, while the number of records n is larger and unbounded. When we protect the sensitive data in the database by functional encryption for attribute-weighted sum, this means that n probably grows larger and larger after a secret key for f is issued. Therefore, we require that a secret key should be able to decrypt the ciphertext for any a priori unbounded n. This is called unbounded slot for short in this work. Furthermore, in the above, we have zi being Boolean variable and a function f being Boolean function. We will actually consider a more general form, where zi is a vector over larger field and the product becomes inter-product operation. This allows us to capture more applications, such as computing average salaries of a particular group of people. Even with the one-slot case, this notion covers a set of classical and newly introduced functionalities. Now, let me be more formal about the security notion. We call that we want a secret key for f to only leak the attribute-weighted sum with respect to xi, zi, and f, but keep other information on zi secret. This is formalized as the simulation-based security against unbounded collusion. The adversary is allowed to see the mass public key, one ciphertext, and unbounded number of secret keys. We show two keys here as an example. They can recover the attribute-weighted sum regarding f and g respectively. The security means that the adversary's view is indistinguishable with the one on the lower row, where the ciphertext does not contain any information about zi, and the attribute-weighted sum with respect to f and g is embedded into the corresponding key. The solid lock and the key on the upper row refer to real ciphertext and a secret key. The hollow lock and the key on the lower row refer to the simulated ciphertext and a secret key. We note that decrypting the simulated ciphertext using the simulated key gives the value embedded in the key. Our main result is an FE scheme for attribute-weighted sum with selective simulation-based security from K-linear assumption in the prime-order by linear group. It also satisfies the unbounded slot requirement, that is, a secret key can be used to decrypt a ciphertext for any n. We also mention that our proposed scheme is expressive in the sense that it allows the function f, which defines the weight, to be an arithmetic branching program, which covers many important function classes, such as nc1 and the log space. Besides that, our ciphertext size is independent of the size of public attribute xi. Technically, we build a one-slot scheme first, and bootstrap this basic scheme to support n-slot. This talk will focus on the bootstrap part. Let me begin with a brief sketch of our one-slot scheme. It is based on the partial hiding-predict encryption by we, which basically corresponds to the same function, but review whether the result is zero or not, rather than the actual value. We inherit the expressiveness and the security guarantee from we's predict encryption. We also make an optimization so that the ciphertext size is independent of the size of public attribute x, and our bootstrapping technique described later preserves this feature. With this basic one-slot scheme, we are ready to show how to build a scheme supporting unbounded n. Along the way, we will always concern about correctness, security, and unbounded slot feature. For simplicity, we will give an example for three-slot case, where x1, x2, x3 are public, z1, z2, z3 are secret. Here f is the function supported by the one-slot scheme. A naive bootstrapping works like this. We encrypt xi, zi in each slot using the one-slot encryption algorithm, and the secret key is exactly the same as the one-slot secret key. Namely, the ciphertext for three-slot case consists of three sub ciphertexts. The sub ciphertext i corresponds to slot i. Using the secret key to decrypt the sub ciphertext 1, we get a partial decryption result for slot 1 according to the correctness of basic one-slot scheme. Then we can do the same for sub ciphertext 2 and sub ciphertext 3. Decrypting up all partial decryption results for all three slots gives us the attribute-weighted sum, and the scheme indeed satisfies the correctness. Furthermore, this scheme supports a bounded slot. Recall that we decrypt all sub ciphertexts using the same secret key, and this procedure can continue if we have more sub ciphertexts. However, this is insecure at all. Partial decryption results immediately leak intermediate summands of attribute-weighted sum. Remember we only want to review the sum of them. To fix the issue, we introduce correlated randomness wi into sub ciphertext i, and the randomness r in each key so that all partial decryption result contain a mask wi times r and hide all summands. We notice that the randomness r is crucial to support unbounded collusion. For this, we need to slightly extend the basic one-slot scheme to capture the newly introduced w and r. Here, w is considered to be a secret like z and r is public in some form. Fortunately, the function is still an arithmetic branching program. To serve as the building block, we need some technical modification, but we don't give the details here. To check the correctness, we know that the decryption works as warm-up scheme 1. We use the secret key to decrypt each sub ciphertext one by one and sum up all the partial decryption results. By the relation of wi, we can see that all wi r will be cancelled out, and the attribute-weighted sum will be correctly reviewed. Namely, the warm-up scheme 2 is correct. Again, the schemes support unbounded number of slots for the same reason. Let us see how the newly introduced wi times r in each partial decryption result can hide each summand. Technically, the value is recovered in the exponent. The dh assumption allows us to change wi times r to wi prime, which is fresh for each key and has the same restriction as wi. Then, a direct statistical argument can show that the three partial decryption results are identically distributed like this, which can be simulated only using the knowledge of the final attribute-weighted sum instead of every summand. This suffices to prove that only the sum is leaked. However, this does not work well with the warm-up scheme 2, especially with the unbounded slot requirement. We only have a single secret key for all three sub ciphertexts, which has no room to embed all three partial decryption results. In general, we must embed n values in a single secret key of the basic one-slot scheme. In another word, it seems to be true that the warm-up scheme 2 only leaked the sum, but further ideas are required in order to make the proof work. The first idea is to split the previous statistical argument into several hybrids by which we gradually collect partial sum. In our example, we have three slots, so two hybrids are sufficient. In general case, where we have n-slot, m-1 hybrid are used. By hybrid zero, we just rewrite the first partial decryption result by the restriction of wi and do some rearrangement. In hybrid 1, we use the entropy of w2 to collect the partial sum involving the first two slots, that is x1, z1, and x2, z2. Here we again need the help of DDH. Similarly, in the hybrid 2, we use the entropy of w3 to pick the last cement and get the final sum, which involves all three slots. This finished the argument and the resulting distribution is actually identical to our one-shot argument shown before. How can this new strategy help us? And how can we carry out the strategy in the proof? Observe that each hybrid only involves two slots. This means we only need to have two places to embed the two corresponding partial decryption results. This motivates our second idea. To accommodate the two partial decryption results involved in each hybrid, we employ two independent copies of the basic one-slot scheme. This means we need to generate two sets of fresh masked public secret key pairs. In the talk, we just use a subscript 1 and 2 to indicate ciphertext and a secret key from the two copies respectively. Now, the secret key consists of two sub-keys. Sub-key 1 is from the first copy and the sub-key 2 is from the second copy, but both of them are generated for the same f and r. Roughly, sub-key 1 is used to embed the partial decryption result of the first slot, while sub-key 2 is used to embed another partial decryption result depending on the hybrid. Accordingly, sub-ciphertext 1 for x1 and z1 is generated using the first copy of the basic one-slot scheme. Sub-ciphertext 2 and 3 are created using the second copy. Let me sketch how the proof actually works with our two ideas. We switch sub-ciphertext 1 and sub-key 1 to the simulated form. This follows from the simulation-based security of the first copy of one-slot scheme. By this, we embed the partial decryption result for the first slot to the sub-key 1. Then, we can deal with the remaining slot one by one. We switch sub-ciphertext 2 and sub-key 2 to the simulated form so that we embed the second partial decryption result into the secret key. This follows from the simulation-based security of the second copy and the independence of the two copies of the basic scheme. Then, we can carry out the argument of moving from hybrid 0 to hybrid 1, which collects the partial sum involving the first two slots. Then, we switch sub-ciphertext 2 and sub-key 2 back to the real form. Note that sub-ciphertext 2 does not contain z2 anymore, which has been embedded into partial sum in sub-key 1. And it is crucial to switch back to the real-ciphertext and the secret key since we can now reuse sub-key 2 to handle sub-ciphertext 3 with an analog strategy. Namely, we switch sub-ciphertext 3 and sub-key 2 into simulated form and embed the partial decryption result for the third slot into sub-key 2 again. With this, the argument for moving from hybrid 1 to hybrid 2 allows us to reach the final attribute weighted sum and embed it into sub-key 1. Switching all sub-ciphertext and sub-keys from the second copy back to the real one, we get a simulated ciphertext and a simulated secret key for our three-slot scheme. The simulated ciphertext does not contain any information about the i, and the attribute weighted sum is now embedded into sub-key 1. For this, only sub-ciphertext and sub-key from the first copy is in the simulated form, while all remaining sub-ciphertext and sub-keys from the second copy are real. And this is our actual final scheme. In general n-slot case, we have n sub-ciphertexts. Sub-ciphertext 1 encrypts the first slot using the first copy of one slot scheme, while all remaining slots are handled using the second copy. The secret key will always have two sub-keys from the two copies respectively. Let me summarize this talk. In this work, we study functional encryption for attribute weighted sum. We give a construction in the primordial bilinic group with simulation-based security. A key feature is that we consider the so-called unbounded slot feature, which requires that a secret key can be used to decrypt the ciphertext for any n. In this talk, we sketched how to get in one slot scheme as basis, and bootstrap this to the n-slot scheme. We can also adapt our n-slot scheme to the multi-client setting, where each xi and zi is encrypted by different parties and the corruption of parties is also considered. Finally, we leave several open problems. First, our scheme only achieves selective security. It is generally desirable to have an adaptively secure scheme. Then, by using the bilinic group, we have to restrict the domain size to be polynomial, so that we can use brute force discrete log algorithm to recover the final attribute weighted sum. It would be interesting to have a lattice-based scheme so that we can get rid of this restriction. Finally, our multi-client scheme requires all parties to negotiate a fresh correlated randomness for each encryption. It would make the scheme more practical to allow them to reuse the randomness in the future. Thank you for your attention.