[...] an organization composed of people. Their identities are secret, but the only thing that you know is their job. So: detectives, spies, ninjas, and so on. So, let's assume now that there is a detective who needs to give top security information to the ninja. A way to do that is a live drop: they choose a public place and they meet there. So the detective knows that he is looking for a ninja, and the ninja is looking for a detective, and when they meet, basically, the detective [...]

[...] For example, the detective has the key for the attribute "detective". That's what the authority does. And then the protocol can start. For example, the attacker chooses a policy on the fly, and the policy is a description that the attributes of the party must satisfy. So the party does some cryptographic operation using the key and the policy and sends a message to the other party. The other party does the same and sends back the message. The property is that they share a secure channel if both policies are satisfied, so there is a mutual match. Say, the intro has some properties; the intuitive one is impersonator resistance, which basically says that it is impossible to impersonate another person. So if I am a ninja and I have the attributes for ninja, I cannot pretend to be a detective, because I need the corresponding key for the attributes.
[...] For this reason we define two game-based definitions to capture these properties. The first one is called match security. We incorporate at the same time the CPA security of the encryption scheme together with detector resistance. The attacker is the receiver [...] two challenges, and each challenge contains the input of the encryption algorithm: the attributes, the policy, and the message of the sender. The challenger chooses one of the two and encrypts it, and the objective is to guess the bit. So it's clear that this is the CPA part, because the same attacker can choose two messages and also has oracle access to the sender keygen. [...]

If the attacker produces a mismatch, what we ask is that, basically, both challenges lie in one of these categories. Each challenge lies in one of these categories, so it's a mismatch. Note that they don't need to be in the same class. For example, the first challenge could be a mismatch of this type, while the second one is of this type. And this implies that we have detector resistance, because we are implicitly saying that these cases are indistinguishable. And in the definition there is also an additional case, the case where the attacker has a mismatch, so he can actually retrieve the message. So we ask the attacker to put two messages that are equal in the challenge phase. So this definition captures the CPA security definition and detector resistance, but we are still missing impersonator resistance. So we have a second definition that is called authenticity.
Now the attacker is the sender and has oracle access to the keygen algorithm, and what the attacker needs to do is to produce a ciphertext that correctly decrypts under a policy without having the corresponding key, so without having a key for some attributes that match the policy.

So matchmaking encryption has policies and has attributes. So the first question is: what is the relation with attribute-based encryption? There are mainly two types of attribute-based encryption. The first one is called ciphertext-policy, where the sender chooses a policy on the fly and encrypts the message, and the decryption key of the receiver contains the attributes. And there is the opposite, which is called key-policy. Now the sender chooses the attributes on the fly and the decryption key contains the policy. So matchmaking encryption implies ciphertext-policy ABE, because the only thing that we have to do is to ignore the policy of the receiver, and this can be done by setting the policy to a tautology, so a formula that is always satisfied. And matchmaking encryption also implies key-policy ABE if you don't need authenticity, because first of all we can ignore the policy of the sender using the same technique, but still, as you can see, there is a difference, because the sender has an encryption key for the attributes. Why do we need an encryption key? Because we want authenticity, but of course if we don't need authenticity these attributes can be chosen on the fly, and we have key-policy ABE.

There is a third case, a third type of attribute-based encryption, that is called dual-policy. Now there are two policies, and the one of the receiver is contained in the decryption key together with the attributes. In this case the two schemes remain incomparable, because the main difference is that dual-policy has a single key while matchmaking encryption has two, and in matchmaking encryption, if the receiver has multiple keys, he can interleave them, and this is not possible in dual-policy.
And moreover, if you don't care about the decryption key, the problem of dual-policy is that it doesn't achieve match security, because it's always possible to see if a policy is satisfied or not.

So now we are going to see how we can build matchmaking encryption. At a high level, this is the workflow of the decryption algorithm: it has to check if both policies are satisfied; if that is true, then it returns the message, otherwise there is an error. So the first question is: why don't we build matchmaking encryption from what we have? Because we have ciphertext-policy and key-policy, maybe we can use both to have matchmaking. And let's forget for the moment about authenticity, so let's assume that we want a matchmaking encryption scheme where attributes are chosen on the fly. A way to do that is to use key-policy ABE to first encrypt the message and then encrypt the ciphertext again with ciphertext-policy ABE. So now we have two decryption keys: one for the attributes, that is the decryption key of ciphertext-policy ABE, so we can remove the layer in the decryption phase, and we can use the second key, the one for the policy, to remove the last layer and retrieve the message.
So from a syntactical point of view this looks like a matchmaking encryption scheme, but the problem is that it doesn't achieve match security, and I gave you the intuition before: basically, an attribute-based encryption scheme is responsible only for handling a single policy, and when that policy is not satisfied, basically, it returns an error message, so the error message gives us the information that the policy is not satisfied. So in this example, basically, when we try, for example, to encrypt the first layer and we retrieve the error message, we know that the policy is not satisfied. In detail, these two cases, so the one where the policy of the sender is not satisfied and the one of the receiver yes, and the opposite, are always distinguishable, and these are two cases of the match security definition. So this gives us the intuition that in order to implement matchmaking encryption we need to check that both policies are satisfied atomically, otherwise it's impossible to have match security.

From the cryptographic point of view we have two results. We are able to build matchmaking encryption from randomized functional encryption and non-interactive zero-knowledge. We have a second result where we replace the randomized functional encryption scheme with a two-input functional encryption, so we can trade the randomization of the function for a two-input function.

So let's see the first result. What is a functional encryption scheme? There are decryption keys for functions, it is possible to encrypt a message using a public key, and the property is that when we decrypt using the decryption key, what we obtain is the evaluation of the function with the encrypted message as input, and the security guarantees that nothing is leaked except the output of the function. There is the randomized version; basically it's the same, where the function is randomized, so when we decrypt we evaluate the function with some fresh randomness. So how do we build matchmaking encryption? We use
two functions: one is randomized and one is deterministic. The randomized one has hardcoded the attributes of the receiver and takes as input the attributes of the sender, the policy, and the message, and this function checks if the sender's policy is satisfied. If this is true, it re-encrypts the attributes of the sender and the message using the encryption algorithm of functional encryption, otherwise it re-encrypts two error messages using the same encryption algorithm. Then we have a second function that has hardcoded now the policy of the receiver and takes as input the attributes of the sender and the message, so what the previous function encrypts, and checks if the policy of the receiver is satisfied. If it is true, it returns the message, otherwise it returns an error. So basically what we are doing here is we are using two different functions to check the two policies, and we are passing information to the second function in an encrypted fashion in order to only get information, and this allows us to check both policies in an atomic way. So just to conclude, basically the decryption key for the attributes will be the decryption key of the randomized functional encryption scheme, and the decryption key of the policy will be the decryption key of the functional encryption scheme.

So this construction as it is allows us to have match security, but still we miss authenticity, and how we get that is we use signatures and non-interactive zero-knowledge. At a high level, basically, the signature is used by the authority to certify that the party possesses those attributes, so the signature will be the encryption key, and then we use non-interactive zero-knowledge to prove that the attributes that are encrypted here are attributes that the party possesses, so it knows a signature that correctly verifies under these attributes. And why do we need zero-knowledge? Because we need to not leak any information about the attributes, because otherwise any information about the attributes can
reveal if a policy is satisfied, so we don't have match security.

So, as I mentioned, there are some other results that you can find in the paper. We have an implementation of an identity-based version, so basically attributes and policies are binary strings and the policy is satisfied if these two strings are equal. We define the definitions, and we are able to build this identity-based version from the bilinear Diffie-Hellman assumption in the random oracle. Then we put forward an anonymous bulletin board that uses identity-based matchmaking encryption to allow parties to post and retrieve messages according to their interests and protect their privacy by the match security definition, the match property. And lastly we have an alternative version of matchmaking encryption where now, instead of having two keys, we have a single key that incorporates together the attributes and the policy, and we have the match security definition with the authenticity definition, and in this case we are able to build the scheme directly from functional encryption, signatures, and non-interactive zero-knowledge. So you can find the details in the paper, in the full version, and that's it. So thank you, and I'm happy to answer your questions.

If you have a question, please come to the microphone. We have a lot of time for questions.

Yes. Predicate encryption instead of functional encryption: would it be sufficient for what you need? It seems like you only need security in the case where things don't encrypt, which is usually much easier.

Well, the problem is that we need two policies, so we will need two predicate encryption schemes, and the problem is how you match these two schemes, because if you use attribute-based encryption you don't have match security. That's the problem. So you need a wrapper of the two schemes that doesn't leak any information about the predicate, that's the problem. So I don't think it's sufficient.

More questions?
So I have a question. Do you have any intuition whether we can prove that it is impossible to prove matchmaking encryption from attribute-based encryption in a black-box way, or do we not have such a result?

I mean, it's an intuition. If you don't assume any additional assumption, so a third scheme or an additional assumption, the intuition is that it's not possible, because it's hard to combine two schemes and have match security. I mean, I don't have the impossibility result, but that's just an intuition.

More questions? Let's speak again.