 This video is a presentation for multi-input quadratic functional encryption from Pairings in CRIFT 2021. I am Jun Michi from NGD Corporation, and this is joint work with Shrid and Rishal. The contribution of this paper is quite simple. We construct the first multi-input functional encryption for quadratic functions from a standard assumption. So I will begin with recording what functional encryption was. Functional encryption or FE for short is a generalization of public key encryption and also a generalization of various cryptographic notions such as identity-based encryption or attribute-based encryption. Similar to public key encryption, a user can encrypt a message using a public key. The serient property of functional encryption is that an owner of master secret key can generate a secret key associating it with some function. When a ciphertext for x is decrypted by a secret key for a function f, it only reveals f of x and nothing else. FE can be applicable to various situations. For example, assumes that x is a database and f is some SQL query. Then a user can make SQL queries to the encrypted database without revealing any other information of the database by using functional encryption. Multi-input functional encryption or MIFE for short is a generalized notion of FE, and we can handle functions that take multiple inputs in MIFE, while we only consider single input functions in FE. Other than public key and master secret key, there are encryption keys for each slot or function in MIFE. An owner of EKI can encrypt a message for the sake of slot I. Decryption algorithm takes ciphertexts for slot I to slot N and secret key, and it reveals f of x1 to xn to the decryptor and nothing else. So for example, MIFE can be used to securely make SQL queries that aggregate several databases owned by different parties. We can observe that when the number of slots is one, then MIFE corresponds to FE. The indistinguishability based security of MIFE is defined by the following game. First, the adversary is given a public key and the challenger chooses a random bit B. Then the adversary can make three queries. The first is encryption query, and on input xi0 and xi1, it reprises the encryption of xiB. The second is the key generation query, and on input function f, it reprises a secret key for function f. The last is the corruption query, and on input i, it reprises the EKI. As usual, the adversary is prohibited to make queries that allow the adversary to trivially learn the bit B. Then the security requires that the efficient adversary cannot distinguish the case where B equals 0 and B equals 1. The studies of MIFE can be classified into two categories with respect to a function class that the MIFE scheme can compute in the description. The first category includes MIFE for general functions such as Turing machines or all circuits. While all MIFE schemes in this category need non-standard assumptions such as indistinguishability of fascination or multi-linear maps, etc. The other category includes MIFE for specific functions, and only known MIFE schemes in this category can be handled only linear functions or inner products. MIFE schemes in this category are efficient and can be constructed from standard assumptions such as matrix DDH or LWE or DCR assumption. Let us have a closer look at FE for specific functions. The start of this line of works is a single input to FE for linear functions. The point is that DDH-based schemes do not use pairings. Later, a single input to FE schemes for quadratic functions are also proposed using pairings. ACFZU-18 shows that linear MIFE can be generically constructed from single input to linear FE. So the DDH-based linear MIFE does not need pairings. So looking at this table, a natural question is whether we can construct a quadratic MIFE scheme using pairings. The contribution of this work is to answer the question affirmatively. I will explain these functions more formally. A single input to linear function is just a multivariate linear function over the input. Similarly, a single input quadratic function is a multivariate quadratic function over the input. It is not hard to see that a single input quadratic function is a linear function over quadratic terms of the input. So we can construct a quadratic functional encryption from a linear functional encryption. But in this case, the ciphertext size inherently becomes order M squared. So basically, functional encryption for quadratic function refers to functional encryption with compact ciphertext, where the ciphertext size is order M. A multi-input linear function is a multivariate linear function over all inputs. And the multi-input quadratic function is a multivariate quadratic function over all inputs. An important fact is that a multi-input quadratic function is not a linear function over quadratic terms of each input, because it also contains the quadratic terms that derived from two different inputs. So quadratic MYV cannot be generically obtained from linear MYV, even if we do not care about the ciphertext size. Therefore, the situation is essentially different in the single input setting and the multi-input setting. Since the issue is the ciphertext size in the single input setting, what a quadratic function can compute is essentially different from linear functions in the multi-input setting. We also mentioned the variants of MYV to clarify our result. As explained, the encryption algorithm takes encryption key i to encrypt a message for sort i in standard MYV. We can consider other cases where the encryption algorithm takes public key or master secret key. In public key MYV, anyone can encrypt a message for any slot. On the other hand, in SK MYV, only an owner of the master secret key can encrypt messages. Public key MYV and secret key MYV is special cases of the standard MYV. In this work, we show that public key quadratic MYV can be easily constructed from linear MYV. The main contribution of this work is the construction of SK quadratic MYV. And constructing the standard MYV for quadratic functions is an interesting open problem. Before moving on to our quadratic MYV construction, we briefly recall how to obtain linear MYV in previous works. Basically, all linear MYV schemes are obtained by this blueprint. That is, our linear MYV runs in parallel instances of single input linear MYV, and each set of n-argoisms can be seen as each algorithm of MYV. Since multi-input linear function can be computed by the summation of each single input linear function, this scheme already satisfies the correctness of linear MYV. However, this construction lacks every linear function value of each slot. To prevent this, we make each slot output the linear function value masked by the unknown term R i, where the summation of the masking term can be removed by decryptor. This blueprint is not applicable to construct quadratic MYV. Suppose each instance outputs a quadratic function over each input. The multi-input quadratic function cannot be computed from these quadratic functions, since it also contains quadratic terms derived from different inputs. So, the challenge is how to deal with such terms. Especially, the difficulty lies in the fact that xi and xj are encrypted independently. So, we do not use such a parallel execution single input FE, and take a new approach that is inspired by the secret key quadratic FE proposed by Lin. The main tool of our scheme is a function-hiding linear FE. In function-hiding FE, a secret key hides the underline function, as well as a ciphertext hides the underline message. So, the polytime adversary can run only in a product of c and x from the ciphertext of x and the secret key for c. Especially, we use a function-hiding linear FE scheme where a decryption value is output on the exponent of the target group of pairing groups. Lin's quadratic FE scheme is based on the linear FE scheme by ABDP-15. Let us briefly recall the ABDP linear FE scheme. In the scheme, a public key is a group element vector w of rings m, and the ciphertext for our vector x is x plus sw, where square brackets denote a vector of group elements. A naive way to achieve a quadratic FE scheme from the linear FE is to encrypt all quadratic terms in advance. However, this induces the ciphertext sites of order m squared. Lin's idea is to use function-hiding linear FE to compress the ciphertext sites. Specifically, each element of vector is encoded into ciphertexts and the secret keys of the function-hiding linear FE scheme together with masking term. Then, decrypting every pair of ciphertexts and the secret key of the function-hiding linear FE scheme recovers each element of the naive quadratic FE scheme in the target group. So, this ciphertext can be decrypted similarly to ABDP linear FE scheme. Our high-level idea is to apply Lin's technique to the linear MIV scheme by ACFZU-18. In the ACFZU scheme, a ciphertext of a vector x for slot i can be written as xi plus sw plus ui over group elements. Roughly speaking, this has the form that a vector ui is added to the ciphertext of the ABDP scheme. This can be decomposed into ciphertexts and secret keys of function-hiding linear FE similarly to Lin's scheme like this. Observe that decryption of each pair of ciphertexts and the secret key of function-hiding linear FE scheme errs the ciphertext of the ACFZU scheme. The point is that the reason that we decompose the ACFZU ciphertext by the function-hiding linear FE scheme is not to compress the ciphertext size as Lin's scheme, but to allow the decryptor to generate the ACFZU ciphertext for quadratic terms derived from different inputs. That is, by decrypting function-hiding FE ciphertexts for slot i and secret keys for slot j, the decryptor can generate the ACFZU ciphertext of xi all times xj for slot ij. By this construction, we can solve the opposed challenge of dealing with quadratic terms derived from two different inputs. In summary, each ciphertext of our candidate quadratic MIC MLFE scheme consists of m pairs of ciphertexts under secret key of the function-hiding linear FE scheme. In decryption, it first generates the ACFZU ciphertext for slot ij by decryption with all pairs of function-hiding FE ciphertexts in slot i and secret key in slot j. A secret key of our candidate is the ACFZU secret key of vector c. Finally, by running decryption of m-squared input ACFZU scheme with MICTs and MISK, it yields the desired decryption value. The correctness for one of the input quadratic functions falls by this construction, but we need more work to make the candidate secure. Let us explain why this construction is not secure. We consider a two-input case where the vector length is one. Suppose the adversary has two ciphertexts for slot I, one ciphertext for slot II, and one secret key. In this case, the adversary can generate the ACFZU ciphertext for slot 11, slot 12, and slot 22. The ACFZU ciphertext for slot 21 can be ignored here since this encrypts the same term as the ciphertext for slot 12. We can observe that the adversary can choose ABC arbitrarily from 1 and 2. So it can run if ABC for any ABC. However, this gives too much information to the adversary. MIC should allow the adversary to make two ways of decryption. That is, first ciphertext for slot 1 is used, or the second ciphertext for slot 1 is used. So the adversary should be able to run only F111 and F222, and we need to prevent the adversary from running other cases. Observe that we can allow decryption A equals B equals C. So it is sufficient to prohibit decryption if A does not equal B or A does not equal C. We deal with the former case by the technique of attribute-based encryption. That is, we embed the information of A and B into ICT and ISK, respectively, and allow decryption only thing A equals B. We constructed such an attribute-based function-hiding linear FV from pairings. Attribute-based linear FV is also considered by ACZU20, but they do not consider the function-hiding property. So this is also one of new results of our work. The latter case is more complex. Intuitively, we prevent this case by checking random elements used in MYCT11 and MYCT12 are the same. Since the random element in MYCT is inherited from ICT, the random elements used in MYCT11 and MYCT12 will be different with overwhelming probability if A does not equal C. To end our such checking functionality to the ACFZU20 MYV is the challenging task, but I will not go into details in this presentation since it is a little bit too technical. These are the high-level ideas of our quadratic MYV scheme. Let us summarize this work. The main contribution of this work is the construction of secret key quadratic MYV scheme from pairings and the assumption is the standard matrix DDH. We also show that public key quadratic MYV scheme can be easily constructed from linear FV scheme. Finally, we mentioned several open problems related to our work. The first is the adaptively secure quadratic MYV, since we proved the security of our scheme in the selective security model. However, even for the single input case, the adaptive security of quadratic FV has not been achieved yet in the standard model, so it seems a challenging problem. The second is shorter ciphertext. I didn't mention the ciphertext sides of our scheme in this presentation, but a ciphertext of our scheme has a large overhead that is necessary for the security proof. So investigating an alternative proof technique to reduce the overhead is also an interesting open problem. Lastly, MYV for a function class beyond quadratic functions is also interesting direction, which includes multi-client functional encryption and multi-input variant of partially hiding functional encryption for quadratic functions. This is the end of my talk. Thank you for your attention.