 I'll talk about a simpler way to analyze predicate encryption schemes. This is joint work with Melissa Chase from Microsoft Research. In a predicate encryption scheme, we have a trusted authority that generates a master public key and a master secret key. The master public key can be used by anyone to encrypt messages under some value x. The master secret key is used to generate keys for some value y. When a ciphertext and a secret key are put together into the decryption algorithm, then we are able to recover the message if a certain predicate evaluates to true on x and y. But if the predicate is false, then we want to hide the message. Here we do not care about hiding x or y. A predicate encryption has come a long way, starting from identity-based encryption, which corresponds to the predicate equality all the way up to arbitrary circuits. But bilinear maps remain the most practical way of building predicate encryption schemes, if not the most powerful. But the task of building a predicate encryption scheme from bilinear maps is not an easy one. There are several choices for the map, there are different types of assumptions, and there are many different techniques that one needs to be familiar with. So the main question we ask in this paper is how can we simplify the design and analysis of predicate encryption schemes? Can we identify the key properties that are needed to enable the use of cryptographic tools and techniques? This problem was first formally studied by V and Atropadong, and later on by several other papers. At a high level, these papers provide a way to encode the predicate into some simple polynomials. Then you prove a property about these polynomials, which could be either information theoretic or computational. As a result, you get a secure encoding, and then these papers provide a way to convert any secure encoding into a secure encryption scheme for the same predicate. Now this is a very useful result if I want to build encryption schemes, because instead of doing it directly, which is a more difficult task, it requires familiarity with bilinear maps, assumptions, and proof techniques, I can instead build a secure encoding, which can be much easier. So this leads to the next question. How easy it is to design secure encodings for a predicate? Which is really a two-part question. Does there exist an encoding for some predicate which satisfies a property? And how easy it is to prove that property? All the properties that we know so far are either information theoretic or computational. Information theoretic properties are very easy to use, but the problem is that there are many different predicates for which we do not know of any information theoretically secure encodings, even though there are direct constructions available for them from some assumption on bilinear maps. The computational properties can capture many different predicates, but the problem is they're not easy to work with. In particular, one needs to find a suitable hardness assumption on bilinear maps to make them work. So the question is, can we get the best of both worlds? Can we find a property that is easy to use, and at the same time, captures all kinds of predicates? In this paper, we propose a new property for encodings called the symbolic property. And to prove symbolic property for an encoding, we need to find a mapping from the variables in the encoding to some matrices and vectors that satisfy certain equations derived from the encoding itself. In particular, there is no need to argue about any kind of indistinguishability between some distributions, which is usually a subtle task. We do several cool things with this property. Most importantly, we show that for any predicate P, if there exists an encoding that satisfies the symbolic property, then we can build a secure encryption scheme for P under a fixed Q-type assumption on type 3 pairings, which are the most efficient. We use this mechanism to design several encryption schemes for ciphertext policy and key policy AB with nice properties and even for regular languages. We also show how to reduce the number of variables and polynomials in an encoding to a constant in a generic way while preserving the symbolic property. These compact encodings then directly give encryption schemes with constant size ciphertexts and keys. We also show how to convert an encoding for a predicate P into an encoding for the dual predicate. So for example, if there is an encoding for CP AB that satisfies the symbolic property, then you can get an encoding for KP AB that satisfies the symbolic property as well. Finally, we give strong evidence that our property is inherent to the notion of encodings by showing that if an encoding is not broken in a trivial way that I'll define later, the encoding satisfies symbolic property. In the rest of the talk, I'll describe in some detail what encodings are, what is symbolic property, and why is it easy to use. I'll also talk about why the property is inherent and conclude with some open questions. We'll use the Lyuco Waters identity-based encryption scheme as a running example. Here, ciphertexts and keys are associated with identities. And decryption works if the identities match. Note that if you are only concerned with identity-based encryption, then we can use one of the existing information theoretic properties. We'll get a very simple analysis and the security would follow from a standard assumption. But symbolic property allows you to do much more easily, something which information theoretic properties cannot do. So here is a somewhat simplified version of Lyuco Waters IB, the exact details of this scheme are not important. Just focus on the parts that are highlighted in red. In the public key, we have U, H, and alpha, which are chosen at random. In the ciphertext, we have S, which is chosen at random. And ID is the input. In the secret key, we have R, which is again chosen at random. And ID prime is the input. Now, we'll rewrite this scheme in a different way. Because U and H are chosen at random, I can write that as G to the B1, and H as G to the B2, where B1 and B2 are again chosen at random. As a result, the C1 component of the ciphertext can be written as G to the ID times B1S plus B2S. And the second component of the key can be written as G to the alpha plus ID prime times B1R plus B2R. Now, if we pair C1 with K1 and C2 with K2 and divide one from the other, this is what we are going to get in the exponent. And if ID is equal to ID prime, then the second term disappears and you are left with alpha times S only. Now, we can use this alpha S to remove the blinding factor in the first component of the ciphertext and recover the message. So we can extract out the main components of the identity-based encryption scheme into an encoding scheme. This encoding scheme has five variables. The first two variables are common variables. The variable S is part of the ciphertext encoding and the variables alpha and r are the part of the key encoding. There are two polynomials, one in the ciphertext encoding and one in the key encoding. And for correctness, we require that when the predicate is true, it should be possible to combine these variables and polynomials to recover alpha S. So in this sense, alpha and S are somewhat special variables here. So now comes the more interesting question. I have a correct encoding scheme. This could have come from anywhere, I could have dreamed about it. So now, can I prove some property about this encoding when the predicate is false that will help me in building a fully secure encryption scheme for it? Symbolic property is one such property. And like I said before, here we need to find a mapping from the variables in the encoding to some matrices and vectors. Such that if I substitute the variables in the polynomials with these matrices and vectors, they should all go to zero, okay? Now what prevents me from setting all the matrices and vectors to just the zero vector? This extra constraint that for the two special variables S and alpha, the vectors corresponding to them should not be orthogonal to each other. So what is the mapping in this particular case? It's actually easy to figure out, here is one example. It doesn't even require two dimensions. And when we substitute these vectors into the first polynomial, we get an expression that you can easily simplify to get the zero vector. And similarly, when you substitute these vectors into the second polynomial, you again get zero. It's also easy to see that the vectors for S and alpha are not orthogonal to each other if the predicate is false. Which means id is not equal to id prime. That's all you need to do. In fact, symbolic property allows you an additional level of flexibility. It consists of two parts, selective and co-selective. For the selective property, the vectors for key encoding variables, alpha, r1, r2, and so forth, can depend on both x and y. And for the co-selective property, the vectors for ciphertext encoding variables can depend on both x and y. Now once we have an encoding for any predicate p, not just equality, that satisfies the symbolic property, we can use it to build a fully secure encryption scheme for p in asymmetric prime order bilinear maps. This transformation actually goes through several steps. First, we extend the encoding with some additional variables and polynomials to get a more strict form of symbolic property, which constraints what kind of matrices and vectors you can use. Then we build an encryption scheme in something called dual system groups, which were introduced by Chen and V. And finally, it's already known how to instantiate these groups in prime order bilinear maps. I'll not talk about how these transformations work. In the next part of the talk, I'll discuss in some detail why this property is inherent to the notion of encodings. So recall that for correctness, we require that if the predicate is true, then it should be possible to recover alpha times s. And why is this important? Because I use alpha s to remove the blinding factor in the encryption scheme that you've built from the encoding. So when the predicate is false, at the least, we want that it should not be possible to recover alpha s. So it makes sense to define a scheme, an encoding scheme, to be trivially broken if there exists some x and y, such that the predicate is false, but alpha s can still be recovered. So not being trivially broken is a very basic property for an encoding scheme. Turns out it is sufficient too, because we can show that if a scheme is not trivially broken, it satisfies the symbolic property. So as an example, let's go back to the encoding for the quality predicate. Here, we saw that if id prime is equal to id, then these variables and polynomials can be combined to recover alpha s, which is fine. But if id prime is not equal to id, then no matter how you combine these variables and polynomials, you cannot get alpha times s. So as a result, this encoding scheme is not trivially broken. So it is symbolically secure. More generally, an encoding for a predicate p will have many variables and many polynomials. And when the predicate is false, suppose we know that these variables and polynomials cannot be combined to get alpha times s. So can we use this fact to find a mapping from these variables to some matrices and vectors, so that these polynomials go to zero? We'll focus on only the selective symbolic property here, where these variables can depend on x only, but these variables depend on both x and y. Now, here is a very high level two slide overview of the proof. First, we want to make the ciphertext encoding polynomials go to zero. So we capture these polynomials in the form of a matrix, where the rows correspond to the polynomials, and the columns correspond to the monomials in these polynomials. This matrix can be defined based on the knowledge of x only. We use the kernel of this matrix, that is, all the vectors that make this matrix go to zero to define the matrices for the common variables and the vectors for the ciphertext encoding variables. Next, we want to make all the key encoding polynomials go to zero. For this, we consider a much larger matrix, where the rows have all possible combinations or all possible products of the variables and polynomials, and the columns have all possible monomials that can be generated through these products. The first column represents the special monomial alpha times s. Now, because this encoding scheme is not trivially broken, the rows of this matrix cannot be combined to get the vector 1, 0, 0, 0, which means that the first column can be represented as a linear combination of all the other columns. Now, we use this fact together with the kernel defined before to define the vectors for the key encoding variables. So, that's all I'm going to say about this proof. You can see the paper for full details. To conclude, there are some open questions which are very interesting to look at. The first one is about our new Q-type assumption. I have not talked about this assumption in any detail, but in the paper, we show that it follows from some known Q-type assumptions. Now, the dimensions of this assumption that we need in the proof depend on the matrices in the mapping that we saw before. If the matrices are small, then a small value of Q would work. So, it's interesting to explore how the simple cases of this assumption are related to the standard assumptions. Next, is the question about automating the proof generation process itself. Now, if we want to build a secure encryption scheme, all that we need to do is find a mapping that satisfies certain equations. So, it is possible that such mappings could be generated through a computer program. And finally, can we use this new framework that we have developed to push the boundaries of what can be done from bilinear maps? In particular, can we go beyond NC1? Thank you. So, any questions? So, I wonder about Q-type assumptions. Can you reduce by using Deja-Q assumption with Deja-Q technique, which is also done by Melissa? Do you reduce, too? Reduce the Q-type assumption to simpler assumptions. We are Deja-Q method. We have not looked at that. I mean, that would be an interesting direction. Okay. So, any questions? We have a lot of time here. Any questions? Yeah, please. So, you are saying that you don't code... Okay, I'm not sure if you understood. So, do the encoding you have... As the encoding you have created, not information theoretically secure according to the previous definition, but they are computationally secure or even... They could be computationally secure, yeah. But proving them computationally secure may not be easy. Okay. Any other questions, no? I'm trying to ask a question. Okay, that. So, early in the talk, you said something about you could do something with certain information properties and one with symbolic, but I didn't really catch what the difference was or what that meant. Between information theoretic and symbolic? Yeah, because, I mean, I know what information theoretic means overall, but it seemed like you could prove IB schemes with information theoretic. Exactly, yes. I think I get what that... So, for IB, you can have encodings that are information theoretically secure, but if you have more complex predicates, then you do not know how to get information theoretically secure encodings for more complex predicates. So, you have an information... So, what does it mean to have an information theoretically secure IB? I guess that's... Not information theoretically secure IB. The encoding, for example, that we extracted out from an IB scheme, there is a definition for information theoretic security of that encoding. Oh, okay, so it's... Some terminology specific to this one, right? Okay. Okay. So, no questions anymore? Okay. So, for the transformation, so you didn't say anything about, so how efficient is the transformation? So, how much do you lose in the construction of the final scheme? So, I mean, how important it is to build that compact predicate so that then the final construction is efficient? Does it make sense? No? So, the final... I mean, you said that the assumption depends on the predicate, no? Like the queue. This queue depends on how efficiently you can map to. Sure, yeah. And then I guess the efficiency of the scheme also to a certain extent. The efficiency of this, for example, we have ways to get schemes with constant size ciphertexts. In those cases, you will have, I don't know, maybe like four or five elements in the ciphertext, that's all. It doesn't depend on what predicate you have. And the public parameters? Public parameters would depend on... So, we don't have a way to make the public parameters compact, yeah. But we can make the keys in ciphertext compact.