Hello everyone, I'm going to talk about fully dynamic group encryption, message filtering, and code-based instantiation. It's a joint work with Khoa Nguyen, Reihaneh Safavi-Naini, Willy Susilo, Huaxiong Wang, and Yanhong Xu. First, I will recall some background on group encryption and discuss the limitations and our motivation. Then I will state our three contributions: fully dynamic group encryption, message filtering, and code-based instantiation. I will also describe the techniques and, at last, give a summary.

So let me start with group encryption. Group encryption was introduced by Kiayias, Tsiounis, and Yung in 2007. It is the encryption analog of group signatures. There are four parties involved: the sender, the receiver, the group manager who manages a group of receivers, and an opening authority who is capable of identifying the recipient of the ciphertext. Group encryption allows a sender to verifiably encrypt messages to certified group members while keeping the anonymity of the receiver. More formally, group encryption allows encrypting while the following holds. First, the ciphertext is well formed and can be decrypted by some registered group member. Second, the opening authority can identify the intended receiver. Third, the plaintext satisfies certain requirements, such as being a witness for some public relation.

Group encryption schemes have many appealing privacy-preserving applications. A natural application is encrypted email filtering. It allows a firewall to accept only those incoming emails that are intended for some certified organization user. It can also find interesting applications in anonymous trusted parties and oblivious retriever storage systems.

Now, let me briefly review some previous works on group encryption. In 2007, KTY introduced the model of group encryption. They also provided a concrete instantiation based on number-theoretic assumptions. Two years later, Cathalo et al.
proposed a non-interactive realization based on pairings in the standard model. Subsequently, El Aimani and Joye presented various efficiency improvements for pairing-based group encryption. Libert et al. proposed a refined tracing mechanism and enriched the KTY model. In 2017, the first construction from lattice assumptions was presented by Libert et al. But so far, group encryption has been much less well studied, and we aim to contribute to the development of group encryption given its compelling features and nice applications.

Now, we will identify several limitations of existing group encryption schemes. The first limitation is in user revocation. The KTY model allows the dynamic enrollment of new users to a group, but it does not provide any mechanism to prevent revoked users from decrypting new ciphertexts intended for them, even though these revoked users were expelled for some misbehavior or have simply already retired from the organization. So a formal treatment of fully dynamic group encryption is highly desirable.

The second limitation is about the usefulness of existing group encryption in the context of email filtering, which we have mentioned as the most natural application. In all known instantiations of group encryption, the relations for messages are defined according to computationally hard problems. For example, the discrete log relation is employed in the KTY model for message filtering. This treatment fits the definition of group encryption, but in real life it is hard to sample a witness satisfying the relation. So can we design group encryption with expressive policies instead of using some hard problems?

Third, regarding the diversity of concrete computational assumptions used in constructing group encryption: among all existing schemes, the only one that is known to be quantum-resistant is the lattice-based construction from Libert et al.
And this raises the question of realizing group encryption based on alternative quantum-resistant assumptions, such as: can we construct a code-based group encryption scheme?

So in our work, we have three contributions. First, the formalization of fully dynamic group encryption. Second, we realize message filtering with two expressive policies. And third, we construct the first code-based group encryption scheme that follows our fully dynamic group encryption model and supports both of the two message filtering policies.

Now I will go to the first contribution, fully dynamic group encryption. Fully dynamic group encryption is the encryption analog of fully dynamic group signatures. As for full dynamicity, this means the user has flexibility in joining and leaving the group at the choice of the group manager. Also, the group manager can update the group periodically to reflect user revocation.

Now I will briefly introduce the model of fully dynamic group encryption. First, the opening authority and the group manager run the algorithms to produce their own public and secret key pairs. Join and issue is an interactive protocol securely run between the user and the group manager. The user obtains its own public key and secret key, and the group manager updates the group information. Our model enables the group manager to remove some users from the group through a group updating algorithm. In this updating algorithm, the group manager can advance the epoch and update the group information. The sender can encrypt the witness W for its chosen user in the encryption algorithm. Then there is proof and verification. The proof algorithm is run by a sender who acts as a prover and demonstrates the honest computation of the ciphertext. The verification algorithm is run by any verifier to check if the proof is valid. Then the user can decrypt the ciphertext to get the message.
And the opening authority can de-anonymize the ciphertext in the open algorithm.

We also define three security notions: message secrecy, anonymity in the CCA2 sense, and soundness. All three notions are carefully extended from the KTY model. Message secrecy protects the appointed receiver from a malicious adversary who tries to extract information about the encrypted messages. Here the adversary can fully corrupt the group manager and the opening authority. Anonymity in the CCA2 sense aims to prevent the adversary from learning information about the identity of the receiver. Here the adversary can fully corrupt the group manager, and we have an honest opening authority. As for soundness, soundness protects the verifier from accepting a ciphertext that either does not have the required structure or cannot be decrypted by a registered group member. There is only partial corruption of the opening authority here.

Now I'm going to talk about our second contribution, message filtering. Our goal is to equip group encryption schemes with some basic yet commonly used policies for filtering. More precisely, we consider a public list S of k binary keywords, S1 to Sk. Each of them has bit length T, and we need to test them against the length-T substrings of the encrypted message W. By the way, the public list S can be regularly updated by the group manager, depending on the interests or the needs of the organization. The keywords Si could be either good keywords or bad ones.

Then we define two policies, permissive and prohibitive. In the permissive policy, we accept the message W if it contains some good keyword. Informally, this means there exists some i such that the keyword Si is a substring of the message W. All the messages that do not contain any of these keywords are rejected. And in the prohibitive policy, we accept the message W if it is far from some bad keywords.
In formal words, this means that for every length-T substring Y of W and for every keyword Si, their Hamming distance is at least D. Here the keywords Si could correspond to some topics that are illegal or simply out of the group's interest. The minimum Hamming distance D here is to address spammers who might slightly change Si so that it passes the filtering while still being somewhat readable.

So now let me introduce our techniques regarding these two policies. Regarding the permissive policy, we need to prove that there exists i such that Si is a substring of W. First, we form a matrix capital W whose columns are the length-T substrings of the message. Then we form a matrix S whose columns are all the keywords, S1 to Sk. W is legitimate if and only if there exist a column Wi and a keyword Sj such that Wi equals Sj. This means the message W contains some good keyword. This is equivalent to proving that there exist weight-one vectors G and H such that W times vector G equals S times vector H. In order to handle this relation, we employ Stern's permuting technique to prove knowledge of such vectors G and H, and then adapt Libert et al.'s techniques for proving the well-formedness of the quadratic term, the matrix W times the vector G, where W is secret and G is secret. We follow the zero knowledge for the quadratic relation A times R, for a secret matrix A times a secret vector R with some constraint.

After the techniques for the permissive policy, we go ahead to the techniques for the prohibitive policy. As for the prohibitive policy, we need to prove that for every length-T substring Y of W and every keyword Si, their Hamming distance is at least D. So we consider all pairs of Wi and Sj and prove that all their sums, which we call Z, have Hamming weight at least D. To prove this statement, we adapt techniques from Ling et al. and perform an extension trick here.
First, we append T minus D coordinates to the vector Z and we get Z star, with length 2T minus D and Hamming weight exactly T. If Z star has weight T, the original vector Z must have weight at least T minus (T minus D), since we appended T minus D coordinates. At this point, it suffices to use Stern's permuting technique for proving knowledge of fixed-weight binary vectors.

Following the model of fully dynamic group encryption and the policies we just mentioned, we can have a code-based instantiation. To design a scheme satisfying our model of fully dynamic group encryption, we have a modular design. We need three ingredients. The first ingredient is an anonymous CCA2-secure public key encryption scheme. We need it to encrypt the messages under the user public key and we will encrypt the public key and the opening authority's public key. The second ingredient is a secure digital signature to verify the public key of group members. Third, we need a zero-knowledge proof compatible with the encryption and signature layers as well as with the message filtering layer.

We will adapt the modular design to the code-based setting. For the first ingredient in the code-based setting, we use the randomized McEliece encryption scheme and the Naor-Yung transformation. The second ingredient, the secure digital signature, seemed not readily available, as code-based signatures with efficient zero-knowledge arguments are not known to date. To tackle this issue, we replace the signature scheme by an accumulator scheme equipped with a zero-knowledge argument of membership. For the third ingredient, we use zero-knowledge arguments within Stern's framework.

Now I will introduce the main idea of our code-based fully dynamic group encryption. As the first step, when the user requests to join the group, it generates its own public key and secret key.
And then the user sends his public key and the non-zero hash value D to the group manager. Here we use the Merkle tree accumulator to certify his public key and get the non-zero hash value D. Second, the group manager first encrypts random messages under the user's encryption key to show that the user's encryption key is valid. If the user decrypts correctly, then the group manager computes the Merkle tree root, where the leaf nodes are the hash values D of all users.

In our fully dynamic group encryption, in order to achieve full dynamicity, we will follow the updating algorithm in the end. So let me explain how user revocation and dynamic user enrollment can be done in a simple manner based on this efficiently updatable accumulator. At the setup phase, all leaves in the tree are set to zero. When a new user joins the group, this zero is changed to the non-zero hash value D of the user. If the user is later revoked from the group, the value is set back to zero. For each change, the group manager can efficiently update the tree by recomputing the path in time O(log N).

Then, when a sender sends a message W satisfying the permissive or prohibitive policy to user J, the sender uses the public key to encrypt the message and uses the opening authority's public key to encrypt the identity of J. As for the well-formedness of the ciphertext, the sender needs to prove in zero knowledge that the message W satisfies the given policy, that the ciphertext of the identity is an honestly computed ciphertext of J, and that CW is a correct ciphertext of W, computed under some hidden public key whose hash value D is not zero at the tree leaf corresponding to J.

I will now introduce the main difficulty in our construction. Here CW has the form PK times RW plus E. So it would require proving a learning-parity-with-noise-like relation with a hidden but certified matrix PK, well-formed encryption randomness R and E.
And the secret message is W, which satisfies some relations. So we adapt techniques from Libert et al. and follow the zero-knowledge argument for A times R plus E, for a secret matrix A, a secret vector R, and some small-weight E.

Now we are able to obtain the first construction of code-based fully dynamic group encryption. In comparison with the only known group encryption scheme from post-quantum assumptions, from Libert et al., ours is more efficient. The main reason is that we use a Merkle tree, which can be viewed as a weak form of signature. However, it is still not practical due to the involvement of heavy zero-knowledge arguments. So there is an interesting open question: can we construct a practically usable fully dynamic group encryption scheme from post-quantum assumptions?

Last is the summary. We give a formalization of fully dynamic group encryption. We realize two basic and commonly used policies for message filtering. And we construct the first code-based group encryption. So thank you for listening.
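
Added example, not part of the talk: the two filtering relations from the message-filtering part, evaluated in the clear in Python. It builds the weight-one selectors g and h with W·g = S·h for the permissive policy and applies the extension trick to each sum z for the prohibitive policy; all function names and sample bit strings are constructed for illustration, and no zero-knowledge proof is performed.

```python
from itertools import product

def substrings(w, t):
    """Columns of the matrix W: every length-t substring of the bit list w."""
    return [w[i:i + t] for i in range(len(w) - t + 1)]

def mat_vec(columns, sel):
    """Matrix (given by its columns) times a binary vector, over GF(2)."""
    out = [0] * len(columns[0])
    for col, bit in zip(columns, sel):
        if bit:
            out = [o ^ c for o, c in zip(out, col)]
    return out

def permissive_witness(w, keywords):
    """Weight-one vectors (g, h) with W*g == S*h, or None if no keyword occurs."""
    cols = substrings(w, len(keywords[0]))
    for (i, wi), (j, sj) in product(enumerate(cols), enumerate(keywords)):
        if wi == sj:
            g = [int(k == i) for k in range(len(cols))]
            h = [int(k == j) for k in range(len(keywords))]
            return g, h
    return None

def extend(z, d):
    """Extension trick: append t-d bits so that z* has length 2t-d and
    weight exactly t. Possible only when wt(z) >= d; otherwise None."""
    t, wt = len(z), sum(z)
    if wt < d:
        return None
    ones = t - wt  # ones still needed; fits in t-d slots because wt >= d
    return z + [1] * ones + [0] * (t - d - ones)

def prohibitive_ok(w, keywords, d):
    """True iff every sum z = w_i XOR s_j can be extended, i.e. wt(z) >= d."""
    t = len(keywords[0])
    return all(extend([x ^ y for x, y in zip(wi, sj)], d) is not None
               for wi in substrings(w, t) for sj in keywords)

# Constructed sample data: an 8-bit message and length-4 keywords.
MESSAGE = [1, 0, 1, 1, 0, 0, 1, 0]
GOOD = [[1, 1, 0, 0], [0, 0, 0, 0]]
BAD = [[1, 1, 1, 1]]

if __name__ == "__main__":
    print(permissive_witness(MESSAGE, GOOD))
    print(prohibitive_ok(MESSAGE, BAD, 1), prohibitive_ok(MESSAGE, BAD, 2))
```
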
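
Added example, not part of the talk: the join and revoke bookkeeping on the Merkle-tree accumulator, with leaves starting at zero and each change recomputing one root path. SHA-256 stands in for the code-based hash of the actual scheme, and the class name, leaf encoding and sample key are assumptions made for this sketch.

```python
import hashlib

ZERO = bytes(32)  # value of an empty (never joined or revoked) leaf

def H(*parts):
    """Stand-in hash (SHA-256); the scheme in the talk uses a code-based hash."""
    return hashlib.sha256(b"".join(parts)).digest()

class MembershipTree:
    def __init__(self, depth):
        self.depth = depth
        self.levels = [[ZERO] * (1 << depth)]  # levels[0] = leaves
        for _ in range(depth):
            prev = self.levels[-1]
            self.levels.append(
                [H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])

    @property
    def root(self):
        return self.levels[-1][0]

    def _set(self, j, value):
        """Write leaf j and recompute only its path to the root: O(log N)."""
        self.levels[0][j] = value
        for lvl in range(self.depth):
            j //= 2
            self.levels[lvl + 1][j] = H(self.levels[lvl][2 * j],
                                        self.levels[lvl][2 * j + 1])

    def join(self, j, public_key):
        d = H(b"leaf", public_key)  # non-zero except with negligible probability
        self._set(j, d)
        return d

    def revoke(self, j):
        self._set(j, ZERO)  # revocation sets the leaf back to zero

    def witness(self, j):
        """Sibling hashes from leaf j up to the root."""
        path = []
        for lvl in range(self.depth):
            path.append(self.levels[lvl][j ^ 1])
            j //= 2
        return path

def verify(root, j, d, path):
    """Accept only a non-zero leaf value d that hashes up to root at position j."""
    if d == ZERO:
        return False
    node = d
    for sibling in path:
        node = H(node, sibling) if j % 2 == 0 else H(sibling, node)
        j //= 2
    return node == root
```

In the scheme the sender proves this membership relation in zero knowledge for a hidden leaf; here it is checked in the clear to show why a witness issued before revocation no longer matches the updated root.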