 Alright, so we can get started. I'll talk to you about stronger security for reusable garbage circuits, general definitions and attacks. So, let's start the talk with a flashback. It's not displaying very well on the top if you could. Okay, so let's start with a flashback. Let's look at garbage circuits. So, this is a classic primitive in cryptography. It's back to the 80s and the idea here is that you want to run some circuit C on some input X, but you don't want the evaluator to learn either the circuit C or the input X. Okay, so what you do is that you garble the circuit, get some C hat, garble the input, get some X hat and there should be some decode procedure that takes the C hat and X hat and outputs exactly C of X. Privacy requires that C hat and X hat should reveal nothing but C of X to the decryptor or to the evaluator, right? And this is a primitive which has been used all over cryptography, tremendous applications, but it's only secure for one time use. So, what that means is that if I have this garbled circuit C hat, I can only evaluate a single input on it. If I even try to run the circuit on two different inputs, then security is broken completely. So, now a natural question that follows from this is whether you can have reusability for garbled circuits. So, is it possible for us to have a garbled circuit C hat, but now a mechanism for us to encode many different inputs such that the decoding and the privacy property can be generalized, right? So, if I'm given C hat and X hat, X hat and so on, then I'd like to be able to recover C of X i for all i and privacy would then state that given C hat and X i hat, I should learn nothing except the output of the circuit on those values, right? So, this was an open problem, but recently there was an elegant solution to this problem by Goldwasser, Kallai, Popa, Wekunter, Nathan and Zeldovich. Now, reusable garbled circuits can be seen as a special case of a more general primitive which is called functional encryption. So, let's see how. Functional encryption essentially means that you can have a secret key corresponding to some circuit. So, let's call that SKC and you have a ciphertext corresponding to some input X and you should be able to decrypt CTX with SKC to recover C of X and privacy again should state that you learn nothing except C of X from this, right? Now, there are various flavors that functional encryption comes in various parameters that you can try to get. So, input hiding means that you want to hide X in CTX. So, this is something that you always ask for, but you could also ask for circuit hiding and in some cases it's possible to provide this. So, you could ask that the circuit C be hidden in SKC. You could have public or private key variance to this primitive and you could have one or many key security. So, this is about whether the adversary gets secret keys corresponding to one or many circuits of his or her choice, right? And the state of the art in functional encryption from standard assumptions. So, by standard here I mean not using indistinguishability obfuscation or multilinear maps. What we have is that if you restrict the adversary to only make one query or if you restrict the adversary to only make certain types of queries, I will talk about what this means, then you have FE for all circuits, ok. And in particular if you restrict the adversary to only make one query, then the variant of FE that you get is the reusable garbage circuit. And in the second case if you restrict the adversary to only make certain types of queries, then the variant that you get is predicate encryption, ok. So, let us look at each of these a little bit. So, as I said already for reusable garbage circuits, the adversary can only request one key. So, a key corresponding to a single circuit of her choice, but here you want circuit privacy because you want the you want to generalize garbage circuits, but it turns out you can achieve this in the symmetric key setting. However, in the construction provided by GKPVC, security again breaks down completely if you have more than one circuit query, ok. So, if the attacker asks for more than one secret key, then security breaks down completely. And even though natively this construction only supports a single key request, it can be generalized to support a Q key requests, where Q is some polynomial bounded in advance. So, in particular the setup algorithm will take the Q as input, ok. And the ciphertext of the resultant scheme will grow multiplicatively as Q to the 4 when you apply the compiler from Gorbanova, Kuntanathan and V. So, GVW12 showed a compiler that takes a single key FE and gives you a Q key FE. And when you do this, this is the loss in ciphertext size that you get. So, now let us look at the other variant. So, if you want to restrict the types of queries, so what do I mean by that? Well, in this case as I said you get a variant of FE called predicate encryption. And here essentially what happens is that the adversary can request any number of circuits. So, she is no longer bound by how many circuits she requests. However, it should be the case that on all on the challenge messages, the circuits should evaluate the circuits should evaluate to 0. So, for any circuit C i that the adversary requests, it should hold that C i of x 0 is equal to well C i of x 0 is equal to C i of x 1. This is required in the security game, but you additionally impose that these should be equal to 0. And she may not request even a single circuit such that the circuit evaluates to 1 on the challenge, on the challenge messages. So, this game where you restrict the type of keys, we will call these types of keys as 0 keys because the output is 0. This is known as the weak attribute hiding game, for those of you who are familiar with this terminology. In our talk, we will just call them 0 keys. And current systems for predicate encryption can only achieve security in this weak attribute hiding game. Even the older predicate systems that only support evaluation of inner products. So, even for simple functionalities like inner product zero testing, the predicate encryption scheme will only support the weak attribute hiding game. So, just to summarize, the best known is as follows. So, for an adversary, the number of one keys that she can request in GKPVC is bounded above by 1. And the number of zero keys is 1 minus whatever she requests here. So, she can request one key, either a zero key or a one key does not matter. The security game is selective. And if you compile it with GVW12 and get a Q key scheme, then the ciphertext degrades multiplicatively as Q to the 4. And then the predicate encryption system by Gorbino, Vekuntanathan and we, this can support only, well, it can support no one keys at all. But it can support any unbounded number of zero keys. The security is again selective and there is no query dependence. So, the ciphertext size does not depend on the number of queries that the attacker requests. So, in this work what we achieve is we can support any fixed Q number of one keys. We can again support any unbounded number of zero keys. We improve the security from selective to semi-adaptive and the ciphertext size is improved from multiplicative Q to the 4 to additive Q square. So, here I should say that a linear dependence in Q is inherent for this kind of security and we get additive Q square. Additionally, what we show in this work is that prior constructions for predicate encryption schemes are totally insecure if the attacker is allowed to request any one keys. In fact, we show that a constant number of one key suffices to completely break security and this applies even to inner product predicate encryption from 2011. So, I will just say a few words about these attacks. We show three attacks. The first one exploits the ciphertext and key structure of these predicate encryption schemes and this applies even to inner product zero testing. The second one exploits the ciphertext evaluation mechanism that is used in the more general predicate encryption scheme and the third one attacks what is called the lazy or trick in GVW 15 which leaks some noise in fully homomorphic encryption. So, are these attacks surprising? These predicate encryption schemes were never claimed to be secure against a general adversary. They were only proved to be secure in the restricted game. So, it is important to understand whether these attacks are surprising. The last one is not. So, this attack is not surprising even in the original paper the authors had hinted that there is some leakage and this is likely to be a problem. But the first two attacks especially the first one are surprising in my opinion. So, let us talk a little bit about the first attack which like I said exploits the ciphertext and key structure in these schemes. So, the ciphertext structure comes from the learning with errors problem which says that it is difficult to distinguish noisy inner products from uniform. So, if I sample some matrix A and compute S times A plus some error then this should be indistinguishable from uniform. This is the learning with errors problem and this is essentially what the ciphertext looks like. The secret key comes from the SIS problem which says that given some matrix A and some matrix A you want to find a low norm vector Z such that A times Z is 0 mark Q. So, the secret key is a short vector Z of this kind and many short vectors in many such short vectors will form a trapdoor for A which in particular can be used to break the LWE problem that we saw in the previous slide when applied to this matrix A. So, in these schemes roughly what happens is that the ciphertext looks like this the secret key looks like this and decryption works when these matrices match alright. So, in our attack we exploit this at a very high level what the attacker does is it requests keys for linearly dependent vectors. It combines these keys in a certain way to get short vectors and then hence a trapdoor in a certain lattice A star which is related to the parameters in the system and then the challenge ciphertext can also be manipulated to get an LWE sample with some matrix B star and A star and B star match when for the case of one keys ok. So, essentially there is an inherent vulnerability for any attribute hiding scheme that has this structure. So, further constructions that we see will have to contend with this problem. The second attack relies on the fact that regardless of the circuit that is being computed the noise terms that the attacker sees after decryption is a linear function of the original noise terms in the construction. So, given just a few decrypting keys or one keys the attacker can recover the noise terms because these are linear functions and hence the LWE secret and hence the attributes that the challenge is supposed to be hiding and the lesson here is that there is an inherent asymmetry between 0 and 1 keys in the way that the ciphertext evaluation works for these systems. So, I will say a few words about the new construction that we have. So, what we do is that we start with the predicate encryption scheme which already supports an unbounded number of 0 keys and we extend this to also support some number of 1 keys and this gives us reusable garbage circuits. So, the security that we get for the resultant scheme which generalizes reusable garbage circuits is stronger than the security known so far. So, in particular as I mentioned the support for 0 keys is for free you can ask any unbounded number of them and we also get what is called semi adaptive rather than selective security. We show a few new techniques in order to get this. So, in the proof, in the simulation the 0 keys and 1 keys are handled separately and this turns out to be crucial and we also show a new method to program public parameters based on keys that will be requested in the future. So, that is also new to this work and then we show a new extension to bounded key FE which as I said gets a better ciphertext size than what was known before, but in a weaker security game. Okay so, at a sort of high schematic level we start with the predicate encryption scheme of GVW 15. We have some new tricks plus a more careful proof which gives us a scheme which subsumes predicate encryption and reusable garbage circuits, but in a very weak security game which we call very selective security. I will talk about what that is in a second. This scheme is then compiled using a new method that we have to get predicate encryption plus reusable garbage circuits with semi adaptive security and then finally, we have a new method that let us extend this to bounded collusion FE for any fixed bound Q. Okay so, very selective security means that the adversary must announce the challenge ciphertext as well or the challenge messages as well as the function key in the very first step without even seeing the public parameters and semi adaptive security means that the attacker may see the public parameters in the security game before announcing the challenge ciphertext. All right so, in the few remaining minutes that I have I will talk a little bit about how we perform this step. So, how do we go from very selective security to semi adaptive security. Okay so, the idea here is to nest two different schemes. So, you take the very selectively secure scheme let us call it cell and you nest this within a linear FE scheme. So, you nest this within an adaptively secure scheme FE scheme for linear functions and the way that this helps is that this adaptively secure linear FE scheme can be used to generate ciphertexts of the selective scheme on the fly. Okay so, let us see how that works. So, let us remind ourselves what linear FE is. So, here the idea is that you have a ciphertext corresponding to some vector x, you have the secret key corresponding to some vector y and decryption gives you the inner product of x and y. Now last crypto there was a construction of linear FE that achieves adaptive security and this is crucial in our work. So, the fact that we get adaptive security in this scheme is what helps us to go from very selective to semi adaptive. Okay so, essentially what is going to happen is that the ciphertext of the cell scheme is going to be computed on the fly like I said. So, we can look at the structure of the cell ciphertext and we note that it can be written as an inner product of two vectors one of which is known to the key generator and one of which is known to the encryptor. All right. So, the encryptor now can provide a linear FE ciphertext for this vector and the key generator can provide secret keys. So, the linear FE secret key for the corresponding vector that we saw in the previous slide the vector corresponding to this as well as the cell FE secret key for the selectively secure scheme. So, decryption will proceed in two steps. So, first you will run the linear FE decryption. So, you will take the linear FE ciphertext provided here and the linear FE secret key provided here and when you run the linear FE decryption what you will get is the ciphertext for the selective scheme. So, you run the linear FE decryption to obtain the ciphertext for the selective scheme. The secret key for the selective scheme has already been provided. So, now you run the decryption for the selective scheme and you obtain your final answer. So, we can show that this nesting allows you to improve the security from very selective to semi-adaptive. So, I will conclude with this. We showed a new construction of reusable garbled circuits with stronger security than what was known before. So, again we can support an unbounded number of zero keys and we can go from selective to semi-adaptive. We showed a new method for compiling very selective security to semi-adaptive security. This method is fairly generic. Most LWE based systems have ciphertext that can be expressed as an inner product of two vectors. So, we think that this method can be used also in other contexts. We showed attacks on existing predicate encryption schemes and we believe that this codifies the barrier in generalizing predicate encryption to full-fledged functional encryption. And then we showed a new method to generalize the scheme to handle Q queries of any type. This has a better ciphertext size than the previously best known, but it is only secure in a weaker security game. Thank you.