Good morning. Welcome to the first session for today. Sorry for the delay; we are waiting for the video to be working properly. So this session is about modes of operation and we will have four talks, and the first talk is Key Assignment Scheme with Authenticated Encryption by Suyash Kandele and Souradyuti Paul, and the talk is given by Suyash.

Thank you for the introduction. Good morning everyone. Today I'm going to present key assignment scheme with authenticated encryption. This is a joint work with Dr. Souradyuti Paul at Indian Institute of Technology, Bhilai. In this presentation, first I will go over the introduction followed by the motivation and then define the problem statement. Then for the solutions, we will first present the definition of KAS-AE followed by the constructions and then comparison, and then I'll conclude.

So suppose there is a structure, a hierarchical access structure as shown in the slide here, where the director is at the top and she has some information, say a yellow file. She wants to impart a part of this file to the Dean FA and he gets a file, say a green file. Now the Dean FA further gives a part of his own file to a faculty, which we call a blue file, and now the faculty gives a part of his blue file to a student, which we call a red file. So these files can actually be represented in this format, where a big file belongs to the director, the yellow file containing all the four parts red, blue, green and yellow, and the student contains only the red part. This defines the hierarchical access structure for the data. Hierarchical access control means providing and restricting access to unauthorized ones. It requires a method to generate and retrieve the keys for accessible parts of the file. It finds its deployment in the business and other areas in the private sector, and the solution is key assignment scheme KAS-AE.

The key assignment scheme is basically a key generation scheme where the key required for encryption and decryption of a file can be obtained by an authorized user only. It achieves access control privacy and it finds its application in the access control in the hierarchically structured organization. There has been a huge work done in the last three and a half decades in defining new and efficient methods of KAS-AE schemes. The motivation for our work is the fact that encryption and authentication of data are not an integral part and therefore forgery is possible. So now we need to combine KAS with authenticated encryption, and the question is: is KAS-AE really required as a new primitive, or is the combination of KAS and AE sufficient?

So first let's see a construction which is a simple combination and a very natural construction for KAS-AE. Here we are using the KAS scheme, which is psi and has two algorithms, key generation and key derivation, and the AE scheme omega, which has three algorithms: the key generation, encryption and decryption. The KAS-AE scheme, which here has three algorithms, will be explained very quickly in the definitions part, but let's design the natural construction for KAS-AE here. So in the encryption algorithm, first of all we use the KAS scheme to generate all the keys, the secret values and the public values, and using each key for every file for every user we encrypt the files to generate the ciphertext and tag. These ciphertext and tag are then stored in the public values, which we can assume to be cloud. The key derive algorithm is just invocation of the key derive algorithm for the KAS-AE scheme, and the decryption algorithm is the invocation of the key derive algorithm followed by the decryption of the AE algorithm.

This is the natural construction, construction alpha, but we have found that there is an attack on construction alpha. Suppose here is a small example: a user U with the secret key KU and the secret values SU wants to attack the user V.

So what he can do is he can compute the values KV using the DER algorithm of the KAS-AE scheme. Then he can generate a new file F prime V which is different from FV, and then he can encrypt F prime V to generate C prime V and T prime V. Now he can just replace CV and TV with C prime V and T prime V on the cloud, and any user who tries to decrypt the file corresponding to user V will now get the file F prime V instead of the file FV. Because of this attack it's not trivial to construct a KAS-AE scheme.

Now moving on to a secure construction, which is construction beta. Here we have made one change. The change is we have included the tag with the secret information of every user, and therefore the attack that was possible in construction alpha is not possible anymore in construction beta. But the problem here is it is highly memory inefficient. I'm sorry. It's highly memory inefficient because every user has to store a large number of tags. So we have seen that the trivial combination of KAS and AE is insecure and the secure combination is memory inefficient. That's why our question is: can we construct a secure KAS-AE scheme that solves the hierarchical access control problem more efficiently than a simple combination of KAS and AE executed in that order?

Beginning with the KAS-AE definition: key assignment scheme with authenticated encryption is a key generation scheme where the key required for encryption and decryption of a file can be obtained by only an authorized user, and the message encryption and authentication is an integral part of the primitive itself. It achieves access control along with privacy, integrity and authenticity. The three functionalities included in KAS-AE are: first, the encryption, which is responsible for generation of keys and secret information for each user, encryption of files for each user, generating the public values for the system, and distribution of keys and secret information to each user.

The second functionality is key derivation, DER, which is re-computation of the decryption key of an inferior node or the subordinate node by a superior node. The third functionality is a decryption algorithm where the decryption and verification of the ciphertext corresponding to the same node or the subordinate node takes place.

Here is the formal definition of KAS-AE, which is given in even more detail in the paper. You can find the encryption algorithm here, which takes the graph of the hierarchical access structure and all the files as the input and generates the secret values, keys and the public values. The second is the key derive function, which takes the graph, the superior node, the subordinate node, the secret values of the superior node and the public values to generate the key corresponding to the subordinate node. And similar is the decryption algorithm, which aims to generate the file for the subordinate node. The correctness requires that the derive algorithm derives the exact same key which was derived during the encryption process, and the decryption requires that the file should be the same as the one encrypted here. Here we are considering three security issues, the key recovery, privacy and tag consistency, which have been realized using KR, INDPRV and INTP security games.

Now we move on to the KAS-AE constructions. The first method to construct KAS-AE is from KAS chain. So KAS-AE chain is a special type of KAS-AE where the access graph is a totally ordered set. There is no hierarchical structure where a node has multiple subordinate nodes. Every superior node has just one subordinate node. And the second ingredient used here is the modified chain partition algorithm. This is a divide and conquer algorithm where first we partition the entire access graph into disjoint chains and then we design a KAS-AE chain corresponding to each of these chains. Now finally we securely join each of these KAS-AE chains to form the KAS-AE for the full access graph.

In the paper we have proposed four constructions, namely A, B, C and D, which have the modified chain partition algorithm in common, and they differ just in the KAS-AE chain schemes. The first KAS-AE chain scheme that we have described is A chain, which is similar to our construction beta, where we use the KAS chain scheme psi and the AE algorithm omega. And we store the tags as the secret values for every user.

The second construction is B chain, which is inspired from MLE, and we use MLE as a black box here. So in the totally ordered set as shown here, the encryption process is described here, where first we encrypt the file for the user U3, which is at the bottom of this access graph, then for user U2 and for user U1. And whenever we encrypt the file for a user we include the key into the file itself before encryption. So while we are deriving the key or when we are decrypting, on decryption of each ciphertext we actually get the key for the subordinate node.

Our third KAS-AE chain construction is based on the functionalities F1 and F2, which are themselves inspired from APE authenticated encryption given by Andreeva et al. in FSE 2014. Let me give the disclaimer that the functionalities F1 and F2 are not exactly identical to the encryption and decryption of APE. They are a modification of the encryption and decryption function. Now one more thing to notice is the functionality F1 takes as input message M and two initial vectors IV1 and IV2 and outputs the ciphertext and the key, whereas the functionality F2 takes as input ciphertext C and the key K and outputs the message M and IV2. Because of this property of outputting IV2 we employ the key of the subordinate node as the value of IV2, which is shown here in the encryption, derivation and decryption diagrams. For the first user we use both of the values of IV as zeros. For the second we use IV1 as the ciphertext and IV2 as the key, and we go on.

While decrypting we get the keys K2 from ciphertext C1, K3 from ciphertext C2 and so on.

Our fourth KAS-AE chain construction is based on the FP hash mode of operation, which was given by Paul, Homsirikamol and Gaj in Indocrypt 2012. These designs are also not exactly identical to the FP hash mode of operation. Instead they are a modification to them. Here also for the encryption we have message and IV1 and IV2 as the inputs and the output is K and C. But for decryption the input is C, K and IV1 and the output is IV2 and message M. Therefore there is a slight change in the encryption, key derivation and decryption procedure, but the efficiency results are exactly the same.

Now we go for the second method, where we construct KAS-AE schemes from scratch. And we propose three constructions: construction one based on MLE, construction two based on APE and the third construction based on the FP hash mode of operation.

Our first construction, which is based on MLE, uses the idea of encrypting the decryption keys of the immediate children, all the immediate children of the node, along with the files of the node. This offers us the advantage that decryption keys for the immediate children nodes are obtained on decryption, and MLE itself takes care of the authentication and encryption together via the decryption key. So we do not need to store the tags here. Here is the encryption algorithm for this reference graph, where U4, U5, U6 and U7 are the nodes at the bottom. So first we encrypt them; second, using the keys that are output from U4 to U7, we prepend them over the files of U2 and U3 and then encrypt them. Finally we encrypt U1 to get the key K1, which is the master key or the key for the root node, which is the superior node of the entire graph. The key derivation works as follows. If user U1 wants to find the key for U6, they get it from K3 and then K3 decrypts C3 to get K6. For the decryption algorithm, the K6 here is plugged into C6 and then we obtain the file F6.

Our construction two is based on APE authenticated encryption, where the idea is the reverse decryption property of APE, which gives the keys of immediate children nodes while decrypting. And during the encryption, we take the immediate children nodes and encrypt them along with the file. This offers us the advantage of allowing efficiency improvements, and the decryption keys for the immediate children nodes are obtained on decryption. We do not need to store any tags for the file. Here are the functionalities F1 and F2 that we have already seen in the C-chain construction, and this is the same method of encrypting it. Here for the U4, as IV1 and IV2 we are using zeros, and for all the children which are at the leaf node. And for the intermediate nodes and the root node, we have the keys of their first children as this first value. This is the encryption, key derivation and decryption module.

Now the next construction is construction 3, which is based on the FP hash mode of operation, where the idea is exactly the same. And it offers us similar advantages. The functionalities G1 and G2 which are being used in the encryption and G2 being used in the key derivation and the decryption algorithm.

Now I would like to show you the comparison table, where the first five schemes are actually construction beta. And in this construction beta, we have plugged in the KAS schemes, which are TKAS, TKEKAS, DKEKAS, IKEKAS and NBKAS, which are given in detail by Crampton, Martin and Wild in 2006. And we obtain the results here. So we see that for these five schemes, we have N squared lambda times the private storage, which we saw in the construction beta, that it has a big disadvantage of having a huge private memory requirement. Our construction A, which is also based on KAS and AE, offers the same disadvantage of having a huge private storage requirement.

The construction B, which was made using construction B chain and modified chain partition using MLE, has NW lambda, where W is the width of the access graph. And this access graph represents the poset which describes the hierarchical structure of the organization. Our constructions B, C and D offer the same private storage requirement of NW lambda, and the public storage requirement with a ciphertext expansion of 2N lambda, N lambda and N lambda respectively. Our most efficient constructions are constructions 1, 2 and 3, for which we just need to store lambda bit values per user. Here N actually represents the number of users in the organization and therefore it is just lambda bits per user. The ciphertext is a little larger but that really doesn't matter because we are storing everything on the public data. And the most important part is storage of private keys, in which we excel here.

In the conclusion I would like to say that constructions 2 and 3 have a super advantage of having a reverse decryption and prepending keys of subordinate nodes to the file of superior nodes. They are based on easy to invert permutations, which offer the advantage of being easy to realize in hardware and have negligible private storage overhead. They are randomized and therefore they avoid all the dictionary attacks. They have one pass encryption, key derivation and decryption mechanism. We leave it as open problems to have more efficient KAS-AE constructions and to introduce functionalities like key revocation, updating the file itself etc. in KAS-AE. Here are the references of our papers. Thank you.

We have time for a couple of questions.

I have one question about your construction based on message locked encryption. For message locked encryption you cannot have privacy. You need high entropy messages to have privacy. So does it apply to the resulting construction?

Actually what we do is we add a random number to the file, and that's why this random number ensures that the total entropy of the message becomes high. And this way we are preventing the attacks for the known message attacks on the MLE.

Okay, thanks.

Thank you. Other questions? Well, if not, let's thank Suyash again.
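
Added example, not part of the talk or the authors' paper: a toy Python sketch of the idea behind the MLE-based construction 1 as the speaker describes it, where each node's file is encrypted together with its immediate children's keys and a random pad, and the message-derived key doubles as the integrity check. The hash-derived key, the SHAKE-256 keystream standing in for a real cipher, the sizes `LAM` and `PAD`, all function names, and the assignment of U4/U5 to U2 and U6/U7 to U3 are assumptions made for illustration.

```python
import hashlib, hmac, os

LAM = 32   # key length in bytes (the talk's lambda); assumed value
PAD = 16   # random bytes added to each file, as in the Q&A answer; assumed size

def keystream(key, n):
    # Toy stand-in for a real cipher: SHAKE-256 output keyed by `key`.
    return hashlib.shake_256(b"ks" + key).digest(n)

def mle_enc(msg):
    key = hashlib.sha256(b"key" + msg).digest()        # key is derived from the message
    return key, bytes(a ^ b for a, b in zip(msg, keystream(key, len(msg))))

def mle_dec(key, ct):
    msg = bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))
    if not hmac.compare_digest(hashlib.sha256(b"key" + msg).digest(), key):
        raise ValueError("ciphertext does not match the key")   # tampering detected
    return msg

def kasae_enc(children, files):
    """Encrypt bottom-up; returns (private key per node, public ciphertext per node)."""
    keys, pub = {}, {}
    def visit(u):
        if u in keys:
            return
        for c in children.get(u, []):
            visit(c)
        child_keys = b"".join(keys[c] for c in children.get(u, []))
        keys[u], pub[u] = mle_enc(child_keys + os.urandom(PAD) + files[u])
    for u in files:
        visit(u)
    return keys, pub

def kasae_dec(children, pub, path, key):
    """Follow path [superior, ..., subordinate] and return the last node's file."""
    for i, u in enumerate(path):
        msg = mle_dec(key, pub[u])
        kids = children.get(u, [])
        if i + 1 < len(path):                  # pick the next node's key out of msg
            j = kids.index(path[i + 1])
            key = msg[j * LAM:(j + 1) * LAM]
    return msg[len(kids) * LAM + PAD:]

# Constructed sample: the seven-node graph from the talk (child assignment assumed).
TREE = {"U1": ["U2", "U3"], "U2": ["U4", "U5"], "U3": ["U6", "U7"]}
FILES = {u: f"file of {u}".encode() for u in ["U1", "U2", "U3", "U4", "U5", "U6", "U7"]}

if __name__ == "__main__":
    keys, pub = kasae_enc(TREE, FILES)
    print(kasae_dec(TREE, pub, ["U1", "U3", "U6"], keys["U1"]))
```

Each user stores only one `LAM`-byte key, and a ciphertext swapped on the public store is rejected because it no longer hashes to the key obtained from the parent.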