 Thank you for coming to our presentation for our new result for attribute-based encryption. This is joint work with Natapone from AIST and I am Junichi from NTE. Attribute-based encryption is a generalization of public key encryption and which specifies predicate P. A predicate P decides what kind of access control is possible for encrypted data. Attribute-based encryption consists of four algorithms. Setup algorithm outputs public key and master secret key. Key generation algorithm takes master secret key and key attribute y and output secret key for attribute y. Encryption algorithm takes public key and message and ciphertext attribute x and output ciphertext for x. Encryption is possible for ciphertext if the attribute x and y satisfies the predicate P. I will give some examples for predicates. Identity-based encryption is the simplest example for a class of ABE and in which attributes x and y satisfies the predicate P if x equals to y. Inner product encryption is also well known for a class of ABE and in which x and y are vectors and x and y satisfies the predicate P when vector x and vector y are orthogonal. In ABE for Boolean formulas, x is n-bit string and y is an input Boolean formula and x and f satisfies the predicate P when f of x is equal to 1. The standard security notion for attribute-based encryption is adaptive security or collision resistance. That is, gathering unqualified secret keys is not helpful for decrypting a ciphertext. Concretely, we consider the following game in which the adversary is given a public key and it can make a secret key queries for its choice of y. It can also make a challenge ciphertext query in which it sends m0 and m1 and challenges attribute x and it is given a ciphertext for a bit b chosen by the challenger. Finally, the adversary outputs a bit b' and if the probability of b' equals to b is negligible, then the scheme is said to be adaptively secure. Of course, the adversary cannot ask the secret key which can decrypt the challenger ciphertext. What we want to do in this work is constructing an expressive predicate by combining existing predicates. Let us give an example of conjunction of predicates. Let P1 and P2 be predicates and consider a conjunction of P1 and P2 in which P1 and P2 is satisfied by if P1 of x1 and y1 is equal to 1 and P2 of x2 and y2 is equal to 1. Our goal is to construct an ABE for P1 and P2 from ABE schemes for P1 and P2. It is known that there are two types of predicate compositions which is static and dynamic. The first one is static compositions and in an ABE scheme for staticly composed predicates the composition policy is already fixed in the setup phase and in the case of this slide the composed policy is P1 and P2 or P3. In the secret key generation the key attribute y1 and y2 and y3 is decided. Similarly, in the encryption algorithm ciphertext attribute x1 and x2 and x3 is decided. In the encryption the policy is evaluated by the secret key attribute and ciphertext attribute. If P1 is satisfied and P2 is not satisfied and P3 is satisfied by these ciphertext attribute and secret key attribute then the evaluation of this policy is one so the ciphertext is decryptable by the secret key. The second is dynamic compositions. Dynamic compositions are classified into two types a key policy and ciphertext policy. In this slide I will explain the key policy dynamic compositions. In this case, ingredients predicates P1, P2, P3 and composition class is fixed at the setup phase but concrete composition policies are not fixed at this point. The concrete composition policy is decided at the secret key generation as well as key attributes. In encryption ciphertext attributes are decided. In the encryption the composition policy is evaluated by P1 and P2 and P3 with key attributes and ciphertext attributes. For example, if P1 is satisfied P2 is not satisfied and P3 is satisfied then this policy is satisfied so the ciphertext can be decrypted. As long as the policy belongs to the composition class we can use any policies in the key generation. And unbounded composition which is used in the title of this paper means that the number of input for policy is not bounded at the setup. While dynamic compositions of predicates are interesting in themselves, Atalapadong showed that dynamic compositions of predicates are useful to instantiate new ABE schemes. For example, Kp or Cp ABE simultaneously satisfying these properties. And these properties are very important properties for ABEs. And concretely these ABEs are instantiated by the composition of IBE and N-IBE where N-IBE is a negation of IBE. And before Atalapadong proposed these dynamic compositions there have been no constructions of ABEs that satisfying these properties. However, the Atalapadong's technique needs parameterized assumptions or Q-type assumptions. So natural question here is can we achieve the ABE with dynamic compositions from standard assumptions? Because if we have such a framework then we can differentiate new ABEs that satisfies these properties from standard assumptions. The main contribution of this paper is proposing a new framework to achieve dynamic predicate compositions from standard assumptions. But we need some restrictions for achieving this framework compared with Atalapadong's framework. Concretely we need restrictions for composition class and ingredient ABEs. For composition class in Atalapadong's framework we can use span programs and branching programs and DFA for compositions while we can only use Boolean formulas in our framework. Boolean formulas is included in span programs and branching programs. Next we also need restrictions for ingredient ABEs. In Atalapadong's framework ingredient ABEs need to have symbolic property while in our framework the ABEs need to have perfectly master key hiding property. Which is information theoretic property. And basically it is the same as ABEs that is structured by predicate encodings by we. But we show that these are still our framework is powerful enough to achieve many new ABEs. Even though these restrictions are necessary. This is because IBE and N-I-B-E has a perfectly master key hiding property. Before explaining details of dynamic compositions we introduce the name for the predicate of dynamic compositions. This slide shows that ABE that is obtained from KP dynamic composition over predicate set P which consists of P1, P2 and P3. And we denote the predicate KP dynamic compositions over P by KP of predicate set P. First I will explain how to obtain the predicate KP of P. This predicate is obtained by applying KP transformation from predicate set P. And Atrapadong showed that the KP transformation can be decomposed into three simpler predicate transformations. Namely DirectSum, Dual and KP Augmentation of a single predicate which is denoted by KP1. We briefly recall these three predicate transformations. DirectSum is a transformation for combining many predicates into one predicate. Dual is a transformation for switching the key attribute domain and ciphertext attribute domain. KP1 is a transformation for injecting a policy to the key attribute domain. So far I have explained how to obtain a predicate KP of P. Next I will explain how to construct a concrete ABE scheme for a predicate KP of P. To explain it, first I will recall pair encoding scheme. A pair encoding scheme is a concise expression of an ABE scheme by polynomials. Let us give an example. A ciphertext and a secret key of Bonnet Boyen IBE is given like this. Then a P4 Bonnet Boyen IBE is given by two polynomials. The ciphertext polynomial Cx is a polynomial over s, s hat and w. And a key polynomial Ky is a polynomial over r, r hat and w. Basically these polynomials represent the exponents of ciphertext group elements and secret key group elements. From a pair encoding scheme and group description we can recover ABE scheme. As explained earlier, the predicate KP of P can be obtained by applying three transformations for predicates. That is direct sum and dual and KP1 to the predicate set P. Atropadding shows that there exist corresponding transformations for direct sum and dual and KP1. So we can obtain a pair encoding scheme for the predicate KP of P by applying the predicate encoding scheme transformations for direct sum and dual and KP1 to a pair encoding scheme for P1 to Pn. The last thing we need to consider is how to prove the security of the resulting ABE scheme. In Atropadding's work he proved the security of ABE schemes as follows. The security of his schemes is based on the following three facts. The first one is that Agrawal and Chase showed that all meaningful pair encoding schemes have the symbolic property. And I will not go into the detail of the symbolic property here. But if you are interested in the symbolic property, please look at the paper by Agrawal and Chase. The second is that the symbolic property is preserved through the three transformations. So the pair encoding scheme for KP of P has a symbolic property. And the last is Agrawal and Chase shows that we can construct a ABE scheme. ABE schemes from a pair encoding scheme with symbolic property which is adaptively secure under the curation assumption. So we can achieve ABE schemes for KP of P which is adaptively secure under the curation assumption. So as long as we rely on symbolic property we need a two type assumption to prove the security of ABE schemes. To take the similar strategy to Agrawal's technique we introduce a new property for pair encoding schemes called key encoding indistinguishability or KEIND for short. In this work we proved the following three theorems for KEIND. The first is a pair encoding scheme with the perfectly masake hiding property satisfies KEIND under the MDHH assumption. The second is KEIND is preserved through the basic three transformations for a pair encoding scheme under the MDHH assumption. The third is we can construct a ABE scheme from a pair encoding scheme with KEIND which is adaptively secure under the MDHH assumption. So as long as the starting pair encoding schemes satisfy the perfectly masake hiding property we can construct an ABE scheme for KP of P for the basic predicate following our framework in modular manner. Let us give an intuition for what kind of property KEIND is. First recall computationally masake hiding property of a pair encoding scheme which states that the master secret key element alpha is computationally hidden on the exponent of a semi-functional group element if the predicate is not satisfied by x and y. And we found that the CMH is not preserved in the basic three transformations so we modified CMH so that it is preserved in the three transformations to obtain KEIND. And KEIND basically states that normal secret key of L and semi-functional secret key of L are computationally indistinguishable in composite order groups of order L which consists of z' and normal secret key of L and semi-functional secret key of L is given by below. And we also showed that KEIND is used for the dual system encryption technique similarly to CMH to prove the adaptive security of ABE schemes. And we emphasize that this definition of KEIND is informal. It is just a definition for intuition. Similarly to Atalapadang's work, we can instantiate many new ABEs via unbounded compositions in ABE. The most notable one is new unbounded ABEs from standard assumptions. Currently, the state of the art of unbounded ABEs in the standard model is ABE by Quarchek and Wee. And their ABE scheme satisfies prime order groups and other previous security and compact and standard assumptions. And also they construct only KPEB scheme. By using our framework, we can instantiate additionally satisfies large universe construction and non-monotone ABE and ciphertext policy variant in the modular manner. As other instantiations, we can also construct new ABE schemes with constant size ciphertext and secret keys in modular manner. Summary, we achieved unbounded dynamic compositions in ABE from standard assumptions in this paper. And to achieve that, we introduced a new property for pair encoding schemes that is called KEIND. And using our framework, we can instantiate new ABE schemes from standard assumptions which are not known before our work. And as open problems, the first one is how to weaken the requirements for ingredient predicate encoding schemes. Because in our framework, the ingredient predicate encoding schemes need to have perfectly master key hiding property. And the second is how to obtain compositions for spam programs and branching programs and the way from standard assumptions because in our framework, the compositions are limited to only Boolean formula. This is the end of my talk. Thank you for your attention.