 So, what am I going to talk about today? Well, I'm going to talk about a technique that's inspired by pseudo-random generators that allows us to use a small number of group elements that are random to replace a much larger number of elements that are in the public parameters of certain functional encryption schemes that employ the dual system proof technique of Bishop and Waters. So, the particular application that we're going to look at is attribute-based encryption, and this is the same setting as the last two talks, where we want to encrypt messages under a set of attributes or tags, and we're going to associate keys with policies that take in sets of attributes and either grant or deny access to the underlying plain text. And we want our security model, again, to include collusions, so that we want no colluding set of unauthorized adversaries should be able to decrypt the message. So, the particular construction we're going to look at is, it uses bilinear groups, and so these contain just a prime-order source group, target group, GT of the same order, and a bilinear map, which takes in two source group elements and returns a target group element. And this satisfies the property that E applied to G to the A and G to the B returns the target group element EGG raised to the AB. Furthermore, we want this property that there's no efficiently computable isomorphism from the target group back to the source group, so what the bilinear map gets you is effectively a one-time only multiplication in the exponent. On either side of this, you can do the normal group operations that give you normal addition in the exponent. So the first scheme I want to look at is the classic scheme of Goyal, Pandy, Sahay, and Waters for attribute-based encryption. So in this scheme, the public parameter is you're given a single target group element, EGG to the alpha, where the alpha is secret. And for each attribute that you want your system to support, you choose a random exponent, AI, and you give out G to the AI as well. And so to make a ciphertext in the scheme, you take the public EGG to the alpha and you raise it to your secret S that you choose, which is a random exponent, and you use that to blind the message. Then you additionally give out G to the S and G to the S AI for each attribute that you'd like to associate the ciphertext to. Remember, we're encrypting ciphertext under sets of attributes. So for keys, the key generator will take the secret alpha and generate a linear secret sharing of alpha under the desired policy. And so this creates shares, which I'll call lambda i. And these lambda i are each associated with a given attribute. And they have the property that if you have a set of lambda i that correspond to a set of attributes that are authorized by the given policy, you should be able to recreate alpha linearly from them. And without such a set, you should be unable to reconstruct alpha. So for the key, what we give you is G to the lambda i for all these lambda i. And masked kind of by this AIRI, where AI is the corresponding attribute to the lambda i and RI is a random exponent chosen. And you also give out G to the RI. So the idea to decrypt what you'd like to do is somehow come up with EGG to the S alpha, I mean, yeah, EGG to the S alpha so you can divide it off of the ciphertext and get the message in the clear. So what you're going to be able to do, how you get that is by using the lambda i in your key. But you can't really use the lambda i as it's given to you because it has this AIRI that's going to mess things up. So you'd like to remove that and the only way you're going to be able to remove that is if the ciphertext contains the corresponding attributes. So specifically what we do for decryption is you first pair these two elements together which remember gives you the one time multiplication in the exponent. And so the S of the exponent in the ciphertext gets multiplied by the exponent of the key element and you get the target element, target group element EGG raised to the S lambda i minus S AIRI. And then you pair these two elements together and you again get the same multiplication in the exponent to get EGG to the S AIRI. And now you can just do the normal group operation here to remove the S AIRI and just get EGG to the S lambda i for all the attributes i that are in the ciphertext. And so assuming these attributes are an authorized set for your policy then using the properties of the linear secret sharing scheme you can linearly recombine these using the group operation to get EGG to the S alpha. And then divide off and get the message. So that's how decryption works for GPSW and if you stare at GPSW for a while you'll notice that the full security proof for it requires that the public parameters due to the AI are independent random elements. And not only for each attribute but also for every attribute use in policies. So if you want a policy that uses attributes more than one time, you need an actual copy of fresh new G to the AI for each use. So the point is that these public parameters can get very large if we have a large set of attributes that we want to support in many uses. So it brings up the natural question, can we get away with publishing less than one attribute, one element per attribute use in the public parameters? So this is a question that Akamoto and Takashima achieved a smaller version of public parameters in 2012 for ABE using different methods. But we're interested in trying to see if there's some small tweak that we can apply to an existing scheme like GPSW that might also be usable in other instances. So what we want to do is take, somehow maybe publish a smaller set of group elements that we might use to replace the independent random lots of GI that currently are in GPSW. And so the first thing that might come to mind is using a pseudo random generator. So one idea that you might have is to say that we're going to use the output of a pseudo random function to generate random looking attribute elements that are going to replace the original independent random elements at G to the AI. So if we look at an Orion Gold, which is a classic PRF for prime order fields, how this works is you have a small number C1 through CK of random exponents and the output of the function is defined to be a subset product of these exponents in the exponent of G, where the exact subset is determined by the input X. And we want to try to create as many possible random elements as possible, so we're going to consider evaluating our PRF on all possible inputs. So if we were going to adapt this to our situation, what we'd want to do is take all possible subset products of the exponents. So for instance, my public parameters now might be a much smaller set G1, G to the C1 through G to the CK, and to replace the old G to the AI, which I'm now calling G to the A K, I would just take all possible subset products of these in the exponent, which would be cool. But the problem is that we can't do multiplication and the exponent of group elements, we can only do addition with the normal group operation. You can, with bilinear maps, let you do one multiplication, but then it takes you to the target group and you can't do any more multiplications past that. So if we want, we definitely can't get all the possible products that we'd want to this method. So what we can do is use the normal group operation, which would just give us subset sums in the exponent instead of subset products. So if I was the same thing as before, I'd publish the same G to the C1 through G to the CK, and I would replace my G to the A K with subset sums of these G to the C1 through G to the CK. And so that's cool, but on their own the problem is that these elements don't look random anymore. You can, I can't just say that if I gave you G to the A K for all possible K that you can't tell whether I made these through the subset sum construction or if I chose each A K randomly and independently. You can tell, because note that if they're structured, then G to the A sub one times G to the A sub two is equal to G to the A sub one two, just because you have this relation. And this is something that you could check, so you could easily tell whether I gave you a structured version of G to the A K or a random version. If it was random, it would not satisfy this relation with that. But the thing is that the G to the A K don't show up on their own in GPSW ciphertext and secret keys. If you recall the ciphertext and secret keys look like this. So in ciphertext, the G to the A K is kind of masked by this S that shows up somewhere else as G to the S. And the secret key is kind of masked by this R K that shows up elsewhere as G to the R K. So you might think that maybe this is enough, like this might be able to hide the subset structure a little bit more. We have more to play with here. And so that kind of turns out to be the case, so I'll talk more about it. But first, I want to consider a simplification. So imagine that the GPSW ciphertext and secret keys, they only ever use G to the A K masked by a random exponent. And by that, I mean they only ever occur like they do in the secret key. So here the A K are masked by this R K for every K. And so what I'm asking you to ignore is the fact that in the ciphertext, the A K is masked by the same S for all K. So in particular, I want you to consider a version of the scheme that, imagine that it somehow makes sense to change this to be S K's instead of S's. So now each A K is masked by an independent random S K for all K. This change is going to make it easier for the rest of this proof. And it still will retain the same idea. So in particular, the way that A K is used in the ciphertext and secret key is now the same. It's this general form G to the Y K A K and G to the Y K, where Y K is an independent random element exponent per K. So if I gave you these and asked you to tell me whether I gave you the A K as a subset some structured versions or independent random exponents. You can't do the same trivial attack that we described earlier, where we're just adding the sets together to see if they add up. And so you might hope that this means that they're really hidden. And that turns out to be kind of the case. So this is the main technical limit of our paper. The simplified version, obviously that applies to the simplified version of the scheme I just mentioned. So I give you a small number of random exponents, C 1 through C K. And well, I don't give you them, but I choose the small number. And for each non-empty subset, I'm gonna choose a random exponent Y K. And then I give you G to the Y K and G to the Y K R K. And you need to tell me whether R K is equal to this subset sum for all the K, or if it's independently randomly chosen for each K. So if we had this, what we'd like to do is just publish these G to the C 1 through G to the C K as public parameters now. And use subset sums in the construction of our ciphertext and secret keys and then use this lemma to transfer to the version of the scheme where we're no longer using subset sums, we're using random elements. And which is just like the old GPSW and then proceed with the rest of the GPSW security proof. So we prove this using a hard assumption, obviously. So we use the decisional linear problem, which is the same assumption that GPSW is proven under. And so it's the following. Given the following elements where Y 1, Y 2, C 1 and C 2 are chosen at random, you're given a challenge term T. Where T equals G to the C 1 plus C 2 plus R. And R is either randomly chosen exponent or it's zero. And so if it's randomly chosen exponent, then T is random. And if it's zero, then T is related to the previous elements that were given because of the C 1 and C 2 that are repeated. Yeah, so if we look at the base case of our dilemma, where K equals two and by this I mean there's only two random exponents that are chosen, so this is what it looks like. We give you G to the Y 1, G to the Y 2, G to the Y 3, G to the Y 1, C 1, G to the Y 2, C 2 and G to the Y 3 times C 1 plus C 2 plus R. And then you need to decide whether R equals zero or R is random. So if R is zero, then note that this is subset sum structured. Because the Y 1, C 1 is the singleton set one, the Y 2, C 2 is the singleton set two. And the Y 3 is attached to the full set, C 1 plus C 2, the subset sum. But if R is random, then this whole term is random. And these three are just independent random values. And so we're in the random case of the lemma. So it's written very suggestively here. It's an easy reduction from a decision linear problem. Because most of these terms are actually even given to you directly through the decision linear problem statement. Like you have all these four terms. And the only thing you don't have is this G to the Y 3. So you can just choose your own Y 3 and give out G to the Y 3. And then take your target term T, your challenge term T, which is G to the Y, C 1 plus C 2 plus R. And then raise it to that Y 3 to make that element. And so it's a direct reduction and you enjoy the same advantage deciding the deal in problem as you do in deciding this problem. So this is the base case of the lemma when K equals 2. And so for the general K, we do this by induction, which I'm gonna skip because I don't want people to fall asleep. And okay, so now, how do we embed this once we have it assuming for all K into GPSW, the actual, the original scheme? So in the dual system proof of security for GPSW, we change the security game. The security games first change to one where the secret keys and the ciphertext contain like a parallel copy of themselves in a new subgroup. So if you recall the secret key and the ciphertext in the simplified version that I asked you to consider, all have these elements G to the RI AI where RI is per attribute. So the first thing that happens in the security proof is we switch to a version where we make secret keys like this where we have an extra subgroup element G to the RI tilde, AI tilde, which the extra subgroup element I've written in red here. And the important part is that these RI tilde and AI tilde are independent and random. So the AI tilde in particular aren't tied to the public parameters G to the AI that these, like these are. So the randomness of these untethered AI tilde is then used in an information theoretic subargument to argue that an unauthorized adversary can't decrypt the challenge ciphertext. So what we're going to do now is we publish this really small number of subgroup elements G to the C1 through G to the CK and use subset sums to replace the old AI and GPSW. When we do this, when we do this subset, when we expand into the new subgroup, the subset sum structure extends and we get these subset sums of these untethered CI tilde. And this is where we plug in the bilinear entropy expansion. Because now that these CI tilde are no longer tied to the public parameters G to the C1 through CK, we can just plug the lemma indirectly and then change from a game where these CI tilde are subset sum structured to one where they're independently randomly chosen for each K. And this is the same as the old version of GPSW where the AI tilde were independently random. And so the same information theoretic subargument can still be run and the rest of the proof proceeds just like the same. So, I've shown how this bilinear entropy expansion lemma can be used in a really modular way to improve the fully secure ABE scheme of GPSW and achieve exponentially smaller public parameters. And because of this modularity, how it just sticks in this one part and changes to a point where we can follow the rest of the proof through. We're hoping that it might be similarly useful in improving other functional encryption primitives that use the dual system methodology in a similar way. So if anybody has any ideas, I'm definitely interested in hearing. So feel free to talk to me. That's it, thank you.