And despite the long title and the long name here, our result is actually encryption with short ciphertext. So if you can remember our contribution in that way, I would appreciate it most. So what is our contribution here? I would like to summarize in one slide first. In this paper, we construct a functional encryption scheme with constant ciphertext, like the title said. And we got a scheme with adaptive security and a scheme that supports policies for negation formulas. But our scheme came with sacrificing anonymity. So the anonymity of Y here does not hold anymore. But there are a lot of applications of non-anonymous schemes and I will talk about that later on. So here is our talk outline today. I would like to explain first the background on functional encryption and next our contributions. And finally, we will go to the difficulties of constructing such a scheme with constant ciphertext and how we solve them. I will not go into details. I just leave the scheme description and so on in the paper and I just speak here for the intuition. So first, background before functional encryption. We have public key encryption. That's why we are here in the PKC conference. And there is ID-based encryption where any ID can be used as a public key, like Alice at gmail.com and so on. And there is more advanced encryption called attribute-based encryption where you can use any policy as a public key, like if you want a president or a manager that is more than 35 can decrypt. You just specify that policy as a public key. And of course, it should have the universal public key, or it's called a public parameter, to initialize the system at first. So what is functional encryption? It's a further generalization of attribute-based encryption and ID-based encryption. Its definition is as follows. Functional encryption for a function F, where F is a Boolean function that evaluates to zero or one.
And the point is that the key will correspond to what I call a key attribute X and the ciphertext will correspond to a ciphertext attribute Y. And this key can be used to decrypt this ciphertext if the function F of X and Y evaluates to one. So it is also known as predicate encryption by Katz, Sahai and Waters, or generalized ID-based encryption by Boneh and Hamburg. So FE generalizes IBE and ABE in the following way. In IBE the underlying function F IBE is defined in such a way that it evaluates to one if the two inputs ID dash and ID are equal. So it evaluates to one if they are equal. And in attribute-based encryption the underlying function evaluates to one if the attribute satisfies P. It is quite simple for the definition, and it generalizes many more encryption primitives. So what motivates us to study this functional encryption? Because functional encryption is a new perspective on encryption. So we can think of some complex system like a cloud environment in the trash where we want to set access control over our database, and in the traditional solution we have many keys. So we have complex key management, a complex database, and on top of that we have to define some access control mechanism separately from the encrypted data. So it's not so nice. But if you use functional encryption, access control is enabled by the encryption mechanism itself and security is guaranteed by that. So it's nice. And our focus is functional encryption for zero inner product, similar to Katz, Sahai and Waters in 2008, in Eurocrypt. So what is functional encryption for zero inner product? It's defined by the following. The key will correspond to a vector X and the ciphertext will correspond to a vector Y of length N, and the function evaluates to one if the inner product evaluates to zero. So we can also call it zero inner product encryption, or zero IPE for short. So why are we studying this inner product encryption?
Because it has a useful instance, which is functional encryption for polynomial evaluation. So in this case the key will correspond to a polynomial f, a small f here, and the ciphertext will correspond to a value z, and the definition is that it evaluates to one if the value of f(z) is zero. So we can construct this from inner product encryption by using the vector X as the coefficient vector of the polynomial f and the vector Y as the power vector of the value z. So the inner product of X and Y evaluates to f(z) and we can have this polynomial evaluation, and it can be generalized to multivariate polynomials also, and it has a dual case, which is the ciphertext-policy type, where the ciphertext will correspond to the policy. And so why are we studying polynomial evaluation? Because it actually implies functional encryption for policy satisfaction. So, like in this first line of policy, if you want an OR policy you just implement it by using f(z) as the multiplication of z minus I1 multiplied by z minus I2. So you have OR by doing that, and you can have AND also like this, where r is a random number, and it extends to a general CNF or DNF formula like in Katz, Sahai and Waters. So that is the motivation of inner product encryption in general, and since we are going to speak about adaptive security, let me explain adaptive security. So it is actually similar to the IBE case, where the adversary will get the public key and he will receive the challenge ciphertext, and at any time he can ask for the key of X if F of X and Y star is zero, which cannot be used to decrypt the challenge ciphertext, and this query can be asked anytime, so we call that adaptive security. So there is also the selective security notion, where it's exactly the same except that the adversary has to announce the challenge vector Y star before looking at the public key, the public parameter. So it's weaker, and we want adaptive security more than this selective security. So I will move next to our contributions in this paper.
Previously, for zero inner product encryption, Katz, Sahai and Waters, and Takashima and Okamoto in Asiacrypt, proposed schemes with ciphertext of linear size. So it's quite long and not so efficient in size, and they got only selective security. Here in our contribution we reduce the ciphertext size to only constant and obtain adaptive security, but we have to trade anonymity off. So our scheme is not anonymous, and indeed we send the ciphertext attribute Y in the clear. Yeah, so that is the trade-off. And independently, Lewko, Sahai and Waters, and Takashima and Okamoto, will present at next week's Eurocrypt another scheme with adaptive security, but the ciphertext is still of linear size, but they got anonymity. So the question arises here whether anonymity is actually a problem or not. The answer is that there are a lot of applications where we don't need anonymity. For example, if you consider this encrypted database in, like, cloud storage, Alice wants to search or obtain the ciphertexts intended for her. And if you use non-anonymous FE, Alice just evaluates F of X and Y_j to see if it is true or false, which could be really efficient. But if you use anonymous FE, the ciphertext attribute Y_j is not in the clear. So Alice must decrypt all the ciphertexts to see if each is intended for her or not. So the decryption might actually be generally more inefficient than evaluating F of X and Y. So maybe if you want efficiency, not anonymity, it may be better to use non-anonymous FE. So we also have a side contribution from our first contribution, which is an adaptive ID-based broadcast encryption with constant-size ciphertext. Previously, Gentry and Waters got the scheme IBBE, which is adaptively secure, but the ciphertexts are either of linear size or the proof is in the random oracle model, but we got both. And I will move to our second contribution, which is functional encryption for non-zero inner product.
It's actually the negation of zero inner product encryption, where you can guess from the name that decryption can be done when the inner product of X and Y is not zero. So it's kind of like a revocation analog of FE for zero inner product. So what is the application of non-zero IPE? It actually implies functional encryption for non-zero polynomial evaluation, which actually implies FE for policy non-satisfaction. So you can get functional encryption for a NOR or NAND policy, like we wrote here. For example, if you want a NOR policy, you can just implement the polynomial evaluation, which is non-zero, by the first line of that implementation. And it actually extends to general CNF and DNF formulas with negation. But for the case of FE for non-zero inner product, we couldn't achieve adaptive security. We achieved what we call co-selective security. It's actually the dual case of selective security in the sense that it's actually the same, but the challenge can be adaptively chosen by the adversary at any time after the public key. However, the queries have to be asked first, before seeing the public key. So it's kind of like the dual case of selective security. And this is incomparable in general, but in some cases co-selective security will be a stronger notion. And let's see, later on. And for our second contribution, we proposed this constant-size ciphertext non-zero IPE with co-selective security. And we also have a side contribution from this, which is an ID-based revocation scheme. Until now, only Lewko, Sahai and Waters, and other schemes also, actually. All the schemes until now achieve ciphertext size only linear in the number of revoked users. But we got a scheme with constant-size ciphertext, but we have to trade off the key. And we also present a scheme with a trade-off between ciphertext and key. And you can see the Lewko-Sahai-Waters scheme and our scheme to be the extremes on the spectrum of the trade-off, actually.
And we got the security, which is co-selective, which is actually slightly stronger in the case of revocation. And in the third contribution, we proposed a functional encryption for affine space inclusion, which is called spatial encryption in Boneh-Hamburg, Asiacrypt '08. Actually, I am going to skip this slide, but I just want to explain that Boneh-Hamburg is selectively secure, but ours is adaptively secure. So I will go to the next part to talk about the difficulty of achieving a constant-size ciphertext scheme and how we solve it. So here is our approach overview. We have a warm-up scheme as a selective zero inner product encryption first. And we will use the dual system encryption of Waters from last year to get adaptive security. So it's kind of like a generalization of the IBE case to the functional encryption case. So there are two problems here, because we don't have a selectively secure scheme first. And this generalization is actually non-trivial in the first place. For the first problem, we just show an implication from spatial encryption, but we will omit the detail here and go to the main part, which is the problem of generalizing dual system encryption to the functional encryption case. So since we want to use dual system encryption, I will review that first. The concept of dual system encryption is that there are two types of keys and ciphertexts in the scheme, which are called the normal and semi-functional types. The point is that both types are indistinguishable from each other, but if you use a semi-functional key to decrypt a semi-functional ciphertext, it will fail. So from this idea, they prove adaptive security of Waters' scheme by using game hopping as follows. It begins with the real game and ends up with Game q here on the right-hand side. In Game q here, the challenge ciphertext and all the key queries are of the semi-functional type. So from the definition concept here, the keys cannot be used to decrypt.
So the advantage of the adversary could be zero in the last game. So we can prove security from that. And the point for adaptive security is that the simulator can produce keys for any identity ID. So we can have adaptive security from that. But actually there is some paradox to solve, and this is the most difficult part of dual system encryption, which I explain briefly as follows. In the proof between Game i minus one and Game i, we have the simulation that interpolates between each game. And the simulator can construct a key which is of unknown type. It could be semi-functional or normal, depending on the problem instance given to the simulator, which is, for example, decision linear as in Waters' scheme. But if the simulator can produce a semi-functional ciphertext, I don't have a pointer here, that semi-functional ciphertext, it can actually distinguish Game i minus one and Game i by itself by just decrypting the challenge ciphertext with the key of unknown type. If it fails, it should be Game i. And if it does not fail, it should be Game i minus one. So it's kind of like a paradox, because the simulator can distinguish by itself. So there's no point in the reduction. So how Waters solved that is, he used a scheme with the notion of tags, the tag of the ciphertext and the tag of the key, tag c and tag k here. And he set up the scheme so that decryption can be done only when tag c is not equal to tag k. And in the simulation, the simulator is constructed in such a way that it can simulate only at the tag c which is equal to f of ID, and tag k also has the same value. So the tags of the ciphertext and the key will end up with the same value. So it cannot test by itself. So the point here is here, which is the heart of dual system encryption. So we are back to the difficulty of generalizing this dual system encryption to our functional encryption. So it's not clear in the first place how we should generalize. So the difficulty begins with the fact that we have to consider a critical case.
So in the IBE case, the critical case is only the one ID that is equal to ID star. So it's kind of not so complex, but in the functional encryption case, we have to consider the critical case of x whose inner product with y star is equal to zero, of which there are super-polynomially many such x. So this FE has a much richer structure and it's more difficult to do. So this is the difficulty of generalization to the functional encryption case. So how do we do that? Here's the idea. We set up the scheme so that decryption can be done only when the tag of the ciphertext is not equal to the inner product of tag k and y star. I mean y, the vector y for the ciphertext. And we call this the aggregate tag, and we look back to the IBE case to set up the system for this decryption condition. Waters uses ID-based revocation inside the scheme. So to generalize this to the aggregate tag, we use the notion of non-zero IPE of tags. So it's kind of confusing at first, but if you see the summary here, you can see the similarity from the IBE world to the FE world. Waters uses Lewko-Sahai-Waters ID-based revocation, which is the negative analog, to prove security of adaptive IBE. But our scheme uses non-zero IPE, which is the negative analog of zero IPE, to prove adaptive security of our adaptive zero inner product encryption. So this is why our two contributions are related like this. I will not go into the detail of how to use non-zero IPE to prove contribution one, but I will go to problem three, which is how we can generalize ID-based revocation to construct non-zero IPE with constant-size ciphertext. So I will review that revocation scheme first. So actually it's quite detailed here. I will speak only about the simplified form with one revoked user. So the intuition of the revocation scheme of Lewko-Sahai-Waters is that decryption can be done when ID and ID dash are not the same. So you can see this denominator here. We can compute it when they are not equal.
So the revocation can be done. But behind the scenes, we have an abstract interpretation like this. Actually the key and the ciphertext will form a two-equation system like this, and the decryption condition is actually equivalent to solving the system, which is equivalent to the determinant of M being not equal to zero, which is actually the value of ID minus ID dash. So we got that intuition behind the scenes here. And since we are going to generalize to n dimensions, we will look at the case of n revoked users. In that case, they set up n systems of local two equations here like this. And I will speak briefly about the difficulty of constructing non-zero IPE from the n-revoked-user ID-based revocation. There are two difficulties here, because the first one is that the decryption condition is a generalization. In the ID-based revocation case, we can decompose into n systems. But in inner product encryption, all n dimensions are correlated. So it's non-trivial. And even if we can use the technique from LSW, the scheme is of constant, I mean linear size, ciphertext. So we have to use some new technique here, and we propose a technique called the n-equations technique. We use a system of n equations. And we have a problem here of constant-size ciphertext and how to define the matrix so that the system is solvable when the inner product is not zero. And we solve this by doing some kind of trick here, but I am not going to say the detail. You can look at the paper, and we got the abstract interpretation here and we transform back to the algorithm and we got the scheme. So here is the complete view of our contributions in the paper. We also have another one but I will neglect it here. Here is the summary. We propose FE, functional encryption, for zero inner product. Previously it's linear-size ciphertext and selective security. We propose a scheme with constant-size ciphertext with adaptive security but without anonymity.
Under decision linear in prime-order groups, and it extends somehow, and we also do that for non-zero inner product also. So thank you very much. That's all. Thank you.
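
The encoding described in the talk (key vector X as the coefficients of a policy polynomial, ciphertext vector Y as the powers of the attribute z, match when the inner product is zero, or non-zero for the negated policy) can be checked with the following added example, which is not code from the talk or the paper. It covers only the predicate F(X, Y) that a non-anonymous scheme lets the receiver evaluate on attributes sent in the clear; no encryption is performed, and the modulus, attribute values and function names are assumptions made for illustration.

```python
# Added illustration: predicate layer only; nothing is encrypted here.
P = 2**61 - 1  # constructed prime modulus standing in for the group order

def poly_from_roots(roots):
    """Coefficients, lowest degree first, of prod (z - r) mod P."""
    coeffs = [1]
    for r in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - r * c) % P      # contribution of -r * c * z^i
            nxt[i + 1] = (nxt[i + 1] + c) % P  # contribution of c * z^(i+1)
        coeffs = nxt
    return coeffs

def key_vector(roots, n):
    """Key attribute X: OR policy over `roots`, padded to length n."""
    coeffs = poly_from_roots(roots)
    if len(coeffs) > n:
        raise ValueError("policy degree must be below the vector length n")
    return coeffs + [0] * (n - len(coeffs))

def power_vector(z, n):
    """Ciphertext attribute Y: (1, z, z^2, ..., z^(n-1)) mod P."""
    return [pow(z, i, P) for i in range(n)]

def inner(x, y):
    if len(x) != len(y):
        raise ValueError("vectors must have the same length")
    return sum(a * b for a, b in zip(x, y)) % P

def f_zero(x, y):
    """Zero-IPE predicate: decryptable iff <X, Y> = 0, i.e. f(z) = 0."""
    return inner(x, y) == 0

def f_nonzero(x, y):
    """Non-zero-IPE predicate (negation): decryptable iff <X, Y> != 0."""
    return inner(x, y) != 0

def candidates(x, stored, predicate):
    """Indices of stored ciphertext attributes the key matches, no decryption."""
    return [j for j, y in enumerate(stored) if predicate(x, y)]

N = 4                                                   # vector length n
STORED = [power_vector(z, N) for z in (5, 42, 17, 99)]  # constructed attributes
KEY = key_vector([17, 42], N)                           # policy: z = 17 OR z = 42

if __name__ == "__main__":
    print("zero-IPE matches:    ", candidates(KEY, STORED, f_zero))
    print("non-zero-IPE matches:", candidates(KEY, STORED, f_nonzero))
```
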