 Hello everyone, my name is Xu Yu Wang. I'm from UESTC. Our title is Fine-Grain Secure Attribute Based Encryption. Let's join the work with Jiaxin Pan and Yui Chen. For cryptographic scheme, we usually require that Hanoi's party can run the scheme in polynomial time and the scheme can be secured against polynomial time adversaries. By now, there have been a great deal of works constructing cryptographic schemes, not as secure based on one-way functions, factoring, discrete logarithm, DDH, LWE, or even existence of generic groups and algebraic groups. However, we do not know whether these assumptions hold, so it's desirable to use no assumptions or mild complexity worst-case assumptions so that we can still have cryptography even if, for example, one-way functions do not exist, but in the long history of cryptography, it has turned out that this is quite difficult. Fine-Grain cryptography gives us a direction in approaching this problem, instead of considering polynomial time on its parties and adversaries. We only require that Hanoi's party uses less resources than adversaries. And the resources of an adversary such as the running time, the memory, and the circuit dips can be prior-bounded. Under this setting, it's possible to make the underlying assumption extremely mild and make the scheme very efficient. This field was initialized by Merkel and there have been many fine-grain primitives proposed such as key exchange, one-way functions, PKE, verifiable computation, hash proof systems, and trapdoor one-way functions. But notice that there are still many important fine-grain primitives that are not known to exist such as signature. In this work, we propose the first fine-grain secure IB scheme, which is secure against adversaries with bounded circuit dips. It follows the BKP framework by Blaisea and others, which constructs IB from a fine max. And the CIGW framework by Chen and others, which constructs AB from predicated encodings. We first propose a fine-grain verging of the fine-max in the BKP paper and generalize it by using parts of a predicated encoding. And then we combine it with other parts of the encoding with some new techniques to construct AB schemes. Our construction essentially implements a dual system in the fine-grain setting. The proof for the MAC and the general construction of our AB switch functional user secret keys and functional ciphertexts to semi-functional ones respectively. Similar to the work of CIGW, by instantiating the underlying encoding in different ways, we obtain an IB scheme, which in turn implies a signature scheme and AB schemes supporting various types of Boolean predicates and also broadcasting encryption and fuzzy IB in the fine-grain setting. All the instantiations are computable in AC02 and secure against adversaries in NC1. The assumption is that NC1 is not equal to parity L slash poly. This assumption is widely believed to hold. Also, we know that all the computations are over GF2. This setting is exactly the same as the boundary circuit setting in previous works on fine-grain cryptography. Here, AC02 includes circuits with constant depth, polynomial size, and unbounded fine using and or not, and parity gates. NC1 includes circuits with logarithmic depth, polynomial size, and fine-to-gates. Note that NC1 includes AC02. Priority L poly includes log-space Turing machines with parity acceptance. We now recall the definition of ABKM, which can be easily converted to AB by using a symmetric key encryption. An ABKM consists of four algorithms. The first one is GIN, which takes as input the security parameter in lambda and outputs a public key pk and a secret key sk. The user key generation algorithm takes as input a secret key sk of value y and outputs a user secret key usky. The encryption algorithm takes as input the public key of value x and outputs a separate text and also a session key. The decryption algorithm takes as input the user secret key of value x and the separate text city and outputs the session key. Correctness holds if the session key k can be correctly recovered by deck, which is the decryption algorithm if pxy is equal to 1. Here p is the boolean predicate. This is the security game. The adversary takes as input the public key and makes many queries y to obtain user secret keys and also makes one query x to obtain the challenge separate text and also the corresponding session key k star. Security holds if k star is indistinguishable from relevance when pxy is not equal to 1 for all queried y. I became is a special case of a became where the predicate is restricted to be the equality predicate and can be easily converted into IBE. For simplicity in this presentation, we only give the high level idea on how we construct an IBE. Our construction of fine grained IBE borrows the BKP framework. Recall that in this framework, the IBE is constructed from a fine mic which is secure under the MDD assumption. The construction heavily relies on the symmetric pairing and it's necessary to compute the inverse of matrix in the security proof. However, we have no pairing and MDD assumption in Nc1. And we cannot compute the inverse of a matrix in the Nc1 world. We now need to find the counterpart of the MDD assumption. Although the assumption that Nc1 is not equal to parity Lpoly does not directly give us tools to construct cryptographic schemes. De Guica and others showed that this assumption implies the indistinguishability of two distributions, which are zero-samp and one-samp against Nc1 adversaries. Here, zero-samp outputs ranked deficient matrices and one-samp outputs full-rank matrices. And EGUSHRA and others showed that this implies a hard subset membership problem. This problem says that it's hard to distinguish a vector sampled from some PS and a vector from some NO for Nc1 adversary. Let M0 top be the inputs of some PS and some NO where M0 is from zero-samp. Some PS samples vectors from the span of M0 top were some NO samples vectors outside the span of M0 top. Next, I will give the construction of our fan mic. The construction of our fan mic is similar to the one in the BKT construction. The secret key consists of a matrix B whose transposition B top was sampled from zero-samp. A sequence of random vectors x0 to xn and run beat x prime. The tag consists of two parts T and U. T is a vector sampled from the span of B. And U is computed by a fine equation of xi top T and x prime with coefficients derived from the message which is denoted by id here. In the security game, the adversary queries messages and obtains the corresponding tags. At some point, it makes a challenge query id star and obtains a token which consists of h0 and x prime. x prime is part of the secret key and h0 is also computed by a fine equation. Security holds if x prime is indistinguishable with the random beat when id star is not equal to all the queried messages. The security proof follows from the fact that when switching the distribution of T from sum PSB to sum NOB, x prime is information theoretically hidden in U due to linear independence. We omit the details here and please see our paper for more details. Next, I will give the construction of our IV game. Let's recall two facts given by Agashina and others at first. The M0 biometric sampled from 0samp and M1 biometric sampled from 1samp. The distribution of M0 top plus n is identical to the distribution of M1 top. Here n is matrix with the bottom left entry being 1 and the other entry is being 0. Another fact is that the distributions of M0 top are 0 and M0 top are 1 identical, where r0 is run vector with the first beat fixed as 0 and r1 is run vector with the first beat fixed as 1. We now give the construction of our IV game. The key generation algorithm samples the transposition of a matrix A from 0samp and the secret key of our FM mic. Then it commits to the vectors xi by computing yi top xi times A. It also commits to the run beat x prime in the secret key in the same way. The public key consists of A and the commitments. The secret key consists of a secret key of the underlying mic and the run miss yi and y prime used to commit to the values. The user key generation algorithm generates a tag of the FM mic and computes a fine equation of yi t and y prime to generate vector v. v can be treated as a proof that the tag was correctly computed. The encryption algorithm first samples a run vector with the first beat being 0 and vectors c0 and c1. c0 is ar and c1 is computed by a fine equation of zir. The session key k is equal to z prime r. The decryption algorithm is designed similar to the BKP framework. But notice that the pairing is not necessary now. Since the computations are not in the groups. The crucial step in the security game is to construct a reduction break in the security of the underlying of FM mic. And at the core of the proof, we developed a new technique to extract the forgery of the FM mic from the adversary. What's specifically, we switch the distribution of the matrix A twice and change the distribution of the randomness r during the switching procedure. We now give the sketch of our security proof by using several hybrid games. Game 0 is the original game where the adversary obtains the public key and makes ID queries. At some point, it makes a challenge query ID start to receive several text consisting of c0, c1 and also the corresponding session key. Game 1 is the same as game 0 except that we additionally add a with the constant matrix and we mentioned before to generate c0, c1 and k. One can check that when the first bit of r is 0 and r is equal to 0. So this does not change the view of the adversary at home. In the next game, we switch the distribution of A top to 1 sub. This does not change the view of the adversary due to the indistinguishability between 1 sub and 0 sub. We now fix the first bit of r as 1 instead of 0. Notice that A plus and top is a matrix from 0 sub now and the fact about 0 sub we mentioned before shows that this change does not affect the distribution of A plus and r. Also notice that y0 top x0 times nr is equal to x0 and y prime top x prime times nr is equal to x prime instead of a 0 matrix now. This allows us to extract x0 and x prime from c1 and k later. Next, we switch the distribution of A top back to 0 sub. In game 5, which is the last game, we do not use the randomness yi and the secret xi to generate zi anymore. Instead, we generate zi as 0 di r0 top. Di is equal to yi top plus xi s top and it reveals no information on xi. And r0 and si intermediate values used by 0 sample and they are independent with yi and xi. Also, we can redefine z prime in the same way. Now we can prove that v reveals no information on the secrets except for u which is a tag of the fi mic. Also, we can prove that c1 reveals no information on xi except for x0 plus the sum of i di xi. This is exactly part of the token in the security game for the fi mic. This allows us to make use of the security of fi mic to show that x prime which is another part of the token is indistinguishable from randomness which means that the session tk can be switched to randomness. By doing the steps in the reverse order, we can prove that k is indistinguishable from randomness in the original game which completes our proof. Also, notice that in the security proof, we did not compute the inverse of matrix and all the computation sign in c1. Otherwise, the proof does not hold. We also show that the red parts of our i became essentially used the encoding for equality and can be generalized as predicating codings proposed by cjw. In this way, we can generalize our i became as an a became. This extension can also be used in the standard world, not only the fine green world. This is the conclusion of our work. We proposed a general construction of fine green a b scheme secured against nc1 adversaries and computable in ac02. The assumption is worst case complexity assumption which is very mild. It has many types of instantiations including a fine green ibe and a fine green signature scheme. Also, we know that our techniques can also be used to construct an efficient fine green QNISC. Please see our paper for more details. Thank you for your attention.