 Great, thank you. So let me start off with the definition of predicate encryption. So predicate encryption, in the predicate encryption, the game takes place between four different players. You have Alice, Authority, a cloud server, and Bob. In a first phase, the Authority issues a master public key and gives it to the user Alice. It can also issue different secret keys with respect to different predicates and given to different users. For example, Authority can issue a secret key for a predicate P and give it to the user Bob. Given the master public key, Alice can encrypt an arbitrary message M together with a secret attribute vector X and upload it to the cloud server. Any user can come in and download the ciphertext from the cloud server. The basic correctness properties of predicate encryption say that the user holding a secret key with respect to a predicate P and a ciphertext learns the message M if the predicate evaluated on the attribute vector is equals to one and learns nothing otherwise. The security informally says the following, that an adversary can only learn the message or the secret attribute vector if it's, so no adversary can learn the message or the attribute vector given many secret keys for different predicates P1 up all the way up to P sub N. And the subject to the constraint is that for all of the secret keys that the adversary holds, none of them should be able to decrypt the message individually. That is for all I, PI of X is equals to zero. Okay, let me give you an example of a predicate encryption. So suppose Alice wants to protect her contact information and upload it to a magic.com website. At the same time, she wants to include her criteria as for example, her height, the major that she's tied in as the secret attribute vector. Any user can come into this cloud server and download the ciphertext, but the users are also restricted with a special secret keys with their preferences policies. And using the predicate encryption, you can ensure that the user Bob only learns Alice's contact information if and only if she matches his preference. So to give you a distinction between the predicate encryption and an attribute-based encryption, the key feature is that the attribute vector X is hidden. So what do we know about predicate encryptions? Well, there are a variety of constructions for predicate encryptions for different functions. For example, some of you know about anonymous identity-based encryption. It's a special case of predicate encryption. There are also predicate encryption schemas for conjunctions, range queries, or inner products. And they all can be realized from a variety of assumptions such as bilinear or learning with errors. But unfortunately, all of those constructions fall in the complexity class of NC1. That is the secret keys for the predicates that you can issue are restricted to be from NC1 complexity class. Now, there is a different line of work that realizes a more powerful primitive such as functional encryption for arbitrary circuits. But unfortunately, all of those constructions rely on multilinear maps. And as we know, as of today, there are no good candidates of multilinear maps that we can use. So the standard problem that we're facing is whether or not we can construct the predicate encryption for arbitrary circuits from standard assumptions. And this is what we achieve in this work. So we'll construct the predicate encryption for arbitrary circuits, secure assuming sub-exponential hardness of learning with errors. The schema satisfies the following parameters. So first, it works with the a prior bounded depth. So the depth for the circuits for which you want to issue different secret keys has to be bounded before the setup algorithm. And the second feature is actually a nice feature. And it says that the secret key with respect to a predicate P is of size proportional to the size of the description of the predicate P plus some polynomial overhead in the security parameter and the depth of the circuit. So clearly you have to specify in the secret key the description of the predicate P and that's the best you can hope for. And there is some additive factor of polynomial in the security parameter and the depth of the circuit that you have to pay for. Okay, so now that I told you what predicate encryption is and told you our result, let me tell you how we're going to construct it. First, I'm going to define a new primitive which we call a partially hiding predicate encryption. And then I'm gonna show you a transformation from a partially hiding predicate encryption to predicate encryption. And I'm gonna spend a little bit of time telling you how to construct partially hiding predicate encryption. So let's begin. What is a partially hiding predicate encryption? Well, the interface is very similar to the standard predicate encryption except that the ciphertext now takes two attribute vectors, X and a Y. Now the X is the public attribute vector. Think of an attribute-based encryption type of attribute vector and Y is the secret attribute. That is the attribute as in a predicate encryption. But the correctness is that the user holding a secret key with respect to a predicate P and the ciphertext learns the message M if the inner product of the predicate P applied on the public part X together with Y is equals to one and nothing otherwise. In other words, you can apply the predicate P only on the public part of the attribute and you can only take the result and put an inner product with that with respect to the secret Y. So now we know that what the partially hiding predicate encryption is. It seems like a pretty weak primitive. You can only take an arbitrary predicate and apply it on the public part. Let me tell you how to use it together with a fully homomorphic encryption to construct predicate encryption. The starting point for our construction is going to be a transformation by Goldwasser at all. We're gonna use some of the techniques relying on that paper. So let's recap what it is that we want. We want to encrypt the private attribute X together with the message M. What we have is a partially hiding predicate encryption and the first thing that we're going to do is we're going to take the attribute X and encrypt it with a fully homomorphic encryption. So we're gonna generate a fully homomorphic secret key encrypt X. The result, the result in Cypher to X prime, we're going to treat as a public component for the attribute of partially hiding predicate encryption and the secret key from the fully homomorphic encryption is gonna be treated as a secret component of the attribute of the partially hiding predicate encryption. We're gonna take the Cypher text and the secret key and the message, run it through the encryption algorithm to obtain a Cypher text. Now how we're going to generate a secret key for predicate P? Well, what we're going to do is we're going to generate a secret key for related predicate. We're going to compute a predicate P prime, which is a fully homomorphic evaluation circuit with respect to the predicate P and we're going to feed it through the partially hiding predicate encryption key generation algorithm to obtain a secret key for the predicate P prime. Now put together, let's see what we get when we try to apply the decryption algorithm. By the correctness properties of the partially hiding predicate encryption, running the decryption on the Cypher text and the secret key, the user learns the message M if the inner product of the predicate P prime evaluated on C prime together in a product with a fully homomorphic secret key is equals to one. So what do we get? Well, let's expand it a little bit. C prime was a fully homomorphic Cypher text. Now when we take P prime evaluated on C prime, what we get is a fully homomorphic Cypher text, which is an encryption of the result of the computation P of X. Now, how does this help us? Well, what we know is that there exists a fully homomorphic encryption scheme from learning with errors assumption satisfying the following semantics. So first the Cypher text lives in ZQN, also the fully homomorphic secret key lives in ZQN. Moreover, the decryption algorithm is nothing more than an inner product of a Cypher text and a secret key followed by a rounding operation. Now, as we can see in the partially hiding predicate encryption, I almost get the fully homomorphic decryption algorithm. So I'm almost able to check the result of the computation whether or not P of X is equals to one or not, except that I have to take care for this rounding operation. For this talk, I'm not gonna tell you how to take care of this rounding operation, but it turns out to be very easy by issuing multiple secret keys for very related predicates and you can handle this rounding operation. And a result, you do get what you want. You get the message M. If the inner product of P of X is equals to one. So now we have a transformation from partially hiding predicate encryption to predicate encryption. Let me tell you a little bit how to construct it. And the starting tool for this construction is going to be a hemo-homomorphic trapdoor function introduced by Bonnet et al. in the context of attribute-based encryption. So in that setting, they didn't care about how to hide the attribute whatsoever, but we're gonna use this primitive in a not-blackbox way to achieve what we want. So let me tell you about this primitive a little bit. So it's a family of trapdoor functions satisfying the following semantics. You have an additive and multiplicative homomorphism with respect to the keys. In other words, if you take a function and evaluate with respect to a public key pk sub one on some secret S and add it to another function, evaluate with respect to a different public key pk two on the same secret S, then what you get is a function evaluation with respect to the addition of public keys evaluated on the same secret S. And a similar homomorphism holds with respect to the multiplication. So we know that we can construct this key homomorphic trapdoor functions assuming hardness of learning with error's problem. Now, before I tell you how to use this primitive a little bit, let me modify it slightly to help me. So let me say that it's a family of trapdoor functions parameterized by the public key that consists of two components, a public key followed by some scalar x. And when I refer to the homomorphism, I refer to the component-wise homomorphism. That is when you take a function evaluated with respect to the public key and some scalar x one evaluated on a secret S, then you can add it to another function evaluated with respect to the different public key pk sub two on a different scalar x two. And what you get is a component-wise addition of the public keys and the scalars. And the similar operations hold with respect to the multiplication. So you can multiply it to different functions, evaluate it with respect to different public keys and different scalars, and you have component-wise multiplication. Okay, so let's put it together. Let's suppose we fix a master public key as a collection of regular public keys pk one up to pk sub n. And we'll fix an attribute vector x, which consists of many scalars x one up to x sub n. We can take an arbitrary predicate p and evaluate it over the collection of these functions applied with respect to different public keys individually. So we take the predicate and applied of the collection of this function with respect to the attribute vector x. And a result through the homomorphic properties of this function, what we get as a result is a function evaluation, which is evaluated with respect to the homomorphically derived public key. So it's p evaluated with respect to mpk followed by p evaluated on the attribute vector x evaluated on s. Moreover, we can invert the result of the computation and get s if we're given the corresponding trapdoor function. So if we're given f evaluated with respect to the homomorphically derived public key followed by the result of the computation p of x. Okay, so as I told you, this primitive was used to construct an attribute-based encryption which doesn't require any hiding whatsoever on the attribute vector, but let me tell you a little bit more on how it works. So let's expand and see how these homomorphic operations are performed. Suppose I have a very simple predicate that consists of a multiplication and addition. And suppose I have just three bits at the input followed by attribute vector x, which is consist of x1, x2 and x3. I can take the function evaluations corresponding to the input bits, x1, x2 and x3. I can now multiply them homomorphically to get f evaluated with respect to the multiplication of public keys followed by the multiplication of scalars evaluated on s. And I can do the same thing for the addition. And the key observation that we make is the following. First, you can perform the multiplication knowing only x1 or x2. So in other words, you only have to know one of the two inputs corresponding to the input wires of the multiplication gate that you're evaluating. You don't have to know the other one. Moreover, you can perform the addition without knowing any of the inputs at the wires corresponding to that gate. So you can take the function and add them with respect to different public keys and different index bits. And you don't have to know what these index bits are to perform the homomorphic addition. And as a result, you don't have to give all of these vector scalars as in your ciphertext. So you don't have to give x1, x2 and x3. You can only give x1, then you can perform the homomorphic multiplication and then you can perform the homomorphic addition. So what can we do with this? Well, it turns out that if you have this kind of a property, then you can construct a partially-hidden predicate encryption simply for inner products as a step one. So let's suppose we fix the public key to consist of two different public keys. One, they're gonna correspond to the public components of the ciphertext that we're gonna give in clear and the other one is gonna correspond to the secret components. Now in the predicate that I care about is simply an inner product of x and y. And my goal is to make sure I can perform this homomorphic computations without giving you y. So only giving you x and clear. So as I told you, you can actually do this. So for every multiplication, when you want to multiply functions evaluated with respect to x and y, you only have to know one of the inputs. And this is the input that I gave you in clear. This is the x. So you can multiply those functions together and more you can add all of the functions at the output gate without knowing any of its inputs. So you don't have to know what x1 times one y is in clear. And the result what you get is a function evaluated with respect to the homomorphically derived public key, which is an inner product of the public, a master public key corresponding to the public component and the master public key prime corresponding to the secret component followed by the result of the computation that is the inner product of x and y. Okay, now we're not happy with just inner product and we said that we wanna evaluate an arbitrary function p with respect to the public component. The question is, can we do this? Well, yes we can because as I told you, if we were given the entire input in clear, then you can apply arbitrary computations over it, arbitrary additions and multiplications and you can feed the result as the result of the computation into the multiplication gate. So what do we get? Well, we get a inner product partially hide and predicted encryption on steroids. So suppose we fix the master public key to be the same, consists of two components, one corresponds to the public part and the other one corresponds to the secret part and the predicates that we can now evaluate consist are more expressive. So it's a predicate p prime evaluated on x which is a collection of predicates p1, p2 and p3 applied separately on the public component x. You can apply arbitrary predicates because you're gonna know the input x in clear and then you can take the result and taken in a product of that with a secret y. So we do get exactly what we wanted, we can evaluate arbitrary predicates on the public component and taken in a product with a secret component and I don't have to give you the secret component in clear. Okay, so now I gave you this overview. Let me just summarize how the construction is going to look like in terms of components. So your master public is divided in two parts, the public, the master public key corresponding to the public part and the secret part for this key homomorphic trapdoor function. Your ciphertext also consists of two components. One set of components is the key homomorphic trapdoor function evaluated with respect to the public parts of the ciphertext and the public parts of the master public key followed by the secret part. So f with respect to the master public key prime evaluated on the secret component y applied on s. You also have to give the public component x and clear and finally you take a one time pad of the secret s with a message m. Now what is the secret key? Well the secret key is going to be a trapdoor function for the function defined with respect to the following public key. It's a homomorphically derived public key with respect to the p prime evaluated with respect to the public part mpk in a product with a secret part mpk prime followed by one. And one here really indicates the intention of the predicate encryption that is allow the user to decrypt when the result of the computation is equals to one. So when the user performs the decryption, the user simply applies the predicate p prime to the collection of homomorphically given components corresponding to the public part and then takes them in a product of that with a secret part and put together if the result of the computation is one then given the correct trapdoor function the user can invert and recover s. Once the user recover s he can recover the message m and achieve their desired result. Okay, so in this talk I only gave you a high level overview. We're not using this key homomorphic trapdoor function in a black box way. We actually have to do a non-black box construction. There are many setups that didn't go into the security prove the correctness and so on and so forth. So I'm gonna refer you to the paper for this. So finally let me mention some open problems. So open problem number one is the construction of function encryption for circuits from standard assumptions. So such as learning with errors. And let me know that the predicate encryption is only one step away from this. In particular we're able to compute an arbitrary predicate p on the secret component of the attribute vector and the catch is actually in the security definition. In the function encryption you are required to guarantee security even if when you allow to decrypt completely and learn the message. Whereas in our case you will only guarantee security with respect to the users that are not allowed to decrypt the message m. There are some additional interesting open problems such as removing the depth dependency in all of these constructions. We have a bootstrapping theorem for fully homomorphic encryption and we don't know any similar bootstrapping theorems with respect to attribute based on predicate encryption. And finally I wanna mention the construction of predicate encryption for different unbounded models of computation from standard assumptions such as Turing machines, RAM programs, and so on and so forth. Thank you.