 Hi everybody and welcome to my presentation on inner product connection encryption with fine-grained access control. This is joint work with Michelle Abdullah, Dario Catalano and Roman Gay. I will briefly recall the setting of functional encryption. Here we have two parties Alice and Bob. Alice has a massive public key and some message. So it decrypts the message under the public key, the massive public key. And Bob, being in possession of the encryption key associated to some function F, it can decrypt and it will obtain the function of the message and not the message itself. This master public key and the secret key are generated by some master authority. There's a security we want that the encryption and the secret key for the function F only like F of M and no other information about the message. We are interested in unbound collusion in the setting. And, which means that we, we, we consider security with respect to Q secret keys. So we have two functions F1 all the way up to FQ and this Q is a polynomial which is not set up in advance. So then this scheme is unbound. So again, we only want to leak F1 of M FQ of M and nothing else about the message. We know that function encryption is roughly equivalent to insubstantial application. So our application candidates are inefficient. In practice, we want to look at efficient constructions based on standard assumption and a known direction, a very explored direction is to consider by previous work is to look at a different direction. And here, Alice now has a vector x, which it says to to Bob, it says to Bob the encryption. And Bob, it's a good key now is associated associated to some vector y, x and y live over CP to some dimension D. And when it decrypts it gets in a product of x with y. And in this paper we're interested in bounding a product. So we're interested in the case where the two norms are mounted. So this is a group of primordial P. So in terms of this, this is the enterprise function encryption has been extensively studied in terms of semantic security, the the goal is to only live in a product as before and so the functionality and nothing else about the play text. So we can also consider industry with security, where you want that these two ciphertext are for X zero and X one, our competition and distinguishable. And because you can always. If you have some security you can always perform descriptions, you want that you cannot trivially distinguish so you want to have this additional trivial relations, so that you cannot really distinguish. It turns out that if you have the keys. So, so here, for example, the keys for the canonical vectors. Then you can, you can decrypt and you can obtain the first component second point of X. In fact, you can compute, you can recover the entire plain text text. So as long as you have dealing your independent vectors, you can completely recover the plain text. And in practice, this means that you have to to keep track of the keys that you generate because as soon as you get to this then you don't have security anymore. I mean, the plaintiffs are completely recoverable. So, a natural question that we ask is whether we can, we can tune this liquid somehow. So here we consider a combination of inner product function encryption and attribute based encryption. Now ciphertexts also take an additional parameter piece or policy P, the encryption and secret keys also have this additional parameter the attributes. And when we decrypt we want that if the policy is satisfied then we can get the inner product and if not then you should get nothing should get bottom. So another way to think about this question is, you know how to construct a be and we know how to construct IPFE but is there any technical problem in combining them. And alternatively you can consider and consider the question of what is the richest functionality that we can get from standard assumptions. Our results are two schemes. One is in pairing groups. And here the policies can be monotone spam programs in a product benefit encryption so orthogonality testing where the attributes are hidden. And these schemes are adaptively secure. And we also propose some lattice based schemes, which achieve adaptive security in the random worker model and selectively the standard model. So take away at least in the pairing board would be that what we know how to achieve the policies that you know how to achieve with a be right now. We can we also know how to. Now we also know how to how to construct this, this, this, this scheme where we have functional encryption with the a be policies. So what's before I explained the some high level ideas of our scheme. Let's try a trivial approach. And here, let's see what happens if we just consider two layers layer of AB and a layer of IPFE. And the secret key so we encrypt with with an IPFE layer, we can deploy text and we add. On top of that and attribute based encryption later. We just to the pair of two keys. So the AB key and the other function encryption key. But this is insecure and to see why you can consider this keys for attribute zero for why zero and at one for why one where the policy is only satisfied by attribute zero but not by attributes one. So then what is the attack, you can decrypt using the blue component of the blue key, you can decrypt the AB layer. Because the policy is satisfied, and then you're left only with the IPFE layer. And then you use the green component of the green key to to decrypt the IPFE layer and get, you know, product of x with y one. But recall that when the policy was not satisfied when it was zero we should we're supposed to get bottom so instead of getting bottom, we get x one y one. And the reason for that is basically we can mix and match keys there is no. The two components here are not linked in any way, they are independent of each other. So we can mix and match. So let's look at the ideas on how to solve this. The very basic construction uses the following building blocks so we, we, we, we use the dual system AB of waters, and the ALS scheme for enterprise fashion and encryption from LSE. And we need an additional technical tool which is predicate encodings. This can be seen as a one time secure private key statistical variant of AB. And I will not explain in detail what this predicate encodings are, I will just take an example for identity base encryption. So here, the secret key will be will consist in three scalars from ZP to the three. And to encrypts. We have a one time path of alpha plus M, and these two additional. So this additional quantity of w zero plus ID w one. The region has the same quantity with respect to ID prime but it adds to it alpha. So now let's see how do we so you can see that all of this is linear with respect to alpha w zero and w one. So how do we do how do we decrypt we can decrypt linearly. And to do that we just subtract from the blues from the blue term we can subtract the green term. And the identities match is w zero plus ID prime w one is the same as w zero plus ID w one. The two terms disappear and we only left with alpha. And if ID is different from ID prime, then since we have two unknowns. And the ideas are different and we can argue that the two terms are pairwise independent and no information is statistically leaked about alpha so then M is also secure. And from from previous work that dual system encryption can boost the security of this one time primitive and this one time predicate encoding to to obtain fully fledged attribute based encryption. So let's look at if this predicates can be adapt somehow to have functional encryption for inner products. So what, what do you do for that. You consider some vector alpha now instead of the scalar alpha. And the kitchen so this term is the same and the kitchen now is changing alpha is dinner products now with white with a vector why and our secret key. If the key if the identities match, then we can decrypt linearly by subtracting so we multiply the gold part with white transpose. And with the way we subtracted the blue part. And we are the good part so as before when the identities match this term over here reduces this term over here. Alpha transpose so this is reduced from this and alpha transpose times y is reduced disappears because of this term. So we only left it in a product of x with y. And at a high level. What we do is to look at the previous compiler sent to get a compiler which also adds in a product functional encryption to the mix. So here we are interested in adding some, some kind of, you can think somehow this terms over here this alpha plus x, and this alpha transpose times y over here. So what would be a proof sketch for our scheme. If we wanted to. We could switch the challenge vector city x star star in the presence of the master public you so you can you can compute encryptions, honest encryptions, and you have some keys, SKY at the idea would be if the policy doesn't match, then you can argue this using the security of the security, that to be based on security, and if the policy doesn't match if the policy does match. Then, so this is a case which didn't appear in a be so maybe if the policies match then you can just keep the message, and you don't have to argue anything anymore. But in this case now we still need to argue that if the product is the same then the vectors are distinguishable. But that we need we we for this additional step that didn't appear before we have to use the security of the skin. And what I want to mention is that this can be selected within both the building blocks are adaptively secure. And to see why. We need to know the policy in advance and in fact we don't really need to know the policy we need to know just this beats zero or one. So that we know how to switch the key through which branch we switch the key to to to get that security, which you also prove for different scheme. We need to generalize pedicat encodings and we introduce in a notion of functioning coatings. And here we deal with technical problems which were previously encountered in previous work. We're setting a fully hiding pretty good encryption for in your product testing. So what are functioning coatings again they are a one time secure private key statistically secure scheme. And if you want to see the exact definition you can take a look at the paper now I will just look at the identity base case. Here the secret key has it consists of two vectors w one and w two to encrypt we we do something similar to the predicate so we do x plus w one plus I did that w two. So this is what transpose times this. And as before, if the identity is match then we can just multiply to the left, what transpose. What the grid term and subtract the purple term, the blue term. How do you argue security well, if the identities match, then you want to, you know that you get the inner product of x with y, because you can partially decrypt. So, then we we just use the fact w one, since it's a random factor, plus this difference is identically distributed to some w one prime, because w one is uniform and random. And now we just look at the green term, and this w one, we will replace with this term over here. And x zero basically reduces itself and we only left to x one plus w one plus it times two, which is exactly the encryption of x one. So of course this only works if we have the trivial, trivial relation between x zero and x one. And if they are not if the, if we have the same identity for the ciphertext, but we don't have decryption, then we do we need to do something different, I mean, we do the same thing but you also need to consider the leakage that is provided by this additional term in the decryption, which doesn't allow to decrypt. And, but the idea is the same now, even in the presence of this w one, the first term is, you can make this difference appear here. And you can get from encryptions and x zero to encryption that's encryptions and x one. But for more details, I will point you to the paper. So, we get an adaptive secure scheme for multiple spam programs and for what are the testing with hidden attributes so in a product product encryption. And now I will discuss a bit related work. There is this three papers that have looked at the similar, similar schemes in the context. So their purpose was to use them to build affuscation and this was the affuscation candidates. And they can support richer functionalities so they can support quadratic functionalities. So we can, we have inner products and one of the spam programs, one of the spam programs from a practical point of view are the same as NC one. And what I wanted to say is that all of these constructions are relying on parents. Now what we have even though we only do it for inner products we do have adaptive security which is what we will want to practice. So we have three schemes over here only have selective security, and we do have public key. We have a public key scheme. But there is also very interesting related work which considers other functions so for example attribute with subs. And this work which has quadratic functional encryption, and the policies are also NC one. So, and the only drawback would be that the security select. But for more details you can see, you can see a discussion in the paper. And now I will talk a bit about talk a bit about the lattice construction. Here we have an adaptively distinguishable scheme in the random model based on the IPFE of a 16 and the identity based encryption of GP 2008. And selective scheme in the standard model, using a BB 10 and a 60. So this is the high level idea. We noticed that in the inner product function encryption of a less description keys are linear combinations of the master secret key. So, in particular the master secret keys matrix, and the description keys are just this matrix multiplied to just to some vector, and to the vector why that for which the keys are associated to which the keys are associated. So our idea is to to start with the idea schemes of either this, this game or the ABB scheme. And to consider linear combinations of description keys for identity of ID. So basically we project the description key for a particular identity ID on the vector why in the description key, which will be just what transpose times the matrix which is SK ID, these two schemes. And it turns out that the results is a combination of the two schemes. So the inner product function encryption scheme and either GPV 2008 or ABB 2010. And as before we argue using the security, either the ALS security or the identity based encryption security. So just to recall the proof sketch we want to switch the challenge. So this is a challenge to the x star with ID star. If we had in the presence of the muscle pick muscle public key and the keys, the description keys SK why with ID. So, similarly to before if the identities don't match then we we switch the key using the identity based encryption security. If the identities match then we can use the ALS security. You can ask why doesn't this yield a selective scheme and for example in the random worker model, it's not the case because we only need to guess the index of the random worker query. So each identity will correspond to to some matrix. This matrix is computed as the random worker applied on the identity. So instead of guessing the identity we only gets the the index of the random worker query. But for more details you can see the proof in the paper. And finally, I will conclude with an open problem of whether one can combine attribute based encryption for circuits with the production encryption. So, so here again we are in the lattice regime. And right now we don't know how to solve this for technical reasons, but it would be to be very interesting to see a solution to this. And just to conclude, and to recap, we we have bearing based schemes where the policies are more than spam programs and in a product benefit encryption and identity based encryption. So with adaptive in the security, and we have lattice based schemes, but only for identity based policies. And they are a battery secure in the random worker model and selective secure in the standard model. Next, thank you for your attention. I hope you enjoy the conference and hopefully see you at the live session. Thank you.