 Hello, today I will tell you about a new universal framework for function encryption that we call multi-party function encryption. The goal of multi-party function encryption is to encapsulate all existing function encryption schemes under a single umbrella, even in the multi-user setting. The starting point of this talk is the notion of function encryption itself, whose roots can be traced back as early as 2005. FA is a powerful notion of encryption that the goal of enabling fine-grained encryption access over encrypted data. Victorially, the intuition behind function encryption can be understood using the following example. Suppose we have three parties, Alice, Pop, and Charlie. Alice has a sensitive data M, Pop has the secret key, and Charlie wants to learn the evaluation of a function M on the secret data. And to compute this, what Pop can do is that Pop can simply give the secret key to Charlie. Charlie can decrypt it, compute F, and learn FFM. But what if we want Charlie to only learn FFM and nothing else about the underlying message? And what if Charlie doesn't want to outsource this computation to Pop, or it does not want Pop to be online for this computation? To capture all such interesting scenarios that go beyond the traditional definition of encryption, the notion of functional encryption was devised. In functional encryption, Pop can actually decrypt or can create some partial decryption keys for a function M, such that given this partial decryption keys, these functional keys, Charlie can perform this computation on its own and learn only FFM, nothing else about the message M. Abstractly, a functional encryption scheme is parametrized by two classes, a function class and an input class. Here we are viewing FE as a scheme in which messages in the input class can be encrypted. And partial decryption keys or functional keys for functions in the function class can be computed such that combining a single saftex secret key pair, you get the desired function evaluation, that is FFM. The function behind security for functional encryption is that, given an encryption of an input X, and polynomially many secret keys, say for functions F1 and FQ, the adversary only learns the evaluations of all those functions that it has a key for, for the underlying message X, and nothing else. And as I was alluding to earlier, FE has been a grand unifier wherein it enabled placing all previously known encryption systems at that time under a single umbrella. For even illustrative purposes, let us consider the simple example of identity-based encryption, which was introduced in 1984 by Adesh Amir. The goal of identity-based encryption is to let the interpreter only be aware of the recipient's identity and script their exact public key. Now, IBE can also be captured by functional encryption by the simple equality check class. Similarly, we can also capture attribute-based encryption, which is much more fine-grained access control system by function encryption by using appropriate function classes as well. And there's so many more encryption concepts that are special in cases of function encryption. Now, since its formalization over a decade ago, FE has turned out to be a very meaningful and powerful cryptographic concept. It has unified not only at all at that time all existing encryption functionalities, but it has helped in predicting new concepts and also served as the right abstraction to study relationships between numerous cryptographic objects including program obfuscation. It has been a radical concept such that it has been further generalized to many more general multi-user models. Now, some of you might be wondering, what do I mean by multi-user model? Wasn't FE already defined for multiple users? And even my simple example, I had already three parties, Alice Vauban Charity. Well, that is true. The point is that despite the incredible expressiveness of FE, the decryption still takes a simple, the single saftex and secret key pair as input. Thus the question becomes, what happens if there are multiple different data sources? Or what if there are multiple independent key holders? Or maybe there's a mixture of both. There are multiple keys, multiple saftex, and we want to learn computation about all of them at the same time. It turns out that this goes beyond the abstraction of regular single-party functional encryption. And to that end, numerous generalizations have been proposed. Let me elaborate on that. The earliest work was by Code Rosarito, where they proposed something called a multi-input function encryption, which was in the domain of multiple data sources. The saftex can be computed for different independently chosen message values, x1 up to xn, and the decryption can combine multiple different saftex given a single secret key and learn the corresponding value f of x1 up to xn. Recently, the notion of MIFE was further generalized to the notion of multi-client function encryption, where the point is that instead of having just basically in multi-client function encryption, the inputs x1 also contains some public labels and the computation only succeeds into public labels for all the input saftex they match. Similarly, there has been much progress in the domain of distributing secret keys as well. But it's been mostly from the perspective of either keyscrew or adding extra functionality. The earliest works were referred to as multi-authority encryption, where there are multiple sources and saftex contain a secret function instead. So here you can see the saftex contains a function gene and secret keys contain some attributes or some input values y1 up to yn. So the evaluation of this decryption functionality is going to give me the valid output of the secret function gene on these particular input values. Recently more such notions such as decentralized function encryption has also been started. Lastly, as I was alluding to earlier, there has been a lot of recent progress on distributing both saftex and secret keys. One of the first works in this line was by Chotar and all, who define what they described as decentralized version of multi-client functional encryption, combining these two previously defined multi-user systems. Briefly, in such systems, we have supposed an n, a polynomial number of saftex and a polynomial number of secret keys. These saftex and secret keys can be combined to learn the evaluation of a function f on inputs x1 up to xn, where x1 up to xn are encoded in the saftex and function f are encoded inside secret keys, all these independent secret keys, as long as the labels of the saftex they match. Very recently, there have been further extent these these notion of decentralized multi-client function encryption has been further extended and generalized to give concepts of ad hoc multi input function encryption, as well as dynamic decentralized function encryption. Where ad hoc multi input function encryption, it generalized the concept of decentralized MCFE to remove labels and add unbounded additive and very recently dynamic decentralized function encryption. It generalized ad hoc MIFE even further to have the concept of totally dynamic and local setup and allowed key combination across different inputs and the secret keys not have the same function encoded inside of them. Overall, this shows that there is a fast unexplored universe of encryption functionality that has yet to be studied. Additionally, the study of function encryption in the multi user setting has been similar to the pre single user, these pre single user function functions in the multi user setting today where many new models were proposed and studied and it seemed that they were quite related and but it was often difficult to understand how they compare to each other and whether they use related techniques and what is known in terms of visibility for different functionalities. And this has been going on as well in the multi user setting today, because we have these amazing different models of multi user encryption systems for functional systems like distributed ciftex, distributed keys, and both of them. And they have different applications. And it's, it's a bit inconvenient that how can we try to compare them. While they all were designed for different applications, different user models, the process of studying new notions and comparing the techniques that we already have has become very invisible. To that end, in this work, we study the notion of or the question of encapsulating multi user function encryption function between multi user models in a more systematic framework, similar to what was done by bonus sign orders over a decade ago for single user model. Now, in the main contributions of our work is that we introduced this notion of multi party function that is meant to capture and unify all notion of function encryption in these multi user models. We also propose a new, we also propose new multi user functionalities that go beyond what has been previously studied, and we also give some interesting new installations for these functionalities from standard options. Now moving on, I will define the notion of define the framework of multi party function encryption. Now, in order to jointly capture the notion of ciftex policy and key policy systems in function options more holistically, we define the input spaces for both ciftex and secret keys, instead of defining them a function space for each of them individually. Jumping a little bit ahead, the main point at multi party function encryption is the possibility of combining multiple ciftex and secret keys at the same time during the description in order to learn interesting functional values. A natural question would be how would this or what would this combination look like, I mean how can we combine these things. Now our suggestion is to define two aggregation functions. Each for the ciftex and secret key input spaces separately, and these aggregation functions are going to be tied to the underlying encryption system. And now the description algorithm is going to compute the universal circuit on the individually aggregated input and function values or it's like the key values as well as the ciftex values. Now pictorially this could be visualized as follows, you have these input values stored inside the ciftex and you have we have these y values these input values inside the secret keys. Now, multi party function encryption says that these input values can be aggregated first using the corresponding aggregation functions, and then after applying the universal circuit, we learn the corresponding value of the underlying function that we want to learn using the multi party function Now a little more syntactically in functional encryption systems, we would have a setup algorithm in which the setup algorithm would take as input the aggregation functions associated associated with the functional functional system, it also takes as input the identity of the ciftex and the secret keys that we want to consider in this model. Now the identity of the secret key and the ciftex could be optional. Suppose in the case we want to have totally dynamic functional encryption systems, in that case these will not be given as input to the setup algorithm. Now, in addition to these inputs the setup algorithm also takes as input the mode of the computation, whether it's performing the central mode, or a local mode of an interactive mode, and what do I mean by that. So first let us imagine that the setup algorithm generates a sequence of public parameters encryption keys and master secret keys. Now, if I input the central mode to the setup algorithm, then the setup algorithm is being performed by a trusted party which generates all these parameters in a trusted manner and then it distributes to the all corresponding users in the system. In the local mode, this setup algorithm is performed in a non interactive and totally independent way by all users independently. Lastly, the interactive mode, it is a protocol between all the users at the input time, and during that mode interaction can happen but after that there is no interaction going on further during the encryption system. In multi-party functional encryption, just like functional encryption, we have a setup mode, but setup mode can be done in now one of three modes, local, interactive or trusted. And it samples all the public keys, the encryption keys and the master keys for the corresponding function encryption system. And given the encryption keys, one can encrypt and code the input, the message inputs or the Syftex inputs into a Syftex, and using the master secret keys, one can create some partial decryption keys for these function inputs or these Syftex secret key inputs. And decryption algorithm can take as input arbitrary number of these or just a predefined number of Syftex and secret keys and combine them to learn appropriate function values, allowed by the underlying multi-party function encryption system. Now the security, since these functional encryption systems are very powerful, the security for these systems can also be very complicated to state. Now I am going to give you a very high level brief intuition, or what's the intuition behind the security for multi-party functional encryption. So suppose an adversary is given a polynomial number of Syftex, which contain encryptions of different inputs for different, under different encryption, under different encryption keys for different inputs. And we also given encoding of different inputs, the secret keys for these inputs under the corresponding master secret keys. Now we say the scheme is secured as long as the adversary only learns the evaluation values that it can learn by performing the decryption algorithm by running the decryption algorithm honestly. So it can take any combination of the Syftex and secret keys, run the decryption algorithm and whatever the output of the decryption algorithm is, that's all the adversary can learn and nothing else. Now this can be formulated by indistinguishability scheme, and this is what we formally do in our paper. And we also allow corrupting master keys or encryption keys, and we have to define the leakage corresponding that allowed leakage to the adversary in that case. And for more details I'll refer you to the paper. And just to give a little bit of more input in it, how we actually do it in the paper, we actually also break the inputs in the Syftex and the secret keys into two domains. Where we have like a public part and a private part, which basically makes a cleaner, which makes a cleaner framework for eventual applications. Suppose you want to define the notion of partially hiding functional encryption, it becomes easier when we sort of define we split our inputs into two domains into two components, public and a private component. Now, before proceeding further, let me actually show you the expressiveness of multi-party functional encryption. And let me tell you why MPFA actually unifies all existing notions of functional encryption that we have studied so far. For starters, let us consider the simple example of multi-input function encryption. Now recall that in multi-input function encryption, we have say a polynomial number of Syftex that can be jointly decrypted using a single function decryption key. And F of the value from the functional on the all the inputs at the same time. Now, in order to instantiate this using multi-party function encryption, the idea is that we will run the setup in the central trusted mode. We will substitute the number of additive of the secret key to be one, the aggregation function to be one. And F of the Syftex to be M, the number of messages that we want to or the number of slots encryption slots that we want, and the aggregation function to be the identity function again. This is going to generate the key material. And using this key material, we can encrypt all these inputs x1 up to xm using the corresponding encryption values, we can encode the function using the master secret key. And finally trying to decrypt this using the multi-party function encryption decryption algorithm, we're going to learn the universal circuit on the aggregated values, since the aggregation is just the identity function. And we apply the universal circuit on top of it. That's why we will learn the evaluation of the function F on the underlying message values. This basically matches what multi-input function encryption is trying to do in a more general manner. Now let us also look at the distributed secret key setting. This was the distributed Syftex setting. Now in the distributed secret key setting, let us look at the multi-authority function encryption systems. Now in multi-authority function systems, as I referred to previously, the functions are encoded in the Syftex and secret keys have these partial inputs that we want to encode in the secret keys. Such that the encryption is going to learn the evaluation of the secret key on these values y1 up to ym. Now as you probably would have guessed, in order to instantiate this using our multi-party function encryption system, now we substitute n to be the identity of the secret keys. m to be the m is equal to 1 to be the identity of the Syftex and identity with the aggregate functions in both cases. And now we're going to select the local mode because it's a multi-authority mode. The setup is going to be formed in a local mode and this is going to generate the public keys in the master secret keys for all of these authorities individually. And the idea is that using all the master public keys together, user can encrypt the policy g on its own and using all these master secret keys individually, the authority can generate these partial decryption keys for inputs y1 up to ym. And the idea is that the decryption algorithm combines all these elements and that will sort of give us the universal function again on this identity aggregated function of g and y1 up to ym which can be simplified to be devaluation of the function g, the secret function g on the inputs y1 up to ym. Thereby again matching the syntax of multi-authority at the function encryption. Now this basically shows that multi-party function encryption can actually be used to unify all these existing encryption systems. And looking ahead, can we use multi-party function encryption to even forecast something, predict new interesting functionalities. Now, in this work, we actually show that we can compose function encryption for different functionalities and user models to come up with some very interesting functionalities. For example, previously we have only studied multi-authority attribute-based encryption systems or attribute-based encryption systems in which the function spaces were inner product functionalities. Now in this work, we say we can actually combine all of these together to define something called multi-authority attribute-based inner product functional encryption systems. We can also define decentralized notions of predicate encryption where the message functionality is the inner product function encryption functionality. Additionally, as I was referring to previously, the notion of dynamic decentralized function encryption has been defined as very powerful, but unfortunately that notion does not provide function hiding. So we say that multi-party function encryption says that DTFE can be extended to define the function hiding or counterparts for that. Lastly, we can also sort of ask that typically when we look at into distributed secret key setting for multi or for functional encryption. In that case, all these different key materials are typically intended for a single user. It's a single user secret key that is that is generated by multiple authorities. But what if we want to combine key materials for different users for totally different independent users. This is totally unlike multi-authority or decentralized encryption. And this is something that we sort of formalize using reputation-based encryption. And we show that these are interesting models that has not been previously studied, but they make sense just because we are visualizing functional encryption in a totally multi-party setting. Now in this work, we also give many new interesting positive results by giving new functional encryption systems for in the multi-user setting for interesting functionalities from standard assumptions. Just as a quick summary, we built multi-authority attribute-based inner product functional encryption systems where the predicate class is monotone spam programs, and we just rely on binary groups for building such functional classes. We also showed that we can build decentralized attribute-based inner product functional encryption systems, but now we also can hide the policy in one side. But then we can only guarantee it for inner product functionalities in terms of predicates. But again, we only show this by relying on binary groups. And you also show that we can lift the DDT construction for inner products and make it function hiding by just relying binary groups in the random oracle model. And lastly, we also give how to distribute SAFTEX policy attribute-based encryption systems that have been recently studied by relying on assumptions such as learning with others and the binding a generic group model. And we also show that we give interesting feasible results for multi-party functional descriptions by relying on the minimal assumption of multi-input functional descriptions. And I would just advise you to look at the paper for all these details because we can only summarize what we have shown this work. But there are so many interesting results in our paper. So moving on, I'm only going to focus in on the first part of the result and where I will tell you how to design this multi-authority attribute-based inner product functional encryption system for monotone spam programs. Now moving ahead, in order to actually construct it, I have to first define what multi-authority attribute-based IPFE is because this has not been defined previously. So first let us recall SAFTEX policy attribute-based encryption and inner product functional encryption. Now in a SAFTEX policy attribute-based functional encryption system, we have input spaces in which input spaces encode a policy circuit phi, a predicated policy circuit phi, and some payload messages M. And we also have these function spaces, these key spaces, which are going to encode some strings Y, some input strings Y. And the idea is that the functionality that attribute-based encryption systems they compute, it is the evaluating the function F corresponding to the input Y on the input X, which encodes this predicate phi and the payload M. Then it's going to give us the message M, the corresponding payload and the predicate phi as long as the predicate phi is satisfied on the key input, key attribute Y. So the key contains some inputs and the key input is satisfied on the SAFTEX predicate. Then we basically learn the message M, otherwise we do not. Now IPFE simply says that you always learn something. Suppose I give you an encryption of vector X and then key for the vector Y, then IPFE allows computing inner product of X and Y, but nothing else about the vector X. And that's the notion of identity-based function encryption. In ABE, there is a notion of fine-grained access. If you satisfy a predicate, then only you learn some information. In IPFE, you always learn some information, but some partial functional information about the underlying message space, which is all the input space, which is X in this case. Now, an answer question is that, okay, what happens if we combine ABE and IPFE? Now combining ABE and IPFE, we get attribute-based IPFE. An attribute-based IPFE. Now, instead of having a message M as part of the input space, as part of the input, the SAFTEX input space, we have a vector Y. And as part of the SAFTEX, as part of the key inputs, you're going to have this input W again, this input attribute W, and also a key vector V. And the idea is that evaluating this function F, W, and comma V on the input fee comma U is going to give us the inner product between U and vector V. So the vector V in the key, the message U, the message vector in the SAFTEX, as long as the predicate is satisfied on the input attribute, on the key attribute W. Otherwise, we do not learn anything. So if the attribute is satisfied, then you learn some partial evaluation of the function, of the message vector. Otherwise, you don't learn anything. So this is more powerful than attribute-based encryption systems because an attribute-based encryption system, it isn't all or nothing in encryption primitive. You either learn everything or you learn nothing. In IPFE, you always learn something. Combine both of these things, you have a more fine-grained access structure. You might not learn anything, but even if you might learn something, you might learn just some partial information. So we can equivalently say that the function that is being computed here is the inner product between the message vector and the key vector, multiplied by the predicate value, whether the predicate is satisfied or not. And this notion was very recently studied by Abtala et al, where they proposed AB IPFE for monotone spandrograms just from binary maps. And this was a very interesting result. Now, in this work, we say, that's great, but attribute-based encryption systems are very meaningful in the multi-authority setting. Then can we try to decentralize AB IPFE, this notion of fine-grained access structure of attribute-based structure to the multi-authority setting? And the idea is that we will take this input, this key space, this key inputs and try to distribute them into multiple keys. Now, each key vector is going to consist of a portion of the key, of the key, a portion of the attribute that you want to satisfy and the input key vector. And the idea is that combining the aggregation function will combine all of these different key inputs. And the idea is that it will append simply all the inputs, W1 up to WM, into a single input string, into a single attribute-based attribute string. And it basically checks whether the key vector that is associated with the function class, that is actually the same. It basically copies the same vector, the key vector, and it appends all the input attributes, which are part of the different key inputs. If you want to aggregate them, then this basically is just the aggregated function. And since there's only a single SAF text, you evaluate this single SAF text on this particular aggregated function. Now, how to actually construct, go about constructing such multi-authority attribute-based IPFE schemes? Now, one could actually start with up-to-light all construction, but due to some technical reasons, you're not able to make it multi-authority scheme directly. So basically, we look back at a much older scheme of Luku invoders, which built multi-authority attribute-based encryption schemes, which don't have any functional encryption property, but they do have multi-authority property from binary maps for monotone span programs. And we try to sort of just move around this construction just to work with it and modify it so that we can add this IPFE capability to it. So in the construction, let me just give you a much simplified overview of Luku orders construction. So the Luku orders construction, each authority, it samples a random exponent, alpha i, and it sets the encoding of alpha i. This bracket means the encoding of alpha i in the base group as the public key and the secret key is going to be the corresponding secret key alpha i, corresponding exponent alpha i. So we want to generate a secret key for an attribute bit wi. Since it's a multi-authority attribute-based encryption scheme, we only generate the secret keys for attribute bits. We don't have any key vectors associated, so we call no key vectors only attribute bits. And the secret key, the spatial secret key is simply going to be the product of this exponent along with the bit wi. So if you satisfy the attribute, then you will learn alpha i, otherwise you will not learn alpha i. Now let us see how to perform encryption in this simplified LWU 11 scheme. The idea is that the encryption algorithm takes a simple and access structure, a monotone access structure, which can be represented as a linear secret sharing scheme, because it's going to launch the monotone span programs. And I'm going to simply consider that it's a very simple access structure, a read once a monotone access structure. And the Cyphex is going to consist of three components, a chem key and two different Cyphex components. The first Cyphex component, which is CD2, that's going to simply contain an encryption of a large vector of random, of just random exponents r1 up to rn. And then we will also have the second component of Cyphex components. And the second Cyphex components are going to be, you first we sample a secret vector, a random secret vector s. And we use this access structure a to secret share this, secret share this vector s. So this is our secret, and we try to secret share it using the access structure because the access structure can be imagined like a secret sharing and we basically encrypt, we basically encrypt this as like an L gamma encryption, where we use the ith user's public key as the ith public key here, and the, the randomness exponent r i will be the randomness of the L gamma encryption. The ith user's public key and the ith randomness coefficient is going to be used as a masking term for masking the secret share for the secret s corresponding to the ith row of the secret sharing matrix. Now the, the chem value, the key encapsulation value of this encryption system is going to be simply the first element of the secret s that I sampled randomly. So this is going to be the chem value in the target group. So now, let me actually explain how to perform the description, that's going to clarify all this magic of binary maps, now all this magic algebra. So the description, we have a Cyphex, and we have a bunch of secret keys for these different input values. Now, suppose we have now since we have like an accepting input, then there must be a vector reconstruction vector such that we can use this reconstruction vector, take linear combinations of the rows of the access structure a, and come up with a row vector such that the first column, the first vector, the first element of that row vector is going to be a one. This is the property of linear secret sharing schemes that linearly we can combine these secret sharing schemes to come up with the, the, to come up with the first basis vector in the canonical basis vector. Now once we compute such a reconstruction vector, the idea is as follows. We compute some term K1. This K1 term is basically, we take all these key terms, these key terms for these different users, which are L gamma interruptions basically for these different users, and we align them in a, in a, in a, in a row vector, and take the inner product of this row vector with our secret sharing terms with our, with our reconstruction terms. These are in the target group. So we basically raise it to the exponents and perform the multiplication the target group. Next, we also have these reconstruction vectors. We multiply each reconstruction vector individually to the corresponding secret key. We raise it to that exponent. And then we basically compute this, we basically take the inner product between this vector, the secret key vector, and this, and the Saftex vector, which encodes these randomness coefficients for the corresponding L command interruptions. And finally, my claim is that if I just divide the K1 term by the K2 term, then that's going to give me the gain, encapsulation vector. Let me actually show it to you. So first, if we try to simplify the K1 term, then we're going to resolve in this following value, because I'm multiplying this, and I'm taking the inner product of the vector, the reconstruction vector ZW with CTI, Ct1, i for all i. In that case, I'll multiply these ZW, i coefficients with the corresponding CTI, Ct1, i terms, and that's going to give me this term. Similarly, I compute this simplified this key to term, and this key to term can also be satisfied, K2 term can also be satisfied, can be simplified as follows. Another combination of these reconstruction vectors using these reconstruction vectors as coefficients of the terms, these alpha i, r i, because r i is the, these randomness terms are computed using this data present in the Saftex, and alpha i's are the secret terms that are given to me. Once I compute this, I can basically just divide them out, and that's going to give me the term ZWi, inner product with just multiplied with the inner product of the row vector, the ith row vector, and the secret vector. And by the linear secret sharing properties, we get that this is going to give me the first element of the secret vector s, and this is exactly my KEM value. So basically the idea is that you have to view the Saftex as L-Gamal encryptions of the ith secret share, ith row of this structure is enables us the computing the ith secret share of the secret vector s. We perform the L-Gamal encryption, and the KEM value is simply the first element of the secret shared value. This is the first element just because we're computing a reconstruction vector in this following way, so that we can compute the first, the first basis vector in the canonical vector. And that's the high level idea behind the Lugo-Vortice construction. Now I'm actually really throwing a lot of details under the rug, but I'm not talking about the global identifier model, or a lot of other technical details. But this more or less captures the core construction, the core ideas behind the Lugo-Vortice construction. Now our idea trying to, so we want to take this multi-authentic attribute-based encryption scheme and add IPFE framework to it, IPFE flavor to it. So how to upgrade it? A natural first thought is to use ideas that have been developed in the literature already. This shows us that we can lift any public encryption scheme, which has some nice homomorphic properties to any identity or to any inner product function encryption scheme. And the crux in those constructions will rely on the homomorphic structure of the PK public encryption schemes. And the point is that each vector bit will be encoded using independent public key. And now, decryption for a vector is simply a linear combination of all these underlying PK keys. So we have these underlying PK secret keys, you linearly combine them and that's going to be a decryption key for that particular secret vector that you have. And now during decryption, the user is going to homomorphically compute, just homomorphically compute these different individual PK keys, PK ciphertext into a single PK ciphertext. And that single PK ciphertext can be decrypted using its linearly combined PK key that received as part of the secretion key. And unfortunately, this idea does not work. It's a very clean and elegant idea, but it does not seem to work for current multi-authority attribute based encryption schemes that we have. Or let me add a little bit of a, let me see if there's a caveat. We actually show in our paper that we can use this framework, this other framework, this Abdullah at all framework to go from multi-authority AB to multi-authority attribute based IPFE, but only for the classes of inner product predicates. But if you want to go to monotone span programs, then we have to rely on some other cool ideas. And very briefly, the problem here is that, typically in the above idea, in the above PK to IPFE lifting theorem idea, the chem key, the chem key is the underlying decryption key that is actually chosen during decryption time. Thus, it can be linearly combined when you have to give that particular linear combination to a particular user as its partial key. But the chem key in the luco orders construction, if you look at the chem key in the luco orders construction, that is chosen during encryption time, not at setup time. Thus, it is unclear how to actually give linear combinations of the chem key as part of the partial, as part of the key generation process because that's chosen during the encryption time. Now, with that, let us just look at the simple trick that became from this work and the idea is very simple. The idea is that, if we look very closely at the luco orders construction, then we will observe that the chem terms are actually masked with each authorities master secret key using the algama encryption. And we simply have to give a projection of these unmasking terms instead of a projection of the chem terms and linear combination in regard as a projection and previously we were giving a projection of the PK keys. So we only have to give out a projection of these unmasking terms, which the authority each authority does know. And now the LSS construction, these linear secret key reconstruction, they only touch the rows of the matrix A. Now we can perform the projection on the column so that they won't be any mangling that's going to happen. The reconstruction happens on the row side, the projection happens on the column side. That's why these these these operations these algebraic operations are totally independent and do not affect each other. And a very crucial important fact is that we have to rely on the fact that the randomness for the underlying systems has to be reused across different masking terms. Otherwise, the entire framework doesn't work and you have to be very careful with this. I'll elaborate more on that in the coming to its slides. But let me just give you a very high level overview of how to actually upgrade this local water's construction to an I do a multi authority ABI PFE scheme. So this is the local water's construction. I'm just copied this from two slides ago. And let's just update it step by step, following the intuition that I said that you're going to sort of give projections of the masking terms that each authority computes. So these masking terms are these as these random exponents. So first, we switch out the setup algorithm, instead of sampling a single exponent, we sampled us a sequence of exponents, a large vector of exponents, where the number of exponents is the same is the length of the vectors that we want to actually give out an IPFE. We want to design an IPFE system for. Those many exponents each authority samples those many exponents. And now the secret key is going to be instead of that particular secret key given out in public, if you satisfy the attribute. It's the inner product of your masking term with the key term with the key vector w in a product of your secret key and the inner product, and then multiplied by whether you are satisfied that particular attribute or not. It's going to be natural so far. Now, let's see how to actually perform encryption during encryption. We now also have this message vector this message vector you. And instead of now having a chem mechanism because it's no longer an all or nothing encryption system, it's a function encryption system it's an IPFE encryption system, we have to actually encrypt the message vector itself. So our ideas as follows. We will keep the second component of the safe text as before the city to is going to stay the same. But now the first one was I've text the city one com I components previously you're sampling just a single secret vector and performing the secret sharing just once for each row. Now we're going to perform the secret sharing and times. So each row and times and basically we can do sample a secret matrix X multiply a I times with S and just we're going to use all our El Gamal secrets El Gamal public keys for the ith row, you know to mask this particular secret value. The crucial bar is that we have to rely on the same randomness for all these independent El Gamal values, El Gamal encryptions. So that seems to see if it like the up the light all translation create. And now, just to actually tie things up, we have to do the following. Now the third set of components of text that's going to be the one time pad. Basically, we hide the message vector using a one time pad where the one time pad key is the first row of the secret vector of the secret matrix previously we're using the first element of the secret vector. Now we're going to use the entire secret the first row of the secret vector secret matrix, you know to mask this term. And naturally the idea is for decryption also pretty similar. We basically update the K one first step, where previously we just taking the inner product between the, the Saftex vectors and the reconstruction vector. Now we're also going to take the league the right multiplier with the reconstruction vectors, but we left multiply with the key vector that we have. So, on the right side on the basically the row side of the matrix, we're going to perform reconstruction and the on the column side of the matrix we're going to perform this projection. And in order to compute the output, we're basically going to first compute the inner product between the third component of Saftex with the key vector, and just come up with these masking terms appropriately, multiply and divide them and then that will give you the message vector you with your key vector W with your key vector V as soon as long as we actually satisfy as long as you sort of satisfy your attribute satisfy the access structure. And mathematically we can sort of just check again the same math works out the algebra works out and it's not a very interesting thing to look at. But what is more crucial is that the Saftex here actually shares the randomness coefficients across all these different, all these different algomal terms or these in binary terms. And typically, this was not a problem in the, the PKE to IPFE lifting theorems. But it turns out to be a little bit of a problem in the case of attribute based encryption systems and the ideologies follows. So we're trying to just simply merge the look over as constructions and the PKE to IPFE lifting theorems these transformations and trying to combine these proofs and almost black box way, and just trying to combine these proofs and just being done with that. Unfortunately, that does not work. The reason is that look over is relies on these dual system techniques these dual system paradigms. And this dual system paradigms relies on the notion of semi functional Saftex distributions, where the Saftex no longer work for basically the challenge Saftex when you switch it to a semi functional Saftex. It is no longer a good Saftex for all the secret keys that you have to give it out for. Ideas from PKE to IPFE are no longer applicable, because we cannot switch our challenge Saftex to a completely semi functional Saftex, because our Saftex can potentially be decrypted on a large number of it is possible we allow decrypting our challenge Saftex on a large number of keys and we're not getting some partial information about the message vector. If you're only trying to say that if you don't have any distinguishing keys, then you should not be able to learn the underlying message, the underlying you should not be able to distinguish the underlying message vector. But you do have accepting keys in traditional multi authority attribute based encryption systems, you do not have any accepting keys. Here, we do have accepting keys, because the accepting keys have the property that the evaluation of both the challenge messages is going to be the challenge vectors, the two challenge vectors are going to give the same in a product with a key vector, if you have an accepting key, and that causes a problem. Now I won't have enough time to actually tell you how to get around this problem, but the main idea in a nutshell is a simple again. So to that end we actually introduce a new notion of semi functional Saftex that we call partial semi functional Saftex, which is very crucial to extend the notion of semi functional Saftex to this functional encryption where the idea is that these Saftex are going to be nominally semi semi functional across all but one projected subspace. So there are so many different subspace in the underlying message in the underlying Saftex right, and it's only one particular subspace where we have to perform the the the magic of dual systems paradigm but for all the other subspaces we don't have to perform them magic of dual systems paradigm, but over there we can't treat them as independent subspaces, because all these are tired using the same random terms, same randomness coefficients. So we have to actually define something called nominal semi function, semi functionality for all these other inputs, all these other projection spaces, but for the challenge of projection space, we have to actually rely on this make it completely semi functional. And I refer you to look at the paper for interesting deals. It's a pretty, it's a pretty neat notion of partial semi functional security, and I believe it's going to be very meaningful if we sort of try to push this forward and try to come up with more interesting notions in trying to combine multi authority or attribute for his functional encryption systems with other type of functional systems, because this is going to appear again again. Now just trying to summarize in this work we gave a lot of, we proposed this incredible notion of multi party function systems, and he gave these amazing new positive results. And I was able to only describe to you this multi authority API systems from my unit groups, but we also have a bunch of other interesting function classes that we show that we can realize that we can actually instantiate very simply using multi party function systems, this framework of MPFA and we can actually give new constructions for these things. Finally trying to include this talk, I describe the notion of multi party function encryption system. And the multi party function system is a universal is an amazing framework is a unit is a unifier, which comes with the simple framework, trying to come up with a framework for all multi user encryption systems in the function strategy. It enables abstraction of technical ideas across user models. So we developed some use some nice ideas in the IPFE landscape developed some interesting ideas in the multi authority landscape as we saw, and we were able to sort of abstract these ideas in a more coherent way and use them to get something more out of it. And it also this MPFA it also makes it easier to interpolate the space of unexplored functionalities. And we were able to say, okay, hey, we can combine multi authority at to be based encryption and IPFE to come up with a totally new primitive. We can combine decentralized predicate encryption or IPFE, you can combine policy hiding encryption or being combined distributed dynamic decentralized function systems, and to get something more. There are so many interesting unexplored functionalities that are out there. And, yeah, it would be wonderful if you can actually just come with a more systematic approach of trying to sort of come up with those functionalities. And there's so many fascinating open questions. And as I was leaving earlier, we build some natural functionalities from some assumptions. I would like to take a leak. Thank you for listening. And the papers online and the apron number is 2021 266. Thank you for listening.