 So, the second talk of the session is from single input to multi-input functional encryption by Jan Komogotsky, Svika Barkatsky and Gilles Segev, and Jan will give the talk. Okay. Hi. So, I'm Ilan, and I'll talk about multi-input functional encryption. This is joint work with Svika Barkatsky and Gilles Segev. So, let me briefly remind you the setting of functional encryption and what does it mean. So, in functional encryption, there's a player, Alice, that has a master secret key. It can encrypt messages at any time she wants, send them to some server, and at some later time, a player named Bob, it can be Alice as well, but he has a secret key, he can generate keys for functions that allow the server to learn some partial information about the message M. Okay. For example, one very nice application of this is that you can publish your database in some server, encrypted, and at some later time, you can give the server a key for a function that allows him to reveal whether the messages are non-negative or not. Okay. And more generally, we can allow to send, we can allow the server to learn a bunch of functions, F1 till FL, given encryptions of M1 till MK, and the server will be able to know any F on any M and nothing else. And how do we formalize this notion of nothing else is a central topic of research. And there are a couple of variants, I'll be mostly talking about the indistinguishability based one in which we require that the server seeing two encryptions of messages M0 and M1 will not be able to distinguish them as in standard encryption schemes, but here he has also access to a key for some function F, and we require that the encryptions, the ciphertexts are indistinguishable, even given the key, as long as the function F does not separate the two messages by itself. There are a couple of variants for this definition on how to really formalize it, depending on who chooses M0 and M1 and when, and two of the most common formalizations are known as selective security and adaptive security. A selectively secure scheme is a scheme in which the adversary commits to the challenge, to the challenge pair M0 and M1 ahead of time, before any interaction with the scheme, and the adaptive security ensures that even if the adversary has access to the scheme interacts with it and only then commits on the challenge, then the scheme is still secure. Of course, the adaptive security is much harder to get, but it's also much better. Okay, what do we know in a nutshell? What do we know about functional encryption? We know how to construct many variants of functional encryption scheme, all offering some sorts of different security guarantees and functionality guarantees even. So for example, even from one-way functions, we can construct an FE scheme which supports a bounded number of keys, and the ciphertexts are pretty long in this scheme. If we want to assume LWE, we can get a scheme with much shorter ciphertexts, but it still only supports a bounded number of keys. And from IO, we can get essentially anything, as we've heard, and we can get the perfect scheme which supports unbounded ciphertexts and very short unbounded keys and very short ciphertexts. And in terms of selective versus adaptive security, there was a paper last crypto showing how to generically take any scheme which is selectively secure and transform it into an adaptively secure scheme. So this is in a nutshell what we know. So we have a range of assumptions and the same range of constructions. Okay, and natural generalization of functional encryption is the multi-input functional encryption scheme. It was introduced two years ago in Eurocrypt by Goldwasser et al. And this notion is pretty similar to the single input one, except now the functions for which we can generate keys are multi-input functions. So now Alice can send two encryptions, like a ciphertext of a message M0 and a ciphertext of a message M1. Later at some time, one can generate a key for a function F that gets two inputs, M0 and M1, and a server that has both ciphertexts. And the key for the function will be able to learn F on both messages. One of the major applications of this primitive is what's known as order revealing encryption that was mentioned today a couple of times. This encryption scheme allows us to encrypt messages, just as any encryption scheme, but it also allows us to output a key for a function that allows us to test whether two ciphertexts encrypt messages, who is bigger? It allows us to test if the encryption of M0, if M0 is bigger than M1, given only their encryptions. So it's a very powerful primitive, and it's also very useful. The two-input functional encryption that I'm going to talk about most of the talk can be generalized to more inputs. It has applications with more inputs, but I'm going to talk mostly about the two-input setting just for simplicity. The formalization of the security of this scheme is very similar to the single-input one, so I'll not get into it. But intuitively, I hope we all understand what it means. And again, we have the same issue of selective versus adaptive security, who and when chooses the challenge, whether it's before interacting with the scheme or after. Okay. What do we know about multi-input FIs, or specifically two-input FIs? The first paper that introduced this notion by Goldwasser Hotel two years ago constructed this scheme from Fuscation. Their scheme is not adaptively secure, at least not if we assume only polynomial I.O. It supports polymany inputs, so we can get quite cool stuff from it. A follow-up work by Bonetal showed how to get an adaptively secure scheme that supports polynomial number of inputs, but the construction is from multilinear maps, and the proof of security is in an idealized model, so it's not in the standard model, which is kind of not very good. A concurrent work to our work by Nathan Jane showed how to start from any single input public key FE and get a multi-input secret key FE. Their scheme is not adaptively secure, it's only selectively secure, and they can generalize it to more than a constant number of inputs, assuming more assumptions on the initial scheme, like compactness and sub-explanational security, which I'm not going to get into. The main result of our work is a construction of a multi-input functional encryption scheme from any single input secret key, private key, functional encryption scheme. It can be extended to any constant number of inputs, and actually even a slightly super constant number of inputs, assuming the initial scheme was sub-explanationally secure. So in terms of assumptions, our assumption is the weakest, and in terms of security, our security is the strongest possible, but we are limited to a constant number of inputs. So this is the main result of this work, and in the rest of the talk, I'm going to talk about how we get it. Okay, so the construction is actually a generic transformation. You give me any private key FE, single input FE, and I construct from it a two-input functional encryption scheme, and then from any two-input functional encryption scheme, I construct a three-input scheme, and so on until any T that you choose. In terms of instantiations, what do we actually get when it boils down to assumptions? Then from IO or multilinear maps, we can get an adaptively secure scheme that supports any number of inputs. If you're only willing to assume LWE or one-way functions, we get a scheme that supports multi-inputs, multi-number of inputs, but it will only support a bounded number of keys and a bounded number of ciphertexts. Okay, so the main idea is something we call input aggregation, and it's very simple to explain, I hope. So we start with a function with a two-input function. This is the function for which we want to generate a key for, and we view it as a single input function, the most natural thing you can do. It's a function that gets double the length input, and it just parses as two inputs and applies the original function on both inputs. We'll generate a key for this function. Okay, so we'll denote it by sk sub f. It's a key for this function. Now, what do we hope? We hope that given a ciphertext of x and a ciphertext of y, we would be able to somehow combine them magically and get a ciphertext for x concatenated with y. This is the hope. If we can do it, we can use the key for f star and get f on x, y. And how one can do this bullet, it's actually pretty easy, and the idea is kind of nice, the encryption of x is actually going to be a key for a function, and not an encryption of something. It's actually going to be a key for a function that we call agg for aggregator. It will have x hardwired inside, and it will output an encryption on input y. It will output an encryption of x concatenated with y. That's a very simple functionality. I'm going to ignore the fact that the encryption is a randomized function. We can handle it. And the encryption of y is going to be just an encryption of y. So what do we get? We get that if we have an encryption of y and an encryption of x, we can combine both of them to get an encryption of x concatenated with y. And then use this encryption with the key for f star to get f on x and y. Indeed, this is how we hope it would work. So we'll apply the encryption of the functional encryption scheme on the ciphertext of x and the ciphertext of y, get the encryption of x concatenated with y, and then apply it with the key for f star, for f. So this is the main idea. I hope it's clear. So let's see how we actually instantiate it because I've been playing too much around without being too precise. So we'll have a two-level encryption. We'll have the internal level and the external level, like the intuition tells us. So the master secret key will actually be composed of two schemes, an internal scheme and an external scheme. The key for f is exactly what I said. It's just going to be the key for function f star, which is the single input function. And it's going to be with the key, the outer key. The ciphertext of x is going to be exactly what I said before, but now I'm formalizing what I mean, which keys are used where. So the key generation is going to be with respect to the key, the internal key, and the AGG circuit will have inside hardwired the external key. And now the AGG circuit will encrypt x concatenated with y with respect to the outer master secret key. And the encryption of y is the same as before with the internal secret key. You can see that when we combine both blue parts, we'll get the encryption of x concatenated with y with respect to the outer secret key, which we can use together with the key for f to get f on x, y. Okay? Good. So how would we prove that such a scheme works? So the problem is that MSK out is hardwired inside the encryption of x, and as far as it's there, we won't be able to use its security. So what we're going to do, we're going to hope to take it out of there, because we want to use the security of the scheme. And the standard way to do it is just to embed all possible ciphertext inside the encryption. And the problem is that we have given t inputs, so only t encryptions of t messages, we have t squared possible ciphertexts. So we don't have enough place to embed all of them. So this doesn't really work. But one idea, which comes up very quickly, is to instead of using the outer scheme as a secret key scheme, use a public key scheme. And then instead of having hardwired, the outer MSK will have a public key that allows for encryption. And indeed, we can have such a scheme. So this is a scheme that uses a public key single input FE, and the public key is used for encryption inside the AGG. This is exactly the scheme of finance engineering from the concurrent work. And they were actually able to prove that this scheme is selectively secure. And it's quite, I think, it makes sense, given what I said. But we want to work from any single input scheme, secret key scheme. We don't want to assume public key. So we have a new idea that we call one-sided key encapsulation. And roughly speaking, the idea is that instead of using the outer secret key in every encryption of X, we'll just sample a new master secret key for every encryption of X. And the scheme will be slightly more complicated. So we're going back to the setting in which the master secret key is composed of two keys for secret key FEs. Now an encryption of X will sample first a new master secret key that we'll call MSKSTAR. We'll generate a key for the AGG circuit exactly as before. And in addition, we'll give us an encryption of MSKSTAR with respect to the outer secret key, okay? And the key generation is going to be for a circuit which is slightly different than FSTAR. It's going to be D sub FSTAR, where D sub FSTAR gets its input S secret key and generates a key with respect to this secret key. Good. And what should we notice? That if we combine both blue parts, we get an encryption of X concatenated with Y with respect to MSKSTAR. And if we combine both red parts, we get a key for FSTAR with respect to MSKSTAR. And now we can combine both of them and get F of XY. So this is the decryption of our scheme. So we combine both blue parts to get a ciphertext of X concatenated with Y with respect to MSKSTAR. And we combine SK sub F with CT prime sub X to get a key for FSTAR with respect to MSKSTAR. Okay. I hope functionality is clear. This actually works. And we are able to prove selective security. And it's nice to see why it works as opposed to the scheme from before. So now the idea is that we don't have to take MSKSTAR, all possible MSKSTARs outside of the scheme to use their security. But we will attack them one by one in the proof of security. It's going to be a bunch of hybrid arguments. And we're going to attack each MSKSTAR in a different set of hybrid. And now the point is that when we attack a single MSKSTAR, there are only T possible ciphertexts that use it. So it's the X that corresponds to MSKSTAR with all possible Ys. So there are only T of them. We cannot embed them in X because it's too long. So what we're going to do, we're going to embed each one of them in one of the Ys. So in every YI, we're going to embed an encryption of X concatenated with YI with respect to MSKSTAR. And we can do it because we only care about selective security in this scheme. So we know all Xs and Ys ahead of time. So we'll embed them before time. And the proof will work out. So this is the main idea. And I promised you that we get adaptive security and not selective security. How do we get that? So the rough idea is that instead of having a master secret key pair ciphertext corresponding to X, we'll have a master secret key that corresponds to every pair. So idea one was that each message X will have a corresponding master secret key. And in the proof, we are going to attack them one by one. So we used any single input FE and got a selectively secure two input FE. Our second idea, which is the two-sided encapsulation, actually is able to associate one master secret key to every pair of messages on the fly. And in the proof, we attack every master secret key separately, so every pair of messages separately. So we'll have something like T squared hybrids. And the point is that since we want to prove adaptive security, we don't know ahead of time which messages the adversary is going to query on. But we know that they have an order. So either he asks first on X or first on Y. And if he asks first on X, we'll embed into Y the ciphertext of X concatenated with Y. And if he asks on Y, first we'll embed into X the ciphertext of X concatenated with Y. And realizing it is much more complicated. The scheme is not very simple, but the building blocks are a single input FE, any single input FE. And the selectively secure two input FE, which we just constructed from a single input FE. And from these two creatures, we are able to construct an adaptive secure two input scheme. So that's the idea for the adaptive scheme. And let me summarize by how do we get multi-input schemes, because I focused most of the time on the two input setting. So we can start from any single input FE scheme, selectively secure, use the transformation of ABSV from last year, and get a single-input adaptive scheme. Our first idea gives the two-input selective scheme. And combining both of them, we get the two-input adaptive scheme. From the two-input adaptive scheme, we can get a three-input selective scheme. And from the three-input selective scheme and the two-input adaptive scheme, we can get a three-input adaptive scheme, and so on and so forth. And that's it. So any questions? So you're asking whether there exists a construction. If you tell me in advance there is a bound on the number of ciphertexts, so if you tell me in advance the bound, and you tell me that you only want order revealing encryption or anything. So I don't know. I think it's not very simple. Any other question? So no other questions? So let's find the speaker again.