 Thanks for the introduction, and I will share our work about ABE for DFA. So first, in ABE schemes, so the ciphertext is corresponding with attribute x, and the secret key is corresponding with some policies. So if the attribute is satisfied, is satisfied policy, then we can, we can recover the message using this secret key. Otherwise, we require that the messages is hidden, even we have the secret key, and this should be heard even if we have more secret keys. So in this talk, I will focus on ABE for DFA. So where the policy is described by a deterministic finite automata. So let me quickly review the notion using this example about DFA. So DFA has two states. So at the beginning, when we run the DFA, we start from state one, the machine is in state one, and then it will run in several states, and at each stage, it will read one bit. And when they read one bit, it will change the state. So this is described by the transition functions. We write it using the arrows. So the lower arrow says that if the machine is in state one and input is zero, then we will move to state two. So when we read all the bits, we will reach some states. If the state is two, which is called the accept state, we will accept the input, otherwise we just reject. So I want to remind you that DFA defines a regular language. So I write a regular expression here. So sometimes we call it ABE for regular language. So the advantage is that this allows us to have attribute x with arbitrary size. This is different from traditional ABE for circuit. The input is bounded, so which is very useful for some application like text return, where the data can be very long. So for this very useful primitive, we have some constructions, but all of them require Q-type assumptions. The key point is that the complexity of the assumption related to the lens of input x, that means it's bounded, it's not very good. So in our work, we give a first ABE scheme for DFA from Kline assumption. This is a static assumption. The complexity is constant. So in this talk, I have to explain our idea using bilinear group of composite order, but I promise you that everything I will tell you can be translated into a primordial group and can be based on Kline assumption. So the first thing is how to realize the functionalities. So that means we have a ciphertext for x and a secret key for f, and then we can decrypt if x satisfies f. So the first thing is in the ciphertext, we have four randomness. So this basically corresponds to the four steps when we run the DFA f on this input, because this means that we are at the step zeroes. We read no bit. S1 means we add a step one. We have read the first zero and so on. Then in a secret key, we have two randomness, D1 and D2. This basically means that D1 is for the state one, D2 is for the state two. So we use a small dot to save the space. So actually when you decrypt using the secret key and to decrypt the ciphertext, we actually compute some values corresponding to this D and S. So let me first tell you the correspondence between the values and the execution of DFA and tell you the structure of secret key and the ciphertext. So in the first step, we said that we always start from the state one. So in stage one, we are at the state one. So we will compute a value corresponding to S0 and D1. So in our construction and basically the parent-based one, so we compute the product of these two values. Then we actually depict the transition function like this. So the dot here in this column basically means the same state, but for the step one, for the next step. So because we are in the state one, so follow this line, we will move to state two. So this basically corresponds to these values. So actually we need to compute S0, D1 we have obtained. So then we continue this process, compute S2, D1, S3, D2. According to the state we can reach in each step. Then finally we will reach these values and the state two is the accept state. So it should be used, use this value to recover the message. So generally we will do this. If we can reach Ui after reading I bit, then we will compute these values. Okay, let me tell you the structure. You need to do something for the start and connect to the message, but we focus on the transitional part. So for this part we want to compute this value from the previous values. We use subcyclic text encoding the first zero and the sub-secret key encoding these transitions. So we choose a public parameter, Z and W, which were published in master public key in the proper form. Then we actually encrypt D1 and D2 in this form, which is an algorithm like one but shared randomness. Then for the ciphertext we connect S0 and S1 using this structure so that we are not recovering S1, D2 individually. We actually recover the difference of these two values such that we can move from S0, D1 to S1, D2. So for all other transitions we can do the same things. For example for the I0 we use the same structure but use different S, we use SI and SI-1 and SI. For other transitions from U to V, we just replace D, U, DV, the corresponding random values in the place of D1 and D2. Also we can hope that we have other symbols in the input. So for this case we just choose different W for each possible symbols. When we have a transition on sigma, we just replace W with the corresponding W. In the ciphertext, SI is used to create W, SI. So this actually is the structure used in the first AB for DFA from Waters. But we need to change the scheme. We work with composite order group and give a different proof. So we call this warm-up scheme and tell you what kind of things we should do. So this is the takeaway for this part. So for the security, we give these examples which are shorter. That means from the expression you can see that they will be rejected by the DFA. So it basically corresponds to the execution of DFA on this input and we need to create a hybrid corresponding to this one. So what the hybrid is? So in G0, it's corresponding to step 0. In step 0, we are in state 1, so we cannot reach state 2. So we want to say that S0, D2 is still the random. Then in G1, we look at the step 1. So basically that means, very similar, that means S1, D1 is still the random. Then we move to the next hybrid. So in this hybrid, S2 and D2 is still the random because D2 is not reachable. So as we have said that D2 is accept the state, it's corresponding to the message. So the fact that S2, D2 is still the random helps us to hide the message. So this is the high level of the proof. So similar we have a general way to define hybrid I. If we can reach UI after reading I bit, we will define a GI with SI and a DV is still the random for all V which is different from UI. So how to realize it in the secret key and the cyclotix? S and a D from two components. So we need to change the distribution of the cyclotix and the secret key. So this one is very standard for the system encryption. The key point is here, we add the delta IV here. So we define it in this form, which depends on whether V is corresponding to the UI. And this means we hide the DV by delta if V is not reachable after reading I bit, otherwise it's just clear. So at this point, the takeaway is like this, we call this execution graph. So the green part is basically say what we can recover during the decryption. That means the value we can compute. So the red dot means that in each game we want to hide. So actually this also, we can read how to assign delta IV from this graph. I actually from 0, 1, 2 and the V is 1, 2. The green dot means we set delta to be 0. Red dot said that we set delta IV to be delta. So let's move to the proof, but I must say that we need to change a little bit about the definition of hybrid. But let me show you the proof idea and see why we need to change the hybrid. So we have a lot of hybrid. The point is to say that the digestion hybrid are indistinguishable. So I want to show you the statement like this. This statement is oversimplified. So we need the many steps to connect the left-hand side to the gi-1 and the right-hand side to the gi. But in this talk, let me just focus on this very simple statement. As I said with our definition, it's actually wrong. We can find the u to v sigma, the transition. The corresponding term is actually distinguishable. So let me tell you what kind of transition. So we focus on sigma equals xi. That means we can actually recover this part, the delta part, in clear because we know wxi. We can actually decrypt it. So we just compare this to 1. So if we set u is not equal to ui minus 1, that means it cannot reach in the i minus 1 step. That means we set it to be delta. And if we set u to be vi, that means we can reach. So it's actually not equal. So the statement is wrong in this case. So in order to fix it, we need to require that we have such kind of property. So if you have a connection from v to u are input xi, the corresponding delta should be equal. So in the graph, actually, if you have a line connecting to dot, the dot should be has the same color. So the point is that how to get this, so we require such kind of features. The point is that we can change the definition of delta by just pick v from fi. That means we define fi for each hybrid. And from the fi, we can define our new delta IV, which satisfies this property. So let me show you an example. It's a little complex execution graph. So there are three states. The first is star state. The second, the remaining two is accept state. And we draw the transition here. So according to our previous idea, we have a path from the star state to this. And the other states will be colored in red. That means we will argue that it's pseudo random. So you can see that there are two lines, which is problematic, we have told you. So the way to fix it is to set like this. So let's come back to this graph. This is the right hybrid we can use and satisfy the property here. That means the set f0 to f3 can be defined like this. We actually don't cover all the other states here and here. So we have a smaller f1 and a smaller f2. So actually you don't need to do all the work like this to define the set. We actually can define a set in an iterative way. So actually the last set f3 corresponding to the accept state. We put all accept state into the set. Then we trace back to define f2. So f2 contains all states which will transfer to the state in f3. Then we trace back to find the s1. Then we trace back to find f0. So this gives our definition. So now with the definition here, we have these features. Then we can prove this statement. So the proof is very simple. So for the case sigma equals xi, we just use the features. Clearly the two sides are equal. And for the other case, sigma is not equal to xi. We just use dh to hide the difference between these sides. Actually this is the main idea in the proof. Actually we have a more idea to carry out the actual proof because we still need to change the ciphertext. So we have more idea like this. It's a subgroup hiding. But it's enhanced by giving something like this, but hidden in an Elgarma type encryption. And we also need one more subgroup to realize such kind of tools. Then as I told you that the warm-up scheme is not the actual scheme. So to move to the actual scheme, we have to do some change. But I have no time to explain why, but I just tell you the things we want to do. We need two copies of the public parameter like this. Then we create a secret key for each transition and the two copies. It's parallel just to copy of the secret key. The complex step is the ciphertext part. So for the ciphertext part, xi is encoded using z0 and w sigma0 if i is an urban number. So actually switch between the two parameters depending on the parity of i. So this is our actual scheme. Okay, let's summarize the talk. Actually we give a new technique about how to construct AB for DFA from a static assumption, and then we really give new concrete schemes. So for the future work, I think a lattice based variant should be interesting. And the idea to trace the execution of DFA may be useful in another scenario. Okay, thank you. If you have a question, please come to the microphone. We have a lot of time for questions. I have one question. Where did you use the selective security? Yeah, yeah, yeah. Because we just see this one. So when you define delta, you need the information about x. Ah, okay, okay. So without the information about this, we even don't know how to simulate the first secret key. So we have to be selective, and we don't know how to deal with it. Okay, thanks. Ah, okay. So this part. So we actually use subgroup hiding from G1 to G3 and G3 to G2. I mean, when you prove this statement, you need to subgroup hiding step. Sorry, I can't. This one is composite order group. So but you can translate in the primordial group. It's fine. More questions? Thanks for speaking again.