 Hello everyone, my name is Radu and today I'm going to talk about Adaptive Simulation Secure Inner Product Functional Encryption Schemes, which is joint work with Shweta, Benoa and Monashish. Without further ado, let's jump into it. Our work shows that it's possible to have Adaptive Simulation Secure Inner Product Functional Encryption Schemes from standard assumptions like Decisional Diffie-Hellman, Decisional Composite Residosity or Learning with Errors. In the case of Inner Product Functional Encryption Schemes, Adaptive Simulation Security seems to be the strongest possible notion that we can hope for. Our first two results give new security proofs for the Agrawal Libertad Estelle from 2016, which shows that, in fact, this scheme satisfies a stronger security notion than it was previously known. And the last result shows a generic compiler that gives Adaptive Simulation Security from Adaptive Indistinguishability when Inner Products are computed modulo prime. In particular, we can apply this transformation to the ALS-16 LWE-based scheme. Inner Product Functional Encryption Schemes is a public key encryption scheme that encrypts n-dimensional integer vectors. It can also associate functional decryption keys to key vectors y. The decryptor using such a functional decryption key can decrypt the initial message, but it can only recover partial information about the message, namely it can recover the inner product of x and y. For instance, such functionality can be useful for computed weighted sums of encrypted data without actually revealing each individual component. Security guarantees that a key holder learns nothing about the message except the inner product. In the case of multiple key holders that decide to collude, it should still be impossible for them to learn new information about the message besides what each individual key reveals. To capture this intuition, both Indistinguishability and Simulation-based security definitions have been considered so far. Both variants of the definition will be discussed in more detail in the next couple of slides. We'll start with the Adaptive Indistinguishability definition, which assumes the usual game between the challenger and the adversary. The game starts with the challenger generating a key pair and sending the public parameters to the adversary. In the pre-challenge phase, the adversary is able to make key queries for key vectors yi of his choosing to which the challenger replies with a corresponding functional decryption key. In the challenge phase, the adversary outputs two messages, x0 and x1, and the challenger picks one of the two at random and sends its encryption back to the adversary. The messages are chosen in such a way that they decrypt to the same value when decrypted using any of the pre-challenge keys, thus making the adversary unable to trivially win the game. In the post-challenge phase, the adversary is allowed to make more key queries under the same constraint that he should not be able to trivially win the game. We say that the scheme is adaptively indistinguishable or secure if the advantage of any efficient adversary is negligible. The simulation-based definition assumes two experiments, the real experiment in which the adversary interacts with the real scheme and an ideal experiment in which the adversary interacts with the simulation of the scheme. Both experiments start off with the generation of a key pair, and the public parameters are given to the adversary. Next, in the pre-challenge phase, the adversary is granted Oracle access to the key generation process, at the end of which he must output the challenge x star. Next, the ciphertexts are computed. Notice that in the simulation, the fake ciphertext is computed not from the challenge message itself, but only from the information that is leaked by the pre-challenge keys. In the post-challenge phase, the adversary can make more key queries, at the end of which he must make its guess, whether he is in the real experiment or the ideal experiment. We say that the scheme is adaptive simulation and secure if the two experiments are computationally indistinguishable. Both definitions discussed so far are adaptive in the sense that key queries are allowed before and after the challenge. One important observation is that adaptive simulation security is strictly stronger than adaptive indistinguishability, thus adaptive simulation is to be preferred. In 2010, Bonex, Ahay and Waters showed that adaptive simulation is actually impossible for multiple challenges. Therefore, the definition that we have discussed earlier is the strongest possible security definition for this primitive. In 2015, Abdallah Burz, DeKar and Poncheval gave the first efficient construction for inner-product functional encryption schemes from standard assumptions. Unfortunately, their construction was only proven in the selectively indistinguishable security model, and this means that the adversary is forced to commit to the challenge even before seeing the public key. The results were improved in 2016 by Agrawal, Libert and Stele, who gave constructions from standard assumptions that were adaptively indistinguishable secure. In 2017, we gave a DDH-based construction that achieved semi-adaptive simulation security for inner-product functional encryption schemes. Semi-adaptive means that the adversary is not allowed to make any key queries before the challenge. And this work shows that it's possible to construct adaptive simulation secure inner-product functional encryption schemes from standard assumptions. And what we do concretely, we show that the DDH and DCR-based schemes from ALS-16 are in fact adaptively simulation secure. We do this by giving new security proofs. We also gave a generic compiler that transforms any adaptively indistinguishable IPFE into an adaptively simulation secure IPFE, as long as inner-products are computed module OP. In the next part of the talk, we'll focus on the adaptively simulation secure IPFE from DDH, which is a construction that evaluates inner-products over the integers. What I mean by this is that both message vectors and key vectors are n-dimensional integer vectors. And when we decrypt, we actually get the evaluation of the inner product of X and Y over the integers. So the main result of this section is a new security proof for the DDH-based scheme from ALS-16 that actually gives adaptive simulation security. The main insight is that the semi-adaptive simulator from 2017 can be adapted to answer pre-challenge key queries as well, thus making it suitable to prove adaptive security. Because in this work, we improve the security of the DDH-based scheme from ALS-16, we describe the scheme below. The action takes place in a group of prime-order P, where G and H are uniformly random generators. And we use the notation of square brackets of W to denote the encoding of the scalar W as a group element by raising G to the power of W. So this notation can be extended component-wise to vectors as well. So the master secret key is a pair of uniformly random vectors from ZP to DN. And the public parameters consist of the generators and the group vector bold H, which is computed as the encoding of this linear combination. To encrypt the vector X, we sample some randomness R, and we compute the encoding of R as a group element, and we compute the encoding of R times W, which is possible because the encoding of W is public. And to encrypt the message, we just hide its encoding by computing R times the public group vector bold H. To generate a functional decryption key corresponding to the key vector Y, we just output the inner products of the master secret key with this vector. The decryption is possible, and we actually can recover the encoding of the inner product of X times Y. So in order to decrypt, we will have to compute a discrete logarithm in group G. For this reason, we have to bound the magnitude of vector X and Y to make the computation of the discrete log possible. In the original work of ALS-16, the above scheme was actually proved to be adaptively indistinguishable secure under the DDH assumption. In 2017, we improved the results from ALS-16 by providing a semi-adaptive simulation proof for the same DDH scheme. The semi-adaptive model assumes that the adversary is not allowed to make any pre-challenge key queries. So we will briefly recall how the simulator from 2017 worked. To simulate the keeper, the simulation behaves like in the real scheme. In order to simulate the fake ciphertext, the simulator just encrypts the dummy message which consists of the zero vector. Now, when simulating the post-challenge keys, the simulator has to take into account that these keys must explain the correct decryption values when decrypting the dummy ciphertext. So notice that if we just give out keys as in the real scheme, these keys will always decrypt the dummy ciphertext to zero. So the idea to explain the correct decryption values is to somehow embed those decryption values into the generation of the post keys. We will zoom in into this process. So on input key vector y-post and the correct decryption value z-post, which is just the inner product of the challenge message x, y and y-post, the simulator will embed a linear shift of the correct decryption value into the keys themselves. And by carefully choosing the scalars alpha and beta, when decrypting the dummy ciphertext using these programmed keys, we will actually recover the correct decryption values. And if we do this after a careful analysis, it can be proved that the real and the simulated games are in fact computationally indistinguishable. So this is how the semi-adaptive simulator of we from 2017 worked. Now we are ready to describe the adaptive simulator that we use in this work. Notice that adaptive means that we have to be able to answer pre-challenge key queries as well as post-challenge key queries. So just like in the previous simulator that we have seen, our setup algorithm is simulated as in the real scheme. Now to answer pre-challenge key queries, we just answered them as in the real scheme. Namely, we just compute the inner product of the master secret key with the key vector y. Now when we simulate the ciphertext, we have to take into account that pre-challenge key queries were already given out. So the fake ciphertext will have to be compatible with all the key queries that we have given out in the pre-challenge phase. For this reason, we have to compute the dummy message xbar and encrypt it. And xbar is computed in such a way that it agrees with the challenge message on all the pre-challenge key queries. Such a dummy message can easily be computed just by using linear algebra. Now to simulate the post-challenge keys, we have a similar problem. We have to make them compatible with the challenge ciphertext. So we can solve this problem as we have seen previously in the previous simulator just by embedding the correct encryption values into the keys themselves. But now because in the challenge phase we encrypted the dummy message xbar, we have to cancel out that dummy message xbar. So for this reason we actually embed the linear shift of the correct encryption values minus the inner product of xbar and y. And as before we can choose alpha and beta in such a way that these post-challenge key queries correctly explain the fake ciphertext. The technique of statistical leveraging and the DDH assumption allows us to make the following argument. That the ideal experiment is just a real experiment where we replace the master secret key with a shifted version of it. But now since the master secret key has generated uniformly random modulo p, in fact those two distributions are identical. Therefore the two experiments, the real and the ideal experiment are computationally indistinguishable. The same proof strategy can be applied to the DCR-based construction of ALS-16 to get adaptive simulation. But in this case we need to slightly change the scheme, namely we need to increase the key sizes for our proof-to-work. The reason for this is that the master secret key in this construction cannot be given a uniform modern integer. Therefore the shifted distribution will not be identical to the initial one. And to make the statistical distance between these two distributions negligible we need to drown the small shift term. For the remaining of this talk I will be focusing on the generic compiler that allows us to achieve adaptive simulation security from LWE. We referred to IPFE mod p to schemes in which both messages and key vectors are integer vectors of dimension n, but the decryption actually recovers the inner product modulo prime p. The main result of this section is a generic transformation that takes as input an adaptively indistinguishable secure IPFE mod p and turns it into an adaptively simulation secure IPFE mod p. In particular we can apply this transformation to the ALS-16 LWE based scheme. The generic transformation works as long as the underlying scheme satisfies the following property. Secret keys corresponding to linearly dependent vectors can be computed by a linear combination of the old keys. Moreover, the final scheme has the property that the key generation algorithm is stateful, meaning that there should be a trusted authority who keeps track of all the keys that are issued by the scheme. The main idea behind our generic construction is to append n extra slots both in message vectors and in key vectors. We can do this while keeping the value of the inner product unchanged. Moreover, this extra flexibility that we gained by doing this trick enables both functionality and adaptive simulation. The intuition why this works is that these n extra slots are enough to simulate n-1 linearly independent keys, and for the inner product functionality this is enough. The reason is that the adversary is restricted by the functionality itself to not make more than n-1 linearly independent queries. As soon as he has n linearly independent queries he can recover the message, thus the security of the scheme becomes void. The other reason why it's sufficient to simulate n-1 linearly independent keys is because of the underlying property of the underlying IPFE scheme. Namely, all the other keys that the adversary might ask can be obtained as a linear combination from these n-1 linearly independent keys. If IPFE is the underlying adaptive indistinguishable scheme, then our construction goes as follows. At setup, just run the underlying setup algorithm for double the input length n. To encrypt the message vector x, just append to it n zeros and feed that to the underlying encryption algorithm. To generate a key, if the key vector yi is linearly independent from the previously queried key vectors, then set yi as yi to which we append the canonical vector and some randomness, and feed that to the underlying keygen algorithm. Else if yi is dependent then compute the key via a linear combination of old keys. The correctness of the scheme should follow in a straightforward manner from the correctness of the underlying scheme. We will now describe the adaptive simulator that we use to achieve adaptive simulation security for the generic compiler. As we have previously discussed, we can assume that the adversary only asks for linearly independent keys. So from now on, we assume that all the keys that the adversary asks are linearly independent. The simulated setup algorithm is just like the real scheme setup, except that all the randomness that is sampled to compute the linearly independent keys are sampled at the beginning in the setup algorithm. The simulated pre-challenge keys also are honestly generated just like in the real scheme. Just to refresh our memory, an honestly generated key is as follows. First, we compute yi pre by appending the canonical vector and the randomness ri to yi pre, and just feed this value to the underlying IPFE key generator. Now, when we simulate the ciphertext, we have to take into account the pre-challenge keys, and we have to make the simulated ciphertext be consistent with the pre-challenge keys. So we do this by first computing x-bar, such that x-bar agrees with the challenge message x star on all the pre-challenge keys. And we use x-bar to construct x-bar hat as in the slide, and we just encrypt x-bar hat using the underlying encryption algorithm. And this is how we simulate our ciphertext. Notice that the simulated ciphertext is consistent with all the pre-challenge key vectors. Now, when we simulate the post-challenge keys, we have to simulate them in such a way that they are consistent with the fake ciphertext, meaning that they should decrypt the correct value when we decrypt the fake ciphertext. And we do this by embedding the linear shift, as we used to do it in the DDH keys. But this time we embed it in the same slot as the randomness ri. And also notice that when we decrypt the fake ciphertext using these post-challenge keys, we get the correct decryption values. And using the adaptive indistinguishability property of the scheme, we can actually prove that the real and the ideal game are computationally indistinguishable. But we won't go into those details. I just wanted to present how the simulator works. So in conclusion, we proved optimal security for the inner product functional encryption scheme under standard assumptions like DDH, LWE or DCR. We managed to do this by giving new proofs for the ALS-16 schemes and by giving a generic compiler that takes any adaptive indistinguishable scheme and transforms it into an adaptive simulation scheme. Thank you.