 Hi, I am Dapushpa from Indian Institute of Technology, Kharagpur. Today I will be presenting our one compact adaptive DCQ review for attribute weighted sums from Kaling. This is a joint work with Kothistathu from Entity Research. And this work is done during my internship at Entity Research. In the functional encryption scheme, there is a set of authority who generates master's secret key and a master's public key. Using master public key and encryptor encrypts the message in and generates a cyber-tech CT. The decryptor who wants to decrypt the cyber-tech CT, where is a functional secret key SKF corresponding to the functional to the central authority. The central authority will generate a secret key SKF and gives it to the decryptor. Having a SKF, the decryptor can now decrypt the cyber-tech CT and launch function of the message in. The security of functional encryption scheme is defined in two models. First one is indistinguishable security model. In indistinguishable security or functional encryption, the adversary submits two pair of challenge messages M0, M1 in the challenge space. It cannot distinguish between encryption of M0 and the encryption of M1, given the fact that all the functional secret keys SKFI corresponding to the function FI that adversary has squared it satisfies the fact that FI of M0 equal to FI of M1. Adversary can query multiple number of six such secret keys. If the number of secret keys is priori bounded, then we call the scheme bounded collision resistance. And if the adversary is allowed to submit any polynomial number of secret key queries, then we call the scheme unbounded collision resistance. Simulation security of functional encryption is defined by two worlds. First one is the real work, where the challenger runs all the algorithms honestly. Second one is the ideal work, where the challenger runs the signature version of the algorithms. The adversary submits the single challenge message during the challenge space. The challenger will now compute the challenge server text using the challenge message M in the real world. And in the ideal world, it uses the functional values of the message M for all the functions that adversary has squared it for the security till now. For the post-challenge secret key queries, the challenger can use the functional values directly during the key generation process. The adversary will not be able to distinguish between the real and the ideal world. The simulation security captures the fact that the adversary can learn only the functional values from the challenge ciphertext for all the functions that it has a secret key. Both indistinguishability and simulation security are further classified into selective, semi-adaptive and adaptive security notions. I will discuss those notions in simulation security setting. In selective simulation security, the adversary will submit the challenge message M before seeing any public parameter. It can also query for many functional secret keys. The adversary should not be able to distinguish between the real and the ideal world. In semi-adaptive case, the adversary can see the master public key before choosing the challenge message M. In adaptive simulation security, the adversary is allowed to query some functional secret keys before choosing the challenge message. It can also query for some functional secret keys after seeing the challenge ciphertext. What we can see now that selective security is seems to be weaker than semi-adaptive security and semi-adaptive security is weaker than adaptive security. And in all such cases, simulation security implies indistinguishability security. In this paper, we construct functional encryption scheme for attribute related some functionality introduced by AGW20. In this functionality, the message M consists of two parts. First one is the public part, which is Excel. And the second one is the secret part, which is JDI. During decryption, the decryptor will learn the function of the message M, which is as follows. Summation over I, FXI transpose JDI. If I is not a private bounded, then you call the scheme a non-exploit scheme. To get an idea about the significance of the functionality, I will discuss some special cases. Firstly, if F outputs a fixed factor, then this functionality will imply inner product function encryption. Secondly, if J is payload and F is a Boolean function, then this functionality will give you attribute-based encryption. Lastly, if FX is of the form Y times GXY, where Y is a fixed factor and G is a Boolean function, then this functionality will imply attribute-based IPA-free, recently introduced in AGW20. There are some interesting applications of this functionality. I will discuss one of them. Suppose in a banking sector, all the employees are divided into certain categories. Job, JI, age, AI, experience, AI, salary, GI. Now let's say we want to compute the various salary of a certain group of people. Where JI is cashier, AI is greater than 40, and AI is equal to 10. That means the job is cashier, age is greater than 40, and experience is of various. Then using the attributed some functionality, we can calculate the average. By calculating summation of I, F of JI, AI, AI times GI, where XI is equal to JI, AI, AI, which are public part of the message, and GI, which is salary, is the secret part of the message. AGW20 proposed functional encryption schemes for attribute-weighted some functionality, with some interesting features. First one is that their scheme supports unbounded slots for weight functions, which are arithmetic branch important. The sci-fi text search depends only on the private part of the message, and the security is based on the KLEE node entity assumption, which are known to be standard assumptions. However, the security is based on only semi-adaptive simulation security. That means the scheme would not provide adaptive simulation security. As it seems that selective security is weaker than semi-adaptive security, however due to GKW, 16 selective security is equivalent to semi-adaptive security. Although existing transformations from semi-adaptive to adaptive security requires much more expressive functionality. This means that the underlying semi-adaptive secure functional encryption scheme should support general circuits. Therefore AGW20 proposed an open problem in their paper, how to construct a fee for attribute-weighted some with unbounded slots for AVP, having compact safer text, and adaptive simulation security based on standard assumptions. Now I will present some previous works and challenges in solving the proposed open problem. The left hand side of the screen, we have shown some ABEs presented in the context of partially attribute-weighted AGE 17 proposed ABE for general policies with semi-adaptive simulation security. ABE 17 proposed a much more efficient ABE for AVP policies with semi-adaptive simulation security, whereas DEUT 18 proposed ABE for AVP policies with adaptive simulation security. In the right hand side of the screen, we see some functional encryption schemes for different functionality. Starting from ACGU 20, where they proposed an attribute-based inner product functional encryption schemes where the policies are in certain circuits. The security is based on a distinguished duty-based adaptive model. AGW20 proposed ABE for attribute-weighted some functionality where the weight functions are arithmetic branching programs and the security is modeled as semi-adaptive simulation security. Their scheme also supports unbounded slot. AGW20 proposed ABE for quadratic functions with semi-adaptive simulation security. Lastly, AGW20 proposed ABE for inner product functional encryption with unbounded collision and adaptive simulation security. So, what we can see is that achieving unbounded collision with adaptive simulation security for function encryption is really a challenging task and till now we know it only for inner product functionality. In this work, we build ABE for attribute-weighted some functionality where the weight functions are AVP and we propose a scheme in adaptive simulation security. First, we propose a one-slot scheme, then we extend it to unbounded slot scheme with a small caveat, which I will extend the next slide. Our scheme supports compact cybertext, which means that the cybertext science will not grow with multiple occurrence of a particular attribute in the weight function. Our scheme is based on K-LIN assumption, which is a standard assumption and it basically generalizes the framework given by LN20 from ABE to FE, that means from a load-hiding to partial attribute-hiding setting. Also, we extend the industry we shoot the security of LN20 to simulation-based security for our FE. I will first keep the overview of our function encryption scheme before discussing our main construction. So, we require two cryptographic tools. First one is information theoretic tool, arithmetic key, carveling scheme, and short AKGS, which is a particular type of randomized encoding. And the second one is a computational tool, which is function-hiding inner product functional encryption in short IPFE. Using AKGS and IPFE, we first construct a one key one cybertext secure one-slot FE scheme in the security setting. Then we extend it to a one-slot FE scheme in the public key setting. However, for that we require a slotted version of the IPFE. I will discuss about the slotted IPFE in a bit. Then we extend our one-slot one FE scheme into a one-slot one EXTFE scheme, which is again in the security setting, and it supports one key and one cybertext. So, what is the EXTFE functionality? The secret key is generated for a function and a vector Y. And the cyber fix is generated for a vector X, which is public and a vector Z, concatenated with a vector W, which are secret. The decryption will recover from effects transpose Z plus Y transpose dark blue. Then we extend this one-slot one EXTFE scheme to a full-fledged one-slot EXTFE scheme, using the same idea that would be involved in the assumption of one-slot one FE to one-slot FE scheme. That means we require slotted IPFE. After that, we use the assumption given by AGW20 with a little modification to get our unbounded-slot FE scheme in adaptive simulation with security. Here, I would like to mention one thing is that in our one-slot FE scheme, adversary can query any polynomial number of secret keys both before and after the challenge cybertext. Whereas, in our unbounded-slot scheme, adversary can query a primary bounded number of secret keys before challenge cybertext. And after challenge cybertext, it can query any polynomial number of secret keys. I will discuss the notion of arithmetic key gardening scheme. The Garville function takes a function F and the secret beta as input, where F is an ABP from JP to the current JP. Z and X are variables and R belongs to JP to the current M is the randomness. The Garville function outputs level functions L1, L2, Lm plus 1. Suppose these level functions are known for some particular values of X and Z. The level values are L1 to up to Lm plus 1. These level values are now fed into some event algorithm which takes input F and X and outputs the functional value Zfx plus beta. In simulation security, the simulator takes the input F, X and the functional value Zfx plus beta and outputs a set of simulated levels L1, Lm up to Lm plus 1. These level values are identically distributed with the level values output by the Garville algorithm. And we call it simulation security for AKGS. I will discuss some properties of linear function, linear properties of the level functions. Firstly, Li is linear in X that means if we take a product of Li and 1, X it will be the level value of that particular level Li. Li is also linear in X, Z and R and in particular Lm plus 1, Z is equal to Z minus of Rm. Where Rm denotes the Mth component of the vector R. Here algorithm is also linear in the level values L1 to up to Lm plus 1. In order to prove the adaptive security of ABE, LL20 introduced piecewise security motion for AKGS. It has two motions, reverse sampling and marginal randomness. Reverse sample algorithm takes input the level values L2 to up to Lm plus 1, F, X and the functional value Zfx plus beta and simulates the first level L1. Such that the set of level values L1 to up to Lm plus 1 is identically distributed with the level values output by the Garville. This property is called reverse sampling. In the second property, given the level functions for J greater than 1, Lg plus 1 to up to Lm plus 1, we can actually sample the Jth level function Lg uniformly at random. This property is called marginal randomness. LL20 also showed that the partial Garville scheme of IW14 is an AKGS with piecewise security and piecewise security implies simulation security. In inner product function encryption, the key generation algorithm takes input a vector V and outputs a secret key SKV. The encryption algorithm takes input a vector U and outputs a secret key CTU. The decryption algorithm decrypts the cybertext CTU using SKV and outputs the inner product between U and V. In terms of security, given a set of secret key cybertext distribution for beta equal to 0 and beta equal to 1, these two distributions are computationally indistinguishable given inner product of UI0 and VJ0 is equal to inner product of UI1 and VJ1 for every I zone. This is called the function hide and seek of IKV. For our work, we have used IKV in the pairing group model. That means the key generation and encryption algorithm can take the vectors in the power of the source group G2 and G1 respectively. The decryption algorithm uses the pairing operation E and outputs inner product U, V in the power of the target group. We now discuss our one-slot 180 scheme. Suppose we have a function if which consists of an N-prime number of APPs FT where T runs from 1 to N-prime. Now we gargle the function ZT times ZTx plus beta T where ZT and X are variables and beta T are secret. And RT is the randomness used in the gargle algorithm. And beta T are chosen such that summation of beta T is equal to 0. The gargle algorithm outputs the level functions L1T to up to L9 plus 1T. We consider two IPFE scales. The first IPFE used is used to hide the first N level values and the second IPFE is used to hide the N plus 1th level value. First IPFE using the first IPFE will compute so the secret key corresponding to the level functions L in JT for JRs from 1 to N. And using the second IPFE will compute IPFE secret key corresponding to the vector R2,1. While generating ciphertext corresponding to the vector X from a JT we use the first IPFE to compute an IPFE ciphertext for the vector 1,x. Using the second IPFE we compute an IPFE ciphertext for the vector minus 1,jt. Now if you decrypt using the first IPFE then we get to know the first N level values L1T to up to L9T. And if you output the decryption algorithm of the second IPFE then we get to know the N plus 1th level value which is JT minus RTM. Now since we have all the level values in the power of the target group we can apply the evil algorithm. And since evil algorithm of AKGS is linear in the level values therefore we can compute the linear operation in the power of the target group. So each FT will give JT times a TX plus beta T. And if we multiply all these evaluated terms we learn effects transpose of JT. Now recall that our one IPFE scheme is only secured for a single secret key. Since our goal is to prove adaptive simulation security we assume that the adversary is submitting the secret key before challenge ciphertext. The proof of our one-slot one IPFE scheme is inspired by LM20 where we have used pre-MS and Pregnancy technique along with the piecewise secretive AKGS and function-metting secretive IPFE. The one IPFE scheme already supports multi-secret key and single ciphertext since AKGS is insecure for multiple evaluation. For that we first introduce a random element S into the ciphertext vector. Then we move this random element S to the secret key vector using IPFE security. Now using DDH we can argue that the level functions are randomized. However if you look at the decryption and procedure of the function and decryption scheme then the value S is multiplied with the term JT FTX plus beta T. Since this value S is not available to the decryptor the decryption algorithm will not be able to output effects transpose JT. For that we use additional vector A. We are now garbling the function JT times A outer times 50x plus beta T outer such that summation of beta T outer is equal to 0 for each outer. We compute additional IPFE secret key for the vector A comma 0. And for J equal to M plus 1 we compute the IPFE secret key corresponding to the vector RT outer M comma A. While generating ciphertext for the vector X comma Z we generate IPFE ciphertext corresponding to the vector S comma S tensor product X and this ciphertext corresponding to the vector minus S comma S dot JT. Now if you look at the decryption all the level functions are now the linear combination of the level functions LJT iota with the coefficient vector S. Since the event algorithm outputs A dot S dot JT times FTX plus beta T dot S and A dot S is available to the decryptor and the fact that summation of beta T is equal to 0. Therefore the decryptor can easily compute effects transpose JT. Another problem remains is that the encryption algorithm still uses master secret key of the IPFE and our goal is to make the encryption algorithm public. For that we use the notion of slotted IPFE. In slotted IPFE vectors are divided into two slots. One is public slot and encrypted in the public slot requires only master public key and another is private slot and encrypted in the private slot requires master secret key. And function hiding security holds only in the private slot. This is now the original scheme. I will now discuss the security proof of our one slot IPFE scheme. Hybrid 0 is the real experiment where all the algorithms are run honestly. In hybrid 1 we activate the private slot. That means the encryption algorithm will be using master secret key. And the index term we should follow from the slotted correctness of the IPFE. In hybrid 1 we see the inner product values are a dot s, little j t, x and minus r t m plus a dot s times j t. These inner product values will be now computed through private slots. So, in hybrid 2 we make all the public slots in the cypher text 0 and rearrange the terms so that the inner product between the cypher inspector and the secret key vectors remains unchanged. And hence the security will follow from the function hiding IPFE. Our next rule is to randomize the level functions using phrase the sample random values for r t m and a dot s. So, in hybrid 3 we press the sample those values and the index term we should follow from the m d d h assumption. In hybrid 4 we apply pre-image sample ability technique. The simulator knows the function value mean f corresponding to all the pre-cypher text key queries f. So, it can solve the linear system of equation fx transpose z equal to mean f and get a done effected d such that fx transpose z equal to fx transpose d. We will use this vector d in cypher text vectors. So, we add additional hidden slots minus 1 d t minus 1 z t. And the corresponding vector elements in the secret key vector are all 0. Here we extend the dual system encryption abstraction used by ln 20 into a 3-slotted encryption technique. The first slot is minus 1 z t, the second slot is minus 1 d t and the third slot is minus 1 z t. Our goal is to make all the pre-cypher text secret key queries to interact with only the second slot that is minus 1 d t. For that we consider only the first pre-challenge secret key query and we do it one by one through a loop. In the first hybrid of the loop, we copy the secret key elements from first to third slot. Since first slot and third slot are the same in the cypher text vector, therefore the inner product will remain unchanged. Hence the indistinguish duty will follow from the function ID security of IPFE. Now at this stage we will apply our one key one IPFE scheme security in the third slot and make the element in the third slot from z t to d t. For that we need to introduce some additional hidden subspaces. Now you note that all the other secret keys are interacting with minus 1 z t of the first slot and only the first pre-challenge secret key is interacting with the third slot. Since second slot and third slot are same, therefore we can copy the secret key vector element from third slot to second slot. Now the first pre-challenge secret key is interacting with the second slot which is minus 1 d t and we make the third slot back to the normal stage which is minus 1 z t. We can repeat this technique for all other pre-challenge secret key queries one by one and after this loop all the pre-challenge secret key queries will interact with the second slot. And all post-challenge secret key queries will interact with the first slot and the third slot has worked for us as a temporary o-station. Now we will modify all the post-challenge secret key queries. For the post-challenge secret key queries, since we know the challenge message vectors x z, therefore we can directly put the label values into the ciphertext. Next we will use the simulation security of a kgs to simulate the values using the simulator. But we can see that the simulator still uses a tilde z t f t x plus beta t tilde for simulating the function f t. However the final simulator should be using only fx transpose z for that we use a statistical transformation using beta t tilde. And we use f1 to simulate the value a tilde fx transpose z plus beta 1 tilde and all other functions f t will simulate the value beta t tilde. Finally, hybrid 9 is our simulator where all pre-challenge secret key queries will interact with minus 1 dt and we have used the a kg simulator for all post-challenge secret key queries. So till now what we have seen using a kgs and IPFE we construct one-slot one iffy and we convert the secret key one-slot one iffy scheme into a public key one-slot iffy scheme. How we can convert our one-slot one iffy to one extf iffy scheme. Let us see that. We recall that our one extf scheme has this functionality as follows. The secret key is generated for a function f and a vector y. And the ciphertext is generated for a vector x and a vector z concatenated with another vector w. And the decryption outputs fx transpose z plus y dash plus w. Here we use the linear property of the algorithm. We recall that even algorithm is linear in all the level values. Our idea is to see that if we add any value new to the first level value l1t then the value new will come out of the evaluation and we get jt times fdx plus new plus beta t. Our idea is to use this new to compute the term vector transpose w. For that, for only the first level function we compute ipv secret key for the vector l1t comma y. And during the ciphertext generation process we compute the first ipv ciphertext for the vector 1x comma w. Now you can see that the term y transpose w will be added to each level value l1t. Hence we need to secret share the value y transpose w through all fd. So we introduce additional random element alpha t in the secret key generation process such that summation of alpha t is equal to 1. And new t is added to the value l1t where new t is equal to alpha t times y transpose w. Now if we multiply all the evaluated terms then we can get fx transpose j plus y transpose w which is the required functional value. Using this idea we convert our 1 slot 1 ipv to 1 slot 1 htv. And using the same idea involved in the transmission of 1 slot 1 ipv to 1 slot ipv we convert our 1 slot 1 extv to 1 slot htv. Finally we use AGW20 transmission to convert our 1 slot htv to unbounded slot ipv. Here we note that adversity can only query key number of two ciphertext secret keys. This is due to the fact that we are unable to solve the linear system of equation if the coefficient matrix is available in the exponent of a group. For that we have introduced Q-mini additional hidden subspaces in secret keys and ciphertext to incorporate all the pre-cyphertext functional values into the channel ciphertext. I will now conclude my talk. So in this work we present a functional transmission scheme for attribute weighted sum functionality where the weight functions are arithmetic branching program. The security is defined by adaptive simulation based security model. Our scheme supports unbounded slot with compact ciphertext which means the ciphertext size will not grow with multiple occurrence of a particular attribute in the weight function. Our scheme is secured based on K-lean assumption. So from the technical ground we generalize the Penal-20 framework from attribute based inclusion to functional inclusion or from payload hiding to partially attribute hiding setting. Our one slot scheme the ciphertext size grows with the size of bifit and public part of the message. And additionally for our unbounded slot scheme the ciphertext size grows with the number of pre-channel secret queries. Whereas the semi-adaptively secure FE scheme of AGW-20 the ciphertext size grows with the private part of the message. Therefore it is an interesting open problem to investigate a functional inclusion scheme with adaptive simulation security where the ciphertext size grows with only the size of the private part of the message. Another interesting open problem is to construct a functional inclusion scheme for general circuit or EVPs with selective security and unbounded slot with compact ciphertext based on AWA assumption. Thank you. If you have any question you can discuss during the video.