 Hello everyone, I'm Natmeh and in my social distancing mood, I will present you our result in verifiable in-apportive encryption scheme which is a joint work with Vincenzo, Alfredo, Peterone and Piteria. I will start my presentation with a short introduction on Functional Encryption Scheme FG, and then explain the concept of verifiable for FG in general, then I will define my in-apportive encryption scheme, IP for short, and then I can introduce our perfectly correct IP which allows us to construct a verifiable IP, and I will end up my presentation with mentioning some application of verifiable in-apportive encryption scheme. You all know in classical encryption scheme the output of the decryption algorithm is either the original message or some error. While in FE the output of the decryption algorithm is an evaluation of the original message or some error. So in FE we need to have at least four algorithms. One algorithm to generate the token for specific functionality, for example here function F, we need a setup algorithm to generate a master public key and master secret key which this master secret key used in token generator algorithm and master public key is used in encryption algorithm. An encryption algorithm works as usual taking the message and master public key as input and generate some side effects. In the standard setting of FE it is assumed all the party to run their algorithm faithfully. And this implies that in presence of any dishonest party, either the party who run the setup or the encryptor, the decryption output may be inconsistent and this rates serious issue in practical application. So for example this is an interesting scenario that's mentioned in this paper. Assume there is a cloud server which stores some encrypted image or document and the police may require the server to search for a specific image of some criminal. And the server can generate some token for the police which recover the data if and only if the data includes the criminal name or image. As you can see here FE would be useful because it helps to recover the related data while it preserve the privacy of innocent user. However if the server somehow relates to the criminal, the server related to the criminal it's possible for the server to generate a faulty token for the police. And since the police just use the token for decryption algorithm he never know that he has the valid token or faulty token. So in order to solve this problem for functional encryption scheme in this paper in 2016 they put forth the concept of verifiable FE which essentially guarantees that these honest encryptors and authorities even when cloning together are not able to generate cyber takes and token that give inconsistent result. So the concept of verifiable FE says something like this that if in some FE we have some public verification algorithm such that if some stream like in cyber takes master public key and the token has this public verification procedure then for every output of the decryption algorithm there exist some message M such that F of M is equal to Y. And also if we have two different token for function F and G then there exist some message that F of M is equal to Y and G of M is equal to Z. Just note that we have we use the same cyber takes for both of these decryption algorithm. We will give a formal definition for verifiability later on in IP scheme. I just like to mention this point that verifiability and security are two conflicting requirements for an encryption scheme. It means that if you put too much effort to make a scheme verifiable I mean the perfect verifiable maybe we lose somehow the security or we have ourselves. So this is the reason why having secure verifiable encryption scheme is a challenging problem. And therefore that encryption scheme is a notable special case of FE for this functionality. Here the message is a pair of M and X which M is a member of the message space that we call it payload message and the vector X is the attribute coming from the set of sigma. And the token is associated with a vector V which also is from this set. And the functionality is this function which returns M if the inner product of X and V is 0 and this symbol at the rest. Same as FE in IP if we have four algorithms. Set of algorithms generate master security and master public key. The only difference is that here we have the vector length as input. In encryption algorithm we have V encrypt the payload message M with respect to attribute X. And the token is generated for the vector V which is specified the function. And finally this decryption algorithm. The IP any IP needs to have a correctness property and the correctness property is that the output of decryption algorithm is the original message M if the inner product of X and V is 0. And this probability should occur with the overwhelming probability. It means that here we are allowed to have a negligible probability of error. Also notice that in attribute hiding IP the vector X is kept secret and the only information someone can get from the decryption algorithm would be the vector is orthogonal to vector V or not. Essentially the IP is similar to IP except that it has some extra verification algorithm. Verifying the side protect, verifying the token and verifying the master public key. This tree verification algorithm outputs 1 if the input was correctly generated and outputs 0 otherwise. Verifiable IP also needs correctness but one subtle difference between the correctness in IP and VIP is that VIP has to have a perfect correctness. This means that this probability must be equal to 1 because if this scheme has a negligible probability of decryption error rather than perfect correctness this honest party might include with each other so that the invalid result would be accepted by the verification algorithm. And actually achieving the perfect correctness for some IP is quite a challenging step. Also verifiable IP needs to have a verifiable property which said that for every string here NPK, side protect and the token if this string has verification algorithm then the output of the decryption algorithm would be equal to the evaluation of this function for some SHM. Also here the probability should be equal to 1. So to start constructing VIP first we need to have a perfect verifiable IP. To our knowledge most IPs scheme known in the literature have an actual probability of error which makes cheating possible and so they are not directly usable to construct VIP. So our first challenge was to construct one. We have started with IPs scheme introduced in BIPARC. In this scheme the decryption algorithm output MSTAR which MSTAR is equal to this formula. Here London 1 and London 2 are randomness value used in the token generation algorithm and S3 and S4 are randomness used in the encryption algorithm. And as you can see this part is random value. MSTAR would be equal to M if the inner product of X and V is equal to 0 but it also would be equal to M if London 1 S3 plus London 2 S4 is equal to 0. This is the first issue because we don't want this happen and this is exactly the point that the negligible probability of error and here there is another issue which is how the decryption algorithm decides whether to accept the output of the decryption or not because the decryption algorithm doesn't know anything about doesn't know any information about the vector X so it doesn't know that X and V are orthogonal or not so it's really important to how to decide that output MSTAR or output the error. The first item would be the following. Generate two ciphertexts CT and CT prime with two the independent random values decrypt both ciphertexts to get M1 and M2. Output M1 if M1 is equal to M2 and accept the result or if M1 is not equal to M2 output the error. But this is not working because regardless of the inner product of X and V if these two random values are equal to each other then M1 is equal to M2. So in this scenario we would have more serious issues. So to avoid that issue we choose the randomness value in a way that that equality can never appear. To do so in the encryption algorithm we choose non-zero randomness value S1 to S4 and S prime 1 to S prime 4 such that S3 is not equal to S3 prime and S4 is equal to S4 prime. In this case since S3 plus S4 is never equal to S3 prime plus S4 we can conclude that M1 is equal to M2 if and only if the inner product of the vector X and V is equal to zero and the decryption algorithm just outputs M if M1 is equal to M2 and otherwise it outputs the error. So during our research we went through this cycle a lot modified the scheme, designed the verification algorithm tried to do the security proof then we didn't manage to do the security proof then we had to modify the scheme again and we went through this cycle a lot but fortunately we finally could manage to get the result. Finally we had our perfectly correct inner product encryption scheme which is efficient because no need to solve a discrete log in the encryption algorithm and this implies that we can use this inner product encryption scheme for line messaging space and also it's secure, it's indistinguishable secure based on the standard assumption based on dealing and BDDH and also it is attribute hiding and this helps us to construct our very favorable inner product encryption scheme with the major advantage of this VIP is that we don't need any trusted party. Now I would like to talk a little bit about how we construct our VIP. To do so we use the transform of FE to V FE introduced in this paper which transfer a perfectly correct FE to a verifiable FE. For doing this we need for perfectly correct RPE along with the commitment scheme and this means that we have to run each algorithm four times with different master public key and different master secret key and each algorithm also has an extra step to provide a proof for some specific relation. For example, for encryption algorithm the encryption algorithm generates for ciphertext 61 to 64 and then we need to provide a proof that either all of these ciphertexts are the encryption of the single message M or two out of four of these ciphertexts are the encryption of same message and the zero is commitment to some value and that one is a commitment of zero. That zero and that one are part of the public parameter that generated in the setup algorithm. I'm not going to explain more about them because it will be a little bit confusing. So based on this kind of predicate that we need to provide that our these four ciphertexts kind of satisfy this predicate based on this we define the specific relation for our our scheme as you can see it's a little bit messy. In the next step based on the structure of our ciphertext that you can see here we define some variable and to relate this variable this actually ciphertext to this relation we design this system of equation and then we use the gross eye new proof system for this system of equation to generate a proof the new proof that our ciphertext actually satisfy this predicate. Of course we prove that this system of equation is equivalent to that relation. Just I'm not going to detail of this system of equation as you can see it's a little bit messy the only thing that I would like to mention that we have another challenge in generating the new proof system and using the gross eye technique and the challenge that we had was related to some of the relation that define in the transformation for FE to verifiable FE because in some of the some of the relation consists of generalized form of disjunction and the standard technique to implement disjunction for gross eye proof cannot be directly applied. So we had to do some modification which you can see in the paper. Okay this almost I almost done and in the last part I like to just briefly explain briefly talk about the application of VIP there are many application for IP and VIP for example anonymous identity based encryption scheme predicate encryption scheme supporting polynomial evaluation hidden vector encryption and polynomial commitment scheme. And in the last to construct a verifiable polynomial commitment scheme from our VIP Alice can do the following steps assume she has this polynomial in this PX and she wants to commit to this polynomial and she doesn't want to remove this polynomial. So she can define the vector X based on the polynomial coefficients and put the one in the last component around the setup algorithm and for dimension D plus 1 to generate the pair of keys and encrypt this vector with this the IP scheme to generate the ciphertext and as a commitment she can send the commitment she can send the master public and the ciphertext to Bob. And in opening phase if Bob wants to get the evaluation of polynomial on value n he can define the vector V as this and ask for the token for this vector. As you can see the ear product of X and V is equal to polynomial on point M minus Y. So if the output of decryption algorithm is equal to zero it means that the polynomial evaluation of value M is equal to Y. And since this is a verifiable polynomial commitment it doesn't, there is no need that Bob trusts Alice to be honest. So if all the verification has great output 1 it means that Bob can trust Alice otherwise he doesn't need to. So I think almost that's it and this is my difference. Actually the difference that I used in my presentation and thank you for your attention and I would be happy if there is some question.