 I am Junichi Tomida and I will present our paper First Compact and Expressive Attribute-Based Encryption. This is joint work with Yuto Kawahara and Ryo Nishimaki from NTT. Attribute-based encryption is a cryptographic paradigm that yields fine-grained access control of encrypted data. In typical use case, an authority generates a public key and master secret key. The authority can issue a secret key for an attribute set S using the master secret key. In encryption, a user can encrypt a message on behalf of a formula F. The ciphertext is decryptable by the secret key for F if the attribute set S satisfies the formula F and otherwise the decryption reveals nothing. In this example, S contains the attribute A and decryption reveals the message. Here, the policy F is expressed by a Boolean formula and associated with the ciphertext. So, this scheme is called ciphertext policy attribute-based encryption for Boolean formula. Our goal in this work is to construct practical A-B schemes. Recently, Agrawal and Chase proposed practical A-B schemes called FAME, which satisfies the properties 125. Briefly, in their scheme, the attribute universe size is exponentially large. The maximum size of attribute sets are not fixed. It runs in first type 3 groups and decryption can be done with a small number of pairings and they achieve adaptive security under standard assumptions or K-linear assumptions. Aiming to construct more practical A-B schemes, we propose A-B schemes that satisfy the properties 6 and 7 in addition to the properties 125. We explain what these properties are in the next slides. We first explain the compactness of A-B since it is easy to see. In a C-P-A-B scheme, we call it compact if secret key size is linear in the attribute set size and independent of policies used in the scheme even in the merge use setting. In the K-P-A-B case, the compactness implies that the ciphertext size is linear in the size of S. The merge use setting means that we can use each attribute more than once in a policy. In this example formula F, attribute A is used twice and this is the multi-use of attributes. Typically, the secret key size grows linearly in the size of S times the maximum number of multi-use in compact A-B schemes. We next explain non-monotone A-B for Boolean formulae. We call A-B schemes monotone if policies are expressed by Boolean formulae with operators and and or in the scheme. On the other hand, we call A-B schemes non-monotone if policies are expressed by Boolean formulae with operators and or and not in the scheme. Non-monotone A-B is necessary for black-rich sync access control and more expressive than monotone A-B. There are two types of non-monotone A-B. One is called OT type by Okamoto and Takashima and the other is called OSW type by Ostrofski, Sahai and Waters. Next, we explain the difference of these two types. As shown in the picture, an attribute typically consists of a label and value in many cases, like Alice's attribute is faculty role and year first, blah blah blah. In the OT type, attributes are regulated as in the left side and policies are specified like the green formula. On the other hand, in the OSW type, attributes are regulated as shown in the right side and policies are specified like the red formula. Semantically, the former policy is satisfied if one has attributes for faculty and year and the value for faculty equals role and the value for year does not equal first. Thus, Carol does not satisfy the policy because she does not have an attribute for year. The latter formula is satisfied if someone has attribute faculty role and does not have year first. In this case, Carol satisfies the policy because she has attribute faculty role and does not have year first. We consider that the OT type is more suitable for the real applications and we will explain the reason. Let us consider the following example. Suppose there is an ABE system in which only the label faculty exists and he is a first year student in the faculty of role. At some point, label year is added to the system and ciphertext with policies including the new label will be generated. Also, new keys will be distributed. The important fact is that he can decrypt the new ciphertext with the old key since this key does not have attribute year first in the OSW type ABE. However, this is a problem since he is a first year student. On the other hand, this problem does not occur in the OT type ABE. This is why we consider that the OT type is more suitable for real-world applications. Thus, our scheme employs the OT type non-monotonicity. We explain the basic idea of how to achieve these properties. To achieve the five properties demonstrated before, we rely on the fame construction and extend it to achieve additional two properties. Intuitively, a structure of a basic component in fame can be seen as a one-time part, while the counterpart of our schemes can be seen as a combination of identity-based encryption and its negation, N-I-B-E. The non-monotonicity of our schemes comes from the N-I-B-E component and the compactness comes from the fact that I-B-E and N-I-B-E allows us to generate many ciphertexts under a single parameter or a single public key. However, we encounter a problem to achieve these properties simultaneously. Recently, Koalchuk and we solved the notoriously difficult problem of how to achieve compactness and adaptive security under standard assumptions, which was presented in Eurocrypt 19. We found that it is still not straightforward to achieve non-monotonicity in addition to property 5 and 7, even if given the recent result of Koalchuk and we. Our main technical contribution in this paper is to improve the technique by Koalchuk and we in two ways. First, we made it applicable to non-monotone A-B-E, and second, we made it applicable to A-B-E schemes with a smaller number of group elements than the original KW scheme. In this talk, we focus on the first technical contribution and we briefly introduce the result of the second contribution. In the original KW technique, when generating a secret key or ciphertext associated with the formula F, we need the same order of group elements as the number of all nodes of the formula F. We improve it so that we can construct A-B-E schemes where the order of group elements for the formula F corresponds to the number of leaf nodes of the formula F. Let us recall what the adaptive security of A-B-E was. The adaptive security requires that all polynomial time adversaries cannot distinguish the challenger's speed with the meaningful probability in the following game. First, the challenger gives a public key to the adversary. Then, adversaries can make any number of secret key queries and the one-challenge ciphertext query adaptively. Finally, the adversary tries to guess the bit B. And as a game condition, the adversary is prohibited to get a secret key that can decrypt the challenger's ciphertext. The standard way to achieve the adaptive security of A-B-E is the dual system technique by Waters. Roughly speaking, it is sufficient to prove the indistinguishability of one A-B-E for the dual system technique. In one A-B-E, the adversary can obtain one ciphertext and one secret key. The example of this slide is the case of Bonnet-Boyan I-B-E in composite order binary groups. The security of one A-B-E implies that a normal key, as shown in the left-hand side, and the semi-functional key, as shown in the right-hand side, are indistinguishable, even given the ciphertext. Observe that the semi-functional key has the additional h2 term in the second element. The KW technique is a method for proving the adaptive security of one A-B-E. More concretely, for a check, we prove that the challenger's bit in the following game is indistinguishable. First, the challenger generates a secret key of secret key encryption scheme and a secret mule. Then the adversary can adaptively make two queries once for each. One query is a query on a formula F, and the adversary can obtain SKE ciphertext for secret shares of mule or zero, which is decided by depending on the challenge bit. The other is a query on an attribute set S, and the adversary can obtain secret shares corresponding to attributes in S. Of course, there is a condition such that the adversary cannot obtain secret shares that can recover mule. SKE ciphertext for secret shares correspond to the secret key for one A-B-E, and the secret shares for S correspond to the ciphertext in one A-B-E. And if mu i means shares of zero, they correspond to a normal secret key, and otherwise they correspond to a semi-functional secret key. Here, we show basic components of the KW scheme and our scheme. In the KW scheme, basic components have the form as shown in the left side. In the secret key, the secret shares mu i are hidden by an SKE scheme where a secret key is W. On the other hand, the counterpart of our scheme has I-B-E and N-I-B-E-like scheme. Note that we omit the N-I-B term in this slide for simplicity. Then what will happen in one A-B-E in our case? This is one A-B-E game for our case. The green part is different from the original one A-B-E. Roughly speaking, secret shares are hidden like a master secret in a secret key for identity Y. For query on S, the adversary also queries on identity X and obtains a ciphertext for identity X. Here, we realize that we cannot prove the security of one A-B-E similarly to the original case. The main reason is to randomize the shares mu i, the reduction needs to know X. However, these queries are made adaptively, so the reduction may not know X. This is a problem. Our observation here is that if the I-B-E part that hides the shares mu i has adaptive security, then we can similarly prove the security of one A-B-E similarly to the original one. So we modified one A-B-E game so that we can use dual system technique to achieve adaptive security also in one A-B-E. Concretory, we include each one term in the secret key element so that we can use a subgrouped assumption. Intuitively, we use the dual system technique two steps for the entire security proof of our schemes. The first step is used to prove one A-B-E and the second step is used to prove the adaptive security of our scheme using the security of our one A-B-E. This is the last slide and in this work we constructed two A-B-E schemes that simultaneously satisfy these seven properties. We also implemented our schemes and show the evaluation result. So if you are interested in the implementation result, please refer to our paper. Thank you for listening.