 Hi everyone! Welcome to this talk on functional encryption for Turing machines with dynamic bounded collusion from LWV. My name is Monoshij Mitra and this is joint work with Shweta Agrawal, Narasimha Sai Vempati from IIT Madras, India, and Shota Yamada from AISD Japan. This will be a joint talk with Narasimha. Let's begin with the definition of functional encryption, which is a generalization of public key encryption and consists of four algorithms. Setup takes the security parameter as input and outputs a public key and a master secret key. Encryption takes the public key and a message M to output a ciphertext key generation, takes the master secret key and the function F possibly represented as a circuit and gives a secret key for that function and decryption takes a secret key for this function and a cipher text to reveal the function of the message. Security for functional encryption informally requires that any PPD adversary should be able to learn only the function of the plain text and nothing more. This is more formally captured by the existence of a simulator in the ideal world, which simulates a ciphertext that is indistinguishable from the real-world ciphertext distribution given only the length of the message and secret keys for a bunch of let's say capital Q functions and their outputs on the plain text message. When capital Q is an unbounded polynomial, we call the scheme collusion resistant or even fully simulation secure. However, such security notion was shown to be impossible to achieve for functional encryption for all circuits. Therefore, for building collusion resistant FE schemes, people focus on the weaker indistinguishability based setting where there is a recent line of world building such FE schemes in an attempt to construct indistinguishability obfuscation from standard assumptions, thereby merging the two lands of cryptomania and obfustopia. However, these constructions are complex and they also rely on a set of mixed assumptions, some of which are not post-quantum secure. Hence, it remains meaningful and interesting to consider constructions of FE under plausible post-quantum assumptions even in a weaker security setting. Talking about a weaker security setting, we can think about bounding the quantity Q to be a bounded polynomial. We call this setting to be bounded collusion where Q is fixed during setup or Q is declared during setup and in such a setting, we can still think about arguing simulation security. This is where our work in this paper begins and we try to address some limitations and overcome them as follows. The first limitation is that of the bounded collusion model itself, which was introduced by Gorbunov et al. from 2012 and subsequent work was done till 2019 by Anantan Vaikunthanathan. Because Q is fixed at setup, this leads to an inefficiency that all the keys and cipher text in the system grow with this collusion bound Q. The subsequent works attempt to minimize this dependence on Q and the latest work by Anantan Vaikunthanathan makes the gives an FE scheme which depends the cipher text and keys where depends only linearly and thus optimally on this collusion bound Q. However, again, since Q is fixed at setup, this also leads to another inefficiency that it leads to same collusion tolerance for all the cipher texts in the scheme. However, sensitive or insensitive, however less or more sensitive the plain texts are. In this context, we come up, we introduced this notion of dynamic bounded collusion model. It is a stronger model in the sense that Encrypton now gets to fix the collusion bound per cipher text depending or demanded as demanded by the sensitivity of the underlying plain text. Further, as a consequence, we see that the runtime for the setup and key generation gets independent of the collusion bound Q and cipher texts in our scheme also grows linearly with choice of that particular Q. We show that functional encryption in the stronger dynamic bounded collusion model can be built generically from identity based encryption schemes. We also have functional encryption in this stronger model with other stronger properties from the learning with errors assumption that we will talk about in the next slides. The second limitation that we want to point out is that almost all prior work build key policy functional encryption where secret keys corresponds to functions or policies. We can try to build cipher text policy FE, which is the dual notion of key policy FE, where you want to hide the cipher text, where we want to hide a function inside the cipher text and generate secret keys for public inputs. We can try to build it via the universal circuits, switching the roles of the functions and inputs. However, this leads to an inefficiency again because of the usage of universal circuits, first of all. And secondly, it also leads to support only bounded size circuits owing to the fixed input length of the universal circuit. The only exception in this line of work is the scheme by SS 10, which gives a single key secure cipher text policy FE scheme directly from public key encryption and garbled circuits. In this context, we build dynamic boundary collusion secure cipher text policy FE with various tradeoffs, namely, assuming an int CPA secure identity based encryption scheme, we can build, we show that we can build non adaptive simulation secure CP FE supporting unbounded size circuits. However, if we want to get adaptive simulation security, we can rely on simulation based receiver selective opening secure security for IDE, but we get only support for bounded size circuits. It is worthwhile to note here that seem RSO security is not a stronger assumption than in CPA. In fact, in CPA implies some RSO and therefore, our constructions do not rely on stronger assumptions on assumptions stronger than in CPA security for IB. We also show that IB is a necessary assumption for achieving functional encryption under the stronger model DBC or dynamic bounded collusion. Further, we show that we also build succinct functional encryption schemes for LWB, which with stronger properties of dynamic bounded collusion and adaptive simulation security. Here succinct means circuits supported are of unbounded size, but of bounded depth and output. We again note that this result already strengthens an existing result by gold washer at all from 2013 where they built succinct key policy FE scheme from LWB, but only in the bounded collusion model with non adaptive simulation security. The next aspect of our work is to support more general models of computation. We want to support uniform models of computation like Turing machine and finite automata owing to the inherent drawbacks that non-uniform models like circuits come up with. Circuits have fixed input sizes and they also incur worst case runtime and this is more or less general for all non-uniform models. Here we see that there is a public key FE scheme for Turing machine from the work of gold washer at all from 2013, which relies on non-standard assumption. There is again a public key FE scheme for finite automata and Turing machine from the learning with errors assumption by Agrival and Singh, but it is only single key secure. Lately there is also a functional encryption for finite automata given by MY19 relying on learning with errors, but it is only a secret key construction. And last but not the least, all these constructions are secure in the bounded collusion model. From in this context, we build the first public key FE scheme for the class of Turing machines as well as the class of non-deterministic lock space Turing machines from LWV assumption. In particular, we build both the key policy and ciphertext policy variants and both of them satisfies dynamic bounded collusion properties. The FE for Turing machine is non-adaptive simulation secure, where the FE for NL is adaptive simulation secure. Now, because the class NL already captures finite automata, it therefore subsumes all the prior work in MY19 and AS17. We note that our ciphertext in these constructions grows with the runtime T of a Turing machine. However, T is not a global bound and can vary per input and therefore essentially can be unbounded. So, overall, we have the summary. We introduced the stronger notion of dynamic bounded collusion for functional encryption. We built ciphertext policy FE schemes from IBE with various trade-offs of security versus circuit family. We also show that IBE is a necessary assumption for achieving this stronger, for achieving security under the stronger model. We built, further we built further we built Sussing FE schemes from LWV with stronger security guarantees. And we also built FE for more general models of computation like Turing machines and NL in both the ciphertext and key policy settings from LWV as well, satisfying this dynamic bounded collusion. Here, we want to again note that there is a concurrent warp by Garg et al, which uses similar techniques like it also uses IBE and existing KPFE techniques to build generally, to generically build key policy FE schemes secure in the dynamic bounded collusion model. Now, let's move on to our techniques. Before we start with techniques, let's see a roadmap first through which we build our compiler. We start out with the optimal bounded collusion secure FE scheme by given by Anant and Vaikunthanathan. But in this ciphertext policy setting, where we instantiate the underlying single key ciphertext policy FE with the construction of SS10, we show that assuming an in-CPA secure IBE, we can build a non-adaptive simulation secure CPFE supporting unbounded size circuits. Further, assuming a SIM RSO secure IBE, we can build adaptive SIM CPFE for bounded size circuits. And this one, this object can be applied on top of the succinct key policy FE scheme from LWV by Goldwasser et al. And this yields adaptive simulation secure key policy FE for unbounded size circuits. Further, the technique from GKW16 leads us to a world where we can support function FE for Turing machines, but only for two subcases where the input lengths are bounded above and below by the machine size. Once we have these two schemes, there is a trick that we can use from MY19 to combine these two to build non-adaptive simulation secure FE for Turing machines. Because one of these schemes, namely where the input size is lower bounded by the machine size is non-adaptive simulation secure, our final construction is non-adaptive simulation secure. Again, here we note that this adaptive simulation secure CPFE for bounded size circuits can also be applied on top of succinct reusable garbled circuits from Goldwasser et al. from LWV. And we can get adaptive simulation secure ciphertext policy FE for unbounded size circuits. And then mimicking the same or mirroring the same kind of techniques from the right to left, we can build adaptive simulation secure FE for non-adaptive non-deterministic lock space machines. Here we note that the upper part of the slide represents the Turing machine and NL constructions and the lower part represents the functional encryption for circuits constructions. And all these constructions that we built in yellow are all dynamic bounded collusion secure. Further, we show that non-adaptive simulation secure FE for satisfying this dynamic bounded collusion for a small class of functions already implies int-CPA secure weekly compact IB, which via recent work also by Brickardsky et al. yields int-CPA secure IB scheme. For the rest of the talk, we will focus on this part, on the right part of this compiler and Narasimha will present the rest of the talk. Thank you. Thank you, Monasek for describing the roadmap at a high level. We now start describing the details of our CPFE scheme in dynamic bounded collusion model. A first observation in constructing such a scheme is that it is necessary to make setup and quiescent independent of the collusion bound queue. Let's first consider a beaker requirement with setup and quiescent wheel polylog in queue. A recent construction from AB19 satisfies one half of this requirement. Since their construction is optimized using elegant combinatorial argument, their quiescent is only polylog in queue. However, their setup is still polylog in queue or first step is to reduce its dependent sound queue from the setup order. Recall that their construction is generic in the sense that they constructed queue secure FE scheme from a single key secure FE scheme at a very high level. Their queue bounded FE runs queue subsystems in parallel where each subsystem in turn runs n one FE instances where n is polynomial in queue. We first instantiate single key secure FE scheme with the concrete construction from assistant which is in ciphertext policy setting. Let's quickly look at the construction from assistant. Setup generates a set of PKE keepers. Encrypting a circuit C involves garbling it and encrypting the resulting labels obtained using PKE public keys generated during setup. Secret key for input x involves giving out PKE secret keys corresponding to the bits of x. Now instantiating one FE scheme of AV19 with assistant makes its setup a bunch of PKE instances where the exact number is polynomial in queue. Now we replace all these poly queue many PKE instances with a single IB instance where PKE encryption with public key PKE i comma B is now replaced with IB encryption with ID i comma B. Now that we have a special FE scheme where setup and keys and are polylog in queue. We use the powers of two trick from gkp gkpvc13 to get rid of queue as follows. We run setup and keys and for lambda subsystems in parallel where ith instance correspond to the pollution bound 2 power i. When we encrypt the encrypt produces the smallest 2 power i that exceeds queue and encrypts the message using ith subsystem. Similarly decryption is performed using secret key generated using ith subsystem. It is crucial to note here that the resulting scheme is efficient since runtime of FE specials setup and keys and is only polylog in queue. Note that using in CPS secure IBE gives non adaptive simulation secure CPFE supporting unbounded size circuits. However, if we desire to achieve adaptive simulation security we can rely on IBE satisfying receiver selective opening security but that comes at the cost of supporting only bounded size circuits. We also note here that the usage of IBE is unavoidable since non adaptive simulation secure FE in dynamic bounded collision model even for a very small class of functionalities already implies in CPS secure IBE. Now let's move on to supporting more general class of computation during machines where we need to handle both unbounded length inputs and unbounded size machines. To handle this we construct intermediate schemes FE for Turing machines supporting unbounded length inputs but only bounded size machines and the vice versa FE for Turing machines supporting unbounded size machines but only bounded length inputs. After constructing such primitives we combine them using a trick from AM by 19 to uptime the the eventual FE for Turing machines which can support both unbounded length inputs and unbounded size machines. However, to construct such intermediate schemes we need succinct KPFE and CPFE supporting unbounded size circuits. Let's proceed ahead with their constructions. At a very high level we combine one KPFE scheme from GKPVZ13 with CPFE scheme satisfying adaptive simulation security supporting bounded size circuits that we obtained earlier to obtain adaptive simulation secure KPFE which can support unbounded size circuits. Note that this is an improvement over GKPVZ13. The MPK and MSK of the final scheme are those of CPFE's to encrypt a message M for a collision bound queue. The encryptor first constructs one KPFE's encryption circuit and then encrypts this circuit using CPFE scheme. To generate a secret key for a circuit F we sample a one KPFE key pair generate secret key for F using the generated master secret key. Also parsing the generated public key as an input string we generate CPFE secret key for it. Decryption is done by first decrypting CPFE ciphertext to recover one KPFE ciphertext and then decrypting one KPFE ciphertext using one KPFE secret key to recover FF. Note that since encryption circuit of one KPFE from GKPVZ13 is succinct the resulting scheme is succinct. Similarly if we use succinct reusable garbled circuits instead of single key secure KPFE scheme we can obtain succinct CPFE scheme satisfies adaptive simulation secure. Note that since both one KPFE and succinct reusable garbled circuits can be obtained based on LWE we can obtain both succinct KPFE and CPFE from the standard LWE assumption. We quickly recall we note here that we model TMFE in such a way that the encryptor specifies an upper bound T on runtime of curing machine on a input X along with the collision bound Q. Now that we have constructed both KPFE and CPFE scheme that can handle unbounded size circuits however these can only support fixed length inputs but to obtain FE for curing machines we have to be able to encrypt unbounded length inputs as well. To solve this we divide the computation into two sub-computations case where the length of the input is greater than the size of the machine and vice versa. The main idea is to handle the case where L greater than S using CPFE and the case L less than or equal to S using KPFE. Now let's dive into the details. Let's construct a circuit use of I with X and T hard coded in it which takes as input a machine M runs it on input X for T steps and output the result. Now let's encrypt it using IH CPFE instance for all I runs from 1 to the length of the input L and generate key for M using S CPFE instance. We can see that since L greater than S and for the instance I in L CPFE I support inputs of length I the decryption works by picking the S instance of CPFE. On the other hand the case where L less than or equal to S we can build a circuit use of I with M hard coded in it which takes as input X does the same thing as the CPFE circuit. However we can generate a secret key for each circuit where I is running from 1 to the size S of the machine thereby allowing the decryption to work by picking the correct instance corresponding to the input length S. Now we can use a technique from AM by 19 to combine this to the final Turing FE for Turing instance. Note that AM by 19 trick yields the primitive only in secret key setting. We can use a technique of delayed encryption from GKW 16 which essentially wraps the encryption and keys in under a combination of variable circuits and IBE to yield the same primitive in public key setting. To summarize we introduced the strong dynamic bonded collision model constructed various FE schemes for various models of computation satisfying different levels of security in this model and also shown that the necessity of IBE to build FE scheme in such dynamic bonded collision model. We would like to end with some open problems from our work which includes removing the runtime dependence on the size of the cybertext. Note here that we modeled TMFE in such a way that the encryptor specifies the upper bound on the runtime of any Turing machine on that particular input text. We also leave constructing TMFE in dynamic bonded collision model satisfying stronger adaptive simulation security also open. Also we can also we leave finding applications of our techniques in the realm of attribute based encryption needs CPABE for unbounded depth circuits which is considered major open problem. Thanks.