>>I am. So take a week off representing my work functional encryption for attribute. With that sums, this is tracked, what with Michelle dolla and twin Cinco you go. So the context of this work is to do a private data based analysis. So consider we have a database off an attribute value past comprising expire public values and see a private value. So thank for concreteness off X. I being say demographic and geographic attributes, and C i s a some rating in the poll. Now we'll be interested in computing the average X value over some subset of the data base, for instance, where the subset of the data basis selected by apply some practical f So the public attribute exile The concrete, if we may be interested in it, would be, for instance, to look at, say, uh, individuals over the age of 40 who are focusing subscribers in the state of Wisconsin because they're more generous, setting off a tribute with the sums. Where are the up of the function Ethnic of Israel? One, but could be arbitrary. Wait. And the when FBIs the uproar license real one. This corresponds to this pressure from we'll be looking at this question from the point of your function. Encryption, where in function encryption We have encryption algorithm that they just put the database and outputs a cyber attacks with the key generation where them that this is simply a function and outputs a secret key and with the decryption algorithm that this is simple the separatists and the secret key outputs still actually with the sound. And we want the additional privacy guarantee that the site protection and the secret key should like no additional information beyond about the private values beyond what we learned from the attribute with that stuff. In this work, we construct function encryption scheme for actually with the sums for large class of programs corresponding toe aromatic question programs, which contains as a special case of bullion formula. Our scheme has the property that key generations independent off, and the site of database this'll means that we can generate secret keys without knowing a brewery the size off the database, and we can use the same secret key to decrypt database off any science containing any number of entries. Most of the encryption algorithm who's running time depends on end but otherwise independent off the complexity off the function at we achieve strong simulation base security against about the collusions, and we achieve security, understand assumptions over prime Auto buy dinner groups. Ah, construction is very simple. Um, position two steps. We start with the scheme for setting and equals toe one. So their scheme, which we did know superscript one that this is simple snz and description returned back in time, see? And then the second step, we amplify this species scheme from n equals one toe general arbitrary. And now, for this case and equals one, you can actually get the scheme by some simple tweaks. Toe briar works. So for this talk, we're going toe focus on the second steps, which is an amplification procedure that starts from n equals 212 general and >>without blowing up >>the site of secret key. So here's our first attempt at a subject and identification procedure. So this is a very natural construction, namely toe encrypt the entire database. We apply the basic scheme and each off the attribute value plastics. I see I And then secret key will basically be the secret key for the basic skin. Uh, to decrypt, we first applied a secret kid. They each of the individual anti production, the basic schemes to compute f of X, i C i and then some off these values. No, no, that correctness is very straightforward and for those from the off the underlying scheme. And we also accuse efficiency in the sense that the site of secret key only depends on F, and it's independent off the capital and the total number of innovation trees. The problem, however, is that we do not choose security in particular the this partial descriptions licked the individual ever besides the values words we should description should only like the Southeast values. To solve this problem, we basically will introduce additional randomize us to the skin. So during encryption who additionally big envelope scatters with some museum and we will apply the basis schemes and protection I together with I will see I the concatenation of the i n w I s the private very the secret keys similar to that from before, we have set tweak that we generate secret keeper function f that when we decrypt the basics type of tax return ever X icy blast W by see something we can do. And now if we summon all these values the W I can sell and then we get correctness unspeakable. And this additional randomize is from the w. I also guarantee that the partial descriptions don't leak additional information about the individual Apple Excellency. Nice. Now this works if we only get about one secret key. However, if we give up multiple secret keys, assist the case when we have collusions security no longer holds because we cannot reuse this randomizer w ice across multiple keys The fix this problem we will competition randomized w ice using a d this assumption concretely. During key generation, we will bigger random scatter arm the Children fresh for secret key and included in the exponents which we are, you know, by the square brackets and then the the secret key will be generated for a function f arm that when you saw that when you decrypt the individual stuff that you don't compute, emphasized the I rather you compute anxiety. I blast w items are Where are you are in the secret key and this computation is that India's for them. It's and toe to decrypt. We just need to multiply all these values together, which then basically induces a some India's opponents because, uh, toe get the final answer would need to do a group off the script lock so we only get efficient description. If the attribute With some life standpoint, it makes sense to me. All right, let's think about how we'll try to prove security. So consider the drug distribution of the partial descriptions, but we'll apply the devious assumption to replace W. I asked with uniformly random values, frustrated minders per secret key. Thanks, toa. Having a fresh are per security. And then we can a blessed testicle argument to essentially move each off the individual xz items toe the first time in the entire Siri's. This gives a security, >>however, if we try to carry this out Thesis, uh, argument out in the scheme, we need to somehow embed this and >>Eunice eventually be correspondent by tourists in tow. Either this type of tax or the secret key. >>Now let us know that we cannot embed >>and municipal will be into the secret key because the sight of secret cannot go through there. Now if we try to embed this annual, it's off and to be in the cyber attacks. It also doesn't work because we actually need, uh, and fresh units, Um, and to be her secretly query. And if you try to embed all this into the sack attacks the cyberattacks science will grow with number of secret key queries, which is something we cannot allow for. So to solve this problem, we're going toe instead, use a different strategy. We're going toe and what with the partial sums and and let this partial sums into the secret key across and introduced this aneurysm entropy, one unit at a time across and hybrid experiments in a bit more detail. Thistle. Again, it's the partial descriptions. We start by looking at the first two terms. We're >>gonna basically of like, the dishes before toe move that FX does that to turn from the second term to the custom. Now we look at the first and the term and again we can apply the delis assumption to the term toe move, uh, off extra. That three tools the custom on we can keep doing this over and over again. Moving the fourth f accepts for the four to the first summer and so on, so forth until we move everything to the question. This basically works. Each that will only need toe >>applied. The once per secret here introduced one you can eventually be. The main >>problem, however, is that we will now need in >>approval security to show that really assimilate itself that's indistinguishable while giving up assimilated secret key. >>This is the whole in >>general for the basic scheme, but we can work around this but essentially running two copies off the basic scheme that basically concludes the talk. So we show how to construct function encryption for attribute way that stands for automatic brushing programs in the what. We also discussed the extension toe a setting where the database is distributed across multiple clients, a couple of people problems. One is to achieve it up to security, and another is to get a scheme from lattice assumptions. Thank you very much.