Fully Secure Functional Encryption for Inner Products, from Standard Assumptions

Functional encryption is a modern public-key paradigm where a master secret key can be used to derive sub-keys $$SK_F$$ associated with certain functions F in such a way that the decryption operation reveals FM, if M is the encrypted message, and nothing else. Recently, Abdalla et al. gave simple and efficient realizations of the primitive for the computation of linear functions on encrypted data: given an encryption of a vector $$\varvec{y}$$ over some specified base ring, a secret key $$SK_{\varvec{x}}$$ for the vector $$\varvec{x}$$ allows computing $$\langle \varvec{x},\varvec{y} \rangle $$. Their technique surprisingly allows for instantiations under standard assumptions, like the hardness of the Decision Diffie-Hellman $$\mathsf {DDH}$$ and Learning-with-Errors $$\mathsf {LWE}$$ problems. Their constructions, however, are only proved secure against selective adversaries, which have to declare the challenge messages $$M_0$$ and $$M_1$$ at the outset of the game. In this paper, we provide constructions that provably achieve security against more realistic adaptive attacks where the messages $$M_0$$ and $$M_1$$ may be chosen in the challenge phase, based on the previously collected information for the same inner product functionality. Our constructions are obtained from hash proof systems endowed with homomorphic properties over the key space. They are almost as efficient as those of Abdalla et al. and rely on the same hardness assumptions. In addition, we obtain a solution based on Paillier's composite residuosity assumption, which was an open problem even in the case of selective adversaries. We also propose $$\mathsf {LWE}$$-based schemes that allow evaluation of inner products modulo a primei¾?p, as opposed to the schemes of Abdalla et al. that are restricted to evaluations of integer inner products of short integer vectors. We finally propose a solution based on Paillier's composite residuosity assumption that enables evaluation of inner products modulo an RSA integeri¾?$$N = p \cdot q$$. We demonstrate that the functionality of inner products over a prime field is powerful and can be used to construct bounded collusion FE for all circuits.

[1]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[2]  John M. Pollard,et al.  Kangaroos, Monopoly and Discrete Logarithms , 2015, Journal of Cryptology.

[3]  Yuval Ishai,et al.  Computationally Private Randomizing Polynomials and Their Applications , 2005, Computational Complexity Conference.

[4]  Steven D. Galbraith,et al.  Using Equivalence Classes to Accelerate Solving the Discrete Logarithm Problem in a Short Interval , 2010, IACR Cryptol. ePrint Arch..

[5]  Jacques Stern,et al.  Merkle-Hellman Revisited: A Cryptanalysis of the Qu-Vanstone Cryptosystem Based on Group Factorizations , 1997, CRYPTO.

[6]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[7]  Damien Stehlé,et al.  Classical hardness of learning with errors , 2013, STOC '13.

[8]  Ron Steinfeld,et al.  Hardness of k-LWE and Applications in Traitor Tracing , 2016, Algorithmica.

[9]  Avi Wigderson,et al.  Completeness theorems for non-cryptographic fault-tolerant distributed computation , 1988, STOC '88.

[10]  Chris Peikert,et al.  Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices , 2006, TCC.

[11]  Chris Peikert,et al.  Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller , 2012, IACR Cryptol. ePrint Arch..

[12]  Rafail Ostrovsky,et al.  Public Key Encryption with Keyword Search , 2004, EUROCRYPT.

[13]  Omer Paneth,et al.  On the Achievability of Simulation-Based Security for Functional Encryption , 2013, CRYPTO.

[14]  Craig Gentry,et al.  Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE and Compact Garbled Circuits , 2014, EUROCRYPT.

[15]  Vinod Vaikuntanathan,et al.  Predicate Encryption for Circuits from LWE , 2015, CRYPTO.

[16]  Adam O'Neill,et al.  Definitional Issues in Functional Encryption , 2010, IACR Cryptol. ePrint Arch..

[17]  Ronald Cramer,et al.  Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption , 2001, EUROCRYPT.

[18]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[19]  Angelo De Caro,et al.  Simple Functional Encryption Schemes for Inner Products , 2015, IACR Cryptol. ePrint Arch..

[20]  Ivan Damgård,et al.  Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks , 1991, CRYPTO.

[21]  Dan Boneh,et al.  Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles , 2004, IACR Cryptol. ePrint Arch..

[22]  Brice Minaud,et al.  Cryptanalysis of the New CLT Multilinear Map over the Integers , 2016, EUROCRYPT.

[23]  Brent Waters,et al.  Attribute-based encryption for fine-grained access control of encrypted data , 2006, CCS '06.

[24]  Craig Gentry,et al.  Candidate Multilinear Maps from Ideal Lattices , 2013, EUROCRYPT.

[25]  Yupu Hu,et al.  Cryptanalysis of GGH Map , 2016, EUROCRYPT.

[26]  Vinod Vaikuntanathan,et al.  Attribute-based encryption for circuits , 2013, STOC '13.

[27]  Vinod Vaikuntanathan,et al.  Functional Encryption: New Perspectives and Lower Bounds , 2013, IACR Cryptol. ePrint Arch..

[28]  Yevgeniy Dodis,et al.  Public Key Trace and Revoke Scheme Secure against Adaptive Chosen Ciphertext Attack , 2003, Public Key Cryptography.

[29]  Jan Camenisch,et al.  Practical Verifiable Encryption and Decryption of Discrete Logarithms , 2003, CRYPTO.

[30]  Tanja Lange,et al.  Computing Small Discrete Logarithms Faster , 2012, INDOCRYPT.

[31]  Hovav Shacham,et al.  Short Group Signatures , 2004, CRYPTO.

[32]  Emmanuel Bresson,et al.  A Simple Public-Key Cryptosystem with a Double Trapdoor Decryption Mechanism and Its Applications , 2003, ASIACRYPT.

[33]  Alon Rosen,et al.  Online-Offline Functional Encryption for Bounded Collusions , 2016, IACR Cryptol. ePrint Arch..

[34]  Vinod Vaikuntanathan,et al.  From Selective to Adaptive Security in Functional Encryption , 2015, CRYPTO.

[35]  Ivan Damgård,et al.  A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System , 2001, Public Key Cryptography.

[36]  Brent Waters,et al.  Functional Encryption for Regular Languages , 2012, CRYPTO.

[37]  Jean-Sébastien Coron,et al.  Practical Multilinear Maps over the Integers , 2013, CRYPTO.

[38]  Amit Sahai,et al.  Worry-free encryption: functional encryption with public keys , 2010, CCS '10.

[39]  Craig Gentry,et al.  Candidate Multilinear Maps from Ideal Lattices and Applications , 2012, IACR Cryptol. ePrint Arch..

[40]  Brent Waters,et al.  Fuzzy Identity-Based Encryption , 2005, EUROCRYPT.

[41]  Yael Tauman Kalai,et al.  Reusable garbled circuits and succinct functional encryption , 2013, STOC '13.

[42]  Adi Shamir,et al.  Identity-Based Cryptosystems and Signature Schemes , 1984, CRYPTO.

[43]  Vinod Vaikuntanathan,et al.  Functional Encryption with Bounded Collusions via Multi-party Computation , 2012, CRYPTO.

[44]  Léo Ducas,et al.  Lattice Signatures and Bimodal Gaussians , 2013, IACR Cryptol. ePrint Arch..

[45]  Vinod Vaikuntanathan,et al.  The Trojan Method in Functional Encryption: From Selective to Adaptive Security, Generically , 2014, IACR Cryptol. ePrint Arch..

[46]  Vinod Vaikuntanathan,et al.  Functional Encryption for Inner Product Predicates from Learning with Errors , 2011, IACR Cryptol. ePrint Arch..

[47]  Hovav Shacham,et al.  A Cramer-Shoup Encryption Scheme from the Linear Assumption and from Progressively Weaker Linear Variants , 2007, IACR Cryptol. ePrint Arch..

[48]  Yael Tauman Kalai,et al.  How to Run Turing Machines on Encrypted Data , 2013, CRYPTO.

[49]  Brent Waters,et al.  Bi-Deniable Public-Key Encryption , 2011, CRYPTO.

[50]  Jung Hee Cheon,et al.  Cryptanalysis of the Multilinear Map over the Integers , 2014, EUROCRYPT.

[51]  Daniele Micciancio,et al.  Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to-Decision Reductions , 2011, CRYPTO.

[52]  Allison Bishop,et al.  Bounded-Collusion IBE from Key Homomorphism , 2012, TCC.

[53]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[54]  Brent Waters,et al.  Functional Encryption: Definitions and Challenges , 2011, TCC.

[55]  Allison Bishop,et al.  Function-Hiding Inner Product Encryption , 2015, ASIACRYPT.

[56]  Pascal Paillier,et al.  Public-Key Cryptosystems Based on Composite Degree Residuosity Classes , 1999, EUROCRYPT.

[57]  Dan Boneh,et al.  Efficient Selective Identity-Based Encryption Without Random Oracles , 2011, Journal of Cryptology.

[58]  Chris Peikert,et al.  Circular and KDM Security for Identity-Based Encryption , 2012, Public Key Cryptography.

[59]  Brent Waters,et al.  Attribute-Based Encryption for Circuits from Multilinear Maps , 2012, CRYPTO.

[60]  M. Bellare,et al.  Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions , 2008, Journal of Cryptology.