Token-Based Multi-input Functional Encryption

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11192)

Abstract

In this paper, we put forward the notion of a token-based multi-input functional encryption (token-based MIFE) scheme – a notion intended to give encryptors a mechanism to control the decryption of encrypted messages, by extending the encryption and decryption algorithms to additionally use tokens. The basic idea is that a decryptor must hold an appropriate decryption token in addition to his secret key, to be able to decrypt. This type of scheme can address security concerns potentially arising in applications of functional encryption aimed at addressing the problem of privacy preserving data analysis. We first formalize token-based MIFE, and then provide two basic schemes based on an ordinary MIFE scheme and a public key encryption scheme and a pseudorandom function (PRF), respectively. Lastly, we extend the latter construction to allow decryption tokens to be restricted to a specified set of encryptions, even if all encryptions have been done using the same encryption token. This is achieved by using a constrained PRF.

Author information

Corresponding author

Correspondence to Yutaka Kawai.

Appendices

A Public Key Encryption

A public key encryption (PKE) scheme \(\texttt {PKE}\) is defined by three algorithms with the following functionality:  

\(\texttt {PKE}.\mathtt {KeyGen} (1^\lambda )\) :

This is the key generation algorithm, which on input the security parameter \(1^\lambda \), returns a public/private key pair \((pk,sk)\).

\(\texttt {PKE}.\mathtt {Enc} (par,pk,m)\) :

This is the encryption algorithm, which on input a public key pk and a message m, returns an encryption c of m under pk.

\(\texttt {PKE}.\mathtt {Dec} (par,sk,c)\) :

This is the decryption algorithm, which on input a private key sk and a ciphertext c, returns either a message m or the error symbol \(\bot \).

  We require that a PKE scheme satisfies perfect correctness, that is, for all \(\lambda \), all \((pk,sk) \leftarrow \texttt {PKE}.\mathtt {KeyGen} (1^\lambda )\), and all m, it holds that \(\texttt {PKE}.\mathtt {Dec} (sk,\texttt {PKE}.\mathtt {Enc} (pk,m)) = m\).

Fig. 3. Game defining indistinguishability under chosen plaintext attacks (IND-CPA) for a PKE scheme.

The standard IND-CPA security notion for a PKE scheme is defined via the game shown in Fig. 3.

Definition 7

Let the advantage of an adversary \(\mathcal {A}\) playing the IND-CPA game with respect to a PKE scheme \(\texttt {PKE}\), be defined as:

$$ \mathtt {Adv}^{\mathtt {IND-CPA}}_{\texttt {PKE},\mathcal {A}}(\lambda ) = 2 \left| \Pr [\text {IND-CPA}^\texttt {PKE}_\mathcal {A}(\lambda ) \Rightarrow 1] - \frac{1}{2} \right| . $$

A scheme \(\texttt {PKE}\) is said to be IND-CPA secure, if for all PPT adversaries \(\mathcal {A}\), \(\mathtt {Adv}^{\mathtt {IND-CPA}}_{\texttt {PKE},\mathcal {A}}(\lambda )\) is negligible in the security parameter \(\lambda \).
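The standard IND-CPA game that Fig. 3 refers to, together with the advantage of Definition 7, run as an added example (not code from the paper). A toy ElGamal-style scheme stands in for \(\texttt {PKE}\); the modulus, the `randomized` switch and `ReencryptAdversary` are assumptions made here. It shows that a deterministic Enc hands a re-encrypting adversary advantage 1, while the same adversary gains nothing once Enc is randomized.

```python
import secrets

P = 2**61 - 1  # toy prime modulus (constructed; far too small for real use)
G = 3          # toy base element (assumption)

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def enc(pk, m, randomized=True):
    # randomized=False fixes r = 1, so Enc becomes a deterministic
    # function of (pk, m); this is the weak setting being demonstrated.
    r = secrets.randbelow(P - 2) + 1 if randomized else 1
    return pow(G, r, P), (m * pow(pk, r, P)) % P

def dec(sk, c):
    c1, c2 = c
    # c1^(P-1-sk) equals c1^(-sk) mod P by Fermat's little theorem
    return (c2 * pow(c1, P - 1 - sk, P)) % P

class ReencryptAdversary:
    """Guesses b by encrypting m0 itself and comparing with the challenge."""
    M0, M1 = 2, 5  # any two distinct messages (constructed)

    def choose(self, pk):
        self.pk = pk
        return self.M0, self.M1

    def guess(self, challenge, enc_fn):
        return 0 if enc_fn(self.pk, self.M0) == challenge else 1

def ind_cpa_game(adversary, randomized):
    """One run of the game; returns 1 iff the adversary's guess equals b."""
    pk, _sk = keygen()
    m0, m1 = adversary.choose(pk)
    b = secrets.randbelow(2)
    challenge = enc(pk, (m0, m1)[b], randomized)
    guess = adversary.guess(challenge, lambda k, m: enc(k, m, randomized))
    return int(guess == b)

def advantage(randomized, trials=2000):
    """Empirical estimate of 2 * |Pr[game => 1] - 1/2| from Definition 7."""
    wins = sum(ind_cpa_game(ReencryptAdversary(), randomized)
               for _ in range(trials))
    return 2 * abs(wins / trials - 0.5)
```

The randomized estimate is a sampling estimate, so it fluctuates around 0 by roughly \(1/\sqrt{\text{trials}}\); it says nothing about other adversaries against the toy parameters.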

B Security Proofs for Stateless Scheme

Theorem 7

Assume the MIFE scheme \(\texttt {M}\) is IND secure. Then the above scheme \(\texttt {T}\) is FE-IND secure. Specifically, for every PPT adversary \(\mathcal {A}\) against the FE-IND security of \(\texttt {T}\), there exists a PPT adversary \(\mathcal {B}\) against the IND security of \(\texttt {M}\) such that \(\mathtt {Adv}^{\mathtt {FE-IND}}_{\texttt {T},\mathcal {A}} \le \mathtt {Adv}^{\mathtt {IND}}_{\texttt {M},\mathcal {B}}\).

Proof

The proof is a simple and straightforward reduction. Given adversary \(\mathcal {A}\) against the FE-IND security of \(\texttt {T}\), we construct adversary \(\mathcal {B}\) against the IND security of \(\texttt {M}\) as follows.

Initially, \(\mathcal {B}\) is given parameters mpk which \(\mathcal {B}\) simply forwards to \(\mathcal {A}\). Furthermore, \(\mathcal {B}\) will compute \((pk,sk) \leftarrow \texttt {PKE}.\mathtt {KeyGen} (1^\lambda )\). When \(\mathcal {A}\) submits a key generation query y, \(\mathcal {B}\) simply forwards y to his own \(\textsc {KeyGen}\) oracle, and returns the response \(sk_y\) to \(\mathcal {A}\). When \(\mathcal {A}\) makes an encryption query \((i,x^0_i,x^1_i)\), \(\mathcal {B}\) forwards \((i,x^0_i,x^1_i)\) to his own \(\textsc {Enc}\) oracle to obtain ciphertext \(c'\). Then \(\mathcal {B}\) computes \(c \leftarrow \texttt {PKE}.\mathtt {Enc} (pk,c')\), and returns c to \(\mathcal {A}\). Eventually \(\mathcal {A}\) will terminate with output \(b'\), which \(\mathcal {B}\) forwards as his own output.

By inspection, it should be clear that \(\mathcal {B}\) provides a perfect simulation of the FE-IND game for \(\mathcal {A}\), and that \(\mathcal {B}\) wins the IND game for \(\texttt {M}\) (i.e. correctly guesses the challenge bit b) whenever \(\mathcal {A}\) wins the FE-IND game for \(\texttt {T}\). Hence the theorem follows.

Theorem 8

Assume \(\texttt {PKE}\) is IND-CPA secure. Then the above scheme \(\texttt {T}\) is pTK-IND secure. Specifically, for every PPT adversary \(\mathcal {A}\) against the pTK-IND security of \(\texttt {T}\), there exists a PPT adversary \(\mathcal {B}\) against the IND-CPA security of \(\texttt {PKE}\) such that \(\mathtt {Adv}^{\mathtt {TK-IND}}_{\texttt {T},\mathcal {A}} \le n \cdot \mathtt {Adv}^{\mathtt {IND-CPA}}_{\texttt {PKE},\mathcal {B}}\).

Proof

Again, the proof is a simple and straightforward reduction. In the following, we will for convenience make use of the standard extension of IND-CPA security to the multi-challenge setting.

Given adversary \(\mathcal {A}\) against the TK-IND security of \(\texttt {T}\), we construct adversary \(\mathcal {B}\) against the IND-CPA security of \(\texttt {PKE}\) as follows.

Initially, \(\mathcal {B}\) is given parameters pk. \(\mathcal {B}\) computes \((mpk,msk) \leftarrow \mathtt {M}.\mathtt {Setup} (1^\lambda )\) and forwards \((mpk,msk)\) to \(\mathcal {A}\). When \(\mathcal {A}\) submits a key generation query y, \(\mathcal {B}\) simply computes \(sk_{y} \leftarrow \texttt {M}.\mathtt {KeyGen} (msk,y)\) and returns \(sk_y\) to \(\mathcal {A}\). When \(\mathcal {A}\) makes an encryption query \((i,x^0_i,x^1_i)\), \(\mathcal {B}\) computes \({c_i'}^{(0)} \leftarrow \texttt {M}.\mathtt {Enc} (msk,i,x^0_i)\) and \({c_i'}^{(1)} \leftarrow \texttt {M}.\mathtt {Enc} (msk,i,x^1_i)\). \(\mathcal {B}\) then submits \(({c_1'}^{(0)},{c_1'}^{(1)}),\ldots ,({c_n'}^{(0)},{c_n'}^{(1)})\) to the multi-challenge IND-CPA challenge oracle to obtain the challenge vector \((c_1,\ldots ,c_n)\). \(\mathcal {B}\) then returns it to \(\mathcal {A}\). Eventually \(\mathcal {A}\) will terminate with output \(b'\), which \(\mathcal {B}\) forwards as his own output.

By inspection, it should be clear that \(\mathcal {B}\) provides a perfect simulation of the TK-IND game for \(\mathcal {A}\), and that \(\mathcal {B}\) wins the multi-challenge IND-CPA game for \(\texttt {M}\) (i.e. correctly guesses the challenge bit b) whenever \(\mathcal {A}\) wins the TK-IND game for \(\texttt {T}\). Furthermore, since multi-challenge IND-CPA security reduces to ordinary IND-CPA security with a loss factor of n, the number of challenges, the theorem follows.    \(\square \)
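
The hybrid argument behind the factor n in this last step, written out as an added derivation (it is not part of the paper's text). It assumes the multi-challenge game hands out the n challenge ciphertexts for one submitted vector of pairs, all under the same bit b; the hybrids \(H_j\), the probabilities \(p_j\), the label \(\mathtt {mIND-CPA}\) and the single-challenge adversary \(\mathcal {B}'\) are notation introduced here.

For \(j = 0,\ldots ,n\), let \(H_j\) be the game in which \(c_i\) encrypts \({c_i'}^{(1)}\) for \(i \le j\) and \({c_i'}^{(0)}\) for \(i > j\), and let \(p_j = \Pr [\mathcal {B} \Rightarrow 1 \text { in } H_j]\). Then \(H_0\) and \(H_n\) are the multi-challenge game with \(b = 0\) and \(b = 1\) respectively, so the advantage in the form of Definition 7 becomes

$$ \mathtt {Adv}^{\mathtt {mIND-CPA}}_{\texttt {PKE},\mathcal {B}}(\lambda ) = 2 \left| \tfrac{1}{2} p_n + \tfrac{1}{2}(1 - p_0) - \tfrac{1}{2} \right| = \left| p_n - p_0 \right| . $$

The single-challenge adversary \(\mathcal {B}'\) picks \(j\) uniformly from \(\{1,\ldots ,n\}\), submits \(({c_j'}^{(0)},{c_j'}^{(1)})\) as its only challenge query and places the returned ciphertext at position \(j\). It computes the remaining positions itself, which is possible because pk is public: \(c_i \leftarrow \texttt {PKE}.\mathtt {Enc} (pk,{c_i'}^{(1)})\) for \(i < j\) and \(c_i \leftarrow \texttt {PKE}.\mathtt {Enc} (pk,{c_i'}^{(0)})\) for \(i > j\). It then outputs whatever \(\mathcal {B}\) outputs. If the challenge bit of \(\mathcal {B}'\) is 1, \(\mathcal {B}\) is run in \(H_j\); if it is 0, \(\mathcal {B}\) is run in \(H_{j-1}\). Hence

$$ \mathtt {Adv}^{\mathtt {IND-CPA}}_{\texttt {PKE},\mathcal {B}'}(\lambda ) = \left| \frac{1}{n}\sum _{j=1}^{n} p_j - \frac{1}{n}\sum _{j=1}^{n} p_{j-1} \right| = \frac{1}{n} \left| p_n - p_0 \right| = \frac{1}{n} \, \mathtt {Adv}^{\mathtt {mIND-CPA}}_{\texttt {PKE},\mathcal {B}}(\lambda ) , $$

since the two sums telescope. The ordinary IND-CPA adversary promised in the statement of Theorem 8 is this \(\mathcal {B}'\), which gives the bound \(n \cdot \mathtt {Adv}^{\mathtt {IND-CPA}}_{\texttt {PKE},\mathcal {B}'}\).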

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Attrapadung, N., Hanaoka, G., Hirano, T., Kawai, Y., Koseki, Y., Schuldt, J.C.N. (2018). Token-Based Multi-input Functional Encryption. In: Baek, J., Susilo, W., Kim, J. (eds) Provable Security. ProvSec 2018. Lecture Notes in Computer Science, vol 11192. Springer, Cham. https://doi.org/10.1007/978-3-030-01446-9_9

  • DOI: https://doi.org/10.1007/978-3-030-01446-9_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-01445-2

  • Online ISBN: 978-3-030-01446-9

  • eBook Packages: Computer Science (R0)
