Feel the Quantum Functioning: Instantiating Generic Multi-Input Functional Encryption from Learning with Errors

Abstract

Functional Encryption (FE) allows users who hold a specific decryption key, to learn a specific function of encrypted data while the actual plaintexts remain private. While FE is still in its infancy, it is our strong belief that in the years to come, this remarkable cryptograhic primitive will have matured to a degree that will make it an integral part of access-control systems, especially cloud-based ones. To this end, we believe it is of great importance to not only provide theoretical and generic constructions but also concrete instantiations of FE schemes from well-studied cryptographic assumptions. Therefore, in this paper, we undertake the task of presenting two instantiations of the generic work presented in [5] from the Decisional Diffie-Hellman (DDH) problem that also satisfy the property of verifiable decryption. Moreover, we present a novel multi-input FE (MIFE) scheme, that can be instantiated from Regev’s cryptosystem, and thus remains secure even against quantum adversaries. Finally, we provide a multi-party computation (MPC) protocol that allows our MIFE construction to be deployed in the multi-client model.

This work was partially funded from the Technology Innovation Institute (TII), Abu Dhabi, United Arab Emirates, for the project ARROWSMITH: Living (Securely) on the edge.

This work was partially funded by the Harpocrates project, Horizon Europe.

Appendices

A Proof of Theorem 4

Proof

The proof begins with \(\mathcal {B}\) sending (0, z) to the challenger \(\mathcal {C}\), where z is an element sampled at random from the message space of \(\mathsf {PKE}\). Upon receiving \((0, \mu )\), \(\mathcal {C}\) generates a public/private key pair \(\left( \mathsf {pk}_{\mathcal {C}}, \mathsf {sk}_{\mathcal {C}}\right) \), flips a truly random coin b and encrypts either 0 or \(\mu \) under \(\mathsf {pk}_{\mathcal {C}}\) according to the result of the random coin to produce \(c_b\). Finally, \(\mathcal {C}\) forwards the pair \(\left( \mathsf {pk}_{\mathcal {C}}, c_b\right) \) back to \(\mathcal {B}\). Upon reception, \(\mathcal {B}\) invokes \(\mathcal {A}\) and as a result, receives two messages \(\mathbf {x_0}\) and \(\mathbf {x_1}\) such that \(\Vert x_0\Vert _1 = \Vert x_1\Vert _1\)⁷. To make sure that \(\mathcal {B}\) only issues functional decryption keys queries for vectors such that \(\Vert \mathbf {x_0}\Vert _1 = \Vert \mathbf {x_1}\Vert _1\), we impose the restriction that \(\mathcal {B}\) only issues queries to a vector space \(\mathcal {V} \subset \mathcal {M}\) of dimension n such that \(\forall \mathbf {x} \in \mathcal {V}, \Vert \mathbf {x}\Vert _1 = 0\) and is not able to decrypt in other vector spaces. As a next step, \(\mathcal {B}\) produces a basis of \(\mathcal {V}\) as \((\mathbf {x_1 - x_0}, r_1, \dots , r_{n-1})\).

Key Generation. The first thing \(\mathcal {B}\) needs to do, is to generate the master public key \(\mathsf {mpk}\). To do so, \(\mathcal {B}\) samples \(n-1\) linearly independent vectors \(\mathbf {r_1, \dots , r_{n-1}}\) such that \(\forall i\in [1, n-1]: r_i \in \mathcal {V}\) and each \(\mathbf {r_i}\) is also linearly independent to \(\mathbf {x_1 - x_0}\). The canonical vectors of the basis are then \(\mathbf {e} = \left[ \boldsymbol{\alpha }\cdot (\mathbf {x_1 - x_0})+\sum _1^{n-1} z_j\right] \), where \(\boldsymbol{\alpha } = (\alpha _1, \dots , \alpha _n)\) and \(\alpha _i = \frac{x_{1,i} - x_{0,i}}{\Vert x_{1,i-x_{0,i}}\Vert ^{2}_{2}}\). Subsequently, \(\mathcal {B}\) executes \((\mathsf {pk}_{z_j}, \mathsf {sk}_{s_j}) \leftarrow \mathsf {PKE.Gen}, \forall j \in [1, n-1]\) and sets:

$$\begin{aligned} \mathsf {pk_i} = \alpha _i\cdot \mathsf {pk}_{C} + \sum _{j}^{n-1} \mathsf {pk}_{z_j} \quad \text {and}\quad \mathsf {mpk = (pk_1, \dots , pk_n)}. \end{aligned}$$

(11)

Note that while \(\mathsf {sk}_{\mathcal {C}}\) is not known to \(\mathcal {B}\), due to the AKH property of \(\mathsf {PKE}\) \(\mathcal {B}\) is unknowingly setting \(\mathsf {sk}_i = \alpha _i\cdot \mathsf {sk}_{\mathcal {C}} + \sum _1^{n-1} \mathsf {sk_{z_j}}\)

Functional Decryption Keys. \(\mathcal {B}\) receives queries for functional decryption keys from \(\mathcal {A}\). To reply to such a query, all \(\mathcal {B}\) has to do, is set \(\mathsf {sk} = \sum _{1}^{n-1}\mathsf {sk}_{z_j}\).

Challenge Ciphertexts. At some point \(\mathcal {A}\) outputs two messages \(\mathbf {x_0}\) and \(\mathbf {x_1}\) such that \(\Vert \mathbf {x_0}\Vert \) to \(\mathcal {B}\). According to the game in the Definition 6, \(\mathcal {B}\) is supposed to flip a random coin \(\beta \in \{0, 1\}\), and reply to \(\mathcal {A}\) with \(c_\beta \). However, recall that \(\mathcal {B}\) not only needs to simulate a perfect view for \(\mathcal {A}\), but also extract as much information as possible in order to win its own indistinguishability game of the public-key encryption scheme \(\mathsf {PKE}\). To do so, \(\mathcal {B}\) flips the truly random coin \(\beta \) but instead of replying with \(c_\beta \), sets the challenge ciphertext to be:

$$\begin{aligned} c = \alpha \cdot c_b + \mathsf {PKE.Enc}\left( \sum _{i=1}^{n-1} \mathsf {pk}_{z_j}, 0 \right) + \mathsf {PKE.Enc}(0_{el}, \mathbf {x}_{\beta }) \end{aligned}$$

(12)

where \(0_{el}\) in Eq. 12 denotes the zero element of the space in which the public keys live.

Finally, \(\mathcal {A}\) outputs a guess for \(\beta \). If \(\mathcal {A}\) correctly guess \(\mathcal {\beta }\), then \(\mathcal {B}\) guesses that \(\mathcal {C}\) encrypted 0. Otherwise, if \(\mathcal {A}\) fails to guess \(\beta \), then \(\mathcal {B}\) guesses that \(\mathcal {C}\) encrypted \(\mu \). For a clearer presentation, we distinguish between two cases based on \(\mathcal {C}\)’s choice.

• C1: \(\mathcal {C}\) encrypted 0: Assuming that \(\mathcal {C}\) encrypted 0, then Eq. 12 becomes:

  $$\begin{aligned} \begin{aligned} c&= \mathsf {PKE.Enc}(\alpha \cdot \mathsf {pk}_{\mathcal {C}}, 0) + \mathsf {PKE.Enc}\left( \sum _{i=1}^{n-1} \mathsf {pk}_{z_j}, 0 \right) + \mathsf {PKE.Enc}(0_{el}, \mathbf {x}_{\beta }) \\&= \mathsf {PKE.Enc}(\alpha \cdot \mathsf {pk}_{\mathcal {C}}+\sum _{i=1}^{n-1} \mathsf {pk}_{z_j}+0_{el}, 0+0+\mathbf {x}_{\beta }) = \mathsf {PKE.Enc}(\mathsf {pk}_i, \mathbf {x}_\beta ) \end{aligned} \end{aligned}$$

  It is evident, that in this case, \(\mathcal {B}\) simulates a perfect view of the environment for \(\mathcal {A}\), and hence, if \(\mathcal {A}\) can guess \(\beta \) with advantage \(\epsilon _{\mathcal {A}}\), then the advantage of \(\mathcal {B}\), \(\epsilon _{\mathcal {B}}\) in guessing that \(\mathcal {C}\) will be exaclty the same. Thus:

  $$\begin{aligned} \epsilon _{\mathcal {A}} = \epsilon _{\mathcal {B}} \end{aligned}$$

  (13)

• C2: \(\mathcal {C}\) encrypted \(\mu \): Following the same procedure as in the previous case, if \(\mathcal {C}\) encrypted \(\mu \) instead of 0, then the challenge ciphertext from Eq. 12 becomes:

  $$\begin{aligned} \begin{aligned} c&= \mathsf {PKE.Enc}(\alpha \cdot \mathsf {pk}_{\mathcal {C}}, \alpha \cdot \mu ) + \mathsf {PKE.Enc}\left( \sum _{i=1}^{n-1} \mathsf {pk}_{z_j}, 0 \right) + \mathsf {PKE.Enc}(0_{el}, \mathbf {x}_{\beta }) \\&= \mathsf {PKE.Enc}(\alpha \cdot \mathsf {pk}_{\mathcal {C}}+\sum _{i=1}^{n-1} \mathsf {pk}_{z_j}+0_{el}, \alpha \cdot \mu +0+\mathbf {x}_{\beta }) \\&= \mathsf {PKE.Enc}(\mathsf {pk}_i, \alpha \cdot \mu + \mathbf {x}_\beta ) = \mathsf {PKE.Enc}(\mathsf {pk}_i, \mathbf {x}') \end{aligned} \end{aligned}$$

  However, recall that \(\alpha \) is defined as: \(\alpha = \frac{\mathbf {x}_{1} - \mathbf {x}_{0}}{\Vert \mathbf {x}_{1}-\mathbf {x}_{0}\Vert ^{2}_{2}}\) Hence, \(\mathbf {x}'\) is:

  $$\begin{aligned} \begin{aligned} \mathbf {x}'&= \mathbf {x}_{\beta } + \alpha \cdot \mu = \frac{\mu }{\Vert \mathbf {x}_1 - \mathbf {x}_0\Vert _2^2}(\mathbf {x}_1-\mathbf {x}_0) + \mathbf {x}_\beta \\&= \frac{\mu }{\Vert \mathbf {x}_1 - \mathbf {x}_0\Vert _2^2}(\mathbf {x}_1-\mathbf {x}_0) + \mathbf {x}_0 + \beta (\mathbf {x}_1 - \mathbf {x}_0) \end{aligned} \end{aligned}$$

  If we now set \(v = \frac{\mu }{\Vert \mathbf {x}_1 - \mathbf {x}_0\Vert _2^2} + \beta \), we see that the challenge message \(\mathbf {x}'\) becomes:

  $$\begin{aligned} \mathbf {x}' = v\cdot \mathbf {x}_1 + (1-v)\mathbf {x}_0 \end{aligned}$$

  (14)

  which is exactly the message that corresponds the the challenge ciphertext. Note that \(\mathbf {x}' \in V\) since it is a linear combination of elements that live in V and whose coefficients sum up to one. Hence, \(\mathbf {x}'\) is well defined. Finally, \(\beta \) is information theoretically hidden as the distributions of u is independent of \(\beta \). Hence, in this case we have that:

  $$\begin{aligned} \epsilon _{\mathcal {B}} = 0 \end{aligned}$$

  (15)

Combining Eqs. 13 and 15 we end up with \(\epsilon _{\mathcal {B}} = \epsilon _{\mathcal {A}}\). Hence, the best advantage one can get against the CPA security of our construction presented in Definition 13, is bounded by the best advantage one can get against the IND-CPA security of the public key encryption scheme \(\mathsf {PKE}\). In other words, we proved that if \(\mathcal {A}\) breaks our MIFE construction, then there exists a PPT algorithm \(\mathcal {B}\) that that wins the IND-CPA game of \(\mathsf {PKE}\) and hence, \(\mathsf {PKE}\) cannot be IND-CPA secure, which contradicts with our initial assumption that \(\mathsf {PKE}\) is IND-CPA secure.    \(\square \)

Functional Keys for Vectors in Different Vector Spaces: As mentioned, \(\mathcal {A}\) is only allowed to request functional keys for vectors living in a vector space \(V \subset M\), where \(\forall \mathbf {x} \in V: \Vert \mathbf {x}\Vert _1 = 0\). Notice that by allowing \(\mathcal {A}\) to obtain functional decryption keys for vectors \(x \notin V\), our scheme can be trivially broken. However, this would imply that \(\mathcal {B}\) can generate such functional decryption keys, which is impossible since \(\mathcal {B}\) does not know \(\mathsf {sk}_{\mathcal {C}}\). Hence, the generated functional keys can only decrypt ciphertexts whose plaintexts are elements of V. This is a valid assumption since otherwise, we would demand security in a scenario where the master secret key is known to the adversary.

B Proof of Theorem 6

Proof

Recall that each user receives \(n-1\) shares from the remaining users. Assuming that \(\mathcal {ADV}\) has colluded with \(n-2\) users, we conclude that \(\mathcal {ADV}\) will know the \(n\cdot (n-2)\) shares of the compromised users. Moreover, \(\mathcal {ADV}\) will also know the \(n-4\) shares sent from the legitimate users \(u_l\) and \(u_\ell \) to the compromised ones. In other words, \(\mathcal {ADV}\) knows all the exchanged shares except from the ones that \(u_l\) and \(u_\ell \) keep for themselves as well as the ones exchanged between \(u_l\) and \(u_\ell \). More specifically, the shares \(r_{l,l}\) and \(r_{\ell , \ell }\) are kept with \(u_l\) and \(u_\ell \) respectively, while the shares \(r_{\ell , l}\) and \(r_{l, \ell }\) are exchanged between \(u_l\) and \(u_\ell \). We notice that:

$$\begin{aligned} s_{l} = \underline{\mathsf {sk}_l} + \underline{r_l} - (r_{1,l}+\dots + \underline{r_{l,l}}+ \dots + \underline{r_{\ell , l}} + \dots + r_{n, l}) \end{aligned}$$

(16)

and

$$\begin{aligned} s_{\ell } = \underline{\mathsf {sk}_\ell } + \underline{r_\ell } - (r_{1,\ell }+\dots + \underline{r_{l,\ell }}+ \dots + \underline{r_{\ell , \ell }} + \dots + r_{n, \ell }) \end{aligned}$$

(17)

Where the underlined terms are the ones that \(\mathcal {ADV}\) does not know. Equations 16 and 17 can also be written as:

$$\begin{aligned} s_{l} = \underline{\mathsf {sk}_l} + \sum _{j\ne l, \ell }^n (r_{l,j} - r_{j, l}) + \underline{r_{l,\ell } - r_{l, \ell }} \quad \text {and}\quad s_{\ell } = \underline{\mathsf {sk}_\ell } + \sum _{j\ne \ell , l}^n (r_{\ell ,j} - r_{j, \ell }) + \underline{r_{\ell ,l} - r_{\ell , l}} \end{aligned}$$

We see that for \(\mathcal {ADV}\) to find the the secret keys \(\mathsf {sk}_l\) and \(\mathsf {sk}_{\ell }\), she needs to solve a system of two equations with four unknown terms. Hence, we conclude that even in the extreme scenario where \(n-2\) users are corrupted, \(\mathcal {ADV}\) cannot infer any information about the keys of the legitimate users.    \(\square \)