1 Introduction

Traditional public key encryption has been used to secure the communication channel between two parties, the sender and receiver. It has two features: (1) The ciphertexts are sent through the channel, and the party who has the secret key can recover the plain message. (2) The secret key holder can decrypt and know the entire plaintext, but those who do not have the secret key can learn nothing at all (“black and white” property) [4]. Traditional public key encryption scheme can help a user to share its data over an insecure network. However, with the development of the internet and cloud services, this “black and white” notion encryption is inefficient for many applications. For example, an outside server which acts as a spam filter should be able to determine if an encrypted email is spam or not without learning anything else about the email’s content; the encrypted data which is stored in the cloud may be used in different ways by different users. To solve these problems, functional encryption is studied in recent years. The notion of functional encryption was first defined by Boneh et al. [4]. In functional encryption, the owner of the master secret key can generate the secret key \(sk_f\) for any function f in a family F. Given the ciphertext CT of message x, the user who holds the secret key \(sk_f\) can do the decryption to obtain f(x) but does not know anything else about x.

It is natural to extend the notion of functional encryption to multi-input functional encryption which is a very general tool for computing on encrypted data. Let f be a n-ary function (\(n\ge 1\)). In multi-input functional encryption, given n ciphertexts CT\(_1\), CT\(_2,\cdots ,\) CT\(_n\) of underlying messages \(x_1, x_2,\cdots , x_n\) and a secret key \(sk_f\) corresponding to function f, the user can obtain \(f(x_1, x_2,\cdots , x_n)\) but can not learn anything else about the messages \(x_1, x_2,\cdots , x_n\). Multi-input functional encryption has many applications, for example it can be used in multi-client outsourcing computation, computing over encrypted data stream, running on SQL queries on encrypted database and so on [11].

Functional encryption is a suitable tool in designing outsourcing computation scheme [13]. With the development of cloud computing, there are many cloud service providers offer attractive services, client would like to outsource its computation task to service provider and pay the service charge. Multi-client outsourcing computation can be described as following [6]: n computational weak clients each has its input \(x_i\) wish to outsource the computation of \(f(x_1,\cdots ,x_n)\) to an untrusted server. A secure outsourcing scheme should make sure that the clients’ inputs are keeping private from the server and the clients can verify the correctness of the computation result returned from the server. In this paper, we mainly study multi-input functional encryption and show its application in multi-client outsourcing computation.

1.1 Related Work

The notion of functional encryption was first formalized by Boneh et al. [4]. Early works are known only for restricted functions such as inner product function or a variant of it [1, 5, 15, 21]. These works do not show how to extend the scheme beyond inner products. Sahai and Seyalioglu [20] first proposed a single key query functional encryption for general functions, and [14] extended it and designed a q key bounded functional encryption scheme, which allows the adversary to make q secret key queries for functions. Because of the non-succinctness of the ciphertext size in [14, 20]’s work. [13] designed a single key query functional encryption scheme with succinct ciphertext. In the same year, [7] proposed functional encryption supporting unbounded key queries using indistinguishability obfuscation. And it only satisfies selective security. Using puncturable technique, [8, 23] designed adaptively secure functional encryption for general functions respectively.

Multi-input Functional Encryption. The study on multi-input functional encryption was done by Goldwasser et al. [11]. They gave constructions of multi-input functional encryption based on indistinguishability obfuscation [7] and differing-inputs obfuscation [2]. Similar to the idea of [7], in [11]’s work n parties first use the two-key encryption technique [17] to encrypt its inputs. Using the property of indistinguishability obfuscation, they hide the verification, decryption and function-computation process in an obfuscation circuit. The obfuscation circuit here is the secret key \(sk_f\) corresponding to f. Thus the user who holds \(sk_f\) can get the computation result \(f(x_1,\cdots ,x_n)\) and learn nothing else about \(x_1,\cdots ,x_n\). Their scheme satisfies selective indistinguishable security and q bounded selective simulation security. While in [11]’s construction, its privacy property relies on a completely honest party. For there must be a party who generates the master secret key (MSK) which contains the secret key of the two-key encryption scheme. If the party who holds the master secret key is dishonest, it can easily get the input of other parties by just decrypting the corresponding ciphertexts. And the indistinguishability obfuscation it based on is still either rely on a polynomial set of assumptions or an exponential number of assumptions, but with an exponential loss in the security reduction [10]. In our work, we aim to design a multi-input functional encryption scheme that avoids using obfuscation and can keep privacy of the parties’ inputs from each other without relying on a completely honest party.

Multi-client Outsourcing Computation. There are limited works in this area. [6] constructed a multi-client outsourcing scheme using proxy-OT technique. In its scheme only the client who has the secret key can do the verification and get the computation result. [19, 22] also designed multi-client outsourcing computation schemes by using two non-collude servers, while their scheme do not verify the correctness of the computation result. The verification process is essential in achieving secure and correct outsourcing scheme. In some cases, other parties may also need to verify the correctness of the computation result. This leads to the study of public verification which means that using the public verify key any other party can verify the correctness of the result returned by the untrusted server. In this paper, we consider the scenery that n clients outsource their computation task to one server. We use multi-input functional encryption scheme to construct multi-client outsourcing computation scheme that satisfies public verification. This idea comes from the works about functional encryption [12, 13], however in their outsourcing schemes, the clients need to execute functional encryption scheme twice in order to do the verification.

1.2 Our Contribution

Our thought mainly comes from Goldwasser et al.’s work [13]. We design a multi-input functional encryption scheme and apply it to design a multi-client outsourcing scheme. The main contributions of our constructions are as follows:

  • Based on [13]’s work, we design a multi-input functional encryption scheme using multikey fully homomorphic encryption, and our construction does not need to use obfuscation.

  • Compared with [11]’s work, the privacy property of the parties’ inputs holds and does not rely on a completely honest party.

  • Using multi-input functional encryption we construct a multi-client outsourcing scheme that satisfies public verification. We use a new verify-method to achieve public verification and does not need to run the functional encryption scheme twice.

1.3 Technique Outline

In the rest of this paper, we denote FE the functional encryption. Our work is mainly based on the FE construction of [13]. We briefly introduce [13]’s idea and show how to transfer it to a multi-input FE scheme.

In [13]’s work, a message x’s encryption Enc(x) is computed using fully homomorphic encryption (FHE), the decryptor can do homomorphic evaluation on the encrypted data and get Enc(f(x)). While in functional encryption the decryptor finally obtains f(x) but can not learn anything else about x. The decryption process is done by using Yao’s garbled circuit which hides the secret key sk in the circuit and takes input Enc(f(x)). But how to choose the corresponding labels of Enc(f(x)) when begin to compute the garbled circuit? To solve this problem it uses two-outcome attribute based encryption scheme as its tool.

The idea of [13] is ingenious, however it only considered one-input functional encryption. Based on its work, we design a multi-input functional encryption scheme using multikey fully homomorphic encryption scheme(MFHE) [16]. In our construction, each party holds its key pair \((hpk_i, hsk_i)\) generated from the multikey FHE. In order to decrypt Enc\((f(x_1,\cdots ,x_n))\), the parties first compute the decryption key \(hsk=hsk_1 \cdot hsk_2 \cdots hsk_n\) and then one of these parties produces a garbled circuit of MFHE.Dec\((hsk,\cdot )\). In order to avoid interaction among the parties, we use the non-interactive MPC method(NIMPC) recently introduced by [3]. Use NIMPC, the parties can non-interactively generate the decrypt key \(hsk=hsk_1\cdot hsk_2 \cdots hsk_n\).

How to apply it to multi-client outsourcing computation scheme?

The notion of functional encryption is a little similar with outsourcing computation. The clients in outsourcing computation act like the encryptors, and the server acts like the decryptor. In multi-client outsourcing scheme, the server needs to return the result \(f(x_1, x_2, \cdots , x_n)\) to the clients. In addition to this process, the clients need to verify the correctness of the computation result. In [12]’s work, they followed the approach of Parno et al. [18] and described how to achieve public verifiable multi-client outsourcing computation scheme. In their design, the clients should first generate two pairs of master secret keys and public keys and run FE scheme twice. Instead of using [18]’s public verify method, we use a new method to do public verification. Using the garbled circuit’s output labels which are corresponding to the computation result f(x), we design a public verify method similar to [18] but do not need to run FE scheme twice.

2 Preliminaries

We denote k the security parameter, \(negl(\cdot )\) a negligible function and ppt the probabilistic polynomial time. ABE\(_2\) denotes the two-outcome attribute based encryption, MFHE denotes the multikey homomorphic encryption(or Multikey FHE) for short, NIMPC denotes non-interactive multiparty computation and MIFE means the multi-input functional encryption.

2.1 Multikey Fully Homomorphic Encryption

Definition 1

(Multikey C-homomorphic encryption). [16] let C be a class of circuits. A multikey C-homomorphic encryption consisting four algorithms (KeyGen, Enc, Dec, Eval)\(_{N}\) for all integers \(N>0\) satisfies the followings:

  1. 1.

    KeyGen\((1^k) \rightarrow (pk_i,sk_i,ek_i)\): input the security parameter k, output a public key \(pk_i\), a secret key \(sk_i\) and a evaluation key \(ek_i\) \((i\in [N])\).

  2. 2.

    Enc\((pk_i,x)\rightarrow c\): input the public key \(pk_i\) and message \(x_i\), output a ciphertext \(c_i\).

  3. 3.

    Eval\((C, (c_1', pk_1', ek_1'), \cdots ,(c_t', pk_t', ek_t')) \rightarrow c^* \): given a circuit C and t ciphertexts \((c_i', pk_i', ek_i')\), outputs a ciphertext \(c^*\). Here the t keys \(\{pk_1',\cdots ,pk_t' \}\) is a subset of \(\{pk_1,\cdots ,pk_N\}\).

  4. 4.

    Dec\((sk_1,\cdots ,sk_N, c^*) \rightarrow x^*\): given N secret keys \(sk_1,\cdots ,sk_N\) and a ciphertext \(c^*\), outputs a message \(x^*\).

Correctness. let \(c^*=\)Eval\((C, (c_1', pk_1', ek_1'), \cdots ,(c_t', pk_t', ek_t'))\), where \(c_i'= \)Enc\((pk_i',x_i')\). Then Dec\((sk_1, \cdots , sk_N, c^*)=C(x_1',\cdots ,x_t')\).

Compactness. Let \(c^*=\)Eval\((C,(c_1', pk_1', ek_1'), \cdots ,(c_t', pk_t', ek_t'))\). There exist a polynomial P such that \(|c^*|\leqslant P(k,n)\).

Multikey FHE. An encryption scheme consisting algorithms (KeyGen, Enc, Dec, Eval)\(_{N>0}\) is multikey fully homomorphic if it is C-homomorphic for the class of all circuits.

If the underlying encryption scheme is semantically secure, then the multikey FHE holds semantically secure in the presence of the evaluation key ek [16].

L\(\acute{o}\)pez-Alt et al. [16] designed a multikey FHE scheme, and in their scheme the decryption of a multi-key ciphertext requires a multiplication by the product of all keys that were involved in the generation of the ciphertext.

2.2 Garbled Circuit

Definition 2

(Garbling scheme). \(\mathcal {C}_n\) is the set of circuit taking as input n bits. A garbling scheme for a family of circuits \(\mathcal {C}=\{\mathcal {C}_n\}_{n \in N}\), is a tuple of ppt algorithms Gb=(Gb.Garble, Gb.Enc, Gb.Eval) such that

  1. 1.

    Gb.Garble\((1^k, C)\) takes as input the security parameter k and a circuit \(C\in \mathcal {C}_n\) for some n, and outputs the garbled circuit \(\varGamma \) and a secret key sk.

  2. 2.

    Gb.Enc(sk, x) takes as input the secret key sk and data \(x \in \{0,1\}^n\) and outputs an encoding c.

  3. 3.

    Gb.Eval\((\varGamma , c)\) takes as input a garbled circuit \(\varGamma \), an encoding c and outputs a value y .

Correctness. For any polynomial \(n(\cdot )\), for all sufficiently large security parameters k, for \(n = n(k)\), for all circuits \(C \in \mathcal {C}_n\) and all \(x \in \{0, 1\}^n\), Pr\([(\varGamma , sk) \leftarrow \) Gb.Garble\((1^k, C); c \leftarrow \) Gb.Enc\((sk, x); y \leftarrow \) Gb.Eval\((\varGamma , c): C(x) = y] =1-negl(k)\).

Efficiency. There exists a universal polynomial \(p = p(k, n)\) (p is the same for all classes of circuits C) such that for all input sizes n, security parameters k, for all boolean circuits C of with n bits of input, for all \(x \in \{0,1\}^n\), Pr\([(\varGamma , sk) \leftarrow \) Gb.Garble\((1^k, C) : |sk| \leqslant p(k, n)\) and runtime(Gb.Enc\((sk, x)) \leqslant p(k, n)] = 1\).

Input and Circuit Private. If there exist a ppt simulator Sim\(_{Garble}\), such that for every ppt adversaries A and D, for all sufficiently large security parameters k, the following equation holds. Then the garbled scheme Gb for a family of circuits \(\{\mathcal {C}_n\}_{n\in N}\) is input and circuit private.

|Pr\([(x,C,\alpha )\leftarrow A(1^k); (\varGamma ,sk)\leftarrow \) Gb.Garble\((1^k,C); c\leftarrow \) Gb.Enc\((sk,x):D(\alpha ,x, C,\varGamma ,c)]- \)Pr\([(x,C,\alpha )\leftarrow A(1^k); (\tilde{\varGamma },\tilde{c})\leftarrow \)Sim\(_{Garble}(1^k,C(x),1^{|C|},1^{|x|}):D(\alpha ,x, C,\tilde{\varGamma },\tilde{c})]|=\)negl(k)

2.3 Two-Outcome Attribute-Based Encryption

Definition 3

(Two-outcome Attribute-based Encryption). A two-outcome attribute-based encryption scheme (ABE\(_2\)) for a class of predicates \(P=\{P_n\}_{n \in N}\) represented as boolean circuits with n input bits and one output bit and an associated message space M is a tuple of algorithms (ABE\(_2\).Setup, ABE\(_2\).KeyGen, ABE\(_2\).Enc, ABE\(_2\).Dec) as follows:

  1. 1.

    ABE\(_2\).Setup\((1^k)\): Takes a security parameter k as input and outputs a master public key mpk and a master secret key msk.

  2. 2.

    ABE\(_2\).KeyGen(mskP): Given a master secret key msk and a predicate \(P \in P_n\) for some n, outputs a key \(sk_P\) corresponding to P.

  3. 3.

    ABE\(_2\).Enc\((mpk,x,m_0,m_1)\): Takes as input the public key mpk, an attribute \(x\in \{0,1\}^n\) for some n, and two messages \(m_0,m_1 \in M\), outputs a ciphertext c.

  4. 4.

    ABE\(_2\).Dec\((sk_P,c)\): Takes as input a secret key \(sk_P\) for a predicate P and a ciphertext c and outputs \(m^*\in M\).

Correctness. We say that the ABE\(_2\) scheme is correct if for any polynomial \(n(\cdot )\), for every sufficiently large security parameter k, if \(n = n(k)\), for all predicates \(P \in P_N\), attributes \(x \in \{0, 1\}^n\) , and messages \(m_0,m_1 \in M\):

$$\begin{aligned} Pr \left| \begin{array}{l} (mpk, msk) \leftarrow ABE_2.Setup(1^k); \\ sk_P \leftarrow ABE_2.KeyGen(msk, P); \\ c \leftarrow ABE_2.Enc(mpk,x, m_0, m_1); \\ m^* \leftarrow ABE_2.Dec(sk_P, c); \\ m^*=m_{P(x)} \end{array} \right| =1-negl(k) \end{aligned}$$

The space \(\{0, 1\}^n\) is referred to as the attribute space (with an attribute size of n) and M is referred to as the message space.

Security. We say that the ABE\(_2\) scheme is secure if for all PPT adversary \(\mathcal {A}\), and for every sufficiently large security parameter k, the following experiment holds that:

$$\begin{aligned} Pr | Exp_{ABE_{2},\mathcal {A}}(1^{k})=1|\le 1/2+negl(k). \end{aligned}$$
figure a

2.4 Multi-input Functional Encryption

Definition 4

(Multi-input Functional Encryption). A multi-input functional encryption scheme(MIFE) for a class of functions \(\mathcal {F}=\{\mathcal {F}\}_{n\in N}\) consists of four algorithms (MIFE.Setup, MIFE.Enc, MIFE.KeyGen, MIFE.Dec). We describe them as following:

  1. 1.

    MIFE.Setup\((1^k ,n )\): takes the secure parameter k and function’s arity n as input, outputs a master secret key MSK and a master public key MPK.

  2. 2.

    MIFE.Enc\((MPK, x_1,\cdots ,x_n)\): takes input public key MPK and messages \(x_1,\cdots ,x_n\), here \(x_i\) is the data corresponding to party i. Using MPK each party encrypts its data \(x_i\) and outputs a ciphertext \(c_i\). The algorithm finally output a ciphertext CT related to the ciphertexts \((c_1,\cdots ,c_n)\).

  3. 3.

    MIFE.KeyGen(MSKf): takes input the master secret key MSK and an n-ary function f, outputs a key \(sk_f\).

  4. 4.

    MIFE.Dec\((sk_f, CT)\): takes ciphertext CT and secret key \(sk_f\) as its input and output a value y.

Correctness. We say that a multi-input functional encryption scheme is correct if for all \(f \in \mathcal {F}\) and all \((x_1, \cdots , x_n)\in X_k^n\), the following holds:

$$\begin{aligned} Pr \left[ \begin{array}{l} (MSK,MPK) \leftarrow MIFE.Setup (1^k); sk_f \leftarrow MIFE.KeyGen (MSK,f); \\ MIFE.Dec (sk_f, MIFE.Enc (x_1,\cdots ,x_n)) \ne f(x_1, \cdots , x_n)] \end{array} \right] =negl(k) \end{aligned}$$

Full-SIM-Security. A multi-input functional encryption scheme scheme is (single-key) full-SIM-secure if for every ppt adversary \(A=(A_1,A_2)\) there exist a ppt simulator S such that the following two experiments are computational indistinguishable.

figure b

2.5 Multi-client Outsourcing Computation Scheme

As far as we know, multi-client outsourcing computation scheme was first considered by choi et al. [6]. There are n clients each has their corresponding input \(x_i\) want to outsource the computation of \(f(x_1, \cdots ,x_n)\) to a server. Here we consider the public verification case where any other clients can verify the correctness of the computation result using the public verify key.

Definition 5

(Multi-client Outsourcing Computation Scheme). A \(n-\) party multi-client outsourcing computation scheme consists four algorithms (KeyGen, ProbGen, Compute, Verify):

  1. 1.

    KeyGen\((1^k, f) \rightarrow (SK,PK)\): On input the security parameter k and a function \(f \in F\), it outputs a secret key SK, a public key PK.

  2. 2.

    ProbGen\((PK,SK,x_1,\cdots ,x_n) \rightarrow (\sigma _X, VK_X)\): Each client uses the public key PK computes the encoding of its input \(x_i\) denote by \(\sigma _{x_i}\). Finally the algorithm output a verification key \(VK_X\) and an encoding \(\sigma _X\) related to \(\sigma _{x_i}(i=1,\cdots ,n).\)

  3. 3.

    Compute\((PK,\sigma _X)\rightarrow Z\): This algorithm takes input the public key PK, and the encoding \(\sigma _X\), output a result Z.

  4. 4.

    Verify\((PK,VK_X ,Z) \rightarrow (y,reject)\): Using the public messages PK, public verify message \(VK_X\), the algorithm verifies the correctness of Z. If the verification passes, the corresponding result y can be recovered after the verification. Otherwise reject.

Correctness. A multi-client outsourcing computation scheme is correct if for any function \(f \in F\) and any \((SK,PK)\leftarrow \) KeyGen\((1^k, f)\), any \((x_1,\cdots ,x_n) \in Dom(F)\), if \((\sigma _X, VK_X) \leftarrow \) ProbGen\((PK,SK,x_1,\cdots ,x_n)\) and \(Z\leftarrow \) Compute\((PK,\sigma _X)\), then \( y=f(x_1,\cdots ,x_n)\leftarrow \) Verify\((PK.VK_X,Z)\) holds with all but negligible probability.

Security. A multi-client outsourcing scheme is secure if the probability that there exist a ppt adversary that can make the clients accept an incorrect computation result is negligible. We describe it via the experiment below:

Experiment EXP\(_\mathcal {A}^{Ver}(S,f,k)\)

\((SK,PK)\leftarrow \) KeyGen \((1^k, f)\)

For \(i=1\) to q:

\(X_i \leftarrow \mathcal {A}(PK,\sigma _{X,1},VK_{X,1},\ldots ,\sigma _{X,i-1},VK_{X,i-1})\)

\((\sigma _{X,i}; VK_{X,i}) \leftarrow \) ProbGen \((PK, SK, X_i)\)

\(X^* \leftarrow \mathcal {A}(PK,\sigma _{X,1},VK_{X,1},\ldots ,\sigma _{X,q},VK_{X,q})\)

\((\sigma _{X^*},VK_{X^*})\leftarrow \) ProbGen \((PK, SK, X^*)\)

\(Z^*\leftarrow \mathcal {A}(PK,\sigma _{X,1},VK_{X,1},\ldots ,\sigma _{X,q},VK_{X,q},\sigma _{X^*},VK_{X^*})\)

\(y^* \leftarrow \) Verify \((PK, VK_{X^*}, Z^*)\)

Output 1 if \(y^* \notin {\{f(X^*),\perp \}}\) and 0 otherwise.

We say that a multi-client outsourcing scheme is secure if Prob[EXP \(_{\mathcal {A}}^{Ver}(S,f,\lambda )=1]\) is negligible.

Privacy. Based on indistinguishability arguments we define input privacy which guarantees that no information about the inputs is leaked [9]. We describe the Experiment EXP\(_\mathcal {A}^{Priv}\) as follow.

Experiment EXP\(_\mathcal {A}^{Priv}[S,f,n,\lambda ]\)

\((PK,SK,EK) \leftarrow \) KeyGen \((1^\lambda , f);\)

\((X_0,X_1) \leftarrow \mathcal {A}^\mathbf{ProbGen_{SK}(\cdot )}(PK);\)

\((\sigma _0,VK_{X_0})\leftarrow \mathbf{ProbGen}_{SK}(X_0);\)

\((\sigma _1,VK_{X_1})\leftarrow \mathbf{ProbGen}_{SK}(X_1);\)

\(b \leftarrow \{0,1\};\)

\(b^* \leftarrow \mathcal {A}^\mathbf{ProbGen_{SK}(\cdot )}(PK,X_0,X_1,\sigma _b);\)

if \(b^*=b\), output \('1'\), else \('0'\);

We define the advantage of an adversary \(\mathcal {A}\) in the above experiment as:

ADV\(_\mathcal {A}^{Priv}[S,f,n,\lambda ]\)=|Prob[EXP\(_\mathcal {A}^{Priv}[S,f,n,\lambda ]=1]-\frac{1}{2}|\).

A multi-client outsourcing computation scheme is private against the server if for any ppt adversary \(\mathcal {A}\) it holds that ADV\(_\mathcal {A}^{Priv}[S,f,n,\lambda ]\) is negligible.

3 Our Construction

3.1 Multi-input Functional Encryption

In this section, we construct a multi-input functional encryption scheme without obfuscation and the inputs are keeping private from each other. For simplicity, we construct MIFE for functions outputting one bit. We use three building blocks: two-outcome attribute-based encryption scheme, multikey fully homomorphic encryption scheme and Yao’s garbled circuit. Let \(\mathbf c \) be a vector of n ciphertexts \(\mathbf c =(c_1,\cdots , c_n)\). Let MFHE.Eval\(_f^i(hpk,\mathbf c )\) be the predicate function that computes the i-th output bit of MFHE.Eval\(_f(hpk,\mathbf c )\). Let \( \lambda \) be the length of the ciphertexts in MFHE scheme.

In our construction, we use the non-interactive multiparty computation(denote NIMPC) [3] as our tool to help the parties cooperatively compute the decryption key \(hsk=hsk_1\cdot hsk_2\cdots hsk_n\). In [3]’s NIMPC construction, its process can be divided into offline and online stage. In its offline stage the parties generate correlated randomness; in the online stage, the parties encode their messages respectively and then compute on the encodings to get the final computation result but cannot learn anything else about each others’ message.

Now we are ready to give our multi-input FE scheme. The construction of multi-input FE is described as follows:

  1. 1.

    MIFE.Setup\((1^k)\): Run two-outcome ABE scheme \(\lambda \) times: \((mpk_i,msk_i) \leftarrow \) ABE\(_2\).Setup\((1^k)\) for \(i \in [\lambda ]\). Run the offline stage of NIMPC to generate correlated randomness, denote R. The master public key \(MPK=(mpk_1,\cdots ,mpk_\lambda )\), the master secret key \(MSK=(msk_1,\cdots ,msk_\lambda ,R)\).

  2. 2.

    MIFE.Enc\((MPK,x_1,\cdots ,x_n)\): let n be the number of inputs. \(x_i\) corresponds to the input of party i. The encryption algorithm proceeds as follows:

    1. (a)

      Each party generates a fresh key pair \((hpk_i,hsk_i)\leftarrow \)MFHE.KeyGen\((1^k)\). Each party encrypts its input \(x_i\) by computing \(c_i \leftarrow \)MFHE.Enc\((hpk_i,x_i)\). let \( \mathbf c =(c_1,\cdots ,c_n)\).

    2. (b)

      The n parties run the online stage of NIMPC protocol to secure compute \(hsk=hsk_1\cdot hsk_2 \cdots hsk_n\). Then one party (suppose the first party) produces a garbled circuit \(\varGamma \) for the MFHE decryption algorithm MFHE.Dec\((hsk, \cdot )\) together with \(2\lambda \) input labels \(L_i^b\) for \(i \in [\lambda ]\), \(b \in \{0,1\}\).

    3. (c)

      The party who generates the garbled circuit \(\varGamma \) computes the encryption of \( \mathbf c =(c_1,\cdots ,c_n)\) using ABE\(_2\).Enc algorithm: CT\(_i=\)ABE\(_2\).Enc\((mpk_i,(hpk,\mathbf c ),L_i^0,L_i^1)\) for i in \([\lambda ]\).

    4. (d)

      Output the ciphertext CT=(CT\(_1,\cdots ,\)CT\(_\lambda , \varGamma )\).

  3. 3.

    MIFE.KeyGen(MSKf): As we have mentioned that MFHE.Eval\(_f^i(hpk,\mathbf c )\) is the predicate function that computes the i-th output bit of MFHE.Eval\(_f(hpk,\mathbf c )\). Here \(hpk=(hpk_1,\cdots ,hpk_n)\) and \(\mathbf c \) consists n MFHE ciphertexts.

    1. (a)

      Run the key generation algorithm of ABE\(_2\) for function MFHE.Eval\(_f^i\) under different master secret keys: sk\(_f^i\)=ABE\(_2\).KeyGen\((msk_i,\)MFHE. Eval\(_f^i)\).

    2. (b)

      Output \(sk_f=(sk_f^1,\cdots ,sk_f^\lambda )\) the secret key for function f.

  4. 4.

    MIFE.Dec(\(sk_f,\)CT):

    1. (a)

      Run ABE\(_2\) decryption algorithm on ciphertext CT, obtain the labels \(L_i^{d_i} \leftarrow \) ABE\(_2\).Dec \((sk_f^i,\)CT\(_i)\) for \(i \in [\lambda ]\).

    2. (b)

      Run the garbled circuit \(\varGamma \) on the labels \(L_i^{d_i}\) to compute the function result: Gb.Eval\((\varGamma , L_1^{d_1},\cdots ,L_\lambda ^{d_\lambda })=\)MFHE.Dec\((hsk,d_1d_2 \cdots d_\lambda )=f(x_1, \cdots ,x_n)\).

Intuition. Each party i’s secret key \(hsk_i\) is keeping private from other parties. Every time the garbled circuit \(\varGamma \) has been regenerated.

3.2 Correctness and Security Proof

Correctness. In the decryption process, according to the correctness of ABE\(_2\) scheme, \(d_i\) is the i-th output bit of MFHE.Eval\(_f(hpk,\mathbf c )\). Next the labels \(L_i^{d_i}\) are the inputs to the Garbled circuit corresponding to the value of MFHE.Eval\(_f(hpk,\mathbf c )\). For the garbled circuit is the decrypting algorithm of MFHE, denote by MFHE.Dec\((hsk,\cdot )\). Here the decrypt key hsk is computed by the NIMPC algorithm. Thus by the correctness of the NIMPC scheme and the garbled circuit, the output of the garbled circuit is the correct plain message corresponding to MFHE.Eval\(_f(hpk,\mathbf c )\). Finally by the correctness of the Multikey FHE scheme, this plain message is \(f(x_1,\cdots ,x_n)\). The correctness of the Multi-input FE scheme holds.

Theorem 1

Assuming the underlying ABE\(_2\) scheme is fully secure, the Multikey FHE scheme is IND-CPA secure, Yao’s garbled circuit is input and circuit private, the resulting MIFE scheme is fully secure.

Security Proof:

We construct a ppt simulator S that receives inputs \((MPK,sk_f,f,f(x_1, \cdots ,x_n),1^n)\) and must output \(\tilde{c}\) such that the real and ideal experiments are computational indistinguishable. Simulator S on input \((MPK,sk_f,f, f(x_1,\cdots ,x_n),1^n)\):

  1. 1.

    Choose n key pairs\((hpk_i,hsk_i)\leftarrow \) MFHE.KeyGen\((1^k)\) for \(i=1,\cdots ,n\). Encrypt n inputs \(0^\lambda \)(\(\lambda \) zero bits), we denote the ciphertexts \(\hat{0}=(\hat{0}_1\leftarrow \) MFHE.Enc\((hpk_1,0^\lambda ),\cdots ,\hat{0}_n\leftarrow \) MFHE.Enc\((hpk_n,0^\lambda ))\). Compute \(hsk=hsk_1\cdot hsk_2\cdots hsk_n\).

  2. 2.

    Let Sim\(_{Garble}\) be the simulator for Yao’s garbled circuit corresponding to FHE.Dec\((hsk,\cdot )\). Run Sim\(_{Garble}\) to produce a simulated garbled circuit \(\varGamma \) for the multikey FHE decryption algorithm MFHE.Dec\((hsk,\cdot ): \{0, 1\}^\lambda \rightarrow \{0, 1\}\) together with the simulated encoding consisting of \(\lambda \) labels \(L_i\) for \(i=1,\cdots ,\lambda \). Namely: \((\hat{\varGamma },\{\hat{L}_i\}_{i=1}^\lambda )\leftarrow \) Sim\(_{Garble}(1^k,f(x_1,\cdots ,x_n),1^{|MFHE.Dec(hsk,\cdot )|},1^\lambda )\).

  3. 3.

    Produce encryption \(\hat{c}_1,\cdots ,\hat{c}_\lambda \) under the ABE\(_2\) scheme by computing the equation below:       \(\hat{c}_i \leftarrow \) ABE\(_2\).Enc\((mpk_i,(hpk,\hat{0}),\hat{L}_i,\hat{L}_i)\) where the simulator S uses each simulated labels \(\hat{L}_i\) twice.

  4. 4.

    Output \(\hat{c}=(\hat{c}_1,\cdots ,\hat{c}_\lambda ,\hat{\varGamma })\).

Next we define a sequence of game experiments to prove the security of our multi-input FE scheme.

Game 0 is the output of the real experiment Exp\(_{MIFE,\mathcal {A}}^{H_0}\)=Exp\(_{MIFE,\mathcal {A}}^{real}\) .

Game 1 is the same as game 0, except that, let \(d_i=\)MFHE.Eval\(_f^i(hpk, \mathbf c )\), include \(L^{d_i}\) twice in the ABE\(_2\) encryption, namely:

\(\hat{c}_i^{(1)}\leftarrow \) ABE\(_2\).Enc\((mpk_i,(hpk,\mathbf c ),L_i^{d_i},L_i^{d_i})\) and \(\hat{c}^{(1)}=(\hat{c}_1^{(1)},\cdots ,\hat{c}_\lambda ^{(1)},\varGamma )\).

Game 2 is the same as game 1 except that the Garbled circuit is generated by the Sim\(_{Garble}\) algorithm. \((\hat{\varGamma },\{\hat{L}_i\}_{i=1}^\lambda )\leftarrow \) Sim\(_{Garble}(1^k,f(x_1,\cdots ,x_n),1^{|MFHE.Dec(hsk,\cdot )|},1^\lambda )\).

Game 3 is the output of the ideal experiment Exp\(_{MIFE,\mathcal {A}}^{H_3}\)=Exp\(_{MIFE,\mathcal {A},S}^{ideal}\).

Lemma 1. Assuming the underlying ABE\(_2\) scheme is fully secure, Game 0 and Game 1 is above is computationally indistinguishable.

Proof: In Game 0 and Game 1 there are \(\lambda \) ABE\(_2\) encryptions, each with a pair of independent ABE\(_2\) keys. The computational indistinguishability property with \(\lambda \) encryptions can be hold if these two games are computationally indistinguishable with only one of these encryptions. This property has been proved in [13]’s work. The difference between Game 0 and Game 1 is that in Game 0 the ABE\(_2\) encryption algorithm encrypts \((L_i^{d_i}, L_i^{1-d_i})\), while in Game 1, the ABE\(_2\) encryption algorithm encrypts \((L_i^{d_i},L_i^{d_i})\), here \(d_i=\)MFHE.Eval\(_f^i(hpk,\mathbf c )\) . If there exist a ppt algorithm \(\mathcal {A}\) that can distinguish these two experiments with different encodings, then there exist a ppt algorithm \(\mathcal {B}\) that can use \(\mathcal {A}\)’s ability to break the security of the ABE\(_2\) scheme.

Lemma 2. Assuming the garbled circuit is input and circuit private, Game 1 and Game 2 are computationally indistinguishable.

Proof: The only difference between Game 1 and Game 2 is the generation method of the garbled circuit. In Game 1, \((\varGamma ^*,\{L_i^*\}_{i=1}^\lambda )\) is the output of the real garbled circuit. while in Game 2, \((\varGamma ^*,\{L_i^*\}_{i=1}^\lambda )\) is the output of Sim\(_{Garble}\). If there exist a ppt algorithm \(\mathcal {A}\) that can distinguish Game 1 and Game 2, then these exist a ppt algorithm \(\mathcal {B}\) that can distinguish these two cases how the \((\varGamma ^*,\{L_i^*\}_{i=1}^\lambda )\) are generated.

Lemma 3. Assuming the Multikey FHE scheme is IND-CPA secure, Game 2 and Game 3 are computationally indistinguishable.

Proof: The difference between Game 2 and Game 3 is that the ciphertext \(\mathbf c \) is computed in different ways. In Game 2 the ciphertext \(\mathbf c \) is the encryption of the real messages \(x_1,\cdots ,x_n\), while in Game 3 the ciphertext \(\mathbf c \) is a vector of n ciphertexts of \(0^\lambda \). \(\mathbf c =\hat{0}=(\hat{0}_1\leftarrow \) MFHE.Enc\((hpk_1,0^\lambda ),\cdots ,\hat{0}_n\leftarrow \) MFHE.Enc\((hpk_n,0^\lambda ))\). If there exist a ppt algorithm that can distinguish these two games, then there exist a ppt algorithm that can break the IND-CPA security of the Multikey FHE scheme.

Our lemmas show that there is no PPT adversary \(\mathcal {A}\) can distinguish one game from the next one with non-negligible probability, thus Game 0 corresponds to the real experiment is indistinguishable from Game 3 corresponds to the ideal experiment. The security property holds.                                                 \(\Box \)

4 Multi-client Outsourcing Computation Scheme

As we have described, multi-input functional encryption can be used as a tool in multi-client outsourcing scheme to achieve public verification. This idea has been showed in [12]’s work. Their public verify method comes from Parno et al.’s work [18] and needs to run two times of the MIFE scheme. In our multi-client outsourcing scheme we use the output label of the garbled circuit to do the verification. Our thought mainly comes from Gennaro et al.’s work [9], for they used the garbled circuit’s output-wire label to map to the computation result.

The multi-input functional encryption(MIFE\(^*\)) used in our outsourcing computation scheme is the same as the multi-input functional encryption(MIFE) constructed in Sect. 3 except that the value of the garbled circuit’s output-wire is the label of the computation result instead of the computation result. For simplicity, we consider the functions with one bit output.

We describe our construction of multi-client outsourcing computation scheme below:

  1. 1.

    KeyGen\((1^k, f) \rightarrow (SK,PK)\): Run MIFE\(^*\).Setup\((1^k)\) algorithm and get MSK and MPK. Run MIFE\(^*\).KeyGen\((1^k)\) algorithm to obtain the decryption key \(sk_f\) corresponding to function f. Let \(PK=(MPK,sk_f)\), \(SK=MSK\).

  2. 2.

    ProbGen\((PK,SK,x_1,\cdots ,x_n) \rightarrow (\sigma _X, VK_X)\): Run the MIFE\(^*\).Enc\((\cdot )\) algorithm, obtain the ciphertexts \(\sigma _X=(CT_1,\cdots ,CT_\lambda )\) and a garbled circuit \(\varGamma \). Here the garbled circuit \(\varGamma \)’s outputs are the labels \((L_y^0,L_y^1)\) which encode the computation result. Using a one-way function \(g(\cdot )\), the client who generates the garbled circuit compute \(vk_0=g(L_y^0)\) and \(vk_1=g(L_y^1)\). Let the public verify message VK\(_X=(vk_0, vk_1)\).

  3. 3.

    Compute\((PK,\sigma _X) \rightarrow Z\): This algorithm takes input the public key PK, the encodings \(\sigma _X=(CT_1, \cdots , CT_\lambda ,\varGamma )\), runs MIFE\(^*\).Dec\((\cdot ) \rightarrow L_y^b\) and outputs \(Z=L_y^b\).

  4. 4.

    Verify\((PK,VK_X ,Z) \rightarrow (y,reject)\): Input the public messages PK, \(VK_X\) and the returned result Z. The clients verify whether the equation \(g(Z)=vk_0\) or \(g(Z)=vk_1\) holds. If the former holds, then \(f(x)=0\), if the latter holds, \(f(x)=1\). Otherwise, output \(\bot \).

Our scheme can be easily generalized to outsource functions with larger outputs by providing more pairs of the public verify messages in the ProbGen stage.

4.1 Correctness and Security Proof

Correctness. We can easily see that the above multi-client outsourcing scheme is correct. In our multi-client outsourcing scheme, we use the multi-input functional encryption scheme designed in Sect. 3. By the correctness of the multi-input functional encryption scheme, the Verify algorithm can correctly decrypt the ciphertext returned by the worker and get the correct label corresponding to the output \(f(x_1,\cdots ,x_n\)), and then map the label to the output bit \(f(x_1,\cdots ,x_n)\).

Theorem 2

If the underlying multi-input FE scheme is secure and the garbled circuit is circuit and input private, then the scheme designed above is a private and secure multi-client outsourcing scheme.

Proof: Our proof is divided into two parts. First we talk about the privacy of the outsourced data, and later we proof the unforgeability of the scheme.

The privacy property is guaranteed by the security of the multi-input functional encryption. If the MIFE scheme is secure, then the worker can only get the computation result but can not learn anything else about the outsourced data.

Next we show the unforgeability of the scheme. By contradiction, we assume that there exist a ppt adversary \(\mathcal {A}\) that makes the experiment EXP\(_\mathcal {A}^{Ver}(S,f,\lambda )\) output 1 with non-negligible probability. Which means that the adversary \(\mathcal {A}\) can produce the encoding \(Z^*\) that makes the Verify algorithm outputs \(y^* \notin {\{f(x^*),\perp \}}\) with non-negligible probability. For \(y^* \notin {\{f(x^*),\perp \}} \) and it has passed the Verify algorithm, which imply that the adversary gains the other output label that doesn’t corresponding to the real output \(f(x^*)\), which contradicts the privacy of the garbled circuit.                                                                \(\Box \)

5 Conclusion

In this work, we construct a multi-input functional encryption scheme that can keep privacy of the parties’ inputs from each other and does not need to use obfuscation. We also show its application in outsourced computation and design a publicly verifiable multi-client outsourcing scheme using a new verify-method. Our schemes are proved to be correct and secure. We want to point out that our multi-input FE scheme uses the non-interactive MPC protocol to help the parties compute the product of their secret keys. Thus designing an efficient non-interactive MPC protocol can improve the efficiency of the functional encryption and the outsourced computation scheme as well. Another interesting direction in this area is to design multi-input functional encryption with unbounded key queries without obfuscation.