Simple and Generic Constructions of Succinct Functional Encryption

Abstract

We propose simple generic constructions of succinct functional encryption. Our key tool is strong exponentially efficient indistinguishability obfuscator (SXIO), which is the same as indistinguishability obfuscator (IO) except that the size of an obfuscated circuit and the running time of an obfuscator are slightly smaller than that of a brute-force canonicalizer that outputs the entire truth table of a circuit to be obfuscated. A “compression factor” of SXIO indicates how much SXIO compresses the brute-force canonicalizer. In this study, we propose a significantly simple framework to construct succinct functional encryption via SXIO and show that SXIO is powerful enough to achieve cutting-edge cryptography. In particular, we propose the following constructions:

• Single-key weakly succinct secret-key functional encryption (SKFE) is constructed from SXIO (even with a bad compression factor) and one-way functions.

• Single-key weakly succinct public-key functional encryption (PKFE) is constructed from SXIO with a good compression factor and public-key encryption.

• Single-key weakly succinct PKFE is constructed from SXIO (even with a bad compression factor) and identity-based encryption.

Our new framework has side benefits. Our constructions do not rely on any number theoretic or lattice assumptions such as decisional Diffie–Hellman and learning with errors assumptions. Moreover, all security reductions incur only polynomial security loss. Known constructions of weakly succinct SKFE or PKFE from SXIO with polynomial security loss rely on number theoretic or lattice assumptions. As corollaries of our results, relationships among SXIO, a few variants of SKFE, and a variant of randomized encoding are discovered.

Appendices

Single-Key Non-succinct Functional Encryption

Our construction of weakly succinct PKFE (resp. SKFE) uses a single-key non-succinct PKFE (resp. SKFE) scheme as a building block. As observed by Sahai and Seyalioglu [45] and later extended by Gorbunov et al. [29], single-key non-succinct functional encryption scheme can be constructed based on standard assumptions such as public-key encryption and one-way function.

For self-containment, we show the construction of single-key non-succinct PKFE scheme based on public-key encryption scheme. More specifically, the construction is based on garbling scheme and public-key encryption.

Let \(\mathsf {GC}=(\mathsf {Grbl},\mathsf {Eval})\) be a garbling scheme, and \(\mathsf {PKE}=(\mathsf {KG},\mathsf {Enc}, \mathsf {Dec})\) be a public-key encryption scheme. Using \(\mathsf {GC}\) and \(\mathsf {PKE}\), we construct a single-key PKFE scheme \(\mathsf {OneKey}=(\mathsf {1Key}.\mathsf {Setup},\mathsf {1Key}.\mathsf {KG}, \mathsf {1Key}.\mathsf {Enc}, \mathsf {1Key}.\mathsf {Dec})\) as follows. Below, we assume that we can represent every function f by an n-bit string \((f[1],\cdots ,f[s])\).

Construction The scheme consists of the following algorithms.

\(\mathsf {1Key}.\mathsf {Setup}(1^\lambda ):\)  

• Generate \((\mathsf {pk}_{j,\alpha },\mathsf {sk}_{j,\alpha }) \leftarrow \mathsf {KG}(1^\lambda )\) for every \(j\in [s]\) and \(\alpha \in \{0,1\}\).

• Return \(\mathsf {MPK}\leftarrow \{\mathsf {pk}_{j,\alpha }\}_{j\in [s], \alpha \in \{0,1\}}\) and \(\mathsf {MSK}\leftarrow \{\mathsf {sk}_{j,\alpha }\}_{j\in [s], \alpha \in \{0,1\}}\).

\(\mathsf {1Key}.\mathsf {KG}(\mathsf {MSK},f):\)  

• Parse \(\{\mathsf {sk}_{j,\alpha }\}_{j\in [s],\alpha \in \{0,1\}} \leftarrow \mathsf {MSK}\) and \((f[1],\cdots , f[s]) \leftarrow f\).

• Return \(\mathsf {sk}_f \leftarrow (f,\{\mathsf {sk}_{j,f[j]}\}_{j\in [s]})\).

\(\mathsf {1Key}.\mathsf {Enc}(\mathsf {MPK}, m):\)  

• Parse \(\{\mathsf {pk}_{j,\alpha }\}_{j\in [s],\alpha \in \{0,1\}} \leftarrow \mathsf {MPK}\).

• Compute \(({{\widetilde{U}}}, \{L_{j,\alpha }\}_{j\in [s],\alpha \in \{0,1\}}) \leftarrow \mathsf {Grbl}(1^\lambda , U(\cdot ,m))\).

• For every \(j\in [s]\) and \(\alpha \in \{0,1\}\), compute \(c_{j,\alpha } \leftarrow \mathsf {Enc}(\mathsf {pk}_{j,\alpha },L_{j,\alpha })\).

• Return \(\mathsf {CT}\leftarrow ({{\widetilde{U}}}, \{c_{j,\alpha }\}_{j\in [s],\alpha \in \{0,1\}})\).

\(\mathsf {1Key}.\mathsf {Dec}(\mathsf {sk}_f, \mathsf {CT}):\)  

• Parse \((f, \{\mathsf {sk}_j\}_{j\in [s]}) \leftarrow \mathsf {sk}_f\) and \(({{\widetilde{U}}}, \{c_{j,\alpha }\}_{j\in [s],\alpha \in \{0,1\}}) \leftarrow \mathsf {CT}\).

• For every \(j\in [s]\), compute \(L_j \leftarrow \mathsf {Dec}(\mathsf {sk}_{j,f[j]},c_{j,f[j]})\).

• Return \(y \leftarrow \mathsf {Eval}({{\widetilde{U}}}, \{L_j\}_{j\in [s]})\).

\(\mathsf {OneKey}\) is single-key PKFE scheme that satisfies weakly selective security if \(\mathsf {GC}\) is secure and \(\mathsf {PKE}\) is CPA-secure. The construction is non-succinct since the encryption algorithm of \(\mathsf {OneKey}\) encrypts a universal circuit whose size is at least linear in the size of functions.

We can analogously construct single-key non-succinct SKFE scheme based on garbling scheme and secret-key encryption.

Gorbunov et al. [29] later showed how to extend this construction to adaptively secure one using a technique of non-committing encryption [18]. This is done by only using public-key encryption (or one-way function) if we focus on single-key schemes.¹⁴ Thus, we need only public-key encryption or one-way function to obtain single-key adaptively secure schemes for our building blocks.

Proof for Weak Succinctness from Collusion-Succinctness

In this section, we see a transformation from a q-key weakly collusion-succinct index-based functional encryption into a single-key weakly succinct functional encryption. Bitansky and Vaikuntanathan have shown such a transformation [16, Theorem 4.3].¹⁵ The key tool for the transformation is decomposable randomized encoding, which is implied by one-way function (see Definition 2.6).

We stress that the transformation in this section is not new. The differences between the construction of Bitansky and Vaikuntanathan and ours is that we assume that the underlying weakly collusion-succinct scheme is weakly selectively secure and uses an index for functional key generation. The resulting weakly succinct scheme of our transformation is also weakly selectively secure. Note that the resulting scheme does not need any index for key generation since it is a single-key scheme.

It is known that single-key weakly selectively secure weakly succinct PKFE can be transformed into collusion-resistant and succinct PKFE [28]. Moreover, to construct IO by using the theorem by Bitansky and Vaikuntanathan [16], a single-key weakly selectively secure weakly succinct PKFE scheme is sufficient.

Note that if the maximum size of functions in a function family is fixed, the number of decomposed randomized encodings (denoted by \(\mu \)) of a function is also fixed. Thus, \((\mu ,\delta )\)-weakly selectively secure (i.e., bounded collusion-resistant) schemes are sufficient for this transformation.

Readers that are familiar with the transformation by Bitansky and Vaikuntanathan [16, Theorem 4.3] can skip this section. We write the transformation and a proof for the weakly selective security for confirmation. Of course, we can obtain a selectively secure scheme by the transformation if we use a selectively secure scheme as the underlying scheme.

Remark B.1

(Difference between decomposable randomized encoding and decomposable garbled circuit) We stress that there are significant differences between decomposable randomized encoding and decomposable garbled circuit [12] as we note in Sect. 1. In fact, both are basically slight extensions of Yao’s garbled circuit. However, the definition of decomposable randomized encoding is much simpler than that of decomposable garbled circuit by Bitansky et al. [12]. In addition, a decomposable randomized encoding is constructed from one-way function with polynomial security loss, but a decomposable garbled circuit is constructed from one-way function with exponential security loss in the depth of circuits.

In decomposable garbled circuit, we can garble a circuit by a gate-by-gate manner and consider hybrid garbled circuits that consist of real and simulated garbled gates. In the hybrid transitions from the real to the simulation, a “punctured programming”-type security notion [46] is used for each garbled gate. These two properties are differences from decomposable \(\mathsf {RE}\). To achieve the security notion, Bitansky et al. change a real (resp. hybrid) garbled gate into a hybrid (resp. simulated) one if all of its predecessor (resp. successor) gates are hybrid ones. Thus, \(2^{O(d)}\) (d is the depth of a circuit) hybrid steps are needed to prove the security.

The reason decomposable garbled circuit is such complicated is that it is customized to be an IO-friendly (or SXIO-friendly) tool [12]. We use neither IO nor SXIO when we use decomposable randomized encoding. Thus, we do not need decomposable garbled circuit for our purpose. See the paper by Bitansky et al. for details of decomposable garbled circuit [12].

Conversion We show only the PKFE case. The SKFE case is similarly proven.

Construction B.2

Our single-key weakly succinct PKFE scheme \(\mathsf {sFE}=(\mathsf {sFE}.\mathsf {Setup},\mathsf {sFE}.\mathsf {KG}, \mathsf {sFE}.\mathsf {Enc}, \mathsf {sFE}.\mathsf {Dec})\) for circuits of size at most \(s=s(\lambda )\) with \(n=n(\lambda )\) bit inputs is based on a q-key weakly collusion-succinct iPKFE scheme \(\mathsf {qFE}=(\mathsf {qFE}.\mathsf {Setup},\mathsf {qFE}.\mathsf {i}\mathsf {KG},\mathsf {FE}.\mathsf {Enc},\mathsf {qFE}.\mathsf {Dec})\) for circuits of size at most s with n-bit inputs. Let \(\mathsf {F}\), \(\mathsf {RE}\), and \(\mathsf {SKE}\) be a PRF, c-local decomposable randomized encoding, and CPA-secure secret-key encryption scheme, respectively. In the scheme, we use \(\mathsf {F}:\{0,1\}^{\lambda } \rightarrow \{0,1\}^{\rho }\).

\(\mathsf {sFE}.\mathsf {Setup}(1^\lambda ):\)  

• Generate \((\mathsf {MPK},\mathsf {MSK}) \leftarrow \mathsf {qFE}.\mathsf {Setup}(1^\lambda )\).

• Return \((\mathsf {MPK}, \mathsf {MSK})\).

\(\mathsf {sFE}.\mathsf {KG}(\mathsf {MSK}, f):\)  

• Generate \(t \leftarrow \{0,1\}^\lambda \).

• Compute decomposed f, that is, \(({\widehat{f}}_1,\ldots ,{\widehat{f}}_\mu )\leftarrow \mathsf {RE.E}(1^\lambda ,f)\).

• Choose \(\mathsf {SKE}\) secret-key \(\mathsf {SK}\leftarrow \{0,1\}^{\lambda }\). For all \(i \in [\mu ]\), generate \(\mathsf {CT}_{\mathsf {ske}}^i \leftarrow \mathsf {SKE}.\mathsf {Enc}(\mathsf {SK},0)\), and compute \(\mathsf {sk}_{f_i} \leftarrow \mathsf {qFE}.\mathsf {i}\mathsf {KG}(\mathsf {MSK}, \textsf {D}_{\mathsf {re}}[{\widehat{f}}_i,t, \mathsf {CT}_{\mathsf {ske}}^i],i)\). The circuit \(\textsf {D}_{\mathsf {re}}\) is defined in Fig. 12.

• Return \(\mathsf {sk}_f \leftarrow (\mathsf {sk}_{f_1},\ldots ,\mathsf {sk}_{f_\mu })\).

\(\mathsf {sFE}.\mathsf {Enc}(\mathsf {MPK}, x):\)  

• Generate \(K \leftarrow \mathsf {PRF}.\mathsf {Gen}(1^\lambda )\).

• Return \(\mathsf {CT}\leftarrow \mathsf {qFE}.\mathsf {Enc}(\mathsf {MPK}, (0,x,K,\bot ))\).

\(\mathsf {sFE}.\mathsf {Dec}(\mathsf {sk}_f, \mathsf {CT}):\)  

• Parse \((\mathsf {sk}_{f_1},\ldots , \mathsf {sk}_{f_\mu }) \leftarrow \mathsf {sk}_f\).

• For all \(i \in [\mu ]\), compute \(e_i \leftarrow \mathsf {qFE}.\mathsf {Dec}(\mathsf {sk}_{f_i}, \mathsf {CT})\).

• Decode y from \((e_1,\ldots ,e_\mu )\).

• Return y.

Fig. 12

Description of \(\textsf {D}_{\mathsf {re}}\)

Proof of Theorem 3.11

We start with analyzing succinctness then move on to the security proof.

We assume that \(\mathsf {RE}\) is a \(\delta \)-secure decomposable randomized encoding scheme, \((\mathsf {PRF}.\mathsf {Gen}, \mathsf {F},\mathsf {Punc})\) is a \(\delta \)-secure puncturable PRF, \(\mathsf {SKE}\) is a \(\delta \)-secure SKE, and \(\mathsf {qFE}\) is a \((\mu ,\delta )\)-weakly selectively secure iPKFE scheme for circuits of size at most \(s = s(\lambda )\) with \(n = n(\lambda )\) inputs with encryption circuit of size \(\mu ^{\gamma }\cdot {\mathrm {poly}}(\lambda ,n,s)\) where \(\mu = s \cdot {\mathrm {poly}}_\mathsf {RE}(\lambda ,n)\) and \({\mathrm {poly}}_\mathsf {RE}\) is a fixed polynomial determined by \(\mathsf {RE}\).

Weak Succinctness To issue one key, we need to issue \(1\cdot \mu = s\cdot {\mathrm {poly}}_\mathsf {RE}(\lambda ,n)\) keys of \(\mathsf {qFE}\) since we consider functions of size s. Thus, we choose \(\mu =s\cdot {\mathrm {poly}}_\mathsf {RE}(\lambda ,n)\) as the number of issued keys of \(\mathsf {qFE}\).

Let \(\textsf {D}_i :=\textsf {D}_{\mathsf {re}}[{\widehat{f}}_i,t,\mathsf {CT}_{\mathsf {ske}}^i]\). \(\textsf {D}_i\) includes a decryption of \(\mathsf {SKE}\), PRF evaluation on the domain \(\{0,1\}^\lambda \times [\mu ]\), and evaluation of decomposed randomized encoding \({\widehat{f}}_i\). \(|{\widehat{f}}_i|\) is independent of \(\left| f\right| \) by the decomposability of \(\mathsf {RE}\) and \(\left| t\right| \) and \(\left| \mathsf {CT}_{\mathsf {ske}}^i\right| \) are bounded by \(O(\lambda )\). Moreover, the PRF evaluation is done in time \({\mathrm {poly}}(\lambda , \log s)\). Thus, the size of \(\textsf {D}_i\) is \({\mathrm {poly}}(\lambda ,n, \log s)\). Therefore, the size of encryption circuit \(\mathsf {sFE}.\mathsf {Enc}\) is

$$\begin{aligned} (s\cdot {\mathrm {poly}}(\lambda ,n))^{\gamma } \cdot {\mathrm {poly}}(\lambda ,n, \log s) = s^{\gamma '}\cdot {\mathrm {poly}}(\lambda ,n), \end{aligned}$$

where \(\gamma '\) is any constant such that \(\gamma<\gamma '<1\).

Security Proof Let \(\mathcal {A}\) be an adversary attacking the weakly selective security of \(\mathsf {sFE}\). We define a sequence of hybrid games.

\(\mathsf {Hyb}_{0}\)::

The first game is the original weakly selective security experiment for \(b=0\), \(\mathsf {Expt}_{{\mathcal {A}}}^{\mathsf {sel^*}}(1^\lambda ,0)\). In this game, \({\mathcal {A}}\) first selects the challenge messages \((x_0^*,x_1^*)\) and a function f then obtains an encryption of \(x_0^*\), the master public-key, and a functional decryption key \(\mathsf {sk}_f\).

\(\mathsf {Hyb}_{1}\)::

We change \(\mathsf {CT}_{\mathsf {ske}}^i \leftarrow \mathsf {SKE}.\mathsf {Enc}(\mathsf {SK},0)\) into \(\mathsf {CT}_{\mathsf {ske}}^i \leftarrow \mathsf {SKE}.\mathsf {Enc}(\mathsf {SK},{\widehat{f}}_i(x_0^*;r))\) for all \(i\in [\mu ]\). It holds that \(\mathsf {Hyb}_{0}{\mathop {\approx }\limits ^{{\mathsf {c}}}}_{\delta }\mathsf {Hyb}_{1}\) due to the CPA-security of \(\mathsf {SKE}\).

\(\mathsf {Hyb}_{2}\)::

We change \(\mathsf {CT}\leftarrow \mathsf {qFE}.\mathsf {Enc}(\mathsf {MPK}, (0,x_0^*,K,\bot ))\) into \(\mathsf {CT}\leftarrow \mathsf {qFE}.\mathsf {Enc}(\mathsf {MPK}, (1,\bot ,\bot ,\mathsf {SK}))\).

\(\square \)

Lemma B.3

It holds that \(\mathsf {Hyb}_{1}{\mathop {\approx }\limits ^{{\mathsf {c}}}}_{\delta }\mathsf {Hyb}_{2}\) if \(\mathsf {qFE}\) is a \((q,\delta )\)-weakly selectively secure PKFE.

Proof of lemma

We construct an adversary \({\mathcal {B}}\) of \(\mathsf {qFE}\). First, \({\mathcal {A}}\) sends messages \((x_0^*,x_1^*)\) and a function f to the challenger of \(\mathsf {sFE}\). \({\mathcal {B}}\) generates \(K\leftarrow \mathsf {PRF}.\mathsf {Gen}(1^\lambda )\) and chooses random t and a secret-key encryption key \(\mathsf {SK}\leftarrow \{0,1\}^{\lambda }\), computes \(({\widehat{f}}_1,\ldots ,{\widehat{f}}_{\mu })\) from f, and generates \(\mathsf {CT}_{\mathsf {ske}}^i \leftarrow \mathsf {SKE}.\mathsf {Enc}(\mathsf {SK},{\widehat{f}}_{i}(x_0^*;r))\) and \(\textsf {D}_{\mathsf {re}}[{\widehat{f}}_i,t,\mathsf {CT}_\mathsf {ske}^i]\) for all \(i\in [\mu ]\). Then, \({\mathcal {B}}\) sends messages \(((0,x_0^*,K,\bot ),(1,\bot ,\bot ,\mathsf {SK}))\) as challenge messages and functions \(\textsf {D}_i :=\textsf {D}_{\mathsf {re}}[{\widehat{f}}_i,t,\mathsf {CT}_\mathsf {ske}^i]\) for all \(i\in [\mu ]\) to the challenger of \(\mathsf {qFE}\) and receives \(\mathsf {MPK}\), \(\mathsf {CT}^*\), and \(\{\mathsf {sk}_{\textsf {D}_i}\}_{i\in [\mu ]}\). \({\mathcal {B}}\) passes \(\mathsf {MPK}\), \(\mathsf {CT}^*\), and \(\{\mathsf {sk}_{\textsf {D}_i}\}_{i\in [\mu ]}\) as the master public-key, target ciphertext, and functional key for f to \({\mathcal {A}}\). This perfectly simulates \(\mathsf {Hyb}_{1}\) if \(\mathsf {CT}^*\) is an encryption of \((0,x_0^*,K,\bot )\) and \(\mathsf {Hyb}_{2}\) if \(\mathsf {CT}^*\) is an encryption of \((1,\bot ,\bot ,\mathsf {SK})\). Thus, the lemma follows. \(\square \)

\(\mathsf {Hyb}_{3}\)::

We change \(r \leftarrow \mathsf {F}_K(t)\) into \(r \leftarrow \{0,1\}^{\rho }\). It holds that \(\mathsf {Hyb}_{2}{\mathop {\approx }\limits ^{{\mathsf {c}}}}_{\delta }\mathsf {Hyb}_{3}\) due to the pseudo-randomness of \(\mathsf {F}\).

\(\mathsf {Hyb}_{4}\)::

We change \(e_i \leftarrow {\widehat{f}}_i(x_0^*;r)\) into \(e_i \leftarrow {\widehat{f}}_i(x_1^*;r)\) for all \(i \in [\mu ]\). It holds that \(\mathsf {Hyb}_{3}{\mathop {\approx }\limits ^{{\mathsf {c}}}}_{\delta }\mathsf {Hyb}_{4}\) due to the security of the decomposable randomized encoding and the condition \(f(x_0^*)=f(x_1^*)\) for \(\mathsf {sFE}\). In fact, we intermediately use the output of the simulator of \(\mathsf {RE}\).

\(\mathsf {Hyb}_{5}\)::

This is the same as \(\mathsf {Expt}_{{\mathcal {A}}}^{\mathsf {sel^*}}(1^\lambda ,1)\). We can show \(\mathsf {Hyb}_{4} {\mathop {\approx }\limits ^{{\mathsf {c}}}}_{\delta } \mathsf {Hyb}_{5}\) in a reverse manner.

Therefore, Construction B.2 is \((1,\delta )\)-selectively secure and weakly succinct PKFE for \(\mathsf {P/poly}\) with compression factor \(\gamma '\) such that \(\gamma ' <1\). This completes the proof of Theorem 3.9. This completes the proof of Theorem 3.11. \(\square \)