Ad Hoc Multi-Input Functional Encryption

Consider sources that supply sensitive data to an aggregator. Standard encryption only hides the data from eavesdroppers, but using specialized encryption one can hope to hide the data (to the extent possible) from the aggregator itself. For flexibility and security, we envision schemes that allow sources to supply encrypted data, such that at any point a dynamically-chosen subset of sources can allow an agreed-upon joint function of their data to be computed by the aggregator. A primitive called multi-input functional encryption (MIFE), due to Goldwasser et al. (EUROCRYPT 2014), comes close, but has two main limitations: - it requires trust in a third party, who is able to decrypt all the data, and - it requires function arity to be fixed at setup time and to be equal to the number of parties. To drop these limitations, we introduce a new notion of ad hoc MIFE. In our setting, each source generates its own public key and issues individual, function-specific secret keys to an aggregator. For successful decryption, an aggregator must obtain a separate key from each source whose ciphertext is being computed upon. The aggregator could obtain multiple such secret-keys from a user corresponding to functions of varying arity. For this primitive, we obtain the following results: - We show that standard MIFE for general functions can be bootstrapped to ad hoc MIFE for free, i.e. without making any additional assumption. - We provide a direct construction of ad hoc MIFE for the inner product functionality based on the Learning with Errors (LWE) assumption. This yields the first construction of this natural primitive based on a standard assumption. At a technical level, our results are obtained by combining standard MIFE schemes and two-round secure multiparty computation (MPC) protocols in novel ways highlighting an interesting interplay between MIFE and two-round MPC

Multi-Input Functional Encryption

\emph{Functional encryption} (FE) is a powerful primitive enabling fine-grained access to encrypted data. In an FE scheme, secret keys (``tokens\u27\u27) correspond to functions; a user in possession of a ciphertext \ct = \enc(x) and a token \tkf for the function~$f$ can compute $f(x)$ but learn nothing else about~$x$. An active area of research over the past few years has focused on the development of ever more expressive FE schemes. In this work we introduce the notion of \emph{multi-input} functional encryption. Here, informally, a user in possession of a token \tkf for an $n$-ary function $f$ and \emph{multiple} ciphertexts \ct_1=\enc(x_1), \ldots, \ct_n=\enc(x_n) can compute $f(x_1, \ldots, x_n)$ but nothing else about the~$\{x_i\}$. Besides introducing the notion, we explore the feasibility of multi-input FE in the public-key and symmetric-key settings, with respect to both indistinguishability-based and simulation-based definitions of security

Multi-Input Functional Encryption

We introduce the problem of Multi-Input Functional Encryption, where a secret key SK_f can correspond to an n-ary function f that takes multiple ciphertexts as input. Multi-input functional encryption is a general tool for computing on encrypting data which allows for mining aggregate information from several different data sources (rather than just a single source as in single input functional encryption). We show wide applications of this primitive to running SQL queries over encrypted database, non-interactive differentially private data release, delegation of computation, etc. We formulate both indistinguishability-based and simulation-based definitions of security for this notion, and show close connections with indistinguishability and virtual black-box definitions of obfuscation. Assuming indistinguishability obfuscation for circuits, we present constructions achieving indistinguishability security for a large class of settings. We show how to modify this construction to achieve simulation-based security as well, in those settings where simulation security is possible. Assuming differing-inputs obfuscation [Barak et al., FOCS\u2701], we also provide a construction with similar security guarantees as above, but where the keys and ciphertexts are compact

Two-Input Functional Encryption for Inner Products from Bilinear Maps

Functional encryption is a new paradigm of public-key encryption that allows a user to compute $f(x)$ on encrypted data $CT(x)$ with a private key $SK_f$ to finely control the revealed information. Multi-input functional encryption is an important extension of (single-input) functional encryption that allows the computation $f(x_1, \ldots, x_n)$ on multiple ciphertexts $CT(x_1), \ldots, CT(x_n)$ with a private key $SK_f$. Although multi-input functional encryption has many interesting applications like running SQL queries on encrypted database and computation on encrypted stream, current candidates are not yet practical since many of them are built on indistinguishability obfuscation. To solve this unsatisfactory situation, we show that practical two-input functional encryption schemes for inner products can be built based on bilinear maps. In this paper, we first propose a two-input functional encryption scheme for inner products in composite-order bilinear groups and prove its selective IND-security under simple assumptions. Next, we propose a two-client functional encryption scheme for inner products where each ciphertext can be associated with a time period and prove its selective IND-security. Furthermore, we show that our two-input functional encryption schemes in composite-order bilinear groups can be converted into schemes in prime-order asymmetric bilinear groups by using the asymmetric property of asymmetric bilinear groups

Multi-Client Functional Encryption for Separable Functions

In this work, we provide a compiler that transforms a single-input functional encryption scheme for the class of polynomially bounded circuits into a multi-client functional encryption (MCFE) scheme for the class of separable functions. An n-input function f is called separable if it can be described as a list of polynomially bounded circuits f^1, ... , f^n s.t. f(x_1, ... , x_n)= f^1(x_1)+ ... + f^n(x_n) for all x_1 ,... , x_n. Our compiler extends the works of Brakerski et al. [Eurocrypt 2016] and of Komargodski et al. [Eurocrypt 2017] in which a generic compiler is proposed to obtain multi-input functional encryption (MIFE) from single-input functional encryption. Our construction achieves the stronger notion of MCFE but for the less generic class of separable functions. Prior to our work, a long line of results has been proposed in the setting of MCFE for the inner-product functionality, which is a special case of a separable function. We also propose a modified version of the notion of decentralized MCFE introduced by Chotard et al. [Asiacrypt 2018] that we call outsourceable mulit-client functional encryption (OMCFE). Intuitively, the notion of OMCFE makes it possible to distribute the load of the decryption procedure among at most n different entities, which will return decryption shares that can be combined (e.g., additively) thus obtaining the output of the computation. This notion is especially useful in the case of a very resource consuming decryption procedure, while the combine algorithm is non-time consuming. We also show how to extend the presented MCFE protocol to obtain an OMCFE scheme for the same functionality class

Functional encryption: definitional foundations and multiparty transformations

Classical cryptographic primitives do not allow for any fine-grained access control over encrypted data. From an encryption of some data x, a decryptor, who is in possession of a decryption key, can either obtain the whole data x or nothing. The notion of functional encryption overcomes this drawback and enables access control over encrypted data. In this setting, a setup generator is responsible for generating the public parameters and, so-called, functional keys. These functional keys are decryption keys that are associated with a function f such that, when used in the decryption procedure, the decryptor obtains f(x), which is the result of the function f applied to the encrypted data x. The standard security definition of functional encryption prevents a malicious decryptor from learning more about the encrypted data than what can be obtained from the functional keys it owns. In this thesis, we introduce the notion of consistency, a security definition that protects an honest decryptor against a malicious encryptor and/or setup generator. We formally introduce this notion using different security games and show that our notions are completely separated from existing confidentiality notions. Additionally, we analyze existing schemes and show how they can be modified to achieve consistency. Furthermore, we construct black-box compilers that turn any functional encryption scheme into a consistent one. Finally, we also analyze consistency in the universal composability (UC) framework and show that the consistency games imply UC security. A more general notion of functional encryption is the notion of multi-client functional encryption, which allows a decryptor to evaluate multi-input functions on multiple ciphertexts generated by several different clients. This notion also requires a setup generator that generates the encryption keys for the different clients as well as the functional keys for the decryptor. A corrupted setup generator is able to compromise the privacy of all the clients in the system by generating arbitrary functional keys. To remove this single point of failure, the notion of decentralized multi-client functional encryption has been introduced. In a decentralized multi-client functional encryption scheme the participating clients in the system are responsible for the generation of the encryption and functional keys. In this thesis, we present a compiler that decentralizes any multi-client functional encryption scheme for inner-products, that fulfills certain properties. Furthermore, we show that we can construct a (decentralized) multi-client functional encryption scheme for separable functions, n-input functions that can be written as the sum of n single-input functions, from any general-purpose single-input functional encryption scheme. An interactive version of multi-client functional encryption is the notion of multiparty computation. In multiparty computation several parties can jointly compute a function involving their private inputs by interacting in multiple rounds of communication. We show how we can use functional encryption to amplify existing multiparty computation protocols in terms of their communication complexity. In more detail, we show how to turn a multiparty computation protocol with arbitrary communication complexity into a multiparty computation protocol with a communication complexity only depending on the depth of the circuit that is being computed, while preserving the number of rounds of interaction of the protocol. Furthermore, we present an improved compiler that relies on fully homomorphic encryption, a cryptographic notion that allows for the oblivious evaluation of functions on encrypted data, where the communication complexity of the amplified protocol is completely independent of the circuit that is being computed

Dynamic Decentralized Functional Encryption

International audienceWe introduce Dynamic Decentralized Functional Encryption (DDFE), a generalization ofFunctional Encryption which allows multiple users to join the system dynamically, without relying on atrusted third party or on expensive and interactive Multi-Party Computation protocols.This notion subsumes existing multi-user extensions of Functional Encryption, such as Multi-Input, Multi-Client, and Ad Hoc Multi-Input Functional Encryption.We define and construct schemes for various functionalities which serve as building-blocks for latter primitivesand may be useful in their own right, such as a scheme for dynamically computing sums in any Abeliangroup. These constructions build upon simple primitives in a modular way, and have instantiations fromwell-studied assumptions, such as DDH or LWE.Our constructions culminate in an Inner-Product scheme for computing weighted sums on aggregatedencrypted data, from standard assumptions in prime-order groups in the Random Oracle Model

Multi-Input Functional Encryption for Unbounded Arity Functions

The notion of multi-input functional encryption (MI-FE) was recently introduced by Goldwasser et al. [EUROCRYPT’14] as a means to non-interactively compute aggregate information on the joint private data of multiple users. A fundamental limitation of their work, however, is that the total number of users (which corresponds to the arity of the functions supported by the MI-FE scheme) must be a priori bounded and fixed at the system setup time. In this work, we overcome this limitation by introducing the notion of unbounded input MI-FE that supports the computation of functions with unbounded arity. We construct such an MI-FE scheme with indistinguishability security in the selective model based on the existence of public-coin differing-inputs obfuscation for turing machines and collision-resistant hash functions. Our result enables several new exciting applications, including a new paradigm of on-the-fly secure multiparty computation where new users can join the system dynamically

Multi-Input Functional Encryption with Unbounded-Message Security

Multi-input functional encryption (MIFE) was introduced by Goldwasser \emph{et al.} (EUROCRYPT 2014) as a compelling extension of functional encryption. In MIFE, a receiver is able to compute a joint function of multiple, independently encrypted plaintexts. Goldwasser \emph{et al.} (EUROCRYPT 2014) show various applications of MIFE to running SQL queries over encrypted databases, computing over encrypted data streams, etc. The previous constructions of MIFE due to Goldwasser \emph{et al.} (EUROCRYPT 2014) based on indistinguishability obfuscation had a major shortcoming: it could only support encrypting an \emph{a priori bounded} number of message. Once that bound is exceeded, security is no longer guaranteed to hold. In addition, it could only support \emph{selective-security}, meaning that the challenge messages and the set of ``corrupted\u27\u27 encryption keys had to be declared by the adversary up-front. In this work, we show how to remove these restrictions by relying instead on \emph{sub-exponentially secure} indistinguishability obfuscation. This is done by carefully adapting an alternative MIFE scheme of Goldwasser \emph{et al.} that previously overcame these shortcomings (except for selective security wrt.~the set of ``corrupted\u27\u27 encryption keys) by relying instead on differing-inputs obfuscation, which is now seen as an implausible assumption. Our techniques are rather generic, and we hope they are useful in converting other constructions using differing-inputs obfuscation to ones using sub-exponentially secure indistinguishability obfuscation instead

Semantically Secure Order-Revealing Encryption: Multi-Input Functional Encryption Without Obfuscation

Deciding greater-than relations among data items just given their encryptions is at the heart of search algorithms on encrypted data, most notably, non-interactive binary search on encrypted data. Order-preserving encryption provides one solution, but provably provides only limited security guarantees. Two-input functional encryption is another approach, but requires the full power of obfuscation machinery and is currently not implementable. We construct the first implementable encryption system supporting greater-than comparisons on encrypted data that provides the best-possible semantic security. In our scheme there is a public algorithm that given two ciphertexts as input, reveals the order of the corresponding plaintexts and nothing else. Our constructions are inspired by obfuscation techniques, but do not use obfuscation. For example, to compare two 16-bit encrypted values (e.g., salaries or age) we only need a 9-way multilinear map. More generally, comparing $k$-bit values requires only a $(k/2+1)$-way multilinear map. The required degree of multilinearity can be further reduced, but at the cost of increasing ciphertext size. Beyond comparisons, our results give an implementable secret-key multi-input functional encryption scheme for functionalities that can be expressed as (generalized) branching programs of polynomial length and width. Comparisons are a special case of this class, where for $k$-bit inputs the branching program is of length $k+1$ and width $4$