6 research outputs found

    Multi-Client Inner Product Encryption: Function-Hiding Instantiations Without Random Oracles

    In a Multi-Client Functional Encryption (MCFE) scheme, n clients each obtain a secret encryption key from a trusted authority. During each time step t, each client i can encrypt its data using its secret key. The authority can use its master secret key to compute a functional key given a function f, and the functional key can be applied to a collection of n clients’ ciphertexts encrypted to the same time step, resulting in the outcome of f on the clients’ data. In this paper, we focus on MCFE for inner-product computations. If an MCFE scheme hides not only the clients’ data, but also the function f, we say it is function hiding. Although MCFE for inner-product computation has been extensively studied, how to achieve function privacy is still poorly understood. The very recent work of Agrawal et al. showed how to construct a function-hiding MCFE scheme for inner-product assuming standard bilinear group assumptions; however, they assume the existence of a random oracle and prove only a relaxed, selective security notion. An intriguing open question is whether we can achieve function-hiding MCFE for inner-product without random oracles. In this work, we are the first to show a function-hiding MCFE scheme for inner products, relying on standard bilinear group assumptions. Further, we prove adaptive security without the use of a random oracle. Our scheme also achieves succinct ciphertexts, that is, each coordinate in the plaintext vector encrypts to only O(1) group elements. Our main technical contribution is a new upgrade from single-input functional encryption for inner-products to a multi-client one. Our upgrade preserves function privacy, that is, if the original single-input scheme is function-hiding, so is the resulting multi-client construction. Further, this new upgrade allows us to obtain a conceptually simple construction

    Non-Interactive Anonymous Router with Quasi-Linear Router Computation

    Anonymous routing is an important cryptographic primitive that allows users to communicate privately on the Internet, without revealing their message contents or their contacts. Until the very recent work of Shi and Wu (Eurocrypt’21), all classical anonymous routing schemes are interactive protocols, and their security relies on a threshold number of the routers being honest. The recent work of Shi and Wu suggested a new abstraction called Non-Interactive Anonymous Router (NIAR), and showed how to achieve anonymous routing non-interactively for the first time. In particular, a single untrusted router receives a token which allows it to obliviously apply a permutation to a set of encrypted messages from the senders. Shi and Wu’s construction suffers from two drawbacks: 1) the router takes time quadratic in the number of senders to obliviously route their messages; and 2) the scheme is proven secure only in the presence of static corruptions. In this work, we show how to construct a non-interactive anonymous router scheme with sub-quadratic router computation, and achieving security in the presence of adaptive corruptions. To get this result, we assume the existence of indistinguishability obfuscation and one-way functions. Our final result is obtained through a sequence of stepping stones. First, we show how to achieve the desired efficiency, but with security under static corruption and in a selective, single-challenge setting. Then, we go through a sequence of upgrades which eventually get us the final result. We devise various new techniques along the way which lead to some additional results. In particular, our techniques for reasoning about a network of obfuscated programs may be of independent interest

    Multi-Input Inner Product Encryption: Function-hiding instantiations without Random Oracles

    In a Multi-Input Functional Encryption (MIFE) scheme, n clients each obtain a secret encryption key from a trusted authority. Each client i can encrypt its data using its secret key. The authority can use its master secret key to compute a functional key given a function f, and the functional key can be applied to a collection of n clients’ ciphertexts, resulting in the outcome of f on the clients’ data. If an MIFE scheme hides not only the clients’ data but also the function f, we say it is function hiding. In this work, we study function-hiding security of two variants of MIFE for inner-product computations.  Multi-Client Functional Encryption (MCFE) is a strengthening of MIFE where clients associate their encrypted data with some time step t and the outcome of f can be computed only on ciphertexts encrypted to the same time step. Although MCFE for inner-product computation has been extensively studied, most earlier works on MCFE do not achieve function privacy. The recent work by Agrawal et al. showed how to construct a function-hiding MCFE for inner-product from standard assumptions and the existence of a random oracle. An intriguing open question is whether we can achieve the same without random oracles. In this work, we are the first to show such a function-hiding MCFE for inner products, relying on the standard Decisional Linear assumption. Our main technical contribution is a new upgrade from single input functional encryption for inner-products to a multi client one; and, if the single-input scheme is function-hiding, so is the resulting multi-client scheme. Ad Hoc MIFE (AMIFE) is a decentralized version of MIFE. In AMIFE, the users can jointly decide in a decentralized way what function they would allow to be evaluated on their joint data. The aforementioned work by Agrawal et al. also showed how to construct a function-hiding AMIFE scheme for inner-products, relying on standard bilinear group assumptions, and without random oracles. 
    We construct a new AMIFE scheme that provides the same security guarantees as this earlier work but our construction provides a nicer abstraction making the scheme and the security proofs conceptually simpler.