TCC 2021
Multi-Party Functional Encryption
Shweta Agrawal (IIT Madras), Rishab Goyal (MIT), Junichi Tomida (NTT)

Functional Encryption [Sahai-Waters05, …]
• Diagram labels: $MSK$; $MPK$, $m$, $CT = Enc(MPK, m)$; wants to learn $f(m)$
• Hide everything but $f(m)$
• Without outsourcing to Bob
• Even when Bob is offline

Functional Encryption: Functionality and Security
• Function class $\mathcal{F}$: $SK_f = KGen(f)$ [$f \in \mathcal{F}$]
• Input class $\mathcal{X}$: $CT_x = Enc(x)$ [$x \in \mathcal{X}$]
• Output: $f(x)$
SECURITY INTUITION
Given $CT = Enc(MPK, x)$ and $SK_{f_1}, \ldots, SK_{f_q}$, the adversary learns only $f_1(x), \ldots, f_q(x)$.

Functional Encryption: A Grand Unifier
o IBE [Shamir84, …]
o ABE [Sahai-Waters05, …]
o IPFE, PE, PHPE, …

Functional Encryption: Retrospection
• Unifier (IBE, IPFE, ABE, …)
• Forecaster (Partially Hiding PE, …)
• Abstracter (Towards Obfuscation, …)

Functional Encryption: Multiple Users
• Distributed CTs
• Distributed SKs
• Distributed CTs and SKs
Diagram: many $CT_x$ and many $SK_f$ → Dec → $f(x)$

Functional Encryption: Multiple Users
• Distributed CTs
o Multi-Input FE [GGG+14, …]
o Multi-Client FE [CDSG+18, …] (Similar to MIFE but public labels associated with $x_i$ and equality checked)
Diagram: $CT_{x_1}, \ldots, CT_{x_n}$ and $SK_f$ → Dec → $f(x_1, \ldots, x_n)$
[GGG+14]: Goldwasser-Gordon-Goyal-Jain-Katz-Liu-Sahai-Shi-Zhou
[CDSG+18]: Chotard-Dufour-Sans-Gay-Phan-Pointcheval

Functional Encryption: Multiple Users
• Distributed SKs
o Multi-Authority FE [Chase07, Lewko-Waters11, …]
o Decentralized FE [Michalevsky-Joye18, …] (Similar to MAFE but key inputs $y_i$'s are same)
Diagram: $SK_{y_1}, \ldots, SK_{y_n}$ and $CT_g$ → Dec → $g(y_1, \ldots, y_n)$

Functional Encryption: Multiple Users
• Distributed CTs and SKs
o Decentralized Multi-Client FE [Chotard-Dufour-Sans-Gay-Phan-Pointcheval18, …]
o Ad-Hoc Multi-Input FE [Agrawal-Clear-Frieder-Garg-O'Neill-Thaler20, …] (Generalization of D-MCFE to remove labels and unbounded arity)
o Dynamic Decentralized FE [Chotard-Dufour-Sans-Gay-Phan-Pointcheval20] (Generalization of AdHocMIFE to dynamic setup and key combination for distinct inputs)
Diagram: $CT_{lab, x_1}, \ldots, CT_{lab, x_n}$ and $SK_{f,1}, \ldots, SK_{f,n}$ → Dec → $f(x_1, \ldots, x_n)$

Functional Encryption: Multiple Users
• Distributed CTs [MIFE, MCFE]: central key authority
• Distributed SKs [MAFE, D-FE]: single message source
• Distributed CTs and SKs [D-MCFE, aMIFE, DDFE]: no function hiding or centralized setup
PURPOSE: Different applications have different user models and requirements.
This makes the process of studying new notions, comparing techniques, etc. infeasible.

Functional Encryption: Our Question
• Unifier, Forecaster, Abstracter: FE did this in a single-user setting
• Our Goal: "Unify and Forecast" encryption in the multi-user setting too!

This Work
• Introduce the concept of Multi-Party FE as a broad unifier
• Propose new multi-user encryption functionalities
• Give new constructions from standard assumptions

Multi-Party Functional Encryption
• Class of CT inputs $\mathcal{X}$: $CT_x = Enc(x)$ [$x \in \mathcal{X}$]
• Class of SK inputs $\mathcal{Y}$: $SK_y = KGen(y)$ [$y \in \mathcal{Y}$]
• Diagram: $CT_{x_1}, \ldots, CT_{x_m}$ and $SK_{y_1}, \ldots, SK_{y_n}$ → Dec
• How do SKs and CTs combine? Key/Ciphertext Aggregators:
o CT-Aggregator $Agg_x$
o SK-Aggregator $Agg_y$
• Dec outputs $U(Agg_x(x_1, \ldots, x_m), Agg_y(y_1, \ldots, y_n))$
• $Agg_x$ and $Agg_y$ are scheme-specific functions; $U$ is a universal function
• Equivalent view: $x_1, \ldots, x_m$ feed $Agg_x$, $y_1, \ldots, y_n$ feed $Agg_y$, and both outputs feed a Universal-Ckt

Multi-Party FE Syntax
• $m$ (arity of CTs), $Agg_x$
• $n$ (arity of SKs), $Agg_y$
• Setup → $(PP, EK_1, \ldots, EK_m, MSK_1, \ldots, MSK_n)$
• $mode \in \{central, local, interactive\}$
o central: trusted party
o local: non-interactive, independent
o interactive: protocol between users
• Slide label: Optional

Multi-Party FE Overview
• $Setup$
o Run in one of 3 modes
o Samples $(PP, EK_1, \ldots, EK_m, MSK_1, \ldots, MSK_n)$
• $Enc(EK_i, x_i) \to CT_i$
• $KGen(MSK_j, y_j) \to SK_j$

MPFE: Security
INTUITION
Given $\{CT_{i,k} = Enc(EK_i, x_{i,k})\}_{i,k}$ and $\{SK_{j,\ell} = KGen(MSK_j, y_{j,\ell})\}_{j,\ell}$, the adversary learns only
$\{U(Agg_x(x_{1,k_1}, \ldots, x_{m,k_m}), Agg_y(y_{1,\ell_1}, \ldots, y_{n,\ell_n}))\}_{k_1, \ldots, k_m, \ell_1, \ldots, \ell_n}$
We also break inputs into public-private components for cleaner applications.
Master keys can also be corrupted, and the leakage needs to be defined correspondingly. [Paper for details.]

Does MPFE really "Unify"?
Let us check by examples - MIFE via the lens of MPFE
• $m$, $Agg_x = \mathbb{I}$
• $n = 1$, $Agg_y = \mathbb{I}$
• Setup → $(PP, EK_1, \ldots, EK_m, MSK)$, $mode = central$
• $CT_{x_i} = Enc(EK_i, x_i)$
• $SK_f = KGen(MSK, f)$
• MIFE Dec: $CT_{x_1}, \ldots, CT_{x_m}$ and $SK_f$ → $f(x_1, \ldots, x_m)$
• Dec: $U(\mathbb{I}(x_1, \ldots, x_m), \mathbb{I}(f)) = f(x_1, \ldots, x_m)$

Does MPFE really "Unify"?
Let us check by examples - (similarly) MAFE via MPFE
• $m = 1$, $Agg_x = \mathbb{I}$
• $n$, $Agg_y = \mathbb{I}$
• Setup → $(PK_i, MSK_i)$, $mode = local$
• $CT_g = Enc(\{PK_i\}, g)$
• $SK_{y_i} = KGen(MSK_i, y_i)$
• Diagram: $CT_g$ and $SK_{y_1}, \ldots, SK_{y_n}$ → Dec → $g(y_1, \ldots, y_n)$
• Dec: $U(\mathbb{I}(g), \mathbb{I}(y_1, \ldots, y_n)) = g(y_1, \ldots, y_n)$

How to use MPFE to forecast?
• Composing FE for different functionalities and user models
• E.g., Multi-Authority ∘ ABE ∘ Inner-Product FE, Decentralized ∘ PE ∘ Inner-Product FE, …
• Function Hiding DDFE
• Combining key materials intended for different users (unlike multi-authority, decentralized, etc.)
• E.g., Reputation-Based Encryption, …

This Work: New Positive Results

| Function Class | Assumption |
|---|---|
| Multi-Authority AB-IPFE (for Monotone Span Programs) | Bilinear Groups (composite order, or prime order in GGM) |
| Decentralized AB-IPFE with 1-sided Policy Hiding (for Inner Products) | Bilinear Groups (k-linear) |
| Function Hiding DDFE (for Inner Products) | Bilinear Groups (SXDH in ROM) |
| Distributed CP-ABE (for log-depth circuits) | LWE, Bilinear GGM |

General feasibility result from MIFE. [Paper for details.]

Multi-Authority AB-IPFE
• Recall ciphertext-policy ABE and IPFE
Diagram labels: ABE, IPFE

Multi-Authority AB-IPFE
• Composing ciphertext-policy ABE and IPFE
Diagram label: AB-IPFE
Equivalently we can say AB-IPFE for monotone span programs from bilinear [Abdalla-Catalano-Gay-Ursu20]

Multi-Authority AB-IPFE
• Decentralizing AB-IPFE
Diagram label: AB-IPFE
Distributing keys (making multi-authority)

Constructing MA-AB-IPFE
• Starting point is the MA-ABE scheme of [Lewko-Waters11]
• LW11 Simplified
• View as ElGamal of $i$-th secret share
• KEM is the secret shared

Upgrading to IPFE
• Natural first thought
o Use ideas from literature on lifting PKE to IPFE [Abdalla-Bourse-DeCaro-Pointcheval15, …]
o Crux is to rely on the homomorphic structure of PKE
o Encode each vector bit using an independent PKE key
o Decryption key for a vector is a linear combination of the underlying PKE keys
o During decryption, the user homomorphically computes to get a single PKE CT
o Decrypt the final ciphertext using the linearly combined PKE key
• A very clean idea, BUT it does not work for current MA-ABE
o Briefly, the KEM key is chosen at encryption time and thus cannot be linearly combined for generating functional keys

Upgrading to IPFE: Simple trick
• KEM terms masked with each authority's master key (using ElGamal)
• Give a projection of unmasking terms instead of KEM projection
• LSSS reconstruction touches rows of A whereas projection is on columns
• Randomness can be reused across masking terms (very crucial)

Constructing MA-AB-IPFE
Crucial Proof Intuition
• First try
o Use proof strategy by merging LW11 + PKE-to-IPFE transformation
o LW11 uses dual system paradigm
o Relies on semi-functional CT distribution
o Ideas from PKE-to-IPFE not applicable (cannot switch CT to semi-functional)
• Main idea in a nutshell
o Introduce a new notion of partial semi-functional CTs
o CTs nominally semi-functional across all-but-one projected subspace
[Paper for details]

Concluding Remarks
• Multi-Party Functional Encryption
• Unifier with a simple framework
• Enables abstraction of technical ideas across user models
• Easier to interpolate the space of unexplored functionalities
• Many fascinating open questions raised by unexplored functionalities
• Built some natural functionalities from standard assumptions.
Thank you! ia.cr/2020/1266