TCC 2021
Multi-Party Functional Encryption
Shweta Agrawal (IIT Madras)
Rishab Goyal (MIT)
Junichi Tomida (NTT)
Functional Encryption
[Sahai-Waters05 ……]
• Hide everything but $f(m)$
• Without outsourcing to Bob
• Even when Bob is offline
[Diagram labels: $\mathsf{MSK}$; $\mathsf{MPK}$, $m$; $\mathsf{CT} = \mathsf{Enc}(\mathsf{MPK}, m)$; wants to learn $f(m)$]
Functional Encryption: Functionality and Security
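Function class $\mathcal{F}$: $\mathsf{SK}_f = \mathsf{KGen}(f)$ [$f \in \mathcal{F}$]
Input class $\mathcal{X}$: $\mathsf{CT}_x = \mathsf{Enc}(x)$ [$x \in \mathcal{X}$]
Output: $f(x)$
SECURITY INTUITION
Given $\mathsf{CT} = \mathsf{Enc}(\mathsf{MPK}, x)$ and $\mathsf{SK}_{f_1}, \ldots, \mathsf{SK}_{f_q}$
Adversary learns only $f_1(x), \ldots, f_q(x)$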
Functional Encryption: A Grand Unifier
o IBE [Shamir84 ……]
o ABE [Sahai-Waters05 ……]
o IPFE, PE, PHPE, ……
Functional Encryption: Retrospection
Unifier
(IBE, IPFE, ABE, …)
Forecaster
(Partially Hiding PE, …)
Abstracter
(Towards Obfuscation, …)
Functional Encryption: Multiple Users
• Distributed CTs
• Distributed SKs
• Distributed CTs and SKs
[Diagram: many $\mathsf{CT}_x$, many $\mathsf{SK}_f$ → Dec → $f(x)$]
Functional Encryption: Multiple Users
• Distributed CTs
• Multi-Input FE [GGG+14, …]
• Multi-Client FE [CDSG+18, …]
(Similar to MIFE but public labels associated with $x_i$ and equality checked)
[Diagram: $\mathsf{CT}_{x_1}, \ldots, \mathsf{CT}_{x_n}$ and $\mathsf{SK}_f$ → Dec → $f(x_1, \ldots, x_n)$]
[GGG+14] : Goldwasser-Gordon-Goyal-Jain-Katz-Liu-Sahai-Shi-Zhou
[CDSG+18] : Chotard-Dufour-Sans-Gay-Phan-Pointcheval
Functional Encryption: Multiple Users
• Distributed SKs
• Multi-Authority FE [Chase07, Lewko-Waters11, …]
• Decentralized FE [Michalevsky-Joye18, …]
(Similar to MAFE but key inputs $y_i$'s are same)
[Diagram: $\mathsf{SK}_{y_1}, \ldots, \mathsf{SK}_{y_n}$ and $\mathsf{CT}_g$ → Dec → $g(y_1, \ldots, y_n)$]
Functional Encryption: Multiple Users
• Distributed CTs and SKs
• Decentralized Multi-Client FE
[Chotard-Dufour-Sans-Gay-Phan-Pointcheval18, …]
• Ad-Hoc Multi-Input FE
[Agrawal-Clear-Frieder-Garg-O’Neill-Thaler20, …]
(Generalization of D-MCFE to remove labels and unbounded arity)
• Dynamic Decentralized FE
[Chotard-Dufour-Sans-Gay-Phan-Pointcheval20]
(Generalization of AdHocMIFE to dynamic setup and key combination for distinct inputs)
[Diagram: $\mathsf{CT}_{lab, x_1}, \ldots, \mathsf{CT}_{lab, x_n}$ and $\mathsf{SK}_{f,1}, \ldots, \mathsf{SK}_{f,n}$ → Dec → $f(x_1, \ldots, x_n)$]
Functional Encryption: Multiple Users
• Distributed CTs [MIFE, MCFE]: central key authority
• Distributed SKs [MAFE, D-FE]: single message source
• Distributed CTs and SKs [D-MCFE, aMIFE, DDFE]: no function hiding or centralized setup
PURPOSE
Different applications have different user models and requirements.
Makes process of studying new notions, comparing techniques, etc. infeasible.
Functional Encryption: Our Question
Unifier
Forecaster
Abstracter
FE did this in a single-user setting
Our Goal
“Unify and Forecast” encryption in multi-user setting too!
This Work
• Introduce the concept of Multi-Party FE as a broad unifier
• Propose new multi-user encryption functionalities
• Give new constructions from standard assumptions
Multi-Party Functional Encryption
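Class of CT Inputs $\mathcal{X}$: $\mathsf{CT}_x = \mathsf{Enc}(x)$ [$x \in \mathcal{X}$]
Class of SK Inputs $\mathcal{Y}$: $\mathsf{SK}_y = \mathsf{KGen}(y)$ [$y \in \mathcal{Y}$]
[Diagram: $\mathsf{CT}_{x_1}, \ldots, \mathsf{CT}_{x_m}$ and $\mathsf{SK}_{y_1}, \ldots, \mathsf{SK}_{y_n}$ → Dec]
How do SKs and CTs combine?
Key/Ciphertext Aggregators
• CT-Aggregator $\mathsf{Agg}_x$
• SK-Aggregator $\mathsf{Agg}_y$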
Multi-Party Functional Encryption
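Class of CT Inputs $\mathcal{X}$: $\mathsf{CT}_x = \mathsf{Enc}(x)$ [$x \in \mathcal{X}$]
Class of SK Inputs $\mathcal{Y}$: $\mathsf{SK}_y = \mathsf{KGen}(y)$ [$y \in \mathcal{Y}$]
[Diagram: $\mathsf{CT}_{x_1}, \ldots, \mathsf{CT}_{x_m}$ and $\mathsf{SK}_{y_1}, \ldots, \mathsf{SK}_{y_n}$ → Dec → $U(\mathsf{Agg}_x(x_1, \ldots, x_m), \mathsf{Agg}_y(y_1, \ldots, y_n))$]
$\mathsf{Agg}_x$ and $\mathsf{Agg}_y$ are scheme-specific functions
$U$ is a universal function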
Multi-Party Functional Encryption
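Class of CT Inputs $\mathcal{X}$: $\mathsf{CT}_x = \mathsf{Enc}(x)$ [$x \in \mathcal{X}$]
Class of SK Inputs $\mathcal{Y}$: $\mathsf{SK}_y = \mathsf{KGen}(y)$ [$y \in \mathcal{Y}$]
[Diagram: Dec on $\mathsf{CT}_{x_1}, \ldots, \mathsf{CT}_{x_m}$ and $\mathsf{SK}_{y_1}, \ldots, \mathsf{SK}_{y_n}$ ≡ Universal-Ckt applied to $\mathsf{Agg}_x(x_1, \ldots, x_m)$ and $\mathsf{Agg}_y(y_1, \ldots, y_n)$]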
Multi-Party FE Syntax
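(arity of CTs) $m$, $\mathsf{Agg}_x$
(arity of SKs) $n$, $\mathsf{Agg}_y$
$\mathsf{Setup} \to (\mathsf{PP}, \mathsf{EK}_1, \ldots, \mathsf{EK}_m, \mathsf{MSK}_1, \ldots, \mathsf{MSK}_n)$
$mode \in \{central, local, interactive\}$
• central: trusted party
• local: non-interactive, independent
• interactive: protocol between users
[Slide label: Optional]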
Multi-Party FE Overview
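• $\mathsf{Setup}$
- Run in one of 3 modes
- Samples $(\mathsf{PP}, \mathsf{EK}_1, \ldots, \mathsf{EK}_m, \mathsf{MSK}_1, \ldots, \mathsf{MSK}_n)$
• $\mathsf{Enc}(\mathsf{EK}_i, x_i) \to \mathsf{CT}_i$
• $\mathsf{KGen}(\mathsf{MSK}_j, y_j) \to \mathsf{SK}_j$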
MPFE: Security
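INTUITION
Given $\{\mathsf{CT}_{i,k} = \mathsf{Enc}(\mathsf{EK}_i, x_{i,k})\}_{i,k}$ and $\{\mathsf{SK}_{j,\ell} = \mathsf{KGen}(\mathsf{MSK}_j, y_{j,\ell})\}_{j,\ell}$
Adversary learns only
$\{U(\mathsf{Agg}_x(x_{1,k_1}, \ldots, x_{m,k_m}), \mathsf{Agg}_y(y_{1,\ell_1}, \ldots, y_{n,\ell_n}))\}_{k_1, \ldots, k_m, \ell_1, \ldots, \ell_n}$
We also break inputs into public-private components for cleaner applications.
The adversary can also corrupt master keys, and the leakage needs to be defined correspondingly. [Paper for details.]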
Does MPFE really “Unify”?
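Let us check by examples
- MIFE via the lens of MPFE
(arity of CTs) $m$, $\mathsf{Agg}_x = \mathbb{I}$
(arity of SKs) $n = 1$, $\mathsf{Agg}_y = \mathbb{I}$
$mode = central$
$\mathsf{Setup} \to (\mathsf{PP}, \mathsf{EK}_1, \ldots, \mathsf{EK}_m, \mathsf{MSK})$
$\mathsf{CT}_{x_i} = \mathsf{Enc}(\mathsf{EK}_i, x_i)$
$\mathsf{SK}_f = \mathsf{KGen}(\mathsf{MSK}, f)$
MIFE Dec on $\mathsf{CT}_{x_1}, \ldots, \mathsf{CT}_{x_m}$ and $\mathsf{SK}_f$: $f(x_1, \ldots, x_m)$
Dec: $U(\mathbb{I}(x_1, \ldots, x_m), \mathbb{I}(f)) = f(x_1, \ldots, x_m)$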
Does MPFE really “Unify”?
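Let us check by examples
- (similarly) MAFE via MPFE
(arity of CTs) $m = 1$, $\mathsf{Agg}_x = \mathbb{I}$
(arity of SKs) $n$, $\mathsf{Agg}_y = \mathbb{I}$
$mode = local$
$\mathsf{Setup} \to (\mathsf{PK}_i, \mathsf{MSK}_i)$
$\mathsf{CT}_g = \mathsf{Enc}(\{\mathsf{PK}_i\}, g)$
$\mathsf{SK}_{y_i} = \mathsf{KGen}(\mathsf{MSK}_i, y_i)$
Dec on $\mathsf{CT}_g$ and $\mathsf{SK}_{y_1}, \ldots, \mathsf{SK}_{y_n}$: $g(y_1, \ldots, y_n)$
Dec: $U(\mathbb{I}(g), \mathbb{I}(y_1, \ldots, y_n)) = g(y_1, \ldots, y_n)$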
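The MIFE and MAFE instantiations above, together with the mix-and-match leakage from the security intuition, as an added example (not from the talk or the paper). It models only the ideal functionality, that is, what decryption reveals, not any cryptographic scheme; all function names are hypothetical.

```python
# Added illustration: ideal functionality only, no cryptography.
from itertools import product

def identity(*inputs):
    """Agg = I: pass the tuple of per-slot inputs through unchanged."""
    return inputs

def mpfe_leakage(agg_x, agg_y, U, ct_inputs, sk_inputs):
    """ct_inputs[i] lists every x encrypted under EK_i; sk_inputs[j] lists
    every y for which MSK_j issued a key. Returns everything a holder of all
    these CTs and SKs can compute: one U-output per choice of one CT per
    ciphertext slot and one SK per key slot."""
    learned = {}
    for xs in product(*ct_inputs):
        for ys in product(*sk_inputs):
            learned[(xs, ys)] = U(agg_x(*xs), agg_y(*ys))
    return learned

# MIFE: m ciphertext slots, n = 1, U applies the function in the single key.
def U_mife(xs, ys):
    (f,) = ys
    return f(*xs)

# MAFE: m = 1 (the ciphertext carries g), n authorities issue keys for y_j.
def U_mafe(xs, ys):
    (g,) = xs
    return g(*ys)

def add(a, b):
    return a + b

def both(a, b):
    return a and b

def demo_mife():
    # Constructed inputs: two ciphertexts per slot and one key for f = add.
    # The key opens all 2 x 2 combinations, not just the "intended" pairs.
    return mpfe_leakage(identity, identity, U_mife, [[1, 2], [10, 20]], [[add]])

def demo_mafe():
    # Constructed inputs: g = AND over one attribute from each of 2 authorities.
    return mpfe_leakage(identity, identity, U_mafe, [[both]], [[True], [True]])
```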
How to use MPFE to forecast?
• Composing FE for different functionalities and user models
• E.g., Multi-Authority ∘ ABE ∘ Inner-Product FE,
Decentralized ∘ PE ∘ Inner-Product FE, …
• Function Hiding DDFE
• Combining key materials intended for different users (unlike multi-authority, decentralized, etc.)
• E.g., Reputation-Based Encryption, …
This Work: New Positive Results
Function Class | Assumption
Multi-Authority AB-IPFE (for Monotone Span Programs) | Bilinear Groups (Composite order, or prime order in GGM)
Decentralized AB-IPFE with 1-sided Policy Hiding (for Inner Products) | Bilinear Groups (k-linear)
Function Hiding DDFE (for Inner Products) | Bilinear Groups (SXDH in ROM)
Distributed CP-ABE (for log-depth circuits) | LWE, Bilinear GGM
General feasibility result from MIFE.
[Paper for details.]
Multi-Authority AB-IPFE
• Recall ciphertext-policy ABE and IPFE
ABE
IPFE
Multi-Authority AB-IPFE
• Composing ciphertext-policy ABE and IPFE
ABIPFE
Equivalently we can say
AB-IPFE for monotone span programs from bilinear
[Abdalla-Catalano-Gay-Ursu20]
Multi-Authority AB-IPFE
• Decentralizing AB-IPFE
ABIPFE
Distributing Keys
(making multi-authority)
Constructing MA-AB-IPFE
• Starting point is the MA-ABE scheme of [Lewko-Waters11]
LW11 Simplified
View as ElGamal of $i$-th secret share
KEM is the secret shared
Upgrading to IPFE
• Natural first thought
  - Use ideas from literature on lifting PKE to IPFE [Abdalla-Bourse-DeCaro-Pointcheval15, …]
  - Crux is to rely on homomorphic structure of PKE
  - Encode each vector bit using independent PKE key
  - Decryption key for a vector is linear combination of underlying PKE keys
  - During decryption, user homomorphically computes to get a single PKE CT
  - Decrypt the final ciphertext using the linearly combined PKE key
• A very clean idea, BUT does not work for current MA-ABE
  - Briefly, the KEM key is chosen at encryption time and thus cannot be linearly combined for generating functional keys
Upgrading to IPFE: Simple trick
• KEM terms masked with each authority’s master key (using ElGamal)
• Give a projection of unmasking terms instead of KEM projection
• LSSS reconstruction touches rows of A, whereas the projection is on columns
• Randomness can be reused across masking terms (very crucial)
Constructing MA-AB-IPFE
Crucial
Proof Intuition
• First try
• Use proof strategy by merging LW11 + PKE-to-IPFE transformation
• LW11 uses dual system paradigm
• Relies on semi-functional CT distribution
• Ideas from PKE-to-IPFE not applicable (cannot switch CT to semi-functional)
• Main idea in a nutshell
• Introduce a new notion of partial semi-functional CTs
• CTs nominally semi-functional across all-but-one projected subspace
[Paper for details]
Concluding Remarks
Thank you!
ia.cr/2020/1266
• Multi-Party Functional Encryption
• Unifier with a simple framework
• Enables abstraction of technical ideas across user models
• Easier to interpolate the space of unexplored functionalities
• Many fascinating open questions raised by unexplored functionalities
• Built some natural functionalities from standard assumptions.