succint filterable decryption
TRANSCRIPT
-
7/28/2019 Succint Filterable Decryption
1/52
Reusable Garbled Circuits and
Succinct Functional Encryption
Shaf Goldwasser Yael Kalai Raluca Ada PopaVinod Vaikuntanathan Nickolai Zeldovich
MIT CSAIL Microsot Research University o Toronto
March 24, 2013
Abstract
Garbled circuits, introduced by Yao in the mid 80s, allow computing a unction f on an input xwithout leaking anything about f or x besides f(x). Garbled circuits ound numerous applications, butevery known construction suers rom one limitation: it oers no security i used on multiple inputs x.In this paper, we construct or the frst time reusable garbled circuits. The key building block is a new
succinct single-key unctional encryption scheme.
Functional encryption is an ambitious primitive: given an encryption Enc(x) o a value x, and a secretkey skf or a unction f, anyone can compute f(x) without learning any other inormation about x. Weconstruct, or the frst time, a succinctunctional encryption scheme or any polynomial-time unction
f where succinctness means that the ciphertext size does not grow with the size o the circuit or f, butonly with its depth. The security o our construction is based on the intractability o the Learning with
Errors (LWE) problem and holds as long as an adversary has access to a single key skf (or even an a priori
bounded number o keys or dierent unctions).
Building on our succinct single-key unctional encryption scheme, we show several new applications
in addition to reusable garbled circuits, such as a paradigm or general unction obuscation which we call
token-based obuscation, homomorphic encryption or a class o Turing machines where the evaluation
runs in input-specifc time rather than worst-case time, and a scheme or delegating computation which is
publicly verifable and maintains the privacy o the computation.
-
7/28/2019 Succint Filterable Decryption
2/52
Contents
1 Introduction 3
1.1 Our Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.1 Main Application: Reusable Garbled Circuits . . . . . . . . . . . . . . . . . . . . . 6
1.1.2 Token-Based Obuscation: a New Way to Circumvent Obuscation Impossibility
Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.1.3 Computing on Encrypted Data in Input-Specifc Time . . . . . . . . . . . . . . . . 7
1.1.4 Publicly Verifable Delegation with Secrecy . . . . . . . . . . . . . . . . . . . . . . 8
1.2 Technique Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2 Preliminaries 11
2.1 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2 Background on Learning With Errors (LWE) . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.3 Fully Homomorphic Encryption (FHE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.4 Background on Garbled Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.5 Attribute-Based Encryption (ABE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.5.1 Two-Outcome Attribute-Based Encryption . . . . . . . . . . . . . . . . . . . . . . 172.6 Functional Encryption (FE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.6.1 Security o Functional Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3 Our Functional Encryption Scheme 20
3.1 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.2 Proo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
4 Reusable Garbled Circuits 29
4.1 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
4.2 Proo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
4.3 Impossibility o Public-Key Reusable Garbled Circuits . . . . . . . . . . . . . . . . . . . . 35
5 Token-Based Obuscation 36
5.1 Defnition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.2 Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
6 Computing on Encrypted Data in Input-Specifc Time 38
6.1 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
6.2 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
6.3 Input-Dependent Output Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
A Detailed Background on Learning With Errors (LWE) 46
B Construction o Two-Outcome Attribute-Based Encryption 47
C Homomorphic Encryption or Turing Machines: Defnitions and Proos 49
C.1 Proo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
2
-
7/28/2019 Succint Filterable Decryption
3/52
1 Introduction
Breaches o confdential data are commonplace: personal inormation o millions o people, such as fnancial,
medical, customer, and employee data, is disclosed every year [Pri12, Ver]. These disclosures oten happen
because untrustworthy systems handle confdential data. As applications move to cloud computing platorms,
ensuring data confdentiality on third-party servers that may be untrustworthy becomes a top concern [Dav12].
A powerul technique or preventing data disclosures without having to ensure the server is trustworthy is
to encrypt the data provided to the server and then compute on the encrypted data. Thus, i the server does
not have access to the plaintext or to the decryption key, it will be unable to disclose confdential data. The
big leap o the last decade towards computing over encrypted data has been ully homomorphic encryption
(FHE) [Gen09, DGHV10, SS10b, BV11b, BV11a, Vai11, BGV12, GHS12a, GHS12b, LTV12, Bra12].
A undamental question with this approach is: who can decrypt the results o computations on encrypted
data? I data is encrypted using FHE, anyone can perorm a computation on it (with knowledge o the public
key), while the result o the computation can be decrypted only using the secret key. However, the secret
key allows decrypting all data encrypted under the corresponding public key. This model sufces or certain
applications, but it rules out a large class o applications in which the party computing on the encrypted data
needs to determine the computation result on its own. For example, spam flters should be able to determine
i an encrypted email is spam and discard it, without learning anything else about the emails content. WithFHE, the spam flter can run the spam detection algorithm homomorphically on an encrypted email and
obtain an encrypted result; however, it cannot tell i the algorithm deems the email spam or not. Having the
data owner provide the decryption key to the spam flter is not a solution: the spam flter can now decrypt all
the emails as well!
A promising approach to this problem is unctional encryption [SW05, GPSW06, KSW08, LOS+10,
OT10, ON10, BSW]. In unctional encryption, anyone can encrypt data with a master public key mpk
and the holder o the master secret key can provide keys or unctions, or example skf or unction f.Anyone with access to a key skf and a ciphertext c or x can obtain the result o the computation in plaintextorm: f(x). The security o FE requires that the adversary does not learn anything about x, other than thecomputation result f(x). It is easy to see, or example, how to solve the above spam flter problem with a
unctional encryption scheme. A user Alice publishes her public key online and gives the spam flter a key orthe fltering unction. Users sending email to Alice will encrypt the email with her public key. The spam flter
can now determine by itsel, or each email, whether to store it in Alices mailbox or to discard it as spam,
without learning anything about Alices email (except or whether it was deemed spam or not).
The recent impossibility result o Agrawal, Gorbunov, Vaikuntanathan and Wee [ AGVW12] says that
unctional encryption schemes where an adversary can receive an arbitrary number o keys or general
unctions are impossible or a natural simulation-based security defnition;1 stated dierently, any unctional
encryption scheme that can securely provide q keys or general unctions must have ciphertexts growinglinearly in q. Since any scheme that can securely provide a single key yields a scheme that can securelyprovide qkeys by repetition, the question becomes i one can construct a unctional encryption scheme thatcan securely provide a single key or a general unction under this simulation-based security defnition. Such
a single-key unctional encryption scheme is a powerul tool, enabling the applications we will discuss.In this paper, we construct the frst single-key unctional encryption scheme or a general unction that
is succinct: the size o the ciphertext grows with the depth d o the circuit computing the unction and is
1This impossibility result holds or non-adaptive simulation-based security, which is weaker than some existing simulation-based
defnitions such as adaptive security. Nevertheless, this result does not carry over to indistinguishability-based defnitions, or which
possibility or impossibility is currently an open question. In this paper, we are interested in achieving the simulation-based defnition.
3
-
7/28/2019 Succint Filterable Decryption
4/52
independent o the size o the circuit. Up until our work, the known constructions o unctional encryption
were quite limited. First, the works o Boneh and Waters [BW07], Katz, Sahai and Waters [KSW08], Agrawal,
Freeman and Vaikuntanathan [AFV11], and Shen, Shi and Waters [SSW09] show unctional encryption
schemes (based on dierent assumptions) or a very simple unction: the inner product unction fy (or avariant o it), that on input x outputs 1 i and only ix, y = 0.2 These works do not shed light on how toextend beyond inner products. Second, Sahai and Seyalioglu [SS10a] and Gorbunov, Vaikuntanathan andWee [GVW12] provide a construction or single-key unctional encryption or one general unction with a
non-succinctciphertext size (at least the size o a universal circuit computing the unctions allowed by the
scheme3). [SS10a] was the frst to introduce the idea o single-key unctional encryption and [GVW12] also
extends it to allow the adversary to see secret keys or q unctions o his choice, by increasing the size othe ciphertexts linearly with q where q is known in advance.4 We emphasize that the non-succinctness othese schemes is particularly undesirable and it precludes many useul applications o unctional encryption
(e.g., delegation, reusable garbled circuits, FHE or Turing machines), which we achieve. For example, in
the setting o delegation, a data owner wants to delegate her computation to a cloud, but the mere eort
o encrypting the data is greater than computing the circuit directly, so the owner is better o doing the
computation hersel.
We remark that unctional encryption (FE) arises rom, and generalizes, a beautiul sequence o papers on
attribute-based encryption (including [SW05, GPSW06, BSW07, GJPS08, LOS+10, Wat11, Wat12, LW12]),
and more generally predicate encryption (including [BW07, KSW08, OT09]). We denote by attribute-based
encryption (ABE) an encryption scheme where each ciphertext c o an underlying plaintext message mis tagged with a public attribute x. Each secret key skf is associated with a predicate f. Given a key skfand a ciphertext c = Enc(x, m), the message m can be recovered i and only if(x) is true. Whether themessage gets recovered or not, the attribute x is always public; in other words, the input to the computationof, x, leaks with attribute-based encryption, whereas with unctional encryption, nothing leaks about xother than f(x). Thereore, attribute-based encryption oers qualitatively weaker security than unctionalencryption. Attribute-based encryption schemes were also called public-index predicate encryption schemes
in the literature [BSW]. Boneh and Waters [BW07] introduced the idea o not leaking the attribute as in
unctional encryption (also called private-index unctional encryption).
Very recently, the landscape o attribute-based encryption has signifcantly improved with the works oGorbunov, Vaikuntanathan and Wee [GVW13], and Sahai and Waters [SW12], who construct attribute-based
encryption schemes or general unctions, and are a building block or our results.
1.1 Our Results
Our main result is the construction o a succinctsingle-key unctional encryption scheme or general unctions.
We demonstrate the power o this result by showing that it can be used to address the long-standing open
problem in cryptography o reusing garbled circuits, as well as making progress on other open problems.
We can state our main result as a reduction rom any attribute-based encryption and any ully
homomorphic encryption scheme. In particular, we show how to construct a (single-key and succinct)
unctional encryption scheme or any class o unctionsF
by using a homomorphic encryption scheme
which can do homomorphic evaluations or any unction in Fand an attribute-based encryption scheme or a2These inner-product schemes allow an arbitrary number o keys.3A universal circuit F is a circuit that takes as input a description o a circuit f and an input string x, runs fon x and outputs f(x).4Namely, parameter q (the maximum number o keys allowed) is fxed during setup, and the ciphertexts size grows linearly
with q.
4
-
7/28/2019 Succint Filterable Decryption
5/52
slightly larger class o unctions F; F is the class o unctions such that or any unction f F, the classF contains the unction computing the i-th bit o the FHE evaluation of.Theorem 1.1 (Inormal). There is a single-key unctional encryption scheme with succinct ciphertexts
(independent o circuit size) or the class o unctions Fassuming the existence o
a ully homomorphic encryption scheme or the class o unctions
F, and
a (single-key) attribute-based encryption scheme or a class o predicates F (as above).The literature has considered two types o security or ABE and FE: selective and ull security (see
Sec. 2.6). We show that i the underlying ABE scheme is selectively or ully secure, our resulting FE scheme
is selectively or ully secure, respectively.
Two very recent results achieve attribute-based encryption or general unctions. Gorbunov, Vaikun-
tanathan and Wee [GVW13] achieve ABE or general circuits o bounded depth based on the subexponential
Learning With Errors (LWE) intractability assumption. Sahai and Waters [SW12] achieve ABE or general
circuits under the less standard k-Multilinear Decisional Dife-Hellman (see [SW12] or more details);
however, when instantiated with the only construction o multilinear maps currently known [GGH12], they
also achieve ABE or general circuits o bounded depth. Our scheme can be instantiated with any o these
schemes because our result is a reduction.When coupling our theorem with the ABE result o [GVW13] and the FHE scheme o[BV11a, BGV12],
we obtain:
Corollary 1.2 (Inormal). Under the subexponential LWE assumption, or any depth d, there is a single-keyunctional encryption scheme or general unctions computable by circuits o depth d. The scheme hassuccinct ciphertexts: their size is polynomial in the depth d (and does not depend on the circuit size).
This corollary holds or both selective and ull security defnitions, since [ GVW13] constructs both
selectively secure and ully secure ABE schemes. However, the parameters o the LWE assumption are
dierent in the two cases (Sec. 2.3).
Another corollary o our theorem is that, given a universal ABE scheme (the scheme is or all classes o
circuits, independent o depth) and any ully homomorphic encryption scheme, there is a universal unctionalencryption scheme whose ciphertext size does not depend on the circuits size or even the circuits depth.
As mentioned, extending our scheme to be secure against an adversary who receives q keys isstraightorward. The basic idea is simply to repeat the scheme q times in parallel. This strategy results in theciphertext size growing linearly with q, which is unavoidable or the simulation-based security defnitionwe consider, because o the discussed impossibility result [AGVW12]. Stated in these terms, our scheme is
also a q-collusion-resistant unctional encryption scheme like [GVW12], but our schemes ciphertexts aresuccinct, whereas [GVW12]s are proportional to the circuit size.
From now on, we restrict our attention to the single-key case, which is the essence o the new scheme.
In the body o the paper we oten omit the single-key or succinct adjectives and whenever we reer to a
unctional encryption scheme, we mean a succinct single-key unctional encryption scheme.
We next show how to use our main theorem to make signifcant progress on some o the most intriguingopen questions in cryptography today: the reusability o garbled circuits, a new paradigm or general unction
obuscation, as well as applications to ully homomorphic encryption with evaluation running in input-specifc
time rather than in worst-case time, and to publicly verifable delegation. Succinctness plays a central role in
these applications and they would not be possible without it.
5
-
7/28/2019 Succint Filterable Decryption
6/52
1.1.1 Main Application: Reusable Garbled Circuits
A circuit garbling scheme, which has been one o the most useul primitives in modern cryptography, is a
construction originally suggested by Yao in the 80s in the context o secure two-party computation [Yao82].
This construction relies on the existence o a one-way unction to encode an arbitrary circuit C (garblingthe circuit) and then encode any input x to the circuit (where the size o the encoding is short, namely, it does
not grow with the size o the circuit C); a party given the garbling oC and the encoding ox can run thegarbled circuit on the encoded x and obtain C(x). The most basic properties o garbled circuits are circuitand input privacy: an adversary learns nothing about the circuit C or the input x other than the result C(x).
Over the years, garbled circuits and variants thereo have ound many applications: two party
secure protocols [Yao86], multi-party secure protocols [GMW87], one-time programs [GKR08], KDM-
security [BHHI10], verifable computation [GGP10], homomorphic computations [GHV10] and others.
However, a basic limitation o the original construction remains: it oers only one-time usage. Specifcally,
providing an encoding o more than one input compromises the secrecy o the circuit. Thus, evaluating the
circuit C on any new input requires an entirely new garbling o the circuit.The problem o reusing garbled circuits has been open or 30 years. Using our newly constructed succinct
unctional encryption scheme we are now able to build reusable garbled circuits that achieve circuit and
input privacy: a garbled circuit or any computation o depth d (where the parameters o the scheme dependon d), which can be run on any polynomial number o inputs without compromising the privacy o the circuitor the input. More generally, we prove the ollowing:
Theorem 1.3 (Inormal). There exists a polynomial p, such that or any depth unction d, there is a reusablecircuit garbling scheme or the class o all arithmetic circuits o depth d, assuming there is a single-keyunctional encryption scheme or all arithmetic circuits o depth p(d).5
Corollary 1.4 (Inormal). Under the subexponential LWE assumption, or any depth unction d, there existsa reusable circuit garbling scheme with circuit and input privacy or all arithmetic circuits o depth d.
Reusability o garbled circuits (or depth-bounded computations) implies a multitude o applications
as evidenced by the research on garbled circuits over the last 30 years. We note that or many o these
applications, depth-bounded computation sufces. We also note that some applications do not require circuit
privacy. In that situation, our succinct single-key unctional encryption scheme already provides reusable
garbled circuits with input-privacy and, moreover, the encoding o the input is a public-key algorithm.
We remark that [GVW13] gives a restricted orm o reusable circuit garbling: it provides authenticity o
the circuit output, but does not provide input privacy or circuit privacy, as we do here. Inormally, authenticity
means that an adversary cannot obtain a dierent yet legitimate result rom a garbled circuit. We note that
most o the original garbling circuit applications (e.g., two party secure protocols [Yao86], multi-party secure
protocols [GMW87]) rely on the privacy o the input or o the circuit.
One o the more intriguing applications o reusable garbled circuits pertains to a new model or program
obuscation, token-based obuscation, which we discuss next.
1.1.2 Token-Based Obuscation: a New Way to Circumvent Obuscation Impossibility Results
Program obuscation is the process o taking a program as input, and producing a unctionally equivalent but
dierent program, so that the new program reveals no inormation to a computationally bounded adversary
5For this application we need to assume that the underlying unctional encryption scheme is ully secure (as opposed to only
selectively secure).
6
-
7/28/2019 Succint Filterable Decryption
7/52
about the original program, beyond what black box access to the program reveals. Whereas ad-hoc program
obuscators are built routinely, and are used in practice as the main sotware-based technique to fght reverse
engineering o programs, in 2000 Barak et al. [BGI+01], ollowed by Goldwasser and Kalai [GK05], proved
that program obuscation or general unctions is impossible using sotware alone, with respect to several
strong but natural defnitions o obuscation.
The results o[BGI
+
01, GK05] mean that there exist unctions which cannot be obuscated. Still, the needto obuscate or garble programs remains. A long array o works attempts to circumvent the impossibility
results in various ways, including adding secure hardware components [GKR08, GIS+10, BCG+11], relaxing
the defnition o security [GR07], or considering only specifc unctions [Wee05, CKVW10].
The problem o obuscation seems intimately related to the garbled circuit problem where given a
garbling o a circuit C and an encoding or an input x, one can learn the result oC(x) but nothing else. Onecannot help but wonder whether the new reusable garbling scheme would immediately imply a solution or
the obuscation problem (which we know is impossible). Consider an example illustrating this intuition: a
vendor obuscates her program (circuit) by garbling it and then gives the garbled circuit to a customer. In
order to run the program on (multiple) inputs xi, the customer simply encodes the inputs according to thegarbling scheme and thus is able to compute C(xi). Unortunately, although close, this scenario does notwork with reusable garbled circuits. The key observation is that encoding x requires knowledge o a secretkey! Thus, an adversary cannot produce encoded inputs on its own, and needs to obtain tokens in the orm
o encrypted inputs rom the data owner.
Instead, we propose a new token-basedmodel or obuscation. The idea is or a vendor to obuscate an
arbitrary program as well as provide tokens representing rights to run this program on specifc inputs. For
example, consider that some researchers want to obtain statistics out o an obuscated database containing
sensitive inormation (the obuscated program is the program running queries with the secret database
hardcoded in it). Whenever the researchers want to input a query x to this program, they need to obtaina token or x rom the program owner. To produce each token, the program owner does little work. Theresearchers perorm the bulk o the computation by themselves using the token and obtain the computation
result without urther interaction with the owner.
Claim 1.5. Assuming a reusable garbling scheme or a class o circuits, there is a token-based obuscationscheme or the same class o circuits.
Corollary 1.6 (Inormal). Under the subexponential LWE assumption, or any depth unction d, there existsa token-based obuscation scheme or all arithmetic circuits o depth d.
It is worthwhile to compare the token-based obuscation model with previous work addressing obuscation
using trusted-hardware components such as [GIS+10, BCG+11]. In these schemes, ater a user fnishes
executing the obuscated program on an input, the user needs to interact with the trusted hardware to obtain
the decryption o the result; in comparison, in our scheme, the user needs to obtain only a token beore the
computation begins, and can then run the computation and obtain the decrypted result by hersel.
1.1.3 Computing on Encrypted Data in Input-Specifc Time
All current FHE constructions work according to the ollowing template. For a fxed input size, a program is
transormed into an arithmetic circuit; homomorphic evaluation happens gate by gate on this circuit. The
size o the circuit reects the worst-case running time o the program: or example, every loop is unolded
into the maximum number o steps corresponding to the worst-case input, and each unction is called the
7
-
7/28/2019 Succint Filterable Decryption
8/52
maximum number o times possible. Such a circuit can be potentially very large, despite the act that there
could be many inputs on which the execution is short.
A ascinating open question has been whether it is possible to perorm FHE ollowing a Turing-machine-
like template: the computation time is input-specifc and can terminate earlier depending on the input at hand.
O course, to compute in input-specifc time, the running time must unavoidably leak to the evaluator, but
such leakage is acceptable in certain applications and the efciency gains can be signifcant; thereore, such ascheme provides weaker security than ully homomorphic encryption (namely, nothing other than the running
time leaks about the input), at the increase o efciency.
Using our unctional encryption scheme, we show how to achieve this goal. The idea is to use the scheme
to test when an encrypted circuit computation has terminated, so the computation can stop earlier on certain
inputs. We overview our technique in Sec. 1.2.
Because the ciphertexts in our unctional encryption scheme grow with the depth o the circuits, such a
scheme is useul only or Turing machines that can be expressed as circuits o depth at most d(n) or inputso size n. We reer to such Turing machines as d-depth-bounded and defne them in Sec. 6.
Theorem 1.7. There is a scheme or evaluating Turing machines on encrypted inputs in input-specifc time
or any class od-depth-bounded Turing machines, assuming the existence o a succinct single-key unctional
encryption scheme or circuits o depth d,6 and a ully homomorphic encryption scheme or circuits o depthd.
Corollary 1.8. Under the subexponential LWE assumption, or any depth d, there is a scheme or evaluatingTuring machines on encrypted data in input-specifc time or any class o d-depth-bounded Turing machines.
1.1.4 Publicly Verifable Delegation with Secrecy
Recently, Parno, Raykova and Vaikuntanathan [PRV12] showed how to construct a 2-message delegation
scheme that is publicly verifable, in the preprocessing model, rom any attribute-based encryption scheme.
This reduction can be combined with [GVW13]s ABE scheme to achieve such a delegation scheme.
However, this scheme does not provide secrecy o the inputs: the prover can learn the inputs. By replacing
the ABE scheme in the construction o [PRV12] with our new unctional encryption scheme, we add secrecyto the scheme; namely, we obtain a delegation scheme which is both publicly verifable as in [PRV12] (anyone
can veriy that a transcript is accepting using only public inormation) and secret(the prover does not learn
anything about the input o the unction being delegated). 7 More specifcally, we construct a 2-message
delegation scheme in the preprocessing model that is based on the subexponential LWE assumption, and is
or general depth-bounded circuits, where the verifer works in time that depends on the depth o the circuit
being delegated, but is independent o the size o the circuit, and the prover works in time dependent on the
size o the circuit.
1.2 Technique Outline
Our unctional encryption scheme. We frst describe the ideas behind our main technical result: a reductionrom attribute-based encryption (ABE) and ully homomorphic encryption (FHE) to unctional encryption
(FE).
6As in previous applications, we need to assume that the underlying unctional encryption scheme is ully secure (as opposed to
only selectively secure).7We note that secrecy can be easily obtained by using an FHE scheme, however, this destroys public-verifability.
8
-
7/28/2019 Succint Filterable Decryption
9/52
Compute on encrypted data with FHE. A natural starting point is FHE because it enables computation on
encrypted data, which is needed with unctional encryption. Using FHE, the FE encryption o an input xconsists o an FHE encryption o x, denoted x, while the secret key or a unction f is simply f itsel. Thesemantic security o FHE provides the desired security (and more) because nothing leaks about x; however,
using FHE evaluation, the evaluator obtains an encrypted computation result,
f(x), instead o the decrypted
value f(x). Giving the evaluator the FHE decryption key is not an option because the evaluator can use it todecrypt x as well.Attempt to decrypt using a Yao garbled circuit. We would like the evaluator to decrypt the FHE ciphertextf(x), but not be able to decrypt anything else. An idea is or the owner to give the evaluator a Yao garbled
circuit or the FHE decryption unction FHE.Dec with the FHE secret key hsk hardcoded in it, namely agarbled circuit or FHE.Dechsk. When the owner garbles FHE.Dechsk, the owner also obtains a set o garbled
circuit labels {Li0, Li1}i. The evaluator must only receive the input labels corresponding to f(x): namely, thelabels {Libi}i where bi is the i-th bit o f(x). But this is not possible because the owner does not know apriori f(x) which is determined only ater the FHE evaluation; urthermore, ater providing more than oneset o labels (which happens when encrypting another input x), the security o the garbled circuit (and henceo the FHE secret key) is compromised. One idea is to have the owner and the evaluator interact, but the
syntax o unctional encryption does not allow interaction. Thereore, the evaluator needs to determine the seto labels corresponding to f(x) by hersel, and should not obtain any other labels.
Constraining decryption using ABE. It turns out that what we need here is very close to what ABE
provides. Consider the ollowing variant o ABE (called ABE2)that can be constructed easily rom a standard
ABE scheme. One encrypts a value y together with two messages m0, m1 and obtains a ciphertext c ABE2.Enc(y, m0, m1). Then, one generates a key or a predicate g: skg ABE2.KeyGen(g). The decryptionalgorithm on input c and skg outputs m0 ig(y) = 0 or outputs m1 ig(y) = 1.
Now consider using ABE2 multiple times, once or every i {1, . . . , size o f(x)}. For the i-thinvocation oABE2.Enc, let m0, m1 be the garbled labels L
i0, L
i1, and let y be x: ABE2.Enc(x, L
i0, L
i1).
Next, or the i-th invocation oABE2.KeyGen, let g be FHE.Evalif (the predicate returning the i-th bit o the
evaluation of on an input ciphertext): ABE2.KeyGen(FHE.Evalif). Then, the evaluator can use ABE2.Dec
to obtain the needed label: Libi where bi is the i-th bit o f(x). Armed with these labels and the garbled circuit,the evaluator decrypts f(x).
The security o the ABE scheme ensures the evaluator cannot decrypt any other labels, so the evaluator
cannot learn more than f(x). Finally, note that the one-time aspect o garbled circuits does not restrict thenumber o encryptions with our FE scheme because the encryption algorithm generates a new garbled circuit
every time; since the garbled circuit is or the FHE decryption algorithm (which is a fxed algorithm), the size
o the ciphertexts remains independent o the size o f.
We now explain how to use this result to obtain the aorementioned applications.
From FE to reusable garbled circuits. The goal o garbled circuits is to hide the input and the circuit C.Our succinct single-key FE already provides a reusable garbling scheme with input privacy (the single key
corresponds to the circuit to garble). To obtain circuit privacy, the insight is to leverage the secrecy o theinputs to hide the circuit. The frst idea that comes to mind is to generate a key or the universal circuit instead
o C, and include C in the ciphertext when encrypting an input. However, this approach will yield largeciphertexts, as large as the circuit size.
Instead, the insight is to garble C by using a semantically secure encryption scheme E.Enc together withour FE scheme: the garbling o C will be an FE secret key or a circuit U that contains E.Encsk(C); on
9
-
7/28/2019 Succint Filterable Decryption
10/52
input (sk, x), U uses sk to decrypt C and then runs C on the input x. The token or an input x will be an FEencryption o(sk, x). Now, even i the FE scheme does not hide E.Encsk(C), the security o the encryptionscheme E hides C.
Computing on encrypted data in input-specifc time. We now summarize our approach to evaluating a
Turing machine (TM) M homomorphically over encrypted data without running in worst-case time on all
inputs. Sec. 6 presents the scheme ormally.Our idea is to use our unctional encryption scheme to enable the evaluator to determine at various
intermediary steps in the evaluation whether the computation fnished or not. For each intermediary step, the
client provides a secret key or a unction that returns a bit indicating whether the computation fnished or not.
However, i the client provides a key or every computation step, then the amount o keys corresponds to the
worst-case running time. Thus, instead, we choose intermediary points spaced at exponentially increasing
intervals. In this way, the client generates only a logarithmic number o keys, namely or unctions indicating
i the computation fnishes in 1, 2, 4, . . . , 2i, . . . , 2log tmax steps, where tmax is the worst-case running timeoM on all inputs o a certain size.
Because o the single-key aspect o our FE scheme, the client cannot provide keys or an arbitrary number
o TMs to the evaluator. However, this does not mean that the evaluator can run only an a priori fxed
number o TMs on the encrypted data. The reason is that the client can provide keys or the universal TMs
U0, . . . , U log tmax, where TM Ui is the TM that on input a TM M and a value x, runs M on x or 2i steps
and outputs whether M fnished.Thereore, in an oine preprocessing phase, the client provides 1 + log tmax keys where the i-th key is
or a circuit corresponding to Ui, each key being generated with a dierent master secret key. The work othe client in this phase is at least tmax which is costly, but this work happens only once and is amortized overall subsequent inputs in the online phase.
In an online phase, the client receives an input x and wants the evaluator to compute M(x) or her. Theclient provides FE encryptions o(M, x) to the evaluator together with an FHE ciphertext (M, x) or (M, x)to be used or a separate FHE evaluation. The evaluator tries each key skUi rom the preprocessing phase and
learns the smallest i or which the computation oM on x stops in 2i steps. The evaluator then computes auniversal circuit o size O(2i) and evaluates it homomorphically over (M , x), obtaining the FHE encryption
oM(x). Thus, we can see that the evaluator runs in time polynomial in the runtime oM on x.
Publicly Verifable Delegation with Secrecy. Delegation schemes aim to enable a weak verifer to delegate
computation o a unction f on an input x to a prover who can then prove to the verifer that he computed theunction correctly. We now show that our single-key unctional encryption scheme provides an improvement
to publicly verifable delegation by adding secrecy. We present this improvement only inormally, because we
preer to ocus on the other applications.
We now briey recall the scheme o [PRV12] and then discuss how to modiy it; we reer the reader
to Section 2.6 or ormal defnitions o ABE and FE. There are two phases in the delegation scheme: the
preprocessing phase when the verifer prepares the computation f, and an online phase repeating many times,in which the verifer gives x to the prover who computes f(x) and proves the computation was correct.
In the preprocessing phase, the verifer generates two pairs o master secret and public keys (msk1,mpk1)
and (msk2,mpk2) or the underlying attribute-based encryption scheme. I f is the unction to delegate,the verifer uses msk1 to generate a key or f denoted skf, and msk2 to generate a key or the negation of, f(x) := 1 f(x), denoted skf. The verifer then sends both (mpk1,mpk2) and (skf, skf) to the prover.Generating skf and skf takes time that is proportional to the size o the circuit computing f, and thus is acostly operation. However, this is done only once in the preprocessing phase.
Whenever the verifer wants the prover to compute f on an input x, he chooses two random messages
10
-
7/28/2019 Succint Filterable Decryption
11/52
m1, m2 and sends the prover the encryptions o (x, m) under the two keys: (Enc(mpk1, x , m1) andEnc(mpk2, x , m2)). The properties o the attribute-based encryption scheme guarantees that, if(x) = 1,the prover obtains m1 using skf and using skf so no inormation about m0, and vice versa if(x) = 0.Thereore, the act that the prover provides m1 to the verifer is a proo that f(x) was 1.
Importantly, this delegation scheme can be made to have the desired property o being publicly verifable,
meaning that the verifer can produce a verifcation key with which anyone can check the provers work.This is done by having the verifer also send two point unction obuscations, one o the point m1 and theother o the point m2.
This reduction rom ABE to publicly verifable delegation can be combined with the recent result
o [GVW13] providing ABE schemes or any depth circuit: the result is a publicly verifable 2-message
delegation scheme in the preprocessing model or any depth d circuit with verifers work being proportionalto the depth d and the provers work proportional to the circuit size.
Note however, that this scheme is not secret because ABE does not hide the input x rom the prover. It iswell known that x can be made secret by encrypting everything using a ully homomorphic encryption scheme.However, this comes at the cost o losing the public verifability property. Our idea is to replace the ABE
scheme with our unctional encryption scheme in the protocol above; now the ciphertexts Enc(mpk1, x , m1)and Enc(mpk2, x , m2) hide x and the scheme provides secrecy because the prover learns nothing about xother than f(x). The public verifability o the scheme remains the same.
We remark that we could provide a stronger version o secrecy by also hiding the result f(x) rom theprover; such stronger secrecy is non-standard or delegation, so we do not delve on it. (The idea is or the
client to concatenate a random bit to each input x and have the unction f output the opposite result when thebit is set. In this way, the prover does not learn anything rom seeing which ciphertext decrypts to non-.)
2 Preliminaries
2.1 Notation
Let denote the security parameter throughout this paper. For a distribution
D, we say x
Dwhen x is
sampled rom the distribution D. I S is a fnite set, by x S we mean x is sampled rom the uniormdistribution over the set S. We use p() to denote that p is a unction that takes one input. Similarly, p(, )denotes a unction p that takes two inputs.
We say that a unction f is negligible in an input parameter , i or all d > 0, there exists K such thator all > K, f() < kd. For brevity, we write: or all sufciently large , f() = negl(). We saythat a unction f is polynomial in an input parameter , i there exists a polynomial p such that or all ,f() p(). We write f() = poly(). A similar defnition holds or polylog().
Let [n] denote the set {1, . . . , n} or n N. When saying that a Turing machine A is p.p.t. we meanthat A is a non-uniorm probabilistic polynomial-time machine.
In this paper, we only work with arithmetic circuits over GF(2). These circuits have two types o gates: +mod 2 and mod 2. Unless the context specifes otherwise, we consider circuits with one bit o output (alsocalled boolean).
Two ensembles, X = {X}N and Y = {Y}N, are said to be computationally indistinguishable(and denoted {X}N c {Y}N) i or every probabilistic polynomial-time algorithm D,
| Pr[D(X, 1) = 1] Pr[D(Y, 1) = 1]| = negl().
In our security defnitions, we will defne probabilistic experiments and denote by random variables their
11
-
7/28/2019 Succint Filterable Decryption
12/52
outputs. For example, ExprealE,A(1) denotes the random variable representing the output o the real experiment
or scheme E with adversary A on security parameter . Moreover, {ExprealE,A(1)}N denotes the ensembleo such random variables indexed by N.
2.2 Background on Learning With Errors (LWE)
The security o our results will be based on the Learning with Errors (LWE) assumption, frst introduced
by Regev [Reg05]. Regev showed that solving the LWE problem on average is (quantumly) as hard as
solving the approximate version o several standard lattice problems, such as gapSVP in the worst case.
Peikert [Pei09] later removed the quantum assumption rom a variant o this reduction. Given this connection,
we state all our results under worst-case lattice assumptions, and in particular, under (a variant o) the gapSVP
assumption. We reer the reader to [Reg05, Pei09] or details about the worst-case/average-case connection.
The best known algorithms to solve these lattice problems with an approximation actor 2
in -
dimensional lattices run in time 2O(1) [AKS01, MV10] or any constant 0 < < 1. Specifcally, given the
current state-o-the-art on lattice algorithms, it is quite plausible that achieving approximation actors 2
or
these lattice problems is hard or polynomial time algorithms.
Appendix A provides more detailed background inormation on LWE.
2.3 Fully Homomorphic Encryption (FHE)
The notion o ully homomorphic encryption was frst proposed by Rivest, Adleman and Dertouzos [RAD78]
in 1978. The frst ully homomorphic encryption scheme was proposed in a breakthrough work by Gentry in
2009 [Gen09]. A history and recent developments on ully homomorphic encryption is surveyed in [Vai11].
We recall the defnitions and semantic security o ully homomorphic encryption; the defnitions below are
based on [Vai11] with some adaptations.
Defnition 2.1. A homomorphic (public-key) encryption scheme FHE is a quadruple o polynomial time
algorithms (FHE.KeyGen,FHE.Enc,FHE.Dec,FHE.Eval) as ollows:
FHE.KeyGen(1) is a probabilistic algorithm that takes as input the security parameter 1 and outputsa public key pk and a secret key sk.
FHE.Enc(pk, x {0, 1}) is a probabilistic algorithm that takes as input the public key pk and an inputbitx and outputs a ciphertext .
FHE.Dec(sk, ) is a deterministic algorithm that takes as input the secret key sk and a ciphertextand outputs a message x {0, 1}.
FHE.Eval(pk, C , 1, 2, . . . , n) is a deterministic algorithm that takes as input the public key pk,some circuitC that takes n bits as input and outputs one bit, as well as n ciphertexts 1, . . . , n. Itoutputs a ciphertextC.
Compactness: For all security parameters , there exists a polynomial p() such that or all input sizes n, orall x1 . . . xn, or all C, the output length oFHE.Eval is at mostp(n) bits long.
Defnition 2.2 (C-homomorphism). LetC = {Cn}nN be a class o boolean circuits, where Cn is a set oboolean circuits taking n bits as input. A scheme FHE is C-homomorphic i or every polynomial n(), or
12
-
7/28/2019 Succint Filterable Decryption
13/52
every sufciently large security parameter , or every circuit C Cn, and or every input bit sequencex1, . . . , xn, where n = n(),
Pr[(pk, sk) FHE.KeyGen(1);i FHE.Enc(pk, xi) ori = 1 . . . n; FHE.Eval(pk, C , 1, . . . , n) :FHE.Dec(sk, ) = C(x1, . . . xn)] = negl().
where the probability is over the coin tosses oFHE.KeyGen andFHE.Enc.
Defnition 2.3 (Fully homomorphic encryption). A scheme FHE is ully homomorphic i it is homomorphic
or the class o all arithmetic circuits overGF(2).
Defnition 2.4 (Leveled ully homomorphic encryption). A leveled ully homomorphic encryption scheme
is a homomorphic scheme where FHE.KeyGen receives an additional input1d and the resulting scheme ishomomorphic or all depth-d arithmetic circuits overGF(2).
Defnition 2.5(IND-CPA security)
. A scheme FHE is IND-CPA secure i or any p.p.t. adversaryA
,Pr[(pk, sk) FHE.KeyGen(1) : A(pk,FHE.Enc(pk, 0)) = 1]Pr[(pk, sk) FHE.KeyGen(1) : A(pk,FHE.Enc(pk, 1)) = 1] = negl().
We now state the result o Brakerski, Gentry and Vaikuntanathan [BGV12] that shows a leveled ully
homomorphic encryption scheme based on the LWE assumption:
Theorem 2.1 ([BV11a, BGV12]). Assume that there is a constant 0 < < 1 such that or every sufcientlylarge , the approximate shortest vector problem gapSVP in dimensions is hard to approximate to withina 2O(
) actor in the worst case. Then, or every n and every polynomial d = d(n), there is an IND-CPAsecure d-leveled ully homomorphic encryption scheme where encrypting n bits produces ciphertexts o length
poly(n,,d1/
), the size o the circuit or homomorphic evaluation o a unction f is size(Cf)poly(n,,d1/
)and its depth is depth(Cf) poly(log n, log d).
All known ully homomorphic encryption schemes (as opposed to merely leveled schemes) require an
additional assumption related to circular security o the associated encryption schemes. However, we do
not need to make such an assumption in this work because we only use a leveled homomorphic encryption
scheme in our constructions.
2.4 Background on Garbled Circuits
We will now defne garbled circuits. Initially, garbled circuits were presented by Yao [ Yao82] in the context
o secure two-party computation and later, they were then proven secure by Lindell and Pinkas [LP09]. Very
recently, the notion has been ormalized by Bellare et al. [BHR12]. For simplicity, we present more concisedefnitions o garbled circuits than in [BHR12].
Defnition 2.6 (Garbling scheme). A garbling scheme or a amily o circuits C = {Cn}nN with Cn a seto boolean circuits taking as inputn bits, is a tuple o p.p.t. algorithms Gb = (Gb.Garble,Gb.Enc,Gb.Eval)such that
13
-
7/28/2019 Succint Filterable Decryption
14/52
Gb.Garble(1, C) takes as input the security parameter and a circuitC Cn or some n, and outputsthe garbled circuit and a secret key sk.
Gb.Enc(sk, x) takes as inputx {0, 1} and outputs an encoding c. Gb.Eval(, c) takes as input a garbled circuit , an encoding c and outputs a value y which should be
C(x).
Correctness. For any polynomial n(), or all sufciently large security parameters , orn = n(), orall circuits C Cn and all x {0, 1}n,
Pr[(, sk) Gb.Garble(1, C); c Gb.Enc(sk, x); y Gb.Eval(, c) : C(x) = y] = 1 negl().
Efciency. There exists a universal polynomial p = p(, n) (p is the same or all classes o circuits C)such that or all input sizes n, security parameters , or all boolean circuits C o with n bits o input, or allx {0, 1}n,
Pr[(, sk) Gb.Garble(1, C) : |sk| p(, n) and runtime(Gb.Enc(sk, x)) p(, n)] = 1.
Note that since Gb.Enc is a p.p.t. algorithm, it sufces to ensure that |sk| p(, n) and obtain thatGb.Encs runtime is also at most a polynomial. We preer to keep the runtime oGb.Enc in the defnition aswell or clarity.
Remark 2.2 (Remark on the efciency property). Intuitively, a garbling scheme is efcient i the time to
encode is shorter than the time to run the circuit. This requirement can be ormalized in a ew ways. A frst
defnition is as provided above in De. 2.6. Another defnition is to allow |sk| and the runtime oGb.Enc toalso depend on the depth o the circuits in C, but require that it does not depend on their size.Yao garbled circuits. The garbled circuits presented by Yao have a specifc property o the encoding scheme
that is useul in various secure unction evaluation protocols and in our construction as well. The secret key is
o the orm sk = {L0i , L
1i }
ni=1 and the encoding o an input x on bits is o the orm c = (L
x11 , . . . , L
xnn ),
where xi is the i-th bit ox.Two security guarantees are o interest: input privacy (the input to the garbled circuit does not leak to the
adversary), and circuit privacy (the circuit does not leak to the adversary). All these properties hold only or
one-time evaluation o the circuit: the adversary can receive at most one encoding o an input to use with a
garbled circuit; obtaining more than one encoding breaks these security guarantees.
Bellare et al. [BHR12] also present a third property which they call authenticity; inormally, this requires
that an adversary should not be able to come up with a dierent result o the garbled circuit that could be
de-garbled into a valid value. We do not present this property here because it is straightorward to show
that a garbling scheme with input and circuit privacy as we defne them below implies a dierent garbling
scheme with the authenticity property and we would need to provide a slightly more complicated syntax or
the defnition o garbled circuits (with an additional de-garbling algorithm).
We now present the one-time security o garbling circuits. The security defnition or reusable garbled
will be presented later, in Sec. 4.
Defnition 2.7 (Input and circuit privacy). A garbling scheme Gb or a amily o circuits {Cn}nN is inputand circuit private i there exists a p.p.t. simulatorSimGarble, such that or every p.p.t. adversaries A andD,or all sufciently large security parameters ,
14
-
7/28/2019 Succint Filterable Decryption
15/52
| Pr[(x,C,) A(1);(, sk) Gb.Garble(1, C); c Gb.Enc(sk, x) : D(,x,C, , c) = 1]Pr[(x,C,) A(1); (, c) SimGarble(1, C(x), 1|C|, 1|x|) : D(,x,C, , c) = 1]| = negl(),
where we consider only A such that or some n, x {0, 1}n andC Cn.Intuitively, this defnition says that, or any circuit or input chosen adversarially, one can simulate in
polynomial time the garbled circuit and the encoding solely based on the computation result (and relevantsizes). The variable represents any state that A may want to convey to D.
A ew variants o Yao garbling schemes exist (or example, [BHR12]) that provide both input and circuit
privacy under the basic one-way unction assumption. Any such construction is suitable or our scheme.
Theorem 2.3 ([Yao82, LP09]). Assuming one-way unctions exist, there exists a Yao (one-time) garbling
scheme that is input- and circuit-private or all circuits over GF(2).
2.5 Attribute-Based Encryption (ABE)
We now provide the defnition o attribute-based encryption rom the literature (e.g., [GPSW06, LOS+10,
GVW13]).
Defnition 2.8 (Attribute-Based Encryption). An attribute-based encryption scheme (ABE) or a class o
predicates P = {Pn}nN represented as boolean circuits with n input bits and one output bit and anassociated message space M is a tuple o algorithms (ABE.Setup, ABE.KeyGen, ABE.Enc, ABE.Dec) asollows:
ABE.Setup(1): Takes as input a security parameter 1 and outputs a public master key fmpk and amaster secret key fmsk.
ABE.KeyGen(fmsk, P): Given a master secret key fmsk and a predicate P Pn, or some n, outputsa key fskP corresponding to P.
ABE.Enc(fmpk, x , M ): Takes as input the public key fmpk, an attribute x
{0, 1
}n, or some n, and
a message M M and outputs a ciphertext c. ABE.Dec(fskP, c): Takes as input a secret key or a predicate and a ciphertext and outputs M M.
Correctness. For any polynomial n(), or every sufciently large security parameter, in = n(), or allpredicates P Pn, attributes x {0, 1}n, and messages M M:
Pr
(fmpk, fmsk) ABE.Setup(1);fskP ABE.KeyGen(fmsk, P);c ABE.Enc(fmpk, x , M ) :ABE.Dec(fskP, c) =
M, iP(x) = 1,
, otherwise.
= 1 negl().
The space {0, 1}n is reerred to as the attribute space (with an attribute size on) and M is reerred to asthe message space.
Intuitively, the security o ABE is that M is revealed only iP(x) = 1. Regarding the attribute x, ABEssecurity does not require any secrecy o the attribute, so x may leak no matter what is the value oP(x).Many ABE schemes have been proven secure under indistinguishability-based defnitions. Despite being
15
-
7/28/2019 Succint Filterable Decryption
16/52
weaker than simulation-based defnitions, such defnitions sufce or the security o our construction, so
we present them here. Two notions o security have been used in previous work: ull and selective security.
Full security allows the adversary to provide the challenge ciphertext ater seeing the public key, whereas
in selective security, the adversary must provide the challenge ciphertext beore seeing the public key. We
present both in the ull security and selective security cases, because the ABE primitive we use [GVW13]
achieves them with dierent parameters o the gapSVP assumption. We only provide the security defnitionor the case when the adversary can ask or a single key because this is all we need or our results.
Defnition 2.9 (Attribute-based encryption security). LetABE be an attribute-based encryption scheme or
a class o predicates P= {Pn}nN, and an associated message space M, and letA = (A1, A2, A3) be atriple o p.p.t. adversaries. Consider the ollowing experiment.
ExpABE(1):
1: (fmpk, fmsk) ABE.Setup(1)2: (P, state1) A1(fmpk)3: fskP ABE.KeyGen(fmsk, P)4: (M0, M1, x, state2) A2(state1, fskP)5: Choose a bit b at random and let c ABE.Enc(fmpk, x , M b).6: b A3(state2, c). I|M0| = |M1|, P(x) = 0, and b = b, output 1, else output 0.
We say that the scheme is a single-key ully-secure attribute-based encryption i or all p.p.t. adversaries
A, and or all sufciently large :
Pr[ExpABE,A(1) = 1] 1/2 + negl().
We say that the scheme is single-key selectively secure i the same statement holds or a slightly modifed
game in which A provides x beore receiving fmpk.
Attribute-based encryption schemes have been constructed or the class o Boolean ormulas [GPSW06,LOS+10] and most recently or the class o all polynomial-size circuits: Gorbunov, Vaikuntanathan and
Wee [GVW13] based on the subexponential Learning With Errors (LWE) intractability assumption, and Sahai
and Waters [SW12] based on the k-Multilinear Decisional Dife-Hellman (see [SW12] or more details). Our
reduction can start rom any o these schemes, but in this paper, we choose [GVW13] because it is based on
LWE, which is a more standard assumption and is also the assumption or our other building block, FHE.
Beore we state the results o Gorbunov, Vaikuntanathan and Wee [GVW13], we will set up some notation.
Let d and p be two univariate polynomials. Defne Cn,d(n),p(n) to be the class o all boolean circuits on ninputs o depth at most d(n) and size at most p(n). Let Cn,d(n) :=
polynomial p
Cn,d(n),p(n). An attribute-basedencryption or unctional encryption scheme that supports circuits in Cn,d(n) is called a d-leveled attribute-based encryption or unctional encryption scheme, respectively. We also reer to an ABE or FE scheme as
leveled, i it is d-leveled or some d. We are now ready to state the theorem o [GVW13].
Theorem 2.4 ([GVW13]). Assume that there is a constant 0 < < 1 such that or every sufciently large ,the approximate shortest vector problem gapSVP in dimensions is hard to approximate by a polynomialalgorithm to within a 2O(
) actor in the worst case. Then, or every n and every polynomial d = d(n),there is a selectively secure d-leveled attribute-based encryption scheme where encrypting n bits producesciphertexts o length poly(n,,d1/).
16
-
7/28/2019 Succint Filterable Decryption
17/52
Furthermore, assuming thatgapSVP in dimensions is hard to approximate to within a 2O() actorin
time 2O(), the scheme is ully secure with ciphertexts o length poly(n,,d1/
2
).In either case, the scheme is secure with polynomially many secret-key queries.
2.5.1 Two-Outcome Attribute-Based Encryption
We use an attribute-based encryption scheme with a slightly modifed defnition. The setup and key generation
algorithms are the same as in previous schemes. The dierence is in the encryption and decryption algorithms:
instead o encrypting one message M in one ciphertext, we encrypt two messages M0 and M1 in the sameciphertext such that M0 is revealed i the predicate evaluates to zero on the attribute, and M1 is revealed ithe predicate evaluates to one. Since there are two possible outcomes o the decryption algorithm, we call the
modifed scheme a two-outcome attribute-based encryption scheme. Such a variant o ABE has been used or
other purposes by [PRV12].
Defnition 2.10 (Two-Outcome Attribute-Based Encryption). A two-outcome attribute-based encryption
scheme (ABE2) or a class o predicates P= {Pn}nN represented as boolean circuits with n input bits,and a message space M is a tuple o algorithms (ABE2.Setup, ABE2.KeyGen, ABE2.Enc, ABE2.Dec) asollows:
ABE2.Setup(1): Takes as input a security parameter1 and outputs a public master key fmpk and amaster secret key fmsk.
ABE2.KeyGen(fmsk, P): Given a master secret key fmsk and a predicate P P, outputs a key fskPcorresponding to P.
ABE2.Enc(fmpk, x , M 0, M1): Takes as input the public key fmpk, an attribute x {0, 1}n, or somen, and two messages M0, M1 M and outputs a ciphertext c.
ABE2.Dec(fskP, c): Takes as input a secret key or a predicate and a ciphertext and outputs M M.
Correctness. For any polynomial n(), or every sufciently large security parameter, in = n(), or allpredicates P Pn, attributes x {0, 1}n, messages M0, M1 M:
Pr
(fmpk, fmsk) ABE2.Setup(1);fskP ABE2.KeyGen(fmsk, P);c ABE2.Enc(fmpk, x , M 0, M1);M ABE2.Dec(fskP, c) :M = MP(x)
= 1 negl().We now defne the security or single-key two-outcome attribute-based encryption. Intuitively, the security
defnition requires that, using a token or a predicate P, an adversary can decrypt one o the two messagesencrypted in C based on the evaluation o P on the attribute, but does not learn anything about the othermessage.
Defnition 2.11 (Two-outcome attribute-based encryption security). LetABE2 be a two-outcome attribute-
based encryption scheme or the class o predicates P= {Pn}nN and associated message space M and letA = (A1, A2, A3) be a triple o p.p.t. adversaries. Consider the ollowing experiment.
17
-
7/28/2019 Succint Filterable Decryption
18/52
ExpABE2 (1):
1: (fmpk, fmsk) ABE2.Setup(1)2: (P, state1) A1(fmpk)3: skP ABE2.KeyGen(fmsk, P)4: (M, M0, M1, x, state2) A2(state1, skP)5: Choose a bit b at random. Then, let
c =
ABE2.Enc(fmpk, x , M , M b), iP(x) = 0,
ABE2.Enc(fmpk, x , M b, M), otherwise.
6: b A3(state2, c). Ib = b, n such that, or all P Pn, messages M, M0, M1 M, |M0| = |M1|,x {0, 1}n, output 1, else output 0.
We say that the scheme is a ully-secure single-key two-outcome ABE i or all p.p.t. adversaries A, andor all sufciently large security parameters :
Pr[ExpABE2,A(1) = 1] 1/2 + negl().
The scheme is single-key selectively secure i A needs to provide x beore receiving fmpk.
As beore, we need only a single-key ABE2 scheme or our construction.
A class o predicates {Pn}n is closed under negation i or all input sizes n and or all predicates p Pn,we have p Pn; p is the negation op, namely p(y) = 1 p(y) or all y.Claim 2.5. Assuming there is an ABE scheme or a class o predicates closed under negation, there exists a
two-outcome ABE scheme or the same class o predicates.
The proo o this claim is immediate and we present it in Appendix B, or completeness.
2.6 Functional Encryption (FE)
We recall the unctional encryption defnition rom the literature [KSW08, BSW, GVW12] with some
notational changes.
Defnition 2.12 (Functional Encryption). A unctional encryption scheme FE or a class o unctions F={Fn}nN represented as boolean circuits with an n-bit input, is a tuple o our p.p.t. algorithms (FE.Setup,FE.KeyGen, FE.Enc, FE.Dec) such that:
FE.Setup(1) takes as input the security parameter 1 and outputs a master public key fmpk and amaster secret key fmsk.
FE.KeyGen(fmsk, f) takes as input the master secret key fmsk and a unction f Fand outputs akey fskf.
FE.Enc(fmpk, x) takes as input the master public key fmpk and an inputx {0, 1} and outputs aciphertextc.
FE.Dec(fskf, c) takes as input a key fskf and a ciphertextc and outputs a value y.
18
-
7/28/2019 Succint Filterable Decryption
19/52
Correctness. For any polynomial n(), or every sufciently large security parameter, orn = n(), or allf Fn, and all x {0, 1}n,
Pr[(fmpk, fmsk) FE.Setup(1); fskf FE.KeyGen(fmsk, f); c FE.Enc(fmpk, x) :FE.Dec(fskf, c) = f(x)] = 1 negl().
2.6.1 Security o Functional Encryption
Intuitively, the security o unctional encryption requires that an adversary should not learn anything about
the input x other than the computation result C(x), or some circuit C or which a key was issued (theadversary can learn the circuit C). As mentioned, two notions o security have been used in previous work:ull and selective security, with the same meaning as or ABE. We present both defnitions because we achieve
them with dierent parameters o the gapSVP assumption. Our defnitions are simulation-based: the security
defnition states that whatever inormation an adversary is able to learn rom the ciphertext and the unction
keys can be simulated given only the unction keys and the output o the unction on the inputs.
Defnition 2.13. (FULL-SIM-Security ) LetFE be a unctional encryption scheme or the amily o unctions
F= {Fn}nN. For every p.p.t. adversary A = (A1, A2) and p.p.t. simulatorS, consider the ollowing twoexperiments:
ExprealFE,A(1): ExpidealFE,A,S(1
):
1: (fmpk, fmsk) FE.Setup(1)2: (f, stateA) A1(fmpk)3: fskf FE.KeyGen(fmsk, f)4: (x, stateA) A2(stateA, fskf)
5: c FE.Enc(fmpk, x)6: Output (stateA, c)
5: c S(fmpk, fskf, f , f (x), 1|x|)6: Output (stateA, c)
The scheme is said to be (single-key) FULL-SIMsecure i there exists a p.p.t. simulator S such thator all pairs o p.p.t. adversaries (A1, A2), the outcomes o the two experiments are computationallyindistinguishable:
ExprealFE,A(1)
N
cExpidealFE,A,S(1
)
N
.
We now defne selective security, which is a weakening o ull security, by requiring the adversary to
provide the challenge input x beore seeing the public key or any other inormation besides the securityparameter. We simply speciy the dierence rom ull security.
Defnition 2.14 (SEL-SIM-Security). The same as De. 2.13, but modiy the game so that the frst step
consists oA speciying the challenge inputx given only the security parameter.
It is easy to see that the ull simulation defnition (FULL-SIM-security) implies the selective defnition
(SEL-SIM-security).
The literature [BSW, AGVW12] has considered another classifcation or simulation-based defnitions:
adaptive versus non-adaptive security. In the adaptive case, the adversary is allowed to ask or a unction
f ater seeing the ciphertext c or an input x. In the non-adaptive case, the adversary must frst provide f
19
-
7/28/2019 Succint Filterable Decryption
20/52
and only then ask or encryptions o inputs x. Our defnition alls in the non-adaptive category. Boneh etal. [BSW] have shown that adaptive simulation-based security is unachievable even or single-key unctional
encryption or the simple unctionality o identity-based encryption. As such, the adaptive defnition appears
too strong and is unachievable or general unctionalities, so we use non-adaptive security.
Remark 2.6. Attribute-based encryption can be viewed as unctional encryption or a specifc class o
unctionalities, where the additional inormation leaked is part o the output to the unction. Namely, consider
a class o unctions Fwhose plaintext space consists o pairs o values rom {0, 1}n M, where {0, 1}nis the attribute space (with an attribute size on) andM is the message space. The class o unctions or
ABE is more specifc: there exists an associated predicate class P= {Pn}nN to Fsuch that or every n, orevery f Fn, there is an associated predicate P Pn to f such that
f(x, M) =
(x, M), iP(x) = 1,
(x, ), otherwise.
Since the attribute x is in the output o the unction no matter what P is, x leaks rom the scheme no matterwhat (x is public). Thereore, this unctionality leads to weaker security guarantees than unctional encryption
in a conceptual way: the value to be computed on, x, leaks with ABE (whereas the value M on which P doesnot compute remains secret when P(x) = 0), whereas the input x to the computation is hidden with FE.
3 Our Functional Encryption Scheme
In this section, we present our main result: the construction o a unctional encryption scheme FE. We reer
the reader to the introduction (Sec. 1.2) or an overview o our approach, and we proceed directly with the
construction here.
We use three building blocks in our construction: a (leveled) ully homomorphic encryption scheme FHE,
a (leveled) two-outcome attribute-based encryption scheme ABE2, and a Yao garbling scheme Gb.
We let FHE.Evalf(hpk, ) denote the circuit that perorms homomorphic evaluation o the unction f
on the vector o ciphertexts := (1, . . . , n) using the public key hpk, and we will let FHE.Evalif(hpk, )denote the predicate that computes the i-th output bit oFHE.Evalf(hpk, ). Namely,
FHE.Evalf(hpk, ) =FHE.Eval1f(hpk, ), . . . ,FHE.Eval
f(hpk, )
,
where = () =FHE.Evalf(hpk, ). Our main theorem then says:
Theorem 3.1. There is a (ully/selectively secure) single-key unctional encryption scheme FE =(FE.Setup,FE.KeyGen, FE.Enc,FE.Dec) or any class o circuits C that take n bits o input and produce aone-bit output, assuming the existence o the ollowing primitives:
an IND-CPA-secure
C-homomorphic encryption scheme FHE = (FHE.KeyGen, FHE.Enc, FHE.Eval,
FHE.Dec);
a (ully/selectively secure) single-key attribute-based encryption scheme ABE = (ABE.Setup,ABE.KeyGen,ABE.Enc,ABE.Dec) or the class o predicates P= PC,FHE where
PC,FHE = {FHE.EvaliC, 1 FHE.EvaliC : C C andi {1, . . . , }}; and
20
-
7/28/2019 Succint Filterable Decryption
21/52
a Yao garbling scheme Gb = (Gb.Garble,Gb.Enc,Gb.Eval) that is input- and circuit-private.The succinctness property o the unctional encryption scheme is summarized as ollows: the size o the
ciphertexts ctsizeFE(n) in the resulting scheme orn bits o input is
2
ctsizeFHE
ctsizeABE(n ctsizeFHE + pksizeFHE)+ poly(, ctsizeFHE, sksizeFHE).where ctsizeABE(k) denotes the size o the ciphertexts in the attribute-based encryption scheme or a k-bitattribute and a poly()-bit message, ctsizeFHE denotes the size o the ciphertexts in the ully homomorphicencryption scheme or a single-bit message andpksizeFHE (resp. sksizeFHE) denotes the size o the public key
(resp. secret key) in the ully homomorphic encryption scheme.
Since garbling schemes can be constructed rom one-way unctions, our theorem says that we can move
rom attribute-based encryption, in which the part o the input that the unction computes on leaks, to a
unctional encryption scheme, in which no part o the input leaks using ully homomorphic encryption and
Yao garbled circuits.
We can see that i the ciphertext size in the ABE scheme and the ully homomorphic encryption scheme
does not depend on the circuit size (and thus, those schemes are by themselves succinct), then neither will the
resulting ciphertexts o the FE scheme depend on the circuit size; namely, the reduction does not blow up the
ciphertexts and is succinctness-preserving. We know o both a leveled FHE scheme and a leveled ABE
scheme ([GVW13]) with ciphertext lengths independent o the size o the circuits to evaluate; the ciphertext
size in these schemes just depends on the depth o the circuits.
We note that ully homomorphic encryption schemes with succinct ciphertexts that are also independent
o depth are known, albeit under the stronger assumption o circular security o the underlying schemes. Thus,
i the result o [GVW13] can be improved to remove the depth dependency o the ciphertexts in the ABE
scheme, one automatically obtains a corresponding result or ABE using our reduction.
Our theorem needs the ABE scheme to be secure only with a single key, even though the recent
constructions [GVW13] and [SW12] can tolerate an arbitrary number o keys.
Our main theorem is thus a reduction, which has a number o useul corollaries. The frst and perhaps
the most important one shows how to combine the leveled ully homomorphic encryption scheme rom[BV11a, BGV12] with the recent construction o a leveled attribute-based encryption scheme rom [GVW13]
to obtain a leveled unctional encryption scheme based solely on the hardness o LWE. In other words, the
corollary says that or every depth d, there is a unctional encryption scheme or the class o all Booleancircuits o (arbitrary) polynomial size and depth at most d. The size o the ciphertexts in the scheme growswith d, and is o course independent o the size o the circuits it supports.
Let d and p be polynomial unctions. Defne Cn,d(n),p(n) to be the class o all Boolean circuits on n inputso depth at most d(n) and size at most p(n). Let Cn,d(n) :=
polynomial p
Cn,d(n),p(n).Corollary 3.2 (The LWE Instantiation). We have the ollowing two constructions o unctional encryption
based on the worst-case hardness o lattice problems:
Assume that there is a constant 0 < < 1 such that or every sufciently large , the approximateshortest vector problem gapSVP in dimensions is hard to approximate to within a 2O(
) actor
(in polynomial time) in the worst case. Then, or every n and every polynomial d = d(n), there isa selectively-secure (succinct single-key) unctional encryption scheme or the class Cn,d(n) whereencrypting n bits produces ciphertexts o length poly(n,,d1/).
21
-
7/28/2019 Succint Filterable Decryption
22/52
Assume that there is a constant 0 < < 1 such that or every sufciently large , the approximateshortest vector problem gapSVP in dimensions is hard to approximate to within a 2O(
) actor
in time 2O() in the worst case. Then, or every n and every polynomial d = d(n), there is a ully-
secure (succinct single-key) unctional encryption scheme or the class Cn,d(n) where encrypting n bitsproduces ciphertexts o length poly(n1/, , d1/
2
).
The corollary ollows directly rom Theorem 3.1, by invoking the leveled ully homomorphic encryption
scheme o[BV11a] (see Theorem 2.1) and the leveled attribute-based encryption scheme o [GVW13] (see
Theorem 2.4). The concrete constructions and proos in act go through the learning with errors (LWE)
problem; we reer to [BV11a, GVW13] or the concrete setting o parameters.
Letting universal attribute-based encryption or unctional encryption denote a single attribute-based
encryption or unctional encryption scheme scheme, respectively, that supports the class o all polynomial-size
circuits, we have the ollowing corollary:
Corollary 3.3 (Universal Functional Encryption). Assuming that ully homomorphic encryption schemes exist
and universal single-key attribute-based encryption schemes exist, there is a universal single-key unctional
encryption scheme.
O the two prerequisites mentioned above, we know that ully homomorphic encryption schemes exist
(albeit under stronger assumptions than merely LWE). Thus, the corollary provides a way to immediately
translate any universal attribute-based encryption scheme into a unctional encryption scheme. We point out
that universal unctional encryption schemes, by defnition, have succinct ciphertexts.
A recent result o Gorbunov, Vaikuntanathan and Wee [GVW12] shows how to generically convert
single-key unctional encryption schemes into q-keys unctional encryption schemes or any bounded q,where the latter provide security against an attacker that can obtain secret keys o up to q unctions o herchoice. The size o the ciphertexts in the q-keys scheme grows polynomially with q.
Corollary 3.4 (Many queries, using [GVW12]). For every q = q(), there is a (ully/selectively-secure)q-keys succinct unctional encryption scheme or any class o circuits C that take n bits o input and produce aone-bit output, assuming the existence o primitives as in Theorem 3.1. The size o the ciphertexts ctsize
FE(n)
in the resulting scheme is q times as large as in Theorem 3.1.
Finally, a unctional encryption scheme or circuits that output multiple bits can be constructed by
thinking o the circuit as many circuits each with one-bit output, and modiying the key generation procedure
to produce keys or each o them. This gives us the ollowing corollary although we remark that more efcient
methods o achieving this directly are possible using homomorphic encryption schemes that pack multiple
bits into a single ciphertext [SV11, BGV12, GHS12a].
Corollary 3.5 (Many queries, many output bits). For every q = q() and k = k(n), there is a(ully/selectively secure) q-keys unctional encryption scheme or any class o circuits C that take n bits oinput and produce k bits o output, assuming the existence o primitives as in Theorem 3.1. The size o theciphertexts ctsizeFE(n) in the resulting scheme is qk times as large as in Theorem 3.1.
Remark 3.6 (On the necessity o single-key security). We note that even though the work o [GVW13]
provides an attribute-based scheme that is secure even i the adversary obtains secret keys or polynomially
many unctions, our theorem gives us only a single-key secure scheme. Indeed, this is inherent by the
impossibility result o [AGVW12] i we ask or (even a very weak notion o) simulation security, as we do
here. Corollary 3.4 gives us a way to get (simulation-)security with q queries or any a priori bounded q,albeit at the expense o the ciphertext growing as a unction o q.
22
-
7/28/2019 Succint Filterable Decryption
23/52
Remark 3.7 (On composing our unctional encryption scheme). One might wonder i chaining is possible
with our FE scheme. Namely, one could try to generate keys or a unction f that computes another unctionf1 on an inputx and then outputs f1(x) together with a new encryption ox under a dierent public key orthe FE scheme. The new encryption o x could be used to compute a second unction f2(x) and an encryptionox under yet another public key. This chain could potentially repeat and its beneft is that it allows us to
compute multiple unctions on x (and overcome the single-key property). However, this approach allows onlya very small number o iterations because, in order to produce one bit o output rom FE.Dec, the ciphertextsoutput by FE.Enc are polynomial in . To obtain an FE ciphertext as result oFE.Dec, one needs to havestarted with ciphertexts o size quadratic in the frst polynomial. I we want to chain the scheme q times, theoriginal ciphertext must have been exponential in q.
3.1 Construction
For simplicity, we construct FE or unctions outputting one bit; unctions with larger outputs can be handled
by repeating our scheme below or every output bit.
From Claim 2.5, the existence o a secure single-key ABE scheme implies the existence o a two-outcome
single-key ABE scheme, which we denote ABE2. Let = () be the length o the ciphertexts in the FHE
scheme (both rom encryption and evaluation). The construction oFE = (FE.Setup, FE.KeyGen, FE.Enc,FE.Dec) proceeds as ollows.
Setup FE.Setup(1): Run the setup algorithm or the two-outcome ABE scheme times:
(fmpki, fmski) ABE2.Setup(1) or i [].
Output as master public key and secret key:
MPK = (fmpk1, . . . , fmpk) and MSK = (fmsk1, . . . , fmsk).
Key Generation FE.KeyGen(MSK, f): Let n be the number o bits in the input to the circuit f. Ihpk isan FHE public key and 1, . . . , n are FHE ciphertexts, recall that FHE.Eval
i
f
(hpk, 1, . . . , n) is the i-thbit o the homomorphic evaluation of on 1, . . . , n (FHE.Eval(hpk, f , 1, . . . , n)), where i []. Thus,FHE.Evalif : {0, 1}|hpk| {0, 1}n {0, 1}.
1. Run the key generation algorithm oABE2 or the unctions FHE.Evalif (under the dierent master
secret keys) to construct secret keys:
fski ABE2.KeyGen(fmski,FHE.Evalif) or i [].
2. Output the tuple fskf := (fsk1, . . . , fsk) as the secret key or the unction f.
Encryption FE.Enc(MPK, x): Let n be the number o bits ox, namely x = x1 . . . xn. Encryption proceeds
in three steps.
1. Generate a resh key pair (hpk, hsk) FHE.KeyGen(1) or the (leveled) ully homomorphicencryption scheme. Encrypt each bit o x homomorphically: i FHE.Enc(hpk, xi). Let :=(1, . . . , n) be the encryption o the input x.
23
-
7/28/2019 Succint Filterable Decryption
24/52
2. Run the Yao garbled circuit generation algorithm to produce a garbled circuit or the FHE decryption
algorithm FHE.Dec(hsk, ) : {0, 1} {0, 1} together with 2 labels Lbi or i [] and b {0, 1}.Namely,
, {L0i , L1i }i=1
Gb.Garble(1,FHE.Dec(hsk, )),
where is the garbled circuit and the Lbi are the input labels.
3. Produce encryptions c1, . . . , c using the ABE2 scheme:
ci ABE2.Encfmpki, (hpk, ), L
0i , L
1i
or i [],
where (hpk, ) comes rom the frst step, and the labels (L0i , L1i ) come rom the second step.
4. Output the ciphertext c = (c1, . . . , c, ).
Decryption FE.Dec(fskf, c):
1. Run the ABE2 decryption algorithm on the ciphertexts c1, . . . , c to recover the labels or the garbledcircuit. In particular, letLdii ABE2.Dec(fski, ci) or i [],
where di is equal to FHE.Evalif(hpk, ).
2. Now, armed with the garbled circuit and the labels Ldii , run the garbled circuit evaluation algorithmto compute
Gb.Eval(, Ld11 , . . . , Ld ) = FHE.Dec(hsk, d1d2 . . . d) = f(x).
3.2 Proo
We now proceed to prove Theorem 3.1 by proving that the theorem holds or our construction above.
Proo o Theorem 3.1. We frst argue correctness.
Claim 3.8. The above scheme is a correct unctional encryption scheme (De. 2.12).
Proo. Let us examine the values we obtain in FE.Dec(fskf, c1, . . . , c, ). In Step (1), by the correctness othe ABE2 scheme used, di is the i-th bit oFHE.Evalf(hpk, ).
Thereore, the inputs to the garbled circuit in Step (2) are the labels corresponding toFHE.Evalf(hpk, ).By the correctness o the FHE scheme, decrypting FHE.Evalf(hpk, ) results in f(x). Finally, by thecorrectness o the garbling scheme, the FHE ciphertext gets decrypted correctly, yielding f(x) as the outputoFE.Dec.
We now prove the succinctness property which ollows directly rom our construction. The output oFE.Enc consists o ABE2 ciphertexts and a garbled circuit. First, equals ctsizeFHE. Second, each ABE2ciphertext consists o two ABE ciphertexts generated by ABE.Enc on input nctsizeFHE + pksizeFHE bits. Thelabels o the garbled circuit are poly() in size. Third, the garbled circuit is the output oGb.Garble so itssize is polynomial in the size o the input circuit, which in turn is polynomial in sksizeFHE and ctsizeFHE.
Thereore, overall, we obtain 2ctsizeFHEctsizeABE(n ctsizeFHE+pksizeFHE)+poly(, sksizeFHE, ctsizeFHE).
24
-
7/28/2019 Succint Filterable Decryption
25/52
We can thus see that iFHE and ABE produce ciphertexts independent o the circuit size, then so will our
unctional encryption scheme.
We ocus on the ull security case: namely, assuming ABE2 is ully secure, we show that the resulting FE
scheme is ully secure. We then discuss the proo or the selective case.
For ull security, we construct a p.p.t. simulator S that achieves De. 2.13. S receives as input
(MPK, fskf, f , f (x), 1
n
) and must output c such that the real and ideal experiments in De. 2.13 arecomputationally indistinguishable. Intuitively, S runs a modifed version oFE.Enc to mask the act that itdoes not know x.Simulator S on input (MPK, fskf, f , f (x), 1
n):
1. Choose a key pair (hpk, hsk) FHE.KeyGen(1) or the homomorphic encryption scheme (where Scan derive the security parameter rom the sizes o the inputs it gets). Encrypt 0n (n zero bits) withFHE by encrypting each bit individually and denote the ciphertext 0 := (01 FHE.Enc(hpk, 0),. . .,0n FHE.Enc(hpk, 0)).
2. Let SimGarble be the simulator or the Yao garbling scheme (described in De. 2.7) or the class o
circuits corresponding to FHE.Dec(hsk, ). Run SimGarble to produce a simulated garbled circuit or the FHE decryption algorithm FHE
.Dec
(hsk
, ) : {0, 1}
{0, 1}together with the simulated
encoding consisting o one set o labels Li or i = 1 . . . . Namely,, {Li}i=1
SimGarble(1, f(x), 1|FHE.Dec(hsk,)|, 1).
The simulator S can invoke SimGarble because it knows f(x), and can compute the size o theFHE.Dec(hsk, ) circuit, and rom the sizes o the input parameters.
3. Produce encryptions c1, . . . , c under the ABE2 scheme in the ollowing way. Let
ci ABE2.Encfmpki, (hpk, 0), Li, Li
,
where S uses each simulated label Li twice.
4. Output c = ( c1, . . . , c, ).
To prove indistinguishability o the real and ideal experiments (De. 2.13), we defne a sequence o hybrid
experiments, and then invoke the security defnitions o the underlying schemes (FHE, garbled circuit, and
ABE2 respectively) to show that the outcome o the hybrid experiments are computationally indistinguishable.
Hybrid 0 is the output o the ideal experiment rom De. 2.13 or our FE construction with simulator S. Wedenote it ExpH0FE,A (= Exp
idealFE,A,S).
Hybrid 1 (ExpH1FE,A) is the same as Hybrid 0, except that the simulated ciphertext or Hybrid 1 (which we
denote c(1)), changes. Let c(1) be the ciphertext obtained by running the algorithm oS, except that in Step (3),
encrypt x instead o0, namely:
c(1)i ABE2.Enc
fmpki, (hpk, ), Li, Li
,
where (FHE.Enc(hpk, x1), . . . ,FHE.Enc(hpk, xn)). Let
c(1) = (c(1)1 , . . . , c
(1) , ).
25
-
7/28/2019 Succint Filterable Decryption
26/52
Hybrid 2 (ExpH2FE,A) is the same as Hybrid 1, except that in Step ( 2), the ciphertext contains a real garbled
circuit , {L0i , L1i }i=1
Gb.Garble(FHE.Dec(hsk, )).
Let di = FHE.Evalif(hpk, ). In Step (3), include L
di twice in the ABE encryption; namely:
c(2)i ABE2.Enc
fmpki, (hpk, ), L
dii , L
dii
, and
c(2) = (c(2)1 , . . . , c
(2) , ).
Hybrid 3 (ExpH3FE,A) is the output o the real experiment rom De. 2.13 or our FE construction.
We prove each pair o consecutive hybrids to be computationally indistinguishable in the ollowing three
lemmas, Lemmas 3.9, 3.10, and 3.11.
Lemma 3.9. Assuming FHE is IND-CPAsecure, Hybrid 0 and Hybrid 1 are computationally indistinguish-
able.
Proo. We proceed by contradiction. We assume that there exist p.p.t. adversaries A = (A1, A2) and a p.p.t.distinguisher D such that D (with A) can distinguish between Hybrid 0 and Hybrid 1 above. Namely, thereexists a polynomial p() such that, or infnitely many ,
| Pr[D(ExpH0FE,A(1)) = 1] Pr[D(ExpH1FE,A(1)) = 1]| 1/p(). (1)
We construct a p.p.t. adversary R = (R1, R2) that can break the semantic security oFHE. Adversary R1outputs an n-bit value x or some n, and adversary R2 receives as input either homomorphic encryption ox or o0n, and it will distinguish between these two. Distinguishing successully implies that there is anadversary that can distinguish successully in De. 2.5, by a standard hybrid argument.
To determine x, adversary R1 works as ollows:
1. Run Exp
ideal
FE,A,S(1
) (De. 2.13) rom Step (1) to Step (4) and let x be the output oA2 in Step (4).
2. Output x.
To distinguish between encryption ox or 0n, adversary R2 receives input hpk, the FHE public key, and
an encryption E ox or 0n and works as ollows:
1. Run a modifed algorithm o S by using hpk instead o generating resh FHE keys and using E
instead o encrypting 0n. Namely:
(a) Generate
, {Li}i=1
as in Step (2) o S.
(b) Output c = (c1, . . . , c) or c
i = ABE2.Enc(fmpki, ((hpk
, E), Li, Li)).
2. Feed (c, ) to D and output the decision oD.
Notice that iE is encryption o0n, R2 simulates Hybrid 0 perectly; when E is encryption ox, R2
simulates Hybrid 1 perectly. Thereore, D must have a probability o distinguishing between the two cases o
26
-
7/28/2019 Succint Filterable Decryption
27/52
at least 1/p() (Eq. (1)); moreover, whenever