Succint Filterable Decryption

7/28/2019 Succint Filterable Decryption

1/52

Reusable Garbled Circuits and

Succinct Functional Encryption

Shaf Goldwasser Yael Kalai Raluca Ada PopaVinod Vaikuntanathan Nickolai Zeldovich

MIT CSAIL Microsot Research University o Toronto

March 24, 2013

Abstract

Garbled circuits, introduced by Yao in the mid 80s, allow computing a unction f on an input xwithout leaking anything about f or x besides f(x). Garbled circuits ound numerous applications, butevery known construction suers rom one limitation: it oers no security i used on multiple inputs x.In this paper, we construct or the frst time reusable garbled circuits. The key building block is a new

succinct single-key unctional encryption scheme.

Functional encryption is an ambitious primitive: given an encryption Enc(x) o a value x, and a secretkey skf or a unction f, anyone can compute f(x) without learning any other inormation about x. Weconstruct, or the frst time, a succinctunctional encryption scheme or any polynomial-time unction

f where succinctness means that the ciphertext size does not grow with the size o the circuit or f, butonly with its depth. The security o our construction is based on the intractability o the Learning with

Errors (LWE) problem and holds as long as an adversary has access to a single key skf (or even an a priori

bounded number o keys or dierent unctions).

Building on our succinct single-key unctional encryption scheme, we show several new applications

in addition to reusable garbled circuits, such as a paradigm or general unction obuscation which we call

token-based obuscation, homomorphic encryption or a class o Turing machines where the evaluation

runs in input-specifc time rather than worst-case time, and a scheme or delegating computation which is

publicly verifable and maintains the privacy o the computation.


2/52

Contents

1 Introduction 3

1.1 Our Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.1.1 Main Application: Reusable Garbled Circuits . . . . . . . . . . . . . . . . . . . . . 6

1.1.2 Token-Based Obuscation: a New Way to Circumvent Obuscation Impossibility

Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.1.3 Computing on Encrypted Data in Input-Specifc Time . . . . . . . . . . . . . . . . 7

1.1.4 Publicly Verifable Delegation with Secrecy . . . . . . . . . . . . . . . . . . . . . . 8

1.2 Technique Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2 Preliminaries 11

2.1 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

2.2 Background on Learning With Errors (LWE) . . . . . . . . . . . . . . . . . . . . . . . . . 12

2.3 Fully Homomorphic Encryption (FHE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

2.4 Background on Garbled Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

2.5 Attribute-Based Encryption (ABE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

2.5.1 Two-Outcome Attribute-Based Encryption . . . . . . . . . . . . . . . . . . . . . . 172.6 Functional Encryption (FE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2.6.1 Security o Functional Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3 Our Functional Encryption Scheme 20

3.1 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.2 Proo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

4 Reusable Garbled Circuits 29

4.1 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

4.2 Proo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

4.3 Impossibility o Public-Key Reusable Garbled Circuits . . . . . . . . . . . . . . . . . . . . 35

5 Token-Based Obuscation 36

5.1 Defnition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

5.2 Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

6 Computing on Encrypted Data in Input-Specifc Time 38

6.1 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

6.2 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

6.3 Input-Dependent Output Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

A Detailed Background on Learning With Errors (LWE) 46

B Construction o Two-Outcome Attribute-Based Encryption 47

C Homomorphic Encryption or Turing Machines: Defnitions and Proos 49

C.1 Proo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

2


3/52

1 Introduction

Breaches o confdential data are commonplace: personal inormation o millions o people, such as fnancial,

medical, customer, and employee data, is disclosed every year [Pri12, Ver]. These disclosures oten happen

because untrustworthy systems handle confdential data. As applications move to cloud computing platorms,

ensuring data confdentiality on third-party servers that may be untrustworthy becomes a top concern [Dav12].

A powerul technique or preventing data disclosures without having to ensure the server is trustworthy is

to encrypt the data provided to the server and then compute on the encrypted data. Thus, i the server does

not have access to the plaintext or to the decryption key, it will be unable to disclose confdential data. The

big leap o the last decade towards computing over encrypted data has been ully homomorphic encryption

(FHE) [Gen09, DGHV10, SS10b, BV11b, BV11a, Vai11, BGV12, GHS12a, GHS12b, LTV12, Bra12].

A undamental question with this approach is: who can decrypt the results o computations on encrypted

data? I data is encrypted using FHE, anyone can perorm a computation on it (with knowledge o the public

key), while the result o the computation can be decrypted only using the secret key. However, the secret

key allows decrypting all data encrypted under the corresponding public key. This model sufces or certain

applications, but it rules out a large class o applications in which the party computing on the encrypted data

needs to determine the computation result on its own. For example, spam flters should be able to determine

i an encrypted email is spam and discard it, without learning anything else about the emails content. WithFHE, the spam flter can run the spam detection algorithm homomorphically on an encrypted email and

obtain an encrypted result; however, it cannot tell i the algorithm deems the email spam or not. Having the

data owner provide the decryption key to the spam flter is not a solution: the spam flter can now decrypt all

the emails as well!

A promising approach to this problem is unctional encryption [SW05, GPSW06, KSW08, LOS+10,

OT10, ON10, BSW]. In unctional encryption, anyone can encrypt data with a master public key mpk

and the holder o the master secret key can provide keys or unctions, or example skf or unction f.Anyone with access to a key skf and a ciphertext c or x can obtain the result o the computation in plaintextorm: f(x). The security o FE requires that the adversary does not learn anything about x, other than thecomputation result f(x). It is easy to see, or example, how to solve the above spam flter problem with a

unctional encryption scheme. A user Alice publishes her public key online and gives the spam flter a key orthe fltering unction. Users sending email to Alice will encrypt the email with her public key. The spam flter

can now determine by itsel, or each email, whether to store it in Alices mailbox or to discard it as spam,

without learning anything about Alices email (except or whether it was deemed spam or not).

The recent impossibility result o Agrawal, Gorbunov, Vaikuntanathan and Wee [ AGVW12] says that

unctional encryption schemes where an adversary can receive an arbitrary number o keys or general

unctions are impossible or a natural simulation-based security defnition;1 stated dierently, any unctional

encryption scheme that can securely provide q keys or general unctions must have ciphertexts growinglinearly in q. Since any scheme that can securely provide a single key yields a scheme that can securelyprovide qkeys by repetition, the question becomes i one can construct a unctional encryption scheme thatcan securely provide a single key or a general unction under this simulation-based security defnition. Such

a single-key unctional encryption scheme is a powerul tool, enabling the applications we will discuss.In this paper, we construct the frst single-key unctional encryption scheme or a general unction that

is succinct: the size o the ciphertext grows with the depth d o the circuit computing the unction and is

1This impossibility result holds or non-adaptive simulation-based security, which is weaker than some existing simulation-based

defnitions such as adaptive security. Nevertheless, this result does not carry over to indistinguishability-based defnitions, or which

possibility or impossibility is currently an open question. In this paper, we are interested in achieving the simulation-based defnition.

3


4/52

independent o the size o the circuit. Up until our work, the known constructions o unctional encryption

were quite limited. First, the works o Boneh and Waters [BW07], Katz, Sahai and Waters [KSW08], Agrawal,

Freeman and Vaikuntanathan [AFV11], and Shen, Shi and Waters [SSW09] show unctional encryption

schemes (based on dierent assumptions) or a very simple unction: the inner product unction fy (or avariant o it), that on input x outputs 1 i and only ix, y = 0.2 These works do not shed light on how toextend beyond inner products. Second, Sahai and Seyalioglu [SS10a] and Gorbunov, Vaikuntanathan andWee [GVW12] provide a construction or single-key unctional encryption or one general unction with a

non-succinctciphertext size (at least the size o a universal circuit computing the unctions allowed by the

scheme3). [SS10a] was the frst to introduce the idea o single-key unctional encryption and [GVW12] also

extends it to allow the adversary to see secret keys or q unctions o his choice, by increasing the size othe ciphertexts linearly with q where q is known in advance.4 We emphasize that the non-succinctness othese schemes is particularly undesirable and it precludes many useul applications o unctional encryption

(e.g., delegation, reusable garbled circuits, FHE or Turing machines), which we achieve. For example, in

the setting o delegation, a data owner wants to delegate her computation to a cloud, but the mere eort

o encrypting the data is greater than computing the circuit directly, so the owner is better o doing the

computation hersel.

We remark that unctional encryption (FE) arises rom, and generalizes, a beautiul sequence o papers on

attribute-based encryption (including [SW05, GPSW06, BSW07, GJPS08, LOS+10, Wat11, Wat12, LW12]),

and more generally predicate encryption (including [BW07, KSW08, OT09]). We denote by attribute-based

encryption (ABE) an encryption scheme where each ciphertext c o an underlying plaintext message mis tagged with a public attribute x. Each secret key skf is associated with a predicate f. Given a key skfand a ciphertext c = Enc(x, m), the message m can be recovered i and only if(x) is true. Whether themessage gets recovered or not, the attribute x is always public; in other words, the input to the computationof, x, leaks with attribute-based encryption, whereas with unctional encryption, nothing leaks about xother than f(x). Thereore, attribute-based encryption oers qualitatively weaker security than unctionalencryption. Attribute-based encryption schemes were also called public-index predicate encryption schemes

in the literature [BSW]. Boneh and Waters [BW07] introduced the idea o not leaking the attribute as in

unctional encryption (also called private-index unctional encryption).

Very recently, the landscape o attribute-based encryption has signifcantly improved with the works oGorbunov, Vaikuntanathan and Wee [GVW13], and Sahai and Waters [SW12], who construct attribute-based

encryption schemes or general unctions, and are a building block or our results.

1.1 Our Results

Our main result is the construction o a succinctsingle-key unctional encryption scheme or general unctions.

We demonstrate the power o this result by showing that it can be used to address the long-standing open

problem in cryptography o reusing garbled circuits, as well as making progress on other open problems.

We can state our main result as a reduction rom any attribute-based encryption and any ully

homomorphic encryption scheme. In particular, we show how to construct a (single-key and succinct)

unctional encryption scheme or any class o unctionsF

by using a homomorphic encryption scheme

which can do homomorphic evaluations or any unction in Fand an attribute-based encryption scheme or a2These inner-product schemes allow an arbitrary number o keys.3A universal circuit F is a circuit that takes as input a description o a circuit f and an input string x, runs fon x and outputs f(x).4Namely, parameter q (the maximum number o keys allowed) is fxed during setup, and the ciphertexts size grows linearly

with q.

4


5/52

slightly larger class o unctions F; F is the class o unctions such that or any unction f F, the classF contains the unction computing the i-th bit o the FHE evaluation of.Theorem 1.1 (Inormal). There is a single-key unctional encryption scheme with succinct ciphertexts

(independent o circuit size) or the class o unctions Fassuming the existence o

a ully homomorphic encryption scheme or the class o unctions

F, and

a (single-key) attribute-based encryption scheme or a class o predicates F (as above).The literature has considered two types o security or ABE and FE: selective and ull security (see

Sec. 2.6). We show that i the underlying ABE scheme is selectively or ully secure, our resulting FE scheme

is selectively or ully secure, respectively.

Two very recent results achieve attribute-based encryption or general unctions. Gorbunov, Vaikun-

tanathan and Wee [GVW13] achieve ABE or general circuits o bounded depth based on the subexponential

Learning With Errors (LWE) intractability assumption. Sahai and Waters [SW12] achieve ABE or general

circuits under the less standard k-Multilinear Decisional Dife-Hellman (see [SW12] or more details);

however, when instantiated with the only construction o multilinear maps currently known [GGH12], they

also achieve ABE or general circuits o bounded depth. Our scheme can be instantiated with any o these

schemes because our result is a reduction.When coupling our theorem with the ABE result o [GVW13] and the FHE scheme o[BV11a, BGV12],

we obtain:

Corollary 1.2 (Inormal). Under the subexponential LWE assumption, or any depth d, there is a single-keyunctional encryption scheme or general unctions computable by circuits o depth d. The scheme hassuccinct ciphertexts: their size is polynomial in the depth d (and does not depend on the circuit size).

This corollary holds or both selective and ull security defnitions, since [ GVW13] constructs both

selectively secure and ully secure ABE schemes. However, the parameters o the LWE assumption are

dierent in the two cases (Sec. 2.3).

Another corollary o our theorem is that, given a universal ABE scheme (the scheme is or all classes o

circuits, independent o depth) and any ully homomorphic encryption scheme, there is a universal unctionalencryption scheme whose ciphertext size does not depend on the circuits size or even the circuits depth.

As mentioned, extending our scheme to be secure against an adversary who receives q keys isstraightorward. The basic idea is simply to repeat the scheme q times in parallel. This strategy results in theciphertext size growing linearly with q, which is unavoidable or the simulation-based security defnitionwe consider, because o the discussed impossibility result [AGVW12]. Stated in these terms, our scheme is

also a q-collusion-resistant unctional encryption scheme like [GVW12], but our schemes ciphertexts aresuccinct, whereas [GVW12]s are proportional to the circuit size.

From now on, we restrict our attention to the single-key case, which is the essence o the new scheme.

In the body o the paper we oten omit the single-key or succinct adjectives and whenever we reer to a

unctional encryption scheme, we mean a succinct single-key unctional encryption scheme.

We next show how to use our main theorem to make signifcant progress on some o the most intriguingopen questions in cryptography today: the reusability o garbled circuits, a new paradigm or general unction

obuscation, as well as applications to ully homomorphic encryption with evaluation running in input-specifc

time rather than in worst-case time, and to publicly verifable delegation. Succinctness plays a central role in

these applications and they would not be possible without it.

5


6/52

1.1.1 Main Application: Reusable Garbled Circuits

A circuit garbling scheme, which has been one o the most useul primitives in modern cryptography, is a

construction originally suggested by Yao in the 80s in the context o secure two-party computation [Yao82].

This construction relies on the existence o a one-way unction to encode an arbitrary circuit C (garblingthe circuit) and then encode any input x to the circuit (where the size o the encoding is short, namely, it does

not grow with the size o the circuit C); a party given the garbling oC and the encoding ox can run thegarbled circuit on the encoded x and obtain C(x). The most basic properties o garbled circuits are circuitand input privacy: an adversary learns nothing about the circuit C or the input x other than the result C(x).

Over the years, garbled circuits and variants thereo have ound many applications: two party

secure protocols [Yao86], multi-party secure protocols [GMW87], one-time programs [GKR08], KDM-

security [BHHI10], verifable computation [GGP10], homomorphic computations [GHV10] and others.

However, a basic limitation o the original construction remains: it oers only one-time usage. Specifcally,

providing an encoding o more than one input compromises the secrecy o the circuit. Thus, evaluating the

circuit C on any new input requires an entirely new garbling o the circuit.The problem o reusing garbled circuits has been open or 30 years. Using our newly constructed succinct

unctional encryption scheme we are now able to build reusable garbled circuits that achieve circuit and

input privacy: a garbled circuit or any computation o depth d (where the parameters o the scheme dependon d), which can be run on any polynomial number o inputs without compromising the privacy o the circuitor the input. More generally, we prove the ollowing:

Theorem 1.3 (Inormal). There exists a polynomial p, such that or any depth unction d, there is a reusablecircuit garbling scheme or the class o all arithmetic circuits o depth d, assuming there is a single-keyunctional encryption scheme or all arithmetic circuits o depth p(d).5

Corollary 1.4 (Inormal). Under the subexponential LWE assumption, or any depth unction d, there existsa reusable circuit garbling scheme with circuit and input privacy or all arithmetic circuits o depth d.

Reusability o garbled circuits (or depth-bounded computations) implies a multitude o applications

as evidenced by the research on garbled circuits over the last 30 years. We note that or many o these

applications, depth-bounded computation sufces. We also note that some applications do not require circuit

privacy. In that situation, our succinct single-key unctional encryption scheme already provides reusable

garbled circuits with input-privacy and, moreover, the encoding o the input is a public-key algorithm.

We remark that [GVW13] gives a restricted orm o reusable circuit garbling: it provides authenticity o

the circuit output, but does not provide input privacy or circuit privacy, as we do here. Inormally, authenticity

means that an adversary cannot obtain a dierent yet legitimate result rom a garbled circuit. We note that

most o the original garbling circuit applications (e.g., two party secure protocols [Yao86], multi-party secure

protocols [GMW87]) rely on the privacy o the input or o the circuit.

One o the more intriguing applications o reusable garbled circuits pertains to a new model or program

obuscation, token-based obuscation, which we discuss next.

1.1.2 Token-Based Obuscation: a New Way to Circumvent Obuscation Impossibility Results

Program obuscation is the process o taking a program as input, and producing a unctionally equivalent but

dierent program, so that the new program reveals no inormation to a computationally bounded adversary

5For this application we need to assume that the underlying unctional encryption scheme is ully secure (as opposed to only

selectively secure).

6


7/52

about the original program, beyond what black box access to the program reveals. Whereas ad-hoc program

obuscators are built routinely, and are used in practice as the main sotware-based technique to fght reverse

engineering o programs, in 2000 Barak et al. [BGI+01], ollowed by Goldwasser and Kalai [GK05], proved

that program obuscation or general unctions is impossible using sotware alone, with respect to several

strong but natural defnitions o obuscation.

The results o[BGI

+

01, GK05] mean that there exist unctions which cannot be obuscated. Still, the needto obuscate or garble programs remains. A long array o works attempts to circumvent the impossibility

results in various ways, including adding secure hardware components [GKR08, GIS+10, BCG+11], relaxing

the defnition o security [GR07], or considering only specifc unctions [Wee05, CKVW10].

The problem o obuscation seems intimately related to the garbled circuit problem where given a

garbling o a circuit C and an encoding or an input x, one can learn the result oC(x) but nothing else. Onecannot help but wonder whether the new reusable garbling scheme would immediately imply a solution or

the obuscation problem (which we know is impossible). Consider an example illustrating this intuition: a

vendor obuscates her program (circuit) by garbling it and then gives the garbled circuit to a customer. In

order to run the program on (multiple) inputs xi, the customer simply encodes the inputs according to thegarbling scheme and thus is able to compute C(xi). Unortunately, although close, this scenario does notwork with reusable garbled circuits. The key observation is that encoding x requires knowledge o a secretkey! Thus, an adversary cannot produce encoded inputs on its own, and needs to obtain tokens in the orm

o encrypted inputs rom the data owner.

Instead, we propose a new token-basedmodel or obuscation. The idea is or a vendor to obuscate an

arbitrary program as well as provide tokens representing rights to run this program on specifc inputs. For

example, consider that some researchers want to obtain statistics out o an obuscated database containing

sensitive inormation (the obuscated program is the program running queries with the secret database

hardcoded in it). Whenever the researchers want to input a query x to this program, they need to obtaina token or x rom the program owner. To produce each token, the program owner does little work. Theresearchers perorm the bulk o the computation by themselves using the token and obtain the computation

result without urther interaction with the owner.

Claim 1.5. Assuming a reusable garbling scheme or a class o circuits, there is a token-based obuscationscheme or the same class o circuits.

Corollary 1.6 (Inormal). Under the subexponential LWE assumption, or any depth unction d, there existsa token-based obuscation scheme or all arithmetic circuits o depth d.

It is worthwhile to compare the token-based obuscation model with previous work addressing obuscation

using trusted-hardware components such as [GIS+10, BCG+11]. In these schemes, ater a user fnishes

executing the obuscated program on an input, the user needs to interact with the trusted hardware to obtain

the decryption o the result; in comparison, in our scheme, the user needs to obtain only a token beore the

computation begins, and can then run the computation and obtain the decrypted result by hersel.

1.1.3 Computing on Encrypted Data in Input-Specifc Time

All current FHE constructions work according to the ollowing template. For a fxed input size, a program is

transormed into an arithmetic circuit; homomorphic evaluation happens gate by gate on this circuit. The

size o the circuit reects the worst-case running time o the program: or example, every loop is unolded

into the maximum number o steps corresponding to the worst-case input, and each unction is called the

7


8/52

maximum number o times possible. Such a circuit can be potentially very large, despite the act that there

could be many inputs on which the execution is short.

A ascinating open question has been whether it is possible to perorm FHE ollowing a Turing-machine-

like template: the computation time is input-specifc and can terminate earlier depending on the input at hand.

O course, to compute in input-specifc time, the running time must unavoidably leak to the evaluator, but

such leakage is acceptable in certain applications and the efciency gains can be signifcant; thereore, such ascheme provides weaker security than ully homomorphic encryption (namely, nothing other than the running

time leaks about the input), at the increase o efciency.

Using our unctional encryption scheme, we show how to achieve this goal. The idea is to use the scheme

to test when an encrypted circuit computation has terminated, so the computation can stop earlier on certain

inputs. We overview our technique in Sec. 1.2.

Because the ciphertexts in our unctional encryption scheme grow with the depth o the circuits, such a

scheme is useul only or Turing machines that can be expressed as circuits o depth at most d(n) or inputso size n. We reer to such Turing machines as d-depth-bounded and defne them in Sec. 6.

Theorem 1.7. There is a scheme or evaluating Turing machines on encrypted inputs in input-specifc time

or any class od-depth-bounded Turing machines, assuming the existence o a succinct single-key unctional

encryption scheme or circuits o depth d,6 and a ully homomorphic encryption scheme or circuits o depthd.

Corollary 1.8. Under the subexponential LWE assumption, or any depth d, there is a scheme or evaluatingTuring machines on encrypted data in input-specifc time or any class o d-depth-bounded Turing machines.

1.1.4 Publicly Verifable Delegation with Secrecy

Recently, Parno, Raykova and Vaikuntanathan [PRV12] showed how to construct a 2-message delegation

scheme that is publicly verifable, in the preprocessing model, rom any attribute-based encryption scheme.

This reduction can be combined with [GVW13]s ABE scheme to achieve such a delegation scheme.

However, this scheme does not provide secrecy o the inputs: the prover can learn the inputs. By replacing

the ABE scheme in the construction o [PRV12] with our new unctional encryption scheme, we add secrecyto the scheme; namely, we obtain a delegation scheme which is both publicly verifable as in [PRV12] (anyone

can veriy that a transcript is accepting using only public inormation) and secret(the prover does not learn

anything about the input o the unction being delegated). 7 More specifcally, we construct a 2-message

delegation scheme in the preprocessing model that is based on the subexponential LWE assumption, and is

or general depth-bounded circuits, where the verifer works in time that depends on the depth o the circuit

being delegated, but is independent o the size o the circuit, and the prover works in time dependent on the

size o the circuit.

1.2 Technique Outline

Our unctional encryption scheme. We frst describe the ideas behind our main technical result: a reductionrom attribute-based encryption (ABE) and ully homomorphic encryption (FHE) to unctional encryption

(FE).

6As in previous applications, we need to assume that the underlying unctional encryption scheme is ully secure (as opposed to

only selectively secure).7We note that secrecy can be easily obtained by using an FHE scheme, however, this destroys public-verifability.

8


9/52

Compute on encrypted data with FHE. A natural starting point is FHE because it enables computation on

encrypted data, which is needed with unctional encryption. Using FHE, the FE encryption o an input xconsists o an FHE encryption o x, denoted x, while the secret key or a unction f is simply f itsel. Thesemantic security o FHE provides the desired security (and more) because nothing leaks about x; however,

using FHE evaluation, the evaluator obtains an encrypted computation result,

f(x), instead o the decrypted

value f(x). Giving the evaluator the FHE decryption key is not an option because the evaluator can use it todecrypt x as well.Attempt to decrypt using a Yao garbled circuit. We would like the evaluator to decrypt the FHE ciphertextf(x), but not be able to decrypt anything else. An idea is or the owner to give the evaluator a Yao garbled

circuit or the FHE decryption unction FHE.Dec with the FHE secret key hsk hardcoded in it, namely agarbled circuit or FHE.Dechsk. When the owner garbles FHE.Dechsk, the owner also obtains a set o garbled

circuit labels {Li0, Li1}i. The evaluator must only receive the input labels corresponding to f(x): namely, thelabels {Libi}i where bi is the i-th bit o f(x). But this is not possible because the owner does not know apriori f(x) which is determined only ater the FHE evaluation; urthermore, ater providing more than oneset o labels (which happens when encrypting another input x), the security o the garbled circuit (and henceo the FHE secret key) is compromised. One idea is to have the owner and the evaluator interact, but the

syntax o unctional encryption does not allow interaction. Thereore, the evaluator needs to determine the seto labels corresponding to f(x) by hersel, and should not obtain any other labels.

Constraining decryption using ABE. It turns out that what we need here is very close to what ABE

provides. Consider the ollowing variant o ABE (called ABE2)that can be constructed easily rom a standard

ABE scheme. One encrypts a value y together with two messages m0, m1 and obtains a ciphertext c ABE2.Enc(y, m0, m1). Then, one generates a key or a predicate g: skg ABE2.KeyGen(g). The decryptionalgorithm on input c and skg outputs m0 ig(y) = 0 or outputs m1 ig(y) = 1.

Now consider using ABE2 multiple times, once or every i {1, . . . , size o f(x)}. For the i-thinvocation oABE2.Enc, let m0, m1 be the garbled labels L

i0, L

i1, and let y be x: ABE2.Enc(x, L

i0, L

i1).

Next, or the i-th invocation oABE2.KeyGen, let g be FHE.Evalif (the predicate returning the i-th bit o the

evaluation of on an input ciphertext): ABE2.KeyGen(FHE.Evalif). Then, the evaluator can use ABE2.Dec

to obtain the needed label: Libi where bi is the i-th bit o f(x). Armed with these labels and the garbled circuit,the evaluator decrypts f(x).

The security o the ABE scheme ensures the evaluator cannot decrypt any other labels, so the evaluator

cannot learn more than f(x). Finally, note that the one-time aspect o garbled circuits does not restrict thenumber o encryptions with our FE scheme because the encryption algorithm generates a new garbled circuit

every time; since the garbled circuit is or the FHE decryption algorithm (which is a fxed algorithm), the size

o the ciphertexts remains independent o the size o f.

We now explain how to use this result to obtain the aorementioned applications.

From FE to reusable garbled circuits. The goal o garbled circuits is to hide the input and the circuit C.Our succinct single-key FE already provides a reusable garbling scheme with input privacy (the single key

corresponds to the circuit to garble). To obtain circuit privacy, the insight is to leverage the secrecy o theinputs to hide the circuit. The frst idea that comes to mind is to generate a key or the universal circuit instead

o C, and include C in the ciphertext when encrypting an input. However, this approach will yield largeciphertexts, as large as the circuit size.

Instead, the insight is to garble C by using a semantically secure encryption scheme E.Enc together withour FE scheme: the garbling o C will be an FE secret key or a circuit U that contains E.Encsk(C); on

9


10/52

input (sk, x), U uses sk to decrypt C and then runs C on the input x. The token or an input x will be an FEencryption o(sk, x). Now, even i the FE scheme does not hide E.Encsk(C), the security o the encryptionscheme E hides C.

Computing on encrypted data in input-specifc time. We now summarize our approach to evaluating a

Turing machine (TM) M homomorphically over encrypted data without running in worst-case time on all

inputs. Sec. 6 presents the scheme ormally.Our idea is to use our unctional encryption scheme to enable the evaluator to determine at various

intermediary steps in the evaluation whether the computation fnished or not. For each intermediary step, the

client provides a secret key or a unction that returns a bit indicating whether the computation fnished or not.

However, i the client provides a key or every computation step, then the amount o keys corresponds to the

worst-case running time. Thus, instead, we choose intermediary points spaced at exponentially increasing

intervals. In this way, the client generates only a logarithmic number o keys, namely or unctions indicating

i the computation fnishes in 1, 2, 4, . . . , 2i, . . . , 2log tmax steps, where tmax is the worst-case running timeoM on all inputs o a certain size.

Because o the single-key aspect o our FE scheme, the client cannot provide keys or an arbitrary number

o TMs to the evaluator. However, this does not mean that the evaluator can run only an a priori fxed

number o TMs on the encrypted data. The reason is that the client can provide keys or the universal TMs

U0, . . . , U log tmax, where TM Ui is the TM that on input a TM M and a value x, runs M on x or 2i steps

and outputs whether M fnished.Thereore, in an oine preprocessing phase, the client provides 1 + log tmax keys where the i-th key is

or a circuit corresponding to Ui, each key being generated with a dierent master secret key. The work othe client in this phase is at least tmax which is costly, but this work happens only once and is amortized overall subsequent inputs in the online phase.

In an online phase, the client receives an input x and wants the evaluator to compute M(x) or her. Theclient provides FE encryptions o(M, x) to the evaluator together with an FHE ciphertext (M, x) or (M, x)to be used or a separate FHE evaluation. The evaluator tries each key skUi rom the preprocessing phase and

learns the smallest i or which the computation oM on x stops in 2i steps. The evaluator then computes auniversal circuit o size O(2i) and evaluates it homomorphically over (M , x), obtaining the FHE encryption

oM(x). Thus, we can see that the evaluator runs in time polynomial in the runtime oM on x.

Publicly Verifable Delegation with Secrecy. Delegation schemes aim to enable a weak verifer to delegate

computation o a unction f on an input x to a prover who can then prove to the verifer that he computed theunction correctly. We now show that our single-key unctional encryption scheme provides an improvement

to publicly verifable delegation by adding secrecy. We present this improvement only inormally, because we

preer to ocus on the other applications.

We now briey recall the scheme o [PRV12] and then discuss how to modiy it; we reer the reader

to Section 2.6 or ormal defnitions o ABE and FE. There are two phases in the delegation scheme: the

preprocessing phase when the verifer prepares the computation f, and an online phase repeating many times,in which the verifer gives x to the prover who computes f(x) and proves the computation was correct.

In the preprocessing phase, the verifer generates two pairs o master secret and public keys (msk1,mpk1)

and (msk2,mpk2) or the underlying attribute-based encryption scheme. I f is the unction to delegate,the verifer uses msk1 to generate a key or f denoted skf, and msk2 to generate a key or the negation of, f(x) := 1 f(x), denoted skf. The verifer then sends both (mpk1,mpk2) and (skf, skf) to the prover.Generating skf and skf takes time that is proportional to the size o the circuit computing f, and thus is acostly operation. However, this is done only once in the preprocessing phase.

Whenever the verifer wants the prover to compute f on an input x, he chooses two random messages

10


11/52

m1, m2 and sends the prover the encryptions o (x, m) under the two keys: (Enc(mpk1, x , m1) andEnc(mpk2, x , m2)). The properties o the attribute-based encryption scheme guarantees that, if(x) = 1,the prover obtains m1 using skf and using skf so no inormation about m0, and vice versa if(x) = 0.Thereore, the act that the prover provides m1 to the verifer is a proo that f(x) was 1.

Importantly, this delegation scheme can be made to have the desired property o being publicly verifable,

meaning that the verifer can produce a verifcation key with which anyone can check the provers work.This is done by having the verifer also send two point unction obuscations, one o the point m1 and theother o the point m2.

This reduction rom ABE to publicly verifable delegation can be combined with the recent result

o [GVW13] providing ABE schemes or any depth circuit: the result is a publicly verifable 2-message

delegation scheme in the preprocessing model or any depth d circuit with verifers work being proportionalto the depth d and the provers work proportional to the circuit size.

Note however, that this scheme is not secret because ABE does not hide the input x rom the prover. It iswell known that x can be made secret by encrypting everything using a ully homomorphic encryption scheme.However, this comes at the cost o losing the public verifability property. Our idea is to replace the ABE

scheme with our unctional encryption scheme in the protocol above; now the ciphertexts Enc(mpk1, x , m1)and Enc(mpk2, x , m2) hide x and the scheme provides secrecy because the prover learns nothing about xother than f(x). The public verifability o the scheme remains the same.

We remark that we could provide a stronger version o secrecy by also hiding the result f(x) rom theprover; such stronger secrecy is non-standard or delegation, so we do not delve on it. (The idea is or the

client to concatenate a random bit to each input x and have the unction f output the opposite result when thebit is set. In this way, the prover does not learn anything rom seeing which ciphertext decrypts to non-.)

2 Preliminaries

2.1 Notation

Let denote the security parameter throughout this paper. For a distribution

D, we say x

Dwhen x is

sampled rom the distribution D. I S is a fnite set, by x S we mean x is sampled rom the uniormdistribution over the set S. We use p() to denote that p is a unction that takes one input. Similarly, p(, )denotes a unction p that takes two inputs.

We say that a unction f is negligible in an input parameter , i or all d > 0, there exists K such thator all > K, f() < kd. For brevity, we write: or all sufciently large , f() = negl(). We saythat a unction f is polynomial in an input parameter , i there exists a polynomial p such that or all ,f() p(). We write f() = poly(). A similar defnition holds or polylog().

Let [n] denote the set {1, . . . , n} or n N. When saying that a Turing machine A is p.p.t. we meanthat A is a non-uniorm probabilistic polynomial-time machine.

In this paper, we only work with arithmetic circuits over GF(2). These circuits have two types o gates: +mod 2 and mod 2. Unless the context specifes otherwise, we consider circuits with one bit o output (alsocalled boolean).

Two ensembles, X = {X}N and Y = {Y}N, are said to be computationally indistinguishable(and denoted {X}N c {Y}N) i or every probabilistic polynomial-time algorithm D,

| Pr[D(X, 1) = 1] Pr[D(Y, 1) = 1]| = negl().

In our security defnitions, we will defne probabilistic experiments and denote by random variables their

11


12/52

outputs. For example, ExprealE,A(1) denotes the random variable representing the output o the real experiment

or scheme E with adversary A on security parameter . Moreover, {ExprealE,A(1)}N denotes the ensembleo such random variables indexed by N.

2.2 Background on Learning With Errors (LWE)

The security o our results will be based on the Learning with Errors (LWE) assumption, frst introduced

by Regev [Reg05]. Regev showed that solving the LWE problem on average is (quantumly) as hard as

solving the approximate version o several standard lattice problems, such as gapSVP in the worst case.

Peikert [Pei09] later removed the quantum assumption rom a variant o this reduction. Given this connection,

we state all our results under worst-case lattice assumptions, and in particular, under (a variant o) the gapSVP

assumption. We reer the reader to [Reg05, Pei09] or details about the worst-case/average-case connection.

The best known algorithms to solve these lattice problems with an approximation actor 2

in -

dimensional lattices run in time 2O(1) [AKS01, MV10] or any constant 0 < < 1. Specifcally, given the

current state-o-the-art on lattice algorithms, it is quite plausible that achieving approximation actors 2

or

these lattice problems is hard or polynomial time algorithms.

Appendix A provides more detailed background inormation on LWE.

2.3 Fully Homomorphic Encryption (FHE)

The notion o ully homomorphic encryption was frst proposed by Rivest, Adleman and Dertouzos [RAD78]

in 1978. The frst ully homomorphic encryption scheme was proposed in a breakthrough work by Gentry in

2009 [Gen09]. A history and recent developments on ully homomorphic encryption is surveyed in [Vai11].

We recall the defnitions and semantic security o ully homomorphic encryption; the defnitions below are

based on [Vai11] with some adaptations.

Defnition 2.1. A homomorphic (public-key) encryption scheme FHE is a quadruple o polynomial time

algorithms (FHE.KeyGen,FHE.Enc,FHE.Dec,FHE.Eval) as ollows:

FHE.KeyGen(1) is a probabilistic algorithm that takes as input the security parameter 1 and outputsa public key pk and a secret key sk.

FHE.Enc(pk, x {0, 1}) is a probabilistic algorithm that takes as input the public key pk and an inputbitx and outputs a ciphertext .

FHE.Dec(sk, ) is a deterministic algorithm that takes as input the secret key sk and a ciphertextand outputs a message x {0, 1}.

FHE.Eval(pk, C , 1, 2, . . . , n) is a deterministic algorithm that takes as input the public key pk,some circuitC that takes n bits as input and outputs one bit, as well as n ciphertexts 1, . . . , n. Itoutputs a ciphertextC.

Compactness: For all security parameters , there exists a polynomial p() such that or all input sizes n, orall x1 . . . xn, or all C, the output length oFHE.Eval is at mostp(n) bits long.

Defnition 2.2 (C-homomorphism). LetC = {Cn}nN be a class o boolean circuits, where Cn is a set oboolean circuits taking n bits as input. A scheme FHE is C-homomorphic i or every polynomial n(), or

12


13/52

every sufciently large security parameter , or every circuit C Cn, and or every input bit sequencex1, . . . , xn, where n = n(),

Pr[(pk, sk) FHE.KeyGen(1);i FHE.Enc(pk, xi) ori = 1 . . . n; FHE.Eval(pk, C , 1, . . . , n) :FHE.Dec(sk, ) = C(x1, . . . xn)] = negl().

where the probability is over the coin tosses oFHE.KeyGen andFHE.Enc.

Defnition 2.3 (Fully homomorphic encryption). A scheme FHE is ully homomorphic i it is homomorphic

or the class o all arithmetic circuits overGF(2).

Defnition 2.4 (Leveled ully homomorphic encryption). A leveled ully homomorphic encryption scheme

is a homomorphic scheme where FHE.KeyGen receives an additional input1d and the resulting scheme ishomomorphic or all depth-d arithmetic circuits overGF(2).

Defnition 2.5(IND-CPA security)

. A scheme FHE is IND-CPA secure i or any p.p.t. adversaryA

,Pr[(pk, sk) FHE.KeyGen(1) : A(pk,FHE.Enc(pk, 0)) = 1]Pr[(pk, sk) FHE.KeyGen(1) : A(pk,FHE.Enc(pk, 1)) = 1] = negl().

We now state the result o Brakerski, Gentry and Vaikuntanathan [BGV12] that shows a leveled ully

homomorphic encryption scheme based on the LWE assumption:

Theorem 2.1 ([BV11a, BGV12]). Assume that there is a constant 0 < < 1 such that or every sufcientlylarge , the approximate shortest vector problem gapSVP in dimensions is hard to approximate to withina 2O(

) actor in the worst case. Then, or every n and every polynomial d = d(n), there is an IND-CPAsecure d-leveled ully homomorphic encryption scheme where encrypting n bits produces ciphertexts o length

poly(n,,d1/

), the size o the circuit or homomorphic evaluation o a unction f is size(Cf)poly(n,,d1/

)and its depth is depth(Cf) poly(log n, log d).

All known ully homomorphic encryption schemes (as opposed to merely leveled schemes) require an

additional assumption related to circular security o the associated encryption schemes. However, we do

not need to make such an assumption in this work because we only use a leveled homomorphic encryption

scheme in our constructions.

2.4 Background on Garbled Circuits

We will now defne garbled circuits. Initially, garbled circuits were presented by Yao [ Yao82] in the context

o secure two-party computation and later, they were then proven secure by Lindell and Pinkas [LP09]. Very

recently, the notion has been ormalized by Bellare et al. [BHR12]. For simplicity, we present more concisedefnitions o garbled circuits than in [BHR12].

Defnition 2.6 (Garbling scheme). A garbling scheme or a amily o circuits C = {Cn}nN with Cn a seto boolean circuits taking as inputn bits, is a tuple o p.p.t. algorithms Gb = (Gb.Garble,Gb.Enc,Gb.Eval)such that

13


14/52

Gb.Garble(1, C) takes as input the security parameter and a circuitC Cn or some n, and outputsthe garbled circuit and a secret key sk.

Gb.Enc(sk, x) takes as inputx {0, 1} and outputs an encoding c. Gb.Eval(, c) takes as input a garbled circuit , an encoding c and outputs a value y which should be

C(x).

Correctness. For any polynomial n(), or all sufciently large security parameters , orn = n(), orall circuits C Cn and all x {0, 1}n,

Pr[(, sk) Gb.Garble(1, C); c Gb.Enc(sk, x); y Gb.Eval(, c) : C(x) = y] = 1 negl().

Efciency. There exists a universal polynomial p = p(, n) (p is the same or all classes o circuits C)such that or all input sizes n, security parameters , or all boolean circuits C o with n bits o input, or allx {0, 1}n,

Pr[(, sk) Gb.Garble(1, C) : |sk| p(, n) and runtime(Gb.Enc(sk, x)) p(, n)] = 1.

Note that since Gb.Enc is a p.p.t. algorithm, it sufces to ensure that |sk| p(, n) and obtain thatGb.Encs runtime is also at most a polynomial. We preer to keep the runtime oGb.Enc in the defnition aswell or clarity.

Remark 2.2 (Remark on the efciency property). Intuitively, a garbling scheme is efcient i the time to

encode is shorter than the time to run the circuit. This requirement can be ormalized in a ew ways. A frst

defnition is as provided above in De. 2.6. Another defnition is to allow |sk| and the runtime oGb.Enc toalso depend on the depth o the circuits in C, but require that it does not depend on their size.Yao garbled circuits. The garbled circuits presented by Yao have a specifc property o the encoding scheme

that is useul in various secure unction evaluation protocols and in our construction as well. The secret key is

o the orm sk = {L0i , L

1i }

ni=1 and the encoding o an input x on bits is o the orm c = (L

x11 , . . . , L

xnn ),

where xi is the i-th bit ox.Two security guarantees are o interest: input privacy (the input to the garbled circuit does not leak to the

adversary), and circuit privacy (the circuit does not leak to the adversary). All these properties hold only or

one-time evaluation o the circuit: the adversary can receive at most one encoding o an input to use with a

garbled circuit; obtaining more than one encoding breaks these security guarantees.

Bellare et al. [BHR12] also present a third property which they call authenticity; inormally, this requires

that an adversary should not be able to come up with a dierent result o the garbled circuit that could be

de-garbled into a valid value. We do not present this property here because it is straightorward to show

that a garbling scheme with input and circuit privacy as we defne them below implies a dierent garbling

scheme with the authenticity property and we would need to provide a slightly more complicated syntax or

the defnition o garbled circuits (with an additional de-garbling algorithm).

We now present the one-time security o garbling circuits. The security defnition or reusable garbled

will be presented later, in Sec. 4.

Defnition 2.7 (Input and circuit privacy). A garbling scheme Gb or a amily o circuits {Cn}nN is inputand circuit private i there exists a p.p.t. simulatorSimGarble, such that or every p.p.t. adversaries A andD,or all sufciently large security parameters ,

14


15/52

| Pr[(x,C,) A(1);(, sk) Gb.Garble(1, C); c Gb.Enc(sk, x) : D(,x,C, , c) = 1]Pr[(x,C,) A(1); (, c) SimGarble(1, C(x), 1|C|, 1|x|) : D(,x,C, , c) = 1]| = negl(),

where we consider only A such that or some n, x {0, 1}n andC Cn.Intuitively, this defnition says that, or any circuit or input chosen adversarially, one can simulate in

polynomial time the garbled circuit and the encoding solely based on the computation result (and relevantsizes). The variable represents any state that A may want to convey to D.

A ew variants o Yao garbling schemes exist (or example, [BHR12]) that provide both input and circuit

privacy under the basic one-way unction assumption. Any such construction is suitable or our scheme.

Theorem 2.3 ([Yao82, LP09]). Assuming one-way unctions exist, there exists a Yao (one-time) garbling

scheme that is input- and circuit-private or all circuits over GF(2).

2.5 Attribute-Based Encryption (ABE)

We now provide the defnition o attribute-based encryption rom the literature (e.g., [GPSW06, LOS+10,

GVW13]).

Defnition 2.8 (Attribute-Based Encryption). An attribute-based encryption scheme (ABE) or a class o

predicates P = {Pn}nN represented as boolean circuits with n input bits and one output bit and anassociated message space M is a tuple o algorithms (ABE.Setup, ABE.KeyGen, ABE.Enc, ABE.Dec) asollows:

ABE.Setup(1): Takes as input a security parameter 1 and outputs a public master key fmpk and amaster secret key fmsk.

ABE.KeyGen(fmsk, P): Given a master secret key fmsk and a predicate P Pn, or some n, outputsa key fskP corresponding to P.

ABE.Enc(fmpk, x , M ): Takes as input the public key fmpk, an attribute x

{0, 1

}n, or some n, and

a message M M and outputs a ciphertext c. ABE.Dec(fskP, c): Takes as input a secret key or a predicate and a ciphertext and outputs M M.

Correctness. For any polynomial n(), or every sufciently large security parameter, in = n(), or allpredicates P Pn, attributes x {0, 1}n, and messages M M:

Pr

(fmpk, fmsk) ABE.Setup(1);fskP ABE.KeyGen(fmsk, P);c ABE.Enc(fmpk, x , M ) :ABE.Dec(fskP, c) =

M, iP(x) = 1,

, otherwise.

= 1 negl().

The space {0, 1}n is reerred to as the attribute space (with an attribute size on) and M is reerred to asthe message space.

Intuitively, the security o ABE is that M is revealed only iP(x) = 1. Regarding the attribute x, ABEssecurity does not require any secrecy o the attribute, so x may leak no matter what is the value oP(x).Many ABE schemes have been proven secure under indistinguishability-based defnitions. Despite being

15


16/52

weaker than simulation-based defnitions, such defnitions sufce or the security o our construction, so

we present them here. Two notions o security have been used in previous work: ull and selective security.

Full security allows the adversary to provide the challenge ciphertext ater seeing the public key, whereas

in selective security, the adversary must provide the challenge ciphertext beore seeing the public key. We

present both in the ull security and selective security cases, because the ABE primitive we use [GVW13]

achieves them with dierent parameters o the gapSVP assumption. We only provide the security defnitionor the case when the adversary can ask or a single key because this is all we need or our results.

Defnition 2.9 (Attribute-based encryption security). LetABE be an attribute-based encryption scheme or

a class o predicates P= {Pn}nN, and an associated message space M, and letA = (A1, A2, A3) be atriple o p.p.t. adversaries. Consider the ollowing experiment.

ExpABE(1):

1: (fmpk, fmsk) ABE.Setup(1)2: (P, state1) A1(fmpk)3: fskP ABE.KeyGen(fmsk, P)4: (M0, M1, x, state2) A2(state1, fskP)5: Choose a bit b at random and let c ABE.Enc(fmpk, x , M b).6: b A3(state2, c). I|M0| = |M1|, P(x) = 0, and b = b, output 1, else output 0.

We say that the scheme is a single-key ully-secure attribute-based encryption i or all p.p.t. adversaries

A, and or all sufciently large :

Pr[ExpABE,A(1) = 1] 1/2 + negl().

We say that the scheme is single-key selectively secure i the same statement holds or a slightly modifed

game in which A provides x beore receiving fmpk.

Attribute-based encryption schemes have been constructed or the class o Boolean ormulas [GPSW06,LOS+10] and most recently or the class o all polynomial-size circuits: Gorbunov, Vaikuntanathan and

Wee [GVW13] based on the subexponential Learning With Errors (LWE) intractability assumption, and Sahai

and Waters [SW12] based on the k-Multilinear Decisional Dife-Hellman (see [SW12] or more details). Our

reduction can start rom any o these schemes, but in this paper, we choose [GVW13] because it is based on

LWE, which is a more standard assumption and is also the assumption or our other building block, FHE.

Beore we state the results o Gorbunov, Vaikuntanathan and Wee [GVW13], we will set up some notation.

Let d and p be two univariate polynomials. Defne Cn,d(n),p(n) to be the class o all boolean circuits on ninputs o depth at most d(n) and size at most p(n). Let Cn,d(n) :=

polynomial p

Cn,d(n),p(n). An attribute-basedencryption or unctional encryption scheme that supports circuits in Cn,d(n) is called a d-leveled attribute-based encryption or unctional encryption scheme, respectively. We also reer to an ABE or FE scheme as

leveled, i it is d-leveled or some d. We are now ready to state the theorem o [GVW13].

Theorem 2.4 ([GVW13]). Assume that there is a constant 0 < < 1 such that or every sufciently large ,the approximate shortest vector problem gapSVP in dimensions is hard to approximate by a polynomialalgorithm to within a 2O(

) actor in the worst case. Then, or every n and every polynomial d = d(n),there is a selectively secure d-leveled attribute-based encryption scheme where encrypting n bits producesciphertexts o length poly(n,,d1/).

16


17/52

Furthermore, assuming thatgapSVP in dimensions is hard to approximate to within a 2O() actorin

time 2O(), the scheme is ully secure with ciphertexts o length poly(n,,d1/

2

).In either case, the scheme is secure with polynomially many secret-key queries.

2.5.1 Two-Outcome Attribute-Based Encryption

We use an attribute-based encryption scheme with a slightly modifed defnition. The setup and key generation

algorithms are the same as in previous schemes. The dierence is in the encryption and decryption algorithms:

instead o encrypting one message M in one ciphertext, we encrypt two messages M0 and M1 in the sameciphertext such that M0 is revealed i the predicate evaluates to zero on the attribute, and M1 is revealed ithe predicate evaluates to one. Since there are two possible outcomes o the decryption algorithm, we call the

modifed scheme a two-outcome attribute-based encryption scheme. Such a variant o ABE has been used or

other purposes by [PRV12].

Defnition 2.10 (Two-Outcome Attribute-Based Encryption). A two-outcome attribute-based encryption

scheme (ABE2) or a class o predicates P= {Pn}nN represented as boolean circuits with n input bits,and a message space M is a tuple o algorithms (ABE2.Setup, ABE2.KeyGen, ABE2.Enc, ABE2.Dec) asollows:

ABE2.Setup(1): Takes as input a security parameter1 and outputs a public master key fmpk and amaster secret key fmsk.

ABE2.KeyGen(fmsk, P): Given a master secret key fmsk and a predicate P P, outputs a key fskPcorresponding to P.

ABE2.Enc(fmpk, x , M 0, M1): Takes as input the public key fmpk, an attribute x {0, 1}n, or somen, and two messages M0, M1 M and outputs a ciphertext c.

ABE2.Dec(fskP, c): Takes as input a secret key or a predicate and a ciphertext and outputs M M.

Correctness. For any polynomial n(), or every sufciently large security parameter, in = n(), or allpredicates P Pn, attributes x {0, 1}n, messages M0, M1 M:

Pr

(fmpk, fmsk) ABE2.Setup(1);fskP ABE2.KeyGen(fmsk, P);c ABE2.Enc(fmpk, x , M 0, M1);M ABE2.Dec(fskP, c) :M = MP(x)

= 1 negl().We now defne the security or single-key two-outcome attribute-based encryption. Intuitively, the security

defnition requires that, using a token or a predicate P, an adversary can decrypt one o the two messagesencrypted in C based on the evaluation o P on the attribute, but does not learn anything about the othermessage.

Defnition 2.11 (Two-outcome attribute-based encryption security). LetABE2 be a two-outcome attribute-

based encryption scheme or the class o predicates P= {Pn}nN and associated message space M and letA = (A1, A2, A3) be a triple o p.p.t. adversaries. Consider the ollowing experiment.

17


18/52

ExpABE2 (1):

1: (fmpk, fmsk) ABE2.Setup(1)2: (P, state1) A1(fmpk)3: skP ABE2.KeyGen(fmsk, P)4: (M, M0, M1, x, state2) A2(state1, skP)5: Choose a bit b at random. Then, let

c =

ABE2.Enc(fmpk, x , M , M b), iP(x) = 0,

ABE2.Enc(fmpk, x , M b, M), otherwise.

6: b A3(state2, c). Ib = b, n such that, or all P Pn, messages M, M0, M1 M, |M0| = |M1|,x {0, 1}n, output 1, else output 0.

We say that the scheme is a ully-secure single-key two-outcome ABE i or all p.p.t. adversaries A, andor all sufciently large security parameters :

Pr[ExpABE2,A(1) = 1] 1/2 + negl().

The scheme is single-key selectively secure i A needs to provide x beore receiving fmpk.

As beore, we need only a single-key ABE2 scheme or our construction.

A class o predicates {Pn}n is closed under negation i or all input sizes n and or all predicates p Pn,we have p Pn; p is the negation op, namely p(y) = 1 p(y) or all y.Claim 2.5. Assuming there is an ABE scheme or a class o predicates closed under negation, there exists a

two-outcome ABE scheme or the same class o predicates.

The proo o this claim is immediate and we present it in Appendix B, or completeness.

2.6 Functional Encryption (FE)

We recall the unctional encryption defnition rom the literature [KSW08, BSW, GVW12] with some

notational changes.

Defnition 2.12 (Functional Encryption). A unctional encryption scheme FE or a class o unctions F={Fn}nN represented as boolean circuits with an n-bit input, is a tuple o our p.p.t. algorithms (FE.Setup,FE.KeyGen, FE.Enc, FE.Dec) such that:

FE.Setup(1) takes as input the security parameter 1 and outputs a master public key fmpk and amaster secret key fmsk.

FE.KeyGen(fmsk, f) takes as input the master secret key fmsk and a unction f Fand outputs akey fskf.

FE.Enc(fmpk, x) takes as input the master public key fmpk and an inputx {0, 1} and outputs aciphertextc.

FE.Dec(fskf, c) takes as input a key fskf and a ciphertextc and outputs a value y.

18


19/52

Correctness. For any polynomial n(), or every sufciently large security parameter, orn = n(), or allf Fn, and all x {0, 1}n,

Pr[(fmpk, fmsk) FE.Setup(1); fskf FE.KeyGen(fmsk, f); c FE.Enc(fmpk, x) :FE.Dec(fskf, c) = f(x)] = 1 negl().

2.6.1 Security o Functional Encryption

Intuitively, the security o unctional encryption requires that an adversary should not learn anything about

the input x other than the computation result C(x), or some circuit C or which a key was issued (theadversary can learn the circuit C). As mentioned, two notions o security have been used in previous work:ull and selective security, with the same meaning as or ABE. We present both defnitions because we achieve

them with dierent parameters o the gapSVP assumption. Our defnitions are simulation-based: the security

defnition states that whatever inormation an adversary is able to learn rom the ciphertext and the unction

keys can be simulated given only the unction keys and the output o the unction on the inputs.

Defnition 2.13. (FULL-SIM-Security ) LetFE be a unctional encryption scheme or the amily o unctions

F= {Fn}nN. For every p.p.t. adversary A = (A1, A2) and p.p.t. simulatorS, consider the ollowing twoexperiments:

ExprealFE,A(1): ExpidealFE,A,S(1

):

1: (fmpk, fmsk) FE.Setup(1)2: (f, stateA) A1(fmpk)3: fskf FE.KeyGen(fmsk, f)4: (x, stateA) A2(stateA, fskf)

5: c FE.Enc(fmpk, x)6: Output (stateA, c)

5: c S(fmpk, fskf, f , f (x), 1|x|)6: Output (stateA, c)

The scheme is said to be (single-key) FULL-SIMsecure i there exists a p.p.t. simulator S such thator all pairs o p.p.t. adversaries (A1, A2), the outcomes o the two experiments are computationallyindistinguishable:

ExprealFE,A(1)

N

cExpidealFE,A,S(1

)

N

.

We now defne selective security, which is a weakening o ull security, by requiring the adversary to

provide the challenge input x beore seeing the public key or any other inormation besides the securityparameter. We simply speciy the dierence rom ull security.

Defnition 2.14 (SEL-SIM-Security). The same as De. 2.13, but modiy the game so that the frst step

consists oA speciying the challenge inputx given only the security parameter.

It is easy to see that the ull simulation defnition (FULL-SIM-security) implies the selective defnition

(SEL-SIM-security).

The literature [BSW, AGVW12] has considered another classifcation or simulation-based defnitions:

adaptive versus non-adaptive security. In the adaptive case, the adversary is allowed to ask or a unction

f ater seeing the ciphertext c or an input x. In the non-adaptive case, the adversary must frst provide f

19


20/52

and only then ask or encryptions o inputs x. Our defnition alls in the non-adaptive category. Boneh etal. [BSW] have shown that adaptive simulation-based security is unachievable even or single-key unctional

encryption or the simple unctionality o identity-based encryption. As such, the adaptive defnition appears

too strong and is unachievable or general unctionalities, so we use non-adaptive security.

Remark 2.6. Attribute-based encryption can be viewed as unctional encryption or a specifc class o

unctionalities, where the additional inormation leaked is part o the output to the unction. Namely, consider

a class o unctions Fwhose plaintext space consists o pairs o values rom {0, 1}n M, where {0, 1}nis the attribute space (with an attribute size on) andM is the message space. The class o unctions or

ABE is more specifc: there exists an associated predicate class P= {Pn}nN to Fsuch that or every n, orevery f Fn, there is an associated predicate P Pn to f such that

f(x, M) =

(x, M), iP(x) = 1,

(x, ), otherwise.

Since the attribute x is in the output o the unction no matter what P is, x leaks rom the scheme no matterwhat (x is public). Thereore, this unctionality leads to weaker security guarantees than unctional encryption

in a conceptual way: the value to be computed on, x, leaks with ABE (whereas the value M on which P doesnot compute remains secret when P(x) = 0), whereas the input x to the computation is hidden with FE.

3 Our Functional Encryption Scheme

In this section, we present our main result: the construction o a unctional encryption scheme FE. We reer

the reader to the introduction (Sec. 1.2) or an overview o our approach, and we proceed directly with the

construction here.

We use three building blocks in our construction: a (leveled) ully homomorphic encryption scheme FHE,

a (leveled) two-outcome attribute-based encryption scheme ABE2, and a Yao garbling scheme Gb.

We let FHE.Evalf(hpk, ) denote the circuit that perorms homomorphic evaluation o the unction f

on the vector o ciphertexts := (1, . . . , n) using the public key hpk, and we will let FHE.Evalif(hpk, )denote the predicate that computes the i-th output bit oFHE.Evalf(hpk, ). Namely,

FHE.Evalf(hpk, ) =FHE.Eval1f(hpk, ), . . . ,FHE.Eval

f(hpk, )

,

where = () =FHE.Evalf(hpk, ). Our main theorem then says:

Theorem 3.1. There is a (ully/selectively secure) single-key unctional encryption scheme FE =(FE.Setup,FE.KeyGen, FE.Enc,FE.Dec) or any class o circuits C that take n bits o input and produce aone-bit output, assuming the existence o the ollowing primitives:

an IND-CPA-secure

C-homomorphic encryption scheme FHE = (FHE.KeyGen, FHE.Enc, FHE.Eval,

FHE.Dec);

a (ully/selectively secure) single-key attribute-based encryption scheme ABE = (ABE.Setup,ABE.KeyGen,ABE.Enc,ABE.Dec) or the class o predicates P= PC,FHE where

PC,FHE = {FHE.EvaliC, 1 FHE.EvaliC : C C andi {1, . . . , }}; and

20


21/52

a Yao garbling scheme Gb = (Gb.Garble,Gb.Enc,Gb.Eval) that is input- and circuit-private.The succinctness property o the unctional encryption scheme is summarized as ollows: the size o the

ciphertexts ctsizeFE(n) in the resulting scheme orn bits o input is

2

ctsizeFHE

ctsizeABE(n ctsizeFHE + pksizeFHE)+ poly(, ctsizeFHE, sksizeFHE).where ctsizeABE(k) denotes the size o the ciphertexts in the attribute-based encryption scheme or a k-bitattribute and a poly()-bit message, ctsizeFHE denotes the size o the ciphertexts in the ully homomorphicencryption scheme or a single-bit message andpksizeFHE (resp. sksizeFHE) denotes the size o the public key

(resp. secret key) in the ully homomorphic encryption scheme.

Since garbling schemes can be constructed rom one-way unctions, our theorem says that we can move

rom attribute-based encryption, in which the part o the input that the unction computes on leaks, to a

unctional encryption scheme, in which no part o the input leaks using ully homomorphic encryption and

Yao garbled circuits.

We can see that i the ciphertext size in the ABE scheme and the ully homomorphic encryption scheme

does not depend on the circuit size (and thus, those schemes are by themselves succinct), then neither will the

resulting ciphertexts o the FE scheme depend on the circuit size; namely, the reduction does not blow up the

ciphertexts and is succinctness-preserving. We know o both a leveled FHE scheme and a leveled ABE

scheme ([GVW13]) with ciphertext lengths independent o the size o the circuits to evaluate; the ciphertext

size in these schemes just depends on the depth o the circuits.

We note that ully homomorphic encryption schemes with succinct ciphertexts that are also independent

o depth are known, albeit under the stronger assumption o circular security o the underlying schemes. Thus,

i the result o [GVW13] can be improved to remove the depth dependency o the ciphertexts in the ABE

scheme, one automatically obtains a corresponding result or ABE using our reduction.

Our theorem needs the ABE scheme to be secure only with a single key, even though the recent

constructions [GVW13] and [SW12] can tolerate an arbitrary number o keys.

Our main theorem is thus a reduction, which has a number o useul corollaries. The frst and perhaps

the most important one shows how to combine the leveled ully homomorphic encryption scheme rom[BV11a, BGV12] with the recent construction o a leveled attribute-based encryption scheme rom [GVW13]

to obtain a leveled unctional encryption scheme based solely on the hardness o LWE. In other words, the

corollary says that or every depth d, there is a unctional encryption scheme or the class o all Booleancircuits o (arbitrary) polynomial size and depth at most d. The size o the ciphertexts in the scheme growswith d, and is o course independent o the size o the circuits it supports.

Let d and p be polynomial unctions. Defne Cn,d(n),p(n) to be the class o all Boolean circuits on n inputso depth at most d(n) and size at most p(n). Let Cn,d(n) :=

polynomial p

Cn,d(n),p(n).Corollary 3.2 (The LWE Instantiation). We have the ollowing two constructions o unctional encryption

based on the worst-case hardness o lattice problems:

Assume that there is a constant 0 < < 1 such that or every sufciently large , the approximateshortest vector problem gapSVP in dimensions is hard to approximate to within a 2O(

) actor

(in polynomial time) in the worst case. Then, or every n and every polynomial d = d(n), there isa selectively-secure (succinct single-key) unctional encryption scheme or the class Cn,d(n) whereencrypting n bits produces ciphertexts o length poly(n,,d1/).

21


22/52

Assume that there is a constant 0 < < 1 such that or every sufciently large , the approximateshortest vector problem gapSVP in dimensions is hard to approximate to within a 2O(

) actor

in time 2O() in the worst case. Then, or every n and every polynomial d = d(n), there is a ully-

secure (succinct single-key) unctional encryption scheme or the class Cn,d(n) where encrypting n bitsproduces ciphertexts o length poly(n1/, , d1/

2

).

The corollary ollows directly rom Theorem 3.1, by invoking the leveled ully homomorphic encryption

scheme o[BV11a] (see Theorem 2.1) and the leveled attribute-based encryption scheme o [GVW13] (see

Theorem 2.4). The concrete constructions and proos in act go through the learning with errors (LWE)

problem; we reer to [BV11a, GVW13] or the concrete setting o parameters.

Letting universal attribute-based encryption or unctional encryption denote a single attribute-based

encryption or unctional encryption scheme scheme, respectively, that supports the class o all polynomial-size

circuits, we have the ollowing corollary:

Corollary 3.3 (Universal Functional Encryption). Assuming that ully homomorphic encryption schemes exist

and universal single-key attribute-based encryption schemes exist, there is a universal single-key unctional

encryption scheme.

O the two prerequisites mentioned above, we know that ully homomorphic encryption schemes exist

(albeit under stronger assumptions than merely LWE). Thus, the corollary provides a way to immediately

translate any universal attribute-based encryption scheme into a unctional encryption scheme. We point out

that universal unctional encryption schemes, by defnition, have succinct ciphertexts.

A recent result o Gorbunov, Vaikuntanathan and Wee [GVW12] shows how to generically convert

single-key unctional encryption schemes into q-keys unctional encryption schemes or any bounded q,where the latter provide security against an attacker that can obtain secret keys o up to q unctions o herchoice. The size o the ciphertexts in the q-keys scheme grows polynomially with q.

Corollary 3.4 (Many queries, using [GVW12]). For every q = q(), there is a (ully/selectively-secure)q-keys succinct unctional encryption scheme or any class o circuits C that take n bits o input and produce aone-bit output, assuming the existence o primitives as in Theorem 3.1. The size o the ciphertexts ctsize

FE(n)

in the resulting scheme is q times as large as in Theorem 3.1.

Finally, a unctional encryption scheme or circuits that output multiple bits can be constructed by

thinking o the circuit as many circuits each with one-bit output, and modiying the key generation procedure

to produce keys or each o them. This gives us the ollowing corollary although we remark that more efcient

methods o achieving this directly are possible using homomorphic encryption schemes that pack multiple

bits into a single ciphertext [SV11, BGV12, GHS12a].

Corollary 3.5 (Many queries, many output bits). For every q = q() and k = k(n), there is a(ully/selectively secure) q-keys unctional encryption scheme or any class o circuits C that take n bits oinput and produce k bits o output, assuming the existence o primitives as in Theorem 3.1. The size o theciphertexts ctsizeFE(n) in the resulting scheme is qk times as large as in Theorem 3.1.

Remark 3.6 (On the necessity o single-key security). We note that even though the work o [GVW13]

provides an attribute-based scheme that is secure even i the adversary obtains secret keys or polynomially

many unctions, our theorem gives us only a single-key secure scheme. Indeed, this is inherent by the

impossibility result o [AGVW12] i we ask or (even a very weak notion o) simulation security, as we do

here. Corollary 3.4 gives us a way to get (simulation-)security with q queries or any a priori bounded q,albeit at the expense o the ciphertext growing as a unction o q.

22


23/52

Remark 3.7 (On composing our unctional encryption scheme). One might wonder i chaining is possible

with our FE scheme. Namely, one could try to generate keys or a unction f that computes another unctionf1 on an inputx and then outputs f1(x) together with a new encryption ox under a dierent public key orthe FE scheme. The new encryption o x could be used to compute a second unction f2(x) and an encryptionox under yet another public key. This chain could potentially repeat and its beneft is that it allows us to

compute multiple unctions on x (and overcome the single-key property). However, this approach allows onlya very small number o iterations because, in order to produce one bit o output rom FE.Dec, the ciphertextsoutput by FE.Enc are polynomial in . To obtain an FE ciphertext as result oFE.Dec, one needs to havestarted with ciphertexts o size quadratic in the frst polynomial. I we want to chain the scheme q times, theoriginal ciphertext must have been exponential in q.

3.1 Construction

For simplicity, we construct FE or unctions outputting one bit; unctions with larger outputs can be handled

by repeating our scheme below or every output bit.

From Claim 2.5, the existence o a secure single-key ABE scheme implies the existence o a two-outcome

single-key ABE scheme, which we denote ABE2. Let = () be the length o the ciphertexts in the FHE

scheme (both rom encryption and evaluation). The construction oFE = (FE.Setup, FE.KeyGen, FE.Enc,FE.Dec) proceeds as ollows.

Setup FE.Setup(1): Run the setup algorithm or the two-outcome ABE scheme times:

(fmpki, fmski) ABE2.Setup(1) or i [].

Output as master public key and secret key:

MPK = (fmpk1, . . . , fmpk) and MSK = (fmsk1, . . . , fmsk).

Key Generation FE.KeyGen(MSK, f): Let n be the number o bits in the input to the circuit f. Ihpk isan FHE public key and 1, . . . , n are FHE ciphertexts, recall that FHE.Eval

i

f

(hpk, 1, . . . , n) is the i-thbit o the homomorphic evaluation of on 1, . . . , n (FHE.Eval(hpk, f , 1, . . . , n)), where i []. Thus,FHE.Evalif : {0, 1}|hpk| {0, 1}n {0, 1}.

1. Run the key generation algorithm oABE2 or the unctions FHE.Evalif (under the dierent master

secret keys) to construct secret keys:

fski ABE2.KeyGen(fmski,FHE.Evalif) or i [].

2. Output the tuple fskf := (fsk1, . . . , fsk) as the secret key or the unction f.

Encryption FE.Enc(MPK, x): Let n be the number o bits ox, namely x = x1 . . . xn. Encryption proceeds

in three steps.

1. Generate a resh key pair (hpk, hsk) FHE.KeyGen(1) or the (leveled) ully homomorphicencryption scheme. Encrypt each bit o x homomorphically: i FHE.Enc(hpk, xi). Let :=(1, . . . , n) be the encryption o the input x.

23


24/52

2. Run the Yao garbled circuit generation algorithm to produce a garbled circuit or the FHE decryption

algorithm FHE.Dec(hsk, ) : {0, 1} {0, 1} together with 2 labels Lbi or i [] and b {0, 1}.Namely,

, {L0i , L1i }i=1

Gb.Garble(1,FHE.Dec(hsk, )),

where is the garbled circuit and the Lbi are the input labels.

3. Produce encryptions c1, . . . , c using the ABE2 scheme:

ci ABE2.Encfmpki, (hpk, ), L

0i , L

1i

or i [],

where (hpk, ) comes rom the frst step, and the labels (L0i , L1i ) come rom the second step.

4. Output the ciphertext c = (c1, . . . , c, ).

Decryption FE.Dec(fskf, c):

1. Run the ABE2 decryption algorithm on the ciphertexts c1, . . . , c to recover the labels or the garbledcircuit. In particular, letLdii ABE2.Dec(fski, ci) or i [],

where di is equal to FHE.Evalif(hpk, ).

2. Now, armed with the garbled circuit and the labels Ldii , run the garbled circuit evaluation algorithmto compute

Gb.Eval(, Ld11 , . . . , Ld ) = FHE.Dec(hsk, d1d2 . . . d) = f(x).

3.2 Proo

We now proceed to prove Theorem 3.1 by proving that the theorem holds or our construction above.

Proo o Theorem 3.1. We frst argue correctness.

Claim 3.8. The above scheme is a correct unctional encryption scheme (De. 2.12).

Proo. Let us examine the values we obtain in FE.Dec(fskf, c1, . . . , c, ). In Step (1), by the correctness othe ABE2 scheme used, di is the i-th bit oFHE.Evalf(hpk, ).

Thereore, the inputs to the garbled circuit in Step (2) are the labels corresponding toFHE.Evalf(hpk, ).By the correctness o the FHE scheme, decrypting FHE.Evalf(hpk, ) results in f(x). Finally, by thecorrectness o the garbling scheme, the FHE ciphertext gets decrypted correctly, yielding f(x) as the outputoFE.Dec.

We now prove the succinctness property which ollows directly rom our construction. The output oFE.Enc consists o ABE2 ciphertexts and a garbled circuit. First, equals ctsizeFHE. Second, each ABE2ciphertext consists o two ABE ciphertexts generated by ABE.Enc on input nctsizeFHE + pksizeFHE bits. Thelabels o the garbled circuit are poly() in size. Third, the garbled circuit is the output oGb.Garble so itssize is polynomial in the size o the input circuit, which in turn is polynomial in sksizeFHE and ctsizeFHE.

Thereore, overall, we obtain 2ctsizeFHEctsizeABE(n ctsizeFHE+pksizeFHE)+poly(, sksizeFHE, ctsizeFHE).

24


25/52

We can thus see that iFHE and ABE produce ciphertexts independent o the circuit size, then so will our

unctional encryption scheme.

We ocus on the ull security case: namely, assuming ABE2 is ully secure, we show that the resulting FE

scheme is ully secure. We then discuss the proo or the selective case.

For ull security, we construct a p.p.t. simulator S that achieves De. 2.13. S receives as input

(MPK, fskf, f , f (x), 1

n

) and must output c such that the real and ideal experiments in De. 2.13 arecomputationally indistinguishable. Intuitively, S runs a modifed version oFE.Enc to mask the act that itdoes not know x.Simulator S on input (MPK, fskf, f , f (x), 1

n):

1. Choose a key pair (hpk, hsk) FHE.KeyGen(1) or the homomorphic encryption scheme (where Scan derive the security parameter rom the sizes o the inputs it gets). Encrypt 0n (n zero bits) withFHE by encrypting each bit individually and denote the ciphertext 0 := (01 FHE.Enc(hpk, 0),. . .,0n FHE.Enc(hpk, 0)).

2. Let SimGarble be the simulator or the Yao garbling scheme (described in De. 2.7) or the class o

circuits corresponding to FHE.Dec(hsk, ). Run SimGarble to produce a simulated garbled circuit or the FHE decryption algorithm FHE

.Dec

(hsk

, ) : {0, 1}

{0, 1}together with the simulated

encoding consisting o one set o labels Li or i = 1 . . . . Namely,, {Li}i=1

SimGarble(1, f(x), 1|FHE.Dec(hsk,)|, 1).

The simulator S can invoke SimGarble because it knows f(x), and can compute the size o theFHE.Dec(hsk, ) circuit, and rom the sizes o the input parameters.

3. Produce encryptions c1, . . . , c under the ABE2 scheme in the ollowing way. Let

ci ABE2.Encfmpki, (hpk, 0), Li, Li

,

where S uses each simulated label Li twice.

4. Output c = ( c1, . . . , c, ).

To prove indistinguishability o the real and ideal experiments (De. 2.13), we defne a sequence o hybrid

experiments, and then invoke the security defnitions o the underlying schemes (FHE, garbled circuit, and

ABE2 respectively) to show that the outcome o the hybrid experiments are computationally indistinguishable.

Hybrid 0 is the output o the ideal experiment rom De. 2.13 or our FE construction with simulator S. Wedenote it ExpH0FE,A (= Exp

idealFE,A,S).

Hybrid 1 (ExpH1FE,A) is the same as Hybrid 0, except that the simulated ciphertext or Hybrid 1 (which we

denote c(1)), changes. Let c(1) be the ciphertext obtained by running the algorithm oS, except that in Step (3),

encrypt x instead o0, namely:

c(1)i ABE2.Enc

fmpki, (hpk, ), Li, Li

,

where (FHE.Enc(hpk, x1), . . . ,FHE.Enc(hpk, xn)). Let

c(1) = (c(1)1 , . . . , c

(1) , ).

25


26/52

Hybrid 2 (ExpH2FE,A) is the same as Hybrid 1, except that in Step ( 2), the ciphertext contains a real garbled

circuit , {L0i , L1i }i=1

Gb.Garble(FHE.Dec(hsk, )).

Let di = FHE.Evalif(hpk, ). In Step (3), include L

di twice in the ABE encryption; namely:

c(2)i ABE2.Enc

fmpki, (hpk, ), L

dii , L

dii

, and

c(2) = (c(2)1 , . . . , c

(2) , ).

Hybrid 3 (ExpH3FE,A) is the output o the real experiment rom De. 2.13 or our FE construction.

We prove each pair o consecutive hybrids to be computationally indistinguishable in the ollowing three

lemmas, Lemmas 3.9, 3.10, and 3.11.

Lemma 3.9. Assuming FHE is IND-CPAsecure, Hybrid 0 and Hybrid 1 are computationally indistinguish-

able.

Proo. We proceed by contradiction. We assume that there exist p.p.t. adversaries A = (A1, A2) and a p.p.t.distinguisher D such that D (with A) can distinguish between Hybrid 0 and Hybrid 1 above. Namely, thereexists a polynomial p() such that, or infnitely many ,

| Pr[D(ExpH0FE,A(1)) = 1] Pr[D(ExpH1FE,A(1)) = 1]| 1/p(). (1)

We construct a p.p.t. adversary R = (R1, R2) that can break the semantic security oFHE. Adversary R1outputs an n-bit value x or some n, and adversary R2 receives as input either homomorphic encryption ox or o0n, and it will distinguish between these two. Distinguishing successully implies that there is anadversary that can distinguish successully in De. 2.5, by a standard hybrid argument.

To determine x, adversary R1 works as ollows:

1. Run Exp

ideal

FE,A,S(1

) (De. 2.13) rom Step (1) to Step (4) and let x be the output oA2 in Step (4).

2. Output x.

To distinguish between encryption ox or 0n, adversary R2 receives input hpk, the FHE public key, and

an encryption E ox or 0n and works as ollows:

1. Run a modifed algorithm o S by using hpk instead o generating resh FHE keys and using E

instead o encrypting 0n. Namely:

(a) Generate

, {Li}i=1

as in Step (2) o S.

(b) Output c = (c1, . . . , c) or c

i = ABE2.Enc(fmpki, ((hpk

, E), Li, Li)).

2. Feed (c, ) to D and output the decision oD.

Notice that iE is encryption o0n, R2 simulates Hybrid 0 perectly; when E is encryption ox, R2

simulates Hybrid 1 perectly. Thereore, D must have a probability o distinguishing between the two cases o

26


27/52

at least 1/p() (Eq. (1)); moreover, whenever

Date post:	03-Apr-2018
Category:	Documents
Upload:	unicycle1234
View:	224 times
Download:	0 times

Succint Filterable Decryption

Documents