Abstract
We introduce the notion of publicly auditable functional encryption (PAFE). Compared to standard functional encryption, PAFE operates in an extended setting that includes an entity called auditor, besides key-generating authority, encryptor, and decryptor. The auditor requests function outputs from the decryptor and wishes to check their correctness with respect to the ciphertexts produced by the encryptor, without having access to the functional secret key that is used for decryption. This is in contrast with previous approaches for result verifiability and consistency in functional encryption that aim to ensure decryptors about the legitimacy of the results they decrypt.
We propose four different flavors of public auditability with respect to different sets of adversarially controlled parties (only decryptor, encryptor-decryptor, authority-decryptor, and authority-encryptor-decryptor) and provide constructions for building corresponding secure PAFE schemes from standard functional encryption, commitment schemes, and non-interactive witness-indistinguishable proof systems. At the core of our constructions lies the notion of a functional public key, that works as the public analog of the functional secret key of functional encryption and is used for verification purposes by the auditor. Crucially, in order to ensure that these new keys cannot be used to infer additional information about plaintext values (besides the requested decryptions by the auditor), we propose a new indistinguishability-based security definition for PAFE to accommodate not only functional secret key queries (as in standard functional encryption) but also functional public key and decryption queries. Finally, we propose a publicly auditable multi-input functional encryption scheme (MIFE) that supports inner-product functionalities and is secure against adversarial decryptors. Instantiated with existing MIFE using “El Gamal”-like ciphertexts and \(\varSigma \)-protocols, this gives a lightweight publicly auditable scheme.
Acknowledgements
We would like to thank the anonymous reviewers for their constructive feedback. This work was partially supported by Hong Kong RGC under grant 16200721.
A Proof of Theorem 1
We prove that the PAFE security game is indistinguishable regardless of the challenger bit. We define multiple hybrids to go from the execution of the PAFE security game with \(b=0\) to the execution with \(b=1\) and prove them successively indistinguishable. We state the advantage that the adversary has during each transformation and provide the total advantage at the end of our analysis.
Note that we exclude from our analysis adversarial strategies that trivially win the PAFE security game (by violating its winning conditions). This means that if the adversary issues a series of queries like (\(^\star \)) or (\(^{\star \star }\)) the advantage of the adversary is reduced to 0, from the PAFE security game (Definition 8).

Now, observe that we can divide all remaining possible, non-trivially-winning, strategies into two cases, based on whether the adversary issues QDec(\(\cdot \),\(\cdot \)) queries (case (i)) or not (case (ii)).
Intuitively by making such a division first we “exploit” the fact that adversaries who do not issue QDec(\(\cdot ,\cdot \)) queries (case (ii)), essentially degenerate into FE-type adversaries. The only exception is that they can also have access to functional public keys (which are computationally hiding commitments). On the other hand, we know that the adversary in case (i) will issue at least one non-trivially-violating QDec(\(\textsf {ct},\cdot \)) query, for QEnc(x\(_0\),x\(_1\))\(\rightarrow \) ct. This allows us to define hybrids over the total number of QEnc queries that are subsequently different in just a single output of the QEnc(x\(_0\),x\(_1\))\(\rightarrow \) ct\(^b\) query (based on the challenger bit) and prove them indistinguishable. In more detail, we present our analysis for the two cases below:
Proof (Security).
Case (i): We assume \(\mathcal {A}_{\textsf {PAFE}}\) issues at least one QDec(\(\cdot ,\cdot \)) query. We prove indistinguishability of the game that \(\mathcal {A}_\textsf {PAFE}\) plays when \(b=0\) and \(b=1\) through a series of hybrids. Below we define the hybrids and prove them consecutively indistinguishable. The challenger bit is represented in the game/hybrid exponents.
\(\mathcal {G}_{UD}^0\): It is the security game when \(b=0\).
\(\mathcal {H}_{UD,1}^0\): It is exactly the same game as \(\mathcal {G}_{UD}^0\) except for the computation of c\(_d\). In \(\mathcal {G}_{UD}^0\) c\(_d\) \(\leftarrow \) Com.Commit(msk\(;u_d\)), whereas in \(\mathcal {H}_{UD,1}^0\) c\(^\prime _d\) \(\leftarrow \) Com.Commit(\(\top ;u_d\)). From the hiding property of the employed commitment scheme no PPT adversary who sees a commitment can identify the committed value. Thus, \(\mathcal {G}_{UD}^0 \approx \mathcal {H}_{UD,1}^0\) and more specifically, \(Adv^\text {Distinguish}_{\mathcal {G}_{UD}^0-\mathcal {H}_{UD,1}^0}(\mathcal {A}_\textsf {PAFE})=Adv^\text {Com-Hiding}(\mathcal {A}_\textsf {PAFE})\).
\(\mathcal {H}_{UD,2}^0\): It is exactly the same game as \(\mathcal {H}_{UD,1}^0\) except for the computation of \(\pi _d\). In \(\mathcal {H}_{UD,1}^0\) \(\pi _d\) \(\leftarrow \) NIWI\(_d\) .Prove(mpk,msk,f,sk\(_f\),\(r_f\),pk\(_f\),ct,y,c\(_d\),\(u_d\) ) using the first condition for relation \(\textsf {R}_{UD,d}\), whereas in \(\mathcal {H}_{UD,2}^0\), using the second condition of \(\textsf {R}_{UD,d}\), \(\pi _d^\prime \) \(\leftarrow \) NIWI\(_d\) .Prove(mpk,\(\bot \),f,\(\bot \),\(\bot \),pk\(_f\),ct,y,c\(_d\),\(u_d\) ). From the witness indistinguishability property of NIWI\(_d\) no PPT adversary can distinguish which condition is satisfied for the generation of \(\pi _d\). Thus, \(\mathcal {H}_{UD,1}^0 \approx \mathcal {H}_{UD,2}^0\) and more specifically, \(Adv^\text {Distinguish}_{\mathcal {H}_{UD,1}^0-\mathcal {H}_{UD,2}^0}(\mathcal {A}_\textsf {PAFE})=Adv^{WI}_{NIWI}(\mathcal {A}_\textsf {PAFE})\).
\(\mathcal {H}_{UD,3}^0\): It is exactly the same game as \(\mathcal {H}_{UD,2}^0\) except for the computation of y. In this case, we change y to be \(\textsf {y}=f(\textsf {x})\) instead of y \(\leftarrow \) FE.Dec(mpk,f,sk\(_f\),ct). Remember that for \(\mathcal {A}_{\textsf {PAFE}}\) to have a non-negligible chance of winning its game, it must be that for all functions f for which \(\mathcal {A}_\textsf {PAFE}\) issues a QSKeyGen(f) query and for all \(\textsf {ct}\leftarrow \) QEnc(x\(_0\),x\(_1\)): \(f(\textsf {x})=f(\textsf {x}_0)=f(\textsf {x}_1)\). Additionally and similarly, for all functions f for which \(\mathcal {A}_\textsf {PAFE}\) has issued QPKeyGen(f) and QDec(ct,f) queries, where ct\(\leftarrow \) QEnc(x\(_0\),x\(_1\)), it must be that \(f(\textsf {x})=f(\textsf {x}_0)=f(\textsf {x}_1)\). In any other case, by the restrictions of the security game for PAFE, \(Adv^{sec-PAFE}\big (\mathcal {A}_\textsf {PAFE}(1^\lambda )\big )=0\). Since \(\mathcal {A}_{\textsf {PAFE}}\) cannot win in either of these two games with non-negligible advantage unless \(f(\textsf {x}_0)=f(\textsf {x}_1)\), \(\mathcal {H}_{UD,2}^0 \approx \mathcal {H}_{UD,3}^0\) and more specifically, \(Adv^\text {Distinguish}_{\mathcal {H}_{UD,2}^0-\mathcal {H}_{UD,3}^0}(\mathcal {A}_\textsf {PAFE})=0\).
\(\mathcal {H}_{UD,4}^0\): In this game we make the following change: the challenger samples
, initializes a counter \(j=0\), and when \(\mathcal {A}_\textsf {PAFE}\) issues an encryption query, the challenger sets \(j=j+1\) and returns ct\(_j^b\) (we denote that query as QEnc(x\(_{0,j}\),x\(_{1,j}\)), more concretely). Now, when \(\mathcal {A}_\textsf {PAFE}\) issues a QPKeyGen(f) query, \(\mathcal {C}\) checks whether \(f(\textsf {x}_{0,j^\prime })\ne f(\textsf {x}_{1,j^\prime })\). If so, it samples z\(_f\), \(r_f\)
and computes pk\(_f\) \(\leftarrow \) Com.Commit(z\(_f\);\(r_f\)). Remember that since \(f(\textsf {x}_{0,j^\prime })\ne f(\textsf {x}_{1,j^\prime })\) the adversary cannot issue a QSKeyGen(f) or a QDec(ct\(_{j^\prime }^b\),f) query — for that particular ciphertext. In such cases \(\mathcal {A}_\textsf {PAFE}\) would trivially diminish its advantage to 0, contradicting our assumption that it has non-negligible advantage \(\epsilon \) in winning the security game for PAFE. Therefore, from the hiding property of the underlying commitment scheme, similarly to \(\mathcal {G}_{UD}^0 \approx \mathcal {H}_{UD,1}^0\), we get that \(\mathcal {H}_{UD,3}^0 \approx \mathcal {H}_{UD,4}^0\) and more specifically, \(Adv^\text {Distinguish}_{\mathcal {H}_{UD,3}^0-\mathcal {H}_{UD,4}^0}(\mathcal {A}_\textsf {PAFE})=Adv^\text {Com-Hiding}(\mathcal {A}_\textsf {PAFE})\).
\(\mathcal {H}_{UD,5.j}^b\): We now define a series of hybrids, indexed by j. In these hybrids we make the following change: the challenger samples
and when \(\mathcal {A}_\textsf {PAFE}\) issues a QEnc(x\(_0\),x\(_1\)) query \(\mathcal {C}\) returns ct\(^0\leftarrow \) PAFE.Enc(mpk,ek,x\(_0\) ) if \(j<j^\prime \), ct\(^1\leftarrow \) PAFE.Enc(mpk,ek,x\(_1\) ) if \(j>j^\prime \), and ct\(^b\leftarrow \) PAFE.Enc(mpk,ek,x\(_b\) ) if \(j=j^\prime \). Based on the choice of j we define \(m+1\) sub-hybrids, which we denote by \(\mathcal {H}_{UD,5.m+1}^b,\cdots ,\mathcal {H}_{UD,5.0}^b\). Clearly, \(\mathcal {H}_{UD,4}^0=\mathcal {H}_{UD,5.m+1}^b\), \(\mathcal {H}_{UD,4}^1=\mathcal {H}_{UD,5.0}^b\), and \(\mathcal {H}_{UD,5.j}^1=\mathcal {H}_{UD,5.j+1}^0\). Next, we prove \(\mathcal {H}_{UD,5.j}^0\approx \mathcal {H}_{UD,5.j}^1\), which translates into \(\mathcal {H}_{UD,5.j}^0\approx \mathcal {H}_{UD,5.j+1}^0\), based on the above, and ultimately into \(\mathcal {H}_{UD,4}^0 \approx \mathcal {H}_{UD,4}^1\).
Lemma 1
Assuming the underlying FE scheme is secure as per Definition 4 \(\mathcal {H}_{UD,5.j}^0\approx \mathcal {H}_{UD,5.j}^1\).
Proof
We prove this via contraposition. We construct an adversary \(\mathcal {A}_\textsf {FE}\) that utilizes \(\mathcal {A}_\textsf {PAFE}\) to win the security game of FE. Assuming \(\mathcal {A}_\textsf {PAFE}\) issues at most m QEnc(\(\cdot ,\cdot \)) queries, \(\mathcal {A}_\textsf {FE}\) functions as follows:
- Initialization: \(\mathcal {A}_\textsf {FE}\) receives mpk from \(\mathcal {C}\), computes pp \(\leftarrow \) Com.Setup(\(1^\lambda \)), samples
, initializes \(counter=0\), initializes a table \(\mathcal {T}_{enc}\), samples \(r_s \leftarrow \{0,1\}^\lambda \), computes c\(_d\) \(\leftarrow \) Com.Commit(\(\top ;u_d\) ), samples \(b^\prime \leftarrow \{0,1\}\), and forwards the triple (pp,mpk,c\(_d\)) to \(\mathcal {A}_{\textsf {PAFE}}\).
- Encryption queries: When \(\mathcal {A}_{\textsf {PAFE}}\) issues a QEnc(x\(_0\),x\(_1\)) query to \(\mathcal {A}_\textsf {FE}\), the latter issues a QEnc(x\(_j\),x\(_j\)) query to \(\mathcal {C}\) and increments counter by 1, where \(x_j=x_0\) for \(counter < j^\star \) and \(x_j=x_1\) for \(counter>j^\star \). For \(counter=j^\star \), \(\mathcal {A}_\textsf {FE}\) forwards the query to \(\mathcal {C}\) without any alteration. Regardless of the case, \(\mathcal {C}\) returns a ciphertext ct, which \(\mathcal {A}_\textsf {FE}\) forwards to \(\mathcal {A}_{\textsf {PAFE}}\).
- Functional secret key queries: When \(\mathcal {A}_{\textsf {PAFE}}\) issues a QSKeyGen query to \(\mathcal {A}_\textsf {FE}\), the latter forwards the query to \(\mathcal {C}\), who responds with sk\(_f\). \(\mathcal {A}_\textsf {FE}\) then checks if a QPKeyGen query has been issued for f. If not, it samples
and computes pk\(_f \leftarrow \) Com.Commit(\(\textsf {sk}_f;r_f\) ). \(\mathcal {A}_\textsf {FE}\) then forwards (sk\(_f\),pk\(_f\)) to \(\mathcal {A}_{\textsf {PAFE}}\).
- Functional public key queries: When \(\mathcal {A}_{\textsf {PAFE}}\) issues a QPKeyGen(f) query to \(\mathcal {A}_\textsf {FE}\), the latter checks whether \(f(\textsf {x}_{0.j^\star })\ne f(\textsf {x}_{1.j^\star })\). If so, \(\mathcal {A}_\textsf {FE}\) samples
, samples
, and computes pk\(_f \leftarrow \) Com.Commit(\(\textsf {z}_f;r_f\) ). Otherwise, \(\mathcal {A}_{FE}\) forwards a QSKeyGen(f) query to \(\mathcal {C}\), who responds with sk\(_f\). \(\mathcal {A}_{FE}\) samples
, and computes pk\(_f \leftarrow \) Com.Commit(\(\textsf {sk}_f;r_f\) ). In any case \(\mathcal {A}_\textsf {FE}\) returns pk\(_f\) to \(\mathcal {A}_{\textsf {PAFE}}\).
- Decryption queries: When \(\mathcal {A}_{\textsf {PAFE}}\) issues a QDec(\(\textsf {ct},f\)) query to \(\mathcal {A}_\textsf {FE}\), the latter assigns y \(\leftarrow f(\textsf {x}_{j})\) and \(\pi _d\) \(\leftarrow \) NIWI\(_d\) .Prove(mpk,\(\top \),f,\(\bot \),\(\bot \),pk\(_f\),ct,y,c\(_d\),\(u_d\) ). \(\mathcal {A}_\textsf {FE}\) forwards (y,\(\pi _d\)) to \(\mathcal {A}_{\textsf {PAFE}}\).
- Finalization: \(\mathcal {A}_{\textsf {PAFE}}\) outputs a bit \(b^\prime \), which \(\mathcal {A}_\textsf {FE}\) forwards to \(\mathcal {C}\).
The advantage \(\mathcal {A}_\textsf {FE}\) has in winning the FE IND-security game utilizing \(\mathcal {A}_\textsf {PAFE}\) is \(\frac{\epsilon }{m}>\textsf{negl}{({\lambda })}\). This derives from the fact that \(\mathcal {A}_\textsf {FE}\) needs to “guess” correctly the ct\(^b_j\leftarrow \)QEnc(\(\cdot ,\cdot \)) query for which \(\mathcal {A}_\textsf {PAFE}\) will issue at least one “legitimate” QDec(ct\(_j^b\),\(\cdot \)) query, and does so by sampling \(j^\star \) at random.
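The \(\epsilon /m\) loss stated above can be made explicit by averaging over the guess \(j^\star \) (added derivation, not part of the original proof; it assumes \(j^\star \) is sampled uniformly from \(\{1,\dots ,m\}\) and writes \(P_j^b\) for the probability that \(\mathcal {A}_\textsf {PAFE}\) outputs 1 in \(\mathcal {H}_{UD,5.j}^b\)). When the FE challenger uses bit b, \(\mathcal {A}_\textsf {FE}\) simulates exactly \(\mathcal {H}_{UD,5.j^\star }^b\), so

\[
\Pr \big [\mathcal {A}_\textsf {FE}\rightarrow 1 \mid b\big ] = \frac{1}{m}\sum _{j=1}^{m} P_j^b .
\]

Using \(\mathcal {H}_{UD,5.j}^1=\mathcal {H}_{UD,5.j+1}^0\), i.e. \(P_j^1=P_{j+1}^0\), the sum telescopes:

\[
Adv^\text {FE-IND security}(\mathcal {A}_\textsf {FE}) = \frac{1}{m}\Big |\sum _{j=1}^{m}\big (P_j^0-P_j^1\big )\Big | = \frac{1}{m}\Big |\sum _{j=1}^{m}\big (P_j^0-P_{j+1}^0\big )\Big | = \frac{1}{m}\big |P_1^0-P_{m+1}^0\big |.
\]

Finally, \(P_{m+1}^0=\Pr [\mathcal {A}_\textsf {PAFE}\rightarrow 1 \text { in } \mathcal {H}_{UD,4}^0]\) and \(P_1^0=P_0^1=\Pr [\mathcal {A}_\textsf {PAFE}\rightarrow 1 \text { in } \mathcal {H}_{UD,4}^1]\), so the right-hand side equals \(\frac{1}{m}\,Adv^\text {Distinguish}_{\mathcal {H}_{UD,4}^0-\mathcal {H}_{UD,4}^1}(\mathcal {A}_\textsf {PAFE})\), which is \(\epsilon /m\) whenever \(\mathcal {A}_\textsf {PAFE}\) distinguishes these two hybrids with advantage \(\epsilon \).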
Thus, \(\mathcal {H}_{UD,4}^0=\mathcal {H}_{UD,5.m+1}^b \approx \mathcal {H}_{UD,5.0}^b=\mathcal {H}_{UD,4}^1\) and more specifically:
\(Adv^\text {Distinguish}_{\mathcal {H}_{UD,4}^0-\mathcal {H}_{UD,4}^1}(\mathcal {A}_\textsf {PAFE})=Adv^\text {FE-IND security}(\mathcal {A}_\textsf {PAFE})\).
\(\mathcal {H}_{UD,3}^1\): In this game we make the following change: when \(\mathcal {A}_\textsf {PAFE}\) issues a QPKeyGen(f) query, \(\mathcal {C}\) forwards pk\(_f\leftarrow \) PAFE.KeyGen(msk,mpk,f) to \(\mathcal {A}_\textsf {PAFE}\). From the hiding property of the underlying commitment scheme, similarly to \(\mathcal {H}_{UD,3}^0 \approx \mathcal {H}_{UD,4}^0\), we get that \(\mathcal {H}_{UD,4}^1 \approx \mathcal {H}_{UD,3}^1\) and more specifically, \(Adv^\text {Distinguish}_{\mathcal {H}_{UD,4}^1-\mathcal {H}_{UD,3}^1}(\mathcal {A}_\textsf {PAFE})=Adv^\text {Com-Hiding}(\mathcal {A}_\textsf {PAFE})\).
\(\mathcal {H}_{UD,2}^1\): It is exactly the same game as \(\mathcal {H}_{UD,3}^1\) except for the computation of y. In this case, we change y to be y \(\leftarrow \) FE.Dec(mpk,f,sk\(_f\),ct) instead of \(\textsf {y}=f(\textsf {x})\). Similarly to the case \(\mathcal {H}_{UD,2}^0 \approx \mathcal {H}_{UD,3}^0\), we get that \(\mathcal {H}_{UD,3}^1 \approx \mathcal {H}_{UD,2}^1\) and more specifically, \(Adv^\text {Distinguish}_{\mathcal {H}_{UD,3}^1-\mathcal {H}_{UD,2}^1}(\mathcal {A}_\textsf {PAFE})=0\).
\(\mathcal {H}_{UD,1}^1\): It is exactly the same game as \(\mathcal {H}_{UD,2}^1\) except for the computation of \(\pi _d\). In \(\mathcal {H}_{UD,2}^1\) \(\pi _d^\prime \) \(\leftarrow \) NIWI\(_d\) .Prove(mpk,\(\bot \),f,\(\bot \),\(\bot \),pk\(_f\),ct,y,c\(_d\),\(u_d\) ) using the second condition of \(\textsf {R}_{UD,d}\), whereas in \(\mathcal {H}_{UD,1}^1\), using the first condition for relation \(\textsf {R}_{UD,d}\), \(\pi _d\) \(\leftarrow \) NIWI\(_d\) .Prove(mpk,msk,f,sk\(_f\),\(r_f\),pk\(_f\),ct,y,c\(_d\),\(u_d\) ). From the witness indistinguishability property of NIWI\(_d\), similarly to \(\mathcal {H}_{UD,1}^0 \approx \mathcal {H}_{UD,2}^0\), we get that \(\mathcal {H}_{UD,2}^1 \approx \mathcal {H}_{UD,1}^1\) and more specifically, \(Adv^\text {Distinguish}_{\mathcal {H}_{UD,2}^1-\mathcal {H}_{UD,1}^1}(\mathcal {A}_\textsf {PAFE})=Adv^{WI}_{NIWI}(\mathcal {A}_\textsf {PAFE})\).
\(\mathcal {G}_{UD}^1\): It is the security game when \(b=1\). It is exactly the same game as \(\mathcal {H}_{UD,1}^1\) except for the computation of c\(_d\). In \(\mathcal {H}_{UD,1}^1\) c\(^\prime _d\) \(\leftarrow \) Com.Commit(\(\top ;u_d\)), whereas in \(\mathcal {G}_{UD}^1\) c\(_d\) \(\leftarrow \) Com.Commit(msk\(;u_d\)). From the hiding property of the employed commitment scheme no PPT adversary who sees a commitment can identify the committed value. Thus, \(\mathcal {H}_{UD,1}^1 \approx \mathcal {G}_{UD}^1\) and more specifically, \(Adv^\text {Distinguish}_{\mathcal {H}_{UD,1}^1-\mathcal {G}_{UD}^1}(\mathcal {A}_\textsf {PAFE})=Adv^\text {Com-Hiding}(\mathcal {A}_\textsf {PAFE})\).
Therefore, the overall advantage \(\mathcal {A}_\textsf {PAFE}\) has in case (i) is: \(Adv^\text {Distinguish}_{\mathcal {G}_{UD}^0-\mathcal {G}_{UD}^1,(i)}(\mathcal {A}_\textsf {PAFE})\le 4\times Adv^\text {Com-Hiding}(\mathcal {A}_\textsf {PAFE}) + 2\times Adv^{WI}_{NIWI}(\mathcal {A}_\textsf {PAFE}) + Adv^\text {FE-IND security}(\mathcal {A}_\textsf {PAFE})\).
Case (ii): We assume \(\mathcal {A}_{\textsf {PAFE}}\) issues no QDec(\(\cdot ,\cdot \)) queries and has a non-negligible advantage \(\epsilon \) in winning the PAFE security game. In this case we exploit the fact that \(\mathcal {A}_\textsf {PAFE}\) will not issue a QSKeyGen(f) query if there exists a pair of messages \((\textsf {x}_0,\textsf {x}_1)\) in a QEnc\((\textsf {x}_0,\textsf {x}_1)\rightarrow \textsf {ct}\) query such that \(f(\textsf {x}_0)\ne f(\textsf {x}_1)\), and vice versa — since either way would trivially violate the winning conditions of the PAFE security game, rendering \(Adv^{sec-PAFE}(\mathcal {A}_\textsf {PAFE})=0\) \(\big (\)see case (\(^\star \))\(\big )\). We can therefore construct a “greedy” adversary \(\mathcal {A}_\textsf {FE}^\prime \) who utilizes \(\mathcal {A}_\textsf {PAFE}\) and wins the FE IND-security game with non-negligible advantage. \(\mathcal {A}_\textsf {FE}^\prime \) forwards all queries made by \(\mathcal {A}_\textsf {PAFE}\) to its challenger, except for QPKeyGen(\(\cdot \)) ones. When \(\mathcal {A}_{\textsf {PAFE}}\) issues a QPKeyGen(f) query to \(\mathcal {A}_\textsf {FE}^\prime \), the latter checks whether \(\exists \textsf {ct}\leftarrow \)QEnc(\(x_0,x_1)\) such that \(f(\textsf {x}_0)\ne f(\textsf {x}_1)\). If so, \(\mathcal {A}_\textsf {FE}^\prime \) samples , samples
, and computes pk\(_f \leftarrow \) Com.Commit(\(\textsf {z}_f;r_f\) ). Otherwise, \(\mathcal {A}_\textsf {FE}^\prime \) forwards a QSKeyGen(f) query to \(\mathcal {C}\), who responds with sk\(_f\). \(\mathcal {A}_{FE}^\prime \) samples
, and computes pk\(_f \leftarrow \) Com.Commit(\(\textsf {sk}_f;r_f\) ). In any case \(\mathcal {A}_\textsf {FE}^\prime \) returns pk\(_f\) to \(\mathcal {A}_{\textsf {PAFE}}\). Since the commitment scheme is computationally hiding, \(\mathcal {A}_\textsf {FE}^\prime \) also has \(\epsilon >\textsf{negl}{({\lambda })}\) advantage in winning the FE IND-security game, violating our initial assumption.
(Auditability). We show that no PPT adversary \(\mathcal {A}_{\textsf {PA-UD}}\) can violate the PA-UD property of PAFE, assuming a computationally sound NIWI for relation \(\textsf {R}_{UD,d}\), NIWI\(_d\), and a perfectly binding commitment scheme Com. We examine two cases. First, there is the case where the adversary \(\mathcal {A}_{\textsf {PA-UD}}\) may output a tuple T that satisfies \(\textsf {R}_{UD,d}\). If so, it either satisfies the condition that ensures that PA-UD holds, or the “trapdoor” condition c\(_d\) \(\leftarrow \) Com(\(\top ;u_d\) ). In the PA-UD setting c\(_d\) is generated by the authority (assumed to be honest in this setting), meaning that no malicious decryptor can generate a convincing proof using condition (2) of \(\textsf {R}_{UD,d}\).
Otherwise, without loss of generality, we distinguish between the following regarding the first condition: T violates either the commitment condition or the algorithmic condition. Since the commitment is perfectly binding, \(\forall \) pk\(_f\) \(\not \exists \)(sk\(_f^\star \),\(r_f^\star \)) \(\ne \) (sk\(_f\),\(r_f\)) such that pk\(_f\) \(\leftarrow \) Com(sk\(_f^\star \);\(r_f^\star \) ) \(\wedge \) pk\(_f\) \(\leftarrow \) Com(sk\(_f\);\(r_f\) ). Additionally, since mpk and ct are provided by trusted entities and the uniquely correct sk\(_f\) is used in the FE.Dec algorithm, y is also correct (due to the correctness of the underlying FE scheme). Due to the soundness property of NIWI\(_d\), any proof \(\pi ^\star \) that passes verification is generated for accepting PA-UD statements using valid witnesses. Therefore, no PPT \(\mathcal {A}_{\textsf {PA-UD}}\) can break the PA-UD property with non-negligible advantage.
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Koutsos, V., Papadopoulos, D. (2023). Publicly Auditable Functional Encryption. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13906. Springer, Cham. https://doi.org/10.1007/978-3-031-33491-7_15
DOI: https://doi.org/10.1007/978-3-031-33491-7_15
Print ISBN: 978-3-031-33490-0
Online ISBN: 978-3-031-33491-7