Abstract
We propose simple generic constructions of succinct functional encryption. Our key tool is strong exponentially efficient indistinguishability obfuscator (SXIO), which is the same as indistinguishability obfuscator (IO) except that the size of an obfuscated circuit and the running time of an obfuscator are slightly smaller than that of a brute-force canonicalizer that outputs the entire truth table of a circuit to be obfuscated. A “compression factor” of SXIO indicates how much SXIO compresses the brute-force canonicalizer. In this study, we propose a significantly simple framework to construct succinct functional encryption via SXIO and show that SXIO is powerful enough to achieve cutting-edge cryptography. In particular, we propose the following constructions:

Single-key weakly succinct secret-key functional encryption (SKFE) is constructed from SXIO (even with a bad compression factor) and one-way functions.

Single-key weakly succinct public-key functional encryption (PKFE) is constructed from SXIO with a good compression factor and public-key encryption.

Single-key weakly succinct PKFE is constructed from SXIO (even with a bad compression factor) and identity-based encryption.
Our new framework has side benefits. Our constructions do not rely on any number theoretic or lattice assumptions such as decisional Diffie–Hellman and learning with errors assumptions. Moreover, all security reductions incur only polynomial security loss. Known constructions of weakly succinct SKFE or PKFE from SXIO with polynomial security loss rely on number theoretic or lattice assumptions. As corollaries of our results, relationships among SXIO, a few variants of SKFE, and a variant of randomized encoding are discovered.
Notes
We basically focus on functional encryption for all circuits in this study.
In some papers, the term “compactness” is used for this property, but we use the term by Bitansky and Vaikuntanathan [16] in this study.
Note that if we construct a PKFE scheme for multi-bit output circuits, the construction [26] results in a scheme whose encryption circuit size depends on the number of output bits of the circuits.
They use a bootstrapping technique by Ananth et al. [2], which transforms functional encryption for \(\mathsf {NC}^1\) into one for \(\mathsf {P/poly}\).
Note that our requirements on an identity-based encryption scheme are the same as theirs on their identity-based encryption scheme.
We ignore the issue regarding randomness of the ciphertext in this section.
When we say identity-based encryption, we assume that it satisfies this type of succinctness. In fact, most identity-based encryption schemes based on number theoretic or lattice assumptions satisfy it. See Definition 2.10.
Komargodski and Segev [37] show that IO for \(O({\mathrm {poly}}(\log {\lambda }))\)-bit-input and subpolynomial-size circuits is constructed from collusion-resistant SKFE. However, the construction incurs quasi-polynomial security loss. In addition, it is not clear whether their IO is sufficient for the construction of Lin and Tessaro since it supports only circuits of subpolynomial size.
The security definition of Li and Micciancio for index-based functional encryption and ours are slightly different. Their definition allows an adversary to use indices for key generation in an arbitrary order. On the other hand, our definition does not allow it. The difference comes from the fact that their goal is constructing collusion-resistant functional encryption while our goal is constructing single-key functional encryption. By restricting an adversary to use indices successively from one, we can describe security proofs more simply.
More precisely, Gorbunov et al. prove that we can construct adaptively secure schemes, in which adversaries are allowed to declare a target message pair after the function query phase. However, selective security is sufficient for our purpose.
Again, we stress that the size of the encryption circuit of an identity-based encryption scheme is \(\left| \mathcal {ID}\right| ^{\alpha }\cdot {\mathrm {poly}}(\lambda ,\ell )\) where \(\ell \) is the length of plaintext, \(\mathcal {ID}\) is the identity-space, and \(\alpha \) is a constant such that \(0<\alpha <1\). Most identity-based encryption schemes based on concrete assumptions have such succinct encryption circuits. In our scheme, \(\mathcal {ID}\) is just a polynomial size.
If we want to achieve bounded collusion-resistant schemes, we additionally need pseudorandom generators that are computed by polynomial degree circuits, which is implied by number theoretic or lattice assumptions [29].
Ananth, Jain, and Sahai show a transformation from a collusion-resistant non-succinct functional encryption into a (collusion-resistant) succinct one [7]. It is easy to verify that the transformation by Ananth et al. also works for \(q\)-key collusion-succinct functional encryption schemes to achieve single-key weakly succinct ones.
References
[1] S. Agrawal, D. Boneh, X. Boyen, Efficient lattice (H)IBE in the standard model, in Henri Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS, (Springer, Heidelberg, 2010), pp. 553–572
[2] P. Ananth, Z. Brakerski, G. Segev, V. Vaikuntanathan, From selective to adaptive security in functional encryption, in Rosario Gennaro and Matthew J. B. Robshaw, editors, CRYPTO 2015, Part II, volume 9216 of LNCS, (Springer, Heidelberg, 2015), pp. 657–677
[3] P. Ananth, A. Cohen, A. Jain, Cryptography with updates, in Jean-Sébastien Coron and Jesper Buus Nielsen, editors, EUROCRYPT 2017, Part II, volume 10211 of LNCS, (Springer, Heidelberg, 2017), pp. 445–472
[4] G. Asharov, N. Ephraim, I. Komargodski, R. Pass, On the complexity of compressing obfuscation, in Hovav Shacham and Alexandra Boldyreva, editors, CRYPTO 2018, Part III, volume 10993 of LNCS, (Springer, Heidelberg, 2018), pp. 753–783
[5] B. Applebaum, Y. Ishai, E. Kushilevitz, Computationally private randomizing polynomials and their applications. Computat. Complex. 15(2), 115–162 (2006)
[6] P. Ananth, A. Jain, Indistinguishability obfuscation from compact functional encryption, in Rosario Gennaro and Matthew J. B. Robshaw, editors, CRYPTO 2015, Part I, volume 9215 of LNCS, (Springer, Heidelberg, 2015), pp. 308–326
[7] P. Ananth, A. Jain, A. Sahai, Indistinguishability obfuscation from functional encryption for simple functions. Cryptology ePrint Archive, Report 2015/730 (2015). https://eprint.iacr.org/2015/730
[8] D. Boneh, X. Boyen, Efficient selective identity-based encryption without random oracles. J. Cryptol. 24(4), 659–693 (2011)
[9] B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S.P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs. J. ACM 59(2), 6:1–6:48 (2012)
[10] E. Boyle, S. Goldwasser, I. Ivan, Functional signatures and pseudorandom functions, in Hugo Krawczyk, editor, PKC 2014, volume 8383 of LNCS, (Springer, Heidelberg, 2014), pp. 501–519
[11] Z. Brakerski, I. Komargodski, G. Segev, Multi-input functional encryption in the private-key setting: stronger security from weaker assumptions. J. Cryptol. 31(2), 434–520 (2018)
[12] N. Bitansky, R. Nishimaki, A. Passelègue, D. Wichs, From cryptomania to obfustopia through secret-key functional encryption. J. Cryptol. 33(2), 357–405 (2020)
[13] A. Banerjee, C. Peikert, A. Rosen, Pseudorandom functions and lattices, in David Pointcheval and Thomas Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, (Springer, Heidelberg, 2012), pp. 719–737
[14] Z. Brakerski, G. Segev, Function-private functional encryption in the private-key setting. J. Cryptol. 31(1), 202–225 (2018)
[15] D. Boneh, A. Sahai, B. Waters, Functional encryption: definitions and challenges, in Yuval Ishai, editor, TCC 2011, volume 6597 of LNCS, (Springer, Heidelberg, 2011), pp. 253–273
[16] N. Bitansky, V. Vaikuntanathan, Indistinguishability obfuscation from functional encryption. J. ACM 65(6), 39:1–39:37 (2018)
[17] D. Boneh, B. Waters, Constrained pseudorandom functions and their applications, in Kazue Sako and Palash Sarkar, editors, ASIACRYPT 2013, Part II, volume 8270 of LNCS, (Springer, Heidelberg, 2013), pp. 280–300
[18] R. Canetti, U. Feige, O. Goldreich, M. Naor, Adaptively secure multi-party computation, in 28th ACM STOC, (ACM Press, May 1996), pp. 639–648
[19] D. Cash, D. Hofheinz, E. Kiltz, C. Peikert, Bonsai trees, or how to delegate a lattice basis. J. Cryptol. 25(4), 601–639 (2012)
[20] N. Döttling, S. Garg, Identity-based encryption from the Diffie-Hellman assumption, in Jonathan Katz and Hovav Shacham, editors, CRYPTO 2017, Part I, volume 10401 of LNCS, (Springer, Heidelberg, 2017), pp. 537–569
[21] S. Even, O. Goldreich, A. Lempel, A randomized protocol for signing contracts, in David Chaum, Ronald L. Rivest, and Alan T. Sherman, editors, CRYPTO’82, (Plenum Press, New York, USA, 1982), pp. 205–210
[22] U. Feige, D. Lapidot, A. Shamir, Multiple non-interactive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)
[23] S. Goldwasser, S.D. Gordon, V. Goyal, A. Jain, J. Katz, F.H. Liu, A. Sahai, E. Shi, H.S. Zhou, Multi-input functional encryption, in Phong Q. Nguyen and Elisabeth Oswald, editors, EUROCRYPT 2014, volume 8441 of LNCS, (Springer, Heidelberg, 2014), pp. 578–602
[24] S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, B. Waters, Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM J. Comput. 45(3), 882–929 (2016)
[25] O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions. J. ACM 33(4), 792–807 (1986)
[26] S. Goldwasser, Y.T. Kalai, R.A. Popa, V. Vaikuntanathan, N. Zeldovich, Reusable garbled circuits and succinct functional encryption, in Dan Boneh, Tim Roughgarden, and Joan Feigenbaum, editors, 45th ACM STOC, (ACM Press, 2013), pp. 555–564
[27] S. Garg, M. Mahmoody, A. Mohammed, When does functional encryption imply obfuscation? in Yael Kalai and Leonid Reyzin, editors, TCC 2017, Part I, volume 10677 of LNCS, (Springer, Heidelberg, 2017), pp. 82–115
[28] S. Garg, A. Srinivasan, Single-key to multi-key functional encryption with polynomial loss, in Martin Hirt and Adam D. Smith, editors, TCC 2016-B, Part II, volume 9986 of LNCS, (Springer, Heidelberg, 2016), pp. 419–442
[29] S. Gorbunov, V. Vaikuntanathan, H. Wee, Functional encryption with bounded collusions via multi-party computation, in Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, (Springer, Heidelberg, 2012), pp. 162–179
[30] J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
[31] Y. Ishai, E. Kushilevitz, Randomizing polynomials: a new representation with applications to round-efficient secure computation, in 41st FOCS, (IEEE Computer Society Press, 2000), pp. 294–304
[32] F. Kitagawa, R. Nishimaki, K. Tanaka, From single-key to collusion-resistant secret-key functional encryption by leveraging succinctness. Cryptology ePrint Archive, Report 2017/638 (2017). https://eprint.iacr.org/2017/638
[33] F. Kitagawa, R. Nishimaki, K. Tanaka, Indistinguishability obfuscation for all circuits from secret-key functional encryption. Cryptology ePrint Archive, Report 2017/361 (2017). https://eprint.iacr.org/2017/361
[34] F. Kitagawa, R. Nishimaki, K. Tanaka, Obfustopia built on secret-key functional encryption, in Jesper Buus Nielsen and Vincent Rijmen, editors, EUROCRYPT 2018, Part II, volume 10821 of LNCS, (Springer, Heidelberg, 2018), pp. 603–648
[35] E. Kushilevitz, R. Ostrovsky, One-way trapdoor permutations are sufficient for non-trivial single-server private information retrieval, in Bart Preneel, editor, EUROCRYPT 2000, volume 1807 of LNCS, (Springer, Heidelberg, 2000), pp. 104–121
[36] A. Kiayias, S. Papadopoulos, N. Triandopoulos, T. Zacharias, Delegatable pseudorandom functions and applications, in Ahmad-Reza Sadeghi, Virgil D. Gligor, and Moti Yung, editors, ACM CCS 2013, (ACM Press, 2013), pp. 669–684
[37] I. Komargodski, G. Segev, From minicrypt to obfustopia via private-key functional encryption. J. Cryptol. 33(2), 406–458 (2020)
[38] B. Li, D. Micciancio, Compactness vs collusion resistance in functional encryption, in Martin Hirt and Adam D. Smith, editors, TCC 2016-B, Part II, volume 9986 of LNCS, (Springer, Heidelberg, 2016), pp. 443–468
[39] H. Lin, R. Pass, K. Seth, S. Telang, Indistinguishability obfuscation with non-trivial efficiency, in Chen-Mou Cheng, Kai-Min Chung, Giuseppe Persiano, and Bo-Yin Yang, editors, PKC 2016, Part II, volume 9615 of LNCS, (Springer, Heidelberg, 2016), pp. 447–462
[40] H. Lin, S. Tessaro, Indistinguishability obfuscation from trilinear maps and block-wise local PRGs. Cryptology ePrint Archive, Report 2017/250 (2017). https://eprint.iacr.org/2017/250
[41] M. Naor, O. Reingold, Number-theoretic constructions of efficient pseudorandom functions. J. ACM 51(2), 231–262 (2004)
[42] A. O’Neill, Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010). https://eprint.iacr.org/2010/556
[43] J. Rompel, One-way functions are necessary and sufficient for secure signatures, in 22nd ACM STOC, (ACM Press, 1990), pp. 387–394
[44] A. Shamir, Identity-based cryptosystems and signature schemes, in G. R. Blakley and David Chaum, editors, CRYPTO’84, volume 196 of LNCS, (Springer, Heidelberg, 1984), pp. 47–53
[45] A. Sahai, H. Seyalioglu, Worry-free encryption: functional encryption with public keys, in Ehab Al-Shaer, Angelos D. Keromytis, and Vitaly Shmatikov, editors, ACM CCS 2010, (ACM Press, 2010), pp. 463–472
[46] A. Sahai, B. Waters, How to use indistinguishability obfuscation: deniable encryption, and more, in David B. Shmoys, editor, 46th ACM STOC, (ACM Press, 2014), pp. 475–484
[47] A.C.C. Yao, Theory and applications of trapdoor functions (extended abstract), in 23rd FOCS, (IEEE Computer Society Press, 1982), pp. 80–91
[48] A.C.C. Yao, How to generate and exchange secrets (extended abstract), in 27th FOCS, (IEEE Computer Society Press, 1986), pp. 162–167
Additional information
Communicated by Eike Kiltz.
Appendices
Single-Key Non-succinct Functional Encryption
Our construction of weakly succinct PKFE (resp. SKFE) uses a single-key non-succinct PKFE (resp. SKFE) scheme as a building block. As observed by Sahai and Seyalioglu [45] and later extended by Gorbunov et al. [29], a single-key non-succinct functional encryption scheme can be constructed based on standard assumptions such as public-key encryption and one-way functions.
For self-containment, we show the construction of a single-key non-succinct PKFE scheme based on a public-key encryption scheme. More specifically, the construction is based on a garbling scheme and public-key encryption.
Let \(\mathsf {GC}=(\mathsf {Grbl},\mathsf {Eval})\) be a garbling scheme, and \(\mathsf {PKE}=(\mathsf {KG},\mathsf {Enc}, \mathsf {Dec})\) be a public-key encryption scheme. Using \(\mathsf {GC}\) and \(\mathsf {PKE}\), we construct a single-key PKFE scheme \(\mathsf {OneKey}=(\mathsf {1Key}.\mathsf {Setup},\mathsf {1Key}.\mathsf {KG}, \mathsf {1Key}.\mathsf {Enc}, \mathsf {1Key}.\mathsf {Dec})\) as follows. Below, we assume that we can represent every function f by an n-bit string \((f[1],\cdots ,f[s])\).
Construction The scheme consists of the following algorithms.
\(\mathsf {1Key}.\mathsf {Setup}(1^\lambda ):\)

Generate \((\mathsf {pk}_{j,\alpha },\mathsf {sk}_{j,\alpha }) \leftarrow \mathsf {KG}(1^\lambda )\) for every \(j\in [s]\) and \(\alpha \in \{0,1\}\).

Return \(\mathsf {MPK}\leftarrow \{\mathsf {pk}_{j,\alpha }\}_{j\in [s], \alpha \in \{0,1\}}\) and \(\mathsf {MSK}\leftarrow \{\mathsf {sk}_{j,\alpha }\}_{j\in [s], \alpha \in \{0,1\}}\).
\(\mathsf {1Key}.\mathsf {KG}(\mathsf {MSK},f):\)

Parse \(\{\mathsf {sk}_{j,\alpha }\}_{j\in [s],\alpha \in \{0,1\}} \leftarrow \mathsf {MSK}\) and \((f[1],\cdots , f[s]) \leftarrow f\).

Return \(\mathsf {sk}_f \leftarrow (f,\{\mathsf {sk}_{j,f[j]}\}_{j\in [s]})\).
\(\mathsf {1Key}.\mathsf {Enc}(\mathsf {MPK}, m):\)

Parse \(\{\mathsf {pk}_{j,\alpha }\}_{j\in [s],\alpha \in \{0,1\}} \leftarrow \mathsf {MPK}\).

Compute \(({{\widetilde{U}}}, \{L_{j,\alpha }\}_{j\in [s],\alpha \in \{0,1\}}) \leftarrow \mathsf {Grbl}(1^\lambda , U(\cdot ,m))\).

For every \(j\in [s]\) and \(\alpha \in \{0,1\}\), compute \(c_{j,\alpha } \leftarrow \mathsf {Enc}(\mathsf {pk}_{j,\alpha },L_{j,\alpha })\).

Return \(\mathsf {CT}\leftarrow ({{\widetilde{U}}}, \{c_{j,\alpha }\}_{j\in [s],\alpha \in \{0,1\}})\).
\(\mathsf {1Key}.\mathsf {Dec}(\mathsf {sk}_f, \mathsf {CT}):\)

Parse \((f, \{\mathsf {sk}_j\}_{j\in [s]}) \leftarrow \mathsf {sk}_f\) and \(({{\widetilde{U}}}, \{c_{j,\alpha }\}_{j\in [s],\alpha \in \{0,1\}}) \leftarrow \mathsf {CT}\).

For every \(j\in [s]\), compute \(L_j \leftarrow \mathsf {Dec}(\mathsf {sk}_{j,f[j]},c_{j,f[j]})\).

Return \(y \leftarrow \mathsf {Eval}({{\widetilde{U}}}, \{L_j\}_{j\in [s]})\).
\(\mathsf {OneKey}\) is a single-key PKFE scheme that satisfies weakly selective security if \(\mathsf {GC}\) is secure and \(\mathsf {PKE}\) is CPA-secure. The construction is non-succinct since the encryption algorithm of \(\mathsf {OneKey}\) encrypts a universal circuit whose size is at least linear in the size of functions.
We can analogously construct a single-key non-succinct SKFE scheme based on a garbling scheme and secret-key encryption.
Gorbunov et al. [29] later showed how to extend this construction to an adaptively secure one using a technique of non-committing encryption [18]. This is done by only using public-key encryption (or one-way functions) if we focus on single-key schemes (Footnote 14). Thus, we need only public-key encryption or one-way functions to obtain single-key adaptively secure schemes for our building blocks.
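The single-key construction above, instantiated end to end as an added example that is not part of the original paper. Assumptions: the garbling scheme is replaced by a one-bit-label projective encoding that only handles the family U(f, m) = <f, m> mod 2 (not a universal circuit), PKE is hashed ElGamal over a toy 127-bit group with no real security, and all function names are hypothetical.

```python
import hashlib
import secrets

# Assumption: toy hashed ElGamal over Z_p^* (127-bit Mersenne prime) stands in
# for PKE = (KG, Enc, Dec). It encrypts one bit, which is all a label needs here.
P = 2**127 - 1
G = 3


def pke_kg():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk


def _pad(shared):
    # One-bit pad derived from the Diffie-Hellman shared value.
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()[0] & 1


def pke_enc(pk, bit):
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), bit ^ _pad(pow(pk, r, P))


def pke_dec(sk, ct):
    c1, c2 = ct
    return c2 ^ _pad(pow(c1, sk, P))


# Assumption: GC = (Grbl, Eval) is replaced by a projective encoding of
# U(f, m) = <f, m> mod 2. Label L[j][a] = r_j xor (a AND m_j) with
# r_1 xor ... xor r_s = 0, so the selected labels reveal only <f, m>.
def grbl(m):
    r = [secrets.randbits(1) for _ in m[:-1]]
    last = 0
    for bit in r:
        last ^= bit
    r.append(last)
    labels = [(r[j], r[j] ^ m[j]) for j in range(len(m))]
    return None, labels  # U-tilde is empty: Eval just XORs the labels


def gc_eval(u_tilde, chosen):
    y = 0
    for label in chosen:
        y ^= label
    return y


def one_key_setup(s):
    # 2s independent PKE key pairs, indexed by (j, alpha).
    pairs = [[pke_kg() for _ in (0, 1)] for _ in range(s)]
    mpk = [[kp[0] for kp in row] for row in pairs]
    msk = [[kp[1] for kp in row] for row in pairs]
    return mpk, msk


def one_key_kg(msk, f):
    # sk_f holds exactly one secret key per position: sk_{j, f[j]}.
    return f, [msk[j][f[j]] for j in range(len(f))]


def one_key_enc(mpk, m):
    u_tilde, labels = grbl(m)
    cts = [[pke_enc(mpk[j][a], labels[j][a]) for a in (0, 1)]
           for j in range(len(m))]
    return u_tilde, cts  # 2s PKE ciphertexts: size grows with the function size


def one_key_dec(sk_f, ct):
    f, sks = sk_f
    u_tilde, cts = ct
    chosen = [pke_dec(sks[j], cts[j][f[j]]) for j in range(len(f))]
    return gc_eval(u_tilde, chosen)


def both_labels_at(sk_f, sk_g, ct, j):
    # Single-key boundary: keys for f and g with f[j] != g[j] open both labels
    # at position j, and in this encoding their XOR equals m[j].
    (f, sks_f), (g, sks_g) = sk_f, sk_g
    cts = ct[1]
    return pke_dec(sks_f[j], cts[j][f[j]]) ^ pke_dec(sks_g[j], cts[j][g[j]])


if __name__ == "__main__":
    m, f = [1, 0, 1, 1], [1, 1, 0, 1]  # constructed sample inputs
    mpk, msk = one_key_setup(len(m))
    print(one_key_dec(one_key_kg(msk, f), one_key_enc(mpk, m)))
```

The ciphertext carries both labels for every position of f, which is the non-succinctness noted above; `both_labels_at` shows why the security claim covers one issued key only.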
Proof for Weak Succinctness from Collusion-Succinctness
In this section, we see a transformation from a \(q\)-key weakly collusion-succinct index-based functional encryption into a single-key weakly succinct functional encryption. Bitansky and Vaikuntanathan have shown such a transformation [16, Theorem 4.3] (Footnote 15). The key tool for the transformation is decomposable randomized encoding, which is implied by one-way functions (see Definition 2.6).
We stress that the transformation in this section is not new. The difference between the construction of Bitansky and Vaikuntanathan and ours is that we assume that the underlying weakly collusion-succinct scheme is weakly selectively secure and uses an index for functional key generation. The resulting weakly succinct scheme of our transformation is also weakly selectively secure. Note that the resulting scheme does not need any index for key generation since it is a single-key scheme.
It is known that single-key weakly selectively secure weakly succinct PKFE can be transformed into collusion-resistant and succinct PKFE [28]. Moreover, to construct IO by using the theorem by Bitansky and Vaikuntanathan [16], a single-key weakly selectively secure weakly succinct PKFE scheme is sufficient.
Note that if the maximum size of functions in a function family is fixed, the number of decomposed randomized encodings (denoted by \(\mu \)) of a function is also fixed. Thus, \((\mu ,\delta )\)-weakly selectively secure (i.e., bounded collusion-resistant) schemes are sufficient for this transformation.
Readers who are familiar with the transformation by Bitansky and Vaikuntanathan [16, Theorem 4.3] can skip this section. We write the transformation and a proof for the weakly selective security for confirmation. Of course, we can obtain a selectively secure scheme by the transformation if we use a selectively secure scheme as the underlying scheme.
Remark B.1
(Difference between decomposable randomized encoding and decomposable garbled circuit) We stress that there are significant differences between decomposable randomized encoding and decomposable garbled circuit [12] as we note in Sect. 1. In fact, both are basically slight extensions of Yao’s garbled circuit. However, the definition of decomposable randomized encoding is much simpler than that of decomposable garbled circuit by Bitansky et al. [12]. In addition, a decomposable randomized encoding is constructed from one-way functions with polynomial security loss, but a decomposable garbled circuit is constructed from one-way functions with exponential security loss in the depth of circuits.
In decomposable garbled circuit, we can garble a circuit in a gate-by-gate manner and consider hybrid garbled circuits that consist of real and simulated garbled gates. In the hybrid transitions from the real to the simulation, a “punctured programming”-type security notion [46] is used for each garbled gate. These two properties are differences from decomposable \(\mathsf {RE}\). To achieve the security notion, Bitansky et al. change a real (resp. hybrid) garbled gate into a hybrid (resp. simulated) one if all of its predecessor (resp. successor) gates are hybrid ones. Thus, \(2^{O(d)}\) (d is the depth of a circuit) hybrid steps are needed to prove the security.
The reason decomposable garbled circuit is so complicated is that it is customized to be an IO-friendly (or SXIO-friendly) tool [12]. We use neither IO nor SXIO when we use decomposable randomized encoding. Thus, we do not need decomposable garbled circuit for our purpose. See the paper by Bitansky et al. for details of decomposable garbled circuit [12].
Conversion We show only the PKFE case. The SKFE case is similarly proven.
Construction B.2
Our single-key weakly succinct PKFE scheme \(\mathsf {sFE}=(\mathsf {sFE}.\mathsf {Setup},\mathsf {sFE}.\mathsf {KG}, \mathsf {sFE}.\mathsf {Enc}, \mathsf {sFE}.\mathsf {Dec})\) for circuits of size at most \(s=s(\lambda )\) with \(n=n(\lambda )\) bit inputs is based on a \(q\)-key weakly collusion-succinct iPKFE scheme \(\mathsf {qFE}=(\mathsf {qFE}.\mathsf {Setup},\mathsf {qFE}.\mathsf {i}\mathsf {KG},\mathsf {qFE}.\mathsf {Enc},\mathsf {qFE}.\mathsf {Dec})\) for circuits of size at most s with n-bit inputs. Let \(\mathsf {F}\), \(\mathsf {RE}\), and \(\mathsf {SKE}\) be a PRF, \(c\)-local decomposable randomized encoding, and CPA-secure secret-key encryption scheme, respectively. In the scheme, we use \(\mathsf {F}:\{0,1\}^{\lambda } \rightarrow \{0,1\}^{\rho }\).
\(\mathsf {sFE}.\mathsf {Setup}(1^\lambda ):\)

Generate \((\mathsf {MPK},\mathsf {MSK}) \leftarrow \mathsf {qFE}.\mathsf {Setup}(1^\lambda )\).

Return \((\mathsf {MPK}, \mathsf {MSK})\).
\(\mathsf {sFE}.\mathsf {KG}(\mathsf {MSK}, f):\)

Generate \(t \leftarrow \{0,1\}^\lambda \).

Compute decomposed f, that is, \(({\widehat{f}}_1,\ldots ,{\widehat{f}}_\mu )\leftarrow \mathsf {RE.E}(1^\lambda ,f)\).

Choose an \(\mathsf {SKE}\) secret key \(\mathsf {SK}\leftarrow \{0,1\}^{\lambda }\). For all \(i \in [\mu ]\), generate \(\mathsf {CT}_{\mathsf {ske}}^i \leftarrow \mathsf {SKE}.\mathsf {Enc}(\mathsf {SK},0)\), and compute \(\mathsf {sk}_{f_i} \leftarrow \mathsf {qFE}.\mathsf {i}\mathsf {KG}(\mathsf {MSK}, \textsf {D}_{\mathsf {re}}[{\widehat{f}}_i,t, \mathsf {CT}_{\mathsf {ske}}^i],i)\). The circuit \(\textsf {D}_{\mathsf {re}}\) is defined in Fig. 12.

Return \(\mathsf {sk}_f \leftarrow (\mathsf {sk}_{f_1},\ldots ,\mathsf {sk}_{f_\mu })\).
\(\mathsf {sFE}.\mathsf {Enc}(\mathsf {MPK}, x):\)

Generate \(K \leftarrow \mathsf {PRF}.\mathsf {Gen}(1^\lambda )\).

Return \(\mathsf {CT}\leftarrow \mathsf {qFE}.\mathsf {Enc}(\mathsf {MPK}, (0,x,K,\bot ))\).
\(\mathsf {sFE}.\mathsf {Dec}(\mathsf {sk}_f, \mathsf {CT}):\)

Parse \((\mathsf {sk}_{f_1},\ldots , \mathsf {sk}_{f_\mu }) \leftarrow \mathsf {sk}_f\).

For all \(i \in [\mu ]\), compute \(e_i \leftarrow \mathsf {qFE}.\mathsf {Dec}(\mathsf {sk}_{f_i}, \mathsf {CT})\).

Decode y from \((e_1,\ldots ,e_\mu )\).

Return y.
Proof of Theorem 3.11
We start with analyzing succinctness then move on to the security proof.
We assume that \(\mathsf {RE}\) is a \(\delta \)-secure decomposable randomized encoding scheme, \((\mathsf {PRF}.\mathsf {Gen}, \mathsf {F},\mathsf {Punc})\) is a \(\delta \)-secure puncturable PRF, \(\mathsf {SKE}\) is a \(\delta \)-secure SKE, and \(\mathsf {qFE}\) is a \((\mu ,\delta )\)-weakly selectively secure iPKFE scheme for circuits of size at most \(s = s(\lambda )\) with \(n = n(\lambda )\) inputs with encryption circuit of size \(\mu ^{\gamma }\cdot {\mathrm {poly}}(\lambda ,n,s)\) where \(\mu = s \cdot {\mathrm {poly}}_\mathsf {RE}(\lambda ,n)\) and \({\mathrm {poly}}_\mathsf {RE}\) is a fixed polynomial determined by \(\mathsf {RE}\).
Weak Succinctness To issue one key, we need to issue \(1\cdot \mu = s\cdot {\mathrm {poly}}_\mathsf {RE}(\lambda ,n)\) keys of \(\mathsf {qFE}\) since we consider functions of size s. Thus, we choose \(\mu =s\cdot {\mathrm {poly}}_\mathsf {RE}(\lambda ,n)\) as the number of issued keys of \(\mathsf {qFE}\).
Let \(\textsf {D}_i :=\textsf {D}_{\mathsf {re}}[{\widehat{f}}_i,t,\mathsf {CT}_{\mathsf {ske}}^i]\). \(\textsf {D}_i\) includes a decryption of \(\mathsf {SKE}\), PRF evaluation on the domain \(\{0,1\}^\lambda \times [\mu ]\), and evaluation of decomposed randomized encoding \({\widehat{f}}_i\). \({\widehat{f}}_i\) is independent of \(\left| f\right| \) by the decomposability of \(\mathsf {RE}\) and \(\left| t\right| \) and \(\left| \mathsf {CT}_{\mathsf {ske}}^i\right| \) are bounded by \(O(\lambda )\). Moreover, the PRF evaluation is done in time \({\mathrm {poly}}(\lambda , \log s)\). Thus, the size of \(\textsf {D}_i\) is \({\mathrm {poly}}(\lambda ,n, \log s)\). Therefore, the size of encryption circuit \(\mathsf {sFE}.\mathsf {Enc}\) is
where \(\gamma '\) is any constant such that \(\gamma<\gamma '<1\).
Security Proof Let \(\mathcal {A}\) be an adversary attacking the weakly selective security of \(\mathsf {sFE}\). We define a sequence of hybrid games.
\(\mathsf {Hyb}_{0}\):

The first game is the original weakly selective security experiment for \(b=0\), \(\mathsf {Expt}_{{\mathcal {A}}}^{\mathsf {sel^*}}(1^\lambda ,0)\). In this game, \({\mathcal {A}}\) first selects the challenge messages \((x_0^*,x_1^*)\) and a function f then obtains an encryption of \(x_0^*\), the master public key, and a functional decryption key \(\mathsf {sk}_f\).
\(\mathsf {Hyb}_{1}\):

We change \(\mathsf {CT}_{\mathsf {ske}}^i \leftarrow \mathsf {SKE}.\mathsf {Enc}(\mathsf {SK},0)\) into \(\mathsf {CT}_{\mathsf {ske}}^i \leftarrow \mathsf {SKE}.\mathsf {Enc}(\mathsf {SK},{\widehat{f}}_i(x_0^*;r))\) for all \(i\in [\mu ]\). It holds that \(\mathsf {Hyb}_{0}{\mathop {\approx }\limits ^{{\mathsf {c}}}}_{\delta }\mathsf {Hyb}_{1}\) due to the CPA-security of \(\mathsf {SKE}\).
\(\mathsf {Hyb}_{2}\):

We change \(\mathsf {CT}\leftarrow \mathsf {qFE}.\mathsf {Enc}(\mathsf {MPK}, (0,x_0^*,K,\bot ))\) into \(\mathsf {CT}\leftarrow \mathsf {qFE}.\mathsf {Enc}(\mathsf {MPK}, (1,\bot ,\bot ,\mathsf {SK}))\).
Lemma B.3
It holds that \(\mathsf {Hyb}_{1}{\mathop {\approx }\limits ^{{\mathsf {c}}}}_{\delta }\mathsf {Hyb}_{2}\) if \(\mathsf {qFE}\) is a \((q,\delta )\)-weakly selectively secure PKFE.
Proof of lemma
We construct an adversary \({\mathcal {B}}\) of \(\mathsf {qFE}\). First, \({\mathcal {A}}\) sends messages \((x_0^*,x_1^*)\) and a function f to the challenger of \(\mathsf {sFE}\). \({\mathcal {B}}\) generates \(K\leftarrow \mathsf {PRF}.\mathsf {Gen}(1^\lambda )\) and chooses random t and a secret-key encryption key \(\mathsf {SK}\leftarrow \{0,1\}^{\lambda }\), computes \(({\widehat{f}}_1,\ldots ,{\widehat{f}}_{\mu })\) from f, and generates \(\mathsf {CT}_{\mathsf {ske}}^i \leftarrow \mathsf {SKE}.\mathsf {Enc}(\mathsf {SK},{\widehat{f}}_{i}(x_0^*;r))\) and \(\textsf {D}_{\mathsf {re}}[{\widehat{f}}_i,t,\mathsf {CT}_\mathsf {ske}^i]\) for all \(i\in [\mu ]\). Then, \({\mathcal {B}}\) sends messages \(((0,x_0^*,K,\bot ),(1,\bot ,\bot ,\mathsf {SK}))\) as challenge messages and functions \(\textsf {D}_i :=\textsf {D}_{\mathsf {re}}[{\widehat{f}}_i,t,\mathsf {CT}_\mathsf {ske}^i]\) for all \(i\in [\mu ]\) to the challenger of \(\mathsf {qFE}\) and receives \(\mathsf {MPK}\), \(\mathsf {CT}^*\), and \(\{\mathsf {sk}_{\textsf {D}_i}\}_{i\in [\mu ]}\). \({\mathcal {B}}\) passes \(\mathsf {MPK}\), \(\mathsf {CT}^*\), and \(\{\mathsf {sk}_{\textsf {D}_i}\}_{i\in [\mu ]}\) as the master public key, target ciphertext, and functional key for f to \({\mathcal {A}}\). This perfectly simulates \(\mathsf {Hyb}_{1}\) if \(\mathsf {CT}^*\) is an encryption of \((0,x_0^*,K,\bot )\) and \(\mathsf {Hyb}_{2}\) if \(\mathsf {CT}^*\) is an encryption of \((1,\bot ,\bot ,\mathsf {SK})\). Thus, the lemma follows. \(\square \)
\(\mathsf {Hyb}_{3}\):

We change \(r \leftarrow \mathsf {F}_K(t)\) into \(r \leftarrow \{0,1\}^{\rho }\). It holds that \(\mathsf {Hyb}_{2}{\mathop {\approx }\limits ^{{\mathsf {c}}}}_{\delta }\mathsf {Hyb}_{3}\) due to the pseudorandomness of \(\mathsf {F}\).
\(\mathsf {Hyb}_{4}\):

We change \(e_i \leftarrow {\widehat{f}}_i(x_0^*;r)\) into \(e_i \leftarrow {\widehat{f}}_i(x_1^*;r)\) for all \(i \in [\mu ]\). It holds that \(\mathsf {Hyb}_{3}{\mathop {\approx }\limits ^{{\mathsf {c}}}}_{\delta }\mathsf {Hyb}_{4}\) due to the security of the decomposable randomized encoding and the condition \(f(x_0^*)=f(x_1^*)\) for \(\mathsf {sFE}\). In fact, we intermediately use the output of the simulator of \(\mathsf {RE}\).
\(\mathsf {Hyb}_{5}\):

This is the same as \(\mathsf {Expt}_{{\mathcal {A}}}^{\mathsf {sel^*}}(1^\lambda ,1)\). We can show \(\mathsf {Hyb}_{4} {\mathop {\approx }\limits ^{{\mathsf {c}}}}_{\delta } \mathsf {Hyb}_{5}\) in a reverse manner.
Therefore, Construction B.2 is \((1,\delta )\)-selectively secure and weakly succinct PKFE for \(\mathsf {P/poly}\) with compression factor \(\gamma '\) such that \(\gamma ' <1\). This completes the proof of Theorem 3.9. This completes the proof of Theorem 3.11. \(\square \)
Kitagawa, F., Nishimaki, R. & Tanaka, K. Simple and Generic Constructions of Succinct Functional Encryption. J Cryptol 34, 25 (2021). https://doi.org/10.1007/s00145-021-09396-x
Keywords
 Functional encryption
 Succinctness
 Indistinguishability obfuscation