Skip to main content

Simple and Generic Constructions of Succinct Functional Encryption


We propose simple generic constructions of succinct functional encryption. Our key tool is strong exponentially efficient indistinguishability obfuscator (SXIO), which is the same as indistinguishability obfuscator (IO) except that the size of an obfuscated circuit and the running time of an obfuscator are slightly smaller than that of a brute-force canonicalizer that outputs the entire truth table of a circuit to be obfuscated. A “compression factor” of SXIO indicates how much SXIO compresses the brute-force canonicalizer. In this study, we propose a significantly simple framework to construct succinct functional encryption via SXIO and show that SXIO is powerful enough to achieve cutting-edge cryptography. In particular, we propose the following constructions:

  • Single-key weakly succinct secret-key functional encryption (SKFE) is constructed from SXIO (even with a bad compression factor) and one-way functions.

  • Single-key weakly succinct public-key functional encryption (PKFE) is constructed from SXIO with a good compression factor and public-key encryption.

  • Single-key weakly succinct PKFE is constructed from SXIO (even with a bad compression factor) and identity-based encryption.

Our new framework has side benefits. Our constructions do not rely on any number theoretic or lattice assumptions such as decisional Diffie–Hellman and learning with errors assumptions. Moreover, all security reductions incur only polynomial security loss. Known constructions of weakly succinct SKFE or PKFE from SXIO with polynomial security loss rely on number theoretic or lattice assumptions. As corollaries of our results, relationships among SXIO, a few variants of SKFE, and a variant of randomized encoding are discovered.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11


  1. We basically focus on functional encryption for all circuits in this study.

  2. In some papers, the term “compactness” is used for this property, but we use the term by Bitansky and Vaikuntanathan [16] in this study.

  3. Note that if we construct a PKFE scheme for multi-bit output circuits, the construction [26] results in one the size of whose encryption circuit depends on the number of output bits of the circuits.

  4. They use a bootstrapping technique by Ananth et al. [2], which transforms functional encryption for \(\mathsf {NC}^1\) into one for \(\mathsf {P/poly}\).

  5. See Remark B.1 in Sect. 2 for more details on the difference between decomposable garbled circuit and decomposable randomized encoding.

  6. Note that our requirements on an identity-based encryption scheme are the same as theirs on their identity-based encryption scheme.

  7. In fact, the functional key generation algorithm takes an additional input called index and is stateful. We ignore this issue here. However, in fact, this issue does not matter at all. See Remark 2.15 in Sect. 2 regarding this issue.

  8. We ignore the issue regarding randomness of the ciphertext in this section.

  9. When we say identity-based encryption, we assume that it satisfies this type of succinctness. In fact, most identity-based encryption schemes based on number theoretic or lattice assumptions satisfy it. See Definition 2.10.

  10. Komargodski and Segev [37] show that IO for \(O({\mathrm {poly}}(\log {\lambda }))\)-bit-input and sub-polynomial-size circuits is constructed from collusion-resistant SKFE. However, the construction incurs quasi-polynomial security loss. In addition, it is not clear whether their IO is sufficient for the construction of Lin and Tessaro since it supports only circuits of sub-polynomial size.

  11. The security definition of Li and Micciancio for index-based functional encryption and ours is slightly different. Their definition allows an adversary to use indices for key generation in an arbitrary order. On the other hand, our definition does not allow it. The difference comes from the fact that their goal is constructing collusion-resistant functional encryption while our goal is constructing single-key functional encryption. By restricting an adversary to use indices successively from one, we can describe security proofs more simply.

  12. More precisely, Gorbunov et al. prove that we can construct adaptively secure schemes, in which adversaries are allowed to declare a target message pair after the function query phase. However, selective security is sufficient for our purpose.

  13. Again, we stress that the size of the encryption circuit of an identity-based encryption scheme is \(\left| \mathcal {ID}\right| ^{\alpha }\cdot {\mathrm {poly}}(\lambda ,\ell )\) where \(\ell \) is the length of plaintext, \(\mathcal {ID}\) is the identity-space, and \(\alpha \) is a constant such that \(0<\alpha <1\). Most identity-based encryption schemes based on concrete assumptions have such succinct encryption circuits. In our scheme, \(\mathcal {ID}\) is just a polynomial size.

  14. If we want to achieve bounded collusion-resistant schemes, we additionally need pseudo-random generators that are computed by polynomial degree circuits, which is implied by number theoretic or lattice assumptions [29].

  15. Ananth, Jain, and Sahai show a transformation from a collusion-resistant non-succinct functional encryption into a (collusion-resistant) succinct one [7]. It is easy to verify that the transformation by Ananth et al. also works for q-key collusion-succinct functional encryption schemes to achieve single-key weakly succinct ones.


  1. S. Agrawal, D. Boneh, X. Boyen, Efficient lattice (H)IBE in the standard model, in Henri Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS, (Springer, Heidelberg, 2010), pp. 553–572

  2. P. Ananth, Z. Brakerski, G. Segev, V. Vaikuntanathan, From selective to adaptive security in functional encryption, in Rosario Gennaro and Matthew J. B. Robshaw, editors, CRYPTO 2015, Part II, volume 9216 of LNCS, (Springer, Heidelberg, 2015), pp. 657–677

  3. P. Ananth, A. Cohen, A. Jain, Cryptography with updates, in Jean-Sébastien Coron and Jesper Buus Nielsen, editors, EUROCRYPT 2017, Part II, volume 10211 of LNCS, (Springer, Heidelberg, 2017), pp. 445–472

  4. G. Asharov, N. Ephraim, I. Komargodski, R. Pass, On the complexity of compressing obfuscation, in Hovav Shacham and Alexandra Boldyreva, editors, CRYPTO 2018, Part III, volume 10993 of LNCS, (Springer, Heidelberg, 2018), pp. 753–783

  5. B. Applebaum, Y. Ishai, E. Kushilevitz, Computationally private randomizing polynomials and their applications. Computat. Complex. 15(2), 115–162 (2006)

    MathSciNet  Article  Google Scholar 

  6. P. Ananth, A. Jain, Indistinguishability obfuscation from compact functional encryption, in Rosario Gennaro and Matthew J. B. Robshaw, editors, CRYPTO 2015, Part I, volume 9215 of LNCS, (Springer, Heidelberg, 2015), pp. 308–326

  7. P. Ananth, A. Jain, A. Sahai, Indistinguishability obfuscation from functional encryption for simple functions. Cryptology ePrint Archive, Report 2015/730 (2015).

  8. D. Boneh, X. Boyen, Efficient selective identity-based encryption without random oracles. J. Cryptol. 24(4), 659–693 (2011)

    MathSciNet  Article  Google Scholar 

  9. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S.P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs. J. ACM 59(2), 6:1–6:48 (2012)

  10. E. Boyle, S. Goldwasser, I. Ivan, Functional signatures and pseudorandom functions, in Hugo Krawczyk, editor, PKC 2014, volume 8383 of LNCS, (Springer, Heidelberg, 2014), pp. 501–519

  11. Z. Brakerski, I. Komargodski, G. Segev, Multi-input functional encryption in the private-key setting: stronger security from weaker assumptions. J. Cryptol. 31(2), 434–520 (2018)

    MathSciNet  Article  Google Scholar 

  12. N. Bitansky, R. Nishimaki, A. Passelègue, D. Wichs, From cryptomania to obfustopia through secret-key functional encryption. J. Cryptol. 33(2), 357–405 (2020)

    MathSciNet  Article  Google Scholar 

  13. A. Banerjee, C. Peikert, A. Rosen, Pseudorandom functions and lattices, in David Pointcheval and Thomas Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, (Springer, Heidelberg, 2012), pp. 719–737

  14. Z. Brakerski, G. Segev, Function-private functional encryption in the private-key setting. J. Cryptol. 31(1), 202–225 (2018)

    MathSciNet  Article  Google Scholar 

  15. D. Boneh, A. Sahai, B. Waters, Functional encryption: definitions and challenges, in Yuval Ishai, editor, TCC 2011, volume 6597 of LNCS, (Springer, Heidelberg, 2011), pp. 253–273

  16. N. Bitansky, V. Vaikuntanathan, Indistinguishability obfuscation from functional encryption. J. ACM 65(6), 39:1–39:37 (2018)

  17. D. Boneh, B. Waters, Constrained pseudorandom functions and their applications, in Kazue Sako and Palash Sarkar, editors, ASIACRYPT 2013, Part II, volume 8270 of LNCS, (Springer, Heidelberg, 2013), pp. 280–300

  18. R. Canetti, U. Feige, O. Goldreich, M. Naor, Adaptively secure multi-party computation, in 28th ACM STOC, (ACM Press, May 1996), pp. 639–648

  19. D. Cash, D. Hofheinz, E. Kiltz, C. Peikert, Bonsai trees, or how to delegate a lattice basis. J. Cryptol. 25(4):601–639 (2012)

    MathSciNet  Article  Google Scholar 

  20. N. Döttling, S. Garg, Identity-based encryption from the Diffie-Hellman assumption, in Jonathan Katz and Hovav Shacham, editors, CRYPTO 2017, Part I, volume 10401 of LNCS, (Springer, Heidelberg, 2017), pp. 537–569

  21. S. Even, O. Goldreich, A. Lempel, A randomized protocol for signing contracts, David Chaum, Ronald L. Rivest, and Alan T. Sherman, editors, CRYPTO’82, (Plenum Press, New York, USA, 1982), pp. 205–210

  22. U. Feige, D. Lapidot, A. Shamir, Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)

    MathSciNet  Article  Google Scholar 

  23. S. Goldwasser, S.D. Gordon, V. Goyal, A. Jain, J. Katz, F.-H. Liu, A. Sahai, E. Shi, H.-S. Zhou, Multi-input functional encryption, in Phong Q. Nguyen and Elisabeth Oswald, editors, EUROCRYPT 2014, volume 8441 of LNCS, (Springer, Heidelberg, 2014), pp. 578–602

  24. S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, B. Waters, Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM J. Comput. 45(3), 882–929 (2016)

    MathSciNet  Article  Google Scholar 

  25. O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions. J. ACM 33(4), 792–807 (1986)

    MathSciNet  Article  Google Scholar 

  26. S. Goldwasser, Y.T. Kalai, R.A. Popa, V. Vaikuntanathan, N. Zeldovich, Reusable garbled circuits and succinct functional encryption, in Dan Boneh, Tim Roughgarden, and Joan Feigenbaum, editors, 45th ACM STOC, (ACM Press, 2013), pp. 555–564

  27. S. Garg, M. Mahmoody, A. Mohammed, When does functional encryption imply obfuscation? in Yael Kalai and Leonid Reyzin, editors, TCC 2017, Part I, volume 10677 of LNCS, (Springer, Heidelberg, 2017), pp. 82–115

  28. S. Garg, A. Srinivasan, Single-key to multi-key functional encryption with polynomial loss, in Martin Hirt and Adam D. Smith, editors, TCC 2016-B, Part II, volume 9986 of LNCS, (Springer, Heidelberg, 2016), pp. 419–442

  29. S. Gorbunov, V. Vaikuntanathan, H. Wee, Functional encryption with bounded collusions via multi-party computation, in Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, (Springer, Heidelberg, 2012), pp. 162–179

  30. J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)

    MathSciNet  Article  Google Scholar 

  31. Y. Ishai, E. Kushilevitz, Randomizing polynomials: a new representation with applications to round-efficient secure computation, in 41st FOCS, (IEEE Computer Society Press, 2000), pp. 294–304

  32. F. Kitagawa, R. Nishimaki, K. Tanaka, From single-key to collusion-resistant secret-key functional encryption by leveraging succinctness. Cryptology ePrint Archive, Report 2017/638 (2017).

  33. F. Kitagawa, R. Nishimaki, K. Tanaka, Indistinguishability obfuscation for all circuits from secret-key functional encryption. Cryptology ePrint Archive, Report 2017/361 (2017).

  34. F. Kitagawa, R. Nishimaki, K. Tanaka, Obfustopia built on secret-key functional encryption, in Jesper Buus Nielsen and Vincent Rijmen, editors, EUROCRYPT 2018, Part II, volume 10821 of LNCS, (Springer, Heidelberg, 2018), pp. 603–648

  35. E. Kushilevitz, R. Ostrovsky, One-way trapdoor permutations are sufficient for non-trivial single-server private information retrieval, in Bart Preneel, editor, EUROCRYPT 2000, volume 1807 of LNCS, (Springer, Heidelberg, 2000), pp. 104–121

  36. A. Kiayias, S. Papadopoulos, N. Triandopoulos, T. Zacharias, Delegatable pseudorandom functions and applications, in Ahmad-Reza Sadeghi, Virgil D. Gligor, and Moti Yung, editors, ACM CCS 2013, (ACM Press, 2013), pp. 669–684

  37. I. Komargodski, G. Segev, From minicrypt to obfustopia via private-key functional encryption. J. Cryptol. 33(2), 406–458 (2020)

    MathSciNet  Article  Google Scholar 

  38. B. Li, D. Micciancio, Compactness vs collusion resistance in functional encryption, in Martin Hirt and Adam D. Smith, editors, TCC 2016-B, Part II, volume 9986 of LNCS, (Springer, Heidelberg, 2016), pp. 443–468

  39. H. Lin, R. Pass, K. Seth, S. Telang, Indistinguishability obfuscation with non-trivial efficiency, in Chen-Mou Cheng, Kai-Min Chung, Giuseppe Persiano, and Bo-Yin Yang, editors, PKC 2016, Part II, volume 9615 of LNCS, (Springer, Heidelberg, 2016), pp. 447–462

  40. H. Lin, S. Tessaro, Indistinguishability obfuscation from trilinear maps and block-wise local PRGs. Cryptology ePrint Archive, Report 2017/250 (2017).

  41. M. Naor, O. Reingold, Number-theoretic constructions of efficient pseudo-random functions. J. ACM 51(2), 231–262 (2004)

    MathSciNet  Article  Google Scholar 

  42. A. O’Neill, Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010).

  43. J. Rompel, One-way functions are necessary and sufficient for secure signatures, in 22nd ACM STOC, (ACM Press, 1990), pp. 387–394

  44. A. Shamir, Identity-based cryptosystems and signature schemes, in G. R. Blakley and David Chaum, editors, CRYPTO’84, volume 196 of LNCS, (Springer, Heidelberg, 1984), pp. 47–53

  45. A. Sahai, H. Seyalioglu, Worry-free encryption: functional encryption with public keys, in Ehab Al-Shaer, Angelos D. Keromytis, and Vitaly Shmatikov, editors, ACM CCS 2010, (ACM Press, 2010), pp. 463–472

  46. A. Sahai, B. Waters, How to use indistinguishability obfuscation: deniable encryption, and more, in David B. Shmoys, editor, 46th ACM STOC, (ACM Press, 2014), pp. 475–484

  47. A.C.-C. Yao, Theory and applications of trapdoor functions (extended abstract), in 23rd FOCS, (IEEE Computer Society Press, 1982), pp. 80–91

  48. A.C.-C. Yao, How to generate and exchange secrets (extended abstract), in 27th FOCS, (IEEE Computer Society Press, 1986), pp. 162–167

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Ryo Nishimaki.

Additional information

Communicated by Eike Kiltz.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.


Single-Key Non-succinct Functional Encryption

Our construction of weakly succinct PKFE (resp. SKFE) uses a single-key non-succinct PKFE (resp. SKFE) scheme as a building block. As observed by Sahai and Seyalioglu [45] and later extended by Gorbunov et al. [29], single-key non-succinct functional encryption scheme can be constructed based on standard assumptions such as public-key encryption and one-way function.

For self-containment, we show the construction of single-key non-succinct PKFE scheme based on public-key encryption scheme. More specifically, the construction is based on garbling scheme and public-key encryption.

Let \(\mathsf {GC}=(\mathsf {Grbl},\mathsf {Eval})\) be a garbling scheme, and \(\mathsf {PKE}=(\mathsf {KG},\mathsf {Enc}, \mathsf {Dec})\) be a public-key encryption scheme. Using \(\mathsf {GC}\) and \(\mathsf {PKE}\), we construct a single-key PKFE scheme \(\mathsf {OneKey}=(\mathsf {1Key}.\mathsf {Setup},\mathsf {1Key}.\mathsf {KG}, \mathsf {1Key}.\mathsf {Enc}, \mathsf {1Key}.\mathsf {Dec})\) as follows. Below, we assume that we can represent every function f by an n-bit string \((f[1],\cdots ,f[s])\).

Construction The scheme consists of the following algorithms.

\(\mathsf {1Key}.\mathsf {Setup}(1^\lambda ):\)  

  • Generate \((\mathsf {pk}_{j,\alpha },\mathsf {sk}_{j,\alpha }) \leftarrow \mathsf {KG}(1^\lambda )\) for every \(j\in [s]\) and \(\alpha \in \{0,1\}\).

  • Return \(\mathsf {MPK}\leftarrow \{\mathsf {pk}_{j,\alpha }\}_{j\in [s], \alpha \in \{0,1\}}\) and \(\mathsf {MSK}\leftarrow \{\mathsf {sk}_{j,\alpha }\}_{j\in [s], \alpha \in \{0,1\}}\).

\(\mathsf {1Key}.\mathsf {KG}(\mathsf {MSK},f):\)  

  • Parse \(\{\mathsf {sk}_{j,\alpha }\}_{j\in [s],\alpha \in \{0,1\}} \leftarrow \mathsf {MSK}\) and \((f[1],\cdots , f[s]) \leftarrow f\).

  • Return \(\mathsf {sk}_f \leftarrow (f,\{\mathsf {sk}_{j,f[j]}\}_{j\in [s]})\).

\(\mathsf {1Key}.\mathsf {Enc}(\mathsf {MPK}, m):\)  

  • Parse \(\{\mathsf {pk}_{j,\alpha }\}_{j\in [s],\alpha \in \{0,1\}} \leftarrow \mathsf {MPK}\).

  • Compute \(({{\widetilde{U}}}, \{L_{j,\alpha }\}_{j\in [s],\alpha \in \{0,1\}}) \leftarrow \mathsf {Grbl}(1^\lambda , U(\cdot ,m))\).

  • For every \(j\in [s]\) and \(\alpha \in \{0,1\}\), compute \(c_{j,\alpha } \leftarrow \mathsf {Enc}(\mathsf {pk}_{j,\alpha },L_{j,\alpha })\).

  • Return \(\mathsf {CT}\leftarrow ({{\widetilde{U}}}, \{c_{j,\alpha }\}_{j\in [s],\alpha \in \{0,1\}})\).

\(\mathsf {1Key}.\mathsf {Dec}(\mathsf {sk}_f, \mathsf {CT}):\)  

  • Parse \((f, \{\mathsf {sk}_j\}_{j\in [s]}) \leftarrow \mathsf {sk}_f\) and \(({{\widetilde{U}}}, \{c_{j,\alpha }\}_{j\in [s],\alpha \in \{0,1\}}) \leftarrow \mathsf {CT}\).

  • For every \(j\in [s]\), compute \(L_j \leftarrow \mathsf {Dec}(\mathsf {sk}_{j,f[j]},c_{j,f[j]})\).

  • Return \(y \leftarrow \mathsf {Eval}({{\widetilde{U}}}, \{L_j\}_{j\in [s]})\).

\(\mathsf {OneKey}\) is single-key PKFE scheme that satisfies weakly selective security if \(\mathsf {GC}\) is secure and \(\mathsf {PKE}\) is CPA-secure. The construction is non-succinct since the encryption algorithm of \(\mathsf {OneKey}\) encrypts a universal circuit whose size is at least linear in the size of functions.

We can analogously construct single-key non-succinct SKFE scheme based on garbling scheme and secret-key encryption.

Gorbunov et al. [29] later showed how to extend this construction to adaptively secure one using a technique of non-committing encryption [18]. This is done by only using public-key encryption (or one-way function) if we focus on single-key schemes.Footnote 14 Thus, we need only public-key encryption or one-way function to obtain single-key adaptively secure schemes for our building blocks.

Proof for Weak Succinctness from Collusion-Succinctness

In this section, we see a transformation from a q-key weakly collusion-succinct index-based functional encryption into a single-key weakly succinct functional encryption. Bitansky and Vaikuntanathan have shown such a transformation [16, Theorem 4.3].Footnote 15 The key tool for the transformation is decomposable randomized encoding, which is implied by one-way function (see Definition 2.6).

We stress that the transformation in this section is not new. The differences between the construction of Bitansky and Vaikuntanathan and ours is that we assume that the underlying weakly collusion-succinct scheme is weakly selectively secure and uses an index for functional key generation. The resulting weakly succinct scheme of our transformation is also weakly selectively secure. Note that the resulting scheme does not need any index for key generation since it is a single-key scheme.

It is known that single-key weakly selectively secure weakly succinct PKFE can be transformed into collusion-resistant and succinct PKFE [28]. Moreover, to construct IO by using the theorem by Bitansky and Vaikuntanathan [16], a single-key weakly selectively secure weakly succinct PKFE scheme is sufficient.

Note that if the maximum size of functions in a function family is fixed, the number of decomposed randomized encodings (denoted by \(\mu \)) of a function is also fixed. Thus, \((\mu ,\delta )\)-weakly selectively secure (i.e., bounded collusion-resistant) schemes are sufficient for this transformation.

Readers that are familiar with the transformation by Bitansky and Vaikuntanathan [16, Theorem 4.3] can skip this section. We write the transformation and a proof for the weakly selective security for confirmation. Of course, we can obtain a selectively secure scheme by the transformation if we use a selectively secure scheme as the underlying scheme.

Remark B.1

(Difference between decomposable randomized encoding and decomposable garbled circuit) We stress that there are significant differences between decomposable randomized encoding and decomposable garbled circuit [12] as we note in Sect. 1. In fact, both are basically slight extensions of Yao’s garbled circuit. However, the definition of decomposable randomized encoding is much simpler than that of decomposable garbled circuit by Bitansky et al. [12]. In addition, a decomposable randomized encoding is constructed from one-way function with polynomial security loss, but a decomposable garbled circuit is constructed from one-way function with exponential security loss in the depth of circuits.

In decomposable garbled circuit, we can garble a circuit by a gate-by-gate manner and consider hybrid garbled circuits that consist of real and simulated garbled gates. In the hybrid transitions from the real to the simulation, a “punctured programming”-type security notion [46] is used for each garbled gate. These two properties are differences from decomposable \(\mathsf {RE}\). To achieve the security notion, Bitansky et al. change a real (resp. hybrid) garbled gate into a hybrid (resp. simulated) one if all of its predecessor (resp. successor) gates are hybrid ones. Thus, \(2^{O(d)}\) (d is the depth of a circuit) hybrid steps are needed to prove the security.

The reason decomposable garbled circuit is such complicated is that it is customized to be an IO-friendly (or SXIO-friendly) tool [12]. We use neither IO nor SXIO when we use decomposable randomized encoding. Thus, we do not need decomposable garbled circuit for our purpose. See the paper by Bitansky et al. for details of decomposable garbled circuit [12].

Conversion We show only the PKFE case. The SKFE case is similarly proven.

Construction B.2

Our single-key weakly succinct PKFE scheme \(\mathsf {sFE}=(\mathsf {sFE}.\mathsf {Setup},\mathsf {sFE}.\mathsf {KG}, \mathsf {sFE}.\mathsf {Enc}, \mathsf {sFE}.\mathsf {Dec})\) for circuits of size at most \(s=s(\lambda )\) with \(n=n(\lambda )\) bit inputs is based on a q-key weakly collusion-succinct iPKFE scheme \(\mathsf {qFE}=(\mathsf {qFE}.\mathsf {Setup},\mathsf {qFE}.\mathsf {i}\mathsf {KG},\mathsf {FE}.\mathsf {Enc},\mathsf {qFE}.\mathsf {Dec})\) for circuits of size at most s with n-bit inputs. Let \(\mathsf {F}\), \(\mathsf {RE}\), and \(\mathsf {SKE}\) be a PRF, c-local decomposable randomized encoding, and CPA-secure secret-key encryption scheme, respectively. In the scheme, we use \(\mathsf {F}:\{0,1\}^{\lambda } \rightarrow \{0,1\}^{\rho }\).

\(\mathsf {sFE}.\mathsf {Setup}(1^\lambda ):\)  

  • Generate \((\mathsf {MPK},\mathsf {MSK}) \leftarrow \mathsf {qFE}.\mathsf {Setup}(1^\lambda )\).

  • Return \((\mathsf {MPK}, \mathsf {MSK})\).

\(\mathsf {sFE}.\mathsf {KG}(\mathsf {MSK}, f):\)  

  • Generate \(t \leftarrow \{0,1\}^\lambda \).

  • Compute decomposed f, that is, \(({\widehat{f}}_1,\ldots ,{\widehat{f}}_\mu )\leftarrow \mathsf {RE.E}(1^\lambda ,f)\).

  • Choose \(\mathsf {SKE}\) secret-key \(\mathsf {SK}\leftarrow \{0,1\}^{\lambda }\). For all \(i \in [\mu ]\), generate \(\mathsf {CT}_{\mathsf {ske}}^i \leftarrow \mathsf {SKE}.\mathsf {Enc}(\mathsf {SK},0)\), and compute \(\mathsf {sk}_{f_i} \leftarrow \mathsf {qFE}.\mathsf {i}\mathsf {KG}(\mathsf {MSK}, \textsf {D}_{\mathsf {re}}[{\widehat{f}}_i,t, \mathsf {CT}_{\mathsf {ske}}^i],i)\). The circuit \(\textsf {D}_{\mathsf {re}}\) is defined in Fig. 12.

  • Return \(\mathsf {sk}_f \leftarrow (\mathsf {sk}_{f_1},\ldots ,\mathsf {sk}_{f_\mu })\).

\(\mathsf {sFE}.\mathsf {Enc}(\mathsf {MPK}, x):\)  

  • Generate \(K \leftarrow \mathsf {PRF}.\mathsf {Gen}(1^\lambda )\).

  • Return \(\mathsf {CT}\leftarrow \mathsf {qFE}.\mathsf {Enc}(\mathsf {MPK}, (0,x,K,\bot ))\).

\(\mathsf {sFE}.\mathsf {Dec}(\mathsf {sk}_f, \mathsf {CT}):\)  

  • Parse \((\mathsf {sk}_{f_1},\ldots , \mathsf {sk}_{f_\mu }) \leftarrow \mathsf {sk}_f\).

  • For all \(i \in [\mu ]\), compute \(e_i \leftarrow \mathsf {qFE}.\mathsf {Dec}(\mathsf {sk}_{f_i}, \mathsf {CT})\).

  • Decode y from \((e_1,\ldots ,e_\mu )\).

  • Return y.

Fig. 12
figure 12

Description of \(\textsf {D}_{\mathsf {re}}\)

Proof of Theorem 3.11

We start with analyzing succinctness then move on to the security proof.

We assume that \(\mathsf {RE}\) is a \(\delta \)-secure decomposable randomized encoding scheme, \((\mathsf {PRF}.\mathsf {Gen}, \mathsf {F},\mathsf {Punc})\) is a \(\delta \)-secure puncturable PRF, \(\mathsf {SKE}\) is a \(\delta \)-secure SKE, and \(\mathsf {qFE}\) is a \((\mu ,\delta )\)-weakly selectively secure iPKFE scheme for circuits of size at most \(s = s(\lambda )\) with \(n = n(\lambda )\) inputs with encryption circuit of size \(\mu ^{\gamma }\cdot {\mathrm {poly}}(\lambda ,n,s)\) where \(\mu = s \cdot {\mathrm {poly}}_\mathsf {RE}(\lambda ,n)\) and \({\mathrm {poly}}_\mathsf {RE}\) is a fixed polynomial determined by \(\mathsf {RE}\).

Weak Succinctness To issue one key, we need to issue \(1\cdot \mu = s\cdot {\mathrm {poly}}_\mathsf {RE}(\lambda ,n)\) keys of \(\mathsf {qFE}\) since we consider functions of size s. Thus, we choose \(\mu =s\cdot {\mathrm {poly}}_\mathsf {RE}(\lambda ,n)\) as the number of issued keys of \(\mathsf {qFE}\).

Let \(\textsf {D}_i :=\textsf {D}_{\mathsf {re}}[{\widehat{f}}_i,t,\mathsf {CT}_{\mathsf {ske}}^i]\). \(\textsf {D}_i\) includes a decryption of \(\mathsf {SKE}\), PRF evaluation on the domain \(\{0,1\}^\lambda \times [\mu ]\), and evaluation of decomposed randomized encoding \({\widehat{f}}_i\). \(|{\widehat{f}}_i|\) is independent of \(\left| f\right| \) by the decomposability of \(\mathsf {RE}\) and \(\left| t\right| \) and \(\left| \mathsf {CT}_{\mathsf {ske}}^i\right| \) are bounded by \(O(\lambda )\). Moreover, the PRF evaluation is done in time \({\mathrm {poly}}(\lambda , \log s)\). Thus, the size of \(\textsf {D}_i\) is \({\mathrm {poly}}(\lambda ,n, \log s)\). Therefore, the size of encryption circuit \(\mathsf {sFE}.\mathsf {Enc}\) is

$$\begin{aligned} (s\cdot {\mathrm {poly}}(\lambda ,n))^{\gamma } \cdot {\mathrm {poly}}(\lambda ,n, \log s) = s^{\gamma '}\cdot {\mathrm {poly}}(\lambda ,n), \end{aligned}$$

where \(\gamma '\) is any constant such that \(\gamma<\gamma '<1\).

Security Proof Let \(\mathcal {A}\) be an adversary attacking the weakly selective security of \(\mathsf {sFE}\). We define a sequence of hybrid games.

\(\mathsf {Hyb}_{0}\)::

The first game is the original weakly selective security experiment for \(b=0\), \(\mathsf {Expt}_{{\mathcal {A}}}^{\mathsf {sel^*}}(1^\lambda ,0)\). In this game, \({\mathcal {A}}\) first selects the challenge messages \((x_0^*,x_1^*)\) and a function f then obtains an encryption of \(x_0^*\), the master public-key, and a functional decryption key \(\mathsf {sk}_f\).

\(\mathsf {Hyb}_{1}\)::

We change \(\mathsf {CT}_{\mathsf {ske}}^i \leftarrow \mathsf {SKE}.\mathsf {Enc}(\mathsf {SK},0)\) into \(\mathsf {CT}_{\mathsf {ske}}^i \leftarrow \mathsf {SKE}.\mathsf {Enc}(\mathsf {SK},{\widehat{f}}_i(x_0^*;r))\) for all \(i\in [\mu ]\). It holds that \(\mathsf {Hyb}_{0}{\mathop {\approx }\limits ^{{\mathsf {c}}}}_{\delta }\mathsf {Hyb}_{1}\) due to the CPA-security of \(\mathsf {SKE}\).

\(\mathsf {Hyb}_{2}\)::

We change \(\mathsf {CT}\leftarrow \mathsf {qFE}.\mathsf {Enc}(\mathsf {MPK}, (0,x_0^*,K,\bot ))\) into \(\mathsf {CT}\leftarrow \mathsf {qFE}.\mathsf {Enc}(\mathsf {MPK}, (1,\bot ,\bot ,\mathsf {SK}))\).

\(\square \)

Lemma B.3

It holds that \(\mathsf {Hyb}_{1}{\mathop {\approx }\limits ^{{\mathsf {c}}}}_{\delta }\mathsf {Hyb}_{2}\) if \(\mathsf {qFE}\) is a \((q,\delta )\)-weakly selectively secure PKFE.

Proof of lemma

We construct an adversary \({\mathcal {B}}\) of \(\mathsf {qFE}\). First, \({\mathcal {A}}\) sends messages \((x_0^*,x_1^*)\) and a function f to the challenger of \(\mathsf {sFE}\). \({\mathcal {B}}\) generates \(K\leftarrow \mathsf {PRF}.\mathsf {Gen}(1^\lambda )\) and chooses random t and a secret-key encryption key \(\mathsf {SK}\leftarrow \{0,1\}^{\lambda }\), computes \(({\widehat{f}}_1,\ldots ,{\widehat{f}}_{\mu })\) from f, and generates \(\mathsf {CT}_{\mathsf {ske}}^i \leftarrow \mathsf {SKE}.\mathsf {Enc}(\mathsf {SK},{\widehat{f}}_{i}(x_0^*;r))\) and \(\textsf {D}_{\mathsf {re}}[{\widehat{f}}_i,t,\mathsf {CT}_\mathsf {ske}^i]\) for all \(i\in [\mu ]\). Then, \({\mathcal {B}}\) sends messages \(((0,x_0^*,K,\bot ),(1,\bot ,\bot ,\mathsf {SK}))\) as challenge messages and functions \(\textsf {D}_i :=\textsf {D}_{\mathsf {re}}[{\widehat{f}}_i,t,\mathsf {CT}_\mathsf {ske}^i]\) for all \(i\in [\mu ]\) to the challenger of \(\mathsf {qFE}\) and receives \(\mathsf {MPK}\), \(\mathsf {CT}^*\), and \(\{\mathsf {sk}_{\textsf {D}_i}\}_{i\in [\mu ]}\). \({\mathcal {B}}\) passes \(\mathsf {MPK}\), \(\mathsf {CT}^*\), and \(\{\mathsf {sk}_{\textsf {D}_i}\}_{i\in [\mu ]}\) as the master public-key, target ciphertext, and functional key for f to \({\mathcal {A}}\). This perfectly simulates \(\mathsf {Hyb}_{1}\) if \(\mathsf {CT}^*\) is an encryption of \((0,x_0^*,K,\bot )\) and \(\mathsf {Hyb}_{2}\) if \(\mathsf {CT}^*\) is an encryption of \((1,\bot ,\bot ,\mathsf {SK})\). Thus, the lemma follows. \(\square \)

\(\mathsf {Hyb}_{3}\)::

We change \(r \leftarrow \mathsf {F}_K(t)\) into \(r \leftarrow \{0,1\}^{\rho }\). It holds that \(\mathsf {Hyb}_{2}{\mathop {\approx }\limits ^{{\mathsf {c}}}}_{\delta }\mathsf {Hyb}_{3}\) due to the pseudo-randomness of \(\mathsf {F}\).

\(\mathsf {Hyb}_{4}\)::

We change \(e_i \leftarrow {\widehat{f}}_i(x_0^*;r)\) into \(e_i \leftarrow {\widehat{f}}_i(x_1^*;r)\) for all \(i \in [\mu ]\). It holds that \(\mathsf {Hyb}_{3}{\mathop {\approx }\limits ^{{\mathsf {c}}}}_{\delta }\mathsf {Hyb}_{4}\) due to the security of the decomposable randomized encoding and the condition \(f(x_0^*)=f(x_1^*)\) for \(\mathsf {sFE}\). In fact, we intermediately use the output of the simulator of \(\mathsf {RE}\).

\(\mathsf {Hyb}_{5}\)::

This is the same as \(\mathsf {Expt}_{{\mathcal {A}}}^{\mathsf {sel^*}}(1^\lambda ,1)\). We can show \(\mathsf {Hyb}_{4} {\mathop {\approx }\limits ^{{\mathsf {c}}}}_{\delta } \mathsf {Hyb}_{5}\) in a reverse manner.

Therefore, Construction B.2 is \((1,\delta )\)-selectively secure and weakly succinct PKFE for \(\mathsf {P/poly}\) with compression factor \(\gamma '\) such that \(\gamma ' <1\). This completes the proof of Theorem 3.9. This completes the proof of Theorem 3.11. \(\square \)

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Kitagawa, F., Nishimaki, R. & Tanaka, K. Simple and Generic Constructions of Succinct Functional Encryption. J Cryptol 34, 25 (2021).

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • DOI:


  • Functional encryption
  • Succinctness
  • Indistinguishability obfuscation