Simple and efficient FE for quadratic functions

Abstract

This paper presents two functional encryption schemes for quadratic functions (or degree-2 polynomials) achieving simulation-based security in the semi-adaptive model with constant-size secret keys. Prior constructions in the standard model either achieve weaker security model [CRYPTO 17] or require linear-size secret keys (in the message length) [PKC 20]. One of our proposed schemes is comparable to existing schemes in the generic group model in terms of ciphertext size. Technically, we combine Wee’s compiler [TCC 17] with Gay’s paradigm [PKC 20]. However, we avoid (partially) function-hiding inner-product functional encryption used in Gay’s paradigm which makes our work conceptually simpler.

Appendices

Secret-key functional encryption

Algorithm. A secret-key functional encryption \(\uppi \) for \({F}\) consists of four PPT algorithms:

• \(\textsf {Setup}(1^\lambda ,{F}) \rightarrow {\textsf {msk}}\): The \(\textsf {Setup}\) algorithm takes security parameter \(1^\lambda \) and functionality \({F}\) as input, outputs master secret key \({\textsf {msk}}\).

• \(\textsf {Enc}({\textsf {msk}},x\in {X}) \rightarrow {\textsf {ct}}_x\): The \(\textsf {Enc}\) algorithm takes master secret key \({\textsf {msk}}\) and message \(x\in {X}\) as input, outputs a ciphertext \({\textsf {ct}}_x\).

• \(\textsf {KeyGen}({\textsf {msk}},y\in {Y}) \rightarrow {\textsf {sk}}_y\): The \(\textsf {KeyGen}\) algorithm takes master secret key \({\textsf {msk}}\) and function index \(y\in {Y}\) as input, outputs a functional secret key \({\textsf {sk}}_y\).

• \(\textsf {Dec}({\textsf {ct}}_x,{\textsf {sk}}_y) \rightarrow z \in {Z}\): The \(\textsf {Dec}\) algorithm takes a ciphertext \({\textsf {ct}}_x\) and a functional secret key \({\textsf {sk}}_y\) as input, outputs \(z \in {Z}\).

Correctness. For all \(\lambda \in \mathbb {N}\), \(x \in {X}\), \(y \in {Y}\), we require that

$$\begin{aligned} \Pr \left[ \begin{array}{ll} \textsf {Dec}({\textsf {ct}}_x,{\textsf {sk}}_y) = {F}(x,y) : &{} \begin{array}{l} {\textsf {msk}}\leftarrow \textsf {Setup}(1^\lambda ,{F})\\ {\textsf {ct}}_x \leftarrow \textsf {Enc}({\textsf {msk}},x)\\ {\textsf {sk}}_y \leftarrow \textsf {KeyGen}({\textsf {msk}},y) \end{array} \end{array}\right] = 1. \end{aligned}$$

Analogously, we require the correctness described above holds when \({F}(x,y) \in B\) where \(B \subseteq \mathbb {Z}_p\) has polynomial size.

Selective simulation-based security (SIM-security). For every efficient stateful adversary \(\mathscr {A}\), there exists simulator \((\widetilde{\textsf {Setup}},\widetilde{\textsf {Enc}},\widetilde{\textsf {KeyGen}})\) such that

$$\begin{aligned} \left[ \begin{array}{l} {\textsf {msk}}\leftarrow \textsf {Setup}(1^\lambda ,{F}); \\ x^* \leftarrow \mathscr {A}(1^\lambda ,{F}); \\ {\textsf {ct}}^* \leftarrow \textsf {Enc}({\textsf {msk}},x^*); \\ \text{ output } \mathscr {A}^{\textsf {KeyGen}({\textsf {msk}},\cdot )}(1^\lambda ,{F},{\textsf {ct}}^*)\\ \end{array} \right] \approx _c \left[ \begin{array}{l} {\widetilde{{\textsf {msk}}}}\leftarrow \widetilde{\textsf {Setup}}(1^\lambda ,{F});\\ x^* \leftarrow \mathscr {A}(1^\lambda ,{F});\\ {\widetilde{{\textsf {ct}}}}^* \leftarrow \widetilde{\textsf {Enc}}({\widetilde{{\textsf {msk}}}});\\ \text{ output } \mathscr {A}^{\widetilde{\textsf {KeyGen}}({\widetilde{{\textsf {msk}}}},\cdot ,\cdot )}(1^\lambda ,{F},{\widetilde{{\textsf {ct}}}}^*)\\ \end{array} \right] \end{aligned}$$

where \(\widetilde{\textsf {KeyGen}}({\widetilde{{\textsf {msk}}}},\cdot ,\cdot )\) gets y along with \({F}(x^*,y)\) whenever \(\mathscr {A}\) makes a query \(y\in {Y}\) to \(\textsf {KeyGen}({\textsf {msk}},\cdot )\). We use to denote the advantage function.

Selective SIM-security of \(\uppi _1\) and \(\uppi _2\)

This section sketches the proofs of selective SIM-security of \(\uppi _1\) and \(\uppi _2\), respectively. For this, we first sketch the proof for (2) shown in the Introduction in more detail and explain how to adapt the proof for \(\uppi _1\) and \(\uppi _2\), respectively.

Game Sequence for (2). We employ the following game sequence.

\(\underline{{\textsf {G}}_{0}}\)::

This is the real game where the challenge ciphertext for \((\mathbf {x},\mathbf {y})\) is:

$$\begin{aligned} {\textsf {ct}}= (\,[\mathbf {C}_1]_1,[\mathbf {C}_2]_2\,) \quad \text { where } \quad \mathbf {C}_1 = (\mathbf {x}\Vert \mathbf {U})\mathbf {M}^*,\,\mathbf {C}_2 = (\mathbf {y}\Vert \mathbf {V})\mathbf {M}\end{aligned}$$

a secret key for \(\mathbf {F}\) is:

$$\begin{aligned} {\textsf {sk}}_\mathbf {F}= [\langle \mathbf {F} , \mathbf {U}\mathbf {V}^{}{\top } \rangle ]_T \end{aligned}$$

where \(\mathbf {U}\leftarrow \mathbb {Z}_p^{n \times k},\mathbf {V}\leftarrow \mathbb {Z}_p^{m \times k}\) are components of \({\textsf {msk}}\) and \((\mathbf {M}^*,\mathbf {M}) \leftarrow \mathbb {Z}_p^{(k+1)\times (k+1)} \times \mathbb {Z}_p^{(k+1)\times (k+1)}\) are random coins for \({\textsf {ct}}\) with the restriction \(\mathbf {M}^*\mathbf {M}^{}{\top }= \mathbf {I}\).

\(\underline{{\textsf {G}}_1}\)::

Identical to \({\textsf {G}}_0\) except that a secret key for \(\mathbf {F}\) is:

$$\begin{aligned} {\textsf {sk}}_\mathbf {F}= [\langle \mathbf {F} , \mathbf {C}_1\mathbf {C}_2^{}{\top }- \mathbf {x}\mathbf {y}^{}{\top } \rangle ]_T. \end{aligned}$$

We claim that \({\textsf {G}}_1 \equiv {\textsf {G}}_0\) since the change is conceptual.

\(\underline{{\textsf {G}}_2}\)::

Identical to \({\textsf {G}}_1\) except that the challenge ciphertext for \((\mathbf {x},\mathbf {y})\) is

We claim that \({\textsf {G}}_2 \approx _c {\textsf {G}}_1\). This follows from the \(\textsc {MDDH}^{}_{k,n}\) assumption which implies that for all \(\mathbf {x}\in \mathbb {Z}_p^n\),

$$\begin{aligned} {[}\mathbf {U}]_1,[\mathbf {x}+ \mathbf {U}\mathbf {a}]_1 \approx _c [\mathbf {U}]_1, [\mathbf {r}]_1 \end{aligned}$$

where \(\mathbf {U}\leftarrow \mathbb {Z}_p^{n \times k}\), \(\mathbf {a}\leftarrow \mathbb {Z}_p^k\) and \(\mathbf {r}\leftarrow \mathbb {Z}_p^n\). The reduction programs:

$$\begin{aligned} \mathbf {M}^*,\,\mathbf {M},\,\mathbf {V}\longmapsto \begin{pmatrix}1&{}\mathbf {0}\\ \mathbf {a}&{}\mathbf {I}\end{pmatrix}\mathbf {M}^*,\,\begin{pmatrix}1&{}-\mathbf {a}^{}{\top }\\ \mathbf {0}&{}\mathbf {I}\end{pmatrix}\mathbf {M},\,\mathbf {V}+ \mathbf {y}\mathbf {a}^{}{\top }\end{aligned}$$

such that the distribution of \([\mathbf {C}_2]_2\) remains unchanged and \(\mathbf {a}\) is embedded into \([\mathbf {C}_1]_1\); in particular, this allows us to argue:

$$\begin{aligned} {[}\mathbf {C}_1]_1 = [(\mathbf {x}+ \mathbf {U}\mathbf {a}\Vert \mathbf {U})\mathbf {M}^*]_1 \approx _c [(\mathbf {r}\Vert \mathbf {U}) \mathbf {M}^*]_1 \end{aligned}$$

which is uniformly distributed over \(G_1^{n \times (k+1)}\).

\(\underline{{\textsf {G}}_3}\)::

Identical to \({\textsf {G}}_2\) except that the challenge ciphertext for \((\mathbf {x},\mathbf {y})\) is

We claim that \({\textsf {G}}_3 \approx _c {\textsf {G}}_2\). Let \(\overline{\mathbf {M}}\in \mathbb {Z}_p^{1\times (k+1)}\) and \(\underline{\mathbf {M}} \in \mathbb {Z}_p^{k\times (k+1)}\) be submatrices consisting of the first row and the remaining k rows of \(\mathbf {M}\in \mathbb {Z}_p^{(k+1)\times (k+1)}\). This follows from the \(\textsc {MDDH}^{k+1}_{k,m}\) assumption which implies that

$$\begin{aligned} {[}\mathbf {V}\underline{\mathbf {M}}]_2 \text { is pseudorandom} \end{aligned}$$

and so is

$$\begin{aligned} {[}\mathbf {C}_2]_2 = [(\mathbf {y}\Vert \mathbf {V})\mathbf {M}]_2 = [\mathbf {y}\overline{\mathbf {M}}+ \mathbf {V}\underline{\mathbf {M}}]_2. \end{aligned}$$

Game Sequence for \(\uppi _1\). The scheme \(\uppi _1\) is identical to (2) except that the secret key for \(\mathbf {F}\) is over \(G_2\):

$$\begin{aligned} {\textsf {sk}}_\mathbf {F}=[\langle \mathbf {F} , \mathbf {U}\mathbf {V}^{}{\top } \rangle ]_2 \end{aligned}$$

The simulator and game sequence are analogous except that we need \(\textsc {Bi-MDDH}^{}_{k,n}\) to prove \({\textsf {G}}_{2}\approx _c{\textsf {G}}_{1}\) since \(\mathbf {C}_1\) are over \(G_2\) in \({\textsf {sk}}_\mathbf {F}\).

Game Sequence for \(\uppi _2\). The scheme \(\uppi _2\) is identical to (2) except that the secret key for \(\mathbf {F}\) consists of two elements from \(G_1\) and \(G_2\), respectively:

$$\begin{aligned} {\textsf {sk}}_\mathbf {F}= \big (\, [\tau ]_1,\, [\langle \mathbf {F} , \mathbf {U}\mathbf {V}^{}{\top } \rangle - \tau ]_2\,\big ). \end{aligned}$$

The simulator and game sequence are analogous except that when we prove \({\textsf {G}}_{2}\approx _c{\textsf {G}}_{1}\) we simulate the secret key as:

$$\begin{aligned} {\textsf {sk}}_\mathbf {F}= \big (\, [\langle \mathbf {F} , \mathbf {C}_1\mathbf {C}_2^{}{\top }- \mathbf {x}\mathbf {y}^{}{\top } \rangle - \tau ]_1,\, [\tau ]_2\,\big ) \end{aligned}$$

such that \(\mathbf {C}_1\) appears over \(G_1\) as in (2).