Decentralized Multi-Client Functional Encryption for Inner Product

Jérémy Chotard; Edouard Dufour Sans; Romain Gay; Duong Hieu Phan; David Pointcheval

doi:10.1007/978-3-030-03329-3_24

International Conference on the Theory and Application of Cryptology and Information Security

ASIACRYPT 2018: Advances in Cryptology – ASIACRYPT 2018 pp 703-732 | Cite as

Decentralized Multi-Client Functional Encryption for Inner Product

Authors
Authors and affiliations

Jérémy Chotard
Edouard Dufour Sans
Romain Gay
Duong Hieu Phan
David Pointcheval

Conference paper

First Online: 27 October 2018

Part of the Lecture Notes in Computer Science book series (LNCS, volume 11273)

Abstract

We consider a situation where multiple parties, owning data that have to be frequently updated, agree to share weighted sums of these data with some aggregator, but where they do not wish to reveal their individual data, and do not trust each other. We combine techniques from Private Stream Aggregation (PSA) and Functional Encryption (FE), to introduce a primitive we call Decentralized Multi-Client Functional Encryption (DMCFE), for which we give a practical instantiation for Inner Product functionalities. This primitive allows various senders to non-interactively generate ciphertexts which support inner-product evaluation, with functional decryption keys that can also be generated non-interactively, in a distributed way, among the senders. Interactions are required during the setup phase only. We prove adaptive security of our constructions, while allowing corruptions of the clients, in the random oracle model.

Keywords

Decentralized Multi-Client Functional encryption Inner product

This is a preview of subscription content, to check access.

Notes

Acknowledgments

This work was supported in part by the European Community’s Seventh Framework Programme (FP7/2007-2013 Grant Agreement no. 339563 – CryptoCloud), the European Community’s Horizon 2020 Project FENTEC (Grant Agreement no. 780108), the Google PhD fellowship, the ANR ALAMBIC (ANR16-CE39-0006) and the French FUI ANBLIC Project.

Supplementary material

Open image in new window

B A Selectively-Secure MCFE

B.1 Description

In this section, we formally present the selectively secure $\textsf {MCFE} $ scheme for inner product we described in Sect. 1. It is inspired by Abdalla et al.’s scheme [1]:

$\mathsf {SetUp} (\lambda )$: Takes as input the security parameter, and generates a group $\mathbb {G}$ of prime order $p \approx 2^\lambda $, $g \in \mathbb {G}$ a generator, and $\mathcal {H}$ a full-domain hash function onto $\mathbb {G}$. It also generates the encryption keys $s_i{\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_p$, for $i=1,\ldots ,n$, and sets $\varvec{s}= (s_i)_i$. The public parameters ${\mathsf {mpk}}$ consist of $(\mathbb {G},p,g,\mathcal {H})$, while the master secret key is ${\mathsf {msk}=\varvec{s}}$ and the encryption keys are ${\mathsf {ek}_i = s_i}$ for $i=1,\ldots ,n$ (in addition to ${\mathsf {mpk}}$, which is omitted);
${\mathsf {Encrypt} (\mathsf {ek}_i,x_i,\ell )}$: Takes as input the value $x_i$ to encrypt, under the key ${\mathsf {ek}_i = s_i}$ and the label $\ell $. It computes $[u_\ell ] := \mathcal {H}(\ell ) \in \mathbb {G}$, and outputs the ciphertext $[c_i] = [u_\ell s_i + x_i] \in \mathbb {G}$;
${\mathsf {DKeyGen} (\mathsf {msk}, \varvec{y})}$: Takes as input ${\mathsf {msk}= (s_i)_i}$ and an inner-product function defined by $\varvec{y}$ as $f_{\varvec{y}}(\varvec{x}) = \langle \varvec{x}, \varvec{y} \rangle $, and outputs the functional decryption key $\mathsf {dk}_{\varvec{y}} = \left( \varvec{y},\sum _{i} s_i y_i \right) \in \mathbb {Z}_p^n \times \mathbb {Z}_p$;
$\mathsf {Decrypt} (\mathsf {dk}_{\varvec{y}}, \ell , ([c_i])_{i \in [n]})$: Takes as input a decryption key $\mathsf {dk}_{\varvec{y}} = (\varvec{y}, d)$, a label $\ell $. It computes $[u_\ell ] := \mathcal {H}(\ell )$, $[\alpha ] = \sum _i y_i \cdot [c_i] - d \cdot [u_\ell ]$, and eventually solves the discrete logarithm to extract and return $\alpha $.

As for Abdalla et al.’s scheme [1], the result $\alpha $ should not be too large to allow the final discrete logarithm computation.

Correctness: if the scalar dk in the decryption functional key $\mathsf {dk}_{\varvec{y}}=(\varvec{y},dk)$ is indeed $dk = \langle \varvec{s}, \varvec{y} \rangle $, then

$$\begin{aligned}{}[\alpha ]&= \sum _i y_i \cdot [c_i] - d \cdot [u_\ell ] = \sum _i y_i \cdot [u_\ell s_i + x_i] - [u_\ell ] \cdot \sum _{i} s_i y_i \\&= [u_\ell ] \cdot \sum _i s_iy_i + [\sum _i x_iy_i] - [u_\ell ] \cdot \sum _{i} s_i y_i = [\sum _i x_i y_i]. \end{aligned}$$

B.2 Selective Security

Like Abdalla et al.’s original scheme [1], our protocol can only be proven secure in the weaker security model, where the adversary has to commit in advance to all of the pairs of messages for the Left-or-Right encryption oracle ($\mathsf {QEncrypt} $-queries). However, it can adaptively ask for functional decryption keys ($\mathsf {QDKeyGen} $-queries) and encryption keys ($\mathsf {QCorrupt} $-queries). Concretely, the challenger is provided (plaintext,label) pairs: $(x_{j,i}^b,\ell _j)_{b \in \{0,1\},i\in [n], j \in [Q]}$, where Q is the number of query to $\mathsf {QEncrypt} (i,\cdot ,\cdot )$, each one for a different label $\ell _j$ (note that in the security model, we assume each slots are queried the same number of time, on different labels). The challenge ciphertexts ${C_{i,j} = \mathsf {Encrypt} (\mathsf {ek}_i, x_{j,i}^b,\ell _j)}$, for the random bit b, are returned to the adversary.

Note that the adversary committing to challenge ciphertexts also limits its ability to corrupt users during the game: it must corrupt clients for which it didn’t ask a ciphertext and cannot corrupt any client from which it asked a ciphertext for $x_{j,i}^0\ne x_{j,i}^1$.

B.3 Security Analysis

Theorem 11

(sel-IND Security). The $\textsf {MCFE}$ protocol described above (see Appendix B.1) is sel-IND secure under the $\textsf {DDH}$ assumption, in the random oracle model. More precisely, we have

$$\begin{aligned} \mathsf {Adv}^\texttt {IND} (\mathcal {A}) \le 2Q \cdot \mathsf {Adv}_\mathbb {G}^\textsf {ddh} (t) , \end{aligned}$$

for any adversary $\mathcal {A}$, running within time t, where Q is the number of encryption queries per slot.

Proof

We proceed using hybrid games, described in Fig. 6, with the same notations as in the previous proofs.

Game $G_0$: This is the Open image in new window security game as given in Definition 2 (see the paragraph about weaker models), with all the encryption queries being sent first: they are stored in $z_{j,i}=(x_{j,i}^0,x_{j,i}^1)$, for $j\in [Q]$ and $i\in [n]$, where j is for the j-th $\mathcal {H}$-query that specifies the label $\ell _j$ and i is for the index of the sender. If the query is not asked, we have $z_{j,i} = \bot $. Note that the hash function $\mathcal {H}$ is modeled as a random oracle $\mathsf {RO}$ onto $\mathbb {G}$. This is used to generate $[u_\ell ] = \mathcal {H}(\ell )$.
Game $G_1$: We simulate the answers to any new $\mathsf {RO}$ query by computing a truly random element of $\mathbb {G}$, on the fly. The simulation remains perfect, so $\mathsf {Adv}_0 = \mathsf {Adv}_1$.
Game $G_2$: We simulate every encryption as the encryption of $x_i^0$ instead of $x_i^b$.

While it is clear that in this last game the advantage of any adversary is exactly 0 since b does not appear anywhere, the gap between $G_1$ and $G_2$ will be proven using an hybrid argument on the $\mathsf {RO}$-queries. We thus index the following games by q, where $q=1,\ldots , Q$. Note that only distinct $\mathsf {RO}$-queries are counted, since a second similar query is answered as the first one.

$G_{2.1}$: This is exactly game $G_1$. Thus, $\mathsf {Adv}_1= \mathsf {Adv}_{2.1}$.
$G_{2.q} \rightsquigarrow G_{2.q+1}$: We change the generation of the ciphertexts from $[c_{q,i}] := [u_{\ell _q}s_i + x_{q,i}^{b}]$ to $[c_{q,i}] := [u_{\ell _q}s_i + x_{q,i}^{0}]$. We proceed in three steps:

Step 1. We use the fact that the two following distributions are identical, for any choice of $\gamma $:
$$\left( s_{i}\right) _{i \in [n], z_{q,i} = (x_{q,i}^{0},x_{q,i}^{b})} \text{ and } \left( s_{i} + \gamma (x_{q,i}^{0} - x_{q,i}^{b}) \right) _{i \in [n], z_{q,i} = (x_{q,i}^{0},x_{q,i}^{1})},$$
where $s_{i} {\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_p$, for all $i\in [n]$. This is true since the $s_{i}$ are independent of the $z_{q,i}$ (we are in a selective setting, so the $s_i$’s are generated after the $z_{q,i}$’s have been chosen). Thus, we can re-write $s_{i}$ into $s_{i} + \gamma (x_{q,i}^{0} - x_{q,i}^{b})$ without changing the distribution of the game.

Note that when Finalize does not output a random bit $\beta {\mathop {\leftarrow }\limits ^{{}_\$}}\{0,1\}$ independent of the guess $b'$, $\gamma $ does not appear in the outputs of $\mathsf {QCorrupt} (i)$, since it must be that $x_i^0=x_i^1$ or $z_{q,i}=\bot $, and it does not appear in the output of $\mathsf {QDKeyGen} (\varvec{y})$ either, since Open image in new window , where the gray term equals zero by Definition 1. The fact that $\gamma $ does not appear in the outputs of these oracles will be crucial for step 2, which applies $\textsf {DDH}$ on $[\gamma ]$.

Step 2. We use the $\textsf {DDH}$ assumption to replace the $[u_{\ell _q}\gamma ]$ that appear in the output of the q-th query to $\mathsf {QEncrypt} $ queries with $[r_{\ell _q} + 1]$ with $r_{\ell _q} {\mathop {\leftarrow }\limits ^{{}_\$}}\mathbb {Z}_p$. This is possible since the rest of the adversary view can be generated only from $[\gamma ]$ and $[r_{\ell _q}+1]$. This increases the adversary’s advantage by no more than $\mathsf {Adv}_\mathbb {G}^\textsf {ddh} (t)$. We now have:
$$\begin{aligned}{}[c_{q,i}] :=&[u_{\ell _q}s_i + (x_{q,i}^{0} - x_{q,i}^{b}) (r_{\ell _q} + 1) + x_{q,i}^{b}] \\ =&[u_{\ell _q}s_i + r_{\ell _q}(x_{q,i}^{0} - x_{q,i}^{b}) + x_{q,i}^{0} - x_{q,i}^{b} + x_{q,i}^{b}] \\ =&[u_{\ell _q}s_i + r_{\ell _q}(x_{q,i}^{0} - x_{q,i}^{b}) + x_{q,i}^{0}]. \end{aligned}$$
Step 3. We switch $[r_{\ell _q}]$ in the output of the q-query to $\mathsf {QEncrypt} $ back to $[u_{\ell _q} \gamma ]$, using the $\textsf {DDH}$ assumption again. This is possible since the adversary’s view is simulatable solely from $[\gamma ]$, $[u_{\ell _q}]$, and $[r_{\ell _q}]$. We finally undo the distribution change on the $\varvec{s}_i$, which brings us to $G_{2.q+1}$.

As a conclusion, since $G_{2.Q+1} = G_{2}$, we have $\mathsf {Adv}_{1} - \mathsf {Adv}_{2} \le 2Q\cdot \mathsf {Adv}_\mathbb {G}^\textsf {ddh} (t)$. In addition, $\mathsf {Adv}_{2} = 0$, which concludes the proof.

References

1.
Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 733–751. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_33CrossRefGoogle Scholar
2.
Abdalla, M., Catalano, D., Fiore, D., Gay, R., Ursu, B.: Multi-input functional encryption for inner products: function-hiding realizations and constructions without pairings. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, part I. LNCS, vol. 10991, pp. 597–627. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_20CrossRefGoogle Scholar
3.
Abdalla, M., Gay, R., Raykova, M., Wee, H.: Multi-input inner-product functional encryption from pairings. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, part I. LNCS, vol. 10210, pp. 601–626. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_21CrossRefGoogle Scholar
4.
Agrawal, S., Libert, B., Stehlé, D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, part III. LNCS, vol. 9816, pp. 333–362. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_12CrossRefGoogle Scholar
5.
Ananth, P., Brakerski, Z., Segev, G., Vaikuntanathan, V.: From selective to adaptive security in functional encryption. In: Gennaro, R., Robshaw, M.J.B. (eds.) CRYPTO 2015, part II. LNCS, vol. 9216, pp. 657–677. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_32CrossRefzbMATHGoogle Scholar
6.
Badrinarayanan, S., Goyal, V., Jain, A., Sahai, A.: Verifiable functional encryption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, part II. LNCS, vol. 10032, pp. 557–587. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_19CrossRefGoogle Scholar
7.
Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: 38th FOCS, pp. 394–403. IEEE Computer Society Press, October 1997Google Scholar
8.
Benhamouda, F., Joye, M., Libert, B.: A new framework for privacy-preserving aggregation of time-series data. ACM Trans. Inf. Syst. Secur. 18(3), 10:1–10:21 (2016)CrossRefGoogle Scholar
9.
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_16CrossRefGoogle Scholar
10.
Brakerski, Z., Komargodski, I., Segev, G.: Multi-input functional encryption in the private-key setting: stronger security from weaker assumptions. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, part II. LNCS, vol. 9666, pp. 852–880. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_30CrossRefzbMATHGoogle Scholar
11.
Chan, T.-H.H., Shi, E., Song, D.: Privacy-preserving stream aggregation with fault tolerance. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 200–214. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32946-3_15CrossRefGoogle Scholar
12.
Datta, P., Okamoto, T., Tomida, J.: Full-hiding (unbounded) multi-input inner product functional encryption from the k-linear assumption. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, part II. LNCS, vol. 10770, pp. 245–277. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5_9CrossRefGoogle Scholar
13.
Emura, K.: Privacy-preserving aggregation of time-series data with public verifiability from simple assumptions. In: Pieprzyk, J., Suriadi, S. (eds.) ACISP 2017. LNCS, vol. 10343, pp. 193–213. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59870-3_11CrossRefzbMATHGoogle Scholar
14.
Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for diffie-hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, part II. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_8CrossRefGoogle Scholar
15.
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press, October 2013Google Scholar
16.
Goldwasser, S., et al.: Multi-input functional encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 578–602. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_32CrossRefGoogle Scholar
17.
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: How to run turing machines on encrypted data. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, part II. LNCS, vol. 8043, pp. 536–553. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_30CrossRefGoogle Scholar
18.
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 555–564. ACM Press, June 2013Google Scholar
19.
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_11CrossRefGoogle Scholar
20.
Gordon, S.D., Katz, J., Liu, F.H., Shi, E., Zhou, H.S.: Multi-input functional encryption. Cryptology ePrint Archive, Report 2013/774 (2013). http://eprint.iacr.org/2013/774
21.
Joye, M., Libert, B.: A scalable scheme for privacy-preserving aggregation of time-series data. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 111–125. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_10CrossRefzbMATHGoogle Scholar
22.
Lee, K., Lee, D.H.: Two-input functional encryption for inner products from bilinear maps. IACR Cryptology ePrint Archive 2016, 432 (2016). http://eprint.iacr.org/2016/432
23.
Li, Q., Cao, G.: Efficient and privacy-preserving data aggregation in mobile sensing. In: ICNP 2012, pp. 1–10. IEEE Computer Society (2012)Google Scholar
24.
Li, Q., Cao, G.: Efficient privacy-preserving stream aggregation in mobile sensing with low aggregation error. In: De Cristofaro, E., Wright, M. (eds.) PETS 2013. LNCS, vol. 7981, pp. 60–81. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39077-7_4CrossRefGoogle Scholar
25.
Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16CrossRefGoogle Scholar
26.
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, May 2005Google Scholar
27.
Sahai, A., Seyalioglu, H.: Worry-free encryption: functional encryption with public keys. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V. (eds.) ACM CCS 2010, pp. 463–472. ACM Press, October 2010Google Scholar
28.
Sahai, A., Waters, B.R.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27CrossRefGoogle Scholar
29.
Shi, E., Chan, T.H.H., Rieffel, E.G., Chow, R., Song, D.: Privacy-preserving aggregation of time-series data. In: NDSS 2011. The Internet Society, February 2011Google Scholar
30.
Waters, B.: A punctured programming approach to adaptively secure functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, part II. LNCS, vol. 9216, pp. 678–697. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_33CrossRefGoogle Scholar
31.
Wee, H.: Dual system encryption via predicate encodings. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 616–637. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_26CrossRefGoogle Scholar

Copyright information

Authors and Affiliations

Jérémy Chotard
- 1
- 2
- 3
Edouard Dufour Sans
- 2
- 3
Romain Gay
- 2
- 3
Duong Hieu Phan
- 1
David Pointcheval
- 2
- 3
Email author

1.XLIM, University of Limoges, CNRSLimogesFrance
2.DIENS, École normale supérieure, CNRS, PSL UniversityParisFrance
3.InriaParisFrance

Decentralized Multi-Client Functional Encryption for Inner Product

Abstract

Keywords

Notes

Acknowledgments

Supplementary material

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite paper