Practical Fully Secure Unrestricted Inner Product Functional Encryption Modulo p

  • Guilhem Castagnos
  • Fabien Laguillaumie
  • Ida Tucker
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11273)


Functional encryption (FE) is a modern public-key cryptographic primitive allowing an encryptor to finely control the information revealed to recipients from a given ciphertext. Abdalla, Bourse, De Caro, and Pointcheval (PKC 2015) were the first to consider FE restricted to the class of linear functions, i.e. inner products. Though their schemes are only secure in the selective model, Agrawal, Libert, and Stehlé (CRYPTO 16) soon provided adaptively secure schemes for the same functionality. These constructions, which rely on standard assumptions such as the Decision Diffie-Hellman (\(\mathsf {DDH}\)), the Learning-with-Errors (\(\mathsf {LWE}\)), and Paillier’s Decision Composite Residuosity (DCR) problems, do however suffer from various practical drawbacks. Namely, the DCR based scheme only computes inner products modulo an RSA integer which is oversized for many practical applications, while the computation of inner products modulo a prime p either requires, for their \(\mathsf {DDH}\) based scheme, that the inner product be contained in a sufficiently small interval for decryption to be efficient, or, as in the \(\mathsf {LWE}\) based scheme, suffers from poor efficiency due to impractical parameters.

In this paper, we provide adaptively secure FE schemes for the inner product functionality which are both efficient and allow for the evaluation of unbounded inner products modulo a prime p. Our constructions rely on new natural cryptographic assumptions in a cyclic group containing a subgroup where the discrete logarithm (\(\mathsf {DL}\)) problem is easy, which extend Castagnos and Laguillaumie’s assumption (RSA 2015) of a \(\mathsf {DDH}\) group with an easy \(\mathsf {DL}\) subgroup. Instantiating our generic constructions using class groups of imaginary quadratic fields gives rise to the most efficient FE for inner products modulo an arbitrary large prime p. One of our schemes outperforms the DCR variant of Agrawal et al.’s protocols in terms of size of keys and ciphertexts by factors varying between 2 and 20 for 112-bit security.


Keywords: Inner product functional encryption · Adaptive security · Diffie-Hellman assumptions



The authors would like to thank both Benoît Libert and Damien Stehlé for fruitful discussions. This work was supported by the French ANR ALAMBIC project (ANR-16-CE39-0006), and by ERC Starting Grant ERC-2013-StG-335086-LATTAC.


References

  1. [ABCP16] Abdalla, M., Bourse, F., Caro, A.D., Pointcheval, D.: Better security for functional encryption for inner product evaluations. Cryptology ePrint Archive, Report 2016/011 (2016)
  2. [ABDP15] Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 733–751. Springer, Heidelberg (2015)
  3. [ABP+17] Agrawal, S., Bhattacherjee, S., Phan, D.H., Stehlé, D., Yamada, S.: Efficient public trace and revoke from standard assumptions: extended abstract. In: ACM CCS 17, pp. 2277–2293. ACM Press (2017)
  4. [ABSV15] Ananth, P., Brakerski, Z., Segev, G., Vaikuntanathan, V.: From selective to adaptive security in functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 657–677. Springer, Heidelberg (2015)
  5. [Adl94] Adleman, L.M.: The function field sieve. In: Adleman, L.M., Huang, M.-D. (eds.) ANTS 1994. LNCS, vol. 877, pp. 108–121. Springer, Heidelberg (1994)
  6. [AGVW13] Agrawal, S., Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption: new perspectives and lower bounds. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 500–518. Springer, Heidelberg (2013)
  7. [ALS16] Agrawal, S., Libert, B., Stehlé, D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part III. LNCS, vol. 9816, pp. 333–362. Springer, Heidelberg (2016)
  8. [BBL17] Benhamouda, F., Bourse, F., Lipmaa, H.: CCA-secure inner-product functional encryption from projective hash functions. In: Fehr, S. (ed.) PKC 2017, Part II. LNCS, vol. 10175, pp. 36–66. Springer, Heidelberg (2017)
  9. [BCP03] Bresson, E., Catalano, D., Pointcheval, D.: A simple public-key cryptosystem with a double trapdoor decryption mechanism and its applications. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 37–54. Springer, Heidelberg (2003)
  10. [BGJS16] Badrinarayanan, S., Goyal, V., Jain, A., Sahai, A.: Verifiable functional encryption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part II. LNCS, vol. 10032, pp. 557–587. Springer, Heidelberg (2016)
  11. [BJS10] Biasse, J.-F., Jacobson, M.J., Silvester, A.K.: Security estimates for quadratic field based cryptosystems. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 233–247. Springer, Heidelberg (2010)
  12. [BO13] Bellare, M., O’Neill, A.: Semantically-secure functional encryption: possibility results, impossibility results and the quest for a general definition. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 218–234. Springer, Cham (2013)
  13. [Bou17] Bourse, F.: Functional encryption for inner-product evaluations. Ph.D. thesis, PSL Research University, France (2017)
  14. [BSW11] Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011)
  15. [CIL17] Castagnos, G., Imbert, L., Laguillaumie, F.: Encryption switching protocols revisited: switching modulo p. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 255–287. Springer, Cham (2017)
  16. [CL09] Castagnos, G., Laguillaumie, F.: On the security of cryptosystems with quadratic decryption: the nicest cryptanalysis. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 260–277. Springer, Heidelberg (2009)
  17. [CL15] Castagnos, G., Laguillaumie, F.: Linearly homomorphic encryption from \(\sf DDH\). In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 487–505. Springer, Cham (2015)
  18. [CLT18] Castagnos, G., Laguillaumie, F., Tucker, I.: Practical fully secure unrestricted inner product functional encryption modulo \(p\). Cryptology ePrint Archive, Report 2018/791 (2018)
  19. [Coh00] Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Heidelberg (2000)
  20. [CS98] Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)
  21. [CS02] Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002)
  22. [CS03] Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003)
  23. [DIJ+13] De Caro, A., Iovino, V., Jain, A., O’Neill, A., Paneth, O., Persiano, G.: On the achievability of simulation-based security for functional encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 519–535. Springer, Heidelberg (2013)
  24. [GGHZ16] Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Functional encryption without obfuscation. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016, Part II. LNCS, vol. 9563, pp. 480–511. Springer, Heidelberg (2016)
  25. [Gjø05] Gjøsteen, K.: Symmetric subgroup membership problems. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 104–119. Springer, Heidelberg (2005)
  26. [GKP+13a] Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: How to run Turing machines on encrypted data. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 536–553. Springer, Heidelberg (2013)
  27. [GKP+13b] Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: 45th ACM STOC, pp. 555–564. ACM Press (2013)
  28. [GPV08] Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: 40th ACM STOC, pp. 197–206. ACM Press (2008)
  29. [GVW12] Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012)
  30. [HO12] Hemenway, B., Ostrovsky, R.: Extended-DDH and lossy trapdoor functions. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 627–643. Springer, Heidelberg (2012)
  31. [Jac00] Jacobson Jr., M.J.: Computing discrete logarithms in quadratic orders. J. Cryptol. 13(4), 473–492 (2000)
  32. [KSW08] Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008)
  33. [Luc02] Lucks, S.: A variant of the Cramer-Shoup cryptosystem for groups of unknown order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 27–45. Springer, Heidelberg (2002)
  34. [Mar03] Martinet, J.: Perfect Lattices in Euclidean Spaces. Grundlehren der mathematischen Wissenschaften, vol. 327, 1st edn. Springer, Heidelberg (2003)
  35. [McC89] McCurley, K.S.: Cryptographic key distribution and computation in class groups. In: Number Theory and Applications (Proc. NATO Advanced Study Inst. on Number Theory and Applications, Banff, 1988). Kluwer (1989)
  36. [MR04] Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In: 45th FOCS, pp. 372–381. IEEE Computer Society Press (2004)
  37. [MR07] Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
  38. [Ngu91] Nguyen, P.Q.: La Géométrie des Nombres en Cryptologie. Ph.D. thesis, École Normale Supérieure (1991)
  39. [O’N10] O’Neill, A.: Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010)
  40. [Pai99] Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)
  41. [Sha84] Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)
  42. [SS10] Sahai, A., Seyalioglu, H.: Worry-free encryption: functional encryption with public keys. In: ACM CCS 10, pp. 463–472. ACM Press (2010)
  43. [SW05] Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005)
  44. [Wat15] Waters, B.: A punctured programming approach to adaptively secure functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 678–697. Springer, Heidelberg (2015)

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Guilhem Castagnos (1)
  • Fabien Laguillaumie (2)
  • Ida Tucker (2)
  1. Université de Bordeaux, Inria, CNRS, IMB UMR 5251, Talence, France
  2. Univ Lyon, CNRS, Université Claude Bernard Lyon 1, ENS de Lyon, Inria, LIP UMR 5668, Lyon Cedex 07, France
