Practical Fully Secure Unrestricted Inner Product Functional Encryption Modulo p

  • Guilhem Castagnos
  • Fabien Laguillaumie
  • Ida Tucker
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11273)

Abstract

Functional encryption (FE) is a modern public-key cryptographic primitive allowing an encryptor to finely control the information revealed to recipients from a given ciphertext. Abdalla, Bourse, De Caro, and Pointcheval (PKC 2015) were the first to consider FE restricted to the class of linear functions, i.e. inner products. Though their schemes are only secure in the selective model, Agrawal, Libert, and Stehlé (CRYPTO 16) soon provided adaptively secure schemes for the same functionality. These constructions, which rely on standard assumptions such as the Decision Diffie-Hellman (\(\mathsf {DDH}\)), the Learning-with-Errors (\(\mathsf {LWE}\)), and Paillier’s Decision Composite Residuosity (DCR) problems, do however suffer from various practical drawbacks. Namely, the DCR based scheme only computes inner products modulo an RSA integer which is oversized for many practical applications, while the computation of inner products modulo a prime p either requires, for their \(\mathsf {DDH}\) based scheme, that the inner product be contained in a sufficiently small interval for decryption to be efficient, or, as in the \(\mathsf {LWE}\) based scheme, suffers from poor efficiency due to impractical parameters.

In this paper, we provide adaptively secure FE schemes for the inner product functionality which are both efficient and allow for the evaluation of unbounded inner products modulo a prime p. Our constructions rely on new natural cryptographic assumptions in a cyclic group containing a subgroup where the discrete logarithm (\(\mathsf {DL}\)) problem is easy, which extend Castagnos and Laguillaumie’s assumption (RSA 2015) of a \(\mathsf {DDH}\) group with an easy \(\mathsf {DL}\) subgroup. Instantiating our generic constructions using class groups of imaginary quadratic fields gives rise to the most efficient FE for inner products modulo an arbitrarily large prime p. One of our schemes outperforms the DCR variant of Agrawal et al.’s protocols in terms of size of keys and ciphertexts by factors varying between 2 and 20 for a 112-bit security.

Keywords

Inner product functional encryption · Adaptive security · Diffie-Hellman assumptions

Notes

Acknowledgements

The authors would like to thank both Benoît Libert and Damien Stehlé for fruitful discussions. This work was supported by the French ANR ALAMBIC project (ANR-16-CE39-0006), and by ERC Starting Grant ERC-2013-StG-335086-LATTAC.

References

  1. [ABCP16] Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Better security for functional encryption for inner product evaluations. Cryptology ePrint Archive, Report 2016/011 (2016). http://eprint.iacr.org/2016/011
  2. [ABDP15] Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 733–751. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_33
  3. [ABP+17] Agrawal, S., Bhattacherjee, S., Phan, D.H., Stehlé, D., Yamada, S.: Efficient public trace and revoke from standard assumptions: extended abstract. In: ACM CCS 17, pp. 2277–2293. ACM Press (2017)
  4. [ABSV15] Ananth, P., Brakerski, Z., Segev, G., Vaikuntanathan, V.: From selective to adaptive security in functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 657–677. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_32
  5. [Adl94] Adleman, L.M.: The function field sieve. In: Adleman, L.M., Huang, M.-D. (eds.) ANTS 1994. LNCS, vol. 877, pp. 108–121. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-58691-1_48
  6. [AGVW13] Agrawal, S., Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption: new perspectives and lower bounds. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 500–518. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_28
  7. [ALS16] Agrawal, S., Libert, B., Stehlé, D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part III. LNCS, vol. 9816, pp. 333–362. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_12
  8. [BBL17] Benhamouda, F., Bourse, F., Lipmaa, H.: CCA-secure inner-product functional encryption from projective hash functions. In: Fehr, S. (ed.) PKC 2017, Part II. LNCS, vol. 10175, pp. 36–66. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54388-7_2
  9. [BCP03] Bresson, E., Catalano, D., Pointcheval, D.: A simple public-key cryptosystem with a double trapdoor decryption mechanism and its applications. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 37–54. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_3
  10. [BGJS16] Badrinarayanan, S., Goyal, V., Jain, A., Sahai, A.: Verifiable functional encryption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part II. LNCS, vol. 10032, pp. 557–587. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_19
  11. [BJS10] Biasse, J.-F., Jacobson, M.J., Silvester, A.K.: Security estimates for quadratic field based cryptosystems. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 233–247. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14081-5_15
  12. [BO13] Bellare, M., O’Neill, A.: Semantically-secure functional encryption: possibility results, impossibility results and the quest for a general definition. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 218–234. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-02937-5_12
  13. [Bou17] Bourse, F.: Functional encryption for inner-product evaluations. Ph.D. thesis, PSL Research University, France (2017)
  14. [BSW11] Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_16
  15. [CIL17] Castagnos, G., Imbert, L., Laguillaumie, F.: Encryption switching protocols revisited: switching modulo p. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 255–287. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_9
  16. [CL09] Castagnos, G., Laguillaumie, F.: On the security of cryptosystems with quadratic decryption: the nicest cryptanalysis. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 260–277. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_15
  17. [CL15] Castagnos, G., Laguillaumie, F.: Linearly homomorphic encryption from \(\mathsf {DDH}\). In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 487–505. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_26
  18. [CLT18] Castagnos, G., Laguillaumie, F., Tucker, I.: Practical fully secure unrestricted inner product functional encryption modulo \(p\). Cryptology ePrint Archive, Report 2018/791 (2018). https://eprint.iacr.org/2018/791
  19. [Coh00] Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Heidelberg (2000)
  20. [CS98] Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055717
  21. [CS02] Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_4
  22. [CS03] Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_8
  23. [DIJ+13] De Caro, A., Iovino, V., Jain, A., O’Neill, A., Paneth, O., Persiano, G.: On the achievability of simulation-based security for functional encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 519–535. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_29
  24. [GGHZ16] Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Functional encryption without obfuscation. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016, Part II. LNCS, vol. 9563, pp. 480–511. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_18
  25. [Gjø05] Gjøsteen, K.: Symmetric subgroup membership problems. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 104–119. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_8
  26. [GKP+13a] Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: How to run Turing machines on encrypted data. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 536–553. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_30
  27. [GKP+13b] Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: 45th ACM STOC, pp. 555–564. ACM Press (2013)
  28. [GPV08] Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: 40th ACM STOC, pp. 197–206. ACM Press (2008)
  29. [GVW12] Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_11
  30. [HO12] Hemenway, B., Ostrovsky, R.: Extended-DDH and lossy trapdoor functions. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 627–643. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_37
  31. [Jac00] Jacobson Jr., M.J.: Computing discrete logarithms in quadratic orders. J. Cryptol. 13(4), 473–492 (2000)
  32. [KSW08] Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_9
  33. [Luc02] Lucks, S.: A variant of the Cramer-Shoup cryptosystem for groups of unknown order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 27–45. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_2
  34. [Mar03] Martinet, J.: Perfect Lattices in Euclidean Spaces. Grundlehren der mathematischen Wissenschaften, vol. 327, 1st edn. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-662-05167-2
  35. [McC89] McCurley, K.S.: Cryptographic key distribution and computation in class groups. In: Number Theory and Applications (Proc. NATO Advanced Study Inst. on Number Theory and Applications, Banff, 1988). Kluwer (1989)
  36. [MR04] Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In: 45th FOCS, pp. 372–381. IEEE Computer Society Press (2004)
  37. [MR07] Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
  38. [Ngu91] Nguyen, P.Q.: La Géométrie des Nombres en Cryptologie. Ph.D. thesis, École Normale Supérieure (1991)
  39. [O’N10] O’Neill, A.: Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010). http://eprint.iacr.org/2010/556
  40. [Pai99] Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16
  41. [Sha84] Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_5
  42. [SS10] Sahai, A., Seyalioglu, H.: Worry-free encryption: functional encryption with public keys. In: ACM CCS 10, pp. 463–472. ACM Press (2010)
  43. [SW05] Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
  44. [Wat15] Waters, B.: A punctured programming approach to adaptively secure functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 678–697. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_33

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Guilhem Castagnos (1), corresponding author
  • Fabien Laguillaumie (2)
  • Ida Tucker (2)
  1. Université de Bordeaux, Inria, CNRS, IMB UMR 5251, Talence, France
  2. Univ Lyon, CNRS, Université Claude Bernard Lyon 1, ENS de Lyon, Inria, LIP UMR 5668, Lyon Cedex 07, France