Skip to main content

Blind Functional Encryption

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12282)


Functional encryption (FE) gives the power to retain control of sensitive information and is particularly suitable in several practical real-world use cases. Using this primitive, anyone having a specific functional decryption key (derived from some master secret key) could only obtain the evaluation of an authorized function f over a message m, given its encryption. For many scenarios, the data owner is always different from the functionality owner, such that a classical implementation of functional encryption naturally implies an interactive key generation protocol between an entity owning the function f and another one managing the master secret key. We focus on this particular phase and consider the case where the function needs to be secret.

In this paper, we introduce the new notion of blind functional encryption in which, during an interactive key generation protocol, the master secret key owner does not learn anything about the function f. Our new notion can be seen as a generalisation of the existing concepts of blind IBE/ABE. After a deep study of this new property and its relation with other security notions, we show how to obtain a generic blind FE from any non-blind FE, using homomorphic encryption and zero-knowledge proofs of knowledge. We finally illustrate such construction by giving an efficient instantiation in the case of the inner product functionality.

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-61078-4_11
  • Chapter length: 19 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-61078-4
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.


  1. 1.

    There are two parties in our model where the master secret key owner is the only party to provide functional keys. In [27], it is only possible to produce functional keys that depends on the ciphertext and is only used once, while we consider multiple users, functional keys and ciphertexts.


  1. Abadi, M., Feigenbaum, J.: Secure circuit evaluation. J. Cryptol. 2(1), 1–12 (1990).

    CrossRef  MATH  Google Scholar 

  2. Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 733–751. Springer, Heidelberg (2015).

    CrossRef  Google Scholar 

  3. Abe, M., Ohkubo, M.: A framework for universally composable non-committing blind signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 435–450. Springer, Heidelberg (2009).

    CrossRef  Google Scholar 

  4. Agrawal, S., Agrawal, S., Badrinarayanan, S., Kumarasubramanian, A., Prabhakaran, M., Sahai, A.: On the practical security of inner product functional encryption. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 777–798. Springer, Heidelberg (2015).

    CrossRef  Google Scholar 

  5. Agrawal, S., Libert, B., Stehlé, D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 333–362. Springer, Heidelberg (2016).

    CrossRef  Google Scholar 

  6. Barak, B., Haitner, I., Hofheinz, D., Ishai, Y.: Bounded key-dependent message security. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 423–444. Springer, Heidelberg (2010).

    CrossRef  Google Scholar 

  7. Boneh, D., Raghunathan, A., Segev, G.: Function-private identity-based encryption: hiding the function in functional encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 461–478. Springer, Heidelberg (2013).

    CrossRef  MATH  Google Scholar 

  8. Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011).

    CrossRef  Google Scholar 

  9. Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000).

    CrossRef  MATH  Google Scholar 

  10. Brakerski, Z., Segev, G.: Function-private functional encryption in the private-key setting. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 306–324. Springer, Heidelberg (2015).

    CrossRef  Google Scholar 

  11. Camenisch, J., Kohlweiss, M., Rial, A., Sheedy, C.: Blind and anonymous identity-based encryption and authorised private searches on public key encrypted data. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 196–214. Springer, Heidelberg (2009).

    CrossRef  MATH  Google Scholar 

  12. Camenisch, J., Michels, M.: Proving in zero-knowledge that a number is the product of two safe primes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 107–122. Springer, Heidelberg (1999).

    CrossRef  MATH  Google Scholar 

  13. Canard, S., Diop, A., Kheir, N., Paindavoine, M., Sabt, M.: BlindIDS: market-compliant and privacy-friendly intrusion detection system over encrypted traffic. In: Karri, R., Sinanoglu, O., Sadeghi, A., Yi, X. (eds.) Proceedings of the 2017 ACM AsiaCCS 2017. ACM (2017)

    Google Scholar 

  14. Castagnos, G., Catalano, D., Laguillaumie, F., Savasta, F., Tucker, I.: Two-party ECDSA from hash proof systems and efficient instantiations. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 191–221. Springer, Cham (2019).

    CrossRef  Google Scholar 

  15. Castagnos, G., Catalano, D., Laguillaumie, F., Savasta, F., Tucker, I.: Bandwidth-efficient threshold EC-DSA. In: PKC 2020 (2020, to appear)

    Google Scholar 

  16. Castagnos, G., Laguillaumie, F.: Linearly Homomorphic Encryption from \({\sf DDH}\). In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 487–505. Springer, Cham (2015).

    CrossRef  Google Scholar 

  17. Castagnos, G., Laguillaumie, F., Tucker, I.: Practical fully secure unrestricted inner product functional encryption modulo p. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 733–764. Springer, Cham (2018).

    CrossRef  Google Scholar 

  18. Cuvelier, É., Pereira, O., Peters, T.: Election verifiability or ballot privacy: do we need to choose? In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 481–498. Springer, Heidelberg (2013).

    CrossRef  Google Scholar 

  19. Emura, K., Katsumata, S., Watanabe, Y.: Identity-based encryption with security against the KGC: a formal model and its instantiation from lattices. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 113–133. Springer, Cham (2019).

    CrossRef  Google Scholar 

  20. Gentry, C.: Fully homomorphic encryption using ideal lattices. STOC 9, 169–178 (2009)

    CrossRef  MathSciNet  Google Scholar 

  21. Girault, M., Poupard, G., Stern, J.: On the fly authentication and signature schemes based on groups of unknown order. J. Cryptology 19(4), 463–487 (2006)

    CrossRef  MathSciNet  Google Scholar 

  22. Goethals, B., Laur, S., Lipmaa, H., Mielikäinen, T.: On private scalar product computation for privacy-preserving data mining. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 104–120. Springer, Heidelberg (2005).

    CrossRef  Google Scholar 

  23. Goyal, V.: Reducing trust in the PKG in identity based cryptosystems. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 430–447. Springer, Heidelberg (2007).

    CrossRef  Google Scholar 

  24. Green, M., Hohenberger, S.: Blind identity-based encryption and simulatable oblivious transfer. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 265–282. Springer, Heidelberg (2007).

    CrossRef  Google Scholar 

  25. Han, J., Susilo, W., Mu, Y., Zhou, J., Au, M.H.: PPDCP-ABE: privacy-preserving decentralized ciphertext-policy attribute-based encryption. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8713, pp. 73–90. Springer, Cham (2014).

    CrossRef  Google Scholar 

  26. Juels, A., Luby, M., Ostrovsky, R.: Security of blind digital signatures. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 150–164. Springer, Heidelberg (1997).

    CrossRef  Google Scholar 

  27. Naveed, M., et al.: Controlled functional encryption. In: Ahn, G., Yung, M., Li, N. (eds.) Proceedings of the 2014 ACM SIGSAC, pp. 1280–1291. ACM (2014)

    Google Scholar 

  28. Rial, A.: Blind attribute-based encryption and oblivious transfer with fine-grained access control. Designs Codes Cryptogr. 81(2), 179–223 (2015).

    CrossRef  MathSciNet  MATH  Google Scholar 

Download references


The authors would like to thank Damien Stehlé for his suggestions during the redaction of this paper. All three authors were supported by the European Union H2020 Research and Innovation Program Grant 780701 (PROMETHEUS). The two first authors were also supported by the European Union H2020 Research and Innovation Program Grant 786767 (PAPAYA).

Author information

Authors and Affiliations


Corresponding author

Correspondence to Adel Hamdi .

Editor information

Editors and Affiliations


A Message-Privacy for IFE

Oracles. In traditional FE, the adversary has access to a \(\mathsf {KeyGen}(\mathsf {msk},\cdot )\) oracle which extracts a functional key when the adversary requests it for a chosen input function f. We here adapt the definition of message-privacy to our interactive setting. The main difference relies in the fact that some information could leak during the interactive key generation. We introduce an interactive oracle \(\mathsf {IKeyGen}(\mathcal {O}(\mathsf {msk}),\cdot )\): when calling this oracle, the adversary, on input \(f \in F\), participates in an interactive protocol with the oracle playing the role of an honest authority. The adversary finally gets the output functional key \(sk_f\). For any bit \(b\in \{0,1\}\), we define \(\mathsf {Enc}_b(\mathsf {mpk},\cdot ,\cdot )\) to be an oracle which takes as inputs \(x_0\) and \(x_1\) and returns \(\mathsf {Enc}(\mathsf {mpk},x_b)\). The next definition extends known definitions  [8] to the interactive setting and could be well adapted for private-key \(\mathsf {FE}\).

Definition 8

(Message-privacy). Let \(\mathsf {IFE} = (\mathsf {Setup},\mathsf {IKeyGen},\mathsf {Enc},\mathsf {Dec})\) over a message space M and a function space F. We say that \(\mathsf {IFE}\) is message-private (MP) if for any PPT adversary \(\mathcal {A}\), there exists a negligible function \(\mathsf{negl}(\lambda )\) such that the quantity, called the advantage of \(\mathcal {A}\), \(\mathsf {Adv}_{\mathcal {A},\texttt {MP-IFE}}(1^\lambda ):= \left| \mathsf {Pr}\left[ \mathsf {Exp}_{\mathcal {A}}^{(0),\mathsf {mp}}(\lambda )= 1 \right] - \mathsf {Pr}\left[ \mathsf {Exp}_{\mathcal {A}}^{(1),\mathsf {mp}}(\lambda )= 1 \right] \right| \le \mathsf{negl}(\lambda )\), where \(\mathsf {Exp}_{\mathcal {A}}^{(b),\mathsf {mp}}(\lambda )\) is

1. \( (\mathsf {mpk},\mathsf {msk}) \leftarrow \mathsf {Setup}(1^\lambda )\)

   2. \( b' \leftarrow \mathcal {A}^{\mathsf {IKeyGen}(\mathcal {O}(\mathsf {msk}),\cdot ), \mathsf {Enc}_b (\mathsf {mpk},\cdot ,\cdot )}(1^\lambda ,\mathsf {mpk})\)

3. output \(b' =b \)


We required that for all \(f \in F\) and \((m_0,m_1)\) coming from \(\mathcal {A}\)’s calls to the oracles \(\mathsf {KeyGen}\) and \(\mathsf {Enc}_b\) respectively, it holds that \(f(m_0) = f(m_1)\).

B Leak-Freeness

We provide a generalization of the Leak-Freeness property of [24].

Definition 9

(Leak-Freeness). An \(\mathsf {IKeyGen}\) protocol corresponding to \(\mathsf {KeyGen}\) algorithm of any FE scheme is leak-free w.r.t. \(\mathsf {KeyGen}\) if, for all efficient adversaries \(\mathcal {A}\), there exists an efficient simulator \(\mathcal {S}\) such that for all value \(\lambda \), no distinguisher \(\mathcal {D}\) can determine whether it is playing \(\mathsf {GameReal}\) or \(\mathsf {Game Ideal}\) where

  • \(\mathsf {GameReal}\): Run \(\mathsf {Setup}(1^{\lambda })\). As many times as \(\mathcal {D}\) wants, \(\mathcal {A}\) chooses a function f and executes the \(\mathsf {IKeyGen}(\mathcal {AUT},\cdot )\) protocol input f with an honest authority \(\mathcal {AUT}\). \(\mathcal {A}\) returns the resulting view to \(\mathcal {D}\) which returns a bit.

  • \(\mathsf {Game Ideal}\): Run \(\mathsf {Setup}(1^{\lambda })\). As many times as \(\mathcal {D}\) wants, \(\mathcal {S}\) chooses a function f and asks \(\mathsf {Trivial}.\mathsf {IKeyGen}(\mathsf {msk},\cdot )\) to obtain a functional key \(sk_f\) on input f. \(\mathcal {S}\) returns then the resulting view to \(\mathcal {D}\) which returns a bit.

The quantity \(\mathsf {Adv}_{\mathcal {D},\mathsf {leak-free}}(1^\lambda ) := |\mathsf {Pr}[\mathcal {D}^\mathsf {GameReal} (1^\lambda ) = 1] - \mathsf {Pr}[\mathcal {D}^\mathsf {Game Ideal}(1^\lambda ) = 1]|\) is the advantage of \(\mathcal {D}\) and \(\mathsf {IKeyGen}\) is leak-free w.r.t \(\mathsf {KeyGen}\) if it is negligible.

We discuss in the following some remarks about the definition.

  • A secure two-party protocol realizing the \(\mathsf {KeyGen}\) functionality of a classical \(\mathsf {FE}\) ensures the message-privacy since it preserves each party for learning the other party’s input. The main difference in our consideration is that we require the use of a known \(\mathsf {FE}\) scheme with some specific \(\mathsf {KeyGen}\) algorithm in addition to the existence of a simulator (which interacts with a specific oracle \(\mathsf {Trivial.IKeyGen}\)). This simulator is then asked to produce a consistent view to any distinguisher. As mentioned in previous sections, a two-party protocol wouldn’t offer the blindness property for free. In Example 2.1, \(\mathsf {Trivial.\mathsf {IKeyGen}}\) is by definition leak-free w.r.t \(\mathsf {KeyGen}\) but not blind.

  • The adversary in \(\mathsf {GameIdeal}\) does not appear in the definition. As pointed in [24], the leak-freeness definition implies that the function (for the key being extracted) is extractable from the \(\mathsf {IKeyGen}\) protocol (with all but negligible probability), since for every adversary it must exist a simulator \(\mathcal {S}\) that should be able to interact with \(\mathcal {A}\), in order to learn which functions to submit to the \(\mathsf {Trivial}.\mathsf {IKeyGen}(\mathsf {msk},\cdot )\) oracle.

  • When considering the validity of \(sk_f\) (in Sect. 2.1), a \(\mathsf {ZKPoK}\) is used in order to verify if a functional key \(sk_f\) is well-formed. This is independent from the definition of the leak-freeness property, since the authority is always honest in this context (simulated by an oracle).

C The Castagnos-Laguillaumie Scheme

CL Encryption Scheme. The \(\mathsf {Setup}\) phase in the CL scheme consists of the description of a DDH group with an easy DL subgroup \((p,\tilde{s},\mathfrak {g},\mathfrak {f},\mathfrak {g}_p,G,F,G^p)\) where the set \((G,\cdot )\) is a cyclic group of order ps, for an unknown integer s, p is a prime number such that \(\gcd (p,s)=1\). The only known information on s is an upper bound \(\tilde{s}\) of s. The set \(G^p=\{\mathfrak {y}^p, \mathfrak {y} \in G\}\) is the subgroup of (unknown) order s of G, and F is the subgroup of order p of G, so that \(G = F \times G^p\). The elements \(\mathfrak {f}\), \(\mathfrak {g}_p\) and \(\mathfrak {g}=\mathfrak {f} \cdot \mathfrak {g}_p\) are respective generators of F, \(G^p\) and G. The discrete logarithm problem is easy in F, which means that there exists deterministic polynomial time algorithm a \(\mathsf{Solve}\) that solves the discrete logarithm problem in F. The message space of CL is \(\mathbb {Z}_p\) and its indistinguishability under chosen plaintext attacks relies on the hard subgroup membership assumption that says that is hard to distinguish the elements of \(G_p\) in G. An instantiation of this group is obtained using the class group of a non maximal order of an imaginary quadratic field (we refer the reader to [16, 17] for a more precise description). Roughly, \(\mathsf {CL}\) scheme consists of a secret key \(\mathsf {sk}\) is an integer \(x \leftarrow \{0, \dots , \tilde{s} p-1\}\) and the public key is \( \mathsf {pk}= \mathfrak {g}_p^{x}\). The encryption procedure returns a ciphertext \(c_m = (c_1,c_2)\) where \(c_{1} \leftarrow \mathfrak {g}_p^{r}\) and \(c_{2} \leftarrow \mathfrak {f}^{m} \mathfrak {h}^{r}\) for a random r. The decryption algorithm computes \(M \leftarrow c_{2} / c_{1}^{x}\) and returns m using the \(\mathsf{Solve}\) algorithm on M.

Rights and permissions

Reprints and Permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Canard, S., Hamdi, A., Laguillaumie, F. (2020). Blind Functional Encryption. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds) Information and Communications Security. ICICS 2020. Lecture Notes in Computer Science(), vol 12282. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-61077-7

  • Online ISBN: 978-3-030-61078-4

  • eBook Packages: Computer ScienceComputer Science (R0)