Simulation-Based Secure Functional Encryption in the Random Oracle Model

  • Vincenzo Iovino
  • Karol Żebroski
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9230)


One of the main lines of research in functional encryption (FE) has consisted in studying the security notions for FE and their achievability. This study was initiated by [Boneh et al. – TCC’11, O’Neill – ePrint’10] where it was first shown that for FE the indistinguishability-based (IND) security notion is not sufficient in the sense that there are FE schemes that are provably IND-Secure but concretely insecure. For this reason, researchers investigated the achievability of Simulation-based (SIM) security, a stronger notion of security. Unfortunately, the above-mentioned works and others [e.g., Agrawal et al. – CRYPTO’13] have shown strong impossibility results for SIM-Security. One way to overcome these impossibility results was first suggested in the work of Boneh et al. where it was shown how to construct, in the Random Oracle (RO) model, SIM-Secure FE for restricted functionalities and was asked the generalization to more complex functionalities as a challenging problem in the area. Subsequently, [De Caro et al. – CRYPTO’13] proposed a candidate construction of SIM-Secure FE for all circuits in the RO model assuming the existence of an IND-Secure FE scheme for circuits with RO gates. To our knowledge there are no proposed candidate IND-Secure FE schemes for circuits with RO gates and they seem unlikely to exist. We propose the first constructions of SIM-Secure FE schemes in the RO model that overcome the current impossibility results in different settings. We can do that because we resort to the two following models:
  • In the public-key setting we assume a bound on the number of queries but this bound only affects the running-times of our encryption and decryption procedures. We stress that our FE schemes in this model are SIM-Secure and have ciphertexts and tokens of constant-size, whereas in the standard model, the current SIM-Secure FE schemes for general functionalities [De Caro et al., Gorbunov et al. – CRYPTO’12] have ciphertexts and tokens of size growing as the number of queries.

  • In the symmetric-key setting we assume a timestamp on both ciphertexts and tokens. In this model, we provide FE schemes with short ciphertexts and tokens that are SIM-Secure against adversaries asking an unbounded number of queries.

Both results also assume the RO model, but not functionalities with RO gates and rely on extractability obfuscation [Boyle et al. – TCC’14] (and other standard primitives) secure only in the standard model.


Functional encryption Random oracle model Simulation-based security Obfuscation 



We thank Abhishek Jain, Adam O’Neill, Anna Sorrentino and the anonymous reviewers for useful comments. Part of this work was done while Vincenzo Iovino was at the University of Warsaw. This work was supported by the WELCOME/2010-4/2 grant founded within the framework of the EU Innovative Economy Operational Programme and by the National Research Fund of Luxembourg.


  1. 1.
    Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011) Google Scholar
  2. 2.
    O’Neill, A.: Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010).
  3. 3.
    Bellare, M., O’Neill, A.: Semantically-secure functional encryption: possibility results, impossibility results and the quest for a general definition. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 218–234. Springer, Heidelberg (2013) Google Scholar
  4. 4.
    Agrawal, S., Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption: new perspectives and lower bounds. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 500–518. Springer, Heidelberg (2013) Google Scholar
  5. 5.
    De Caro, A., Iovino, V.: On the power of rewinding simulators in functional encryption. IACR Cryptology ePrint Archive, 2013:752 (2013)Google Scholar
  6. 6.
    Agrawal, S., Agrawal, S., Badrinarayanan, S., Kumarasubramanian, A., Prabhakaran, M., Sahai, A.: Function private functional encryption and property preserving encryption : new definitions and positive results. Cryptology ePrint Archive, Report 2013/744 (2013).
  7. 7.
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 93: 1st Conference on Computer and Communications Security, Fairfax, Virginia, USA, pp. 62–73. ACM Press, 3–5 November 1993Google Scholar
  8. 8.
    De Caro, A., Iovino, V., Jain, A., O’Neill, A., Paneth, O., Persiano, G.: On the achievability of simulation-based security for functional encryption. In: Canetti and Garay [22], pp. 519–535Google Scholar
  9. 9.
    Apon, D., Gordon, D., Katz, J., Liu, F.-H., Zhou, H.-S., Shi, E.: Personal Communication, July 2013Google Scholar
  10. 10.
    Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012) Google Scholar
  11. 11.
    Goldwasser, S., Gordon, S.D., Goyal, V., Jain, A., Katz, J., Liu, F.-H., Sahai, A., Shi, E., Zhou, H.-S.: Multi-input functional encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 578–602. Springer, Heidelberg (2014) Google Scholar
  12. 12.
    Dov Gordon, S., Katz, J., Liu, F.-H., Shi, E., Zhou, H.-S.: Multi-input functional encryption. IACR Cryptology ePrint Archive, 2013:774 (2013)Google Scholar
  13. 13.
    Goldwasser, S., Goyal, V., Jain, A., Sahai, A.: Multi-input functional encryption. Cryptology ePrint Archive, Report 2013/727 (2013).
  14. 14.
    Boyle, E., Chung, K.-M., Pass, R.: On extractability obfuscation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 52–73. Springer, Heidelberg (2014) Google Scholar
  15. 15.
    Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited (preliminary version). In: 30th ACM STOCAnnual ACM Symposium on Theory of Computing, Dallas, Texas, USA, pp. 209–218. ACM Press, 23–26 May 1998Google Scholar
  16. 16.
    Iovino, V., Żebrowksi, K.: Simulation-based secure functional encryption in the random oracle model. Cryptology ePrint Archive, Report 2014/810 (2014).
  17. 17.
    Garg, S., Gentry, C., Halevi, S., Wichs, D.: On the implausibility of differing-inputs obfuscation and extractable witness encryption with auxiliary input. Cryptology ePrint Archive, Report 2013/860 (2013).
  18. 18.
    Boyle, E., Pass, R.: Limits of extractability assumptions with distributional auxiliary input. Cryptology ePrint Archive, Report 2013/703 (2013).
  19. 19.
    Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In: 31st Annual Symposium on Foundations of Computer Science, St. Louis, Missouri, USA, vol. I, pp, 308–317. IEEE Computer Society, 22–24 October 1990Google Scholar
  20. 20.
    Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. IACR Cryptology ePrint Archive, 2013:401 (2013)Google Scholar
  21. 21.
    Canetti, R., Garay, J.A. (eds.): CRYPTO 2013, Part II. LNCS, vol. 8043. Springer, Heidelberg (2013) Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.University of LuxembourgLuxembourgLuxembourg
  2. 2.University of WarsawWarsawPoland

Personalised recommendations