Multiinput Functional Encryption and Its Application in Outsourcing Computation
 1.2k Downloads
Abstract
We study functional encryption and its application in outsourcing computation. Functional encryption is a new primitive first defined by Boneh, Sahai and Waters: given an encryption of a message x and a decryption key \(sk_f\) for a function f, anyone can obtain f(x) but cannot learn anything else about x. In multiinput functional encryption, the secret key \(sk_f\) corresponds to an nary function f and takes multiple ciphertexts as its input. Prior works on multiinput functional encryption are based on indistinguishability obfuscation which is either rely on a polynomial set of assumptions or an exponential number of assumptions. In this paper, we construct a multiinput functional encryption scheme without obfuscation. And we show its application in outsourcing computation and construct a multiclient outsourcing computation scheme that is publicly verifiable.
Keywords
Functional encryption Outsourcing computation Multiinput Multiclient Privacy Public verification1 Introduction
Traditional public key encryption has been used to secure the communication channel between two parties, the sender and receiver. It has two features: (1) The ciphertexts are sent through the channel, and the party who has the secret key can recover the plain message. (2) The secret key holder can decrypt and know the entire plaintext, but those who do not have the secret key can learn nothing at all (“black and white” property) [4]. Traditional public key encryption scheme can help a user to share its data over an insecure network. However, with the development of the internet and cloud services, this “black and white” notion encryption is inefficient for many applications. For example, an outside server which acts as a spam filter should be able to determine if an encrypted email is spam or not without learning anything else about the email’s content; the encrypted data which is stored in the cloud may be used in different ways by different users. To solve these problems, functional encryption is studied in recent years. The notion of functional encryption was first defined by Boneh et al. [4]. In functional encryption, the owner of the master secret key can generate the secret key \(sk_f\) for any function f in a family F. Given the ciphertext CT of message x, the user who holds the secret key \(sk_f\) can do the decryption to obtain f(x) but does not know anything else about x.
It is natural to extend the notion of functional encryption to multiinput functional encryption which is a very general tool for computing on encrypted data. Let f be a nary function (\(n\ge 1\)). In multiinput functional encryption, given n ciphertexts CT\(_1\), CT\(_2,\cdots ,\) CT\(_n\) of underlying messages \(x_1, x_2,\cdots , x_n\) and a secret key \(sk_f\) corresponding to function f, the user can obtain \(f(x_1, x_2,\cdots , x_n)\) but can not learn anything else about the messages \(x_1, x_2,\cdots , x_n\). Multiinput functional encryption has many applications, for example it can be used in multiclient outsourcing computation, computing over encrypted data stream, running on SQL queries on encrypted database and so on [11].
Functional encryption is a suitable tool in designing outsourcing computation scheme [13]. With the development of cloud computing, there are many cloud service providers offer attractive services, client would like to outsource its computation task to service provider and pay the service charge. Multiclient outsourcing computation can be described as following [6]: n computational weak clients each has its input \(x_i\) wish to outsource the computation of \(f(x_1,\cdots ,x_n)\) to an untrusted server. A secure outsourcing scheme should make sure that the clients’ inputs are keeping private from the server and the clients can verify the correctness of the computation result returned from the server. In this paper, we mainly study multiinput functional encryption and show its application in multiclient outsourcing computation.
1.1 Related Work
The notion of functional encryption was first formalized by Boneh et al. [4]. Early works are known only for restricted functions such as inner product function or a variant of it [1, 5, 15, 21]. These works do not show how to extend the scheme beyond inner products. Sahai and Seyalioglu [20] first proposed a single key query functional encryption for general functions, and [14] extended it and designed a q key bounded functional encryption scheme, which allows the adversary to make q secret key queries for functions. Because of the nonsuccinctness of the ciphertext size in [14, 20]’s work. [13] designed a single key query functional encryption scheme with succinct ciphertext. In the same year, [7] proposed functional encryption supporting unbounded key queries using indistinguishability obfuscation. And it only satisfies selective security. Using puncturable technique, [8, 23] designed adaptively secure functional encryption for general functions respectively.
Multiinput Functional Encryption. The study on multiinput functional encryption was done by Goldwasser et al. [11]. They gave constructions of multiinput functional encryption based on indistinguishability obfuscation [7] and differinginputs obfuscation [2]. Similar to the idea of [7], in [11]’s work n parties first use the twokey encryption technique [17] to encrypt its inputs. Using the property of indistinguishability obfuscation, they hide the verification, decryption and functioncomputation process in an obfuscation circuit. The obfuscation circuit here is the secret key \(sk_f\) corresponding to f. Thus the user who holds \(sk_f\) can get the computation result \(f(x_1,\cdots ,x_n)\) and learn nothing else about \(x_1,\cdots ,x_n\). Their scheme satisfies selective indistinguishable security and q bounded selective simulation security. While in [11]’s construction, its privacy property relies on a completely honest party. For there must be a party who generates the master secret key (MSK) which contains the secret key of the twokey encryption scheme. If the party who holds the master secret key is dishonest, it can easily get the input of other parties by just decrypting the corresponding ciphertexts. And the indistinguishability obfuscation it based on is still either rely on a polynomial set of assumptions or an exponential number of assumptions, but with an exponential loss in the security reduction [10]. In our work, we aim to design a multiinput functional encryption scheme that avoids using obfuscation and can keep privacy of the parties’ inputs from each other without relying on a completely honest party.
Multiclient Outsourcing Computation. There are limited works in this area. [6] constructed a multiclient outsourcing scheme using proxyOT technique. In its scheme only the client who has the secret key can do the verification and get the computation result. [19, 22] also designed multiclient outsourcing computation schemes by using two noncollude servers, while their scheme do not verify the correctness of the computation result. The verification process is essential in achieving secure and correct outsourcing scheme. In some cases, other parties may also need to verify the correctness of the computation result. This leads to the study of public verification which means that using the public verify key any other party can verify the correctness of the result returned by the untrusted server. In this paper, we consider the scenery that n clients outsource their computation task to one server. We use multiinput functional encryption scheme to construct multiclient outsourcing computation scheme that satisfies public verification. This idea comes from the works about functional encryption [12, 13], however in their outsourcing schemes, the clients need to execute functional encryption scheme twice in order to do the verification.
1.2 Our Contribution

Based on [13]’s work, we design a multiinput functional encryption scheme using multikey fully homomorphic encryption, and our construction does not need to use obfuscation.

Compared with [11]’s work, the privacy property of the parties’ inputs holds and does not rely on a completely honest party.

Using multiinput functional encryption we construct a multiclient outsourcing scheme that satisfies public verification. We use a new verifymethod to achieve public verification and does not need to run the functional encryption scheme twice.
1.3 Technique Outline
In the rest of this paper, we denote FE the functional encryption. Our work is mainly based on the FE construction of [13]. We briefly introduce [13]’s idea and show how to transfer it to a multiinput FE scheme.
In [13]’s work, a message x’s encryption Enc(x) is computed using fully homomorphic encryption (FHE), the decryptor can do homomorphic evaluation on the encrypted data and get Enc(f(x)). While in functional encryption the decryptor finally obtains f(x) but can not learn anything else about x. The decryption process is done by using Yao’s garbled circuit which hides the secret key sk in the circuit and takes input Enc(f(x)). But how to choose the corresponding labels of Enc(f(x)) when begin to compute the garbled circuit? To solve this problem it uses twooutcome attribute based encryption scheme as its tool.
The idea of [13] is ingenious, however it only considered oneinput functional encryption. Based on its work, we design a multiinput functional encryption scheme using multikey fully homomorphic encryption scheme(MFHE) [16]. In our construction, each party holds its key pair \((hpk_i, hsk_i)\) generated from the multikey FHE. In order to decrypt Enc\((f(x_1,\cdots ,x_n))\), the parties first compute the decryption key \(hsk=hsk_1 \cdot hsk_2 \cdots hsk_n\) and then one of these parties produces a garbled circuit of MFHE.Dec\((hsk,\cdot )\). In order to avoid interaction among the parties, we use the noninteractive MPC method(NIMPC) recently introduced by [3]. Use NIMPC, the parties can noninteractively generate the decrypt key \(hsk=hsk_1\cdot hsk_2 \cdots hsk_n\).
How to apply it to multiclient outsourcing computation scheme?
The notion of functional encryption is a little similar with outsourcing computation. The clients in outsourcing computation act like the encryptors, and the server acts like the decryptor. In multiclient outsourcing scheme, the server needs to return the result \(f(x_1, x_2, \cdots , x_n)\) to the clients. In addition to this process, the clients need to verify the correctness of the computation result. In [12]’s work, they followed the approach of Parno et al. [18] and described how to achieve public verifiable multiclient outsourcing computation scheme. In their design, the clients should first generate two pairs of master secret keys and public keys and run FE scheme twice. Instead of using [18]’s public verify method, we use a new method to do public verification. Using the garbled circuit’s output labels which are corresponding to the computation result f(x), we design a public verify method similar to [18] but do not need to run FE scheme twice.
2 Preliminaries
We denote k the security parameter, \(negl(\cdot )\) a negligible function and ppt the probabilistic polynomial time. ABE\(_2\) denotes the twooutcome attribute based encryption, MFHE denotes the multikey homomorphic encryption(or Multikey FHE) for short, NIMPC denotes noninteractive multiparty computation and MIFE means the multiinput functional encryption.
2.1 Multikey Fully Homomorphic Encryption
Definition 1
 1.
KeyGen\((1^k) \rightarrow (pk_i,sk_i,ek_i)\): input the security parameter k, output a public key \(pk_i\), a secret key \(sk_i\) and a evaluation key \(ek_i\) \((i\in [N])\).
 2.
Enc\((pk_i,x)\rightarrow c\): input the public key \(pk_i\) and message \(x_i\), output a ciphertext \(c_i\).
 3.
Eval\((C, (c_1', pk_1', ek_1'), \cdots ,(c_t', pk_t', ek_t')) \rightarrow c^* \): given a circuit C and t ciphertexts \((c_i', pk_i', ek_i')\), outputs a ciphertext \(c^*\). Here the t keys \(\{pk_1',\cdots ,pk_t' \}\) is a subset of \(\{pk_1,\cdots ,pk_N\}\).
 4.
Dec\((sk_1,\cdots ,sk_N, c^*) \rightarrow x^*\): given N secret keys \(sk_1,\cdots ,sk_N\) and a ciphertext \(c^*\), outputs a message \(x^*\).
Compactness. Let \(c^*=\)Eval\((C,(c_1', pk_1', ek_1'), \cdots ,(c_t', pk_t', ek_t'))\). There exist a polynomial P such that \(c^*\leqslant P(k,n)\).
Multikey FHE. An encryption scheme consisting algorithms (KeyGen, Enc, Dec, Eval)\(_{N>0}\) is multikey fully homomorphic if it is Chomomorphic for the class of all circuits.
If the underlying encryption scheme is semantically secure, then the multikey FHE holds semantically secure in the presence of the evaluation key ek [16].
L\(\acute{o}\)pezAlt et al. [16] designed a multikey FHE scheme, and in their scheme the decryption of a multikey ciphertext requires a multiplication by the product of all keys that were involved in the generation of the ciphertext.
2.2 Garbled Circuit
Definition 2
 1.
Gb.Garble\((1^k, C)\) takes as input the security parameter k and a circuit \(C\in \mathcal {C}_n\) for some n, and outputs the garbled circuit \(\varGamma \) and a secret key sk.
 2.
Gb.Enc(sk, x) takes as input the secret key sk and data \(x \in \{0,1\}^n\) and outputs an encoding c.
 3.
Gb.Eval\((\varGamma , c)\) takes as input a garbled circuit \(\varGamma \), an encoding c and outputs a value y .
Efficiency. There exists a universal polynomial \(p = p(k, n)\) (p is the same for all classes of circuits C) such that for all input sizes n, security parameters k, for all boolean circuits C of with n bits of input, for all \(x \in \{0,1\}^n\), Pr\([(\varGamma , sk) \leftarrow \) Gb.Garble\((1^k, C) : sk \leqslant p(k, n)\) and runtime(Gb.Enc\((sk, x)) \leqslant p(k, n)] = 1\).
Input and Circuit Private. If there exist a ppt simulator Sim\(_{Garble}\), such that for every ppt adversaries A and D, for all sufficiently large security parameters k, the following equation holds. Then the garbled scheme Gb for a family of circuits \(\{\mathcal {C}_n\}_{n\in N}\) is input and circuit private.
Pr\([(x,C,\alpha )\leftarrow A(1^k); (\varGamma ,sk)\leftarrow \) Gb.Garble\((1^k,C); c\leftarrow \) Gb.Enc\((sk,x):D(\alpha ,x, C,\varGamma ,c)] \)Pr\([(x,C,\alpha )\leftarrow A(1^k); (\tilde{\varGamma },\tilde{c})\leftarrow \)Sim\(_{Garble}(1^k,C(x),1^{C},1^{x}):D(\alpha ,x, C,\tilde{\varGamma },\tilde{c})]=\)negl(k)
2.3 TwoOutcome AttributeBased Encryption
Definition 3
 1.
ABE\(_2\).Setup\((1^k)\): Takes a security parameter k as input and outputs a master public key mpk and a master secret key msk.
 2.
ABE\(_2\).KeyGen(msk, P): Given a master secret key msk and a predicate \(P \in P_n\) for some n, outputs a key \(sk_P\) corresponding to P.
 3.
ABE\(_2\).Enc\((mpk,x,m_0,m_1)\): Takes as input the public key mpk, an attribute \(x\in \{0,1\}^n\) for some n, and two messages \(m_0,m_1 \in M\), outputs a ciphertext c.
 4.
ABE\(_2\).Dec\((sk_P,c)\): Takes as input a secret key \(sk_P\) for a predicate P and a ciphertext c and outputs \(m^*\in M\).
2.4 Multiinput Functional Encryption
Definition 4
 1.
MIFE.Setup\((1^k ,n )\): takes the secure parameter k and function’s arity n as input, outputs a master secret key MSK and a master public key MPK.
 2.
MIFE.Enc\((MPK, x_1,\cdots ,x_n)\): takes input public key MPK and messages \(x_1,\cdots ,x_n\), here \(x_i\) is the data corresponding to party i. Using MPK each party encrypts its data \(x_i\) and outputs a ciphertext \(c_i\). The algorithm finally output a ciphertext CT related to the ciphertexts \((c_1,\cdots ,c_n)\).
 3.
MIFE.KeyGen(MSK, f): takes input the master secret key MSK and an nary function f, outputs a key \(sk_f\).
 4.
MIFE.Dec\((sk_f, CT)\): takes ciphertext CT and secret key \(sk_f\) as its input and output a value y.
2.5 Multiclient Outsourcing Computation Scheme
As far as we know, multiclient outsourcing computation scheme was first considered by choi et al. [6]. There are n clients each has their corresponding input \(x_i\) want to outsource the computation of \(f(x_1, \cdots ,x_n)\) to a server. Here we consider the public verification case where any other clients can verify the correctness of the computation result using the public verify key.
Definition 5
 1.
KeyGen\((1^k, f) \rightarrow (SK,PK)\): On input the security parameter k and a function \(f \in F\), it outputs a secret key SK, a public key PK.
 2.
ProbGen\((PK,SK,x_1,\cdots ,x_n) \rightarrow (\sigma _X, VK_X)\): Each client uses the public key PK computes the encoding of its input \(x_i\) denote by \(\sigma _{x_i}\). Finally the algorithm output a verification key \(VK_X\) and an encoding \(\sigma _X\) related to \(\sigma _{x_i}(i=1,\cdots ,n).\)
 3.
Compute\((PK,\sigma _X)\rightarrow Z\): This algorithm takes input the public key PK, and the encoding \(\sigma _X\), output a result Z.
 4.
Verify\((PK,VK_X ,Z) \rightarrow (y,reject)\): Using the public messages PK, public verify message \(VK_X\), the algorithm verifies the correctness of Z. If the verification passes, the corresponding result y can be recovered after the verification. Otherwise reject.
Security. A multiclient outsourcing scheme is secure if the probability that there exist a ppt adversary that can make the clients accept an incorrect computation result is negligible. We describe it via the experiment below:
Experiment EXP\(_\mathcal {A}^{Ver}(S,f,k)\)
\((SK,PK)\leftarrow \) KeyGen \((1^k, f)\)
For \(i=1\) to q:
\(X_i \leftarrow \mathcal {A}(PK,\sigma _{X,1},VK_{X,1},\ldots ,\sigma _{X,i1},VK_{X,i1})\)
\((\sigma _{X,i}; VK_{X,i}) \leftarrow \) ProbGen \((PK, SK, X_i)\)
\(X^* \leftarrow \mathcal {A}(PK,\sigma _{X,1},VK_{X,1},\ldots ,\sigma _{X,q},VK_{X,q})\)
\((\sigma _{X^*},VK_{X^*})\leftarrow \) ProbGen \((PK, SK, X^*)\)
\(Z^*\leftarrow \mathcal {A}(PK,\sigma _{X,1},VK_{X,1},\ldots ,\sigma _{X,q},VK_{X,q},\sigma _{X^*},VK_{X^*})\)
\(y^* \leftarrow \) Verify \((PK, VK_{X^*}, Z^*)\)
Output 1 if \(y^* \notin {\{f(X^*),\perp \}}\) and 0 otherwise.
We say that a multiclient outsourcing scheme is secure if Prob[EXP \(_{\mathcal {A}}^{Ver}(S,f,\lambda )=1]\) is negligible.
Privacy. Based on indistinguishability arguments we define input privacy which guarantees that no information about the inputs is leaked [9]. We describe the Experiment EXP\(_\mathcal {A}^{Priv}\) as follow.
Experiment EXP\(_\mathcal {A}^{Priv}[S,f,n,\lambda ]\)
\((PK,SK,EK) \leftarrow \) KeyGen \((1^\lambda , f);\)
\((X_0,X_1) \leftarrow \mathcal {A}^\mathbf{ProbGen_{SK}(\cdot )}(PK);\)
\((\sigma _0,VK_{X_0})\leftarrow \mathbf{ProbGen}_{SK}(X_0);\)
\((\sigma _1,VK_{X_1})\leftarrow \mathbf{ProbGen}_{SK}(X_1);\)
\(b \leftarrow \{0,1\};\)
\(b^* \leftarrow \mathcal {A}^\mathbf{ProbGen_{SK}(\cdot )}(PK,X_0,X_1,\sigma _b);\)
if \(b^*=b\), output \('1'\), else \('0'\);
We define the advantage of an adversary \(\mathcal {A}\) in the above experiment as:
ADV\(_\mathcal {A}^{Priv}[S,f,n,\lambda ]\)=Prob[EXP\(_\mathcal {A}^{Priv}[S,f,n,\lambda ]=1]\frac{1}{2}\).
A multiclient outsourcing computation scheme is private against the server if for any ppt adversary \(\mathcal {A}\) it holds that ADV\(_\mathcal {A}^{Priv}[S,f,n,\lambda ]\) is negligible.
3 Our Construction
3.1 Multiinput Functional Encryption
In this section, we construct a multiinput functional encryption scheme without obfuscation and the inputs are keeping private from each other. For simplicity, we construct MIFE for functions outputting one bit. We use three building blocks: twooutcome attributebased encryption scheme, multikey fully homomorphic encryption scheme and Yao’s garbled circuit. Let \(\mathbf c \) be a vector of n ciphertexts \(\mathbf c =(c_1,\cdots , c_n)\). Let MFHE.Eval\(_f^i(hpk,\mathbf c )\) be the predicate function that computes the ith output bit of MFHE.Eval\(_f(hpk,\mathbf c )\). Let \( \lambda \) be the length of the ciphertexts in MFHE scheme.
In our construction, we use the noninteractive multiparty computation(denote NIMPC) [3] as our tool to help the parties cooperatively compute the decryption key \(hsk=hsk_1\cdot hsk_2\cdots hsk_n\). In [3]’s NIMPC construction, its process can be divided into offline and online stage. In its offline stage the parties generate correlated randomness; in the online stage, the parties encode their messages respectively and then compute on the encodings to get the final computation result but cannot learn anything else about each others’ message.
 1.
MIFE.Setup\((1^k)\): Run twooutcome ABE scheme \(\lambda \) times: \((mpk_i,msk_i) \leftarrow \) ABE\(_2\).Setup\((1^k)\) for \(i \in [\lambda ]\). Run the offline stage of NIMPC to generate correlated randomness, denote R. The master public key \(MPK=(mpk_1,\cdots ,mpk_\lambda )\), the master secret key \(MSK=(msk_1,\cdots ,msk_\lambda ,R)\).
 2.MIFE.Enc\((MPK,x_1,\cdots ,x_n)\): let n be the number of inputs. \(x_i\) corresponds to the input of party i. The encryption algorithm proceeds as follows:
 (a)
Each party generates a fresh key pair \((hpk_i,hsk_i)\leftarrow \)MFHE.KeyGen\((1^k)\). Each party encrypts its input \(x_i\) by computing \(c_i \leftarrow \)MFHE.Enc\((hpk_i,x_i)\). let \( \mathbf c =(c_1,\cdots ,c_n)\).
 (b)
The n parties run the online stage of NIMPC protocol to secure compute \(hsk=hsk_1\cdot hsk_2 \cdots hsk_n\). Then one party (suppose the first party) produces a garbled circuit \(\varGamma \) for the MFHE decryption algorithm MFHE.Dec\((hsk, \cdot )\) together with \(2\lambda \) input labels \(L_i^b\) for \(i \in [\lambda ]\), \(b \in \{0,1\}\).
 (c)
The party who generates the garbled circuit \(\varGamma \) computes the encryption of \( \mathbf c =(c_1,\cdots ,c_n)\) using ABE\(_2\).Enc algorithm: CT\(_i=\)ABE\(_2\).Enc\((mpk_i,(hpk,\mathbf c ),L_i^0,L_i^1)\) for i in \([\lambda ]\).
 (d)
Output the ciphertext CT=(CT\(_1,\cdots ,\)CT\(_\lambda , \varGamma )\).
 (a)
 3.
MIFE.KeyGen(MSK, f): As we have mentioned that MFHE.Eval\(_f^i(hpk,\mathbf c )\) is the predicate function that computes the ith output bit of MFHE.Eval\(_f(hpk,\mathbf c )\). Here \(hpk=(hpk_1,\cdots ,hpk_n)\) and \(\mathbf c \) consists n MFHE ciphertexts.
 (a)
Run the key generation algorithm of ABE\(_2\) for function MFHE.Eval\(_f^i\) under different master secret keys: sk\(_f^i\)=ABE\(_2\).KeyGen\((msk_i,\)MFHE. Eval\(_f^i)\).
 (b)
Output \(sk_f=(sk_f^1,\cdots ,sk_f^\lambda )\) the secret key for function f.
 (a)
 4.MIFE.Dec(\(sk_f,\)CT):
 (a)
Run ABE\(_2\) decryption algorithm on ciphertext CT, obtain the labels \(L_i^{d_i} \leftarrow \) ABE\(_2\).Dec \((sk_f^i,\)CT\(_i)\) for \(i \in [\lambda ]\).
 (b)
Run the garbled circuit \(\varGamma \) on the labels \(L_i^{d_i}\) to compute the function result: Gb.Eval\((\varGamma , L_1^{d_1},\cdots ,L_\lambda ^{d_\lambda })=\)MFHE.Dec\((hsk,d_1d_2 \cdots d_\lambda )=f(x_1, \cdots ,x_n)\).
 (a)
3.2 Correctness and Security Proof
Correctness. In the decryption process, according to the correctness of ABE\(_2\) scheme, \(d_i\) is the ith output bit of MFHE.Eval\(_f(hpk,\mathbf c )\). Next the labels \(L_i^{d_i}\) are the inputs to the Garbled circuit corresponding to the value of MFHE.Eval\(_f(hpk,\mathbf c )\). For the garbled circuit is the decrypting algorithm of MFHE, denote by MFHE.Dec\((hsk,\cdot )\). Here the decrypt key hsk is computed by the NIMPC algorithm. Thus by the correctness of the NIMPC scheme and the garbled circuit, the output of the garbled circuit is the correct plain message corresponding to MFHE.Eval\(_f(hpk,\mathbf c )\). Finally by the correctness of the Multikey FHE scheme, this plain message is \(f(x_1,\cdots ,x_n)\). The correctness of the Multiinput FE scheme holds.
Theorem 1
Assuming the underlying ABE\(_2\) scheme is fully secure, the Multikey FHE scheme is INDCPA secure, Yao’s garbled circuit is input and circuit private, the resulting MIFE scheme is fully secure.
Security Proof:
 1.
Choose n key pairs\((hpk_i,hsk_i)\leftarrow \) MFHE.KeyGen\((1^k)\) for \(i=1,\cdots ,n\). Encrypt n inputs \(0^\lambda \)(\(\lambda \) zero bits), we denote the ciphertexts \(\hat{0}=(\hat{0}_1\leftarrow \) MFHE.Enc\((hpk_1,0^\lambda ),\cdots ,\hat{0}_n\leftarrow \) MFHE.Enc\((hpk_n,0^\lambda ))\). Compute \(hsk=hsk_1\cdot hsk_2\cdots hsk_n\).
 2.
Let Sim\(_{Garble}\) be the simulator for Yao’s garbled circuit corresponding to FHE.Dec\((hsk,\cdot )\). Run Sim\(_{Garble}\) to produce a simulated garbled circuit \(\varGamma \) for the multikey FHE decryption algorithm MFHE.Dec\((hsk,\cdot ): \{0, 1\}^\lambda \rightarrow \{0, 1\}\) together with the simulated encoding consisting of \(\lambda \) labels \(L_i\) for \(i=1,\cdots ,\lambda \). Namely: \((\hat{\varGamma },\{\hat{L}_i\}_{i=1}^\lambda )\leftarrow \) Sim\(_{Garble}(1^k,f(x_1,\cdots ,x_n),1^{MFHE.Dec(hsk,\cdot )},1^\lambda )\).
 3.
Produce encryption \(\hat{c}_1,\cdots ,\hat{c}_\lambda \) under the ABE\(_2\) scheme by computing the equation below: \(\hat{c}_i \leftarrow \) ABE\(_2\).Enc\((mpk_i,(hpk,\hat{0}),\hat{L}_i,\hat{L}_i)\) where the simulator S uses each simulated labels \(\hat{L}_i\) twice.
 4.
Output \(\hat{c}=(\hat{c}_1,\cdots ,\hat{c}_\lambda ,\hat{\varGamma })\).
Next we define a sequence of game experiments to prove the security of our multiinput FE scheme.
Game 0 is the output of the real experiment Exp\(_{MIFE,\mathcal {A}}^{H_0}\)=Exp\(_{MIFE,\mathcal {A}}^{real}\) .
Game 1 is the same as game 0, except that, let \(d_i=\)MFHE.Eval\(_f^i(hpk, \mathbf c )\), include \(L^{d_i}\) twice in the ABE\(_2\) encryption, namely:
\(\hat{c}_i^{(1)}\leftarrow \) ABE\(_2\).Enc\((mpk_i,(hpk,\mathbf c ),L_i^{d_i},L_i^{d_i})\) and \(\hat{c}^{(1)}=(\hat{c}_1^{(1)},\cdots ,\hat{c}_\lambda ^{(1)},\varGamma )\).
Game 2 is the same as game 1 except that the Garbled circuit is generated by the Sim\(_{Garble}\) algorithm. \((\hat{\varGamma },\{\hat{L}_i\}_{i=1}^\lambda )\leftarrow \) Sim\(_{Garble}(1^k,f(x_1,\cdots ,x_n),1^{MFHE.Dec(hsk,\cdot )},1^\lambda )\).
Game 3 is the output of the ideal experiment Exp\(_{MIFE,\mathcal {A}}^{H_3}\)=Exp\(_{MIFE,\mathcal {A},S}^{ideal}\).
Lemma 1. Assuming the underlying ABE\(_2\) scheme is fully secure, Game 0 and Game 1 is above is computationally indistinguishable.
Proof: In Game 0 and Game 1 there are \(\lambda \) ABE\(_2\) encryptions, each with a pair of independent ABE\(_2\) keys. The computational indistinguishability property with \(\lambda \) encryptions can be hold if these two games are computationally indistinguishable with only one of these encryptions. This property has been proved in [13]’s work. The difference between Game 0 and Game 1 is that in Game 0 the ABE\(_2\) encryption algorithm encrypts \((L_i^{d_i}, L_i^{1d_i})\), while in Game 1, the ABE\(_2\) encryption algorithm encrypts \((L_i^{d_i},L_i^{d_i})\), here \(d_i=\)MFHE.Eval\(_f^i(hpk,\mathbf c )\) . If there exist a ppt algorithm \(\mathcal {A}\) that can distinguish these two experiments with different encodings, then there exist a ppt algorithm \(\mathcal {B}\) that can use \(\mathcal {A}\)’s ability to break the security of the ABE\(_2\) scheme.
Lemma 2. Assuming the garbled circuit is input and circuit private, Game 1 and Game 2 are computationally indistinguishable.
Proof: The only difference between Game 1 and Game 2 is the generation method of the garbled circuit. In Game 1, \((\varGamma ^*,\{L_i^*\}_{i=1}^\lambda )\) is the output of the real garbled circuit. while in Game 2, \((\varGamma ^*,\{L_i^*\}_{i=1}^\lambda )\) is the output of Sim\(_{Garble}\). If there exist a ppt algorithm \(\mathcal {A}\) that can distinguish Game 1 and Game 2, then these exist a ppt algorithm \(\mathcal {B}\) that can distinguish these two cases how the \((\varGamma ^*,\{L_i^*\}_{i=1}^\lambda )\) are generated.
Lemma 3. Assuming the Multikey FHE scheme is INDCPA secure, Game 2 and Game 3 are computationally indistinguishable.
Proof: The difference between Game 2 and Game 3 is that the ciphertext \(\mathbf c \) is computed in different ways. In Game 2 the ciphertext \(\mathbf c \) is the encryption of the real messages \(x_1,\cdots ,x_n\), while in Game 3 the ciphertext \(\mathbf c \) is a vector of n ciphertexts of \(0^\lambda \). \(\mathbf c =\hat{0}=(\hat{0}_1\leftarrow \) MFHE.Enc\((hpk_1,0^\lambda ),\cdots ,\hat{0}_n\leftarrow \) MFHE.Enc\((hpk_n,0^\lambda ))\). If there exist a ppt algorithm that can distinguish these two games, then there exist a ppt algorithm that can break the INDCPA security of the Multikey FHE scheme.
Our lemmas show that there is no PPT adversary \(\mathcal {A}\) can distinguish one game from the next one with nonnegligible probability, thus Game 0 corresponds to the real experiment is indistinguishable from Game 3 corresponds to the ideal experiment. The security property holds. \(\Box \)
4 Multiclient Outsourcing Computation Scheme
As we have described, multiinput functional encryption can be used as a tool in multiclient outsourcing scheme to achieve public verification. This idea has been showed in [12]’s work. Their public verify method comes from Parno et al.’s work [18] and needs to run two times of the MIFE scheme. In our multiclient outsourcing scheme we use the output label of the garbled circuit to do the verification. Our thought mainly comes from Gennaro et al.’s work [9], for they used the garbled circuit’s outputwire label to map to the computation result.
The multiinput functional encryption(MIFE\(^*\)) used in our outsourcing computation scheme is the same as the multiinput functional encryption(MIFE) constructed in Sect. 3 except that the value of the garbled circuit’s outputwire is the label of the computation result instead of the computation result. For simplicity, we consider the functions with one bit output.
 1.
KeyGen\((1^k, f) \rightarrow (SK,PK)\): Run MIFE\(^*\).Setup\((1^k)\) algorithm and get MSK and MPK. Run MIFE\(^*\).KeyGen\((1^k)\) algorithm to obtain the decryption key \(sk_f\) corresponding to function f. Let \(PK=(MPK,sk_f)\), \(SK=MSK\).
 2.
ProbGen\((PK,SK,x_1,\cdots ,x_n) \rightarrow (\sigma _X, VK_X)\): Run the MIFE\(^*\).Enc\((\cdot )\) algorithm, obtain the ciphertexts \(\sigma _X=(CT_1,\cdots ,CT_\lambda )\) and a garbled circuit \(\varGamma \). Here the garbled circuit \(\varGamma \)’s outputs are the labels \((L_y^0,L_y^1)\) which encode the computation result. Using a oneway function \(g(\cdot )\), the client who generates the garbled circuit compute \(vk_0=g(L_y^0)\) and \(vk_1=g(L_y^1)\). Let the public verify message VK\(_X=(vk_0, vk_1)\).
 3.
Compute\((PK,\sigma _X) \rightarrow Z\): This algorithm takes input the public key PK, the encodings \(\sigma _X=(CT_1, \cdots , CT_\lambda ,\varGamma )\), runs MIFE\(^*\).Dec\((\cdot ) \rightarrow L_y^b\) and outputs \(Z=L_y^b\).
 4.
Verify\((PK,VK_X ,Z) \rightarrow (y,reject)\): Input the public messages PK, \(VK_X\) and the returned result Z. The clients verify whether the equation \(g(Z)=vk_0\) or \(g(Z)=vk_1\) holds. If the former holds, then \(f(x)=0\), if the latter holds, \(f(x)=1\). Otherwise, output \(\bot \).
Our scheme can be easily generalized to outsource functions with larger outputs by providing more pairs of the public verify messages in the ProbGen stage.
4.1 Correctness and Security Proof
Correctness. We can easily see that the above multiclient outsourcing scheme is correct. In our multiclient outsourcing scheme, we use the multiinput functional encryption scheme designed in Sect. 3. By the correctness of the multiinput functional encryption scheme, the Verify algorithm can correctly decrypt the ciphertext returned by the worker and get the correct label corresponding to the output \(f(x_1,\cdots ,x_n\)), and then map the label to the output bit \(f(x_1,\cdots ,x_n)\).
Theorem 2
If the underlying multiinput FE scheme is secure and the garbled circuit is circuit and input private, then the scheme designed above is a private and secure multiclient outsourcing scheme.
Proof: Our proof is divided into two parts. First we talk about the privacy of the outsourced data, and later we proof the unforgeability of the scheme.
The privacy property is guaranteed by the security of the multiinput functional encryption. If the MIFE scheme is secure, then the worker can only get the computation result but can not learn anything else about the outsourced data.
Next we show the unforgeability of the scheme. By contradiction, we assume that there exist a ppt adversary \(\mathcal {A}\) that makes the experiment EXP\(_\mathcal {A}^{Ver}(S,f,\lambda )\) output 1 with nonnegligible probability. Which means that the adversary \(\mathcal {A}\) can produce the encoding \(Z^*\) that makes the Verify algorithm outputs \(y^* \notin {\{f(x^*),\perp \}}\) with nonnegligible probability. For \(y^* \notin {\{f(x^*),\perp \}} \) and it has passed the Verify algorithm, which imply that the adversary gains the other output label that doesn’t corresponding to the real output \(f(x^*)\), which contradicts the privacy of the garbled circuit. \(\Box \)
5 Conclusion
In this work, we construct a multiinput functional encryption scheme that can keep privacy of the parties’ inputs from each other and does not need to use obfuscation. We also show its application in outsourced computation and design a publicly verifiable multiclient outsourcing scheme using a new verifymethod. Our schemes are proved to be correct and secure. We want to point out that our multiinput FE scheme uses the noninteractive MPC protocol to help the parties compute the product of their secret keys. Thus designing an efficient noninteractive MPC protocol can improve the efficiency of the functional encryption and the outsourced computation scheme as well. Another interesting direction in this area is to design multiinput functional encryption with unbounded key queries without obfuscation.
Notes
Acknowledgement
This work is supported by the National Natural Science Foundation of China (No. 61379140), the National Basic Research Program of China (973 Program) (No. 2013CB338001). The authors would like to thank anonymous reviewers for their helpful comments and suggestions.
References
 1.Agrawal, S., Freeman, D.M., Vaikuntanathan, V.: Functional encryption for inner product predicates from learning with errors. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 21–40. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 2.Ananth, P., Boneh, D., Garg, S., Sahai, A., Zhandry, M.: Differinginputs obfuscation and applications. In: IACR Cryptology ePrint Archive 2013:689 (2013)Google Scholar
 3.Beimel, A., Gabizon, A., Ishai, Y., Kushilevitz, E., Meldgaard, S., PaskinCherniavsky, A.: NonInteractive secure multiparty computation. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 387–404. Springer, Heidelberg (2014)CrossRefGoogle Scholar
 4.Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 5.Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007)CrossRefGoogle Scholar
 6.Choi, S.G., Katz, J., Kumaresan, R., Cid, C.: Multiclient noninteractive verifiable computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 499–518. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 7.Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: IEEE 54th Annual Symposium on Foundations of Computer Science (FOCS), pp. 40–49. IEEE (2013)Google Scholar
 8.Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Fully secure functional encryption without obfuscation. Technical report, Cryptology ePrint Archive, Report /666 (2014)Google Scholar
 9.Gennaro, R., Gentry, C., Parno, B.: Noninteractive verifiable computing: outsourcing computation to untrusted workers. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 10.Gentry, C., Lewko, A.B., Sahai, A., Waters, B.: Indistinguishability obfuscation from the multilinear subgroup elimination assumption. IACR Cryptology ePrint Archive, 2014:309 (2014)Google Scholar
 11.Goldwasser, S., et al.: Multiinput functional encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 578–602. Springer, Heidelberg (2014)CrossRefGoogle Scholar
 12.Goldwasser, S., Goyal, V., Jain, A., Sahai, A.: Multiinput functional encryption. In: IACR Cryptology ePrint Archive 2013:727 (2013)Google Scholar
 13.Goldwasser, S., Kalai, Y., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: Proceedings of the FortyFifth Annual ACM Symposium on Theory of Computing, pp. 555–564. ACM (2013)Google Scholar
 14.Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multiparty computation. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 15.Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008)CrossRefGoogle Scholar
 16.LópezAlt, A., Tromer, E., Vaikuntanathan, V.: Onthefly multiparty computation on the cloud via multikey fully homomorphic encryption. In Proceedings of the FortyFourth Annual ACM Symposium on Theory of Computing, pp. 1219–1234. ACM (2012)Google Scholar
 17.Naor, M., Yung, M.: Publickey cryptosystems provably secure against chosen ciphertext attacks. In: Proceedings of the TwentySecond Annual ACM Symposium on Theory of Computing, pp. 427–437. ACM (1990)Google Scholar
 18.Parno, B., Raykova, M., Vaikuntanathan, V.: How to delegate and verify in public: verifiable computation from attributebased encryption. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 422–439. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 19.Peter, A., Tews, E., Katzenbeisser, S.: Efficiently outsourcing multiparty computation under multiple keys. IEEE Trans. Inf. Forensics Secur. 8(12), 2046–2058 (2013)CrossRefGoogle Scholar
 20.Sahai, A., Seyalioglu, H.: Worryfree encryption: functional encryption with public keys. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 463–472. ACM (2010)Google Scholar
 21.Shen, E., Shi, E., Waters, B.: Predicate privacy in encryption systems. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 457–473. Springer, Heidelberg (2009)CrossRefGoogle Scholar
 22.Wang, B., Li, M., Chow, S.S.M., Li, H.: Computing encrypted cloud data efficiently under multiple keys. In: IEEE Conference on Communications and Network Security (CNS), pp. 504–513. IEEE (2013)Google Scholar
 23.Waters, B.: A punctured programming approach to adaptively secure functional encryption. Technical report, Cryptology ePrint Archive, Report 2014/588 (2014). http://eprint.iacr.org