1 Introduction

The ability to cryptographically obfuscate computer programs holds great prospects for securing the future digital world. While general-purpose program obfuscation remained an elusive goal for several decades, this changed recently with the seminal work of Garg et al. [26] who gave the first candidate construction of indistinguishability obfuscation [8] (\(i\mathrm {O}\)) for \(\mathsf {P/poly}\). Since then, \(i\mathrm {O}\) has been used to realize several advanced cryptographic primitives that were previously beyond our reach, including deniable encryption [45], collusion-resistant functional encryption [26], round-optimal multiparty computation [25], and so on. Indeed, by now, \(i\mathrm {O}\) has been established as a central hub of cryptography.

The tremendous appeal of \(i\mathrm {O}\) motivates the goal of constructing it from well-studied, standard cryptographic assumptions. However, not much is known in this direction. The security of candidate \(i\mathrm {O}\) constructions, initiated by [7]Footnote 1, is proven in the “generic graded encoding model” and lacks a reduction in the standard model. The recent works of Pass et al. [43] and Gentry et al. [33] seek to rectify this situation by constructing \(i\mathrm {O}\) from various assumptions on multilinear maps [24]. In particular, Pass et al. [43] reduce the security of their construction to an “uber assumption” on multilinear maps while Gentry et al. [33] provide a reduction to the “multilinear subgroup elimination assumption” (stated in their paper) on composite-order multilinear maps [22].

Till date, these remain the only known constructions of general-purpose \(i\mathrm {O}\). Further, all of them rely on a common cryptographic primitive, namely, multilinear maps. This is an unsatisfactory situation, especially in light of several recent attacks on multilinear maps [13, 21, 23, 30]. This calls for new constructions of \(i\mathrm {O}\) from other, more familiar cryptographic primitives.

1.1 This Work

In this work, we make progress in this direction by providing a new construction of \(i\mathrm {O}\) based on a natural form of functional encryption (FE). Along the way, we also obtain new results on multi-input FE [35] that significantly improve upon the prior results.

I. Indistinguishability Obfuscation from Compact FE. Our main result is a reduction from \(i\mathrm {O}\) to any public-key functional encryption scheme that satisfies a natural “compactness” requirement on the encryption algorithm. Specifically, we give a construction of \(i\mathrm {O}\) for \(\mathsf {P/poly}\) from any public-key FE scheme for \(\mathsf {NC}^1\) that satisfies the following requirements:

  • Security: It supports one key query and achieves selective, indistinguishability security against sub-exponential time adversaries.

  • Compactness: For any input message x, the running time of the encryption algorithm is polynomial in the security parameter and the size of x. In particular, it does not depend on the circuit description size or the output length of any function f supported by the scheme.Footnote 2 We call such an FE scheme compact.

We stress that we do not require function hiding property [1, 11] from the underlying FE. Indeed, function-hiding public-key FE already implies \(i\mathrm {O}\).

On the use of Sub-exponential Hardness. Our reliance on sub-exponential hardness of the underlying FE scheme is similar in spirit to the use of sub-exponential hardness assumptions in the work of Gentry et al. [33]. Indeed, as discussed in their paper, the use of sub-exponential hardness assumptions “seems” inherent to realizing \(i\mathrm {O}\). We note, however, that to the best of our knowledge, no formal proof supporting this intuition is known.

On the Existence of compact FE. While public-key FE is an extremely well-studied notion, somewhat surprisingly, compact FE has remained largely unexplored. Previously, Goldwasser et al. [36] studied the notion of “succinct” FE which, informally speaking, requires that the size of any ciphertext must be independent of the function description size. We note, however, that this notion does not preclude dependence on the function output length. Indeed, [36] focuses on functions with single bit output, and their construction does not achieve our desired compactness property for the case of functions with long output.

Compact FE with simulation-based security is known to be impossible for general functions [2, 20]. Concretely, in the case of adaptive simulation security, the impossiblity result holds for a single key and message query. In the selective security case, it holds for a single key and unbounded message queries.Footnote 3 However, we stress that for our main result, we only require the underlying compact FE scheme to satisfy indistinguishability security in the selective model.

Presently, the only known constructions of compact FE for general functions rely on \(i\mathrm {O}\) [26, 46].Footnote 4 In contrast, non-compact FE can be based on LWE [36], or even semantically-secure public-key encryption [37, 44].

We hope that this work will bring attention to the natural goal of compactness in FE and that it will be realized from standard complexity assumptions in the future. With this view, we believe that the results in this work open new doors to the eventual goal of realizing \(i\mathrm {O}\) from well-studied cryptographic assumptions, possibly avoiding multilinear maps altogether.

II. A Technique for Arity Amplification. At the heart of our results is a novel technique for arity amplification in secret-key multi-input functional encryption (MiFE), a notion introduced by Goldwasser et al. [35]. Specifically, we show how to transform a selectively-secure secret-key MiFE scheme for i-ary functions into another selectively-secureFootnote 5 secret-key MiFE scheme for \((i+1)\)-ary functions. Interestingly, we achieve this by “knitting together” a secret-key FE scheme for i-ary functions with a public-key FE scheme for 1-ary functions. In order to prove the security of our transformation, we build on program puncturing techniques that were first introduced by Sahai and Waters [45] in the context of \(i\mathrm {O}\) and recently developed in the context of secret-key FE by Brakerski and Segev [16] and Komargodski et al. [40].

Starting from a secret key FE scheme for single-ary functions (aka single-input FE) and applying our transformation iteratively, we obtain a secret-key MiFE scheme for multi-ary functions. This iterated procedure is sensitive to the efficiency of the underlying single-input FE and yields different end results depending upon whether the underlying FE scheme is compact or not.

More concretely, given a compact single-key FE scheme for \(\mathsf {NC}^1\), we first convert it into a compact FE scheme for general functions that supports an a priori bounded polynomial number of key queries. This process involves multiple steps, including the key query amplification step of Gorbunov et al. [37] and the generic transformation from [4, 31] for boosting the function family from \(\mathsf {NC}^1\) to general functions.

Then, instantiating our iterated approach with a sub-exponentially secure compact FE scheme that supports (say) q number of key queries, we obtain a secret-key MiFE scheme for polynomial-arity functions that supports q key queries and q message queries. Instantiating this result for the case of \(q=2\) and combining it with the MiFE to \(i\mathrm {O}\) transformation of Goldwasser et al. [35], we obtain \(i\mathrm {O}\) for general functions.

III. MiFE for Functions with Small Arity from Standard Assumptions. We also analyze our transformation for the case when the underlying FE scheme is non-compact. Recall that in such a scheme, the running time of the encryption algorithm may depend upon the function description size [37, 44] or its output length [36].

Bounded-Message Security from Standard Assumptions. Starting with a non-compact FE scheme that supports an a priori bounded polynomial (say) q number of key queries, we obtain a secret-key MiFE scheme for constant-ary functions that supports q message and q key queries. Instantiating the underlying FE scheme with [37, 44], we obtain the above result based on semantically secure public-key encryption.Footnote 6 This significantly improves over the state of the art in this area in terms of security assumptions. In particular, prior constructions of such an MiFE scheme either rely upon \(i\mathrm {O}\) [35] or lack a security proof in the standard model [10].

Unbounded-Message Security from \(i\mathrm {O}\). Starting with a non-compact FE scheme that achieves security against unbounded key queries, we obtain a secret-key MiFE scheme for constant-ary functions that supports unbounded message and key queries.

Presently, known constructions of public-key FE with security against unbounded collusions rely upon \(i\mathrm {O}\) and one-way functions [26, 46] or specific assumptions on composite-order multilinear maps [27]. Then, instantiating the underlying FE scheme in our construction with [26], we obtain a secret-key MiFE scheme for functions with constant arity that supports unbounded number of message and key queries based on \(i\mathrm {O}\) and one-way functions. Previously, such an MiFE scheme [35] was only known based on differing-inputs obfuscation [3, 8, 14].

On the Optimality of Our Results. It is easy to see that a secret-key MiFE scheme for 2-ary functions that supports a single key query and unbounded message queries already implies a secret-key single-input FE scheme that supports unbounded key and message queries. This observation is already implicit in [35].

In light of the above, we note that our results on secret-key MiFE with bounded message queries are essentially optimal.

IV. Compact FE from Randomized Encodings for Turing Machines. Our final contribution is a construction of a single-key, compact FE scheme from the learning with errors (LWE) assumption and randomized encodings (RE) [6, 38] for Turing machines where the size of the encoding only depends on the size of the Turing machine (TM) and not on its running time or the output length. Combining this with our reduction from \(i\mathrm {O}\) to compact FE, we get a construction of \(i\mathrm {O}\) for general circuits from sub-exponentially secure RE for Turing machines and LWE.

Randomized encodings for circuits are known to exist from only one-way functions [47]. In contrast, the problem of RE for TMs has received far less attention. Recently, a few works [28, 29, 42] construct RE for RAM programs from only one-way functions; however, the size of the garbled RAM program in these schemes is proportional to the (worst-case) running time of the underlying RAM program. Even more recently, [9, 18, 41] give constructions of RE for TMs where the encoding size is independent of the running time of TM. However, all of these results are based on \(i\mathrm {O}\).

We hope that our work will bring more attention to this natural goal, and that it can be realized from standard cryptographic assumptions in the future. This result is presented in the full version [5].

1.2 Our Techniques

Main Goal: Arity Amplification. The starting point of our \(i\mathrm {O}\) construction is the recent work of Goldwasser et al. [35] who showed a transformation from secret-key MiFE to \(i\mathrm {O}\). Concretely, [35] proved that secret-key MiFE for \((n+1)\)-ary functions that supports a single key query and 2 message queries implies \(i\mathrm {O}\) for all functions with input length n. Very roughly, in order to obfuscate a function f with input length n, their idea is to use the first MiFE ciphertext to hide the function and use the remaining n positions to encode f’s input domain à la Yao’s garbled circuits [47]. This, coupled with a secret key for the universal circuit yields an indistinguishability obfuscation of f.

Given their result, our goal of constructing general-purpose \(i\mathrm {O}\) from public-key single-input FE reduces to the task of constructing secret-key MiFE scheme for polynomial-ary functions from a public-key FE for single-ary functions. To help the presentation, we ignore the succinctness requirements on the underlying FE for now, and revisit it later.

At a first glance, it is not clear at all how to proceed towards realizing the above goal.

Knitting together Two FE Instances. Towards that end, let us first consider a weaker goal of constructing secret-key MiFE for 2-ary functions. Roughly speaking, our main idea is to “knit” together an instance of a secret-key single-input FE scheme with an instance of public-key single-input FE to obtain a secret-key MiFE for 2-ary functions. Here, the importance of using both a secret-key FE and a public-key FE will become clear once we explain our approach.

More concretely, the 2-ary MiFE scheme is constructed as follows:

  • The master secret key of the 2-ary scheme consists of a key pair \((\mathsf {pk},\mathsf {msk})\) of the underlying public-key FE scheme as well as a master secret key \(\mathsf {msk}'\) of the underlying secret-key FE scheme. Further, a key for a function f is computed as a key \(K_f\) of the underlying public-key FE scheme for f.

  • In order to encrypt a message \(m_1\) corresponding to the first position, we generate (using \(\mathsf {msk}'\)) a function key of the underlying secret-key FE scheme for the following function \(\mathcal {G}^{\mathsf {enc}}_{[m_1,K,pk]}\): it contains the message \(m_1\), a key for a pseudorandom function (PRF) K, and the public key \(\mathsf {pk}\) hardwired in its description. On input a message \((m_2,\mathsf {tag})\), \(\mathcal {G}^{\mathsf {enc}}_{[m_1,K,pk]}\) outputs an encryption (using \(\mathsf {pk}\)) of the combined message \(m_1\Vert m_2\) w.r.t. the underlying public-key FE. Here, the randomness r for encryption is derived as \(r\leftarrow \mathsf {PRF}_K(\mathsf {tag})\).

    A message \(m_2\) corresponding to the second position is encrypted (along with a random tag) using the encryption algorithm of the underlying secret-key FE scheme.

  • In order to decrypt a pair of ciphertexts \((c_1\), \(c_2)\) using a function key \(K_f\), we first decrypt \(c_2\) using \(c_1\) (recall that \(c_1\) corresponds to a function key of the secret key FE scheme) to produce a new ciphertext \(\tilde{c}\) corresponding to the underlying public-key FE scheme. Finally, we decrypt \(\tilde{c}\) using \(K_f\) to get the desired output.

The correctness of the above construction is easy to verify. A careful reader, however, may immediately notice a security problem. Note that in order to prove security, we must ensure that the first ciphertext hides the message \(m_1\) and the PRF key K. However, this is not necessarily guaranteed by the above construction.

We solve this problem by building upon the recent elegant result of Brakerski and Segev [16] who give a generic transformation from any single-input secret-key FE scheme into another secret-key FE scheme that satisfies function hiding. Specifically, instead of using a standard secret-key FE, we will use a function-hiding secret-key FE in the above construction. We then rely upon the function-hiding property of the function key to argue that \(m_1\) and K remain hidden. As we will see later, this technique, when generalized to the MiFE setting, is vital to our overall approach.

We highlight another subtle point in the above construction: suppose that we want the 2-ary MiFE scheme to support \(q\ge 2\) message queries. Then, since the function keys of the underlying secret-key FE scheme act as ciphertexts in the 2-ary MiFE scheme, we need the underlying secret-key FE scheme to, in fact, support q key queries. To obtain such an FE scheme, we leverage [37] to transform a single-key FE scheme into a q-key FE scheme. We refer the reader to the full version for more details.

Overview of Proof Strategy. Proving the security of the above construction turns out to be quite non-trivial. Suppose that we wish to prove security for q message queries (for each position), say \(\{x_{i}^0,y_{i}^0\}_{i=1}^{q}\), \(\{x_{i}^1,y_{i}^1\}_{i=1}^{q}\). Further, for simplicity, let us restrict our attention to a single function key query f. One plausible proof strategy would be to construct a sequence of roughly q hybrids where at any step \(i\in [q]\), we switch from \((x_i^0,y_i^0)\) to \((x_i^1,y_i^1)\). However, note that in the case of MiFE, an adversary can compute “cross-terms” from the challenge message pairs. That is, the adversary is allowed to compute \((x_i^b,y_i^b)\) for any \(i,j\in [q]\). Indeed, this is why the security definition of MiFE requires that \(f(x_{i}^0,y_{j}^0)=f(x_{i}^1,y_{j}^1)\) for all \(i,j\in [q]\). However, note that in the above proof strategy, the adversary might end up computing \(f(x_{i}^1,y_{j}^0)\) which will allow him to distinguish between two successive hybrids.

A plausible solution to overcome the above problem is to argue indistinguishability in one shot. That is, instead of arguing indistinguishability one message-pair at a time, we instead switch all the challenge message pairs corresponding to challenge bit 0 with the ones corresponding to challenge bit 1. Implementing this strategy successfully, however, will require “hardwiring” and “unhardwiring” of the (public-key) encryption of all the \(q^2\) message pairs \((x_i^b,y_j^b)\) (each of which corresponds to a different output) in the challenge ciphertexts for the first position that correspond to function keys of the underlying secret-key FE scheme. While this is tolerable for the case of arity 2 (and more generally for constant arity), it quickly becomes prohibitive for large arity. Indeed, for arity \(n=\mathsf {poly}(\lambda )\), the number of possible outputs (and therefore the message pair combinations) is exponential.

We solve the above problems by carefully employing a “one-input-at-a-time” strategy where we consider roughly \(q^2\) intermediate hybrids (and \(q^n\) in the case of arity n; see below). Very briefly, our proof involves careful hardwiring and un-hardwiring of the (public-key) encryption of each of the \(q^2\) message pairs \((x_i^b,y_j^b)\), one at a time, in the challenge ciphertexts for the first position that correspond to function keys of the underlying secret-key FE scheme. Furthermore, we crucially ensure that the adversary cannot learn an output of the form \(f(x_i^0,y_j^1)\) at any point in the hybrids. In order to implement these ideas, we rely upon program puncturing techniques that were originally introduced in the context of \(i\mathrm {O}\) [45] and recently developed in the secret-key FE setting by [16, 40]. In particular, as in the work of [40], we rely on function hiding property of the underlying secret-key FE scheme to argue indistinguishability of these core hybrids. We finally note that our proof strategy bears resemblance to the proof methodology in several recent works [9, 18, 19, 32, 33, 41].

Note that in the above proof strategy, it was crucial that we use a public-key FE in our construction. To see this, suppose we were to replace the public-key FE with an instance of a secret-key FE, referred to as \(\mathcal {FE}\) (while the other secret-key FE instance used in the construction is referred to as \(\mathcal {FE}'\)). Note that now, the challenge ciphertexts corresponding to the first position would contain the master secret key (say) \(\mathsf {msk}\) of \(\mathcal {FE}\). Then, in order to execute the aforementioned proof strategy, it would seem that we need to somehow “puncture” \(\mathsf {msk}\) such that it allows encryption all messages except a select message (say) \(x^b_i\Vert y^b_j\). Furthermore, the punctured \(\mathsf {msk}\) should not allow generation of any function keys, except \(K_f\). However, it is not clear how to realize such a notion of secret-key FE. By using public-key FE, we are able to bypass the above difficulties since by definition, the public key does not need to be hidden.

Climbing the Arity Ladder. The above approach can be generalized to transform a secret-key MiFE scheme for i-ary functions into a secret-key MiFE scheme for \((i+1)\)-ary functions. Concretely, this transformation consists of two steps: first, by using ideas from [16], we add function privacy property to the i-ary MiFE scheme. Next, we combine the resultant scheme with a “fresh” instance of a public-key single-input FE scheme to obtain an \((i+1)\)-ary MiFE scheme.

In more detail, as in the 2-ary case, the ciphertext corresponding to the first position will consist of a function key of the underlying (function private)c-ary MiFE scheme for the function \(\mathcal {G}^{\mathsf {enc}}_{[m_1,K,pk]}\) which is defined similarly to the 2-ary case, except that here it takes as input messages \(m_2,\ldots ,m_{i+1}\) (along with random tags) and outputs an encryption (using \(\mathsf {pk}\)) of the combined message \(m_1\Vert \ldots \Vert m_{i+1}\) w.r.t. the underlying public-key FE. The ciphertexts corresponding to remaining i positions will correspond to ciphertexts of the underlying c-ary MiFE scheme. The function key for a function f in the \(c+1\)-ary scheme will correspond to a key \(K_f\) for the same function f of the underlying public-key single-input FE scheme.

By applying the above ideas iteratively, we can transform a secret-key single-input FE into a secret-key multi-input FE. Our iterated construction is depicted in Fig. 1. The security of the construction follows along the same lines as discussed above.

Fig. 1.
figure 1

The Iterated Construction. (q)-FE denotes a single-input public-key FE scheme that supports q key queries. \((q_1,q_2)\)-\(\mathsf {MIFE}_{i}\) denotes a secret-key MiFE scheme for i-ary functions that supports \(q_1\) key and \(q_2\) message queries. Finally, FH refers to function hiding.

Full size image

The Role of Compactness. Upon “unrolling” our construction of n-ary MiFE scheme, one can observe that it involves n instances of a single-input FE scheme. Specifically, in the n-ary MiFE scheme, each of the ciphertexts corresponding to the first \(n-1\) positions corresponds to a function key of (a different instance of) a single-input FE, while the ciphertext corresponding to the nth position corresponds to a ciphertext of a single-input FE scheme. The function key at position \(n-1\) computes an encryption corresponding to the function key at position \(n-2\) which in turn computes an encryption corresponding to the function key at position \(n-3\), and so on.

With the above view, it is easy to see that the complexity of the above construction becomes prohibitive for \(n=\omega (1)\) when it is instantiated with a non-succinct FE scheme. On the other hand, instantiating the construction with a succinct FE scheme allows us to go all the way to \(n=\mathsf {poly}(\lambda )\).

We remark that the above discussion is oversimplified. We refer the reader to the technical parts of the paper (and the full version [5]) for more details.

2 Preliminaries

Throughout the paper, we denote the security parameter by \(\lambda \). We assume that the reader is familiar with basic cryptographic concepts [34].

Given a PPT sampling algorithm A, we use \(x \xleftarrow {\$} A\) to denote that x is the output of A when the randomness is sampled from the uniform distribution.

Punctured Pseudorandom Function Families. The works of [12, 15, 39] constructed a strengthening of PRF families that is commonly known as punctured pseudorandom function families. Unlike the standard notion of PRFs, this primitive is accompanied by a puncturing algorithm that takes as input x, a PRF key K and outputs a punctured key \(K_x\) that allows one to evaluate the output of PRF on any input other than x. The security guarantee states that the output of PRF on x is indistinguishable from random even if the adversary gets a key punctured on x.

2.1 Indistinguishability Obfuscation

Here we recall the notion of indistinguishability obfuscation (\(i\mathrm {O}\)) that was defined by Barak et al. [8].

Definition 2.1

(Indistinguishability Obfuscator ( \(i\mathrm {O}\) )). A uniform PPT algorithm \(i\mathrm {O}\) is called an indistinguishability obfuscator for a circuit class \(\{\mathcal {C}_{\lambda }\}\), where \(\mathcal {C}_{\lambda }\) consists of circuits C of the form \(C:\{0,1\}^{\lambda } \rightarrow \{0,1\}\), if the following holds:

  • Completeness: For every \(\lambda \in \mathbb {N}\), every \(C \in \mathcal {C}_{\lambda }\), every input \(x \in \{0,1\}^{\lambda }\) (i.e., it belongs to the input space of C), we have that

    $$\mathsf {Pr}[C'(x) = C(x)\ :\ C' \leftarrow i\mathrm {O}(\lambda ,C)] = 1.$$

  • Indistinguishability: For any PPT distinguisher D, there exists a negligible function \(\mathsf {negl}(\cdot )\) such that the following holds: for all sufficiently large \(\lambda \in \mathbb {N}\), for all pairs of circuits \(C_0,C_1 \in \mathcal {C}_{\lambda }\) such that \(C_0(x)=C_1(x)\) for all inputs x, we have:

    $$\Big | \mathsf {Pr}[D(i\mathrm {O}(\lambda ,C_0)) = 1] - \mathsf {Pr}[D(i\mathrm {O}(\lambda ,C_1)) = 1] \Big | \le \mathsf {negl}(\lambda )$$

2.2 Public-Key Functional Encryption

Syntax. Let \(\mathcal {X}= \{\mathcal {X}_{\lambda }\}_{\lambda \in \mathbb {N}}\) and \(\mathcal {Y}= \{\mathcal {Y}_{\lambda }\}_{\lambda \in \mathbb {N}}\) be ensembles where each \(\mathcal {X}_{\lambda }\), \(\mathcal {Y}_{\lambda }\) are sets of size, functions in \(\lambda \). Let \(\mathcal {F}= \{\mathcal {F}_{\lambda }\}_{\lambda \in \mathbb {N}}\) be an ensemble where each \(\mathcal {F}_{\lambda }\) is a finite collection of functions. Each function \(f\in \mathcal {F}_{\lambda }\) takes as input a string \(x\in \mathcal {X}_{\lambda }\) and outputs \(f(x)\in \mathcal {Y}_{\lambda }\).

A public-key functional encryption (FE) scheme \(\mathsf {FE}\) for \(\mathcal {F}\) consists of four algorithms \((\mathsf {FE}.\mathsf {Setup},\) \(\mathsf {FE}.\mathsf {KeyGen},\) \(\mathsf {FE}.\mathsf {Enc},\) \(\mathsf {FE}.\mathsf {Dec})\):

  • Setup. \(\mathsf {FE}.\mathsf {Setup}(1^{\lambda })\) is a PPT algorithm that takes as input a security parameter \(\lambda \) and outputs a public key, (master) secret key pair \((\mathsf {FE}.\mathsf {pk},\mathsf {FE}.\mathsf {msk})\).

  • Key Generation. \(\mathsf {FE}.\mathsf {KeyGen}(\mathsf {FE}.\mathsf {msk},f )\) is a PPT algorithm that takes as input a master secret key \(\mathsf {FE}.\mathsf {msk}\), a function \(f \in \mathcal {F}_{\lambda }\) and outputs a functional key \(\mathsf {FE}.sk_f\).

  • Encryption. \(\mathsf {FE}.\mathsf {Enc}(\mathsf {FE}.\mathsf {pk},x)\) is a PPT algorithm that takes as input a public key \(\mathsf {FE}.\mathsf {pk}\), a message \(x\in \mathcal {X}_{\lambda }\) and outputs a ciphertext \(\mathsf {ct}\).

  • Decryption. \(\mathsf {FE}.\mathsf {Dec}(\mathsf {FE}.sk_f,\mathsf {ct})\) is a deterministic algorithm that takes as input a functional key \(\mathsf {FE}.sk_f\), a ciphertext \(\mathsf {ct}\) and outputs a string y.

The correctness property guarantees that the output of the decryption on input a functional key of \(f \in \mathcal {F}_{\lambda }\) and a ciphertext of \(x \in \mathcal {X}_{\lambda }\) yields \(f(x) \in \mathcal {Y}_{\lambda }\).

Selective Security. We recall indistinguishability-based selective security for FE. This security notion is modeled as a game between the challenger and the adversary where the adversary can request functional keys and ciphertexts from the challenger. Specifically, the adversary can submit function queries f to the challenger and receive corresponding functional keys. It can also submit a message query of the form \((x_0,x_1)\) and in response, the challenger encrypts message \(x_b\) and sends the ciphertext back to the adversary. The adversary wins the game if she can guess b with probability significantly greater than 1/2 and if \(f(x_0)=f(x_1)\) for all function queries f. The only constraint here is that the adversary has to declare the challenge messages at the beginning of the game itself.

The term \((q_{\mathsf {key}},\mu )\)-secure FE scheme refers to the setting where the adversary can request up to \(q_{\mathsf {key}}\) queries and he can succeed in the game with probability at most \(\mu \).

Compactness. We now define the notion of compact FE that will play a central role in our main result on \(i\mathrm {O}\). In a compact FE scheme, the running time of the encryption algorithm only depends on the security parameter and the input message length. In particular, it is independent of the complexity of the function family supported by the FE scheme. Note that a direct consequence of this is that the size of the public key must also be independent of the complexity of the function family.

Definition 2.2

(Compact FE). Let \(p(\cdot )\) be a polynomial. A \((q_{\mathsf {key}},\mu )\)-selectively secure public-key FE scheme \(\mathsf {FE}=(\mathsf {FE}.\mathsf {Setup},\mathsf {FE}.\mathsf {KeyGen},\mathsf {FE}.\mathsf {Enc},\mathsf {FE}.\mathsf {Dec})\), defined for an input space \(\mathcal {X}=\{\mathcal {X}_{\lambda }\}\) and function space \(\mathcal {F}=\{\mathcal {F}_{\lambda }\}\) is said to be compact if for all \(\lambda \in \mathbb {N}\), the size of any public key \(\mathsf {FE}.\mathsf {pk}\) is \(p(\lambda )\), where \((\mathsf {FE}.\mathsf {msk},\mathsf {FE}.\mathsf {pk}) \leftarrow \mathsf {FE}.\mathsf {Setup}(1^{\lambda })\), and the running time of the encryption algorithm \(\mathsf {FE}.\mathsf {Enc}\), on input \(1^{\lambda }\), \(\mathsf {FE}.\mathsf {pk}\) and a message \(x\in \mathcal {X}_{\lambda }\), is \(p(\lambda ,q_{\mathsf {key}},|x|)\).

Remark 2.3

We can define the notion of unbounded compact FE in the same manner as above except that we now allow the number of key queries made by the adversary in the security game to be an arbitrary polynomial.

3 Function Private Multi-input Functional Encryption (MiFE)

The concept of multi-input functional encryption was proposed by Goldwasser et al. [35]. Standard FE only allows for computing on a single ciphertext, i.e., it only supports single-ary functions. In contrast, multi-input functional encryption (MiFE) allows for (joint) computation over multiple ciphertexts. In other words, it supports multi-ary functions.

Analogous to standard FE, one can consider MiFE in two settings, namely, public-key and secret-key setting.Footnote 7 In this work, we will restrict our attention to the secret-key setting.

The security notion we are interested in is stronger than the one considered in Goldwasser et al. [35]. We expect the functional keys to hide the function it is associated with. This concept, termed as function privacy was previously considered in the single ary private key FE setting by Brakerski-Segev [16]. We extend their notion to the multi-input functional encryption setting as well.

We first present the syntax of a MiFE scheme and later we formalize the function privacy property.

Syntax. Let \(\mathcal {X}= \{\mathcal {X}_{\lambda }\}_{\lambda \in \mathbb {N}}\) and \(\mathcal {Y}= \{\mathcal {Y}_{\lambda }\}_{\lambda \in \mathbb {N}}\) be ensembles where each \(\mathcal {X}_{\lambda }\), \(\mathcal {Y}_{\lambda }\) are sets of size, functions in \(\lambda \). Let \(\mathcal {F}= \{\mathcal {F}_{\lambda }\}_{\lambda \in \mathbb {N}}\) be an ensemble where each \(\mathcal {F}_{\lambda }\) is a finite collection of n-ary functions. Each function \(f\in \mathcal {F}_{\lambda }\) takes as input strings \(x_1,\ldots ,x_n\), where each \(x_i\in \mathcal {X}_{\lambda }\), and outputs \(f(x_1,\ldots ,x_n)\in \mathcal {Y}_{\lambda }\).

An MiFE scheme \(\mathsf {MIFE}_{n}\) for n-ary functions \(\mathcal {F}\) consists of four algorithms \((\mathsf {MIFE}_{n}.\mathsf {Setup},\mathsf {MIFE}_{n}.\mathsf {KeyGen},{\mathsf {MIFE}_{n}.\mathsf {Enc}},\mathsf {MIFE}_{n}.\mathsf {Dec})\) described below:

  • Setup. \(\mathsf {MIFE}_{n}.\mathsf {Setup}(1^{\lambda })\) is a PPT algorithm that takes as input a security parameter \(\lambda \) and outputs the master secret key \(\mathsf {MIFE}_{n}.\mathsf {msk}\).

  • Key Generation. \(\mathsf {MIFE}_{n}.\mathsf {KeyGen}(\mathsf {MIFE}_{n}.\mathsf {msk},f)\) is a PPT algorithm that takes as input the master secret key \(\mathsf {MIFE}_{n}.\mathsf {msk}\) and a function \(f \in \mathcal {F}_{\lambda }\). It outputs a functional key \(\mathsf {MIFE}_{n}.sk_f\).

  • Encryption. \(\mathsf {MIFE}_{n}.\mathsf {Enc}(\mathsf {MIFE}_{n}.\mathsf {msk},m,i)\) is a PPT algorithm that takes as input the master secret key \(\mathsf {MIFE}_{n}.\mathsf {msk}\), a message \(x \in \mathcal {X}_{\lambda }\) and an index \(i\in [n]\). It outputs a ciphertext \(\mathsf {MIFE}_{n}.\mathsf {ct}\).

    Here index i signals to the encryption algorithm that message x corresponds to the \(i^{th}\) input of functions \(f \in \mathcal {F}_{\lambda }\).

  • Decryption. \(\mathsf {MIFE}_{n}.\mathsf {Dec}(\mathsf {MIFE}_{n}.sk_f,\mathsf {MIFE}_{n}.\mathsf {ct})\) is a deterministic algorithm that takes as input a functional key \(\mathsf {MIFE}_{n}.sk_f\) and a ciphertext \(\mathsf {MIFE}_{n}.\mathsf {ct}\). It outputs a value \(y\in \mathcal {Y}_{\lambda }\).

Remark 3.1

From now on, we use the phrase “encryption of m in the \(i^{th}\) position” to refer to the process of executing \(\mathsf {MIFE}_{n}.\mathsf {Enc}\) on the input \((\mathsf {MIFE}_{n}.\mathsf {msk},m,i)\).

Correctness. There exists a negligible function \(\mathsf {negl}(\cdot )\) such that for all sufficiently large \(\lambda \in \mathbb {N}\), every n-ary function \(f\in \mathcal {F}_{\lambda }\) and input tuple \((x_1,\ldots ,x_n)\in \mathcal {X}_{\lambda }^n\) 8.510.5

$$\begin{aligned} \Pr \left[ \begin{array}{l} \mathsf {MIFE}_{n}.\mathsf {msk}\leftarrow \mathsf {MIFE}_{n}.\mathsf {Setup}\left( 1^{\lambda }\right) \,;\,\mathsf {MIFE}_{n}.sk_f\leftarrow \mathsf {MIFE}_{n}.\mathsf {KeyGen}\left( \mathsf {MIFE}_{n}.\mathsf {msk},f\right) \,;\,\\ \qquad \quad \mathsf {MIFE}_{n}.\mathsf {Dec}\left( \mathsf {MIFE}_{n}.sk_f, \left\{ \mathsf {MIFE}_{n}.\mathsf {Enc}\left( \mathsf {MIFE}_{n}.\mathsf {msk},x_i,i\right) \right\} _{i=1}^n\right) \ne f\left( x_1,\ldots ,x_n\right) \end{array} \right] \end{aligned}$$

is at most \(\mathsf {negl}(\lambda )\). In the above expression, the probability is taken over the random coins of all the algorithms.

We present the function privacy definition below. Similar to the single ary setting, we can consider two security notions – selective and adaptive. We first give the selective security definition since this is the definition we are going to consider throughout this paper.

Definition 3.2

(Selective Function Private MiFE). A secret-key MiFE scheme \(\mathsf {MIFE}_{n}\) for n-ary functions \(\mathcal {F}\) is \((q_{\mathsf {key}},q_{\mathsf {msg}},\mu )\)-selective function private if for any PPT adversary \(\mathcal {A}\), there exists a function \(\mu (\lambda )\) such that for all sufficiently large \(\lambda \in \mathbb {N}\), the advantage of \(\mathcal {A}\) is

$$\mathsf {Adv}_{\mathcal {A}}^{\mathsf {MIFE}_{n}} = \Big | \mathsf {Pr}[\mathsf {Expt}_{\mathcal {A}}^{\mathsf {MIFE}_{n}}(1^{\lambda },0)=1] - \mathsf {Pr}[\mathsf {Expt}_{\mathcal {A}}^{\mathsf {MIFE}_{n}}(1^{\lambda },1)=1] \Big | \le \mu (\lambda ), $$

where for each \(b \in \{0,1\}\) and \(\lambda \in \mathbb {N}\), the experiment \(\mathsf {Expt}_{\mathcal {A}}^{\mathsf {MIFE}_{n}}(1^{\lambda },b)\) is defined below:

  1. 1.

    Message Queries: \(\mathcal {A}\) submits \(q_{\mathsf {msg}}\) number of queries, \(\Big \{ \big ((x_{1,0}^{j},x_{1,1}^{j}),\ldots ,(x_{n,0}^{j},x_{n,1}^{j}) \big ) \Big \}_{j \in [q_{\mathsf {msg}}]}\), with \(x_{i,0}^{j} \in \mathcal {X}_{\lambda }\), to the challenger C.

  2. 2.

    C computes \(\mathsf {MIFE}_{n}.\mathsf {msk}\leftarrow \mathsf {MIFE}_{n}.\mathsf {Setup}(1^{\lambda })\). It then computes \(\mathsf {MIFE}_{n}.\mathsf {ct}_i^{j} \leftarrow \mathsf {MIFE}_{n}.\mathsf {Enc}(\mathsf {MIFE}_{n}.\mathsf {msk},x_{i,b}^{j})\) for all \(i \in [n]\) for all \(j \in [q_{\mathsf {msg}}]\). The challenger C then sends \(\big \{(\mathsf {MIFE}_{n}.\mathsf {ct}_{1}^j,\ldots ,\mathsf {MIFE}_{n}.\mathsf {ct}_{n}^j)\big \}_{j \in [q_{\mathsf {msg}}]}\) to the adversary \(\mathcal {A}\).

  3. 3.

    Function Queries: The following is repeated up to \(q_{\mathsf {key}}\) times: \(\mathcal {A}\) submits a function query \((f_0,f_1) \in \mathcal {F}_{\lambda }^2\) to C. The challenger C computes \(\mathsf {MIFE}_{n}.sk_{f}\leftarrow \mathsf {MIFE}_{n}.\mathsf {KeyGen}({\mathsf {MIFE}_{n}.\mathsf {msk}},f_b)\) and sends it to \(\mathcal {A}\).

  4. 4.

    If there exists a function query \((f_0,f_1)\) and a challenge message query \(\big ((x_{1,0},\ldots ,x_{n,0}),\) \((x_{1,1},\ldots ,x_{n,1}) \big )\) such that \(f_0(x_{1,0},\ldots ,x_{n,0})\ne \) \(f_1(x_{1,1},\ldots ,x_{n,1})\), then the output of the experiment is set to \(\bot \). Otherwise, the output of the experiment is set to \(b'\), where \(b'\) is the output of \(\mathcal {A}\).

Remark 3.3

When \(\mu \) is a negligible function in the security parameter, then we omit it from the notation and simply refer to \((q_{\mathsf {key}},q_{\mathsf {msg}})\)-function privacy of MiFE.

Constructing Function Private MiFE. In the single ary setting, Brakerski-Segev [16] gave a generic transformation that converts any secret key single ary FE into a function private secret key single ary FE. We observe that techniques, similar to those used in Brakerski-Segev, can be adapted to obtain a transformation from any i-ary MiFE into a function private i-ary MiFE in the secret key setting. We defer the technical details to the full version.

4 Our Transformation: From \(\mathbf {c}\)-ary to \(\mathbf {(c+1)}\)-ary MiFE

In this section, we show how to transform a secret-key MiFE scheme for c-ary functions into an MiFE scheme for \((c+1)\)-ary functions, for \(c \ge 1\).

Our transformation proceeds in two steps:

  1. 1.

    Starting with an MiFE scheme for c-ary functions, we first apply the function privacy transformation (mentioned towards the end of Sect. 3) to obtain a function private MiFE scheme \(\mathsf {MIFE}_{c}\) for c-ary functions.

  2. 2.

    Next, we convert \(\mathsf {MIFE}_{c}\) into an MiFE scheme \(\mathsf {MIFE}_{c+1}\) for \(c+1\)-ary functions. We refer to this step as the arity amplification step.

We now describe the arity amplification step. We construct an MiFE scheme for \(c+1\)-ary functions \(\mathsf {MIFE}_{c+1}\) with function space \(\mathcal {F}^{c+1}\) and message space \(\mathcal {X}^{c+1}\).

Notation. We use the following tools in our transformation: (a) A function private MIFE scheme for c-ary functions, denoted as \(\mathsf {MIFE}_{c}=(\mathsf {MIFE}_{c}.\mathsf {Setup},\) \(\mathsf {MIFE}_{c}.\mathsf {KeyGen},{\mathsf {MIFE}_{c}.\mathsf {Enc}},{\mathsf {MIFE}_{c}.\mathsf {Dec}})\). Let \(\mathcal {F}^{\mathsf {fp},c}\) and \(\mathcal {X}^{\mathsf {fp},c}\) be the associated function space and message space, respectively. (b) A public-key FE scheme for single-ary functions, denoted as \(\mathsf {FE}=(\mathsf {FE}.\mathsf {Setup},\mathsf {FE}.\mathsf {KeyGen},{\mathsf {FE}.\mathsf {Enc}},{\mathsf {FE}.\mathsf {Dec}})\). Let \(\mathcal {F}^{\mathsf {fe}}\) and \(\mathcal {X}^{\mathsf {fe}}\) be the associated function space and message space, respectively. (c) A puncturable pseudorandom function family, denoted as \(\mathsf {F}=\mathsf {PRF}_{K}(\cdot )\).

Setup \(\mathsf {MIFE}_{c+1}.\mathsf {Setup}(1^{\lambda })\) : On input a security parameter \(\lambda \), sample a master secret key \(\mathsf {MIFE}_{c}.\mathsf {msk}\leftarrow \mathsf {MIFE}_{c}.\mathsf {Setup}(1^{\lambda })\) of \(\mathsf {MIFE}_{c}\) and a key pair \((\mathsf {FE}.\mathsf {pk}\), \(\mathsf {FE}.\mathsf {msk})\leftarrow \mathsf {FE}.\mathsf {Setup}(1^{\lambda })\) of \(\mathsf {FE}\). Output \(\mathsf {MIFE}_{c+1}.\mathsf {msk}=(\mathsf {MIFE}_{c}.\mathsf {msk}, \mathsf {FE}.\mathsf {pk}, \mathsf {FE}.\mathsf {msk})\).

Key Generation \(\mathsf {MIFE}_{c+1}.\mathsf {KeyGen}(\mathsf {MIFE}_{c+1}.\mathsf {msk},f)\) : On input master secret key \(\mathsf {MIFE}_{c+1}.\mathsf {msk}\) and a function \(f \in \mathcal {F}^{c+1}\), parse \(\mathsf {MIFE}_{c+1}.\mathsf {msk}=(\mathsf {MIFE}_{c}.\mathsf {msk},\mathsf {FE}.\mathsf {pk}, \mathsf {FE}.\mathsf {msk})\). Sample a functional key \(\mathsf {FE}.sk_{f}\leftarrow \mathsf {FE}.\mathsf {KeyGen}({\mathsf {FE}.\mathsf {msk}},f)\) for function f. Output \(\mathsf {MIFE}_{c+1}.sk_f=\) \(\mathsf {FE}.sk_f\).

Encryption \(\mathsf {MIFE}_{c+1}.\mathsf {Enc}(\mathsf {MIFE}_{c+1}.\mathsf {msk},x,i)\) : On input master secret key \(\mathsf {MIFE}_{c+1}.\mathsf {msk}\), message \(x \in \mathcal {X}^{c+1}\) and index i, parse \(\mathsf {MIFE}_{c+1}.\mathsf {msk}=(\mathsf {MIFE}_{c}.\mathsf {msk}, \mathsf {FE}.\mathsf {pk},\mathsf {FE}.\mathsf {msk})\).

  1. 1.

    If \(i=1\), then draw a PRF key \(K\in \{0,1\}^{\lambda }\) at random. Initialize the index vector \(\mathcal {I}=(0,\ldots ,0)\). Compute \(\mathsf {MIFE}_{c}.sk_{G}\leftarrow \mathsf {MIFE}_{c}.\mathsf {KeyGen}(\mathsf {MIFE}_{c}.\mathsf {msk},G)\) where the circuit \(G=\mathsf {GenCT}^{(c)}_{[x,1,K,\mathsf {FE}.\mathsf {pk},\mathcal {I}]} \in \mathcal {F}^{\mathsf {fp},c}\) is described in Fig. 2. Output the ciphertext \(\mathsf {MIFE}_{c+1}.\mathsf {ct}=\mathsf {MIFE}_{c}.sk_{G}\).

  2. 2.

    Else, if \(2 \le i \le c+1\), then perform the following steps:

    • If the input message x is of the form \((x_1,x_2,1,\tau ,i-1)\) then compute \(\mathsf {MIFE}_{c+1}.\mathsf {ct}\leftarrow \mathsf {MIFE}_{c}.\mathsf {Enc}(\mathsf {MIFE}_{c}.\mathsf {msk},(x_1,x_2,1,\tau ,i),i)\)

    • Else, choose a tag \(\tau \in \{0,1\}^{\lambda }\) at random. Compute \(\mathsf {MIFE}_{c+1}.\mathsf {ct}\leftarrow \mathsf {MIFE}_{c}.\mathsf {Enc}(\mathsf {MIFE}_{c}.\mathsf {msk},(x,{x},1,\tau ,i),i)\).

    Output the ciphertext \(\mathsf {MIFE}_{c+1}.\mathsf {ct}\).

Fig. 2.
figure 2

Description of \(\mathsf {GenCT}^{c}\).

Full size image

Decryption  \(\mathsf {MIFE}_{c+1}.\mathsf {Dec}(\mathsf {MIFE}_{c+1}.sk_f,\mathsf {MIFE}_{c+1}.\mathsf {ct}_1,\ldots ,\mathsf {MIFE}_{c+1}.\mathsf {ct}_{c+1})\) : On input \((\mathsf {MIFE}_{c+1}.sk_f,{\mathsf {MIFE}_{c+1}.\mathsf {ct}_1},{\ldots },{\mathsf {MIFE}_{c+1}.\mathsf {ct}_{c+1}})\), perform the following steps:

  1. 1.

    Parse: (a) \(\mathsf {MIFE}_{c+1}.sk_f=\mathsf {FE}.sk_f\), (b) \({\mathsf {MIFE}_{c+1}.\mathsf {ct}}_1={\mathsf {MIFE}_{c}.sk}_G\), and (c) \(\mathsf {MIFE}_{c+1}.\mathsf {ct}_{i}=\mathsf {MIFE}_{c}.\mathsf {ct}_{i-1}\) for all \(i \ne 1\), where \(\mathsf {MIFE}_{c}.\mathsf {ct}_{i-1}\) denotes the ciphertext corresponding to \((i-1)^{th}\) position in \(\mathsf {MIFE}_{c}\).

  2. 2.

    Next, compute \(\mathsf {FE}.\mathsf {ct}^*\leftarrow \mathsf {MIFE}_{c}.\mathsf {Dec}(\mathsf {MIFE}_{c}.sk_{G},{\mathsf {MIFE}_{c}.\mathsf {ct}_1},\ldots ,{\mathsf {MIFE}_{c}.\mathsf {ct}_{c}})\).

  3. 3.

    Finally, compute \(y\leftarrow \mathsf {FE}.\mathsf {Dec}(\mathsf {FE}.sk_f,{\mathsf {FE}.\mathsf {ct}^*})\). Output y.

This completes the description of the scheme.

Correctness. We now argue the correctness of \(\mathsf {MIFE}_{c+1}\). Let \(\mathsf {MIFE}_{c}.sk\) be a valid functional key for the function \(\mathsf {GenCT}[x_1,j_1,K,\mathsf {FE}.\mathsf {pk},\mathcal {I}]\) w.r.t. \(\mathsf {MIFE}_{c}\). For \(i \in [c]\), let \(\mathsf {MIFE}_{c}.\mathsf {ct}_i\) be a valid encryption of \(x_{i+1}\) w.r.t. \(\mathsf {MIFE}_{c}\). By the correctness of \(\mathsf {MIFE}_{c}.\mathsf {Enc}\), we have that the output of \(\mathsf {MIFE}_{c}.\mathsf {Dec}(\mathsf {MIFE}_{c}.sk_{\mathsf {GenCT}},\mathsf {MIFE}_{c}.\mathsf {ct}_1,\ldots ,\mathsf {MIFE}_{c}.\mathsf {ct}_{c})\) is \(\mathsf {FE}.\mathsf {ct}^*\), where \(\mathsf {FE}.\mathsf {ct}^*\) is a valid encryption of \((x_1,\ldots ,x_{c+1})\) w.r.t. \(\mathsf {FE}\). Further, from the correctness of \(\mathsf {FE}\), it follows that the output of \(\mathsf {FE}.\mathsf {Dec}(\mathsf {FE}.sk_f,\mathsf {FE}.\mathsf {ct}^*)\) is \(f(x_1,\ldots ,x_{c+1})\), where \(\mathsf {FE}.sk_f\) is a valid functional key of f w.r.t. \(\mathsf {FE}\).

The proof of security can be found in the full version [5].

5 Multi-input FE from Single-input FE

In Sect. 4, we gave a general transformation from a secret-key MiFE scheme for c-ary functions to another secret-key MiFE scheme for \(c+1\)-ary functions. Using this transformation, we now give a construction of a secret-key MiFE scheme for functions with \(n=\mathsf {poly}(\lambda )\) arity. Later we will use this construction to obtain our main result on \(i\mathrm {O}\). We will also consider different instantiations of this construction which yield new results on constant-ary MiFE from standard assumptions.

We construct a n-ary \((q,q)\)-secure MiFE scheme \(\mathsf {MIFE}_{n}\). To obtain this construction we start with a \(q\)-secureFootnote 8 public-key FE scheme. This implies a single-ary \((q,q)\)-secure secret-key MiFE scheme, \(\mathsf {MIFE}_{1}\).

figure a

Repeat the following two steps for \(c=1,\ldots ,n\):

  1. 1.

    Function Privacy Transformation: Using the MiFE function-privacy transformation (mentioned towards the end of Sect. 3), convert the \((q,q)\)-secure MiFE scheme \(\mathsf {MIFE}_{c}\), obtained in the previous iteration, into a function-private \((q,q)\)-secure MiFE scheme \(\mathsf {MIFE}_{c}^{\mathsf {fp}}\), also supporting c-arity functions.

  2. 2.

    Arity Amplification: The function-private c-ary \((q,q)\)-secure MiFE scheme \(\mathsf {MIFE}_{c}^{\mathsf {fp}}\) obtained in the previous step is then transformed into a \(c+1\)-ary \((q,q)\)-secure MiFE scheme, using the transformation presented in Sect. 4. In this step, we additionally use a \(q\)-secure public-key FE scheme \(\mathsf {FE}\).

The efficiency properties of the underlying public-key FE scheme determines the value of n that we can achieve in the above construction. Consequently, we consider two different instantiations of the underlying public-key FE scheme that yield different results. We discuss these instantiations next.

iO from Compact FE. We start by stating our main result for secret-key MiFE for polynomial-arity functions.

Theorem 5.1

For all \(n=\mathrm {poly}(\lambda )\), the above proposed scheme \(\mathsf {MIFE}_{n}\) is \((q,q)\)-secure for any polynomial \(q\), assuming that \(\mathsf {FE}\) is \(\Big (1,\frac{1}{(64q)^{(n+1)^2} \cdot 2^{\lambda }} \Big )\)-selectively secure compact public-key FE scheme.

The core non triviality in the above theorem is to argue that the size of parameters does not grow exponentially with the number of iterations. At a high level, this is because the compactness of \(\mathsf {FE}\) ensures that the growth of the parameters at the \(i^{th}\) level (i-ary MiFE) depends only on the security parameter, level i and the message length. The actual calculations can be found in the appropriate section in the full version.

We now invoke a theorem by [35] that shows how to obtain iO for functions of input length n from a n-ary MiFE for a specific function family. We thus have the following main theorem.

Theorem 5.2

Assuming the \((2,\frac{1}{(128)^{n^2} 2^{\lambda }})\)-security of compact public-key selectively secure \(\mathsf {FE}\) public key FE scheme for polynomial time computable functions, the scheme \(i\mathrm {O}\) is an indistinguishability obfuscation scheme for P/poly.

Constant ary MiFE. If we restrict our attention to just constant ary MiFE then we can obtain a construction based on public key encryption encryption schemes. We state the result formally below.

Theorem 5.3

For any constant n, the above proposed scheme \(\mathsf {MIFE}_{n}\) is \((q,q)\)-selectively secure assuming that \(\mathsf {FE}\) is a \(q\)-selectively secure (not necessarily compact) public-key FE scheme.

Combining Theorem 5.3 with [37, 44], we obtain the following result.

Corollary 5.4

For any polynomial \(q=q(\lambda )\), there exists a \((q,q)\)-selectively secure secret-key MiFE scheme for constant-arity functions, assuming the existence of semantically-secure public-key encryption.

The reason why we can only achieve constant arity is because the growth of parameters in this case could be exponential. If we start from any public key FE scheme, the size of the parameters at each level grows proportional to the size of the parameters at the next level. This stems from the fact that the FE scheme that we start off with could be such that the encryption complexity might depend on the function complexity. And hence, the number of iterations that can be performed is just a constant. A detailed explanation is provided in the full version.