Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Indistinguishability obfuscation (\(i\mathcal {O}\)), first formalized in [7] and further investigated in [26], is currently one of the most intriguing notions on the cryptographic landscape, and it has attracted a tremendous amount of attention in the last few years. Since Garg et al. [21] put forward a plausible candidate obfuscation algorithm, \(i\mathcal {O}\) has been successfully used to solve a wide range of complex cryptographic problems, including functional encryption [21], deniable encryption [32], and much more (e.g., see [8, 16].) However, the problem of building an obfuscator with a solid proof of security is still far from being solved. The multilinear-map problems [1820, 23] underlying most known candidate \(i\mathcal {O}\) constructions [5, 6, 11, 21, 24, 31] have recently been subject to attacks [15, 17], and basing \(i\mathcal {O}\) on a solid, well-understood standard complexity assumption, has rapidly emerged as perhaps the single most important open problem in the area of cryptographic obfuscation.

An alternative path toward the construction of \(i\mathcal {O}\) from standard assumptions has recently been opened by Bitansky and Vaikuntanathan [9] and Ananth and Jain [3], who independently showed that \(i\mathcal {O}\) can be built from any (subexponentially secure) public key functional encryption scheme satisfying certain compactness requirements. While general constructions of compact functional encryption (for arbitrary functions) are only known using \(i\mathcal {O}\), functional encryption is typically considered a weaker primitive than general \(i\mathcal {O}\), or, at very least, a more manageable one, closer to what cryptographers know how to build. In fact, several functional encryption schemes (for restricted, but still rather broad classes of functions) are known achieving various notions of security [2, 12, 14, 25, 34]. We recall that a (public key) functional encryption scheme [1, 10, 30, 33] is an encryption scheme with a special type of functional secret decryption keys \( sk _f\) (indexed by functions f) such that encrypting a message m (using the public key) and then decrypting the resulting ciphertext using \( sk _f\) produces the output of the function f(m), without revealing any other information about the message. Parameters of interest in the study of functional encryption (in relation to obfuscation) are the time (or circuit) complexity of the encryption function \(t^{\mathsf {Enc}}\) and the number of functional keys \( sk _f\) that can be released without compromising the security of the scheme. (See Sect. 2 for formal definitions and details about security.) Ideally, we would like the encryption time \(t^{\mathsf {Enc}}\) to depend (polynomially) only on the message size |m| (irrespective of the complexity of the functions f computed during decryption), and the scheme to support an arbitrary polynomial number q of functional decryption keys \( sk _f\). Schemes satisfying these two properties are usually called compact (when \(t^{\mathsf {Enc}}\) is independent of the size |f| of the circuit computing the function), and collusion-resistant (when q can be an arbitrary polynomial).

The class of functions f supported by the scheme is also an important parameter, but for simplicity here we will focus on schemes for which f can be any polynomial sized circuit. Interestingly, [25] gives a functional encryption scheme (based on standard lattice assumptions) which supports arbitrary functions f. However, the scheme allows to release only \(q=1\) decryption key (i.e., it is not collusion resistant) and the complexity of encryption depends polynomially on the output size and circuit depth of f (i.e., the scheme is not compact.) It is easy to see that any number q of functional decryption keys can always be supported simply by picking q independent public keys. But this makes the complexity of encryption grow linearly with q. So, technically, the constraint that a scheme is collusion-resistant can be reformulated by requiring that the complexity of encryption \(t^{\mathsf {Enc}}\) is independent of q. One can also consider weaker versions of both compactness and collusion resistance where the complexity of encryption \(t^{\mathsf {Enc}}\) is required to be just sublinear in |f| or q.

Using this terminology, the main result of [3, 9] states that any (weakly) compact (but not necessarily collusion-resistant) functional encryption scheme can be used to build an \(i\mathcal {O}\) obfuscator.Footnote 1 In an effort to further reduce (or better understand) the minimal assumptions on functional encryption required to imply obfuscation, the full version of [9] also gives a polynomial reduction from weakly compact functional encryption to (non-compact) weakly collusion-resistant functional encryption. A similar polynomial reduction from compact functional encryption to (non-compact) collusion-resistant functional encryption is also given in [4], where it is suggested that non-compact functional encryption may be easier to achieve, and the reduction is presented as a further step toward basing obfuscation on standard assumptions. In summary, the relation between these four variants of functional encryption (all known to imply \(i\mathcal {O}\) by the results of [3, 9]) is summarized by the solid arrows in the following diagram:

figure a

where the horizontal implications are trivial (from stronger to weaker constraints on the \(t^{\mathsf {Enc}}\)) and the vertical implications are from [3, 9].

1.1 Our Results and Techniques

In this paper we further investigate the relation between these four variants of functional encryption, and prove (among other things) the following result:

Theorem 1

(Informal). There is a polynomial time reduction from collusion-resistant functional encryption to weakly compact functional encryption.

This adds precisely the (dotted) diagonal arrow to the previous diagram, showing (by transitivity) that all four variants are equivalent under polynomial time reductions. Technically, proving the above theorem requires showing that any single key (\(q=1\)) functional encryption scheme satisfying some weak compactness requirement can be turned into a scheme supporting an arbitrary large polynomial number Q of functional key queries. We do so in a modular way, analyzing two general constructions that can be used to combine two arbitrary functional encryption schemes, which we call the SUM construction and the PRODUCT construction.

  • The SUM construction takes two functional encryption schemes \(FE_1\), \(FE_2\) supporting \(q_1\) and \(q_2\) functional key queries, and combines them into a new scheme \(FE_1+FE_2\) supporting \(q_1+q_2\) key queries.

  • The PRODUCT construction takes two functional encryption schemes \(FE_1\), \(FE_2\) supporting \(q_1\) and \(q_2\) functional key queries, and combines them into a new scheme \(FE_1\times FE_2\) supporting \(q_1\cdot q_2\) key queries.

The two constructions can be recursively combined in a number of different ways, exhibiting various efficiency/security tradeoffs. For example, Theorem 1 corresponds to starting from a scheme \(FE_1\) supporting a single key (\(q_1=1\)), using the SUM construction \(FE_2 = (FE_1+FE_1)\) to support \(q_2=2\) keys, and then iterating the PRODUCT construction \((FE_2\times \cdots \times FE_2)\) precisely \(\log (Q)\) times, where Q is the desired number of key queries in the final scheme. (Here for simplicity Q is chosen in advance, but our operations are flexible enough to design a scheme where Q is chosen dynamically by the adversary, and the public key does not depend on Q.)

Another possible instantiation is given by repeatedly squaring the scheme \(FE_2\), i.e., defining \(FE_4 = FE_2\times FE_2\), \(FE_{16} = FE_4\times FE_4\), etc. The squaring operation is repeated \(\log (\log ((Q))\) times, to yield a scheme supporting Q queries. (Again, we are assuming Q is fixed in advance for simplicity, and our results are easily extended to dynamically chosen Q.) Interestingly (and perhaps surprisingly) this produces a different scheme than the iterated product described before, offering different trade-offs. Specifically, the iterated squaring scheme is no longer compact, and the complexity of encryption now depends on Q. However, the dependence is pretty mild, just double-logarithmic \(\log (\log (Q))\), as opposed to linear O(Q) as in the trivial construction. This mild dependence on Q results in different ciphertext lengths: while the iterated product construction produces a ciphertext of length twice as long as that of the underlying single-key FE scheme, the iterated squaring construction produces a ciphertext that is a single encryption of a slightly longer message using the underlying FE scheme.

The methods used by the SUM and PRODUCT constructions are relatively standard: the SUM construction is essentially a formalization and generalization of the trivial “repetition” construction to turn a single-key scheme into one supporting q key queries by picking q public keys. The PRODUCT construction is based on the same type of “chaining” techniques used in many bootstrapping theorems before this work. The main technical novelty of this work is the general modular framework to combine the operations, and the detailed analysis of the efficiency and security of the SUM and PRODUCT construction. We remark that, even for the trivial construction, a detailed analysis is needed in order to evaluate the parameters growth when the constructions are applied iteratively an arbitrary (non-constant) number of times. The details of our SUM and PRODUCT constructions are also particularly simple: both constructions combine the component FE schemes making a simple use of just a length doubling pseudorandom generator. Similar constructions in the literature typically make use of more complex building blocks, like puncturable pseudorandom function. We consider the simplicity of the constructions in this work as a positive feature.

1.2 Other Related Work

In a concurrent and independent work, Garg and Srinivasan [22] present a generic transformation from a polynomial-hard single-key weakly-compact FE scheme to a collusion-resistant compact FE scheme. While their work and ours have similar complexity theoretic implications about the existence of functional encryption schemes, they are quite different at the technical level, and produce very different constructions of (collusion resistant) functional encryption, which may be of independent interest. At a high level, the construction of [22] is based on the use of single-key FE schemes to simulate the role of the obfuscation in the \(i\mathcal {O}\)-to-FE transformations of [3, 9], together with a prefix puncturable pseudorandom function. Our constructions are much more direct, and make use of just a simple pseudorandom generator. An easy way to see how this leads to very different schemes is that our FE public keys are just the same as the public keys of the underlying (single-key) FE scheme, while the public keys of [22] consist of polynomially many functinal decryption keys from the underlying (single-key) FE scheme. So, one advantage of our work over [22] is simplicity and, potentially, efficiency.Footnote 2 On the other hand the construction of [22] produces a compact FE scheme even while starting from a weakly compact one, while our construction only preserves the compactness properties, from weakly compact to weakly compact or from fully compact to fully compact.

Our definition of a SUM and PRODUCT construction, and their combined use to build different schemes exhibiting a variety of efficiency/security tradeoffs is somehow similar to the work [28], where sum and product constructions are used to build forward secure signature schemes supporting an arbitrary number of updates, starting from regular signatures (i.e., supporting no updates) and hash functions. However, beside this high level similarity, we deal with completely different cryptographic primitives. The chaining technique used in our product construction has been used many times before in previous bootstrapping theorems for functional encryption, but it is most closely related to the work of [13] where chaining is used in a tree fashion to achieve a hierarchical functional encryption scheme. Our composition approach can be easily adapted to that setting to make the construction and analysis of [13] more modular.

2 Background

We first set up the notation and terminology used in our work.

2.1 Functional Encryption

For notational simplicity, we assume that all randomized algorithms (e.g., key generation and encryption procedure of a cryptosystem) all use precisely \(\kappa \) bits of randomness, where \(\kappa \) is the security parameter. This is without loss of generality, as \(\kappa \) bits of randomness can be used to generate polynomially many pseudorandom bits using a pseudorandom generator.

We consider only public key functional encryption schemes in our work, so from now on we omit “public key” and just say functional encryption. We use the following syntax for functional encryption schemes, where \(R=\{0,1\}^\kappa \).

Definition 1

A Functional Encryption scheme is specified by four sets MRIF (the message, randomness, index and function spaces) and four algorithms \((\mathsf {Setup}\), \(\mathsf {Enc}\), \(\mathsf {Dec}\), \(\mathsf {KeyGen})\) where

  • \(\mathsf {Setup}( sk )= pk \) is a public key generation algorithm that on input a random secret key \( sk \in R\), produces a corresponding public key \( pk \).

  • \(\mathsf {Enc}( pk ,m;r)=c\) is an encryption algorithm that on input a public key \( pk \), message \(m\in M\) and randomness \(r\in R\), produces a ciphertext c.

  • \(\mathsf {KeyGen}( sk ,f,i)= fk \) is a functional key derivation algorithm that on input a secret key \( sk \), a function \(f\in F\), and an index \(i\in I\), produces a functional decryption key \( fk \) associated to f.

  • \(\mathsf {Dec}( fk ,c)=m'\) is a decryption algorithm that on input a functional decryption key \( fk \) and ciphertext c, outputs a plaintext message \(m'\).

The scheme is correct if with overwhelming probability (over the choice of \( sk ,r\in R\)), for any message \(m\in M\), function \(f\in F\) and index \(i\in I\), it holds that

$$\begin{aligned} \mathsf {Dec}(\mathsf {KeyGen}( sk ,f,i),\mathsf {Enc}(\mathsf {Setup}( sk ),m;r)) = f(m). \end{aligned}$$

Our syntax for functional encryption schemes slightly differs from the standard one in two respects. First, we identify the randomness used by the public key generation procedure \(\mathsf {Setup}\) with the master secret key of the scheme. This is without loss of generality, but provides a more convenient syntax for our constructions. The other is that the functional key derivation algorithm \(\mathsf {KeyGen}\) takes an index i as an additional parameter. The only requirement on this index is that different calls to \(\mathsf {KeyGen}( sk ,\cdot ,i)\) use different values of i. The role of i is simply to put a bound on the number of calls to the functional key derivation algorithm. (In particular, the indexes \(i\in I\) can be used in any order, and the key derivation algorithm does not need to keep any state.) For example, a functional encryption scheme supporting the release of a single functional key \( fk \) will have an index space \(I=\{1\}\) of size 1.

Remark 1

We remark that the standard definition of bounded collusion resistant functional encryption typically allows an arbitrary number of calls to \(\mathsf {KeyGen}\), and imposes a bound only on the number of functional decryption keys that are released to the adversary. This always requires the set I to have exponential (or, at least, superpolynomial) size in the security parameter. So, our definition of I-bounded FE is somehow more restrictive than |I|-bounded collusion resistance. When the set I has superpolynomial size (e.g., as obtained in the main results of this paper,) it is easy to make the \(\mathsf {KeyGen}\) completely stateless and match the standard FE security definition with only a negligible loss in security, e.g., by letting \(\mathsf {KeyGen}\) pick \(i \in I\) at random, or setting \(i = H(f)\) for some collision resistant hash function \(H:F\rightarrow I\).

Security. Since our work is primarily motivated by the application of FE to indistinguishability obfuscation [3, 9], we will use an indistinguishability security definition for FE, which is the most relevant one in this context. We follow the indistinguishability security notions as defined in [10], expressed in the functional/equational style of [27, 29]. Security for functional encryption is defined by a game between a challenger and an adversary. Both the challenger and the adversary are reactive programs, modeled by monotone functions: the challenger is a function \(\mathcal {H}^\mathsf {FE}((m_0,m_1),\{f_i\}_{i\in I}) = ( pk ,c,\{ fk ^i\}_{i\in I})\) that receives as input a pair of message \((m_0,m_1)\in M^2\) and collection of function queries \(f_i \in F\), and outputs a public key \( pk \), ciphertext c and collection of functional keys \( fk ^i\) for \(i\in I\). The adversary is a function \(\mathcal {A}( pk ,c,\{ fk ^i\}_{i\in I}) = ((m_0,m_1),\{f_i\}_{i\in I},b')\) that on input a public key \( pk \), ciphertext c and functional keys \(\{ fk ^i\}_{i\in I}\) outputs a pair of messages \((m_0,m_1)\), function queries \(\{f_i\}_{i\in I}\) and decision bit \(b'\). We recall that, as reactive programs, \(\mathcal {H}\) and \(\mathcal {A}\) can produce some outputs before receiving all the inputs. (Formally, each of the input or output variable can take a special undefined value \(\bot \), subject to the natural monotonicity requirements. See [29] for details.)

Security for an FE scheme \(\mathsf {FE}\) is defined using the following challenger \(\mathcal {H}_b^\mathsf {FE}\), parameterized by a bit \(b \in \{0,1\}\):

figure b

By the notation \(x \leftarrow R\) we mean the operation of selecting an element uniformly at random from R. Note that, if \(f_i = \bot \) or \(m_j = \bot \), then \(f_i(m_j) = \bot \). So, this challenger corresponds to a non-adaptive security definition where the adversary cannot get any functional key before choosing the challenge messages \((m_0,m_1)\). On the other hand, the public key \( pk \) is computed (and given to the adversary) right away, so the (distribution of the) messages \((m_0,m_1)\) may depend on the value of the public key. Alternative definitions can be obtained by setting

  • \( pk =\) if \(((m_0,m_1) \ne \bot )\) then \(\mathsf {Setup}( sk )\) else \(\bot \), which corresponds to the selective (i.e., fully non-adaptive) attack where the adversary has to choose the messages before seeing the public key.

  • \( fk ^i = \mathsf {KeyGen}( sk ,f_i,i)\) and \(c =\) if \((\forall i. f_i(m_0)=f_i(m_1))\) then \(\mathsf {Enc}( pk ,m_b;r)\) else \(\bot \), which corresponds to allowing function queries (only) before choosing the messages \((m_0,m_1)\).

All our results and constructions are easily adapted to all these different definitional variants, as well as fully adaptive settings where message and function queries can be specified in any order, subject to the natural non-triviality requirements.

A FE game \(\mathsf {Exp}_{FE}[\mathcal {H}_{(\cdot )}^\mathsf {FE},\mathcal {A}]\) is defined by the following system of equations:

figure c

The output of the game can be obtained by finding the least fixed point of \([\mathcal {H}_b^\mathsf {FE}, \mathcal {A}]\), which describes the output when the computation stabilizes. We say that the adversary \(\mathcal {A}\) wins the game \(\mathsf {Exp}_{FE}[\mathcal {H}_{(\cdot )}^{\mathsf {FE}},\mathcal {A}]\) if the game outputs \(\top \), and we define the advantage of \(\mathcal {A}\) in breaking the FE scheme \(\mathsf {FE}\) as

$$\begin{aligned} \mathsf {Adv}_{\mathsf {FE}}[\mathcal {A}] = \left| 2\Pr \{\mathsf {Exp}_{FE}[\mathcal {H}_{(\cdot )}^\mathsf {FE},\mathcal {A}] = \top \} - 1\right| . \end{aligned}$$

Alternatively, we can let the FE game be parameterized by b and output a bit \(b'\):

figure d

Then the advantage of \(\mathcal {A}\) in breaking the FE scheme \(\mathsf {FE}\) can be defined as

$$\begin{aligned} \mathsf {Adv}_{\mathsf {FE}}[\mathcal {A}] = \left| \Pr \{[\mathcal {H}_{0}^\mathsf {FE},\mathcal {A}]=1\} - \Pr \{[\mathcal {H}_{1}^\mathsf {FE},\mathcal {A}]=1\}\right| . \end{aligned}$$

The two formulations are easily seen to be perfectly equivalent.

Definition 2

A functional encryption scheme \(\mathsf {FE}\) is \((q,\epsilon )\)-non-adaptively (or selectively/adaptively) secure if \(|I| = q\) and for any efficient adversary \(\mathcal {A}\) there exists a negligible function \(\delta (\kappa )\) such that \(\delta (\kappa ) < \epsilon (\kappa )^{\varOmega (1)}\) and the advantage of \(\mathcal {A}\) in the non-adaptive (or selective/adaptive) FE game is bounded by \(\mathsf {Adv}_{\mathsf {FE}}[\mathcal {A}] \le \delta (\kappa )\).

When \(\epsilon (\kappa )\) is negligible, for simplicity we sometimes omit it and just say a FE scheme is q-secure, where \(q=|I|\) as in the definition above.

Efficiency. For a FE scheme to be useful in the real world applications or in building other cryptographic constructs, we need to measure its efficiency. Several notions have been considered in the literature, and here we mention those that are used in our work. Let \(\mathsf {FE}\) be a FE scheme with security parameter \(\kappa \), and let n be the length of messages to be encrypted. Then we say

  • \(\mathsf {FE}\) is compact Footnote 3 if the running time \(t^\mathsf {Enc}\) of the encryption procedure \(\mathsf {Enc}\) is polynomial in n and \(\kappa \), and it is independent of other parameters.

  • \(\mathsf {FE}\) is weakly compact Footnote 4 if \(t^\mathsf {Enc}\) is sub-linear in |I| and the maximal circuit size s of functions in F, and it is polynomial in n and \(\kappa \).

  • \(\mathsf {FE}\) is ciphertext-succinct or simply succinct if \(t^\mathsf {Enc}\) is polynomials in n, \(\kappa \), and the maximal circuit depth d of functions in F.

  • \(\mathsf {FE}\) is weakly ciphertext-succinct or simply weakly succinct if \(t^\mathsf {Enc}\) is sub-linear in |I| but is polynomials in n, \(\kappa \), and d.

The notion of compact FE has been considered in [3, 4], and also in [9] under the name fully circuit succinct. Here we choose the name “compact” to distinguish other variants of succinctness notions. It was shown in [3, 9] that a 1-secure compact FE with sub-exponential security for all circuits implies an indistinguishability obfuscation for all circuits.

Succinct FE scheme, a weaker notion, was considered in [25], where their definition was based on ciphertext length. They constructed a succinct FE scheme based on standard sub-exponential lattice assumptions. We note that, although our definition is stronger due to using the complexity of encryption, the [25] FE scheme is still ciphertext-succinct with our definition.

Furthermore, one may naturally require a FE scheme to be secure even when a large number of functional keys are released. We say a FE scheme is collusion-resistant if it is secure when |I| is any polynomial in \(\kappa \). When we also allow sub-linear dependence on |I|, the FE scheme is called weakly collusion-resistant.

2.2 Pseudorandom Generators

Our construction assumes the existence of pseudorandom generators that can stretch a short random seed to a polynomially long pseudorandom bit-string. In the following we give its definition and some conventions in using it.

Definition 3

Let \(\mathsf {G}: R \rightarrow S\) be a deterministic function that can be computed in polynomial time. We say that \(\mathsf {G}\) is a \(\mu (\kappa )\)-secure pseudorandom generator of stretch \(\ell (\kappa )\) if for all \(x \in R\) we have \(|\mathsf {G}(x)| = \ell (|x|)\), where \(\ell (\kappa )\) is a polynominal in \(\kappa \), and for any efficient adversary \(\mathcal {A}\) we have

$$\begin{aligned} \mathsf {Adv}_\mathsf {G}[\mathcal {A}] = \left| \Pr _{s \leftarrow S}\{\mathcal {A}(s) = 1\} - \Pr _{r \leftarrow R}\{\mathcal {A}(\mathsf {G}(r)) = 1\}\right| \le \mu (\kappa ). \end{aligned}$$

The quantity \(\mathsf {Adv}_\mathsf {G}[\mathcal {A}]\) is the advantage of \(\mathcal {A}\) in breaking the PRG \(\mathsf {G}\).

We write \(\mathsf {G}(r)\) to denote the output of a pseudorandom generator on input a (randomly chosen) seed r, with the domain and range of \(\mathsf {G}\) usually defined implicitly by the context. We write \(\mathsf {G}_i(r)\) to denote a specific part of the output, i.e., \(\mathsf {G}(r) = \mathsf {G}_0(r)\mathsf {G}_1(r)\ldots \mathsf {G}_k(r)\), where the blocks \(\mathsf {G}_i(r)\) usually have all the same length. The assumption is that \(\mathsf {G}(r)\) is computationally indistinguishable from a random string of length \(|\mathsf {G}(r)|\), i.e., \(\mathsf {G}\) is \(\mu \)-secure for some negligible function \(\mu (\kappa )\).

3 The SUM Construction

We describe a simple method to combine two functional encryption schemes \(\mathsf {FE}_0\) and \(\mathsf {FE}_1\) with index spaces \(I_0\) and \(I_1\), into a new scheme \(\mathsf {FE}= \mathsf {FE}_0 + \mathsf {FE}_1\) with index space \(I = I_0 + I_1 = \{(b,i) \mid b\in \{0,1\}, i \in I_b\}\) given by the disjoint union of \(I_0\) and \(I_1\). Let \(\mathsf {FE}_b = (\mathsf {Setup}_b,\mathsf {Enc}_b,\mathsf {Dec}_b,\mathsf {KeyGen}_b)\) for \(b\in \{0,1\}\). Then, \(\mathsf {FE}= (\mathsf {Setup},\mathsf {Enc},\mathsf {Dec},\mathsf {KeyGen})\) is defined as

  • \(\mathsf {Setup}( sk )=(\mathsf {Setup}_0(\mathsf {G}_0( sk )),\mathsf {Setup}_1(\mathsf {G}_1( sk )))\)

  • \(\mathsf {Enc}(( pk _0, pk _1),m;r) = (\mathsf {Enc}_0( pk _0,m;\mathsf {G}_0(r)),\mathsf {Enc}_1( pk _1,m;\mathsf {G}_1(r)))\)

  • \(\mathsf {Dec}((b, fk ),(c_0,c_1)) = \mathsf {Dec}_b( fk ,c_b)\)

  • \(\mathsf {KeyGen}( sk ,f,(b,i))=(b,\mathsf {KeyGen}_b(\mathsf {G}_b( sk ),f,i))\)

for all \( sk ,r \in R\), \(m\in M\), \(b \in \{0,1\}\) and \(i \in I_b\). Informally, the SUM scheme works by generating two public keys (one for each component scheme \(\mathsf {FE}_b\)), and encrypting each message under both public keys. When applied to two copies of the same scheme \(\mathsf {FE}_0=\mathsf {FE}_1\), this doubles the size of the index space \(|I|=2|I_b|\) (allowing twice as many functional decryption keys,) but at the cost of doubling also the public key and ciphertext size. The complexity of decryption and functional key generation stays essentially the same as that of the component schemes (no doubling, only a small additive increase for multiplexing), as only one of the two ciphertexts gets decrypted.

The correctness of the scheme is easily verified by substitution. Security (proved in the next theorem) is not entirely trivial, as it requires a careful use of the pseudorandom generator, but it still follows by a fairly standard hybrid argument. The construction preserves the non-adaptive/selective/adaptive security properties. We prove the non-adaptive version, which can be easily adapted to the other models.

Theorem 2

(SUM construction). If \(\mathsf {FE}_i\) for \(i \in \{0,1\}\) is a succinct \((q_i,\epsilon _i)\)-non-adaptively secure FE scheme for functions in the class F, with public key size \(\ell _i^k\) and ciphertext length \(\ell _i^c\), and if \(\mathsf {G}\) is a \(\mu \)-secure pseudorandom generator, then \(\mathsf {FE}=\mathsf {FE}_0+\mathsf {FE}_1\) is a succinct \((q_0+q_1,\epsilon _0+\epsilon _1+4\mu )\)-non-adaptively secure FE scheme for F with public-key size \(\ell _0^k+\ell _1^k\) and ciphertext length \(\ell _0^c+\ell _1^c\).

Moreover, if the algorithms \(\mathsf {Setup}_i,\mathsf {Dec}_i,\mathsf {KeyGen}_i\) and \(\mathsf {Enc}_i\) of \(\mathsf {FE}_i\) run in time \(t_i^\mathsf {Setup}\),\(t_i^\mathsf {Dec}\),\(t_i^\mathsf {KeyGen}\) and \(t_i^\mathsf {Enc}(n,\kappa ,d_i)\), respectively, where \(d_i\) is the maximum depth of functions in F, and if \(\mathsf {G}\) runs in time \(t^\mathsf {G}\), then the running times of the algorithms in \(\mathsf {FE}= \mathsf {FE}_0+\mathsf {FE}_1\) are:

  • \(\mathsf {Setup}\): \(t_0^\mathsf {Setup}+ t_1^\mathsf {Setup}+ t^\mathsf {G}\)

  • \(\mathsf {Enc}\) : \(t_0^\mathsf {Enc}+ t_1^\mathsf {Enc}+ t^\mathsf {G}\)

  • \(\mathsf {Dec}\) : \(\max \{t_0^\mathsf {Dec}, t_1^\mathsf {Dec}\}\)

  • \(\mathsf {KeyGen}\) : \(\max \{t_0^\mathsf {KeyGen}, t_1^\mathsf {KeyGen}\} + t^\mathsf {G}\)

Proof

We build 6 hybrids to reduce the security of the SUM construction \(\mathsf {FE}_0 + \mathsf {FE}_1\) to the security of the PRG \(\mathsf {G}\) and the security of the FE schemes \(\mathsf {FE}_0\) and \(\mathsf {FE}_1\). We denote a hybrid by \(\mathcal {H}_b^{(j)}\) for \(b \in \{0,1\}\) and an index j. Like the challenger in a FE game, a hybrid is a monotone function \(\mathcal {H}_b^{(j)}((m_0,m_1),\{f_{(h,i)}\}_{(h,i) \in I}) = ( pk ,c,\{ fk ^{(h,i)}\}_{(h,i) \in I})\), where \(I = I_0 + I_1\). Proofs of lemmas can be found in Appendix A.

\(\mathcal {H}_b^{(0)}\): This hybrid is the same as the original challenger \(\mathcal {H}_b^\mathsf {FE}\) in the FE game for the FE scheme \(\mathsf {FE}_0 + \mathsf {FE}_1\). For a fixed \(b \in \{0,1\}\), by expanding the SUM construction, we get the following definition of \(\mathcal {H}_b^{(0)}\):

figure e

\(\mathcal {H}_b^{(1)}\): In this hybrid we replace the PRG outputs by truly random strings. So \( sk \) and r are no longer needed and hence we remove them from the hybrid.

figure f

Lemma 1

If \(\mathsf {G}\) is a \(\mu \)-secure pseudorandom generator, then for any \(b\in \{0,1\}\) and adversary \(\mathcal {A}\) we have \(|\Pr \{[\mathcal {H}_b^{(0)},\mathcal {A}]=1\} - \Pr \{[\mathcal {H}_b^{(1)},\mathcal {A}]=1\}| \le 2\mu (\kappa )\).

\(\mathcal {H}^{(2)}_b\): In this hybrid the ciphertext c encrypts both \(m_0\) and \(m_1\):

figure g

Lemma 2

If \(\mathsf {FE}_1\) is a \((q_1,\epsilon _1)\)-non-adaptively secure FE scheme, then for any adversary \(\mathcal {A}\) we have \(|\Pr \{[\mathcal {H}_0^{(1)},\mathcal {A}]=1\}-\Pr \{[\mathcal {H}_0^{(2)},\mathcal {A}]=1\}| ~\le ~\epsilon _1(\kappa )\).

By symmetric argument, we can also obtain the following lemma.

Lemma 3

If \(\mathsf {FE}_0\) is a \((q_0,\epsilon _0)\)-non-adaptively secure FE scheme, then for any adversary \(\mathcal {A}\) we have \(|\Pr \{[\mathcal {H}_1^{(1)},\mathcal {A}]=1\}-\Pr \{[\mathcal {H}_1^{(2)},\mathcal {A}]=1\}| \le \epsilon _0(\kappa )\).

Finally, we observe that the last hybrid \(\mathcal {H}_b^{(2)}\) does not depend on the bit b, and therefore \(\Pr \{[\mathcal {H}_0^{(2)},\mathcal {A}]=1\} = \Pr \{[\mathcal {H}_1^{(2)},\mathcal {A}]=1\}\). It follows by triangle inequality that the advantage of adversary \(\mathcal {A}\) in breaking the SUM FE scheme is at most \(\mathsf {Adv}_\mathsf {FE}[\mathcal {A}] = |\Pr \{[\mathcal {H}_0^{(0)},\mathcal {A}]=1\} - \Pr \{[\mathcal {H}_1^{(0)},\mathcal {A}]=1\}| \le 2\mu + \epsilon _1 + 0 + \epsilon _0 + 2\mu = 4\mu + \epsilon _0 + \epsilon _1\).    \(\square \)

4 The PRODUCT Construction

We now define a different method to combine \(\mathsf {FE}_0\) and \(\mathsf {FE}_1\) into a new scheme \(\mathsf {FE}= \mathsf {FE}_0 \times \mathsf {FE}_1\) with index space \(I_0 \times I_1\) equal to the cartesian product of the index spaces \(I_0\), \(I_1\) of \(\mathsf {FE}_0\) and \(\mathsf {FE}_1\). Let \(\mathsf {FE}_b = (\mathsf {Setup}_b,\mathsf {Enc}_b,\mathsf {Dec}_b,\mathsf {KeyGen}_b)\) for \(b\in \{0,1\}\). First, for each \(i \in I_0\), we define a “re-encryption” function \(e_i[c, pk ] : M \times R \rightarrow M\), parameterized by \(c \in M\) and \( pk \in K\):

$$\begin{aligned} e_i[c, pk ](m,\tilde{r}) = \left\{ \begin{array}{ll} \mathsf {G}_i(\tilde{r})\oplus c &{} \text{ if } m=\bot \\ \mathsf {Enc}_1( pk ,m;\mathsf {G}_i(\tilde{r})) &{} \text{ otherwise } \end{array}\right. \end{aligned}$$

Then, \(\mathsf {FE}= (\mathsf {Setup},\mathsf {Enc},\mathsf {Dec},\mathsf {KeyGen})\) is defined as follows:

  • \(\mathsf {Setup}( sk ) = \mathsf {Setup}_0(\mathsf {G}_0( sk ))\)

  • \(\mathsf {Enc}( pk ,m;r) = \mathsf {Enc}_0( pk ,(m,\mathsf {G}_0(r));\mathsf {G}_1(r))\)

  • \(\mathsf {Dec}(( fk _0, fk _1),c) = \mathsf {Dec}_1( fk _1,\mathsf {Dec}_0( fk _0,c))\)

  • \(\mathsf {KeyGen}( sk ,f,(i,j)) = ( fk _0^i, fk _1^{i,j})\) where

figure h

The re-encryption function can work in two modes: in the regular mode where a message m is given, it computes the \(\mathsf {FE}_1\) ciphertext of m under a hard-wired public key \( pk \) with pseudo-randomness supplied by a random seed from input; in the special mode where m is not given (denoted by the special symbol \(\bot \)), it pads a hard-wired ciphertext c with pseudo-randomness derived from the random seed from input. Note that the special mode is never invoked in a real world execution of the scheme, but it is only used in security proofs.

Let \(\mathbb {RE}_\mathsf {FE}\) be the class of functions that include \(e_i[c_i, pk _1^i](\cdot ,\cdot )\) defined using \(\mathsf {Enc}\) of the FE scheme \(\mathsf {FE}\). Then we state the security of our PRODUCT construction as follows. Again, the analysis can be easily adapted to other (e.g., selective/adaptive) models.

Theorem 3

(PRODUCT construction). Assume \(\mathsf {FE}_0\) and \(\mathsf {FE}_1\) are succinct public-key FE which are \((q_0,\epsilon _0)\)- and \((q_1,\epsilon _1)\)-non-adaptively secure for functions in the classes \(\mathbb {RE}_{\mathsf {FE}_0}\) and F respectively, whose key sizes are \(\ell _0^k\) and \(\ell _1^k\), ciphertext lengths \(\ell _0^c(n,\kappa ,d_0)\) and \(\ell _1^c(n,\kappa ,d_1)\), where n is the message length and \(d_0,d_1\) are the maximum depth of functions in \(\mathbb {RE}_{\mathsf {FE}_0},F\), respectively. Also assume \(\mathsf {G}\) is a \(\mu \)-secure pseudorandom generator. Then \(\mathsf {FE}_0\times \mathsf {FE}_1\) is a \((q_0q_1,q_0\epsilon _1+2\epsilon _0+12\mu )\)-non-adaptively secure succinct public-key FE scheme for F with public-key sizes \(\ell _0^k\) and ciphertext length \(\ell _0^c(n+\kappa ,\kappa ,d_0)\).

Moreover, for \(i \in \{0,1\}\), let \(t_i^\mathsf {Setup}\),\(t_i^\mathsf {Enc}\),\(t_i^\mathsf {Dec}\),\(t_i^\mathsf {KeyGen}\) be the running times of algorithms \(\mathsf {Setup}_i,\mathsf {Enc}_i,\mathsf {Dec}_i,\mathsf {KeyGen}_i\) of \(\mathsf {FE}_i\), where \(t_i^\mathsf {Enc}= t_i^\mathsf {Enc}(n,\kappa ,d_i)\), and let \(t^\mathsf {G}\) be the running time of \(\mathsf {G}\). Then the running times of \(\mathsf {FE}\) are:

  • \(\mathsf {Setup}\): \(t_0^\mathsf {Setup}+ t^\mathsf {G}\)

  • \(\mathsf {Enc}\) : \(t_1^\mathsf {Enc}(n+\kappa ,\kappa ,d_0) + t^\mathsf {G}\)

  • \(\mathsf {Dec}\) : \(t_0^\mathsf {Dec}+ t_1^\mathsf {Dec}\)

  • \(\mathsf {KeyGen}\) : \(t_1^\mathsf {Setup}+ t_0^\mathsf {KeyGen}+ t_1^\mathsf {KeyGen}+ 3t^\mathsf {G}\)

Proof

We build a series of hybrids to reduce the security of \(\mathsf {FE}_0 \times \mathsf {FE}_1\) to the security of the PRG and the security of FE schemes \(\mathsf {FE}_0\) and \(\mathsf {FE}_1\). We denote our hybrids by \(\mathcal {H}_b^{(h)}\) for \(b \in \{0,1\}\) and h an index. Let \(I = I_0 \times I_1\). A hybrid is a monotone function \(\mathcal {H}_b^{(h)}((m_0,m_1),\{f_i\}_{i \in I}) = ( pk ,c,\{ fk ^i\}_{i \in I})\). An adversary \(\mathcal {A}\) wins the game against \(\mathcal {H}_b^{(h)}\) if \(b' = [\mathcal {H}_b^{(h)},\mathcal {A}] = 1\), and its advantage over \(\mathcal {H}_b^{(h)}\) is \(\mathsf {Adv}[{\mathcal {A}}]_b^{(h)} = \Pr \{[\mathcal {H}_b^{(h)},\mathcal {A}]=1\}\). Again, proofs of lemmas can be found in Appendix A.

\(\mathcal {H}_b^{(0)}\): This is the same as the original challenger \(\mathcal {H}_b^{\mathsf {FE}_0 \times \mathsf {FE}_1}\) in the FE game for the scheme \(\mathsf {FE}_0 \times \mathsf {FE}_1\). By expanding the PRODUCT construction, we get the following definition of \(\mathcal {H}_b^{(0)}\):

figure i

\(\mathcal {H}_b^{(1)}\): In this hybrid some uses of the PRG \(\mathsf {G}\) are replaced by truly random strings. In addition, \( sk \) is no longer needed so we remove it from the hybrid.

figure j

Lemma 4

If \(\mathsf {G}\) is a \(\mu \)-secure pseudorandom generator, then for any \(b \in \{0,1\}\) and any efficient adversary \(\mathcal {A}\), we have \(|\mathsf {Adv}[\mathcal {A}]_b^{(0)} - \mathsf {Adv}[\mathcal {A}]_b^{(1)}| \le 4\mu (\kappa )\).

\(\mathcal {H}_b^{(2)}\): In this hybrid we slightly modify how \(c_i\) is generated without changing its distribution.

figure k

Lemma 5

For any \(b \in \{0,1\}\) and adversary \(\mathcal {A}\), we have \(\mathsf {Adv}[\mathcal {A}]_b^{(1)} = \mathsf {Adv}[\mathcal {A}]_b^{(2)}\).

\(\mathcal {H}_b^{(3)}\): In this hybrid we replace the truly random \(s_i\) with a pseudorandom string.

figure l

Lemma 6

If \(\mathsf {G}\) is a \(\mu \)-secure pseudorandom generator, then for any \(b \in \{0,1\}\) and adversary \(\mathcal {A}\), we have \(|\mathsf {Adv}[\mathcal {A}]_b^{(2)} - \mathsf {Adv}[\mathcal {A}]_b^{(3)}| \le \mu (\kappa )\).

\(\mathcal {H}_b^{(4)}\): In this hybrid we modify c to encrypt \((\bot ,s)\) instead of \((m_b,r)\).

figure m

Lemma 7

If \(\mathsf {FE}_0\) is a \((q_0,\epsilon _0)\)-non-adaptive secure FE scheme for functions in the class \(\mathbb {RE}_{\mathsf {FE}_0}\), then for any \(b \in \{0,1\}\) and any efficient adversary \(\mathcal {A}\), we have \(|\mathsf {Adv}[\mathcal {A}]_b^{(3)} - \mathsf {Adv}[\mathcal {A}]_b^{(4)}| \le \epsilon _0(\kappa )\).

\(\mathcal {H}_b^{(5)}\): Now we use fresh randomness to generate \(\tilde{c}_i\) instead of sharing a pseudorandom string.

figure n

Lemma 8

If \(\mathsf {G}\) is a \(\mu \)-secure pseudorandom generator, then for any \(b \in \{0,1\}\) and any adversary \(\mathcal {A}\) we have \(|\mathsf {Adv}[\mathcal {A}]_b^{(4)} - \mathsf {Adv}[\mathcal {A}]_b^{(5)}| \le \mu (\kappa )\).

Lemma 9

If \(\mathsf {FE}_1\) is a \((q_1,\epsilon _1)\)-non-adaptive secure FE scheme, then for any efficient adversary \(\mathcal {A}\) we have \(|\mathsf {Adv}[\mathcal {A}]_0^{(5)} - \mathsf {Adv}[\mathcal {A}]_1^{(5)}| \le q_0 \cdot \epsilon _1(\kappa )\).

Finally, by applying previous lemmas, we see that the advantage of any adversary \(\mathcal {A}\) to the PRODUCT scheme \(\mathsf {FE}\) can be bounded by \(\mathsf {Adv}_\mathsf {FE}[\mathcal {A}] = |\Pr \{[\mathcal {H}_0^{(0)},\mathcal {A}]=1\} - \Pr \{[\mathcal {H}_1^{(0)},\mathcal {A}]=1\}| \le 2(4\mu + 0 + \mu + \epsilon _0 + \mu ) + q_0 \epsilon _1 = q_0 \epsilon _1 + 2\epsilon _0 + 12\mu \).    \(\square \)

5 Compositions Using SUM and PRODUCT Constructions

SUM and PRODUCT constructions provide ways to build new FE schemes with larger function spaces. They also have nice efficiency preserving properties. Using them as building blocks, we propose two composition methods to define transformations from a FE scheme supporting only one functional key query to a new FE scheme that supports any polynomially many functional key queries without losing much security and efficiency guarantees.

Throughout this section, we assume \(\mathsf {FE}_0\) is a \((1,\epsilon _0)\)-secure FE scheme, where \(\epsilon _0(\kappa )\) is negligible, for functions in a class F with some minimal efficiency guarantees, for example, succinct. \(\mathsf {FE}_0\) can be either selective-, non-adaptive-, or adaptive-secure, and our transformations preserve these security notions. We also assume \(\mathsf {G}\) is a \(\mu \)-secure PRG, for negligible \(\mu (\kappa )\). Let \(t_0^\mathsf {Setup}\),\(t_0^\mathsf {Enc}\),\(t_0^\mathsf {Dec}\),\(t_0^\mathsf {KeyGen}\) be the running times of the four algorithms in \(\mathsf {FE}_0\), and let \(\ell _0^k\), \(\ell _0^c\), \(\ell _0^ fk \) be the lengths of public key, ciphertext, and functional keys of \(\mathsf {FE}_0\). Since \(\mathsf {FE}_0\) is succinct, \(t_0^\mathsf {Enc}= t_0^\mathsf {Enc}(n,\kappa ,d)\) and \(\ell _0^c = \ell _0^c(n,\kappa ,d)\) are both polynomials in the message length n, security parameter \(\kappa \), and the maximal depth d of functions in F. Let \(t^\mathsf {G}\) be the running time of the PRG \(\mathsf {G}\). Our main results are two reductions from collusion-resistant (weakly) compact FE schemes for F to \(\mathsf {FE}_0\) assuming F meets some requirements (more details later).

5.1 Iterated Squaring Composition

Our first transformation can be obtained by repeatedly squaring the previously composed FE scheme. At the beginning, we use the SUM construction to obtain FE schemes supporting 2 functional key queries. Then PRODUCT construction is used on the FE schemes of the previous iteration.

Formally, we can define the iterated squaring composition method by:

$$\begin{aligned} \mathsf {FE}_1 = \mathsf {FE}_0 + \mathsf {FE}_0, \text {and for}\, p \ge 1, \mathsf {FE}_{p+1} = \mathsf {FE}_p \times \mathsf {FE}_p. \end{aligned}$$
(1)

So \(\mathsf {FE}_1\) supports 2 functional queries, and for \(p \ge 1\), the FE scheme \(\mathsf {FE}_{p+1}\) supports \(2^{2^p}\) functional queries. For any polynomial \(Q(\kappa )\), when \(p \ge \log \log Q\), the FE scheme \(\mathsf {FE}_{p+1}\) supports \(Q(\kappa )\) functional queries, and its security and performance can be characterized as follows.

Security: The advantage of \(\mathsf {FE}_{p+1}\) over any efficient adversary \(\mathcal {A}\) is

$$\begin{aligned} \mathsf {Adv}_{\mathsf {FE}_{p+1}}[\mathcal {A}] = 2^{2^p} \epsilon _0 + 2^{2^p} \mu = Q \cdot \epsilon _0 + Q \cdot \mu . \end{aligned}$$
(2)

Running times and output lengths:

  • \(\mathsf {Setup}\): \(2t_0^\mathsf {Setup}+ (p+1)t^\mathsf {G}= 2t_0^\mathsf {Setup}+ \log \log Q \cdot t^\mathsf {G}\)

  • \(\mathsf {Enc}\) : \(2t_0^\mathsf {Enc}(n+p\kappa ,\kappa ,d) + (p+1)t^\mathsf {G}= 2t_0^\mathsf {Enc}(n+\kappa \log \log Q,\kappa ,d)+\log \log Q \cdot t^\mathsf {G}\)

  • \(\mathsf {Dec}\) : \(2^pt_0^\mathsf {Dec}= \log Q \cdot t_0^\mathsf {Dec}\)

  • \(\mathsf {KeyGen}\) : \(2(2^p-1)t_0^\mathsf {Setup}+ 2^pt_0^\mathsf {KeyGen}+ (\sum _{i=0}^p(p+2-i)2^i + 2^{p+1} - 1)t^\mathsf {G}= 2\log Q \cdot t_0^\mathsf {Setup}+ \log Q \cdot t_0^\mathsf {KeyGen}+ 6 \log Q \cdot t^\mathsf {G}\)

  • \(\ell _{p+1}^k = 2\ell _0^k\)

  • \(\ell _{p+1}^c = \ell _0^c(n+p\kappa ,\kappa ,d) = \ell _0^c(n+\kappa \log \log Q,\kappa ,d)\)

  • \(\ell _{p+1}^ fk = 2^p\ell _0^ fk = \log Q \cdot \ell _0^ fk \)

Clearly \(\mathsf {FE}_{p+1}\) is a secure FE scheme, and the transformation incurs only linear (in terms of Q) security loss. Since \(\mathsf {FE}_0\) is succinct, \(t_0^\mathsf {Enc}\) is a polynomial in n, \(\kappa \), and d. So \(t_{p+1}^\mathsf {Enc}\) can be bounded by \(\mathrm {poly}(\log Q,n,\kappa ,d)\) for some fixed polynomial \(\mathrm {poly}\), and hence \(\mathsf {FE}_{p+1}\) is weakly succinct.

Besides, for the iterated squaring composition to be viable, we must be careful about the function classes supported in each iteration of the composition. Let \(F_h\) be the class of functions supported by \(\mathsf {KeyGen}_h\) of the FE scheme \(\mathsf {FE}_h\), for \(h \ge 0\). First we have \(F_1 = F_0\). In the steps using PRODUCT construction on \(\mathsf {FE}_p\) to derive \(\mathsf {FE}_{p+1}\), a functional key \( fk = ( fk _0, fk _1)\) for any function f consists of two keys under \(\mathsf {FE}_p\): \( fk _0\) is for a “re-encryption” function \(e_i^{(p)}[c, pk ](\cdot ,\cdot )\), and \( fk _1\) is for f. Hence for the composition to go through, \(\mathsf {FE}_p\) must be capable of generating functional keys for these two classes of functions, namely

$$\begin{aligned} F_{p+1} \cup \{e_i^{(p)}[c, pk ] \mid c \in M, pk \in R\} \subseteq F_p. \end{aligned}$$

Recall from Sect. 4 that \(\mathbb {RE}_{\mathsf {FE}_p}\) is the class containing \(e_i^{(p)}[c, pk ]\) for all \(c \in M, pk \in R\). Let \(\mathbb {RE}_{\mathsf {FE}_0}^p = \cup _{h=1}^p \mathbb {RE}_{\mathsf {FE}_h}\). By expanding the above recursion, we see that to support function class \(F_{p+1}\) the FE scheme \(\mathsf {FE}_0\) must be capable of functional keys for the functions in \(F_{p+1} \cup \mathbb {RE}_{\mathsf {FE}_0}^p\) and the PRG \(\mathsf {G}\).

Theorem 4

Fix any polynomial \(Q(\kappa )\), and let \(p(\kappa ) = \varOmega (\log \log Q(\kappa ))\). Assume \(\mathsf {FE}_0\) is a succinct \((1,\epsilon _0)\)-non-adaptive (or selective/adaptive) secure FE scheme for the function class F such that \(\mathbb {RE}_{\mathsf {FE}_0}^p \subseteq F\) and \(\mathsf {G}\in F\), where \(\epsilon _0(\kappa )\) is some negligible function; and assume \(\mathsf {G}\) is a secure PRG. Then \(\mathsf {FE}_{p+1}\) defined in Eq. 1 is a weakly succinct \((Q,\epsilon )\)-non-adaptive (or selective/adaptive, respectively) secure FE scheme for F, where \(\epsilon (\kappa )\) is some negligible function.

5.2 Iterated Linear Composition

A drawback of the iterated squaring composition is that the base scheme \(\mathsf {FE}_0\) must be capable of generating functional keys for the re-encryption functions of all iteration steps. It is usually hard to check if this condition holds for a concrete FE scheme. We now present another composition method that only requires the base scheme is capable of functionals keys for its own encryption function.

The iterated linear composition is defined recursively by

$$\begin{aligned} \mathsf {FE}_1 = \mathsf {FE}_0 + \mathsf {FE}_0, \text {and for}\, p \ge 1, \mathsf {FE}_{p+1} = \mathsf {FE}_1 \times \mathsf {FE}_p. \end{aligned}$$
(3)

Under this composition, \(\mathsf {FE}_1\) supports 2 functional keys, and for \(p \ge 1\), \(\mathsf {FE}_{p+1}\) supports \(2^{p+1}\) functional keys. For \(\mathsf {FE}_p\) to achieve \(Q(\kappa )\) functional keys, we need \(p \ge \log Q\). Then it is straightforward to get the following characteristics of \(\mathsf {FE}_p\):

Security: The advantage of \(\mathsf {FE}_p\) over any efficient adversary is

$$\begin{aligned} \mathsf {Adv}_{\mathsf {FE}_p}[\mathcal {A}] = (3\cdot 2^p)\epsilon _0 + (12\cdot 2^p)\mu = Q\epsilon _0 + Q\mu . \end{aligned}$$
(4)

Running times and output lengths:

  • \(\mathsf {Setup}\): \(2t_0^\mathsf {Setup}+ 2t^\mathsf {G}\)

  • \(\mathsf {Enc}\) : \(2t_0^\mathsf {Enc}(n+\kappa ,\kappa ,d) + 2t^\mathsf {G}\)

  • \(\mathsf {Dec}\) : \(pt_0^\mathsf {Dec}= \log Q \cdot t_0^\mathsf {Dec}\)

  • \(\mathsf {KeyGen}\) : \(pt_0^\mathsf {KeyGen}+ 2(p-1)t_0^\mathsf {Setup}+ (6p-5)t^\mathsf {G}= 2\log Q \cdot t_0^\mathsf {Setup}+ \log Q \cdot t_0^\mathsf {KeyGen}+ 6\log Q \cdot t^\mathsf {G}\)

  • \(\ell _p^k = 2\ell _0^k\)

  • \(\ell _p^c = \ell _0^c(n+\kappa ,\kappa ,d) = 2\ell _0^c(n+\kappa ,\kappa ,d)\)

  • \(\ell _p^ fk = p\ell _0^ fk = \log Q \cdot \ell _0^ fk \)

The FE scheme \(\mathsf {FE}_p\) is also secure, and this transformation too incurs linear (in terms of Q) security loss. This time, the running time of the encryption procedure no longer depends on Q, so \(\mathsf {FE}_p\) is fully succinct.

Again, for this composition method to be viable, we should consider the functions can be handled at each iteration. Let \(F_h\) denote the function class supported by \(\mathsf {FE}_h\), for \(h \ge 0\). As in the squaring composition, we have \(F_1 = F_0\). For \(h \ge 1\), to derive a functional key for any function f in \(\mathsf {FE}_{h+1}\), the scheme \(\mathsf {FE}_1\) must generate functional keys for the re-encryption function \(e_i[ pk ,c]\), and \(\mathsf {FE}_h\) must be capable of generating functional keys of f. This implies that

$$\begin{aligned} F_p \cup \{e_i[ pk ,c] \mid pk \in R, c \in M\} \subseteq F_0. \end{aligned}$$

Since \(e_i[ pk ,c](\cdot ,\cdot )\) can be easily built using basic operations on \(\mathsf {Enc}_1( pk ,\cdot ;\cdot )\) and \(\mathsf {G}(\cdot )\), it is sufficient to require that \(\mathsf {FE}_0\) can generate functional keys for these two classes of functions.

Theorem 5

Assume \(\mathsf {FE}_0\) is a succinct \((1,\epsilon _0)\)-non-adaptive (or selective/adaptive) secure FE scheme for the class F of functions such that \(\mathsf {Enc}_0( pk ,\cdot ;\cdot ),\mathsf {G}(\cdot ) \in F\) for any \( pk \in R\), where \(\epsilon _0(\kappa )\) is some negligible function, and assume \(\mathsf {G}\) is a secure PRG. Then, for any polynomial \(Q(\kappa )\), the FE scheme \(\mathsf {FE}_p\) defined in Eq. 3 for \(p = \varOmega (\log Q)\) is a succinct \((Q,\epsilon )\)-non-adaptive (or selective/adaptive, respectively) secure FE scheme for F, for some negligible function \(\epsilon (\kappa )\).

Comparing with the iterated squaring composition to support Q functional key queries, one can see that the security loss, the running times, and key lengths of \(\mathsf {Setup}\) and \(\mathsf {KeyGen}\) are about the same, and the iterated linear composition gives better encryption performance: \(\mathsf {Enc}\) runs slightly faster. The trade-off is in the ciphertext length: our linear composition simply doubles the ciphertext length of the underlying 1-secure FE scheme, while the iterated squaring composition produces a ciphertext that encrypts a slightly longer message in the 1-secure FE scheme.

5.3 On the Implications of Our Reductions

So far we have obtained two transformations from a 1-secure succinct FE scheme to a (weakly) succinct FE scheme that supports polynomially many functional key queries. In this subsection we explore the implications of our reductions.

A \((Q,\epsilon )\)-secure FE scheme for F is called weakly collusion-succinct if \(t^\mathsf {Enc}\) grows sub-linearly in Q but polynomially in n, \(\kappa \), and the maximum circuit size of functions in F. If the sub-linear dependence on Q is removed, then the FE scheme is called collusion-succinct. For succinct \(\mathsf {FE}_0\), let us consider the following two cases about the encryption time \(t^\mathsf {Enc}_{p+1}\) of \(\mathsf {FE}_{p+1}\) obtained by our transformations on \(\mathsf {FE}_0\):

  1. 1.

    If \(\mathsf {FE}_{p+1}\) is as in the iterated squaring composition, then \(p = \varOmega (\log \log Q)\) and \(t^\mathsf {Enc}_{p+1} = t^\mathsf {Enc}_0(n+\kappa \cdot \log \log Q, \kappa , d) + \log \log Q \cdot t^\mathsf {G}(\kappa )\). Clearly \(t^\mathsf {Enc}_{p+1}\) is sub-linear in Q, and thus \(\mathsf {FE}_{p+1}\) is weakly collusion-succinct.

  2. 2.

    If \(\mathsf {FE}_{p+1}\) is as in the iterated linear composition, then \(p = \varOmega (\log Q)\) and \(t^\mathsf {Enc}_{p+1} = 2t^\mathsf {Enc}_0(n+\kappa ,\kappa ,d)+2t^\mathsf {G}(\kappa )\), which is independent of Q. So \(\mathsf {FE}_{p+1}\) is succinct (hence collusion-succinct).

Remark 2

Security in Theorems 4 and 5 degrades linearly in Q. So it may appear that setting the size of the index space to be superpolynomial results in a superpolynomial security loss. However, a careful analysis shows that Theorems 4 and 5 hold with Q equal to the number of key queries made by any efficient adversary, where the index space is just an upper bound on Q. As long as the adversary runs in polynomial time, the security loss is only polynomial, even when setting p accordingly to achieve superpolynomial-sized index space.

As we have mentioned in Remark 1, when the index space of \(\mathsf {FE}_{p+1}\) has superpolynomial size, we can eliminate i from the interface of \(\mathsf {KeyGen}\) to make it completely stateless. To achieve this, we may set \(p = \omega (\log \log \kappa )\) in our first transformation, and we may set \(p = \omega (\log \kappa )\) in our second transformation. Such conversions incur only a negligible security loss, and they do not affect the security properties of \(\mathsf {FE}_{p+1}\) in either transformation. Moreover, \(\mathsf {FE}_{p+1}\) is secure with any polynomial number of functional key queries, so it is collusion-resistant. We can state our transformations in terms of standard FE definition:

Theorem 6

  1. 1.

    If \(\mathsf {FE}_0\) is a succinct 1-secure FE scheme for a class F of functions such that \(\mathbb {RE}_{\mathsf {FE}_0}^p \subseteq F\) for \(p = O(\log \kappa )\) and that \(\mathsf {G}\in F\), then for some \(p = \omega (\log \log \kappa )\), \(\mathsf {FE}_{p+1}\) as in the iterated squaring composition is a weakly collusion-succinct and collusion-resistant FE scheme for F;

  2. 2.

    If \(\mathsf {FE}_0\) is a succinct 1-secure FE scheme for a class F of functions such that its encryption function \(\mathsf {Enc}_0\) satisfies \(\mathsf {Enc}_0( pk ,\cdot ;\cdot ) \in F\) for any \( pk \in R\) and that \(\mathsf {G}\in F\), then for some \(p = \omega (\log \kappa )\), \(\mathsf {FE}_{p+1}\) as in the iterated linear composition is a succinct and collusion-resistant FE scheme for F.

Bitansky and Vaikuntanathan [9] described a reduction from any (weakly) compact Q-secure FE scheme to a (weakly) collusion-succinct Q-secure FE scheme for the same class of functions. We note that, although in [9] the notion of collusion-succinct was defined in terms of ciphertext length, their reduction still holds with our encryption time based definition. By applying their reduction together with our transformations, we get the following new reductions:

Theorem 7

  1. 1.

    If there exists a succinct 1-secure FE scheme \(\mathsf {FE}_0\) for a class F of functions such that \(\mathbb {RE}_{\mathsf {FE}_0}^p \subseteq F\) for \(p = O(\log \kappa )\) and that \(\mathsf {G}\in F\), then there exists a weakly compact and collusion-resistant FE scheme for F;

  2. 2.

    If there exists a succinct 1-secure FE scheme \(\mathsf {FE}_0\) for a class F of functions such that its encryption function \(\mathsf {Enc}_0\) satisfies \(\mathsf {Enc}_0( pk ,\cdot ;\cdot ) \in F\) for any \( pk \in R\) and that \(\mathsf {G}\in F\), then there exists a compact and collusion-resistant FE scheme for F.

Notice that a (weakly) compact FE scheme is necessarily (weakly) succinct. Our results show that weakly compact (non-collusion-resistant) FE schemes (supporting a sufficiently general class of functions,) imply collusion-resistant FE schemes. As shown in [3, 9], (non-compact) collusion-resistant FE schemes imply compact FE schemes. So now we can see these variants as equivalent notions under polynomial time reductions.

One may attempt to instantiate a compact collusion-resistant FE scheme using our transformations on a succinct 1-secure FE scheme. Based on sub-exponential lattice assumption, Goldwasser et al. [25] showed that, for any polynomial d(n), there exists a succinct 1-secure FE scheme for the class of functions with 1-bit output and depth d circuits. However, it is not clear how to efficiently “upgrade” this FE scheme to be capable of generating a functional key of its own encryption function so that the assumptions of our transformations can be met. This is not surprising because any instantiation would immediately give an indistinguishability obfuscator. We find it very interesting to answer such question and we leave it for future work.