1 Introduction

In cryptography, many interesting cryptographic primitives rely on computational assumptions. Over the years, many assumptions have been proposed such as factoring, quadratic residuosity, decisional Diffie-Hellman, learning with errors, and many more. However, despite years of research, the security of these assumptions is still not firmly established. Indeed, we do not even know how to prove P \(\ne \) NP; our understanding of algebraic hardness is even more speculative. Moreover, we also do not have a strong understanding of how different cryptographic assumptions compare against each other. For instance, it is not known whether decisional Diffie-Hellman is a weaker or a stronger assumption than learning with errors. This inability to adequately compare different cryptographic assumptions induces the following problematic situation: suppose we have a cryptographic primitive (say, public key encryption) with many candidate constructions based on a variety of assumptions, and we want to pick the most secure candidate to use. Unfortunately, due to our limited knowledge of how these assumptions compare against each other, we cannot determine which candidate is the most secure one.

Unconditional Cryptographic Combiners. Cryptographic combiners were introduced to handle the above issue. Given many candidates of a cryptographic primitive, possibly based on different assumptions, a cryptographic combiner takes these candidates and produces another candidate for the same primitive with the guarantee that this new candidate is secure as long as at least one of the original candidates is secure. For example, a combiner for public key encryption can be used to transform two candidates, one based on decisional Diffie-Hellman and the other on learning with errors, into a new public-key encryption candidate that is secure provided either decisional Diffie-Hellman or learning with errors is secure. Thus, this new public-key encryption candidate relies on a strictly weaker assumption than the original two candidate constructions and allows us to hedge our bets on the security of the two original assumptions.

Furthermore, even if an underlying primitive, such as public-key encryption, requires an unproven hardness assumption, the security of a combiner for that primitive can be unconditional. Therefore, cryptographic combiners stand out in the world of cryptography in the sense that they are one of the few useful cryptographic objects that do not inherently require reliance on hardness assumptions. And indeed, combiners for fundamental primitives like one-way functions, public-key encryption, and oblivious transfer are known to exist unconditionally [28, 38, 39, 42].

Obtaining unconditional combiners is particularly important because the entire purpose of constructing combiners is to make cryptographic constructions future-proof in case assumptions break down. In this work, we study combiners for functional encryption, an area where studying combiners is particularly important and where, prior to our work, only conditional constructions were known [2, 5, 6] (and in fact, these previous results required either algebraic or sub-exponentially strong assumptions). We obtain the first unconditional combiner for functional encryption. Furthermore, we do so by providing a general compiler, significantly simplifying previous work in this area. Along the way, we define and provide constructions of input-local MPC protocols, input-local garbling schemes, and combiner-friendly homomorphic secret sharing schemes, primitives that may be of independent interest.

Combiners for Functional Encryption. Functional encryption (FE), introduced by [52] and first formalized by [19, 51], is one of the core primitives in the area of computing on encrypted data. This notion allows an authority to generate and distribute constrained keys associated with functions \(f_1,\ldots ,f_q\), called functional keys, which can be used to learn the values \(f_1(x),\ldots ,f_q(x)\) given an encryption of x. Intuitively, the security notion states that the functional keys associated with \(f_1,\ldots ,f_q\) and an encryption of x reveal nothing beyond the values \(f_1(x),\ldots ,f_q(x)\).

Function encryption has opened the floodgates to important cryptographic applications that have long remained elusive. These applications include, but are not limited to, multi-party non-interactive key exchange  [34], universal samplers  [34], reusable garbled circuits [36], verifiable random functions [10, 13, 37], and adaptive garbling [40]. FE has also helped improve our understanding of important theoretical questions, such as the hardness of Nash equilibrium [33, 34]. One of the most important applications of FE is its implication to indistinguishability obfuscation (iO for short), which is considered the holy grail of cryptography [8, 15]. In fact, if we are willing to tolerate subexponential security loss, then even secret-key FE is enough to imply iO [14, 43, 44].

Over the past few years, many constructions of functional encryption have been proposed [1, 4, 7, 9, 29, 30, 45,46,47,48,49] and studying what assumptions suffice for constructing general-purpose FE remains a very important and active area of investigation. Recent cryptanalytic attacks [11, 12, 23,24,25,26, 41, 49] on FE schemes further highlight the importance of careful study. Given these results, we should hope to minimize the trust we place on any individual FE candidate.

The notion of a functional encryption combiner achieves this purpose. Informally speaking, a functional encryption combiner allows for combining many functional encryption candidates in such a way that the resulting FE candidate is secure as long as at least one of the initial FE candidates is secure. In other words, a functional encryption combiner says that it suffices to place trust collectively on multiple FE candidates, instead of placing trust on any specific FE candidate. Furthermore, FE combiners are an important area of study for the following reasons:

  • Most importantly, it gives a mechanism to hedge our bets and distribute our trust over multiple constructions. This has been highlighted above.

  • Often, constructions of FE combiners give rise to constructions of robust FE combiners generically [2, 6]. Any robust FE combiner gives us a universal construction of FE, which is an explicit FE scheme that is secure as long as there exists a secure functional encryption scheme.

  • Studying FE combiners helps improve our understanding of the nature of assumptions we need to build FE.

  • They give rise to theoretically important results in other branches of cryptography, such as round-optimal low-communication MPC [2].

  • Constructions of robust FE combiners have encouraged research on understanding correctness amplification for FE, iO [6, 16], and other fundamental cryptographic primitives [17].

  • Finally, due to connections to security amplification, techniques used to build FE combiners are useful to give better constructions of FE. In particular, the work of [7] used techniques developed from the study of FE combiners to provide a generic security amplification of FE, which proved pivotal in giving the first construction of FE that does not rely on multilinear maps and makes use of simply stated, instance-independent assumptions.

There have been a series of works in this area. The starting point was the work of two concurrent papers [5, 27], both appearing at CRYPTO, that studied the related question of obfuscation combiners. This was followed up by the work of [6], which gave a construction of FE combiners (and universal FE) assuming the existence of a subexponentially secure FE algorithm. They also gave a construction of a robust FE combiner assuming LWE. Then [2] gave construction of a robust FE combiner (and universal obfuscation) relying on the algebraic assumption of the existence of constant degree randomizing polynomials (which are known to exist assuming number-theoretic assumptions such as LWE, DDH, and quadratic residuosity). However, until now, the ultimate question in this area, of whether FE combiners exist without making any additional assumptions, has remained open.

1.1 Our Contributions

In this paper, we consider the following questions.

$$\begin{aligned} \begin{array}{c} {What\,is\,the\,minimal\,assumption\,necessary\,to\,construct\,FE\,combiners\,and} \\ {universal\,FE?} \end{array} \end{aligned}$$

In particular,

$$\begin{aligned} {Is\,it\,possible\,to\,construct\,FE\,combiners\,and\,universal\,FE\,unconditionally? } \end{aligned}$$

We resolve the above question in the affirmative and prove the following.

Theorem 1

(Informal). There exists an unconditionally secure FE combiner for \(\mathsf {P}/\mathsf {poly}\).

It turns out that our construction of an FE combiner also gives rise to a robust FE combiner using the results of [2, 6].

Corollary 1

(Informal). There exists an unconditionally secure robust FE combiner for \(\mathsf {P}/\mathsf {poly}\).

As any robust FE combiner gives a universal FE scheme [5, 6], we obtain the following additional result.

Corollary 2

(Informal). There exists an unconditional construction of a universal FE scheme for \(\mathsf {P}/\mathsf {poly}\).

We note that, as was the case in previous constructions, our construction of a universal FE scheme is parameterized by the maximum run-time of any of the algorithms of the secure FE scheme.

1.2 Technical Overview

Our starting point is the observation that FE combiners are related to the notion of secure multi-party computation and function secret sharing (also known as homomorphic secret sharing [18, 20,21,22, 50]). Suppose for a function f, it was possible to give out function shares \(f_1, \ldots , f_n\) such that for any input x, we can n-out-of-n secret share x into shares \(x_1, \ldots , x_n\) and recover f(x) given \(f_1(x_1), \ldots , f_n(x_n)\). Then, we would be able to build an FE combiner in the following manner. Given an input x, the encryptor would n-out-of-n secret share x and encrypt the ith share \(x_i\) under the ith FE candidate \(\mathsf {FE}_i\) (depicted in Fig. 1). To generate a function key for a function f, \(\mathsf {FE}_i\) would generate a function key for function share \(f_i\). Using these ciphertexts and function keys, it would be possible to recover \(f_i(x_i)\), from which it would be possible to recover f(x). Security would follow from the fact that since at least one FE candidate is secure, one of the input shares remains hidden, hiding the input. This overall approach was used in [2, 6] to construct FE combiners from LWE. In this work, we would like to minimize the assumptions needed to construct an FE combiner, and, unfortunately, we do not know how to construct such a function sharing scheme for polynomial-sized circuits from one-way functions. Note that since FE implies one-way functions, any FE combiner can assume the existence of one-way functions since the individual one-way function candidates arising from each FE candidate can be trivially combined by independent concatenation (direct product) of the candidate one-way functions.

Fig. 1.
figure 1

A pictorial overview of splitting x amongst n FE candidates.

Full size image

Our first step towards constructing an FE combiner unconditionally is that we observe that it is easy to build an FE combiner for a constant number of FE candidates by simply nesting the candidates. For example, if we had 2 FE candidates, \(\mathsf {FE}_1\) and \(\mathsf {FE}_2\), we could combine these two candidates by simply having encryption encrypt first under \(\mathsf {FE}_1\) and then encrypt the resulting ciphertext under \(\mathsf {FE}_2\). To generate a secret key for a function f, we would generate a function key \(\mathsf {SK}_{f,1}\) for f under \(\mathsf {FE}_1\) and then generate a function key \(\mathsf {SK}_{f,2}\) for the function that runs \(\mathsf {FE}_1{.}\mathsf {Dec}(\mathsf {SK}_{f,1}, \cdot )\) under \(\mathsf {FE}_2\). The function key \(\mathsf {SK}_{f,2}\) would then be the function key for f under the combined FE scheme. Using nestings of candidates, we can replace our original FE candidates with these new nested candidates. For example, if we use 2-nestings, we can consider all possible 2-nestings \(\mathsf {FE}_{i,j}\) for \(i,j \in [n]\) as our new set of FE candidates. Observe now that we have replaced our original n FE candidates with \(n^2\) “new” FE candidates. At first glance, this appears to not have helped much. However, note that previously, we needed to consider function sharing schemes that were secure against up to \(n -1\) corruptions. When using nested candidates, it follows that if \(\mathsf {FE}_{i^*}\) was originally secure, then \(\mathsf {FE}_{i,j}\) with at least one of \(i,j = i^*\) is also secure. We show how to leverage this new corruption pattern of the candidates in the following manner (Fig. 2).

Fig. 2.
figure 2

A pictorial overview of 3-nested FE candidates (the required level of nesting in our construction). If \(\mathsf {FE}_5\) is secure, then \(\mathsf {FE}_{1,5,7}\) and \(\mathsf {FE}_{5,6,8}\) are secure.

Full size image

Suppose we had a “special” MPC protocol \(\varPhi \) where every bit in the transcript of an execution of \(\varPhi \) can be computed by a function on the inputs (and random coins) of a constant number of parties (say 2). Furthermore, the output of \(\varPhi \) can be determined solely from the transcript and \(\varPhi \) is secure against a semi-honest adversary that corrupts up to \(n -1\) parties. If \(\varPhi \) has the above properties, then the transcript of an execution of \(\varPhi \) can be determined via an alternate computation. Instead of running \(\varPhi \) normally to obtain the transcript, we can instead compute jointly on all pairs of parties’ inputs (and randomness) to obtain the transcript. That is, if a bit \(\tau _\alpha \) in the transcript \(\tau \) can be computed given only the inputs (and randomness) of parties \(P_i\) and \(P_j\) (we say it “depends” on parties \(P_i\) and \(P_j\)), then we can determine the value of \(\tau _\alpha \) in an execution of \(\varPhi \) by computing this function on \((x_i, r_i)\) and \((x_j, r_j)\) (the inputs and randomness of these two parties) rather than executing the protocol in the normal fashion. Proceeding in the same manner for every bit in the transcript, we can obtain the same exact transcript that we would have by executing the protocol normally, but we are able to do so by only evaluating functions on two parties’ inputs (and randomness).

This observation leads us to the following approach for constructing an FE combiner. To encrypt an input x, additively secret share x into n shares \((x_1 , \dots , x_n)\) and encrypt each pair of shares \((x_i, x_j)\) under \(\mathsf {FE}_{i,j}\). To generate a function key for a function f, consider the MPC protocol that computes \(f(x_1 \oplus \ldots \oplus x_n)\). Then, for every bit \(\tau _\alpha \) in the transcript of such a protocol, if \(\tau _\alpha \) “depends” on parties \(P_i,P_j\), we would generate a function key under \(\mathsf {FE}_{i,j}\) for the circuit \(C_{\tau _\alpha }\) that computes \(\tau _\alpha \) given \(x_i, x_j\).

This approach immediately runs into the following problem. The MPC protocol is randomized, whereas the function keys in an FE scheme are for deterministic functions. Moreover, an FE ciphertext needs to be compatible with many function keys. Fortunately, these problems can easily be solved by having the encryptor also generate a PRF key \(K_i\) for each party \(P_i\). The encryptor now encrypts \((x_i, x_j, K_i, K_j)\) under FE candidate \(\mathsf {FE}_{i,j}\) and uses \(K_i\) and some fixed tag \(\mathsf {tag}_f\) embedded in the function key for f to generate the randomness of \(P_i\) in the evaluation of the MPC protocol. Now, by using the function keys for the \(C_{\tau _\alpha }\)’s, it is possible for the decryptor to recover all the bits in the transcript of an execution of the protocol and, therefore, recover f(x). Security would follow from the fact that if candidate \(\mathsf {FE}_{i^*}\) is secure, then \(x_{i^*}\) and \(K_{i^*}\) remain hidden, and we can use the security of the MPC protocol to simulate the view of party \(P_{i^*}\).

If such an MPC protocol as described above could be found, the above would suffice for constructing an FE combiner. However, the goal of this work is to construct an FE combiner unconditionally and so we would like to only assume the existence of one-way functions. However, semi-honest MPC secure against up to \(n-1\) corruptions requires oblivious transfer (OT), which we do not want to assume. To deal with this, we adapt our MPC idea to settings with correlated randomness, such as the OT-hybrid model.

A first attempt at adapting this idea to protocols in the OT-hybrid model is the following. Suppose that we have a “special” MPC protocol \(\varPhi \) where every bit in the transcript of an execution of \(\varPhi \) can be computed by a function on the inputs (and random coins/correlated randomness) of a constant number of parties (say 2). Furthermore, the output of \(\varPhi \) can be determined solely from the transcript and \(\varPhi \) is secure against a semi-honest adversary that corrupts up to \(n-1\) parties in the OT-hybrid model.

The first challenge is to instantiate the OT oracle. This can be done by having shared PRF keys \(K_{i,j}\) between all pairs of parties \(P_i\) and \(P_j\). Then \(K_{i,j}\) will be used to generate correlated randomness between \(P_i\) and \(P_j\). We can generate all the correlated randomness prior to the protocol execution and include it as part of the input to a party \(P_i\). This allows us to generate correlated randomness, but we still run into a second issue. Since a party \(P_i\) has correlated randomness between itself and all other parties, its input now depends on all other parties! So, it appears that constant nestings of FE candidates will no longer suffice.

Fortunately, this second issue can be mitigated by a more refined condition on the “special” MPC protocol \(\varPhi \). Let \((r_{i,j}, r_{j,i})\) denote the correlated randomness pair between parties \(P_i\) and \(P_j\), where \(r_{i,j}\) and \(r_{j,i}\) are given to \(P_i\) and \(P_j\), respectively. Instead of having the functions that compute bits of the transcript of \(\varPhi \) take as input the entire correlated randomness string \(\{r_{i,j}\}_{j \ne i\in [n]}\) held by a party \(P_i\), we instead allow it to take single components \(r_{i,j}\) as input. If the function takes as input \(r_{i,j}\), then both parties \(P_i\) and \(P_j\) are counted in the number of parties that the function depends on. More formally, the condition on the “special” MPC protocol \(\varPhi \) becomes the following. Let \((x_i, r_i)\) denote the input and randomness of a party \(P_i\) and let \(r_{i,j}\) denote the correlated randomness between parties \(P_i\) and \(P_j\) held by \(P_i\). Every bit \(\tau _\alpha \) in the transcript \(\tau \) of an execution of \(\varPhi \) can be computed by some deterministic function \(f_\alpha \) on input

$$ ((x_i)_{i \in \mathcal {S}_\alpha }, (r_i)_{i \in \mathcal {S}_\alpha }, (r_{i,j})_{i,j \in \mathcal {S}_\alpha }), $$

where \(|\mathcal {S}_\alpha | \le t\) for some constant t. We call such an MPC protocol a t-input-local MPC protocol and define this formally in Sect. 4.

To summarize, if we had a t-input-local MPC protocol for some constant t, then we would be able to construct an FE combiner unconditionally using the ideas detailed above. However, it is unclear how to construct such an MPC protocol, and, unfortunately, no protocol in the literature for all polynomial-sized circuits in the OT-hybrid model satisfies all our required properties. However, the 2-round semi-honest MPC protocol of Garg-Srinivasan [35] transformed to operate in the OT-hybrid model [31] comes close. At a high level, this is because they compile an MPC protocol into a series of garbled circuits, where each garbled circuit is computed by a single party. However, there are several bottlenecks that make their protocol initially incompatible with our schema. One observation is that the protocol of [31, 35] contains a pre-processing phase that causes the initial state (effectively input) of each party to be dependent on all other parties. This might seem like a major issue since messages dependent only on a single parties’ state can now depend on all parties. Yet, a careful analysis shows that while individual messages sent by a party might “depend” on all parties in the protocol, each bit sent by a party still depends on only a constant number of parties.

The real issue is that in the protocol of [31, 35], parties send garbled circuits of circuits whose descriptions depend on all parties. Thus, the resulting garbled circuit may depend on all parties. However, we observe that the way these circuits depend on all parties is very specific. The circuits garbled are keyed circuits of the form C[v], where v is some hardcoded value. C itself is public and does not depend on any party. And while v depends on all parties, each bit of v only depends on a constant number of parties! To obtain an input-local MPC protocol, we construct a garbling scheme that has the property that garbling circuits of the form C[v] described above results in a garbled circuit where each bit of the garbled circuit only depends on a constant number of parties. We call such a garbling scheme an input-local garbling scheme. By instantiating the protocol of [31, 35] with this input-local garbling scheme, we are able to arrive at an input-local MPC protocol.

Combiner-Friendly Homomorphic Secret Sharing (CFHSS). In the sketch of our plan for constructing an FE combiner provided above, we wanted to generate function keys for various circuits with respect to nested FE candidates. As an intermediate tool, we introduce the notion of a combiner-friendly homomorphic secret sharing (CFHSS) scheme. Such an abstraction almost immediately gives rise to an FE combiner, but will be useful in simplifying the presentation of the construction.

Informally, a CFHSS scheme consists of input encoding and function encoding algorithms. The input encoding algorithm runs on an input x and outputs input shares \(s_{i,j,k}\) for \(i,j,k \in [n]\) (we define CFHSS schemes for triples of indices, since we will require 3-nestings of FE candidates in our construction). The function encoding algorithm runs on a circuit C and outputs function shares \(C_{i,j,k}\) for \(i,j,k \in [n]\). Then, the decoding algorithm takes as input the evaluation of all shares \(C_{i,j,k}(s_{i,j,k})\) and recovers C(x). Informally, the security notion of a CFHSS scheme says that if the shares corresponding to some index \(i^*\) remain hidden, then the input is hidden to a computationally bounded adversary and only the evaluation C(x) is revealed.

In order to build an FE combiner from a CFHSS scheme, we will encrypt the share \(s_{i,j,k}\) using the nested FE candidate corresponding to indices ijk. To provide a function key for a circuit C, we will issue function keys for the circuit \(C_{i,j,k}\) with respect to the nested candidate corresponding to indices ijk. This allows the decryptor to compute \(C_{i,j,k}(s_{i,j,k})\) for all \(i,j,k\in [n]\), which by the properties of our CFHSS scheme, is sufficient to determine C(x). Note that in order to argue security, we will have to rely on the Trojan method [3].

Organization. We begin by defining functional encryption, secure multi-party computation, and garbling schemes in Sect. 2. Then, in Sect. 3, we define the notion of a functional encryption combiner. In Sect. 4, we define the notion of an input-local MPC protocol and then show how to construct such a protocol. This is done by constructing a specific garbling scheme that, when used to instantiate the garbling scheme used in the protocol of [31, 35], results in an input-local MPC protocol. In Sect. 5, we introduce and define the notion of a combiner-friendly homomorphic secret sharing (CFHSS) scheme and construct such a scheme using an input-local MPC protocol. In Sect. 6, we construct an FE combiner from a CFHSS scheme. Finally, in Sect. 7, we observe that our unconditional FE combiner implies a universal FE scheme.

2 Preliminaries

We denote the security parameter by \(\lambda \). For an integer \(n \in \mathbb {N}\), we use [n] to denote the set \(\{1,2, \ldots , n\}\). We use \(\mathcal {D}_0 \cong _c \mathcal {D}_1\) to denote that two distributions \(\mathcal {D}_0, \mathcal {D}_1\) are computationally indistinguishable. We use \(\mathsf {negl}(\lambda )\) to denote a function that is negligible in \(\lambda \). We use \(y \leftarrow \mathcal {A}\) to denote that y is the output of a randomized algorithm \(\mathcal {A}\), where the randomness of \(\mathcal {A}\) is sampled from the uniform distribution. We write \(\mathcal {A}(x;r)\) to denote the output of \(\mathcal {A}\) when ran on input x with randomness r. We use PPT as an abbreviation for probabilistic polynomial time.

2.1 Functional Encryption

We define the notion of a (secret key) functional encryption candidate and a (secret key) functional encryption scheme. A functional encryption candidate is associated with the correctness requirement, while a secure functional encryption scheme is associated with both correctness and security.

Syntax of a Functional Encryption Candidate/Scheme. A functional encryption (FE) candidate/scheme \(\mathsf {FE}\) for a class of circuits \(\mathcal {C}=\{\mathcal {C}_{\lambda }\}_{\lambda \in \mathbb {N}}\) consists of four polynomial time algorithms \((\mathsf {Setup},\mathsf {Enc},\mathsf {KeyGen}, \mathsf {Dec})\) defined as follows. Let \(\mathcal {X}_{\lambda }\) be the input space of the circuit class \(\mathcal {C}_\lambda \) and let \(\mathcal {Y}_{\lambda }\) be the output space of \(\mathcal {C}_\lambda \). We refer to \(\mathcal {X}_\lambda \) and \(\mathcal {Y}_\lambda \) as the input and output space of the candidate/scheme, respectively.

  • Setup, \(\mathsf {MSK}\leftarrow {\mathsf {FE}{.}\mathsf {Setup}}(1^{\lambda })\): It takes as input the security parameter \(\lambda \) and outputs the master secret key \(\mathsf {MSK}\).

  • Encryption, \(\mathsf {CT}\leftarrow {\mathsf {FE}{.}\mathsf {Enc}}(\mathsf {MSK},m)\): It takes as input the master secret key \(\mathsf {MSK}\) and a message \(m\in \mathcal {X}_{\lambda }\) and outputs \(\mathsf {CT}\), an encryption of m.

  • Key Generation, \(\mathsf {SK}_{C} \leftarrow {\mathsf {FE}{.}\mathsf {KeyGen}}\left( \mathsf {MSK}, C\right) \): It takes as input the master secret key \(\mathsf {MSK}\) and a circuit \(C\in \mathcal {C}_{\lambda }\) and outputs a function key \(\mathsf {SK}_{C}\).

  • Decryption, \(y \leftarrow {\mathsf {FE}{.}\mathsf {Dec}}\left( \mathsf {SK}_C, \mathsf {CT}\right) \): It takes as input a function secret key \(\mathsf {SK}_C\), a ciphertext \(\mathsf {CT}\) and outputs a value \(y\in \mathcal {Y}_{\lambda }\).

Throughout this work, we will only be concerned with uniform algorithms. That is, \((\mathsf {Setup}, \mathsf {Enc},\mathsf {KeyGen}, \mathsf {Dec})\) can be represented as Turing machines (or equivalently uniform circuits).

We describe the properties associated with the above candidate.

Correctness

Definition 1

(Correctness). A functional encryption candidate \(\mathsf {FE}=(\mathsf {Setup},\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec})\) is said to be correct if it satisfies the following property: for every \(C:\mathcal {X}_{\lambda } \rightarrow \mathcal {Y}_\lambda \in \mathcal {C}_{\lambda }, m \in \mathcal {X}_{\lambda }\) it holds that:

$$ \Pr \left[ \begin{array}{c} \mathsf {MSK}\leftarrow {\mathsf {FE}{.}\mathsf {Setup}}(1^{\lambda }) \\ \mathsf {CT}\leftarrow {\mathsf {FE}{.}\mathsf {Enc}}(\mathsf {MSK},m)\\ \mathsf {SK}_C \leftarrow {\mathsf {FE}{.}\mathsf {KeyGen}}(\mathsf {MSK},C) \\ C(m) \leftarrow {\mathsf {FE}{.}\mathsf {Dec}}(\mathsf {SK}_C,\mathsf {CT}) \end{array} \right] \ge 1 - \mathsf {negl}(\lambda ),$$

where the probability is taken over the coins of the algorithms.

IND-Security. We recall indistinguishability-based selective security for FE. This security notion is modeled as a game between a challenger \(\mathsf {Chal}\) and an adversary \(\mathcal {A}\) where the adversary can request functional keys and ciphertexts from \(\mathsf {Chal}\). Specifically, \(\mathcal {A}\) can submit function queries C and \(\mathsf {Chal}\) responds with the corresponding functional keys. \(\mathcal {A}\) can also submit message queries of the form \((x_0, x_1)\) and receives an encryption of messages \(x_b\) for some bit \(b \in \{0,1\}\). The adversary \(\mathcal {A}\) wins the game if she can guess b with probability significantly more than 1/2 and if for all function queries C and message queries \((x_0, x_1)\), \(C(x_0) = C(x_1)\). That is to say, any function evaluation that is computable by \(\mathcal {A}\) gives the same value regardless of b. It is required that the adversary must declare the challenge messages at the beginning of the game.

Definition 2

(IND-secure FE). A secret-key FE scheme \(\mathsf {FE}\) for a class of circuits \(\mathcal {C}=\{\mathcal {C}_{\lambda }\}_{\lambda \in [\mathbb {N}]}\) and message space \(\mathcal {X}=\{\mathcal {X}_{\lambda }\}_{\lambda \in [\mathbb {N}]}\) is selectively secure if for any PPT adversary \(\mathcal {A}\), there exists a negligible function \(\mu (\cdot )\) such that for all sufficiently large \(\lambda \in \mathbb {N}\), the advantage of \(\mathcal {A}\) is

$$\begin{aligned} \mathsf {Adv}_{\mathcal {A}}^{\mathsf {FE}} = \Big | \mathsf {Pr}[\mathsf {Expt}_{\mathcal {A}}^{\mathsf {FE}}(1^{\lambda },0)=1] - \mathsf {Pr}[\mathsf {Expt}_{\mathcal {A}}^{\mathsf {FE}}(1^{\lambda },1)=1] \Big | \le \mu (\lambda ), \end{aligned}$$

where for each \(b \in \{0,1\}\) and \(\lambda \in \mathbb {N}\), the experiment \(\mathsf {Expt}_{\mathcal {A}}^{\mathsf {FE}}(1^{\lambda },b)\) is defined below:

  1. 1.

    Challenge message queries: \(\mathcal {A}\) submits message queries,

    $$ \Big \{(x_0^i, x_1^i)\Big \} $$

    with \(x_{0}^i, x_{1}^i \in \mathcal {X}_{\lambda }\) to the challenger \(\mathsf {Chal}\).

  2. 2.

    \(\mathsf {Chal}\) computes \(\mathsf {MSK}\leftarrow \mathsf {FE}{.}\mathsf {Setup}(1^{\lambda })\) and then computes \(\mathsf {CT}_i \leftarrow \mathsf {FE}{.}\mathsf {Enc}( \mathsf {MSK},x_{b}^{i})\) for all i. The challenger \(\mathsf {Chal}\) then sends \(\{\mathsf {CT}_i\}\) to the adversary \(\mathcal {A}\).

  3. 3.

    Function queries: The following is repeated an at most polynomial number of times: \(\mathcal {A}\) submits a function query \(C\in \mathcal {C}_{\lambda }\) to \(\mathsf {Chal}\). The challenger \(\mathsf {Chal}\) computes \(\mathsf {SK}_{C}\leftarrow \mathsf {FE}{.}\mathsf {KeyGen}({\mathsf {MSK}},C)\) and sends it to \(\mathcal {A}\).

  4. 4.

    If there exists a function query C and challenge message queries \((x_0^i, x_1^i)\) such that \(C(x_{0}^{i}) \ne C(x_1^i)\), then the output of the experiment is set to \(\bot \). Otherwise, the output of the experiment is set to \(b'\), where \(b'\) is the output of \(\mathcal {A}\).

Adaptive Security. The above security notion is referred to as selective security in the literature. One can consider a stronger notion of security, called adaptive security, where the adversary can interleave the challenge messages and the function queries in any arbitrary order. Analogous to Definition 2, we can define an adaptively secure FE scheme. In this paper, we only deal with selectively secure FE schemes. However, the security of these schemes can be upgraded to adaptive with no additional cost [3].

Collusions. We can parameterize the FE candidate by the number of function secret key queries that the adversary can make in the security experiment. If the adversary can only submit an a priori upper bounded q secret key queries, we say that the scheme is q-key secure. We say that the functional encryption scheme is unbounded-key secure if the adversary can make an unbounded (polynomial) number of function secret key queries. In this work, we will allow the adversary to make an arbitrary polynomial number of function secret key queries.

FE Candidates vs. FE Schemes. As defined above, an FE scheme must satisfy both correctness and security, while an FE candidate is simply the set of algorithms. Unless otherwise specified, we will be dealing with FE candidates that satisfy correctness. We will only refer to FE constructions as FE schemes if it is known that the construction satisfies both correctness and security.

2.2 Secure Multi-party Computation

The syntax and security definitions for secure multi-party computation can be found in the full version. In this work, we will deal with protocols that follow a certain structure, introduced in [31, 35], called conforming protocols. The full syntactic definition of conforming protocols can be found in the full version.

2.3 Garbling Schemes

The definition of garbling schemes can be found in the full version.

2.4 Correlated Randomness Model

In the correlated randomness model, two parties \(P_i\) and \(P_j\) are given correlated strings \(r_{i,j}\) and \(r_{j,i}\), respectively. If we set \(r_{i,j} = (k_0, k_1)\) for two strings \(k_0, k_1\) and \(r_{j,i} = (b, k_b)\) for a random bit b and the string \(k_b\), then these two parties can now perform a 2-round information-theoretically secure OT, where \(P_i\) is the sender and \(P_j\) is the receiver. In the first round, the receiver sends \(v = b \oplus c\), where c is the receiver’s choice bit. Then, the sender responds with \((y_0, y_1) = (m_0 \oplus k_v, m_1 \oplus k_{1 \oplus v})\). The receiver can then determine \(m_c\) by computing \(y_c \oplus k_b\).

In this work, we will often say that parties generate correlated randomness necessary to perform a certain number of OTs. By this, we simply mean that the parties repeat the above procedure once for each necessary OT (with the appropriate party as sender/receiver) and use the above 2-round information-theoretically secure OT protocol for each necessary OT.

3 FE Combiners: Definition

In this section, we give a formal definition of an FE combiner. Intuitively, an FE combiner \(\mathsf {FEComb}\) takes n FE candidates, \(\mathsf {FE}_1, \ldots , \mathsf {FE}_n\) and compiles them into a new FE candidate with the property that \(\mathsf {FEComb}\) is a secure FE scheme provided that at least one of the n FE candidates is a secure FE scheme.

Syntax of a Functional Encryption Combiner. A functional encryption combiner \(\mathsf {FEComb}\) for a class of circuits \(\mathcal {C}=\{\mathcal {C}_{\lambda }\}_{\lambda \in \mathbb {N}}\) consists of four polynomial time algorithms \((\mathsf {Setup},\mathsf {Enc},\mathsf {KeyGen},\mathsf {Dec})\) defined as follows. Let \(\mathcal {X}_{\lambda }\) be the input space of the circuit class \(\mathcal {C}_\lambda \) and let \(\mathcal {Y}_{\lambda }\) be the output space of \(\mathcal {C}_\lambda \). We refer to \(\mathcal {X}_\lambda \) and \(\mathcal {Y}_\lambda \) as the input and output space of the combiner, respectively. Furthermore, let \(\mathsf {FE}_1, \ldots , \mathsf {FE}_n\) denote the descriptions of n FE candidates.

  • Setup, \( \mathsf {FEComb}{.}\mathsf {Setup}(1^{\lambda }, \{\mathsf {FE}_i\}_{i \in [n]})\): It takes as input the security parameter \(\lambda \) and the descriptions of n FE candidates \(\{\mathsf {FE}_i\}_{i \in [n]}\) and outputs the master secret key \(\mathsf {MSK}\).

  • Encryption, \(\mathsf {FEComb}{.}\mathsf {Enc}(\mathsf {MSK}, \{\mathsf {FE}_i\}_{i \in [n]}, m)\): It takes as input the master secret key \(\mathsf {MSK}\), the descriptions of n FE candidates \(\{\mathsf {FE}_i\}_{i \in [n]}\), and a message \(m\in \mathcal {X}_{\lambda }\) and outputs \(\mathsf {CT}\), an encryption of m.

  • Key Generation, \( \mathsf {FEComb}{.}\mathsf {Keygen}\left( \mathsf {MSK}, \{\mathsf {FE}_i\}_{i \in [n]}, C\right) \): It takes as input the master secret key \(\mathsf {MSK}\), the descriptions of n FE candidates \(\{\mathsf {FE}_i\}_{i \in [n]}\), and a circuit \(C\in \mathcal {C}_{\lambda }\) and outputs a function key \(\mathsf {SK}_{C}\).

  • Decryption, \(\mathsf {FEComb}{.}\mathsf {Dec}\left( \{\mathsf {FE}_i\}_{i \in [n]}, \mathsf {SK}_C, \mathsf {CT}\right) \): It is a deterministic algorithm that takes as input the descriptions of n FE candidates \(\{\mathsf {FE}_i\}_{i \in [n]}\), a function secret key \(\mathsf {SK}_C\), and a ciphertext \(\mathsf {CT}\) and outputs a value \(y\in \mathcal {Y}_{\lambda }\).

Remark 1

In the formal definition above, we have included \(\{\mathsf {FE}_i\}_{i \in [n]}\), the descriptions of the FE candidates, as input to all the algorithms of \(\mathsf {FEComb}\). For notational simplicity, we will often forgo these inputs and assume that they are implicit.

We now define the properties associated with an FE combiner. The three properties are correctness, polynomial slowdown, and security. Correctness is analogous to that of an FE candidate, provided that the n input FE candidates are all valid FE candidates. Polynomial slowdown says that the running times of all the algorithms of \(\mathsf {FEComb}\) are polynomial in \(\lambda \) and n. Finally, security intuitively says that if at least one of the FE candidates is also secure, then \(\mathsf {FEComb}\) is a secure FE scheme. We provide the formal definitions below.

Correctness

Definition 3

(Correctness). Suppose \(\{\mathsf {FE}_i\}_{i \in [n]}\) are correct FE candidates. We say that an FE combiner is correct if for every circuit \(C:\mathcal {X}_{\lambda } \rightarrow \mathcal {Y}_\lambda \in \mathcal {C}_{\lambda }\), and message \(m \in \mathcal {X}_{\lambda }\) it holds that:

$$ \Pr \left[ \begin{array}{c} \mathsf {MSK}\leftarrow {\mathsf {FEComb}{.}\mathsf {Setup}}(1^{\lambda }, \{\mathsf {FE}_i\}_{i \in [n]}) \\ \mathsf {CT}\leftarrow {\mathsf {FEComb}{.}\mathsf {Enc}}(\mathsf {MSK}, \{\mathsf {FE}_i\}_{i \in [n]}, m)\\ \mathsf {SK}_C \leftarrow {\mathsf {FEComb}{.}\mathsf {Keygen}}(\mathsf {MSK}, \{\mathsf {FE}_i\}_{i \in [n]}, C) \\ C(m) \leftarrow {\mathsf {FEComb}{.}\mathsf {Dec}}(\{\mathsf {FE}_i\}_{i \in [n]}, \mathsf {SK}_C,\mathsf {CT}) \end{array} \right] \ge 1 - \mathsf {negl}(\lambda ),$$

where the probability is taken over the coins of the algorithms and \(\mathsf {negl}(\lambda )\) is a negligible function in \(\lambda \).

Polynomial Slowdown

Definition 4

(Polynomial Slowdown) An FE combiner \(\mathsf {FEComb}\) satisfies polynomial slowdown if on all inputs, the running times of \(\mathsf {FEComb}{.}\mathsf {Setup}, \mathsf {FEComb}{.}\mathsf {Enc}, \mathsf {FEComb}{.}\mathsf {Keygen},\) and \(\mathsf {FEComb}{.}\mathsf {Dec}\) are at most \(\mathsf {poly}(\lambda , n)\), where n is the number of FE candidates that are being combined.

IND-Security

Definition 5

(IND-Secure FE Combiner). An FE combiner \(\mathsf {FEComb}\) is selectively secure if for any set \(\{\mathsf {FE}_i\}_{i \in [n]}\) of correct FE candidates, it satisfies Definition 2, where the descriptions of \(\{\mathsf {FE}_i\}_{i \in [n]}\) are public and implicit in all invocations of the algorithms of \(\mathsf {FEComb}\), if at least one of the FE candidates \(\mathsf {FE}_1, \ldots , \mathsf {FE}_n\) also satisfies Definition 2.

Note that Definition 2 is the IND-security definition for FE.

Robust FE Combiners and Universal FE

Remark 2

We also define the notion of a robust FE combiner. An FE combiner \(\mathsf {FEComb}\) is robust if it is an FE combiner that satisfies the three properties (correctness, polynomial slowdown, and security) associated with an FE combiner when given any set of FE candidates \(\{\mathsf {FE}_i\}_{i \in [n]}\), provided that one is a correct and secure FE candidate. No restriction is placed on the other FE candidates. In particular, they need not satisfy correctness at all.

Robust FE combiners can be used to build a universal functional encryption scheme defined below.

Definition 6

(T-Universal Functional Encryption). We say that an explicit Turing machine \(\varPi _{\mathsf {univ}} = (\varPi _{\mathsf {univ}}{.}\mathsf {Setup}, \varPi _{\mathsf {univ}}{.}\mathsf {Enc}, \varPi _{\mathsf {univ}}{.}\mathsf {KeyGen}, \varPi _{\mathsf {univ}}{.}\mathsf {Dec})\) is a universal functional encryption scheme parametrized by T if \(\varPi _{\mathsf {univ}}\) is a correct and secure FE scheme assuming the existence a correct and secure FE scheme with runtime \(< T\).

4 Input-Local MPC Protocols

As discussed in Sect. 1.2, if we had a “special” MPC protocol, where every bit of the transcript is computable by a deterministic function on a constant number of parties’ inputs and randomness, and the output of the protocol can be computed solely from the transcript, we could use such a protocol to construct an FE combiner. Here, we formally define such a protocol and call it an input-local MPC protocol. Since our goal is to construct FE combiners unconditionally, we do not want to assume the existence of OT, so we will define our input-local MPC protocol in the correlated-randomness model.

4.1 Input-Local Protocol Specification

Let \(\varPhi \) be an MPC protocol for n parties \(P_1, \ldots , P_n\) with inputs \(x_1, \ldots , x_n\) in the correlated randomness model. We can view \(\varPhi \) as a deterministic MPC protocol, where the input of a party \(P_i\) is \((x_i, r_i, (r_{i,j})_{j \ne i})\), where \(r_{i}\) is the randomness used by \(P_i\) and \((r_{i,j}, r_{j,i})\) for \(i \ne j\) is the correlated randomness tuple used between parties \(P_i\) and \(P_j\). \(\varPhi \) is called t-input-local if the following holds:

  • Input-Local Transcript: Let \(\tau \) be a transcript of an execution of \(\varPhi \). Every bit \(\tau _\alpha \) of \(\tau \) can be written as a deterministic function of the inputs, randomness, and correlated randomness dependent on at most t parties. That is, there exists a deterministic function \(f_\alpha \) such that

    $$ \tau _\alpha = f_\alpha \left( (x_i)_{i \in \mathcal {S}_\alpha }, (r_i)_{i \in \mathcal {S}_\alpha }, (r_{i,j})_{i,j \in \mathcal {S}_\alpha }\right) , $$

    where \(|\mathcal {S}_\alpha | \le t\). If \(i \in \mathcal {S}_\alpha \), then \(\tau _\alpha \) depends on party \(P_i\).

  • Publicly Recoverable Output: Given a transcript \(\tau \) of an execution of \(\varPhi \), there exists a function \(\mathsf {Eval}\) such that the output of the protocol \(\varPhi \) for all parties is given by

    $$ y = \mathsf {Eval}(\tau ). $$

  • Security: \(\varPhi \) is simulation secure against \(n -1\) semi-honest corruptions, assuming the existence of one-way functions.

No MPC protocol in the literature for all polynomial-sized circuits in the correlated randomness model satisfies the specification of a t-input-local MPC protocol for a constant t. However, the protocols of [31, 35] come “close”, and we show that with a simple transformation, the protocol of [31, 35] can be made t-input-local.

[31, 35] show the following.

Theorem 2

([31, 32, 35]). Assuming one-way functions, for any circuit C, there exists a 2-round MPC protocol in the correlated randomness model that is secure against semi-honest adversaries that can corrupt up to \(n-1\) parties.

The MPC protocol satisfying Theorem 2 is the MPC protocol of [35] modified to operate in the correlated randomness model. In [31], they additionally modify the protocol of [35] in other ways, since the focus of [31] is on achieving information-theoretic security for smaller circuit classes and better efficiency. However, one can simply modify the protocol of [35] to operate in the correlated randomness model without making the additional modifications present in [31], a fact which we confirmed with the authors [32].

The MPC protocol of Theorem 2 is not input-local, but can be made input-local via a simple modification. At a high level, the reason that the above protocol is not input-local is because parties \(P_i\), as part of the protocol, send garbled circuits of circuits C[v] that have values v hardcoded in them that depend on \((r_{i,j})_{j \ne i}\), the correlated randomness between \(P_i\) and all other parties. As a result, these garbled circuits depend on all parties, and thus, the protocol is not input-local for a constant t. Fortunately, this issue is easily fixable by instantiating the garbling scheme used by the protocol in a specific manner. We consider the garbling scheme for keyed circuits that garbles C[v] by applying Yao’s garbling scheme to the universal circuit U, where \(U(C, v, x) = C[v](x)\). The garbled circuit of this new scheme consists of \(\hat{U}\), the Yao garbling of U, along with input labels corresponding to C and v. The input labels of this new scheme are the input labels corresponding to x. Observe now that \(\hat{U}\) and the input labels for C are clearly input-local, since they only depend on the party \(P_i\) that is garbling. Furthermore, since every bit of v only depends on a constant number of parties, each input label for each bit of v also depends on a constant number of parties, giving us an input-local protocol.

Formally, consider the following garbling scheme.

Definition 7

(Input-Local Garbling Scheme). Let \(\mathsf {GC}= (\mathsf {GrbC}, \mathsf {EvalGC})\) denote the standard Yao garbling scheme [53] for poly-sized circuits. Let \(\mathcal {C}\) be a class of keyed circuits with keyspace \(\mathcal {V}\). Let the description length of any \(C \in \mathcal {C}\) be \(\ell _1\) and of any \(v \in \mathcal {V}\) be \(\ell _2\). Let the input length of any circuit \(C \in \mathcal {C}\) be \(\ell _3\). Let \(\ell = \ell _1 + \ell _2 + \ell _3\). Let \(C_i\), \(v_i\) denote the ith bit of the description of C, v, respectively. Let \(\mathsf {GC}' = (\mathsf {GrbC}', \mathsf {EvalGC}')\) be a garbling scheme for the class of keyed circuits \(\mathcal {C}\) defined as follows:

  • Garbled Circuit Generation, \(\mathsf {GrbC}'(1^\lambda , C[v])\): Let U be the universal circuit that, on input (Cvx) with \(|C| = \ell _1\), \(|v| = \ell _2\), and \(|x| = \ell _3\), computes C[v](x). Compute \((\hat{U}, (\mathbf {k}_1, \ldots , \mathbf {k}_{\ell })) \leftarrow {\mathsf {GrbC}}(1^\lambda , U)\). Output

    $$((\hat{U}, k_1^{C_1}, \ldots , k_{\ell _1}^{C_{\ell _1}}, k_{\ell _1 + 1}^{v_1}, \ldots , k_{\ell _1 + \ell _2}^{v_{\ell _2}}), (\mathbf {k}_{\ell _1 + \ell _2 + 1}, \ldots , \mathbf {k}_{\ell })). $$

  • Evaluation, \(\mathsf {EvalGC}'(\widehat{C[v]}, (k_1^{x_1}, \ldots , k_{\ell _3}^{x_{\ell _3}}))\): Parse \(\widehat{C[v]}\) as \((\hat{U}, (k_1, k_2, \ldots , k_{\ell _1 + \ell _2}))\). Run

    $$ \mathsf {EvalGC}(\hat{U}, (k_1, \ldots , k_{\ell _1 + \ell _2}, k_1^{x_1}, \ldots , k_{\ell _3}^{x_{\ell _3}})) $$

    and output the result.

Correctness of the above garbling scheme follows immediately from the correctness of Yao’s garbling scheme and the definition of U. In particular, for every keyed circuit C[v], for any \(x \in \{0,1\}^{\ell _3}\), \(\mathsf {EvalGC}'\) runs \(\mathsf {EvalGC}\) on \(\hat{U}\) with input labels corresponding to (Cvx), giving \(U(C,v,x) = C[v](x)\) as desired.

Theorem 3

The garbling scheme of Definition 7 is secure.

Proof

Let \(\mathsf {SimGC}\) be the simulator for Yao’s garbling scheme. The simulator \(\mathsf {SimGC}'\) operates as follows. Run

$$ (\hat{U}, (k_1, \ldots , k_\ell )) \leftarrow {\mathsf {SimGC}}(1^\lambda , \phi (U), C[v](x)) $$

and output

$$ ((\hat{U}, k_1, \ldots , k_{\ell _1 + \ell _2}), (k_{\ell _1 + \ell _2 + 1}, \ldots , k_\ell )). $$

Suppose there exists an adversary \(\mathcal {A}\) that can distinguish the output of \(\mathsf {SimGC}'\) from the real execution. Then, consider the adversary \(\mathcal {A}'\) that breaks the security of Yao’s garbling scheme by simply querying its challenger on the pair (U, (Cvx)), rearranging the components of its received challenge to match the output of \(\mathsf {SimGC}'\), and running \(\mathcal {A}\). \(\mathcal {A}'\) outputs the result of \(\mathcal {A}\). \(\mathcal {A}'\) simulates the role of \(\mathcal {A}\)’s challenger exactly and, therefore, must win with nonnegligible advantage, a contradiction.    \(\square \)

Armed with the above garbling scheme, we are able to obtain an input-local MPC protocol. By taking the MPC protocol of Theorem 2 and instantiating the underlying garbling scheme with the one from Definition 7, we arrive at the following result.

Theorem 4

Assuming one-way functions, there exists a 3-input-local MPC protocol for any poly-sized circuit C.

Proof

The proof is included in the full version.

5 Combiner-Friendly Homomorphic Secret Sharing Schemes

As an intermediate step in our construction of an FE combiner, we define and construct what we call a combiner-friendly homomorphic secret sharing scheme (CFHSS). Informally, a CFHSS scheme consists of input encoding and function encoding algorithms. The input encoding algorithm runs on an input x and outputs input shares \(s_{i,j,k}\) for \(i,j,k \in [n]\). The function encoding algorithm runs on a circuit C and outputs function shares \(C_{i,j,k}\) for \(i,j,k \in [n]\). Then, the decoding algorithm takes as input the evaluation of all shares \(C_{i,j,k}(s_{i,j,k})\) and recovers C(x). Looking ahead, our CFHSS scheme has several properties that will be useful in constructing an FE combiner. Recall that the high-level idea of our construction was to view each FE candidate as a party \(P_i\) in an MPC protocol. In our construction of a CFHSS scheme, each input and function share depends on only the state of a constant number of parties. In particular, share \(s_{i,j,k}\) will depend only on the state of parties \(P_i, P_j\), and \(P_k\). Informally, the security notion of a CFHSS scheme says that if the shares corresponding to some index \(i^*\) remain hidden, then the input is hidden to a computationally bounded adversary and only the evaluation C(x) is revealed.

5.1 Definition

Definition 8

A combiner-friendly homomorphic secret sharing scheme, \(\mathsf {CFHSS}=(\mathsf {InpEncode}, \mathsf {FuncEncode}, \mathsf {Decode})\), for a class of circuits \(\mathcal {C}= \{\mathcal {C}_{\lambda }\}_{\lambda \in \mathbb {N}}\) with input space \(\mathcal {X}_{\lambda }\) and output space \(\mathcal {Y}_{\lambda }\) supporting \(n \in \mathbb {N}\) candidates consists of the following polynomial time algorithms:

  • Input Encoding, \(\mathsf {InpEncode}(1^{\lambda }, 1^n, x)\): It takes as input the security parameter \(\lambda \), the number of candidates n, and an input \(x \in \mathcal {X}_{\lambda }\) and outputs a set of input shares \(\{s_{i,j,k}\}_{i, j, k \in [n]}\).

  • Function Encoding, \(\mathsf {FuncEncode}(1^\lambda , 1^n, C)\): It is an algorithm that takes as input the security parameter \(\lambda \), the number of candidates n, and a circuit \(C \in \mathcal {C}\) and outputs a set of function shares \(\{C_{i,j,k}\}_{i,j,k \in [n]}\).

  • Decoding, \(\mathsf {Decode}(\{C_{i,j,k}(s_{i,j,k})\}_{i,j,k \in [n]})\): It takes as input a set of evaluations of function shares on their respective input shares and outputs a value \(y \in \mathcal {Y}_{\lambda } \cup \{\bot \}\).

A combiner-friendly homomorphic secret sharing scheme, \(\mathsf {CFHSS}\), is required to satisfy the following properties:

  • Correctness: For every \(\lambda \in \mathbb {N}\), circuit \(C \in \mathcal {C}_\lambda \), and input \(x \in \mathcal {X}_\lambda \), it holds that:

    $$ \Pr \left[ \begin{array}{c} \{s_{i,j,k}\}_{i,j,k \in [n]} \leftarrow {\mathsf {InpEncode}}(1^\lambda , 1^n, x) \\ \{C_{i,j,k}\}_{i,j,k \in [n]} \leftarrow {\mathsf {FuncEncode}}(1^\lambda , 1^n, C)\\ C(x) \leftarrow {\mathsf {Decode}}(\{C_{i,j,k}(s_{i,j,k})\}_{i,j,k \in [n]}) \end{array} \right] \ge 1 - \mathsf {negl}(\lambda ),$$

    where the probability is taken over the coins of the algorithms and \(\mathsf {negl}(\lambda )\) is a negligible function in \(\lambda \).

  • Security:

Definition 9

(IND-secure \(\mathsf {CFHSS}\)). A combiner-friendly homomorphic secret sharing scheme \(\mathsf {CFHSS}\) for a class of circuits \(\mathcal {C}=\{\mathcal {C}_{\lambda }\}_{\lambda \in [\mathbb {N}]}\) and input space \(\mathcal {X}=\{\mathcal {X}_{\lambda }\}_{\lambda \in [\mathbb {N}]}\) is selectively secure if for any PPT adversary \(\mathcal {A}\), there exists a negligible function \(\mu (\cdot )\) such that for all sufficiently large \(\lambda \in \mathbb {N}\), the advantage of \(\mathcal {A}\) is

$$\begin{aligned} \mathsf {Adv}_{\mathcal {A}}^{\mathsf {CFHSS}} = \Big | \mathsf {Pr}[\mathsf {Expt}_{\mathcal {A}}^{\mathsf {CFHSS}}(1^{\lambda }, 1^n, 0)=1] - \mathsf {Pr}[\mathsf {Expt}_{\mathcal {A}}^{\mathsf {CFHSS}}(1^{\lambda },1^n, 1)=1] \Big | \le \mu (\lambda ), \end{aligned}$$

where for each \(b \in \{0,1\}\) and \(\lambda \in \mathbb {N}\) and \(n \in \mathbb {N}\), the experiment \(\mathsf {Expt}_{\mathcal {A}}^{\mathsf {CFHSS}}(1^{\lambda },1^n, b)\) is defined below:

  1. 1.

    Secure share: \(\mathcal {A}\) submits an index \(i^* \in [n]\) that it will not learn the input shares for.

  2. 2.

    Challenge input queries: \(\mathcal {A}\) submits input queries,

    $$ \Big (x_0^\ell , x_1^\ell \Big )_{\ell \in [L]} $$

    with \(x_{0}^\ell , x_{1}^\ell \in \mathcal {X}_{\lambda }\) to the challenger \(\mathsf {Chal}\), where \(L = \mathsf {poly}(\lambda )\) is chosen by \(\mathcal {A}\).

  3. 3.

    For all \(\ell \), \(\mathsf {Chal}\) computes \(\{s^\ell _{i,j,k}\}_{i,j,k \in [n]} \leftarrow {\mathsf {InpEncode}}(1^\lambda , 1^n, x_b^\ell )\). For all \(\ell \), the challenger \(\mathsf {Chal}\) then sends \(\{s^\ell _{i,j,k}\}_{i,j,k \in [n] \backslash \{i^*\}}\), the input shares that do not correspond to \(i^*\), to the adversary \(\mathcal {A}\).

  4. 4.

    Function queries: The following is repeated an at most polynomial number of times: \(\mathcal {A}\) submits a function query \(C\in \mathcal {C}_{\lambda }\) to \(\mathsf {Chal}\). The challenger \(\mathsf {Chal}\) computes function shares \(\{C_{i,j,k}\}_{i,j,k \in [n]} \leftarrow {\mathsf {FuncEncode}}(1^\lambda , 1^n, C)\) and sends them to \(\mathcal {A}\) along with all evaluations \(\{C_{i,j,k}(s^\ell _{i,j,k})\}_{i,j,k \in [n]}\) for all \(\ell \in [L]\).

  5. 5.

    If there exists a function query C and challenge message queries \((x_0^\ell , x_1^\ell )\) such that \(C(x_{0}^{\ell }) \ne C(x_1^\ell )\), then the output of the experiment is set to \(\bot \). Otherwise, the output of the experiment is set to \(b'\), where \(b'\) is the output of \(\mathcal {A}\).

5.2 Construction

Using 3-input-local MPC protocols \(\{\varPhi _C\}\) for a circuit class \(\mathcal {C}\) and a PRF, we will construct a combiner-friendly homomorphic secret sharing scheme for \(\mathcal {C}\). For a circuit \(C \in \mathcal {C}\) and number of parties n, we say that \(\varPhi _C\) is an MPC protocol for C on n parties if it computes the function \(C(x_1 \oplus \ldots \oplus x_n)\) on inputs \(x_1, \ldots , x_n\).

Formally, we show the following.

Theorem 5

Given 3-input-local MPC protocols \(\{\varPhi _C\}\) for a circuit class \(\mathcal {C}\) and assuming one-way functions, there exists a combiner-friendly homomorphic secret sharing scheme for \(\mathcal {C}\) for \(n = \mathsf {poly}(\lambda )\) candidates.

Using Theorem 4 to instantiate the 3-input-local MPC protocols, we immediately arrive at the following.

Theorem 6

Assuming one-way functions, there exists a combiner-friendly homomorphic secret sharing scheme for \(\mathsf {P}/\mathsf {poly}\) for \(n = \mathsf {poly}(\lambda )\) candidates.

Notation:

  • Let \(\mathsf {PRF}\) be a pseudorandom function with \(\lambda \)-bit keys that takes \(\lambda \)-bit inputs and outputs in \(\{0,1\}^*\). \(\mathsf {PRF}\) will be used to generate the randomness needed for various randomized algorithms. As the length of randomness needed varies by use case (but is always polynomial in length), we don’t specify the output length of \(\mathsf {PRF}\) here and the output length needed will be clear from context. It is easy to build our required pseudorandom function from one with a fixed length output. Let \(\mathsf {PRF}'\) be a pseudorandom function that maps \(\{0,1\}^{2 \lambda }\)-bit inputs to a single output bit in \(\{0,1\}\). Then, to evaluate \(\mathsf {PRF}(K, x)\) to an appropriate output length \(\ell \), we would simply compute the output bit by bit by evaluating \(\mathsf {PRF}'(K,x||1), \mathsf {PRF}'(K,x||2), \ldots , \mathsf {PRF}'(K,x||\ell )\). When we write \((r_1, r_2, r_3) := \mathsf {PRF}(K, x)\), we mean that we generate the randomness needed for three different algorithms using this PRF, where the length of each \(r_i\) depends on the amount of randomness needed by the algorithm. This can be done in the same manner, by computing \(r_i\) bit by bit by evaluating \(\mathsf {PRF}'(K,x||i||1), \mathsf {PRF}'(K,x||i||2), \ldots \) etc.

  • For a 3-input-local protocol \(\varPhi \) for a circuit \(C \in \mathcal {C}\), we use the same syntax as in Sect. 4 to refer to the various components and algorithms associated with this protocol. We implicitly assume that the description of the 3-input-local protocol \(\varPhi \) for C is included in the descriptions of the function shares for C.

  • Let \(\mathsf {Corr}(1^\lambda , 1^\ell , i,j) \rightarrow (r_{i,j}, r_{j,i})\) be the function that on input the security parameter \(\lambda \), a length parameter \(\ell \), and indices \(i \ne j \in [n]\) outputs correlated random strings \(r_{i,j}\) and \(r_{j,i}\) each in \(\{0,1\}^\ell \). We will assume that \(i < j\) and if not, we implicitly assume that the indices are swapped when evaluating the algorithm. Looking ahead, \(\ell \) is set as the the length of the correlated randomness required between two parties in the execution of the 3-input-local protocol. For simplicity, we will omit the parameter \(\ell \) in the description below when it is clear from the context. We note that \(\mathsf {Corr}\) can be implemented by generating random OT-correlations.

  • In the construction, for simplicity, we will denote input and function shares for the tuple of indices (iii) by \(s_i\) and \(C_i\), respectively. Similarly, we will denote the input and function shares for the tuple of indices (iji) with \(i \ne j\) by \(s_{i,j}\) and \(C_{i,j}\), respectively. We will denote input and function shares for the tuple of indices (ijk) with \(i \ne j \ne k\) by \(s_{i,j,k}\) and \(C_{i,j,k}\) respectively. All other input and function shares are set to \(\bot \).

Overview: We provided a sketch of our construction in Sect. 1.2. Here, we provide more details to assist in the understanding of our construction. The input encoding algorithm will take an input x, n-out-of-n secret share it into shares \(x_1, \ldots , x_n\), sample PRF keys \(K_i\) for \(i \in [n]\) and shared PRF keys \(K_{ij}\) for \(i < j\in [n]\). Shares of the form \(s_i\) will be \((x_i, K_i)\), shares of the form \(s_{i,j}\) will be \((x_i, x_j, K_i, K_j, K_{ij})\), and shares of the form \(s_{i,j,k}\) will be \((x_i, x_j, x_k, K_i, K_j, K_k, K_{ij}, K_{ik}, K_{jk})\). These will serve as the inputs to the function shares \(\{C_{i,j,k}\}_{i,j,k \in [n]}\). Intuitively, a share \(s_{i,j,k}\) (or \(s_{i,j}\) or \(s_i\)) contains all the input shares and PRF keys that correspond to the indices ijk (or ij or i).

The description of function shares of the form \(C_i\), \(C_{i,j}\), and \(C_{i,j,k}\) is given in Fig. 3, Fig. 4, and Fig. 5, respectively. The purpose of \(C_i\), \(C_{i,j}\), and \(C_{i,j,k}\) is to simply output input-local bits in the transcript of \(\varPhi _C\) dependent on either only \(P_i\), the two parties \(P_i\) and \(P_j\), or the three parties \(P_i, P_j, P_k\), respectively.

Given evaluations of all the function shares, decoding operates by using the evaluations to obtain a transcript \(\tau \) of an execution of \(\varPhi _C\) and then running the evaluation procedure of \(\varPhi _C\).

Construction: We now provide the formal construction.

  • Input Encoding, \(\mathsf {InpEncode}(1^{\lambda }, 1^n, x)\):

    • XOR secret share x uniformly at random across n shares such that \(x_1 \oplus \ldots \oplus x_n = x\).

    • For \(i \le j \in [n]\), sample distinct PRF keys \(K_{ij}\). For \(i > j \in [n]\), set \(K_{ij} = K_{ji}\). Set \(K_i = K_{ii}\).

    • For \(i \in [n]\), set \(s_{i} = (x_i, K_{i})\).

    • For \(i,j \in [n]\) with \(i < j\), set \(s_{i,j} = (x_i, x_j, K_{i}, K_{j}, K_{ij})\).

    • For \(i,j,k \in [n]\) with \(i< j < k\), set \(s_{i,j,k} = (x_i, x_j, x_k, K_i, K_j, K_k, K_{ij}, K_{ik}, K_{jk})\).

    • Set all other shares to \(\bot \).

    • Output all shares \(\{s_{i,j,k}\}_{i,j,k \in [n]}\).

  • Function Encoding, \(\mathsf {FuncEncode}(1^\lambda , 1^n, C)\): Let \(\varPhi \) denote the 3-input-local MPC protocol for C on n parties. For every bit \(\tau _\alpha \) in \(\tau \), a transcript of \(\varPhi \), let \(\mathcal {S}_\alpha \) denote the set of parties that \(\tau _\alpha \) depends on and \(f_\alpha \) be the function that computes \(\tau _\alpha \) with respect to these parties’ inputs and randomness (see Sect. 4).

    • Sample tag

      \(\mathsf {tag}_\mathsf {rand}\) from \(\{0,1\}^\lambda \), uniformly at random.

    • For \(i \in [n]\), function share \(C_{i}\) is given by circuit \(C_i\) in Fig. 3.

    • For \(i,j \in [n]\) with \(i < j\), function share \(C_{i,j}\) is given by circuit \(C_{i,j}\) in Fig. 4.

    • For \(i,j,k \in [n]\) with \(i< j < k\), function share \(C_{i,j,k}\) is given by circuit \(C_{i,j,k}\) in Fig. 5.

    • Set all other function shares to \(\bot \) and output \(\{C_{i,j,k}\}_{i,j,k \in [n]}\).

  • Decoding, \(\mathsf {Decode}(\{C_{i,j,k}(s_{i,j,k})\}_{i,j,k \in [n]})\): It does the following:

    • Rearrange all input-local bits \(\tau _\alpha \) output by the function shares to obtain \(\tau \), the transcript of an execution of \(\varPhi \).

    • Run \(\mathsf {Eval}(\tau )\) to obtain the output y.

Fig. 3.
figure 3

Description of function share \(C_{i}\).

Full size image
Fig. 4.
figure 4

Description of function share \(C_{i,j}\).

Full size image
Fig. 5.
figure 5

Description of circuit \(C_{i,j,k}\).

Full size image

Correctness: Correctness follows from the correctness of the underlying set of 3-input-local MPC protocols \(\{\phi _C\}\). In particular, for any circuit \(C \in \mathcal {C}_\lambda \) and input \(x \in \mathcal {X}_\lambda \), we note that the \(\mathsf {Decode}\) algorithm obtains \(\tau \), the transcript of an execution of \(\phi _C\). Therefore, by running \(\mathsf {Eval}\) on \(\tau \), \(\mathsf {Decode}\) obtains

$$ y = C(x_1 \oplus \ldots \oplus x_n) = C(x) $$

as desired.

Security: The security proof can be found in the full version.

6 Construction of an FE Combiner from a CFHSS Scheme

In this section, we show how to use a CFHSS scheme and one-way functions to construct an FE combiner. Instantiating the CFHSS scheme with the construction in Sect. 5 and the one-way function with the concatenation of the one-way function candidates implied by our FE candidates (as described in Sect. 1.2), we arrive at the following result.

Theorem 7

There exists an unconditionally secure unbounded-key FE combiner for \(n = \mathsf {poly}(\lambda )\) FE candidates for \(\mathsf {P}/\mathsf {poly}\).

In the rest of this section, we show Theorem 7.

6.1 d-Nested FE

A tool used in our construction is d-nested FE (for \(d = 3\)). d-nested FE is a new FE candidate that can be created easily from d FE candidates by simply encrypting in sequence using the d FE candidates. Intuitively, this new FE candidate will be secure as long as one of the d candidates is secure since an adversary should be unable to break the encryption of the secure candidate. d-nested FE can be viewed as an FE combiner that can only handle a constant number of FE candidates since the runtime of its algorithms may depend exponentially on d. The construction and proof of d-nested FE can be found in the full version.

6.2 Construction

We now formally describe the construction. First, we provide some notation that will be used throughout the construction.

Notation:

  • Let \(\mathsf {FE}_1, \ldots , \mathsf {FE}_n\) denote n FE candidates. In the following construction, we assume that the descriptions \(\{\mathsf {FE}_i\}_{i \in [n]}\) are implicit in all the algorithms of \(\mathsf {FEComb}\).

  • Let \(\mathsf {FE}_{ijk}\) denote the 3-nested FE candidate derived by nesting \(\mathsf {FE}_i\), \(\mathsf {FE}_j\), and \(\mathsf {FE}_k\).

  • Let \(\mathsf {CFHSS}= (\mathsf {InpEncode}, \mathsf {FuncEncode}, \mathsf {Decode})\) be a combiner-friendly homomorphic secret sharing scheme. Let \(\ell _{\text {output}}\) denote the length of the outputs obtained from the evaluation of function shares on input shares.

  • Let \(\mathsf {E}\) be any \(\lambda \)-bit CPA-secure secret-key encryption scheme with message space \(\{0,1\}^{\ell _{\text {output}}}\).

  • Let \(\ell _x = \ell _x(\lambda )\) denote the length of the messages and let \(\ell _{\mathsf {E}} = \ell _{\mathsf {E}}(\lambda )\) denote the length of the encryption key for the scheme \(\mathsf {E}\).

Construction:

  • \(\mathsf {FEComb}{.}\mathsf {Setup}(1^{\lambda }){:}\) On input the security parameter, it runs \(\mathsf {FE}_{ijk}{.}\mathsf {Setup}(1^{\lambda })\) for \(i,j,k \in [n]\) and \(\mathsf {E}{.}\mathsf {SK}\leftarrow {\mathsf {E}}{.}\mathsf {Setup}(1^\lambda )\). It outputs \(\mathsf {MSK}= (\{\mathsf {MSK}_{ijk}\}_{i,j,k \in [n]}, \mathsf {E}{.}\mathsf {SK})\).

  • \(\mathsf {FEComb}.\mathsf {Enc}(\mathsf {MSK}, x \in \{0,1\}^{\ell _x} ){:}\) It executes the following steps.

    • First, encode x into \(n^3\) shares by running \(\mathsf {CFHSS}{.}\mathsf {InpEncode}(1^\lambda , 1^n, x)\) to compute \(\{s_{i,j,k}\}_{i,j,k \in [n]}\). Then, for all \(i,j,k \in [n]\), compute

      $$ \mathsf {CT}_{ijk} = \mathsf {FE}_{ij}{.}\mathsf {Enc}\left( \mathsf {MSK}_{ijk}, (s_{i,j,k}, 0^{\ell _{\mathsf {E}}}, 0)\right) . $$

    • Output \(\mathsf {CT}= \{\mathsf {CT}_{ijk}\}_{i,j,k \in [n]}\).

  • \(\mathsf {FEComb}{.}\mathsf {KeyGen}(\mathsf {MSK}, C ){:}\) It executes the following steps.

    • For all \(i,j,k \in [n]\), it computes \(c_{i,j,k} \leftarrow {\mathsf {E}}{.}\mathsf {Enc}(\mathsf {E}{.}\mathsf {SK}, 0^{\ell _{\text {output}}})\), where \(\ell _{\text {output}}\) is the length of evaluations of function shares on input shares of \(\mathsf {CFHSS}\).

    • It computes \(\{C_{i,j,k}\}_{i, j,k \in [n]} \leftarrow {\mathsf {CFHSS}}{.}\mathsf {FuncEncode}(1^\lambda , 1^n, C)\).

    • For all \(i,j,k \in [n]\), it computes \(\mathsf {SK}_{H_{i,j,k}} \leftarrow {\mathsf {FE}}_{ijk}{.}\mathsf {KeyGen}\left( \mathsf {MSK}_{ijk}, H_{i,j,k}\right) \), where circuit \(H_{i,j,k}\) is described in Fig. 6.

    • It outputs \(\mathsf {SK}_C = (\{\mathsf {SK}_{H_{i,j,k}}\}_{i,j,k \in [n]})\).

  • \(\mathsf {FEComb}{.}\mathsf {Dec}(\mathsf {SK}_C, \mathsf {CT}){:}\) Parse \(\mathsf {SK}_C\) as \((\{\mathsf {SK}_{H_{i,j,k}}\}_{i,j,k \in [n]})\) and \(\mathsf {CT}\) as \(\{\mathsf {CT}_{ijk}\}_{i,j,k \in [n]}\). For all \(i,j,k \in [n]\), compute \(y_{i,j,k} = \mathsf {FE}_{ijk}{.}\mathsf {Dec}(\mathsf {SK}_{H_{i,j,k}}, \mathsf {CT}_{ijk})\).

    Run \(\mathsf {CFHSS}.\mathsf {Decode}(\{y_{i,j,k}\}_{i,j,k \in [n]})\) and output the result.

Correctness: Correctness follows from the correctness of \(\mathsf {CFHSS}\) and the fact that all correct encryptions are encryptions of messages of the form \((s_{i,j,k}, 0^{\ell _{\mathsf {E}}}, 0)\). In particular, for all \(i, j,k \in [n]\), \(H_{i,j,k}(s_{i,j,k}, 0^{\ell _{\mathsf {E}}}, 0) = C_{i,j,k}(s_{i,j,k})\) and then \(\mathsf {CFHSS}{.}\mathsf {Decode}(\{C_{i,j,k}(s_{i,j,k})\}_{i,j,k \in [n]}) = C(x)\) by the correctness of \(\mathsf {CFHSS}\).

Polynomial Slowdown: The fact that all the algorithms of \(\mathsf {FEComb}\) run in time \(\mathsf {poly}(\lambda , n)\) is immediate from the efficiency of the FE candidates, \(\mathsf {CFHSS}\), and \(\mathsf {E}\) and the fact that there are \(n^3 = \mathsf {poly}(n)\) different tuples (ijk) for \(i,j,k \in [n]\).

Fig. 6.
figure 6

Description of the evaluation circuit.

Full size image

6.3 Security Proof

The security proof can be found in the full version.

7 Robust FE Combiners and Universal FE

We can consider a stronger notion of an FE combiner called a robust FE combiner. A robust FE combiner is an FE combiner that satisfies correctness and security provided that at least one FE candidate, \(\mathsf {FE}_i\), satisfies both correctness and security. No restrictions are placed on the other FE candidates. In particular, they may satisfy neither correctness nor security. We note that the FE combiner constructed in Sect. 6 is not robust. However, [2] showed how to unconditionally transform an FE combiner into a robust FE combiner.

Theorem 8

([2]). If there exists an FE combiner, then there exists a robust FE combiner.

Combining Theorem 8 with Theorem 7, we obtain the following corollary.

Corollary 3

There exists an unconditionally secure unbounded-key robust FE combiner for \(n = \mathsf {poly}(\lambda )\) FE candidates for \(\mathsf {P}/\mathsf {poly}\).

Universal Functional Encryption: Robust FE combiners are closely related to the notion of universal functional encryption. Universal functional encryption is a construction of functional encryption satisfying the following simple guarantee. If there exists a Turing Machine with running time bounded by some \(T(n) = \mathsf {poly}(n)\) that implements a correct and secure FE scheme, then the universal functional encryption construction is itself a correct and secure FE scheme. Using the existence of a robust FE combiner (Corollary 3) and the results of [2, 5], we obtain the following corollary.

Corollary 4

There exists a universal unbounded-key functional encryption scheme for \(\mathsf {P}/\mathsf {poly}\).