International Association for Cryptologic Research

International Association
for Cryptologic Research

IACR News item: 20 November 2015

Shweta Agrawal, Benoit Libert, Damien Stehle
ePrint Report ePrint Report
Functional encryption is a modern public-key paradigm where a master

secret key can be used to derive sub-keys $SK_F$ associated with

certain functions $F$ in such a way that the decryption operation

reveals $F(M)$, if $M$ is the encrypted message, and nothing

else. Recently, \\mbox{Abdalla} {\\it et al.} gave simple and

efficient realizations of the primitive for the computation of

linear functions on encrypted data: given an encryption of a vector

$\\vec{y}$ over some specified base ring, a secret key $SK_{\\vec{x}}$ for the vector $\\vec{x}$ allows computing $\\langle \\vec{x} ,\\vec{y} \\rangle$. Their technique surprisingly allows for instantiations under standard assumptions, like the hardness of the Decision Diffie-Hellman (DDH) and Learning-with-Errors (LWE) problems. Their constructions, however, are only proved secure against selective adversaries, which have to declare the challenge messages $M_0$ and $M_1$ at the outset of the game.

In this paper, we provide constructions that provably achieve security

against more realistic {\\it adaptive} attacks (where the messages

$M_0$ and $M_1$ may be chosen in the challenge phase, based on the

previously collected information) for the same inner product functionality. Our constructions are obtained from hash proof systems endowed with homomorphic properties over the key space. They are (almost) as efficient as those of Abdalla {\\it et al.} and rely on the same hardness assumptions.

In addition, we obtain a solution based on Paillier\'s composite

residuosity assumption, which was an open problem even in the case

of selective adversaries. We also propose $\\LWE$-based schemes that

allow evaluation of inner products modulo a prime~$p$, as opposed to

the schemes of Abdalla {\\it et al.} that are restricted to evaluations of integer inner products of short integer vectors. We finally propose a solution based on Paillier\'s composite residuosity

assumption that enables evaluation of inner products modulo an RSA integer $N = pq$.

We demonstrate that the functionality of inner products over a prime field is very powerful and can be used to construct bounded collusion FE for all circuits.

Expand

Additional news items may be found on the IACR news page.