Decentralized Multi-Client Functional Encryption for Inner Product


This paper is a slight variant of the Extended Abstract that appears in Advances in Cryptology ASIACRYPT 2018 (December 2-6, Brisbane, Australia) Springer-Verlag, LNCS?????, pages??????.

Decentralized Multi-Client Functional Encryption for Inner Product

Jérémy Chotard 1,2,3, Edouard Dufour Sans 2,3, Romain Gay 2,3, Duong Hieu Phan 1, and David Pointcheval 2,3
1 XLIM, University of Limoges, CNRS
2 DIENS, École normale supérieure, CNRS, PSL University, Paris, France
3 INRIA, Paris, France
{jeremy.chotard,edufoursans,romain.gay,duong-hieu.phan,david.pointcheval}@ens.fr

Abstract. We consider a situation where multiple parties, owning data that have to be frequently updated, agree to share weighted sums of these data with some aggregator, but where they do not wish to reveal their individual data, and do not trust each other. We combine techniques from Private Stream Aggregation (PSA) and Functional Encryption (FE), to introduce a primitive we call Decentralized Multi-Client Functional Encryption (DMCFE), for which we give a practical instantiation for Inner Product functionalities. This primitive allows various senders to non-interactively generate ciphertexts which support inner-product evaluation, with functional decryption keys that can also be generated non-interactively, in a distributed way, among the senders. Interactions are required during the setup phase only. We prove adaptive security of our constructions, while allowing corruptions of the clients, in the random oracle model.

Keywords. Decentralized, Multi-Client, Functional Encryption, Inner Product.

1 Introduction

Functional Encryption (FE) [9, 15, 18, 28] is a new paradigm for encryption which extends the traditional all-or-nothing requirement of Public-Key Encryption in a much more flexible way. FE allows users to learn specific functions of the encrypted data: for any function f from a class F, a functional decryption key dk_f can be computed such that, given any ciphertext c with underlying plaintext x, using dk_f, a user can efficiently compute f(x), but does not get any additional information about x.
This is the most general form of encryption as it encompasses identity-based encryption, attribute-based encryption, broadcast encryption. However, whereas the input can be large, like a high-dimensional vector, the basic definition of FE implies that the input data comes from only one party: all the coordinates of the vector are provided by one party, and all are encrypted at the same time. In many practical applications, the data are an aggregation of information that comes from different parties that may not trust each other. A naive way to distribute the ciphertext generation would be to take an FE scheme and to have a trusted party handling the setup and the key generation phases, while the encryption procedure would be left to many clients to execute by Multi-Party Computation (MPC). This straw man construction has two obvious weaknesses:
1. Generating any ciphertext requires potentially heavy interactions, with everybody simultaneously on line, and the full ciphertext has to be generated at once, with all the components being known at the same time;
2. Some authority (the trusted third party) reserves the power to recover every client's private data.
Multi-Client Functional Encryption [16, 20] addresses the former issue of independent generation of the ciphertext, and we introduce Decentralized Multi-Client Functional Encryption to address the latter, without any central authority nor master secret key.

© IACR 2018.

Multi-Client Functional Encryption. In Multi-Client Functional Encryption (MCFE), as defined in [16, 20], the single input x to the encryption procedure is broken down into an input vector (x_1, ..., x_n) where the components are independent. An index i for each client and a (typically time-based) label l are used for every encryption: (c_1 = Encrypt(1, x_1, l), ..., c_n = Encrypt(n, x_n, l)). Anyone owning a functional decryption key dk_f, for an n-ary function f and multiple ciphertexts for the same label l, c_1 = Encrypt(1, x_1, l), ..., c_n = Encrypt(n, x_n, l), can compute f(x_1, ..., x_n) but nothing else about the individual x_i's. The combination of ciphertexts generated for different labels does not give a valid global ciphertext and the adversary learns nothing from it. MCFE is similar to the naive construction described above with MPC, except that ciphertext generation now simply takes one round, and each ciphertext c_i can also be generated independently of the others.

Decentralized Multi-Client Functional Encryption. Still, MCFE requires a trusted party to generate a master key msk and to distribute the encryption keys ek_i to the clients and the functional decryption keys dk_f to the decryptors. In our scenario, however, the clients do not want to rely on any authority. We would thus be interested in a decentralized version of MCFE, where no authority is involved, but the generation of functional decryption keys remains an efficient process under the control of the clients themselves. We introduce the notion of Decentralized Multi-Client Functional Encryption (DMCFE), in which the authority is removed and the clients work together to generate appropriate functional decryption keys.
We stress that the authority is not simply distributed to a larger number of parties, but that the resulting protocol is indeed decentralized: each client has complete control over their individual data and the functional keys they authorize the generation of.

1.1 A Use Case

Consider a financial firm that wants to compute aggregates of several companies' private data (profits, number of sales) so that it can better understand the dynamics of a sector. The companies may be willing to help the financial firm understand the sector as a whole, or may be offered compensation for their help, but they don't trust the financial firm or each other with their individual data. After setting up a DMCFE, each company encrypts its private data with a time-stamp label under its private key. Together, they can give the financial firm a decryption aggregation key that only reveals a sum on the companies' private data weighted by public information (employee count, market value) for a given time-stamp. New keys can retroactively decrypt aggregates on old data.

1.2 Related Work

In their more general form, FE and MCFE schemes have been introduced in [5, 6, 10, 16-19, 27, 30] but unfortunately, they all rely on non-standard cryptographic assumptions (indistinguishability obfuscation, single-input FE for circuits, or multilinear maps). It is more important in practice, and it is an interesting challenge, to build FE for restricted (but concrete) classes of functions, satisfying standard security definitions, under well-understood assumptions.

Inner-Product Functional Encryption. In 2015, Abdalla, Bourse, De Caro, and Pointcheval [1] considered the question of building FE for inner-product functions. In their paper, they show that inner-product functional encryption (IP-FE) can be efficiently realized under standard assumptions like the Decisional Diffie-Hellman (DDH) and Learning-with-Errors (LWE) assumptions [26], but in a weak security model, named selective security.
Later on, Agrawal, Libert and Stehlé [4] considered adaptive security for IP-FE and proposed constructions whose security is based on DDH, LWE or Paillier's Decisional Composite Residuosity (DCR) [25] assumptions.

Private Stream Aggregation (PSA). This notion, also referred to as Privacy-Preserving Aggregation of Time-Series Data, is an older primitive introduced by Shi et al. [29]. It is quite similar to our target DMCFE scheme, however PSA does not consider the possibility of adaptively generating different keys for different inner-product evaluations, but only enables the aggregator to compute the sum of the clients' data for each time period. PSA also typically involves a Differential Privacy component, which has yet to be studied in the larger setting of DMCFE. Further research on PSA has focused on achieving new properties or better efficiency [8, 11, 13, 21, 23, 24] but not on enabling new functionalities.

Multi-Input Functional Encryption. Goldwasser et al. [16] introduced the notion of Multi-Input Functional Encryption (MIFE) which breaks down a single input x into an input vector (x_1, ..., x_n) where the components are independent (as does MCFE), but for which there is no notion of ciphertext index or label: user i can enter x_i and encrypt it as c_i = Encrypt(x_i). Anyone owning a functional decryption key dk_f, for an n-ary function f and multiple ciphertexts c_1 = Encrypt(x_1), ..., c_n = Encrypt(x_n), can compute f(x_1, ..., x_n) but nothing else about the individual x_i's. Numerous applications of MIFE have been given in detail in [16]. As with MCFE, general purpose MIFE schemes rely on indistinguishability obfuscation or multilinear maps, which we currently do not know how to instantiate under standard cryptographic assumptions. Extending IP-FE to the multi-input setting has proved technically challenging. [3] builds the first Multi-Input IP-FE, that is, each input slot encrypts a vector $x_i \in \mathbb{Z}_p^m$ for some dimension m, each functional decryption key is associated with a vector y, and decryption recovers $\langle x, y \rangle$ where $x := (x_1 \| \cdots \| x_n)$, $y \in \mathbb{Z}_p^{n \cdot m}$, and n denotes the number of slots, which can be set up arbitrarily. They prove their construction secure under standard assumptions (SXDH, and in fact, k-Lin for any k ≥ 1) in bilinear groups. Concurrently, [22] build a two-input (i.e.
n = 2) FE using similar assumptions in bilinear groups. Very recently, [2, 12] gave a function-hiding multi-input FE for inner products, where the functional decryption keys do not reveal their underlying functions. [2] also gives a generic transformation from single to multi-input for IP-FE, which gives the first multi-input constructions whose security relies on DDH, LWE, or DCR. In multi-input FE, every ciphertext for every slot can be combined with any other ciphertext for any other slot, and used with functional decryption keys to decrypt an exponential number of values, as soon as there is more than one ciphertext per slot. This mix-and-match feature is crucial for some of the applications of MIFE, such as building Indistinguishability Obfuscation [16]. However, it also means the information leaked about the underlying plaintext is enormous, and in many applications, the security guarantees simply become void, especially when many functional decryption keys are queried. In the case of inner product, as soon as m well-chosen functional decryption keys are queried (i.e. for linearly independent vectors), the plaintexts are completely revealed. In the multi-client setting however, since only ciphertexts with the same label (think of it as a time-stamp, for instance) can be combined for decryption, information leakage of the plaintext is much reduced. The fact that clients have more control over how much information is leaked about their data, and that we remove the need for a central authority in the case of DMCFE, makes our schemes better suited for real-world use.

1.3 Multi-Client Functional Encryption

We remark that, as for MIFE, private-key MCFE is more relevant than its public-key counterpart (this is explained in [16], or [3] in the context of IP-FE). Essentially, in a public-key MCFE, an encryption of unknown plaintext x_i (for some label l) can be used together with encryptions of arbitrarily chosen values x'_j for each slot j ≠ i (for the same label l) and a functional decryption key for some function f, to obtain the value f(x'_1, ..., x'_{i-1}, x_i, x'_{i+1}, ..., x'_n).
Since the values x'_j for j ≠ i are arbitrarily chosen, this reveals typically too much information on x_i for practical uses. In the case of inner product, that

means that, from Enc(i, x_i, l), dk_y, and the public key, one can efficiently extract the values $x_i y_i + \sum_{j \neq i} x'_j y_j$ for chosen x'_j, which exactly reveals the partial inner product $x_i y_i$ (see [3] for more details on the limitations of public-key IP-FE in the multi-input setting). Security is defined with an indistinguishability game, where the adversary has to distinguish between encryptions of chosen plaintexts $(x_i^0)_{i \in [n]}$ and $(x_i^1)_{i \in [n]}$. The inherent leakage of information about the plaintext given by functional decryption keys dk_f is captured by a Finalize procedure in the security game, where the advantage is set to zero if the adversary performed a trivial attack, in the sense that correctness allows the adversary to distinguish encryptions of $(x_i^0)_{i \in [n]}$ from $(x_i^1)_{i \in [n]}$, simply because the underlying functions f of the decryption keys tell apart these plaintexts, i.e. $f(x_1^0, \ldots, x_n^0) \neq f(x_1^1, \ldots, x_n^1)$. In the public-key setting, in order to prevent the adversary from a trivial win, one should make the restriction that the adversary is only allowed to ask functional decryption keys dk_f for functions f that satisfy $f(x_1^0, \star, \ldots, \star) = f(x_1^1, \star, \ldots, \star)$, $f(\star, x_2^0, \ldots, \star) = f(\star, x_2^1, \ldots, \star)$, ..., $f(\star, \star, \ldots, x_n^0) = f(\star, \star, \ldots, x_n^1)$, where ⋆ stands for any value. Again, this would essentially exclude any function. A private-key encryption solves this issue, and is still well-suited for practical applications. In this paper, we will thus consider this private-key setting which naturally fits the MCFE (and DMCFE) model as each component in the plaintext is separately provided by a different client. In such a case, the corruption of some clients is an important issue, since several of them could collude to learn information about other clients' inputs. More precisely, we propose such an MCFE for Inner-Product functions in Section 4, that is secure even against adaptive corruptions of the senders.

1.4 Decentralized Multi-Client Functional Encryption

While it allows independent generation of the ciphertexts, MCFE (like MIFE) still assumes the existence of a trusted third-party who runs the SetUp algorithm and distributes the functional decryption keys.
This third-party, if malicious or corrupted, can easily undermine any client's privacy. We are thus interested in building a scheme in which such a third-party is entirely taken out of the equation. We thus introduce the notion of Decentralized Multi-Client Functional Encryption (DMCFE), in which the setup phase and the generation of functional decryption keys are decentralized among the same clients as the ones that generate the ciphertexts. We are interested in minimizing interactions during those operations. While one can do it, in a generic way, using MPC, our target is at least a non-interactive generation of the functional decryption keys, that we achieve in Section 5, again for Inner-Product functions. The one-time setup phase might remain interactive, but this has to be done once only.

1.5 Technical Overview

We briefly showcase the techniques that allow us to build efficient MCFE and DMCFE schemes. The schemes we introduce later enjoy adaptive security (aka full security), where encryption queries are made adaptively by the adversary against the security game, but for the sake of clarity, we will here give an informal description of a selectively-secure scheme from the DDH assumption, where queries are made beforehand. Namely, the standard security notion for FE is indistinguishability-based, where the adversary has access to a Left-or-Right oracle, that on input (m_0, m_1) either always encrypts m_0 or always encrypts m_1. While for the adaptive security, the adversary can query this oracle adaptively, in the selective setting, all queries are made at the beginning, before seeing the public parameters. We first design a secret-key MCFE scheme building up from the public-key FE scheme introduced by Abdalla et al. [1] (itself a selectively-secure scheme) where we replace the global randomness with a hash function (modeled as a random oracle for the security analysis), in order to make the generation of the ciphertexts independent for each client. The comparison is

illustrated in Figure 1.

Fig. 1. Comparison of the Inner-Product FE scheme from Abdalla et al. [1] and a similar MCFE obtained by introducing a hash function H.

  Scheme   | MCFE                                                                          | ABDP15 [1]
  SetUp    | Pick $(s_i)_{i \in [n]}$ at random                                            | Pick $(s_i)_{i \in [n]}$ at random and set $v_i = g^{s_i}$
  Encrypt  | Each client i, on input $(x_i, s_i, l)$, returns $c_i = g^{x_i} H(l)^{s_i}$   | On input $((x_i)_i, (v_i)_i)$, pick $r \gets \mathbb{Z}_p$, return $(c_0 = g^r, (c_i = g^{x_i} v_i^r)_i)$
  DKeyGen  | On input $((y_i)_i, (s_i)_i)$, return $dk_y = \sum_i y_i s_i$                 | On input $((y_i)_i, (s_i)_i)$, return $dk_y = \sum_i y_i s_i$
  Decrypt  | Discrete logarithm on $g^\gamma = \prod_i c_i^{y_i} \cdot H(l)^{-dk_y}$       | Discrete logarithm on $g^\gamma = \prod_i c_i^{y_i} \cdot c_0^{-dk_y}$

Note that for the final decryption to be possible, one needs the function evaluation γ to be small enough, within this discrete logarithm setting. This is one limitation, which is still reasonable for real-world applications that use concrete numbers, that are not of cryptographic size. If we write $c_0 = g^r$ in the single input case and $c_0 = H(l)$ in the Multi-Client case, we have $c_i = g^{x_i} c_0^{s_i}$ for $i \in [n]$ in both cases. In the public-key scheme from [1], $s_i$ was private, and only $v_i = g^{s_i}$ was known to the encryptor. Since we are now dealing with private encryption, the encryptor can use $s_i$. Correctness then follows from
$$g^\gamma = \prod_i c_i^{y_i} \cdot c_0^{-dk_y} = \prod_i \left(g^{x_i} c_0^{s_i}\right)^{y_i} \cdot c_0^{-dk_y} = g^{\sum_i x_i y_i} \, c_0^{\sum_i y_i s_i} \cdot c_0^{-dk_y} = g^{\sum_i x_i y_i} \, c_0^{dk_y} \cdot c_0^{-dk_y} = g^{\langle x, y \rangle}.$$
We further define this MCFE scheme and prove it selectively secure under the DDH assumption in Appendix B. We can easily decentralize the above protocol using standard MPC techniques, but as we mentioned, our main goal is to minimize interactions during the DKeyGen protocol. This simple protocol can illustrate our main insight: we need to provide the aggregator with the decryption key $\langle s, y \rangle$. Since the $s_i$'s are owned individually by the clients, we are interested in a protocol that would let them send shares from which the decryptor would recover an agreed upon Inner Product on their individual inputs. This sounds like a job for MCFE.
More precisely, sending Encrypt(s_i) under some other key t_i would not solve our problem, because we would still need to provide $\langle t, y \rangle$ to enable decryption, so we send Encrypt(y_i s_i) under t_i. Now we only need to compute one decryption key: the key for the inner product with vector 1 = (1, ..., 1), namely $\sum_i t_i$. There is one final caveat. The result of the inner product evaluation requires a final discrete logarithm computation, and we are no longer operating on real-world data, but on random elements from $\mathbb{Z}_p$. Any attempt to recover the discrete logarithm is hopeless, and we are stuck with $g^{\langle s, y \rangle}$. We work around this issue by using pairings, which effectively enable us to decrypt using only $g^{\langle s, y \rangle}$. The standard SXDH assumption on pairing groups states that the DDH assumption holds in both groups, so introducing pairings doesn't compromise the security of our scheme. Our fully-secure DMCFE from pairings, that inherits from this approach, is described in Section 5.

1.6 Contributions

Practical constructions of functional encryption for specific classes of functions are of high interest. In this paper, we focus on MCFE and DMCFE for Inner Product.

We present the first solutions for Inner-Product Functional Encryption in the Multi-Client and Decentralized Multi-Client settings:
1. Efficiency: the proposed schemes are highly practical as their efficiency is comparable to that of the DDH-based IP-FE scheme from [4]. A value x_i is encrypted as a unique group element C_i. The setup phase, key generation and decryption all take time linear in the number of participants, and encryption takes time linear in its input.
2. Security under a standard assumption: our schemes are all adaptively secure under either the classical DDH assumption or the standard SXDH assumption.
3. Security against adaptive corruptions: In addition, we successfully address corruptions of clients, even adaptive ones in the MCFE setting, exploring what Goldwasser et al. [16] highlighted as an interesting direction.
4. Non interactivity: The DMCFE scheme we present in Section 5 has a key generation protocol that does not require interactions.
Refer to Figure 2 for a comparison of the different schemes mentioned here. We leave open the problems of considering LWE-based or Paillier-based constructions and of extending this work beyond inner-product functions.

Fig. 2. Comparison of different cryptographic solutions to the problem of linearly aggregating Private Multi-Client data. Columns: Multiple Inner Products, Non Interactive Setup, Non Interactive Encrypt, Non Interactive KeyGen, Decentralized. Rows: PSA [29] (KeyGen: N/A), Section 1: Straw man Distributed FE, Section 4: MCFE, Section 5: DMCFE.

2 Definitions and Security Models

This section is devoted to defining MCFE and DMCFE and the security models that are appropriate for those primitives, in the indistinguishability setting.

2.1 Multi-Client Functional Encryption

An MCFE scheme encrypts vectors of data from several senders and allows the controlled computation of functions on these heterogeneous data. We now define a private-key MCFE as in [16, 20]:

Definition 1 (Multi-Client Functional Encryption).
A multi-client functional encryption on M over a set of n senders is defined by four algorithms:
SetUp(λ): Takes as input the security parameter λ, and outputs the public parameters mpk, the master secret key msk and the n encryption keys ek_i;
Encrypt(ek_i, x_i, l): Takes as input a user encryption key ek_i, a value x_i to encrypt, and a label l, and outputs the ciphertext C_{l,i};

DKeyGen(msk, f): Takes as input the master secret key msk and a function f : M^n → R, and outputs a functional decryption key dk_f;
Decrypt(dk_f, l, C): Takes as input a functional decryption key dk_f, a label l, and an n-vector ciphertext C, and outputs f(x), if C is a valid encryption of x = (x_i)_i ∈ M^n for the label l, or ⊥ otherwise.
We make the assumption that mpk is included in msk and in all the encryption keys ek_i as well as the functional decryption keys dk_f. The correctness property states that, given (mpk, msk, (ek_i)_i) ← SetUp(λ), for any label l, any function f : M^n → R, and any vector x = (x_i)_i ∈ M^n, if C_{l,i} ← Encrypt(ek_i, x_i, l), for i ∈ {1, ..., n}, and dk_f ← DKeyGen(msk, f), then Decrypt(dk_f, l, C_l = (C_{l,i})_i) = f(x = (x_i)_i).
The security model is quite similar to the one defined for FE, but as noted in [16, 20], one has to consider corruptions, since the senders do not trust each other, and they can collude and give their secret keys to the adversary who will play on their behalf.

Definition 2 (IND-Security Game for MCFE). Let us consider an MCFE scheme over a set of n senders. No adversary A should be able to win the following security game against a challenger C:
Initialization: the challenger C runs the setup algorithm (mpk, msk, (ek_i)_i) ← SetUp(λ) and chooses a random bit b ← {0, 1}. It provides mpk to the adversary A;
Encryption queries QEncrypt(i, x^0, x^1, l): A has unlimited and adaptive access to a Left-or-Right encryption oracle, and receives the ciphertext C_{l,i} generated by Encrypt(ek_i, x^b, l). We note that any further query for the same pair (l, i) will later be ignored;
Functional decryption key queries QDKeyGen(f): A has unlimited and adaptive access to the DKeyGen(msk, f) algorithm for any input function f of its choice.
It is given back the functional decryption key dk_f;
Corruption queries QCorrupt(i): A can make an unlimited number of adaptive corruption queries on input index i, to get the encryption key ek_i of any sender i of its choice;
Finalize: A provides its guess b' on the bit b, and this procedure outputs the result β of the security game, according to the analysis given below.
The output β of the game depends on some conditions, where CS is the set of corrupted senders (the set of indexes input to QCorrupt during the whole game), and HS the set of honest (non-corrupted) senders. We set the output to β ← b', unless one of the three cases below is true, in which case we set β ← {0, 1} at random:
1. some QEncrypt(i, x^0, x^1, l)-query has been asked for an index i ∈ CS with x^0 ≠ x^1;
2. for some label l, an encryption-query QEncrypt(i, x_i^0, x_i^1, l) has been asked for some i ∈ HS, but encryption-queries QEncrypt(j, x_j^0, x_j^1, l) have not all been asked for all j ∈ HS;
3. for some label l and for some function f asked to QDKeyGen, there exists a pair of vectors (x^0 = (x_i^0)_i, x^1 = (x_i^1)_i) such that f(x^0) ≠ f(x^1), when x_i^0 = x_i^1, for all i ∈ CS; QEncrypt(i, x_i^0, x_i^1, l)-queries have been asked for all i ∈ HS.
We say this MCFE is IND-secure if for any adversary A, $\mathrm{Adv}^{\mathrm{IND}}(A) = \left|\Pr[\beta = 1 \mid b = 1] - \Pr[\beta = 1 \mid b = 0]\right|$ is negligible.
Informally, this is the usual Left-or-Right indistinguishability [7], but where the adversary should not be able to get ciphertexts or functional decryption keys that trivially help distinguish the encrypted vectors:
1. since the encryption might be deterministic, if we allow Left-or-Right encryption queries even for corrupted encryption keys, these queries should be on identical messages: with the encryption key, the adversary could simply re-encrypt and compare in case of deterministic encryption;

2. intuitively, if some input is missing, no function evaluation can be done by the adversary, so we enforce the adversary to ask QEncrypt-queries for all the non-corrupted keys (since the adversary can generate any ciphertext itself for the corrupted components) as soon as one label is used;
3. for any functional decryption key, all the possible evaluations should not trivially allow the adversary to distinguish the ciphertexts generated through QEncrypt-queries (on honest components).
In all these cases, the guess of the adversary is not considered (a random bit β is output). Otherwise, this is a legitimate attack, and the guess b' of the adversary is output. We stress that we bar the adversary from querying several ciphertexts under the same pair (l, i). In real life, it is of course the responsibility of the senders not to encrypt under the same label twice (as explained in the introduction, the labels are typically time-stamps, only used once).

Remark 3. While the third constraint aims at preventing the adversary from trivially winning by guessing the bit b from the evaluation of a functional decryption, the two first might look artificial, but they are required for our proof to go through with our constructions: with a probabilistic encryption scheme, one could hope to remove the first one, but up to now, we only have deterministic constructions, which is quite classical in the private-key setting (such as symmetric encryption); depending on the scheme, an encryption on an inactive component (a component that has no impact on the value of a function f, for instance the i-th ciphertext in the case of f_y : x ↦ ⟨x, y⟩ when y_i = 0) might not be needed for a complete evaluation, as is the case in our schemes (see Section 4). Moreover, our keys are homomorphic: from dk_{f_y} and dk_{f_{y'}}, one can easily obtain dk_{f_{y+y'}}.
Rather than defining the inactivity of components of functions in the span of those queried, we simply require that ciphertexts be obtained for every component for a given label (either through an explicit query to QEncrypt or thanks to the encryption key obtained from QCorrupt), which is consistent with the use-case we outlined in Section 1.1. One could also enforce, by construction, all the queries to be asked and otherwise guarantee that no information is leaked about the plaintexts, which is not the case of our schemes.

Weaker Notions. One may define weaker variants of indistinguishability, where some queries can only be sent before the initialization phase:
Selective Security (sel-IND): the encryption queries (QEncrypt) are sent before the initialization;
Static Security (sta-IND): the corruption queries (QCorrupt) are sent before the initialization.

2.2 Decentralized Multi-Client Functional Encryption

In MCFE, an authority owns a master secret key msk to generate the functional decryption keys. We would like to avoid such a powerful authority, and make the scheme totally decentralized among the owners of the data (the senders). We thus define DMCFE, for Decentralized Multi-Client Functional Encryption. In this context, there are n senders (S_i), for i = 1, ..., n, who will play the role of both the encrypting players and the functional decryption key generators, for a functional decryptor FD. Of course, the senders do not trust each other and they want to control the functional decryption keys that will be generated. There may be several functional decryptors, but since they could collude and combine all the functional decryption keys, in the description below, and in the security model, we will consider only one functional decryptor FD. As already noticed, we could simply use the definition of MCFE [16, 20], where the setup and the functional decryption key algorithms are replaced by MPC protocols among the clients. But this could lead to a quite interactive process. We thus focus on efficient one-round key generation

protocols DKeyGen that can be split in a first step DKeyGenShare that generates partial keys and the combining algorithm DKeyComb that combines partial keys into the functional decryption key.

Definition 4 (Decentralized Multi-Client Functional Encryption). A decentralized multi-client functional encryption on M between a set of n senders (S_i), for i = 1, ..., n, and a functional decrypter FD is defined by the setup protocol and four algorithms:
SetUp(λ): This is a protocol between the senders (S_i) that eventually generate their own secret keys sk_i and encryption keys ek_i, as well as the public parameters mpk;
Encrypt(ek_i, x_i, l): Takes as input a user encryption key ek_i, a value x_i to encrypt, and a label l, and outputs the ciphertext C_{l,i};
DKeyGenShare(sk_i, l_f): Takes as input a user secret key sk_i and a label l_f, and outputs the partial functional decryption key dk_{f,i} for a function f : M^n → R that is described in l_f;
DKeyComb((dk_{f,i})_i, l_f): Takes as input the partial functional decryption keys and eventually outputs the functional decryption key dk_f;
Decrypt(dk_f, l, C): Takes as input a functional decryption key dk_f, a label l, and an n-vector ciphertext C, and outputs f(x), if C is a valid encryption of x = (x_i)_i ∈ M^n for the label l, or ⊥ otherwise;
We make the assumption that mpk is included in all the secret and encryption keys, as well as the (partial) functional decryption keys. Similarly, the function f might be included in the (partial) functional decryption keys. The correctness property states that, given (mpk, (sk_i)_i, (ek_i)_i) ← SetUp(λ), for any label l, any function f : M^n → R, and any vector x = (x_i)_i ∈ M^n, if C_{l,i} ← Encrypt(ek_i, x_i, l), for i ∈ {1, ..., n}, and dk_f ← DKeyComb((DKeyGenShare(sk_i, l_f))_i, l_f), then we have Decrypt(dk_f, l, C_l = (C_{l,i})_i) = f(x = (x_i)_i).
The security model is quite similar to the one defined above for MCFE, except that for the DKeyGen protocol, the adversary has access to transcripts of the communications and can make some senders play maliciously. Corrupt-queries additionally reveal the secret keys sk_i.
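The three trivial-attack conditions of the Finalize procedure, instantiated for the inner-product function class f_y(x) = ⟨x, y⟩, as an added example that is not the paper's code; it serves Definition 2 above and Definition 5 below, whose conditions are the same. It assumes the adversary's transcript is available as plain lists of QEncrypt, QDKeyGen and QCorrupt queries.

```python
def trivial_attack_conditions(n, enc_queries, key_queries, corrupted):
    """Return the Finalize conditions that fire in an inner-product IND game.

    n            number of senders, indexed 0..n-1
    enc_queries  QEncrypt queries as (i, x0, x1, label); a repeated (label, i)
                 pair is ignored, as the game prescribes
    key_queries  QDKeyGen queries as weight vectors y (one per key)
    corrupted    set of indexes given to QCorrupt during the whole game
    Returns a list of (condition_number, explanation)."""
    CS = set(corrupted)
    HS = set(range(n)) - CS
    fired = []

    per_label = {}                               # label -> {i: (x0, x1)}
    for i, x0, x1, label in enc_queries:
        per_label.setdefault(label, {}).setdefault(i, (x0, x1))

    for label, slots in per_label.items():
        # Condition 1: a Left-or-Right query on a corrupted slot must carry
        # identical messages, since the adversary can re-encrypt and compare.
        for i, (x0, x1) in slots.items():
            if i in CS and x0 != x1:
                fired.append((1, f"slot {i} is corrupted but x0={x0} != x1={x1} under {label!r}"))
        # Condition 2: once a label is used on an honest slot, every honest
        # slot must have been queried under that label.
        asked = set(slots) & HS
        if asked and asked != HS:
            fired.append((2, f"label {label!r} lacks honest slots {sorted(HS - asked)}"))
        # Condition 3: corrupted coordinates are forced equal (x0_i = x1_i for
        # i in CS), so <x0, y> - <x1, y> depends on the honest coordinates only.
        if not HS <= set(slots):
            continue
        for y in key_queries:
            diff = sum(y[i] * (slots[i][0] - slots[i][1]) for i in HS)
            if diff != 0:
                fired.append((3, f"key y={y} separates the inputs under {label!r} (difference {diff})"))
    return fired


def finalize(n, enc_queries, key_queries, corrupted, guess, b):
    """beta = [guess == b], or None when a trivial attack fired (the game then
    outputs a random bit, so the guess does not count)."""
    if trivial_attack_conditions(n, enc_queries, key_queries, corrupted):
        return None
    return int(guess == b)


def demo():
    n, corrupted = 3, {2}                        # sender 2 is corrupted
    enc = [(0, 10, 12, "t1"), (1, 5, 3, "t1")]   # constructed LoR queries
    keys = [[1, 1, 0]]                           # <x0,y> = <x1,y> = 15: allowed
    admissible = trivial_attack_conditions(n, enc, keys, corrupted) == []
    # Add a separating key, a LoR query on the corrupted slot with x0 != x1,
    # and a label queried on only one honest slot: all three conditions fire.
    enc2 = enc + [(2, 7, 9, "t1"), (0, 1, 1, "t2")]
    keys2 = keys + [[1, 0, 0]]
    fired = sorted({cond for cond, _ in trivial_attack_conditions(n, enc2, keys2, corrupted)})
    return admissible, fired


if __name__ == "__main__":
    print(demo())
```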
Definition 5 (IND-Security Game for DMCFE). Let us consider a DMCFE scheme between a set of n senders. No adversary A should be able to win the following security game against a challenger C:
Initialization: the challenger C runs the setup protocol (mpk, (sk_i)_i, (ek_i)_i) ← SetUp(λ) and chooses a random bit b ← {0, 1}. It provides mpk to the adversary A;
Encryption queries QEncrypt(i, x^0, x^1, l): A has unlimited and adaptive access to a Left-or-Right encryption oracle, and receives the ciphertext C_{l,i} generated by Encrypt(ek_i, x^b, l). We note that any further query for the same pair (l, i) will later be ignored;
Functional decryption key queries QDKeyGen(i, f): A has unlimited and adaptive access to the (non-corrupted) senders running the DKeyGenShare(sk_i, f) algorithm for any input function f of its choice. It is given back the partial functional decryption key dk_{f,i};
Corruption queries QCorrupt(i): A can make an unlimited number of adaptive corruption queries on input index i, to get the secret and encryption keys (sk_i, ek_i) of any sender i of its choice.
Finalize: A provides its guess b' on the bit b, and this procedure outputs the result β of the security game, according to the analysis given below.
The output β of the game depends on some conditions, where CS is the set of corrupted senders (the set of indexes input to QCorrupt during the whole game), and HS the set of honest (non-corrupted) senders. We set the output to β ← b', unless one of the three cases below is true, in which case we set β ← {0, 1} at random:
1. some QEncrypt(i, x^0, x^1, l)-query has been asked for an index i ∈ CS with x^0 ≠ x^1;

2. for some label l, an encryption-query QEncrypt(i, x_i^0, x_i^1, l) has been asked for some i ∈ HS, but encryption-queries QEncrypt(j, x_j^0, x_j^1, l) have not all been asked for all j ∈ HS;
3. for some label l and for some function f asked to QDKeyGen for all i ∈ HS, there exists a pair of vectors (x^0 = (x_i^0)_i, x^1 = (x_i^1)_i) such that f(x^0) ≠ f(x^1), when x_i^0 = x_i^1, for all i ∈ CS; QEncrypt(i, x_i^0, x_i^1, l)-queries have been asked for all i ∈ HS.
We say this DMCFE is IND-secure if for any adversary A, $\mathrm{Adv}^{\mathrm{IND}}(A) = \left|\Pr[\beta = 1 \mid b = 1] - \Pr[\beta = 1 \mid b = 0]\right|$ is negligible.
We define sel-IND (selective) and sta-IND (static) security for DMCFE as we did for MCFE.

3 Notations and Assumptions

3.1 Groups

Prime Order Group. We use a prime-order group generator GGen, a probabilistic polynomial time (PPT) algorithm that on input the security parameter 1^λ returns a description G = (G, p, P) of an additive cyclic group G of order p for a 2λ-bit prime p, whose generator is P. We use implicit representation of group elements as introduced in [14]. For a ∈ Z_p, define [a] = aP ∈ G as the implicit representation of a in G. More generally, for a matrix A = (a_{ij}) ∈ Z_p^{n×m} we define [A] as the implicit representation of A in G:
$$[A] := \begin{pmatrix} a_{11} P & \cdots & a_{1m} P \\ \vdots & & \vdots \\ a_{n1} P & \cdots & a_{nm} P \end{pmatrix} \in G^{n \times m}.$$
We will always use this implicit notation of elements in G, i.e., we let [a] ∈ G be an element in G. Note that from a random [a] ∈ G it is generally hard to compute the value a (discrete logarithm problem in G). Obviously, given [a], [b] ∈ G and a scalar x ∈ Z_p, one can efficiently compute [ax] ∈ G and [a + b] = [a] + [b] ∈ G.

Pairing Group. We also use a pairing group generator PGGen, a PPT algorithm that on input 1^λ returns a description PG = (G_1, G_2, p, P_1, P_2, e) of asymmetric pairing groups where G_1, G_2, G_T are additive cyclic groups of order p for a 2λ-bit prime p, P_1 and P_2 are generators of G_1 and G_2, respectively, and e : G_1 × G_2 → G_T is an efficiently computable (non-degenerate) bilinear map. Define P_T := e(P_1, P_2), which is a generator of G_T. We again use implicit representation of group elements.
For s {1, 2, T } and a Z p, defne [a] s = ap s G s as the mplct representaton of a n G s. Gven [a] 1, [a] 2, one can effcently compute [ab] T usng the parng e. For two matrces A, B wth matchng dmensons defne e([a] 1, [B] 2 ) := [AB] T G T. Compatblty. Our constructon from Secton 4 uses a prme-order group, whle the one from Secton 5 uses parng groups. Snce the latter use the former as a buldng block, we must use groups that are compatble wth each other. Notce that one can generate a prme-order group ether wth G := (G, p, P ) $ GGen(1 λ ), but also usng PG := (G 1, G 2, p, P 1, P 2, e) $ PGGen(1 λ ), and settng G := G 1. Ths s possble here because we use asymmetrc parngs and rely on the SXDH assumpton n the parng group, whch s DDH n G 1 and G 2. More detals on computatonal assumptons follow.

3.2 Computational Assumptions

Definition 6 (Decisional Diffie-Hellman Assumption). The Decisional Diffie-Hellman Assumption states that, in a prime-order group $\mathcal{G} \xleftarrow{\$} \mathsf{GGen}(1^\lambda)$, no PPT adversary can distinguish between the two following distributions with non-negligible advantage:

$$\{([a], [r], [ar]) \mid a, r \xleftarrow{\$} \mathbb{Z}_p\} \quad \text{and} \quad \{([a], [r], [s]) \mid a, r, s \xleftarrow{\$} \mathbb{Z}_p\}.$$

Equivalently, this assumption states it is hard to distinguish, knowing $[\mathbf{a}]$, a random element from the span of $[\mathbf{a}]$ for $\mathbf{a} = \binom{1}{a}$, from a random element in $\mathbb{G}^2$:

$$[\mathbf{a}] \cdot r = [\mathbf{a} r] = \binom{[r]}{[ar]} \quad \text{versus} \quad \binom{[r]}{[s]}.$$

Definition 7 (Symmetric eXternal Diffie-Hellman Assumption). The Symmetric eXternal Diffie-Hellman (SXDH) Assumption states that, in a pairing group $\mathcal{PG} \xleftarrow{\$} \mathsf{PGGen}(1^\lambda)$, the DDH assumption holds in both $\mathbb{G}_1$ and $\mathbb{G}_2$.

4 A Fully-Secure MCFE for Inner Product

After the first construction drafted in the introduction, from the Abdalla et al. [1] selectively-secure FE, we propose another construction of MCFE for inner product adapted from the Agrawal et al. [4] scheme. We also provide the full security analysis under the DDH assumption, since the security proof of our DMCFE construction will rely on it.

Overview of the Construction. This construction is an extension of the previous one proposed in the introduction: we first extended the scheme from Abdalla et al. [1] to the multi-client setting with a hash function. Because of the selective security of the underlying scheme, our first proposal was just selectively secure too. We now adapt the Agrawal et al. [4] scheme, in the same manner. This construction and its proof of adaptive security are for the sake of clarity, since the proof of our next DMCFE will be made clearer when reducing to this one.

4.1 Description

We use a prime-order group, and the bracket notation, as defined in Section 3.1.

$\mathsf{SetUp}(\lambda)$: Takes as input the security parameter, and generates a prime-order group $\mathcal{G} := (\mathbb{G}, p, P) \xleftarrow{\$} \mathsf{GGen}(1^\lambda)$, and $\mathcal{H}$ a full-domain hash function onto $\mathbb{G}^2$. It also generates the encryption keys $\mathbf{s}_i \xleftarrow{\$} \mathbb{Z}_p^2$, for $i = 1, \ldots, n$.
The public parameters $\mathsf{mpk}$ consist of $(\mathcal{G}, p, g, \mathcal{H})$, while the encryption keys are $\mathsf{ek}_i = \mathbf{s}_i$ for $i = 1, \ldots, n$, and the master secret key is $\mathsf{msk} = ((\mathsf{ek}_i)_i)$ (in addition to $\mathsf{mpk}$, which is omitted);

$\mathsf{Encrypt}(\mathsf{ek}_i, x_i, l)$: Takes as input the value $x_i$ to encrypt, under the key $\mathsf{ek}_i = \mathbf{s}_i$ and the label $l$. It computes $[\mathbf{u}_l] := \mathcal{H}(l) \in \mathbb{G}^2$, and outputs the ciphertext $[c_i] = [\mathbf{u}_l^\top \mathbf{s}_i + x_i] \in \mathbb{G}$;

$\mathsf{DKeyGen}(\mathsf{msk}, \mathbf{y})$: Takes as input $\mathsf{msk} = (\mathbf{s}_i)_i$ and an inner-product function defined by $\mathbf{y}$ as $f_{\mathbf{y}}(\mathbf{x}) = \langle \mathbf{x}, \mathbf{y} \rangle$, and outputs the functional decryption key $\mathsf{dk}_{\mathbf{y}} = (\mathbf{y}, \sum_i \mathbf{s}_i y_i) \in \mathbb{Z}_p^n \times \mathbb{Z}_p^2$;

$\mathsf{Decrypt}(\mathsf{dk}_{\mathbf{y}}, l, ([c_i])_{i \in [n]})$: Takes as input a functional decryption key $\mathsf{dk}_{\mathbf{y}} = (\mathbf{y}, \mathbf{d})$, a label $l$, and ciphertexts. It computes $[\mathbf{u}_l] := \mathcal{H}(l)$, $[\alpha] = \sum_i [c_i] \cdot y_i - [\mathbf{u}_l]^\top \mathbf{d}$, and eventually solves the discrete logarithm to extract and return $\alpha$.

Note that, as for [4], the result $\alpha$ must be polynomially bounded to efficiently compute the discrete logarithm in the last decryption step: let $\mathbf{x}, \mathbf{y} \in \mathbb{Z}_p^n$, we have:

$$[\alpha] = \sum_i [c_i] \cdot y_i - [\mathbf{u}_l]^\top \mathbf{d} = \sum_i [\mathbf{u}_l^\top \mathbf{s}_i + x_i] \cdot y_i - [\mathbf{u}_l]^\top \sum_i y_i \mathbf{s}_i = [\mathbf{u}_l]^\top \sum_i \mathbf{s}_i y_i + \sum_i [x_i] \cdot y_i - [\mathbf{u}_l]^\top \sum_i y_i \mathbf{s}_i = \Big[\sum_i x_i y_i\Big].$$

4.2 Security Analysis

Theorem 8 (IND-Security). The above MCFE protocol (see Section 4.1) is IND-secure under the DDH assumption, in the random oracle model. More precisely, we have

$$\mathsf{Adv}^{\mathrm{IND}}(\mathcal{A}) \le 2Q \cdot \mathsf{Adv}^{\mathrm{ddh}}_{\mathbb{G}}(t) + \mathsf{Adv}^{\mathrm{ddh}}_{\mathbb{G}}(t + 4Q \cdot t_{\mathbb{G}}) + \frac{2Q}{p},$$

for any adversary $\mathcal{A}$, running within time $t$, where $Q$ is the number of (direct, and indirect asked by $\mathsf{QEncrypt}$-queries) queries to $\mathcal{H}$ (modeled as a random oracle), and $t_{\mathbb{G}}$ is the time for an exponentiation in $\mathbb{G}$. We stress that this Theorem supports both adaptive encryption queries and adaptive corruptions.

Proof Technique. To obtain adaptive security, we use a technique that consists of first proving perfect security in the selective variant of the involved games, then, using a guessing (a.k.a. complexity leveraging) argument, which incurs an exponential security loss, we obtain the same security guarantees in the adaptive games. Since the security in the selective game is perfect (the advantage of any adversary is exactly zero), the exponential security loss is multiplied by a zero term, and the overall adaptive security is preserved. This technique has been used before in [31] in the context of Attribute-Based Encryption, or more recently, in [2, 3] in the context of multi-input IP-FE. We defer to [31, Remark 1] and [3, Remark 5] for more details on this proof technique.

Proof. We proceed using hybrid games, described in Fig. 3. Let $\mathcal{A}$ be a PPT adversary. For any game $G_{\mathrm{index}}$, we denote by $\mathsf{Adv}_{\mathrm{index}} := |\Pr[G_{\mathrm{index}}(\mathcal{A}) \mid b = 1] - \Pr[G_{\mathrm{index}}(\mathcal{A}) \mid b = 0]|$, where the probability is taken over the random coins of $G_{\mathrm{index}}$ and $\mathcal{A}$. Also, by event $G_{\mathrm{index}}(\mathcal{A})$, or just $G_{\mathrm{index}}$ when there is no ambiguity, we mean that the Finalize procedure in game $G_{\mathrm{index}}$ (defined as in Definition 2) returns $\beta = 1$ from the adversary's answer $b'$ when interacting with $\mathcal{A}$.

Game $G_0$: This is the IND-security game as given in Definition 2. Note that the hash function $\mathcal{H}$ is modeled as a random oracle $\mathsf{RO}$ onto $\mathbb{G}^2$. This is essentially used to generate $[\mathbf{u}_l] = \mathcal{H}(l)$.

Game $G_1$: We simulate the answers to any new $\mathsf{RO}$-query by a truly random pair in $\mathbb{G}^2$, on the fly.
The simulation remains perfect, and so $\mathsf{Adv}_0 = \mathsf{Adv}_1$.

Game $G_2$: We simulate the answers to any new $\mathsf{RO}$-query by a truly random pair in the span of $[\mathbf{a}]$ for $\mathbf{a} := \binom{1}{a}$, with $a \xleftarrow{\$} \mathbb{Z}_p$. This uses the Multi-DDH assumption, which tightly reduces to the DDH assumption using the random self-reducibility (see Lemma 10, in Appendix A): $\mathsf{Adv}_1 - \mathsf{Adv}_2 \le \mathsf{Adv}^{\mathrm{ddh}}_{\mathbb{G}}(t + 4Q \cdot t_{\mathbb{G}})$, where $Q$ is the number of $\mathsf{RO}$-queries and $t_{\mathbb{G}}$ the time for an exponentiation.

Game $G_3$: We simulate any $\mathsf{QEncrypt}$ query as the encryption of $x^0_i$ instead of $x^b_i$ and go back for the answers to any new $\mathsf{RO}$ query by a truly random pair in $\mathbb{G}^2$. While it is clear that in this last game the advantage of any adversary is exactly 0 since $b$ does not appear anywhere, the gap between $G_2$ and $G_3$ will be proven using a hybrid technique on the $\mathsf{RO}$-queries. We thus index the following games by $q$, where $q = 1, \ldots, Q$. Note that only distinct $\mathsf{RO}$-queries are counted, since a second similar query is answered as the first one. We detail this proof because the technique is important.

$G_{3.1.1}$: This is exactly game $G_2$. Thus, $\mathsf{Adv}_2 = \mathsf{Adv}_{3.1.1}$.

$G_{3.q.1} \to G_{3.q.2}$: We first change the distribution of the output of the $q$-th $\mathsf{RO}$-query, from uniformly random in the span of $[\mathbf{a}]$ to uniformly random over $\mathbb{G}^2$, using the DDH assumption. Then, we use the basis $\big(\binom{1}{a}, \binom{-a}{1}\big)$ of $\mathbb{Z}_p^2$, to write a uniformly random vector over $\mathbb{Z}_p^2$ as $u_1 \mathbf{a} + u_2 \mathbf{a}^\perp$, where $u_1, u_2 \xleftarrow{\$} \mathbb{Z}_p$. Finally, we switch to $u_1 \mathbf{a} + u_2 \mathbf{a}^\perp$ where $u_1 \xleftarrow{\$} \mathbb{Z}_p$ and $u_2 \xleftarrow{\$} \mathbb{Z}_p^*$, which only changes the adversary's view by a statistical distance of $1/p$: $\mathsf{Adv}_{3.q.1} - \mathsf{Adv}_{3.q.2} \le \mathsf{Adv}^{\mathrm{ddh}}_{\mathbb{G}}(t) + 1/p$. The last step with $u_2 \in \mathbb{Z}_p^*$ will be important to guarantee that $\mathbf{u}_l^\top \mathbf{a}^\perp \neq 0$.

Fig. 3. Games $G_0$, $G_1$, $G_2$, $(G_{3.q.1})_{q \in [Q+1]}$, $(G_{3.q.2}, G_{3.q.3})_{q \in [Q]}$ for the proof of Theorem 8. Components annotated with a list of games are only present in those games; unannotated components are present in every game.

Initialization: $\mathcal{G} \leftarrow \mathsf{GGen}(1^\lambda)$; for all $i \in [n]$, $\mathbf{s}_i \xleftarrow{\$} \mathbb{Z}_p^2$, $\mathsf{ek}_i := \mathbf{s}_i$, $\mathsf{msk} := (\mathbf{s}_i)_i$, $\mathsf{mpk} := (\mathcal{G}, p, g)$. $a \xleftarrow{\$} \mathbb{Z}_p$, $\mathbf{a} := \binom{1}{a}$, $\mathbf{a}^\perp := \binom{-a}{1}$. Sample a full-domain hash function $\mathcal{H}$ onto $\mathbb{G}^2$, and a bit $b \xleftarrow{\$} \{0,1\}$. $b' \leftarrow \mathcal{A}^{\mathsf{QEncrypt}(\cdot,\cdot,\cdot,\cdot), \mathsf{QDKeyGen}(\cdot), \mathsf{QCorrupt}(\cdot), \mathsf{RO}(\cdot)}(\mathsf{mpk})$. Run Finalize on $b'$.

$\mathsf{RO}(l)$:
  $[\mathbf{u}_l] := \mathcal{H}(l)$ ($G_0$);
  $[\mathbf{u}_l] := \mathsf{RF}(l)$ ($G_1$);
  $[\mathbf{u}_l] := [\mathbf{a} \cdot r_l]$, with $r_l := \mathsf{RF}'(l)$ ($G_2$, $G_{3.q.1}$, $G_{3.q.2}$, $G_{3.q.3}$);
  on the $q$-th (fresh) query: $[\mathbf{u}_l] := [\mathsf{RF}'(l) \cdot \mathbf{a} + \mathsf{RF}''(l) \cdot \mathbf{a}^\perp]$ ($G_{3.q.2}$, $G_{3.q.3}$).
  Return $[\mathbf{u}_l]$.

$\mathsf{QEncrypt}(i, x^0_i, x^1_i, l)$:
  $[\mathbf{u}_l] := \mathsf{RO}(l)$, $[c_i] := [\mathbf{u}_l]^\top \mathbf{s}_i + [x^b_i]$.
  If $[\mathbf{u}_l]$ is computed on the $j$-th $\mathsf{RO}$-query, for $j < q$: $[c_i] := [\mathbf{u}_l]^\top \mathbf{s}_i + [x^0_i]$ ($G_{3.q.1}$, $G_{3.q.2}$, $G_{3.q.3}$).
  If $[\mathbf{u}_l]$ is computed on the $q$-th $\mathsf{RO}$-query: $[c_i] := [\mathbf{u}_l]^\top \mathbf{s}_i + [x^0_i]$ ($G_{3.q.3}$).
  Return $[c_i]$.

$\mathsf{QDKeyGen}(\mathbf{y})$: Return $\sum_i y_i \mathbf{s}_i$.

$\mathsf{QCorrupt}(i)$: Return $\mathbf{s}_i$.

Here, $\mathsf{RF}$, $\mathsf{RF}'$, $\mathsf{RF}''$ are random functions onto $\mathbb{G}^2$, $\mathbb{Z}_p$, and $\mathbb{Z}_p^*$, respectively, that are computed on the fly. The Finalize procedure is defined as in Definition 2.

$G_{3.q.2} \to G_{3.q.3}$: We now change the generation of the ciphertext $[c_i] := [\mathbf{u}_l]^\top \mathbf{s}_i + [x^b_i]$ by $[c_i] := [\mathbf{u}_l]^\top \mathbf{s}_i + [x^0_i]$, where $[\mathbf{u}_l]$ corresponds to the $q$-th $\mathsf{RO}$-query. We then prove this does not change the adversary's view. Note that if the output of the $q$-th $\mathsf{RO}$-query is not used by $\mathsf{QEncrypt}$-queries, then the games $G_{3.q.2}$ and $G_{3.q.3}$ are identical. But we can show this is true too when there are $\mathsf{RO}$-queries that are really involved in $\mathsf{QEncrypt}$-queries, and show that $\mathsf{Adv}_{3.q.2} = \mathsf{Adv}_{3.q.3}$ in that case too, in two steps. In Step 1, we show that there exists a PPT adversary $\mathcal{B}^*$ such that $\mathsf{Adv}_{3.q.t} = (p^2 + 1)^n \cdot \mathsf{Adv}^*_{3.q.t}(\mathcal{B}^*)$, for $t = 2, 3$, where the games $G^*_{3.q.2}$ and $G^*_{3.q.3}$ are selective variants of games $G_{3.q.2}$ and $G_{3.q.3}$ respectively (see Fig. 4), where $\mathsf{QCorrupt}$ queries are asked before the initialization phase. In Step 2, we show that for all PPT adversaries $\mathcal{B}^*$, we have $\mathsf{Adv}^*_{3.q.2}(\mathcal{B}^*) = \mathsf{Adv}^*_{3.q.3}(\mathcal{B}^*)$. This will conclude the two steps.

Step 1. We build a PPT adversary $\mathcal{B}^*$ playing against $G^*_{3.q.t}$ for $t = 2, 3$, such that $\mathsf{Adv}_{3.q.t} = (p^2 + 1)^n \cdot \mathsf{Adv}^*_{3.q.t}(\mathcal{B}^*)$. Adversary $\mathcal{B}^*$ first guesses for all $i \in [n]$, $z_i \xleftarrow{\$} \mathbb{Z}_p^2 \cup \{\bot\}$, which it sends to its selective game $G^*_{3.q.t}$. That is, each guess $z_i$ is either a pair of values $(x^0_i, x^1_i)$ queried to $\mathsf{QEncrypt}$, or $\bot$, which means no query to $\mathsf{QEncrypt}$. Then, it simulates $\mathcal{A}$'s view using its own oracles. When $\mathcal{B}^*$ guesses successfully (call $E$ that event), it simulates $\mathcal{A}$'s view exactly as in $G_{3.q.t}$. If the guess was not successful, then $\mathcal{B}^*$ stops the simulation and outputs a random bit $\beta$. Since event $E$ happens with probability $(p^2 + 1)^{-n}$ and is independent of the view of adversary $\mathcal{A}$, $\mathsf{Adv}^*_{3.q.t}(\mathcal{B}^*)$ is equal to

$$\Big| \Pr[G^*_{3.q.t} \mid b = 0, E] \cdot \Pr[E] + \frac{\Pr[\neg E]}{2} - \Pr[G^*_{3.q.t} \mid b = 1, E] \cdot \Pr[E] - \frac{\Pr[\neg E]}{2} \Big| = \Pr[E] \cdot \big| \Pr[G^*_{3.q.t} \mid b = 0, E] - \Pr[G^*_{3.q.t} \mid b = 1, E] \big| = (p^2 + 1)^{-n} \cdot \mathsf{Adv}_{3.q.t}.$$

Fig. 4. Games $G^*_{3.q.2}$ and $G^*_{3.q.3}$, with $q \in [Q]$, for the proof of Theorem 8. Components annotated with a game are only present in that game; unannotated components are present in both games.

Initialization: $(\mathsf{state}, (z_i \in \mathbb{Z}_p^2 \cup \{\bot\})_{i \in [n]}) \leftarrow \mathcal{A}(1^\lambda, 1^n)$. $\mathcal{G} \leftarrow \mathsf{GGen}(1^\lambda)$; for all $i \in [n]$, $\mathbf{s}_i \xleftarrow{\$} \mathbb{Z}_p^2$, $\mathsf{ek}_i := \mathbf{s}_i$, $\mathsf{msk} := (\mathbf{s}_i)_i$, $\mathsf{mpk} := (\mathcal{G}, p, g)$. $a \xleftarrow{\$} \mathbb{Z}_p$, $\mathbf{a} := \binom{1}{a}$, $\mathbf{a}^\perp := \binom{-a}{1}$, $b \xleftarrow{\$} \{0,1\}$. $b' \leftarrow \mathcal{A}^{\mathsf{QEncrypt}(\cdot,\cdot,\cdot,\cdot), \mathsf{QDKeyGen}(\cdot), \mathsf{QCorrupt}(\cdot), \mathsf{RO}(\cdot)}(\mathsf{mpk}, \mathsf{state})$. Run Finalize on $b'$.

$\mathsf{RO}(l)$:
  $[\mathbf{u}_l] := [\mathbf{a} \cdot r_l]$, with $r_l := \mathsf{RF}'(l)$.
  On the $q$-th (fresh) query: $[\mathbf{u}_l] := [\mathsf{RF}'(l) \cdot \mathbf{a} + \mathsf{RF}''(l) \cdot \mathbf{a}^\perp]$.
  Return $[\mathbf{u}_l]$.

$\mathsf{QEncrypt}(i, x^0_i, x^1_i, l)$:
  $[\mathbf{u}_l] := \mathsf{RO}(l)$, $[c_i] := [\mathbf{u}_l]^\top \mathbf{s}_i + [x^b_i]$.
  If $[\mathbf{u}_l]$ is computed on the $j$-th $\mathsf{RO}$-query with $j < q$: $[c_i] := [\mathbf{u}_l]^\top \mathbf{s}_i + [x^0_i]$.
  If $[\mathbf{u}_l]$ is computed on the $q$-th $\mathsf{RO}$-query, then: if $(x^0_i, x^1_i) \neq z_i$, the game ends and returns $\beta \xleftarrow{\$} \{0,1\}$; otherwise, $[c_i] := [\mathbf{u}_l]^\top \mathbf{s}_i + [x^b_i]$ ($G^*_{3.q.2}$) or $[c_i] := [\mathbf{u}_l]^\top \mathbf{s}_i + [x^0_i]$ ($G^*_{3.q.3}$), and $S := S \cup \{i\}$.
  Return $[c_i]$.

$\mathsf{QDKeyGen}(\mathbf{y})$: Return $\sum_i y_i \mathbf{s}_i$.

$\mathsf{QCorrupt}(i)$: If $z_i = (x^0_i, x^1_i)$ with $x^0_i \neq x^1_i$, the game ends, and returns $\beta \xleftarrow{\$} \{0,1\}$. Return $\mathbf{s}_i$.

Here, $\mathsf{RF}'$, $\mathsf{RF}''$ are random functions onto $\mathbb{Z}_p$ and $\mathbb{Z}_p^*$, respectively, that are computed on the fly.

Step 2. We assume the values $(z_i)_{i \in [n]}$ sent by $\mathcal{B}^*$ are consistent, that is, they don't make the game end and return a random bit, and Finalize on $b'$ does not return a random bit independent of $b'$ (call $E'$ this event). We show that games $G^*_{3.q.2}$ and $G^*_{3.q.3}$ are identically distributed, conditioned on $E'$. To prove it, we use the fact that the two following distributions are identical, for any choice of $\gamma$:

$$(\mathbf{s}_i)_{i \in [n],\, z_i = (x^0_i, x^1_i)} \quad \text{and} \quad \big(\mathbf{s}_i + \mathbf{a}^\perp \cdot \gamma (x^b_i - x^0_i)\big)_{i \in [n],\, z_i = (x^0_i, x^1_i)},$$

where $\mathbf{a}^\perp := \binom{-a}{1} \in \mathbb{Z}_p^2$ and $\mathbf{s}_i \xleftarrow{\$} \mathbb{Z}_p^2$, for all $i = 1, \ldots, n$. This is true since the $\mathbf{s}_i$ are independent of the $z_i$ (note that this is true because we are in a selective setting, while this would not necessarily be true with adaptive $\mathsf{QEncrypt}$-queries). Thus, we can re-write $\mathbf{s}_i$ into $\mathbf{s}_i + \mathbf{a}^\perp \gamma (x^b_i - x^0_i)$ without changing the distribution of the game.
We now take a look at where the extra terms $\mathbf{a}^\perp \gamma (x^b_i - x^0_i)$ actually appear in the adversary's view:

They do not appear in the output of $\mathsf{QCorrupt}$, because we assume event $E'$ holds, which implies that if $z_i \neq \bot$, then $i$ is not queried to $\mathsf{QCorrupt}$ or $x^1_i = x^0_i$.

They might appear in $\mathsf{QDKeyGen}(\mathbf{y})$ as $\mathsf{dk}_{\mathbf{y}} = \sum_{i \in [n]} \mathbf{s}_i y_i + \mathbf{a}^\perp \gamma \sum_{i : z_i = (x^0_i, x^1_i)} y_i (x^b_i - x^0_i)$. But the second term equals 0 by the constraints for $E'$ in Definition 2: for all $i \in \mathcal{HS}$, $z_i \neq \bot$; if $i \in \mathcal{CS}$ and $z_i \neq \bot$, $x^1_i = x^0_i$; and $f(\mathbf{x}^0) = f(\mathbf{x}^1)$, hence $\sum_{i : z_i = (x^0_i, x^1_i)} y_i (x^b_i - x^0_i) = 0$.

Eventually, they appear in the output of the $\mathsf{QEncrypt}$-queries which use $[\mathbf{u}_l]$ computed on the $q$-th $\mathsf{RO}$-query, since for all others, the vector $[\mathbf{u}_l]$ lies in the span of $[\mathbf{a}]$, and

$\mathbf{a}^\top \mathbf{a}^\perp = 0$. We thus have $[c_i] := [\mathbf{u}_l]^\top \mathbf{s}_i + (x^b_i - x^0_i) \gamma [\mathbf{u}_l]^\top \mathbf{a}^\perp + [x^b_i]$. Since $\mathbf{u}_l^\top \mathbf{a}^\perp \neq 0$, we can choose $\gamma = -1/(\mathbf{u}_l^\top \mathbf{a}^\perp) \bmod p$, and then $[c_i] = [\mathbf{u}_l]^\top \mathbf{s}_i + [x^0_i]$, which is the encryption of $x^0_i$. We stress that $\gamma$ is independent of the index $i$, and so this simultaneously converts all the encryptions of $x^b_i$ into encryptions of $x^0_i$. Finally, reverting these statistically perfect changes, we obtain that $[c_i]$ is identically distributed to $[\mathbf{u}_l]^\top \mathbf{s}_i + [x^0_i]$, as in game $G^*_{3.q.3}$. Thus, when event $E'$ happens, the games are identically distributed. When $E'$ does not happen, the games both return $\beta \xleftarrow{\$} \{0,1\}$: $\mathsf{Adv}^*_{3.q.2}(\mathcal{B}^*) = \mathsf{Adv}^*_{3.q.3}(\mathcal{B}^*)$. As a conclusion, we get $\mathsf{Adv}_{3.q.2} = \mathsf{Adv}_{3.q.3}$.

$G_{3.q.3} \to G_{3.q+1.1}$: This transition is the reverse of $G_{3.q.1} \to G_{3.q.2}$, namely, we use the DDH assumption to switch back the distribution of $[\mathbf{u}_l]$ computed on the $q$-th $\mathsf{RO}$-query from uniformly random over $\mathbb{G}^2$ (conditioned on the fact that $\mathbf{u}_l^\top \mathbf{a}^\perp \neq 0$) to uniformly random in the span of $[\mathbf{a}]$: $\mathsf{Adv}_{3.q.3} - \mathsf{Adv}_{3.q+1.1} \le \mathsf{Adv}^{\mathrm{ddh}}_{\mathbb{G}}(t) + 1/p$.

As a conclusion, since $G_{3.Q+1.1} = G_3$, we have $\mathsf{Adv}_2 - \mathsf{Adv}_3 \le 2Q(\mathsf{Adv}^{\mathrm{ddh}}_{\mathbb{G}}(t) + 1/p)$. In addition, $\mathsf{Adv}_3 = 0$, which concludes the proof.

5 A Statically-Secure DMCFE for Inner Product

Overview of the Scheme. Our construction of MCFE for inner product uses functional decryption keys $\mathsf{dk}_{\mathbf{y}} = (\mathbf{y}, \langle \mathbf{s}, \mathbf{y} \rangle) = (\mathbf{y}, \mathbf{d})$, where $\mathbf{d} = \langle \mathbf{s}, \mathbf{y} \rangle = \sum_i \mathbf{s}_i y_i = \langle \mathbf{t}, \mathbf{1} \rangle$, with $\mathbf{t}_i = \mathbf{s}_i y_i$, for $i = 1, \ldots, n$, and $\mathbf{1} = (1, \ldots, 1)$. Hence, one can split $\mathsf{msk} = \mathbf{s}$ into $\mathsf{msk}_i = \mathbf{s}_i$, define $T_i(\mathsf{msk}_i, \mathbf{y}) = \mathbf{t}_i = \mathbf{s}_i y_i$ and $F(\mathbf{t}) = \langle \mathbf{t}, \mathbf{1} \rangle$. We could thus wish to use the above generic construction from the introduction with our MCFE for inner product, that is self-enabling, to describe a DMCFE for inner product. However, this is not straightforward as our MCFE only allows small results for the function evaluations, since a discrete logarithm has to be computed. While, for real-life applications, it might be reasonable to assume the plaintexts and any evaluations on them are small enough, it is impossible to recover such a large scalar as $\mathbf{d} = \langle \mathbf{s}, \mathbf{y} \rangle$, which comes up when we use our scheme to encrypt encryption keys.
Nevertheless, following this idea we can overcome the concern above with pairings: one can only recover $[\mathbf{d}]$, but using a pairing $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$, one can use our MCFE in both $\mathbb{G}_1$ and $\mathbb{G}_2$. This allows us to compute the functional decryption in $\mathbb{G}_T$, to get $[\langle \mathbf{x}, \mathbf{y} \rangle]_T$, which is decryptable as $\langle \mathbf{x}, \mathbf{y} \rangle$ is small enough.

5.1 Construction

Let us describe the new construction, using an asymmetric pairing group, as in Section 3.1.

$\mathsf{SetUp}(\lambda)$: Generates $\mathcal{PG} := (\mathbb{G}_1, \mathbb{G}_2, p, P_1, P_2, e) \xleftarrow{\$} \mathsf{PGGen}(1^\lambda)$. Samples two full-domain hash functions $\mathcal{H}_1$ and $\mathcal{H}_2$ onto $\mathbb{G}_1^2$ and $\mathbb{G}_2^2$ respectively. Each sender $\mathcal{S}_i$ generates $\mathbf{s}_i \xleftarrow{\$} \mathbb{Z}_p^2$ for all $i \in [n]$, and interactively generates $\mathbf{T}_i \xleftarrow{\$} \mathbb{Z}_p^{2 \times 2}$ such that $\sum_{i \in [n]} \mathbf{T}_i = \mathbf{0}$. One then sets $\mathsf{mpk} \leftarrow (\mathcal{PG}, \mathcal{H}_1, \mathcal{H}_2)$, and for $i = 1, \ldots, n$, $\mathsf{ek}_i = \mathbf{s}_i$, $\mathsf{sk}_i = (\mathbf{s}_i, \mathbf{T}_i)$;

$\mathsf{Encrypt}(\mathsf{ek}_i, x_i, l)$: Takes as input the value $x_i$ to encrypt, under the key $\mathsf{ek}_i = \mathbf{s}_i$ and the label $l$. It computes $[\mathbf{u}_l]_1 := \mathcal{H}_1(l) \in \mathbb{G}_1^2$, and outputs the ciphertext $[c_i]_1 = [\mathbf{u}_l^\top \mathbf{s}_i + x_i]_1 \in \mathbb{G}_1$;

$\mathsf{DKeyGenShare}(\mathsf{sk}_i, \mathbf{y})$: on input $\mathbf{y} \in \mathbb{Z}_p^n$ that defines the function $f_{\mathbf{y}}(\mathbf{x}) = \langle \mathbf{x}, \mathbf{y} \rangle$, and the secret key $\mathsf{sk}_i = (\mathbf{s}_i, \mathbf{T}_i)$, it computes $[\mathbf{v}_{\mathbf{y}}]_2 := \mathcal{H}_2(\mathbf{y}) \in \mathbb{G}_2^2$, $[\mathbf{d}_i]_2 := [y_i \mathbf{s}_i + \mathbf{T}_i \mathbf{v}_{\mathbf{y}}]_2$, and returns the partial decryption key as $\mathsf{dk}_{\mathbf{y},i} := ([\mathbf{d}_i]_2)$;

$\mathsf{DKeyComb}((\mathsf{dk}_{\mathbf{y},i})_{i \in [n]}, \mathbf{y})$: the partial decryption keys $(\mathsf{dk}_{\mathbf{y},i} = ([\mathbf{d}_i]_2))_{i \in [n]}$ lead to $\mathsf{dk}_{\mathbf{y}} := (\mathbf{y}, [\mathbf{d}]_2)$, where $[\mathbf{d}]_2 = \sum_{i \in [n]} [\mathbf{d}_i]_2$;

$\mathsf{Decrypt}(\mathsf{dk}_{\mathbf{y}}, l, ([c_i]_1)_{i \in [n]})$: on input the decryption key $\mathsf{dk}_{\mathbf{y}} = (\mathbf{y}, [\mathbf{d}]_2)$, the label $l$, and ciphertexts $([c_i]_1)_{i \in [n]}$, it computes $[\alpha]_T := \sum_{i \in [n]} e([c_i]_1, [y_i]_2) - e([\mathbf{u}_l]_1, [\mathbf{d}]_2)$, and eventually solves the discrete logarithm in basis $[1]_T$ to extract and return $\alpha$.

Correctness: Let $\mathbf{x}, \mathbf{y} \in \mathbb{Z}_p^n$, we have:

$$[\mathbf{d}]_2 = \sum_{i \in [n]} [\mathbf{d}_i]_2 = \sum_{i \in [n]} [y_i \mathbf{s}_i + \mathbf{T}_i \mathbf{v}_{\mathbf{y}}]_2 = \Big[\sum_{i \in [n]} y_i \mathbf{s}_i\Big]_2 + \Big[\Big(\sum_{i \in [n]} \mathbf{T}_i\Big) \mathbf{v}_{\mathbf{y}}\Big]_2 = \Big[\sum_{i \in [n]} y_i \mathbf{s}_i\Big]_2.$$

Thus:

$$[\alpha]_T := \sum_{i \in [n]} e([c_i]_1, [y_i]_2) - e([\mathbf{u}_l]_1, [\mathbf{d}]_2) = \Big[\sum_i (\mathbf{u}_l^\top \mathbf{s}_i + x_i) y_i\Big]_T - \Big[\sum_{i \in [n]} y_i \mathbf{u}_l^\top \mathbf{s}_i\Big]_T = \Big[\sum_i x_i y_i\Big]_T.$$

5.2 Security Analysis

Theorem 9 (sta-IND-Security). The above DMCFE protocol (see Section 5.1) is sta-IND secure under the SXDH assumption, in the random oracle model. Namely, for any PPT adversary $\mathcal{A}$, there exist PPT adversaries $\mathcal{B}_1$ and $\mathcal{B}_2$ such that:

$$\mathsf{Adv}^{\mathrm{IND}}(\mathcal{A}) \le 2Q_1 \cdot \mathsf{Adv}^{\mathrm{ddh}}_{\mathbb{G}_1}(t) + 2Q_2 \cdot \mathsf{Adv}^{\mathrm{ddh}}_{\mathbb{G}_2}(t) + \frac{2Q_1 + 2Q_2}{p} + \mathsf{Adv}^{\mathrm{ddh}}_{\mathbb{G}_1}(t + 4Q_1 t_{\mathbb{G}_1}) + 2 \cdot \mathsf{Adv}^{\mathrm{ddh}}_{\mathbb{G}_2}(t + 4Q_2 t_{\mathbb{G}_2}),$$

where $Q_1$ and $Q_2$ are the number of (direct and indirect) queries to $\mathcal{H}_1$ and $\mathcal{H}_2$ respectively (modeled as random oracles), the former being asked by $\mathsf{QEncrypt}$-queries and the latter being asked by $\mathsf{QDKeyGen}$-queries. We stress that this Theorem supports adaptive encryption queries, but static corruptions only.

Proof. We proceed using hybrid games, described in Fig. 5, with similar notations as in the previous proof.

Game $G_0$: This is the sta-IND-security game as given in Definition 5, but with the set $\mathcal{CS}$ of corrupted senders known from the beginning. Note that the hash functions $\mathcal{H}_1$ and $\mathcal{H}_2$ are modeled as random oracles. The former is used to generate $[\mathbf{u}_l]_1 := \mathcal{H}_1(l) \in \mathbb{G}_1^2$ and the latter $[\mathbf{v}_{\mathbf{y}}]_2 := \mathcal{H}_2(\mathbf{y}) \in \mathbb{G}_2^2$.

Game $G_1$: We replace the hash function $\mathcal{H}_2$ by a random oracle $\mathsf{RO}_2$ that generates random pairs from $\mathbb{G}_2^2$ on the fly. In addition, for any $\mathsf{QDKeyGen}$-query on a corrupted index $i \in \mathcal{CS}$, one generates the partial functional decryption key by itself, without explicitly querying $\mathsf{QDKeyGen}$. Hence, we can assume that $\mathcal{A}$ does not query $\mathsf{QCorrupt}$ and $\mathsf{QDKeyGen}$ on the same indices $i \in [n]$. The simulation remains perfect, and so $\mathsf{Adv}_0 = \mathsf{Adv}_1$.

Game $G_2$: Now, the outputs of $\mathsf{RO}_2$ are uniformly random in the span of $[\mathbf{b}]_2$ for $\mathbf{b} := \binom{1}{a}$, with $a \xleftarrow{\$} \mathbb{Z}_p$. As in the previous proof, we have $\mathsf{Adv}_1 - \mathsf{Adv}_2 \le \mathsf{Adv}^{\mathrm{ddh}}_{\mathbb{G}_2}(t + 4Q_2 t_{\mathbb{G}_2})$, where $Q_2$ is the number of $\mathsf{RO}_2$-queries and $t_{\mathbb{G}_2}$ the time for an exponentiation.
Game $G_3$: We replace all the partial key decryption answers by $\mathsf{dk}_{\mathbf{y},i} := [y_i \mathbf{s}_i + \mathbf{w}_i (\mathbf{b}^\perp)^\top \mathbf{v}_{\mathbf{y}} + \mathbf{T}_i \mathbf{v}_{\mathbf{y}}]_2$, for new $\mathbf{w}_i \xleftarrow{\$} \mathbb{Z}_p^2$, such that $\sum_i \mathbf{w}_i = \mathbf{0}$, for each $\mathbf{y}$. This sum being among the honest clients, we need to know the last queried honest client to set this sum to zero. Hence the requirement to know the set of honest clients, and thus just security against static corruptions. We show below that $\mathsf{Adv}_2 = \mathsf{Adv}_3$.

Game $G_4$: We switch back the distribution of all the vectors $[\mathbf{v}_{\mathbf{y}}]_2$ output by $\mathsf{RO}_2$, from uniformly random in the span of $[\mathbf{b}]_2$, to uniformly random over $\mathbb{G}_2^2$, thus back to $\mathcal{H}_2(\mathbf{y})$. This transition is the reverse of the two first transitions of this proof: $\mathsf{Adv}_3 - \mathsf{Adv}_4 \le \mathsf{Adv}^{\mathrm{ddh}}_{\mathbb{G}_2}(t + 4Q_2 t_{\mathbb{G}_2})$.


More information

Lecture 4: Universal Hash Functions/Streaming Cont d

Lecture 4: Universal Hash Functions/Streaming Cont d CSE 5: Desgn and Analyss of Algorthms I Sprng 06 Lecture 4: Unversal Hash Functons/Streamng Cont d Lecturer: Shayan Oves Gharan Aprl 6th Scrbe: Jacob Schreber Dsclamer: These notes have not been subjected

More information

Lecture 12: Discrete Laplacian

Lecture 12: Discrete Laplacian Lecture 12: Dscrete Laplacan Scrbe: Tanye Lu Our goal s to come up wth a dscrete verson of Laplacan operator for trangulated surfaces, so that we can use t n practce to solve related problems We are mostly

More information

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards Comments on a secure dynamc ID-based remote user authentcaton scheme for multserver envronment usng smart cards Debao He chool of Mathematcs tatstcs Wuhan nversty Wuhan People s Republc of Chna Emal: hedebao@63com

More information

APPENDIX A Some Linear Algebra

APPENDIX A Some Linear Algebra APPENDIX A Some Lnear Algebra The collecton of m, n matrces A.1 Matrces a 1,1,..., a 1,n A = a m,1,..., a m,n wth real elements a,j s denoted by R m,n. If n = 1 then A s called a column vector. Smlarly,

More information

Lecture 10: May 6, 2013

Lecture 10: May 6, 2013 TTIC/CMSC 31150 Mathematcal Toolkt Sprng 013 Madhur Tulsan Lecture 10: May 6, 013 Scrbe: Wenje Luo In today s lecture, we manly talked about random walk on graphs and ntroduce the concept of graph expander,

More information

arxiv: v1 [quant-ph] 6 Sep 2007

arxiv: v1 [quant-ph] 6 Sep 2007 An Explct Constructon of Quantum Expanders Avraham Ben-Aroya Oded Schwartz Amnon Ta-Shma arxv:0709.0911v1 [quant-ph] 6 Sep 2007 Abstract Quantum expanders are a natural generalzaton of classcal expanders.

More information

Salmon: Lectures on partial differential equations. Consider the general linear, second-order PDE in the form. ,x 2

Salmon: Lectures on partial differential equations. Consider the general linear, second-order PDE in the form. ,x 2 Salmon: Lectures on partal dfferental equatons 5. Classfcaton of second-order equatons There are general methods for classfyng hgher-order partal dfferental equatons. One s very general (applyng even to

More information

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009 College of Computer & Informaton Scence Fall 2009 Northeastern Unversty 20 October 2009 CS7880: Algorthmc Power Tools Scrbe: Jan Wen and Laura Poplawsk Lecture Outlne: Prmal-dual schema Network Desgn:

More information

Errors for Linear Systems

Errors for Linear Systems Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch

More information

Société de Calcul Mathématique SA

Société de Calcul Mathématique SA Socété de Calcul Mathématque SA Outls d'ade à la décson Tools for decson help Probablstc Studes: Normalzng the Hstograms Bernard Beauzamy December, 202 I. General constructon of the hstogram Any probablstc

More information

j) = 1 (note sigma notation) ii. Continuous random variable (e.g. Normal distribution) 1. density function: f ( x) 0 and f ( x) dx = 1

j) = 1 (note sigma notation) ii. Continuous random variable (e.g. Normal distribution) 1. density function: f ( x) 0 and f ( x) dx = 1 Random varables Measure of central tendences and varablty (means and varances) Jont densty functons and ndependence Measures of assocaton (covarance and correlaton) Interestng result Condtonal dstrbutons

More information

Global Sensitivity. Tuesday 20 th February, 2018

Global Sensitivity. Tuesday 20 th February, 2018 Global Senstvty Tuesday 2 th February, 28 ) Local Senstvty Most senstvty analyses [] are based on local estmates of senstvty, typcally by expandng the response n a Taylor seres about some specfc values

More information

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard

More information

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016 CS 29-128: Algorthms and Uncertanty Lecture 17 Date: October 26, 2016 Instructor: Nkhl Bansal Scrbe: Mchael Denns 1 Introducton In ths lecture we wll be lookng nto the secretary problem, and an nterestng

More information

Finding Primitive Roots Pseudo-Deterministically

Finding Primitive Roots Pseudo-Deterministically Electronc Colloquum on Computatonal Complexty, Report No 207 (205) Fndng Prmtve Roots Pseudo-Determnstcally Ofer Grossman December 22, 205 Abstract Pseudo-determnstc algorthms are randomzed search algorthms

More information

Psychology 282 Lecture #24 Outline Regression Diagnostics: Outliers

Psychology 282 Lecture #24 Outline Regression Diagnostics: Outliers Psychology 282 Lecture #24 Outlne Regresson Dagnostcs: Outlers In an earler lecture we studed the statstcal assumptons underlyng the regresson model, ncludng the followng ponts: Formal statement of assumptons.

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 No extra materal s allowed durng the exam except for pens and a smple calculator (not smartphones).

More information

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results.

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results. Neural Networks : Dervaton compled by Alvn Wan from Professor Jtendra Malk s lecture Ths type of computaton s called deep learnng and s the most popular method for many problems, such as computer vson

More information

Department of Statistics University of Toronto STA305H1S / 1004 HS Design and Analysis of Experiments Term Test - Winter Solution

Department of Statistics University of Toronto STA305H1S / 1004 HS Design and Analysis of Experiments Term Test - Winter Solution Department of Statstcs Unversty of Toronto STA35HS / HS Desgn and Analyss of Experments Term Test - Wnter - Soluton February, Last Name: Frst Name: Student Number: Instructons: Tme: hours. Ads: a non-programmable

More information

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud Resource Allocaton wth a Budget Constrant for Computng Independent Tasks n the Cloud Wemng Sh and Bo Hong School of Electrcal and Computer Engneerng Georga Insttute of Technology, USA 2nd IEEE Internatonal

More information

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper Games of Threats Elon Kohlberg Abraham Neyman Workng Paper 18-023 Games of Threats Elon Kohlberg Harvard Busness School Abraham Neyman The Hebrew Unversty of Jerusalem Workng Paper 18-023 Copyrght 2017

More information

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4)

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4) I. Classcal Assumptons Econ7 Appled Econometrcs Topc 3: Classcal Model (Studenmund, Chapter 4) We have defned OLS and studed some algebrac propertes of OLS. In ths topc we wll study statstcal propertes

More information

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013 COS 511: heoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 15 Scrbe: Jemng Mao Aprl 1, 013 1 Bref revew 1.1 Learnng wth expert advce Last tme, we started to talk about learnng wth expert advce.

More information

Some Comments on Accelerating Convergence of Iterative Sequences Using Direct Inversion of the Iterative Subspace (DIIS)

Some Comments on Accelerating Convergence of Iterative Sequences Using Direct Inversion of the Iterative Subspace (DIIS) Some Comments on Acceleratng Convergence of Iteratve Sequences Usng Drect Inverson of the Iteratve Subspace (DIIS) C. Davd Sherrll School of Chemstry and Bochemstry Georga Insttute of Technology May 1998

More information

Perfect Competition and the Nash Bargaining Solution

Perfect Competition and the Nash Bargaining Solution Perfect Competton and the Nash Barganng Soluton Renhard John Department of Economcs Unversty of Bonn Adenauerallee 24-42 53113 Bonn, Germany emal: rohn@un-bonn.de May 2005 Abstract For a lnear exchange

More information

12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product

12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product 12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA Here s an outlne of what I dd: (1) categorcal defnton (2) constructon (3) lst of basc propertes (4) dstrbutve property (5) rght exactness (6) localzaton

More information

20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness.

20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness. 20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The frst dea s connectedness. Essentally, we want to say that a space cannot be decomposed

More information

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0 MODULE 2 Topcs: Lnear ndependence, bass and dmenson We have seen that f n a set of vectors one vector s a lnear combnaton of the remanng vectors n the set then the span of the set s unchanged f that vector

More information

Chapter 11: Simple Linear Regression and Correlation

Chapter 11: Simple Linear Regression and Correlation Chapter 11: Smple Lnear Regresson and Correlaton 11-1 Emprcal Models 11-2 Smple Lnear Regresson 11-3 Propertes of the Least Squares Estmators 11-4 Hypothess Test n Smple Lnear Regresson 11-4.1 Use of t-tests

More information

An Introduction to Morita Theory

An Introduction to Morita Theory An Introducton to Morta Theory Matt Booth October 2015 Nov. 2017: made a few revsons. Thanks to Nng Shan for catchng a typo. My man reference for these notes was Chapter II of Bass s book Algebrac K-Theory

More information

Outline. Communication. Bellman Ford Algorithm. Bellman Ford Example. Bellman Ford Shortest Path [1]

Outline. Communication. Bellman Ford Algorithm. Bellman Ford Example. Bellman Ford Shortest Path [1] DYNAMIC SHORTEST PATH SEARCH AND SYNCHRONIZED TASK SWITCHING Jay Wagenpfel, Adran Trachte 2 Outlne Shortest Communcaton Path Searchng Bellmann Ford algorthm Algorthm for dynamc case Modfcatons to our algorthm

More information

Password Based Key Exchange With Mutual Authentication

Password Based Key Exchange With Mutual Authentication Password Based Key Exchange Wth Mutual Authentcaton Shaoquan Jang and Guang Gong Department of Electrcal and Computer Engneerng Unversty of Waterloo Waterloo, Ontaro N2L 3G1, CANADA Emal:{angshq,ggong}@callope.uwaterloo.ca

More information

The Second Anti-Mathima on Game Theory

The Second Anti-Mathima on Game Theory The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player

More information

The optimal delay of the second test is therefore approximately 210 hours earlier than =2.

The optimal delay of the second test is therefore approximately 210 hours earlier than =2. THE IEC 61508 FORMULAS 223 The optmal delay of the second test s therefore approxmately 210 hours earler than =2. 8.4 The IEC 61508 Formulas IEC 61508-6 provdes approxmaton formulas for the PF for smple

More information

Lecture 3. Ax x i a i. i i

Lecture 3. Ax x i a i. i i 18.409 The Behavor of Algorthms n Practce 2/14/2 Lecturer: Dan Spelman Lecture 3 Scrbe: Arvnd Sankar 1 Largest sngular value In order to bound the condton number, we need an upper bound on the largest

More information

NP-Completeness : Proofs

NP-Completeness : Proofs NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem

More information

Witness Encryption from Instance Independent Assumptions

Witness Encryption from Instance Independent Assumptions Wtness Encrypton from Instance Independent Assumptons Crag Gentry IBM Research, T.J. Watson cbgentry@us.bm.com Brent Waters Unversty of Texas at Austn bwaters@cs.utexas.edu Allson Bshop Lewko Columba Unversty

More information

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE Analytcal soluton s usually not possble when exctaton vares arbtrarly wth tme or f the system s nonlnear. Such problems can be solved by numercal tmesteppng

More information

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA 4 Analyss of Varance (ANOVA) 5 ANOVA 51 Introducton ANOVA ANOVA s a way to estmate and test the means of multple populatons We wll start wth one-way ANOVA If the populatons ncluded n the study are selected

More information

Lai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract)

Lai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract) La-Massey Scheme and Quas-Festel Networks (Extended Abstract Aaram Yun, Je Hong Park 2, and Jooyoung Lee 2 Unversty of Mnnesota - Twn Ctes aaramyun@gmalcom 2 ETRI Network & Communcaton Securty Dvson, Korea

More information

The Geometry of Logit and Probit

The Geometry of Logit and Probit The Geometry of Logt and Probt Ths short note s meant as a supplement to Chapters and 3 of Spatal Models of Parlamentary Votng and the notaton and reference to fgures n the text below s to those two chapters.

More information

MA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials

MA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials MA 323 Geometrc Modellng Course Notes: Day 13 Bezer Curves & Bernsten Polynomals Davd L. Fnn Over the past few days, we have looked at de Casteljau s algorthm for generatng a polynomal curve, and we have

More information

9 Characteristic classes

9 Characteristic classes THEODORE VORONOV DIFFERENTIAL GEOMETRY. Sprng 2009 [under constructon] 9 Characterstc classes 9.1 The frst Chern class of a lne bundle Consder a complex vector bundle E B of rank p. We shall construct

More information

An Interactive Optimisation Tool for Allocation Problems

An Interactive Optimisation Tool for Allocation Problems An Interactve Optmsaton ool for Allocaton Problems Fredr Bonäs, Joam Westerlund and apo Westerlund Process Desgn Laboratory, Faculty of echnology, Åbo Aadem Unversty, uru 20500, Fnland hs paper presents

More information

THE SUMMATION NOTATION Ʃ

THE SUMMATION NOTATION Ʃ Sngle Subscrpt otaton THE SUMMATIO OTATIO Ʃ Most of the calculatons we perform n statstcs are repettve operatons on lsts of numbers. For example, we compute the sum of a set of numbers, or the sum of the

More information

Canonical transformations

Canonical transformations Canoncal transformatons November 23, 2014 Recall that we have defned a symplectc transformaton to be any lnear transformaton M A B leavng the symplectc form nvarant, Ω AB M A CM B DΩ CD Coordnate transformatons,

More information

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence

More information

Comparison of the Population Variance Estimators. of 2-Parameter Exponential Distribution Based on. Multiple Criteria Decision Making Method

Comparison of the Population Variance Estimators. of 2-Parameter Exponential Distribution Based on. Multiple Criteria Decision Making Method Appled Mathematcal Scences, Vol. 7, 0, no. 47, 07-0 HIARI Ltd, www.m-hkar.com Comparson of the Populaton Varance Estmators of -Parameter Exponental Dstrbuton Based on Multple Crtera Decson Makng Method

More information

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k.

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k. THE CELLULAR METHOD In ths lecture, we ntroduce the cellular method as an approach to ncdence geometry theorems lke the Szemeréd-Trotter theorem. The method was ntroduced n the paper Combnatoral complexty

More information

Lecture 5 Decoding Binary BCH Codes

Lecture 5 Decoding Binary BCH Codes Lecture 5 Decodng Bnary BCH Codes In ths class, we wll ntroduce dfferent methods for decodng BCH codes 51 Decodng the [15, 7, 5] 2 -BCH Code Consder the [15, 7, 5] 2 -code C we ntroduced n the last lecture

More information

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.265/15.070J Fall 2013 Lecture 12 10/21/2013. Martingale Concentration Inequalities and Applications

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.265/15.070J Fall 2013 Lecture 12 10/21/2013. Martingale Concentration Inequalities and Applications MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.65/15.070J Fall 013 Lecture 1 10/1/013 Martngale Concentraton Inequaltes and Applcatons Content. 1. Exponental concentraton for martngales wth bounded ncrements.

More information

5 The Rational Canonical Form

5 The Rational Canonical Form 5 The Ratonal Canoncal Form Here p s a monc rreducble factor of the mnmum polynomal m T and s not necessarly of degree one Let F p denote the feld constructed earler n the course, consstng of all matrces

More information

Transfer Functions. Convenient representation of a linear, dynamic model. A transfer function (TF) relates one input and one output: ( ) system

Transfer Functions. Convenient representation of a linear, dynamic model. A transfer function (TF) relates one input and one output: ( ) system Transfer Functons Convenent representaton of a lnear, dynamc model. A transfer functon (TF) relates one nput and one output: x t X s y t system Y s The followng termnology s used: x y nput output forcng

More information

Communication Complexity 16:198: February Lecture 4. x ij y ij

Communication Complexity 16:198: February Lecture 4. x ij y ij Communcaton Complexty 16:198:671 09 February 2010 Lecture 4 Lecturer: Troy Lee Scrbe: Rajat Mttal 1 Homework problem : Trbes We wll solve the thrd queston n the homework. The goal s to show that the nondetermnstc

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information