From Minicrypt to Obfustopia via Private-Key Functional Encryption Ilan Komargodski Weizmann Institute of Science Joint work with Gil Segev (Hebrew University)
Functional Encryption [Sahai-Waters 05] Enc pk m f Alice Public key pk Server Learns f m and nothing else about m sk f Bob Master secret key msk 2
Private-Key Functional Encryption Enc msk m f Alice msk sk f Server Learns only f m k 0 and Enc msk m, server can learn whether m 0, but nothing else! 3
Private-Key Functional Encryption Enc msk m f Alice msk sk f Server Learns only f m 0 k 0 and Enc msk Enc Enc msk mmsskk Enc msk m mm m, server can learn whether mm 0, but nothing else! Positivity-Revealing Encryption: Given s k 0 0 and Enc msk m, server can 4
Private-Key Functional Encryption Enc msk m f Alice msk sk f Server Learns only f m Security (Ind-based): Server sees keys for f 1,, f l and encryptions of m 1,, m k. 0 k 0 and Enc msk Enc Enc msk mmsskk Enc msk m mm m, server can learn whether mm 0, but nothing else! Can learn f i m j but nothing else. Positivity-Revealing Encryption: Given s k 0 0 and Enc msk m, server can 5
Known Constructions of Functional Encryption Schemes (Highlights) # keys Bounded Bounded Unbounded Ciphertext Long Short Short Assumption OWF/PKE [GVW12] LWE [GKPVZ13] io [GGHRSW13, W15] [GVW12] Gorbunov, Vaikuntanathan, Wee: Functional Encryption with Bounded Collusions via Multi-party Computation. CRYPTO 2012 [GKPVZ13] Goldwasser, Kalai, Popa, Vaikuntanathan, Zeldovich. Reusable garbled circuits and succinct functional encryption. STOC 2013 [GGHRSW13] Garg, Gentry, Halevi, Raykova, Sahai, Waters: Candidate Indistinguishability Obfuscation and Functional Encryption for all Circuits. FOCS 2013 [W14] Waters: A Punctured Programming Approach to Adaptively Secure Functional Encryption. CRYPTO 2015 6
Known Constructions of Functional Encryption Schemes (Highlights) # keys Bounded Bounded Unbounded Ciphertext Long Short Short Assumption OWF/PKE [GVW12] LWE [GKPVZ13] io [GGHRSW13, W15] [GVW12] Gorbunov, Vaikuntanathan, Wee: Functional Encryption with Bounded Collusions via Multi-party Computation. CRYPTO Main 2012 question: [GKPVZ13] Goldwasser, Kalai, Is Popa, io Vaikuntanathan, necessary Zeldovich. for FE Reusable garbled circuits and succinct functional encryption. STOC 2013 [GGHRSW13] Garg, Gentry, with Halevi, unbounded Raykova, Sahai, Waters: keys? Candidate Indistinguishability Obfuscation and Functional Encryption for all Circuits. FOCS 2013 [W14] Waters: A Punctured Programming Approach to Adaptively Secure Functional Encryption. CRYPTO 2015 7
Does FE imply io? 8
Does FE imply io? Public-key FE (w. sub-exp security): YES [AJ15,BV15]. 9
Does FE imply io? Public-key FE (w. sub-exp security): YES [AJ15,BV15]. Private-key FE: up until recently, we only knew it implies OWFs. 10
Does FE imply io? Public-key FE (w. sub-exp security): YES [AJ15,BV15]. Private-key FE: up until recently, we only knew it implies OWFs. Best possible via black-box constructions [AS15]. 11
Does FE imply io? Public-key FE (w. sub-exp security): YES [AJ15,BV15]. Private-key FE: up until recently, we only knew it implies OWFs. Best possible via black-box constructions [AS15]. Bitansky et al. [BNPW16]: sub-exp-secure private-key FE & nearly exp-secure OWF imply PKE 12
Does FE imply io? Public-key FE (w. sub-exp security): YES [AJ15,BV15]. Private-key FE: up until recently, we only knew it implies OWFs. Best possible via black-box constructions [AS15]. Bitansky et al. [BNPW16]: sub-exp-secure private-key FE & nearly exp-secure OWF imply PKE sub-exp-secure private-key FE & sub-exp-secure PKE imply io 13
Does FE imply io? Public-key FE (w. sub-exp security): YES [AJ15,BV15]. Private-key FE: up until recently, we only knew it implies OWFs. Best possible via black-box constructions [AS15]. Bitansky et al. [BNPW16]: sub-exp-secure private-key FE & nearly exp-secure OWF imply PKE sub-exp-secure private-key FE & sub-exp-secure PKE imply io Non black-box component of [BKS16] 14
Does FE imply io? 15
Does FE imply io? # inputs Assumption Applications 16
Does FE imply io? # inputs Assumption O log n Trivial Applications 17
Does FE imply io? # inputs Assumption O log n Trivial O n Sub-exp-secure Public-key FE [AJ15,BV15] Or Sub-exp-secure Private-key FE + PKE [BNPW16] Applications All applications of io 18
Does FE imply io? # inputs O log n O log n loglog n O n Assumption Trivial Sub-exp-secure Private-key FE [BKS16] Sub-exp-secure Public-key FE [AJ15,BV15] Or Sub-exp-secure Private-key FE + PKE [BNPW16] Applications +nearly-exp OWF => PKE w. slight super-polynomial security [BNPW16] All applications of io 19
Does FE imply io? # inputs O log n O log n loglog n O log 1+δ n O n Assumption Trivial Sub-exp-secure Private-key FE [BKS16] Quasi-polysecure Privatekey FE [ThisWork] Sub-exp-secure Public-key FE [AJ15,BV15] Or Sub-exp-secure Private-key FE + PKE [BNPW16] Applications +nearly-exp OWF => PKE w. slight super-polynomial security [BNPW16] +sub-exp OWF => Public-key FE, PPAD hardness w. quasi-poly security All applications of io 20
Our Results xp(log ε n) with inputs of length log 1+δ n. xp(log ε n) with inputs of length log 1+δ n. 21
Our Results xp( log ε log log ε εε log ε nn) with inputs of length log 1+δ log log 1+δ 1+δδ log 1+δ nn. Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. xp(log ε n) with inputs of length log 1+δ n. 22
Our Results xp( log ε log log ε εε log ε nn) with inputs of length log 1+δ log log 1+δ 1+δδ log 1+δ nn. Theorem: Quasi-poly-secure private-key FE implies io for circuits of Observation: size exp(log ε Such an io is sufficient for many n) with inputs of length log 1+δ applications! n. xp(log ε n) with inputs of length log 1+δ n. 23
Our Results xp( log ε log log ε εε log ε nn) with inputs of length log 1+δ log log 1+δ 1+δδ log 1+δ nn. xp( log ε log log ε εε log ε nn) with inputs of length log 1+δ log log 1+δ 1+δδ log 1+δ nn. Observation: Such an io is sufficient for many applications! Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. Example Corollary 1: Quasi-poly-secure private-key FE & sub-exp-secure OWF imply public-key FE for circuits of size exp(log ε n) with inputs of length log 1+δ n. 24
Our Results xp( log ε log log ε εε log ε nn) with inputs of length log 1+δ log log 1+δ 1+δδ log 1+δ nn. xp( log ε log log ε εε log ε nn) with inputs of length log 1+δ log log 1+δ 1+δδ log 1+δ nn. Observation: Such an io is sufficient for many applications! Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. Example Corollary 1: Quasi-poly-secure private-key FE & sub-exp-secure OWF imply public-key FE for circuits of size exp(log ε n) with inputs of length log 1+δ n. Example Corollary 2: 25
Our Results xp( log ε log log ε εε log ε nn) with inputs of length log 1+δ log log 1+δ 1+δδ log 1+δ nn. xp( log ε log log ε εε log ε nn) with inputs of length log 1+δ log log 1+δ 1+δδ log 1+δ nn. Observation: Such an io is sufficient for many applications! Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. Example Corollary 1: Recently: ]Kitagawa-Nishimaki- Quasi-poly-secure private-key Tanaka] FE & showed sub-exp-secure that secure of size private-key exp(log FE ε implies n) with io OWF imply public-key FE for circuits inputs of length log 1+δ n. Example Corollary 2: 26
PPAD-Hardness Summary [AKV04] [BPR15] The strong assumption VBB io Hardness Super-Poly [GPS16] Public-key FE Poly This Work Private-key FE Quasi-poly
PPAD-Hardness Summary [AKV04] [BPR15] The strong assumption VBB io Hardness Super-Poly [GPS16] Public-key FE Poly This Work Private-key FE Quasi-poly Open: Can be based on weaker/other assumptions? LWE, DDH TDF/PKE (impossible via SVL hardness [RSS17]).
2-Input Functional Encryption [GGG+ 14] Enc msk m 1, f Enc msk m 2 Alice msk sk f Server Learns only f m 1, m 2 k,enc msk m 1 and Enc msk m 2, server can learn whether m 1 m 2, but nothing else! 29
2-Input Functional Encryption [GGG+ 14] Enc msk m 1, f Enc msk m 2 Alice msk sk f Server Learns only f m 1, m 2 k, Enc msk Enc Enc msk mmsskk Enc msk m 1 m 1 mm m 1 1 m 1 m 1 and Enc msk Enc Enc ms k mmsskk Enc msk m 2 m 2 mm m 2 2 m 2 m 2, server can learn whether m 1 mm m 1 1 m 1 30
2-Input Functional Encryption [GGG+ 14] Enc msk m 1, f Enc msk m 2 Alice msk sk f Server Learns only f m 1, m 2 k, Enc msk Enc Enc msk mmsskk Enc msk m 1 m 1 mm m 1 1 m 1 m 1 and Enc msk Enc Enc ms k mmsskk Enc msk m 2 m 2 mm m 2 2 m 2 m 2, server can learn whether m 1 mm m 1 1 m 1 t-input defined analogously. 31
Constructions of t-input FE Schemes [GGG+14] [BLR+15] [AJ15,BV15] [BKS16] This work Assumption io Multilinear Maps (idealized model) Sub-exp-secure single-input public-key FE Sub-exp-secure single-input private-key FE Quasi-poly-secure single-input private-key FE t - # of inputs Poly Poly Poly O(loglog n) log δ n 32
Constructions of t-input FE Schemes Assumption t - # of inputs [GGG+14] io Poly [BLR+15] Multilinear Maps (idealized model) Poly [AJ15,BV15] [BKS16] Sub-exp-secure single-input public-key FE Sub-exp-secure single-input private-key FE Poly O(loglog n) Remark: All of the schemes are selectively secure. ]BKS16] is adaptively secure. This work Quasi-poly-secure single-input private-key FE log δ n 33
Proof Overview Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. 1-input privatekey FE 2-input privatekey FE log δ n -input private-key FE io for log 1+δ n inputs -input FE scheme 34
Proof Overview Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. 1-input privatekey FE 2-input privatekey FE log δ n -input private-key FE io for log 1+δ n inputs tt-input FE We show a new generic transformation of any private-key t-input FE scheme into a private-key 2tinput FE 35
Proof Overview Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. 1-input privatekey FE 2-input privatekey FE log δ n -input private-key FE io for log 1+δ n inputs loglog nn times and get a log δ log log δ δδ log δ nn -input FE scheme tt-input FE We apply the transformation δ loglog n times and get a log δ n-input FE scheme 36
Proof Overview Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. 1-input privatekey FE 2-input privatekey FE log δ n -input private-key FE io for log 1+δ n inputs og log 1+δ 1+δδ log 1+δ nn. loglog nn times and get a log δ log log δ δδ log δ nn -input FE scheme tt-input FE Apply the [GGG+14,BNPW16] transformation to get io for inputs of length log 1 + δ n. 37
Proof Overview Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. 1-input privatekey FE 2-input privatekey FE log δ n -input private-key FE io for log 1+δ n inputs og log 1+δ 1+δδ log 1+δ nn. og log 1+δ 1+δδ log 1+δ nn. loglog nn times and get a log δ log log δ δδ log δ nn -input FE scheme Apply the [GGG+14,BNPW16] transformation to get io for inputs of length log 1 + δ n. Apply the [GGG+14,BNPW16] transformation to get io 38
Private-Key FE to io Theorem: t-input private-key FE implies io for circuits with inputs of length t log(n). 39
Private-Key FE to io Theorem: t-input private-key FE implies io for circuits with inputs of length t log(n). sk C sk sk C CC sk C } { ct i,j ct ct i,j ii,jj ct i,j } i {0,1 } log n,j t } } i {0,1 } log n,j t ii {0,1 } log n } } log n log n log log n n nn n log n } log n,jj t tt t } i {0,1 } log n,j t Proof: The obfuscation of a circuit C contains {sk C } {ct i,j } i {0,1} log n,j t 40
Private-Key FE to io Theorem: t-input private-key FE implies io for circuits with inputs of length t log(n). sk C sk sk C CC sk C } { ct i,j ct ct i,j ii,jj ct i,j } i {0,1 } log n,j t } } i {0,1 } log n,j t ii {0,1 } log n } } log n log n log log n n nn n log n } log n,jj t tt t } i {0,1 } log n,j t Proof: Key for the Encryption of the function C string i w.r.t input j The obfuscation of a circuit C contains {sk C } {ct i,j } i {0,1} log n,j t 41
Private-Key FE to io Theorem: t-input private-key FE implies io for circuits with inputs of length t log(n). E.Dec( sk C sk sk C CC sk C, x 1 xx x 1 1 x 1,, x t xx x t tt x t ) E.Dec( sk C sk sk C CC sk C, x 1 xx x 1 1 x 1,, x t xx x t tt x t ) ( x 1 xx x 1 Key 1 for x 1 the,, x t Encryption xx x t tt of the x t ) {0,1 } t log(n) } } t function C string i w.r.t input j log(n) tt log(nn) } t log(n), return sk C sk sk C CC sk C } { ct i,j ct ct i,j ii,jj ct i,j } i {0,1 } log n,j t } } i {0,1 } log n,j t ii {0,1 } log n } } log n log n log log n n nn n log n } log n,jj t tt t } i {0,1 } log n,j t 42
Private-Key FE to io Theorem: t-input private-key FE implies io for circuits with inputs of length t log(n). E.Dec( sk C sk sk C CC sk C, x 1 xx x 1 1 x 1,, x t xx x t tt x t ) E.Dec( sk C sk sk C CC sk C, x 1 xx x 1 1 x 1,, x t xx x t tt x t ) ( x 1 xx x 1 Key 1 for x 1 the,, x t Encryption xx x t tt of the x t ) {0,1 t-input } t log(n) scheme is } } t function C string i w.r.t input j function private log(n) tt log(nn) } t log(n), return sk C sk sk C CC sk C } { ct i,j ct ct i,j ii,jj ct i,j } i {0,1 } log n,j t } } i {0,1 } log n,j t ii {0,1 } log n } } log n log n log log n n nn n log n } log n,jj t tt t } i {0,1 } log n,j t 43
From t-input FE to 2t-Input FE 44
From t-input FE to 2t-Input FE )ced, cne, negyek, putes( FE t FE t = tte FE t = (Setup, Keygen, Enc, Dec) 45
From t-input FE to 2t-Input FE msk t msk msk t tt msk t,kk) t-input scheme PRF key )ced, cne, negyek, putes( FE t FE t = tte FE t = (Setup, Keygen, Enc, Dec) The master secret key is (msk t, K) 46
From t-input FE to 2t-Input FE x 1,, x t xx x t tt x t, y 1 yy y 1 1 y 1,, y t yy y t tt y t x 1 t-input,, xscheme t, y 1,, PRF ykey t, msk t msk msk t tt msk t,kk) )ced, cne, negyek, putes( FE t FE t = tte FE t = (Setup, Keygen, Enc, Dec) The master secret key is (msk t, K) To generate a key for f x 1 1 1 x 1,, x t, y 1,, y t, 47
From t-input FE to 2t-Input FE x 1,, x t xx x t tt x t, y 1 yy y 1 1 y 1,, y t yy y t tt y t x 1 t-input,, xscheme t, y 1,, PRF ykey t, msk t msk msk t tt msk t,kk) )ced, cne, negyek, putes( FE t FE t = tte FE t = (Setup, Keygen, Enc, Dec) The master secret sk f key Keygen is (msk msk t, K) t, Gen f,k To generate a key for f x 1 1 1 x 1,, x t, y 1,, y t, Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) 48
From t-input FE to 2t-Input FE x 1,, x t xx x t tt x t f x 1,, x t f x 1,, x t ( y 1 yy y 1 1 y 1,, y tt-input yy yscheme t tt y t )=ff( PRF key x 1 xx x 1 1 x 1,, x t xx x t tt x t, y 1 yy y 1 1 y 1,, y t yy y t tt y t ). x 1,, x t xx x t tt x t, y 1 yy y 1 1 y 1,, y t yy y t tt y t x 1,, x t, y 1,, y t, msk t msk msk t tt msk t,kk) sk f Keygen msk t, Gen f,k )ced, cne, negyek, putes( FE t FE t = tte FE t = (Setup, Keygen, Enc, Dec) Gen The master secret f,k (x key 1,, x is (msk t ): t, K) msk x1,,x To generate a key for t = Setup(F K (x 1,, x t )) f x 1 1 1 x 1,, x t, y 1,, y t, Output Keygen(msk x1,,x t, f x1,,x t ) 49
From t-input FE to 2t-Input FE jj jj ii To encrypt an input x, i To encrypt an input y, j To encrypt an input y, j To encrypt an input y, j 50
From t-input FE to 2t-Input FE jj jj ct x,i Enc msk t, x, i ii To encrypt an input x, i To encrypt an input y, j To encrypt an input y, j To encrypt an input y, j 51
From t-input FE to 2t-Input FE jj jj ct x,i Enc msk t, x, i ii To encrypt an input x, i To encrypt an input y, j To encrypt an Encryption input y, jof y, j: To encrypt an ct input y,j y, Keygen j msk t, AGG y,j,k AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 52
From t-input FE to 2t-Input FE The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen msk t, Gen f,k To encrypt an input x, i ct x,i Enc msk t, x, i To encrypt an input y, j Encryption of y, j: ct y,j Keygen msk t, AGG y,j,k To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 53
From t-input FE to 2t-Input FE The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen msk t, Gen f,k To encrypt an input x, i Dec(sk f, ct x,1,, ct x,t, ct y,1,, ct y,t ): 1. sk fx Dec(sk 1,,x t f, ct x,1,, ct x,t ) 2. To j: encrypt ct y,j an Dec(ct input y,j, y, ct x,1 j,, ct x,t ) 3. Ret Dec(f x1,,x t, ct y,1,, ct y,t ) ct x,i Enc msk t, x, i Encryption of y, j: ct y,j Keygen msk t, AGG y,j,k To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 54
From t-input FE to 2t-Input FE The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen msk t, Gen f,k To encrypt an input x, i Dec(sk f, ct x,1,, ct x,t, ct y,1,, ct y,t ): 1. sk fx Dec(sk 1,,x t f, ct x,1,, ct x,t ) 2. To j: encrypt ct y,j an Dec(ct input y,j, y, ct x,1 j,, ct x,t ) 3. Ret Dec(f x1,,x t, ct y,1,, ct y,t ) ct x,i Enc msk t, x, i Encryption of y, j: ct y,j Keygen msk t, AGG y,j,k To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 55
From t-input FE to 2t-Input FE The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen msk t, Gen f,k To encrypt an input x, i sk f ct x,1 ct x,t ct y,1 ct y,t Dec(sk f, ct x,1,, ct x,t, ct y,1,, ct y,t ): 1. sk fx Dec(sk 1,,x t f, ct x,1,, ct x,t ) 2. To j: encrypt ct y,j an Dec(ct input y,j, y, ct x,1 j,, ct x,t ) 3. Ret Dec(f x1,,x t, ct y,1,, ct y,t ) ct x,i Enc msk t, x, i Encryption of y, j: ct y,j Keygen msk t, AGG y,j,k To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 56
From t-input FE to 2t-Input FE The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen msk t, Gen f,k To encrypt an input x, i sk f ct x,1 ct x,t ct y,1 ct y,t sk fx 1,,x t Dec(sk f, ct x,1,, ct x,t, ct y,1,, ct y,t ): 1. sk fx Dec(sk 1,,x t f, ct x,1,, ct x,t ) 2. To j: encrypt ct y,j an Dec(ct input y,j, y, ct x,1 j,, ct x,t ) 3. Ret Dec(f x1,,x t, ct y,1,, ct y,t ) ct x,i Enc msk t, x, i Encryption of y, j: ct y,j Keygen msk t, AGG y,j,k To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 57
From t-input FE to 2t-Input FE The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen msk t, Gen f,k To encrypt an input x, i sk f ct x,1 ct x,t ct y,1 ct y,t sk fx 1,,x t ct y,1 Dec(sk f, ct x,1,, ct x,t, ct y,1,, ct y,t ): 1. sk fx Dec(sk 1,,x t f, ct x,1,, ct x,t ) 2. To j: encrypt ct y,j an Dec(ct input y,j, y, ct x,1 j,, ct x,t ) 3. Ret Dec(f x1,,x t, ct y,1,, ct y,t ) ct x,i Enc msk t, x, i Encryption of y, j: ct y,j Keygen msk t, AGG y,j,k To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 58
From t-input FE to 2t-Input FE The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen msk t, Gen f,k To encrypt an input x, i sk f ct x,1 ct x,t ct y,1 ct y,t sk fx 1,,x t Dec(sk f, ct x,1,, ct x,t, ct y,1,, ct y,t ): 1. sk fx Dec(sk 1,,x t f, ct x,1,, ct x,t ) 2. To j: encrypt ct y,j an Dec(ct input y,j, y, ct x,1 j,, ct x,t ) 3. Ret Dec(f x1,,x t, ct y,1,, ct y,t ) ct x,i Enc msk t, x, i Encryption of y, j: ct y,j Keygen msk t, AGG y,j,k ct ct y,1 y,t To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 59
From t-input FE to 2t-Input FE The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen msk t, Gen f,k To encrypt an input x, i sk f ct x,1 ct x,t ct y,1 ct y,t sk fx 1,,x t ct ct y,1 y,t Dec(sk f, ct x,1,, ct x,t, ct y,1,, ct y,t ): 1. sk fx Dec(sk 1,,x t f, ct x,1,, ct x,t ) 2. To j: encrypt ct y,j an Dec(ct input y,j, y, ct x,1 j,, ct x,t ) 3. Ret Dec(f x1,,x t, ct y,1,, ct y,t ) ct x,i Enc msk t, x, i Encryption of y, j: f(x 1,, x t, y 1,, y t ) ct y,j Keygen msk t, AGG y,j,k To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 60
From t-input FE to 2t-Input FE The master secret key is (msk t, K) To Proof generate of security a key overview: for f x 1,, x t, y 1,, y t, sk 1. Make f Keygen AGG and t msk Gen t, Gen indep. of K f,k Using punctured PRFs + function privacy Dec(sk To encrypt f, ct(à x,1 la, an [BS15,KSY15,BKS16]), ct input x,t, ct y,1 x,, i, ct y,t ): ct x,i Enc t msk t, x, i 1. sk fx 2. Attack Dec(sk 1,,x t each x f, ct x,1,, ct x,t ) 1,, x t separately 2. To 3. j: encrypt Embed ct y,j an Dec(ct in every input y,j, ct y, x,1 j,, ct x,t ) y,j ahead of time the 3. Ret Dec(f encryption x1,,xencryption t, of ct y,1, w.r.t, ct msk of y,t ) y, x1 j:,,x t 4. Embed in sk ct fy,j ahead Keygen of time t msk the t key, AGG for y,j,k f x1,,x t To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 61
Questions? The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen t msk t, Gen f,k To encrypt an input x, i ct x,i Enc t msk t, x, i To encrypt an input y, j Encryption of y, j: ct y,j Keygen t msk t, AGG y,j,k To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 62