Unbounded Quadratic Functional Encryption & More from Pairings Eurocrypt 2023
Explore unbounded quadratic functional encryption and security of functional encryption schemes in this informative content from Eurocrypt 2023. Discover motivations, insights, and previous works in the field of functional encryption.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
Unbounded Quadratic Functional Encryption and More from Pairings Eurocrypt 2023 Junichi Tomida NTT Social Informatics Laboratories 1
Functional Encryption (FE) [ONeill10, BSW11] pk,msk Setup(1 ) sk KeyGen(msk,?) sk ct ?(?) Dec(ct,sk) ct Enc pk,? : ? = (?pub,?priv) Unbounded: |?| is not bounded by pk 2
SIM-based Security of FE (Semi-Adaptive) dlskaio 354dsi Enc(pk,?) [Real world] KeyGen(msk,?) dlskaio 354dsi Enc (msk,?pub) [Simulated world] KeyGen (msk,?,?(?)) 3
Motivation of Unbounded FE In most FE schemes, the message length is fixed by pk. fixed message length ?1 ?2 ?3 4
Motivation of Unbounded FE In most FE schemes, the message length is fixed by pk. fixed message length dummy ?1 dummy ?2 ?3 5
Motivation of Unbounded FE In most FE schemes, the message length is fixed by pk. fixed message length ?1 ?2 ?3 6
Motivation of Unbounded FE In most FE schemes, the message length is fixed by pk. fixed message length dummy ?1 dummy ?2 dummy ?3 The ciphertext size is proportional to the message size. 7
Unbounded FE CT for ?1 ?1 CT for ?2 ?2 CT for ?3 ?3 No need to pad dummy data in encryption No bound on the message size Suitable for systems with various sizes of data 8
Previous Works for Unbounded FE Reference Function Class Message Function Output Assumption ? 0,1 [BCP14, IPS15, AS16] Turing Machines Obfuscation ? ??? ?(?) Unbounded Inner Product ???? [TT18, DP19] SXDH ?? ? ? ?? ? ? ? ??,?? ? ? ??is public ?(??)?? [AGW20, DP21] Attribute Weighted Sums MDDH ? ???? ? ? Unbounded Quadratic Functions ??,????? ??,??,? ? This work 1 MDDH+RO ?? ? ? ?,? ? ??,??,? ? ??,? ???? (?, ?? ? ?) ? is public ??,?(?)???? This work 2 Partially-hiding UQF MDDH+RO ?,? ? S and T can be any sets. The outputs of unbounded FE without obfuscation are all linear in private input ??. Quadratic functions in {??} without obfuscation (the ciphertext size is linear in S)? 9
Unbounded Quadratic Functions public private Index 2 3 6 7 9 Salary ?2 ?3 ?6 ?7 ?9 2+ ?3,6?3?6+ ?6,6?6 2 ? = 3,6 , ?(?3,?6) = ?3,3?3 |?|) ?2) Message: ? = (?, ?? ? ? ? Function:? = (?, ??,??,? ? ? ??,????? (? ?) ? ? = Attribute-based FE [ACGU20] ?,? ? (? ?) 10
1. Quadratic Functional Encryption (QFE) QFE by [RPDBG19] secure in the GGM (Instead of QFE by [Lin17]) Setup 1?,1?: pk = ?1, ?2,msk = ?,? ( ? Enc(pk,? ? ? ?? ?1,?2= ? ? ?1,?2 = ? ? ? + ?? ? ? ?)2 ? ? ?? ? ?): ct = ?1= ?,?3= ?1 ? Cannot efficiently compute! QF for ? masking term ?2): sk = [? ? ? ]? KeyGen(msk,? ? ? ?3,sk = the masking term How to make this scheme unbounded? Na ve idea: generating ?1and ?2by hash functions modeled as RO This problem is common in existing schemes 11
2. Hash-Function-Friendly QFE New QFE scheme Setup 1?,1?: pk = ?1, ?2,msk = (?,?) ?): ct = ?1= ? ? ?1,?2 = ? ? ? + ? ? ? S ? ? ?? ? Enc(pk,? ? ? ? ?1,?2= ?,?3= ?1 ? Additional layer QF for ? masking term ?1encrypts ?1 ? ? ? = ? ? ? ? KeyGen(msk,? ? ? ?3,sk = the masking term We can use hash function to generate ?2 Anyone can compute sk Not access controllable T [? ? ? ]? needs msk ?2): sk = [? ? ? ]? [? ? ? ]? ?1 Dec( , ) reveals the masking term iff ? ? Unbounded IPFE [TT18] 12
3. Unbounded QFE Our unbounded QFE Setup 1?:(upk,umsk) uSetup(1?), ?2is generated by a hash function Enc(pk,? ? ? ? ?1,?2 = ? ? ? + ? ? ? ?): ct = ?1,?2,?3 uEnc(upk,?, ?1) ? QF for ? masking term ?2): sk uKeyGen(umsk,?,[? ? ? ]?) ?iff ? ? KeyGen(msk,? ? uDec(?3,sk) reveals ? ? ? ? ? ? is also revealed iff ? ? 13
Conclusion Construction of the first unbounded quadratic FE Extension to partially hiding FE (PHFE for UQF) Semi-adaptively SIM-secure under MDDH and the random oracle model Open problems Unbounded QFE without RO Adaptive security in the standard model (even in standard QFE) 14
