Go to DBLP homepageA new approach to practical function-private inner product encryption
Abstract: Functional encryption (FE) is a novel paradigm supporting restricted decryption keys for a function f that allow one to learn f(xj)<math><mi is="true">f</mi><mo stretchy="false" is="true">(</mo><msub is="true"><mrow is="true"><mi is="true">x</mi></mrow><mrow is="true"><mi is="true">j</mi></mrow></msub><mo stretchy="false" is="true">)</mo></math> from the encryptions of messages xj<math><msub is="true"><mrow is="true"><mi is="true">x</mi></mrow><mrow is="true"><mi is="true">j</mi></mrow></msub></math>. A natural and practical security requirement for FE is to keep not only messages x1,…,xq<math><msub is="true"><mrow is="true"><mi is="true">x</mi></mrow><mrow is="true"><mn is="true">1</mn></mrow></msub><mo is="true">,</mo><mo is="true">…</mo><mo is="true">,</mo><msub is="true"><mrow is="true"><mi is="true">x</mi></mrow><mrow is="true"><mi is="true">q</mi></mrow></msub></math>, but also functions f1,…fq<math><msub is="true"><mrow is="true"><mi is="true">f</mi></mrow><mrow is="true"><mn is="true">1</mn></mrow></msub><mo is="true">,</mo><mo is="true">…</mo><msub is="true"><mrow is="true"><mi is="true">f</mi></mrow><mrow is="true"><mi is="true">q</mi></mrow></msub></math>, excluding inevitable information {fi(xj)}i,j∈[q]<math><msub is="true"><mrow is="true"><mo stretchy="false" is="true">{</mo><msub is="true"><mrow is="true"><mi is="true">f</mi></mrow><mrow is="true"><mi is="true">i</mi></mrow></msub><mo stretchy="false" is="true">(</mo><msub is="true"><mrow is="true"><mi is="true">x</mi></mrow><mrow is="true"><mi is="true">j</mi></mrow></msub><mo stretchy="false" is="true">)</mo><mo stretchy="false" is="true">}</mo></mrow><mrow is="true"><mi is="true">i</mi><mo is="true">,</mo><mi is="true">j</mi><mo is="true">∈</mo><mo stretchy="false" is="true">[</mo><mi is="true">q</mi><mo stretchy="false" is="true">]</mo></mrow></msub></math>, confidential from encryption and decryption keys for any polynomial a priori unknown number q, where fi<math><msub is="true"><mrow is="true"><mi is="true">f</mi></mrow><mrow is="true"><mi is="true">i</mi></mrow></msub></math> and xj<math><msub is="true"><mrow is="true"><mi is="true">x</mi></mrow><mrow is="true"><mi is="true">j</mi></mrow></msub></math> are adaptively chosen by adversaries. This security requirement is called full function privacy. In this paper, we focus on function-private FE for inner product functionality in the private key setting (referred to as inner product encryption (IPE)). To the best of our knowledge, only two approaches have been proposed for fully function-private IPE schemes in the private key setting. One is to employ a general transformation from (non-function-private) FE for general circuits (Brakerski and Segev, 2015 [20]). This approach requires computationally intensive cryptography tools, such as indistinguishability obfuscation (for non-function-private FE for general circuits), meaning it is inefficient. The other approach is more practical. It directly constructs an IPE scheme by using dual-pairing vector spaces (DPVS) (Bishop et al., 2015 [21], Datta et al., 2016 [22], and Tomida et al., 2016 [32]).We present a novel approach for practical function-private IPE schemes that does not employ DPVS, but instead uses generalizations of the Brakerski-Segev transformation. Our generalizations of the Brakerski-Segev transformation are easily combinable with existing (non-function-private) IPE schemes, as well as (non-function-private) FE schemes for general circuits on several levels of security. The proposed IPE scheme achieves better performance compared to the schemes proposed by Bishop et al. and Datta et al. The proposed IPE scheme preserves the same security level as previous schemes under the same complexity assumptions. Compared to the scheme proposed by Tomida et al., our scheme has comparable performance in terms of the size of ciphertext and decryption keys, but superior performance in terms of the size of the master key.
Loading