Decentralized Multi-Client Attribute Based Functional Encryption
Yuechen Chen, Linru Zhang and Siu-Ming Yiu
Department of Computer Science, The University of Hong Kong, Pokfulam, HKSAR, China
Keywords:
Functional Encryption, Attribute Based Encryption, Inner Product, Duel System Encryption, Decentralized.
Abstract:
Functional encryption (FE) allows users to learn only functional values from the encrypted data. However, in
existing FE schemes, all legitimate users get the same decryption results. Functional encryption that allows
users to get different decryption results based on user attributes/policies has many useful practical applica-
tions. For example, a company may only authorize department heads of other sections to query the average
sale figures of the sales department from the encrypted sales database.
In this paper, we combine techniques from Attribute Based Encryption(ABE) and Multi Client Function En-
cryption (MCFE) to propose a primitive that we call “Multi-Client Attribute Based Functional Encryption
scheme (MCABFE)” which allows only authorized users to obtain functional values based on the users’ at-
tributes/policies, and give the first MCABFE scheme for inner product functionality from simple and well-
studied assumptions. Then we extend our new primitive and propose a “Decentralized Multi-Client Attribute
Based Functional Encryption scheme (DMCABFE)” in which no trusted party is required in the setup phase
and the generation of functional decryption keys, and also give an instantiation for inner product functionality.
1 INTRODUCTION
Functional encryption (FE) (O’Neill, 2010; Boneh
et al., 2011; Sahai and Waters, 2005) is a paradigm
for encryption which extends the traditional “all-or-
nothing” requirement of public-key encryption in a
much more flexible way. FE allows users to learn spe-
cific functional values of the encrypted data: for any
function f from a class F, a functional decryption key
dk
f
can be computed such that, given any ciphertext
CT with underlying plaintext x, using dk
f
, a user can
efficiently compute f (x), but does not get any addi-
tional information about x. This is the most general
form of encryption as it encompasses identity-based
encryption, attribute-based encryption, broadcast en-
cryption, and predicate encryption.
In some cases, some users want to integrate their
data together, and allow authorized user to obtain a
functional value of the encrypted integrated data. For
example, in a company, employees may not want to
disclose their salaries (or sale figures) to even some
senior staff, e.g. department heads of other sections.
Each employee can store his/her salary (or sale figure)
in an encrypted form and further require that some de-
partment heads are only authorized to query certain
statistics (e.g. the average/highest salary or sale fig-
ure) of the employees in another team, but not the ex-
act figure of individual employee. To solve this prob-
lem in a practical way, we need an encryption scheme
that allows different users (clients) generate encrypted
data as partial ciphertext, and can produce decryption
keys which only allow authorized users to obtain a
functional value of the integrated ciphertext.
1.1 Related Works
At first glance, functional encryption (Ananth et al.,
2015; Badrinarayanan et al., 2016; Goldwasser et al.,
2013b; Goldwasser et al., 2013a; Gorbunov et al.,
2012; Sahai and Seyalioglu, 2010; Waters, 2015)
and multi-client functional encryption(MCFE) (Gold-
wasser et al., 2014; Brakerski et al., 2018) seem to
be able to solve our problem as it can provide a de-
cryption key that allows a user to obtain only a func-
tional value of the encrypted data. More precisely, the
function can be modeled as a Turing Machine F(·,·).
The user who has a secret key sk
k
can compute the
function F(k,x) on an encryption of x. However, FE
schemes that can solve our problem (i.e., the ones that
can consider the users’ properties in its decryption,
e.g. (Boyle et al., 2014; Garg et al., 2016; Bernstein
et al., 2013; Waters, 2015; Ananth and Sahai, 2016))
are based on new, but not well-studied assumptions
(such as indistinguishable obfuscation or multilinear
maps). Attacks were identified for some construc-
tions on indistinguishable obfuscation and multilin-
118
Chen, Y., Zhang, L. and Yiu, S.
Decentralized Multi-Client Attribute Based Functional Encryption.
DOI: 10.5220/0009824701180129
In Proceedings of the 17th International Joint Conference on e-Business and Telecommunications (ICETE 2020) - SECRYPT, pages 118-129
ISBN: 978-989-758-446-6
Copyright
c
2020 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
ear maps (Apon et al., 2017; Chen et al., 2017; Cheon
et al., 2015; Coron et al., 2016). Hence, it is not clear
whether these FE schemes are secure.
Recently, a line of work called functional encryp-
tion for inner product (IPFE) started by Abdalla et
al. (Abdalla et al., 2015) aims at building functional
encryption constructions based on standard assump-
tions such as the decisional Diffie-Hellman assump-
tion. More precisely, a user could store an encrypted
vector~y on an untrusted remote server. The authority
can generate a series of secret keys {sk
i
} correspond-
ing to different vectors {~x
i
}. These keys can be sent
to the server for decrypting the message to get inner
product h~x
i
,~yi, while ensuring no more leakage of in-
formation than the computation result. Abdalla et al.
(Abdalla et al., 2015) first proposed a framework to
construct IND-secure IPFE scheme with selective se-
curity . Continued by (Agrawal et al., 2016), the se-
curity of IPFE are improved to fully secure, also from
standard assumptions. A generic construction of IPFE
is given in (Abdalla et al., 2016), as well as three in-
stantiations from Decisional Diffie-Hellman assump-
tion (DDH), Decisional Composite Residuosity as-
sumption (DCR) and Learning with errors assumption
(LWE), respectively. (Baltico et al., 2017) realizes
Functional Encryption for quadratic functions, with
linear size of ciphertext. In (Chotard et al., 2018),
multi-client functional encryption for inner product
(MCIPFE) is proposed, in which the single input ~x
to the encryption procedure is broken down into an
input vector (x
1
,..., x
n
) where the components are in-
dependent. An index i for each client and a (typically
time-based) label ` are used for every encryption:
(CT
1
= Encrypt(1,x
1
,`),..., c
n
= Encrypt(n, x
n
,`)).
Anyone having a functional decryption key dk
f
,
for an n-ary function f and multiple ciphertexts for
the same label `, CT
1
= Encrypt(1,x
1
,`),..., CT
n
=
Encrypt(n,x
n
,`), can compute f (x
1
,..., x
n
) but noth-
ing else about the individual x
i
s. They also proposed
a decentralized multi-client functional encryption for
inner product (DMCIPFE), in which the setup phase
and the generation of functional decryption keys are
decentralized among the same clients as the ones that
generate the ciphertexts. However, these FE schemes
reveals the decryption result to all users, thus all users
get the same decryption result, which is not enough
for allowing only authorized users to obtain func-
tional values based on the users’ attributes/policies.
While Attribute-Based Encryption (ABE) offers
fine-grained decryption policy such that users can do
decryption if their attributes/policies satisfy the ac-
cess requirement on ciphertexts, users with different
attributes/policies will get different decryption values
based on their attributes/policies. ABE is first in-
troduced in(Sahai and Waters, 2005). It can be di-
vided into key-policy ABE (KP-ABE) and ciphertext-
policy ABE (CP-ABE). In KP-ABE (Sahai and Wa-
ters, 2005; Goyal et al., 2006; Ostrovsky et al., 2007;
Okamoto and Takashima, 2010), secret key is associ-
ated with access policy P, saying that users with what
attributes can decrypt the data. And ciphertext is as-
sociated with user’s attribute set S. The secret key can
decrypt the ciphertext if the attribute set S satisfies the
policy P. In CP-ABE (Bethencourt et al., 2007; Che-
ung and Newport, 2007; Waters, 2011; Yamada et al.,
2011), ciphertext is associated with policy P, while
secret key is associated with user’s attribute set S. In
(Chase, 2007), the first multi authority attribute based
encryption is proposed, which allows the data sender
to specify for each authority i a set of attributes mon-
itored by that authority and a number d
i
so that the
message can be decrypted only by a user who has at
least d
i
of the given attributes from every authority.
The property of ABE inspires us to use ABE to solve
our problem in FE.
1.2 Our Contributions
In this paper, we mainly have two contributions. First,
we propose a multi-client attribute based IPFE, which
allows only authorized users to obtain functional val-
ues based on the users’ attributes/policies. Then we
give a decentralized multi-client attribute based IPFE,
which removes the requirement of a trusted authority
in the Setup phase.
In order to realize multi-client attribute based
functional encryption for inner product, inspired by
(Chase, 2007), we use a technique which is similar to
KP-ABE to solve our problem. In our scheme, each
user is related with a policy. Each data sender can set
a data set in its partial ciphertext which restricts the
access of the integrated ciphertext. The integrated ci-
phertext is composed of all the partial ciphertexts. On
the other hand, each data sender owns a decryption
key which corresponds to the user’s own policy, and
can decrypt the functional value from the integrated
ciphertext, if its policy matches the union of all the
required attribute sets.
In the decentralized multi-client attribute based
functional encryption for inner product, we remove
the trusted authority in multi-client attribute based
IPFE, and the clients work together to generate ap-
propriate functional decryption keys. The setup phase
and the generation of functional decryption keys are
decentralized among the same clients as the ones that
generate the ciphertexts.
Decentralized Multi-Client Attribute Based Functional Encryption
119
2 BACKGROUND
2.1 Bilinear Maps
We review some facts related to groups with effi-
ciently computable bilinear maps in (Waters, 2011)
and then present the assumptions used in the paper.
Let G and G
T
be two multiplicative cyclic groups of
prime order p. Let g be a generator of G and e be a
bilinear map, e : G ×G G
T
. The bilinear map e has
the following properties:
1. Bilinearity: for all u,v G and a,b Z
p
, we
have e(u
a
,v
b
) = e(u,v)
ab
.
2. Non-degeneracy: e(g,g) 6= 1.
We say that G is a bilinear group if the group op-
eration in G and the bilinear map e : G ×G G
T
are
both efficiently computable. Notice that the map e is
symmetric since e(g
a
,g
b
) = e(g,g)
ab
= e(g
b
,g
a
).
2.2 Computational Assumptions
Definition 2.1. Decisional Diffie-Hellman Assump-
tion(DDH)
The Decisional Diffie-Hellman Assumption states
that, in a prime-order group G := (G, p,P)
$
GGen(1
λ
), no PPT adversary can distinguish be-
tween the two distributions {(g
a
, g
r
, g
ar
) | a,r
$
Z
p
} and {(g
a
, g
r
, g
s
) | a, r,s
$
Z
p
} with non-negligible
advantage.
Definition 2.2. Symmetric eXternal Diffie-Hellman
Assumption(SXDH).
The Symmetric eXternal Diffie-Hellman (SXDH)
Assumption states that, in a pairing group P G :=
(G
1
,G
2
, p,P
1
,P
2
,e)
$
PGGen(1
λ
) the DDH assump-
tion holds in both G
1
and G
2
.
2.3 Linear Secret Sharing Schemes
We review the definition of linear secret sharing
scheme (LSSS) in (Waters, 2011) as follows.
Definition 2.3. Linear Secret-Sharing Schemes
(LSSS) A secret-sharing scheme over a set of parties
P is called linear (over Z
p
) if
1. The shares for each party form a vector over Z
p
.
2. There exists a matrix M with ` rows and n columns
called the share-generating matrix for Π. For all
i = 1,.. . ,`, the i’th row of M, we let the function
ρ defining the party labelling row i as ρ(i). When
we consider the column vector v = (s, r
2
,..., r
n
),
where s Z
p
is the secret to be shared, and
r
2
,..., r
n
Z
p
are randomly chosen, then Mv is
the vector of ` shares of the secret s according to
Π. The share (Mv)
i
belongs to party ρ(i).
2.4 Key-Policy Attribute Based
Encryption
Here We review the definition of KP-ABE defined by
Goyal in his paper (Goyal et al., 2006). We let U to
represent the attribute universe description, S to rep-
resent the attributes set, and A to represent the access
structure. Here in KP-ABE, A is the input of key gen-
eration algorithm while S is used in the encryption
algorithm. We let function f (S, A) gives out 1 if and
only if A satisfies S.
Definition 2.4. A KP-ABE scheme is consisting of a
series of algorithms, namely Setup, Encrypt, KeyGen
and Decr ypt, defined as below.
(PK,MSK) Setup(λ,U). The input of setup al-
gorithm includes two parts, the description of the at-
tribute universe denoted by U and the security param-
eter denoted by λ . The output of this algorithm is the
public parameters PK and the master secret key MSK.
CT Encrypt(PK, m, S). In this algorithm, one
will take an attribute set S as part of the input. The
input also includes the public parameters, denoted by
PK, and a message, denoted by m, to be encrypted. It
gives out the ciphertext CT .
SK KeyGen(MSK, A). In the KeyGen algo-
rithm, the input includes two parts, the master key
MSK and an access structure A. It computes and
gives out the secret key SK corresponding to the ac-
cess structure A.
m/ ⊥← Decrypt(SK,CT ). The decrypt algorithm
is the final step of this scheme. It will receive a secret
key SK for A and a ciphertext CT which was origi-
nally encrypted under S as the input. This algorithm
will do the decryption and gives out the message m if
and only if f (S, A) = 1. Otherwise, it will output an
error symbol .
3 DEFINITIONS
3.1 Multi-Client Attribute Based
Functional Encryption
Definition 3.1. Multi Client Attribute Based
Functional Encryption: A MCABFE on M over a set
of n senders is defined by four algorithms:
SetUp(1
λ
): Takes as input the security parameter
λ, and outputs the public parameters mpk, the master
secret key msk and the n encryption keys ek
i
;
SECRYPT 2020 - 17th International Conference on Security and Cryptography
120
Encrypt(ek
i
, x
i
, `,S
i
): Takes as input a user encryp-
tion key ek
i
, a value x
i
to encrypt, a label `, and an
attribute set S
i
, and outputs the ciphertext CT
`,i
;
DKeyGen(msk, f , P
i
): Takes as input the master
secret key msk, a function f : M
n
R and an access
structure P
i
, and outputs a functional decryption key
dk
f
, which corresponds to the access structure P
i
;
Decrypt(dk
f
, `, CT
`,i
): Takes as input a functional
decryption key dk
f
, a label `, and an n-vector cipher-
text CT
`,i
, and outputs f (x), if CT
`,i
is a valid encryp-
tion of x = (x
i
)
i
M
n
for the label ` and the attribute
set S
i
satisfies the access structure P
i
, or otherwise.
We make the assumption that mpk is included
in msk and in all the encryption keys ek
i
as well
as the functional decryption keys dk
f
. The cor-
rectness property states that, given (mpk, msk,(ek
i
)
i
)
SetUp(λ), for any label `, any function f : M
n
R , and any vector x = (x
i
)
i
M
n
, if CT
`,i
Encrypt (ek
i
,x
i
,`,S), for i {1, . . ., n}, and dk
f
DKeyGen(msk, f ,P), then Decrypt (dk
f
,`,CT
`
=
(CT
`,i
)
i
) = f (x = (x
i
)
i
).
Definition 3.2. IND-Security Game for MCABFE.
Let us consider an MCABFE scheme over a set of
n senders. No adversary A should be able to win the
following security game against a challenger C with
non-negligible probability:
Initialization: the challenger C runs the setup algo-
rithm (mpk, msk, (ek
i
)
i
) SetUp(λ) and chooses a
random bit b {0,1}. It provides mpk to the adver-
sary A;
Encryption queries QEncrypt (i, x
0
,x
1
,`,S
i
): A has
unlimited and adaptive access to a Left-or-Right en-
cryption oracle, and receives a set of ciphertexts C
`,i,S
i
generated by Encrypt (ek
i
,x
b
,`,S
i
). Noted that for the
same pair (`,i), further queries will later be ignored;
Functional decryption key queries
QDKeyGen( f ,P
i
): A has unlimited and adap-
tive access to the DKeyGen(msk, f ,P
i
) algorithm for
any input function f and any access structure P
i
of
its choice . It is given back the functional decryption
key dk
f
;
Corruption queries QCorrupt(i): A can make an
unlimited number of adaptive corruption queries on
input index i, to get the encryption key ek
i
of any
sender i of its choice;
Finalize: A provides its guess b
0
on the bit b, and
this procedure outputs the result β of the security
game, according to the analysis given below.
The output β of the game depends on some con-
ditions, where CS is the set of corrupted senders (the
set of indexes i input to QCorrupt during the whole
game), and H S the set of honest (non-corrupted)
senders. We set the output to β b
0
, unless one of
the three cases below is true, in which case we set
β
$
{0,1} :
1. some QEncrypt (i,x
0
i
,x
1
i
,`,S
i
) query has been
asked for an index i C S with x
0
i
6= x
0
i
;
2. for some label `, an encryption-query QEncrypt
(i,x
0
i
,x
1
i
,`,S
i
) has been asked for some i H S,
but encryption-queries QEncrypt ( j,x
0
j
,x
1
j
,`,S
j
)
have not all been asked for all j H S;
3. for some label ` and for some function f asked
to QDKeyGen, there exists a pair of vectors x
0
=
(x
0
i
)
i
,x
1
= (x
1
i
)
i
such that f (x
0
) 6= f (x
1
), when
x
0
i
= x
1
i
, for all i CS;
QEncrypt (i,x
0
i
,x
1
i
,`,S
i
)-queries have been asked
for all i H S.
We say this MCABFE is IND-secure if for any
adversary A, Adv
IND
(A) = |P[β = 1|b = 1] P[β =
1|b = 0]| is negligible.
3.2 Decentralized Multi-Client
Attribute Based Functional
Encryption
In MCABFE, an authority owns a master secret key
msk to generate the functional decryption keys. We
would like to avoid such a powerful authority, and
make the scheme totally decentralized among the
owners of the data (the senders). We thus define
DMCABFE, for Decentralized Multi-Client Attribute
Based Functional Encryption. In this context, there
are n senders (S
i
)
i
, for i = 1,..., n, who will play
the role of both the encrypting players and the func-
tional decryption key generators, for a functional de-
cryptor F D. Of course, the senders do not trust each
other and they want to control the functional decryp-
tion keys that will be generated. There may be sev-
eral functional decryptors, but since they could col-
lude and combine all the functional decryption keys,
in the description below, and in the security model,
we will consider only one functional decryptor F D.
As already noticed, we could simply use the definition
of MCFE (Goldwasser et al., 2014), where the setup
and the functional decryption key algorithms are re-
placed by MPC protocols among the clients. But this
could lead to a quite interactive process. We thus fo-
cus on efficient one-round key generation protocols
DKeyGen that can be split in a first step DKeyGen-
Share that generates partial keys and the combining
algorithm DKeyComb that combines partial keys into
the functional decryption key
Definition 3.3. Decentralized Multi-Client Attribute
Based Functional Encryption: A decentralized multi-
client Attribute Based functional encryption on M
Decentralized Multi-Client Attribute Based Functional Encryption
121
over a set of n senders (S
i
)
i
, for i = 1,.. . , n, and a
functional decrypter F D is defined by an setup phase
and four algorithms:
SetUp(λ): This is a protocol between the senders
(S
i
)
i
that eventually generate their own secret keys sk
i
and encryption keys ek
i
, as well as the public param-
eters mpk;
Encrypt(ek
i
, x
i
, `,S
i
): Takes as input a user encryp-
tion key ek
i
, a value x
i
to encrypt, a label `, and an
attribute set S
i
, and outputs the ciphertext CT
`,i
;
DKeyGenShare(sk
i
, `
f
, P
i
): Takes as input a user’s
secret key sk
i
, a label `
f
and an access structure P
i
,
and outputs a functional decryption key dk
f ,i
for a
function f : M
n
R that is described in `
f
, which
corresponds to the access structure P
i
. It also gen-
erates some parameters corresponding to the access
structure for later decryption;
DKeyGenComb(dk
f ,i
, `
f
):Takes as input the par-
tial functional decryption keys and eventually outputs
the functional decryption key dk
f
;
Decrypt(dk
f
, `, CT
`,i
): Takes as input a functional
decryption key dk
f
, a label `, and an n-vector cipher-
text CT
`,i
, and outputs f (x), if CT
`,i
is a valid encryp-
tion of x = (x
i
)
i
M
n
for the label ` and the attribute
set S
i
satisfies the access structure P
i
, or otherwise.
We make the assumption that mpk is included in
msk and in all the encryption keys ek
i
as well
as the (partial) functional decryption keys. Simi-
larly, the function f might be included in the (par-
tial) functional decryption keys. The correctness
property states that, given (mpk, (sk
i
)
i
,(ek
i
)
i
)
SetUp(λ), for any label `, any function f : M
n
R , and any vector x = (x
i
)
i
M
n
, if CT
`,i
Encrypt (ek
i
,x
i
,`,S), for i {1, . . ., n}, and dk
f
DKeyGenComb((DKeyGenShare(sk
i
, `
f
, P
i
))
i
, `
f
),
then Decrypt (dk
f
,`,CT
`
= (CT
`,i
)
i
) = f (x = (x
i
)
i
).
Definition 3.4. IND- Security Game for DMCABFE.
Let us consider an DMCABFE scheme over a set of
n senders. No adversary A should be able to win the
following security game against a challenger C:
Initialization: the challenger C runs the setup algo-
rithm (mpk, msk, (ek
i
)
i
) SetUp(λ) and chooses a
random bit b {0,1}. It provides mpk to the adver-
sary A;
Encryption queries QEncrypt (i, x
0
,x
1
,`,S
i
): A has
unlimited and adaptive access to a Left-or-Right en-
cryption oracle, and receives a set of ciphertexts C
`,i,S
i
generated by Encrypt (ek
i
,x
b
,`,S
i
). Noted that for the
same pair (`,i), further queries will later be ignored;
Functional decryption key queries
QDKeyGen( f ,P
i
): A has unlimited and adaptive
access to the DKeyGenShare(msk, f ,P
i
) algorithm
for any input function f and any access structure P
i
of
its choice . It is given back the functional decryption
key dk
f
;
Corruption queries QCorrupt(i): A can make an
unlimited number of adaptive corruption queries on
input index i, to get the encryption key ek
i
of any
sender i of its choice;
Finalize: A provides its guess b
0
on the bit b, and
this procedure outputs the result β of the security
game, according to the analysis given below.
The output β of the game depends on some con-
ditions, where CS is the set of corrupted senders (the
set of indexes i input to QCorrupt during the whole
game), and H S the set of honest (non-corrupted)
senders. We set the output to β b
0
, unless one of
the three cases below is true, in which case we set
β
$
{0,1} :
1. Some QEncrypt (i,x
0
i
,x
1
i
,`,S
i
)- query has been
asked for an index i C S with x
0
i
6= x
0
i
;
2. For some label `, an encryption-query QEncrypt
(i,x
0
i
,x
1
i
,`,S
i
) has been asked for some i H S,
but encryption-queries QEncrypt ( j,x
0
j
,x
1
j
,`,S
j
)
have not all been asked for all j H S;
3. For some label ` and for some function f asked
to QDKeyGen, there exists a pair of vectors x
0
=
(x
0
i
)
i
,x
1
= (x
1
i
)
i
such that f (x
0
) 6= f (x
1
), when
x
0
i
= x
1
i
, for all i CS;
QEncrypt (i,x
0
i
,x
1
i
,`,S
i
)-queries have been asked
for all i H S.
We say this DMCABFE is IND-secure if for any ad-
versary A, Adv
IND
(A) = |P[β = 1|b = 1] P[β =
1|b = 0]| is negligible.
4 MULTI-CLIENT
ATTRIBUTE-BASED
FUNCTIONAL ENCRYPTION
FOR INNER PRODUCT
In this section, we mainly propose a scheme of
MCABFE for Inner Product. In our scheme, each user
is related with a policy. In the Encrypt Phase, each
data sender S
i
sets a data set S
i
in the partial ciphertext
CT
i
, and the integrated ciphertext CT is composed of
all the partial ciphertexts. Each data sender S
i
owns
a decryption key dk
y
which corresponds to the user’s
policy P
i
, and can decrypt the functional value from
the integrated ciphertext CT if P
i
matches the union
of all S
i
.
SECRYPT 2020 - 17th International Conference on Security and Cryptography
122
4.1 Construction
We use a prime-order group, the pairing group as de-
fined in Section 2.
SetUp(1
λ
): Takes as input the security parameter,
and generates pairing group G := (G, p, P,e)
$
PGGen(1
λ
), and H a full-domain hash function
onto G
2
. It also generates the encryption keys
s
i
$
Z
2
p
, for i = 1,..., n. The public parameters
mpk consist of (G, H ), while the encryption keys
are ek
i
= s
i
for i = 1,.. . , n, and the master secret
key is msk = ((ek
i
)
i
), (in addition to mpk, which
is omitted);
Encrypt(ek
i
, x
i
, `, S
i
): Takes as input the value x
i
to encrypt, under the key ek
i
= s
i
and the label `,
and an attribute set S
i
. For each attribute j S
i
,
it computes [u
`, j
] := H (`, j) G
2
, chooses ran-
dom numbers t
j
Z
p
, j and outputs the cipher-
text CT
`,i,S
i
= ( [c
i, j
] = [u
>
`, j
s
i
t
j
][x
i
], where [u
>
`, j
s
i
t
j
]
and [x
i
] G, and [u
`, j
]
t
j
:= H (`, j)
t
j
G
2
) j;
DKeyGen(msk, y, P
i
= (M,ρ)): Takes as input
msk = (s
i
)
i[n]
and an inner-product function de-
fined by y as f
y
(x) = hx,yi, and an access struc-
ture P
i
= (M,ρ), where M is an l × n matrix, and
function ρ associates rows of M to attributes. It
chooses random numbers r
j
and generates a ran-
dom vector ~r = (r
1, j
,r
2, j
,..., r
n, j
). For j = 1 to
l, it computes λ
j
= ~r · M
j
. It chooses random
numbers q
j
Z
p
, and generates the functional de-
cryption key dk
y
= ([~y],[q
j
i
s
i
y
i
r
j
],[λ
j
q
j
])
Z
2
p
× Z
2
p
,i, j, which corresponds to an access
structure P
i
. Then it sends this decryption to the
user associated to P
i
;
Decrypt(dk
y
, `, (CT
`,i,S
i
)
i[n]
): Takes as input a
user’s functional decryption key dk
y
, and a label
`, and ciphertexts (CT
`,i,S
i
)
i[n]
. Let attribute set
S
0
be the union set of all the attribute sets S
i
over
the ciphertexts. Suppose the access structure P
i
satisfies S
0
, and let J {1,2, ..., } be defined as
J = { j : ρ( j) S
0
}. Then, let ω
j
Z
p
j I be a
set of constants such that if λ
j
are valid shares of
any secrets according to M, then ω
j
λ
j
= r
j
.
It computes [u
`, j
] := H (`, j), and computes:
[α]
T
=
i
e([c
i, j
],[y
i
])
jJ
(e([q
j
·
i
s
i
y
i
r
j
[,[u
`, j
]
t
j
)·e([λ
j
·q
j
],g))
ω
j
=
e(g,[u
`, j
])
i
s
i
y
i
t
j
·e(g,g)
i
x
i
·y
i
e(g,[u
`, j
])
i
s
i
y
i
t
j
= [hx,yi]
T
.
Finally, it eventually solves the discrete logarithm
to extract and return α = hx, yi.
Note that, as for (Agrawal et al., 2016), the result α
must be polynomially bounded to efficiently compute
the discrete logarithm in the last decryption step.
4.2 Security Proof
Theorem 4.1. The above MCABFE scheme is IND-
secure under the DDH assumption, in the random or-
acle model. More precisely, we have Adv
IND
(A)
2Q· Adv
ddh
G
(t) + Adv
ddh
G
(t + 4Q × t
G
) +
2Q
p
, for any
adversary A, running within time t, where Q is the
number of (direct and indirect —asked by QEncrypt-
queries —) queries to H (modeled as a random ora-
cle), and t
G
is the time for an exponentiation in G.
We emphasize that 4.1 supports both adaptive en-
cryption queries and adaptive corruptions.
To obtain adaptive security, we use a technique
that consists of first proving perfect security in the
selective variant of the involved games, then, using
a guessing (a.k.a. complexity leveraging) argument,
which incurs an exponential security loss, we obtain
the same security guarantees in the adaptive games.
Since the security in the selective game is perfect (the
advantage of any adversary is exactly zero), the expo-
nential security loss is multiplied by a zero term, and
the overall adaptive security is preserved.
Proof. We proceed using hybrid games, described
in Table 1. Let RF,RF
0
,RF
00
denote random func-
tions onto G
2
,Z
p
, and Z
p
, respectively. Let A be a
PPT adversary. For any game G
index
, we denote by
Adv
index
:= |Pr[G
index
(A)|b = 1] Pr[G
index
(A)|b =
0]|, where the probability is taken over the random
coins of G
index
and A. Also, by event G
index(A)
, or
just G
index
when there is no ambiguity, we mean that
the Finalize procedure in game G
index
returns β = 1
from As answer b
0
when interacting with A.
Game G
0
: This is the IND-security game as given
in Definition 3.2. Note that the hash function H is
modeled as a random oracle RO onto G
2
. This is
essentially used to generate [u
`, j
] = H (`, j).
Game G
1
: We simulate the answers to any new
RO-query by a truly random pair in G
2
, on the fly.
The simulation remains perfect, and so Adv
0
= Adv
1
.
Game G
2
: We simulate the answers to any new
RO-query by a truly random pair in the span of [a]
for
1
a
, with a
$
Z
p
. This uses the Multi-DDH as-
sumption, which tightly reduces to the DDH assump-
tion using the random-self reducibility: Adv
1
- Adv
2
Adv
ddh
G
(t+4Q×t
G
), where Q is the number of RO-
queries and t
G
) the time for an exponentiation.
Game G
3
: We simulate any QEncrypt query as
the encryption of x
0
i
instead of x
b
i
and go back for the
answers to any new RO query by a random pair in G
2
.
While it is clear that in this last game the ad-
vantage of any adversary is exactly 0 since b does
not appear anywhere, the gap between G
2
and G
3
will be proven using a hybrid technique on the RO-
queries. We thus index the following games by q,
Decentralized Multi-Client Attribute Based Functional Encryption
123
where q = 1,... , Q. Note that only distinct RO-
queries are counted, since a second similar query is
answered as the first one. We detail this proof because
the technique is important.
G
3.1.1
: This is exactly game G
2
. Thus, Adv
2
=
Adv
3.1.1
.
G
3.q.1
G
3.q.2
: We first change the distribution
of the output of the q-th RO-query, from uniformly
random in the span of [a] to uniformly random over
G
2
, using the DDH assumption. Then, we use the
basis (
1
a
,
a
1
) of Z
2
p
, to write a uniformly random
vector over Z
2
p
as u
1
· a + u
2
· a
>
, where u
1
,u
2
$
Z
p
.
Finally, we switch to u
1
· a + u
2
· a
>
where u
1
$
Z
p
,
and u
2
$
Z
p
, which only changes the adversary view
by a statistical distance of 1/p : Adv
3.q.1
-Adv
3.q.2
Adv
ddh
G
(t) + 1/p. The last step with u
2
Z
p
will be
important to guarantee that u
`, j
a
>
6= 0
G
3.q.2
G
3.q.3
: We now change the generation
of the ciphertext [c
i, j
] := [u
>
`, j
s
i
t
j
][x
b
i
] by [c
i, j
] :=
[u
>
`, j
s
i
t
j
][x
0
i
], where [u
`, j
] corresponds to the q-th RO-
query. We then prove this does not change the adver-
sary’s view.
Note that if the output of the q-th RO-query is not
used by QEncrypt-queries, then the games G
3.q.2
and
G
3.q.3
are identical. But we can show this is true too
when there are RO-queries that are really involved in
QEncrypt-queries, and show that Adv
3.q.2
= Adv
3.q.3
in that case too, in two steps. In Step 1, we show that
there exists a PPT adversary B
such that Adv
3.q.t
=
(p
2
+ 1)
n
· Adv
3.q.t
(B
), for t = 2, 3, where the games
G
3.q.2
and G
3.q.3
are selective variants of games G
3.q.2
and G
3.q.3
respectively (see in Table 2), where QCor-
rupt queries are asked before the initialization phase.
In Step 2, we show that for all PPT adversaries B
, we
have Adv
3.q.2
(B
) = Adv
3.q.3
(B
). This will conclude
the two steps.
Step 1. We build a PPT adversary B
play-
ing against G
3.q.t
for t = 2, 3, such that Adv
3.q.t
=
(p
2
+ 1)
n
· Adv
3.q.t
(B
).
Adversary B
first guesses for all i [n],z
i
$
Z
2
p
{⊥}, which it sends to its selective game G
3.q.t
.
That is, each guess z
i
is either a pair of values (x
0
i
,x
1
i
)
queried to QEncrypt, or , which means no query to
QEncrypt. Then, it simulates As view using its own
oracles. When B
guesses successfully (call E that
event), it simulates As view exactly as in G
3.q.t
. If
the guess was not successful, then B
stops the simu-
lation and outputs a random bit β. Since event E hap-
pens with probability (p
2
+ 1)
n
and is independent
of the view of adversary A: Adv
3.q.3
(B
) is equal to
|Pr|G
3.q.t
|b = 0,E] · Pr[E] +
Pr[¬E]
2
Pr[G
3.q.t
|b =
1,E] · Pr[E]
Pr[¬E]
2
|
= Pr[E] · |Pr[G
3.q.t
|b = 0,E] Pr[G
3.q.t
|b = 1,E]|
= (p
2
+ 1)
n
· Adv
3.q.t
Step 2. We assume the values (z
i
)
i[n]
sent by B
are
consistent, that is, they don’t make the game end and
return a random bit, and Finalize on b
0
does not return
a random bit independent of b
0
(call E
0
this event).
We show that games G
3.q.2
and G
3.q.3
are iden-
tically distributed, conditioned on E
0
. To prove it,
we use the fact that the two following distributions
are identical, for any choice of γ, (s
i
)
i[n],z
i
=(x
0
i
,x
1
i
)
and
s
i
+ a
· γ(x
b
i
x
0
i
)
i[n],z
i
=(x
0
i
,x
1
i
)
where a
:=
a
1
Z
2
p
and s
i
$
Z
2
p
, for all i = 1, . . ., n. This
is true since the s
i
are independent of the z
i
(note
that this is true because we are in a selective setting,
while this would not necessarily be true with adap-
tive QEncrypt-queries). Thus, we can re-write s
i
into
s
i
+ a
· γ(x
b
i
x
0
i
) without changing the distribution
of the game.
We now take a look at where the extra terms a
·
γ(x
b
i
x
0
i
) actually appear in the adversary’s view:
They do not appear in the output of QCorrupt,
because we assume event E
0
holds, which implies that
if z
i
6=, then i is not queried to QCorrupt or x
1
i
= x
0
i
.
They might appear in QDKeyGen(~y) as dk
y
=
[q
j
(
i[n]
s
i
y
i
r
j
+ a
· γ
i:z
i
=(x
0
i
,x
1
i
)
y
i
(x
b
i
x
0
i
)r
j
].
But the item a
· γ
i:z
i
=(x
0
i
,x
1
i
)
y
i
(x
b
i
x
0
i
)r
j
equals
0 by the constraints for E
0
in Definition 3.2: for all
i H S, z
i
6= ; if i C S and z
i
6= , x
1
i
= x
0
i
and
f (x
0
) = f (x
1
), hence
i:z
i
=(x
0
i
,x
1
i
)
y
i
(x
b
i
x
0
i
) = 0.
Eventually, they appear in the output of the
QEncrypt-queries which use [u
`, j
] computed on the
q-th RO-query, since for all others, the vector [u
`, j
]
lies in the span of [a], and a
>
a
= 0. We thus
have [c
i, j
] := [u
>
`, j
s
i
t
j
+ (x
b
i
x
0
i
)γu
>
`, j
a
t
j
][x
b
i
] . Since
u
>
`, j
a
6= 0, we can choose γ = 1/u
>
`, j
a
mod p, and
then [c
i, j
] = [u
>
`
] · s
i
+ [x
0
i
], which is the encryption of
x
0
i
. We stress that γ is independent of the index i, and
so this simultaneously converts all the encryptions of
x
b
i
into encryptions of x
0
i
. Finally, reverting these sta-
tistically perfect changes, we obtain that [c
i, j
] is iden-
tically distributed to [u
>
`
]·s
i
+[x
0
i
], as in game G
3.q.3
.
Thus, when event E
0
happens, the games are iden-
tically distributed. When ¬E happens, the games both
return β
$
{0,1} : Adv
3.q.2
(B
) = Adv
3.q.3
(B
). As
a conclusion, we get Adv
3.q.2
= Adv
3.q.3
.
G
3.q.3
G
3.q+1.1
: This transition is the reverse of
G
3.q.1
G
3.q.2
, namely, we use the DDH assumption
to switch back the distribution of [u
`, j
] computed on
the q-th RO-query from uniformly random over G
2
SECRYPT 2020 - 17th International Conference on Security and Cryptography
124
Table 1: Games for the proof of Theorem 5.1.
.
Game G
0
,G
1
, G
2
,(G
3.q.1
)
q[Q+1]
,(G
3.q.2
,G
3.q.3
)
q[Q]
:
G GGen(1
λ
), for all i [n],s
i
$
Z
2
p
, ek
i
:= s
i
, msk := (s
i
)
i
, mpk := (G, p,g,e).
a
$
Z
p
,a :=
1
a
,a
:=
a
1
Sample a full-domain hash function H onto G
2
, and a bit b
$
{0,1}.
b
0
A
QEncrypt(·,·,·,·,·),QDKeyGen(·,·),QCorrupt(·,·),RO(·)
(mpk). Run Finalize on b
0
.
RO (`, j): // G
0
, G
1
, G
2
, G
3.q.1
, G
3.q.2
, G
3.q.3
[u
`, j
] := H (`, j), [u
`, j
] := RF (`, j) , [u
`, j
] := [~a · r
`, j
], with r
`, j
:= RF
0
(`, j)
On the q’th (fresh) query: [u
`, j
] := RF
0
(`, j) ·~a+RF”(`, j) ·~a
. Return [u
`, j
].
QEncrypt (i,x
0
i
,x
1
i
,`,S
i
) : // G
0
,G
1
,G
2
, G
3.q.1
,G
3.q.2
, G
3.q.3
For each attribute j S
i
, [u
`, j
] := RO (`, j), [c
i, j
] := [u
>
`, j
s
i
t
j
][x
b
i
]
If [u
`, j
] is computed on the n
0
-th RO-query, for n
0
< q : [c
i, j
] := [u
>
`, j
s
i
t
j
][x
0
i
]
If [u
`, j
] is computed on the q-th RO-query, [c
i, j
] := [u
>
`, j
s
i
t
j
][x
0
i
] . Return [c
i, j
]
QDKeyGen(y,P
i
= (M,ρ)): // G
0
,G
1
,G
2
,G
3.q.1
,G
3.q.2
,G
3.q.3
Return [~y],[q
j
i
s
i
y
i
r
j
],[λ
j
q
i
].
QCorrupt (i): Return s
i
// G
0
,G
1
,G
2
,G
3.q.1
,G
3.q.2
,G
3.q.3
(conditioned on the fact that u
>
`, j
a
6= 0) to uniformly
random in the span of [a] : Adv
3.q.3
Adv
3.q+1.1
Adv
ddh
G
+ 1/p.
As a conclusion, since G
3.q+1.1
= G
3
, we have
Adv
2
- Adv
3
2Q( Adv
ddh
G
+ 1/p). In addition, Adv
3
= 0, which concludes the proof.
5 DECENTRALIZED
MULTI-CLIENT ATTRIBUTE
BASED FUNCTIONAL
ENCRYPTION FOR INNER
PRODUCT
In MCABFE for Inner Product, a trusted authority is
required and runs the Setup phase. While the au-
thority can generate and hold the master key, it can
easily undermine any user’s privacy if the authority is
malicious or corrupted. Thus we try to build a DM-
CABFE for Inner Product, in which the trusted third-
party is not required, and the generation of functional
decryption keys remains an efficient process under
the control of the clients themselves. We use a non-
interactive generation to generate the functional de-
cryption keys.
5.1 Construction
We use a prime-order group, the pairing group as de-
fined in Section 2.
SetUp(1
λ
, U): Takes as input the security pa-
rameter and the attribute universe U, and gener-
ates pairing group P G := (G
1
,G
2
, p,P
1
,P
2
,e)
$
PGGen(1
λ
), and samples two full-domain hash
functions H
1
and H
2
onto G
2
1
and G
2
2
, respec-
tively. Each sender S
i
generates s
i
$
Z
2
p
, for
i = 1,... , n. Then, the user interactively generates
T
i
$
Z
2×2
p
such that
i[n]
T
i
= 0, and a random
numbers r. The public parameters mpk is set as
(P G, H
1
,H
2
), and for i = 1, .. . ,n, the encryption
keys ek
i
= s
i
, and sk
i
= (s
i
,T
i
,r);
Encrypt(ek
i
, x
i
, `,S
i
): Takes as input the value x
i
to encrypt, under the key ek
i
= s
i
and the label
`, and an attribute set S
i
. For each attribute j
S
i
, it computes [u
`, j
]
1
:= H
1
(`, j) G
2
, chooses
random numbers t
j
Z
p
, j and outputs the ci-
phertext CT
`,i
= ( [c
i, j
]
1
= [u
>
`, j
s
i
t
j
]
1
[x
i
]
1
, where
[u
>
`, j
s
i
t
j
]
1
and [x
i
]
1
G
1
,and [u
`, j
]
t
j
1
:= H
1
(`, j)
t
j
G
2
) j;
DKeyGenShare ( sk
i
, y, P
i
= (M,ρ)): Takes as in-
put sk
i
and an inner-product function defined by
y as f
y
(x) = hx, yi, and an access structure P
i
=
Decentralized Multi-Client Attribute Based Functional Encryption
125
Table 2: Games G
3.q.2
and G
3.q.3
, with q [Q], for the proof of Theorem 5.1.
Game (G
3.q.2
,G
3.q.3
)
q[Q]
:
(state, (z
i
Z
2
p
{⊥}
i[n]
)) A(1
λ
,1
n
)
G GGen(1
λ
), for all i [n],s
i
$
Z
2
p
, ek
i
:= s
i
, msk := (s
i
)
i
, mpk := (G, p,g).
a
$
Z
p
,a :=
1
a
,a
:=
a
1
b
$
{0,1},
b
0
A
QEncrypt(·,·,·,·,·),QDKeyGen(·,·),QCorrupt(·,·),RO(·)
(mpk,state). Run Finalize on b
0
RO(`,j): // G
3.q.2
, G
3.q.3
[u
`, j
] := [a · r
`, j
], with r
`, j
:= RF
0
(`,j)
On the q’th (fresh) query: [u
`, j
] := [RF
0
(`,j) ·˜a + RF
00
(`,j) ·˜a
]. Return [u
`, j
].
QEncrypt (i,x
0
i
,x
1
i
,`,S
i
) : // G
3.q.2
, G
3.q.3
[u
`, j
] := RO(`,j), [c
i, j
] := [u
>
`, j
s
i
t
j
][x
b
i
]
If [u
`, j
] is computed on the n
0
RO-query, for n
0
< q : [c
i, j
] := [u
>
`, j
s
i
t
j
][x
0
i
]
If [u
`, j
] is computed on the q-th RO-query, then,
· if (x
0
i
,x
1
i
) 6= z
i
, the game ends and returns β
$
{0,1}.
otherwise, [c
i, j
] := [c
i, j
] := [u
>
`, j
s
i
t
j
] ·[x
b
i
] ·[x
0
i
] , S := S {i}. Return [c
i, j
]
QDKeyGen(y): // G
3.q.2
, G
3.q.3
Return [~y],[q
j
i
s
i
y
i
r
j
],[λ
j
q
i
].
QCorrupt (i): // G
3.q.2
, G
3.q.3
If z
i
= (x
0
i
,x
1
i
) with x
0
i
6= x
1
i
the game ends and returns β
$
{0,1}, Return s
i
.
(M,ρ), where M is an l ×n matrix, and function ρ
associates rows of M to attributes. It chooses ran-
dom number r
2
,..., r
n
to generate an random vec-
tor ~v
r
= (r, r
2
,..., r
n
). For j = 1 to l, it computes
λ
j
=~r ·M
j
. Then it computes [v
y
]
2
:= H
2
(y) G
2
2
,
[d
i, j
]
2
= [s
i
y
i
r + T
i
v
y
]
2
, and returns the partial de-
cryption key [d
i, j
]
2
.
DKeyGenComb([d
i, j
]
2
): For each attribute
j S
i
, it computes: [d
j
]
2
=
i[n]
[d
i, j
]
2
=
i[n]
[s
i
y
i
r + T
i
v
y
]
2
=
i[n]
[s
i
y
i
r]
2
+ [v
y
]
2
i[n]
T
i
=
i[n]
[s
i
y
i
r]
2
.
Then outputs the functional decryption key dk
y
=
([~y]
2
,[d
j
]
2
= [
i
s
i
y
i
r
j
]) Z
2
p
× Z
2
p
,i, j;
Decrypt(dk
y
, `, (CT
`,i
)
i[n]
): Takes as input a
functional decryption key dk
y
, and a label `, and
ciphertexts. Suppose that S satisfies the access
structure and let J {1,2, ..., } be defined as J =
{ j : ρ( j) S
i
}. Then, let ω
j
Z
p
j J be a set
of constants such that if λ
j
are valid shares of any
secrets according to M, then
jJ
ω
j
λ
j
= r .
It computes [u
`, j
]
2
:= H
2
(`, j), then computes
[α]
T
=
i
e([c
i, j
]
1
,[y
i
]
2
)
jJ
(e([
i
s
i
y
i
r
j
]
2
,[u
`, j
]
t
j
1
)·[λ
j
]
T
)
ω
j
=
e(g
2
,[u
`, j
]
1
)
i
s
i
y
i
t
j
·e(g
1
,g
2
)
i
x
i
·y
i
e(g
2
,[u
`, j
]
1
)
i
s
i
y
i
t
j
= e(g
1
,g
2
)
i
x
i
·y
i
= [hx,yi]
T
.
Finally, it eventually solves the discrete logarithm
to extract and return α = hx, yi.
Note that, as for (Agrawal et al., 2016), the result α
must be polynomially bounded to efficiently compute
the discrete logarithm in the last decryption step.
5.2 Security Proof
Theorem 5.1. The above DMCABFE scheme is sta-
IND-secure under the SXDH assumption, in the ran-
dom oracle model. More precisely, for for any PPT
adversary A, there exist PPT adversaries B
1
and B
2
such that:
Adv
IND
(A) 2Q
1
· Adv
ddh
G
1
(t)+ 2Q
2
· Adv
ddh
G
2
(t)+
2Q
1
+2Q
2
p
+ Adv
ddh
G
1
(t + 4Q
1
×t
G
1
)+ 2 · Adv
ddh
G
2
(t + 4Q
2
×t
G
2
) ,
where Q
1
and Q
2
are the number of (direct and
indirect) queries to H
1
and H
2
respectively (mod-
eled as random oracles). The former being asked
by QEncrypt-queries and the latter being asked by
QDKeyGen-queries.
We note that 5.1 supports adaptive encryption
queries, and static corruptions.
Proof. We proceed using hybrid games, described
in Table 3. Let RF,RF
0
denote random functions onto
G
2
and Z
p
, respectively. Let A be a PPT adver-
sary. For any game G
index
, we denote by Adv
index
:=
|Pr[G
index
(A)|b = 1] Pr[G
index
(A)|b = 0]|, where
SECRYPT 2020 - 17th International Conference on Security and Cryptography
126
the probability is taken over the random coins of
G
index
and A. Also, by event G
index(A)
, or just G
index
when there is no ambiguity, we mean that the Final-
ize procedure in game G
index
returns β = 1 from the
adversary’s answer b
0
when interacting with A.
Game G
0
: This is the sta-IND-security game as
given in Definition 3.4, but with the set C S of cor-
rupted senders known from the beginning. Note that
the hash functions H
1
and H
2
are modeled as ran-
dom oracles. The former is used to generate [u
`, j
]
1
=
H
(`) G
2
1
and the latter [v
y
]
2
= H
(y) G
2
2
.
Game G
1
: We replace the hash function H
2
by a
random oracle RO
2
that generates random pairs from
G
2
2
on the fly. In addition, for any QDKeyGen-query
on a corrupted index i CS, one generates the partial
functional decryption key by itself, without explicitly
querying QDKeyGen. Hence, we can assume that A
does not query QCorrupt and QDKeyGen on the same
indices i [n]. The simulation remains perfect, and so
Adv
0
= Adv
1
.
Game G
2
: Now, the outputs of RO
2
are uniformly
random in the span of [b]
2
for b :=
1
a
0
, with a
0
$
Z
p
. As in the previous proof, we have Adv
1
Adv
2
Adv
ddh
G
2
(t + 4Q
2
× t
G
2
), where Q
2
is the number of
RO
2
-queries and t
G
2
the time for an exponentiation.
Game G
3
: We replace all the partial key decryp-
tion answers by d
i, j
:= [y
i
· s
i
r + w
i
· (b
)
>
v
y
+ T
i
v
y
]
2
, for new w
i
$
Z
2
p
, such that
i
w
i
= 0, for each y.
This sum being among the honest clients, we need to
know the last queried honest client to set this sum to
zero. Hence the requirement to know the set of hon-
est clients, and thus just security against static corrup-
tions. We show below that Adv
2
= Adv
3
.
Game G
4
: We switch back the distribution of all
the vectors [v
y
]
2
output by RO
2
, from uniformly ran-
dom in the span of [b]
2
, to uniformly random over
G
2
2
, thus back to H
2
(y). This transition is reverse to
the two first transitions of this proof: Adv
3
Adv
4
Adv
ddh
G
2
(t + 4Q
2
× t
G
2
).
G
3.1.1
: This is exactly game G
2
. Thus, Adv
2
=
Adv
3.1.1
.
G
3.q.1
G
3.q.2
: We first change the distribution
of the output of the q-th RO-query, from uniformly
random in the span of [b] to uniformly random over
G
2
, using the DDH assumption. Then, we use the
basis (
1
a
,
a
1
) of Z
2
p
, to write a uniformly random
vector over Z
2
p
as v
1
· b + v
2
· b
>
, where v
1
,v
2
$
Z
p
.
Finally, we switch to v
1
· b + v
2
· b
>
where v
1
$
Z
p
,
and v
2
$
Z
p
, which only changes the adversary view
by a statistical distance of 1/p : Adv
3.q.1
- Adv
3.q.2
Adv
ddh
G
(t) + 1/p. The last step with v
2
Z
p
will be
important to guarantee that v
y
b
>
6= 0
G
3.q.2
G
3.q.3
: We now change the simulation
of d
i, j
from d
i, j
= [y
i
· s
i
r + T
i
v
y
]
2
to d
i, j
= [y
i
· s
i
+
RF
i
(y) + T
i
v
y
]
2
, with some RF
i
functions onto Z
2
p
such that
i
RF
i
(y) = 0 for any input y. We prove
Adv
3.q.2
= Adv
3.q.3
.
We use the fact that the two following distri-
butions are identical, for any choice of w
i
$
Z
2
p
,
such that
i
w
i
= 0, (T
i
)
iH S
and (T
i
+w
i
(b
)
>
)
iH S
,
where for all i [n], T
i
$
Z
2×2
p
such that
i
T
i
= 0, and
b
:=
a
0
1
.
The extra terms (w
i
(b
)
>
)
iH S
only appear in the
output of the queries to QDKeyGen which use the
vector [v
y
]
2
computed on the q-th RO
2
-query (if there
are such queries), because for all other queries, [v
y
]
2
lies in the span of [b]
2
, and b
>
b
= 0. We thus have
d
i, j
:= [y
i
· s
i
r + w
i
· (b
)
>
v
y
+ T
i
v
y
]
2
. Since v
y
is such
that v
>
y
b
6= 0, (b
)
>
v
y
6= 0. In that case, the vectors
w
i
· (b
)
>
v
y
are uniformly random over Z
2
p
such that
i
w
i
· (b
)
>
v
y
= 0, which is as in G
3.q.3
, by setting
RF
i
(y) := w
i
· (b
)
>
v
y
.
G
3.q.3
G
3.q+1.1
: This transition is the reverse
ofG
3.q.1
G
3.q.2
, namely, we use the DDH as-
sumption to switch back the distribution of [v
y
]
2
to
uniformly random in the span of [b]
2
: Adv
3.q.3
Adv3.q + 1.1 Adv
ddh
G
2
(t) + 1/p.
Then one can note that G
3.Q
2
+1.1
= G
3
, but also
that in Game G
4
, all the d
i, j
output by QDKeyGen
can be computed only knowing q
i[n]
[s
i
· y
i
r] and
q, which will reveals the functional decryption key
dk
y
from our MCABFE in Section 5.1.
Thus, we can reduce to the IND-security of the
MCABFE from Section 5.1 (or even sta-IND - se-
curity) by designing an adversary B against the
MCABFE from Section 5.1: Adversary B first sam-
ples T
i
$
Z
2×2
p
for all i [n], such that
i[n]
T
i
= 0 It
sends CS given by A (set of static corruptions), then
it receives mpk from the MCABFE security game, as
well as the secret keys s
i
for i CS. It forwards mpk
as well as (s
i
,T
i
) for i CS to A. Then, B answers
oracle calls to RO
1
, RO
2
and QEncrypt from A using
its own oracles.
To answer QDKeyGen (i, y,P
i
= (M, ρ)): if i
is the last non-corrupted index for y, B queries
its own QDKeyGen oracle on y, to get dk
y
:=
([y],[q
j
i
s
i
y
i
r] Z
2
p
), computes [v
y
]
2
:= H
2
(y),
and returns d
i, j
:= [dk
y
+ RF
i
(y) + T
i
v
y
]
2
to A. Oth-
erwise, it computes [v
y
]
2
:= H
2
(y), and returns d
i, j
:=
[RF
i
(y) + T
i
v
y
]
2
to A. The random functions RF
i
are
computed on the fly, such that their sum is the zero
function.
Note that this last simulation requires to know
CS and H S, hence it is for static corruptions only.
Decentralized Multi-Client Attribute Based Functional Encryption
127
Table 3: Games for the proof of Theorem 5.1.
.
Game G
0
,G
1
, G
2
,(G
3.q.1
)
q[Q
dk
+1]
, (G
3.q.2
,G
3.q.3
)
q[Q
dk
]
,G
4
:
P G PGGen(1
λ
), i [n] : s
i
$
Z
2
p
,T
i
$
Z
2×2
p
, such that
i[n]
T
i
= 0, r
$
Z
p
ek
i
:= s
i
, sk
i
:= (s
i
,T
i
,r), mpk := (G, p,g). a
0
$
Z
p
,b :=
1
a
0
Sample full-domain hash function H
1
onto G
2
1
and H
2
onto G
2
2
. Sample a bit b
$
{0,1}.
b
0
A
QEncrypt(·,·,·,·,·),QCorrupt(·,·),RO
1
(·),RO
2
(·)
(mpk). Run Finalize on b
0
RO
1
(`,j): // G
0
, G
1
, G
2
, G
3.q.1
, G
3.q.2
, G
3.q.3
Return H
1
(`, j).
RO
2
(y): // G
0
, G
1
, G
2
, G
3.q.1
, G
3.q.2
, G
3.q.3
G
4
[v
y
]
2
:= H
2
(y), [v
y
]
2
:= RF(y) , [v
y
] := [
~
b ·t
y
], with t
y
:= RF
0
(y)
On the q’th RO
2
-query: [v
y
] := RF(y) . Return [v
y
]
2
.
QEncrypt (i,x
0
i
,x
1
i
,`,S
i
) : // G
0
,G
1
,G
2
, G
3.q.1
,G
3.q.2
,G
3.q.3
G
4
For each attribute j S
i
, [u
`, j
]
1
:= RO
1
(`,j), [c
i, j
]
1
:= [u
>
`
· s
i
t
j
]
1
[x
b
i
]
1
. Return [c
i, j
]
QDKeyGen(y,i): // G
0
,G
1
,G
2
, G
3.q.1
, G
3.q.2
, 1G
3.q.3
, G
4
Compute [v
y
]
2
:= RO
i
(y), d
i, j
:= [y
i
· s
i
r + T
i
v
y
]
2
, set S := S {i}
If [v
y
]
2
is computed on the n
0
-th RO
2
-query, for n
0
< q: d
i, j
:= [y
i
· s
i
r RF
i
(y) + T
i
v
y
]
2
If [v
y
]
2
is computed on the q-th RO
2
-query: d
i, j
:= [y
i
· s
i
r RF
i
(y) + T
i
v
y
]
2
d
i, j
:= [y
i
· s
i
r RF
i
(y) + T
i
v
y
]
2
. Return d
i, j
.
QCorrupt (i): Return s
i
,T
i
// G
0
,G
1
,G
2
,G
3.q.1
,G
3.q.2
,G
3.q.3
,G
4
From this reduction, one gets Adv
4
2Q
1
· Adv
ddh
G
1
(t + 4Q
1
× t
G
1
+
2Q
1
p
), where Q
1
denotes the number
of calls to RO
1
, t
G
1
denotes the time to compute an
exponentiation in G
1
. This concludes the proof.
6 CONCLUSION
In view of the growing demand of secure data sharing
and computations on sensitive data, improving func-
tionality and fine grained data access become an im-
portant question in Functional Encryption. In this pa-
per, we mainly consider the problem of enhancing the
Functionality of Multi-Client Functional Encryption
such that the decryption can base on the attributes of a
user, i.e., users with different attributes will get differ-
ent decryption results. We define the first Multi-Client
Attribute Based Functional Encryption scheme, and
provide the first Multi-Client Attribute-Based Inner
Product Functional Encryption scheme that is based
on simple assumptions. Also we define the first De-
centralized Multi-Client Attribute Based Functional
Encryption scheme, and provide the first Multi-Client
Attribute-Based Inner Product Functional Encryption
scheme, which is also based on simple assumptions.
REFERENCES
Abdalla, M., Bourse, F., De Caro, A., and Pointcheval,
D. (2015). Simple functional encryption schemes for
inner products. In IACR International Workshop on
Public Key Cryptography, pages 733–751. Springer.
Abdalla, M., Bourse, F., De Caro, A., and Pointcheval, D.
(2016). Better security for functional encryption for
inner product evaluations. IACR Cryptology ePrint
Archive, 2016:11.
Agrawal, S., Libert, B., and Stehlé, D. (2016). Fully secure
functional encryption for inner products, from stan-
dard assumptions. In Annual International Cryptology
Conference, pages 333–362. Springer.
Ananth, P., Brakerski, Z., Segev, G., and Vaikuntanathan,
V. (2015). From selective to adaptive security in func-
tional encryption. In Annual Cryptology Conference,
pages 657–677. Springer.
Ananth, P. and Sahai, A. (2016). Functional encryption for
turing machines. In Theory of Cryptography Confer-
ence, pages 125–153. Springer.
Apon, D., Döttling, N., Garg, S., and Mukherjee, P.
(2017). Cryptanalysis of indistinguishability obfus-
cations of circuits over ggh13. In LIPIcs-Leibniz In-
SECRYPT 2020 - 17th International Conference on Security and Cryptography
128
ternational Proceedings in Informatics, volume 80.
Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik.
Badrinarayanan, S., Goyal, V., Jain, A., and Sahai, A.
(2016). Verifiable functional encryption. In Interna-
tional Conference on the Theory and Application of
Cryptology and Information Security, pages 557–587.
Springer.
Baltico, C. E. Z., Catalano, D., Fiore, D., and Gay, R.
(2017). Practical functional encryption for quadratic
functions with applications to predicate encryption. In
Annual International Cryptology Conference, pages
67–98. Springer.
Bernstein, D. J., Heninger, N., Lange, T., Garg, S., Gentry,
C., Halevi, S., Raykova, M., Sahai, A., and Waters,
B. (2013). Candidate indistinguishability obfuscation
and functional encryption for all circuits.
Bethencourt, J., Sahai, A., and Waters, B. (2007).
Ciphertext-policy attribute-based encryption. In 2007
IEEE symposium on security and privacy (SP’07),
pages 321–334. IEEE.
Boneh, D., Sahai, A., and Waters, B. (2011). Functional
encryption: Definitions and challenges. In Theory of
Cryptography Conference, pages 253–273. Springer.
Boyle, E., Chung, K.-M., and Pass, R. (2014). On ex-
tractability obfuscation. In Theory of Cryptography
Conference, pages 52–73. Springer.
Brakerski, Z., Komargodski, I., and Segev, G. (2018).
Multi-input functional encryption in the private-key
setting: Stronger security from weaker assumptions.
Journal of Cryptology, 31(2):434–520.
Chase, M. (2007). Multi-authority attribute based encryp-
tion. In Theory of cryptography conference, pages
515–534. Springer.
Chen, Y., Gentry, C., and Halevi, S. (2017). Cryptanalyses
of candidate branching program obfuscators. In An-
nual International Conference on the Theory and Ap-
plications of Cryptographic Techniques, pages 278–
307. Springer.
Cheon, J. H., Han, K., Lee, C., Ryu, H., and Stehlé, D.
(2015). Cryptanalysis of the multilinear map over
the integers. In Annual International Conference on
the Theory and Applications of Cryptographic Tech-
niques, pages 3–12. Springer.
Cheung, L. and Newport, C. (2007). Provably secure ci-
phertext policy abe. In Proceedings of the 14th ACM
conference on Computer and communications secu-
rity, pages 456–465. ACM.
Chotard, J., Sans, E. D., Gay, R., Phan, D. H., and
Pointcheval, D. (2018). Decentralized multi-client
functional encryption for inner product. In Interna-
tional Conference on the Theory and Application of
Cryptology and Information Security, pages 703–732.
Springer.
Coron, J.-S., Lee, M. S., Lepoint, T., and Tibouchi, M.
(2016). Cryptanalysis of ggh15 multilinear maps.
In Annual Cryptology Conference, pages 607–628.
Springer.
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A.,
and Waters, B. (2016). Candidate indistinguishability
obfuscation and functional encryption for all circuits.
SIAM Journal on Computing, 45(3):882–929.
Goldwasser, S., Gordon, S. D., Goyal, V., Jain, A., Katz, J.,
Liu, F.-H., Sahai, A., Shi, E., and Zhou, H.-S. (2014).
Multi-input functional encryption. In Annual Interna-
tional Conference on the Theory and Applications of
Cryptographic Techniques, pages 578–602. Springer.
Goldwasser, S., Kalai, Y., Popa, R. A., Vaikuntanathan, V.,
and Zeldovich, N. (2013a). Reusable garbled circuits
and succinct functional encryption. In Proceedings of
the forty-fifth annual ACM symposium on Theory of
computing, pages 555–564. ACM.
Goldwasser, S., Kalai, Y. T., Popa, R. A., Vaikuntanathan,
V., and Zeldovich, N. (2013b). How to run turing ma-
chines on encrypted data. In Annual Cryptology Con-
ference, pages 536–553. Springer.
Gorbunov, S., Vaikuntanathan, V., and Wee, H. (2012).
Functional encryption with bounded collusions via
multi-party computation. In Annual Cryptology Con-
ference, pages 162–179. Springer.
Goyal, V., Pandey, O., Sahai, A., and Waters, B. (2006).
Attribute-based encryption for fine-grained access
control of encrypted data. In Proceedings of the 13th
ACM conference on Computer and communications
security, pages 89–98. Acm.
Okamoto, T. and Takashima, K. (2010). Fully secure func-
tional encryption with general relations from the deci-
sional linear assumption. In Annual cryptology con-
ference, pages 191–208. Springer.
O’Neill, A. (2010). Definitional issues in functional encryp-
tion. IACR Cryptology ePrint Archive, 2010:556.
Ostrovsky, R., Sahai, A., and Waters, B. (2007). Attribute-
based encryption with non-monotonic access struc-
tures. In Proceedings of the 14th ACM conference on
Computer and communications security, pages 195–
203. ACM.
Sahai, A. and Seyalioglu, H. (2010). Worry-free encryption:
functional encryption with public keys. In Proceed-
ings of the 17th ACM conference on Computer and
communications security, pages 463–472. ACM.
Sahai, A. and Waters, B. (2005). Fuzzy identity-based
encryption. In Annual International Conference on
the Theory and Applications of Cryptographic Tech-
niques, pages 457–473. Springer.
Waters, B. (2011). Ciphertext-policy attribute-based en-
cryption: An expressive, efficient, and provably se-
cure realization. In International Workshop on Public
Key Cryptography, pages 53–70. Springer.
Waters, B. (2015). A punctured programming approach to
adaptively secure functional encryption. In Annual
Cryptology Conference, pages 678–697. Springer.
Yamada, S., Attrapadung, N., Hanaoka, G., and Kuni-
hiro, N. (2011). Generic constructions for chosen-
ciphertext secure attribute based encryption. In In-
ternational Workshop on Public Key Cryptography,
pages 71–89. Springer.
Decentralized Multi-Client Attribute Based Functional Encryption
129