An Indistinguishably Secure Function Encryption Scheme

Zhang, Ping; Li, Yamin; Liu, Muhua

doi:https://doi.org/10.1155/2019/8567534

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Cryptography and Security Tools and Techniques for Networked Embedded Systems

View this Special Issue

Research Article | Open Access

Volume 2019 | Article ID 8567534 | https://doi.org/10.1155/2019/8567534

An Indistinguishably Secure Function Encryption Scheme

Ping Zhang,¹Yamin Li,¹and Muhua Liu¹

Guest Editor: Leonel Sousa

Received01 Apr 2019

Revised17 Aug 2019

Accepted30 Aug 2019

Published05 Nov 2019

Abstract

In this work, we first design a function encryption scheme by using key encapsulation. We combine public key encryption with symmetric encryption to implement the idea of key encapsulation. In the key encapsulation, we use a key to turn a message (plaintext) into a ciphertext by symmetric encryption, and then we use public key encryption to turn this key into another ciphertext. In the design of function encryption scheme, we use the public key encryption system, symmetric encryption system, noninteractive proof system, indistinguishable obfuscator, and commitment scheme. Finally, we prove the indistinguishable security of our function encryption scheme.

1. Introduction

Nowadays, network technology has been rapidly developed and widely used. Due to the emergence of hacking, virus, and electronic fraud and theft, various information leakage incidents occur frequently. Both personal information security and enterprise information security are getting more and more attention, which makes information security more important than ever.

With the rise of cloud computing, in order to save local storage resources, more and more companies or individuals choose to store local data on third-party servers (such as cloud computing platforms). To prevent user data from leaking, the data can be encrypted before storing it on third-party servers. It is noteworthy that in this application, third-party servers need to operate something on the user’s ciphertext, such as data mining, query, and statistics of the ciphertext. However, the traditional encryption system does not support ciphertext computing.

This problem can be solved by using fully homomorphic encryption [1]. It is possible to compute on the ciphertext using fully homomorphic encryption. In other words, a nontrusted information processing system can process information in ciphertext environment without disclosing any information of users. However, the main problem of fully homomorphic encryption is that the results are encrypted. That is to say, although the third-party servers can perform ciphertext calculation, it cannot obtain the calculation results. In many application scenarios, third-party servers need to make certain decisions based on the results of the calculations. Therefore, fully homomorphic encryption does not meet our requirements.

Function encryption firstly appeared in the article [2]. It is an extension of the articles [2–7]. It enables the third party to operate and output a function of plaintext without decryption. Therefore, it is very suitable for the computing scenario of data outsourcing encryption. Specifically, in function encryption for a function family, the key generation algorithm can generate the corresponding decryption key for each function in this function family by using the master private key. Given the ciphertext of a plaintext, the owner of the decryption key of each function can calculate the corresponding function value for this plaintext. A secure function encryption system should satisfy that users with decryption key can only get a function value of the plaintext but not any information about the plaintext. The traditional public key encryption scheme is too extreme. It enables users with decrypted key to get all or no messages from the ciphertext. Therefore, it is of great significance to study function encryption.

Function encryption is a perfect noninteractive solution to many problems that arise in delegating services to external servers. Consider the following scenario: Suppose a bank subscribes to an external cloud server for storing financial records of its customers. In order to ensure the security of these records and perform various computations on the outsourced data remotely from time to time, a cost-effective choice for the bank is to use a function encryption scheme to encrypt the records locally prior to uploading to the cloud server. Now, suppose the researchers wish to retrieve investment amount summary of all customers who have joined a certain wealth management product from the cloud server. For this, the bank needs to provide the researchers a decryption key for the corresponding functionality. However, if the encryption scheme used by the bank possesses no function privacy, then the researchers would get to know the specific customer’s information from the decryption key provided by the bank. Thus, after performing the assigned computation, for financial gain, the researchers may leak the information to someone. This is clearly undesirable from the privacy point of view. Our function encryption scheme can solve the aforementioned information leak problem, and it can be applied to the following application scenarios such as spam filtering in the mail service, patient record privacy protection in the hospital, and partial decryption of information in the encrypted information store.

1.1. Our Result

The design of our function encryption scheme depends on the idea of key encapsulation. Key encapsulation (also known as hybrid encryption) consists of two parts: an external scheme and an internal scheme. To encrypt messages in a hybrid encryption scheme, a new key is generated for the internal scheme and used to encrypt messages. The key itself is then encrypted using an external scheme. The final hybrid ciphertext consists of two parts: the external ciphertext and the internal ciphertext. If someone wants to decrypt, he should firstly decrypt the external ciphertext to get the key and use this key to decrypt the internal ciphertext. While the internal scheme is symmetric encryption and the external scheme is public key encryption, the hybrid scheme still belongs to public key encryption. Why use the idea of key encapsulation? The external scheme is inefficient, so it is only used to encrypt relatively short keys, while relatively long messages are encrypted by the internal scheme.

We choose symmetric encryption and public key encryption as the internal and external schemes of key encapsulation, respectively. In the design of the function encryption scheme, our idea is as follows: at first, we choose a key k of the internal scheme to encrypt the message x, and then use the external scheme to encrypt the key k to get the two parts of a complete ciphertext. This will allow for decryption during the two-step process described above. First, the key k of the internal scheme is obtained by decrypting the external ciphertext in the external scheme, and then is obtained by using this key in the internal scheme. Specifically, we describe how to use the public key encryption system, symmetric encryption system, noninteractive proof system, indistinguishable obfuscator, and commitment scheme to design our function encryption scheme. Our scheme achieves indistinguishable security [8].

1.2. Related Works

The concept of function encryption originates from inner product encryption [6] and attribute-based encryption [5]. Early function encryption generally refers to attribute-based encryption, predicate encryption, or inner product encryption. These three kinds of encryption are the preliminary stages of function encryption. Sahai and Waters firstly created the concept of function encryption in 2008 [9]. Later, O’Neill proposed the security definition of the general function encryption [7], which laid the foundation for the research of function encryption.

In 2011, Boneh et al. [3] not only gave the general form of function encryption, but also gave the formal definition and various security definitions of function encryption. In 2012, Gorbunov et al. [10] proposed a nonconcise general-purpose function encryption scheme based on multiparty security calculation. In 2013, Waters [11], Garg et al., [12] and Ananth et al. [13] further improved the efficiency of universal function encryption system. Subsequently, the function encryption scheme for regular language [14] and the function encryption scheme-based deterministic finite automata [15] were proposed. In the same year, Garg et al. [16] constructed a general function encryption scheme for the first time using indistinguishable obfuscation, which set up a new direction for the research of universal function encryption. Goldwasser et al. [17] proposed a simple universal function encryption scheme which uses fully homomorphic encryption, attribute-based encryption, and obfuscation circuit technology as the underlying modules. This scheme is a classical function encryption scheme. Later, Goldwasser et al. [18] firstly proposed multi-input function encryption. They not only proved the adaptive indistinguishable security of the scheme but also proved the simulation-based security of the scheme. It has to be noted that multi-input function encryption scheme is a refinement of function encryption, which can be applied in many occasions and can realize the security processing of multiuser information at different times.

With the deepening of research on function encryption and fully homomorphic encryption, a new full key homomorphic encryption scheme (FKHE) [19] was proposed at the Eurocrypt 2014. It combines fully homomorphic encryption with function encryption. It overcomes the shortcomings of single key shortage of fully homomorphic encryption and provides possibilities for the use of function encryption in the outsourcing computing environment. In 2015, Goyal et al. [20] proposed for the first time the definition and construction of function encryption for random functions, which proved that the construction scheme was simulation-based security. Ananth et al. [13] proved that any selective secure function encryption can be transformed into adaptive secure function encryption and designed an adaptive function encryption scheme that combines public key function encryption with private key function encryption. Brakerski and Segev [21] studied the symmetric function encryption system with function hiding. Abdalla et al. [22] firstly proposed an internal product function encryption scheme based on public key, which set up a new direction of practical internal product function encryption scheme. Bishop et al. [23] firstly proposed the inner product function encryption scheme of the function hidden in symmetric case. Subsequently, Datta et al. [24] improved Bishop’s scheme. In 2018, Kim et al. [25] improved the inner product function encryption scheme of the function hidden to improve its efficiency. They also described three application scenarios of inner product function encryption of the function hidden. Kim et al. made it possible to use the inner product function encryption of the function hidden in practical applications.

1.3. Organization

This paper is organized as follows. The first section is the introduction of this paper. The second section is the existing definition of function encryption. In the third section, we recall some definitions of cryptographic primitives used in scheme construction. In the fourth section, we propose the design of our function encryption. In the fifth section, we prove the security of our constructed scheme. Finally, in the sixth section, we summarize the full text.

1.4. Basic Notation

In the following sections, the security parameter is . If holds for all polynomials and all sufficiently large λ, we call as negligible function. In this paper, “PPT” represents probabilistic polynomial time and “” represents a concatenation of x and y. Let represent an ensemble, each of which is a finite function.

2. Function Encryption

In the second section, the concept of function encryption [3] and its indistinguishable security are rementioned. Indistinguishable security is not only the first consideration of function encryption but also of predicate encryption [4, 6].

2.1. Syntax

For a class of functions over message space , a function encryption scheme is composed of the following four algorithms:(i): This is a random algorithm. This algorithm requires a security parameter λ as the input of the algorithm, requires the master public key , and the master secret key as the output of the algorithm.(ii): This algorithm requires the master public key and the plaintext as the input of the algorithm and requires a ciphertext as the output of the algorithm.(iii): This algorithm requires the master secret key and the randomized function as the input of the algorithm and requires a secret key as the output of the algorithm.(iv): This algorithm requires the ciphertext and the secret key as the input of the algorithm and requires a string as the output of the algorithm.

Definition 1. (correctness). If the following conclusion holds for every function and every message , the function encryption scheme for is correct.

Definition 2. (indistinguishable security of function encryption). The indistinguishable security can be seen as a game between the attacker and challenger. This game is divided into five phases.(i)Setup phase: the challenger generates master key by the algorithm and then makes the attacker get the master public key .(ii)Query phase 1: the attacker chooses in adaptively and makes the challenger get this . The challenger generates the key of function by the algorithm and sends it to the attacker. The attacker can repeat this step in any polynomial number of times.(iii)Challenge phase: the attacker chooses two messages such that and makes the challenger get it. The Challenger chooses () from and , runs the algorithm (), and makes the attacker get the ciphertext .(iv)Query phase 2: key queries continue to be initiated by the attacker as before, but it also needs to satisfy that for any query , there is holds.(v)Guess phase: the attacker guesses whether the ciphertext is encryption for message or message . Finally, the attacker give his guess ().In this game, the advantage of the attacker is .

3. Preliminaries

In the third section, we recall some concepts of primitives in cryptography, which are used in the construction of function encryption. Here, we omit not only the formal definitions of standard semantically secure public key encryption scheme but also the formal definitions of standard semantically secure symmetric encryption scheme . Next, we describe the formal definitions of indistinguishable obfuscation, commitment scheme, and witness indistinguishable proof system in detail.

3.1. Indistinguishable Obfuscation

According to the syntax of [16], the concept of indistinguishable obfuscation was recalled.

Definition 3. (Indistinguishable Obfuscation()). If the following conclusions hold, then the uniform PPT machine is known as an indistinguishable obfuscator of a circuit class .(i)Correctness: for every security parameter , , and every input x, the following formula holds:(ii)Indistinguishability: there is a negligible function that makes the following conclusion hold for every PPT distinguisher (which is not necessarily uniform). For every security parameter and every pair of circuits , if for every input x, then

3.2. Commitment Scheme

According to the syntax of [26], a commitment scheme takes a random number r and a string x as the input and takes as the output. The following two properties are necessary for a perfectly binding commitment scheme:(i)Perfectly binding property: this property means that the commitments for two different strings must also be different. More formally, and , , .(ii)Computational hiding property: for every string and (the length of and is the same) and for every PPT adversary , the following formula holds:

3.3. Noninteractive Witness Indistinguishable Proof

The syntax of the noninteractive proof system was firstly recalled, and then the formal concept of noninteractive witness indistinguishable () proof [27] was also recalled.

3.3.1. Syntax

An efficiently computable relation R is composed of pairs , in which x and are named as the statement and the witness, respectively. The language consisting of statements in R is denoted by L. The following three algorithms constitute a noninteractive proof system for a language L:(i): this algorithm requires a security parameter as the input of the algorithm and requires a common reference string as the output of the algorithm.(ii): this prove algorithm requires the common reference string and a statement x along with a witness as the input of the algorithm. This prove algorithm outputs a proof string π when or outputs fail when .(iii): this verify algorithm requires the common reference string and a statement x with a corresponding proof π as the input. If the proof is valid, this algorithm outputs 1 and otherwise 0.

Definition 4 (NIWI). A noninteractive witness indistinguishable proof system for a language L with a PPT relation R needs to satisfy the following properties:(i)Perfect completeness property: for all , the following formula holds:Here, the reference string is generated by the algorithm , and the probability is taken over the coins of .(ii)Statistical soundness property: for all adversary , the following formula holds:(iii)Witness indistinguishability property: for any triplet ( and ), the distributions and are computationally indistinguishable (here the reference string is generated by the algorithm ).

4. Construction

In the fourth section, we propose the design of function encryption scheme. In our construction, we set the key space of the symmetric encryption scheme to .

In our scheme, we set the ciphertext length of the public key encryption scheme to . In the design of our scheme, the parameter will be used, and the symmetric encryption scheme needs to satisfy this property:where symbol “” denotes an error.

In the design of our scheme, the proof system used is denoted by , the perfectly binding commitment scheme used is denoted by , and the indistinguishable obfuscator used is denoted by . Now, we begin to give our scheme .(i)(1)At first, two pairs of key pairs are generated using the key generation algorithm and of the public key encryption scheme (note: is a random algorithm)(2)Compute a common reference string using the proof system(3)Choose a symmetric encryption scheme (4)Compute (5)Let the master public key and the master secret key be and , respectively(ii)(1)Choose a secret key of the symmetric encryption and compute the ciphertexts (2)Compute ()(i) Either and are encryptions for the same plaintext, or(ii) C is a commitment for The real witness is used to prove the first part of the statement, where the random numbers and are used to compute the ciphertexts and , respectively; the trapdoor witness is used to prove the second part of the statement, where the random number s is used to compute C(3)The ciphertext is (iii)(1)Compute the decryption key for function f, where the circuit is showed in Figure 1; it should be noted that the circuit contains the random function f, the secret key , and the master public key (iv)(1)It inputs and decryption key and outputs

The correctness of the scheme we design is easily derived from the correctness of its components. Next, we will demonstrate the security of this scheme.

5. Proof of Security

Theorem 1. Assume that the aforementioned function encryption instantiated with a standard semantically secure public key encryption, a standard semantically secure symmetric encryption, a computational hiding commitment, a noninteractive witness indistinguishable proof, and indistinguishably secure obfuscator, it is indistinguishably secure.

Now, we prove that if the aforementioned assumption is true, no polytime attacker can break our scheme. We will prove indistinguishable security of the function encryption using indistinguishable game. We assume that a polytime attacker makes q private key queries. Let () denote the ith function query. There is a constraint for each function query.

We need to define a sequence of games to prove theorem 1. The first game is the experiment with the challenge message . Next, we prove that any PPT adversary has almost the same advantage in each game as that of the previous game. Game 1. The challenger encrypts message in the challenge ciphertext.(i)Setup Phase. The challenger firstly computes the key pair and gives master public to . Choose a symmetric encryption scheme and three secret keys , , and for the symmetric encryption scheme. Compute the ciphertexts: , . , . , . Set , , , , .(ii)Query Phase. The adversary submits query of f adaptively. The challenger sends to .(iii)Challenge Phase. The challenger chooses a challenge plaintext from two plaintexts and a secret key of the symmetric encryption, computes the ciphertexts , , and . Compute a proof (). Set . At last, it returns . Game 2. This game is exactly the same as the previous game (Game 1) except for a little difference. The difference is that for all key queries of f, the corresponding secret key is computed by , where the circuit is described in Figure 2. Game 3. This game is exactly the same as the previous game (Game 2) except for a little difference. The difference is that the commitment C is computed as follows: the challenge ciphertext is denoted by and . Game 4. This game is exactly the same as the previous game (Game 3) except for a little difference. The difference is that in every challenge ciphertext is computed using the trapdoor witness. Game 5. This game is exactly the same as the previous game (Game 4) except for a little difference. The difference is that we modify the challenge ciphertext : the second ciphertext is an encryption of , that is, . Game 6. This game is exactly the same as the previous game (Game 5) except for a little difference. The difference is that for all key queries of f, the corresponding secret key is computed by , where the circuit is described in Figure 3. Game 7. This game is exactly the same as the previous game (Game 6) except for a little difference. The difference is that we modify the challenge ciphertext : the first ciphertext is an encryption of , that is, . Game 8. This game is exactly the same as the previous game (Game 7) except for a little difference. The difference is that the symmetric encryption key is replaced by another key . Game 9. This game is exactly the same as the previous game (Game 8) except for a little difference. The difference is that we modify the challenge ciphertext : the third ciphertext is an encryption of , that is, . Game 10. This game is exactly the same as the previous game (Game 9) except for a little difference. The difference is that we modify the challenge ciphertext : the first ciphertext is an encryption of , that is . Game 11. This game is exactly the same as the previous game (Game 10) except for a little difference. The difference is that for all key queries f, the corresponding secret key is computed by . Game 12. This game is exactly the same as the previous game (Game 11) except for a little difference. The difference is that we modify the challenge ciphertext : the second ciphertext is an encryption of , that is, . Game 13. This game is exactly the same as the previous game (Game 12) except for a little difference. The difference is that in every challenge ciphertext , the proof is computed using the real witness. Game 14. This game is exactly the same as the previous game (Game 13) except for a little difference. The difference is that the commitment C is computed as follows: . Note that this game corresponds to the selective indistinguishable game that has been honestly executed, where the challenger encrypts the message in the challenge ciphertext. The description for the sequence of games is completed. Next, we prove that the neighbouring games are indistinguishable.

Lemma 1. Game 1 and Game 2 are computationally indistinguishable when is an indistinguishable obfuscator.

Proof. We can see that the difference between Game 1 and Game 2 lies only in the calculation method of the secret key . In the former experiment, Game 1, for any key query f, the secret key is outputted by ; however, in the latter experiment, Game 2, the secret key is outputted by . If we want to prove that Game 1 and Game 2 are computationally indistinguishable, we need to prove that for any input , and have identical output for identical input. Then, according to the security of indistinguishable obfuscator, we can get that and are computationally indistinguishable, which means that Game 1 and Game 2 are computationally indistinguishable.
First, we will prove that for any input , outputs if and only if outputs .
We can find that both and output if and only if the proof π is invalid, that is, . Here, . If the proof π is valid, we define that an input is valid.
Next, we prove that for any valid input , .
Here we have to consider two cases:(i)Case 1. There does not exist a , such that .(ii)Case 2. There exists a , such that .For the case 1, both and compute with by decrypting , compute m with by decrypting , and outputs . In the case 2, computes with by decrypting , computes m with by decrypting , and also outputs . What’s more, because , also outputs . So we can get that .
The experiment () is defined as follows: in , the first ith queries are answered by and the remaining to qth queries are answered by . We can see that happens to be Game 1 and happens to be Game 2.
Here, we prove that if there is a PPT adversary which can distinguish the experiments and with nonnegligible advantage, there is another PPT adversary which can break the security of indistinguishable obfuscator with nonnegligible advantage.
We construct by as follows:(1)First of all, the adversary honestly runs the Game 1.(2)For the first ith key queries f, the adversary computes the key by . For the remaining to qth key queries f, the adversary computes the key by .(3)For the key queries f, the adversary respectively constructs the circuit and and sends them to the challenger of the and receives an obfuscation . Then, the adversary gives to .(4)The adversary runs the rest of the experiment according to the Game 1.(5)At last, the adversary gives the output of the game to the adversary and the obfuscation challenger.We happen to be in experiment when the challenger of chose the circuit ; We happen to be in experiment when the challenger of chose the circuit . Therefore, if the adversary can distinguish between the two experiments with nonnegligible advantage, then the adversary can break the security of indistinguishable obfuscator with the same advantage.
In summary, Game 1 is computationally indistinguishable from Game 2.

Lemma 2. If is a computationally hiding commitment scheme, Game 2 is computationally indistinguishable from Game 3.

Proof. We can see that the difference between Game 2 and Game 3 lies only in the calculation method of the commitment C. In the former game, Game 2, C is a commitment for ; however, in the latter game, Game 3, C is a commitment for . It is important to note that the random number used to compute C is never used anywhere. Therefore, the property of computational hiding in the commitment guarantees that Game 2 is computationally indistinguishable from Game 3.

Lemma 3. Because of witness indistinguishability of , Game 3 is computationally indistinguishable from Game 4.

Proof. We can see that the difference between Game 3 and Game 4 lies only in the witness used. In Game 3, for proving that and are encryptions of the same message, we use the real witness to compute π. However, in Game 4, for proving that C is a commitment for , we use the trapdoor witness to compute π. Since is witness indistinguishable, Game 3 is computationally indistinguishable from Game 4.

Lemma 4. If is a semantically secure public key encryption scheme, Game 4 is computationally indistinguishable from Game 5.

Proof. We can see that the difference between Game 4 and Game 5 lies only in the calculation method of the second ciphertexts in the challenge ciphertexts . In Game 4, is an encryption of the random message , while in Game 5, is an encryption of the random message . Next, we show that if there is an adversary who can distinguish Game 4 from Game 5, there is an adversary who can break the semantic security of the public key encryption system. The adversary is designed as follows:(1)At first, the adversary received a public key from the challenger.(2) generates , , and chooses a symmetric encryption scheme . Next, the adversary encrypts the string using to compute the ciphertext .(3)The adversary sends to the challenger and receives a ciphertext . Then, computes the commitment .(4)The adversary runs the rest of the experiment according to Game 4 and Game 5.(5)At last, the adversary received the output of the experiment from the adversary .(6)If adversary outputs Game 4, the adversary outputs that is an encryption of , otherwise outputs that is an encryption of .We can see that the adversary just runs Game 4 when is an encryption of , and just runs Game 5 when is an encryption of . Therefore, if there exists an adversary who can distinguish the outputs of the two games with nonnegligible advantage, we can construct another adversary who can break the semantic security of public key encryption with nonnegligible advantage.

Lemma 5. If is perfectly binding, and is statistically sound, is an indistinguishable obfuscator and Game 5 and Game 6 are computationally indistinguishable.

Proof. Similar to the proof of Lemma 1, we firstly prove that for any input , outputs if and only if outputs .
We can see that both and output if and only if the proof π is invalid, that is, ().
So we need to consider valid inputs only. Then, we will prove that all valid inputs meet one of the following properties:(i) and are encryptions for the same message(ii)There exists an i such that We are going to use a proof by contradiction here. We assume that there is a valid input that satisfies neither of the above properties. Because is statistically sound, the statement must have either a real witness or a trapdoor witness when the input is valid. However, because and are encryptions of different messages, the real witness does not exist. Therefore, there must be a trapdoor witness to make the input valid. That means there is s such that . On the other hand, since and is perfectly binding, . Thus, we get a contradiction, and the assumption is not true.
Next, we will prove that for any input , .
If both and are encryptions for the same message, then , and . Therefore, both and output . On the other hand, if there is an i satisfying , then both and output . Therefore, for all valid inputs, and have same output for the same input, that is, .
In summary, if there exists an adversary which can distinguish the outputs of these games with nonnegligible advantage, we can construct another adversary which can break the security of indistinguishable obfuscation with the same advantage.

Lemma 6. Game 6 is computationally indistinguishable from Game 7, when is a semantically secure public key encryption scheme.

Proof. The proof method of this lemma is the same as the proof method of lemma 4, so it is omitted here.

Lemma 7. Game 7 is computationally indistinguishable from Game 8.

Proof. We can see that Game 7 and Game 8 differ in the secret key used in the symmetric encryption scheme. In Game 7, is used to encrypt , while in Game 8, is used to encrypt . We can find that both and are chosen randomly from the key space of symmetric encryption scheme. So Game 7 is computationally indistinguishable from Game 8.

Lemma 8. The outputs of Game 8 and Game 9 are computationally indistinguishable when is a semantically secure symmetric encryption scheme.

Proof. Since the proof method of this lemma is the same as that of lemma 4, the proof process is omitted here.

Lemma 9. The outputs of Game 9 and Game 10 are computationally indistinguishable when is a semantically secure public key encryption scheme.

Proof. Since the proof method of this lemma is the same as that of lemma 4, the proof process is omitted here.

Lemma 10. Game 10 and Game 11 are computationally indistinguishable when is statistically sound, is perfectly binding, and is an indistinguishable obfuscator.

Proof. Since the proof method of this lemma is the same as that of lemma 5, the proof process is omitted here.

Lemma 11. The outputs of Game 11 and Game 12 are computationally indistinguishable when is a semantically secure public key encryption scheme.

Proof. Since the proof method of this lemma is the same as that of lemma 4, the proof process is omitted here.

Lemma 12. Because of witness indistinguishability of , Game 12 and Game 13 are computationally indistinguishable.

Proof. Since the proof method of this lemma is the same as that of lemma 3, the proof process is omitted here.

Lemma 13. Game 13 is computationally indistinguishable from Game 14 when is a computationally hiding commitment scheme.

Proof. Since the proof method of this lemma is the same as that of lemma 2, the proof process is omitted here.

6. Conclusion

We firstly design a function encryption scheme using the key encapsulation mechanism in this paper. This mechanism combines public key encryption with symmetric encryption. We encrypt the message using symmetric encryption, and then we encrypt the key of symmetric encryption using public key encryption. In the construction of function encryption scheme, we use noninteractive witness indistinguishable proof, commitment scheme, and indistinguishable obfuscator. Finally, the indistinguishable security of the designed function encryption is proven.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (No. 11401172) and Science and Technology Project of Henan Educational Committee of China (No. 20A520012).

References

G. Craig, A Fully Homomorphic Encryption Scheme, Stanford University, Stanford, CA, USA, 2009.
A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 457–473, Aarhus, Denmark, May 2005.
View at: Google Scholar
D. Boneh, A. Sahai, and B. Waters, “Functional encryption: definitions and challenges,” in Proceedings of the 8th Theory of Cryptography Conference, TCC 2011, pp. 253–273, Providence, RI, USA, March 2011.
View at: Google Scholar
D. Boneh and B. Waters, “Conjunctive, subset, and range queries on encrypted data,” in Proceedings of the 4th Theory of Cryptography Conference, TCC 2007, pp. 535–554, Amsterdam, The Netherlands, February 2007.
View at: Google Scholar
V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 89–98, Alexandria, VA, USA, October-November 2006.
View at: Google Scholar
J. Katz, A. Sahai, and B. Waters, “Predicate encryption supporting disjunctions, polynomial equations, and inner products,” in Proceedings of the 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 146–162, Istanbul, Turkey, April 2008.
View at: Google Scholar
A. O’Neill, “Definitional issues in functional encryption,” Tech. Rep., 2010, Cryptology ePrint Archive: Report 2010/556.
View at: Google Scholar
S. Goldwasser and M. Bellare, Lecture Notes on Cryptography, MIT Laboratory of Computer Science, Cambridge, MA, USA, 2001.
A. Sahai and B. Waters, Slides on Functional Encryption, PowerPoint Presentation, 2008.
S. Gorbunov, V. Vaikuntanathan, and H. Wee, “Functional encryption with bounded collusions via multi-party computation,” in Proceedings of the 32nd Annual Cryptology Conference, pp. 162–179, Santa Barbara, CA, USA, August 2012.
View at: Google Scholar
B. Waters, “A punctured programming approach to adaptively secure functional encryption,” in Proceedings of the 35th Annual Cryptology Conference, pp. 678–697, Santa Barbara, CA, USA, August 2015.
View at: Google Scholar
S. Garg, C. Gentry, S. Halevi, and M. Zhandry, “Functional encryption without obfuscation,” in Proceedings of the 13th International Conference on Theory of Cryptography, TCC 2016, pp. 480–511, Tel Aviv, Israel, January 2016.
View at: Google Scholar
P. Ananth, Z. Brakerski, G. Segev, and V. Vaikuntanathan, “From selective to adaptive security in functional encryption,” in Proceedings of the 35th Annual Cryptology Conference, pp. 657–677, Santa Barbara, CA, USA, August 2015.
View at: Google Scholar
B. Waters, “Functional encryption for regular languages,” in Proceedings of the 32nd Annual Cryptology Conference, pp. 218–235, Santa Barbara, CA, USA, August 2012.
View at: Google Scholar
S. C. Ramanna, “DFA-based functional encryption: adaptive security from dual system encryption,” Tech. Rep., 2013, IACR Cryptology ePrint Archive: Report 2013/638.
View at: Google Scholar
S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, and B. Waters, “Candidate indistinguishability obfuscation and functional encryption for all circuits,” in Proceedings of the 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, pp. 40–49, Berkeley, CA, USA, October 2013.
View at: Google Scholar
S. Goldwasser, Y. T. Kalai, R. A. Popa, V. Vaikuntanathan, and N. Zeldovich, “Reusable garbled circuits and succinct functional encryption,” in Proceedings of the Symposium on Theory of Computing Conference, STOC’13, pp. 555–564, Palo Alto, CA, USA, June 2013.
View at: Google Scholar
S. Goldwasser, V. Goyal, A. Jain, and A. Sahai, “Multi-input functional encryption,” Tech. Rep., 2013, IACR Cryptology ePrint Archive Report: 2013/727.
View at: Google Scholar
D. Boneh, C. Gentry, S. Gorbunov et al., “Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits,” in Proceedings of the 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 533–556, Copenhagen, Denmark, May 2014.
View at: Google Scholar
V. Goyal, A. Jain, V. Koppula, and A. Sahai, “Functional encryption for randomized functionalities,” in Proceedings of the 12th Theory of Cryptography Conference, TCC 2015, pp. 325–351, Warsaw, Poland, March 2015.
View at: Google Scholar
Z. Brakerski and G. Segev, “Function-private functional encryption in the private-key setting,” in Proceedings of the 12th Theory of Cryptography Conference, TCC 2015, pp. 306–324, Warsaw, Poland, March 2015.
View at: Google Scholar
M. Abdalla, F. Bourse, A. D. Caro, and D. Pointcheval, “Simple functional encryption schemes for inner products,” in Proceedings of the 18th IACR International Conference on Practice and Theory in Public-Key Cryptography, pp. 733–751, Gaithersburg, MD, USA, March-April 2015.
View at: Google Scholar
A. Bishop, A. Jain, and L. Kowalczyk, “Function-hiding inner product encryption,” in Proceedings of the 21st International Conference on the Theory and Application of Cryptology and Information Security, pp. 470–491, Auckland, New Zealand, November-December 2015.
View at: Google Scholar
P. Datta, R. Dutta, and S. Mukhopadhyay, “Functional encryption for inner product with full function privacy,” in Proceedings of the 19th IACR International Conference on Practice and Theory in Public-Key Cryptography, pp. 164–195, Taipei, Taiwan, March 2016.
View at: Google Scholar
S. Kim, K. Lewi, A. Mandal, H. Montgomery, A. Roy, and D. J. Wu, “Function-hiding inner product encryption is practical,” in Proceedings of the 11th International Conference on Security and Cryptography for Networks, SCN 2018, pp. 544–562, Amalfi, Italy, September 2018.
View at: Google Scholar
O. Goldreich, Foundations of Cryptographyčž Basic Tools, The Press Syndicate of the University of Cambridge, Cambridge, UK, 2001.
U. Feige and A. Shamir, “Witness indistinguishable and witness hiding protocols,” in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, pp. 416–426, Baltimore, MA, USA, May 1990.
View at: Google Scholar

Copyright

Copyright © 2019 Ping Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1153

Downloads

888

Citations