Practical CCA-Secure Functional Encryptions for Deterministic Functions

Wang, Huige; Chen, Kefei; Pan, Tianyu; Zhao, Yunlei

doi:https://doi.org/10.1155/2020/8823788

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusions Appendix Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2020 | Article ID 8823788 | https://doi.org/10.1155/2020/8823788

Practical CCA-Secure Functional Encryptions for Deterministic Functions

Huige Wang,^1,2Kefei Chen,^3,4Tianyu Pan,²and Yunlei Zhao^2,5,6

Academic Editor: Kaitai Liang

Received08 May 2020

Revised05 Jun 2020

Accepted20 Jul 2020

Published08 Sept 2020

Abstract

Functional encryption (FE) can implement fine-grained control to encrypted plaintext via permitting users to compute only some specified functions on the encrypted plaintext using private keys with respect to those functions. Recently, many FEs were put forward; nonetheless, most of them cannot resist chosen-ciphertext attacks (CCAs), especially for those in the secret-key settings. This changed with the work, i.e., a generic transformation of public-key functional encryption (PK-FE) from chosen-plaintext (CPA) to chosen-ciphertext (CCA), where the underlying schemes are required to have some special properties such as restricted delegation or verifiability features. However, examples for such underlying schemes with these features have not been found so far. Later, a CCA-secure functional encryption from projective hash functions was proposed, but their scheme only applies to inner product functions. To construct such a scheme, some nontrivial techniques will be needed. Our key contribution in this work is to propose CCA-secure functional encryptions in the PKE and SK environment, respectively. In the existing generic transformation from (adaptively) simulation-based CPA- (SIM-CPA-) secure ones for deterministic functions to (adaptively) simulation-based CCA- (SIM-CCA-) secure ones for randomized functions, whether the schemes were directly applied to CCA settings for deterministic functions is not implied. We give an affirmative answer and derive a SIM-CCA-secure scheme for deterministic functions by making some modifications on it. Again, based on this derived scheme, we also propose an (adaptively) indistinguishable CCA- (IND-CCA-) secure SK-FE for deterministic functions. The final results show that our scheme can be instantiated under both nonstandard assumptions (e.g., hard problems on multilinear maps and indistinguishability obfuscation (IO)) and under standard assumptions (e.g., DDH, RSA, LWE, and LPN).

1. Introduction

PKE is the most useful asymmetric encryption, which encrypted the plaintext using a public encryption key and decrypted the ciphertext using a private key only owned by the receiver. In particular, in this cryptosystem, without , nobody can get any sensitive information about plaintext. This type of cryptosystem does not work well in some special case where fine-grained access control functionality [1, 2] is needed to act on the decrypted plaintext. FE with this functionality was introduced by Boneh et al. [3]. Informally speaking, FE scheme [4–6] can encrypt a message into a ciphertext using a system public key. However, it can only recover a function value from the ciphertext with a private key associated with the function .

Security is a most important nature of functional encryption, among which indistinguishable chosen-plaintext attack (IND-CPA) security is the most common. IND-CPA security requires that an efficient adversary cannot distinguish the encryption of two different messages even if it allows the adversary to get some extra information such as allowing them access the private key oracle. Furthermore, according to the capability of the adversary, security can be classified into the selective mode and adaptive mode. In the former, the challenge message must be chosen before the public parameter and private key is generated, while in the latter, it may be chosen at any time.

Constructing FE for general functionalities with adaptive IND-CCA [7] security has been an open problem. Now, expressive functional encryptions with adaptive security have got rapid development. In 2015, Ananth et al. proposed an adaptively secure FE from the selective one [8]. The same year, Waters also presented an adaptively secure FE, but it relies on the strong IO assumption [9–11].

1.1. CCA Security

Although a wealth of results have been obtained on IND-CPA security, those schemes can only resist passive attacks. In order to resist active attacks, an IND-CCA security notion is required which is the same as IND-CPA but with exception that it additionally allows the adversary to access a decryption oracle. IND-CCA security in PKE settings has got richly studied by many researchers. Also, in the IBE [12] and ABE [13] settings, it also got extensively studied. Although IBEs and ABEs are subordinate to functional encryption, none of them could apply to general functions. Thus, studying FE with CCA security for arbitrary functions is necessary. In particular, although we allow the adversary to decrypt any ciphertext with private keys, it obtains by making key queries, and the security equipped with decryption oracle is still stronger than that without decryption oracle. The reason is, for any decryption query , the challenger can use the private key to decrypt , even conditioned on , but if without decryption oracle, the private key conditioned on is not allowed to obtain, and thus, cannot be decrypted with this key. Simulation-based CCA (SIM-CCA) is a stronger notion than IND-CCA, meaning that the reduction can be simulated via a probability polynomial time (PPT) simulator who only knows partial information and parameters that the system allows.

The FEs with CCA security are presented in [14, 15]. In [14], Benhamouda et al. proposed a CCA-secure functional encryption (FE) that only solves the CCA security in FE based on the projective hash functions. In [15], Nandi and Pandit also solved this problem but with strong restrictions (e.g., needing restricted delegation or verifiability on the underlying IND-CPA FE). However, up to now, it is not known whether the underlying schemes with these special properties exist. Although the generic transformation of Naor and Yung’s [16] from IND-CPA to IND-CCA encryption scheme can be adapted to functional encryption, it is only applied to the nonadaptive case in the public-key setting. Of course, it may achieve unbounded collusions, but which is not the key point we focus on in this paper. In particular, in Naor and Yung’s generic transformation, the encryption needs to run the original PK-FE twice.

1.2. Our Contributions

To construct functional encryptions with CCA security, some nontrivial techniques will be needed. We propose two (adaptively) CCA-secure generic construction for FE with CCA security for deterministic generic functions where one is in PKE settings and the other is in private-key settings. These generic constructions first yield practical FE that can be instantiated in the standard assumptions.

We first construct an (adaptively) SIM-CCA-secure PK-FE for deterministic functions by making a small modification on Agrawal and Wu’s SIM-CCA-secure PK-FE for randomized functions. Then, using the PK-FE scheme together with a NIZK equipped with the property of extractabilities, we construct an (adaptively) IND-CCA-secure SK-FE scheme. Particularly, in our construction, SIM-CPA-secure PK-FE can be used in a black-box way. Thus, the constructed SK-FE can also be based on the same assumption as the underlying PK-FE scheme.

1.3. An Informal Description of Our Schemes

Our constructions are inspired by Agrawal and Wu’s generic transformation of PK-FE from deterministic functions to randomized functions [17]. Our solutions can work on standard assumptions and are more efficient than that by Naor and Yung’s generic transformation (since we only use the original primitive once rather than twice which is the case in Naor and Yung’s generic transformation). They are essentially optimal in communication size: in the derived PK-FE with SIM-CCA security, the public parameter and private key are almost equal to that in the underlying PK-FE, while the ciphertext consists of a PK-FE ciphertext and a NIZK proof. In the SK-FE with IND-CCA security, in addition to a PK-FE ciphertext and a NIZK proof, the final ciphertext also adds an SE ciphertext. In Agrawal and Wu’s generic CPA-to-CCA transformation from deterministic functions to randomized functions, they use a simulation-sound extractable NIZK to implement CPA-to-CCA transformation and a -RKA-secure PRF and a one-way permutation to implement deterministic-to-randomized function transformation. Concretely, in the decryption query, e.g., , where is a function, the simulator deals with the decryption by first employing the NIZK to extract a message from the ciphertext and then evaluating function on . Thus, the simulator can perfectly realize the decryption functionalities under the extractability of the NIZK. For the deterministic-to-randomized function transformation, the core idea is to use a PRF to remove randomization on the function. Specifically, the scheme transforms the encryption of to that of the pair with randomness under the SIM-CPA FE scheme where is a one-way permutation and is a hardcore function of . In the construction of the private key for a randomized function , the scheme first constructs a “derandomize” function and then computes a SIM-CPA FE private key for function . The decryption algorithm uses to recover from a ciphertext which encrypts the message . For our goals of deterministic functions, we remove the and one-way permutation used for implementing the deterministic-to-randomization function transformation and directly define the final private key as that of the SIM-CPA PK-FE for deterministic functions. Luckily, the removal operation does not affect the CPA-to-CCA transformation since the and does not participate in the transformation. In this way, we get a SIM-CCA-secure PK-FE scheme for deterministic functions.

In the construction of adaptive IND-CCA SK-FE, a similar methodology proposed by Elkind and Sahai in [18] is adopted. In their construction, the encryption scheme is designed by first constructing a “bare” oblivious-decryptor scheme (ODS) and then employing a designated-verifier NIZK to achieve adaptive CCA security. More specifically, their scheme first encrypted message under the ODS encryption into a ciphertext and then employed a designated-verifier NIZK to prove of .

Compared with their scheme, our work on IND-CCA security for SK-FE uses some seemingly different techniques. In our scheme, beyond a standard simulation-sound NIZK and a PK-FE scheme secure against SIM-CCA, we also use a semantically secure symmetric encryption (SE). The symmetric encryption is used to mask the message directly. Particularly, in order to enable decrypting, the SE ciphertext together with the symmetric key are reencrypted in a PK-FE ciphertext. A simulation-sound NIZK proof functions as a “well-formedness” condition on the symmetric ciphertext and is contained in the overall ciphertext. The underlying PK-FE scheme corresponds to the oblivious-decryptor scheme by Elkind and Sahai [18], whose SIM-CCA security together with the standard NIZK proof is used for rejecting ill-formed ciphertexts.

Note that simulation security is strong; in particular, it implies that we have to restrict ourselves to either secure against bounded collusion, which may hinder the practicability of the scheme, or to simple functionality (for example, IBE), for which the scheme cannot be simulation secure against bounded collusion. Although a weak notion, for example, an IND-CPA-secure SK-FE which may induce a more practical scheme or simple functionality, it is not applicable to our construction. This is because, when we directly use the weak scheme, during the decryption query phase, the master secret key encrypted in the underlying SK-FE ciphertext can be extracted out by the NIZK.

2. Preliminaries

2.1. Noninteractive Zero Knowledge (NIZK)

Here, we first explain several notions. a PPT binary relation which takes as input a statement and the corresponding witness and outputs a bit indicating whether belongs to the language .

Definition 1. A NIZK system with respect to a relation consists of three PPT algorithms . Setup: ), where denotes the common random string, which is public and can be accessed by anyone. Prove: , where denotes the proof which proves that it owns the secret witness of the statement . Verification: , where denotes the verifier “accept” and denotes “reject”. Perfect completeness: an argument system is perfectly complete if for all PPT adversaries , the following holds: Computational soundness: the computational soundness of the scheme is demonstrated as follows, where is a PPT algorithm:

Definition 2. (zero knowledge). A system is said to be computational zero-knowledge if is a PPT simulator s.t. for all PPT , the following holds:where the oracles and are demonstrated as follows:(i)The oracle takes as input a pair and outputs if ; o.w. outputs .(ii)The oracle is the simulator algorithm, which takes as input and outputs if ; o.w. outputs .

Definition 3. (simulation-sound extractability). Let be a NIZK with respect to a relation and be a PPT simulator. Then, satisfies the notion of simulation-sound extractability if is an extraction algorithm s.t.where is the set that contains all queries makes to and the answers from .

2.2. Symmetric Encryption and Semantic Security

Let be a symmetric encryption (SE), be the secret key space, and be the message space. These PPT algorithms work as follows: (1) the key-generation algorithm works as ; (2) the encryption algorithm works as ; and (3) the decryption algorithm works as .

Correctness of the scheme is obvious.

Definition 4. (semantic security). An is called semantic security (SS), if for all PPT in the game (see Figure 1) played by , the function is negligible in (security parameter), where .

3. PK-FE [8]

Let , , and , where each takes as input a string and outputs .

3.1. Definition of PK-FE

A PK-FE scheme , , , consists of the following four PPT algorithms: Setup: the setup algorithm works as , where denotes the master public key and denotes the master secret key. Private key generation: this algorithm works as , where denotes a deterministic function. Encryption: the encryption algorithm works as , where denotes a plaintext and denotes the generated ciphertext. Decryption: the decryption algorithm works as . Perfect correctness: for all sufficient large , , , and , the correct implies that

3.2. Simulation-Based Chosen-Ciphertext Security

For security, we give the definitions of simulation-based chosen-ciphertext (SIM-CCA) security and indistinguishability-based chosen-ciphertext (IND-CCA) security, respectively. We first give the definition of SIM-CCA security, where (see Figure 2) denotes the SIM-CCA game played by a PPT adversary .

Then, we define the advantage of the adversary in game as .

3.2.1. Oracles

(i)Real Game. In this game, both oracles and invoke the algorithm when makes key queries to and copyright has been updated in VTW, please repush task to validation. Oracle acts as the decryption oracle, i.e., when makes a decryption query , the oracle first invokes to obtain and then computes for all , where and outputs the ordered set . In this game, an ordered set is used to denote the functions that the adversary made queries to and used to denote the answers of the oracle .(ii)Ideal Game. In the ideal game, oracles and denote the simulator algorithms and . Simulator takes a key query as input and outputs a key for function . For simulator , besides given as input, it is also allowed to access an oracle , which inputs a function and returns for all . The (ordered) set denotes the functions that the adversary had made key queries to oracles and . Taking as input, oracle invokes the simulator to obtain or for each . Next, for each , if , then set ; otherwise, compute . Finally, it outputs the ordered set . For convenience, we abbreviate as .

Here, we give a further restriction on decryption queries. First, we give an equivalence relation notation functioning on ciphertext space . We say that any two ciphertexts satisfy, if for all , and so that one of the following conditions holds:(i) or .(ii).

Next, we give the restriction on decryption queries, namely, for each decryption query , whether in ideal game or real game, we require that, for all and , then , and for all , , and the challenge ciphertext , it must hold .

Definition 5. (SIM-CCA). We say that a PK-FE scheme for deterministic functions is -simulation-based chosen-ciphertext secure (-SIM-CCA secure) if for any efficient adversary where and make at most and key-generation queries, respectively, there exists an over ciphertext space () and a PPT simulator s.t. the advantage is negligible.
One thing in particular to note is that, in the SIM-CCA security game, if we disallow the adversary to query decryption oracles and , then the game becomes SIM-CPA game.

3.3. Indistinguishable-Based Chosen-Ciphertext Security

For the IND-CCA security, (see Figure 3) denotes the IND-CCA game played by a PPT adversary . We define the advantage function as .

In the above game, we require that if the ordered set denotes all key queries and denotes all challenge message pairs delivered by the adversary , then the distributions and are identical. Now, we give the definitions of oracles below.

3.3.1. Oracles

(i) denotes a key-generation oracle which, on inputting a function , invokes the key-generation algorithm to obtain a key for function .(ii) denotes a decryption oracle which, on taking as input a tuple such that , first invokes the key-generation algorithm to obtain a key and then computes and outputs .

Note that the above definition is secure, and it is easily modified to the nonadaptive security by requiring the adversary to specify two challenge messages before obtaining the master public key and function keys. In this paper, we only pay attention to the security.

Definition 6. (IND-CCA for PK-FE). We say that a PK-FE scheme for deterministic functions is adaptively indistinguishable chosen-ciphertext secure (-IND-CCA secure) if for any PPT adversary where and make at most and key-generation queries, respectively, and we have that the function value is negligible.
In particular, as remarked in [19], the above definition can be trivially extended to multiple challenge message security, i.e., adaptive -IND-CCA security where , , and are polynomials in . Particularly, we stress that the SIM-CCA security described in Section 3.2 implies IND-CCA security.

Lemma 1. Assume that a PK-FE scheme is adaptively SIM-CCA secure, then is also adaptively IND-CCA secure.

The proof is described in Appendix A.

4. Private-Key Functional Encryption

Here, we give the definition of SK-FE for deterministic functions. Let = , , , and be an SK-FE scheme defined over function space and message space , respectively. The detailed definition is given as follows: Setup: the setup algorithm computes , where denotes the system public parameter , denotes the system master secret key, and the public parameter is implied in the following algorithms: Key generation: the key-generation algorithm computes , where denotes the generated private key. Encryption: the encryption algorithm computes , where denotes the being encrypted message and denotes the generated ciphertext. Decryption: the decryption algorithm computes , where denotes the final decrypted result.

Here, we give the perfect correctness of scheme SK-FE, which says that, for all sufficient large , , , and , it holds that .

4.1. Indistinguishable-Based Chosen-Ciphertext

Here, we review the IND-CCA of the SK-FE from [8]. In Figure 4, denotes the IND-CCA game played by a PPT adversary . The advantage function is defined as .

In the above game, we require that all challenge messages that the adversary delivers in the encryption queries to oracle satisfy for all the functions that the adversary makes queries to the key-generation oracle , where and denote the challenge message that the adversary delivers in the challenge phase. In the following, we define the functionalities of the oracles.

4.1.1. Oracles

(i) denotes the key-generation oracle which means that when the adversary makes a function query , the oracle invokes the algorithm to get a private key .(ii) denotes an encryption oracle. On taking as input two messages , it invokes to obtain for a random bit . We denote all challenge ciphertexts as .(iii) denotes a decryption oracle which, on taking as input a tuple such that , invokes the algorithm to obtain a private key and outputs .

Note that the above definition is secure and is easily modified to the nonadaptively security by requiring the adversary to make encryption queries before key queries.

Definition 7. (IND-CCA for SK-FE). We say that an SK-FE scheme for deterministic functions is adaptively indistinguishability-based chosen-ciphertext secure (adaptively IND-CCA secure) if for all PPT , the advantage is negligible in .

5. Construction of SIM-CCA-Secure PK-FE

In this section, we modify Agrawal and Wu’s generic transformation [17] to the setting of deterministic functions.

The modified scheme needs the following building blocks:(i)A NIZK argument = (, , ) with simulation-sound extractability.(ii)An (adaptively) SIM-CPA-secure PK-FE scheme = (, , , ).

A SIM-CCA-secure PK-FE scheme = (, , , ) is constructed as follows:(i)The setup algorithm: . This algorithm first runs and and then sets and and releases in public.(ii)The key-generation algorithm: . This algorithm first parses and then runs and sets .(iii)The encryption algorithm: on taking as input and a message , this algorithm first samples a randomness and runs to get and then computes , where , the witness , and . The relation and language satisfy the following equation: The final ciphertext is set as .(iv)The decryption algorithm: on taking as input a private key and a ciphertext , the decryption algorithm first verifies whether , where ; if so, it computes and outputs ; otherwise, it outputs .

It is easy to see that the correctness of the scheme follows from the completeness of and the correctness of .

Theorem 1. If is a simulation-sound extractable noninteractive zero-knowledge argument, is perfectly correct -SIM-CPA-secure PK-FE scheme for deterministic function class , then is -SIM-CCA-secure functional encryption scheme for the same function class.

Like [17], our definition also requires that the equivalence relation over the ciphertext space is satisfied, i.e., given any two ciphertexts , , the equivalence relation holds, if .

To prove Theorem 1, we will construct an ideal-world simulator for the scheme . Let be the simulator for the scheme and and be the simulator and extractor for the scheme , respectively.

5.1. Simulator

The setup simulator proceeds as follows. On taking as input , it first runs and then invokes , where denotes a common random string, denotes a simulation trapdoor, and denotes an extraction trapdoor. It finally sets and and outputs .

5.2. Simulator

The prechallenge key-generation query simulator proceeds as follows. On taking as input and , it runs . Then, it outputs the key and a fresh state .

5.3. Simulator

simulates the challenge ciphertext query procedure. On taking as input a statement and a function value set , proceeds as follows. It first computes ; then for each , it computes argument with the statement described as follows:where are the challenge messages that the adversary delivers. At the end of the simulation, it outputs a challenge ciphertext set and an updated state , where .

5.4. Simulator

simulates the postchallenge key-generation queries with the help of the oracle . Once getting input and , it first computes with the help of oracle and then outputs and , where the oracle is defined as follows: for any input function , it returns for all .

5.5. Simulator

The decryption query simulator takes as input and , and it parses and . Define the statement as

If , it stops and outputs ; otherwise, it computes . Finally, it outputs the massage and state .

5.6. Hybrid Games

For Theorem 1, we prove it via 4 hybrid games where the first game is the real-world game and the last game is the simulator game. Each game contains the following phases: Setup: in this phase, the challenger generates the system public key . Prechallenge queries: in this procedure, is allowed to issue the key-generation queries and decryption query such that for all decryption queries and any , and , it holds that . Challenge: when the adversary submits a vector of messages to the challenger, the challenger replies with . Postchallenge queries: in this procedure, the adversary is again allowed to issue key-generation and decryption queries but with a further restriction that decryption query can be only allowed to contain queries such that , where for and is the challenge ciphertext for . Output: finally, the adversary outputs a guess of the challenge bit . Each of the hybrid games is described in detail as follows: Hybrid : this is the game in the real settings where the challenger interacts with the adversary. Hybrid : same as except that the way that the common random string in the setup phase and the arguments in the challenge ciphertexts are generated. Specifically, in the setup phase, the challenger uses . In the challenge phase, the challenger uses the simulator to generate the challenge argument in the challenge ciphertexts. Let be the challenge messages. It samples and computes and for , where the statement is described as in equation (1). Finally, the challenger sets and and sends and to the adversary . Hybrid : same as except that the challenger answers the decryption queries by extracting the message-randomness pair from the noninteractive zero-knowledge argument . Specifically, in the setup phase, the procedure is same as hybrid except that the challenger computes . In the prechallenge phase, the key-generation queries are dealt with as in , while the decryption queries are processed as follows: for query , where and for , and let be the statement as described in equation (2). If , set ; otherwise, it invokes the extractor to obtain a witness and sets . Finally, is sent to . Hybrid : same as but with the difference that the challenger uses the simulator to interact with the adversary. Specifically, in the setup phase, the challenger computes . In the prechallenge phase, the decryption queries are dealt with as in hybrid , while the key generation is handled as follows: for each query , it runs to obtain private key . In the challenge phase, let be the function that the adversary has made queries in the key-generation phase and be the challenge messages that the adversary queries. It computes for all and and invokes the simulator to obtain . In the postchallenge queries, the decryption queries are processed as in hybrid , but the key-generation queries are processed differently as below: the challenger invokes under the help of the oracle to obtain the private key .

Claim 1. If is a computationally noninteractive zero-knowledge argument system, then hybrids and are computationally indistinguishable.

Proof. The hybrid games and are different in that, in , the challenger uses the NIZK simulator to compute the CRS and arguments. It is easy to see that the claim follows from the computational zero-knowledge of NIZK.
Concretely, let be an efficient adversary distinguishing hybrid games and . is used to construct an algorithm that tries to distinguish the real and simulated distributions of the NIZK. takes as input and is allowed to access to an argument oracle. In the setup, computes and sets and . It then sends to . In the challenge phase, when delivers challenge message , the algorithm samples and computes for each . Let be the statement in equation (2). delivers to its challenger and obtains an argument . Finally, obtains and .
The rest steps are processed in the same way as in and . Finally, outputs whatever outputs. Obviously, if the CRS and NIZK arguments are computed honestly, then simulates the settings of ; otherwise, it simulates the settings of . Thus, the lemma follows.

Claim 2. If is simulation-sound extractable and is perfectly correct, then hybrids and are computationally indistinguishable.

Proof. Hybrids and are identical but only with the difference in the way the challenger responds to decryption queries. Conditioned on the simulation-sound extractability of and perfect correctness of , the two games are computationally indistinguishable. Let be the decryption query pair that the adversary makes, where and .
The procedure can be classified into two cases. If can pass the verification, the challenger sets in both and . Otherwise, it is easy to see that the adversary cannot submit any challenge ciphertexts in the decryption queries. Thus, was not generated by the challenger using . Thus, by simulation-sound extractability, with probability at least , the extraction algorithm on and will produce a witness to make hold. Furthermore, by perfect correctness of , is the only pair corresponding to .
In addition, in , the challenger first computes and then sets . By the underlying PK-FE scheme , , which is exactly the output in after is extracted. Therefore, with probability , the distributions in both and are identical.

Claim 3. If is a -SIM-CPA-secure FE scheme for deterministic function family , then hybrids and are computationally indistinguishable.

Proof. Suppose is a distinguisher for hybrids and . is used to construct an algorithm that distinguishes and . Then, the detailed simulation procedure is processed as follows.

5.7. The Construction of

On taking as input which is generated by or , the setup and prechallenge queries are simulated as follows: : in this phase, the adversary first computes a simulated tuple . It then sets and sends to . : in this phase, when makes a function key query , the adversary queries its prechallenge key-generation oracle to obtain a key which is generated by or , while the decryption queries are the same as in and .

5.8. Adversary

On taking as input and a state from , the adversary simulates the challenge phase and postchallenge queries as follows: : in this procedure, when the adversary outputs a challenge message vector , the adversary queries its challenge oracle to obtain challenge ciphertext set for . It then computes and sets for each , where is described as in equation (1). It finally sends to . : the simulation of this procedure is the same as prechallenge procedure, except that queries his postchallenge key-generation oracle with the help of oracle to obtain a key which is generated by or .

At the end, outputs what outputs. Obviously, if takes part in the game , then the view of is computationally indistinguishable from ; otherwise, if takes part in the ideal game , then the view of is computationally indistinguishable from . Thus, the proof follows from the -SIM-CPA security of the scheme .

Remark 1. Note that applying the above simulation-sound extractable NIZK to the secret-key settings for implementing the IND-CPA-to-IND-CCA security transformation is impossible. This is because beyond the encrypted message, the extractor of the NIZK also extracts out the master secret key used for a secret parameter in the encryption process. Once the extractor obtains the master secret key, it can use it to forge the private keys for any functions of its choice.
In the following, we will use the SIM-CCA-secure PK-FE proposed above and a NIZK scheme to put forward an IND-CCA-secure SK-FE.

6. Construction of SK-FE

Here, we give an IND-CCA-secure SK-FE from SIM-CCA-secure PK-FE. Let = , , , be the scheme and and the associated function space and message space, respectively. The building blocks used in the scheme are as follows:(i)A noninteractive zero-knowledge argument over the common random string space and proof space .(ii)A semantically secure symmetric encryption scheme over the key space , message space , and ciphertext space .(iii)A SIM-CCA-secure PK-FE scheme = , , , over the message space and function space .

In particular, note that in this construction, the message space of the scheme is identical to that of the scheme , namely, . Setup: taking as input, the algorithm first computes , , and . Then, it outputs the public parameter and master secret key . Note that the parameter is implicitly contained in the following algorithms. Encryption: taking a master secret key and a message as input, the algorithm first parses into . It then computes a symmetric encryption ciphertext , an argument , and a PK-FE ciphertext . It finally outputs the overall ciphertext . Key generation: taking a master secret key and a function as input, the algorithm first parses into and then constructs a universal circuit (see Figure 5) and computes . It finally outputs the private key . Decryption: taking a private key and a ciphertext as input, the algorithm first verifies whether ; if so, it computes and outputs ; otherwise, it outputs .

The correctness follows from Theorem 2.

Theorem 2. If is perfectly correct, is a correct SE scheme, is a perfectly complete NIZK, and the circuit is correctly defined, then the scheme is a correct SK-FE scheme.

Proof. It is easily observed the correctness of follows from the perfect-completeness of , the perfect correctness of , the correctness of , and the correct definition of the circuit .

Proof. . Our construction is inspired by Agrawal and Wu’s generic transformation for PK-FE from deterministic functions to randomized functions [17]. From their scheme, we first derive an SIM-CCA-secure PK-FE for deterministic functions by removing -RKA-secure pseudorandom function PRF and one-way permutation used to implement the deterministic-to-randomized function transformation (note that the details of Agrawal and Wu’s scheme can be found in [17], we will not dwell on them here). Then using the derived PK-FE together with a semantically secure symmetric encryption (SE) and a standard NIZK, we obtain an SK-FE scheme with IND-CCA security. Roughly speaking, the plaintext is masked with the SE scheme (where the symmetric key of the SE is a part of the master secret key), then it computes a proof under the NIZK which is used for verifying whether the SE ciphertext encrypts correct plaintext. In order to ensure correct decryption, we reencrypt the SE ciphertext together with the proof and the symmetric key under the derived PK-FE scheme, in which the symmetric key and the SE ciphertext make sure that the scheme enables to decrypt and the proof makes sure that ill-formed SE ciphertext can be rejected in the final scheme.
The security follows Theorem 3.

Theorem 3. If the NIZK argument is computationally indistinguishable, the SE scheme is semantically secure, the PK-FE scheme is perfectly correct (adaptively) -SIM-CCA secure, then the SK-FE scheme described above is (adaptively) IND-CCA secure, where the adversary makes at most key queries and challenge queries.

Proof. We adopt a similar proof method as that of Theorem 1. Likewise, each game contains the following procedures: Setup: the challenger computes the parameter . Key generation query: in this procedure, the adversary may make prechallenge key queries and postchallenge key queries for functions . Particularly, note that, for all key queries and encryption queries as below, we require that . Encryption query: in this procedure, commits a collection of message pairs , and the challenger responds with . Decryption query: here, may make decryption queries , with a further restriction that decryption queries are only allowed to contain queries such that , where is the set of all encryption queries that has made in the encryption query procedure.In particular, since in the underlying PK-FE scheme , for any function and message pair (assume is an SE encryption of message under key and is an SE encryption of message under key , where and are the function and message pair that the IND-CCA adversary of the SK-FE scheme delivers in key query and encryption query phases) that the SIM-CCA adversary delivers in key query and encryption query phases, and it satisfies , namely, . Thus, the admissible condition still holds in our SK-FE scheme. Furthermore, like in the PK-FE, we also require that a similar equation relation over ciphertext space is satisfied, i.e., given any two ciphertexts and , we say , if .

6.1. Hybrid Games

: this is the premier game where the message is encrypted in the encryption query phase. : same as except that the generation of the common random string and the argument are replaced with the simulation mode of the scheme . : same as but with the difference that the simulator = , , , , is used to respond to the queries. : same as but with the difference that challenge message instead of is encrypted in the challenge ciphertext. In particular, the symmetric encryption computes the encryption of . : this is the same as except that the challenger uses the real algorithms of the scheme to respond to the queries. : this is the same as except that the generation of the common random string and argument is replaced with the real algorithms of the scheme .

Claim 4. If the NIZK argument is computational zero knowledge, then hybrids and are computationally indistinguishable.(i)At the setup phase, the adversary first samples and . Then, it sets and .(ii)In the key-generation procedure, when a key query is queried by , the adversary first constructs a universal circuit and then responds with .(iii)During the encryption query, when makes an encryption query , the adversary first computes a symmetric encryption . It then uses to query the oracle and obtains an argument (which is generated by the real algorithm or the simulation algorithm ). It next computes a PK-FE ciphertext . Finally, it sends to . Let denote the set of all challenge ciphertexts that obtains via encryption queries.(iv)In the decryption query phase, when makes query s.t. , the adversary first parses into and verifies whether . If so, it generates , computes, and outputs to .Proof. Assume and are distinguishable, then we can use the adversary that distinguishes and to construct an adversary that attempts to break the computational zero-knowledge property of . is given a common random string (which comes from the real algorithm or simulation algorithm) and may access to the oracle , which computes the argument for statements belonging to the language:
At the end, outputs whatever outputs.
From above, we can see that the adversary perfectly simulates the environment for . Obviously, if and are from the real algorithm, then simulates the hybrid for ; otherwise, it simulates for .

Claim 5. If the PK-FE scheme is (adaptively) -SIM-CCA secure, then hybrids and are computationally indistinguishable.

Proof. Assume that and are distinguishable, then an adversary that distinguishes and can be used to construct an adversary which tries to break through the SIM-CCA security of the scheme ; that is, the experiments and can be distinguished. In the security proof, will play the role of the challenger for the adversary . Let be the prechallenge key-generation oracle corresponding to the oracle in the real experiment and the oracle in the ideal experiment, be the postchallenge oracle corresponding to the oracle in the real experiment and the oracle in the ideal experiment, and be the decryption oracle corresponding to the oracle in the real experiment and the oracle in the ideal experiment. The reduction is described as follows:(i)At the begin, first gets . It then samples and and finally sets the public parameter .(ii)For the key-generation query, when makes a prechallenge key query , first constructs a universal circuit and then makes a query to the oracle , from which it obtains a key (which is generated by or ). When makes a postchallenge key query , the adversary queries to the oracle to obtain a key and sends it to (note that is generated by or ).(iii)During the encryption query, when makes an encryption query , the adversary first computes a symmetric encryption and an argument . It then makes a challenge query to its challenger, from which it obtains a PK-FE ciphertext (which is generated by or , where are the outputs of all functions on , and the set refers to all functions that the adversary makes queries to the oracle ). Finally, it sends the ciphertext to the adversary . Let be the set of all responses of this phase. Note that the adversary can make at most encryption queries in this phase.(iv)In the decryption query phase, when makes a query s.t. (for both prechallenge decryption queries and postchallenge decryption queries), the adversary first parses into . It then verifies whether . If the verification passes, a query is made to the oracle (for both prechallenge decryption queries and postchallenge decryption queries) to get the result and sends it to (note that is generated by the real decryption algorithm or the simulation algorithm of the scheme ).At the end, outputs whatever outputs.
From above, we can observe that the environment for is perfectly simulated by the adversary . Obviously, if the master public key , the private keys , the challenge ciphertexts , and the value are generated as in real experiment, then simulates hybrid for ; otherwise, it simulates hybrid for . Thus, if the adversary distinguishes hybrids and , then the adversary breaks the -SIM-CCA security of . The claims are as follows.

Claim 6. If the SE scheme is semantically secure, then games and are computationally indistinguishable.

Proof. Assume that and are distinguishable, then an adversary can be used to construct an algorithm that attempts to break through the semantic security of the scheme . In particular, the adversary is allowed to access the oracle that can generate ciphertexts for messages that the adversary chooses. Let be the challenger of the adversary .(i)In the setup phase, the adversary samples and and sets .(ii)In the key-generation phase, the adversary deals with the function key queries for as in hybrid .(iii)In the encryption phase, when queries the challenge plaintext pair , the adversary first delivers a pair to (its challenger) to get a symmetric ciphertext (which encrypts the message for a challenge bit ). It then computes an argument and an FE ciphertext (note that ), where the set refers to the functions that the adversary makes queries to the oracle . In the end, it sends the ciphertext to .Finally, outputs whatever outputs.
From above, we can observe that the adversary perfectly simulates the environment for . Obviously, if the challenge ciphertext encrypts the message , then simulates hybrid for ; if it encrypts the message , then simulates hybrid for . Thus, if the adversary distinguishes hybrids and , then the adversary breaks through the security of .

Claim 7. If the PK-FE scheme is SIM-CCA secure, then hybrids and are computationally indistinguishable.

Proof. The same as that of Claim 5.

Claim 8. If the NIZK argument is computationally zero-knowledge, then hybrids and are computationally indistinguishable.

Proof. The same as that of Claim 4.

Remark 2. Note that, since the generic function in the SK-FE scheme is hardwired in the circuit in the underlying PK-FE, the transformation in this paper is restricted to security against bounded collusion only. Removing this restriction by allowing only very specific functions seems violating our goals for genetic functions. Bounded collusion appears inherent in this type of FE schemes and solving it seems not easy. We left this work as an open problem and hope to solve it in the future.

7. Instantiation

7.1. Instantiations of the Primitives

Both primitives used by our generic construction can be designed under some standard assumptions. For example, the simulation-sound extractable NIZK arguments can be instantiated from RSA assumption, and the SE scheme can be instantiated from one-way functions.

7.1.1. Simulation-Sound Extractable NIZK Arguments

Agrawal and Wu [17] showed that the simulation-sound extractable NIZK argument can be constructed from trapdoor one-way permutations and dense cryptosystems by De Santis et al. [20] and both of which can be instantiated from RSA assumption.

7.1.2. Semantically Secure Symmetric Encryption

We note that the semantically secure symmetric encryption can be instantiated from one-way functions [21]. For example, it can be constructed from weak pseudorandom functions (wPRF) , namely, , and this wPRF can be again designed from only one-way functions.

7.2. Instantiations of the Underlying PK-FE

Here, we show several examples of how to instantiate a perfectly correct -SIM-CPA-secure functional encryption scheme to apply to our generic constructions with CCA security in both public key and private key settings. The results described below show that the SIM-CPA-secure PK-FE used to construct the SIM-CCA-secure PK-FE can be designed from both standard assumptions (such as DDH, RSA, LWE, and LPN) and nonstandard assumptions (such as IO and intractable problems on composite-order multilinear maps).

7.2.1. SIM-CPA-Secure PK-FE from Standard Assumptions

As in [22], Gorbunov et al. give a generic construction of PK-FE for a restricted number of secret key queries. Specifically, they proposed two and -SIM-CPA-secure PK-FE schemes for any class of deterministic functions computable by polynomial-size circuits based on the CPA-secure PKE and PRG computable by low-degree circuit. Particularly, both the PKE and PRG can be instantiated from standard assumptions. Concretely, the former can be designed based on the standard assumptions such as RSA [23], DDH [24], LWE [25], and LPN [26] assumptions, while the latter can be instantiated from the RSA assumption. Given the instantiated SIM-CPA-secure PK-FE, we obtain a SIM-CCA-secure PK-FE. Then using the SIM-CCA-secure PK-FE, we obtain an IND-CCA-secure SK-FE instantiable from the same assumptions.

7.2.2. SIM-CPA-Secure PK-FE from Nonstandard Assumptions

As in [17], an adaptively IND-CPA-secure PK-FE with overwhelming correctness from intractable assumptions on composite-order multilinear maps by Garg et al. [10] can be applied to construct a PK-FE with SIM-CPA security by employing the overwhelming-to-perfect correctness transformation proposed by Dwork et al. [27] and the IND-to-SIM security transformation proposed by Caro et al. [28], respectively. In addition, SIM-CPA-secure PK-FE can also be obtained by applying the selective-to-adaptive transformation by Ananth et al. [8] and the IND-to-SIM transformation by Caro et al. [28] to the IO-based selectively-IND-secure PK-FE by Garg et al. [29]. Thus, given the instantiated SIM-CPA-secure PK-FE from nonstandard assumptions, we can obtain SIM-CCA-secure PK-FE and IND-CCA-secure SK-FE and both of which can be based on the nonstandard assumptions.

8. Conclusions and Open Problems

Our works propose two adaptively CCA-secure FEs in the PKE and SKE settings, respectively. The concrete works are as follows. We first derive an/a (adaptively) SIM-CCA-secure FE for deterministic functionalities in the public-key settings by making modifications on ones for randomized functionalities proposed by Agraval and Wu [17]. Then, based on the modified scheme together with a symmetric encryption and a standard NIZK, we present a private-key FE scheme (SK-FE) with adaptive IND-CCA security for deterministic functionalities. The instantiabilities of the underlying base SIM-CPA-secure PK-FEs, symmetric encryption, and NIZK from standard assumptions show that our proposed SK-FE scheme is practical under the standard assumptions.

8.1. IND-CCA-Secure SK-FE for Randomized Functionalities

A precursor to the work on SK-FE scheme supporting randomized functionalities was the work by Komargodski et al. [30]. They achieve this by utilizing function-private FE scheme for deterministic functionalities in the private-key settings. Brakerski and Segev [31] proposed a function-private scheme based on any SK-FE scheme for a sufficiently rich function class. To construct SK-FE with IND-CCA security for randomized functionalities, a FE in the public-key settings with SIM-CCA security for randomized functionalities may be necessary, but deriving such a scheme from existing works is nontrivial, and it may require some new techniques. Thus, we left them as an open problem.

Appendix

A. SIM-CCA Security Implies IND-CCA Security

. Assume that there exists a PPT IND-CCA adversary that can break the IND-CCA security of the PK-FE scheme ; then, there exists a SIM-CCA adversary that can break the SIM-CCA security of scheme . We now use the IND-CCA adversary to construct the SIM-CCA adversary . The adversary is constructed as follows. : in this phase, the SIM-CCA adversary receives a master public key from its challenger . It then sends to the IND-CCA adversary . : in this phase, when the IND-CCA adversary makes a function key query , the SIM-CCA adversary queries its prechallenge key-generation oracle to obtain a key which is generated as in the real mode or in the simulation mode. For the decryption query , queries its prechallenge decryption oracle to obtain and sends to the adversary . : in this phase, once the adversary outputs two challenge messages , , and state (which is sent to the adversary ), chooses and outputs as the challenge message of the SIM-CCA security. Then, it queries its challenge oracle to obtain the challenge ciphertext set which is generated as in the real mode or in the ideal mode. Finally, it sends to the adversary . : in this phase, the key-generation queries and decryption queries are dealt with in the same way as in the prechallenge phase except that when the postchallenge key-generation oracle of the SIM-CCA adversary works in the ideal mode, it also needs an additional help of oracle .

At the end of the experiment, the SIM-CCA adversary outputs what the IND-CCA adversary outputs.

It is easy to see that if the adversary is valid, i.e., for all functions and messages that delivers in function key queries and message queries, we have . By this, the simulators and in the SIM-CCA security game are computationally indistinguishable. Thus, perfectly simulates the attacking environment for . Finally, we conclude that if the adversary can break the IND-CCA security of the scheme , then the adversary can break the SIM-CCA security with almost the same probability.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

The first author was supported by the National Natural Science Foundation of China (Grant nos. NSFC61702007 and NSFC61572318), National Key Research and Development Program of China (Grant no. 2017YFB0802000), and other foundations (Grant nos. 2019M661360(KLH2301024), gxbjZD27, KJ2018A0533, XWWD201801, ahnis20178002, KJ2017A519, 16ZB0140, LD14127X, and ZRC2013380). The second author was supported by the National Key Research and Development Program of China (Grant no. 2017YFB0802000) and National Natural Science Foundation of China (Grant no. NSFC61472114). The fourth author was supported in part by the National Key Research and Development Program of China (Grant no. 2017YFB0802000), National Natural Science Foundation of China (Grant nos. 61877011, 61472084, and U1536205), Shanghai Innovation Action Project (Grant no. 16DZ1100200), Shanghai Science and Technology Development Funds (Grant no. 16JC1400801), and Shandong Provincial Key Research and Development Program of China (Grant nos. 2017CXG0701 and 2018CXGC0701).

References

H. Wang, K. Chen, J. K. Liu, Z. Hu, and Y. Long, “Access control encryption with efficient verifiable sanitized decryption,” Information Sciences, vol. 465, pp. 72–85, 2018.
View at: Publisher Site | Google Scholar
H. G. Wang, K. F. Chen, B. D. Qin, X. J. Lai, and Y. H. Wen, “A new construction on randomized message-locked encryption in the standard model via uces,” Science China Information Sciences, vol. 60, no. 5, 2017.
View at: Publisher Site | Google Scholar
D. Boneh, A. Sahai, and B. Waters, “Functional encryption: definitions and challenges,” in Advance in TCC 2011, Y. Ishai, Ed., pp. 253–273, Springer, Berlin, Germany, 2011.
View at: Google Scholar
H. Wang, K. Chen, J. K. Liu, and Z. Hu, “Leakage-resilient chosen-ciphertext secure functional encryption from garbled circuits,” Information Security Practice and Experience, pp. 119–140, 2018.
View at: Publisher Site | Google Scholar
H. G. Wang, K. F. Chen, Y. Zhang, and Y. L. Zhao, “Functional encryption with application to machine learning: simple conversions from generic functions to quadratic functions,” Peer-to-Peer Networking and Applications, 2020.
View at: Publisher Site | Google Scholar
H. G. Wang, Y. Zhang, K. Chen, G. Y. Sui, Y. L. Zhao, and X. Y. huang, “Functional broadcast encryption with applications to data sharing for cloud storage,” Information Sciences, vol. 502, pp. 109–124, 2019.
View at: Publisher Site | Google Scholar
H. G. Wang, K. F. Chen, B. D. Qin, and Z. Y. Hu, “LR-RRA-CCA secure functional encryption for randomized functionalities from trapdoor HPS and LAF,” Science China Information Sciences, vol. 61, no. 5, 2018.
View at: Publisher Site | Google Scholar
P. Ananth, Z. Brakerski, G. Segev, and V. Vaikuntanathan, “From selective to adaptive security in functional encryption,” in Advance in CRYPTO 2015, R. Gennaro and M. Robshaw, Eds., pp. 657–677, Springer, Berlin, Germany, 2015.
View at: Google Scholar
S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, and B. Waters, “Candidate indistinguishability obfuscation and functional encryption for all circuits,” in Proceedings of the 2013 IEEE 54th Annual Symposium on Foundations of Computer Science, pp. 40–49, IEEE, Berkeley, CA, USA, 2013.
View at: Google Scholar
S. Garg, C. Gentry, S. Halevi, and M. Zhandry, “Functional encryption without obfuscation,” in Proceedings of the TCC 2016, pp. 480–511, Beijing, China, 2016.
View at: Google Scholar
B. Waters, “A punctured programming approach to adaptively secure functional encryption,” in Lecture Notes in Computer Science, pp. 678–697, Springer, Berlin, Germany, 2015.
View at: Publisher Site | Google Scholar
E. Kiltz and Y. Vahlis, “CCA2 secure IBE: standard model efficiency through authenticated symmetric encryption,” in CT-RSA 2008, Springer, Berlin, Germany, 2008.
View at: Google Scholar
S. Yamada, N. Attrapadung, G. Hanaoka, and N. Kunihiro, “Generic constructions for chosen-ciphertext secure attribute based encryption,” in Public Key Cryptography-PKC 2011, pp. 71–89, Springer, Berlin, Germany, 2011.
View at: Publisher Site | Google Scholar
F. Benhamouda, F. Bourse, and H. Lipmaa, “CCA-secure inner-product functional encryption from projective hash functions,” in PKC 2017, pp. 36–66, Springer, Berlin, Germany, 2017.
View at: Google Scholar
M. Nandi and T. Pandit, “Generic conversions from CPA to CCA secure functional encryption,” Tech. Rep., International Association for Cryptologic Research, Lyon, France, 2015, Report 2015/457, https://eprint.iacr.org/2015/457.pdf.
View at: Google Scholar
M. Naor and M. Yung, “Public-key cryptosystems provably secure against chosen ciphertext attacks,” in Proceedings of the ACM Symposium on the Theory of Computing, pp. 427–437, Baltimore, MD, USA, 1990.
View at: Google Scholar
S. Agrawal and D. J. Wu, “Functional encryption: deterministic to randomized functions from simple assumptions,” in Lecture Notes in Computer Science, Springer, Berlin, Germany, 2016, http://eprint.iacr.org/2016/482.pdf.
View at: Google Scholar
E. Elkind and A. Sahai, “A unified methodology for constructing public-key encryption schemes secure against adaptive chosen-ciphertext attack (2002),” in IACR Cryptology Eprint Archive, University of California, Berkeley, CA, USA, 2002.
View at: Google Scholar
V. Goyal, A. Jain, V. Koppula, and A. Sahai, “Functional encryption for randomized functionalities,” in TCC 2015, Part II, LNCS, Y. Dodis and J. B. Nielsen, Eds., vol. 9015, pp. 325–351, Springer, Berlin, Germany, 2015.
View at: Google Scholar
A. D. Santis, G. D. Crescenzo, R. Ostrovsky, G. Persiano, and A. Sahai, “Robust non-interactive zero knowledge,” in Proceedings of the CRYPTO 2001, pp. 566–598, Santa Barbara, CA, USA, 2001.
View at: Google Scholar
O. Goldreich, in Foundations of Cryptography—Volume 2: Basic Applications, Cambridge University Press, Cambridge, UK, 2004.
S. Gorbunov, V. Vaikuntanathan, and H. Wee, “Functional encryption with bounded collusions via multi-party computation,” in Advances in Cryptology-CRYPTO 2012, R. Safavi-Naini and R. Canetti, Eds., vol. 7417, pp. 162–179, Springer, Berlin, Germany, 2012.
View at: Google Scholar
D. Pointcheval, “RSA public-key encryption,” in Encyclopedia of Cryptography and Security, Springer, Berlin, Germany, 2011.
View at: Google Scholar
S. J. Li, F. T. Zhang, Y. X. Sun, and L. M. Shen, “Efficient leakage-resilient public key encryption from ddh assumption,” Cluster Computing, vol. 16, no. 4, pp. 797–806, 2013.
View at: Publisher Site | Google Scholar
X. C. Sun, B. Li, X. H. Lu, and F. Y. Fang, “CCA secure public key encryption scheme based on LWE without Gaussian sampling,” in Proceedings of the International Conference on Information Security and Cryptology, pp. 361–378, Beijing, China, 2015.
View at: Google Scholar
Y. Yu and J. Zhang, “Cryptography with auxiliary input and trapdoor from constant-noise LPN,” in Advances in Cryptology-CRYPTO 2016, pp. 214–243, Springer, Berlin, Germany, 2016.
View at: Publisher Site | Google Scholar
C. Dwork, M. Naor, and O. Reingold, “Immunizing encryption schemes from decryption errors,” in EUROCRYPT 2004, pp. 342–360, Springer, Berlin, Germany, 2004.
View at: Google Scholar
A. D. Caro, V. Iovino, A. Jain, A. O Neill, O. Paneth, and G. Persiano, “On the achievability of simulation-based security for functional encryption,” in CRYPTO 2013, pp. 519–535, Springer, Berlin, Germany, 2013.
View at: Google Scholar
S. Garg, G. Craig, S. Halevi, M. Raykova, S. Amit, and B. Waters, “Candidate indistinguishability obfuscation and functional encryption for all circuits,” in Proceedings of the 54th Annual Symposium on Foundations of Computer Science, pp. 40–49, IEEE Computer Society Press, Berkeley, CA, USA, 2013.
View at: Google Scholar
I. Komargodski, G. Segev, and E. Yogev, “Functional encryption for randomized functionalities in the private-key setting from minimal assumptions,” in TCC 2015, Y. Dodis and J. B. Nielsen, Eds., vol. 9015, pp. 352–377, Springer, Berlin, Germany, 2015.
View at: Google Scholar
Z. Brakerski and G. Segev, “Function-private functional encryption in the private-key setting,” Journal of Cryptology, vol. 31, no. 1, pp. 202–225, 2018.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2020 Huige Wang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

995

Downloads

587

Citations