Cryptology ePrint Archive: Report 2018/250

Making Public Key Functional Encryption Function Private, Distributively

Xiong Fan and Qiang Tang

Abstract: We put forth a new notion of distributed public key functional encryption. In such a functional encryption scheme, the secret key for a function $f$ will be split into shares $sk_i^f$. Given a ciphertext $ct$ that encrypts a message $x$, a secret key share $sk_i^f$, one can evaluate and obtain a shared value $y_i$. Adding all the shares up can recover the actual value of $f(x)$, while partial shares reveal nothing about the plaintext. More importantly, this new model allows us to establish {\em function privacy} which was not possible in the setting of regular public key functional encryption. We formalize such notion and construct such a scheme from any public key functional encryption scheme together with learning with error assumption.

We then consider the problem of hosting services in the untrusted cloud. Boneh, Gupta, Mironov, and Sahai (Eurocrypt 2014) first studied such application and gave a construction based on indistinguishability obfuscation. Their construction had the restriction that the number of corrupted clients has to be bounded and known. They left an open problem how to remove such restriction. We resolve this problem by applying our function private (distributed) public key functional encryption to the setting of hosting service in multiple clouds. Furthermore, our construction provides a much simpler and more flexible paradigm which is of both conceptual and practical interests. Along the way, we strengthen and simplify the security notions of the underlying primitives, including function secret sharing.

Category / Keywords: public-key cryptography / functional encryption

Original Publication (with minor differences): IACR-PKC-2018

Date: received 5 Mar 2018

Contact author: xfan at cs cornell edu

Available format(s): PDF | BibTeX Citation

Version: 20180307:182556 (All versions of this report)

Short URL: ia.cr/2018/250

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]