Paper 2021/1442

$P/poly$ Invalidity of the Agr17 Functional Encryption Scheme

Yupu Hu and Jun Liu and Baocang Wang and Xingting Dong and Yanbin Pan

Abstract

Functional encryption (FE) is an advanced topic in the research of cryptography, and the Agr17 FE scheme is one of the major FE schemes. It took the BGG+14 attribute-based encryption (ABE) scheme as a bottom structure, which was upgraded into a `partially hiding predicate encryption' (PHPE) scheme and combined with a fully homomorphic encryption (FHE) scheme. However, there is a remaining problem, the implementation of the modulus reduction, in the Agr17 FE scheme. First, a modulus reduction is necessary for the polynomial-time computability of the scheme. Second, the detailed steps of the modulus reduction were absent in the scheme (including its conference version and full version). Instead, the authors only pointed out several reference works. The author's meaning seemed to be that the modulus reduction of the Agr17 FE scheme can be obtained by directly using or simply generalizing these reference works. Third, these reference works only described various modulus reductions of FHE schemes, without the hint of how to generalize them into the modulus reduction of FE schemes. Finally, any modulus reduction of FHE can not be simply generalized into the modulus reduction of the Agr17 FE scheme due to the following two facts: (1) The Agr17 FE scheme has two moduli, which are the modulus of the FHE ciphertext and of the ABE ciphertext, both are originally superpolynomial in size for processing $P/poly$ functions. (2) Both moduli need to be scaled down to polynomial size, and both of them need to be reduced to the same new modulus, otherwise, the correctness of the scheme will fail. In this paper, we demonstrate that the Agr17 FE scheme is $P/poly$ invalid. More specifically, we show that, when processing $P/poly$ functions, the Agr17 FE scheme cannot be implemented again after its modulus reduction. To show the soundness of our demonstration, we present the statements in two stages. At the first stage, we show that the modulus reduction of the Agr17 FE scheme should be a double modulus reduction, which includes two modulus reductions for the FHE ciphertext and ABE ciphertext, respectively. This double modulus reduction has the following three key points: (1) The modulus reduction for the FHE ciphertext should be seen as a series of Boolean operations, and converted into `attribute quasi-homomorphic operations'. (2) The modulus reduction for the ABE ciphertext is a learning-with-errors (LWE) -based modulus reduction, which is an ordinary modulus reduction. (3) The two modulus reductions should obtain the same new modulus, otherwise, the scheme would not be implemented again. At the second stage, we show that the modulus reduction for the ABE ciphertext will destroy the structure of ABE so that the subsequent decryption would not be executed. The reason lies in that the decryption of ABE is an LWE decryption with conditions rather than an ordinary LWE decryption, and the modulus reduction will destroy the conditions of decryption. Besides, to show such invalidity cannot be easily crossed by revising the scheme, we design two revised versions of the Agr17 scheme. The first revised version is a `natural' revised version of the Agr17 scheme. The key point is to change the small modulus inner product into an arithmetic inner product, which can be obtained by the modulus inner product of the ABE ciphertext. The first revised scheme is valid, i.e., the decryption can be implemented correctly. However, the revised scheme is insecure because the decryptor knows much more secret information, and hence the scheme can be broken by collusion attacks with much less cost. The second revised version is an application of the GGH+13b verification circuit technology which transforms a $P/poly$ function into an $NC^1$ circuit. The second revised scheme is valid, but it is far from the design idea of the Agr17 scheme, and its function class is quite limited, that is, those functions which can be equally transformed from $P/poly$ into $NC^1$ by equal verification transformation, rather than any $P/poly$ functions.