Paper 2022/1168

Multi-Input Quadratic Functional Encryption: Stronger Security, Broader Functionality

Shweta Agrawal, IIT Madras
Rishab Goyal, UW-Madison
Junichi Tomida, NTT Social Informatics Laboratories

Multi-input functional encryption, MIFE, is a powerful generalization of functional encryption that allows computation on encrypted data coming from multiple different data sources. In a recent work, Agrawal, Goyal, and Tomida (CRYPTO 2021) constructed MIFE for the class of quadratic functions. This was the first MIFE construction from bilinear maps that went beyond inner product computation. We advance the state-of-the-art in MIFE, and propose new constructions with stronger security and broader functionality. Stronger Security: In the typical formulation of MIFE security, an attacker is allowed to either corrupt all or none of the users who can encrypt the data. In this work, we study MIFE security in a stronger and more natural model where we allow an attacker to corrupt any subset of the users, instead of only permitting all-or-nothing corruption. We formalize the model by providing each user a unique encryption key, and letting the attacker corrupt all non-trivial subsets of the encryption keys, while still maintaining the MIFE security for ciphertexts generated using honest keys. We construct a secure MIFE system for quadratic functions in this fine-grained corruption model from bilinear maps. Our construction departs significantly from the existing MIFE schemes as we need to tackle a more general class of attackers. Broader Functionality: The notion of multi-client functional encryption, MCFE, is a useful extension of MIFE. In MCFE, each encryptor can additionally tag each ciphertext with appropriate metadata such that ciphertexts with only matching metadata can be decrypted together. In more detail, each ciphertext is now annotated with a unique label such that ciphertexts encrypted for different slots can now only be combined together during decryption as long as the associated labels are an exact match for all individual ciphertexts. In this work, we upgrade our MIFE scheme to also support ciphertext labelling. While the functionality of our scheme matches that of MCFE for quadratic functions, our security guarantee falls short of the general corruption model studied for MCFE. In our model, all encryptors share a secret key, therefore this yields a secret-key version of quadratic MCFE, which we denote by SK-MCFE. We leave the problem of proving security in the general corruption model as an important open problem.

Available format(s)
Public-key cryptography
Publication info
A major revision of an IACR publication in TCC 2022
functional encryption multi-input functional encryption quadratic functions multi-client functional encryption
Contact author(s)
shweta a @ cse iitm ac in
rishab @ cs wisc edu
tomida junichi @ gmail com
2022-09-07: approved
2022-09-07: received
See all versions
Short URL
Creative Commons Attribution


      author = {Shweta Agrawal and Rishab Goyal and Junichi Tomida},
      title = {Multi-Input Quadratic Functional Encryption: Stronger Security, Broader Functionality},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1168},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.