Lower Bounds for Lattice-Based Compact Functional Encryption

Tairi, Erkan; Ünal, Akin

doi:10.1007/978-3-031-58723-8_9

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14652))

Included in the following conference series:

Annual International Conference on the Theory and Applications of Cryptographic Techniques

257 Accesses

Abstract

Functional encryption (FE) is a primitive where the holder of a master secret key can control which functions a user can evaluate on encrypted data. It is a powerful primitive that even implies indistinguishability obfuscation (iO), given sufficiently compact ciphertexts (Ananth-Jain, CRYPTO’15 and Bitansky-Vaikuntanathan, FOCS’15). However, despite being extensively studied, there are FE schemes, such as function-hiding inner-product FE (Bishop-Jain-Kowalczyk, AC’15, Abdalla-Catalano-Fiore-Gay-Ursu, CRYPTO’18) and compact quadratic FE (Baltico-Catalano-Fiore-Gay, Lin, CRYPTO’17), that can be only realized using pairings. This raises the question if there are some mathematical barriers that hinder us from realizing these FE schemes from other assumptions.

In this paper, we study the difficulty of constructing lattice-based compact FE. We generalize the impossibility results of Ünal (EC’20) for lattice-based function-hiding FE, and extend it to the case of compact FE. Concretely, we prove lower bounds for lattice-based compact FE schemes which meet some (natural) algebraic restrictions at encryption and decryption, and have ciphertexts of linear size and secret keys of minimal degree. We see our results as important indications of why it is hard to construct lattice-based FE schemes for new functionalities, and which mathematical barriers have to be overcome.

E. Tairi—work done while the author was at TU Wien.

A. Ünal—work done while the author was at ETH Zurich.

You have full access to this open access chapter, Download conference paper PDF

1 Introduction

Functional encryption (FE) [28, 49] is an advanced encryption primitive that allows fine-grained access control over the encrypted data. In contrast to conventional encryption schemes, which are all-or-nothing, in FE there is a master secret key ${\textsf{msk}}$ that allows to generate constrained functional secret keys. More precisely, every secret key $\textsf{sk}_f$ is associated with a function f and, given an encryption of some message x, the decryption with $\textsf{sk}_f$ only reveals f(x), and nothing more about x.

Since its introduction, FE has been subject to intense study, which resulted in both FE schemes for general functionalities [17, 21, 30, 35], thereby entailing feasibility results, and FE schemes for limited classes of functions that are of particular interest for practical applications, e.g., (function-hiding) inner-product FE (IPFE) [3, 14, 15, 25, 45, 53] and compact FE for quadratic functions [20, 23, 36, 45, 54]. Furthermore, IPFE and quadratic FE have been extended to multi-input [4, 6, 11, 13], (decentralized) multi-client [1, 2, 12, 31, 44], and identity/attribute-based [5, 32] settings.

We also know that FE is a powerful primitive that even implies indistinguishability obfuscation (iO). In fact, it has been shown that a succinct subexponentially secure single-key FE implies iO [8, 16, 18, 26, 40,41,42, 46].

Moreover, we know that FE for general functionalities with a bounded number of secret keys (that an adversary can learn), can be achieved from minimal assumptions [21], such as public-key encryption (PKE) and one-way functions (OWFs). However, if we want to achieve security for an unbounded number of secret keys, we either need to rely on heavy-machinery, such as iO [35], or restrict ourselves to (function-hiding) IPFE, linearly compact quadratic FE or FE for constant-degree polynomials which are obtained by relinearization. Even so, for linearly compact quadratic FE and function-hiding FE the only known constructions are pairing-based [23, 25, 36, 45].

In a recent work, Ünal [55] showed implausibility of constructing lattice-based function-hiding IPFE. More precisely, he extracted the common properties (of decryption and encryption algorithms) of known lattice-based FE schemes, and showed that under these properties an FE scheme cannot be function-hiding. Given this result and the usefulness of compact FE for constructing advanced primitives, such as iO, we ask the following question in this work:

What hinders us from constructing compact lattice-based FE?

1.1 Lattice-Based Functional Encryption Framework

To investigate the above question, we need to capture lattice-based FE schemes in a non-black box way. Towards this end, we reintroduce here the framework of Ünal [55]:

Definition 1

(Lattice-Based FE Scheme). Let $\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc},\textsf{Dec})$ be an FE scheme. Let q be a prime and $p < q$ be the modulus of the message space. We call $\textsf{FE}$ lattice-based if the following conditions are met:

1.
$\textsf{Enc}$ computes ciphertexts as follows: On input a master secret key ${\textsf{msk}}$ and a message $x \in \mathbb {Z}_p^n$, $\textsf{Enc}$ first samples (potentially correlated) polynomials $r_1, \ldots , r_m \in \mathbb {Z}_q[X_1,\ldots , X_n]$ of constant degree without looking at x. It then evaluates $r_1,\ldots , r_m$ at x and outputs the ciphertext
$$\begin{aligned} \textsf{ct}_x :=(r_1(x), \ldots , r_m(x)) \in \mathbb {Z}_q^m. \end{aligned}$$
2.
Each secret key output by $\textsf{KeyGen}$ is a polynomial in $\mathbb {Z}_q[Z_1,\ldots ,Z_m]$ of constant degree.
3.
On input a secret key $\textsf{sk}\in \mathbb {Z}_q[Z_1,\ldots ,Z_m]$ and a ciphertext $\textsf{ct}\in \mathbb {Z}_q^m$, the decryption algorithm $\textsf{Dec}$ evaluates the polynomial $\textsf{sk}$ at $\textsf{ct}_x$ and rounds the result to the nearest integer modulo p, i.e.,
$$\begin{aligned} \textsf{Dec}(\textsf{sk}, \textsf{ct}) = \left\lceil \textsf{sk}(\textsf{ct}) \cdot {p}/{q} \right\rfloor \in \mathbb {Z}_p. \end{aligned}$$

The lattice-based FE framework makes strong restrictions on the encryption and decryption algorithms of FE schemes. However, since compact and function-hiding FE schemes do exist assuming the security of pairing groups [25, 36], it is necessary to restrict the computational model of an FE scheme at some points. We argue that the restrictions made by the framework of [55] are the right ones, in the sense that they are loose enough to capture all relevant FE schemes whose security relies on the Learning With Errors (LWE) assumption. Moreover, these restrictions are decisive enough to make impossibility results for schemes captured by this framework provable. Let us discuss this in more detail. A closer look at the existing lattice-based IBE/ABE/PE/FE schemes [9, 15,16,17, 27, 37] reveals that the restrictions imposed in Definition 1 are quite natural and fulfilled by most^{Footnote 1} of these schemes. As a prime example, we can present here the encryption algorithm of the IPFE scheme due to Agrwal, Libert and Stehlé [15]: The public key consists of two matrices $A \in \mathbb {Z}_q^{m \times n}, B \in \mathbb {Z}_q^{\ell \times n}$. To encrypt input vectors $x \in \mathbb {Z}_p^\ell $, ciphertexts are generated by sampling a uniformly random vector $s \leftarrow \mathbb {Z}_q^n$, two Gaussian noise vectors $e_0 \leftarrow \mathcal {D}_{\mathbb {Z}^m,\sigma }, e_1 \leftarrow \mathcal {D}_{\mathbb {Z}^\ell , \sigma }$ and computing

$$\begin{aligned} \textsf{ct}= (As + e_0, Bs + e_1 + f \cdot x), \end{aligned}$$

where f is the scaling factor (commonly $\left\lfloor q/K \right\rfloor $, for some integer K). Now observe that we can rewrite this in two parts:

a complex offline part, where $m + \ell $ multivariate degree-1 polynomials
$$\begin{aligned} g_1(X),\ldots ,g_m(X),h_1(X),\ldots ,h_\ell (X) \in \mathbb {Z}_q[X_1,\ldots , X_\ell ] \end{aligned}$$
are sampled using only the public values (p, q, f, A, B) (and without looking at the input x),
$$\begin{aligned} &g_i(X_1,\ldots ,X_\ell ) := \langle a_i \mid s \rangle + e_{0,i}, {} & {} i \in [m], \\ &h_j(X_1,\ldots ,X_\ell ) := \langle b_j \mid s \rangle + e_{1,j} + f \cdot X_j, {} & {} j \in [\ell ], \end{aligned}$$
and a simple online part, where the previously sampled polynomials are evaluated on input x in order to compute the ciphertext,
$$\begin{aligned} \textsf{ct}= (g_1(x),\ldots ,g_m(x),h_1(x),\ldots ,h_\ell (x)). \end{aligned}$$

This shows that the encryption algorithm of [15] fits into our framework (their decryption algorithm falls into our framework too, which is easy to verify).

For our restrictions at decryption, we point out that it was already noted by Brakerski et al. [29] that even all lattice-based fully homomorphic encryption (FHE) schemes^{Footnote 2} decrypt by evaluating a low-degree polynomial at the ciphertext and then rounding to the nearest result.

Moreover, we note that since the publication of [55] there has been no construction of function-hiding FE from LWE (or any other lattice-based assumption). While the results of [55] only hold in the aforementioned lattice-based FE framework, they (up to now) correctly predicted that constructing function-hiding FE from LWE requires breakthrough methods. This justifies to see the framework of [55] as a gauge for measuring the hardness of lattice-based FE schemes and understanding the mathematical barriers that are needed to be overcome.

1.2 Contribution

We generalize the results of Ünal [55] for lattice-based function-hiding FE, and extend them to the setting of lattice-based compact FE. Our main contribution is captured with the following informal theorem.

Theorem 1

(Informal Main Theorem 5). Let $q > p$ be s.t. q is prime, $q/p \in \textsf{poly}(\lambda )$ and p is greater than some constant.

Let $\textsf{FE}$ be a lattice-based functional encryption scheme for polynomials of degree $d > 1$ with input space $\mathbb {Z}_p^n$, where each ciphertext is contained in $\mathbb {Z}_q^m$.

Assume that $\textsf{FE}$ is linearly compact, i.e., $m \in O(n)$, and that each secret key output by $\textsf{KeyGen}$ is a degree-d polynomial over the ciphertexts.

If $\textsf{FE}$ is correct, then it cannot be selectively IND-CPA secure.

At a high level, our proof idea consists of deriving a (special) SKE scheme from a lattice-based compact FE scheme. By using the existence of low-degree algebraic relationships, which has been shown in [56], we can use the compactness of the FE scheme to prove correctness of the aforementioned SKE scheme. This in turn leads to a contradiction to Corollary 3 of [55] (cf. Theorem 2) and gives us implicitly an attack on lattice-based compact FE scheme.

1.3 Interpretation, Limitations and Open Problems

Parameter Restrictions. We have analogous parameter restrictions as in [55]. More precisely, in order to prove Theorem 1, we require that the exterior modulus q of the FE scheme is prime. Furthermore, the fraction q/p needs to be bounded by a polynomial^{Footnote 3} in the security parameter $\lambda $, where p is the interior modulus, and p needs to be greater than some constant that depends on the depth of the FE scheme. These parameter restrictions are usual for schemes whose security is implied by standard LWE, i.e., LWE with polynomial modulus q, which admits a reduction to worst-case lattice problems [50].

Additionally, we require a strict notion of compactness where we demand the dimensional length of ciphertexts to be linear in the length of messages. Furthermore, we assume decryption to be as simple as possible, i.e., the algebraic degree of secret keys must equal the algebraic degree of the functionality supported by the FE scheme.

To relax both requirements it would be necessary to prove some technical theorem about homogeneity of ciphertexts (Theorem 6) for more general FE schemes. Concretely, we suspect the following:

Conjecture 1

Let $\textsf{FE}$ be a lattice-based FE scheme for degree-d polynomials over n variables. Furthermore, let $\textsf{FE}$ be relaxed compact, i.e., we have $m \in O(n^{d-e})$ where m is the dimension of ciphertexts of $\textsf{FE}$ and $e > 0$ is some fixed constant. Denote by $d_2$ the decryption depth of $\textsf{FE}$.

If $\textsf{FE}$ is IND-CPA secure against adversaries of complexity $n^{O(n^{d-e\cdot {d_2}/(d_2 - 1)})}$, then Theorem 6 does hold for $\textsf{FE}$. This implies that $\textsf{FE}$ cannot be IND-CPA secure against adversaries of size $n^{O(n^{d-e\cdot {d_2}/(d_2 - 1)})}$ if $\textsf{FE}$ is correct.

Interpretation and Open Problems. We view the results in this paper as a useful argument in understanding the difficulties of constructing lattice-based compact FE schemes. We leave it as an interesting open problem to derive similar lower bounds for other types of FE schemes, such as noisy linear FE [16] or FE for attribute-weighted sums [7].

A potential approach to circumvent the lower bounds introduced here is to consider gadget matrices (as in FHE schemes and as in the predicate encryption scheme of [38]). More precisely, if during encryption we compute a bit-decomposition, $G^{-1}(x)$, of an input vector x, then our techniques are not applicable anymore, and one would need to develop more advanced techniques. However, it is still unclear if inverse gadget sampling is helpful for constructing lattice-based FE schemes. We discuss more open questions and ways to circumvent our results in the full version of this paper [52]

Note on Algebraic LWE. A natural question to ask is whether more algebraically structured variants of LWE, such as Ring-LWE [47] or Module-LWE [43], can be used to overcome the lower bounds introduced in this work. Analogous to the results of [55], the additional algebraic structure does not help, as long as the requirements of Theorem 1 are met. The reason for this is that the rings and modules considered in algebraic LWE variants are vector spaces over $\mathbb {Z}_q$ with the natural addition whose multiplication operation can be modeled by quadratic polynomials.

1.4 Related Work

Ananth and Vaikuntanathan [21] showed that FE for $\mathsf {P/poly}$ with a bounded number of secret keys can be achieved from minimal assumptions, i.e., PKE in the public-key setting and OWFs in the secret-key setting. But, the ciphertexts in their schemes are growing linearly with the number of secret keys handed out to the adversary. This is not surprising given that a bounded public-key FE scheme with relaxed compact ciphertext size, i.e., sublinear in the number of secret keys, implies^{Footnote 4} iO [18, 26]. Similarly, Kitagawa, Nishimaki and Tanaka [42] showed that a bounded and compact secret-key FE scheme implies iO. Moreover, Ananth, Jain and Sahai [19] showed how to transform any collusion-resistant FE into a single-key FE scheme with compact encryption circuit. De Caro, Iovino, Jain, O’Neill, Paneth and Persiano [33] showed that compact FE with simulation-based security is impossible for general functions [10, 33], however, for constructing iO from compact FE selective indistinguishability security suffices.

Other Models of Computation. Computational models are a popular approach in cryptography to prove lower bounds for solving certain problems. Nonetheless, the most well-known models, such as the generic group model [48, 51], the algebraic group model [34] and the random oracle model [24] only deal with group-based resp. hash-based problems and primitives.

We are not aware of many other models besides [55] for lattice-based settings. Guo, Kamath, Rosen and Sotiraki [39] studied the lattice-based non-interactive key exchange (NIKE) problem and introduced a (comparatively more rigid) model where Alice and Bob always send LWE samples $A \cdot x_1 + e_1$ and $A^T \cdot x_2 + e_2$ as their key parts, respectively. Afterwards, they may apply any key reconciliation function to extract a common secret key. The authors could show lower bounds for the complexity and amount of information the reconciliation function needs.

There are some similarities between the lower bounds obtained in our model and the lower bounds obtained by Applebaum, Avron and Brzuska [22] for arithmetic circuits. In our setting, the encryption and decryption functionalities come close to arithmetizing circuits, i.e., their algebraic descriptions are (almost) independent of the underlying field $\mathbb {Z}_q$. The lower bound for lattice-based function-hiding FE, for example, could almost be reduced to a lower bound in [22] for three-party protocols where a semi-arithmetic Alice and a non-arithmetic Bob want to make a fully arithmetic Carol learn a function of both parties’ data without learning any non-trivial information. However, the crux is that we allow the decryption algorithm to perform a rounding operation from $\mathbb {Z}_q$ to $\mathbb {Z}_p$ at the end. Since rounding is a non-arithmetic of forbiddingly high degree, the decryption algorithm of lattice-based FE schemes is non-arithmetic and, hence, not fully captured by the lower bounds in [22].

1.5 Technical Overview

In this subsection, we will sketch a proof for Theorem 1. Towards this end, we will first introduce the framework of Ünal [55] for modeling lattice-based FE schemes, which we use in this work. Next, we will revisit a strategy for proving lower bounds for lattice-based function-hiding FE schemes and generalize it. Finally, we will attempt to adapt the generalized strategy on relaxed compact lattice-based FE schemes. Unfortunately, our first attempt will fail, however, we will be able to fix the strategy for linearly compact lattice-based FE schemes with secret keys of minimal degree.

Our Framework. A (secret-key) functional encryption (FE) scheme consists of four algorithms: $\textsf{Setup}, \textsf{KeyGen},\textsf{Enc}$ and $\textsf{Dec}$. On input the security parameter $1^\lambda $, $\textsf{Setup}$ computes a master secret key ${\textsf{msk}}$. On input ${\textsf{msk}}$ and a suitable function $f :\mathbb {Z}_p^n \rightarrow \mathbb {Z}_p$, $\textsf{KeyGen}$ generates a secret key $\textsf{sk}_f$ for f. On input ${\textsf{msk}}$ and a message $x \in \mathbb {Z}_p^n$, $\textsf{Enc}$ outputs a ciphertext $\textsf{ct}_x$. Finally, on input $\textsf{sk}_f$ and $\textsf{ct}_x$, $\textsf{Dec}$ outputs f(x).

In this work, we want to prove lower bounds for lattice-based FE schemes. In order to do so, we focus on FE schemes $\textsf{FE}=(\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})$ that are subject to the following two restrictions:

$\textsf{Enc}$ is of constant depth, i.e., the output of $\textsf{Enc}({\textsf{msk}}, x)$ is computed in two phases: in the complex offline phase, $\textsf{Enc}$ only knows ${\textsf{msk}}$ and computes arbitrarily complicated randomness $(r_1, \ldots , r_m)$. In the simple online phase, $\textsf{Enc}$ sees the message $x \in \mathbb {Z}_p^n$ and the randomness $(r_1,\ldots , r_m)$ from the previous phase. However, in this phase $\textsf{Enc}$ must compute the ciphertext by an arithmetic circuit of constant depth.

Formally, we require that there exists an offline algorithm $\textsf{Enc}_{\textsf{off}}$ that on input ${\textsf{msk}}$ outputs random polynomials $r_1, \ldots , r_m \in \mathbb {Z}_q[X_1, \ldots , X_n]$ of constant degree. $\textsf{Enc}({\textsf{msk}}, x)$ is then expected to work by first sampling $(r_1,\ldots , r_m) \leftarrow \textsf{Enc}_{\textsf{off}}({\textsf{msk}})$, and then outputting the ciphertext $\textsf{ct}_x = (r_1(x), \ldots , r_m(x)) \in \mathbb {Z}_q^m$. We call the maximum degree of $r_1,\ldots , r_m$ the depth of $\textsf{Enc}$.
Each secret key $\textsf{sk}_f$ is a polynomial in $\mathbb {Z}_q[Y_1,\ldots , Y_m]$ of constant degree and $\textsf{Dec}$ works in a typical lattice-based manner: it evaluates $\textsf{sk}_f$ on the ciphertext $\textsf{ct}_x$ and rounds the result to the next number modulo p. Formally, we require
$$\begin{aligned} \textsf{Dec}(\textsf{sk}_f, \textsf{ct}_x) = \left\lceil \frac{p}{q} \cdot \textsf{sk}_f(\textsf{ct}_x) \right\rfloor . \end{aligned}$$

For simplicity, we call FE schemes that adhere to these restrictions lattice-based.

Lower Bounds for Function-Hiding FE. We explain here the strategy of [55] for showing implausibility of lattice-based function-hiding FE schemes, before we generalize and adapt it to the case of compact FE.

First, remember that in a function-hiding FE scheme the secret key $\textsf{sk}_f$ hides the function f it evaluates at decryption, i.e., given $\textsf{sk}_f$ and $\textsf{ct}_x$ an adversary learns nothing about x and f besides f(x). If we are given a function-hiding FE scheme $\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc},\textsf{Dec})$ for computing linear functions over $\mathbb {Z}_p^n$, we can construct a secret-key encryption scheme $\textsf{SKE}' = (\textsf{Setup}', \textsf{Enc}', \textsf{Dec}')$ for messages in $\mathbb {Z}_p$ from $\textsf{FE}$ s.t. its encryption algorithm $\textsf{Enc}'$ is of constant depth and produces short ciphertexts. In fact, consider the following setup and encryption algorithms:

$\textsf{Setup}'$::: On input $1^\lambda $, $\textsf{Setup}'$ samples ${\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )$. Then, it derives secret keys $\textsf{sk}_1, \ldots , \textsf{sk}_{Q-1} \leftarrow \textsf{KeyGen}({\textsf{msk}}, 0)$ for the zero function and one secret key $\textsf{sk}_Q \leftarrow \textsf{KeyGen}({\textsf{msk}}, f)$ for the function f that maps a vector $x \in \mathbb {Z}_p^n$ to its first coordinate $x_1$. It returns ${\textsf{msk}}' := ({\textsf{msk}}, \textsf{sk}_1,\ldots , \textsf{sk}_Q)$.
$\textsf{Enc}'$::: On input ${\textsf{msk}}' = ({\textsf{msk}}, \textsf{sk}_1,\ldots , \textsf{sk}_Q)$ and a message $x_1 \in \mathbb {Z}_p$, $\textsf{Enc}'$ computes the ciphertext $\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, (x_1, 0, \ldots , 0))$ and then applies the polynomials $\textsf{sk}_1,\ldots , \textsf{sk}_{Q-1}$ on it and outputs
$$\begin{aligned} \textsf{ct}' = (\textsf{sk}_1(\textsf{ct}), \ldots , \textsf{sk}_{Q-1}(\textsf{ct})) \in \mathbb {Z}_q^{Q-1}. \end{aligned}$$

Since $\textsf{FE}$ is a lattice-based FE scheme in the sense of our framework, its encryption algorithm $\textsf{Enc}$ is offline/online of constant depth. It follows that $\textsf{Enc}'$ is of constant depth as well, since $\textsf{Enc}'$ first runs $\textsf{Enc}$ and then again evaluates $Q-1$ fixed polynomials $\textsf{sk}_1,\ldots , \textsf{sk}_{Q-1} \in \mathbb {Z}_q[Y_1,\ldots , Y_m]$ of constant degree on the output of $\textsf{Enc}$. Therefore, the depth of the online phase of $\textsf{Enc}'$ is bounded by the depth of $\textsf{Enc}$ times the maximum degree of $\textsf{sk}_1, \ldots , \textsf{sk}_Q$.

Additionally, each ciphertext output by $\textsf{Enc}'$ is short, i.e.,

$$\begin{aligned} \left| \left| \textsf{ct}' \right| \right| _\infty \le \frac{q}{p}. \end{aligned}$$

To see this, note that the decryption algorithm of $\textsf{FE}$ is given by $\textsf{Dec}(\textsf{sk}, \textsf{ct}) = \left\lceil \textsf{sk}(\textsf{ct}) \cdot p/q \right\rfloor $. Now for $i\in [Q-1]$, we know that $\textsf{Dec}(\textsf{sk}_i, \textsf{ct})$ must be zero, because $\textsf{sk}_i$ is a secret key for the zero function. It follows that $\textsf{sk}_i(\textsf{ct}) \cdot p / q$ must be rounded to zero in $\mathbb {Z}_p$, which implies that the absolute value of $\textsf{sk}_i(\textsf{ct})$ cannot be larger than q/p.

Ideally, it should be infeasible to extract the message $x_1$ out of $\textsf{ct}'$. However, since $\textsf{FE}$ is function-hiding and lattice-based, decryption with non-trivial success probability is possible. In fact, the distributions $\textsf{KeyGen}({\textsf{msk}}, 0)$ and $\textsf{KeyGen}({\textsf{msk}}, f)$ must look indistinguishable for a $\textsf{PPT}$ adversary. If Q is large enough, one can show that the polynomial $\textsf{sk}_Q$ must lie in the span of the polynomials $\textsf{sk}_1,\ldots , \textsf{sk}_{Q-1}$ with probability $1-o(1)$, i.e., for $Q\in \textsf{poly}(\lambda )$ large enough, we have that

$$\begin{aligned} \mathop {\Pr }\limits _{\begin{array}{c} \textsf{sk}_1,\ldots , \textsf{sk}_{Q-1} \leftarrow \textsf{KeyGen}({\textsf{msk}}, 0)\\ \textsf{sk}_{Q} \leftarrow \textsf{KeyGen}({\textsf{msk}}, f) \end{array}} \left[ \textsf{sk}_{Q} \in \textrm{span}_{\mathbb {Z}_q}\left\{ \textsf{sk}_1,\ldots , \textsf{sk}_{Q-1}\right\} \right] \ge 1 - o(1). \end{aligned}$$

This phenomenon gives rise to the following decryption algorithm $\textsf{Dec}'$ for $\textsf{SKE}'$:

$\textsf{Dec}'$::

On input ${\textsf{msk}}' = ({\textsf{msk}}, \textsf{sk}_1,\ldots , \textsf{sk}_Q)$ and a ciphertext $\textsf{ct}' = (c_1, \ldots , c_{Q-1}) \in \mathbb {Z}_q^{Q-1}$, $\textsf{Dec}'$ checks if $\textsf{sk}_Q\in \textrm{span}_{\mathbb {Z}_q}\left\{ \textsf{sk}_1,\ldots , \textsf{sk}_{Q-1}\right\} $. If so, $\textsf{Dec}'$ computes scalars $\alpha _1, \ldots , \alpha _{Q-1}$ s.t. $\textsf{sk}_Q = \alpha _1 \cdot \textsf{sk}_1 + \ldots + \alpha _{Q-1} \cdot \textsf{sk}_{Q-1}$, otherwise $\textsf{Dec}'$ aborts. $\textsf{Dec}'$ can now reconstruct $\textsf{sk}_Q(\textsf{ct})$ by computing

$$\begin{aligned} \textsf{sk}_Q(\textsf{ct}) &= (\alpha _1 \cdot \textsf{sk}_1 + \ldots + \alpha _{Q-1} \cdot \textsf{sk}_{Q-1})(\textsf{ct})\\ &= \alpha _1 \cdot \textsf{sk}_1(\textsf{ct}) + \ldots + \alpha _{Q-1} \cdot \textsf{sk}_{Q-1}(\textsf{ct})\\ &= \alpha _1 \cdot c_1 + \ldots + \alpha _{Q-1} \cdot c_{Q-1}. \end{aligned}$$

Given $\textsf{sk}_Q(\textsf{ct})$, $\textsf{Dec}'$ can now output

$$\begin{aligned} \textsf{Dec}(\textsf{sk}_Q, \textsf{ct}) = \left\lceil \textsf{sk}_Q(\textsf{ct}) \cdot p / q \right\rfloor \in \mathbb {Z}_p. \end{aligned}$$

Assuming that $\textsf{FE}$ is correct, the probability of $\textsf{Dec}'$ to return the correct message is at least $1 - o(1)$.

In summary, by assuming a lattice-based correct function-hiding FE scheme $\textsf{FE}$, we can construct an SKE scheme $\textsf{SKE}' = (\textsf{Setup}', \textsf{Enc}', \textsf{Dec}')$ with the following properties:

$\textsf{Enc}'$ encrypts messages in $\mathbb {Z}_p$ and is of constant depth.
Each ciphertext output by $\textsf{Enc}'$ is short, i.e., lies in $[-q/p, q/p]^{Q-1}$.
The probability of $\textsf{Dec}'$ decrypting correctly is at least $1-o(1)$.
Additionally, if $\textsf{FE}$ is selectively IND-CPA secure, it can be shown—by a direct reduction—that $\textsf{SKE}'$ is selectively IND-CPA secure, too.

The key observation of [55] is that such a secret-key encryption scheme cannot exist, if $q/p \in \textsf{poly}(\lambda )$. In fact, the following result has been proven:

Theorem 2

([55] (Informal Corollary 3)). Let $\textsf{SKE}$ be a secret-key encryption scheme of depth $d \in O(1)$ (with prime modulus q). Let $B \in \textsf{poly}(\lambda )$ s.t. q/B is larger than some constant and assume that each ciphertext of $\textsf{SKE}$ lies in $[-B, B]^{Q-1}$. Let $\{0,\ldots , 2d\}$ be the message space of $\textsf{SKE}$.

$\textsf{SKE}$ is selectively IND-CPA secure iff the statistical distance of the distributions $({\textsf{msk}}, \textsf{Enc}({\textsf{msk}}, x))$ and $({\textsf{msk}}, \textsf{Enc}({\textsf{msk}}, y))$ is negligible for each pair of messages $x,y \in \{0,\ldots , 2d\}$.

This yields a contradiction to the scheme $\textsf{SKE}'$ we constructed, because $\textsf{Dec}'$ cannot have a high decryption advantage when ciphertexts $\textsf{ct}'_x \leftarrow \textsf{Enc}'({\textsf{msk}}, x)$ and $\textsf{ct}_y' \leftarrow \textsf{Enc}'({\textsf{msk}}, y)$ are statistically close to each other.

It follows that one of the premises must have been wrong. Hence, if $\textsf{FE}$ is lattice-based, correct and function-hiding, it cannot be selectively IND-CPA secure.

Generalization. In the following, we generalize the previous strategy to show lower bounds for arbitrary lattice-based FE schemes. We follow the idea to construct a special secret-key encryption scheme $\textsf{SKE}'' = (\textsf{Setup}'', \textsf{Enc}'', \textsf{Dec}'')$ from a given lattice-based FE scheme $\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc},\textsf{Dec})$. Since $\textsf{FE}$ is lattice-based and correct, $\textsf{SKE}''$ will have an encryption algorithm of constant depth and short ciphertexts. Furthermore, if $\textsf{FE}$ is selectively IND-CPA secure, then $\textsf{SKE}''$ is as well (by a direct reduction). By Theorem 2, it follows that $\textsf{Dec}''$ can have no meaningful success at decrypting ciphertexts of $\textsf{SKE}''$. A contradiction to the security of $\textsf{FE}$ now follows if we can show that $\textsf{Dec}''$ must have a non-trivial success probability at decryption.

Concretely, $\textsf{SKE}''$ is given by the following algorithms:

$\textsf{Setup}''$::

Let $\mathcal {F}$ denote the space of functions supported by $\textsf{FE}$. On input $1^\lambda $, $\textsf{Setup}''$ chooses Q functions $f_1,\ldots , f_Q$ from $\mathcal {F}$. Additionally, it chooses an index $i_* \in [Q]$ and a degree-1 function $\nu _{i_*} :\mathbb {Z}_p \rightarrow \mathbb {Z}_p^n$ s.t. we have for each $x_1 \in \mathbb {Z}_p$

$$\begin{aligned} f_i(\nu _{i_*}(x_1)) = 0~~\text {for all }i\ne i_*, \qquad \text {but} ~~f_{i_*}(\nu _{i_*}(x_1)) = x_1. \end{aligned}$$

Then, $\textsf{Setup}''$ samples ${\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )$ and $\textsf{sk}_i \leftarrow \textsf{KeyGen}({\textsf{msk}}, f_i)$ for $i \in [Q]$, and outputs

$$\begin{aligned} {\textsf{msk}}'' := ({\textsf{msk}}, \textsf{sk}_1, \ldots , \textsf{sk}_Q, \nu _{i_*}, i_*). \end{aligned}$$

$\textsf{Enc}''$::

Given ${\textsf{msk}}''$ and $x_1 \in \mathbb {Z}_p$, $\textsf{Enc}''$ computes $\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu _{i_*}(x_1))$. It applies the polynomials $\textsf{sk}_1,\ldots ,\textsf{sk}_{i_* - 1},0, \textsf{sk}_{i_* + 1},\ldots , \textsf{sk}_Q$ at $\textsf{ct}$ and returns

$$\begin{aligned} \textsf{ct}'' := (\textsf{sk}_1(\textsf{ct}), \ldots ,\textsf{sk}_{i_* - 1}(\textsf{ct}),0, \textsf{sk}_{i_* + 1}(\textsf{ct}),\ldots , \textsf{sk}_Q(\textsf{ct})) \in \mathbb {Z}_q^Q. \end{aligned}$$

$\textsf{Dec}''$::

On input ${\textsf{msk}}''$ and $\textsf{ct}'' = (c_1,\ldots , c_Q)$, $\textsf{Dec}''$ computes the set

$$\begin{aligned} S := \left\{ \textsf{sk}_{i_*}(w) ~|~ w \in \mathbb {Z}_q^m, \forall i \ne i_* :\textsf{sk}_i(w) = c_i \right\} . \end{aligned}$$

(1)

It chooses a uniformly random element $\textsf{sk}_{i_*}(w) \leftarrow S$ and outputs

$$\begin{aligned} \left\lceil \textsf{sk}_{i_*}(w) \cdot p / q \right\rfloor = \textsf{Dec}(\textsf{sk}_{i_*}, w) \in \mathbb {Z}_p. \end{aligned}$$

Note that $\textsf{SKE}''$ generalizes the ideas of $\textsf{SKE}'$ and does not fully specify $\textsf{Setup}''$. In fact, the choice of the functions $f_1,\ldots , f_Q$ in $\textsf{Setup}''$ will depend on the concrete $\textsf{FE}$ scheme. Similarly to $\textsf{SKE}'$, $\textsf{SKE}''$ is of constant depth if $\textsf{FE}$ is lattice-based. Moreover, it has short ciphertexts if $\textsf{FE}$ is lattice-based and correct, and $\textsf{SKE}''$ is selectively IND-CPA secure if $\textsf{FE}$ is so. We show these properties in detail in the proof of Lemma 2.

Because of Theorem 2, we know that $\textsf{SKE}''$ cannot be correct if $\textsf{FE}$ is lattice-based, correct and selectively IND-CPA secure. However, in the case of a function-hiding FE scheme, it can be shown that $\textsf{Dec}''$ has a high probability to correctly decrypt ciphertexts. The idea in this text is to prove that $\textsf{Dec}''$ also has a high success probability at decryption in the case of compact FE schemes. However, as it turns out, grasping and using the compactness property of a lattice-based FE scheme is more complex than using the function-hiding property and requires a more algebraic approach.

Compact Case. In the following, we outline our strategy for the case of (relaxed) compact FE and sketch a proof attempt to show why $\textsf{Dec}''$—intuitively—has a non-trivial advantage at decrypting compact ciphertexts. However, as we explain later, this proof attempt has some gaps. In this work, we fill these gaps in the case of linear compactness and minimal decryption depth.

First, we give an informal definition of compactness (resp. succinctness):

Definition 2

Let $\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc},\textsf{Dec})$ be an FE scheme with ciphertexts in $\mathbb {Z}_q^m$ and message space $\mathbb {Z}^n_p$ for polynomials of degree d. We call $\textsf{FE}$ relaxed compact if there is a constant $e > 0$ s.t.

$$\begin{aligned} m \in O(n^{d-e}). \end{aligned}$$

In other words, we demand that ciphertexts are by a polynomial amount smaller than encrypting the relinearization $x^{\otimes d}$ of a message $x \in \mathbb {Z}_p^n$ and using an IPFE scheme. In the literature, there are different definitions of compactness and succinctness (cf. [18, 21, 26, 42]). We note that Definition 2 is comparatively weaker and is implicitly fulfilled by the notions of the aforementioned works.

Now, let $\textsf{FE}=(\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})$ be a compact lattice-based FE scheme that supports the evaluation of quadratic polynomials, i.e., the function space of $\textsf{FE}$ is given by

$$\begin{aligned} \mathcal {F}= \left\{ f \in \mathbb {Z}_p[X_1,\ldots , X_n] ~|~ \deg f \le 2 \right\} , \end{aligned}$$

while its message space is $\mathbb {Z}_p^n$. Compactness now states that we have $m \in O(n^{2 - e})$ for a constant $e > 0$. This implies that the number of coordinates of a ciphertext of $\textsf{FE}$ is significantly smaller than the number of secret keys for linearly independent functions of $\mathcal {F}$. Our idea is to combine this together with a result of [56] to achieve a non-trivial success probability at decryption.

First, we will specify how $\textsf{Setup}''$ chooses the functions $f_1,\ldots , f_Q \in \mathcal {F}$, the index $i_* \in [Q]$ and the function $\nu _{i_*} :\mathbb {Z}_p\rightarrow \mathbb {Z}_p^n$. $\textsf{Setup}''$ enumerates all pairs (a, b) with $1\le a<b \le n$ and indexes them by

$$\begin{aligned} (a_{i_1},b_{i_1}), \ldots , (a_{i_Q}, b_{i_Q}), \end{aligned}$$

for $Q := \left( {\begin{array}{c}n\\ 2\end{array}}\right) = \frac{n^2 - n}{2}$. For $i \in [Q]$, it sets $f_i$ to be the monomial of the $a_i$-th and $b_i$-th variable, i.e.,

$$\begin{aligned} f_i(X_1,\ldots , X_n) := X_{a_i} \cdot X_{b_i} \in \mathcal {F}. \end{aligned}$$

It draws $i_* \leftarrow [Q]$ uniformly at random and sets $\nu _{i_*}$ to be the affine linear map

$$\begin{aligned} \nu _{i_*} :\mathbb {Z}_p & \longrightarrow \mathbb {Z}_p^n\\ x & \longmapsto x \cdot e_{a_{i_*}} + e_{b_{i_*}}, \end{aligned}$$

where $e_{a_{i_*}}$ and $e_{b_{i_*}}$ denote the $a_{i_*}$-th and $b_{i_*}$-th unit vectors. More precisely, the vector $\nu _{i_*}(x)$ has the value x at position $a_{i_*}$, 1 at position $b_{i_*}$ and 0 at every other position. It now follows for all $i \in [Q]$ and $x \in \mathbb {Z}_p$,

$$\begin{aligned} f_i(\nu _{i_*}(x)) = \left\{ \begin{aligned} x, {} & {} \text { if } i = i_*,\\ 0, {} & {} \text { if } i\ne i_*. \end{aligned} \right. \end{aligned}$$

To prove that $\textsf{Dec}''$ has non-trivial advantage at decryption when receiving ${\textsf{msk}}''$ and a ciphertext $\textsf{ct}''$, we need to show that the set S computed by $\textsf{Dec}''$ in Eq. (1) is small. Let $\textsf{ct}'':=(\textsf{sk}_1(\textsf{ct}), \ldots , \textsf{sk}_{i_*-1}(\textsf{ct}), 0, \textsf{sk}_{i_*+1}(\textsf{ct}), \ldots , \textsf{sk}_{Q}(\textsf{ct}))$ for some $\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}'', \nu _{i_*}(x))$. Then, S must contain the correct value $\textsf{sk}_{i_*}(\textsf{ct})$ besides other values $\textsf{sk}_{i_*}(w)$. Algebraically, showing that S is small boils down to the problem of polynomial prediction: we do not know $\textsf{ct}$, but we know its evaluations $\textsf{sk}_{i}(\textsf{ct})$ for many polynomials $\textsf{sk}_1,\ldots ,\textsf{sk}_{i_*-1}, \textsf{sk}_{i_*+1}, \ldots , \textsf{sk}_{Q} \in \mathbb {Z}_q[Y_1,\ldots , Y_m]$ of constant degree. Therefore, we can substantially bound the number of possible values of $\textsf{sk}_{i_*}(\textsf{ct})$. We illustrate this idea with a toy example:

Example 1

In our toy example, we assume that ciphertexts of $\textsf{FE}$ have two coordinates $\textsf{ct}= (c_1, c_2)$. Furthermore, assume that $i_* = 3$ and that the first three secret keys are given by

$$\begin{aligned} \textsf{sk}_1(Y_1, Y_2) = Y_1 + Y_2, \quad \textsf{sk}_2(Y_1, Y_2) = Y_2^2, \quad \textsf{sk}_3(Y_1, Y_2) = Y_1 \in \mathbb {Z}_q[Y_1, Y_2]. \end{aligned}$$

Now, when we are given a ciphertext $\textsf{ct}''$ of $\textsf{SKE}''$, the values $a := \textsf{sk}_1(\textsf{ct}) = c_1 + c_2$ and $b := \textsf{sk}_2(\textsf{ct}) = c_2^2$ are fixed. In this situation, can we limit the number of possible values of $\textsf{sk}_3(\textsf{ct})$?

The answer turns out to be yes. Indeed, set $h(T_1, T_2, T_3) := (T_1 - T_3)^2 - T_2 = T_1^2 - 2 T_1T_3 - T_2 + T_3^2$ and note that we have

$$\begin{aligned} h(\textsf{sk}_1(Y_1, Y_2), \textsf{sk}_2(Y_1, Y_2), \textsf{sk}_3(Y_1, Y_2)) = 0. \end{aligned}$$

(2)

Now, if we plug in the values $a,b \in \mathbb {Z}_p$, we get the univariate degree-2 polynomial

$$\begin{aligned} h(\textsf{sk}_1(\textsf{ct}),\textsf{sk}_2(\textsf{ct}), T_3) = h(a,b,T_3) = T_3^2 - 2a \cdot T_3 + a^2 - b. \end{aligned}$$

Because of Eq. (2), we know that $h(\textsf{sk}_1(\textsf{ct}),\textsf{sk}_2(\textsf{ct}), T_3)$ must vanish at $\textsf{sk}_3(\textsf{ct})$. In fact, $\textsf{sk}_3(\textsf{ct})$ is a root of $h(a,b,T_3)$ and S is contained in the set of points where $h(a,b,T_3)$ vanishes. Since $h(a,b,T_3)$ is of degree 2, there are at most 2 possible values for $\textsf{sk}_3(\textsf{ct})$. Hence, the probability of $\textsf{Dec}''$ to draw the correct value $\textsf{sk}_3(\textsf{ct})$ from S and decrypting correctly is at least 1/2, which is noticeably larger than 1/p.

In general, the polynomials $\textsf{sk}_1,\ldots , \textsf{sk}_Q$ are of some constant degree, let’s say $d \in O(1)$, and their number $Q = \left( {\begin{array}{c}n\\ 2\end{array}}\right) \in \varOmega (n^2)$ is substantially larger than the number of coordinates $m \in O(n^{2 -e})$ of a ciphertext $\textsf{ct}$ of $\textsf{FE}$. It has been shown in [56] that in such cases there exists a polynomial h of sublinear degree that algebraically relates the polynomials $\textsf{sk}_1, \ldots , \textsf{sk}_Q$:

Theorem 3

(Adapted from [56]). Let $Q \in \varOmega (n^{d_0})$ and $m \in O(n^{d_0-e})$ for a constant $e > 0$. Let $g_1, \ldots , g_Q \in \mathbb {Z}_q[Y_1, \ldots , Y_m]$ be of degree $d \in O(1)$.

Then, there exists a polynomial $h \in \mathbb {Z}_q[T_1, \ldots , T_Q]$ with the following properties:

$$\begin{aligned} & h(T_1,\ldots , T_Q) \ne 0,\\ & h(g_1(Y_1,\ldots , Y_m), \ldots , g_Q(Y_1,\ldots , Y_m) ) = 0,\\ & \deg h \in O(m^{1- \frac{e}{(d_0-e)(d-1)}}) = O(n^{d_0-e - \frac{e}{d-1}}). \end{aligned}$$

Given this polynomial h, we can show that each element of the set S computed by $\textsf{Dec}''$ in Eq. (1) must be a root of the polynomial

$$\begin{aligned} h(\textsf{sk}_1(\textsf{ct}),\ldots ,\textsf{sk}_{i_*-1}(\textsf{ct}), T_{i_*} \textsf{sk}_{i_*+1}(\textsf{ct}), \ldots , \textsf{sk}_{Q}(\textsf{ct}) ) \in \mathbb {Z}_q[T_{i_*}]. \end{aligned}$$

(3)

Hence, the size of S is bounded by $\deg h \in O(n^{2 - e - e/(d-1)})$. Therefore, the success probability of $\textsf{Dec}''$ to decrypt correctly is at least $n^{ e + e/(d-1) - 2}$, which is significantly larger than the trivial success probability 1/p, if $p \in \omega (n^{2 - e - e/(d-1)})$.

The above reasoning illustrates how we can use the compactness of $\textsf{FE}$ to construct a correct and secure SKE scheme $\textsf{SKE}''$ with special properties to ultimately derive a contradiction to Theorem 2 and an attack on the security of $\textsf{FE}$. However, there is one gap that needs to be addressed: what happens if the univariate polynomial in Eq. (3) is zero? In this case, the size of S does not need to be bounded by $\deg h$ and S could contain each element of $\mathbb {Z}_q$. Now, what happens if the polynomial in Eq. (3) is zero for almost all ciphertexts generated by $\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu _{i_*}(x))$? In this case, we cannot guarantee a non-trivial success probability for $\textsf{Dec}''$. Subsequently, $\textsf{SKE}''$ is not sufficiently correct, and we fail to reach a contradiction with Theorem 2.

In an attempt to fix this problem, one can consider the coefficients of the polynomial in Eq. (3). Each coefficient is computed by a polynomial in the variables $T_1,\ldots , T_{i_* -1}$, $T_{i_* + 1}, \ldots , T_m$ of lower degree. Concretely, we have

$$\begin{aligned} h( T_1,\ldots , T_m ) = \sum _{j = 0}^{\deg h} h_j(T_1,\ldots , T_{i_* - 1},T_{i_* + 1}, \ldots , T_m) \cdot T_{i_*}^j, \end{aligned}$$

for fitting polynomials $h_0,\ldots , h_{\deg h} \in \mathbb {Z}_q[T_1,\ldots , T_{i_* -1}, T_{i_* + 1}, \ldots , T_m]$ of sublinear degree. We can assume that the highest degree coefficient $h_{\deg h}$ is non-zero. If the polynomial in Eq. (3) is almost always zero for $\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu _{i_*}(x))$, it follows that $h_{\deg h}$ will almost always vanish on $\textsf{ct}$, and we could replace h with its coefficient $h_{\deg h}$. If $h_{\deg h}$ does always vanish on $\textsf{sk}_1(\textsf{ct}), \ldots , \textsf{sk}_{i_* - 1}(\textsf{ct})$, $\textsf{sk}_{i_* + 1}(\textsf{ct}), \ldots , \textsf{sk}_{Q}(\textsf{ct})$, but does not become zero when we plug in $\textsf{sk}_1(\textsf{ct}), \ldots ,\textsf{sk}_{i_* - 1}(\textsf{ct}), \textsf{sk}_{i_* + 1}(\textsf{ct}),\ldots , \textsf{sk}_{Q - 1}(\textsf{ct})$, we could use it to bound the number of possible values of $\textsf{sk}_{Q}(\textsf{ct})$ while fixing the values of $\textsf{sk}_1(\textsf{ct}), \ldots , \textsf{sk}_{Q - 1}(\textsf{ct})$. However, $\textsf{sk}_Q(\textsf{ct})$ will not be of great help to us if $\textsf{ct}$ encrypts $\nu _{i_*}(x)$, since we have $\textsf{Dec}(\textsf{sk}_Q, \textsf{ct}) = f_Q(\nu _{i_*}(x)) = 0$. In fact, we need that $h_{\deg h}$ behaves well for the different distribution $\textsf{Enc}({\textsf{msk}}, \nu _Q(x))$ of ciphertexts. This yields a problem: it may happen that $h_{\deg h}(\textsf{sk}_1(\textsf{ct}),\ldots , \textsf{sk}_{i_* - 1}(\textsf{ct}), \textsf{sk}_{i_* + 1}(\textsf{ct}), \ldots , \textsf{sk}_{Q - 1}(\textsf{ct}))$ is always zero when we sample $\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu _{i_*}(x))$, but does not become zero when $\textsf{ct}$ encrypts a useful message and is sampled from $\textsf{Enc}({\textsf{msk}}, \nu _Q(x))$.

Linear Compactness and Secret Keys of Minimal Degree. To solve the above problem, we need that some kind of homogeneity among the ciphertexts of $\textsf{FE}$ for different messages does hold. In particular, we need that whenever a polynomial g vanishes with overwhelming probability on the distribution $\textsf{Enc}({\textsf{msk}}, x)$, for some $x \in \mathbb {Z}_p^n$, then for each $y \in \mathbb {Z}_p^n$, g vanishes with overwhelming probability on the distribution $\textsf{Enc}({\textsf{msk}}, y)$. However, we can show this kind of homogeneity only in cases where g has a constant degree.

Now, the algebraic relationship h is of degree $O(n^{2-e-e/(d-1)})$ according to Theorem 3, where $e>0$ describes the compactness of ciphertexts and d the degree of secret keys. If our ciphertexts are linearly compact, i.e., $m\in O(n)$, then e equals 1. Furthermore, if our secret keys are of minimal degree $d = 2$, then h is of constant degree $O(n^{2-e-e/(d-1)}) = O(n^0) = O(1)$, and we can guarantee some kind of homogeneity among the ciphertexts for h. Now, the insecurity of $\textsf{FE}$ follows. In Sect. 4, we will generalize this result for FE schemes for polynomials of degree $d > 1$ with linear compactness $m \in O(n)$ and secret keys of degree d.

2 Preliminaries

Notation. In this text, we always denote the security parameter by $\lambda \in \mathbb {N}= \{1,2, \ldots \}$, by which each scheme and adversary is parametrized. For $n \in \mathbb {N}$, set $[n] = \{1,2,\ldots , n\}$. Define

$$\begin{aligned} \textsf{poly}(\lambda ) := & \left\{ f :\mathbb {N}\rightarrow \mathbb {N} ~|~ \exists d \in \mathbb {N}:f(\lambda ) \in O(\lambda ^d) \right\} , \\ \textsf{negl}(\lambda ) := & \left\{ \varepsilon :\mathbb {N}\rightarrow \mathbb {R} ~|~ \forall d \in \mathbb {N}:\limsup _{\lambda \rightarrow \infty } \varepsilon (\lambda ) \cdot \lambda ^d = 0. \right\} . \end{aligned}$$

In this text, we will work with two moduli $p,q> 2$ s.t. q is always prime and we always have $2p< q$. We will identify the finite field with the corresponding sets of integers centered around zero, $\mathbb {Z}_q = \left\{ \frac{-q+1}{2}, \ldots , \frac{q-1}{2} \right\} $, and embed $\mathbb {Z}_p$ into $\mathbb {Z}_q$ as the non-negative numbers $\mathbb {Z}_p = \{0,\ldots , p-1\} \subset \mathbb {Z}_q$.

For two distributions A, B with the same support S, we define their statistical distance by

$$\begin{aligned} \varDelta (A,B) := \frac{1}{2} \sum _{s \in S} \left| \mathop {\Pr }\limits _{a \leftarrow A}[a = s] - \mathop {\Pr }\limits _{b\leftarrow B}[b = s] \right| . \end{aligned}$$

We will denote by $\forall _\infty $, resp. $\exists _\infty $, the quantifiers for almost all and for infinitely many.

Lemma 1

(Simplified from [56]). Let k be a field. Let $d > 1$ be a constant and let $Q \in \varOmega (m^d)$. There is a constant degree bound $D \in O(1)$ s.t. for each list of polynomials $f_1,\ldots , f_Q \in k[Y_1,\ldots , Y_m]$ of degree d there is one polynomial $h \in k[T_1,\ldots , T_Q]$ s.t.

$$\begin{aligned} h \ne 0, \qquad \deg h \le D, \qquad \text {and} \qquad h(f_1(Y), \ldots , f_Q(Y)) = 0. \end{aligned}$$

2.1 Functional Encryption

Definition 3

Let $\mathcal {X}= (\mathcal {X}_\lambda )_\lambda $ be a family of sets. We call $\mathcal {X}$ a message space or value space if there is an $s \in \textsf{poly}(\lambda )$ s.t. each $x_\lambda \in \mathcal {X}_\lambda $ has a binary representation of size $\# x_\lambda \le s(\lambda )$. A subspace $\widetilde{\mathcal {X}}\subset \mathcal {X}$ is a family of sets $\widetilde{\mathcal {X}}= (\widetilde{\mathcal {X}}_\lambda )_\lambda $ s.t. $\widetilde{\mathcal {X}}_\lambda \subseteq \mathcal {X}_\lambda $ for all $\lambda $. $\mathcal {X}$ is called poly-size if we have $\#\mathcal {X}_\lambda \in \textsf{poly}(\lambda )$ and there is a poly-time algorithm that on input $1^\lambda $ can enumerate $\mathcal {X}_\lambda $.

If $\mathcal {X}= (\mathcal {X}_\lambda )_\lambda $ is a message space and $\mathcal {Y}=(\mathcal {Y}_\lambda )_\lambda $ is a value space, we call $\mathcal {F}= (\mathcal {F}_\lambda )_\lambda $ a function space if each $f_\lambda \in \mathcal {F}_\lambda $ is a function of type $f_\lambda :\mathcal {X}_\lambda \rightarrow \mathcal {Y}_\lambda $ and if there is an $s \in \textsf{poly}(\lambda )$ s.t. each $f_\lambda \in \mathcal {F}_\lambda $ has a binary representation of size $\# f_\lambda \le s(\lambda )$. In this case, we will write $\mathcal {F}:\mathcal {X}\rightarrow \mathcal {Y}$.

Definition 4

(Functional Encryption). A (secret-key) functional encryption (FE) scheme for the function space $\mathcal {F}:\mathcal {X}\rightarrow \mathcal {Y}$ is a tuple of four algorithms $\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})$ that are described as follows:

$\textsf{Setup}$: On input a (unary encoded) security parameter $1^\lambda $, it outputs a master secret key ${\textsf{msk}}$.
$\textsf{KeyGen}$: On input a master secret key ${\textsf{msk}}$ and a description of a function f in the function space $\mathcal {F}$ of $\textsf{FE}$, it outputs a secret key $\textsf{sk}_f$ for $f\in \mathcal {F}_\lambda $.
$\textsf{Enc}$: On input a master secret key ${\textsf{msk}}$ and a message $x \in \mathcal {X}_\lambda $, it outputs a ciphertext $\textsf{ct}_{x}$ of x.
$\textsf{Dec}$: On input a secret key $\textsf{sk}_f$ and a ciphertext $\textsf{ct}_{x}$, it outputs a value $y \in \mathcal {Y}_\lambda $.

We call $\textsf{FE}$ correct, if there is an $\varepsilon \in \textsf{negl}(\lambda )$ s.t. we have for all $(f_\lambda )_\lambda \in \mathcal {F}$ and $(x_\lambda )_\lambda \in \mathcal {X}$ that $\Pr [\textsf{Dec}(\textsf{sk}_{f}, \textsf{ct}_{x}) \ne f_\lambda (x_\lambda )] \le \varepsilon (\lambda )$, where we sample ${\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )$, $\textsf{sk}_{f} \leftarrow \textsf{KeyGen}({\textsf{msk}}, f_\lambda )$ and $\textsf{ct}_{x} \leftarrow \textsf{Enc}({\textsf{msk}}, x_\lambda )$.

Definition 5

(Selective IND-CPA Security). Let $\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})$ be an FE scheme for a functionality $\mathcal {F}:\mathcal {X}\rightarrow \mathcal {Y}$. We define the selective IND-CPA security game of $\textsf{FE}$ as an experiment $\textsf{Exp}_{\textsf{FE},\mathcal {A}}^{\mathsf {ind\text {-}cpa}}(\lambda ,\mathcal {F})$ between an adversary $\mathcal {A}$ and a challenger $\mathcal {C}$ that proceeds in the following steps:

For a fixed algorithm $\mathcal {A}$ and an FE scheme $\textsf{FE}$, the advantage of $\mathcal {A}$ is defined^{Footnote 5} by

$$\begin{aligned} \textsf{Adv}_{\textsf{FE},\mathcal {A}}^{\mathsf {ind\text {-}cpa}}\left( \lambda ,\mathcal {F} \right) := 2\cdot \Pr \left[ \textsf{Exp}_{\textsf{FE},\mathcal {A}}^{\mathsf {ind\text {-}cpa}}(\lambda ,\mathcal {F}) = 1 \right] - 1. \end{aligned}$$

We call $\textsf{FE}$ selectively IND-CPA secure if any $\textsf{PPT}$ adversary $\mathcal {A}$ has negligible advantage in the above game.

2.2 Lattice-Based Encryption Algorithms

In the following, we will recapitulate the definition of offline/online encryption of constant depth that has been introduced in [55]. This notion allows the master secret key to have a computationally unbounded influence on the computed ciphertext as long as the message only influences the ciphertext polynomially:

Definition 6

Let $\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})$ be an FE scheme with message space $\mathcal {X}= \mathbb {Z}_p^n$. Furthermore, let $q = q(\lambda )$ be a prime s.t. each ciphertext output by $\textsf{Enc}$ is a vector in $\mathbb {Z}_q^m$.

Let $d \in \mathbb {N}$ be a constant. We say that $\textsf{Enc}$ is of depth d if there is an off-line algorithm $\textsf{Enc}_{\textsf{off}}$ that on input ${\textsf{msk}}$ outputs m polynomials $r_1, \ldots , r_m \in \mathbb {Z}_q[X_1, \ldots , X_n]$ of degree $\le d$ s.t. the following distributions are identical for each ${\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )$ and $x \in \mathbb {Z}_p^n$:

$$\begin{aligned} \left\{ (r_1(x), \ldots , r_m(x)) ~|~ (r_1, \ldots , r_m) \leftarrow \textsf{Enc}_{\textsf{off}}({\textsf{msk}}) \right\} \text { and } \left\{ \textsf{ct} ~|~ \textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, x) \right\} . \end{aligned}$$

Note that we do not impose any bounds on the computational complexity of $\textsf{Enc}_{\textsf{off}}$.

In other words, an encryption algorithm of constant depth works in two phases. In an offline phase, it first sees the secret key, but does not get to know the message that is to be encrypted. It can then use any amount of time to compute polynomially bounded randomness for the second step. In the online phase, the algorithm gets the randomness from the first phase and sees the message. It must now compute each entry of the ciphertext vector in an arithmetically very simple way, i.e., by applying constant degree polynomials over the randomness from the offline phase and the coordinates of the message vector.

Since we want to build upon the results of [55], we also need to introduce the notion of encryption of polynomial width.

Definition 7

Let $\textsf{Enc}$ be an encryption algorithm that outputs vectors in $\mathbb {Z}_q^m$. We say that $\textsf{Enc}$ is of width $B = B(\lambda ) < q/2$ if there is an $\varepsilon \in \textsf{negl}(\lambda )$ s.t. we have for each $(x_\lambda )_\lambda \in \mathcal {X}$

$$\begin{aligned} \mathop {\Pr }\limits _{\begin{array}{c} {\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda ) \\ \textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, x_\lambda ) \end{array}} \left[ \left| \left| \textsf{ct} \right| \right| _\infty > B \right] \le \varepsilon (\lambda ), \end{aligned}$$

where $\left| \left| \textsf{ct} \right| \right| _\infty $ is defined as the largest absolute value among entries of $\textsf{ct}\in \left\{ -\frac{q - 1}{2}, \ldots , \frac{q - 1}{2} \right\} ^m = \mathbb {Z}_q^m$.

When we speak of lattice-based FE schemes, we will make the same restrictions on FE schemes that have been made in [55]:

Definition 8

(Lattice-Based FE Scheme). Let $\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})$ be an FE scheme. Let q be a prime and $n,m \in \textsf{poly}(\lambda )$. Let $d_1, d_2 \in \mathbb {N}$ be constants. We call $\textsf{FE}$ lattice-based if the following conditions are met:

1.
The message space of $\textsf{FE}$ is $\mathcal {X}= \mathbb {Z}_p^n$.
2.
Each ciphertext of $\textsf{FE}$ is an element of $\mathbb {Z}_q^m$ for prime q.
3.
$\textsf{Enc}$ is of depth $d_1$.
4.
Each secret key output by $\textsf{KeyGen}$ is a polynomial in $\mathbb {Z}_q[Z_1,\ldots ,Z_m]$ of total degree $\le d_2$, i.e., each secret key can be written as a linear combination of monomials containing at most $d_2$ (not necessarily different) Z-variables.
5.
We have $p < q$ and the decryption algorithm $\textsf{Dec}$ works as follows:
$$\begin{aligned} \textsf{Dec}(\textsf{sk}, \textsf{ct}) = \left\lceil \textsf{sk}(\textsf{ct}) \cdot {p}/{q} \right\rfloor \in \mathbb {Z}_p. \end{aligned}$$

We call $d_1$ the encryption depth and $d_2$ the decryption depth of $\textsf{FE}$.

Definition 9

We call $\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})$ (linearly) compact if the dimension of ciphertexts is linear in the message length, i.e., $m \in O(n)$.

2.3 Secret-Key Encryption

We will define here secret-key encryption schemes as a special case of functional encryption schemes where the function spaces only contain the identity function.

Definition 10

(Secret-Key Encryption). A secret-key encryption (SKE) scheme is an FE scheme $\textsf{SKE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})$ for a function space $\mathcal {F}$, where each $\mathcal {F}_\lambda $ only contains the identity function $\textsf{id}:\mathcal {X}_\lambda \rightarrow \mathcal {X}_\lambda $.

For an SKE scheme $\textsf{SKE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})$, we will always assume that the master secret key ${\textsf{msk}}$ and the derived key $\textsf{sk}_{\textsf{id}}$ of the identity are identical and that $\textsf{KeyGen}({\textsf{msk}}, \textsf{id})$ will always output ${\textsf{msk}}$. Subsequently, we will omit the algorithm $\textsf{KeyGen}$ from the list of algorithms, i.e., $\textsf{SKE}= (\textsf{Setup}, \textsf{Enc}, \textsf{Dec})$.

For convenience, we also introduce the notion of partial secret-key encryption schemes. A partial SKE is essentially a normal SKE without a decryption algorithm.

Definition 11

(Partial Secret-Key Encryption). A partial secret-key encryption scheme $\textsf{SKE}= (\textsf{Setup}, \textsf{Enc}, \_)$ is a pair of algorithms $\textsf{Setup}$ and $\textsf{Enc}$ with a fitting message space $\mathcal {X}$ that adheres to the syntax in Definition 4.

A fitting decryption algorithm for $(\textsf{Setup}, \textsf{Enc}, \_)$ is an algorithm $\textsf{Dec}$ s.t. the tuple $(\textsf{Setup}, \textsf{Enc}, \textsf{Dec})$ is an SKE in the sense of Definition 10.

Note that the notion of selective IND-CPA security in the sense of Definition 5 is well-defined for partial SKEs. Additionally, the notions of bounded encryption depth and width in the sense of Definitions 6 and 7 are well-defined for partial SKEs.

3 General Approach

We present here a general approach for showing lower bounds of lattice-based FE schemes in the sense of Definition 8. This approach generalizes the strategy of Ünal [55] for function-hiding FE schemes and will be applied by us again on compact FE schemes. The key element for showing IND-CPA insecurity in [55] was the following theorem.

Theorem 4

([55]). Let q be a prime, d be a constant and $B\in \textsf{poly}(\lambda )$. Let $M = M(\lambda ) \in \mathbb {N}$ be such that $M \ge 2d$ and $c\cdot M^d \cdot B < q$ for some constant^{Footnote 6} $c\in \mathbb {N}$ that depends on d.

Let $\textsf{SKE}= (\textsf{Setup}, \textsf{Enc},\_)$ be a partial SKE scheme with message space $\mathcal {X}:= \{0, \ldots , M\}$ s.t. $\textsf{Enc}$ is of depth d and width B. Then, the following are equivalent:

1.
$\textsf{SKE}$ is selectively IND-CPA secure against $\textsf{PPT}$ adversaries.
2.
$\textsf{SKE}$ is selectively IND-CPA secure against unbounded adversaries (that get to know the secret key of $\textsf{SKE}$).
3.
For each polynomial $r \in \textsf{poly}(\lambda )$ there is an $\varepsilon \in \textsf{negl}(\lambda )$ s.t. for ${\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )$, it holds that
$$\begin{aligned} \Pr \left[ \forall x,y\in \mathcal {X}_\lambda :\varDelta (\textsf{Enc}({\textsf{msk}}, x), \textsf{Enc}({\textsf{msk}}, y))< \frac{1}{r(\lambda )} \right] \ge 1 - \varepsilon (\lambda ). \end{aligned}$$
4.
There is an $\varepsilon \in \textsf{negl}(\lambda )$ s.t. we have $\varDelta (C_x, C_y) \le \varepsilon (\lambda )$ for all $x,y \in \mathcal {X}$, where $C_x$ is the distribution that computes ${\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda ), \textsf{ct}_x \leftarrow \textsf{Enc}({\textsf{msk}}, x_\lambda )$ and outputs $({\textsf{msk}}, \textsf{ct}_x)$.

In [55], only the equivalence of the first and third statement has been shown. However, it is easy to see that the second and fourth statement are equivalent to the third statement.

Given a lattice-based FE scheme $\textsf{FE}$ of encryption depth $d_1\in O(1)$ and decryption depth $d_2 \in O(1)$, we want to use Theorem 4 to deduce lower bounds for $\textsf{FE}$. Towards this end, we construct a partial SKE for integer messages from $\textsf{FE}$ as follows:

Definition 12

Let $\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc},\textsf{Dec})$ be an FE scheme with functionality $\mathcal {F}:\mathbb {Z}_p^n \rightarrow \mathbb {Z}_p$. Let $M \le p$. We construct a partial SKE scheme $\textsf{SKE}' = (\textsf{Setup}', \textsf{Enc}', \_)$ with message space $\mathcal {X}' := \{0,\ldots , M\}$ with the following algorithms:

$\textsf{Setup}_{\textsf{Pre}}'$::

There is a preceding setup algorithm that on input $1^\lambda $ chooses functions $f_1, \ldots , f_Q \in \mathcal {F}$. Then, it chooses an index $i_* \in [Q]$ and a degree-1 map

$$\begin{aligned} \nu :\mathbb {Z}_p &\longrightarrow \mathbb {Z}_p^{n}, \end{aligned}$$

s.t. we have for all $x \in \mathbb {Z}_p$,

$$\begin{aligned} \forall i\ne i_* :& f_i(\nu (x)) = 0,\\ & f_{i_*}(\nu (x)) = x. \end{aligned}$$

It outputs $(f_1,\ldots , f_Q, \nu , i_*)$.

$\textsf{Setup}':$:

On input $1^\lambda $, $\textsf{Setup}'$ runs $(f_1,\ldots , f_Q, \nu , i_*) \leftarrow \textsf{Setup}_{\textsf{Pre}}'(1^\lambda )$. Then, $\textsf{Setup}'$ computes ${\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )$ and $\textsf{sk}_i \leftarrow \textsf{KeyGen}({\textsf{msk}}, f_i)$ for $i \in [Q]$, and outputs the new master secret key

$$\begin{aligned} {\textsf{msk}}' := ({\textsf{msk}}, \textsf{sk}_1, \ldots , \textsf{sk}_Q, \nu , i_*). \end{aligned}$$

$\textsf{Enc}':$:

On input ${\textsf{msk}}' := ({\textsf{msk}}, \textsf{sk}_1, \ldots , \textsf{sk}_Q, \nu , i_*)$ and a message $x \in \{0,\ldots , M\}$, $\textsf{Enc}'$ runs $\textsf{ct}_x \leftarrow \textsf{Enc}({\textsf{msk}}, \nu (x))$ and outputs the new ciphertext

$$\begin{aligned} \textsf{ct}_x' := (\textsf{sk}_1(\textsf{ct}_x), \ldots ,\textsf{sk}_{i_*-1}(\textsf{ct}_x), 0, \textsf{sk}_{i_*+1}(\textsf{ct}_x), \ldots , \textsf{sk}_Q(\textsf{ct}_x)). \end{aligned}$$

We demand that $\textsf{Setup}_{\textsf{Pre}}'$ can be computed by a $\textsf{PPT}$ algorithm.

We now have the following result:

Lemma 2

In the scheme $\textsf{SKE}' = (\textsf{Setup}', \textsf{Enc}', \_)$ from Definition 12, $\textsf{Enc}'$ is of depth $d_1 \cdot d_2$, if $\textsf{FE}$ is lattice-based with encryption depth $d_1$ and decryption depth $d_2$.

If $\textsf{FE}$ is correct and lattice-based, then $\textsf{Enc}'$ is of width $\left\lceil q / p \right\rfloor $, and if $\textsf{FE}$ is selectively IND-CPA secure, then $\textsf{SKE}'$ is selectively IND-CPA secure.

Proof

1.
Let $\textsf{FE}$ be lattice-based with encryption depth $d_1$ and decryption depth $d_2$. Then, there is an algorithm $\textsf{Enc}_{\textsf{off}}$ that on input ${\textsf{msk}}$ outputs m polynomials $r_1, \ldots , r_m \in \mathbb {Z}_q[X_1, \ldots , X_{n}]$ of degree $\le d_1$ s.t. $\textsf{Enc}({\textsf{msk}}, x)$ is equally distributed as $(r_1(x), \ldots , r_m(x))$ for each $x \in \mathbb {Z}_p^{n}$.

We now define $\textsf{Enc}_{\textsf{off}}'$ as follows. On input ${\textsf{msk}}' := ({\textsf{msk}}, \textsf{sk}_1, \ldots , \textsf{sk}_Q, \nu , i_*)$, $\textsf{Enc}_{\textsf{off}}'$ first computes $(r_1, \ldots , r_m)\leftarrow \textsf{Enc}_{\textsf{off}}({\textsf{msk}})$ and then returns the polynomials
$$\begin{aligned} \forall i \ne i_* :& r_i'(X) := \textsf{sk}_i(r_1(\nu (X)), \ldots , r_m(\nu (X))) \in \mathbb {Z}_q[X],\\ & r_{i_*}'(X) := 0. \end{aligned}$$
The degree of each $\textsf{sk}_i(r_1(\nu (X)), \ldots , r_m(\nu (X)))$ is bounded by $d_1 \cdot d_2 \cdot 1$, since each $\textsf{sk}_i$ is a polynomial in $\mathbb {Z}_q[Z_1, \ldots , Z_m]$ of degree $\le d_2$ and $\nu $ is an affine linear function, i.e., a degree-1 polynomial.

Moreover, for each $x \in \{0,\ldots , M\}$ and ${\textsf{msk}}'$, the output of $\textsf{Enc}'({\textsf{msk}}', x)$ is identically distributed as $(r_1'(x), \ldots , r_Q'(x))$ for $(r_1', \ldots , r_Q') \leftarrow \textsf{Enc}_{\textsf{off}}'({\textsf{msk}}')$.
2.
Let $\textsf{FE}$ be correct, i.e., there is an $\varepsilon \in \textsf{negl}(\lambda )$ s.t. for each $(g_\lambda )_\lambda \in \mathcal {F}$ and $(x_\lambda )_\lambda \in \mathcal {X}$ we have
$$\begin{aligned} \mathop {\Pr }\limits _{\begin{array}{c} {\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\\ \textsf{sk}\leftarrow \textsf{KeyGen}({\textsf{msk}}, g_\lambda )\\ \textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, x_\lambda ) \end{array}}\left[ \textsf{Dec}(\textsf{sk}, \textsf{ct}) = g_\lambda (x_\lambda ) \right] \ge 1 - \varepsilon (\lambda ). \end{aligned}$$
Since $\textsf{FE}$ is lattice-based, $\textsf{Dec}$ works as $\textsf{Dec}(\textsf{sk}, \textsf{ct}) = \left\lceil \textsf{sk}(\textsf{ct}) \cdot {p}/{q} \right\rfloor $.

Assume, for the sake of contradiction, that $\textsf{Enc}'$ is not of width q/p. This implies that there is one $\lambda \in \mathbb {N}$ and an $x' \in \{0, \ldots , M(\lambda )\}$ s.t.
$$\begin{aligned} & Q(\lambda ) \cdot \varepsilon (\lambda ) < \mathop {\Pr }\limits _{\begin{array}{c} {\textsf{msk}}'\leftarrow \textsf{Setup}'(1^\lambda )\\ \textsf{ct}' \leftarrow \textsf{Enc}'({\textsf{msk}}', x') \end{array} } \left[ \left| \left| \textsf{ct}' \right| \right| _\infty > \frac{q}{p} \right] \\ =&\mathop {\Pr }\limits _{ \begin{array}{c} (f_1,\ldots , f_Q, \nu , i_*) \leftarrow \textsf{Setup}_{\textsf{Pre}}'(1^\lambda )\\ {\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\\ \forall i :\textsf{sk}_i \leftarrow \textsf{KeyGen}({\textsf{msk}}, f_i)\\ \textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu (x')) \end{array} } \left[ \exists i\ne i_* :\left| \textsf{sk}_i(\textsf{ct}) \right| > \frac{q}{p} \right] \\ =&\mathop {\Pr }\limits _{ \begin{array}{c} (f_1,\ldots , f_Q, \nu , i_*) \leftarrow \textsf{Setup}_{\textsf{Pre}}'(1^\lambda )\\ {\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\\ \forall i :\textsf{sk}_i \leftarrow \textsf{KeyGen}({\textsf{msk}}, f_i)\\ \textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu (x')) \end{array} } \left[ \exists i\ne i_* :\textsf{Dec}(\textsf{sk}_i, \textsf{ct}) \ne 0 = f_i(\nu (x')) \right] . \end{aligned}$$
In particular, for this $\lambda \in \mathbb {N}$, there exists a tuple $(f_1,\ldots , f_Q, \nu , i_*)$ s.t.
$$\begin{aligned} Q(\lambda ) \cdot \varepsilon (\lambda ) < &\mathop {\Pr }\limits _{ \begin{array}{c} {\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\\ \forall i :\textsf{sk}_i \leftarrow \textsf{KeyGen}({\textsf{msk}}, f_i)\\ \textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu (x')) \end{array} } \left[ \exists i\ne i_* :\textsf{Dec}(\textsf{sk}_i, \textsf{ct}) \ne f_i(\nu (x')) \right] \\ \le &\sum _{i\ne i_*}\mathop {\Pr }\limits _{ \begin{array}{c} {\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\\ \textsf{sk}_i \leftarrow \textsf{KeyGen}({\textsf{msk}}, f_i)\\ \textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu (x')) \end{array} } \left[ \textsf{Dec}(\textsf{sk}_i, \textsf{ct}) \ne f_i(\nu (x')) \right] . \end{aligned}$$
Hence, there is one $i \in [Q]$ s.t. $\Pr [\textsf{Dec}(\textsf{sk}_i, \textsf{ct}) \ne f_i(\nu (x'))] > \varepsilon $. This contradicts the correctness of $\textsf{FE}$. Hence, our assumption must be wrong and $\textsf{Enc}'$ must be of width q/p.
3.
Let $\textsf{FE}$ be selectively IND-CPA secure. We reduce the selective IND-CPA security of $\textsf{SKE}'$ to the selective IND-CPA security of $\textsf{FE}$ by constructing a reduction that transforms a $\textsf{PPT}$ adversary $\mathcal {A}'$ against the selective IND-CPA security of $\textsf{SKE}'$ to a $\textsf{PPT}$ adversary $\mathcal {A}$ against the selective IND-CPA security of $\textsf{FE}$.

If $\mathcal {A}'$ is an adversary against the selective IND-CPA security of $\textsf{SKE}'$ and $\mathcal {C}'$ is a challenger for the selective IND-CPA security of $\textsf{FE}$, then $\mathcal {A}$ proceeds as follows:
1. (a)
  On input $1^\lambda $, $\mathcal {A}$ computes $(f_1,\ldots , f_Q, \nu , i_*) \leftarrow \textsf{Setup}_{\textsf{Pre}}(1^\lambda )$.
2. (b)
  $\mathcal {A}$ runs $\mathcal {A}'(1^\lambda )$ to receive two lists $({x'_1}^0, \ldots , {x'_N}^0)$, $({x'_1}^1, \ldots , {x'_N}^1) \in \{0, \ldots , M\}^N$ of candidate messages.
3. (c)
  For each $i \in [N], \beta \in \{0,1\}$, $\mathcal {A}$ sets $x_i^{\beta } := \nu ({x'_i}^\beta ) \in \mathbb {Z}_p^{n_1}$.
4. (d)
  $\mathcal {A}$ submits the message lists $(x_1^0, \ldots , x_N^0)$, $(x_1^1, \ldots , x_N^1)$ and the function list $(f_1, \ldots , f_{i_*-1}, f_{i_* +1}, \ldots , f_Q)$ to $\mathcal {C}'$. It receives secret keys $\textsf{sk}_1, \ldots , \textsf{sk}_{i_* -1}, \textsf{sk}_{i_* + 1},\ldots , \textsf{sk}_Q$ for the functions $f_1, \ldots , f_{i_*-1}, f_{i_* +1},\ldots , f_Q$ and ciphertexts $\textsf{ct}_1,\ldots , \textsf{ct}_N$ for $x_1^b, \ldots , x_N^b$ with an unknown b.
5. (e)
  For each $i\in [N]$, $\mathcal {A}$ computes
  $$\begin{aligned} \textsf{ct}_i' := ( \textsf{sk}_1(\textsf{ct}_i), \ldots ,\textsf{sk}_{i_* -1}(\textsf{ct}_i), 0, \textsf{sk}_{i_* + 1}(\textsf{ct}_i) \ldots , \textsf{sk}_Q(\textsf{ct}_i) ), \end{aligned}$$
  and sends the list $(\textsf{ct}_1', \ldots , \textsf{ct}_N')$ to $\mathcal {A}'$.
6. (f)
  $\mathcal {A}'$ responds with a guess $b' \in \{0,1\}$. $\mathcal {A}$ forwards $b'$ to $\mathcal {C}'$.
The view of $\mathcal {A}'$ in the interaction with $\mathcal {A}$ is identical to its view in $\textsf{Exp}_{\textsf{SKE}'}^{\mathsf {ind\text {-}cpa}}$. Furthermore, $\mathcal {A}$ wins exactly iff $\mathcal {A}'$ wins. This is, because we have for all $j \in [N]$ and $ i \ne i_*$,
$$\begin{aligned} f_i(x_j^0) = f_i(\nu ({x'_j}^0)) = 0 = f_i(\nu ({x'_j}^1)) = f_i(x_j^1). \end{aligned}$$
In other words, $\mathcal {A}$ does not submit any combination of function and message pairs that would help it to win trivially. Hence, $\mathcal {A}$ is a valid adversary in the selective IND-CPA security game of $\textsf{FE}$. In conclusion, the advantage of $\mathcal {A}$ in the selective IND-CPA security game of $\textsf{FE}$ is equal to the advantage of $\mathcal {A}'$ in the selective IND-CPA security game of $\textsf{SKE}'$.

Hence, the claims of the lemma are proven. $\square $

Corollary 1

Let $\textsf{FE}$ be a lattice-based, correct and selectively IND-CPA secure FE scheme of constant encryption depth $d_1 \in O(1)$ and decryption depth $d_2 \in O(1)$ s.t. the message space of $\textsf{FE}$ is $\mathbb {Z}_p^n$ and each ciphertext of $\textsf{FE}$ is a vector in $\mathbb {Z}_q^m$ for $q > p > 2$, where q is prime.

Let $M \in \textsf{poly}(\lambda )$ and assume that we have ${q}/{p} \in \textsf{poly}(\lambda )$, $M \ge 2d_1\cdot d_2$ and $c \cdot M^{d_1\cdot d_2} < p$ for some constant c that depends on $d_1\cdot d_2$.

Let $\textsf{SKE}' = (\textsf{Setup}', \textsf{Enc}', \_)$ be the partial SKE scheme from Definition 12 that is constructed from $\textsf{FE}$ with message space $\{0, \ldots , M\}$.

Then, there is no (computationally unbounded) algorithm $\textsf{Dec}'$ s.t. the scheme $(\textsf{Setup}', \textsf{Enc}', \textsf{Dec}')$ has a non-negligible advantage at correctly decrypting ciphertexts, i.e., there is an $\varepsilon \in \textsf{negl}(\lambda )$ s.t. we have for each $\textsf{Dec}'$,

$$\begin{aligned} \mathop {\Pr }\limits _{\begin{array}{c} x \leftarrow \{0,\ldots ,M\}, \\ {\textsf{msk}}' \leftarrow \textsf{Setup}'(1^\lambda ),\\ \textsf{ct}' \leftarrow \textsf{Enc}'({\textsf{msk}}', x), \\ y \leftarrow \textsf{Dec}'({\textsf{msk}}', \textsf{ct}') \end{array}} \left[ x = y \right] \le \frac{1}{M + 1} + \varepsilon (\lambda ). \end{aligned}$$

We give a proof of Corollary 1 in the full version of this paper [52].

4 Lower Bounds for Compact Functional Encryption

In this section we prove the main result of this paper. Towards this end, we introduce the space of d-linear functions over $\mathbb {Z}_p$. A function $f :(\mathbb {Z}_p^n)^d \rightarrow \mathbb {Z}_p$ is called d -linear iff, for vectors of variables $X^{(1)} = (X^{(1)}_1,\ldots , X^{(1)}_n)$, ..., $X^{(d)} = (X^{(d)}_1,\ldots , X^{(d)}_n)$, the expression $f(X^{(1)},\ldots , X^{(d)})$ is linear in $X^{(i)}$ for each $i \in [d]$. Equivalently, one can require that $f(X^{(1)},\ldots , X^{(d)})$ is given by $\phi (X^{(1)}\otimes \cdots \otimes X^{(d)})$, for a linear function $\phi $, where $\otimes $ denotes the Kronecker product.

In the following, we consider the functionality $\mathcal {F}:\mathcal {X}\rightarrow \mathcal {Y}$ of d-linear functions, where the message space is $\mathcal {X}= \mathbb {Z}_p^{d\times n}$ and the value space is $\mathcal {Y}= \mathbb {Z}_p$.

Theorem 5

Let $d > 1$ be a constant and $q > p > 2$ with q prime. Let $Q = n^d$, $m \in O(n)$ and let $D \in O(1)$ be the constant from Lemma 1.

Let $\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen},\textsf{Enc},\textsf{Dec})$ be a lattice-based FE for the functionality $\mathcal {F}$ s.t. we have:

1.
$\textsf{FE}$ is compact, i.e., the dimension $m \in O(n)$ of ciphertexts is linear.
2.
The decryption depth of $\textsf{FE}$ is d.
3.
We have
$$\begin{aligned} {q}/{p} \in \textsf{poly}(\lambda ) \qquad \text {and} \qquad c \cdot (\max \{2 d_1 \cdot d + 1, 2D + 1\})^{d_1 \cdot d} < p, \end{aligned}$$
where $d_1$ denotes the encryption depth of $\textsf{FE}$ and c is the constant from Theorem 4.

If $\textsf{FE}$ is correct, then $\textsf{FE}$ is not selectively IND-CPA secure.

Remark 1

We remark two things about the requirements of Theorem 5:

1.
We do not specify if there is an arithmetic reduction modulo p when evaluating the polynomials in $\mathcal {F}\subset \mathbb {Z}_p[X^{(1)}, \ldots , X^{(d)}]$ on messages. In fact, this is irrelevant for our proof, since it will only consider monomial functions $X^{(1)}_{i_1}\cdots X^{(d)}_{i_d} \in \mathcal {F}$. Furthermore, at most one entry of each message vector that our adversary considers will not lie in $\{0,1\}$. Hence, evaluations f(x) will never exceed p.
2.
The space of d-linear functions is contained in the space of degree-d polynomials. Hence, any compact FE scheme with decryption depth d for degree-d polynomials implies a compact FE scheme for d-linear functions with the same decryption depth d.

Our proof idea for Theorem 5 is to assume that $\textsf{FE}$ is secure, and then, to use Corollary 1 to deduce a contradiction. Set $M = \max \{2D+1, 2d_1\cdot d + 1\}$ and let $\mathcal {X}' := \{0,\ldots ,M\}$ be the message space of a new SKE scheme $\textsf{SKE}'$ that we will construct in the following according to Definition 12. Towards this end, we define the following $\textsf{Setup}_{\textsf{Pre}}'$ algorithm for the FE scheme in Theorem 5:

$\textsf{Setup}_{\textsf{Pre}}'$::

On input $1^\lambda $, $\textsf{Setup}_{\textsf{Pre}}'$ sets $Q = n^d$ and fixes deterministically an enumeration $\alpha _1,\ldots , \alpha _Q$ of $[n]^d$. For each tuple of indices $\alpha _i = (\alpha _{i,1},\ldots , \alpha _{i,d}) \in [n]^d$, it sets

$$\begin{aligned} f_{i}(X^{(1)}, \ldots , X^{(d)}) := X_{\alpha _{i,1}}^{(1)} \cdots X_{\alpha _{i,d}}^{(d)}. \end{aligned}$$

Additionally, it draws $i_* \leftarrow [Q]$ uniformly at random and sets $(\alpha _{*,1}, \ldots , \alpha _{*,d}) := \alpha _* := \alpha _{i_*} \in [n]^d$. Furthermore, it sets

$$\begin{aligned} \nu :\mathbb {Z}_p & \longrightarrow \mathbb {Z}_p^{d\times n}\\ x &\longmapsto (x \cdot e_{\alpha _{*,1}}, e_{\alpha _{*, 2}}, \ldots , e_{\alpha _{*,d}}), \end{aligned}$$

where $e_j$ denotes the j-th unit vector in $\mathbb {Z}_p^n$ for $j \in [n]$. It outputs $f_1,\ldots , f_Q$, $\nu $ and $i_*$. Note that we have for all $x \in \mathbb {Z}_p$,

$$\begin{aligned} \forall i \ne i_* :f_i(\nu (x)) &= 0,\\ f_{i_*}(\nu (x)) &= x. \end{aligned}$$

Given $\textsf{Setup}_{\textsf{Pre}}'$, we can define the partial SKE scheme $\textsf{SKE}' = (\textsf{Setup}', \textsf{Enc}', \_)$ as in Definition 12. To prove Theorem 5, we assume that $\textsf{FE}$ is selectively IND-CPA secure. Subsequently, we construct a fitting decryption algorithm $\textsf{Dec}'$ that has a non-negligible advantage at decrypting ciphertexts of $\textsf{SKE}'$. This in turn yields a contradiction to Corollary 1, thereby, proving that $\textsf{FE}$ cannot be secure. To construct $\textsf{Dec}'$, we first derandomize the key generation algorithm $\textsf{KeyGen}$ of $\textsf{FE}$, i.e., we can assume—without loss of generality—that $\textsf{KeyGen}$ is a deterministic algorithm. In fact, if $\textsf{KeyGen}$ is probabilistic, we can distinguish two cases: first, if one-way functions (OWFs) do not exist, then in particular IND-CPA secure SKEs cannot exist, and hence, FE cannot be IND-CPA secure. Second, if OWFs do exist, we can construct secure pseudorandom functions (PRFs) out of them. Using a PRF $\textsf{PRF}$, we can derandomize $\textsf{KeyGen}$ as follows: we change $\textsf{Setup}$ s.t. it additionally samples a random key k for $\textsf{PRF}$ and adds it to the output master secret key ${\textsf{msk}}$. Then, $\textsf{KeyGen}$ on input ${\textsf{msk}}$ and $f\in \mathcal {F}$, does not generate new random coins, instead it evaluates $\textsf{PRF}$ on k and a description of f and uses the output of $\textsf{PRF}(k,f)$ as bits for its random tape.

To continue the proof, we will now show some necessary properties of $\textsf{FE}$:

Lemma 3

There is a constant $D \in O(1)$ s.t. for each master secret key ${\textsf{msk}}' = ({\textsf{msk}}, \textsf{sk}_1, \ldots , \textsf{sk}_Q, \nu , i_*)$ output by $\textsf{Setup}'$, there exists a polynomial $h_{{\textsf{msk}}} \in \mathbb {Z}_q[T_1,\ldots , T_Q]$ with the following properties:

$$\begin{aligned} & h_{{\textsf{msk}}} \ne 0 \in \mathbb {Z}_q[T_1,\ldots , T_Q],\end{aligned}$$

(4)

$$\begin{aligned} & h_{{\textsf{msk}}}(\textsf{sk}_1, \ldots , \textsf{sk}_Q) = 0 \in \mathbb {Z}_q[Y_1,\ldots , Y_m],\end{aligned}$$

(5)

$$\begin{aligned} & \deg h_{{\textsf{msk}}} \le D. \end{aligned}$$

(6)

Furthermore, $h_{{\textsf{msk}}}$ only depends on ${\textsf{msk}}$.

Proof

Since $Q = n^d$ and $m = O(n)$, we have $Q \in \varOmega (m^d)$. Moreover, Theorem 5 requires each secret key $\textsf{sk}_i$ to be a polynomial over $\mathbb {Z}_q$ of degree d. Lemma 1 now implies that there is a constant D such that for each collection of degree-d polynomials $\textsf{sk}_1,\ldots , \textsf{sk}_Q \in \mathbb {Z}_q[Y_1,\ldots , Y_m]$ there exists an algebraic relationship h that fulfills the requirements in Eqs. (4) to (6).

Now, fix some ${\textsf{msk}}$. Since $\textsf{Setup}_{\textsf{Pre}}'$ chooses the functions $f_1,\ldots , f_Q$ deterministically and since we can assume that $\textsf{KeyGen}$ is derandomized, the secret keys $\textsf{sk}_1\leftarrow \textsf{KeyGen}({\textsf{msk}}, f_1)$,..., $\textsf{sk}_Q \leftarrow \textsf{KeyGen}({\textsf{msk}}, f_Q)$ only depend on ${\textsf{msk}}$. Since the algebraic relationship h only depends on q and $\textsf{sk}_1,\ldots ,\textsf{sk}_Q$, it follows that each choice of ${\textsf{msk}}$ determines a relationship $h_{\textsf{msk}}$ of degree $\le D$. $\square $

Note that $h_{{\textsf{msk}}}(\textsf{sk}_1(Y), \ldots , \textsf{sk}_m(Y))$ is the zero polynomial of $\mathbb {Z}_q[Y_1,\ldots , Y_m]$, which vanishes on each ciphertext of $\textsf{FE}$. If we choose $h_{{\textsf{msk}}}$ of minimal degree, we know that $h_{{\textsf{msk}}}(T_1,\textsf{sk}_2(Y), \ldots ,\textsf{sk}_{m}(Y))\in \mathbb {Z}_q[T_1,Y_2,\ldots ,Y_m]$ cannot be zero. However, it may happen that $h_{{\textsf{msk}}}(T_1,\textsf{sk}_2(Y), \ldots ,\textsf{sk}_{m}(Y))$ vanishes on almost all ciphertexts of $\textsf{FE}$. For our decryption algorithm $\textsf{Dec}'$, it will be important that we have for $\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, x)$,

$$\begin{aligned} &\Pr \left[ h_{{\textsf{msk}}}(T_1,\ldots , T_{i_*-1},\textsf{sk}_{i_*}(\textsf{ct}),\textsf{sk}_{i_*+1}(\textsf{ct}), \ldots , \textsf{sk}_{m}(\textsf{ct})) = 0 \right] \in 1 -\textsf{negl}(\lambda ), \\ &\Pr \left[ h_{{\textsf{msk}}}(T_1,\ldots , T_{i_*-1}, ~~~T_{i_*}~~~,\textsf{sk}_{i_*+1}(\textsf{ct}), \ldots , \textsf{sk}_{m}(\textsf{ct})) \ne 0 \right] \notin \textsf{negl}(\lambda ). \end{aligned}$$

Because, if there is a ciphertext $\textsf{ct}\in \mathbb {Z}_q^m$ s.t. $h_{{\textsf{msk}}}(T_1,\ldots , T_{i_*-1},\textsf{sk}_{i_*}(\textsf{ct}), \ldots ,\textsf{sk}_{m}(\textsf{ct})) = 0$, but $h_{{\textsf{msk}}}(T_1,\ldots , T_{i_*},\textsf{sk}_{i_*+1}(\textsf{ct}), \ldots , \textsf{sk}_{m}(\textsf{ct})) \ne 0$, then $\textsf{sk}_{i_*}(\textsf{ct})$ is a root of the polynomial $h_{{\textsf{msk}}}(T_1,\ldots , T_{i_*},\textsf{sk}_{i_* + 1}(\textsf{ct}), \ldots , \textsf{sk}_{m}(\textsf{ct}))$, which we consider as a univariate polynomial with coefficients in $\mathbb {Z}_q[T_{1}, \ldots , T_{i_* - 1}]$ and unknown $T_{i_*}$. Since this polynomial is non-zero, it has at most $\deg h_{{\textsf{msk}}} \le D$ different roots. In such cases, $\textsf{Dec}'$ can limit the number of potential values for $f_{i_*}(x)$ to D, which gives $\textsf{Dec}'$ a non-negligible advantage at decryption. To make these ideas concrete, let us introduce some technicalities.

Lemma 4

There exists a map $\mathcal {I}:\mathbb {N}\rightarrow P(\mathbb {N})$ s.t.

$$\begin{aligned} \forall \lambda \in \mathbb {N}:& \mathcal {I}(\lambda ) \subseteq [Q(\lambda )] \quad \text {and} \quad \#\mathcal {I}(\lambda ) = D. \end{aligned}$$

Additionally, the probability when we sample ${\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )$ that $h_{\textsf{msk}}$ contains non-trivially a monomial $T_{i_1}\cdots T_{i_{D'}}$ for some $D' \le D$ with $i_1,\ldots , i_{D'} \in \mathcal {I}(\lambda )$ is larger than $Q(\lambda )^{-D}$.

Proof

For each ${\textsf{msk}}$, $h_{{\textsf{msk}}}$ must be a non-zero polynomial in $\mathbb {Z}_q[T_1,\ldots , T_Q]$ of degree $\le D$. Since $\mathbb {Z}_q[T_1,\ldots , T_Q]$ contains $\left( {\begin{array}{c}Q + D\\ D\end{array}}\right) \le Q^D$ monomials of degree $\le D$, there must exist one monomial $T_{i_1}\cdots T_{i_{D'}}$ for each $\lambda \in \mathbb {N}$ s.t.

$$\begin{aligned} \mathop {\Pr }\limits _{{\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )}\left[ h \text { contains } T_{i_1}\cdots T_{i_{D'}} \right] \ge Q^{-D}. \end{aligned}$$

Hence, we can choose $\mathcal {I}(\lambda )$ s.t. it contains $i_1,\ldots , i_{D'}$. $\square $

By permuting the indices $1,\ldots , Q(\lambda )$ for each $\lambda \in \mathbb {N}$, we can enforce that the set $\mathcal {I}(\lambda )$ will be $\{1,\ldots , D\}$ for each $\lambda $. This is simply a relabeling of indices that does not change the algorithms $\textsf{Setup}$ and $\textsf{Setup}'$, but reduces some notations in the following.

We will call a master secret key ${\textsf{msk}}$ good, if $h_{{\textsf{msk}}}$ contains non-trivially a monomial $T_{i_1}\cdots T_{i_{D'}}$ with $i_1,\ldots , i_{D'} \in \mathcal {I}(\lambda ) = \{1,\ldots , D\}$, and we will call ${\textsf{msk}}$ bad, otherwise. Denote by $\textsf{Setup}_{\textsf{good}}(1^\lambda )$ the distribution of $\textsf{Setup}(1^\lambda )$ conditioned on the output ${\textsf{msk}}$ being good. For $\textsf{Setup}_{\textsf{good}}$, we have the following:

Theorem 6

For $u,n \in \mathbb {N}$, set $E_u := \left\{ e_i \cdot v ~|~ i \in [n], v \in \{0,\ldots ,u\} \right\} \subset \mathbb {Z}_p^n$ where $e_i$ denotes the i-th unit vector. Consider the poly-size subspace

$$\begin{aligned} \widetilde{\mathcal {X}}:= E_M \times E_1 \times \ldots \times E_1 \subset (\mathbb {Z}_p^n)^d. \end{aligned}$$

For $\lambda \in \mathbb {N}$, $x \in \widetilde{\mathcal {X}}_\lambda $ and $i \in \{1,\ldots , D+1\}$, set

$$\begin{aligned} p_\lambda (i,x) := & \mathop {\Pr }\limits _{\begin{array}{c} {\textsf{msk}}\leftarrow \textsf{Setup}_{\textsf{good}}(1^\lambda )\\ \textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, x) \end{array} }\left[ h_{{\textsf{msk}}}(T_1,\ldots , T_{i-1}, \textsf{sk}_{i}(\textsf{ct}), \ldots , \textsf{sk}_Q(\textsf{ct})) = 0 \right] . \end{aligned}$$

There is an index $i_\dagger \in [D]$ and functions $\varepsilon \in \textsf{negl}(\lambda )$, $\rho \notin \textsf{negl}(\lambda ), \rho \ge 0$ s.t. we have for all $\lambda \in \mathbb {N}$ and $x \in \widetilde{\mathcal {X}}_\lambda $,

$$\begin{aligned} &p_\lambda (i_\dagger , x) \ge 1 - \varepsilon (\lambda ),\\ &p_\lambda (i_\dagger , x) - p_\lambda (i_\dagger + 1, x) \ge \rho (\lambda ). \end{aligned}$$

The proof of Theorem 6 turns out to be very technical. The interested reader will find it in the full version of this paper [52]. Theorem 6 guarantees some homogeneity among ciphertexts of different messages. In particular, it states that the polynomial $h_{{\textsf{msk}}}(T_1,\ldots , T_{i_\dagger - 1}, \textsf{sk}_{i_\dagger }(\textsf{ct}), \ldots , \textsf{sk}_{Q}(\textsf{ct}))$ will almost always vanish on a ciphertext $\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, x)$, for any message $x \in \widetilde{\mathcal {X}}$, while the polynomial $h_{{\textsf{msk}}}(T_1,\ldots , T_{i_\dagger }, \textsf{sk}_{i_\dagger + 1}(\textsf{ct}), \ldots , \textsf{sk}_{Q}(\textsf{ct}))$ (in which the variable $T_{i_\dagger }$ remains unsubstituted) will with non-negligible probability not vanish.

Proof

(Theorem 5). Assume, for the sake of contradiction, that $\textsf{FE}$ is selectively IND-CPA secure. If that was the case, then $\textsf{SKE}'$ would be selectively IND-CPA secure as well. We lead this assumption to a contradiction by constructing a (computationally unbounded) decryption algorithm $\textsf{Dec}'$ for $\textsf{SKE}'$ that has a non-negligible advantage at decrypting correctly, i.e., there is a $\rho '(\lambda )\notin \textsf{negl}(\lambda )$ s.t.

$$\begin{aligned} \mathop {\Pr }\limits _{\begin{array}{c} x' \leftarrow \{0,\ldots , M\}, {\textsf{msk}}' \leftarrow \textsf{Setup}'(1^\lambda ),\\ \textsf{ct}' \leftarrow \textsf{Enc}'({\textsf{msk}}', x'), y' \leftarrow \textsf{Dec}'({\textsf{msk}}', \textsf{ct}') \end{array} }\left[ x' = y' \right] \ge \frac{1}{M + 1} + \rho '(\lambda ). \end{aligned}$$

This directly contradicts Corollary 1 and proves that the assumption is wrong. Hence, $\textsf{FE}$ must be insecure.

First, we sketch the strategy of $\textsf{Dec}'$. Towards this end, let ${\textsf{msk}}' =({\textsf{msk}}, \textsf{sk}_1, \ldots , \textsf{sk}_Q, \nu , i_*) \leftarrow \textsf{Setup}'(1^\lambda )$, $x' \in \mathcal {X}'$ and $\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu (x'))$. Then, a ciphertext $\textsf{ct}' := (c_1,\ldots , c_Q) \leftarrow \textsf{Enc}'({\textsf{msk}}', x')$ is given by

$$\begin{aligned} c_i = {\left\{ \begin{array}{ll} \textsf{sk}_i(\textsf{ct}), &{} \text { if } i \ne i_*,\\ 0, &{} \text { if } i = i_*.\\ \end{array}\right. } \end{aligned}$$

On input $({\textsf{msk}}', \textsf{ct}')$, $\textsf{Dec}'$ proceeds as follows:

1.
$\textsf{Dec}'$ checks if ${\textsf{msk}}$ is good. If ${\textsf{msk}}$ is bad, $\textsf{Dec}'$ terminates by outputting a uniformly random element of $\mathcal {X}' := \{0,\ldots , M\}$.
2.
$\textsf{Dec}'$ computes $i_\dagger \in [D]$ from Theorem 6. If $i_\dagger \ne i_*$, $\textsf{Dec}'$ terminates by outputting a uniformly random element of $\mathcal {X}' := \{0,\ldots , M\}$.
3.
$\textsf{Dec}'$ computes the set
$$\begin{aligned} A({\textsf{msk}}) := \left\{ w \in \mathbb {Z}_q^m ~|~ h_{{\textsf{msk}}}(T_1,\ldots , T_{i_* - 1}, \textsf{sk}_{i_*}(w), \ldots , \textsf{sk}_Q(w)) = 0 \right\} . \end{aligned}$$
According to Theorem 6, the original ciphertext $\textsf{ct}$ of $\textsf{Enc}({\textsf{msk}}, \nu (x'))$ lies in $A({\textsf{msk}})$ with overwhelming probability $p_\lambda (i_\dagger , x')\ge 1 - \varepsilon (\lambda )$. However, since $\textsf{Dec}'$ does not know $\textsf{ct}$, it cannot check if $\textsf{ct}$ lies in $A({\textsf{msk}})$. Hence, $\textsf{Dec}$ assumes from here on that $\textsf{ct}$ lies in $A({\textsf{msk}})$.
4.
$\textsf{Dec}'$ computes the subset
$$\begin{aligned} B({\textsf{msk}}) := \left\{ w \in A({\textsf{msk}}) ~|~ h_{{\textsf{msk}}}(T_1,\ldots , T_{i_*}, \textsf{sk}_{i_* + 1}(w), \ldots , \textsf{sk}_Q(w)) \ne 0 \right\} . \end{aligned}$$
Again, according to Theorem 6, $\textsf{ct}$ lies with non-negligible probability $1 - p_{\lambda }(i_\dagger +1, x')\ge \rho (\lambda )$ in $B({\textsf{msk}})$. Under the assumption that $\textsf{ct}$ lies in $A({\textsf{msk}})$, $\textsf{Dec}'$ can now check if $\textsf{ct}$ lies in $B({\textsf{msk}})$. If $\textsf{ct}$ does not lie in $B({\textsf{msk}})$, $\textsf{Dec}'$ outputs a uniformly random element of $\mathcal {X}'$ and stops.
5.
At this point, $\textsf{Dec}'$ knows that $\textsf{ct}$ lies in $B({\textsf{msk}})$ and can compute the set
$$\begin{aligned} S({\textsf{msk}}, \textsf{ct}') := \left\{ \textsf{sk}_{i_*}(w) ~|~ w \in B({\textsf{msk}}), \forall i \ne i_* :\textsf{sk}_i(w) = \textsf{sk}_i(\textsf{ct}) \right\} . \end{aligned}$$
It is clear that $S({\textsf{msk}}, \textsf{ct}')$ must contain $\textsf{sk}_{i_*}(\textsf{ct})$. We will show that $S({\textsf{msk}}, \textsf{ct}')$ contains at most $\deg h_{{\textsf{msk}}} \le D \le M/2$ different values. $\textsf{Dec}'$ chooses a uniformly random value $\textsf{sk}_{i_*}(w)$ from $S({\textsf{msk}}, \textsf{ct}')$ and outputs
$$\begin{aligned} \left\lceil \textsf{sk}_{i_*}(w) \cdot \frac{p}{q} \right\rfloor = \textsf{Dec}(\textsf{sk}_{i_*}, w) \in \mathbb {Z}_p. \end{aligned}$$

Let $y'$ be the value output by $\textsf{Dec}'({\textsf{msk}}', \textsf{ct}')$. Since $\textsf{Dec}'$ outputs a uniformly random element of $\{0,\ldots , M\}$ whenever ${\textsf{msk}}$ is bad or $i_* \ne i_\dagger $, it suffices to lower-bound the probability of $\textsf{Dec}'$ to return the correct message $x'$ in the case where ${\textsf{msk}}$ is good and $i_* = i_\dagger $ (both events will happen with non-negligible probability $\ge Q^{-D-1}$). In this case, we have

$$\begin{aligned} \Pr \left[ y' = x' \right] \ge & \Pr \left[ y' = x' \mid \textsf{ct}\in A({\textsf{msk}}) \right] \cdot \Pr [\textsf{ct}\in A({\textsf{msk}})] \\ & + \Pr \left[ y' = x' \mid \textsf{ct}\notin A({\textsf{msk}}) \right] \cdot \Pr [\textsf{ct}\notin A({\textsf{msk}})] \\ \ge & \Pr \left[ y' = x' \mid \textsf{ct}\in A({\textsf{msk}}) \right] \cdot (1 - \varepsilon (\lambda ))\\ \ge & \Pr \left[ y' = x' \mid \textsf{ct}\in A({\textsf{msk}}) \right] - \varepsilon (\lambda )\\ \ge & \Pr \left[ y' = x' \mid \textsf{ct}\in B({\textsf{msk}}) \right] \cdot \rho (\lambda ) \\ & + \Pr \left[ y' = x' \mid \textsf{ct}\in A({\textsf{msk}})\setminus B({\textsf{msk}}) \right] \cdot (1 - \rho (\lambda )) - \varepsilon (\lambda )\\ \ge & \Pr \left[ y' = x' \mid \textsf{ct}\in B({\textsf{msk}}) \right] \cdot \rho (\lambda ) + \frac{1}{M + 1} \cdot (1 - \rho (\lambda )) - \varepsilon (\lambda )\\ \ge & \frac{2}{M} \cdot \rho (\lambda ) + \frac{1}{M + 1} \cdot (1 - \rho (\lambda )) - \varepsilon (\lambda ) \ge \frac{\rho (\lambda )}{M} + \frac{1}{M + 1}. \end{aligned}$$

This yields a contradiction with the statement of Corollary 1.

What remains is to show that the set $S({\textsf{msk}}, \textsf{ct}')$ contains at most $D < M/2$ elements for $\textsf{ct}\in B({\textsf{msk}})$. To this end, set

$$\begin{aligned} g(T_{i_*}) = h_{{\textsf{msk}}}(T_1,\ldots , T_{i_*}, \textsf{sk}_{i_* + 1}(\textsf{ct}), \ldots , \textsf{sk}_Q(\textsf{ct})). \end{aligned}$$

We consider g as a univariate polynomial with coefficients in $\mathbb {Z}_q[T_{1}, \ldots , T_{i_* - 1}]$ and of degree $\le D$. Since $\textsf{ct}\in B({\textsf{msk}})$, we know that g is not the zero polynomial. On the other hand, we know that $g(\textsf{sk}_*(\textsf{ct})) = 0$, since we assume $\textsf{ct}\in A({\textsf{msk}})$. In fact, each element of $S({\textsf{msk}}, \textsf{ct}')$ is a root of g. It follows that $S({\textsf{msk}}, \textsf{ct}')$ has at most $\deg g \le \deg h_{{\textsf{msk}}} \le D < M/2$ elements. Since $x'\in \mathcal {X}'$ was chosen arbitrarily, the non-negligible advantage of $\textsf{Dec}'$ at decryption follows. $\square $

Notes

1.
An exception is the decryption algorithms of some ABE schemes [27, 37], that need to evaluate a predicate of high depth at decryption. If those ABE schemes are only instantiated with constant depth predicates, then their decryption algorithm also fits our framework. For more exceptions, see the limits on our results in the full version of this paper [52].
2.
However, it should be noted that most FHE schemes use an inverse gadget matrix at homomorphic evaluations, which circumvents our restrictions at encryption.
3.
The runtime of the attack that is implicitly used by Theorem 2 lies in $\textsf{poly}(q/p)$. If q/p is superpolynomial, then our result still yields an adversary with equally superpolynomial time complexity.
4.
Technically, [18, 26] define compactness with respect to the running time of the encryption algorithm. More precisely, the running time of the encryption algorithm must only be a polynomial in the security parameter and input message length, and has only sublinear dependency on the function size, i.e., $\textsf{poly}(\lambda ,|x|) \cdot |f|^{1-e}$ for some constant $e \in (0,1]$.
5.
Note that we allow the advantage of $\mathcal {A}$ to be negative. This may seem strange, however, this notion of advantage is linear, i.e., we may condition and partition $\mathcal {A}$’s advantage on different events.
6.
More precisely, we have that $c = 2(d+1)^2(d!)^3d^d$ as shown in [55].

References

Abdalla, M., Benhamouda, F., Gay, R.: From single-input to multi-client inner-product functional encryption. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part III. LNCS, vol. 11923, pp. 552–582. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_19
Chapter Google Scholar
Abdalla, M., Benhamouda, F., Kohlweiss, M., Waldner, H.: Decentralizing inner-product functional encryption. In: Lin, D., Sako, K. (eds.) PKC 2019, Part II. LNCS, vol. 11443, pp. 128–157. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_5
Chapter Google Scholar
Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 733–751. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_33
Chapter Google Scholar
Abdalla, M., Catalano, D., Fiore, D., Gay, R., Ursu, B.: Multi-input functional encryption for inner products: function-hiding realizations and constructions without pairings. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 597–627. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_20
Chapter Google Scholar
Abdalla, M., Catalano, D., Gay, R., Ursu, B.: Inner-product functional encryption with fine-grained access control. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part III. LNCS, vol. 12493, pp. 467–497. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_16
Chapter Google Scholar
Abdalla, M., Gay, R., Raykova, M., Wee, H.: Multi-input inner-product functional encryption from pairings. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 601–626. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_21
Chapter Google Scholar
Abdalla, M., Gong, J., Wee, H.: Functional encryption for attribute-weighted sums from k-Lin. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part I. LNCS, vol. 12170, pp. 685–716. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_23
Chapter Google Scholar
Agrawal, S.: Indistinguishability obfuscation without multilinear maps: new methods for bootstrapping and instantiation. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 191–225. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_7
Chapter Google Scholar
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Chapter Google Scholar
Agrawal, S., Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption: new perspectives and lower bounds. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 500–518. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_28
Chapter Google Scholar
Agrawal, S., Goyal, R., Tomida, J.: Multi-input quadratic functional encryption from pairings. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part IV. LNCS, vol. 12828, pp. 208–238. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_8
Chapter Google Scholar
Agrawal, S., Goyal, R., Tomida, J.: Multi-party functional encryption. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part II. LNCS, vol. 13043, pp. 224–255. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90453-1_8
Chapter Google Scholar
Agrawal, S., Goyal, R., Tomida, J.: Multi-input quadratic functional encryption: stronger security, broader functionality. In: Kiltz, E., Vaikuntanathan, V. (eds.) Theory of Cryptography, TCC 2022, Part I. LNCS, vol. 13747, pp. 711–740. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22318-1_25
Agrawal, S., Libert, B., Maitra, M., Titiu, R.: Adaptive simulation security for inner product functional encryption. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020, Part I. LNCS, vol. 12110, pp. 34–64. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_2
Chapter Google Scholar
Agrawal, S., Libert, B., Stehlé, D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part III. LNCS, vol. 9816, pp. 333–362. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_12
Chapter Google Scholar
Agrawal, S., Pellet-Mary, A.: Indistinguishability obfuscation without maps: attacks and fixes for noisy linear FE. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part I. LNCS, vol. 12105, pp. 110–140. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_5
Chapter Google Scholar
Agrawal, S., Rosen, A.: Functional encryption for bounded collusions, revisited. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 173–205. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_7
Chapter Google Scholar
Ananth, P., Jain, A.: Indistinguishability obfuscation from compact functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 308–326. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_15
Chapter Google Scholar
Ananth, P., Jain, A., Sahai, A.: Indistinguishability obfuscation from functional encryption for simple functions. Cryptology ePrint Archive, Report 2015/730 (2015). https://eprint.iacr.org/2015/730
Ananth, P., Sahai, A.: Projective arithmetic functional encryption and indistinguishability obfuscation from degree-5 multilinear maps. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 152–181. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_6
Chapter Google Scholar
Ananth, P., Vaikuntanathan, V.: Optimal bounded-collusion secure functional encryption. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part I. LNCS, vol. 11891, pp. 174–198. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36030-6_8
Chapter Google Scholar
Applebaum, B., Avron, J., Brzuska, C.: Arithmetic cryptography: extended abstract. In: Roughgarden, T. (ed.) ITCS 2015, pp. 143–151. ACM (2015). https://doi.org/10.1145/2688073.2688114
Baltico, C.E.Z., Catalano, D., Fiore, D., Gay, R.: Practical functional encryption for quadratic functions with applications to predicate encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 67–98. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_3
Chapter Google Scholar
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 93, pp. 62–73. ACM Press (1993). https://doi.org/10.1145/168588.168596
Bishop, A., Jain, A., Kowalczyk, L.: Function-hiding inner product encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part I. LNCS, vol. 9452, pp. 470–491. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_20
Chapter Google Scholar
Bitansky, N., Vaikuntanathan, V.: Indistinguishability obfuscation from functional encryption. In: Guruswami, V. (ed.) 56th FOCS, pp. 171–190. IEEE Computer Society Press (2015). https://doi.org/10.1109/FOCS.2015.20
Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30
Chapter Google Scholar
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_16
Chapter Google Scholar
Brakerski, Z., Döttling, N., Garg, S., Malavolta, G.: Leveraging linear decryption: rate-1 fully-homomorphic encryption and time-lock puzzles. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part II. LNCS, vol. 11892, pp. 407–437. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_16
Chapter Google Scholar
Chen, Y., Vaikuntanathan, V., Waters, B., Wee, H., Wichs, D.: Traitor-tracing from LWE made simple and attribute-based. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018, Part II. LNCS, vol. 11240, pp. 341–369. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_13
Chapter Google Scholar
Chotard, J., Dufour Sans, E., Gay, R., Phan, D.H., Pointcheval, D.: Decentralized multi-client functional encryption for inner product. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part II. LNCS, vol. 11273, pp. 703–732. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_24
Chapter Google Scholar
Cini, V., Ramacher, S., Slamanig, D., Striecks, C., Tairi, E.: (inner-product) functional encryption with updatable ciphertexts. J. Cryptol. 37(1), 8 (2023). https://doi.org/10.1007/s00145-023-09486-y
Article MathSciNet Google Scholar
De Caro, A., Iovino, V., Jain, A., O’Neill, A., Paneth, O., Persiano, G.: On the achievability of simulation-based security for functional encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 519–535. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_29
Chapter Google Scholar
Fuchsbauer, G., Kiltz, E., Loss, J.: The algebraic group model and its applications. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 33–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_2
Chapter Google Scholar
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press (2013). https://doi.org/10.1109/FOCS.2013.13
Gay, R.: A new paradigm for public-key functional encryption for degree-2 polynomials. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020, Part I. LNCS, vol. 12110, pp. 95–120. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_4
Chapter Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 545–554. ACM Press, June 2013. https://doi.org/10.1145/2488608.2488677
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_25
Chapter Google Scholar
Guo, S., Kamath, P., Rosen, A., Sotiraki, K.: Limits on the efficiency of (ring) LWE-based non-interactive key exchange. J. Cryptol. 35(1), 1 (2022). https://doi.org/10.1007/s00145-021-09406-y
Article MathSciNet Google Scholar
Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from well-founded assumptions. In: Khuller, S., Williams, V.V. (eds.) 53rd ACM STOC, pp. 60–73. ACM Press, June 2021. https://doi.org/10.1145/3406325.3451093
Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from LPN over $\mathbb{F}_p$, DLIN, and PRGs in ${NC}^0$. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part I. LNCS, May/Jun 2022, vol. 13275, pp. 670–699. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-06944-4_23
Kitagawa, F., Nishimaki, R., Tanaka, K.: Obfustopia built on secret-key functional encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 603–648. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_20
Chapter Google Scholar
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. DCC 75(3), 565–599 (2015). https://doi.org/10.1007/s10623-014-9938-4
Article MathSciNet Google Scholar
Libert, B., Ţiţiu, R.: Multi-client functional encryption for linear functions in the standard model from LWE. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part III. LNCS, vol. 11923, pp. 520–551. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_18
Chapter Google Scholar
Lin, H.: Indistinguishability obfuscation from SXDH on 5-Linear maps and locality-5 PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 599–629. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_20
Chapter Google Scholar
Lin, H., Tessaro, S.: Indistinguishability obfuscation from trilinear maps and block-wise local PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 630–660. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_21
Chapter Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Chapter Google Scholar
Maurer, U.M.: Abstract models of computation in cryptography (invited paper). In: Smart, N.P. (ed.) 10th IMA International Conference on Cryptography and Coding. LNCS, vol. 3796, pp. 1–12. Springer, Heidelberg (Dec (2005). https://doi.org/10.1007/11586821_1
Chapter Google Scholar
O’Neill, A.: Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010). https://eprint.iacr.org/2010/556
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, May 2005, pp. 84–93. ACM Press (2005). https://doi.org/10.1145/1060590.1060603
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18
Chapter Google Scholar
Tairi, E., Ünal, A.: Lower bounds for lattice-based compact functional encryption. Cryptology ePrint Archive, Paper 2023/719 (2023). https://eprint.iacr.org/2023/719
Tomida, J.: Tightly secure inner product functional encryption: multi-input and function-hiding constructions. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part III. LNCS, vol. 11923, pp. 459–488. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_16
Chapter Google Scholar
Tomida, J.: Unbounded quadratic functional encryption and more from pairings. In: Hazay, C., Stam, M. (eds.) Proceedings of the Advances in Cryptology – EUROCRYPT 2023, Part III: 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, 23–27 April 2023, pp. 543–572. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30620-4_18
Ünal, A.: Impossibility results for lattice-based functional encryption schemes. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part I. LNCS, vol. 12105, pp. 169–199. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_7
Chapter Google Scholar
Ünal, A.: Worst-case subexponential attacks on PRGs of constant Degree or constant locality. In: Hazay, C., Stam, M. (eds.) Advances in Cryptology – EUROCRYPT 2023, Part I: Proceedings of the 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, France, 23–27 April 2023, pp. 25–54. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30545-0_2

Download references

Acknowledgements

We want to thank the anonymous reviewers of TCC and Eurocrypt for their very helpful comments and suggestions. This work has received funding from the Austrian Science Fund (FWF) and netidee SCIENCE via grant P31621-N38 (PROFET).

Author information

Authors and Affiliations

DIENS, École normale supérieure, CNRS, Inria, PSL University, Paris, France
Erkan Tairi
ISTA, Klosterneuburg, Austria
Akin Ünal

Authors

Erkan Tairi
View author publications
You can also search for this author in PubMed Google Scholar
Akin Ünal
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Erkan Tairi .

Editor information

Editors and Affiliations

Zama, Paris, France
Marc Joye
Ruhr University Bochum, Bochum, Germany
Gregor Leander

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Tairi, E., Ünal, A. (2024). Lower Bounds for Lattice-Based Compact Functional Encryption. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14652. Springer, Cham. https://doi.org/10.1007/978-3-031-58723-8_9

Download citation

DOI: https://doi.org/10.1007/978-3-031-58723-8_9
Published: 08 May 2024
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-58722-1
Online ISBN: 978-3-031-58723-8
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

Lower Bounds for Lattice-Based Compact Functional Encryption

Abstract

1 Introduction

1.1 Lattice-Based Functional Encryption Framework

Definition 1

1.2 Contribution

Theorem 1

1.3 Interpretation, Limitations and Open Problems

Conjecture 1

1.4 Related Work

1.5 Technical Overview

Theorem 2

Definition 2

Example 1

Theorem 3

2 Preliminaries

Lemma 1

2.1 Functional Encryption

Definition 3

Definition 4

Definition 5

2.2 Lattice-Based Encryption Algorithms

Definition 6

Definition 7

Definition 8

Definition 9

2.3 Secret-Key Encryption

Definition 10

Definition 11

3 General Approach

Theorem 4

Definition 12

Lemma 2

Proof

Corollary 1

4 Lower Bounds for Compact Functional Encryption

Theorem 5

Remark 1

Lemma 3

Proof

Lemma 4

Proof

Theorem 6

Proof

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation