Abstract
Functional encryption (FE) is a primitive where the holder of a master secret key can control which functions a user can evaluate on encrypted data. It is a powerful primitive that even implies indistinguishability obfuscation (iO), given sufficiently compact ciphertexts (Ananth-Jain, CRYPTO’15 and Bitansky-Vaikuntanathan, FOCS’15). However, despite being extensively studied, there are FE schemes, such as function-hiding inner-product FE (Bishop-Jain-Kowalczyk, AC’15, Abdalla-Catalano-Fiore-Gay-Ursu, CRYPTO’18) and compact quadratic FE (Baltico-Catalano-Fiore-Gay, Lin, CRYPTO’17), that can only be realized using pairings. This raises the question of whether there are mathematical barriers that hinder us from realizing these FE schemes from other assumptions.
In this paper, we study the difficulty of constructing lattice-based compact FE. We generalize the impossibility results of Ünal (EC’20) for lattice-based function-hiding FE, and extend it to the case of compact FE. Concretely, we prove lower bounds for lattice-based compact FE schemes which meet some (natural) algebraic restrictions at encryption and decryption, and have ciphertexts of linear size and secret keys of minimal degree. We see our results as important indications of why it is hard to construct lattice-based FE schemes for new functionalities, and which mathematical barriers have to be overcome.
E. Tairi—work done while the author was at TU Wien.
A. Ünal—work done while the author was at ETH Zurich.
1 Introduction
Functional encryption (FE) [28, 49] is an advanced encryption primitive that allows fine-grained access control over the encrypted data. In contrast to conventional encryption schemes, which are all-or-nothing, in FE there is a master secret key \({\textsf{msk}}\) that allows to generate constrained functional secret keys. More precisely, every secret key \(\textsf{sk}_f\) is associated with a function f and, given an encryption of some message x, the decryption with \(\textsf{sk}_f\) only reveals f(x), and nothing more about x.
Since its introduction, FE has been subject to intense study, which resulted in both FE schemes for general functionalities [17, 21, 30, 35], thereby entailing feasibility results, and FE schemes for limited classes of functions that are of particular interest for practical applications, e.g., (function-hiding) inner-product FE (IPFE) [3, 14, 15, 25, 45, 53] and compact FE for quadratic functions [20, 23, 36, 45, 54]. Furthermore, IPFE and quadratic FE have been extended to multi-input [4, 6, 11, 13], (decentralized) multi-client [1, 2, 12, 31, 44], and identity/attribute-based [5, 32] settings.
We also know that FE is a powerful primitive that even implies indistinguishability obfuscation (iO). In fact, it has been shown that a succinct subexponentially secure single-key FE implies iO [8, 16, 18, 26, 40,41,42, 46].
Moreover, we know that FE for general functionalities with a bounded number of secret keys (that an adversary can learn) can be achieved from minimal assumptions [21], such as public-key encryption (PKE) and one-way functions (OWFs). However, if we want to achieve security for an unbounded number of secret keys, we either need to rely on heavy machinery, such as iO [35], or restrict ourselves to (function-hiding) IPFE, linearly compact quadratic FE, or FE for constant-degree polynomials obtained by relinearization. Even so, for linearly compact quadratic FE and function-hiding FE the only known constructions are pairing-based [23, 25, 36, 45].
In a recent work, Ünal [55] showed the implausibility of constructing lattice-based function-hiding IPFE. More precisely, he extracted the common properties (of the decryption and encryption algorithms) of known lattice-based FE schemes, and showed that under these properties an FE scheme cannot be function-hiding. Given this result and the usefulness of compact FE for constructing advanced primitives, such as iO, we ask the following question in this work:
What hinders us from constructing compact lattice-based FE?
1.1 Lattice-Based Functional Encryption Framework
To investigate the above question, we need to capture lattice-based FE schemes in a non-black box way. Towards this end, we reintroduce here the framework of Ünal [55]:
Definition 1
(Lattice-Based FE Scheme). Let \(\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc},\textsf{Dec})\) be an FE scheme. Let q be a prime and \(p < q\) be the modulus of the message space. We call \(\textsf{FE}\) lattice-based if the following conditions are met:
1. \(\textsf{Enc}\) computes ciphertexts as follows: On input a master secret key \({\textsf{msk}}\) and a message \(x \in \mathbb {Z}_p^n\), \(\textsf{Enc}\) first samples (potentially correlated) polynomials \(r_1, \ldots , r_m \in \mathbb {Z}_q[X_1,\ldots , X_n]\) of constant degree without looking at x. It then evaluates \(r_1,\ldots , r_m\) at x and outputs the ciphertext
   $$\begin{aligned} \textsf{ct}_x :=(r_1(x), \ldots , r_m(x)) \in \mathbb {Z}_q^m. \end{aligned}$$
2. Each secret key output by \(\textsf{KeyGen}\) is a polynomial in \(\mathbb {Z}_q[Z_1,\ldots ,Z_m]\) of constant degree.
3. On input a secret key \(\textsf{sk}\in \mathbb {Z}_q[Z_1,\ldots ,Z_m]\) and a ciphertext \(\textsf{ct}\in \mathbb {Z}_q^m\), the decryption algorithm \(\textsf{Dec}\) evaluates the polynomial \(\textsf{sk}\) at \(\textsf{ct}\) and rounds the result to the nearest integer modulo p, i.e.,
   $$\begin{aligned} \textsf{Dec}(\textsf{sk}, \textsf{ct}) = \left\lceil \textsf{sk}(\textsf{ct}) \cdot {p}/{q} \right\rfloor \in \mathbb {Z}_p. \end{aligned}$$
The lattice-based FE framework makes strong restrictions on the encryption and decryption algorithms of FE schemes. However, since compact and function-hiding FE schemes do exist assuming the security of pairing groups [25, 36], it is necessary to restrict the computational model of an FE scheme at some point. We argue that the restrictions made by the framework of [55] are the right ones, in the sense that they are loose enough to capture all relevant FE schemes whose security relies on the Learning With Errors (LWE) assumption. Moreover, these restrictions are decisive enough to make impossibility results for schemes captured by this framework provable. Let us discuss this in more detail. A closer look at the existing lattice-based IBE/ABE/PE/FE schemes [9, 15,16,17, 27, 37] reveals that the restrictions imposed in Definition 1 are quite natural and fulfilled by most of these schemes (Footnote 1). As a prime example, we present here the encryption algorithm of the IPFE scheme due to Agrawal, Libert and Stehlé [15]: The public key consists of two matrices \(A \in \mathbb {Z}_q^{m \times n}, B \in \mathbb {Z}_q^{\ell \times n}\). To encrypt an input vector \(x \in \mathbb {Z}_p^\ell \), a ciphertext is generated by sampling a uniformly random vector \(s \leftarrow \mathbb {Z}_q^n\) and two Gaussian noise vectors \(e_0 \leftarrow \mathcal {D}_{\mathbb {Z}^m,\sigma }, e_1 \leftarrow \mathcal {D}_{\mathbb {Z}^\ell , \sigma }\), and computing
where f is the scaling factor (commonly \(\left\lfloor q/K \right\rfloor \), for some integer K). Now observe that we can rewrite this in two parts:
- a complex offline part, where \(m + \ell \) multivariate degree-1 polynomials
  $$\begin{aligned} g_1(X),\ldots ,g_m(X),h_1(X),\ldots ,h_\ell (X) \in \mathbb {Z}_q[X_1,\ldots , X_\ell ] \end{aligned}$$
  are sampled from the public values (p, q, f, A, B) and the fresh randomness \(s, e_0, e_1\) (and without looking at the input x); writing \(a_i\) for the i-th row of A and \(b_j\) for the j-th row of B, they are
  $$\begin{aligned} g_i(X_1,\ldots ,X_\ell ) &:= \langle a_i \mid s \rangle + e_{0,i}, & i \in [m], \\ h_j(X_1,\ldots ,X_\ell ) &:= \langle b_j \mid s \rangle + e_{1,j} + f \cdot X_j, & j \in [\ell ], \end{aligned}$$
- and a simple online part, where the previously sampled polynomials are evaluated at the input x in order to compute the ciphertext,
  $$\begin{aligned} \textsf{ct}= (g_1(x),\ldots ,g_m(x),h_1(x),\ldots ,h_\ell (x)). \end{aligned}$$
This shows that the encryption algorithm of [15] fits into our framework (their decryption algorithm falls into our framework too, which is easy to verify).
For our restrictions at decryption, we point out that Brakerski et al. [29] already noted that all lattice-based fully homomorphic encryption (FHE) schemes (Footnote 2) decrypt by evaluating a low-degree polynomial at the ciphertext and then rounding the result.
Moreover, we note that since the publication of [55] there has been no construction of function-hiding FE from LWE (or any other lattice-based assumption). While the results of [55] only hold in the aforementioned lattice-based FE framework, they have (up to now) correctly predicted that constructing function-hiding FE from LWE requires breakthrough methods. This justifies seeing the framework of [55] as a gauge for measuring the hardness of constructing lattice-based FE schemes and for understanding the mathematical barriers that need to be overcome.
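To make the two restrictions concrete, the following Python code is an added illustration and not code from the paper or from [15]: a toy, insecure instance of Definition 1 built along the lines of the encryption algorithm sketched above. Encryption is split into an offline phase that samples the degree-1 polynomials \(g_i, h_j\) without seeing x and an online phase that merely evaluates them at x; a secret key is a degree-1 polynomial in the ciphertext coordinates; decryption evaluates it and rounds from \(\mathbb {Z}_q\) to \(\mathbb {Z}_p\). The parameter sizes, the ternary noise standing in for Gaussian noise, the choice \(K = p\) for the scaling factor, the secret-key matrix Z with \(B = Z \cdot A\), and the form of the key polynomial are assumptions made for this example.

```python
"""Toy instance of the lattice-based FE framework (Definition 1): an ALS-style
inner-product FE whose encryption is an offline/online split into degree-1
polynomials and whose decryption is a degree-1 polynomial in the ciphertext
followed by rounding from Z_q to Z_p.  Parameters are illustrative, not secure."""
import random


def poly_eval(poly, point, q):
    """Evaluate a degree-1 polynomial, given as (constant, coefficient list), at `point` in Z_q."""
    const, coeffs = poly
    return (const + sum(a * v for a, v in zip(coeffs, point))) % q


def round_q_to_p(v, p, q):
    """Nearest-integer rounding of (v mod q) * p / q in exact integer arithmetic, reduced mod p."""
    return ((2 * (v % q) * p + q) // (2 * q)) % p


class ToyIPFE:
    """Secret-key IPFE for f_y(x) = <y, x> mod p with x, y in Z_p^ell (assumed toy parameters)."""

    def __init__(self, n=6, m=10, ell=4, p=257, q=2**31 - 1, seed=1):
        # n: LWE secret dimension, m: number of LWE samples, ell: message length.
        # Ciphertexts live in Z_q^{m + ell}, so the "m" of Definition 1 is m + ell here.
        self.n, self.m, self.ell, self.p, self.q = n, m, ell, p, q
        self.f = q // p  # scaling factor floor(q/K) with K = p
        self.rng = random.Random(seed)
        rng = self.rng
        # A is uniform over Z_q^{m x n}; Z is a small matrix in {-1,0,1}^{ell x m}; B = Z*A mod q.
        self.A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
        self.Z = [[rng.choice((-1, 0, 1)) for _ in range(m)] for _ in range(ell)]
        self.B = [[sum(self.Z[j][i] * self.A[i][k] for i in range(m)) % q for k in range(n)]
                  for j in range(ell)]

    def enc_offline(self):
        """Offline phase: sample the m + ell degree-1 polynomials g_i, h_j without seeing x."""
        q, rng = self.q, self.rng
        s = [rng.randrange(q) for _ in range(self.n)]
        e0 = [rng.choice((-1, 0, 1)) for _ in range(self.m)]   # small noise in place of Gaussian
        e1 = [rng.choice((-1, 0, 1)) for _ in range(self.ell)]
        polys = []
        for i in range(self.m):    # g_i(X) = <a_i | s> + e_{0,i}, constant in X
            const = (sum(a * si for a, si in zip(self.A[i], s)) + e0[i]) % q
            polys.append((const, [0] * self.ell))
        for j in range(self.ell):  # h_j(X) = <b_j | s> + e_{1,j} + f * X_j
            const = (sum(b * si for b, si in zip(self.B[j], s)) + e1[j]) % q
            coeffs = [0] * self.ell
            coeffs[j] = self.f
            polys.append((const, coeffs))
        return polys

    def enc(self, x):
        """Online phase: evaluate the sampled polynomials at the message x in Z_p^ell."""
        return [poly_eval(r, x, self.q) for r in self.enc_offline()]

    def keygen(self, y):
        """Key for y: the degree-1 polynomial sk_y(Y) = sum_j y_j Y_{m+j} - sum_i (Z^T y)_i Y_i."""
        zty = [sum(self.Z[j][i] * y[j] for j in range(self.ell)) for i in range(self.m)]
        coeffs = [(-v) % self.q for v in zty] + [yj % self.q for yj in y]
        return (0, coeffs)

    def dec(self, sk, ct):
        """Evaluate sk at ct in Z_q, then round to the nearest multiple of q/p and reduce mod p."""
        return round_q_to_p(poly_eval(sk, ct, self.q), self.p, self.q)


if __name__ == "__main__":
    fe = ToyIPFE(seed=7)
    x, y = [3, 200, 41, 256], [5, 7, 256, 1]          # constructed sample inputs
    print(fe.dec(fe.keygen(y), fe.enc(x)), sum(a * b for a, b in zip(x, y)) % fe.p)
```

Evaluating `sk_y` on a ciphertext gives \(f \cdot \langle y, x \rangle + \langle y, e_1 \rangle - \langle Z^T y, e_0 \rangle\) modulo q, so the rounding succeeds exactly when the noise term stays below \(q/(2p)\); with the toy sizes above that margin is large, which is why the test below is deterministic.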
1.2 Contribution
We generalize the results of Ünal [55] for lattice-based function-hiding FE, and extend them to the setting of lattice-based compact FE. Our main contribution is captured with the following informal theorem.
Theorem 1
(Informal version of Main Theorem 5). Let \(q > p\) be s.t. q is prime, \(q/p \in \textsf{poly}(\lambda )\) and p is greater than some constant.
Let \(\textsf{FE}\) be a lattice-based functional encryption scheme for polynomials of degree \(d > 1\) with input space \(\mathbb {Z}_p^n\), where each ciphertext is contained in \(\mathbb {Z}_q^m\).
Assume that \(\textsf{FE}\) is linearly compact, i.e., \(m \in O(n)\), and that each secret key output by \(\textsf{KeyGen}\) is a degree-d polynomial over the ciphertexts.
If \(\textsf{FE}\) is correct, then it cannot be selectively IND-CPA secure.
At a high level, our proof idea consists of deriving a (special) SKE scheme from a lattice-based compact FE scheme. Using the existence of low-degree algebraic relationships, which was shown in [56], together with the compactness of the FE scheme, we prove the correctness of this SKE scheme. This in turn contradicts Corollary 3 of [55] (cf. Theorem 2) and implicitly yields an attack on lattice-based compact FE schemes.
1.3 Interpretation, Limitations and Open Problems
Parameter Restrictions. We have parameter restrictions analogous to those in [55]. More precisely, in order to prove Theorem 1, we require that the exterior modulus q of the FE scheme is prime. Furthermore, the fraction q/p needs to be bounded by a polynomial (Footnote 3) in the security parameter \(\lambda \), where p is the interior modulus, and p needs to be greater than some constant that depends on the depth of the FE scheme. These parameter restrictions are usual for schemes whose security is implied by standard LWE, i.e., LWE with polynomial modulus q, which is at least as hard as worst-case lattice problems [50].
Additionally, we require a strict notion of compactness where we demand the dimension of ciphertexts to be linear in the length of messages. Furthermore, we assume decryption to be as simple as possible, i.e., the algebraic degree of secret keys must equal the algebraic degree of the functionality supported by the FE scheme.
To relax both requirements it would be necessary to prove some technical theorem about homogeneity of ciphertexts (Theorem 6) for more general FE schemes. Concretely, we suspect the following:
Conjecture 1
Let \(\textsf{FE}\) be a lattice-based FE scheme for degree-d polynomials over n variables. Furthermore, let \(\textsf{FE}\) be relaxed compact, i.e., we have \(m \in O(n^{d-e})\) where m is the dimension of ciphertexts of \(\textsf{FE}\) and \(e > 0\) is some fixed constant. Denote by \(d_2\) the decryption depth of \(\textsf{FE}\).
If \(\textsf{FE}\) is IND-CPA secure against adversaries of complexity \(n^{O(n^{d-e\cdot {d_2}/(d_2 - 1)})}\), then Theorem 6 does hold for \(\textsf{FE}\). This implies that \(\textsf{FE}\) cannot be IND-CPA secure against adversaries of size \(n^{O(n^{d-e\cdot {d_2}/(d_2 - 1)})}\) if \(\textsf{FE}\) is correct.
Interpretation and Open Problems. We view the results in this paper as a useful argument in understanding the difficulties of constructing lattice-based compact FE schemes. We leave it as an interesting open problem to derive similar lower bounds for other types of FE schemes, such as noisy linear FE [16] or FE for attribute-weighted sums [7].
A potential approach to circumvent the lower bounds introduced here is to consider gadget matrices (as in FHE schemes and in the predicate encryption scheme of [38]). More precisely, if during encryption we compute a bit-decomposition \(G^{-1}(x)\) of the input vector x, then our techniques are no longer applicable, and one would need to develop more advanced techniques. However, it is still unclear whether inverse gadget sampling is helpful for constructing lattice-based FE schemes. We discuss more open questions and ways to circumvent our results in the full version of this paper [52].
Note on Algebraic LWE. A natural question to ask is whether more algebraically structured variants of LWE, such as Ring-LWE [47] or Module-LWE [43], can be used to overcome the lower bounds introduced in this work. Analogous to the results of [55], the additional algebraic structure does not help, as long as the requirements of Theorem 1 are met. The reason for this is that the rings and modules considered in algebraic LWE variants are vector spaces over \(\mathbb {Z}_q\) with the natural addition whose multiplication operation can be modeled by quadratic polynomials.
1.4 Related Work
Ananth and Vaikuntanathan [21] showed that FE for \(\mathsf {P/poly}\) with a bounded number of secret keys can be achieved from minimal assumptions, i.e., PKE in the public-key setting and OWFs in the secret-key setting. However, the ciphertexts in their schemes grow linearly with the number of secret keys handed out to the adversary. This is not surprising given that a bounded public-key FE scheme with relaxed compact ciphertext size, i.e., sublinear in the number of secret keys, implies iO [18, 26] (Footnote 4). Similarly, Kitagawa, Nishimaki and Tanaka [42] showed that a bounded and compact secret-key FE scheme implies iO. Moreover, Ananth, Jain and Sahai [19] showed how to transform any collusion-resistant FE into a single-key FE scheme with a compact encryption circuit. De Caro, Iovino, Jain, O’Neill, Paneth and Persiano [33] showed that compact FE with simulation-based security is impossible for general functions [10, 33]; however, for constructing iO from compact FE, selective indistinguishability security suffices.
Other Models of Computation. Computational models are a popular approach in cryptography to prove lower bounds for solving certain problems. Nonetheless, the most well-known models, such as the generic group model [48, 51], the algebraic group model [34] and the random oracle model [24] only deal with group-based resp. hash-based problems and primitives.
We are not aware of many other models besides [55] for lattice-based settings. Guo, Kamath, Rosen and Sotiraki [39] studied the lattice-based non-interactive key exchange (NIKE) problem and introduced a (comparatively more rigid) model where Alice and Bob always send LWE samples \(A \cdot x_1 + e_1\) and \(A^T \cdot x_2 + e_2\) as their key parts, respectively. Afterwards, they may apply any key reconciliation function to extract a common secret key. The authors showed lower bounds on the complexity of, and the amount of information needed by, the reconciliation function.
There are some similarities between the lower bounds obtained in our model and the lower bounds obtained by Applebaum, Avron and Brzuska [22] for arithmetic circuits. In our setting, the encryption and decryption functionalities come close to arithmetizing circuits, i.e., their algebraic descriptions are (almost) independent of the underlying field \(\mathbb {Z}_q\). The lower bound for lattice-based function-hiding FE, for example, could almost be reduced to a lower bound in [22] for three-party protocols where a semi-arithmetic Alice and a non-arithmetic Bob want to make a fully arithmetic Carol learn a function of both parties’ data without learning any non-trivial information. However, the crux is that we allow the decryption algorithm to perform a rounding operation from \(\mathbb {Z}_q\) to \(\mathbb {Z}_p\) at the end. Since rounding is a non-arithmetic operation (as a polynomial over \(\mathbb {Z}_q\) it would have prohibitively high degree), the decryption algorithm of lattice-based FE schemes is non-arithmetic and, hence, not fully captured by the lower bounds in [22].
1.5 Technical Overview
In this subsection, we will sketch a proof for Theorem 1. Towards this end, we will first introduce the framework of Ünal [55] for modeling lattice-based FE schemes, which we use in this work. Next, we will revisit a strategy for proving lower bounds for lattice-based function-hiding FE schemes and generalize it. Finally, we will attempt to adapt the generalized strategy on relaxed compact lattice-based FE schemes. Unfortunately, our first attempt will fail, however, we will be able to fix the strategy for linearly compact lattice-based FE schemes with secret keys of minimal degree.
Our Framework. A (secret-key) functional encryption (FE) scheme consists of four algorithms: \(\textsf{Setup}, \textsf{KeyGen},\textsf{Enc}\) and \(\textsf{Dec}\). On input the security parameter \(1^\lambda \), \(\textsf{Setup}\) computes a master secret key \({\textsf{msk}}\). On input \({\textsf{msk}}\) and a suitable function \(f :\mathbb {Z}_p^n \rightarrow \mathbb {Z}_p\), \(\textsf{KeyGen}\) generates a secret key \(\textsf{sk}_f\) for f. On input \({\textsf{msk}}\) and a message \(x \in \mathbb {Z}_p^n\), \(\textsf{Enc}\) outputs a ciphertext \(\textsf{ct}_x\). Finally, on input \(\textsf{sk}_f\) and \(\textsf{ct}_x\), \(\textsf{Dec}\) outputs f(x).
In this work, we want to prove lower bounds for lattice-based FE schemes. In order to do so, we focus on FE schemes \(\textsf{FE}=(\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})\) that are subject to the following two restrictions:
- \(\textsf{Enc}\) is of constant depth, i.e., the output of \(\textsf{Enc}({\textsf{msk}}, x)\) is computed in two phases: in the complex offline phase, \(\textsf{Enc}\) only knows \({\textsf{msk}}\) and computes arbitrarily complicated randomness \((r_1, \ldots , r_m)\). In the simple online phase, \(\textsf{Enc}\) sees the message \(x \in \mathbb {Z}_p^n\) and the randomness \((r_1,\ldots , r_m)\) from the previous phase. However, in this phase \(\textsf{Enc}\) must compute the ciphertext by an arithmetic circuit of constant depth.
  Formally, we require that there exists an offline algorithm \(\textsf{Enc}_{\textsf{off}}\) that on input \({\textsf{msk}}\) outputs random polynomials \(r_1, \ldots , r_m \in \mathbb {Z}_q[X_1, \ldots , X_n]\) of constant degree. \(\textsf{Enc}({\textsf{msk}}, x)\) is then expected to work by first sampling \((r_1,\ldots , r_m) \leftarrow \textsf{Enc}_{\textsf{off}}({\textsf{msk}})\), and then outputting the ciphertext \(\textsf{ct}_x = (r_1(x), \ldots , r_m(x)) \in \mathbb {Z}_q^m\). We call the maximum degree of \(r_1,\ldots , r_m\) the depth of \(\textsf{Enc}\).
- Each secret key \(\textsf{sk}_f\) is a polynomial in \(\mathbb {Z}_q[Y_1,\ldots , Y_m]\) of constant degree and \(\textsf{Dec}\) works in the typical lattice-based manner: it evaluates \(\textsf{sk}_f\) on the ciphertext \(\textsf{ct}_x\) and rounds the result to the nearest integer modulo p. Formally, we require
  $$\begin{aligned} \textsf{Dec}(\textsf{sk}_f, \textsf{ct}_x) = \left\lceil \frac{p}{q} \cdot \textsf{sk}_f(\textsf{ct}_x) \right\rfloor . \end{aligned}$$
For simplicity, we call FE schemes that adhere to these restrictions lattice-based.
Lower Bounds for Function-Hiding FE. We explain here the strategy of [55] for showing implausibility of lattice-based function-hiding FE schemes, before we generalize and adapt it to the case of compact FE.
First, remember that in a function-hiding FE scheme the secret key \(\textsf{sk}_f\) hides the function f it evaluates at decryption, i.e., given \(\textsf{sk}_f\) and \(\textsf{ct}_x\) an adversary learns nothing about x and f besides f(x). If we are given a function-hiding FE scheme \(\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc},\textsf{Dec})\) for computing linear functions over \(\mathbb {Z}_p^n\), we can construct a secret-key encryption scheme \(\textsf{SKE}' = (\textsf{Setup}', \textsf{Enc}', \textsf{Dec}')\) for messages in \(\mathbb {Z}_p\) from \(\textsf{FE}\) s.t. its encryption algorithm \(\textsf{Enc}'\) is of constant depth and produces short ciphertexts. In fact, consider the following setup and encryption algorithms:
- \(\textsf{Setup}'\): On input \(1^\lambda \), \(\textsf{Setup}'\) samples \({\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\). Then, it derives secret keys \(\textsf{sk}_1, \ldots , \textsf{sk}_{Q-1} \leftarrow \textsf{KeyGen}({\textsf{msk}}, 0)\) for the zero function and one secret key \(\textsf{sk}_Q \leftarrow \textsf{KeyGen}({\textsf{msk}}, f)\) for the function f that maps a vector \(x \in \mathbb {Z}_p^n\) to its first coordinate \(x_1\). It returns \({\textsf{msk}}' := ({\textsf{msk}}, \textsf{sk}_1,\ldots , \textsf{sk}_Q)\).
- \(\textsf{Enc}'\): On input \({\textsf{msk}}' = ({\textsf{msk}}, \textsf{sk}_1,\ldots , \textsf{sk}_Q)\) and a message \(x_1 \in \mathbb {Z}_p\), \(\textsf{Enc}'\) computes the ciphertext \(\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, (x_1, 0, \ldots , 0))\), then applies the polynomials \(\textsf{sk}_1,\ldots , \textsf{sk}_{Q-1}\) to it and outputs
  $$\begin{aligned} \textsf{ct}' = (\textsf{sk}_1(\textsf{ct}), \ldots , \textsf{sk}_{Q-1}(\textsf{ct})) \in \mathbb {Z}_q^{Q-1}. \end{aligned}$$
Since \(\textsf{FE}\) is a lattice-based FE scheme in the sense of our framework, its encryption algorithm \(\textsf{Enc}\) is offline/online of constant depth. It follows that \(\textsf{Enc}'\) is of constant depth as well, since \(\textsf{Enc}'\) first runs \(\textsf{Enc}\) and then again evaluates \(Q-1\) fixed polynomials \(\textsf{sk}_1,\ldots , \textsf{sk}_{Q-1} \in \mathbb {Z}_q[Y_1,\ldots , Y_m]\) of constant degree on the output of \(\textsf{Enc}\). Therefore, the depth of the online phase of \(\textsf{Enc}'\) is bounded by the depth of \(\textsf{Enc}\) times the maximum degree of \(\textsf{sk}_1, \ldots , \textsf{sk}_Q\).
Additionally, each ciphertext output by \(\textsf{Enc}'\) is short, i.e., when its coordinates are represented by their centered residues modulo q, it lies in \([-q/p, q/p]^{Q-1}\).
To see this, note that the decryption algorithm of \(\textsf{FE}\) is given by \(\textsf{Dec}(\textsf{sk}, \textsf{ct}) = \left\lceil \textsf{sk}(\textsf{ct}) \cdot p/q \right\rfloor \). Now for \(i\in [Q-1]\), we know that \(\textsf{Dec}(\textsf{sk}_i, \textsf{ct})\) must be zero, because \(\textsf{sk}_i\) is a secret key for the zero function. It follows that \(\textsf{sk}_i(\textsf{ct}) \cdot p / q\) must be rounded to zero in \(\mathbb {Z}_p\), which implies that the absolute value of \(\textsf{sk}_i(\textsf{ct})\) cannot be larger than q/p.
Ideally, it should be infeasible to extract the message \(x_1\) from \(\textsf{ct}'\). However, since \(\textsf{FE}\) is function-hiding and lattice-based, decryption with non-trivial success probability is possible. In fact, the distributions \(\textsf{KeyGen}({\textsf{msk}}, 0)\) and \(\textsf{KeyGen}({\textsf{msk}}, f)\) must look indistinguishable to a \(\textsf{PPT}\) adversary. If Q is large enough, one can show that the polynomial \(\textsf{sk}_Q\) must lie in the span of the polynomials \(\textsf{sk}_1,\ldots , \textsf{sk}_{Q-1}\) with probability \(1-o(1)\), i.e., for \(Q\in \textsf{poly}(\lambda )\) large enough, we have \(\textsf{sk}_Q \in \textrm{span}_{\mathbb {Z}_q}\left\{ \textsf{sk}_1,\ldots , \textsf{sk}_{Q-1}\right\} \) with probability \(1-o(1)\).
This phenomenon gives rise to the following decryption algorithm \(\textsf{Dec}'\) for \(\textsf{SKE}'\):
- \(\textsf{Dec}'\): On input \({\textsf{msk}}' = ({\textsf{msk}}, \textsf{sk}_1,\ldots , \textsf{sk}_Q)\) and a ciphertext \(\textsf{ct}' = (c_1, \ldots , c_{Q-1}) \in \mathbb {Z}_q^{Q-1}\), \(\textsf{Dec}'\) checks if \(\textsf{sk}_Q\in \textrm{span}_{\mathbb {Z}_q}\left\{ \textsf{sk}_1,\ldots , \textsf{sk}_{Q-1}\right\} \). If so, \(\textsf{Dec}'\) computes scalars \(\alpha _1, \ldots , \alpha _{Q-1}\) s.t. \(\textsf{sk}_Q = \alpha _1 \cdot \textsf{sk}_1 + \ldots + \alpha _{Q-1} \cdot \textsf{sk}_{Q-1}\), otherwise \(\textsf{Dec}'\) aborts. \(\textsf{Dec}'\) can now reconstruct \(\textsf{sk}_Q(\textsf{ct})\) by computing
  $$\begin{aligned} \textsf{sk}_Q(\textsf{ct}) &= (\alpha _1 \cdot \textsf{sk}_1 + \ldots + \alpha _{Q-1} \cdot \textsf{sk}_{Q-1})(\textsf{ct})\\ &= \alpha _1 \cdot \textsf{sk}_1(\textsf{ct}) + \ldots + \alpha _{Q-1} \cdot \textsf{sk}_{Q-1}(\textsf{ct})\\ &= \alpha _1 \cdot c_1 + \ldots + \alpha _{Q-1} \cdot c_{Q-1}. \end{aligned}$$
  Given \(\textsf{sk}_Q(\textsf{ct})\), \(\textsf{Dec}'\) can now output
  $$\begin{aligned} \textsf{Dec}(\textsf{sk}_Q, \textsf{ct}) = \left\lceil \textsf{sk}_Q(\textsf{ct}) \cdot p / q \right\rfloor \in \mathbb {Z}_p. \end{aligned}$$
Assuming that \(\textsf{FE}\) is correct, the probability of \(\textsf{Dec}'\) to return the correct message is at least \(1 - o(1)\).
In summary, by assuming a lattice-based correct function-hiding FE scheme \(\textsf{FE}\), we can construct an SKE scheme \(\textsf{SKE}' = (\textsf{Setup}', \textsf{Enc}', \textsf{Dec}')\) with the following properties:
- \(\textsf{Enc}'\) encrypts messages in \(\mathbb {Z}_p\) and is of constant depth.
- Each ciphertext output by \(\textsf{Enc}'\) is short, i.e., lies in \([-q/p, q/p]^{Q-1}\).
- The probability of \(\textsf{Dec}'\) decrypting correctly is at least \(1-o(1)\).
- Additionally, if \(\textsf{FE}\) is selectively IND-CPA secure, it can be shown—by a direct reduction—that \(\textsf{SKE}'\) is selectively IND-CPA secure, too.
The key observation of [55] is that such a secret-key encryption scheme cannot exist, if \(q/p \in \textsf{poly}(\lambda )\). In fact, the following result has been proven:
Theorem 2
([55] (Informal Corollary 3)). Let \(\textsf{SKE}\) be a secret-key encryption scheme of depth \(d \in O(1)\) (with prime modulus q). Let \(B \in \textsf{poly}(\lambda )\) s.t. q/B is larger than some constant and assume that each ciphertext of \(\textsf{SKE}\) lies in \([-B, B]^{Q-1}\). Let \(\{0,\ldots , 2d\}\) be the message space of \(\textsf{SKE}\).
\(\textsf{SKE}\) is selectively IND-CPA secure iff the statistical distance of the distributions \(({\textsf{msk}}, \textsf{Enc}({\textsf{msk}}, x))\) and \(({\textsf{msk}}, \textsf{Enc}({\textsf{msk}}, y))\) is negligible for each pair of messages \(x,y \in \{0,\ldots , 2d\}\).
This yields a contradiction to the scheme \(\textsf{SKE}'\) we constructed, because \(\textsf{Dec}'\) cannot have a high decryption advantage when ciphertexts \(\textsf{ct}'_x \leftarrow \textsf{Enc}'({\textsf{msk}}', x)\) and \(\textsf{ct}_y' \leftarrow \textsf{Enc}'({\textsf{msk}}', y)\) are statistically close to each other.
It follows that one of the premises must have been wrong. Hence, if \(\textsf{FE}\) is lattice-based, correct and function-hiding, it cannot be selectively IND-CPA secure.
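The algebraic step that makes \(\textsf{Dec}'\) work is the span check and the reconstruction \(\textsf{sk}_Q(\textsf{ct}) = \sum_i \alpha_i c_i\). The following Python code is an added illustration of exactly that step and is not code from the paper: it solves for the scalars \(\alpha_i\) by Gaussian elimination over \(\mathbb {Z}_q\), reconstructs \(\textsf{sk}_Q(\textsf{ct})\) from the \(\textsf{SKE}'\) ciphertext alone, rounds to \(\mathbb {Z}_p\), and aborts when \(\textsf{sk}_Q\) lies outside the span. The keys are constructed random degree-2 polynomials and the ciphertext is a random vector, not the output of any real function-hiding scheme; in particular the coordinates \(c_i\) are not short here, and the existence claim (that \(\textsf{sk}_Q\) lands in the span with probability \(1 - o(1)\)) is not something this code shows. All parameter choices are assumptions made for the example.

```python
"""Algebraic core of Dec' on constructed data: recover alpha with
sum_i alpha_i * sk_i = sk_Q over Z_q, then rebuild sk_Q(ct) from the values
sk_i(ct) alone and round to Z_p.  Keys and ciphertext are random, constructed
inputs, not those of a real function-hiding FE scheme."""
import random


def poly_eval(poly, ct, q):
    """Evaluate {monomial: coeff} at ct in Z_q; a monomial is a tuple of variable indices."""
    total = 0
    for mono, coeff in poly.items():
        term = coeff
        for j in mono:
            term = term * ct[j] % q
        total += term
    return total % q


def solve_mod_prime(rows, rhs, q):
    """Solve rows * alpha = rhs over Z_q (q prime) by Gauss-Jordan elimination.
    Returns one solution (free variables set to 0) or None if the system is inconsistent."""
    n_rows, n_cols = len(rows), len(rows[0])
    M = [[v % q for v in row] + [b % q] for row, b in zip(rows, rhs)]
    pivots, r = [], 0
    for c in range(n_cols):
        if r == n_rows:
            break
        piv = next((i for i in range(r, n_rows) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, q)
        M[r] = [v * inv % q for v in M[r]]
        for i in range(n_rows):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % q for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(M[i][-1] for i in range(r, n_rows)):
        return None  # a zero row with nonzero right-hand side: target not in the span
    alpha = [0] * n_cols
    for i, c in enumerate(pivots):
        alpha[c] = M[i][-1]
    return alpha


def span_coefficients(keys, target, q):
    """Scalars alpha with sum_i alpha_i * keys[i] == target as polynomials over Z_q, or None."""
    monos = sorted(set(target).union(*keys))     # one linear equation per monomial
    rows = [[k.get(mo, 0) for k in keys] for mo in monos]
    rhs = [target.get(mo, 0) for mo in monos]
    return solve_mod_prime(rows, rhs, q)


def round_q_to_p(v, p, q):
    """Nearest-integer rounding of (v mod q) * p / q, reduced mod p."""
    return ((2 * (v % q) * p + q) // (2 * q)) % p


def ske_enc(zero_keys, ct, q):
    """Enc': the SKE' ciphertext is the vector of zero-function key evaluations on ct."""
    return [poly_eval(sk, ct, q) for sk in zero_keys]


def ske_dec(zero_keys, sk_Q, ct_prime, p, q):
    """Dec': abort unless sk_Q is in the span of the zero keys; else reconstruct sk_Q(ct) and round."""
    alpha = span_coefficients(zero_keys, sk_Q, q)
    if alpha is None:
        return None
    v = sum(a * c for a, c in zip(alpha, ct_prime)) % q   # = sk_Q(ct) without knowing ct
    return round_q_to_p(v, p, q)


def build_demo(seed=3, m=6, num_zero_keys=5, p=257, q=2**31 - 1):
    """Constructed data: Q-1 random degree-2 keys over m ciphertext variables, sk_Q a random
    Z_q-combination of them, and a random FE ciphertext ct in Z_q^m."""
    rng = random.Random(seed)
    monos = [(a, b) for a in range(m) for b in range(a, m)]
    zero_keys = [{mo: rng.randrange(q) for mo in monos} for _ in range(num_zero_keys)]
    beta = [rng.randrange(q) for _ in range(num_zero_keys)]
    sk_Q = {mo: sum(b * k[mo] for b, k in zip(beta, zero_keys)) % q for mo in monos}
    ct = [rng.randrange(q) for _ in range(m)]
    return zero_keys, sk_Q, ct, p, q


if __name__ == "__main__":
    zero_keys, sk_Q, ct, p, q = build_demo()
    ct_prime = ske_enc(zero_keys, ct, q)
    print(ske_dec(zero_keys, sk_Q, ct_prime, p, q), round_q_to_p(poly_eval(sk_Q, ct, q), p, q))
```

Note that `span_coefficients` may return a different \(\alpha\) than the coefficients used to build \(\textsf{sk}_Q\) when the keys are linearly dependent; any solution works, because the reconstruction only uses the polynomial identity \(\sum_i \alpha_i \textsf{sk}_i = \textsf{sk}_Q\), which holds at every point.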
Generalization. In the following, we generalize the previous strategy to show lower bounds for arbitrary lattice-based FE schemes. We follow the idea to construct a special secret-key encryption scheme \(\textsf{SKE}'' = (\textsf{Setup}'', \textsf{Enc}'', \textsf{Dec}'')\) from a given lattice-based FE scheme \(\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc},\textsf{Dec})\). Since \(\textsf{FE}\) is lattice-based and correct, \(\textsf{SKE}''\) will have an encryption algorithm of constant depth and short ciphertexts. Furthermore, if \(\textsf{FE}\) is selectively IND-CPA secure, then \(\textsf{SKE}''\) is as well (by a direct reduction). By Theorem 2, it follows that \(\textsf{Dec}''\) can have no meaningful success at decrypting ciphertexts of \(\textsf{SKE}''\). A contradiction to the security of \(\textsf{FE}\) now follows if we can show that \(\textsf{Dec}''\) must have a non-trivial success probability at decryption.
Concretely, \(\textsf{SKE}''\) is given by the following algorithms:
- \(\textsf{Setup}''\): Let \(\mathcal {F}\) denote the space of functions supported by \(\textsf{FE}\). On input \(1^\lambda \), \(\textsf{Setup}''\) chooses Q functions \(f_1,\ldots , f_Q\) from \(\mathcal {F}\). Additionally, it chooses an index \(i_* \in [Q]\) and a degree-1 function \(\nu _{i_*} :\mathbb {Z}_p \rightarrow \mathbb {Z}_p^n\) s.t. we have for each \(x_1 \in \mathbb {Z}_p\)
  $$\begin{aligned} f_i(\nu _{i_*}(x_1)) = 0~~\text {for all }i\ne i_*, \qquad \text {but} ~~f_{i_*}(\nu _{i_*}(x_1)) = x_1. \end{aligned}$$
  Then, \(\textsf{Setup}''\) samples \({\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\) and \(\textsf{sk}_i \leftarrow \textsf{KeyGen}({\textsf{msk}}, f_i)\) for \(i \in [Q]\), and outputs
  $$\begin{aligned} {\textsf{msk}}'' := ({\textsf{msk}}, \textsf{sk}_1, \ldots , \textsf{sk}_Q, \nu _{i_*}, i_*). \end{aligned}$$
- \(\textsf{Enc}''\): Given \({\textsf{msk}}''\) and \(x_1 \in \mathbb {Z}_p\), \(\textsf{Enc}''\) computes \(\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu _{i_*}(x_1))\). It applies the polynomials \(\textsf{sk}_1,\ldots ,\textsf{sk}_{i_* - 1},0, \textsf{sk}_{i_* + 1},\ldots , \textsf{sk}_Q\) at \(\textsf{ct}\) and returns
  $$\begin{aligned} \textsf{ct}'' := (\textsf{sk}_1(\textsf{ct}), \ldots ,\textsf{sk}_{i_* - 1}(\textsf{ct}),0, \textsf{sk}_{i_* + 1}(\textsf{ct}),\ldots , \textsf{sk}_Q(\textsf{ct})) \in \mathbb {Z}_q^Q. \end{aligned}$$
- \(\textsf{Dec}''\): On input \({\textsf{msk}}''\) and \(\textsf{ct}'' = (c_1,\ldots , c_Q)\), \(\textsf{Dec}''\) computes the set
  $$\begin{aligned} S := \left\{ \textsf{sk}_{i_*}(w) ~|~ w \in \mathbb {Z}_q^m, \forall i \ne i_* :\textsf{sk}_i(w) = c_i \right\} . \end{aligned} \qquad (1)$$
  It chooses a uniformly random element \(\textsf{sk}_{i_*}(w) \leftarrow S\) and outputs
  $$\begin{aligned} \left\lceil \textsf{sk}_{i_*}(w) \cdot p / q \right\rfloor = \textsf{Dec}(\textsf{sk}_{i_*}, w) \in \mathbb {Z}_p. \end{aligned}$$
Note that \(\textsf{SKE}''\) generalizes the ideas of \(\textsf{SKE}'\) and does not fully specify \(\textsf{Setup}''\). In fact, the choice of the functions \(f_1,\ldots , f_Q\) in \(\textsf{Setup}''\) will depend on the concrete \(\textsf{FE}\) scheme. Similarly to \(\textsf{SKE}'\), \(\textsf{SKE}''\) is of constant depth if \(\textsf{FE}\) is lattice-based. Moreover, it has short ciphertexts if \(\textsf{FE}\) is lattice-based and correct, and \(\textsf{SKE}''\) is selectively IND-CPA secure if \(\textsf{FE}\) is so. We show these properties in detail in the proof of Lemma 2.
Because of Theorem 2, we know that \(\textsf{SKE}''\) cannot be correct if \(\textsf{FE}\) is lattice-based, correct and selectively IND-CPA secure. However, in the case of a function-hiding FE scheme, it can be shown that \(\textsf{Dec}''\) has a high probability of correctly decrypting ciphertexts. The idea in this work is to prove that \(\textsf{Dec}''\) also has a high success probability at decryption in the case of compact FE schemes. However, as it turns out, grasping and using the compactness property of a lattice-based FE scheme is more complex than using the function-hiding property and requires a more algebraic approach.
Compact Case. In the following, we outline our strategy for the case of (relaxed) compact FE and sketch a proof attempt to show why \(\textsf{Dec}''\)—intuitively—has a non-trivial advantage at decrypting compact ciphertexts. However, as we explain later, this proof attempt has some gaps. In this work, we fill these gaps in the case of linear compactness and minimal decryption depth.
First, we give an informal definition of compactness (resp. succinctness):
Definition 2
Let \(\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc},\textsf{Dec})\) be an FE scheme with ciphertexts in \(\mathbb {Z}_q^m\) and message space \(\mathbb {Z}^n_p\) for polynomials of degree d. We call \(\textsf{FE}\) relaxed compact if there is a constant \(e > 0\) s.t.
In other words, we demand that ciphertexts are smaller by a polynomial factor than the ciphertexts obtained by encrypting the relinearization \(x^{\otimes d}\) of a message \(x \in \mathbb {Z}_p^n\) with an IPFE scheme. In the literature, there are different definitions of compactness and succinctness (cf. [18, 21, 26, 42]). We note that Definition 2 is weaker than those notions and is implicitly fulfilled by each of the aforementioned works.
Now, let \(\textsf{FE}=(\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})\) be a compact lattice-based FE scheme that supports the evaluation of quadratic polynomials, i.e., the function space of \(\textsf{FE}\) is given by
while its message space is \(\mathbb {Z}_p^n\). Compactness now states that we have \(m \in O(n^{2 - e})\) for a constant \(e > 0\). This implies that the number of coordinates of a ciphertext of \(\textsf{FE}\) is significantly smaller than the number of secret keys for linearly independent functions of \(\mathcal {F}\). Our idea is to combine this together with a result of [56] to achieve a non-trivial success probability at decryption.
First, we will specify how \(\textsf{Setup}''\) chooses the functions \(f_1,\ldots , f_Q \in \mathcal {F}\), the index \(i_* \in [Q]\) and the function \(\nu _{i_*} :\mathbb {Z}_p\rightarrow \mathbb {Z}_p^n\). \(\textsf{Setup}''\) enumerates all pairs (a, b) with \(1\le a<b \le n\) and indexes them by
for \(Q := \left( {\begin{array}{c}n\\ 2\end{array}}\right) = \frac{n^2 - n}{2}\). For \(i \in [Q]\), it sets \(f_i\) to be the monomial of the \(a_i\)-th and \(b_i\)-th variable, i.e.,
It draws \(i_* \leftarrow [Q]\) uniformly at random and sets \(\nu _{i_*}\) to be the affine linear map
where \(e_{a_{i_*}}\) and \(e_{b_{i_*}}\) denote the \(a_{i_*}\)-th and \(b_{i_*}\)-th unit vectors. More precisely, the vector \(\nu _{i_*}(x)\) has the value x at position \(a_{i_*}\), 1 at position \(b_{i_*}\) and 0 at every other position. It now follows for all \(i \in [Q]\) and \(x \in \mathbb {Z}_p\),
To prove that \(\textsf{Dec}''\) has non-trivial advantage at decryption when receiving \({\textsf{msk}}''\) and a ciphertext \(\textsf{ct}''\), we need to show that the set S computed by \(\textsf{Dec}''\) in Eq. (1) is small. Let \(\textsf{ct}'':=(\textsf{sk}_1(\textsf{ct}), \ldots , \textsf{sk}_{i_*-1}(\textsf{ct}), 0, \textsf{sk}_{i_*+1}(\textsf{ct}), \ldots , \textsf{sk}_{Q}(\textsf{ct}))\) for some \(\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}'', \nu _{i_*}(x))\). Then, S must contain the correct value \(\textsf{sk}_{i_*}(\textsf{ct})\) besides other values \(\textsf{sk}_{i_*}(w)\). Algebraically, showing that S is small boils down to the problem of polynomial prediction: we do not know \(\textsf{ct}\), but we know its evaluations \(\textsf{sk}_{i}(\textsf{ct})\) for many polynomials \(\textsf{sk}_1,\ldots ,\textsf{sk}_{i_*-1}, \textsf{sk}_{i_*+1}, \ldots , \textsf{sk}_{Q} \in \mathbb {Z}_q[Y_1,\ldots , Y_m]\) of constant degree. Therefore, we can substantially bound the number of possible values of \(\textsf{sk}_{i_*}(\textsf{ct})\). We illustrate this idea with a toy example:
Example 1
In our toy example, we assume that ciphertexts of \(\textsf{FE}\) have two coordinates \(\textsf{ct}= (c_1, c_2)\). Furthermore, assume that \(i_* = 3\) and that the first three secret keys are given by
Now, when we are given a ciphertext \(\textsf{ct}''\) of \(\textsf{SKE}''\), the values \(a := \textsf{sk}_1(\textsf{ct}) = c_1 + c_2\) and \(b := \textsf{sk}_2(\textsf{ct}) = c_2^2\) are fixed. In this situation, can we limit the number of possible values of \(\textsf{sk}_3(\textsf{ct})\)?
The answer turns out to be yes. Indeed, set \(h(T_1, T_2, T_3) := (T_1 - T_3)^2 - T_2 = T_1^2 - 2 T_1T_3 - T_2 + T_3^2\) and note that we have
Now, if we plug in the values \(a,b \in \mathbb {Z}_q\), we get the univariate degree-2 polynomial
Because of Eq. (2), we know that \(h(\textsf{sk}_1(\textsf{ct}),\textsf{sk}_2(\textsf{ct}), T_3)\) must vanish at \(\textsf{sk}_3(\textsf{ct})\). In fact, \(\textsf{sk}_3(\textsf{ct})\) is a root of \(h(a,b,T_3)\) and S is contained in the set of points where \(h(a,b,T_3)\) vanishes. Since \(h(a,b,T_3)\) is of degree 2 (its \(T_3^2\)-coefficient is 1, so it is non-zero for every choice of a and b), there are at most 2 possible values for \(\textsf{sk}_3(\textsf{ct})\). Hence, the probability that \(\textsf{Dec}''\) draws the correct value \(\textsf{sk}_3(\textsf{ct})\) from S and decrypts correctly is at least 1/2, which is noticeably larger than 1/p.
In general, the polynomials \(\textsf{sk}_1,\ldots , \textsf{sk}_Q\) are of some constant degree, say \(d \in O(1)\), and their number \(Q = \left( {\begin{array}{c}n\\ 2\end{array}}\right) \in \varOmega (n^2)\) is substantially larger than the number of coordinates \(m \in O(n^{2 -e})\) of a ciphertext \(\textsf{ct}\) of \(\textsf{FE}\). It has been shown in [56] that in such cases there exists a polynomial h of sublinear degree that algebraically relates the polynomials \(\textsf{sk}_1, \ldots , \textsf{sk}_Q\):
Theorem 3
(Adapted from [56]). Let \(Q \in \varOmega (n^{d_0})\) and \(m \in O(n^{d_0-e})\) for a constant \(e > 0\). Let \(g_1, \ldots , g_Q \in \mathbb {Z}_q[Y_1, \ldots , Y_m]\) be of degree \(d \in O(1)\).
Then, there exists a polynomial \(h \in \mathbb {Z}_q[T_1, \ldots , T_Q]\) with the following properties:
Given this polynomial h, we can show that each element of the set S computed by \(\textsf{Dec}''\) in Eq. (1) must be a root of the polynomial
Hence, the size of S is bounded by \(\deg h \in O(n^{2 - e - e/(d-1)})\). Therefore, the success probability of \(\textsf{Dec}''\) to decrypt correctly is at least \(n^{ e + e/(d-1) - 2}\), which is significantly larger than the trivial success probability 1/p, if \(p \in \omega (n^{2 - e - e/(d-1)})\).
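The following Python script is an added worked example (not code from the paper) of the polynomial-prediction step used in Example 1, Theorem 3 and Lemma 1: it finds an algebraic relation h among given polynomials \(g_1,\ldots ,g_Q\) by linear algebra over \(\mathbb {Z}_q\) (the pigeonhole argument behind Lemma 1, exposed as `counting_guarantee`), then plugs the known values into h and enumerates the candidate set S for the missing coordinate. The toy instance uses \(\textsf{sk}_1 = Y_1 + Y_2\), \(\textsf{sk}_2 = Y_2^2\) from Example 1; the third key \(\textsf{sk}_3 = Y_1\), the modulus \(q = 101\) and the ciphertext \((c_1, c_2) = (17, 42)\) are assumptions chosen here (consistent with the relation \(h = (T_1 - T_3)^2 - T_2\) given in the text), and root finding is brute force because q is tiny.

```python
"""Polynomial prediction over Z_q (added example): find a relation h with
h(g_1, ..., g_Q) = 0 and use it to bound the values of one g_i given the others.
Polynomials are dicts {exponent tuple: coefficient mod q}, q a small prime."""
from collections import defaultdict
from itertools import combinations_with_replacement
from math import comb

def p_add(f, g, q):
    h = defaultdict(int)
    for poly in (f, g):
        for e, c in poly.items():
            h[e] = (h[e] + c) % q
    return {e: c for e, c in h.items() if c}

def p_mul(f, g, q):
    h = defaultdict(int)
    for e1, c1 in f.items():
        for e2, c2 in g.items():
            e = tuple(a + b for a, b in zip(e1, e2))
            h[e] = (h[e] + c1 * c2) % q
    return {e: c for e, c in h.items() if c}

def p_eval(f, point, q):
    total = 0
    for e, c in f.items():
        for x, k in zip(point, e):
            c = c * pow(x, k, q) % q
        total = (total + c) % q
    return total

def monomials(nvars, max_deg):
    """Exponent tuples in nvars variables of total degree <= max_deg."""
    out = []
    for d in range(max_deg + 1):
        for combo in combinations_with_replacement(range(nvars), d):
            out.append(tuple(combo.count(i) for i in range(nvars)))
    return out

def nullspace_vector(rows, ncols, q):
    """A nonzero v with M v = 0 over the field Z_q (Gauss-Jordan, q prime), or None."""
    M = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], q - 2, q)
        M[r] = [x * inv % q for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                M[i] = [(a - M[i][c] * b) % q for a, b in zip(M[i], M[r])]
        pivots.append((r, c))
        r += 1
    free = [c for c in range(ncols) if c not in {pc for _, pc in pivots}]
    if not free:
        return None
    v = [0] * ncols
    v[free[0]] = 1
    for row, c in pivots:
        v[c] = (-M[row][free[0]]) % q
    return v

def find_relation(gs, nvars_y, D, q):
    """Nonzero h in Z_q[T_1..T_Q] of degree <= D with h(g_1, ..., g_Q) = 0, if one exists.
    Columns: T-monomials composed with the g_i and expanded in the Y-variables;
    rows: the Y-monomials that occur. A kernel vector is the coefficient vector of h."""
    t_monos = monomials(len(gs), D)
    composed = []
    for e in t_monos:
        f = {(0,) * nvars_y: 1}
        for g, k in zip(gs, e):
            for _ in range(k):
                f = p_mul(f, g, q)
        composed.append(f)
    y_monos = sorted({e for f in composed for e in f})
    idx = {e: i for i, e in enumerate(y_monos)}
    rows = [[0] * len(t_monos) for _ in y_monos]
    for t, f in enumerate(composed):
        for e, c in f.items():
            rows[idx[e]][t] = c
    v = nullspace_vector(rows, len(t_monos), q)
    return None if v is None else {e: c for e, c in zip(t_monos, v) if c}

def counting_guarantee(Q, m, d, D):
    """Pigeonhole behind Lemma 1: more T-monomials of degree <= D than Y-monomials of
    degree <= d*D forces a nonzero kernel, i.e. a relation h, for *any* g_1..g_Q."""
    return comb(Q + D, D) > comb(m + d * D, d * D)

def candidate_set(h, known, target, q):
    """Plug the known coordinates into h, leave T_target free, and return the roots in
    Z_q of the resulting univariate polynomial (brute force). Returns None if that
    polynomial is identically zero: then, as the text notes, S is not bounded at all."""
    coeffs = defaultdict(int)
    for e, c in h.items():
        for i, val in known.items():
            c = c * pow(val, e[i], q) % q
        coeffs[e[target]] = (coeffs[e[target]] + c) % q
    if not any(coeffs.values()):
        return None
    return [x for x in range(q) if sum(c * pow(x, k, q) for k, c in coeffs.items()) % q == 0]

def toy_example(q=101, c1=17, c2=42):
    """Example 1: sk_1 = Y_1 + Y_2, sk_2 = Y_2^2 and (assumed here) sk_3 = Y_1.
    Returns the relation found, the candidate set S for sk_3(ct) and the true sk_3(ct)."""
    Y1, Y2 = {(1, 0): 1}, {(0, 1): 1}
    sks = [p_add(Y1, Y2, q), p_mul(Y2, Y2, q), Y1]
    h = find_relation(sks, 2, 2, q)
    a, b, true_sk3 = (p_eval(sk, (c1, c2), q) for sk in sks)
    S = candidate_set(h, {0: a, 1: b}, 2, q)  # what Dec'' can compute from (a, b, 0)
    return h, S, true_sk3
```

On the toy instance `find_relation` recovers exactly \(T_1^2 - 2T_1T_3 - T_2 + T_3^2\), and `candidate_set` returns two residues containing the true \(\textsf{sk}_3(\textsf{ct})\), so guessing from S succeeds with probability 1/2 instead of 1/q. Note that `counting_guarantee(3, 2, 2, 2)` is false: the counting argument does not promise a degree-2 relation for three polynomials in two variables, the toy just happens to have one; with \(Q=6\) quadratics in two variables a linear relation is already forced.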
The above reasoning illustrates how we can use the compactness of \(\textsf{FE}\) to construct a correct and secure SKE scheme \(\textsf{SKE}''\) with special properties to ultimately derive a contradiction to Theorem 2 and an attack on the security of \(\textsf{FE}\). However, there is one gap that needs to be addressed: what happens if the univariate polynomial in Eq. (3) is zero? In this case, the size of S does not need to be bounded by \(\deg h\) and S could contain each element of \(\mathbb {Z}_q\). Now, what happens if the polynomial in Eq. (3) is zero for almost all ciphertexts generated by \(\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu _{i_*}(x))\)? In this case, we cannot guarantee a non-trivial success probability for \(\textsf{Dec}''\). Consequently, \(\textsf{SKE}''\) is not sufficiently correct, and we fail to reach a contradiction with Theorem 2.
In an attempt to fix this problem, one can consider the coefficients of the polynomial in Eq. (3). Each coefficient is computed by a polynomial in the variables \(T_1,\ldots , T_{i_* -1}\), \(T_{i_* + 1}, \ldots , T_Q\) of lower degree. Concretely, we have
for fitting polynomials \(h_0,\ldots , h_{\deg h} \in \mathbb {Z}_q[T_1,\ldots , T_{i_* -1}, T_{i_* + 1}, \ldots , T_Q]\) of sublinear degree. We can assume that the highest degree coefficient \(h_{\deg h}\) is non-zero. If the polynomial in Eq. (3) is almost always zero for \(\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu _{i_*}(x))\), it follows that \(h_{\deg h}\) almost always vanishes on the values \(\textsf{sk}_i(\textsf{ct})\), \(i \ne i_*\), and we could replace h by its coefficient \(h_{\deg h}\). If \(h_{\deg h}\) always vanishes on \(\textsf{sk}_1(\textsf{ct}), \ldots , \textsf{sk}_{i_* - 1}(\textsf{ct})\), \(\textsf{sk}_{i_* + 1}(\textsf{ct}), \ldots , \textsf{sk}_{Q}(\textsf{ct})\), but does not become the zero polynomial in \(T_Q\) when we plug in only \(\textsf{sk}_1(\textsf{ct}), \ldots ,\textsf{sk}_{i_* - 1}(\textsf{ct}), \textsf{sk}_{i_* + 1}(\textsf{ct}),\ldots , \textsf{sk}_{Q - 1}(\textsf{ct})\), we could use it to bound the number of possible values of \(\textsf{sk}_{Q}(\textsf{ct})\) while fixing the values of \(\textsf{sk}_1(\textsf{ct}), \ldots , \textsf{sk}_{Q - 1}(\textsf{ct})\). However, \(\textsf{sk}_Q(\textsf{ct})\) will not be of great help to us if \(\textsf{ct}\) encrypts \(\nu _{i_*}(x)\), since we have \(\textsf{Dec}(\textsf{sk}_Q, \textsf{ct}) = f_Q(\nu _{i_*}(x)) = 0\). In fact, we need that \(h_{\deg h}\) behaves well for the different distribution \(\textsf{Enc}({\textsf{msk}}, \nu _Q(x))\) of ciphertexts. This yields a problem: it may happen that \(h_{\deg h}(\textsf{sk}_1(\textsf{ct}),\ldots , \textsf{sk}_{i_* - 1}(\textsf{ct}), \textsf{sk}_{i_* + 1}(\textsf{ct}), \ldots , \textsf{sk}_{Q - 1}(\textsf{ct}))\) is always zero when we sample \(\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu _{i_*}(x))\), but does not become zero when \(\textsf{ct}\) encrypts a useful message and is sampled from \(\textsf{Enc}({\textsf{msk}}, \nu _Q(x))\).
Linear Compactness and Secret Keys of Minimal Degree. To solve the above problem, we need that some kind of homogeneity among the ciphertexts of \(\textsf{FE}\) for different messages holds. In particular, we need that whenever a polynomial g vanishes with overwhelming probability on the distribution \(\textsf{Enc}({\textsf{msk}}, x)\), for some \(x \in \mathbb {Z}_p^n\), then for each \(y \in \mathbb {Z}_p^n\), g vanishes with overwhelming probability on the distribution \(\textsf{Enc}({\textsf{msk}}, y)\). However, we can show this kind of homogeneity only in cases where g has a constant degree.
Now, the algebraic relationship h is of degree \(O(n^{2-e-e/(d-1)})\) according to Theorem 3, where \(e>0\) describes the compactness of ciphertexts and d the degree of secret keys. If our ciphertexts are linearly compact, i.e., \(m\in O(n)\), then e equals 1. Furthermore, if our secret keys are of minimal degree \(d = 2\), then h is of constant degree \(O(n^{2-e-e/(d-1)}) = O(n^0) = O(1)\), and we can guarantee some kind of homogeneity among the ciphertexts for h. Now, the insecurity of \(\textsf{FE}\) follows. In Sect. 4, we will generalize this result for FE schemes for polynomials of degree \(d > 1\) with linear compactness \(m \in O(n)\) and secret keys of degree d.
2 Preliminaries
Notation. In this text, we always denote the security parameter by \(\lambda \in \mathbb {N}= \{1,2, \ldots \}\), by which each scheme and adversary is parametrized. For \(n \in \mathbb {N}\), set \([n] = \{1,2,\ldots , n\}\). Define
In this text, we will work with two moduli \(p,q> 2\) s.t. q is always prime and we always have \(2p< q\). We will identify the finite field \(\mathbb {Z}_q\) with the corresponding set of integers centered around zero, \(\mathbb {Z}_q = \left\{ \frac{-q+1}{2}, \ldots , \frac{q-1}{2} \right\} \), and embed \(\mathbb {Z}_p\) into \(\mathbb {Z}_q\) as the non-negative numbers \(\mathbb {Z}_p = \{0,\ldots , p-1\} \subset \mathbb {Z}_q\).
For two distributions A, B with the same support S, we define their statistical distance by
We will denote by \(\forall _\infty \), resp. \(\exists _\infty \), the quantifiers for almost all and for infinitely many.
Lemma 1
(Simplified from [56]). Let k be a field. Let \(d > 1\) be a constant and let \(Q \in \varOmega (m^d)\). There is a constant degree bound \(D \in O(1)\) s.t. for each list of polynomials \(f_1,\ldots , f_Q \in k[Y_1,\ldots , Y_m]\) of degree d there is one polynomial \(h \in k[T_1,\ldots , T_Q]\) s.t.
2.1 Functional Encryption
Definition 3
Let \(\mathcal {X}= (\mathcal {X}_\lambda )_\lambda \) be a family of sets. We call \(\mathcal {X}\) a message space or value space if there is an \(s \in \textsf{poly}(\lambda )\) s.t. each \(x_\lambda \in \mathcal {X}_\lambda \) has a binary representation of size \(\# x_\lambda \le s(\lambda )\). A subspace \(\widetilde{\mathcal {X}}\subset \mathcal {X}\) is a family of sets \(\widetilde{\mathcal {X}}= (\widetilde{\mathcal {X}}_\lambda )_\lambda \) s.t. \(\widetilde{\mathcal {X}}_\lambda \subseteq \mathcal {X}_\lambda \) for all \(\lambda \). \(\mathcal {X}\) is called poly-size if we have \(\#\mathcal {X}_\lambda \in \textsf{poly}(\lambda )\) and there is a poly-time algorithm that on input \(1^\lambda \) can enumerate \(\mathcal {X}_\lambda \).
If \(\mathcal {X}= (\mathcal {X}_\lambda )_\lambda \) is a message space and \(\mathcal {Y}=(\mathcal {Y}_\lambda )_\lambda \) is a value space, we call \(\mathcal {F}= (\mathcal {F}_\lambda )_\lambda \) a function space if each \(f_\lambda \in \mathcal {F}_\lambda \) is a function of type \(f_\lambda :\mathcal {X}_\lambda \rightarrow \mathcal {Y}_\lambda \) and if there is an \(s \in \textsf{poly}(\lambda )\) s.t. each \(f_\lambda \in \mathcal {F}_\lambda \) has a binary representation of size \(\# f_\lambda \le s(\lambda )\). In this case, we will write \(\mathcal {F}:\mathcal {X}\rightarrow \mathcal {Y}\).
Definition 4
(Functional Encryption). A (secret-key) functional encryption (FE) scheme for the function space \(\mathcal {F}:\mathcal {X}\rightarrow \mathcal {Y}\) is a tuple of four algorithms \(\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})\) that are described as follows:
-
\(\textsf{Setup}\): On input a (unary encoded) security parameter \(1^\lambda \), it outputs a master secret key \({\textsf{msk}}\).
-
\(\textsf{KeyGen}\): On input a master secret key \({\textsf{msk}}\) and a description of a function f in the function space \(\mathcal {F}\) of \(\textsf{FE}\), it outputs a secret key \(\textsf{sk}_f\) for \(f\in \mathcal {F}_\lambda \).
-
\(\textsf{Enc}\): On input a master secret key \({\textsf{msk}}\) and a message \(x \in \mathcal {X}_\lambda \), it outputs a ciphertext \(\textsf{ct}_{x}\) of x.
-
\(\textsf{Dec}\): On input a secret key \(\textsf{sk}_f\) and a ciphertext \(\textsf{ct}_{x}\), it outputs a value \(y \in \mathcal {Y}_\lambda \).
We call \(\textsf{FE}\) correct, if there is an \(\varepsilon \in \textsf{negl}(\lambda )\) s.t. we have for all \((f_\lambda )_\lambda \in \mathcal {F}\) and \((x_\lambda )_\lambda \in \mathcal {X}\) that \(\Pr [\textsf{Dec}(\textsf{sk}_{f}, \textsf{ct}_{x}) \ne f_\lambda (x_\lambda )] \le \varepsilon (\lambda )\), where we sample \({\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\), \(\textsf{sk}_{f} \leftarrow \textsf{KeyGen}({\textsf{msk}}, f_\lambda )\) and \(\textsf{ct}_{x} \leftarrow \textsf{Enc}({\textsf{msk}}, x_\lambda )\).
Definition 5
(Selective IND-CPA Security). Let \(\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})\) be an FE scheme for a functionality \(\mathcal {F}:\mathcal {X}\rightarrow \mathcal {Y}\). We define the selective IND-CPA security game of \(\textsf{FE}\) as an experiment \(\textsf{Exp}_{\textsf{FE},\mathcal {A}}^{\mathsf {ind\text {-}cpa}}(\lambda ,\mathcal {F})\) between an adversary \(\mathcal {A}\) and a challenger \(\mathcal {C}\) that proceeds in the following steps:
For a fixed algorithm \(\mathcal {A}\) and an FE scheme \(\textsf{FE}\), the advantage of \(\mathcal {A}\) is defined by
We call \(\textsf{FE}\) selectively IND-CPA secure if any \(\textsf{PPT}\) adversary \(\mathcal {A}\) has negligible advantage in the above game.
2.2 Lattice-Based Encryption Algorithms
In the following, we will recapitulate the definition of offline/online encryption of constant depth that has been introduced in [55]. This notion allows the master secret key to have a computationally unbounded influence on the computed ciphertext as long as the message only influences the ciphertext polynomially:
Definition 6
Let \(\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})\) be an FE scheme with message space \(\mathcal {X}= \mathbb {Z}_p^n\). Furthermore, let \(q = q(\lambda )\) be a prime s.t. each ciphertext output by \(\textsf{Enc}\) is a vector in \(\mathbb {Z}_q^m\).
Let \(d \in \mathbb {N}\) be a constant. We say that \(\textsf{Enc}\) is of depth d if there is an off-line algorithm \(\textsf{Enc}_{\textsf{off}}\) that on input \({\textsf{msk}}\) outputs m polynomials \(r_1, \ldots , r_m \in \mathbb {Z}_q[X_1, \ldots , X_n]\) of degree \(\le d\) s.t. the following distributions are identical for each \({\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\) and \(x \in \mathbb {Z}_p^n\):
Note that we do not impose any bounds on the computational complexity of \(\textsf{Enc}_{\textsf{off}}\).
In other words, an encryption algorithm of constant depth works in two phases. In an offline phase, it first sees the master secret key, but does not get to know the message that is to be encrypted. It can then use any amount of time to compute polynomially bounded randomness for the second step. In the online phase, the algorithm gets the randomness from the first phase and sees the message. It must now compute each entry of the ciphertext vector in an arithmetically very simple way, i.e., by applying constant degree polynomials to the randomness from the offline phase and the coordinates of the message vector.
Since we want to build upon the results of [55], we also need to introduce the notion of encryption of polynomial width.
Definition 7
Let \(\textsf{Enc}\) be an encryption algorithm that outputs vectors in \(\mathbb {Z}_q^m\). We say that \(\textsf{Enc}\) is of width \(B = B(\lambda ) < q/2\) if there is an \(\varepsilon \in \textsf{negl}(\lambda )\) s.t. we have for each \((x_\lambda )_\lambda \in \mathcal {X}\)
where \(\left| \left| \textsf{ct} \right| \right| _\infty \) is defined as the largest absolute value among entries of \(\textsf{ct}\in \left\{ -\frac{q - 1}{2}, \ldots , \frac{q - 1}{2} \right\} ^m = \mathbb {Z}_q^m\).
When we speak of lattice-based FE schemes, we will make the same restrictions on FE schemes that have been made in [55]:
Definition 8
(Lattice-Based FE Scheme). Let \(\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})\) be an FE scheme. Let q be a prime and \(n,m \in \textsf{poly}(\lambda )\). Let \(d_1, d_2 \in \mathbb {N}\) be constants. We call \(\textsf{FE}\) lattice-based if the following conditions are met:
-
1.
The message space of \(\textsf{FE}\) is \(\mathcal {X}= \mathbb {Z}_p^n\).
-
2.
Each ciphertext of \(\textsf{FE}\) is an element of \(\mathbb {Z}_q^m\) for prime q.
-
3.
\(\textsf{Enc}\) is of depth \(d_1\).
-
4.
Each secret key output by \(\textsf{KeyGen}\) is a polynomial in \(\mathbb {Z}_q[Z_1,\ldots ,Z_m]\) of total degree \(\le d_2\), i.e., each secret key can be written as a linear combination of monomials containing at most \(d_2\) (not necessarily different) Z-variables.
-
5.
We have \(p < q\) and the decryption algorithm \(\textsf{Dec}\) works as follows:
$$\begin{aligned} \textsf{Dec}(\textsf{sk}, \textsf{ct}) = \left\lceil \textsf{sk}(\textsf{ct}) \cdot {p}/{q} \right\rfloor \in \mathbb {Z}_p. \end{aligned}$$
We call \(d_1\) the encryption depth and \(d_2\) the decryption depth of \(\textsf{FE}\).
Definition 9
We call \(\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})\) (linearly) compact if the dimension of ciphertexts is linear in the message length, i.e., \(m \in O(n)\).
2.3 Secret-Key Encryption
We will define here secret-key encryption schemes as a special case of functional encryption schemes where the function spaces only contain the identity function.
Definition 10
(Secret-Key Encryption). A secret-key encryption (SKE) scheme is an FE scheme \(\textsf{SKE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})\) for a function space \(\mathcal {F}\), where each \(\mathcal {F}_\lambda \) only contains the identity function \(\textsf{id}:\mathcal {X}_\lambda \rightarrow \mathcal {X}_\lambda \).
For an SKE scheme \(\textsf{SKE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})\), we will always assume that the master secret key \({\textsf{msk}}\) and the derived key \(\textsf{sk}_{\textsf{id}}\) of the identity are identical and that \(\textsf{KeyGen}({\textsf{msk}}, \textsf{id})\) will always output \({\textsf{msk}}\). Consequently, we will omit the algorithm \(\textsf{KeyGen}\) from the list of algorithms, i.e., \(\textsf{SKE}= (\textsf{Setup}, \textsf{Enc}, \textsf{Dec})\).
For convenience, we also introduce the notion of partial secret-key encryption schemes. A partial SKE is essentially a normal SKE without a decryption algorithm.
Definition 11
(Partial Secret-Key Encryption). A partial secret-key encryption scheme \(\textsf{SKE}= (\textsf{Setup}, \textsf{Enc}, \_)\) is a pair of algorithms \(\textsf{Setup}\) and \(\textsf{Enc}\) with a fitting message space \(\mathcal {X}\) that adheres to the syntax in Definition 4.
A fitting decryption algorithm for \((\textsf{Setup}, \textsf{Enc}, \_)\) is an algorithm \(\textsf{Dec}\) s.t. the tuple \((\textsf{Setup}, \textsf{Enc}, \textsf{Dec})\) is an SKE in the sense of Definition 10.
Note that the notion of selective IND-CPA security in the sense of Definition 5 is well-defined for partial SKEs. Additionally, the notions of bounded encryption depth and width in the sense of Definitions 6 and 7 are well-defined for partial SKEs.
3 General Approach
We present here a general approach for showing lower bounds of lattice-based FE schemes in the sense of Definition 8. This approach generalizes the strategy of Ünal [55] for function-hiding FE schemes, and we will apply it to compact FE schemes. The key element for showing IND-CPA insecurity in [55] was the following theorem.
Theorem 4
([55]). Let q be a prime, d be a constant and \(B\in \textsf{poly}(\lambda )\). Let \(M = M(\lambda ) \in \mathbb {N}\) be such that \(M \ge 2d\) and \(c\cdot M^d \cdot B < q\) for some constant \(c\in \mathbb {N}\) that depends on d.
Let \(\textsf{SKE}= (\textsf{Setup}, \textsf{Enc},\_)\) be a partial SKE scheme with message space \(\mathcal {X}:= \{0, \ldots , M\}\) s.t. \(\textsf{Enc}\) is of depth d and width B. Then, the following are equivalent:
-
1.
\(\textsf{SKE}\) is selectively IND-CPA secure against \(\textsf{PPT}\) adversaries.
-
2.
\(\textsf{SKE}\) is selectively IND-CPA secure against unbounded adversaries (that get to know the secret key of \(\textsf{SKE}\)).
-
3.
For each polynomial \(r \in \textsf{poly}(\lambda )\) there is an \(\varepsilon \in \textsf{negl}(\lambda )\) s.t. for \({\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\), it holds that
$$\begin{aligned} \Pr \left[ \forall x,y\in \mathcal {X}_\lambda :\varDelta (\textsf{Enc}({\textsf{msk}}, x), \textsf{Enc}({\textsf{msk}}, y))< \frac{1}{r(\lambda )} \right] \ge 1 - \varepsilon (\lambda ). \end{aligned}$$
4.
There is an \(\varepsilon \in \textsf{negl}(\lambda )\) s.t. we have \(\varDelta (C_x, C_y) \le \varepsilon (\lambda )\) for all \(x,y \in \mathcal {X}\), where \(C_x\) is the distribution that computes \({\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda ), \textsf{ct}_x \leftarrow \textsf{Enc}({\textsf{msk}}, x_\lambda )\) and outputs \(({\textsf{msk}}, \textsf{ct}_x)\).
In [55], only the equivalence of the first and third statement has been shown. However, it is easy to see that the second and fourth statement are equivalent to the third statement.
Given a lattice-based FE scheme \(\textsf{FE}\) of encryption depth \(d_1\in O(1)\) and decryption depth \(d_2 \in O(1)\), we want to use Theorem 4 to deduce lower bounds for \(\textsf{FE}\). Towards this end, we construct a partial SKE for integer messages from \(\textsf{FE}\) as follows:
Definition 12
Let \(\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc},\textsf{Dec})\) be an FE scheme with functionality \(\mathcal {F}:\mathbb {Z}_p^n \rightarrow \mathbb {Z}_p\). Let \(M \le p\). We construct a partial SKE scheme \(\textsf{SKE}' = (\textsf{Setup}', \textsf{Enc}', \_)\) with message space \(\mathcal {X}' := \{0,\ldots , M\}\) with the following algorithms:
- \(\textsf{Setup}_{\textsf{Pre}}'\): There is a preceding setup algorithm that on input \(1^\lambda \) chooses functions \(f_1, \ldots , f_Q \in \mathcal {F}\). Then, it chooses an index \(i_* \in [Q]\) and a degree-1 map
$$\begin{aligned} \nu :\mathbb {Z}_p &\longrightarrow \mathbb {Z}_p^{n}, \end{aligned}$$
s.t. we have for all \(x \in \mathbb {Z}_p\),
$$\begin{aligned} \forall i\ne i_* :& f_i(\nu (x)) = 0,\\ & f_{i_*}(\nu (x)) = x. \end{aligned}$$
It outputs \((f_1,\ldots , f_Q, \nu , i_*)\).
- \(\textsf{Setup}'\): On input \(1^\lambda \), \(\textsf{Setup}'\) runs \((f_1,\ldots , f_Q, \nu , i_*) \leftarrow \textsf{Setup}_{\textsf{Pre}}'(1^\lambda )\). Then, \(\textsf{Setup}'\) computes \({\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\) and \(\textsf{sk}_i \leftarrow \textsf{KeyGen}({\textsf{msk}}, f_i)\) for \(i \in [Q]\), and outputs the new master secret key
$$\begin{aligned} {\textsf{msk}}' := ({\textsf{msk}}, \textsf{sk}_1, \ldots , \textsf{sk}_Q, \nu , i_*). \end{aligned}$$
- \(\textsf{Enc}'\): On input \({\textsf{msk}}' := ({\textsf{msk}}, \textsf{sk}_1, \ldots , \textsf{sk}_Q, \nu , i_*)\) and a message \(x \in \{0,\ldots , M\}\), \(\textsf{Enc}'\) runs \(\textsf{ct}_x \leftarrow \textsf{Enc}({\textsf{msk}}, \nu (x))\) and outputs the new ciphertext
$$\begin{aligned} \textsf{ct}_x' := (\textsf{sk}_1(\textsf{ct}_x), \ldots ,\textsf{sk}_{i_*-1}(\textsf{ct}_x), 0, \textsf{sk}_{i_*+1}(\textsf{ct}_x), \ldots , \textsf{sk}_Q(\textsf{ct}_x)). \end{aligned}$$
We demand that \(\textsf{Setup}_{\textsf{Pre}}'\) can be computed by a \(\textsf{PPT}\) algorithm.
We now have the following result:
Lemma 2
In the scheme \(\textsf{SKE}' = (\textsf{Setup}', \textsf{Enc}', \_)\) from Definition 12, \(\textsf{Enc}'\) is of depth \(d_1 \cdot d_2\), if \(\textsf{FE}\) is lattice-based with encryption depth \(d_1\) and decryption depth \(d_2\).
If \(\textsf{FE}\) is correct and lattice-based, then \(\textsf{Enc}'\) is of width \(\left\lceil q / p \right\rfloor \), and if \(\textsf{FE}\) is selectively IND-CPA secure, then \(\textsf{SKE}'\) is selectively IND-CPA secure.
Proof
-
1.
Let \(\textsf{FE}\) be lattice-based with encryption depth \(d_1\) and decryption depth \(d_2\). Then, there is an algorithm \(\textsf{Enc}_{\textsf{off}}\) that on input \({\textsf{msk}}\) outputs m polynomials \(r_1, \ldots , r_m \in \mathbb {Z}_q[X_1, \ldots , X_{n}]\) of degree \(\le d_1\) s.t. \(\textsf{Enc}({\textsf{msk}}, x)\) is equally distributed as \((r_1(x), \ldots , r_m(x))\) for each \(x \in \mathbb {Z}_p^{n}\).
We now define \(\textsf{Enc}_{\textsf{off}}'\) as follows. On input \({\textsf{msk}}' := ({\textsf{msk}}, \textsf{sk}_1, \ldots , \textsf{sk}_Q, \nu , i_*)\), \(\textsf{Enc}_{\textsf{off}}'\) first computes \((r_1, \ldots , r_m)\leftarrow \textsf{Enc}_{\textsf{off}}({\textsf{msk}})\) and then returns the polynomials
$$\begin{aligned} \forall i \ne i_* :& r_i'(X) := \textsf{sk}_i(r_1(\nu (X)), \ldots , r_m(\nu (X))) \in \mathbb {Z}_q[X],\\ & r_{i_*}'(X) := 0. \end{aligned}$$The degree of each \(\textsf{sk}_i(r_1(\nu (X)), \ldots , r_m(\nu (X)))\) is bounded by \(d_1 \cdot d_2 \cdot 1\), since each \(\textsf{sk}_i\) is a polynomial in \(\mathbb {Z}_q[Z_1, \ldots , Z_m]\) of degree \(\le d_2\) and \(\nu \) is an affine linear function, i.e., a degree-1 polynomial.
Moreover, for each \(x \in \{0,\ldots , M\}\) and \({\textsf{msk}}'\), the output of \(\textsf{Enc}'({\textsf{msk}}', x)\) is identically distributed as \((r_1'(x), \ldots , r_Q'(x))\) for \((r_1', \ldots , r_Q') \leftarrow \textsf{Enc}_{\textsf{off}}'({\textsf{msk}}')\).
-
2.
Let \(\textsf{FE}\) be correct, i.e., there is an \(\varepsilon \in \textsf{negl}(\lambda )\) s.t. for each \((g_\lambda )_\lambda \in \mathcal {F}\) and \((x_\lambda )_\lambda \in \mathcal {X}\) we have
$$\begin{aligned} \mathop {\Pr }\limits _{\begin{array}{c} {\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\\ \textsf{sk}\leftarrow \textsf{KeyGen}({\textsf{msk}}, g_\lambda )\\ \textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, x_\lambda ) \end{array}}\left[ \textsf{Dec}(\textsf{sk}, \textsf{ct}) = g_\lambda (x_\lambda ) \right] \ge 1 - \varepsilon (\lambda ). \end{aligned}$$Since \(\textsf{FE}\) is lattice-based, \(\textsf{Dec}\) works as \(\textsf{Dec}(\textsf{sk}, \textsf{ct}) = \left\lceil \textsf{sk}(\textsf{ct}) \cdot {p}/{q} \right\rfloor \).
Assume, for the sake of contradiction, that \(\textsf{Enc}'\) is not of width q/p. This implies that there is one \(\lambda \in \mathbb {N}\) and an \(x' \in \{0, \ldots , M(\lambda )\}\) s.t.
$$\begin{aligned} & Q(\lambda ) \cdot \varepsilon (\lambda ) < \mathop {\Pr }\limits _{\begin{array}{c} {\textsf{msk}}'\leftarrow \textsf{Setup}'(1^\lambda )\\ \textsf{ct}' \leftarrow \textsf{Enc}'({\textsf{msk}}', x') \end{array} } \left[ \left| \left| \textsf{ct}' \right| \right| _\infty > \frac{q}{p} \right] \\ =&\mathop {\Pr }\limits _{ \begin{array}{c} (f_1,\ldots , f_Q, \nu , i_*) \leftarrow \textsf{Setup}_{\textsf{Pre}}'(1^\lambda )\\ {\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\\ \forall i :\textsf{sk}_i \leftarrow \textsf{KeyGen}({\textsf{msk}}, f_i)\\ \textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu (x')) \end{array} } \left[ \exists i\ne i_* :\left| \textsf{sk}_i(\textsf{ct}) \right| > \frac{q}{p} \right] \\ \le &\mathop {\Pr }\limits _{ \begin{array}{c} (f_1,\ldots , f_Q, \nu , i_*) \leftarrow \textsf{Setup}_{\textsf{Pre}}'(1^\lambda )\\ {\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\\ \forall i :\textsf{sk}_i \leftarrow \textsf{KeyGen}({\textsf{msk}}, f_i)\\ \textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu (x')) \end{array} } \left[ \exists i\ne i_* :\textsf{Dec}(\textsf{sk}_i, \textsf{ct}) \ne 0 = f_i(\nu (x')) \right] . \end{aligned}$$Here, the last step holds because \(\left| \textsf{sk}_i(\textsf{ct}) \right| > q/p\) implies \(\left| \textsf{sk}_i(\textsf{ct}) \cdot p/q \right| > 1\), so the rounded value \(\textsf{Dec}(\textsf{sk}_i, \textsf{ct})\) cannot be 0. In particular, for this \(\lambda \in \mathbb {N}\), there exists a tuple \((f_1,\ldots , f_Q, \nu , i_*)\) s.t.
$$\begin{aligned} Q(\lambda ) \cdot \varepsilon (\lambda ) < &\mathop {\Pr }\limits _{ \begin{array}{c} {\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\\ \forall i :\textsf{sk}_i \leftarrow \textsf{KeyGen}({\textsf{msk}}, f_i)\\ \textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu (x')) \end{array} } \left[ \exists i\ne i_* :\textsf{Dec}(\textsf{sk}_i, \textsf{ct}) \ne f_i(\nu (x')) \right] \\ \le &\sum _{i\ne i_*}\mathop {\Pr }\limits _{ \begin{array}{c} {\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\\ \textsf{sk}_i \leftarrow \textsf{KeyGen}({\textsf{msk}}, f_i)\\ \textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu (x')) \end{array} } \left[ \textsf{Dec}(\textsf{sk}_i, \textsf{ct}) \ne f_i(\nu (x')) \right] . \end{aligned}$$Hence, there is one \(i \in [Q]\) s.t. \(\Pr [\textsf{Dec}(\textsf{sk}_i, \textsf{ct}) \ne f_i(\nu (x'))] > \varepsilon \). This contradicts the correctness of \(\textsf{FE}\). Hence, our assumption must be wrong and \(\textsf{Enc}'\) must be of width q/p.
-
3.
Let \(\textsf{FE}\) be selectively IND-CPA secure. We reduce the selective IND-CPA security of \(\textsf{SKE}'\) to the selective IND-CPA security of \(\textsf{FE}\) by constructing a reduction that transforms a \(\textsf{PPT}\) adversary \(\mathcal {A}'\) against the selective IND-CPA security of \(\textsf{SKE}'\) to a \(\textsf{PPT}\) adversary \(\mathcal {A}\) against the selective IND-CPA security of \(\textsf{FE}\).
If \(\mathcal {A}'\) is an adversary against the selective IND-CPA security of \(\textsf{SKE}'\) and \(\mathcal {C}'\) is a challenger for the selective IND-CPA security of \(\textsf{FE}\), then \(\mathcal {A}\) proceeds as follows:
-
(a)
On input \(1^\lambda \), \(\mathcal {A}\) computes \((f_1,\ldots , f_Q, \nu , i_*) \leftarrow \textsf{Setup}_{\textsf{Pre}}'(1^\lambda )\).
-
(b)
\(\mathcal {A}\) runs \(\mathcal {A}'(1^\lambda )\) to receive two lists \(({x'_1}^0, \ldots , {x'_N}^0)\), \(({x'_1}^1, \ldots , {x'_N}^1) \in \{0, \ldots , M\}^N\) of candidate messages.
-
(c)
For each \(i \in [N], \beta \in \{0,1\}\), \(\mathcal {A}\) sets \(x_i^{\beta } := \nu ({x'_i}^\beta ) \in \mathbb {Z}_p^{n}\).
-
(d)
\(\mathcal {A}\) submits the message lists \((x_1^0, \ldots , x_N^0)\), \((x_1^1, \ldots , x_N^1)\) and the function list \((f_1, \ldots , f_{i_*-1}, f_{i_* +1}, \ldots , f_Q)\) to \(\mathcal {C}'\). It receives secret keys \(\textsf{sk}_1, \ldots , \textsf{sk}_{i_* -1}, \textsf{sk}_{i_* + 1},\ldots , \textsf{sk}_Q\) for the functions \(f_1, \ldots , f_{i_*-1}, f_{i_* +1},\ldots , f_Q\) and ciphertexts \(\textsf{ct}_1,\ldots , \textsf{ct}_N\) for \(x_1^b, \ldots , x_N^b\) with an unknown b.
-
(e)
For each \(i\in [N]\), \(\mathcal {A}\) computes
$$\begin{aligned} \textsf{ct}_i' := ( \textsf{sk}_1(\textsf{ct}_i), \ldots ,\textsf{sk}_{i_* -1}(\textsf{ct}_i), 0, \textsf{sk}_{i_* + 1}(\textsf{ct}_i) \ldots , \textsf{sk}_Q(\textsf{ct}_i) ), \end{aligned}$$and sends the list \((\textsf{ct}_1', \ldots , \textsf{ct}_N')\) to \(\mathcal {A}'\).
-
(f)
\(\mathcal {A}'\) responds with a guess \(b' \in \{0,1\}\). \(\mathcal {A}\) forwards \(b'\) to \(\mathcal {C}'\).
The view of \(\mathcal {A}'\) in the interaction with \(\mathcal {A}\) is identical to its view in \(\textsf{Exp}_{\textsf{SKE}'}^{\mathsf {ind\text {-}cpa}}\). Furthermore, \(\mathcal {A}\) wins exactly iff \(\mathcal {A}'\) wins. This is because we have for all \(j \in [N]\) and \( i \ne i_*\),
$$\begin{aligned} f_i(x_j^0) = f_i(\nu ({x'_j}^0)) = 0 = f_i(\nu ({x'_j}^1)) = f_i(x_j^1). \end{aligned}$$
In other words, \(\mathcal {A}\) does not submit any combination of function and message pairs that would let it win trivially. Hence, \(\mathcal {A}\) is a valid adversary in the selective IND-CPA security game of \(\textsf{FE}\). In conclusion, the advantage of \(\mathcal {A}\) in the selective IND-CPA security game of \(\textsf{FE}\) is equal to the advantage of \(\mathcal {A}'\) in the selective IND-CPA security game of \(\textsf{SKE}'\).
Hence, the claims of the lemma are proven. \(\square \)
Corollary 1
Let \(\textsf{FE}\) be a lattice-based, correct and selectively IND-CPA secure FE scheme of constant encryption depth \(d_1 \in O(1)\) and decryption depth \(d_2 \in O(1)\) s.t. the message space of \(\textsf{FE}\) is \(\mathbb {Z}_p^n\) and each ciphertext of \(\textsf{FE}\) is a vector in \(\mathbb {Z}_q^m\) for \(q > p > 2\), where q is prime.
Let \(M \in \textsf{poly}(\lambda )\) and assume that we have \({q}/{p} \in \textsf{poly}(\lambda )\), \(M \ge 2d_1\cdot d_2\) and \(c \cdot M^{d_1\cdot d_2} < p\) for some constant c that depends on \(d_1\cdot d_2\).
Let \(\textsf{SKE}' = (\textsf{Setup}', \textsf{Enc}', \_)\) be the partial SKE scheme from Definition 12 that is constructed from \(\textsf{FE}\) with message space \(\{0, \ldots , M\}\).
Then, there is no (computationally unbounded) algorithm \(\textsf{Dec}'\) s.t. the scheme \((\textsf{Setup}', \textsf{Enc}', \textsf{Dec}')\) has a non-negligible advantage at correctly decrypting ciphertexts, i.e., there is an \(\varepsilon \in \textsf{negl}(\lambda )\) s.t. we have for each \(\textsf{Dec}'\),
We give a proof of Corollary 1 in the full version of this paper [52].
4 Lower Bounds for Compact Functional Encryption
In this section we prove the main result of this paper. Towards this end, we introduce the space of d-linear functions over \(\mathbb {Z}_p\). A function \(f :(\mathbb {Z}_p^n)^d \rightarrow \mathbb {Z}_p\) is called d-linear iff, for vectors of variables \(X^{(1)} = (X^{(1)}_1,\ldots , X^{(1)}_n)\), ..., \(X^{(d)} = (X^{(d)}_1,\ldots , X^{(d)}_n)\), the expression \(f(X^{(1)},\ldots , X^{(d)})\) is linear in \(X^{(i)}\) for each \(i \in [d]\). Equivalently, one can require that \(f(X^{(1)},\ldots , X^{(d)})\) is given by \(\phi (X^{(1)}\otimes \cdots \otimes X^{(d)})\) for a linear function \(\phi \), where \(\otimes \) denotes the Kronecker product.
In the following, we consider the functionality \(\mathcal {F}:\mathcal {X}\rightarrow \mathcal {Y}\) of d-linear functions, where the message space is \(\mathcal {X}= \mathbb {Z}_p^{d\times n}\) and the value space is \(\mathcal {Y}= \mathbb {Z}_p\).
Theorem 5
Let \(d > 1\) be a constant and \(q > p > 2\) with q prime. Let \(Q = n^d\), \(m \in O(n)\) and let \(D \in O(1)\) be the constant from Lemma 1.
Let \(\textsf{FE}= (\textsf{Setup}, \textsf{KeyGen},\textsf{Enc},\textsf{Dec})\) be a lattice-based FE for the functionality \(\mathcal {F}\) s.t. we have:
1. \(\textsf{FE}\) is compact, i.e., the dimension \(m \in O(n)\) of ciphertexts is linear.
2. The decryption depth of \(\textsf{FE}\) is d.
3. We have
$$\begin{aligned} {q}/{p} \in \textsf{poly}(\lambda ) \qquad \text {and} \qquad c \cdot (\max \{2 d_1 \cdot d + 1, 2D + 1\})^{d_1 \cdot d} < p, \end{aligned}$$
where \(d_1\) denotes the encryption depth of \(\textsf{FE}\) and c is the constant from Theorem 4.
If \(\textsf{FE}\) is correct, then \(\textsf{FE}\) is not selectively IND-CPA secure.
Remark 1
We remark two things about the requirements of Theorem 5:
1. We do not specify if there is an arithmetic reduction modulo p when evaluating the polynomials in \(\mathcal {F}\subset \mathbb {Z}_p[X^{(1)}, \ldots , X^{(d)}]\) on messages. In fact, this is irrelevant for our proof, since it will only consider monomial functions \(X^{(1)}_{i_1}\cdots X^{(d)}_{i_d} \in \mathcal {F}\). Furthermore, at most one entry of each message vector that our adversary considers will not lie in \(\{0,1\}\). Hence, evaluations f(x) will never exceed p.
2. The space of d-linear functions is contained in the space of degree-d polynomials. Hence, any compact FE scheme with decryption depth d for degree-d polynomials implies a compact FE scheme for d-linear functions with the same decryption depth d.
Our proof idea for Theorem 5 is to assume that \(\textsf{FE}\) is secure, and then, to use Corollary 1 to deduce a contradiction. Set \(M = \max \{2D+1, 2d_1\cdot d + 1\}\) and let \(\mathcal {X}' := \{0,\ldots ,M\}\) be the message space of a new SKE scheme \(\textsf{SKE}'\) that we will construct in the following according to Definition 12. Towards this end, we define the following \(\textsf{Setup}_{\textsf{Pre}}'\) algorithm for the FE scheme in Theorem 5:
\(\textsf{Setup}_{\textsf{Pre}}'\): On input \(1^\lambda \), \(\textsf{Setup}_{\textsf{Pre}}'\) sets \(Q = n^d\) and fixes deterministically an enumeration \(\alpha _1,\ldots , \alpha _Q\) of \([n]^d\). For each tuple of indices \(\alpha _i = (\alpha _{i,1},\ldots , \alpha _{i,d}) \in [n]^d\), it sets
$$\begin{aligned} f_{i}(X^{(1)}, \ldots , X^{(d)}) := X_{\alpha _{i,1}}^{(1)} \cdots X_{\alpha _{i,d}}^{(d)}. \end{aligned}$$
Additionally, it draws \(i_* \leftarrow [Q]\) uniformly at random and sets \((\alpha _{*,1}, \ldots , \alpha _{*,d}) := \alpha _* := \alpha _{i_*} \in [n]^d\). Furthermore, it sets
$$\begin{aligned} \nu :\mathbb {Z}_p & \longrightarrow \mathbb {Z}_p^{d\times n}\\ x &\longmapsto (x \cdot e_{\alpha _{*,1}}, e_{\alpha _{*, 2}}, \ldots , e_{\alpha _{*,d}}), \end{aligned}$$
where \(e_j\) denotes the j-th unit vector in \(\mathbb {Z}_p^n\) for \(j \in [n]\). It outputs \(f_1,\ldots , f_Q\), \(\nu \) and \(i_*\). Note that we have for all \(x \in \mathbb {Z}_p\),
$$\begin{aligned} \forall i \ne i_* :f_i(\nu (x)) &= 0,\\ f_{i_*}(\nu (x)) &= x. \end{aligned}$$
Given \(\textsf{Setup}_{\textsf{Pre}}'\), we can define the partial SKE scheme \(\textsf{SKE}' = (\textsf{Setup}', \textsf{Enc}', \_)\) as in Definition 12. To prove Theorem 5, we assume that \(\textsf{FE}\) is selectively IND-CPA secure. Subsequently, we construct a fitting decryption algorithm \(\textsf{Dec}'\) that has a non-negligible advantage at decrypting ciphertexts of \(\textsf{SKE}'\). This in turn yields a contradiction to Corollary 1, thereby proving that \(\textsf{FE}\) cannot be secure. To construct \(\textsf{Dec}'\), we first derandomize the key generation algorithm \(\textsf{KeyGen}\) of \(\textsf{FE}\), i.e., we can assume, without loss of generality, that \(\textsf{KeyGen}\) is a deterministic algorithm. In fact, if \(\textsf{KeyGen}\) is probabilistic, we can distinguish two cases: first, if one-way functions (OWFs) do not exist, then in particular IND-CPA secure SKEs cannot exist, and hence, FE cannot be IND-CPA secure. Second, if OWFs do exist, we can construct secure pseudorandom functions (PRFs) out of them. Using a PRF \(\textsf{PRF}\), we can derandomize \(\textsf{KeyGen}\) as follows: we change \(\textsf{Setup}\) s.t. it additionally samples a random key k for \(\textsf{PRF}\) and adds it to the output master secret key \({\textsf{msk}}\). Then, \(\textsf{KeyGen}\), on input \({\textsf{msk}}\) and \(f\in \mathcal {F}\), does not generate fresh random coins; instead, it evaluates \(\textsf{PRF}\) on k and a description of f and uses the output \(\textsf{PRF}(k,f)\) as the bits of its random tape.
To continue the proof, we will now show some necessary properties of \(\textsf{FE}\):
Lemma 3
There is a constant \(D \in O(1)\) s.t. for each master secret key \({\textsf{msk}}' = ({\textsf{msk}}, \textsf{sk}_1, \ldots , \textsf{sk}_Q, \nu , i_*)\) output by \(\textsf{Setup}'\), there exists a polynomial \(h_{{\textsf{msk}}} \in \mathbb {Z}_q[T_1,\ldots , T_Q]\) with the following properties:
Furthermore, \(h_{{\textsf{msk}}}\) only depends on \({\textsf{msk}}\).
Proof
Since \(Q = n^d\) and \(m = O(n)\), we have \(Q \in \varOmega (m^d)\). Moreover, Theorem 5 requires each secret key \(\textsf{sk}_i\) to be a polynomial over \(\mathbb {Z}_q\) of degree d. Lemma 1 now implies that there is a constant D such that for each collection of degree-d polynomials \(\textsf{sk}_1,\ldots , \textsf{sk}_Q \in \mathbb {Z}_q[Y_1,\ldots , Y_m]\) there exists an algebraic relationship h that fulfills the requirements in Eqs. (4) to (6).
Now, fix some \({\textsf{msk}}\). Since \(\textsf{Setup}_{\textsf{Pre}}'\) chooses the functions \(f_1,\ldots , f_Q\) deterministically and since we can assume that \(\textsf{KeyGen}\) is derandomized, the secret keys \(\textsf{sk}_1\leftarrow \textsf{KeyGen}({\textsf{msk}}, f_1)\),..., \(\textsf{sk}_Q \leftarrow \textsf{KeyGen}({\textsf{msk}}, f_Q)\) only depend on \({\textsf{msk}}\). Since the algebraic relationship h only depends on q and \(\textsf{sk}_1,\ldots ,\textsf{sk}_Q\), it follows that each choice of \({\textsf{msk}}\) determines a relationship \(h_{\textsf{msk}}\) of degree \(\le D\). \(\square \)
Note that \(h_{{\textsf{msk}}}(\textsf{sk}_1(Y), \ldots , \textsf{sk}_m(Y))\) is the zero polynomial of \(\mathbb {Z}_q[Y_1,\ldots , Y_m]\), which vanishes on each ciphertext of \(\textsf{FE}\). If we choose \(h_{{\textsf{msk}}}\) of minimal degree, we know that \(h_{{\textsf{msk}}}(T_1,\textsf{sk}_2(Y), \ldots ,\textsf{sk}_{m}(Y))\in \mathbb {Z}_q[T_1,Y_2,\ldots ,Y_m]\) cannot be zero. However, it may happen that \(h_{{\textsf{msk}}}(T_1,\textsf{sk}_2(Y), \ldots ,\textsf{sk}_{m}(Y))\) vanishes on almost all ciphertexts of \(\textsf{FE}\). For our decryption algorithm \(\textsf{Dec}'\), it will be important that we have for \(\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, x)\),
The reason is the following: if there is a ciphertext \(\textsf{ct}\in \mathbb {Z}_q^m\) s.t. \(h_{{\textsf{msk}}}(T_1,\ldots , T_{i_*-1},\textsf{sk}_{i_*}(\textsf{ct}), \ldots ,\textsf{sk}_{m}(\textsf{ct})) = 0\), but \(h_{{\textsf{msk}}}(T_1,\ldots , T_{i_*},\textsf{sk}_{i_*+1}(\textsf{ct}), \ldots , \textsf{sk}_{m}(\textsf{ct})) \ne 0\), then \(\textsf{sk}_{i_*}(\textsf{ct})\) is a root of the polynomial \(h_{{\textsf{msk}}}(T_1,\ldots , T_{i_*},\textsf{sk}_{i_* + 1}(\textsf{ct}), \ldots , \textsf{sk}_{m}(\textsf{ct}))\), which we consider as a univariate polynomial in the unknown \(T_{i_*}\) with coefficients in \(\mathbb {Z}_q[T_{1}, \ldots , T_{i_* - 1}]\). Since this polynomial is non-zero, it has at most \(\deg h_{{\textsf{msk}}} \le D\) different roots. In such cases, \(\textsf{Dec}'\) can limit the number of potential values for \(f_{i_*}(x)\) to D, which gives \(\textsf{Dec}'\) a non-negligible advantage at decryption. To make these ideas concrete, let us introduce some technicalities.
Lemma 4
There exists a map \(\mathcal {I}:\mathbb {N}\rightarrow P(\mathbb {N})\) s.t.
Additionally, the probability when we sample \({\textsf{msk}}\leftarrow \textsf{Setup}(1^\lambda )\) that \(h_{\textsf{msk}}\) contains non-trivially a monomial \(T_{i_1}\cdots T_{i_{D'}}\) for some \(D' \le D\) with \(i_1,\ldots , i_{D'} \in \mathcal {I}(\lambda )\) is larger than \(Q(\lambda )^{-D}\).
Proof
For each \({\textsf{msk}}\), \(h_{{\textsf{msk}}}\) must be a non-zero polynomial in \(\mathbb {Z}_q[T_1,\ldots , T_Q]\) of degree \(\le D\). Since \(\mathbb {Z}_q[T_1,\ldots , T_Q]\) contains \(\left( {\begin{array}{c}Q + D\\ D\end{array}}\right) \le Q^D\) monomials of degree \(\le D\), there must exist one monomial \(T_{i_1}\cdots T_{i_{D'}}\) for each \(\lambda \in \mathbb {N}\) s.t.
Hence, we can choose \(\mathcal {I}(\lambda )\) s.t. it contains \(i_1,\ldots , i_{D'}\). \(\square \)
By permuting the indices \(1,\ldots , Q(\lambda )\) for each \(\lambda \in \mathbb {N}\), we can enforce that the set \(\mathcal {I}(\lambda )\) will be \(\{1,\ldots , D\}\) for each \(\lambda \). This is simply a relabeling of indices that does not change the algorithms \(\textsf{Setup}\) and \(\textsf{Setup}'\), but reduces some notations in the following.
We will call a master secret key \({\textsf{msk}}\) good, if \(h_{{\textsf{msk}}}\) contains non-trivially a monomial \(T_{i_1}\cdots T_{i_{D'}}\) with \(i_1,\ldots , i_{D'} \in \mathcal {I}(\lambda ) = \{1,\ldots , D\}\), and we will call \({\textsf{msk}}\) bad, otherwise. Denote by \(\textsf{Setup}_{\textsf{good}}(1^\lambda )\) the distribution of \(\textsf{Setup}(1^\lambda )\) conditioned on the output \({\textsf{msk}}\) being good. For \(\textsf{Setup}_{\textsf{good}}\), we have the following:
Theorem 6
For \(u,n \in \mathbb {N}\), set \(E_u := \left\{ e_i \cdot v ~|~ i \in [n], v \in \{0,\ldots ,u\} \right\} \subset \mathbb {Z}_p^n\) where \(e_i\) denotes the i-th unit vector. Consider the poly-size subspace
For \(\lambda \in \mathbb {N}\), \(x \in \widetilde{\mathcal {X}}_\lambda \) and \(i \in \{1,\ldots , D+1\}\), set
There is an index \(i_\dagger \in [D]\) and functions \(\varepsilon \in \textsf{negl}(\lambda )\), \(\rho \notin \textsf{negl}(\lambda ), \rho \ge 0\) s.t. we have for all \(\lambda \in \mathbb {N}\) and \(x \in \widetilde{\mathcal {X}}_\lambda \),
The proof of Theorem 6 turns out to be very technical. The interested reader will find it in the full version of this paper [52]. Theorem 6 guarantees some homogeneity among ciphertexts of different messages. In particular, it states that the polynomial \(h_{{\textsf{msk}}}(T_1,\ldots , T_{i_\dagger - 1}, \textsf{sk}_{i_\dagger }(\textsf{ct}), \ldots , \textsf{sk}_{Q}(\textsf{ct}))\) will almost always vanish on a ciphertext \(\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, x)\), for any message \(x \in \widetilde{\mathcal {X}}\), while the polynomial \(h_{{\textsf{msk}}}(T_1,\ldots , T_{i_\dagger }, \textsf{sk}_{i_\dagger + 1}(\textsf{ct}), \ldots , \textsf{sk}_{Q}(\textsf{ct}))\) (in which the variable \(T_{i_\dagger }\) remains unsubstituted) will with non-negligible probability not vanish.
Proof
(Theorem 5). Assume, for the sake of contradiction, that \(\textsf{FE}\) is selectively IND-CPA secure. If that were the case, then \(\textsf{SKE}'\) would be selectively IND-CPA secure as well. We derive a contradiction from this assumption by constructing a (computationally unbounded) decryption algorithm \(\textsf{Dec}'\) for \(\textsf{SKE}'\) that has a non-negligible advantage at decrypting correctly, i.e., there is a \(\rho '(\lambda )\notin \textsf{negl}(\lambda )\) s.t.
This directly contradicts Corollary 1 and proves that the assumption is wrong. Hence, \(\textsf{FE}\) must be insecure.
First, we sketch the strategy of \(\textsf{Dec}'\). Towards this end, let \({\textsf{msk}}' =({\textsf{msk}}, \textsf{sk}_1, \ldots , \textsf{sk}_Q, \nu , i_*) \leftarrow \textsf{Setup}'(1^\lambda )\), \(x' \in \mathcal {X}'\) and \(\textsf{ct}\leftarrow \textsf{Enc}({\textsf{msk}}, \nu (x'))\). Then, a ciphertext \(\textsf{ct}' := (c_1,\ldots , c_Q) \leftarrow \textsf{Enc}'({\textsf{msk}}', x')\) is given by
On input \(({\textsf{msk}}', \textsf{ct}')\), \(\textsf{Dec}'\) proceeds as follows:
1. \(\textsf{Dec}'\) checks if \({\textsf{msk}}\) is good. If \({\textsf{msk}}\) is bad, \(\textsf{Dec}'\) terminates by outputting a uniformly random element of \(\mathcal {X}' := \{0,\ldots , M\}\).
2. \(\textsf{Dec}'\) computes \(i_\dagger \in [D]\) from Theorem 6. If \(i_\dagger \ne i_*\), \(\textsf{Dec}'\) terminates by outputting a uniformly random element of \(\mathcal {X}' := \{0,\ldots , M\}\).
3. \(\textsf{Dec}'\) computes the set
$$\begin{aligned} A({\textsf{msk}}) := \left\{ w \in \mathbb {Z}_q^m ~|~ h_{{\textsf{msk}}}(T_1,\ldots , T_{i_* - 1}, \textsf{sk}_{i_*}(w), \ldots , \textsf{sk}_Q(w)) = 0 \right\} . \end{aligned}$$
According to Theorem 6, the original ciphertext \(\textsf{ct}\) of \(\textsf{Enc}({\textsf{msk}}, \nu (x'))\) lies in \(A({\textsf{msk}})\) with overwhelming probability \(p_\lambda (i_\dagger , x')\ge 1 - \varepsilon (\lambda )\). However, since \(\textsf{Dec}'\) does not know \(\textsf{ct}\), it cannot check if \(\textsf{ct}\) lies in \(A({\textsf{msk}})\). Hence, \(\textsf{Dec}'\) assumes from here on that \(\textsf{ct}\) lies in \(A({\textsf{msk}})\).
4. \(\textsf{Dec}'\) computes the subset
$$\begin{aligned} B({\textsf{msk}}) := \left\{ w \in A({\textsf{msk}}) ~|~ h_{{\textsf{msk}}}(T_1,\ldots , T_{i_*}, \textsf{sk}_{i_* + 1}(w), \ldots , \textsf{sk}_Q(w)) \ne 0 \right\} . \end{aligned}$$
Again, according to Theorem 6, \(\textsf{ct}\) lies in \(B({\textsf{msk}})\) with non-negligible probability \(1 - p_{\lambda }(i_\dagger +1, x')\ge \rho (\lambda )\). Under the assumption that \(\textsf{ct}\) lies in \(A({\textsf{msk}})\), \(\textsf{Dec}'\) can now check if \(\textsf{ct}\) lies in \(B({\textsf{msk}})\). If \(\textsf{ct}\) does not lie in \(B({\textsf{msk}})\), \(\textsf{Dec}'\) outputs a uniformly random element of \(\mathcal {X}'\) and stops.
5. At this point, \(\textsf{Dec}'\) knows that \(\textsf{ct}\) lies in \(B({\textsf{msk}})\) and can compute the set
$$\begin{aligned} S({\textsf{msk}}, \textsf{ct}') := \left\{ \textsf{sk}_{i_*}(w) ~|~ w \in B({\textsf{msk}}), \forall i \ne i_* :\textsf{sk}_i(w) = \textsf{sk}_i(\textsf{ct}) \right\} . \end{aligned}$$
It is clear that \(S({\textsf{msk}}, \textsf{ct}')\) must contain \(\textsf{sk}_{i_*}(\textsf{ct})\). We will show that \(S({\textsf{msk}}, \textsf{ct}')\) contains at most \(\deg h_{{\textsf{msk}}} \le D \le M/2\) different values. \(\textsf{Dec}'\) chooses a uniformly random value \(\textsf{sk}_{i_*}(w)\) from \(S({\textsf{msk}}, \textsf{ct}')\) and outputs
$$\begin{aligned} \left\lceil \textsf{sk}_{i_*}(w) \cdot \frac{p}{q} \right\rfloor = \textsf{Dec}(\textsf{sk}_{i_*}, w) \in \mathbb {Z}_p. \end{aligned}$$
Let \(y'\) be the value output by \(\textsf{Dec}'({\textsf{msk}}', \textsf{ct}')\). Since \(\textsf{Dec}'\) outputs a uniformly random element of \(\{0,\ldots , M\}\) whenever \({\textsf{msk}}\) is bad or \(i_* \ne i_\dagger \), it suffices to lower-bound the probability that \(\textsf{Dec}'\) returns the correct message \(x'\) in the case where \({\textsf{msk}}\) is good and \(i_* = i_\dagger \) (both events together occur with non-negligible probability \(\ge Q^{-D-1}\)). In this case, we have
This yields a contradiction with the statement of Corollary 1.
What remains is to show that the set \(S({\textsf{msk}}, \textsf{ct}')\) contains at most \(D < M/2\) elements for \(\textsf{ct}\in B({\textsf{msk}})\). To this end, set
We consider g as a univariate polynomial with coefficients in \(\mathbb {Z}_q[T_{1}, \ldots , T_{i_* - 1}]\) and of degree \(\le D\). Since \(\textsf{ct}\in B({\textsf{msk}})\), we know that g is not the zero polynomial. On the other hand, we know that \(g(\textsf{sk}_*(\textsf{ct})) = 0\), since we assume \(\textsf{ct}\in A({\textsf{msk}})\). In fact, each element of \(S({\textsf{msk}}, \textsf{ct}')\) is a root of g. It follows that \(S({\textsf{msk}}, \textsf{ct}')\) has at most \(\deg g \le \deg h_{{\textsf{msk}}} \le D < M/2\) elements. Since \(x'\in \mathcal {X}'\) was chosen arbitrarily, the non-negligible advantage of \(\textsf{Dec}'\) at decryption follows. \(\square \)
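The root-counting argument used twice above (for the univariate polynomial obtained from \(h_{{\textsf{msk}}}\) before Lemma 4, and for g in step 5 of \(\textsf{Dec}'\)) can be made concrete on toy parameters. The following Python block is an added example, not code from the paper: it models secret keys as low-degree polynomials \(\textsf{sk}_i\) over \(\mathbb {Z}_q\), finds a non-zero algebraic relationship h of degree \(\le D\) among them by linear algebra over the monomials (the counting step behind Lemma 1), and then, given the partial decryptions \(\textsf{sk}_i(\textsf{ct})\) for \(i \ne i_*\), recovers the at most \(\deg h \le D\) candidates for \(\textsf{sk}_{i_*}(\textsf{ct})\) as roots of the substituted univariate polynomial. The parameters (q = 97, two quadratic keys in one variable, ciphertext Y = 7) and all function names are constructed for illustration; the routines themselves work for any number of variables, keys and relationship degree D, which goes beyond the single instance the proof uses.

```python
"""Toy illustration (added example, not the paper's code) of the algebraic-relationship
argument behind Dec'.  Secret keys are modelled as low-degree polynomials sk_i over Z_q
(dicts {exponent tuple: coefficient}).  Once the T-monomials of degree <= D outnumber the
Y-monomials their products can span, a non-zero h with h(sk_1(Y),..,sk_Q(Y)) = 0 exists,
and fixing every partial decryption except sk_{i*}(ct) leaves <= deg(h) <= D candidates.
Constructed parameters: q = 97, two quadratic keys in one variable Y, ciphertext Y = 7."""
from itertools import combinations_with_replacement

def monomials(nvars, max_deg):
    """All exponent tuples of total degree <= max_deg in nvars variables."""
    out = []
    for deg in range(max_deg + 1):
        for combo in combinations_with_replacement(range(nvars), deg):
            e = [0] * nvars
            for v in combo:
                e[v] += 1
            out.append(tuple(e))
    return out

def poly_mul(a, b, q):
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(x + y for x, y in zip(ea, eb))
            out[e] = (out.get(e, 0) + ca * cb) % q
    return {e: c for e, c in out.items() if c}

def poly_eval(a, point, q):
    total = 0
    for e, c in a.items():
        for x, k in zip(point, e):
            c = c * pow(x, k, q) % q
        total = (total + c) % q
    return total

def compose(h, keys, q):
    """h(sk_1(Y), .., sk_Q(Y)) as a polynomial in Y (empty dict == zero polynomial)."""
    m = len(next(iter(keys[0])))
    out = {}
    for e, c in h.items():
        p = {(0,) * m: c}
        for i, k in enumerate(e):
            for _ in range(k):
                p = poly_mul(p, keys[i], q)
        for ye, yc in p.items():
            out[ye] = (out.get(ye, 0) + yc) % q
    return {e: c for e, c in out.items() if c}

def kernel_vector(rows, ncols, q):
    """Gauss-Jordan mod q: a non-zero v with rows . v = 0, or None if none exists."""
    M = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, q)
        M[r] = [x * inv % q for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % q for x, y in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    free = [c for c in range(ncols) if c not in pivots]
    if not free:
        return None
    v = [0] * ncols
    v[free[0]] = 1
    for i, c in enumerate(pivots):
        v[c] = (-M[i][free[0]]) % q
    return v

def find_relation(keys, D, q):
    """Non-zero h in Z_q[T_1..T_Q] of degree <= D with compose(h, keys, q) == {}, or None."""
    tmons = monomials(len(keys), D)
    cols = [compose({e: 1}, keys, q) for e in tmons]  # one Y-polynomial per T-monomial
    ymons = sorted({ye for p in cols for ye in p})
    rows = [[p.get(ye, 0) for p in cols] for ye in ymons]
    v = kernel_vector(rows, len(tmons), q)
    return None if v is None else {e: c for e, c in zip(tmons, v) if c}

def candidates(h, partials, i_star, q):
    """Substitute the known partial decryptions T_i = partials[i] (i != i_star) into h and
    return all roots in Z_q of the resulting univariate polynomial in T_{i_star}.
    None signals that the substituted polynomial vanished identically (no information)."""
    uni = {}
    for e, c in h.items():
        for i, k in enumerate(e):
            if i != i_star:
                c = c * pow(partials[i], k, q) % q
        uni[e[i_star]] = (uni.get(e[i_star], 0) + c) % q
    uni = {k: c for k, c in uni.items() if c}
    if not uni:
        return None
    return [t for t in range(q) if sum(c * pow(t, k, q) for k, c in uni.items()) % q == 0]

def demo():
    q, D = 97, 2
    # Constructed keys sk_1 = Y^2 + 1 and sk_2 = 2Y^2 + 3Y + 5 (m = 1, decryption degree 2).
    keys = [{(2,): 1, (0,): 1}, {(2,): 2, (1,): 3, (0,): 5}]
    h = find_relation(keys, D, q)                  # degree-2 relation (the resultant)
    ct = [7]                                       # constructed toy ciphertext
    partials = [poly_eval(k, ct, q) for k in keys] # what the other secret keys reveal
    i_star = 0                                     # the partial decryption Dec' must guess
    return h, partials[i_star], candidates(h, partials, i_star, q)
```

In the constructed instance there is no linear relationship among 1, \(\textsf{sk}_1\) and \(\textsf{sk}_2\), but six T-monomials of degree \(\le 2\) map into only five Y-monomials, so `find_relation` returns the resultant \(4T_1^2 - 4T_1T_2 + T_2^2 + 3T_1 - 6T_2 + 18\). Substituting \(T_2 = \textsf{sk}_2(7) = 27\) leaves a quadratic in \(T_1\) with exactly two roots, one of which is the true value \(\textsf{sk}_1(7) = 50\); guessing uniformly among them succeeds with probability 1/2, which is the non-negligible advantage the proof exploits, while a scheme whose keys admitted no such low-degree relationship would give the decryptor nothing.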
Notes
- 1.
An exception is the decryption algorithm of some ABE schemes [27, 37], which needs to evaluate a predicate of high depth at decryption. If those ABE schemes are only instantiated with constant-depth predicates, then their decryption algorithms also fit our framework. For more exceptions, see the limits of our results in the full version of this paper [52].
- 2.
However, it should be noted that most FHE schemes use an inverse gadget matrix at homomorphic evaluations, which circumvents our restrictions at encryption.
- 3.
The runtime of the attack that is implicitly used by Theorem 2 lies in \(\textsf{poly}(q/p)\). If q/p is superpolynomial, then our result still yields an adversary with equally superpolynomial time complexity.
- 4.
Technically, [18, 26] define compactness with respect to the running time of the encryption algorithm. More precisely, the running time of the encryption algorithm must only be a polynomial in the security parameter and input message length, and has only sublinear dependency on the function size, i.e., \(\textsf{poly}(\lambda ,|x|) \cdot |f|^{1-e}\) for some constant \(e \in (0,1]\).
- 5.
Note that we allow the advantage of \(\mathcal {A}\) to be negative. This may seem strange; however, this notion of advantage is linear, i.e., we may condition and partition \(\mathcal {A}\)’s advantage on different events.
- 6.
More precisely, we have that \(c = 2(d+1)^2(d!)^3d^d\) as shown in [55].
References
Abdalla, M., Benhamouda, F., Gay, R.: From single-input to multi-client inner-product functional encryption. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part III. LNCS, vol. 11923, pp. 552–582. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_19
Abdalla, M., Benhamouda, F., Kohlweiss, M., Waldner, H.: Decentralizing inner-product functional encryption. In: Lin, D., Sako, K. (eds.) PKC 2019, Part II. LNCS, vol. 11443, pp. 128–157. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_5
Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 733–751. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_33
Abdalla, M., Catalano, D., Fiore, D., Gay, R., Ursu, B.: Multi-input functional encryption for inner products: function-hiding realizations and constructions without pairings. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 597–627. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_20
Abdalla, M., Catalano, D., Gay, R., Ursu, B.: Inner-product functional encryption with fine-grained access control. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part III. LNCS, vol. 12493, pp. 467–497. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_16
Abdalla, M., Gay, R., Raykova, M., Wee, H.: Multi-input inner-product functional encryption from pairings. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 601–626. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_21
Abdalla, M., Gong, J., Wee, H.: Functional encryption for attribute-weighted sums from k-Lin. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part I. LNCS, vol. 12170, pp. 685–716. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_23
Agrawal, S.: Indistinguishability obfuscation without multilinear maps: new methods for bootstrapping and instantiation. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 191–225. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_7
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Agrawal, S., Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption: new perspectives and lower bounds. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 500–518. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_28
Agrawal, S., Goyal, R., Tomida, J.: Multi-input quadratic functional encryption from pairings. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part IV. LNCS, vol. 12828, pp. 208–238. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_8
Agrawal, S., Goyal, R., Tomida, J.: Multi-party functional encryption. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part II. LNCS, vol. 13043, pp. 224–255. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90453-1_8
Agrawal, S., Goyal, R., Tomida, J.: Multi-input quadratic functional encryption: stronger security, broader functionality. In: Kiltz, E., Vaikuntanathan, V. (eds.) Theory of Cryptography, TCC 2022, Part I. LNCS, vol. 13747, pp. 711–740. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22318-1_25
Agrawal, S., Libert, B., Maitra, M., Titiu, R.: Adaptive simulation security for inner product functional encryption. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020, Part I. LNCS, vol. 12110, pp. 34–64. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_2
Agrawal, S., Libert, B., Stehlé, D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part III. LNCS, vol. 9816, pp. 333–362. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_12
Agrawal, S., Pellet-Mary, A.: Indistinguishability obfuscation without maps: attacks and fixes for noisy linear FE. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part I. LNCS, vol. 12105, pp. 110–140. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_5
Agrawal, S., Rosen, A.: Functional encryption for bounded collusions, revisited. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 173–205. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_7
Ananth, P., Jain, A.: Indistinguishability obfuscation from compact functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 308–326. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_15
Ananth, P., Jain, A., Sahai, A.: Indistinguishability obfuscation from functional encryption for simple functions. Cryptology ePrint Archive, Report 2015/730 (2015). https://eprint.iacr.org/2015/730
Ananth, P., Sahai, A.: Projective arithmetic functional encryption and indistinguishability obfuscation from degree-5 multilinear maps. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 152–181. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_6
Ananth, P., Vaikuntanathan, V.: Optimal bounded-collusion secure functional encryption. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part I. LNCS, vol. 11891, pp. 174–198. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36030-6_8
Applebaum, B., Avron, J., Brzuska, C.: Arithmetic cryptography: extended abstract. In: Roughgarden, T. (ed.) ITCS 2015, pp. 143–151. ACM (2015). https://doi.org/10.1145/2688073.2688114
Baltico, C.E.Z., Catalano, D., Fiore, D., Gay, R.: Practical functional encryption for quadratic functions with applications to predicate encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 67–98. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_3
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 93, pp. 62–73. ACM Press (1993). https://doi.org/10.1145/168588.168596
Bishop, A., Jain, A., Kowalczyk, L.: Function-hiding inner product encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part I. LNCS, vol. 9452, pp. 470–491. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_20
Bitansky, N., Vaikuntanathan, V.: Indistinguishability obfuscation from functional encryption. In: Guruswami, V. (ed.) 56th FOCS, pp. 171–190. IEEE Computer Society Press (2015). https://doi.org/10.1109/FOCS.2015.20
Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_16
Brakerski, Z., Döttling, N., Garg, S., Malavolta, G.: Leveraging linear decryption: rate-1 fully-homomorphic encryption and time-lock puzzles. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part II. LNCS, vol. 11892, pp. 407–437. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_16
Chen, Y., Vaikuntanathan, V., Waters, B., Wee, H., Wichs, D.: Traitor-tracing from LWE made simple and attribute-based. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018, Part II. LNCS, vol. 11240, pp. 341–369. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_13
Chotard, J., Dufour Sans, E., Gay, R., Phan, D.H., Pointcheval, D.: Decentralized multi-client functional encryption for inner product. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part II. LNCS, vol. 11273, pp. 703–732. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_24
Cini, V., Ramacher, S., Slamanig, D., Striecks, C., Tairi, E.: (inner-product) functional encryption with updatable ciphertexts. J. Cryptol. 37(1), 8 (2023). https://doi.org/10.1007/s00145-023-09486-y
De Caro, A., Iovino, V., Jain, A., O’Neill, A., Paneth, O., Persiano, G.: On the achievability of simulation-based security for functional encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 519–535. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_29
Fuchsbauer, G., Kiltz, E., Loss, J.: The algebraic group model and its applications. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 33–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_2
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press (2013). https://doi.org/10.1109/FOCS.2013.13
Gay, R.: A new paradigm for public-key functional encryption for degree-2 polynomials. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020, Part I. LNCS, vol. 12110, pp. 95–120. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_4
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 545–554. ACM Press, June 2013. https://doi.org/10.1145/2488608.2488677
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_25
Guo, S., Kamath, P., Rosen, A., Sotiraki, K.: Limits on the efficiency of (ring) LWE-based non-interactive key exchange. J. Cryptol. 35(1), 1 (2022). https://doi.org/10.1007/s00145-021-09406-y
Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from well-founded assumptions. In: Khuller, S., Williams, V.V. (eds.) 53rd ACM STOC, pp. 60–73. ACM Press, June 2021. https://doi.org/10.1145/3406325.3451093
Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from LPN over \(\mathbb{F}_p\), DLIN, and PRGs in \({NC}^0\). In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part I. LNCS, vol. 13275, pp. 670–699. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-06944-4_23
Kitagawa, F., Nishimaki, R., Tanaka, K.: Obfustopia built on secret-key functional encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 603–648. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_20
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. DCC 75(3), 565–599 (2015). https://doi.org/10.1007/s10623-014-9938-4
Libert, B., Ţiţiu, R.: Multi-client functional encryption for linear functions in the standard model from LWE. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part III. LNCS, vol. 11923, pp. 520–551. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_18
Lin, H.: Indistinguishability obfuscation from SXDH on 5-Linear maps and locality-5 PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 599–629. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_20
Lin, H., Tessaro, S.: Indistinguishability obfuscation from trilinear maps and block-wise local PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 630–660. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_21
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Maurer, U.M.: Abstract models of computation in cryptography (invited paper). In: Smart, N.P. (ed.) 10th IMA International Conference on Cryptography and Coding. LNCS, vol. 3796, pp. 1–12. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_1
O’Neill, A.: Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010). https://eprint.iacr.org/2010/556
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press (2005). https://doi.org/10.1145/1060590.1060603
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18
Tairi, E., Ünal, A.: Lower bounds for lattice-based compact functional encryption. Cryptology ePrint Archive, Paper 2023/719 (2023). https://eprint.iacr.org/2023/719
Tomida, J.: Tightly secure inner product functional encryption: multi-input and function-hiding constructions. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part III. LNCS, vol. 11923, pp. 459–488. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_16
Tomida, J.: Unbounded quadratic functional encryption and more from pairings. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part III. LNCS, vol. 14006, pp. 543–572. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30620-4_18
Ünal, A.: Impossibility results for lattice-based functional encryption schemes. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part I. LNCS, vol. 12105, pp. 169–199. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_7
Ünal, A.: Worst-case subexponential attacks on PRGs of constant degree or constant locality. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part I. LNCS, vol. 14004, pp. 25–54. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30545-0_2
Acknowledgements
We want to thank the anonymous reviewers of TCC and Eurocrypt for their very helpful comments and suggestions. This work has received funding from the Austrian Science Fund (FWF) and netidee SCIENCE via grant P31621-N38 (PROFET).
Copyright information
© 2024 International Association for Cryptologic Research
About this paper
Cite this paper
Tairi, E., Ünal, A. (2024). Lower Bounds for Lattice-Based Compact Functional Encryption. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14652. Springer, Cham. https://doi.org/10.1007/978-3-031-58723-8_9
DOI: https://doi.org/10.1007/978-3-031-58723-8_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-58722-1
Online ISBN: 978-3-031-58723-8
eBook Packages: Computer Science (R0)