Practical CCA-Secure Functional Encryptions for Deterministic Functions

Department of Computer, Anhui Science and Technology University, Bengbu 233030, China School of Computer Science, Fudan University, Shanghai 200433, China Department of Mathematics, Hangzhou Normal University, Hangzhou 311121, China Westone Cryptologic Research Center, Beijing 100070, China State Key Laboratory of Integrated Services Networks, Xidian University, Xi’an 710126, China State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China


Introduction
PKE is the most useful asymmetric encryption, which encrypted the plaintext using a public encryption key pk and decrypted the ciphertext using a private key sk only owned by the receiver. In particular, in this cryptosystem, without sk, nobody can get any sensitive information about plaintext.
is type of cryptosystem does not work well in some special case where fine-grained access control functionality [1,2] is needed to act on the decrypted plaintext. FE with this functionality was introduced by Boneh et al. [3]. Informally speaking, FE scheme [4][5][6] can encrypt a message m into a ciphertext ct using a system public key. However, it can only recover a function value f(m) from the ciphertext ct with a private key associated with the function f.
Security is a most important nature of functional encryption, among which indistinguishable chosen-plaintext attack (IND-CPA) security is the most common. IND-CPA security requires that an efficient adversary cannot distinguish the encryption of two different messages even if it allows the adversary to get some extra information such as allowing them access the private key oracle. Furthermore, according to the capability of the adversary, security can be classified into the selective mode and adaptive mode. In the former, the challenge message must be chosen before the public parameter and private key is generated, while in the latter, it may be chosen at any time.
Constructing FE for general functionalities with adaptive IND-CCA [7] security has been an open problem. Now, expressive functional encryptions with adaptive security have got rapid development. In 2015, Ananth et al. proposed an adaptively secure FE from the selective one [8]. e same year, Waters also presented an adaptively secure FE, but it relies on the strong IO assumption [9][10][11].
1.1. CCA Security. Although a wealth of results have been obtained on IND-CPA security, those schemes can only resist passive attacks. In order to resist active attacks, an IND-CCA security notion is required which is the same as IND-CPA but with exception that it additionally allows the adversary to access a decryption oracle. IND-CCA security in PKE settings has got richly studied by many researchers. Also, in the IBE [12] and ABE [13] settings, it also got extensively studied. Although IBEs and ABEs are subordinate to functional encryption, none of them could apply to general functions. us, studying FE with CCA security for arbitrary functions is necessary. In particular, although we allow the adversary to decrypt any ciphertext with private keys, it obtains by making key queries, and the security equipped with decryption oracle is still stronger than that without decryption oracle. e reason is, for any decryption query (g, ct), the challenger can use the private key sk g to decrypt ct, even conditioned on g(m 0 ) ≠ g(m 1 ), but if without decryption oracle, the private key sk g conditioned on g(m 0 ) ≠ g(m 1 ) is not allowed to obtain, and thus, ct cannot be decrypted with this key. Simulation-based CCA (SIM-CCA) is a stronger notion than IND-CCA, meaning that the reduction can be simulated via a probability polynomial time (PPT) simulator who only knows partial information and parameters that the system allows.
e FEs with CCA security are presented in [14,15]. In [14], Benhamouda et al. proposed a CCA-secure functional encryption (FE) that only solves the CCA security in FE based on the projective hash functions. In [15], Nandi and Pandit also solved this problem but with strong restrictions (e.g., needing restricted delegation or verifiability on the underlying IND-CPA FE). However, up to now, it is not known whether the underlying schemes with these special properties exist. Although the generic transformation of Naor and Yung's [16] from IND-CPA to IND-CCA encryption scheme can be adapted to functional encryption, it is only applied to the nonadaptive case in the public-key setting. Of course, it may achieve unbounded collusions, but which is not the key point we focus on in this paper. In particular, in Naor and Yung's generic transformation, the encryption needs to run the original PK-FE twice.

Our Contributions.
To construct functional encryptions with CCA security, some nontrivial techniques will be needed. We propose two (adaptively) CCA-secure generic construction for FE with CCA security for deterministic generic functions where one is in PKE settings and the other is in private-key settings. ese generic constructions first yield practical FE that can be instantiated in the standard assumptions.
We first construct an (adaptively) SIM-CCA-secure PK-FE for deterministic functions by making a small modification on Agrawal and Wu's SIM-CCA-secure PK-FE for randomized functions. en, using the PK-FE scheme together with a NIZK equipped with the property of extractabilities, we construct an (adaptively) IND-CCA-secure SK-FE scheme. Particularly, in our construction, SIM-CPAsecure PK-FE can be used in a black-box way. us, the constructed SK-FE can also be based on the same assumption as the underlying PK-FE scheme.

An Informal Description of Our
Schemes. Our constructions are inspired by Agrawal and Wu's generic transformation of PK-FE from deterministic functions to randomized functions [17]. Our solutions can work on standard assumptions and are more efficient than that by Naor and Yung's generic transformation (since we only use the original primitive once rather than twice which is the case in Naor and Yung's generic transformation). ey are essentially optimal in communication size: in the derived PK-FE with SIM-CCA security, the public parameter and private key are almost equal to that in the underlying PK-FE, while the ciphertext consists of a PK-FE ciphertext and a NIZK proof. In the SK-FE with IND-CCA security, in addition to a PK-FE ciphertext and a NIZK proof, the final ciphertext also adds an SE ciphertext. In Agrawal and Wu's generic CPA-to-CCA transformation from deterministic functions to randomized functions, they use a simulationsound extractable NIZK to implement CPA-to-CCA transformation and a Φ-RKA-secure PRF and a one-way permutation to implement deterministic-to-randomized function transformation. Concretely, in the decryption query, e.g., (g, ct), where g is a function, the simulator deals with the decryption by first employing the NIZK to extract a message m from the ciphertext ct and then evaluating function g on m. us, the simulator can perfectly realize the decryption functionalities under the extractability of the NIZK. For the deterministic-to-randomized function transformation, the core idea is to use a PRF to remove randomization on the function. Specifically, the scheme transforms the encryption of m to that of the pair (m, h(k′)) with randomness hc(k ′ ) under the SIM-CPA FE scheme where h is a one-way permutation and hc is a hardcore function of h. In the construction of the private key for a randomized function f, the scheme first constructs a "derandomize" function g f k (m, h(k ′ )) � f(m, PRF(k◇h (k ′ ), m)) and then computes a SIM-CPA FE private key sk for function g f k . e decryption algorithm uses sk to recover f(m, PRF(k◇h(k ′ ), m)) from a ciphertext ct which encrypts the message (m, h(k ′ )). For our goals of deterministic functions, we remove the PRF and one-way permutation h used for implementing the deterministic-to-randomization function transformation and directly define the final private key as that of the SIM-CPA PK-FE for deterministic functions. Luckily, the removal operation does not affect the CPA-to-CCA transformation since the PRF and h does not participate in the transformation. In this way, we get a SIM-CCA-secure PK-FE scheme for deterministic functions.
In the construction of adaptive IND-CCA SK-FE, a similar methodology proposed by Elkind and Sahai in [18] is adopted. In their construction, the encryption scheme is designed by first constructing a "bare" oblivious-decryptor scheme (ODS) and then employing a designated-verifier NIZK to achieve adaptive CCA security. More specifically, their scheme first encrypted message m under the ODS encryption into a ciphertext c and then employed a designated-verifier NIZK to prove π of (pk, c) ∈ L.
Compared with their scheme, our work on IND-CCA security for SK-FE uses some seemingly different techniques. In our scheme, beyond a standard simulation-sound NIZK and a PK-FE scheme secure against SIM-CCA, we also use a semantically secure symmetric encryption (SE). e symmetric encryption is used to mask the message directly. Particularly, in order to enable decrypting, the SE ciphertext together with the symmetric key are reencrypted in a PK-FE ciphertext. A simulation-sound NIZK proof functions as a "well-formedness" condition on the symmetric ciphertext and is contained in the overall ciphertext. e underlying PK-FE scheme corresponds to the oblivious-decryptor scheme by Elkind and Sahai [18], whose SIM-CCA security together with the standard NIZK proof is used for rejecting ill-formed ciphertexts.
Note that simulation security is strong; in particular, it implies that we have to restrict ourselves to either secure against bounded collusion, which may hinder the practicability of the scheme, or to simple functionality (for example, IBE), for which the scheme cannot be simulation secure against bounded collusion. Although a weak notion, for example, an IND-CPA-secure SK-FE which may induce a more practical scheme or simple functionality, it is not applicable to our construction.
is is because, when we directly use the weak scheme, during the decryption query phase, the master secret key encrypted in the underlying SK-FE ciphertext can be extracted out by the NIZK.

Noninteractive Zero Knowledge (NIZK).
Here, we first explain several notions. R: L × W ⟶ 0, 1 { } a PPT binary relation which takes as input a statement x ∈ L and the corresponding witness w ∈ W and outputs a bit indicating whether x belongs to the language L. Setup: crs ⟵ ZK.Setup (1 λ ), where crs denotes the common random string, which is public and can be accessed by anyone. Prove: π ⟵ ZK.Prov(crs, x, w), where π denotes the proof which proves that it owns the secret witness w of the statement x. Verification: b ⟵ ZK.Ver(crs, x, π), where b � 1 denotes the verifier "accept" and b � 1 denotes "reject". Perfect completeness: an argument system ZK is perfectly complete if for all PPT adversaries A, the following holds: (1) Computational soundness: the computational soundness of the scheme ZK is demonstrated as follows, where A is a PPT algorithm: where the oracles O(crs, ·, ·) and O ′ (crs, τ, ·, ·) are demonstrated as follows: (i) e oracle O(crs, ·, ·) takes as input a pair (x, w) and outputs ZK.Prov (crs, x, w) if (x, w) ∈ R; o.w. outputs ⊥.

Pr
(crs, τ, ς) ⟵ ξ 1 where Q is the set that contains all queries A makes to S 2 and the answers from S 2 . Correctness of the scheme is obvious.

Symmetric Encryption and Semantic
Definition 4 (semantic security). An SE is called semantic security (SS), if for all PPT A in the game SS SE,b A (λ) (see Figure 1) played by A, the function Adv SS SE,A is negligible in λ (security parameter), where Adv SS  en, we define the advantage of the adversary A in game

Oracles
(i) Real Game. In this game, both oracles O 1 (msk, ·) and O 2 (msk, ·) invoke the algorithm FE.KG(msk, ·) when A makes key queries to O 1 (msk, ·) and copyright has been updated in VTW, please repush task to validation. Oracle O 3 (msk, ·, ·) acts as the decryption oracle, i.e., when A makes a decryption query (g, C), the oracle O 3 (msk, ·, ·) first invokes FE.KG(msk, g) to obtain sk g and then computes and outputs the ordered set y i . In this game, an ordered set g is used to denote the functions that the adversary A 2 made queries to O 3 (msk, ·, ·) and y used to denote the answers of the oracle O 3 . (ii) Ideal Game. In the ideal game, oracles O 1 ′ (st ′ , ·) and O 2 ′ (st ′ , ·) denote the simulator algorithms S 2 (st ′ , ·) and S 4 (st ′ , ·). Simulator S 2 (st ′ , ·) takes a key query f ′ as input and outputs a key sk f′ for function f ′ . For simulator S 4 (st ′ , ·), besides given f ′ as input, it is also allowed to access an oracle KIdeal(m, ·), which inputs a function f ′ and returns y i . e (ordered) set f ′ denotes the functions that the adversary had made key queries to Next, Finally, it outputs the ordered set y k ′ . For convenience, we abbreviate y k ′ as y ′ .
Here, we give a further restriction on decryption queries. First, we give an equivalence relation notation ∼ functioning on ciphertext space C. We say that any two ciphertexts (1 λ ) and sk f ⟵ FE.KG(msk, f) so that one of the following conditions holds: Next, we give the restriction on decryption queries, namely, for each decryption query (g, C), whether in ideal game or real game, we require that, for all i, j ∈ [q d ] and i ≠ j, then ct i ≁ct j , and for all i ∈ [q d ], j ∈ [q c ], and the challenge ciphertext ct * j , it must hold ct i ≠ ct * j .
Definition 5 (SIM-CCA). We say that a PK-FE scheme for deterministic functions is (q 1 , q c , q 2 )-simulation-based chosen-ciphertext secure ((q 1 , q c , q 2 )-SIM-CCA secure) if for any efficient adversary A � (A 1 , A 2 ) where A 1 and A 2 make at most q 1 and q 2 key-generation queries, respectively, there exists an ∼ over ciphertext space ( ∼ ) and a PPT simulator One thing in particular to note is that, in the SIM-CCA security game, if we disallow the adversary A to query decryption oracles O 3 and O 3 ′ , then the game becomes SIM-CPA game.

Indistinguishable-Based Chosen-Ciphertext Security. For the IND-CCA security, IND-CCA FE,b
A,F (λ) (see Figure 3) denotes the IND-CCA game played by a PPT adversary A � (A 1 , A 2 ). We define the advantage function In the above game, we require that if the ordered set f denotes all key queries and (m 0 , m 1 ) denotes all challenge message pairs delivered by the adversary A, then the distributions (mpk, st, f(m 0 )) and (mpk, st, f(m 1 )) are identical. Now, we give the definitions of oracles below.

Oracles
(i) KeyGen(msk, ·) denotes a key-generation oracle which, on inputting a function f, invokes the keygeneration algorithm FE.KG(msk, f) to obtain a key sk f for function f. (ii) O(msk, ·, ·) denotes a decryption oracle which, on taking as input a tuple (g, ct) such that ct ≠ ct * , first invokes the key-generation algorithm FE.KG(msk, g) to obtain a key sk g and then computes y � FE.Dec(sk g , ct) and outputs y.
Note that the above definition is adaptively secure, and it is easily modified to the nonadaptive security by requiring the adversary to specify two challenge messages before obtaining the master public key and function keys. In this paper, we only pay attention to the adaptive security.
Definition 6 (IND-CCA for PK-FE). We say that a PK-FE scheme for deterministic functions is adaptively where A 1 and A 2 make at most q 1 and q 2 key-generation queries, respectively, and we have that the function value In particular, as remarked in [19], the above definition can be trivially extended to multiple challenge message security, i.e., adaptive (q 1 , q c , q 2 )-IND-CCA security where q 1 , q c , and q 2 are polynomials in λ. Particularly, we stress that the SIM-CCA security described in Section 3.2 implies IND-CCA security.

Private-Key Functional Encryption
Here, we give the definition of SK-FE for deterministic functions. Let SFE � (SFE.Setup, SFE.KG, SFE.Enc, and SFE.Dec) be an SK-FE scheme defined over function space F � F λ λ∈N and message space M � M λ λ∈N , respectively. e detailed definition is given as follows: Setup: the setup algorithm computes (ppr, msk) ⟵ SFE.Setup(1 λ ), where ppr denotes the system public parameter ppr, msk denotes the system master secret key, and the public parameter ppr is implied in the following algorithms: Key generation: the key-generation algorithm computes sk f ⟵ SFE. KG(msk, f), where sk f denotes the generated private key. Encryption: the encryption algorithm computes ct ⟵ SFE.Enc(msk, m), where m ∈ M λ denotes the being encrypted message and ct denotes the generated ciphertext. Decryption: the decryption algorithm computes Here, we give the perfect correctness of scheme SK-FE, which says that, for all sufficient large λ ∈ N,

Indistinguishable-Based Chosen-Ciphertext.
Here, we review the IND-CCA of the SK-FE from [8]. In Figure 4, A,F (λ) denotes the IND-CCA game played by a PPT adversary A.
e advantage function is defined as In the above game, we require that all challenge messages that the adversary delivers in the encryption queries to oracle ENC satisfy f(m 0 ) � f(m 1 ) for all the functions f ∈ F that the adversary makes queries to the key-generation oracle KeyGen, where m 0 and m 1 denote the challenge message that the adversary delivers in the challenge phase. In the following, we define the functionalities of the oracles.

Oracles
(i) KeyGen(msk, ·) denotes the key-generation oracle which means that when the adversary makes a function query f, the oracle invokes the algorithm SFE.KG(msk, f) to get a private key sk f . (ii) ENC(msk, ·, ·) denotes an encryption oracle. On taking as input two messages (m 0 , m 1 ), it invokes SFE.Enc(msk, m b ) to obtain ct * for a random bit b⟵ $ 0, 1 { }. We denote all challenge ciphertexts as ct * { }. (iii) O(msk, ·, ·) denotes a decryption oracle which, on taking as input a tuple (g, ct) such that ct ∉ ct * { }, invokes the algorithm SFE.KG(msk, g) to obtain a private key sk g and outputs y � SFE.Dec(sk g , ct).
Note that the above definition is adaptively secure and is easily modified to the nonadaptively security by requiring the adversary to make encryption queries before key queries.
Definition 7 (IND-CCA for SK-FE). We say that an SK-FE scheme for deterministic functions is adaptively indistinguishability-based chosen-ciphertext secure (adaptively

Construction of SIM-CCA-Secure PK-FE
In this section, we modify Agrawal and Wu's generic transformation [17] to the setting of deterministic functions. e modified scheme needs the following building blocks:  Prov(crs, x, w), where x � ct ′ ∈ L, the witness w � (m, r), and (x, w) ∈ R. e relation R and language L satisfy the following equation: ∃(m, r) suchthat ct ′ � CPAFE.Enc mpk ′ , m; r . (6) e final ciphertext is set as ct � (ct ′ , π). (iv) e decryption algorithm: on taking as input a private key sk f � sk f ′ and a ciphertext ct � (ct ′ , π), the decryption algorithm first verifies whether ZK.Ver(crs, x, π) � 1, where x � ct ′ ; if so, it computes y � CPAFE.Dec(sk f ′ , ct ′ ) and outputs y; otherwise, it outputs ⊥.
It is easy to see that the correctness of the scheme CCAFE follows from the completeness of ZK and the correctness of CPAFE.

Theorem 1.
If ZK is a simulation-sound extractable noninteractive zero-knowledge argument, CPAFE is perfectly correct (q 1 , q c , q 2 )-SIM-CPA-secure PK-FE scheme for deterministic function class F, then CCAFE is (q 1 , q c , q 2 )-SIM-CCA-secure functional encryption scheme for the same function class.
) be the simulator for the scheme CPAFE and S ZK � (S ZK 1 , S ZK 2 ) and ξ ZK � (ξ ZK 1 , ξ ZK 2 ) be the simulator and extractor for the scheme ZK, respectively.

Simulator
e prechallenge key-generation query simulator S 2 proceeds as follows. On taking as input where m � (m 1 , . . . , m q c ) are the challenge messages that the adversary delivers. At the end of the simulation, it outputs a challenge ciphertext set ct * i i∈[q c ] and an updated state

Hybrid Games.
For eorem 1, we prove it via 4 hybrid games where the first game G 0 is the real-world game and the last game G 3 is the simulator game. Each game contains the following phases: Setup: in this phase, the challenger generates the system public key mpk ′ . Prechallenge queries: in this procedure, A is allowed to issue the key-generation queries f ∈ F and decryption query (f, ct) ∈ F × C such that for all decryption queries (f, C) and any ct i , ct j ∈ C and i ≠ j, it holds that ct i ≁ct j . Challenge: when the adversary A submits a vector of messages m ∈ M q c to the challenger, the challenger replies with ct * i i∈[q c ] . Postchallenge queries: in this procedure, the adversary A is again allowed to issue key-generation and decryption queries but with a further restriction that decryption query can be only allowed to contain queries (f, C) such that ct j ≠ ct * i , where ct j ∈ C for j ∈ [q d ] and ct * i is the challenge ciphertext for i ∈ [q c ]. Output: finally, the adversary A outputs a guess b ′ ∈ 0, 1 { } of the challenge bit b. Each of the hybrid games is described in detail as follows: Hybrid G 0 : this is the game in the real settings where the challenger interacts with the adversary.

Security and Communication Networks 7
Hybrid G 1 : same as G 0 except that the way that the common random string crs in the setup phase and the arguments in the challenge ciphertexts are generated. Specifically, in the setup phase, the challenger uses (crs, τ) ⟵ S ZK 1 (1 λ ). In the challenge phase, the challenger uses the simulator S ZK 2 to generate the challenge argument in the challenge ciphertexts. Let m * ∈ M q c be the challenge messages. It samples r * i ∈ R and computes ct ′ * i ⟵CPAFE.Enc(mpk ′ , m * i ; r * i ) and where the statement x * i is described as in equation (1). Finally, the challenger sets ct * i � (ct ′ * i , π * i ) and mpk � (mpk ′ , crs) and sends mpk and ct * i to the adversary A. Hybrid G 2 : same as G 1 except that the challenger answers the decryption queries by extracting the message-randomness pair (m, r) from the noninteractive zero-knowledge argument ZK. Specifically, in the setup phase, the procedure is same as hybrid G 1 except that the challenger computes (crs, τ, ς)⟵ξ ZK 1 (1 λ ). In the prechallenge phase, the key-generation queries are dealt with as in G 1 , while the decryption queries are processed as follows: for query and let x i be the statement as described in equation (2). If ZK.Ver(crs, x i , π i ) � 0, set y i � ⊥; otherwise, it invokes the extractor ξ ZK 2 (crs, ς, x i , π i ) to obtain a witness (m i , r i ) and sets y i � g(m i ). Finally, y i i∈[q d ] is sent to A. Hybrid G 3 : same as G 2 but with the difference that the challenger uses the simulator S CPAFE � (S CPAFE (1 λ ). In the prechallenge phase, the decryption queries are dealt with as in hybrid G 2 , while the key generation is handled as follows: for each query f ∈ F, it runs S CPAFE 2 (st CPAFE , f) to obtain private key sk f . In the challenge phase, let f 1 , . . . , f q 1 be the function that the adversary A has made queries in the key-generation phase and m ∈ M q c be the challenge messages that the adversary queries. It computes y ij � f j (m i ) for all i ∈ [q c ] and j ∈ [q 1 ] and invokes the simulator S CPAFE In the postchallenge queries, the decryption queries are processed as in hybrid G 2 , but the key-generation queries are processed differently as below: the challenger invokes S CPAFE 4 (st CPAFE , f) under the help of the oracle CPAFE.KIdeal(m, ·) to obtain the private key sk f .

Claim 1.
If ZK is a computationally noninteractive zeroknowledge argument system, then hybrids G 0 and G 1 are computationally indistinguishable.

Proof.
e hybrid games G 0 and G 1 are different in that, in G 1 , the challenger uses the NIZK simulator to compute the CRS and arguments. It is easy to see that the claim follows from the computational zero-knowledge of NIZK.
Concretely, let A � (A 1 , A 2 ) be an efficient adversary distinguishing hybrid games G 0 and G 1 . A is used to construct an algorithm A ZK that tries to distinguish the real and simulated distributions of the NIZK. A ZK takes as input crs and is allowed to access to an argument oracle. In the setup, A ZK computes (mpk ′ , msk ′ )⟵CPAFE.Setup(1 λ ) and sets mpk � (mpk ′ , crs) and msk � msk ′ . It then sends mpk to A. In the challenge phase, when A delivers challenge message m ∈ M q c λ , the algorithm A ZK samples r * i ⟵R and computes ct ′ * i ⟵CPAFE.Enc(mpk ′ , m i ; r * i ) for each i ∈ [q c ]. Let x * i be the statement in equation (2). A ZK delivers (x * i , (m i , r * i )) to its challenger and obtains an argument π * i . Finally, A obtains ct * i � (ct ′ * i , π * i ) and ct * i . e rest steps are processed in the same way as in G 0 and G 1 . Finally, A ZK outputs whatever A outputs. Obviously, if the CRS and NIZK arguments are computed honestly, then A ZK simulates the settings of G 0 ; otherwise, it simulates the settings of G 1 . us, the lemma follows. □ Claim 2. If ZK is simulation-sound extractable and CPAFE is perfectly correct, then hybrids G 1 and G 2 are computationally indistinguishable.
Proof. Hybrids G 1 and G 2 are identical but only with the difference in the way the challenger responds to decryption queries. Conditioned on the simulation-sound extractability of ZK and perfect correctness of CPAFE, the two games are computationally indistinguishable. Let (g, C) be the decryption query pair that the adversary makes, where C � ct i i∈[q d ] and ct i � (ct i ′ , π i ). e procedure can be classified into two cases. If π can pass the verification, the challenger sets y i � ⊥ in both G 1 and G 2 . Otherwise, it is easy to see that the adversary cannot submit any challenge ciphertexts in the decryption queries.
us, ct i � (ct i ′ , π i ) was not generated by the challenger using S ZK . us, by simulation-sound extractability, with probability at least 1 − negl(λ), the extraction algorithm ξ ZK 2 on x i and π i will produce a witness (m i , r i ) to make ct i ′ � CPAFE.Enc(mpk ′ , m i ; r i ) hold. Furthermore, by perfect correctness of CPAFE, (m i , r i ) is the only pair corresponding to ct i ′ . In addition, in G 1 , the challenger first computes sk g ⟵CPAFE.KG(msk ′ , g) and then sets y i � CPAFE.Dec(sk g , ct i ′ ). By the underlying PK-FE scheme CPAFE, y i � g(m i ), which is exactly the output in G 2 after (m i , r i ) is extracted. erefore, with probability 1 − negl(λ), the distributions in both G 1 and G 2 are identical. □ Claim 3. If CPAFE is a (q 1 , q c , q 2 )-SIM-CPA-secure FE scheme for deterministic function family F, then hybrids G 2 and G 3 are computationally indistinguishable. A � (A 1 , A 2 )  (1 λ ), the setup and prechallenge queries are simulated as follows:

Proof. Suppose
Setup: in this phase, the adversary A CPAFE 1 first computes a simulated tuple (crs, τ, ς)⟵xi ZK 1 (1 λ ). It then sets mpk � (mpk ′ , crs) and sends mpk to A. Prechallenge queries: in this phase, when A 1 makes a function key query f, the adversary A CPAFE 1 queries its prechallenge key-generation oracle to obtain a key sk f ′ which is generated by , f), while the decryption queries are the same as in G 2 and G 3 . A,F , then the view of A is computationally indistinguishable from G 3 . us, the proof follows from the (q 1 , q c , q 2 )-SIM-CPA security of the scheme CPAFE.

Adversary
Remark 1. Note that applying the above simulation-sound extractable NIZK to the secret-key settings for implementing the IND-CPA-to-IND-CCA security transformation is impossible. is is because beyond the encrypted message, the extractor of the NIZK also extracts out the master secret key used for a secret parameter in the encryption process. Once the extractor obtains the master secret key, it can use it to forge the private keys for any functions of its choice.
In the following, we will use the SIM-CCA-secure PK-FE proposed above and a NIZK scheme to put forward an IND-CCA-secure SK-FE.

Construction of SK-FE
Here, we give an IND-CCA-secure SK-FE from SIM-CCAsecure PK-FE. Let SFE � (SFE.Setup, SFE.KG, SFE.Enc, SFE.Dec) be the scheme and F and M SFE the associated function space and message space, respectively. e building blocks used in the scheme are as follows: In particular, note that in this construction, the message space of the scheme SFE is identical to that of the scheme SE, namely, M SFE � M SE .
Setup: taking 1 λ as input, the algorithm SFE.Setup(1 λ ) first computes (fpk, fsk)⟵FE.Setup(1 λ ), sek⟵SE.KG(1 λ ), and crs⟵ZK.Setup(1 λ ). en, it outputs the public parameter ppr � (crs, fpk) and master secret key msk � (fsk, sek). Note that the parameter ppr is implicitly contained in the following algorithms. Encryption: taking a master secret key msk and a message m ∈ M SE as input, the algorithm SFE.Enc(msk, m) first parses msk into msk � (fsk, sek). It then computes a symmetric encryption ciphertext ct SE ⟵SE.Enc(sek, m), an argument π⟵ZK.Prov(crs, ct SE , (sek, m)), and a PK-FE ciphertext ct FE ⟵FE.Enc(fpk, ct SE , sek). It finally outputs the overall ciphertext CT � (ct SE , π, ct FE ). Key generation: taking a master secret key msk and a function f ∈ F as input, the algorithm SFE.KG(msk, f) first parses msk into msk � (fsk, sek) and then constructs a universal circuit U[f] (see Figure 5) and computes sk f ⟵FE. KG □ Proof. Intuition. Our construction is inspired by Agrawal and Wu's generic transformation for PK-FE from deterministic functions to randomized functions [17]. From their scheme, we first derive an SIM-CCA-secure PK-FE for deterministic functions by removing Φ-RKA-secure pseudorandom function PRF and one-way permutation used to implement the deterministic-to-randomized function transformation (note that the details of Agrawal and Wu's scheme can be found in [17], we will not dwell on them here). en using the derived PK-FE together with a semantically secure symmetric encryption (SE) and a standard NIZK, we obtain an SK-FE scheme with IND-CCA security. Roughly speaking, the plaintext is masked with the SE scheme (where the symmetric key of the SE is a part of the master secret key), then it computes a proof under the NIZK which is used for verifying whether the SE ciphertext encrypts correct plaintext. In order to ensure correct decryption, we reencrypt the SE ciphertext together with the proof and the symmetric key under the derived PK-FE scheme, in which the symmetric key and the SE ciphertext make sure that the scheme enables to decrypt and the proof makes sure that ill-formed SE ciphertext can be rejected in the final scheme. e security follows eorem 3.
□ Theorem 3. If the NIZK argument ZK is computationally indistinguishable, the SE scheme SE is semantically secure, the PK-FE scheme FE is perfectly correct (adaptively) (q 1 , q c , q 2 )-SIM-CCA secure, then the SK-FE scheme SFE described above is (adaptively) IND-CCA secure, where the adversary makes at most q 1 + q 2 key queries and q c challenge queries.
Proof. We adopt a similar proof method as that of eorem 1. Likewise, each game contains the following procedures: Setup: the challenger computes the parameter ppr. Key generation query: in this procedure, the adversary A may make prechallenge key queries and postchallenge key queries for functions f ∈ F. Particularly, note that, for all key queries f j j∈[q 1 +q 2 ] and encryption queries (m i 0 , m i 1 ) i∈[q c ] as below, we require that f j (m i 0 ) � f(m i 1 ). Encryption query: in this procedure, A commits a collection of message pairs (m i 0 , m i 1 ) i∈[q c ] , and the challenger responds with ct * i i∈[q c ] . Decryption query: here, A may make decryption queries (g, CT), with a further restriction that decryption queries are only allowed to contain queries (g, CT) such that CT ∉ Q, where Q is the set of all encryption queries that A has made in the encryption query procedure.
In particular, since in the underlying PK-FE scheme us, the admissible condition still holds in our SK-FE scheme. Furthermore, like in the PK-FE, we also require that a similar equation relation ∼ over ciphertext space C is satisfied, i.e., given any two ciphertexts CT 1 � (ct 1 SE , π 1 , ct 1 FE ) and CT 2 � (ct 2 SE , π 2 , ct 2 FE ), we say CT 1 ∼ CT 2 , if ct 1 SE � ct 2 SE . □

Hybrid Games
G 0 : this is the premier game where the message m 0 is encrypted in the encryption query phase. G 1 : same as G 0 except that the generation of the common random string crs and the argument π are replaced with the simulation mode of the scheme ZK. G 2 : same as G 1 but with the difference that the sim- is used to respond to the queries. G 3 : same as G 2 but with the difference that challenge message m 1 instead of m 0 is encrypted in the challenge ciphertext. In particular, the symmetric encryption computes the encryption ct SE ⟵SE.Enc(sek, m 1 ) of m 1 . G 4 : this is the same as G 3 except that the challenger uses the real algorithms of the scheme FE to respond to the queries. G 5 : this is the same as G 4 except that the generation of the common random string crs and argument π is replaced with the real algorithms of the scheme ZK. Proof. Assume G 0 and G 1 are distinguishable, then we can use the adversary A that distinguishes G 0 and G 1 to construct an adversary A ZK that attempts to break the computational zero-knowledge property of ZK. A ZK is given a common random string crs (which comes from the real algorithm or simulation algorithm) and may access to the oracle O(crs, ·, ·), which computes the argument for statements belonging to the language: At the end, A ZK outputs whatever A outputs. From above, we can see that the adversary A ZK perfectly simulates the environment for A. Obviously, if crs and π are from the real algorithm, then A ZK simulates the hybrid G 0 for A; otherwise, it simulates G 1 for A.
Proof. Assume that G 1 and G 2 are distinguishable, then an adversary A that distinguishes G 1 and G 2 can be used to construct an adversary A FE � (A FE 1 , A FE 2 ) which tries to break through the SIM-CCA security of the scheme FE; that is, the experiments REAL and IDEAL can be distinguished. In the security proof, A FE will play the role of the challenger for the adversary A. Let O pre KG be the prechallenge keygeneration oracle corresponding to the oracle O 1 (fsk ′ , ·) in the real experiment and the oracle O 1 ′ (st ′ , ·) in the ideal experiment, O post KG be the postchallenge oracle corresponding to the oracle O 2 (fsk ′ , ·) in the real experiment and the oracle O 2 ′ (st ′ , ·) in the ideal experiment, and O dec be the decryption oracle corresponding to the oracle O 3 (fsk ′ , ·) in the real experiment and the oracle O 3 ′ (st ′ , ·) in the ideal experiment. e reduction is described as follows: is made to the oracle O dec (for both prechallenge decryption queries and postchallenge decryption queries) to get the result y and sends it to A (note that y is generated by the real decryption algorithm or the simulation algorithm of the scheme FE).
At the end, A FE outputs whatever A outputs. From above, we can observe that the environment for A is perfectly simulated by the adversary A FE . Obviously, if the master public key fpk ′ , the private keys sk f ′ , the challenge ciphertexts ct * FE , and the value y are generated as in real experiment, then A FE simulates hybrid G 1 for A; otherwise, it simulates hybrid G 2 for A.
us, if the adversary A distinguishes hybrids G 1 and G 2 , then the adversary A FE breaks the (q 1 , q c , q 2 )-SIM-CCA security of FE. e claims are as follows. □ Claim 6. If the SE scheme SE is semantically secure, then games G 2 and G 3 are computationally indistinguishable.
Proof. Assume that G 2 and G 3 are distinguishable, then an adversary A can be used to construct an algorithm A SE that attempts to break through the semantic security of the scheme SE. In particular, the adversary is allowed to access the oracle O(sek, ·) that can generate ciphertexts for messages that the adversary chooses. Let B be the challenger of the adversary A SE .  Proof. e same as that of Claim 4.

□
Remark 2. Note that, since the generic function f in the SK-FE scheme is hardwired in the circuit U[f] in the underlying PK-FE, the transformation in this paper is restricted to security against bounded collusion only. Removing this restriction by allowing only very specific functions seems violating our goals for genetic functions. Bounded collusion appears inherent in this type of FE schemes and solving it seems not easy. We left this work as an open problem and hope to solve it in the future.

Instantiations of the Primitives.
Both primitives used by our generic construction can be designed under some standard assumptions. For example, the simulation-sound extractable NIZK arguments can be instantiated from RSA assumption, and the SE scheme can be instantiated from one-way functions.

Simulation-Sound Extractable NIZK Arguments.
Agrawal and Wu [17] showed that the simulation-sound extractable NIZK argument can be constructed from trapdoor one-way permutations and dense cryptosystems by De Santis et al. [20] and both of which can be instantiated from RSA assumption.

Semantically Secure Symmetric Encryption.
We note that the semantically secure symmetric encryption SE can be instantiated from one-way functions [21]. For example, it can be constructed from weak pseudorandom functions (wPRF) PRF, namely, SE.Enc(sek, m; r) � (r, PRF (sek, r)⊕m), and this wPRF can be again designed from only one-way functions.

Instantiations of the Underlying PK-FE.
Here, we show several examples of how to instantiate a perfectly correct (q 1 , q c , q 2 )-SIM-CPA-secure functional encryption scheme CPAFE to apply to our generic constructions with CCA security in both public key and private key settings. e results described below show that the SIM-CPA-secure PK-FE used to construct the SIM-CCA-secure PK-FE can be designed from both standard assumptions (such as DDH, RSA, LWE, and LPN) and nonstandard assumptions (such as IO and intractable problems on composite-order multilinear maps). as follows. We first derive an/a (adaptively) SIM-CCA-secure FE for deterministic functionalities in the public-key settings by making modifications on ones for randomized functionalities proposed by Agraval and Wu [17]. en, based on the modified scheme together with a symmetric encryption and a standard NIZK, we present a private-key FE scheme (SK-FE) with adaptive IND-CCA security for deterministic functionalities. e instantiabilities of the underlying base SIM-CPA-secure PK-FEs, symmetric encryption, and NIZK from standard assumptions show that our proposed SK-FE scheme is practical under the standard assumptions.

IND-CCA-Secure SK-FE for Randomized Functionalities.
A precursor to the work on SK-FE scheme supporting randomized functionalities was the work by Komargodski et al. [30]. ey achieve this by utilizing function-private FE scheme for deterministic functionalities in the private-key settings. Brakerski and Segev [31] proposed a functionprivate scheme based on any SK-FE scheme for a sufficiently rich function class. To construct SK-FE with IND-CCA security for randomized functionalities, a function− private FE in the public-key settings with SIM-CCA security for randomized functionalities may be necessary, but deriving such a scheme from existing works is nontrivial, and it may require some new techniques. us, we left them as an open problem.