Simulation-Based Secure Functional Encryption in the Random Oracle Model

  • Conference paper
  • Progress in Cryptology -- LATINCRYPT 2015 (LATINCRYPT 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9230)

Abstract

One of the main lines of research in functional encryption (FE) has consisted in studying the security notions for FE and their achievability. This study was initiated by [Boneh et al. – TCC’11, O’Neill – ePrint’10], where it was first shown that for FE the indistinguishability-based (IND) security notion is not sufficient, in the sense that there are FE schemes that are provably IND-Secure but concretely insecure. For this reason, researchers investigated the achievability of simulation-based (SIM) security, a stronger notion of security. Unfortunately, the above-mentioned works and others [e.g., Agrawal et al. – CRYPTO’13] have shown strong impossibility results for SIM-Security. One way to overcome these impossibility results was first suggested in the work of Boneh et al., where it was shown how to construct, in the Random Oracle (RO) model, SIM-Secure FE for restricted functionalities, and the generalization to more complex functionalities was posed as a challenging problem in the area. Subsequently, [De Caro et al. – CRYPTO’13] proposed a candidate construction of SIM-Secure FE for all circuits in the RO model assuming the existence of an IND-Secure FE scheme for circuits with RO gates. To our knowledge there are no proposed candidate IND-Secure FE schemes for circuits with RO gates, and they seem unlikely to exist. We propose the first constructions of SIM-Secure FE schemes in the RO model that overcome the current impossibility results in different settings. We achieve this by working in the following two models:

  • In the public-key setting we assume a bound on the number of queries but this bound only affects the running-times of our encryption and decryption procedures. We stress that our FE schemes in this model are SIM-Secure and have ciphertexts and tokens of constant-size, whereas in the standard model, the current SIM-Secure FE schemes for general functionalities [De Caro et al., Gorbunov et al. – CRYPTO’12] have ciphertexts and tokens of size growing as the number of queries.

  • In the symmetric-key setting we assume a timestamp on both ciphertexts and tokens. In this model, we provide FE schemes with short ciphertexts and tokens that are SIM-Secure against adversaries asking an unbounded number of queries.

Both results also assume the RO model, but not functionalities with RO gates, and rely on extractability obfuscation [Boyle et al. – TCC’14] (and other standard primitives) secure only in the standard model.


Notes

  1. This issue was first noticed by several researchers [9] and personally communicated by Jonathan Katz to the authors of the work [8].

  2. Specifically, in our main transformation the size of the tokens is constant if we employ a collision-resistant hash function for inputs of variable length; otherwise their size depends only on the encoding of the value and thus can be sub-logarithmic. Similarly, for the timestamp model of Sect. 3.3, both tokens and ciphertexts need to encode a temporal index which, being a number at most equal to the number of queries issued by any PPT adversary, will be at most super-logarithmic, and thus can be encoded with a string of poly-logarithmic size. For simplicity, henceforth we will claim that our constructions have tokens of constant size, omitting this detail.

  3. Henceforth, by non-adaptive queries we mean the queries that the adversary asks before seeing the challenge ciphertext, and by adaptive queries those it asks after seeing it.

  4. Perhaps a better name would have been “differing-inputs indistinguishability”, but we do not adopt it, so as not to overlap with differing-inputs obfuscation and because the name we use recalls the reason to advocate this stronger notion for our transformations.

  5. We can recast IND-Security in a similar way by defining valid adversaries that only ask queries and challenges satisfying the compatibility property.

  6. The same considerations also hold in applications where many users share the same secret key. Indeed, in this case one needs to assume that such users trust each other, and thus they will tag the ciphertexts and tokens with the correct timestamp.

  7. The main focus of the work of Goldwasser et al. [13] is the circuit model, but they sketch how to extend it to the Turing Machine model. Similar considerations hold for the schemes of Gordon et al. [12]. Further details will be given in the Master’s Thesis of the second author.

  8. It may appear that the definition is not well-defined because we do not specify how the key k is related to the security parameter. To understand this, imagine that k is the code of some algorithm P (and thus of constant size) computing a keyed hash function \(\mathsf {Hash}(\cdot ,\cdot )\). The program P takes a hashing key s, computed with respect to an arbitrarily long security parameter \(\lambda \), and an input x, and computes \(\mathsf {Hash}(s,x)\). Therefore in the above definition, k (along with the functionality F) plays the role of P and thus can have constant size, whereas r plays the role of the hashing key s, which instead depends on the security parameter.

  9. For the sake of simplicity, as the \(\mathsf {Hash}\) key we will use a random string of length \(\lambda \) instead of a key generated by \(\mathsf{Gen}\). Alternatively, we could feed the \(\mathsf{Gen}\) algorithm with this randomness.

  10. We stress that we could also assume that the temporal index is appended in clear to the final ciphertext.

  11. For simplicity, henceforth we omit to specify whether the functionality is with respect to machines of fixed running time or of input-specific running time. Both cases can be taken into account with small changes.

References

  1. Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011)

  2. O’Neill, A.: Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010). http://eprint.iacr.org/

  3. Bellare, M., O’Neill, A.: Semantically-secure functional encryption: possibility results, impossibility results and the quest for a general definition. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 218–234. Springer, Heidelberg (2013)

  4. Agrawal, S., Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption: new perspectives and lower bounds. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 500–518. Springer, Heidelberg (2013)

  5. De Caro, A., Iovino, V.: On the power of rewinding simulators in functional encryption. IACR Cryptology ePrint Archive, 2013:752 (2013)

  6. Agrawal, S., Agrawal, S., Badrinarayanan, S., Kumarasubramanian, A., Prabhakaran, M., Sahai, A.: Function private functional encryption and property preserving encryption : new definitions and positive results. Cryptology ePrint Archive, Report 2013/744 (2013). http://eprint.iacr.org/

  7. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 93: 1st Conference on Computer and Communications Security, Fairfax, Virginia, USA, pp. 62–73. ACM Press, 3–5 November 1993

  8. De Caro, A., Iovino, V., Jain, A., O’Neill, A., Paneth, O., Persiano, G.: On the achievability of simulation-based security for functional encryption. In: Canetti and Garay [22], pp. 519–535

  9. Apon, D., Gordon, D., Katz, J., Liu, F.-H., Zhou, H.-S., Shi, E.: Personal Communication, July 2013

  10. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012)

  11. Goldwasser, S., Gordon, S.D., Goyal, V., Jain, A., Katz, J., Liu, F.-H., Sahai, A., Shi, E., Zhou, H.-S.: Multi-input functional encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 578–602. Springer, Heidelberg (2014)

  12. Dov Gordon, S., Katz, J., Liu, F.-H., Shi, E., Zhou, H.-S.: Multi-input functional encryption. IACR Cryptology ePrint Archive, 2013:774 (2013)

  13. Goldwasser, S., Goyal, V., Jain, A., Sahai, A.: Multi-input functional encryption. Cryptology ePrint Archive, Report 2013/727 (2013). http://eprint.iacr.org/

  14. Boyle, E., Chung, K.-M., Pass, R.: On extractability obfuscation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 52–73. Springer, Heidelberg (2014)

  15. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited (preliminary version). In: 30th Annual ACM Symposium on Theory of Computing (STOC), Dallas, Texas, USA, pp. 209–218. ACM Press, 23–26 May 1998

  16. Iovino, V., Żebrowski, K.: Simulation-based secure functional encryption in the random oracle model. Cryptology ePrint Archive, Report 2014/810 (2014). http://eprint.iacr.org/

  17. Garg, S., Gentry, C., Halevi, S., Wichs, D.: On the implausibility of differing-inputs obfuscation and extractable witness encryption with auxiliary input. Cryptology ePrint Archive, Report 2013/860 (2013). http://eprint.iacr.org/

  18. Boyle, E., Pass, R.: Limits of extractability assumptions with distributional auxiliary input. Cryptology ePrint Archive, Report 2013/703 (2013). http://eprint.iacr.org/

  19. Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In: 31st Annual Symposium on Foundations of Computer Science, St. Louis, Missouri, USA, vol. I, pp. 308–317. IEEE Computer Society, 22–24 October 1990

  20. Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. IACR Cryptology ePrint Archive, 2013:401 (2013)

  21. Canetti, R., Garay, J.A. (eds.): CRYPTO 2013, Part II. LNCS, vol. 8043. Springer, Heidelberg (2013)

Acknowledgments

We thank Abhishek Jain, Adam O’Neill, Anna Sorrentino and the anonymous reviewers for useful comments. Part of this work was done while Vincenzo Iovino was at the University of Warsaw. This work was supported by the WELCOME/2010-4/2 grant founded within the framework of the EU Innovative Economy Operational Programme and by the National Research Fund of Luxembourg.

Corresponding author

Correspondence to Vincenzo Iovino.

A Proof of Theorem 8

Proof

We define the following hybrids. Let \(q(\lambda )\) be a bound on the number of post-challenge token queries asked by \(\mathcal {B}\) in any execution with security parameter \(1^\lambda \). Such bound exists because \(\mathcal {B}\) is a PPT algorithm.

  • Hybrid \(H_0^\mathcal {B}\) : This is the real experiment \(\mathsf{CRIND}^{\mathsf {CRFE}[{\mathsf{e}\mathcal{O}},\mathsf {FS}]}_\mathcal {B}\).

  • Hybrid \(H_i^\mathcal {B}, i=0,\ldots ,q\): Same as the previous hybrid, except that the first i post-challenge token queries are answered with respect to a restricted signing key \(\mathsf{sk}_C\) for the Boolean predicate C that allows one to sign exactly the Turing machines T for which \(\mathsf{Checker}(T,m_0,m_1)=1\). (This is one of the differences with the proof of Boyle et al., where, the goal being to prove IND-Security, the signing key is for a predicate that allows one to sign exactly the machines T for which \(T(m_0)=T(m_1)\). This is not possible in our case, but we make use of the definition of valid adversary, which dictates that such an adversary only makes queries for machines approved by the checker.) Specifically, at the beginning of the game the challenger generates a restricted signing key \(\mathsf{sk}_C\leftarrow \mathsf {FS}.\mathsf{KeyGen}(\mathsf{Msk},C)\). The pre-challenge queries are answered using the standard signing key \(\mathsf{sk}_1\) as in hybrid \(H_0\). The first i post-challenge token queries are answered using the restricted key \(\mathsf{sk}_C\), that is, a token query for machine T is answered with \(\sigma _T\leftarrow \mathsf {FS}.\mathsf{Sign}(\mathsf{sk}_C,T)\). All remaining token queries are answered using the standard key \(\mathsf{sk}_1\).

Claim 9

For \(i=1,\ldots ,q\), the advantage of \(\mathcal {B}\) in guessing the bit b in hybrid \(H_i^\mathcal {B}\) is equal to the advantage of \(\mathcal {B}\) in guessing the bit b in hybrid \(H_{i-1}^\mathcal {B}\) up to a negligible factor.

We prove the claim by using the function privacy property of \(\mathsf {FS}\). Namely, for any \(i\in [q]\), consider the following adversary \(\mathcal {A}^i_\mathsf{priv}(1^\lambda )\) against the function privacy of \(\mathsf {FS}\).

  • \(\mathcal {A}^i_\mathsf{priv}\) is given keys \((\mathsf{vk},\mathsf{msk})\leftarrow \mathsf {FS}.\mathsf{Setup}(1^\lambda )\) from the function privacy challenger.

  • \(\mathcal {A}^i_\mathsf{priv}\) submits the all-accepting function 1 as the first of its two challenge functions, and receives a corresponding signing key \(\mathsf{sk}_1\leftarrow \mathsf {FS}.\mathsf{KeyGen}(\mathsf{msk},1)\).

  • \(\mathcal {A}^i_\mathsf{priv}\) simulates interaction with \(\mathcal {B}\). First, it forwards \(\mathsf{vk}\) to \(\mathcal {B}\) as the public-key and chooses a random string \(r\in \{0,1\}^\lambda \). For each token query T made by \(\mathcal {B}\), it generates a signature on T using key \(\mathsf{sk}_1\).

  • At some point \(\mathcal {B}\) outputs a pair of messages \(m_0,m_1\). \(\mathcal {A}^i_\mathsf{priv}\) generates a challenge ciphertext in the CRIND-Security game by sampling a random bit b and encrypting \((m_b||r)\), and sends it to \(\mathcal {B}\).

  • \(\mathcal {A}^i_\mathsf{priv}\) submits as its second challenge function C (as defined above). It receives a corresponding signing key \(\mathsf{sk}_C\leftarrow \mathsf {FS}.\mathsf{KeyGen}(\mathsf{msk},C)\).

  • \(\mathcal {A}^i_\mathsf{priv}\) now simulates the interaction with \(\mathcal {B}\) as follows. For the first \(i-1\) post-challenge token queries T made by \(\mathcal {B}\), \(\mathcal {A}^i_\mathsf{priv}\) generates a signature using key \(\mathsf{sk}_C\), i.e., \(\sigma _T\leftarrow \mathsf {FS}.\mathsf{Sign}(\mathsf{sk}_C,T)\). For \(\mathcal {B}\)’s i-th post-challenge query, \(\mathcal {A}^i_\mathsf{priv}\) submits the pair of preimages \((T,T)\) to the function privacy challenger (note that \(1(T)=C(T)=T\) since, \(\mathcal {B}\) being a valid adversary, it only asks queries T such that \(\mathsf{Checker}(T,m_0,m_1)=1\)), and receives a signature \(\sigma _T\) generated either using key \(\mathsf{sk}_1\) or key \(\mathsf{sk}_C\). \(\mathcal {A}^i_\mathsf{priv}\) answers the remaining post-challenge queries of \(\mathcal {B}\) using key \(\mathsf{sk}_1\).

  • Eventually \(\mathcal {B}\) outputs a bit \(b'\). If \(b'=b\) is a correct guess, then \(\mathcal {A}^i_\mathsf{priv}\) outputs function 1; otherwise, it outputs function C.

Note that if the function privacy challenger selected the function 1, then \(\mathcal {A}^i_\mathsf{priv}\) perfectly simulates hybrid \(H_{i-1}^\mathcal {B}\); otherwise it perfectly simulates hybrid \(H_i^\mathcal {B}\). Thus, the advantage of \(\mathcal {A}^i_\mathsf{priv}\) is exactly the difference between the advantages of \(\mathcal {B}\) in guessing the bit b in the two hybrids \(H_i^\mathcal {B}\) and \(H_{i-1}^\mathcal {B}\), and the claim follows from the function privacy property.
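Claim 9 bounds one hybrid step at a time; the following derivation, added here and not part of the original proof, makes explicit how the \(q\) per-step bounds combine into the hypothesis on \(H_q^\mathcal {B}\) used below. Write \(\mathsf{Adv}_i(\lambda)\) for the advantage of \(\mathcal {B}\) in guessing b in \(H_i^\mathcal {B}\), and assume (as is standard, by letting a single function-privacy adversary pick the index i uniformly at random) that one negligible function \(\mathsf{negl}_\mathsf{priv}(\lambda)\) bounds every gap given by Claim 9. Then, by the triangle inequality,

\[
|\mathsf{Adv}_0(\lambda)-\mathsf{Adv}_q(\lambda)|
\;\le\; \sum_{i=1}^{q(\lambda)} |\mathsf{Adv}_{i-1}(\lambda)-\mathsf{Adv}_i(\lambda)|
\;\le\; q(\lambda)\cdot \mathsf{negl}_\mathsf{priv}(\lambda),
\]

which is negligible because \(q(\lambda)\) is a polynomial. Hence if \(\mathcal {B}\) has non-negligible advantage in the real experiment \(H_0^\mathcal {B}\), it also has non-negligible advantage in \(H_q^\mathcal {B}\), where every post-challenge token is signed under \(\mathsf{sk}_C\); this is exactly the situation the distribution \(\mathcal{D}\) and the adversary \(\mathcal {A}\) below are built for.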

Next, we define the following distribution \(\mathcal{D}\) depending on \(\mathcal {B}\).

  • \(\mathcal{D}(1^\lambda )\) gets \(r\mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\{0,1\}^\lambda \), samples a key pair \((\mathsf{vk},\mathsf{msk})\leftarrow \mathsf {FS}.\mathsf{Setup}(1^\lambda )\) and generates the signing key for the all-accepting function 1 by \(\mathsf{sk}_1\leftarrow \mathsf {FS}.\mathsf{KeyGen}(\mathsf{msk},1)\).

  • Using \(\mathsf{sk}_1\) and \(\mathsf{vk}\), \(\mathcal{D}\) simulates the actions of \(\mathcal {B}\) in experiment \(H_q^\mathcal {B}\) up to the point in which \(\mathcal {B}\) outputs a pair of challenge messages \(m_0,m_1\). Denote by \(\mathsf{view}_\mathcal {B}\) the current view of \(\mathcal {B}\) up to this point of the simulation.

  • \(\mathcal{D}\) generates a signing key \(\mathsf{sk}_C\) for the function C as defined above and machines \(M_{m_0||r}\) and \(M_{m_1||r}\) as defined above (recall that as usual we omit to specify the subscript relative to \(\mathsf{vk}\)).

  • \(\mathcal{D}\) outputs the tuple \((M_{m_0||r},M_{m_1||r}, z=(\mathsf{view}_\mathcal {B},\mathsf{sk}_C))\).

We can now construct an adversary \(\mathcal {A}(1^\lambda ,M',M_0,M_1,z)\) against the security of \({\mathsf{e}\mathcal{O}}\).

  • \(\mathcal {A}\) takes as input the security parameter \(1^\lambda \), an obfuscation \(M'\) of machine \(M_b\) for a randomly chosen bit b, two machines \(M_0\) and \(M_1\), and auxiliary input \(z=(\mathsf{view}_\mathcal {B},\mathsf{sk}_C)\).

  • Using \(\mathsf{view}_\mathcal {B}\), \(\mathcal {A}\) returns \(\mathcal {B}\) to the state of execution as in the corresponding earlier simulation during the \(\mathcal{D}\) sampling process.

  • \(\mathcal {A}\) simulates the challenge ciphertext to \(\mathcal {B}\) as \(M'\). For each subsequent token query M made by \(\mathcal {B}\), \(\mathcal {A}\) answers it by producing a signature on M using \(\mathsf{sk}_C\).

  • Eventually, \(\mathcal {B}\) outputs a bit \(b'\) for the challenge ciphertext that \(\mathcal {A}\) returns as its own guess.

Note that the interaction with the adversary \(\mathcal {B}\) in sampling from \(\mathcal{D}\) is precisely a simulation of hybrid \(H_q^\mathcal {B}\) up to the point in which \(\mathcal {B}\) outputs the challenge messages, and the interaction with \(\mathcal {B}\) made by \(\mathcal {A}\) is precisely a simulation of the remaining steps of hybrid \(H_q^\mathcal {B}\). We are assuming that the advantage of \(\mathcal {B}\) in hybrid \(H_q^\mathcal {B}\) is \(\ge 2a(\lambda )\) for some non-negligible function \(a(\lambda )\). This implies that there is a polynomial \(p(\lambda )\) such that for an infinite set S of values \(\lambda \), the advantage of \(\mathcal {B}\) in hybrid \(H_q^\mathcal {B}\) for parameter \(\lambda \) is greater than \(1/2p(\lambda )\). Thus, by an averaging argument, for all \(\lambda \in S\), \(\mathcal {A}\)’s advantage (with respect to \(\lambda \)) in guessing the bit b on which it is challenged is greater than \(1/p(\lambda )\) with probability greater than \(1/p(\lambda )\) over the output of \(\mathcal{D}\). By the security of \({\mathsf{e}\mathcal{O}}\) this implies a corresponding PPT extractor \(\mathsf{E}\), a polynomial \(q(\lambda )\) and a negligible function \(\mathsf{negl}(\lambda )\) such that for all \(\lambda \in S\), with probability \(1-\mathsf{negl}(\lambda )\) over the output \((M_0,M_1,z)\) of \(\mathcal{D}\), it holds that:

if \({\Pr \left[ \,{b\mathop {\leftarrow }\limits ^{{\scriptscriptstyle R}}\{0,1\};M'\leftarrow {\mathsf{e}\mathcal{O}}(1^\lambda ,M_b):\mathcal {A}(1^\lambda ,M',M_0,M_1,z)=b}\,\right] }\ge \frac{1}{2}+\frac{1}{p(\lambda )}\),

then \({\Pr \left[ \,{w\leftarrow \mathsf{E}(1^\lambda ,M_0,M_1,z):M_0(w)\ne M_1(w)}\,\right] }\ge 1/q(\lambda )\). This implies that for an infinite number of values \(\lambda \), with probability \(\ge 1/p(\lambda )-\mathsf{negl}(\lambda )\) over the output \((M_0,M_1,z)\) of \(\mathcal{D}\), it holds that

\({\Pr \left[ \,{w\leftarrow \mathsf{E}(1^\lambda ,M_0,M_1,z):M_0(w)\ne M_1(w)}\,\right] }\ge 1/q(\lambda )\).
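The averaging argument invoked above is standard, and the following derivation, added here and not part of the original proof, spells it out with the proof's own quantities. For a fixed output \((M_0,M_1,z)\) of \(\mathcal{D}\), let \(X\) be the advantage of \(\mathcal {A}\) in guessing b on that output, so that \(X\) is a random variable over the output of \(\mathcal{D}\), \(X\le 1\), and, since \(\mathcal{D}\) followed by \(\mathcal {A}\) is exactly a run of \(H_q^\mathcal {B}\), the advantage of \(\mathcal {B}\) in \(H_q^\mathcal {B}\) equals \(\mathbb{E}[X]\). Fix \(\lambda\in S\) and set \(\delta=1/p(\lambda)\), reading the hypothesis on the non-negligible \(a(\lambda)\) as \(\mathbb{E}[X]\ge 2\delta\) on S (this choice of p is made here for the derivation). Splitting the expectation on the event \(X>\delta\),

\[
2\delta \;\le\; \mathbb{E}[X]
\;\le\; \Pr[X>\delta]\cdot 1 \;+\; \Pr[X\le\delta]\cdot \delta
\;\le\; \Pr[X>\delta] + \delta ,
\]

so \(\Pr[X>\delta]\ge\delta\): with probability at least \(1/p(\lambda)\) over the output of \(\mathcal{D}\), the adversary \(\mathcal {A}\) has advantage greater than \(1/p(\lambda)\), which is the premise of the extractor guarantee. The guarantee fails on at most a \(\mathsf{negl}(\lambda)\) fraction of \(\mathcal{D}\)'s outputs, so a union bound leaves probability at least \(1/p(\lambda)-\mathsf{negl}(\lambda)\) for outputs on which \(\mathsf{E}\) succeeds, as stated.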

We now show that such a PPT extractor cannot exist.

Claim 10

There cannot exist a PPT extractor as above.

Suppose toward a contradiction that there exists such an extractor, which outputs a signature \(\sigma _A\) for some machine A and a second input \(m_2\) that distinguishes \(M_{m_0||r}\) from \(M_{m_1||r}\). We note that any signature output by the extractor must be a valid signature for a machine A for which the adversary asked a query; this follows from the unforgeability of \(\mathsf {FS}\). From this fact, and from the fact that the checker approved the triple \((A,m_0,m_1)\), it follows that \(m_0\) and \(m_1\) are collision-resistant compatible with \(\{A\}\). Therefore, this adversary can be used to break the collision-resistance compatibility with respect to \(m_0\), \(m_1\) and \(\{A\}\), contradicting the hypothesis.

It is trivial to see that the claim on input-specific running time holds if the scheme is used with Turing machines of input-specific running time, and that the claim on succinctness follows easily from our construction and the succinctness of \(\mathsf {FS}\). This concludes the proof.


© 2015 Springer International Publishing Switzerland

Cite this paper

Iovino, V., Żebrowski, K. (2015). Simulation-Based Secure Functional Encryption in the Random Oracle Model. In: Lauter, K., Rodríguez-Henríquez, F. (eds) Progress in Cryptology -- LATINCRYPT 2015. LATINCRYPT 2015. Lecture Notes in Computer Science, vol. 9230. Springer, Cham. https://doi.org/10.1007/978-3-319-22174-8_2

  • DOI: https://doi.org/10.1007/978-3-319-22174-8_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-22173-1

  • Online ISBN: 978-3-319-22174-8