Abstract
In a constrained PRF, the owner of the PRF key K can generate constrained keys \(K_f\) that allow anyone to evaluate the PRF on inputs x that satisfy the predicate f (namely, where f(x) is “true”) but reveal no information about the PRF evaluation on the other inputs. A private constrained PRF goes further by requiring that the constrained key \(K_f\) hides the predicate f.
Boneh, Kim and Montgomery (EUROCRYPT 2017) recently presented a construction of private constrained PRF for point function constraints, and Canetti and Chen (EUROCRYPT 2017) presented a completely different construction for more general NC\(^1\) constraints. In this work, we show two constructions of LWE-based constraint-hiding constrained PRFs for general predicates described by polynomial-size circuits.
The two constructions are based on two distinct techniques that we show have further applicability, by constructing weak attribute-hiding predicate encryption schemes. In a nutshell, the first construction imports the technique of modulus switching from the FHE world into the domain of trapdoor extension and homomorphism. The second construction shows how to use the duality between FHE secret-key/randomness and ABE randomness/secret-key to construct a scheme with dual use of the same values for both FHE and ABE purposes.
Z. Brakerski and R. Tsabary—Supported by the Israel Science Foundation (Grant No. 468/14), Binational Science Foundation (Grants No. 2016726, 2014276) and ERC Project 756482 REACT.
V. Vaikuntanathan—Research supported in part by NSF Grants CNS-1350619 and CNS-1414119, Alfred P. Sloan Research Fellowship, Microsoft Faculty Fellowship and by the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under contracts W911NF-15-C-0226 and W911NF-15-C-0236.
H. Wee—Supported in part by ERC Project aSCEND (H2020 639554) and NSF Award CNS-1445424.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
1 Introduction
Lattice-based cryptography, and in particular the construction of cryptographic primitives based on the learning with errors (LWE) assumption [Reg05], has seen a significant leap in recent years. Most notably, we now have a number of constructions of cryptographic primitives that “compute on encrypted data”. For example, fully homomorphic encryption (FHE) [Gen09, BV11, BGV12, GSW13], which enables arbitrary computation on encrypted data without knowledge of the secret key; attribute-based encryption (ABE) [SW05, GPSW06, GVW13, BGG+14], which supports fine-grained access control of encrypted data via the creation of restricted secret keys; new forms of pseudo-random functions (PRF) such as constrained PRFs [BW13, KPTZ13, BGI14]; and many more.
In this paper, we continue this line of inquiry and develop two new constructions of weak attribute-hiding predicate encryption schemes [BW07, KSW08, BSW11, O’N10] and two new constructions of private constrained PRFs [BLW17]. These are private variants of ABE and constrained PRFs respectively, that take us further along in the quest to extend the limits of computing on encrypted data using LWE-based techniques. Our private constrained PRFs support polynomial-time computable constraints, generalizing the recent results of Boneh, Kim and Montgomery [BKM17] for point functions and Canetti and Chen [CC17] for NC\(^1\) functions.
In constructing these schemes, we develop two new techniques that we believe are as interesting in their own right as the end results themselves. We proceed to introduce the protagonists of our work and describe our results and techniques.
Predicate Encryption. Predicate Encryption (PE) is a strengthening of ABE with additional privacy guarantees [BW07, KSW08, BSW11, O’N10]. In a predicate encryption scheme, ciphertexts are associated with descriptive attributes x and a plaintext M; secret keys are associated with Boolean functions f; and a secret key decrypts the ciphertext to recover M if f(x) is true (henceforth, for convenience of notation later in the paper, we denote this by \(f(x)=0\)).
The most basic security guarantee for attribute-based encryption as well as predicate encryption, called payload hiding, stipulates that M should remain private given its encryption under attributes \(x^*\) and an unbounded number of unauthorized keys, namely secret keys \({\textsf {sk}}_{f}\) where \(f(x^*)\) is false (we denote this by \(f(x^*)=1\)). The additional requirement in predicate encryption refers to hiding the attribute \(x^*\) (beyond leaking whether \(f(x^*)\) is true or false). It turns out that this requirement, called attribute-hiding, can be formalized in two ways. The first is the definition of weak attribute-hiding, which stipulates that \(x^*\) remains hidden given an unbounded number of unauthorized keys. The second, called strong attribute-hiding, stipulates that \(x^*\) remains hidden given an unbounded number of keys, which may comprise of both authorized and unauthorized keys. Both these requirements can be formalized using simulation-based and indistinguishability-based definitions (simulation based strong attribute hiding is known to be impossible [AGVW13]); jumping ahead, we remark that our constructions will achieve the stronger simulation-based definition but for weak attribute hiding.
A sequence of works showed the surprising power of strong attribute-hiding predicate encryption [BV15a, AJ15, BKS16]. A strong attribute-hiding PE scheme (for sufficiently powerful classes of predicates) gives us a functional encryption scheme [BSW11], which in turn can be used to build an indistinguishability obfuscation (IO) scheme [BV15a, AJ15], which in turn has emerged as a very powerful “hub of cryptography” [GGH+16, SW14].
The only strong attribute-hiding predicate encryption schemes we have under standard cryptographic assumptions are for very simple functionalities related to the inner product predicate [KSW08, BW07, OT12], and build on bilinear groups. On the other hand, Gorbunov, Vaikuntanathan and Wee (GVW) [GVW15a] recently constructed a weak attribute-hiding predicate encryption scheme for all circuits (of an a-priori bounded polynomial depth) from the LWE assumption. They also pointed out two barriers, two sources of leakage, that prevent their construction from achieving the strong attribute-hiding guarantee. Indeed, Agrawal [Agr16] showed that both sources of leakage can be exploited to recover the private attribute \(x^*\) in the GVW scheme, under strong attribute-hiding attacks (that is, using both authorized and unauthorized secret keys).Footnote 1
Private Constrained PRFs (CPRFs). Constrained Pseudorandom Functions, denoted CPRFs, [BW13, KPTZ13, BGI14] are pseudorandom functions (PRF) where it is possible to delegate the computation of the PRF on a subset of the inputs. Specifically, an adversary can ask for a constrained key \(\sigma _{f}\) corresponding to a function f, which is derived from the (global) seed \(\sigma \). Using \(\sigma _{f}\) it is possible to compute \(\textsf {PRF}_{\sigma }(x)\) for all x where f(x) is true (in our notation, again, \(f(x)=0\)). However, if \(f(x)=1\) then \(\textsf {PRF}_{\sigma }(x)\) is indistinguishable from uniform even for an adversary holding \(\sigma _{f}\). The original definition considers the case of unbounded collusion, i.e. security against an adversary that can ask for many different \(\sigma _{f_i}\), but this is currently only achievable for very simple function classes or under strong assumptions such as multilinear maps or indistinguishability obfuscation. Many of the applications of CPRFs (e.g. for broadcast encryption [BW13] and identity based key exchange [HKKW14]) rely on collusion resilience, but some (such as the puncturing paradigm [SW14]) only require releasing a single key. Brakerski and Vaikuntanathan [BV15b] showed that single-key CPRF is achievable for all functions with a priori depth bound and non-uniformity bound under the LWE assumption.
Boneh, Lewi and Wu [BLW17] recently considered constraint hiding CPRFs (CH-CPRF or private CPRFs) where the constrained key \(\sigma _{f}\) does not reveal f (so, in a sense, the constrained key holder cannot tell whether it is computing the right value or not). They showed various applications for this new primitive, as well as constructions from multilinear maps and obfuscation for various function classes. Very recently, Boneh, Kim and Montgomery [BKM17] showed how to construct single-key private CPRFs for point functions, and Canetti and Chen [CC17] showed how to construct a single-key private CPRF for the class of NC\(^1\) circuits (i.e. polynomial-size formulae). Both their constructions are secure under the LWE assumption. They also showed that even collusion resistance against 2-keys would imply indistinguishability obfuscation.
The technical core of these constructions is lattice-based constructions of PRFs, initiated by Banerjee, Peikert and Rosen [BPR12] and developed in a line of followup works [BP14, BLMR15, BFP+15, BV15b].
1.1 Our Results
In this work, we present two new techniques for achieving the attribute-hiding guarantee from the LWE assumption. We exemplify the novelty and usefulness of our techniques by showing that they can be used to derive new predicate encryption schemes and new constraint-hiding constrained PRFs [BLW17, CC17]. In particular, under the (polynomial hardness of the subexponential noise rate) LWE assumption, we construct:
-
Two single-key constraint-hiding constrained PRF families for all circuits (of an a-priori bounded polynomial depth). This generalizes recent results of [BKM17] who handle point functions and [CC17] who handle NC\(^1\) circuits. Our new techniques allow us to handle arbitrary polynomial-time constraints (of an a-priori bounded depth), which does not seem to follow from previous PE techniques, e.g., [GVW15a]. We describe constrained PRFs, constraint-hiding and our constructions in more detail in the sequel.
-
Two new predicate encryption schemes that achieve the weak attribute-hiding security guarantee. Our predicate secret keys are shorter than in [GVW15a] by a \(\textsf {poly}(\lambda )\) factor. They also avoid the first source of leakage identified in [GVW15a, Agr16]. We will describe these features in more detail in the sequel.
Technical Background. Following [GVW15a] (henceforth GVW), we build a predicate encryption scheme starting from an FHE and an ABE, following the “FHE+ABE” paradigm introduced in [GVW12, GKP+13] for the setting of a-priori bounded collusions. The idea is to first use FHE to produce an encryption \(\varPsi \) of the attribute x, and use \(\varPsi \) as the attribute in an ABE. This paradigm allows us to reduce the problem of protecting arbitrary polynomial-time computation f on a private attribute x to protecting a fixed computation, namely FHE decryption, on the FHE secret key. Henceforth, we suppress the issue of carrying out FHE homomorphic evaluation on the encrypted attribute, which can be handled via the underlying ABE as in [GVW15a], and focus on the issue of FHE decryption, which is where we depart from prior works.
With all LWE-based FHE schemes [BV11, BGV12, GSW13, BV14, AP14], decryption corresponds to computing an inner product modulo q followed by a threshold function. While constructing a strongly attribute hiding PE scheme for this function class is still beyond reach,Footnote 2 GVW construct an LWE-based weakly attribute hiding scheme by extending previous works [AFV11, GMW15], and show how to attach it to the end of the decryption process of [BGG+14] ABE. Specifically, Agrawal, Freeman and Vaikuntanathan [AFV11] showed how to construct weakly attribute hiding PE for orthogonality checking modulo q, i.e. the class where attributes \(\mathbf {{x}}\) and functions \(f_{\mathbf {{y}}}\) correspond to vectors and decryption is possible if \(\langle \mathbf {{x}}, \mathbf {{y}} \rangle =0\pmod {q}\). GVW rely on an additional feature of LWE-based FHE: that the value to be rounded after the inner product can be made polynomially bounded. Thus inner product plus rounding can be interpreted as a sequence of shifted inner products that are supported by [AFV11]. This in particular means that an authorized decryptor learns which of the shifts had been the successful one, a value that depends on the FHE randomness. This is one of the reasons why the GVW scheme is not strongly attribute hiding; there are others as described in [Agr16]. Interestingly, these shifts are also what prevent us from combining the PE techniques in [GVW15a] with the “constrained PRF from ABE” paradigm of [BV15b] to obtain constraint-hiding constrained PRFs.
First New Technique: Dual Use. In this technique, we use the same LWE secret for the FHE and the ABE.Footnote 3 Our main observation is that the structure of the [BGG+14] ABE scheme and that of the [GSW13] FHE scheme are so very similar that we can use the same LWE secret in both schemes. This can be viewed as encrypting the attribute under some FHE key, and then providing partly decrypted pieces as the ABE ciphertext. The PE decryption process first “puts the pieces together” according to the FHE homomorphic evaluation function, which makes the ABE ciphertext decrypt its own FHE component, leaving us with an ABE ciphertext which is ready to be decrypted using the ABE key. Proving security for this approach requires to delicately argue about the randomness used in the FHE encryption.
Second New Technique: Modulus Switching and HNF Lattice Trapdoors. In this technique, we attempt to implement the rounding post inner-product straightforwardly by rounding the resulting ciphertext. This does not work since the attribute is encoded in the ciphertext in a robust way, so it is not affected by rounding (this is why more sophisticated methods were introduced in the past). However, we show how to homomorphically modify the rounding in a way that makes it effective for small noise, and yet preserves the most significant bits properly encoded. We note that a similar idea was also used in [BKM17]. Interestingly, for the proof of security of our PE scheme, we utilize the ability of generating trapdoors for LWE lattices of the form \([\mathbf {I}\Vert \mathbf {{A}}]\) (which corresponds to Hermite Normal Form), even when generating a trapdoor for \(\mathbf {A}\) itself is not possible.
We first construct predicate encryption schemes using our techniques, on the way to our main result, namely constructions of constraint-hiding CPRFs for general constraints. With this executive summary, we move on to a more in-depth technical discussion of our results and techniques.
2 Technical Overview
We provide a brief overview of the GVW predicate encryption scheme, along with our constructions, focusing on the points where they differ and suppressing many technical details.
2.1 The [GVW15a] Scheme
We will largely ignore how ciphertexts and keys are generated and instead start by looking at what happens when one decrypts an encryption with respect to attribute x using the secret key for a function (predicate) f. The decryption algorithm computes a vector over \(\mathbb {Z}_{q}\) of the form:
where \(\mathbf {{s}}\) is the LWE secret (chosen as part of the encryption algorithm) and the matrix \(\mathbf {A}_{f}\) is deterministically derived from the public parameters and the predicate f (the precise derivation is not relevant for the overview). An additional component of the ciphertext, not described here, carries the encrypted message. For this overview, the only property we require is that the message is recoverable given a lattice trapdoor for the lattice defined by \([\mathbf {A}\Vert \mathbf {A}_{f} - (f(x) \cdot t + \delta )\mathbf {G}]\). A lattice trapdoor allows to sample low norm vectors in the kernel of the respective matrix.
The first thing we will zoom into is the term \(f(x) \cdot t + \delta \) which corresponds to the inner product of an FHE ciphertext (upon homomorphic evaluation) and the corresponding secret key. Here, \(\delta \) is a small noise value bounded by B, and \(t \gg B\) is a large constant, most commonly \(t=\left\lfloor \frac{q}{2} \right\rceil \) (but we will also use other values, see below). As usual in LWE-based constructions, the vector \(\mathbf {{s}}\) is an “LWE secret”, and we use \(\textsf {noise}\) to denote non-specific low norm noise that is added to the ciphertext and accumulates as it is processed.Footnote 4
Decryption should be permitted when \(f(x) = 0\), which indicates that the policy f accepts the attribute x (and forbidden when \(f(x)=1\)). Therefore, in the GVW scheme, \({\textsf {sk}}_{f}\) contains trapdoors for the \(2B+1\) lattices
and decryption tries all trapdoors until one works. This is called the “lazy OR” evaluation in [GVW15a] and has at least two problems: (1) In the context of a predicate encryption scheme, this ruins security by letting a successful decryption leak the FHE noise \(\delta \); and (2) Looking ahead, in the context of a constraint-hiding CPRF scheme (where one switches the function f and the input x), it ruins even correctness, preventing the holder of a constrained key from recovering the PRF value \(\mathbf {{s}}^T[\mathbf {A}\Vert \mathbf {A}_{x}]\);Footnote 5 rather, she only gets \(\mathbf {{s}}^T[\mathbf {A}\Vert \mathbf {A}_{x} - \beta \mathbf {G}]\) for some small noise term \(\beta = \beta (f,x)\).
Moving on, in the proof of security, a simulator needs to generate secret keys whenever \(f(x^*)=1\) where \(x^*\) is the challenge attribute. To this end, the reduction knows a short \(\mathbf {R}_{f}\) for which
where \(\delta ^*\) is the noise that results from decrypting a homomorphically evaluated encryption of \(f(x^*)\) using the FHE secret key. We can then rewrite
and since \(\delta ^* + t - \beta \ne 0\), we will be able to generate trapdoors for this lattice knowing only \(\mathbf {R}_{f}\), using the trapdoor extension techniques of [ABB10b, MP12].
2.2 Dual-Use of Secret and Randomness
Our first technique hinges on the key observation that the structure of the [BGG+14] ABE scheme and that of the [GSW13] FHE scheme are so very similar that we can use the same LWE secret in both schemes; we refer to this as the “dual use” technique.
Let us consider the [GSW13] homomorphic encryption scheme (using the later “gadget” formulation). In this scheme, the public key is of the form \({\mathbf {B}\atopwithdelims ()\mathbf {{s}}^T \mathbf {B}+ \mathbf {{e}}}\), the secret key is the vector \((\mathbf {{s}}^T, -1)\) (note that \((\mathbf {{s}}^T, -1)\cdot {\mathbf {B}\atopwithdelims ()\mathbf {{s}}^T \mathbf {B}+ \mathbf {{e}}} \approx 0\)). A ciphertext \(\varPsi \) encrypting the message \(\mu \) is of the form \(\varPsi = {\mathbf {B}\atopwithdelims ()\mathbf {{s}}^T \mathbf {B}+ \mathbf {{e}}} \mathbf {R}+\mu \mathbf {G}\), and has the property that \((\mathbf {{s}}^T, -1)\cdot \varPsi \approx \mu \cdot (\mathbf {{s}}^T, -1) \mathbf {G}\). The structure of the secret key suggests that it might be beneficial to treat the bottom row of \(\varPsi \) differently than the other rows. Let us denote \(\varPsi = {\overline{\varPsi }\atopwithdelims ()\underline{\varPsi }}\) and likewise \(\mathbf {G}={\overline{\mathbf {G}}\atopwithdelims ()\underline{\mathbf {G}}}\). It follows that \((\mathbf {{s}}^T, -1)\cdot \varPsi = \mathbf {{s}}^T\overline{\varPsi }- \underline{\varPsi }\approx \mu \mathbf {{s}}^T \overline{\mathbf {G}}- \mu \underline{\mathbf {G}}\). Specifically when \(\mu =0\) we have \(\mathbf {{s}}^T\overline{\varPsi }\approx \underline{\varPsi }\). We note that the chopped gadget \(\overline{\mathbf {G}}\) has all of the useful properties of \(\mathbf {G}\) itself.
Back to our predicate encryption construction, instead of (1), we will compute a vector of the form
where \(\overline{\varPsi }_f\) is the matrix containing the top rows of a known matrix \(\varPsi _{f}\) which in turn is an encryption of f(x) under the key \((\mathbf {{s}}^T, -1)\).Footnote 6
If we can compute such a vector from our ciphertexts, then it will follow that if \(f(x)=0\) then
and thus we can define \({\textsf {sk}}_{f}\) as containing a trapdoor for \(\mathbf {{s}}^T[\mathbf {B}\Vert \mathbf {B}_{f} - \mathbf {G}]\) (note that the value \([0 \Vert \underline{\varPsi }_f]\) can easily be subtracted off since \(\varPsi _{f}\) is known).
It is left to explain first how to define the ciphertext to allow computing a vector of this form, and second, how to prove security.
Compactification. The problem of defining ciphertexts that will allow computing the term in Eq. (3) is almost solved by previous works [BGG+14, GVW15a]. As in GVW, given an attribute x, we create an ABE ciphertext with respect to the FHE encryption of the bits of x. Then, using techniques from [BGG+14], these bits can be manipulated to apply the FHE homomorphic evaluation of f on the attribute bits. All in all, these techniques show how to create ciphertexts with respect to a hidden attribute x that can be processed into vectors of the form:
where \(\psi _{f,j} \in \mathbb {Z}_q\) are the entries of \(\overline{\varPsi }_j\), and we work with respect to the truncated gadget matrix \(\overline{\mathbf {G}}\) instead of \(\mathbf {G}\). This means that we can formally write \(\varPsi _{f}\) as
where \(\mathbf {E}_{j}\) is a 0, 1-matrix whose j’th entry is 1 and 0 everywhere else. This suggests the following manipulation:
can be applied to the vectors from Eq. (4), thus creating the value from Eq. (3).
Dual Use Decryption. As explained above, the secret key for f is a trapdoor for the lattice \([\mathbf {B}\Vert \mathbf {B}_{f}]\). We now explain how to set up the parameters of the scheme so as to be able to generate secret keys whenever \(f(x)=1\) in the proof of security (i.e. without being able to decrypt the challenge ciphertext or generate keys when \(f(x)=0\)). Given an LWE instance \({\mathbf {B}\atopwithdelims ()\mathbf {{s}}^T \mathbf {B}+ \mathbf {{e}}}\), we will generate all parameters of the scheme such that for all f, the reduction can compute a short \(\mathbf {W}_{f}\) for which
We can then rewrite
However, \(\varPsi _{f}\) is an encryption of \(f(x)=1\) under public key \({\mathbf {B}\atopwithdelims ()\mathbf {{s}}^T \mathbf {B}+ \mathbf {{e}}}\), i.e. \(\varPsi _{f} = {\mathbf {B}\atopwithdelims ()\mathbf {{s}}^T \mathbf {B}+ \mathbf {{e}}} \mathbf {R}_{f}+\mathbf {G}\), which means that \(\overline{\varPsi }_f= \mathbf {B}\mathbf {R}_{f}+\overline{\mathbf {G}}\), and so
and we will be able to generate trapdoors for this lattice knowing only \(\mathbf {R}_f,\mathbf {W}_f\).
2.3 Modulus Switching and Trapdoor Extension in Hermite Normal Form
The crux of this technique is to replace Eq. (1) with a computation producing a vector of the form
where \(\mathbf {G}'\) is a different gadget matrix and \(\mathbf {A}'_f\) is again deterministically derived from the public parameters and f. We will also make sure to sample a small \(\mathbf {{s}}\), specifically from the LWE noise distribution (this is known as LWE in Hermite Normal Form (HNF) and was shown equivalent to the standard form [ACPS09]), the reason for doing so will be clear in a little bit. Next, we will address two challenges: first, how to arrive at a vector of this form, and second, how to generate secret keys for such vectors, both of which require new techniques.
Modulus Switching. We first describe how to get to Eq. (5) starting from Eq. (1) (to get to the latter, we will proceed as in GVW). We would like to use the magnitude gap between t and \(\delta \), and, inspired by modulus switching techniques in FHE [BV11, BGV12], “divide by t” to remove the dependence on \(\delta \). This seems odd at first since \(t \cdot \mathbf {G}\) and \(\delta \cdot \mathbf {G}\) actually have the same magnitude, so dividing by t will not eliminate the \(\delta \) component. Therefore we will first find a linear transformation that maps \(\delta \mathbf {G}\) into a matrix of small entries, while mapping \(t \cdot \mathbf {G}\) into a gadget matrix with big entries. Recall that eventually this transformation is to be applied to the processed ciphertext from Eq. (1), so due to the noise component, we are only allowed linear operations with small coefficients (or more explicitly, multiplying on the right by a matrix with small values).
As we pointed out \(\delta \mathbf {G}\) and \(t \mathbf {G}\) have the same magnitude so it might seem odd that a low-magnitude linear transformation can shift them so far apart. However, since \(\mathbf {G}\) is a matrix with public trapdoor, it is possible to convert \(\mathbf {G}\) into any other matrix \(\mathbf {M}\) using a small magnitude linear transformation which is denoted by \(\mathbf {{G}}^{-1}({\mathbf {M}})\) (note that this is just a formal notation, since \(\mathbf {G}\) doesn’t have an actual inverse). Specifically, we will multiply by \(\mathbf {{G}}^{-1}({\mathbf {G}_p})\), where \(\mathbf {G}_p\) is the gadget matrix w.r.t a smaller modulus \(p = q/t\) (we assume that p is integer). Recall that our conceptual goal is to divide by t, and end up with a ciphertext in \(\mathbb {Z}_p\), we can now reveal that indeed \(\mathbf {G}' = \mathbf {G}_p\). Applying this transformation to the ciphertext results in
and indeed, since we use low-norm \(\mathbf {{s}}\), we have that \(\left\| {\delta \mathbf {{s}}^T\mathbf {G}_p} \right\| \ll q\), and we can now think about it as part of the noise. However, \(t \mathbf {G}_p\) is still not a valid gadget matrix over \(\mathbb {Z}_q\). Still, we can now divide the entire expression by t which results in
as in Eq. (5). This technique is reminiscent of the one used by Boneh, Kim and Montgomery [BKM17] in constructing a private CPRF for point functions (but was obtained independently of theirs).
HNF Trapdoor Extension. The standard way to generate keys that decrypt whenever \(f(x)=0\) is to provide a trapdoor for \([\mathbf {A}'\Vert \mathbf {A}'_f]\) (over \(\mathbb {Z}_p\)) as in previous ABE schemes. Indeed, this will provide the required functionality, but introduce problems in the proof. As in Eq. (2), the simulator can find a low-magnitude \(\mathbf {{R}}_f\) s.t. \(\mathbf {A}\mathbf {R}_f = \mathbf {A}_f + (t + \delta ^*) \mathbf {G}\), however, when applying our modulus switching from above, we get
where \(\mathbf {{E}}\) is a low-magnitude error matrix which is the result of the bias introduced by \(\delta ^*\) and various rounding errors (note that \(\mathbf {{E}}\) is easily computable given \(\mathbf {{R}}'_f\)). Therefore, we have that
which is no longer a form for which we can find a trapdoor using \(\mathbf {{R}}'_f\).
To resolve this, we observe that we can find a trapdoor for the matrix \([\mathbf {I}\Vert \mathbf {A}' \Vert \mathbf {A}'_f] = [\mathbf {I}\Vert \mathbf {{A}}' \Vert \mathbf {{A}}'\mathbf {R}'_f+\mathbf {G}_p+ \mathbf {{E}}]\), which corresponds to generating trapdoors for lattices in Hermite Normal Form. This follows from the trapdoor extension methods of [ABB10b, MP12] since
We will therefore change the way secret keys are generated in our scheme, and generate them as trapdoors for \([\mathbf {I}\Vert \mathbf {A}' \Vert \mathbf {A}'_f]\) instead of trapdoors for \([\mathbf {A}' \Vert \mathbf {A}'_f]\). This might seem problematic because our ciphertext processes to \(\mathbf {{s}}^T[\mathbf {A}' \Vert \mathbf {A}'_f - f(x) \mathbf {G}']+\textsf {noise}\) as in Eq. (5) and not to \(\mathbf {{s}}^T[\mathbf {I}\Vert \mathbf {A}' \Vert \mathbf {A}'_f - f(x) \mathbf {G}']+\textsf {noise}\). However, since \(\mathbf {{s}}\) is short, the zero vector itself has the form \(\mathbf {{0}} = \mathbf {{s}}^T\mathbf {I}+\textsf {noise}\) (with \(\textsf {noise}= -\mathbf {{s}}^T\)), and therefore we can always extend our ciphertext to this new form just by concatenating the zero vector.
Comparison with GVW15 Predicate Encryption. [GVW15a] pointed out that there are two barriers to achieving strongly attribute-hiding predicate encryption from LWE. First, multiple shifts approach to handle threshold inner product for FHE decryption leaks the exact inner product and therefore cannot be used to achieve full attribute-hiding. That is, authorized keys leak the FHE decryption key and in turn the private attribute x. Second, we do not currently know of a fully attribute-hiding inner product encryption scheme under the LWE assumption. Here, authorized keys leak the error terms used in the ciphertext. Indeed, Agrawal [Agr16] showed that both sources of leakage can be exploited to recover the private attribute x in the GVW scheme. Both of our new constructions do not explicitly contain the first source of leakage.
2.4 From PE to Constraint Hiding CPRF
It was shown in [BV15b] that the [BGG+14] ABE structure can be used to construct constrained PRFs for arbitrary bounded-uniformity bounded-depth functions, without collusion. Namely, a pseudorandom function where it is possible to produce a constrained key \(\sigma _f\) for a function f whose description length is a-priori bounded by \(\ell \) and its depth is a-priori bounded by d, s.t. the constrained key can be used to compute \(\textsf {PRF}(x)\) for all x where \(f(x)=0\). At a high level, they considered a set of public parameters for the ABE scheme, and some ciphertext randomness \(\mathbf {{s}}\) (currently not corresponding to any concrete ciphertext). To compute the PRF at point x, they considered the circuit \(\mathcal {U}_x\) which is the universal circuit that takes an \(\ell \)-bit long description of a depth-d function, and evaluates it on x. Now, they compute \(\textsf {PRF}_{\mathbf {{s}}}(x) = \left\lfloor \frac{\mathbf {{s}}^T\mathbf {{A}}_{\mathcal {U}_x}}{T} \right\rceil \) for a sufficiently large T. This essentially the deterministic variant to setting \(\textsf {PRF}_{\mathbf {{s}}}(x) = \mathbf {{s}}^T\mathbf {{A}}_{\mathcal {U}_x}+\textsf {noise}\) except here the noise is deterministic since the PRF computation needs to be deterministic. The matrix \(\mathbf {{A}}_{\mathcal {U}_x}\) is exactly the matrix that would be computed in the ABE decryption process if given a key \({\textsf {sk}}_{\mathcal {U}_x}\). The constrained key corresponds to an ABE ciphertext encrypting the description of f Therefore, constrained keys can be processed like ABE ciphertexts into the form \(\mathbf {{s}}^T(\mathbf {{A}}_{\mathcal {U}_x}-\mathcal {U}_x(f)\mathbf {G})+\textsf {noise}\), for any circuit \(\mathcal {U}_x\). Indeed, when \(f(x)=0\) the constrained key can be used to compute \(\textsf {PRF}(x)\). The construction itself is more complicated and contains additional features to ensure pseudorandomness in all of the points that cannot be computed using the constrained key.
This seems to be readily extendable to the PE setting, where the attribute hiding property should guarantee the constraint hiding of the CPRF. Indeed, now as in Eq. (1), the constrained key will only process to \(\mathbf {{s}}^T(\mathbf {{A}}_{\mathcal {U}_x}-(tf(x)+\delta )\mathbf {G})+\textsf {noise}\). When \(f(x)=0\) this is equal to \(\mathbf {{s}}^T(\mathbf {{A}}_{\mathcal {U}_x}-\delta \mathbf {G})+\textsf {noise}\) which does not allow to compute the correct value.
However, it is easy to see how using either of our new methods it is possible to overcome this issue. In a sense, in both methods the FHE noise which is embodied in the \(\delta \) term is made small enough to be conjoined with the noise. The modulus switching technique allows to remove the \(\delta \) term via multiplication by \(\mathbf {{G}}^{-1}({\mathbf {G}_p})\) and dividing by t, and in the dual use method, the FHE noise is not multiplied by \(\mathbf {G}\) to begin with. There are many other technical details to be dealt with, but they are resolved in ways inspired by [BV15b]. One technical difference between our solution and [BV15b] is that we do not use admissible hash functions to go from unpredictability to pseudorandomness, but instead we “compose” with the Banerjee-Peikert [BP14] pseudorandom function, which saves some complication as well as tightens the reduction somewhat. This could be used even in the setting of [BV15b] when constraint hiding is not sought.
Organization of the Paper. We start the rest of this paper with background information on lattices, LWE, trapdoors and FHE schemes in Sect. 3. Our first technique, namely dual-use, and the resulting PE and private CPRF scheme are presented in Sect. 4. Our second technique, namely HNF trapdoors and modulus switching, and the resulting PE and private CPRF schemes are presented in Sect. 5. These two sections can be read independently of each other. In each section, we first present the PE scheme and then the private CPRF scheme.
3 Preliminaries
3.1 Constrained Pseudo-Random Functions
In a constrained PRF family [BW13, BGI14, KPTZ13], the owner of a PRF key \(\sigma \) can compute a constrained PRF key \(\sigma _f\) corresponding to any Boolean circuit f. Given \(\sigma _f\), anyone can compute the PRF on inputs x such that \(f(x) = 0\). (As described before, our convention throughout this paper is that \(f(x)=0\) corresponds to the predicate f being satisfied). Furthermore, \(\sigma _f\) does not reveal any information about the PRF values at the other locations. A constrained PRF family is constraint-hiding if \(\sigma _f\) does not reveal any information about the internals of f. This requirement can be formalized through either an indistinguishability-based or simulation-based definition [BLW17, CC17, BKM17]. Below, we present the definition of a constrained PRF adapted from [BV15b].
Definition 1 (Constrained PRF)
A constrained pseudo-random function (PRF) family is defined by algorithms \((\textsf {KeyGen},\textsf {Eval},\textsf {Constrain},\textsf {ConstrainEval})\) where:
-
\(\textsf {KeyGen}(1^\lambda ,1^{\ell },1^{d},1^r)\) is a ppt algorithm that takes as input the security parameter \(\lambda \), a circuit max-length \(\ell \), a circuit max-depth d and an output space r, and outputs a PRF key \(\sigma \) and public parameters \({\textsf {pp}}\).
-
\(\textsf {Eval}_{{\textsf {pp}}}(\sigma ,x)\) is a deterministic algorithm that takes as input a key \(\sigma \) and a string \(x\in \{0,1\}^*\), and outputs \(y\in \mathbb {Z}_r\);
-
\(\textsf {Constrain}_{{\textsf {pp}}}(\sigma ,f)\) is a ppt algorithm that takes as input a PRF key \(\sigma \) and a circuit \(f: \{0,1\}^{*} \rightarrow \{0,1\}\), and outputs a constrained key \(\sigma _f\);
-
\(\textsf {ConstrainEval}_{{\textsf {pp}}}(\sigma _f,x)\) is a deterministic algorithm that takes as input a constrained key \(\sigma _f\) and a string \(x \in \{0,1\}^{*}\), and outputs either a string \(y \in \mathbb {Z}_r\) or \(\bot \).
Previous works define and analyze the correctness, pseudorandomness and constraint hiding properties separately. However, for our purposes it will be easiest to define a single game that captures all of these properties at the same time. This definition is equivalent to computational correctness and selective punctured pseudorandomness [BV15b], and selective constraint hiding [BLW15].
Definition 2
Consider the following game between a PPT adversary \(\mathcal {A}\) and a challenger:
-
1.
\(\mathcal {A}\) sends \(1^\ell , 1^d\) and \(f_0, f_1 \in \{0,1\}^{\ell }\) to the challenger.
-
2.
The challenger generates \(({\textsf {pp}},seed) \leftarrow \textsf {Keygen}(1^{\lambda },1^{\ell },1^d,1^r)\). It flips three coins \(b_1, b_2, b_3 {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\{0,1\}\), intuitively \(b_1\) selects whether \(f_0\) or \(f_1\) are used for the constraint, \(b_2\) selects whether a real or random value is returned on queries non-constrained queries, and \(b_3\) selects whether the actual or constrained value is returned on constrained queries.
The challenger creates \(seed_f \leftarrow \textsf {Constrain}_{{\textsf {pp}}}(seed,f_{b_1})\), and sends \(({\textsf {pp}},seed_f)\) to \(\mathcal {A}\).
-
3.
\(\mathcal {A}\) adaptively sends unique queries \(x \in \{0,1\}^*\) to the challenger (i.e. no x is queried more than once). The challenger returns:
$$ y = \left\{ \begin{array}{ll} \bot , &{} if\,\, f_0(x)\,\, \ne \,\, f_1(x).\\ U(\mathbb {Z}_r), &{} if \,\,(f_0(x) = f_1(x) = 1) \wedge (b_2=1).\\ {\mathsf {ConstrainEval_{pp}}}(\sigma _f,x), &{} if\,\, (f_0(x) = f_1(x) = 0) \wedge (b_3=0).\\ {\mathsf {Eval_{pp}}}(\sigma ,x), &{} otherwise.\\ \end{array} \right. $$ -
4.
\(\mathcal {A}\) sends a guess \((i,b')\).
The advantage of the adversary in this game is \(\mathrm {Adv}[\mathcal {A}] = \left| {\Pr [b'=b_i]-1/2} \right| \). A family of PRFs \((\textsf {KeyGen},\textsf {Eval},\textsf {Constrain},\textsf {ConstrainEval})\) is a single-key constraint-hiding selective-function constrained PRF if for every PPT adversary \(\mathcal {A}\), \(\textsf {Adv}[\mathcal {A}] = \mathrm{negl}(\lambda )\).
3.2 Weakly Attribute Hiding Predicate Encryption
Following prior works, we associate \(C(x) = 0\) as true and authorized, and \(C(x) \ne 0\) as false and unauthorized.
Syntax. A Predicate Encryption scheme \(\mathrm {PE}\) for input universe \(\mathcal {X}\), a predicate universe \(\mathcal {C}\), a message space \(\mathcal {M}\), consists of four algorithms \((\mathrm {PE.Setup},\mathrm {PE}\mathrm {.Enc},\) \(\mathrm {PE}\mathrm {.KeyGen}, \mathrm {PE}\mathrm {.Dec})\):
- \(\mathrm {PE.Setup}(1^\lambda ,\mathcal {X},\mathcal {C},\mathcal {M})\rightarrow (\mathsf{{mpk}}, \mathsf{{msk}}){.}\) :
-
The setup algorithm gets as input the security parameter \(\lambda \) and a description of \((\mathcal {X},\mathcal {C},\mathcal {M})\) and outputs the public parameter \({\textsf {mpk}}\), and the master key .
- \(\mathrm {PE}\mathrm {.Enc}(\mathsf{{mpk}},x,\mu )\rightarrow \mathsf{{ct}}{.}\) :
-
The encryption algorithm gets as input \({\textsf {mpk}}\), an attribute \(x \in \mathcal {X}\) and a message \(\mu \in \mathcal {M}\). It outputs a ciphertext \(\textsf {ct}\).
- \(\mathrm {PE}\mathrm {.KeyGen}(\mathsf{{msk}},C)\rightarrow \mathsf{{sk}}_{C}{.}\) :
-
The key generation algorithm gets as input \({\textsf {msk}}\) and a predicate \(C \in \mathcal {C}\). It outputs a secret key \({\textsf {sk}}_{C}\).
- \(\mathrm {PE}\mathrm {.Dec}(({\textsf {sk}}_{C},C),\textsf {ct}) \rightarrow \mu {.}\) :
-
The decryption algorithm gets as input the secret key \({\textsf {sk}}_C\), a predicate C, and a ciphertext \(\textsf {ct}\). It outputs a message \(\mu \in \mathcal {M}\) or \(\perp \).
Correctness. We require that for all \(\mathrm {PE.Setup}(1^\lambda ,\mathcal {X},\mathcal {C},\mathcal {M})\rightarrow ({\textsf {mpk}}, {\textsf {msk}})\), for all \((x,C) \in \mathcal {X}\times \mathcal {C}\) such that \(C(x)=0\), for all \(\mu \in \mathcal {M}\),
where the probabilities are taken over the coins of the setup algorithm \(\mathrm {PE.Setup}\), secret keys \({\textsf {sk}}_{C} \leftarrow \mathrm {PE}\mathrm {.KeyGen}({\textsf {msk}}, C)\) and ciphertexts \(\textsf {ct}\leftarrow \mathrm {PE}\mathrm {.Enc}({\textsf {mpk}},x,\mu )\).
Definition 3 (PE (Weak) Attribute-Hiding)
Fix a predicate encryption scheme \((\mathrm {PE.Setup},\mathrm {PE}\mathrm {.Enc},\mathrm {PE}\mathrm {.KeyGen},\) \(\mathrm {PE}\mathrm {.Dec})\). For every stateful PPT adversary \(\mathrm {Adv}\), and a PPT simulator \(\mathrm {Sim}\), consider the following two experiments:
We say an adversary \(\mathrm {Adv}\) is admissible if all oracle queries that it makes \(C \in \mathcal {C}\) satisfy \(C(x) \ne 0\) (i.e. false). The Predicate Encryption scheme \(\mathcal {PE}\) is then said to be (weak) attribute-hiding if there is a PPT simulator \(\mathrm {Sim}\) such that for every stateful PPT adversary \(\mathrm {Adv}\), the following two distributions are computationally indistinguishable:
3.3 Learning with Errors
The Learning with Errors (\(\mathrm {LWE}\)) problem was introduced by Regev [Reg05]. Our scheme relies on the hardness of its decisional version.
Definition 4
(Decisional LWE (DLWE) [Reg05] and its HNF [ACPS09]). Let \(\lambda \) be the security parameter, \(n=n(\lambda )\) and \(q=q(\lambda )\) be integers and let \(\chi = \chi (\lambda )\) be a probability distribution over \(\mathbb {Z}\). The \(\mathrm {DLWE}_{n,q,\chi }\) problem states that for all \(m=\mathrm{poly}(n)\), letting \(\mathbf {A}\leftarrow \mathbb {Z}_{q}^{n\times m}\), \(\mathbf {{s}}\leftarrow \mathbb {Z}_{q}^n\), \(\mathbf {{e}}\leftarrow \chi ^m\), and \(\mathbf {u}\leftarrow \mathbb {Z}_{q}^m\), it holds that \(\big ( \mathbf {A}, \mathbf {{s}}^T \mathbf {A}+ \mathbf {{e}}\big )\) and \(\big ( \mathbf {A}, \mathbf {u}\big )\) are computationally indistinguishable. The problem is equally hard in its “Hermite Normal Form”: when sampling \(\mathbf {{s}}\leftarrow \chi ^n\).
In this work we only consider the case where \(q \le 2^n\). Recall that \(\textsf {GapSVP}_{\gamma }\) is the (promise) problem of distinguishing, given a basis for a lattice and a parameter d, between the case where the lattice has a vector shorter than d, and the case where the lattice doesn’t have any vector shorter than \(\gamma \cdot d\). \(\textsf {SIVP}\) is the search problem of finding a set of “short” vectors. The best known algorithms for \(\textsf {GapSVP}_{\gamma }\) ([Sch87]) require at least \(2^{\tilde{\varOmega }(n/\log \gamma )}\) time. We refer the reader to [Reg05, Pei09] for more information.
There are known reductions between \(\mathrm {DLWE}_{n,q,\chi }\) and those problems, which allows us to appropriately choose the LWE parameters for our scheme. We summarize in the following corollary (which addresses the regime of sub-exponential modulus-to-noise ratio).
Corollary 1
([Reg05, Pei09, MM11, MP12, BLP+13]). For any function \(B=B(n)\ge {\widetilde{O}}(\sqrt{n})\) there exists a B-bounded distribution ensemble \(\chi =\chi (n)\) over the integers s.t. for all \(q=q(n)\), letting \(\gamma = {\widetilde{O}}(\sqrt{n} q/B)\), it holds that \(\mathrm {DLWE}_{n,q,\chi }\) is at least as hard as the quantum hardness of \(\textsf {GapSVP}_\gamma \) and \(\textsf {SIVP}_\gamma \). Classical hardness \(\textsf {GapSVP}_\gamma \) follows if \(q(n) \ge 2^{n/2}\) or for other values of q for \(\tilde{\varOmega }(\sqrt{n})\) dimensional lattices and approximation factor \(q/B \cdot \mathrm{poly}(n\lceil \log q \rceil )\).
3.4 Trapdoors and Discrete Gaussians
Let \(n,q\in \mathbb {Z}\),
and \(m = n \lceil \log q \rceil \). The gadget matrix \(\mathbf {G}\) is defined as the diagonal concatenation of \(\mathbf {g}\) n times. Formally, \(\mathbf {G}= \mathbf {g}\otimes \mathbf {I}_n \in \mathbb {Z}_{q}^{n\times m}\). For any \(t \in \mathbb {Z}\), the function \(\mathbf {G}^{-1}: \mathbb {Z}_{q}^{n\times t} \rightarrow \{0,1\}^{m\times t}\) expands each entry \(a \in \mathbb {Z}_{q}\) of the input matrix into a column of size \(\lceil \log q \rceil \) consisting of the bit-representation of a. For any matrix \(\mathbf {A}\in \mathbb {Z}_{q}^{n\times t}\), it holds that \(\mathbf {G}\cdot \mathbf {{G}}^{-1}({\mathbf {A}}) = \mathbf {A}\pmod {q}\).
The (centered) discrete Gaussian distribution over \(\mathbb {Z}^m\) with parameter \(\tau \), denoted \(D_{\mathbb {Z}^m, \tau }\), is the distribution over \(\mathbb {Z}^m\) where for all \(\mathbf {{x}}\), \(\Pr [\mathbf {{x}}] \propto e^{-\pi \left\| {\mathbf {{x}}} \right\| ^2/\tau ^2}\).
Let \(n,m,q \in \mathbb {N}\) and consider a matrix \(\mathbf {{A}}\in \mathbb {Z}_q^{n \times m}\). For all \(\mathbf {{v}} \in \mathbb {Z}_q^n\) we let \(\mathbf {{{A}}}^{-1}_{{\tau }}(\mathbf {{v}})\) denote the random variable whose distribution is the Discrete Gaussian \(D_{\mathbb {Z}^m,\tau }\) conditioned on \(\mathbf {{A}}\cdot \mathbf {{{A}}}^{-1}_{{\tau }}(\mathbf {{v}}) = \mathbf {{v}} \pmod {q}\). If \(\mathbf {{h}} {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\mathbf {{{A}}}^{-1}_{{\tau }}(\mathbf {{v}})\) then \(\left\| {\mathbf {{h}}} \right\| \le k \tau \sqrt{m}\) with probability at least \(1-e^{-\varOmega (k^2)}\).
A \(\tau \)-trapdoor for \(\mathbf {{A}}\) is a procedure that can sample from a distribution within \(2^{-n}\) statistical distance of \(\mathbf {{{A}}}^{-1}_{{\tau }}(\mathbf {{v}})\) in time \(\mathrm{poly}(n,m,\log q)\), for any \(\mathbf {{v}} \in \mathbb {Z}_q^n\). We denote a \(\tau \)-trapdoor for \(\mathbf {{A}}\) by \(\mathbf {T}_{\mathbf {{A}}}^{\tau }\). The following properties have been established in a long sequence of works.
Corollary 2
(Trapdoor Generation [Ajt96, MP12]). There is a probabilistic polynomial-time algorithm \(\textsf {TrapGen}(1^n,q,m)\) that for all \(m \ge m_0 = m_0(n,q) = O(n \log q)\), outputs \((\mathbf {{A}}, \mathbf {T}_{\mathbf {{A}}}^{\tau })\) s.t. \(\mathbf {{A}}\in \mathbb {Z}_q^{n \times m}\) is within statistical distance \(2^{-n}\) from uniform and \(\tau _0 = O(\sqrt{n \log q \log n})\).
We use the most general form of trapdoor extension as formalized in [MP12].
Theorem 1
(Trapdoor Extension [ABB10b, MP12]). Given \(\mathbf {{A}}\in \mathbb {Z}_q^{n \times m}\), with a trapdoor \(\mathbf {T}_{\mathbf {{A}}}^{\tau }\), and letting \(\mathbf {{B}}\in \mathbb {Z}_q^{n \times m'}\) be s.t. \(\mathbf {{A}}= \mathbf {{B}}\mathbf {{S}}\pmod {q}\) where \(\mathbf {{S}}\in \mathbb {Z}^{m' \times m}\) with largest singular value \(s_1(\mathbf {{S}}) \le \sigma \), then \((\mathbf {T}_{\mathbf {{A}}}^{\tau }, \mathbf {{S}})\) can be used to sample from \(\mathbf {{B}}^{-1}_{\sigma \tau }\).
Note that since only an upper bound on the singular value is required, this theorem implies that \(\mathbf {T}_{\mathbf {{A}}}^{\tau '}\) is derived from \(\mathbf {T}_{\mathbf {{A}}}^{\tau }\) whenever \(\tau \le \tau '\). A few additional important corollaries are derived from this theorem. We recall that \(s_1(\mathbf {{S}}) \le \sqrt{n m} \left\| {\mathbf {{S}}} \right\| _{\infty }\) and that a trapdoor \(\mathbf {T}_{\mathbf {G}}^{O(1)}\) is trivial.
The first is a trapdoor extension that follows by taking \(\mathbf {{S}} = [\mathbf {I}\ \Vert \ \mathbf {{0}}]\).
Corollary 3
Given \(\mathbf {{A}}\in \mathbb {Z}_q^{n \times m}\), with a trapdoor \(\mathbf {T}_{\mathbf {{A}}}^{\tau }\), it is efficient to sample from \([\mathbf {{A}}\Vert \mathbf {{B}}]^{-1}_{\tau }\) for all \(\mathbf {{B}}\).
Next is a trapdoor extension that had been used extensively in prior work. It follows from Theorem 1 with \(\mathbf {{S}}= [-\mathbf {{R}}^T \Vert \mathbf {I}]^T\).
Corollary 4
Given \(\bar{\mathbf {{A}}}\in \mathbb {Z}_q^{n \times m'}\), and \(\mathbf {{R}}\in \mathbb {Z}^{m' \times m}\) with \(m=n\lceil \log q \rceil \), it is efficient to sample from \([\bar{\mathbf {{A}}}\Vert \bar{\mathbf {{A}}}\mathbf {{R}}+ \mathbf {G}]^{-1}_{\tau }\) for \(\tau = O(\sqrt{m m'}\left\| {\mathbf {{R}}} \right\| _{\infty })\).
Note that by taking \(\bar{\mathbf {{A}}}\) uniform and \(\mathbf {{R}}\) to be a high entropy small matrix, e.g. uniform in \(\{-1,0,1\}\) and relying on the leftover hash lemma, Corollary 2 is in fact a special case of this one.
The following shows a different method for trapdoor extension which corresponds to matrices in Hermite Normal Form. This trapdoor generation method is mentioned in passing in [MP12] as a method for improving parameters by relying on computational assumptions. Our use of this property is quite different. Technically it follows from Theorem 1 with \(\mathbf {{S}}= [-\mathbf {{E}}^T \Vert -\mathbf {{R}}^T \Vert \mathbf {I}]^T\).
Corollary 5 (Trapdoor Extension in HNF)
Let \(n,q,m' \ge 1\) and let \(m = n\lceil \log q \rceil \). Given \(\bar{\mathbf {{A}}}{\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\mathbb {Z}_q^{n \times m'}\), \(\mathbf {{R}}\in \mathbb {Z}^{m' \times m}\) and \(\mathbf {{E}}\in \mathbb {Z}^{n \times m}\), the trapdoor \(\mathbf {T}_{[\mathbf {I}\Vert \bar{\mathbf {{A}}}\Vert \bar{\mathbf {{A}}}\mathbf {{R}}+\mathbf {G}+ \mathbf {{E}}]}^{\tau }\) is efficiently computable for \(\tau = O(\sqrt{m m'}\left\| {\mathbf {{R}}} \right\| _{\infty } + \sqrt{m n}\left\| {\mathbf {{E}}} \right\| _{\infty })\).
3.5 Lattice Evaluation
The following is an abstraction of the evaluation procedure in recent LWE based FHE and ABE schemes that developed in a long sequence of works [ABB10b, MP12, GSW13, AP14, BGG+14, GVW15b]. We use a similar formalism as in [BV15b, BCTW16] but slightly rename the functions.
Theorem 2
There exist efficient deterministic algorithms \(\textsf {EvalF}\) and \(\textsf {EvalFX}\) such that for all \(n,q,\ell \in \mathbb {N}\), and for any sequence of matrices \((\mathbf {A}_1,\ldots ,\mathbf {A}_\ell ) \in (\mathbb {Z}_q^{n \times n\lceil \log q \rceil })^{\ell }\), for any depth-d Boolean circuit \(f: \{0,1\}^\ell \rightarrow \{0,1\}\) and for every \(\mathbf {{x}}= (x_1, \ldots , x_\ell ) \in \{0,1\}^\ell \), the following properties hold.
-
The outputs \(\mathbf {H}_{f} = \textsf {EvalF}(f,\mathbf {A}_1,\ldots ,\mathbf {A}_\ell )\) and \(\mathbf {H}_{f,x} = \textsf {EvalFX}(f,x,\mathbf {A}_1,\ldots ,\mathbf {A}_\ell )\) are both matrices in \(\mathbb {Z}^{(\ell n \lceil \log q \rceil ) \times n\lceil \log q \rceil }\);
-
It holds that \(\left\| {\mathbf {H}_f} \right\| _{\infty }, \left\| {\mathbf {H}_{f,x}} \right\| _{\infty } \le (n \log q)^{O(d)}\).
-
It holds that
$$\begin{aligned}{}[\mathbf {A}_1 - x_1 \mathbf {G}&\Vert \mathbf {A}_2 - x_2 \mathbf {G}\Vert \ldots \Vert \mathbf {A}_\ell - x_\ell \mathbf {G}] \cdot \mathbf {H}_{f,\mathbf {{x}}} \nonumber \\&= \, [\mathbf {A}_1 \Vert \mathbf {A}_2\Vert \ldots \Vert \mathbf {A}_\ell ] \cdot \mathbf {H}_f - f(\mathbf {{x}}) \mathbf {G}\pmod {q} \end{aligned}$$(8)We will call this the “key equation” for matrix evaluation.
For a proof of this theorem, we refer the reader to [BV15b]. This evaluation method was extended by [AFV11, GVW15a] to show that in the case of the inner product function it is possible to compute \(\textsf {EvalFX}\) with only one of the two operands.
Theorem 3
There exist efficient deterministic algorithms \(\textsf {EvalF}^{ip}\) and \(\textsf {EvalFX}^{ip}\) as follows. Let \(n,q,\ell ,\vec {\mathbf {{A}}}= (\mathbf {A}_1,\ldots ,\mathbf {A}_\ell ),\mathbf {{x}}\) be as above. Let \(\ell ' \in \mathbb {N}\) and \(\vec {\mathbf {{B}}}= (\mathbf {B}_1,\ldots ,\mathbf {B}_{\ell '}) \in (\mathbb {Z}_q^{n \times n\lceil \log q \rceil })^{\ell '}\), and let \(f: \{0,1\}^{\ell } \rightarrow \{0,1\}^{\ell '}\) be a depth d boolean circuit with \(\ell '\) output bits. Then:
-
\(\mathbf {H}_{f} = \textsf {EvalF}^{ip}(f,\vec {\mathbf {{A}}},\vec {\mathbf {{B}}})\) and \(\mathbf {H}_{f,x} = \textsf {EvalFX}^{ip}(f,\mathbf {{x}},\vec {\mathbf {{A}}},\vec {\mathbf {{B}}})\) are both in \(\mathbb {Z}^{((\ell +\ell ') n \lceil \log q \rceil ) \times n\lceil \log q \rceil }\);
-
It holds that \(\left\| {\mathbf {H}_f} \right\| _{\infty }, \left\| {\mathbf {H}_{f,x}} \right\| _{\infty } \le \ell ' (n \log q)^{O(d)}\);
-
It holds that for all \(\mathbf {{y}}\in \mathbb {Z}^{\ell '}\)
$$\begin{aligned} \bigg ([\vec {\mathbf {{A}}}\Vert \vec {\mathbf {{B}}}] - [\mathbf {{x}}\Vert \mathbf {{y}}] \otimes \mathbf {G}\bigg ) \cdot \mathbf {H}_{f,\mathbf {{x}}} = [\vec {\mathbf {{A}}}\Vert \vec {\mathbf {{B}}}] \cdot \mathbf {H}_f - \langle f(\mathbf {{x}}),\mathbf {{y}} \rangle \mathbf {G}\pmod {q} , \end{aligned}$$(9)where the inner product is over the integers (or equivalently modulo q).
We note that \(\textsf {EvalFX}^{ip}\) does not take \(\mathbf {{y}}\) as input and furthermore that \(\mathbf {{y}}\) can have arbitrary integer values (not necessarily binary). We will later extend these theorems to functions that output matrices in Sect. 4.1.
3.6 Fully Homomorphic Encryption (FHE)
A (secret-key) homomorphic encryption (HE) scheme w.r.t a function class \(\mathcal {F}\) is a semantically secure encryption scheme adjoined with an additional PPT algorithm \(\textsf {Eval}\) s.t. for all \(f \in \mathcal {F}\) and \(\mathbf {{x}}\in \{0,1\}^\ell \) it holds that if \({\textsf {sk}}\) is properly generated and \(\textsf {ct}_i = \textsf {Enc}_{{\textsf {sk}}}(x_i)\), then \(\textsf {Dec}_{\textsf {sk}}(\textsf {Eval}(f, \textsf {ct}_1, \ldots , \textsf {ct}_\ell )) = f(\mathbf {{x}})\) with all but negligible probability. The following is a corollary of the [GSW13] encryption scheme. We note that the common use of the scheme is with \(t=q/2\) but we will use \(t \approx \sqrt{q}\) in this work.
Lemma 1
(Leveled FHE [GSW13]). Let \(q, n, t, d \ge 1\) and let \(\chi \) be B-bounded. If \(q > 2t \ge 4B(n \lceil \log q \rceil )^{O(d)}\) then there exists an FHE scheme for the class \(\mathcal {F}_d\) of depth d circuits based on \(\mathrm {DLWE}_{n,q,\chi }\) with the following properties.
-
The ciphertext length is \(\ell _c = \mathrm{poly}(n\lceil \log q \rceil )\).
-
Decryption involves (i) preprocessing the ciphertext (independently of the secret key) into a binary vector \(\mathbf {{c}} \in \{0,1\}^{\ell _s}\) for \(\ell _s=\mathrm{poly}(n\lceil \log q \rceil )\); (ii) taking inner product \(\langle \mathbf {{c}}, \mathbf {{s}} \rangle \pmod {q}\) for an integer secret-key vector \(\mathbf {{s}}\), which results in \(t\mu +\delta \) with \(\left| {\delta } \right| \le B(n \lceil \log q \rceil )^{O(d)}\); (iii) extracting the output \(\mu \) from the above expression.
Moreover, for any \(f\in \mathcal {F}_d\), the depth of \(f'(\cdot ) = \mathrm {FHE}.\textsf {Eval}(f,\cdot )\) is at most \(d' = d \cdot \mathrm{polylog}(n\lceil \log q \rceil )\).
3.7 The Banerjee-Peikert Pseudorandom Function
Banerjee and Peikert [BP14] introduced an LWE-based key homomorphic pseudorandom function which was the basis for the [BV15b] constrained PRF. While [BV15b] only drew from the ideas in [BP14], we use their construction explicitly as a building block, which simplifies our analysis. We present their construction using our instance evaluation terminology.
For all \(x \in \{0,1\}^\ell \), consider the circuit (more precisely, arithmetic formula) \(\mathcal {T}_x(y_0, y_1)\) which computes the product \(\prod _{i \in [\ell ]} y_{x_i}\) using a balanced binary multiplication tree. Note that we are never actually computing \(\mathcal {T}_x\) on any input. We are only using its formal combinatorial structure for the purpose of evolution as described next.
Corollary 6
(follows from [BP14, Theorems 3.7 and 3.8]). Let \(n,p, \ell \ge 1\) be integers, let \(\chi \) be B-bounded and assume \(\mathrm {DLWE}_{n,p,\chi }\). Then there exists an efficiently computable randomized function \(E: \{0,1\}^\ell \rightarrow \mathbb {Z}^{n\lceil \log p \rceil }\) with bounded norm \(\left\| {E} \right\| _{\infty } \le B \sqrt{\ell } \cdot (n \lceil \log p \rceil )^{\log \ell }\), such that, letting \(\mathbf {{C}}_0, \mathbf {{C}}_1 {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\mathbb {Z}_p^{n \times n\lceil \log p \rceil }\) and denoting \(\vec {\mathbf {{C}}}=(\mathbf {{C}}_0, \mathbf {{C}}_1)\), \(\mathbf {{C}}_x = \textsf {EvalF}(\mathcal {T}_x, \vec {\mathbf {{C}}})\) for all x.
is pseudorandom, where \(\mathbf {{s}} {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\mathbb {Z}_p^n\). Furthermore, the same holds for
where \(\mathbf {{d}} {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\mathbb {Z}_p^{n \lceil \log p \rceil }\) and \(\mathbf {{C}}_x, E\) as above.
4 Our First Construction: The Dual-Use Technique
In this section, we present the dual-use technique and construct a new weakly attribute-hiding PE scheme and a constraint-hiding constrained PRF based on LWE. We will use the machinery for lattice evaluation developed in Sect. 3.5. First, in Sect. 4.1, we extend this machinery to work for computations that output not just scalars but matrices. Then, in Sects. 4.2 and 4.3, we describe our weakly attribute-hiding PE scheme and a constraint-hiding constrained PRF scheme, respectively.
4.1 Lattice Evaluation of Matrix-Valued Functions
We first extend evaluation of matrices from Sect. 3.5 to deal with functions whose output is a matrix instead of a bit (we still treat the input as bits).
Notation. Given a matrix \(\mathbf {X}\in \mathbb {Z}_q^{n \times n \log q}\), we will index its \(n^2\log q\) entries by numbers, for convenience of notation (as opposed to the standard practice of using a pair of numbers to index the row and column separately). We use \(x_{j,\tau } \in \{0,1\}\) where \(j \in [n^2\log q], \tau \in [\log q]\) to denote the \(\tau \)’th bit of the j’th entry of \(\mathbf {X}\). This means that we can write
where \(\mathbf {E}_j\) is a 0, 1-matrix whose j’th entry is 1 and 0 everywhere else. Throughout, we use \(j \in [n^2 \log q], \tau \in [\log q]\) and \(i \in [\ell ]\) and we avoid explicitly quantifying over these variables.
Matrix Computation. Suppose \(f : x_1,\ldots ,x_\ell \mapsto \mathbf {X}_f\) where these matrices have the same dimensions as \(\mathbf {A}_1,\mathbf {A}_2,\ldots ,\mathbf {A}_\ell \). Then, we require the following key relation between \(\mathbf {H}_f\) and \(\mathbf {H}_{f,\mathbf {{x}}}\):
Constructing \(\mathbf {H}_{f,\mathbf {{x}}}\) and \(\mathbf {H}_f\). Let \(f_{j,\tau } : x_1,\ldots ,x_\ell \mapsto \{0,1\}\) denote the function that outputs \(\tau \)’th bit of the j’th entry of \(\mathbf {X}_f\). Then, we define \(\mathbf {H}_f\) as follows.
Then, the key relation (Eq. 10) follows readily from the following relations:
where the first equation is the key relation for functions with scalar output. These two relations together show us that the setting of
satisfies Eq. 10.
4.2 Weakly Attribute-Hiding Predicate Encryption
In this section, we describe the dual use technique and use it to construct a weakly attribute-hiding predicate encryption scheme.
Notation. We use gadget matrices \(\mathbf {G}\in \mathbb {Z}_q^{(n+1) \times (n+1) \log q}\) and we write \(\overline{\mathbf {G}} \in \mathbb {Z}_q^{n \times (n+1) \log q}\) to denote all but the last row of \(\mathbf {G}\). Given a circuit computing a function \(f : \{0,1\}^\ell \rightarrow \{0,1\}\), and GSW FHE encryptions \(\varPsi := (\varPsi _1,\ldots ,\varPsi _\ell )\) of \(x_1,\ldots ,x_\ell \), we write \(\varPsi _f\) to denote \(\mathrm {FHE}.\textsf {Eval}(f,\varPsi )\). Noting that \(\varPsi _f\) is a matrix, we let \(\underline{\varPsi }_f\) denote the last row of \(\varPsi _f\), and \(\overline{\varPsi }_f\) to denote all but the last row of \(\varPsi _f\). In addition, we write \(\hat{f}\) to denote the circuit that computes \(\varPsi \mapsto \overline{\varPsi }_f\), namely it takes as input the bits of \(\varPsi \) and outputs the matrix \(\overline{\varPsi }_f\).
We let \(\mathbf {{e}}{\mathop {\longleftarrow }\limits ^{\sigma }} \mathbb {Z}^m\) denote the process of sampling a vector \(\mathbf {{e}}\) where each of its entries is drawn independently from the discrete Gaussian with mean 0 and standard deviation \(\sigma \) over \(\mathbb {Z}\).
Our predicate encryption scheme works as follows.
-
\(\textsf {Setup}(1^\lambda ,1^\ell ,1^d)\): sample \((\mathbf {B},\mathbf {T}_\mathbf {B})\) where \(\mathbf {B}\in \mathbb {Z}_q^{n \times (n+1)\log q}\) and \(\mathbf {T}_\mathbf {B}\) denotes the trapdoor for \(\mathbf {B}\). Pick \(\mathbf {B}_{j} {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\mathbb {Z}_q^{n \times (n+1)\log q}\) and \(\mathbf {{p}}{\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\mathbb {Z}_q^n\). Output
$$\begin{aligned} {\textsf {mpk}}&:= \Bigl (\;\mathbf {B}, \{\mathbf {B}_{j}\}_{j \in [L]}, \mathbf {{p}}\;\Bigr ),\\ {\textsf {msk}}&:= \Bigl (\;\mathbf {T}_\mathbf {B}\;\Bigr ) \end{aligned}$$where \(L = \ell \cdot (n+1)^2 \log ^2 q\).
-
\(\textsf {Enc}({\textsf {mpk}},\mathbf {{x}},M \in \{0,1\})\): pick \(\mathbf {{s}}{\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\mathbb {Z}_q^n, \mathbf {{e}}, \mathbf {{e}}_0, \mathbf {{e}}_{j} {\mathop {\longleftarrow }\limits ^{\sigma }} \mathbb {Z}^m, e' {\mathop {\longleftarrow }\limits ^{\sigma }} \mathbb {Z}, \mathbf {R}_i \in \{0,1\}^{(n+1)\log q \times (n+1)\log q}\) and compute
$$\varPsi _i := {\mathbf {B}\atopwithdelims ()\mathbf {{s}}^T\mathbf {B}+ \mathbf {{e}}^T} \mathbf {R}_i + x_i \mathbf {G}$$Let \(\psi _1,\ldots ,\psi _L\) denote the binary representation of \(\varPsi := [\varPsi _1 \mid \cdots \mid \varPsi _\ell ]\). Compute
$$\mathbf {{c}}_0^T:= \mathbf {{s}}^T\mathbf {B}+ \mathbf {{e}}_0^T, \qquad \mathbf {{c}}_{j}^T:= \mathbf {{s}}^T[\mathbf {B}_{j} - \psi _{j} \overline{\mathbf {G}}] + \mathbf {{e}}_j^T$$and \(\kappa := \mathbf {{s}}^T\mathbf {{p}}+ e' + M \cdot \lfloor q/2\rfloor \pmod {q}\).
The PE ciphertext consists of the FHE ciphertext \(\varPsi \) and the ABE ciphertexts computed as above. That is,
$$\textsf {ct}:= \bigl (\,\varPsi ,\mathbf {{c}}_0,\{\mathbf {{c}}_{j}\}_{j \in [L]},\kappa \,\bigr )$$ -
\(\textsf {KeyGen}({\textsf {msk}},f\)): Let \(\hat{f}\) denote the circuit computing \(\varPsi \mapsto \overline{\varPsi }_f\) and
$$ \mathbf {H}_{\hat{f}} := \textsf {EvalF}(\hat{f},\{\mathbf {B}_{j}\}_{j \in [L]}), \; \mathbf {B}_{\hat{f}} := [ \mathbf {B}_1 \mid \cdots \mid \mathbf {B}_L ] \cdot \mathbf {H}_{\hat{f}} $$Sample a short \({\textsf {sk}}_f\) using \(\mathbf {T}_\mathbf {B}\) such that
$$\begin{aligned}{}[\mathbf {B}\mid \mathbf {B}_{\hat{f}}] \cdot {\textsf {sk}}_f = \mathbf {{p}}\end{aligned}$$Output \({\textsf {sk}}_f\).
-
\(\textsf {Dec}(({\textsf {sk}}_f,f),\textsf {ct})\): Let \(\hat{f}\) denote the circuit computing \(\varPsi \mapsto \overline{\varPsi }_f\) and parse the ciphertext \(\textsf {ct}\) as \((\varPsi , \mathbf {{c}}_0, \{\mathbf {{c}}_j\}_{j\in L}, \kappa )\). Compute:
$$\begin{aligned} \varPsi _f:= & {} \hat{f}(\varPsi )\\ \mathbf {H}_{\hat{f},\varPsi }:= & {} \textsf {EvalFX}(\hat{f},\varPsi ,\{\mathbf {B}_{j}\}_{j \in [L]})\\ \mathbf {{c}}_{\hat{f}}:= & {} [\mathbf {{c}}_1 \mid \cdots \mid \mathbf {{c}}_L] \cdot \mathbf {H}_{\hat{f},\varPsi } + \underline{\varPsi }_f \end{aligned}$$Compute
$$\kappa ' := [\mathbf {{c}}_0 \mid \mathbf {{c}}_{\hat{f}}] \cdot {\textsf {sk}}_f$$and output the MSB of \(\kappa -\kappa '\).
We now analyze the correctness of the PE scheme (in the process setting the parameters) and prove its (selective) security under the polynomial hardness of LWE with a sub-exponential modulus-to-noise ratio.
Theorem 4 (Correctness)
The \(\textsf {PE}\) construction above is correct as per Definition 3.
Proof
The key relation tells us that
Multiplying both sides by \(\mathbf {{s}}^T\), we have
where the first approximate equality is because of the accumulated error which is a product of the LWE errors and the low-norm matrix \(\mathbf {H}_{\hat{f},\varPsi }\), the second equality is because of the key relation, and the final approximate equality is because of the decryption equation of the GSW FHE scheme. Then, when \(f(\mathbf {{x}})=0\),
Now, decryption succeeds in recovering M since \(\kappa := \mathbf {{s}}^T\mathbf {{p}}+ e' + M \cdot \lfloor q/2\rfloor \pmod {q}\).
Setting Parameters. The error growth on FHE evaluation is by a multiplicative factor of \((n\log q)^{O(d_f)}\) where \(d_f\) is the depth of the circuit computing f. Furthermore, the error growth on ABE evaluation has magnitude at most \((n\log q)^{O(d_{\hat{f}})}\) where \(d_{\hat{f}}\) is the depth of the circuit that performs GSW FHE evaluation for the function f. We know that \(d_{\hat{f}} = d \cdot \textsf {poly}(\log n,\log \log q)\). The total error growth thus has magnitude \((n\log q)^{d\cdot \textsf {poly}(\log n, \log \log q)}\) which should be at most q / 4 for correctness.
On the other hand, we would like to set \(q = O(2^{n^\epsilon })\) for some constant \(\epsilon \) so as to rely on the hardness of sub-exponential-error LWE. It is possible to find a setting of parameters that satisfy all these conditions, analogous to Sect. 5.1.
Theorem 5 (Security)
The scheme \(\textsf {PE}\) is secure as per Definition 3 under the \(\mathrm {LWE}_{n,q,\chi }\) assumption, and thus under the worst case hardness of approximating \(\textsf {GapSVP}, \textsf {SIVP}\) to within a \(2^{{\widetilde{O}}(n^\epsilon )}\) factor in polynomial time.
Proof
We provide a proof sketch for selective security of the PE scheme.
First, we describe a set of auxiliary algorithms consisting of alternative algorithms \((\textsf {Setup}^*,\textsf {KeyGen}^*,\textsf {Enc}^*)\) that will be used in the proof of security. We are given \(\mathbf {A}= {\mathbf {B}\atopwithdelims ()\mathbf {{c}}}, \mathbf {{p}}, p'\) and the selective challenge \(\mathbf {{x}}^*\). Here, \((\mathbf {{c}},p')\) is either \((\mathbf {{s}}^T\mathbf {B}+ \mathbf {{e}}, \mathbf {{s}}^T\mathbf {{p}}+ e')\) or uniformly random.
- \(\mathsf{{Setup}}^*(\mathbf {B},\mathbf {{p}},\mathbf {{x}}^*){:}\) :
-
Pick \(\mathbf {W}'_{j} {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\{0,1\}^{n \times (n+1)\log q},\mathbf {R}_i \in \{0,1\}^{(n+1)\log q \times (n+1)\log q}\). Compute
$$\begin{aligned} \varPsi _i:= & {} \mathbf {A}\mathbf {R}_i + x_i^* \mathbf {G}\\ \mathbf {B}_{j}= & {} \mathbf {B}\mathbf {W}'_{j} + \psi _{j} \overline{\mathbf {G}} \end{aligned}$$where, as before, \(\psi _j\) denote the bits of \(\varPsi = [\varPsi _1 \mid \cdots \mid \varPsi _\ell ]\). Output
$$\begin{aligned} {\textsf {mpk}}&:= \Bigl (\;\mathbf {B}, \{\mathbf {B}_{j}\}_{j \in [L]}, \mathbf {{p}}\;\Bigr ),\\ {\textsf {msk}}^*&:= \Bigl (\;\{\mathbf {W}'_{j}\}_{j \in [L]}\;\Bigr ) \end{aligned}$$ - \(\mathsf{{Enc}}^*(\mathbf {B},\mathbf {{p}},\mathbf {{x}}^*){:}\) :
-
Compute
$$ \mathbf {{c}}_0^T:= \mathbf {{c}}^T, \qquad \mathbf {{c}}_{j}^T:= \mathbf {{c}}^T\mathbf {W}'_{j} $$Output
$$\textsf {ct}:= \bigl (\,\varPsi ,\mathbf {{c}}_0,\{\mathbf {{c}}_{j}\}_{j \in [L]}, p' + M \cdot q/2\,\bigr )$$ - \(\mathsf{{KeyGen}}^*({\textsf {msk}}^*,f){:}\) :
-
On input f such that \(f(\mathbf {{x}}^*) \ne 0\),
$$\begin{aligned} \mathbf {B}_{\hat{f}}= & {} [ \mathbf {B}\mathbf {W}'_1 + \psi _1 \overline{\mathbf {G}} \mid \cdots \mid \mathbf {B}\mathbf {W}'_L + \psi _L \overline{\mathbf {G}} ] \cdot \mathbf {H}_{\hat{f}}\\= & {} [ \mathbf {B}\mathbf {W}'_1 \mid \cdots \mid \mathbf {B}\mathbf {W}'_L ] \cdot \mathbf {H}_{\hat{f},\varPsi } + \overline{\varPsi }_f\\= & {} \mathbf {B}( \mathbf {W}'_{\hat{f}} + \mathbf {R}_f ) + f(\mathbf {{x}}^*) \overline{\mathbf {G}} \end{aligned}$$where
$$\begin{aligned} \mathbf {W}'_{\hat{f}} := [\mathbf {W}'_1 \mid \cdots \mid \mathbf {W}'_L] \cdot \mathbf {H}_{\hat{f},\varPsi },\quad \varPsi _f = \mathbf {A}\mathbf {R}_f + f(\mathbf {{x}}^*) \mathbf {G}\end{aligned}$$We can then sample a short \({\textsf {sk}}_f\) using \(\mathbf {W}'_{\hat{f}}+\mathbf {R}_f\) such that
$$\begin{aligned}{}[\mathbf {B}\mid \mathbf {B}_{\hat{f}}] \cdot {\textsf {sk}}_f = \mathbf {{p}}\end{aligned}$$Output \({\textsf {sk}}_f\).
We now proceed to describe a sketch of the proof of security through a sequence of games, using the auxiliary algorithms described above.
Hybrid \(\mathcal {H}_{0}\). Real world.
Hybrid \(\mathcal {H}_{1}\). Switch to \(\textsf {Setup}^*,\textsf {Enc}^*\) that are given \(\mathbf {A}= {\mathbf {B}\atopwithdelims ()\mathbf {{c}}}\) and use \(\mathbf {W}'_j\). When \(\mathbf {{c}}\) is the LWE vector relative to \(\mathbf {B}\), game 0 and game 1 are statistically close by an application of the leftover hash lemma. (In this proof sketch, we ignore the issue of smoothing the errors in the ciphertext, which can be done by noise flooding). Note that in this game, the challenger does not know the LWE secret \(\mathbf {{s}}\).
Hybrid \(\mathcal {H}_{2}\). Switch to \(\textsf {KeyGen}^*\) that uses \((\mathbf {W}'_j, \mathbf {R}_i)\) instead of \(\mathbf {T}_\mathbf {B}\). The difference between game 1 and game 2 is that in the former, secret keys are generated using \(\mathbf {T}_\mathbf {B}\) whereas in the latter, they are generated using \(\mathbf {W}_{\hat{f}}' + \mathbf {R}_f\), by employing the ABB trick [ABB10a]. Thus, games 1 and 2 are statistically indistinguishable.
Hybrid \(\mathcal {H}_{3}\). Switch \(\mathbf {{c}}\) in \(\mathbf {A}\) from \(\mathbf {{s}}^T\mathbf {B}+ \mathbf {{e}}\) to a random \(\mathbf {{c}}\) (this changes both \(\textsf {abe.ct}\) and \(\varPsi \)). Games 2 and 3 are computationally indistinguishable by the LWE assumption.
Hybrid \(\mathcal {H}_{4}\). Switch from \(\textsf {KeyGen}^*\) back to \(\textsf {KeyGen}\). Games 3 and 4 are statistically indistinguishable by the same argument as Games 1 versus 2.
Now, in game 4, we argue that \(x_1^*,\ldots ,x_n^*\) is information-theoretically hidden, as follows:
-
First, note that the distribution of the NO keys only depends on \([\mathbf {B}\mid \mathbf {B}_{\hat{f}}]\), that is, on \(({\textsf {mpk}},f,\mathbf {T}_\mathbf {B})\), and leak no information about the FHE encryption randomness \(\mathbf {R}_{1},\ldots ,\mathbf {R}_{n}\).
-
Secondly, \({\textsf {mpk}}\) and the ciphertext depend on the \(\psi _{i}\)’s and the \(\mathbf {W}{'}_{j}\)’s, but not on the FHE encryption randomness \(\mathbf {R}_{1},\ldots ,\mathbf {R}_{n}\).
-
Using these two observations, we argue that \(\psi _{i}\) hides \(x_{i}^{*}\). Indeed, by left-over hash lemma, we know that \(\mathbf {A}\mathbf {R}_{i}\) is statistically close to uniform given \(\mathbf {A}= {\mathbf {B}\atopwithdelims ()\mathbf {{c}}}\), and therefore completely hides \(x_{i}^*\).
Remark: Relation to the GVW15 Security Proof. Many of the steps in the proof are analogous to what happens in GVW15. The crucial difference is that in GVW15, the leftover hash lemma (LHL) was used to hide the FHE secret key which is embedded as part of the ABE attributes. Using the fact that NO keys do not leak any information about the randomness \(\mathbf {W}_{j}\) used to simulate the ABE ciphertext, one can apply LHL to this randomness and therefore, hide the FHE secret key, and consequently, hiding the attributes. In our scheme, LHL is applied to the randomness \(\mathbf {R}_{j}\) used for FHE encryption, and not on the randomness \(\mathbf {W}'_{j}\) used to simulate the ABE ciphertext.
4.3 Constraint Hiding Constrained PRF
We now present a Constraint Hiding \(\textsf {CPRF}\) construction that relies on the [BV15b] CPRF together with the dual use technique from Sect. 4.2.
Our constraint hiding \(\textsf {CPRF}\) scheme works as follows.
-
\(\textsf {CPRF}.\textsf {Keygen}(1^\lambda ,1^{\ell },1^{\ell _x},1^d)\) takes as input the security parameter \(\lambda \), the maximum description length \(\ell \) of constraint functions, their input length \(\ell _x\) and depth d, and outputs public parameters \({\textsf {pp}}\) and a secret key \(\sigma \) for the \(\textsf {CPRF}\) scheme. Let \(L = \ell \cdot (n+1)^2 \log ^2 q\).
Sample \(\mathbf {B}, \mathbf {B}_{1},\ldots ,\mathbf {B}_{L} {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\mathbb {Z}_q^{n \times (n+1)\log q}\) and \(\mathbf {D}, \mathbf {C}_1,\ldots ,\mathbf {C}_{\ell _x} \in \mathbb {Z}_q^{n\times m}\) for some \(m = \varOmega (n\log q)\). Sample a uniformly random vector \(\mathbf {{s}}\in \mathbb {Z}_q^n\). Output
$$\begin{aligned} {\textsf {pp}}&:= \Bigl (\;\mathbf {B}, \{\mathbf {B}_{j}\}_{j \in [L]}, \{\mathbf {C}_j\}_{j\in [\ell _x]}, \mathbf {D}\;\Bigr ),\\ \sigma&:= \mathbf {{s}}\end{aligned}$$ -
\(\textsf {CPRF}.\textsf {Eval}_{\textsf {pp}}(\sigma ,x)\) outputs the evaluation of the PRF on an input x. Let \(\mathcal {U}_x:\{0,1\}^{\ell } \rightarrow \{0,1\}\) be the circuit that takes as input a description of a function f and outputs f(x). Now consider the circuit \(\widehat{\mathcal {U}}_x:\{0,1\}^{L} \rightarrow \mathbb {Z}_q^{n\times (n+1)\log q}\) that takes as input a GSW encryption \(\hat{f}\) of the description of f and outputs \(\overline{\varPsi }_{\mathbf {{x}}}\) where \(\varPsi _\mathbf {{x}}= \mathrm {FHE}.\textsf {Eval}(\mathcal {U}_x,\hat{f})\).
Let \(\widehat{\mathcal {U}}_x\) denote the circuit computing \(\varPsi \mapsto \overline{\varPsi }_\mathbf {{x}}\) and
$$ \mathbf {H}_{\widehat{\mathcal {U}}_x} := \textsf {EvalF}(\widehat{\mathcal {U}}_x,\{\mathbf {B}_{j}\}_{j \in [L]}), \; \mathbf {B}_{\widehat{\mathcal {U}}_x} := [ \mathbf {B}_1 \mid \cdots \mid \mathbf {B}_L ] \cdot \mathbf {H}_{\widehat{\mathcal {U}}_x} $$Compute \(\mathbf {{C}}_x = \textsf {EvalF}(\mathcal {T}_x, \mathbf {C}_1,\ldots ,\mathbf {C}_{\ell _x})\) (as defined in Sect. 3.7) and fix \(\mathbf {{M}}_x = \mathbf {{D}}\mathbf {{G}}^{-1}({\mathbf {{C}}_x})\). The PRF output is
$$\begin{aligned} y = \left\lfloor \mathbf {{s}}^T\cdot \mathbf {{B}}_{\widehat{\mathcal {U}}_x}\mathbf {{G}}^{-1}({\mathbf {M}_x}) \right\rceil . \end{aligned}$$ -
\(\textsf {CPRF}.\textsf {Constrain}_{\textsf {pp}}(\sigma ,f) \) outputs a constrained key \(\sigma _{f}\). Pick \(\mathbf {{e}}, \mathbf {{e}}_0, \mathbf {{e}}_{j} {\mathop {\longleftarrow }\limits ^{\sigma }} \mathbb {Z}^m, \mathbf {R}_i \in \{0,1\}^{(n+1)\log q \times (n+1)\log q}\) and compute GSW ciphertexts
$$\varPsi _i := {\mathbf {B}\atopwithdelims ()\mathbf {{s}}^T\mathbf {B}+ \mathbf {{e}}^T} \mathbf {R}_i + f_i \mathbf {G}$$where \((f_1,\ldots ,f_\ell )\) is the description of the function f.
Let \(\psi _1,\ldots ,\psi _L\) denote the binary representation of \(\varPsi := [\varPsi _1 \mid \cdots \mid \varPsi _\ell ]\). Compute
$$\mathbf {{c}}_0^T:= \mathbf {{s}}^T\mathbf {B}+ \mathbf {{e}}_0^T, \qquad \mathbf {{c}}_{j}^T:= \mathbf {{s}}^T[\mathbf {B}_{j} - \psi _{j} \overline{\mathbf {G}}] + \mathbf {{e}}_j^T$$The constrained key consists of the FHE ciphertext \(\varPsi \) and the “ABE ciphertexts” computed as above. That is,
$$\textsf {ct}:= \bigl (\,\varPsi ,\mathbf {{c}}_0,\{\mathbf {{c}}_{j}\}_{j \in [L]}\,\bigr )$$ -
\(\textsf {CPRF}.\textsf {ConstrainEval}_{\textsf {pp}}(\sigma _f,x)\) takes as input a constrained key \(\sigma _f\) and an input x and outputs a (potential) PRF output.
Let \(\hat{f}\) denote the circuit computing \(\varPsi \mapsto \overline{\varPsi }_\mathbf {{x}}\) (as above) and parse the constrained key \(\textsf {ct}\) as \((\varPsi , \mathbf {{c}}_0, \{\mathbf {{c}}_j\}_{j\in L})\). Compute:
$$\begin{aligned} \overline{\varPsi }_\mathbf {{x}}:= & {} \widehat{\mathcal {U}}_x(\varPsi )\\ \mathbf {H}_{\widehat{\mathcal {U}}_x,\varPsi }:= & {} \textsf {EvalFX}(\widehat{\mathcal {U}}_x,\varPsi ,\{\mathbf {B}_{j}\}_{j \in [L]})\\ \mathbf {{c}}_{\widehat{\mathcal {U}}_x}:= & {} [\mathbf {{c}}_1 \mid \cdots \mid \mathbf {{c}}_L] \cdot \mathbf {H}_{\widehat{\mathcal {U}}_x,\varPsi } + \underline{\varPsi }_\mathbf {{x}}\end{aligned}$$Output
$$\begin{aligned} y' = \left\lfloor \mathbf {{c}}_{\widehat{\mathcal {U}}_x} \mathbf {{G}}^{-1}({\mathbf {M}_x}) \right\rceil \end{aligned}$$
Theorem 6 (Correctness, Pseudorandomness, Constraint Hiding)
Under the \(\mathrm {DLWE}_{n,q,\chi }\) hardness assumption, \(\textsf {CPRF}\) is correct, pseudorandom and constraint hiding.
Proof
Correctness follows from a computation similar to the one in Sect. 4.2. In particular, the key relation tells us that
Multiplying both sides by \(\mathbf {{s}}^T\), we have
Then, when \(f(\mathbf {{x}})=0\), the constrained evaluation algorithm outputs
which is indeed the PRF output on \(\mathbf {{x}}\). The error growth behaves as in the PE scheme and thus, the parameters are set as in Theorem 4.
The proof of security closely follows the outline of Theorem 9 for our modulus-switching based private CPRF construction. We omit the details from this version.
5 Our Second Technique: Modulus Switching in HNF
This section contains our PE and CH-CPRF constructions based on the modulus switching method. We start with a technical lemma that explains how rounding is used to push the FHE noise into the ABE noise, as explained in the introduction. This is followed by our construction of a Weakly Attribute Hiding Predicate Encryption in Sect. 5.1 and our construction of Constraint Hiding Constrained PRF in Sect. 5.2.
Throughout this section we denote \(\left\lfloor x \right\rceil _p = \left\lfloor \frac{x}{q/p} \right\rceil \) when the operand is \(x \in \mathbb {Z}_q\) and output in \(\mathbb {Z}_p\), for q, p that will be defined appropriately in the relevant sections. We extend this operator to vectors and matrices by applying it element-wise. We start with the aforementioned rounding lemma.
Lemma 2
Let \(n, m', t, p\) be integers and consider \(q = t \cdot p\). Let \(\mathrm {FHE}\) be the scheme guaranteed in Lemma 1, with some depth bound d, let \(d', B\) as in the lemma statement, and assume that t conforms with the conditions of the lemma. Denote \(m=n\lceil \log q \rceil \).
Let \({\textsf {sk}}\in \mathbb {Z}_q^{\ell _s} \leftarrow \mathrm {FHE}.\textsf {Keygen}(1^{\lambda })\) and \(\tilde{x} \in \mathbb {Z}_q^{\ell _p} \leftarrow \mathrm {FHE}.\textsf {Enc}({\textsf {sk}},x)\) for some \(x\in \{0,1\}^{\ell }\), and for any circuit \(f:\{0,1\}^{\ell } \rightarrow \{0,1\}\) define the circuit \(f':\{0,1\}^{\ell _p} \rightarrow \{0,1\}^{\ell _s}\) as \(f'(\cdot ) = \mathrm {FHE}.\textsf {Eval}(f,\cdot )\). Let \(\mathbf {M}\in \mathbb {Z}_p^{n \times m'},\vec {\mathbf {{A}}}\in \mathbb {Z}_q^{n \times \ell _pm},\vec {\mathbf {{B}}}\in \mathbb {Z}_q^{n \times \ell _sm}\). Denote
where \( \mathbf {H}_{f} = \textsf {EvalF}^{ip}(f',\vec {\mathbf {{A}}},\vec {\mathbf {{B}}})\) and \( \mathbf {H}_{f,\mathbf {{x}}} = \textsf {EvalFX}^{ip}(f',\tilde{\mathbf {{x}}}, \vec {\mathbf {{A}}},\vec {\mathbf {{B}}}) \) as in Theorem 3. Then
-
1.
\(\varPsi _f = \mathbf {{A}}_f -(f(x)\cdot t + e)\mathbf {G}\) where \(\left| {e} \right| \le B_{\mathrm {FHE}} = B(n\lceil \log q \rceil )^{O(d)}\).
-
2.
\(\left\lfloor \varPsi _f\mathbf {{G}}^{-1}({\mathbf {{M}}}) \right\rceil _p = \left\lfloor \mathbf {{A}}_f\mathbf {{G}}^{-1}({\mathbf {{M}}}) \right\rceil _p - f(x)\mathbf {{M}} + \mathbf {{E}}\) where \(\left\| {\mathbf {{E}}} \right\| _{\infty } \le 2\, +\, \frac{B_{\mathrm {FHE}}\left\| {\mathbf {{M}}} \right\| _{\infty }}{t}\).
Proof
By Theorem 3,
where by Lemma 1, \(\langle \mathrm {FHE}.\textsf {Eval}(f, \tilde{x}),{\textsf {sk}} \rangle = t\cdot f(x) + e\) with \(\left| {e} \right| \le B(n\lceil \log q \rceil )^{O(d)}\), so (1) follows. Moreover,
where \(\mathbf {{E}}= (e/t)\mathbf {M}+ \mathbf {{\Delta }}\) for a rounding-errors matrix \(\left\| {\mathbf {{\Delta }}} \right\| _{\infty }\le 2\), and therefore \(\left\| {\mathbf {{E}}} \right\| _{\infty } \le 2 + \left| {e} \right| \cdot (\left\| {\mathbf {M}} \right\| _{\infty }/t)\).
5.1 Weakly Attribute Hiding Predicate Encryption
The scheme is parameterized by \(\epsilon \in (0,1)\) which governs the lattice hardness assumption that underly the construction. Essentially, with parameter \(\epsilon \) the scheme will be secure under the polynomial hardness of approximating lattice problems to within a \(2^{{\widetilde{O}}(n^\epsilon )}\)-factor.
-
\(\textsf {PE}.\textsf {Setup}(1^\lambda ,1^d) \rightarrow ({\textsf {mpk}},{\textsf {msk}})\). Define \(\ell = \lambda \) (this is the supported attribute length). Set \(n=(\lambda d)^{1/\epsilon }\). Let \(\chi \) be the \(B = {\widetilde{O}}({\sqrt{n}})\)-bounded distribution from Corollary 1. Let \(p, \tau \) be integer parameters set such that \(\tau \ge z_1\), \(p \ge 4 z_2 \cdot \tau \) for parameters \(z_1, z_2 = 2^{d \cdot \mathrm{polylog}(n)}\) that will be specified throughout the analysis. Let \(t = \varTheta (p)\) and \(q = p \cdot t\). Denote \(m=n\lceil \log q \rceil \). Recall Corollary 2 and let \(m_0=m_0(n,q)\) as in the corollary statement. Let \(\mathrm {FHE}\) be the scheme from Lemma 1 with depth parameter d, define \(\ell _s, \ell _c, d'\) as in the lemma statement, and let \(\ell _p = \ell \cdot \ell _c\).
Recall Corollary 2 and let \(m_0=m_0(n,p)\) as in the corollary statement. Consider \(m' = \max \{(n+1)\lceil \log q \rceil +2\lambda , m_0\}\) (note that \(m_0\) is w.r.t p but \(m'\) needs to be larger than \((n+1)\lceil \log q \rceil \)). Generate a matrix with a trapdoor \((\mathbf {{A}}, \mathbf {T}_\mathbf {{A}}) \leftarrow \textsf {TrapGen}(1^n, p, m')\), i.e. \(\mathbf {{A}}\in \mathbb {Z}_p^{n\times m'}\). Sample a uniform \(\mathbf {{v}} {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\mathbb {Z}_p^n\). Generate uniform \(\vec {\mathbf {{A}}}{\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}(\mathbb {Z}_q^{n \times m})^{\ell _p}\) and \(\vec {\mathbf {{B}}}{\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}(\mathbb {Z}_q^{n \times m})^{\ell _s}\).
Output \({\textsf {msk}}:= \mathbf {T}_{\mathbf {{A}}}\) and \({\textsf {mpk}}:= (\mathbf {{A}}, \mathbf {{v}}, \vec {\mathbf {{A}}}, \vec {\mathbf {{B}}})\).
-
\(\textsf {PE}.\textsf {Enc}({\textsf {mpk}},\mu ,x) \rightarrow \textsf {ct}\). Generate \({\textsf {sk}}\leftarrow \mathrm {FHE}.\textsf {Keygen}(1^\lambda )\), s.t. \({\textsf {sk}}\in \mathbb {Z}_p^{\ell _s}\) and compute \(\tilde{\mathbf {{x}}}\leftarrow \mathrm {FHE}.\textsf {Enc}({\textsf {sk}},x)\). Sample a vector \(\mathbf {{s}} {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\chi ^n\), an error vector \(\mathbf {{e}} {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\chi ^{m'}\) and an error scalar \(e {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\chi \). Sample \(\mathbf {{R}}_{A}{\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\{0,1\}^{m' \times m \ell _p}\) and \(\mathbf {{R}}_{B}{\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\{0,1\}^{m' \times m \ell _s}\). Sample a matrix \(\mathbf {{A}}_t {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\mathbb {Z}_t^{n \times m'}\) and a vector \(\mathbf {{v}}_t {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\mathbb {Z}_t^n\). Encrypt as follows:
$$\begin{aligned} \mathbf {{u}}_0&:= \mathbf {{s}}^T\mathbf {{A}}+ \left\lfloor \mathbf {{s}}^T\mathbf {{A}}_t + \mathbf {{e}} \right\rceil _p&\pmod p\\ \mathbf {{u}}_{\mu }&:= \mathbf {{s}}^T\mathbf {{v}} + \left\lfloor \mathbf {{s}}^T\mathbf {{v}}_t+e \right\rceil _p + \mu \lfloor p/2 \rceil&\pmod p\\ \vec {\mathbf {{a}}}&:= \mathbf {{s}}^T(\vec {\mathbf {{A}}}- \tilde{\mathbf {{x}}}\otimes \mathbf {G}_q)+\mathbf {{e}}\mathbf {{R}}_{A}&\pmod {q}\\ \vec {\mathbf {{b}}}&:= \mathbf {{s}}^T(\vec {\mathbf {{B}}}- {\textsf {sk}}\otimes \mathbf {G}_q)+\mathbf {{e}}\mathbf {{R}}_{B}&\pmod {q} \end{aligned}$$Output \(\textsf {ct}:= (\tilde{\mathbf {{x}}}, \mathbf {{u}}_0, \mathbf {{u}}_{\mu }, \vec {\mathbf {{a}}}, \vec {\mathbf {{b}}})\).
-
\(\textsf {PE}.\textsf {Keygen}({\textsf {msk}},f) \rightarrow {\textsf {sk}}_{f}\). Define \(f'(\cdot ) := \mathrm {FHE}.\textsf {Eval}(f,\cdot )\) and compute \(\mathbf {{A}}_f := [\vec {\mathbf {{A}}}\Vert \vec {\mathbf {{B}}}] \cdot \mathbf {{H}}_f\), where \(\mathbf {{H}}_f \leftarrow \textsf {EvalF}^{ip}(f',\vec {\mathbf {{A}}},\vec {\mathbf {{B}}})\). Compute \(\widehat{\mathbf {{A}}}_f := \left\lfloor \mathbf {{A}}_{f} \mathbf {{G}}^{-1}({\mathbf {G}_p}) \right\rceil _p\). Use \(\mathbf {T}_{\mathbf {{A}}}\) to sample \([\mathbf {{h}}_f \Vert \mathbf {{k}}_f] := [\mathbf {I}\Vert \mathbf {{A}}\Vert \widehat{\mathbf {{A}}}_f]_{\tau }^{-1}(\mathbf {{v}})\), i.e. s.t. \([\mathbf {{A}}\Vert \widehat{\mathbf {{A}}}_f] \mathbf {{k}}_f = \mathbf {{v}} - \mathbf {{h}}_f \pmod {p}\). Output \({\textsf {sk}}_f := \mathbf {{k}}_f\).
-
\(\textsf {PE}.\textsf {Dec}({\textsf {mpk}},\textsf {ct}, {\textsf {sk}}_f) \rightarrow \mu \). Compute \(\mathbf {{H}}_{f,x} \leftarrow \textsf {EvalFX}^{ip}(f',\tilde{\mathbf {{x}}},\vec {\mathbf {{A}}},\vec {\mathbf {{B}}})\) and set \(\mathbf {{a}}_{f,x} := [\vec {\mathbf {{a}}}\Vert \vec {\mathbf {{b}}}]\cdot \mathbf {{H}}_{f,x}\). Compute \(\widehat{\mathbf {{a}}}_{f,x} := (1/t)(\mathbf {{a}}_{f,x} \mathbf {{G}}^{-1}({\mathbf {G}_p}))\) and \(b' := \mathbf {{u}}_{\mu } - [\mathbf {{u}}_0 \Vert \widehat{\mathbf {{a}}}_{f,x}]\mathbf {{k}}_f \pmod p\). Return 0 if \(\left| {b'} \right| < \frac{p}{4}\) and 1 otherwise.
Analysis. Correctness and security are stated and proven next. We note that since \(q \le 2^n\) regardless of the exact manner we choose \(p, \tau \) we have that any polynomial of the form \(\mathrm{poly}(\lambda ,B,(n\lceil \log q \rceil )^{O(d')})\) is upper bounded by a function of the form \(2^{d \cdot \mathrm{polylog}(n)}\). This is since \(n \lceil \log q \rceil \le n^2\), \(\lambda < n\) and \(d' = d \cdot \mathrm{polylog}(n \lceil \log q \rceil ) = d \cdot \mathrm{polylog}(n)\).
Theorem 7 (Correctness)
The \(\textsf {PE}\) construction above is correct as per Definition 3.
Proof
Let \(\textsf {ct}\) be an encryption of message \(\mu \) under attribute x and let \(\mathbf {{k}}_f\) be a secret key for a function f. Let \(\mathbf {H}_{f} := \textsf {EvalF}^{ip}(f',\vec {\mathbf {{A}}},\vec {\mathbf {{B}}})\), \(\mathbf {H}_{f,\mathbf {{x}}} := \textsf {EvalFX}^{ip}(f',\vec {\mathbf {{A}}},\vec {\mathbf {{B}}})\), \(\mathbf {{A}}_f := [\vec {\mathbf {{A}}}\Vert \vec {\mathbf {{B}}}]\cdot \mathbf {{H}}_f\), and denote \(\varPsi _f := [\vec {\mathbf {{A}}}- \tilde{x} \otimes \mathbf {G}_q\Vert \vec {\mathbf {{B}}}- {\textsf {sk}}\otimes \mathbf {G}_q] \cdot \mathbf {H}_{f,\mathbf {{x}}}\). By Lemma 2, \(\varPsi _f = \mathbf {{A}}_f -(f(x)\cdot t + e)\mathbf {G}\) where \(\left| {e} \right| \le B_{\mathrm {FHE}} = B(n\lceil \log q \rceil )^{O(d)}\). Then
Therefore,
where \(\mathbf {{\Delta }}\) is the matrix of rounding errors, i.e. \(\left\| {\mathbf {{\Delta }}} \right\| _{\infty } \le 1/2\). We can bound the error \(\mathbf {{e}}'=\mathbf {{e}}_1+\mathbf {{e}}_2+\mathbf {{e}}_3\) as follows: \(\left\| {\mathbf {{e}}_1} \right\| _{\infty } \le B m' (\ell _p + \ell _s) (n \lceil \log q \rceil )^{O(d')} n \lceil \log p \rceil / t\), \(\left\| {\mathbf {{e}}_2} \right\| _{\infty } \le n B p (n \lceil \log q \rceil )^{O(d)} /t\), \(\left\| {\mathbf {{e}}_3} \right\| _{\infty } \le n B / 2\). Note that \(\ell _p, \ell _s = \mathrm{poly}(n\lceil \log q \rceil )\), hence \(\left\| {\mathbf {{e}}'} \right\| _{\infty } \le \mathrm{poly}(\lambda ,B,(n\lceil \log q \rceil )^{O(d')})\).
It follows that if indeed \(f(x)=0\) then \(\widehat{\mathbf {{a}}}_{f,x} = \mathbf {{s}}^T\widehat{\mathbf {{A}}}_f+\mathbf {{e}}'\). Now, recall that the distribution of \(\mathbf {{k}}_f, \mathbf {{h}}_f\) is Gaussian with parameter \(\tau \) subject to \([\mathbf {{A}}\Vert \widehat{\mathbf {{A}}}_f] \mathbf {{k}}_f = \mathbf {{v}} - \mathbf {{h}}_f \pmod {p}\). Therefore \(\left\| {\mathbf {{k}}_f} \right\| _{\infty } \le \tau \sqrt{\lambda (m+m')}\) and \(\left\| {\mathbf {{h}}_f} \right\| _{\infty } \le \tau \sqrt{\lambda n}\) with all but \(2^{-\lambda } = \mathrm{negl}(\lambda )\) probability. By definition,
Denote \(\mathbf {{e}}_0 = \left\lfloor \mathbf {{s}}^T\mathbf {{A}}_t + \mathbf {{e}} \right\rceil _p\) and \(e_{\mu } = \left\lfloor \mathbf {{s}}^T\mathbf {{v}}_t+e \right\rceil _p\), then \(\left\| {\mathbf {{e}}_0} \right\| _{\infty },\left| {e_{\mu }} \right| \le (n+1)B\). Therefore,
where \(\left| {e''} \right| < \tau \cdot \mathrm{poly}(\lambda ,B,(n\lceil \log q \rceil )^{O(d')})\). Therefore there exists some \(z_2 = 2^{d \mathrm{polylog}(n)}\) s.t. when we set \(p > 4 z_2 \tau \) we get that \(\left| {e''} \right| < \frac{p}{4}\). Hence, if \(f(x) = 0\) then \(b' = \mu \lfloor p/2 \rceil + e'' \in \mu \lfloor p/2 \rceil \pm \frac{p}{4}\) and in particular \( \mu = 0\) implies \(\left| {b'} \right| < \frac{p}{4}\) and \(\mu = 1\) implies \(\left| {b'} \right| > \frac{p}{4}\). \(\square \)
Theorem 8 (Security)
The scheme \(\textsf {PE}\) is secure as per Definition 3 under the \(\mathrm {LWE}_{n,q,\chi }\) assumption, and thus under the worst case hardness of approximating \(\textsf {GapSVP}, \textsf {SIVP}\) to within a \(2^{{\widetilde{O}}(n^\epsilon )}\) factor in polynomial time.
Proof (Sketch)
Define the simulator \(\mathrm {Sim}({\textsf {mpk}}) \rightarrow \textsf {ct}\) that generates a ciphertext \(\textsf {ct}=(\tilde{x}, \mathbf {{u}}_0, \mathbf {{u}}_{\mu },\vec {\mathbf {{a}}}, \vec {\mathbf {{b}}})\) by computing \(\tilde{x} \leftarrow \mathrm {FHE}.\textsf {Enc}({\textsf {sk}},0^{\ell })\) and sampling all the other \(\textsf {ct}\) parts uniformly from \(\mathbb {Z}_q\) as required. We now show a sequence of hybrids, where the first hybrid corresponds to \(\exp _{real}\) and the last hybrid corresponds to \(\exp _{ideal}\) with the simulator \(\mathrm {Sim}\) we just defined.
Hybrid \(\mathcal {H}_{0}\). This is \(\exp _{real}\).
Hybrid \(\mathcal {H}_{1}\). We change the \(\textsf {Setup}\) algorithm, specifically the generation of \(\vec {\mathbf {{A}}},\vec {\mathbf {{B}}}\): Let x be the attribute declared by the adversary. Generate \({\textsf {sk}}\leftarrow \mathrm {FHE}.\textsf {Keygen}(1^\lambda )\) and compute \(\tilde{x} \leftarrow \mathrm {FHE}.\textsf {Enc}({\textsf {sk}},x)\). Sample \(\mathbf {{R}}_{A}{\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\{0,1\}^{m' \times (m \ell _p)}\) and \(\mathbf {{R}}_{B}{\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\{0,1\}^{m' \times (m \ell _s)}\), and define
\(\mathbf {{A}}\) is statistically close to uniform in \(\mathbb {Z}_p^{n \times m'}\) and \(\mathbf {{A}}_t\) is uniform in \(\mathbb {Z}_t^{n \times m'}\), therefore the matrix \(t\mathbf {{A}}+ \mathbf {{A}}_t\) is close to uniform in \(\mathbb {Z}_q\). Since each \(\mathbf {{R}}_{A},\mathbf {{R}}_{B}\) are sampled uniformly and independently and \(m' \ge (n+1)\lceil \log q \rceil + 2 \lambda \), indistinguishability follows from the extended leftover hash lemma.
Hybrid \(\mathcal {H}_{2}\). We change the \(\textsf {Enc}\) algorithm. Sample \(\mathbf {{s}} \leftarrow \chi _q^n\), \(\mathbf {{e}} \leftarrow \chi _q^{m'}\) and \(e \leftarrow \chi _q\) as in the original encryption algorithm, then compute
Encrypt as follows:
The distributions remain as in the original scheme so statistical indistinguishability is maintained:
Hybrid \(\mathcal {H}_{3}\). We change the \(\textsf {Keygen}\) algorithm. We’re only required to generate keys for f s.t. \(f(x) = 1\), otherwise the adversary is not admissible. Recall that in \(\textsf {PE}.\textsf {Keygen}\) we sample from \([\mathbf {I}\Vert \mathbf {{A}}\Vert \widehat{\mathbf {{A}}}_f]_{\tau }^{-1}(\mathbf {{v}})\), where \(\widehat{\mathbf {{A}}}_f = \left\lfloor \mathbf {{A}}_f\mathbf {{G}}^{-1}({\mathbf {G}_p}) \right\rceil _p\) and \(\mathbf {{A}}_f = [\vec {\mathbf {{A}}}\Vert \vec {\mathbf {{B}}}] \cdot \mathbf {{H}}_f\). Using the notation
after the changes that were made in the previous hybrid, we have:
so
and by Lemma 2,
Therefore, when \(f(x) = 1\),
where \( \left\| {\mathbf {{E}}' - \mathbf {{E}}} \right\| _{\infty } \le \mathrm{poly}(\lambda ,B,(n\lceil \log q \rceil )^{O(d')})\). Given \([\mathbf {{R}}_{A}\Vert \mathbf {{R}}_{B}]\mathbf {{H}}_{f,x}\mathbf {G}^{-1}(\mathbf {G}_p)\) we can also compute \(\mathbf {{E}}'-\mathbf {{E}}\), and then, by Corollary 5, we can compute the trapdoor \([\mathbf {I}\Vert \mathbf {{A}}\Vert \widehat{\mathbf {{A}}}_f]^{-1}_{\tau }\) for any \(\tau \ge z_1\) for
We will choose our parameters so that indeed \(\tau \ge z_1\) which will allow us to sample from \([\mathbf {{I}}_n \Vert \mathbf {{A}}\Vert \widehat{\mathbf {{A}}}_{f}]^{-1}_{\tau }(\mathbf {{v}})\). Note that in this hybrid \(\mathbf {T}_\mathbf {{A}}\) is no longer used.
Hybrid \(\mathcal {H}_{4}\). In \(\textsf {Setup}\): Generate \(\mathbf {{A}}\) uniformly instead of generating it with a trapdoor. Statistical indistinguishability holds by Corollary 2.
Hybrid \(\mathcal {H}_{5}\). In \(\textsf {Enc}\): Generate \(\mathbf {{u}}'_0,\mathbf {{u}}'_{\mu }\) uniformly in \(\mathbb {Z}_q^n,\mathbb {Z}_q\) respectively. This is indistinguishable assuming hardness of \(\mathrm {DLWE}_{q,n,\chi }\). Note that now \(\mathbf {{u}}_0 = \left\lfloor \mathbf {{u}}'_0 \right\rceil _p\) and \(\mathbf {{u}}_{\mu } = \left\lfloor \mathbf {{u}}'_{\mu } \right\rceil _p\) are uniform in \(\mathbb {Z}_p^{n},\mathbb {Z}_p\) as well.
Hybrid \(\mathcal {H}_{6}\). In \(\textsf {Enc}\): Generate and uniformly from \(\mathbb {Z}_p^m\). This is indistinguishable by the extended leftover hash lemma since \(\mathbf {{u}}'_0\) is uniform, \(\mathbf {{R}}_{A},\mathbf {{R}}_{B}\) were randomly and independently generated and \(m' \ge (n+1)\lceil \log q \rceil + 2 \lambda \). The only information that \(\textsf {ct}\) reveals now is \(\tilde{x}\).
Hybrid \(\mathcal {H}_{7}\). In \(\textsf {Setup}\): Generate \(\mathbf {{A}}\) together with a trapdoor (the opposite of Hybrid 4). Statistical indistinguishability holds by Corollary 2.
Hybrid \(\mathcal {H}_{8}\). In \(\textsf {Keygen}\): Generate keys with \(\mathbf {T}_\mathbf {{A}}\) (the opposite of Hybrid 3). Indistinguishability holds since the keys are sampled from the same distribution.
Hybrid \(\mathcal {H}_{9}\). In \(\textsf {Setup}\): Generate the matrices \(\vec {\mathbf {{A}}},\vec {\mathbf {{B}}}\) as in the real \(\textsf {Setup}\) algorithm (the opposite of Hybrid 1). Indistinguishability holds by the leftover hash lemma.
Hybrid \(\mathcal {H}_{10}\). Change \(\tilde{x}\) to \(\tilde{x} \leftarrow \mathrm {FHE}.\textsf {Enc}({\textsf {sk}},0^{\ell })\). By Lemma 1, those hybrids are indistinguishable under \(\mathrm {DLWE}_{n,q,\chi }\). In this hybrid the \(\textsf {Enc}\) algorithm is equivalent to the simulator \(\mathrm {Sim}\) that was defined at the beginning of the proof, therefore it is equivalent to \(\exp _{ideal}\). \(\square \)
5.2 Constraint Hiding Constrained PRF
We present a constraint hiding constrained PRF scheme that supports all functions expressible by boolean circuits of depth d, input length \(k\) and description length \(\ell \), for predefined polynomials \(\ell , k, d\). We will rely on the hardness of LWE with sub-exponential noise to modulus ratio, as in our predicate encryption scheme. Working with a predefined polynomial input length \(k\) makes the analysis much simpler than [BV15b], however we note that relying on a different hardness assumption (a variant of one dimensional SIS) it is possible to support a-priori unbounded inputs as in [BV15b].
-
\(\textsf {CPRF}.\textsf {Keygen}(1^\lambda ,1^\ell , 1^k, 1^d) \rightarrow ({\textsf {pp}},\sigma )\). We let n be a parameter to be chosen later as a function of \(\lambda , \ell , k, d\). We let \(q = p \cdot t\) and \(t'\) be s.t. \(t' | p\). If we wish to rely on the hardness of lattice problems with approximation ratio \(2^{\tilde{O}(n^\epsilon )}\), then all values \(p,t,t'\) will be of size \(2^{\tilde{O}(n^\epsilon )}\) as well. The resulting constrained PRF scheme will support constraint functions of description length \(\ell \), input length \(k\) and depth d. The PRF itself outputs random elements in \(\mathbb {Z}_{p/t'}\), i.e. \(\log (p/t')\) bits of randomness.
Denote \(m=n\lceil \log q \rceil \) and \(m'=n\lceil \log p \rceil \). Let \(\mathrm {FHE}\) be the scheme from Lemma 1 with depth parameter d, define \(\ell _c, \ell _s, d'\) as in the lemma statement, where \(\ell _c\) is the FHE ciphertext length, \(\ell _s\) is the FHE key length and \(d'\) is the max depth of \(\mathrm {FHE}.\textsf {Eval}_{\textsf {pp}}(f,\cdot )\) for any f of depth at most d. Denote \(\ell _p = \ell \cdot \ell _c\). Let \(\mathbf {G}_q\) and \(\mathbf {G}_p\) denote the gadget matrices of dimensions \(n \times n\lceil \log q \rceil \) and \(n \times n\lceil \log p \rceil \) respectively.
Generate \(\vec {\mathbf {{A}}}{\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}(\mathbb {Z}_q^{n \times m})^{\ell _p}\) and \(\vec {\mathbf {{B}}}{\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}(\mathbb {Z}_q^{n \times m})^{\ell _s}\). Generate \(\mathbf {{D}}{\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\mathbb {Z}_p^{n \times m'}\) and \(\vec {\mathbf {{C}}}= [\mathbf {{C}}_0 \Vert \mathbf {{C}}_1] {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}(\mathbb {Z}_p^{n \times m'})^2\). Sample a vector \(\mathbf {{s}} {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\chi ^n\) and compute \({\textsf {sk}}\leftarrow \mathrm {FHE}.\textsf {Keygen}(1^\lambda )\). Sample an error vector \(\mathbf {{e}}_b {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\chi ^{m\ell _s}\) and let \(\vec {\mathbf {{b}}}= \mathbf {{s}}^T(\vec {\mathbf {{B}}}- {\textsf {sk}}\otimes \mathbf {G}_q)+\mathbf {{e}}_b\). The public parameters are \({\textsf {pp}}= (\vec {\mathbf {{A}}},\vec {\mathbf {{B}}},\vec {\mathbf {{C}}}, \mathbf {{D}},\vec {\mathbf {{b}}})\) and the master seed is \(\sigma = (\mathbf {{s}},{\textsf {sk}})\).
-
\(\textsf {CPRF}.\textsf {Eval}_{\textsf {pp}}(\sigma ,x) \rightarrow y \in \mathbb {Z}_{p/t'}\). Let \(\mathcal {U}_x:\{0,1\}^{\ell } \rightarrow \{0,1\}\) be the circuit that takes as input a description of a function f and outputs f(x). Now consider the circuit \(\mathcal {U}'_x:\{0,1\}^{\ell _{p}} \rightarrow \{0,1\}^{\ell _{s}}\) that takes as input an encryption of a description of f, i.e. \(\tilde{f} = \mathrm {FHE}.\textsf {Enc}({\textsf {sk}},f)\), and outputs \(\mathrm {FHE}.\textsf {Eval}(\mathcal {U}_x,\tilde{f})\), i.e. an FHE encryption of f(x). Compute \( \mathbf {{A}}_x := [\vec {\mathbf {{A}}}\Vert \vec {\mathbf {{B}}}] \cdot \mathbf {{H}}_x\), where \(\mathbf {{H}}_x \leftarrow \textsf {EvalF}^{ip}(\mathcal {U}'_x, \vec {\mathbf {{A}}}, \vec {\mathbf {{B}}})\). Compute \(\mathbf {{C}}_x := \textsf {EvalF}(\mathcal {T}_x, \vec {\mathbf {{C}}})\) (as defined in Sect. 3.7) and fix \(\mathbf {{M}}_x := \mathbf {{D}}\mathbf {{G}}_p^{-1}({\mathbf {{C}}_x}) \mod p\). Output
$$ y := \left\lfloor \mathbf {{s}}^T\cdot \frac{\mathbf {{A}}_x\mathbf {{G}}_q^{-1}({\mathbf {M}_x})}{t'\cdot t} \right\rceil . $$ -
\(\textsf {CPRF}.\textsf {Constrain}_{\textsf {pp}}(\sigma ,f) \rightarrow \sigma _{f}\). Compute \(\tilde{f} := \mathrm {FHE}.\textsf {Enc}({\textsf {sk}},f)\). Sample an error vector \(\mathbf {{e}}_a {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\chi ^{m\ell _p}\) and compute \( \vec {\mathbf {{a}}}:= \mathbf {{s}}^T(\vec {\mathbf {{A}}}- \tilde{f}\otimes \mathbf {G}_q) + \mathbf {{e}}_a \). Output \(\sigma _f := (\vec {\mathbf {{a}}}, \tilde{f})\).
-
\(\textsf {CPRF}.\textsf {ConstrainEval}_{\textsf {pp}}(\sigma _f,x) \rightarrow y' \in \mathbb {Z}_r\). Compute \( \mathbf {{a}}_{f,x} := [\vec {\mathbf {{a}}}\Vert \vec {\mathbf {{b}}}] \cdot \mathbf {{H}}_{f,x} \), where \( \mathbf {{H}}_{f,x} \leftarrow \textsf {EvalFX}^{ip}(\mathcal {U}_x',\tilde{f},\vec {\mathbf {{A}}}, \vec {\mathbf {{B}}}) \), and output
$$ y' := \left\lfloor \frac{\mathbf {{a}}_{f,x}\mathbf {{G}}_q^{-1}({\mathbf {M}_x})}{t' \cdot t} \right\rceil $$
Analysis. The following will be useful in the security and correctness proof.
Lemma 3
Let \(d'\) denote the depth of the circuit \(\mathcal {U}'_x\). Consider \(\mathbf {{a}}_{f,x}\) and \(\mathbf {{A}}_x\) as defined in \(\textsf {CPRF}.\textsf {ConstrainEval}\) and \(\textsf {CPRF}.\textsf {Eval}\), then:
where \(\left\| {\mathbf {{e}}''} \right\| _{\infty } \le \mathrm{poly}(\lambda ,B,(n\lceil \log q \rceil )^{O(d')})\).
Proof
Recall that \(\left\| {[\mathbf {{e}}_a \Vert \mathbf {{e}}_b]} \right\| _{\infty } \le B\) and \(\left\| {\mathbf {{H}}_{f,x}} \right\| _{\infty } \le (n\lceil \log q \rceil )^{O(d')}\). Hence
where \( \left\| {\mathbf {{e}}} \right\| _{\infty } \le \mathrm{poly}(\lambda ,B,(n\lceil \log q \rceil )^{O(d')})\). Therefore
where \(\left\| {\mathbf {{e}}'} \right\| _{\infty } \le \mathrm{poly}(\lambda ,B,(n\lceil \log q \rceil )^{O(d')})\).
By Lemma 2, \(\varPsi _x = \mathbf {{A}}_x -(f(x)\cdot t + e)\mathbf {G}_q\) where \(\left| {e} \right| \le B_{\mathrm {FHE}} = B(n\lceil \log q \rceil )^{O(d)}\), therefore
where \(\left\| {\mathbf {{e}}''} \right\| _{\infty }\le \mathrm{poly}(\lambda ,B,(n\lceil \log q \rceil )^{O(d')})\).
Theorem 9 (Correctness, Pseudorandomness, Constraint Hiding)
Under the \(\mathrm {DLWE}_{n,q,\chi }\) hardness assumption, \(\textsf {CPRF}\) is correct, pseudorandom and constraint hiding.
Proof
Let \(\mathcal {A}\) be a PPT adversary against \(\textsf {CPRF}\) and consider the game from Definition 2. The proof proceeds with a sequence of hybrids.
Hybrid \(\mathcal {H}_{0}\). The game from the definition.
Hybrid \(\mathcal {H}_{1}\). Change the way that the vectors and are computed in \(\textsf {Constrain}\) and \(\textsf {Keygen}\) respectively: Define the matrices \(\widehat{\mathbf {{A}}} := \vec {\mathbf {{A}}}- \tilde{f} \otimes \mathbf {G}_q\) and \(\widehat{\mathbf {{B}}} := \vec {\mathbf {{B}}}- {\textsf {sk}}\otimes \mathbf {G}_q\). Then let \(\vec {\mathbf {{a}}}:= \mathbf {{s}}^T\widehat{\mathbf {{A}}} + \mathbf {{e}}_a\) and \(\vec {\mathbf {{b}}}:= \mathbf {{s}}^T\widehat{\mathbf {{B}}} + \mathbf {{e}}_b\) where \(\mathbf {{e}}_a {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\chi ^{m\ell _p}, ~ \mathbf {{e}}_b {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\chi ^{m\ell _s}\). This is simply a change in notation.
Hybrid \(\mathcal {H}_{2}\). Change the \(\textsf {Eval}\) algorithm. Up to this hybrid, in \(\textsf {Eval}\) we computed \(\mathbf {{M}}_x := \mathbf {{D}}\mathbf {{G}}_p^{-1}({\mathbf {{C}}_x})\) and the output was
Consider the vector \(\mathbf {{d}} := \mathbf {{s}}^T \mathbf {{D}}+ \mathbf {{e}}_d\) where \(\mathbf {{e}}_d \leftarrow \chi ^{n\lceil \log p \rceil }\). In this hybrid the output of \(\textsf {Eval}\) will be
and \(E(\cdot )\) is the function from Corollary 6, and in particular \(\left| {E(x)} \right| \le B \sqrt{k} \cdot (n \lceil \log p \rceil )^{\log k}\).
We analyse now the event that \(y^* \ne y\). Note that
By Lemma 3,
where \(\left\| {\mathbf {{e}}''} \right\| _{\infty } \le \mathrm{poly}(\lambda ,B,(n\lceil \log q \rceil )^{O(d')})\). Hence
where \(\left\| {\mathbf {{e}}'''} \right\| _{\infty }\) is bounded by a value \(E' = \mathrm{poly}(\lambda ,B,(n\lceil \log q \rceil )^{O(d')},B \sqrt{k} \cdot (n \lceil \log p \rceil )^{\log k})\). Therefore \(y^* \ne y\) only when there exists \(i \in [n\lceil \log p \rceil ]\) such that the ith entry of the vector \(\mathbf {{v}}\) is \(E'\)-close to \(t'\mathbb {Z}+ t'/2\), i.e. when the ith entry of the vector \(t \mathbf {{v}}\) is \(t E'\)-close to \((t \cdot t')\mathbb {Z}+(t \cdot t')/2\). Let \(\mathrm {Borderline}_x\) denote this event, then \(\lnot \mathrm {Borderline}_x \Longrightarrow y^* = y\). We can bound the advantage in distinguishing between this hybrid and the previous one by the probability of \(\mathrm {Borderline}=\bigvee _x\mathrm {Borderline}_x\):
Lemma 4
The following holds:
where the probability is over the randomness of the key generation algorithm in \(\mathcal {H}_{2}\).
Proof
Fix an arbitrary value for x and some coordinate \(i \in [n \lceil \log p \rceil ]\) and note that
where \(\mathbf {{a}}_{f,x} = [\vec {\mathbf {{a}}}\Vert \vec {\mathbf {{b}}}]\mathbf {{H}}_{f,x} = \mathbf {{s}}^T[\widehat{\mathbf {{A}}} \Vert \widehat{\mathbf {{B}}}]\mathbf {{H}}_{f,x} + [\mathbf {{e}}_a \Vert \mathbf {{e}}_b]\mathbf {{H}}_{f,x}\). Recall that \(\left\| {\mathbf {{s}}} \right\| _{\infty } \le B< t < p\), where p, t are prime and \(q = p \cdot t\), so each entry of \(\mathbf {{s}}\) is a unit in \(\mathbb {Z}_q\). Similarly, \(\left\| {\mathbf {{H}}_{f,x}\mathbf {{G}}_q^{-1}({\mathbf {M}_x})} \right\| \le (n\lceil \log q \rceil )^{O(d')}< t \le p\) and so each entry of \(\mathbf {{H}}_{f,x}\mathbf {{G}}_q^{-1}({\mathbf {M}_x})\) is a unit in \(\mathbb {Z}_q\).
Since \([\widehat{\mathbf {{A}}} \Vert \widehat{\mathbf {{B}}}]\) is uniform over \(\mathbb {Z}_q^{n \times m(\ell _p+\ell _s)}\), it follows that each entry of the vector \(\mathbf {{s}}^T[\widehat{\mathbf {{A}}} \Vert \widehat{\mathbf {{B}}}]\mathbf {{H}}_{f,x}\mathbf {{G}}_q^{-1}({\mathbf {M}_x})\) is uniform over \(\mathbb {Z}_q\) and so the marginal distribution of the ith entry of \(t\mathbf {{v}}\) as a function of the randomness of \(\textsf {Keygen}\) is uniform over \(\mathbb {Z}_q\). Therefore, the probability of this value being \(tE'\)-close to \((t\cdot t')\mathbb {Z}+ (t\cdot t')/2\) is at most \(E'/t'\). Applying the union bound over all possible values of x and i, the lemma follows.
Note that in this hybrid, if \(f(x) = 0\) then the output of \(\textsf {Eval}\) is identical to the output of \(\textsf {ConstrainEval}\), so the adversary has no advantage in guessing \(b_3\).
Hybrid \(\mathcal {H}_{3}\). Change \(\mathbf {{d}}\): sample it uniformly from \(\mathbb {Z}_p^{n \lceil \log p \rceil }\). This change is computationally indistinguishable under \(\mathrm {DLWE}_{n,p,\chi }\).
Hybrid \(\mathcal {H}_{4}\). Change again \(\textsf {Eval}\): compute \(\mathbf {{v}}\) by first sampling a vector \(\mathbf {{u}}_x {\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}\mathbb {Z}_p^m\) and setting
Recall that the adversary can query each distinct x once. By Corollary 6, those hybrids are indistinguishable under \(\mathrm {DLWE}_{n,p,\chi }\).
In this hybrid, if \(f(x) =1\) then the output of \(\textsf {Eval}\) is uniformly distributed over \(\mathbb {Z}_p^m\), so the adversary has no advantage in guessing \(b_2\).
Hybrid \(\mathcal {H}_{5}\). Change \(\textsf {Constrain}\): compute \(\tilde{f}\) as \(\tilde{f} \leftarrow \mathrm {FHE}.\textsf {Enc}({\textsf {sk}},0)\). By Lemma 1, those hybrids are indistinguishable under \(\mathrm {DLWE}_{n,q,\chi }\). At this stage the adversary has no information about f and therefore it has no advantage in guessing \(b_1\), which completes the proof.
Choice of Parameters. In order to satisfy the requirements in the above proof, we require that \(n \lceil \log p \rceil 2^{k} E' / t' = \mathrm{negl}(\lambda )\). For the sake of concreteness, we will set \(\mathrm{negl}(\lambda )\) to \(2^{-\lambda }\). Recalling that \(E' = \mathrm{poly}(\lambda ,B,(n\lceil \log q \rceil )^{O(d')},B \sqrt{k} \cdot (n \lceil \log p \rceil )^{\log k})\), we get \(t' \ge 2^{O(\lambda + k+ (d+\log k) \cdot \mathrm{polylog}(n))}\). This can be satisfied by setting \(n = (\lambda kd)^{1/\epsilon }\) and setting \(t' = 2^{\tilde{O}(n^\epsilon )}\) appropriately. Then p, t can be chosen to be polynomially related in size to \(t'\) s.t. \(t, t' ,p/t'\) are prime.
Notes
- 1.
- 2.
There are constructions for function classes that semantically seem astonishingly similar, such as inner product over the integers (and not modulo q) followed by rounding [ALS16] but there appears to be a big technical gap between these classes.
- 3.
An LWE instance contains multiple samples of the form \((\mathbf {{a}}_{i}, \mathbf {{s}}\mathbf {{a}}_{i} + e_{i})\), the vector \(\mathbf {{s}}\) is referred to as the LWE secret.
- 4.
- 5.
In the constrained PRF setting, the role of the function f and input x are reversed, and hence \(\mathbf {A}_{x}\).
- 6.
We use \(\mathbf {{B}}\) instead of \(\mathbf {{A}}\) to denote the public matrices here. This is since actually the matrix \(\mathbf {{A}}\) is analogous to \({\mathbf {B}\atopwithdelims ()\mathbf {{s}}^T \mathbf {B}+ \mathbf {{e}}}\) (as is hinted from \(\mathbf {{B}}\) being matching in dimension to \(\overline{\varPsi }, \overline{\mathbf {G}}\)). In fact, the dual use technique can be viewed as a method for working with \(\mathbf {{A}}\) which is different for every ciphertext.
References
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Agrawal, S., Boneh, D., Boyen, X.: Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 98–115. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_6
Abdalla, M., Bourse, F., Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 733–751. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_33
Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35
Agrawal, S., Freeman, D.M., Vaikuntanathan, V.: Functional encryption for inner product predicates from learning with errors. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 21–40. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_2
Agrawal, S.: Interpolating predicate and functional encryption from learning with errors. IACR Cryptology ePrint Archive, 2016:654 (2016)
Agrawal, S., Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption: new perspectives and lower bounds. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 500–518. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_28
Ananth, P., Jain, A.: Indistinguishability obfuscation from compact functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 308–326. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_15
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: STOC, pp. 99–108 (1996)
Agrawal, S., Libert, B., Stehlé, D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 333–362. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_12
Alperin-Sheriff, J., Peikert, C.: Faster bootstrapping with polynomial error. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 297–314. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_17
Brakerski, Z., Cash, D., Tsabary, R., Wee, H.: Targeted homomorphic attribute-based encryption. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 330–360. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_13
Banerjee, A., Fuchsbauer, G., Peikert, C., Pietrzak, K., Stevens, S.: Key-homomorphic constrained pseudorandom functions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 31–60. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_2
Boneh, D., Gentry, C., Gorbunov, S., Halevi, S., Nikolaenko, V., Segev, G., Vaikuntanathan, V., Vinayagamurthy, D.: Fully key-homomorphic encryption, arithmetic circuit abe and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30
Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_29
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS (2012)
Bishop, A., Jain, A., Kowalczyk, L.: Function-hiding inner product encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 470–491. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_20
Boneh, D., Kim, S., Montgomery, H.: Private puncturable PRFs from standard lattice assumptions. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 415–445. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_15
Brakerski, Z., Komargodski, I., Segev, G.: Multi-input functional encryption in the private-key setting: stronger security from weaker assumptions. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 852–880. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_30
Boneh, D., Lewi, K., Montgomery, H.W., Raghunathan, A.: Key homomorphic PRFs and their applications. IACR Cryptology ePrint Archive, 2015:220 (2015)
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., et al. (eds.) [BRF13], pp. 575–584 (2013)
Boneh, D., Lewi, K., David, J.W.: Constraining pseudorandom functions privately. IACR Cryptology ePrint Archive, 2015:1167 (2015)
Boneh, D., Lewi, K., Wu, D.J.: Constraining pseudorandom functions privately. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10175, pp. 494–524. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54388-7_17
Banerjee, A., Peikert, C.: New and improved key-homomorphic pseudorandom functions. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 353–370. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_20
Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_42
Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) Symposium on Theory of Computing Conference, STOC 2013, Palo Alto, CA, USA. ACM, 1–4 June 2013
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_16
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: FOCS (2011)
Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: Naor, M. (ed.) Innovations in Theoretical Computer Science, ITCS 2014, Princeton, NJ, USA, pp. 1–12. ACM, 12–14 January 2014
Bitansky, N., Vaikuntanathan, V.: Indistinguishability obfuscation from functional encryption. In: Guruswami, V. (ed.) IEEE 56th Annual Symposium on Foundations of Computer Science, FOCS 2015, Berkeley, CA, USA, pp. 171–190. IEEE Computer Society, 17–20 October 2015
Brakerski, Z., Vaikuntanathan, V.: Constrained key-homomorphic PRFs from standard lattice assumptions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 1–30. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_1
Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_29
Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_15
Canetti, R., Chen, Y.: Constraint-hiding constrained PRFs for NC\(^1\) from LWE. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 446–476. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_16
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. J. Crypt. 25(4), 601–639 (2012)
Gay, R.: Functional encryption for quadratic functions, and applications to predicate encryption. IACR Cryptology ePrint Archive, 2016:1106 (2016)
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, pp. 169–178. ACM, 31 May–2 June 2009
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM J. Comput. 45(3), 882–929 (2016)
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: STOC, pp. 555–564 (2013)
Gay, R., Méaux, P., Wee, H.: Predicate encryption for multi-dimensional range queries from lattices. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 752–776. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_34
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Juels, A., Wright, R.N., De Capitani di Vimercati, S. (eds.) Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, Alexandria, VA, USA, pp. 89–98. ACM, 30 October–3 November 2006
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Dwork, C. (ed.) Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, pp. 197–206. ACM, 17–20 May 2008
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_11
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In Boneh, D., et al. (eds.) [BRF13], pp. 545–554 (2013)
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_25
Gorbunov, S., Vaikuntanathan, V., Wichs, D.: Leveled fully homomorphic signatures from standard lattices. In: Servedio, R.A., Rubinfeld, R. (eds.) Proceedings of the Forty-Seventh Annual ACM on Symposium on Theory of Computing, STOC 2015, Portland, OR, USA, pp. 469–477. ACM, 14–17 June 2015
Hofheinz, D., Kamath, A., Koppula, V., Waters, B.: Adaptively secure constrained pseudorandom functions. Cryptology ePrint Archive, Report 2014/720 (2014)
Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, Germany, pp. 669–684. ACM, 4–8 November 2013
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_9
Lin, H.: Indistinguishability obfuscation from constant-degree graded encoding schemes. IACR Cryptology ePrint Archive 2016:257 (2016)
Micciancio, D., Mol, P.: Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 465–484. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_26
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
O’Neill, A.: Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010)
Okamoto, T., Takashima, K.: Adaptively attribute-hiding (hierarchical) inner product encryption. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 591–608. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_35
Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, pp. 333–342, 31 May–2 June 2009
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, pp. 84–93, 22–24 May 2005
Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) Symposium on Theory of Computing, STOC 2014, pp. 475–484. ACM, New York, 31 May–03 June 2014
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 International Association for Cryptologic Research
About this paper
Cite this paper
Brakerski, Z., Tsabary, R., Vaikuntanathan, V., Wee, H. (2017). Private Constrained PRFs (and More) from LWE. In: Kalai, Y., Reyzin, L. (eds) Theory of Cryptography. TCC 2017. Lecture Notes in Computer Science(), vol 10677. Springer, Cham. https://doi.org/10.1007/978-3-319-70500-2_10
Download citation
DOI: https://doi.org/10.1007/978-3-319-70500-2_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-70499-9
Online ISBN: 978-3-319-70500-2
eBook Packages: Computer ScienceComputer Science (R0)