Search

US-20260128861-A1 - ADAPTIVELY SECURE RANDOMIZED MULTI-INPUT FUNCTIONAL ENCRYPTION SYSTEM AND METHOD

US20260128861A1US 20260128861 A1US20260128861 A1US 20260128861A1US-20260128861-A1

Abstract

The present disclosure provides a method for randomized multi-input functional encryption. A setup processor generates, for each input, a component for generating a proof, public-private key pairs, an obfuscated program for verifying ciphertexts and outputting a proof, and an encryption key. The setup processor generates a master secret key and transmits encryption keys to an encryption processor and the master secret key to a key generation processor. The encryption processor computes ciphertexts, generates proofs, and produces final ciphertexts. The key generation processor receives the master secret key and a randomized function, samples a PRF key, generates an obfuscated program, and transmits a function key to a decryption processor. The decryption processor receives the function key and ciphertexts, calculates a decryption result, and electronically stores the result.

Inventors

  • Pratish DATTA
  • Jiaxin Guan
  • Alexis Korb
  • Amit Sahai

Assignees

  • NTT RESEARCH, INC.

Dates

Publication Date
20260507
Application Date
20251107

Claims (20)

  1. 1 . A method for randomized multi-input functional encryption, comprising: (a) at a setup processor: (i) generating, for each input i in [n] where n is a number of inputs: (a) a component K i for use in generating a proof, wherein K i could be a pseudorandom function (PRF) key; (b) public-private key pairs ( pk i 0 , sk i 0 ) ⁢ and ⁢ ( pk i 1 , sk i 1 ) ; (c) an obfuscated program {tilde over (E)} i using pk i 0 , pk i 1 and K i , which program is configured for taking as input two different ciphertexts, verifying that the two ciphertexts are encryptions of an identical message, and outputting a proof π i that the two ciphertexts are encryptions of an identical message; (d) an encryption key EK i = ( pk i 0 , pk i 1 , E ~ i ) ; (ii) generating a master secret key MSK = { sk i 0 , sk i 1 , K i } i ∈ [ n ] ; (iii) transmitting at least one of the encryption keys {EK i } i∈[n] to at least one encryption processor; (iv) transmitting the master secret key MSK to a key generation processor; (b) at the at least one encryption processor, for each input x i : (i) computing a ciphertext c i 0 of x i using pk i 0 and a ciphertext c i 1 of x i using pk i 1 ; (ii) using {tilde over (E)} i to compute a proof π i c i 0 ⁢ and ⁢ c i 1 encrypt the same message; (iii) generating a ciphertext CT i = ( c i 0 , c i 1 , π i ) ; (c) at a key generation processor: (i) receiving the master secret key MSK from the setup processor, and a randomized function ƒ from a decryption processor; (ii) sampling a PRF key K ƒ used for generating randomness for evaluating the randomized functionalities ƒ on inputs x 1 , . . . , x n ; (iii) generating an obfuscated program {tilde over (G)} ƒ using MSK and K ƒ , which is configured for taking as input ciphertexts { CT i } = { ( c i 0 , c i 1 , π i ) } i ∈ [ n ] , verifying the proof π i for each ciphertext CT i , and outputting ƒ(x 1 , . . . , x n ) computed using randomness generated from K ƒ ; (iv) transmitting a function key {tilde over (G)} ƒ as SK ƒ to the decryption processor; (d) at the decryption processor: (i) receiving the function key SK ƒ from the key generation processor; (ii) receiving ciphertexts {CT i } i∈[n] from the encryption processor; (iii) calculating a decryption result as SK ƒ ({CT i } i∈[n] ) which is G ~ f ( { c i 0 , c i 1 , π i } i ∈ [ n ] ) ; and (iv) electronically storing the decryption result.
  2. 2 . The method of claim 1 where pk i 0 = sk i 0 ⁢ and ⁢ pk i 1 = sk i 1 for all i∈[n].
  3. 3 . The method of claim 1 , wherein the setup processor, encryption processor, key generation processor, and decryption processor are in electronic communication with each other through a secure network.
  4. 4 . The method of claim 1 , further comprising: (a) at the setup processor, generating and transmitting multiple sets of encryption keys {EK i } i∈[n] to multiple encryption entities; (b) at each encryption processor, generating ciphertexts for different inputs using the received encryption keys.
  5. 5 . The method of claim 1 , further comprising: (a) at the key generation processor, generating multiple function keys SK ƒ for different functions ƒ; (b) transmitting the generated function keys to one or more decryption entities.
  6. 6 . The method of claim 1 , wherein the obfuscated program is obtained by an indistinguishability obfuscation scheme i which satisfies the property that for any two equivalent circuits C 0 and C 1 , the distributions i (λ,C 0 ) and i (λ,C 1 ) are computationally indistinguishable, where λ is a security parameter.
  7. 7 . The method of claim 1 , wherein the proof π i is computed as PRF ⁡ ( K i , ( c i 0 , c i 1 ) ) , and the randomness for computing the function ƒ is computed as P ⁢ R ⁢ F ⁡ ( K f , ( c i 0 , c i 1 ) i ∈ [ n ] ) .
  8. 8 . A system for randomized multi-input functional encryption, comprising: (a) a setup processor configured to: (i) generate, for each input i in [n] where n is a number of inputs: (a) a component K i for use in generating a proof, wherein K i could be a pseudorandom function (PRF) key; (b) public-private key pairs ( p ⁢ k i 0 , sk i 0 ) ⁢ and ⁢ ( pk i 1 , sk i 1 ) ; (c) an obfuscated program {tilde over (E)} i using p ⁢ k i 0 , p ⁢ k i 1 and K i , which program is configured for taking as input two different ciphertexts, verifying that the two ciphertexts are encryptions of an identical message, and outputting a proof π i that the two ciphertexts are encryptions of an identical message; (d) an encryption key EK i = ( p ⁢ k i 0 , pk i 1 , E ~ i ) ; (ii) generate a master secret key MSK = { s ⁢ k i 0 , sk i 1 , K i } i ∈ [ n ] ; (iii) transmit at least one of the encryption keys {EK i } i∈[n] to at least one encryption processor; (iv) transmit the master secret key MSK to a key generation processor; (b) at least one encryption processor configured to, for each input x i : (i) compute a ciphertext c i 0 of x i using p ⁢ k i 0 and a ciphertext c i 1 of x i using p ⁢ k i 1 ; (ii) use {tilde over (E)} i to compute a proof π i that c i 0 ⁢ and ⁢ c i 1 encrypt the same message; (iii) generate a ciphertext C ⁢ T i = ( c i 0 , c i 1 , π i ) ; (c) a key generation processor configured to: (i) receive the master secret key MSK from the setup processor, and a randomized function ƒ from a decryption processor; (ii) sample a PRF key K ƒ used for generating randomness for evaluating the randomized functionalities ƒ on inputs x 1 , . . . , x n ; (iii) generate an obfuscated program {tilde over (G)} ƒ using MSK and K ƒ , which is configured for taking as input ciphertexts { C ⁢ T i } = { ( c i 0 , c i 1 , π i ) } i ∈ [ n ] , verifying the proof π i for each ciphertext CT i , and outputting ƒ(x 1 , . . . , x n ) compute using randomness generated from K ƒ ; (iv) transmit a function key {tilde over (G)} ƒ as SK ƒ to the decryption processor; (d) a decryption processor configured to: (i) receive the function key SK ƒ from the key generation processor; (ii) receive ciphertexts {CT i } i∈[n] from the encryption processor; (iii) calculate a decryption result as SK ƒ ({CT i } i∈[n] ) which is G ~ f ( { c i 0 , c i 1 , π i } i ∈ [ n ] ) ; and (iv) electronically store the decryption result.
  9. 9 . The system of claim 8 , wherein p ⁢ k i 0 = s ⁢ k i 0 ⁢ and ⁢ pk i 1 = s ⁢ k i 1 for all i∈[n].
  10. 10 . The system of claim 8 , wherein the setup processor, encryption processor, key generation processor, and decryption processor are in electronic communication with each other through a secure network.
  11. 11 . The system of claim 8 , wherein: (a) the setup processor is further configured to generate and transmit multiple sets of encryption keys {EK i } i∈[n] to multiple encryption entities; (b) each encryption processor is configured to generate ciphertexts for different inputs using the received encryption keys.
  12. 12 . The system of claim 8 , wherein: (a) the key generation processor is further configured to generate multiple function keys SK ƒ for different functions ƒ; (b) the key generation processor is further configured to transmit the generated function keys to one or more decryption entities.
  13. 13 . The system of claim 8 , wherein the obfuscated program is obtained by an indistinguishability obfuscation scheme i which satisfies the property that for any two equivalent circuits C 0 and C 1 , the distributions i (λ,C 0 ) and i (λ,C 1 ) are computationally indistinguishable, where λ is a security parameter.
  14. 14 . The system of claim 8 , wherein the proof π i is computed as P ⁢ R ⁢ F ⁡ ( K i , ( c i 0 , c i 1 ) ) , and the randomness for computing the function ƒ is computed as P ⁢ R ⁢ F ( K f , ( c i 0 , c i 1 ) i ∈ [ n ] ) .
  15. 15 . A non-transitory computer-readable medium storing instructions that, when executed by one or more processors, cause the one or more processors to perform a method for randomized multi-input functional encryption, the method comprising: (a) at a setup processor: (i) generating, for each input i in [n] where n is a number of inputs: (a) a component K i for use in generating a proof, wherein K i could be a pseudorandom function (PRF) key; (b) public-private key pairs ( p ⁢ k i 0 , s ⁢ k i 0 ) ⁢ and ⁢ ( p ⁢ k i 1 , s ⁢ k i 1 ) ; (c) an obfuscated program {tilde over (E)}z i using p ⁢ k i 0 , p ⁢ k i 1 and K i , which program is configured for taking as input two different ciphertexts, verifying that the two ciphertexts are encryptions of an identical message, and outputting a proof π i that the two ciphertexts are encryptions of an identical message; (d) an encryption key E ⁢ K i = ( p ⁢ k i 0 , p ⁢ k i 1 , E ~ i ) ; (ii) generating a master secret key M ⁢ S ⁢ K = { s ⁢ k i 0 , s ⁢ k i 1 , K i } i ∈ [ n ] ; (iii) transmitting at least one of the encryption keys {EK i } i∈[n] to at least one encryption processor; (iv) transmitting the master secret key MSK to a key generation processor; (b) at the at least one encryption processor, for each input x i : (i) computing a ciphertext c i 0 of x i using p ⁢ k i 0 and a ciphertext c i 1 of x i using p ⁢ k i 1 ; (ii) using {tilde over (E)} i to compute a proof π i that c i 0 ⁢ and ⁢ c i 1 encrypt the same message; (iii) generating a ciphertext C ⁢ T i = ( c i 0 , c i 1 , π i ) ; (c) at a key generation processor: (i) receiving the master secret key MSK from the setup processor, and a randomized function ƒ from a decryption processor; (ii) sampling a PRF key K ƒ used for generating randomness for evaluating the randomized functionalities ƒ on inputs x 1 , . . . , x n ; (iii) generating an obfuscated program {tilde over (G)} ƒ using MSK and K ƒ , which is configured for taking as input ciphertexts { C ⁢ T i } = { ( c i 0 , c i 1 , π i ) } , verifying the proof π i for each ciphertext CT i , and outputting ƒ(x i , . . . , x n ) computed using randomness generated from K ƒ ; (iv) transmitting a function key {tilde over (G)} ƒ as SK ƒ to the decryption processor; (d) at the decryption processor: (i) receiving the function key SK ƒ from the key generation processor; (ii) receiving ciphertexts {CT 2 } i∈[n] from the encryption processor; (iii) calculating a decryption result as SK ƒ ({CT i } i∈[n] ) which is G ~ f ( { c i 0 , c i 1 , π i } i ∈ [ n ] ) ; and (iv) electronically storing the decryption result.
  16. 16 . The non-transitory computer-readable medium of claim 15 , wherein p ⁢ k i 0 = s ⁢ k i 0 ⁢ and ⁢ p ⁢ k i 1 = s ⁢ k i 1 for all i∈[n].
  17. 17 . The non-transitory computer-readable medium of claim 15 , wherein the setup processor, encryption processor, key generation processor, and decryption processor are in electronic communication with each other through a secure network.
  18. 18 . The non-transitory computer-readable medium of claim 15 , wherein the method further comprises: (a) at the setup processor, generating and transmitting multiple sets of encryption keys {EK i } i∈[n] to multiple encryption entities; (b) at each encryption processor, generating ciphertexts for different inputs using the received encryption keys.
  19. 19 . The non-transitory computer-readable medium of claim 15 , wherein the method further comprises: (a) at the key generation processor, generating multiple function keys SK ƒ for different functions ƒ; (b) transmitting the generated function keys to one or more decryption entities.
  20. 20 . The non-transitory computer-readable medium of claim 15 , wherein the obfuscated program is obtained by an indistinguishability obfuscation scheme i which satisfies the property that for any two equivalent circuits C 0 and C 1 , the distributions i (λ,C 0 ) and i (λ,C 1 ) are computationally indistinguishable, where λ is a security parameter.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS This application claims the benefit of U.S. Provisional Application No. 63/717,827, filed Nov. 7, 2024, the entire contents of which are incorporated herein by reference for all purposes. FIELD OF THE INVENTION The present disclosure relates to functional encryption schemes, and more particularly to an adaptively secure randomized multi-input functional encryption scheme with unbounded-message security. BACKGROUND OF THE INVENTION Functional encryption (FE) has emerged as a powerful cryptographic primitive that enables fine-grained access control over encrypted data. In traditional public-key encryption schemes, decryption provides an all-or-nothing approach—either the entire plaintext is revealed or nothing at all. FE, on the other hand, allows for more nuanced control, where specific functions of the encrypted data can be computed without revealing the entire plaintext. As research in FE has progressed, there has been increasing interest in extending its capabilities to handle randomized functionalities. Randomized functional encryption (rFE) allows for the evaluation of randomized functions on encrypted data, opening up new possibilities for privacy-preserving computations and secure data analysis. This extension to randomized functionalities introduces additional complexities and security considerations that must be carefully addressed. Multi-input functional encryption (MIFE) further expands the scope of FE by allowing computations on multiple encrypted inputs. This capability is particularly valuable in scenarios involving distributed data sources or multi-party computations. The combination of randomized functionalities with multi-input settings gives rise to randomized multi-input functional encryption (rMIFE), a powerful tool with potential applications in areas such as privacy-preserving data mining, secure multi-party computation, and distributed machine learning. As with any cryptographic primitive, the security of rFE and rMIFE schemes is of paramount importance. Rigorous security definitions and proofs are essential to ensure that these schemes provide the intended level of protection against various types of attacks. Indistinguishability-based (IND) security definitions have been widely used in the context of functional encryption, as they provide a strong and intuitive notion of security. However, as the complexity of functional encryption schemes increases, particularly with the introduction of randomized functionalities and multi-input settings, it becomes crucial to carefully examine and refine existing security definitions. This ongoing process of refinement is necessary to ensure that security definitions accurately capture all relevant threat models and provide comprehensive protection against potential attacks. One area of particular concern in the context of rFE and rMIFE is the threat posed by malicious encryptors. Unlike traditional functional encryption schemes where the focus is primarily on protecting against malicious decryptors, rFE/rMIFE must also consider scenarios where the party generating the ciphertexts may attempt to subvert the system. This additional security requirement introduces new challenges in formulating robust and comprehensive security definitions. As research in this field continues to advance, there is a growing need for security definitions that not only address the capabilities of malicious decryptors but also provide strong guarantees against potential attacks by malicious encryptors. Such comprehensive security definitions are essential for building trust in rFE and rMIFE systems and enabling their widespread adoption in real-world applications. BRIEF SUMMARY OF THE INVENTION This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter. According to an aspect of the present disclosure, a method for randomized multi-input functional encryption is provided. The method includes, at a setup processor: generating, for each input i in [n] where n is a number of inputs to the multi-input functionalities: a component Ki for use in generating a proof, wherein Ki could be a pseudorandom function (PRF) key; public-private key pairs (pki0,ski0)⁢ and⁢ (pki1,ski1); an obfuscated program {tilde over (E)}i using pki0,pki1 and Ki, which program is configured for taking as input two different ciphertexts, verifying that the two ciphertexts are encryptions of an identical message, and outputting a proof πi that the two ciphertexts are encryptions of an identical message; and an encryption key E⁢Ki=(pki0,pki1,E~i). The method further includes generating a master secret key MSK={s⁢ki0,ski1,Ki}i∈[n]; transmitting at least one of the encryption keys {E