Function-Revealing Encryption [chapter]

Marc Joye, Alain Passelègue
2018 Lecture Notes in Computer Science  
Multi-input functional encryption is a paradigm that allows an authorized user to compute a certain function (and nothing more) over multiple plaintexts given only their encryption. The particular case of two-input functional encryption has very exciting applications, including comparing the relative order of two plaintexts from their encrypted form (order-revealing encryption). While being extensively studied, multi-input functional encryption is not ready for a practical deployment, mainly for ... reasons. First, known constructions rely on heavy cryptographic tools such as multilinear maps. Second, their security is still very uncertain, as revealed by recent devastating attacks. In this work, we investigate a simpler approach towards obtaining practical schemes for functions of particular interest. We introduce the notion of function-revealing encryption, a generalization of order-revealing encryption to any multi-input function as well as a relaxation of multi-input functional encryption. We then propose a simple construction of order-revealing encryption based on function-revealing encryption for simple functions, namely orthogonality testing and intersection cardinality. Our main result is an efficient order-revealing encryption scheme with limited leakage based on the standard DLin assumption.

corresponds to a specific function f. Informally, this private key sk_f, given the encryption of a plaintext x, allows its holder to learn f(x), and nothing more. An important subclass of functional encryption is predicate encryption [10, 24]. A plaintext x is viewed as a pair (I, ẋ) where I is some attribute (associated to the message) and ẋ is the message itself; functionality f is then defined as f(I, ẋ) = ẋ if P(I) = 1, and ⊥ otherwise for a given predicate P. The function can be defined over multiple plaintexts given their corresponding ciphertexts. This gives rise to multi-input functional encryption introduced in [19, 8]. Of particular interest is the case of two-input functional encryption. Suppose that given two encrypted plaintexts, a cloud-based service wishes to compute their respective ordering. For a public comparison function, such a functionality is offered by order-revealing encryption (ORE) [6, 8].
We note that order-revealing encryption necessarily requires secret-key encryption as otherwise a binary search from the encryption of chosen plaintexts would yield bit-by-bit the decryption of a given target ciphertext using the ORE comparison procedure. ORE can thus be seen as a secret-key two-input functional encryption for (public) comparison. It is a very useful primitive as it allows one to answer queries over encrypted data, including range queries, sorting queries, searching queries, and more [1, 5].
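The binary-search argument above, as an added example that is not code from the paper: it shows why the encryption algorithm of any ORE scheme must stay behind the secret key. `ToyORE` is a constructed stand-in (a keyed, strictly increasing map, not the paper's DLin-based construction), and `recover_plaintext`, `compare` and `NBITS` are hypothetical names chosen for this sketch.

```python
import hashlib
import hmac
import secrets

NBITS = 32  # assumed plaintext domain: integers in [0, 2**NBITS)


class ToyORE:
    """Constructed toy scheme: c(x) = a*x + b + r(x) with 0 <= r(x) < a,
    so ciphertext order equals plaintext order. Illustration only."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._a = secrets.randbits(64) | (1 << 63)  # secret slope, >= 2**63
        self._b = secrets.randbits(64)              # secret offset

    def encrypt(self, x: int) -> int:
        mac = hmac.new(self._key, x.to_bytes(8, "big"), hashlib.sha256).digest()
        r = int.from_bytes(mac[:8], "big") % self._a  # keyed noise below the slope
        return self._a * x + self._b + r


def compare(c1: int, c2: int) -> int:
    """Public ORE comparison: -1, 0 or 1. Needs no key."""
    return (c1 > c2) - (c1 < c2)


def recover_plaintext(target_ct: int, encrypt_oracle, nbits: int = NBITS):
    """Binary search using only compare() and an encryption oracle.
    Each query halves the candidate range, i.e. fixes one plaintext bit."""
    lo, hi = 0, (1 << nbits) - 1
    queries = 0
    while lo < hi:
        mid = (lo + hi) // 2
        queries += 1
        if compare(encrypt_oracle(mid), target_ct) < 0:
            lo = mid + 1   # encrypted guess sorts below the target
        else:
            hi = mid       # target is at or below the guess
    return lo, queries


if __name__ == "__main__":
    scheme = ToyORE()
    secret_value = 0xC0FFEE          # constructed sample plaintext
    ct = scheme.encrypt(secret_value)
    # If encrypt() were a public-key operation, anyone could play this role.
    recovered, used = recover_plaintext(ct, scheme.encrypt)
    print(f"recovered {recovered:#x} with {used} encryption queries")
```

With a 32-bit domain the search always finishes in exactly 32 oracle calls, which is why a deployment that lets untrusted parties obtain encryptions of chosen values offers no confidentiality beyond the comparison function itself.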
doi:10.1007/978-3-319-98113-0_28 fatcat:yjoshcxtxzay7dcp762fmghny4