WO2023014969A1

WO2023014969A1 - Compact Adaptively Secure Functional Encryption For Attribute-Weighted Sums

Info

Publication number: WO2023014969A1
Application number: PCT/US2022/039569
Authority: WO
Inventors: Pratish DATTA; Tapas Pal
Original assignee: Ntt Research, Inc.
Priority date: 2021-08-06
Filing date: 2022-08-05
Publication date: 2023-02-09

Abstract

Adaptively simulation secure functional encryption systems, methods, network devices, and machine-readable media for attribute-weighted sums are implemented. A secret key corresponds to some weight function f, and decryption recovers a weighted sum. The schemes are built upon asymmetric bilinear groups of prime order and the security is derived under the standard (bilateral) k-Linear (k-Lin) assumption.

Description

Compact Adaptively Secure Functional Encryption For Attribute-Weighted Sums FIELD OF THE INVENTION The disclosure relates to functional encryption, and adaptively simulation secure func- tional encryption schemes for attribute-weighted sums. BACKGROUND OF THE INVENTION Functional encryption (FE) redefines the classical encryption procedure with the moti- vation to overcome the limitation of the “all-or-nothing” paradigm of decryption. In a traditional encryption system, there is a single secret key such that a user given a ci- phertext can either recover the whole message or learns nothing about it, depending on the availability of the secret key. FE in contrast provides fine grained access control over encrypted data by generating artistic secret keys according to the desired functions of the encrypted data to be disclosed. More specifically, in a public-key FE scheme for a function class F , there is a setup authority which produces a master secret key and pub- lishes a master public key. Using the master secret key, the setup authority can derive secret keys or functional decryption keys SK_f associated to functions f ∈ F . Anyone can encrypt messages msg belonging to a specified message space msg ∈ M using the master public key to produce a ciphertext CT. The ciphertext CT along with a secret key SK_f recovers the function of the message f(msg) at the time of decryption, while unable to extract any other information about msg. More specifically, the security of FE requires collusion resistance meaning that any polynomial number of secret keys together cannot gather more information about an encrypted message except the union of what each of the secret keys can learn individually. Prior work includes an FE scheme for a new class of functionalities termed as “attribute- weighted sums”. This is a generalization of inner product functional encryption (IPFE). In such a scheme, a database of N attribute-value pairs (x_i, z_i)_i=1,...,N are encrypted using the master public key of the scheme, where x_i is a public attribute (e.g., demographic data) and z_i is a private attribute containing sensitive information (e.g., salary, medical condition, loans, college admission outcomes). A recipient having a secret key corre- sponding to a weight function f can learn the attribute-weighted sum of the database, i.e., The attribute-weighted sum functionality appears naturally in several

real life applications. For instance, if we consider the weight function f as a boolean predicate, then the attribute-weighted sum functionality would correspond

to the average z_i over all users whose attribute x_i satisfies the predicate f . Important practical scenarios include average salaries of minority groups holding a particular job (z_i = salary) and approval ratings of an election candidate amongst specific demographic groups in a particular state (z_i = rating). Similarly, if z_i is boolean, then the attribute- weighted sum becomes This could capture for instance the number of and

average age of smokers with lung cancer (z_i = lung cancer, f = numbers/age). Other work considered a more general case of the notion where the domain and range of the weight functions are vectors over some finite field In particular, the database

consists of N pairs of public/private attribute vectors (x_i, z_i)_i=1,...,N which is encrypted to a ciphertext CT. A secret key SK_f generated for a weight function f allows a recipient to learn from CT without revealing any information about the private

attribute vectors (z_i)_i=1,...,N . To handle a large database where the number of users are not a-priori bounded, prior work considered the notion of unbounded-slot FE scheme for attribute-weighted sum. Thus, in their scheme, the number of slots N is not fixed while generating the system parameters and any secret key SK_f can decrypt an encrypted database having an arbitrary number of slots. Another advantage of unbounded-slot FE is that the same system parameters and secret keys can be reused for different databases with variable lengths, which saves storage space and reduces communication cost signifi- cantly. The unbounded-slot FE work supports expressive function class of arithmetic branch- ing programs (ABPs) which is capable of capturing boolean formulas, boolean span pro- grams, combinatorial computations, and arithmetic span programs. The FE scheme of prior work is built in asymmetric bilinear groups of prime order and is proven secure in the simulation-based security model, which is known to be the desirable security model for FE, under the k-Linear (k-Lin)/Matrix Diffie-Hellman (MDDH) assumption. More- over, their scheme enjoys ciphertext size that grows with the number of slots and the size of the private attribute vectors but is independent of the size of the public attribute vectors. Towards constructing an unbounded-slot scheme, prior work first constructed a one-slot scheme and then bootstrap to the unbounded-slot scheme via a semi-generic transformation. However, one significant limitation of the FE scheme of prior work is that the scheme only achieves semi-adaptive security. While semi-adaptive security, where the adversary is restricted to making secret key queries only after making the ciphertext queries, may be sufficient for certain applications, it is much weaker compared to the strongest and most natural notion of adaptive security which lets the adversary request secret keys both before and after making the ciphertext queries. Thus it is desirable to have an adaptively secure scheme for this important functionality that supports unbounded number of slots. One artifact of the standard techniques for proving adaptive security of FE schemes based on the so called dual system encryption methodology is the use of a core infor- mation theoretic transition limiting the appearance of an attribute in the description of the associated functions at most once (or an a-priori bounded number of times at the expense of ciphertext and key sizes scaling with that upper bound. Recently, others have presented advanced techniques to overcome the one-use restriction. However, their tech- niques were designed in the context of attribute-based encryption (ABE) where attributes are totally public. Currently, it is not known how to remove the one-use restriction in the context of adaptively secure FE schemes where attributes are not fully public as is the case for the attribute-weighted sum functionality. Thus, there is a need to solve the following open problem: To construct adaptively simulation-secure one-slot/unbounded- slot FE scheme for the attribute-weighted sum functionality with the weight functions expressed as arithmetic branching programs featuring compact ciphertexts, that is, hav- ing ciphertexts that do not grow with the number of appearances of the attributes within the weight functions, from the k-Lin assumption. BRIEF SUMMARY OF THE INVENTION In various embodiments, a computer-implemented method, computing device, and computer- readable storage media are disclosed. In one example embodiment for a computerized method for encrypting for a functional encryption scheme, the computer-implemented method, computing device, and computer-readable storage media can comprise: execut- ing a computerized setup algorithm, the setup algorithm comprising: executing a func- tional encryption setup algorithm twice to generate a set of master public-secret key pairs FE.MSK and FE.MPK and a set of master public-secret key pairs and

outputting a master secret key MSK as FE.MSK and and a master public key

MPK as FE.MPK and and storing the output master keys in an electronic setup

storage unit; executing a computerized key generation algorithm by: receiving the mas- ter secret key MSK as FE.MSK and

from the setup storage unit and a function f where f comprises sub-functions f_t, wherein t represents an integer index; sampling random values α,β_t such that the sum of all entries of β_t is 0; sampling random values r_t for input for a garbling procedure, wherein the garbling procedure randomizes a function comprising α, f_t,β_t, wherein α and β_t are secrets, and the garbling procedure outputs a set of label functions {ℓ_j,t} where j runs over the number of label functions; setting values v as α and generating an FE secret key FE.SK for the values v; setting values v_1,t comprising ℓ_1,t,α, and generating an FE secret key FE.SK_1,t for the values v_1,t; setting values v_j,t as ℓ_j,t, and generating a FE secret key FE.SK_j,t for the values v_j,t; setting values v̂_t comprising r_t,α; generating a functional encryption secret key

_t for the values v̂_t; and outputting the secret key SK_f as FE.SK, {FE.SK_j,t}, and f , and storing

the output in an electronic key generation storage unit. Further embodiments can include encryption comprising: receiving the master public key MPK as FE.MPK and one or more public attributes x, and one or more

private attributes z; sampling randomness s and setting values u comprising s, x, and computing FE ciphertext FE.CT for the value u; setting values h_t comprising of s and z, and computing FE ciphertext F̂E.CT_t for the value h_t; and outputting the ciphertext CT as FE.CT and and storing the output in an electronic encryption device storage

unit. Further embodiments can include decryption comprising: receiving the function f and the secret key SK_f for function f ; receiving one or more public attributes x and a ciphertext CT for x; retrieving FE.SK, FE.SK_j,t, from SK_f and retrieving FE.CT and from CT; retrieving sub-func

tions f_t from the function f ; decrypting FE.CT by running the decryption algorithm of FE using the secret key FE.SK and get a value ρ; decrypting FE.CT by running the decryption algorithm of FE using the secret key FE.SK_j,t and get a value ℓ_j,t; decrypting by running the decryption algorithm of

FE using the secret key and get a value ℓ_t; running the evaluation algorithm of

the garbling scheme using the values ℓ_j,t, ℓ_t and the one or more public attributes x and the sub-function f_t, and get a value d; and recovering the functional value µ from ρ and d, and outputting the value µ as the plaintext and storing the output in an electronic decryption device storage unit. In further embodiments, the first set is for encrypting a public part of attributes and the second set is for use in encrypting a private part of the attributes. BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are included to provide further understanding and are incorporated in and constitute a part of this specification, illustrate disclosed embod- iments, and together with the description, serve to explain the principles of the disclosed embodiments. In the drawings: Fig. 1 illustrates an example embodiment of the present invention for a functional encryption system that is adaptively secure for attribute-weighted sums. Fig. 2 illustrates an example system architecture for a functional encryption system that is adaptively secure for attribute-weighted sums. Fig. 3 illustrates an example computer system architecture for implementing the claimed systems and methods. Fig. 4 illustrates further details of an example computer system architecture for implementing the claimed systems and methods. DETAILED DESCRIPTION As disclosed herein, we resolve the above open problem. More precisely, we make the following contributions. (a) We start by presenting the first one-slot FE scheme for the attribute-weighted sum functionality with the weight functions represented as ABPs that achieves adap- tive simulation-based security and compact ciphertexts, that is, the ciphertext size is independent of the number of appearances of the attributes within the weight functions. The scheme is secure against an adversary who is allowed to make an a-priori bounded number of ciphertext queries and an unbounded (polynomial) number of secret key queries both before and after the ciphertext queries, which is the best possible level of security one could hope to achieve in adaptive simulation- based framework. Since simulation-based security also implies indistinguishability- based security and indistinguishability-based security against single and multiple ciphertexts are equivalent, the proposed FE scheme is also adaptively secure in the indistinguishability-based model against adversaries making unbounded number of ciphertext and secret key queries in any arbitrary order. (b) We next bootstrap our one-slot scheme to an unbounded-slot scheme that also achieves simulation-based adaptive security against a bounded number of ciphertext queries and an unbounded polynomial number of secret key queries. Just like our one-slot scheme, the ciphertexts of our unbounded-slot scheme also do not depend on the number of appearances of the attributes within the weight functions. However, the caveat here is that the number of pre-ciphertext secret key queries is a priori bounded and all parameters of the scheme, namely, the master public key, ciphertexts, and secret keys scale linearly with that upper bound. The disclosed FE schemes are built upon asymmetric bilinear groups of prime or- der. We prove the security of our FE schemes based on the standard (bilateral) k-Lin/ (bilateral) MDDH assumption(s). Thus our results can be summarized as follows. Theorem 1 (Informal) Under the (bilateral) k-Lin/MDDH assumption(s), there exist adaptively simulation secure one-slot/unbounded-slot FE scheme for attribute-weighted sums against a bounded number of ciphertext and an unbounded number of secret-key queries, and having compact ciphertexts, that is, without the one-use restriction, in bilin- ear groups of prime order. The bilateral MDDH assumption is the plain MDDH assumption except that the el- ements are available in the exponents of both source groups of a bilinear group simul- taneously. This assumption has recently been utilized in the context of achieving FE for quadratic functions in the standard model and broadcast encryption scheme with O(N^1/3) parameter sizes from bilinear maps, where N is the total number of users in the system. Unlike prior work, our construction is semi-generic and is built upon two cryp- tographic building blocks, namely a slotted inner product functional encryption (IPFE), which is a hybrid of a public-key IPFE and a private-key function-hiding IPFE, and an information theoretic primitive called arithmetic key garbling scheme (AKGS). For boot- strapping from one-slot to unbounded-slot construction, we make use of a semi-generic transformation, but analyze its security in the adaptive simulation-based setting as op- posed to the semi-adaptive setting. By attribute-hiding, we mean the so-called “strong” attribute-hiding, as stipulated by the security definitions of FE, meaning that private attributes must remain hidden even to decryptors who are able to perform a successful decryption. FE schemes under standard computational assumptions. The techniques of prior work are developed to achieve compact ciphertexts, that is, without the one-use restriction in the context of indistinguishability-based adaptively secure ABE (that is, for payload-hiding security and not attribute-hiding). In this work, we extend their techniques to overcome the one-use restriction into the context of adaptive simulation-based attribute-hiding security for the first time. The high level approach of prior work to mitigate the one-use restriction is to replace the core information theoretic step of the dual system technique with a computational step. However the application of this strategy in their framework crucially rely on the payload hiding security requirement, that is, the adversaries are not allowed to query secret keys that enable a successful decryption. In contrast, in the setting of attribute-hiding, adversaries are allowed to request secret keys enabling successful decryption and extending the technique of prior work into this context appears to be non-trivial. We resolve this by developing a three-slot variant of their framework, integrating the pre-image sampleability of the inner product functionality, and carefully exploiting the structures of the underlying building blocks, namely AKGS and slotted IPFE. Herein is disclosed the first adaptively simulation secure functional encryption (FE) schemes for attribute-weighted sums. In such an FE scheme, encryption takes as input N pairs of attribute {(x_i, z_i)}_{i∈[N ]} for some N ∈ N where the attributes {x_i}_{i∈[N ]} are public while the attributes {z_i}_{i∈[N ]} are private. The indices i ∈ [N ] are referred to as the slots. A secret key corresponds to some weight function f , and decryption recovers the weighted sum This is an important functionality with a wide range of potential real l

ife applications. In the proposed FE schemes attributes are viewed as vectors and weight functions are arithmetic branching programs (ABP). We present two schemes with varying parameters and levels of adaptive security. (a) We first present a one-slot scheme that achieves adaptive security in the simulation- based security model against a bounded number of ciphertext queries and an arbi- trary polynomial number of secret key queries both before and after the ciphertext queries. This is the best possible level of security one can achieve in the adap- tive simulation-based framework. From the relations between the simulation-based and indistinguishability-based security frameworks for FE, it follows that the pro- posed FE scheme also achieves indistinguishability-based adaptive security against an a-priori unbounded number of ciphertext queries and an arbitrary polynomial number of secret key queries both before and after the ciphertext queries. More- over, the scheme enjoys compact ciphertexts that do not grow with the number of appearances of the attributes within the weight functions. (b) Next, bootstrapping from the one-slot scheme, we present an unbounded-slot scheme that achieves simulation-based adaptive security against a bounded number of ci- phertext and pre-ciphertext secret key queries while supporting an a-priori un- bounded number of post-ciphertext secret key queries. The scheme achieves public parameters and secret key sizes independent of the number of slots N and a secret key can decrypt a ciphertext for any a-priori unbounded N . Further, just like the one-slot scheme, this scheme also has the ciphertext size independent of the number of appearances of the attributes within the weight functions. However, all the pa- rameters of the scheme, namely, the master public key, ciphertexts, and secret keys scale linearly with the bound on the number of pre-ciphertext secret key queries. Our schemes are built upon asymmetric bilinear groups of prime order and the security is derived under the standard (bilateral) k-Linear (k-Lin) assumption. Our work resolves an open problem posed by an unbounded-slot FE scheme for attribute-weighted sum achiev- ing only semi-adaptive simulation security. At a technical level, the invention extends the adaptive security framework devised to achieve compact ciphertexts in the context of indistinguishability-based payload-hiding security into the setting of simulation-based adaptive attribute-hiding security. Technical Overview In this section, we present our main technical ideas. Let G = (G₁,G₂,G_T , g₁, g₂, e) be a bilinear group of prime order p and [[a]]_i denotes for any a ∈ Z_p and i ∈ {1, 2, T},

which notation can also be extended in case of vectors and matrices. At the top most level of strategy, we first design an adaptively simulation-secure one-slot FE scheme and then apply a compiler to bootstrap to an unbounded-slot scheme. For the later part, we use a known compiler, however, the known compiler only works in the context of semi- adaptive security, that is, the compiler can bootstrap a semi-adaptively secure one-slot FE scheme to a semi-adaptively secure unbounded-slot scheme. In contrast, we analyze the security of the same transformation in the context of the simulation-based adaptive security framework. We observe that in order to prove the adaptive security for the compiler, the (bilateral) k-Lin/(bilateral) MDDH assumption is needed whereas for semi- adaptive security, the plain k-Lin/MDDH was sufficient. Moreover, we are only able to establish the simulation-based adaptive security for the transformation for settings where only a bounded number of secret-key queries are allowed prior to making the ciphertext queries. The technical ideas disclosed herein lie in the design and analysis of our one-slot scheme which we describe first in this technical overview. Next, we would briefly explain the modifications to our one-slot scheme leading to our extended one-slot scheme, followed by explaining our analysis of the one-slot to an unbounded-slot bootstrapping compiler applied on our one-slot extended FE (extFE) scheme. Recall that the adaptive simulation security of an FE scheme is proven by showing the indistinguishability between a real game with all the real algorithms and an ideal game where a simulator simulates all the ciphertexts and secret keys queried by the adversary. When an adversary makes a pre-ciphertext query for some function f , the simulator provides the secret key to the adversary. When the adversary makes a challenge ciphertext query for an attribute vector pair (x, z), the simulator receives the information of x but not z. Instead it receives the functional values f(x)^⊤z for all the pre-ciphertext secret keys. Based on this information, the simulator must simulate the challenge ciphertext. Finally, when an adversary makes a secret-key query for some function f after making a ciphertext query, the simulator receives f along with the functional value f(x)^⊤z for that key and simulates the key based on this information. Designing Adaptively Simulation Secure One-slot extFE Arithmetic Key Garbling Schemes The notion is called arithmetic key garbling scheme (AKGS) which garbles a function

_{p p} along with two secrets α, β ∈ Z_p so that the evaluation with an input gives the value αf(x) + β. Note that the

evaluation does not reveal any information about α and β. In particular, the AKGS has the following algorithms: • (ℓ₁, ... , ℓ_m+1) ← Garble(αf(x)+β; r): The garbling algorithm outputs (m+1) affine label functions L₁, ... , L_m+1, described by their coefficient vectors ℓ₁, ... , ℓ_m+1 over Z_p, using the randomness where (m+1) denotes the size of the function f .

• γ ← Eval(f,x, ℓ₁, ... , ℓ_m+1): The linear evaluation procedure recovers γ = αf(x)+ β using the input x and the label function values ℓ_j = L_j(x) = ℓ_j · (1,x) ∈ Z_p. AKGS is a partial garbling process as it only hides α, β which is captured by the usual simulation security. The simulator produces simulated labels (ℓ̂₁, ... , ℓ̂_m+1) ← SimGarble(f,x, αf(x) + β) which is the same distribution as the actual label function values evaluated at input x. Function-Hiding Slotted IPFE A private-key function-hiding inner product func- tional encryption (IPFE) scheme based on a bilinear group G = (G₁,G₂,G_T , g₁, g₂, e) generates secret keys IPFE.SK for vectors and produces ciphertexts IPFE.CT

for vectors [[u]]₁ ∈ Gⁿ 1 using the master secret key of the system. Both the key gener- ation and encryption algorithm perform linear operations in the exponent of the source groups G₂,G₁ respectively. The decryption recovers the inner product [[v · u]]_T ∈ G_T in the exponent of the target group. The sizes of the secret keys, IPFE.SK, and ciphertexts, IPFE.CT, in such a system grow linearly with the sizes of the vectors v and u respectively. Roughly, the function-hiding security of an IPFE ensures that no information about the vectors v,u is revealed from IPFE.SK and IPFE.CT except the inner product value v · u which is trivially extracted using the decryption algorithm. One slotted version of IPFE is a hybrid between a secret-key function-hiding IPFE and a public-key IPFE. The index set of the vectors u is divided into two subsets: public slots S_pub and private slot S_priv so that the vector u is written as u = (u_pub ∥ u_priv). With addition to the usual (secret- key) encryption algorithm, the slotted IPFE has another encryption algorithm that uses the master public key of the system to encrypt the public slots of u, i.e. vectors with u_priv = 0. The slotted IPFE preserves the function-hiding security with respect to the private slots only as anyone can encrypt arbitrary vectors into the public slots. Our One-Slot FE. We aim to design our decryption algorithm such that given a secret key for a weight function ABP f with coordinate functions f₁, ... , f_n ^′ : Zⁿ p → Z_p and an encryption of an

attribute vector pair

_{p p} the decryption algorithm would first recover the value for each coordinate z[t]f_t(x) masked with a random scalar β_t, that is, z[t]f_t(x)+β_t and then sum over all these values to obtain the desired functional value (we take the scalars {β_t}_t∈[n ^′ _] such that mod p). Thus we want our key

generation algorithm to use AKGS to garble the functions z[t]f_t(x) + β_t. Note that here, β_t is a constant but z[t] is a variable. While doing this garbling, we also want the label functions to involve either only the variables x or the variable z[t]. This is because, in the construction we need to handle x and z[t] separately since x is public whereas z[t] is private. This is unlike prior work which garbles αf(x) + β where both α, β are known constants and only x is a variable. To solve this issue, we garble an extended ABP where we extend the original ABP f_t by adding a new sink node and connecting the original sink node of f_t to this new sink node with a directed edge labeled with the variable z[t]. We also make use of a particular instantiation of AKGS where we observe that the first m coefficient vectors ℓ_1,t, ... , ℓ_m,t are independent of z[t] and the last coefficient vector ℓ_m+1,t involves only the variable z[t]. In the setup phase, two pairs of IPFE keys (IPFE.MSK, IPFE.MPK) and for a slotted IPFE are generated for

appropriate public and private index sets. The first instance of IPFE is used to handle the public attributes x, whereas the second instance for the private attributes z. Let f = (f₁, ... , f_n ^′) be a given weight function ABP such that is

the t-th coordinate ABP of f . To produce a secret-key SK_f , we proceed as follows: t ^k ∑ • Sample vectors α,β ← Z_p such that _t∈[n′_] β_t[ι] = 0 mod p ∀ι ∈ [k] • Suppose we want to base the security of the proposed scheme under the MDDH_k assumption. Generate k instances of the garblings (ℓ(ι) 1_,t, ... , ℓ(ι) m_+1,t) ← Garble(α[ι]z[t]f_t(x) + β_t[ι]; r_t ^(ι) ) for ι ∈ [k] where r_t ^(ι) ← Z^m p . Using an instantiation of AKGS, we have that the (m+1)-th label functions L(ι) m+1,t take the form L(ι) (z[t]) = α ^(ι) m_+1,t [ι]z[t]− r_t [m] with α[ι] a constant. • Compute the IPFE secret keys

Here, we separate public and private slots by “ ∥ ” and 0 denotes a vector of all zero elements. Now, to produce a ciphertext CT for some attribute vectors (x, z), we use the following steps: • Sample s ← Z^k p and use the slotted encryption of IPFE to compute the ciphertexts

where ⊗ denotes the tensor product.

Decryption first uses IPFE.Dec to compute v · u = [[α · s]]_T (1) ∑ v_j,t · u = [[ s[ι](ℓ(ι) j_,t · (1,x))]]_T = [[ℓ_j,t]]_T for j ∈ [m], t ∈ [n^′] (2) ∑ ι v_m+1,t · h_t = [[ s[ι](α[ι]z[t]− r_t ^(ι) [m])]]_T = [[ℓ_m+1,t]]_T for t ∈ [n^′] (3) ι and then apply the evaluation procedure of AKGS to get Eval(f_t,x, [[ℓ_1,t]]_T , ... , [[ℓ_m+1,t]]_T ) = [[(α · s) · z[t]f_t(x) + β_t · s]]_T . (4) Finally, multiplying all these evaluated values and utilizing the fact ∑ recover

The Simulator for Our One-Slot FE Scheme We now describe our simulator of the adaptive game for our one-slot FE scheme. Note that the private slots on the right side of “ ∥ ” will be used by the simulator and we program them during the security analysis. For the q-th secret-key query corresponding to a function f_q = (f_q,1, ... , f_q,n ^′), the simulator sets public slots of all the vectors v_q,v_q,j,t for j ∈ {1, ... ,m_q + 1} as in the original key generation algorithm. Instead of using the linear combination of the label vectors, the simulator uses freshly sampled garblings to set the private slots. The pre-challenge secret key SK_fq takes the form

where

0 mod p. We write 0_ξ as a vector of length ξ with all zero elements. To simulate the ciphertext for the challenge attribute x^∗, the simulator uses the set of all functional values V = {(f_q, f_q(x^∗)^⊤z^∗) : q ∈ [Q_pre]} to compute a dummy vector d satisfying f_q(x^∗)^⊤d = f_q(x^∗)^⊤z^∗ for all q ∈ [Q_pre]. Since the inner product functionality is pre- image sampleable and both f_q,x^∗ are known to the simulator, a dummy vector d can be efficiently computed via a polynomial time algorithm. The simulated ciphertext becomes IPFE.CT = IPFE.Enc(IPFE.MSK, [[0_k,0_kn ∥ 1,x^∗,0_n ^′ ,0_n ^′ ]]₁) IP ^̂FE.CT_t = IPFE.Enc(IPF ^̂E.MSK, [[0_k,0_k ∥ 1, 0,−1,d[t], 0, 0, 0]]₁) The post-challenge secret-key query for the q-th function f_q = (f_q,1, ... , f_q,n ^′) with q > Q ∑_pre is answered using the simulator of AKGS. In particular, we choose β_q,t ← Z_p satisfying t_∈[n′_] β_q,t = 0 mod p and compute the simulated labels as follows:

Note that, for post-challenge secret keys the functional value f_q(x^∗)^⊤z^∗ is known and hence the simulator can directly embed the value into the secret keys. The post-challenge secret key SK_fq takes the form

Bootstrapping from One-Slot FE to Unbounded-Slot FE Prior work includes a compiler that upgrades the one-slot FE into an unbounded-slot FE scheme where the number of slots N can be arbitrarily chosen at the time of encryption. The transformation also preserves the compactness of ciphertexts of the underlying one- slot scheme. However, their transformation actually needs a one-slot extFE scheme as defined above. Preliminaries In this section, we provide the necessary definitions and backgrounds that will be used in the sequence. Notations We denote by λ the security parameter that belongs to the set of natural number N and 1^λ denotes its unary representation. We use the notation s ← S to indicate the fact that s is sampled uniformly at random from the finite set S. For a distribution X , we write x ← X to denote that x is sampled at random according to distribution X . A function negl : N → R is said to be a negligible function of λ, if for every c ∈ N there exists a λ_c ∈ N such that for all λ > λ_c, |negl(λ)| < λ^−c. Let Expt be an interactive security experiment played between a challenger and an adversary, which always outputs a single bit. We assume that Expt^C A is a function of λ and it is parametrized by an adversary A and a cryptographic protocol C. Let Expt^C A^,0 and Expt^C,1 A be two such experiment. The experiments are computationally/statistically indistinguishable if for any PPT/computationally unbounded adversary A there exists a negligible function negl such that for all λ ∈ N,

We write

if they are computationally indistinguishable (or simply in- distinguishable). Similarly, means statistically indistinguishable and 1

means they are identically distributed.

For n ∈ N, we denote [n] the set {1, 2, ... , n} and for n,m ∈ N with n < m, we denote [n,m] be the set {n, n+ 1, ... ,m}. We use lowercase boldface, e.g., v, to denote column vectors in Zⁿ p and uppercase boldface, e.g.,M, to denote matrices in Zⁿ p^×m for p, n,m ∈ N. The i-th component of a vector v ∈ Zⁿ p is written as v[i] and the (i, j)-th element of a matrix M ∈ Zⁿ p^×m is denoted by M[i, j]. The transpose of a matrix M is denoted by M^⊤ such that M^⊤[i, j] = M[j, i].To write a vector of length n with all zero elements, we write 0_n or simply 0 when the length is clear from the context. Let u,v ∈ Zⁿ p , then the inner product between the vectors is denoted as

Let f : Zⁿ p → Z_p be an affine function with coefficient vector f ∑ = (f [const], f [coef₁], ... , f [coef_n]). Then for any x ∈ Zⁿ p , we have f(x) = f [const] + i_∈[n] f [coef_i]x[i] ∈ Z_p. Bilinear Groups and Hardness Assumptions We use a pairing group generator G that takes as input 1^λ and outputs a tuple G = (G₁,G₂,G_T , g₁, g₂, e) where G₁,G₂,G_T are groups of prime order p = p(λ) and g_i is a generator of the group G_i for i ∈ {1, 2}. The map e : G₁×G₂ → G_T satisfies the following properties: – bilinear : e(g₁ ^a , gb 2) = e(g₁, g₂)^ab for all a, b ∈ Z_p. – non-degenerate: e(g₁, g₂) generates G_T . The group operations in G_i for i ∈ {1, 2, T} and the map e are efficiently computable in deterministic polynomial time in the security parameter λ. For a matrix A and each i ∈ {1, 2, T}, we use the notation [[A]]_i to denote g_i ^A where the exponentiation is element- wise. The group operation is written additively while using the bracket notation, i.e. [[A_i +B]]_i = [[A]] + [[B]]_i for matrices A and B. Observe that, given A and [[B]]_i, we can efficiently compute [[AB]]_i = A · [[B]]_i. We write the pairing operation multiplicatively, i.e. e([[A]]₁, [[B]]₂) = [[A]]₁[[B]]₂ = [[AB]]_T . Assumption 1 (Matrix Diffie-Hellman Assumption) Let k = k(λ), ℓ = ℓ(λ), q = q(λ) be positive integers. We say that the MDDH^q k_,ℓ assumption holds in G_i (i ∈ {1, 2, T}) if for all PPT adversary A there exists a negligible function negl such that

Prior work showed that the k-Linear (k-Lin) assumption impliesMDDH¹ an 1 k_,k+1 dMDDHk,k+1 implies MDDH^q k_,ℓ for all k, q ∈ N and ℓ > k with a tight security reduction. Henceforth, we will use MDDH to denote MD 1 k DH_k,k+1. We consider bilateral MDDH^q assumption which is a str q k_,ℓ engthening of the MDDHk,ℓ assumption. The bilateral MDDH^q k_,ℓ assumption is defined as follows. Assumption 2 (Bilateral Matrix Diffie-Hellman Assumption) Let k = k(λ), ℓ = ℓ(λ), q = q(λ) be positive integers. We say that the bilateral MDDH^q q k_,ℓ (bMDDH_k,ℓ) as- sumption holds if for all PPT adversary A there exists a negligible function negl such that bMDDH^q Adv _k,ℓ _A (λ) = |Pr[1 ← A(G, {[[A]]_i, [[S^⊤A]]_i}_i∈{1,2})]−Pr[1 ← A(G, {[[A]]_i, [[U]]_i}_i∈{1,2})]| l( )

Arithmetic Branching Program Arithmetic Branching Program (ABP) is a computational model that can be used to model boolean formula, boolean branching program or arithmetic formula through a linear time reduction with a constant blow-up in their respective sizes. In this work, we consider ABP over Z_p. Definition 1 (Arithmetic Branching Program) An arithmetic branching program (ABP) over Zⁿ p is a weighted directed acyclic graph (V,E, ϕ, v₀, v₁), where V is the set of all vertices, E is the set of all edges, ϕ : E → (Zⁿ p → Z_p) specifies an affine weight function for each edge, and v₀, v₁ ∈ V are two distinguished vertices (called the source and the sink respectively). The in-degree of v₀ and the out-degree of v₁ are 0. It computes a function f : Zⁿ p → Z_p given by ∑ ∏

where P is the set of all v₀-v₁ path and e ∈ P denotes an edge in the path P ∈ P. The size of the ABP is |V |, the number of vertices.

The class of ABP can be extended in a coordinate-wise manner to a ABPs f : Zⁿ p → Z^n′ p . More precisely, an ABP f : Zⁿ p → Z^n′ p has all its weight functions ϕ = (ϕ₁, ... , ϕ_n ^′) : E → (Zⁿ p → Z^n′ p ) with each coordinate function ϕ_t for t ∈ [n^′] of ϕ being an affine function in x having scalar constants and coefficients. Therefore, such a function f can be viewed as f = (f₁, ... , f_n ^′) with each coordinate function f_t : Zⁿ p → Z_p being an ABP that has the same underlying graph structure as that of f and having ϕ_t : E → (Zⁿ p → Z_p) as the weight functions. The class of all such functions is given by

Thus

can alternatively be viewed as

Lemma 1 be an ABP of size m and v₀, v₂, ... , v_m−1, v₁

be stored topologically. Let M be a square matrix of order (m− 1) defined by

Then the entries of M are affine in x and f(x) = det(M). Functional Encryption for Attribute-Weighted Sum We formally present the syntax of FE for attribute-weighted sum and define adaptive simulation security of the primitive. We consider the function class and message

space

Definition 2 (The Attribute-Weighted Sum Functionality) For any n, n^′ ∈ N, the c^{lass of attribute-weighted sum functionalities is defined as}

Definition 3 (Functional Encryption for Attribute-Weighted Sum) An unbounded- slot FE for attribute-weighted sum associated to the function clas and the message

space M consists of four PPT algorithms defined as follows: up(1^λ ′ Set , 1ⁿ, 1ⁿ ) The setup algorithm takes as input a security parameter λ along with two positive integers n, n^′ representing the lengths of message vectors. It outputs the master secret-key MSK and the master public-key MPK. KeyGen(MSK, f) The key generation algorithm takes as input MSK and a function

It outputs a secret-key SK_f and make f available publicly. Enc(MPK, (x_i, z_i)_{i∈[N ]}) The encryption algorithm takes as input MPK and a message (x_i, z_i)_{i∈[N ]} ∈ (Zⁿ p × Z^n′ p )^∗. It outputs a ciphertext CT and make (x_i)_{i∈[N ]} available publicly. Dec((SK_f , f), (CT, (x_i)_{i∈[N ]})) The decryption algorithm takes as input SK_f and CT along with f and (x_i)_{i∈[N ]}. It outputs a value in Z_p. Correctness The unbounded-slot FE for attribute-weighted sum is said to be correct

We consider adaptively simulation-based security of FE for attribute-weighted sum. Definition 4 Let (Setup, KeyGen, Enc, Dec) be an unbounded-slot FE for attribute- weighted sum for function class and message space M. The scheme is said to

be (Q_pre, Q_CT, Q_post)-adaptively sim

ulation secure if for any PPT adversary A making at most Q_CT ciphertext queries and Q_pre, Q_post secret key queries before and after the ci- phertext queries respectively, we have

where the experiments are defined as follows. Also, an unbounded-slot FE for attribute-weighted sums is said to be (poly, Q_CT, poly)-adaptively simulation secure if it is (Q_pre, Q_CT, Q_post)- adaptively simulation secure as well as Q_pre and Q_post are unbounded polynomials in the security parameter λ.

Function-Hiding Slotted Inner Product Functional Encryption A slotted inner product functional encryption (slotted IPFE) is a hybrid variant of secret- key and public-key IPFE. More specifically, the index set S of the vectors is partitioned into two sets S_pub containing public slots and S_priv containing the private slots. While computing secret-keys, the slotted IPFE encodes elements of the vector in public/private slots using the master secret-key, similar to the case of secret-key IPFE. However, the encryption procedure is only allowed to encode vector elements in the public slots using master public-key as is the case for public-key IPFE. It has been demonstrated that slotted IPFE lets us use the dual system encryption techniques during the security analysis of the cryptographic constructions built from it. We consider the definition of slotted IPFE with respect to some pairing group , that is, all the vectors and inner products in the scheme are encoded in the exponent of the underlying pairing group. Definition 5 (Slotted Inner Product Functional Encryption) Let G = (G₁,G₂, G_T , g₁, g₂, e) be a tuple of pairing groups of prime order p. A slotted inner product functional encryption (IPFE) scheme based on G consists of 5 efficient algorithms:

Correctness The correctness of a slotted IPFE scheme requires the following two prop- erties. _{= 1}

Lemma 2 Let G = (G₁,G₂,G_T , g₁, g₂, e) be a tuple of pairing groups of prime order p and k ≥ 1 an integer constant. If MDDH_k holds in both groups G₁,G₂, then there is an adaptively function-hiding secure IPFE scheme based on G. Arithmetic Key Garbling Scheme Prior work introduced arithmetic key garbling scheme (AKGS). The notion of AKGS is an information theoretic primitive, inspired by randomized encodings and partial garbling schemes. It garbles a function f : Zⁿ p → Z_p (possibly of size (m + 1)) along with two secrets z, β ∈ Z_p and produces affine label functions L₁, ... , L_m+1 : Zⁿ p → Z_p. Given f , an input x ∈ Zⁿ p and the values L₁(x), ... , L_m+1(x), there is an efficient algorithm which computes zf(x) + β without revealing any information about z and β. Definition 6 (Arithmetic Key Garbling Scheme (AKGS)) An arithmetic garbling scheme (AKGS) for a function class F = {f}, where f : Zⁿ p → Z_p, consists of two efficient algorithms: Garble(zf(x) + β) The garbling is a randomized algorithm that takes as input a de- scription of the function zf(x) + β with f ∈ F and scalars z, β ∈ Z_p where z,x are treated as variables. It outputs (m+ 1) affine functions L₁, ... , L_m+1 : Zⁿ p⁺¹ → Z_p which are called label functions that specifies how input is encoded as labels. Pragmatically, it outputs the coefficient vectors ℓ₁, ... , ℓ_m+1. Eval(f,x, ℓ₁, ... , ℓ_m+1) The evaluation is a deterministic algorithm that takes as input a function f ∈ F , an input vector x ∈ Zⁿ p and integers ℓ₁, ... , ℓ_m+1 ∈ Z_p which are supposed to be the values of the label functions at (x, z). It outputs a value in Z_p. Correctness The AKGS is said to be correct if for all f : Zⁿ p → Z_p ∈ F , z, β ∈ Z_p and x ∈ Zⁿ p , we have

The scheme have deterministic shape, meaning that m is determined solely by f , inde- pendent of z, β and the randomness in Garble. The number of label functions, (m + 1), is called the garbling size of f under this scheme. Linearity The AKGS is said to be linear if the following conditions hold: • Garble(zf(x) + β) uses a uniformly random vector r ← Z^m′ p as its randomness, where m^′ is determined solely by f , independent of z, β. • The coefficient vectors ℓ₁, ... , ℓ_m+1 produced by Garble(zf(x) + β) are linear in (z, β, r). • Eval(f,x, ℓ₁, ... , ℓ_m+1) is linear in ℓ₁, ... , ℓ_m+1. Simulation-Based Security Herein, we consider linear AKGS for our application. Now, we state the usual simulation-based security of AKGS, which is similar to the security of partial garbling scheme. An AKGS = (Garble, Eval) for a function class F is secure if there exists an efficient algorithm SimGarble such that for all f : Zⁿ p → Z_p, z, β ∈ Z_p and x ∈ Zⁿ p , the following distributions are identically distributed: { }

The simulation security of AKGS is used to obtain semi-adaptive or selective security of FE for attribute-weighted sum, however it is not sufficient for achieving adaptive security. We consider the piecewise security of AKGS where it was used to get adaptive security for ABE. Definition 7 (Piecewise Security of AKGS) An AKGS = (Garble, Eval) for a func- tion class F is piecewise secure if the following conditions hold: • The first label value is reversely sampleable from the other labels together with f and x. This reconstruction is perfect even given all the other label functions. Formally, there exists an efficient algorithm RevSamp such that for all f : Zⁿ p → Z_p ∈ F , z, β ∈ Z_p and x ∈ Zⁿ p , the following distributions are identical: { }

• For the other labels, each is marginally random even given all the label functions after it. Formally, this means for all f : Zⁿ p → Z_p ∈ F , z, β ∈ Z_p,x ∈ Zⁿ p and all j ∈ [2,m+ 1], the following distributions are identical: {

Lemma 3 A piecewise secure AKGS = (Garble, Eval) for a function class F is also simulation secure. We now define special structural properties of AKGS, related to the piecewise security of it. Definition 8 (Special Piecewise Security of AKGS) An AKGS = (Garble, Eval) for a function class F is special piecewise secure if for any

and x ∈ Zⁿ p , it has the following special form: • The first label value ℓ₁ is always non-zero, i.e., Eval(f,x, 1, 0, ... , 0) ̸= 0 where we take ℓ₁ = 1 and ℓ_j = 0 for 1 < j ≤ (m+ 1). • Let r ← Z^m′ p be the randomness used in Garble(zf(x) + β). For all j ∈ [2,m + 1]. the label function L_j produced by Garble(zf(x) + β; r) can be written as L_j(x) = k_jr[j − 1] + L^′ j(x; z, β, r[j], r[j + 1], ... , r[m^′]) where k_j ∈ Z_p is a non-zero constant (not depending on x, z, β, r) and L^′ j is an affine function of x whose coefficient vector is linear in (z, β, r[j], r[j+1], ... , r[m^′]). The component r[j − 1] is called the randomizer of L_j and ℓ_j. Lemma 4 A special piecewise secure AKGS = (Garble, Eval) for a function class F is also piecewise secure. The RevSamp algorithm (required in piecewise security) obtained for a special piecewise secure AKGS is linear in γ, ℓ₂, ... , ℓ_m+1 and perfectly recovers ℓ₁ even if the randomness of Garble is not uniformly sampled. More specifically, we have the following: Eval(f,x, ℓ₁, ... , ℓ_m+1) = ℓ₁Eval(f,x, 1, 0, ... , 0) + Eval(f,x, 0, ℓ₂, ... , ℓ_m+1) (7) RevSamp(f,x, γ, ℓ₂, ... , ℓ_m+1) = (Eval(f,x, 1, 0, ... , 0))⁻¹(γ − Eval(f,x, 0, ℓ₂, ... , ℓ_m+1)) (8) Note that, equation 7 follows from the linearity of Eval and equation 8 ensures that RevSamp perfectly computes ℓ₁ (which can be verified by equation 7 with γ = zf(x)+β). Lemma 5 A piecewise secure AKGS = (Garble, Eval) is also special piecewise secure after an appropriate change of variable for the randomness used by Garble. Instantiation of AKGS . We now discuss an instantiation of AKGS = (Garble, Eval) for the function class

Garble(zf(x) + β) It takes input an A of size (m+ 1) and two

secrets z, β ∈ Z_p. The algorithm works as follows: 1. Using Lemma 1, it computes a matrix M ∈ Z^m p ^×m such that det(M) is the output of the function f . 2. Next, it augments M into an (m+ 1)× (m+ 1) matrix M^′:

( ) I t samples its randomness r ← Z _m r 3. I ^m p and sets N = . 0 1 4. Finally, it defines the label functions by computing

and outputs the coefficient vectors ℓ₁, ... , ℓ_m+1 of L₁, ... , L_m+1. Remark 1 We note down some structural properties of Garble as follows: • The label function L_j for every j ∈ [m] is an affine function of the input x and L_m+1 is an affine function of z. It follows from the fact that M^′ is affine in x, z and N is independent of x, z. Hence, the last column of the product M^′N, which is the label functions L₁, ... , L_m+1, are affine in x, z. • The output size of Garble is determined solely by the size of f (as an ABP), hence Garble has deterministic shape. • Note that Garble is linear in (z, β, r), i.e., the coefficient vectors ℓ₁, ... , ℓ_m+1 are linear in (z, β, r). It follows from the fact that M,m₂ are independent of (z, β, r), and r,m₁, z are linear in (z, β, r). Hence, Mr + m₁, which defines the label functions L₁, ... , L_m, and m⊤ 2 r + z, which is the label function L_m+1, are linear in (z, β, r). • The last label function L_m+1 is in a special form, meaning that it is independent of x, β and r[j < m]. In particular, it takes the form L_m = m⊤ 2 r + z = z − r[m]. Thus, the elements of the coefficient vector ℓ_m+1 are all zero except the constant term, i.e., ℓ_m[const] = z − r[m] and ℓ_m[coef_i] = 0 for all i ∈ [n]. Eval(f,x, ℓ₁, ... , ℓ_m) It takes input an ABP f : Zⁿ p → Z_p ∈ F ^(n,1) A_BP of size (m + 1), an input x ∈ Zⁿ p and (m+ 1) labels ℓ₁, ... , ℓ_m+1. It proceeds as follows: 1. It computes the matrix M using Lemma 1 after substituting x. 2. Next, it augments M to get the matrix

3. It returns det(M̂). For correctness of the evaluation procedure, we see that when ℓ_j = L_j(x) for all j ∈ [m] and ℓ_m+1 = L_m+1(z), Eval computes det(M̂) = det(M^′N) = det(M^′)det(N) = det(M^′) = zdet(M) + β = zf(x) + β. The determinant of M^′ is calculated via Laplace expansion in the last column. Remark 2 Here, we observe some structural properties of Eval which we require for our application. • If we consider the Laplace expansion of det(M̂) in the last column then Eval can be written as Eval(f,x, ℓ₁, ... , ℓ_m+1) = A₁ℓ₁ + A₂ℓ₂ + · · ·+ A_m+1ℓ_m+1 (9) where A_j is the (j, (m + 1))-cofactor of M̂. This shows that Eval is linear in ℓ₁, ... , ℓ_m+1. Due to this linearity feature, Eval can be computed in the exponent of any bilinear group. More precisely, suppose G = (G₁,G₂,G_T , g₁, g₂, e) be a bilinear group then for any i ∈ {1, 2, T}, we have Eval(f,x, [[ℓ₁]]_i, ... , [[ℓ_m+1]]_i) = [[Eval(f,x, ℓ₁, ... , ℓ_m+1)]]_i. • Now, in particular, the coefficient of ℓ₁ is A₁ = (−1)^2+m(−1)^m = 1. Therefore, for any non-zero δ ∈ Z_p, we can write δ + Eval(f,x, ℓ₁, ... , ℓ_m+1) = Eval(f,x, δ, 0, ... , 0) + Eval(f,x, ℓ₁, ... , ℓ_m+1) (10) = Eval(f,x, ℓ₁ + δ, ℓ₂, ... , ℓ_m+1) (11) where equation 10 holds due to equation 9 and A₁ = 1; and equation 11 holds by the linearity of Eval. We will utilize equation 11 in our extended one slot FE construction. Now, we describe the simulator of AKGS which simulates the values of label functions by using f,x and zf(x) + β. SimGarble(f,x, zf(x) + β) The simulator works as follows: 1. It defines a set which forms a matrix subgroup.

2. Following Lemma 1, it computes the matrix M using f,x and sets the matrix

which defines a left coset M^′′H = {M^′′N|N ∈ H}. 3. It uniformly samples a random matrix from the coset M^′′H and returns the last column of the matrix as simulated values of the label functions. Lemma 6 The above construction of AKGS = (Garble, Eval) is secure. Moreover, it is special piecewise secure as per Definition 8. 1-Key 1-Ciphertext Secure One-Slot FE for Attribute-Weighted Sums In this section, we first describe a private-key one-slot FE scheme for the attribute- weighted sum functionality that is proven simulation secure against a single ciphertext query and a single secret key query either before or after the ciphertext query. This scheme would be crucially embedded into the hidden slots for our full-fledged public- key one-slot FE scheme for attribute-weighted sums presented in the next section. We describe the construction for any fixed value of the security parameter λ and suppress the appearance of λ for simplicity of notations. Let (Garble,Eval) be a special piecewise secure S for a function class F ^{( ′} AKG ^{n,n )} A_BP , G = (G₁,G₂,G_T , g₁, g₂, e) a tuple of pairing groups of prime order p, and (SK-IPFE.Setup.SK-IPFE.KeyGen, SK-IPFE.Enc, SK-IPFE.Dec) a secret- key function-hiding SK-IPFE based on G.

for all t ∈ [n^′]. Here we make use of the instantiation of the AKGS described herein. From the description of that AKGS instantiation, we note that the (m + 1)-th label function ℓ_m+1,t would be of the form ℓ_m+1,t = z[t]−r_t[m]. Also all the label functions ℓ_1,t, ... , ℓ_m,t involve only the variables x and not the variable z[t]. Next, for all j ∈ [m] and t ∈ [n^′], it defines the vectors v_j,t corresponding to the label functions ℓ_j,t obtained from the partial garbling:

It generates the secret-keys as

Finally, it returns a value ρ by solving a discrete logarithm problem. We assume that the desired attribute-weighted sum lies within a specified polynomial-sized domain so that discrete logarithm can be solved via brute force.

Therefore, we get by multiplying

One-Slot FE for Attribute-Weighted Sums In this section we present our public-key one-slot FE scheme Π_one for the attribute- weighted sum functionality that is proven adaptively simulation secure against a single ciphertext query and an arbitrary polynomial number of secret key queries both before and after the ciphertext query. As outlined in Remark 3 below, this scheme can naturally be extended to one supporting a bounded number of ciphertext queries. We describe the construction for any fixed value of the security parameter λ and suppress the appearance of λ for simplicity of notations. Let (Garble,Eval) be a special piecewise secure AKGS for a function class

a tuple of pairing groups of prime order p such that MDDH_k holds in G₂, and (IPFE.Setup.IPFE.KeyGen, IPFE.Enc, IPFE.Dec) a slotted IPFE based on G. We construct an FE scheme for attribute-weighted sums with the message space M = Zⁿ p × Z^n′ p . nⁿ′ Setup(1 , 1 ) Define the following index sets as follows { } { }

KeyGen(MSK, f) Let such

^that

Next, sample independent random vectors and computes

(ℓ(ι) 1_,t, ... , ℓ(ι) m_,t, ℓ(ι) m_+1,t) ← Garble(α[ι]z[t]f_t(x) + β_t[ι]; r_t ^(ι) ) for all ι ∈ [k], t ∈ [n^′]. Here we make use of the instantiation of the AKGS described herein. From the description of that AKGS instantiation we note that the (m + 1)-th label function

would be of the form

_, where α[ι] is a constant. Also all the label functions ℓ(ι) (ι) 1_,t, ... , ℓ_m,t involve only the variables x and not the variable z[t]. Next, for all j ∈ [m] and t ∈ [n^′], it defines the vectors v_j,t corresponding to the label functions ℓ(ι) j_,t obtained from the partial garbling above as

for all t ∈ [n^′]. It encrypts the vectors as

[ ] Finally, it returns a value ζ from a polynomially bounded set P such that [[ρ]]_T = [[µ]]_T · [[ζ]]_T ; otherwise ⊥. Correctness By the correctness of IPFE, AKGS and the linearity of the Eval function we have

Remark 3 (Multi-Ciphertext Scheme) The one-slot FE scheme Π_one described above is secure against adversaries that are restricted to query a single ciphertext. However, we can easily modify the FE scheme to another FE that is secure for any a-priori bounded number of ciphertext queries from the adversary’s end. For the extension, we introduce additional (2n^′ + 2)q_CT private slots on each ciphertext and decryption key sides, where q_CT denotes the number of ciphertext queries. More specifically, we add 2n^′q_CT and 2q_CT dimensional hidden slots to S_priv and Ŝ_priv respectively to handle the q_CT ciphertext queries during the security reduction. Consequently, the sizes of system parameters, secret-keys and ciphertext would grow linearly with q_CT. A similar strategy can be followed to convert our extended one-slot FE scheme (described herein) that only supports a single ciphertext query to one that is secure for any a-priori bounded number of ciphertext queries. 1-Key 1-Ciphertext Secure One-Slot Extended FE Designed for Bounded-Key One-Slot Extended FE for Attribute-Weighted Sums In this section, we present a private-key one-slot FE scheme for an extended attribute- weighted sum functionality that is proven simulation secure against a single ciphertext query and a single secret key query either before or after the ciphertext query. This scheme will be embedded into the hidden subspaces of the public-key multi-key FE scheme for the same functionality presented in the next section in its security proof. We describe the construction for any fixed value of the security parameter λ and suppress the appearance of λ for simplicity of notations. Let (Garble,Eval) be a special piecewise secure AKGS function class F ^{(n, ′} for a ^{n )} A_BP , G = (G₁,G₂,G_T , g₁, g₂, e) a tuple of pairing groups of prime order p, and (IPFE.Setup, IPFE.KeyGen, IPFE.Enc, IPFE.Dec) a secret-key function-hiding SK-IPFE based on G. λ^{n n}′ Setup(1 , 1 , 1 ) Define the following index sets as follows { } ←

for each t ∈ [n^′]. Here we make use of the instantiation of the AKGS described in Section . From the description of that AKGS instantiation, we note that the (m+1)-th label function ℓ_m+1,t would be of the form ℓ_m+1,t = z[t]−r_t[m]. Also all the label functions ℓ_1,t, ... , ℓ_m,t involve only the variables x and not the variable z[t]. Next, for all j ∈ [m] and t ∈ [n^′], it defines the vectors v_j,t corresponding to the label functions ℓ_j,t obtained from the partial garbling above and the vector y as

Remark. We note that the key-generation process can be performed if the vector y is not given in the clear, but [[y]]₂ ∈ G^k 2 is known. This is because while running the IPFE.KeyGen algorithm above, the vectors v_j,t are not inputted in the clear but in the exponent of the group G₂. This fact will be used in the security analysis of our unbounded FE scheme.

Bounded-Key One-Slot Extended FE for Attribute-Weighted Sums In this section, we present a public-key one-slot FE scheme

for an extended attribute-weighted sum functionality. This scheme is proven adaptively simulation se- cure against one ciphertext query, an a priori bounded number of pre-ciphertext secret key queries, and an arbitrary polynomial number of post-ciphertext secret key queries. We will apply a bootstrapping compiler onto this FE scheme to obtain our unbounded-slot FE scheme for attribute-weighted sums in the next section. We describe the construc- tion for any fixed value of the security parameter λ and suppress the appearance of λ for simplicity of notations. Let (Garble,Eval) be a special piecewise secure AKGS for a ′ function class F ^{(n,n )} A_BP , G = (G₁,G₂,G_T , g₁, g₂, e) a tuple of pairing groups of prime order p such that MDDH_k holds in G₂, and (IPFE.Setup.IPFE.KeyGen, IPFE.Enc, IPFE.Dec) a slotted IPFE based on G. We construct an FE scheme for attribute-weighted sums with the message space

′ Setup(1^λ, 1ⁿ, 1ⁿ , 1^B) Defines the following index sets as follows { }

for all ι ∈ [k], t ∈ [n^′]. Here, we make use of the instantiation of the AKGS described in Section . From the description of that AKGS instantiation, we note that the (m + 1)- th label function ℓ(ι) (ι) m_+1,t would be of the form ℓ_m+1,t = α[ι]z[t] − r_t ^(ι) [m] where α[ι] is a constant. Also all the label functions ℓ(ι) 1_,t, ... , ℓ(ι) m_,t involve only the variables x and not the variable z[t]. Next, for all j ∈ [2,m] and t ∈ [n^′], it defines the vectors v_j,t corresponding to the label functions ℓ_j,t obtained from the partial garbling above and the vector y as

Remark 4 We note that the vector y is only used to set v (ι) 1_,t[extnd_κ ] and the IPFE.KeyGen only requires [[v_1,t]]₂ ∈ G^k 2 to compute the secret-key IPFE.SK_1,t. Therefore, the key generation process can compute the same secret-key SK_f,y if (f, [[y]]₂) is supplied as input instead of (f,y) and we express this by writing KeyGen(MSK, (f, [[y]]₂)) = Key- Gen(MSK, (f,y)). This fact will be crucial while describing the unbounded slot FE.

Dec((SK_f,y, f), (CT,x)) It parses the secret-key and ciphertext as SK_f,y = (IPFE.SK, {IPFE.SK_j,t}_{j∈[m],t∈[n} ^′ _], {IP ^̂FE.SK_m+1,t}_t∈[n ^′ _]) and CT_x,z = (IPFE.CT, {IP ^̂FE.CT_t}_t∈[n ^′ _]). It uses the decryption algorithm of IPFE to compute [[ρ]]_T ← IPFE.Dec(IPFE.SK, IPFE.CT) [[ℓ_1,t + ψ_t]]_T ← IPFE.Dec(IPFE.SK_1,t, IPFE.CT) [[ℓ_j,t]]_T ← IPFE.Dec(IPFE.SK_j,t, IPFE.CT) for j ∈ [2,m], t ∈ [n^′] [[ℓ_m+1,t]]_T ← IPFE.Dec(IP ^̂FE.SK_m+1,t,IP ^̂FE.CT_t) for t ∈ [n^′] ∑ where ψ_t = _k _ι=1α[ι]s[ι] · ν_t · y^⊤w = α · s · ν_t · y^⊤w. Next, it utilizes the evaluation procedure of AKGS and obtain a combined value ∏ [[ζ]]_T = Eval(f_t,x, [[ℓ_1,t + ψ_t]]_T , ... , [[ℓ_m+1,t]]_T ). t∈[n^′] Finally, it returns a value [[µ]]_T = [[ζ]]_T · [[ρ]]⁻ T ¹ ∈ G_T . Correctness First, the IPFE correctness implies IPFE.Dec(IPFE.SK_1,t, IPFE.CT) = [[ℓ + ∑ _1,t ψ_t]] where ψ_t = _k _ι=1α[ι]s[ι] · ν_t · y^⊤w = α · s · ν_t · y^⊤w. Next, by the correctness of IPFE, AKGS we have Eval(f_t,x, ℓ_1,t + ψ_t, ... , ℓ_m+1,t) = Eval(f_t,x, ℓ_1,t, ... , ℓ_m+1,t) + Eval(f_t,x, ψ_t, 0, ... , 0) = Eval(f_t,x, ℓ_1,t, ... , ℓ_m+1,t) + ψ_t ∑ ^k = (α[ι]s[ι] · z[t]f_t(x) + β_t[ι]s[ι]) +α · s · ν_t · y^⊤w ι=1 = α · s · (z[t]f_t(x) + ν_t · y^⊤w) + β_t · s The first equality follows from the linearity of Eval algorithm. Therefore, multiplying all the evaluated values we have ∏ [[ζ]]_T = Eval(f_t,x, [[ℓ_1,t + ψ_t]]_T , ... , [[ℓ_m+1,t]]_T ) t∈[n^′] ∑ ^n′ = [[ α · s · (z[t]f_t(x) + ν_t · y^⊤w) + β_t · s]]_T = [[α · s · (f(x)^⊤z + y^⊤w)]]_T t=1 ∑ ∑ where the last equality follows from the fact that _t∈n′ ν_t = 1 mod p and _t∈[n′_] β_t[ι] = 0 mod p for all ι ∈ [k]. Also, by the correctness of IPFE we see that [[ρ]]_T = [[α · s]]_T and hence [[µ]]_T = [[f(x)^⊤z + y^⊤w]]_T . Theorem 2 The extended one slot FE scheme for attribute-weighted sum is adap-

tively simulation-secure assuming the AKGS is piecewise-secure as per Definition 7, the MDDH_k assumption holds in group G₂, and the slotted IPFE is function hiding as per Definition 5. 1-Key 1-Ciphertext Secure One-Slot Extended FE Designed for Unbounded- Key One-Slot Extended FE for Attribute-Weighted Sums In this section, we present a private-key one-slot FE scheme for an extended attribute- weighted sum functionality that is proven simulation secure against a single ciphertext query and a single secret key query either before or after the ciphertext query. This scheme will be embedded into the hidden subspaces of the public-key multi-key FE scheme for the same functionality presented in the next section in its security proof. We describe the construction for any fixed value of the security parameter λ and suppress the appearance of λ for simplicity of notations. Let (Garble,Eval) be a special piecewise secure AKGS ion class F ^{(n, ′} for a funct ^{n )} A_BP , G = (G₁,G₂,G_T , g₁, g₂, e) a tuple of pairing groups of prime order p, and (IPFE.Setup, IPFE.KeyGen, IPFE.Enc, IPFE.Dec) a secret-key function-hiding SK-IPFE based on G.

It also sets the vectors v_m+1,t for t ∈ [n^′] corresponding to the (m + 1)-th label function ℓ_m+1,t as

Now, it uses the key generation algorithm of IPFE to generate the secret-keys IPFE.SK_j,t ← SK-IPFE.KeyGen(IPFE.MSK, [[v_j,t]]₂) for j ∈ [m], t ∈ [n^′] IP ^̂FE.SK_m+1,t ← SK-IPFE.KeyGen(IPF ^̂E.MSK, [[v_m+1,t]]₂) for t ∈ [n^′] It returns the secret-key as SK_f,y = ({IPFE.SK_j,t}_{j∈[m],t∈[n} ^′ _], {IP ^̂FE.SK_m+1,t}_t∈[n ^′ _]). Enc It sets the following vectors:

∗ τ

for all t ∈ [n^′]. Then, it encrypts the vectors using IPFE and obtain the ciphertexts IPFE.CT ← SK-IPFE.Enc(IPFE.MSK, [[u]]₁) IP ^̂FE.CT_t ← SK-IPFE.Enc(IPF ^̂E.MSK, [[h_t]]₁) for t ∈ [n^′] Finally, it returns the ciphertext as CT_x,z||w = (IPFE.CT, {IP ^̂FE.CT_t}_t∈[n ^′ _]).

Unbounded-Key One-Slot Extended FE for Attribute-Weighted Sums In this section, we present a public-key one-slot FE scheme

for an extended attribute-weighted sum functionality. This scheme is proven adaptively simulation se- cure against one ciphertext query and an arbitrary polynomial number of secret key queries both before and after the ciphertext query. We describe the construction for any fixed value of the security parameter λ and suppress the appearance of λ for simplicity of notations. Let (Garble,Eval) be a special piecewise secure AKGS for a function class

, G = (G₁,G₂,G_T , g₁, g₂, e) a tuple of pairing groups of prime order p such that MDDH_k holds in G₂, and (IPFE.Setup.IPFE.KeyGen, IPFE.Enc, IPFE.Dec) a slotted IPFE based on G. We construct an FE scheme for attribute-weighted sums with the message space

for all ι ∈ [k], t ∈ [n^′]. Here, we make use of the instantiation of the AKGS described in Section . From the description of that AKGS instantiation, we note that the (m + 1)- th label function ℓ(ι) m_+1,t would be of the form ℓ(ι) m_+1,t = α[ι]z[t] − r_t ^(ι) [m] where α[ι] is a constant. Also all the label functions ℓ(ι) 1_,t, ... , ℓ(ι) m_,t involve only the variables x and not the variable z[t]. Next, for all j ∈ [2,m] and t ∈ [n^′], it defines the vectors v_j,t corresponding to the label functions ℓ_j,t obtained from the partial garbling above and the vector y as

It generates the secret-keys as

for all t ∈ [n^′]. It encrypts the vectors as IPFE.CT ← IPFE.SlotEnc(IPFE.MPK, [[u]]₁) IP ^̂FE.CT_t ← IPFE.SlotEnc(IPF ^̂E.MPK, [[h_t]]₁) for t ∈ [n^′] and returns the ciphertext as CT = (IPFE.CT, {IP ^̂FE.CT_t}_t∈[n ^′ _]) and x. Dec((SK_f,y, f), (CT,x)) It parses the secret-key as SK_f = (IPFE.SK, {IPFE.SK_j,t}_{j∈[m],t∈[n} ^′ _], {IP ^̂FE.SK_m+1,t}_t∈[n ^′ _]) and the ciphertext as CT_x,z = (IPFE.CT, {IP ^̂FE.CT_t}_t∈[n ^′ _]). It uses the decryption algorithm of IPFE to compute

System Implementations Fig. 1 illustrates an encryption system 100 in an embodiment of the present invention in- cluding a setup algorithm Setup, an encryption algorithm Enc, a key generation algorithm KeyGen, and a decryption algorithm Dec of the functional encryption implementations. As illustrated in FIG. 1, the encryption system 100 in the embodiment of the present invention includes a setup device 10, an encryption device 20, a key generation device 30, and a decryption device 40. These devices are communicably connected to each other via a communication network 105. The setup device 10 can be a computer or a computer system configured to execute the setup algorithm Setup. The setup device 10 includes a setup processing unit 101 and a storage unit 102. The setup processing unit 101 executes the setup algorithm Setup as described herein. In the setup algorithm Setup, a functional encryption setup algorithm executes twice to generate and output a set of master public-secret key pairs FE.MSK and FE.MPK and a set of master public-secret key pairs FE ^̂.MSK and FE ^̂.MPK. The first set can be for encrypting a public part of attributes and the second set can be for use in encrypting a private part of the attributes. In the storage unit 102, various types of information used in the setup algorithm Setup, an output result of the setup algorithm Setup, and the like are stored. Note that the setup processing unit 101 can be implemented by the processing of executing, by an arithmetic device such as a processor, one or more programs installed in the setup device 10, for example. The storage unit 102 can be implemented using various memories (e.g., a main storage device and an auxiliary storage device). The encryption device 20 can be a computer or a computer system configured to execute the encryption algorithm Enc. The encryption device 20 includes an encryption processing unit 201 and a storage unit 202. The encryption processing unit 201 executes the encryption algorithm Enc by using, as input, the master public key MPK as FE.MPK and FE ^̂.MPK, one or more public attributes x, and one or more private attributes z. In the encryption algorithm Enc, a ciphertext CT as FE.CT and F̂E.CT_t is generated and output. The storage unit 202 stores various types of information used in the encryption algorithm Enc, an output result (e.g., the ciphertext) of the encryption algorithm Enc, and the like are stored. Note that the encryption processing unit 201 can be implemented by the processing of executing, by an arithmetic device such as a processor, one or more programs installed in the encryption device 20, for example. The storage unit 202 can be implemented using various memories (e.g., a main storage device and an auxiliary storage device). The key generation device 30 is a computer or a computer system configured to execute the key generation algorithm KeyGen. The key generation device 30 can include a key generation processing unit 301 and a storage unit 302. The key generation processing unit 301 executes the key generation algorithm KeyGen by receiving the master secret key MSK as FE.MSK and FE ^̂.MSK and a function f where f consists of sub-functions f_t, wherein t represents an integer index. In the key generation algorithm KeyGen, the secret key SK_f as FE.SK, {FE.SK_j,t}, {F̂E.SK_t} and f are generated and output. In the storage unit 302, various types of information used in the key generation algorithm KeyGen, an output result of the key generation algorithm KeyGen, and the like are stored. Note that the key generation processing unit 301 is implemented by the processing of executing, by an arithmetic device such as a processor, one or more programs installed in the key generation device 30, for example. The storage unit 302 can be implemented using various memories (e.g., a main storage device and an auxiliary storage device). The decryption device 40 can be a computer or a computer system configured to execute the decryption algorithm Dec. The decryption device 40 includes a decryption processing unit 401 and a storage unit 402. The decryption processing unit 401 executes the decryption algorithm Dec by using, as input, the function f and the secret key SK_f for function f . In the decryption algorithm Dec, the functional value µ is recovered from ρ and d, and generates and outputs the value µ as the plaintext. In the storage unit 402, various types of information used in the decryption algorithm Dec, an output result of the decryption algorithm Dec, and the like are stored. Note that the decryption processing unit 401 is implemented by the processing of executing, by an arithmetic device such as a processor, one or more programs installed in the decryption device 40, for example. The storage unit 402 can be implemented using various memories (e.g., a main storage device and an auxiliary storage device). The configuration of the encryption system 100 illustrated in FIG. 1 is an example, and other configurations may be employed. For example, any two or more devices of the setup device 10, the encryption device 20, and the key generation device 30 maybe configured as a single device. The encryption system 100 may include a plurality of decryption devices 40. Similarly, any one or more devices of the setup device 10, the encryption device 20, and the key generation device 30 may be provided as a plurality of devices. With reference to Fig. 2, an example system architecture is illustrated. A user 215 allows a remote server 210 to run a specific function F on a ciphertext by issuing a token T_F . The server executes F on an available ciphertext C and generates a result R_F an encrypted form. The system can include a trusted authority (TA) 220 who is responsible to construct a token T_F for the requested function. As illustrated, data owner 205 uploads ciphertext C onto the remote server 210. Data user 215 requests TA 220 for a token for a function F . TA 220 issues token T_F to the data user. Data user then sends T_F to the server. Server runs F on the encrypted data, and forwards the result R_F to the data user. Figs. 3 and 4 depict example computer systems useful for implementing various embodiments described in the present disclosure. Various embodiments may be imple- mented, for example, using one or more computer systems, such as computer system 500 shown in Fig. 3. One or more computer system(s) 500 may be used, for exam- ple, to implement any of the embodiments discussed herein, as well as combinations and sub-combinations thereof. Computer system 500 may include one or more processors (also called central pro- cessing units, processing devices, or CPUs), such as a processor 504. Processor 504 may be connected to a communication infrastructure 506 (e.g., such as a bus). Computer system 500 may also include user input/output device(s) 503, such as mon- itors, keyboards, pointing devices, etc., which may communicate with communication infrastructure 506 through user input/output interface(s) 502. One or more of processors 504 may be a graphics processing unit (GPU). In an embodiment, a GPU may be a pro- cessor that is a specialized electronic circuit designed to process mathematically intensive applications. The GPU may have a parallel structure that is efficient for parallel process- ing of large blocks of data, such as mathematically intensive data common to computer graphics applications, images, videos, etc. Computer system 500 may also include a main memory 508, such as random-access memory (RAM). Main memory 508 may include one or more levels of cache. Main memory 508 may have stored therein control logic (i.e., computer software, instructions, etc.) and/or data. Computer system 500 may also include one or more secondary storage devices or secondary memory 510. Secondary memory 510 may include, for example, a hard disk drive 512 and/or a removable storage device or removable storage drive 514. Removable storage drive 514 may interact with a removable storage unit 518. Removable storage unit 518 may include a computer-usable or readable storage device having stored thereon computer software (control logic) and/or data. Removable storage drive 514 may read from and/or write to removable storage unit 518. Secondary memory 510 may include other means, devices, components, instrumen- talities, or other approaches for allowing computer programs and/or other instructions and/or data to be accessed by computer system 500. Such means, devices, components, instrumentalities, or other approaches may include, for example, a removable storage unit 522 and an interface 520. Examples of the removable storage unit 522 and the interface 520 may include a program cartridge and cartridge interface, a removable memory chip (such as an EPROM or PROM) and associated socket, a memory stick and USB port, a memory card and associated memory card slot, and/or any other removable storage unit and associated interface. Computer system 500 may further include communications interface 524 (e.g., network interface). Communications interface 524 may enable computer system 500 to communi- cate and interact with any combination of external devices, external networks, external entities, etc. (individually and collectively referenced as remote device(s), network(s), entity(ies) 528). For example, communications interface 524 may allow computer sys- tem 500 to communicate with external or remote device(s), network(s), entity(ies) 528 over communications path 526, which may be wired and/or wireless (or a combination thereof), and which may include any combination of LANs, WANs, the Internet, etc. Control logic and/or data may be transmitted to and from computer system 500 via communications path 526. Computer system 500 may also be any of a personal digital assistant (PDA), desktop workstation, laptop or notebook computer, netbook, tablet, smartphone, smartwatch or other wearable devices, appliance, part of the Internet-of-Things, and/or embedded system, to name a few non-limiting examples, or any combination thereof. Computer system 500 may be a client or server computing device, accessing or hosting any applications and/or data through any delivery paradigm, including but not limited to remote or distributed cloud computing solutions; local or on-premises software (“on- premise” cloud-based solutions); “as a service” models (e.g., content as a service (CaaS), digital content as a service (DCaaS), software as a service (SaaS), managed software as a service (MSaaS), platform as a service (PaaS), desktop as a service (DaaS), framework as a service (FaaS), backend as a service (BaaS), mobile backend as a service (MBaaS), infrastructure as a service (IaaS), etc.); and/or a hybrid model including any combination of the foregoing examples or other services or delivery paradigms. Fig. 4 illustrates an example machine of a computer system 900 within which a set of instructions, for causing the machine to perform any one or more of the operations discussed herein, may be executed. In alternative implementations, the machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, and/or the Internet. The machine may operate in the capacity of a server or a client machine in a client-server network environment, as a peer machine in a peer-to-peer (or distributed) network environment, or as a server or a client machine in a cloud computing infrastructure or environment. The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a net- work router, a switch or bridge, a specialized application or network security appliance or device, or any machine capable of executing a set of instructions (sequential or other- wise) that specify actions to be taken by that machine. Further, while a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein. The example computer system 900 includes a processing device 902, a main memory 904 (e.g., read-only memory (ROM), flash memory, dynamic random-access memory (DRAM) such as synchronous DRAM (SDRAM), etc.), a static memory 906 (e.g., flash memory, static random-access memory (SRAM), etc.), and a data storage device 918, which communicate with each other via a bus 930. Processing device 902 represents one or more processing devices such as a micropro- cessor, a central processing unit, or the like. More particularly, the processing device may be complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) micropro- cessor, or processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 902 may also be one or more special- purpose processing devices such as an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a digital signal processor (DSP), network pro- cessor, or the like. The processing device 902 is configured to execute instructions 926 for performing the operations and steps discussed herein. The computer system 900 may further include a network interface device 908 to communicate over the network 920. The computer system 900 also may include a video display unit 910, an alphanumeric input device 912 (e.g., a keyboard), a cursor control device 914 (e.g., a mouse), a graphics processing unit 922, a signal generation device 916 (e.g., a speaker), graphics processing unit 922, video processing unit 928, and audio processing unit 932. The data storage device 918 may include a machine-readable medium 924 (also known as a computer-readable storage medium) on which is stored one or more sets of instruc- tions 926 (e.g., software instructions) embodying any one or more of the operations de- scribed herein. The instructions 926 may also reside, completely or at least partially, within the main memory 904 and/or within the processing device 902 during execution thereof by the computer system 900, where the main memory 904 and the processing device 902 also constitute machine-readable storage media. In an example, the instructions 926 include instructions to implement operations and functionality corresponding to the disclosed subject matter. While the machine-readable storage medium 924 is shown in an example implementation to be a single medium, the term “machine-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions 926. The term “machine-readable storage medium” shall also be taken to include any medium that is capable of storing or encoding a set of instructions 926 for execution by the machine and that cause the machine to perform any one or more of the operations of the present disclosure. The term “machine-readable storage medium” shall accordingly be taken to include, but not be limited to, solid-state memories, optical media, and magnetic media. Some portions of the detailed description have been presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the ways used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self- consistent sequence of operations leading to a desired result. The operations are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like. It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels ap- plied to these quantities. Unless specifically stated otherwise as apparent from the above discussion, it is appreciated that throughout the description, discussions utilizing terms such as “identifying” or “determining” or “executing” or “performing” or “collecting” or “creating” or “sending” or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system’s registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage devices. The present disclosure also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the intended purposes, or it may comprise a computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer-readable storage medium, such as but not limited to, any type of disk including floppy disks, opti- cal disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, each coupled to a computer system bus. The operations and illustrations presented herein are not inherently related to any particular computer or other apparatus. Various types of systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct a more specialized apparatus to perform the operations. The structure for a variety of these systems will appear as set forth in the description herein. In addition, the present disclosure is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the disclosure as described herein. The present disclosure may be provided as a computer program product, or software, that may include a machine-readable medium having stored thereon instructions, which may be used to program a computer system (or other electronic devices) to perform a process according to the present disclosure. A machine-readable medium includes any mechanism for storing information in a form readable by a machine (e.g., a computer). For example, a machine-readable (e.g., computer-readable) medium includes a machine (e.g., a computer) readable storage medium such as read-only memory (“ROM”), ran- dom access memory (“RAM”), magnetic disk storage media, optical storage media, flash memory devices, etc. In some embodiments, a tangible, non-transitory apparatus or article of manufacture comprising a tangible, non-transitory computer useable or readable medium having con- trol logic (software) stored thereon may also be referred to herein as a computer program product or program storage device. This includes, but is not limited to, computer system 500, main memory 508, secondary memory 510, and removable storage units 518 and 522, as well as tangible articles of manufacture embodying any combination of the fore- going. Such control logic, when executed by one or more data processing devices (such as computer system 500), may cause such data processing devices to operate as described herein. Based on the teachings contained in this disclosure, it will be apparent to persons skilled in the relevant art(s) how to make and use embodiments of this disclosure using data processing devices, computer systems, and/or computer architectures other than that shown in Figs. 3 and 4. In particular, embodiments can operate with software, hardware, and/or operating system implementations other than those described herein. It is to be appreciated that the Detailed Description section, and not any other section, is intended to be used to interpret the claims. Other sections can set forth one or more but not all exemplary embodiments as contemplated by the inventor(s), and thus, are not intended to limit this disclosure or the appended claims in any way. While this disclosure describes exemplary embodiments for exemplary fields and ap- plications, it should be understood that the disclosure is not limited thereto. Other embodiments and modifications thereto are possible and are within the scope and spirit of this disclosure. For example, and without limiting the generality of this paragraph, embodiments are not limited to the software, hardware, firmware, and/or entities illus- trated in the figures described herein. Further, embodiments (whether or not explicitly described herein) have significant utility to fields and applications beyond the examples described herein. Embodiments have been described herein with the aid of functional building blocks illustrating the implementation of specified functions and relationships thereof. The boundaries of these functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternate boundaries can be defined as long as the specified functions and relationships (or equivalents thereof) are appropriately performed. Also, alternative embodiments can perform functional blocks, steps, operations, methods, etc. using orderings different than those described herein. References herein to “one embodiment,” “an embodiment,” “an example embodi- ment,” or similar phrases, indicate that the embodiment described can include a par- ticular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it would be within the knowledge of persons skilled in the relevant art(s) to incorporate such feature, structure, or characteristic into other embodiments whether or not explicitly mentioned or described herein. Additionally, some embodiments can be described using the ex- pression “coupled” and “connected” along with their derivatives. These terms are not necessarily intended as synonyms for each other. For example, some embodiments can be described using the terms “connected” and/or “coupled” to indicate that two or more elements are in direct physical or electrical contact with each other. The term “coupled,” however, can also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other. The breadth and scope of this disclosure should not be limited by any of the above- described exemplary embodiments but should be defined only in accordance with the following claims and their equivalents. In the foregoing specification, implementations of the disclosure have been described with reference to specific example implementations thereof. It will be evident that various modifications may be made thereto without departing from the broader spirit and scope of implementations of the disclosure as set forth in the following claims. The specification and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense.

Claims

CLAIMS 1. A computerized method for encrypting for a functional encryption scheme, the method comprising: executing a computerized setup algorithm, the setup algorithm comprising: executing a functional encryption setup algorithm twice to generate a set of master public-secret key pairs FE.MSK and FE.MPK and a set of master public-secret key pairsFE ^̂.MSK and FE ^̂.MPK; outputting a master secret key MSK as FE.MSK and FE ^̂.MSK and a master public key MPK as FE.MPK and FE ^̂.MPK, and storing the output master keys in an electronic setup storage unit; executing a computerized key generation algorithm by: receiving the master secret key MSK as FE.MSK and FE ^̂.MSK from the setup storage unit and a function f where f comprises sub-functions f_t, wherein t represents an integer index; sampling random values α,β_t such that the sum of all entries of β_t is 0; sampling random values r_t for input for a garbling procedure, wherein the garbling procedure randomizes a function comprising α, f_t,β_t, wherein α and β_t are secrets, and the garbling procedure outputs a set of label functions {ℓ_j,t} where j runs over the number of label functions; setting values v as α and generating an FE secret key FE.SK for the values v; setting values v_1,t comprising ℓ_1,t,α, and generating an FE secret key FE.SK_1,t for the values v_1,t; setting values v_j,t as ℓ_j,t, and generating a FE secret key FE.SK_j,t for the values v_j,t; setting values v̂_t comprising r_t,α; generating a functional encryption secret key F̂E.SK_t for the values v̂_t; and outputting the secret key SK_f as FE.SK, {FE.SK_j,t}, {F̂E.SK_t} and f , and storing the output in an electronic key generation storage unit.

2. The method of claim 1, further comprising an encryption method, the encryption method comprising: receiving the master public key MPK as FE.MPK and FE ^̂.MPK, one or more public attributes x, and one or more private attributes z; sampling randomness s and setting values u comprising s, x, and computing FE ciphertext FE.CT for the value u; setting values h_t comprising of s and z, and computing FE ciphertext F̂E.CT_t for the value h_t; and outputting the ciphertext CT as FE.CT and F̂E.CT_t and storing the output in an electronic encryption device storage unit.

3. The method of claim 2, further comprising a decryption method, the decryption method comprising: receiving the function f and the secret key SK_f for function f ; receiving one or more public attributes x and a ciphertext CT for x; retrieving FE.SK, FE.SK_j,t, F̂E.SK_t from SK_f and retrieving FE.CT and F̂E.CT_t from CT; retrieving sub-functions f_t from the function f ; decrypting FE.CT by running the decryption algorithm of FE using the secret key FE.SK and get a value ρ; decrypting FE.CT by running the decryption algorithm of FE using the secret key FE.SK_j,t and get a value ℓ_j,t; decrypting F̂E.CT_t by running the decryption algorithm of FE using the secret key F̂E.SK_t and get a value ℓ_t; running the evaluation algorithm of the garbling scheme using the values ℓ_j,t, ℓ_t and the one or more public attributes x and the sub-function f_t, and get a value d; and recovering the functional value µ from ρ and d, and outputting the value µ as the plaintext and storing the output in an electronic decryption device storage unit.

4. The method of claim 1, wherein the first set is for encrypting a public part of at- tributes and the second set is for use in encrypting a private part of the attributes.

5. A system for encrypting for a functional encryption scheme, comprising a processor, wherein the processor is configured for: executing a computerized setup algorithm, the setup algorithm comprising: executing a functional encryption setup algorithm twice to generate a set of master public-secret key pairs FE.MSK and FE.MPK and a set of master public-secret key pairsFE ^̂.MSK and FE ^̂.MPK; outputting a master secret key MSK as FE.MSK and FE ^̂.MSK and a master public key MPK as FE.MPK and FE ^̂.MPK, and storing the output master keys in an electronic setup storage unit; executing a computerized key generation algorithm by: receiving the master secret key MSK as FE.MSK and FE ^̂.MSK from the setup storage unit and a function f where f comprises sub-functions f_t, wherein t represents an integer index; sampling random values α,β_t such that the sum of all entries of β_t is 0; sampling random values r_t for input for a garbling procedure, wherein the garbling procedure randomizes a function comprising α, f_t,β_t, wherein α and β_t are secrets, and the garbling procedure outputs a set of label functions {ℓ_j,t} where j runs over the number of label functions; setting values v as α and generating an FE secret key FE.SK for the values v; setting values v_1,t comprising ℓ_1,t,α, and generating an FE secret key FE.SK_1,t for the values v_1,t; setting values v_j,t as ℓ_j,t, and generating a FE secret key FE.SK_j,t for the values v_j,t; setting values v̂_t comprising r_t,α; generating a functional encryption secret key F̂E.SK_t for the values v̂_t; and outputting the secret key SK_f as FE.SK, {FE.SK_j,t}, {F̂E.SK_t} and f , and storing the output in an electronic key generation storage unit.

6. The system of claim 5, wherein the processor is further configured for: receiving the master public key MPK as FE.MPK and FE ^̂.MPK, one or more public attributes x, and one or more private attributes z; sampling randomness s and setting values u comprising s, x, and computing FE ciphertext FE.CT for the value u; setting values h_t comprising of s and z, and computing FE ciphertext F̂E.CT_t for the value h_t; and outputting the ciphertext CT as FE.CT and F̂E.CT_t and storing the output in an electronic encryption device storage unit.

7. The system of claim 6, wherein the processor is further configured for: receiving the function f and the secret key SK_f for function f ; receiving one or more public attributes x and a ciphertext CT for x; retrieving FE.SK, FE.SK_j,t, F̂E.SK_t from SK_f and retrieving FE.CT and F̂E.CT_t from CT; retrieving sub-functions f_t from the function f ; decrypting FE.CT by running the decryption algorithm of FE using the secret key FE.SK and get a value ρ; decrypting FE.CT by running the decryption algorithm of FE using the secret key FE.SK_j,t and get a value ℓ_j,t; decrypting F̂E.CT_t by running the decryption algorithm of FE using the secret key F̂E.SK_t and get a value ℓ_t; running the evaluation algorithm of the garbling scheme using the values ℓ_j,t, ℓ_t and the one or more public attributes x and the sub-function f_t, and get a value d; and recovering the functional value µ from ρ and d, and outputting the value µ as the plaintext and storing the output in an electronic decryption device storage unit.

8. The system of claim 5, wherein the first set is for encrypting a public part of attributes and the second set is for use in encrypting a private part of the attributes.

9. One or more tangible, non-transitory, machine-readable media comprising instruc- tions configured to cause a processor to encrypt for a functional encryption scheme, wherein processing the functional encryption scheme comprises: executing a computerized setup algorithm, the setup algorithm comprising: executing a functional encryption setup algorithm twice to generate a set of master public-secret key pairs FE.MSK and FE.MPK and a set of master public-secret key pairsFE ^̂.MSK and FE ^̂.MPK; outputting a master secret key MSK as FE.MSK and FE ^̂.MSK and a master public key MPK as FE.MPK and FE ^̂.MPK, and storing the output master keys in an electronic setup storage unit; executing a computerized key generation algorithm by: receiving the master secret key MSK as FE.MSK and FE ^̂.MSK from the setup storage unit and a function f where f comprises sub-functions f_t, wherein t represents an integer index; sampling random values α,β_t such that the sum of all entries of β_t is 0; sampling random values r_t for input for a garbling procedure, wherein the garbling procedure randomizes a function comprising α, f_t,β_t, wherein α and β_t are secrets, and the garbling procedure outputs a set of label functions {ℓ_j,t} where j runs over the number of label functions; setting values v as α and generating an FE secret key FE.SK for the values v; setting values v_1,t comprising ℓ_1,t,α, and generating an FE secret key FE.SK_1,t for the values v_1,t; setting values v_j,t as ℓ_j,t, and generating a FE secret key FE.SK_j,t for the values v_j,t; setting values v̂_t comprising r_t,α; generating a functional encryption secret key F̂E.SK_t for the values v̂_t; and outputting the secret key SK_f as FE.SK, {FE.SK_j,t}, {F̂E.SK_t} and f , and storing the output in an electronic key generation storage unit.

10. The one or more machine-readable media of claim 9, wherein processing the en- cryption method further comprises: receiving the master public key MPK as FE.MPK and FE ^̂.MPK, one or more public attributes x, and one or more private attributes z; sampling randomness s and setting values u comprising s, x, and computing FE ciphertext FE.CT for the value u; setting values h_t comprising of s and z, and computing FE ciphertext F̂E.CT_t for the value h_t; and outputting the ciphertext CT as FE.CT and F̂E.CT_t and storing the output in an electronic encryption device storage unit.

11. The one or more machine-readable media of claim 10, wherein processing the en- cryption method further comprises: receiving the function f and the secret key SK_f for function f ; receiving one or more public attributes x and a ciphertext CT for x; retrieving FE.SK, FE.SK_j,t, F̂E.SK_t from SK_f and retrieving FE.CT and F̂E.CT_t from CT; retrieving sub-functions f_t from the function f ; decrypting FE.CT by running the decryption algorithm of FE using the secret key FE.SK and get a value ρ; decrypting FE.CT by running the decryption algorithm of FE using the secret key FE.SK_j,t and get a value ℓ_j,t; decrypting F̂E.CT_t by running the decryption algorithm of FE using the secret key F̂E.SK_t and get a value ℓ_t; running the evaluation algorithm of the garbling scheme using the values ℓ_j,t, ℓ_t and the one or more public attributes x and the sub-function f_t, and get a value d; and recovering the functional value µ from ρ and d, and outputting the value µ as the plaintext and storing the output in an electronic decryption device storage unit.

12. The one or more machine-readable media of claim 9, wherein the first set is for encrypting a public part of attributes and the second set is for use in encrypting a private part of the attributes.