In a Multi-Input Functional Encryption (MIFE) scheme, n clients each obtain a secret encryption key from a trusted authority. Each client i can encrypt its data using its secret key. The authority can use its master secret key to compute a functional key given a function f, and the functional key can be applied to a collection of n clients’ ciphertexts, resulting in the outcome of f on the clients’ data. If an MIFE scheme hides not only the clients’ data but also the function f, we say it is function hiding. In this work, we study function-hiding security of two variants of MIFE for inner-product computations.
Multi-Client Functional Encryption (MCFE) is a strengthening of MIFE where clients associate their encrypted data with some time step t and the outcome of f can be computed only on ciphertexts encrypted to the same time step. Although MCFE for inner-product computation has been extensively studied, most earlier works on MCFE do not achieve func- tion privacy. The recent work by Agrawal et al. showed how to construct a function-hiding MCFE for inner-product from standard assumptions and the existence of a random oracle. An intriguing open question is whether we can achieve the same without random oracles. In this work, we are the first to show such a function-hiding MCFE for inner products, relying on the standard Decisional Linear assumption. Our main technical contribution is a new up- grade from single-input functional encryption for inner-products to a multi-client one; and, if the single-input scheme is function-hiding, so is the resulting multi-client scheme.
Ad Hoc MIFE (AMIFE) is a decentralized version of MIFE. In AMIFE, the users can jointly decide in a decentralized way what function they would allow to be evaluated on their joint data. The aforementioned work by Agrawal et al. also showed how to construct a function-hiding AMIFE scheme for inner-products, relying on standard bilinear group assumptions, and without random oracles. We construct a new AMIFE scheme that provides the same security guarantees as this earlier work but our construction provides a nicer abstraction making the scheme and the security proofs conceptually simpler.