Verifiable Functional Encryption Using Intel SGX

Abstract

Most functional encryption schemes implicitly assume that inputs to decryption algorithms, i.e., secret keys and ciphertexts, are generated honestly. However, they may be tampered by malicious adversaries. Thus, verifiable functional encryption (VFE) was proposed by Badrinarayanan et al. in ASIACRYPT 2016 where anyone can publicly check the validity of secret keys and ciphertexts. They employed indistinguishability-based (IND-based) security due to an impossibility result of simulation-based (SIM-based) VFE even though SIM-based security is more desirable. In this paper, we propose a SIM-based VFE scheme. To bypass the impossibility result, we introduce a trusted setup assumption. Although it appears to be a strong assumption, we demonstrate that it is reasonable in a hardware-based construction, e.g., Fisch et al. in ACM CCS 2017. Our construction is based on a verifiable public-key encryption scheme (Nieto et al. in SCN 2012), a signature scheme, and a secure hardware scheme, which we refer to as VFE-HW. Finally, we discuss an implementation of VFE-HW using Intel Software Guard Extensions (Intel SGX).

A The Nieto et al. VPKE Scheme

In this appendix, we introduce the Nieto et al. VPKE scheme [33], Fig. 4] as follows. For the underlying One-Time Signature (OTS) scheme, we employ the discrete-log-based Wee OTS scheme [39], and for the DDH test, we employ symmetric pairings whether e(g, \(\pi \)) is the same as e(\(c_1\), \(u^tv\)) or not.

• VPKE.PGen(\(\mathsf{1}^{\lambda }\)): Choose (p, e, g, \({\mathbb G}\), \({\mathbb G}_T\)) where \({\mathbb G}\) and \({\mathbb G}_T\) are groups of \(\lambda \)-bit prime order p, \(g \in {\mathbb G}\) is a generator, and \(e: {\mathbb G} \times {\mathbb G} \rightarrow {\mathbb G}_T\) is a bilinear map. Let \(H: {\mathbb G} \rightarrow \{0,1\}^\mathsf{poly(\lambda )}\), \(H_{OTS}: \{0,1\}^{*} \rightarrow \{0,1\}^\mathsf{poly(\lambda )}\), and \(\mathsf{TCR}: {\mathbb G} \times \{0,1\} \rightarrow {\mathbb Z}_p\) be collision or target collision resistant hash functions where \(\mathsf{poly(\lambda )}\) is a polynomial in \({\lambda }\). Output pars = (p, e, g, \({\mathbb G}\), \({\mathbb G}_T\), H, \(H_{OTS}\), TCR).

• VPKE.KeyGen(pars): Parse pars = (p, e, g, \({\mathbb G}\), \({\mathbb G}_T\), H, \(H_{OTS}\), TCR). Choose \(x_1 \xleftarrow {\$} {\mathbb Z}_p^{*}\) and \(v \xleftarrow {\$} {\mathbb G}\) and compute \(u = g^{x_1}\). Output pk = (u, v) and dk = \(x_1\).

• VPKE.Enc(pars, pk, msg): Parse pars = (p, e, g, \({\mathbb G}\), \({\mathbb G}_T\), H, \(H_{OTS}\), TCR) and pk = (u, v). Choose \(s_0, s_1,x_2,r,n \xleftarrow {\$} {\mathbb Z}_p^{*}\) and compute \(u_0 = g^{s_0}\), \(u_1 = g^{s_1}\), \(c^{\prime } = g^{x_2}\), \(c_1 = g^r\), \(t \leftarrow TCR(c_1, (u_0, u_1, c^{\prime }))\), \(K \leftarrow H(u^r)\) and \(\pi \leftarrow (u^tv)^r\). Set \(c_2 \leftarrow \mathsf{msg} \oplus K\) and \(c = (c_1, c_2, \pi )\). Compute \(w \leftarrow x_2 + ns_0 + s_1(H_{OTS}(c) + n)\). Output \(\mathsf{CT} \leftarrow (c, (n, w), (u_0, u_1, c^{\prime }))\).

• VPKE.Ver(pars, pk, CT): Parse pars = (p, e, g, \({\mathbb G}\), \({\mathbb G}_T\), H, \(H_{OTS}\), TCR), pk = (u, v), \(\mathsf{CT} = (c, (n, w), (u_0, u_1, c^{\prime }))\) and \(c = (c_1, c_2, \pi )\). Compute \(t \leftarrow TCR(c_1, (u_0, u_1, c^{\prime }))\) and \(\pi \leftarrow (u^tv)^r\). If \(e(g, \pi ) \ne e(c_1, u^tv)\) or \(g^w \ne c^{\prime }u_0^n\cdot u_1^{H_{OTS}(c)+n}\), then output 0. Otherwise, output 1.

• VPKE.Conv: Parse pars = (p, e, g, \({\mathbb G}\), \({\mathbb G}_T\), H, \(H_{OTS}\), TCR), pk = (u, v), \(\mathsf{CT} = (c, (n, w), (u_0, u_1, c^{\prime }))\) and \(c = (c_1, c_2, \pi )\). Output \(\mathsf{CT}^{\prime } = (c_1, c_2)\).

• \(\mathsf{VPKE.Dec^{\prime }}\)(pars, pk, dk, \(CT^{\prime }\) ): Parse pars = (p, e, g, \({\mathbb G}\), \({\mathbb G}_T\), H, \(H_{OTS}\), TCR), pk = (u, v), \(\mathsf{dk} =x_1\) and \(\mathsf{CT}^{\prime } = (c_1, c_2)\). Compute \(K \leftarrow H(c_1^{x_1})\) and set \(\mathsf{msg} \leftarrow c_2 \oplus K\). Output msg.