Functional Encryption: Decentralized and Delegatable

Recent advances in encryption schemes have allowed us to go far beyond point to point encryption, the scenario typically envisioned in public key encryption. In particular, Functional Encryption (FE) allows an authority to provide users with keys corresponding to various functions, such that a user with a secret key corresponding to a function f , can compute f(m) (and only that) from a cipher-text that encrypts m. While FE is a very powerful primitive, a key downside is the requirement of a central point of trust. FE requires the assumption of a central trusted authority which performs the system setup as well as manages the credentials of every party in the system on an ongoing basis. This is in contrast to public key infrastructure which may have multiple certificate authorities and allows a party to have different (and varying) level of trust in them. In this work, we address this issue of trust in two ways: ◦ First, we ask how realistic it is to have a central authority that manages all credentials and is trusted by everyone? For example, one may need to either obtain the permission of an income tax official or the permission of the police department and a court judge in order to be able to obtain specific financial information of a user from encrypted financial data. Towards that end, we introduce a new primitive that we call Multi-Authority Functional Encryption (MAFE) as a generalization of both Functional Encryption and Multi-Authority Attribute-Based Encryption (MABE). We show how to obtain MAFE for arbitrary polynomial-time computations based on subexponentially secure indistinguishability obfuscation and injective one-way functions. ◦ Second, we consider the notion of delegatable functional encryption where any user in the system may independently act as a key generation authority. In delegatable FE, any user may derive a decryption key for a policy which is “more restrictive” than its own. Thus, in delegatable functional encryption, keys can be generated in a hierarchical way, instead of directly by a central authority. In contrast to MAFE, however, in a delegatable FE scheme, the trust still “flows” outward from the central authority. Finally, we remark that our techniques are of independent interest: we construct FE in arguably a more natural way where a decryption key for a function f is simply a signature on f . Such a direct approach allows us to obtain a construction with interesting properties enabling multiple authorities as well as delegation. ∗Microsoft Research, India. Email: [email protected]. †Microsoft Research, India. Email: [email protected]. ‡UCLA, USA. Email: [email protected]. Work done in part while at Microsoft Research, India. §UCLA, USA. Email: [email protected].