## Abstract

Private-key functional encryption enables fine-grained access to symmetrically encrypted data. Although private-key functional encryption (supporting an unbounded number of keys and ciphertexts) seems significantly weaker than its public-key variant, its known realizations all rely on public-key functional encryption. At the same time, however, up until recently it was not known to imply any public-key primitive, demonstrating our poor understanding of this primitive. Bitansky et al. (Theory of cryptography—14th international conference, TCC 2016-B, 2016) showed that sub-exponentially secure private-key function encryption bridges from nearly exponential security in Minicrypt to slightly super-polynomial security in Cryptomania, and from sub-exponential security in Cryptomania to Obfustopia. Specifically, given any sub-exponentially secure private-key functional encryption scheme and a nearly exponentially secure one-way function, they constructed a public-key encryption scheme with slightly super-polynomial security. Assuming, in addition, a sub-exponentially secure public-key encryption scheme, they then constructed an indistinguishability obfuscator (or a public-key functional encryption scheme if the given building blocks are polynomially secure).

We show that quasi-polynomially secure private-key functional encryption bridges from sub-exponential security in Minicrypt all the way to Cryptomania. First, given any quasi-polynomially secure private-key functional encryption scheme, we construct an indistinguishability obfuscator for circuits with inputs of poly-logarithmic length. Then, we observe that such an obfuscator can be used to instantiate many natural applications of indistinguishability obfuscation. Specifically, relying on sub-exponentially secure one-way functions, we show that quasi-polynomially secure private-key functional encryption implies not just public-key encryption but leads all the way to public-key functional encryption for circuits with inputs of poly-logarithmic length. Moreover, relying on sub-exponentially secure injective one-way functions, we show that quasi-polynomially secure private-key functional encryption implies a hard-on-average distribution over instances of a PPAD-complete problem. Underlying our constructions is a new transformation from single-input functional encryption to multi-input functional encryption in the private-key setting. The previously known such transformation (Brakerski et al. J Cryptol 31(2):434–520, 2018) required a sub-exponentially secure single-input scheme, and obtained a scheme supporting only a slightly super-constant number of inputs. Our transformation both relaxes the underlying assumption and supports more inputs: Given any quasi-polynomially secure single-input scheme, we obtain a scheme supporting a poly-logarithmic number of inputs.

This is a preview of subscription content, log in to check access.

## Notes

- 1.
As a concrete (yet quite general) example, consider a user who stores her data on a remote server: The user uses the master secret key both for encrypting her data, and for generating functional keys that will enable the server to offer her various useful services.

- 2.
This is not true in various restricted cases, for example, when the functional encryption scheme has to support an a priori bounded number of functional keys or ciphertexts [39]. However, as mentioned, we focus on schemes that support an unbounded number of functional keys and ciphertexts.

- 3.
This holds even if the construction is allowed to generate functional keys (in a non-black-box manner) for any circuit that invokes one-way functions in a black-box manner.

- 4.
- 5.
In this work, we focus on selectively secure schemes, where an adversary first submits all of its encryption queries, and can then adaptively interact with the key-generation oracle (see Definition 2.7). This notion of security suffices for the applications we consider in this paper.

- 6.
A similar strategy was also employed by Ananth and Jain [4] that showed how to use any

*t*-input private-key scheme to get a private-key \((t+1)\)-input scheme under the additional assumption that a*public-key*functional encryption scheme exists. Their construction, however, did not incur the polynomial blowup and could be applied all the way to get a scheme that supports a polynomial number of inputs. - 7.
We note that the notion of

*function privacy*is very different from the one in the private-key setting, and in particular, natural definitions already imply obfuscation. - 8.
We focus on selective security and do not define full security since there is a generic transformation [3].

- 9.
The injective one-way function can be relaxed to be a family of one-way functions such that a random element is an injective function with high probability. Furthermore, this primitive will not be used in the construction, but rather only in the proof of security.

## References

- 1.
S. Agrawal, S. Agrawal, S. Badrinarayanan, A. Kumarasubramanian, M. Prabhakaran, A. Sahai, Function private functional encryption and property preserving encryption: new definitions and positive results. Cryptology ePrint Archive, Report 2013/744 (2013)

- 2.
P. Ananth, D. Boneh, S. Garg, A. Sahai, M. Zhandry, Differing-inputs obfuscation and applications. Cryptology ePrint Archive, Report 2013/689 (2013)

- 3.
P. Ananth, Z. Brakerski, G. Segev, V. Vaikuntanathan, From selective to adaptive security in functional encryption, in

*Advances in Cryptology—CRYPTO ’15*(2015), pp. 657–677 - 4.
P. Ananth, A. Jain, Indistinguishability obfuscation from compact functional encryption, in

*Advances in Cryptology—CRYPTO ’15*(2015), pp. 308–326 - 5.
P. Ananth, A. Jain, M. Naor, A. Sahai, E. Yogev, Universal constructions and robust combiners for indistinguishability obfuscation and witness encryption, in

*Advances in Cryptology—CRYPTO ’16*(2016), pp. 491–520 - 6.
P. Ananth, A. Jain, A. Sahai, Achieving compactness generically: indistinguishability obfuscation from non-compact functional encryption. Cryptology ePrint Archive, Report 2015/730 (2015)

- 7.
T. Abbot, D. Kane, P. Valiant, On algorithms for Nash equilibria (2004)

- 8.
G. Asharov, G. Segev, Limits on the power of indistinguishability obfuscation and functional encryption.

*SIAM J. Comput.*,**45**(6), 2117–2176 (2016) - 9.
E. Boyle, K. Chung, R. Pass, On extractability obfuscation, in

*Proceedings of the 11th Theory of Cryptography Conference, TCC*(2014), pp. 52–73 - 10.
Z. Brakerski, C. Gentry, S. Halevi, T. Lepoint, A. Sahai, M. Tibouchi, Cryptanalysis of the quadratic zero-testing of GGH. Cryptology ePrint Archive, Report 2015/845 (2015)

- 11.
B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs.

*J. ACM*,**59**(2), 6 (2012) - 12.
E. Boyle, S. Goldwasser, I. Ivan, Functional signatures and pseudorandom functions, in

*Proceedings of the 17th International Conference on Practice and Theory in Public-Key Cryptography*(2014), pp. 501–519 - 13.
Z. Brakerski, I. Komargodski, G. Segev, Multi-input functional encryption in the private-key setting: stronger security from weaker assumptions.

*J. Cryptol.*,**31**(2), 434–520 (2018) - 14.
D. Boneh, K. Lewi, M. Raykova, A. Sahai, M. Zhandry, J. Zimmerman, Semantically secure order-revealing encryption: Multi-input functional encryption without obfuscation, in

*Advances in Cryptology—EUROCRYPT ’15*(2015), pp. 563–594 - 15.
N. Bitansky, R. Nishimaki, A. Passelègue, D. Wichs, From Cryptomania to Obfustopia through secret-key functional encryption, in

*Theory of Cryptography—14th International Conference, TCC 2016-B*(2016), pp. 391–418 - 16.
N. Bitansky, O. Paneth, A. Rosen, On the cryptographic hardness of finding a Nash equilibrium, in

*Proceedings of the 56th Annual IEEE Symposium on Foundations of Computer Science*(2015), pp. 1480–1498 - 17.
D. Boneh, A. Raghunathan, G. Segev, Function-private identity-based encryption: hiding the function in functional encryption, in

*Advances in Cryptology—CRYPTO ’13*(2013), pp. 461–478 - 18.
D. Boneh, A. Raghunathan, G. Segev, Function-private subspace-membership encryption and its applications, in

*Advances in Cryptology—ASIACRYPT ’13*(2013), pp. 255–275 - 19.
Z. Brakerski, G. Segev, Function-private functional encryption in the private-key setting, in

*Proceedings of the 12th Theory of Cryptography Conference, TCC*(2015), pp. 306–324 - 20.
D. Boneh, A. Sahai, B. Waters, Functional encryption: definitions and challenges, in

*Proceedings of the 8th Theory of Cryptography Conference, TCC*(2011), pp. 253–273 - 21.
D. Boneh, A. Sahai, B. Waters, Functional encryption: a new vision for public-key cryptography.

*Commun. ACM*,**55**(11), 56–64 (2012) - 22.
N. Bitansky, V. Vaikuntanathan, Indistinguishability obfuscation from functional encryption, in

*Proceedings of the 56th Annual IEEE Symposium on Foundations of Computer Science*(2015), pp. 171–190 - 23.
D. Boneh, B. Waters, Constrained pseudorandom functions and their applications, in

*Advances in Cryptology—ASIACRYPT ’13*(2013), pp. 280–300 - 24.
X. Chen, X. Deng, S. Teng, Settling the complexity of computing two-player Nash equilibria.

*J. ACM*,**56**(3), 14 (2009) - 25.
J.H. Cheon, P. Fouque, C. Lee, B. Minaud, H. Ryu, Cryptanalysis of the new CLT multilinear map over the integers, in

*Advances in Cryptology—EUROCRYPT*(2016), pp. 509–536 - 26.
J. Coron, C. Gentry, S. Halevi, T. Lepoint, H.K. Maji, E. Miles, M. Raykova, A. Sahai, M. Tibouchi, Zeroizing without low-level zeroes: new MMAP attacks and their limitations, in

*Advances in Cryptology—CRYPTO ’15*(2015), pp. 247–266 - 27.
J.H. Cheon, K. Han, C. Lee, H. Ryu, D. Stehlé, Cryptanalysis of the multilinear map over the integers, in

*Advances in Cryptology—EUROCRYPT ’15*(2015), pp. 3–12 - 28.
J.H. Cheon, J. Jeong, C. Lee, An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without an encoding of zero. Cryptology ePrint Archive, Report 2016/139 (2016)

- 29.
C. Daskalakis, P. W. Goldberg, C.H. Papadimitriou, The complexity of computing a Nash equilibrium.

*Commun. ACM*,**52**(2), 89–97 (2009) - 30.
C. Daskalakis, P.W. Goldberg, C.H. Papadimitriou, The complexity of computing a Nash equilibrium.

*SIAM J. Comput.*,**39**(1), 195—259 (2009) - 31.
C. Daskalakis, C.H. Papadimitriou, Continuous local search, in

*Proceedings of the 22nd Annual ACM-SIAM Symposium on Discrete Algorithms*(2011), pp. 790–804 - 32.
S. Goldwasser, S.D. Gordon, V. Goyal, A. Jain, J. Katz, F.-H. Liu, A. Sahai, E. Shi, H.-S. Zhou, Multi-input functional encryption, in

*Advances in Cryptology—EUROCRYPT ’14*(2014), pp. 578–602 - 33.
S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, B. Waters, Candidate indistinguishability obfuscation and functional encryption for all circuits, in

*Proceedings of the 54th Annual IEEE Symposium on Foundations of Computer Science*(2013), pp. 40–49 - 34.
S. Garg, C. Gentry, S. Halevi, M. Zhandry, Functional encryption without obfuscation, in

*Proceedings of the 13th Theory of Cryptography Conference, TCC*(2016), pp. 480–511 - 35.
O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions.

*J. ACM*,**33**(4), 792-807 (1986) - 36.
S. Goldwasser, Y. Kalai, R.A. Popa, V. Vaikuntanathan, N. Zeldovich, Reusable garbled circuits and succinct functional encryption, in

*Proceedings of the 45th Annual ACM Symposium on Theory of Computing*(2013), pp. 555–564 - 37.
S. Garg, O. Pandey, A. Srinivasan, Revisiting the cryptographic hardness of finding a Nash equilibrium, in

*Advances in Cryptology—CRYPTO ’16*(2016), pp. 579–604 - 38.
S. Garg, A. Srinivasan, Single-key to multi-key functional encryption with polynomial loss, in

*Theory of Cryptography—14th International Conference, TCC*(2016), pp. 419–442 - 39.
S. Gorbunov, V. Vaikuntanathan, H. Wee, Functional encryption with bounded collusions via multi-party computation, in

*Advances in Cryptology—CRYPTO ’12*(2012), pp. 162–179 - 40.
Y. Hu, H. Jia, Cryptanalysis of GGH map, in

*Advances in Cryptology—EUROCRYPT*(2016), pp. 537–565 - 41.
P. Hubácek, E. Yogev, Hardness of continuous local search: Query complexity and cryptographic lower bounds, in

*Proceedings of the 28th Annual ACM-SIAM Symposium on Discrete Algorithms, SODA*(2017), pp. 1352–1371 - 42.
R. Impagliazzo, A personal view of average-case complexity, in

*Proceedings of the 10th Annual Structure in Complexity Theory Conference*(1995), pp. 134–147 - 43.
I. Komargodski, T. Moran, M. Naor, R. Pass, A. Rosen, E. Yogev, One-way functions and (im)perfect obfuscation, in

*Proceedings of the 55th Annual IEEE Symposium on Foundations of Computer Science*(2014), pp. 374–383 - 44.
F. Kitagawa, R. Nishimaki, K. Tanaka, Obfustopia built on secret-key functional encryption, in

*Advances in Cryptology—EUROCRYPT*(2018), pp. 603–648 - 45.
A. Kiayias, S. Papadopoulos, N. Triandopoulos, T. Zacharias, Delegatable pseudorandom functions and applications, in

*Proceedings of the 20th Annual ACM Conference on Computer and Communications Security*(2013), pp. 669–684 - 46.
I. Komargodski, G. Segev, E. Yogev, Functional encryption for randomized functionalities in the private-key setting from minimal assumptions.

*J. Cryptol.*,**31**(1), 60–100 (2018) - 47.
B. Li, D. Micciancio, Compactness vs collusion resistance in functional encryption, in

*Theory of Cryptography—14th International Conference, TCC*(2016), pp. 443–468 - 48.
E. Miles, A. Sahai, M. Zhandry, Annihilation attacks for multilinear maps: cryptanalysis of indistinguishability obfuscation over GGH13, in

*Advances in Cryptology—CRYPTO*(2016), pp. 629–658 - 49.
A. O’Neill, Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010)

- 50.
C.H. Papadimitriou, On the complexity of the parity argument and other inefficient proofs of existence.

*J. Comput. Syst. Sci.*,**48**(3), 498-532 (1994) - 51.
E. Shen, E. Shi, B. Waters, Predicate privacy in encryption systems, in

*Proceedings of the 6th Theory of Cryptography Conference, TCC*(2009), pp. 457–473 - 52.
A. Sahai, B. Waters, Slides on functional encryption (2008). http://www.cs.utexas.edu/~bwaters/presentations/files/functional.ppt

- 53.
A. Sahai, B. Waters, How to use indistinguishability obfuscation: deniable encryption, and more, in

*Proceedings of the 46th Annual ACM Symposium on Theory of Computing*(2014), pp. 475–484 - 54.
B. Waters, A punctured programming approach to adaptively secure functional encryption, in

*Advances in Cryptology—CRYPTO ’15*(2015), pp. 678–697

## Acknowledgements

We thank Zvika Brakerski and the anonymous referees for many valuable comments. The first author thanks his advisor Moni Naor for his support and guidance.

## Author information

### Affiliations

### Corresponding author

## Additional information

### Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Ilan Komargodski: Supported in part by a Packard Foundation Fellowship and by an AFOSR Grant FA9550-15-1-0262. Work done while being a Ph.D. student at the Weizmann Institute of Science, supported by grants from the Israel Science Foundation (No. 950/16) and by a Levzion Fellowship.

Gil Segev: Supported by the European Union’s 7th Framework Program (FP7) via a Marie Curie Career Integration Grant, by the European Union’s Horizon 2020 Framework Program (H2020) via an ERC Grant (Grant No. 714253), by the Israel Science Foundation (Grant No. 483/13), by the Israeli Centers of Research Excellence (I-CORE) Program (Center No. 4/11), by the US-Israel Binational Science Foundation (Grant No. 2014632), and by a Google Faculty Research Award.

Communicated by Rafail Ostrovsky.

## Rights and permissions

## About this article

### Cite this article

Komargodski, I., Segev, G. From Minicrypt to Obfustopia via Private-Key Functional Encryption.
*J Cryptol* **33, **406–458 (2020). https://doi.org/10.1007/s00145-019-09327-x

Received:

Revised:

Published:

Issue Date:

### Keywords

- Private-key functional encryption
- Multi-input functional encryption
- PPAD hardness
- Indistinguishability obfuscation