FENTEC project provided the first fully-fledged functional encryption library. By fully-fledged we mean a library where the user can choose via an easy-to-use API between different schemes and each scheme can be instantiated from different cryptographic primitives.
What do we mean by choosing different schemes via an easy-to-use API? Well, functional encryption is a broad area and there are many schemes designed which serve for different purposes. Our libraries offer schemes for linear (also called inner-products) and quadratic polynomials. These can be single- or multi-client. Some offer a trusted key generation authority and some are decentralized which means no central trusted authority is needed. Also, our libraries offer schemes for attribute-based encryption.
These are a lot of new terms for almost anybody who is not a professional cryptographer. Let's try to explain at least some of them.
With inner-products we mean:
- Alice encrypts vector
- Bob would like to know the value
- Central authority generates a functional encryption key for vector let's name it key_y.
- Central authority passes the key to Bob
- With key_y Bob can compute (decrypt) the value of (inner product of vector x and y). Bob knowns absolutely nothing about the vector x (except the inner product x * y)
This means Bob was not able to decrypt x, but only some "function" of vector . This function is given by
How do quadratic polynomial schemes differ from linear (inner-product) schemes? Well, the function in this case is quadratic, for example
where are some constants.
What does it mean single- or multi-client scheme? Let's check another example:
- Alice encrypts vector
- John encrypts a vector
- Andrew encrypts a vector
- Bob would like to know the value of
- Central authority generates a functional encryption key for a vector and passes it to Bob
- Bob can now compute the value of . Not only that he knows nothing about vectors x, z, u, he also does not know the values of:
Bob only knows the value .
Lastly, decentralized schemes enable the generation of functional encryption keys without a central authority.
Attribute-based encryption schemes are slightly different kind of beasts. They provide functionality where a client can access or not access the decryption data of a ciphertext based on a set of attributes that he or she possesses.
At the beginning, we mentioned also different cryptographic primitives. As it turns out most practical functional encryption schemes are based either on modular arithmetic, pairings, or lattices. Implementation of functional encryptions schemes based on modular arithmetic is relatively straight-forward. On the other hand, the implementation of schemes based on pairings and lattices requires lower-level math artillery. Quite surprisingly all the required functionality for pairings is provided only by a handful of libraries. Furthermore, there is no fully-fledged library for lattice-based cryptography that could be easily reused. Therefore we provided a missing functionality for pairings in our fork of Barreto-Naehrig bilinear pairings implementation. Furthermore, in both, GoFE and CiFEr, we provide a wide variety of lattice primitives.
Functional encryption schemes enable various advanced real-world applications. For some examples please see FENTEC use cases . Perhaps surprisingly, these schemes also enable advanced machine learning models (like neural networks) on encrypted data - you might check a tiny demonstrator on our Github account.