On the security of functional encryption in the generic group model

Abstract

In the context of functional encryption (FE), a weak security notion called selective security, which enforces the adversary to complete a challenge prior to seeing the system parameters, is used to argue in favor of the security of proposed cryptosystems. These results are often considered as an intermediate step to design adaptively secure cryptosystems. In fact, selectively secure FE schemes play a role of more than an intermediate step in many cases. If we restrict our attention to group-based constructions, it is not surprising to find several selectively secure FE schemes such that no successful adaptive adversary is found yet and/or it is also believed that no adaptive adversary will be found in practice even in the future. In this paper, we aim at clarifying these beliefs rigorously in the ideal model, called generic group model (GGM). First, we refine the definitions of the GGM and the security notions for FE scheme for clarification. Second, we formalize a group-based FE scheme with some conditions and then show that for any group-based FE scheme satisfying these conditions we can reduce from its selective security in the standard model to adaptive security in the GGM, in particular, regardless of the functionality of FE schemes. Our reduction is applicable to many existing selectively secure FE schemes with various functionalities, e.g., the FE scheme for quadratic functions of Baltico et al. (CRYPTO, 2017), the predicate encryption scheme of Katz et al. (J Cryptol in 26:191–224, 2013), and Boneh and Boyen’s identity-based encryption scheme (EUROCRYPT 2004).