## Section: New Results

### Cryptographic Protocols

Participants : Guilhem Castagnos, Ida Tucker.

In [24], G. Castagnos, F. Laguillaumie and I. Tucker revisit a recent cryptographic primitive called *Functional encryption for inner products* (FE4IP).

Functional encryption (FE) is an advanced cryptographic primitive which allows, for a single encrypted message, to finely control how much information on the encrypted data each receiver can recover. To this end many functional secret keys are derived from a master secret key. Each functional secret key allows, for a ciphertext encrypted under the associated public key, to recover a specific function of the underlying plaintext.

Since constructions for general FE that appear in the past five years are far from practical, the problem arose of building efficient FE schemes for restricted classes of functions; and in particular for linear functions, (i.e. the inner product functionality). Such constructions yield many practical applications, while developing our understanding of FE.

Though such schemes had already been conceived in the past three years (Abdalla *et al.* 2015, Agrawal *et al.* 2016), they all suffered of practical drawbacks. Namely the computation of inner products modulo a prime are restricted, in that they require that the resulting inner product be small for decryption to be efficient. The only existing scheme that overcame this constraint suffered of poor efficiency due in part to very large ciphertexts.
This work overcomes these limitations and we build the first FE schemes for inner products modulo a prime that are both efficient and recover the result whatever its size.

To this end, Castagnos *et al.* introduce two new cryptographic assumptions. These are variants of the assumptions used for the Castagnos-Laguillaumie encryption of 2015. This supposes the existence of a cyclic group $G$ where the decision Diffie-Hellman assumption holds together with a subgroup $F$ of $G$ where the discrete logarithm problem is easy. This setting allows to encode information in the exponent of the subgroup $F$, which can be efficiently recovered whatever its size.

From these assumptions Castagnos *et al.* construct generic, linearly homomorphic encryption schemes over a field of prime order which are semantically secure under chosen plaintext attacks.
They then use the homomorphic properties of the above schemes to construct generic inner product FE schemes over the integers and over fields of prime order. They thereby provide constructions for inner product FE modulo a prime $p$ that do not restrict the size of the inputs or of the resulting inner product, which are the most efficient such schemes to date.

This paper was presented at the ASIACRYPT Conference 2018, and is part of the Alambic project.