Attribute-Based Multi-input FE (and More) for Attribute-Weighted Sums.

Recently, Abdalla, Gong and Wee (Crypto 2020) provided the first functional encryption scheme for attribute-weighted sums (AWS), where encryption takes as input N (unbounded) attribute-value pairs { x i , z i } i ∈ [ N ] where x i is public and z i is private, the secret key is associated with an arithmetic branching programs f , and decryption returns the weighted sum ∑ i ∈ [ N ] f ( x i ) ⊤ z i , leaking no additional information about the z i ’s. We extend FE for AWS to the significantly more challenging multi-party setting and provide the first construction for attribute-based multi-input FE (MIFE) supporting AWS. For i ∈ [ n ] , encryptor i can choose an attribute y i together with AWS input { x i , j , z i , j } where j ∈ [ N i ] and N i is unbounded, the key generator can choose an access control policy g i along with its AWS function h i for each i ∈ [ n ] , and the decryptor can compute Our attribute based MIFE implies the notion of multi-input attribute based encryption (MIABE) recently studied by Agrawal, Yadav and Yamada (Crypto 2022) and Francati, Friolo, Malavolta and Venturi (Eurocrypt 2023), for a conjunction of predicates represented as arithmetic branching programs (ABP). Along the way, we also provide the first constructions of multi-client FE (MCFE) 3 and dynamic decentralized FE (DDFE) for the AWS functionality. Previously, the best known MCFE and DDFE schemes were for inner products (Chotard et al. ePrint 2018, Abdalla, Benhamouda and Gay, Asiacrypt 2019, and Chotard et al. Crypto 2020). Our constructions are based on pairings and proven selectively secure under the matrix DDH assumption.( 3 The literature considers two notions termed as MCFE, one strictly stronger than the other. The stronger notion implies MIFE while the weaker does not. Here, we refer to the stronger notion, making MCFE a strict generalization of MIFE.)