5

In the definition of functional encryption ($FE$):

$FE.Setup(1^k)$ takes as input the security parameter $1^k$ and outputs a master public key $fmpk$ and a master secret key $fmsk$.

$FE.KeyGen(fmsk, f)$ takes as input the master secret key $fmsk$ and a function $f$ and outputs a key $sk_f$.

$FE.Enc(fmpk,x)$ takes as input the master public key $fmpk$ and an input $x$ and outputs a ciphertext $c$.

$FE.Dec(sk_f,c)$ takes as input a key $sk_f$ and a ciphertext $c$ and outputs a value $f(x)$.

Suppose that Alice runs $FE.Setup(1^k)$ and $FE.KeyGen(fmsk, f)$ where $f$ is a probabilistic function. Then she sends $sk_f$ and $fmpk$ to Bob.

Bob runs $FE.Enc(fmpk,x)$ and $FE.Dec(sk_f,c)$ to get $f(x)$.

Is this possible? I mean as $f$ is probabilistic, it has to access Bob's randomness pool.
Bob can provide a faked pool. How can one guarantee the privacy of $f$?

Jan Leo

1 Answer

3

There are ways to prevent Bob from having complete control over the randomness pool. You could use some form of verified randomness, where your function $f$ checks that the random string is signed before executing. This would work using, for instance, the NIST randomness beacon. You could also contain within $f$ a PRNG, so Bob does not need to provide all the randomness but only a seed (which could actually be signed and provided by Alice or another trusted party). But in the end, there is no way to guarantee statefulness between function calls, so nothing stops Bob from providing the same randomness to $f$ every time. This is a fundamental issue, I believe.

Travis Mayberry
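The following is an added example, not part of the original question or answer: a plain-Python model of a probabilistic $f$ that only runs on an authenticated seed and expands it with an internal PRNG, showing that the check stops Bob from choosing a seed but not from replaying one. It models only the logic of $f$ (no FE scheme is involved); HMAC-SHA256 stands in for the signature scheme, and the key, seeds and the noise function are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key. HMAC stands in for the signature scheme the answer
# mentions (assumption, to keep the example standard-library only).
ALICE_KEY = b"constructed-demo-key-not-a-real-secret"

def alice_sign_seed(seed: bytes) -> bytes:
    """Alice (or another trusted party) authenticates a seed for Bob."""
    return hmac.new(ALICE_KEY, seed, hashlib.sha256).digest()

def prng_bytes(seed: bytes, n: int) -> bytes:
    """PRNG contained in f: SHA-256 in counter mode over the seed."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def f(x: int, seed: bytes, tag: bytes) -> int:
    """Hypothetical probabilistic f: x plus one noise byte from the PRNG."""
    if not hmac.compare_digest(alice_sign_seed(seed), tag):
        raise ValueError("seed was not authenticated by Alice")
    return x + prng_bytes(seed, 1)[0]

def demo():
    """Returns (forged seed rejected, replay is deterministic, f(x+7)-f(x))."""
    x = 1000
    seed_a = b"seed-0001"          # constructed sample seed
    tag_a = alice_sign_seed(seed_a)
    try:
        f(x, b"bob-chosen-seed", tag_a)   # seed Bob made up himself
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    # f keeps no state between calls, so a replayed seed repeats the output.
    replay_same = f(x, seed_a, tag_a) == f(x, seed_a, tag_a)
    # Under a replayed seed the noise is identical for every input.
    diff = f(x + 7, seed_a, tag_a) - f(x, seed_a, tag_a)
    return forged_rejected, replay_same, diff

if __name__ == "__main__":
    print(demo())
```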