Privacy-Preserving Traceable Functional Encryption for Inner Product
Muyao Qiu, Jinguang Han
TL;DR
This paper introduces Privacy-Preserving Traceable Functional Encryption for Inner Product (PPTFE-IP), addressing the keyEscrow/privacy tension in FE-IP by binding a user’s identity to their secret key while enabling a privacy-preserving two-party key generation with a dedicated tracer. It presents a concrete construction based on asymmetric pairings, formalizes the PPTFE-IP definitions and security models, and provides a PPKeyGen protocol that ensures leakage-freeness and selective-failure-blindness, enabling tracing only by an authorized tracer. The authors prove security reductions under standard assumptions (e.g., DL, q-SDH) and compare efficiency with existing TFE-IP schemes, including an implementation and evaluation showing practical performance and tracing efficiency. Overall, the work delivers a viable framework for privacy-preserving traceable FE-IP with concrete algorithms, security proofs, and empirical validation, enabling accountable data processing without compromising user anonymity when tracing is not required.
Abstract
Functional encryption introduces a new paradigm of public key encryption that decryption only reveals the function value of encrypted data. To curb key leakage issues and trace users in FE-IP, a new primitive called traceable functional encryption for inner product (TFE-IP) has been proposed. However, the privacy protection of user's identities has not been considered in the existing TFE-IP schemes. In order to balance privacy and accountability, we propose the concept of privacy-preserving traceable functional encryption for inner product (PPTFE-IP) and give a concrete construction. Our scheme provides the following features: (1) To prevent key sharing, a user's key is bound with both his/her identity and a vector; (2) The key generation center (KGC) and a user execute a two-party secure computing protocol to generate a key without the former knowing anything about the latter's identity; (3) Each user can verify the correctness of his/her key; (4) A user can calculate the inner product of the two vectors embedded in his/her key and in a ciphertext; (5) Only the tracer can trace the identity embedded in a key. The security of our scheme is formally reduced to well-known complexity assumptions, and the implementation is conducted to evaluate its efficiency. The novelty of our scheme is to protect users' privacy and provide traceability if required.