GoFE - Functional Encryption library
<p align="center"> <img src="GoFE_logo.png" width="160" /> </p>

GoFE is a cryptographic library offering different state-of-the-art implementations of functional encryption schemes, specifically FE schemes for linear (e.g. inner products) and quadratic polynomials.
To quickly get familiar with FE, read a short and very high-level introduction on our Introductory Wiki page. A more detailed introduction with lots of interactive diagrams can be found on this blog.
Before using the library
Please note that the library is a work in progress and has not yet reached a stable release. Code organization and APIs are not stable. You can expect them to change at any point.
The purpose of GoFE is to support research and proof-of-concept implementations. It should not be used in production.
Installing GoFE
First, download and build the library by running either
`go install github.com/fentec-project/gofe/...` or
`go get -u -t github.com/fentec-project/gofe/...` from the terminal (note that this also
downloads and builds all the dependencies of the library).
Please note that from Go version 1.18 on, `go get` will no longer build packages,
and `go install` should be used instead.
To make sure the library works as expected, navigate to your `$GOPATH/pkg/mod/github.com/fentec-project/gofe`
directory and run `go test -v ./...`.
If you are still using a Go version below 1.16 or have `GO111MODULE=off` set, navigate to `$GOPATH/src/github.com/fentec-project/gofe` instead.
Using GoFE in your project
After you have successfully built the library, you can use it in your project. Instructions below provide a brief introduction to the most important parts of the library, and guide you through a sequence of steps that will quickly get your FE example up and running.
Select the FE scheme
You can choose from the following set of schemes:
Inner product schemes
You will need to import packages from the `innerprod` directory.
We organized implementations in two categories based on their security assumptions:
- Schemes with selective security under chosen-plaintext attacks (s-IND-CPA security):
  - Scheme by Abdalla, Bourse, De Caro, Pointcheval (paper). The scheme can be instantiated from DDH (`simple.DDH`) and LWE (`simple.LWE`) primitives.
  - Ring-LWE scheme based on Bermudo Mera, Karmakar, Marc, and Soleimanian (paper), see `simple.RingLWE`.
  - Multi-input scheme based on paper by Abdalla, Catalano, Fiore, Gay, Ursu (paper) and instantiated from the scheme in the first point (`simple.DDHMulti`).
- Schemes with stronger adaptive security under chosen-plaintext attacks (IND-CPA security) or simulation based security (SIM-Security for IPE):
  - Scheme based on paper by Agrawal, Libert and Stehlé (paper). It can be instantiated from Damgard DDH (`fullysec.Damgard` - similar to `simple.DDH`, but uses one more group element to achieve full security, similar to how Damgård's encryption scheme is obtained from ElGamal scheme (paper)), LWE (`fullysec.LWE`) and Paillier (`fullysec.Paillier`) primitives.
  - Multi-input scheme based on paper by Abdalla, Catalano, Fiore, Gay, Ursu (paper) and instantiated from the scheme in the first point (`fullysec.DamgardMulti`).
  - Decentralized scheme based on paper by Chotard, Dufour Sans, Gay, Phan and Pointcheval (paper). This scheme does not require a trusted party to generate keys. It is built on pairings (`fullysec.DMCFEClient`).
  - Decentralized scheme based on paper by Abdalla, Benhamouda, Kohlweiss, Waldner (paper). As above, this scheme does not require a trusted party to generate keys and is based on a general procedure for decentralization of an inner product scheme, in particular the decentralization of a Damgard DDH scheme (`fullysec.DamgardDecMultiClient`).
  - Function hiding multi-input scheme based on paper by Datta, Okamoto, Tomida (paper). This scheme allows clients to encrypt vectors and derive a functional key that allows a decryptor to decrypt an inner product without revealing the ciphertext or the function (`fullysec.FHMultiIPE`).
  - Function hiding inner product scheme by Kim, Lewi, Mandal, Montgomery, Roy, Wu (paper). The scheme allows the decryptor to decrypt the inner product of x and y without revealing (ciphertext) x or (function) y (`fullysec.fhipe`).
  - Partially function hiding inner product scheme by Romain Gay (paper). This scheme is a public key inner product scheme that decrypts the inner product of x and y without revealing (ciphertext) x or (function) y. This is achieved by limiting the space of vectors that can be encrypted with a public key (`fullysec.partFHIPE`).
Quadratic polynomial schemes
There are two implemented FE schemes for quadratic multi-variate polynomials:
- First is an efficient symmetric FE scheme by Dufour Sans, Gay and Pointcheval (paper) which is based on bilinear pairings, and offers adaptive security under chosen-plaintext attacks (IND-CPA security). You will need the `SGP` scheme from package `quadratic`.
- Second is an efficient public key FE by Romain Gay (paper) that is based on the underlying partially function hiding inner product scheme and offers semi-adaptive simulation based security. You will need the `quad` scheme from package `quadratic`.
Schemes with the attribute based encryption (ABE)
Schemes are organized under package abe.
It contains four ABE schemes:
- A ciphertext policy (CP) ABE scheme named FAME by Agrawal, Chase (paper) allowing encrypting a message based on a boolean expression defining a policy which attributes are needed for the decryption. It is implemented in `abe.fame`.
- A key policy (KP) ABE scheme by Goyal, Pandey, Sahai, Waters (paper) allowing a distribution of keys following a boolean expression defining a policy which attributes are needed for the decryption. It is implemented in `abe.gpsw`.
- A decentralized inner product predicate scheme by Michalevsky, Joye (paper) allowing encryption with policy described as a vector, and a decentralized distribution of keys based on users' vectors so that only users with vectors orthogonal to the encryption vector possess a key that can decrypt the ciphertext. It is implemented in `abe.dippe`.
- A multi-authority (MA) ciphertext policy (CP) ABE scheme by Lewko, Waters (paper) based on a boolean expression defining a policy which attributes are needed for decryption. This scheme is decentralized - the attributes can be spread across multiple different authorities. It is implemented in `abe.ma-abe`.
Configure selected scheme
All GoFE schemes are implemented as Go structs with (at least logically) similar APIs. So the first thing we need to do is to create a scheme instance by instantiating the appropriate struct. For this step, we need to pass in some configuration, e.g. values of parameters for the selected scheme.
Let's say we selected a simple.DDH scheme. We create a new scheme instance with:
```go
scheme, _ := simple.NewDDH(5, 1024, big.NewInt(1000))
```
In the line above, the first argument is the length of input vectors x and y, the second argument is the bit length of the prime modulus p (because this particular scheme operates in the ℤ<sub>p</sub> group), and the last argument represents the upper bound for elements of input vectors.
However, configuration parameters for different FE schemes vary quite a bit. Please refer to library documentation regarding the meaning of parameters for specific schemes. For now, examples and reasonable defaults can be found in the test code.
After you have successfully created an FE scheme instance, you can call its methods for:
- generation of (secret and public) master keys,
- derivation of functional encryption key,
- encryption, and
- decryption.
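
The four steps listed above, as an added example that is not GoFE code: a from-scratch model of the textbook DDH inner-product construction using only `math/big`. The function names, the `pow` helper, the `limit` parameter and the 11-bit toy group are assumptions made for illustration; a group this small offers no security.

```go
package main

import (
	"crypto/rand"
	"math/big"
)

// Toy group, constructed for this example: p = 2q+1, g = 4 has prime order q.
var p, q, g = big.NewInt(2039), big.NewInt(1019), big.NewInt(4)
// pow returns b^e mod p; e is reduced mod q first, so negative e works.
func pow(b, e *big.Int) *big.Int { return new(big.Int).Exp(b, new(big.Int).Mod(e, q), p) }
// MasterKeys returns msk s and mpk h with h[i] = g^s[i].
func MasterKeys(l int) (msk, mpk []*big.Int) {
	for ; l > 0; l-- {
		s, _ := rand.Int(rand.Reader, q) // rand.Reader failure is not handled here
		msk, mpk = append(msk, s), append(mpk, pow(g, s))
	}
	return msk, mpk
}

// DeriveKey returns the functional key <s, y> mod q for the vector y.
func DeriveKey(msk, y []*big.Int) *big.Int {
	k := new(big.Int)
	for i := range y {
		k.Add(k, new(big.Int).Mul(msk[i], y[i]))
	}
	return k.Mod(k, q)
}

// Encrypt returns ct[0] = g^r and ct[i+1] = h[i]^r * g^x[i].
func Encrypt(mpk, x []*big.Int) []*big.Int {
	r, _ := rand.Int(rand.Reader, q)
	ct := []*big.Int{pow(g, r)}
	for i := range x {
		c := pow(mpk[i], r)
		ct = append(ct, c.Mul(c, pow(g, x[i])).Mod(c, p))
	}
	return ct
}

// Decrypt computes g^<x,y>, then searches [-limit, limit] for the exponent.
func Decrypt(ct []*big.Int, key *big.Int, y []*big.Int, limit int64) (v int64, ok bool) {
	t := pow(ct[0], new(big.Int).Neg(key)) // ct[0]^(-key) cancels the h[i]^r masks
	for i := range y {
		t.Mul(t, pow(ct[i+1], y[i])).Mod(t, p)
	}
	for v = -limit; v <= limit && pow(g, big.NewInt(v)).Cmp(t) != 0; v++ {
	}
	return v, v <= limit
}
```

Decryption in this construction ends with a discrete-log search over a bounded range, so the inner product must stay small relative to the group order; one master secret key can issue keys for many different vectors y over the same ciphertext.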
Prepare input data
Vectors and matrices
All GoFE schemes rely on vectors (or matrices) of big integer (`*big.Int`)
components.
GoFE schemes use the library's own Vector and Matrix types. They are implemented
in the data package. A `Vector
