Generic Construction of Trace-and-Revoke Inner Product Functional Encryption

A traitor tracing system is a multi-receiver encryption that allows an authority or an arbitrary party (in the case of public traceability) to identify malicious users (traitors) that collude to create a pirate decoder. A trace-and-revoke system is an extension of the traitor tracing system where there is an additional user revocation mechanism that the content distributor can use to disable the decryption capabilities of compromised keys. Trace-and-revoke systems have been extensively studied in the settings of broadcast encryption (BE), identity-based encryption (IBE), and attribute-based encryption (ABE), but not functional encryption (FE). Recently, Do, Phan and Pointcheval (CT-RSA’20) studied traitor tracing for FE and proposed the first traceable inner-product functional encryption (IPFE) scheme. However, their scheme is selectively secure against chosen-plaintext attacks and supports one-target black-box traceability (a weaker notion of black-box traceability). In addition, their scheme does not support public traceability nor user revocation. In this work, we study trace-and-revoke mechanisms for FE and propose the first efficient trace-and-revoke IPFE systems from standard assumptions. Our schemes support public, black-box traceability, and are proven adaptively secure against chosen-plaintext attacks in the standard model. Technically, our construction is generic and relies on a generic transformation from IPFE schemes to trace-and-revoke IPFE systems. For traitor tracing systems, our generic construction also implies the first traceable IPFE schemes that simultaneously support public, black-box traceability, and achieve adaptive security. This provides a significant improvement over the previous traceable IPFE construction by Do, Phan and Pointcheval.