Mergeable functional encryption

Abstract

In this paper we put forward a new generalization of Functional Encryption (FE) that we call Mergeable FE (mFE). In a mFE system, given a ciphertext c1 encrypting m1 and a ciphertext c2 encrypting m2, it is possible to produce in an oblivious way a ciphertext encrypting the merged string m1||m2 under the security constraint that the new ciphertext does not leak more information about the original ciphertexts. For instance, let us suppose to have a token for a program (for inputs of variable length) Px that, on input a string D representing a list of elements, checks if a given element x is in D, and suppose that c1 (resp. c2) encrypts a list D1 (resp. D2). Then the token evaluated on c1 (resp. c2) reveals if x is in list D1 (resp. D2) but the same token evaluated on c, the ciphertext resulting from the merge of c1 and c2, should only reveal if x is in D1 or x is in D2 but not in which of the two lists it is in. This primitive is in some sense FE with the “best possible” homomorphic properties and, besides being interesting in itself, it offers wide applications. For instance, it has as special case multi-inputs FE (and thus indistinguishability obfuscation), but enables applications not possible with the latter.