fentec-project / gofe

Functional encryption library in Go
Apache License 2.0

FE with authenticated encryption #47

Closed r0qs closed 3 years ago

r0qs commented 3 years ago

Hi, sorry for opening an issue to ask this, but I couldn't find another way to send a message to you. I would like to know if there is any construction in gofe that allows the use of FE with authenticated encryption capabilities. For instance, could one use something like DDH-MAC in a similar way to what is done with AES?

tilenmarc commented 3 years ago

Hi, unfortunately, we do not currently have any authentication in gofe. If I understand correctly, what you are asking for is a way to authenticate that your encryption is coming from the right person? Or would you also need something showing that the evaluation of the function on the encrypted messages has been done correctly?

r0qs commented 3 years ago

Hi, thanks for the reply. Well, what I want is not exactly whether the encryption is coming from the right person but whether the data used in the computation was the right data. By the right data I mean data issued by a trusted party, for example. Like, suppose I send you an encrypted vector of integer values and a derivation key for a "weight" function that you provide. In this way, you could compute the inner product of the values with the defined weights without knowing the values. Moreover, let's assume that the values were authenticated by somebody else. How would you know if I used the authenticated dataset or just random values without knowing the values?

In fact, I found this work based on homomorphic signatures, but the server (i.e. whoever computes the inner product) would need to have access to the plaintext values, as far as I could understand. But at least the result of the computation would be authenticated. Is there any similar work with functional encryption that you are aware of?

tilenmarc commented 3 years ago

Hi, in one project we were considering a scenario similar to the one that you are mentioning and the conclusion was that it could be achieved with zero-knowledge proofs, in particular with SNARKs. The idea is that you also provide a proof that the same input that was authenticated was also used in the encryption, without revealing the input itself. Unfortunately, we don't have anything implemented, and moreover most of the ZKP libraries are implemented in Rust, so you would need to use multiple tools to achieve this. But I think it should be possible.

r0qs commented 3 years ago

Thanks @tilenmarc for your input. I agree, I think it should be possible too. I was just wondering if there were any other alternatives already implemented in gofe. I guess we can just close this issue now :-)
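The gap discussed in this thread, as an added example that is not part of the thread and is not gofe code: a toy textbook DDH-based inner-product scheme in which a ciphertext built from values nobody issued decrypts as cleanly as one built from the issued values, because encryption needs only the public key. The group parameters are constructed and insecure, all function names are assumptions, and vector entries are assumed small and non-negative.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Constructed toy group, far too small for real use: p = 2q+1 and g has order q.
const p, q, g = 1019, 509, 4

func powMod(b, e int64) int64 { return new(big.Int).Exp(big.NewInt(b), big.NewInt(e), big.NewInt(p)).Int64() }
func randExp() int64          { n, _ := rand.Int(rand.Reader, big.NewInt(q)); return n.Int64() }

// Setup plays the key authority: public key h_i = g^{s_i}, function key sk = <s, y> mod q.
func Setup(y []int64) (h []int64, sk int64) {
	for _, yi := range y {
		si := randExp() // one master-secret component per coordinate
		h = append(h, powMod(g, si))
		sk = (sk + si*yi) % q
	}
	return
}

// Encrypt needs only the public key: ct_0 = g^r, ct_i = h_i^r * g^{x_i}.
func Encrypt(h, x []int64) []int64 {
	r := randExp()
	ct := []int64{powMod(g, r)}
	for i := range h {
		ct = append(ct, powMod(h[i], r)*powMod(g, x[i])%p)
	}
	return ct
}

// Decrypt is the evaluator's view: it learns <x, y> in [0, q) and nothing else (q means no match).
func Decrypt(ct []int64, sk int64, y []int64) (v int64) {
	t := powMod(ct[0], q-sk) // ct_0^{-sk}, because ct_0 has order q
	for i := range y {
		t = t * powMod(ct[i+1], y[i]) % p
	}
	for ; v < q && powMod(g, v) != t; v++ { // brute-force the small discrete log
	}
	return
}

func main() {
	y := []int64{2, 1, 3} // the evaluator's weights
	h, sk := Setup(y)
	fmt.Println(Decrypt(Encrypt(h, []int64{10, 20, 30}), sk, y)) // vector the trusted party issued
	fmt.Println(Decrypt(Encrypt(h, []int64{1, 1, 1}), sk, y))    // vector nobody authenticated
}
```

Both calls return a well-formed inner product, so the evaluator has no signal about provenance; binding the ciphertext to an authenticated input has to come from outside the scheme, for example the proof of consistent input suggested in the reply above.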