Research Article  Open Access
Improved Construction for Inner Product Functional Encryption
Abstract
Functional encryption (FE) is a vast new paradigm for encryption scheme which allows tremendous flexibility in accessing encrypted data. In a FE scheme, a user can learn specific function of encrypted messages by restricted functional key and reveals nothing else about the messages. Besides the standard notion of data privacy in FE, it should protect the privacy of the function itself which is also crucial for practical applications. In this paper, we construct a secret key FE scheme for the inner product functionality using asymmetric bilinear pairing groups of prime order. Compared with the existing similar schemes, our construction reduces both necessary storage and computational complexity by a factor of 2 or more. It achieves simulationbased security, security strength which is higher than that of indistinguishabilitybased security, against adversaries who get hold of an unbounded number of ciphertext queries and adaptive secret key queries under the External Decisional Linear (XDLIN) assumption in the standard model. In addition, we implement the secret key inner product scheme and compare the performance with the similar schemes.
1. Introduction
Traditional publickey encryption provides allornothing access to data: you can either recover the entire plaintext or reveal nothing from the ciphertext. Functional encryption (FE) [1–3] is a vast new paradigm for encryption scheme which allows tremendous flexibility in accessing encrypted data. In a FE scheme, a secret key embedded with a function can be created from a master secret key msk. Then, given a ciphertext for , a user learns and reveals nothing else about . In recent years, the cryptographic community has made great progress in research on the security of FE and constructions for such schemes (see, for instance, [4–11] and any more).
There are two notions of security for a FE scheme, i.e., indistinguishabilitybased security and simulationbased security. The former one requires that an adversary cannot distinguish between ciphertexts of any two messages , with access to a secret key for a function such that . In contrast, the latter one requires that the view of the adversary can be simulated by a simulator, given only access to the secret keys and the function evaluated on the corresponding messages. Note that simulationbased security has higher security strength than indistinguishabilitybased security such that there exists an indistinguishabilitybased secure FE scheme for a certain functionality which is not able to be proved secure under simulationbased security [1, 3].
The traditional FE only considers data privacy and omits to protect the privacy of the function itself which is also crucial for practical applications. Consider the case where Bob wants to store his files in a cloud. Before uploading his files to the cloud, he employs a FE scheme to encrypt them avoiding leakage of data privacy and then he uploads the encryption form to the cloud. Later on, Bob wants to query his data by offering the cloud a key for a function of his choice. However, if the FE scheme cannot support the privacy for the function, the key may reveal Bob’s query entirely to the cloud, which is not desirable when the function includes confidential information.
Due to the importance, some works focus on function privacy of FE, and this was first studied in [12] in the secret key setting. This is later followed by the work of [5, 13] in the secret key setting and that of [14, 15] in the publickey setting. During the two scenarios of the publickey setting and the secret key setting, the degree to which function privacy can be satisfied differs dramatically. Specifically, a publickey FE scheme is inherent in leaking confidential information about the function. Note that an attacker who holds a secret key can always generate, on its own, the ciphertext for for message of her choice and then use to learn . This can reveal nontrivial information about the function . On the other hand, since an attacker holding a secret key cannot encrypt new messages in the secret key setting, such kind of attack is no longer applied.
1.1. Functional Encryption for Inner Product
Although FE supports the computation of general circuits relying on a wide spectrum of assumptions, there are two major problems with the stateoftheart general FE constructions. First, the security of some constructions is only ensured so long as the adversary gets hold of a priori bounded number of secret keys [9, 10, 20]. Second, some solutions rely on tools such as multilinear maps [21] and indistinguishability obfuscation [8, 22] which are both impractical and founded on new security assumption undergone minimal scrutiny. This inspires us to explore constructions for firsthand and effective FE schemes for functionalities which focus on the inner product functionality as a first attempt [16–19, 23–26].
In an inner product encryption (IPE) scheme, a ciphertext is related to a vector of length and a secret key to a vector of length . Given the ciphertext and the secret key, the decryption algorithm computes the inner product . Notice that the formulation of IPE is distinct from that of inner product predicate encryption in [12, 13, 27–30]. The ciphertext for a message in an inner product predicate encryption scheme comes along with an attribute , and a secret key corresponds to a vector . When the ciphertext with is decrypted with the secret key for , the decryption algorithm outputs iff . By contrast, the output in the IPE formulation is the actual value of the inner product. In this paper, we consider functional privacy in inner product encryption, i.e., secret key inner product encryption.
1.2. Related Work
Abdalla et al. [23] presented a direct construction of publickey IPE under an indistinguishabilitybased definition. The construction is only proved to be secure against selective adversaries which are asked to commit to their challenges at the beginning of the security game. Following work [24] presented adaptively secure schemes where the messages and may be adaptively chosen at any point in time, based on the previously collected information. Bishop et al. [16] proposed a functionhiding IPE scheme under the Symmetric External DiffieHellman (SXDH) assumption, which satisfies an indistinguishabilitybased definition, and considered adaptive adversaries. However, the scheme is available in a rather weak security model which places limit on adversaries' queries. Specially, all ciphertext queries and all secret key queries are constrained by . The constraint obviously weakens the security of the scheme, and this is in violation of the intuitive spirit of function privacy. Recently, Datta et al. [17] developed a functionhiding IPE scheme under the SXDH assumption where the restriction on adversaries' queries is only . Tomida et al. [18] constructed a more efficient functionhiding IPE scheme than that of [17] under the External Decisional Linear (XDLIN) assumption. Kim et al. [25] put forth a fullysecure functionhiding IPE scheme with less parameter sizes and run time complexity than in [16, 17]. The scheme is proved simulationbased secure in the generic model of bilinear maps. For the first time Zhao et al. [19] presented a simulationbased secure secret key IPE scheme under the SXDH assumption in the standard model. The scheme can tolerate an unbounded number of ciphertext queries and adaptive key queries.
1.3. Our Contribution
We construct an efficient simulationbased secure secret key IPE (SSSKIPE) scheme in the standard model. We compare our scheme with related works in Table 1 where group exponentiations on cyclic groups are involved in key generation algorithm and encryption algorithm, and pairing operations on bilinear pairing groups are involved in decryption algorithm. We achieve an outstanding reduction by a factor of 2 or more in computational complexity. Our scheme achieves group elements in secret key and ciphtertext, which also reduces storage complexity by a factor of 2 or more. Hence, performance in the SSSKIPE scheme is superior to that in the previous schemes in both storage complexity and computation complexity. Furthermore, our scheme is based on the XDLIN assumption which is weaker than the SXDH assumption. In more detail, the SXDH assumption relies on type 3 bilinear pairing groups, while the XDLIN assumption relies on any type of bilinear pairing groups [18]. Therefore from this angle, the SXDH assumption is stronger than the XDLIN assumption. Although the construction of [18] was proved to be indistinguishabilitybased secure under the XDLIN assumption and also succeeded in improving efficiency, both storage complexity and computation complexity of our scheme are better than that of [18] and our scheme achieves simulationbase security, security strength of which is higher than that of indistinguishabilitybased security. In addition, we implement our SSSKIPE scheme and compare the performance with the similar schemes in Section 5.
To guarantee correctness, our scheme requires that inner products be within a range of polynomialsize, which is consistent with other schemes in Table 1. As pointed out in [16], this is reasonable for statistical computations because the computations, like the average over a polynomialsize database, will naturally be contained within a polynomial range. Furthermore, our scheme is simulationbased secure against adversaries who hold in an unbounded number of ciphertext queries and adaptive key queries. Although very basic functionalities such as IBE are simulationbased secure for a priori bounded number of ciphertext queries in the standard model [1, 3, 4], this is possible for an unbounded number of ciphertext queries if adversaries have an underlying polynomialsize range.
1.4. Technical Overview
Our SSSKIPE scheme uses dual pairing vector spaces (DPVS) to construct, as in [16–19], which is brought forward by Okamoto et al. [31, 32]. DPVS has the features of hidden linear subspaces in prime order bilinear group setting. A DPVS of dimension is introduced in our construction, where is the dimension of inner product vectors. Typically, we sample a pair of dual orthonormal bases and only use the dimension and the dimension to encode vector and vector , respectively. Compared with the previous schemes, our scheme at least saves n dimensions of vector spaces. We preserve the remaining hidden dimensions of and for the security reduction. Specially, between two hybrid experiments, a hidden dimension can be used for reducing a difference of one coefficient in a secret key or a cipertext to a XDLIN instance.
2. Preliminaries
Let be the security parameter. If is a set, denotes the process of choosing uniformly at random from . Let and be distribution ensembles. We say that are computationally indistinguishable between and , if for all nonuniform probabilistic polynomial time and every , the difference between and is negligible. Let be a negligible function in . Moreover, we write to denote a vector of length for some positive integer and . We use to denote the inner product, mod , of vectors and . We use upper case boldface to denote matrices. denotes transpose of the matrix . denotes the general linear group of degree over . denotes a set of integers .
2.1. Definition of SSSKIPE
We introduce the definition of simulationbased secure secret key IPE (SSSKIPE).
Definition 1 (SSSKIPE). A SSSKIPE scheme is composed of the four PPT algorithms defined below:(i) : The setup algorithm receives as input the security parameters and , being vector length, and outputs a master secret key msk and public parameters pp.(ii) : The encryption algorithm receives as input the master secret key msk, the public parameters pp, and a vector and outputs a ciphertext .(iii) : The key generation algorithm receives as input the master secret key msk, the public parameters pp, and a vector and outputs a secret key .(iv) or : The decryption algorithm receives as input the public parameters pp, the ciphertext , and a secret key and outputs either a value or the dedicated symbol .
We make the following correctness requirement: for all SSSKIPE.Setup, all , and for SSSKIPE.Encrypt and SSSKIPE.KeyGen, SSSKIPE.Decrypt is sure to output whenever with nonnegligible probability. The correctness requires the fact that it is and not when is from a fixed polynomial range of value inside .
Definition 2 (indistinguishabilitybased security). A SSSKIPE scheme has indistinguishabilitybased security if for all PPT adversaries , the advantage of in the game defined as follows is negligible:(1)A challenger runs SSSKIPE.Setup to generate msk and pp, and pp is given to . It also chooses a random bit .(2)The challenger responds to the following two types of queries made by :(i)Secret key query: submits a pair of vectors and the challenger computes and returns SSSKIPE.KeyGen.(ii)Ciphertext query: submits a pair of vectors and the challenger computes and returns SSSKIPE.Encrypt.(3) outputs a bit , and wins if . A SSSKIPE scheme is indistinguishabilitybased secure if for all PPT adversaries , the advantage of in the above game, is , where this game is by definition if and if .
Definition 3 (simulationbased security [1, 3, 7]). For a SSSKIPE scheme, if there exits a PPT adversary and a PPT simulator , we define two experiments and in Box 1. (in the publickey setting, the adversary can encrypt plaintexts using the public parameters pp but cannot in the secret key setting). Let be the number of challenge messages output by and be the number of secret key queries in the first stage. The oracles and are defined as follows:(1)The oracle =SSSKIPE.KeyGen.(2)The oracle is the second stage of , i.e., for , where and are inputs of the ciphertext query and the th secret key query by , respectively. The simulator is stateful and after each query it updates the state . A SSSKIPE scheme is simulationbased secure if there exists a PPT simulator such that, for all PPT adversaries ,

2.2. Asymmetric Bilinear Pairing Groups
Definition 4 (asymmetric bilinear pairing groups). We say that an algorithm is an asymmetric bilinear group generator and it outputs a bilinear pairing group which is defined by the tuple , where is a prime and and are cyclic groups of order , with a bilinear pairing with the following properties:(i)(Bilinearity) , , , and(ii)(Nondegeneracy) , such that has order in .
2.3. External Decisional Linear Assumption
Definition 5 (external decisional linear (XDLIN) assumption [33]). , is a tuple produced by . Consider the following problem: given the distributions , , for , where , , , and , output if is 0, and output otherwise, we refer to the problem as the External Decisional Linear (XDLIN) problem.
For a PPT algorithm , the advantage of is defined as . If for all PPT algorithms , is negligible in , we say that satisfies the XDLIN assumption.
2.4. Dual Pairing Vector Spaces
Definition 6 (dual pairing vector spaces (DPVS) [31, 32]). A dual pairing vector space (DPVS) is directly defined by the tuple . and over are dimensional vector spaces. of and of are canonical bases, where and . is pairing which is defined by , where and with the following properties:(1)(Bilinearity) for and(2)(Nondegeneracy) if for all , then .Let be the output of algorithm , where .
We then describe random dual orthonormal basis generator as follows: , , , , , , , , returning ().
Let denote , where and . Then we have
3. Our SSSKIPE Scheme
In this section, we present the construction of SSSKIPE.
SSSKIPE.Setup(, n) (msk, pp): The setup algorithm runs . It then generatesThe algorithm outputs msk, where , , and .
SSSKIPE.Encrypt(msk, pp, ): The encryption algorithm samples independently and uniformly at random and outputsSSSKIPE.KeyGen(msk, pp, ): The secret key generation algorithm samples independently and uniformly at random and outputsSSSKIPE.Decrypt (pp, or : The decryption algorithm outputs
It then attempts to determine such that . If there is that satisfies the equation, the algorithm outputs . Otherwise, it outputs . Due to a polynomialsize range of possible values for , the decryption algorithm certainly runs in polynomial time.
Correctness. For any and by calling SSSKIPE.Encrypt(msk, pp, ) and SSSKIPE.KeyGen(msk, pp, ), respectively, the pairing evaluations in the decryption algorithm proceed as follows:
If the decryption algorithm takes polynomial time in the size of the plaintext space, it will output as desired.
Remark 7. We can easily notice that our scheme is malleable, where a ciphertext can be created from certain other ciphertexts. The scheme in [18] is also malleable, while it seems difficult to prove the schemes in [16, 17, 19] to be malleable.
Remark 8. In contrast to the scheme of Tomida et al. [18], we provides a more efficient scheme with better security strength. The construction of [18] achieves indistinguishabilitybased security where the constraint on the adversaries is that, for all ciphertext queries and all key queries , should hold. and of dimension are introduced in their construction. There are at least dimensions of vector spaces because of changing a ciphertext including (respectively, a secret key including ) into one including (respectively, a secret key including ) in the security game. As mentioned in Section 1, in our scheme, a hidden dimension can be used to convert a corresponding coefficient to another coefficient in a secret key or a ciphertext, so that no PPT adversary can distinguish the two hybrid experiments. Our scheme therefore saves n dimensions of vector spaces.
4. Security Proof
4.1. Theorem 9
Now, we prove that our construction has manyADSIM (many messages secure, adaptive simulation definition) security from the XDLIN assumption in the standard model against adaptive adversaries obtaining an unbounded number of ciphertexts and secret keys.
Theorem 9. Under the XDLIN assumption the proposed scheme is manyADSIMsecure.
We will show Lemmas 15, 16, 17, 18, and 19 for the security proof of Theorem 9.
4.2. Lemmas
Definition 10 (problem 0). Problem 0 is to guess , given , where , and , for , , for , , and , , and and .
Definition 11 (problem 1). Problem 1 is to guess , given , where , , , , , , and and .
Definition 12 (problem 2). Problem 2 is to guess , given , where , , , , , , and and .
Definition 13 (problem 3). Problem 3 is to guess , given , where , , , , , , and and .
Definition 14 (problem 4). Problem 4 is to guess , given , where , , , , , , and and .
For a PPT adversary , the advantage of for Problem , where , is defined aswhere the instance is by definition if and if .
Lemma 15. Suppose that the XDLIN assumption holds in and . Then for all PPT adversary , there is an adversary such that .
Proof. Let be a random linear transformation. On inputting an instance of XDLIN , , , sets , , and , ,, and , and . can calculate for and for . Next, generates for , for , and . Then sets . Finally, gives .
If and , then and when and (with probability ).
If and , then and when , and (with probability ). Therefore, .
Lemma 16. Suppose that the XDLIN assumption holds in and . Then for all PPT adversary , there is an adversary such that .
Proof. Let be a random linear transformation. On inputting an instance of Porblem 0 , calculates for ,