Improved Construction for Inner Product Functional Encryption
Functional encryption (FE) is a vast new paradigm for encryption scheme which allows tremendous flexibility in accessing encrypted data. In a FE scheme, a user can learn specific function of encrypted messages by restricted functional key and reveals nothing else about the messages. Besides the standard notion of data privacy in FE, it should protect the privacy of the function itself which is also crucial for practical applications. In this paper, we construct a secret key FE scheme for the inner product functionality using asymmetric bilinear pairing groups of prime order. Compared with the existing similar schemes, our construction reduces both necessary storage and computational complexity by a factor of 2 or more. It achieves simulation-based security, security strength which is higher than that of indistinguishability-based security, against adversaries who get hold of an unbounded number of ciphertext queries and adaptive secret key queries under the External Decisional Linear (XDLIN) assumption in the standard model. In addition, we implement the secret key inner product scheme and compare the performance with the similar schemes.
Traditional public-key encryption provides all-or-nothing access to data: you can either recover the entire plaintext or reveal nothing from the ciphertext. Functional encryption (FE) [1–3] is a vast new paradigm for encryption scheme which allows tremendous flexibility in accessing encrypted data. In a FE scheme, a secret key embedded with a function can be created from a master secret key msk. Then, given a ciphertext for , a user learns and reveals nothing else about . In recent years, the cryptographic community has made great progress in research on the security of FE and constructions for such schemes (see, for instance, [4–11] and any more).
There are two notions of security for a FE scheme, i.e., indistinguishability-based security and simulation-based security. The former one requires that an adversary cannot distinguish between ciphertexts of any two messages , with access to a secret key for a function such that . In contrast, the latter one requires that the view of the adversary can be simulated by a simulator, given only access to the secret keys and the function evaluated on the corresponding messages. Note that simulation-based security has higher security strength than indistinguishability-based security such that there exists an indistinguishability-based secure FE scheme for a certain functionality which is not able to be proved secure under simulation-based security [1, 3].
The traditional FE only considers data privacy and omits to protect the privacy of the function itself which is also crucial for practical applications. Consider the case where Bob wants to store his files in a cloud. Before uploading his files to the cloud, he employs a FE scheme to encrypt them avoiding leakage of data privacy and then he uploads the encryption form to the cloud. Later on, Bob wants to query his data by offering the cloud a key for a function of his choice. However, if the FE scheme cannot support the privacy for the function, the key may reveal Bob’s query entirely to the cloud, which is not desirable when the function includes confidential information.
Due to the importance, some works focus on function privacy of FE, and this was first studied in  in the secret key setting. This is later followed by the work of [5, 13] in the secret key setting and that of [14, 15] in the public-key setting. During the two scenarios of the public-key setting and the secret key setting, the degree to which function privacy can be satisfied differs dramatically. Specifically, a public-key FE scheme is inherent in leaking confidential information about the function. Note that an attacker who holds a secret key can always generate, on its own, the ciphertext for for message of her choice and then use to learn . This can reveal nontrivial information about the function . On the other hand, since an attacker holding a secret key cannot encrypt new messages in the secret key setting, such kind of attack is no longer applied.
1.1. Functional Encryption for Inner Product
Although FE supports the computation of general circuits relying on a wide spectrum of assumptions, there are two major problems with the state-of-the-art general FE constructions. First, the security of some constructions is only ensured so long as the adversary gets hold of a priori bounded number of secret keys [9, 10, 20]. Second, some solutions rely on tools such as multilinear maps  and indistinguishability obfuscation [8, 22] which are both impractical and founded on new security assumption undergone minimal scrutiny. This inspires us to explore constructions for firsthand and effective FE schemes for functionalities which focus on the inner product functionality as a first attempt [16–19, 23–26].
In an inner product encryption (IPE) scheme, a ciphertext is related to a vector of length and a secret key to a vector of length . Given the ciphertext and the secret key, the decryption algorithm computes the inner product . Notice that the formulation of IPE is distinct from that of inner product predicate encryption in [12, 13, 27–30]. The ciphertext for a message in an inner product predicate encryption scheme comes along with an attribute , and a secret key corresponds to a vector . When the ciphertext with is decrypted with the secret key for , the decryption algorithm outputs iff . By contrast, the output in the IPE formulation is the actual value of the inner product. In this paper, we consider functional privacy in inner product encryption, i.e., secret key inner product encryption.
1.2. Related Work
Abdalla et al.  presented a direct construction of public-key IPE under an indistinguishability-based definition. The construction is only proved to be secure against selective adversaries which are asked to commit to their challenges at the beginning of the security game. Following work  presented adaptively secure schemes where the messages and may be adaptively chosen at any point in time, based on the previously collected information. Bishop et al.  proposed a function-hiding IPE scheme under the Symmetric External Diffie-Hellman (SXDH) assumption, which satisfies an indistinguishability-based definition, and considered adaptive adversaries. However, the scheme is available in a rather weak security model which places limit on adversaries' queries. Specially, all ciphertext queries and all secret key queries are constrained by . The constraint obviously weakens the security of the scheme, and this is in violation of the intuitive spirit of function privacy. Recently, Datta et al.  developed a function-hiding IPE scheme under the SXDH assumption where the restriction on adversaries' queries is only . Tomida et al.  constructed a more efficient function-hiding IPE scheme than that of  under the External Decisional Linear (XDLIN) assumption. Kim et al.  put forth a fully-secure function-hiding IPE scheme with less parameter sizes and run time complexity than in [16, 17]. The scheme is proved simulation-based secure in the generic model of bilinear maps. For the first time Zhao et al.  presented a simulation-based secure secret key IPE scheme under the SXDH assumption in the standard model. The scheme can tolerate an unbounded number of ciphertext queries and adaptive key queries.
1.3. Our Contribution
We construct an efficient simulation-based secure secret key IPE (SSSK-IPE) scheme in the standard model. We compare our scheme with related works in Table 1 where group exponentiations on cyclic groups are involved in key generation algorithm and encryption algorithm, and pairing operations on bilinear pairing groups are involved in decryption algorithm. We achieve an outstanding reduction by a factor of 2 or more in computational complexity. Our scheme achieves group elements in secret key and ciphtertext, which also reduces storage complexity by a factor of 2 or more. Hence, performance in the SSSK-IPE scheme is superior to that in the previous schemes in both storage complexity and computation complexity. Furthermore, our scheme is based on the XDLIN assumption which is weaker than the SXDH assumption. In more detail, the SXDH assumption relies on type 3 bilinear pairing groups, while the XDLIN assumption relies on any type of bilinear pairing groups . Therefore from this angle, the SXDH assumption is stronger than the XDLIN assumption. Although the construction of  was proved to be indistinguishability-based secure under the XDLIN assumption and also succeeded in improving efficiency, both storage complexity and computation complexity of our scheme are better than that of  and our scheme achieves simulation-base security, security strength of which is higher than that of indistinguishability-based security. In addition, we implement our SSSK-IPE scheme and compare the performance with the similar schemes in Section 5.
To guarantee correctness, our scheme requires that inner products be within a range of polynomial-size, which is consistent with other schemes in Table 1. As pointed out in , this is reasonable for statistical computations because the computations, like the average over a polynomial-size database, will naturally be contained within a polynomial range. Furthermore, our scheme is simulation-based secure against adversaries who hold in an unbounded number of ciphertext queries and adaptive key queries. Although very basic functionalities such as IBE are simulation-based secure for a priori bounded number of ciphertext queries in the standard model [1, 3, 4], this is possible for an unbounded number of ciphertext queries if adversaries have an underlying polynomial-size range.
1.4. Technical Overview
Our SSSK-IPE scheme uses dual pairing vector spaces (DPVS) to construct, as in [16–19], which is brought forward by Okamoto et al. [31, 32]. DPVS has the features of hidden linear subspaces in prime order bilinear group setting. A DPVS of dimension is introduced in our construction, where is the dimension of inner product vectors. Typically, we sample a pair of dual orthonormal bases and only use the dimension and the dimension to encode vector and vector , respectively. Compared with the previous schemes, our scheme at least saves n dimensions of vector spaces. We preserve the remaining hidden dimensions of and for the security reduction. Specially, between two hybrid experiments, a hidden dimension can be used for reducing a difference of one coefficient in a secret key or a cipertext to a XDLIN instance.
Let be the security parameter. If is a set, denotes the process of choosing uniformly at random from . Let and be distribution ensembles. We say that are computationally indistinguishable between and , if for all nonuniform probabilistic polynomial time and every , the difference between and is negligible. Let be a negligible function in . Moreover, we write to denote a vector of length for some positive integer and . We use to denote the inner product, mod , of vectors and . We use upper case boldface to denote matrices. denotes transpose of the matrix . denotes the general linear group of degree over . denotes a set of integers .
2.1. Definition of SSSK-IPE
We introduce the definition of simulation-based secure secret key IPE (SSSK-IPE).
Definition 1 (SSSK-IPE). A SSSK-IPE scheme is composed of the four PPT algorithms defined below:(i)- : The setup algorithm receives as input the security parameters and , being vector length, and outputs a master secret key msk and public parameters pp.(ii)- : The encryption algorithm receives as input the master secret key msk, the public parameters pp, and a vector and outputs a ciphertext .(iii)- : The key generation algorithm receives as input the master secret key msk, the public parameters pp, and a vector and outputs a secret key .(iv)- or : The decryption algorithm receives as input the public parameters pp, the ciphertext , and a secret key and outputs either a value or the dedicated symbol .
We make the following correctness requirement: for all SSSK-IPE.Setup, all , and for SSSK-IPE.Encrypt and SSSK-IPE.KeyGen, SSSK-IPE.Decrypt is sure to output whenever with nonnegligible probability. The correctness requires the fact that it is and not when is from a fixed polynomial range of value inside .
Definition 2 (indistinguishability-based security). A SSSK-IPE scheme has indistinguishability-based security if for all PPT adversaries , the advantage of in the game defined as follows is negligible:(1)A challenger runs SSSK-IPE.Setup to generate msk and pp, and pp is given to . It also chooses a random bit .(2)The challenger responds to the following two types of queries made by :(i)Secret key query: submits a pair of vectors and the challenger computes and returns SSSK-IPE.KeyGen.(ii)Ciphertext query: submits a pair of vectors and the challenger computes and returns SSSK-IPE.Encrypt.(3) outputs a bit , and wins if . A SSSK-IPE scheme is indistinguishability-based secure if for all PPT adversaries , the advantage of in the above game, is , where this game is by definition if and if .
Definition 3 (simulation-based security [1, 3, 7]). For a SSSK-IPE scheme, if there exits a PPT adversary and a PPT simulator , we define two experiments and in Box 1. (in the public-key setting, the adversary can encrypt plaintexts using the public parameters pp but cannot in the secret key setting). Let be the number of challenge messages output by and be the number of secret key queries in the first stage. The oracles and are defined as follows:(1)The oracle =SSSK-IPE.KeyGen.(2)The oracle is the second stage of , i.e., for , where and are inputs of the ciphertext query and the th secret key query by , respectively. The simulator is stateful and after each query it updates the state . A SSSK-IPE scheme is simulation-based secure if there exists a PPT simulator such that, for all PPT adversaries ,
2.2. Asymmetric Bilinear Pairing Groups
Definition 4 (asymmetric bilinear pairing groups). We say that an algorithm is an asymmetric bilinear group generator and it outputs a bilinear pairing group which is defined by the tuple , where is a prime and and are cyclic groups of order , with a bilinear pairing with the following properties:(i)(Bilinearity) , , , and(ii)(Nondegeneracy) , such that has order in .
2.3. External Decisional Linear Assumption
Definition 5 (external decisional linear (XDLIN) assumption ). , is a tuple produced by . Consider the following problem: given the distributions , , for , where , , , and , output if is 0, and output otherwise, we refer to the problem as the External Decisional Linear (XDLIN) problem.
For a PPT algorithm , the advantage of is defined as . If for all PPT algorithms , is negligible in , we say that satisfies the XDLIN assumption.
2.4. Dual Pairing Vector Spaces
Definition 6 (dual pairing vector spaces (DPVS) [31, 32]). A dual pairing vector space (DPVS) is directly defined by the tuple . and over are -dimensional vector spaces. of and of are canonical bases, where and . is pairing which is defined by , where and with the following properties:(1)(Bilinearity) for and(2)(Nondegeneracy) if for all , then .Let be the output of algorithm , where .
We then describe random dual orthonormal basis generator as follows: , , , , , , , , returning ().
Let denote , where and . Then we have
3. Our SSSK-IPE Scheme
In this section, we present the construction of SSSK-IPE.
SSSK-IPE.Setup(, n) (msk, pp): The setup algorithm runs . It then generatesThe algorithm outputs msk, where , , and .
SSSK-IPE.Encrypt(msk, pp, ): The encryption algorithm samples independently and uniformly at random and outputsSSSK-IPE.KeyGen(msk, pp, ): The secret key generation algorithm samples independently and uniformly at random and outputsSSSK-IPE.Decrypt (pp, or : The decryption algorithm outputs
It then attempts to determine such that . If there is that satisfies the equation, the algorithm outputs . Otherwise, it outputs . Due to a polynomial-size range of possible values for , the decryption algorithm certainly runs in polynomial time.
Correctness. For any and by calling SSSK-IPE.Encrypt(msk, pp, ) and SSSK-IPE.KeyGen(msk, pp, ), respectively, the pairing evaluations in the decryption algorithm proceed as follows:
If the decryption algorithm takes polynomial time in the size of the plaintext space, it will output as desired.
Remark 7. We can easily notice that our scheme is malleable, where a ciphertext can be created from certain other ciphertexts. The scheme in  is also malleable, while it seems difficult to prove the schemes in [16, 17, 19] to be malleable.
Remark 8. In contrast to the scheme of Tomida et al. , we provides a more efficient scheme with better security strength. The construction of  achieves indistinguishability-based security where the constraint on the adversaries is that, for all ciphertext queries and all key queries , should hold. and of dimension are introduced in their construction. There are at least dimensions of vector spaces because of changing a ciphertext including (respectively, a secret key including ) into one including (respectively, a secret key including ) in the security game. As mentioned in Section 1, in our scheme, a hidden dimension can be used to convert a corresponding coefficient to another coefficient in a secret key or a ciphertext, so that no PPT adversary can distinguish the two hybrid experiments. Our scheme therefore saves n dimensions of vector spaces.
4. Security Proof
4.1. Theorem 9
Now, we prove that our construction has many-AD-SIM (many messages secure, adaptive simulation definition) security from the XDLIN assumption in the standard model against adaptive adversaries obtaining an unbounded number of ciphertexts and secret keys.
Theorem 9. Under the XDLIN assumption the proposed scheme is many-AD-SIM-secure.
Definition 10 (problem 0). Problem 0 is to guess , given , where , and , for , , for , , and , , and and .
Definition 11 (problem 1). Problem 1 is to guess , given , where , , , , , , and and .
Definition 12 (problem 2). Problem 2 is to guess , given , where , , , , , , and and .
Definition 13 (problem 3). Problem 3 is to guess , given , where , , , , , , and and .
Definition 14 (problem 4). Problem 4 is to guess , given , where , , , , , , and and .
For a PPT adversary , the advantage of for Problem , where , is defined aswhere the instance is by definition if and if .
Lemma 15. Suppose that the XDLIN assumption holds in and . Then for all PPT adversary , there is an adversary such that .
Proof. Let be a random linear transformation. On inputting an instance of XDLIN , , , sets , , and , ,, and , and . can calculate for and for . Next, generates for , for , and . Then sets . Finally, gives .
If and , then and when and (with probability ).
If and , then and when , and (with probability ). Therefore, .
Lemma 16. Suppose that the XDLIN assumption holds in and . Then for all PPT adversary , there is an adversary such that .
Proof. Let be a random linear transformation. On inputting an instance of Porblem 0 , calculates for , for , , , , for , for , , , and , and .Then sets and . Finally, gives . If , , and if , , where , , and . This is the same as an instance of Problem 0.
Lemma 17. Suppose that the XDLIN assumption holds in and . Then for all PPT adversary , there is an adversary such that .
Proof. Let be a random linear transformation. On inputting an instance of Porblem 0 , calculates for , for , and , , for , for , and , and , , and .Then sets and . Finally, gives . If , , and if , , where , , and . This is the same as an instance of Problem 0.
Lemma 18. Suppose that the XDLIN assumption holds in and . Then for all PPT adversary , there is an adversary such that .
Proof. The proof follows in the same manner as Lemma 16.
Lemma 19. Suppose that the XDLIN assumption holds in and . Then for all PPT adversary , there is an adversary such that .
Proof. The proof follows in the same manner as Lemma 17.
4.3. Security Proof of Theorem 9
For the security proof, we follow the simulation-based security notion [1, 3]. A simulator responds to queries by an adversary and provides simulated secret keys and simulated ciphertexts to . The simulator is made of three algorithms: , , and .
It generates a master secret key and public parameters , which is transferred to . Specially, on input (, it sets (msk, pp)SSSK-IPE.Setup. The simulator will use the master secret key and the public parameters to answer the queries of in and .
It simulates the ciphertexts of challenge messages , where are output by and is the number of the challenge messages. Let be the number of secret key queries in the first stage. receives as input msk, pp, nonadaptive secret key queries made by , together with for each , and the secret keys . The normal ciphertext is , generated by SSSK-IPE.Encrypt, where . The simulated ciphertext is generated by , where . In order to prove the views of in SSSK-IPE.Encrypt and that in have the same distribution, we define a new algorithm , where .
It simulates the answer to the second stage queries of . It receives as input msk, pp, the vector , where is the secret key query made by , and the values , where are the challenge messages. The normal secret key is generated by SSSK-IPE.KeyGen, where . The simulated secret key is generated by , where . Analogous to , we also define a new algorithm where .
Next, we will prove it is indistinguishable between the output of an ideal world experiment and the output of the real world experiment via a hybrid argument.
Proof. A high-level overview of the security proof is given in Figure 1. By a standard hybrid argument, we prove the distributions of the outputs of and are computationally indistinguishable from that of the normal ciphertexts and the normal secret keys, respectively. We proceed via a series of hybrid experiments , where is the real world experiment and is the ideal world experiment. We then prove that each hybrid experiment is indistinguishable from the neighboring one.(i): This is the real experiment.(ii): This experiment is the same as except that the master secret key and the public parameters are generated by