Security and Communication Networks

Volume 2018, Article ID 6561418, 12 pages

https://doi.org/10.1155/2018/6561418

## Improved Construction for Inner Product Functional Encryption

^{1}State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing 210023, China^{2}Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China^{3}College of Information Science and Technology, Nanjing Agricultural University, Nanjing 210095, China^{4}College of Mathematics and Computer Science, Fuzhou University, Fuzhou 350117, China^{5}School of Information Systems, Singapore Management University, 178902, Singapore

Correspondence should be addressed to Qingkai Zeng; nc.ude.ujn@kqz

Received 4 February 2018; Revised 30 June 2018; Accepted 22 July 2018; Published 13 August 2018

Academic Editor: Petros Nicopolitidis

Copyright © 2018 Qingsong Zhao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Functional encryption (FE) is a vast new paradigm for encryption scheme which allows tremendous flexibility in accessing encrypted data. In a FE scheme, a user can learn specific function of encrypted messages by restricted functional key and reveals nothing else about the messages. Besides the standard notion of data privacy in FE, it should protect the privacy of the function itself which is also crucial for practical applications. In this paper, we construct a secret key FE scheme for the inner product functionality using asymmetric bilinear pairing groups of prime order. Compared with the existing similar schemes, our construction reduces both necessary storage and computational complexity by a factor of 2 or more. It achieves simulation-based security, security strength which is higher than that of indistinguishability-based security, against adversaries who get hold of an unbounded number of ciphertext queries and adaptive secret key queries under the External Decisional Linear (XDLIN) assumption in the standard model. In addition, we implement the secret key inner product scheme and compare the performance with the similar schemes.

#### 1. Introduction

Traditional public-key encryption provides all-or-nothing access to data: you can either recover the entire plaintext or reveal nothing from the ciphertext. Functional encryption (FE) [1–3] is a vast new paradigm for encryption scheme which allows tremendous flexibility in accessing encrypted data. In a FE scheme, a secret key embedded with a function can be created from a master secret key msk. Then, given a ciphertext for , a user learns and reveals nothing else about . In recent years, the cryptographic community has made great progress in research on the security of FE and constructions for such schemes (see, for instance, [4–11] and any more).

There are two notions of security for a FE scheme, i.e., indistinguishability-based security and simulation-based security. The former one requires that an adversary cannot distinguish between ciphertexts of any two messages , with access to a secret key for a function such that . In contrast, the latter one requires that the view of the adversary can be simulated by a simulator, given only access to the secret keys and the function evaluated on the corresponding messages. Note that simulation-based security has higher security strength than indistinguishability-based security such that there exists an indistinguishability-based secure FE scheme for a certain functionality which is not able to be proved secure under simulation-based security [1, 3].

The traditional FE only considers data privacy and omits to protect the privacy of the function itself which is also crucial for practical applications. Consider the case where Bob wants to store his files in a cloud. Before uploading his files to the cloud, he employs a FE scheme to encrypt them avoiding leakage of data privacy and then he uploads the encryption form to the cloud. Later on, Bob wants to query his data by offering the cloud a key for a function of his choice. However, if the FE scheme cannot support the privacy for the function, the key may reveal Bob’s query entirely to the cloud, which is not desirable when the function includes confidential information.

Due to the importance, some works focus on function privacy of FE, and this was first studied in [12] in the secret key setting. This is later followed by the work of [5, 13] in the secret key setting and that of [14, 15] in the public-key setting. During the two scenarios of the public-key setting and the secret key setting, the degree to which function privacy can be satisfied differs dramatically. Specifically, a public-key FE scheme is inherent in leaking confidential information about the function. Note that an attacker who holds a secret key can always generate, on its own, the ciphertext for for message of her choice and then use to learn . This can reveal nontrivial information about the function . On the other hand, since an attacker holding a secret key cannot encrypt new messages in the secret key setting, such kind of attack is no longer applied.

##### 1.1. Functional Encryption for Inner Product

Although FE supports the computation of general circuits relying on a wide spectrum of assumptions, there are two major problems with the state-of-the-art general FE constructions. First, the security of some constructions is only ensured so long as the adversary gets hold of a priori bounded number of secret keys [9, 10, 20]. Second, some solutions rely on tools such as multilinear maps [21] and indistinguishability obfuscation [8, 22] which are both impractical and founded on new security assumption undergone minimal scrutiny. This inspires us to explore constructions for firsthand and effective FE schemes for functionalities which focus on the inner product functionality as a first attempt [16–19, 23–26].

In an inner product encryption (IPE) scheme, a ciphertext is related to a vector of length and a secret key to a vector of length . Given the ciphertext and the secret key, the decryption algorithm computes the inner product . Notice that the formulation of IPE is distinct from that of inner product predicate encryption in [12, 13, 27–30]. The ciphertext for a message in an inner product predicate encryption scheme comes along with an attribute , and a secret key corresponds to a vector . When the ciphertext with is decrypted with the secret key for , the decryption algorithm outputs iff . By contrast, the output in the IPE formulation is the actual value of the inner product. In this paper, we consider functional privacy in inner product encryption, i.e., secret key inner product encryption.

##### 1.2. Related Work

Abdalla et al. [23] presented a direct construction of public-key IPE under an indistinguishability-based definition. The construction is only proved to be secure against selective adversaries which are asked to commit to their challenges at the beginning of the security game. Following work [24] presented adaptively secure schemes where the messages and may be adaptively chosen at any point in time, based on the previously collected information. Bishop et al. [16] proposed a function-hiding IPE scheme under the Symmetric External Diffie-Hellman (SXDH) assumption, which satisfies an indistinguishability-based definition, and considered adaptive adversaries. However, the scheme is available in a rather weak security model which places limit on adversaries' queries. Specially, all ciphertext queries and all secret key queries are constrained by . The constraint obviously weakens the security of the scheme, and this is in violation of the intuitive spirit of function privacy. Recently, Datta et al. [17] developed a function-hiding IPE scheme under the SXDH assumption where the restriction on adversaries' queries is only . Tomida et al. [18] constructed a more efficient function-hiding IPE scheme than that of [17] under the External Decisional Linear (XDLIN) assumption. Kim et al. [25] put forth a fully-secure function-hiding IPE scheme with less parameter sizes and run time complexity than in [16, 17]. The scheme is proved simulation-based secure in the generic model of bilinear maps. For the first time Zhao et al. [19] presented a simulation-based secure secret key IPE scheme under the SXDH assumption in the standard model. The scheme can tolerate an unbounded number of ciphertext queries and adaptive key queries.

##### 1.3. Our Contribution

We construct an efficient simulation-based secure secret key IPE (SSSK-IPE) scheme in the standard model. We compare our scheme with related works in Table 1 where group exponentiations on cyclic groups are involved in key generation algorithm and encryption algorithm, and pairing operations on bilinear pairing groups are involved in decryption algorithm. We achieve an outstanding reduction by a factor of 2 or more in computational complexity. Our scheme achieves group elements in secret key and ciphtertext, which also reduces storage complexity by a factor of 2 or more. Hence, performance in the SSSK-IPE scheme is superior to that in the previous schemes in both storage complexity and computation complexity. Furthermore, our scheme is based on the XDLIN assumption which is weaker than the SXDH assumption. In more detail, the SXDH assumption relies on type 3 bilinear pairing groups, while the XDLIN assumption relies on any type of bilinear pairing groups [18]. Therefore from this angle, the SXDH assumption is stronger than the XDLIN assumption. Although the construction of [18] was proved to be indistinguishability-based secure under the XDLIN assumption and also succeeded in improving efficiency, both storage complexity and computation complexity of our scheme are better than that of [18] and our scheme achieves simulation-base security, security strength of which is higher than that of indistinguishability-based security. In addition, we implement our SSSK-IPE scheme and compare the performance with the similar schemes in Section 5.