Abstract

Functional encryption (FE) is a vast new paradigm for encryption schemes which allows tremendous flexibility in accessing encrypted data. In a FE scheme, a user can learn a specific function of encrypted messages using a restricted functional key, and learns nothing else about the messages. Besides the standard notion of data privacy, a FE scheme should also protect the privacy of the function itself, which is crucial for practical applications. In this paper, we construct a secret key FE scheme for the inner product functionality using asymmetric bilinear pairing groups of prime order. Compared with the existing similar schemes, our construction reduces both necessary storage and computational complexity by a factor of 2 or more. It achieves simulation-based security, whose security strength is higher than that of indistinguishability-based security, against adversaries who get hold of an unbounded number of ciphertext queries and adaptive secret key queries under the External Decisional Linear (XDLIN) assumption in the standard model. In addition, we implement the secret key inner product scheme and compare its performance with that of similar schemes.

1. Introduction

Traditional public-key encryption provides all-or-nothing access to data: you can either recover the entire plaintext or reveal nothing from the ciphertext. Functional encryption (FE) [13] is a vast new paradigm for encryption schemes which allows tremendous flexibility in accessing encrypted data. In a FE scheme, a secret key embedded with a function can be created from a master secret key msk. Then, given a ciphertext for , a user learns and reveals nothing else about . In recent years, the cryptographic community has made great progress in research on the security of FE and constructions for such schemes (see, for instance, [4–11] and many more).

There are two notions of security for a FE scheme, i.e., indistinguishability-based security and simulation-based security. The former requires that an adversary cannot distinguish between ciphertexts of any two messages , with access to a secret key for a function such that . In contrast, the latter requires that the view of the adversary can be simulated by a simulator, given only access to the secret keys and the function evaluated on the corresponding messages. Note that simulation-based security has higher security strength than indistinguishability-based security, in that there exists an indistinguishability-based secure FE scheme for a certain functionality which cannot be proved secure under simulation-based security [1, 3].

Traditional FE only considers data privacy and neglects the privacy of the function itself, which is also crucial for practical applications. Consider the case where Bob wants to store his files in a cloud. Before uploading his files to the cloud, he employs a FE scheme to encrypt them, avoiding leakage of data privacy, and then he uploads the encrypted form to the cloud. Later on, Bob wants to query his data by offering the cloud a key for a function of his choice. However, if the FE scheme cannot support privacy for the function, the key may reveal Bob’s query entirely to the cloud, which is not desirable when the function includes confidential information.

Due to its importance, some works focus on function privacy of FE, and this was first studied in [12] in the secret key setting. This was later followed by the work of [5, 13] in the secret key setting and that of [14, 15] in the public-key setting. Between the two scenarios of the public-key setting and the secret key setting, the degree to which function privacy can be satisfied differs dramatically. Specifically, a public-key FE scheme inherently leaks confidential information about the function. Note that an attacker who holds a secret key can always generate, on its own, the ciphertext for for message of her choice and then use to learn . This can reveal nontrivial information about the function . On the other hand, since an attacker holding a secret key cannot encrypt new messages in the secret key setting, this kind of attack no longer applies.

1.1. Functional Encryption for Inner Product

Although FE supports the computation of general circuits relying on a wide spectrum of assumptions, there are two major problems with the state-of-the-art general FE constructions. First, the security of some constructions is only ensured so long as the adversary gets hold of an a priori bounded number of secret keys [9, 10, 20]. Second, some solutions rely on tools such as multilinear maps [21] and indistinguishability obfuscation [8, 22] which are both impractical and founded on new security assumptions that have undergone minimal scrutiny. This inspires us to explore direct and effective constructions of FE schemes for specific functionalities, focusing on the inner product functionality as a first attempt [16–19, 23–26].

In an inner product encryption (IPE) scheme, a ciphertext is related to a vector of length and a secret key to a vector of length . Given the ciphertext and the secret key, the decryption algorithm computes the inner product . Notice that the formulation of IPE is distinct from that of inner product predicate encryption in [12, 13, 27–30]. The ciphertext for a message in an inner product predicate encryption scheme comes along with an attribute , and a secret key corresponds to a vector . When the ciphertext with is decrypted with the secret key for , the decryption algorithm outputs iff . By contrast, the output in the IPE formulation is the actual value of the inner product. In this paper, we consider functional privacy in inner product encryption, i.e., secret key inner product encryption.

1.2. Related Work

Abdalla et al. [23] presented a direct construction of public-key IPE under an indistinguishability-based definition. The construction is only proved to be secure against selective adversaries, which are asked to commit to their challenges at the beginning of the security game. Following work [24] presented adaptively secure schemes where the messages and may be adaptively chosen at any point in time, based on the previously collected information. Bishop et al. [16] proposed a function-hiding IPE scheme under the Symmetric External Diffie-Hellman (SXDH) assumption, which satisfies an indistinguishability-based definition, and considered adaptive adversaries. However, the scheme is secure only in a rather weak security model which places limits on adversaries' queries. Specifically, all ciphertext queries and all secret key queries are constrained by . The constraint obviously weakens the security of the scheme, and this is in violation of the intuitive spirit of function privacy. Recently, Datta et al. [17] developed a function-hiding IPE scheme under the SXDH assumption where the restriction on adversaries' queries is only . Tomida et al. [18] constructed a more efficient function-hiding IPE scheme than that of [17] under the External Decisional Linear (XDLIN) assumption. Kim et al. [25] put forth a fully-secure function-hiding IPE scheme with smaller parameter sizes and lower run time complexity than in [16, 17]. The scheme is proved simulation-based secure in the generic model of bilinear maps. Zhao et al. [19] presented the first simulation-based secure secret key IPE scheme under the SXDH assumption in the standard model. The scheme can tolerate an unbounded number of ciphertext queries and adaptive key queries.

1.3. Our Contribution

We construct an efficient simulation-based secure secret key IPE (SSSK-IPE) scheme in the standard model. We compare our scheme with related works in Table 1, where group exponentiations on cyclic groups are involved in the key generation algorithm and the encryption algorithm, and pairing operations on bilinear pairing groups are involved in the decryption algorithm. We achieve an outstanding reduction by a factor of 2 or more in computational complexity. Our scheme achieves group elements in secret key and ciphertext, which also reduces storage complexity by a factor of 2 or more. Hence, the SSSK-IPE scheme is superior to the previous schemes in both storage complexity and computation complexity. Furthermore, our scheme is based on the XDLIN assumption, which is weaker than the SXDH assumption. In more detail, the SXDH assumption relies on type 3 bilinear pairing groups, while the XDLIN assumption relies on any type of bilinear pairing groups [18]. Therefore, from this angle, the SXDH assumption is stronger than the XDLIN assumption. Although the construction of [18] was proved to be indistinguishability-based secure under the XDLIN assumption and also succeeded in improving efficiency, both the storage complexity and the computation complexity of our scheme are better than those of [18], and our scheme achieves simulation-based security, whose security strength is higher than that of indistinguishability-based security. In addition, we implement our SSSK-IPE scheme and compare its performance with that of similar schemes in Section 5.

To guarantee correctness, our scheme requires that inner products be within a range of polynomial size, which is consistent with other schemes in Table 1. As pointed out in [16], this is reasonable for statistical computations because the computations, like the average over a polynomial-size database, will naturally be contained within a polynomial range. Furthermore, our scheme is simulation-based secure against adversaries who get hold of an unbounded number of ciphertext queries and adaptive key queries. Although very basic functionalities such as IBE are simulation-based secure for an a priori bounded number of ciphertext queries in the standard model [1, 3, 4], this is possible for an unbounded number of ciphertext queries if adversaries have an underlying polynomial-size range.

1.4. Technical Overview

Our SSSK-IPE scheme is constructed from dual pairing vector spaces (DPVS), as in [16–19]; DPVS were introduced by Okamoto et al. [31, 32]. DPVS provide hidden linear subspaces in the prime order bilinear group setting. A DPVS of dimension is introduced in our construction, where is the dimension of inner product vectors. Typically, we sample a pair of dual orthonormal bases and only use the dimension and the dimension to encode vector and vector , respectively. Compared with the previous schemes, our scheme saves at least n dimensions of vector spaces. We preserve the remaining hidden dimensions of and for the security reduction. Specifically, between two hybrid experiments, a hidden dimension can be used for reducing a difference of one coefficient in a secret key or a ciphertext to a XDLIN instance.

2. Preliminaries

Let be the security parameter. If is a set, denotes the process of choosing uniformly at random from . Let and be distribution ensembles. We say that are computationally indistinguishable between and , if for all nonuniform probabilistic polynomial time and every , the difference between and is negligible. Let be a negligible function in . Moreover, we write to denote a vector of length for some positive integer and . We use to denote the inner product, mod , of vectors and . We use upper case boldface to denote matrices. denotes transpose of the matrix . denotes the general linear group of degree over . denotes a set of integers .

2.1. Definition of SSSK-IPE

We introduce the definition of simulation-based secure secret key IPE (SSSK-IPE).

Definition 1 (SSSK-IPE). A SSSK-IPE scheme is composed of the four PPT algorithms defined below:
(i) : The setup algorithm receives as input the security parameters and , being vector length, and outputs a master secret key msk and public parameters pp.
(ii) : The encryption algorithm receives as input the master secret key msk, the public parameters pp, and a vector and outputs a ciphertext .
(iii) : The key generation algorithm receives as input the master secret key msk, the public parameters pp, and a vector and outputs a secret key .
(iv) or : The decryption algorithm receives as input the public parameters pp, the ciphertext , and a secret key and outputs either a value or the dedicated symbol .

We make the following correctness requirement: for all SSSK-IPE.Setup, all , and for SSSK-IPE.Encrypt and SSSK-IPE.KeyGen, SSSK-IPE.Decrypt is sure to output whenever with nonnegligible probability. The correctness requires the fact that it is and not when is from a fixed polynomial range of value inside .

Definition 2 (indistinguishability-based security). A SSSK-IPE scheme has indistinguishability-based security if for all PPT adversaries , the advantage of in the game defined as follows is negligible:
(1) A challenger runs SSSK-IPE.Setup to generate msk and pp, and pp is given to . It also chooses a random bit .
(2) The challenger responds to the following two types of queries made by :
(i) Secret key query: submits a pair of vectors and the challenger computes and returns SSSK-IPE.KeyGen.
(ii) Ciphertext query: submits a pair of vectors and the challenger computes and returns SSSK-IPE.Encrypt.
(3) outputs a bit , and wins if .
A SSSK-IPE scheme is indistinguishability-based secure if for all PPT adversaries , the advantage of in the above game, is , where this game is by definition if and if .

Definition 3 (simulation-based security [1, 3, 7]). For a SSSK-IPE scheme, if there exists a PPT adversary and a PPT simulator , we define two experiments and in Box 1. (In the public-key setting, the adversary can encrypt plaintexts using the public parameters pp, but it cannot do so in the secret key setting.) Let be the number of challenge messages output by and be the number of secret key queries in the first stage. The oracles and are defined as follows:
(1) The oracle =SSSK-IPE.KeyGen.
(2) The oracle is the second stage of , i.e., for , where and are inputs of the ciphertext query and the th secret key query by , respectively. The simulator is stateful and after each query it updates the state .
A SSSK-IPE scheme is simulation-based secure if there exists a PPT simulator such that, for all PPT adversaries ,

2.2. Asymmetric Bilinear Pairing Groups

Definition 4 (asymmetric bilinear pairing groups). We say that an algorithm is an asymmetric bilinear group generator and it outputs a bilinear pairing group which is defined by the tuple , where is a prime and and are cyclic groups of order , with a bilinear pairing with the following properties:
(i) (Bilinearity) ,  ,  ,   and
(ii) (Nondegeneracy) ,   such that has order in .

2.3. External Decisional Linear Assumption

Definition 5 (external decisional linear (XDLIN) assumption [33]). , is a tuple produced by . Consider the following problem: given the distributions , , for , where ,  ,  ,    and , output if is 0, and output otherwise, we refer to the problem as the External Decisional Linear (XDLIN) problem.
For a PPT algorithm , the advantage of is defined as . If for all PPT algorithms , is negligible in , we say that satisfies the XDLIN assumption.

2.4. Dual Pairing Vector Spaces

Definition 6 (dual pairing vector spaces (DPVS) [31, 32]). A dual pairing vector space (DPVS) is directly defined by the tuple .   and over are -dimensional vector spaces. of and of are canonical bases, where and .   is pairing which is defined by , where and with the following properties:
(1) (Bilinearity) for and
(2) (Nondegeneracy) if for all , then .
Let be the output of algorithm , where .

We then describe random dual orthonormal basis generator as follows: , , ,, ,, , ,returning ().

Let denote , where and . Then we have

3. Our SSSK-IPE Scheme

In this section, we present the construction of SSSK-IPE.

SSSK-IPE.Setup(, n) (msk, pp): The setup algorithm runs . It then generates

The algorithm outputs msk, where ,  , and .

SSSK-IPE.Encrypt(msk, pp, ): The encryption algorithm samples independently and uniformly at random and outputs

SSSK-IPE.KeyGen(msk, pp, ): The secret key generation algorithm samples independently and uniformly at random and outputs

SSSK-IPE.Decrypt (pp, or : The decryption algorithm outputs

It then attempts to determine such that . If there is that satisfies the equation, the algorithm outputs . Otherwise, it outputs . Due to a polynomial-size range of possible values for , the decryption algorithm certainly runs in polynomial time.

Correctness. For any and by calling SSSK-IPE.Encrypt(msk, pp, ) and SSSK-IPE.KeyGen(msk, pp, ), respectively, the pairing evaluations in the decryption algorithm proceed as follows:

If the decryption algorithm takes polynomial time in the size of the plaintext space, it will output as desired.
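The correctness mechanism described above, modelled as an added example (not the authors' implementation): dual bases with B·(B*)ᵀ = ψ·I make the pairing of a ciphertext and a key depend only on the inner product of their coefficient vectors, and a bounded search then recovers that value. It assumes the standard DPVS basis generator B* = ψ·(Xᵀ)⁻¹, replaces the pairing by arithmetic on exponents in a toy order-1019 subgroup of Z_2039^*, and omits the scheme's randomness and hidden dimensions, so it illustrates correctness only, not security.

```python
import random

# Constructed toy parameters; real schemes use pairing groups with a ~160-bit or larger order.
Q = 1019        # prime group order
P = 2 * Q + 1   # 2039 is prime, so Z_P^* contains a subgroup of order Q
G = 4           # 4 is a quadratic residue mod P and therefore generates that subgroup


def inv_mod_matrix(m, q):
    """Gauss-Jordan inverse of a square matrix over Z_q; returns None if singular."""
    n = len(m)
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r][col] % q), None)
        if piv is None:
            return None
        a[col], a[piv] = a[piv], a[col]
        inv = pow(a[col][col], -1, q)
        a[col] = [v * inv % q for v in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(v - f * w) % q for v, w in zip(a[r], a[col])]
    return [row[n:] for row in a]


def gen_dual_bases(n, q, rng):
    """Sample B = X in GL(n, Z_q) and B* = psi * (X^T)^{-1}, so B . (B*)^T = psi * I."""
    psi = rng.randrange(1, q)
    while True:
        x = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
        x_inv = inv_mod_matrix(x, q)
        if x_inv is not None:
            break
    # (X^T)^{-1} equals (X^{-1})^T, so row i of B* is psi times column i of X^{-1}.
    b_star = [[psi * x_inv[j][i] % q for j in range(n)] for i in range(n)]
    return psi, x, b_star


def combine(coeffs, basis, q):
    """Return sum_i coeffs[i] * basis[i] over Z_q (the exponent vector of a DPVS element)."""
    n = len(basis)
    return [sum(c * basis[i][j] for i, c in enumerate(coeffs)) % q for j in range(n)]


def decrypt(ct, sk, psi, bound):
    """Model of pairing plus bounded search: find z in [0, bound] with g_T^z = D."""
    # D stands in for e(ct, sk); its exponent is the dot product of the two exponent vectors.
    d = pow(G, sum(a * b for a, b in zip(ct, sk)) % Q, P)
    g_t = pow(G, psi, P)          # g_T = e(g1, g2)^psi
    acc = 1
    for z in range(bound + 1):
        if acc == d:
            return z
        acc = acc * g_t % P
    return None                   # inner product outside the searched range


if __name__ == "__main__":
    rng = random.Random(7)
    psi, b, b_star = gen_dual_bases(4, Q, rng)
    ct = combine([3, 1, 4, 1], b, Q)        # "ciphertext" for x, constructed sample
    sk = combine([2, 7, 1, 8], b_star, Q)   # "secret key" for y, constructed sample
    print(decrypt(ct, sk, psi, 100), decrypt(ct, sk, psi, 10))
```
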

Remark 7. We can easily notice that our scheme is malleable, where a ciphertext can be created from certain other ciphertexts. The scheme in [18] is also malleable, while it seems difficult to prove the schemes in [16, 17, 19] to be malleable.

Remark 8. In contrast to the scheme of Tomida et al. [18], we provide a more efficient scheme with better security strength. The construction of [18] achieves indistinguishability-based security where the constraint on the adversaries is that, for all ciphertext queries and all key queries , should hold. and of dimension are introduced in their construction. There are at least dimensions of vector spaces because of changing a ciphertext including (respectively, a secret key including ) into one including (respectively, a secret key including ) in the security game. As mentioned in Section 1, in our scheme, a hidden dimension can be used to convert a corresponding coefficient to another coefficient in a secret key or a ciphertext, so that no PPT adversary can distinguish the two hybrid experiments. Our scheme therefore saves n dimensions of vector spaces.

4. Security Proof

4.1. Theorem 9

Now, we prove that our construction has many-AD-SIM (many messages secure, adaptive simulation definition) security from the XDLIN assumption in the standard model against adaptive adversaries obtaining an unbounded number of ciphertexts and secret keys.

Theorem 9. Under the XDLIN assumption the proposed scheme is many-AD-SIM-secure.

We will show Lemmas 15, 16, 17, 18, and 19 for the security proof of Theorem 9.

4.2. Lemmas

Definition 10 (problem 0). Problem 0 is to guess , given , where, and , for , , for , ,and , , and and  .

Definition 11 (problem 1). Problem 1 is to guess , given , where,,, ,, , and and .

Definition 12 (problem 2). Problem 2 is to guess , given , where,,, ,,  , andand .

Definition 13 (problem 3). Problem 3 is to guess , given , where,,, ,, , and and .

Definition 14 (problem 4). Problem 4 is to guess , given , where,,, ,, , and and   .

For a PPT adversary , the advantage of for Problem , where , is defined as

where the instance is by definition if and if .

Lemma 15. Suppose that the XDLIN assumption holds in and . Then for any PPT adversary , there is an adversary such that .

Proof. Let be a random linear transformation. On inputting an instance of XDLIN , , , sets, , and ,,, and , and . can calculate for and for . Next, generates for ,   for , and . Then sets . Finally, gives .
If and  , then and when and (with probability ).
If and  , then and when , and (with probability ). Therefore, .

Lemma 16. Suppose that the XDLIN assumption holds in and . Then for any PPT adversary , there is an adversary such that .

Proof. Let be a random linear transformation. On inputting an instance of Problem 0 , calculates for , for ,, ,, for , for ,,  , and  , and  . Then sets and . Finally, gives . If ,  , and if ,  , where ,  , and . This is the same as an instance of Problem 0.

Lemma 17. Suppose that the XDLIN assumption holds in and . Then for any PPT adversary , there is an adversary such that .

Proof. Let be a random linear transformation. On inputting an instance of Problem 0 , calculates for , for , and  ,, for , for , and , and  ,, and . Then sets and . Finally, gives . If ,  , and if ,  , where ,  , and . This is the same as an instance of Problem 0.

Lemma 18. Suppose that the XDLIN assumption holds in and . Then for any PPT adversary , there is an adversary such that .

Proof. The proof follows in the same manner as Lemma 16.

Lemma 19. Suppose that the XDLIN assumption holds in and . Then for any PPT adversary , there is an adversary such that .

Proof. The proof follows in the same manner as Lemma 17.

4.3. Security Proof of Theorem 9

For the security proof, we follow the simulation-based security notion [1, 3]. A simulator responds to queries by an adversary and provides simulated secret keys and simulated ciphertexts to . The simulator is made of three algorithms: ,  , and .

It generates a master secret key and public parameters , which is transferred to . Specifically, on input (, it sets (msk, pp)SSSK-IPE.Setup. The simulator will use the master secret key and the public parameters to answer the queries of in and .

It simulates the ciphertexts of challenge messages , where are output by and is the number of the challenge messages. Let be the number of secret key queries in the first stage. receives as input msk, pp, nonadaptive secret key queries made by , together with for each , and the secret keys . The normal ciphertext is , generated by SSSK-IPE.Encrypt, where . The simulated ciphertext is generated by , where . In order to prove the views of in SSSK-IPE.Encrypt and that in have the same distribution, we define a new algorithm , where .

It simulates the answer to the second stage queries of . It receives as input msk, pp, the vector , where is the secret key query made by , and the values , where are the challenge messages. The normal secret key is generated by SSSK-IPE.KeyGen, where . The simulated secret key is generated by , where . Analogous to , we also define a new algorithm where .

Next, we prove via a hybrid argument that the output of an ideal world experiment is indistinguishable from the output of the real world experiment.

Proof. A high-level overview of the security proof is given in Figure 1. By a standard hybrid argument, we prove the distributions of the outputs of and are computationally indistinguishable from that of the normal ciphertexts and the normal secret keys, respectively. We proceed via a series of hybrid experiments , where is the real world experiment and is the ideal world experiment. We then prove that each hybrid experiment is indistinguishable from the neighboring one.
(i) : This is the real experiment.
(ii) : This experiment is the same as except that the master secret key and the public parameters are generated by .
(iii) : This experiment is the same as except that every challenge ciphertext is which is generated by .
(iv) : This experiment is the same as except that, for every key query , the corresponding secret key is which is generated by .
(v) : This experiment is the same as except that, for every key query , the corresponding secret key is which is generated by .
(vi) : This experiment is the same as except that every challenge ciphertext is which is generated by .

Lemma 20. For all PPT adversaries , .

Proof. Because the master secret key and the public parameters are all generated by SSSK-IPE.Setup in and , the view of in and that in have the same distribution.

Lemma 21. Assuming that Problem 1 holds, for all PPT adversaries , .

Proof. Suppose that there exists a PPT adversary that can distinguish the output distributions of and . Then, we construct a PPT algorithm which is given an instance of Problem 1 for and simulates and .
Setup: runs SSSK-IPE.Setup(, n) and outputs msk and pp. gives the public parameters pp and the master secret key msk is only known to .
Secret Key Queries: To answer the key queries made by , runs algorithm SSSK-IPE.Encrypt to respond with .
Simulated Ciphertexts: randomly chooses , where is the number of the ciphertext queries asked by the adversary . To answer the th ciphertext query that makes, chooses and and computes and answers as if , if , if . The view of is composed of the public parameters and the answers of the secret key queries and the ciphertext query. The public parameters in and are all generated by SSSK-IPE.Setup and thus have the same distribution, similar to the answers to the secret key queries. As for the answer to the th ciphertext query, if then the answer is distributed as in and if then the answer is distributed as in .

Lemma 22. Assuming that Problem 3 holds, for all PPT adversaries , .

Proof. Suppose that there exists a PPT adversary that can distinguish the output distributions of and . Then, we construct a PPT algorithm which is given an instance of Problem 3 for and simulates and .
Setup: runs SSSK-IPE.Setup(, n) and outputs msk and pp. gives the public parameters pp, and the master secret key msk is only known to .
First stage key queries: To answer every key query made by , chooses random , runs SSSK-IPE.KeyGen (msk, pp, ), and responds with .
Simulated ciphertexts: To answer every ciphertext query that makes, chooses random and , runs , and answers as .
Second stage key queries: randomly chooses , where is the number of the ciphertext queries asked by the adversary in the second stage. To answer the th key query that makes, chooses random and and computes and answers as if , if , if . We observe the view of in its interaction with . The public parameters in and are all generated by SSSK-IPE.Setup and thus have the same distribution, similarly for the answers to every ciphertext query where in and are all generated by . As for the answer to the th key query, if then the answer is distributed as in and if then the answer is distributed as in .

Lemma 23. Assuming that Problem 4 holds, for all PPT adversaries , .

Proof. The proof follows in the same manner as Lemma 22.

Lemma 24. Assuming that Problem 2 holds, for all PPT adversaries , .

Proof. The proof follows in the same manner as Lemma 21.

5. Evaluation

To assess the practicality of the SSSK-IPE scheme in Section 3, we implement it similarly to FHIPE [25], using two libraries: Charm [34] for the pairing group operations and FLINT [35] for the finite field arithmetic in . The algorithm in [36] is used for evaluating discrete logs. We then compare the performance of the SSSK-IPE scheme with that of the previous schemes in Table 1. The experiments are performed on a personal computer with a 3.4G 8-core processor and 4GB RAM memory.

5.1. Microbenchmarks

We denote as the length of the binary vectors in the SSSK-IPE scheme. (We take binary vectors for the microbenchmarks, because they keep our search space small during decryption. This is similar to FHIPE in [25].) In the microbenchmarks (Tables 2 and 3), we evaluate the run times of Encrypt, KeyGen, and Decrypt and the ciphertext sizes, which change with the values of . Both bit security level and bit security level, in which the pairing curves are MNT159 and MNT224, respectively, are considered. In the offline stage, the algorithm Setup computes the inverse of , naive computation complexity of which is , in order to generate from . Note that we consider an amortized complexity model, in which a larger amount of computational work is invested in the offline phase for obtaining efficiency during the online phase. Although Encrypt and KeyGen have the same number of group exponentiations over and , respectively, there is a difference in the run times between them. This is because of the artificial distinction in implementing asymmetric pairing groups. The run time of Decrypt is more than that of Encrypt or KeyGen, as a pairing operation consumes more time than a group exponentiation.

5.2. Comparison with Previous Schemes

In Figures 2 and 3, we compare our scheme with related works in Table 1. Of the three schemes BJK15 [16], TAO16 [18], and ZZL17 [19] in Table 1, BJK15 is selected as the representative for comparison, because their numbers of group exponentiations and pairing operations are almost equal. Figure 2 shows that the run times of the schemes increase with ranging from 50 to 300. This is due to the increase in vector length, which results in more group exponentiations and more pairing operations. Compared with BJK15 and DDM16, the SSSK-IPE scheme is 1.8-2.1 times faster and 3.6-5 times faster, respectively. Figure 3 shows that the ciphertext sizes of the schemes increase with vector length . Compared with BJK15 and DDM16, the ciphertext size of the SSSK-IPE scheme is 1.2-2.1 times less and 2.5-4 times less, respectively.

6. Applications

In this section, we show some direct applications of secret key IPE scheme.

6.1. Search on Encrypted Data

An interesting application of secret key IPE is searching on encrypted data. Consider a company that uses a cloud to back up a large number of files. The company wishes to protect the privacy of these files by encrypting vector representations of them prior to uploading them to the cloud. The company provides the master secret key for the secret key IPE scheme to an authorized employee who can search encrypted files in the cloud. Later on, the employee wants to search for files corresponding to a particular function. First, he converts his query into a vector, computes the secret key for it, and sends the secret key to the cloud. The cloud then performs searches on disjunction queries, conjunction queries, and arbitrary CNF and DNF formulas and returns those files which satisfy the queries, as shown in Figure 4.

Specifically, to encrypt a keyword value in the finite field , we can encode the value into a vector . Assume a secret key is created based on a disjunction query “ OR OR ”. It can be considered as the univariate polynomial which is expanded in standard form as , where are the corresponding coefficients. The polynomial is encoded as a vector . Note that . If or or such that , the secret key will match the ciphertext for the value . However, we notice that IPE is less expressive than the general relations of FE. When IPE is used for such general relations, formulas must be expressed in CNF or DNF form, which can result in a superpolynomial blowup in size for arbitrary formulas.
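The polynomial encoding of a disjunction query, worked through in the clear as an added example (not code from the paper): the inner product of the two vectors equals the query polynomial evaluated at the file's keyword value, so it is zero exactly when the keyword is one of the query terms. The power-vector encoding (1, a, a², ...), the hash-based mapping of keywords to field elements, the field size and the sample keywords are assumptions made for illustration; in the scheme these vectors would be passed to Encrypt and KeyGen rather than compared directly.

```python
import hashlib

# Constructed toy field: the Mersenne prime 2^61 - 1 (the scheme uses its own group order).
Q = 2**61 - 1


def to_field(keyword):
    """Map a keyword string to a field element (assumed mapping, not from the paper)."""
    digest = hashlib.sha256(keyword.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % Q


def encode_value(a, degree):
    """Ciphertext-side vector for keyword value a: (a^0, a^1, ..., a^degree) mod Q."""
    return [pow(a, i, Q) for i in range(degree + 1)]


def encode_disjunction(roots, degree):
    """Key-side vector: coefficients (c_0, ..., c_degree) of prod_i (x - root_i) mod Q.

    Queries with fewer terms than `degree` are padded with zero high-order
    coefficients so every key has the same length as the ciphertext vectors.
    """
    if len(roots) > degree:
        raise ValueError("query has more terms than the vector length supports")
    coeffs = [1]
    for r in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - r * c) % Q      # contribution of -r * c * x^i
            nxt[i + 1] = (nxt[i + 1] + c) % Q  # contribution of  c * x^(i+1)
        coeffs = nxt
    return coeffs + [0] * (degree + 1 - len(coeffs))


def inner(u, v):
    """Inner product mod Q, i.e. the value IPE decryption would work with."""
    return sum(a * b for a, b in zip(u, v)) % Q


def matches(file_keyword, query_keywords, degree=3):
    """True iff the file's keyword satisfies 'k1 OR k2 OR ...'."""
    x = encode_value(to_field(file_keyword), degree)
    y = encode_disjunction([to_field(k) for k in query_keywords], degree)
    return inner(x, y) == 0


if __name__ == "__main__":
    query = ["invoice", "payroll", "audit"]    # constructed sample query
    for kw in ["payroll", "memo"]:             # constructed sample file keywords
        print(kw, matches(kw, query))
```
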

6.2. Biometric Authentication

In [24, 25], it is shown that secret key IPE can be used for biometric authentication. Consider a company that wants to limit access to a certain area in a building. It can employ a biometric-based authentication system, for example, fingerprint readers or iris scanners. The biometric scanner is connected to an external authentication server. The server holds the list of employee biometric signatures and their authorization policies. However, just as a password-based authentication system employs salted password hashing to protect each user's password, the server should store each employee's biometric information in the form of ciphertext. Due to the noisy nature of biometrics, authentication should be successful when the provided biometric is close to a user’s stored credential. This is achieved by computing the Hamming distance between them, which is the number of bits in which they differ. IPE can be employed to compute the Hamming distance between an encrypted -bit vector and another binary vector embedded in the secret key. We can encode and as and , respectively, where and and for each . Then is exactly twice the Hamming distance between and .

Suppose an employee attempts to authenticate using a fingerprint scanner, which stores the master secret key for a secret key IPE scheme. The scanner accomplishes authentication with the secret key IPE scheme: it reads the fingerprint of the employee, computes the ciphertext of the fingerprint with the master secret key, and sends it to the server. The server has stored the ciphertext of each user’s fingerprint under the secret key in advance. The server can compute the Hamming distance between the encrypted fingerprint and the stored fingerprint for the employee. If the result is small, authentication will succeed.
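The Hamming-distance check behind this authentication flow, as an added example (not the paper's code), computed on the encoded vectors in the clear. It assumes the usual ±1 encoding (bit 1 maps to 1, bit 0 maps to -1 mod Q), under which n minus the inner product is twice the Hamming distance; the modulus, the 16-bit templates and the threshold are constructed sample values, and the server-side search is restricted to distances up to the threshold so that a non-matching probe yields no distance at all.

```python
# Constructed toy modulus; it must exceed 2n so that n - 2d is unambiguous mod Q.
Q = 1019


def encode(bits):
    """Assumed encoding: bit 1 -> 1, bit 0 -> -1 (represented as Q - 1)."""
    return [1 if b else Q - 1 for b in bits]


def inner_mod(u, v):
    """Inner product mod Q: the value the IPE decryption would expose to the server."""
    return sum(a * b for a, b in zip(u, v)) % Q


def distance_from_inner(ip, n, max_dist):
    """Recover d from ip = n - 2d (mod Q), searching only d in [0, max_dist].

    Mirrors the bounded search in decryption: values outside the searched
    range give None, so the server learns no distance for a poor match.
    """
    if Q <= 2 * n:
        raise ValueError("modulus too small for this vector length")
    for d in range(max_dist + 1):
        if (n - 2 * d) % Q == ip:
            return d
    return None


def authenticate(stored_bits, probe_bits, threshold):
    """Accept iff the probe is within `threshold` bit flips of the enrolled template."""
    if len(stored_bits) != len(probe_bits):
        raise ValueError("template and probe must have the same length")
    ip = inner_mod(encode(stored_bits), encode(probe_bits))
    return distance_from_inner(ip, len(stored_bits), threshold) is not None


# Constructed sample data: an enrolled 16-bit template, a noisy reading of the
# same finger (bits 3 and 10 flipped) and an unrelated reading (all bits flipped).
STORED = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0]
NOISY = [b ^ (i in (3, 10)) for i, b in enumerate(STORED)]
IMPOSTOR = [1 - b for b in STORED]

if __name__ == "__main__":
    print(authenticate(STORED, NOISY, threshold=3))      # close match
    print(authenticate(STORED, IMPOSTOR, threshold=3))   # far from the template
```
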

7. Conclusion

In this work, we presented an efficient simulation-based inner product encryption scheme with a polynomial-size range in the standard model. Our scheme uses asymmetric bilinear pairing groups of prime order under the XDLIN assumption. Our work raises several interesting open problems on constructions of inner product encryption schemes. One open problem is to explore the simulation-based security notion in IPE with full-hiding security, considering confidentiality for functional keys and encrypted data in a completely symmetric manner, in the secret key setting [17]. Another open problem is to study how to achieve many-AD-SIM security for a multi-input inner product functional encryption scheme with a polynomial-size range [37].

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Disclosure

A preliminary version of this paper was presented at the 19th International Conference on Information and Communications Security.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work has been partly supported by National NSF of China under Grant nos. 61772266, 61572248, and 61431008.