Keywords

1 Introduction

Predicate encryption (PE) is a subclass of functional encryption that supports fine-grained access control. In the PE schemes, a receiver corresponding to the secret key \(sk_f\) which is associated with predicate f can decrypt the ciphertext c which is associated with the private attribute x if and only if \(f(x)=0\).

The inner product encryption (IPE) was firstly introduced by Katz et al. [10], which is a special case of PE. In the IPE scheme, the attribute x and predicate f are expressed as vectors \({\varvec{x}}\) and \({\varvec{v}}\), and \(f({\varvec{x}})=0\) if and only if \(\langle {\varvec{x}},{\varvec{v}}\rangle =0\). IPE has many useful application scenarios, such as it can support subset, conjunction and range queries on encrypted data [8] and polynomial evaluation, CNF/DNF formulas [10].

At first, the IPE constructions [4, 10,11,12,13,14,15,16] were based on bilinear groups and constructing IPE scheme from other assumption was left as an open problem. Until 2011, Agrawal et al. [2] proposed the first IPE scheme (denoted by AFV11) from the LWE assumption. One of the drawbacks of the scheme is that it has large sizes of public parameter (i.e., \(O(un^2\log ^3n)\)) and ciphertext (i.e., \(O(un\log ^3n)\)) for \(q=poly(n)\), where u is the dimension of the attribute vector, n is the security parameter. For efficiency, XagawaFootnote 1 [17] improved the AFV11 IPE scheme and obtained a more compact IPE scheme (denoted by Xag13) with public parameter of size \(O(un^2\log ^2n)\) and ciphertext of size \(O(un\log ^2n)\). Whether we can further compress the public parameter and ciphertext size to get a more compact IPE scheme is an interesting problem.

1.1 Our Contribution

In this paper, we mainly focus on the efficiency of the IPE scheme. We construct a selective security IPE scheme from the LWE assumption with compact parameters. Our scheme has smaller public parameter size (i.e., \(O(un^2\log n)\)) and ciphertext size (i.e., \(O(un\log n)\)) for \(q=poly(n)\) and improves both the public parameter size and the ciphertext size by a factor of \(O(\log n)\) when compared with Xag13.

In addition, we further note that we can add homomorphic property to our IPE scheme. More formally, by using the technique proposed by Brakerski et al. [6], we obtain a targeted homomorphic IPE (THIPE) scheme which has more compact public parameters and ciphertexts than the scheme in [6] when only consider the inner product case. Note that, in Brakerski et al.’s scheme, the predicate f can be any efficiently computable polynomial.

In Table 1, we give a rough comparison of the sizes of public parameter and ciphertext, the modulus q, the approximate factor among the existing IPE schemes from LWE.

Table 1. Comparison of IPE schemes based on LWE.
Full size table

1.2 Overview of Our Construction

Here we give the overview of our scheme. We first review the previous IPE scheme for \(u=k\ell \) dimension attribute vector \({\varvec{x}}=(x_{1,1},\ldots ,x_{1\ell },\ldots ,x_{k,1},\dots ,x_{k,\ell })\) and predicate vector \({\varvec{v}}=(v_{1,1},\ldots ,v_{1\ell },\ldots ,v_{k,1},\dots ,v_{k,\ell })\). We give a brief description of them and then we present our construction. For simplicity, we use the special case of \(k=1\) to demonstrate, that is \({\varvec{x}}=(x_1,\ldots ,x_\ell )\) and \({\varvec{v}}=(v_1,\ldots ,v_\ell )\).

Our Construction.We construct a compact IPE scheme based on [2, 17] by using the technique of [1]. Let \(\mathbf {G}_{n,2,m}\) be the gadget matrix with base 2 and matrix size \(n\times m\). In our construction, we use two gadget matrices \(\mathbf {G}_{n\ell ,\ell ^{'},m}\) and \(\mathbf {G}_{n,2,m}\) with different bases and matrix sizes as the critical tool to improve the efficiency.

In our construction, every public matrix can encode \(\ell \) components of \({\varvec{x}}\), where \(\ell =O(\log n)\). That is, for \({\varvec{x}}=(x_1,\dots ,x_\ell )\) and the corresponding \(\mathbf {X}_i=x_i\mathbf {I}_n\) defined as before, let \(\mathbf {X}=[\mathbf {X}_1|\ldots |\mathbf {X}_\ell ]\in \mathbb {Z}_q^{n\times n\ell }\), the encryption lattice is defined as

$$\varLambda _{{\varvec{x}}}=\varLambda _q(\mathbf {A}|\mathbf {A}_1+\mathbf {X}\mathbf {G}_{n\ell ,\ell ^{'},m})$$

The corresponding ciphertext is a vector \(CT=({\varvec{c}},{\varvec{c}}_{1})\in (\mathbb {Z}_q^m)^{2}\).

For predicate vector \({\varvec{v}}=(v_1,\ldots ,v_\ell )\) and the corresponding \(\mathbf {V}_i=v_i\mathbf {I}_n\) as before, let \( \mathbf {V}=\left( \begin{array}{c} v_{1}\mathbf {I}_n \\ v_{2}\mathbf {I}_n \\ \vdots \\ v_{\ell }\mathbf {I}_n \\ \end{array} \right) \in \mathbb {Z}_q^{ n\ell \times n}\), we define the mapping \(T_{{\varvec{v}}}:(\mathbb {Z}_q^m)^{2}\rightarrow (\mathbb {Z}_q^m)^{2}\) by

$$\begin{aligned} T_{{\varvec{v}}}({\varvec{c}},{\varvec{c}}_{1})=({\varvec{c}},{\varvec{c}}_1\mathbf {G}_{n\ell ,\ell ^{'},m}^{-1}(\mathbf {V}\mathbf {G}_{n,2,m})) \end{aligned}$$

We denote \(w=\langle {\varvec{x}},{\varvec{v}}\rangle \) and let \(\mathbf {W}=w\mathbf {I}_n\). And \(T_{{\varvec{v}}}({\varvec{c}},{\varvec{c}}_{1})\) is a vector close to the lattice

$$\begin{aligned} \varLambda _{{\varvec{v}},{\varvec{x}}}=\varLambda _q(\mathbf {A}|\mathbf {A}_{1}\mathbf {G}_{n\ell ,\ell {'},m}^{-1}(\mathbf {V}\mathbf {G}_{n,2,m})+\mathbf {W}\mathbf {G}_{n,2,m}) \end{aligned}$$

The secret key \({\varvec{r}}\) is defined as a short basis of \(\varLambda _q^{\bot }(\mathbf {A}|\mathbf {A}_{1}\mathbf {G}_{n\ell ,\ell {'},m}^{-1}(\mathbf {V}\mathbf {G}_{n,2,m}))\), so if \(\langle {\varvec{x}},{\varvec{v}}\rangle =0\), then \( \mathbf {W}={\varvec{0}}\), and thus the secret key \({\varvec{r}}\) can decrypt the corresponding ciphertext.

Due to the fact that \(n\ell \log _{\ell ^{'}} q =O(m)=O(n\log q)\), then \(\ell =O(\log {\ell {'}})\). And \(\ell {'}\) is a bit decomposition base of modulus \(q=poly(n)\), thus \(\ell {'}=O(n)\) and \(\ell =O(\log n)\). So it’s obvious that our IPE scheme improves the public parameter and ciphertext size by a factor of \(\ell =O(\log n)\).

2 Preliminaries

2.1 Predicate Encryption

Predicate Encryption ([10]). For the set of attribute \(\varSigma \) and the class of the predicate \(\mathcal {F}\), a predicate encryption scheme consists four algorithm \(\textsf {Setup},\textsf {KeyGen},\textsf {Enc}\), \(\textsf {Dec}\) which are PPT algorithms such that:

  • \(\textsf {Setup}\) uses the security parameter \(\lambda \) and outputs the master public key mpk and master secret key msk.

  • \(\textsf {KeyGen}\) uses the master secret key msk and a predicate \(f\in \mathcal {F}\) and outputs a secret key \(sk_f\) for f.

  • \(\textsf {Enc}\) uses the master public key mpk and a attribute \(I\in \varSigma \), outputs a ciphertexts C for message \(\mu \in \mathcal {M} \).

  • \(\textsf {Dec}\) takes as input the ciphertexts C and secret key \(sk_f\). If \(f(I)=0\), it outputs \(\mu \); if \(f(I)=1\), it outputs a distinguished symbol \(\bot \) with all but negligible probability.

Security. We say a PE scheme is weakly attribute hiding in the selective attribute setting if the adversary can’t distinguish \(\textsf {Enc}(mpk,I_1,\mu _1)\) and \(\textsf {Enc}(mpk,I_2,\mu _2)\).

The definition of the weakly attribute hiding security is given in [10].

2.2 Lattices

For positive integers nmq, and a matrix \(\mathbf {A}\in \mathbb {Z}_{q}^{n\times m}\), the m-dimensional integer lattices are defined as: \(\varLambda _{q}(\mathbf {A})=\{\mathbf {y}:\mathbf {y}=\mathbf {A}^\mathrm {T}\mathbf {s}~\mathrm {for}~\mathrm {some}~\mathbf {s}\in \mathbb {Z}^{n}\}\) and \(\varLambda _{q}^{\perp }(\mathbf {A})=\{\mathbf {y}:\mathbf {A}\mathbf {y}=\mathbf {0}\mod q\}\).

For \(\mathbf {x}\in \varLambda \), define the Gaussian function \(\rho _{s,\mathbf {c}}(\mathbf {x})\) over \(\varLambda \subseteq \mathbb {Z}^m\) centered at \(\mathbf {c}\in \mathbb {R}^{m}\) with parameter \(s>0\) as \(\rho _{s,\mathbf {c}}(\mathbf {x})=\exp (-\pi ||\mathbf {x-c}||/s^2)\). Let \(\rho _{s,\mathbf {c}}(\varLambda )=\sum _{\mathbf {x}\in \varLambda }\rho _{s,\mathbf {c}}(\mathbf {x})\), and define the discrete Gaussian distribution over \(\varLambda \) as \(\mathcal {D}_{\varLambda ,s,\mathbf {c}}(\mathbf {x})=\frac{\rho _{s,\mathbf {c}}(\mathbf {x})}{\rho _{s,\mathbf {c}}(\varLambda )}\), where \(\mathbf {x}\in \varLambda \). For simplicity, \(\rho _{s,\mathbf {0}}\) and \(\mathcal {D}_{\varLambda ,s,\mathbf {0}}\) are abbreviated as \(\rho _{s}\) and \(\mathcal {D}_{\varLambda ,s}\), respectively.

Lemma 1

Let pqnm be positive integers with \(q\ge p\ge 2\) and q prime. There exists PPT algorithms such that

  • [3, 5]: \(\mathsf {TrapGen}(n,m,q)\) a randomized algorithm that, when \(m\ge 6n\lceil \log q\rceil \), outputs a pair \((\mathbf {A,T_{A}})\in \mathbb {Z}_{q}^{n\times m}\times \mathbb {Z}^{m\times m}\) such that \(\mathbf {A}\) is statistically close to uniform in \(\mathbb {Z}_{q}^{n\times m}\) and \(\mathbf {T_{A}}\) is a basis of \(\varLambda ^{\perp }_{q}(\mathbf {A})\), satisfying \(\Vert \widetilde{\mathbf {T_{A}}}\Vert \le \mathcal {O}(\sqrt{n\log q})\) with overwhelming probability.

  • [9]: \(\mathsf {SampleLeft}(\mathbf {A},\mathbf {B},\mathbf {T_{A}},\mathbf {u},s)\) a randomized algorithm that, given a full rank matrix \(\mathbf {A}\in \mathbb {Z}_{q}^{n\times m}\), a matrix \(\mathbf {B}\in \mathbb {Z}_{q}^{n\times m}\), a basis \(\mathbf {T_{A}}\) of \(\varLambda ^{\perp }_{q}(\mathbf {A})\), a vector \(\mathbf {u}\in \mathbb {Z}_{q}^{n}\) and \(\sigma \ge \Vert \widetilde{\mathbf {T_{A}}}\Vert \cdot \omega (\sqrt{\log (2m}))\), then outputs a vector \(\mathbf {r}\in \mathbb {Z}_{q}^{2m}\) distributed statistically close to \(\mathcal {D}_{\varLambda _{q}^{\mathbf {u}}(\mathbf {F}),s}\) where \(\mathbf {F}=[\mathbf {A|B}]\).

3 Compact Inner Product Encryption from LWE

In this section, we propose a compact IPE scheme from LWE problem. For attribute vector \({\varvec{x}}=(\mathbb {Z}_q^{\ell })^k\) and predicate vector \({\varvec{v}}=(\mathbb {Z}_q^{\ell })^k\), we use \({\varvec{x}} = ({\varvec{x}}_1,\ldots ,{\varvec{x}}_k)\) and \({\varvec{v}} = ({\varvec{v}}_1,\ldots ,{\varvec{v}}_k)\) to denote them respectively and each \({\varvec{x}}_i=(x_{i,1},\ldots ,x_{i,\ell }),{\varvec{v}}_i=(v_{i,1},\ldots ,v_{i,\ell })\in \mathbb {Z}_q^{\ell }\).

3.1 The Construction

Let \(\lambda \) be the security parameter and \(u=k\ell \) be the dimension of predicate and attribute vectors. Set lattice parameters \(n=n(\lambda ), m=m(\lambda ), q=q(\lambda )\) and Gaussian parameters \(\alpha =\alpha (\lambda ),s=s(\lambda )\), define \(\ell ^{'}=2^{\ell }.\)

  • \(\textsf {IPE.Setup}(1^{\lambda })\): On input the security parameter \(\lambda \), do:

    1. 1.

      Use the algorithm \(\mathsf {TrapGen}\) \((n, m,q)\) to generate a matrix \(\mathbf {A}\in \mathbb {Z}_q^{n\times m}\) and its trapdoor \(\mathbf {T}_{\mathbf {A}}\).

    2. 2.

      Choose k uniformly random matrix \(\mathbf {A}_i\in \mathbb {Z}_q^{n\times m}\) for \(i = 1,\ldots ,k\) and sample a uniformly random matrix \(\mathbf {P}\in \mathbb {Z}_q^{n\times m}\).

    Output \(mpk=(\mathbf {A}, \{\mathbf {A}_i\}_{i\in \{1,\ldots ,k\}},\mathbf {P})\) and \(msk=\mathbf {T}_{\mathbf {A}}\).

  • \(\textsf {IPE.KeyGen}(mpk, msk,{\varvec{x}})\): On input the master public key mpk and master secret key msk, and a predicate vector \({\varvec{v}}= ({\varvec{v}}_1,\ldots ,{\varvec{v}}_k)\in (\mathbb {Z}_q^{\ell })^k\) where \({\varvec{v}}_i= (v_{i,1},\ldots ,v_{i,\ell })\in \mathbb {Z}_q^{\ell }\), do:

    1. 1.

      For \(i=1,\ldots ,\ell \), compute the matrices \(\mathbf {V}_{i}^{'}:=\left( \begin{array}{c} v_{i,1}\mathbf {I}_n \\ v_{i,2}\mathbf {I}_n \\ \vdots \\ v_{i,\ell }\mathbf {I}_n \\ \end{array} \right) \in \mathbb {Z}_q^{\ell n\times n}\), and let \(\mathbf {V}_{i}:=\mathbf {G}_{n\ell ,\ell ^{'},m}^{-1}(\mathbf {V}_{i}^{'}\cdot \mathbf {G}_{n,2,m})\)

    2. 2.

      Define the matrices:

      $$\mathbf {B} := \sum _{i=1}^{k}\mathbf {A}_i\mathbf {V}_i\in \mathbb {Z}_q^{n\times m}$$
    3. 3.

      Using msk to compute \(\mathbf {U}\leftarrow \mathsf {SampleLeft}(\mathbf {A},\mathbf {B},\mathbf {T}_{\mathbf {A}},\mathbf {P},s)\), it holds that \([\mathbf {A}|\mathbf {B}]\cdot \mathbf {U}=\mathbf {P}\mod q\), for \(\mathbf {U}\in \mathbb {Z}_q^{ 2m\times m}\).

    Output the secret key \(sk_{{\varvec{v}}}=\mathbf {U}\).

  • \(\textsf {IPE.Enc}(mpk,{\varvec{x}},\mu )\): On input the master public key mpk, the attribute vector \({\varvec{x}}=({\varvec{x}}_1,\ldots ,{\varvec{x}}_k)\in (\mathbb {Z}_q^{\ell })^k\), and a message \(\mu \in \{0,1\}\), do:

    1. 1.

      For \(i=1,\ldots ,k\), set the matrices \(\mathbf {X}_i=[x_{i,1}\mathbf {I}_n|x_{i,2}\mathbf {I}_n|\ldots |x_{i,\ell }\mathbf {I}_n]\in \mathbb {Z}_q^{n\times n\ell }\).

    2. 2.

      Choose a uniformly random vector \({\varvec{s}}\in \mathbb {Z}_q^{n}\), and sample two noise vectors \({\varvec{e}},{\varvec{e}}^{'}\leftarrow \mathcal {D}_{\mathbb {Z}_q^{m}}\).

    3. 3.

      For \(i=1,\ldots ,k\), choose these random matrices \(\mathbf {R}_{i}\in \{-1, 1\}^{m \times m}\). Then define noise vectors \({\varvec{e}}_{i}^\mathrm {T} := {\varvec{e}}^\mathrm {T}\mathbf {R}_{i}\).

    4. 4.

      For \(i=1,\ldots ,k\), compute the ciphertext

      $$\begin{aligned} {\varvec{c}} := {\varvec{s}}^\mathrm {T}\mathbf {A}+{\varvec{e}}^\mathrm {T}, {\varvec{c}}_i := {\varvec{s}}^\mathrm {T}(\mathbf {A}_i+\mathbf {X}_i\mathbf {G}_{n\ell ,\ell ^{'},m})+{\varvec{e}}_i^\mathrm {T}, {\varvec{c}}^{'} := {\varvec{s}}^\mathrm {T}\mathbf {P}+{\varvec{e}}^{'}+(0,\ldots ,0,\lfloor \frac{q}{2}\rceil \mu ) \end{aligned}$$

    Output the ciphertext \(CT := ({\varvec{c}},\{{\varvec{c}}_i\}_{i\in \{1,\ldots k\}},{\varvec{c}}^{'})\)

  • \(\textsf {IPE.Dec}(mpk, CT, sk_{{\varvec{v}}})\): On input the master public key, a secret key \(sk_{{\varvec{v}}}=\mathbf {U}\) for predicate vector \({\varvec{v}}\) and the ciphertext \(CT := ({\varvec{c}},\{{\varvec{c}}_i\}_{i\in \{1,\ldots k\}},{\varvec{c}}^{'})\), do:

    1. 1.

      For \(i=1,\ldots ,k\), compute the vector \({\varvec{c}}_{{\varvec{v}}}=\sum _{i=1}^{k}{\varvec{c}}_i\mathbf {V}_i\).

    2. 2.

      Compute \({\varvec{z}}\leftarrow {\varvec{c}}^{'}-[{\varvec{c}}|{\varvec{c}}_{{\varvec{v}}}]\cdot \mathbf {U} \mod q\).

    Output \(\lfloor \frac{z_m}{q/2}\rceil \in \{0,1\}\), if \(\Vert (z_1,\ldots ,z_{m-1})\Vert _{\infty }<q/4\); otherwise, output \(\perp \).

3.2 Parameters

In Table 2, we set the parameters of the IPE scheme above.

Table 2. IPE parameters setting.
Full size table

3.3 Security

Theorem 1

Suppose that \(m\ge 6n\log q\), assuming the hardness of the decisional LWE problem, then the above inner product encryption scheme is weakly attribute hiding.

4 A Single Targeted Homomorphic Compact IPE Scheme

In this section, we propose our single targeted homomorphic compact inner product encryption scheme from LWE. Inspired by the idea of [6], we add homomorphic property to our IPE scheme and get compact ciphertext and public parameter size. The construction of the scheme is as follows:

4.1 The THIPE Construction

Let \(\lambda \) be the security parameter and \(u=k\ell \) be the length of predicate and attribute vectors. Set lattice parameters \(n=n(\lambda ), m=m(\lambda ), q=q(\lambda )\) and Gaussian parameters \(\alpha =\alpha (\lambda ), s\,=\,s(\lambda )\), define \(\ell ^{'}=2^{\ell }\) and \(M=(2m+1)\lceil \log q\rceil \).

  • \(\textsf {THIPE.Setup}(1^{\lambda })\): On input a security parameter \(\lambda \), do:

    1. 1.

      Use the algorithm \(\mathsf {TrapGen}\) \((n, m, q)\) to generate a matrix \(\mathbf {A}\) and its trapdoor \(\mathbf {T}_{\mathbf {A}}\).

    2. 2.

      Choose \(k+1\) uniformly random matrix \(\mathbf {A}_i\in \mathbb {Z}_q^{n\times m}\) for \(i = 0,1,\ldots , k\) and sample a uniformly random vector \({\varvec{u}}\in \mathbb {Z}_q^{n}\).

    Output \(mpk=(\mathbf {A}, \mathbf {A}_0, \{\mathbf {A}_i\}_{i\in \{1,\ldots ,k\}},{\varvec{u}})\) and \(msk=\mathbf {T}_{\mathbf {A}}\).

  • \(\textsf {THIPE.KeyGen}(mpk, msk,{\varvec{x}})\): On input the master public key mpk and master secret key msk, and a predicate vector \({\varvec{v}}= ({\varvec{v}}_1,\ldots ,{\varvec{v}}_k)\in (\mathbb {Z}_q^{\ell })^k\) where \({\varvec{v}}_i= (v_{i,1},\ldots ,v_{i,\ell })\in \mathbb {Z}_q^{\ell }\), do:

    1. 1.

      For \(i=1,\ldots ,\ell \), compute the matrices \(\mathbf {V}_{i}^{'}:=\left( \begin{array}{c} v_{i,1}\mathbf {I}_n \\ v_{i,2}\mathbf {I}_n \\ \vdots \\ v_{i,\ell }\mathbf {I}_n \\ \end{array} \right) \in \mathbb {Z}_q^{\ell n\times n}\), and let \(\mathbf {V}_{i}:=\mathbf {G}_{n\ell ,\ell ^{'},m}^{-1}(\mathbf {V}_{i}^{'}\cdot \mathbf {G}_{n,2,m})\)

    2. 2.

      Define the matrices:

      $$\begin{aligned} \mathbf {B} := \sum _{i=1}^{k}\mathbf {A}_i\mathbf {V}_i\in \mathbb {Z}_q^{n\times m} \end{aligned}$$
    3. 3.

      Using msk to compute \({\varvec{r}}_1\leftarrow \mathsf {SampleLeft}(\mathbf {A},\mathbf {A}_0+\mathbf {B},\mathbf {T}_{\mathbf {A}},{\varvec{u}},s)\), it holds that \([\mathbf {A}|\mathbf {A}_0+\mathbf {B}]\cdot {\varvec{r}}_1={\varvec{u}}\mod q\). For \({\varvec{r}}^\mathrm {T}=[-{{\varvec{r}}_1}^\mathrm {T},1]\), we have that \([\mathbf {A}|\mathbf {A}_0+\mathbf {B}|{\varvec{u}}]\cdot {\varvec{r}}={\varvec{0}}.\)

    Output the secret key \(sk_{{\varvec{v}}}={\varvec{r}}\).

  • \(\textsf {THIPE.Enc}(mpk,{\varvec{x}},\mu )\): On input the master public key mpk, the attribute vector \({\varvec{x}}=({\varvec{x}}_1,\ldots ,{\varvec{x}}_k)\in (\mathbb {Z}_q^{\ell })^k\), and a message \(\mu \in \{0,1\}\), do:

    1. 1.

      For \(i=1,\ldots ,k\), set the matrices \(\mathbf {X}_i=[x_{i,1}\mathbf {I}_n|x_{i,2}\mathbf {I}_n|\ldots |x_{i,\ell }\mathbf {I}_n]\in \mathbb {Z}_q^{n\times n\ell }\).

    2. 2.

      Choose a uniformly random vector \(\mathbf {S}\in \mathbb {Z}_q^{n\times M}\), and sample a noise matrix \(\mathbf {E}\leftarrow \mathcal {D}_{\mathbb {Z}_q^{m\times M}, \alpha }\) and a noise vector \({\varvec{e}}\leftarrow \mathcal {D}_{\mathbb {Z}_q^{m}, \alpha }\).

    3. 3.

      For \(i=0,1,\ldots ,k\), choose these random matrices \(\mathbf {R}_{i}\in \{-1, 1\}^{m \times m}\). Then define noise vectors \(\mathbf {E}_i := \mathbf {R}_{i}^\mathrm {T}\mathbf {E}\).

    4. 4.

      Compute the ciphertext as follows:

      $$\begin{aligned} \left( \begin{array}{c} \mathbf {C}_{\mathbf {A}} \\ \mathbf {C}_{0} \\ \mathbf {C}_{{\varvec{u}}} \\ \end{array} \right) = \left( \begin{array}{c} \mathbf {A}^\mathrm { T } \\ \mathbf {A}_0^\mathrm { T } \\ {\varvec{u}}^\mathrm { T }\\ \end{array} \right) \cdot \mathbf {S}+ \left( \begin{array}{c} \mathbf {E} \\ \mathbf {E}_{0} \\ {\varvec{e}} \\ \end{array} \right) +\,\mu \mathbf {G}_{2m+1,2,M} \end{aligned}$$

      And for all \(i=1,\ldots ,k\), we compute:

      $$\begin{aligned} \mathbf {C}_i = (\mathbf {A}_i+\mathbf {X}_i\mathbf {G}_{n\ell ,\ell ^{'},m})^\mathrm {T}\mathbf {S}+\mathbf {E}_i \end{aligned}$$

    Output the ciphertext \(CT := (\mathbf {C}_{\mathbf {A}},\mathbf {C}_0,\mathbf {C}_{{\varvec{u}}},\{\mathbf {C}_i \}_{i\in \{1,\ldots , k\}}).\)

  • \(\textsf {THIPE.Trans}(mpk, CT, {\varvec{v}})\): For predicate vector \({\varvec{v}}\) and ciphertext CT which corresponds to attribute \({\varvec{x}}\), such that \(\langle {\varvec{x}},{\varvec{v}}\rangle =0.\) The evaluator then computes:

    $$\mathbf {C}_{{\varvec{v}}}=\sum _{i=1}^k\mathbf {V}_i^\mathrm {T}\mathbf {C}_i$$

    Then the evaluator sets:

    $$\mathbf {C}=\left( \begin{array}{c} \mathbf {C}_{\mathbf {A}} \\ \mathbf {C}_0+\mathbf {C}_{{\varvec{v}}} \\ {\varvec{c}}_{{\varvec{u}}} \\ \end{array} \right) \in \mathbb {Z}_q^{(2m+1)\times M} $$

    The ciphertext \(\mathbf {C}\) is the final ciphertext that used to do homomorphic evaluation.

  • \(\textsf {THIPE.TEval}(g, \mathbf {C}_1,\ldots ,\mathbf {C}_t)\): The ciphertexts \(\mathbf {C}_i\) which are the outputs of \(\textsf {THIPE.Trans}\) are corresponding to the same predicate vector \({\varvec{v}}\) that the evaluator knows in advance, it outputs \(\mathbf {C}_g=\mathsf {Eval}(g, \mathbf {C}_1,\ldots ,\mathbf {C}_t)\). In the process of evaluation, it computes NAND gate as:

    $$\mathrm {NAND}(\mathbf {C}_1,\mathbf {C}_2)=\mathbf {G}_{2m+1,2,M}-\mathbf {C}_1(\mathbf {G}_{2m+1,2,M}^{-1}\mathbf {C}_2)$$

  • \(\textsf {THIPE.Dec}(mpk,\mathbf {C}_g,sk_{{\varvec{v}}})\): On input the master public key, a secret key \(sk_{{\varvec{v}}}={\varvec{r}}\) for predicate vector \({\varvec{v}}\) and the ciphertext \(\mathbf {C}_g\), do:

    1. 1.

      For \({\varvec{b}}=(0,\ldots ,0,\lfloor q/2\rceil )^\mathrm {T}\), compute \(z\leftarrow {\varvec{r}}^\mathrm {T}\mathbf {C}_g \mathbf {G}_{2m+1,2,M}^{-1}({\varvec{b}}) \mod q\)

    2. 2.

      Output 0, if \(|z|<q/4\); otherwise, output 1.

5 Conclusion

In this work, we built a compact IPE scheme and a targeted homomorphic compact IPE scheme. We make use of two gadget matrix \(\mathbf {G}_{n\ell ,\ell ^{'},m}\) and \(\mathbf {G}_{n,2,m}\) and decrease the public parameter size to \(O(un^2\log n)\), ciphertext size to \(O(un\log n)\). Our IPE scheme improve the public parameters by a factor of \(O(\log n)\) compared with [17].