FunctionHiding Inner Product Encryption
Abstract
We extend the reach of functional encryption schemes that are provably secure under simple assumptions against unbounded collusion to include functionhiding inner product schemes. Our scheme is a private key functional encryption scheme, where ciphertexts correspond to vectors \(\vec {x}\), secret keys correspond to vectors \(\vec {y}\), and a decryptor learns \(\langle \vec {x}, \vec {y} \rangle \). Our scheme employs asymmetric bilinear maps and relies only on the SXDH assumption to satisfy a natural indistinguishabilitybased security notion where arbitrarily many key and ciphertext vectors can be simultaneously changed as long as the keyciphertext dot product relationships are all preserved.
1 Introduction
Functional encryption (FE) [8, 23, 25] is an exciting paradigm for noninteractively computing on encrypted data. In a functional encryption scheme for a family \(\mathcal {F}\), it is possible to derive “specialpurpose” decryption keys \(K_f\) for any function \(f\in \mathcal {F}\) from a master secret key. Given such a decryption key \(K_f\) and an encryption of some input x, a user should be able to learn f(x) and nothing else about x.
A driving force behind FE has been to understand what class of functions \(\mathcal {F}\) can be supported and what notions of security can be achieved. In terms of functionality, research in FE started with the early works on attributebased encryption [16, 25], progressively evolving to support more expressive classes of functions, leading to the state of art works that are now able to support computation of general polynomialsize circuits [11, 14, 15, 24]. In terms of security, most of the prior work in this area focuses on the privacy of (encrypted) messages (see, e.g., [8, 10, 23] for various security definitions considered in the literature for message privacy).
In many application scenarios, however, it is important to also consider privacy of the function being computed. Consider the following motivating example: suppose a hospital subscribes to a cloud service provider to store medical records of its patients. To protect the privacy of the data, these records are stored in an encrypted form. At a later point in time, the hospital can request the cloud to perform some analysis on the encrypted records by releasing a decryption key \(K_f\) for a function f of its choice. If the FE scheme in use does not guarantee any hiding of the function (which is the case for many existing FE schemes), then the key \(K_f\) might reveal f completely to the cloud, which is undesirable when f itself contains sensitive information.
This has motivated the study of function privacy in FE, starting with the work of Shen et al. [26], and more recently by [2, 6, 7, 9]. Intuitively speaking, function privacy requires that given a decryption key \(K_f\) for a function f, one should not be able to learn any unnecessary information about f. Using the analogy to secure computation, function private FE can be seen as the noninteractive analogue of private function evaluation (which guarantees the privacy of both the input x and the function f being computed on x) just like standard FE can be seen as the noninteractive analogue of secure function evaluation (which only guarantees privacy of the input x). One may also observe that the notion of function privacy is similar in spirit to program obfuscation [5, 11]. Indeed, in the publickey setting, function private FE, in fact, implies program obfuscation.^{1} In the secretkey setting, however, no such implication is known.
In this work, we continue the study of function privacy in FE. In particular, we focus on the inner product functionality \(\mathcal {IP}\): a function \(\mathrm {IP}_{\vec {y}}\in \mathcal {IP}\) in this function family is parametrized by a vector \(\vec {y}\) in the finite field \(\mathbb {Z}_p\). On an input \(\vec {x}\in \mathbb {Z}_p\), \(\mathrm {IP}_{\vec {y}}(\vec {x})=\langle \vec {x},\vec {y}\rangle \), where \(\langle \vec {x},\vec {y}\rangle \) denotes the inner product \(\sum _{i=1}^{n} x_i y_i \in \mathbb {Z}_p\). Inner product is a particularly useful function for statistical analysis. In particular, in the context of FE, (as shown by [17]) it enables computation of conjunctions, disjunctions, CNF/DNF formulas, polynomial evaluation and exact thresholds.

Generic constructions: By now, we have a large sequence of works [4, 10, 11, 12, 14, 15, 24, 27] on FE that support computation of general circuits. Very recently, Brakerski and Segev [9] give a general transformation from any FE scheme for general circuits into one that achieves function privacy. Then, by combining [9] with the aforementioned works, one can obtain a functionprivate FE scheme for inner product as a special case.
We note, however, that these generic FE constructions use heavyduty tools for secure computation (such as fullyhomomorphic encryption [13] and program obfuscation [5, 11]) and are therefore extremely inefficient. Furthermore, in order to achieve collusionresistance – one of the central goals in FE since its inception – the above solution would rely on indistinguishability obfuscation [5, 11], which is a strong assumption.

Direct constructions: To the best of our knowledge, the only “direct” construction of FE for inner product that avoids the aforementioned expensive tools is due to the recent work of Abdalla et al. [1]. Their work, however, does not consider function privacy.
We clarify that our formulation of inner product FE is different from that considered in the works of [3, 7, 17, 18, 21, 22, 26]. Very briefly, these works study inner product in the context of predicate encryption, where a message m is encrypted along with a tag \(\vec {x}\) and decryption with a key \(K_y\) yields m iff \(\langle \vec {x},\vec {y}\rangle =0\). In contrast, as discussed above, we are interested in learning the actual inner product value (in \(\mathbb {Z}_p\)).
In summary, the state of the art leaves open the problem of constructing a collusionresistant, functionprivate FE scheme for inner product from standard assumptions. We stress that unless we put some restrictions on the distribution of the messages (as in the work of [6, 7]), this question only makes sense in the secretkey setting.
Our Results. In this work, we resolve this open problem. Specifically, we construct a functionprivate secretkey FE scheme for the inner product functionality that supports any arbitrary polynomial number of key queries and message queries. Our construction makes use of asymmetric bilinear maps and is significantly more efficient than the generic solutions discussed earlier. The security notion we prove for our construction is a natural indistinguishabilitybased notion, and we establish it under the Symmetric External DiffieHellman Assumption (SXDH). To obtain correctness for our scheme, we assume that inner products will be contained in a polynomiallysized range. This assumption is quite reasonable for statistical applications, where the average or count of some bounded quantity over a polynomiallysized database will naturally be in a polynomial range.
Our Techniques. We begin with the basic idea for inner product encryption developed in [17], which is the observation that one can place two vectors in the exponents on opposite sides of a bilinear group and compute the dot product via the pairing. This already provides some protection for the vectors as discrete log is thought to be hard in these groups, but without further randomization, this is vulnerable to many attacks, such as guessing the vector or learning whether two coordinates of a vector are the same. For this reason, the construction in [17] multiplies each of the exponent vectors by a random scalar value and uses additional subgroups in a composite order group to supply more randomization. The use of composite order groups in this way is by no means inherent, as subsequent works [18, 21, 22] (for example) demonstrate how to supply a sufficient amount of randomization in prime order bilinear groups using dual pairing vector spaces. However, in all of these schemes, the random scalars prevent a decryptor from learning the actual value of the inner product. Of course this is intentional and required, as these are predicate encryption schemes where the prescribed functionality only depends on whether the inner product is zero or nonzero. To adapt these methods to allow a decryptor to learn the inner product, we must augment the construction with additional group elements that produce the same product of scalars in the exponent. Then the decryptor can produce the value by finding a ratio between the exponents of two group elements. This will be efficiently computable when the value of the inner product is in a known polynomiallysized range. Crucially, we must prove that these additional group elements do not reveal any unintended information.
We note that the construction in [17] is not known to be functionhiding. And since we are further allowing the inner product itself to be learned, functionhiding for our scheme means something different than functionhiding for schemes such as [17]. In particular, function hiding for a public key scheme in our setting would be impossible: one could simply create ciphertexts for a basis of vectors and test decryption of one’s key against all of them to fully reconstruct the vector embedded in the key. It is thus fundamental that the public key scheme in [1] is not functionhiding. Indeed, their secret keys include vectors given in the clear and have no hiding properties.
To prove functionhiding for our construction, we thus leverage our private key setting to obtain a perfect symmetry between secret keys and ciphertexts, both in our construction and in our security reduction. Since no public parameters for encryption need to be published, the same techniques that we use to hide the underlying vectors in the ciphertexts can be flipped to argue that functionhiding holds for the secret keys.
The core of our security argument is an informationtheoretic step (in the setting of dual pairing vector spaces as introduced by Okamoto and Takashima [19, 20]). Essentially, our master secret key consists of two dual orthonormal bases that will be employed in the exponents to encode the vectors for ciphertexts and secret keys respectively. Secret keys and ciphertexts thus correspond to linear combinations of these basis vectors in the exponent. Since the bases themselves are never made public, if all of the secret keys (for example) are orthogonal to a particular vector, then there is a hidden “dimension” in the bases that can be used to argue that the ciphertext vector can be switched to another vector that has the same inner products with the provided keys. In fact, if we did not want any function privacy and instead only wanted to hide whether a single ciphertext corresponded to a vector \(\vec {x}_0\) or \(\vec {x}_1\) while giving out secret keys for vectors \(\vec {y}\) orthogonal to \(\vec {x}_0  \vec {x}_1\), then we would do this informationtheoretically. When we instead have many ciphertexts and we also demand function privacy for the keys, we use a hybrid argument, employing various applications of the SXDH assumption to move things around in the exponent bases and isolate a single ciphertext or key in a particular portion of the bases to apply our informationtheoretic argument. The symmetry between keys and ciphertexts in our construction allows us to perform the same hybrid argument to obtain function privacy as in the case of multipleciphertext security.
2 Preliminaries
2.1 Functional Encryption Specifications and Security Definitions
In the rest of this paper, we will consider a specialization of the general definition of functional encryption to the particular functionality of computing dot products of nlength vectors over a finite field \(\mathbb Z_p\). A private key functional encryption scheme for this class of functions will have the following PPT algorithms:
\({Setup(1^\lambda , n) \rightarrow \mathrm {PP}, \mathrm {MSK}}\) The setup algorithm will take in the security parameter \(\lambda \) and the vector length parameter n (a positive integer that is polynomial in \(\lambda \)). It will produce a master secret key \(\mathrm {MSK}\) and public parameters \(\mathrm {PP}\). (Note that this is not a public key scheme, so the \(\mathrm {PP}\) are not sufficient to encrypt  they are just parameters that do not need to be kept secret.)
\({Encrypt(\mathrm {MSK}, \mathrm {PP}, \vec {x}) \rightarrow \mathrm {CT}}\) The encryption algorithm will take in the master secret key \(\mathrm {MSK}\), the public parameters \(\mathrm {PP}\), and a vector \(\vec {x} \in \mathbb Z_p^n\). It produces a ciphertext \(\mathrm {CT}\).
\({KeyGen(\mathrm {MSK}, \mathrm {PP}, \vec {y}) \rightarrow \mathrm {SK}}\) The key generation algorithm will take in the master secret key \(\mathrm {MSK}\), the public parameters \(\mathrm {PP}\), and a vector \(\vec {y} \in \mathbb Z_p^n\). It produces a secret key \(\mathrm {SK}\).
\({Decrypt(\mathrm {PP}, \mathrm {CT}, \mathrm {SK})\rightarrow m \in \mathbb Z_p or \bot }\) The decryption algorithm will take in the public parameters \(\mathrm {PP}\), a ciphertext \(\mathrm {CT}\), and a secret key \(\mathrm {SK}\). It will output either a value \(m \in \mathbb Z_p\) or \(\bot \).
For correctness, we will require the following. We suppose that \(\mathrm {PP}, \mathrm {MSK}\) are the result of calling Setup\((1^\lambda , n\)), and \(\mathrm {CT}, \mathrm {SK}\) are then the result of calling Encrypt\((\mathrm {MSK}, \mathrm {PP}, \vec {x})\) and KeyGen\((\mathrm {MSK}, \mathrm {PP}, \vec {y})\) respectively. We then require that the output of Decrypt\((\mathrm {PP},\mathrm {CT},\mathrm {SK})\) must be either \(m = \langle \vec {x}, \vec {y} \rangle \) or \(\bot \). We will only require that it is \(\langle \vec {x}, \vec {y} \rangle \) and not \(\bot \) when \(\langle \vec {x}, \vec {y} \rangle \) is from a fixed polynomial range of values inside \(\mathbb Z_p\), as this will allow a decryption algorithm to compute it as a discrete log in a group where discrete log is generally hard.
Security. We will consider an indistinguishabilitybased security notion defined by a game between a challenger and an attacker. At the beginning of the game, the challenger calls Setup\((1^\lambda , n, B\)) to produce \(\mathrm {MSK}, \mathrm {PP}\). It gives \(\mathrm {PP}\) to the attacker. The challenger also selects a random bit b.
Definition 1
We say a private key functional encryption scheme for dot products over \(\mathbb Z_p^n\) satisfies functionhiding indistinguishabilitybased security if any PPT attacker’s advantage in the above game is negligible as a function of the security parameter \(\lambda \).
Remark 1
We note that the attacker can trivially win the security game if we allowed a key query \(\vec {y}^0, \vec {y}^1\) and ciphertext query \(\vec {x}^0, \vec {x}^1\) such that \(\langle \vec {y}^0, \vec {x}^0\rangle \ne \langle \vec {y}^1, \vec {x}^1 \rangle \). Our stronger requirement that \(\langle \vec {y}^0, \vec {x}^1 \rangle \) and \(\langle \vec {y}^1, \vec {x}^0 \rangle \) is used for our hybrid security proof, but it might be possible to remove it by developing different proof techniques.
2.2 Asymmetric Bilinear Groups
 1.
(Bilinear) \(\forall g_1 \in G_1, g_2 \in G_2,\; a, b \in \mathbb Z_p, \; e(g_1^a,g_2^b) = e(g_1,g_2)^{ab}\)
 2.
(Nondegenerate) \(\exists g_1 \in G_1, g_2 \in G_2\) such that \(e(g_1,g_2)\) has order p in \(G_T\).
We refer to \(G_1\) and \(G_2\) as the source groups and \(G_T\) as the target group. We assume that the group operations in \(G_1\), \(G_2\), and \(G_T\) and the map e are computable in polynomial time with respect to \(\lambda \), and the group descriptions of \(G_1\), \(G_2\), and \(G_T\) include a generator of each group.
The SXDH Assumption states that no polynomialtime algorithm can achieve nonnegligible advantage in deciding between \(D_1\) and \(D_2\). It also states that the same is true for the analogous distributions formed from switching the roles of \(G_1, G_2\) (that is, \(D_1 = (g_2, g_2^{a}, g_2^{b}, g_2^{ab}, g_1)\) and \(D_2 = (g_2, g_2^{a}, g_2^{b}, g_2^{ab + r}, g_1)\))
2.3 Dual Pairing Vector Spaces
3 Construction
We now present our construction in asymmetric bilinear groups. We will choose dual orthonormal bases \(\mathbb {B}\) and \(\mathbb {B}^*\) that will be used in the exponent to encode ciphertext and key vectors respectively. Vectors will be encoded twice to create space for a hybrid security proof and will be additionally masked by random scalars (these basic features are also present in [17]). We will use additional dual bases \(\mathbb {D}, \mathbb {D}^*\) to separately encode these same scalars in the exponent so that their effect can be removed from the final decryption result. We view it as a core feature of our construction that the structure of keys and ciphertexts in our scheme is perfectly symmetric, just on different sides of dual orthonormal bases. This enables us to prove function hiding for the keys with exactly the same techniques we use to prove indistinguishability security for the ciphertexts.
\({Setup(1^\lambda , n), \rightarrow \mathrm {MSK}, \mathrm {PP}}\) The setup algorithm takes in the security parameter \(\lambda \) and a positive integer n specifying the desired length of vectors for the keys and ciphertexts. It chooses an asymmetric bilinear group consisting of \(G_1, G_2, G_T\), all with prime order p. It fixes generators \(g_1, g_2\) of \(G_1\) and \(G_2\) respectively. It then samples dual orthonormal bases \(\mathbb {B}, \mathbb {B}^* \leftarrow Dual(\mathbb Z_p^{2n})\) and dual orthonormal bases \(\mathbb {D}, \mathbb {D}^* \leftarrow Dual(\mathbb Z_p^2)\). It defines the master secret key as \(\mathrm {MSK}:= \mathbb {B}, \mathbb {B}^*, \mathbb {D}, \mathbb {D}^*\). The groups \(G_1, G_2, G_T\), the generators \(g_1, g_2\), and p are set to be public parameters.
4 Security Proof
Our security proof is structured as a hybrid argument over a series of games which differ in how the ciphertext and keys are constructed. Intuitively, if there were only one ciphertext, we could embed the difference of the two possible ciphertext vectors, namely \(\vec {x}^0  \vec {x}^1\), into the definition of the bases \(\mathbb {B}, \mathbb {B}^*\) to argue that this difference is hidden when only key vectors orthogonal to \(\vec {x}^0  \vec {x}^1\) are provided. In other words, there is ambiguity in the choice of \(\mathbb {B}, \mathbb {B}^*\) left conditioned on the provided keys, and this can be exploited to switch \(\vec {x}^0\) for \(\vec {x}^1\). But there is a limited amount of such ambiguity, so to repurpose it for many ciphertexts, we employ a hybrid argument that isolates each ciphertext in turn in a portion of the basis. Since keys and ciphertexts are constructed and treated symmetrically in our scheme, we can apply the same hybrid argument over keys to prove function hiding, just reversing the roles of \(\mathbb {B}\) and \(\mathbb {B}^*\).
Notice that a normal ciphertext for a vector \(\vec {x}\) contains two parallel copies of \(\vec {x}\) in the exponent of \(C_1\): one attached to \(\vec {b}^*_i\)’s and one attached to \(\vec {b}^*_{n+i}\)’s for \(i = 1, ..., n\). We will refer to this as a type\((\vec {x}, \vec {x})\) ciphertext. We will use this notation to define a type\((\vec {0}, \vec {x})\) ciphertext  one which is normally formed but has no \(\vec {b}^*_i\) components for \(i = 1, ..., n\) and no \(\vec {d}^{*}_1\) component in \(C_2\). We will also use the same terminology to refer to keys (i.e.: type\((\vec {y}, \vec {y})\) / type\((\vec {0}, \vec {y})\) / type\((\vec {y}, \vec {0})\) keys).
Letting \(Q_1\) denote the total number of ciphertext queries the attacker makes, we define 7 games for each \(j = 0, ..., Q_1\):
\({Game_{j, Z}^{1}}\) In Game\(_{j,Z}^{1}\) all ciphertexts before the jth ciphertext are of type\((\vec {0}, \vec {x}_i^{1})\), the jth ciphertext is of type\((\vec {0}, \vec {x}_i^{0})\), all ciphertexts after the jth ciphertext are also type\((\vec {0}, \vec {x}_i^{0})\) ciphertexts, and all keys are of type\((\vec {y}_i^{0}, \vec {y}_i^{0})\).
\({Game_{j, Z}^{2}}\) Game\(_{j,Z}^{2}\) is the same as Game\(_{j,Z}^{1}\) except that the jth ciphertext is now of type\((\vec {x}_j^{0}, \vec {x}_j^{0})\).
\({Game_{j, Z}^{3}}\) Game\(_{j,Z}^{3}\) is the same as Game\(_{j,Z}^{2}\) except that the jth ciphertext is now of type\((\vec {x}_j^{0}, \vec {x}_j^{1})\).
\({Game_{j, Z}^{4}}\) Game\(_{j,Z}^{4}\) is the same as Game\(_{j,Z}^{3}\) except that all ciphertexts before the jth ciphertext are now of type\((\vec {x}_i^{1}, \vec {x}_i^{1})\) and all ciphertexts after the jth ciphertext are now type\((\vec {x}_i^{0}, \vec {x}_i^{0})\) ciphertexts.
\({Game_{j, Z}^{5}}\) Game\(_{j,Z}^{5}\) is the same as Game\(_{j,Z}^{4}\) except that all ciphertexts before the jth ciphertext are now of type\((\vec {x}_i^{1}, \vec {0})\) and all ciphertexts after the jth ciphertext are now type\((\vec {x}_i^{0}, \vec {0})\) ciphertexts.
\({Game_{j, Z}^{6}}\) Game\(_{j,Z}^{6}\) is the same as Game\(_{j,Z}^{5}\) except that the jth ciphertext is now of type\((\vec {x}_j^{1}, \vec {x}_j^{1})\).
\({Game_{j, Z}^{7}}\) Game\(_{j,Z}^{7}\) is the same as Game\(_{j,Z}^{6}\) except that all ciphertexts before the jth ciphertext are now of type\((\vec {x}_i^{1}, \vec {x}_i^{1})\) and all ciphertexts after the jth ciphertext are now type\((\vec {x}_i^{0}, \vec {x}_i^{0})\) ciphertexts.
Letting \(Q_2\) denote the total number of key requests the attacker makes, we define 7 additional games for each \(j = 0, ..., Q_2\):
\({Game_{O, j}^{1}}\) In Game\(_{O, j}^{1}\) all keys before the jth key are of type\((\vec {0}, \vec {y}_i^{1})\), the jth key is of type\((\vec {0}, \vec {y}_i^{0})\), all keys after the jth key are also type\((\vec {0}, \vec {y}_i^{0})\) keys, and all ciphertexts are of type\((\vec {x}_i^{1}, \vec {x}_i^{1})\).
\({Game_{O, j}^{2}}\) Game\(_{O, j}^{2}\) is the same as Game\(_{O, j}^{1}\) except that the jth key is now of type\((\vec {y}_j^{0}, \vec {y}_j^{0})\).
\({Game_{O, j}^{3}}\) Game\(_{O, j}^{3}\) is the same as Game\(_{O, j}^{2}\) except that the jth key is now of type\((\vec {y}_j^{0}, \vec {y}_j^{1})\).
\({Game_{O, j}^{4}}\) Game\(_{O, j}^{4}\) is the same as Game\(_{O, j}^{3}\) except that all keys before the jth key are now of type\((\vec {y}_i^{1}, \vec {y}_i^{1})\) and all keys after the jth key are now type\((\vec {y}_i^{0}, \vec {y}_i^{0})\) keys.
\({Game_{O, j}^{5}}\) Game\(_{O, j}^{5}\) is the same as Game\(_{O, j}^{4}\) except that all keys before the jth key are now of type\((\vec {y}_i^{1}, \vec {0})\) and all keys after the jth key are now type\((\vec {y}_i^{0}, \vec {0})\) keys.
\({Game_{O, j}^{6}}\) Game\(_{O, j}^{6}\) is the same as Game\(_{O, j}^{5}\) except that the jth key is now of type\((\vec {y}_j^{1}, \vec {y}_j^{1})\).
\({Game_{O, j}^{7}}\) Game\(_{O, j}^{7}\) is the same as Game\(_{O, j}^{6}\) except that all keys before the jth key are now of type\((\vec {y}_i^{1}, \vec {y}_i^{1})\) and all keys after the jth key are now type\((\vec {y}_i^{0}, \vec {y}_i^{0})\) keys.
Note that Game\(_{0,Z}^{7}\) is the real security game played with \(b = 0\) and Game\(_{O,Q_2}^{7}\) is the real security game played with \(b = 1\). Note also that Game\(_{Q_1,Z}^{7}\) and Game\(_{O,0}^{7}\) are identical.
We will use a hybrid argument to transition between the two to show that no polynomial attacker can achieve nonnegligible advantage in the security game (distinguishing between \(b = 0\) and \(b = 1\).). Our hybrid works in two parts, first transitioning all ciphertexts from type\((\vec {x}_i^{0}, \vec {x}_i^{0})\) to type\((\vec {x}_i^{1}, \vec {x}_i^{1})\) (using the Game\(_{j,Z}^{i}\)’s), then transitioning all keys from type\((\vec {y}_i^{0}, \vec {y}_i^{0})\) to type\((\vec {y}_i^{1}, \vec {y}_i^{1})\) (using the Game\(_{O,j}^{i}\)’s).
First we will transition from Game\(_{0,Z}^{7}\) (the real security game played with \(b = 0\)) to Game\(_{1,Z}^{1}\). We then transition from Game\(_{1,Z}^{1}\) to Game\(_{1,Z}^{2}\), to Game\(_{1,Z}^{3}\), ...., to Game\(_{1,Z}^{7}\), to Game\(_{2,Z}^{1}\) etc. until reaching Game\(_{Q_1, Z}^{7}\), where all ciphertexts are of type \((\vec {x}_i^{1}, \vec {x}_i^{1})\) (but all keys are still of type \((\vec {y}_i^{0}, \vec {y}_i^{0})\)). Recall that Game\(_{Q_1, Z}^{7}\) is identical to Game\(_{O, 0}^{7}\). We will then transition from Game\(_{Q_1, Z}^{7} =\) Game\(_{O, 0}^{7}\) to Game\(_{O,1}^{1}\), to Game\(_{O, 1}^{2}\), ...., to Game\(_{O,1}^{7}\), to Game\(_{O,2}^{1}\), etc. until reaching Game\(_{O, Q_2}^{7}\), where all keys are of type \((\vec {y}_i^{1}, \vec {y}_i^{1})\) (and all ciphertexts are of type \((\vec {x}_i^{1}, \vec {x}_i^{1})\)). This is identical to the real security game played with \(b = 1\).
We begin the first transition in a hybrid over the \(Q_1\) ciphertexts. Recall that the real security game played with \(b = 0\) is identical to Game\(_{0, Z}^{7}\), so in particular, the following lemma allows us to make the first transition from Game\(_{0, Z}^{7}\) to Game\(_{1, Z}^{1}\) .
Lemma 1
No polynomialtime attacker can achieve a nonnegligible difference in advantage between Game\(_{(j1), Z}^{7}\) and Game\(_{j, Z}^{1}\) for \(j = 1, ..., Q_1\) under the SXDH assumption.
Proof
Given an attacker that achieves nonnegligible difference in advantage between Game\(_{(j1), Z}^{7}\) and Game\(_{j, Z}^{1}\) for some \(j \in [1, Q_1]\), we could achieve nonnegligible advantage in deciding the SXDH problem as follows:
When \(r \leftarrow \mathbb {Z}_p\), all ciphertexts before the jth ciphertext are properly distributed type\(( \vec {x}^{1}_i, \vec {x}^{1}_i)\) ciphertexts and the remaining ciphertexts are properly distributed type\(( \vec {x}^{0}_i, \vec {x}^{0}_i)\) ciphertexts where \(\alpha _i = \alpha '_i r\) and \(\tilde{\alpha }_i = \tilde{\alpha }'_i + \alpha '_i b\). This is as would be expected in Game\(_{(j1),Z}^{7}\).
When \(r = 0\), all ciphertexts before the jth ciphertext are properly distributed type\(( \vec {0}, \vec {x}^{1}_i)\) ciphertexts and the remaining ciphertexts are properly distributed type\(( \vec {0}, \vec {x}^{0}_i)\) ciphertexts where \(\tilde{\alpha }_i = \tilde{\alpha }'_i + \alpha '_i b\). This is as would be expected in Game\(_{j,Z}^{1}\).
Our simulation is therefore identical to either Game\(_{(j1), Z}^{7}\) or Game\(_{j, Z}^{1}\) depending on the SXDH challenge \(T = g_1^{ab + r}\) having \(r \leftarrow \mathbb {Z}_p\) or \(r = 0\) respectively. Therefore, by playing the security game in this manner with the supposed attacker and using the attacker’s output as an answer to the SXDH challenge, we will enjoy the same nonnegligible advantage as the supposed attacker in deciding the SXDH problem.
By the SXDH assumption, this is not possible, so no such adversary can exist.
Lemma 2
No polynomialtime attacker can achieve a nonnegligible difference in advantage between Game\(_{j, Z}^{1}\) and Game\(_{j, Z}^{2}\) for \(j = 1, ..., Q_1\) under the SXDH assumption.
Proof
Given an attacker that achieves nonnegligible difference in advantage between Game\(_{j, Z}^{1}\) and Game\(_{j, Z}^{2}\) for some \(j \in [1, Q_1]\), we could achieve nonnegligible advantage in deciding the SXDH problem as follows:
When \(r \leftarrow \mathbb {Z}_p\), this is a properly distributed type\(( \vec {x}^{0}_j, \vec {x}^{0}_j)\) ciphertext where \(\alpha _j = r\) and \(\tilde{\alpha }_j = b\) (as would be expected in Game\(_{j, Z}^{2}\)).
Our simulation is therefore identical to either Game\(_{j, Z}^{1}\) or Game\(_{j, Z}^{2}\) depending on the SXDH challenge \(T = g_1^{ab + r}\) having \(r = 0\) or \(r \leftarrow \mathbb {Z}_p\) respectively. Therefore, by playing the security game in this manner with the supposed attacker and using the attacker’s output as an answer to the SXDH challenge, we will enjoy the same nonnegligible advantage as the supposed attacker in deciding the SXDH problem.
By the SXDH assumption, this is not possible, so no such adversary can exist.
Lemma 3
No attacker can achieve a nonnegligible difference in advantage between Game\(_{j, Z}^{2}\) and Game\(_{j, Z}^{3}\) for \(j = 1, ..., Q_1\).
Proof
This lemma is unconditionally true because both games are informationtheoretically identical.
(\(\vec {x}_j^{0} , \vec {x}_j^{1} \) are vectors requested in the game where we require \(\langle \vec {y}^{0}, \vec {x}_j^{0} \rangle = \langle \vec {y}^{0}, \vec {x}_j^{1} \rangle \implies \langle \vec {y}^{0}, \vec {x}_j^{0}  \vec {x}_j^{1} \rangle = 0\)). This is a type\((\vec {y}^{0}, \vec {y}^{0})\) key in the \((\mathbb {B}, \mathbb {B}^{*})\) basis (as expected in both Game\(_{j, Z}^{2}\) and Game\(_{j, Z}^{3}\)).
Lemma 4
No polynomialtime attacker can achieve a nonnegligible difference in advantage between Game\(_{j, Z}^{3}\) and Game\(_{j, Z}^{4}\) for \(j = 1, ..., Q_1\) under the SXDH assumption.
Proof
Given an attacker that achieves nonnegligible difference in advantage between Game\(_{j, Z}^{3}\) and Game\(_{j, Z}^{4}\) for some \(j \in [1, Q_1]\), we could achieve nonnegligible advantage in deciding the SXDH problem as follows:
When \(r = 0\), all ciphertexts before the jth ciphertext are properly distributed type\(( \vec {0}, \vec {x}^{1}_i)\) ciphertexts and all ciphertexts after the jth are properly distributed type\(( \vec {0}, \vec {x}^{0}_i)\) ciphertexts where \(\tilde{\alpha }_i = \tilde{\alpha }'_i + \alpha '_i b\). This is as would be expected in Game\(_{j, Z}^{3}\).
When \(r \leftarrow \mathbb {Z}_p\), all ciphertexts before the jth are properly distributed type\(( \vec {x}^{1}_i, \vec {x}^{1}_i)\) ciphertexts and all ciphertexts after the jth are properly distributed type\(( \vec {x}^{0}_i, \vec {x}^{0}_i)\) ciphertexts where \(\alpha _i = \alpha '_i r\) and \(\tilde{\alpha }_i = \tilde{\alpha }'_i + \alpha '_i b\). This is as would be expected in Game\(_{j, Z}^{4}\).
Our simulation is therefore identical to either Game\(_{j, Z}^{3}\) or Game\(_{j, Z}^{4}\) depending on the SXDH challenge \(T = g_1^{ab + r}\) having \(r = 0\) or \(r \leftarrow \mathbb {Z}_p\) respectively. Therefore, by playing the security game in this manner with the supposed attacker and using the attacker’s output as an answer to the SXDH challenge, we will enjoy the same nonnegligible advantage as the supposed attacker in deciding the SXDH problem.
By the SXDH assumption, this is not possible, so no such adversary can exist.
Lemma 5
No polynomialtime attacker can achieve a nonnegligible difference in advantage between Game\(_{j, Z}^{4}\) and Game\(_{j, Z}^{5}\) for \(j = 1, ..., Q_1\) under the SXDH assumption.
Proof
The proof of this lemma is symmetric to that of the previous Lemma 4, just flipping the role of the two parallel bases.
Lemma 4 showed how to create keys of type\((\vec {y}^{0}, \vec {y}^{0})\) and a type\((\vec {x}_j^{0}, \vec {x}_j^{1})\) ciphertext while having the ciphertexts before and after the jth be type\((\vec {0}, \vec {x}^{1}_i)\) and type\((\vec {0}, \vec {x}^{0}_i)\) or type\((\vec {x}^{1}_i, \vec {x}^{1}_i)\) and type\((\vec {x}^{0}_i, \vec {x}^{0}_i)\) respectively based on the challenge elements of the SXDH problem. By symmetrically applying the same embedding to the opposite halves of the parallel bases, we can achieve the same result, but with the ciphertexts before and after the jth being type\((\vec {x}^{1}_i, \vec {x}^{1}_i)\) and type\((\vec {x}^{0}_i, \vec {x}^{0}_i)\) or type\((\vec {x}^{1}_i, \vec {0})\) and type\((\vec {x}^{0}_i, \vec {0})\) respectively based on the challenge elements of the SXDH problem, which is what we need for this transition.
Lemma 6
No attacker can achieve a nonnegligible difference in advantage between Game\(_{j, Z}^{5}\) and Game\(_{j, Z}^{6}\) for \(j = 1, ..., Q_1\).
Proof
The proof of this lemma is informationtheoretic and similarly symmetric to that of Lemma 3, just flipping the role of the two parallel bases (just like the previous lemma did with Lemma 4).
Lemma 7
No polynomialtime attacker can achieve a nonnegligible difference in advantage between Game\(_{j, Z}^{6}\) and Game\(_{j, Z}^{7}\) for \(j = 1, ..., Q_1\) under the SXDH assumption.
Proof
The proof of this lemma is nearly identical to that of Lemma 5 (which transitioned ciphertexts before the jth between type\((\vec {x}_i^{1}, \vec {0})\) and type\((\vec {x}_i^{1}, \vec {x}_i^{1})\) and ciphertexts after the jth between type\((\vec {x}_i^{0}, \vec {0})\) and type\((\vec {x}_i^{0}, \vec {x}_i^{0})\)) but instead constructing the jth ciphertext as type\((\vec {x}_i^{1}, \vec {x}_i^{1})\) instead of type\((\vec {x}_i^{0}, \vec {x}_i^{1})\).
The previous lemmas let us transition to Game\(_{Q_1, Z}^{7}\), where all ciphertexts are of type\((\vec {x}_i^{1}, \vec {x}_i^{1})\) and all keys are type\((\vec {y}_i^{0}, \vec {y}_i^{0})\) keys. Notice that Game\(_{Q_1, Z}^{7}\) is identical to Game\(_{O, 0}^{7}\). It is easy to see that we can now use a symmetric set of hybrids to transition all keys to type\((\vec {y}_i^{1}, \vec {y}_i^{1})\) in a similar manner: starting by transitioning from Game\(_{Q_1, Z}^{7}=\) Game\(_{O, 0}^{7}\) to Game\(_{O,1}^{1}\), then proceeding through the Game\(_{O,j}^{i}\) using the same methods as in the Game\(_{j, Z}^{i}\), just switching the roles of the basis vectors (switching all \(\vec {b}^{*}\) with \(\vec {b}\), \(\vec {d}^{*}\) with \(\vec {d}\), \(\alpha \) with \(\beta \), \(\tilde{\alpha }\) with \(\tilde{\beta }\), and \(\vec {x}_i\) with \(\vec {y}_i\), while always producing type \((\vec {x}_i^{1}, \vec {x}_i^{1})\) ciphertexts (instead of always producing type \((\vec {y}_i^{0}, \vec {y}_i^{0})\) keys).
These symmetric arguments let us transition to Game\(_{O, Q_2}^{7}\), where all ciphertexts are of type\((\vec {x}^{1}, \vec {x}^{1})\) and all keys are type\(( \vec {y}_i^{1}, \vec {y}_i^{1})\) keys. This is identical to the original security game when \(b = 1\). So, by a hybrid argument, we have shown that no polynomialtime attacker gan achieve nonnegligible difference in advantage in the security game when \(b = 0\) (Game\(_{0, Z}^{7}\)) vs when \(b = 1\) (Game\(_{O, Q_2}^{7}\)) under the SXDH assumption, so our construction is therefore secure.
Footnotes
References
 1.Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 733–751. Springer, Heidelberg (2015) Google Scholar
 2.Agrawal, S., Agrawal, S., Badrinarayanan, S., Kumarasubramanian, A., Prabhakaran, M., Sahai, A.: On the practical security of inner product functional encryption. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 777–798. Springer, Heidelberg (2015) Google Scholar
 3.Agrawal, S., Freeman, D.M., Vaikuntanathan, V.: Functional encryption for inner product predicates from learning with errors. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 21–40. Springer, Heidelberg (2011) CrossRefGoogle Scholar
 4.Ananth, P., Brakerski, Z., Segev, G., Vaikuntanathan, V.: From selective to adaptive security in functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 657–677. Springer, Heidelberg (2015) CrossRefGoogle Scholar
 5.Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001) CrossRefGoogle Scholar
 6.Boneh, D., Raghunathan, A., Segev, G.: Functionprivate identitybased encryption: hiding the function in functional encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 461–478. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 7.Boneh, D., Raghunathan, A., Segev, G.: Functionprivate subspacemembership encryption and its applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 255–275. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 8.Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011) CrossRefGoogle Scholar
 9.Brakerski, Z., Segev, G.: Functionprivate functional encryption in the privatekey setting. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 306–324. Springer, Heidelberg (2015) CrossRefGoogle Scholar
 10.De Caro, A., Iovino, V., Jain, A., O’Neill, A., Paneth, O., Persiano, G.: On the achievability of simulationbased security for functional encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 519–535. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 11.Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49 (2013)Google Scholar
 12.Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Fully secure functional encryption without obfuscation. Cryptology ePrint Archive, report 2014/666 (2014). http://eprint.iacr.org/
 13.Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, p. 169–178 (2009)Google Scholar
 14.Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: How to run turing machines on encrypted data. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 536–553. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 15.Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multiparty computation. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 16.Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute based encryption for finegrained access control of encrypted data. In: ACM conference on Computer and Communications Security, pp. 89–98 (2006)Google Scholar
 17.Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008) CrossRefGoogle Scholar
 18.Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attributebased encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010) CrossRefGoogle Scholar
 19.Okamoto, T., Takashima, K.: Homomorphic encryption and signatures from vector decomposition. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 57–74. Springer, Heidelberg (2008) CrossRefGoogle Scholar
 20.Okamoto, T., Takashima, K.: Hierarchical predicate encryption for innerproducts. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 214–231. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 21.Okamoto, T., Takashima, K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 191–208. Springer, Heidelberg (2010) CrossRefGoogle Scholar
 22.Okamoto, T., Takashima, K.: Fully secure unbounded innerproduct and attributebased encryption. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 349–366. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 23.O’Neill, A.: Definitional issues in functional encryption. IACR Cryptology ePrint Archive (2010)Google Scholar
 24.Sahai, A., Seyalioglu, H.: Worryfree encryption: functional encryption with public keys. In CCS, pp. 463–472 (2010)Google Scholar
 25.Sahai, A., Waters, B.: Fuzzy identitybased encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005) CrossRefGoogle Scholar
 26.Shen, E., Shi, E., Waters, B.: Predicate privacy in encryption systems. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 457–473. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 27.Waters, B.: A punctured programming approach to adaptively secure functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 678–697. Springer, Heidelberg (2015) CrossRefGoogle Scholar