
From Quadratic Functions to Polynomials: Generic Functional Encryption from Standard Assumptions

  • Conference paper
Codes, Cryptology and Information Security (C2SI 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11445)

Abstract

The “all-or-nothing” notion of traditional public-key encryption is insufficient for many emerging applications in which users are only allowed to obtain a function value of the encrypted message without learning anything else about it. Functional encryption (FE) was proposed to address this issue. However, existing functional encryption schemes for generic circuits either support only bounded collusions or rely on assumptions that are not well studied. Recently, Abdalla et al. started a new line of work that focuses on specific functions and well-known standard assumptions, and several efficient schemes were proposed for inner-product and quadratic functions. Many problems in this direction remain open, in particular whether a generic FE scheme can be constructed for quadratic functions and even higher-degree polynomials. In this paper, we provide affirmative answers to these questions. First, we show an IND-secure generic functional encryption scheme against adaptive adversaries for quadratic functions from standard assumptions. Second, we show how to build a functional encryption scheme for cubic functions (the first in the literature in the public-key setting) from a functional encryption scheme for quadratic functions. Finally, we give a generalized method that transforms an IND-secure functional encryption scheme for degree-m polynomials into an IND-secure functional encryption scheme for degree-\((m+1)\) polynomials.

Notes

  1. Some classify FE schemes into public index schemes and private index schemes based on the definition of predicate encryption, in which the message x consists of two parts \((\mathcal {I},\) m), where \(\mathcal {I}\) is an index (e.g. a set of attributes) and m is the actual message. If \(\mathcal {I}\) is publicly revealed by the ciphertext and only m is hidden, the corresponding scheme is referred to as a public index FE scheme, commonly known as attribute-based encryption. The scheme is called a private index scheme if both \(\mathcal {I}\) and m are hidden.

  2. Very recently (in June 2018), [16] gave a polynomial functional encryption scheme with linear ciphertext size. Their scheme is in the private-key setting, while our scheme is in the public-key setting.

  3. Note that [6] uses a slightly more general representation with two vectors: \(f(\varvec{x}, \varvec{y}) = \varvec{x}^TF\varvec{y}\).

  4. A more detailed analysis is needed to see how practical this requirement is, although the requirement and our construction method represent a step towards constructing secure FE schemes for polynomials.

References

  1. Abdalla, M., et al.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 205–222. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_13

  2. Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 733–751. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_33

  3. Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Better security for functional encryption for inner product evaluations. IACR Cryptology ePrint Archive, Report 2016/11 (2016)

  4. Agrawal, S., Libert, B., Stehlé, D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 333–362. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_12

  5. Apon, D., Döttling, N., Garg, S., Mukherjee, P.: Cryptanalysis of indistinguishability obfuscations of circuits over GGH13. In: LIPIcs-Leibniz International Proceedings in Informatics, vol. 80. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2017)

  6. Baltico, C.E.Z., Catalano, D., Fiore, D., Gay, R.: Practical functional encryption for quadratic functions with applications to predicate encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 67–98. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_3

  7. Bitansky, N., Lin, H., Paneth, O.: On removing graded encodings from functional encryption. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 3–29. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_1

  8. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14

  9. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13

  10. Boneh, D., Raghunathan, A., Segev, G.: Function-private identity-based encryption: hiding the function in functional encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 461–478. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_26

  11. Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_16

  12. Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_29

  13. Boyle, E., Chung, K.-M., Pass, R.: On extractability obfuscation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 52–73. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_3

  14. Chen, Y., Gentry, C., Halevi, S.: Cryptanalyses of candidate branching program obfuscators. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 278–307. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_10

  15. Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_1

  16. Cheon, J.H., Hong, S., Lee, C., Son, Y.: Polynomial functional encryption scheme with linear ciphertext size. IACR Cryptology ePrint Archive, Report 2018/585 (2018)

  17. Coron, J.-S., Lee, M.S., Lepoint, T., Tibouchi, M.: Cryptanalysis of GGH15 multilinear maps. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 607–628. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_21

  18. Datta, P., Dutta, R., Mukhopadhyay, S.: Functional encryption for inner product with full function privacy. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 164–195. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_7

  19. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM J. Comput. 45(3), 882–929 (2016)

  20. Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Fully secure attribute based encryption from multilinear maps. Cryptology ePrint Archive, Report 2014/622 (2014)

  21. Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: Symposium on Theory of Computing Conference, STOC 2013, Palo Alto, California, USA, 1–4 June 2013, pp. 555–564. ACM (2013)

  22. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_11

  23. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_9

  24. Kim, S., Lewi, K., Mandal, A., Montgomery, H.W., Roy, A., Wu, D.J.: Function-hiding inner product encryption is practical. Cryptology ePrint Archive, Report 2016/440

  25. Lin, H., Vaikuntanathan, V.: Indistinguishability obfuscation from DDH-like assumptions on constant-degree graded encodings. In: Proceedings of the IEEE 57th Annual Symposium on Foundations of Computer Science, FOCS 2016, Brunswick, New Jersey, USA, 9–11 October 2016, pp. 11–20. IEEE (2016)

  26. O’Neill, A.: Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010)

  27. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27

  28. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_5

  29. Shen, E., Shi, E., Waters, B.: Predicate privacy in encryption systems. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 457–473. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_27

  30. Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 53–70. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_4

  31. Waters, B.: A punctured programming approach to adaptively secure functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 678–697. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_33


Acknowledgement

This project is partially supported by the Collaborative Research Fund (CRF) of RGC of Hong Kong (Project No. CityU C1008-16G).

Author information

Correspondence to Siu-Ming Yiu.

Appendices

Supporting Material

A Requirements of PKE

Our framework constructs a functional encryption scheme for quadratic functions \(QFE=(Setup,KeyGen,Encrypt,Decrypt)\) from a public-key encryption scheme \(\varepsilon =(Setup,Encrypt,Decrypt)\). To prove the correctness and security of the new scheme, we need the structural and homomorphic properties of \(\varepsilon \) defined below.

Structure. \(\varepsilon \)’s secret keys and public keys are elements of a group G (with generator \(g_1\)), and the message space is \(M_x \subset Z\). We require ciphertexts to consist of two parts \(c_0=C(g_1,r)\) and \(ct_1=E(pk,x,r)\), where \(pk(g_1,sk)\) is the public key in G corresponding to the secret key sk. The first part \(c_0\) is a commitment \(C(g_1,r)\) to the randomness r used for the encryption; the second part \(ct_1\) is the encryption of x under randomness r. Computing a from E(pk(g, 0), ar) can be reduced to some hard problems.

For convenience, we also split the Setup algorithm into the following two algorithms, one to sample secret keys and one to sample the corresponding public keys:

\(SKGen(1^{\lambda })\) takes as input the security parameter and samples a secret key sk from the secret key space according to the same distribution induced by Setup.

\(PKGen(sk,\tau )\) takes as input a secret key sk and parameters \(\tau \), and generates a public key pk corresponding to sk according to the distribution induced by \(\tau \). We will omit \(\tau \) when it is clear from the context.

Linear Key Homomorphism. We say that a PKE has linear key homomorphism if for any two secret keys \(sk_1,sk_2 \in G\) and any \(y_1,y_2 \in Z_p\), the linear combination \(y_1 sk_1 + y_2 sk_2\) can be computed efficiently using only the public parameters, the secret keys and the coefficients, and this combination \(y_1sk_1+y_2sk_2\) also functions as a secret key for the public key \(pk_1^{y_1}\cdot pk_2^{y_2}\), where \(pk_1\) (resp. \(pk_2\)) is a public key corresponding to \(sk_1\) (resp. \(sk_2\)).

Linear Ciphertext Homomorphism Under Shared Randomness. We say that a PKE has linear ciphertext homomorphism under shared randomness if it holds that \(E(pk_1,x,r) \cdot E(pk_2,y,r)=E(pk_1pk_2,x+y,r)\) and \(E(pk(g^q,sk),x,r)= E(pk(g,sk),x,r)^q=E(pk(g,qsk),qx,r)\).

Computation Properties in Bilinear Map. Assume that \(e(g_1^a,g_1^b)=g_T^{ab}\) is a bilinear map \(G \times G \rightarrow G_T\), where \(g_T\) is a generator of \(G_T\) and \(e(g_1,g_1)=g_T\). We require that

$$\begin{aligned} \begin{aligned}&e(E(pk_{(g_1,sk_1)},x,a),E(pk_{(g_1,sk_2)},y,b)) \\&=E(pk_{(g_T,sk_1sk_2)},xy,ab)E(pk_{(g_T,sk_1)},0,a)^{y}E(pk_{(g_T,sk_2)},0,b)^{x} \end{aligned} \end{aligned}$$
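The two homomorphism requirements and the bilinear-map requirement above can be checked concretely on a toy instantiation. The following Python is an added example, not code from the paper: it instantiates \(\varepsilon \) as an ElGamal-style scheme with the message in the exponent (pk(g, sk) = g^sk, C(g, r) = g^r, E(pk, x, r) = pk^r · g^x) over a small prime-order subgroup with constructed parameters P, Q and G1, and verifies linear key homomorphism, both halves of linear ciphertext homomorphism under shared randomness, and the pairing identity. Since plain Python has no bilinear map, the pairing identity is checked on discrete logarithms modulo Q (E(pk(g, sk), x, r) has logarithm sk·r + x, and e multiplies logarithms); all function names are the example's own and the \(\tau \) parameters of the paper are not needed for this instantiation.

```python
# Added example (not from the paper): a toy ElGamal-style PKE with the
# message in the exponent, over the order-Q subgroup of Z_P^*, used to
# check the structural properties required of epsilon in Appendix A.
# P, Q and G1 are constructed values chosen for illustration.
import secrets

P = 2039   # prime with P = 2*Q + 1
Q = 1019   # prime order of the subgroup generated by G1
G1 = 4     # 2^2 mod P, so it lies in (and generates) the order-Q subgroup
assert pow(G1, Q, P) == 1 and G1 != 1


def skgen():
    """SKGen: a secret key uniform in Z_Q, the exponent space."""
    return secrets.randbelow(Q)


def pkgen(g, sk):
    """PKGen(g, sk): the public key pk(g, sk) = g^sk, kept together with its base g."""
    return (g % P, pow(g, sk, P))


def commit(g, r):
    """C(g, r) = g^r: first ciphertext part, a commitment to the randomness r."""
    return pow(g, r, P)


def enc(pk, x, r):
    """E(pk, x, r) = pk^r * g^x: second ciphertext part, x encoded in the exponent."""
    g, h = pk
    return (pow(h, r, P) * pow(g, x, P)) % P


def decrypt(sk, c0, c1, g=G1):
    """Recover x from (C(g, r), E(pk(g, sk), x, r)) by a bounded discrete-log search.
    Toy only: the real scheme restricts the message space so this is feasible."""
    gx = (c1 * pow(c0, (Q - sk) % Q, P)) % P   # c1 / c0^sk = g^x
    for x in range(Q):
        if pow(g, x, P) == gx:
            return x
    raise ValueError("message not in the searchable range")


def pk_mul(pk1, pk2):
    """Group product of two public keys with the same base."""
    assert pk1[0] == pk2[0]
    return (pk1[0], (pk1[1] * pk2[1]) % P)


def pk_pow(pk, y):
    """pk^y, again keeping the base."""
    return (pk[0], pow(pk[1], y, P))


def linear_key_homomorphism_holds(sk1, sk2, y1, y2):
    """y1*sk1 + y2*sk2 is the secret key for pk1^y1 * pk2^y2 (linear key homomorphism)."""
    pk1, pk2 = pkgen(G1, sk1), pkgen(G1, sk2)
    combined_sk = (y1 * sk1 + y2 * sk2) % Q
    return pkgen(G1, combined_sk) == pk_mul(pk_pow(pk1, y1), pk_pow(pk2, y2))


def ciphertext_homomorphism_holds(sk1, sk2, x, y, r, q):
    """Both parts of linear ciphertext homomorphism under shared randomness r."""
    pk1, pk2 = pkgen(G1, sk1), pkgen(G1, sk2)
    additive = (enc(pk1, x, r) * enc(pk2, y, r)) % P == enc(pk_mul(pk1, pk2), x + y, r)
    gq = pow(G1, q, P)   # the generator g^q of the same subgroup
    scaled = (enc(pkgen(gq, sk1), x, r) == pow(enc(pk1, x, r), q, P)
              == enc(pkgen(G1, (q * sk1) % Q), (q * x) % Q, r))
    return additive and scaled


def pairing_identity_holds(sk1, sk2, x, y, a, b):
    """The bilinear-map requirement, checked on discrete logs mod Q because this
    toy has no pairing: log E(pk(g, sk), x, r) = sk*r + x and log e(u, v) = log u * log v."""
    lhs = ((sk1 * a + x) * (sk2 * b + y)) % Q
    rhs = (sk1 * sk2 * a * b + x * y + (sk1 * a) * y + (sk2 * b) * x) % Q
    return lhs == rhs


if __name__ == "__main__":
    sk, r, x = skgen(), secrets.randbelow(Q), 37
    pk = pkgen(G1, sk)
    assert decrypt(sk, commit(G1, r), enc(pk, x, r)) == x
    print("key homomorphism :", linear_key_homomorphism_holds(5, 11, 3, 7))
    print("ct homomorphism  :", ciphertext_homomorphism_holds(5, 11, 3, 7, 29, 13))
    print("pairing identity :", pairing_identity_holds(5, 11, 3, 7, 29, 13))
```

The check in `ciphertext_homomorphism_holds` covers the identity \(E(pk(g^q,sk),x,r)= E(pk(g,sk),x,r)^q=E(pk(g,qsk),qx,r)\) as well as the additive one, and `linear_key_homomorphism_holds` is exactly the relation H2.Setup relies on when it forms \(PK_i=PK^{t_i} \cdot PK_{s_i}\) for the key \(sk_i=s_i+t_isk\).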

For security, we define two properties via security games; see [3] for details.

l-Public-Key-Reproducibility. For a public-key encryption scheme \(\varepsilon \), we define l-public-key-reproducibility via the following security game:

[Figure a: the l-public-key-reproducibility experiments \(Exp^{l-pk-rep-0}\) and \(Exp^{l-pk-rep-1}\)]

where \(\mathcal {D}\) samples tuples of the form \((sk,(\alpha _i,sk_i)_{i \in [l]})\) in which sk and the \(sk_i\)’s are sampled from SKGen, and the \(\alpha _i\)’s are in \(\mathcal {T}\).

Then, we say that \(\varepsilon \) has \(l{-}public{-}key{-}reproducibility\) if there exist \(\tau ,\tau ',(\tau _i)_{i \in [l]}\) such that

$$|Pr[Exp_{\varepsilon ,\lambda }^{l-pk-rep-0}(\mathcal {A})=1]-Pr[Exp_{\varepsilon ,\lambda }^{l-pk-rep-1}(\mathcal {A})=1]|=negl(\lambda )$$

l-Ciphertext-Reproducibility. For a public-key encryption scheme \(\varepsilon \), we define l-ciphertext-reproducibility via the following security game:

[Figure b: the l-ciphertext-reproducibility experiments \(Exp^{l-ct-rep-0}\) and \(Exp^{l-ct-rep-1}\)]

where (1) \(\mathcal {D}\) samples tuples of the form \((a,(\alpha _i,x_i,sk_i)_{i \in [l]})\), in which the \(sk_i\)’s are sampled from SKGen, the \(\alpha _i\)’s are in \(\mathcal {T}\), and a and the \(x_i\)’s are in \(\mathcal {M}_x\); and (2) \(E'\) is an algorithm that takes as input a secret key in H, a message in \(Z_p\), a first-part ciphertext C(r) for some r in the randomness space, and the parameters needed to generate public keys, and outputs a second-part ciphertext.

Then, we say that \(\varepsilon \) has \(l{-}ciphertext{-}reproducibility\) if there exist \(\tau '\), \(\tau _i\)’s and an algorithm \(E'\) such that

$$|Pr[Exp_{\varepsilon ,\lambda }^{l-ct-rep-0}(\mathcal {A})=1]-Pr[Exp_{\varepsilon ,\lambda }^{l-ct-rep-1}(\mathcal {A})=1]|=negl(\lambda )$$

B Proofs in Our FE Scheme for Quadratic Functions

B.1 Proof of Theorem 1

Proof

We prove security via a sequence of hybrid experiments, and then show that consecutive hybrids are indistinguishable.

Hybrid H1: This is the IND-FE-CPA game:

[Figure c: Hybrid H1, the IND-FE-CPA game]

Hybrid H2: This is like H1 except that the master public key is generated by invoking the algorithm H2.Setup defined as follows:

\(H2.Setup(1^{\lambda },1^n)\): The algorithm samples \(sk \leftarrow \varepsilon .SKGen(1^{\lambda })\); for \(i \in [n]\), a PKE secret key \(s_i \leftarrow \varepsilon .Setup(1^{\lambda })\) and a uniformly random scalar \(t_i \leftarrow _R Z_p\); \(q\leftarrow _R Z_p^*\); and a bilinear map \(e(g_1,g_1)=g_T\), where \(g_1,g_T\) are generators of \(G_1,G_T\). Similarly, \(e_2(g_2,g_2)=g_T \leftarrow \mathcal {G}^{1^{\lambda }}\) is a bilinear map \(G_2 \times G_2 \rightarrow G_T\), where \(g_2,g_T\) are generators of \(G_2,G_T\). Then the algorithm sets \(PK=\varepsilon .PKGen(g_1,qsk,\tau )\), \(sk_i=s_i+t_isk\), \(g'_T=g_T^q\), \(PK_{s_i}=\varepsilon .PKGen(g_1,qs_i,\tau _i)\) and \(PK_i=PK^{t_i} \cdot PK_{s_i}\), where \(\tau \) is the same as used in the Setup algorithm, and \(\tau _i\) is such that \(PK^{t_i} \cdot PK_{s_i}\) is close to \(\varepsilon .PKGen(g_1,qsk_i)\).

The algorithm returns \(mpk:=(params,PK,\{PK_i\}_{i \in [n]},g_1,g_2,g_T,g'_T,e(\cdot ,\cdot ))\) and \(msk:=(\varvec{s},\varvec{t},sk,q)\). Under the \(l{-}public{-}key{-}reproducibility\) of \(\varepsilon \), H1 and H2 are indistinguishable.

Hybrid H3: This is like H2 except that the challenge ciphertext is generated by invoking the algorithm H3.Encrypt defined as follows:

\(H3.Encrypt(msk,mpk,\varvec{x})\): Choose shared randomness r and \(\varvec{a}=(a_1,...,a_n)\) in \(Z_p\), and compute

\(ct_0=\varepsilon .C(r^2,g_1),ct_1=\varepsilon .E(PK,0,r),ct_{a,i}=\varepsilon .E(pk(g_1,0),a_i,r)\)

For \(i \in [n]\), \(ct_{x,i}=ct_1^{t_i}\cdot \varepsilon .E(PK_{s_i},x_i,r),ct_{a,x,i}=\varepsilon .E(pk(g_2,1)^{x_i},a_i,r)\)

By linear ciphertext-homomorphism of \(\varepsilon \), H2 = H3.

Hybrid H4: This is like H3 except that the challenge ciphertext is generated by invoking the algorithm H4.Encrypt defined as follows:

\(H4.Encrypt(msk,mpk,Ct,\varvec{x})\): Let \(Ct=(Ct_0,Ct_1)\). Then the algorithm computes the ciphertext for \(\varvec{x}\) in the following way:

\(ct_0=\varepsilon .C(r^2,g_1),ct_{a,i}=\varepsilon .E(pk(g_1,0),a_i,r)\).

For \(i\in [n]\), \(ct_{x,i}=ct_1^{t_i}\cdot \varepsilon .E'(s_i,x_i,Ct_0,\tilde{r}),ct_{a,x,i}=\varepsilon .E(pk(g_2,1)^{x_i},a_i,r)\), where \(\varepsilon .E'\) is the alternative encryption algorithm defined in the \(l{-}ciphertext{-}reproducibility\) game, and \(\tilde{r}\) is randomness shared among all invocations of \(\varepsilon .E'\).

[Figure d: Hybrid H4]

Under the \(l{-}ciphertext{-}reproducibility\) of \(\varepsilon \), H3 and H4 are indistinguishable.

Hybrid H5: This is like H4 except that the challenge ciphertext is generated by invoking the algorithm H5.Encrypt defined as follows and Ct encrypts a random value in \(Z_p\).

\(H5.Encrypt(msk,mpk,Ct,\varvec{x})\): Let \(Ct=(Ct_0,Ct_1)\). Then the algorithm computes the ciphertext for \(\varvec{x}\) in the following way:

\(ct_0=\varepsilon .C(r^2,g_1),ct_{a,i}=\varepsilon .E(pk(g_1,0),a_i,r)\).

For \(i\in [n]\), \(ct_{x,i}=ct_1^{t_i}\cdot \varepsilon .E'(s_i,x_i,Ct_0,\tilde{r}),ct_{a,x,i}=\varepsilon .E(pk(g_2,1)^{x_i+t_i},a_i,r)\)

[Figure e: Hybrid H5]

Under the s-IND-CPA security of \(\varepsilon \), \(\varepsilon .E(PK,0)\) and \(\varepsilon .E(pk,1)\) are indistinguishable. Now, we need to show that \(\varepsilon .E(pk(g_2,1)^{x_i+t_i},a_i,r)\) and \(\varepsilon .E(pk(g_2,1)^{x_i},a_i,r)\) are indistinguishable.

If \(\exists w(t_i) \in Z_p\), s.t. \(\varepsilon .E(pk(g_2,t_i),0,r)=\varepsilon .E(pk(g_2,0),w(t_i),r)\), then

$$\begin{aligned} \begin{aligned} \varepsilon .E(pk(g_2,1)^{x_i+t_i},a_i,r)&=\varepsilon .E(pk(g_2,x_i),a_i,r)\varepsilon .E(pk(g_2,t_i),0,r)\\&=\varepsilon .E(pk(g_2,x_i),a_i,r)\varepsilon .E(pk(g_2,0),w(t_i),r)\\&=\varepsilon .E(pk(g_2,x_i),a_i+w(t_i),r) \end{aligned} \end{aligned}$$

and \(\varepsilon .E(pk(g_2,1)^{x_i},a_i,r)=\varepsilon .E(pk(g_2,x_i),a_i,r)\). We can regard \(\varepsilon .E(pk(g_2,1)^{x_i+t_i},a_i,r)\) as the encryption of a random number, so the ciphertext is a random ‘fake’ ciphertext. By the security of the PKE \(\varepsilon \) and the equivalence between IND-security and semantic security of PKE, \(\varepsilon .E(pk(g_2,1)^{x_i},a_i,r)\) should be indistinguishable from a random number. Therefore \(\varepsilon .E(pk(g_2,1)^{x_i},a_i,r)\) and \(\varepsilon .E(pk(g_2,1)^{x_i+t_i},a_i,r)\) are indistinguishable.

Otherwise, \(\forall b \in Z_p\), \(\varepsilon .E(pk(g_2,0),b,r) \ne \varepsilon .E(pk(g_2,t_i),0,r)\). If \(\exists c,d \in Z_p\) such that \(\varepsilon .E(pk(g_2,0),c,r)=\varepsilon .E(pk(g_2,0),d,r)\), then

$$\begin{aligned} \begin{aligned} c&=\varepsilon .Decrypt(sk,\varepsilon .C(g_2,r),\varepsilon .E(pk(g_2,0),c,r))\\&=\varepsilon .Decrypt(sk,\varepsilon .C(g_2,r),\varepsilon .E(pk(g_2,0),d,r))\\&=d \end{aligned} \end{aligned}$$

Since \(|G_T|=p\), we have that \(G_T=\{\varepsilon .E(pk(g_2,0),b,r)\}_{b\in Z_p}\). So

$$\{\varepsilon .E(pk(g_2,0),b,r)\}_{b\in Z_p} \cap \varepsilon .E(pk(g_2,t_i),0,r)=G_T \cap \varepsilon .E(pk(g_2,t_i),0,r) \ne \emptyset $$

By contradiction, \(\forall t_i \in Z_p, \exists b \in Z_p\), s.t. \(\varepsilon .E(pk(g_2,0),b,r) = \varepsilon .E(pk(g_2,t_i),0,r)\)

Therefore, H4 and H5 are indistinguishable.

Hybrid H6: This is like H5 except that the challenge ciphertext is generated by invoking the algorithm H6.Encrypt defined as follows:

\(H6.Encrypt(msk,mpk,\varvec{x})\): The algorithm computes the ciphertext for \(\varvec{x}\) in the following way:

\(ct_0=\varepsilon .C(r^2,g_1),ct_1=\varepsilon .E(PK,1,r),ct_{a,i}=\varepsilon .E(pk(g_1,0),a_i,r)\).

For \(i\in [n]\), \(ct_{x,i}=ct_1^{t_i}\cdot \varepsilon .E'(s_i,x_i,Ct_0,\tilde{r}),ct_{a,x,i}=\varepsilon .E(pk(g_2,1)^{x_i+t_i},a_i,r)\)

[Figure f: Hybrid H6]

Under the \(l{-}ciphertext{-}reproducibility\) of \(\varepsilon \), H5 and H6 are indistinguishable.

Hybrid H7: This is like H6 except that the challenge ciphertext is generated by invoking the algorithm \(\varepsilon .Encrypt\).

[Figure g: Hybrid H7]

By linear ciphertext homomorphism of \(\varepsilon \), H6 = H7.

Hybrid H8: This is like H7 except that the master public key is generated by invoking the algorithm Setup.

[Figure h: Hybrid H8]

Under the \(l{-}public{-}key{-}reproducibility\) of \(\varepsilon \), H7 and H8 are indistinguishable.

Advantage of Any PPT Adversary in H8: Notice that \(\varvec{t} + \varvec{x_b}-\varvec{x_{1-b}} \in Z_p^n\). Let \(\varvec{t'}=\varvec{t} + \varvec{x_b}-\varvec{x_{1-b}}\) and \(s'_i=s_i+(\varvec{x_{1-b}}-\varvec{x_b})_isk\). Then \((\varvec{s'},\varvec{t'})\) is exactly as likely as \((\varvec{s},\varvec{t})\), and it gives exactly the same view with \(\varvec{x_b}\) replaced by \(\varvec{x_{1-b}}\).

Moreover, when analyzing \(sk_F \leftarrow FE.KeyGen(F,msk)\), since \(s'_i+t'_isk=s_i+x_{1-b,i}sk-x_{b,i}sk+(t_i+x_{b,i}-x_{1-b,i})sk=s_i+t_isk\), the key \(sk_F\) is the same for \((\varvec{s},\varvec{t})\) and \((\varvec{s'},\varvec{t'})\). Therefore, the advantage of the adversary in this game is 0.

C Proofs in Our FE Scheme for Cubic Functions

C.1 Proof of Theorem 2

Proof

Let \(a_i=f_{i,j,k}, i=j=k\ne 0\), \(b_{i,k}=f_{i,j,k}, i=j\ne k, i,k\ne 0\), \(c_{i,j,k}=f_{i,j,k}, i\ne j \ne k, i,j,k \ne 0\), \(d_i=f_{i,j,k},i=j\ne 0,k=0\), \(e_{i,j}=f_{i,j,k},i\ne j \ne 0, k=0\), \(f_i=f_{i,j,k},i\ne 0, j=k=0\), \(g=f_{i,j,k},i=j=k=0\) and .

Since , we can get the following equations:

$$\begin{aligned} \left\{ \begin{aligned}&a^0_{00}=g\\&a^i_{ii}=a_i, i>0 \\&a^0_{ii}+(a^i_{0i}+a^i_{i0})=d_i, i>0 \\&(a^0_{i0}+a^0_{0i})+a^i_{00}=f_i, i>0 \\&(a^0_{ij}+a^0_{ji})+(a^j_{0i}+a^j_{i0})+(a^i_{j0}+a^i_{0j})=e_{i,j},i>j>0 \\&(a^i_{ik}+a^i_{ki})+a^k_{ii}=b_{i,k}, i>k>0 \\&(a^i_{jk}+a^i_{kj})+(a^j_{ik}+a^j_{ki})+(a^k_{ij}+a^k_{ji})=c_{i,j,k}, i>j>k>0 \end{aligned} \right. \end{aligned}$$
(1)

Since \(\forall i \in [n], \varvec{y_0}A_i\varvec{y_0}=\varvec{y_1}A_i\varvec{y_1}\), where \(\varvec{y_u}=(y_{u0},y_{u1},\ldots ,y_{un}),u=1,2\) we can get the following equations:

$$\begin{aligned} \left\{ \begin{aligned}&\sum _{i=1}^n(a^0_{i0}+a^0_{0i})(y_{0i}-y_{1i})+\sum _{i=1}^{n}a^0_{ii}(y_{0i}^2-y_{1i}^2)+\sum _{i>j=1}^{n}(a^0_{ij}+a^0_{ji})(y_{0i}y_{0j}-y_{1i}y_{1j})=0\\&\vdots \\&\sum _{i=1}^n(a^n_{i0}+a^n_{0i})(y_{0i}-y_{1i})+\sum _{i=1}^{n}a^n_{ii}(y_{0i}^2-y_{1i}^2)+\sum _{i>j=1}^{n}(a^n_{ij}+a^n_{ji})(y_{0i}y_{0j}-y_{1i}y_{1j})=0 \end{aligned} \right. \end{aligned}$$
(2)

Putting Eqs. (1) and (2) together, we can get that:

$$\begin{aligned} \left\{ \begin{aligned}&a^0_{00}=g \\&a^i_{ii}=a_i, i>0 \\&\sum _{i=1}^{n}(f_i-a^i_{00})(y_{0i}-y_{1i})+\sum _{i=1}^{n}(d_i-(a^i_{0i}+a^i_{i0}))(y_{0i}^2-y_{1i}^2)+ \\&\sum _{i>j=1}^{n}(e_{i,j}-(a^j_{0i}+a^j_{i0})-(a^i_{j0}+a^i_{0j}))(y_{0i}y_{0j}-y_{1i}y_{1j})=0 , i>j>0\\&\sum _{i=1}^{n}(a^1_{i0}+a^1_{0i})(y_{0i}-y_{1i})+\sum _{i=1}^{n}(b_{i,1}-(a^i_{i1}+a^i_{1i}))(y_{0i}^2-y_{1i}^2)+ \\&\sum _{i>j=1}^{n}(c_{i,j,1}-(a^i_{j1}+a^i_{1j}+a^j_{i1}+a^j_{1i}))(y_{0i}y_{0j}-y_{1i}y_{1j})=0 ,i>j>0\\&\vdots \\&\sum _{i=1}^{n}(a^n_{i0}+a^n_{0i})(y_{0i}-y_{1i})+\sum _{i=1}^{n}(b_{i,n}-(a^i_{in}+a^i_{ni}))(y_{0i}^2-y_{1i}^2)+ \\&\sum _{i>j=1}^{n}(c_{i,j,n}-(a^i_{jn}+a^i_{nj}+a^j_{in}+a^j_{ni}))(y_{0i}y_{0j}-y_{1i}y_{1j})=0 ,i>j>0\\ \end{aligned} \right. \end{aligned}$$
(3)

Now we show that the linear system (3) is solvable, i.e., its coefficient matrix has full rank.

Notice that \(a^0_{00}\) only occurs in the first equation of (3), each \(a^i_{ii}\) only occurs in one equation of \(\{a^i_{ii}=a_i,i>0\}\), each \(a^i_{00}\) only occurs in one equation of \(\{\sum _{i=1}^{n}(f_i-a^i_{00})(y_{0i}-y_{1i})+\sum _{i=1}^{n}(d_i-(a^i_{0i}+a^i_{i0}))(y_{0i}^2-y_{1i}^2)+\sum _{i>j=1}^{n}(e_{i,j}-(a^j_{0i}+a^j_{i0})-(a^i_{j0}+a^i_{0j}))(y_{0i}y_{0j}-y_{1i}y_{1j})=0 , i>j>0\}\), each \((a^j_{it}+a^j_{ti})\) only occurs in one equation of \(\{\sum _{i=1}^{n}(a^t_{i0}+a^t_{0i})(y_{0i}-y_{1i})+\sum _{i=1}^{n}(b_{i,n}-(a^i_{it}+a^i_{ti}))(y_{0i}^2-y_{1i}^2)+\sum _{i>j=1}^{n}(c_{i,j,n}-(a^i_{jt}+a^i_{tj}+a^j_{it}+a^j_{ti}))(y_{0i}y_{0j}-y_{1i}y_{1j})=0 ,i>j>0\}\). So the coefficient matrix is full rank.

C.2 Proof of Theorem 3

Proof

We prove security via a sequence of hybrid experiments, and then show that consecutive hybrids are indistinguishable.

Hybrid H1: This is the s-IND-CPA game:

[Figure i: Hybrid H1, the s-IND-CPA game]

Hybrid H2: This is like H1 except that the master public key is generated by invoking the algorithm H2.Setup defined as follows:

\(H2.Setup(1^{\lambda },1^n,\varvec{x_0},\varvec{x_1})\): The algorithm samples \((mpk1,msk1) \leftarrow QFE.Setup(1^{\lambda },1^n)\) and randomly chooses \(\varvec{t}=(t_0,\ldots ,t_n) \leftarrow _R Z_p^{n+1}\). It then sets \(t^0_i=(\frac{x_{1i}}{x_{0i}}t_i^{-1})^{-1}\) and \(t^1_i=(\frac{x_{0i}}{x_{1i}}t_i^{-1})^{-1}\), and returns \(mpk := (mpk1,\varvec{t^b})\) and \(msk:=(msk1)\).

\(Z_p\) is a field, so \(t^0_i\) and \(t^1_i\) are uniformly distributed in \(Z_p\). Therefore, H2 and H1 are indistinguishable.

Hybrid H3: This is like H2 except that the challenge ciphertext is generated by invoking the algorithm \(H3.Encrypt(mpk,\varvec{x_b})\) defined as follows:

\(H3.Encrypt(mpk,\varvec{x_b}):\) Choose a matrix \(W= \left( \begin{matrix} w_{11} & w_{12} \\ w_{21} & w_{22} \end{matrix} \right) \) from \(Z_p^{*(2\times 2)}\), where \(w_{12}=u_1^2,w_{22}=u_2^2\) and \(W W^{-1} = I\). Randomly choose \(\varvec{r}=(r_0,\ldots , r_n), \varvec{a}=(a_0,\ldots ,a_n) \in Z_p^{n+1}\). Then compute \(Ct_{u_1x}=QFE.Encrypt(mpk1,u_1\varvec{x_{1-b}})\) and \(Ct_{u_2x}=QFE.Encrypt(mpk1,u_2\varvec{x_{1-b}})\). Set \(Ct_{w,x,i}=(r_i,(t_i^{b})^{-1}x_{bi})W^{-1}\), \(Ct_{a,1,i}=w_{11}a_i\), \(Ct_{a,2,i}=w_{21}a_i\) and \(Ct_{ar}=\sum _{i=0}^{n}a_ir_i\).

Return \(Ct_x=(Ct_{u_1x},Ct_{u_2x},\{Ct_{w,x,i},Ct_{a,1,i},Ct_{a,2,i}\}_{i\in [n]},Ct_{ar})\).

Firstly, we show that \(Ct'_{u_1x}=QFE.Encrypt(mpk1,u_1\varvec{x_b})\) and \(Ct_{u_1x}=QFE.Encrypt(mpk1,u_1\varvec{x_{1-b}})\) are indistinguishable. For any \(f \in \mathcal {F}\), there exists a set of matrices \(\{A_i\}_{i\in [n]}\) such that \(f(\varvec{x})=\sum _{i=0}^{n}x_i\varvec{x}^TA_i\varvec{x}\) and \(\varvec{x_0}^TA_i\varvec{x_0}=\varvec{x_1}^TA_i\varvec{x_1}, i \in [n]\). So,

$$(\varvec{x_{1-b}})^TA_i(\varvec{x_{1-b}})=\varvec{x_b}^TA_i\varvec{x_b}, i\in [n]$$

By the s-IND-CPA security of the QFE scheme, these two should be indistinguishable. Similarly, \(Ct'_{u_2x}=QFE.Encrypt(mpk1,u_2\varvec{x_b})\) and \(Ct_{u_2x}=QFE.Encrypt(mpk1,u_2\varvec{x_{1-b}})\) are also indistinguishable.

Then, we show that \(Ct'_{w,x,i}=(r_i,t_i^{-1}x_{bi})W^{-1}\) and \(Ct_{w,x,i}=(r_i,(t_i^{b})^{-1}x_{bi})W^{-1}\) are indistinguishable. \(t_i\) and \(t^b_i\) are hidden by the matrix W, i.e. without knowledge of W the adversary cannot determine whether \(t_i\) or \(t^b_i\) was used in the encryption. So the only thing we need to prove is that the adversary cannot recover W. Considering the ciphertext components \(Ct_{a,1,i}=w_{11}a_i\) and \(Ct_{a,2,i}=w_{21}a_i\), there exists \(\alpha \in Z_p\) such that \(w_{11}=\alpha w_{21}\), so \(Ct_{a,1,i}=w_{11}a_i=\alpha w_{21}a_i=\alpha Ct_{a,2,i}\). There are \(n+1\) unknown values (\(a_1,...,a_n,w_{11}\)) but only n effective equations, so \(w_{11}\) cannot be recovered. It is easy to see that \(w_{11}\) is also hidden by random values in the other parts of the ciphertext.

Therefore, H3 and H2 are indistinguishable.

Hybrid H4: This is like H3 except that the challenge ciphertext is generated by invoking the algorithm CFE.Encrypt as follows:

[Figure j: Hybrid H4, using CFE.Encrypt]

In H3.Encrypt, \(Ct'_{w,x,i}=(r_i,(t_i^{b})^{-1}x_{bi})W^{-1}=(r_i,\frac{x_{1-b,i}}{x_{bi}}t_i^{-1}x_{bi})W^{-1}=(r_i,x_{1-b,i}t_i^{-1})W^{-1}\). In CFE.Encrypt, \(Ct'_{w,x,i}=(r_i,x_{1-b,i}t_i^{-1})W^{-1}\). So H4 = H3.
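The equality just used, together with the ratio argument from the H3 step, can be checked numerically. The Python below is an added example rather than the paper's code: it works in \(Z_p\) for a constructed prime p, builds an invertible W with \(w_{12}=u_1^2\) and \(w_{22}=u_2^2\) and its inverse, computes the H3.Encrypt components \(Ct_{w,x,i}\), \(Ct_{a,1,i}\), \(Ct_{a,2,i}\) and \(Ct_{ar}\) for constructed vectors, and checks (1) that \((r_i,(t_i^{b})^{-1}x_{bi})W^{-1}\) with the programmed \(t_i^b\) from H2.Setup equals \((r_i,x_{1-b,i}t_i^{-1})W^{-1}\) for both b = 0 and b = 1 (the H3 = H4 step) and (2) that every pair \(Ct_{a,1,i}\), \(Ct_{a,2,i}\) shares the single ratio \(\alpha =w_{11}/w_{21}\), which is all those components reveal about \(w_{11}\). The nonzero-entry case is assumed throughout, as in the main proof; the function names and sample values are the example's own.

```python
# Added example (not the paper's code): the programmed t^b trick from the
# proof of Theorem 3, worked in Z_p with a constructed prime p.
import secrets

P = 1019  # constructed prime modulus for Z_p


def inv(a):
    """Multiplicative inverse in Z_p (a must be nonzero mod p)."""
    a %= P
    if a == 0:
        raise ZeroDivisionError("no inverse for 0 in Z_p")
    return pow(a, P - 2, P)


def mat2_inverse(W):
    """Inverse of a 2x2 matrix over Z_p, so that W * W^{-1} = I."""
    (w11, w12), (w21, w22) = W
    det = (w11 * w22 - w12 * w21) % P
    d = inv(det)  # raises if W is singular
    return ((w22 * d % P, -w12 * d % P), (-w21 * d % P, w11 * d % P))


def vec_mat(v, M):
    """Row vector (v1, v2) times a 2x2 matrix M over Z_p."""
    v1, v2 = v
    return ((v1 * M[0][0] + v2 * M[1][0]) % P, (v1 * M[0][1] + v2 * M[1][1]) % P)


def sample_W(u1, u2):
    """W with w12 = u1^2, w22 = u2^2 and random nonzero w11, w21, resampled until invertible."""
    while True:
        w11, w21 = 1 + secrets.randbelow(P - 1), 1 + secrets.randbelow(P - 1)
        W = ((w11, u1 * u1 % P), (w21, u2 * u2 % P))
        if (W[0][0] * W[1][1] - W[0][1] * W[1][0]) % P != 0:
            return W


def programmed_t(t_i, x0i, x1i, b):
    """t^b_i = ((x_{1-b,i} / x_{b,i}) * t_i^{-1})^{-1}, as set in H2.Setup (nonzero entries only)."""
    xb, x1b = (x0i, x1i) if b == 0 else (x1i, x0i)
    return inv(x1b * inv(xb) % P * inv(t_i) % P)


def h3_components(x0, x1, b, t, r, a, W):
    """The W-dependent parts of the H3.Encrypt challenge ciphertext for x_b (indices 0..n)."""
    Winv = mat2_inverse(W)
    xb = x0 if b == 0 else x1
    n1 = len(t)
    ct_w = [vec_mat((r[i], inv(programmed_t(t[i], x0[i], x1[i], b)) * xb[i] % P), Winv)
            for i in range(n1)]
    ct_a1 = [W[0][0] * a[i] % P for i in range(n1)]   # Ct_{a,1,i} = w11 * a_i
    ct_a2 = [W[1][0] * a[i] % P for i in range(n1)]   # Ct_{a,2,i} = w21 * a_i
    ct_ar = sum(a[i] * r[i] for i in range(n1)) % P   # Ct_{ar}
    return ct_w, ct_a1, ct_a2, ct_ar


def h3_matches_h4(x0, x1, b, t, r, a, W):
    """H3 = H4: the H3 components equal what CFE.Encrypt outputs for x_{1-b}
    with the unprogrammed t, i.e. (r_i, x_{1-b,i} * t_i^{-1}) W^{-1}."""
    Winv = mat2_inverse(W)
    x1b = x1 if b == 0 else x0
    ct_w, _, _, _ = h3_components(x0, x1, b, t, r, a, W)
    return all(ct_w[i] == vec_mat((r[i], x1b[i] * inv(t[i]) % P), Winv) for i in range(len(t)))


def hidden_ratio(ct_a1, ct_a2):
    """Return alpha with Ct_{a,1,i} = alpha * Ct_{a,2,i} for every i, or None if the
    components are inconsistent. One alpha is all these n+1 values reveal about w11
    (n equations in the n+1 unknowns a_i, w11), so w11 itself stays hidden."""
    ratios = {c1 * inv(c2) % P for c1, c2 in zip(ct_a1, ct_a2)}
    return ratios.pop() if len(ratios) == 1 else None


if __name__ == "__main__":
    # constructed toy vectors, indexed 0..n with n = 2 (all entries nonzero)
    x0, x1 = [3, 5, 7], [2, 9, 4]
    t, r, a = [11, 13, 17], [21, 22, 23], [5, 6, 7]
    W = ((2, 9), (3, 25))           # u1 = 3, u2 = 5; det = 23 != 0 mod p
    for b in (0, 1):
        print("H3 = H4 for b =", b, ":", h3_matches_h4(x0, x1, b, t, r, a, W))
    _, ct_a1, ct_a2, _ = h3_components(x0, x1, 0, t, r, a, W)
    print("alpha equals w11/w21:", hidden_ratio(ct_a1, ct_a2) == 2 * inv(3) % P)
```

`sample_W` is only there to show how a W of the required shape is drawn; the stand-alone run uses a fixed W so the output is reproducible.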

Advantage of Any PPT Adversary in H4: In H4, the challenge ciphertext is a valid ciphertext for the message \(\varvec{x_{1-b}}\). So it gives the same view by replacing \(\varvec{x_b}\) by \(\varvec{x_{1-b}}\). Therefore, the advantage of any adversary in this game is 0.

Notice that we only considered the situation where \(x_{0i} \ne 0,x_{1i} \ne 0, i \in [n]\). The proof extends to zero entries if we modify the construction of \(\varvec{t^b}\) and H3.Encrypt as follows:

  1. If \(x_{0i}=x_{1i}=0\), then \(t_i^0=t_i^1=t_i\), and \(Ct_{w,x,i}=(r_i,(t_i^b)^{-1}x_{bi})W^{-1}\).

  2. If \(x_{bi}=0,x_{1-b,i} \ne 0\), then \(t_i^b=x_{1-b,i}t_i^{-1}-x_{bi}\), and \(Ct_{w,x,i}=(r_i,t_i^b+x_{bi})W^{-1}\).

  3. If \(x_{bi} \ne 0, x_{1-b,i} = 0\), then \(t_i^b=-x_{bi}t_i^{-1}\), and \(Ct_{w,x,i}=(r_i,t_i^b+t_i^{-1}x_{bi})W^{-1}\).

The rest of the proof extends straightforwardly from the proof above.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Zhang, L., Chen, Y., Zhang, J., He, M., Yiu, SM. (2019). From Quadratic Functions to Polynomials: Generic Functional Encryption from Standard Assumptions. In: Carlet, C., Guilley, S., Nitaj, A., Souidi, E. (eds) Codes, Cryptology and Information Security. C2SI 2019. Lecture Notes in Computer Science, vol 11445. Springer, Cham. https://doi.org/10.1007/978-3-030-16458-4_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-16458-4_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-16457-7

  • Online ISBN: 978-3-030-16458-4
