1 Introduction

Traditional public-key encryption provides all-or-nothing access to data: a user can either recover the entire plaintext or learn nothing from the ciphertext. Functional encryption (FE) [5, 15] is a broad new paradigm for encryption which allows tremendous flexibility in accessing encrypted data. In functional encryption, a secret key \(sk_f\) embedded with a function f can be created from a master secret key msk. Then, given a ciphertext for x, a user holding \(sk_f\) learns f(x) and nothing else about x. In recent years, the cryptographic community has made great progress in research on the security of FE and on the construction of such schemes (see for instance [1, 6, 8, 9, 10] and many more).

There are two notions of security for an FE scheme: indistinguishability-based security and simulation-based security. The former requires that an adversary cannot distinguish between ciphertexts of any two messages \(x_0\), \(x_1\) with access to a secret key \(sk_f\) for a function f such that \(f(x_0)=f(x_1)\). In contrast, the latter requires that the view of the adversary can be simulated by a simulator, given only access to the secret keys and the function evaluated on the corresponding messages. Note that simulation-based security is stronger than indistinguishability-based security: there exists an indistinguishability-based secure FE scheme for a certain functionality which cannot be proved secure under simulation-based security [5, 15].

Traditional FE only considers data privacy and does not protect the privacy of the function itself, which is also crucial for practical applications. Consider the case where Bob wants to store his files in a cloud. Before uploading his files, he encrypts them with an FE scheme to avoid leaking their contents, and then uploads the encrypted form to the cloud. Later on, Bob wants to query his data by giving the cloud a key \(sk_f\) for a function f of his choice. However, if the FE scheme does not provide privacy for the function, the key \(sk_f\) may reveal Bob’s query f entirely to the cloud, which is not desirable when the function includes confidential information.

Because of its importance, several works focus on function privacy of FE. It was first studied in [16] in the private-key setting, followed by the work of [6] in the private-key setting and that of [4] in the public-key setting. An intuitive definition of function privacy is one where function keys leak no unnecessary information on the associated function. Between the public-key setting and the private-key setting, the degree to which function privacy can be satisfied differs dramatically. Specifically, a public-key FE scheme inherently leaks confidential information about the function. Note that an attacker who holds a secret key \(sk_f\) can always generate, on its own, a ciphertext for any message \(x_i\) of her choice, and then use \(sk_f\) to learn \(f(x_i)\). This can reveal non-trivial information about the function f. On the other hand, since an attacker holding a secret key \(sk_f\) cannot encrypt new messages in the private-key setting, this kind of attack no longer applies.

Functional Encryption for Inner Product. Although FE schemes supporting the computation of general circuits exist under a wide spectrum of assumptions, there are two major problems with the state-of-the-art general FE constructions. First, the security of some constructions is only ensured so long as the adversary gets hold of an a-priori bounded number of secret keys [9, 10]. Second, some solutions rely on tools such as multilinear maps and indistinguishability obfuscation, which are both impractical and founded on new security assumptions that have undergone minimal scrutiny. This motivates the exploration of direct and efficient FE constructions for specific functionalities, focusing on the inner product functionality as a first attempt [2, 3, 7, 11, 17, 18].

In an inner product encryption (IPE) scheme, a ciphertext CT is related to a vector \({\varvec{x}} \in {\mathbb {Z}}_q^n\) of length n and a secret key SK to a vector \({\varvec{y}} \in {\mathbb {Z}}_q^n\) of length n. Given the ciphertext and the secret key, the decryption algorithm computes the inner product \(\langle {\varvec{x}}, {\varvec{y}}\rangle = \sum _{i=1}^n x_iy_i\). In this paper, we consider IPE with function privacy, i.e., function-hiding inner product encryption.

Function-Hiding IPE. The work of [2] presented adaptively secure schemes where the messages \(x_0\) and \(x_1\) may be adaptively chosen at any point in time, based on the previously collected information. Bishop et al. [3] proposed a function-hiding IPE scheme under the Symmetric External Diffie-Hellman (SXDH) assumption, which satisfies an indistinguishability-based definition, and considered adaptive adversaries. However, the scheme is proved secure only in a rather weak and unrealistic security model which places limits on the adversary's queries. Recently, Datta et al. [7] developed a function-hiding IPE under the SXDH assumption where the additional restriction on the adversary's queries is removed. Tomida et al. [17] constructed a more efficient function-hiding IPE scheme than that of [7] under the External Decisional Linear (XDLIN) assumption. Kim et al. [11] put forth a fully-secure function-hiding IPE scheme with smaller parameter sizes and lower run-time complexity than in [3, 7]. The scheme is proved simulation-based secure in the generic model of bilinear maps. Zhao et al. [18] presented, for the first time, a simulation-based secure function-hiding IPE scheme under the SXDH assumption in the standard model. The scheme can tolerate an unbounded number of ciphertext queries and adaptive key queries.

Our Contribution. We construct an efficient simulation-based secure function-hiding IPE (SSFH-IPE) scheme in the standard model. We compare our scheme with related works in Table 1, where scalar multiplications on cyclic groups are involved in the key generation and encryption algorithms, and pairing operations on bilinear pairing groups are involved in the decryption algorithm. We achieve a reduction by a factor of 2 or more in computational complexity. Our scheme achieves \(n+6\) group elements in the secret key and in the ciphertext, which also reduces storage complexity by a factor of 2 or more. Hence, the SSFH-IPE scheme outperforms the previous schemes in both storage complexity and computational complexity. Furthermore, our scheme is based on the XDLIN assumption, which is weaker than the SXDH assumption. In more detail, the SXDH assumption relies on type 3 bilinear pairing groups, while the XDLIN assumption relies on any type of bilinear pairing groups [17]. From this angle, the SXDH assumption is stronger than the XDLIN assumption. Although the construction of [17] was proved to be indistinguishability-based secure under the XDLIN assumption and also succeeded in improving efficiency, both the storage complexity and the computational complexity of our scheme are better than those of [17], and our scheme achieves simulation-based security, which is much stronger than indistinguishability-based security.

Table 1. Comparison of SSFH-IPE scheme. n is the dimension of vector. We have eight security notions xx-yy-zzz where xx \(\in \) {one, many} refers to a single or multiple challenge ciphertexts; yy \(\in \) {SEL, AD} refers to selectively or adaptively chosen ciphertext queries; zzz \(\in \) {IND, SIM} refers to indistinguishability vs simulation-based security.

To guarantee correctness, our scheme requires that inner products lie within a range of polynomial size, which is consistent with the other schemes in Table 1. As pointed out in [3], this is reasonable for statistical computations because computations such as the average over a polynomial-size database will naturally be contained within a polynomial range. In addition, our scheme is simulation-based secure against adversaries who make an unbounded number of ciphertext queries and adaptive key queries. Although very basic functionalities such as IBE are simulation-based secure for an a-priori bounded number of ciphertext queries in the standard model [1, 5, 15], an unbounded number of ciphertext queries is possible if adversaries have an underlying polynomial-size range.

Technical Overview. The SSFH-IPE scheme is built on dual pairing vector spaces (DPVS), as in [3, 7, 17, 18]; DPVS were introduced by Okamoto and Takashima [13, 14]. DPVS provide hidden linear subspaces in the prime-order bilinear group setting. Our construction uses a DPVS of dimension \(n+6\), where n is the dimension of the inner product vectors. Concretely, we sample a pair of dual orthonormal bases \(({\mathbb {B}}, {\mathbb {B}}^*)\) and only use the \(n\,+\,4\) dimension \({\mathbb {B}}\) and the \(n\,+\,4\) dimension \({\mathbb {B}}^*\) to encode vector \({\varvec{x}}\) and vector \({\varvec{y}}\) respectively. Compared with the previous schemes, our scheme saves at least n dimensions of vector spaces. We reserve the remaining hidden dimensions of \({\mathbb {B}}\) and \({\mathbb {B}}^*\) for the security reduction. Specifically, between two hybrid experiments, a hidden dimension can be used to reduce a difference of one coefficient in a secret key or a ciphertext to an XDLIN instance. In other words, the hidden dimension can be used to convert a coefficient into another coefficient in a secret key or a ciphertext, so that no PPT adversary can distinguish the two hybrid experiments.

2 Preliminaries

Let \(\lambda \) be the security parameter. If S is a set, \(x \xleftarrow {\$} S\) denotes the process of choosing x uniformly at random from S. Let \(X=\{X_n\}_{n \in {\mathbb {N}}}\) and \(Y=\{Y_n\}_{n \in {\mathbb {N}}}\) be distribution ensembles. We say that X and Y are computationally indistinguishable, written \( X {\approx }_c Y\), if for all nonuniform probabilistic polynomial-time D and every \(n \in {\mathbb {N}}\), the difference between \(\mathrm {Pr}[D(X_n)=1]\) and \(\mathrm {Pr}[D(Y_n)=1]\) is negligible. Let \(negl(\lambda )\) be a negligible function in \(\lambda \). Moreover, we write \({\varvec{x}}\) to denote a vector \((x_1,\,\ldots ,\,x_n)\in {\mathbb {Z}}_q^n\) of length n for some positive integers q and n. We use \(\langle {\varvec{a}}, {\varvec{b}} \rangle \) to denote the inner product, \(\sum _{i=1}^n a_i b_i\) mod q, of vectors \({\varvec{a}}\in {\mathbb {Z}}_q^n\) and \({\varvec{b}} \in {\mathbb {Z}}_q^n\). We use upper case boldface to denote matrices. \({\mathbf {X}}^T\) denotes the transpose of the matrix \({\mathbf {X}}\). \(GL(n,{\mathbb {Z}}_q)\) denotes the general linear group of degree n over \({\mathbb {Z}}_q\). \({\mathbb {Z}}^{\times }_q\) denotes the set of integers \(\{1,\,\ldots ,\,q-1\}\).

Definition 1

(SSFH-IPE). An SSFH-IPE scheme is composed of the four PPT algorithms defined below. The setup algorithm \(\mathrm {\mathbf {SSFH}}\)-\(\mathrm {\mathbf {IPE.Setup}}\) receives as input the security parameter \(\lambda \) and the vector length n, and outputs a master secret key msk and public parameters pp. The encryption algorithm \(\mathrm {\mathbf {SSFH}}\)-\(\mathrm {\mathbf {IPE.Encrypt}}\) receives as input the master secret key msk, the public parameters pp and a vector \({\varvec{x}} \in {\mathbb {Z}}_q^n\), and outputs a ciphertext \(ct_{{\varvec{x}}}\). The key generation algorithm \(\mathrm {\mathbf {SSFH}}\)-\(\mathrm {\mathbf {IPE.KeyGen}}\) receives as input the master secret key msk, the public parameters pp and a vector \({\varvec{y}} \in {\mathbb {Z}}_q^n\), and outputs a secret key \(sk_{{\varvec{y}}}\). The decryption algorithm \(\mathrm {\mathbf {SSFH}}\)-\(\mathrm {\mathbf {IPE.Decrypt}}\) receives as input the public parameters pp, the ciphertext \(ct_{{\varvec{x}}}\) and a secret key \(sk_{{\varvec{y}}}\), and outputs either a value \(m \in {\mathbb {Z}}_q\) or the dedicated symbol \(\perp \).

We make the following correctness requirement: for all (msk, pp) \(\xleftarrow {\$}\) SSFH-IPE.Setup\((1^{\lambda }, n)\), all \({\varvec{x}}, {\varvec{y}} \in {\mathbb {Z}}_q^n\), for \(\mathrm {ct_{{\varvec{x}}}} \xleftarrow {\$}\) SSFH-IPE.Encrypt(msk, pp, \({\varvec{x}})\) and \(\mathrm {sk_{{\varvec{y}}}} \xleftarrow {\$}\) SSFH-IPE.KeyGen(msk, pp, \({\varvec{y}})\), we have that SSFH-IPE.Decrypt(pp, \(ct_{{\varvec{x}}}\), \(sk_{{\varvec{y}}}\)) is sure to output \(\langle {\varvec{x}}, {\varvec{y}} \rangle \) whenever \(\langle {\varvec{x}}, {\varvec{y}} \rangle \,\not =\,\perp \) with non-negligible probability. Correctness requires that the output is \(\langle {\varvec{x}}, {\varvec{y}} \rangle \) and not \(\perp \) when \(\langle {\varvec{x}}, {\varvec{y}} \rangle \) is from a fixed polynomial-size range of values inside \({\mathbb {Z}}_q\).

Definition 2

(Simulation-Based Security). For an SSFH-IPE scheme, a PPT adversary \({\mathcal {A}}=({\mathcal {A}}_1, {\mathcal {A}}_2)\) and a PPT simulator S, we define two experiments \({{\varvec{Real}}}_{\mathcal {A}}^{{SSFH-IPE}}(1^\lambda )\) and \({{\varvec{Ideal}}}_{{\mathcal {A}},S}^{{SSFH-IPE}}(1^\lambda )\) in Fig. 1. Let \(\ell \) be the number of challenge messages output by \({\mathcal {A}}_1\) and \(p_1\) be the number of secret key queries in the first stage. The oracles \({\mathcal {O}}\) and \({\mathcal {O}}^{'}\) are defined as follows:

  • The oracle \({\mathcal {O}}(msk, \cdot )\) = SSFH-IPE.KeyGen(msk, \(\cdot , \cdot )\).

  • The oracle \({\mathcal {O}}^{'}(msk, st, \cdot )\) is the second stage of S, i.e., \(S^{\langle {\varvec{x}}_i, {\varvec{y}}_j \rangle }(msk, st, \cdot )\) for \(i \in [\ell ], j \in [p_1]\), where \({\varvec{x}}_i\) and \({\varvec{y}}_j\) are inputs of the \(i^\mathrm{{th}}\) ciphertext query and the \(j^\mathrm{{th}}\) secret key query by \({\mathcal {A}}_1\) respectively.

An SSFH-IPE scheme is simulation-based secure if there exists a PPT simulator S such that for all PPT adversaries \({\mathcal {A}}\),

$$\begin{aligned} {\varvec{Real}}_{\mathcal {A}}^{{SSFH-IPE}}(1^\lambda ){\approx }_c {\varvec{Ideal}}_{{\mathcal {A}},S}^{{SSFH-IPE}}(1^\lambda ). \end{aligned}$$

Fig. 1. Real and ideal experiments.

Definition 3

(Asymmetric Bilinear Pairing Groups). We say an algorithm \({\mathcal {G}}_{abpg}(1^{\lambda })\) is an asymmetric bilinear group generator and it outputs a bilinear pairing group which is defined by the tuple \((q,{\mathbb {G}}_1,{\mathbb {G}}_2,{\mathbb {G}}_T,e)\), where q is a prime, \({\mathbb {G}}_1,{\mathbb {G}}_2,{\mathbb {G}}_T\) are cyclic groups of order q, and a bilinear pairing \(e:{\mathbb {G}}_1 \times {\mathbb {G}}_2 \rightarrow {\mathbb {G}}_T\) with the following properties:

  1. (Bilinearity) \(\forall g_1 \in {\mathbb {G}}_1\), \(g_2 \in {\mathbb {G}}_2\), \(a,b \in {\mathbb {Z}}_q\), \(e(g_1^a,g_2^b)=e(g_1,g_2)^{ab}\) and

  2. (Non-degeneracy) \(\exists g_1 \in {\mathbb {G}}_1\), \(g_2 \in {\mathbb {G}}_2\) such that \(e(g_1,g_2)\) has order q in \({{\mathbb {G}}_T}\).

Definition 4

(External Decisional Linear (XDLIN) Assumption). \((q,{\mathbb {G}}_1,{\mathbb {G}}_2,{\mathbb {G}}_T,e)\) is a tuple produced by \({\mathcal {G}}_{abpg}(1^{\lambda })\). Consider the following problem: given the distributions \({\mathcal {G}}_b^{\mathrm {XDLIN}}(1^{\lambda })=((q,{\mathbb {G}}_1,{\mathbb {G}}_2,{\mathbb {G}}_T,e),\xi g_1, \kappa g_1, \delta \xi g_1, \sigma \kappa g_1, \xi g_2, \kappa g_2, \delta \xi g_2, \sigma \kappa g_2,Y_b)\) for \(b \in \{0,1\}\), where \(\xi , \kappa , \delta , \sigma \xleftarrow {\$} {\mathbb {Z}}_q\), \(Y_0 = (\delta +\sigma )g_c\), \(Y_1 = (\delta +\sigma +\rho ) g_c\), \(\rho \xleftarrow {\$} {\mathbb {Z}}_q\) and \(c \in \{0,1\}\), output \({\mathcal {G}}_0^{\mathrm {XDLIN}}\) if b is 0 and output \({\mathcal {G}}_1^{\mathrm {XDLIN}}\) otherwise. We refer to the problem as the External Decisional Linear (XDLIN) problem.

For a PPT algorithm \({\mathcal {A}}\), the advantage of \({\mathcal {A}}\) is defined as:

\(\mathrm {Adv}_{{\mathcal {A}}}^{\mathrm {XDLIN}}(\lambda )=|\mathrm {Pr}[{\mathcal {A}}(1^{\lambda },{\mathcal {G}}_0^{\mathrm {XDLIN}}(1^{\lambda }))\rightarrow 1]- \mathrm {Pr}[{\mathcal {A}}(1^{\lambda },{\mathcal {G}}_1^{\mathrm {XDLIN}}(1^{\lambda }))\rightarrow 1]|\).

If for all PPT algorithms \({\mathcal {A}}\), \(\mathrm {Adv}_{{\mathcal {A}}}^{\mathrm {XDLIN}}(\lambda )\) is negligible in \(\lambda \), we say \({\mathcal {G}}_b^{\mathrm {XDLIN}}(1^{\lambda })\) satisfies the XDLIN assumption.

Definition 5

(Dual Pairing Vector Spaces (DPVS)). A dual pairing vector space (DPVS) \((q,{\mathbb {V}},{\mathbb {V}}^*,{\mathbb {G}}_T,{\mathbb {A}},{\mathbb {A}}^*,E)\) is directly defined by the tuple \((q,{\mathbb {G}}_1,{\mathbb {G}}_2,{\mathbb {G}}_T,e) \xleftarrow {\$} {\mathcal {G}}_{abpg}(1^{\lambda })\). \({\mathbb {V}}={\mathbb {G}}_1^n\) and \({\mathbb {V}}^*={\mathbb {G}}_2^n\) over \({\mathbb {Z}}_q^n\) are n dimensional vector spaces. \({\mathbb {A}}=\{{\varvec{a}}_1,...,{\varvec{a}}_n\}\) of \({\mathbb {V}}\) and \({\mathbb {A}}^*=\{{\varvec{a}}_1^*,...,{\varvec{a}}_n^*\}\) of \({\mathbb {V}}^*\) are canonical bases, where \({\varvec{a}}_i=(0^{i-1},g_1,0^{n-i})\) and \({\varvec{a}}_i^*=(0^{i-1},g_2,0^{n-i})\). \(E:{\mathbb {V}} \times {\mathbb {V}}^* \rightarrow {\mathbb {G}}_T\) is a pairing defined by \(E({\varvec{x}},{\varvec{y}})=\prod _{i=1}^n e(X_i,Y_i) \in {\mathbb {G}}_T\), where \({\varvec{x}}=(X_1,...,X_n)\in {\mathbb {V}}\) and \({\varvec{y}}=(Y_1,...,Y_n)\in {\mathbb {V}}^*\), with the following properties:

  1. (Bilinearity) \(E(a{{\varvec{x}}},b{{\varvec{y}}})=E({\varvec{x}},{\varvec{y}})^{ab}\) for \(a,b\in {\mathbb {Z}}_q\) and

  2. (Non-degeneracy) if \(E({\varvec{x}},{\varvec{y}})=1\) for all \({\varvec{y}} \in {\mathbb {V}}^*\), then \({\varvec{x}}={\varvec{0}}\).

Let \((q,{\mathbb {V}},{\mathbb {V}}^*,{\mathbb {G}}_T,{\mathbb {A}},{\mathbb {A}}^*,E)\) be the output of algorithm \({\mathcal {G}}_{dpvs}(1^{\lambda }, n, (q,{\mathbb {G}}_1,{\mathbb {G}}_2\), \({\mathbb {G}}_T,e))\), where \(n \in {\mathbb {N}}\).

We then describe the random dual orthonormal basis generator \({\mathcal {G}}_{ob}(1^{\lambda }, n)\) as follows:

   \({\mathcal {G}}_{ob}(1^{\lambda }, n):\) \((q,{\mathbb {V}},{\mathbb {V}}^*,{\mathbb {G}}_T,{\mathbb {A}},{\mathbb {A}}^*,E)\xleftarrow {\$} {\mathcal {G}}_{dpvs}(1^{\lambda },n,(q,{\mathbb {G}}_1,{\mathbb {G}}_2,{\mathbb {G}}_T,e)), \)

      \({\mathbf {B}}=({\chi }_{i,j})\xleftarrow {\$}GL(n,{\mathbb {Z}}_q), \) \(({\phi }_{i,j})=\psi ({\mathbf {B}}^T)^{-1}, \)

      \({\varvec{b}}_i=\sum _{j=1}^n{\chi }_{i,j} {\varvec{a}}_j, \) \({\mathbb {B}}=\{{\varvec{b}}_1,...,{\varvec{b}}_n\}, \)

      \({\varvec{b}}_i^*=\sum _{j=1}^n{\phi }_{i,j}{\varvec{a}}_j^*, \) \({\mathbb {B}}^*=\{{\varvec{b}}_1^*,...,{\varvec{b}}_n^*\}, \) \(g_T=e(g_1,g_2)^\psi \),

      return (\({\mathbb {B}},{\mathbb {B}}^*\)).

Let \(({\varvec{x}})_{{\mathbb {B}}}\) denote \(\sum _{i=1}^n x_i {\varvec{b}}_i\), where \({\varvec{x}}={(x_1,...,x_n)}^T \in {\mathbb {Z}}_q^n\) and \({\mathbb {B}}=\{{\varvec{b}}_1,...,{\varvec{b}}_n\}\). Then we have

$$\begin{aligned} \begin{aligned} E(({\varvec{x}})_{{\mathbb {A}}},({\varvec{y}})_{{\mathbb {A}}^*})&=\prod _{i=1}^n e(x_i g_1, y_i g_2)=e(g_1,g_2)^{\sum _{i=1}^n x_i y_i}=e(g_1,g_2)^{\langle {\varvec{x}},{\varvec{y}}\rangle },\quad \text {and} \\ E(({\varvec{x}})_{{\mathbb {B}}},({\varvec{y}})_{{\mathbb {B}}^*})&=E(({\mathbf {B}}{\varvec{x}})_{{\mathbb {A}}},(\psi ({\mathbf {B}}^T)^{-1}{\varvec{y}})_{{\mathbb {A}}^*})=e(g_1,g_2)^{\psi {\mathbf {B}}{\varvec{x}} \cdot ({\mathbf {B}}^T)^{-1}{\varvec{y}}}=g_T^{\langle {\varvec{x}},{\varvec{y}}\rangle }. \end{aligned} \end{aligned}$$

3 SSFH-IPE Scheme

In this section, we present the construction of SSFH-IPE.

SSFH-IPE.Setup(\(1^\lambda \), n)\(\rightarrow \) (msk, pp): The setup algorithm runs \((q,{\mathbb {G}}_1,{\mathbb {G}}_2,{\mathbb {G}}_T,\) \(e) \xleftarrow {\$} {\mathcal {G}}_{abpg}(1^{\lambda })\). It then generates

$$\begin{aligned}&(q,{\mathbb {V}},{\mathbb {V}}^*,{\mathbb {G}}_T,{\mathbb {A}},{\mathbb {A}}^*,E) \xleftarrow {\$} {\mathcal {G}}_{dpvs}(1^{\lambda },n+6,(q,{\mathbb {G}}_1,{\mathbb {G}}_2,{\mathbb {G}}_T,e)) \ \mathrm {and} \\&({\mathbb {B}}=\{{\varvec{b}}_1,...,{\varvec{b}}_{n+6}\},{\mathbb {B}}^*=\{{\varvec{b}}^*_1,...,{\varvec{b}}^*_{n+6}\}) \xleftarrow {\$} {\mathcal {G}}_{ob}(1^{\lambda },n+6). \end{aligned}$$

The algorithm outputs msk\(=(\widehat{{\mathbb {B}}},\widehat{{\mathbb {B}}}^*)\), where \(\widehat{{\mathbb {B}}}=\{{\varvec{b}}_1,...,{\varvec{b}}_{n},{\varvec{b}}_{n+1},{\varvec{b}}_{n+2},{\varvec{b}}_{n+5}\}\), \(\widehat{{\mathbb {B}}}^*=\{{\varvec{b}}_1^*,...,{\varvec{b}}_n^*,{\varvec{b}}^*_{n+3},{\varvec{b}}^*_{n+4},{\varvec{b}}^*_{n+6}\}\), and pp\(=(q,{\mathbb {V}},{\mathbb {V}}^*,{\mathbb {G}}_T,{\mathbb {A}}_1,{\mathbb {A}}^*_1, E)\).

SSFH-IPE.Encrypt(msk, pp, \({\varvec{x}}\))\(\rightarrow ct_{{\varvec{x}}}\): The encryption algorithm samples \(\alpha , \beta , \eta \xleftarrow {\$}{\mathbb {Z}}_q\) independently and uniformly at random and outputs

$$\begin{aligned} ct_{{\varvec{x}}}=({\varvec{x}},\alpha , \beta ,0,0,\eta ,0)_{\mathbb {B}}. \end{aligned}$$

SSFH-IPE.KeyGen(msk, pp, \({\varvec{y}}\))\(\rightarrow sk_{{\varvec{y}}}\): The secret key generation algorithm samples \(\theta , \gamma , \zeta \xleftarrow {\$}{\mathbb {Z}}_q\) independently and uniformly at random and outputs

$$\begin{aligned} sk_{{\varvec{y}}}=({\varvec{y}},0,0,\theta , \gamma , 0,\zeta )_{{\mathbb {B}}^*}. \end{aligned}$$

SSFH-IPE.Decrypt(pp, \(ct_{{\varvec{x}}}, sk_{{\varvec{y}}}) \rightarrow m \in {\mathbb {Z}}_q\) or \(\perp \): The decryption algorithm computes

$$\begin{aligned} d =E(ct_{{\varvec{x}}},sk_{{\varvec{y}}}). \end{aligned}$$

It then attempts to determine \(m \in {\mathbb {Z}}_q\) such that \(g_T^m\,=\,d\). If there is an m that satisfies the equation, the algorithm outputs m. Otherwise, it outputs \(\perp \). Because m ranges over a polynomial-size set of possible values, the decryption algorithm runs in polynomial time.

Correctness. For any \(ct_{{\varvec{x}}}\) and \(sk_{{\varvec{y}}}\) by calling SSFH-IPE.Encrypt(msk, pp, \({\varvec{x}}\)) and SSFH-IPE.KeyGen(msk, pp, \({\varvec{y}}\)) respectively, the pairing evaluations in the decryption algorithm proceed as follows:

$$\begin{aligned} d =E(ct_{{\varvec{x}}},sk_{{\varvec{y}}})=e(g_1,g_2)^{\psi \langle {\varvec{x}},{\varvec{y}}\rangle }=g_T^{\langle {\varvec{x}},{\varvec{y}}\rangle }. \end{aligned}$$

If the decryption algorithm takes polynomial time in the size of the plaintext space, it will output \(m = \langle {\varvec{x}},{\varvec{y}}\rangle \) as desired.

Remark 1

We can easily notice that our scheme is malleable, where a ciphertext can be created from certain other ciphertexts. The scheme in [17] is also malleable, while it seems difficult to prove the schemes in [3, 7, 18] to be malleable.

4 Security Proof

Definition 6

(Problem 0). Problem 0 is to guess \(b \in \{0, 1\}\), given \(((q,{\mathbb {G}}_1, {\mathbb {G}}_2,{\mathbb {G}}_T,\) \(e), {\mathbb {B}},\widehat{{\mathbb {B}}}^*, {\varvec{y}}_b, \kappa g_1, \xi g_2)\), where

   \((q,{\mathbb {G}}_1,{\mathbb {G}}_2,{\mathbb {G}}_T,e) \xleftarrow {\$} {\mathcal {G}}_{abpg}(1^{\lambda })\),

   \({\mathbf {B}}=({\chi }_{i,j})\xleftarrow {\$}GL(3,{\mathbb {Z}}_q)\), \(({\phi }_{i,j})=({\mathbf {B}}^T)^{-1}, \)

   \(\kappa \xleftarrow {\$}{\mathbb {Z}}_q, {\varvec{b}}_i=\kappa \sum _{j=1}^n {\chi }_{i,j} {\varvec{a}}_j\) for \(i=1,2,3\), \({\mathbb {B}}=\{{\varvec{b}}_1, {\varvec{b}}_2, {\varvec{b}}_3\}, \)

   \(\xi \xleftarrow {\$}{\mathbb {Z}}_q, {\varvec{b}}_i^*=\xi \sum _{j=1}^n{\phi }_{i,j}{\varvec{a}}_j^*\) for \(i=1,3\), \(\widehat{{\mathbb {B}}}^*=\{{\varvec{b}}_1^*, {\varvec{b}}_3^*\}, \)

   \(g_T= e(g_1,g_2)^{\kappa \xi }\), \(\delta , \sigma \xleftarrow {\$} {\mathbb {Z}}_q\), \(\rho \xleftarrow {\$} {\mathbb {Z}}_q^{\times }\),

   \({\varvec{y}}_0 = (\delta , 0, \sigma )_{{\mathbb {B}}}\), \({\varvec{y}}_1 = (\delta , \rho , \sigma )_{{\mathbb {B}}}\).

Definition 7

(Problem 1). Problem 1 is to guess \(b \in \{0, 1\}\), given \(((q,{\mathbb {G}}_1, {\mathbb {G}}_2,{\mathbb {G}}_T,\) \(e), \widehat{{\mathbb {B}}},\widehat{{\mathbb {B}}}^*, {\varvec{Y}}_b)\), where

   \(({\mathbb {B}}, {\mathbb {B}}^*,(q,{\mathbb {G}}_1,{\mathbb {G}}_2,{\mathbb {G}}_T,e)) \xleftarrow {\$} {\mathcal {G}}_{ob}(1^{\lambda }, n+6)\),

   \(\widehat{{\mathbb {B}}} = \{{\varvec{b}}_1,..., {\varvec{b}}_n, {\varvec{b}}_{n+1}, {\varvec{b}}_{n+2}, {\varvec{b}}_{n+5}\}\), \(\widehat{{\mathbb {B}}}^* = \{{\varvec{b}}_1^*,..., {\varvec{b}}_n^*, {\varvec{b}}_{n+3}^*, {\varvec{b}}_{n+4}^*, {\varvec{b}}_{n+6}^*\}\),

   \(\alpha , \beta \xleftarrow {\$}{\mathbb {Z}}_q\), \(\eta \xleftarrow {\$} {\mathbb {Z}}_q^{\times }\),

   \({\varvec{Y}}_0 = (0^n,\alpha , \beta ,0,0,\eta ,0)_{{\mathbb {B}}}\), \({\varvec{Y}}_1 = (0^n,\alpha , \beta ,0,0,\eta ,\zeta ')_{{\mathbb {B}}}\).

Definition 8

(Problem 2). Problem 2 is to guess \(b \in \{0, 1\}\), given \(((q,{\mathbb {G}}_1, {\mathbb {G}}_2,{\mathbb {G}}_T,\) \(e), \widehat{{\mathbb {B}}},\widehat{{\mathbb {B}}}^*, {\varvec{Y}}_b)\), where

   \(({\mathbb {B}}, {\mathbb {B}}^*,(q,{\mathbb {G}}_1,{\mathbb {G}}_2,{\mathbb {G}}_T,e)) \xleftarrow {\$} {\mathcal {G}}_{ob}(1^{\lambda }, n+6)\),

   \(\widehat{{\mathbb {B}}} = \{{\varvec{b}}_1,..., {\varvec{b}}_n, {\varvec{b}}_{n+1}, {\varvec{b}}_{n+2}, {\varvec{b}}_{n+5}\}\), \(\widehat{{\mathbb {B}}}^* = \{{\varvec{b}}_1^*,..., {\varvec{b}}_n^*, {\varvec{b}}_{n+3}^*, {\varvec{b}}_{n+4}^*, {\varvec{b}}_{n+6}^*\}\),

   \(\alpha , \beta , \eta \xleftarrow {\$}{\mathbb {Z}}_q\), \(\zeta ' \xleftarrow {\$} {\mathbb {Z}}_q^{\times }\),

   \({\varvec{Y}}_0 = (0^n,\alpha , \beta ,0,0,\eta ,\zeta ')_{{\mathbb {B}}}\), \({\varvec{Y}}_1 = (0^n,\alpha , \beta ,0,0,0,\zeta ')_{{\mathbb {B}}}\).

Definition 9

(Problem 3). Problem 3 is to guess \(b \in \{0, 1\}\), given \(((q,{\mathbb {G}}_1, {\mathbb {G}}_2,{\mathbb {G}}_T,\) \(e), \widehat{{\mathbb {B}}},\widehat{{\mathbb {B}}}^*, {\varvec{Y}}_b^*)\), where

   \(({\mathbb {B}}, {\mathbb {B}}^*,(q,{\mathbb {G}}_1,{\mathbb {G}}_2,{\mathbb {G}}_T,e)) \xleftarrow {\$} {\mathcal {G}}_{ob}(1^{\lambda }, n+6)\),

   \(\widehat{{\mathbb {B}}} = \{{\varvec{b}}_1,..., {\varvec{b}}_n, {\varvec{b}}_{n+1}, {\varvec{b}}_{n+2}, {\varvec{b}}_{n+5}\}\), \(\widehat{{\mathbb {B}}}^* = \{{\varvec{b}}_1^*,..., {\varvec{b}}_n^*, {\varvec{b}}_{n+3}^*, {\varvec{b}}_{n+4}^*, {\varvec{b}}_{n+6}^*\}\) ,

   \(\theta , \gamma , \zeta \xleftarrow {\$}{\mathbb {Z}}_q\), \(\eta ' \xleftarrow {\$} {\mathbb {Z}}_q^{\times }\),

   \({\varvec{Y}}_0^* = (0^n,0,0,\theta , \gamma , 0,\zeta )_{{\mathbb {B}}^*}\), \({\varvec{Y}}_1^* = (0^n,0,0,\theta , \gamma , \eta ',\zeta )_{{\mathbb {B}}^*}\).

Definition 10

(Problem 4). Problem 4 is to guess \(b \!\in \! \{0, 1\}\), given \(((q,{\mathbb {G}}_1, {\mathbb {G}}_2,{\mathbb {G}}_T,\) \(e), \widehat{{\mathbb {B}}},\widehat{{\mathbb {B}}}^*, {\varvec{Y}}_b^*)\), where

   \(({\mathbb {B}}, {\mathbb {B}}^*,(q,{\mathbb {G}}_1,{\mathbb {G}}_2,{\mathbb {G}}_T,e)) \xleftarrow {\$} {\mathcal {G}}_{ob}(1^{\lambda }, n+6)\),

   \(\widehat{{\mathbb {B}}} = \{{\varvec{b}}_1,..., {\varvec{b}}_n, {\varvec{b}}_{n+1}, {\varvec{b}}_{n+2}, {\varvec{b}}_{n+5}\}\), \(\widehat{{\mathbb {B}}}^* = \{{\varvec{b}}_1^*,..., {\varvec{b}}_n^*, {\varvec{b}}_{n+3}^*, {\varvec{b}}_{n+4}^*, {\varvec{b}}_{n+6}^*\}\),

   \(\theta , \gamma , \zeta \xleftarrow {\$}{\mathbb {Z}}_q\), \(\eta ' \xleftarrow {\$} {\mathbb {Z}}_q^{\times }\),

   \({\varvec{Y}}_0^* = (0^n,0,0,\theta , \gamma , \eta ',\zeta )_{{\mathbb {B}}^*}\), \({\varvec{Y}}_1^* = (0^n,0,0,\theta , \gamma , \eta ',0)_{{\mathbb {B}}^*}\).

For a PPT adversary \({\mathcal {A}}\), the advantage of \({\mathcal {A}}\) for Problem n, where \(n = 0,1,2,3,4,\) is defined as:

$$\begin{aligned} \mathrm {Adv}_{{\mathcal {A}}}^{\mathrm {Prob_n}}(\lambda )=|\mathrm {Pr}[\mathrm {Exp}_{{\mathcal {A}}}^{P_0}(1^\lambda )=1]-\mathrm {Pr}[\mathrm {Exp}_{{\mathcal {A}}}^{P_1}(1^\lambda )=1]|, \end{aligned}$$

where the instance is by definition \(P_0\) if \(b=0\) and \(P_1\) if \(b=1\).

Lemma 1

(Lemma 14 in the full version of [12]). Suppose the XDLIN assumption holds in \({\mathbb {G}}_1\) and \({\mathbb {G}}_2\). Then for every PPT adversary \({\mathcal {B}}\), there is an adversary \({\mathcal {A}}\) such that \(\mathrm {Adv}_{{\mathcal {B}}}^{\mathrm {Prob_0}}(\lambda )\le \mathrm {Adv}_{{\mathcal {A}}}^{\mathrm {XDLIN}}(\lambda ) +5/q\).

Lemma 2

Suppose the XDLIN assumption holds in \({\mathbb {G}}_1\) and \({\mathbb {G}}_2\). Then for every PPT adversary \({\mathcal {B}}\), there is an adversary \({\mathcal {A}}\) such that \(\mathrm {Adv}_{{\mathcal {B}}}^{\mathrm {Prob_1}}(\lambda )\le \mathrm {Adv}_{{\mathcal {A}}}^{\mathrm {Prob_0}}(\lambda )\).

Lemma 3

Suppose the XDLIN assumption holds in \({\mathbb {G}}_1\) and \({\mathbb {G}}_2\). Then for every PPT adversary \({\mathcal {B}}\), there is an adversary \({\mathcal {A}}\) such that \(\mathrm {Adv}_{{\mathcal {B}}}^{\mathrm {Prob_2}}(\lambda )\le \mathrm {Adv}_{{\mathcal {A}}}^{\mathrm {Prob_0}}(\lambda )\).

Lemma 4

Suppose the XDLIN assumption holds in \({\mathbb {G}}_1\) and \({\mathbb {G}}_2\). Then for every PPT adversary \({\mathcal {B}}\), there is an adversary \({\mathcal {A}}\) such that \(\mathrm {Adv}_{{\mathcal {B}}}^{\mathrm {Prob_3}}(\lambda )\le \mathrm {Adv}_{{\mathcal {A}}}^{\mathrm {Prob_0}}(\lambda )\).

Lemma 5

Suppose the XDLIN assumption holds in \({\mathbb {G}}_1\) and \({\mathbb {G}}_2\). Then for every PPT adversary \({\mathcal {B}}\), there is an adversary \({\mathcal {A}}\) such that \(\mathrm {Adv}_{{\mathcal {B}}}^{\mathrm {Prob_4}}(\lambda )\le \mathrm {Adv}_{{\mathcal {A}}}^{\mathrm {Prob_0}}(\lambda )\).

Theorem 1

Under the XDLIN assumption the proposed scheme is many-AD-SIM-secure.

The proofs of Lemmas 2–5 and Theorem 1 are given in the full version of this paper.