Practical Inner Product Encryption with Constant Private Key ^†

Abstract

Inner product encryption, first introduced by Katz et al., is a type of predicate encryption in which a ciphertext and a private key correspond to an attribute vector and a predicate vector, respectively. Only if the attribute and predicate vectors satisfy the inner product predicate will the decryption in this scheme be correct. In addition, the ability to use inner product encryption as an underlying building block to construct other useful cryptographic primitives has been demonstrated in the context of anonymous identity-based encryption and hidden vector encryption. However, the computing cost and communication cost of performing inner product encryption are very high at present. To resolve this problem, we introduce an efficient inner product encryption approach in this work. Specifically, the size of the private key is only one $\mathbb{G}$ element and one ${\mathbb{Z}}_p$ element, and decryption requires only one pairing computation. The formal security proof and implementation result are also demonstrated. Compared with other state-of-the-art schemes, our scheme is the most efficient in terms of the number of pairing computations for decryption and the private key length.

1. Introduction

Inner product encryption (IPE), first introduced by Katz et al. [1], is a type of predicate encryption [2] in which a ciphertext and a private key correspond to an attribute vector $\mathbf{x}$ and a predicate vector $y$, respectively. In particular, the decryption will be correct if and only if the attribute vector and the predicate vector satisfy the inner product predicate, meaning that the inner product operation of $\mathbf{x}$ and $\mathbf{y}$ equals zero ($\langle \mathbf{x},\mathbf{y}\rangle =0$). Over the past decade, many IPE schemes have been proposed, such as those based on pairing [3,4,5,6,7] and lattice [8,9,10,11]. The security definition of an IPE scheme [1] can be naturally extended from the IND–CPA security of identity-based encryption [12,13,14]. More precisely, under the security approach of IPE, an adversary learns nothing about the encrypted message from a ciphertext associated with an attribute vector $\mathbf{x}$ if they do not own the private key associated with a predicate vector $\mathbf{y}$ such that $\langle \mathbf{x},\mathbf{y}\rangle =0$. Such a definition is also called the IND–CPA security for IPE scheme in some papers [15] and is defined as the payload-hiding property in [1]. Alternatively, the security definition defined in [1], called the attribute-hiding property, states that a ciphertext reveals nothing about the corresponding ciphertext attribute $\mathbf{x}$. However, we emphasize that the attribute-hiding property is not an absolutely necessary property for IPE. Many IPE schemes proposed in the literature achieve only IND–CPA security/payload hiding, such as that in [15,16,17].

In addition to their usefulness in fine-grained access control, IPE schemes can be used to construct various cryptographic primitives or can be converted to more complex primitives, such as identity-based encryption [12,13,14], hidden vector encryption [2,18] and subset predicate encryption [19,20]. We refer readers to the work presented in [1,19] for details.

Although many IPE schemes have been introduced, the computing cost and communication cost of these schemes are high. In particular, the pairing operation required by existing pairing-based IPE schemes is typically linearly related to the vector length; therefore, the computational efficiency of these schemes is low. Moreover, the size of the private key of most schemes is linearly related to vector lengths. However, although the existing lattice-based IPE schemes are considered quantum-resistant, the key size of almost all schemes is too large or the message space is too small. In addition, Internet of Things devices are gradually becoming common in daily life; however, the problems mentioned in the preceding discussion make the application of an IPE scheme impractical for these resource-constrained devices. Thus, an unresolved question remains: can we obtain an efficient IPE scheme by reducing the cost of decryption and optimizing the length of the private key?

1.1. Our Contributions

Herein, we resolve the aforementioned problem by introducing an effective IPE scheme. In particular, in the proposed scheme, the length of a private key is independent of the length of the predicate vector. In addition, the decryption only requires one pairing operation; thus, the decryption is also independent of the length of the predicate vector. Rigorous proofs are provided to demonstrate that, under a modified decisional Diffie–Hellman assumption, our proposed scheme is coselective IND–CPA secure. Moreover, our proposed scheme is more efficient than other advanced schemes, as listed in Tables 1 and 3.

1.2. Related Works

1.2.1. Pairing-Based IPE Schemes

The first IPE scheme, introduced by Katz et al. [1], entails the evaluation of predicates over ${\mathbb{Z}}_N$ using the inner product, where N is a composite number. After this pioneering work, many studies followed. For example, Okamoto and Takashima [3] proposed the first hierarchical predicate encryption method (or delegable predicate encryption) for inner product predicates; this provides a user with functionality to delegate more restrictive functionality to another user. Attrapadung and Libert [16] constructed an IPE scheme that solves the inefficiency problem of the previous scheme. More precisely, provided that the description of the ciphertext attribute vector is not included in the ciphertext, the ciphertext overhead of the scheme is reduced to $O\left(1\right)$. By combining dual system encryption [21] and dual pairing vector spaces [3] carefully, Lewko et al. [22] obtained the first fully secure IPE scheme and hierarchical predicate encryption under the n-extended decisional Diffie–Hellman assumption. However, the security of all these previous studies was based on nonstandard assumptions. To resolve this issue, Park [23] developed the first IPE scheme under the standard assumptions (i.e., decisional bilinear Diffie–Hellman and decisional linear (DLIN) assumptions). Okamoto and Takashima [24] then introduced two nonzero inner product encryption schemes that support constant-size ciphertexts and a constant-size secret key, respectively, which are adaptively secure under the DLIN assumption in the standard model. The authors also proposed the first IPE scheme that is fully secure and fully attribute-hiding [25] as well as the first unbounded IPE scheme that is also fully secure and fully attribute-hiding in the standard model under the DLIN assumption [26]. Kawiai and Takashima [27] introduced a new notion, called IPE with ciphertext conversion, which considers the security of predicate-hiding. Zhenlin and Wei [28] then introduced another concept, called multiparty cloud computation IPE with multiplicative homomorphic property, which enables an IPE scheme to support multiparty cloud computation. Kim et al. [29] proposed a new efficient IPE scheme that only requires n exponentiation and three pairing computations for decryption. Huang et al. [30] proposed the first enabled–disabled IPE, which supports timed-release services and data self-destruction. Ramanna [15] constructed two IPE schemes using tag-based quasi-adaptive noninteractive zero knowledge, where the first and second both have the property of constant-size ciphertext but only the second has the property of attribute-hiding. Zhang et al. [7] recently proposed a new IPE scheme based on a double encryption system; it has been demonstrated to achieve adaptive security under a weak attribute-hiding model.

As discussed subsequently, extensive research has focused on the developed and proposed schemes; however, the private key length of most schemes is linearly dependent on the vector length or requires many pairing operations, making these schemes impractical. Thus, determining how to construct a more practical scheme remains a critical area of research.

1.2.2. Lattice-Based IPE Schemes

To fend off attack from quantum computers in the future, Agrawal et al. [8] proposed the first IPE scheme based on the lattice hard assumption (i.e., the learning with error assumption, which is believed to be able to withstand quantum attacks); to do so, they modified an identity-based encryption approach proposed by Agrawal et al. [31]. Xagawa [9], inspired by the work of Agrawal et al., proposed an improved lattice-based IPE scheme that reduced the size of public parameters and ciphertext. Li et al. [10] proposed a lattice-based IPE scheme that further reduced the size of public parameters and ciphertext. In contrast to [9], their work reduced the size by a factor of $logn$, where n is the security parameter. Wang et al. [11] recently proposed the first compact IPE scheme that employs an IPE scheme [9], fully homomorphic encryption [32] and vector-encoding schemes [33]. Although these constructions are thought to be able to withstand quantum computer attacks, they are based on the learning with errors assumption, resulting in key lengths that are still too large to be practical.

1.3. Organization

The remainder of this paper is organized as follows. In Section 2, we start by discussing some preliminaries on bilinear maps, complexity assumptions and the definition of IPE. In Section 3, we then propose our IPE scheme and demonstrate its correctness. In Section 4, we subsequently demonstrate security proofs using a modified decisional Diffie–Hellman problem, and then in Section 5, we compare our approach with other state-of-the-art schemes and reveal the implementation results. In Section 6, we finally conclude the paper.

2. Preliminaries

Herein, we present the necessary preliminaries, such as notations, complex assumptions, and the definition of an IPE scheme.

2.1. Notations

Throughout this paper, we use $x\stackrel{\$}{\leftarrow }S$ to denote “choose an element x randomly and uniformly from the set S” and $x\leftarrow A$ to denote “x is the output of the algorithm A”. Moreover, we use $\mathbf{a}$ to denote a vector and use ${\mathbf{a}}_i$ to denote the i-th entry of vector $\mathbf{a}$. The inner product of these two vectors $\mathbf{x},\mathbf{y}$ is denoted as $\langle \mathbf{x},\mathbf{y}\rangle$. For a prime p, we use ${\mathbb{Z}}_p$ to denote the set of integers modulo p. Finally, we use $\mathbb{N}$ and $\mathbb{Z}$ to denote the set of positive integers and integers, respectively.

2.2. Bilinear Maps

Let $\mathbb{G}$ and ${\mathbb{G}}_T$ be an additive and a multiplicative cyclic group, respectively; here, the order of $\mathbb{G}$ and ${\mathbb{G}}_T$ is a large prime p (i.e., $\left|\mathbb{G}\right|=|{\mathbb{G}}_T|=p$). Then, let P be a generator of $\mathbb{G}$. A bilinear map (pairing) $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ is a mapping with the following properties:

• Bilinearity: For $a,b\in {\mathbb{Z}}_p$, $e(aP,bP)=e{(P,P)}^{ab}$.
• Nondegeneracy: $\exists P\in \mathbb{G}$, such that $e(P,P)\ne 1_{{\mathbb{G}}_T}$.
• Computability: The mapping e is efficiently computable.

In this work, we take advantage of the generalized decisional Diffie–Hellman exponent (GDDHE) problem, based on [34]. The GDDHE problem is a generic framework within which new complexity assumptions can be created. We first give an overview of the GDDHE problem. Let

• p be a prime;
• $s,n$ be two positive integers;
• $P,Q\in {\mathbb{F}}_p{[{\mathbf{x}}_1,\cdots ,{\mathbf{x}}_n]}^s$ be two s-tuple of n-variate polynomials over ${\mathbb{F}}_p$; and
• f be an n-variate polynomial in ${\mathbb{F}}_p[X_1,\cdots ,X_n]$.

$Q,Q_T$ are two ordered sets with multivariate polynomials, and thus, we define $Q=(q_1,q_2,\cdots ,q_s)$ and $R=(r_1,r_2,\cdots ,r_s)$. As stated in [34], we require $p_1=q_1=1$ to be two constant polynomials. Consider a bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ with the generator P of $\mathbb{G}$ and $g_T=e(P,P)\in {\mathbb{G}}_T$. For a vector $(x_1,x_2,\cdots ,x_n)\in {\mathbb{F}}_p^n$, we define

$$Q(x_1,x_2,\cdots ,x_n)P=(q_1(x_1,x_2,\cdots ,x_n)P,\cdots ,q_s(x_1,x_2,\cdots ,x_n)P)\in {\mathbb{G}}^s,$$

and

$$g_T^{R(x_1,x_2,\cdots ,x_n)}=(g_T^{r_1(x_1,x_2,\cdots ,x_n)},\cdots ,g_T^{r_s(x_1,x_2,\cdots ,x_n)})\in {\mathbb{G}}_T^s.$$

By “f depends on $(Q,R)$” we mean that there are $s^2+s$ constants ${\left\{a_{i,j}\right\}}_{i,j=1}^s$ and ${\left\{b_k\right\}}_{k=1}^s$ such that

$$f=\sum _{i,j=1}^s{a}_{i,j}{q}_i{q}_j+\sum _{k=1}^s{b}_k{r}_k.$$

We say that f is independent of $(Q,R)$ if f does not depend on $(Q,R)$.

Definition 1 (The $(Q,R,f)$-GDDHE Problem).

Given $(Q(x_1,\cdots ,x_n)P,g_T^{R(x_1,\cdots ,x_n)},Z)\in {\mathbb{G}}^s\times {\mathbb{G}}_T^s\times {\mathbb{G}}_T$, decide if $Z\stackrel{?}{=}{g}_T^{f(x_1,\cdots ,x_n)}$.

Then, for an algorithm $\mathcal{A}$, the advantage of $\mathcal{A}$ in solving the $(Q,R,f)$-GDDHE problem is defined as

$$Ad{v}^{(Q,R,f)-\mathsf{GDDHE}}\left(\mathcal{A}\right)=\left|\mathcal{A}\left(Q(x_1,\cdots ,x_n)P,g_T^{R(x_1,\cdots ,x_n)},g_T^{f(x_1,\cdots ,x_n)}\right)\right.-\mathcal{A}\left(Q(x_1,\cdots ,x_n)P,g_T^{R(x_1,\cdots ,x_n)},Z\stackrel{\$}{\leftarrow }{\mathbb{G}}_T\right).$$

Boneh et al. propose that the $(Q,R,f)$-GDDHE problem is difficult if f is independent of $(Q,R)$ and demonstrate that a large class of hard problems can be fit into the framework of the GDDHE problem; for instance, the DDH problem over ${\mathbb{G}}_T$.

Definition 2 (The decisional Diffie–Hellman problem over ${\mathbb{G}}_T$ (DDH${}_{{\mathbb{G}}_T}$ problem)).

Let $g_T=e(P,P)$ be a generator of ${\mathbb{G}}_T$. Given $(P,g_T,A=g_T^a,B=g_T^b,C)\in \mathbb{G}\times {\mathbb{G}}_T^4$, where $a,b\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$, decide whether $C=g_T^{ab}$ or an random element from ${\mathbb{G}}_T$.

By setting $Q=\left(1\right),R=(1,a,b),f=ab$, the DDH problem over ${\mathbb{G}}_T$ is equivalent to the $(Q,R,f)$-GDDHE problem. Observe that no constants exist such that the linear combination of $1,a,b$ equals $ab$; therefore, f is independent of $(Q,R)$. Given the result of Boneh et al., we conclude that no algorithm is available with which to solve the DDH${}_{{\mathbb{G}}_T}$ problem with a nonnegligible advantage. See [34] for additional details.

Next, we present a modified version of the DDH${}_{{\mathbb{G}}_T}$ problem, which will be used in the security proof.

Definition 3 (The modified decisional Diffie–Hellman problem over ${\mathbb{G}}_T$ (M-DDH${}_{{\mathbb{G}}_T}$ problem)).

Let $g_T=e(P,P)$ be a generator of ${\mathbb{G}}_T$. Given $(P,A^{\prime }=aP,g_T,A=g_T^a,B=g_T^b,C)\in {\mathbb{G}}^2\times {\mathbb{G}}_T^4$, where $a,b\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$, decide whether $C=g_T^{ab}$ or a random element from ${\mathbb{G}}_T$.

Theorem 1 (The modified decisional Diffie–Hellman assumption over ${\mathbb{G}}_T$ (M-DDH${}_{{\mathbb{G}}_T}$ assumption)).

We say that the M-DDH${}_{{\mathbb{G}}_T}$ assumption holds if there is no algorithm $\mathcal{D}$ for solving the M-DDH${}_{{\mathbb{G}}_T}$ problem with a nonnegligible advantage.

Proof. 

Compared with the DDH${}_{{\mathbb{G}}_T}$ problem, the instance of the M-DDH${}_{{\mathbb{G}}_T}$ problem contains an additional element $A^{\prime }=aP$. The M-DDH${}_{{\mathbb{G}}_T}$ problem is equivalent to the $(Q,R,f)$-GDDHE problem with

$$Q=(1,a),R=(1,a,b),f=ab.$$

No constants exist such that the linear combination of the monomials $(1·a),1,a,b$ equals the polynomial $ab$. Therefore, considering the the results of Boneh et al., we conclude that the M-DDH${}_{{\mathbb{G}}_T}$ problem is hard. Moreover, we define the advantage for an algorithm $\mathcal{D}$ in solving the M-DDH${}_{{\mathbb{G}}_T}$ problem as

$$Ad{v}^{M-DD{H}_{{\mathbb{G}}_T}}\left(\mathcal{D}\right)=\left|Pr[\mathcal{D}(P,A^{\prime },g_T,A,B,C=g_T^{ab})=1]\right.-\left.Pr[\mathcal{D}(P,A^{\prime },g_T,A,B,C\stackrel{\$}{\leftarrow }{\mathbb{G}}_T)=1]\right|.$$

 □

2.3. Definition of Inner Product Encryption

An IPE scheme consists of four algorithms: Setup, KeyGen, Encrypt and Decrypt. The details of the algorithms are as follows:

• $\mathbf{Setup}(1^{\lambda },1^{\ell }).$ Take as inputs the security parameters $(1^{\lambda },1^{\ell })$, where $\lambda ,\ell \in \mathbb{N}$, and the algorithm outputs the system parameter $\mathtt{params}$ and the master secret key $\mathtt{msk}$. The descriptions of the attribute vector space $\mathfrak{A}$ and the predicate vector space $\mathfrak{P}$ are implicitly included in $\mathtt{params}$. Moreover, the inner product operation over $\mathfrak{A}$ and $\mathfrak{P}$ must be well defined.
• $\mathbf{Encrypt}(\mathtt{params},\mathbf{x},M).$ Given the system parameter $\mathtt{params}$, an attribute vector $\mathbf{x}\in \mathfrak{A}$ and a message M, the algorithm outputs a ciphertext ${\mathtt{C}}_{\mathbf{x}}$ for the attribute vector $\mathbf{x}$.
• $\mathbf{KeyGen}(\mathtt{params},\mathtt{msk},\mathbf{y}).$ Given the system parameter $\mathtt{params}$ and a predicate vector $\mathbf{y}\in \mathfrak{P}$, the algorithm outputs the private key ${\mathtt{K}}_{\mathbf{y}}$ for the predicate vector $\mathbf{y}$.
• $\mathbf{Decrypt}(\mathtt{params},{\mathtt{C}}_{\mathbf{x}},{\mathtt{K}}_{\mathbf{y}})$. Given the system parameter $\mathtt{params}$, a ciphertext ${\mathtt{C}}_{\mathbf{x}}$ and the private key ${\mathtt{K}}_{\mathbf{y}}$, the algorithm outputs a message M or a error symbol ⊥.

The correctness is defined as follows. For all $\lambda ,\ell \in \mathbb{N}$, let ${\mathtt{C}}_{\mathbf{x}}\leftarrow \mathbf{Encrypt}(\mathtt{params},\mathbf{x}\in \mathfrak{A},M)$ and let ${\mathtt{K}}_{\mathbf{y}}\leftarrow \mathbf{KeyGen}(\mathtt{params},\mathtt{msk},\mathbf{y}\in \mathfrak{P})$; thus, we have

$$\begin{array}{cc}M\leftarrow \mathbf{Decrypt}(\mathtt{params},{\mathtt{C}}_{\mathbf{x}},{\mathtt{K}}_{\mathbf{y}})& \mathrm{if}\langle \mathbf{x},\mathbf{y}\rangle =0;\hfill \\ \perp \leftarrow \mathbf{Decrypt}(\mathtt{params},{\mathtt{C}}_{\mathbf{x}},{\mathtt{K}}_{\mathbf{y}})& \mathrm{if}\langle \mathbf{x},\mathbf{y}\rangle \ne 0,\hfill \end{array}$$

where $(\mathsf{params},\mathsf{msk})\leftarrow \mathbf{Setup}(1^{\lambda },1^{\ell })$.

2.4. Security Model

Here, we first introduce IND–CPA security for IPE. The IND–CPA game of IPE for the attribute vector space $\mathfrak{A}$ and predicate vector space $\mathfrak{P}$ is defined as an interactive game between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

• Setup. The challenger $\mathcal{C}$ runs $\mathbf{Setup}(1^{\lambda },1^{\ell })$ and sends the system parameter $\mathtt{params}$ to the adversary $\mathcal{A}$.
• Query Phase 1. The challenger polynomially answers many private key queries for $\mathbf{y}\in \mathfrak{P}$ for the adversary $\mathcal{A}$ by returning ${\mathtt{K}}_{\mathbf{y}}\leftarrow \mathbf{KeyGen}(\mathtt{params},\mathtt{msk},\mathbf{y})$.
• Challenge. The adversary $\mathcal{A}$ submits an attribute vector ${\mathbf{x}}^{*}\in \mathfrak{A}$ such that $\langle {\mathbf{x}}^{*},\mathbf{y}\rangle \ne 0$ for all $\mathbf{y}$ that have been queried in Query Phase 1 and two messages $M_0,M_1$ with the same length to challenger $\mathcal{C}$. Then, $\mathcal{C}$ randomly chooses $\beta \in \{0,1\}$ and returns a challenge ciphertext ${\mathtt{C}}_{{\mathbf{x}}^{*}}\leftarrow \mathbf{Encrypt}(\mathtt{params},{\mathbf{x}}^{*},M_{\beta })$.
• Query Phase 2. This phase is the same as Query Phase 1, except that the adversary is not allowed to make a query with $\mathbf{y}\in \mathfrak{P}$ such that $\langle {\mathbf{x}}^{*},\mathbf{y}\rangle \ne 0$.
• Guess. The adversary $\mathcal{A}$ outputs a bit ${\beta }^{\prime }$ and wins the game if ${\beta }^{\prime }=\beta$.

The advantage of an adversary for winning the IND–CPA game is defined as

$$Ad{v}^{\mathsf{IND}-\mathsf{CPA}}\left(\mathcal{A}\right)=\left|Pr[{\beta }^{\prime }=\beta ]-\frac{1}{2}\right|.$$

Definition 4 (IND–CPA Security for IPE).

We say that an IPE is IND–CPA secure if there is no probabilistic polynomial-time adversary $\mathcal{A}$ who wins the IND–CPA game with a nonnegligible advantage.

As we mentioned in Section 1, in some literature [1,23], the security notions for an IPE are defined with the notions “payload hiding” and “attribute hiding”. Informally, payload-hiding (or attribute-hiding) is defined to argue that a ciphertext leaks no information about the encrypted message (or attribute vector). The IND–CPA security shown in this section is equivalent to payload-hiding. We emphasize that attribute-hiding is unnecessary for an IPE scheme; in [15,16,17], schemes have been proposed satisfying only payload hiding.

We next present the selective security and the coselective security [16,35] for IPE. The selective IND-CPA (sIND-CPA) game is defined the same as the IND-CPA game, except that the adversary $\mathcal{A}$ is forced to commit before the Setup phase to an attribute vector ${\mathbf{x}}^{*}$, and $\mathcal{A}$ is not allowed to make private key queries with $\mathbf{y}$ such that $\langle {\mathbf{x}}^{*},\mathbf{y}\rangle \ne 0$ in both Query Phase 1 and Query Phase 2.

Definition 5 (sIND-CPA Security for IPE).

An IPE scheme is said to be sIND–CPA secure if no probabilistic polynomial-time adversary wins the sIND–CPA game with a nonnegligible advantage.

The coselective IND–CPA (csIND–CPA) game is defined as equal to the IND–CPA game, except that the adversary $\mathcal{A}$ is forced to commit before the Setup phase q to predicate vectors ${\mathbf{y}}^{\left(1\right)},\cdots ,{\mathbf{y}}^{\left(q\right)}$ for the private key queries, where q is a polynomial in the security parameter $\lambda$ and $\mathcal{A}$ is required to invoke the Challenge phase with an attribute vector ${\mathbf{x}}^{*}$ such that $\langle {\mathbf{x}}^{*},{\mathbf{y}}^{\left(j\right)}\rangle \ne 0$ for $j=1,\cdots ,q$.

Definition 6 (csIND–CPA Security for IPE).

An IPE scheme is said to be csIND–CPA secure if no probabilistic polynomial-time adversary wins the csIND–CPA game with a nonnegligible advantage.

Coselective security can be understood as a complementary notion to selective security. In the selective security game, the adversary can learn the private key in accordance with its previous choices, whereas in the coselective security game, the adversary can choose its target after seeing the public parameter and learning the private keys of its choice. Although selective security and coselective security are weaker than full security, both notions are, by definition, incomparable in general by definition.

3. Proposed Inner Product Encryption Scheme

Our IPE scheme consists of four algorithms: $\mathbf{Setup}$, $\mathbf{KeyGen}$, $\mathbf{Encrypt}$ and $\mathbf{Decrypt}$. The details of the proposed scheme are explained in the following.

• $\mathbf{Setup}(1^{\lambda },1^{\ell }).$ Given the security parameters $(1^{\lambda },1^{\ell })$, where $\lambda ,\ell \in \mathbb{N}$, the algorithm performs as follows.
  • Choose bilinear groups $\mathbb{G},{\mathbb{G}}_T$ of prime order $p>2^{\lambda }$. Let P and $g_T=e(P,P)$ be the generator of $\mathbb{G}$ and ${\mathbb{G}}_T$, respectively.
  • Set the predicate vector space and the attribute vector space to ${\mathbb{Z}}_p^{\ell }$.
  • Choose $\mathbf{s}=(s_1,s_2,\cdots ,s_{\ell })\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{\ell }$.
  • Compute $\widehat{\mathbf{h}}={\left(g_T^{s_i}\right)}_{i=1}^{\ell }=({\widehat{h}}_1,\cdots ,{\widehat{h}}_{\ell })$.
  • Output the system parameter $\mathtt{params}=(P,g_T,\widehat{\mathbf{h}})$, and the master secret key $\mathtt{msk}=\mathbf{s}$.
• $\mathbf{Encrypt}(\mathtt{params},\mathbf{x},M).$ Given the system parameter $\mathtt{params}$, a vector $\mathbf{x}=(x_1,x_2,\cdots ,x_{\ell })\in {\mathbb{Z}}_p^{\ell }$, and a message $M\in {\mathbb{G}}_T$, the algorithm performs as follows.
  • Choose $r,\delta \stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$.
  • Compute ${\mathtt{C}}_0=rP$, and ${\widehat{\mathtt{C}}}_0=g_T^r$.
  • Compute ${\mathtt{C}}_i={\widehat{h}}_i^r·g_T^{\delta x_i}·M$ for $i=1$ to ℓ.
  • Output the ciphertext ${\mathtt{C}}_{\mathbf{x}}=({\mathtt{C}}_0,{\widehat{\mathtt{C}}}_0,{\mathtt{C}}_1,{\mathtt{C}}_2,\cdots ,{\mathtt{C}}_{\ell })$.
• $\mathbf{KeyGen}(\mathtt{params},\mathtt{msk},\mathbf{y}).$ Given the system parameter $\mathtt{params}$, a master secret key $\mathtt{msk}$, and a vector $\mathbf{y}=(y_1,y_2,\cdots ,y_{\ell })\in {\mathbb{Z}}_p^{\ell }$, where ${\sum }_{i=1}^{\ell }{\mathbf{y}}_i\ne 0$, the algorithm performs as follows.
  • Choose $k\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$.
  • Compute ${\mathtt{K}}_0=kP$, and ${\mathtt{K}}_1=\langle s,\mathbf{y}\rangle +kmodp$.
  • Output the private key ${\mathtt{K}}_{\mathbf{y}}=({\mathtt{K}}_0,{\mathtt{K}}_1)$.
• $\mathbf{Decrypt}(\mathtt{params},{\mathtt{C}}_{\mathbf{x}},{\mathtt{K}}_{\mathbf{y}})$. Given the system parameter $\mathtt{params}$, a ciphertext ${\mathtt{C}}_{\mathbf{x}}$, and the private key ${\mathtt{K}}_{\mathbf{y}}$, where $\mathrm{y}=(y_1,y_2,\cdots ,y_{\ell })$ the algorithm performs as follows.
  • Compute ${\mathtt{D}}_0=e({\mathtt{K}}_0,{\mathtt{C}}_0)$.
  • Compute ${\mathtt{D}}_1={\prod }_{i=1}^{\ell }{\mathtt{C}}_i^{y_i}$.
  • Compute ${\displaystyle \mathtt{D}=\frac{{\mathtt{D}}_0·{\mathtt{D}}_1}{{\widehat{\mathtt{C}}}_0^{{\mathtt{K}}_1}}}$.
  • Compute $d={\left({\sum }_{i=1}^{\ell }{y}_i\right)}^{-1}modp$.
  • Compute $M={\mathtt{D}}^d$.

Correctness

The correctness of the proposed scheme is shown as follows.

• $D_0=e({\mathtt{K}}_0,{\mathtt{C}}_0)=e(kP,rP)=g_T^{kr}$.
• $D_1={\prod }_{i=1}^{\ell }{\mathtt{C}}_i^{y_i}={\prod }_{i=1}^{\ell }{({\widehat{h}}_i^r·g_T^{\delta x_i}·M)}^{y_i}={\prod }_{i=1}^{\ell }{\left({\widehat{h}}_i^{y_i}\right)}^r·\left(g_T^{\delta x_i{y}_i}\right)·\left(M^{y_i}\right)={\prod }_{i=1}^{\ell }{\left({\left(g_T^{s_i}\right)}^{y_i}\right)}^r{\prod }_{i=1}^{\ell }\left(g_T^{\delta x_i{y}_i}\right){\prod }_{i=1}^{\ell }\left(M^{y_i}\right)=g_T^{r\langle \mathbf{s},\mathbf{y}\rangle }·g_T^{\delta \langle \mathbf{x},\mathbf{y}\rangle }·M^{{\sum }_{i=1}^{\ell }{y}_i}.$
• ${\widehat{\mathtt{C}}}_0^{{\mathtt{K}}_1}=g_T^{r{\mathtt{K}}_1}=g_T^{r\langle \mathbf{s},\mathbf{y}\rangle +rk}$.
• ${\displaystyle D=\frac{D_0·D_1}{{\widehat{\mathtt{C}}}_0^{{\mathtt{K}}_1}}=\frac{g_T^{r\langle \mathbf{s},\mathbf{y}\rangle }·g_T^{\delta \langle \mathbf{x},\mathbf{y}\rangle }·M^{{\sum }_{i=1}^{\ell }{y}_i}·g_T^{kr}}{g_T^{r\langle \mathbf{s},\mathbf{y}\rangle +rk}}=g_T^{\delta \langle \mathbf{x},\mathbf{y}\rangle }·M^{{\sum }_{i=1}^{\ell }{y}_i}.}$
• We have $D=M^{{\sum }_{i=1}^{\ell }{y}_i}$ iff $\langle \mathbf{x},\mathbf{y}\rangle =0$.
• Thus $D^d=M^{{\sum }_{i=1}^{\ell }{y}_i·({\left({\sum }_{i=1}^{\ell }{y}_i\right)}^{-1}modp)}=M$.

4. Security Analysis of the Proposed Scheme

We now provide the security proof for the coselective security of the proposed IPE scheme. In the subsequent proof, we view a vector as a row vector.

Theorem 2.

The proposed scheme is csIND–CPA secure for q private key queries, where q is a polynomial in the security parameter λ, under the M-DDH${}_{{\mathbb{G}}_T}$ assumption.

Proof. 

Given $(P,A^{\prime }=aP,g_T,A=g_T^a,B=g_T^b,C)$, we build an algorithm $\mathcal{C}$ using the adversary $\mathcal{A}$ to solve the M-DDH${}_{{\mathbb{G}}_T}$ problem as follows.

• Init. The adversary $\mathcal{A}$ commits q predicate vectors ${\mathbf{y}}^{\left(1\right)},\cdots ,{\mathbf{y}}^{\left(q\right)}$.
• Setup. $\mathcal{C}$ first finds a vector $\mathbf{u}=(u_1,u_2,\cdots ,u_{\ell })$ such that

  $$\left[\begin{array}{c}{\mathbf{y}}_1\\ {\mathbf{y}}_2\\ ⋮\\ {\mathbf{y}}_q\end{array}\right]{\mathbf{u}}^{\top }={\mathbf{0}}_{\ell }^{\top },$$

  where ${\mathbf{0}}_{\ell }={\underbrace{(0,0,\cdots ,0)}}_{\ell }$. Such $\mathbf{u}$ exists when $q>\ell$. The operation is to find a vector $\mathbf{u}$ such that $\langle \mathbf{u},{\mathbf{y}}_j\rangle =0$ for $j=1$ to q. $\mathcal{C}$ then chooses $v=(v_1,v_2,\cdots ,v_{\ell })\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{\ell }$. Next, $\mathcal{C}$ computes $\widehat{\mathbf{h}}={(B^{u_i}·g_T^{v_i})}_{i=1}^{\ell }=({\widehat{h}}_1,\cdots ,{\widehat{h}}_{\ell }).$ Finally, $\mathcal{C}$ sets $\mathtt{params}=(P,g_T,\widehat{\mathbf{h}})$ and sends $\mathtt{params}$ to $\mathcal{A}$. Note that $\mathcal{C}$ implicitly sets $\mathtt{msk}=\mathbf{s}={(s_i=u_i·b+v_i)}_{i=1}^{\ell }$.
• Query Phase 1. After receiving ${\mathbf{y}}^{\left(i\right)}=(y_1^{\left(i\right)},\cdots ,y_{\ell }^{\left(i\right)})$ from $\mathcal{A}$, where $i\in [1,2,\cdots ,q]$, $\mathcal{C}$ first chooses $k\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$ and then computes ${\mathtt{K}}_{{\mathbf{y}}^{\left(i\right)}}=({\mathtt{K}}_0,{\mathtt{K}}_1)=(kP,\langle \mathbf{v},{\mathbf{y}}^{\left(i\right)}\rangle +kmodp)$. The correctness of the private key ${\mathtt{K}}_{{\mathbf{y}}^{\left(i\right)}}$ is demonstrated as follows.

  $$\begin{array}{cc}& {\mathtt{K}}_1\hfill \\ =& \langle \mathbf{s},{\mathbf{y}}^{\left(i\right)}\rangle +kmodp\hfill \\ =& \sum _{j=1}^{\ell }{s}_j{y}_j^{\left(i\right)}+kmodp\hfill \\ =& \sum _{j=1}^{\ell }(u_j·b+v_j)·y_j^{\left(i\right)}+kmodp\hfill \\ =& b\sum _{j=1}^{\ell }{u}_j{y}_j^{\left(i\right)}+\sum _{j=1}^{\ell }{v}_j{y}_j^{\left(i\right)}+kmodp\hfill \\ =& b\langle \mathbf{u},{\mathbf{y}}^{\left(i\right)}\rangle +\langle \mathbf{v},{\mathbf{y}}^{\left(i\right)}\rangle +kmodp\hfill \\ =& \langle \mathbf{v},{\mathbf{y}}^{\left(i\right)}\rangle +kmodp.\hfill \end{array}$$
• Challenge. Upon receiving ${\mathbf{x}}^{*}$, where $\langle {\mathbf{x}}^{*},{\mathbf{y}}^{\left(i\right)}\rangle \ne 0$ for $i=1,\cdots ,q$, and two equal-length messages $M_0,M_1$ from $\mathcal{A}$, the challenger $\mathcal{C}$ performs the following.
  • Choose $\beta \in \{0,1\}$.
  • Choose $\delta \stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$.
  • Set ${\mathtt{C}}_0^{\prime }=A^{\prime }$ and ${\widehat{\mathtt{C}}}_0^{\prime }=A$.
  • For $i=1$ to ℓ, compute ${\mathtt{C}}_i^{\prime }=(C^{u_i}·A^{v_i}·g_T^{\delta {\mathbf{x}}_i^{*}})·M_{\beta }$.
  • Set the challenge ciphertext ${\mathtt{C}}^{*}=({\mathtt{C}}_0^{\prime },{\widehat{\mathtt{C}}}_0^{\prime },{\mathtt{C}}_1^{\prime },{\mathtt{C}}_2^{\prime },\cdots ,{\mathtt{C}}_{\ell }^{\prime })$.
  • Return ${\mathtt{C}}^{*}$ to $\mathcal{A}$.
  Here, we implicitly set the randomness of the encryption procedure to a. Therefore, if $C=g_T^{ab}$, then we have ${\mathtt{C}}_0^{\prime }=aP,{\widehat{\mathtt{C}}}_0^{\prime }=g_T^a$ for $i=1,\cdots ,\ell$,

  $$\begin{array}{cc}{\mathtt{C}}_i^{\prime }& =(C^{u_i}·A^{v_i}·g_T^{\delta x_i^{*}})·M_{\beta }\hfill \\ & =(g_T^{ab{u}_i}·g_T^{a{v}_i}·g_T^{\delta x_i^{*}})·M_{\beta }\hfill \\ & =\left(g_T^{a(b{u}_i+v_i}\right))·\left(g_T^{\delta x_i^{*}}\right)·M_{\beta }\hfill \\ & =h_i^a·g_T^{\delta x_i^{*}}·M_{\beta }.\hfill \end{array}$$
  Thus, the challenge ciphertext ${\mathtt{C}}^{*}$ is a valid ciphertext.
• Query Phase 2. This phase is the same as Query Phase 1.
• Guess. The adversary $\mathcal{A}$ outputs a bit ${\beta }^{\prime }$. The challenger $\mathcal{C}$ outputs 1 if $\mathcal{A}$ wins the game and outputs a random bit otherwise.

Assume that the adversary $\mathcal{A}$ wins the game with advantage $ϵ$:

$$\left|Pr[{\beta }^{\prime }=\beta ]-\frac{1}{2}\right|\ge ϵ.$$

If $C=g_T^{ab}$, then the view of the adversary is identical as that in real world. Thus, we have

$$\begin{array}{cc}& Pr[\mathcal{C}(P,A^{\prime },g_T,A,B,C=g_T^{ab})=1]\hfill \\ =& Pr[{\beta }^{\prime }=\beta ]\hfill \\ \ge & \frac{1}{2}+ϵ.\hfill \end{array}$$

However, if C is a random element in ${\mathbb{G}}_T$, then the choice of $\beta$ is independent from the adversary’s view and we have

$$\begin{array}{cc}& Pr[\mathcal{C}(P,A^{\prime },g_T,A,B,C\stackrel{\$}{\leftarrow }{\mathbb{G}}_T)=1]\hfill \\ =& Pr[{\beta }^{\prime }=\beta ]\hfill \\ =& \frac{1}{2}.\hfill \end{array}$$

Therefore, the advantage of $\mathcal{C}$ in solving the M-DDH${}_{{\mathbb{G}}_T}$ problem is

$$\begin{array}{cc}& \left|Pr[\mathcal{C}(P,A^{\prime },g_T,A,B,C=g_T^{ab})=1]\right.\hfill \\ -& \left.Pr[\mathcal{C}(P,A^{\prime },g_T,A,B,C\stackrel{\$}{\leftarrow }{\mathbb{G}}_T)=1]\right|\hfill \\ \ge & \left|(\frac{1}{2}+ϵ)-\frac{1}{2}\right|\hfill \\ \ge & ϵ.\hfill \end{array}$$

This means that if there is an adversary winning the game with nonadvantage $ϵ$, then there is an algorithm $\mathcal{C}$ solving the M-DDH${}_{{\mathbb{G}}_T}$ problem with a probability greater than $ϵ$. □

5. Efficiency Analysis and Implementation Results

Herein, we compare the efficiency of the proposed IPE scheme with the schemes proposed in [1,3,5,6,7,15,16,22,23,24,25,26,27,28,29,30,36] (Because [4,17] are the complete versions of [16,24], we only compare our work with [16,24]). As shown in

Table 1. Comparison of our scheme’s efficiency with that of other schemes. The vector length for an IPE scheme is denoted by ℓ; the bit lengths of the representations for an element in ${\mathbb{Z}}_p$ and $\mathbb{G}$ are denoted by $|{\mathbb{Z}}_p|$ and $\left|\mathbb{G}\right|$, respectively; the leakage resilience parameter is denoted by m.

Scheme	Private Key Length	Number of Pairings for Decryption	Group Order
[1]	$(2\ell +1)\left|\mathbb{G}\right|$	$2\ell +1$	Composite
[3]	$(\ell +3)\left|\mathbb{G}\right|$	$\ell +3$	Prime
[16]-1	$(\ell +1)\left|\mathbb{G}\right|$	2	Prime
[16]-2	$(\ell +6)\left|\mathbb{G}\right|+(\ell -1)|{\mathbb{Z}}_p|$	9	Prime
[22]	$(2\ell +3)\left|\mathbb{G}\right|$	$2\ell +3$	Prime
[24]-1	$(4\ell +1)\left|\mathbb{G}\right|$	9	Prime
[24]-2	$9\left|\mathbb{G}\right|$	9	Prime
[24]-3	$11\left|\mathbb{G}\right|$	11	Prime
[23]	$(4\ell +2)\left|\mathbb{G}\right|$	$4\ell +2$	Prime
[25]	$(4\ell +2)\left|\mathbb{G}\right|$	$4\ell +2$	Prime
[26]-1	$(15\ell +5)\left|\mathbb{G}\right|$	$15\ell +5$	Prime
[26]-2	$(21\ell +9)\left|\mathbb{G}\right|$	$21\ell +9$	Prime
[27]	$6\ell \left|\mathbb{G}\right|$	$6\ell$	Prime
[28]	$\ell \left|\mathbb{G}\right|$	ℓ	Composite
[29]	$3\left|\mathbb{G}\right|$	3	Prime
[30]	$(4\ell +2)\left|\mathbb{G}\right|$	$4\ell +4$	Prime
[15]-1	$(2\ell +1)\left|\mathbb{G}\right|+(\ell -1)|{\mathbb{Z}}_p|$	3	Prime
[15]-2	$5\left|\mathbb{G}\right|$	3	Prime
[5]	$2m\left|\mathbb{G}\right|$	$2m$	Prime
[36]	$(4\ell +5)\left|\mathbb{G}\right|$	$4\ell +5$	Prime
[6]-1	$5\left|\mathbb{G}\right|$	5	Prime
[6]-2	$7\left|\mathbb{G}\right|$	7	Prime
[7]	$(\ell +1)\left|\mathbb{G}\right|$	$\ell +1$	Composite
Ours	$1\left|\mathbb{G}\right|+1|{\mathbb{Z}}_p|$	1	Prime

, we compare our scheme to others in two aspects: the size of the private key and the number of pairing operations for decryption. The type of group order is also presented because the efficiency of prime order groups is higher than that of composite order bilinear groups.

As is evident in Table 1, our proposed scheme has the shortest private key length and smallest number of pairings. Moreover, both the private key length and the number of pairings in our proposed scheme are independent of the length of the predicate and attribute vectors. The most efficient existing scheme is [29], where the private key length is three group elements and three pairings are needed for decryption. In our scheme, the private key is only an element of $\mathbb{G}$ and an element of ${\mathbb{Z}}_p$, and only one pairing is necessary during decryption. Furthermore, in [5], the private key length ($2m\left|\mathbb{G}\right|$) and the number of pairings ($2m$) are independent of the lengths of the vectors, where m is the leakage-resilience parameter. However, m must be at least equal to or greater than 2. Therefore, the private key length and pairing number are still larger than those obtained with our approach (this is because their scheme degenerates to a conventional IPE scheme without leakage resilience when $m=1$).

We also implemented our scheme and the schemes of [15,17,29] to compare efficiency. We chose these three schemes for the following reasons:

• Among all the existing IPE schemes, the first scheme of [16] requires the smallest number of pairings for decryption (only two pairings required);
• Among the schemes supporting constant private key length, the schemes of [15,29] require the smallest number of pairings for decryption (only three pairings required).

The environment of the implementation is presented in

Table 2. Environment of the implementation.

	Specification
OS	Ubuntu 18.04 LTS
CPU	Intel i7-4790 3.6 GHz
RAM	8 gb
Language	Python 3.6
Library	Charm-Crypto v0.50

, and the implementation results are shown in

Table 3. Implementation results.

Scheme	Encryption Time (ms)	Decryption Time (ms)	Private Key Length (kb)	Ciphertext Length (kb)
[16]	100	100	31.7	0.937
[29]	170	140	0.955	17.5
[15]	260	140	1.59	25.9
Ours	20	10	0.37	31.3

. We implemented these schemes by using the Charm-Crypto library [37] and Python language. For schemes constructed over symmetric paring groups (the approach in [16] and our method), we selected the pairing group SS512 in [38] (also known as type A groups), and for the schemes constructed over asymmetric pairing groups (in [15,29]), we chose the pairing group BN254 in [39] (also known as type F groups). The SS512 group is a supersingular elliptic curve group where the size of the base field order is 512 bits and the embedding degree is two. For a bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ over the SS512 group, the bit lengths of elements in $\mathbb{G}$ and ${\mathbb{G}}_T$ are 64 and 128 bytes, respectively. In the case of the BN254 group, the size of the base field order is 256 bits and the embedding degree is 12. For a bilinear map $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$ over the BN254 group, the bit lengths of elements in ${\mathbb{G}}_1$, ${\mathbb{G}}_2$, and ${\mathbb{G}}_T$ are 64, 128, and 384 bytes, respectively. For the length of predicate and attribute vectors, we chose $\ell =100$. As evident in Table 3, the encryption and decryption algorithms of our scheme were highly efficient. For decryption and encryption, only 10 and 20 ms was required, respectively. Our encryption algorithm was 5, 8.5, and 13 times faster than that in [15,16,29], respectively, and our decryption algorithm was 10, 14, and 14 times faster than that in [15,16,29], respectively. Moreover, our private key length was 86, 2.6, and 4.3 times shorter than that in [15,16,29], respectively. However, as a trade-off, the length of the ciphertext in our scheme was the largest among these schemes.

6. Conclusions

In this work, an efficient IPE scheme in which the size of the private keys and the number of pairings for decryption are constant is introduced; moreover, this scheme is coselective IND–CPA secure under the modified decisional Diffie–Hellman assumption. Comparison and experimental results are also provided to illustrate that the size and computing cost of this scheme are small. In future works, we aim to improve the efficiency by reducing the ciphertext length and provide a security proof for stronger security concerns under standard assumptions. Because the proposed scheme is based on bilinear pairing, it cannot resist quantum attacks, unlike lattice-based IPE schemes. In future work, we will explore how to construct an efficient and practical quantum-resistant IPE scheme.