Multi-Input Functional Encryption for Inner Products: Function-Hiding Realizations and Constructions Without Pairings

Abdalla, Michel; Catalano, Dario; Fiore, Dario; Gay, Romain; Ursu, Bogdan

doi:10.1007/978-3-319-96884-1_20

Michel Abdalla ORCID: orcid.org/0000-0002-2447-4329^15,16,
Dario Catalano¹⁷,
Dario Fiore ORCID: orcid.org/0000-0001-7274-6600¹⁸,
Romain Gay^15,16 &
…
Bogdan Ursu¹⁹

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10991))

Included in the following conference series:

Annual International Cryptology Conference

5048 Accesses
59 Citations

Abstract

We present new constructions of multi-input functional encryption (MIFE) schemes for the inner-product functionality that improve the state of the art solution of Abdalla et al. (Eurocrypt 2017) in two main directions.

First, we put forward a novel methodology to convert single-input functional encryption for inner products into multi-input schemes for the same functionality. Our transformation is surprisingly simple, general and efficient. In particular, it does not require pairings and it can be instantiated with all known single-input schemes. This leads to two main advances. First, we enlarge the set of assumptions this primitive can be based on, notably, obtaining new MIFEs for inner products from plain DDH, LWE, and Decisional Composite Residuosity. Second, we obtain the first MIFE schemes from standard assumptions where decryption works efficiently even for messages of super-polynomial size.

Our second main contribution is the first function-hiding MIFE scheme for inner products based on standard assumptions. To this end, we show how to extend the original, pairing-based, MIFE by Abdalla et al. in order to make it function hiding, thus obtaining a function-hiding MIFE from the MDDH assumption.

You have full access to this open access chapter, Download conference paper PDF

Multi-input Inner-Product Functional Encryption from Pairings

Multi-input Functional Encryption for Unbounded Inner Products

Efficient Functional Encryption for Inner-Product Values with Full-Hiding Security

1 Introduction

Functional Encryption (FE) [8, 15, 16] is an emerging cryptographic paradigm that allows fine-grained access control over encrypted data. Functional encryption schemes come equipped with a key generation mechanism that allows the owner of a master secret key to generate decryption keys that have a somehow restricted capability. Namely, each decryption key ${\mathsf {sk}}_f$ is associated with a function f and using ${\mathsf {sk}}_f$ to decrypt a ciphertext $\mathsf{Enc}(x)$ allows for recovering f(x), with the guarantee that no more information about x is revealed. The basic notion of functional encryption considers functionalities where all the inputs are provided and encrypted by a single party. The more general case of multi-input functionalities is captured by the notion of multi-input functional encryption (MIFE, for short) [12]. Informally, this notion can be thought of as an FE scheme where n encryption slots are explicitly given, in the sense that a user who is assigned the i-th slot can, independently, create a ciphertext $\mathsf{Enc}(x_i)$ from his own plaintext $x_i$. Given ciphertexts $\mathsf{Enc}(x_1),\ldots , \mathsf{Enc}(x_n)$, one can use a secret key ${\mathsf {sk}}_f$ to retrieve $f(x_1,\ldots , x_n)$, similarly to the basic FE notion. This multi-input capability makes MIFE particularly well suited for many real life scenarios (such as data mining over encrypted data or multi-client delegation of computation) where the (encrypted) data may come from different and unrelated sources.

The security requirement for both FE and MIFE imposes that decryption keys should be collusion resistant. This means that a group of users, holding different decryption keys, should not be able to gain information about the encrypted messages, beyond the union of what they can individually learn. More precisely, the standard notion of security for functional encryption is indistinguishability. Informally, this states that an adversary that obtains the secret keys corresponding to functions $f_1, \ldots , f_n$ should not be able to decide which of the challenge messages $x_0, x_1$ was encrypted, as long as $f_i(x_0)=f_i(x_1)$ for all i. This indistinguishability notion has been put forward in [8, 15] and it has been shown inadequate for certain cases (see [8, 15] for details). They also proposed an alternative simulation-based security notion which is also problematic as, for instance, it cannot be satisfied in general.

As an additional security property, functional encryption schemes might also be required to guarantee so-called function hiding. Intuitively, this means that a secret key ${\mathsf {sk}}_f$ should not reveal information about the function f it encodes, beyond what is implicitly leaked by f(x). Slightly more in detail, in the indistinguishability setting, this is formalized by imposing that the adversary should not be able to decide for which of the challenge functions $f_i^{(0)},f_i^{(1)}$ it is holding secret keys, as long as as $f_i^{(0)}(x_0)=f^{(1)}_i(x_1)$ for all i. Over the last few years, functional encryption has attracted a lot of interest, both in its basic and in its multi-input incarnations. Known results can be broadly categorized as focusing on (1) feasibility results for general functionalities, and on (2) concrete, efficient realizations for restricted functionalities of practical interest.

For the specific case of MIFE, which is the focus of this paper, constructions of the first type [6, 7, 9, 12] all rely on quite unstable assumptions, such as indistinguishability obfuscation or multilinear maps^{Footnote 1}. The only known construction of the second category has been recently proposed by Abdalla et al. in [4]. There, they propose a (secret-key) MIFE scheme for the inner product functionality that relies on the standard k-linear assumption in (prime-order) bilinear groups^{Footnote 2}. Remarkably, their scheme allows for unbounded collusions and supports any (polynomially bounded) number of encryption slots. On the negative side, as in previous discrete-log-based constructions of functional inner-product encryption schemes, it employs an inefficient decryption procedure that requires to extract discrete logarithms and thus imposes serious restrictions on the size of supported messages. Moreover, the scheme is not function hiding as decryption requires the function f to be provided explicitly in the clear.

1.1 Our Contributions

In this paper we propose new constructions of multi-input functional encryption schemes for the inner product functionality that address the aforementioned shortcomings of the state-of-the-art solution of Abdalla et al. [4].

MIFE for inner products without pairings. Our first contribution consists of (secret-key) MIFE schemes for inner products based on a variety of assumptions, notably without the need of bilinear maps, and where decryption works efficiently, even for messages of super-polynomial size. We achieve this result by proposing a generic construction of MIFE from any single-input FE (for inner products) in which the encryption algorithm is linearly-homomorphic. Our transformation is surprisingly simple, general and efficient. In particular, it does not require pairings (as in the case of [4]), and it can be instantiated with all known single-input functional encryption schemes (e.g., [1, 2, 5]). This allows us to obtain new MIFE for inner products from plain DDH, composite residuosity, and LWE. Beyond the obvious advantage of enlarging the set of assumptions on which MIFE can be based, this result yields schemes that can be used with a much larger message space. Indeed, dropping the bilinear groups requirement allows us to employ schemes where the decryption time is polynomial, rather than exponential, in the message bit size. From a more theoretical perspective, our results also show that, contrary to what was previously conjectured [4], MIFE for inner product does not need any (qualitatively) stronger assumption than their single-input counterpart.

Our solution, in more detail. To better describe our solution, let us first explain the basic ideas behind Abdalla et al.’s scheme [4]. Informally, the latter builds upon a clever two-step decryption blueprint. The ciphertexts $\mathsf {ct}_1=\mathsf{Enc}(\varvec{x}_1), \ldots , \mathsf {ct}_n=\mathsf{Enc}(\varvec{x}_n)$ (corresponding to slots $1, \ldots , n$) are all created using different instances of a single-input FE. Decryption is performed in two stages. One first decrypts each single $\mathsf {ct}_i$ separately using the secret key ${\mathsf {sk}}_{\varvec{y}_{i}}$ of the underlying single-input FE, and then the outputs of these decryptions are added up to get the final result.

The main technical challenge of this approach is that the stage one of the above decryption algorithm leaks information on each partial inner product $\langle \varvec{x}_i, \varvec{y}_i \rangle $. To avoid this leakage, their idea is to let source i encrypt its plaintext vector $\varvec{x}_i$ augmented with some fixed (random) value $u_i$, which is part of the secret key. Moreover, ${\mathsf {sk}}_{\varvec{y}_{i}}$ are built by running the single-input FE key generation algorithm on input $\varvec{y}_i||r$, i.e., the vector $\varvec{y}_i$ augmented with fresh randomness r.

By these modifications, and skipping many technical details, stage-one decryption then consists of using pairings to compute, in $\mathbb {G}_T$, the values^{Footnote 3} $[\langle \varvec{x}_i , \varvec{y}_i \rangle + u_i r]_T$ for every slot i. From these quantities, the result $[\langle \varvec{x}, \varvec{y} \rangle ]_T$ is obtained as

$$ \prod _{i=1}^n [\langle \varvec{x}_i , \varvec{y}_i \rangle + u_i r]_T \cdot [-(\sum _{i=1}^n u_i) r]_T$$

which can be easily computed if $[-(\sum _{i=1}^n u_i) r]_T$ is included in the secret key.

Intuitively, the scheme is secure as the quantities $[u_i r]_T$ are all pseudo random (under the DDH assumption) and thus hide all the partial information $[\langle \varvec{x}_i , \varvec{y}_i \rangle + u_i r]_T$ may leak. Notice that, in order for this argument to go through, it is crucial that the quantities $[\langle \varvec{x}_i , \varvec{y}_i \rangle + u_i r]_T$ are all encoded in the exponent, and thus decoding is possible only for small norm exponents. Furthermore, this technique seems to inherently require pairings, as both $u_i$ and r have to remain hidden while allowing to compute an encoding of their product at decryption time. This is why the possibility of a scheme without pairings was considered as “quite surprising” in [4].

We overcome these difficulties via a new FE to MIFE transform, which manages to avoid leakage in a much simpler and efficient way. Our transformation works in two steps. First, we consider a simplified scheme where only one ciphertext query is allowed and messages live in the ring $\mathbb {Z}_L$, for some integer L. In this setting, we build the following multi-input scheme. For each slot i the (master) secret key for slot i consists of one random vector $\varvec{u}_i \in \mathbb {Z}_L^{m}$. Encrypting $\varvec{x}_i$ merely consists in computing $\varvec{c}_i=\varvec{x}_i+\varvec{u}_i \bmod L$. The secret key for function $\varvec{y}=(\varvec{y}_1, \ldots , \varvec{y}_n)$, is just $z_{\varvec{y}}=\sum _{i=1}^n \langle \varvec{u}_i, \varvec{y}_i \rangle \bmod L$. To decrypt, one computes

$$ \langle \varvec{x}, \varvec{y}\rangle \bmod L= \langle (\varvec{c}_1, \ldots , \varvec{c}_n), \varvec{y}\rangle - z_{\varvec{y}} \bmod L $$

Security comes from the fact that, if only one ciphertext query is allowed, the above can be seen as the functional encryption equivalent of the one-time pad^{Footnote 4}.

Next, to guarantee security in the more challenging setting where many ciphertext queries are allowed, we just add a layer of (functional) encryption on top of the above one-time encryption. More specifically, we encrypt each $\varvec{c}_i$ using a FE (supporting inner products) that is both linearly homomorphic and whose message space is compatible with L. So, given ciphertexts $\{\mathsf {ct}_i = \mathsf{Enc}(\varvec{c}_i)\}$ and secret key ${\mathsf {sk}}_{\varvec{y}} = (\{{\mathsf {sk}}_{\varvec{y}_i}\}_i, z_{\varvec{y}})$, one can first obtain $\{\langle \varvec{c}_i, \varvec{y}_i \rangle = \mathsf{Dec}(\mathsf {ct}_i, {\mathsf {sk}}_{\varvec{y}_i})\}$, and then extract the result as $\langle \varvec{x}, \varvec{y} \rangle = \sum _{i=1}^{n} \langle \varvec{c}_i, \varvec{y}_i \rangle - \langle \varvec{u}, \varvec{y} \rangle $.

Our transformation actually comes in two flavors: the first one addresses the case where the underlying FE computes inner products over some finite ring $\mathbb {Z}_L$; the second one instead considers FE schemes that compute bounded-norm inner products over the integers. In both cases the transformations are generic enough to be instantiated with known single-input FE schemes for inner products. This gives us new MIFE relying on plain DDH [1], LWE [5] and Composite residuosity [2, 5]. Moreover, the proposed transform is security-preserving in the sense that, if the underlying FE achieves adaptive security, so does our resulting MIFE.

Function-Hiding MIFE for inner products. Our second contribution are new MIFE schemes for inner products that achieve function hiding. Our constructions build on the pairing-based solution from [4] and, as such, they also rely on pairings. More precisely, we propose transformations that, starting from the MIFE from [4], build function hiding MIFEs using single input FE for inner products as additional building block. Ours transforms are generic with respect to this latter component, in the sense that they can be instantiated using any single input FE satisfying some natural additional requirements (details of which are given in Sect. 4).

Our methods build from the two-layer encryption technique recently developed by Lin [13] to generically achieve function hiding in the context of (single input) FE for inner products. Intuitively, Lin’s idea consists in doing similar operations both at encryption and at key derivation time. Starting from two independent instances of the underlying FE, an “inner” one and an “outer” one, the idea is to encrypt the plaintext $\varvec{x}$ in two steps. One first uses the “inner” FE to compute $\mathsf {ct}_1=\mathsf{Enc}(\mathsf {msk}_1, \varvec{x})$ and then “extracts” the key corresponding to $\mathsf {ct}_1$, i.e., $\mathsf {ct}_2={\mathsf {KeyGen}}(\mathsf {msk}_2, \mathsf {ct}_1)$. Key derivation is done similarly, one first computes ${\mathsf {sk}}_1={\mathsf {KeyGen}}(\mathsf {msk}_1, \varvec{y})$ and then encrypts ${\mathsf {sk}}_1$ using the outer scheme, i.e., ${\mathsf {sk}}_2=\mathsf{Enc}(\mathsf {msk}_2, {\mathsf {sk}}_1)$.

If one encodes ciphertexts in $\mathbb {G}_1$ and secret keys in $\mathbb {G}_2$, then one can use pairings to compute an encoding, in $\mathbb {G}_T$, of $[\langle \mathsf {ct}_2, {\mathsf {sk}}_2\rangle ]_T$. Since decryption essentially performs inner product, the latter computation actually decrypts also the inner $\mathsf {ct}_1$ component using secret key ${\mathsf {sk}}_1$, thus yielding an encoding of $\langle \varvec{x}, \varvec{y}\rangle $. Moreover, since now $\varvec{y}$ is encrypted, the FE security also provides function hiding^{Footnote 5}.

An obvious drawback of Lin’s transformation is that, when applied generically, it would induce an extra-level of multilinearity in the process. This means that, starting from a pairing-free FE for inner products, one ends up with a scheme that is function hiding but also pairing-based.

We propose similar two-layer encryption techniques that do not, inherently, induce extra levels of multi-linearity with respect to those of the underlying primitives. Our transforms achieve this by using the MIFE from [4] as inner scheme and, several instances of, a single input FE, one for each encryption slot, as outer schemes. In particular, by carefully exploiting the specific algebraic properties of the MIFE, we manage to achieve function hiding from the Matrix Decisional Diffie Hellman assumption over standard bilinear groups (i.e., without resorting to multi-linear maps). Specifically, our schemes come in two flavors: a simpler one for selective security and a more convoluted one achieving adaptive security. A high level overview of our technique appears in Sect. 4. The MIFE schemes from Lin [13] are selectively secure and function-hiding, but are based on multi-linear maps ($d-1$ slots require a multilinear map of degree d). In comparison, our schemes support a polynomial number of inputs and achieve adaptive-security, while using only pairings and while being based only on standard assumptions.

Generality of our approach. As mentioned above, our function-hiding transforms are not entirely generic as they impose restrictions on the underlying MIFE. These restrictions, while compatible with the pairing-based realization from [4], do not cope well with our newly constructed MIFEs without pairings. Very informally, this is due to the fact that our transform relies on the two-step decryption blueprint in which one learns $[\langle \varvec{x}_i, \varvec{y}_i \rangle + z_i]$, and each $z_i$ is “sufficiently” random to guarantee security in the MIFE security experiment. Specifically, in Abdalla et al.’s scheme $z_i = u_i r$ whereas in our new scheme $z_i = \langle \varvec{u}_i, \varvec{y}_i \rangle $. While the latter value is sufficiently random in the MIFE indistinguishability experiment, this is no longer the case in the function-hiding experiment, where the adversary asks for pairs of keys $(\varvec{y}^{0}, \varvec{y}^1)$, and $z_i = \langle \varvec{u}_i, \varvec{y}^{\beta }_i \rangle $ may actually leak information about which of the two keys was chosen (i.e. information about the value of the bit $\beta $). With a different interpretation, if one sees $[\langle \varvec{x}_i, \varvec{y}_i \rangle + z_i]$ as a secret sharing of $\langle \varvec{x}, \varvec{y} \rangle $, then in our new scheme this secret sharing depends on the function $\varvec{y}$ whereas in [4] this is function independent and more suitable for function-hiding. We believe that coming up with more powerful transforms, capable of exploiting the potential of our efficient MIFEs, is a very natural and interesting open problem.

Concurrent work on function-hiding. Concurrently and independently of our work, Datta et al. [10] proposed a multi-input function-hiding scheme for inner products. Their construction uses the framework of dual pairing vector spaces and require the use of pairings. They achieve slightly shorter ciphertexts and decryption keys (ciphertexts are shorter by 2 group elements, while decryption keys require 2n+1 less group elements). However, this comes at the expense of a larger master secret key, which contains $4n(m^2-1)$ more group elements (a quadratic blow-up in m).

Interestingly, Datta et al. [10] also provide a technique based on pseudorandom functions to extend their multi-input function-hiding scheme to an unbounded number of slots. Although their techniques also appear to be applicable to our schemes, hence capable of extending both the pairing-free and the pairing-based constructions to the unbounded setting, we leave it as future work.

2 Preliminaries

Notation. We denote with $\lambda \in \mathbb {N}$ a security parameter. A probabilistic polynomial time (PPT) algorithm $\mathcal{A}$ is a randomized algorithm for which there exists a polynomial $p(\cdot )$ such that for every input x the running time of $\mathcal{A}(x)$ is bounded by p(|x|). We say that a function $\varepsilon : \mathbb {N} \rightarrow \mathbb {R}^+$ is negligible if for every positive polynomial $p(\lambda )$ there exists ${\lambda }_0 \in \mathbb {N}$ such that for all $\lambda > {\lambda }_0$: $\varepsilon (\lambda ) < 1/p(\lambda )$. If S is a set, $x \leftarrow _{\textsc {r}}S$ denotes the process of selecting x uniformly at random in S. If $\mathcal{A}$ is a probabilistic algorithm, $y \leftarrow _{\textsc {r}}\mathcal{A}(\cdot )$ denotes the process of running $\mathcal{A}$ on some appropriate input and assigning its output to y. For a positive integer n, we denote by [n] the set $\{1,\ldots , n\}$. We denote vectors $\varvec{x} = (x_i)$ and matrices $\mathbf{A}= (a_{i,j})$ in bold. For a set S (resp. vector $\varvec{x}$) |S| (resp. $|\varvec{x}|$) denotes its cardinality (resp. number of entries). Also, given two vectors $\varvec{x}$ and $\varvec{x}'$ we denote by $\varvec{x} \Vert \varvec{x}'$ their concatenation. By $\equiv $, we denote the equality of statistical distributions, and for any $\varepsilon >0$, we denote by $\approx _\varepsilon $ the $\varepsilon $-statistical difference of two distributions.

2.1 Definitions for Multi-Input Functional Encryption

In this section we recall the definitions of multi-input functional encryption [12] specialized to the private-key setting, as this is the one relevant for our constructions.

Definition 1

(Multi-input Function Encryption). Let $\mathcal {F}= \{ \mathcal {F}_n \}_{n \in \mathbb {N}}$ be an ensemble where each $\mathcal {F}_n$ is a family of n-ary functions. A function $f \in \mathcal {F}_n$ is defined as follows $f : \mathcal {X}_{1} \times \ldots \times \mathcal {X}_{n} \rightarrow \mathcal {Y}$. A multi-input functional encryption scheme $\mathcal {MIFE}$ for $\mathcal {F}$ consists of the following algorithms:

$\mathsf{Setup}(1^\lambda , \mathcal {F}_n)$ takes as input the security parameter $\lambda $ and a description of $\mathcal {F}_n \in \mathcal {F}$, and outputs a master public key $\mathsf {mpk}$^{Footnote 6} and a master secret key $\mathsf {msk}$. The master public key $\mathsf {mpk}$ is assumed to be part of the input of all the remaining algorithms.
$\mathsf{Enc}(\mathsf {msk},i,x_i)$ takes as input the master secret key $\mathsf {msk}$, an index $i \in [n]$, and a message $x_i \in \mathcal {X}_i$, and it outputs a ciphertext $\mathsf {ct}$. Each ciphertext is assumed to be associated with an index i denoting for which slot this ciphertext can be used for. When $n=1$, the input i is omitted.
${\mathsf {KeyGen}}(\mathsf {msk}, f)$ takes as input the master secret key $\mathsf {msk}$ and a function $f \in \mathcal {F}_n$, and it outputs a decryption key ${\mathsf {sk}}_f$.
$\mathsf{Dec}({\mathsf {sk}}_f, \mathsf {ct}_{1}, \ldots , \mathsf {ct}_n)$ takes as input a decryption key ${\mathsf {sk}}_f$ for function f and n ciphertexts, and it outputs a value $y \in \mathcal {Y}$.

A scheme $\mathcal {MIFE}$ as defined above is correct if for all $n \in \mathbb {N}$, $f \in \mathcal {F}_n$ and all $x_i \in \mathcal {X}_i$ for $1 \le i \le n$, we have

$$ \mathsf {Pr}\left[ \begin{aligned} (\mathsf {mpk}, \mathsf {msk}) \leftarrow \mathsf{Setup}(1^\lambda , \mathcal {F}_n);~~~{\mathsf {sk}}_f \leftarrow {\mathsf {KeyGen}}(\mathsf {msk}, f);&\\ \mathsf{Dec}({\mathsf {sk}}_f, \mathsf{Enc}(\mathsf {msk},1, x_{1}), \ldots , \mathsf{Enc}(\mathsf {msk},n, x_n)) = f(x_{1}, \ldots , x_{n})&\end{aligned} \right] = 1, $$

where the probability is taken over the coins of $\mathsf{Setup}$, ${\mathsf {KeyGen}}$ and $\mathsf{Enc}$.

Security notions. Here we recall the definitions of security for multi-input functional encryption. We give both one-time and many-time indistinguishability-based security definitions. Namely, we consider several security notions denoted xx-AD-IND and xx-SEL-IND, where: xx $\in \{\mathrm {one}, \mathrm {many}\}$. We also give simulation-based security definitions in the full version of the paper [3].

Definition 2

(xx-AD-IND-secure MIFE). For every multi-input functional encryption $\mathcal {MIFE}$ for $\mathcal {F}$, every stateful adversary $\mathcal {A}$, every security parameter $\lambda \in \mathbb {N}$, and every xx $\in $ {one,many}, we define the following experiments for $\beta \in \{0,1\}$:

where $\mathsf{Enc}$ is an oracle that on input $(i,x_i^0,x_i^1)$ outputs $\mathsf{Enc}(\mathsf {msk},i,x_i^\beta )$. Also, $\mathcal {A}$ is restricted to only make queries f to ${\mathsf {KeyGen}}(\mathsf {msk},\cdot )$ satisfying

$$ f(x_{1}^{j_1,0},\ldots ,x_{n}^{j_n,0}) = f(x_1^{j_1,1},\ldots ,x_n^{j_n,1}) $$

for all $j_1,\ldots ,j_n \in [Q_1] \times \cdots \times [Q_n]$, where for all $i \in [n]$, $Q_i$ denotes the number of encryption queries for input slot i. We denote by $Q_f$ the number of key queries. Note that w.l.o.g. (as shown in [4, Lemma 3]), we can assume that for all $i \in [n]$, $Q_i >0$. When xx $=$ one, we also require that $\mathcal {A}$ queries $\mathsf{Enc}(i,\cdot ,\cdot )$ once per slot, namely that $Q_i = 1$, for all $i \in [n]$.

A private-key multi-input functional encryption $\mathcal {MIFE}$ for $\mathcal {F}$ is xx-AD-IND-secure if every PPT adversary $\mathcal {A}$ has advantage negligible in $\lambda $, where the advantage is defined as:

Remark 1

(winning condition). The winning condition may not always efficiently checkable because of the combinatorial explosion in the restrictions on the queries.

Definition 3

(xx-SEL-IND-secure MIFE). For every multi-input functional encryption $\mathcal {MIFE}$ for $\mathcal {F}$, every stateful adversary $\mathcal {A}$, every security parameter $\lambda \in \mathbb {N}$, and every xx $\in $ {one,many}, we define the following experiments for $\beta \in \{0,1\}$:

where $\mathcal {A}$ is restricted to only make queries f to ${\mathsf {KeyGen}}(\mathsf {msk},\cdot )$ satisfying

$$ f(x_{1}^{j_1,0},\ldots ,x_{n}^{j_n,0}) = f(x_1^{j_1,1},\ldots ,x_n^{j_n,1}) $$

for all $j_1,\ldots ,j_n \in [Q_1] \times \cdots \times [Q_n]$. When xx $=$ one, we also require that $Q_i = 1$, for all $i \in [n]$.

A $\mathcal {MIFE}$ for $\mathcal {F}$ is xx-SEL-IND-secure if every PPT adversary $\mathcal {A}$ has negligible advantage in $\lambda $, where the advantage is defined as:

Zero vs multiple queries in the private-key setting. A nice feature enjoyed by all the schemes in Sect. 3 is that the owner of a decryption key ${\mathsf {sk}}_{ \varvec{y}}$ associated with the vector $ \varvec{y} = \varvec{y}_1 \Vert \cdots \Vert \varvec{y}_n$ does not need to know a specific value $\mathsf {ct}_{i}$ of the ciphertext vector $\mathsf {ct}= (\mathsf {ct}_{1}, \ldots , \mathsf {ct}_{n})$ in order to decrypt $\mathsf {ct}$ if $\varvec{y}_i = \varvec{0}$. In other words, $Q_i$ can be 0 whenever $\varvec{y}_i = \varvec{0}$. In this case, the adversary is only allowed to obtain a secret key ${\mathsf {sk}}_{\varvec{y}}$ for a vector $\varvec{y}$ satisfying the condition

$$\begin{aligned} \sum _{i \in I} \langle \varvec{x}^{j,0}_i, \varvec{y}_i \rangle = \sum _{i \in I} \langle \varvec{x}^{j,1}_i, \varvec{y}_i \rangle , \end{aligned}$$

for all queries $j \in [Q_i]$, where $I \subseteq [n]$ denotes the set of slots for which the adversary made at least one query to $\mathsf{Enc}$, that is, for which $Q_i > 0$. Though we believe this feature can be useful in practice (for instance, if one of the encrypting parties decides to stop collaborating), certain applications may require at least one ciphertext for each encryption slot in order for decryption to be possible. In such cases, one can apply to our schemes the simple generic compiler given in [4, Lemma 3] to ensure that the set $I = [n]$, thus obtaining new schemes which leak no information in the setting where some $Q_i = 0$. For this reason, we assume without loss of generality that $Q_i > 0$ in all our security definitions and proofs.

2.2 Function-Hiding Multi-Input Functional Encryption

For function-hiding, we focus on indistinguishability security notions. This is because even single-input function-hiding inner-product encryption is known to be unrealizable in a simulation sense under standard assumptions.

Definition 4

(xx-SEL-Function-hiding MIFE). For every multi-input functional encryption $\mathcal {MIFE}$ for $\mathcal {F}$, every security parameter $\lambda $, every stateful adversary $\mathcal {A}$, and every xx $\in $ {one,many}, we define the following experiments for $\beta \in \{0,1\}$:

where $\mathcal {A}$ only makes $Q_{i}$ selective queries of plaintext pairs $(x_{i}^{j_i,0},x_{i}^{j_i,1})$ and $Q_f$ selective queries of key pairs $(f^{j_f,0},f^{j_f,1})$, that must satisfy:

$$ f^{j_{f},0}(x_1^{j_1,0},\ldots ,x_n^{j_n,0}) = f^{j_{f},1}(x_1^{j_1,1},\ldots ,x_n^{j_n,1}) $$

for all $j_1,\ldots ,j_n \in [Q_1] \times \cdots \times [Q_n]$ and for all $j_f\in [Q_f]$.

A $\mathcal {MIFE}$ is xx-SEL-FH-IND-secure if every PPT adversary $\mathcal {A}$ has negligible advantage in $\lambda $, where the advantage is defined as:

Definition 5

(xx-AD-Function-hiding MIFE). For every multi-input functional encryption $\mathcal {MIFE}:= (\mathsf{Setup},\mathsf{Enc},{\mathsf {KeyGen}},\mathsf{Dec})$ for $\mathcal {F}$, every security parameter $\lambda $, every stateful adversary $\mathcal {A}$, and every xx $\in $ {one,many}, we define the following experiments for $\beta \in \{0,1\}$:

where $\mathsf{Enc}$ is an oracle that on input $(i,x_i^0,x_i^1)$ outputs $\mathsf{Enc}(\mathsf {msk},i,x_i^\beta )$ and ${\mathsf {KeyGen}}$ is an oracle that on input $(f^{0},f^{1})$ outputs ${\mathsf {KeyGen}}(\mathsf {msk},f^\beta )$. Additionally, $\mathcal {A}$ queries must satisfy:

$$ f^{j_{f},0}(x_1^{j_1,0},\ldots ,x_n^{j_n,0}) = f^{j_{f},1}(x_1^{j_1,1},\ldots ,x_n^{j_n,1}) $$

for all $j_1,\ldots ,j_n \in [Q_1] \times \cdots \times [Q_n]$ and for all $j_f\in [Q_f]$.

A $\mathcal {MIFE}$ is xx-AD-FH-IND-secure if every PPT adversary has negligible advantage in $\lambda $, where the advantage is defined as:

Definition 6

(Weak function hiding MIFE). Following the approach from [14], we define the notion of weak function hiding (denoted xx-yy-wFH-IND) in the multi-input case, which is as in Definitions 4 and 5, with the exception that the previous constraints on ciphertext and key challenges:

$$\begin{aligned} \begin{aligned} f^{j_{f},0}(x_1^{j_1,0},\ldots ,x_n^{j_n,0}) =&f^{j_{f},1}(x_1^{j_1,1},\ldots ,x_n^{j_n,1}), \\&\mathrm {\,\,for\,\, all\,\, } j_1,\ldots ,j_n \in [Q_1] \!\times \! \cdots \times [Q_n] \mathrm {\, and\, for\, all \,\,} j_f\in [Q_f] \end{aligned} \end{aligned}$$

are extended with additional constraints to help with our hybrid proof:

$$\begin{aligned} \begin{aligned} f^{j_{f},0}(x_1^{j_1,0},\ldots ,x_n^{j_n,0}) =&f^{j_{f},0}(x_1^{j_1,1},\ldots ,x_n^{j_n,1})= f^{j_{f},1}(x_1^{j_1,1},\ldots ,x_n^{j_n,1}), \\&\mathrm {\,\, for\,\, all\,\, } j_1,\ldots ,j_n \in [Q_1] \!\times \! \cdots \times [Q_n] \mathrm {\, and \, for\, all\,\, }j_f\in [Q_f]. \end{aligned} \end{aligned}$$

2.3 Inner-Product Functionality

In this paper we construct multi-input functional encryption schemes that support the following two variants of the multi-input inner product functionality:

Multi-Input Inner Product over $\mathbb {Z}_L$. This is a family of functions that is defined as $\mathcal {F}_{L, n}^{m} = \{ f_{\varvec{y}_1,\ldots ,\varvec{y}_n} : (\mathbb {Z}_{L}^m)^n \rightarrow \mathbb {Z}_{L}, \text{ for } \varvec{y}_i \in \mathbb {Z}_L^m\}$ where

$$f_{\varvec{y}_1,\ldots ,\varvec{y}_n}(\varvec{x}_1,\ldots ,\varvec{x}_n) = \sum _{i=1}^n \langle \varvec{x}_i,\varvec{y}_i \rangle \ \mathrm {mod}\ L.$$

Multi-Input Bounded-Norm Inner Product over $\mathbb {Z}$. This is defined as $\mathcal {F}_{n}^{m, X, Y} = \{ f_{\varvec{y}_1,\ldots ,\varvec{y}_n} : (\mathbb {Z}^m)^n \rightarrow \mathbb {Z} \}$ where $f_{\varvec{y}_1,\ldots ,\varvec{y}_n}(\varvec{x}_1,\ldots ,\varvec{x}_n)$ is the same as above except that the result is not reduced $\ \mathrm {mod}\ L$, and vectors are required to satisfy the following bounds: $\Vert \varvec{x}\Vert _\infty < X$, $\Vert \varvec{y}\Vert _\infty < Y$.

2.4 Computational Assumptions

Prime-order groups. Let $\mathsf {GGen}$ be a probabilistic polynomial time (PPT) algorithm that on input $1^\lambda $ returns a description $\mathcal {G}=(\mathbb {G},p,g)$ of an cyclic group $\mathcal{G}$ of order p for a $2\lambda $-bit prime p, whose generator is g.

We use implicit representation of group elements as introduced in [11]. For $a \in \mathbb {Z}_p$, define $[a] = g^a \in \mathbb {G}$ as the implicit representation of a in $\mathcal{G}$. More generally, for a matrix $\mathbf {A}= (a_{ij}) \in \mathbb {Z}_p^{n\times m}$ we define $[\mathbf {A}]$ as the implicit representation of $\mathbf {A}$ in $\mathcal{G}$:

$$[\mathbf {A}] := \begin{pmatrix} g^{a_{11}} &{} ... &{} g^{a_{1m}}\\ &{} &{} \\ g^{a_{n1}}&{} ... &{} g^{a_{nm}} \end{pmatrix} \in \mathbb {G}^{n \times m}$$

We will always use this implicit notation of elements in $\mathbb {G}$, i.e., we let $[a] \in \mathbb {G}$ be an element in $\mathbb {G}$. Note that from a random $[a] \in \mathbb {G}$ it is generally hard to compute the value a (discrete logarithm problem in $\mathbb {G}$). Obviously, given $[a],[b] \in \mathbb {G}$ and a scalar $x \in \mathbb {Z}_p$, one can efficiently compute $[ax] \in \mathbb {G}$ and $[a+b] \in \mathbb {G}$.

Matrix Diffie-Hellman Assumption for prime-order groups. We recall the definition of the Matrix Decision Diffie-Hellman (MDDH) Assumption [11].

Definition 7

(Matrix Distribution). Let $k \in \mathbb {N}$. We call $\mathcal {D}_{k}$ a matrix distribution if it outputs matrices in $\mathbb {Z}_p^{(k+1) \times k}$ of full rank k in polynomial time.

W.l.o.g. we assume the first k rows of $\mathbf {A}\leftarrow _{\textsc {r}}\mathcal {D}_k$ form an invertible matrix. The $\mathcal {D}_{k}$-Matrix Diffie-Hellman problem is to distinguish the two distributions $([\mathbf {A}], [\mathbf {A}\varvec{w}])$ and $([\mathbf {A}],[\varvec{u}])$ where $\mathbf {A}\leftarrow _{\textsc {r}}\mathcal {D}_k$, $\varvec{w}\leftarrow _{\textsc {r}}\mathbb {Z}_p^k$ and $\varvec{u}\leftarrow _{\textsc {r}}\mathbb {Z}_p^{\ell }$.

Definition 8

($\mathcal {D}_k$-Matrix Diffie-Hellman ($\mathcal {D}_k$-MDDH) assumption in prime-order groups). Let $\mathcal {D}_k$ be a matrix distribution. The $\mathcal {D}_k$-Matrix Diffie-Hellman ($\mathcal {D}_k$-MDDH) assumption holds relative to $\mathsf {GGen}$ if for all PPT adversaries $\mathcal {A}$,

$$\begin{aligned} \mathbf {Adv}^{\mathcal {D}_k \text {-} \mathsf {mddh}}_{\mathsf {GGen},\mathcal {A}}(\lambda ) :=| \Pr [\mathcal {A}(\mathcal{G},[\mathbf {A}], [\mathbf {A}\varvec{w}])=1]-\Pr [\mathcal {A}(\mathcal{G},[\mathbf {A}], [\varvec{u}]) =1] |= \mathsf {negl}(\lambda ), \end{aligned}$$

where probabilities are over $\mathcal{G} \leftarrow _{\textsc {r}}\mathsf {GGen}(1^\lambda )$, $\mathbf {A}\leftarrow _{\textsc {r}}\mathcal {D}_k, \varvec{w}\leftarrow _{\textsc {r}}\mathbb {Z}_p^k, \varvec{u}\leftarrow _{\textsc {r}}\mathbb {Z}_p^{k+1}$.

Pairing groups. Let ${\mathsf {PGGen}}$ be a probabilistic polynomial time (PPT) algorithm that on input $1^\lambda $ returns a description $\mathcal {PG}=(\mathbb {G}_1,\mathbb {G}_2,q,g_1,g_2)$ of asymmetric pairing groups where $\mathbb {G}_1$, $\mathbb {G}_2$, $\mathbb {G}_T$ are cyclic group of order p for a $2 \lambda $-bit prime p, $g_1$ and $g_2$ are generators of $\mathbb {G}_1$ and $\mathbb {G}_2$, respectively, and $e: \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T$ is an efficiently computable (non-degenerate) bilinear map. Define $g_T := e(g_1, g_2)$, which is a generator of $\mathcal{G}_T$. We again use implicit representation of group elements. For $s \in {1, 2, T }$ and $a \in \mathbb {Z}_p$, define $[a]_s = g_s^a \in \mathcal{G}_s$ as the implicit representation of a in $G_s$ . Given $[a]_1$, $[a]_2$, one can efficiently compute $[ab]_T$ using the pairing e. For two matrices $\mathbf {A}$, $\mathbf {B}$ with matching dimensions define $e([\mathbf {A}]_1, [\mathbf {B}]_2 ) := [\mathbf {A}\mathbf {B}]_T \in \mathbb {G}_T$.

We define the $\mathcal {D}_k$-MDDH assumption in pairing groups similarly than in prime-order groups (see Definition 8).

Definition 9

($\mathcal {D}_k$-MDDH assumption in pairing groups). Let $\mathcal {D}_k$ be a matrix distribution. The $\mathcal {D}_k$-MDDH assumption holds relative to ${\mathsf {PGGen}}$ in $\mathbb {G}_s$, for $s \in \{1,2,T\}$, if for all PPT adversaries $\mathcal {A}$, the following is $\mathsf {negl}(\lambda )$:

$$\begin{aligned} \mathbf {Adv}^{\mathcal {D}_k \text {-} \mathsf {mddh}}_{\mathbb {G}_s,\mathcal {A}}(\lambda )&:=| \Pr [\mathcal {A}(\mathcal {PG},[\mathbf {A}]_s, [\mathbf {A}\varvec{w}]_s)=1]-\Pr [\mathcal {A}(\mathcal {PG},[\mathbf {A}]_s, [\varvec{u}]_s) =1] | \end{aligned}$$

where probabilities are over $\mathcal {PG}\leftarrow _{\textsc {r}}{\mathsf {PGGen}}(1^\lambda )$, $\mathbf {A}\leftarrow _{\textsc {r}}\mathcal {D}_k, \varvec{w}\leftarrow _{\textsc {r}}\mathbb {Z}_p^k, \varvec{u}\leftarrow _{\textsc {r}}\mathbb {Z}_p^{k+1}$.

Next, we recall a result on the uniform distribution over full-rank matrices:

Definition 10

(Uniform distribution). Let $\ell ,k\in \mathbb {N}$, with $\ell > k$. We denote by $\mathcal {U}_{\ell ,k}$ the uniform distribution over all full-rank $\ell \times k$ matrices over $\mathbb {Z}_p$.

Among all possible matrix distributions $\mathcal {D}_k$, the uniform matrix distribution $\mathcal {U}_{\ell ,k}$ is the hardest possible instance, so in particular k-Lin $\Rightarrow \mathcal {U}_k$-MDDH, as stated in Lemma 1.

Lemma 1

($\mathcal {D}_k$-MDDH $\Rightarrow \mathcal {U}_{\ell ,k}$-MDDH, [11]). Let $\ell ,k\in \mathbb {N}$ and $\mathcal {D}_k$ a matrix distribution. For any PPT adversary $\mathcal {A}$, there exists a PPT $\mathcal {B}$ such that

$$\begin{aligned} \mathbf {Adv}^{\mathcal {U}_{\ell ,k} \text {-} \mathsf {mddh}}_{\mathbb {G}_s,\mathcal {A}}(\lambda ) \le \mathbf {Adv}^{\mathcal {D}_k \text {-} \mathsf {mddh}}_{\mathbb {G}_s,\mathcal {B}}(\lambda ). \end{aligned}$$

3 From Single to Multi-Input FE for Inner Product

In this section, we give a generic construction of MIFE for inner product from any single-input FE $(\mathsf{Setup}, \mathsf{Enc}, {\mathsf {KeyGen}}, \mathsf{Dec})$ for the same functionality. More precisely, we show two transformations: the first one addresses FE schemes that compute the inner product functionality over a finite ring $\mathbb {Z}_L$ for some integer L, while the second transformation addresses FE schemes for bounded-norm inner product. The two transformations are almost the same, and the only difference is that in the case of bounded-norm inner product, we require additional structural properties on the single-input FE. Yet we stress that these properties are satisfied by all existing constructions. Both our constructions rely on a simple MIFE scheme that is one-AD-IND secure unconditionally. In particular, our constructions show how to use single-input FE in order to bootstrap the information-theoretic MIFE from one-time to many-time security.

3.1 Information-Theoretic MIFE with One-Time Security

Here we present the multi-input scheme $\mathcal {MIFE}^{\mathsf{ot}}$ for the class $\mathcal {F}_{L,n}^{m}$, and we prove its one-AD-IND security. The scheme is described in Fig. 1.

Theorem 1

The MIFE described in Fig. 1 is one-AD-IND secure. Namely, for any adversary $\mathcal {A}$, .

Proof overview. The proof of Theorem 1 has two main steps. First, we use the fact that any adaptive distinguisher against $\mathcal {MIFE}^{\mathsf{ot}}$ with advantage $\varepsilon $ can be transformed into a selective distinguisher with advantage $\varepsilon /|X|^2$ by randomly guessing the two challenge input vectors, where |X| is the size of the input space ($|X|=L^{nm}$ in our case). Then, in a second step, we show that any selective distinguisher against $\mathcal {MIFE}^{\mathsf{ot}}$ has advantage 0 since $\mathcal {MIFE}^{\mathsf{ot}}$ behaves as the FE equivalent of the one-time pad. Hence, it follows that any adaptive distinguisher must also have advantage 0.

Proof

Let $\mathcal {A}$ be an adversary against the one-AD-IND security of the MIFE. First, we use a complexity leveraging argument to build an adversary $\mathcal {B}$ such that:

The adversary $\mathcal {B}$ simply guesses the challenge $\{\varvec{x}_i^b\}_{i \in [n], b \in \{0,1\}}$ in advance, then simulates $\mathcal {A}$’s experiment using its own selective experiment. When $\mathcal {B}$ receives $\mathcal {A}$’s challenge, it checks if the guess was successful (call E that event): if it was, it continues simulating $\mathcal {A}$’s experiment, otherwise, it returns 0. When the guess is successful, $\mathcal {B}$ perfectly simulate $\mathcal {A}$’s view. Since event E happens with probability exactly $L^{-2nm}$, and is independent of the adversary $\mathcal {A}$’s view, we obtain .

It remains to prove that the MIFE presented in Fig. 1 satisfies perfect one-SEL-IND security, namely, for any adversary $\mathcal {B}$, . To do so, we introduce hybrid games $\mathsf {H}_\beta (1^\lambda ,\mathcal {B})$ described in Fig. 2. We prove that for all $\beta \in \{0,1\}$, $\mathsf {H}_\beta (1^\lambda ,\mathcal {B})$ is identical to the experiment . This can be seen using the fact that for all $\{\varvec{x}^\beta _i \in \mathbb {Z}^m\}_{i \in [n]}$, the following distributions are identical: $\{\varvec{u}_i \ \mathrm {mod}\ L\}_{i\in [n]}$ and $\{\varvec{u}_i - \varvec{x}^\beta _i \ \mathrm {mod}\ L\}_{i\in [n]}$, with $\varvec{u}_i \leftarrow _{\textsc {r}}\mathbb {Z}_L^{m}$. Recall that here $i \in [n]$ is an index for input slots. Note that the independence of the $\varvec{x}^\beta _i$ from the $\varvec{u}_i$ is only true in the selective security game. Finally, we show that $\mathcal {B}$’s view in $\mathsf {H}_\beta (1^\lambda ,\mathcal {B})$ is independent of $\beta $. Indeed, the only information about $\beta $ that leaks in this experiment is $\sum _i \langle \varvec{x}_i^\beta ,\varvec{y}_i \rangle $, which is independent of $\beta $ by definition of the security game. $\square $

Remark 2

(one-SEL-SIM security). As a result of independent interest, in the full version of the paper [3] we show that the MIFE presented in Fig. 1 satisfies perfect one-SEL-SIM security, which implies perfect one-SEL-IND (which itself implies perfect one-AD-IND security via complexity leveraging, as shown in the proof above).

Remark 3

(Linear homomorphism). We use the fact that $\mathsf {Enc}^{\mathsf{ot}}$ is linearly homomorphic, that is, for all input slots $i \in [n]$, $\varvec{x}_i, \varvec{x}'_i \in \mathbb {Z}_p^m$, $\varvec{u} \leftarrow \mathsf {Setup}^{\mathsf{ot}}(1^\lambda ,\mathcal {F}_{L,n}^{m})$, $\mathsf {Enc}^{\mathsf{ot}}(\varvec{u},i,\varvec{x}_i) + \varvec{x}'_i \ \mathrm {mod}\ L = \mathsf {Enc}^{\mathsf{ot}}(\varvec{u},i,\varvec{x}_i + \varvec{x}'_i)$. This property will be used when using the one-time scheme $\mathcal {MIFE}^{\mathsf{ot}}$ from Fig. 1 as a building block to obtain a full-fledged many-AD-IND MIFE.

3.2 Our Transformation for Inner Product over $\mathbb {Z}_L$

We present our multi-input scheme $\mathcal {MIFE}$ for the class $\mathcal {F}_{L, n}^{m}$ in Fig. 3. The construction relies on the one-time scheme $\mathcal {MIFE}^{\mathsf{ot}}$ of Fig. 1, and any single-input FE for the class $\mathcal {F}_{L, 1}^{m}$.

The correctness of $\mathcal {MIFE}$ follows from the correctness properties of the single-input scheme $\mathcal {FE}$ and the multi-input scheme $\mathcal {MIFE}^{\mathsf{ot}}$. Indeed, correctness of the former implies that, for all input slots $i\,{\in }\, [n]$, $D_i = \langle \varvec{w}_i, \varvec{y}_i \rangle $ $\ \mathrm {mod}\ L$, while correctness of $\mathcal {MIFE}^{\mathsf{ot}}$ implies that $\sum _{i\in [n]} D_i - z = \mathsf {Dec}^{\mathsf{ot}}(z, \varvec{w}_1, \ldots , \varvec{w}_n) = \sum _{i\in [n]} \langle \varvec{x}_i, \varvec{y}_i \rangle \ \mathrm {mod}\ L$.

For the security we state the following theorem:

Theorem 2

If the single-input FE, $\mathcal {FE}$ is many-AD-IND-secure, and the multi-input scheme $\mathcal {MIFE}^{\mathsf{ot}}$ is one-AD-IND-secure, then the multi-input FE, $\mathcal {MIFE}$, described in Fig. 3, is many-AD-IND-secure.

Since the proof of the above theorem is almost the same as the one for the case of bounded-norm inner product, we only provide an overview here, and defer to the proof of Theorem 3 for further details.

Proof overview. Here, for any input slot $i \in [n]$, we denote by $(\varvec{x}_i^{j,0},\varvec{x}_i^{j,1})$ the j’th query to $\mathsf{Enc}(i,\cdot ,\cdot )$, for any $j \in [Q_i]$, where $Q_i$ is the total number of queries to $\mathsf{Enc}(i,\cdot ,\cdot )$.

The proof is in two main steps. First, we switch encryptions of $\varvec{x}^{1,0}_1,\ldots ,\varvec{x}^{1,0}_n$ to those of $\varvec{x}^{1,1}_1,\ldots ,\varvec{x}^{1,1}_n$, using the one-AD-IND security of $\mathcal {MIFE}^{\mathsf{ot}}$. For the remaining ciphertexts, we switch from an encryption of $\varvec{x}^{j,0}_i = (\varvec{x}^{j,0}_i-\varvec{x}^{1,0}_i)+\varvec{x}^{1,0}_i$ to that of $(\varvec{x}^{j,0}_i-\varvec{x}^{1,0}_i)+\varvec{x}^{1,1}_i$. In this step we use the fact that one can compute an encryption of $\mathsf {Enc}^{\mathsf{ot}}(\varvec{u},i,(\varvec{x}^{j,0}_i-\varvec{x}^{1,0}_i)+\varvec{x}^{1,0}_i)$ from an encryption $\mathsf {Enc}^{\mathsf{ot}}(\varvec{u},i,\varvec{x}^{1,0}_i)$, because the encryption algorithm $\mathsf {Enc}^{\mathsf{ot}}$ of $\mathcal {MIFE}^{\mathsf{ot}}$ is linearly homomorphic (see Remark 3). Finally, we apply a hybrid argument across the slots to switch from encryptions of

$$(\varvec{x}^{2,0}_i-\varvec{x}^{1,0}_i)+\varvec{x}^{1,1}_i, \ldots , (\varvec{x}^{Q_i,0}_i-\varvec{x}^{1,0}_i)+\varvec{x}^{1,1}_i$$

to those of

$$(\varvec{x}^{2,1}_i-\varvec{x}^{1,1}_i)+\varvec{x}^{1,1}_i, \ldots , (\varvec{x}^{Q_i,1}_i-\varvec{x}^{1,1}_i)+\varvec{x}^{1,1}_i,$$

using the many-AD-IND security of $\mathcal {FE}$.

Instantiations. The construction in Fig. 3 can be instantiated using the single-input FE schemes of Agrawal et al. [5] that are many-AD-IND-secure and allow for computing inner products over a finite ring. Specifically, we obtain:

A MIFE for inner product over $\mathbb {Z}_p$ for a prime p, based on the LWE assumption. This is obtained by using the LWE-based scheme of Agrawal et al. [5, Sect. 4.2].
A MIFE for inner product over $\mathbb {Z}_N$ where N is an RSA modulus, based on the Composite Residuosity assumption. This is obtained by using the Paillier-based scheme of Agrawal et al. [5, Sect. 5.2].

We note that since both these schemes in [5] have a stateful key generation, our MIFE inherits this stateful property. Stateless MIFE instantiations are obtained from the transformation in the next section.

3.3 Our Transformation for Inner Product over $\mathbb {Z}$

Here we present our transformation for the case of bounded-norm inner product. In particular, in Fig. 4 we present a multi-input scheme $\mathcal {MIFE}$ for the class $\mathcal {F}_n^{m,X,Y}$ from the one-time scheme $\mathcal {MIFE}^{\mathsf{ot}}$ of Fig. 1, and a (single-input) scheme $\mathcal {FE}$ for the class $\mathcal {F}_1^{m,3X,Y}$.^{Footnote 7} For our transformation to work, we require $\mathcal {FE}$ to satisfy two properties. The first one, that we call two-step decryption, intuitively says that the $\mathcal {FE}$ decryption algorithm works in two steps: the first step uses the secret key to output an encoding of the result, while the second step returns the actual result $\langle \varvec{x}, \varvec{y} \rangle $ provided that the bounds $\Vert \varvec{x}\Vert _\infty < X$, $\Vert \varvec{y}\Vert _\infty < Y$ hold. The second property informally says that the $\mathcal {FE}$ encryption algorithm is additively homomorphic.

We note that the two-step property also says that the encryption algorithm accepts inputs $\varvec{x}$ such that $\Vert \varvec{x}\Vert _\infty > X$, yet correctness is guaranteed as long as the encrypted inputs are within the bound at the moment of invoking the second step of decryption.

Two-step decryption is formally defined as follows.

Property 1

(Two-step decryption). An FE scheme $\mathcal {FE}= (\mathsf{Setup}, \mathsf{Enc},$ ${\mathsf {KeyGen}}, \mathsf{Dec})$ satisfies two-step decryption if it admits PPT algorithms $\mathsf{Setup}^{\star },$ $\mathsf{Dec}_1, \mathsf{Dec}_2$ and an encoding function $\mathcal{E}$ such that:

1.
For all $\lambda ,m, n, X, Y \,{\in }\, \mathbb {N}$, $\mathsf{Setup}^{\star }(1^\lambda ,\mathcal {F}_1^{m,X,Y}, 1^{n})$ outputs $(\mathsf {msk}, \mathsf {mpk})$ where $\mathsf {mpk}$ includes a bound $B \in \mathbb {N}$, and the description of a group $\mathbb {G}$ (with group law $\circ $) of order $L > n \cdot m \cdot X\cdot Y$, which defines the encoding function $\mathcal{E}: \mathbb {Z}_L \times \mathbb {Z} \rightarrow \mathbb {G}$.
2.
For all $(\mathsf {msk},\mathsf {mpk}) \leftarrow \mathsf{Setup}^{\star }(1^\lambda ,\mathcal {F}_1^{m,X,Y}, 1^{n})$, $\varvec{x}\in \mathbb {Z}^m$, $\mathsf {ct}\leftarrow \mathsf{Enc}(\mathsf {msk},\varvec{x})$, $\varvec{y}\in \mathbb {Z}^m$, and ${\mathsf {sk}} \leftarrow {\mathsf {KeyGen}}(\mathsf {msk},\varvec{y})$, we have
$$\begin{aligned} \mathsf{Dec}_1(\mathsf {ct},{\mathsf {sk}}) = \mathcal{E}(\langle \varvec{x},\varvec{y} \rangle \ \mathrm {mod}\ L,\mathsf {noise}), \end{aligned}$$
for some $\mathsf {noise}\in \mathbb {N}$ that depends on $\mathsf {ct}$ and ${\mathsf {sk}}$. Furthermore, it holds that for all $\varvec{x}, \varvec{y}\in \mathbb {Z}^m$, $\Pr [\mathsf {noise}< B] = 1 - \mathsf {negl}(\lambda )$, where the probability is taken over the random coins of $\mathsf{Setup}^{\star }$, $\mathsf{Enc}$ and ${\mathsf {KeyGen}}$. Note that there is no restriction on the norm of $\langle \varvec{x},\varvec{y} \rangle $ here, and that we are assuming that $\mathsf{Enc}$ accepts inputs $\varvec{x}$ whose norm may be larger than the bound.
3.
Given any $\gamma \in \mathbb {Z}_L$, and $\mathsf {mpk}$, one can efficiently compute $\mathcal{E}(\gamma ,0)$.
4.
The encoding $\mathcal{E}$ is linear, that is: for all $\gamma , \gamma ' \in \mathbb {Z}_L, , \mathsf {noise}, \mathsf {noise}' \in \mathbb {Z}$, we have
$$\begin{aligned} \mathcal{E}(\gamma ,\mathsf {noise}) \circ \mathcal{E}(\gamma ',\mathsf {noise}') = \mathcal{E}(\gamma + \gamma ' \ \mathrm {mod}\ L, \mathsf {noise}+ \mathsf {noise}'). \end{aligned}$$
5.
For all $\gamma < n \cdot m \cdot X\cdot Y$, and $\mathsf {noise}< n \cdot B$, $\mathsf{Dec}_2\big (\mathcal{E}(\gamma ,\mathsf {noise})\big )=\gamma $.

The second property is as follows.

Property 2

(Linear encryption). For any FE scheme $\mathcal {FE}= (\mathsf{Setup}, \mathsf{Enc},{\mathsf {KeyGen}}, \mathsf{Dec})$ satisfying the two-step property, we define the following additional property. There exists a deterministic algorithm $\mathsf {Add}$ that takes as input a ciphertext and a message, such that for all $\varvec{x}, \varvec{x}' \in \mathbb {Z}^m$, the following are identically distributed:

Note that the value $L \in \mathbb {N}$ is defined as part of the output of the algorithm $\mathsf{Setup}^*$ (see the two-step property above). We later use a single input FE with this property as a building block for a multi-input FE (see Fig. 4); this property however is only used in the security proof of our transformation.

Instantiations. It is not hard to check that these two properties are satisfied by known functional encryption schemes for (bounded-norm) inner product. In particular, in the full version of the paper we show that this is satisfied by the many-AD-IND secure FE schemes of Agrawal et al. [5].^{Footnote 8} This allows us to obtain MIFE schemes for bounded-norm inner product based on a variety of assumptions such as plain DDH, Decisional Composite Residuosity, and LWE. In addition to obtaining the first schemes without the need of pairing groups, we also obtain schemes where decryption works efficiently even for large outputs. This stands in contrast to the previous result [4], where decryption requires to extract discrete logarithms.

Correctness. The correctness of the scheme $\mathcal {MIFE}$ follows from (i) the correctness and Property 1 (two-step decryption) of the single-input scheme, and (ii) from the correctness of $\mathcal {MIFE}^{\mathsf{ot}}$ and the linear property of its decryption algorithm $\mathsf {Dec}^{\mathsf{ot}}$.

More precisely, consider any vector $\varvec{x}:= (\varvec{x}_1 \Vert \cdots \Vert \varvec{x}_n) \in (\mathbb {Z}^m)^n$, $\varvec{y}\in \mathbb {Z}^{m n}$, such that $\Vert \varvec{x}\Vert _\infty < X$, $\Vert \varvec{y}\Vert _\infty < Y$, and let $(\mathsf {mpk},\mathsf {msk}) \leftarrow \mathsf{Setup}'(1^\lambda ,\mathcal {F}_n^{m,X,Y})$, ${\mathsf {sk}}_{\varvec{y}} \leftarrow {\mathsf {KeyGen}}'(\mathsf {msk},\varvec{y})$, and $\mathsf {ct}_i \leftarrow \mathsf{Enc}'(\mathsf {msk},i,\varvec{x}_i)$ for all $i \in [n]$.

By (2) of Property 1, the decryption algorithm $\mathsf{Dec}'({\mathsf {sk}}_{\varvec{y}}, \mathsf {ct}_1,\ldots ,\mathsf {ct}_n)$ computes $\mathcal{E}(\langle \varvec{w}_i,\varvec{y}_i \rangle \ \mathrm {mod}\ L,\mathsf {noise}_i) \leftarrow \mathsf{Dec}_1({\mathsf {sk}}_i, \mathsf {ct}_i)$ where for all $i \in [n]$, $\mathsf {noise}_i < B$, with probability $1-\mathsf {negl}(\lambda )$.

By (4) of Property 1 (linearity of $\mathcal{E}$), and the correctness of $\mathcal {MIFE}^{\mathsf{ot}}$ we have:

$$\begin{aligned}&\mathcal{E}(\langle \varvec{w}_1,\varvec{y}_1 \rangle \ \mathrm {mod}\ L,\mathsf {noise}_1) \circ \cdots \circ \mathcal{E}(\langle \varvec{w}_n,\varvec{y}_n \rangle \ \mathrm {mod}\ L,\mathsf {noise}_n) \circ \mathcal{E}(- z,0) \\&= \mathcal{E}\left( \mathsf {Dec}^{\mathsf{ot}}(z, \varvec{w}_1, \ldots , \varvec{w}_n), \sum _{i \in [n]}\mathsf {noise}_i\right) = \mathcal{E}\left( \langle \varvec{x},\varvec{y} \rangle \ \mathrm {mod}\ L, \sum _{i \in [n]}\mathsf {noise}_i\right) . \end{aligned}$$

Since $\langle \varvec{x},\varvec{y} \rangle< n \cdot m \cdot X \cdot Y < L$ and $\sum _{i \in [n]} \mathsf {noise}_i < n \cdot B$, we have

$$\begin{aligned} \mathsf{Dec}_2\big (\mathcal{E}(\langle \varvec{x},\varvec{y} \rangle \ \mathrm {mod}\ L, \sum _{i \in [n]}\mathsf {noise}_i)\big ) = \langle \varvec{x},\varvec{y} \rangle , \end{aligned}$$

by (5) of Property 1.

Proof of Security. In the following theorem we show that our construction is a many-AD-IND-secure MIFE, assuming that the underlying single-input FE scheme is many-AD-IND-secure, and the scheme $\mathcal {MIFE}^{\mathsf{ot}}$ is one-AD-IND secure.

Theorem 3

Assume that the single-input FE is many-AD-IND-secure and the multi-input FE $\mathcal {MIFE}^{\mathsf{ot}}$ is one-AD-IND-secure. Then the multi-input FE $\mathcal {MIFE}$ in Fig. 4 is many-AD-IND-secure. Namely, for any PPT adversary $\mathcal {A}$, there exist PPT adversaries $\mathcal {B}$ and $\mathcal {B}'$ such that

Proof

of Theorem 3. The proof proceeds by a sequence of games where $\mathsf {G}_{0}$ is the experiment. A formal description of all the experiments used in this proof is given in Fig. 6, and a high-level summary is provided in Fig. 5. For any game $\mathsf {G}_{i}$, we denote by $\mathbf {Adv}_i(\mathcal {A})$ the advantage of $\mathcal {A}$ in $\mathsf {G}_{i}$, that is, $\Pr [\mathsf {G}_{i}(1^\lambda ,\mathcal {A}) = 1]$, where the probability is taken over the random coins of $\mathsf {G}_{i}$ and $\mathcal {A}$. In what follows we adopt the same notation from [4] for queried plaintexts, namely $(\varvec{x}_i^{j,0},\varvec{x}_i^{j,1})$ denotes the j-th encryption query on the i-th slot.

Game $\mathsf {G}_{1}$: Here we change the way the challenge ciphertexts are created. In particular, for all slots and all queries simultaneously, we switch from $\mathsf{Enc}'(\mathsf {msk},i, \varvec{x}_i^{j,0}-\varvec{x}_i^{1,0} +\varvec{x}_i^{1,0})$ to $\mathsf{Enc}'(\mathsf {msk},i, \varvec{x}_i^{j,0}-\varvec{x}_i^{1,0} +\varvec{x}_i^{1,1})$.

$\mathsf {G}_{1}$ can be proved indistinguishable from $\mathsf {G}_{0}$ by relying on the one-time security of the multi-input scheme. More formally,

Lemma 2

There exists a PPT adversary $\mathcal {B}_1$ against the one-AD-IND security of $\mathcal {MIFE}^{\mathsf{ot}}$ scheme such that

Proof

Here we replace encryptions of $\varvec{x}_i^{j,0}-\varvec{x}_i^{1,0} +\varvec{x}_i^{1,0}$ with encryptions of $\varvec{x}_i^{j,0}-\varvec{x}_i^{1,0} +\varvec{x}_i^{1,1}$ in all slots simultaneously. Recall that here, j is the index of the encryption query while i is the index for the slot. The argument relies on the one-AD-IND security of the multi-input scheme $\mathcal {MIFE}^{\mathsf{ot}}$ and on the fact that ciphertexts produced by the latter can be used as plaintext for the underlying single input FE scheme $\mathcal {FE}$ that we are using as additional basic building block.

More in details, we build the adversary $\mathcal {B}_1$ so that it simulates $\mathsf {G}_{\beta }$ to $\mathcal {A}$ when interacting with experiment .

Initially $\mathcal {B}_1$ does not receive anything, since the one-AD-IND information-theoretically secure MIFE does not have any public key. For all $i \in [n]$ it runs $\left( \mathsf {mpk}_i, \mathsf {msk}_i \right) \leftarrow \mathsf{Setup}^{\star }(1^\lambda ,\mathcal {F}_1^{m,3X,Y}, 1^{n})$, and hands the public parameters to $\mathcal {A}$. Also, whenever $\mathcal {A}$ queries a secret key, $\mathcal {B}_1$ first queries its own oracle (on the same input) to get a corresponding key z. Next, for all $i \in [n]$, it sets ${\mathsf {sk}}_i \leftarrow {\mathsf {KeyGen}}(\mathsf {msk}_i,\varvec{y}_i)$ and gives back to $\mathcal {A}$ the secret key ${\mathsf {sk}}_{\varvec{y}_1 \Vert \cdots \Vert \varvec{y}_n} := \left( \{{\mathsf {sk}}_i\}_{i \in [n]},z \right) $.

When $\mathcal {A}$ asks encryption queries, $\mathcal {B}_1$ proceeds as follows. For each slot i, when receiving the first query $(i,\varvec{x}_i^{1,0},\varvec{x}_i^{1,1})$, it computes the challenge ciphertext, for slot i, by invoking its own encryption oracle on the same input. Calling $\varvec{w}_i^{1} := \mathsf {Enc}^{\mathsf{ot}}(\varvec{u},i,\varvec{x}_i^{1,\beta })$ the received ciphertext, $\mathcal {B}_1$ computes $\mathsf {ct}_i^{1}= \mathsf{Enc}(\mathsf {msk}_i,\varvec{w}_i^{1}) = \mathsf{Enc}'(\mathsf {msk},i,\varvec{x}_i^{1,\beta })$.

Subsequent queries, on slot i, are answered as follows. $\mathcal {B}_1$ produces $\mathsf {ct}_i^{j}$ (for $j>1$) by encrypting $\varvec{x}_i^{j,0}-\varvec{x}_i^{1,0} + \varvec{w}_i^{1} \bmod L$, using $\mathsf {msk}_i$. Note that $\mathsf {Enc}^{\mathsf{ot}}$ is linearly homomorphic (see Remark 3), thus, $\varvec{x}_i^{j,0}-\varvec{x}_i^{1,0} + \varvec{w}_i^{1} \bmod L = \mathsf {Enc}^{\mathsf{ot}}(\varvec{u},i,\varvec{x}_i^{1,\beta } + \varvec{x}_i^{j,0}-\varvec{x}_i^{1,0})$.

Finally, $\mathcal {B}_1$ outputs 1 iff $\mathcal {A}$ outputs 1. One can see that $\mathcal {B}_1$ provides a perfect simulation to $\mathcal {A}$ and thus:

$\square $

Game $\mathsf {G}_{2}$: Here we change again the way the challenge ciphertexts are created. In particular, for all slots i and all queries j, we switch $\mathsf {ct}_i^{j}$ from $\mathsf{Enc}'(\mathsf {msk},i, \varvec{x}_i^{j,0}-\varvec{x}_i^{1,0} +\varvec{x}_i^{1,1})$ to $\mathsf{Enc}'(\mathsf {msk},i, \varvec{x}_i^{j,1}-\varvec{x}_i^{1,1} +\varvec{x}_i^{1,1})$.

$\mathsf {G}_{2}$ can be proved indistinguishable from $\mathsf {G}_{1}$ via an hybrid argument over the n slots, relying on the security of the underlying single-input scheme.

By looking at the games defined in Fig. 6, one can see that

$$|\mathbf {Adv}_1(\mathcal {A})-\mathbf {Adv}_2(\mathcal {A})| = \sum _{\ell =1}^{n} |\mathbf {Adv}_{1,\ell -1}(\mathcal {A})-\mathbf {Adv}_{1,\ell }(\mathcal {A})|$$

since $\mathsf {G}_{1}$ corresponds to game $\mathsf {G}_{1.0}$ and whereas $\mathsf {G}_{2}$ is identical to game $\mathsf {G}_{1.n}$.

Therefore, for every $\ell $ we bound the difference between each consecutive pair of games in the following lemma:

Lemma 3

For every $\ell \in [n]$, there exists a PPT adversary $\mathcal {B}_{1{.}\ell }$ against the many-AD-IND security of the single-input scheme $\mathcal {FE}$ such that

Proof

Here, we replace encryptions of $\varvec{x}_i^{j,0}-\varvec{x}_i^{1,0} +\varvec{x}_i^{1,1}$ with encryptions of $\varvec{x}_i^{j,1}-\varvec{x}_i^{1,1} +\varvec{x}_i^{1,1}$ in all slots. Let us recall that j is the index of the encryption query while i is the index for the slot. The argument relies on (1) the many-AD-IND security of the underlying single input scheme $\mathcal {FE}:= (\mathsf{Setup},{\mathsf {KeyGen}},\mathsf{Enc},\mathsf{Dec})$, (2) the fact that $\mathsf{Enc}$ satisfies Property 2 (linear encryption), and (3) the restrictions imposed by the security game (see [4]). As for this latter point we notice that, indeed, the security experiment restriction in the case of the inner product functionality imposes that $\langle \varvec{x}_i^{j,0}-\varvec{x}_i^{1,0}, \varvec{y}_i\rangle =\langle \varvec{x}_i^{j,1}-\varvec{x}_i^{1,1}, \varvec{y}_i\rangle $, for all slots $i \in [n]$. In our scheme this becomes $\langle \varvec{x}_i^{j,0}-\varvec{x}_i^{1,0}, \varvec{y}_i\rangle \bmod L =\langle \varvec{x}_i^{j,1}-\varvec{x}_i^{1,1}, \varvec{y}_i\rangle \bmod L$, which in turn is equivalent to

$$ \langle \varvec{x}_i^{j,0}-\varvec{x}_i^{1,0} +\varvec{x}_i^{1,1} + \varvec{u}_{i}, \varvec{y}_i\rangle \bmod L= \langle \varvec{x}_i^{j,1}-\varvec{x}_i^{1,1} +\varvec{x}_i^{1,1} + \varvec{u}_{i}, \varvec{y}_i\rangle \bmod L. $$

More formally, we build an adversary $\mathcal {B}_{1{.}\ell }$ that simulates $\mathsf {G}_{1{.}\ell -1+\beta }$ to $\mathcal {A}$ when interacting with the experiment .

$\mathcal {B}_{1{.}\ell }$ starts by receiving a public key for the scheme $\mathcal {FE}$, which is set to be the key $\mathsf {mpk}_{\ell }$ for the $\ell $-th instance of $\mathcal {FE}$. Next, it runs $\varvec{u}\leftarrow \mathsf {Setup}^{\mathsf{ot}}$, and for all $i\ne \ell $, it runs $\mathsf{Setup}^{\star }$ to get $(\mathsf {mpk}_i,\mathsf {msk}_i)$. It gives $(\mathsf {mpk}_1, \ldots , \mathsf {mpk}_n)$ to $\mathcal {A}$.

$\mathcal {B}_{1{.}\ell }$ answers secret key queries $\varvec{y}=\varvec{y}_1||\ldots ||\varvec{y}_n$ by first running ${\mathsf {sk}}_{i}\leftarrow {\mathsf {KeyGen}}(\mathsf {msk}_i,y_i)$ for $i\ne \ell $. Also it invokes its own key generation oracle on $\varvec{y}_\ell $, to get ${\mathsf {sk}}_{\ell }$. Finally, it computes $z \leftarrow \mathsf {KeyGen}^{\mathsf{ot}}(\varvec{u},\varvec{y}_1||\ldots ||\varvec{y}_n)$ (recall that $\mathcal {B}_{1{.}\ell }$ knows $\varvec{u}$). This key material is then sent to $\mathcal {A}$.

$\mathcal {B}_{1{.}\ell }$ answers encryption queries $(i,\varvec{x}_i^{j,0},\varvec{x}_i^{j,1})$ to $\mathsf{Enc}'$ as follows.
If $i<\ell $, it computes $\mathsf{Enc}(\mathsf {msk}_i,\mathsf {Enc}^{\mathsf{ot}}(\varvec{u}, i, \varvec{x}_i^{j,1}))$.
If $i>\ell $, it computes $\mathsf{Enc}(\mathsf {msk}_i,\mathsf {Enc}^{\mathsf{ot}}(\varvec{u}, i, \varvec{x}_i^{j,0} -\varvec{x}_i^{1,0}+\varvec{x}_i^{1,1}))$.
If $i=\ell $, at the j-th encryption query on slot $\ell $, $\mathcal {B}_{1{.}\ell }$ queries its own oracle on input $(\varvec{x}_\ell ^{j,0}-\varvec{x}_\ell ^{1,0}+\varvec{x}_\ell ^{1,1}, \varvec{x}_\ell ^{j,1}-\varvec{x}_\ell ^{1,1}+\varvec{x}_\ell ^{1,1})$ (note that these vectors have norm less than 3X, and as such, are valid input to the encryption oracle), to get back $\mathsf {ct}^j_* := \mathsf{Enc}\big (\mathsf {msk}_\ell ,\varvec{x}_\ell ^{j,\beta }-\varvec{x}_\ell ^{1,\beta }+\varvec{x}_\ell ^{1,1}\big )$ from the experiment . Then, $\mathcal {B}_{1{.}\ell }$ computes $\mathsf {ct}_{\ell }^{j} := \mathsf {Add}(\mathsf {ct}^j_*,\varvec{u}_\ell )$, and sends it to $\mathcal {A}$.

Note that by Property 2 $\mathsf {ct}_{\ell }^{j}$ is identically distributed to $\mathsf{Enc}\big (\mathsf {msk}_\ell ,\varvec{x}_\ell ^{j,\beta }-\varvec{x}_\ell ^{1,\beta }+\varvec{x}_\ell ^{1,1} + \varvec{u}_{\ell } \ \mathrm {mod}\ L\big )$, the latter being equal to $\mathsf{Enc}\big (\mathsf {msk}_\ell ,\mathsf {Enc}^{\mathsf{ot}}(\varvec{x}_\ell ^{j,\beta }-\varvec{x}_\ell ^{1,\beta }+\varvec{x}_\ell ^{1,1})\big )$. Also, we remark that because $\mathcal {B}_{1{.}\ell }$ plays in the many-AD-IND security game, it can make several queries to its encryption oracle, which means that every $\mathsf {ct}^j_{*}$ obtained from the oracle is encrypted under fresh randomness $r_{j}$, i.e., $\mathsf {ct}^j_* := \mathsf{Enc}\big (\mathsf {msk}_\ell ,\varvec{x}_\ell ^{j,\beta }-\varvec{x}_\ell ^{1,\beta }+\varvec{x}_\ell ^{1,1};r_{j}\big )$. Therefore, the simulated ciphertext $\mathsf {ct}_{\ell }^{j}$ uses randomness $r_{j}$ which is independent of the randomness $r_{j^{\prime }}$ used in $\mathsf {ct}_{\ell }^{j^{\prime }}$, for all $j\ne j^\prime $. This means $\mathsf {ct}_{\ell }^{j}$ is distributed as in game $\mathsf {G}_{1{.}\ell -1+\beta }$.

Finally, $\mathcal {B}_{1{.}\ell }$ outputs the same bit $\beta '$ returned by $\mathcal {A}$. Thus:

$$\begin{aligned} \left| \mathbf {Adv}_{1{.}\ell -1}(\mathcal {A})-\mathbf {Adv}_{1{.}\ell }(\mathcal {A}) \right| \le \mathsf {Adv}^{many\hbox {-}AD\hbox {-}IND}_{\mathcal {FE},\mathcal {B}_{1{.}\ell }}(\lambda ). \end{aligned}$$

$\square $

The proof of Theorem 3 follows by combining the bounds obtained in the previous lemmas. $\square $

4 Function-Hiding Multi-Input FE for Inner Product

In this section, we give a function-hiding MIFE. We transform the MIFE for inner product proposed by Abdalla et al. in [4] into a function-hiding scheme, using a double layered encryption approach, similar to the one of Lin [13]. Namely, in Sect. 4.1, we give a generic construction that use any single-input FE on top of the MIFE from [4], which can prove selectively secure. Unlike the results in Sect. 3 that can be instantiated without pairings, for function-hiding we rely on pairing groups. Finally, in Sect. 4.2, we prove adaptive security, considering a specific instantiation of our construction.

Our construction. We present our function-hiding scheme $\mathcal {MIFE}$ in Fig. 8. The construction relies on the multi-input scheme $\mathcal {MIFE}'$ of Abdalla et al. [4] (recalled in Fig. 7), used together with any one-SEL-SIM secure, single-input FE for the functionality

where

$$\begin{aligned} f_{[\varvec{y}]_1}([\varvec{x}]_2) := \left[ \langle \varvec{x}, \varvec{y} \rangle \right] _T, \end{aligned}$$

$\mathcal {PG}:=(\mathbb {G}_1,\mathbb {G}_2,p,g_1,g_2)$ is a pairing group, and $\ell $ is the size of the ciphertext and secret keys in $\mathcal {MIFE}'$.

Concretely, we use the single-input FE from [5], generalized to the MDDH assumption, whose one-SEL-SIM security is proven in [4, 17], and whose description is recalled in the full version of the paper. Note that this single-input FE happens to be public-key, but this is not a property that we need for our overall MIFE.

Outline of the construction. Our starting point is the MIFE scheme for inner-products from [4], denoted by $\mathcal {\mathcal {MIFE}}':=(\mathsf{Setup}',\mathsf{Enc}',{\mathsf {KeyGen}}',\mathsf{Dec}')$ and recalled in Fig. 7. This scheme is clearly not function-hiding, as the vector $\varvec{y}$ is given in the clear as part of functional secret key, in order to make decryption possible. In order to avoid the leakage of $\varvec{y}$, we employ an approach similar to the one proposed in [13], which intuitively consists into adding a layer of encryption on top of the MIFE keys and ciphertexts; this is done by using a single-input inner product encryption scheme $\mathcal {FE}$. Slightly more in detail, using the $\mathcal {FE}$ and $\mathcal {\mathcal {MIFE}}'$ schemes, we design our new function-hiding multi-input scheme $\mathcal {\mathcal {MIFE}}$ as follows.

We generate master keys $(\mathsf {mpk}_{i},\mathsf {msk}_{i})\leftarrow \mathcal {FE}{.}\mathsf{Setup}(1^\lambda ,\mathcal {F}_{\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T}^{\ell })$ for computing inner products on vectors of dimension $\ell $, where $\ell $ is the size of the ciphertexts and secret keys of $\mathcal {MIFE}'$. To encrypt $\varvec{x}_i \in \mathbb {Z}_p^m$ for each slot $i \in [n]$, we first compute $[\mathsf {ct}^{\mathsf {in}}_i]_1$ using $\mathcal {MIFE}'$, and then we compute $\mathsf {ct}_{i}^{\mathsf {out}}:=\mathcal {FE}{.}{\mathsf {KeyGen}}(\mathsf {msk}_{i},[\mathsf {ct}_{i}^{\mathsf {in}}]_1)$. To generate a key for $\varvec{y}:= (\varvec{y}_1\Vert \cdots \Vert \varvec{y}_n) \in \mathbb {Z}_p^{nm}$, we first compute the keys ${\mathsf {sk}}^\mathsf {in}$ from $\mathcal {MIFE}'$, and then we would like to encrypt these keys using $\mathcal {FE}$ in order to hide information about $\varvec{y}$. A generic way to do it would be to set our secret key to be $\mathsf{Enc}(\mathsf {msk}_i,{\mathsf {sk}}^\mathsf {in})$, for all possible $i \in [n]$, so that we can compute the inner product of $[\mathsf {ct}^\mathsf {in}_i]_1$ with ${\mathsf {sk}}^\mathsf {in}$ for all $i \in [n]$. But that would yield keys of size $O(n^2m)$, since the key ${\mathsf {sk}}^\mathsf {in}$ itself is of size O(nm). We can do better, however. If we consider the specific $\mathcal {MIFE}'$ scheme from [4], a secret key ${\mathsf {sk}}^\mathsf {in}$ for $\varvec{y}$ consists of the components $([{\mathsf {sk}}_{1}^{\mathsf {in}}\Vert \ldots \Vert {\mathsf {sk}}^{\mathsf {in}}_{n}]_2, [z]_T)$, where each $[{\mathsf {sk}}_i^{\mathsf {in}}]_2$ only depends on $\varvec{y}_i$ and is of size O(m), while $[z]_T \in \mathbb {G}_T$ does not depend on $\varvec{y}$ at all. Hence, we encrypt each vectors $[{\mathsf {sk}}_{i}^{\mathsf {in}}]_2$ to obtain ${\mathsf {sk}}_{i}^{\mathsf {out}}:=\mathcal {FE}{.}\mathsf{Enc}(\mathsf {mpk}_{i},[{\mathsf {sk}}_{i}^{\mathsf {in}}]_2)$, which gives us a secret key ${\mathsf {sk}}^{\mathsf {out}} := \Big (\{{\mathsf {sk}}_i^{\mathsf {out}}\}_{i \in [n]}, [z]_T \Big )$ of total size O(nm).

This way, decrypting the outer layer as $\mathcal {FE}{.}\mathsf{Dec}({\mathsf {sk}}_{i}^{\mathsf {out}}, \mathsf {ct}_{i}^{\mathsf {out}})$ yields $[\langle {\mathsf {sk}}_{i}^{\mathsf {in}}, \mathsf {ct}_{i}^{\mathsf {in}} \rangle ]_T$, which is what needs to be computed in the $\mathcal {\mathcal {MIFE}}'$ decryption algorithm $\mathsf{Dec}'$. More precisely, correctness of $\mathcal {MIFE}$ follows from the correctness of $\mathcal {\mathcal {MIFE}}'$, and the structural requirement of $\mathcal {FE}{.}\mathsf{Dec}$ that is used in the $\mathcal {MIFE}'$ decryption algorithm, namely:

$$ \begin{aligned}&\mathcal {\mathcal {MIFE}}{.}\mathsf{Dec}(\{{\mathsf {sk}}^{\mathsf {out}}_i\}_{i \in [n]},[z]_T,\{\mathsf {ct}^{\mathsf {out}}_{i}\}_{i \in [n]})\\&=\prod _{i=1}^{n}\mathcal {FE}{.}\mathsf{Dec}(\mathsf {ct}^{\mathsf {out}}_{i},{\mathsf {sk}}_{i}^{\mathsf {out}})/[z]_T=\prod _{i=1}^{n}[\langle {\mathsf {sk}}_{i}^{\mathsf {in}} , \mathsf {ct}_{i}^{\mathsf {in}} \rangle ]_T/[z]_T \\&=\mathcal {\mathcal {MIFE}}'{.}\mathsf{Dec}(\{[{\mathsf {sk}}^{\mathsf {in}}_i]_2\}_{i \in [n]},[z]_T,\{[\mathsf {ct}_{i}^{\mathsf {in}}]_1\}_{i \in [n]}). \end{aligned} $$

Definition 11

(one-SEL-SIM-secure FE). A single-input functional encryption $\mathcal {FE}$ for the functionality $\mathcal {F}_{\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T}^{\ell }$ is one-SEL-SIM-secure if there exist PPT simulator algorithms $(\widetilde{\mathsf{Setup}},\widetilde{\mathsf{Enc}},\widetilde{{\mathsf {KeyGen}}})$ such that for every PPT (stateful) adversary $\mathcal {A}$ and every $\lambda \in \mathbb {N}$, the following two distributions are computationally indistinguishable:

The oracle $\mathcal {O}(\cdot )$ in the ideal experiment above is given access to another oracle that, given $[\varvec{y}]_1 \in \mathcal {F}_{\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T}^{\ell }$, returns $\left[ \langle \varvec{x}, \varvec{y} \rangle \right] _1$, and then $\mathcal {O}(\cdot )$ returns $\widetilde{{\mathsf {KeyGen}}}\left( \widetilde{\mathsf {msk}},[\varvec{y}]_1,\left[ \langle \varvec{x}, \varvec{y} \rangle \right] _1\right) $.

For every stateful adversary $\mathcal {A}$, we define its advantage as

and we require that for every PPT $\mathcal {A}$, there exists a negligible function $\mathsf {negl}$ such that for all $\lambda \in \mathbb {N}$, .

4.1 Proof of Selective Security

In the following theorem we state the selective security of our scheme $\mathcal {MIFE}$. Precisely, the theorem proves that our scheme is weakly function-hiding. We stress that this does not entail any limitation in the final result, as full-fledged function-hiding can be achieved in a generic way via a simple transformation, proposed in [14] (for single-input FE). The main idea is to work with slightly larger vectors where both input vectors $\varvec{x}$ and secret-key vectors $\varvec{y}$ are padded with zeros. In the full version of the paper we show how to do this transformation in the multi-input setting.

Theorem 4

(many-SEL-wFH-IND security). Let $\mathcal {MIFE}'$ be the many-SEL-IND secure multi-input FE from Fig. 7. Suppose the single-input $\mathcal {FE}:=(\mathcal {FE}{.}\mathsf{Setup},\mathcal {FE}{.}\mathsf{Enc},\mathcal {FE}{.}{\mathsf {KeyGen}},\mathcal {FE}{.}\mathsf{Dec})$ is one-SEL-SIM-secure. Then the multi-input scheme $\mathcal {MIFE}:=(\mathsf{Setup},\mathsf{Enc},{\mathsf {KeyGen}},\mathsf{Dec})$ in Fig. 8 is many-SEL-wFH-IND-secure.

Proof Overview. The proof is done via a hybrid argument that consists of two main phases: we first switch the ciphertexts from encryptions of $\varvec{x}_{i}^{j_{i},0}$ to encryptions of $\varvec{x}_{i}^{j_{i},1}$ for all slots $i \in [n]$, and ciphertext queries $j_i \in [Q_i]$, where $Q_i$ denotes the number of ciphertext query on the i’th slot. This change is justified by the many-SEL-IND security of the underlying $\mathcal {MIFE}'$ in a black box manner. In addition, this change relies on the weak-function-hiding property that imposes the constraints $\sum _{i=1}^{n}\langle \varvec{x}_{i}^{j_{i},0},\varvec{y}_{i}^{j_f,0} \rangle =\sum _{i=1}^{n}\langle \varvec{x}_{i}^{j_{i},1},\varvec{y}_{i}^{j_f,0} \rangle $, for all secret key queries $j_f \in [Q_f]$, where $Q_f$ denotes the number of secret key queries, which thus disallow the adversary from trivially distinguishing the two games.

The second main change in the proof is to switch the decryption keys from keys corresponding to $\varvec{y}_{1}^{j,0}\Vert \ldots \Vert \varvec{y}_{n}^{j,0}$ to keys corresponding to $\varvec{y}_{1}^{j,1}\Vert \ldots \Vert \varvec{y}_{n}^{j,1}$ for every $j \in [Q_f]$. This in turn requires a hybrid argument over all decryption keys, changing one key at a time. To switch the $\rho $’th key, we use the selective simulation security of the underlying $\mathcal {FE}$ to embed the value $\langle \varvec{x}_{i}^{j,1},\varvec{y}_{i}^{\rho ,\beta } \rangle +\langle \varvec{r}^{\rho },\varvec{z}_{i} \rangle $ in the ciphertexts $\mathsf {ct}_{i}^{j}$, for all slots $i \in [n]$ and all $j \in [Q_i]$. Next, we use the $\mathcal {D}_{k}$-MDDH assumption to argue that $[\langle \varvec{r}^{\rho },\varvec{z}_{i} \rangle ]_{T}$ is indistinguishable from a uniform random value and thus perfectly hides $\langle \varvec{x}_{i}^{1,1},\varvec{y}_{i}^{\rho ,\beta } \rangle $ for the first ciphertext of each slot: $\mathsf {ct}_i^1$. For all the other remaining $\langle \varvec{x}_{i}^{j,1},\varvec{y}_{i}^{\rho ,\beta } \rangle $, for $j \in [Q_i]$, $j>1$, we use the fact that $\langle \varvec{x}_{i}^{j,1} - \varvec{x}_{i}^{1,1},\varvec{y}_{i}^{\rho .0} \rangle = \langle \varvec{x}_{i}^{j,1} - \varvec{x}_{i}^{1,1},\varvec{y}_{i}^{\rho .1} \rangle $, as implied by the game’s restrictions.

Proof

of Theorem 4. We proceed via a series of Games $\mathsf {G}_{0},\mathsf {G}_{1},\mathsf {G}_{1{.}\rho }$, for $\rho \in [Q_f+1]$, described in Fig. 10. An overview is provided in Fig. 9. Let $\mathcal {A}$ be a PPT adversary, and $\lambda \in \mathbb {N}$ be the security parameter. We denote by ${\mathsf {Adv}}_{\mathsf {G}_{i}}(\mathcal {A})$ the advantage of $\mathcal {A}$ in game $\mathsf {G}_{i}$.

$\varvec{\mathsf {G}_{0}}$: is the experiment (see Definition 6).
$\varvec{\mathsf {G}_{1}}$: we replace the inner encryption of $\varvec{x}^{j,0}_i$ by encryptions of $\varvec{x}^{j,1}_i$, for all $i\in [n]$, $j \in [Q_i]$, using the many-SEL-IND security of $\mathcal {MIFE}'$. This is possible due to the weak function-hiding constraint, which states in particular that $\sum _{i=1}^{n}\langle \varvec{x}_{i}^{j_i,0},\varvec{y}_{i}^{j_f,0} \rangle =\sum _{i=1}^{n}\langle \varvec{x}_{i}^{j_i,1},\varvec{y}_{i}^{j_f,0} \rangle $, for all indices $j_{i} \in [Q_i],j_f \in [Q_f]$.
$\varvec{\mathsf {G}_{1{.}\rho }}$: for the first $\rho -1$ queries to ${\mathsf {KeyGen}}$, we replace inner secret key ${\mathsf {KeyGen}}'\big (\mathsf {msk}',\varvec{y}^0_1 \Vert \cdots \Vert \varvec{y}^0_n\big )$, by ${\mathsf {KeyGen}}'\big (\mathsf {msk}',\varvec{y}^1_1 \Vert \cdots \Vert \varvec{y}^1_n\big )$. Note that $\mathsf {G}_{1}$ is the same as $\mathsf {G}_{1.1}$, and $\mathsf {G}_{1.Q_f+1}$ is the same as .

We prove $\mathsf {G}_{0} \approx _c \mathsf {G}_{1}$ in Lemma 4, and $\mathsf {G}_{1{.}\rho } \approx _c\mathsf {G}_{1{.}\rho +1}$ for all $\rho \in [Q_f]$ in Lemma 5.$\square $

Lemma 4

($\mathsf {G}_{0}$ to $\mathsf {G}_{1}$). There exists a PPT adversary $\mathcal {B}_1$ such that

Proof

In order to show that we can switch $\varvec{x}_{i}^{j,0}$ to $\varvec{x}_{i}^{j,1}$, we rely on the security of the underlying $\mathcal {\mathcal {MIFE}}'$ scheme. Intuitively, adding an additional layer of encryption on the decryption keys ${\mathsf {sk}}_{i}^{\mathsf {in}}$ cannot invalidate the security of the underlying $\mathcal {\mathcal {MIFE}}'$.

More formally, we design an adversary $\mathcal {B}_1$ against the many-SEL-IND security of $\mathcal {\mathcal {MIFE}}'$. Adversary $\mathcal {B}_1$ draws public and secret keys for the outer encryption layer and then uses its own experiment to simulate either $\mathsf {G}_{0}$ or $\mathsf {G}_{1}$. We describe adversary $\mathcal {B}_1$ in the full version of the paper and give a textual description here.

Simulation of master public key $\mathsf {mpk}$. Since the game is selective, the adversary $\mathcal {B}_1$ first gets the challenges $\{\varvec{x}_i^{j,b}\}_{i \in [n],j\in [Q_{i}],b \in \{0,1\}}$ from $\mathcal {A}$, and it sends them to its experiment many-SEL-IND$^{\mathcal {\mathcal {MIFE}}'}_{\beta }$. Then, $\mathcal {B}_1$ receives the public key $\mathsf {mpk}^{\prime }$ of the $\mathcal {\mathcal {MIFE}}'$ scheme. To construct the full public key, it draws $(\mathsf {mpk}_{i},\mathsf {msk}_{i})\leftarrow \mathcal {FE}{.}\mathsf{Setup}(1^\kappa ,\mathcal {F}_1^{\ell ,X,Y})$, for all slots $i \in [n]$, independently. It then sets $\mathsf {mpk} := \{\mathsf {mpk}_i\}_{i \in [n]}\cup \{\mathsf {mpk}^{\prime }\}$ and returns $\mathsf {mpk}$ to adversary $\mathcal {A}$.

Simulation of the challenge ciphertexts. The adversary $\mathcal {B}_1$ receives $[\mathsf {ct}_i^{\mathsf {in},j}]_1$ from the encryption oracle of the experiment many-SEL-IND$^{\mathcal {\mathcal {MIFE}}'}_{\beta }$, for all $i\in [n]$. This corresponds to encryptions of either $\varvec{x}_{i}^{j,\beta }$, for $\beta =0$ or 1. Since it knows $\mathsf {msk}_{i}$, it computes $\mathsf {ct}_{i}^{\mathsf {out},j}:=\mathcal {FE}{.}{\mathsf {KeyGen}}(\mathsf {msk}_{i},[\mathsf {ct}_{i}^{\mathsf {in},j}]_1)$ for all $i\in [n]$ and returns $\{\mathsf {ct}_i^{\mathsf {out},j}\}_{i \in [n]}$ to $\mathcal{A}$.

Simulation of ${\mathsf {KeyGen}}(\mathsf {msk},\cdot )$. On every secret key query $(\varvec{y}^{b}_{1}\Vert \ldots \Vert \varvec{y}^{b}_{n})_{b \in \{0,1\}}$, adversary $\mathcal {B}_1$ queries the ${\mathsf {KeyGen}}'$ oracle of the experiment many-SEL-IND$_{\beta }^{\mathcal {\mathcal {MIFE}}'}$ on $\varvec{y}_{1}^{0}\Vert \ldots \Vert \varvec{y}^{0}_{n}$. It obtains $\{[{\mathsf {sk}}^{\mathsf {in}}_i]_2\}_{i \in [n]},[z]_T$. Finally, it computes ${\mathsf {sk}}_{i}^{\mathsf {out}}:= \mathcal {FE}{.}\mathsf{Enc}(\mathsf {mpk}_{i},[{\mathsf {sk}}^{\mathsf {in}}_i]_2)$ and returns $(\{{\mathsf {sk}}^{\mathsf {out}}_{i}\}_{i \in [n]},[z]_T)$ to $\mathcal {A}$.

$\square $

Lemma 5

($\mathsf {G}_{1{.}\rho }$ to $\mathsf {G}_{1{.}\rho +1}$). For all $\rho \in [Q_f]$, there exist PPT adversaries $\mathcal {B}_{\rho }$ and $\mathcal {B}'_{\rho }$ such that

For lack of space the proof of Lemma 5 appears in the full version of the paper [3].

4.2 Adaptively-Secure Multi-Input Function-Hiding FE for Inner Product

In this section, we prove that if we instantiate the construction described in Fig. 8 (Sect. 4), with the many-AD-IND-secure, single-input FE from [5], we obtain an adaptively secure function-hiding MIFE. Specifically, we consider the generalized version of single-input FE, as described in [4] (recalled in the full version of the paper [3]). For completeness, we present this new MIFE instantiation in Fig. 11. Proving adaptive security for our construction in a generic way would require the underlying $\mathcal {FE}$ to achieve strong security notions, such as one-AD-SIM (which is not achieved by any known scheme). We overcome this issue, managing to prove adaptive security of our concrete MIFE in Fig. 8, using non-generic techniques inspired by [4].

Theorem 5

(many-AD-IND-wFH security). If the $\mathcal {D}_k$-MDDH assumption holds in $\mathbb {G}_1$ and $\mathbb {G}_2$, then the multi-input FE for $\mathcal {F}_n^{m,X,Y}$ described in Fig. 11 is many-AD-IND-wFH-secure.

Proof overview. Similarly to the selective-security proof presented in Sect. 4.1, we prove weakly-function-hiding. This is sufficient, since it can be transformed generically into a fully function-hiding MIFE by using techniques from [14] (see in the full version of the paper [3] for more details).

To prove weak function-hiding we proceed in two stages. First, we switch from $\mathsf{Enc}(\mathsf {msk},i,\varvec{x}_i^{j,0})$ to $\mathsf{Enc}(\mathsf {msk},i,\varvec{x}_i^{j,1})$ for all slots $i \in [n]$ and all queries $j \in [Q_i]$ simultaneously, using the many-AD-IND security of $\mathcal {\mathcal {MIFE}}'$ (the underlying MIFE from [4]). For completeness, we also give a concrete description of $\mathcal {\mathcal {MIFE}}'$ in the full version of the paper.

Secondly, we use a hybrid argument over all $Q_f$ queried keys, switching them one by one from ${\mathsf {KeyGen}}(\mathsf {msk},\varvec{y}^0_1 \Vert \cdots \Vert \varvec{y}^0_n)$ to ${\mathsf {KeyGen}}(\mathsf {msk},\varvec{y}^1_1 \Vert \cdots \Vert \varvec{y}^1_n)$. To switch the $\rho $’th key, we use the security of $\mathcal {FE}$ in a non-generic way. Structurally, we do a proof similar to the selective one of the previous section. In order to apply complexity leveraging, we first do all the computational steps. Afterwards, only at some particular transition in the proof (transition from $\mathsf {H}_{\rho .0}''$ to $\mathsf {H}_{\rho .1}''$ the full version of the paper), we use complexity leveraging, and we simulate the selective proof arguments. This multiplies the security loss by an exponential factor. We can do so here because this particular transition is perfect: the exponential term is multiplied by a zero advantage.

Although this proof strategy shares similarities with the adaptive security proof the MIFE in [4], our proof has some crucial differences: mainly, the role of the keys and ciphertexts in our proof is switched. Since the multi-input model is asymmetric with respect to the ciphertexts and decryption keys (only ciphertexts can be mixed-and-matched), this results in a different proof strategy.

For lack of space, the full proof appears in the full version of the paper.

Notes

1.
Here we only consider schemes where unbounded collusions are allowed. See [9] and references therein for the bounded collusions case.
2.
As discussed in detail in [4], we stress that in the public key setting, MIFE for inner products is both easy to achieve (from its single-input counterpart) and of very limited interest, because of its inherent leakage.
3.
Here we implicitly adopt the, by now standard, bracket notation from [11].
4.
We remark that a similar information theoretic construction was put forward by Wee in [17], as a warm-up scheme towards an FE for inner products achieving simulation security.
5.
Actually the transform sketched here only manages to guarantee a weaker form of function hiding. However this can be generically turned into standard function hiding [14], as described in the full version of the paper [3].
6.
In the private key setting, we think of $\mathsf {mpk}$ as some public parameters common to all algorithms.
7.
The reason why we need 3X instead of X is due to maintain a correct distribution of the inputs in the security proof.
8.
While in [5] the FE schemes are proven only one-AD-IND secure (i.e., for adversaries making a single encryption query), note that these are public-key schemes and thus many-AD-IND security can be obtained via a standard hybrid argument from one-AD-IND security.

References

Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 733–751. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_33
Chapter Google Scholar
Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Better security for functional encryption for inner product evaluations. Cryptology ePrint Archive, Report 2016/011 (2016). http://eprint.iacr.org/2016/011
Abdalla, M., Catalano, D., Fiore, D., Gay, R., Ursu, B.: Multi-Input Functional Encryption for Inner Products: Function-Hiding Realizations and Constructions without Pairings. Cryptology ePrint Archive, Report 2017/972 (2017). http://eprint.iacr.org/2017/972
Abdalla, M., Gay, R., Raykova, M., Wee, H.: Multi-input inner-product functional encryption from pairings. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 601–626. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_21
Chapter Google Scholar
Agrawal, S., Libert, B., Stehlé, D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part III. LNCS, vol. 9816, pp. 333–362. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_12
Chapter Google Scholar
Ananth, P., Jain, A.: Indistinguishability obfuscation from compact functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 308–326. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_15
Chapter Google Scholar
Badrinarayanan, S., Gupta, D., Jain, A., Sahai, A.: Multi-input functional encryption for unbounded arity functions. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part I. LNCS, vol. 9452, pp. 27–51. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_2
Chapter Google Scholar
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_16
Chapter Google Scholar
Brakerski, Z., Komargodski, I., Segev, G.: Multi-input functional encryption in the private-key setting: stronger security from weaker assumptions. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part II. LNCS, vol. 9666, pp. 852–880. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_30
Chapter MATH Google Scholar
Datta, P., Okamoto, T., Tomida, J.: Full-hiding (unbounded) multi-input inner product functional encryption from the k-linear assumption. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part II. LNCS, vol. 10770, pp. 245–277. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5_9
Chapter Google Scholar
Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_8
Chapter Google Scholar
Goldwasser, S., et al.: Multi-input functional encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 578–602. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_32
Chapter Google Scholar
Lin, H.: Indistinguishability obfuscation from SXDH on 5-linear maps and locality-5 PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 599–629. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_20
Chapter Google Scholar
Lin, H., Vaikuntanathan, V.: Indistinguishability obfuscation from DDH-like assumptions on constant-degree graded encodings. In: Dinur, I. (ed.) 57th FOCS, pp. 11–20. IEEE Computer Society Press, October 2016
Google Scholar
O’Neill, A.: Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010). http://eprint.iacr.org/2010/556
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
Chapter Google Scholar
Wee, H.: Attribute-hiding predicate encryption in bilinear groups, revisited. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 206–233. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_8
Chapter Google Scholar

Download references

Acknowledgments

Michel Abdalla was supported in part by SAFEcrypto (H2020 ICT-644729) and by the European Union’s Horizon 2020 Research and Innovation Programme under grant agreement 780108 (FENTEC). Dario Fiore was partially supported by the Spanish Ministry of Economy under project references TIN2015-70713-R (DEDETIS), RTC-2016-4930-7 (DataMantium), and by the Madrid Regional Government under project N-Greens (ref. S2013/ICE-2731). Romain Gay was partially supported by a Google PhD Fellowship in Privacy and Security and by the ERC Project aSCEND (H2020 639554). Bogdan Ursu was partially supported by ANR-14-CE28-0003 (Project EnBiD) and by the ERC Project PREP-CRYPTO (H2020 724307).

Author information

Authors and Affiliations

Département informatique de l’ENS, École normale supérieure, CNRS, PSL University, 75005, Paris, France
Michel Abdalla & Romain Gay
INRIA, Paris, France
Michel Abdalla & Romain Gay
Dipartimento di Matematica e Informatica, Università di Catania, Catania, Italy
Dario Catalano
IMDEA Software Institute, Madrid, Spain
Dario Fiore
KIT, Karlsruhe, Germany
Bogdan Ursu

Authors

Michel Abdalla
View author publications
You can also search for this author in PubMed Google Scholar
Dario Catalano
View author publications
You can also search for this author in PubMed Google Scholar
Dario Fiore
View author publications
You can also search for this author in PubMed Google Scholar
Romain Gay
View author publications
You can also search for this author in PubMed Google Scholar
Bogdan Ursu
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Michel Abdalla .

Editor information

Editors and Affiliations

The University of Texas at Austin, Austin, Texas, USA
Hovav Shacham
Georgia Institute of Technology, Atlanta, Georgia, USA
Alexandra Boldyreva

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Abdalla, M., Catalano, D., Fiore, D., Gay, R., Ursu, B. (2018). Multi-Input Functional Encryption for Inner Products: Function-Hiding Realizations and Constructions Without Pairings. In: Shacham, H., Boldyreva, A. (eds) Advances in Cryptology – CRYPTO 2018. CRYPTO 2018. Lecture Notes in Computer Science(), vol 10991. Springer, Cham. https://doi.org/10.1007/978-3-319-96884-1_20

Download citation

DOI: https://doi.org/10.1007/978-3-319-96884-1_20
Published: 25 July 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-96883-4
Online ISBN: 978-3-319-96884-1
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Multi-Input Functional Encryption for Inner Products: Function-Hiding Realizations and Constructions Without Pairings

Abstract

Similar content being viewed by others

Multi-input Inner-Product Functional Encryption from Pairings

Multi-input Functional Encryption for Unbounded Inner Products

Efficient Functional Encryption for Inner-Product Values with Full-Hiding Security

1 Introduction

1.1 Our Contributions

2 Preliminaries

2.1 Definitions for Multi-Input Functional Encryption

Definition 1

Definition 2

Remark 1

Definition 3

2.2 Function-Hiding Multi-Input Functional Encryption

Definition 4

Definition 5

Definition 6

2.3 Inner-Product Functionality

2.4 Computational Assumptions

Definition 7

Definition 8

Definition 9

Definition 10

Lemma 1

3 From Single to Multi-Input FE for Inner Product

3.1 Information-Theoretic MIFE with One-Time Security

Theorem 1

Proof

Remark 2

Remark 3

3.2 Our Transformation for Inner Product over \(\mathbb {Z}_L\)

Theorem 2

3.3 Our Transformation for Inner Product over \(\mathbb {Z}\)

Property 1

Property 2

Theorem 3

Proof

Lemma 2

Proof

Lemma 3

Proof

4 Function-Hiding Multi-Input FE for Inner Product

Definition 11

4.1 Proof of Selective Security

Theorem 4

Proof

Lemma 4

Proof

Lemma 5

4.2 Adaptively-Secure Multi-Input Function-Hiding FE for Inner Product

Theorem 5

Notes

References

Acknowledgments

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation