Unbounded inner product functional encryption from bilinear maps

  • Original Paper
  • Published:
Japan Journal of Industrial and Applied Mathematics

Abstract

Inner product functional encryption (IPFE) is one class of functional encryption supporting only inner product functionality. All previous IPFE schemes are bounded schemes, meaning that the vector length that can be handled in the scheme is fixed in the setup phase. In this paper, we propose the first unbounded IPFE schemes, in which we do not have to fix the lengths of vectors in the setup phase and can handle (a priori) unbounded polynomial lengths of vectors. Our first scheme is private-key based and fully function hiding. That is, secret keys hide the information of the associated function. Our second scheme is public-key based and provides adaptive security in the indistinguishability based security definition. Both our schemes are based on SXDH, which is a well-studied standard assumption, and secure in the standard model. Furthermore, our schemes are quite efficient, incurring an efficiency loss by only a small constant factor from previous bounded function hiding schemes.

References

  1. Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015, Volume 9020 of LNCS, pp. 733–751. Springer, Heidelberg (2015)

  2. Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Better security for functional encryption for inner product evaluations. Cryptology ePrint Archive, Report 2016/011 (2016). http://eprint.iacr.org/2016/011

  3. Abdalla, M., Catalano, D., Fiore, D., Gay, R., Ursu, B.: Multi-input functional encryption for inner products: function-hiding realizations and constructions without pairings. Cryptology ePrint Archive, Report 2017/972 (2017). http://eprint.iacr.org/2017/972

  4. Abdalla, M., Gay, R., Raykova, M., Wee, H.: Multi-input inner-product functional encryption from pairings. In: Coron, J., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I, Volume 10210 of LNCS, pp. 601–626. Springer, Heidelberg (2017)

  5. Agrawal, S., Libert, B., Stehlé, D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part III, Volume 9816 of LNCS, pp. 333–362. Springer, Heidelberg (2016)

  6. Attrapadung, N.: Dual system encryption via doubly selective security: framework, fully secure functional encryption for regular languages, and more. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014, Volume 8441 of LNCS, pp. 557–577. Springer, Heidelberg (2014)

  7. Attrapadung, N.: Dual system encryption framework in prime-order groups via computational pair encodings. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part II, Volume 10032 of LNCS, pp. 591–623. Springer, Heidelberg (2016)

  8. Bishop, A., Jain, A., Kowalczyk, L.: Function-hiding inner product encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part I, Volume 9452 of LNCS, pp. 470–491. Springer, Heidelberg (2015)

  9. Black, J., Rogaway, P.: CBC MACs for arbitrary-length messages: the three-key constructions. J. Cryptol. 18(2), 111–131 (2005)

  10. Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011, Volume 6597 of LNCS, pp. 253–273. Springer, Heidelberg (2011)

  11. Brakerski, Z., Vaikuntanathan, V.: Circuit-ABE from LWE: unbounded attributes and semi-adaptive security. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part III, Volume 9816 of LNCS, pp. 363–384. Springer, Heidelberg (2016)

  12. Chen, J., Gong, J., Kowalczyk, L., Wee, H.: Unbounded ABE via bilinear entropy expansion, revisited. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part I, Volume 10820 of LNCS, pp. 503–534. Springer, Heidelberg (2018)

  13. Chen, J., Wee, H.: Semi-adaptive attribute-based encryption and improved delegation for Boolean formula. In: Abdalla, M., Prisco, R.D. (eds.) SCN 14, Volume 8642 of LNCS, pp. 277–297. Springer, Heidelberg (2014)

  14. Datta, P., Dutta, R., Mukhopadhyay, S.: Functional encryption for inner product with full function privacy. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016, Part I, Volume 9614 of LNCS, pp. 164–195. Springer, Heidelberg (2016)

  15. Datta, P., Okamoto, T., Tomida, J.: Full-hiding (unbounded) multi-input inner product functional encryption from the k-linear assumption. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part II, Volume 10770 of LNCS, pp. 245–277. Springer, Heidelberg (2018)

  16. Dufour Sans, E., Pointcheval, D.: Unbounded inner product functional encryption, with succinct keys. Cryptology ePrint Archive, Report 2018/487 (2018). https://eprint.iacr.org/2018/487

  17. Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013, Volume 7881 of LNCS, pp. 1–17. Springer, Heidelberg (2013)

  18. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. 54th FOCS, pp. 40–49. IEEE Computer Society Press, Los Alamitos (2013)

  19. Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Functional encryption without obfuscation. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016-A, Part II, Volume 9563 of LNCS, pp. 480–511. Springer, Heidelberg (2016)

  20. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Juels, A., Wright, R.N., Vimercati, S. (eds.) ACM CCS 06, pp. 89–98. ACM Press, New York (2006). (Available as Cryptology ePrint Archive Report 2006/309)

  21. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N.P. (ed.) EUROCRYPT 2008, Volume 4965 of LNCS, pp. 146–162. Springer, Heidelberg (2008)

  22. Kim, S., Kim, J., Seo, J.H.: A new approach for practical function-private inner product encryption. Cryptology ePrint Archive, Report 2017/004 (2017). http://eprint.iacr.org/2017/004

  23. Kim, S., Lewi, K., Mandal, A., Montgomery, H., Roy, A., Wu, D.J.: Function-hiding inner product encryption is practical. Cryptology ePrint Archive, Report 2016/440 (2016). http://eprint.iacr.org/2016/440

  24. Lewko, A.B., Waters, B.: Unbounded HIBE and attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011, Volume 6632 of LNCS, pp. 547–567. Springer, Heidelberg (2011)

  25. Lin, H.: Indistinguishability obfuscation from SXDH on 5-linear maps and locality-5 PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I, Volume 10401 of LNCS, pp. 599–629. Springer, Heidelberg (2017)

  26. Okamoto, T., Takashima, K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin, T. (ed.) CRYPTO 2010, Volume 6223 of LNCS, pp. 191–208. Springer, Heidelberg (2010)

  27. Okamoto, T., Takashima, K.: Fully secure unbounded inner-product and attribute-based encryption. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012, Volume 7658 of LNCS, pp. 349–366. Springer, Heidelberg (2012)

  28. O’Neill, A.: Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010). http://eprint.iacr.org/2010/556

  29. Tomida, J., Abe, M., Okamoto, T.: Efficient functional encryption for inner-product values with full-hiding security. In: Bishop, M., Nascimento, A.C.A. (eds.) ISC 2016, Volume 9866 of LNCS, pp. 408–425. Springer, Heidelberg (2016)

  30. Tomida, J., Takashima, K.: Unbounded inner product functional encryption from bilinear maps. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part II, LNCS, pp. 609–639. Springer, Heidelberg (2018)

  31. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009, Volume 5677 of LNCS, pp. 619–636. Springer, Heidelberg (2009)

  32. Waters, B.: A punctured programming approach to adaptively secure functional encryption. In: Gennaro, R., Robshaw, M.J.B. (eds.) CRYPTO 2015, Part II, Volume 9216 of LNCS, pp. 678–697. Springer, Heidelberg (2015)

  33. Wee, H.: Dual system encryption via predicate encodings. In: Lindell, Y. (ed.) TCC 2014, Volume 8349 of LNCS, pp. 616–637. Springer, Heidelberg (2014)

Acknowledgements

We are very grateful to Pratish Datta and Tatsuaki Okamoto for giving us a chance to start this work. We also would like to thank anonymous reviewers for their helpful comments.

Author information

Corresponding author

Correspondence to Junichi Tomida.

Additional information

An extended abstract of this paper [30] appeared in Asiacrypt 2018—the 24th Annual International Conference on the Theory and Application of Cryptology and Information Security. This is a full version of the paper.

Appendices

A Dual pairing vector spaces

Definition 7

(Dual pairing vector spaces [26]) For a natural number \(n \in \mathbb {N}\), we choose random dual orthonormal bases \((\mathbf{B}, \mathbf{B}^{*})\) as \(\mathbf{B} \xleftarrow {\mathsf{U}}\mathsf{GL}_{n}(\mathbb {Z}_p)\) and \(\mathbf{B}^{*} :=(\mathbf{B}^{-1})^{\top }\). Then \([\mathbf{B}]_{1}\) and \([\mathbf{B}^{*}]_{2}\) are dual orthonormal bases of vector spaces \(V :=G_{1}^{n}\) and \(V^{*} :=G_{2}^{n}\) respectively. Observe that the following two properties hold.

  1. For any vectors \(\mathbf{x}, \mathbf{y} \in \mathbb {Z}_p^{n}\), \(e([\mathbf{x}\mathbf{B}]_{1}, [\mathbf{y}\mathbf{B^{*}}]_{2}) = e(g_{1}, g_{2})^{\langle \mathbf{x}, \mathbf{y} \rangle }\).

  2. For any vectors \(\mathbf{x}_{1} , \ldots ,\mathbf{x}_{k}, \mathbf{y}_{1} , \ldots ,\mathbf{y}_{\ell } \in \mathbb {Z}_p^{n}\) and any matrix \(\mathbf{M} \in \mathsf{GL}_{n}(\mathbb {Z}_p)\), \((\{ \mathbf{x}_{i}\mathbf{B} \}_{i \in [k]}, \{ \mathbf{y}_{i}\mathbf{B}^{*} \}_{i \in [\ell ]})\) and \((\{ \mathbf{x}_{i}\mathbf{M}\mathbf{B} \}_{i \in [k]}, \{ \mathbf{y}_{i}\mathbf{M}^{*}\mathbf{B}^{*} \}_{i \in [\ell ]})\) are identically distributed. More generally, for any set \(S \subseteq [n]\) s.t. \(\forall i \in S, \mathbf{b}_{i} = \mathbf{M}^{-1}\mathbf{b}_{i}\), \((\{\mathbf{b}_{i} \}_{i \in S},\{ \mathbf{x}_{i}\mathbf{B} \}_{i \in [k]}, \{ \mathbf{y}_{i}\mathbf{B}^{*} \}_{i \in [\ell ]})\) and \((\{\mathbf{b}_{i} \}_{i \in S}, \{ \mathbf{x}_{i}\mathbf{M}\mathbf{B} \}_{i \in [k]}, \{ \mathbf{y}_{i}\mathbf{M}^{*}\mathbf{B}^{*} \}_{i \in [\ell ]})\) are also identically distributed. This is because \((\mathbf{D}, \mathbf{D}^{*}) :=(\mathbf{M}^{-1}\mathbf{B} ,\mathbf{M}^{\top }\mathbf{B}^{*} )\) are also random dual orthonormal bases and \((\{\mathbf{b}_{i} \}_{i \in S}, \{ \mathbf{x}_{i}\mathbf{B} \}_{i \in [k]}, \{ \mathbf{y}_{i}\mathbf{B}^{*} \}_{i \in [\ell ]})\) = \((\{\mathbf{d}_{i} \}_{i \in S}, \{ \mathbf{x}_{i}\mathbf{M}\mathbf{D} \}_{i \in [k]}, \{ \mathbf{y}_{i}\mathbf{M}^{*}\mathbf{D}^{*} \}_{i \in [\ell ]})\).

In our private-key based scheme, we leverage the fact that randomly chosen matrices whose elements are in \(\mathbb {Z}_p\) have a high probability of being invertible. More concretely, we have the following lemma implicitly shown in [15].

Lemma 38

Let \(p\) be an \(\varOmega (\lambda )\)-bit prime. For any polynomial \(m :=m(\lambda )\) and \(n :=n(\lambda )\), we have

$$\begin{aligned} \mathsf{Pr}[\exists i, \det \mathbf{B}_{i} = 0| \mathbf{B}_{1} , \ldots ,\mathbf{B}_{m} \xleftarrow {\mathsf{U}}\mathsf{M}_{n}(\mathbb {Z}_p)] = 2^{-\varOmega (\lambda )}. \end{aligned}$$
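The following Python sketch is an added example, not code from the paper: it checks property 1 and the basis change of property 2 from Definition 7 on exponents in \(\mathbb {Z}_p\), and evaluates the singularity probability behind Lemma 38 using the standard count of invertible matrices and a union bound. The modulus `P`, all function names, and the use of plain exponent arithmetic in place of a pairing group are assumptions made for illustration.

```python
import itertools
import secrets
from fractions import Fraction

P = 2**61 - 1  # constructed toy prime standing in for the group order p


def inverse_mod(M, p):
    """Gauss-Jordan inverse over Z_p; returns None when det M = 0."""
    n = len(M)
    A = [[v % p for v in row] + [int(i == j) for j in range(n)]
         for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if A[r][col]), None)
        if pivot is None:
            return None
        A[col], A[pivot] = A[pivot], A[col]
        inv = pow(A[col][col], -1, p)
        A[col] = [v * inv % p for v in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(a - f * b) % p for a, b in zip(A[r], A[col])]
    return [row[n:] for row in A]


def transpose(M):
    return [list(col) for col in zip(*M)]


def mat_mul(X, Y, p):
    Yt = transpose(Y)
    return [[sum(a * b for a, b in zip(row, col)) % p for col in Yt] for row in X]


def sample_gl(n, p):
    """Uniform element of GL_n(Z_p) by rejection sampling, with its inverse."""
    while True:
        M = [[secrets.randbelow(p) for _ in range(n)] for _ in range(n)]
        M_inv = inverse_mod(M, p)
        if M_inv is not None:
            return M, M_inv


def dual_bases(n, p=P):
    """(B, B*) with B uniform in GL_n(Z_p) and B* = (B^{-1})^T."""
    B, B_inv = sample_gl(n, p)
    return B, transpose(B_inv)


def pairing_exponent(x, y, B, B_star, p=P):
    """Exponent t with e([xB]_1, [yB*]_2) = e(g1, g2)^t: the pairing is taken
    componentwise, so t is the inner product of the two coefficient vectors."""
    xb = mat_mul([x], B, p)[0]
    yb = mat_mul([y], B_star, p)[0]
    return sum(a * b for a, b in zip(xb, yb)) % p


def rebased(B, B_star, M, M_inv, p=P):
    """(D, D*) = (M^{-1} B, M^T B*), the bases used in property 2."""
    return mat_mul(M_inv, B, p), mat_mul(transpose(M), B_star, p)


def is_dual(D, D_star, p=P):
    """True when D * (D*)^T is the identity, i.e. D* = (D^{-1})^T."""
    n = len(D)
    identity = [[int(i == j) for j in range(n)] for i in range(n)]
    return mat_mul(D, transpose(D_star), p) == identity


def singular_probability(n, p):
    """Exact Pr[det B = 0] for B uniform in M_n(Z_p): 1 - prod_{i=1..n}(1 - p^-i)."""
    invertible = Fraction(1)
    for i in range(1, n + 1):
        invertible *= 1 - Fraction(1, p**i)
    return 1 - invertible


def any_singular_bound(m, n, p):
    """Union bound on Pr[exists i: det B_i = 0] for m independent matrices."""
    return min(Fraction(1), m * singular_probability(n, p))


def count_singular(n, p):
    """Brute-force count of singular n x n matrices over Z_p (tiny p only)."""
    total = 0
    for entries in itertools.product(range(p), repeat=n * n):
        M = [list(entries[r * n:(r + 1) * n]) for r in range(n)]
        total += inverse_mod(M, p) is None
    return total
```

For a \(\lambda\)-bit prime the bound returned by `any_singular_bound` is roughly \(m/p\), which is the \(2^{-\varOmega (\lambda )}\) term of the lemma for polynomial \(m\).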

B Inner products for the unbounded setting

For generality, we define inner products for the unbounded setting without norm limit.

B.1 D:ct-dom settings

Definition 8

(E:con, K:con, D:ct-dom) This function family \(\mathcal {F}\) consists of functions \(f_{\mathbf{y}}:\mathbb {Z}^{m} \rightarrow \mathbb {Z}\) where \(n \in \mathbb {N}\), \(\mathbf{y} :=(y_{1}, \ldots ,y_{n}) \in \mathbb {Z}^{n}\), and \(m \in \mathbb {N}\) s.t. \(n \le m\). We define the function for every \(\mathbf{x} :=(x_{1} , \ldots ,x_{m}) \in \mathbb {Z}^{m}\) as

$$\begin{aligned} f_{\mathbf{y}}(\mathbf{x}) :=\sum _{i \in [n]}x_{i}y_{i}. \end{aligned}$$

Definition 9

(E:sep, K:sep, D:ct-dom) This function family \(\mathcal {F}\) consists of functions \(f_{S,\mathbf{y}}:\mathbb {Z}^{U} \rightarrow \mathbb {Z}\) where \(S \subset \mathbb {N}\), \(\mathbf{y} :=(y_{i})_{i \in S} \in \mathbb {Z}^{S}\), and \(U \subset \mathbb {N}\) s.t. \(S \subseteq U\). We define the function for every \(\mathbf{x} :=(x_{i})_{i \in U} \in \mathbb {Z}^{U}\) as

$$\begin{aligned} f_{S, \mathbf{y}}(\mathbf{x}) :=\sum _{i \in S}x_{i}y_{i}. \end{aligned}$$

B.2 D:sk-dom settings

Definition 10

(E:con, K:con, D:sk-dom) This function family \(\mathcal {F}\) consists of functions \(f_{\mathbf{y}}:\mathbb {Z}^{m} \rightarrow \mathbb {Z}\) where \(n \in \mathbb {N}\), \(\mathbf{y} :=(y_{1}, \ldots ,y_{n}) \in \mathbb {Z}^{n}\), and \(m \in \mathbb {N}\) s.t. \(m \le n\). We define the function for every \(\mathbf{x} :=(x_{1} , \ldots ,x_{m}) \in \mathbb {Z}^{m}\) as

$$\begin{aligned} f_{\mathbf{y}}(\mathbf{x}) :=\sum _{i \in [m]}x_{i}y_{i}. \end{aligned}$$

Definition 11

(E:sep, K:con, D:sk-dom) This function family \(\mathcal {F}\) consists of functions \(f_{\mathbf{y}}:\mathbb {Z}^{U} \rightarrow \mathbb {Z}\) where \(n \in \mathbb {N}\), \(\mathbf{y} :=(y_{1}, \ldots ,y_{n}) \in \mathbb {Z}^{n}\), and \(U \subset \mathbb {N}\) s.t. \(U \subseteq [n]\). We define the function for every \(\mathbf{x} :=(x_{i})_{i \in U} \in \mathbb {Z}^{U}\) as

$$\begin{aligned} f_{\mathbf{y}}(\mathbf{x}) :=\sum _{i \in U}x_{i}y_{i}. \end{aligned}$$

Definition 12

(E:sep, K:sep, D:sk-dom) This function family \(\mathcal {F}\) consists of functions \(f_{S,\mathbf{y}}:\mathbb {Z}^{U} \rightarrow \mathbb {Z}\) where \(S \subset \mathbb {N}\), \(\mathbf{y} :=(y_{i})_{i \in S} \in \mathbb {Z}^{S}\), and \(U \subset \mathbb {N}\) s.t. \(U \subseteq S\). We define the function for every \(\mathbf{x} :=(x_{i})_{i \in U} \in \mathbb {Z}^{U}\) as

$$\begin{aligned} f_{S, \mathbf{y}}(\mathbf{x}) :=\sum _{i \in U}x_{i}y_{i}. \end{aligned}$$

B.3 D:eq settings

Definition 13

(E:con, K:con, D:eq) This function family \(\mathcal {F}\) consists of functions \(f_{\mathbf{y}}:\mathbb {Z}^{m} \rightarrow \mathbb {Z}\) where \(m \in \mathbb {N}\) and \(\mathbf{y} :=(y_{1}, \ldots ,y_{m}) \in \mathbb {Z}^{m}\). We define the function for every \(\mathbf{x} :=(x_{1} , \ldots ,x_{m}) \in \mathbb {Z}^{m}\) as

$$\begin{aligned} f_{\mathbf{y}}(\mathbf{x}) :=\sum _{i \in [m]}x_{i}y_{i}. \end{aligned}$$

Definition 14

(E:sep, K:sep, D:eq) This function family \(\mathcal {F}\) consists of functions \(f_{S,\mathbf{y}}:\mathbb {Z}^{S} \rightarrow \mathbb {Z}\) where \(S \subset \mathbb {N}\) and \(\mathbf{y} :=(y_{i})_{i \in S} \in \mathbb {Z}^{S}\). We define the function for every \(\mathbf{x} :=(x_{i})_{i \in S} \in \mathbb {Z}^{S}\) as

$$\begin{aligned} f_{S, \mathbf{y}}(\mathbf{x}) :=\sum _{i \in S}x_{i}y_{i}. \end{aligned}$$

C Selective or semi-adaptive schemes for (E:sep, K:sep, D:ct-dom)

In this section, we explain a selectively function hiding Priv-UIPFE scheme and a semi-adaptively secure Pub-UIPFE scheme for (E:sep, K:sep, D:ct-dom). The syntax of UIPFE for (E:sep, K:sep, D:ct-dom) is the same as that of UIPFE for (E:con, K:sep, D:ct-dom) except that vectors to be encrypted can be separate ones. More precisely, a vector to be encrypted has the form \(\mathbf{x} :=(x_{i})_{i \in U}\) for an index set \(U\) rather than \(\mathbf{x} :=(x_{i})_{i \in [m]}\).

C.1 Selectively function hiding Priv-UIPFE scheme

The construction of our selectively function hiding scheme for (E:sep, K:sep, D:ct-dom) is the same as our E:con scheme (Sect. 3) except that the form of vectors to be encrypted is \(\mathbf{x} :=(x_{i})_{i \in U}\) rather than \(\mathbf{x} :=(x_{i})_{i \in [m]}\), where \(U \subseteq [u]\) for any polynomial \(u :=u(\lambda )\). The correctness holds in the same manner as our E:con scheme. The security statement is somewhat different from that of our E:con scheme as follows.

Theorem 3

Assume that the SXDH assumption holds and \(\mathcal {F}\) is a PRF family, then our Priv-UIPFE is selectively function hiding in the (E:sep, K:sep, D:ct-dom) setting. More formally, for any PPT adversary \(\mathcal {A}\) and security parameter \(\lambda \), there exist a PPT adversary \(\mathcal {B}_{1}\) for the SXDH and \(\mathcal {B}_{2}\) for the PRF family s.t.

$$\begin{aligned} \mathsf{Adv}_{\mathcal {A}}^{\textsf {Priv-UIPFE}}(\lambda ) \le (4q_{\mathsf{sk}}+4q_{\mathsf{ct}}+2) \mathsf{Adv}_{\mathcal {B}_{1}}^{\textsf {SXDH}}(\lambda ) + 2\mathsf{Adv}_{\mathcal {B}_{2}}^{\textsf {PRF}}(\lambda ) + 2^{-\varOmega (\lambda )}. \end{aligned}$$

Proof

The proof of Theorem 3 is almost the same as that of Theorem 1 except for the Game 3 sequence. That is, instead of guessing the index set of the \(\nu \)-th ciphertext between Game 3-\(\nu \)-1 and 3-\(\nu \)-2, which incurs exponential security loss in the adaptive E:sep setting, the reduction obtains the index set before it generates the secret keys in the selective setting. Concretely, the game transition is changed as follows.

Game 3-\(\nu \)-1 \((\nu \in [q_{\mathsf{ct}}])\):

Game 2 is equivalent to Game 3-0-5. This game is the same as Game 3-\((\nu -1)\)-5 except that in the \(\nu \)-th ciphertext query, \(\mathbf{c}_{\nu ,i}\) is set as

$$\begin{aligned} \tilde{z}_{\nu } \xleftarrow {\mathsf{U}}\mathbb {Z}_p,\;\;\mathbf{c}_{\nu ,i} :=\left( x^{0}_{\nu ,i}, 0, z_{\nu }, \boxed {\tilde{z}_{\nu }}\right) \mathbf{B}_{i} \;\; \text {for all } i \in U_{\nu }. \end{aligned}$$

Game 3-\(\nu \)-2 \((\nu \in [q_{\mathsf{ct}}])\):

This game is the same as Game 3-\(\nu \)-1 except for the following. In the \(\ell \)-th secret key query, for all \(\ell \) whose index set \(S_{\ell }\) contains both elements that are contained in \(U_{\nu }\) and elements that are not contained in \(U_{\nu }\), i.e., \((S_{\ell } \cap U_{\nu } \ne \phi ) \wedge (S_{\ell } \backslash U_{\nu } \ne \phi )\), \(\mathbf{k}_{\ell ,i}\) is set as

$$\begin{aligned} \mathbf{k}_{\ell ,i} :={\left\{ \begin{array}{ll} (y^{0}_{\ell ,i}, y^{1}_{\ell ,i} , r_{\ell ,i}, \tilde{r}_{\ell ,i})\mathbf{B}^{*}_{i} &{} (i \in S_{\ell }, i \in U_{\nu })\\ \left( y^{0}_{\ell ,i}, y^{1}_{\ell ,i} , r_{\ell ,i}, \boxed {a\tilde{r}_{\ell ,i}}\right) \mathbf{B}^{*}_{i} &{} (i \in S_{\ell }, i \not \in U_{\nu }) \end{array}\right. } \end{aligned}$$

where \(a \xleftarrow {\mathsf{U}}\mathbb {Z}_p, \tilde{r}_{\ell ,i} \xleftarrow {\mathsf{U}}\mathbb {Z}_p\) s.t. \(\sum _{i \in S_{\ell }} \tilde{r}_{\ell ,i} = 0\).

Game 3-\(\nu \)-3 \((\nu \in [q_{\mathsf{ct}}])\):

This game is the same as Game 3-\(\nu \)-2 except that in the \(\ell \)-th secret key query for all \(\ell \) s.t. \((S_{\ell } \cap U_{\nu } \ne \phi ) \wedge (S_{\ell } \backslash U_{\nu } \ne \phi )\), \(\mathbf{k}_{\ell ,i}\) is set as

$$\begin{aligned} \bar{r}_{\ell ,i} \xleftarrow {\mathsf{U}}\mathbb {Z}_p, \;\;\mathbf{k}_{\ell ,i} :=\left( y^{0}_{\ell ,i}, y^{1}_{\ell ,i} , r_{\ell ,i}, \boxed {\bar{r}_{\ell ,i}}\right) \mathbf{B}^{*}_{i} \;\; \text {for all } i \in S_{\ell }. \end{aligned}$$

Game 3-\(\nu \)-4 \((\nu \in [q_{\mathsf{ct}}])\):

This game is the same as Game 3-\(\nu \)-3 except that in the \(\nu \)-th ciphertext query, \(\mathbf{c}_{\nu ,i}\) is set as

$$\begin{aligned} v \xleftarrow {\mathsf{U}}\mathbb {Z}_p,\;\;\mathbf{c}_{\nu ,i} :=\left( \boxed {0, x^{1}_{\nu ,i}}, z_{\nu }, \tilde{z}_{\nu }\right) \mathbf{B}_{i} \;\; \text {for all } i \in U_{\nu }. \end{aligned}$$

Game 3-\(\nu \)-5 \((\nu \in [q_{\mathsf{ct}}])\):

This game is the same as Game 3-\(\nu \)-4 except that in the \(\nu \)-th ciphertext query and all secret key queries, \(\mathbf{c}_{\nu ,i}\) and \(\mathbf{k}_{\ell ,i}\) are set as

$$\begin{aligned}&\mathbf{c}_{\nu ,i} :=\left( 0,x^{1}_{\nu ,i}, z_{\nu }, \boxed {0}\right) \mathbf{B}_{i} \;\; \text {for all } i \in U_{\nu },\\&\mathbf{k}_{\ell ,i} :=\left( y^{0}_{\ell ,i}, y^{1}_{\ell ,i} , r_{\ell ,i}, \boxed {\tilde{r}_{\ell ,i}}\right) \mathbf{B}^{*}_{i}\;\; \text {for all } i \in S_{\ell }, \end{aligned}$$

where \(\tilde{r}_{\ell ,i} \xleftarrow {\mathsf{U}}\mathbb {Z}_p\) s.t. \(\sum _{i \in S_{\ell }} \tilde{r}_{\ell ,i} = 0\).

In the E:sep setting, we can classify secret keys into three types for the \(\nu \)-th ciphertext in the same way as the E:con setting. Namely,

  1. The index set S of the secret key is included in \(U_{\nu }\), i.e., \(S \subseteq U_{\nu }\).

  2. A part of the index set S is included in \(U_{\nu }\), i.e., \((S_{\ell } \cap U_{\nu } \ne \phi ) \wedge (S_{\ell } \backslash U_{\nu } \ne \phi )\).

  3. The index set S and \(U_{\nu }\) are disjoint, i.e., \(S \cap U_{\nu } = \phi \).

Observe that the classification is the same as in the E:con case. In addition, the proofs of the lemmas in the game transition are almost the same because the treatment of each type of key is not changed. Note that the reduction from the difference between Game 3-\(\nu \)-1 and 3-\(\nu \)-2 to the SXDH problem in the E:con case does not need a guess. Then we have

$$\begin{aligned} |\mathsf{Pr}[\mathsf{E}_{3-(\nu -1)-5}] - \mathsf{Pr}[\mathsf{E}_{3-\nu -5}]|&\le 4\mathsf{Adv}_{\mathcal {B}}^{\textsf {SXDH}}(\lambda )+2^{-\varOmega (\lambda )}. \end{aligned}$$

\(\square \)

C.2 Semi-adaptively secure pub-UIPFE scheme

The construction of our semi-adaptively secure scheme for (E:sep, K:sep, D:ct-dom) is the same as our E:con scheme (Sect. 4) except that \(\mathbf{x} :=(x_{i})_{i \in [m]}\) is replaced by \(\mathbf{x} :=(x_{i})_{i \in U}\), where \(U \subseteq [u]\) for any polynomial \(u :=u(\lambda )\). The correctness holds in the same manner as our E:con scheme. The security statement is somewhat different from that of our E:con scheme as follows.

Theorem 4

Assume that the SXDH assumption holds, then our Pub-UIPFE is semi-adaptively secure. More formally, let \(u_{\mathsf{max}}\) be the maximum cardinality of the challenge index set that \(\mathcal {A}\) outputs and \(s_{\mathsf{max}}\) be the maximum index with which \(\mathcal {A}\) queries the key generation oracle, then for any PPT adversary \(\mathcal {A}\) and security parameter \(\lambda \), there exists a PPT adversary \(\mathcal {B}\) for the SXDH s.t.

$$\begin{aligned} \mathsf{Adv}_{\mathcal {A}}^{\textsf {Pub-UIPFE}}(\lambda ) \le \{16u_{\mathsf{max}}+8(s_{\mathsf{max}}-1)+4 \} \mathsf{Adv}_{\mathcal {B}}^{\textsf {SXDH}}(\lambda )+2^{-\varOmega (\lambda )}. \end{aligned}$$

Proof

The idea is the same as the private-key based scheme in the selective E:sep setting. That is, instead of guessing the index set of the challenge ciphertext, the reduction algorithm knows it before simulating secret keys by considering the semi-adaptive setting. Then the game sequence after Game 3 is modified from the E:con scheme as follows. Let \(U^{*}\) be the index set of the challenge vector, and \([m^{*}]\) is changed to \(U^{*}\) in all games other than the games below.

Game 3:

This game is the same as Game 2 except that in the \(\ell \)-th secret key query for all \(\ell \) s.t. \((S_{\ell } \cap U^{*} \ne \phi ) \wedge (S_{\ell } \backslash U^{*} \ne \phi )\), \(\mathbf{k}_{\ell ,i}\) is set as

$$\begin{aligned}&\bar{r}_{\ell , i} \xleftarrow {\mathsf{U}}\mathbb {Z}_p,\\&\mathbf{k}_{\ell , i} :=\left( \rho _{\ell , i}(-i, 1), y_{\ell , i}, r_{\ell , i}, \boxed {\bar{r}_{\ell , i}},0,0\right) \mathbf{B}^{*}\;\;\text {for all } i \in S_{\ell }. \end{aligned}$$

Game 4:

This game is the same as Game 3 except that \(\mathbf{c}_{i}\) and \(\mathbf{k}_{\ell , i}\) in the challenge ciphertext and the \(\ell \)-th secret key for all \(\ell \) s.t. \((S_{\ell } \cap U^{*} \ne \phi )\) are generated as

$$\begin{aligned}&w_{i}, \tilde{r}_{\ell , i}, \bar{r}_{\ell , i} \xleftarrow {\mathsf{U}}\mathbb {Z}_p\;\; \text {s.t.} \; \sum _{i \in S_{\ell }} \tilde{r}_{\ell , i}=0,\\&\mathbf{c}_{i} :=\left( \pi _{i}(1, i), \boxed {x^{0}_{i} + w_{i}\tilde{z}}, z, \tilde{z},0,0\right) \mathbf{B}\;\; \text {for all } i \in U^{*}, \\&\mathbf{k}_{\ell , i} {:=} {\left\{ \begin{array}{ll} \left( \rho _{\ell , i}(-i, 1), y_{\ell , i}, r_{\ell , i}, \boxed {\tilde{r}_{\ell , i} - w_{i}y_{\ell ,i}} ,0,0\right) \mathbf{B}^{*} &{} (i \in U^{*}, S_{\ell } \subseteq U^{*})\\ \left( \rho _{\ell , i}(-i, 1), y_{\ell , i}, r_{\ell , i}, \boxed {\bar{r}_{\ell , i} - w_{i}y_{\ell ,i}} ,0,0\right) \mathbf{B}^{*} &{} (i \in U^{*}, S_{\ell } \backslash U^{*} \ne \phi ) \end{array}\right. }. \end{aligned}$$

Game 5:

This game is the same as Game 4 except that \(\mathbf{c}_{i}\) in the challenge ciphertext is set as

$$\begin{aligned} w_{i}, \tilde{z} \xleftarrow {\mathsf{U}}\mathbb {Z}_p,\;\;\mathbf{c}_{i} :=\left( \pi _{i}(1, i), \boxed {x^{1}_{i}+w_{i}\tilde{z}}, z,\tilde{z},0,0\right) \mathbf{B} \;\; \text {for all } i \in U^{*}. \end{aligned}$$

Game 6:

This game is the same as the real security game where the challenge ciphertext is the encryption of \(\mathbf{x}^{1}\) as described in Definition 6. That is, the challenge ciphertext for a pair of vectors \((\mathbf{x}^{0}, \mathbf{x}^{1}) \in (\mathbb {Z}^{m^{*}})^{2}\) is replied as

$$\begin{aligned}&\mathbf{c}_{i} :=\left( \pi _{i}(1, i), \boxed {x^{1}_{i}}, z,\boxed {0},0,0\right) \mathbf{B}\;\; \text {for all } i \in U^{*}\\&\mathsf{ct}_{m^{*}} :=([\mathbf{c}_{1}]_{1} , \ldots ,[\mathbf{c}_{m^{*}}]_{1}). \end{aligned}$$

The \(\ell \)-th secret key query with an index set \(S_{\ell }\) and vector \(\mathbf{y}_{\ell } \in \mathbb {Z}^{S_{\ell }}\) is replied as

$$\begin{aligned}&\mathbf{k}_{\ell , i} :=\left( \rho _{\ell , i}(-i, 1), y_{\ell , i}, r_{\ell , i}, \boxed {0},0,0\right) \mathbf{B}^{*}\;\; \text {for all } i \in S_{\ell }\\&\mathsf{sk}_{\ell , S_{\ell }} :=(S_{\ell }, \{ [\mathbf{k}_{\ell ,i}]_{2} \}_{i \in S_{\ell }}). \end{aligned}$$

We modify Lemmas 17 and 18 to be suitable for the E:sep setting.

Lemma 39

For any polynomial \(n :=n(\lambda )\) and any set \(M \subseteq [m]\) with any polynomial \(m :=m(\lambda )\), we define the following distribution,

$$\begin{aligned}&\mathbb {G}\leftarrow \mathcal {G}_\mathsf{BG}(1^\lambda ), \;\; \mathbf{B} \xleftarrow {\mathsf{U}}\mathsf{GL}_{7}(\mathbb {Z}_p), \;\;\{ \pi _{i} \}_{i \in M} ,\tilde{z} \xleftarrow {\mathsf{U}}\mathbb {Z}_p,\\&\mathbf{u}_{i} :=(\pi _{i}(1, i),0,0, \tilde{z},0,0)\mathbf{B} \;\; \text { for all } i \in M,\\&D :=(\mathbb {G}, [\mathbf{b}_{1}]_{1} , \ldots ,[\mathbf{b}_{4}]_{1}, [\mathbf{b}^{*}_{1}]_{2} , \ldots ,[\mathbf{b}^{*}_{5}]_{2}, \{[\mathbf{u}_{i}]_{1} \}_{i \in M}),\\&\{ \rho '_{i} \}_{i \in [n] \backslash M}, \{ r'_{i} \}_{i \in [n] \backslash M} \xleftarrow {\mathsf{U}}\mathbb {Z}_p,\\&\mathbf{u}^{*}_{i,\beta } :=(\rho '_{i}(-i, 1),0,0,\beta r'_{i},0,0)\mathbf{B}^{*} \;\; \text { for all } i \in [n] \backslash M,\\&U_{\beta } :=\{[\mathbf{u}^{*}_{i,\beta }]_{2} \}_{i \in [n] \backslash M}. \end{aligned}$$

For any PPT adversary \(\mathcal {A}\), there exists a PPT adversary \(\mathcal {B}\) for the SXDH s.t.

$$\begin{aligned} \mathsf{Adv}_{\mathcal {A}}^{\textsf {P1}}(\lambda ) :=\,&|\mathsf{Pr}[1 \leftarrow \mathcal {A}(D, U_{0})] - \mathsf{Pr}[1 \leftarrow \mathcal {A}(D, U_{1})]| \\ \le&\, 4|[n] \backslash M |\mathsf{Adv}_{\mathcal {B}}^{\textsf {SXDH}}(\lambda )+2^{-\varOmega (\lambda )}. \end{aligned}$$

Lemma 40

For any polynomial \(n :=n(\lambda )\) and any set \(M \subseteq [m]\) with any polynomial \(m :=m(\lambda )\), we define the following distribution,

$$\begin{aligned}&\mathbb {G}\leftarrow \mathcal {G}_\mathsf{BG}(1^\lambda ), \;\; \mathbf{B} \xleftarrow {\mathsf{U}}\mathsf{GL}_{7}(\mathbb {Z}_p),\;\; \{ \rho '_{i} \}_{i \in [n] \backslash M} \xleftarrow {\mathsf{U}}\mathbb {Z}_p,\\&\mathbf{u}_{i}^{*} :=(\rho '_{i}(-i, 1),1,0,0,0,0)\mathbf{B}^{*}\;\; \text { for all } i \in [n] \backslash M, \\&D :=(\mathbb {G}, [\mathbf{b}_{1}]_{1} , \ldots ,[\mathbf{b}_{4}]_{1}, [\mathbf{b}^{*}_{1}]_{2}, [\mathbf{b}^{*}_{2}]_{2},[\mathbf{b}^{*}_{4}]_{2}, [\mathbf{b}^{*}_{5}]_{2}, \{[\mathbf{u}^{*}_{i}]_{2} \}_{i \in [n] \backslash M} ),\\&\{ \pi '_{i} \}_{i \in [m]}, \{ \rho '_{i} \}_{i \in [m]}, \{ w_{i} \}_{i \in M} \xleftarrow {\mathsf{U}}\mathbb {Z}_p,\\&\mathbf{u}_{i,\beta } :=(\pi '_{i}(1, i), \beta w_{i},0, 1,0,0)\mathbf{B} \;\; \text { for all } i \in M,\\&\mathbf{u}_{i,\beta }^{*} :=(\rho '_{i}(-i, 1),1,0,-\beta w_{i},0,0)\mathbf{B}^{*} \;\; \text { for all } i \in M,\\&U_{\beta } :=\{[\mathbf{u}_{i,\beta }]_{1}, [\mathbf{u}^{*}_{i,\beta }]_{2} \}_{i \in M}. \end{aligned}$$

For any PPT adversary \(\mathcal {A}\), there exists a PPT adversary \(\mathcal {B}\) for the SXDH s.t.

$$\begin{aligned} \mathsf{Adv}_{\mathcal {A}}^{\textsf {P2}}(\lambda ) :=|\mathsf{Pr}[1 \leftarrow \mathcal {A}(D, U_{0})] - \mathsf{Pr}[1 \leftarrow \mathcal {A}(D, U_{1})]| \le 8|M|\mathsf{Adv}_{\mathcal {B}}^{\textsf {SXDH}}(\lambda )+2^{-\varOmega (\lambda )}. \end{aligned}$$

The proofs of Lemmas 39 and 40 are similar to those of Lemmas 17 and 18, respectively.

Applying these lemmas, we have

$$\begin{aligned}&|\mathsf{Pr}[\mathsf{E}_{2}] - \mathsf{Pr}[\mathsf{E}_{3}]| \le 4(s_{\mathsf{max}}-1)\mathsf{Adv}_{\mathcal {B}}^{\textsf {SXDH}}(\lambda )+2^{-\varOmega (\lambda )},\\&|\mathsf{Pr}[\mathsf{E}_{3}] - \mathsf{Pr}[\mathsf{E}_{4}]| \le 8u_{\mathsf{max}}\mathsf{Adv}_{\mathcal {B}}^{\textsf {SXDH}}(\lambda )+2^{-\varOmega (\lambda )}.\\&|\mathsf{Pr}[\mathsf{E}_{4}] - \mathsf{Pr}[\mathsf{E}_{5}]| \le 2^{-\varOmega (\lambda )},\\&|\mathsf{Pr}[\mathsf{E}_{5}] - \mathsf{Pr}[\mathsf{E}_{6}]| \le \{8u_{\mathsf{max}} + 4(s_{\mathsf{max}}-1)+2 \}\mathsf{Adv}_{\mathcal {B}}^{\textsf {SXDH}}(\lambda )+2^{-\varOmega (\lambda )}. \end{aligned}$$

\(\square \)
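
Added worked check, not part of the original proof: in Game 4 of the proof above, the boxed terms cancel under the pairing. By property 1 of Definition 7, for every \(i \in S_{\ell } \cap U^{*}\) the exponent of \(e(g_{1}, g_{2})\) in \(e([\mathbf{c}_{i}]_{1}, [\mathbf{k}_{\ell ,i}]_{2})\) is the inner product of the two coefficient vectors. For the case \(S_{\ell } \subseteq U^{*}\) (the case \(S_{\ell } \backslash U^{*} \ne \phi \) is identical with \(\bar{r}_{\ell ,i}\) in place of \(\tilde{r}_{\ell ,i}\)) this is

$$\begin{aligned}&\pi _{i}\rho _{\ell ,i}\langle (1, i), (-i, 1) \rangle + (x^{0}_{i} + w_{i}\tilde{z})y_{\ell ,i} + z r_{\ell ,i} + \tilde{z}(\tilde{r}_{\ell ,i} - w_{i}y_{\ell ,i})\\&\quad = x^{0}_{i}y_{\ell ,i} + z r_{\ell ,i} + \tilde{z}\tilde{r}_{\ell ,i}, \end{aligned}$$

since \(\langle (1, i), (-i, 1) \rangle = -i + i = 0\) and the two \(w_{i}\tilde{z}y_{\ell ,i}\) terms cancel. The value does not depend on \(w_{i}\).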

D Fully function hiding priv-UIPFE for (E:sep, K:sep, D:eq)

D.1 Syntax

Let \(\mathcal {X}:=\{X_{\lambda } \}_{\lambda \in \mathbb {N}}, \mathcal {Y}:=\{Y_{\lambda } \}_{\lambda \in \mathbb {N}}\) be ensembles of norm-limit.

\(\mathsf{Setup}(1^{\lambda })\):

This algorithm takes a security parameter \(1^{\lambda }\), and outputs a public parameter \(\mathsf{pp}\) and a master secret key \(\mathsf{msk}\).

\(\mathsf{Enc}(\mathsf{pp}, \mathsf{msk}, U, \mathbf{x})\):

This algorithm takes \(\mathsf{pp}, \mathsf{msk}\), a non-empty index set \(U \subseteq [u]\) where \(u :=u(\lambda )\) is any polynomial, and an indexed vector \(\mathbf{x} :=(x_{i})_{i \in U} \in \mathbb {Z}^{U}\). It outputs a ciphertext \(\mathsf{ct}_{U}\).

\(\mathsf{KeyGen}(\mathsf{pp}, \mathsf{msk}, S, \mathbf{y})\):

This algorithm takes \(\mathsf{pp}, \mathsf{msk}\), a non-empty index set \(S \subseteq [s]\) where \(s :=s(\lambda )\) is any polynomial, and an indexed vector \(\mathbf{y} :=(y_{i})_{i \in S} \in \mathbb {Z}^{S}\). It outputs a secret key \(\mathsf{sk}_{S}\).

\(\mathsf{Dec}(\mathsf{pp}, \mathsf{ct}_{U}, \mathsf{sk}_{S})\):

This algorithm takes \(\mathsf{pp}, \mathsf{ct}_{U}\) and \(\mathsf{sk}_{S}\) and outputs a decrypted value \(d \in \mathbb {Z}\) or a symbol \(\bot \).

Correctness Priv-UIPFE is correct if it satisfies the following condition. For any \(\lambda \in \mathbb {N}\), \(\mathbf{x}, \mathbf{y} \in \mathbb {Z}^{S}\) s.t. \(S \subseteq [s]\) where \(s :=s(\lambda )\) is any polynomial, \(||\mathbf{x}||_{\infty } \le X_{\lambda }\), and \(||\mathbf{y}||_{\infty } \le Y_{\lambda }\), we have

$$\begin{aligned} \mathsf{Pr}\left[ d = \langle \mathbf{x}, \mathbf{y} \rangle \; \begin{array}{|l} \;(\mathsf{pp},\mathsf{msk}) \leftarrow \mathsf{Setup}(1^{\lambda })\\ \;\mathsf{ct}_{S} \leftarrow \mathsf{Enc}(\mathsf{pp}, \mathsf{msk}, S,\mathbf{x})\\ \;\mathsf{sk}_{S} \leftarrow \mathsf{KeyGen}(\mathsf{pp}, \mathsf{msk}, S,\mathbf{y})\\ \;d :=\mathsf{Dec}(\mathsf{pp}, \mathsf{ct}_{S}, \mathsf{sk}_{S}) \end{array} \right] \ge 1 - \mathsf {negl}(\lambda ). \end{aligned}$$

Security Priv-UIPFE is fully function hiding if it satisfies the following condition. That is, the advantage of \(\mathcal {A}\) against Priv-UIPFE defined as follows is negligible in \(\lambda \) for any PPT adversary \(\mathcal {A}\),

$$\begin{aligned} \mathsf{Adv}_{\mathcal {A}}^{\textsf {Priv-UIPFE}}(\lambda ) :=\left| \begin{array}{l} \textsf {Pr} \left[ \begin{array}{l} 1 \leftarrow \mathcal {A}^{\mathcal {O}_{\mathsf{Enc},0}(\mathsf{pp},\mathsf{msk},\cdot ,\cdot ), \mathcal {O}_{\mathsf{KG},0}(\mathsf{pp},\mathsf{msk},\cdot ,\cdot )}(\mathsf{pp}):\\ (\mathsf{pp}, \mathsf{msk}) \leftarrow \textsf {Setup}(1^\lambda ) \end{array} \right] \\ - \textsf {Pr} \left[ \begin{array}{l} 1 \leftarrow \mathcal {A}^{ \mathcal {O}_{\mathsf{Enc},1}(\mathsf{pp},\mathsf{msk},\cdot ,\cdot ), \mathcal {O}_{\mathsf{KG},1}(\mathsf{pp},\mathsf{msk},\cdot ,\cdot )}(\mathsf{pp}):\\ (\mathsf{pp}, \mathsf{msk}) \leftarrow \textsf {Setup}(1^\lambda ) \end{array} \right] \end{array} \right| . \end{aligned}$$

Here, \(\mathcal {O}_{\mathsf{Enc},\beta }(\mathsf{pp},\mathsf{msk},\cdot ,\cdot )\) with \(\beta \in \{0,1\}\) is an encryption oracle that takes an index set U and a pair of vectors \((\mathbf{x}^{0}, \mathbf{x}^{1}) \in (\mathbb {Z}^{U})^{2}\), and outputs \(\mathsf{Enc}(\mathsf{pp},\mathsf{msk}, U, \mathbf{x}^{\beta })\). \(\mathcal {O}_{\mathsf{KG},\beta }(\mathsf{pp},\mathsf{msk},\cdot ,\cdot )\) with \(\beta \in \{0,1\}\) is a key generation oracle that takes an index set S and a pair of indexed vectors \((\mathbf{y}^{0}, \mathbf{y}^{1}) \in (\mathbb {Z}^{S})^{2}\) and outputs \(\mathsf{KeyGen}(\mathsf{pp},\mathsf{msk}, S, \mathbf{y}^{\beta })\). To avoid a trivial attack by \(\mathcal {A}\), we impose the following condition on \(\mathcal {A}\)’s queries. Let \(q_{\mathsf{ct}}\) (resp. \(q_{\mathsf{sk}}\)) be the total number of ciphertext queries (resp. secret key queries) of \(\mathcal {A}\). For all \(j \in [q_{\mathsf{ct}}]\) and \(\ell \in [q_{\mathsf{sk}}]\), if \(U_{j} = S_{\ell }\), then

$$\begin{aligned} \sum _{i \in [U_{j}]} x^{0}_{j,i}y^{0}_{\ell ,i} =\sum _{i \in [U_{j}]} x^{1}_{j,i}y^{1}_{\ell ,i}. \end{aligned}$$

D.2 Construction

In the following scheme, norm limits \(X_{\lambda }, Y_{\lambda }\) are some polynomials. Let \(\mathcal {F}:=\{F_{K} \}_{K \in \mathcal {K}_{\lambda }}\) be a PRF family with a key space \(\mathcal {K}_{\lambda }\) consisting of functions \(F_{K}:\{0,1\}^{*} \rightarrow \mathbb {Z}_p\). Note that a PRF family with variable length is constructible from one-way functions in the standard model [9].

\(\mathsf{Setup}(1^{\lambda })\):

Takes a security parameter \(1^\lambda \) and chooses bilinear groups \(\mathbb {G}\leftarrow \mathcal {G}_\mathsf{BG}(1^\lambda )\) and a PRF key \(K \xleftarrow {\mathsf{U}}\mathcal {K}_{\lambda }\). Outputs

$$\begin{aligned} \mathsf{pp}:=\mathbb {G},\;\; \mathsf{msk}:=K. \end{aligned}$$

\(\mathsf{Enc}(\mathsf{pp}, \mathsf{msk}, U, \mathbf{x})\):

Takes \(\mathsf{pp}, \mathsf{msk}, U,\) and \(\mathbf{x} :=(x_{i})_{i \in U} \in \mathbb {Z}^{U}\). Sets \(b_{i,j} :=F_{K}(U||\$ || i(2|U|+5)+j)\), \(\mathbf{B}_{U} :=(b_{i,j})_{i,j \in [2|U|+5]} \in \mathsf{M}_{2|U|+5}(\mathbb {Z}_p)\), and \(\mathbf{c}_{U} :=(\mathbf{x},0^{|U|}, \mathbf{r}, 0, 0, 0)\mathbf{B}_{U} \in \mathbb {Z}_p^{2|U|+5}\) where \(\mathbf{r} \xleftarrow {\mathsf{U}}\mathbb {Z}_p^{2}\). Outputs

$$\begin{aligned} \mathsf{ct}_{U} :=(U, [\mathbf{c}_{U}]_{1}). \end{aligned}$$

If \(\mathbf{B}_{U}\) is a singular matrix, outputs \(\bot \). Note that $ is a special symbol that is not used to encode U and \(i(2|U|+5)+j\).

\(\mathsf{KeyGen}(\mathsf{pp}, \mathsf{msk}, S, \mathbf{y})\):

Takes \(\mathsf{pp}, \mathsf{msk}, S, \) and \(\mathbf{y} :=(y_{i})_{i \in S} \in \mathbb {Z}^{S}\). Sets \(b_{i,j} :=F_{K}(S||\$||i(2|S|+5)+j)\) and \(\mathbf{B}_{S} :=(b_{i,j})_{i,j \in [2|S|+5]} \in \mathsf{M}_{2|S|+5}(\mathbb {Z}_p)\). Then computes \(\mathbf{k}_{S} :=(\mathbf{y},0^{|S|}, 0,0, \mathbf{s}, 0)\mathbf{B}^{*}_{S} \in \mathbb {Z}_p^{2|S|+5}\) where \(\mathbf{s} \xleftarrow {\mathsf{U}}\mathbb {Z}_p^{2}\). Outputs

$$\begin{aligned} \mathsf{sk}_{S} :=(S, [\mathbf{k}_{S}]_{2}). \end{aligned}$$

If \(\mathbf{B}_{S}\) is a singular matrix, outputs \(\bot \).

\(\mathsf{Dec}(\mathsf{pp}, \mathsf{ct}_{U}, \mathsf{sk}_{S})\):

Takes \(\mathsf{pp}\), a ciphertext \(\mathsf{ct}_{U}\), and a secret key \(\mathsf{sk}_{S}\). If \(U=S\), then computes

$$\begin{aligned} h :=e([\mathbf{c}_{U}]_{1}, [\mathbf{k}_{S}]_{2}), \end{aligned}$$

and searches for d s.t. \(e(g_{1}, g_{2})^{d} = h\) exhaustively in the range of \(-|U|X_{\lambda }Y_{\lambda }\) to \(|U|X_{\lambda }Y_{\lambda }\). If such d is found, outputs d. Otherwise, outputs \(\bot \).

Correctness This scheme is correct if \(\mathcal {F}\) is a PRF family. We consider the case where \(\mathbf{B}_{U}\) is invertible. Observe that if \(U = S\),

$$\begin{aligned} h = e([\mathbf{c}_{U}]_{1}, [\mathbf{k}_{S}]_{2}) = e(g_{1}, g_{2})^{\sum _{i \in U}x_{i}y_{i}}. \end{aligned}$$

If \(||\mathbf{x}||_{\infty } \le X_{\lambda }\) and \(||\mathbf{y}||_{\infty } \le Y_{\lambda }\), then \(|\langle \mathbf{x}, \mathbf{y} \rangle | \le |U|X_{\lambda }Y_{\lambda }\) and \(\mathsf{Dec}\) outputs \(\sum _{i \in U}x_{i}y_{i}\). Hence, if \(\mathbf{B}_{U}\) is invertible except with negligible probability, our scheme is correct. By logic similar to that for our Priv-UIPFE scheme in Sect. 3, the above statement holds.
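The following sketch walks through the construction and correctness argument above end to end. It is an added example, not code from the paper: group elements \([\mathbf{c}_{U}]_{1}\), \([\mathbf{k}_{S}]_{2}\) are replaced by their exponents in \(\mathbb {Z}_p\) and the pairing by an inner product, so it checks the algebra only and provides no security. Assumptions: \(F_{K}\) is instantiated with HMAC-SHA256, p is a toy prime, and \(\mathbf{B}^{*} :=(\mathbf{B}^{-1})^{\top }\) is the dual basis.

```python
# Added example: exponents stand in for group elements (algebra check only, no security).
import hashlib, hmac, secrets

P = 2**61 - 1  # toy prime standing in for the group order p (assumption)

def basis(key, idx):
    """B_U with b_ij = F_K(U || $ || i(2|U|+5)+j); F_K is HMAC-SHA256 here (assumption)."""
    n, tag = 2 * len(idx) + 5, ",".join(map(str, sorted(idx))).encode() + b"$"
    f = lambda t: int.from_bytes(hmac.new(key, tag + str(t).encode(), hashlib.sha256).digest(), "big") % P
    return [[f(i * n + j) for j in range(1, n + 1)] for i in range(1, n + 1)]

def inverse(m):
    n = len(m)
    a = [row[:] + [int(r == c) for c in range(n)] for r, row in enumerate(m)]
    for col in range(n):  # Gauss-Jordan elimination over Z_p
        piv = next((r for r in range(col, n) if a[r][col]), None)
        if piv is None:
            return None  # singular matrix: the scheme outputs ⊥
        a[col], a[piv] = a[piv], a[col]
        inv = pow(a[col][col], -1, P)
        a[col] = [v * inv % P for v in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                a[r] = [(v - a[r][col] * w) % P for v, w in zip(a[r], a[col])]
    return [row[n:] for row in a]

def encode(key, idx, vec, tail, dual):
    B = basis(key, idx)
    B_inv = inverse(B)
    if B_inv is None:
        return None
    M = [list(c) for c in zip(*B_inv)] if dual else B  # B* = (B^-1)^T for keys
    v = [vec[i] % P for i in sorted(idx)] + [0] * len(idx) + tail
    return frozenset(idx), [sum(a * row[j] for a, row in zip(v, M)) % P for j in range(len(M))]

def enc(key, U, x):
    r = [secrets.randbelow(P) for _ in range(2)]
    return encode(key, U, x, r + [0, 0, 0], dual=False)  # (x, 0^|U|, r, 0, 0, 0) B_U

def keygen(key, S, y):
    s = [secrets.randbelow(P) for _ in range(2)]
    return encode(key, S, y, [0, 0] + s + [0], dual=True)  # (y, 0^|S|, 0, 0, s, 0) B*_S

def dec(ct, sk, X, Y):
    (U, c), (S, k) = ct, sk
    if U != S:
        return None  # index sets must be equal (D:eq)
    h = sum(a * b for a, b in zip(c, k)) % P  # exponent of e([c_U]_1, [k_S]_2)
    bound = len(U) * X * Y
    return next((d for d in range(-bound, bound + 1) if d % P == h), None)
```

Because \(\mathbf{r}\) and \(\mathbf{s}\) occupy disjoint coordinates, they cancel in the inner product, and `dec` returns `None` (the paper's \(\bot \)) when the index sets differ or the result falls outside \(\pm |U|X_{\lambda }Y_{\lambda }\).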

Security We briefly explain the proof idea. The challenger first changes how the matrix \(\mathbf{B}_{U}\) is generated, sampling it as \(\mathbf{B}_{U} \xleftarrow {\mathsf{U}}\mathsf{GL}_{2|U|+5}(\mathbb {Z}_p)\). As in Lemma 1, a PPT adversary cannot distinguish this change. At this point, the situation is the same as one where the fully function hiding bounded IPFE schemes by Tomida et al. [29] are executed in parallel for each index set. Hence, the security of the above scheme is reduced to that of their scheme.

Cite this article

Tomida, J., Takashima, K. Unbounded inner product functional encryption from bilinear maps. Japan J. Indust. Appl. Math. 37, 723–779 (2020). https://doi.org/10.1007/s13160-020-00419-x
