Plaintext-Verifiably-Checkable Encryption

Abstract

The notion of plaintext-checkable encryption (PCE) has recently emerged in the application of search on encrypted data only by plaintexts. We observe that existing PCE schemes are not sufficient to guarantee check correctness in the case of a malicious encryptor. To address this concern, we put forth the concept of plaintext-verifiably-checkable encryption (PVCE), which captures the basic requirement of output correctness: If M is thought to be the plaintext for a ciphertext \(\textsf {ct}\) by the Check algorithm, \(\textsf {ct}\) is actually a valid encryption of M. In other words, it does not exist any maliciously generated ciphertext could succeed in plaintext checking. This property guarantees a meaningful notion of correctness and is crucial in several applications. We propose a PVCE construction using pairing-friendly smooth projective hash function with modified language representation and prove it to be unlink-cca security in the standard model. This is the first verifiable plaintext-checkable encryption that provides both verifiable checkability and the most desirable security in the standard model. To this end, we show a PVCE instantiation from k-MDDH assumption.

1 Introduction

Encryption technology with functionalities, for example, public/private keyword search or equality test, plays important roles in era of cloud computing, which has been achieved much attraction in recent years. A typical primitive is public key encryption with keyword searh (PEKS) [1,2,3,4,5] to search on ciphertexts by a trapdoor from secret key and keyword. Any user owing the trapdoor could infer whether any ciphertext contains the same keyword in the trapdoor without the knowledge of the underlying keyword. Another variant is public key encryption with equality test (PKEET) [6,7,8,9,10] to search on ciphertexts by a candidate ciphertext. Any tester (or authorized tester) could know whether two ciphertexts share the same message.

In this paper, we consider the primitive plaintext-checkable encryption (PCE) to search on ciphertext only by plaintext. It is no surprise that in PCE framework if the check algorithm on a ciphertext and a plaintext returns true, the tester could easily obtain the plaintext underlying a ciphertext. Otherwise, the ciphertext should not leak any other knowledge of the plaintext. Compared with PEKS, the trapdoor of PCE is a plaintext without taking any secret information as input while the trapdoor of PEKS is generated only by the data owner using its secret key. Compared with PKEET, PCE provides more simple search way (only by plaintext) without additional encryption of compared plaintext, possibly under different public keys.

We observe that existing PCE schemes are not sufficient to guarantee check correctness. This is essential in the case of a malicious encryptor, where the maliciously generated ciphertext could possibly succeed in plaintext checking. A seemly proper technology is to adopt signature to guarantee the well-formedness of ciphertexts, which is similar to [10] to ensure all unchecked elements in the ciphertexts have not been tampered with. However, this technology is only used in the scenario which implies an assumption that all encryptors are honest. Here we emphasize that this intention is different from our goal to exclude all invalid ciphertexts which are possibly generated by malicious encryptors. Next, we use some examples to explain our goal.

• In [11], two PCE constructions in random oracle model do satisfy the verifiable checkability because the test procedure could totally recover the randomness in the encryption procedure and then the verifiability follows.

• In [11], one PCE construction in standard model also satisfies the verifiable checkability, using the pairing property on the check elements in \(\mathbb {G}_{2}\).

• In [12], the ciphertext is \(\textsf {CT}=(W,U,W',V)=(W,\textsf {ProjHash}_{1}(\textsf {hp}_{1},W)*M,W',\textsf {ProjHash}_{2}(\textsf {hp}_{2},(W,U,W')))\). In the check procedure, \(W'\) could be reconstructed and then V is verified by the witness \(\tau \) of \(W'\). However, U could not be guaranteed to be correct. In other words, a ciphertext without well formedness would pass the check phase. For instance, the adversary could randomly choose \(y\in \mathcal {Y}\) and compute the ciphertext \(C'=(W,y*M,W',\textsf {ProjHash}_{2}(\textsf {hp}_{2},(W,U,W)))\), where \(W'=\textsf {WordGen}(\varGamma (W,y,M))\). Therefore, even if \(C'\) is thought to be the encryption of M by the check algorithm, \(C'\) is actually not the encryption of M!

Note that although the schemes in [11] satisfy the verifiable checkability, they can not achieve the best desirable unlink-cca security. To the best of our knowledge, we have not seen PCE constructions that have both verifiable checkability and the strongest unlink-cca security in the literature. This is the motivation of our work.

Fig. 1.

Comparison with related work.

1.1 Related Work

Canard et al. [11] first proposed generic PCE constructions in the random oracle model based on any probabilistic or deterministic encryption and a practical construction using pairing groups in the standard model, whose security notion is defined as unlink. Recently, Ma et al. [12] proposed a PCE scheme with s-priv1-cca security, which is independent with unlink. As shown in [12], the most desired security of PCE is unlink-cca. In the application, PCE is a useful primitive for private join on encrypted database, where a join attribute is sensitive to be protected and another join attribute is stored in plain. Privacy-preserving join on encrypted database has been received much attention, where most constructions work under the condition that both joined attributes are encrypted. Carbunar and Sion [13] first studied private join on outsourced database in a private key setting, which supports general binary join predicates including range, equality and Hamming distance. Furukawa and Isshiki [14] provided a scheme where the server requires an authorization from the data owner to execute an equijoin. Yang et al. [6] introduced the notion of public key encryption with equality test (PKEET) as a useful primitive for join on two encrypted columns in multi-user setting. Several follow-on [7,8,9,10] studies extended PKEET with authorized equality test such that only authorized server can perform equality test on ciphertexts, which is accordance with only authorized server can perform equijoin on encrypted attributes. We show Fig. 1 to summarize the properties of related work according to public/private setting, random oracle/standard model, full/semi-encrypted join, authorization, security with/without authorization and verification, where full-encrypted join denotes join on both two encrypted attributes and semi-encrypted join denotes join on one encrypted attribute and another non-encrypted attribute. We see that only our work has both verifiable checkability and the most desirable security.

2 Pairing-Friendly Smooth Projective Hash Function

2.1 Definition of SPHF

A smooth projective hash function (SPHF) is based on a domain \(\mathcal {X}\) and an \(\mathcal {NP}\) language \(\mathcal {L}\subset \mathcal {X}\). An SPHF system over \(\mathcal {L}\) onto a set \(\mathcal {Y}\) is defined as follows [17].

• SPHFSetup(k): It takes as input a security parameter k and outputs \((\mathcal {L},\textsf {param})\) as the global parameters.

• HashKG(\(\mathcal {L}\), param): It generates a hashing key hk.

• ProjKG(hk,(\(\mathcal {L}\),param),W): It derives the projection key hp from the hashing key hk, possibly depending on the word W.

• Hash(hk,(\(\mathcal {L}\), param), W): It outputs the hash value \(\textsf {hv}\in \mathcal {Y}\) from the hashing key on any word \(W \in \mathcal {X}\).

• ProjHash(hp,(\(\mathcal {L}\),param),W,w): It outputs the hash value \(\textsf {hv}'\in \mathcal {Y}\) from the projection key hp and any word \(W \in \mathcal {X}\) with the witness w.

In this paper, we additionally define a WordVF algorithm to verify a word W using a witness w:

• WordVF(\((\mathcal {L},\textsf {param}),w,W\)): It outputs 1 if w is the witness of W, or 0 otherwise.

Correctness. The correctness of SPHF assures that if \(W \in \mathcal {L}\) with a witness w, then \(\textsf {Hash}(\textsf {hk},(\mathcal {L},\textsf {param}),W )= \textsf {ProjHash}(\textsf {hp},(\mathcal {L}, \textsf {param}), W ,w )\).

Smoothness. The smoothness of SPHF assures that if \(W \in \mathcal {X}\backslash \mathcal {L}\), then the following two distributions are statistically indistinguishable:

$$\begin{aligned}&\lbrace ((\mathcal {L},\textsf {param}),W,\textsf {hp},\textsf {hv})|\textsf {hv}=\textsf {Hash}(\textsf {hk},(\mathcal {L},\textsf {param}),W)\rbrace , \\&\lbrace ((\mathcal {L},\textsf {param}),W,\textsf {hp},\textsf {hv})|\textsf {hv}{\mathop {\leftarrow }\limits ^{\$}}\mathcal {Y} \rbrace . \end{aligned}$$

where \((\mathcal {L},\textsf {param})=\textsf {SPHFSetup}(k)\), \(\textsf {hk}=\textsf {HashKG}(\mathcal {L},\textsf {param})\) and \(\textsf {hp}=\textsf {ProjKG}(\textsf {hk},(\mathcal {L},\textsf {param}),W)\).

2-Smoothness. The 2-smoothness of SPHF assures that if \(W_{1},W_{2} \in \mathcal {X}\backslash \mathcal {L} \wedge W_{1}\ne W_{2}\), then the following two distributions are statistically indistinguishable:

$$\begin{aligned} \begin{aligned}&\lbrace ((\mathcal {L},\textsf {param} ),W_{1},W_{2},\textsf {hp} ,\textsf {hv} _{1},\textsf {hv} _{2})| \textsf {hv} _{2}=\textsf {Hash}(\textsf {hk} ,(\mathcal {L},\textsf {param} ),W_{2})\rbrace , \\&\lbrace ((\mathcal {L},\textsf {param} ),W_{1},W_{2},\textsf {hp} ,\textsf {hv} _{1},\textsf {hv} _{2})|\textsf {hv} _{2}{\mathop {\leftarrow }\limits ^{\$}}\mathcal {Y} \rbrace , \end{aligned} \end{aligned}$$

where \((\mathcal {L},\textsf {param})=\textsf {SPHFSetup}(k)\), \(\textsf {hk}=\textsf {HashKG}(\mathcal {L},\textsf {param})\), \(\textsf {hp}=\textsf {ProjKG}(\textsf {hk},(\mathcal {L}, \textsf {param}),W_{2})\) and \(\textsf {hv} _{1}=\textsf {Hash}(\textsf {hk} ,(\mathcal {L},\textsf {param} ),W_{1})\).

Extended SPHF. An extended SPHF additionally takes an auxiliary element aux along with word W as input of Hash and ProjHash algorithm.

2.2 Modified Language Representation

For SPHF, classical language representation has been described in [17,18,19]. We omit it for brevity. By making modification on classical language representation [17,18,19], we provide an alternative language representation of a language \(\mathcal {L}_{\textsf {aux}}\). For a language \(\mathcal {L}_{\textsf {aux}}\), there exist two positive integers k and n, a word basis function \(\varUpsilon :\mathcal {S}et \mapsto \mathbb {G}^{k \times n}\) and a family of functions \(\varTheta _{\textsf {aux}}:\mathcal {S}et\mapsto \mathbb {G}^{1\times n}\), such that for any word \(C \in \mathcal {S}et\), \((C\in \mathcal {L}_{\textsf {aux}})\Longleftrightarrow (\exists \varvec{\varphi } \in \mathbb {Z}_{p}^{1\times k})\wedge (\exists \varvec{\delta } \in \mathbb {Z}_{p}^{k \times n})\) such that \(\varTheta _{\textsf {aux}}(C)=\varvec{\varphi }\bullet ( \varvec{\delta } \bullet \varGamma (C))\), where \(\varvec{\varphi }\) is independent of any word C. In other words, we say that \(C\in \mathcal {L}_{\textsf {aux}}\) if and only if \(\widetilde{\varTheta }_{\textsf {aux}}(C)\) is a linear combination of (the exponents in) the rows of some matrix \(\varvec{\delta }\bullet \varGamma (C)\). It also requires that a user, who knows a witness w of the membership \(C \in \mathcal {L}_{\textsf {aux}}\), can efficiently compute the above linear combination \(\varvec{\varphi }\). We emphasize that it is difference from the language representation in the literature that the linear combination \(\varvec{\varphi }\) is required to be independently chosen randomness, while the linear combination \(\varvec{\lambda }\) in the classical language representation possibly includes both the independently chosen randomness and possibly non-independently random elements. This might be a quite strong requirement but this is actually verified by very expressive language over ciphertexts such as ElGamal, Cramer-Shoup and variants.

We briefly illustrate it on an SPHF for the language of Cramer-Shoup ciphertext encrypting a message \(M=\textsf {aux}\). Words in the language \(\mathcal {L}_{\textsf {aux}}\) is \(C=(u_{1}=g_{1}^{r},u_{2}=g_{2}^{r},e=M\cdot h^{r},v=(cd^{\xi })^{r})\), with \(r\in \mathbb {Z}_{p}\) and \(\xi =H(\ell ,\varvec{u},e)\in \mathbb {Z}_{p}^{*}\). We choose \(k=2,\textsf {aux}=M,n=5\), and the modified language representation on the language of Cramer-Shoup ciphertext is shown as follows.

2.3 Transformation from SPHF to PF-SPHF

Let PGGen be a probabilistic polynomial time (PPT) algorithm that on input k returns a description \(\mathcal {PG}=(P,\widetilde{\mathbb {G}},\mathbb {G},\mathbb {G}_{T},e,\widetilde{g},g)\) of asymmetric pairing group, where \(\widetilde{\mathbb {G}}\), \(\mathbb {G}\) and \(\mathbb {G}_{T}\) are cyclic groups of order p for a k-bit prime p, \(\widetilde{g}\) and g are generators of \(\widetilde{\mathbb {G}}\) and \(\mathbb {G}\), respectively, and \(e:\widetilde{\mathbb {G}}\times \mathbb {G}\) is a bilinear map between them.

Notations. We focus here on cyclic group \(\mathbb {G}_{s}\) for \(s\in \{1,2,T\}\) of prime order p and define three operators on the group:

1. 1.

   \(\mathbb {G}_s *\mathbb {G}_s \rightarrow \mathbb {G}_s\). For any \(u\in \mathbb {G}_s\) and \(v \in \mathbb {G}_s\), \(u *v\in \mathbb {G}_s\). Specifically, for any element \(u \in \mathbb {G}_s\), we define \(u *u^{-1}=1_{\mathbb {G}_s}\), which is the identity element of \(\mathbb {G}_s\). Sometimes we also use \(uv=vu \in \mathbb {G}_{s}\) for \(u,v \in \mathbb {G}_{s}\).

2. 2.

   \(\mathbb {Z}_{p} \bullet \mathbb {G}_s \rightarrow \mathbb {G}_{s}\) (or \( \mathbb {G}_s \bullet \mathbb {Z}_{p} \rightarrow \mathbb {G}_s\)). For any \(r \in \mathbb {Z}_{p}\) and \(u \in \mathbb {G}_s\), \(r\bullet u=u \bullet r=u^{r}\).

3. 3.

   \(\mathbb {G}_{1}\odot \mathbb {G}_{2} \rightarrow \mathbb {G}_{T}\) (or \(\mathbb {G}_{2}\odot \mathbb {G}_{1}\rightarrow \mathbb {G}_{T}\)). For \(u_{1} \in \mathbb {G}_{1}\) and \(u_{2}\in \mathbb {G}_{2}\), \(u_{1}\odot u_{2}=u_{2}\odot u_{1}=e(u_{1},u_{2})\).

Assume that every pairing-less SPHF has the modified language representation, implying a hash value is represented as \(\varTheta _{\textsf {aux}}(C)=\varvec{\varphi }\bullet (\varvec{\delta } \bullet \gamma (C))\). A first naive approach to transform every pairing-less SPHF into PF-SPHF in a bilinear setting is described in the Table 1, where we will always use the implicit notation of elements in \(\mathbb {G}_{s}\), i.e., we let \([u]_{\mathbb {G}_s}=g_{s}^{u}\) be an element in \(\mathbb {G}_{s}\). The key idea is to put pairing-less SPHF in a source group \(\mathbb {G}\) (resp. \(\widetilde{\mathbb {G}}\)) of pairing along with an element \(\widetilde{g}\) in another source group \(\widetilde{\mathbb {G}}\) (resp. \(\mathbb {G}\)), whose combination contributes to computing a pairing value. Actually, a pairing-friendly SPHF (PF-SPHF) has been used to construct particular SPHFs with the interesting properties, for instance, the structure-preserving SPHF [18] and the trapdoor SPHF [19].

Table 1. Transformation from SPHF to PF-SPHF.

Fig. 2.

Constructing 2-Smoothness SPHF from SPHF

Correctness. Correctness is inherited for word in \(\mathcal {L}\) as this reduces to computing the same value but in \(\mathbb {G}_{T}\).

Smoothness. For the words outside the language, the unchanged projection key do not reveal new information, therefore the hash value remain smoothness.

Examples. Two examples of classical SPHF on Diffie-Hellman and Cramer-Shoup encryption of M and their counterparts with PF-SPHF are described in [18]. We omit them for brevity.

2.4 2-Smoothness SPHF

[17] provides an efficient group-theoretic way (See Theorem 3 in [17]) to construct \(universal_{2}\) projective hash family from universal projective hash family. Actually, applying the same technology we can also obtain 2-smoothness extended SPHF directly from smoothness SPHF. Let SPHF = (SPHFSetup, HashKG, ProjKG, Hash, ProjHash) is smooth projective hash function on \(\mathcal {X}\) derived from \(\mathbb {G}\) of order prime p, we define an extended projective hash function \(\widehat{\textsf {SPHF}}\,=\,(\widehat{\textsf {SPHFSetup}}, \widehat{\textsf {HashKG}}, \widehat{\textsf {ProjKG}}, \widehat{\textsf {Hash}}, \widehat{\textsf {ProjHash}}, \widehat{\textsf {WordVF}})\) for \((\mathcal {X}\times E,\mathcal {L}\times E)\) based on SPHF as follows and fix an collusion-resistance hash function

$$\begin{aligned} \varGamma :\mathcal {X}\times E\rightarrow \{0,\cdots ,p-1\}^{n}, \end{aligned}$$

where n is sufficiently large. The way to construct 2-smoothness SPHF from SPHF is shown in Fig. 2.

3 Definitions

3.1 Plaintext-Verifiably-Checkable Encryption

We define here the notion of plaintext-verifiably-checkable encryption. Let \(k\in \mathbb {N}\) be a security parameter. A plaintext-verifiably-checkable encryption (PVCE) is composed of the following five algorithms:

1. 1.

   Setup\((k)\rightarrow pp\). The setup algorithm takes as input k and outputs a public system parameter pp.

2. 2.

   KeyGen\((pp)\rightarrow (pk,sk)\). The key generation algorithm takes as input a public system parameter pp and outputs a key pair (pk, sk) of public and secret key, respectively.

3. 3.

   Enc\((pk,M)\rightarrow \textsf {ct}\). The encryption algorithm takes as input pk and a plaintext M and outputs a ciphertext \(\textsf {ct}\).

4. 4.

   Dec\((sk,\textsf {ct})\rightarrow M\). The decryption algorithm takes as input sk and a ciphertext ct, and outputs a plaintext M or \(\bot \).

5. 5.

   VerifyCheck\((\textsf {ct},M)\rightarrow 1/0\). The verifiable check algorithm takes as input a ciphertext \(\textsf {ct}\) and a plaintext M, and outputs 1 if \(\textsf {ct}\) is indeed generated correctly for M under the public key pk, and 0 otherwise.

Correctness. The correctness of PCE must verify the following two conditions:

1. 1.

   Correctness of decryption. For any \(k\in \mathbb {N}\) and \(m\in \{0,1\}^{*}\),

   $$\begin{aligned} \Pr [pp {\mathop {\leftarrow }\limits ^{\$}}\textsf {Setup}(k), (pk,sk){\mathop {\leftarrow }\limits ^{\$}}\textsf {KeyGen}(pp),\textsf {ct}{\mathop {\leftarrow }\limits ^{\$}}\textsf {Enc}(pk,M): \\ \textsf {Dec}(sk,\textsf {ct})=M]=1. \end{aligned}$$
2. 2.

   Correctness of plaintext check. For any \(k\in \mathbb {N}\) and \(m\in \{0,1\}^{*}\),

   $$\begin{aligned} \Pr [pp {\mathop {\leftarrow }\limits ^{\$}}\textsf {Setup}(k), (pk,sk){\mathop {\leftarrow }\limits ^{\$}}\textsf {KeyGen}(pp),\textsf {ct}{\mathop {\leftarrow }\limits ^{\$}}\textsf {Enc}(pk,M): \\ \textsf {Check}(M,\textsf {ct})=1]=1. \end{aligned}$$

Verifiability. If M is thought to be the plaintext for a ciphertext \(\textsf {ct}\) by the Check algorithm, \(\textsf {ct}\) is actually a valid encryption of M.

$$\begin{aligned} \Pr [pp {\mathop {\leftarrow }\limits ^{\$}}\textsf {Setup}(k), (pk,sk){\mathop {\leftarrow }\limits ^{\$}}\textsf {KeyGen}(pp),(\textsf {ct},M){\mathop {\leftarrow }\limits ^{\$}}\mathcal {A}(pp,pk): \\ \textsf {Check}(\textsf {ct},M)=1:\exists r \wedge \textsf {Enc}(pk,M;r)=\textsf {ct}]=1. \end{aligned}$$

We assume that PCE plaintexts are drawn from a space of high min-entropy [11] since the adversary could win the game definitely when PCE plaintexts come from a space without enough entropy. This assumption is reasonable and has existed in many searchable encryptions.

Definition 1

(High min-entropy). An adversary \(\mathcal {A}=(\mathcal {A}_{f},\mathcal {A}_{g})\) is legitimate if there exists a function \(\ell (\cdot )\) s.t. for all pk and \(m\in [\mathcal {A}_{f}(1^{k},pk)]\) we have \(|m|=\ell (k)\). Moreover, we say that an adversary \(\mathcal {A}=(\mathcal {A}_{f},\mathcal {A}_{g})\) has min-entropy \(\mu \) if

$$\begin{aligned} \forall k\in \mathbb {N} ~\forall pk~\forall m: \Pr [m'\leftarrow \mathcal {A}_{f}(1^{k},pk):m'=m] \le 2^{-\mu (k)}. \end{aligned}$$

\(\mathcal {A}\) is said to have high min-entropy if it has min-entropy \(\mu \) with \(\mu (k) \in \omega (log k)\).

3.2 Unlink-CCA Security

Informally, the unlink-cca security assures that the adversary \(\mathcal {A}=(\mathcal {A}_{1},\mathcal {A}_{2})\) as a pair of polynomial time algorithms could not get any partial information about the plaintext under the ciphertext even provided the access to a decryption oracle, where \(\mathcal {A}_{1}\) and \(\mathcal {A}_{2}\) share neither coins nor state. \(\mathcal {A}_{1}\) takes input pk and returns two plaintexts \((M_{0},M_{1})\). \(\mathcal {A}_{2}\) takes input pk and a ciphertext ct, and tries to guess b. Note that \(\mathcal {A}_{2}\) does not see \(M_{0}\) and \(M_{1}\) as the output of \(\mathcal {A}_{1}\) and hence cannot guess whether \(\textsf {ct}_{b}^{*}\) is the encryption of \(M_{0}\) and \(M_{1}\). The following experiment Exp\(^{\textsf {unlink-cca}}_{\textsf {PVCE},\mathcal {A}}(k)\) is defined for the adversary \(\mathcal {A}\) with high min-entropy against unlink-cca security, which wins with negligible probability.

\(\underline{\mathbf {Exp}^{\mathsf {unlink-cca}}_{\mathsf {PVCE},\mathcal {A}}(k)}\):

1. 1.

   Setup Phase. The challenger runs the KeyGen(k) algorithm to generate (pk, sk) and sends pk to the adversary \(\mathcal {A}=(\mathcal {A}_{1},\mathcal {A}_{2})\).

2. 2.

   Probing Phase I. The adversary \(\mathcal {A}_{1}\) submits a ciphertext \(\textsf {ct}\) to the challenger. The challenger decrypts ct using its secret key sk and returns the plaintext M back to \(\mathcal {A}_{1}\).

3. 3.

   Challenge Phase. The adversary \(\mathcal {A}_{1}\) randomly selects two messages \(M_{0}\) and \(M_{1}\), and presents them to the challenger. The challenger selects a random bit \(b \in \{0,1\}\) and sends \((\textsf {ct}_{b}^{*},\textsf {ct}_{1}^{*})=(\textsf {Enc}(pk,M_{b}),\textsf {Enc}(pk,M_{1}))\).

4. 4.

   Probing Phase II. For \(\mathcal {A}_{2}\)’s submitted ciphertext \(\textsf {ct}\), the challenger responses the same as in the probing phase I with the only constraint that \(\textsf {ct}\) is not equal to \(\textsf {ct}^{*}\).

5. 5.

   Guessing Phase. \(\mathcal {A}_{2}\) outputs a bit \(b'\). The adversary \(\mathcal {A}\) is said to win the game if \(b'=b\), inducing the output of experiment is 1, and 0 otherwise.

We say \(\textsf {PVCE}\) has unlink-cca security if for any polynomial adversary \(\mathcal {A}\),

$$\begin{aligned} \mathbf {Adv}_{\textsf {PVCE},\mathcal {A}}^{\textsf {unlink-cca}}(k)=\bigg |\Pr [b=b']-\frac{1}{2}\bigg |, \end{aligned}$$

which is negligible on the security parameter k.

4 PVCE Construction

Let the language \(\mathcal {L}\) be hard-partitioned subset. Let SPHF=(SPHFSetup, HashKG, ProjKG, Hash, ProjHash) be a smooth projective hash function and \(\widehat{\textsf {SPHF}}=(\widehat{\textsf {SPHFSetup}}, \widehat{\textsf {HashKG}}, \widehat{\textsf {ProjKG}}, \widehat{\textsf {Hash}}, \widehat{\textsf {ProjHash}})\) be 2-smoothness extended smooth projective hash function, which are both defined on the domain \(\mathcal {X}\) for the same language \(\mathcal {L}\) under the same security parameter k. Let \(\textsf {PF-SPHF}\) and \(\widehat{\textsf {PF-SPHF}}\) be transformed from SPHF and \(\widehat{\textsf {SPHF}}\) using the technology in Sect. 2.4. We present a construction of \(\textsf {PVCE}=(\textsf {PVCE.Setup}, \textsf {PVCE.KeyGen},\textsf {PVCE.Enc}, \textsf {PVCE.Dec},\textsf {PVCE.VerifyCheck})\) as follows.

1. 1.

   Setup PVCE.Setup(k):

   The setup algorithm does the following:

   1. (a)

      Taking the security parameter k as input, run the SPHFSetup algorithm of SPHF to generate the public parameter \((\mathcal {L}, \textsf {param})\) on \((\mathbb {G},p)\).

   2. (b)

      Define the public parameter \((\mathcal {L},\textsf {param}_{e}=(\widetilde{\mathbb {G}},\mathbb {G},\mathbb {G}_{T},e,\widetilde{g},g,p))\) for the transformed PF-SPHF in Type 2 paring, which is a type of pairing with the condition \(\widetilde{\mathbb {G}}\ne \mathbb {G}\) but there is an efficiently computable homomorphism \(\phi :\mathbb {G}\rightarrow \widetilde{\mathbb {G}}\).

   3. (c)

      Generate a collision-resistant hash functions f defined on: \(\mathcal {X}\times \mathbb {G}_{T}\times \mathbb {G}_{T} \rightarrow \widetilde{\mathbb {G}}\) and \(\varGamma : \mathcal {X}\times \mathbb {G}_{T}\times \widetilde{\mathbb {G}}\rightarrow (\mathbb {Z}_{p})^{n}\), n is an integer.

   The public system parameter is \(pp={<}\mathcal {L},\textsf {param}_{e},f,\varGamma {>}\).

2. 2.

   KeyGen PVCE.KeyGen(pp):

   The key generation algorithm does the following:

   1. (a)

      Compute the private key:

      \(\textsf {hk}= \textsf {HashKG}(\mathcal {L}, \textsf {param})\),

      For \(i \in \{0,...,n\}\), \(\textsf {hk}_{i}=\textsf {HashKG}(\mathcal {L},\textsf {param})\).

   2. (b)

      Compute the public key:

      \(\textsf {hp}= \textsf {ProjKG}(\textsf {hk},(\mathcal {L},\textsf {param}))\),

      For \(i \in \{0,...,n\}\), \(\textsf {hp}_{i}= \textsf {ProjKG}(\textsf {hk}_{i},(\mathcal {L},\textsf {param}))\).

      The public/private key pair (pk, sk) is

      $$\begin{aligned} sk:&(\textsf {hk},\widehat{\textsf {hk}}) =(\textsf {hk},(\textsf {hk}_{0},\textsf {hk}_{1},\cdots ,\textsf {hk}_{n})), \\ pk:&(\textsf {hp},\widehat{\textsf {hp}})= (\textsf {hp},(\textsf {hp}_{0}, \textsf {hp}_{1},\cdots ,\textsf {hp}_{n})). \end{aligned}$$
3. 3.

   Encryption \(\textsf {PVCE.Enc} (pk,M ):\)

   To encrypt a message M, the encryption algorithm does the following:

   1. (a)

      Randomly pick a word \(W \in \mathcal {L}\) with the witness \(w\in \mathbb {Z}_{p}\).

   2. (b)

      Assume \(\widehat{\textsf {ProjHash}}(\widehat{\textsf {hp}},(W,X,Y),w)\) is defined as

      $$\begin{aligned} \widehat{\textsf {ProjHash}}(\widehat{\textsf {hp}},(W,X,Y),w)=\textsf {ProjHash}(\textsf {hp}_{0},W,w)\prod _{i=1}^{n}\textsf {ProjHash}(\textsf {hp}_{i},W,w)^{\gamma _{i}}, \end{aligned}$$

      where \((\gamma _{1},\cdots ,\gamma _{n})=\varGamma (W,X,Y)\in (\mathbb {Z}_{p})^{n}\). Compute the encryption of M:

      $$\begin{aligned} X= & {} \textsf {PF-ProjHash}(\widetilde{g},\textsf {ProjHash}(\textsf {hp},W,w))*M, \\ Y= & {} (\widetilde{g}\bullet w)*f(W,X*M^{-1},M),\\ Z= & {} \widehat{\textsf {PF-ProjHash}}(\widetilde{g},\widehat{\textsf {ProjHash}}(\widehat{\textsf {hp}},(W,X,Y),w)). \end{aligned}$$

   The output of the algorithm is the ciphertext \(\textsf {ct}=(W,X,Y,Z)\).

4. 4.

   Dec PVCE.Dec(sk, CT):

   This algorithm decrypts the ciphertext \(\textsf {ct}=(W,X,Y,Z)\) using the secret key sk in the following way:

   1. (a)

      Compute \(M\leftarrow X*\textsf {PF-Hash}(\widetilde{g},\textsf {Hash}(\textsf {hk},W))^{-1}\).

   2. (b)

      Check whether

      $$\begin{aligned}&Z=e\Big (\widetilde{g},\widehat{\textsf {Hash}}(\widehat{\textsf {hk}},(W,X,Y))\Big ), \\&Z=e\Big ( Y*f^{-1}(W,X*M^{-1},M),\widehat{\textsf {hp}}\bullet (1,\gamma _{1},\cdots ,\gamma _{n})\Big ). \end{aligned}$$

      where \((\gamma _{1},\cdots ,\gamma _{n})=\varGamma (W,X,Y)\) and \(\widehat{\textsf {hp}}\bullet (1,\gamma _{1},\cdots ,\gamma _{n})\) is defined as \(\textsf {hp}_{0}\textsf {hp}_{1}^{\gamma _{1}}\dots \textsf {hp}_{n}^{\gamma _{n}}\). If the above equations hold, it outputs the plaintext M for the ciphertext ct. Else it outputs 0.

5. 5.

   Check PVCE.VerifyCheck\((M,\textsf {ct})\):

   Check whether

   $$\begin{aligned}&\textsf {WordVF}(Y*f^{-1}(W,M),W)=1, \\&X*M^{-1}=e\Big (Y*f^{-1}(W,X*M^{-1},M),\widehat{\textsf {hp}}\Big ), \\&Z=e\Big (Y*f^{-1}(W,X*M^{-1},M),\widehat{\textsf {hp}}\bullet (1,\gamma _{1},\cdots ,\gamma _{n})\Big ). \end{aligned}$$

   hold or not, where \((\gamma _{1},\cdots ,\gamma _{n})=\varGamma (W,X,Y)\). If the above equations hold, it outputs 1 indicating that M is the plaintext of ct. Else, it outputs 0.

Correctness. We omit the correctness analysis of Dec algorithm and only provide the correctness analysis of Check algorithm as follows. (1) \(\textsf {WordVF}(Y*f^{-1}(W,M),W)=\textsf {WordVF}(w\bullet \widetilde{g},W)=1\), (2) \(XM^{-1}=e(\widetilde{g},\textsf {ProjHash}(\textsf {hp},W,w))=e(w \bullet \widetilde{g},\textsf {hp})=e(Y*f^{-1}(W,X*M^{-1},M),\textsf {hp})\) and (3) \(Z=e(\widetilde{g},\widehat{\textsf {ProjHash}}(\widehat{\textsf {hp}},(W,X,Y),w) ) =e(w \bullet \widetilde{g}, \widehat{\textsf {hp}}\bullet (1,\gamma _{1},\cdots ,\gamma _{n})) =e(Y*f^{-1}(W,X*M^{-1},M), \widehat{\textsf {hp}}\bullet (1,\gamma _{1},\cdots ,\gamma _{n})) \). Therefore, if the above equations hold, we say that ct is the encryption of M.

Verifiability. Consider any public key pk, any ciphertext ct and any plaintext M such that \(\textsf {VerifyCheck}(pk, \textsf {ct},M)=1\). The key element for verification is \(\pi =Y*f^{-1}(W,X*M^{-1},M)=\widetilde{g}^{w}\). Because of the property of PF-SPHF, \(\pi \) denoted as \(\varvec{\varphi }\odot \widetilde{g}\) in the modified language representation is the witness of both \(\textsf {PF-Hash}(\widetilde{g},\textsf {Hash}(\textsf {hk},W))\) and \(\widehat{\textsf {PF-Hash}}(\widetilde{g},\widehat{\textsf {Hash}}(\widehat{\textsf {hk}},(W,X,Y)))\). Meanwhile, it is also the witness of W under the pairing. Therefore, the ciphertext could be correctly verified.

4.1 Security Proof

Theorem 1

PVCE satisfies unlink-cca if it is computationally hard to distinguish any random element \(W^{*} \in \mathcal {L}\) from any random element from \(\mathcal {X}\backslash \mathcal {L}\).

Proof

We show that the existence of an adversary \(\mathcal {A}\) against unlink-cca security with significant advantage implies the existence of an efficient algorithm \(\mathcal {B}\) that decides a random element \(W\in \mathcal {L}\) or \(W \in \mathcal {X}\backslash \mathcal {L}\). We define the following game between a simulator (as a role of the distinguisher for the hard subset membership problem) and an adversary \(\mathcal {A}=(\mathcal {A}_{1},\mathcal {A}_{2})\) that carries out an unlink-cca attack.

Game\(_{0}\): Game\(_{0}\) is the initial security game.

1. 1.

   Setup Phase. This simulator emulates the initialization of the system as follows. It runs the Setup(k) algorithm by itself to generate the public parameter \(pp=<\mathcal {L}, \textsf {param}_{e}=(\widetilde{\mathbb {G}},\mathbb {G},\mathbb {G}_{T},e, \widetilde{g},g,p), f,\varGamma > \). Then it runs the KeyGen(pp) algorithm to generate a public/secret key pair \((pk,sk)=((\textsf {hp},\widehat{\textsf {hp}}),(\textsf {hk},\widehat{\textsf {hk}}))\). It gives (pp, pk) to \(\mathcal {A}\).

   • Under the alternative language representation in Sect. 2, we define a new function \(\widetilde{\varGamma }:\mathcal {S}et \mapsto \mathbb {G}^{k \times 1}\). It comes possibly from any column of \(\varGamma (W)\) satisfying that \(\varvec{\lambda }\bullet \widetilde{\varGamma }(W)\) is completely determined by \(\varvec{\varphi }\). We denote it by \(\widetilde{\varTheta }_{\textsf {aux}}(W)=\varvec{\lambda }\bullet \widetilde{\varGamma }(W)\), which is an element of the vector in \(\varTheta _{\textsf {aux}}(W)\). The simulator emulates \(\widetilde{g}\in \widetilde{\mathbb {G}}\) in the following special way:

     $$\begin{aligned} \widetilde{g}=\phi ((a\varvec{\lambda })\odot \widetilde{\varGamma }(W)), \end{aligned}$$

     where a is randomly chosen from \(\mathbb {Z}_{p}\).

2. 2.

   Probing Phase I. For \(\mathcal {A}_{1}\)’s submitted ciphertext ct, the simulator returns the plaintext M via the Dec algorithm using its secret key sk.

3. 3.

   Challenge Phase. \(\mathcal {A}_{1}\) presents two random messages \(M_{0}\) and \(M_{1}\) to the simulator. The simulator computes the ciphertext \(\textsf {ct}_{b}^{*}=(W^{*},X^{*},Y^{*},Z^{*})\) of \(M_{b}\) as follows:

   • The simulator chooses a random word \(W^{*}\in \mathcal {L}\), where \(W^{*}\) is the value input to the simulator, and computes

     $$\begin{aligned} X^{*}= & {} \textsf {PF-Hash}(\widetilde{g},\textsf {Hash}(\textsf {hk},W^{*}))*M_{b} \\ Y^{*}= & {} \phi ((a\varvec{\lambda })\bullet \widetilde{\varGamma }(W^{*}))*f(W^{*},X^{*}*M_{b}^{-1},M_{b}) \\= & {} a \odot \phi (\varvec{\lambda }\bullet \widetilde{\varGamma }(W^{*}))*f(W^{*},X^{*}*M_{b}^{-1},M_{b}) \\= & {} a \odot \phi ( \widetilde{\varTheta }(W^{*}))*f(W^{*},X^{*}*M_{b}^{-1},M_{b}) \\ Z^{*}= & {} \widehat{\textsf {PF-Hash}}(\widetilde{g},\widehat{\textsf {Hash}}(\widehat{\textsf {hk}},(W^{*},X^{*},Y^{*})) \end{aligned}$$

   and honestly computes the ciphertext \(\textsf {ct}_{1}^{*}=\textsf {Enc}(pk,M_{1})\). Then it returns \((\textsf {ct}_{b}^{*},\textsf {ct}_{1}^{*})\) to \(\mathcal {A}_{2}\).

4. 4.

   Probing Phase II. For \(\mathcal {A}_{2}\)’s submitted query on the ciphertext ct, the simulator responses the same as in the probing phase I with the only constraint that ct is not equal to \(\textsf {ct}^{*}_{b}\).

5. 5.

   Guessing Phase. \(\mathcal {A}_{2}\) outputs its guess \(b'\).

We consider the behaviour of this simulator in two cases:

• Case 1: The simulator is given a random element \(W^{*}\in \mathcal {L}\). Let Yes\(^{(1)}\) be the event that the simulator outputs 1 in this case.

• Case 2: The simulator is given a random element \(W^{*} \in \mathcal {X}\backslash \mathcal {L}\). Let No\(^{(1)}\) be the event that the simulator outputs 1 in this case.

Let

$$\begin{aligned} \mathbf Adv ^{\textsf {Dist}}(k)=\bigg |\Pr [\textsf {Yes}^{(1)}]-\Pr [\textsf {No}^{(1)}]\bigg |, \end{aligned}$$

(1)

which is the distinguishing advantage of the simulator. Our goal is to show that \(\mathbf Adv _{\textsf {PVCE},\mathcal {A}}^{\textsf {unlink-cca}}(k)\) is negligible provided \(\mathbf Adv ^{\textsf {Dist}}(k)\) is negligible. We now analyze the behaviour of the simulator in these two cases:

• Case 1: \(W^{*}\in \mathcal {L}\). In this case, the simulator is perfect. Therefore, we have

  $$\begin{aligned} \bigg |\Pr [\textsf {Yes}^{(1)}]-\frac{1}{2}\bigg |\ge \mathbf Adv _{\textsf {PVCE},\mathcal {A}}^{\textsf {unlink-cca}}(k) \end{aligned}$$

  (2)

• Case 2: \(W^{*}\in \mathcal {X}\backslash \mathcal {L}\). We will use the game-hopping technique for this case.

Game\(_{1}\): Game\(_{1}\) is the same as Game\(_{0}\), so that in addition to rejecting a ciphertext \(C=(W,X,Y,Z)\) but \( Z=e( (a \bullet \phi ( \widetilde{\varTheta }(W)))*f(W,X*M^{-1},M)), \widehat{\textsf {Hash}}(\widehat{\textsf {hk}},W,X, Y))\). Let F be the event that \( Z=e( (a\bullet \phi ( \widetilde{\varTheta }(W)))*f(W,X*M^{-1},M)), \widehat{\textsf {Hash}}(\widehat{\textsf {hk}}, (W, X,Y)))\). We define the advantage of \(\mathcal {A}\) in Game\(_{1}\) as \(\mathbf Adv _{\textsf {PVCE},\mathcal {A}}^{Game _{1}}(k)\) and claim that

$$\begin{aligned} \bigg | \mathbf Adv _{\textsf {PVCE},\mathcal {A}}^{Game _{1}}(k)-\mathbf Adv _{\textsf {PVCE},\mathcal {A}}^{Game _{0}}(k)\bigg | \le \Pr [F] \end{aligned}$$

(3)

Next, we analyze the probability that the event F happens. For all ciphertxts \(C=(W,X,Y,Z) \in \mathcal {X}\times \mathbb {G}_{T} \times \widetilde{\mathbb {G}} \times \mathbb {G}_{T}\) with \(W \in \mathcal {X}\backslash \mathcal {L}\) submitted to a decryption oracle after the challenge phrase, we divide them into two cases:

1. 1.

   \((W,X,Y)=(W^{*},X^{*},Y^{*})\). Since Z is uniquely determined by (W, X, Y), the simulator returns \(\perp \).

2. 2.

   \((W,X,Y)\ne (W^{*},X^{*},Y^{*})\). Given W and X, sk is still uniformly distributed with the only constraint that \(\textsf {hp}=\textsf {ProjKG} (\textsf {hk})\) and \(\widehat{\textsf {hp}}=\widehat{\textsf {ProjKG}}(\widehat{\textsf {hk}})\). Under this condition, we further divide all queried ciphertexts into two cases:

   1. (a)

      \((W,X)=(W^{*},X^{*}) \). Since Y is uniquely determined by (W, X), the simulator returns \(\perp \).

   2. (b)

      \((W,X)\ne (W^{*},X^{*})\). Due to the 2-smoothness property of \(\widehat{\textsf {PF-SPHF} }\), \(\widehat{\textsf {PF-Hash} }(\widehat{\textsf {hk} },(W,X,Y))\) is uniformly distributed over \(\mathcal {Y}\). Therefore, the probability that the adversary outputs a valid ciphertext \((W,X,Y,\cdot )\) with \(W\in \mathcal {X}\backslash \mathcal {L}\) submitted to the decryption oracle is negligible.

Assume that Q(k) denotes the number of decryption queries. From the above analysis, we have

$$\begin{aligned} Pr [F]\le \textsf {2-smooth}(k)\cdot Q(k), \end{aligned}$$

(4)

where 2-smooth(k) denotes the distinguishable probability in the definition of the 2-smoothness property of PF-SPHF. We define Adv\(^{Game _{1}}_{\textsf {PVCE},\mathcal {A}}(k)\) as the advantage of the adversary \(\mathcal {A}\) in Game\(_{1}\) and claim that

$$\begin{aligned} \bigg |\mathbf Adv _{\textsf {PVCE},\mathcal {A}}^{Game _{1}}(k)-\mathbf Adv _{\textsf {PVCE},\mathcal {A}}^{Game _{0}}(k)\bigg | \le \textsf {2-smooth}(k)\cdot Q(k), \end{aligned}$$

(5)

by combining the relations (3) and (4).

Game\(_{2}\): Game\(_{2}\) is the same as Game\(_{1}\) except that the simulator sets \(X^{*}=y_{1}* M_{b}\) in stead of computing \(X^{*}=\textsf {PF-Hash} (\widetilde{g},\textsf {Hash}(\textsf {hk} ,W^{*}))* M_{b}\) and sets \(Z^{*}=e(a \bullet \phi (\widetilde{\varTheta }(W^{*}))*f(W^{*},y_{1},M_{b}),\widehat{\textsf {Hash}}(\widehat{\textsf {hk}},(W^{*},X^{*},Y^{*})) \) in stead of computing \(Z^{*}=e(a \bullet \phi ( \widetilde{\varTheta }(W^{*}))*f(W^{*}, \textsf {PF-Hash} (\widetilde{g},\textsf {Hash}(\textsf {hk} ,W^{*})),M_{b}), \widehat{\textsf {Hash}}(\widehat{\textsf {hk}},(W^{*},X^{*}, Y^{*})))\), where \(y_{1} \in \mathbb {G}_{T}\) is chosen at random. We define Adv\(^{Game _{2}}_{\textsf {PVCE},\mathcal {A}}(k)\) as the advantage of the adversary \(\mathcal {A}\) in Game\(_{2}\) and claim that

$$\begin{aligned} \bigg |\mathbf Adv _{\textsf {PVCE},\mathcal {A}}^{Game _{2}}(k)-\mathbf Adv _{\textsf {PVCE}, \mathcal {A}}^{Game _{1}}(k)\bigg |\le 2\cdot \textsf {smooth}(k), \end{aligned}$$

(6)

due to the smoothness property of PF-SPHF.

Game\(_{3}\): Game\(_{3}\) is the same as Game\(_{2}\) except that the simulator sets \(Z^{*}=y_{2} {\mathop {\leftarrow }\limits ^{\$}} \mathbb {G}_{T}\) in stead of computing \(Z^{*}=e(a \bullet \phi (\widetilde{\varTheta }(W^{*}))*f(W^{*},y_{1},M_{b}),\widehat{\textsf {Hash}}(\widehat{\textsf {hk}},(W^{*}, X^{*},Y^{*})) \). We define the advantage of \(\mathcal {A}\) in Game\(_{3}\) as \(\mathbf {Adv}^{\mathbf {Game}_{3}}_{\textsf {PVCE},\mathcal {A}}(k)\) be the advantage of the adversary \(\mathcal {A}\) in Game\(_{3}\) and claim that

$$\begin{aligned} \bigg |{\mathbf {Adv}}_{\textsf {PVCE},\mathcal {A}}^{\text {Game}_{3}}(k)-{\mathbf {Adv}}_{\textsf {PVCE},\mathcal {A}}^{\text {Game}_{2}}(k)\bigg | \le \textsf {smooth}(k) \end{aligned}$$

(7)

due to the smooth property of PF-SPHF. It is evident that the output \(b'\) of adversary with high min-entropy in Game\(_{3}\) is totally independent of the hidden bit b. Therefore, we have

$$\begin{aligned} {\mathbf {Adv}}_{\textsf {PVCE},\mathcal {A}}^{\mathbf {Game}_{3}}(k)=\frac{1}{2}+2^{-\mu (k)}. \end{aligned}$$

(8)

Combining the relations (5), (6), (7) and (8), we claim that

$$\begin{aligned} \bigg |Pr [\textsf {No}^{(1)}]-\frac{1}{2}\bigg | \le \textsf {2-smooth}(k)\cdot Q(k) +2\cdot \textsf {smooth}(k)+2^{-\mu (k)}, \end{aligned}$$

(9)

Combining the relations (2) and (9), we claim that

$$\begin{aligned} \mathbf Adv ^{\textsf {unlink-cca} }_{\textsf {PVCE},\mathcal {A}}(k) \le \mathbf Adv ^{\textsf {Dist} }(k) + \textsf {2-smooth}(k)\cdot Q(k) +3\cdot \textsf {smooth}(k)+2^{-\mu (k)}, \end{aligned}$$

from which the theorem immediately follows.

5 Instantiated PVCE Construction Under k-MDDH Assumption

In this section, we show a concrete PVCE construction by instantiating SPHF in pairing groups. Because DDH problem is easy on the group \(\mathbb {G}\) in the a Type-2 pairing used in the PVCE construction, we can not use the SPHF instances from Diffie-Hellman or Cramer Shoup encryption in [18]. Therefore, we choose Matrix Diffie-Hellman assumption on which to instantiate SPHF for the transformation to PF-SPHF since it is still hard in Type-2 pairing.

Notations. For \(s \in \{1,2,T\}\) and \(a\in \mathbb {Z}_{p}\) we let \([a]=g^{a}\in \mathbb {G}\) be an element in \(\mathbb {G}\) or \([b]_{s}\) be an element in \(\mathbb {G}_{s}\). More generally, for a matrix \(\varvec{A}=(a_{ij})\in \mathbb {Z}_{p}^{n\times m}\) we define \([\varvec{A}]_{s}\) as the implicit representation of \(\varvec{A}\) in \(\mathbb {G}_{s}\): \( [\varvec{A}]_{s}:= \left( \begin{array}{ccc} g_{s}^{a_{11}} &{} \cdots &{} g_{s}^{a_{1m}}\\ g_{s}^{a_{n1}} &{} \cdots &{} g_{s}^{a_{nm}} \end{array} \right) \in \mathbb {G}_{s}^{n\times m} \). Given \([a]_{1}\), \([b]_{2}\) one can efficiently compute \([ab]_{T}\) using the pairing e. For \(\varvec{a},\varvec{b}\in \mathbb {Z}_{p}^{k}\) define \(e([\varvec{a}]_{1},[\varvec{b}]_{2})=[\varvec{a}^{\textsf {T}}\varvec{b}]_{T}\in \mathbb {G}_{T}\).

Definition 2

(Matrix Distribution). Let \(k\in \mathbb {N}\). We call \(\mathcal {D}_{k}\) a matrix distribution if it outputs matrices in \(\mathbb {Z}_{p}^{(k+1)\times k}\) of full rank k in polynomial time.

Definition 3

(\(\mathcal {D}_{k}\)-Matrix Diffie-Hellman \(\mathcal {D} _{k}\)-MDDH). Let \(\mathcal {D}_{k}\) be a matrix distribution and \(s\in \{1,2,T\}\). We say that the \(\mathcal {D}_{k}\)-Matrix Diffie-Hellman (\(\mathcal {D}_{k}\)-MDDH) assumption holds relative to PGGen in group \(\mathbb {G}_{s}\) if for all PPT adversaries \(\mathcal {D}\),

$$\begin{aligned} \mathbf Adv _{\mathcal {D}_{k}}(\mathcal {D}):=\big |\Pr [\mathcal {D}(\mathcal {PG},[\varvec{A}]_{s},[\varvec{Aw}]_{s})=1] - \Pr [\mathcal {D}(\mathcal {PG},[\varvec{A}]_{s},[\varvec{u}]_{s})=1]\big |=negl(k), \end{aligned}$$

where the probability is taken over \(\mathcal {PG}{\mathop {\leftarrow }\limits ^{\$}}\textsf {PGGen} (k)\), \(\varvec{A}{\mathop {\leftarrow }\limits ^{\$}}\mathcal {D}_{k}\), \(\varvec{w}{\mathop {\leftarrow }\limits ^{\$}}\mathbb {Z}_{p}^{k}\), \(\varvec{u}{\mathop {\leftarrow }\limits ^{\$}}\mathbb {Z}_{p}^{k+1}\).

5.1 Smooth Projective Hash Function on k-MDDH Assumption

Let \(\mathcal {D}_{k}\) be a matrix distribution. We build a smooth hash proof system \(\textsf {SPHF}=(\textsf {SPHFSetup},\textsf {HashKG},\textsf {ProjKG},\textsf {Hash},\textsf {ProjHash},\textsf {WordVF})\), whose hard subset membership problem is based on the \(\mathcal {D}_{k}\)-Matrix Diffie-Hellman Assumption.

1. 1.

   SPHFSetup(k): It generates a group \(\mathbb {G}\) of prime order p with an underlying matrix assumption using a base matrix \([\varvec{A}]\in \mathbb {G}^{(k+1)\times k}\). Define the language: \(\mathcal {L}_{k\textsf {-MDDH}}=\{[\varvec{c}]=[\varvec{Ar}]\in \mathbb {G}^{k+1}: \varvec{r}\in \mathbb {Z}_{p}^{k}\}.\) The output of param is \((\mathbb {G},p,[\varvec{A}])\).

2. 2.

   HashKG\((\mathcal {L}_{k\textsf {-MDDH}},\textsf {param})\): It generates a hashing key \(\textsf {hk}=\varvec{x}\in \mathbb {Z}^{k+1}_{p}\).

3. 3.

   ProjKG\((\textsf {hk},(\mathcal {L}_{k\textsf {-MDDH}},\textsf {param}))\): It derives the projection key \(\textsf {hp}=[\varvec{x}^{\top }\varvec{A}]\in \mathbb {G}^{k}\).

4. 4.

   Hash\((\textsf {hk},(\mathcal {L}_{k\textsf {-MDDH}},\textsf {param}),[\varvec{c}]\in \mathbb {G}^{k+1})\): It computes the hash value \(\textsf {hv}=[\varvec{x}^{\top }\varvec{c}]\).

5. 5.

   ProjHash\((\textsf {hp},(\mathcal {L}_{k\textsf {-MDDH}},\textsf {param}),[\varvec{c}]\in \mathbb {G}^{k+1},\varvec{r})\): Using the witness \(\varvec{r}\) of \([\varvec{c}]\), it computes the hash value \(\textsf {hv}'=[(\varvec{x}^{\top }\varvec{A})\varvec{r}]\).

6. 6.

   WordVF\(([\varvec{c}]\in \mathbb {G}^{k+1},\varvec{r})\): It outputs 1 if \(e([\varvec{1}]_{\widetilde{\mathbb {G}}},[\varvec{c}])=e([\bar{\varvec{r}}]_{\widetilde{\mathbb {G}}},[\varvec{A}\varvec{1}]_{\mathbb {G}})\in \mathbb {G}_{T}^{k+1}\), where \([\varvec{1}]_{\widetilde{\mathbb {G}}}=(\widetilde{g},\dots ,\widetilde{g})\in \widetilde{\mathbb {G}}_{p}^{k+1}\), \([\bar{\varvec{r}}]=(\widetilde{g}^r,\dots , \widetilde{g}^{r})\in \widetilde{\mathbb {G}}_{p}^{k+1}\) and \(\varvec{1}=(1,\dots , 1)\in \mathbb {Z}_{p}^{k}\).

5.2 PVCE Instantiation Under k-MDDH Assumption

Based on the above SPHF instantiation from k-MDDH assumption, we immediately obtain a PVCE construction under k-MDDH assumption as follows.

1. 1.

   Setup(k): It generates the public parameter \((\mathcal {L}_{k\textsf {-MDDH}},\textsf {param})\) on \(\mathbb {G}\) using the SPHFSetup(k) algorithm of SPHF on k-MDDH assumption and hence the public parameter \((\mathcal {L}_{k\textsf {-MDDH}},\textsf {param}_{e}=(\widetilde{\mathbb {G}},\mathbb {G},\mathbb {G}_{T}, e,\widetilde{g},g,p,\varvec{A}))\) is defined for the transformed PF-SPHF in Type 2 pairing. It chooses a hash \(f: \mathbb {G}^{k+1}\times \mathbb {G}_{T}\times \mathbb {G}_{T}\rightarrow \widetilde{\mathbb {G}}\) and \(\varGamma : \mathbb {G}^{k+1}\times \mathbb {G}_{T}\times \widetilde{G}\rightarrow \mathbb {Z}_{p}\), where we set \(n=1\) for 2-smoothness \(\widehat{\textsf {SPHF}}\) generation [17]. It sets the public system parameter \(pp=<\mathcal {L}_{k\textsf {-MDDH}},\textsf {param}_{e},f,\varGamma>\).

2. 2.

   KeyGen(pp): It outputs the following public/private key pair (pk, sk) for the PVCE scheme.

   $$\begin{aligned} \begin{aligned}&pk: (\textsf {hp},\widehat{\textsf {hp}})=([\varvec{A}x],([\varvec{A\widehat{x}}_{1}],[\varvec{A\widehat{x}}_{2}])), \\&sk: (\textsf {hk},\widehat{\textsf {hk}})=(\varvec{x},(\widehat{\varvec{x}}_{1},\widehat{\varvec{x}}_{2})). \end{aligned} \end{aligned}$$
3. 3.

   Enc(pk, M): It chooses a random number \(r\in \mathbb {Z}_{p}\) and set \(\varvec{r}=(r,\dots ,r) \in \mathbb {Z}_{p}^{k}\) and computes

   $$\begin{aligned} W=[\varvec{c}]=[\varvec{Ar}], ~~X=e(\widetilde{g},[(\varvec{x}^{\top }\varvec{A})\varvec{r}])\cdot M, \\ Y=\widetilde{g}^{r}\cdot f(W,XM^{-1},M),~~ Z=e(\widetilde{g},[(\widehat{\varvec{x}}_{1}^{\top }\varvec{A})\varvec{r}][(\widehat{\varvec{x}}_{2}^{\top }\varvec{A})(\gamma \varvec{r})])), \end{aligned}$$

   where \(\gamma =\varGamma (W,X,Y)\in \mathbb {Z}_{p}\). Finally, it outputs the ciphertext \(\textsf {ct}=(W,X,Y,Z)\) for the plaintext M.

4. 4.

   Dec(\(sk,\textsf {ct}\)): Upon parsing ct as (W, X, Y, Z), it computes \( M\leftarrow X \cdot e(\widetilde{g}, [\varvec{x}^{\top }\varvec{c}]) \) and then verifies if

   $$\begin{aligned} Z= & {} e(\widetilde{g}, [\widehat{\varvec{x}}_{1}^{\top }\varvec{c}]\cdot [\widehat{\varvec{x}}_{2}^{\top }(\gamma \varvec{c})],\\ Z= & {} e(Y\cdot f^{-1}(W,XM^{-1},M),[\widehat{\varvec{x}}_{1}^{\top }\varvec{A}\varvec{1}][\widehat{\varvec{x}}_{2}^{\top }\varvec{A}\varvec{\gamma }]), \end{aligned}$$

   hold or not, where \(\varvec{1}=(1,\cdots ,1)\in \mathbb {Z}_{p}^{k}\), \(\varvec{\gamma }=(\gamma ,\cdots , \gamma )\in \mathbb {Z}_{p}^{k}\) and \(\gamma =\varGamma (W,X,Y)\). Through this validation, it returns the plaintext M for the ciphertext ct, or \(\perp \) otherwise.

5. 5.

   Check\((M,\textsf {ct})\): Upon parsing ct as (W, X, Y, Z), we set \([\varvec{1}]_{\widetilde{\mathbb {G}}}=(\widetilde{g},\dots , \widetilde{g})\in \widetilde{\mathbb {G}}_{p}^{k+1}\), \(\varvec{b}=(b,\dots ,b)\in \widetilde{\mathbb {G}}_{p}^{k+1}\) where \(b=Y\cdot f^{-1}(W,XM^{-1},M)\), \(\varvec{1}=(1,\cdots ,1)\in \mathbb {Z}_{p}^{k}\) and \(\varvec{\gamma }=(\gamma ,\cdots , \gamma )\in \mathbb {Z}_{p}^{k}\) where \(\gamma =\varGamma (W,X,Y)\). Then it checks if

   $$\begin{aligned} e([\varvec{1}]_{\widetilde{\mathbb {G}}},[\varvec{c}])= & {} e(\varvec{b},[\varvec{A}\varvec{1}]), \\ XM^{-1}= & {} e(b,[\varvec{x}^{\top }\varvec{A}\varvec{1}]), \\ Z= & {} e(b,[\widehat{\varvec{x}}_{1}^{\top }\varvec{A}\varvec{1}][\widehat{\varvec{x}}_{2}^{\top }\varvec{A}\varvec{\gamma }]), \end{aligned}$$

   hold or not. Through this validation, it returns 1 indicating that M is the plaintext of ct under pk, or 0 otherwise.

6 Conclusion

We provided a notion of plaintext-verifiably-checkable encryption (PVCE) to ensure that any valid ciphertext could be correctly verified in the test procedure, which prevents a maliciously generated ciphertext passing the check algorithm. We proposed a PVCE construction in the standard model, which has unlink-cca security using pairing-friendly smooth projective hash functions (PF-SPHF) as underlying building block. Finally, we obtain a PVCE instantiation from k-MDDH assumption.