Abstract
Functional encryption (FE) is a modern publickey cryptographic primitive allowing an encryptor to finely control the information revealed to recipients from a given ciphertext. Abdalla, Bourse, De Caro, and Pointcheval (PKC 2015) were the first to consider FE restricted to the class of linear functions, i.e. inner products. Though their schemes are only secure in the selective model, Agrawal, Libert, and Stehlé (CRYPTO 16) soon provided adaptively secure schemes for the same functionality. These constructions, which rely on standard assumptions such as the Decision DiffieHellman (\(\mathsf {DDH}\)), the LearningwithErrors (\(\mathsf {LWE}\)), and Paillier’s Decision Composite Residuosity (DCR) problems, do however suffer of various practical drawbacks. Namely, the DCR based scheme only computes inner products modulo an RSA integer which is oversized for many practical applications, while the computation of inner products modulo a prime p either requires, for their \(\mathsf {DDH}\) based scheme, that the inner product be contained in a sufficiently small interval for decryption to be efficient, or, as in the \(\mathsf {LWE}\) based scheme, suffers of poor efficiency due to impractical parameters.
In this paper, we provide adaptively secure FE schemes for the inner product functionality which are both efficient and allow for the evaluation of unbounded inner products modulo a prime p. Our constructions rely on new natural cryptographic assumptions in a cyclic group containing a subgroup where the discrete logarithm (\(\mathsf {DL}\)) problem is easy which extend Castagnos and Laguillaumie’s assumption (RSA 2015) of a \(\mathsf {DDH}\) group with an easy \(\mathsf {DL}\) subgroup. Instantiating our generic constructions using class groups of imaginary quadratic fields gives rise to the most efficient FE for inner products modulo an arbitrary large prime p. One of our schemes outperforms the DCR variant of Agrawal et al.’s protocols in terms of size of keys and ciphertexts by factors varying between 2 and 20 for a 112bit security.
Keywords
 Inner product functional encryption
 Adaptive security
 DiffieHellman assumptions
Download conference paper PDF
1 Introduction
Traditional public key encryption (PKE) provides an allornothing approach to data access. This somewhat restricting property implies that a receiver can either recover the entire message with the appropriate secret key, or learns nothing about the encrypted message. In many real life applications however, the encryptor may wish for a more subtle encryption primitive, allowing him to disclose distinct and restricted information on the encrypted data according to the receivers privileges. For instance, in a cloudbased email service, users may want the cloud to perform spam filtering on their encrypted emails but learn nothing more about the contents of these emails. Here the cloud should only learn one bit indicating whether or not the message is spam, but nothing more.
Functional encryption (FE) [BSW11, O’N10] emerged from a series of refinements of PKE, starting with identity based encryption [Sha84], which was later extended to fuzzy identitybased encryption by Sahai and Waters [SW05]. This work also introduced attributebased encryption, where a message is encrypted for all users that have a certain set of attributes. FE encompasses all three of these primitives, and goes further still, as it allows not only to devise policies regulating which users can decrypt, but also provides control over which piece or function of the data each user can recover. Specifically, FE allows for a receiver to recover a function f(y) of the encrypted message y, without learning anything else about y. The primitive requires a trusted authority, which possesses a master secret key msk, to deliver secret keys \(sk_{f_i}\) – associated to specific functionalities \(f_i\) – to the appropriate recipients. The encryptor computes a single ciphertext associated to the plaintext \(c=\mathsf {Encrypt}(y)\), from which any user, given a decryption key \(sk_{f_i}\), can recover \(f_i(y)=\mathsf {Decrypt}(sk_i, c)\).
There exist two main security definitions for FE, indistinguishabilitybased and a stronger simulationbased security. The former – which is the model we adopt throughout this paper – requires that no efficient adversary, having chosen plaintext messages \( y_0\) and \(y_1\), can guess, given the encryption of one of these, which is the underlying message with probability significantly greater than \(1 \slash 2\). The adversary can query a key derivation oracle for functionalities f, with the restriction that \(f(y_0)=f(y_1)\), otherwise one could trivially tell apart both ciphertexts. Though constructions for general FE have been put forth, these schemes are far from practical, and only allow the adversary to request an a priori bounded number of secret keys [GKP+13b, SS10], or rely on nonstandard and illunderstood cryptographic assumptions such as indistinguishability obfuscation or multilinear maps [ABSV15, BGJS16, GKP+13a, GVW12, Wat15, GGHZ16].
The problem thus arose of building efficient FE schemes for restricted classes of functions; such constructions could be of great use for many practical applications, while developing our understanding of FE.
Inner Product Functional Encryption (IPFE). The restriction of FE to linear functions, i.e. the inner product functionality yields many interesting applications. Among other uses, linear functions allow for the computation of weighted averages and sums, useful for statistical analysis on encrypted data, where the statistical analysis itself has sensitive information. As mentioned by Katz, Sahai and Waters [KSW08], another application is the evaluation of polynomials over encrypted data. Agrawal, Libert and Stehlé [ALS16, Sect. 6] motivate FE for computing linear functions modulo a prime p by demonstrating that such a scheme can be turned into a bounded collusion FE scheme for all circuits^{Footnote 1}. And as a final example, Agrawal, Bhattacherjee, Phan, Stehlé and Yamada provide a generic transformation from FE for linear functions to traceandrevoke systems in [ABP+17]. As they are performing linear algebra, their transformation requires the modulus to be prime and preferably quite large (\(\sim \)128 or 256 bits).
The primitive can succinctly be defined as follows: plaintexts are vectors \({\varvec{y}} \in \mathcal {R}^\ell \), where \(\mathcal {R}\) is a ring. Function specific secret keys \(sk_{{\varvec{x}}}\) are derived from vectors \({\varvec{x}} \in \mathcal {R}^\ell \) and allow to recover \(\langle {\varvec{y}}, {\varvec{x}} \rangle \in \mathcal {R}\) but reveal no further information about \({\varvec{y}}\). It is worth noting that due to the linearity of inner products, if the adversary requests decryption keys derived from independent vectors \({\varvec{x}}_i\) for \(i\in \{1,\dots ,\ell \}\), it can recover \({\varvec{y}}\) by resolving a simple system of linear equations resulting from \(\langle {\varvec{y}}, {\varvec{x}}_i \rangle \) for \(i\in \{1,\dots ,\ell \}\).
This specific line of research was initiated by Abdalla, Bourse, De Caro and Pointcheval in 2015 [ABDP15]. They provided the first IPFE schemes which rely on standard assumptions such as learning with errors (\(\mathsf {LWE}\)) and decision Diffie Hellman (\(\mathsf {DDH}\)). However their schemes are only selectively secure, i.e. the adversary must commit to challenge messages before having access to the schemes’ public parameters. Though of great theoretical interest, such schemes are not sufficiently secure for practical applications, indeed selective security is often considered a first step towards proving full adaptive security. The first fully secure schemes were put forth by Agrawal et al. [ALS16] under the \(\mathsf {LWE}\), \(\mathsf {DDH}\) and Paillier’s Decision Composite Residuosity (DCR, cf. [Pai99]) assumptions. Abdalla et al. in [ABCP16] also put forth an adaptively secure generic construction and provide instantiations from the \(\mathsf {DDH}\), \(\mathsf {DCR}\) and \(\mathsf {LWE}\) assumptions. However, their instantiation from Elgamal gives the same construction as the \(\mathsf {DDH}\) based scheme of [ALS16], and their obtained schemes from \(\mathsf {LWE}\) are restricted to the computation of inner products over the integers \(\mathbf {Z}\), and are less efficient than those of [ALS16]. Finally Benhamouda et al. [BBL17, Bou17] provided generic constructions from hash proof systems to both chosen plaintext and chosen ciphertext secure IPFE schemes. The resulting schemes are again restricted to the computation of inner products over the integers \(\mathbf {Z}\) and the sizes of secret keys are larger than those of [ALS16] (see details at the end of this introduction).
These brilliant developments do however still suffer of practical drawbacks. Namely the computation of inner products modulo a prime p are restricted, in that they require that the inner product \(\langle {\varvec{y}}, {\varvec{x}} \rangle \) be small for decryption to be efficient (as is the case for the schemes of [ABDP15, ABCP16], and the \(\mathsf {DDH}\) based scheme of [ALS16]). To our knowledge, the only scheme that allows for decryption of inner products of any size modulo a prime p is the \(\mathsf {LWE}\) based scheme of [ALS16], which suffers of poor efficiency since the modulus should be exponentially large in the dimension of encrypted vectors while the size of ciphertexts is cubic in this dimension.
Our Contributions. In this paper we put forth IPFE schemes which resolve the aforementioned issue. Our constructions compute inner products over the integers and modulo a prime p, and rely on novel cryptographic assumptions defined in Sect. 3.1. These are variants of the [CL15] assumption, which supposes the existence of a \(\mathsf {DDH}\) group with an easy \(\mathsf {DL}\) subgroup: a cyclic group \(G=\langle g \rangle \) where the \(\mathsf {DDH}\) assumption holds together with a subgroup \(F=\langle f \rangle \) of G where the discrete logarithm (\(\mathsf {DL}\)) problem is easy.
The first assumption we introduce relies on a hard subgroup membership (\(\mathsf {HSM}\)) problem (according to Gjøsteen’s terminology [Gjø05]), and somewhat generalises Paillier’s \(\mathsf {DCR}\) assumption, which follows a long line of assumptions of distinguishing powers in \(\mathbf {Z}/N\mathbf {Z}\). Known attacks for these require computing the groups’ order which reduces to factoring N. In the [CL15] framework, the group G is cyclic of order ps where s is unknown and \(\gcd (p,s)=1\). We denote \(G^p = \langle g_p\rangle \) the subgroup of \(p\)th powers in G. In this setting one has \(G=F\times G^p\). The assumption is that it is hard to distinguish the elements of \(G^p\) in G.
We then define the \(\mathsf {DDH\text {}f}\) assumption, which is weaker than both the \(\mathsf {DDH}\) assumption of [CL15], and the aforementioned \(\mathsf {HSM}\) assumption. Denoting \(\mathcal {D}\) a distribution statistically close to the uniform distribution modulo ps, this assumption states that it is hard to distinguish distributions (i.e. DiffieHellman triplets in G) and . We prove this assumption is equivalent to the semantic security of the generic \(\mathsf {CL}\) homomorphic encryption scheme of [CL15], an Elgamal variant in G where messages are encoded in the exponent in the subgroup F. In fact, the \(\mathsf {DDH\text {}f}\) assumption is better suited to mask elements of F, thus providing clearer proofs.
These new assumptions allow us to construct generic, linearly homomorphic encryption schemes over \(\mathbf {Z}/p\mathbf {Z}\) which are semantically secure under chosen plaintext attacks (\(\mathsf {ind\text {}cpa}\)), which we call \(\mathsf {HSM}\)CL and Modified CL (cf. Sect. 3.2). The reductions between their semantic security and the underlying assumptions are given in Fig. 1, where \(A\rightarrow B\) indicates that assumption B holds if assumption A holds, i.e. A is a stronger assumption than B.
We then use the homomorphic properties of the above schemes to construct generic IPFE schemes over the integers and over \(\mathbf {Z}/p\mathbf {Z}\), both from the weaker \(\mathsf {DDH\text {}f}\) assumption in Sect. 4, and from the \(\mathsf {HSM}\) assumption in Sect. 5, somewhat generalising the scheme based on \(\mathsf {DCR}\) of [ALS16]. Since the inner product is encoded in the exponent in the subgroup F, it can efficiently be recovered, whatever its size. We thereby present the first IPFE schemes which are both efficient and recover \(\langle {\varvec{y}}, {\varvec{x}} \rangle \mod p\) whatever its size.
Our security proofs for the \(\mathsf {HSM}\) based schemes follow a similar logic to those of [ALS16], analysing the entropy loss that occurs via queried keys, and demonstrating that there is enough residual entropy left for the challenge ciphertext to appear uniform to the adversary. However, significant difficulties occur for the schemes arising from the weaker \(\mathsf {DDH\text {}f}\) assumption. As in the \(\mathsf {DDH}\) based scheme of [ALS16], we use a variant of Elgamal à la CramerShoup. But unlike previous uses of this approach, the order of our group is unknown and may have small factors, so with constant probability an element may not be a generator. This calls for various subtleties: any element of the group can not be masked, however, if p is large enough, elements of the subgroup F of order p can be.
Moreover, in order to handle the information given by private key queries, instead of computing the global distribution of the master secret keys, we carefully simplify the description of the adversary’s view, since merely restricting the adversary’s view modulo p could potentially result in a loss of information.
We note that for our schemes over \(\mathbf {Z}/p\mathbf {Z}\), vectors \({\varvec{x}}_i\) from which keys are derived are in \(\mathbf {Z}/p\mathbf {Z}\), whereas decryption keys are computed in \(\mathbf {Z}\), so a lift of the \({\varvec{x}}_i\) in \(\mathbf {Z}\) must be done. Since lifting does not preserve linear dependencies, it is essential (as in [ALS16]) the key generation algorithm be stateful to lift vectors while maintaining linear dependencies. Without this restriction an adversary could learn a combination of the master key components which is singular modulo p but invertible over \(\mathbf {Z}\), thus revealing the whole master key.
To instantiate our generic constructions we use class groups of imaginary quadratic fields. Although the devastating attack from [CL09] eliminates a whole family of protocols built from such groups, this attack applies to schemes whose security is based on factoring a discriminant while here this factorisation is public. Moreover [CL15] showed that designing with care \(\mathsf {DL}\) based cryptosystems within such groups is still possible and allows for efficient and versatile protocols (Encryption switching protocols for instance, cf. [CIL17]). The problem of computing a \(\mathsf {DL}\) in class groups of imaginary quadratic fields has been extensively studied since the 80’s, and the complexity of best known subexponential algorithms is^{Footnote 2} \(\mathcal {O}(L_{1/2})\) (cf. [BJS10]) as opposed to \(\mathcal {O}(L_{1/3})\) (cf. [Adl94]) for the \(\mathsf {DL}\) problem in finite field or factoring. In particular this implies that our keys can be chosen shorter and corroborates the above claim that the assumptions on which we rely are indeed weak.
In terms of efficiency, we show in Sect. 6 that for a security parameter of \(\lambda = 112\) we outperform Paillier’s variant of [ALS16] on all possible sizes by factors varying between 2 and 20.
Relation to Hash Proof Systems. Hash proof systems (HPS) were introduced in [CS02] as a generalisation of the techniques used in [CS98]. Consider a set of words \(\mathcal {X}\), an NP language \(\mathcal {L}\subset \mathcal {X}\) such that \(\mathcal {L}=\{x \in \mathcal {X}\,\, w : (x,w)\in \mathsf {R}\}\) where \(\mathsf {R}\) is the relation defining the language, \(\mathcal {L}\) is the language of true statements in \(\mathcal {X}\), and for \((x,w)\in \mathsf {R}\), w is a witness for \(x\in \mathcal {L}\). A HPS defines a key generation algorithm which outputs a secret hashing key \(\mathsf {hk}\) and a public projection key \(\mathsf {hp}\) such that \(\mathsf {hk}\) defines a hash function \(\mathcal {H}_{\mathsf {hk}}:\mathcal {X}\mapsto \varPi \), and \(\mathsf {hp}\) allows for the (public) evaluation of the hash function on words \(x\in \mathcal {L}\), i.e. \(\mathcal {H}_{\mathsf {hp}}(x,w)= \mathcal {H}_{\mathsf {hk}} (x)\) for \((x,w) \in \mathsf {R}\). The smoothness property requires that for any \(x\notin \mathcal {L}\), the value \(\mathcal {H}_{\mathsf {hk}}(x)\) be uniformly distributed knowing \(\mathsf {hp}\).
The \(\mathsf {DDH}\) and \(\mathsf {DCR}\) assumptions yield smooth HPSs where the languages \(\mathcal {L}\subset \mathcal {X}\) define hard subset membership problems. Such HPSs, endowed with homomorphic properties over the key space, underly the IPFE schemes of [ALS16]. In fact Benhamouda, Bourse, and Lipmaa in [BBL17, Bou17], present a generic construction from a key homomorphic HPS (satisfying various properties) to an IPFE scheme in \(\mathbf {Z}\) which is secure under chosen plaintext attacks. They instantiate it from \(\mathsf {DDH}\) and from \(\mathsf {DCR}\) but leave out \(\mathsf {LWE}\) due to the complexity of the resulting scheme, as simpler constructions can be attained without using HPSs.
We note that though our constructions resemble the above – one can deduce new subset membership problems from the assumptions in Sect. 3.1 and associated HPSs – our proof techniques are very different to those of [Bou17], to achieve adaptive security, their game challenger must guess the difference between challenge ciphertexts prior to generating the public/private key pair. If the hash key is not sampled uniformly at random from the key space (as in our constructions), then in order to maintain a level of security equivalent to that of the HPS the size of the secret keys increases substantially. Indeed, to encrypt \(\ell \)dimensional vectors whose coordinates are bounded by Y, their proof techniques cause an additional \(\ell \log (Y)\)bit term to appear in each coordinate of the secret key, whereas in our constructions over \(\mathbf {Z}\), the bit length of the coordinates is independent of \(\ell \). Consequently, this approach leads to less efficient schemes.
Our goal has been to build practical IPFE schemes, therefore we avoid this genericity and the key blow up it entails, carefully evaluating the information leaked to the adversary by the public key, the secret key queries and the challenge ciphertext, thus ensuring that the challenge bit remains statistically hidden. This style of proof is closer to those of [ALS16], it allows us to obtain constructions for IPFE over \(\mathbf {Z}\) that are substantially more efficient than those of [BBL17, Bou17], and constructions for IPFE modulo a prime p that do not restrict the size of the resulting inner product, which are the most efficient such schemes to date.
2 Background
Notations. We denote sets by uppercase letters, vectors by bold lowercase letters, and \(\langle {\varvec{x}},{\varvec{y}}\rangle \) denotes the inner product of vectors \({\varvec{x}}\) and \({\varvec{y}}\). For a distribution \(\mathcal {D}\), we write to refer to d being sampled from \(\mathcal {D}\). We overload the notation as to say that b is sampled uniformaly at random in the set B. For an integer x, we denote its size by x, and by [x] the set of integers \(\{1, \dots ,x\}\). For any \({\varvec{c}} \in \mathbf {R}^\ell \), real \(\sigma > 0\), and \(\ell \)dimensional lattice \(\varLambda \), \(\mathcal {D}_{\varLambda ,\sigma ,{\varvec{c}}}\) will denote the usual discrete Gaussian distribution over \(\varLambda \).
Definition of Inner Product Functional Encryption. This is a special case of functional encryption, as first formalised by Boneh, Sahai and Waters in [BSW11]. To start with, we provide the definition of a functionality.
Definition 1
(Functionality). A functionality F defined over \((\mathcal {K},\mathcal {Y})\) is a function \(F: \mathcal {K} \times \mathcal {Y} \rightarrow \varSigma \cup \{\perp \}\), where \(\mathcal {K}\) is a key space, \(\mathcal {Y}\) is a message space and \(\varSigma \) is an output space, which does not contain the special symbol \(\perp \).
In this article, we consider the inner product functionality, s.t. decrypting the encryption of a vector \(\mathbf{y}\) with a key associated to a vector \(\mathbf{x}\) only reveals \(\langle \mathbf{x},\mathbf{y}\rangle \). So we consider the function \(F:(\mathbf {Z}/p\mathbf {Z})^\ell \times (\mathbf {Z}/p\mathbf {Z})^\ell \rightarrow \mathbf {Z}/p\mathbf {Z}\cup \{\perp \}\) s.t. \(F(\mathbf{x},\mathbf{y})= \langle \mathbf{x},\mathbf{y}\rangle \). The syntax of a functional encryption scheme is described below.
Definition 2
(Functional encryption scheme). Let \(\lambda \) be a positive integer. A functional encryption (FE) scheme for a functionality F over \((\mathcal {K},\mathcal {Y})\) is a tuple \((\mathsf{Setup},\mathsf{KeyDer}, \mathsf{Encrypt}, \mathsf{Decrypt})\) of algorithms with the following specifications:

\(\mathsf{Setup}\) on input a security parameter \(1^\lambda \), outputs a master key pair (mpk, msk);

\(\mathsf{KeyDer}\) on input the master key msk and a key \(K \in \mathcal {K}\), outputs a key \(sk_K\);

\(\mathsf{Encrypt}\) on input the master public key mpk and a message \(Y \in \mathcal {Y}\), outputs a ciphertext C;

\(\mathsf{Decrypt}\) takes as input the master public key mpk, a key \(sk_K\) and a ciphertext C and outputs \(v \in \varSigma \cup \{\perp \}\).
Correctness requires that for all \((mpk,msk) \leftarrow \mathsf{Setup}(1^\lambda )\), all keys \(K \in \mathcal {K}\) and all messages \(Y \in \mathcal {Y}\), if \(sk_K \leftarrow \mathsf{KeyDer}(msk,K)\) and \(C \leftarrow \mathsf{Encrypt}(mpk,Y)\), with overwhelming probability it holds that, if \(v \leftarrow \mathsf{Decrypt}(mpk,sk_K,C)\) then \(v = F(K,Y)\) whenever \(F(K,Y) \ne \perp \).
Security. We define below the security notion for FE, which states that given the ciphertext of a message Y, the only information obtained from the secret key \(sk_K\) is the evaluation of the function f(K, Y). More precisely, no adversary can distinguish an encryption of \(Y_0\) from an encryption of \(Y_1\) even with the knowledge of secret keys \(sk_K\) chosen adaptatively but satisfying \(F(K,Y_0)=F(K,Y_1)\). The following definition is that of adaptive security, meaning that the adversary has access to the systems’ public parameters, and can perform a series of secret key requests before choosing \(Y_0\) and \(Y_1\). We consider an indistinguishabilitybased definition instead of the simulationbased security definition of [BSW11]. This adaptive indistinguishability notion is easier to handle, and it is also the strongest adaptive notion of security that can be achieved for numerous interesting functionalities. In particular, it has been demonstrated in [BSW11, AGVW13, BO13] that the strong simulationbased definition cannot be met in the standard model, while O’Neill showed in [O’N10] that indistinguishabilitybased security is equivalent to nonadaptive simulationbased security for a class of functions that includes the inner product. Moreover, De Caro et al. [DIJ+13] describe a method to transform an FE achieving an indistinguishabilitybased security notion into an FE attaining a certain simulationbased security.
Definition 3
(Indistinguishabilitybased security). A functional encryption scheme \(\mathsf{FE} = (\mathsf{Setup},\mathsf{KeyDer}, \mathsf{Encrypt}, \mathsf{Decrypt})\) provides semantic security under chosenplaintext attacks (indfecpa) if no PPT adversary \(\mathcal {A}\) has nonnegligible advantage \(\mathsf{Adv}_{\mathcal {A}}(\lambda )\), under the constraints that \(\mathcal {A}\)’s secretkey queries before and after its choice of challenge messages \(Y_0\) and \(Y_1\) satisfy \(F(K,Y_0)=F(K,Y_1)\) for all K in the set of key queries. \(\mathcal {A}\)’s advantage is defined as:
Backgound on Lattices. We recall some definitions and basic results on Gaussian distributions. These are useful for our security proofs, in which we evaluate the distribution of an inner product when one of the two vectors follows a Gaussian distribution. We also recall a result from [GPV08] giving the conditions for a Gaussian distribution over a lattice, which is reduced modulo a sublattice, to be close to a uniform distribution, another crucial point of our proofs.
Definition 4
(Gaussian Function). For any \(\sigma > 0\) define the Gaussian function on \(\mathbf {R}^\ell \) centred at \({\varvec{c}}\) with parameter \(\sigma \): \(\forall {\varvec{x}} \in \mathbf {R}^\ell , \rho _{\sigma ,{\varvec{c}}}({\varvec{x}}) = \exp (\pi {\varvec{x}}  {\varvec{c}} ^2 / \sigma ^2 ).\) If \(\sigma =1\) (resp. \({\varvec{c}}={\varvec{0}}\)), then the subscript \(\sigma \) (resp. \({\varvec{c}}\)) is omitted.
Definition 5
(Discrete Gaussian). For any \({\varvec{c}} \in \mathbf {R}^\ell \), real \(\sigma > 0\), and \(\ell \)dimensional lattice \(\varLambda \), define the discrete Gaussian distribution over \(\varLambda \) as:
\(\forall {\varvec{x}} \in \varLambda , \quad \mathcal {D}_{\varLambda ,\sigma ,{\varvec{c}}}({\varvec{x}}) = \rho _{\sigma ,{\varvec{c}}}({\varvec{x}})/\rho _{\sigma ,{\varvec{c}}} (\varLambda ),\) where \(\rho _{\sigma ,{\varvec{c}}} (\varLambda ) = \sum _{{{\varvec{x}}}\in \varLambda }\rho _{\sigma ,{\varvec{c}}}({\varvec{x}})\).
Lemma 1
Let \( {\varvec{x}}\in \mathbf {R}^\ell \setminus \{{\varvec{0}}\}\), \({\varvec{c}} \in \mathbf {R}^\ell \), \(\sigma \in \mathbf {R}\) with \(\sigma >0\) and \(\sigma ' = \sigma /{\varvec{x}}_2\), \(c' = \frac{\langle {\varvec{c}} , {\varvec{x}} \rangle }{\langle {\varvec{x}}, {\varvec{x}} \rangle }\). A random variable K is distributed according to \(\mathcal {D}_{\mathbf {Z},\sigma ',c'}\) if and only if \(V:=K{\varvec{x}}\) is distributed according to \(\mathcal {D}_{{\varvec{x}} \mathbf {Z}, \sigma ,{\varvec{c}}}\).
In dimension 1, Lemma 1 implies that if \(x \in \mathbf {R}\), then Kx is distributed according to \(\mathcal {D}_{x\mathbf {Z},\sigma ,c}\) iff. K is distributed according to \(\mathcal {D}_{\mathbf {Z},\sigma /x,c/x}\). Lemma 2 gives the distribution of the inner product resulting from a constant vector \({\varvec{x}}\), and a vector with coordinates sampled from a Gaussian distribution over the lattice \({\varvec{x}} \cdot \mathbf {Z}\). Please refer to the full version [CLT18, Aux. Material I] for proofs of Lemmas 1 and 2.
Lemma 2
Let \( {\varvec{x}}\in \mathbf {R}^\ell \) with \({\varvec{x}} \ne {\varvec{0}}\), \({\varvec{c}} \in \mathbf {R}^\ell \), \(\sigma \in \mathbf {R}\) with \(\sigma >0\). Let V be a random variable distributed according to \(\mathcal {D}_{{\varvec{x}} \cdot \mathbf {Z}, \sigma ,{\varvec{c}}}\). Then the random variable S defined as \(S =\langle {\varvec{x}} , V \rangle \) is distributed according to \(\mathcal {D}_{{\varvec{x}}_2^2 \cdot \mathbf {Z}, \sigma \cdot  {\varvec{x}} _2 ,\langle {\varvec{c}}, {\varvec{x}} \rangle }\).
Lemma 3
([GPV08]). Let \(\varLambda _0'\subset \varLambda _0 \subset \mathbf {R}^\ell \) be two lattices with the same dimension. Let \(\epsilon \in (0, 1/2)\) and \(\eta _\epsilon (\varLambda '_0)\) be the smoothing parameter of \(\varLambda '_0\) (cf. [MR04]). Then for any \(c \in \mathbf {R}^\ell \) and any \(\sigma \ge \eta _\epsilon (\varLambda '_0)\), the distribution \(D_{\varLambda _0,\sigma ,c} \mod \varLambda _0'\) is within statistical distance \(2\epsilon \) from the uniform distribution over \(\varLambda _0/\varLambda '_0\).
3 Variants of \(\mathsf {CL}\): Assumptions and \(\mathsf {ind\text {}cpa}\) Schemes
In [CL15], Castagnos and Laguillaumie introduced the framework of a \(\mathsf {DDH}\) group with an easy \(\mathsf {DL}\) subgroup: a cyclic group G where the \(\mathsf {DDH}\) assumption holds along with a subgroup F of G where the \(\mathsf {DL}\) problem is easy. Within this framework, they designed a linearly homomorphic variant of Elgamal [CL15], denoted \(\mathsf {CL}\). Moreover, they gave an instantiation using class groups of quadratic fields allowing for the computation of linear operations modulo a prime p.
Their protocol is similar to the one of Bresson et. al. [BCP03] whose \(\mathsf {ind\text {}cpa}\) security relies on the \(\mathsf {DDH}\) assumption in \((\mathbf {Z}/{N^2}\mathbf {Z})^\times \), where \(N = pq\), using the arithmetic ideas of Paillier’s encryption [Pai99]. Another encryption scheme based on Elgamal over \((\mathbf {Z}/ N^2\mathbf {Z})^\times \) was proposed by Camenisch and Shoup in [CS03]. Its \(\mathsf {ind\text {}cpa}\) security relies on the Decision Composite Residuosity assumption (DCR), which consists in distinguishing the \(N\)th powers in \((\mathbf {Z}/N^2\mathbf {Z})^\times \).
In the following subsection, we recall the framework of [CL15] and then generalise the DCR assumption to fit this framework of a \(\mathsf {DDH}\) group with an easy \(\mathsf {DL}\) subgroup with a hard subgroup membership problem (following [Gjø05]’s terminology). We also introduce a new \(\mathsf {DDH}\)like assumption which is weaker than the original \(\mathsf {DDH}\) in G. Then, in Subsect. 3.2, we give generic encryption schemes whose \(\mathsf {ind\text {}cpa}\) security are based on these assumptions. In particular we give a generalisation of the scheme of [CS03] in a \(\mathsf {DDH}\) group with an easy \(\mathsf {DL}\) subgroup, and a modification of \(\mathsf {CL}\) à la CramerShoup. Finally, in Subsect. 3.3, we discuss the relations between these assumptions.
3.1 Algorithmic Assumptions
We first define the generator GenGroup used in the framework of a \(\mathsf {DDH}\) group with an easy \(\mathsf {DL}\) subgroup [CL15], with a few modifications as discussed below.
Definition 6
(Generator for a \(\mathsf {DDH}\) group with an easy \(\mathsf {DL}\) subgroup). Let GenGroup be a pair of algorithms \((\mathsf {Gen}, \mathsf {Solve})\). The \(\mathsf {Gen}\) algorithm is a group generator which takes as inputs two parameters \(\lambda \) and \(\mu \) and outputs a tuple \((p,\tilde{s},g,f,g_p,G,F,G^p)\). The set \((G,\cdot )\) is a cyclic group of order ps where s is an integer, p is a \(\mu \)bit prime, and \(\gcd (p,s)=1\). The algorithm \(\mathsf {Gen}\) only outputs an upper bound \(\tilde{s}\) of s. The set \(G^p=\{x^p, x \in G\}\) is the subgroup of order s of G, and F is the subgroup of order p of G, so that \(G = F \times G^p\). The algorithm \(\mathsf {Gen}\) outputs f, \(g_p\) and \(g=f \cdot g_p\) which are respective generators of F, \(G^p\) and G. Moreover, the \(\mathsf {DL}\) problem is easy in F, which means that the \(\mathsf {Solve}\) algorithm is a deterministic polynomial time algorithm that solves the \(\mathsf {DL}\) problem in F:
Remark 1
In practice the size of s is chosen so that computing discrete logarithms in \(G^p\) takes time \(\mathcal {O}(2^\lambda )\).
We note that this definition differs slightly from the original definition of [CL15]. Here F is of prime order p as our agenda is to use the instantiation with class groups of quadratic fields so as to have \(\mathbf {Z}/p\mathbf {Z}\) as the message space. This means that our generic constructions do not encompass the schemes built from Paillier where the message space is \(\mathbf {Z}/N\mathbf {Z}\), with \(N=pq\). If using \(N=pq\) as the order of F, the proofs must rely on factoring assumptions to deal with the nonzero noninvertible elements of \(\mathbf {Z}/N \mathbf {Z}\). Consequently, this restriction simplifies the proofs, since an element of \(\mathbf {Z}/p\mathbf {Z}\) is invertible if and only if it is nonzero.
Another modification is outputting the element \(g_p\) that generates \(G^p\) to define the \(\mathsf {HSM}\) assumption below, and setting \(g=f \cdot g_p\). In practice, the instantiation of [CL15] with class groups of quadratic fields already computes an element \(g_p\) and thus defines the generator g of G. Note that this explicit definition of g is only needed in proof of Theorem 4, for the relation between the \(\mathsf {HSM}\), \(\mathsf {DDH\text {}f}\) (defined below) and \(\mathsf {DDH}\) [CL15, Definition 1] assumptions. A last modification is that \(\mathsf {Gen}\) only outputs an upper bound \(\tilde{s}\) of s and not n. This is more accurate than the original definition as n is not used in the applications and actually, the instantiation does not compute n as it is a class number that requires subexponential time (with an \(\mathcal {O}(L_{1/2})\) complexity) to be computed. This implies that in the following assumptions, exponents are sampled from distributions statistically close to uniform distributions. We discuss this in Remark 2.
We now define a hard subgroup membership (\(\mathsf {HSM}\)) problem, which somewhat generalises Paillier’s \(\mathsf {DCR}\) assumption. In Definition 6, one has \(G=F\times G^p\), the assumption is that it is hard to distinguish the elements of \(G^p\) in G.
Definition 7
(\(\mathsf {HSM}\) assumption). Let GenGroup \(=(\mathsf {Gen}, \mathsf {Solve})\) be a generator for \(\mathsf {DDH}\) groups with an easy \(\mathsf {DL}\) subgroup. Using the notations introduced in Definition 6, the \(\mathsf {HSM}\) assumption requires that the \(\mathsf {HSM}\) problem is hard in G even with access to the \(\mathsf {Solve}\) algorithm. Let \(\mathcal D\) (resp. \(\mathcal {D}_p\)) be a distribution over the integers such that the distribution (resp. ) is at distance less than \(2^{\lambda }\) from the uniform distribution in G (resp. in \(G^p\)). Let \(\mathcal {A}\) be an adversary for the \(\mathsf {HSM}\) problem, its advantage is defined as:
The \(\mathsf {HSM}\) problem is said to be hard in G if for all probabilistic polynomial time attacker \(\mathcal {A}\), \(\mathsf {Adv}^{\mathsf {HSM}}_\mathcal {A}(\lambda ,\mu )\) is negligible.
Remark 2
In contrast to the traditional formulation of \(\mathsf {DDH}\) or \(\mathsf {DCR}\), we can not sample uniformly elements in \(G^p\) or G as the order s (resp. ps) of \(G^p\) (resp. of G) is unknown. As a result we use the upper bound \(\tilde{s}\) of s to instantiate the distributions \(\mathcal {D}_p\) and \(\mathcal {D}\) of Definition 7. Choosing \(\mathcal {D}\) and \(\mathcal {D}_p\) statistically close to the uniform distributions in G and \(G^p\) allows for more flexibility in our upcoming proofs, which is of interest, since it is easy to see that the \(\mathsf {DDH}\) and \(\mathsf {HSM}\) assumptions do not depend on the choice of the distribution.
In practice, we will instantiate \(\mathcal {D}_p\) and \(\mathcal {D}\) thanks to Lemma 4 (proved in the full version [CLT18, Aux. Material III.]). We use folded gaussians as they provide better efficiency than folded uniforms, and allow us to apply Lemma 3 in our security proofs.
Lemma 4
Distributions \(\mathcal {D}_p\) and \(\mathcal {D}\) can be implemented from the output of \(\mathsf {Gen}\):

1.
One can choose \(\mathcal {D}\) to be the uniform distribution over \(\{0, \dots , 2^{\lambda 2} \cdot \tilde{s} \cdot p\}\).

2.
Alternatively, choosing \(\mathcal {D}=\mathcal D_{\mathbf {Z}, \sigma }\) with \(\sigma = \tilde{s} \cdot p \cdot \sqrt{\lambda }\) allows for more efficient constructions as the sampled elements will tend to be smaller.

3.
Likewise, one can choose \(\mathcal {D}_p=\mathcal D_{\mathbf {Z}, \sigma '}\) with \(\sigma ' = \tilde{s} \cdot \sqrt{\lambda } \)

4.
One can also, less efficiently, define \(\mathcal {D}_p= \mathcal {D}\).

5.
Conversely, one can also define \(\mathcal {D}\) from \(\mathcal {D}_p\) and the uniform distribution modulo p: the distribution is statistically close to the uniform distribution in G.
Finally, we introduce a new assumption called \(\mathsf {DDH\text {}f}\). Roughly speaking, it means that it is hard to distinguish the distributions:
In other words, we have on the left, a DiffieHellman (DH) triplet in G, and on the right, a triplet whose components in \(G^p\) form a DH triplet, and whose components in F form a random triplet: \((f^{x},f^{y},f^{xy+u})\) since \(g=g_p\cdot f\) (as noted in Remark 2, \(\mathcal {D}\) induces distributions statistically close to the uniform in \(G^p\) and F).
We will see in the next subsection that the security of the \(\mathsf {CL}\) encryption scheme is actually equivalent to this assumption and that this assumption is weaker than the \(\mathsf {DDH}\) assumption and the \(\mathsf {HSM}\) assumption (see Theorem 4). As a side effect, using this assumption will simplify the forthcoming proofs as it is tightly related to the \(\mathsf {ind\text {}cpa}\) security of the underlying encryption scheme.
We note that \(\mathsf {DDH\text {}f}\) can be seen as an instance of the ExtendedDDH (\(\mathsf {EDDH}\)) problem defined by Hemenway and Ostrovsky [HO12]. They show that \(\mathsf {QR}\) and \(\mathsf {DCR}\) imply two different instantiations of \(\mathsf {EDDH}\), our implication from \(\mathsf {HSM}\) to \(\mathsf {DDH\text {}f}\) somewhat generalises their proof as \(\mathsf {DDH\text {}f}\) is more generic than either of the hardness assumptions obtained from their reductions.
Definition 8
(\(\mathsf {DDH\text {}f}\) assumption). Let GenGroup \(=(\mathsf {Gen}, \mathsf {Solve})\) be a generator for \(\mathsf {DDH}\) groups with an easy \(\mathsf {DL}\) subgroup. Using the notations of Definition 6, the \(\mathsf {DDH\text {}f}\) assumption requires that the \(\mathsf {DDH\text {}f}\) problem is hard in G even with access to the \(\mathsf {Solve}\) algorithm. Let \(\mathcal D\) be a distribution over the integers such that is at distance less than \(2^{\lambda }\) of the uniform distribution in G. Let \(\mathcal {A}\) be an adversary for the \(\mathsf {DDH\text {}f}\) problem, its advantage is defined as:
The \(\mathsf {DDH\text {}f}\) problem is said to be hard in G if for all probabilistic polynomial time attacker \(\mathcal {A}\), \(\mathsf {Adv}^{\mathsf {DDH\text {}f}}_\mathcal {A}(\lambda ,\mu )\) is negligible.
3.2 Some Variants of the \(\mathsf {CL}\) Generic Encryption Scheme
The Original CastagnosLaguillaumie Encryption Scheme. Castagnos and Laguillaumie put forth in [CL15, Sect. 2.3] a generic construction for a linearly homomorphic encryption scheme over \(\mathbf {Z}/p\mathbf {Z}\) based on a cyclic group with a subgroup of order p where the \(\mathsf {DL}\) problem is easy, as given by the GenGroup generator of Definition 6. They prove this scheme is \(\mathsf {ind\text {}cpa}\) under the \(\mathsf {DDH}\) assumption [CL15, Definition 1]. We demonstrate below that we can be more precise and prove that the security of this scheme is equivalent to the \(\mathsf {DDH\text {}f}\) assumption of Definition 8: the key idea is to perform a onetime pad in F, instead of in the whole group G.
Theorem 1
The CL encryption scheme is semantically secure under chosen plaintext attacks (\(\mathsf {ind\text {}cpa}\)) if and only if the \(\mathsf {DDH\text {}f}\) assumption holds.
Proof
(sketch). Suppose that the \(\mathsf {DDH\text {}f}\) assumption holds. Let us consider the \(\mathsf {ind\text {}cpa}\) game, with a public key, \(h= g^x\), , and a challenge ciphertext \((c_1,c_2) = (g^r,f^{m_\beta }h^r)\) with and \(\beta \hookleftarrow \{0,1\}\), \(m_0,m_1 \in \mathbf {Z}/p\mathbf {Z}\). We can replace \((h,c_1, h^r)=(g^x,g^r,g^{xr})\) by \((g^x,g^r, g^{xr}f^u)=(g^x,g^r, h^rf^u)\) with . As a result \(c_2 = h^r f^{u+m_\beta }\). For the adversary, the value of r modulo n is fixed by \(c_1=g^r\) as g is a generator, so the value of \(h^r\) is fixed. As a result from \(c_2\) an unbounded adversary can infer \(u+m_\beta \in \mathbf {Z}/p\mathbf {Z}\) but as u is uniformly distributed in \(\mathbf {Z}/p\mathbf {Z}\), he will have no information on \(\beta \).
Conversely, we construct an \(\mathsf {ind\text {}cpa}\) adversary from a distinguisher for the \(\mathsf {DDH\text {}f}\) problem. Choose \(m_0 \in \mathbf {Z}_p\) and \(m_1 := m_0 +u\) with . From the public key and the challenge ciphertext, construct the triplet
This gives a DH triplet if and only \(\beta =0\) and the exponent of f is uniformly distributed in \(\mathbf {Z}/p\mathbf {Z}\) if and only \(\beta = 1\). As a result, one can use the output of a distinguisher for the \(\mathsf {DDH\text {}f}\) problem to win the \(\mathsf {ind\text {}cpa}\) game. \(\square \)
A linearly homomorphic encryption scheme from \({\mathbf {\mathsf{{HSM}}}}\). As noted in this section’s introduction, the \(\mathsf {CL}\) scheme was inspired by the scheme of [BCP03]. We here slightly modify the \(\mathsf {CL}\) scheme so that it relies on the \(\mathsf {HSM}\) assumption of Definition 7 and somewhat generalises the approach of Camenisch and Shoup’s scheme in [CS03]. This \(\mathsf {ind\text {}cpa}\) scheme will be the basis of the IPFE scheme of Sect. 5.
Setting the parameters. We use the output \((p,\tilde{s},g,f,g_p,G,F,G^p)\) of the GenGroup generator of Definition 6, ignoring the generator g which is useless here. Following Lemma 4, Item 3, we require \(\sigma ' > \tilde{s} \sqrt{\lambda }\) so that is at distance less than \(2^{\lambda }\) from the uniform distribution in \(G^p\). The plaintext space is \(\mathbf {Z}/p\mathbf {Z}\), where p is a \(\mu \) bit prime, with \(\mu \ge \lambda \). The scheme is depicted in Fig. 2a.
Theorem 2
The scheme described in Fig. 2a is semantically secure under chosen plaintext attacks (\(\mathsf {ind\text {}cpa}\)) under the \(\mathsf {HSM}\) assumption.
Please see the full version [CLT18, Aux. Material IV] for the proof.
Enhanced variant of the \(\mathsf {CL}\) encryption scheme. We here modify the original \(\mathsf {CL}\) scheme by adding a key à la CramerShoup (cf. [CS98]). The security of this scheme also relies on the \(\mathsf {DDH\text {}f}\) assumption. This \(\mathsf {ind\text {}cpa}\) scheme will be the basis of the IPFE scheme of Sect. 4.
This modification incurs some challenges: consider the vanilla Elgamal encryption scheme defined over a cyclic group of prime order q, generated by g. The modification leading to the [CS03] encryption scheme uses a second generator h to create a key \(\eta = g^xh^y\) where . Then \(\eta ^r\), with is used to mask the message. In the proof under the \(\mathsf {DDH}\) assumption, one replaces the DH triplet (h, \(g^r\) \(,h^r)\) built from the public key and the ciphertext by a random triplet and proves that the mask \(\eta ^r\) is then uniformly distributed and acts as a onetime pad for the plaintext, even knowing \(\eta \). The triplet \((h,g^r,h^r)\) is indeed a DH triplet, because if h is a generator, \(h=g^\alpha \) with \(\alpha \in (\mathbf {Z}/q \mathbf {Z})^*\). As a result, \(\alpha \) is almost uniformly distributed in \(\mathbf {Z}/q\mathbf {Z}\) ( is s.t. \( \alpha \ne 0\) with overwhelming probability if q is large). The same happens in a composite group of order \(N'\) where \(N'\) is an RSA integer as in [Luc02], under the factoring assumption.
In our case, we use the GenGroup generator of Definition 6, i.e. a cyclic group G of order \(n=p\cdot s\) generated by g, where s is unknown and may have small factors. As a result, a random element \(h = g^\alpha \), with may not be a generator with constant probability. Consequently, the padding \(\eta ^r\) where and \(\eta = g^xh^y\), with may not be uniformly distributed in G knowing \(\eta \). However, we only need \(\eta ^r\) to act as a onetime pad in the subgroup \(F=\langle f \rangle \) of G of order p, since the message \(m \in \mathbf {Z}/p\mathbf {Z}\) is encoded as \(f^m \in F\). Supposing that p is a \(\mu \)bit prime, with \(\mu \ge \lambda \) is sufficient to prove this. As the exponents are taken close to uniform modulo n and \(n=p\cdot s\) with \(\gcd (p,s)=1\), they behave independently and close to uniform mod p and mod s. As we are interested only in what happens mod p, we can ignore the behaviour mod s and get \(\mathsf {ind\text {}cpa}\) security under the \(\mathsf {DDH\text {}f}\) assumption. Note that the use of this assumption instead of the stronger \(\mathsf {DDH}\) assumption greatly simplifies the proof.
Setting the parameters. We use the output \((p,\tilde{s},g,f,g_p,G,F,G^p)\) of the generator GenGroup of Definition 6, ignoring the group \(G^p\) and its generator. Following Lemma 4, Item 2 we require \(\sigma > p\tilde{s} \sqrt{\lambda }\) to ensure that is at distance less than \(2^{\lambda }\) from the uniform distribution in G. The plaintext space is \(\mathbf {Z}/p\mathbf {Z}\), where p is a \(\mu \) bit prime, with \(\mu \ge \lambda \). The scheme is depicted in Fig. 2b.
Theorem 3
The scheme described in Fig. 2b is semantically secure under chosen plaintext attacks (\(\mathsf {ind\text {}cpa}\)) under the \(\mathsf {DDH\text {}f}\) assumption.
Please see the full version [CLT18, Aux. Material V] for the proof.
3.3 Relations Between the Assumptions
Although one can establish direct reductions from the problems underlying the \(\mathsf {DDH}\), \(\mathsf {DDH\text {}f}\) and \(\mathsf {HSM}\) assumptions, it is easier to use intermediate results on the \(\mathsf {ind\text {}cpa}\) security of the schemes defined in Subsect. 3.2 to see these reductions.
Theorem 1 states that the original \(\mathsf {CL}\) cryptosystem is \(\mathsf {ind\text {}cpa}\) iff. the \(\mathsf {DDH\text {}f}\) assumption holds. In [CL15], it was proven that this scheme is \(\mathsf {ind\text {}cpa}\) under the \(\mathsf {DDH}\) assumption. As a result, \(\mathsf {DDH\text {}f}\) is a weaker assumption than \(\mathsf {DDH}\). Furthermore, if the \(\mathsf {HSM}\) scheme of Fig. 2a is \(\mathsf {ind\text {}cpa}\) then the original \(\mathsf {CL}\) cryptosystem is \(\mathsf {ind\text {}cpa}\): from a public key \(h= g_p^x\), and a ciphertext \(c=(c_1,c_2)=(g_p^r,f^m \cdot h^r)\), for the \(\mathsf {HSM}\) scheme, one can chose and construct \(h' = h \cdot f^a\), and the ciphertext \(c'=(c_1',c_2')=(c_1 \cdot f^b,c_2 \cdot f^{ab})\). According to Lemma 4, Item 5 \(h'\) and \(c_1'\) are statistically indistinguishable from the uniform distribution in G. Furthermore, \(h'= g_p^xf^a = g^\alpha \) where \(\alpha \) is defined mod n from the Chinese remainder theorem, such that \(\alpha \equiv x \pmod s\) and \(\alpha \equiv a \pmod p\). Likewise, \(c_1' = g_p^r f^b = g^\beta \) for some \(\beta \) defined equivalently. Finally, one has \(c_2'/f^m = g_p^{xr}f^{ab} = g_p^{\alpha \beta \mod s}f^{\alpha \beta \mod p} = g^{\alpha \beta }\). As a result, \((h',c_1',c_2'/f^m)\) is a DH triplet in G, so \(h',c'\) are a public key and a ciphertext for m for the \(\mathsf {CL}\) cryptosystem. Consequently, an \(\mathsf {ind\text {}cpa}\) attacker against the cryptosystem based on \(\mathsf {HSM}\) can be built from an \(\mathsf {ind\text {}cpa}\) attacker against \(\mathsf {CL}\). Now, if the \(\mathsf {HSM}\) assumption holds, from Theorem 2, the \(\mathsf {HSM}\) scheme is \(\mathsf {ind\text {}cpa}\), so the \(\mathsf {CL}\) scheme is also \(\mathsf {ind\text {}cpa}\) and the \(\mathsf {DDH\text {}f}\) assumption holds. We sum up these results in Theorem 4 (see also Fig. 1).
Theorem 4
The \(\mathsf {DDH}\) assumption implies the \(\mathsf {DDH\text {}f}\) assumption. Furthermore, the \(\mathsf {HSM}\) assumption implies the \(\mathsf {DDH\text {}f}\) assumption.
4 Inner Product FE Relying on the \(\mathsf {DDH\text {}f}\) Assumption
In this section, we build an IPFE scheme from the \(\mathsf {DDH\text {}f}\) assumption (Definition 8). As proven in Theorem 4, this assumption is weaker than both the \(\mathsf {DDH}\) and the \(\mathsf {HSM}\) assumptions and yields simple proofs as it is suited to deal with the encoding of the message into a subgroup of prime order p. We use the formalism of a cyclic group with an easy \(\mathsf {DL}\) subgroup. Our approach is based on the enhanced variant of the \(\mathsf {CL}\) scheme, described in Fig. 2b. The resulting scheme over \(\mathbf {Z}/p\mathbf {Z}\) can be viewed as an adaptation of the \(\mathsf {DDH}\) scheme of [ALS16] to this setting, thereby removing the restriction on the size of the inner product.
The proof technique somewhat differs from the general approach of [ALS16]. We start from the \(\mathsf {ind\text {}cpa}\) proof of the enhanced variant of \(\mathsf {CL}\) and then deal with the information leaked by key queries. Instead of computing the global distribution of the keys given this information, so as to make the proof go through, we carefully simplify the description of the adversary’s view. A technical point is that even if we are only interested in what happens mod p, as the plaintexts are defined in \((\mathbf {Z}/p\mathbf {Z})^\ell \), we cannot restrict the adversary’s view mod p: this could potentially result in a loss of information, as the key queries are defined in \(\mathbf {Z}\).
We first present an FE scheme for inner products over \(\mathbf {Z}\) (Sect. 4.1) and then consider a scheme for inner products over \(\mathbf {Z}/p\mathbf {Z}\) (Sect. 4.2).
4.1 \(\mathsf {DDH\text {}f}\)Based FE for Inner Product over \(\mathbf {Z}\)
Setting the parameters. As in the \(\mathsf {ind\text {}cpa}\) scheme of Fig. 2b, we use the output \((p,\tilde{s},g,f,g_p,G,F,G^p)\) of the GenGroup generator of Definition 6, ignoring the group \(G^p\) and its generator \(g_p\). We require that p is a \(\mu \)bit prime, with \(\mu \ge \lambda \).
From Lemma 4, Item 2 choosing \(\sigma > \tilde{s} \cdot p \cdot \sqrt{\lambda }\) suffices to ensure that the distribution is at distance less than \(2^{\lambda }\) from the uniform distribution in G, however for security we must take a larger \(\sigma > \tilde{s} \cdot p^{3/2} \cdot \sqrt{2\lambda }\) (cf. proof of Theorem 5). The \(\mathsf {Encrypt}\) algorithm operates on plaintext messages \({\varvec{y}}\in \mathbf {Z}^\ell \) and the key derivation algorithm derives keys from vectors \(\mathbf x \in \mathbf {Z}^\ell \). Norm bounds X and Y are chosen s.t. \(X, Y < (p/2\ell )^{1/2}\) to ensure decryption correctness. Indeed key vectors \(\mathbf x \) and message vectors \(\mathbf y \) are assumed to be of bounded norm \(\mathbf{x}_{\infty } \le X\) and \(\mathbf{y}_{\infty } \le Y\). The decryption algorithm recovers \(\langle \mathbf{x}, \mathbf{y} \rangle \mod p\) (using a centered modulus), which is exactly \(\langle \mathbf{x}, \mathbf{y} \rangle \) over the integers, thanks to the Cauchy–Schwarz inequality and the norm bounds, since \(X\cdot Y < p/2\ell \).
Construction. Figure 3 depicts the FE scheme for inner products in \(\mathbf {Z}\) secure under the \(\mathsf {DDH\text {}f}\) assumption (cf. Definition 8).
Correctness. We have
Applying the \(\mathsf {Solve}\) algorithm to \(C_\mathbf{x }\) yields \( \langle {\varvec{x}}, {\varvec{y}} \rangle \mod p\), which, thanks to the norm bounds, is either \(\langle \mathbf{x}, \mathbf{y} \rangle \) or \(\langle \mathbf{x}, \mathbf{y} \rangle + p\). Since the absolute value of \(\langle \mathbf{x}, \mathbf{y} \rangle \) is lower than \(p \slash 2\), if \(\mathsf {sol}< p/2\) then \(\langle \mathbf{x}, \mathbf{y} \rangle = \mathsf {sol}\) in \(\mathbf {Z}\), otherwise \(\langle \mathbf{x}, \mathbf{y} \rangle =(\mathsf {sol}p)\).
Theorem 5
Under the \(\mathsf {DDH\text {}f}\) assumption, the functional encryption scheme for inner products over \(\mathbf {Z}\) of Fig. 3 provides full security (indfecpa).
Proof
The proof proceeds as a sequence of games, starting in Game 0 with the real indfecpa game and ending in a game where the ciphertext statistically hides the random bit \(\beta \) chosen by the challenger from the adversary \(\mathcal {A}\)’s point of view. The beginning of the proof is similar to the proof of Theorem 3 on \(\mathsf {ind\text {}cpa}\) security. Then we take into account the fact that \(\mathcal {A}\) has access to a key derivation oracle. For each Game i, we denote \(S_i\) the event \(\beta = \beta '\).
Game 0 \(\Rightarrow \) Game 1: In Game 1 the challenger, who has access to the master secret key msk, computes the ciphertext using msk instead of mpk. The resulting ciphertext has exactly the same distribution therefore \(\Pr [S_0]=\Pr [S_1].\)
Game 1 \(\Rightarrow \) Game 2:
In Game 1, the tuple \((h=g^\alpha , C=g^r, D=h^r=g^{\alpha r})\), with , is a DH triplet as \(\sigma >p^{3/2} \cdot \tilde{s} \cdot \sqrt{2\lambda }\) ensures that the induced distribution is at distance less than \(2^{\lambda }\) of the uniform distribution in G. In Game 2, the challenger samples a random and computes \(D = h^rf^u\). Both games are indistinguishable under the \(\mathsf {DDH\text {}f}\) assumption: \(\Pr [S_2]\Pr [S_1] = \mathsf {Adv}^{\mathsf {DDH\text {}f}}_\mathcal {B}(\lambda ,\mu ).\) Now in Game 2 the challenge ciphertext is:
Lemma 5
In Game 2 the ciphertext \( (C,D,E_1, \dots ,E_{\ell })\in G^{\ell +2}\) statistically hides \(\beta \) such that \(Pr[S_2]1/2 \le 2^{\lambda }\).
Intuition. Following the proof methodology of [ALS16], we first delimit the information that is leaked in the challenge ciphertext by only considering the dimension in which both potential challenge ciphertexts differ. Indeed, denoting \(\mathbf z _\beta = \mathbf y _\beta + u\cdot {\varvec{t}}\mod p\), then projecting \(\mathbf z _\beta \) onto the subspace generated by \(\mathbf y _0\mathbf y _1\) encapsulates all the information revealed by the challenge ciphertext.
Next, we consider the distribution of the projection of the secret key component \(\mathbf t\) on the subspace generated by \(\mathbf y _0\mathbf y _1\), conditionally on \(\mathcal {A}\)’s view (i.e. on the information leaked by private key queries and the public key). This amounts to a distribution over a one dimensional lattice \(\varLambda _0\). We then reduce this distribution modulo a sublattice \(\varLambda '_0\) such that \(\varLambda _0/\varLambda '_0\simeq \mathbf {Z}/n\mathbf {Z}\), and using Lemma 3 we demonstrate that for an appropriate choice of the standard deviation \(\sigma \) (which defines \(\mathcal {D}_{\mathbf {Z}^\ell , \sigma }\), from which \({\varvec{t}}\) is sampled), the projection of \({\varvec{t}}\) on the subspace generated by \(\mathbf y _0\mathbf y _1\) is statistically close to the uniform distribution over \(\mathbf {Z}/n\mathbf {Z}\). As a result, \(\langle \mathbf y , {\varvec{t}} \rangle \) modulo p is also close to the uniform distribution over \(\mathbf {Z}/p\mathbf {Z}\), and thus \(\mathbf y _\beta \) (and therefore \(\beta \)) is statistically hidden in \(\mathbf z _\beta \).
Proof
(Lemma 5). The ciphertext component \(C = g^r\) information theoretically reveals \(r\mod n\). Furthermore, \( \forall i \in [\ell ]\), \(E_i\) information theoretically reveals \(y_{\beta ,i}+ut_i \mod p\) as the value of \(h_i^r\) is fixed from C and the public key. Therefore the challenge ciphertext information theoretically reveals \({\varvec{z}}_\beta = {\varvec{y}}_{\beta } + u \cdot {\varvec{t}} \mod p.\)
Throughout the rest of this proof we demonstrate that \({\varvec{y}}_{\beta }\) is statistically hidden mod p, thanks to the distribution of \({\varvec{t}}\) conditioned on \(\mathcal {A}\)’s view.
We denote \({\varvec{x}}_i\) \(\mathcal {A}\)’s ith query to the key derivation oracle. It must hold that, for all i, \(\langle {\varvec{x}}_i, {\varvec{y}}_0\rangle = \langle {\varvec{x}}_i, {\varvec{y}}_1\rangle \). Let \(d \ne 0\) be the gcd of the coefficients of \({\varvec{y}}_1{\varvec{y}}_0\) and define \({\varvec{y}} = (y_1, \dots , y_\ell ) = 1/d \cdot ({\varvec{y}}_1{\varvec{y}}_0) \in \mathbf {Z}^\ell \). It holds that \(\langle {\varvec{x}}_i, {\varvec{y}} \rangle = 0\) over \(\mathbf {Z}\) for all i. Therefore if we consider the lattice \({\varvec{y}}^\perp = \{{\varvec{x}}\in \mathbf {Z}^\ell : \langle {\varvec{x}}, {\varvec{y}} \rangle = 0\}\), all the queries \({\varvec{x}}_i\) must belong to that lattice. W.l.o.g., we assume the \(n_0\) first coordinates of \({\varvec{y}}\) are zero (for some \(n_0\)), and all remaining entries are nonzero. Further, the rows of the following matrix form a basis of \({\varvec{y}}^\perp \):
We define the matrix:
and claim that \(\mathbf X \) is invertible mod p (proof provided in the full version [CLT18, Aux. Material VI]). Now since \(\mathbf X \) does not depend on \(\beta \in \{0, 1\}\), it suffices to show that \(\mathbf X \cdot \mathbf z _\beta \in (\mathbf {Z}/p\mathbf {Z})^\ell \) is statistically independent of \(\beta \). Moreover by construction \(\mathbf X _{\textsf {top}}\cdot {\varvec{y}}_0= \mathbf X _{\textsf {top}}\cdot {\varvec{y}}_1\) (over the integers), so \(\mathbf X _{\textsf {top}}\cdot \mathbf z _\beta \) is clearly independent of \(\beta \) and we only need to worry about the last row of \(\mathbf X \cdot \mathbf z _\beta \) mod p, i.e. the information about \(\beta \) leaked by the challenge ciphertext is contained in:
We hereafter prove that, from \(\mathcal {A}\)’s perspective, \(\langle {\varvec{y}}, {\varvec{t}} \rangle \) follows a distribution statistically close to the uniform distribution mod p, thus proving that \(\beta \) is statistically hidden: since u is sampled uniformly at random from \(\mathbf {Z}/p\mathbf {Z}\), \(u\ne 0 \mod p\) with all but negligible probability as p is a \(\mu \)bit prime, with \(\mu \ge \lambda \). To this end, we analyse the information that \(\mathcal {A}\) gains on \({\varvec{t}}\) mod n. From this, we will prove that the distribution of \(\langle {\varvec{y}}, {\varvec{t}} \rangle \) is close to uniform mod n, and thus, mod p.
As in the proof of Theorem 3, \(\mathcal {A}\) learns \({\varvec{z}}={\varvec{s}} +\alpha {\varvec{t}}\) mod n from the public key as \(\forall i \in [\ell ], h_i = g^{s_i}h^{t_i}\). Knowing \({\varvec{z}}\), the joint distribution of \(({\varvec{s}} ,{\varvec{t}})\) mod n is As a result, knowing \({\varvec{z}}\) does not give more information on \({\varvec{t}}\) modulo n to \(\mathcal {A}\).
One may assume that through its secret key queries, the information learned by \(\mathcal {A}\) is completely determined by \(\mathbf X _{\textsf {top}}\cdot {\varvec{s}}\) and \(\mathbf X _{\textsf {top}}\cdot {\varvec{t}}\in \mathbf {Z}^{(\ell 1)}\), as all the queried vectors \({\varvec{x}}_i\) can be obtained as linear combinations of the rows of \(\mathbf X _{\textsf {top}}\).
The value of \(\mathbf X _{\textsf {top}}\cdot {\varvec{s}}\) does not give \(\mathcal {A}\) more information on \({\varvec{t}}\) mod n than what he obtains from \(\mathbf X _{\textsf {top}}\cdot {\varvec{t}}\). Indeed the remainder of the Euclidean division of \(\mathbf X _{\textsf {top}}\cdot {\varvec{s}}\) by n can be deduced from \({\varvec{z}}\) and \(\mathbf X _{\textsf {top}}\cdot {\varvec{t}}\); while the quotient is independent of \({\varvec{t}}\) mod n and \(\mathbf X _{\textsf {top}}\cdot {\varvec{t}}\), as \({\varvec{s}}\) and \({\varvec{t}}\) are sampled independently and \({\varvec{z}}\) only brings a relation mod n. It is thus sufficient to analyse the distribution of \({\varvec{t}}\) mod n knowing \(\mathbf X _{\textsf {top}}\cdot {\varvec{t}}\).
Let \({\varvec{t}}_{0}\in \mathbf {Z}^\ell \) be an arbitrary vector s.t. \(\mathbf X _{\textsf {top}}\cdot {\varvec{t}}_{0}= \mathbf X _{\textsf {top}}\cdot {\varvec{t}}\). Knowing \(\mathbf X _{\textsf {top}}\cdot {\varvec{t}}\), the distribution of \({\varvec{t}}\) is \({\varvec{t}}_{0}+ \mathcal {D}_{\varLambda , \sigma , {\varvec{t}}_{0}}\) where \(\varLambda = \{ \mathbf t \in \mathbf {Z}^\ell : \mathbf X _{\textsf {top}}\cdot \mathbf t = \mathbf 0 \}\). This lattice has dimension 1 and contains \({\varvec{y}}\cdot \mathbf {Z}\). In fact, as \(\gcd (y_1, \dots , y_\ell )=1\), one has \({\varvec{y}}\cdot \mathbf {Z}= \varLambda \) (there exits \({\varvec{y}}' \in \mathbf {Z}^\ell \) s.t. \(\varLambda = {\varvec{y}}'\cdot \mathbf {Z}\) and \({\varvec{y}} = \alpha {\varvec{y}}'\) so \(\alpha \) must divide \(\gcd (y_1, \dots , y_\ell )=1\)). Therefore, applying Lemma 2, we see that conditioned on \(\mathbf X _{\textsf {top}}\cdot {\varvec{t}}\), \(\langle {\varvec{y}},{\varvec{t}}\rangle \) is distributed according to \(\langle {\varvec{y}},{\varvec{t}}_{0}\rangle + \mathcal {D}_{{\varvec{y}}^2_2\mathbf {Z}, {\varvec{y}}_2\sigma , \langle {\varvec{t}}_{0}, {\varvec{y}} \rangle }.\)
Now consider the distribution obtained by reducing \(\mathcal {D}_{{\varvec{y}}^2_2\mathbf {Z}, {\varvec{y}}_2\sigma , \langle {\varvec{t}}_{0}, {\varvec{y}} \rangle }\) over \(\varLambda _0={\varvec{y}}_2^2\cdot \mathbf {Z}\) modulo the sublattice \(\varLambda _0'=n\cdot {\varvec{y}}_2^2\cdot \mathbf {Z}\). In order to apply Lemma 3 we need \({\varvec{y}}_2 \cdot \sigma > \eta _{\epsilon }(\varLambda _0')\), which – applying a bound on the smoothing parameter from [MR07] for \(\epsilon =2^{\lambda 1}\) – is guaranteed by choosing \({\varvec{y}}_2 \cdot \sigma > \lambda _1(\varLambda '_0) \cdot \sqrt{\lambda } \). Moreover since \(\lambda _1(\varLambda '_0) = n \cdot {\varvec{y}}^2_2\), we require \({\varvec{y}}_2 \cdot \sigma > p \cdot \tilde{s} \cdot {\varvec{y}}^2_2 \cdot \sqrt{\lambda } \), thus \(\sigma > p \cdot \tilde{s} \cdot {\varvec{y}}_2 \cdot \sqrt{\lambda } \). Now from the norm bounds on \({\varvec{y}}_0\) and \({\varvec{y}}_1\) it holds that \({\varvec{y}}_2< \sqrt{2p}\), so choosing \(\sigma > p^{3/2} \cdot \tilde{s} \cdot \sqrt{2\lambda } \) suffices to ensure that from \(\mathcal {A}'s\) view, \(\langle {\varvec{y}}, {\varvec{t}} \rangle \) modulo n is within distance \(2^{\lambda }\) from the uniform distribution over \(\varLambda _0/\varLambda '_0 \simeq \mathbf {Z}/n\mathbf {Z}\). As a result, \(\langle {\varvec{y}}, {\varvec{t}} \rangle \) modulo p is also close to the uniform distribution over \(\mathbf {Z}/p\mathbf {Z}\).
We have therefore demonstrated that with overwhelming probability the term \(\langle {\varvec{y}}, {\varvec{y}}_\beta \rangle \) in Eq. (2) is statistically hidden modulo p and \(Pr[S_2]1/2 \le 2^{\lambda }\). \(\square \)
Combining the different transition probabilities provides a bound for \(\mathcal {A}\)’s advantage, thus concluding the proof: \(\mathsf {Adv}^{\textsf {ind}\text {}\textsf {fe}\text {}\textsf {cpa}}_\mathcal {A}(\lambda ,\mu ) \le \mathsf {Adv}^{\mathsf {DDH\text {}f}}_\mathcal {B}(\lambda ,\mu ) + 2^{\lambda }\). \(\square \)
4.2 \(\mathsf {DDH\text {}f}\)Based FE for Inner Product over \(\mathbf {Z}/p\mathbf {Z}\)
As in the \(\mathsf {LWE}\) and Paillierbased IPFE modulo p of [ALS16], the main problem here is that private key queries are performed over \(\mathbf {Z}\). An adversary may therefore query keys for vectors that are linearly dependent over \((\mathbf {Z}/p\mathbf {Z})^\ell \) but independent over \(\mathbf {Z}^\ell \). To solve this issue we require, as in [ALS16], that the authority distributing private keys keeps track of previously revealed private keys.
Setting the parameters. We use the output \((p,\tilde{s},f,g_p,G,F,G^p)\) of the GenGroup generator of Definition 6, with p a \(\mu \) bit prime, and with \(\mu \ge \lambda \). We sample the coordinates of the secret key from \(\mathcal {D}_{\mathbf {Z}^\ell , \sigma }\). Choosing \(\sigma > \tilde{s} \cdot p^\ell \cdot \sqrt{\lambda } \cdot (\sqrt{\ell })^{\ell 1}\) suffices for security to hold (cf. proof of Theorem 6), and ensures the distribution is at distance less than \(2^{\lambda }\) from the uniform distribution in G (cf. Lemma 4, Item 2. The \(\mathsf {Encrypt}\) algorithm encrypts plaintexts \({\varvec{y}}\in (\mathbf {Z}/p\mathbf {Z})^\ell \) and the key derivation algorithm derives keys from vectors \(\mathbf x \in (\mathbf {Z}/p\mathbf {Z})^\ell \).
Construction. Algorithms \(\mathsf {Setup}\) and \(\mathsf {Encrypt}\) proceed exactly as in the construction for inner products over \(\mathbf {Z}\) under \(\mathsf {DDH\text {}f}\) (cf. Fig. 3). Algorithms \(\mathsf {KeyDer}\) and \(\mathsf {Decrypt}\), which differ from those of the previous construction, are defined in Fig. 4. Again, correctness follows from the linearity of the inner product.
Theorem 6
Under the \(\mathsf {DDH\text {}f}\) assumption, the functional encryption scheme for inner products over \(\mathbf {Z}/p\mathbf {Z}\) of Fig. 4 provides full security (indfecpa).
Proof
The proof proceeds similarly to that of Theorem 5, only we must define the matrix \(\mathbf X _{\textsf {top}}\) differently, as we can no longer guarantee that it is invertible modulo p. So we here follow the same steps as in the previous proof up until the definition of Game 2. The only difference being that the adversary \(\mathcal {A}\) queries the stateful key derivation algorithm. We denote Game \(i'\) the variant of Game i in which the key derivation algorithm is stateful. From the proof of Theorem 5, it holds that \( \Pr [S_2']\Pr [S_0'] = \mathsf {Adv}^{\mathsf {DDH\text {}f}}_\mathcal {B}(\lambda ,\mu )\).
As in the original Game 2, here in Game \(2'\) the challenge ciphertext information theoretically reveals \({\varvec{z}}_\beta = {\varvec{y}}_{\beta } + u \cdot {\varvec{t}} \mod p\).
We define \({\varvec{y}} = (y_1, \dots , y_\ell ) = {\varvec{y}}_1{\varvec{y}}_0 \in (\mathbf {Z}/p\mathbf {Z})^\ell \); and, assuming \(\mathcal {A}\) has performed j private key queries, for \(1\le i\le j\), we denote \({\varvec{x}}_i \in (\mathbf {Z}/p\mathbf {Z})^\ell \) the vectors for which keys have been derived.
We want to demonstrate that from \(\mathcal {A}\)’s view, the bit \(\beta \) is statistically hidden in Game \(2'\). However we cannot use the same matrix \(\mathbf X _{\textsf {top}}\) as in the proof of Theorem 5; indeed, if we define \({\varvec{X}}\) as in Eq. (1) we cannot guarantee that \({\varvec{X}}\) is invertible modulo p, since \(\det ({\varvec{X}}{\varvec{X}}^T)\) could be a multiple of p. Therefore, so as to ensure that the queried vectors \({\varvec{x}}_i\) do not in some way depend on \(\beta \), we prove via induction that after the j first private key queries (where \(j \in \{0, \dots , \ell 1\}\)), \(\mathcal {A}\)’s view remains statistically independent of \(\beta \), thus proving that the challenge ciphertext in Game \(2'\) statistically hides \(\beta \) such that \(Pr[S_2']1/2 \le 2^{\lambda }\). The induction proceeds on the value of j.
Recall that Game 2 and Game \(2'\) are identical but for the key derivation algorithm. Therefore if \(\mathcal {A}\) can make no calls to its key derivation oracle, the indistinguishability of ciphertexts in Game \(2'\) follows immediately from that in Game 2, demonstrated in proof of Theorem 5, thus the induction hypothesis holds for \(j=0\). Now consider \(j \in \{0, \dots , \ell 1\}\). From the induction hypothesis one may assume that at this point the state \(st=\{({\varvec{x}}_i, \overline{\mathbf{x }}_i, z_\mathbf{x _i})\}_{i\in [j]}\) is independent of \(\beta \). Indeed if \(\mathcal {A}\)’s view after \(j1\) requests is independent of \(\beta \) then the jth request performed by \(\mathcal {A}\) must be so.
W.l.o.g. we assume that the key requests \({\varvec{x}}_i\) performed by \(\mathcal {A}\) are linearly independent. This implies that the \(\overline{\mathbf{x }}_i\)’s are linearly independent mod p and generate a subspace of \({\varvec{y}}^{\perp p} = \{{\varvec{x}} \in (\mathbf {Z}/p\mathbf {Z})^\ell : \langle {\varvec{x}}, {\varvec{y}} \rangle =0 \mod p\}.\) The set \(\{\overline{\mathbf{x }}_i\}_{i \in [j]}\) can be extended to a basis \(\{\overline{\mathbf{x }}_i\}_{i \in [\ell 1]}\) of \({\varvec{y}}^{\perp p}\). We define \(\mathbf X _{\textsf {top}}\in \mathbf {Z}^{(\ell 1) \times \ell }\) to be the matrix whose rows are the vectors \(\overline{\mathbf{x }}_i\) for \(i\in [\ell 1]\). Let \({\varvec{x}}'\in (\mathbf {Z}/p\mathbf {Z})^\ell \) be a vector chosen deterministically, \({\varvec{x}}'\notin {\varvec{y}}^{\perp p}\), such that \(\mathcal {A}\) can also easily compute \({\varvec{x}}'\). We define \(\mathbf x _{\textsf {bot}}\) to be the canonical lift of \({\varvec{x}}'\) over \(\mathbf {Z}\), and \(\mathbf X \) as:
The matrix \(\mathbf X \) is invertible mod p, statistically independent of \(\beta \) by induction and by construction, and computable by \(\mathcal {A}\), thus we need only prove that \(\mathbf X \cdot {\varvec{z}}_\beta \) is statistically independent of \(\beta \). And since \(\mathbf X _{\textsf {top}}\cdot ({\varvec{y}}_1{\varvec{y}}_0)=0 \mod p\), we need only consider \( \langle \mathbf x _{\textsf {bot}}, {\varvec{z}}_\beta \rangle = \langle \mathbf x _{\textsf {bot}}, {\varvec{y}}_\beta \rangle + u\cdot \langle \mathbf x _{\textsf {bot}}, {\varvec{t}} \rangle \mod p.\)
We hereafter prove that, from \(\mathcal {A}\)’s view, \(\langle \mathbf x _{\textsf {bot}}, {\varvec{t}} \rangle \) follows a distribution statistically close to the uniform distribution mod p, thus proving that \(\beta \) is statistically hidden (since u is sampled uniformly at random from \(\mathbf {Z}/p\mathbf {Z}\), \(u\ne 0 \mod p\) with all but negligible probability as p is a \(\mu \) bit prime, with \(\mu \ge \lambda \)). To this end, we analyse the information \(\mathcal {A}\) gets on \({\varvec{t}}\) mod n, so as to prove that \({\varvec{t}}\) mod p follows a distribution statistically close to the uniform distribution over \({\varvec{y}} \cdot \mathbf {Z}/p\mathbf {Z}\), thus proving that \(\langle \mathbf x _{\textsf {bot}}, {\varvec{t}} \rangle \) follows a distribution statistically close to uniform mod p.
As in the proof of Theorem 3, \(\mathcal {A}\) learns \({\varvec{z}}:={\varvec{s}} +\alpha {\varvec{t}}\) mod n from the public key as \(\forall i \in [\ell ], h_i = g^{s_i}h^{t_i}\). Knowing \({\varvec{z}}\), the joint distribution of \(({\varvec{s}} ,{\varvec{t}})\) mod n is As a result, knowing \({\varvec{z}}\) does not give \(\mathcal {A}\) more information on \({\varvec{t}}\) mod n. Then, as in the proof of Theorem 5, private key queries give \(\mathcal {A}\) the knowledge of \(\mathbf X _{\textsf {top}}\cdot {\varvec{s}}\) and \(\mathbf X _{\textsf {top}}\cdot {\varvec{t}}\) in \(\mathbf {Z}^{\ell 1}\). The value of \(\mathbf X _{\textsf {top}}\cdot {\varvec{s}}\) does not give \(\mathcal {A}\) more information on \({\varvec{t}}\) mod n than what he obtains from \(\mathbf X _{\textsf {top}}\cdot {\varvec{t}}\). It thus suffices to analyse the distribution of \({\varvec{t}}\) mod n knowing \(\mathbf X _{\textsf {top}}\cdot {\varvec{t}}\).
We define \(\varLambda = \{{\varvec{x}} \in \mathbf {Z}^\ell  \mathbf X _{\textsf {top}}\cdot {\varvec{x}} = {\varvec{0}} \in \mathbf {Z}^\ell \}\). This one dimensional lattice can equivalently be defined as \(\varLambda = {\varvec{y}}' \cdot \mathbf {Z}\) where \({\varvec{y}}' = \gamma \cdot {\varvec{y}}\mod p\) for some \(\gamma \in (\mathbf {Z}/p\mathbf {Z})^*\). One should note that all the coefficients of \({\varvec{y}}'\) are coprime since \({\varvec{y}}' / \gcd (y_1', \dots , y_\ell ') \in \varLambda \).
Let \({\varvec{t}}_{0}\in \mathbf {Z}^\ell \) be an arbitrary vector such that \(\mathbf X _{\textsf {top}}\cdot {\varvec{t}}_{0}= \mathbf X _{\textsf {top}}\cdot {\varvec{t}}\). Knowing \(\mathbf X _{\textsf {top}}\cdot {\varvec{t}}\), the distribution of \({\varvec{t}}\) is \({\varvec{t}}_{0}+ \mathcal {D}_{\varLambda , \sigma , {\varvec{t}}_{0}}\). Now consider the distribution obtained by reducing the distribution \(\mathcal {D}_{\varLambda , \sigma , {\varvec{t}}_{0}}\) over \(\varLambda \) modulo the sublattice \(\varLambda ' := n\cdot \varLambda \). We first bound \({\varvec{y}}'_2\) so as to bound \(\lambda _1(\varLambda ')\). We can then apply Lemma 3 by imposing a lower bound for \(\sigma \).
Since \(\varLambda ={\varvec{y}}' \cdot \mathbf {Z}\), it holds that \({\varvec{y}}'_2 = \det (\varLambda )\). We define \(\varLambda _{\textsf {top}}\) as the lattice generated by the rows of \(\mathbf X _{\textsf {top}}\), then applying results from [Mar03] and [Ngu91], one gets \({\varvec{y}}'_2 = \det (\varLambda ) \le \det ({\varLambda _{\textsf {top}}})\). We now apply Hadamard’s bound, which tells us that, since the coordinates of each \(\overline{\mathbf{x }}_i\) are smaller than p and since we assumed all requested \(\overline{\mathbf{x }}_i\)’s are linearly independent, \(\det (\varLambda _{\textsf {top}}) \le \prod _{i=1}^{\ell 1}\overline{\mathbf{x }}_i_2 \le (\sqrt{\ell }p)^{\ell 1}\). Therefore \({\varvec{y}}'_2 \le (\sqrt{\ell }p)^{\ell 1}\), this implies \(\lambda _1(\varLambda ') \le n \cdot (\sqrt{\ell }p)^{\ell 1} < \tilde{s} \cdot p^\ell \cdot (\sqrt{\ell })^{\ell 1}\). From [MR07] we know that the smoothing parameter verifies \(\eta _\epsilon (\varLambda ') \le \sqrt{\frac{ \ln (2 (1+1/\epsilon ))}{\pi }} \cdot \lambda _1(\varLambda ')\). Thus for \(\epsilon = 2^{\lambda 1}\), we have \(\eta _\epsilon (\varLambda ') \le \tilde{s} \cdot p^\ell \cdot \sqrt{\lambda } \cdot (\sqrt{\ell })^{\ell 1} \). Therefore setting \(\sigma > \tilde{s} \cdot p^\ell \cdot \sqrt{\lambda } \cdot (\sqrt{\ell })^{\ell 1}\) and applying Lemma 3 ensures that the distribution \(\mathcal {D}_{\varLambda , \sigma , {\varvec{t}}_{0}} \mod \varLambda '\), and therefore that of \({\varvec{t}}\) mod n is within distance \(2^{\lambda }\) from the uniform distribution over \(\varLambda /\varLambda ' \simeq {\varvec{y}}' \cdot \mathbf {Z}/n\mathbf {Z}\). This entails that \({\varvec{t}}\) mod p is within distance \(2^{\lambda }\) from the uniform distribution over \({\varvec{y}}' \cdot \mathbf {Z}/p\mathbf {Z}\simeq {\varvec{y}} \cdot \mathbf {Z}/p\mathbf {Z}\) since \({\varvec{y}}'= \gamma \cdot {\varvec{y}}\mod p\) for some \(\gamma \in (\mathbf {Z}/p\mathbf {Z})^*\).
Since by construction \(\langle \mathbf x _{\textsf {bot}}, {\varvec{y}} \rangle \ne 0 \mod p\), we get that \(\langle \mathbf x _{\textsf {bot}},{\varvec{t}} \rangle \) mod p is statistically close to the uniform distribution over \(\mathbf {Z}/p\mathbf {Z}\). Moreover, with overwhelming probability \(u \ne 0 \mod p\), so \(u \cdot \langle \mathbf x _{\textsf {bot}}, {\varvec{t}} \rangle \) statistically hides \(\langle \mathbf x _{\textsf {bot}}, {\varvec{y}}_\beta \rangle \) which implies that \(\langle \mathbf x _{\textsf {bot}}, {\varvec{z}}_\beta \rangle \) does not carry significant information about \(\beta \), thus concluding the proof. \(\square \)
5 Inner Product FE Relying on the \(\mathsf {HSM}\) Assumption
We here build IPFE schemes from the \(\mathsf {HSM}\) assumption and the \(\mathsf {ind\text {}cpa}\) scheme described in Fig. 2a, using the formalism of a cyclic group with an easy \(\mathsf {DL}\) subgroup. Our approach is inspired by, and somewhat generalises, the approach of [ALS16] with Paillier’s \(\mathsf {DCR}\) assumption (an RSA integer N plays the role of p in this scheme so one should invoke the factoring assumption in our proof in order to encompass this construction). We first present an FE scheme for inner products over \(\mathbf {Z}\) and then consider a scheme for inner products over \(\mathbf {Z}/p\mathbf {Z}\).
5.1 \(\mathsf{HSM}\)Based FE for Inner Product over \(\mathbf {Z}\)
Setting the parameters. As in the \(\mathsf {ind\text {}cpa}\) scheme of Fig. 2a, we use the output \((p,\tilde{s},g,f,g_p,G,F,G^p)\) of the GenGroup generator of Definition 6, ignoring the generator g. We require that p is a \(\mu \) bit prime, with \(\mu \ge \lambda \). The message space and decryption key space is \(\mathbf {Z}^\ell \). As in Subsect. 4.1 norm bounds \(X, Y < (p/2\ell )^{1/2}\) are chosen to ensure decryption correctness. Key vectors \(\mathbf x \) and message vectors \(\mathbf y \) are of bounded norm \(\mathbf{x}_{\infty } \le X\) and \(\mathbf{y}_{\infty } \le Y\). The decryption algorithm uses a centered modulus to recover \(\langle \mathbf{x}, \mathbf{y} \rangle \) over \(\mathbf {Z}\). To guarantee the scheme’s security we sample the coordinates of the secret key with discrete Gaussian entries of standard deviation \(\sigma > \sqrt{2 \lambda } \cdot p^{3/2}\cdot \tilde{s}\). Setting \(\sigma ' > \tilde{s}\sqrt{\lambda }\) ensures that is at distance less than \(2^{\lambda }\) from the uniform distribution in \(G^p\).
Construction. Figure 5 depicts our IPFE construction over \(\mathbf {Z}\) relying on the \(\mathsf {HSM}\) assumption. The proof of correctness is similar to that of the \(\mathsf {DDH\text {}f}\) construction.
Theorem 7
Under the \(\mathsf {HSM}\) assumption, the functional encryption scheme for inner products over \(\mathbf {Z}\) depicted in Fig. 5 provides full security (indfecpa).
Proof
The proof proceeds as a sequence of games, starting with the real indfecpa game (Game 0) and ending in a game where the ciphertext statistically hides the random bit \(\beta \) chosen by the challenger from the adversary \(\mathcal {A}\)’s point of view. The beginning of the proof is similar to the proof of Theorem 2 on \(\mathsf {ind\text {}cpa}\) security. Then we take into account the fact that \(\mathcal {A}\) has access to a key derivation oracle. For each Game i, we denote \(S_i\) the event \(\beta = \beta '\).
Game 0 \(\Rightarrow \) Game 1: In Game 1 the challenger uses the secret key \({\varvec{s}}=(s_1, \dots , s_\ell )\) to compute ciphertext elements \(C_i=f^{y_{\beta ,i}} \cdot (g_p^r)^{s_i}=f^{y_{\beta ,i}}\cdot C_0^{s_i}\). This does not impact the distribution of the obtained ciphertext, therefore \(\mathcal {A}\)’s success probability in both games is identical: \(Pr[S_0]=Pr[S_1]\).
Game 1 \(\Rightarrow \) Game 2: In Game 1, the distribution of \(C_0\) is at distance less than \(2^{\lambda }\) of the uniform distribution in the subgroup \(G^p\). Thus under the \(\mathsf {HSM}\) assumption, we can, in Game 2, substitute \(C_0\) by \(g_p^r\cdot f^a \in G\), with , which, as stated in Lemma 4, Item 5 is also at distance less than \(2^{\lambda }\) of the uniform distribution in G. Therefore, \(Pr[S_2]Pr[S_1] \le \mathsf {Adv}^{\mathsf {HSM}}_\mathcal {B}(\lambda ,\mu )\).
Now in Game 2 we have, for and :
Lemma 6
In Game 2 the ciphertext \(C_\mathbf{y }= (C_0,C_1,\dots ,C_{\ell })\in G^{\ell +1}\) statistically hides \(\beta \) such that \(Pr[S_2]1/2 \le 2^{\lambda }\).
Proof
(sketch). We here give an overview of the proof, details are deferred to the full version [CLT18]. As in proof of Lemma 5, we first delimit the information leaked via the challenge ciphertext by considering the dimension in which both potential challenge ciphertexts differ. Indeed, denoting \(\mathbf z _\beta = \mathbf y _\beta + a{\varvec{s}}\mod p\), then projecting \(\mathbf z _\beta \) onto the subspace generated by \(\mathbf y _0\mathbf y _1\) encapsulates all the information revealed by the challenge ciphertext.
Next, we consider the distribution of the projection of the secret key \(\mathbf s\) on the subspace generated by \(\mathbf y _0\mathbf y _1\), conditionally on \(\mathcal {A}\)’s view (given the information leaked by private key queries and the public key). This amounts to a distribution over a one dimensional lattice \(\varLambda _0\). We then reduce this distribution modulo a sublattice \(\varLambda '_0\) s.t. \(\varLambda _0/\varLambda '_0\simeq \mathbf {Z}/p\mathbf {Z}\), and Lemma 3 tells us that choosing \(\sigma > \sqrt{2 \lambda } \cdot \tilde{s} \cdot p^{3/2 }\) suffices to ensure the distribution of the projection of \({\varvec{s}}\) on the subspace generated by \(\mathbf y _0\mathbf y _1\) is within distance \(2^{\lambda }\) of the uniform distribution over \(\mathbf {Z}/p\mathbf {Z}\), and thus \(\mathbf y _\beta \) (and therefore \(\beta \)) is statistically hidden in \(\mathbf z _\beta \). \(\square \)
Over all game transitions, after adding up the different probabilities, we find that \(\mathcal {A}\)’s advantage in the real game can be bounded as \( Pr[S_0]  1/2 \le \mathsf {Adv}^{\mathsf {HSM}}_\mathcal {B}(\lambda ,\mu ) + 2^{\lambda }\) which is negligible if the \(\mathsf {HSM}\) assumption holds in G. \(\square \)
5.2 \(\mathsf{HSM}\)Based FE for Inner Product over \(\mathbf {Z}/p\mathbf {Z}\)
As in the \(\mathsf {DDH\text {}f}\) based scheme for inner products over \(\mathbf {Z}/p\mathbf {Z}\) of Sect. 4.2, the key generation algorithm is stateful to ensure the adversary cannot query keys for vectors that are linearly dependant over \((\mathbf {Z}/p\mathbf {Z})^\ell \) but independent over \(\mathbf {Z}^\ell \).
Setting the parameters. As in the previous construction, we use the output \((p,\tilde{s},f,g_p,G,F,G^p)\) of the GenGroup generator of Definition 6, with p a \(\mu \)bit prime, and \(\mu \ge \lambda \). The message space and vector space from which decryption keys are derived are now \((\mathbf {Z}/p\mathbf {Z})^\ell \). Given an encryption of \({\varvec{y}} \in (\mathbf {Z}/p\mathbf {Z})^\ell \) and a decryption key for \({\varvec{x}} \in (\mathbf {Z}/p\mathbf {Z})^\ell \), the decryption algorithm recovers \(\langle \mathbf{x}, \mathbf{y} \rangle \in \mathbf {Z}/p\mathbf {Z}\). To guarantee the scheme’s security we sample the coordinates of the secret key \({\varvec{s}}\) from \(\mathcal {D}_{\mathbf {Z}^\ell , \sigma }\) with discrete Gaussian entries of standard deviation \(\sigma > \sqrt{\lambda } \cdot p \cdot \tilde{s} \cdot (\sqrt{\ell }p)^{\ell 1} \). We require \(\sigma ' > \tilde{s}\sqrt{\lambda }\) to ensure that is at distance less than \(2^{\lambda }\) from the uniform distribution in \(G^p\).
Construction. The \(\mathsf {Setup}\) and \(\mathsf {Encrypt}\) algorithms proceed exactly as in Fig. 5, only \(\mathsf {Encrypt}\) operates on message vectors \({\varvec{y}} \in (\mathbf {Z}/p\mathbf {Z})^\ell \) instead of \({\varvec{y}}\in \mathbf {Z}^\ell \). In Fig. 6 we only define algorithms \(\mathsf {KeyDer}\) and \(\mathsf {Decrypt}\), since they differ from those of the previous construction.
Theorem 8
Under the \(\mathsf {HSM}\) assumption the above stateful functional encryption scheme for inner products over \(\mathbf {Z}/p\mathbf {Z}\) provides full security (indfecpa).
The proof resembles that of Theorem 7 and is adapted from the proofs of [ALS16], so we defer it to the full version [CLT18]. The main issue is that we can no longer guarantee \({\varvec{X}}\) is invertible modulo p. We need to compute onthefly a basis for \(\{{\varvec{x}} \in (\mathbf {Z}/p\mathbf {Z})^\ell : \langle {\varvec{x}}, {\varvec{y}} \rangle =0 \mod p\}\) to apply the same techniques as in Theorem 7. The analysis gives significantly larger standard deviations as mentioned above due a bad approximation of the determinant of a related matrix.
6 Instantiation and Efficiency Considerations
Both generic constructions we put forth of IPFE are based on variants of Elgamal in the same group and both sample their master secret keys from Gaussian distributions with the same standard deviation. As a result their asymptotic complexities are the same. The second scheme’s security relies on a hard subgroup membership assumption (\(\mathsf {HSM}\)) and this scheme appears to be the most efficient FE evaluating inner products modulo a prime p. At the (small) expense of a single additional element in the keys and in the ciphertext, the first scheme’s security relies on a weaker DDHlike assumption, which is also weaker than the DDH assumption in the group. We compare, in Table 1, an implementation of our \(\mathsf {HSM}\)based IPFE mod p of Subsect. 5.2 within the class group of an imaginary quadratic field and Paillier’s variant of [ALS16]. This is the most relevant comparison since their \(\mathsf {DDH}\) variant does not allow a full recovery of large inner products over \(\mathbf {Z}/p\mathbf {Z}\), and, as detailed in the following paragraph, the \(\mathsf{LWE}\) variant is far from being efficient, as ciphertexts are computed using arithmetic modulo \(q=2^\ell \) where \(\ell \) is the dimension of the plaintext vectors.
Comparison with the \(\mathsf {LWE}\) based scheme of [ALS16]. Parameter choices for latticebased cryptography are complex, indeed [ALS16] do not provide a concrete set of parameters. This being said, using [ALS16, Theorem 3], and setting \(\log p = \lambda \) as in Table 1, we give rough bit sizes for their \(\mathsf {LWE}\) based scheme over \(\mathbf {Z}/p\mathbf {Z}\). Basic elements are integers mod q of size \(\ell \) since \(q\approx 2^\ell \) for security to hold. The largest component in the public key mpk consists of \(\lambda ^2\ell ^3\) elements, so mpk is of size greater than \(\lambda ^2\ell ^4\). The component \(z_{{\varvec{x}}}\) in secret keys is the product of a vector of \((\mathbf {Z}/p\mathbf {Z})^\ell \) with a matrix, resulting in a vector made up of \(\lambda \ell ^2\) inner products, where each inner product is of size \(\ell \lambda \). Thus these keys are of size \(\lambda ^2\ell ^3\). Finally ciphertexts consist of \(\lambda \ell ^2\) elements, and are thus of size \(\lambda \ell ^3\). As a result, although it is hard to compare the complexities in \(\lambda \), for a fixed security level, the complexity in \(\ell \) for all the parameters of the \(\mathsf {LWE}\) based scheme is in \(\ell ^3\) or \(\ell ^4\) whereas we are linear in \(\ell \) (see Table 1). For example, for \(\lambda =128, \ell =100\), their \(sk_{{\varvec{x}}}\) is of approximately \(2^{34}\) bits vs. 13852 bits in our instantiation.
Instantiation. To instantiate the protocol of Sect. 5.2, we must first define the algorithm GenGroup of Definition 6. We follow the lines of [CL15], starting from a fundamental discriminant \(\varDelta _K = p\cdot q\) with its class group \(Cl(\varDelta _K)\), where q is a prime such that \(p\cdot q \equiv 1 \pmod 4\) and \(( p / q ) = 1\). Then, we consider a nonmaximal order of discriminant \(\varDelta _p=p^2 \cdot \varDelta _K\) and its class group \(Cl(\varDelta _p)\). The order of \(Cl(\varDelta _p)\) is \(h(\varDelta _p) = p \cdot h(\varDelta _K)\). It is known [Coh00, p. 295], that \(h(\varDelta _K) < \frac{1}{\pi }\log \varDelta _K \sqrt{\varDelta _K}\) which is the bound we take for \(\tilde{s}\) (a slightly better bound can be computed from the analytic class number formula, cf. [McC89]). In [CL15, Fig. 2] the authors show how to build a generator of a cyclic group of order ps of the class group of discriminant \(\varDelta _p\) and a generator for the subgroup of order p (in which the \(\mathsf {DL}\) problem is easy). We need to modify their generator s.t. it outputs a generator \(g_p\) of the subgroup of \(p\)th powers. The computation of such an element is actually implicit in their generator: this is done by computing an ideal in the maximal order with norm a small prime r such that \(\left( \frac{\varDelta _K}{r} \right) =1\). Then the ideal is lifted into a class of \(Cl(\varDelta _p)\) which is then raised to the power p to define \(g_p\). A second modification is to output \(\tilde{s}\) instead of their larger bound B (since they sampled elements using a folded uniform distribution). We refer to [CL15] for a full description of the implementation. The manipulated objects are reduced ideals represented by two integers smaller than \(\sqrt{p^3q}\), and the arithmetic operations in class groups are very efficient, since the reduction and composition of quadratic forms have a quasi linear time complexity using fast arithmetic (see for instance [Coh00]).
The sole restriction on the size of the prime p is that it must have at least \(\lambda \) bits, where \(\lambda \) is the security parameter. The size of \(\varDelta _K\), and thus of q, is chosen to thwart the best practical attack, which consists in computing discrete logarithms in \(Cl(\varDelta _K)\) (or equivalently the class number \(h(\varDelta _K)\)). An indexcalculus method to solve the \(\mathsf {DL}\) problem in a class group of imaginary quadratic field of discriminant \(\varDelta _K\) was proposed in [Jac00]. It is conjectured in [BJS10] that a state of the art implementation of this algorithm has complexity \(\mathcal {O}(L_{\varDelta _K}[1/2, o(1)])\). They estimate that the \(\mathsf {DL}\) problem with a discriminant \(\varDelta _K\) of 1348 (resp. 1828 bits) is as hard as factoring a 2048 (resp. 3072 bits) RSA integer. This is our reference to estimate the bit size of the different elements in Table 1.
Note that in this case, the size of our group elements (reduced ideals in the class group of discriminant \(p^3q\)), are significantly smaller than those of the Paillier variant of [ALS16] (elements of \(\mathbf {Z}/N^2\mathbf {Z}\)). This is also the case for ciphertexts (which consist in both protocols of \(\ell +1\) group elements). We have the same situation with secret keys: to simplify the comparison we consider linearly independent queries (thus ignoring the vectors in \(\mathbf {Z}^{\ell }\)). As a result, we have, for our scheme, the inner product of a vector from \((\mathbf {Z}/p\mathbf {Z})^\ell \) with a vector sampled from a discrete Gaussian with standard deviation greater than \(\sqrt{\lambda }p\tilde{s}(\sqrt{\ell }p)^{\ell 1} \) over \(\mathbf {Z}^\ell \) vs. the inner product of a vector of \((\mathbf {Z}/N\mathbf {Z})^\ell \) with a vector sampled from a discrete Gaussian with standard deviation greater than \(\sqrt{\lambda }(\sqrt{\ell }N)^{\ell +1}\) over \(\mathbf {Z}^\ell \).
We note however that our underlying message space \(\mathbf {Z}/p\mathbf {Z}\) is much smaller than their message space \(\mathbf {Z}/N\mathbf {Z}\). Using larger message spaces would be more favorable to their Paillier based scheme. But in practice, a 128 bits message space is large enough, if for instance, one needs to perform computations with double or quadruple precision. Our protocols are the most suited for such intermediate computations, since Paillier’s construction from [ALS16] would add a large overhead cost, while their \(\mathsf{DDH}\) construction could not decrypt the result.
In terms of timings, a fair comparison is difficult since to our knowledge, no library for the arithmetic of quadratic forms is as optimized as a standard library for the arithmetic of modular integers. Nevertheless, we note that the exponents involved in the (multi)exponentiations for encryption and decryption are significantly smaller than those in [ALS16], as is the group size. Indeed, the encryption of Paillier’s variant involves \((\ell +1)\) exponentiations to the power a \((N2)\)bit integer modulo \(N^2\), whereas our protocol involves one exponentiation to the power a \(\sigma '\)bit integer in \(Cl(p^3q)\), where \(\sigma ' > \tilde{s} \sqrt{\lambda }\) and \(\ell \) (multi)exponentiations whose maximum exponent size is also \(\sigma '\). Decryptions involve respectively a multiexponentiation whose maximum exponent size is lower than \(\ell \sigma N = \ell \sqrt{\lambda }(\sqrt{\ell }N)^{\ell +1}N\) for [ALS16] and \(\ell p \sigma = \ell p \sqrt{\lambda } p \tilde{s} (\sqrt{\ell }p)^{\ell 1}\) for our protocol. We performed timings with Sage 8.1 on a standard laptop with a straightforward implementation. Using the settings of [CL15], the exponentiation in class groups uses a PARI/GP function (qfbnupow), which is far less optimised than the exponentiation in \(\mathbf {Z}/N\mathbf {Z}\), implying a huge bias in favour of Paillier. Despite this bias, the efficiency improvement we expected from our protocols is reflected in practice, as showed in Table 2. We gain firstly from the fact that we can use smaller parameters for the same security level and secondly, because our security reductions allow to replace \(N^\ell \) with \(p^\ell \) in the derived keys. Thus the gain is not only in the constants and our scheme becomes more and more interesting as the security level and the dimension \(\ell \) increase.
Notes
 1.
We note however that this application of linear FE modulo a prime p can not be instantiated with our schemes, as we require p to be at least a 112bit prime, whereas this application typically calls for small values of p (e.g. \(p=2\)).
 2.
\(L_{\alpha }\) is a shortcut to denote \(L_{\alpha ,c}(x) = \exp (c\log (x)^\alpha \log (\log (x))^{1\alpha })\).
References
Abdalla, M., Bourse, F., Caro, A.D., Pointcheval, D.: Better security for functional encryption for inner product evaluations. Cryptology ePrint Archive, Report 2016/011 (2016). http://eprint.iacr.org/2016/011
Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 733–751. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662464472_33
Agrawal, S., Bhattacherjee, S., Phan, D.H., Stehlé, D., Yamada, S.: Efficient public trace and revoke from standard assumptions: extended abstract. In: ACM CCS 17, pp. 2277–2293. ACM Press (2017)
Ananth, P., Brakerski, Z., Segev, G., Vaikuntanathan, V.: From selective to adaptive security in functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 657–677. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662480007_32
Adleman, L.M.: The function field sieve. In: Adleman, L.M., Huang, M.D. (eds.) ANTS 1994. LNCS, vol. 877, pp. 108–121. Springer, Heidelberg (1994). https://doi.org/10.1007/3540586911_48
Agrawal, S., Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption: new perspectives and lower bounds. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 500–518. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642400841_28
Agrawal, S., Libert, B., Stehlé, D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part III. LNCS, vol. 9816, pp. 333–362. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662530153_12
Benhamouda, F., Bourse, F., Lipmaa, H.: CCAsecure innerproduct functional encryption from projective hash functions. In: Fehr, S. (ed.) PKC 2017, Part II. LNCS, vol. 10175, pp. 36–66. Springer, Heidelberg (2017). https://doi.org/10.1007/9783662543887_2
Bresson, E., Catalano, D., Pointcheval, D.: A simple publickey cryptosystem with a double trapdoor decryption mechanism and its applications. In: Laih, C.S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 37–54. Springer, Heidelberg (2003). https://doi.org/10.1007/9783540400615_3
Badrinarayanan, S., Goyal, V., Jain, A., Sahai, A.: Verifiable functional encryption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part II. LNCS, vol. 10032, pp. 557–587. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662538906_19
Biasse, J.F., Jacobson, M.J., Silvester, A.K.: Security estimates for quadratic field based cryptosystems. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 233–247. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642140815_15
Bellare, M., O’Neill, A.: Semanticallysecure functional encryption: possibility results, impossibility results and the quest for a general definition. In: Abdalla, M., NitaRotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 218–234. Springer, Cham (2013). https://doi.org/10.1007/9783319029375_12
Bourse, F.: Functional encryption for innerproduct evaluations. Ph.D. thesis, PSL Research University, France (2017)
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642195716_16
Castagnos, G., Imbert, L., Laguillaumie, F.: Encryption switching protocols revisited: switching modulo p. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 255–287. Springer, Cham (2017). https://doi.org/10.1007/9783319636887_9
Castagnos, G., Laguillaumie, F.: On the security of cryptosystems with quadratic decryption: the nicest cryptanalysis. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 260–277. Springer, Heidelberg (2009). https://doi.org/10.1007/9783642010019_15
Castagnos, G., Laguillaumie, F.: Linearly homomorphic encryption from \(\sf DDH\). In: Nyberg, K. (ed.) CTRSA 2015. LNCS, vol. 9048, pp. 487–505. Springer, Cham (2015). https://doi.org/10.1007/9783319167152_26
Castagnos, G., Laguillaumie, F., Tucker, I.: Practical fully secure unrestricted inner product functional encryption modulo \(p\). Cryptology ePrint Archive, Report 2018/791 (2018). https://eprint.iacr.org/2018/791
Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Heidelberg (2000)
Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055717
Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure publickey encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10.1007/3540460357_4
Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003). https://doi.org/10.1007/9783540451464_8
De Caro, A., Iovino, V., Jain, A., O’Neill, A., Paneth, O., Persiano, G.: On the achievability of simulationbased security for functional encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 519–535. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642400841_29
Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Functional encryption without obfuscation. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016, Part II. LNCS, vol. 9563, pp. 480–511. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662490990_18
Gjøsteen, K.: Symmetric subgroup membership problems. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 104–119. Springer, Heidelberg (2005). https://doi.org/10.1007/9783540305804_8
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: How to run turing machines on encrypted data. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 536–553. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642400841_30
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: 45th ACM STOC, pp. 555–564. ACM Press (2013)
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: 40th ACM STOC, pp. 197–206. ACM Press (2008)
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multiparty computation. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642320095_11
Hemenway, B., Ostrovsky, R.: ExtendedDDH and lossy trapdoor functions. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 627–643. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642300578_37
Jacobson Jr., M.J.: Computing discrete logarithms in quadratic orders. J. Cryptol. 13(4), 473–492 (2000)
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540789673_9
Lucks, S.: A variant of the CramerShoup cryptosystem for groups of unknown order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 27–45. Springer, Heidelberg (2002). https://doi.org/10.1007/3540361782_2
Martinet, J.: Perfect Lattices in Euclidean Spaces. Grundlehren der mathematischen Wissenschaften, vol. 327, 1st edn. Springer, Heidelberg (2003). https://doi.org/10.1007/9783662051672
McCurley, K.S.: Cryptographic key distribution and computation in class groups. In: Number Theory and Applications (Proc. NATO Advanced Study Inst. on Number Theory and Applications, Banff, 1988). Kluwer (1989)
Micciancio, D., Regev, O.: Worstcase to averagecase reductions based on Gaussian measures. In: 45th FOCS, pp. 372–381. IEEE Computer Society Press (2004)
Micciancio, D., Regev, O.: Worstcase to averagecase reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
Nguyen, P.Q.: La Géométrie des Nombres en Cryptologie. Ph.D. thesis, École Normale Supérieure (1991)
O’Neill, A.: Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010). http://eprint.iacr.org/2010/556
Paillier, P.: Publickey cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/354048910X_16
Shamir, A.: Identitybased cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3540395687_5
Sahai, A., Seyalioglu, H.: Worryfree encryption: functional encryption with public keys. In: ACM CCS 10, pp. 463–472. ACM Press (2010)
Sahai, A., Waters, B.: Fuzzy identitybased encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
Waters, B.: A punctured programming approach to adaptively secure functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 678–697. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662480007_33
Acknowledgements
The authors would like to thank both Benoît Libert and Damien Stehlé for fruitful discussions. This work was supported by the French ANR ALAMBIC project (ANR16CE390006), and by ERC Starting Grant ERC2013StG335086LATTAC.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Copyright information
© 2018 International Association for Cryptologic Research
About this paper
Cite this paper
Castagnos, G., Laguillaumie, F., Tucker, I. (2018). Practical Fully Secure Unrestricted Inner Product Functional Encryption Modulo p. In: Peyrin, T., Galbraith, S. (eds) Advances in Cryptology – ASIACRYPT 2018. ASIACRYPT 2018. Lecture Notes in Computer Science(), vol 11273. Springer, Cham. https://doi.org/10.1007/9783030033293_25
Download citation
DOI: https://doi.org/10.1007/9783030033293_25
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783030033286
Online ISBN: 9783030033293
eBook Packages: Computer ScienceComputer Science (R0)