Achieving short ciphertexts or short secret-keys for adaptively secure general inner-product encryption

In this paper, we present two non-zero inner-product encryption (NIPE) schemes that are adaptively secure under a standard assumption, the decisional linear (DLIN) assumption, in the standard model. One of the proposed NIPE schemes features constant-size ciphertexts and the other features constant-size secret-keys. Our NIPE schemes imply an identity-based revocation (IBR) system with constant-size ciphertexts or constant-size secret-keys that is adaptively secure under the DLIN assumption. No previous IBR scheme with constant-size ciphertexts or constant-size secret-keys was adaptively secure in the standard model. This paper also presents two zero inner-product encryption (ZIPE) schemes, each of which has constant-size ciphertexts or constant-size secret-keys and is adaptively secure under the DLIN assumption in the standard model. They imply an identity-based broadcast encryption system with constant-size ciphertexts or constant-size secret-keys that is adaptively secure under the DLIN assumption. We also extend the proposed ZIPE schemes in two directions: one is a fully-attribute-hiding ZIPE scheme with constant-size secret-keys, and the other is a hierarchical ZIPE scheme with constant-size ciphertexts.


Background
Functional encryption (FE) is an advanced concept of encryption, or a generalization of public-key encryption (PKE) and identity-based encryption (IBE). In FE systems, a receiver can decrypt a ciphertext using a secret-key corresponding to a parameter v if and only if v is suitably related to another parameter x specified for the ciphertext, i.e., R(v, x) = 1 for some relation R (relation R holds for (v, x)). More generally, a secret key in FE is associated with a function f, and a ciphertext of plaintext x is decrypted to f(x) by the secret key [9,28].
The first flavor of functional encryption traces back to the work of Sahai and Waters [29], which was subsequently extended in [2,3,6,10,13,14,17,18,20,25,32]. In their concept called attribute-based encryption (ABE), for example, parameter v for a secret-key is an access control policy, and parameter x for a ciphertext is a set of attributes. Decryption requires attribute set x to satisfy policy v, i.e., relation R_ABE(v, x) = 1 iff x satisfies v. Identity-based broadcast encryption (IBBE) [1,8,12,16,30] and revocation (IBR) [21] schemes can also be thought of as functional encryption systems where a ciphertext is encrypted for a set of identities S = {ID_1, . . ., ID_n} in IBBE (resp. IBR) systems, and decrypting it with a secret-key associated with ID requires that ID ∈ S (resp. ID ∉ S), i.e., relation R_IBBE(ID, S) = 1 (resp. R_IBR(ID, S) = 1) iff ID ∈ S (resp. ID ∉ S). Katz et al. [19] introduced a functional encryption scheme for zero inner products, zero inner product encryption (ZIPE), where a ciphertext encrypted with vector x can be decrypted by any key associated with vector v such that v · x = 0, i.e., relation R_ZIPE(v, x) = 1 iff v · x = 0. Their scheme is selectively secure in the standard model and the ciphertext size is linear in the dimension of vectors, n, although it achieves an additional security property, attribute-hiding, in which x is hidden from the ciphertext. As shown in [19], ZIPE provides functional encryption for a wide class of relations corresponding to equalities, polynomials and CNF/DNF formulae.
Attrapadung and Libert [4] proposed a ZIPE scheme as well as a non-zero IPE (NIPE) scheme, where the NIPE relation is R_NIPE(v, x) = 1 iff v · x ≠ 0. NIPE supports a wide class of relations corresponding to the complement of those for ZIPE. In their ZIPE and NIPE schemes, without retaining the attribute-hiding property, the ciphertext size reduces to a constant in n (the dimension of vectors v and x), as long as the description of the vector is not considered a part of the ciphertext, which is a common assumption in the broadcast encryption/revocation applications. Hereafter in this paper, "constant" will be used in this sense. In addition, the number of pairing operations for decryption in [4] is constant. Their ZIPE system is adaptively secure in the standard model, but the NIPE scheme is not adaptively secure (only co-selectively secure) in the standard model.
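The relations above become concrete once one sees how a set of identities is encoded as a vector. The following added example (written for this page, not code from the paper or its authors) implements R_ZIPE and R_NIPE over a prime field and the standard polynomial encoding behind IBBE and IBR: the ciphertext vector x holds the coefficients of p(z) = ∏_{ID_i ∈ S} (z − ID_i) and the key vector v = (1, ID, ID^2, . . ., ID^{n−1}), so that v · x = p(ID), which is zero exactly when ID ∈ S. The field modulus and the sample identities are constructed values; fixing the set size to n − 1 is an assumption made here so that the last coordinate of x is always non-zero.

```python
# Added illustration of the ZIPE / NIPE relations and of the polynomial
# encoding that turns identity-set membership into an inner product.
# Not code from the paper; the field modulus and sample identities are constructed.

Q = 2**61 - 1  # constructed: a prime standing in for the pairing-group order q


def inner_product(v, x):
    """v . x over F_q; dimensions must match."""
    if len(v) != len(x):
        raise ValueError("vectors must have the same dimension n")
    return sum(a * b for a, b in zip(v, x)) % Q


def r_zipe(v, x):
    """R_ZIPE(v, x) = 1 iff v . x = 0."""
    return inner_product(v, x) == 0


def r_nipe(v, x):
    """R_NIPE(v, x) = 1 iff v . x != 0 (the complement of R_ZIPE)."""
    return not r_zipe(v, x)


def poly_from_roots(roots):
    """Coefficients of p(z) = prod_{r in roots} (z - r) over F_q, lowest degree first.
    The leading coefficient is always 1, so the last entry is non-zero."""
    coeffs = [1]
    for r in roots:
        shifted = [0] + coeffs                            # z * p(z)
        scaled = [(-r * c) % Q for c in coeffs] + [0]     # -r * p(z)
        coeffs = [(a + b) % Q for a, b in zip(shifted, scaled)]
    return coeffs


def identity_key_vector(identity, n):
    """Key-side vector v = (1, ID, ID^2, ..., ID^(n-1)), so that v . x = p(ID)."""
    return [pow(identity, i, Q) for i in range(n)]


def identity_set_vector(identities, n):
    """Ciphertext-side vector x = coefficients of p(z) = prod (z - ID_i).
    The set size is fixed to n - 1 (assumption) so that x has dimension n with x_n = 1."""
    if len(set(identities)) != n - 1:
        raise ValueError("need exactly n - 1 distinct identities")
    return poly_from_roots(identities)


def ibbe_can_decrypt(identity, identities, n):
    """IBBE: decryption succeeds iff ID in S, i.e. iff R_ZIPE(v, x) = 1."""
    return r_zipe(identity_key_vector(identity, n), identity_set_vector(identities, n))


def ibr_can_decrypt(identity, identities, n):
    """IBR: decryption succeeds iff ID not in S, i.e. iff R_NIPE(v, x) = 1."""
    return r_nipe(identity_key_vector(identity, n), identity_set_vector(identities, n))


if __name__ == "__main__":
    # constructed sample: three receivers (n = 4) with small integer identities
    S = [1001, 1002, 1003]
    print("IBBE: 1002 decrypts?", ibbe_can_decrypt(1002, S, 4))   # True
    print("IBBE: 2000 decrypts?", ibbe_can_decrypt(2000, S, 4))   # False
    print("IBR : 1002 decrypts?", ibr_can_decrypt(1002, S, 4))    # False (revoked)
    print("IBR : 2000 decrypts?", ibr_can_decrypt(2000, S, 4))    # True
```

With n = 2 the same encoding reduces to the IBE equality relation (p(z) = z − ID′), and an identity outside S yields p(ID) ≠ 0 with overwhelming probability because the identities are field elements and p has at most n − 1 roots.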
The ZIPE system [4] implies an adaptively secure identity-based broadcast encryption (IBBE) scheme with constant-size ciphertexts in the standard model, while previous IBBE schemes with constant-size ciphertexts were either only selective-ID secure [1,8,12] or secure in a non-standard model [16,30]. Among IBBE systems with short ciphertexts (including selective-ID secure ones), the IBBE scheme [4] is the only one relying on standard assumptions, namely the DBDH and DLIN assumptions. The NIPE scheme [4] implies a co-selectively secure (not adaptively secure) identity-based revocation (IBR) system [21] with constant-size ciphertexts in the standard model. Lewko et al. [21] presented IBR systems with constant-size public and secret keys that are not adaptively secure. Hence, the following problems remain open.
1. No NIPE scheme with constant-size ciphertexts is adaptively secure in the standard model, and no IBR scheme with constant-size ciphertexts or constant-size secret-keys is adaptively secure in the standard model. No NIPE scheme with constant-size secret-keys has been presented.
2. No ZIPE (or IBBE) scheme with constant-size ciphertexts is adaptively (or selectively) secure under a single standard assumption in the standard model. No ZIPE scheme with constant-size secret-keys has been presented.

Our result
We address these problems. Note that all of our results are obtained in the standard model.
1. This paper presents the first adaptively secure NIPE scheme that has constant-size ciphertexts or constant-size secret-keys (Sects. 6 and 7). The security assumption is a standard one, the decisional linear (DLIN) assumption. This implies the first adaptively secure IBR scheme with constant-size ciphertexts or constant-size secret-keys.
2. This paper also presents the first ZIPE scheme that has constant-size ciphertexts or constant-size secret-keys and is adaptively secure solely under a single standard assumption, the DLIN assumption (Sects. 8 and 9). This implies the first IBBE scheme with constant-size ciphertexts that is adaptively secure solely under a single standard assumption.
3. We present two extensions of the proposed ZIPE schemes. One is a fully-attribute-hiding ZIPE scheme with constant-size secret-keys (Sect. 10). It is obtained by applying the technique of the fully-attribute-hiding ZIPE scheme in [27] to the proposed ZIPE scheme with constant-size secret-keys in Sect. 9, while the ZIPE scheme in Sect. 9 is only weakly-attribute-hiding. The other extension is a hierarchical ZIPE scheme with constant-size ciphertexts (Sect. 12). These schemes are adaptively secure under the DLIN assumption.
The number of pairing operations for decryption is constant in all the proposed schemes. We summarize a comparison of our results with those of [4] in Table 1 in Sect. 11 (see the items 'Security', 'Assump.', 'CT Size' and 'SK Size' in Table 1 for the features discussed in Sects. 1.1 and 1.2).

Related works
An adaptively secure and attribute-hiding ZIPE scheme under the DLIN assumption has been presented [25], but its ciphertext size is linear in n (not constant), while our ZIPE scheme has constant-size ciphertexts and is adaptively secure but not attribute-hiding.
After the publication of the preliminary version [26] of this paper, Chen-Wee [11] constructed an adaptively secure spatial encryption scheme with constant-size ciphertexts, which includes ZIPE as a special case. Although both our ZIPE scheme and Chen-Wee's scheme have constant-size ciphertexts, the concrete size of a ciphertext in their scheme is shorter than ours.

Key techniques
All of the proposed schemes in this paper are constructed on dual system encryption [22,31] and dual pairing vector spaces (DPVS) [20,24,25]. See Sect. 1.5 for the notations used in this section. In DPVS, a pair of dual (or orthonormal) bases, B and B*, are randomly generated using a fully random linear transformation X ←_U GL(N, F_q) (N: dimension of span⟨B⟩ and span⟨B*⟩) such that B and B* are transformed from the canonical basis A by X and (X^{-1})^T, respectively (see Sect. 2 and [20,24,25]). In a typical application of DPVS to cryptography, a portion of B is used as a public key and the corresponding portion of B* is used as a secret key or trapdoor.
In this paper, we develop a novel technique on DPVS, where we employ a special form of random linear transformation X ∈ GL(N, F_q), namely X ∈ L(4, n, F_q) of Eq. (3) in Sect. 6.2, in place of a fully random linear transformation X ←_U GL(N, F_q). This form of X provides us a framework to achieve short ciphertexts or short secret-keys as well as a small number of pairing operations in decryption. It is, however, a challenging task to find a special form of X like Eq. (3) that meets the several requirements of the dual system encryption method for proving the adaptive security of ZIPE and NIPE schemes under the DLIN assumption. These requirements are as follows. To reduce the security of our schemes, especially Problems 1 and 2 in this paper, to the DLIN assumption, the form of X should be consistent with the distribution of the DLIN problem. The form of X should be sparse enough to achieve short ciphertexts or secret-keys. We should also have a special pairwise independence lemma, Lemma 6 in Sect. 6.4, that is due to the special form of X, where the linear random transformations U and Z are more restricted (or specific) than those of previous results, e.g., [25], with fully random X. See Sect. 6.1 for more details.

Notations
When A is a random variable or distribution, y ←_R A denotes that y is randomly selected from A according to its distribution. When A is a set, y ←_U A denotes that y is uniformly selected from A. A vector symbol denotes a vector representation over F_q. The vector 0 is used to denote the zero vector in F_q^n for any n. X^T denotes the transpose of matrix X. I denotes the identity matrix. A boldface letter denotes an element of vector space V. An n-dimensional vector e_j denotes the j-th canonical basis vector. GL(n, F_q) denotes the general linear group of degree n over F_q. For a linear subspace V ⊂ F_q^n, V^⊥ denotes its orthogonal complement.

Dual pairing vector spaces by direct product of symmetric pairing groups
In this paper, for simplicity of description, we will present the proposed schemes on the symmetric version of dual pairing vector spaces (DPVS) [23,24] constructed using the symmetric bilinear pairing groups given in Definition 1. Owing to the abstraction of DPVS, the presentation and the security proof of the proposed schemes are essentially the same as those on the asymmetric version of DPVS, (q, V, V*, G_T, A, A*, e); for this, see Appendix "Proofs of Lemmas 4-12 in Sect. 6" in the full version of [25]. The symmetric version is a specific (self-dual) case of the asymmetric version, where V = V* and A = A*.
Definition 1 (Symmetric bilinear pairing groups) (q, G, G_T, G, e) is a tuple of a prime q, a cyclic additive group G and a multiplicative group G_T of order q, G ≠ 0 ∈ G, and a polynomial-time computable nondegenerate bilinear pairing e : G × G → G_T, i.e., e(sG, tG) = e(G, G)^{st} and e(G, G) ≠ 1. Let G_bpg be an algorithm that takes input 1^λ and outputs a description of bilinear pairing groups (q, G, G_T, G, e) with security parameter λ.

Definition 2 (Dual pairing vector spaces (DPVS)) (q, V, G_T, A, e) by a direct product of symmetric pairing groups (q, G, G_T, G, e) is a tuple of a prime q, an N-dimensional vector space V, … The pairing e is nondegenerate bilinear, i.e., e(sx, ty) = e(x, y)^{st}, and if e(x, y) = 1 for all y ∈ V, then x = 0. For all i and j, e(a_i, a_j) = e(G, G)^{δ_{i,j}}, where δ_{i,j} = 1 if i = j and 0 otherwise, and e(G, G) ≠ 1 ∈ G_T.
DPVS also has linear transformations φ_{i,j} on V such that φ_{i,j}(a_j) = a_i and φ_{i,j}(a_k) = 0 if k ≠ j, which can be easily achieved by φ_{i,j}(x) := (…

KeyGen This is a randomized algorithm that takes as input a vector v, pk and sk. It outputs a decryption key sk_v.
Enc This is a randomized algorithm that takes as input a message m, a vector x, and public parameters pk. It outputs a ciphertext ct_x.
Dec This takes as input a ciphertext ct_x that was encrypted under a vector x, a decryption key sk_v for vector v, and public parameters pk. It outputs either plaintext m or the distinguished symbol ⊥.
A ZIPE (or NIPE) scheme should have the following correctness property: for all … We define three security notions in Definitions 4-6.

Definition 4 (Adaptively payload-hiding security)
The model for proving the adaptively payload-hiding security of ZIPE (or NIPE) under chosen plaintext attacks is given hereafter.

Setup
The challenger runs the setup algorithm, (pk, sk) ←_R Setup(1^λ), and gives public parameters pk to the adversary.
Phase 1 The adversary is allowed to adaptively issue a polynomial number of queries, v, to the challenger or oracle KeyGen(pk, sk, ·) for private keys, sk_v, associated with v.
Challenge The adversary submits two messages, m^(0) and m^(1), and a vector, x, provided that no v queried to the challenger in Phase

Remark 1
We have two remarks on variants of the above security notion.
• In a weaker security notion, selectively payload-hiding, the adversary is required to declare the challenge vector x at the beginning of the game (before Setup). Similarly, weaker (selective) security variants can be defined in place of the two (adaptive) security notions in Definitions 5 and 6.
• The above security notion, which is secure against chosen-plaintext attacks (CPA), can be easily extended to a security notion against chosen-ciphertext attacks (CCA) by allowing an adversary to make decryption queries in Phases 1 and 2. Since there is a standard (efficient) methodology to transform a CPA-secure FE (including NIPE/ZIPE) scheme into a CCA-secure FE scheme by using the Canetti-Halevi-Katz (CHK) transformation or the Boneh-Katz (BK) transformation [7], as given in [25], we only present CPA-secure NIPE/ZIPE schemes in this paper.

Definition 5 (Adaptively weakly-attribute-hiding security)
The model for proving the adaptively weakly-attribute-hiding security of ZIPE under chosen plaintext attacks is obtained from the above game by replacing the Challenge and Phase 2 steps by the following:
Challenge The adversary submits two messages, (m^(0), m^(1)), and two vectors, (x^(0), x^(1)), provided that no v queried to the challenger in Phase 1 satisfies R(v, x^(0)) = 1 or …
Informally, in the adaptively fully-attribute-hiding security game, the adversary is allowed to issue both types of key queries, R(v, x^(b)) = 0 and R(v, x^(b)) = 1, in a single security game. This gives stronger security than Definition 5 and is given in the following Definition 6.

Definition 6 (Adaptively fully-attribute-hiding security)
The model for proving the adaptively fully-attribute-hiding security of ZIPE under chosen plaintext attacks is obtained from the above game by replacing the Challenge and Phase 2 steps by the following:
Challenge The adversary submits challenge attribute vectors (x^(0), x^(1)) and challenge plaintexts (m^(0), m^(1)), subject to the following restrictions:
• v · x^(0) = 0 and v · x^(1) = 0 for all the key-queried predicate vectors, v.

Phase 2
The adversary is allowed to adaptively issue a polynomial number of queries, v, to the challenger or oracle KeyGen(pk, sk, ·) for private keys, sk_v, associated with v, subject to the restriction given in the challenge step.
The advantage of adversary A in the above game is defined as Adv_A^{ZIPE,AH}(λ) := Pr[A wins] − 1/2 for any security parameter λ. An IPE scheme is adaptively fully-attribute-hiding (AH) (against chosen plaintext attacks) if all probabilistic polynomial-time adversaries A have at most negligible advantage in the above game.
For each run of the game, the variable s is defined as s := 0 if m^(0) = m^(1) for challenge plaintexts m^(0) and m^(1), and s := 1 otherwise.

Decisional linear (DLIN) assumption
Definition 7 The DLIN problem is to guess β ∈ {0, 1}, given … for β ←_U {0, 1}. For a probabilistic machine E, we define the advantage of E for the DLIN problem as … The DLIN assumption is: for any probabilistic polynomial-time adversary E, the advantage Adv_E^{DLIN}(λ) is negligible in λ.

Special matrix subgroups
Lemmas 1-3 are key lemmas for the security proof of our (H)IPE schemes. For a positive integer n, let … Lemma 1 is directly verified from the definition of the groups.
For positive integers w and n, let … Lemma 2 L(w, n, F_q) and L(w, n, F_q) are subgroups of GL(wn, F_q). Proofs of Lemmas 2 and 3 are given in Appendix "Proofs of Lemmas 2 and 3 in Sect. 5".

NIPE scheme with constant-size ciphertexts

6.1 Key ideas in constructing the proposed NIPE scheme
In this section, we explain the key ideas behind constructing the proposed NIPE scheme and proving its security. First, we show how short ciphertexts and efficient decryption are achieved in our scheme. Here, we use a simplified (or toy) version of the proposed NIPE scheme, for which security is no longer ensured in the standard model under the DLIN assumption.
A ciphertext in the simplified NIPE scheme consists of two vector elements, (c_0, c_1) ∈ G^5 × G^n, and c_3 ∈ G_T. A secret-key consists of two vector elements, (k*_0, k*_1) ∈ G^5 × G^n. Therefore, to achieve constant-size ciphertexts, we have to compress c_1 ∈ G^n to a size constant in n. We now employ a special form of basis generation matrix, X of Eq. (1) in Sect. 6.2, where μ, μ_1, . . ., μ_n ←_U F_q and a blank in the matrix denotes 0 ∈ F_q. The system parameter or DPVS public … Let a ciphertext associated with … Then, c_1 can be compressed to only two group elements (C_1 := ωμG, C_2 := ω(Σ_{i=1}^n x_i μ_i)G) together with x, since c_1 can be obtained by … That is, a ciphertext (excluding x) can be just two group elements, i.e., its size is constant in n.
Let B* := (b*_i) be the dual orthonormal basis of B := (b_i), and let B* be the master secret key in the simplified NIPE scheme. We specify (c_0, k*_0, c_3) such that e(c_0, … We also set a secret-key for v as k*_1 … That is, n − 1 scalar multiplications in G and two pairing operations are enough for computing e(c_1, k*_1). Therefore, only a small (constant) number of pairing operations are required for decryption.
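The compression and the two-pairing decryption described above can be checked on a toy model of DPVS. The following added example (written for this page, not code from the paper) models each group element by its scalar multiple of G, so a vector over V is a coordinate vector over F_q and e(x, y) = e(G, G)^{x · y} is modelled by the exponent x · y. It generates B = X · A and B* = (X^{-1})^T · A, verifies that the compressed pair (C_1, C_2) expands back to c_1 = ω x B, and that evaluating e(c_1, k*_1) with n − 1 scalar multiplications and two pairings gives ωδ(x · v). The sparse shape used for X (μ on the first n − 1 diagonal entries and (μ_1, . . ., μ_n) in the last column) is an assumption that matches the C_1, C_2 description above; the paper's Eq. (1) itself is not reproduced here, and the prime modulus is a constructed sample value.

```python
# Added toy model of the DPVS idea in Sect. 6.1.  Not code from the paper.
# Group elements are modelled by scalars (multiples of G); the pairing by a dot product
# in the exponent.  The sparse shape of X below is an assumption, not the paper's Eq. (1).
import random

Q = 2**31 - 1  # constructed prime standing in for the group order q


def mat_inv_mod(m):
    """Gauss-Jordan inverse of a square matrix over F_q; raises if singular."""
    n = len(m)
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r][col] % Q), None)
        if piv is None:
            raise ValueError("matrix is singular mod q")
        a[col], a[piv] = a[piv], a[col]
        inv = pow(a[col][col], Q - 2, Q)
        a[col] = [(v * inv) % Q for v in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(x - f * y) % Q for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]


def transpose(m):
    return [list(col) for col in zip(*m)]


def dual_bases(x_mat):
    """B = X.A and B* = (X^-1)^T.A with A the canonical basis; rows are basis vectors."""
    return x_mat, transpose(mat_inv_mod(x_mat))


def vec_mat(coeffs, basis):
    """sum_i coeffs[i] * basis[i], i.e. the row vector coeffs times the basis matrix."""
    n = len(basis[0])
    return [sum(c * b[j] for c, b in zip(coeffs, basis)) % Q for j in range(n)]


def pairing_exp(u, w):
    """Exponent of e(u, w) = e(G, G)^(u . w) for coordinate vectors u, w."""
    return sum(a * b for a, b in zip(u, w)) % Q


def sparse_x(mu, mus):
    """Assumed sparse shape: mu on diagonal entries 1..n-1, (mu_1..mu_n) in the last column."""
    n = len(mus)
    x_mat = [[0] * n for _ in range(n)]
    for i in range(n - 1):
        x_mat[i][i] = mu
    for i in range(n):
        x_mat[i][n - 1] = mus[i]
    return x_mat


def compress(omega, x, mu, mus):
    """(C_1, C_2) = (omega*mu*G, omega*(sum x_i mu_i)*G), as scalars."""
    return (omega * mu) % Q, (omega * sum(xi * mi for xi, mi in zip(x, mus))) % Q


def expand(c1, c2, x):
    """Recover c_1 = (x_1 C_1, ..., x_{n-1} C_1, C_2) from the two elements and x."""
    return [(xi * c1) % Q for xi in x[:-1]] + [c2]


def decrypt_exp_two_pairings(c1, c2, x, key):
    """e(c_1, k*_1) via n-1 scalar multiplications and two pairings (exponent form)."""
    partial = sum(xi * ki for xi, ki in zip(x[:-1], key[:-1])) % Q
    return (c1 * partial + c2 * key[-1]) % Q


def demo(x, v, seed=0):
    """Return (full n-pairing exponent, two-pairing exponent, omega*delta*(x . v))."""
    rnd = random.Random(seed)
    n = len(x)
    mu, mus = rnd.randrange(1, Q), [rnd.randrange(1, Q) for _ in range(n)]
    B, Bstar = dual_bases(sparse_x(mu, mus))
    omega, delta = rnd.randrange(1, Q), rnd.randrange(1, Q)
    c1_full = vec_mat([(omega * xi) % Q for xi in x], B)     # omega * x over B
    key = vec_mat([(delta * vi) % Q for vi in v], Bstar)     # delta * v over B*
    C1, C2 = compress(omega, x, mu, mus)
    assert expand(C1, C2, x) == c1_full                       # compression is lossless
    full = pairing_exp(c1_full, key)
    fast = decrypt_exp_two_pairings(C1, C2, x, key)
    expected = (omega * delta * sum(a * b for a, b in zip(x, v))) % Q
    return full, fast, expected


if __name__ == "__main__":
    print(demo([3, 5, 7, 11], [2, 4, 6, 1]))   # all three values coincide
```

Because the pairing of ω x B with δ v B* only ever exposes ωδ(x · v), the NIPE decryptor learns whether x · v is non-zero (and can cancel the blinding factor when it is), which is exactly the relation the key is meant to test; the constant-size representation (C_1, C_2) does not change this.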
We then explain how our full NIPE scheme is constructed on the above-mentioned simplified NIPE scheme. The target of designing the full NIPE scheme is to achieve adaptive security under the DLIN assumption. Here, we adopt a strategy similar to that of [25], in which the dual system encryption methodology is employed in a modular or hierarchical manner. That is, two top-level assumptions, the security of Problems 1 and 2, are directly used in the dual system encryption methodology, and these assumptions are reduced to a primitive assumption, the DLIN assumption.
To meet the requirements for applying the dual system encryption methodology and reducing to the DLIN assumption, the underlying vector space as well as the basis generator matrix X is four times larger than that of the above-mentioned simplified scheme. For example, X ∈ L(4, n, F_q) of Eq. (3) in Sect. 6.2, where each X_{i,j} is of the form of X ∈ H(n, F_q) in the simplified scheme. The vector space consists of four orthogonal subspaces, i.e., a real encoding part, a hidden part, a secret-key randomness part, and a ciphertext randomness part. The simplified NIPE scheme corresponds to the first, real encoding part.
A key fact in the security reduction is that L(4, n, F_q) is a subgroup of GL(4n, F_q) (Lemma 2), which enables a random-self-reducibility argument for reducing the DLIN problem to Problems 1 and 2 in this paper. The property that H(n, F_q) … is also crucial for a special form of pairwise independence lemma in this paper (Lemma 6), where H(n, F_q) is specified in L(4, n, F_q) or X. Our Problem 2, which is based on this lemma, employs special form matrices U ←_U H(n, F_q) ∩ GL(n, F_q) and Z := (U^{-1})^T. Informally, our pairwise independence lemma implies that, for all (x, v), the pair (xU, vZ) is uniformly distributed over (span⟨x, e_n⟩ \ span⟨e_n⟩) × (F_q^n \ span⟨e_n⟩^⊥) while preserving the inner-product value x · v, i.e., (xU, vZ) reveals no information other than x and x · v.
The difference in the matrix X from that of the ZIPE scheme is noted in Remark 10.

Dual orthonormal basis generator
We describe the random dual orthonormal basis generator G_ob^{NIPE,CT} below, which is used as a subroutine in the proposed NIPE scheme.
where a blank element in the matrix denotes 0

Security
The proofs of Lemmas 4-12 are given in Appendix "Proofs of Lemmas 4-12 in Sect. 6".

Theorem 1 The proposed NIPE scheme is adaptively payload-hiding against chosen plaintext attacks under the DLIN assumption.
For any machine A, there exist probabilistic machines E_1, E_{2-1} and E_{2-2}, whose running times are essentially the same as that of A, such that for any security parameter λ, Adv_A^{NIPE,PH}(λ) …, where ν is the maximum number of A's key queries and … := (11ν + 6)/q.

Lemmas for the Proof of Theorem 1
We will show Lemmas 4-6 for the proof of Theorem 1.
Using these vector expressions, the output of …
Lemma 4 For any machine B, there exists a probabilistic machine E, whose running time is essentially the same as that of B, such that for any security parameter λ, … where … in the form of Eq. (6), while B_1 := (b_{1,1}, . . ., b_{1,4n}) is identified with {B_{i,j}, B_{i,j,l}}_{i,j=1,...,4; l=1,...,n} by Eq. (6). If we set e_{1,l} ∈ V_1 for l = 1, . . ., n as … they are expressed over B_1 as … Using these vector expressions, the output of …
Lemma 5 For any machine B, there exists a probabilistic machine E, whose running time is essentially the same as that of B, such that for any security parameter λ, …
Lemma 6 Let e_n := (0, . . ., 0, 1) ∈ F_q^n. For all x ∈ F_q^n \ span⟨e_n⟩ and π …

Proof outline
At the top level of the security-proof strategy, we follow the dual system encryption methodology proposed by Waters [31]. In this methodology, ciphertexts and secret keys have two forms, normal and semi-functional. In the proof herein, we also introduce other forms of secret keys called 1st-pre-semi-functional and 2nd-pre-semi-functional. The real system uses only normal ciphertexts and normal secret keys; semi-functional ciphertexts and semi-functional/1st-pre-semi-functional/2nd-pre-semi-functional keys are used only in a sequence of security games for the security proof. To prove this theorem, we employ Game 0 (the original adaptive-security game) through Game 3. In Game 1, the challenge ciphertext is changed to semi-functional. When at most ν secret key queries are issued by an adversary, there are 3ν game changes from Game 1 (Game 2-0-3), Game 2-1-1, Game 2-1-2, Game 2-1-3 through Game 2-ν-3.
In Game 2-h-1, the first (h − 1) keys are semi-functional and the h-th key is 1st-pre-semi-functional, while the remaining keys are normal, and the challenge ciphertext is semi-functional. In Game 2-h-2, the first (h − 1) keys are semi-functional and the h-th key is 2nd-pre-semi-functional, while the remaining keys are normal, and the challenge ciphertext is semi-functional. In Game 2-h-3, the first h keys are semi-functional (i.e., the h-th key is now semi-functional too), while the remaining keys are normal, and the challenge ciphertext is semi-functional.
The final game (Game 3) with advantage 0 is conceptually changed from Game 2-ν-3.As usual, we prove that the advantage gaps between neighboring games are negligible.
When at most ν key queries are issued by an adversary, we set a sequence of sk := sk_v's, i.e., (sk^(1)*, . . ., sk^(ν)*), in the order of the adversary's queries. Here we focus on k* and c_x := (c_0, {C_{1,j}, C_{2,j}}_{j=1,...,4}, c_3), and ignore the other part of sk_v (resp. ct_x), i.e., v (resp. x), and call them secret key and ciphertext, respectively, in this proof outline. In addition, we ignore a negligible factor in the (informal) descriptions of this proof outline. For example, we say "A is bounded by B" when A ≤ B + (λ), where (λ) is negligible in the security parameter λ.
…, is the correct form of the secret key of the proposed NIPE scheme, and is expressed by Eq. (7). Similarly, a normal ciphertext, c_x^norm, is expressed by Eq. (8). A 1st-pre-semi-functional secret key, k*_v^{1st-psemi}, is expressed by Eq. (10), a 2nd-pre-semi-functional secret key, k*_v^{2nd-psemi}, is expressed by Eq. (11), a semi-functional secret key is expressed by Eq. (12), and a semi-functional ciphertext, c_x^semi, is expressed by Eq. (9).
To prove that the advantage gap between Games 0 and 1 is bounded by the advantage of Problem 1 (to guess β ∈ {0, 1}), we construct a simulator of the challenger of Game 0 (or 1) (against an adversary A) by using an instance with β ←_U {0, 1} of Problem 1. We then show that the distribution of the secret keys and challenge ciphertext replied by the simulator is equivalent to those of Game 0 when β = 0 and Game 1 when β = 1. That is, the advantage gap between Games 0 and 1 is bounded by the advantage of Problem 1 (Lemma 7). The advantage of Problem 1 is proven to be bounded by that of the DLIN assumption (Lemma 4). The advantage gap between Games 2-(h − 1)-3 and 2-h-1 is similarly shown to be bounded by the advantage of Problem 2 (i.e., the advantage of the DLIN assumption) (Lemmas 8 and 5). The distributions of the 1st-pre-semi-functional secret key k*_v^{(h) 1st-psemi} (Eq. (10)) and the 2nd-pre-semi-functional secret key k*_v^{(h) 2nd-psemi} (Eq. (11)) are distinguishable by the simulator or challenger, but the joint distributions of (k …) along with the other keys are (information theoretically) equivalent in the adversary's view, when … Therefore, as shown in Lemma 9, the advantages of Games 2-h-1 and 2-h-2 are equivalent. The advantage gap between Games 2-h-2 and 2-h-3 is similarly shown to be bounded by the advantage of Problem 2 (i.e., the advantage of the DLIN assumption) (Lemmas 10 and 5). Finally, we show that Game 2-ν-3 can be conceptually changed to Game 3 (Lemma 11) by using the fact that basis vectors b_{0,2} and b*_{0,3} are unknown to the adversary.

Proof of Theorem 1
To prove Theorem 1, we consider the following (3ν + 3) games. In Game 0, a part framed by a box indicates coefficients to be changed in a subsequent game. In the other games, a part framed by a box indicates coefficients that were changed from the previous game.
Game 0 Original game. That is, the reply to a key query for v is … where δ, ϕ_0 … The challenge ciphertext for challenge plaintexts (m^(0), m^(1)) and x, (x, c_0, {C_{1,j}, C_{2,j}}_{j=1,...,4}, c_3), which is identified with … is … where … x_l ≠ 0 for some l ∈ {1, . . ., n − 1}.
Game 1 Same as Game 0 except that the challenge ciphertext for challenge plaintexts (m^(0), m^(1)) and x is given by Eq. (9), where τ and all the other variables are generated as in Game 0.
Game 2-h-1 (h = 1, . . ., ν) … where … in Eq. (9) and all the other variables are generated as in Game 2-(h − 1)-3.
Game 2-h-2 (h = 1, . . ., ν) Game 2-h-2 is the same as Game 2-h-1 except that a part of the reply to the h-th key query for v, (k*_0, k*_1), is … where w ←_U F_q and all the other variables are generated as in Game 2-h-1.
Game 2-h-3 (h = 1, . . ., ν) Game 2-h-3 is the same as Game 2-h-2 except that the reply to the h-th key query for v, (k*_0, k*_1), is … where all the variables are generated as in Game 2-h-2.
Game 3 Same as Game 2-ν-3 except that c_0 and c_3 of the challenge ciphertext are … where … and all the other variables are generated as in Game 2-ν-3.

Lemma 7
For any machine A, there exists a probabilistic machine B_1, whose running time is essentially the same as that of A, such that for any security parameter λ, |Adv^(0) …
Lemma 8 For any machine A, there exists a probabilistic machine B_{2-1}, whose running time is essentially the same as that of A, such that for any security parameter λ, |Adv …
Lemma 9 For any machine A, for any security parameter λ, |Adv …
Lemma 10 For any machine A, there exists a probabilistic machine B_{2-2}, whose running time is essentially the same as that of A, such that for any security parameter λ, |Adv …
Lemma 11 For any machine A, for any security parameter λ, |Adv …
Lemma 12 For any machine A, for any security parameter λ, Adv_A^(3)(λ) = 0.

NIPE scheme with constant-size secret-keys

7.1 Dual orthonormal basis generator
We describe the random dual orthonormal basis generator G_ob^{NIPE,SK} below, which is used as a subroutine in the proposed NIPE scheme, where G_ob^{NIPE,CT} is given in Sect. 6.2.

Construction and security
In the description of the scheme, we assume that the input vector v := (v_1, . . ., v_n) has an index l (1 ≤ l ≤ n − 1) with v_l ≠ 0, and that the input vector x := (x_1, . . ., x_n) satisfies x_n ≠ 0. The plaintext space is G_T.

Construction and security
In the description of the scheme, we assume that the input vector x := (x_1, . . ., x_n) has an index l (1 ≤ l ≤ n − 1) with x_l ≠ 0, and that the input vector v := (v_1, . . ., v_n) satisfies v_n ≠ 0. The plaintext space is G_T.

Theorem 3
The proposed ZIPE scheme is adaptively payload-hiding against chosen plaintext attacks under the DLIN assumption. For any machine A, there exist probabilistic machines E_1 and E_2, whose running times are essentially the same as that of A, such that for any security parameter λ, Adv_A^{ZIPE,PH}(λ) …, where ν is the maximum number of A's key queries, and … := (11ν + 6)/q.
Proof To prove Theorem 3, we consider the following (ν + 3) games. In Game 0, a part framed by a box indicates coefficients to be changed in a subsequent game. In the other games, a part framed by a box indicates coefficients that were changed from the previous game.
Game 0 Original game. That is, the reply to a key query for v is … The challenge ciphertext for challenge plaintexts (m^(0), m^(1)) and x, (x, c_0, {C_{1,j}, C_{2,j}}_{j=1,...,4}, c_3), which is identified with (x, c, c_3) in Remark 9, is … with x_l ≠ 0 for some l ∈ {1, . . ., n − 1}.
Game 1 Same as Game 0 except that the challenge ciphertext for challenge plaintexts (m^(0), m^(1)) and x is … where r ←_U span⟨x, e_n⟩, and all the other variables are generated as in Game 0.
Game 2-h (h = 1, . . ., ν) Game 2-0 is Game 1. Game 2-h is the same as Game 2-(h − 1) except that a part of the reply to the h-th key query for v, k*, is … where w ←_U F_q^n and all the other variables are generated as in Game 2-(h − 1).
Game 3 Same as Game 2-ν except that c and c_3 of the challenge ciphertext are … and all the other variables are generated as in Game 2-ν.

… Adv_A^(1)(λ), Adv_A^(2-h)(λ) for h = 1, . . ., ν, using (variants of) Problems 1 and 2 as in the proof of Theorem 1. The following Lemma 13 gives a gap evaluation between Adv … A(λ), which requires a detailed proof for our ZIPE with constant-size ciphertexts (see Appendix "Proof of Lemma 13 in Sect. 8" for the proof). Combining the gap evaluations, we obtain Theorem 3.

ZIPE scheme with constant-size secret-keys

9.1 Dual orthonormal basis generator
We describe the random dual orthonormal basis generator G_ob^{ZIPE,SK} below, which is used as a subroutine in the proposed ZIPE scheme, where G_ob^{ZIPE,CT} is defined in Sect. 7.1. Since the definition is also employed for the scheme with w = 5 in Sect. 10, we describe G_ob^{ZIPE,SK} for general w (we use only the cases w = 4, 5).

Construction and security
In the description of the scheme, we assume that the input vector v := (v_1, . . ., v_n) has an index l (1 ≤ l ≤ n − 1) with v_l ≠ 0, and that the input vector x := (x_1, . . ., x_n) satisfies x_n ≠ 0. The plaintext space is G_T.
[Correctness] Using the alternate decryption Dec′, F = e(c, k) = g …

Theorem 4
The proposed ZIPE scheme is adaptively weakly-attribute-hiding against chosen plaintext attacks under the DLIN assumption. For any machine A, there exist probabilistic machines E_1 and E_2, whose running times are essentially the same as that of A, such that for any security parameter λ, Adv_A^{ZIPE,wAH}(λ) …, where ν is the maximum number of A's key queries, and … := (11ν + 6)/q.
Proof To prove Theorem 4, we consider the following (ν + 3) games. In Game 0, a part framed by a box indicates coefficients to be changed in a subsequent game. In the other games, a part framed by a box indicates coefficients that were changed from the previous game.
Game 0 Original game. That is, the reply to a key query for v is … where δ, ϕ ←_U F_q and v := (v_1, . . ., v_n) ∈ F_q^n with v_n ≠ 0. The challenge ciphertext for challenge plaintexts (m^(0), m^(1)) and x, (x, c_0, {C_{1,j}, C_{2,j}}_{j=1,...,4}, c_3), which is identified with (x, c, c_3) in Remark 9, is … and x := (x_1, . . ., x_n) ∈ F_q^n with x_l ≠ 0 for some l ∈ {1, . . ., n − 1}.
Game 1 Same as Game 0 except that the challenge ciphertext for challenge plaintexts (m^(0), m^(1)) and x is … and all the other variables are generated as in Game 0.
Game 2-h (h = 1, . . ., ν) Game 2-0 is Game 1. Game 2-h is the same as Game 2-(h − 1) except that a part of the reply to the h-th key query for v, k*, is … where w ←_U span⟨v, e_n⟩ and all the other variables are generated as in Game 2-(h − 1).
Game 3 Same as Game 2-ν except that c and c_3 of the challenge ciphertext are … and all the other variables are generated as in Game 2-ν.

. , ν) and $\mathsf{Adv}^{(3)}_{\mathsf{A}}(\lambda)$ be the advantage of A in Games 0, 1, 2-h and 3, respectively. Adv A (λ), which requires a detailed proof for our ZIPE with constant-size secret-keys (see Appendix "Proof of Lemma 14 in Sect. 9" for the proof). Combining the gap evaluations, we obtain Theorem 4.

Lemma 14 For any machine A, for any security parameter λ, |Adv (2-ν)
10 Fully-attribute-hiding ZIPE scheme with constant-size secret-keys

By applying our technique to the fully-attribute-hiding ZIPE scheme in [27], we obtain a fully-attribute-hiding ZIPE scheme with short secret-keys.

Construction and security
In the description of the scheme, we assume that the input vector $\vec{v} := (v_1, \ldots, v_n)$ has an index $l$ ($1 \le l \le n-1$) with $v_l = 0$, and that the input vector $\vec{x} := (x_1, \ldots, x_n)$ satisfies $x_n = 0$. The plaintext space is $\mathbb{G}_T$.
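As an added illustration (example code, not from the paper), the following Python shows the inner-product relations $R_{\mathrm{ZIPE}}$ and $R_{\mathrm{NIPE}}$ over $\mathbb{F}_q$ and the polynomial encoding by which identity-based broadcast encryption (IBBE) and identity-based revocation (IBR) become inner-product instances: the identity set S is encoded on the ciphertext side as the coefficients of the monic polynomial $\prod_{ID \in S}(z - ID)$, and an identity on the key side as $(1, ID, \ldots, ID^{n-1})$, so $\vec{v} \cdot \vec{x} = 0$ exactly when ID is a root. `Q`, `MAX_ID`, the padding with dummy roots outside the identity space, and all function names are this example's own assumptions. With this encoding the coordinates singled out in the constructions of Sects. 9 and 10, $x_n$ and a fixed $v_l$ (here $l = 1$), both equal 1.

```python
# Added example (not the paper's code): inner-product relations over F_q and the
# polynomial encoding that turns IBBE / IBR into ZIPE / NIPE instances.
# Q, MAX_ID, the dummy-root padding and all function names are this example's
# own assumptions.
Q = 2**31 - 1    # constructed prime modulus standing in for the group order q
MAX_ID = 2**20   # assumption: identities are field elements below this bound, so
                 # dummy roots >= MAX_ID never coincide with an identity


def inner_product(v, x, q=Q):
    """v . x in F_q."""
    assert len(v) == len(x)
    return sum(a * b for a, b in zip(v, x)) % q


def r_zipe(v, x, q=Q):
    """R_ZIPE(v, x) = 1 iff v . x = 0."""
    return inner_product(v, x, q) == 0


def r_nipe(v, x, q=Q):
    """R_NIPE(v, x) = 1 iff v . x != 0."""
    return inner_product(v, x, q) != 0


def poly_mul_linear(coeffs, root, q=Q):
    """Multiply the polynomial sum_k coeffs[k] z^k by (z - root)."""
    out = [0] * (len(coeffs) + 1)
    for k, c in enumerate(coeffs):
        out[k] = (out[k] - root * c) % q
        out[k + 1] = (out[k + 1] + c) % q
    return out


def encode_set(ids, n, q=Q):
    """Ciphertext-side vector x := (x_1, ..., x_n) = coefficients of the monic
    polynomial p(z) = prod_{ID in S} (z - ID), padded with dummy roots outside the
    identity space so that deg p = n - 1 exactly.  The leading coefficient x_n is 1."""
    ids = list(ids)
    assert len(ids) <= n - 1 and all(0 <= i < MAX_ID for i in ids)
    dummies = [MAX_ID + j for j in range(n - 1 - len(ids))]
    coeffs = [1]
    for root in ids + dummies:
        coeffs = poly_mul_linear(coeffs, root, q)
    assert len(coeffs) == n and coeffs[-1] == 1
    return coeffs


def encode_identity(ident, n, q=Q):
    """Key-side vector v := (1, ID, ID^2, ..., ID^(n-1)); its first coordinate is 1."""
    return [pow(ident, k, q) for k in range(n)]


def ibbe_can_decrypt(ident, ids, n, q=Q):
    """IBBE: the key for ID opens a ciphertext for S iff ID in S, i.e. p(ID) = 0,
    i.e. R_ZIPE(v, x) = 1."""
    return r_zipe(encode_identity(ident, n, q), encode_set(ids, n, q), q)


def ibr_can_decrypt(ident, ids, n, q=Q):
    """IBR: S is the revoked set; the key for ID opens the ciphertext iff ID is not
    in S, i.e. R_NIPE(v, x) = 1."""
    return r_nipe(encode_identity(ident, n, q), encode_set(ids, n, q), q)


if __name__ == "__main__":
    revoked = [5, 7]           # constructed sample identity set
    x = encode_set(revoked, 4)
    print("x_n =", x[-1], " v_1 =", encode_identity(9, 4)[0])
    print("IBBE: 5 ->", ibbe_can_decrypt(5, revoked, 4), " 9 ->", ibbe_can_decrypt(9, revoked, 4))
    print("IBR:  5 ->", ibr_can_decrypt(5, revoked, 4), " 9 ->", ibr_can_decrypt(9, revoked, 4))
```

The dummy-root padding is what keeps the degree, and hence $x_n$, fixed when $|S| < n - 1$; since the dummies lie outside the identity space they can never be mistaken for a member of S.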
[Correctness] Using the alternate decryption Dec , F = e(c, k) = g

Theorem 5 The proposed ZIPE scheme is adaptively fully-attribute-hiding against chosen plaintext attacks under the DLIN assumption. For any machine A, there exist probabilistic machines , whose running times are essentially the same as that of A, such that for any security parameter λ, Adv ZIPE,AH , ν is the maximum number of A's key queries and $\epsilon := (29\nu + 17)/q$.
Proof Similarly to the proof of Theorem 1 in [27], the proof of Theorem 5 is reduced to that of Lemma 15.
First, we execute a preliminary game transformation from Game 0 (the original security game in Definition 6) to Game 0', which is the same as Game 0 except that a coin $t \xleftarrow{U} \{0,1\}$ is flipped before setup, and the game is aborted in the challenge step if t = s. We define that A wins with probability 1/2 when the game is aborted (and the advantage in Game 0' is Pr[A wins] − 1/2 as well). Since t is independent from s, the game is aborted with probability 1/2. Hence, the advantage in Game 0' is half of that in Game 0, i.e., Adv IPE,AH,0 ) in Game 0' since t is uniformly and independently generated.
As for the conditional probability with t = 0, it holds that, for any adversary A, there exist probabilistic machines $\mathcal{E}_1$ and $\mathcal{E}_2$, whose running times are essentially the same as that of A, such that for any security parameter λ, in Game 0', Pr[A wins and ν is the maximum number of A's key queries and $\epsilon := (6\nu + 5)/q$. This is obtained in the same manner as the weakly attribute-hiding security of the OT10 IPE in the full version of [25]: since the only difference between our IPE and the OT10 IPE is the dimension of the hidden subspaces, i.e., the former has 2n and the latter has n, the weakly attribute-hiding security of the OT10 IPE implies the security with t = 0 of our IPE.
As for the conditional probability with t = 1, i.e., Pr[A wins | t = 1], Lemma 15 holds. Therefore, Adv ZIPE,AH , where $\epsilon := (29\nu + 17)/q$.

Lemma 15 For any machine A, there exist probabilistic machines $\mathcal{E}_1$, $\mathcal{E}_{2\text{-}1}$ and $\mathcal{E}_{2\text{-}2}$, whose running times are essentially the same as that of A, such that for any security parameter λ, in Game 0' (described in the proof of Theorem 5), , ν is the maximum number of A's key queries and $\epsilon := (23\nu + 12)/q$.

Proof To prove Lemma 15, we consider the following 4ν + 3 games when t = 1. In Game 0', a part framed by a box indicates coefficients to be changed in a subsequent game. In the other games, a part framed by a box indicates coefficients which were changed in a game from the previous game.

Game 0'
Same as Game 0 except that a coin $t \xleftarrow{U} \{0,1\}$ is flipped before setup, and the game is aborted in the challenge step if t = s. In order to prove Lemma 15, we consider the case with t = 1.

The reply to a key query for $\vec{v}$ is: where $\delta, \varphi \xleftarrow{U} \mathbb{F}_q$. The challenge ciphertext for challenge plaintext $m := m^{(0)} = m^{(1)}$ and vectors $(\vec{x}^{(0)}, \vec{x}^{(1)})$ is: Here, we note that $c_3$ is independent from bit b.

Table 1 Comparison with IPE schemes in [4], where CT, SK, PH, AH, IP and DBDH stand for ciphertexts, secret-keys, payload-hiding, attribute-hiding, inner-product and decisional bilinear Diffie-Hellman, respectively

where a blank element in the matrix denotes $0 \in \mathbb{G}$. $\mathbb{B}_1$ is the dual orthonormal basis of

The definition of adaptively payload-hiding security and the advantage $\mathsf{Adv}^{\mathrm{HIPE,PH}}_{\mathsf{A}}(\lambda)$ of adversary A can be obtained through a straightforward extension of that of HIBE, e.g., [15], by replacing ID-matching with vector-orthogonality.

Theorem 6 The proposed HIPE scheme is adaptively payload-hiding against chosen plaintext attacks under the DLIN assumption. For any machine A, there exist probabilistic machines $\mathcal{E}_1$ and $\mathcal{E}_2$, whose running times are essentially the same as that of A, such that for any security parameter λ, Adv HIPE,PH , ν is the maximum number of adversary A's key queries, and $\epsilon = (11\nu + 6)/q$. Theorem 6 is proven similarly to Theorem 3.

Concluding remarks
The technique using special-type matrices shown in this paper can reduce the size of ciphertexts or secret-keys of the adaptively secure FE schemes in [25] from O(dn) to O(d), where d is the number of sub-universes of attributes and n is the maximal length of attribute vectors. The key-policy attribute-based encryption (ABE) system with constant-size ciphertexts [5] is selectively secure in the standard model. Therefore, it is an interesting open problem to realize an adaptively secure ABE scheme with constant-size ciphertexts.
Acknowledgments The authors would like to thank Sherman S.M. Chow for his invaluable comments and suggestions on our preliminary manuscript. We also appreciate the anonymous reviewers of CANS 2011 for their valuable comments.

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Appendix: Proofs of Lemmas
Proofs of Lemmas 2 and 3 in Sect. 5

For a positive integer x, let $[x] := \{1, \ldots, x\}$.

Lemma 2 L(w, n, F_q) and L(w, n, F_q) are subgroups of GL(wn, F_q).

Proof Below, we will show that L(w, n, F_q) is a subgroup of GL(wn, F_q). For L(w, n, F_q), the lemma is proven in the same manner as for L(w, n, F_q).
Based on the block partition of $X \in \mathbb{F}_q^{wn \times wn}$ into submatrices $X_{i,j} \in \mathbb{F}_q^{n \times n}$, i.e., $X := (X_{i,j})_{i,j \in [w]}$, we will define a permutation matrix. Since $X_{i,j} \in$ which corresponds to the $((i-1)n + k)$-th row. The swapping of the index pair $(i, k) \to (k, i)$ leads to a permutation π on the set $[wn]$ as $\pi : [wn] \to$ We denote the corresponding permutation matrix by , i.e., the left multiplication by it is equivalent to the permutation π on the rows (of X). Its inverse equals its transpose since it is a permutation matrix, and we see that the right multiplication by its inverse is equivalent to the permutation π on the columns (of X).

Let the conjugate set P(w, n, F_q) := • L(w, n, F_q) • −1 be the image of L(w, n, F_q) under this conjugation. Since the rows and columns are permuted by π, for $X := (X_{i,j})_{i,j \in [w]} \in$ L(w, n, F_q) with $X_{i,j}$ : where We see that P(w, n, F_q) is a subgroup of GL(wn, F_q). So, L(w, n, F_q) = −1 • P(w, n, F_q) • is also a subgroup of GL(wn, F_q). This completes the proof of Lemma 2.
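To make the row/column permutation in the proof of Lemma 2 concrete, here is an added Python example (not the paper's code). It builds the permutation π on [wn] induced by swapping the index pair (i, k) → (k, i), the corresponding permutation matrix (called P here, an assumed name since the paper's symbol is not reproduced in this text), and checks that $P^{-1} = P^T$, that conjugation $X \mapsto P X P^{-1}$ moves the entry at position $((i-1)n + k, (j-1)n + l)$ to $((k-1)w + i, (l-1)w + j)$, and that conjugation is a group homomorphism, which is why a subgroup of GL(wn, F_q) conjugates to a subgroup and back. The family with scalar blocks $X_{i,j} = u_{i,j} I_n$ used at the end only illustrates how block structure is rearranged (it becomes n copies of the w×w matrix U on the diagonal); it is not the paper's L(w, n, F_q), whose definition is not reproduced here. Indices are 0-based in the code and q = 101 is a constructed small modulus.

```python
# Added example (not from the paper): the index-swap permutation (i,k) -> (k,i)
# on a w x w array of n x n blocks, its permutation matrix P (assumed name), and
# the effect of conjugation X -> P X P^{-1}.  Indices are 0-based; q is a
# constructed small prime.
import random

Q = 101  # constructed small prime modulus standing in for q


def pi_swap(w, n):
    """pi on [wn] (0-based): row i*n + k of the block partition goes to k*w + i,
    i.e. the index pair (i, k) is swapped to (k, i)."""
    def pi(r):
        i, k = divmod(r, n)
        return k * w + i
    return pi


def perm_matrix(pi, size):
    """P with P[pi(r)][r] = 1, so that row r of X becomes row pi(r) of P X."""
    P = [[0] * size for _ in range(size)]
    for r in range(size):
        P[pi(r)][r] = 1
    return P


def matmul(A, B, q=Q):
    size = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(size)) % q for j in range(size)]
            for i in range(size)]


def transpose(A):
    return [list(col) for col in zip(*A)]


def identity(size):
    return [[int(i == j) for j in range(size)] for i in range(size)]


def conjugate(X, w, n, q=Q):
    """P X P^{-1}, using P^{-1} = P^T for a permutation matrix."""
    P = perm_matrix(pi_swap(w, n), w * n)
    return matmul(matmul(P, X, q), transpose(P), q)


def perm_inverse_is_transpose(w, n):
    P = perm_matrix(pi_swap(w, n), w * n)
    return matmul(P, transpose(P)) == identity(w * n)


def entry_moves_correctly(X, w, n, q=Q):
    """Entry (i*n+k, j*n+l) of X sits at (k*w+i, l*w+j) of P X P^T."""
    Y = conjugate(X, w, n, q)
    return all(Y[k * w + i][l * w + j] == X[i * n + k][j * n + l]
               for i in range(w) for j in range(w)
               for k in range(n) for l in range(n))


def conjugation_is_homomorphism(X, Y, w, n, q=Q):
    """P (X Y) P^{-1} = (P X P^{-1}) (P Y P^{-1}): products are preserved, so a
    subgroup of GL(wn, F_q) is carried to a subgroup, and back by P^{-1}."""
    lhs = conjugate(matmul(X, Y, q), w, n, q)
    rhs = matmul(conjugate(X, w, n, q), conjugate(Y, w, n, q), q)
    return lhs == rhs


def scalar_block_matrix(U, n, q=Q):
    """Illustrative family only (not the paper's L(w,n,F_q)): X with blocks
    X_{i,j} = u_{i,j} * I_n for a w x w matrix U = (u_{i,j})."""
    w = len(U)
    X = [[0] * (w * n) for _ in range(w * n)]
    for i in range(w):
        for j in range(w):
            for k in range(n):
                X[i * n + k][j * n + k] = U[i][j] % q
    return X


def is_block_diagonal_copies(Y, U, n, q=Q):
    """True iff Y = diag(U, ..., U) with n copies of the w x w matrix U."""
    w = len(U)
    for a in range(w * n):
        for b in range(w * n):
            ka, i = divmod(a, w)
            kb, j = divmod(b, w)
            expected = U[i][j] % q if ka == kb else 0
            if Y[a][b] != expected:
                return False
    return True


def random_matrix(size, q=Q, seed=1):
    """Constructed random matrix over F_q (deterministic seed for reproducibility)."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(size)] for _ in range(size)]
```

Run with w = 3, n = 4 (size 12): the checks hold for arbitrary matrices, and conjugating the scalar-block matrix exhibits the rearrangement from a w×w array of n×n blocks to an n×n array of w×w blocks that the proof relies on.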
Proof For the proof, we define an injective group homomorphism. We will show the following claim.

Preliminaries
Figure 1 shows the structure of the security reduction for Theorem 1, where the security of the scheme is hierarchically reduced to the intractability of the DLIN problem. Basic Problems 0, 1, 2 are defined below. The reduction steps indicated by arrows will be shown below, and the step given by the dotted arrow can be shown in the same manner as that in (the full version of) [25].

For the proofs of Lemmas 4 and 5, we give the following intermediate problem, Basic Problem 0 (Definition 10), and Lemma 16. (In [25], an additional element $\delta \xi G$ is included in an output of Basic Problem 0 for the shorter dimension 3n + 1 instead of 4n. Here, it is not necessary.) where for $\beta \xleftarrow{U} \{0,1\}$. For a probabilistic machine D, the advantage of D for Basic Problem 0, $\mathsf{Adv}^{\mathrm{BP0}}_{\mathsf{D}}(\lambda)$, is defined similarly to Definition 8.

Lemma 16 For any machine D, there is a probabilistic machine E, whose running time is essentially the same as that of D, such that for any security parameter λ,

Proof We note that the dual bases (B, B*) in Basic Problem 0 are generated by a general linear matrix $X \xleftarrow{U} GL(3, \mathbb{F}_q)$, so Lemma 16 is proven in a similar manner to the security proof of Basic Problem 0 in [25].

The following Remark 16 is for the proofs of Lemmas 17 and 19.

Proof of Lemma 4
Lemma 4 For any machine B, there exists a probabilistic machine E, whose running time is essentially the same as that of B, such that for any security parameter λ,

Proof At the top level, the proof of Lemma 4 is similar to the security proof of Problem 1 in [25]. The main difference is that the special-form matrices of Eq. (3) are used for generating master public and secret keys in our schemes. One key fact for the security reduction is that L(4, n, F_q) is a subgroup of GL(4n, F_q) (Lemma 2).

For the proof of Lemma 4, we give the following intermediate problem, Basic Problem 1 (Definition 11). From Lemmas 16, 17 and 18, we obtain Lemma 4.

Based on Remark 4, hereafter, we consider the output of ) and also we give the output of Basic Problem 1 as such a vector form over bases $\{\mathbb{B}_t\}_{t=0,1}$.

Definition 11 (Basic
for $\beta \xleftarrow{U} \{0,1\}$. For a probabilistic machine C, we define the advantage of C for Basic Problem 1, $\mathsf{Adv}^{\mathrm{BP1}}_{\mathsf{C}}(\lambda)$, as in Definition 8.

Lemma 17 For any machine C, there is a probabilistic machine D, whose running time is essentially the same as that of C, such that for any security parameter λ,

Proof D is given a Basic Problem 0 instance By using $\mathrm{param}_{\mathbb{G}} := (q, \mathbb{G}, \mathbb{G}_T, G, e)$ underlying $\mathrm{param}_{\mathrm{BP0}}$, D calculates where $g_T$ is contained in $\mathrm{param}_{\mathrm{BP0}}$.

Proof of Lemma 5
Lemma 5 For any machine B, there exists a probabilistic machine E, whose running time is essentially the same as that of B, such that for any security parameter λ,

Proof Similarly to Lemma 4, we employ the fact that L(4, n, F_q) is a subgroup of GL(4n, F_q) (Lemma 2) in the proof. For the proof of Lemma for $\beta \xleftarrow{U} \{0,1\}$. For a probabilistic machine C, we define the advantage of C for Basic Problem 2, $\mathsf{Adv}^{\mathrm{BP2}}_{\mathsf{C}}(\lambda)$, as in Definition 8.

Lemma 19
For any machine C, there is a probabilistic machine D, whose running time is essentially the same as that of C, such that for any security parameter λ, $\mathsf{Adv}^{\mathrm{BP2}}_{\mathsf{C}}(\lambda) \le \mathsf{Adv}^{\mathrm{BP0}}_{\mathsf{D}}(\lambda)$.

In light of the adversary's view, both (B, B*) and (D, D*) are consistent with the public key $\mathrm{pk} := (1^\lambda, \mathrm{param}_{\mathbb{V}}, \mathbb{B})$. Therefore, $\{k^{(j)*}\}_{j=1,\ldots,\nu}$ and c above can be expressed as keys and ciphertext in two ways, in Game 2-ν over bases (B, B*) and in Game 3 over bases (D, D*). Thus, Game 2-ν can be conceptually changed to Game 3.

← 2 Enc(pk, $m^{(b)}$, $\vec{x}$). It gives $\mathrm{ct}^{(b)}_{\vec{x}}$ to the adversary. Phase The adversary is allowed to adaptively issue a polynomial number of queries, $\vec{v}$, to the challenger or oracle KeyGen(pk, sk, ·) for private keys, $\mathrm{sk}_{\vec{v}}$, associated with $\vec{v}$, provided that $R(\vec{v}, \vec{x}) = 1$. Guess The adversary outputs a guess $b'$ of $b$. The advantage of adversary A in the above game, $\mathsf{Adv}^{\mathrm{ZIPE,PH}}_{\mathsf{A}}(\lambda)$ (or $\mathsf{Adv}^{\mathrm{NIPE,PH}}_{\mathsf{A}}(\lambda)$), is defined by $\Pr[b' = b] - 1/2$ for any security parameter λ. A ZIPE (or NIPE) scheme is adaptively payload-hiding secure if all polynomial-time adversaries have at most a negligible advantage in the game.

2 The challenger flips a coin $b \xleftarrow{U} \{0,1\}$, and computes $\mathrm{ct}_{\vec{x}^{(b)}} \xleftarrow{R}$ Enc(pk, $m^{(b)}$, $\vec{x}^{(b)}$). It gives $\mathrm{ct}_{\vec{x}^{(b)}}$ to the adversary. Phase The adversary is allowed to adaptively issue a polynomial number of queries, $\vec{v}$, to the challenger or oracle KeyGen(pk, sk, ·) for private keys, $\mathrm{sk}_{\vec{v}}$, associated with $\vec{v}$, provided that $R(\vec{v}, \vec{x}^{(0)}) = 1$ and $R(\vec{v}, \vec{x}^{(1)}) = 1$. The advantage of adversary A in the above game, $\mathsf{Adv}^{\mathrm{ZIPE,wAH}}_{\mathsf{A}}(\lambda)$, is defined by $\Pr[b' = b] - 1/2$ for any security parameter λ. A ZIPE scheme is adaptively weakly-attribute-hiding secure if all polynomial-time adversaries have at most a negligible advantage in the game.

A (λ) is equivalent to $\mathsf{Adv}^{\mathrm{NIPE,PH}}_{\mathsf{A}}(\lambda)$ and it is obtained that Adv is the maximum number of A's key queries and $\epsilon := (11\nu + 6)/q$. Theorem 2 is proven similarly to Theorem 1.

with $w = 5$ in Sect. 10, we describe $\mathcal{G}^{\mathrm{ZIPE,CT}}_{\mathrm{ob}}$ for general $w$. (We use only the cases with $w = 4, 5$.)

A (λ) is equivalent to $\mathsf{Adv}^{\mathrm{ZIPE,PH}}_{\mathsf{A}}(\lambda)$ and Adv

A (λ) is equivalent to $\mathsf{Adv}^{\mathrm{ZIPE,wAH}}_{\mathsf{A}}(\lambda)$ and Adv

$\mathsf{Adv}^{(3)}_{\mathsf{A}}(\lambda) = 0$. We can evaluate the gaps between pairs of Adv for h = 1, ..., ν using (variants of) Problems 1 and 2 as in the proof of Theorem 1. The following Lemma 14 gives a gap evaluation between Adv

Fig. 1 Structure of reductions for Theorem 1