Decentralized multi-client functional encryption for set intersection with improved efficiency

Functional encryption (FE) is a new paradigm of public key encryption that can control the exposed information of plaintexts by supporting computation on encrypted data. In this paper, we propose efficient multi-client FE (MCFE) schemes that compute the set intersection of ciphertexts generated by two clients. First, we propose an MCFE scheme that calculates the set intersection cardinality (MCFE-SIC) and prove its static security under dynamic assumptions. Next, we extend our MCFE-SIC scheme to an MCFE scheme for set intersection (MCFE-SI) and prove its static security under dynamic assumptions. The decryption algorithm of our MCFE-SI scheme is more efficient than the existing MCFE-SI scheme because it requires fewer pairing operations to calculate the intersection of two clients. Finally, we propose a decentralized MCFE scheme for set intersection (DMCFE-SI) that decentralizes the generation of function keys. Our MCFE schemes can be effectively applied to a privacy-preserving contact tracing system to prevent the spread of recent infectious diseases.


Introduction
Functional encryption (FE) is a cryptographic technique that supports a controlled functional evaluation on encrypted data and has an interesting feature that the result of the function evaluation is directly revealed in the decryption [13].In FE, a user creates a ciphertext CT for a plaintext x using a public key, and an entity who possesses a function key DK f for a function f issued by a trusted center can obtain f (x) by decrypting the ciphertext.As interesting extensions of FE, multi-input FE (MIFE) that handles multiple ciphertexts during decryption and multi-client FE (MCFE) that provides independent encryption keys for each client were proposed [20].FE schemes that support arbitrary functions can be constructed by using indistinguishability obfuscation, but indistinguishability obfuscation is still inefficient to implement.In order to construct efficient FE schemes, research on FE that supports only special functions instead of general functions has been actively conducted [3,5,7].
Recently, FE schemes that support the set intersection operation were proposed [32,37].An interesting application of the FE schemes for set intersection is privacy-preserving contact tracing [1], which allows a user to check the possibility of contact with a confirmed patient while preserving the location privacy of the user.A specific example is as follows.First, a hospital cloud server encrypts and stores the visited places of a confirmed patient by associating with time periods.If a user wants to know whether he or she has been in contact with the confirmed patient, the user encrypts visited places associated with time periods and uploads them to the cloud server.Then, the cloud server receives a function key that computes the set intersection cardinality between the confirmed patient and the user, and calculates the cardinality of an intersection set between them.If the cardinality has a positive value, then the cloud server notifies the user that the probability of contact is high.In the later, if the user wants to determine the exact intersection place, the user can calculate the intersection by requesting a function key for set intersection.
The first FE schemes for set intersection were proposed by Kamp et al. [37], but their schemes have some problems such that the result of set intersection is publicly revealed to anybody since there is no function key and the setup algorithm should be independently performed among all pairs of clients.To solve these problems, Lee and Seo proposed MCFE for set intersection (MCFE-SI) schemes that support the generation of function keys between multiple clients after running the setup algorithm just once initially [32].They designed their MCFE-SI schemes in bilinear groups by inventing the equal-then-derive technique.That is, a client with an index i who has a set X = {x k } of items creates a ciphertext element H(x k ) α i for each item, and it additionally sets a temporal key K = e(H(x k ), ĝ) β i as a symmetric key to encrypt an item x k .If both i and j clients encrypt the equal item x, then the temporal key K = e(H(x) α i H(x) α j , ĝβ i /(α i +α j ) ) can be derived if a function key ĝβ i /(α i +α j ) is provided.
In this paper, we intend to improve the performance and functionality of the MCFE-SI schemes of Lee and Seo [32].The first problem with the MCFE-SI schemes of Lee and Seo is that their decryption algorithm is inefficient.In other words, the decryption algorithm of their MCFE-SI schemes require the process of decrypting all combinations of ciphertext elements of two clients i and j and checking that a correct value is derived.Thus, this decryption algorithm requires approximately ℓ 2 pairing operations where ℓ is the number of items in a set, and it causes a serious problem in performance when the number of items increases.The second problem is that their MCFE-SI schemes require a trusted center to generate function keys.The existence of a trusted center can hinder the deployment of this system to the real environment since there are issues such that a central authority can monitor the activities of users.Therefore, in this paper, we ask whether it is possible to design an MCFE-SI scheme that supports efficient decryption and decentralized function key generation.Let λ be a security parameter, n be the number of users, and ℓ be the number of items in a set.We use |G| for the bit size of a group element in G.We use symbols H for a map-to-point hash operation, E for an exponentiation operation, and P for a pairing operation.

Our Contributions
In this paper, we devise efficient MCFE-SI schemes and give positive answers to the preceding questions.
The detailed results of our contributions are summarized as follows.
MCFE for Set Intersection Cardinality.We first propose an MCFE for set intersection cardinality scheme (MCFE-SIC) that calculates the cardinality of the intersection of two client's sets.To support the set intersection cardinality, we use the ciphertext structure of the MCFE-SI scheme proposed by Lee and Seo [32] and modify their scheme to provide a new function key to check whether the ciphertext elements generated by different clients contain equal items.At this time, in order to test the equality of the ciphertext elements generated by different clients, we notice that the ciphertext structure of Lee and Seo uses an algebraic pseudo-random function (PRF) which is defined as H(x) α i where x is an item and α i is the secret key of an i-index client and H is a hash function.If a function key is provided as ( ĝα i r , ĝα j r ) where r is a random exponent, it is possible to check whether the ciphertext elements of two clients i and j are encryption of the same item through the equation e(H(x) α i , ĝα j r ) = e(H(x) α j , ĝα j r ) by using a pairing operation.The decryption algorithm of this scheme additionally exposes the equality pattern between ciphertext elements in addition to the set intersection cardinality.The ciphertext of our MCFE-SIC scheme consists of ℓ ciphertext elements, the function key consists of two group elements, and the decryption algorithm requires 2ℓ pairing operations and O(ℓ log ℓ) comparison operations for sorting where ℓ is the number of items in a set.
MCFE for Set Intersection.Next, we propose an MCFE for Set Intersection (MCFE-SI) scheme with improved decryption performance compared to the previous MCFE-SI scheme.The idea of improving the decryption performance is to efficiently find a matching pair of ciphertext elements that contain the same item from two client ciphertexts by using the function key of our MCFE-SIC scheme.To decrypt the ciphertext elements of the actual set item in the ciphertext, we use the same equal-then-derive method proposed by Lee and Seo [32].That is, when two matching ciphertext elements of two clients are H(x) α i and H(x) α j , we can derive a temporal key K = e(H(x) α i H(x) α j , ĝβ i /(α i +α j ) ) = e(H(x), ĝ) β i for symmetric-key decryption if a function key ĝβ i /(α i +α j ) is provided.To analyze the security of our MCFE-SI scheme, we prove the security of our scheme by using newly introduced complexity assumptions in the static-IND security model in which function key queries, corrupted clients, and challenge messages are initially submitted by an attacker.Compared to the MCFE-SI scheme of Lee and Seo that requires ℓ 2 pairing operations in decryption, Our MCFE-SI scheme is more efficient since the decryption algorithm requires only 2ℓ pairing operations and O(ℓ log ℓ) comparison operations where ℓ is the number of items in a set.The comparison of our MCFE schemes with other similar schemes is given in Table 1.
Decentralized MCFE for Set Intersection.Finally, we propose a decentralized MCFE scheme for set intersection (DMCFE-SI) that removes the trusted center that generates function keys in our MCFE-SI scheme.The function key of our MCFE-SI scheme is composed of two key elements ĝα i r and ĝα j r for calculating the set intersection cardinality and one key element ĝβ i /(α i +α j ) for deriving a temporal key.The difficulty of decentralizing the generation of function keys is that two clients i and j should select the same random exponent r and the exponent inverse operation (α i + α j ) −1 which includes client secret keys should be decentralized.To select the same random exponent, each client exposes a public key and runs the Diffie-Hellman non-interactive key exchange scheme between two clients.Decentralizing the exponent inverse operation cannot be solved in a simple way.To solve this problem, each client creates an encoded secret key by encrypting a secret key with one-time pad, and an entity that combines the partial function keys to perform the exponent inversion operation by itself after combining the encoded secret keys of two clients.We can prove the security of our DMCFE-SI scheme because the additionally exposed encoded secret keys are information theoretically secure.

Related Work
Functional Encryption.Boneh, Sahai, and Waters [13] introduced the concept of functional encryption (FE) as a new paradigm for public key encryption.They showed that identity-based encryption [12], attribute-based encryption [23,34], and predicate encryption [14,28] are all special forms of FE.The first FE scheme that supports arbitrary functions was designed by Garg et al. [19] by using indistinguishability obfuscation, public-key encryption, and non-interactive zero-knowledge proof.In addition, there have been various attempts to design FE schemes that support arbitrary functions with bounded collusion by using weaker cryptographic primitives instead of using indistinguishability obfuscation [21,22].In order to improve the practicality of FE schemes, an FE scheme for inner-products (FE-IP) that support the inner product operation between attributes in a ciphertext and a function key was proposed by Abdalla et al. [3].
Since then, the research on FE-IP has been expanded to support function hiding, full security, and quadratic functions [7,9,10].
Multi-Input and Multi-Client Functional Encryption.Goldwasser et al. [20] extended the concept of FE that handles only one ciphertext in decryption to the concept of multi-input functional encryption (MIFE) and multi-client functional encryption (MCFE) that support the evaluation of a function on multiple ciphertexts.They also showed that these MIFE and MCFE schemes can be constructed by using indistinguishability obfuscation.MIFE and MCFE are the same in terms of processing multiple ciphertexts, but MCFE has an important difference in that ciphertexts are additionally associated time periods and only ciphertexts associated with the same time period are processed during decryption.The research on FE-IP has been expanded to support multiple inputs, multiple clients, and decentralized key generation [2,4,5,15,31].In addition, FE for quadratic function also can be extended to support multiple inputs [6].As another efficient MCFE schemes, MCFE schemes that support the set intersection operation and MCFE scheme that support conjunctive equality and range query operations between multiple clients have been proposed [30,32,37].
Private Set Intersection.Private set intersection (PSI) is a cryptographic technique that allows two parties compute the intersection of their private sets without revealing any other information of the sets.Compared to an FE scheme that supports the set intersection operation, a PSI protocol requires additional interactions between two parties when calculating the set intersection.A simple way to implement a PSI protocol is to use the Diffie-Hellman key exchange protocol, which is efficient in the terms of communication, but it requires public key operations [26].A PSI protocol by using oblivious polynomial evaluation that expresses sets as polynomials was proposed by Freedman et al. [17].After that, oblivious PRF based PSI protocols, garbled circuit based PSI protocols, and oblivious transfer based PSI protocols have been proposed [24,25,29,33].In order to reduce the communication overhead of PSI protocols, delegated PSI protocols in which a cloud server performs most of the computation of clients were proposed [27].Recently, private set intersection cardinality (PSI-CA) protocols for contact tracing have been proposed [16,36].

Preliminaries
In this section, we define functional encryption, symmetric-key encryption, and pseudo-random function.
We also introduce complexity assumptions to prove the security of our functional encryption schemes.

Multi-Client Functional Encryption
Multi-client functional encryption (MCFE) is an extension of functional encryption (FE) that supports computation on encrypted data, and it requires a client secret key for encryption and handles multiple ciphertexts during decryption [20].In MCFE, the client of an index i encrypts a plaintext x i with a time label T using the client secret key SK i to generate a ciphertext CT i,T .Subsequently, an entity who has a function key DK f for a function f decrypts ciphertexts CT 1,T , . . .,CT n,T with the same time label T and obtains a decrypted result f (x 1 , . . ., x n ).The IND security model of MCFE is defined by Goldwasser et al. [20].A more detailed syntax of MCFE is given as follows.
Definition 2.1 (Multi-Client Functional Encryption).A multi-client functional encryption (MCFE) scheme consists of four algorithms Setup, GenKey, Encrypt, and Decrypt, which are defined as follows: Setup(1 λ , n).The setup algorithm takes as input the security parameter λ in unary and the number of clients n.It outputs a master key MK, client secret keys (SK 1 , . . ., SK n ), and public parameters PP.

GenKey( f , MK, PP).
The key generation algorithm takes as input a function f , the master key MK, and public parameters PP.It outputs a function key DK f .
Encrypt(x, T, SK i , PP).The encryption algorithm takes as input a message x, a time period T , a client secret key SK i , and public parameters PP.It outputs a ciphertext CT i,T .
Decrypt((CT 1,T , . . .,CT n,T ), DK f , PP).The decryption algorithm takes as input ciphertexts (CT 1,T , . . .,CT n,T ) in which each CT i,T is an encryption of a message x i on the same time period T , a function key DK f corresponding to a function f , and public parameters PP.It outputs a value f (x 1 , . . ., x n ).
The correctness of the MCFE scheme is defined as follows: For all (MK, (SK 1 , . . .,

Symmetric Key Encryption
Symmetric key encryption (SKE) is an encryption method that uses the same key for encryption and decryption.The general security model of SKE is the IND security model that allows multiple challenge ciphertext queries.For this paper, we use a one-message IND security model that only allows only one challenge ciphertext query.The detailed syntax of SKE is given as follows.
Definition 2.2 (Symmetric Key Encryption).A symmetric key encryption (SKE) scheme consists of three algorithms GenKey, Encrypt, and Decrypt, which are defined as follows: GenKey(1 λ ).The key generation algorithm takes as input the security parameter λ .It outputs a symmetric key K.
Encrypt(M, K).The encryption algorithm takes as input a message M ∈ M and the symmetric key K.It outputs a ciphertext C.
Decrypt(C, K).The decryption algorithm takes as input a ciphertext CT and the symmetric key K.It outputs a message M or a symbol ⊥.
The correctness of the SKE scheme is defined as follows: For all K generated by GenKey and any message M ∈ M, it is required that Decrypt(Encrypt(M, K), K) = M.

Pseudo-Random Function
A pseudo-random function (PRF) is a function F : K × X → Y where K is a key space, X is a domain, and Y is a codomain.Let F(k, •) be an oracle for a uniformly chosen k ∈ K and f (•) be an oracle for a uniformly chosen function f : X → Y.We say that a PRF F is secure if for all efficient adversaries A, the advantage of A defined as is negligible in the security parameter λ .

Bilinear Groups
A bilinear group generator G takes as input a security parameter λ and outputs a tuple (p, G, Ĝ, G T , e) where p is a random prime and G, Ĝ, and G T are three cyclic groups of prime order p.Let g and ĝ be generators of G and Ĝ, respectively.The bilinear map e : G × Ĝ → G T has the following properties: 2. Non-degeneracy: ∃g ∈ G, ĝ ∈ Ĝ such that e(g, ĝ) has order p in G T .
We say that G, Ĝ, G T are asymmetric bilinear groups with no efficiently computable isomorphisms if the group operations in G, Ĝ, and G T as well as the bilinear map e are all efficiently computable, but there are no efficiently computable isomorphisms between G and Ĝ.

Complexity Assumptions
We introduce complexity assumptions necessary to prove the security of our MCFE schemes.These complexity assumptions are dynamic assumptions that are defined depending on the key queries of an attacker.Note that these assumptions are slight modifications of the assumptions introduced by Lee and Seo [32].We analyze that these complexity assumptions hold in the generic group model in Section 7.
Let n be a positive integer, ρ be a target index such that ρ ∈ [n], and Q = {(i, j)} be a set of index pairs that i, j ∈ [n] and i < j.From n, ρ, and Q, we define an index set This set can be computed by using the function ComputeJ which is described as follows: For example, if we let n = 4, ρ = 2, and Q = {(1, 4), (2, 3), (2, 4)}, then we obtain J = {1} since (1, 2) / ∈ Q, (2, 3) ∈ Q, and (2, 4) ∈ Q. Assumption 1.Let (p, G, Ĝ, G T , e) be a bilinear group randomly generated by G(1 λ ).Let g, ĝ be random generators of G, Ĝ respectively.Let n, ρ, Q, J be defined above.The Assumption 1 for (n, ρ, Q, J) is that if the challenge tuple D = (p, G, Ĝ, G T , e), g, g a , {g b i } n i=1 , {g ab k } k∈J , ĝ, {( ĝb i c i, j , ĝb j c i, j )} (i, j)∈Q and Z are given, no probabilistic polynomial-time (PPT) algorithm A can distinguish Z = Z 0 = g ab ρ from Z = Z 1 = g d with more than a negligible advantage.The advantage of A is defined as Adv where the probability is taken over random choices of parameters to A and over the coin tosses of A.
Assumption 2. Let (p, G, Ĝ, G T , e) be a bilinear group randomly generated by G(1 λ ).Let g, ĝ be random generators of G, Ĝ respectively.Let n, ρ, Q, J be defined above.The Assumption 2 for (n, ρ, Q, J) is that if the challenge tuple D = (p, G, Ĝ, G T , e), g, g a , {g b i } n i=1 , {g ab k } k∈J , ĝ, {( ĝb i c i, j , ĝb j c i, j , ĝ1/(b i +b j ) )} (i, j)∈Q and Z are given, no probabilistic polynomial-time (PPT) algorithm A can distinguish Z = Z 0 = g ab ρ from Z = Z 1 = g d with more than a negligible advantage.The advantage of A is defined as where the probability is taken over random choices of parameters to A and over the coin tosses of A. Assumption 3. Let (p, G, Ĝ, G T , e) be a bilinear group randomly generated by G(1 λ ).Let g, ĝ be random generators of G, Ĝ respectively.Let n, ρ, Q be defined above.The Assumption 3 for (n, ρ, Q) is that if the challenge tuple D = (p, G, Ĝ, G T , e), g, g a , {g b i } n i=1 , {g ab k } 1≤k̸ =ρ≤n , ĝ, {( ĝb i c i, j , ĝb j c i, j , ĝd i /(b i +b j ) )} (i, j)∈Q , { ĝd i } 1≤i̸ =ρ≤n , e(g, ĝ) d ρ and Z are given, no probabilistic polynomial-time (PPT) algorithm A can distinguish Z = Z 0 = e(g, ĝ) ad ρ from Z = Z 1 = e(g, ĝ) f with more than a negligible advantage.The advantage of A is defined as where the probability is taken over random choices of parameters to A and over the coin tosses of A.

MCFE for Set Intersection Cardinality
In this section, we define the syntax and security model of MCFE that calculates the set intersection cardinality.And then we propose an efficient MCFE-SIC scheme by using a bilinear map and analyze the security of our scheme.

Definition
We define the syntax of MCFE for set intersection cardinality (MCFE-SIC).MCFE-SIC is a special form of FE and supports a function key for calculating the set intersection cardinality in which a ciphertext is associated with a time label T and each client has its own secret key SK i for encryption.In MCFE-SIC, a trusted center creates client secret keys and public parameters.After that, an individual client associates an item set X i with a time label T and generate a ciphertext CT i,T by using its secret key SK i .A third entity who wants to calculate the set intersection cardinality receives a function key DK for client indexes (i, j) from the trusted center.After that, the third entity decrypts the ciphertexts of the i-index client and the j-index client by using the function key, and obtains the value |X i ∩ X j |.The detailed syntax of MCFE-SIC is described as follows.
Definition 3.1 (MCFE for Set Intersection Cardinality).A multi-client functional encryption for set intersection cardinality (MCFE-SIC) scheme for an item space D and a time space T consists of four algorithms Setup, GenKey, Encrypt, and Decrypt, which are defined as follows: Decrypt(CT i,T ,CT j,T , DK f , PP).The decryption algorithm takes as input two ciphertexts CT i,T and CT j,T for the same time T , a function key DK f for a function f = (i, j), and public parameters PP.It outputs |X i ∩ X j | where X i and X j are associated with CT i,T and CT j,T respectively.
The correctness of the MCFE-SIC scheme is defined as follows: For all MK, (SK i ) n i=1 , PP ← Setup(1 λ , n), any DK f ← GenKey( f , MK, PP) of a function f = (i, j), and all CT i,T ← Encrypt(X i , T, SK i , PP) and CT j,T ← Encrypt(X j , T, SK j , PP) for any X i , X j and the same time period T , it is required that • Decrypt(CT i,T ,CT j,T , DK f , PP) = |X i ∩ X j | except with negligible probability.
We define the IND security model of MCFE-SIC.The security model of MCFE was first defined by Goldwasser et al. [20].For the security model of MCFE-SIC, we use the static IND security model of MCFE-SI defined by Lee and Seo with slight modification [32].The static IND security model defined by Lee and Seo is a security model in which an attacker fixes function key queries and a list of corrupted clients in advance and submits the target challenge sets X * 0 and X * 1 in advance.At this time, we set a constraint that the cardinality of set intersection exposed in the challenge sets is the same even if many function keys are provided to an attacker.We consider a limited security model in which the cardinality of set intersections and the equality patterns of the challenge ciphertexts are exposed when an attacker decrypts the challenge ciphertexts using function keys.
We first define a function CSIC((X k ) k∈I , Q) for a tuple (X k ) k∈I of item sets X k and a set Q = {(i, j)} that computes the set intersection cardinality of X i and X j for each (i, j) ∈ Q as follows: Additionally, we define a function CSIP((X k ) k∈I , Q) for a tuple (X k ) k∈I of item sets X k and a set Q = {(i, j)} that computes the set intersection pattern of X i and X j for each (i, j) ∈ Q as follows: For each i ∈ I: Calculate P i by calling CSIPA(i, (X k ) k∈I , Q). 2. Output a tuple (P i ) i∈I of pattern multisets.
For example, if we let n = 3, (X 1 = {a, b, c}, X 2 = {b, c}, X 3 = {c, a}), and 1. Init: A initially submits an index set I ⊂ [n] of corrupted clients.Let I = {1, . . ., n} \ I be an index set of uncorrupted clients.A also submits two challenge tuples (X * 0,k ) k∈I and (X * 1,k ) k∈I of item sets X * b,k = {x b,k, j }, a challenge time period T * , and a set Q = {(i, j)} of function key queries with the three restrictions such that (a) i, j ∈ I for each 2. Setup: C generates a master key MK, client secret keys (SK i ) n i=1 , and public parameters PP by running Setup(1 λ , n).It keeps MK and (SK i ) i∈I to itself and gives (SK i ) i∈I and PP to A.

3.
Challenge: C flips a random bit µ ∈ {0, 1} and obtains a ciphertext CT i,T * by running Encrypt(X * µ,i , T * , SK i , PP) for each i ∈ I. C gives the challenge ciphertexts (CT i,T * ) i∈I to A 4. Query: A requests function keys and ciphertexts.C handles these queries as follows: • If this is a function key query for a function f = (i, j) ∈ Q, then C gives a function key DK f to A by running GenKey( f , MK, PP).
• If this is a ciphertext query for a client index k ∈ I, an item set X k , and a time period T ̸ = T * , then C gives a ciphertext CT k,T to A by running Encrypt(X k , T, SK k , PP).
An MCFE-SIC scheme is static-IND secure with corruptions if for all PPT adversary A, the advantage of is negligible in the security parameter λ .

Construction
The basic idea of designing an MCFE scheme that computes the set intersection cardinality of two clients is to provide a function key that can check whether ciphertext elements generated by two clients are related to the same item.For this, we can consider to provide a function key ( ĝα i , ĝα j ) because ciphertext elements are in the form of H(T ∥x) α i and H(T ∥x) α j .In this case, by deriving the same e(H(T ∥x), ĝ) α i ,α j through the pairing operation, it is possible to compare whether the ciphertext elements are associated to the same item x.However, providing a function key in this simple form has the risk of a collusion attack, so we provide a function key ( ĝα i r , ĝα j r ) with additional randomization to prevent the collusion attack.In this case, only the set intersection of two clients i and j can be compared due to the additionally included random exponent, and comparison with the ciphertexts of other clients is impossible.An MCFE-SIC scheme is described as follows: of prime order p with random generators g ∈ G and ĝ ∈ Ĝ.It chooses a hash function It selects a random exponent r ∈ Z p and outputs a function key Encrypt(X i , T, SK i , PP).Let X i = {x i,1 , . . ., x i,ℓ i } be a set of items where It chooses a random permutation π and outputs a ciphertext k=1 by implicitly including i, T .

It prepares two sets
k=1 and computes the intersection S = E i ∩ E j by comparing group elements.
3. It outputs the cardinality of S by counting the number of elements.

Correctness
We show the correctness of the MCFE-SIC scheme.For this, it is sufficient to show that the same group element is derived by combining a ciphertext element and a function key when the items of two clients are the same.We can derive the following equation when the item x of the client i and the item x ′ of the client j are the same.

Security Analysis
We define a function CIQ((X k ), Q) for a tuple (X k ) of item sets and a set Q = {(i, j)} of index pairs that computes the collected intersection of X i and X j for each (i, j) ∈ Q as follows: For each x ∈ Y : Add x to E i and E j respectively.3. Output a tuple (E i ) i∈I of common sets.Proof.Suppose there exists an adversary that breaks the static-IND security of the MCFE-SIC scheme with no corruptions.We can assume that I = {1, . . ., n} and where µ is the challenge random bit of the security game.To argue that the adversary cannot win this game, we define a sequence of hybrid games G 0 , and G 1 .The game G i is defined as follows: Game G 0 .The first game G 0 is the original security game defined in Definition 3.2.
Game G 1 .This game G 1 is similar to the game G 0 except that the challenge ciphertext components {C i,k } are generated as random for all Let S G i A be the event that an adversary wins in a game G i .From the following lemmas 3.2 and 3.3, we obtain the following result where n is the number of clients, ℓ is the maximum size of the challenge item set.This completes our proof.
Lemma 3.2.If the Assumption1 for (n, ρ, Q, J) holds, then no polynomial-time adversary can distinguish between G 0 and G 1 with a non-negligible advantage.
Proof.To prove this lemma, we additionally define hybrid games The game H ρ,δ is defined as follows: Game H ρ,δ .This game H ρ,δ is almost identical to the game G 1 except the generation of the components {C i,k } in the challenge ciphertexts. • Suppose there exists an adversary A that distinguishes between H ρ,δ −1 and H ρ,δ with a non-negligible advantage.Without loss of generality, we assume that A simulator B that solves the Assumption 1 for (n, ρ, Q, J) is described as follows: Init: A submits challenge tuples (X * 0,1 , . . ., X * 0,n ) and (X * 1,1 , . . ., X * 1,n ), a challenge time period T * , and a set Q = {(i, j)} of function key queries.B proceeds as follows: 1. From n, ρ, Q, it derives an index set J by calling ComputeJ(n, ρ, Q).

It receives a challenge tuple
) and Z of the Assumption 1 for (n, ρ, Q, J) where Z = g ab ρ or Z = R ∈ G.

It flips a random bit µ ∈ {0, 1} internally and derives a tuple
It prepares a hash table H-list for the H hash function as the empty set.For each i ∈ [n] and k ∈ [ℓ i ], it updates the H-list as follows: • Case i = ρ and k = δ : It adds (T * ∥x * µ,ρ,δ , −, g a ) to the H-list.Challenge: B creates challenge ciphertexts CT 1,T * , . . .,CT n,T * as follows: 1.For each i ∈ [n] and k ∈ [ℓ i ], it generates ciphertext elements C i,k depending on the following cases: from the H-list and sets C i,k = g ab i .For this case, we show that g ab i is given in the assumption.If a function key for (i, ρ) was queried, we have x * µ,ρ,δ ∈ E * ρ by the definition of CIQ.However, we assumed that x * µ,ρ,δ / ∈ E * ρ for this game.Thus a function key for (i, ρ) was not queried and it means that i ∈ J by the definition of J. - ) from the H-list and creates from the H-list and sets C i,k = g ab i .For this case, we show that g ab i is given in the assumption.If a function key for f = (ρ, i) was queried, we have x * µ,ρ,δ ∈ E * ρ by the definition of CIQ.However, we assumed that x * µ,ρ,δ / ∈ E * ρ for this game.Thus a function key for f = (ρ, i) was not queried and it means that i ∈ J by the definition of J. - , it chooses a random permutation π i and sets CT i,T * = (C i,π i (k) ) ℓ i k=1 .Query: B handles hash, function key, and ciphertext queries of A as follows: • If this is a hash query for a time period T and an item x, then it proceeds as follows: If T ∥x exists in the H-list, then it retrieves (T ∥x, −, h) from the H-list and gives h to A. Otherwise, it adds (T ∥x, u ′ , g u ′ ) to the H-list by selecting a random exponent u ′ ∈ Z p and gives g u ′ to A.
• If this is a function key query for a function f = (i, j) ∈ Q, then it generates a function key DK f = ( ĝb i c i, j , ĝb j c i, j ) since these elements are given in the assumption.
• If this is a ciphertext query for a client index i, a set X i = {x i,1 , . . ., x i,ℓ }, and a time period T ̸ = T * , then it generates a ciphertext as follows: Guess: A outputs a guess µ ′ .If µ = µ ′ , it outputs 1.Otherwise, it outputs 0. Proof.Let A be a statistical adversary.A simulator B is described as follows: Init: A submits challenge tuples (X * 0,1 , . . ., X * 0,n ) and (X * 1,1 , . . ., X * 1,n ), a challenge time period T * , and a set Q = {(i, j)} of function key queries.B proceeds as follows: 1.It flips a random bit µ ∈ {0, 1} internally and derives a tuple Setup: B first chooses random exponents α 1 , . . ., α n ∈ Z p .Next, it sets (SK i = α i ) n i=1 and PP = ((p, G, Ĝ, G T , e), g, ĝ, H, n).It prepares a hash table H-list for the H hash function as the empty set.

For each
it also updates the H-list as follows: Challenge: B creates challenge ciphertexts CT 1,T * , . . .,CT n,T * as follows: 2. For each i ∈ [n], it chooses a random permutation π i and sets CT i,T * = (C i,π i (k) ) ℓ i k=1 .
Query: B handles hash, function key, and ciphertext queries of A as follows: • If this is a hash query for a time period T and an item x, then it proceeds as follows: If T ∥x exists in the H-list, then it retrieves (T ∥x, u ′ , g u ′ ) from the H-list.Otherwise, it selects a random exponent u ′ ∈ Z p and adds (T ∥x, u ′ , g u ′ ) to the H-list.It gives g u ′ to A.
• If this is a function key query for f = (i, j) ∈ Q, then B generates DK f by running GenKey since it knows SK i and SK j .
• If this is a ciphertext query for a client index i, a set X i = {x i,1 , . . ., x i,ℓ }, and a time period T ̸ = T * , then B generates a ciphertext CT i,T by running Encrypt algorithm since it knows SK i .
We first show that the simulation described above is correct.Since the simulator knows all the secret key SK i of individual clients, it is possible to correctly generate function keys and all ciphertexts.When the simulator creates the challenge ciphertext, it creates the correct ciphertext element if x * µ,i,k ∈ E * i is established as in the definition of the game G 1 , and generates a random element if x * µ,i,k / ∈ E * i is established.Now we show that the advantage of the statistical adversary is zero in the game G 1 .To do this, we show that it is possible to change the challenge ciphertext for the challenge bit µ to the challenge ciphertext for the complement bit 1 − µ by modifying the mapping of the random oracle table.Such a change only modifies the mapping of the simulator's random oracle table without modifying the challenge ciphertexts.A detailed description of how to change the random oracle table is given as follows.
1.For each i ∈ [n], it proceeds as follows: } by changing the order of items with the condition that the pattern set respectively, and modifies the H-list as follows: ) from the H-list, and then adds If the random oracle table is changed in the same way as above, the actual elements of the challenge ciphertext is maintained as it is, so the equality pattern of the challenge ciphertext is not changed.Thus, if the challenge tuples of item sets with the same equality pattern are given, it is possible to change the challenge bit without changing the ciphertext through the above process.Therefore, the statistical adversary cannot distinguish the challenge ciphertext.Proof.To prove this theorem, we use the fact that in the static-IND security model, the two indexes i and j of a function f = (i, j) in a function key query requested by an attacker must be uncorrupted clients.In other words, the simulator of this proof generates the secret keys of corrupted clients I, and it can handle all other challenge ciphertext, ciphertext, and function key queries requested by the attacker by using the queries of the MCFE-SIC scheme with no corruptions.We omit the detailed description of this simulator.

Discussions
Efficiency Analysis.We analyze the efficiency of our MCFE-SIC scheme described above.First, the function key generation algorithm requires two exponentiation operations, and a function key consists of two group elements.The encryption algorithm requires ℓ map-to-point hash operations and ℓ exponentiation operations, and a ciphertext consists of ℓ group elements where ℓ is the number of items in a set.Finally, the decryption algorithm requires 2ℓ pairing operations and 2ℓ log ℓ comparison operations for sorting to perform the intersection of pairing elements since it requires a pairing operation for each individual ciphertext element.The detailed comparison of MCFE schemes is given in Table 1.
Decentralized Function Key Generation.The function key generation algorithm of our MCFE-SIC scheme should be performed by a trusted center that knows the secret keys of all clients.To reduce trust in the trusted center, it is necessary to decentralize the function key generation so that individual clients are involved to generate function keys without the trusted center.One method is that when creating a function key for a function f = (i, j), two clients with indexes i, j generate partial function keys independently of each other, and the requestor of the function key later combines these partial function keys to derive a complete function key.At this time, in order for the two clients to generate the same random exponent r, a non-interactive key exchange (NIKE) scheme can be used.For more detailed description of this method, refer to the DMCFE-SI scheme in Section 5.
Multi-Party Set Intersection Cardinality.The MCFE-SIC scheme can only process the set intersection cardinality between two clients.To process the set intersection cardinality between three clients, we may consider to provide a function key ( ĝα j α k r , ĝα i α k r , ĝα i α j r ) for the client indexes (i, j, k).However, this method has a problem of exposing information on the set intersection cardinality of clients (i, j), ( j, k), and (i, k) as well as the set intersection cardinality of clients (i, j, k).Another way is to select random exponents r i , r j , r k to satisfy r i + r j + r k = 0 and provide a function key ( ĝr i /α i , ĝr j /α j , ĝr k /α k ).At this time, the decryption algorithm calculates e(H(T ∥x) α i , ĝr i /α i ) = e(H(T ∥x), ĝ) r i for each ciphertext elements of each client.And then it multiplies all combinations to check that e(H(T ∥x), ĝ) r i +r j +r k = 1 holds.This method can prevent the leakage of additional information, but it requires 3ℓ pairing operations and O(ℓ 3 ) multiplication operations since all combinations must be considered to calculate the set intersection cardinality.

Definition
We define the syntax of MCFE for set intersection (MCFE-SI).The definition of MCFE-SI was introduced by Lee and Seo [32], and it was modified to issue a function key for the set intersection instead of the function key for the set intersection cardinality in MCFE-SIC we introduced in the previous section.Thus, the decryption algorithm of MCFE-SI outputs the set intersection X i ∩ X j of two item sets X i and X j associated with two client ciphertexts CT i,T and CT j,T .The detailed syntax of MCFE-SI is described as follows.
Definition 4.1 (MCFE for Set Intersection).A multi-client functional encryption for set intersection (MCFE-SI) scheme for an item space D and a time space T consists of four algorithms Setup, GenKey, Encrypt, and Decrypt, which are defined as follows: Setup(1 λ , n).The setup algorithm takes as input the security parameter λ and the number of clients n.It outputs a master key MK, client secret keys (SK i ) n i=1 , and public parameters PP.
GenKey( f , MK, PP).The key generation algorithm takes as input a function f = (i, j), the master key MK, and public parameters PP.It outputs a function key DK f .
Encrypt(X i , T, SK i , PP).The encryption algorithm takes as input a set X i = {x i,1 , . . ., x i,ℓ i } of items where x i,k ∈ D, a time period T ∈ T , the client secret key SK i , and public parameters PP.It outputs a ciphertext CT i,T .
Decrypt(CT i,T ,CT j,T , DK f , PP).The decryption algorithm takes as input two ciphertexts CT i,T and CT j,T for the same time T , a function key DK f for a function f = (i, j), and public parameters PP.It outputs a set X i ∩ X j where X i and X j are associated with CT i,T and CT j,T respectively.
The correctness of the MCFE-SI scheme is defined as follows: For all MK, (SK i ) n i=1 , PP ← Setup(1 λ , n), any DK f ← GenKey( f , MK, PP) for a function f = (i, j), and all CT i,T ← Encrypt(X i , T, SK i , PP) and CT j,T ← Encrypt(X j , T, SK j , PP) for any X i , X j and the same time T , it is required that • Decrypt(CT i,T ,CT j,T , DK f , PP) = X i ∩ X j except with negligible probability.
We define the IND security model of MCFE-SI.The IND security model of MCFE was defined by Goldwasser et al. [20], and Lee and Seo modified this model to define a static IND security model of MCFE-SI [32].We adopt the same static IND security model defined by Lee and Seo.In the static IND security model, an attacker first submits challenge sets X * 0 , X * 1 , a challenge time period T * , and all function key queries, and corrupted client indexes with additional constraints.After that, the attacker receives the challenge ciphertext, and can request additional function key and ciphertext queries.Finally, if the attacker correctly guesses the challenge set of the challenge ciphertext, it wins the security game.A more detailed definition of the static IND security model is given as follows.
We first define a function CSI((X k ) k∈I , Q) for a tuple (X k ) k∈I of item sets X k and a set Q = {(i, j)} that computes the set intersection of X i and X j for each (i, j) ∈ Q as follows: Calculate A = X i ∩ X j and add ((i, j), A) to S.

Construction
We combine our MCFE-SIC scheme of the previous section and the MCFE-SI scheme of Lee and Seo [32] in order to design an efficient MCFE-SI scheme with improved decryption.The MCFE-SI scheme of Lee and Seo uses an equal-then-derive technique in which if the items of two client ciphertext elements are equal, then a temporal key is derived by combining these ciphertexts and a function key.However, their MCFE-SI scheme has a disadvantage that the decryption algorithm requires approximately ℓ 2 pairing operations because the pairing operation must be performed for all possible combinations of two client ciphertext elements to calculate the set intersection.To improve the decryption performance, we first use our MCFE-SIC scheme to find matching pairs of ciphertext elements corresponding to the set intersection.And then we apply the equal-then-derive method to derive a temporal key to obtain an encrypted item.In this case, the total number of pairing operations can be reduced to 3ℓ.Let SKE = (GenKey, Encrypt, Decrypt) be an SKE scheme.An MCFE-SI scheme is described as follows.
Encrypt(X i , T, SK i , PP).Let X i = {x i,1 , . . ., x i,ℓ i } be a set of items where |X i | = ℓ i and SK i = (α i , β i ).
1.For each k ∈ [ℓ i ], it proceed as follows: It computes C i,k = H(T ∥x i,k ) α i and derives a temporal key T K i,k = e(H(T ∥x i,k ), ĝ) β i .It obtains D i,k by running SKE.Encrypt(T ∥x i,k , F(T K i,k )).
2. It chooses a random permutation π and outputs a ciphertext CT i,T = (C i,π(k) , D i,π(k) ) ℓ i k=1 by implicitly including i, T .

It prepares two sets
k=1 and computes the intersection S = E i ∩ E j by comparing the group elements.

3.
For each E k ∈ S, it proceeds as follows:

Correctness
We show the correctness of the above MCFE-SI scheme.To this end, we need to show that when the ciphertext elements of two clients are the encryption of the same item, the matching ciphertext elements of the set intersection can be found, and when these matching ciphertext elements are decrypted with a function key, the set intersection item can be obtained.First, we already showed that if client ciphertext elements are the encryption of the same item, then matching ciphertext elements can be found by using a function key through the correctness of the MCFE-SIC scheme.Now, we can confirm that the correct item is decrypted from the matching ciphertext elements since a correct temporal key is derived by the following equation Proof.Suppose there exists an adversary that breaks the static-IND security of the MCFE-SI scheme with no corruptions.We can assume that I = {1, . . ., n} and I = / 0. Let (X * 0,1 , . . ., X * 0,n ) and (X * 1,1 , . . ., X * 1,n ) be the challenge tuples where X * b,i = {x * b,i,1 , . . ., x * b,i,ℓ i } and |X * b,i | = ℓ i .Let Q = {(i, j)} be the set of index pairs related to function key queries.We can derive a tuple (E * 1 , . . ., E * n ) by calling CIQ((X * µ,k ), Q) where µ is the challenge random bit of the security game.To argue that the adversary cannot win this game, we define a sequence of hybrid games G 0 , G 1 , G 2 , and G 3 .The game G i is defined as follows:

Security Analysis
Game G 0 .The first game G 0 is the original security game defined in Definition 4.2.
Game G 1 .This game G 1 is similar to the game G 0 except that the challenge ciphertext components {C i,k } are generated as random for all x * µ,i,k / ∈ E * i .
Game G 2 .This game G 2 is slightly changed from the game G 1 .That is, the challenge temporal keys {T K i,k } are generated as random for all x * µ,i,k / ∈ E * i .
Game G 3 .In the final game G 3 , we change the generation of challenge ciphertext components {D i,k }.That is, the challenge ciphertext components {D i,k } are the encryption of random values for all x * µ,i,k / ∈ E * i .Note that the advantage of the adversary in this game is zero since challenge ciphertext components {C i,k } are random and {D i,k } are the encryption of random values for all x * µ,i,k / ∈ E * i .
Let S G i A be the event that an adversary wins in a game G i .From the following lemmas 4.2, 4.3, and 4.4, we obtain the following result where n is the number of clients, ℓ is the maximum size of the challenge item set.This completes our proof.
Lemma 4.2.If the Assumption 2 for (n, ρ, Q, J) holds, then no polynomial-time adversary can distinguish between G 0 and G 1 with a non-negligible advantage.
Proof.To prove this lemma, we additionally define hybrid games H 1,0 , H Game H ρ,δ .This game H ρ,δ is almost identical to the game G 0 except the generation of the components {C i,k } in the challenge ciphertexts.
• Case (i < ρ) or Suppose there exists an adversary A that distinguishes between H ρ,δ −1 and H ρ,δ with a non-negligible advantage.Without loss of generality, we assume that A simulator B that solves the Assumption 2 for (n, ρ, Q, J) which will be defined later is described as follows: Init: A submits challenge tuples (X * 0,1 , . . ., X * 0,n ) and (X * 1,1 , . . ., X * 1,n ), a challenge time period T * , and a set Q = {(i, j)} of function key queries.B proceeds as follows: 1. From n, ρ, Q, it derives an index set J by calling ComputeJ(n, ρ, Q).
2. It receives a challenge tuple D = (g, g a , {g b i } n i=1 , {g ab k } k∈J , ĝ, {( ĝb i c i, j , ĝb j c i, j , ĝ1/(b i +b j ) )} (i, j)∈Q ) and Z of the Assumption 2 for (n, ρ, Q, J) where Z = g ab ρ or Z = R ∈ G.
3. It flips a random bit µ ∈ {0, 1} internally and derives a tuple (E * 1 , . . ., E * n ) by calling CIQ((X * µ,k ), Q).Setup: B first chooses random exponents β 1 , . . ., β n ∈ Z p .Next, it sets PP = ((p, G, Ĝ, G T , e), g, ĝ, H, F, n).It prepares a hash table H-list for the H hash function as follows: 1.For each i ∈ [n] and k ∈ [ℓ i ], it proceeds as follows: If i ̸ = ρ or k ̸ = δ , then it selects a random exponent u ′ i,k ∈ Z p and adds (T * ∥x * µ,i,k , u ′ i,k , g u ′ i,k ) to the H-list.Otherwise (i = ρ ∧ k = δ ), it adds (T * ∥x * µ,ρ,δ , −, g a ) to the H-list.Challenge: B creates challenge ciphertexts CT 1,T * , . . .,CT n,T * as follows: 1.For each i ∈ [n] and k ∈ [ℓ i ], it generates ciphertext elements C i,k and T K i,k depending on the following cases: from the H-list, and sets C i,k = g ab i and creates T K i,k = e(g a , ĝ) β i .For this case, we show that g ab i is given in the assumption.If a function key for f = (i, ρ) was queried, we have x * µ,ρ,δ ∈ E * ρ by the definition of CIQ.However, we assumed that x * µ,ρ,δ / ∈ E * ρ for this game.Thus a function key for f = (i, ρ) was not queried and it means that i ∈ J by the definition of J. - ) from the H-list, and creates ) from the H-list, and chooses a random C i,k ∈ G and creates T K i,k = e(g u ′ i,k , ĝ) ) from the H-list, and creates from the H-list, and sets C i,k = g ab i and creates T K i,k = e(g a , ĝ) β i .For this case, we show that g ab i is given in the assumption.If a function key for f = (ρ, i) was queried, we have x * µ,ρ,δ ∈ E * ρ by the definition of CIQ.However, we assumed that x * µ,ρ,δ / ∈ E * ρ for this game.Thus a function key for f = (ρ, i) was not queried and it means that i ∈ J by the definition of J. - ) from the H-list, and creates Next, it generates a ciphertext element D i,k by running SKE.Encrypt(T * ∥x * µ,i,k , T K i,k ) 2. For each i ∈ [n], it chooses a random permutation π i and sets CT i,T * = ((C i,π i (k) , D i,π i (k) )) ℓ i k=1 .
Query: B handles hash, function key, and ciphertext queries of A as follows: • If this is a hash query for a time period T and an item x, then B proceeds as follows: If T ∥x exists in the H-list, then it retrieves (T ∥x, −, u) from H-list and gives u to A. Otherwise, it selects a random exponent u ′ ∈ Z p and adds (T ∥x, u ′ , g u ′ ) to the H-list, and then it gives the hash value g u ′ to A.
• If this is a function key query for a function f = (i, j) ∈ Q, then B generates DK f = ĝb i c i, j , ĝb j c i, j , ( ĝ1/(b i +b j ) ) β i since these elements are given in the assumption.
• If this is a ciphertext query for a client index i, a set X i = {x i,1 , . . ., x i,ℓ }, and a time period T ̸ = T * , then B generates a ciphertext as follows: 1.For each k ∈ [ℓ i ], it proceeds as follows: It retrieves ) from the H-list, and sets

It chooses a random permutation π and sets
Guess: A outputs a guess µ ′ .If µ = µ ′ , it outputs 1.Otherwise, it outputs 0. Proof.To prove this lemma, we additionally define hybrid games The game H ′ ρ,δ is defined as follows: Game H ′ ρ,δ .This game H ′ ρ,δ is almost identical to the game G 1 except the generation of temporal keys {T K i,k } in the challenge ciphertexts.
• Case (i < ρ) or Suppose there exists an adversary A that distinguishes between H ′ ρ,δ −1 and H ′ ρ,δ with a non-negligible advantage.Without loss of generality, we assume that A simulator B that solves the Assumption 3 for (n, ρ, Q) which will be defined later is described as follows: ), a challenge time period T * , and a set Q = {(i, j)} of function key queries.B proceeds as follows: 1.It receives a challenge tuple D = (g, g a , {g b i } n i=1 , {g ab k } 1≤k̸ =ρ≤n , ĝ, {( ĝb i c i, j , ĝb j c i, j , ĝd i /(b i +b j ) )} (i, j)∈Q , { ĝd i } 1≤i̸ =ρ≤n , e(g, ĝ) d ρ ) and Z of the Assumption 3 for (n, ρ, Q) where Z = e(g, ĝ) ad ρ or Z = R ∈ G T .

It flips a random bit µ ∈ {0, 1} internally and derives a tuple
Setup: B sets PP = ((p, G, Ĝ, G T , e), g, ĝ, H, F, n).It prepares a hash table H-list for the H hash function as follows: 1.For each i ∈ [n] and k ∈ [ℓ i ], it proceeds as follows: to the H-list.Challenge: B creates challenge ciphertexts CT 1,T * , . . .,CT n,T * as follows: 1.For each i ∈ [n] and k ∈ [ℓ i ], it generates ciphertext elements C i,k and T K i,k depending on the following cases: • Case i < ρ: - from the H-list, and sets C i,k = g ab i and T K i,k = e(g a , ĝd i ).In this case, g ab i is given in the assumption since i ̸ = ρ. - ) from the H-list, and sets ) from the H-list, and selects random ) from the H-list, and sets ) from the H-list, and sets ) from the H-list, and selects a random C ρ,k ∈ G and creates T K ρ,k = (e(g, ĝ) from the H-list, and sets C i,k = g ab i and T K i,k = e(g a , ĝd i ).In this case, g ab i is given in the assumption since i ̸ = ρ. - ) from the H-list, and sets ) from the H-list, and selects a random Next, it generates a ciphertext element D i,k by running SKE.Encrypt(T * ∥x * µ,i,k , T K i,k ) 2. For each i ∈ [n], it chooses a random permutation π i and sets CT i,T * = ((C i,π i (k) , D i,π i (k) )) ℓ i k=1 .
Query: B handles hash, function key, and ciphertext queries of A as follows: • If this is a hash query for a time period T and an item x, then B proceeds as follows: If T ∥x exists in the H-list, then it retrieves (T ∥x, −, u) from H-list and gives u to A. Otherwise, it selects a random exponent u ′ ∈ Z p and adds (T ∥x, u ′ , g u ′ ) to the H-list, and then it gives the hash value g u ′ to A.
• If this is a function key query for a function f = (i, j) ∈ Q, then B generates DK f = ĝb i c i, j , ĝb j c i, j , ĝd i /(b i +b j ) since these elements are given in the assumption.
• If this is a ciphertext query for a client index i, a set X i = {x i,1 , . . ., x i,ℓ }, and a time period T ̸ = T * , then B generates a ciphertext as follows: 1.For each k ∈ [ℓ i ], it proceeds as follows: It retrieves ) from the H-list and sets

It chooses a random permutation π and creates CT
Guess: Suppose there exists an adversary A that distinguishes between H ′′ ρ,δ −1 and H ′′ ρ,δ with a non-negligible advantage.Without loss of generality, we assume that Then B that interacts with A is described as follows: Init: A submits challenge tuples (X * 0,1 , . . ., X * 0,n ) and (X * 1,1 , . . ., X * 1,n ) of item sets, a challenge time period T * , and a set Q = {(i, j)} of function key queries.B then flips a random bit µ ∈ {0, 1} internally and derives a tuple g, ĝ,  H, F, n).It prepares a hash table H-list for the H hash function as follows: Challenge: B creates challenge ciphertexts CT 1,T * , . . .,CT n,T * as follows: 1.For each i ∈ [n] and k ∈ [ℓ i ], it generates ciphertext elements C i,k and T K i,k depending on the following cases: ) from the H-list, and creates Next, it also generates a ciphertext element D i,k depending on the following cases: , it selects a random y ∈ D and creates D i,k by running SKE.Encrypt (T * ∥y, T K i,k ).
• Case (i = ρ ∧ k = δ ): It selects a random y ∈ D and submits challenge message x * µ,ρ,δ and y to the encryption oracle of SKE.Next, it receives a challenge ciphertext CT * SKE from SKE and sets 2. For each i ∈ [n], it chooses a random permutation π i and sets Query: B handles hash, function key, and ciphertext queries of A as follows: • If this is a hash query for a time period T and an item x, then B proceeds as follows: If T ∥x exists in the H-list, then it retrieves (T ∥x, −, u) from H-list and gives u to A. Otherwise, it selects a random exponent u ′ ∈ Z p and adds (T ∥x, u ′ , g u ′ ) to the H-list, and then it gives the hash value g u ′ to A.
• If this is a function key query for a function f = (i, j), then B simply generates DK f by using α i , α j , β i .
• If this is a ciphertext query for a client index i, a set X i , and a time period T ̸ = T * , then B simply generates a ciphertext CT i,T by using α i , β i .
Guess: A outputs a guess µ ′ .If µ = µ ′ , it outputs 1.Otherwise, it outputs 0. Proof.The proof of this theorem is similar to that of Theorem 3.4.In other words, the simulator of this proof generates the secret keys of corrupted clients by itself, and processes all other queries of an attacker using the queries of the MCFE-SI scheme with no corruptions.We omit the description of more detailed proofs.

Discussions
Efficiency Analysis.We analyze the efficiency of the proposed MCFE-SI scheme.First, the function key is composed of two group elements for the set intersection cardinality and one group element for deriving a temporal key.The encryption algorithm requires ℓ map-to-point hash operations, ℓ exponentiation operations, and ℓ pairing operations since it requires operations in proportion to the size of a set.The decryption algorithm requires 2ℓ pairing operations, ℓ log ℓ comparison operations for sorting of group elements, and ℓ pairing operations for deriving temporal keys to decrypt intersection items.The detailed comparison of MCFE schemes is given in Table 1.Compared to the decryption algorithm of the MCFE-SI scheme of Lee and Seo [32] that requires approximately ℓ 2 pairing operations, the decryption algorithm of our scheme is more efficient since it only requires 2ℓ pairing operations.
Outsourcing the Decryption of MCFE.If the ciphertexts generated by clients are stored on a cloud server, we can consider outsourcing part of the decryption operation to the cloud server.At this time, since the cloud server is not a trusted entity, we must be careful not to expose the set intersection information of the ciphertext to the cloud server.To this end, a client owning a function key DK = (K 1 , K 2 , K 3 ) for indexes (i, j) selects a random exponent z and provides an outsourcing function key oDK = (K 1 , K 2 , K z 3 ) to the cloud server.Then, the cloud server finds ciphertext elements that satisfy the set intersection by using K 1 and K 2 , derives outsourced temporal keys oT K = e(C i,k C j,k ′ , K z 3 ) = e(H(T ∥x), ĝβ i ) z , and then it passes these keys back to the client.Then, the client raises all outsourced temporal keys to z −1 and decrypts corresponding ciphertexts with the temporal keys.At this time, the cloud server obtains information on the set intersection cardinality and information on the equality patterns but does not obtain the set intersection items.
Multi-Party Set Intersection.In the previous section, we presented a method of extending the MCFE-SIC scheme to support the set intersection cardinality for multiple parties.Using this method, our MCFE-SI scheme can also be extended to support multi-party set intersection.That is, for calculating the set intersection cardinality, random exponents r i , r j , and r k that satisfy r i + r j + r k = 0 are selected and key elements ĝr i /α i , ĝr j /α j , ĝr k /α k are created.After that, an additional key element ĝβ i /(α i +α j +α k ) is provided to derive temporal keys.This method has the disadvantage that it requires O(ℓ 3 ) multiplication operations to find matching ciphertext elements, but it only requires O(ℓ) pairing operations.

Decentralized MCFE for Set Intersection
In this section, we define the syntax and security model of DMCFE-SI that generates function keys in a distributed way.And we propose an efficient DMCFE-SI scheme and analyze the security of the proposed scheme.

Definition
We define the syntax of decentralized MCFE-SI (DMCFE-SI).DMCFE-SI is a decentralized version of MCFE-SI in the previous section so that individual clients generate partial function keys instead of a trusted center generating a function key.In DMCFE-SI, individual clients set their own private key SK i and public key PK i using the ClientSetup algorithm.And then individual clients generate partial function keys using the GenPartKey algorithm, and a third entity combines the partial function keys using the CombPartKey algorithm to derive a correct function key.That is, if the third entity wants to obtain a function key for client indexes (i, j), it receives a partial function key pDK i from the i-index client and a partial function key pDK j from the j-index client.And then, it combines the two partial function keys to derive the correct function key DK to decrypt a ciphertext.At this point, the encryption and decryption algorithms of DMCFE-SI are the same as those of MCFE-SI.The detailed syntax of DMCFE-SI is described as follows.
Definition 5.1 (Decentralized MCFE for Set Intersection).A decentralized multi-client functional encryption for set intersection (DMCFE-SI) scheme for an item space D and a time space T consists of six algorithms Setup, ClientSetup, GenPartKey, CombPartKey, Encrypt, and Decrypt, which are defined as follows: Setup(1 λ , n).The global setup algorithm takes as input the security parameter λ and the number of clients n.It outputs public parameters PP.
ClientSetup(i, PP).The client setup algorithm takes as input an index i of a client and public parameters PP.It outputs a secret key SK i and a public key PK i .
GenPartKey( f , SK i , PK, PP).The partial key generation algorithm takes as input a function f , a secret key SK i , and a tuple PK of public keys, and public parameters PP.It outputs a partial function key pDK i, f .
CombPartKey(pDK i, f , pDK j, f , PP).The partial key combining algorithm takes as input two partial decryption keys pDK i, f and pDK j, f for a function f = (i, j) and public parameters PP.It outputs a function key DK f .
Encrypt(X i , T, SK i , PP).The encryption algorithm takes as input a set X i = {x i,1 , . . ., x i,ℓ i } of items where x i, j ∈ D, a time period T ∈ T , a secret key SK i , and public parameters PP.It outputs a ciphertext CT i,T .
Decrypt(CT i,T ,CT j,T , DK f , PP).The decryption algorithm takes as input two ciphertexts CT i,T and CT j,T for the same time T , a function key DK f , and public parameters PP.It outputs a set X i ∩ X j where X i and X j are associated with CT i,T and CT j,T respectively.
The correctness of the DMCFE-SI scheme is defined as follows: For any PP ← Setup(1 λ , n), all SK i , PK i ← ClientSetup(i, PP), and all CT i,T ← Encrypt(X i , T, SK i , PP) and CT j,T ← Encrypt(X j , T, SK j , PP) for any X i , X j and the same time T , it is required that • CombPartKey(GenPartKey( f , SK i , PK, PP), GenPartKey( f , SK j , PK, PP), PP) = DK f .
• Decrypt(CT i,T ,CT j,T , DK f , PP) = X i ∩ X j except with negligible probability.
We define the security model of DMCFE-SI.We define the static IND security model of DMCFE-SI by modifying the static IND security model of MCFE-SI defined in the previous section.This security model of DMCFE-SI is the same as that of MCFE-SI in Section 4.1, except that it allows partial function key queries instead of function key queries.In this security model of DMCFE-SI, partial function key queries requested by an attacker have two limitations.If a partial function key for a function f = (i, j) requested by the attacker belongs to the predefined function key query set, then the attacker can request both a partial function key for a client i and a partial function key for a client j.However, if a partial function key for f = (i, j) does not belong to the predefined function key query set, then the attacker can request only one partial function key for a client i or j.Thus, the attacker of DMCFE-SI allows not only predefined function key queries, but also additional partial function key queries.The more detailed security model of DMCFE-SI is defined as follows.A also submits two challenge tuples (X * 0,k ) k∈I and (X * 1,k ) k∈I of item sets, a challenge time period T * , and a set Q = {(i, j)} of function key queries with the two restrictions that (1) i, j ∈ I for each (i, j) ∈ Q and (2) CSI(( • If this is a partial function key query for a tuple f = (i, j) and a client index k such that k = i or k = j, then C gives a partial function key pDK k, f to A by running GenPartKey( f , SK k , PK, PP) with the restrictions that (1) if f ∈ Q, then two partial function keys of i and j can be queried and (2) if f / ∈ Q, then only one partial function key of i or j can be queried when i, j ∈ I.
• If this is a ciphertext query for a client index k ∈ I, an item set X k , and a time period T ̸ = T * , then C gives a ciphertext CT k,T to A by running Encrypt(X k , T, SK k , PP).
A DMCFE-SI scheme is static-IND secure with corruptions if for all PPT adversary A, the advantage of A defined as is negligible in the security parameter λ .

Construction
The function key of the MCFE-SI scheme proposed in the previous section consist of K 1 and K 2 for set intersection cardinality and K 3 for deriving a temporal key for set intersection.We first devise a method to decentralize the generation of K 1 and K 2 .In order for individual clients to generate these two group elements in an independent way, it is necessary to generate a common random exponent r.To this end, we derive the same shared key K by using a non-interactive key exchange NIKE scheme and we use PRF to derive the exponent r from the shared key K.That is, if an individual client additionally selects a private key γ i and exposes a public key h i = g γ i , then it can derive a shared key K = g γ i γ j by using a NIKE scheme.Thus, individual clients can generate partial function keys of ĝα i r and ĝα j r where r = PRF(K, 1).Now we devise a method to decentralize the generation of K 3 for derivation of a temporal key.However, it cannot be decentralized by a simple method since it requires the inverse operation of an exponent.In order to decentralize the calculation of the inverse operation while hiding the secret keys of two clients, we introduce a method in which the secret key is encrypted with a one-time pad scheme and a client requesting the partial function key combines the encrypted keys to calculate the inverse operation.That is, individual clients first derive the same shared key K i, j using the NIKE scheme, and derives the same random exponents s and t.Then, each client encrypts its secret key as E i = sα i + t and E j = sα j − t, respectively.At this time, if the i index client additionally provides ĝβ i s , the client that received E i and E j can compute a key ( ĝβ i s ) 1/(E i +E j ) .Note that, since E i and E j have a one-to-one correspondence with random exponents s and t, the information of the secret keys is not exposed.
Let SKE = (GenKey, Encrypt, Decrypt) be an SKE scheme.A DMCFE-SI scheme is described as follows.
Setup(1 λ , n).ClientSetup(i, PP).Let i be the index of a client.It selects random exponents α i , β i , γ i ∈ Z p , and then it outputs a secret key SK i = (α i , β i , γ i ) and a public key PK i = h i = g γ i .
1.If k = i, it retrieves PK j = h j from PK and computes a shared key K i, j = h γ i j .Otherwise (k = j), it retrieves PK i = h i from PK and computes a shared key K i, j = h γ j i .Next, it derives random exponents r, s,t ∈ Z p by running PRF(K i, j , 1), PRF(K i, j , 2), PRF(K i, j , 3) respectively.

If k
CombPartKey(pDK i, f , pDK j, f , PP).Let f = (i, j) such that i < j.Let pDK i, f = (A 1 , A 2 , E) and pDK j, f = (A ′ 1 , A ′ 2 , E ′ ).It selects a random exponent r ∈ Z p and outputs a function key .
ℓ i k=1 by implicitly including i, T .

It prepares two sets
k=1 and computes the intersection S = E i ∩ E j by comparing the group elements.

Correctness
We show the correctness of the DMCFE-SI scheme.First, two clients i and j can obtain the same shared key K i, j from the correctness of the Diffie-Hellman non-interactive key exchange scheme.And two clients i and j can derive the same random exponents r, s, and t since PRF is a deterministic function.Now, when a combing client combines the partial function key elements generated by using the same random exponents r, s, and t, it can derive a function key by the following equation Since the correct function key is derived from the partial function key, it is guaranteed that the set intersection is correctly calculated from the ciphertexts of two clients from the correctness of the MCFE-SI scheme.

Security Analysis
Theorem 5.1.The above DMCFE-SI scheme is static-IND secure with no corruptions in the random oracle model if the PRF scheme is secure and the Assumptions 2 and 3 hold.
Proof.Suppose there exists an adversary that breaks the static-IND security of the DMCFE-SI scheme with no corruptions.We can assume that I = {1, . . ., n} and I = / 0. Let (X * 0,1 , . . ., X * 0,n ) and (X * 1,1 , . . ., X * 1,n ) be the challenge tuples where X * b,i = {x * b,i,1 , . . ., x * b,i,ℓ i } and |X * b,i | = ℓ i .Let Q = {(i, j)} be the set of index pairs related to function key queries.We can derive a tuple (E * 1 , . . ., E * n ) by calling CIQ((X * µ,k ), Q) where µ is the challenge random bit of the security game.To argue that the adversary cannot win this game, we define a sequence of hybrid games G 0 , G 1 , G 2 , and G 3 .The game G i is defined as follows: Game G 0 .The first game G 0 is the original security game defined in Definition 5.2.
Game G 1 .In this game G 1 , when processing partial function key queries, we change all shared keys {K i, j } derived by non-interactive key agreement to random elements.
Game G 2 .In this game, we modify the previous game G 1 to generate random exponents r, s,t by using the a truly random function instead of using a pseudo-random function when processing partial function key queries.
Game G 3 .This game G 3 is similar to the game G 2 except that the challenge ciphertext components {C i,k } are generated as random for all x * µ,i,k / ∈ E * i .
Game G 4 .This game G 4 is slightly changed from the game G 3 .That is, the challenge temporal keys {T K i,k } are generated as random for all x * µ,i,k / ∈ E * i .
Game G 5 .In the final game G 5 , we change the generation of challenge ciphertext components {D i,k }.That is, the challenge ciphertext components {D i,k } are the encryption of random values for all x * µ,i,k / ∈ E * i .Recall that the advantage of the adversary in this game is zero since challenge ciphertext components {C i,k } are random and {D i,k } are the encryption of random values for all x * µ,i,k / ∈ E * i .
Let S G i A be the event that an adversary wins in a game G i .From the following lemmas 5.2, 5.3, 5.4, 5.5, and 5.6, we obtain the following result lowing equations: Now we should show that the distribution of the partial function keys generated in this way has the same distribution as that of the original game.Note that in the case of f / ∈ Q, an attacker can obtain only one of pDK i, f or pDK j, f due to the constraints of the security model.First, in the case of k = i, if we define the random exponents as follows, then we can see that the elements of the partial function key are correctly distributed by the following equations: Next, in the case of k = j, if we define the random exponents as follows, then we can see that the elements of the partial function key are correctly distributed by the following equations: This completes our proof.
Lemma 5.5.If the Assumption 3 for (n, ρ, Q, J) holds, then no polynomial-time adversary can distinguish between G 3 and G 4 with a non-negligible advantage.
Proof.The proof of this lemma is the same as that of Lemma 4.3 by removing the function key query and adding additional client public key generation and partial function key query.In order to perform the proof, we define additional hybrid games, identical to Lemma 4.3, and perform indistinguishability proof of individual hybrid games.In the proof of individual hybrid games, a simulator proceeds client public key generation and partial function key query processing as the similar manner as in Lemma 5.4.We omit the detailed proof.
Lemma 5.6.If the SKE scheme is one-message secure, then no polynomial-time adversary can distinguish between G 4 and G 5 with a non-negligible advantage.
Proof.The proof of this lemma is almost the same by removing the function key generation from the proof of Lemma 4.4, and adding client public key generation and partial function key query processing.
A simulator can easily handle client public key generation and partial function key query by using α i , β i , and γ i selected by the simulator.We omit the detailed description of this proof.
Theorem 5.7.The above DMCFE-SIC scheme is static-IND secure with corruptions in the random oracle model if the DMCFE-SIC scheme is static-IND secure with no corruptions.
Proof.The proof of this theorem is almost the same as Theorem 4.5 by replacing the function key query with a partial function key query.In other words, the simulator of this theorem generates the secret keys of corrupted clients by itself, and partial function key queries requested by an attacker are also processed by using the queries of the DMCFE-SI scheme with no corruption.Since all other parts of this proof are the same as Theorem 4.5, we will omit the detailed proof.

Discussions
Efficiency Analysis.The encryption and decryption algorithms of our DMCFE-SI scheme has the same performance as those of our MCFE-SI scheme in the previous section.The partial function key generation algorithm requires three exponentiations and three PRF operations to generate random exponents.And the partial function key combining algorithm requires one inverse and one exponentiation operations.Thus, the partial function key generation and partial function key combining algorithms are very efficient.The detailed comparison of MCFE schemes is given in Table 1.
Public Verification of Function Keys.A client that performs the partial function key combination algorithm needs to check whether the derived function key is correct or not.In order to publicly verify the function key, it is necessary to additionally expose public keys for private keys of individual clients.In other words, individual clients publish a public key (g α i , e(g, ĝ) β i , g γ i ) for their private key (α i , β i , γ i ).Since the function key is composed of ( ĝα i r , ĝα j r , ĝβ i /(α i +α j ) ), it is possible to verify the function key by checking the following equations.e(g α j , ĝα i r ) = e(g α i , ĝα j r ) ∧ e(g α i g α j , ĝβ i /(α i +α j ) ) = e(g, ĝ) β i .Note that it is secure for a client to expose g α i , e(g, ĝ) β i in the public key since these elements are already included in the two assumptions used to prove the security of the DMCFE-SI scheme.
Decentralized Three-Party Set Intersection.Previously, we could extend the MCFE-SIC and MCFE-SI schemes to support the set intersection between multiple parties.Here, we extend our DMCFE-SI scheme to support multi-party set intersection.In the case of the DMCFE-SI scheme, the function key generation is divided into partial function key generation and partial function key combination algorithms.Thus, it is necessary to modify the partial function key generation algorithm to support the multi-party set intersection.The partial function key generation algorithm needs to derive a shared key through noninteractive key exchange between entities involved in the set intersection.Fortunately, three-party noninteractive key exchange is possible by using the pairing operation.In other words, we first derive a shared key K i, j,k = e(g γ i , ĝγ j ) γ k for three clients (i, j, k).We then select random exponents r 1 , r 2 , s,t 1 ,t 2 and set r 3 = −r 1 − r 2 ,t 3 = −t 1 − t 2 .Then the partial key of the client i is (g α i r 1 , g β i s , E i = sα i + t 1 ), and the partial key of the client j is (g α j r 2 , 1, E j = sα j + t 2 ), and the partial key of the client k is (g α k r 3 , 1, E k = sα k + t 3 ).
In this case, the correct function key ( ĝβ i s ) 1/(E i +E j +E k ) = ĝβ i /(α i +α j +α k ) is derived from the partial function keys.All results are measured in milliseconds.We use symbols Hash for a map-to-point hash operation, Exp for an exponentiation operation, and Pairing for a pairing operation.All results are estimated in seconds.We let ℓ to be the number of items in a set.

Efficiency Comparison
In this section, we estimate the performance of our MCFE schemes for set intersection when our schemes are instantiated in asymmetric bilinear groups.To do this, we first measure the speed of basic group operations in asymmetric pairing groups by using the Charm library [8], which is a framework for quickly implementing public-key cryptographic schemes in the Python language.To measure the performance of these basic operations, we used a desktop computer with Intel Core i9-11900 2.5GHz CPU and 16GB RAM.The Charm library supports the MNT159, MNT201, and MNT224 pairing curves as asymmetric bilinear groups that provide 80-bit, 100-bit, and 112-bit security, respectively.The performance of basic operators in these curves is given in Table 2.
We compare the performance of our MCFE schemes with the MCFE scheme of Lee and Seo [32].For this comparison, we estimate the performance of these MCFE schemes by using the number of basic operations in Table 1 and the speed of basic operations in Table 2 instead of actually implementing these MCFE schemes.We select the MNT224 curve that provides 112-bit security as an asymmetric bilinear group, and analyze the performance of individual algorithms while changing the number of items in a set differently.The performance comparison between MCFE schemes is given in Table 3.In this table, we did not describe the performance of our DMCFE-SI scheme because the encryption and decryption algorithms of our DMCFE-SI scheme are the same as those of our MCFE-SI scheme.The estimated performance is based on a single-threaded environment, and this performance can be improved as much as the number of physical cores if multiple-threads are used.
First, the function key generation algorithms of three schemes are very efficient regardless of the size of a set because all of them only require constant number of exponentiations.Next, the encryption algorithms of three schemes require basic group operations in proportion to the size of a set.The encryption algorithm of our MCFE-SIC scheme is the most efficient because there is no pairing operation, and the encryption algorithms of the MCFE scheme of Lee and Seo and our MCFE-SI scheme have the same performance.Lastly, the decryption algorithms have the biggest difference in three schemes.The decryption algorithm of the MCFE scheme of Lee and Seo is efficient only for small-sized sets because it requires ℓ 2 pairing operations.In contrast, the decryption algorithm of our MCFE-SI scheme takes about 38 seconds for the ℓ = 2048 size set because it only requires 3ℓ pairing operations.Thus, our decryption algorithm is about 700 times faster than that of the MCFE scheme of Lee and Seo when ℓ = 2048.

Generic Group Model
In this section, we describe the master theorem of Freeman [18] and analyze our three complexity assumptions in the generic group model of Shoup [35].

Master Theorem
We use the master theorem of Freeman [18] to analyze the complexity assumptions introduced in the previous section.This master theorem is the generalization of the master theorem of Boneh et al. [11] so that the target challenge element is either G or G T in asymmetric bilinear groups of prime order.
Let G, Ĝ, and G T be asymmetric bilinear groups of prime order p equipped with the bilinear map e : G × Ĝ → G T .A group element u ∈ G can be represented as a multi-variate polynomial, which indicates the exponent of u relative to some fixed generator g.We can also represent group elements in Ĝ and G T as similar way.For instance, the general Diffie-Hellman tuple is represented as the expression (1, X,Y, XY ) where X and Y are random variables.
In this definition, the multi-variate polynomials p i , r j ,t k represent the exponents of group elements in G, Ĝ, G T respectively, and the polynomial f represents the exponent of the challenge element in complexity assumptions.Additionally, the polynomials s ℓ represent the exponents of group elements in which the challenge element can be paired.
Freeman defined the (P, R, T, f )-DDH problem in G and G T by extending the (P, R, T, f )-DDH problem of Boneh et al. [11] as follows: We show that f 0 = ηAD ρ is independent of P • R and T .The subsets of P • R that contain the random variables A, D ρ are {ηAD i /(B i + B j )} and {ηAB k D i /(B i + B j )}.Here, the subset {ηAD i /(B i + B j )} does not need to be considered because it lacks (B i + B j ).By using the remaining subset {ηAB k D i /(B i + B j )}, we may try to compose a linear equation with ηAD ρ .The only way to create a linear equation is to derive when (ρ, j) ∈ Q, k 1 = ρ, and k 2 = j.To satisfy the above equation, it is required that k 1 = ρ where k 1 is an index for {AB k }.However, we have k 1 ̸ = ρ from the restriction of the Assumption 3. Therefore, f 0 is independent of (P, R, T ).

Conclusion
In this paper, we proposed various MCFE schemes that support set intersection operations and proved the security of our schemes by using the newly introduced complexity assumptions.Our first MCFE-SIC scheme supports the computation of set intersection cardinality and can efficiently find matching ciphertext elements by using a pairing operation.Our second MCFE-SI scheme supports the set intersection operation, and it requires 2ℓ pairing operations in the decryption.Our third DMCFE-SI scheme decentralizes the generation of function keys by removing a trusted center.Using our MCFE-SI schemes, it is possible to construct an effective contact tracing system that preserves privacy of people.We leave two interesting problems related to this study.The first problem is to devise an MCFE-SI scheme that is secure under standard assumptions.Since all our MCFE-SI schemes have disadvantages that they are secure under complex and dynamic assumptions, it is an important problem to prove the security under weaker assumptions.The second problem is to devise an MCFE-SI scheme that can efficiently compute the set intersection between n patients and m users.If our MCFE-SI scheme is directly used, the computation requires 2nmℓ pairing operations with additional comparison operations.Thus, if we can improve the performance, it can be used for more efficient contact tracing.

Definition 3 . 2 (
Static-IND Security).The static-IND security of MCFE-SIC with corruptions is defined in the following experiment EXP ST -IND MCFE-SIC,A (1 λ ) between a challenger C and a PPT adversary A:

Theorem 3 . 1 .
The above MCFE-SIC scheme is static-IND secure with no corruptions in the random oracle model if the Assumption 1 holds.

Lemma 3 . 3 .
No adversary can win the game G 1 with a non-negligible advantage in the random oracle model.

Theorem 3 . 4 .
The above MCFE-SIC scheme is static-IND secure with corruptions in the random oracle model if the MCFE-SIC scheme is static-IND secure with no corruptions.

Definition 4 . 2 ( 1 .
Static-IND Security).The static-IND security of MCFE-SI with corruptions is defined in the following experiment EXP ST -IND MCFE-SI,A (1 λ ) between a challenger C and a PPT adversary A: Init: A initially submits an index set I ⊂ [n] of corrupted clients.Let I = {1, . . ., n} \ I be the index set of uncorrupted clients.

3 . 5 .
Challenge: C flips a random bit µ ∈ {0, 1} and obtains a ciphertext CT i,T * by running Encrypt(X * µ,i , T * , SK i , PP) for each i ∈ I. C gives the challenge ciphertexts (CT i,T * ) i∈I to A 4. Query: A requests function keys and ciphertexts.C handles these queries as follows: • If this is a function key query for a function f = (i, j) ∈ Q, then C gives a function key DK f to A by running GenKey( f , MK, PP).• If this is a ciphertext query for a client index k ∈ I, an item set X k , and a time period T ̸ = T * , then C gives a ciphertext CT k,T to A by running Encrypt(X k , T, SK k , PP).Guess: A outputs a guess µ ′ ∈ {0, 1} of µ.C outputs 1 if µ = µ ′ or 0 otherwise.An MCFE-SI scheme is static-IND secure with corruptions if for all PPT adversary A, the advantage of A defined as Adv ST -IND MCFE-SI,A (λ ) = Pr[EXP ST -IND MCFE-SI,A (1 λ ) = 1] − 1 2 is negligible in the security parameter λ .
and obtains a string T ∥x by running SKE.Decrypt (D i,k i , F(T K k )).(c) It adds an item x into Y .4. It outputs the set Y .

Theorem 4 . 1 .
The above MCFE-SI scheme is static-IND secure with no corruptions in the random oracle model if the Assumptions 2 and 3 hold.

Lemma 4 . 3 .
If the Assumption 3 for (n, ρ, Q) holds, then no polynomial-time adversary can distinguish between G 1 and G 2 with a non-negligible advantage.

Theorem 4 . 5 .
The above MCFE-SI scheme is static-IND secure with corruptions in the random oracle model if the MCFE-SI scheme is static-IND secure with no corruptions.

Definition 5 . 2 ( 1 .
Static-IND Security).The static-IND security of DMCFE-SI with corruptions is defined in the following experiment EXP ST -IND DMCFE-SI,A (1 λ ) between a challenger C and a PPT adversary A: Init: A initially submits an index set I ⊂ [n] of corrupted clients.Let I = {1, . . ., n} \ I be the index set of uncorrupted clients.
Let n be the maximum number of clients.It first generates a bilinear group (p, G, Ĝ, G T , e) of prime order p with random generators g ∈ G and ĝ ∈ Ĝ.It chooses two hash functions H : {0, 1} * → G and F : G T → {0, 1} λ .It outputs public parameters PP = (p, G, Ĝ, G T , e), g, ĝ, H, F, n .

3 .
For each E k ∈ S, it proceeds as follows:(a) It finds (C i,k i , D i,k i ) from CT i,T and (C j,k j , D j,k j ) from CT j,T such that C i,k i and C j,k j are used to derive E k .(b) It computes T K k = e(C i,k i • C j,k j , K 3 ) and obtains a string T ∥x by running SKE.Decrypt (D i,k i , F(T K k )).(c) It adds an item x into Y .4. It outputs the set Y .

Table 1 :
Comparison of functional encryption schemes for set intersection The setup algorithm takes as input the security parameter λ and the number of clients n.It outputs a master key MK, client secret keys (SK 1 , ..., SK n ), and public parameters PP.GenKey( f , MK, PP).The function key generation algorithm takes as input a function f = (i, j), the master key MK, and public parameters PP.It outputs a function key DK f .Encrypt(X i , T, SK i , PP).The encryption algorithm takes as input a set X i = {x i,1 , . . ., x i,ℓ i } of items where x i,k ∈ D, a time period T ∈ T , a client secret key SK i , and public parameters PP.It outputs a ciphertext CT i,T .
it outputs 1.Otherwise, it outputs 0. Lemma 4.4.If the SKE scheme is one-message secure, then no polynomial-time adversary can distinguish between G 2 and G 3 with a non-negligible advantage.

2 .
Setup: C generates public parameters PP by running Setup(1 λ , n).It also generates secret keys and public keys (SK i , PK i ) of clients by running ClientSetup(i, PP) for each i ∈ [n].It keeps (SK i ) i∈I to itself and gives (SK i ) i∈I , PK = (PK i ) n i=1 , and PP to A.3.Challenge: C flips a random bit µ ∈ {0, 1} and obtains a ciphertext CT i,T * by running Encrypt(X * µ,i , T * , SK i , PP) for each i ∈ I. C gives the challenge ciphertexts (CT i,T * ) i∈I to A 4. Query: A requests function keys and ciphertexts.C handles these queries as follows: 1.For each k ∈ [ℓ i ], it proceed as follows: It computes C i,k = H(T ∥x i,k ) α i and derives a temporal keyT K i,k = e(H(T ∥x i,k ), ĝ) β i .It obtains D i,k by running SKE.Encrypt(T ∥x i,k , F(T K i,k )).2.It chooses a random permutation π and outputs a ciphertext CT i,T = (C i,π(k) , D i,π(k)

Table 2 :
Comparison of basic group operations in asymmetric bilinear groups

Table 3 :
Efficiency comparison of MCFE schemes for set intersection in MNT224