Inner product encryption from ring learning with errors

The functional encryption scheme designed using the lattice can realize fine-grained encryption and it can resist quantum attacks. Unfortunately, the sizes of the keys and ciphertexts in cryptographic applications based on learning with errors are large, which makes the algorithm inefficient. Therefore, we construct a functional encryption for inner product predicates scheme by improving the learning with errors scheme of Agrawal et al. [Asiacrypt 2011], and its security relies on the difficulty assumption of ring learning with errors. Our construction can reduce the sizes of the keys and ciphertexts compared with the learning with errors scheme.

Traditional public key encryption is “all or nothing” in accessing data, that is, a user can decrypt successfully or know nothing about the plaintexts. While the presentation of functional encryption (FE) (Boneh et al. 2011; O’Neill 2010) breaks through the restriction which is limited to only one user and has a single decryption result, and it can realize fine-grained encryption. As an extension of the traditional public key, the FE is the advanced cryptographic paradigm.

Two typical examples of FE are attribute-based encryption (ABE) (Goyal et al. 2006; Wang et al. 2019; Yun et al. 2018; Zhang and Wu 2017; Zhang et al. 2019) and predicate encryption (PE) (Attrapadung and Imai 2009; Agrawal et al. 2016; Boneh and Waters 2006; Blundo et al. 2010; Katz et al. 2008). In the (key-policy) ABE system, the secret key s is related to a predicate g and each ciphertext is related to an attribute I. A user who holds the secret key s is able to decrypt successfully if and only if g(I)=1. So does for the PE system. However, there is an obvious difference between these two encryption systems. Namely, the attribute related with each ciphertext is revealed in the ABE system, while the attribute is hidden in the PE system.

ABE is an application of fuzzy identity-based encryption (Sahai and Waters 2005). In the ABE system (Agrawal et al. 2012; Ducas et al. 2014; Libert and Ţiţiu 2019; Yun et al. 2018; Zhang and Wu 2017; Zhang et al. 2019), data is encrypted on the basis of individual identity associated with a series of attributes. Hence, ABE is applicable in cloud storage to provide authorized data privacy. However, there are some issues to solve before applying ABE in practice. For example, when user’s attributes are altered, it is required for ABE supporting attribute revocation to change user’s access privilege timely and effectively. And in 2018, Liu et al. proposed a practical ABE scheme which can solve the aforementioned issue (Liu et al. 2018). ABE also has many other practical applications, such as network privacy (Baden et al. 2009), health record access-control (Camenisch et al. 2012), verifiable computation (Parno et al. 2011), forward-secure messaging (Green and Miers 2015) and so on.

In the PE system, the computation of inner product over \(\mathbb {Z}_{N}\) about predicate was proposed by Katz et al. (2008) where N is a composite number. They also provide a construction about inner product predicate, called inner product encryption (IPE). Due to flexibleness and usefulness of IPE, a number of researchers have proposed schemes about IPE (Agrawal et al. 2011; Abdalla et al. 2020; Abdalla et al. 2015; Chen et al. 2018; Okamoto and Takashima 2015; Kurosawa and Phong 2017; Li et al. 2018; Tseng et al. 2020; Wang et al. 2019; Xagawa 2013).

For example, Chen et al. proposed two IPE schemes achieving both adaptive security and full attribute-hiding in the prime-order bilinear group (Chen et al. 2018). In 2018, Kwangsu et al. first proposed a two-input IPE scheme in composite-order bilinear groups (LEE 2018). And in 2019, Tomida et al. first constructed a multi-user and multi-challenge IPE scheme, which is constructible on a pairing-free group and secure under the matrix decisional Diffie-Hellman (MDDH) assumption (Tomida 2020). While in a pairing-based IPE system, the algorithm tends to be inefficient over computation since a lot of pairings (linear to vector lengths) are used during decryption. Therefore, in 2019, an IPE scheme proposed by Wei et al. with adaptive security based on the dual system encryption method requires only six bilinear pairs to decrypt (Wei and Gao 2019). In 2020, an IPE scheme proposed by Tseng et al. needs only one pairing computation to decrypt, which is the most efficient one in terms of the private key length and the number of pairings computation for decryption (Tseng et al. 2020).

As is known to all, compared with the conventional cryptography (designed based on certain hard problems), the lattice-based cryptography resists against the quantum attacks. What’s more, a great number of lattice-based cryptographic schemes are based directly on two average-case problems, that is the small integer solution (SIS) problem and LWE problem. These two problems have been confirmed to support worst-case hardness guarantees in security.

In 2011, Agrawal et al. proposed the first lattice-based IPE scheme (Agrawal et al. 2011). To optimize the sizes of the public parameters and the ciphertexts, Xagawa et al. proposed an improved lattice-based IPE scheme (Xagawa 2013), Li et al. proposed an IPE scheme reducing the size by a factor of logκ compared with the work of reference (Xagawa 2013), where κ is a security parameter (Li et al. 2018), and Wang et al. proposed the first compact IPE scheme from learning with errors (LWE) in 2018 (Wang et al. 2018). Those schemes are constructed on the basis of the first lattice-based IPE scheme (Agrawal et al. 2011). In addition, Abdalla et al. constructed a multi-input FE scheme combining the access control functionality of ABE with the possibility of performing linear operations on the encrypted data and built identity-based functional encryption for inner products from lattices (Abdalla et al. 2020).

However, nearly all of IPE schemes based upon these two problems will suffer from either large key size or small message space. Although some researchers may improve the sizes of keys and ciphertexts of IPE schemes based on LWE problem to certain extent, they are still too large to be practical.

To acquire more efficiency in computation and confidence in security, we will provide a construction by adapting the scheme based on LWE (Agrawal et al. 2011) to ring-LWE (R-LWE). The R-LWE is an algebraic variant of LWE. In most practical applications, the n samples from the LWE distribution can be replaced by a sample from the R-LWE distribution, which will reduce the size of the public key by a factor of n. As is mentioned above, our construction is of theoretical value and practical significance.

Our construction

Our approach. We construct a functional encryption scheme for inner product predicates based on the R-LWE problem building on the ideas and techniques of the scheme in the reference (Agrawal et al. 2011). In our construction, we generate the secret key associated with the predicate g using of ring-SIS (R-SIS) and the ciphertext c associated with the attribute I using of R-LWE. The user then can decrypt successfully using the secret key when g(I)=1.

It is necessary to simulate an experiment during the process of security proof, which allows the simulator to answer secret key queries whenever g(I)=0. Similarly, just as the thought of proof in the reference (Agrawal et al. 2011), we make use of m+1R-LWE instances to generate a ciphertext that either decrypts correctly or decrypts to a random element in the message space \(\mathcal {M}\) in this simulation. Therefore, we only need to use a weaker security model (“weak attribute hiding”) in the security proof.

Our contribution. In this paper, we present an IPE scheme that is secure under the R-LWE hardness assumption. The scheme is at its core based on the LWE scheme of (Agrawal et al. 2011). Our scheme satisfies the slightly weaker notion considered by Okamoto and Takashima (2009) and Lewko et al. (2010).

Outline. The rest of the paper is organized as follows. In “Predicate encryption”, we review some theoretical knowledge about predicate encryption. In “Preliminaries”, we set some notations and provide some preliminaries about lattice theory and much more. In “A functional encryption scheme for inner product predicates”, we describe concretely an IPE scheme and prove the correctness and security of the scheme. In “Conclusion” sections, we present some concluding remarks.

Let κ be the security parameter for the rest of this paper and let n=n(κ) be a power of two. We first recall the following definition of predicate encryption proposed by Katz et al. (2008), which is based on the definition of searchable encryption proposed by Boneh and Waters (2006).

Definition 1

((Katz et al. 2008), Definition 2.1). A (key-policy) predicate encryption scheme for the class of predicates \(\mathcal {G}\) over the set of attributes Σ consists of four probabilistic polynomial-time (PPT) algorithms Setup, KeyGen, Enc, Dec such that:

• Setup: takes as input a security parameter κ and outputs a set of public parameters PP and a master secret key MK.

• KeyGen: takes as input the master secret key MK and a (description of a) predicate \(g\in \mathcal {G}\). It outputs a key sk_g.

• Enc: takes as input the public parameters PP, an attribute I∈Σ, and a message m in some associated message space \(\mathcal {M}\). It returns a ciphertext C.

• Dec: takes as input a secret key sk_g and a ciphertext C. It outputs either a message m or the distinguished symbol ⊥.

For correctness, we require that for all κ,(PP, MK) are generated by Setup(1^κ), for all \(g\in \mathcal {G}\), any key sk_g is generated by KeyGen(sk,g) and for all I∈Σ, any ciphertext C is generated by Enc(PP,I,m):

• If g(I)=1, then Dec(sk_g,C)=m.

• If g(I)=0, then Dec(sk_g,C)=⊥ with all but negligible probability.

In this paper, the correctness proof satisfies a different correctness condition which is just as the correctness idea of the LWE scheme (Agrawal et al. 2011): when C←Enc(PP,I,m) with probability 1, then m←Dec(sk_g,C) if g(I)=1, however, if g(I)=0 then Dec(sk_g,C) is computationally indistinguishable from a uniformly random element in the message space \(\mathcal {M}\).

Next, we introduce several notations of security about the PE scheme. The basic concept of security is called payload hiding. It will guarantee that the ciphertext about the attribute I can hide all information associated with the message, unless one holds a secret key giving the explicit capability to decrypt. Namely, the adversary \(\mathcal {A}\) holding the keys \(sk_{g_{1}},\cdots,sk_{g_{l}}\) cannot get any information about the message encrypted by any attribute I when satisfying g₁(I)=⋯=g_l(I)=0. A stronger notation of security is called attribute hiding. It requires that the ciphertext can hide all information associated with attribute I except the part which is leaked explicitly by one who holds the key. Namely, \(\mathcal {A}\) who possesses the keys only can obtain the values of g₁(I),⋯,g_l(I). The last is an intermediate notion, weak attribute hiding, in which attribute hiding is guaranteed to hold only if \(\mathcal {A}\) holds the keys that cannot recover the message. And our scheme satisfies the weak attribute hiding.

Definition 2

((Katz et al. 2008), Definition 2.1). A predicate encryption scheme with respect to \(\mathcal {G}\) and Σ is attribute hiding if for any PPT adversaries \(\mathcal {A}\), the advantage of \(\mathcal {A}\) in the following experiment is negligible in the security parameter κ:

• \(\mathcal {A}\left (1^{\kappa }\right)\) outputs I₀,I₁∈Σ.

• Setup(1^κ) is run to generate PP and MK, and the adversary is given PP.

• \(\mathcal {A}\) may adaptively request keys for any predicates \(g_{1},\cdots,g_{l}\in \mathcal {G}\) subject to the restriction that g_i(I₀)=g_i(I₁) for all i. In response, \(\mathcal {A}\) is given the corresponding keys \(sk_{g_{i}}\leftarrow \text {KeyGen}\left (\text {MK},g_{i}\right)\).

• \(\mathcal {A}\) outputs two equal-length messages m₀ and m₁. If there is an i for which g_i(I₀)=g_i(I₁)=1, then it is required that m₀=m₁. A random bit b is chosen, and \(\mathcal {A}\) is given the ciphertext C←Enc(PP,I_b,m_b).

• \(\mathcal {A}\) may continue to request keys for additional predicates, subject to the same restrictions as before.

• \(\mathcal {A}\) outputs a bit b^′, and succeeds if b^′=b. The advantage of \(\mathcal {A}\) is the absolute value of the difference between its success probability and 1/2.

By the above definition, we observe that there exists two relations among the three notations of security. One is that any scheme which is weak attribute hiding is payload hiding, the other is that any scheme which is attribute hiding is weak attribute hiding.

Notation

If no special note, we use lowercase letters (e.g. a) to express polynomials, bold lowercase letters (e.g. a) to express vectors, bold capital letters (e.g. A) to express matrices, the arrows \(\left (\text {e.g.}\ \vec {v}\right)\) to represent predicates or attributes. If A is an m×n matrix and A^′ is an m^′×n matrix, then [A∥A^′] represents an (m+m^′)×n matrix formed by concatenating A and A^′. If a is a length m vector and a^′ is a length m^′ vector, then we denote [a|a^′] as a length (m+m^′) vector which is concatenated by a and a^′. Suppose to denote S as a basis of lattice Λ, then \(\tilde {\mathbf {S}}\) denotes the Gram-Schmidt orthogonalization of S.

For \(n=n(\kappa)\in \mathbb {Z}^{+}\), we let \(R_{q}=\mathbb {Z}_{q}[x]/{f(x)}\) be the integer polynomial ring modulo both f(x) and q, where q is a prime and \(f\in \mathbb {Z}[x]\) is a monic degree n polynomial. In particular, considering the security of our construction, we fix f(x)=xⁿ+1 in the rest of paper. For a∈R_q, we denote ∥a∥ as the Euclidean norm of a vector a=a₀+a₁x+⋯+a_n−1xⁿ⁻¹ for \(a_{i}\in \mathbb {Z}_{q}\). We define \(rot_{f}(a)\in R_{q}^{n\times n}\) as the matrix whose i-th row is given by the coefficients of the polynomial xⁱ⁻¹a mod f(x), for any 1≤i≤n. Note that for a,b∈R_q,a·b=(1,x,⋯,xⁿ⁻¹)·rot_f(a)^T·(b₀,b₁,⋯,b_n−1)^T=(a₀,a₁,⋯,a_n−1)·rot_f(b)·(1,x,⋯,xⁿ⁻¹)^T. The specific form of rot_f is given below:

Let A=rot_f(a), then the set \(\Lambda ^{\perp }(\mathbf {A})=\left \{\mathbf {b}\in \mathbb {Z}^{n}|\mathbf {b}\cdot \mathbf {A}=0\mod q\right \}\) is an n-dimensional lattice. We extend that notation to the vector \(\boldsymbol {a}\in R_{q}^{m}\) by applying rot_f component-wise. Namely, for a=(a₁,a₂,⋯,a_m),rot_f(a)=[rot_f(a₁)∥rot_f(a₂)∥⋯∥rot_f(a_m)].

We define the norm of a matrix R∈{−1,1}^m×m to be sup{∥Rx∥:∥x∥=1}. Then we recall the following result.

Lemma 1

((Agrawal et al. 2011), Lemma A.1). Let R be an m×m matrix chosen at random from {−1,1}^m×m. Then \({Pr}\left \{\|{\mathbf {R}}\|>12\sqrt {2m}\right \}< e^{-2m}\).

Lattice

Now we remind some definitions and properties of lattice that we need to use in our system.

The m-dimension lattice Λ is generated by the set \(\left \{\sum \limits _{i=1}^{n} x_{i}\boldsymbol {b}_{i}\left |\right.{x}_{i}\in \mathbb {Z}\right \}\) for n linearly independent vectors \(\boldsymbol {b}_{1},\cdots,\boldsymbol {b}_{n}\in \mathbb {R}^{m}\). That is to say, the lattice Λ is a full-rank discrete additive subgroup of \(\mathbb {R}^{m}\). For \(\boldsymbol {a}\in R_{q}^{m}, u\in R_{q}\), we define the ring setting as follows:

Next, we introduce the R-SIS (Lyubashevsky and Micciancio 2006; Peikert and Rosen 2006) and R-LWE (Lyubashevsky et al. 2010; Stehlé et al. 2009) as the ring-based variant of SIS and LWE respectively. They have been proven to be at least as hard as the shortest independent vectors problem (SIVP) and the decision version of the shortest vector problem (GapSVP). And there exists a reduction from the search version of R-LWE to the average-case decision R-LWE. If the probability that for all the polynomial-time adversaries \(\mathcal {A}\) who solve the decision R-LWE is negligibly away from \(\frac {1}{2}\), then we call that the decision R-LWE problem is infeasible.

Definition 3

(Lyubashevsky and Micciancio 2006; Peikert and Rosen 2006, R-SIS_q,m,β) Given \(\boldsymbol {a}=\left (a_{1},\cdots,a_{m}\right)\in R_{q}^{m}\) a vector of m uniformly random polynomials, find a non-zero vector of small polynomial \(\mathbf {e}=\left (e_{1},\cdots,e_{m}\right)\in R_{q}^{m}\) such that \(\boldsymbol {a}\boldsymbol {e}^{T}=\sum \limits _{i=1}^{m}a_{i}e_{i}=0\bmod q\), and 0≤∥e∥≤β.

Definition 4

(Lyubashevsky et al. 2010; Stehlé et al. 2009, R-LWE Distribution) For s∈R_q (the “secret”) and an error distribution χ over R_q, a sample from the R-LWE distribution A_s,χ over \(R_{q}^{m}\times R_{q}^{m}\) is generated by choosing \(\boldsymbol {a}\leftarrow R_{q}^{m}\) uniformly at random, choosing η←χ^m, and outputting (a,s·a+η).

Definition 5

(Lyubashevsky et al. 2010; Stehlé et al. 2009, R-LWE Search). For s∈R_q and an error distribution χ over R_q. The search of version of the R-LWE is defined as follows: given access to arbitrarily many independent samples from A_s,χ for some arbitrary s∈R_q and η∈χ^m, find s.

Gaussian distribution. We denote ρ_σ(a) as the standard n-dimensional Gaussian distribution with center 0 and the variance σ>0, that is ρ_σ(a)= exp(−π∥a∥²/σ²). For any \(\sigma \in \mathbb {R}^{+}\) and a lattice Λ as the subset of \(\mathbb {Z}^{n}\), we define the lattice Gaussian distribution as \(D_{\Lambda,\sigma }(a)=\frac {\rho _{\sigma }(a)}{\rho _{\sigma }(\Lambda)}\) where \(\rho _{\sigma }(\Lambda)=\sum \limits _{a'\in \Lambda }\rho _{\sigma }\left (a'\right)\). What’s more, we denote the error distribution Ψ as the discrete Gaussian distribution \(D_{\mathbb {Z}^{n},\sigma }\) for some σ>0. A sample from Ψ is a polynomial in R_q. We will use the following property referring to the Gaussian distribution in our construction.

Lemma 2

((Micciancio and Regev 2004), Theorem 4.4) Let \(n\in \mathbb {N}\). For any real number \(\sigma =\omega \left (\sqrt {\log n}\right)\), we have \(\text {Pr}_{\boldsymbol {a}\leftarrow D_{\mathbb {Z}^{n},\sigma }}\left [\|\boldsymbol {a}\|>\sigma \sqrt {n}\right ]\leq 2^{-n+1}\).

Sample algorithm

Now we introduce the following properties about sample algorithms. The TrapGen algorithm (Lai et al. 2015) is to generate the trapdoor for the R-LWE scheme. The algorithm SampleLeft (Agrawal et al. 2010; Cash et al. 2010) is used in our system, while the algorithm SampleRight (Agrawal et al. 2010) is used in the simulation during the proof of security.

We first recall the definition of the trapdoor in the ring setting.

Definition 6

((Lai et al. 2015), Definition 2) Let \(\boldsymbol {a}\in R_{q}^{m},\boldsymbol {g}\in R_{q}^{k}\). A g-trapdoor for a is a collection of linearly independent vectors of ring elements \({\mathbf {T}}_{\boldsymbol {a}}\in R_{q}^{(m-k)\times k}\) such that \(\boldsymbol {a}\left [\begin {array}{cc} {\mathbf {T}}_{\boldsymbol {a}}\\ {\mathbf {I}}_{k}\end {array}\right ]=h\boldsymbol {g}\) for some non-zero ring element h∈R_q. h is referred as the tag or label of the trapdoor. The quality of the trapdoor is measured by its largest singular value s₁(T_a), which is computed as the largest singular value of the matrix obtained by interpreting T_a as a matrix in \(\mathbb {Z}_{q}^{(m-k)n\times kn}\).

Theorem 1

((Lai et al. 2015)) Let q,m,n,k be positive integers with q≥2 and m>k. There exists a PPT algorithm TrapGen outputs a pair \(\left (\boldsymbol {a}\in R_{q}^{m},{\mathbf {T}}_{\boldsymbol {a}}\in R_{q}^{(m-k)\times k}\right)\) such that a is statistically indistinguishable with the uniform distribution in \(R_{q}^{m}\) and the quality of the trapdoor T_a is measured by its largest singular value s₁(T_a).

By applying the definition and properties of rot_f to interpret a polynomial vector into a type of integer matrix, there are two efficient trapdoor delegation algorithms given as follows referring to the literature (Agrawal et al. 2010).

Lemma 3

((Agrawal et al. 2010), Theorem 3) Let q>2,m>2 logq and \(\sigma >\|\tilde {{\mathbf {T}}}_{\boldsymbol {a}}\|\omega \left (\sqrt {\log (2nm)}\right)\), then the algorithm SampleLeft(a,b,T_a,u,σ) outputs a vector \(\boldsymbol {e}\in R_{q}^{2m}\) distributed statistically close to \(D_{\Lambda _{q}^{u}\left (\boldsymbol {a}'\right),\sigma }\) where a^′=[a|b].

Lemma 4

((Agrawal et al. 2010), Theorem 4) Let q>2,m>1 and \(\sigma >\|\tilde {{\mathbf {T}}}_{\boldsymbol {b}}\|\cdot \sqrt {nm}\cdot \omega (\log nm)\), then the algorithm SampleRight(a,b,R,T_b,u,σ) outputs a vector \(\boldsymbol {e}\in R_{q}^{2m}\) distributed statistically close to \(D_{\Lambda _{q}^{u}\left (\boldsymbol {a}'\right),\sigma }\) where a^′=[a|aR+b].

Universal hash function

For a hash function h, define δ_h(x,y)=1 if h(x)=h(y) and δ_h(x,y)=0 otherwise for x,y∈X,x≠y. That is, δ_h(x,y)=1 if and only if the hashed values of x and y collide. For a finite set \(\mathcal {H}\) of hash functions, define \(\delta _{\mathcal {H}}(x,y)=\sum \limits _{h\in \mathcal {H}}\delta _{h}(x,y)\). Hence, \(\delta _{\mathcal {H}}(x,y)\) counts the number of hash functions in \(\mathcal {H}\) under which x and y collide.

Definition 7

((Roşca et al. 2017)) A (finite) family \(\mathcal {H}\) of hash functions h:X→Y is universal if \(\text {Pr}_{h\leftarrow U(\mathcal {H})}\left [\delta _{h}(x,y)=1\right ]=1/{|Y|}\), for all x,y∈X,x≠y.

We will use the following variant of the leftover hash lemma which is necessary when presenting our construction.

Lemma 5

((Roşca et al. 2017), Lemma 2.1) Let X,Y,Z denote finite sets and let \(\mathcal {H}\) be a universal family of hash functions h:X→Y. Let f:X→Z be arbitrary. Then for any random variable T taking values in X, we have: \(\varDelta ((h,h(T),f(T)),(h,U(Y),f(T)))\leq \frac {1}{2}\sqrt {\gamma (T)\cdot |Y|\cdot |Z|}\), where γ(T)= maxT^′∈XPr[T=T^′].

Lemma 6

Let q be a prime. For R∈{−1,1}^m×m and a∈R_q, define \(\Phi _{\boldsymbol {a}}:\{-1,1\}^{m\times m}\rightarrow R_{q}^{m}\) by the rule: Φ_a(R)=aR. Then {Φ_a} is universal.

Proof

We set a=(a₁,⋯,a_m) and R=(r_ij) where a_i∈R_q and r_ij∈{−1,1} for i,j∈{1,⋯m}. Then

Obviously, we need to prove \(\text {Pr}\left \{\left (\sum \limits _{i=1}^{m}a_{i}r_{i1},\cdots, \sum \limits _{i=1}^{m}a_{i}r_{im}\right)=\left (y_{1},\cdots,y_{m}\right)\right \}=\frac {1}{q^{nm}}\) for all \((y_{1},\cdots,y_{m})\in R_{q}^{m}\). Without loss of generality, we assume that \(\sum \limits _{i=1}^{m}a_{i}r_{i1}\neq 0\). Then by linearity, it suffices to prove that for all \(y_{1}\in R_{q}, \text {Pr}\left \{\sum \limits _{i=1}^{m}a_{i}r_{i1}=y_{1}\right \}=\frac {1}{q^{n}}\).

We write a_i as a_i0+a_i1x+⋯+a_i,n−1xⁿ⁻¹ and y₁ as y₁₀+y₁₁x+⋯+y_1,n−1xⁿ⁻¹ for \(a_{ij},y_{1j}\in \mathbb {Z}_{q}\). Then we calculate the following formula,

Since \(y_{1j}\in \mathbb {Z}_{q}\), it follows that \(\text {Pr}\left \{\sum \limits _{i=1}^{m}r_{i1}a_{ij}=y_{1j}\right \}=\frac {1}{q}\), which is equivalent to \(\text {Pr}\left \{\sum \limits _{i=1}^{m}a_{i}r_{i1}=y_{1}\right \}=\frac {1}{q^{n}}\). Hence the hash function family is universal. □

In this section, we first describe a new predicate encryption scheme and prove its correctness and security. We define our construction consisting of four PPT algorithms: setup, key generation, encryption and decryption algorithms. In this scheme, each secret key is associated with a predicate vector \(\vec {v}\in \mathbb {Z}_{q}^{l}\) (for some fixed l≥2) and each ciphertext is associated with an attribute vector \(\vec {w}\in \mathbb {Z}_{q}^{l}\). The decryption algorithm involves a condition that will decrypt successfully if and only if \(\left \langle \vec {v},\vec {w}\right \rangle =0\pmod q\). Therefore, we define the predicate associated with the secret key as \(g_{\vec {v}}(\vec {w})=1\) when satisfying \(\left \langle \vec {v},\vec {w}\right \rangle =0\pmod q\), and \(g_{\vec {v}}\left (\vec {w}\right)=0\) otherwise.

The construction

Let \(\kappa \in \mathbb {Z}^{+}\) and l be the length of predicate and attribute vectors. Let m=m(κ,l),q=q(κ,l) and t=⌊logq⌋ be positive integers. Let α and σ be positive real Gaussian parameters. Let the error distribution χ=⌊D_αq⌉ denote the discrete Gaussian distribution where each coefficient is sampled from D_αq and then rounded to nearest integer. The plaintext space is {0,1}ⁿ, while the ciphertext space is \(R_{q}^{m}\times \left \{R_{q}^{m}\right \}^{l(t+1)}\times R_{q}\).

FE.Setup (1^κ,1^l): Input a security parameter \(\kappa \in \mathbb {Z}^{+}\) and a parameter l, do the following:

1. 1.

   Using the algorithm TrapGen to obtain a vector \(\boldsymbol {a}\in R_{q}^{m}\) together with the trapdoor T_a.

2. 2.

   Choose l·(1+t) uniformly random vectors \(\boldsymbol {a}_{i,\gamma }\in R_{q}^{m}\) for i=1,⋯,l and γ=0,⋯,t.

3. 3.

   Select a uniformly random polynomial u∈R_q.

Output the public parameters PP =(a,{a_i,γ}_{i∈{1,⋯,l},}(a,{a_i,γ}_{i∈{1,⋯,l},}γ∈{0,⋯,t},u) and MK= T_a.

FE.KeyGen(PP, MK, \(\vec {v}\)): Input the public parameters PP, the master secret key MK and a predicate vector \(\vec {v}\in \mathbb {Z}_{q}^{l}\), do:

1. 1.

   For i=1,⋯,l, let \(\hat {v}_{i}\) be the integer in [0,q−1], which equals to v_i mod q. Let the binary decomposition of \(\hat {v}_{i}\) as \(\hat {v}_{i}=\sum \limits _{\gamma =0}^{t}v_{i,\gamma }\cdot 2^{\gamma }\), where v_i,γ are in {0,1}.

2. 2.

   Define the vectors \(\boldsymbol {a}_{\vec {v}}':=\sum \limits _{i=1}^{l}\sum \limits _{\gamma =0}^{t}v_{i,\gamma }\boldsymbol {a}_{i,\gamma }\) and \(\boldsymbol {a}_{\vec {v}}:=\left [\boldsymbol {a}|\boldsymbol {a}_{\vec {v}}'\right ]\).

3. 3.

   Using the master secret key MK= T_a to compute e←SampleLeft\(\left (\boldsymbol {a},\boldsymbol {a}_{\vec {v}}',\mathbf {T}_{\boldsymbol {a}},u,\sigma \right)\). Then e is a vector in \(R_{q}^{2m}\) satisfying \(\boldsymbol {a}_{\vec {v}}\boldsymbol {e}^{T}=u\).

Output the secret key \(sk_{\vec {v}}=\boldsymbol {e}\).

FE.Enc(PP, \(\vec {w}, \boldsymbol {m}\)): Input the public parameters PP, an attribute vector \(\vec {w}\in \mathbb {Z}_{q}^{l}\) and a message m, do:

• Choose a uniformly random vector \(\boldsymbol {b}\in R_{q}^{m}\).

• Choose a uniformly polynomial s∈R_q.

• Select a noise vector η from χ^m and a noise term η from χ.

• Compute c₀=s·a+2η.

• For i=1,⋯,l and γ=0,⋯,t, do the following:

  1. (a)

     Pick a random matrix R_i,γ∈{−1,1}^m×m.

  2. (b)

     Calculate c_i,γ←s·(a_i,γ+2^γw_ib)+2η·R_i,γ.

• Compute c^′=us+m+2η.

Output the ciphertext CT= (c₀,{c_i,γ}_{i∈{1,⋯,l},γ∈{0,⋯,t}},c^′).

FE.Dec(PP, CT, \(sk_{\vec {v}}\)): Input the public parameters PP, a secret key \(sk_{\vec {v}}\) and a ciphertext CT, do:

• Compute \(\boldsymbol {c}_{\vec {v}}=\sum \limits _{i=1}^{l}\sum \limits _{\gamma =0}^{t}v_{i,\gamma }\boldsymbol {c}_{i,\gamma }\).

• Let \(\boldsymbol {c}=\left [\boldsymbol {c}_{0}|\boldsymbol {c}_{\vec {v}}\right ]\).

Output m^′←(c^′−e·c^T mod f mod q) mod 2.

Next, we need to show that our construction is correct for certain parameter choices and secure under R-LWE hardness assumption. The specific proof is as follows.

The correctness

Lemma 7

Let the parameters q and α satisfy q>16(n+λnm) and \(\alpha <8\left (\sqrt {n}+\lambda \sqrt {nm}\right)^{-1}\) where \(\lambda =\left (1+12\sqrt {2m}l(t+1)\right)\sigma \sqrt {nm}\). When the FE.KeyGen algorithm returns the secret key, FE.Enc encrypts with probability 1 for all the plaintext m. If \(\left \langle \vec {v},\vec {w}\right \rangle =0\), then we have FE.Dec=m with overwhelming probability.

Proof

According to the decryption algorithm, we have,

the last equation holds because of \(\left \langle \vec {v},\vec {w}\right \rangle =0\).

By the above formula, we obtain,

According to Lemma 3, we can get \(\boldsymbol {a}_{\vec {v}}\boldsymbol {e}^{T}=u\) and \(\boldsymbol {e}\cdot \boldsymbol {c}^{T}=us+2\boldsymbol {e}\cdot \left [\boldsymbol {\eta }\left |\right.\sum \limits _{i=1}^{l}\sum \limits _{\gamma =0}^{t}v_{i,\gamma }\boldsymbol {\eta }\cdot \mathbf {R}_{i,\gamma }\right ]^{T}\).

Finally, according to the third step of the decryption algorithm, we compute m^′ as

If \(\left \|\boldsymbol {m}+2\left (\eta -\boldsymbol {e}\left [\boldsymbol {\eta }\left |\right.\sum \limits _{i=1}^{l}\sum \limits _{\gamma =0}^{t}v_{i,\gamma }\boldsymbol {\eta }\mathbf {R}_{i,\gamma }\right ]^{T}\right)\right \|< q/2\), centered reduction modulo q of c^′−e·c^T given us \(\boldsymbol {m}+2\left (\eta -\boldsymbol {e}\left [\boldsymbol {\eta }\left |\right.\sum \limits _{i=1}^{l}\sum \limits _{\gamma =0}^{t}v_{i,\gamma }\boldsymbol {\eta }\mathbf {R}_{i,\gamma }\right ]^{T}\right)\) (over the integers). Hence, in order to obtain m=m^′, it suffices to certify \(\left \|\boldsymbol {m}+2\left (\eta -\boldsymbol {e}\left [\boldsymbol {\eta }\left |\right.\sum \limits _{i=1}^{l}\sum \limits _{\gamma =0}^{t}v_{i,\gamma }\boldsymbol {\eta }\cdot \mathbf {R}_{i,\gamma }\right ]^{T}\right)\right \|< q/2\).

We set \(\boldsymbol {e}\in R_{q}^{2m}\) as [e₁|e₂] for \(\boldsymbol {e}_{i}\in R_{q}^{m}\). Then Eq. (2) can be rewritten as

For η∈χ and η∈χ^m, we have \(\|\eta \|<\alpha q\sqrt {n}+n\) and \(\|\boldsymbol {\eta }\|<\alpha q\sqrt {nm}+nm\) with overwhelming probability because of the Gaussian tail bound. According to Lemma 1 and the triangle inequality, \(\left \|\left (\boldsymbol {e}_{1}+\boldsymbol {e}_{2}\cdot \sum \limits _{i=1}^{l}\sum \limits _{\gamma =0}^{t}v_{i,\gamma }\mathbf {R}_{i,\gamma }^{T}\right)\cdot 2\boldsymbol {\eta }^{T} \right \|\) is not exceeding \(2\lambda \left (\alpha q\sqrt {nm}\,+\,nm\right)\)where \(\lambda =\left (1\,+\,12\sqrt {2m}l(t+1)\right)\sigma \sqrt {nm}\). Thus we have \(\left \|\boldsymbol {m}+2\eta -\left [\left (\boldsymbol {e}_{1}+\boldsymbol {e}_{2}\cdot \sum \limits _{i=1}^{l} \sum \limits _{\gamma =0}^{t}v_{i,\gamma }\mathbf {R}_{i,\gamma }^{T}\right) {{\left \|\boldsymbol {m}+2\eta -\left [\left (\boldsymbol {e}_{1}+\boldsymbol {e}_{2}\cdot \sum \limits _{i=1}^{l} \sum \limits _{\gamma =0}^{t}v_{i,\gamma }\mathbf {R}_{i,\gamma }^{T}\right) \right.\right.}} \cdot 2\boldsymbol {\eta }^{T}\right ] \right \| < \sqrt {n}+2\left (\alpha q\sqrt {n}+n\right)+2\lambda \left (\alpha q\sqrt {nm}+nm\right)< q/2\)with overwhelming probability when α and q satisfy the condition in the lemma.

If \(\left \langle \vec {v},\vec {w}\right \rangle \neq 0, \sum \limits _{i=1}^{l}\sum \limits _{\gamma =0}^{t}2^{\gamma } v_{i,\gamma }w_{i}s\cdot \mathbf {b}\) in the formula (1) is unequal to 0. Since s∈R_q and \(\mathbf {b}\in R_{q}^{m}\) are randomly chosen in the formula (1), the decryption algorithm cannot decrypt the message correctly. □

The security

To demonstrate the security, we introduce several security games to prove that the security of the scheme can be reduced to the hardness of R-LWE problem.

Theorem 2

Suppose that m≥3n logq. Then the above predicate encryption scheme is weakly attribute hiding under the R-LWE hardness assumption.

Before introducing these security games, we define a simulation construction as following: alternative setup, key generation, and encryption algorithms.

Sim.Setup\(\left (1^{\kappa },1^{l},\vec {w}^{*}\right)\): Input a security parameter κ, a parameter l and an attribute vector \(\vec {w}^{*}\in \mathbb {Z}_{q}^{l}\), do the following:

1. 1.

   Select a uniformly random vector \(\boldsymbol {a}\in R_{q}^{m}\) and polynomial u∈R_q.

2. 2.

   Using the algorithm TrapGen to obtain a vector \(\boldsymbol {b}^{*}\in R_{q}^{m}\) with a trapdoor \(\mathbf {T}_{\boldsymbol {b}^{*}}\).

3. 3.

   For i=1,⋯,l and γ=0,⋯,t, choose random matrices \(\mathbf {R}_{i,\gamma }^{*}\in \{-1,1\}^{m\times m}\) and set \(\boldsymbol {a}_{i,\gamma }\leftarrow \boldsymbol {a}\mathbf {R}_{i,\gamma }^{*}-2^{\gamma } w_{i}^{*}\boldsymbol {b}^{*}\).

Output the public parameters and the master secret key

PP =(a,{a_i,γ}_{i∈{1,⋯,l},γ∈{0,⋯,t}},u), MK\(=\left (\vec {w}^{*},\left \{\mathbf {R}_{i,\gamma }^{*}\right \}{{\left \{\mathbf {R}_{i,\gamma }^{*}\right \}}}_{i\in \{1,\cdots,l\},\gamma \in \{0,\cdots,t\}},\boldsymbol {b}^{*},\mathbf {T}_{\boldsymbol {b}^{*}}\right)\).

Sim.KeyGen(PP, MK, \(\vec {v}\)): Input the public parameters PP, master secret key MK and a vector \(\vec {v}\in \mathbb {Z}_{q}^{l}\), do:

1. 1.

   If \(\left \langle \vec {v},\vec {w}\right \rangle =0\), output ⊥.

2. 2.

   For i=1,⋯,l, let \(\hat {v}_{i}\) be the integer in [0,q−1] equals to v_i mod q. Write the binary decomposition of \(\hat {v}_{i}\) as \(\hat {v}_{i}=\sum \limits _{\gamma =0}^{t}v_{i,\gamma }\cdot 2^{\gamma }\), where v_i,γ are in {0,1}.

3. 3.

   Define the vectors \(\boldsymbol {a}_{\vec {v}}':=\sum \limits _{i=1}^{l}\sum \limits _{\gamma =0}^{t}v_{i,\gamma }\boldsymbol {a}_{i,\gamma }\) and \(\boldsymbol {a}_{\vec {v}}:=\left [\boldsymbol {a}|\boldsymbol {a}_{\vec {v}}'\right ]\). Then it follows that

   $$\begin{aligned} \boldsymbol{a}_{\vec{v}}=\left[\boldsymbol{a}\left|\right. \boldsymbol{a}\left(\sum\limits_{i=1}^{l}\sum\limits_{\gamma=0}^{t}v_{i,\gamma}\mathbf{R}_{i,\gamma}^{*}\right)-\underbrace{\left(\sum\limits_{i=1}^{l}\sum\limits_{\gamma=0}^{t}2^{\gamma} v_{i,\gamma}w_{i}^{*}\right)}_{\left\langle \vec{v},\vec{w}^{*}\right\rangle}\boldsymbol{b}^{*}\right]. \end{aligned} $$
4. 4.

   Generate e←SampleRight\(\left (\boldsymbol {a},-\left \langle \vec {v},\vec {w}^{*}\right \rangle \boldsymbol {b}^{*},\sum \limits _{i=1}^{l}\sum \limits _{\gamma =0}^{t}v_{i,\gamma }\mathbf {R}_{i,\gamma }^{*},\mathbf {T}_{\boldsymbol {b}^{*}},u,\sigma \right)\).

Output the secret key \(sk_{\vec {v}}=\boldsymbol {e}\).

Sim.Enc(PP, \(\vec {w}, \boldsymbol {m}\), MK): The algorithm is the same as the FE.Enc algorithm, except:

• In Step 1, the random vector b^∗∈MK is used to replace the vector b.

• In Step 5(a), the random matrices \(\mathbf {R}^{*}_{i,\gamma }\in \text {MK}\) are used to replace the matrices R_i,γ for i=1,⋯,l and γ=0,⋯,t.

In order to prove Theorem 2, we consider a security game against the adversary \(\mathcal {A}\) that plays the weak attribute hiding game as follows. The challenger \(\mathcal {C}\) samples a bit b←{0,1} at the beginning of the game. \(\mathcal {A}\) outputs two attribute vectors \(\vec {w}_{b}\) for b∈{0,1}. \(\mathcal {C}\) then runs the FE.Setup and FE.KeyGen algorithms to answer \(\mathcal {A}\)’s queries, and it also generates the ciphertext using the \(\mathbf {FE.Enc}\left (\vec {w}_{b},\boldsymbol {m}_{b}\right)\) and sends it to \(\mathcal {A}\). Finally \(\mathcal {A}\) returns a bit b^′. Our construction is secure if there is no probability polynomial time adversary \(\mathcal {A}\) to output b^′=b with more probability that is non-negligibly away from \(\frac {1}{2}\).

Next, we define a series of games which are statistically or computationally indistinguishable with the above security game against \(\mathcal {A}\). What’s more, according to the simulation scheme, \(\mathcal {A}\) can only request keys when the predicate vector \(\vec {v}\) satisfies \(\left \langle \vec {v},\vec {w}_{b}\right \rangle \neq 0\) for b∈{0,1}.

• Game 1: The challenger \(\mathcal {C}\) runs the FE.Setup and FE.KeyGen to answer the adversary \(\mathcal {A}\)’s key queries. Then \(\mathcal {C}\) computes the challenge ciphertext from \(\mathbf {FE.Enc}\left (\vec {w}_{0},\boldsymbol {m}_{0}\right)\) and sends it to \(\mathcal {A}\).

• Game 2: The challenger \(\mathcal {C}\) runs the \(\mathbf {Sim.Setup}\left (\vec {w}^{*}=\vec {w}_{0}\right)\) and Sim.KeyGen to answer \(\mathcal {A}\)’s key queries. Then \(\mathcal {C}\) computes the challenge ciphertext from \(\mathbf {Sim.Enc}\left (\vec {w}_{0},\boldsymbol {m}_{0}\right)\) and sends it to \(\mathcal {A}\).

• Game 3: The challenger \(\mathcal {C}\) runs the \(\mathbf {Sim.Setup}\left (\vec {w}^{*}=\vec {w}_{0}\right)\) and Sim.KeyGen to answer \(\mathcal {A}\)’s key queries. Then \(\mathcal {C}\) chooses uniformly the challenge ciphertext from the ciphertext space and sends it to \(\mathcal {A}\).

• Game 4: The challenger \(\mathcal {C}\) runs the \(\mathbf {Sim.Setup}\left (\vec {w}^{*}=\vec {w}_{1}\right)\) and Sim.KeyGen to answer \(\mathcal {A}\)’s key queries. Then \(\mathcal {C}\) chooses uniformly the challenge ciphertext from the ciphertext space and sends it to \(\mathcal {A}\).

• Game 5: The challenger \(\mathcal {C}\) runs the \(\mathbf {Sim.Setup}\left (\vec {w}^{*}=\vec {w}_{1}\right)\) and Sim.KeyGen to answer \(\mathcal {A}\)’s key queries. Then \(\mathcal {C}\) computes the challenge ciphertext from \(\mathbf {Sim.Enc}\left (\vec {w}_{1},\boldsymbol {m}_{1}\right)\) and sends it to \(\mathcal {A}\).

• Game 6: The challenger \(\mathcal {C}\) runs the FE.Setup and FE.KeyGen to answer \(\mathcal {A}\)’s key queries. Then \(\mathcal {C}\) computes the challenge ciphertext from \(\mathbf {FE.Enc}\left (\vec {w}_{1},\boldsymbol {m}_{1}\right)\) and sends it to \(\mathcal {A}\).

Lemma 8

Assume that m≥3n logq, then it follows that,

• At the view of the adversary \(\mathcal {A}\), the Game 1 is statistically indistinguishable with the Game 2.

• At the view of the adversary \(\mathcal {A}\), the Game 5 is statistically indistinguishable with the Game 6.

Proof

We prove (a) only because we can prove (b) with the same way.

Firstly, we demonstrate the public parameters and the ciphertext output by the FE.Setup and vFE.Enc algorithms are statistically indistinguishable from those output by the Sim.Setup and Sim.Enc algorithms. That is, for every i=1,⋯,l and γ=0,⋯,t, we need to argue the distributions of the set E_i,γ in Game 1 and Game 2 are statistically indistinguishable, where E_i,γ as the set (a,{a_i,γ,c_i,γ}).

In Game 1, the vector a is selected from the TrapGen. Then for all but a 2^−Ω(κ) fraction of all a follow from uniformly distribution over \(R_{q}^{m}\). While in Game 2, the vector a is sampled uniformly from \(R_{q}^{m}\). Therefore, the distributions of a are statistically indistinguishable in both games.

Next, we discuss the joint distributions {a_i,γ,c_i,γ} in the both games. In Game 1, the vector a_i,γ is sampled uniformly from the \(R_{q}^{m}\) and c_i,γ is equal to \(s\cdot \left (\boldsymbol {a}_{i,\gamma }+2^{\gamma }w_{i}^{*}\boldsymbol {b}^{*}\right)+2\boldsymbol {\eta }\cdot \mathbf {R}_{i,\gamma }^{*}\), where \(\mathbf {R}_{i,\gamma }^{*}\) is random independently in {−1,1}^m×m for every i=1,⋯l,γ=0,⋯,t and b^∗ is uniformly selected from \(R_{q}^{m}\). In Game 2, a_i,γ is calculated as \(\boldsymbol {a}\mathbf {R}_{i,\gamma }^{*}-2^{\gamma }w_{i}^{*}\boldsymbol {b}^{*}\), where \(\mathbf {R}_{i,\gamma }^{*}\) is random independently in {−1,1}^m×m for every i=1,⋯l,γ=0,⋯,t, and b^∗ generated by TrapGen is statistically close to uniformly random in \(R_{q}^{m}, \boldsymbol {c}_{i,\gamma }\) is equal to \(s\cdot \left (\boldsymbol {a}\mathbf {R}_{i,\gamma }^{*}-2^{\gamma }w_{i}^{*}\boldsymbol {b}^{*}+2^{\gamma }w_{i}^{*}\boldsymbol {b}^{*}\right)+2\boldsymbol {\eta }\cdot \mathbf {R}_{i,\gamma }^{*}\) where \(\boldsymbol {a}\mathbf {R}_{i,\gamma }^{*}-2^{\gamma }w_{i}^{*}\boldsymbol {b}^{*}\) is equal to the public parameter a_i,γ.

Furthermore, according to Lemma 6, the function \(\Phi _{\boldsymbol {a}}\left (\mathbf {R}_{i,\gamma }^{*}\right)=\boldsymbol {a}\mathbf {R}_{i,\gamma }^{*}\) is universal. Then it follows from that the statistical distance of the following two distributions is at most \(\frac {1}{2} \left (\frac {1}{2^{m^{2}}}\cdot q^{2nm}\right)^{\frac {1}{2}}\leq \frac {1}{2}q^{-\frac {1}{2}nm}\) by Lemma 5, namely, \(\left (\boldsymbol {a},\boldsymbol {a}\mathbf {R}_{i,\gamma }^{*},2\boldsymbol {\eta }\cdot {\mathbf {R}_{i,\gamma }^{*}}\right)\approx _{s}\left (\boldsymbol {a},\boldsymbol {a}_{i,\gamma },2\boldsymbol {\eta }\cdot {\mathbf {R}_{i,\gamma }^{*}}\right)\). Then for every fixed vector b^∗ and \(\vec {w}^{*}\), it follows that \(\left (\boldsymbol {a},\boldsymbol {a}\mathbf {R}_{i,\gamma }^{*}-2^{\gamma }w_{i}^{*}\boldsymbol {b}^{*},2\boldsymbol {\eta }\cdot {\mathbf {R}_{i,\gamma }^{*}}\right)\approx _{s}\left (\boldsymbol {a},\boldsymbol {a}_{i,\gamma },2\boldsymbol {\eta }\cdot {\mathbf {R}_{i,\gamma }^{*}}\right)\).

Since the matrix \(\mathbf {R}_{i,\gamma }^{*}\) is chosen independently for every i,γ, the joint distributions of these quantities for all i,γ are also statistically close:

Next, we need to add two quantities which are statistically indistinguishable to the both sides of the formula (3). Then we can get the following by the conclusion that applying any function to two statistically indistinguishable ensembles produces statistically indistinguishable ensembles, that is, for every i and γ:

By the above formula, the right side of the formula is the public parameters and the challenge ciphertext in Game 1, while the left side of the formula is the public parameters and the challenge ciphertext in Game 2. Hence, the public parameters and the challenge ciphertexts are statistically indistinguishable at the both games.

To complete the proof, we show that the secret keys output by Sim.KeyGen are statistically indistinguishable from those output by FE.KeyGen when given the public parameters and the challenge ciphertexts. In the two games, the secret key e follows from Gaussian distribution for Gaussian parameter σ, so the distributions of them are statistically indistinguishable when σ is sufficiently large. □

Lemma 9

If the decision R-LWE problem is infeasible, then it follows that:

• At the view of the adversary \(\mathcal {A}\), the Game 2 is computationally indistinguishable with the Game 3.

• At the view of the adversary \(\mathcal {A}\), the Game 4 is computationally indistinguishable with the Game 5.

Proof

It suffices to prove (a). Given m+1R-LWE instances (a_j,y_j) for j=0,⋯,mred, in which we define either y_j=s·a_j+2η_j for s is sampled uniformly from R_q and η_j is sampled from the discrete Gaussian χ, or y_j∈R_q is uniformly random. We denote c₀=(y₁,⋯,y_m).

We consider a variant experiment, in which the challenger \(\mathcal {C}\) runs the \(\mathbf {Sim.Setup}\left (\vec {w}^{*}=\vec {w}_{0}\right)\) and let a=(a₁,⋯,a_m),u=a₀. Then \(\mathcal {C}\) answers the queries of \(\mathcal {A}\) using the Sim.KeyGen algorithm. Finally, for i=1,⋯,l and \(\gamma =0,\cdots,t, \mathcal {C}\) computes \(c'=y_{0}+\boldsymbol {m}, \boldsymbol {c}_{i,\gamma }=\boldsymbol {c}_{0}{\mathbf {R}_{i,\gamma }^{*}}\) where \(\mathbf {R}_{i,\gamma }^{*}\in \) MK and sends (c₀,{c_i,γ},c^′) to \(\mathcal {A}\).

In Game 2, we observe that for i=1,⋯,l and γ=0,⋯,t, the challenge ciphertext c_i,γ using the Sim.Enc as follows,

\(\boldsymbol {c}_{i,\gamma }=s\cdot \left (\boldsymbol {a}\mathbf {R}_{i,\gamma }^{*}-2^{\gamma }w_{i}^{*}\boldsymbol {b}^{*}+2^{\gamma }w_{i}^{*}\boldsymbol {b}^{*}\right)+2\boldsymbol {\eta }\cdot {\mathbf {R}_{i,\gamma }^{*}}=\left (s\cdot \boldsymbol {a}+2\boldsymbol {\eta }\right){\mathbf {R}_{i,\gamma }^{*}}\).

When y_j=s·a_j+2η_j, then \(\boldsymbol {c}_{i,\gamma }=\boldsymbol {c}_{0}{\mathbf {R}_{i,\gamma }^{*}}\) in the variant experiment is identical to corresponding ciphertext in Game 2.

On the other hand, when y_j is uniformly random in R_q, then the simulated ciphertext is \(\left (\boldsymbol {c}_{0},\left \{\boldsymbol {c}_{0}{\mathbf {R}_{i,\gamma }^{*}}\right \},c'\right)\) for i=1,⋯,l and γ=0,⋯,t. By the Lemma 6, we know that the function \(\Phi _{\boldsymbol {c}_{0}}=\mathbf {c}_{0}{\mathbf {R}_{i,\gamma }^{*}}\) is universal. Hence, by the variant of the leftover hash lemma (see Lemma 5), the statistical distance between the distribution of \(\left (\boldsymbol {c}_{0},\left \{\mathbf {c}_{0}{\mathbf {R}_{i,\gamma }^{*}}\right \},c'\right)\) with the uniform distribution is bounded from \(\frac {1}{2}q^{-\frac {1}{2}nm}\). While in the Game 3, the challenge ciphertext is selected uniformly from the ciphertext space. Therefore, the ciphertexts in the variant experiment and the Game 3 are statistically indistinguishable.

So we draw the conclusion that the statistical distance in the both games is negligible close under the hardness of R-LWE problem. □

Lemma 10

The Game 3 and the Game 4 are statistically indistinguishable at the view of the adversary \(\mathcal {A}\).

Proof

The only difference between the Game 3 and the Game 4 is the vector \(\vec {w}^{*}\) which is used to calculate the public parameter \(\boldsymbol {a}_{i,\gamma }=\boldsymbol {a}\mathbf {R}_{i,\gamma }^{*}-2^{\gamma }w_{i}^{*}\boldsymbol {b}^{*}\), where a and \(\mathbf {R}_{i,\gamma }^{*}\) are independent uniformly random samples. The function \(\Phi _{\boldsymbol {a}}:\mathbf {R}_{i,\gamma }^{*}\rightarrow \boldsymbol {a}\mathbf {R}_{i,\gamma }^{*}\) is universal according to Lemma 6. For every i∈{1,⋯,l} and \(\gamma \in \{0,\cdots,t\}, \left (\boldsymbol {a},\boldsymbol {a}\mathbf {R}_{i,\gamma }^{*}\right)\) is statistically indistinguishable from (a,U) where U is uniformly random. For the value \(C=2^{\gamma }w_{i}^{*}\boldsymbol {b}^{*}\) associated with the fixed b^∗ and \(w_{i}^{*}\), the distribution of U−C is also uniformly random.

Therefore, we conclude that for all i=1,⋯,l and γ=0,⋯,t, the distributions of a_i,γ in the both games are statistically indistinguishable. □

Proof of Theorem 2. Based on the Lemmas 8, 9 and 10, the Game 1 and Game 6 are statistically indistinguishable under the R-LWE hardness assumption. It indicates that there is no efficient adversary \(\mathcal {A}\) that can win the security experiment.

We have constructed a new functional encryption scheme for inner product predicates from R-LWE problem. In our construction, firstly, we use setup algorithm to generate the public parameters and the master secret key. Secondly, we compute the secret key associated with the predicate vector \(\vec {v}\) based on R-SIS problem using key generation algorithm. Thirdly, we calculate the ciphertext associated with the attribute vector \(\vec {w}\) based on R-LWE problem using encryption algorithm. Finally, the user then can decrypt successfully using the secret key when \(\left \langle \vec {v},\vec {w}\right \rangle =0\).

What’s more, the n samples from the LWE distribution can be replaced by a sample from the R-LWE distribution, which will reduce the size of the public key by a factor of n. Hence, our scheme is more efficiency in computation than the scheme of the reference (Agrawal et al. 2011).

Some questions still remain. For example, one direction is to improve the security of our construction for researchers. Firstly, our scheme is secure under the R-LWE hardness assumption. While Rosca et al. proposed Middle-Product LWE (MP-LWE) problem as a variant of the LWE problem and proved a reduction from polynomial LWE to MP-LWE (Roşca et al. 2017). Hence, it is a open question to construct functional encryption schemes based on MP-LWE hardness assumption. Secondly, our scheme is weakly attribute hiding in security model. Therefore, we can try to construct a functional encryption scheme that is fully attribute hiding.

All data generated or analysed during this study are included in this published article.

Not applicable.

project is supported by the National Natural Science Foundation of China (11701089, 61822202, 61872089) and Science and Technology Program of Fujian Province, China (2019J01428).

1. Shisen Fang and Shaojun Yang contributed equally to this work.

Authors and Affiliations

1. The Fujian Provincial Key Laboratory of Network Security and Cryptology, College of Mathematics and Informatics, Fujian Normal University, Fuzhou, 350108, PR, China

   Shisen Fang, Shaojun Yang & Yuexin Zhang

Contributions

This work is the original idea of Yang. All reporting including validating for correctness and security were performed by Fang. Correctness and security of the scheme were modified by Yang. Language modification of the article was completed by Zhang. All author(s) read and approved the final manuscript.

Corresponding author

Correspondence to Shisen Fang.

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions