Inner product encryption from ring learning with errors

Functional encryption schemes built on lattices can realize fine-grained encryption and resist quantum attacks. Unfortunately, the keys and ciphertexts in cryptographic applications based on learning with errors are large, which makes the algorithms inefficient. We therefore construct a functional encryption scheme for inner product predicates by improving the learning with errors scheme of Agrawal et al. [Asiacrypt 2011]; its security relies on the hardness assumption of ring learning with errors. Compared with the learning with errors scheme, our construction reduces the sizes of the keys and ciphertexts.


Introduction
Traditional public key encryption is "all or nothing" in accessing data: a user can either decrypt successfully or learn nothing about the plaintexts. Functional encryption (FE) (Boneh et al. 2011; O'Neill 2010) breaks through this restriction to a single user and a single decryption result, and it can realize fine-grained encryption. As an extension of traditional public key encryption, FE is an advanced cryptographic paradigm.
Two typical examples of FE are attribute-based encryption (ABE) (Goyal et al. 2006; Wang et al. 2019; Yun et al. 2018; Zhang and Wu 2017; Zhang et al. 2019) and predicate encryption (PE) (Attrapadung and Imai 2009; Agrawal et al. 2016; Boneh and Waters 2006; Blundo et al. 2010; Katz et al. 2008). In the (key-policy) ABE system, the secret key s is related to a predicate g and each ciphertext is related to an attribute I. A user who holds the secret key s is able to decrypt successfully if and only if g(I) = 1. The same holds for the PE system. However, there is an obvious difference between these two encryption systems: the attribute related to each ciphertext is revealed in the ABE system, while the attribute is hidden in the PE system.
ABE is an application of fuzzy identity-based encryption (Sahai and Waters 2005). In the ABE system (Agrawal et al. 2012; Ducas et al. 2014; Libert and Ţiţiu 2019; Yun et al. 2018; Zhang and Wu 2017; Zhang et al. 2019), data is encrypted on the basis of an individual identity associated with a series of attributes. Hence, ABE is applicable in cloud storage to provide authorized data privacy. However, there are some issues to solve before applying ABE in practice. For example, when a user's attributes are altered, ABE must support attribute revocation so that the user's access privilege is changed timely and effectively. In 2018, Liu et al. proposed a practical ABE scheme which can solve the aforementioned issue (Liu et al. 2018). ABE also has many other practical applications, such as network privacy (Baden et al. 2009), health record access control (Camenisch et al. 2012), verifiable computation (Parno et al. 2011), forward-secure messaging (Green and Miers 2015) and so on.
In the PE system, predicates computed as inner products over $\mathbb{Z}_N$ were proposed by Katz et al. (2008), where N is a composite number. They also provide a construction for inner product predicates, called inner product encryption (IPE). Because IPE is flexible and useful, a number of researchers have proposed IPE schemes (Agrawal et al. 2011; Abdalla et al. 2020; Abdalla et al. 2015; Chen et al. 2018; Okamoto and Takashima 2015; Kurosawa and Phong 2017; Li et al. 2018; Tseng et al. 2020; Wang et al. 2019; Xagawa 2013).
For example, Chen et al. proposed two IPE schemes achieving both adaptive security and full attribute-hiding in the prime-order bilinear group (Chen et al. 2018). In 2018, Kwangsu et al. first proposed a two-input IPE scheme in composite-order bilinear groups (LEE 2018). In 2019, Tomida et al. first constructed a multi-user and multi-challenge IPE scheme, which is constructible on a pairing-free group and secure under the matrix decisional Diffie-Hellman (MDDH) assumption (Tomida 2020). In a pairing-based IPE system, however, the algorithm tends to be computationally inefficient, since many pairings (linear in the vector length) are used during decryption. Therefore, in 2019, Wei et al. proposed an adaptively secure IPE scheme based on the dual system encryption method that requires only six bilinear pairings to decrypt (Wei and Gao 2019). In 2020, Tseng et al. proposed an IPE scheme that needs only one pairing computation to decrypt, which is the most efficient one in terms of the private key length and the number of pairing computations for decryption (Tseng et al. 2020).
As is well known, compared with conventional cryptography (designed based on certain hard problems), lattice-based cryptography resists quantum attacks. Moreover, a great number of lattice-based cryptographic schemes are based directly on two average-case problems, namely the small integer solution (SIS) problem and the LWE problem. These two problems have been confirmed to support worst-case hardness guarantees.
In 2011, Agrawal et al. proposed the first lattice-based IPE scheme (Agrawal et al. 2011). To optimize the sizes of the public parameters and the ciphertexts, Xagawa et al. proposed an improved lattice-based IPE scheme (Xagawa 2013), Li et al. proposed an IPE scheme that reduces the size by a factor of log κ compared with the work of (Xagawa 2013), where κ is a security parameter (Li et al. 2018), and Wang et al. proposed the first compact IPE scheme from learning with errors (LWE) in 2018. Those schemes are constructed on the basis of the first lattice-based IPE scheme (Agrawal et al. 2011). In addition, Abdalla et al. constructed a multi-input FE scheme combining the access control functionality of ABE with the possibility of performing linear operations on the encrypted data, and built identity-based functional encryption for inner products from lattices (Abdalla et al. 2020).
However, nearly all IPE schemes based upon these two problems suffer from either large key size or small message space. Although some researchers have improved the sizes of keys and ciphertexts of IPE schemes based on the LWE problem to a certain extent, they are still too large to be practical.
To gain efficiency in computation and confidence in security, we provide a construction by adapting the LWE-based scheme (Agrawal et al. 2011) to ring-LWE (R-LWE). R-LWE is an algebraic variant of LWE. In most practical applications, the n samples from the LWE distribution can be replaced by a sample from the R-LWE distribution, which reduces the size of the public key by a factor of n. Our construction is therefore of theoretical value and practical significance.

Our construction
Our approach. We construct a functional encryption scheme for inner product predicates based on the R-LWE problem, building on the ideas and techniques of the scheme in (Agrawal et al. 2011). In our construction, we generate the secret key associated with the predicate g using ring-SIS (R-SIS) and the ciphertext c associated with the attribute I using R-LWE. The user can then decrypt successfully using the secret key when g(I) = 1.
The security proof requires a simulated experiment that allows the simulator to answer secret key queries whenever g(I) = 0. Following the proof idea in (Agrawal et al. 2011), we make use of m + 1 R-LWE instances to generate a ciphertext that either decrypts correctly or decrypts to a random element in the message space M in this simulation. Therefore, we only need to use a weaker security model ("weak attribute hiding") in the security proof.
Our contribution. In this paper, we present an IPE scheme that is secure under the R-LWE hardness assumption. The scheme is at its core based on the LWE scheme of (Agrawal et al. 2011). Our scheme satisfies the slightly weaker notion considered by Okamoto and Takashima (2009) and Lewko et al. (2010).
Outline. The rest of the paper is organized as follows. In "Predicate encryption", we review some theoretical knowledge about predicate encryption. In "Preliminaries", we set some notations and provide some preliminaries about lattice theory and more. In "A functional encryption scheme for inner product predicates", we describe an IPE scheme concretely and prove the correctness and security of the scheme. In "Conclusion", we present some concluding remarks.

Predicate encryption
Let κ be the security parameter for the rest of this paper and let n = n(κ) be a power of two. We first recall the following definition of predicate encryption proposed by Katz et al. (2008), which is based on the definition of searchable encryption proposed by Boneh and Waters (2006).
Definition 1 ((Katz et al. 2008), Definition 2.1). A (key-policy) predicate encryption scheme for the class of predicates G over the set of attributes consists of four probabilistic polynomial-time (PPT) algorithms Setup, KeyGen, Enc, Dec such that:
• Setup: takes as input a security parameter κ and outputs a set of public parameters PP and a master secret key MK.
• KeyGen: takes as input the master secret key MK and a (description of a) predicate g ∈ G. It outputs a key $sk_g$.
• Enc: takes as input the public parameters PP, an attribute I ∈ , and a message m in some associated message space M. It returns a ciphertext C.
• Dec: takes as input a secret key $sk_g$ and a ciphertext C. It outputs either a message m or the distinguished symbol ⊥.
For correctness, we require that for all κ, (PP, MK) are generated by Setup($1^\kappa$), for all g ∈ G, any key $sk_g$ is generated by KeyGen(sk, g) and for all I ∈ , any ciphertext C is generated by Enc(PP, I, m):
• If g(I) = 1, then Dec($sk_g$, C) = m.
• If g(I) = 0, then Dec($sk_g$, C) = ⊥ with all but negligible probability.
In this paper, the correctness proof satisfies a different correctness condition, which follows the correctness idea of the LWE scheme (Agrawal et al. 2011): when C ← Enc(PP, I, m) with probability 1, then m ← Dec($sk_g$, C) if g(I) = 1; however, if g(I) = 0 then Dec($sk_g$, C) is computationally indistinguishable from a uniformly random element in the message space M.
Next, we introduce several notions of security for the PE scheme. The basic concept of security is called payload hiding. It guarantees that the ciphertext for the attribute I hides all information associated with the message, unless one holds a secret key giving the explicit capability to decrypt. Namely, the adversary A holding the keys $sk_{g_1}, \cdots, sk_{g_l}$ cannot get any information about the message encrypted under any attribute I satisfying $g_1(I) = \cdots = g_l(I) = 0$. A stronger notion of security is called attribute hiding. It requires that the ciphertext hide all information associated with the attribute I except the part which is leaked explicitly to one who holds the key. Namely, A, who possesses the keys, can obtain only the values of $g_1(I), \cdots, g_l(I)$. The last is an intermediate notion, weak attribute hiding, in which attribute hiding is guaranteed to hold only if A holds keys that cannot recover the message. Our scheme satisfies weak attribute hiding.
Definition 2 ((Katz et al. 2008), Definition 2.1). A predicate encryption scheme with respect to G and is attribute hiding if for any PPT adversaries A, the advantage of A in the following experiment is negligible in the security parameter κ:
is run to generate PP and MK, and the adversary is given PP.
3. A may adaptively request keys for any predicates $g_1, \cdots, g_l \in G$ subject to the restriction that $g_i(I_0) = g_i(I_1)$ for all i. In response, A is given the corresponding keys $sk_{g_i}$ ← KeyGen(MK, $g_i$).
4. A outputs two equal-length messages $m_0$ and $m_1$. If there is an i for which $g_i(I_0) = g_i(I_1) = 1$, then it is required that $m_0 = m_1$. A random bit b is chosen, and A is given the ciphertext C ← Enc(PP, $I_b$, $m_b$).
5. A may continue to request keys for additional predicates, subject to the same restrictions as before.
6. A outputs a bit $b'$, and succeeds if $b' = b$.
The advantage of A is the absolute value of the difference between its success probability and 1/2.
By the above definition, we observe that there exist two relations among the three notions of security. One is that any scheme which is weak attribute hiding is payload hiding; the other is that any scheme which is attribute hiding is weak attribute hiding.

Notation
Unless otherwise noted, we use lowercase letters (e.g. $a$) to express polynomials, bold lowercase letters (e.g. $\mathbf{a}$) to express vectors, bold capital letters (e.g. $\mathbf{A}$) to express matrices, and arrows (e.g. $\vec{v}$) to represent predicates or attributes. If $\mathbf{A}$ is an $m \times n$ matrix and $\mathbf{A}'$ is an $m' \times n$ matrix, then $\mathbf{A}\,\mathbf{A}'$ represents an $(m + m') \times n$ matrix formed by concatenating $\mathbf{A}$ and $\mathbf{A}'$. If $\mathbf{a}$ is a length-$m$ vector and $\mathbf{a}'$ is a length-$m'$ vector, then we denote by $\mathbf{a}|\mathbf{a}'$ the length-$(m + m')$ vector formed by concatenating $\mathbf{a}$ and $\mathbf{a}'$. If $S$ is a basis of a lattice, then $\tilde{S}$ denotes the Gram-Schmidt orthogonalization of $S$.
be the integer polynomial ring modulo both $f(x)$ and $q$, where $q$ is a prime and $f \in \mathbb{Z}[x]$ is a monic degree-$n$ polynomial. In particular, considering the security of our construction, we fix $f(x) = x^n + 1$ in the rest of the paper. For $a \in R_q$, we denote by $\|a\|$ the Euclidean norm of the vector $a = a_0 + a_1 x + \cdots + a_{n-1} x^{n-1}$ for $a_i \in \mathbb{Z}_q$. We define $\mathrm{rot}_f(a) \in R_q^{n \times n}$ as the matrix whose i-th row is given by the coefficients of the polynomial $1, x, \cdots, x^{n-1}$ T. The specific form of $\mathrm{rot}_f$ is given below:
$$\mathrm{rot}_f(a) = \begin{pmatrix} a_0 & a_1 & \cdots & a_{n-1} \\ -a_{n-1} & a_0 & \cdots & a_{n-2} \\ \vdots & \vdots & \ddots & \vdots \end{pmatrix}$$
We extend that notation to the vector $a \in R_q^m$ by applying $\mathrm{rot}_f$ component-wise. Namely, for $a = (a_1, a_2, \cdots, a_m)$, We define the norm of a matrix $R \in \{-1, 1\}^{m \times m}$ to be $\sup\{\|Rx\| : \|x\| = 1\}$. Then we recall the following result.

Lattice
We now recall some definitions and properties of lattices that we need in our system. The m-dimension lattice is generated by the set That is to say, the lattice is a full-rank discrete additive subgroup of $\mathbb{R}^m$. For $a \in R_q^m$, $u \in R_q$, we define the ring setting as follows: Next, we introduce R-SIS (Lyubashevsky and Micciancio 2006; Peikert and Rosen 2006) and R-LWE (Lyubashevsky et al. 2010; Stehlé et al. 2009) as the ring-based variants of SIS and LWE respectively. They have been proven to be at least as hard as the shortest independent vectors problem (SIVP) and the decision version of the shortest vector problem (GapSVP). There also exists a reduction from the search version of R-LWE to the average-case decision R-LWE. If, for every polynomial-time adversary A, the probability that A solves the decision R-LWE problem is only negligibly away from 1/2, then we say that the decision R-LWE problem is infeasible.
Definition 3 (Lyubashevsky and Micciancio 2006; Peikert and Rosen 2006, R-SIS$_{q,m,\beta}$) Given a vector $a = (a_1, \cdots, a_m) \in R_q^m$ of m uniformly random polynomials, find a non-zero vector of small polynomials $e = (e_1, \cdots, e_m) \in R_q^m$ such that $a e^T = \sum_{i=1}^{m} a_i e_i = 0 \bmod q$, and $0 \le \|e\| \le \beta$.
Definition 4 (Lyubashevsky et al. 2010; Stehlé et al. 2009, R-LWE Distribution) For $s \in R_q$ (the "secret") and an error distribution χ over $R_q$, a sample from the R-LWE distribution $A_{s,\chi}$ over $R_q^m \times R_q^m$ is generated by choosing $a \leftarrow R_q^m$ uniformly at random, choosing $\eta \leftarrow \chi^m$, and outputting $(a, s \cdot a + \eta)$.
Definition 5 (Lyubashevsky et al. 2010; Stehlé et al. 2009, R-LWE Search). Let $s \in R_q$ and let χ be an error distribution over $R_q$. The search version of R-LWE is defined as follows: given access to arbitrarily many independent samples from $A_{s,\chi}$ for some arbitrary $s \in R_q$ and $\eta \in \chi^m$, find s.
Gaussian distribution. We denote by $\rho_\sigma(a)$ the standard n-dimensional Gaussian distribution with center 0 and variance σ > 0, that is $\rho_\sigma(a) = \exp(-\pi \|a\|^2 / \sigma^2)$. For any $\sigma \in \mathbb{R}^+$ and a lattice as the subset of $\mathbb{Z}^n$, we define the lattice Gaussian distribution as What's more, we denote the error distribution as the discrete Gaussian distribution $D_{\mathbb{Z}^n,\sigma}$ for some σ > 0. A sample from is a polynomial in $R_q$. We will use the following property referring to the Gaussian distribution in our construction.
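The following added example (not code from the paper) builds rot_f for f(x) = x^n + 1 as described in the Notation section, uses it to multiply in R_q, and draws a sample from the R-LWE distribution of Definition 4. The parameters n = 16, m = 3, q = 12289, the rounded Gaussian standing in for χ, and all function names are assumptions chosen for illustration.

```python
import random

def rot(a, q):
    """rot_f(a) for f(x) = x^n + 1: row i holds the coefficients of x^i * a mod (f, q)."""
    row, rows = [c % q for c in a], []
    for _ in range(len(a)):
        rows.append(row)
        # Multiplying by x shifts every coefficient up one degree; the top
        # coefficient wraps around to degree 0 with a sign flip (x^n = -1).
        row = [(-row[-1]) % q] + row[:-1]
    return rows

def ring_mul(a, b, q):
    """a * b in R_q, computed as (coefficient vector of a) times rot_f(b)."""
    m = rot(b, q)
    n = len(a)
    return [sum(a[i] * m[i][j] for i in range(n)) % q for j in range(n)]

def rlwe_sample(s, m, q, sigma, rng):
    """One sample (a, s*a + eta) with a uniform in R_q^m, as in Definition 4.
    A rounded continuous Gaussian is an assumed stand-in for chi."""
    n = len(s)
    a = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    y = []
    for ai in a:
        eta = [round(rng.gauss(0, sigma)) for _ in range(n)]
        y.append([(p + e) % q for p, e in zip(ring_mul(s, ai, q), eta)])
    return a, y

def residual(a, y, s, q):
    """Largest centred coefficient of y - s*a over all m components."""
    worst = 0
    for ai, yi in zip(a, y):
        for p, c in zip(ring_mul(s, ai, q), yi):
            d = (c - p) % q
            worst = max(worst, min(d, q - d))
    return worst

def lwe_matrix_entries(a, q):
    """Number of Z_q entries once every component of a is expanded with rot_f."""
    return sum(len(row) for ai in a for row in rot(ai, q))

def demo(seed=7, n=16, m=3, q=12289, sigma=2.0):
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    a, y = rlwe_sample(s, m, q, sigma, rng)
    uniform = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    return {
        "rlwe_residual": residual(a, y, s, q),           # only the error remains
        "uniform_residual": residual(a, uniform, s, q),  # spread over Z_q
        "ring_entries": m * n,                           # stored as ring elements
        "matrix_entries": lwe_matrix_entries(a, q),      # stored as LWE matrices
    }

if __name__ == "__main__":
    print(demo())
```

Each ring element expands to an n x n matrix, so the same public vector costs n times more entries in matrix form, which is the factor-n saving the introduction refers to.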

Sample algorithm
Now we introduce the following properties about sample algorithms. The TrapGen algorithm (Lai et al. 2015) is to generate the trapdoor for the R-LWE scheme. The algorithm SampleLeft (Agrawal et al. 2010;Cash et al. 2010) is used in our system, while the algorithm SampleRight (Agrawal et al. 2010) is used in the simulation during the proof of security. We first recall the definition of the trapdoor in the ring setting.
Definition 6 ((Lai et al. 2015), Definition 2) Let $a \in R_q^m$, $g \in R_q^k$. A g-trapdoor for a is a collection of linearly independent vectors of ring elements $T_a \in R$
Theorem 1 ((Lai et al. 2015)) Let q, m, n, k be positive integers with q ≥ 2 and m > k. There exists a PPT algorithm TrapGen that outputs a pair $a \in R_q^m$, $T_a \in R_q^{(m-k) \times k}$ such that a is statistically indistinguishable from the uniform distribution over $R_q^m$ and the quality of the trapdoor $T_a$ is measured by its largest singular value $s_1(T_a)$.
By applying the definition and properties of $\mathrm{rot}_f$ to interpret a polynomial vector as an integer matrix, we obtain the two efficient trapdoor delegation algorithms given below, following (Agrawal et al. 2010).
Algorithm 1 SampleLeft(a, b, $T_a$, u, σ) (Agrawal et al. 2010)
Input: a vector $a \in R_q^m$ with the trapdoor $T_a$, a vector $b \in R_q^m$, a polynomial $u \in R_q$ and a Gaussian parameter σ.
Output: a vector $e \in R_q^{2m}$ satisfying $a e^T = u$, where a =
Lemma 4 ((Agrawal et al. 2010), Theorem 4) Let q > 2, m > 1 and σ > $T_b$ · √nm · ω(log nm), then the algorithm SampleRight(a, b, R, $T_b$, u, σ)
We will use the following variant of the leftover hash lemma, which is necessary when presenting our construction.
Lemma 5 ((Roşca et al. 2017), Lemma 2.1) Let X, Y, Z denote finite sets and let H be a universal family of hash functions h : X → Y. Let f : X → Z be arbitrary. Then for any random variable T taking values in X, we have:
Lemma 6 Let q be a prime. For $R \in \{-1, 1\}^{m \times m}$ and $a \in R_q$, define a : $\{-1, 1\}^{m \times m} \to R_q^m$ by the rule: a(R) = aR. Then {a} is universal.
Obviously, we need to prove $\Pr\left[\left(\sum_{i=1}^{m} a_i r_{i1}, \cdots, \sum_{i=1}^{m} a_i r_{im}\right) = (y_1, \cdots, y_m)\right] = \frac{1}{q^{nm}}$ for all $(y_1, \cdots, y_m) \in R_q^m$. Without loss of generality, we assume that $\sum_{i=1}^{m} a_i r_{i1} = 0$. Then by linearity, it suffices to prove that for all $y_1 \in R_q$, $\Pr\left[\sum_{i=1}^{m} a_i r_{i1} = y_1\right] = \frac{1}{q^n}$. We write $a_i$ as $a_{i0} + a_{i1} x + \cdots + a_{i,n-1} x^{n-1}$ and $y_1$ as $y_{10} + y_{11} x + \cdots + y_{1,n-1} x^{n-1}$ for $a_{ij}, y_{1j} \in \mathbb{Z}_q$. Then we calculate the following formula, $\sum_{i=1}^{m} a_i r_{i1} = a_1 r_{11} + a_2 r_{21} + \cdots + a_m r_{m1} = r_{11} \sum_{j=0}^{n-1} a_{1j} x^j + \cdots + r_{m1}$ which is equivalent to $\Pr\left[\sum_{i=1}^{m} a_i r_{i1} = y_1\right] = \frac{1}{q^n}$. Hence the hash function family is universal.

A functional encryption scheme for inner product predicates
In this section, we first describe a new predicate encryption scheme and prove its correctness and security. Our construction consists of four PPT algorithms: setup, key generation, encryption and decryption. In this scheme, each secret key is associated with a predicate vector $\vec{v} \in \mathbb{Z}_q^l$ (for some fixed l ≥ 2) and each ciphertext is associated with an attribute vector $\vec{w} \in \mathbb{Z}_q^l$. The decryption algorithm decrypts successfully if and only if $\langle \vec{v}, \vec{w} \rangle = 0 \pmod q$. Therefore, we define the predicate associated with the secret key as $g_{\vec{v}}(\vec{w}) = 1$ when $\langle \vec{v}, \vec{w} \rangle = 0 \pmod q$, and $g_{\vec{v}}(\vec{w}) = 0$ otherwise.

The construction
Let $\kappa \in \mathbb{Z}^+$ and l be the length of predicate and attribute vectors. Let m = m(κ, l), q = q(κ, l) and t = log q be positive integers. Let α and σ be positive real Gaussian parameters. Let the error distribution $\chi = D_{\alpha q}$ denote the discrete Gaussian distribution where each coefficient is sampled from $D_{\alpha q}$ and then rounded to the nearest integer. The plaintext space is $\{0, 1\}^n$, while the ciphertext space is
FE.Setup($1^\kappa$, $1^l$): Input a security parameter $\kappa \in \mathbb{Z}^+$ and a parameter l, do the following:
1. Use the algorithm TrapGen to obtain a vector $a \in R_q^m$ together with the trapdoor $T_a$.
2. Choose l · (1 + t) uniformly random vectors $a_{i,\gamma} \in R_q^m$ for i = 1, · · · , l and γ = 0, · · · , t.
3. Select a uniformly random polynomial $u \in R_q$.

FE.KeyGen(PP, MK, $\vec{v}$):
Input the public parameters PP, the master secret key MK and a predicate vector $\vec{v} \in \mathbb{Z}_q^l$, do:
1. For i = 1, · · · , l, let $v_i$ be the integer in [0, q − 1] which equals $v_i \bmod q$. Let the binary
Output the secret key $sk_{\vec{v}} = e$.
Next, we need to show that our construction is correct for certain parameter choices and secure under R-LWE hardness assumption. The specific proof is as follows.

The correctness
Lemma 7 Let the parameters q and α satisfy q > 16 (n + λnm) and α < 8
Proof According to the decryption algorithm, we have, the last equation holds because of $\langle \vec{v}, \vec{w} \rangle = 0$. By the above formula, we obtain, According to Lemma 3, we can get $a_{\vec{v}} e^T = u$ and e·c T = Finally, according to the third step of the decryption algorithm, we compute m as (2) Hence, in order to obtain $m = m'$, it suffices to certify We set $e \in R_q^{2m}$ as $[e_1|e_2]$ for $e_i \in R_q^m$. Then Eq. (2) can be rewritten as For η ∈ χ and η ∈ $\chi^m$, we have ‖η‖ < αq√n + n and ‖η‖ < αq√nm + nm with overwhelming probability because of the Gaussian tail bound. According to Lemma 1 and the triangle inequality, q/2 with overwhelming probability when α and q satisfy the condition in the lemma.
If (1) is unequal to 0. Since $s \in R_q$ and $b \in R_q^m$ are randomly chosen in the formula (1), the decryption algorithm cannot decrypt the message correctly.
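The added example below (not the paper's code) shows why decryption depends on ⟨v, w⟩: ciphertext components of the form s·a_{i,γ} + 2^γ w_i b + 2η, recombined with the bits v_{i,γ} of the predicate vector, leave the mask ⟨v, w⟩·b on top of s·a_v. Taking a_v and c_v as bit-weighted sums of a_{i,γ} and c_{i,γ}, working with m = 1, omitting the matrices R_{i,γ}, using s directly to expose the residual, and the parameters q = 12289, n = 16, l = 3 are all assumptions made for this sketch.

```python
import random

Q, N, ELL = 12289, 16, 3      # constructed toy parameters, f(x) = x^N + 1
T = Q.bit_length() - 1        # highest bit index of an integer in [0, Q-1]
NOISE_BOUND = 2 * ELL * (T + 1)

def ring_mul(a, b):
    """Product in R_q = Z_q[x]/(x^N + 1) by negacyclic convolution."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            sign = 1 if i + j < N else -1          # x^N = -1
            out[(i + j) % N] = (out[(i + j) % N] + sign * ai * bj) % Q
    return out

def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def scale(k, a):
    return [(k * x) % Q for x in a]

def bits(x):
    """Binary decomposition of x mod Q, least significant bit first."""
    return [((x % Q) >> g) & 1 for g in range(T + 1)]

def encrypt_components(w, s, b, pp, rng):
    """c[i][g] = s*a[i][g] + 2^g * w_i * b + 2*eta, eta coefficients in {-1, 0, 1}."""
    ct = []
    for i in range(ELL):
        row = []
        for g in range(T + 1):
            eta = [rng.choice((-1, 0, 1)) for _ in range(N)]
            mask = scale(pow(2, g, Q) * w[i], b)
            row.append(add(add(ring_mul(s, pp[i][g]), mask), scale(2, eta)))
        ct.append(row)
    return ct

def combine(v, items):
    """sum_i sum_g v_{i,g} * items[i][g], with v_{i,g} the bits of v_i."""
    acc = [0] * N
    for i in range(ELL):
        for g, bit in enumerate(bits(v[i])):
            if bit:
                acc = add(acc, items[i][g])
    return acc

def residual_norm(v, w, seed=1):
    """Largest centred coefficient of c_v - s*a_v = <v,w>*b + 2*(sum of eta)."""
    rng = random.Random(seed)
    uniform = lambda: [rng.randrange(Q) for _ in range(N)]
    s, b = uniform(), uniform()
    pp = [[uniform() for _ in range(T + 1)] for _ in range(ELL)]
    ct = encrypt_components(w, s, b, pp, rng)
    a_v, c_v = combine(v, pp), combine(v, ct)
    diff = add(c_v, scale(-1, ring_mul(s, a_v)))
    return max(min(x, Q - x) for x in diff)

if __name__ == "__main__":
    v = (1, 2, 3)
    print(residual_norm(v, (1, 1, Q - 1)), NOISE_BOUND)  # <v,w> = 0 mod Q
    print(residual_norm(v, (1, 1, 1)), NOISE_BOUND)      # <v,w> = 6
```

When ⟨v, w⟩ = 0 mod q the residual stays within the small noise bound, and otherwise the uniform b dominates it, matching the two cases of the correctness argument.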

The security
To demonstrate the security, we introduce several security games to prove that the security of the scheme can be reduced to the hardness of R-LWE problem.
Theorem 2 Suppose that m ≥ 3n log q. Then the above predicate encryption scheme is weakly attribute hiding under the R-LWE hardness assumption.
Before introducing these security games, we define a simulation construction consisting of alternative setup, key generation, and encryption algorithms, as follows.

Define the vectors a
a v := a|a v . Then it follows that Output the secret key $sk_{\vec{v}} = e$.
Sim.Enc(PP, $\vec{w}$, m, MK): The algorithm is the same as the FE.Enc algorithm, except:
1. In Step 1, the random vector $b^* \in MK$ is used to replace the vector b.
In order to prove Theorem 2, we consider a security game against the adversary A that plays the weak attribute hiding game as follows. The challenger C samples a bit b ← {0, 1} at the beginning of the game. A outputs two attribute vectors $\vec{w}_b$ for b ∈ {0, 1}. C then runs the FE.Setup and FE.KeyGen algorithms to answer A's queries, and it also generates the ciphertext using FE.Enc($\vec{w}_b$, $m_b$) and sends it to A. Finally A returns a bit $b'$. Our construction is secure if no probabilistic polynomial-time adversary A outputs $b' = b$ with probability that is non-negligibly away from 1/2. Next, we define a series of games which are statistically or computationally indistinguishable from the above security game against A. Moreover, according to the simulation scheme, A can only request keys when the predicate vector $\vec{v}$ satisfies $\langle \vec{v}, \vec{w}_b \rangle = 0$ for b ∈ {0, 1}.
Proof We prove (a) only because (b) can be proved in the same way.
Firstly, we demonstrate that the public parameters and the ciphertext output by the FE.Setup and FE.Enc algorithms are statistically indistinguishable from those output by the Sim.Setup and Sim.Enc algorithms. That is, for every i = 1, · · · , l and γ = 0, · · · , t, we need to argue that the distributions of the set $E_{i,\gamma}$ in Game 1 and Game 2 are statistically indistinguishable, where $E_{i,\gamma}$ is the set $(a, a_{i,\gamma}, c_{i,\gamma})$.
In Game 1, the vector a is output by TrapGen. Then all but a $2^{-(\kappa)}$ fraction of all a follow the uniform distribution over $R_q^m$. In Game 2, the vector a is sampled uniformly from $R_q^m$. Therefore, the distributions of a are statistically indistinguishable in both games.
Next, we discuss the joint distributions $(a_{i,\gamma}, c_{i,\gamma})$ in both games. In Game 1, the vector $a_{i,\gamma}$ is sampled uniformly from $R_q^m$ and $c_{i,\gamma}$ is equal to $s \cdot a_{i,\gamma} + 2^\gamma w_i^* b^* + 2\eta \cdot R^*_{i,\gamma}$, where $R^*_{i,\gamma}$ is chosen randomly and independently in $\{-1, 1\}^{m \times m}$ for every i = 1, · · · , l, γ = 0, · · · , t and $b^*$ is uniformly selected from $R_q^m$. In Game 2, $a_{i,\gamma}$ is calculated as $a R^*_{i,\gamma} - 2^\gamma w_i^* b^*$, where $R^*_{i,\gamma}$ is chosen randomly and independently in $\{-1, 1\}^{m \times m}$ for every i = 1, · · · , l, γ = 0, · · · , t, and $b^*$ generated by TrapGen is statistically close to uniformly random in R m i,γ is chosen independently for every i, γ, the joint distributions of these quantities for all i, γ are also statistically close: Next, we need to add two quantities which are statistically indistinguishable to both sides of the formula (3). Then we can get the following by the conclusion that applying any function to two statistically indistinguishable ensembles produces statistically indistinguishable ensembles, that is, for every i and γ: By the above formula, the right side of the formula is the public parameters and the challenge ciphertext in Game 1, while the left side of the formula is the public parameters and the challenge ciphertext in Game 2. Hence, the public parameters and the challenge ciphertexts are statistically indistinguishable in both games.
To complete the proof, we show that the secret keys output by Sim.KeyGen are statistically indistinguishable from those output by FE.KeyGen when given the public parameters and the challenge ciphertexts. In the two games, the secret key e follows a Gaussian distribution with Gaussian parameter σ, so their distributions are statistically indistinguishable when σ is sufficiently large.

Lemma 9 If the decision R-LWE problem is infeasible, then it follows that:
(a) In the view of the adversary A, Game 2 is computationally indistinguishable from Game 3.
(b) In the view of the adversary A, Game 4 is computationally indistinguishable from Game 5.
Proof It suffices to prove (a). We are given m + 1 R-LWE instances $(a_j, y_j)$ for j = 0, · · · , m, in which either $y_j = s \cdot a_j + 2\eta_j$, where s is sampled uniformly from $R_q$ and $\eta_j$ is sampled from the discrete Gaussian χ, or $y_j \in R_q$ is uniformly random. We denote $c_0 = (y_1, \cdots, y_m)$.
We consider a variant experiment, in which the challenger C runs Sim.Setup with $\vec{w}^* = \vec{w}_0$ and lets $a = (a_1, \cdots, a_m)$, $u = a_0$. Then C answers the queries of A using the Sim.KeyGen algorithm. Finally, for i = 1, · · · , l and γ = 0, · · · , t, C computes $c = y_0 + m$, where $R^*_{i,\gamma} \in MK$, and sends $(c_0, c_{i,\gamma}, c)$ to A. In Game 2, we observe that for i = 1, · · · , l and γ = 0, · · · , t, the challenge ciphertext $c_{i,\gamma}$ using Sim.Enc as follows, When $y_j = s \cdot a_j + 2\eta_j$, then $c_{i,\gamma} = c_0 R^*_{i,\gamma}$ in the variant experiment is identical to the corresponding ciphertext in Game 2.
On the other hand, when $y_j$ is uniformly random in $R_q$, then the simulated ciphertext is $(c_0, c_0 R^*_{i,\gamma}, c)$ for i = 1, · · · , l and γ = 0, · · · , t. By Lemma 6, we know that the function $c_0 = c_0 R^*_{i,\gamma}$ is universal. Hence, by the variant of the leftover hash lemma (see Lemma 5), the statistical distance between the distribution of $(c_0, c_0 R^*_{i,\gamma}, c)$ and the uniform distribution is bounded by $\frac{1}{2} q^{-\frac{1}{2} nm}$. In Game 3, the challenge ciphertext is selected uniformly from the ciphertext space. Therefore, the ciphertexts in the variant experiment and in Game 3 are statistically indistinguishable.
So we conclude that the statistical distance between the two games is negligible under the hardness of the R-LWE problem.

Lemma 10 Game 3 and Game 4 are statistically indistinguishable in the view of the adversary A.
Proof The only difference between Game 3 and Game 4 is the vector $\vec{w}^*$ which is used to calculate the public parameter $a_{i,\gamma} = a R^*_{i,\gamma} - 2^\gamma w_i^* b^*$, where a and $R^*_{i,\gamma}$ are independent uniformly random samples. The function a : $R^*_{i,\gamma} \to a R^*_{i,\gamma}$ is universal according to Lemma 6. For every i ∈ {1, · · · , l} and γ ∈ {0, · · · , t}, $(a, a R^*_{i,\gamma})$ is statistically indistinguishable from (a, U) where U is uniformly random. For the value $C = 2^\gamma w_i^* b^*$ associated with the fixed $b^*$ and $w_i^*$, the distribution of U − C is also uniformly random.
Therefore, we conclude that for all i = 1, · · · , l and γ = 0, · · · , t, the distributions of $a_{i,\gamma}$ in both games are statistically indistinguishable.
Proof of Theorem 2. Based on Lemmas 8, 9 and 10, Game 1 and Game 6 are statistically indistinguishable under the R-LWE hardness assumption. This indicates that there is no efficient adversary A that can win the security experiment.

Conclusion
We have constructed a new functional encryption scheme for inner product predicates from the R-LWE problem. In our construction, firstly, we use the setup algorithm to generate the public parameters and the master secret key. Secondly, we compute the secret key associated with the predicate vector $\vec{v}$ based on the R-SIS problem using the key generation algorithm. Thirdly, we calculate the ciphertext associated with the attribute vector $\vec{w}$ based on the R-LWE problem using the encryption algorithm. Finally, the user can decrypt successfully using the secret key when $\langle \vec{v}, \vec{w} \rangle = 0$.
Moreover, the n samples from the LWE distribution can be replaced by a sample from the R-LWE distribution, which reduces the size of the public key by a factor of n. Hence, our scheme is more efficient in computation than the scheme of (Agrawal et al. 2011).
Some questions still remain. For example, one direction is to improve the security of our construction. Firstly, our scheme is secure under the R-LWE hardness assumption, while Rosca et al. proposed the Middle-Product LWE (MP-LWE) problem as a variant of the LWE problem and proved a reduction from polynomial LWE to MP-LWE (Roşca et al. 2017). Hence, it is an open question to construct functional encryption schemes based on the MP-LWE hardness assumption. Secondly, our scheme is weakly attribute hiding in the security model. Therefore, we can try to construct a functional encryption scheme that is fully attribute hiding.