Efficient functional encryption for inner product with simulation-based security

Functional encryption (FE) is a novel paradigm for encryption scheme which allows tremendous flexibility in accessing encrypted information. In FE, a user can learn specific function of encrypted messages by restricted functional key and reveal nothing else about the messages. Inner product encryption (IPE) is a special type of functional encryption where the decryption algorithm, given a ciphertext related to a vector x and a secret key related to a vector y, computes the inner product x·y. In this paper, we construct an efficient private-key functional encryption (FE) for inner product with simulation-based security, which is much stronger than indistinguishability-based security, under the External Decisional Linear assumption in the standard model. Compared with the existing schemes, our construction is faster in encryption and decryption, and the master secret key, secret keys and ciphertexts are shorter.


Introduction
Traditional public key encryption provides all-or-nothing access to data, either recovering the entire plaintext or revealing nothing from the ciphertext. Functional Encryption (FE) (Dan et al. 2011;O'Neill 2010) is a very useful tool for non-interactive computation on encrypted data. In FE, the owner of master secret key msk can create a secret key sk f for a function f, which enables users to compute the value of f (x) by decrypting a ciphertext of x without revealing anything else about x. As cloud services are increasing rapidly, users' demand for computation on encrypted data is also increasing because cloud servers are by no means trustful. FE is one solution to this problem, providing a paradigm where users can compute a function f on encrypted data using a secret key sk f without revealing anything else about the encrypted data using data to the cloud server.
One of the principal interests in FE is what class of functions F can be supported and what kind of security can be achieved. It started from identity-based encryption (Boneh and Franklin 2001), followed by attributed-based encryption (Goyal et al. 2006), hidden vector encryption (Iovino and Persiano 2008;Caro et al. 2012) and predicate encryption (Katz et al. 2008;Shen et al. 2009). Amazingly, recent works realize computation of general polynomial-size circuits (Garg et al. 2016), although they require expensive assumptions like indistinguishability obfuscation, which are far from being practical. Motivated by this unreality, (Abdalla et al. 2015) introduced a new non-generic FE scheme specialized for computation of the evaluation of inner product values, which is efficient and constructed from standard assumptions. As (Abdalla et al. 2015) mentioned in their work, innerproduct is a very useful tool for statistics because it can provide the weighted mean. In an inner product encryption (IPE) scheme, a ciphertext ct x is related to a vector x ∈ Z n q of length n and a secret key sk y related to a vector y ∈ Z n q . Given the ciphertext and the secret key, the decryption algorithm computes the inner product x · y = encryption), a secret key corresponds to a predicate vector y ∈ Z n q and a ciphertext for a message m comes along with an attribute vector x ∈ Z n q , the decryption algorithm outputs m if x·y = 0. By contrast, the result of the IPE scheme in this paper is the actual value of the inner product.
Private-key IPE has several practical applications (Kim et al. 2018; as well, such as biometric authentication and nearest-neighbor search on encrypted data. Biometric-based authentication system is prevalent. It is well-known that biometrics are inherently noisy, authentication should be successful when the supplied biometric is close to a user's credential stored in the system. It is achieved by computing the Hamming distance between them, which is the number of bits differing from each other. Private-key inner product encryption can be used to compute the Hamming distance between the bitstrings of two vectors. Another application of IPE is the nearest-neighbor search on encrypted data. Consider an encrypted database of files F. Given a file f, the problem of k-nearest neighbor search is to find the prior-k files in F that are the most similar to f. The common measure of file similarity is the Euclidean distance between the vector representations of files. Private-key IPE gives an efficient way of performing the nearest-neighbor search over an encrypted database. Readers could refer to (Kim et al. 2018;) for a detailed introduction to these applications of IPE.

Related works
The first construction of IPE was presented by Abdalla et al. (2015) who developed a selectively secure scheme under the indistinguishability-based security. Subsequently, (Agrawal et al. 2016) and (Abdalla et al. 2016) have designed adaptively secure IPE constructions where the messages x 0 and x 1 may be adaptively chosen in time, based on the previously collected information. However, these constructions are built with public key and do not support any forms of function privacy. Then, researchers explored the possibility of attaining function privacy in the context of IPE. Bishop et al. (2015) constructed a functionhiding IPE scheme in the private key domain under the well-studied Symmetric External Diffie-Hellman(SXDH) assumption, which satisfies an indistinguishability-based definition, and considered adaptive adversaries. Roughly speaking, an IPE scheme is function-hiding if the keys and ciphertexts reveal no additional information about both x and y beyond their inner product. However, their security model imposes a little unrealistic admissibility constraint on the adversary's queries. All ciphertexts queries x 0 , x 1 and all secret key queries y 0 , y 1 are restrained by x 0 · y 0 = x 0 · y 1 = x 1 · y 0 = x 1 · y 1 .That makes the security of the scheme become weak. Datta et al. (2017) constructed a private-key function-hiding IPE scheme from the SXDH assumption that changed the restriction on adversaries' queries is only x 0 ·y 0 = x 1 ·y 1 . In their construction, secret keys and ciphertexts of n-dimensional vectors consist of 4n+8 groups elements. This was further improved upon in a work by Tomida et al. (2016) who gave a construction of a private-key function hiding IPE from the DLIN assumption where the secret keys and ciphertexts consist of 2n+5 groups elements. Recently, (Kim et al. 2019) put forth a construction of function-hiding IPE scheme with less parameter sizes and run time complexity than in Bishop et al. (2015); Datta et al. (2017). The scheme is proved simulation-based secure in the generic model of bilinear maps.
There are also several research works about Inner product encryption (Agrawal et al. 2015;Caro et al. 2013;Goldwasser et al. 2014;Abdalla et al. 2017); (Datta et al. 2018), such as Multi-Input inner product encryption(MIPE) and predicate encryption for inner product (Okamoto and Takashima 2009;Attrapadung and Libert 2010;Lewko et al. 2010;Okamoto 2011;Park 2011;Okamoto and Takashima 2012a;Okamoto and Takashima 2012b;Kawai and Takashima 2013;Zhenlin and Wei 2015;Zhang et al. 2019). In Goldwasser et al. (2014) introduced the definition of Multi-Input functional encryption, the functions can be evaluated on encrypted information to take multiple inputs, with each input corresponding to a different ciphertext. Abdalla et al. (2017) constructed the first scheme of Multi-Input inner product encryption which achieves message privacy, and (Datta et al. 2018) proposed a new scheme which they call unbounded private-key Multi-Input inner product functional encryption. Their scheme achieved function-hiding privacy, meanwhile they enabled the encryption of ciphertexts, and the generation of secret keys for unbounded vectors. In Dufour-Sans and Pointcheval (2019), described an unbounded inner product encryption which supported identity access control with succinct keys. Their construction is proven selectively secure in the random-oracle model based on the standard DBDH assumption. Tomida and Takashima (2018) did the similar research, but their construction didn't supported the function of identity access control. In Agrawal et al. (2020), resolved the question of simulation-based security for inner product encryption based on DDH, Paillier and LWE assumption. In 2008, the first predicate encryption for inner product was introduced by Katz et al. (2008), which allows evaluating predicates over Z N using inner product, where N is a composite number. In Okamoto and Takashima (2009) proposed the first hierarchical predicate encryption for inner product predicate, which allows a user with functionality that can delegate more restrictive functionality to another user, but their schemes had low inefficiency. Attrapadung and Libert (2010); Lewko et al. (2010); Okamoto (2011) constructed their IPE schemes respectively, which improves the efficiency of the previous scheme. However, the security proof of all previous studies based on non-standard assumptions. In order to address this issue, (Park 2011) proposed the first IPE scheme under the standard assumptions (i.e., decisional bilinear Diffie-Hellman (DBDH) and decisional linear (DLIN) assumptions). Okamoto and Takashima (2012a) proposed the first IPE scheme that is fully secure and fully attribute-hiding, and then (Okamoto and Takashima 2012b) further proposed the first unbounded IPE scheme that is also fully secure and fully attribute-hiding in the standard model under DLIN assumption. Kawai and Takashima (2013) introduced a new concept, called IPE with ciphertext conversion, which takes into account the security of predicate hiding. Zhenlin and Wei (2015) introduced another notion, called multi-party cloud computation IPE with multiplicative homomorphic property, which enables IPE to support multi-party cloud computation. Zhang et al. (2019) proposed a new IPE scheme based on double encryption system, which is proven to be adaptive security under weak attribute hiding model.
A lot of the problems mentioned above will lead an IPE scheme impractical and takes us the following problem: Can we optimize the length of the master secret key, ciphertexts and secret keys with the simulation-based security?

Our contribution
We construct a more efficient and flexible private-key IPE scheme with simulation-based security. To ensure correctness, our scheme requires that the computation of inner products is within a polynomial range (Datta et al. 2016), where discrete logarithm of g x·y can be found in polynomial time.

Efficiency
Our scheme is constructed based on dual paring vector spaces (DPVS). Namely, a master secret key is orthonormal bases of DPVS, secret keys and ciphertexts are vectors of DPVS, both key generation algorithm and encryption algorithm involve scalar multiplications on cyclic groups, and a decryption algorithm involves paring operations on bilinear paring groups. Our scheme is superior to other schemes, in terms of both necessary storage and computational efficiency.

Assumption and flexibility
The schemes of Bishop et al. (2015); Datta et al. (2016) are secure under the symmetric external Diffie-Hellman (SXDH) assumption, while our scheme is based on decision linear (DLIN) assumption or its variant (XDLIN). SXDH holds in only Type-3 bilinear pairing groups, DLIN and XDLIN hold in any type of bilinear pairing groups, so DLIN and XDLIN are weaker assumptions than SXDH.
For this reason, the schemes of Bishop et al. (2015) Datta et al. (2016) work in only Type-3 groups while we can use our scheme in any type of bilinear pairing groups.

Security
There are two notions of security for a FE scheme, indistinguishability-based security and simulation based security model. The former one requires that an adversary cannot distinguish between ciphertexts of any two messages m 0 , m 1 with access to a secret key sk f of function f such that f (m 0 ) = f (m 1 ). By contrast, the latter one requires that the view of the adversary can be simulated by a simulator, given only access to secret keys and functions evaluated on the corresponding messages. Note that simulation-based security has higher security strength than indistinguishability-based security such that there exists an indistinguishability-based secure FE scheme for a certain functionality which is not able to be proved secure under simulation-based security. Our scheme achieves simulation-based security, which is more secure than indistinguishability-based security.

Notation
For a set S, x U ← S denotes that x is uniformly chosen from S. For a probability distribution X, x R ← X denotes that x is chosen from X according to its distributions. For a prime q, Z q denotes a set of integers {0, · · · , q − 1}, and Z × q denotes a set of integers {1, · · · , q − 1}, 0 denotes a zero vector. For an n-dimensional vector x, x i (1 ≤ i ≤ n) denotes the i-th component of x. For vectors x, y ∈ Z n q , x · y denotes inner-product of x and y over Z q . For vector components, 0 n denotes a line of n zeros, e.g., a :=(0,0,0,1)=(0 3 ,1). Let A = {A n } n∈N and B = {B n } n∈N be distribution ensembles. We denote by A ≈ c B that A and B are computationally indistinguishable. Let negl(λ) be a negligible function in λ. B T denotes the transpose of matrix B. GL(n, Z q ) denotes the general linear group of degree n over Z q .

Bilinear pairing groups
Bilinear pairing groups are defined by the tuple (q, G 1 , G 2 , G T , e), where q is a prime, G 1 , G 2 and G T are cyclic groups of order q, and e : G 1 × G 2 → G T is a map that has the following properties: There are three types of bilinear groups according to whether efficient isomorphisms exist or not between G 1 and G 2 . In Type-1 bilinear groups, both the isomorphism φ: G 2 → G 1 and its inverse φ −1 : G 1 → G 2 can be computed efficiently, i.e., G 1 = G 2 . In Type-2 bilinear groups, the isomorphism φ: G 2 → G 1 is computed efficiently but its inverse is not. Type-3 groups do not have efficient isomorphisms between G 1 and G 2 . Type-1 groups are called symmetric bilinear pairing groups, and Type-2 and Type-3 are called asymmetric bilinear pairing groups. We use Type-3 groups to build our scheme in the paper. Let G abpg be an asymmetric bilinear pairing group generators that takes 1 λ and outputs a description of (q, G 1 , G 2 , G T , e) and generators of groups

Dual pairing vector space
Definition 1 (Lewko et al. 2010;Okamoto and Takashima 2009;Okamoto and Takashima 2015) (Dual Pairing Vector Spaces : DPVS): We briefly introduce the concept of DPVS. DPVS are defined by the tuple (q, V, V * , G T , A, A * , e), which is directly Then we describe random dual orthonormal bases as follows: We randomly select a new non-singular matrix X to do a linear transformation and achieve base change.
Let G ob be the random dual orthonormal basis generator that takes 1 λ and a dimension of bases n and outputs (param G , B, B * , g T ), where B, B * , g T are computed as above. We denote the combination(param G , g T ) by param V . For a vector x = (x 1 , · · · , x n ) T ∈ Z n q and a basis B :

External decision linear assumption
Definition 2  We choose an arbitrary For any probabilistic polynomial time (PPT) adversary A, if its advantage (defined as below) in solving XDLIN problem is negligible in λ, we say that the XDLIN assumption holds. Namely,

Private-key inner product encryption
A private-key IPE scheme is composed of the following four PPT algorithms.
• IPE.Setup 1 λ , n → (msk, pp): The setup algorithm takes as input the security parameters 1 λ and vector length n. Then it outputs a master secret key msk and public parameters pp. • IPE.Encrypt(msk, pp, x) → ct x : The encryption algorithm takes as input the master secret key msk, the public parameters pp, and a vector x ∈ Z n q . Then it outputs a ciphertext ct x . • IPE.KeyGen(msk, pp, y) → sk y : The key generation algorithm takes as input the master secret key msk, the public parameters pp, and a vector y ∈ Z n q . Then it outputs a secret key sk y .
• IPE.Decryption pp, ct x , sk y → m ∈ Z q or ⊥: The decryption algorithm takes as input the public parameters pp, a ciphertext ct x and a secret key sk y . Then it outputs either a value m = x · y ∈ Z q or a dedicated symbol ⊥.

Simulation-based security
The simulation-based security (Caro et al. 2013;O'Neill 2010) in the Fig. 1  (msk, st, ·), for l ∈ 1, · · · , q 1 , μ ∈ 1, · · · , q 2 , where x (l) and y (μ) are inputs of the l -th ciphertext query and the μ-th secret key query by A 1 , respectively. Note that the simulator algorithm S is stateful so that after each invocation, it updates the state st which is carried over to its next invocation.
An IPE scheme is simulation-based secure if there exists a PPT simulator S such that, for all PPT adversaries A, the outputs of the following two experiments are computationally indistinguishable:

Preliminary problems of security proof
In this section, we will introduce six lemmas and their security proofs. we firstly consider the following problems and use them to prove the security of our scheme.

Fig. 1 Simulation-based security
Definition 4 Problem1 is to guess b ∈ {0, 1}, given Definition 5 Problem2 is to guess a bit b ∈ {0, 1}, given Definition 6 Problem3 is to guess a bit b ∈ {0, 1}, given Definition 8 Problem5 is to guess a bit b ∈ {0, 1}, given For a PPT algorithm A, the advantage of A against Problem n (n = 1, 1 , 2, 3, 4, 5) is defined as where P b is an instance of Problem n defined above. Then following six lemmas hold.

Lemma 2 For all PPT adversary B for Problem1 , there exists a PPT adversary
Proof The proof follows in the same condition as Lemma 1.

Lemma 3 For all PPT adversary B for Problem2, there exists a PPT adversary
Proof We construct a PPT adversary A for Problem1 from any PPT adversary B for Problem2. A is given an instance of Problem1 param P1 , B, B * , y b , κG 1 , ξ G 2 . Then A generates a random linear transformation W on G n+5 , and sets We can see that (D, D * ) are dual orthonormal bases. A does not have b * 2 but it can compute

Lemma 4 For all PPT adversary B for Problem3, there exists a PPT adversary A such that
Proof We can construct a PPT adversary A for Prob-lem1 from any PPT adversary B for Problem3. A is given an instance of Problem1, (param P1 , B, B * , y b , κG 1 , ξ G 2 ). Then A generates a random linear transformation W on G n+5 , and sets We can see that (D, D * ) are dual orthonormal bases. A does not have b * 2 but it can compute Then A gives param V , D, D * , h b to B, and outputs b if B outputs b . We can see that h 0 := 0 n , α, 0, η, 0, γ D , h 1 := 0 n , α, 0, 0, 0, γ D , where α := δ, γ := σ and η := ρ. It is the same as an instance of Problem3. If B succeeds in solving Problem3, so does A in solving XDLIN problem.

Lemma 5 For all PPT adversary B for Problem4, there exists a PPT adversary
Proof We can construct a PPT adversary A for Problem1 from any PPT adversary B for Problem4. A is given an instance of Problem1 param P1 , B * , B, y * b , κG 1 , ξ G 2 . Then A generates a random linear transformation W on G n+5 , and sets We can see that (D, D * ) are dual orthonormal bases. A does not have b 2 but it can compute Then A gives (param V , D, D * , h * b ) to B, and outputs b if B outputs b . We can see that h * 0 := (0 n , 0, β, 0, θ, 0) D * , h * 1 := (0 n , 0, β, τ , θ, 0) D * ,where β := δ, θ := σ and τ := ρ. It is the same as an instance of Problem4. If B succeeds in solving Problem4, so does A in solving XDLIN problem.

Lemma 6 For all PPT adversary B for Problem5, there exists a PPT adversary
Proof We can construct a PPT adversary A for Problem1 from any PPT adversary B for Problem5. A is given an instance of Problem1 (param P1 , B * , B, y * b , κG 1 , ξ G 2 ). Then A generates a random linear transformation W on G n+5 , and sets We can see that (D, D * ) are dual orthonormal bases. A does not have b 2 but it can compute to B, and outputs b if B outputs b . We can see that h * 0 := 0 n , 0, β, τ , θ, 0 D * , h * 1 := 0 n , 0, θ, τ , 0, 0 D * , where β := δ, τ := σ and θ := ρ. It is the same as an instance of Problem5. If B succeeds in solving Problem5, so does A in solving XDLIN problem.

Scheme
In this section, we present our construction of IPE scheme with simulation-based security.
The encryption algorithm samples α, η ∈ Z q at random and outputs a ciphertext ct x as • IPE.KeyGen(msk, pp, y) → sk y : The secret key generation algorithm samples β, θ ∈ Z q at random and outputs a secret key sk y as It then attempts to determine m ∈ Z q such that g m T = d. If there is m that satisfies the equation, the algorithm outputs m. Otherwise, it outputs ⊥. Due to the polynomial-size range of possible values for m, the decryption algorithm runs in polynomial time.
Remark. We stress that the polynomial running time of our decryption algorithm is ensured by restricting the output to lie within a fixed polynomial-size range.
Correctness: For any ct x and sk y in IPE.Encrypt and IPE.KeyGen algorithms respectively, the pairing evaluations in the decryption algorithm compute as follows: ( 1 ) If the decryption algorithm takes polynomial time in the size of the plaintext space, it will output m = x · y as desired.

Security proof
In this section, we will prove that our construction is secure under the simulation-based security based on XDLIN assumption in the standard model.

Security proof of our scheme
In order to finish the security proof, we follow the simulation-based security definition (Caro et al. 2013;O'Neill 2010). A simulator responds to queries by an adversary A and provides simulated secret keys and simulated ciphertexts to A. The simulator is comprised of three algorithms: Setup, Encrypt and KeyGen.
• Setup: It generates a master secret key msk and public parameters pp, which are transferred to the adversary A. Specially, on input (1 λ , n), it sets (msk, pp) ← IPE.Setup. The simulator will use the master secret key and the public parameters to respond the queries of A in Encrypt and KeyGen. • Encrypt: It simulates the ciphertexts of challenge messages x (1) , · · · , x (q 1 ) , where x (1) , . . . , x (q 1 ) are output by A. q 1 is the number of the challenge messages. Let q 2 be the number of secret key queries in the first stage. Encrypt receives as input msk, pp, nonadaptive secret key queries y (1) , · · · , y (q 2 ) made by A, together with x (l) · y (1) , · · · , x (l) · y (q 2 ) for each 1 ≤ l ≤ q 1 , and the secret keys (y, sk y ), · · · , (y, sk y ).
In order to prove the views of A in IPE.Encrypt and that in Encrypt have the same distribution, we introduce a new algorithm Encrypt as a transition, where ct x = (x, α, 0, η, 0, γ ) B .
• KeyGen: It simulates the answer to the second stage queries of A. It receives as input msk, pp, the vector y, where y is the secret key query made by A, and the values (x (1) · y), · · · , x (q 1 ) · y , where x (1) , · · · , x (q 1 ) are the challenge messages. The normal secret key is (y, 0, β, 0, θ, 0) B * generated by IPE.KeyGen, where β, θ U ← Z q . The simulated secret key is Analogous to Encrypt, we also introduce a new algorithm KeyGen as a transition, where sk y = y, 0, β, τ , θ, 0 B * .
In our scheme the decryption result should satisfy Eq. (1), so we define the simulated ciphertext and simulated secret key as (x, α, 0, 0, 0, γ ) B and (y, 0, β, τ , 0, 0) B * , respectively, which would make the Eq. (1) hold as well. Next, we will prove that the output of an ideal world experiment and output of the real world experiment are indistinguishable via a hybrid argument.
Proof A brief overview of the security proof is shown in the Fig. 2. By a standard hybrid argument, we prove the distributions of the outputs in Encrypt and KeyGen are computationally indistinguishable from the normal ciphertexts and the normal secret keys, respectively. We list a series of hybrid experiments H 1 , · · · , H 6 in Table 1, where H 1 is the real world experiment and H 6 is the ideal world experiment. We then prove that hybrid experiment is indistinguishable from the neighboring one.
1 Hybrid H 1 : This is the real experiment. 2 Hybrid H 2 : This experiment is the same as H 1 except that the master secret key and the public parameters are generated by Setup. Namely, the ciphertext ct x and the secret key sk y are generated by IPE.Encrypt and IPE.KeyGen: 3 Hybrid H 3 : This experiment is the same as H 2 except that every challenge ciphertext is ct x = x, α, 0, η, 0, γ B , which is generated by Encrypt . 4 Hybrid H 4 : This experiment is the same as H 3 except that every challenge ciphertext is ct x = x, α, 0, 0, 0, γ B , which is generated by Encrypt. 5 Hybrid H 5 : This experiment is the same as H 4 except that, for every secret key query y, the corresponding secret key is sk y = (y, 0, β, τ , θ, 0) B * , which is generated by KeyGen . 6 Hybrid H 6 : This experiment is the same as H 5 except that, for every secret key query y, the corresponding secret key is sk y = (y, 0, β, τ , 0, 0) B * , which is generated by KeyGen.
We analyse that the view of A is composed of the public parameters and the answers of the secret key queries Simulated Ciphertexts: B randomly chooses μ = {1, · · · , q 1 }, where q 1 is the number of the ciphertext queries asked by adversary A. To answer the ciphertext query that A makes, B chooses random α, η U ← Z q and γ U ← Z × q and computes and answers as We analyse that the view of A is composed of the public parameters and the answers of the secret key queries and the ciphertext queries.
We analyse that the view of A is composed of the public parameters and the answers of the ciphertexts queries and the secret key queries. Proof Suppose that there exists a PPT adversary A that can distinguish the output distributions of H 5 and H 6 . Then, we construct a PPT algorithm B which is given an instance of Problem5 (param V , B, B * , g * b ) for b ∈ {0, 1} and simulates H 5 and H 6 .
Setup: B runs IPE.Setup(1 λ , n) and outputs msk = B, B * and pp = 1 λ , param V . B gives A the public parameters pp and the master secret key msk is only known to B.
So we complete the proof.

Comparison
To demonstrate the advantage of our IPE scheme, we compare it with some related schemes (Bishop et al. 2015;Tomida et al. 2016;Datta et al. 2017; in the Table 2. Performance in our scheme is superior to that in the previous schemes in both storage complexity and computation complexity. Our scheme has shorter secret keys and ciphertexts. Additionally, our scheme is secure under weaker assumptions than other schemes. IND and SIM mean indistinguishabilitybased security and simulation-based security, respectively. KeyGen and Encrypt mean scalar multiplication on a cyclic group of IPE.KeyGen algorithm and IPE.Encrypt algorithm, respectively, and Decrypt means pairing operation on a bilinear pairing group of IPE.Decryption algorithm.

Conclusion
In this paper, we presented an efficient private-key inner product encryption scheme which achieves simulationbased security. Our scheme utilizes asymmetric bilinear pairing groups of prime order under the XDLIN assumption. There are still some open problems for inner product encryption can be explored and researched further.
One of the problems is to build unbounded FE schemes for different functionalities, such as Quadratic Polynomials (Baltico et al. 2017). Another one is to construct a Multi-Input inner product encryption scheme under simulation-based security. Abdalla et al. (2017).