Multi-input Quadratic Functional Encryption from Pairings

Agrawal, Shweta; Goyal, Rishab; Tomida, Junichi

doi:10.1007/978-3-030-84259-8_8

Shweta Agrawal¹⁰,
Rishab Goyal¹¹ &
Junichi Tomida¹²

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12828))

Included in the following conference series:

Annual International Cryptology Conference

2335 Accesses
3 Altmetric

Abstract

We construct the first multi-input functional encryption (MIFE) scheme for quadratic functions from pairings. Our construction supports polynomial number of users, where user i, for $i \in [n]$, encrypts input $\mathbf{x}_i \in \mathbb {Z}^m$ to obtain ciphertext $\mathsf {CT}_i$, the key generator provides a key $\mathsf {SK}_\mathbf{c}$ for vector $\mathbf{c} \in \mathbb {Z}^{({mn})^2}$ and decryption, given $\mathsf {CT}_1,\ldots ,\mathsf {CT}_n$ and $\mathsf {SK}_\mathbf{c}$, recovers $\langle \mathbf{c}, \mathbf{x} \otimes \mathbf{x} \rangle $ and nothing else. We achieve indistinguishability-based (selective) security against unbounded collusions under the standard bilateral matrix Diffie-Hellman assumption. All previous MIFE schemes either support only inner products (linear functions) or rely on strong cryptographic assumptions such as indistinguishability obfuscation or multi-linear maps.

S. Agrawal—Research supported by the DST “Swarnajayanti” fellowship, an Indo-French CEFIPRA project and the CCD Centre of Excellence. Part of the research corresponding to this work was conducted while visiting the Simons Institute for the Theory of Computing.

R. Goyal—Research supported in part by NSF CNS Award #1718161, an IBM-MIT grant, and by the Defense Advanced Research Projects Agency (DARPA) under Contract No. HR00112020023. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA. Work done in part while at the Simons Institute for the Theory of Computing, supported by Simons-Berkeley research fellowship.

You have full access to this open access chapter, Download conference paper PDF

Unbounded Quadratic Functional Encryption and More from Pairings

Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption

Identity-Based Functional Encryption for Quadratic Functions from Lattices

Keywords

1 Introduction

Functional encryption (FE) [12, 29] is a novel cryptographic paradigm that moves beyond the “all or nothing” access of traditional public key encryption and enables fine grained access to encrypted data. Concretely, an FE scheme that supports a function class $\mathcal {F}$ allows an owner of a master secret to issue a secret key $\mathsf {SK}_f$ for a function $f \in \mathcal {F}$. Decryption of a ciphertext $\mathsf {CT}_x$ for a message x with $\mathsf {SK}_f$ yields f(x) and nothing else. Functional encryption has been extensively studied in the literature, with elegant constructions supporting various function classes, achieving different notions of security and from diverse assumptions, e.g., [3, 9, 13, 19, 20].

Multi-input functional encryption (MIFE) [22] is a natural generalization of FE, which supports functions that take multiple inputs. In MIFE, multiple parties can encrypt data independently – thus, n users may encrypt their data $x_{1} , \ldots ,x_{n}$ to produce ciphertexts $\mathsf {CT}_{1} , \ldots ,\mathsf {CT}_{n}$, which can be decrypted using a functional key $\mathsf {SK}_f$ to learn $f(x_{1}, \ldots ,x_{n})$ and nothing else.

Research in MIFE has followed two broad directions. On one hand, it was shown that for general function classes (all polynomial sized circuits), FE is powerful enough to imply MIFE (albeit with exponential loss), which in turn implies the powerful notion of indistinguishability obfuscation (iO) [8, 11]. On the other hand, for restricted function classes such as constant degree polynomials, single-input schemes do not generically imply multi-input schemes and constructing multi-input schemes directly proved significantly more challenging. Intuitively, this is because in the multi-input setting, inputs $x_1, \ldots ,x_n$ encrypted using independent sources of randomness must be combined in a secure way to “emulate” the single input setting where encodings of $x_1 , \ldots ,x_n$ may be tied together using common randomness. Nevertheless, for the inner product functionality, several novel MIFE constructions emerged based on simple, standard polynomial hardness assumptions [1, 2, 4, 6, 15, 17, 27, 30].

Beyond Inner Products. While the inner product functionality is useful for several meaningful applications (we refer the reader to [6] for a discussion), it is evidently desirable, from the viewpoint of both theory and practice, to extend the reach of MIFE from standard assumptions beyond inner products. In the single input setting, there has been significant progress in this direction. For quadratic functions, several FE schemes have been constructed from standard assumptions on pairings [9, 21, 28]^{Footnote 1}. Indeed, from pairings, there have also been innovative constructions for “degree 2.5” FE [7], the so-called “partially hiding functional encryption” (PHFE) schemes. Intuitively, PHFE permits part of the encryptor’s input to be public and supports deeper computation on the public input as compared to the private input.

However, in the multi-input setting, constructions going beyond inner products have proved elusive. Note that unlike the single input setting, quadratic MIFE cannot be trivially constructed from inner product MIFE even with large ciphertext, since the naive idea of encrypting all quadratic monomials in advance cannot deal with quadratic terms derived from two different users. Therefore, there are currently no candidate constructions for MIFE supporting quadratic polynomials, from standard, polynomial hardness assumptions^{Footnote 2}. This is a significant gap in our understanding of MIFE, and motivates the fundamental question:

Can we construct MIFE for quadratic functions from pairings?

1.1 Our Results

In this work, we answer the above question affirmatively and construct the first MIFE scheme for quadratic functions from pairings. In more detail, we construct n-input MIFE scheme for the function class $\mathcal {F}_{m,n}$, which is defined as follows. Each function $f \in \mathcal {F}_{m,n}$ is represented by a vector $\mathbf{c} \in \mathbb {Z}^{(mn)^{2}}$. For inputs $\mathbf{x}_{1} , \ldots ,\mathbf{x}_{n} \in \mathbb {Z}^{m}$, f is defined as $ f(\mathbf{x}_{1} , \ldots ,\mathbf{x}_{n}) :=\langle \mathbf{c}, \mathbf{x} \otimes \mathbf{x} \rangle $ where $\mathbf{x}=(\mathbf{x}_{1}|| \cdots ||\mathbf{x}_{n})$ and $\otimes $ denotes the Kronecker product. In a quadratic MIFE scheme for $\mathcal {F}_{m,n}$, a user can encrypt $\mathbf{x}_{i} \in \mathbb {Z}^{m}$ to $\mathsf {CT}_{i}$ for slot $i \in [n]$, a key issuer can generate a secret key $\mathsf {SK}$ for $\mathbf{c} \in \mathbb {Z}^{(mn)^{2}}$, and decryption of $\mathsf {CT}_{1} , \ldots ,\mathsf {CT}_{n}$ with $\mathsf {SK}$ reveals only $\langle \mathbf{c}, \mathbf{x} \otimes \mathbf{x} \rangle $ and nothing else.

To begin, we show that in the public key setting, quadratic MIFE can be generically obtained from public-key IPFE, which can be obtained even without pairings, in a relatively simple manner, as the case of public-key inner product MIFE [6]. Then we provide our main construction in the much more challenging secret-key setting^{Footnote 3}. Our construction relies on the bilateral matrix Diffie-Hellmen assumption [18] and achieves standard indistinguishability-based (selective) security against unbounded collusions. We observe that in the symmetric key setting, selective security is the same as “semi-adaptive” [14, 23] security. Recall that in semi-adaptive security, the adversary is permitted to see the public key before committing to the challenge. In the symmetric key setting, since the “public key” is simply public parameters of the scheme, such as group description, which may always be provided to the adversary in the first step of the game, the distinction between selective and semi-adaptive is moot. Thus, our construction achieves the same level of security as single input quadratic FE [9, 21, 28].

Our construction is built using two newly introduced primitives that we call predicated IPFE and mixed-group multi-input IPFE, which we describe next. Predicated IPFE (pIPFE) is a class of attribute-based IPFE [5], but additionally with a function hiding property. In more detail, a ciphertext $\mathsf {pCT}$ and a secret key $\mathsf {pSK}$ of a pIPFE scheme $\mathsf {pFE}$ are associated with two vectors $\{\mathbf{x}_{1},\mathbf{x}_{2}\}$ and $\{\mathbf{y}_{1},\mathbf{y}_{2}\}$, respectively. Decryption of $\mathsf {pCT}$ with $\mathsf {pSK}$ reveals $\langle \mathbf{x}_{2}, \mathbf{y}_{2} \rangle $ iff $\langle \mathbf{x}_{1}, \mathbf{y}_{1} \rangle =0$. Secret keys are required to hide $\mathbf{y}_{2}$ but not $\mathbf{y}_{1}$, This scheme is the first instantiation of function-hiding attribute-based IPFE, which may be of independent interest. Mixed group multi input IPFE is similar to multi input IPFE but supports mixed groups, as suggested by the name. In more detail, consider a function $f:(G_{1}^{m_{1}}\times G_{2}^{m_{2}})^{n} \rightarrow G_{T}$, specified by $([\mathbf{y}_{1,1}]_{2}, [\mathbf{y}_{1,2}]_{1} , \ldots ,[\mathbf{y}_{n,1}]_{2}, [\mathbf{y}_{n,2}]_{1})$ where $\mathbf{y}_{i,1} \in \mathbb {Z}_p^{m_{1}}$ and $\mathbf{y}_{i,2} \in \mathbb {Z}_p^{m_{2}}$ and defined as $f\big (([\mathbf{x}_{1,1}]_{1},[\mathbf{x}_{1,2}]_{2} ), \ldots ,([\mathbf{x}_{n,1}]_{1},[\mathbf{x}_{n,2}]_{2} )\big ) :=[\langle (\mathbf{x}_{1,1},\mathbf{x}_{1,2}, \ldots ,\mathbf{x}_{n,1},\mathbf{x}_{n,2}), (\mathbf{y}_{1,1},\mathbf{y}_{1,2}, \ldots ,\mathbf{y}_{n,1},\mathbf{y}_{n,2}) \rangle ]_{T}$

Mixed group multi input IPFE is also required to achieve function-hiding. We provide constructions for these primitives by leveraging a (multi-input) function-hiding IPFE scheme based on pairings [4, 10, 17]. These constructions may be of independent interest.

1.2 Our Techniques

As discussed above, quadratic MIFE in the public-key setting is simple to achieve due to the leakage inherent in that setting. We formalize this in the full version of this paper. Hence, as in prior work [6], we focus on the much more challenging secret key setting. In the following, we basically use m for the vector length of each user and n for the number of slots.

Lin’s Single Key Quadratic FE. The starting point of our secret-key quadratic MIFE scheme is the secret-key quadratic FE scheme from pairings by Lin [28], which in turn builds upon the public key IPFE scheme from DDH by Abdalla et al. [3] (ABDP). We begin by recalling the ABDP scheme. In what follows, we let $g_{\ell }$ denote the generator of a cyclic group of order p and for matrix $\mathbf{A} = (a_{i,j})_{i,j}$, we denote $(g_{\ell }^{a_{i,j}})_{i,j}$ by $[\mathbf{A}]_{\ell }$. The ABDP scheme works as follows:

$\mathsf {Setup}(1^{\lambda })$: $\mathbf{w} \leftarrow \mathbb {Z}_p^{m},\; \mathsf {PK}:=[\mathbf{w}],\;\mathsf {MSK}:=\mathbf{w}.$
$\mathsf {Enc}(\mathsf {PK}, \boldsymbol{\mathrm {{x}}} \in \mathbb {Z}^{m})$: $s \leftarrow \mathbb {Z}_p,\; \mathsf {CT}:=([s], [\mathbf{x}+s\mathbf{w}]).$
$\mathsf {KeyGen}(\mathsf {MSK}, \mathbf{c} \in \mathbb {Z}^{m})$: $\mathsf {SK}:=-\mathbf{c}^{\top }{} \mathbf{w}.$
$\mathsf {Dec}(\mathsf {CT}, \mathsf {SK})$: $-\mathbf{c}^{\top }{} \mathbf{w}[s]+\mathbf{c}^{\top }[\mathbf{x}+s\mathbf{w}]=[\langle \mathbf{c}, \mathbf{x} \rangle ]$.

Lin’s quadratic (secret key) FE scheme uses a clever interleaving of IPFE schemes. To compress the size of ABDP ciphertexts for quadratic terms, she leverages function-hiding IPFE, which is inherently secret-key [10]. Decryption of components in this scheme yields ciphertexts under the ABDP IPFE scheme, while secret keys of the ABDP scheme are generated using another function hiding IPFE. Finally, decryption of ABDP IPFE allows to recover the output.

In more detail, let $\mathsf {iFE} = (\mathsf {iSetup}, \mathsf {iEnc}, \mathsf {iKeyGen}, \mathsf {iDec})$ be a function-hiding IPFE scheme based on pairings. Note that all known function-hiding IPFE schemes based on pairings output a decryption value as an exponent of the target-group generator [10, 16, 26, 28, 31]. A simplification of her quadratic FE scheme (we omit the components of the scheme that are only required for the proof of security) is as follows:

$\mathsf {Setup}(1^{\lambda })$: $\mathbf{w}=(w_{1} , \ldots ,w_{m}), \widetilde{\mathbf {w}}=(\widetilde{w}_{1} , \ldots ,\widetilde{w}_{m}) \leftarrow \mathbb {Z}_p^{m},\; \mathsf {iMSK}' \leftarrow \mathsf {iSetup}(1^{\lambda })$

$\mathsf {MSK}:=(\mathsf {iMSK}', \mathbf{w}, \widetilde{\mathbf {w}}).$
$\mathsf {Enc}(\mathsf {MSK}, \boldsymbol{\mathrm {{x}}} \in \mathbb {Z}^{m})$: $s \leftarrow \mathbb {Z}_p,\; \mathsf {iCT}' \leftarrow \mathsf {iEnc}(\mathsf {iMSK}', s),\; \mathsf {iMSK}\leftarrow \mathsf {iSetup}(1^{\lambda })$

$\mathsf {iCT}_{i} \leftarrow \mathsf {iEnc}(\mathsf {iMSK},(x_{i}, w_{i})),\mathsf {iSK}_{i} \leftarrow \mathsf {iKeyGen}(\mathsf {iMSK},(x_{i}, s\widetilde{w}_{i})).$

$\mathsf {CT}:=(\mathsf {iCT}', \{\mathsf {iCT}_{i}, \mathsf {iSK}_{i}\}_{i \in [m]}).$
$\mathsf {KeyGen}(\mathsf {MSK}, \mathbf{c}=\{c_{i,j}\}_{i,j \in [m]} \in \mathbb {Z}^{m^{2}})$:

$\mathsf {SK}:=\mathsf {iSK}' \leftarrow \mathsf {iKeyGen}(\mathsf {MSK}', -\mathbf{c}^{\top }(\mathbf{w} \otimes \widetilde{\mathbf {w}}))$.
$\mathsf {Dec}(\mathsf {CT}, \mathsf {SK})$: $\mathsf {iDec}(\mathsf {iCT}', \mathsf {iSK}')+\sum _{i,j \in [m]}c_{i,j}\mathsf {iDec}(\mathsf {iCT}_{i}, \mathsf {iSK}_{j})=[\langle \mathbf{c}, \mathbf{x} \otimes \mathbf{x} \rangle ]_{T}$.

To decrypt, we compute $\mathsf {iDec}(\mathsf {iCT}_{i}, \mathsf {iSK}_{j})= [x_{i}x_{j} +sw_{i}\widetilde{w}_{j}]_{T}$, which can be seen as the (i, j)-th element of the ABDP ciphertext $[\mathbf{x} \otimes \mathbf{x}+s\mathbf{w} \otimes \widetilde{\mathbf {w}}]_{T}$, and $\mathsf {iDec}(\mathsf {iCT}', \mathsf {iSK}') = [-s\mathbf{c}^{\top }(\mathbf{w} \otimes \widetilde{\mathbf {w}})]_{T}$, where $-\mathbf{c}^{\top }(\mathbf{w} \otimes \widetilde{\mathbf {w}})$ is an ABDP secret key for $\mathbf{c}$. The function-hiding property of $\mathsf {iFE}$ guarantees that $\mathsf {iSK}$ hides $x_{i}$. Since $\mathbf{w} \otimes \widetilde{\mathbf {w}}$ only appears on the exponent, one can argue that it is computationally indistinguishable from random in the security proof using the SXDH assumption.

IP-MIFE instead of IPFE. To generalize the above scheme to the multi-input setting, our first attempt is to modify Lin’s scheme so that decryption of the function hiding IPFE scheme generates ciphertexts of a multi-input IPFE (IP-MIFE) scheme [4] (ACFGU) instead of a single input IPFE scheme (ABDP). Intuitively, the reason for using IP-MIFE instead of IPFE is to deal with multiple independent randomnesses derived from different users, which inherently come in when generating the IPFE ciphertext elements for quadratic terms. Now, we may hope that the key generator can provide a secret key matching the ACFGU scheme so that decryption of ciphertexts of the ACFGU scheme yields the desired result. Fortunately, the ACFGU scheme does not use pairings, so this basic template does not seem impossible. However, this starting point idea runs into several hurdles as we discuss below.

Let us recall the n-input ACFGU scheme:

$\mathsf {Setup}(1^{\lambda })$: $\mathsf {MSK}:=\mathbf{w}_{1} , \ldots ,\mathbf{w}_{n}, \mathbf{u}_{1} , \ldots ,\mathbf{u}_{n} \leftarrow \mathbb {Z}_p^{m}.$
$\mathsf {Enc}(\mathsf {MSK}, i,\mathbf{x}_{i}\in \mathbb {Z}^{m})$: $s_{i} \leftarrow \mathbb {Z}_p,\; \mathsf {CT}_{i} :=([s_{i}], [\mathbf{x}_{i}+s_{i}{} \mathbf{w}_{i}+\mathbf{u}_{i}]).$
$\mathsf {KeyGen}(\mathsf {MSK}, (\mathbf{c}_{1} , \ldots ,\mathbf{c}_{n}) \in \mathbb {Z}^{mn})$: $\mathsf {SK}:=(-\sum _{i \in [n]}\langle \mathbf{c}_{i}, \mathbf{u}_{i} \rangle ,\{-\mathbf{c}_{i}^{\top }{} \mathbf{w}_{i}\}_{i \in [n]} ).$
$\mathsf {Dec}(\mathsf {CT}_{1} , \ldots ,\mathsf {CT}_{n}, \mathsf {SK})$:

$\sum _{i \in [n]}(-\mathbf{c}_{i}^{\top }{} \mathbf{w}_{i}[s_{i}]+\mathbf{c}_{i}^{\top }[\mathbf{x}_{i}+s_{i}{} \mathbf{w}_{i}+\mathbf{u}_{i}])-[\sum _{i \in [n]}\langle \mathbf{c}_{i}, \mathbf{u}_{i} \rangle ]=[\sum _{i \in [n]}\langle \mathbf{c}_{i}, \mathbf{x}_{i} \rangle ]$.

For intuition, we note that the ACFGU scheme may be thought of as running n instances of the ABDP scheme, where each ABDP decryption outputs the $i^{th}$ inner product $\langle \mathbf{c}_{i}, \mathbf{x}_{i} \rangle $. Revealing each partial inner product $\langle \mathbf{c}_{i}, \mathbf{x}_{i} \rangle $ would leak too much information, so these partial decryptions are masked using $\langle \mathbf{c}_{i}, \mathbf{u}_{i} \rangle $ – this creates an extra term $\sum _{i \in [n]}\langle \mathbf{c}_{i}, \mathbf{u}_{i} \rangle $ during decryption, which, fortunately may be computed by the key generator and is compensated for by subtraction.

A First Candidate. Armed with these ideas, we construct a first candidate quadratic MIFE $\mathsf {qFE}=(\mathsf {qSetup}, \mathsf {qEnc}, \mathsf {qKeyGen}, \mathsf {qDec})$ as follows. For ease of exposition, we assume below that the dimension of each user’s input vector m is set to 1.

$\mathsf {qSetup}(1^{\lambda })$: $\mathsf {iMSK}, \mathsf {iMSK}' \leftarrow \mathsf {iSetup}(1^{\lambda }),\;w_{i}, \widetilde{w}_{i}, u_{i}, \widetilde{u}_{i} \leftarrow \mathbb {Z}_p$

$\mathsf {qMSK}:=(\mathsf {iMSK}, \mathsf {iMSK}', \{w_{i}, \widetilde{w}_{i}, u_{i}, \widetilde{u}_{i}\}_{i \in [n]}).$
$\mathsf {qEnc}(\mathsf {qMSK}, i,x_{i} \in \mathbb {Z})$: $s_{i}, \widetilde{s}_{i} \leftarrow \mathbb {Z}_p$

$\mathsf {iCT}'_{i} \leftarrow \mathsf {iEnc}(\mathsf {iMSK}',s_{i}),\;\mathsf {iSK}'_{i} \leftarrow \mathsf {iKeyGen}(\mathsf {iMSK}',\widetilde{s}_{i})$

$\mathsf {iCT}_{i} \leftarrow \mathsf {iEnc}(\mathsf {iMSK},(x_{i}, s_{i}w_{i}, u_{i})), \; \mathsf {iSK}_{i} \leftarrow \mathsf {iKeyGen}(\mathsf {iMSK},(x_{i}, \widetilde{s}_{i}\widetilde{w}_{i},\widetilde{u}_{i}))$ $\mathsf {qCT}_{i} :=( \mathsf {iCT}'_{i}, \mathsf {iSK}'_{i}, \mathsf {iCT}_{i}, \mathsf {iSK}_{i}).$
$\mathsf {qKeyGen}(\mathsf {MSK}, \mathbf{c} \!=\!\{c_{i,j}\}_{i,j \in [n]} )$:

$\mathsf {qSK}\!:=\! ([-\sum _{i,j \in [n]} c_{i,j}u_{i}\widetilde{u}_{j}]_{T}, \{-c_{i,j}w_{i}\widetilde{w}_{j}\}_{i,j \in [n]} ).$
$\mathsf {qDec}(\mathsf {qCT}_{1} , \ldots ,\mathsf {qCT}_{n}, \mathsf {qSK})$:

$-\sum _{i,j \in [n]}c_{i,j}w_{i}\widetilde{w}_{j}\mathsf {iDec}(\mathsf {iCT}'_{i}, \mathsf {iSK}'_{j})+\sum _{i,j \in [n]}c_{i,j}\mathsf {iDec}(\mathsf {iCT}_{i}, \mathsf {iSK}_{j})$ $-[\sum _{i,j \in [n]} c_{i,j}u_{i}\widetilde{u}_{j}]_{T}=[\langle \mathbf{c}, \mathbf{x} \otimes \mathbf{x} \rangle ]_{T}$

Observe that $\{\mathsf {iCT}_{i}, \mathsf {iSK}_{i}\}_{i \in [n]}$ yield $\{[x_{i} x_{j}+s_{i}\widetilde{s}_{j}w_{i}\widetilde{w}_{j}+u_{i} \widetilde{u}_{j}]_{T}\}_{i,j \in [n]}$ in decryption, which can be seen as ciphertexts of the $n^{2}$-input ACFGU scheme. We also remark that we decompose the ACFGU ciphertext into ciphertexts and secret keys of function-hiding IPFE so as to allow decryptors to generate ACFGU ciphertext elements for quadratic terms derived from two different users. This is in contrast to Lin’s quadratic FE scheme, which uses function-hiding IPFE to compress the ciphertext size.

However, this scheme is not secure and leaks unnecessary information to the decryptor. The problem stems for the fact that the candidate scheme allows two types of mix-and-match attacks where an adversary can simultaneously use two different ciphertexts with the same index (slot) for decryption. In more detail, the adversary can learn the following information using the current scheme. Below, the superscript denotes the ciphertext index and subscript denotes the slot in a given ciphertext – thus, $\mathsf {qCT}^{1}_{i}$ denotes the $1^{st}$ ciphertext for the $i^{th}$ slot (recall there can be multiple ciphertexts in a given slot).

1.
Attack 1: For $\mathsf {iCT}^{1}_{i}$ in $\mathsf {qCT}^{1}_{i}$ and $\mathsf {iSK}^{2}_{i}$ in $\mathsf {qCT}^{2}_{i}$, we have that $\mathsf {iDec}(\mathsf {iCT}^{1}_{i}, \mathsf {iSK}^{2}_{i})$ is a valid ACFGU ciphertext and usable for the ACFGU decryption with $\mathsf {qSK}$. This is problematic because it permits combining components from different ciphertexts $\mathsf {qCT}^{1}_{i}$ and $\mathsf {qCT}^{2}_{i}$ for the same slot i, which does not correspond to a valid combination. Recall that in an MIFE scheme, a ciphertext in slot i may be combined with multiple ciphertexts in slot $j \ne i$ but not with other ciphertexts in slot i. However, ciphertext components $\mathsf {iCT}^{1}_{i}$ and $\mathsf {iSK}^{1}_{i}$ from the same ciphertext and in the same slot i are allowed to be combined. Thus, to prevent this attack, we need to enforce that ciphertext components can be combined only when they come either from different slots or the same $\mathsf {qCT}_{i}$.
2.
Attack 2: Let $i_{1} \ne i_{2}$. For $\{\mathsf {iCT}^{1}_{i_{1}},\mathsf {iSK}^{1}_{i_{1}}\} $ in $\mathsf {qCT}^{1}_{i_{1}}$, $\{\mathsf {iCT}^{1}_{i_{2}}, \mathsf {iSK}^{1}_{i_{2}}\} $ in $\mathsf {qCT}^{1}_{i_{2}}$ and $\mathsf {iSK}^{2}_{i_{2}}$ in $\mathsf {qCT}^{2}_{i_{2}}$, we have that $\mathsf {iDec}(\mathsf {iCT}^{1}_{i_{1}}, \mathsf {iSK}^{1}_{i_{1}})$, $\mathsf {iDec}(\mathsf {iCT}^{1}_{i_{1}}, \mathsf {iSK}^{2}_{i_{2}})$ and $ \mathsf {iDec}(\mathsf {iCT}^{1}_{i_{2}}, \mathsf {iSK}^{1}_{i_{2}})$ are valid ACFGU ciphertexts and usable for the decryption with $\mathsf {qSK}$. This decryption leads to an inconsistency attack, where an adversary can compute a function over multiple ciphertexts for a given slot.

As an example, let us consider the case where a decryptor has ciphertexts for (scalar) elements $x^1_1, x^1_2, x^2_2$ and a secret key for quadratic function $f=(c_{1,1}, c_{1,2}, c_{2,2})$ (w.l.o.g., we can assume $c_{2,1}=0$). Now, the only valid function evaluations that an adversary should learn are
However, the above leakage enables the adversary to additionally learn, e.g.,
$$c_{1,1}x^1_1x^1_1+ c_{1,2}x^1_1{\underline{x^2_2}}+ c_{2,2}x^1_2 {\underline{x^1_2}} $$
The above uses two different inputs (underlined) for the second slot for the same function evaluation, which is invalid. More generally, valid combinations correspond to the set of superscripts (in red) (1, 1), (1, 1), (1, 1) and (1, 1), (1, 2), (2, 2). However, the adversary can learn function evaluations corresponding to (1, 1), (1, r), (s, t) for any $r,s,t \in [2]$ in the current candidate scheme.

Thus, both attacks leverage the decomposable structure of the quadratic ciphertext to mix and match invalid components to obtain leakage. While both attacks have the similarity that they combine different ciphertexts for the same slot in a given evaluation, the technical treatment to handle them needs to differ. This is because to address the first attack, we must prevent the attacker from combining (1, 1), (1, r), (s, t) for $s \ne t$ while for the second, we must prevent the same for $r \ne t$. Intuitively, r and t are the indices related to the ciphertexts of $\mathsf {iFE}$ while s is the index related to the secret keys of $\mathsf {iFE}$, and thus prohibiting the case of $s \ne t $ and that of $r \ne t$ are essentially different things, which must be handled separately. Next, we describe how each of these attacks may be prevented.

Preventing Attack 1. Recall that Lin’s quadratic FE scheme does not allow attack 1 since the encryption algorithm generates a new $\mathsf {iMSK}$ for each ciphertext. On the other hand, our candidate uses the same $\mathsf {iMSK}$ for all ciphertexts so that decryptors can generate ACFGU ciphertext elements for quadratic terms from two different users. To prevent this attack, we need a function-hiding IPFE scheme where $\mathsf {iCT}$ is decryptable with $\mathsf {iSK}$ if and only if they come from either different slots or the same $\mathsf {qCT}_{i}$. Thus, we need to extend the functionality of function-hiding IPFE to check the above condition prior to computation. Although this primitive is reminiscent of “attribute-based IPFE” [5], we also need the function-hiding property which has not been considered in prior works.

To address this need, we define and construct a function-hiding “predicated IPFE” (pIPFE), which can be seen as a combination of inner product encryption [25] and IPFE. Informally, a ciphertext $\mathsf {pCT}$ and a secret key $\mathsf {pSK}$ of a pIPFE scheme $\mathsf {pFE}$ are associated with two vectors $\{\mathbf{x}_{1},\mathbf{x}_{2}\}$ and $\{\mathbf{y}_{1},\mathbf{y}_{2}\}$, respectively. Here, the secret key must hide $\mathbf{y}_{2}$ but do not $\mathbf{y}_{1}$. Decryption of $\mathsf {pCT}$ with $\mathsf {pSK}$ reveals $\langle \mathbf{x}_{2}, \mathbf{y}_{2} \rangle $ iff $\langle \mathbf{x}_{1}, \mathbf{y}_{1} \rangle =0$.

To see how function-hiding predicated IPFE yields the desired functionality, let us set $\mathbf{x}_{1}=(0^{2(i-1)},1, L, 0^{2(n-i)}), \;\mathbf{y}_{1}=(0^{2(i-1)},L,-1, 0^{2(n-i)})$ where $L \in \mathbb {Z}_p$ is sampled randomly for each encryption, and $i \in [n]$. Let $(i_{1},L_{1})$ (resp. $(i_{2},L_{2})$) be a pair of a slot index and random element of $\mathbf{x}_{1}$ (resp. $\mathbf{y}_{1}$). It is easy to see that $\langle \mathbf{x}_{1}, \mathbf{y}_{1} \rangle =0$ iff $i_{1} \ne i_{2}$ or $L_{1}=L_{2}$. Since L is chosen from an exponentially large space, we have that $L_{1}\ne L_{2}$ with overwhelming probability. We construct a function-hiding predicated IPFE scheme $\mathsf {pFE}$ from a function-hiding IPFE scheme $\mathsf {iFE}$ in a generic way. Please see Sect. 3 for details.

Preventing Attack 2. Attack 2 is much more tricky to handle. A problematic aspect of this attack is the fact that $\mathsf {iDec}(\mathsf {iCT}^{1}_{i_{1}}, \mathsf {iSK}^{1}_{i_{1}})$ and $\mathsf {iDec}(\mathsf {iCT}^{1}_{i_{2}}, \mathsf {iSK}^{1}_{i_{2}})$ are necessary for decryption of ciphertexts $\mathsf {qCT}^{1}_{i_{1}}, \mathsf {qCT}^{1}_{i_{2}}$ respectively, and $\mathsf {iDec}(\mathsf {iCT}^{2}_{i_{2}}, \mathsf {iSK}^{1}_{i_{1}})$ is necessary for combined decryption of the pair $\mathsf {qCT}^{1}_{i_{1}}, \mathsf {qCT}^{2}_{i_{2}}$. However, they leak inappropriate information if both of them are used in decryption simultaneously. Thus, we cannot solve the problem by building in some sort of access control into $\mathsf {iFE}$ decryption as in the case of attack 1.

Our solution is to bind ACFGU ciphertexts generated from the $\mathsf {iFE}$ decryption with common random elements. That is, $\mathsf {iCT}_{i}$ in $\mathsf {qCT}_{i}$ is changed to encryption of $(x_{i}, s_{i}w_{i}, u_{i}, t_{i}v_{i})$, and $\mathsf {iSK}_{i}$ is changed to a secret key of $(x_{i}, \widetilde{s}_{i}\widetilde{w}_{i}, r_{i}\widetilde{u}_{i}, \widetilde{v}_{i})$ where $v_{i}, \widetilde{v}_{i}$ are new elements in $\mathsf {qMSK}$ and $r_{i}, t_{i}$ are the common random elements for binding ACFGU ciphertexts, which are chosen by $\mathsf {qEnc}$. Then, decryption with $\{\mathsf {iCT}_{i}, \mathsf {iSK}_{i}\}_{i \in [n]}$ yields $\{[x_{i}x_{j}+s_{i}\widetilde{s}_{j}w_{i}\widetilde{w}_{j}+r_{j}u_{i}\widetilde{u}_{j}+t_{i}v_{i}\widetilde{v}_{j} ]_{T}\}_{i,j \in [n]}$.

According to the change of $\mathsf {iCT}, \mathsf {iSK}$, the first element of an ACFGU secret key should be modified as $\mathsf {qSK}_{1} = [-\sum _{i,j \in [n]}c_{i,j}(r_{j}u_{i}\widetilde{u}_{j}+t_{i}v_{i}\widetilde{v}_{j})]_{T}$. By this construction, we cannot simultaneously use $\mathsf {iDec}(\mathsf {iCT}^{1}_{i_{1}}, \mathsf {iSK}^{1}_{i_{1}})$, $\mathsf {iDec}(\mathsf {iCT}^{1}_{i_{2}}, \mathsf {iSK}^{1}_{i_{2}})$ and $\mathsf {iDec}(\mathsf {iCT}^{2}_{i_{2}}, \mathsf {iSK}^{1}_{i_{1}})$ for ACFGU decryption. Intuitively, $\mathsf {qSK}_{1}$ must involve $t^{1}_{i_{2}}$ and $t^{2}_{i_{2}}$ (randomnesses used in $\mathsf {iCT}^{1}_{i_{2}}$ and $\mathsf {iCT}^{2}_{i_{2}}$, respectively) to decrypt the ACFGU ciphertexts generated from $\mathsf {iDec}(\mathsf {iCT}^{1}_{i_{1}}, \mathsf {iSK}^{1}_{i_{1}})$, $\mathsf {iDec}(\mathsf {iCT}^{1}_{i_{2}}, \mathsf {iSK}^{1}_{i_{2}})$ and $\mathsf {iDec}(\mathsf {iCT}^{2}_{i_{2}}, \mathsf {iSK}^{1}_{i_{1}})$ together, but in fact $\mathsf {qSK}_{1}$ can involve only one of $t^{1}_{i_{2}}$ and $t^{2}_{i_{2}}$.

How to Generate the Modified Secret Key. The last challenge is how to generate the modified secret key. It is obvious that $\mathsf {qKeyGen}$ cannot generate the modified key since it contains random elements $r_{i}, t_{i}$ used in ciphertexts. We solve the problem by employing an additional function-hiding IP-MIFE scheme, denoted by $\mathsf {miFE}$, into the candidate scheme. That is, $\mathsf {qEnc}$ additionally generates an IP-MIFE ciphertext $\mathsf {miCT}_{i}$ for $(r_{i}, t_{i})$, and $\mathsf {qKeyGen}$ generates an IP-MIFE secret key $\mathsf {miSK}$ for $\{(\sum _{j \in [n]}c_{j,i}u_{j}\widetilde{u}_{i}, \sum _{j\in [n]} c_{i,j}v_{i}\widetilde{v}_{j} )\}_{i \in [n]}$. Then, a decryptor can generate the secret-key element $-\sum _{i,j \in [n]}c_{i,j}(r_{j}u_{i}\widetilde{u}_{j}+t_{i}v_{i}\widetilde{v}_{j})$ from $\mathsf {miCT}_{1} , \ldots ,\mathsf {miCT}_{n}, \mathsf {miSK}$ without knowing unnecessary information. This technique is similar to Gay’s technique in [21], which uses (partially) function-hiding IPFE to generate a “decryption key” consisting of both elements inherently derived from a ciphertext and a secret key. Note that our actual scheme needs mixed-group multi-input IPFE instead of IP-MIFE, which we construct in Sect. 4.

Putting it all Together. Putting together the ideas discussed above, we now present a second version of our scheme.

$\mathsf {qSetup}(1^{\lambda })$: $\mathsf {iMSK}' \leftarrow \mathsf {iSetup}(1^{\lambda }), \mathsf {pMSK}\leftarrow \mathsf {pSetup}(1^{\lambda }),\mathsf {miMSK}\leftarrow \mathsf {miSetup}(1^{\lambda })$

$w_{i}, \widetilde{w}_{i}, u_{i}, \widetilde{u}_{i}, v_{i}, \widetilde{v}_{i} \leftarrow \mathbb {Z}_p$

$\mathsf {qMSK}:=( \mathsf {iMSK}', \mathsf {pMSK}, \mathsf {miMSK}, \{w_{i}, \widetilde{w}_{i}, u_{i}, \widetilde{u}_{i}, v_{i}, \widetilde{v}_{i}\}_{i \in [n]}).$
$\mathsf {qEnc}(\mathsf {qMSK}, i,x_{i} \in \mathbb {Z})$: $s_{i}, \widetilde{s}_{i}, r_{i}, t_{i}, L \leftarrow \mathbb {Z}_p, \; \boldsymbol{\mathrm {{\ell }}}_{1}=(0^{2(i-1)},1, L, 0^{2(n-i)})$

$ \boldsymbol{\mathrm {{\ell }}}_{2}=(0^{2(i-1)},L,-1, 0^{2(n-i)}),\;\mathsf {iCT}'_{i} \leftarrow \mathsf {iEnc}(\mathsf {iMSK}',s_{i}),\;\mathsf {iSK}'_{i} \leftarrow \mathsf {iKeyGen}(\mathsf {iMSK}',\widetilde{s}_{i})$

$\mathsf {pCT}_{i} \leftarrow \mathsf {pEnc}(\mathsf {pMSK}, \boldsymbol{\mathrm {{\ell }}}_{1},(x_{i}, s_{i}w_{i}, r_{i}u_{i}, v_{i}))$

$\mathsf {pSK}_{i} \leftarrow \mathsf {pKeyGen}(\mathsf {pMSK},\boldsymbol{\mathrm {{\ell }}}_{2},(x_{i}, \widetilde{s}_{i}\widetilde{w}_{i},\widetilde{u}_{i}, t_{i}\widetilde{v}_{i}))$

$\mathsf {miCT}_{i} \leftarrow \mathsf {miEnc}(\mathsf {miMSK}, (r_{i}, t_{i})),\mathsf {qCT}_{i} :=( \mathsf {iCT}'_{i}, \mathsf {iSK}'_{i}, \mathsf {pCT}_{i}, \mathsf {pSK}_{i}, \mathsf {miCT}_{i}).$
$\mathsf {qKeyGen}(\mathsf {MSK}, \mathbf{c} \!=\!\{c_{i,j}\}_{i,j \in [n]} )$:

$\mathsf {miSK}\leftarrow \mathsf {miKeyGen}(\mathsf {miMSK}, \{(\sum _{j \in [n]}c_{j,i}u_{j}\widetilde{u}_{i}, \sum _{j\in [n]} c_{i,j}v_{i}\widetilde{v}_{j} )\}_{i \in [n]})$

$\mathsf {qSK}\!:=\! (\mathsf {miSK}, \{-c_{i,j}w_{i}\widetilde{w}_{j}\}_{i,j \in [n]} ).$
$\mathsf {qDec}(\mathsf {qCT}_{1} , \ldots ,\mathsf {qCT}_{n}, \mathsf {qSK})$:

$-\sum _{i,j \in [n]}c_{i,j}w_{i}\widetilde{w}_{j}\mathsf {iDec}(\mathsf {iCT}'_{i}, \mathsf {iSK}'_{j})+\sum _{i,j \in [n]}c_{i,j}\mathsf {pDec}(\mathsf {pCT}_{i}, \mathsf {pSK}_{j})$ $-\mathsf {miDec}(\mathsf {miCT}_{1} , \ldots ,\mathsf {miCT}_{n}, \mathsf {miSK})=[\langle \mathbf{c}, \mathbf{x} \otimes \mathbf{x} \rangle ]_{T}$

However, while the above candidate satisfies functionality and resists the aforementioned attacks, we are still far from a proof of security. For instance, one hurdle is that we must argue that $\{w_{i}\widetilde{w}_{j}\}_{i,j \in [n]}$ is pseudorandom, which is not true because $\mathsf {qSK}$ contains these elements not as exponents of group elements but as elements in $\mathbb {Z}_p$. Moreover, since we have already “used up” our pairing, we cannot move these to the exponent as in [28]. Another hurdle is that the underlying IPFE schemes satisfy only indistinguishability based security rather than simulation based security. To arrive at a security proof, we must address several such challenges, which we describe next.

Overview of Proof of Security. For ease of exposition, we outline our ideas for the warm-up case of two input quadratic MIFE described in Sect. 5. The general case is handled in Sect. 6.

First, we briefly recall the definition for indistinguishability based security of secret-key MIFE. Intuitvely, security requires that all PPT adversaries cannot guess a randomly chosen bit $\beta $ with meaningful probability in the following game: the adversary first outputs a set of challenge messages $\{i, x^{j,0}_{i}, x^{j,1}_{i}\}_{i \in [n], j \in [q_{\mathsf {CT}}] }$ and obtains ciphertexts for $\{i, x^{j,\beta }_{i}\}$. After that, the adversary can query a key generation oracle on any functions f such that for all $(j_{1} , \ldots ,j_{n}) \in [q_{\mathsf {CT}}]^{n}$, it holds that $f(x^{j_{1},0}_{1} , \ldots ,x^{j_{n},0}_{n})=f(x^{j_{1},1}_{1}, \ldots ,x^{j_{n},1}_{n})$. The goal of the security proof is to show that ciphertexts for $\{i, x^{j,0}_{i}\}$ and $\{i, x^{j,1}_{i}\}$ are indistinguishable.

The first challenge in the security proof is how to design a series of hybrids between the real games $\mathsf {G}^{\beta }$ for $\beta = 0$ and $\beta =1$. A naive strategy is to change each ciphertext from $\beta =0$ to $\beta =1$ one by one, that is, in hybrid $\mathsf {H}^{\eta }_{\iota }$ for $\iota \in [2], \eta \in [q_{\mathsf {CT}}]$, the adversary is given the ciphertext for $x^{j,1}_{i}$ if $(i,j) \le (\iota , \eta )$ and that for $x^{j,0}_{i}$ otherwise, where $(i,j) \le (\iota , \eta ) \Leftrightarrow (i-1)q_{\mathsf {CT}} +j \le (\iota -1)q_{\mathsf {CT}} + \eta $. Then, we may hope to prove that $\mathsf {G}^{0} \approx _{c}\mathsf {H}^{1}_{1} \approx _{c}\cdots \approx _{c}\mathsf {H}^{q_{\mathsf {CT}}}_{1} \approx _{c}\mathsf {H}^{1}_{2} \approx _{c}\cdots \approx _{c}\mathsf {H}^{q_{\mathsf {CT}}}_{2} \approx _{c}\mathsf {G}^{1}$. However, it quickly becomes evident that this strategy does not work. This is since the queried function f does not necessarily satisfy $f(x^{1,0}_{1}, x^{j_{2},0}_{2})=f(x^{1,1}_{1}, x^{j_{2},0}_{2})$, and thus the adversary can trivially distinguish $\mathsf {G}^{0}$ from $\mathsf {H}^{1}_{1}$. Even worse, when we change some input from $\beta =0$ to $\beta =1$, the change affects the quadratic terms that contain an input from another slot such as $x^{1,1}_{1}x^{j_{2},0}_{2}$. This correlation does not appear in IP-MIFE and makes the proof much more complex.

We address this issue as follows. Recall that our quadratic MIFE decryption first generates modified ACFGU ciphertexts $\{\mathsf {aCT}_{i,\ell }\}_{i,\ell \in [2]}$ and a secret key element $\mathsf {aSK}$ where

$$\begin{aligned}&\mathsf {aCT}_{i,\ell } = \mathsf {pDec}(\mathsf {pCT}_{i}, \mathsf {pSK}_{\ell }) = [x_{i}x_{\ell }+s_{i}\widetilde{s}_{\ell }w_{i}\widetilde{w}_{\ell }+r_{\ell }u_{i}\widetilde{u}_{\ell }+t_{i}v_{i}\widetilde{v}_{\ell } ]_{T}\\&\mathsf {aSK}= \mathsf {miDec}(\mathsf {miCT}_{1}, \mathsf {miCT}_{2}, \mathsf {miSK}) = [-\sum _{i,\ell \in [2]}c_{i,\ell }(r_{\ell }u_{i}\widetilde{u}_{\ell }+t_{i}v_{i}\widetilde{v}_{\ell })]_{T}. \end{aligned}$$

Our first idea is to define $\mathsf {H}^{\eta }_{\iota }$ so that $\mathsf {qDec}(\mathsf {qCT}^{j_{1}}_{1}, \mathsf {qCT}^{j_{2}}_{2}, \mathsf {qSK})$ in $\mathsf {H}^{\eta }_{\iota }$ yields $(\{\mathsf {aCT}^{j_{i},j_{\ell }}_{i,\ell }\}_{i, \ell \in [2]}, \mathsf {aSK}^{j_{1},j_{2}})$ where

$$\begin{aligned} \mathsf {aCT}^{j_{i},j_{\ell }}_{i,\ell }&= \begin{array}{ll} {}[x^{1}_{i}x^{1}_{\ell }+s_{i}\widetilde{s}_{\ell }w_{i}\widetilde{w}_{\ell }+r_{\ell }u_{i}\widetilde{u}_{\ell }+t_{i}v_{i}\widetilde{v}_{\ell } ]_{T} &{}\qquad (\ell ,j_{\ell }) \le (\iota , \eta ) \\ {}[x^{0}_{i}x^{0}_{\ell }+s_{i}\widetilde{s}_{\ell }w_{i}\widetilde{w}_{\ell }+r_{\ell }u_{i}\widetilde{u}_{\ell }+t_{i}v_{i}\widetilde{v}_{\ell } ]_{T} &{} \qquad (\ell ,j_{\ell }) > (\iota , \eta ) \end{array}\\ \mathsf {aSK}^{j_{1},j_{2}}&= [-\sum _{i,\ell \in [2]}c_{i,\ell }(r_{\ell }u_{i}\widetilde{u}_{\ell }+t_{i}v_{i}\widetilde{v}_{\ell })-\sum _{\begin{array}{c} i \in [2]\\ \ell \in \{k \in [2]|(k,j_{k}) \le (\iota , \eta )\} \end{array}}c_{i,\ell }(x^{1}_{i}x^{1}_{\ell }-x^{0}_{i}x^{0}_{\ell })]_{T}. \end{aligned}$$

Note that variables $x, s, \widetilde{s}, r, t$ are also indexed by $j_{1}, j_{2}$, but we often omit $j_{1}, j_{2}$ for conciseness if it is clear in context. Observe that, in hybrid $\mathsf {H}^{\eta }_{\iota }$, $\sum _{i, \ell \in [2]} c_{i,\ell } \mathsf {aCT}^{j_{i},j_{\ell }}_{i ,\ell } + \mathsf {aSK}^{j_{1},j_{2}} =\sum _{i, \ell \in [2]} c_{i,\ell }[ x^{ 0}_{i}x^{0}_{\ell }+s_{i}\widetilde{s}_{\ell }w_{i}\widetilde{w}_{\ell } ]_{T}$ for all $(\iota , \eta ,j_{1}, j_{2}) \in [2] \times [q_{\mathsf {CT}}]^{3}$. Therefore, the adversary always obtains $f(x^{0}_{1}, x^{0}_{2})$ by decryption in all hybrids and cannot trivially distinguish them. Since the second term of $\mathsf {aSK}^{j_{1},j_{2}}$, $\sum _{\begin{array}{c} i,\ell \in [2] \end{array}} c_{i,\ell }(x^{1}_{i}x^{1}_{\ell }-x^{0}_{i}x^{0}_{\ell }) = 0$ due to the query condition, $\mathsf {H}^{q_{\mathsf {CT}}}_{2}$ almost can be seen as $\mathsf {G}^{1}$. Thanks to the function-hiding property of $\mathsf {pFE}$ and $\mathsf {miFE}$, information encoded in ciphertexts and secret keys is not revealed other than $\mathsf {aCT}_{i,\ell }, \mathsf {aSK}$.

Next we must define encoded vectors in ciphertexts and secret keys in $\mathsf {pFE}$ and $\mathsf {miFE}$ in each hybrid so that they are indistinguishable in the hybrid sequence. First, let us consider vectors encoded in $\mathsf {pFE}$ that yield $\mathsf {aCT}_{i, \ell }$. In $\mathsf {G}^{0}$, recall that $\mathbf{b}_{i}=(x^{0}_{i}, s_{i}w_{i}, u_{i}, t_{i}v_{i})$ and $\widetilde{\mathbf {b}}_{i} = (x^{0}_{i}, \widetilde{s}_{i}\widetilde{w}_{i}, r_{i}\widetilde{u}_{i}, \widetilde{v}_{i})$ are encoded in $\mathsf {pCT}_{i}$ and $\mathsf {pSK}_{i}$, respectively. To make $[\langle \mathbf{b}^{j_{i}}_{i}, \widetilde{\mathbf {b}}^{j_{\ell }}_{\ell } \rangle ]_{T} = \mathsf {aCT}^{j_{i},j_{\ell }}_{i,\ell }$ in all hybrids, we introduce a free space, used for only the security proof, and define $\mathbf{b}^{j_{i}}_{i},\widetilde{\mathbf {b}}^{j_{i}}_{i}$ in $\mathsf {H}^{\eta }_{\iota }$ as follows:

$$\begin{aligned} \mathbf{b}^{j_{i}}_{i}=(x^{0}_{i}, \underline{x^{1}_{i}}, s_{i}w_{i}, u_{i}, t_{i}v_{i}),\;\;\widetilde{\mathbf {b}}^{j_{i}}_{i}= {\left\{ \begin{array}{ll} (\underline{0, x^{1}_{i}}, \widetilde{s}_{i}\widetilde{w}_{i}, r_{i}\widetilde{u}_{i}, \widetilde{v}_{i}) &{} (i,j_{i})\le (\iota , \eta )\\ (x^{0}_{i},\underline{0}, \widetilde{s}_{i}\widetilde{w}_{i}, r_{i}\widetilde{u}_{i}, \widetilde{v}_{i})&{} (i,j_{i}) > (\iota , \eta ) \end{array}\right. }. \end{aligned}$$

Then, we need to prove that $\{\mathbf{b}^{j_{i}}_{i},\widetilde{\mathbf {b}}^{j_{i}}_{i}\}_{i\in [2], j_{i} \in [q_{\mathsf {CT}}]}$ in $\mathsf {H}^{\eta -1}_{\iota }$ and that in $\mathsf {H}^{\eta }_{\iota }$ are indistinguishable. Initially, it appears that we can prove it similarly to Lin’s technique [28], that is, we introduce a more free space and consider an intermediate hybrid in which we define

$$\begin{aligned} \mathbf{b}^{j_{i}}_{i}&=(x^{j_{i}, 0}_{i}, x^{j_{i},1}_{i}, s_{i}w_{i}, u_{i}, t_{i}v_{i}, \underline{x^{j_{i}, 0}_{i}x^{\eta , 0}_{\iota }+s_{i}\widetilde{s}_{\iota }w_{i}\widetilde{w}_{\iota }+r_{\iota }u_{i}\widetilde{u}_{\iota }+t_{i}v_{i}\widetilde{v}_{\iota }}) \\ \widetilde{\mathbf {b}}^{j_{i}}_{i}&= {\left\{ \begin{array}{ll} (0, x^{j_{i},1}_{i}, \widetilde{s}_{i}\widetilde{w}_{i}, r_{i}\widetilde{u}_{i}, \widetilde{v}_{i}, \underline{0}) &{} (i,j_{i} )< (\iota , \eta )\\ (\underline{0,0,0,0,0,1})&{} (i,j_{i} ) = (\iota , \eta )\\ (x^{j_{i},0}_{i},0, \widetilde{s}_{i}\widetilde{w}_{i}, r_{i}\widetilde{u}_{i}, \widetilde{v}_{i}, \underline{0})&{} (i,j_{i}) > (\iota , \eta ) \end{array}\right. }\nonumber \end{aligned}$$

(1.1)

Now, we may hope to change $x^{j_{i}, 0}_{i}x^{\eta , 0}_{\iota }$ in the last entry of $\mathbf{b}^{j_{i}}_{i}$ to $x^{j_{i}, 1}_{i}x^{\eta , 1}_{\iota }$ by the indistinguishability-based security of the (modified) ACFGU IP-MIFE scheme.

However, we get stuck here; the relation between $\{x^{j_{i}, 0}_{i}x^{\eta , 0}_{\iota }\}_{i \in [2], j_{i} \in [q_{\mathsf {CT}}]}$ and $\{x^{j_{i}, 1}_{i}x^{\eta , 1}_{\iota }\}_{i \in [2], j_{i} \in [q_{\mathsf {CT}}]}$ implied by the query condition $f(x^{j_{1},0}_{1}, x^{j_{2},0}_{2})=f(x^{j_{1},1}_{1}, x^{j_{2},1}_{2})$ is unclear. This is because, in the reduction to ACFGU IP-MIFE, the simulator is expected to simulate $\mathsf {pCT}$ for $\mathbf{b}^{j_{i}}_{i}$ and $\mathsf {qSK}$ for quadratic function f using ACFGU ciphertexts for $\{x^{j_{i}, \beta }_{i}x^{\eta , \beta }_{\iota }\}_{i \in [2], j_{i} \in [q_{\mathsf {CT}}]}$ and secret keys for linear functions $f_{\iota }$, respectively, such that $f_{\iota }(x^{j_{1}, 0}_{1}x^{\eta , 0}_{\iota }, x^{j_{2}, 0}_{2}x^{\eta , 0}_{\iota })=f_{\iota }(x^{j_{1}, 1}_{1}x^{\eta , 1}_{\iota },x^{j_{2}, 1}_{2}x^{\eta , 1}_{\iota } )$. Note that $f_{\iota }$ comprises coefficients of f that are related to the $\iota $-th input. Unfortunately, we cannot derive the above relation on $f_{\iota }$ from the query condition. The critical observation we make here is that we have an alternative equality on $f_{\iota }$ that are implied by the condition: for all $(j_{1}, j_{2}, \eta ) \in [q_{\mathsf {CT}}]^{3}$, we have

$$\begin{aligned} f_{1}(x^{\eta , 0}_{1}x^{\eta , 0}_{1}-x^{1, 0}_{1}x^{1, 0}_{1}, x^{j_{2}, 0}_{2}x^{\eta , 0}_{1}-x^{j_{2}, 0}_{2}x^{1, 0}_{1} )=f_{1}(x^{\eta , 1}_{1}x^{\eta , 1}_{1}-x^{1, 1}_{1}x^{1, 1}_{1}, x^{j_{2}, 1}_{2}x^{\eta , 1}_{1}- x^{j_{2}, 1}_{2}x^{1, 1}_{1}) \end{aligned}$$

(1.2)

$$\begin{aligned} f_{2}(x^{j_{1}, 0}_{1}x^{\eta , 0}_{2}-x^{j_{1}, 0}_{1}x^{1, 0}_{2},x^{\eta , 0}_{2}x^{\eta , 0}_{2}-x^{1, 0}_{2}x^{1, 0}_{2} )=f_{2}(x^{j_{1}, 1}_{1}x^{\eta , 1}_{2}-x^{j_{1}, 1}_{1}x^{1, 1}_{2},x^{\eta , 1}_{2}x^{\eta , 1}_{2}-x^{1, 1}_{2}x^{1, 1}_{2}). \end{aligned}$$

(1.3)

Equation (1.2) and (1.3) can be obtained by Eq. (1.4)–Eq. (1.5) where

$$\begin{aligned} f(x^{\eta ,0}_{1}, x^{j_{2},0}_{2})&=f(x^{\eta ,1}_{1}, x^{j_{2},1}_{2})&f(x^{j_{1},0}_{1}, x^{\eta ,0}_{2})&=f(x^{j_{1},1}_{1}, x^{\eta ,1}_{2}) \end{aligned}$$

(1.4)

$$\begin{aligned} f(x^{1,0}_{1}, x^{j_{2},0}_{2})&=f(x^{1,1}_{1}, x^{j_{2},1}_{2})&f(x^{j_{1},0}_{1}, x^{1,0}_{2})&=f(x^{j_{1},1}_{1}, x^{1,1}_{2}). \end{aligned}$$

(1.5)

The last challenge is to somehow change $x^{j_{i}, 0}_{i}x^{\eta , 0}_{\iota }$ in the last entry of Eq. (1.1) in to $x^{j_{i}, 1}_{i}x^{\eta , 1}_{\iota }$ leveraging Eq. (1.2) or Eq. (1.3). We first observe that

$$\begin{aligned} x^{j_{i}, 0}_{i}x^{\eta , 0}_{\iota }+s^{j_{i}}_{i}\widetilde{s}^{j_{\iota }}_{\iota }w_{i}\widetilde{w}_{\iota }+r^{j_{\iota }}_{\iota }u_{i}\widetilde{u}_{\iota }+t^{j_{i}}_{i}v_{i}\widetilde{v}_{\iota }&\approx _{c}x^{j_{i}, 0}_{i}x^{\eta , 0}_{\iota }+\widehat{s}^{j_{i}}_{i,\iota }\widehat{w}_{i,\iota }+\widehat{u}_{i}+\widehat{v}^{j_{i}}_{i}\\&= \underbrace{x^{j_{i}, 0}_{i}x^{\eta , 0}_{\iota }-x^{j_{i}, 0}_{i}x^{1, 0}_{\iota }+\widehat{s}^{j_{i}}_{i,\iota }\widehat{w}_{i,\iota }+\widehat{u}_{i}}_{\text {ACFGU ciphertext}}+\ddot{v}^{j_{i}}_{i} \end{aligned}$$

where $\widehat{s}^{j_{i}}_{i,\iota }, \widehat{w}_{i,\iota }, \widehat{u}_{i},\widehat{v}^{j_{i}}_{i}, \ddot{v}^{j_{i}}_{i}$ are fresh random elements. The computational indistinguishability is implied by the SXDH assumption, and the equality follows by implicitly defining $\widehat{v}^{j_{i}}_{i} = \ddot{v}^{j_{i}}_{i} -x^{j_{i}, 0}_{i}x^{1, 0}_{\iota }$. We can see that the last part of the above equation is exactly the ACFGU ciphertext of $x^{j_{i}, 0}_{i}x^{\eta , 0}_{\iota }-x^{j_{i}, 0}_{i}x^{1, 0}_{\iota }$ plus $\ddot{v}^{j_{i}}_{i}$. At this point, we can use the security of the ACFGU IP-MIFE scheme to change $x^{j_{i}, 0}_{i}x^{\eta , 0}_{\iota }-x^{j_{i}, 0}_{i}x^{1, 0}_{\iota }$ to $x^{j_{i}, 1}_{i}x^{\eta , 1}_{\iota }-x^{j_{i}, 1}_{i}x^{1, 1}_{\iota }$. This is because they satisfy Eq. (1.2) or Eq. (1.3), and thus the reduction can follow the query condition of IP-MIFE. Perceptive readers may notice that if $i = \iota $, then $x^{j_{i}, 0}_{i}x^{\eta , 0}_{\iota }- x^{j_{i}, 0}_{i}x^{1, 0}_{\iota }= x^{j_{i}, 1}_{i}x^{\eta , 1}_{\iota }-x^{j_{i}, 1}_{i}x^{1, 1}_{\iota }$ holds only when $j_{i} = \eta $. This is not a problem since we can deal with the terms for $i = \iota , j_{i} \ne \eta $ leveraging the security of predicated IPFE.

Next we give some intuition for how to define vectors in $\mathsf {miFE}$. Similarly to $\mathbf{b}^{j_{i}}_{i},\widetilde{\mathbf {b}}^{j_{i}}_{i}$, we want to define $\mathbf{f}^{j_{i}}_{i}, \widetilde{\mathbf {f}}_{i}$ in $\mathsf {H}^{\eta }_{\iota }$, which are encoded in $\mathsf {miFE}$ and yield $\mathsf {aSK}$, but this approach quickly runs into cumbersome issues. The first problem is that the second term of $\mathsf {aSK}^{j_{1},j_{2}}$, $\mathsf {aSK}^{j_{1},j_{2}}[2]=\sum c_{i,\ell }(x^{j_{i},1}_{i}x^{j_{\ell },1}_{\ell }-x^{j_{i},0}_{i}x^{j_{\ell },0}_{\ell })$, in the current definition depends on both $x^{j_{1}}_{1}$ and $x^{j_{2}}_{2}$. Thus, we must somehow encode $x^{j_{1}}_{1}$ and $x^{j_{2}}_{2}$ in $\mathsf {miCT}^{j_{1}}_{1}$ and $\mathsf {miCT}^{j_{2}}_{2}$, respectively. However, we cannot generate the term $x^{j_{1}}_{1}x^{j_{2}}_{2}$ via $\mathsf {miFE}$, which can only compute linear functions! A naive idea may be to program all quadratic terms into additional free spaces in $\mathsf {miCT}$. It immediately ends in failure; we cannot program $q^{2}_{\mathsf {CT}}$ values into $O(q_{\mathsf {CT}})$ spaces.

Our solution is to use Eq. (1.2) and Eq. (1.3) to compress the $q^{2}_{\mathsf {CT}}$ values into $q_{\mathsf {CT}}$ values. For instance, Eq. (1.2) implies

$$ f_{1}(x^{j_{1}, 1}_{1}x^{j_{1}, 1}_{1}-x^{j_{1}, 0}_{1}x^{j_{1}, 0}_{1}, x^{j_{2}, 1}_{2}x^{j_{1}, 1}_{1}-x^{j_{2}, 0}_{2}x^{j_{1}, 0}_{1})=f_{1}(x^{1, 1}_{1}x^{1, 1}_{1}-x^{1, 0}_{1}x^{1, 0}_{1}, x^{j_{2}, 1}_{2}x^{1, 1}_{1}-x^{j_{2}, 0}_{2}x^{1, 0}_{1} ) $$

since $f_{1}$ is a linear function (we change $\eta $ to $j_{1}$). This means that $\sum _{\ell =1} c_{i,\ell }(x^{j_{i},1}_{i}x^{j_{\ell },1}_{\ell }-x^{j_{i},0}_{i}x^{j_{\ell },0}_{\ell }) = \sum _{\ell =1} c_{i,\ell }(x^{j_{i},1}_{i}x^{1,1}_{\ell }-x^{j_{i},0}_{i}x^{1,0}_{\ell })$ for all $j_{i}$. Similarly, we can handle the case for $\ell =2$. Thus, we can program $\mathsf {aSK}^{j_{1},j_{2}}[2]$ in $\mathsf {miCT}^{j_{1}}_{1}$ and $\mathsf {miCT}^{j_{2}}_{2}$ as:

$$\begin{aligned}&\mathbf{f}^{j_{i}}_{i}= {\left\{ \begin{array}{ll} (r_{i}, t_{i}, \underline{ x^{j_{i},1}_{i}x^{1,1}_{1}-x^{j_{i},0}_{i}x^{1,0}_{1}, 0})&{} \iota =1\\ (r_{i}, t_{i}, \underline{ x^{j_{i},1}_{i}x^{1,1}_{1}-x^{j_{i},0}_{i}x^{1,0}_{1}, x^{j_{i},1}_{i}x^{1,1}_{2}-x^{j_{i},0}_{i}x^{1,0}_{2}})&{} \iota =2 \end{array}\right. }\\&\widetilde{\mathbf {f}}_{i} = (\sum _{\ell \in [2]}c_{\ell ,i}u_{\ell }\widetilde{u}_{i}, \sum _{\ell \in [2]} c_{i,\ell }v_{i}\widetilde{v}_{\ell }, \underline{c_{i,1}, c_{i,2}}). \end{aligned}$$

The second problem is the fact that

$$\begin{aligned} \overline{\mathsf {aSK}^{j_{1},j_{2}}}[2] =\langle \mathbf{f}^{j_{i}}_{i}, \widetilde{\mathbf {f}}_{i} \rangle -\sum _{i,\ell \in [2]}c_{i,\ell }(r_{\ell }u_{i}\widetilde{u}_{\ell }+t_{i}v_{i}\widetilde{v}_{\ell })=\sum _{\begin{array}{c} i \in [2],\ell \in [\iota ] \end{array}}c_{i,\ell }(x^{1}_{i}x^{1}_{\ell }-x^{0}_{i}x^{0}_{\ell }) \end{aligned}$$

in the current definition of $\mathbf{f}^{j_{i}}_{i}, \widetilde{\mathbf {f}}_{i}$, while $\mathsf {aSK}^{j_{1},j_{2}}[2]$ should be

$$\begin{aligned} \mathsf {aSK}^{j_{1},j_{2}}[2] = \sum _{\begin{array}{c} i \in [2]\\ \ell \in \{k \in [2]|(k,j_{k}) \le (\iota , \eta )\} \end{array}}c_{i,\ell }(x^{1}_{i}x^{1}_{\ell }-x^{0}_{i}x^{0}_{\ell }). \end{aligned}$$

We adjust them by modifying $\mathsf {aCT}$ as $\overline{\mathsf {aCT}^{j_{i},j_{\ell }}_{i,\ell }} = \mathsf {aCT}^{j_{i},j_{\ell }}_{i,\ell } + Q(\mathbf{x})$ so that $\sum _{i, \ell \in [2]} c_{i,\ell } \overline{\mathsf {aCT}^{j_{i},j_{\ell }}_{i ,\ell }} + \overline{\mathsf {aSK}^{j_{1},j_{2}}} =\sum _{i, \ell \in [2]} c_{i,\ell }[ x^{ 0}_{i}x^{0}_{\ell }+s_{i}\widetilde{s}_{\ell }w_{i}\widetilde{w}_{\ell } ]_{T}$ holds, where Q is a quadratic polynomial over variables $\mathbf{x}=\{x^{j_{i}, \beta }_{i}\}_{i \in [2], j_{i} \in [q_{\mathsf {CT}}], \beta \in \{0,1\}}$. The additional term $Q(\mathbf{x})$ in $\overline{\mathsf {aCT}^{j_{i},j_{\ell }}_{i,\ell }}$ can be programed into $\mathsf {pCT}$ and $\mathsf {pSK}$ by introducing more additional space. Please see Sect. 5 for a detailed argument.

2 Preliminaries

In this section, we define some notation and preliminaries that we require. For vectors $\mathbf{v}_{1} , \ldots ,\mathbf{v}_{n}$, $(\mathbf{v}_{1} , \ldots ,\mathbf{v}_{n})$ denotes the vector concatenation as row vectors regardless of whether each $\mathbf{v}_{i}$ is a row or column vector. We use $\otimes $ for the Kronecker product. We denote an n-dimensional unit vector $(0^{i-1},1,0^{n-1})$ by $\mathbf{e}_{i/n}$. We use standard cryptographic bilinear groups where the matrix decisional Diffie-Hellman assumption (MDDH) holds [18].

2.1 Multi-input Functional Encryption

Definition 2.1

(Multi-Input Functional Encryption). Let $\mathcal {F}$ be a function family such that, for all $f \in \mathcal {F}$, $f: \mathcal {X}_{1} \times \cdots \times \mathcal {X}_{n} \rightarrow \mathcal {Z}$. An MIFE scheme for $\mathcal {F}$, $\mathsf {MIFE}$, consists of four algorithms.

$\mathsf {Setup}(1^{\lambda })$: It takes a security parameter $1^{\lambda }$ and outputs a public parameter $\mathsf {PP}$ and a master secret key $\mathsf {MSK}$. The other algorithms implicitly take $\mathsf {PP}$.
$\mathsf {Enc}( \mathsf {MSK}, i, x_{i})$: It takes $\mathsf {MSK}$, an index $i \in [n]$, and $x_{i} \in \mathcal {X}_{i}$ and outputs a ciphertext $\mathsf {CT}_{i}$.
$\mathsf {KeyGen}( \mathsf {MSK}, f )$: It takes $ \mathsf {MSK}$, and $f \in \mathcal {F}$, and outputs a secret key $\mathsf {SK}$.
$\mathsf {Dec}( \mathsf {CT}_{1} , \ldots ,\mathsf {CT}_{n}, \mathsf {SK})$: It takes $ \mathsf {CT}_{1} , \ldots ,\mathsf {CT}_{n}$ and $\mathsf {SK}$, and outputs a decryption value $d \in \mathcal {Z}$ or a symbol $\bot $.

When $n=1$, we call it just a functional encryption (FE) scheme and omit the second argument of $\mathsf {Enc}$.

Correctness. $\mathsf {MIFE}$ is correct if it satisfies the following condition. For all $\lambda \in \mathbb {N},\; (x_{1} , \ldots ,x_{n}) \in \mathcal {X}_{1} \times \cdots \times \mathcal {X}_{n},\; f \in \mathcal {F}$, we have

$$\begin{aligned} \Pr \left[ d =f(x_{1} , \ldots ,x_{n}) \left| \begin{array}{l} \mathsf {PP}, \mathsf {MSK}\leftarrow \mathsf {Setup}(1^{\lambda })\\ \mathsf {CT}_{i} \leftarrow \mathsf {Enc}( \mathsf {MSK}, i, x_{i})\\ \mathsf {SK}\leftarrow \mathsf {KeyGen}( \mathsf {MSK}, f)\\ d :=\mathsf {Dec}( \mathsf {CT}_{1}, \ldots ,,\mathsf {CT}_{n}, \mathsf {SK}) \end{array}\right. \right] = 1. \end{aligned}$$

Selective Security. We define two indistinguishability-based security definitions for MIFE, namely, message-hiding and function-hiding. For a stateful PPT adversary $\mathcal {A}$ and $\lambda \in \mathbb {N}$, let

$$\begin{aligned} \mathsf {P}_{\mathcal {A}, \textsf {mh}}^{\mathsf {MIFE, \mathrm {\beta }}}(\lambda ) :=\Pr \left[ \beta '=1 \left| \begin{array}{l} \{i, x_{i}^{j, 0}, x_{i}^{j,1}\}_{i \in [n], j \in [q_{\mathsf {CT},i}]} \leftarrow \mathcal {A}(1^{\lambda })\\ \mathsf {PP}, \mathsf {MSK}\leftarrow \mathsf {Setup}(1^{\lambda }),\\ \mathsf {CT}^{j}_{i} \leftarrow \mathsf {Enc}( \mathsf {MSK},i, x^{j,\beta }_{i})\\ \beta ' \leftarrow \mathcal {A}^{\mathsf {KeyGen}( \mathsf {MSK}, \cdot )}(\mathsf {PP}, \{\mathsf {CT}^{j}_{i}\}_{i \in [n], j \in [q_{\mathsf {CT},i}]}) \end{array}\right. \right] . \end{aligned}$$

Let $q_{\mathsf {SK}}$ be a number of queries to $\mathsf {KeyGen}$. We say $\mathcal {A}$ is admissible if, in case of $q_{\mathsf {CT},1} , \ldots ,q_{\mathsf {CT},n}, q_{\mathsf {SK}} \ge 1$, $\mathcal {A}$’s queries satisfy $f^{\ell }(x^{j_{1},0}_{1} , \ldots ,x^{j_{n},0}_{n}) = f^{\ell }(x^{j_{1},1}_{1} , \ldots ,x^{j_{n},1}_{n})$ for all $(j_{1} , \ldots ,j_{n}) \in [q_{\mathsf {CT},1}] \times \cdots \times [q_{\mathsf {CT},n}]$ and $\ell \in [q_{\mathsf {SK}}]$. $\mathsf {MIFE}$ is message-hiding if, for all admissible PPT adversaries $\mathcal {A}$, the following advantage of $\mathcal {A}$ is negligible in $\lambda $: $\mathsf {Adv}_{\mathcal {A}, \textsf {mh}}^{\mathsf {MIFE}}(\lambda ):=|\mathsf {P}_{\mathcal {A}, \textsf {mh}}^{\mathsf {MIFE, \mathrm {0}}}(\lambda ) - \mathsf {P}_{\mathcal {A}, \textsf {mh}}^{\mathsf {MIFE,\mathrm {1}}}(\lambda ) |$.

Next, we define a function-hiding property. Let $\mathsf {P}_{\mathcal {A}, \textsf {fh}}^{\mathsf {MIFE, \mathrm {\beta }}}(\lambda )$ be defined the same as $\mathsf {P}_{\mathcal {A}, \textsf {mh}}^{\mathsf {MIFE, \mathrm {\beta }}}(\lambda )$ except that $\mathcal {A}$’s oracle is $\mathcal {O}_{\mathsf {SK}}(\beta , \cdot )$ instead of $\mathsf {KeyGen}$, where $\mathcal {O}_{\mathsf {SK}}(\beta , \cdot )$ takes $(f^{0}, f^{1})$ and outputs $\mathsf {KeyGen}(\mathsf {MSK},f^{\beta })$. This time, $\mathcal {A}$ is admissible if, in case of $q_{\mathsf {CT},1} , \ldots ,q_{\mathsf {CT},n}, q_{\mathsf {SK}} \ge 1$, $\mathcal {A}$’s queries satisfy $f^{\ell ,0}(x^{j_{1},0}_{1} , \ldots ,x^{j_{n},0}_{n}) = f^{\ell ,1}(x^{j_{1},1}_{1} , \ldots ,x^{j_{n},1}_{n})$ for all $(j_{1} , \ldots ,j_{n}) \in [q_{\mathsf {CT},1}] \times \cdots \times [q_{\mathsf {CT},n}]$ and $\ell \in [q_{\mathsf {SK}}]$. Then, $\mathsf {MIFE}$ is function-hiding if, for all admissible PPT adversaries $\mathcal {A}$, the following advantage of $\mathcal {A}$ is negligible in $\lambda $: $\mathsf {Adv}_{\mathcal {A}, \textsf {fh}}^{\mathsf {MIFE}}(\lambda ):=|\mathsf {P}_{\mathcal {A}, \textsf {fh}}^{\mathsf {MIFE, \mathrm {0}}}(\lambda ) - \mathsf {P}_{\mathcal {A}, \textsf {fh}}^{\mathsf {MIFE,\mathrm {1}}}(\lambda ) |$.

Remark 2.1

In this paper, we assume that $q_{\mathsf {CT},i} \ge 1$ for all $i \in [n]$ and that $q_{\mathsf {CT},1} = \cdots = q_{\mathsf {CT},n} (= q_{\mathsf {CT}})$. This is w.l.o.g as discussed in [6, 17].

We next define quadratic functions.

Definition 2.2

(Bounded-Norm Multi-Input Quadratic functions over $\mathbb {Z}$). A function family $\mathcal {F}^{\mathsf {MQF}}_{m,n,X,C}$ for bounded-norm multi-input quadratic functions consist of functions $f: (\mathcal {X}^{m})^{n} \rightarrow \mathbb {Z}$ where $\mathcal {X}=\{i \mid i \in \mathbb {Z}, |i| \le X\}$. Each $f \in \mathcal {F}^{\mathsf {MQF}}_{m,n,X,C}$ is specified by $\mathbf{c} = \{c_{\mu ,\nu }\}_{\mu , \nu \in [mn]} \in \mathbb {Z}^{(mn)^{2}}$ s.t. $||\mathbf{c}||_{\infty } \le C$ and $c_{\mu ,\nu } = 0$ if $\mu > \nu $. Let $x_{\mu }$ be the $\mu $-th element of $\mathbf{x} = (\boldsymbol{\mathrm {{x}}}_{1} , \ldots ,\boldsymbol{\mathrm {{x}}}_{n}) \in (\mathcal {X}^{m})^{n}$. Then, f specified by $\mathbf{c}$ is defined as $ f(\boldsymbol{\mathrm {{x}}}_{1}, \ldots ,\boldsymbol{\mathrm {{x}}}_{n}) :=\sum _{\mu ,\nu \in [mn]}c_{\mu ,\nu }x_{\mu }x_{\nu }. $

3 Predicated Inner Product Functional Encryption

We define and construct predicated inner product functional encryption.

Definition 3.1

(Inner Products over Bilinear Groups). Let $\mathbb {G} = (p, G_{1}, G_{2}, G_{T}, g_{1}, g_{2},e)$ be bilinear groups. A function family $\mathcal {F}^{\mathsf {IP}}_{m, \mathbb {G}}$ for inner products over bilinear groups consists of functions $f:G_{1}^{m} \rightarrow G_{T}$. Each $f \in \mathcal {F}^{\mathsf {IP}}_{m, \mathbb {G}}$ is specified by $[\mathbf{y}]_{2}$ where $\mathbf{y} \in \mathbb {Z}_p^{m}$ and defined as $f([\mathbf{x}]_{1}) :=[\langle \mathbf{x}, \mathbf{y} \rangle ]_{T}.$

Definition 3.2

(Predicated Inner Products over Bilinear Groups). A function family $\mathcal {F}^{\mathsf {PIP}}_{d, m, \mathbb {G}}$ for predicated inner products over bilinear groups consists of functions $f:\mathbb {Z}_p^{d} \times G_{1}^{m} \rightarrow G_{T} \cup \{\bot \}$. Each $f \in \mathcal {F}^{\mathsf {PIP}}_{d, m, \mathbb {G}}$ is specified by $\mathbf{y}_{1} \in \mathbb {Z}_p^{d}$ and $[\mathbf{y}_{2}]_{2}$ where $\mathbf{y}_{2} \in \mathbb {Z}_p^{m}$ and defined as $ f(\mathbf{x}_{1}, [\mathbf{x}_{2}]_{1}) :={\left\{ \begin{array}{ll} [\langle \mathbf{x}_{2}, \mathbf{y}_{2} \rangle ]_{T} &{} \text {if}\; \langle \mathbf{x}_{1}, \mathbf{y}_{1} \rangle = 0\\ \bot &{} \text {if}\; \langle \mathbf{x}_{1}, \mathbf{y}_{1} \rangle \ne 0 \end{array}\right. }. $

We refer to FE for $\mathcal {F}^{\mathsf {IP}}_{m, \mathbb {G}}$ and $\mathcal {F}^{\mathsf {PIP}}_{d, m, \mathbb {G}}$ as IPFE and predicated IPFE, respectively. We define partially function-hiding security of FE for $\mathcal {F}^{\mathsf {PIP}}_{d, m, \mathbb {G}}$. Partially function-hiding security guarantees that secret keys hide $\mathbf{y}_{2}$ (but do not $\mathbf{y}_{1}$).

Partially Function-Hiding Security. Let $\mathsf {pFE} = (\mathsf {pSetup}, \mathsf {pEnc}, \mathsf {pKeyGen}, \mathsf {pDec})$ be a FE scheme for $\mathcal {F}^{\mathsf {PIP}}_{d, m, \mathbb {G}}$. For a stateful PPT adversary $\mathcal {A}$ and $\lambda \in \mathbb {N}$, let

$$\begin{aligned} \mathsf {P}_{\mathcal {A}, \textsf {pfh}}^{\mathsf {pFE, \mathrm {\beta }}}(\lambda ) :=\Pr \left[ \beta '=1 \left| \begin{array}{l} \{\mathbf{x}^{j}_{1}, [\mathbf{x}^{j,0}_{2}]_{1}, [\mathbf{x}^{j,1}_{2}]_{1}\}_{j \in [q_{\mathsf {CT}}]} \leftarrow \mathcal {A}(1^{\lambda })\\ \mathsf {pPP}, \mathsf {pMSK}\leftarrow \mathsf {pSetup}(1^{\lambda }),\\ \mathsf {pCT}^{j} \leftarrow \mathsf {pEnc}( \mathsf {pMSK}, (\mathbf{x}^{j}_{1}, [\mathbf{x}^{j,\beta }_{2}]_{1}))\\ \beta ' \leftarrow \mathcal {A}^{\mathcal {O}_{\mathsf {SK}}(\beta , \cdot )}(\mathsf {pPP}, \{\mathsf {pCT}^{j}\}_{j \in [q_{\mathsf {CT}}]}) \end{array}\right. \right] \end{aligned}$$

where $\mathcal {O}_{\mathsf {SK}}$ takes $(\mathbf{y}_{1}, [\mathbf{y}^{0}_{2}]_{2}, [\mathbf{y}^{1}_{2}]_{2})$ and outputs $\mathsf {pKeyGen}(\mathsf {MSK},(\mathbf{y}_{1}, [\mathbf{y}^{\beta }_{2}]_{2}))$. Let $q_{\mathsf {SK}}$ be a number of queries to $\mathcal {O}_{\mathsf {SK}}$. We say $\mathcal {A}$ is admissible if $\mathcal {A}$’s queries satisfy $\langle \mathbf{x}^{j,0}_{2}, \mathbf{y}^{\ell ,0}_{2} \rangle = \langle \mathbf{x}^{j,1}_{2}, \mathbf{y}^{\ell ,1}_{2} \rangle $ when $\langle \mathbf{x}^{j}_{1}, \mathbf{y}^{\ell }_{1} \rangle =0$ for all $j \in [q_{\mathsf {CT}}]$ and $\ell \in [q_{\mathsf {SK}}]$. $\mathsf {pFE}$ is partially function-hiding if, for all admissible PPT adversaries $\mathcal {A}$, the following advantage of $\mathcal {A}$ is negligible in $\lambda $: $\mathsf {Adv}_{\mathcal {A}, \textsf {pfh}}^{\mathsf {pFE}}(\lambda ):=|\mathsf {P}_{\mathcal {A}, \textsf {pfh}}^{\mathsf {pFE, \mathrm {0}}}(\lambda ) - \mathsf {P}_{\mathcal {A}, \textsf {pfh}}^{\mathsf {pFE, \mathrm {1}}}(\lambda ) |$.

3.1 Predicated IPFE from IPFE

We construct a partially function-hiding FE scheme for $\mathcal {F}^{\mathsf {PIP}}_{d, m, \mathbb {G}}$ from a function-hiding FE scheme for $\mathcal {F}^{\mathsf {IP}}_{kd+2m+1, \mathbb {G}}$ generically. Note that k is a parameter for the MDDH assumption. A function-hiding FE scheme for $\mathcal {F}^{\mathsf {IP}}_{m, \mathbb {G}}$ based on MDDH is implied by the function-hiding IPFE scheme described in [30, Appx. A]^{Footnote 4}. Let $\mathsf {iFE}=(\mathsf {iSetup}, \mathsf {iEnc}, \mathsf {iKeyGen}, \mathsf {iDec})$ be a function-hiding FE scheme for $\mathcal {F}^{\mathsf {IP}}_{kd+2m+1, \mathbb {G}}$. Then, our partially function-hiding FE scheme $\mathsf {pFE}=(\mathsf {pSetup}, \mathsf {pEnc}, \mathsf {pKeyGen}, \mathsf {pDec})$ for $\mathcal {F}^{\mathsf {PIP}}_{d, m, \mathbb {G}}$ is constructed as shown in Fig. 1.

Correctness. Since $\langle \mathbf{z} \otimes \mathbf{x}_{1}, \mathbf{a} \otimes \mathbf{y}_{1} \rangle = \langle \mathbf{z}, \mathbf{a} \rangle \cdot \langle \mathbf{x}_{1}, \mathbf{y}_{1} \rangle $, $\mathsf {iDec}( \mathsf {iCT}, \mathsf {iSK})$ outputs $[\langle \mathbf{x}, \mathbf{y} \rangle ]_{T} = [\langle v_{2}, \mathbf{y}_{2} \rangle ]_{T}$ if $\langle \mathbf{x}_{1}, \mathbf{y}_{1} \rangle = 0$. This follows from the correctness of $\mathsf {iFE}$.

For security, we have the following theorem.

Theorem 3.1

If $\mathsf {iFE}$ is function-hiding, and the MDDH assumption holds in $\mathbb {G}$, then $\mathsf {pFE}$ is partially function-hiding. More precisely, for all PPT adversaries $\mathcal {A}$, there exist PPT adversaries $\mathcal {B}_{1}, \mathcal {B}_{2}$ such that

$$ \mathsf {Adv}_{\mathcal {A}, \mathsf {pfh}}^{\mathsf {pFE}}(\lambda ) \le q_{\mathsf {CT}}(3\mathsf {Adv}_{\mathcal {B}_{1}, \mathsf {fh}}^{\mathsf {iFE}}(\lambda ) + 2\mathsf {Adv}_{\mathcal {B}_{2}}^{\mathsf {\mathcal {D}_{ k }\text {-}MDDH}}(\lambda )). $$

Due to space constraints, the proof is provided in the full version.

4 Mixed-Group Multi-input IPFE

In this section, we define and construct our mixed-group multi-input inner product functional encryption (mixed-group IP-MIFE).

Definition 4.1

(Multi-Input Inner Products over Bilinear Groups). Let $\mathbb {G} = (p, G_{1}, G_{2}, G_{T}, g_{1}, g_{2},e)$ be bilinear groups. A function family $\mathcal {F}^{\mathsf {MIP}}_{m,n, \mathbb {G}}$ for multi-input inner products over bilinear groups consists of functions $f:(G_{1}^{m})^{n} \rightarrow G_{T}$. Each $f \in \mathcal {F}^{\mathsf {MIP}}_{m,n, \mathbb {G}}$ is specified by $[\mathbf{y}_{1}]_{2} , \ldots ,[\mathbf{y}_{n}]_{2} $ where $\mathbf{y}_{i} \in \mathbb {Z}_p^{m}$ and defined as $f([\mathbf{x}]_{1} , \ldots ,[\mathbf{x}]_{n}) :=[\sum _{i \in [n]}\langle \mathbf{x}_{i}, \mathbf{y}_{i} \rangle ]_{T}.$

Definition 4.2

(Multi-Input Mixed-Group Inner Products over Bilinear Groups). Let $\mathbb {G} = (p, G_{1}, G_{2}, G_{T}, g_{1}, g_{2},e)$ be bilinear groups. A function family $\mathcal {F}^{\mathsf {MGIP}}_{m_{1}, m_{2}, n,\mathbb {G}}$ for multi-input mixed-group inner products over bilinear groups consists of functions $f:(G_{1}^{m_{1}}\times G_{2}^{m_{2}})^{n} \rightarrow G_{T}$. Each $f \in \mathcal {F}^{\mathsf {MGIP}}_{m_{1},m_{2}, n, \mathbb {G}}$ is specified by $([\mathbf{y}_{1,1}]_{2}, [\mathbf{y}_{1,2}]_{1} , \ldots ,[\mathbf{y}_{n,1}]_{2}, [\mathbf{y}_{n,2}]_{1})$ where $\mathbf{y}_{i,1} \in \mathbb {Z}_p^{m_{1}}$ and $\mathbf{y}_{i,2} \in \mathbb {Z}_p^{m_{2}}$ and defined as $f(([\mathbf{x}_{1,1}]_{1},[\mathbf{x}_{1,2}]_{2} ), \ldots ,([\mathbf{x}_{n,1}]_{1},[\mathbf{x}_{n,2}]_{2} )) :=[\langle \mathbf{x}, \mathbf{y} \rangle ]_{T}$ where $\mathbf{x} :=(\mathbf{x}_{1,1},\mathbf{x}_{1,2}, \ldots ,\mathbf{x}_{n,1},\mathbf{x}_{n,2})$ and $\mathbf{y} :=(\mathbf{y}_{1,1},\mathbf{y}_{1,2}, \ldots ,\mathbf{y}_{n,1},\mathbf{y}_{n,2})$.

We refer to MIFE for $\mathcal {F}^{\mathsf {MIP}}_{m,n, \mathbb {G}}$ and $\mathcal {F}^{\mathsf {MGIP}}_{m_{1}, m_{2}, n,\mathbb {G}}$ as IP-MIFE and mixed-group IP-MIFE, respectively. We require mixed-group IP-MIFE to satisfy the standard function-hiding security in Definition 2.1.

4.1 Construction

Let $\mathcal {F}^{\mathsf {IP'}}_{m,\mathbb {G}}$ be a function class defined the same as $\mathcal {F}^{\mathsf {IP}}_{m,\mathbb {G}}$ in Definition 3.1 except that $G_{1}$ and $G_{2}$ are switched, that is, each $f:G^{m}_{2} \rightarrow G_{T}$ is specified by $[\mathbf{y}]_{1}$. We construct a function-hiding MIFE scheme for $\mathcal {F}^{\mathsf {MGIP}}_{m_{1},m_{2},n,\mathbb {G}}$ from a function-hiding MIFE scheme for $\mathcal {F}^{\mathsf {MIP}}_{m_{1}+m_{2}+k+1, n, \mathbb {G}}$ and function-hiding FE scheme for $\mathcal {F}^{\mathsf {IP'}}_{m_{2}+k+1,\mathbb {G}}$ in a generic way. Note that k is a parameter for the MDDH assumption. A function-hiding MIFE scheme for $\mathcal {F}^{\mathsf {MIP}}_{m, n, \mathbb {G}}$ based on MDDH is easily obtained from a function-hiding multi-input IPFE schemes in [4, 17, 30]. This is since these schemes in the literatures work even if input vectors for $\mathsf {Enc}$ and $\mathsf {KeyGen}$ consist of group elements, and $\mathsf {Dec}$ first obtains decryption values on the exponent of a target-group generator and then computes its discrete log.

Let $\mathsf {miFE}=(\mathsf {miSetup}, \mathsf {miEnc}, \mathsf {miKeyGen}, \mathsf {miDec})$ be a function-hiding MIFE scheme for $\mathcal {F}^{\mathsf {MIP}}_{m_{1}+m_{2}+k+1, n, \mathbb {G}}$ and $\mathsf {iFE}=(\mathsf {iSetup}, \mathsf {iEnc}, \mathsf {iKeyGen}, \mathsf {iDec})$ be a function-hiding FE scheme for $\mathcal {F}^{\mathsf {IP'}}_{m_{2}+k+1, \mathbb {G}}$. Then, our function-hiding MIFE scheme $\mathsf {gFE}=(\mathsf {gSetup}, \mathsf {gEnc}, \mathsf {gKeyGen}, \mathsf {gDec})$ for $\mathcal {F}^{\mathsf {MGIP}}_{m_{1},m_{2},n,\mathbb {G}}$ is constructed as shown in Fig. 2.

Correctness. Due to the correctness of $\mathsf {miFE}$ and $\mathsf {iFE}$, $\mathsf {gDec}$ outputs

$$ \left[ \sum _{i \in [n]} (\langle \widetilde{\mathbf {x}}_{i,1}, \widetilde{\mathbf {y}}_{i,1} \rangle +\langle \widetilde{\mathbf {x}}_{i,2}, \widetilde{\mathbf {y}}_{i,2} \rangle ) \right] _{T}= \left[ \sum _{i \in [n]} (\langle \mathbf{x}_{i,1}, \mathbf{y}_{i,1} \rangle +\langle \mathbf{x}_{i,2}, \mathbf{y}_{i,2} \rangle )\right] _{T}. $$

For security, we have the following theorem.

Theorem 4.1

If $\mathsf {miFE}$ and $\mathsf {iFE}$ are function-hiding, and the bilateral MDDH assumption holds in $\mathbb {G}$, then $\mathsf {gFE}$ is function-hiding. More precisely, for all PPT adversaries $\mathcal {A}$, there exist PPT adversaries $\mathcal {B}_{1}, \mathcal {B}_{2}, \mathcal {B}_{3}$ such that

$$ \mathsf {Adv}_{\mathcal {A}, \mathsf {fh}}^{\mathsf {gFE}}(\lambda ) \!\!\le \!\! (4q_{\mathsf {CT}}+1)\mathsf {Adv}_{\mathcal {B}_{1}, \mathsf {fh}}^{\mathsf {miFE}}(\lambda ) +n(4q_{\mathsf {CT}}+1)\mathsf {Adv}_{\mathcal {B}_{2}, \mathsf {fh}}^{\mathsf {iFE}}(\lambda ) +4nq_{\mathsf {CT}}\mathsf {Adv}_{\mathcal {B}_{3}}^{\mathsf {bi\text {-}\mathcal {D}_{ k }\text {-}MDDH}}(\lambda ). $$

Due to space constraints, the proof is provided in the full version.

5 Warm-Up: Two Input Quadratic MIFE

Since our general quadratic MIFE scheme (Sect. 6) is quite complex, we first present a simpler scheme as a warm-up. This scheme is a MIFE scheme for $\mathcal {F}^{\mathsf {MQF}}_{1,2,X,C}$ from the SXDH assumption, that is $m=1, n=2$. For ease of exposition, we also restrict the number of ciphertext queries to 2 per slot. The SXDH assumption is captured as the $\mathcal {D}_{k}$ assumption where $\mathcal {D}_{k}$ consists of all matrices with the form of $(a,1)^{\top } \in \mathbb {Z}_p^{2}$.

Let $\mathsf {pFE}=(\mathsf {pSetup}, \mathsf {pEnc}, \mathsf {pKeyGen}, \mathsf {pDec})$ be an FE scheme for $\mathcal {F}^{\mathsf {PIP}}_{4, 8, \mathbb {G}}$ (Definition 3.2), $\mathsf {iFE}=(\mathsf {iSetup}, \mathsf {iEnc}, \mathsf {iKeyGen}, \mathsf {iDec})$ be an FE scheme for $\mathcal {F}^{\mathsf {IP}}_{2, \mathbb {G}}$ (Definition 3.1), and $\mathsf {gFE}=(\mathsf {gSetup}, \mathsf {gEnc}, \mathsf {gKeyGen}, \mathsf {gDec})$ be an FE scheme for $\mathcal {F}^{\mathsf {MGIP}}_{4, 1, 2,\mathbb {G}}$ (Definition 4.2). The warm-up scheme $\mathsf {qFE} = (\mathsf {qSetup}, \mathsf {qEnc}, \mathsf {qKeyGen}, \mathsf {qDec})$ is constructed from $\mathsf {pFE}$, $\mathsf {iFE}$, and $\mathsf {gFE}$ as shown in Fig. 3. Since $\mathsf {gFE}$ cannot be instantiated from SXDH, the warm-up scheme needs an additional assumption such as XDLIN (bilateral 2-Lin).

Correctness. Let $s_{i}, \widetilde{s}_{i}, r_{i}, t_{i}, \mathbf{l}_{i}, \widetilde{\mathbf {l}}_{i}, \mathbf{b}_{i}, \widetilde{\mathbf {b}}_{i}$ for $i \in [2]$ be random elements used to generate $\mathsf {qCT}_{i}$. Observe that $\langle \mathbf{l}_{i}, \widetilde{\mathbf {l}}_{I} \rangle =0$ for all $i, I \in [2]$, and thus $\mathsf {pDec}(\mathsf {pCT}_{i},\mathsf {pSK}_{I}) = \langle \mathbf{b}_{i}, \widetilde{\mathbf {b}}_{I} \rangle $. Due to the correctness of $\mathsf {pFE},\mathsf {iFE}, \mathsf {gEF}$, we have

$$\begin{aligned}&z_{1} = \sum _{\mu , \nu \in [2]} c_{\mu ,\nu } (x_{\mu }x_{\nu }+s_{\nu }\widetilde{s}_{\mu }w_{\mu ,\nu }+r_{\mu }u_{\nu }+t_{\nu }v_{\mu })\\&z_{2} = \sum _{\mu , \nu \in [2]} c_{\mu ,\nu } s_{\nu }\widetilde{s}_{\mu }w_{\mu ,\nu },\; z_{3} = \sum _{\mu , \nu \in [2]} c_{\mu ,\nu } (r_{\mu }u_{\nu }+t_{\nu }v_{\mu }). \end{aligned}$$

Hence, we have $z = \sum _{\mu , \nu \in [2]} c_{\mu ,\nu } x_{\mu }x_{\nu }$.

5.1 Multi-input IPFE Scheme for Security Analysis

Before going to the security analysis of our quadratic MIFE scheme, we introduce a message-hiding IP-MIFE scheme, i.e. an MIFE scheme for $\mathcal {F}^{\mathsf {MIP}}_{m,n,\mathbb {G}}$, denoted by $\mathsf {miFE} = (\mathsf {miSetup}, \mathsf {miEnc}, \mathsf {miKeyGen}, \mathsf {miDec})$ that we use for the security proof. The scheme is obtained by applying the conversion of single to multi-input IPFE by Abdalla et al. [4, Sec. 4.1], to the single-input IPFE scheme by Abdalla et al. [3, Sec. 5]. The resulting scheme satisfies the message-hiding security under the DDH assumption. Note that although Abdalla et al. considered the conversion in the adaptive setting, it is not hard to see that the conversion works in the selective setting. The original scheme in [3] uses a pairing-free group for the construction, but it is easy to see that their scheme can be similarly built on pairing groups where the SXDH assumption holds. The scheme is described in Fig. 4.

5.2 Proof of Security

Theorem 5.1

If $\mathsf {pFE}$ is partially function-hiding, $\mathsf {iFE}$ and $\mathsf {gFE}$ are function-hiding, and $\mathcal {G}_{\mathsf {BG}}$ outputs bilinear groups where the SXDH assumption holds, then $\mathsf {qFE}$ is message-hiding as long as $q_{\mathsf {CT}}=2$ and $q_{\mathsf {SK}}=1$.

Proof

For ease of exposition, we prove security in the restricted game where an adversary makes two ciphertext queries per slot and one secret key query. This simplification showcases the basic strategy of the general proof, which is provided in Sect. 6. At a high-level view, our security proof is inspired by that of the IP-MIFE schemes by Abdalla et al. [4] in which the first queried ciphertexts of each slot are changed from bit 0 to bit 1 by the information-theoretic property of the one-time pad and the rest of ciphertexts are changed by the security of an IPFE scheme. In our case, the IPFE scheme will instead correspond to the IP-MIFE scheme in Sect. 5.1.

Intuitively, we want to prove $\mathsf {G}_{0} \approx _{c}\mathsf {G}_{1}$ where $\mathsf {G}_{\beta }$ is the message-hiding security game (described in Fig. 5). In $\mathsf {G}_{\beta }$, the vectors in the ciphertexts and the secret key that the adversary obtains are defined as Fig. 6. We introduce a series of hybrid games, $\mathsf {H}_{1} , \ldots ,\mathsf {H}_{15}$, and prove $\mathsf {G}_{0} \approx _{c}\mathsf {H}_{1} \approx _{c}\cdots \approx _{c}\mathsf {H}_{15} \approx _{c}\mathsf {G}_{1}$. In each hybrid game, the vectors for generating the ciphertexts and the secret keys are changed from $\mathsf {G}_{0}$, which is shown in Fig. 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20 and 21. We frame the parts that are changed from the previous game by a box and sometimes denote the parts that are not changed by —.

$\underline{\mathsf {G}_{0} \approx _{c}\mathsf {H}_{1}.}$ We can justify this indistinguishability by the (partially) function-hiding property of $\mathsf {pFE}$ and $\mathsf {gFE}$. For all $i,j,I,J \in [2]$, we can see that $\langle \mathbf{b}^{j}_{i}, \widetilde{\mathbf {b}}^{J}_{I} \rangle $ in $\mathsf {G}_{0}$ and that in $\mathsf {H}_{1}$ are equal unless $i=I$ and $j \ne J$. Recall that $\langle \mathbf{l}^{j}_{i}, \widetilde{\mathbf {l}}^{J}_{I} \rangle \ne 0$ with overwhelming probability if $i=I$ and $j \ne J$, since L is chosen from the exponentially large space, $\mathbb {Z}_p$. Hence, the indistinguishability of $\{\mathbf{b}, \widetilde{\mathbf {b}}\}$ between $\mathsf {G}_{0}$ and $\mathsf {H}_{1}$ is implied by the partially function-hiding property of $\mathsf {pFE}$.

Similarly, for all $i,j \in [2]$, $\langle \mathbf{f}^{j}_{i}, \widetilde{\mathbf {f}}_{i} \rangle $ in $\mathsf {G}_{0}$ and that in $\mathsf {H}_{1}$ are equal, which implies, for all $j_{1}, j_{2} \in [2]$, $\sum _{i \in [2]}( \langle \mathbf{f}^{j_{i}}_{i}, \widetilde{\mathbf {f}}_{i} \rangle + h^{j_{i}}_{i}\widetilde{h}_{i})$ in $\mathsf {G}_{0}$ and that in $\mathsf {H}_{1}$ are equal. Thus, the indistinguishability of $\{\mathbf{f}, \widetilde{\mathbf {f}}\}$ between $\mathsf {G}_{0}$ and $\mathsf {H}_{1}$ is implied by the function-hiding property of $\mathsf {gFE}$.

$\underline{\mathsf {H}_{1} \approx _{c}\mathsf {H}_{2}.}$ We can justify this indistinguishability by the SXDH assumption, which implies $(\mathbb {G}, [\mathbf{t}]_{1}, [v_{1}{} \mathbf{t}]_{1}) \approx _{c}(\mathbb {G}, [\mathbf{t}]_{1}, [\ddot{\mathbf {v}}]_{1})$ where $\mathbb {G} \leftarrow \mathcal {G}_{\mathsf {BG}}(1^\lambda ), \mathbf{t} = \{t^{j}_{i}\}_{i,j \in [2]}, \ddot{\mathbf {v}}= \{\ddot{v}^{j}_{i}\}_{i,j \in [2]} \leftarrow \mathbb {Z}_p^{4}, v_{1} \leftarrow \mathbb {Z}_p$.

$\underline{\mathsf {H}_{2} = \mathsf {H}_{3}.}$ These hybrid games are information-theoretically equivalent. This can be confirmed by setting $ \ddot{v}^{j}_{i} :={\left\{ \begin{array}{ll} \ddot{v}'^{j}_{i} +x^{1,1}_{1}x^{1,1}_{i}-x^{1,0}_{1}x^{1,0}_{i} &{} (i=1)\\ \ddot{v}'^{j}_{i} +x^{1,1}_{1}x^{j,1}_{i}-x^{1,0}_{1}x^{j,0}_{i} &{} (i=2) \end{array}\right. } \;\; \text {where }\ddot{v}'^{j}_{i} \leftarrow \mathbb {Z}_p.$

$\underline{\mathsf {H}_{3} \approx _{c}\mathsf {H}_{4}.}$ We can justify this indistinguishability by the SXDH assumption, and the indistinguishability can be shown similarly to that between $\mathsf {H}_{1}$ and $\mathsf {H}_{2}$.

$\underline{\mathsf {H}_{4} \approx _{c}\mathsf {H}_{5}.}$ We can justify this indistinguishability by the (partially) function-hiding property of $\mathsf {pFE}$ and $\mathsf {gFE}$, similarly to the case of $\mathsf {G}_{0} \approx _{c}\mathsf {H}_{1}$.

$\underline{\mathsf {H}_{5} \approx _{c}\mathsf {H}_{6}.}$ We can justify this indistinguishability by the (partially) function-hiding property of $\mathsf {pFE}$, $\mathsf {iFE}$, and $\mathsf {gFE}$, similarly to the case of $\mathsf {G}_{0} \approx _{c}\mathsf {H}_{1}$. Note that here we also need to consider $\mathsf {iFE}$ since $\{\mathbf{d}, \widetilde{\mathbf {d}}\}$ is also changed, but it is easy to see that, for all $i,j,I,J \in [2]$, $\langle \mathbf{d}^{j}_{i}, \widetilde{\mathbf {d}}^{J}_{I} \rangle $ in $\mathsf {H}_{5}$ and that in $\mathsf {H}_{6}$ are equal.

$\underline{\mathsf {H}_{6} \approx _{c}\mathsf {H}_{7}.}$ We can justify this indistinguishability by the SXDH assumption, which implies $(\mathbb {G}, [\mathbf{s}]_{1}, [\widetilde{s}^{2}_{1}{} \mathbf{s}]_{1}) \approx _{c}(\mathbb {G}, [\mathbf{s}]_{1}, [\ddot{\mathbf {s}}]_{1})$ and $(\mathbb {G}, [\mathbf{u}]_{1}, [r^{2}_{1}{} \mathbf{u}]_{1}) \approx _{c}(\mathbb {G}, [\mathbf{u}]_{1}, [\ddot{\mathbf {u}}]_{1})$ where $\mathbb {G} \leftarrow \mathcal {G}_{\mathsf {BG}}(1^\lambda ), \mathbf{s} = \{s^{j}_{i}\}_{i,j \in [2]}, \ddot{\mathbf {s}}= \{\ddot{s}^{j}_{i}\}_{i,j \in [2]} \leftarrow \mathbb {Z}_p^{4}, \widetilde{s}^{2}_{1} \leftarrow \mathbb {Z}_p, \mathbf{u} = \{u_{i}\}_{i \in [2]}, \ddot{\mathbf {u}}= \{\ddot{u}_{i}\}_{i \in [2]} \leftarrow \mathbb {Z}_p^{2}, r^{2}_{1} \leftarrow \mathbb {Z}_p$.

$\underline{\mathsf {H}_{7} \approx _{c}\mathsf {H}_{8}.}$ We can justify this indistinguishability by the message-hiding property of $\mathsf {miFE}$. First, we prove that, for all $j \in [2]$, we have

$$\begin{aligned} \begin{aligned}&c_{1,1}(x^{2,0}_{1}x^{2,0}_{1}-x^{1,0}_{1}x^{1,0}_{1})+c_{1,2}(x^{2,0}_{1}x^{j,0}_{2}-x^{1,0}_{1}x^{j,0}_{2})\\ =&c_{1,1}(x^{2,1}_{1}x^{2,1}_{1}-x^{1,1}_{1}x^{1,1}_{1})+c_{1,2}(x^{2,1}_{1}x^{j,1}_{2}-x^{1,1}_{1}x^{j,1}_{2}). \end{aligned} \end{aligned}$$

(5.1)

Due to the game condition defined in Definition 2.1, the queries by the adversary satisfy

$$\begin{aligned} \sum _{i,\theta \in [2]} c_{i,\theta } x^{f(i),0}_{i}x^{f(\theta ),0}_{\theta }&= \sum _{i,\theta \in [2]} c_{i,\theta } x^{f(i),1}_{i}x^{f(\theta ),1}_{\theta } \end{aligned}$$

(5.2)

$$\begin{aligned} \sum _{i,\theta \in [2]} c_{i,\theta } x^{g(i),0}_{i}x^{g(\theta ),0}_{\theta }&= \sum _{i,\theta \in [2]} c_{i,\theta } x^{g(i),1}_{i}x^{g(\theta ),1}_{\theta } \end{aligned}$$

(5.3)

where $ f(i)= {\left\{ \begin{array}{ll} 2 &{} (i=1)\\ j &{} (i=2) \end{array}\right. },\;\; g(i)= {\left\{ \begin{array}{ll} 1 &{} (i=1)\\ j &{} (i=2) \end{array}\right. }.$ Note that Eq. (5.2) represents the restriction $f(x^{2,0}_{1}, x^{j,0}_{2}) = f(x^{2,1}_{1}, x^{j,1}_{2})$, and Eq. (5.3) represents the restriction $f(x^{1,0}_{1}, x^{j,0}_{2}) = f(x^{1,1}_{1}, x^{j,1}_{2})$. Equation (5.2)–Eq. (5.3) implies Eq. (5.1) by reflecting the fact that $c_{2,1}=0$, which is defined in Definition 2.2.

Thanks to the message-hiding property of 2-slot $\mathsf {miFE}$ and Eq. (5.1), we have

$$ \{\mathsf {miPP}, \mathsf {miCT}^{1,0}_{1}, \mathsf {miCT}^{1,0}_{2}, \mathsf {miCT}^{2,0}_{2}, \mathsf {miSK}\} \approx _{c}\{\mathsf {miPP}, \mathsf {miCT}^{1,1}_{1}, \mathsf {miCT}^{1,1}_{2}, \mathsf {miCT}^{2,1}_{2}, \mathsf {miSK}\} $$

where

$$\begin{aligned}&\mathsf {miPP}= (\mathbb {G}, [w_{1,1}]_{1}, [w_{1,2}]_{1})\\&\mathsf {miCT}^{1,\beta }_{1} = ([\ddot{s}^{2}_{1}]_{1}, [\ddot{s}^{2}_{1}w_{1,1}+\ddot{u}_{1}+x^{2,\beta }_{1}x^{2,\beta }_{1}-x^{1,\beta }_{1}x^{1,\beta }_{1}]_{1} )\\&\mathsf {miCT}^{j,\beta }_{2} = ([\ddot{s}^{j}_{2}]_{1}, [\ddot{s}^{j}_{2}w_{1,2}+\ddot{u}_{2}+\underbrace{x^{2,\beta }_{1}x^{j,\beta }_{2}-x^{1,\beta }_{1}x^{j,\beta }_{2}}_{\text {message vectors}}]_{1} )\\&\mathsf {miSK}= (\sum _{\mu \in [2]}c_{1,\mu }\ddot{u}_{\mu }, -c_{1,1}w_{1,1}, -c_{1,2}w_{1,2}, \underbrace{c_{1,1}, c_{1,2}}_{\text {key vector}}). \end{aligned}$$

Roughly speaking, $[\mathbf{b}]_{1}$ in $\mathsf {qCT}^{2}_{1},\mathsf {qCT}^{1}_{2},\mathsf {qCT}^{2}_{2}$ is simulatable from $\mathsf {miCT}^{1,\beta }_{1},\mathsf {miCT}^{1,\beta }_{2}, \mathsf {miCT}^{2,\beta }_{2}$, respectively, and $[\widetilde{h}_{1}]_{1}$ in $\mathsf {qSK}$ is simulatable from $\mathsf {miSK}$, and the case of $\beta = 0$ corresponds to $\mathsf {H}_{7}$ and $\beta = 1$ corresponds to $\mathsf {H}_{8}$.

$\underline{\mathsf {H}_{8} \approx _{c}\mathsf {H}_{9}.}$ We can justify this indistinguishability by the SXDH assumption similarly to the case of $\mathsf {H}_{6} \approx _{c}\mathsf {H}_{7}$.

$\underline{\mathsf {H}_{9} \approx _{c}\mathsf {H}_{10}.}$ We can justify this indistinguishability by the (partially) function-hiding property of $\mathsf {pFE}$, $\mathsf {iFE}$, and $\mathsf {gFE}$, similarly to the case of $\mathsf {G}_{5} \approx _{c}\mathsf {H}_{6}$. At this point, all ciphertexts for slot 1 are changed from encryption of 0-side to that of 1-side.

$\underline{\mathsf {H}_{10} \approx _{c}\mathsf {H}_{11}.}$ As stated above, $\mathsf {G}_{0}$ to $\mathsf {H}_{10}$ are hybrid games for processing the ciphertexts for slot 1. Next, we apply a similar procedure to slot 2. $\mathsf {H}_{11}$ in the process for slot 2 corresponds to $\mathsf {H}_{7}$ in the process for slot 1. That is, $\mathsf {H}_{10} \approx _{c}\mathsf {H}_{11}$ can be proven similarly to $\mathsf {G}_{0} \approx _{c}\mathsf {H}_{7}$.

$\underline{\mathsf {H}_{11} \approx _{c}\mathsf {H}_{12}.}$ This indistinguishability can be prove similarly to the case of $\mathsf {H}_{7} \approx _{c}\mathsf {H}_{8}$, but we need an additional tweak in this case. First, we prove that, for all $j \in [2]$, we have

$$\begin{aligned} \begin{aligned}&c_{2,1}(x^{2,0}_{2}x^{j,0}_{1}-x^{1,0}_{2}x^{j,0}_{1})+c_{2,2}(x^{2,0}_{2}x^{2,0}_{2}-x^{1,0}_{2}x^{1,0}_{2})+c_{1,2}(x^{1,0}_{1}x^{2,0}_{2}-x^{1,0}_{1}x^{1,0}_{2})\\ =&c_{2,1}(x^{2,1}_{2}x^{j,1}_{1}-x^{1,1}_{2}x^{j,1}_{1})+c_{2,2}(x^{2,1}_{2}x^{2,1}_{2}-x^{1,1}_{2}x^{1,1}_{2})+c_{1,2}(x^{1,1}_{1}x^{2,1}_{2}-x^{1,1}_{1}x^{1,1}_{2}). \end{aligned} \end{aligned}$$

(5.4)

Due to the game condition defined in Definition 2.1, the queries by the adversary satisfy

$$\begin{aligned} \sum _{i,\theta \in [2]} c_{i,\theta } x^{f(i),0}_{i}x^{f(\theta ),0}_{\theta }&= \sum _{i,\theta \in [2]} c_{i,\theta } x^{f(i),1}_{i}x^{f(\theta ),1}_{\theta } \end{aligned}$$

(5.5)

$$\begin{aligned} \sum _{i,\theta \in [2]} c_{i,\theta } x^{g(i),0}_{i}x^{g(\theta ),0}_{\theta }&= \sum _{i,\theta \in [2]} c_{i,\theta } x^{g(i),1}_{i}x^{g(\theta ),1}_{\theta } \end{aligned}$$

(5.6)

where $ f(i)= {\left\{ \begin{array}{ll} 1 &{} (i=1)\\ 2 &{} (i=2) \end{array}\right. },\;\; g(i)= {\left\{ \begin{array}{ll} 1 &{} (i=1)\\ 1 &{} (i=2) \end{array}\right. }.$ Note that Eq. (5.5) represents the restriction $f(x^{1,0}_{1}, x^{2,0}_{2}) = f(x^{1,1}_{1}, x^{2,1}_{2})$, and Eq. (5.6) represents the restriction $f(x^{1,0}_{1}, x^{1,0}_{2}) = f(x^{1,1}_{1}, x^{1,1}_{2})$. Equation (5.5)–Eq. (5.6) implies Eq. (5.4) by reflecting the fact that $c_{2,1}=0$, which is defined in Definition 2.2.

Thanks to the message-hiding property of 3-slot $\mathsf {miFE}$ and Eq. (5.4), we have

$$\begin{aligned}&\{\mathsf {miPP},\mathsf {miCT}^{1,0}_{1}, \mathsf {miCT}^{2,0}_{1}, \mathsf {miCT}^{1,0}_{2}, \mathsf {miCT}^{1,0}_{3},\mathsf {miSK}\}\\ \approx _{c}&\{\mathsf {miPP},\mathsf {miCT}^{1,1}_{1}, \mathsf {miCT}^{2,1}_{1}, \mathsf {miCT}^{1,1}_{2}, \mathsf {miCT}^{1,1}_{3},\mathsf {miSK}\} \end{aligned}$$

where

$$\begin{aligned}&\mathsf {miPP}= (\mathbb {G}, [w_{2,1}]_{1}, [w_{2,2}]_{1}, [w_{2,3}]_{1})\\&\mathsf {miCT}^{j,\beta }_{1} = ([\ddot{s}^{j}_{1}]_{1}, [\ddot{s}^{j}_{1}w_{2,1}+\ddot{u}_{1}+x^{2,\beta }_{2}x^{j,\beta }_{1}-x^{1,\beta }_{2}x^{j,\beta }_{1}]_{1} )\\&\mathsf {miCT}^{1,\beta }_{2} = ([\ddot{s}^{2}_{2}]_{1}, [\ddot{s}^{2}_{2}w_{2,2}+\ddot{u}_{2}+x^{2,\beta }_{2}x^{2,\beta }_{2}-x^{1,\beta }_{2}x^{1,\beta }_{2}]_{1} )\\&\mathsf {miCT}^{1,\beta }_{3} = ([\ddot{s}^{1}_{3}]_{1}, [\ddot{s}^{1}_{3}w_{2,3}+\ddot{u}_{3}+\underbrace{x^{1,\beta }_{1}x^{2,\beta }_{2}-x^{1,\beta }_{1}x^{1,\beta }_{2}}_{\text {message vectors}}]_{1} )\\&\mathsf {miSK}= (\sum _{\mu \in [2]}c_{2,\mu }\ddot{u}_{\mu }+c_{1,2}\ddot{u}_{3}, -c_{2,1}w_{2,1}, -c_{2,2}w_{2,2}, -c_{1,2}w_{2,3}, \underbrace{c_{2,1}, c_{2,2}, c_{1,2}}_{\text {key vector}}). \end{aligned}$$

Roughly speaking, $[\mathbf{b}]_{1}$ in $\mathsf {qCT}^{1}_{1}, \mathsf {qCT}^{2}_{1}, \mathsf {qCT}^{2}_{2}$ is simulatable from $\mathsf {miCT}^{1,\beta }_{1},\mathsf {miCT}^{2,\beta }_{1}, \mathsf {miCT}^{1,\beta }_{2}$, respectively, and $[\widetilde{h}_{2}]_{1}$ in $\mathsf {qSK}$ is simulatable from $\mathsf {miSK}$ and $\mathsf {miCT}^{1,\beta }_{3}$. More precisely,

$$ \widetilde{h}_{2} = \mathsf {K}_{1} -\mathsf {C}_{1}\mathsf {K}_{4} - c_{1,2}(\mathsf {C}_{2}+x^{1,0}_{1}x^{2,0}_{2}-x^{1,0}_{1}x^{1,0}_{2}) $$

where $\mathsf {miCT}^{1,\beta }_{3} = ([\mathsf {C}_{1}]_{1}, [\mathsf {C}_{2}]_{1})$ and $\mathsf {miSK}=(\mathsf {K}_{1} , \ldots ,\mathsf {K}_{7})$. The case of $\beta = 0$ corresponds to $\mathsf {H}_{11}$ and $\beta = 1$ corresponds to $\mathsf {H}_{12}$.

$\underline{\mathsf {H}_{12} \approx _{c}\mathsf {H}_{13}.}$ We can justify this indistinguishability by the function-hiding property of $\mathsf {gFE}$. For all $i,j \in [2]$, $\langle \mathbf{f}^{j}_{i}, \widetilde{\mathbf {f}}_{i} \rangle +h^{j}_{i}\widetilde{h}_{i}$ in $\mathsf {H}_{12}$ and that in $\mathsf {H}_{13}$ are equal (recall that $c_{2,1}=0$), which implies, for all $j_{1}, j_{2} \in [2]$, $\sum _{i \in [2]} (\langle \mathbf{f}^{j_{i}}_{i}, \widetilde{\mathbf {f}}_{i} \rangle + h^{j_{i}}_{i}\widetilde{h}_{i})$ in $\mathsf {H}_{12}$ and that in $\mathsf {H}_{13}$ are equal. Thus, the indistinguishability of $\{\mathbf{f}, \widetilde{\mathbf {f}}, h, \widetilde{h}\}$ between $\mathsf {H}_{12}$ and $\mathsf {H}_{13}$ is implied by the function-hiding property of $\mathsf {gFE}$.

$\underline{\mathsf {H}_{13} \approx _{c}\mathsf {H}_{14}.}$ This indistinguishability can be proven similarly to $\mathsf {H}_{8} \approx _{c}\mathsf {H}_{10}$.

$\underline{\mathsf {H}_{14} \approx _{c}\mathsf {H}_{15}.}$ Due to the game condition defined in Definition 2.1, the queries by the adversary satisfy $ \sum _{i,\theta \in [2]} c_{i,\theta } (x^{1,1}_{i}x^{1,1}_{\theta } -x^{1,0}_{i}x^{1,0}_{\theta })=0, $ which implies, for all $j_{1}, j_{2} \in [2]$, $\sum _{i \in [2]} (\langle \mathbf{f}^{j_{i}}_{i}, \widetilde{\mathbf {f}}_{i} \rangle + h^{j_{i}}_{i}\widetilde{h}_{i})$ in $\mathsf {H}_{14}$ and that in $\mathsf {H}_{15}$ are equal. Thus, the indistinguishability of $\{\mathbf{f}, \widetilde{\mathbf {f}}\}$ between $\mathsf {H}_{14}$ and $\mathsf {H}_{15}$ is implied by the function-hiding property of $\mathsf {gFE}$.

$\underline{\mathsf {H}_{15} \approx _{c}\mathsf {G}_{1}.}$ It is easy to see that this indistinguishability is implied by the partially function-hiding property of $\mathsf {pFE}$, since, for all $i,j,I,J \in [2]$, $\langle \mathbf{b}^{j}_{i}, \widetilde{\mathbf {b}}^{J}_{I} \rangle $ in $\mathsf {H}_{15}$ and that in $\mathsf {G}_{1}$ are equal.

6 Quadratic Multi-input Functional Encryption

We present our quadratic MIFE scheme for $\mathcal {F}^{\mathsf {MQF}}_{m,n,X,C}$. We define the following functions that relate indices in $[n] \times [m]$ with those in [mn]:

location function, $\mathsf {lo}:[n] \times [m] \rightarrow [mn]$, defined as $\mathsf {lo}(x,y) = (x-1)m+y$;
location set function, $\mathsf {ls}:[n]\rightarrow 2^{[mn]}$, defined as $\mathsf {ls}(x) = \{\mathsf {lo}(x,1) , \ldots ,\mathsf {lo}(x,m)\}$;
slot function, $\mathsf {sl}:[mn] \rightarrow [n]$, defined as $\mathsf {sl}(x) = \lceil x/m \rceil $;
entry function, $\mathsf {en}:[mn] \rightarrow [m]$, defined as $\mathsf {en}(x) = x- m(\mathsf {sl}(x)-1)$.

Note that we have $\mathsf {lo}(\mathsf {sl}(x),\mathsf {en}(x))=x$ for all $x \in [mn]$. Let $\mathcal {D}_{k}$ be a matrix distribution. Let $\mathsf {pFE}=(\mathsf {pSetup}, \mathsf {pEnc}, \mathsf {pKeyGen}, \mathsf {pDec})$ be an FE scheme for $\mathcal {F}^{\mathsf {PIP}}_{2n, 2+(mn+2)k+(2+k)m, \mathbb {G}}$ (Definition 3.2), $\mathsf {iFE}=(\mathsf {iSetup}, \mathsf {iEnc}, \mathsf {iKeyGen}, \mathsf {iDec})$ be an FE scheme for $\mathcal {F}^{\mathsf {IP}}_{k+1, \mathbb {G}}$ (Definition 3.1), and $\mathsf {gFE}=(\mathsf {gSetup}, \mathsf {gEnc}, \mathsf {gKeyGen}, \mathsf {gDec})$ be an FE scheme for $\mathcal {F}^{\mathsf {MGIP}}_{2k+m^{2}n, 1, n,\mathbb {G}}$ (Definition 4.2). We construct our quadratic MIFE scheme $\mathsf {qFE}=(\mathsf {qSetup}, \mathsf {qEnc}, \mathsf {qKeyGen}, \mathsf {qDec})$ from $\mathsf {pFE}$, $\mathsf {iFE}$, and $\mathsf {gFE}$ as shown in Fig. 22.

Due to space constraints, we present the proof of correctness and security analysis of our scheme in the full version.

Notes

1.
Note that FE for quadratic functions are trivially constructible from FE for inner products (IPFE) by linearizing and encrypting all quadratic monomials. However, FE for quadratic functions requires that the ciphertext size be linear in input length.
2.
In an exciting recent work, iO has been constructed from sub-exponential hardness of four well-founded assumptions [24]. However, this construction relies on a series of intricate, lossy reductions and is primarily a feasibility result. We will focus on the polynomial hardness of a well-founded problem in this work.
3.
Recall that public-key MIFE does not imply secret-key MIFE. Roughly speaking, a user who has $\mathsf {CT}_{1}$ for $x_{1}$ and $\mathsf {SK}$ for f of a public-key scheme is allowed to learn $f(x_{1},x_{2} , \ldots ,x_{n})$ for all $(x_{2} , \ldots ,x_{n})$, since this is inherent leakage, while it is not the case in secret-key MIFE.
4.
In more detail, this follows since the scheme remains correct and secure even if input vectors for $\mathsf {Enc}$ and $\mathsf {KeyGen}$ consist of group elements, and $\mathsf {Dec}$ first obtains decryption values on the exponent of a target-group generator and then computes its discrete log.

References

Abdalla, M., Benhamouda, F., Gay, R.: From single-input to multi-client inner-product functional encryption. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part III. LNCS, vol. 11923, pp. 552–582. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_19
Chapter Google Scholar
Abdalla, M., Benhamouda, F., Kohlweiss, M., Waldner, H.: Decentralizing inner-product functional encryption. In: Lin, D., Sako, K. (eds.) PKC 2019, Part II. LNCS, vol. 11443, pp. 128–157. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_5
Chapter Google Scholar
Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 733–751. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_33
Chapter Google Scholar
Abdalla, M., Catalano, D., Fiore, D., Gay, R., Ursu, B.: Multi-input functional encryption for inner products: function-hiding realizations and constructions without pairings. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 597–627. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_20
Chapter Google Scholar
Abdalla, M., Catalano, D., Gay, R., Ursu, B.: Inner-product functional encryption with fine-grained access control. Cryptology ePrint Archive, Report 2020/577 (2020). https://eprint.iacr.org/2020/577
Abdalla, M., Gay, R., Raykova, M., Wee, H.: Multi-input inner-product functional encryption from pairings. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 601–626. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_21
Chapter Google Scholar
Ananth, P., Jain, A., Lin, H., Matt, C., Sahai, A.: Indistinguishability obfuscation without multilinear maps: new paradigms via low degree weak pseudorandomness and security amplification. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 284–332. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_10
Chapter Google Scholar
Ananth, P., Jain, A.: Indistinguishability obfuscation from compact functional encryption. In: Gennaro, R., Robshaw, M.J.B. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 308–326. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_15
Chapter Google Scholar
Baltico, C.E.Z., Catalano, D., Fiore, D., Gay, R.: Practical functional encryption for quadratic functions with applications to predicate encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 67–98. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_3
Chapter Google Scholar
Bishop, A., Jain, A., Kowalczyk, L.: Function-hiding inner product encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part I. LNCS, vol. 9452, pp. 470–491. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_20
Chapter Google Scholar
Bitansky, N., Vaikuntanathan, V.: Indistinguishability obfuscation from functional encryption. In: Guruswami, V. (ed.) 56th FOCS, pp. 171–190. IEEE Computer Society Press, October 2015
Google Scholar
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_16
Chapter Google Scholar
Brakerski, Z., Segev, G.: Function-private functional encryption in the private-key setting. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 306–324. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_12
Chapter Google Scholar
Chen, J., Wee, H.: Semi-adaptive attribute-based encryption and improved delegation for boolean formula. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 277–297. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10879-7_16
Chapter Google Scholar
Chotard, J., Dufour Sans, E., Gay, R., Phan, D.H., Pointcheval, D.: Decentralized multi-client functional encryption for inner product. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part II. LNCS, vol. 11273, pp. 703–732. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_24
Chapter Google Scholar
Datta, P., Dutta, R., Mukhopadhyay, S.: Functional encryption for inner product with full function privacy. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 164–195. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_7
Chapter Google Scholar
Datta, P., Okamoto, T., Tomida, J.: Full-hiding (unbounded) multi-input inner product functional encryption from the k-linear assumption. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part II. LNCS, vol. 10770, pp. 245–277. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5_9
Chapter Google Scholar
Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.L.: An algebraic framework for Diffie-Hellman assumptions. J. Cryptol. 30(1), 242–288 (2017)
Article MathSciNet Google Scholar
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press, October 2013
Google Scholar
Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Functional encryption without obfuscation. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016, Part II. LNCS, vol. 9563, pp. 480–511. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_18
Chapter Google Scholar
Gay, R.: A new paradigm for public-key functional encryption for degree-2 polynomials. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020, Part I. LNCS, vol. 12110, pp. 95–120. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_4
Chapter Google Scholar
Goldwasser, S., et al.: Multi-input functional encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 578–602. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_32
Chapter Google Scholar
Goyal, R., Koppula, V., Waters, B.: Semi-adaptive security and bundling functionalities made generic and easy. In: Hirt, M., Smith, A.D. (eds.) TCC 2016, Part II. LNCS, vol. 9986, pp. 361–388. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_14
Chapter Google Scholar
Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from well-founded assumptions. Cryptology ePrint Archive, Report 2020/1003 (2020). https://eprint.iacr.org/2020/1003
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_9
Chapter Google Scholar
Kim, S., Lewi, K., Mandal, A., Montgomery, H., Roy, A., Wu, D.J.: Function-hiding inner product encryption is practical. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 544–562. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_29
Chapter Google Scholar
Libert, B., Ţiţiu, R.: Multi-client functional encryption for linear functions in the standard model from LWE. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part III. LNCS, vol. 11923, pp. 520–551. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_18
Chapter MATH Google Scholar
Lin, H.: Indistinguishability obfuscation from SXDH on 5-linear maps and locality-5 PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 599–629. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_20
Chapter Google Scholar
O’Neill, A.: Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010). http://eprint.iacr.org/2010/556
Tomida, J.: Tightly secure inner product functional encryption: multi-input and function-hiding constructions. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part III. LNCS, vol. 11923, pp. 459–488. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_16
Chapter Google Scholar
Tomida, J., Abe, M., Okamoto, T.: Efficient functional encryption for inner-product values with full-hiding security. In: Bishop, M., Nascimento, A.C.A. (eds.) ISC 2016. LNCS, vol. 9866, pp. 408–425. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45871-7_24
Chapter MATH Google Scholar

Download references

Author information

Authors and Affiliations

IIT Madras, Chennai, India
Shweta Agrawal
MIT, Cambridge, USA
Rishab Goyal
NTT Corporation, Tokyo, Japan
Junichi Tomida

Authors

Shweta Agrawal
View author publications
You can also search for this author in PubMed Google Scholar
Rishab Goyal
View author publications
You can also search for this author in PubMed Google Scholar
Junichi Tomida
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Shweta Agrawal .

Editor information

Editors and Affiliations

Columbia University, New York City, NY, USA
Tal Malkin
University of Michigan, Ann Arbor, MI, USA
Chris Peikert

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Agrawal, S., Goyal, R., Tomida, J. (2021). Multi-input Quadratic Functional Encryption from Pairings. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science(), vol 12828. Springer, Cham. https://doi.org/10.1007/978-3-030-84259-8_8

Download citation

DOI: https://doi.org/10.1007/978-3-030-84259-8_8
Published: 11 August 2021
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-84258-1
Online ISBN: 978-3-030-84259-8
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)