1 Introduction
1.1 Background
1.2 Our result
1.3 Related works
1.4 Key techniques
1.5 Notations
2 Dual pairing vector spaces by direct product of symmetric pairing groups
3 Definitions of zero and non-zero inner-product encryption (ZIPE/NIPE)
-
In a weaker security notion, selectively payload-hiding, the adversary is required to declare the challenge vector \(\vec {x}\) at the beginning of the game (before Setup). Similarly, the weaker (selective) security variants can be defined in place of the two (adaptive) security notions in Definitions 5 and 6.
-
The above security notion, which is secure against chosen-plaintext attacks (CPA), can be easily extended to the security notion against chosen-ciphertext attacks (CCA) by allowing an adversary to give decryption queries in Phases 1 and 2. Since there is a standard (efficient) methodology to transform a CPA-secure FE (including NIPE/ZIPE) scheme to a CCA-secure FE scheme by using the Canetti–Halevi–Katz (CHK) transformation or the Boneh–Katz (BK) transformation [7] as is given in [25], we only present CPA-secure NIPE/ZIPE schemes in this paper.
-
\(\vec {v}\cdot \vec {x}^{(0)} \not =0\) and \(\vec {v}\cdot \vec {x}^{(1)} \not =0\) for all the key queried predicate vectors, \(\vec {v}\).
-
Two challenge plaintexts are equal, i.e., \(m^{(0)} = m^{(1)}\), and any key query \(\vec {v}\) satisfies \(R(\vec {v}, \vec {x}^{(0)}) = R(\vec {v},\vec {x}^{(1)})\), i.e., one of the following conditions.
-
\(\vec {v}\cdot \vec {x}^{(0)} =0\) and \(\vec {v}\cdot \vec {x}^{(1)} =0\),
-
\(\vec {v}\cdot \vec {x}^{(0)} \not =0\) and \(\vec {v}\cdot \vec {x}^{(1)} \not =0\),
-
4 Decisional linear (DLIN) assumption
5 Special matrix subgroups
6 NIPE scheme with constant-size ciphertexts
6.1 Key ideas in constructing the proposed NIPE scheme
6.2 Dual orthonormal basis generator
6.3 Construction
6.4 Security
6.4.1 Lemmas for the Proof of Theorem 1
6.4.2 Proof outline
6.4.3 Proof of Theorem 1
7 NIPE scheme with constant-size secret-keys
7.1 Dual orthonormal basis generator
7.2 Construction and security
8 ZIPE scheme with constant-size ciphertexts
8.1 Dual orthonormal basis generator
8.2 Construction and security
9 ZIPE scheme with constant-size secret-keys
9.1 Dual orthonormal basis generator
9.2 Construction and security
10 Fully-attribute-hiding ZIPE scheme with constant-size secret-keys
10.1 Construction and security
11 Comparison
AL10 [4] ZIPE with short CT | AL10 [4] NIPE with short CT | Proposed ZIPE with short CT | Proposed NIPE with short CT | Proposed ZIPE with short SK | Proposed NIPE with short SK | Proposed fully-AH ZIPE with short SK | |
---|---|---|---|---|---|---|---|
Security | Adaptive PH | Co-selective PH | Adaptive PH | Adaptive PH | Adaptive weakly-AH | Adaptive PH | Adaptive fully-AH |
Assump. | DLIN and DBDH | DLIN and DBDH | DLIN | DLIN | DLIN | DLIN | DLIN |
IP rel. | Zero | Non-zero | Zero | Non-zero | Zero | Non-zero | Zero |
PK size |
\((n+11)|\mathbb {G}|\) + \(|\mathbb {G}_T|\)
|
\((n + 11)|\mathbb {G}|\) + \(|\mathbb {G}_T|\)
|
\((10 n + 13)|\mathbb {G}|\) + \(|\mathbb {G}_T|\)
|
\((8 n + 23)|\mathbb {G}|\) + \(|\mathbb {G}_T|\)
|
\((10 n + 13)|\mathbb {G}|\) + \(|\mathbb {G}_T|\)
|
\((8 n + 23)|\mathbb {G}|\) + \(|\mathbb {G}_T|\)
|
\((12 n + 16)|\mathbb {G}|\) + \(|\mathbb {G}_T|\)
|
SK size |
\((n + 6) |\mathbb {G}| + (n - 1) |\mathbb {F}_q|\)
|
\((n + 6) |\mathbb {G}|\)
|
\((4 n + 1) |\mathbb {G}|\)
|
\((4 n + 5) |\mathbb {G}|\)
| 9\(|\mathbb {G}|\)
| 13\(|\mathbb {G}|\)
| 11\(|\mathbb {G}|\)
|
CT size | 9\(|\mathbb {G}| + |\mathbb {G}_T|+ |\mathbb {F}_q|\)
| 9\(|\mathbb {G}|+ |\mathbb {G}_T|\)
| 9\(|\mathbb {G}|+ |\mathbb {G}_T|\)
| 13\(|\mathbb {G}|+ |\mathbb {G}_T|\)
|
\((4 n + 1)|\mathbb {G}|+ |\mathbb {G}_T|\)
|
\((4 n + 5)|\mathbb {G}|+ |\mathbb {G}_T|\)
|
\((5 n + 1)|\mathbb {G}|+ |\mathbb {G}_T|\)
|
Dec time | 9P + nM | 9P + nM | 9P + \(4(n-1)\)M | 13P + \(4(n-1)\)M | 9P + \(4(n-1)\)M | 13P + \(4(n-1)\)M | 11P + \(5(n-1)\)M |