Private Predicate Encryption for Inner Product from Key-Homomorphic Pseudorandom Function

Tseng, Yi-Fan; Liu, Zi-Yuan; Hsu, Jen-Chieh; Tso, Raylin

doi:https://doi.org/10.1155/2021/6678194

Security and Communication Networks

On this page

Abstract Introduction Analysis Conclusions Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Security, Trust and Privacy for Cloud, Fog and Internet of Things

View this Special Issue

Research Article | Open Access

Volume 2021 | Article ID 6678194 | https://doi.org/10.1155/2021/6678194

Private Predicate Encryption for Inner Product from Key-Homomorphic Pseudorandom Function

Yi-Fan Tseng,¹Zi-Yuan Liu,¹Jen-Chieh Hsu,¹and Raylin Tso¹

Academic Editor: David Megías

Received04 Nov 2020

Revised07 Dec 2020

Accepted21 Jan 2021

Published12 Feb 2021

Abstract

Predicate encryption (PE), formalized by Katz et al., is a new paradigm of public-key encryption that conceptually captures the public-key encryption that supports fine-grained access control policy. Because of the nature of PE, it is used for cloud storage so that users can retrieve encrypted data without revealing any information about the data to cloud servers and other users. Although lots of PE schemes have been studied, the predicate-hiding security is seldom considered; that is, the user’s secret key may leak sensitive information of the predicate. Additionally, the security of the current predicate-hiding PE schemes relies on the discrete logarithm assumption which cannot resist the quantum attacks in the future. In this paper, we propose a generic PE for inner product under symmetric-key setting, called private IPE, from specific key-homomorphic pseudorandom function (PRF). The rigorous proofs are provided to show that the construction is payload-hiding, attribute-hiding, and predicate-hiding secure. With the advantage of the generic construction, if the underlying PRF can resist quantum attacks, then, through our proposed generic construction, a quantum-resistant private IPE can be obtained.

1. Introduction

In recent years, cloud computing has become increasingly important as smartphones and Internet of Things devices are widely used in our life. Users typically upload their data to the cloud to achieve efficient computing and reduce storage requirements of their devices. Due to the fact that the uploaded data are sensitive, users may consider using authentication protocol [1–4] and encryption schemes [5, 6] to protect their data privacy in cloud environment. One novel approach is to encrypt data before it is uploaded to the cloud. However, encrypted data loses flexibility in data usage, such as fine-grained control over access to encrypted data. For example, a user may want to search for and download ciphertext that corresponds to certain attributes. If each piece of data is purely encrypted, the only way is to download all the ciphertexts and decrypt them for search. Unfortunately, this approach would be very inefficient. Therefore, how to efficiently control the access to encrypted data and ensure the privacy and security of data is an urgent issue for cloud computing.

Predicate encryption (PE) [7], formalized by Katz et al., is a general paradigm that conceptually captures the public-key encryption supporting fine-grained access control policy. In a PE scheme for a predicate function , a secret key, issued by a trusted authority, is associated with a key attribute , while the ciphertext is associated with a ciphertext attribute . Specifically, the ciphertext can be decrypted using the secret key if and only if . Therefore, PE can be used as access control mechanism for the previous cloud storage scenario and provide the flexibility for encryption schemes, which allows sender to encrypt data with more complicated access policy. For example, in a school scenario, the secret keys of each teacher and each student are associated with key attributes “teacher” and “student,” respectively. If the principal wants to encrypt a file that can only be decrypted by each student and teacher, he/she can use a PE supporting “belong to” functionality and encrypt this file with a ciphertext attribute “student or teacher.” Because the key attributes “teacher” and “student” belong to ciphertext attribute “student or teacher,” the secret keys associated with these key attributes can decrypt the ciphertext.

Additionally, Katz et al. proposed the first PE supporting inner product predicate, called PE for inner product (IPE), whereas ciphertext can be decrypted if and only if the inner product of and is equal to 0. They further suggested that IPE can be used to build other more flexible schemes, such as (anonymous) identity-based encryption [8], hidden vector encryption [9, 10], CNF/DNF formulas [7], PE schemes supporting polynomial evaluation [11], and exact thresholds [12]. The most basic security requirement of IPE, called payload-hiding, stipulates that a ciphertext does not reveal any information of the plaintext if . A stronger security requirement of PE is attribute-hiding, which stipulates that a ciphertext reveals nothing about the ciphertext attribute. Although a lot of attribute-hiding IPE schemes [13–16] have been studied, seldom schemes [17–19] focus on the predicate-hiding security. In more detail, a secret key may reveal some sensitive information of the predicate that belongs to the key holder. Actually, in public-key cryptosystem, since the encryption algorithm is publicly accessible, any user can adaptively generate a ciphertext. The user who has obtained a secret key can evaluate its predicate with possible ciphertexts; thus it is hard to achieve predicate-hiding in the public-key setting.

Shen et al. [18] first considered constructing the IPE under symmetric-key setting, a.k.a. private IPE, to achieve predicate-hiding security requirement. More precisely, in the work, when generating a secret key, generating a ciphertext requires a master secret key, so that not every user can adaptively generate a ciphertext to test which predicate is embedded in the secret key. Compared with IPE under public-key setting, private IPE is more suitable for cloud storage under self-use scenario. For example, as shown in Figure 1, Alice uses the cloud storage service to store her files. For privacy concern, she uses private IPE as an access control mechanism. Alice not only uploads an encrypted file but also uploads another ciphertext for a specific ciphertext attribute by using private IPE. When Alice wants to retrieve encrypted files, she can send the secret key for some key attribute, that is, , to the cloud. The cloud can then evaluate the predicate on each ciphertext by performing decryption. If the predicate is satisfied, that is, , the cloud returns the corresponding encrypted files of those ciphertexts.

After Shen et al.’s pioneering work [18], Yoshino et al. [19] provided a more practical IPE scheme that uses only three groups, whereas [18] required four groups. In addition, Kawai and Takashima [17] then introduced a predicate-hiding IPE, where the security is proven under the decision linear assumption without random oracles. However, the sizes of the secret keys of the above schemes [17–19] are linearly related to the lengths of the key attributes. Due to the fact that users may obtain many secret keys for decrypting different ciphertext, it is important to reduce the key size of secret key. In addition, Shor [20, 21] has shown that existing quantum algorithms can break the discrete logarithm and factoring assumptions. Therefore, the current private IPE schemes [17–19] are susceptible to quantum attack. Hence, how to construct a quantum-resistant private IPE scheme where the secret key is of constant size remains an open issue.

1.1. Our Contributions

In this paper, inspired by Alamati et al.’s work [22], we propose a generic private IPE construction by utilizing specific key-homomorphic pseudorandom functions (PRF). By the advantage of the generic construction, the construction enjoys the security properties of the underlying primitives. Therefore, if the underlying key-homomorphic PRF is quantum-resistant, we further obtain a quantum-resistant private IPE scheme. In particular, in our construction, we require the underlying key-homomorphic PRF to have the following property for decryption correctness: the key space and the output space are equal to , for some prime .

To obtain a private IPE scheme with constant-size secret key, we carefully use the key-homomorphic property of the key-homomorphic PRF to map each predicate attribute to the inner product of master secret key and secret key. That is, , where is a predicate vector and is the master secret key. Hence, the size of secret key is only , where is the underlying modulo.

In addition, the rigorous security proofs are provided to demonstrate that if the underlying key-homomorphic PRF satisfies pseudorandomness (i.e., the output value of key-homomorphic PRF is indistinguishable from the value randomly chosen from ), the proposed construction satisfies the criteria of payload-hiding, attribute-hiding, and predicate-hiding privacy. The comparison of our construction with other state-of-the-art private IPE schemes is presented to show that our result is not only more secure but also more efficient with respect to the size of secret key.

In summary, this work introduces a generic construction to show how to obtain the first quantum-resistant private IPE scheme with a constant-size secret key.

1.2. Paper Organization

The rest of the paper is organized as follows. Section 2 recalls the definition of the PRF used in our generic construction. Moreover, Section 3 provides the definition and security requirement of the private PE. Next, Sections 4 and Section 5 introduce and provide the security proofs of our generic constriction, respectively. Section 6 compares our proposed construction with the related private IPE schemes. Finally, Section 7 concludes this study.

2. Pseudorandom Function (PRF)

In this section, we recall the definition of pseudorandom function from [23].

Definition 1. (pseudorandom functions [23]). A PRF is a keyed function defined over a key space , a domain , and a range (these sets may be parameterized by the security parameter ), whose output is indistinguishable from a truly random value. The security of a PRF can be defined by the two experiments and with an adversary . At first, a key is uniformly randomly chosen from the key space . Given the description of the PRF, the adversary is then allowed to make queries to the following oracles:(i)Evaluate. Given from , the oracle returns to .(ii)Challenge. Given from , where has not been queried to evaluate Oracle, if , then the oracle returns , and if , then the oracle returns a random .Once the adversary is done querying the oracles, it outputs a bit . For , we define as the event where the adversary outputs in the experiment . The advantage of an adversary is defined asWe say that a PRF is secure if, for all PPT adversary , is negligible.

Definition 2. (key-homomorphic PRF [24]). Let and be groups. Then, a keyed function is a key-homomorphic PRF:(i) is a secure PRF.(ii)For every and every input , we have

Definition 3. (pseudorandom generators [24]). A pseudorandom generator (PRG) is an efficiently computable function with the following security, where and are groups. The security of a PRG is secure if, for any PPT algorithm , is negligible.

3. Private Predicate Encryption

Let for some constant be a predicate family, where is a predicate function defined over a ciphertext attribute space and a key attribute space . The family index specifies the description of a predicate from the family. We would occasionally omit the index when the context is clear.

3.1. System Model

A private PE for predicate function consists of four algorithms: , , and . The details of the algorithms are shown as follows:(i). Given the security parameters and the family index , the algorithm outputs the system parameter and the secret key . Note that the description of and will be implicitly included in .(ii). Given the system parameter , a secret key , a ciphertext attribute , and a message , the algorithm outputs a ciphertext for .(iii). Given the system parameter , a secret key , and a key attribute , the algorithm outputs the secret key for .(iv). Given the system parameter , a ciphertext , and a secret key , the algorithm outputs a message or an error symbol .

Definition 4. (correctness). For all , , and , letting and , we havewhere .
In this paper, we construct a private PE scheme supporting inner product predicate function defined over , where is a large prime. That is,(i) denotes the dimension of the vector space.(ii).(iii)For all , if .Such encryption schemes are called “private PE for inner product” (private IPE), and and are called attribute vector space and predicate vector space, respectively.

3.2. Security Definitions

In private PE, there exist three types of adversary that want to retrieve the information of message, ciphertext attribute, and key attribute from ciphertext and secret key. Therefore, we model three security requirements of private PE, payload-hiding, attribute-hiding, and predicate-hiding securities, to model the attacks from these adversaries.

The payload-hiding security [7] for predicate function is defined as an interactive game between a challenger and an adversary . In payload-hiding models, a ciphertext reveals nothing about the encrypted message, and thus in some literature it is defined as IND-CPA security.

3.2.1. Payload-Hiding Game

(i)Setup. The challenger runs to generate a secret key and the system parameter . Then, it sends the system parameter to the adversary and keeps the secret key secretly.(ii)Query Phase 1. can query polynomially many times of the oracles described as follows:(i)KeyGen Oracle: when issues a query with , returns a secret key .(ii)Encrypt Oracle: when issues a query with and a message , returns a ciphertext .(iii)Challenge. The adversary submits such that for all , which has been queried to KeyGen Oracle in Query Phase 1, and two massages with the same length to the challenger . Then randomly chooses and returns a challenge ciphertext .(iv)Query Phase 2. This phase is the same as Query Phase 1, except that is only allowed to make a query to KeyGen Oracle with such that .(v)Guess. The adversary outputs a bit and wins the game if .

The advantage of an adversary for winning the payload-hiding game is defined as

Definition 5. (payload-hiding for private predicate encryption). We say that private PE is payload-hiding if there is no probabilistic polynomial-time adversary winning the above payload-hiding game with a nonnegligible advantage.
Next, we define the “attribute-hiding” security for private PE, which can be also extended from the attribute-hiding definition for conventional PE [7]. Attribute-hiding security models that there is no adversary can obtain any information of the ciphertext attribute from the ciphertext. We then define attribute-hiding via a security game between a challenger and an adversary .

3.2.2. Attribute-Hiding Game

(i)Setup, Query Phase 1, Query Phase 2, and Guess are the same as those in the payload-hiding game.(ii)Challenge. The adversary submits two ciphertext attributes such that for all , which has been queried to KeyGen Oracle in Query Phase 1, and a massage with the same length to the challenger . Then, randomly chooses and returns a challenge ciphertext .

The advantage of an adversary for winning the attribute-hiding game is defined as

Definition 6. (attribute-hiding for private predicate encryption). We say that private PE is attribute-hiding, if there is no probabilistic polynomial-time adversary winning the above attribute-hiding game with a nonnegligible advantage.
There is another weaker notion, called “weak attribute-hiding” [25]. The weak attribute-hiding game is the same as the above attribute-hiding game, except the following:(i)The adversary sends to invoke the Challenge phase.(ii)The restriction on is modified to “ for all which has been queried to KeyGen Oracle in Query Phase 1.”Furthermore, we define the “predicate-hiding” for private PE scheme via the following game, which models the notion that a secret key reveals nothing about the key attribute .

3.2.3. Predicate-Hiding Game

(i)Setup, Query Phase 1, Query Phase 2, and Guess are the same as those in the payload-hiding game.(ii)Challenge. The adversary submits two key attributes to the challenger , such that for all which has been queried to Encrypt Oracle in Query Phase 1. Then, randomly chooses and returns a challenge secret key .

The advantage of an adversary for winning the predicate-hiding game is defined as

Definition 7. (predicate-hiding for private predicate encryption). We say that private PE achieves predicate-hiding if there is no probabilistic polynomial-time adversary winning the above predicate-hiding game with nonnegligible advantage.

4. A Private IPE from Key-Homomorphic PRF

In the following, we describe how to obtain a private IPE from a key-homomorphic PRF. In our construction, we require that , for some prime . Additionally, we assume that the decryptor knows the value of predicate vector of his/her secret key .(i). Suppose that the message space is for some positive integer . Given the security parameters , where , the algorithm outputs the system parameter and the secret key as follows:(i)Choose a prime .(ii)Choose a key-homomorphic PRF , where is the domain and is a ring.(iii)Choose .(iv)Choose a pseudorandom generator .(v)Choose .(vi)Output and the secret key . Note that the descriptions of and are implicitly included in the system parameter .(ii). Given the system parameter , a secret key , an attribute vector , and a message , the algorithm runs the following steps:(i)Choose random .(ii) for .(iii).(iv)Output ciphertext .(iii). Given the system parameter , a secret key , and a predicate vector , the algorithm computes the following steps:(i).(ii)Output .(iv). Given the system parameter , a ciphertext , and a secret key , the algorithm computes the following steps:(i).(ii)Compute .(iii)Compute .

Correctness. Let and be as above. Then,

If , we have

Then, we can compute , and the plaintext can be decrypted by

Our scheme accommodates approximate homomorphism [26], as long as the error term is bounded.

5. Security Proofs

5.1. Payload-Hiding Security

We prove the payload-hiding security of our scheme using the sequence-of-game approach [27]. Let be the challenge ciphertext given to the adversary in the payload-hiding game. Besides, let be a random element in and let be random elements in . We define the following hybrid games differing in what challenge ciphertext is sent to the adversary:(i). The challenge ciphertext is . It is identical to the original payload-hiding game defined in Section 3.2.(ii). The challenge ciphertext is .(iii). The challenge ciphertext is .

We remark that the challenge ciphertext in leaks no information about the encrypted message, since it is composed of random elements, whereas the challenge ciphertext in is well formed. Therefore, the advantage of the adversary in the last game is 0. We then prove the indistinguishability between the adjacent games in the following lemmas.

Lemma 1. If the underlying PRF is secure, then is indistinguishable from , for .

Proof. Suppose that there is an adversary that is able to distinguish from with a nonnegligible advantage. Then we can build a challenger to distinguish the experiment from the experiment shown in Section 2. After invoking the experiment and receiving the description of the PRF , the challenger simulates a hybrid game for an adversary as follows:
Setup. The challenger first randomly chooses from and from and a pseudorandom generator and then sends to the adversary. Next, the challenger makes a Challenge query with to the underlying experiment and obtains as the response. The value of will be used in the later simulation for KeyGen and Encryption Oracle.
Query Phase 1. In this phase, the adversary is allowed to make polynomially many queries to the following oracles.(i)KeyGen Oracle: taking as inputs a vector , the challenger computes and returns to the adversary. By implicitly setting to the chosen key of the underlying experiment, it is easy to verify that is a valid secret key for .(ii)Encryption Oracle: taking as inputs a vector and a message , the challenger performs as follows:(1)Randomly choose from .(2)Compute .(3)For , compute the same as in the algorithm since the challenger knows .(4)Compute .(5)Return .Challenge. The adversary submits two messages with the same length and a vector , such that for all queried to KeyGen Oracle. After receiving , the challenger randomly chooses and then can compute the challenge ciphertext as follows:(1)Randomly choose from .(2)For ,(i)if , choose a random element and set .(ii)if , compute(iii)if , compute the same way as that in the scheme since the challenger knows and .(3)Compute .(4)Return .Query Phase 2. It is the same as Query Phase 1 except that the adversary is not allowed to make a query to KeyGen Oracle with such that .
Guess. The adversary outputs a bit . Then the challenger outputs 1 if and 0 otherwise. Before analyzing the advantages of the challenger in breaking the underlying PRF, we first discuss that the outputs of the oracles are well formed, no matter which experiment the challenger interacts with. Let be the event where the adversary makes a right guess in . First, if the challenger is actually interacting with the experiment , then is a random element in . In this case, the answer to a KeyGen Oracle,is an element of and the answer to an Encryption query is a vector in , andTherefore, the answers to KeyGen and Encryption queries are well formed.
Next, we analyze the advantage of in breaking the underlying PRF. First, if the challenger is interacting with the experiment , then is a random element in . Thus, in the challenge ciphertext are random elements, and thus we are in . Thus, the probability that the challenger outputs 1 isSecond, if the challenger is interacting with the experiment , then is the output of the PRF with input . By implicitly setting the encryption key component as the chosen key of the underlying experiment, we have , and thus the challenger answers the KeyGen and Encryption queries correctly. As for the challenge ciphertext, we have thatis a valid ciphertext component. Since are random elements from , we are in . In this case, the probability that the challenger outputs 1 isFinally, combining the above two cases, we have thatand hence, is indistinguishable from , if the underlying pseudorandom function is secure, for .

Lemma 2. If the underlying PRG is secure, then is indistinguishable from .

Proof. Given the description of the PRG and a challenge , the challenger simulates the following hybrid game for an adversary : Setup. The challenger first chooses a key-homomorphic pseudorandom function , from and from and then sends to the adversary. Query Phase 1. The challenger is able to answer the KeyGen (Encryption, resp.) queries by following the (, resp.) algorithms to generate the secret keys (ciphertexts , resp.), since the challenger knows the secret key . Challenge. The adversary submits two messages with the same length and a vector , such that for all queried to KeyGen Oracle. After receiving , the challenger randomly chooses and then can compute the challenge ciphertext as follows:(1)Randomly choose .(2)For , set .(3)Compute .(4)Return the challenge ciphertext . Query Phase 2. It is the same as Query Phase 1 except that the adversary is not allowed to make a query to KeyGen Oracle with such that . Guess. The adversary outputs a bit . Then, the challenger outputs 1 if . Let be the event where the adversary makes a right guess in . If the term is generated from the PRG for some , then we are in , and we haveIf is randomly chosen from , then we are in , and we haveFinally, we have thatis negligible.

Theorem 1. The proposed private IPE scheme achieves payload-hiding, if the underlying pseudorandom function is key-homomorphic and secure and the pseudorandom generator is secure.

Proof. By combining Lemmas 1 and 2, we haveNote that since is the payload-hiding game, and since leaks no information about the encrypted message in . Therefore, for any PPT adversary , there exist algorithms such thatis negligible.

5.2. Attribute-Hiding Security

We then prove that our scheme achieves attribute-hiding. The proof is similar to the proof for payload-hiding security, and hence we will omit some content to avoid the unnecessary redundancy. Let be the challenge ciphertext given to the adversary in the attribute-hiding game. Besides, let be random elements in and let be a random element in . We define the following hybrid games differing in what challenge ciphertext is sent to the adversary:(i). The challenge ciphertext is . It is identical to the original attribute-hiding game defined in Section 3.2.(ii). The challenge ciphertext is .(iii). The challenge ciphertext is .

In the last game, the challenge ciphertext is composed of random elements, and hence the adversary obtains no information about the attribute vector from the challenge ciphertext. We then prove that the adjacent games are indistinguishable in the following lemmas.

Lemma 3. If the underlying PRF is secure, then is indistinguishable from , for .

Proof. Suppose that there is an adversary that is able to distinguish from with a nonnegligible advantage. Then we can build a challenger to distinguish the experiment from the experiment shown in Section 2. After invoking the experiment and receiving the description of the PRF , the challenger simulates a hybrid game for an adversary as follows.
For Setup, Query Phase 1, Query Phase 2, and Guess, the challenger performs the same as in the proof of Lemma 1.
For Challenge phase, after receiving , and from the adversary, wherefor all queried to KeyGen Oracle in Query Phase 1, the challenger performs as follows:(1)Randomly choose .(2)Randomly choose from .(3)For ,(i)if , choose a random element and set .(ii)if , compute the following.(iii)if , compute the same way as that in the scheme since the challenger knows and .(4)Compute .(5)Return .The analysis of the correctness of the simulation is similar to that in the proof of Lemma 1. Let be the event where the adversary makes a right guess in . If from the PRF game is a random element in , then we are in ; otherwise, we are in . Therefore, we haveThat is, is indistinguishable from , if the underlying pseudorandom function is secure, for .

Lemma 4. If the underlying PRG is secure, then is indistinguishable from .

Proof. The proof of this lemma is similar to the proof of Lemma 2, with the only difference being that the challenger received two vectors with a message ; in Lemma 2, the challenger received two messages with a vector from the adversary.
Given the description of the PRG and a challenge , the challenger simulates the following hybrid game for an adversary .
For Setup, Query Phase 1, Query Phase 2, and Guess, the challenger performs the same as in the proof of Lemma 1.
For Challenge phase, after receiving , and from the adversary, wherefor all queried to KeyGen Oracle in Query Phase 1, the challenger performs as follows:(1)Randomly choose .(2)For , set .(3)Compute .(4)Return the challenge ciphertext .The analysis of the correctness of the simulation is similar to that in the proof of Lemma 3. Let be the event where the adversary makes a right guess in . If from the PRG game is a random element in , then we are in ; otherwise, we are in . Therefore, we have thatis negligible. That is, is indistinguishable from , if the underlying pseudorandom generator is secure.

Theorem 2. The proposed private IPE scheme achieves attribute-hiding, if the underlying pseudorandom function is key-homomorphic and secure and the pseudorandom generator is secure.

Proof. By combining Lemma 3 and Lemma 4, we haveNote that since is the attribute-hiding game, and since leaks no information about the encrypted message in . Therefore, for any PPT adversary , there exist algorithms such thatis negligible.

5.3. Predicate-Hiding Security

We first give the intuition for the proof. Let denote the challenge secret key generated using the vector . Besides, let be the two vectors sent from the adversary in the Challenge phase. To prove the indistinguishability between the cases and given to the adversary, we define a sequence of games below and show the indistinguishability of any two adjacent games. Each game differs in the challenge secret key given to the adversary. Let be random elements from . : is given () : is given ()

Note that and are identical, and and are the games where and are given to the adversary, respectively. We then give the following lemma to prove that

Lemma 5. If the underlying PRF is secure, then and are indistinguishable, for .

Proof. Suppose that there is an adversary which is able to distinguish from with a nonnegligible advantage. Then we can build a challenger to distinguish the experiment from shown in Section 2. After invoking the experiment and receiving the description of the PRF , the challenger simulates a hybrid game for an adversary as follows.
For Setup, Query Phase 1, Query Phase 2, and Guess, the challenger performs the same as in the proof of Lemma 1.
For Challenge phase, after receiving from the adversary, wherefor all queried to Encrypt Oracle in Query Phase 1, the challenger performs as follows.(1)Randomly choose from .(2)Compute(3)Return .If the challenger is interacting with the experiment , then is the output of the PRF with input . By implicitly setting the encryption key component as the chosen key of the underlying experiment, we have , and thus we haveand thus we are in . Otherwise, is a random element in ; then we can rewrite for some random element . Besides, there must exist an element such that . By implicitly setting , we haveSince is a random element in , is also a random element in . That means , and thus we are in . Let be the event where the adversary makes a right guess in . Therefore, we haveThat is, is indistinguishable from , if the underlying PRF is secure, for .

Theorem 3. The proposed private IPE scheme achieves predicate-hiding, if the underlying pseudorandom function is key-homomorphic and secure and the pseudorandom generator is secure.

Proof. The proof for the indistinguishability between and is the same as that for the indistinguishability between and , due to the symmetry of the game sequence. This completes the proof of the predicate-hiding.

6. Comparison and Analysis

To the best of our knowledge, although existing private IPE schemes [17–19] can resist payload-hiding, attribute-hiding, and predicate-hiding security, these schemes cannot resist quantum attacks because their security is based on discrete logarithm assumption. In this section, we compare our scheme with the existing private IPE schemes in terms of security properties and the size of master secret key, secret key, and ciphertext, as shown in Table 1.

Table 1

Comparison with other related private IPE schemes [17–19]. Here, the length of ciphertext attribute and key attribute is . and represent size of an element of and message, respectively. MSK, SK, CT, Qun. Res., GSD, C3DH, and 3FCOBGA stand for master secret key, secret key for some key attribute, ciphertext for some ciphertext attribute, quantum-resistant, general subgroup decision, composite 3-party (decisional) Diffie-Hellman, and 3-factor-based composite-order bilinear groups assumption, respectively.

The results show that our construction has higher security and efficiency in terms of secret key size because the size is not related to attribute length. In particular, the security of [18, 19] is only selective security; meanwhile that in [17] and our construction is adaptive security, making it more resistant to real attacks. In secret key size, our construction is of constant size, while the secret key sizes of [17–19] are linearly related to the key attribute length. In terms of ciphertext size, the encryption algorithm in schemes [17–19] only encrypts ciphertext predicate, while our proposed construction further encrypts message; therefore, the ciphertext size of our scheme is , where is the length of message. Finally, [17–19] are not resistant to quantum attacks, while our construction is resistant to quantum attacks if the underlying PRF is resistant to quantum attacks.

7. Conclusions and Future Works

With the development of cloud computing, the privacy of uploaded data needs to be concerned and protected. Private IPE is well suited to cloud computing scenario because it provides encryption for access control. In this paper, we propose a generic private IPE construction that achieves payload-hiding, attribute-hiding, and predicate-hiding security by utilizing specific key-homomorphic PRF. For future works, because the current construction requires that the key space and output space of the underlying key-homomorphic PRF be , how to provide construction with less restriction is an open problem that remains to be solved.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research was supported by the Ministry of Science and Technology, Taiwan (ROC), under Project nos. MOST 108-2218-E-004-001-, MOST 108-2218-E-004-002-MY2, MOST 109-2218-E-011-007-, and by Taiwan Information Security Center at National Sun Yat-sen University (TWISC@NSYSU).

References

L. Zhou, X. Li, K.-H. Yeh, C. Su, and W. Chiu, “Lightweight IoT-based authentication scheme in cloud computing circumstance,” Future Generation Computer, vol. 91, pp. 244–251, 2019.
View at: Publisher Site | Google Scholar
S. Kumari, P. Chaudhary, C.-M. Chen, and M. K. Khan, “Questioning key compromise attack on Ostad-Sharif et al.‘s authentication and session key generation scheme for healthcare applications,” IEEE Access, vol. 7, pp. 39717–39720, 2019.
View at: Publisher Site | Google Scholar
P. Wang, C.-M. Chen, S. Kumari, M. Shojafar, R. Tafazolli, and Y. N. Liu, “HDMA: hybrid D2D message authentication scheme for 5G-enabled VANETs,” IEEE Access, vol. 2020, 2020.
View at: Google Scholar
C.-M. Chen, B. Xiang, K.-H. Wang, K.-H. Yeh, and T.-Y. Wu, “A robust mutual authentication with a key agreement scheme for session initiation protocol,” Applied Sciences, vol. 8, no. 10, p. 1789, 2018.
View at: Publisher Site | Google Scholar
J. Li, S. Wang, Y. Li et al., “An efficient attribute-based encryption scheme with policy update and file update in cloud computing,” IEEE Transactions on Industrial Informatics, vol. 15, no. 12, pp. 6500–6509, 2019.
View at: Publisher Site | Google Scholar
M. Zhang, Yu Chen, and S. E. P. P. F. M. Jiajun Huang., “A searchable encryption scheme supporting privacy-preserving fuzzy multikeyword in cloud systems,” 2020.
View at: Google Scholar
J. Katz, S. Amit, and B. Waters, “Predicate encryption supporting disjunctions, polynomial equations, and inner products,” in EUROCRYPT 2008. LNCS, N. Smart, Ed., vol. 4965, pp. 146–162, Springer, Berlin, Heidelberg, 2008.
View at: Google Scholar
A. Boldyreva, V. Goyal, and V. Kumar, “Identity-based encryption with efficient revocation,” CCS, vol. 417–426, 2008.
View at: Google Scholar
D. Boneh and B. Waters, “Conjunctive, subset, and range queries on encrypted data,” in TCC 2007. LNCS, S. P. Vadhan, Ed., vol. 4932, pp. 535–554, Springer, Berlin, Heidelberg, 2007.
View at: Google Scholar
V. Iovino and G. Persiano, “Hidden-vector encryption with groups of prime order,” in Pairing 2008. LNCS, S. D Galbraith and K. G. Paterson, Eds., vol. 5209, pp. 75–88, Springer, Berlin, Heidelberg, 2008.
View at: Google Scholar
M. Naor and B. Pinkas, “Oblivious transfer and polynomial evaluation,” STOC, vol. 1999, pp. 245–254, 1999.
View at: Google Scholar
A. Ge, R. Zhang, C. Chen, C. Ma, and Z. Zhang, “Threshold ciphertext policy attribute-based encryption with constant size ciphertexts,” in ACISP 2012. LNCS, W. Susilo, Y. Mu, and J. Seberry, Eds., vol. 7372, pp. 336–349, pringer, Berlin, Heidelberg, 2012.
View at: Google Scholar
S. Agrawal, D. M. Freeman, and V. Vaikuntanathan, “Functional encryption for inner product predicates from learning with errors,” in ASIACRYPT 2011. LNCS, D. H. Lee and X. Wang, Eds., vol. 7073, pp. 21–40, Springer, Berlin, Heidelberg, 2011.
View at: Google Scholar
T. Okamoto and K. Takashima, “Hierarchical predicate encryption for inner-products,” in ASIACRYPT 2009. LNCS, M. Matsui, Ed., vol. 5912, pp. 214–231, Springer, Berlin, Heidelberg, 2009.
View at: Google Scholar
T. Okamoto and K. Takashima, “Adaptively attribute-hiding (hierarchical) inner product encryption,” in EUROCRYPT 2012. LNCS, D. Pointcheval and T. Johansson, Eds., vol. 7237, pp. 591–608, Springer, Berlin, Heidelberg, 2012.
View at: Google Scholar
K. Xagawa, “Improved (hierarchical) inner-product encryption from lattices,” in PKC 2013. LNCS, K. Kurosawa and G. Hanaoka, Eds., vol. 7778, pp. 235–252, Springer, Berlin, Heidelberg, 2013.
View at: Google Scholar
Y. Kawai and K. Takashima, “Predicate- and attribute-hiding inner product encryption in a public key setting,” in Pairing 2013. LNCS, Z. Cao and F. Zhang, Eds., vol. 8365, pp. 113–130, Springer, Berlin, Heidelberg, 2013.
View at: Google Scholar
E. Shen, E. Shi, and B. Waters, “Predicate privacy in encryption systems,” in TCC 2009. LNCS, O. Reingold, Ed., vol. 5444, pp. 457–473, Springer, Berlin, Heidelberg, 2009.
View at: Google Scholar
M. Yoshino, N. Kunihiro, K. Naganuma, and H. Sato, “Symmetric inner-product predicate encryption based on three groups,” in ProvSec 2012. LNCS, T. Takagi, G. Wang, Z. Qin, S. Jiang, and Y. Yu, Eds., vol. 7496, pp. 215–234, Springer, Berlin, Heidelberg, 2012.
View at: Google Scholar
P. W. Shor, “Algorithms for quantum computation: discrete logarithms and factoring,” FOCS, vol. 1994, pp. 124–134, 1994.
View at: Google Scholar
P. W. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM Review, vol. 41, no. 2, pp. 303–332, 1999.
View at: Publisher Site | Google Scholar
N. Alamati, H. Montgomery, and S. Patranabis, “Ring key-homomorphic weak PRFs and applications,” 2020.
View at: Google Scholar
O. Goldreich, S. Goldwasser, and S. Micali, “How to construct random functions,” Journal of the ACM, vol. 33, no. 4, pp. 792–807, 1986.
View at: Publisher Site | Google Scholar
D. Boneh, K. Lewi, H. Montgomery, and A. Raghunathan, “Key homomorphic PRFs and their applications,” in CRYPTO 2013. LNCS, R. Canetti and J. A. Garay, Eds., vol. 8042, pp. 410–428, Springer, Berlin, Heidelberg, 2013.
View at: Google Scholar
J. Chen and J. Gong, “ABE with tag made easy,” in ASIACRYPT 2017. LNCS, T. Takagi and T. Peyrin, Eds., vol. 10625, pp. 35–65, Springer, Berlin, Heidelberg, 2017.
View at: Google Scholar
D. Boneh, S. Eskandarian, S. Kim, and M. Shih, “Improving speed and security in updatable encryption schemes,” 2020.
View at: Google Scholar
V. Shoup, “Sequences of games: a tool for taming complexity in security proofs,” 2004.
View at: Google Scholar

Copyright

Copyright © 2021 Yi-Fan Tseng et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies