Decentralized Inner-Product Encryption with Constant-Size Ciphertext

Abstract

With the rise of technology in recent years, more people are studying distributed system architecture, such as the e-government system. The advantage of this architecture is that when a single point of failure occurs, it does not cause the system to be invaded by other attackers, making the entire system more secure. On the other hand, inner product encryption (IPE) provides fine-grained access control, and can be used as a fundamental tool to construct other cryptographic primitives. Lots of studies for IPE have been proposed recently. The first and only existing decentralized IPE was proposed by Michalevsky and Joye in 2018. However, some restrictions in their scheme may make it impractical. First, the ciphertext size is linear to the length of the corresponding attribute vector; second, the number of authorities should be the same as the length of predicate vector. To cope with the aforementioned issues, we design the first decentralized IPE with constant-size ciphertext. The security of our scheme is proven under the ℓ-DBDHE assumption in the random oracle model. Compared with Michalevsky and Joye’s work, ours achieves better efficiency in ciphertext length and encryption/decryption cost.

1. Introduction

Identity-based encryption (IBE) was first introduced by Shamir [1] in 1985, which allows a sender to use the recipient’s identity to encrypt a message. An identity is a unique string directly linking to a user, e.g., an email address, a student ID number, an employee ID, etc. The first IBE scheme was proposed by Boneh and Franklin [2] in 2001. Though IBE reduces the management cost for traditional public key infrastructures, a drawback of IBE is that an encrypted datum can be only shared at a coarse-grained control level. This may not be suitable in the real world because the sender should know the particular recipient in advance. In a system, there may be a lot of users, and the identities of recipients may be uncertain when a message is encrypted. To solve the issue, Katz, Sahai and Waters [3] conceptualized inner product encryption (IPE) in 2008. In an IPE scheme, each ciphertext is associated with an attribute vector $\overrightarrow{Y}$ that can be decrypted by a private key associated with a predicate vector $\overrightarrow{X}$ if and only if the inner product of $\overrightarrow{X}$ and $\overrightarrow{Y}$ is zero, denoted by $<\overrightarrow{X},\overrightarrow{Y}>=0$. IPE can be viewed as the generalization for several cryptographic primitives. For example, given two identities, $ID,I{D}^{\prime }$, we can encode it into two vectors, $\overrightarrow{X}=(ID,1),\overrightarrow{Y}=(-1,I{D}^{\prime })$, and we have

$$ID=I{D}^{\prime }\iff <\overrightarrow{X},\overrightarrow{Y}>=0.$$

Thus, we are able to represent the functionality of IBE using IPE. Since then, lots of IPE scheme have been proposed [4,5,6,7,8,9,10,11]. In additional to its theoretical value, IPE provides lots applications in fine-grained access control as well. Using the encoding technique, IPE can be converted into many types of one-to-many encryption, such as broadcast encryption [12,13,14], attribute-based encryption [15,16,17] and subset predicate encryption [18,19,20]. Therefore, by adopting IPE, one can realize multiple kinds of flexible access control using only a single cryptographic primitive. Recently, more applications for IPE have been developed, e.g., privacy-preserving video streaming [21], access control for WBAN [22], secure keyword searching [23] and outsourced data integration [24]. It shows the possibility for the application of IPE in various environments.

Traditionally, IPE is a centralized architecture, which needs a trusted server to issue private keys for all users. However, a centralized paradigm may not be practical in a real-world environment. In practice, the privileges of a user are usually given by different authorities. In addition, a centralized architecture would suffer from the problem of a single point of failure. To cope with these problems, Michalevsky and Joye gave the first Decentralized IPE (DIPE) scheme [25] in 2018. In a DIPE scheme, there are multiple authorities. For a user, each authority will output a partial private key for this user, without interaction with each other.

After studying the DIPE scheme of Michalevsky and Joye, we found two problems. One problem is the large ciphertext size. In their scheme, the ciphertext size is $\mathcal{O}(nk)$ group elements, where n is the length of attribute/predicate vector and k is the parameter of k-linear assumption. Since k can be viewed as a part of the security parameter, which is a constant, the ciphertext size is linear to the length of attribute/predicate vector. Another problem is that, in their scheme, each authority is responsible for issuing a private key for only an element in the user’s predicate vector. This setting brings two disadvantages. First, unlike to decentralized attribute-based encryption [26,27,28], where the attributes of a user is independent to each other, the elements in a predicate vector for a user are usually closely bonded. Second, since each authority issues a partial private key for one element in a predicate vector, the number of authorities must equal to the length of predicate vector, which may not be practical, i.e., in the scheme of [25], an authority cannot responsible for multiple attributes, which is common in practice.

1.1. Contribution

In this manuscript, we propose a novel DIPE scheme with constant-size ciphertexts, and we give a formal security proof for the selective IND-CPA security under q-DBDHE assumption. We also modify the way an authority produces private keys from predicate vectors due to the aforementioned issue. In addition, we implement our construction in Python with Charm-Crypto library and C with PBC library to evaluate the performance.

1.2. Organization

In Section 2, we introduce the notations and complexity assumption used in our manuscript, and the definition of decentralized inner product encryption. The security of DIPE is defined in Section 2, as well. In Section 3, we describe our proposed scheme in detail and show the correctness. In Section 4, we give the formal security proof for our scheme. In Section 5, we show the comparison results between our scheme and the DIPE scheme in [25]. Finally, we conclude our work in Section 6.

2. Preliminaries

In this section, we introduce the definition and security requirements of decentralized inner product encryption. In addition, we demonstrate the notation and complexity assumption used in our work.

2.1. Notation

Given a set S, “randomly choose an element x from the set S” is denoted as $x\stackrel{\$}{\leftarrow }S$. For algorithm A, we write $x\leftarrow A$ to denote “x is the output by running A”. The symbol “⊥” means a failed decryption that recovers the certain message unsuccessfully. “PPT” algorithm means "probabilistic polynomial time" algorithm that can run in polynomial-bounded time.

2.2. Bilinear Maps and Complexity Assumption

Let $\mathbb{G}$ and ${\mathbb{G}}_T$ be two multiplicative cyclic groups with prime order p. A map e is called a bilinear map if the following properties hold:

• Bilinearity: For $u,v\in \mathbb{G}$, and $a,b\in {\mathbb{Z}}_p$, the equation $e(u^a,v^b)=e{(u,v)}^{ab}$ holds.
• Non-Degeneracy: Assume g is the generator of $\mathbb{G}$, then, $e(g,g)\ne 1$.
• Computability: For $u,v\in \mathbb{G}$, there exists an efficient algorithm to compute $e(u,v)$.

Next, we show the complexity assumption, the ℓ-decisional bilinear Diffie–Hellman exponent (ℓ-DBDHE) assumption [29,30], which the security of our scheme based on.

Definition 1

(The ℓ-Decisional Bilinear Diffie–Hellman Exponent Problem). Let $\mathbb{G}$ be a group. g is a generator of $\mathbb{G}$, and $\gamma ,s\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$ are two integers. Given a tuple:

$$(g,g^{\gamma },g^{{\gamma }^2},\dots ,g^{{\gamma }^{\ell }},g^{{\gamma }^{\ell +2}},\dots ,g^{{\gamma }^{2\ell }},g^s,T),$$

decide if $T=e{(g,g)}^{{\gamma }^{\ell +1}s}$ or $T\stackrel{\$}{\leftarrow }{\mathbb{G}}_T$ is a random element of ${\mathbb{G}}_T$.

Let $T_0=(g,g^{\gamma },g^{{\gamma }^2},\dots ,g^{{\gamma }^{\ell }},g^{{\gamma }^{\ell +2}},\dots ,g^{{\gamma }^{2\ell }},g^s)$. For an algorithm $\mathcal{A}$, the advantage of $\mathcal{A}$ in solving the ℓ-DBDHE problem is defined as:

$${\mathrm{Adv}}_{\mathcal{A}}^{\ell -\mathrm{DBDHE}}=\left|Pr[\mathcal{A}(T_0,T=e{(g,g)}^{{\gamma }^{\ell +1}s})=1]-Pr[\mathcal{A}(T_0,T\stackrel{\$}{\leftarrow }{\mathbb{G}}_T)=1]\right|.$$

Definition 2

(The ℓ-Decisional Bilinear Diffie–Hellman Exponent Assumption). We say that the ℓ-decisional bilinear Diffie–Hellman exponent assumption holds if for all PPT algorithms, ${\mathrm{Adv}}_{\mathcal{A}}^{\ell -\mathrm{DBDHE}}$ is negligible.

2.3. Definition of Decentralized Inner Product Encryption

The difference between DIPE and IPE is that a private key of DIPE is generated by multiple authorities, while a private key of IPE is generated by a centralized authority.

2.3.1. System Model

A DIPE scheme contains three roles, i.e., sender, receiver and authorities. A sender is a participant of the system who transfers the encrypted data to the receiver. The data are encrypted by an attribute vector before delivered to receiver. Authorities are responsible for issuing partial keys for receivers who make a request to obtain partial keys. The authorities will issue partial keys according to the predicate vector of the receiver. A receiver is a participant who wants to receive encrypted data. After a receiver receives all the partial keys from the authorities, the receiver will perform a decryption procedure to recover the data.

2.3.2. Definition of DIPE

A decentralized inner product encryption scheme consists of five PPT algorithms: $\mathrm{Setup}$, $\mathrm{AuthSetup}$, ${\mathrm{KeyGen}}_{A_i}$, $\mathrm{Encrypt}$ and $\mathrm{Decrypt}$. Unlike the single authority construction, in DIPE, the private key of a user is generated by multiple authorities. Each authority $A_i$ computes a “partial key $s{k}_i$” of a user using its master secret key and the user’s predicate vector. The full private key of a user is ${\left\{s{k}_i\right\}}_{i=1,\dots ,n}$, where n is the number of authorities:

• $Setup(1^{\lambda })$. An authority in the system or a third party will run the algorithm. Taking as input a security parameter $1^{\lambda }$, the algorithm outputs a public parameter $pp$.
• $AuthSetup(pp,i)$. All authorities will run the algorithm. Taking as inputs a public parameter $pp$, and a number i, the algorithm outputs a master secret key $MS{K}_i$ and a public key $P{K}_i$ of each authority, where i is the index of authority.
• $KeyGe{n}_{A_i}(pp,MS{K}_i,GID,\overrightarrow{X})$. All authorities will run the algorithm. Taking as inputs a public parameter $pp$, a master secret key $MS{K}_i$, a global identity $GID$ and a predicate vector $\overrightarrow{X}$, the algorithm outputs a partial key of the private key associated with $\overrightarrow{X}$ generated by $i_{th}$ authority. Note that the description of $\overrightarrow{X}$ will be included in the partial keys.
• $Encrypt(pp,{\left\{P{K}_i\right\}}_{i=1,\dots ,n},M,\overrightarrow{Y})$. A sender will run the algorithm. Taking as inputs a public parameter $pp$, all the public keys of each authority ${\left\{P{K}_i\right\}}_{i=1,\dots ,n}$, a message M and an attribute vector $\overrightarrow{Y}$, the algorithm outputs a ciphertext C associated with $\overrightarrow{Y}$. Note that the description of $\overrightarrow{Y}$ will be included in the ciphertext.
• $Decrypt({\left\{s{k}_i\right\}}_{i=1,\dots ,n},C)$. A receiver will run the algorithm. Taking as inputs all the partial key of private keys of each authority ${\left\{s{k}_i\right\}}_{i=1,\dots ,n}$, a ciphertext C and an attribute vector $\overrightarrow{Y}$, the algorithm outputs a message M or ⊥.
• Correctness. For $pp\leftarrow Setup(1^{\lambda })$, $(P{K}_i,MS{K}_i)\leftarrow AuthSetup(pp,i)$,
  $s{k}_i\leftarrow KeyGe{n}_{A_i}(pp,MS{K}_i,GID,\overrightarrow{X})$, $C\leftarrow Encrypt(pp,{\left\{P{K}_i\right\}}_{i=1,\dots ,n},M,\overrightarrow{Y})$, where $i=1,\dots ,n$, we have that:

  -

  If $\langle \overrightarrow{X},\overrightarrow{Y}\rangle =0$, then

  $Decrypt({\left\{s{k}_i\right\}}_{i=1,\dots ,n},C)=M$.

  -

  If $\langle \overrightarrow{X},\overrightarrow{Y}\rangle \ne 0$, then

  $Decrypt({\left\{s{k}_i\right\}}_{i=1,\dots ,n},C)=\perp$.

2.3.3. Security Model

The security definition used in our manuscript is the security against indistinguishability under selective chosen-plaintext attacks (sIND-CPA). “Indistinguishability” means that given a ciphertext, which is the encryption of one of two messages chosen by an adversary, the adversary tries to tell which of the two messages is encrypted. In addition, “chosen-plaintext attacks” means that an adversary is allowed to obtain the ciphertext for the plaintext of its choice. Finally, “selective” means that an adversary chooses a target vector and submits to the challenger before Setup phase.

Definition 3 (The sIND-CPA Security).

Let $\mathcal{A}$ be a probabilistic polynomial-time adversary. We define our security via the following interactive game between $\mathcal{A}$ and a challenger $\mathcal{C}$:

• $\mathit{Initialization}$.
  $\mathcal{A}$ chooses an attribute vector ${\overrightarrow{Y}}^{*}=(y_1^{*},y_2^{*},\dots ,y_{\ell }^{*})$ and sends ${\overrightarrow{Y}}^{*}$ to $\mathcal{C}$.
• $\mathit{Setup}$.
  $\mathcal{C}$ runs the Setup algorithm to generate $P{K}_i$ and $MS{K}_i$, where $1\le i\le n$, is the index of authority. $\mathcal{C}$ sends $P{K}_1,\dots ,P{K}_n$ and $MS{K}_1,\dots ,MS{K}_{n-1}$ to $\mathcal{A}$.
• $\mathit{Phase}\mathit{1}$.
  $\mathcal{A}$ can make polynomially times queries of the following oracle.

  -

  KeyExtract oracle: $\mathcal{A}$ sends a predicate vector $\overrightarrow{X}$ and a global identity $GID$ to $\mathcal{C}$, and $\mathcal{C}$ returns the private key of $\overrightarrow{X}$. There is a restriction, that is, $\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle \ne 0$.

• $\mathit{Challenge}$.
  $\mathcal{A}$ submits two distinct messages $M_0,M_1$ of the same length to $\mathcal{C}$. $\mathcal{C}$ then randomly chooses $\beta \in \{0,1\}$ and generates ciphertexts $C^{*}=Encrypt(pp,{\left\{P{K}_i\right\}}_{i=1,\dots ,n},M_{\beta },{\overrightarrow{Y}}^{*})$. Then, $\mathcal{C}$ sends $C^{*}$ to $\mathcal{A}$.
• $\mathit{Phase}\mathit{2}$.
  Same as Phase1.
• $\mathit{Guess}$.
  $\mathcal{A}$ will output a bit ${\beta }^{\prime }\in \{0,1\}$ and win the game if ${\beta }^{\prime }=\beta$.
  The advantage of $\mathcal{A}$ winning the game is defined as:

  $${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{sIND}-\mathrm{CPA}}=\left|\mathrm{Pr}[{\beta }^{\prime }=\beta ]-\frac{1}{2}\right|.$$

A DIPE scheme is sIND-CPA secure if for all PPT adversaries $\mathcal{A}$, ${\mathrm{Adv}}_A^{\mathrm{sIND}-\mathrm{CPA}}$ is negligible.

3. The Proposed Scheme

In this section, we present our decentralized inner product encryption scheme with constant-size ciphertexts. The notations used in the proposed scheme are defined in

Table 1. Notations.

Notation	Description
$\mathbb{G}$	a bilinear group with prime order p
${\mathbb{G}}_T$	a bilinear group by pairing of the element of $\mathbb{G}$
e	a bilinear mapping; $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$
g	a generator of $\mathbb{G}$
n	total number of authorities
ℓ	the length of predicate/attribute vector
$A_i$	ith authority
$pp$	public parameter
$P{K}_i$	public key of authority i
$MS{K}_i$	master secret key of authority i
$\overrightarrow{X}$	a predicate vector
$\overrightarrow{Y}$	an attribute vector
$GID$	an identity of a receiver
M	a message

.

$\mathrm{Setup}(1^{\lambda })$

The algorithm performs the following steps:

• Randomly choose bilinear groups $\mathbb{G},{\mathbb{G}}_T$ of prime order p with a generator $g\stackrel{\$}{\leftarrow }\mathbb{G}$;
• Choose an one-way hash function, $H:{\{0,1\}}^{*}\times {\mathbb{Z}}_p^{\ell }\to \mathbb{G}$;
• Output the public parameter $pp=\{g,H\}$.

$\mathrm{AuthSetup}(pp,i)$

Each authority $A_i$ in the system performs the following steps to generate its public key and its master secret key:

• Choose ${\overline{\alpha }}_i\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$;
• Choose ${\alpha }_{0,i}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$;
• Choose ${\alpha }_{1,i},{\alpha }_{2,i},\dots ,{\alpha }_{\ell ,i}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$;
• Output a public key of authority i, $P{K}_i=\{g^{{\alpha }_{0,i}},g^{{\alpha }_{1,i}},\dots ,g^{{\alpha }_{\ell ,i}},Z_i=e{(g,g)}^{{\overline{\alpha }}_i}\}$;
• Output a master secret key of authority $A_i$, $MS{K}_i=\{g^{{\overline{\alpha }}_i},{\alpha }_{0,i},{\alpha }_{1,i},\dots ,{\alpha }_{\ell ,i}\}$.

${\mathrm{KeyGen}}_{A_i}(pp,MS{K}_i,GID,\overrightarrow{X}=(x_1,\cdots ,x_{\ell }))$

Each authority $A_i$ in the system performs the following steps to generate a part of private key for receivers in the system"

• Return failure symbol ⊥ if $x_1=0$;
• Output the private key $s{k}_i=\{D_0,D_{1,i},{\left\{K_{j,i}\right\}}_{j=2,\dots ,\ell }\}$, where
  $D_0=H(GID,\overrightarrow{X})$
  $D_{1,i}=g^{{\overline{\alpha }}_i}·H{(GID,\overrightarrow{X})}^{{\alpha }_{0,i}}$
  ${\{K_{j,i}=H{(GID,\overrightarrow{X})}^{-{\alpha }_{1,i}\frac{x_j}{x_1}}·H{(GID,\overrightarrow{X})}^{{\alpha }_{j,i}}\}}_{j=2,\dots ,\ell }$.

Unlike the KeyGen algorithm in [25], we use the entire predicate vector $\overrightarrow{X}$ in ${\mathrm{KeyGen}}_{A_i}$ performed by a single authority $A_i$.

$\mathrm{Encrypt}(pp,{\left\{P{K}_i\right\}}_{i=1,\dots ,n},M,\overrightarrow{Y}=(y_1,\dots ,y_{\ell }))$

A sender computes the ciphertext for a message $M\in {\mathbb{G}}_T$ and an attribute vector $\overrightarrow{Y}=(y_1,\dots ,y_{\ell })$ by the following steps:

• Choose $s\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$;
• Output the ciphertexts as $C=\{E_0,E_1,E_2\}$, where
  $E_0=M·{\left({\prod }_{i=1}^n{Z}_i\right)}^s$
  $E_1={\left(({\prod }_{i=1}^n{g}^{{\alpha }_{0,i}})·{({\prod }_{i=1}^n{g}^{{\alpha }_{1,i}})}^{y_1}·\dots ·{({\prod }_{i=1}^n{g}^{{\alpha }_{\ell ,i}})}^{y_{\ell }}\right)}^s$
  $E_2=g^s$.

$\mathrm{Decrypt}({\left\{s{k}_i\right\}}_{i=1,\dots ,n},C)$

To decrypt, a receiver uses the private key ${\left\{s{k}_i\right\}}_{i=1,\dots ,n}$ to recover the message M from a ciphertext C as follows:

• If $\langle \overrightarrow{X},\overrightarrow{Y}\rangle =0$, perform the following computation; otherwise, return ⊥;
• Compute
  ${\left({\prod }_{i=1}^n{Z}_i\right)}^s={\left({\prod }_{i=1}^{n}e{(g,g)}^{{\overline{\alpha }}_i}\right)}^s={\displaystyle \frac{e(({\prod }_{i=1}^n{D}_{1,i})·{({\prod }_{i=1}^n{K}_{2,i})}^{y_2}\dots {({\prod }_{i=1}^n{K}_{\ell ,i})}^{y_{\ell }},E_2)}{e(E_1,D_0)}}$.
• Compute $M=E_0/{\left({\prod }_{i=1}^n{Z}_i\right)}^s$.

$\mathrm{Correctness}$

The correctness of the decryption algorithm is described as follows. For convenience, let $\overline{\alpha }={\sum }_{i=1}^n\overline{{\alpha }_i},{\alpha }_j={\sum }_{i=1}^n{\alpha }_{j,i}$, for $j=0,\dots ,\ell$. It is enough to show that

$$e{(g,g)}^{{\overline{\alpha }}_{0}s}={\left(\prod _{i=1}^{n}e{(g,g)}^{{\overline{\alpha }}_i}\right)}^s={\displaystyle \frac{e(({\prod }_{i=1}^n{D}_{1,i})·{({\prod }_{i=1}^n{K}_{2,i})}^{y_2}\dots {({\prod }_{i=1}^n{K}_{\ell ,i})}^{y_{\ell }},E_2)}{e(E_1,D_0)}}.$$

We first take a look at the numerator:

$$\begin{array}{cc}{\displaystyle \prod _{i=1}^n{D}_{1,i}}& {\displaystyle =\prod _{i=1}^n{g}^{{\overline{\alpha }}_i}·H{(GID,\overrightarrow{X})}^{{\alpha }_{0,i}}=g^{{\sum }_{i=1}^n{\overline{\alpha }}_i}·H{(GID,\overrightarrow{X})}^{{\sum }_{i=1}^n{\alpha }_{0,i}}=g^{\overline{\alpha }}·H{(GID,\overrightarrow{X})}^{{\alpha }_0}}\hfill \\ {\displaystyle \prod _{i=1}^n{K}_{j,i}}& {\displaystyle =\prod _{i=1}^{n}H{(GID,\overrightarrow{X})}^{-{\alpha }_{1,i}\frac{x_j}{x_1}}·H{(GID,\overrightarrow{X})}^{{\alpha }_{j,i}}=H{(GID,\overrightarrow{X})}^{\frac{-x_j}{x_1}{\sum }_{i=1}^n{\alpha }_{1,i}+{\sum }_{i=1}^n{\alpha }_{j,i}}}\hfill \\ & =H{(GID,\overrightarrow{X})}^{{\alpha }_1(\frac{-x_j}{x_1})+{\alpha }_j},\hfill \end{array}$$

where $j=2,\dots ,\ell$. Using the fact that

$$\langle \overrightarrow{X},\overrightarrow{Y}\rangle =0\iff \sum _{i=1}^{\ell }{x}_i{y}_i=0\iff y_1=\frac{{\sum }_{i=2}^{\ell }(-x_i{y}_i)}{x_1},$$

we have:

$$\begin{array}{cc}& (\prod _{i=1}^n{D}_{1,i})·{(\prod _{i=1}^n{K}_{2,i})}^{y_2}\dots {(\prod _{i=1}^n{K}_{\ell ,i})}^{y_{\ell }}\hfill \\ =& g^{\overline{\alpha }}·H{(GID,\overrightarrow{X})}^{{\alpha }_0}·{(H{(GID,\overrightarrow{X})}^{{\alpha }_1(\frac{-x_2}{x_1})+{\alpha }_2})}^{y_2}·\dots ·{(H{(GID,\overrightarrow{X})}^{{\alpha }_1(\frac{-x_{\ell }}{x_1})+{\alpha }_{\ell }})}^{y_{\ell }}\hfill \\ =& g^{\overline{\alpha }}·H{(GID,\overrightarrow{X})}^{{\alpha }_0}·(H{(GID,\overrightarrow{X})}^{{\alpha }_1\frac{{\sum }_{i=2}^{\ell }(-x_i{y}_i)}{x_1}+{\sum }_{i=2}^{\ell }{\alpha }_i{y}_i}\hfill \\ =& g^{\overline{\alpha }}·H{(GID,\overrightarrow{X})}^{{\alpha }_0}·H{(GID,\overrightarrow{X})}^{{\alpha }_1{y}_1+{\sum }_{i=2}^{\ell }{\alpha }_i{y}_i}\hfill \\ =& g^{\overline{\alpha }}·H{(GID,\overrightarrow{X})}^{{\alpha }_0}·H{(GID,\overrightarrow{X})}^{{\sum }_{i=1}^{\ell }{\alpha }_i{y}_i}.\hfill \end{array}$$

Thus, the numerator is:

$$\begin{array}{cc}& e(g^{\overline{\alpha }}·H{(GID,\overrightarrow{X})}^{{\alpha }_0}·H{(GID,\overrightarrow{X})}^{{\sum }_{i=1}^{\ell }{\alpha }_i{y}_i},E_2)\hfill \\ =& e(g^{\overline{\alpha }}·H{(GID,\overrightarrow{X})}^{{\alpha }_0}·H{(GID,\overrightarrow{X})}^{{\sum }_{i=1}^{\ell }{\alpha }_i{y}_i},g^s)\hfill \\ =& e{(g,g)}^{\overline{\alpha }s}·e{(H(GID,\overrightarrow{X}),g)}^{({\alpha }_0+{\sum }_{i=1}^{\ell }{\alpha }_i{y}_i)s}.\hfill \end{array}$$

In addition, the denominator is:

$$\begin{array}{cc}& e(E_1,D_0)\hfill \\ =& e({\left((\prod _{i=1}^n{g}^{{\alpha }_{0,i}})·{(\prod _{i=1}^n{g}^{{\alpha }_{1,i}})}^{y_1}·\dots ·{(\prod _{i=1}^n{g}^{{\alpha }_{\ell ,i}})}^{y_{\ell }}\right)}^s,H(GID,\overrightarrow{X}))\hfill \\ =& e{(g^{{\sum }_{i=1}^n{\alpha }_{0,j}}·g^{y_1{\sum }_{i=1}^n{\alpha }_{1,j}}·\dots ·g^{y_{\ell }{\sum }_{i=1}^n{\alpha }_{\ell ,j}},H(GID,\overrightarrow{X}))}^s\hfill \\ =& e{(g^{{\alpha }_0}·g^{{\alpha }_1{y}_1}·\dots ·g^{{\alpha }_{\ell }{y}_{\ell }},H(GID,\overrightarrow{X}))}^s\hfill \\ =& e{(g^{{\alpha }_0+{\sum }_{i=1}^{\ell }{\alpha }_i{y}_i},H(GID,\overrightarrow{X}))}^s\hfill \\ =& e{(H(GID,\overrightarrow{X}),g)}^{({\alpha }_0+{\sum }_{i=1}^{\ell }{\alpha }_i{y}_i)s}.\hfill \end{array}$$

Finally, we have:

$$\frac{\mathrm{numerator}}{\mathrm{denominator}}=\frac{e{(g,g)}^{\overline{\alpha }s}·e{(H(GID,\overrightarrow{X}),g)}^{({\alpha }_0+{\sum }_{i=1}^{\ell }{\alpha }_i{y}_i)s}}{e{(H(GID,\overrightarrow{X}),g)}^{({\alpha }_0+{\sum }_{i=1}^{\ell }{\alpha }_i{y}_i)s}}=e{(g,g)}^{\overline{\alpha }s}.$$

4. Security Proof

In this section, we will prove the sIND-CPA security for the proposed under the ℓ-DBDHE assumption in the random oracle model.

Theorem 1.

The proposed DIPE scheme is sIND-CPA secure if the q-DBDHE assumption holds.

Proof .

Assume there is a polynomial-time adversary that can win the sIND-CPA game with a non-negligible advantage. Then, we construct a PPT challenger $\mathcal{C}$ able to solve the ℓ-DBDHE problem as follows:

First of all, $\mathcal{C}$ is given an instance of the q-DBDHE problem, that is,

$$\left(g,g^{\gamma },g^{{\gamma }^2},\dots ,g^{{\gamma }^{\ell }},g^{{\gamma }^{\ell +2}},\dots ,g^{{\gamma }^{2\ell }},g^s,T\right),$$

where T is $e{(g,g)}^{{\gamma }^{\ell +1}s}$ or a random element of ${\mathbb{G}}_T$. Then, $\mathcal{C}$ interacts with $\mathcal{A}$ in the game as follows.

Initialization.

$\mathcal{A}$ first sends the target vector ${\overrightarrow{Y}}^{*}=(y_1^{*},y_2^{*},\dots ,y_{\ell }^{*})$ to $\mathcal{C}$.

Setup.

Without loss of generality, we may assume that $\mathcal{A}$ can obtain the first $n-1$ master secret keys $MS{K}_i$ of authorities, where $i=1,\dots ,n-1$:

• Set $(g^{{\alpha }_{1,n}},g^{{\alpha }_{2,n}},\dots ,g^{{\alpha }_{\ell ,n}})=(g^{\gamma },g^{{\gamma }^2},\dots ,g^{{\gamma }^{\ell }})$. Define ${\overrightarrow{\alpha }}_n=\langle {\alpha }_{1,n},{\alpha }_{2,n},\dots ,{\alpha }_{\ell ,n}\rangle$;
• Choose $\delta \stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$;
• Compute $Z_n=e{(g,g)}^{{\overline{\alpha }}_n}=e(g^{\gamma },g^{{\gamma }^{\ell }})$ and $g^{{\alpha }_{0,n}}={\left({(g^{\gamma })}^{y_1^{*}}{(g^{{\gamma }^2})}^{y_2^{*}}\dots {(g^{{\gamma }^{\ell }})}^{y_{\ell }^{*}}\right)}^{-1}·g^{\delta }$;
• For $i=1,\dots ,n-1$, $\mathcal{C}$, compute $P{K}_i$ and $MS{K}_i$ following the AuthSetup$(pp,i)$ shown in Section 3;
• Send to $\mathcal{A}$ the public keys ${\left\{P{K}_i\right\}}_{i=1,\dots ,n}={\{g^{{\alpha }_{0,i}},g^{{\alpha }_{1,i}},\dots ,g^{{\alpha }_{\ell ,i}},Z_i=e{(g,g)}^{{\overline{\alpha }}_i}\}}_{i=1,\dots ,n}$, and the master secret key s ${\left\{MS{K}_i\right\}}_{i=1,\dots ,n-1}={\{g^{{\overline{\alpha }}_i},{\alpha }_{0,i},{\alpha }_{1,i},\dots ,{\alpha }_{\ell ,i}\}}_{i=1,\dots ,n-1}$.

Here, we implicitly set

$${\overline{\alpha }}_n={\gamma }^{\ell +1},{\alpha }_{0,n}=-\langle {\overrightarrow{\alpha }}_n,{\overrightarrow{Y}}^{*}\rangle +\delta ,{\{{\alpha }_{j,n}={\gamma }^j\}}_{j=1\dots ,\ell }.$$

Phase1.

$\mathcal{C}$ maintains a hash list, H-list, to store the mapping result of $H(GID,\overrightarrow{X})$. Then, $\mathcal{A}$ is allowed to query the following oracles:

• Hash oracle:
  This oracle takes $\overrightarrow{X}\in {\mathbb{Z}}_p^{\ell }$ and $GID\in {\{0,1\}}^{*}$(global identity) as input and outputs an element of $\mathbb{G}$. If there exists a record $(GID,\overrightarrow{X},v_k,V_k)$ in the H-list, return $V_k$. Otherwise, the oracle performs the following steps:
  • If $\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle =0$, then randomly choose $V_k\stackrel{\$}{\leftarrow }\mathbb{G}$ and return $V_k$ to $\mathcal{A}$;
  • Choose $v_k\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$;
  • Implicitly set

    $$t=\frac{x_1{\gamma }^{\ell }+x_2{\gamma }^{\ell -1}+\dots +x_{\ell }\gamma }{\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle }+v_k$$

    by computing

    $$V_k=g^t={(g^{\gamma })}^{\frac{x_{\ell }}{\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle }}·\dots ·{(g^{{\gamma }^{\ell -1}})}^{\frac{x_2}{\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle }}·{(g^{{\gamma }^{\ell }})}^{\frac{x_1}{\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle }}·g^{v_k}.$$
    This can be efficiently computed with the instance of q-DBDHE problem;
  • Return $H(GID,\overrightarrow{X})=V_k$ to $\mathcal{A}$ and store $(GID,\overrightarrow{X},v_k,V_k)$ into the H-list.
• KeyExtract oracle:
  Upon receiving a vector $\overrightarrow{X}=(x_1,x_2,\dots ,x_{\ell })$ and a global identity $GID$ from $\mathcal{A}$, where $\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle \ne 0$ (As shown in Definition 3, $\mathcal{A}$ is not allowed to make a KeyExtract query with $\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle =0$, otherwise $\mathcal{A}$ can break the security trivially.) $\mathcal{C}$ performs as follows. For $i=1,\dots ,n-1$, $s{k}_i$ can be easily computed using the algorithm ${\mathrm{KeyGen}}_{{\mathbf{A}}_{\mathbf{i}}}(pp,MS{K}_i,GID,\overrightarrow{X})$ shown in Section 3 since $\mathcal{C}$ knows $MS{K}_i$. As for $s{k}_n$, it can be computed from the instance of the ℓ-DBDHE problem by the following steps:
  • Query $V_k=H(GID,\overrightarrow{X})$ and set $D_0=V_k$. Let $D_0=g^t$, where

    $$t=\frac{x_1{\gamma }^{\ell }+x_2{\gamma }^{\ell -1}+\dots +x_{\ell }\gamma }{\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle }+v_k.$$
    Note that $v_k$ can be found in the H-list;
  • For $j=2,\dots ,\ell$, compute

    $$K_{j,n}=H{(GID,\overrightarrow{X})}^{-{\alpha }_{1,n}\frac{x_j}{x_1}}·H{(GID,\overrightarrow{X})}^{{\alpha }_{j,n}}={(g^{-{\alpha }_{1,n}\frac{x_j}{x_1}}{g}^{{\alpha }_{j,n}})}^t.$$
    One can note that, in the exponent of $K_{j,n}$,

    $$(-{\alpha }_{1,n}\frac{x_j}{x_1}+{\alpha }_{j,n})t=(-\gamma \frac{x_j}{x_1}+{\gamma }^j)·(\frac{x_1{\gamma }^{\ell }+x_2{\gamma }^{\ell -1}+\dots +x_{\ell }\gamma }{\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle }+v_k),$$

    the only unknown term is ${\gamma }^{\ell +1}$. However, the coefficient of ${\gamma }^{\ell +1}$ is

    $$-\frac{x_j}{x_1}·\frac{x_1}{\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle }+\frac{x_j}{\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle }=0,j=2,\dots ,\ell .$$
    Thus, $K_{j,n}$ can be easily computed using the knowledge of $\overrightarrow{X},{\overrightarrow{Y}}^{*}$ and the instance $(g,g^{\gamma },g^{{\gamma }^2},\dots ,g^{{\gamma }^{\ell }},g^{{\gamma }^{\ell +2}},\dots ,g^{{\gamma }^{2\ell }})$ of the ℓ-DBDHE problem;
  • Compute

    $$D_{1,n}=g^{{\overline{\alpha }}_n}·H{(GID,\overrightarrow{X})}^{{\alpha }_{0,n}}=g^{{\overline{\alpha }}_n+{\alpha }_{0,n}t}.$$
    One can note that the exponent of $D_{1,n}$ is

    $$\begin{array}{cc}\hfill & {\overline{\alpha }}_n+{\alpha }_{0,n}t\hfill \\ \hfill =& {\gamma }^{\ell +1}+(-\langle {\overrightarrow{\alpha }}_n,{\overrightarrow{Y}}^{*}\rangle +\delta )·t\hfill \\ \hfill =& {\gamma }^{\ell +1}+(-\langle {\overrightarrow{\alpha }}_n,{\overrightarrow{Y}}^{*}\rangle )·(\frac{x_1{\gamma }^{\ell }+x_2{\gamma }^{\ell -1}+\dots +x_{\ell }\gamma }{\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle }+v_k)+\delta t\hfill \\ \hfill =& {\gamma }^{\ell +1}-\frac{({\alpha }_1{y}_1^{*}+{\alpha }_2{y}_2^{*}+\dots +{\alpha }_{\ell }{y}_{\ell }^{*})(x_1{\gamma }^{\ell }+x_2{\gamma }^{\ell -1}+\dots +x_{\ell }\gamma )}{\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle }-\langle {\overrightarrow{\alpha }}_n,{\overrightarrow{Y}}^{*}\rangle ·v_k+\delta t\hfill \\ \hfill =& {\gamma }^{\ell +1}-\frac{(\gamma y_1^{*}+{\gamma }^2{y}_2^{*}+\dots +{\gamma }^{\ell }{y}_{\ell }^{*})(x_1{\gamma }^{\ell }+x_2{\gamma }^{\ell -1}+\dots +x_{\ell }\gamma )}{\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle }-\langle {\overrightarrow{\alpha }}_n,{\overrightarrow{Y}}^{*}\rangle ·v_k+\delta t\hfill \end{array}$$
    Again, the coefficient of the unknown term ${\gamma }^{\ell +1}$ is

    $$1-\frac{x_1{y}_1^{*}+x_2{y}_2^{*}+\dots +x_{\ell }{y}_{\ell }^{*}}{\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle }=1-\frac{\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle }{\langle \overrightarrow{X},{\overrightarrow{Y}}^{*}\rangle }=0.$$
    Therefore, $D_{1,n}$ can be also computed using the knowledge of $\overrightarrow{X},{\overrightarrow{Y}}^{*}$ and the instance $(g,g^{\gamma },g^{{\gamma }^2},\dots ,g^{{\gamma }^{\ell }},g^{{\gamma }^{\ell +2}},\dots ,g^{{\gamma }^{2\ell }})$ of the ℓ-DBDHE problem.

Challenge.

$\mathcal{A}$ submits two message $M_0$ and $M_1$ of the same length, and $\mathcal{C}$ computes the challenge ciphertext as follows:

• Choose $\beta \stackrel{\$}{\leftarrow }\{0,1\}$;
• Set $E_2=g^s$;
• Compute

  $$\begin{array}{cc}\hfill E_0& =M_{\beta }·{(\prod _{i=1}^{n-1}{Z}_i)}^s·T\hfill \\ & =M_{\beta }·Z_1^s·\dots ·Z_{n-1}^s·T\hfill \\ & =M_{\beta }·e(g^s,g^{{\overline{\alpha }}_1})·\dots ·e(g^s,g^{{\overline{\alpha }}_{n-1}})·T;\hfill \end{array}$$
• Compute

  $$\begin{array}{cc}\hfill E_1& ={\left((\prod _{i=1}^n{g}^{{\alpha }_{0,i}})·{(\prod _{i=1}^n{g}^{{\alpha }_{1,i}})}^{y_1^{*}}·\dots ·{(\prod _{i=1}^n{g}^{{\alpha }_{\ell ,i}})}^{y_{\ell }^{*}}\right)}^s\hfill \\ & ={\left((g^{{\alpha }_{0,1}}·\dots ·g^{{\alpha }_{0,n-1}})·{(g^{{\alpha }_{1,1}}·\dots ·g^{{\alpha }_{1,n-1}})}^{y_1^{*}}·\dots ·{(g^{{\alpha }_{\ell ,1}}·\dots ·g^{{\alpha }_{\ell ,n-1}})}^{y_{\ell }^{*}}\right)}^s\hfill \\ & ·{\left(g^{{\alpha }_{0,n}}·{(g^{{\alpha }_{1,n}})}^{y_1^{*}}·\dots ·{(g^{{\alpha }_{\ell ,n}})}^{y_{\ell }^{*}}\right)}^s\hfill \\ & ={\left(g^s\right)}^{{\sum }_{i=1}^{n-1}{\alpha }_{0,i}+y_1^{*}{\sum }_{i=1}^{n-1}{\alpha }_{1,i}+\dots +y_{\ell }^{*}{\sum }_{i=1}^{n-1}{\alpha }_{\ell ,i}}·{\left(g^{-\langle {\overrightarrow{\alpha }}_n,{\overrightarrow{Y}}^{*}\rangle +\delta }·g^{\langle {\overrightarrow{\alpha }}_n,{\overrightarrow{Y}}^{*}\rangle }\right)}^s\hfill \\ & ={\left(g^s\right)}^{{\sum }_{i=1}^{n-1}{\alpha }_{0,i}+y_1^{*}{\sum }_{i=1}^{n-1}{\alpha }_{1,i}+\dots +y_{\ell }^{*}{\sum }_{i=1}^{n-1}{\alpha }_{\ell ,i}}·{(g^s)}^{\delta };\hfill \end{array}$$
• Output $C^{*}=(E_0,E_1,E_2)$ to $\mathcal{A}$.

Phase2.

Same as Phase1.

Guess.

$\mathcal{A}$ outputs a bit ${\beta }^{\prime }\in \{0,1\}$. $\mathcal{C}$ outputs 1 if ${\beta }^{\prime }=\beta$; otherwise, $\mathcal{C}$ outputs 0.

If $T=e{(g,g)}^{{\gamma }^{\ell +1}s}$, then:

$$\begin{array}{cc}\hfill E_0& =M_{\beta }\prod _{i=1}^{n-1}{Z}_i^s·T\hfill \\ & =M_{\beta }\prod _{i=1}^{n-1}{Z}_i^s·e{(g,g)}^{{\gamma }^{\ell +1}s}\hfill \\ & =M_{\beta }\prod _{i=1}^{n-1}{Z}_i^s·Z_n^s\hfill \\ & =M_{\beta }\prod _{i=1}^n{Z}_i^s,\hfill \end{array}$$

and hence $C^{*}=(E_0,E_1,E_2)$ is a valid ciphertext. Thus, we have:

$${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{sIND}-\mathrm{CPA}}=\left|Pr[{\beta }^{\prime }=\beta ]-\frac{1}{2}\right|,$$

and

$$Pr[\mathcal{C}(g,g^{\gamma },g^{{\gamma }^2},\dots ,g^{{\gamma }^{\ell }},g^{{\gamma }^{\ell +2}},\dots ,g^{{\gamma }^{2\ell }},g^s,T=e{(g,g)}^{{\gamma }^{\ell +1}s})=1]=Pr[{\beta }^{\prime }=\beta ]$$

$$={\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{sIND}-\mathrm{CPA}}+\frac{1}{2}.$$

If T is a random element from ${\mathbb{G}}_T$, then the message $M_{\beta }$ is completely hidden from the adversary’s view, since $E_0$, $E_1$ and $E_2$ are all independently random elements. Therefore, the advantage of the adversary is:

$${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{sIND}-\mathrm{CPA}}=\left|\mathrm{Pr}[{\beta }^{\prime }=\beta ]-\frac{1}{2}\right|=0,$$

and

$$Pr[\mathcal{C}(g,g^{\gamma },g^{{\gamma }^2},\dots ,g^{{\gamma }^{\ell }},g^{{\gamma }^{\ell +2}},\dots ,g^{{\gamma }^{2\ell }},g^s,T=e{(g,g)}^{{\gamma }^{\ell +1}s})=1]=\frac{1}{2}.$$

Finally, the advantage of $\mathcal{C}$ in solving the ℓ-DBDHE problem is:

$$\begin{array}{cc}\hfill & {\mathrm{Adv}}_{\mathcal{C}}^{\ell -\mathrm{DBDHE}}\hfill \\ \hfill =& \left|\mathrm{Pr}[\mathcal{C}(g,g^{\gamma },g^{{\gamma }^2},\dots ,g^{{\gamma }^{\ell }},g^{{\gamma }^{\ell +2}},\dots ,g^{{\gamma }^{2\ell }},g^s,T=e{(g,g)}^{{\gamma }^{\ell +1}s})=1]\right.\hfill \\ \hfill & \left.-\mathrm{Pr}[\mathcal{C}(g,g^{\gamma },g^{{\gamma }^2},\dots ,g^{{\gamma }^{\ell }},g^{{\gamma }^{\ell +2}},\dots ,g^{{\gamma }^{2\ell }},g^s,T\stackrel{\$}{\leftarrow }{\mathbb{G}}_T)=1]\right|\hfill \\ \hfill =& \left|({\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{sIND}-\mathrm{CPA}}+\frac{1}{2})-\frac{1}{2}\right|\hfill \\ \hfill =& {\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{sIND}-\mathrm{CPA}}.\hfill \end{array}$$

Therefore, if there is an adversary that wins the sIND-CPA game with a non-negligible advantage, then we can construct an algorithm $\mathcal{C}$ to solve the ℓ-DBDHE problem with a non-negligible advantage in polynomial time.  □

5. Comparison

In this section, we compare our scheme with [3,5,8,11,25] in time complexity, space complexity and other security features. Among these works, [3,5,8,11] are IPE schemes and [25] is a DIPE scheme. In addition, we implement our scheme and the scheme of [25] in Python and C, and compare the execution time of our algorithms with theirs.

5.1. Asymptotic Comparisons

In

Table 2. Comparison of time complexity.

	Encryption Cost	Decryption Cost
[3]	$(4\ell +1)T_e$	$(2\ell +1)T_p$
[8]	$(2\ell +2)T_e$	$\ell T_e+3T_p$
[5]	$(\ell +3)T_e$	$\ell T_e+2T_p$
[11]	$(2\ell +2)T_e$	$(\ell +2)T_e+T_p$
[25]	$[(2n+1)k^2+(2n+2)k]T_e$	$n{T}_e+(2k+2)T_p$
Ours	$(\ell +3)T_e$	$\ell T_e+2T_p$

T_e: The cost of an exponentiation in multiplicative groups. T_p: The cost of pairing computation. n: The total number of authorities. ℓ: The length of predicate/attribute vector. k: The parameter of k-linear assumption. (k ≥ 2)

, we show the encryption cost and decryption cost of each scheme. For encryption, the exponentiation computation cost is linear with the vector size, which is better than others, except [5]. In addition, we only need ℓ times exponentiation computations plus two pairing computations in decryption. Though our efficiency is not the best among [3,5,8,11], our scheme achieves decentralization while others do not. In [25], they need n times exponentiation computations plus $\mathcal{O}(k)$ pairing computations, where $k\le 2$. Thus, both of the cost for our scheme in encryption and decryption algorithm is more efficient.

The length of ciphertexts and private keys are shown in

Table 3. Comparison with the previous schemes in space complexity.

	Ciphertext Length	Private Key Length
[3]	$(2\ell +1)\left|\mathbb{G}\right|$	$(2\ell +1)\left|\mathbb{G}\right|$
[8]	$(\ell +2)\left|\mathbb{G}\right|$	$3\left|\mathbb{G}\right|+|{\mathbb{Z}}_p^{\ell }|$
[5]	$2\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$(\ell +1)\left|\mathbb{G}\right|$
[11]	$1\left|\mathbb{G}\right|+(\ell +1)|{\mathbb{G}}_T|$	$1\left|\mathbb{G}\right|+|{\mathbb{Z}}_p|$
[25]	$(nk+n+k+1)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$n(2k+2)\left|\mathbb{G}\right|$
Ours	$2\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$n(\ell +1)\left|\mathbb{G}\right|$

$\left|\mathbb{G}\right|$: The length of an element in $\mathbb{G}$. $\left|{\mathbb{G}}_T\right|$: The length of an element in ${\mathbb{G}}_T$. $\left|{\mathbb{Z}}_p^{\ell }\right|$: The length of an element in ${\mathbb{Z}}_p^{\ell }$n: The total number of authorities. ℓ: The length of predicate/attribute vector. k: The parameter of k-linear assumption. (k ≥ 2).

. Due to decentralization, it is normal that the private key length of DIPE is larger than that of IPE. In addition, though, we can see that [25] needs about $\mathcal{O}(nk)$ elements in $\mathbb{G}$ for a private key. Indeed, the value of k can be small in their work. However, in our work, the vector size could be large in reality. Therefore, our private key length is larger than others, which may need more storage. Nevertheless, if the value of k is greater or equal than our vector size. Then, we only need less storage than [25] in storing the private key. Note that the work of [11] achieves constant private key size. As a trade-off, their ciphertext size is $\mathcal{O}(\ell )|{\mathbb{G}}_T|$, which might be longer then others in the respect of the curve used in implementation.

In the comparison of ciphertext length, both our work and [5] have the least ciphertext length and only needs two elements in $\mathbb{G}$ plus an element in ${\mathbb{G}}_T$. It means that our ciphertext length is independent with the vector size and the number of the authorities. It can reduce the burden of connection between sender and receiver for transmitting ciphertext. However, the ciphertext length of [25] dependent on n and k. To the best of our knowledge, our work is the first DIPE scheme achieving a constant-size ciphertext.

In

Table 4. Property comparison.

	Decentralization	Confidentiality	Security	Group	Complexity
			Model	Order	Assumption
[3]	No	CPA	STD	Composite	SD
[8]	No	CPA	STD	Prime	$\mathcal{P}$-DBDH
[5]	No	CPA	STD	Prime	ℓ-DBDHE
[11]	No	CPA*	STD	Prime	M-DDH ${}_{{\mathbb{G}}_T}$
[25]	Yes	CPA	ROM	Prime	k-Lin
Ours	Yes	CPA	ROM	Prime	ℓ-DBDHE

CPA: Chosen-plaintext attack. CPA*: CPA in coselective model. STD: Standard model. ROM: Random oracle model. SD: Subgroup decision problem

, only our work, as well as [25], achieves a decentralized framework. In order to avoid collusion between users, a $GID$ and a predicate (or an attribute) vector $\overrightarrow{X}$ are mapped to a value by a random oracle. Therefore, the security of ours and [25]’s are both proven in the random oracle model. As far as we know, there is no standard model for DIPE currently. In addition, although ours and [25]’s are both CPA secure, the latter achieves adaptive security, which is stronger than our selective model. Though all the works in Table 4 achieve CPA security, we should note that [11]’s security is proven in a relatively less used model, called a co-selective model, where an adversary outputs several vectors for querying the Key-Extract oracle in Phase 1 before seeing the system parameter. Although selective security and co-selective security are both weaker than full security, both notions are incomparable in general by definition.

5.2. Experimental Result

In this section, we show the experimental results of our construction and the construction of [25] via Python and C languages, and analyze the execution time of the five algorithms.

Table 5. System configuration and elliptic curve for Python.

CPU	Intel(R) Core(TM) i7-10875H CPU @ 2.30 GHz
Memory	4 GB
OS	Ubuntu-16.04 (64-bit)
Package	Python Charm-Crypto (v0.43) library
Pairing group	SS512

shows the system configuration and the chosen pairing group of Python. We implement our construction by Charm-Crypto library in Python. In our implementation, the pairing group is a symmetric pairing curve with a 512-bit-based field. The experiment is executed on Intel(R) Core(TM) i7-10875H CPU at 3.60GHz processor, 4 GB memory size and under the Ubuntu-16.04 operating system. In addition, we also implement our scheme and [25] in C with the pbc library, where a Type a1 pairing group is used.

Table 6. System configuration and elliptic curve for C.

CPU	Intel(R) Core(TM) i5-8257U CPU @ 1.40 GHz
Memory	2 GB
OS	Docker:Debian10
Package	pbc-0.5.14
Pairing group	Type a1

shows the details for the system configuration of our C implementation.

We analyze the time cost of each algorithm in our DIPE scheme below. In our experiment, the length of $GID$ (global identity) is set to 10 bits for convenience. However, note that the length of a $GID$ can be arbitrarily long since it is a input of the hash function. In [25], since each authority generates a partial key for an element of the predicate vector, therefore, the length of th vector size should be the same as the total number of authorities, ranging from 1 to 25 in our implementation. In addition, the value of k in [25] is set to one to minimize the cost of their work. The value of each point on the figure is obtained by executing the algorithm 1000 times and obtaining the value of the average execution time.

For the implementation using Python, Figure 1b shows that the time spent by [25] on the AuthSetup algorithm is more time-consuming than ours. In Figure 1d,e, we can note that the Encrypt and Decrypt algorithms are both growing linearly in two schemes when the number of authorities increases. However, ours has better performance than theirs. Then, Figure 1c exhibits that KeyGen is the most time-consuming algorithm due to the decentralized network. Nevertheless, we have relatively poorer performance than [25]. Since our decentralization is different from [25], in our scheme, each authority generates a partial key for a whole predicate vector instead of only an element. Therefore, the execution time of KeyGen is longer. Finally, in Figure 1a, the Setup algorithm only generates some generator of $\mathbb{G}$, some elements of $\mathbb{G}$ and the description of a hash function in both schemes. Thus, execution time is independent of the total number of authorities and vector size. In addition, our scheme has one more advantage, that is, the length of the predicate vector does not need to bind with the total number of authorities with same value.

In addition, Figure 2 shows the time cost of our scheme and [25] using C. Similar to the results using Python, Figure 2a,b show that in the comparison of the time costs of Setup and AuthSetup algorithms, our scheme is more efficient than [25]. As shown in Figure 2c,e, the costs for KeyGen and Decryption of ours are pretty close to those of [25]. Interestingly, the result of Encryption in C is opposite to that in Python. Figure 2d shows that the Encrypt algorithm of [25] is faster than ours. The reason for this might be due to the system configuration or the language. We will keep figuring out more details that may be inspired from this difference.

6. Conclusions

Thus far, there is only one decentralized inner product encryption, proposed by Michalevsky et al. in 2018. In their scheme, however, the length of ciphertexts are dependent on the number of authorities, which may become a bottleneck in the system. Therefore, we would like to solve this problem. In this manuscript, we present a novel decentralized inner product encryption which achieves constant-size ciphertexts. In addition, our scheme is proven to be selectively secure under the ℓ-DBDHE assumption. We further implement our scheme and the scheme of [25] to analyze the execution time. Except for the KeyGen algorithm, our work has better performance in the remaining four algorithms (Setup, AuthSetup, Encrypt, Decrypt). Yet, our scheme is the first DIPE scheme achieving constant-size ciphertext, and there are several potential improvements. One direction could be to upgrade the security to chosen-ciphertext security. Several generic methods [31,32,33,34,35] have been proposed in the literature, however, constructing a DIPE scheme with direct chosen-ciphertext security is an open problem. In addition, the security of our scheme is proven under the random oracle model. How to construct a DIPE scheme that is secure in the standard model is also a worth-fighting goal.