1 Introduction

Functional encryption (FE) [19, 56] is a generalization of public-key encryption, which overcomes the all-or-nothing, user-based access to data that is inherent to public key encryption and enables fine-grained, role-based access that makes it very desirable for modern applications. A bit more formally, given an encryption \(\mathsf{enc}(X)\) and a key corresponding to a function F, the key holder only learns F(X) and nothing else. Apart from its theoretical appeal, the concept of FE also finds numerous applications. In cloud computing platforms, users can store encrypted data on a remote server and subsequently provide the server with a key \(SK_F\) which allows it to compute the function F of the underlying data without learning anything else.

In some cases, the message \(X=(\mathsf {IND},M)\) consists of an index \(\mathsf {IND}\) (which can be thought of as a set of descriptive attributes) and a message M, which is sometimes called “payload”. One distinguishes FE systems with public index, where \(\mathsf {IND}\) is publicly revealed by the ciphertext but M is hidden, from those with private index, where \(\mathsf {IND}\) and M are both hidden. Public index FE is popularly referred to as attribute based encryption.

A Brief History of FE. The birth of Functional Encryption can be traced back to Identity Based Encryption [17, 57] which can be seen as the first nontrivial generalization of Public Key Encryption. However, it was the work of Sahai and Waters [56] that coined the term Attribute Based Encryption, and the subsequent, natural unification of all these primitives under the umbrella of Functional Encryption took place only relatively recently [19, 49]. Constructions of public index FE have matured from specialized – equality testing [13, 17, 35], keyword search [1, 16, 44], Boolean formulae [42], inner product predicates [44], regular languages [58] – to general polynomial-size circuits [18, 34, 40] and even Turing machines [37]. The journey of private index FE has been significantly more difficult, with inner product predicate constructions [3, 44] being the state of the art for a long time until the recent elegant generalization to polynomial-size circuits [41].

However, although private index FE comes closer than ever before to the goal of general FE, it falls frustratingly short. This is because all known constructions of private index FE only achieve weak attribute hiding, which severely restricts the function keys that the adversary can request in the security game: the adversary may only request keys for functions \(f_i\) that do not decrypt the challenge ciphertext \((\mathsf {IND}^*, M^*)\), i.e., \(f_i(\mathsf {IND}^*)\ne 0\) must hold for all i. The most general notion of FE – private index, strongly attribute hiding – has been built for the restricted case of bounded collusions [38, 39] or using the brilliant, but ill-understood machinery of multi-linear maps [33] and indistinguishability obfuscation [33]. These constructions provide FE for general polynomial-size circuits and Turing machines [37], but, perhaps surprisingly, there has been little effort to build the general notion of FE ground-up, starting from smaller functionalities.

This appears as a gaping hole that begs to be filled. Often, from the practical standpoint, efficient constructions for a smaller range of functionalities, such as linear functions or polynomials, are extremely relevant, and such an endeavour will also help us understand the fundamental barriers that thwart our attempts for general FE. This motivates the question:

Can we build FE for restricted classes of functions, satisfying standard security definitions, under well-understood assumptions?

In 2015, Abdalla et al. [2] considered the question of building FE for linear functions. Here, a ciphertext C encrypts a vector \(\varvec{y} \in \mathcal {D}^{\ell }\) over some ring \(\mathcal {D}\), and a secret key for the vector \(\varvec{x} \in \mathcal {D}^{\ell }\) allows computing \(\langle \varvec{x}, \varvec{y} \rangle \) and nothing else about \(\varvec{y}\). Note that this is quite different from the inner product predicate functionality of [3, 44]: the former computes the actual value of the inner product while the latter tests whether the inner product is zero or not, and reveals a hidden bit M if so. Abdalla et al. [2] showed, surprisingly, that this functionality allows for very simple and efficient realizations under standard assumptions like the Decision Diffie-Hellman (\(\mathsf {DDH}\)) and Learning-with-Errors (\(\mathsf {LWE}\)) assumptions [53]. The instantiation from \(\mathsf {DDH}\) was especially unexpected since \(\mathsf {DDH}\) is not known to easily lend itself to the design of such primitives. What enables this surprising result is that the functionality itself is rather limited – note that with \(\ell \) linearly independent queries, the adversary can reconstruct the entire message vector. Due to this, the scheme need not provide collusion resistance, which posits that no collection of secret keys for functions \(F_1, \ldots , F_q\) should make it possible to decrypt a ciphertext that no individual such key can decrypt. Collusion resistance is usually the chief obstacle in proving security of FE schemes. On the contrary, for linear FE constructions, if two adversaries combine their keys, they do get a valid new key, but this key gives them a plaintext which could anyway be computed from their individual plaintexts. Hence, collusion is permitted by the functionality itself, and constructions can be much simpler. As we shall see below, linear FE is already very useful and yields many interesting applications, which we discuss in the full version of the paper [4].

More recently, Bishop et al. [12] considered the same functionality as Abdalla et al. in the secret-key setting with the motivation of achieving function privacy.

While [12] considers adaptive adversaries, their construction requires bilinear maps and does not operate over standard \(\mathsf {DDH}\)-hard groups. In the public-key setting, Abdalla et al. [2] only proved their schemes to be secure against selective adversaries, that have to declare the challenge messages \(M_0,M_1\) of the semantic security game upfront, before seeing the master public key \(\mathsf {mpk}\). Selective security is usually too weak a notion for practical applications and is often seen as a stepping stone to proving full adaptive security. Historically, most flavors of functional encryption have been first realized for selective adversaries [13, 33, 42, 44, 56] before being upgraded to attain full security. Boneh and Boyen [14] observed that a standard complexity leveraging argument can be used to argue that a selectively-secure system is also adaptively secure. However, this argument is not satisfactory in general as the reduction incurs an exponential security loss in the message length. Quite recently, Ananth et al. [8] described a generic method of building adaptively secure functional encryption systems from selectively secure ones. However, their transformation is based on the existence of a sufficiently expressive selectively secure FE scheme, where sufficiently expressive roughly means capable of evaluating a weak PRF. Since no such scheme from standard assumptions is known, their transformation does not apply to our case, and in any case it would significantly increase the complexity of the construction, even if it did.

Our Results. In this paper, we describe fully secure functional encryption systems for the evaluation of inner products on encrypted data. We propose schemes that evaluate inner products of integer vectors, based on \(\mathsf {DDH}\), \(\mathsf {LWE}\) and the Composite Residuosity hardness assumptions. Our \(\mathsf {DDH}\)-based and \(\mathsf {LWE}\)-based constructions for integer inner products are of efficiency comparable to those of Abdalla et al. [2] and rely on the same standard assumptions. Note that a system based on Paillier’s composite residuosity assumption was an open problem even for the case of selective adversaries, which we resolve in this work.

Additionally, we propose schemes that evaluate inner products modulo a prime p or a composite \(N=pq\), based on the \(\mathsf {LWE}\) and Composite Residuosity hardness assumptions. In contrast, the constructions of [2] must restrict the ring \(\mathcal {D}\) to the ring of integers, which is a significant drawback. Indeed, although their \(\mathsf {DDH}\)-based realization allows evaluating \(\langle \varvec{x},\varvec{y} \rangle \mod p\) when the latter value is sufficiently small, their security proof restricts the functionality to the computation of \(\langle \varvec{x},\varvec{y} \rangle \in \mathbb {Z}\).

The functionality of inner products over a prime field is powerful: we show that it can be bootstrapped all the way to yield a conceptually simple construction for bounded collusion FE for all circuits. The only known construction for general FE handling bounded collusions is by Gorbunov et al. [39]. Our construction is conceptually simpler, albeit somewhat less efficient. Also, since it requires the inner product functionality over a prime field, it can only be instantiated with our \(\mathsf {LWE}\)-based scheme for now.

1.1 Overview of Techniques

We briefly summarize our techniques below.

Fully Secure Linear FE: Hash Proof Systems. Our \(\mathsf {DDH}\)-based construction and its security proof implicitly build on hash proof systems [26]. It involves public parameters comprised of group elements \(\big (g, h, \{h_i=g^{s_i} \cdot h^{t_i} \}_{i=1}^\ell \big )\), where g, h generate a cyclic group \(\mathbb {G}\) of prime order q, and the master secret key is \(\mathsf {msk}=(\varvec{s},\varvec{t}) \in \mathbb {Z}_q^{\ell } \times \mathbb {Z}_q^\ell \). On input of a vector \(\varvec{y} =(y_1,\ldots ,y_{\ell }) \in \mathbb {Z}_q^\ell \), the encryption algorithm computes \( (g^r,h^r, \{g^{y_i} \cdot h_i^r \}_{i=1}^\ell )\) in such a way that a secret key of the form \(SK_{\varvec{x}}=(\langle \varvec{s}, \varvec{x} \rangle , \langle \varvec{t},\varvec{x} \rangle )\) allows computing \(g^{\langle \varvec{y},\varvec{x} \rangle }\) in the same way as in [2]. Despite its simplicity and its efficiency (only one more group element than in [2] is needed in the ciphertext), we show that the above system can be proved fully secure using arguments – akin to those of Cramer and Shoup [25] – which consider what the adversary knows about the master secret key \( (\varvec{s},\varvec{t}) \in \mathbb {Z}_q^{\ell } \times \mathbb {Z}_q^\ell \) in the information theoretic sense. The security proof is arguably simpler than its counterpart in the selective case [2]. As in all security proofs based on hash proof systems, it uses the fact that the secret key is known to the reduction at any time, which makes it simpler to handle secret key queries without knowing the adversary's target messages \(\varvec{y}_0,\varvec{y}_1 \in \mathbb {Z}_q^\ell \) in advance.

While our \(\mathsf {DDH}\)-based realization only enables efficient decryption when the inner product \(\langle \varvec{x}, \varvec{y} \rangle \) is contained in a sufficiently small interval, we show how to eliminate this restriction using Paillier’s cryptosystem in the same way as in [21, 22]. We thus obtain the first solution based on the Composite Residuosity assumption, which was previously an open problem (even in the case of selective security).

\(\mathsf {LWE}\)-Based Fully Secure Linear FE. Our \(\mathsf {LWE}\)-based construction builds on the dual Regev encryption scheme from Gentry et al. [35]. Its security analysis requires more work. The master public key contains a random matrix \(\mathbf {A} \in \mathbb {Z}_q^{m \times n}\). For simplicity, we restrict ourselves to plaintext vectors and secret key vectors with binary coordinates. Each vector coordinate \(i \in \{1,\ldots ,\ell \}\) requires a master public key component \(\varvec{u}_i^T = \varvec{z}_{i}^T \cdot \mathbf {A} \in \mathbb {Z}_q^{n} \), for a small norm vector \(\varvec{z}_i \in \mathbb {Z}^{m}\) made of Gaussian entries which will be part of the master secret key \(\mathsf {msk}= \{\varvec{z}_i\}_{i=1}^\ell \). Each \(\mathbf {u}_i\) can be seen as a syndrome of the GPV trapdoor function for which the vector \(\mathbf {z}_i\) is a pre-image. Our security analysis relies on the fact that each GPV syndrome has a large number of pre-images and, conditionally on \(\mathbf {u}_i \in \mathbb {Z}_q^{n}\), each \(\mathbf {z}_i\) retains a large amount of entropy. In the security proof, this allows us to apply arguments similar to those of hash proof systems [26] when we generate the challenge ciphertext using \( \{\mathbf {z}_i\}_{i=1}^\ell \). More precisely, when the first part \(\mathbf {c}_0 \in \mathbb {Z}_q^m\) of the ciphertext is a random vector instead of an actual \(\mathsf {LWE}\) sample \(\mathbf {c}_0= \mathbf {A} \cdot \mathbf {s} + \mathbf {e}_0\), the action of \( \{\mathbf {z}_i\}_{i=1}^\ell \) on \(\mathbf {c}_0 \in \mathbb {Z}_q^m\) produces vectors that appear statistically uniform to any legitimate adversary.
In order to properly simulate the challenge ciphertext using the master secret key \( \{\mathbf {z}_i\}_{i=1}^\ell \), we use a variant of the extended \(\mathsf {LWE}\) assumption [50] (eLWE) so as to have the (hint) values \(\{\langle \mathbf {z}_i, \mathbf {e}_0 \rangle \}_{i=1}^\ell \) at disposal. One difficulty is that the reductions from \(\mathsf {LWE}\) to eLWE proved in [7, 20] handle a single hint vector \(\varvec{z}\). Fortunately, we extend the techniques of Brakerski et al. [20] using the gadget matrix from [45] to obtain a reduction from \(\mathsf {LWE}\) to the multi-hint variant of eLWE that we use in the security proof. More specifically, we prove that the multi-hint variant of eLWE remains at least as hard as \(\mathsf {LWE}\) when the adversary obtains as many as n / 2 hints, where n is the dimension of the \(\mathsf {LWE}\) secret.

Evaluating Inner Products Modulo p. Our construction from the \(\mathsf {DDH}\) assumption natively supports the computation of inner products modulo a prime p as long as the remainder \(\langle \varvec{x},\varvec{y} \rangle \bmod p\) falls in a polynomial-size interval. Under the Paillier and \(\mathsf {LWE}\) assumptions, we first show how to compute integer inner products \(\langle \varvec{x},\varvec{y} \rangle \in \mathbb {Z}\). In a second step, we upgrade our Paillier and \(\mathsf {LWE}\)-based systems so as to compute inner products modulo a composite \(N=pq\) and a prime p, respectively, without leaking the actual value \(\langle \varvec{x},\varvec{y} \rangle \) over \(\mathbb {Z}\).

Hiding anything but the remainder modulo N or p requires additional techniques. In the context of \(\mathsf {LWE}\)-based FE, this is achieved by using an \(\mathsf {LWE}\) modulus of the form \(q = p \cdot p'\) and multiplying plaintexts by \(p'\), so that an inner product modulo q over the ciphertext space natively translates into an inner product modulo p for the underlying plaintexts.

The latter plaintext/ciphertext manipulations do not solve another difficulty which arises from the discrepancy between the base rings of the master key and the secret key vectors: indeed, the master key consists of integer vectors, whereas the secret keys are defined modulo an integer. When the adversary queries a secret key vector \(\varvec{x} \in \mathbb {Z}_p^{\ell }\) (or \(\mathbb {Z}_N^{\ell }\)), it gets the corresponding combination modulo p of the master key components. By making appropriate vector queries that are linearly dependent modulo p (and hence valid), an attacker could learn a combination of the master key components which is singular modulo p but invertible over the field of rational numbers: it would then obtain the whole master key! However, note that as long as the adversary only queries secret keys for \(\ell -1\) independent vectors over \(\mathbb {Z}_p^\ell \) (or \(\mathbb {Z}_N^{\ell }\)), there is no reason not to reveal more than \(\ell -1\) secret keys overall. In order to make sure that the adversary only obtains redundant information by making more than \(\ell -1\) queries, we assume that a trusted authority keeps track of all vectors \(\varvec{x}\) for which secret keys were previously given out (more formally, the key generation algorithm is stateful).
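The pitfall described in the previous paragraph, as an added Python example that is not part of the paper: a toy in which the master key consists of short integer vectors \(\varvec{z}_i\) and a naive, stateless key for \(\varvec{x}\) is the integer combination \(\sum_i x_i \varvec{z}_i\). Two queries that are linearly dependent modulo p = 3 but independent over the rationals let an attacker recover the whole master key by inverting the query matrix over \(\mathbb{Q}\). The `StatefulKeygen` class shows the bookkeeping a stateful key generator needs: it remembers the vectors it has already answered and, for a new query lying in their span modulo p, returns only the \(\mathbb{Z}_p\) coefficients expressing it in terms of earlier queries rather than a fresh integer combination. The master key, the vectors, the prime p and the `("dependent", coefficients)` response format are assumptions for illustration; how a dependent query is turned into a usable decryption key in the actual \(\mathsf {LWE}\)-based mod p scheme is not reproduced here.

```python
from fractions import Fraction


def integer_key(Z, x):
    """Naive stateless key for x: the integer combination sum_i x_i * z_i of the master-key rows."""
    m = len(Z[0])
    return [sum(xi * zi[j] for xi, zi in zip(x, Z)) for j in range(m)]


def solve_rational(X, K):
    """Solve X * Z = K over Q by Gauss-Jordan elimination (X square). Returns None if X is singular over Q."""
    n = len(X)
    A = [[Fraction(v) for v in X[i] + K[i]] for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] != 0), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = 1 / A[col][col]
        A[col] = [v * inv for v in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [a - f * b for a, b in zip(A[r], A[col])]
    return [[int(v) if v.denominator == 1 else v for v in A[i][n:]] for i in range(n)]


def recover_master_key(queries, keys):
    """Attacker's view: ell issued integer keys for query vectors that are independent over Q
    (even though they may be dependent modulo p, and hence look like harmless queries)."""
    return solve_rational(queries, keys)


def solve_mod_p(A, b, p):
    """Solve A * c = b over Z_p (A is n x k). Returns one solution (free variables set to 0), or None if inconsistent."""
    n = len(A)
    k = len(A[0]) if n else 0
    M = [[a % p for a in A[i]] + [b[i] % p] for i in range(n)]
    pivots, row = [], 0
    for col in range(k):
        if row == n:
            break
        piv = next((r for r in range(row, n) if M[r][col]), None)
        if piv is None:
            continue
        M[row], M[piv] = M[piv], M[row]
        inv = pow(M[row][col], -1, p)
        M[row] = [(v * inv) % p for v in M[row]]
        for r in range(n):
            if r != row and M[r][col]:
                f = M[r][col]
                M[r] = [(u - f * v) % p for u, v in zip(M[r], M[row])]
        pivots.append(col)
        row += 1
    if any(all(v == 0 for v in M[r][:k]) and M[r][k] for r in range(n)):
        return None
    c = [0] * k
    for i, col in enumerate(pivots):
        c[col] = M[i][k]
    return c


class StatefulKeygen:
    """Key generator that remembers answered vectors and recognises queries that are dependent modulo p."""

    def __init__(self, Z, p):
        self.Z, self.p, self.ell = Z, p, len(Z)
        self.queries = []  # vectors for which a fresh integer key has been issued

    def keygen(self, x):
        assert len(x) == self.ell and all(0 <= xi < self.p for xi in x)
        # Columns of A are the previously answered vectors: look for c with sum_j c_j * x_j = x (mod p).
        A = [[qv[i] for qv in self.queries] for i in range(self.ell)]
        c = solve_mod_p(A, x, self.p)
        if c is not None:
            # Only redundant information leaves the authority: no new integer combination of the z_i.
            return ("dependent", c)
        key = integer_key(self.Z, x)
        self.queries.append(list(x))
        return ("fresh", key)


if __name__ == "__main__":
    Z = [[3, -1, 2], [1, 4, -2]]  # constructed toy master key: ell = 2 short vectors in Z^3
    p = 3
    x1, x2 = [1, 2], [2, 1]  # x2 = 2 * x1 (mod 3): dependent mod p, independent over Q
    stolen = recover_master_key([x1, x2], [integer_key(Z, x1), integer_key(Z, x2)])
    print("stateless keygen leaks the master key:", stolen == Z)
    kg = StatefulKeygen(Z, p)
    print(kg.keygen(x1), kg.keygen(x2), kg.keygen([0, 1]))
```

The third query in the demo, (0, 1), is independent of (1, 2) modulo 3 and so receives a fresh key; the example only performs the dependence check and does not enforce the bound of \(\ell-1\) independent vectors discussed above.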

Compiling Linear FE to Bounded Collusion General FE. We provide a conceptually simpler way to build q-query Functional Encryption for all circuits. The only known construction for this functionality was suggested by Gorbunov et al. in [39]. At a high level, the q-query construction by Gorbunov et al. is built in several layers, as follows:

  1. They start with a single key FE scheme for all circuits, which was provided by [55].

  2. The single key FE scheme is compiled into a q-query scheme for \(\mathsf{NC_1}\) circuits. This is the most non-trivial part of the construction. They run N copies of the single key scheme, where \(N=O(q^4)\). To encrypt, they encrypt the views of some N-party MPC protocol computing some functionality related to C, à la “MPC in the head”. For the MPC protocol, they use the BGW [10] semi-honest MPC protocol without degree reduction and exploit the fact that this protocol is completely non-interactive when used to compute bounded degree functions. The key generator provides the decryptor with a subset of the single query FE keys, where the subsets are guaranteed to have small pairwise intersections. This subset of keys enables the decryptor to recover sufficiently many shares of C(x), which enables her to compute C(x) via polynomial interpolation. However, an attacker with q keys only learns a share \(x_i\) in the clear if two subsets of keys intersect, and due to small pairwise intersections, this does not occur often enough for him to learn sufficiently many shares of x; hence, by the guarantees of secret sharing, the input x remains hidden.

  3. Finally, they bootstrap the q-query FE for \(\mathsf{NC_1}\) to a q-query FE for all circuits using computational randomized encodings [9]. They must additionally use cover-free sets to ensure that fresh randomness is used for each randomized encoding.

Our construction replaces steps 1 and 2 with an inner product modulo p FE scheme, and then uses step 3 as in [39]. Thus, the construction of single key FE in step 1 by Sahai and Seyalioglu, and the nontrivial “MPC in the head” of step 2 can both be replaced by the simple abstraction of an inner product FE scheme. For step 3, observe that the bootstrapping theorem of [39] provides a method to bootstrap an FE for \(\mathsf{NC_1}\) that handles q queries to an FE for all polynomial-size circuits that is also secure against q queries. The bootstrapping relies on the result of Applebaum et al. [9, Theorem 4.11] which states that every polynomial time computable function f admits a perfectly correct computational randomized encoding of degree 3. In more detail, let \(\mathcal {C}\) be a family of polynomial-size circuits. Let \(C \in \mathcal {C}\) and let x be some input. Let \(\widetilde{C}(x, R)\) be a randomized encoding of C that is computable by a constant depth circuit with respect to inputs x and R. Then consider a new family of circuits \(\mathcal {G}\) defined by:

$$\begin{aligned} G_{C, \varDelta }(x, R_1,\ldots ,R_S) = \left\{ \widetilde{C} \Big (x; \underset{a \in \varDelta }{\oplus } R_a \Big ): \ C \in \mathcal {C}, \ \varDelta \subseteq [S] \right\} , \end{aligned}$$

for some sufficiently large S (quadratic in the number of queries q). As observed in [39], circuit \(G_{C,\varDelta }(\cdot , \cdot )\) is computable by a constant degree polynomial (one for each output bit). Given an FE scheme for \(\mathcal {G}\), one may construct a scheme for \(\mathcal {C}\) by having the decryptor first recover the output of \(G_{C, \varDelta }(x, R_1,\ldots ,R_S)\) and then applying the decoder for the randomized encoding to recover C(x).

However, to support q queries the decryptor must compute q randomized encodings, each of which needs fresh randomness. This is handled by hardcoding S random elements in the ciphertext and using random subsets \(\varDelta \subseteq [S]\) (which are cover-free with overwhelming probability) to compute fresh randomness \(\underset{a \in \varDelta }{\oplus } R_a\) for every query. The authors then conclude that bounded query FE for \(\mathsf{NC_1}\) suffices to construct a bounded query FE scheme for all circuits.

We observe that the ingredient required to bootstrap is not FE for the entire circuit class \(\mathsf{NC_1}\) but rather only the particular circuit class \(\mathcal {G}\) as described above. This circuit class, being computable by degree 3 polynomials, may be supported by a linear FE scheme, via linearization of the degree 3 polynomials! To illustrate, let us consider FE secure only for a single key. Then, the functionality that the initial FE must support is exactly the randomized encoding of [9], which, indeed, is in \(\mathsf{NC_0}\). Now, to support q queries, we must ensure that each key uses a fresh piece of randomness, and this is provided using a cover-free set family S as in [39] – the key generator picks a random subset \(\varDelta \subseteq [S]\) and sums up its elements to obtain i.i.d. randomness for the key being requested. To obtain a random element in this manner, addition over the integers does not suffice, we must take addition modulo p. Here, our inner product modulo p construction comes to our rescue!

Putting it together, the encryptor encrypts all degree 3 monomials in the inputs \(R_1,\ldots , R_{S}\) and \(x_1,\ldots ,x_\ell \). Note that this ciphertext is polynomial in size. Now, for a given circuit C, the keygen algorithm samples some \(\varDelta \subseteq [S]\) and computes the symbolic degree 3 polynomials which must be released to the decryptor. It then provides the linear FE keys to compute the same. By correctness and security of Linear FE as well as the randomizing polynomial construction, the decryptor learns C(x) and nothing else. The final notion of security that we obtain is non-adaptive simulation based security NA-SIM [39, 49], i.e. \(({{\mathrm{poly}}}, {{\mathrm{poly}}}, 0)\) SIM security, where the adversary can request a polynomial number of pre-challenge keys and polynomially many challenge ciphertexts, but may not request post-challenge keys. For more details, we refer the reader to Sect. 6. We note that the construction of [39] also achieves the stronger AD-SIM security, but for a scheme that supports only a single ciphertext and a bounded number of keys. The bound on the number of ciphertexts is necessary due to a lower bound by [19]. The notion of single ciphertext, bounded key FE appears to be quite restrictive, hence we do not study AD-SIM security here.

We note that subsequent to our work, Agrawal and Rosen [6] used our adaptively secure mod p inner products FE scheme in a more sophisticated manner than we do here, to achieve ciphertext size that improves upon the construction of [39].

2 Background

In this section, we recall the hardness assumptions underlying the security of the schemes we will describe. The functionality and security definitions of functional and non-interactive controlled functional encryption schemes are given in the full version of the paper [4].

Our first scheme relies on the standard \(\mathsf {DDH}\) assumption in ordinary (i.e., non-pairing-friendly) cyclic groups.

Definition 1

In a cyclic group \(\mathbb {G}\) of prime order q, the Decision Diffie-Hellman (\(\mathsf {DDH}\)) problem is to distinguish the distributions \(D_0=\{(g,g^a,g^b,g^{ab}) \mid g \hookleftarrow \mathbb {G}, a, b\hookleftarrow \mathbb {Z}_q \}, D_1=\{(g,g^a,g^b,g^{c}) \mid g \hookleftarrow \mathbb {G}, a, b, c \hookleftarrow \mathbb {Z}_q \}\).

A variant of our first scheme relies on Paillier’s composite residuosity assumption.

Definition 2

[51]. Let \(N=pq\), for prime numbers p, q. The Decision Composite Residuosity (\(\mathsf {DCR}\)) problem is to distinguish the distributions \(D_0:=\{z = z_0^{N} \bmod N^{2} \mid z_0 \hookleftarrow \mathbb {Z}_N^*\}\) and \(D_1:=\{ z \hookleftarrow \mathbb {Z}_{N^{2}}^*\}\).

Our third construction builds on the Learning-With-Errors (\(\mathsf {LWE}\)) problem, which is known to be at least as hard as certain standard lattice problems in the worst case [20, 54].

Definition 3

Let \(q, \alpha , m\) be functions of a parameter n. For a secret \(\mathbf {s} \in \mathbb {Z}_q^n\), the distribution \(A_{q,\alpha ,\mathbf {s}}\) over \(\mathbb {Z}_q^n \times \mathbb {Z}_q\) is obtained by sampling \(\mathbf {a} \hookleftarrow \mathbb {Z}_q^n\) and \(e \hookleftarrow D_{\mathbb {Z}, \alpha q}\), and returning \((\mathbf {a},\langle {\mathbf {a, s}}\rangle +e) \in \mathbb {Z}_q^{n+1}\). The Learning With Errors problem \(\mathsf {LWE}_{q,\alpha , m}\) is as follows: For \(\mathbf {s} \hookleftarrow \mathbb {Z}_q^n\), the goal is to distinguish between the distributions:

$$\begin{aligned} D_0(\mathbf {s}) := U(\mathbb {Z}_q^{m \times (n+1)}) \;\;\; { and } \;\;\; D_1(\mathbf {s}) := (A_{q,\alpha ,{\mathbf {s}}})^m. \end{aligned}$$

We say that a PPT algorithm \(\mathcal {A}\) solves \(\mathsf {LWE}_{q,\alpha , m}\) if it distinguishes \(D_0(\mathbf {s})\) and \(D_1(\mathbf {s})\) with non-negligible advantage (over the random coins of \(\mathcal {A}\) and the randomness of the samples), with non-negligible probability over the randomness of \(\mathbf {s}\).

3 Fully Secure Functional Encryption for Inner Products from \(\mathsf {DDH}\)

In this section, we show that an adaptation of the \(\mathsf {DDH}\)-based construction of Abdalla et al. [2] provides full security under the standard \(\mathsf {DDH}\) assumption. Like [2], the scheme computes inner products over \(\mathbb {Z}\) as long as they land in a sufficiently small interval.

In comparison with the solution of Abdalla et al., we only introduce one more group element in the ciphertext and all operations are just as efficient as in [2]. Our scheme is obtained by modifying [2] in the same way as Damgård’s encryption scheme [27] was obtained from the Elgamal cryptosystem. The original \(\mathsf {DDH}\)-based system of [2] encrypts a vector \(\varvec{y}=(y_1,\ldots ,y_\ell ) \in \mathbb {Z}_q^\ell \) by computing \((g^r,\{g^{y_i} \cdot h_i^r\}_{i=1}^\ell )\), where \(\{h_i=g^{s_i}\}_{i=1}^\ell \) are part of the master public key and \(\mathsf{sk}_{\varvec{x}}=\sum _{i=1}^\ell s_i \cdot x_i \bmod q\) is the secret key associated with the vector \(\varvec{x}=(x_1,\ldots ,x_\ell ) \in \mathbb {Z}_q^\ell \). Here, we encrypt \(\varvec{y}\) in the fashion of Damgård’s Elgamal, by computing \((g^r,h^r,\{g^{y_i} \cdot h_i^r\}_{i=1}^\ell )\). The decryption algorithm uses secret keys of the form \(\mathsf{sk}_{\varvec{x}}=(\sum _{i=1}^\ell s_i \cdot x_i,\sum _{i=1}^\ell t_i \cdot x_i)\), where \(h_i=g^{s_i} \cdot h^{t_i}\) for each i and \(\varvec{s}=(s_1,\ldots ,s_\ell ) \in \mathbb {Z}_q^\ell \) and \(\varvec{t}=(t_1,\ldots ,t_\ell ) \in \mathbb {Z}_q^\ell \) are part of the master key \(\mathsf {msk}\).

The scheme and its security proof also build on ideas from the Cramer-Shoup cryptosystem [25, 26]. Analogously to the bounded-collusion-resistant IBE schemes of Goldwasser et al. [36], the construction can be seen as applying a hash proof system [26] with homomorphic properties over the key space. It also bears similarities with the broadcast encryption system of Dodis and Fazio [29] in the way it uses hash proof systems to achieve adaptive security.

  • Setup \((1^\lambda ,1^\ell )\) : Choose a cyclic group \(\mathbb {G}\) of prime order \(q>2^\lambda \) with generators \(g,h \hookleftarrow \mathbb {G}\). Then, for each \(i \in \{1,\ldots ,\ell \}\), sample \(s_i,t_i \hookleftarrow \mathbb {Z}_q\) and compute \(h_i=g^{s_i} \cdot h^{t_i}\). Define \(\mathsf {msk}:=\{ (s_i,t_i)\}_{i=1}^\ell \) and

    $$\begin{aligned} \mathsf {mpk} := \Bigl (\mathbb {G}, g,h, \{h_i\}_{i=1}^\ell \Bigr ). \end{aligned}$$
  • Keygen \((\mathsf {msk},\varvec{x})\) : To generate a key for the vector \(\varvec{x}=(x_1,\ldots ,x_\ell ) \in \mathbb {Z}_q^\ell \), compute \(\mathsf{sk}_{\varvec{x}}=(s_{\varvec{x}},t_{\varvec{x}})=(\sum _{i=1}^\ell s_i \cdot x_i, \sum _{i=1}^\ell t_i \cdot x_i)=(\langle \varvec{s}, \varvec{x} \rangle ,\langle \varvec{t}, \varvec{x} \rangle )\).

  • Encrypt \((\mathsf {mpk},\varvec{y})\) : To encrypt a vector \(\varvec{y}=(y_1,\ldots ,y_\ell ) \in \mathbb {Z}_q^\ell \), sample \(r \hookleftarrow \mathbb {Z}_q\) and compute

    $$\begin{aligned} C = g^r, \quad D = h^r, \quad \{ E_i = g^{y_i} \cdot h_i^r \}_{i=1}^\ell . \end{aligned}$$

    Return \(C_{\varvec{y}}=(C,D,E_1,\ldots ,E_\ell )\).

  • Decrypt \((\mathsf {mpk},\mathsf{sk}_{\varvec{x}},C_{\varvec{y}})\) : Given \(\mathsf{sk}_{\varvec{x}}=(s_{\varvec{x}},t_{\varvec{x}})\), compute

    $$\begin{aligned} {E}_{\varvec{x}}=(\prod _{i=1}^\ell E_i^{x_i}) / (C^{s_{\varvec{x}}} \cdot D^{t_{\varvec{x}}}). \end{aligned}$$

    Then, compute and output \(\log _g({E}_{\varvec{x}})\).

The decryption algorithm requires computing a discrete logarithm, which is in general too expensive. Like in [2], this can be circumvented by imposing that the computed inner product lies in an interval \(\{0,\ldots ,L\}\), for some polynomially bounded integer L. Then, computing the required discrete logarithm may be performed in time \(\widetilde{O}(L^{1/2})\) using Pollard’s kangaroo method [52]. As reported in [11], this can be reduced to \(\widetilde{O}(L^{1/3})\) operations by precomputing a table of size \(\widetilde{O}(L^{1/3})\). Note that even though the functionality is limited (decryption may not be performed efficiently for all key vectors and for all message vectors), while proving security we will let the adversary query any key vector in \(\mathbb {Z}_q^{\ell }\).
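The scheme above, as an added Python example that is not part of the paper (the authors give no code): it implements Setup, Keygen, Encrypt and Decrypt exactly as listed, instantiating \(\mathbb {G}\) as the order-q subgroup of quadratic residues modulo a safe prime P = 2q + 1 and recovering \(\log _g({E}_{\varvec{x}})\) by baby-step giant-step over the interval \(\{0,\ldots ,L\}\) instead of Pollard's kangaroo. The 48-bit modulus, the Miller-Rabin parameter generation and the sample vectors are assumptions for a runnable illustration and are far below any secure size. `combine_keys` illustrates the remark from the introduction that colluding key holders who add their keys only obtain the key for \(\varvec{x}_1+\varvec{x}_2\), i.e., nothing beyond what the functionality already allows.

```python
import random
from math import isqrt

rng = random.SystemRandom()


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test; probabilistic, adequate for generating toy parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits: int):
    """Return (P, q) with P = 2q + 1 and q both prime; the squares mod P form a group of prime order q."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def bsgs_log(g: int, target: int, P: int, bound: int):
    """Baby-step giant-step: the e in [0, bound] with g^e = target (mod P), or None if there is none."""
    m = isqrt(bound) + 1
    baby, cur = {}, 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % P
    giant = pow(g, -m, P)  # g^{-m}; pow with a negative exponent needs Python 3.8+
    gamma = target
    for i in range(m + 1):
        if gamma in baby:
            e = i * m + baby[gamma]
            return e if e <= bound else None
        gamma = gamma * giant % P
    return None


class InnerProductFE:
    """Setup / Keygen / Encrypt / Decrypt of the DDH-based scheme, with toy (insecure) parameter sizes."""

    def __init__(self, ell: int, bits: int = 48):
        self.P, self.q = gen_safe_prime(bits)
        self.g = self._random_generator()
        self.h = self._random_generator()
        self.s = [rng.randrange(self.q) for _ in range(ell)]  # msk = {(s_i, t_i)}
        self.t = [rng.randrange(self.q) for _ in range(ell)]
        self.h_i = [pow(self.g, si, self.P) * pow(self.h, ti, self.P) % self.P  # mpk: h_i = g^{s_i} h^{t_i}
                    for si, ti in zip(self.s, self.t)]

    def _random_generator(self) -> int:
        while True:
            v = pow(rng.randrange(2, self.P - 1), 2, self.P)  # a square != 1 has order exactly q
            if v != 1:
                return v

    def keygen(self, x):
        """sk_x = (<s, x>, <t, x>) mod q."""
        return (sum(si * xi for si, xi in zip(self.s, x)) % self.q,
                sum(ti * xi for ti, xi in zip(self.t, x)) % self.q)

    def encrypt(self, y):
        """C = g^r, D = h^r, E_i = g^{y_i} h_i^r."""
        r = rng.randrange(1, self.q)
        C, D = pow(self.g, r, self.P), pow(self.h, r, self.P)
        E = [pow(self.g, yi, self.P) * pow(hi, r, self.P) % self.P for yi, hi in zip(y, self.h_i)]
        return (C, D, E)

    def decrypt(self, sk, ct, x, bound):
        """E_x = prod E_i^{x_i} / (C^{s_x} D^{t_x}) = g^{<x,y>}; return <x,y> if it lies in [0, bound]."""
        s_x, t_x = sk
        C, D, E = ct
        num = 1
        for Ei, xi in zip(E, x):
            num = num * pow(Ei, xi, self.P) % self.P
        den = pow(C, s_x, self.P) * pow(D, t_x, self.P) % self.P
        E_x = num * pow(den, -1, self.P) % self.P
        return bsgs_log(self.g, E_x, self.P, bound)


def combine_keys(fe: InnerProductFE, sk1, sk2):
    """Keys are linear in x, so sk_{x1} + sk_{x2} (mod q) is exactly Keygen(x1 + x2): collusion gains nothing new."""
    return ((sk1[0] + sk2[0]) % fe.q, (sk1[1] + sk2[1]) % fe.q)


if __name__ == "__main__":
    fe = InnerProductFE(ell=4)
    x, y = [1, 2, 3, 4], [5, 6, 7, 8]  # constructed sample vectors, <x, y> = 70
    ct = fe.encrypt(y)
    print("decrypt:", fe.decrypt(fe.keygen(x), ct, x, bound=1000))
```

`decrypt` returns `None` when \(\langle \varvec{x},\varvec{y} \rangle \) falls outside \(\{0,\ldots ,L\}\), which is the functional restriction discussed above, not a failure of the scheme.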

Before proceeding with the security proof, we would like to clarify that, although the scheme of [2] only decrypts values in a polynomial-size space, the usual complexity leveraging argument does not prove it fully secure via a polynomial reduction. Indeed, when \(\ell \) is polynomial in \(\lambda \), having the inner product \(\langle \varvec{y},\varvec{x} \rangle \) in a small interval does not mean that original vector \(\varvec{y} \in \mathbb {Z}_q^\ell \) lives in a polynomial-size universe. In Sect. 5, we show how to eliminate the small-interval restriction using Paillier’s cryptosystem [51].

The security analysis uses similar arguments to those of Cramer and Shoup [25, 26] in that it exploits the fact that \(\mathsf {mpk}\) does not reveal too much information about the master secret key. At some step, the challenge ciphertext is generated using \(\mathsf {msk}\) instead of the public key and, as long as \(\mathsf {msk}\) retains a sufficient amount of entropy from the adversary’s view, it will perfectly hide which vector among \(\varvec{y}_0,\varvec{y}_1\) is actually encrypted. The reason why we can prove adaptive security is the fact that, as usual in security proofs relying on hash proof systems [25, 26], the reduction knows the master secret key at any time. It can thus correctly answer all secret key queries without knowing the challenge messages \(\varvec{y}_0,\varvec{y}_1\) beforehand.

The \(\mathsf {DDH}\)-based scheme can easily be generalized so as to rely on weaker variants of \(\mathsf {DDH}\), like the Decision Linear assumption [15] or the Matrix \(\mathsf {DDH}\) assumption [31].

Theorem 1

The scheme provides full security under the \(\mathsf {DDH}\) assumption. (The proof is given in the full version of the paper [4]).

4 Full Security Under the \(\mathsf {LWE}\) Assumption

We describe two \(\mathsf {LWE}\)-based schemes: the first one for integer inner products of short integer vectors, the second one for inner products over a prime field \(\mathbb {Z}_p\).

In both cases, the security relies on the hardness of a variant of the extended-\(\mathsf {LWE}\) problem. The extended-\(\mathsf {LWE}\) problem was introduced by O’Neill et al. [50] and further investigated in [7, 20]. At a high level, the extended-\(\mathsf {LWE}\) problem can be seen as \(\mathsf {LWE}_{\alpha , q}\) with a fixed number m of samples, for which some extra information on the \(\mathsf {LWE}\) noises is provided: the adversary is given a linear combination of the noise terms. More concretely, the problem is to distinguish between the distributions

$$\begin{aligned} \big (\mathbf {A},~\mathbf {A} \cdot \varvec{s} + \varvec{e}, \varvec{z}, \langle \varvec{e}, \varvec{z} \rangle \big ) \ \text{ and } \ \big (\mathbf {A},~\varvec{u},~\varvec{z},~\langle \varvec{e}, \varvec{z} \rangle \big ), \end{aligned}$$

where \(\mathbf {A} \hookleftarrow \mathbb {Z}_q^{m \times n}, \varvec{s} \hookleftarrow \mathbb {Z}_q^{n}, \varvec{u} \hookleftarrow \mathbb {Z}_q^{m}, \varvec{e} \hookleftarrow D_{\mathbb {Z},\alpha q}^m\), and \(\varvec{z}\) is sampled from a specified distribution. Note that in [50], a noise was added to the term \(\langle \varvec{e}, \varvec{z} \rangle \). The \(\mathsf {LWE}\) to extended-\(\mathsf {LWE}\) reductions from [7, 20] do not require such an extra noise term.

We will use a variant of extended-\(\mathsf {LWE}\) for which multiple hints \((\varvec{z}_{i}, \langle \varvec{e}, \varvec{z}_{i} \rangle )\) are given, for the same noise vector \(\varvec{e}\).

Definition 4

(Multi-hint Extended-\(\mathsf {LWE}\)). Let q, m, t be integers, \(\alpha \) be a real and \(\tau \) be a distribution over \(\mathbb {Z}^{t\times m}\), all of them functions of a parameter n. The multi-hint extended-\(\mathsf {LWE}\) problem \(\mathsf {mheLWE}_{q,\alpha , m, t, \tau }\) is to distinguish between the distributions of the tuples

$$\begin{aligned} \big (\mathbf {A},~\mathbf {A} \cdot \varvec{s} + \varvec{e}, \mathbf {Z},~\mathbf {Z} \cdot \varvec{e} \big ) \;\;\; \text{ and } \;\;\; \big (\mathbf {A},~\varvec{u},~\mathbf {Z},~\mathbf {Z} \cdot \varvec{e} \big ), \end{aligned}$$

where \(\mathbf {A} \hookleftarrow \mathbb {Z}_q^{m \times n}, \varvec{s} \hookleftarrow \mathbb {Z}_q^{n}, \varvec{u} \hookleftarrow \mathbb {Z}_q^{m}, \varvec{e} \hookleftarrow D_{\mathbb {Z},\alpha q}^m\), and \(\mathbf {Z} \hookleftarrow \tau \).

A reduction from \(\mathsf {LWE}\) to \(\mathsf {mheLWE}\) is presented in Subsect. 4.3.

4.1 Integer Inner Products of Short Integer Vectors

In the description hereunder, we consider the message space \(\mathcal {P} = \{0,\ldots ,P-1\}^{\ell }\), for some integer P and where \(\ell \in \mathsf {poly}(n) \) denotes the dimension of vectors to encrypt. Secret keys are associated with vectors in \(\mathcal {V} = \{0,\ldots ,V-1\}^{\ell }\) for some integer V. As in the \(\mathsf {DDH}\) case, inner products are evaluated over \(\mathbb {Z}\). However, unlike our \(\mathsf {DDH}\)-based construction, we can efficiently decrypt without confining inner product values within a small interval: here the inner product between the plaintext and key vectors belongs to \(\{0,\ldots , K - 1 \}\) with \(K = \ell PV\), and it is possible to set parameters so that the scheme is secure under standard hardness assumptions while K is more than polynomial in the security parameter. We compute ciphertexts using a prime modulus q, with q significantly larger than K.

  • Setup \((1^n,1^\ell ,P,V)\) : Set integers \(m, q \ge 2\), real \(\alpha \in (0,1)\) and distribution \(\tau \) over \(\mathbb {Z}^{\ell \times m}\) as explained below. Set \(K = \ell PV\). Sample \(\mathbf {A} \hookleftarrow \mathbb {Z}_q^{m \times n}\) and \(\mathbf {Z} \hookleftarrow \tau \). Compute \(\mathbf {U} = \mathbf {Z} \cdot \mathbf {A} \in \mathbb {Z}_q^{ \ell \times n}\). Define \(\mathsf {mpk} := (\mathbf {A}, \mathbf {U}, K, P, V)\) and \(\mathsf {msk}:= \mathbf {Z}\).

  • Keygen \((\mathsf {msk},\varvec{x})\) : Given a vector \(\varvec{x}\in \mathcal {V}\), compute and return the secret key \(\varvec{z}_{\varvec{x}} := \varvec{x}^T \cdot \mathbf {Z} \in \mathbb {Z}^m\).

  • Encrypt \((\mathsf {mpk},\varvec{y})\) : To encrypt a vector \(\varvec{y}\in \mathcal {P}\), sample \(\varvec{s} \hookleftarrow \mathbb {Z}_q^n\), \(\varvec{e}_0 \hookleftarrow D_{\mathbb {Z},\alpha q}^m\) and \(\varvec{e}_1 \hookleftarrow D_{\mathbb {Z}, \alpha q}^{ \ell }\) and compute

    $$\begin{aligned} \varvec{c}_0= & {} \mathbf {A} \cdot \varvec{s}+ \varvec{e}_0 \ \in \mathbb {Z}_q^m, \\ \varvec{c}_1= & {} \mathbf {U} \cdot \varvec{s} + \varvec{e}_1 + \left\lfloor \frac{q}{K} \right\rfloor \cdot \varvec{y} \ \in \mathbb {Z}_q^{\ell }. \end{aligned}$$

    Then, return \(C:= (\varvec{c}_0,\varvec{c}_1)\).

  • Decrypt \((\mathsf {mpk},\varvec{x},\varvec{z}_{\varvec{x}},C)\) : Given a ciphertext \(C:= (\varvec{c}_0,\varvec{c}_1)\) and a secret key \(\varvec{z}_{\varvec{x}}\) for \(\varvec{x} \in \mathcal {V}\), compute \(\mu '= \langle \varvec{x}, \varvec{c}_1 \rangle - \langle \varvec{z}_{\varvec{x}}, \varvec{c}_0 \rangle \bmod q\) and output the value \(\mu \in \{-K+1,\ldots ,K-1\}\) that minimizes \(|\lfloor \frac{q}{K} \rfloor \cdot \mu - \mu '|\).

Setting the Parameters. Let \(B_{\tau }\) be such that with probability \(\ge \!1- n^{-\omega (1)}\), each row of a sample from \(\tau \) has norm \(\le \!B_{\tau }\). As explained just below, correctness may be ensured by setting

$$\begin{aligned} \alpha ^{-1} \ge K^2 B_{\tau } \omega (\sqrt{\log n}) \ \ \text{ and } \ \ q \ge \alpha ^{-1} \omega (\sqrt{\log n}). \end{aligned}$$

The choice of \(\tau \) is driven by the reduction from \(\mathsf {LWE}\) to \(\mathsf {mheLWE}\) (as summarized in Theorem 4), and more precisely from Lemma 4 (another constraint arises from the use of [35, Corollary 2.8] at the end of the security proof). We may choose \(\tau = D_{\mathbb {Z},\sigma _1}^{\ell \times m/2} \times (D_{\mathbb {Z}^{m/2}, \sigma _2, \varvec{\delta }_1} \times \ldots \times D_{\mathbb {Z}^{m/2}, \sigma _2, \varvec{\delta }_{\ell }})\), where \(\varvec{\delta }_i \in \mathbb {Z}^\ell \) denotes the ith canonical vector, and the standard deviation parameters satisfy \(\sigma _1 = \varTheta (\sqrt{n \log m} \max (\sqrt{m},K))\) and \(\sigma _2 = \varTheta (n^{7/2} m^{1/2} \max (m,K^2) \log ^{5/2} m)\).

To ensure security based on \(\mathsf {LWE}_{q,\alpha ',m}\) in dimension \(\ge \!c \cdot n\) for some \(c \in (0,1)\) via Theorems 2 and 4 below, one may further impose that \(\ell \le (1-c) \cdot n\) and \(m = \varTheta (n \log q)\), to obtain \(\alpha ' = \varOmega (\alpha /(n^{6} K \log ^2 q \log ^{5/2} n))\). Note that \(\mathsf {LWE}_{q,\alpha ',m}\) enjoys reductions from lattice problems when \(q \ge \varOmega (\sqrt{n}/\alpha ')\).

Combining the security and correctness requirements, we may choose \(\alpha ' = 1/((n \log q)^{O(1)} \cdot K^2)\) and \(q = \varOmega (\sqrt{n} / \alpha ')\), resulting in \(\mathsf {LWE}\) parameters that make \(\mathsf {LWE}\) resist all known attacks running in time \(2^{\lambda }\), as long as \(n \ge \widetilde{\varOmega }(\lambda \log K)\).

Decryption Correctness. To show the correctness of the scheme, we first observe that, modulo q:

$$\begin{aligned} \mu '= & {} \langle \varvec{x}, \varvec{c}_1 \rangle - \langle \varvec{z}_{\varvec{x}}, \varvec{c}_0 \rangle = \left\lfloor q/K \right\rfloor \cdot \langle \varvec{x}, \varvec{y} \rangle + \langle \varvec{x}, \varvec{e}_1 \rangle - \langle \varvec{z}_{\varvec{x}}, \varvec{e}_0 \rangle . \end{aligned}$$

Below, we show that the magnitude of the term \(\langle \varvec{x}, \varvec{e}_1 \rangle - \langle \varvec{z}_{\varvec{x}}, \varvec{e}_0 \rangle \) is \(\le \!\ell V B_{\tau }\alpha q \omega (\sqrt{\log n})\) with probability \(\ge \!1-n^{-\omega (1)}\). Thanks to the choices of \(\alpha \) and q, the latter upper bound is \(\le \!\lfloor q/K \rfloor / 4\), which suffices to guarantee decryption correctness.

Note that \(\varvec{e}_1\) is an integer Gaussian vector of dimension \(\ell \) and standard deviation \(\alpha q \ge \omega (\sqrt{\log n})\), and that \(\Vert \varvec{x}\Vert \le \sqrt{\ell } V\). As a result, we have that \(|\langle \varvec{x}, \varvec{e}_1 \rangle | \le \sqrt{\ell } V \alpha q \omega (\sqrt{\log n})\) holds with probability \(1-n^{-\omega (1)}\). Similarly, as \(\Vert \varvec{z}_{\varvec{x}}\Vert \le \ell V B_{\tau }\), we obtain that \(|\langle \varvec{z}_{\varvec{x}}, \varvec{e}_0 \rangle | \le \ell V B_{\tau }\alpha q \omega (\sqrt{\log n})\) holds with probability \(1-n^{-\omega (1)}\).

Full Security. In order to prove adaptive security of the scheme, we use the multi-hint extended-\(\mathsf {LWE}\) from Definition 4. Before we provide the formal proof, we provide some intuition.

Intuition. Here we describe some challenges in proving adaptive security for our \(\mathsf {LWE}\) construction. To begin we describe the approach used by Abdalla et al. [2] in showing selective security for a similar construction. In the selective game, the adversary must announce the challenge vectors \(\mathbf {y}_0, \mathbf {y}_1\) at the outset of the game. By definition of an admissible adversary, every query \(\mathbf {x}^i\) made must satisfy the property that \(\langle \varvec{x}^{i}, (\varvec{y}_0 - \mathbf {y}_1) \rangle = 0 \) (over \(\mathbb {Z}\)) for all i. For ease of exposition, consider challenge messages \(\mathbf {y}_0, \mathbf {y}_1\) that only differ in the last co-ordinate. Then, the simulator knows at the very beginning of the game, the subspace within which all queries must lie. Since the secret key is structured as \((\mathbf {x}^i)^T \mathbf {Z}\), it suffices for the simulator to pick all but the final column of \(\mathbf {Z}\) in order to answer all legitimate key requests. It can set the public parameters by constructing all except one row of \(\mathbf {U}\) using its choice of \(\mathbf {Z}\), and receiving the final \(\mathbf {u}_\ell \) from the \(\mathsf {LWE}\) oracle. Now the challenge ciphertext can be embedded along this dimension to argue security.

In the adaptive game however, the simulator cannot know in advance which subspace the adversary’s queries will lie in, hence it must pick the entire master secret key \(\mathbf {Z}\) to answer key requests. Given that the simulator has no secrets, it is unclear how it may leverage the adversary. To handle this, our approach is to carefully analyze the entropy loss that occurs in the master secret \(\mathbf {Z}\) via the keys seen by the adversary. We show that despite seeing linear relations involving \(\mathbf {Z}\), there is enough residual entropy left in the master secret so that the challenge ciphertext created using this appears uniform to the adversary.

To the best of our knowledge, this proof technique has not been used in prior constructions of \(\mathsf {LWE}\) based FE systems, which mostly rely on a “punctured trapdoor” approach. This approach roughly provides the simulator with a trapdoor that can be used to answer key requests but vanishes with high probability for the challenge. Our simulator does not use trapdoors, but relies on an argument about entropy leakage as described above. We now proceed with the formal proof.

Theorem 2

Assume that \( \ell \le n^{O(1)}\), \(m \ge 4n \log _2 q\), \(q > \ell K^2\) and \(\tau \) is as described above. Then the functional encryption scheme above is fully secure, under the \(\mathsf {mheLWE}_{q,\alpha ,m,\ell ,\tau }\) hardness assumption.

Proof

The proof proceeds with a sequence of games that starts with the real game and ends with a game in which the adversary’s advantage is negligible. For each i, we call \(S_i\) the event that the adversary wins in Game i.

Game 0: This is the genuine full security game. Namely: the adversary \(\mathcal {A}\) is given the master public key \(\mathsf {mpk}\); in the challenge phase, adversary \(\mathcal {A}\) comes up with two distinct vectors \(\varvec{y}_0,\varvec{y}_1 \in \mathcal {P}\) and receives an encryption C of \(\varvec{y}_{\beta }\) for \(\beta \hookleftarrow \{0,1\}\) sampled by the challenger; when \(\mathcal {A}\) halts, it outputs \(\beta ' \in \{0,1\}\) and \(S_0\) is the event that \(\beta '=\beta \). Note that any vector \(\varvec{x} \in \mathcal {V}\) queried by \(\mathcal {A}\) to the secret key extraction oracle must satisfy \(\langle \varvec{x},\varvec{y}_0 \rangle = \langle \varvec{x},\varvec{y}_1 \rangle \) over \(\mathbb {Z}\) if \(\mathcal {A}\) is a legitimate adversary.

Game 1: We modify the generation of \(C= (\varvec{c}_0,\varvec{c}_1)\) in the challenge phase. Namely, at the outset of the game, the challenger picks \(\varvec{s} \hookleftarrow \mathbb {Z}_q^n\), \(\varvec{e}_0 \hookleftarrow D_{\mathbb {Z},\alpha q}^m\) (which may be chosen ahead of time) as well as \(\mathbf {Z} \hookleftarrow \tau \). The master public key \(\mathsf {mpk}\) is computed by setting \(\mathbf {U} = \mathbf {Z} \cdot \mathbf {A} \bmod q\). In the challenge phase, the challenger picks a random bit \(\beta \hookleftarrow \{0,1\}\) and encrypts \(\varvec{y}_{\beta }\) by computing (modulo q)

$$\begin{aligned} \varvec{c}_0= & {} \mathbf {A} \cdot \varvec{s} + \varvec{e}_0, \\ \varvec{c}_1= & {} \mathbf {Z} \cdot \varvec{c}_0 - \mathbf {Z} \cdot \varvec{e}_0 +\varvec{e}_1 + \left\lfloor q/K \right\rfloor \cdot \varvec{y}_{\beta }, \end{aligned}$$

with \(\varvec{e}_1 \hookleftarrow D_{\mathbb {Z}, \alpha q}^{\ell }\). As the distribution of C is the same as in Game 0, we have \(\Pr [S_1]=\Pr [S_0]\).

Game 2: We modify again the generation of \(C= (\varvec{c}_0, \varvec{c}_1)\) in the challenge phase. Namely, the challenger picks \(\varvec{u} \hookleftarrow \mathbb {Z}_q^m\), sets \(\varvec{c}_0 = \varvec{u}\) and computes \(\varvec{c}_1\) using \(\varvec{c}_0, \mathbf {Z}\) and \(\varvec{e}_0\) as in Game 1.

Under the \(\mathsf {mheLWE}\) hardness assumption with \(t= \ell \), this modification has no noticeable effect on the behavior of \(\mathcal {A}\). Below, we prove that \(\Pr [S_2] \approx 1/2\), which completes the proof of the theorem.

Let \(\varvec{x}^{i} \in \mathcal {V}\) be the vectors corresponding to the secret key queries made by \(\mathcal {A}\). As \(\mathcal {A}\) is a legitimate adversary, we have \(\langle \varvec{x}^{i}, \varvec{y}_0 \rangle = \langle \varvec{x}^{i}, \varvec{y}_1 \rangle \) over \(\mathbb {Z}\) for each secret key query \(\varvec{x}^{i}\). Let \(g \ne 0\) be the gcd of the coefficients of \(\varvec{y}_1 - \varvec{y}_0\) and define \(\varvec{y} = (y_1,\ldots , y_{\ell }) = \frac{1}{g} (\varvec{y}_1 - \varvec{y}_0)\). We have that \(\langle \varvec{x}^{i}, \varvec{y}\rangle = 0 \) (over \(\mathbb {Z}\)) for all i. Consider the lattice \(\{\varvec{x} \in \mathbb {Z}^{\ell }: \langle \varvec{x}, \varvec{y} \rangle = 0\}\): all the queries \(\varvec{x}^{i}\) must belong to that lattice. Without loss of generality, we assume the first \(n_0\) entries of \(\varvec{y}\) are zero (for some \(n_0\)), and all remaining entries are non-zero. Further, the rows of the following matrix form a basis of a full-dimensional sublattice:

We may assume that through the secret key queries, the adversary learns exactly \(\mathbf {X}_{top} \mathbf {Z}\), as all the queried vectors \(\varvec{x}^i\) can be obtained as rational combinations of the rows of \(\mathbf {X}_{top}\).

Let \(\mathbf {X}_{bot} = \varvec{y}^T \in \mathbb {Z}^{1 \times \ell }\). Consider the matrix \(\mathbf {X} \in \mathbb {Z}_q^{\ell \times \ell }\) obtained by putting \(\mathbf {X}_{top}\) on top of \(\mathbf {X}_{bot}\). We claim that \(\mathbf {X}\) is invertible modulo q. To see this, observe that

It can be proved by induction that its determinant is

$$\begin{aligned} \det (\mathbf {X}\mathbf {X}^T) = (\prod _{k=n_0+2}^{\ell -1} y_k^2) \cdot \Vert \mathbf {y}\Vert ^4. \end{aligned}$$

As each of the \(y_k\)’s is small and non-zero, they are all non-zero modulo prime q. Similarly, the integer \((\sum _{k=n_0+1}^{\ell } y_k^2)\) is non-zero and \(<\ell P^2 < q\). This shows that \((\det \mathbf {X})^2 \ne 0 \bmod q\), which implies that \(\mathbf {X}\) is invertible modulo q.

In Game 2, we have \(\varvec{c}_1 = \mathbf {Z} \varvec{u} - \varvec{f} + \left\lfloor q/K \right\rfloor \cdot \varvec{y}_{\beta }\), with \(\varvec{f} := -\mathbf {Z} \varvec{e}_0 + \varvec{e}_1\). We write:

$$\begin{aligned} \varvec{c}_1 = \mathbf {X}^{-1} \cdot \mathbf {X} \cdot \left( \mathbf {Z} \varvec{u} - \varvec{f} + \left\lfloor q/K \right\rfloor \cdot \varvec{y}_{\beta } \right) \ \bmod \ q. \end{aligned}$$

We will show that the distribution of \(\mathbf {X} \cdot \varvec{c}_1 \bmod q\) is (almost) independent of \(\beta \). As \(\mathbf {X}\) is (almost) independent of \(\beta \) and invertible over \(\mathbb {Z}_q\), this implies that the distribution of \(\varvec{c}_1\) is (almost) independent of \(\beta \) and \(\Pr [S_2] \approx 1/2\).

The first \( \ell - 1\) entries of \(\mathbf {X} \cdot \varvec{c}_1\) do not depend on \(\beta \) because \(\mathbf {X}_{top} \cdot \varvec{y}_0 = \mathbf {X}_{top} \cdot \varvec{y}_1 \bmod q\).

It remains to prove that the last entry of \(\mathbf {X} \cdot \varvec{c}_1 \bmod q\) is (almost) independent of \(\beta \). For this, we show that the residual distribution of \(\mathbf {X}_{bot} \mathbf {Z}\) given the tuple \((\mathbf {A}, \mathbf {Z} \mathbf {A}, \mathbf {X}_{top} \mathbf {Z})\) has high entropy. Using (a variant of) the leftover hash lemma with randomness \(\mathbf {X}_{bot} \mathbf {Z}\) and seed \(\varvec{u}\), we will then conclude that given \((\mathbf {A}, \mathbf {Z} \mathbf {A}, \mathbf {X}_{top} \mathbf {Z})\), the pair \((\varvec{u}, \mathbf {X}_{bot} \mathbf {Z} \varvec{u})\) is close to uniform and hence statistically hides \(\left\lfloor q/K \right\rfloor \cdot \varvec{y}_{\beta }\) in \(\varvec{c}_1\).

Write \(\mathbf {A} = (\mathbf {A}_1^T | \mathbf {A}_2^T)^T\) with \(\mathbf {A}_1, \mathbf {A}_2 \in \mathbb {Z}_q^{(m/2) \times n}\). Similarly, write \(\mathbf {Z} = (\mathbf {Z}_1 | \mathbf {Z}_2)\) with \(\mathbf {Z}_1, \mathbf {Z}_2 \in \mathbb {Z}_q^{\ell \times (m/2)}\). Recall that by construction, every entry of \(\mathbf {Z}_1\) is independently sampled from a zero-centered integer Gaussian of standard deviation parameter \(\sigma _1 = \varTheta (\sqrt{n \log m} \max (\sqrt{m},K))\). Further, every entry of \(\mathbf {Z}_2\) is independently sampled from a (not zero-centered) integer Gaussian of standard deviation parameter \(\sigma _2\) that is larger than \(\sigma _1\).

Lemma 1

Conditioned on \((\mathbf {A},\mathbf {Z}\mathbf {A}, \mathbf {X}_{top} \mathbf {Z}_1)\), the row vector \(\mathbf {X}_{bot} \mathbf {Z}_1\) is distributed as \(\varvec{c} + D_{\Vert \varvec{y}\Vert ^2 \mathbb {Z}^{m/2}, \Vert \varvec{y}\Vert \sigma _1, -\varvec{c}}\) for some vector \(\varvec{c}\) that depends only on \(\mathbf {X}_{top} \mathbf {Z}_1\).

Proof

Thanks to [35, Corollary 2.8], we have that \(\mathbf {Z}_2\mathbf {A}_2\) is within \(2^{-\varOmega (n)}\) statistical distance to uniform. It hence statistically hides the term \(\mathbf {Z}_1\mathbf {A}_1\) in \(\mathbf {Z}\mathbf {A} = \mathbf {Z}_1\mathbf {A}_1 + \mathbf {Z}_2\mathbf {A}_2\), and we obtain that given \((\mathbf {A},\mathbf {Z}\mathbf {A})\), the distribution of each entry of \(\mathbf {Z}_1\) is still \(D_{\mathbb {Z},\sigma _1}\).

Note that in \(\mathbf {X}_{top} \mathbf {Z}_1\) and \(\mathbf {X}_{bot} \mathbf {Z}_1\), matrices \(\mathbf {X}_{top}\) and \(\mathbf {X}_{bot}\) act in parallel on the columns of \(\mathbf {Z}_1\). To prove the claim, it suffices to consider the distribution of \(\mathbf {X}_{bot} \varvec{z}\) conditioned on \(\mathbf {X}_{top} \varvec{z}\), with \(\varvec{z}\) sampled from \(D_{\mathbb {Z}^\ell , \sigma _1}\). Let \(\varvec{b} = \mathbf {X}_{top} \varvec{z} \in \mathbb {Z}^{\ell -1}\) and fix \(\varvec{z}_0 \in \mathbb {Z}^{\ell }\) arbitrary such that \(\varvec{b} = \mathbf {X}_{top} \varvec{z}_0\). The distribution of \(\varvec{z}\) given that \(\mathbf {X}_{top} \varvec{z} = \varvec{b}\) is \(\varvec{z}_0 + D_{\varLambda , \sigma _1, -\varvec{z}_0}\), with \(\varLambda = \{\varvec{x} \in \mathbb {Z}^{\ell }: \mathbf {X}_{top} \varvec{x} = \varvec{0}\}\). By construction of \(\mathbf {X}\), we have that \(\varLambda = \mathbb {Z}\varvec{y}\). As a result, the conditional distribution of \(\mathbf {X}_{bot} \varvec{z}\) is \(c + D_{\Vert \varvec{y}\Vert ^2 \mathbb {Z}, \Vert \varvec{y}\Vert \sigma _1, -c}\) with \(c = \langle \varvec{y}, \varvec{z}_0 \rangle \in \mathbb {Z}\).     \(\square \)

Now, let us write \(\varvec{u} = (\varvec{u}_1^T | \varvec{u}_2^T)^T\) for vectors \(\varvec{u}_1, \varvec{u}_2 \in \mathbb {Z}_q^{m/2}\). We have \(\mathbf {X}_{bot} \mathbf {Z} \varvec{u} = \mathbf {X}_{bot} \mathbf {Z}_1 \varvec{u}_1 + \mathbf {X}_{bot} \mathbf {Z}_2 \varvec{u}_2\). Thanks to the claim above and the result of [35, Corollary 2.8], we obtain that the distribution of \((\varvec{u}_1, \langle D_{\Vert \varvec{y}\Vert ^2 \mathbb {Z}^{m/2}, \Vert \varvec{y}\Vert \sigma _1, -\varvec{c}}, \varvec{u}_1\rangle )\) is within \(2^{-\varOmega (n)}\) statistical distance to uniform (note that \(\Vert \varvec{y}\Vert ^2\) is invertible modulo q, that \(D_{\Vert \varvec{y}\Vert ^2 \mathbb {Z}^{m/2}, \Vert \varvec{y}\Vert \sigma _1, -\varvec{c}} = \Vert \varvec{y}\Vert ^2 \cdot D_{\mathbb {Z}^{m/2}, \sigma _1/\Vert \varvec{y}\Vert , -\varvec{c}/\Vert \varvec{y}\Vert ^2}\), and that \(\sigma _1/\Vert \varvec{y}\Vert \) satisfies the assumption of [35, Corollary 2.8]). This implies that given \((\mathbf {A}, \mathbf {Z} \mathbf {A}, \mathbf {X}_{top} \mathbf {Z})\), the pair \((\varvec{u}, \mathbf {X}_{bot} \mathbf {Z} \varvec{u})\) is close to uniform, which completes the security proof.    \(\square \)

4.2 Inner Products Modulo a Prime p

We now modify the \(\mathsf {LWE}\)-based scheme above so that it enables secure functional encryption for inner products modulo prime p. The plaintext and key vectors now belong to \(\mathbb {Z}_p^{\ell }\).

Note that the prior scheme evaluates inner products over the integers and is insecure if ported as is to the modulo p setting. To see this, consider the following simple attack, in which the adversary requests a single key \(\mathbf {x}\) whose integer inner products with the challenge messages \(\mathbf {y}_0\) and \(\mathbf {y}_1\) differ by a non-zero multiple of p. Since the functionality only requires the inner product evaluations to agree modulo p, this is an admissible query. However, since decryption is performed over \(\mathbb {Z}_q\) with q much larger than p, the adversary can easily distinguish. To prevent this attack, we scale the encrypted message by a factor of q / p (instead of \(\lfloor q/K \rfloor \) as in the previous scheme): decryption modulo q forces arithmetic modulo p on the underlying plaintext.

A related difficulty in adapting the previous \(\mathsf {LWE}\)-based scheme to modular inner products is the distribution of the noise component after inner product evaluation. Ciphertexts are manipulated modulo q, which internally manipulates plaintexts modulo p. If implemented naively, the carries of the plaintext computations may spill outside of the plaintext slots and bias the noise components of the ciphertexts. This may result in distinguishing attacks. To handle this, we take q a multiple of p. This adds some technical complications, as \(\mathbb {Z}_q\) is hence not a field anymore.

A different attack is that the adversary may request keys for vectors that are linearly dependent modulo p but linearly independent over the integers. Note that with \(\ell \) such queries, the attacker can recover the master secret key. To prevent this attack, we modify the scheme in that the authority is now stateful and keeps a record of all key queries made so far, so that it can make sure that key queries that are linearly dependent modulo p remain so modulo q. We also take q a power of p to simplify the implementation of this idea.

We note that for our application to bounded query FE for all circuits, all queries will be linearly independent modulo p, hence we will not require a stateful keygen. For details, see Sect. 6.

We now describe our scheme for inner products modulo p.

  • Setup \((1^n,1^\ell ,p)\) : Set integers \(m, q = p^k\) for some integer k, real \(\alpha \in (0,1)\) and distribution \(\tau \) over \(\mathbb {Z}^{\ell \times m}\) as explained below. Sample \(\mathbf {A} \hookleftarrow \mathbb {Z}_q^{m \times n}\) and \(\mathbf {Z} \hookleftarrow \tau \). Compute \(\mathbf {U} = \mathbf {Z} \cdot \mathbf {A} \in \mathbb {Z}_q^{\ell \times n}\). Define \(\mathsf {mpk} := (\mathbf {A}, \mathbf {U})\) and \(\mathsf {msk}:= \mathbf {Z}\).

  • Keygen \((\mathsf {msk},\varvec{x}, \mathsf {st})\) : Given a vector \(\varvec{x}\in \mathbb {Z}_p^{\ell }\), and an internal state \(\mathsf {st}\), compute the secret key \(\varvec{z}_{\varvec{x}}\) as follows. Recall that Keygen is a stateful algorithm with empty initial state \(\mathsf {st}\). At any point in the scheme execution, the state \(\mathsf {st}\) contains at most \(\ell \) tuples \((\varvec{x}_i, \overline{\varvec{x}}_i, \varvec{z}_i)\) where the \(\varvec{x}_i\)’s are (a subset of the) key queries that have been made so far, and the \((\overline{\varvec{x}}_i, \varvec{z}_i)\)’s are the corresponding secret keys. If \(\varvec{x}\) is linearly independent from the \(\varvec{x}_i\)’s modulo p, set \(\overline{\varvec{x}} = \varvec{x} \in \mathbb {Z}^{\ell }\) (with coefficients in [0, p)), \(\varvec{z}_{\varvec{x}} = \overline{\varvec{x}}^T \cdot \mathbf {Z} \in \mathbb {Z}^m\) and add \((\varvec{x}, \overline{\varvec{x}}, \varvec{z}_{\varvec{x}})\) to \(\mathsf {st}\). If \(\varvec{x} = \sum _i k_i \varvec{x}_i \bmod p\) for some \(k_i\)’s in [0, p), then set \(\overline{\varvec{x}} = \sum _i k_i \overline{\varvec{x}}_i \in \mathbb {Z}^{\ell }\) and \(\varvec{z}_{\varvec{x}} = \sum _i k_i \varvec{z}_i \in \mathbb {Z}^m\). In both cases, return \((\overline{\varvec{x}}, \varvec{z}_{\varvec{x}})\).

  • Encrypt \((\mathsf {mpk},\varvec{y})\) : To encrypt a vector \(\varvec{y}\in \mathbb {Z}_p^{\ell }\), sample \(\varvec{s} \hookleftarrow \mathbb {Z}_q^n\), \(\varvec{e}_0 \hookleftarrow D_{\mathbb {Z},\alpha q}^m\) and \(\varvec{e}_1 \hookleftarrow D_{\mathbb {Z}, \alpha q}^{\ell }\) and compute

    $$\begin{aligned} \varvec{c}_0= & {} \mathbf {A} \cdot \varvec{s}+ \varvec{e}_0 \in \mathbb {Z}_q^m, \\ \varvec{c}_1= & {} \mathbf {U} \cdot \varvec{s} + \varvec{e}_1 + p^{k-1} \cdot \varvec{y} \in \mathbb {Z}_q^{\ell }. \end{aligned}$$

    Then, return \(C:= (\varvec{c}_0,\varvec{c}_1)\).

  • Decrypt \((\mathsf {mpk}, (\overline{\varvec{x}}, \varvec{z}_{\varvec{x}}),C)\) : Given a ciphertext \(C:= (\varvec{c}_0,\varvec{c}_1)\) and a secret key \((\overline{\varvec{x}}, \varvec{z}_{\varvec{x}})\) for \(\varvec{x} \in \mathbb {Z}_p^{\ell }\), compute \(\mu '= \langle \overline{\varvec{x}}, \varvec{c}_1 \rangle - \langle \varvec{z}_{\varvec{x}}, \varvec{c}_0 \rangle \bmod q\) and output the value \(\mu \in \mathbb {Z}_p\) that minimizes \(|p^{k-1} \cdot \mu - \mu '|\).
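The stateful Keygen above, as an added toy example that is not the paper's code. It isolates the mechanism that distinguishes this scheme from the one of Subsect. 4.1: a query that is linearly dependent modulo p on earlier queries is answered with the same integer combination \(\overline{\varvec{x}} = \sum _i k_i \overline{\varvec{x}}_i\) and \(\varvec{z}_{\varvec{x}} = \sum _i k_i \varvec{z}_i\), so the relation \(\varvec{z}_{\varvec{x}} = \overline{\varvec{x}}^T \mathbf {Z}\) that decryption relies on holds over \(\mathbb {Z}\), while \(\overline{\varvec{x}}\) is allowed to have coefficients outside [0, p). Two assumptions of this example, not the paper's choices: \(\mathbf {Z}\) is a small rounded Gaussian rather than \(\tau \), and linear dependence modulo p is detected by brute force over the coefficient vectors \((k_1,\ldots ,k_j) \in [0,p)^j\), which is only sensible for the tiny p and \(\ell \) used here.

```python
# Added toy example of the stateful Keygen of Sect. 4.2 (not the paper's code).
# Assumptions: Z has rounded-Gaussian entries instead of tau, and dependence modulo p is
# found by brute force over (k_1, ..., k_j) in [0, p)^j (fine for tiny p and ell only).
import itertools
import random

rng = random.Random(7)  # fixed seed: the example is reproducible


def sample_msk(ell, m, sigma=1.0):
    """Toy master secret Z in Z^{ell x m} (simplified tau)."""
    return [[int(round(rng.gauss(0.0, sigma))) for _ in range(m)] for _ in range(ell)]


def find_combination(x, basis, p):
    """Return (k_1, ..., k_j) with x = sum_i k_i * basis[i] mod p, or None if x is
    linearly independent of basis modulo p. Brute force over [0, p)^j."""
    ell = len(x)
    for ks in itertools.product(range(p), repeat=len(basis)):
        if all(sum(k * b[t] for k, b in zip(ks, basis)) % p == x[t] % p for t in range(ell)):
            return list(ks)
    return None


def key_is_consistent(Z, xbar, z):
    """The invariant decryption relies on: z == xbar^T * Z over the integers."""
    return z == [sum(xbar[i] * Z[i][k] for i in range(len(xbar))) for k in range(len(Z[0]))]


class StatefulKeygen:
    """Keygen(msk, x, st) with the state kept inside the object."""

    def __init__(self, Z, p):
        self.Z, self.p = Z, p
        self.st = []  # tuples (x_i, xbar_i, z_i); at most ell of them, independent mod p

    def keygen(self, x):
        p, Z = self.p, self.Z
        x = [xi % p for xi in x]
        ks = find_combination(x, [t[0] for t in self.st], p)
        if ks is None:
            # Independent modulo p: xbar = x with coefficients in [0, p), z = xbar^T Z.
            xbar = list(x)
            z = [sum(xbar[i] * Z[i][k] for i in range(len(xbar))) for k in range(len(Z[0]))]
            self.st.append((x, xbar, z))
        else:
            # Dependent modulo p: reuse the stored keys with the SAME integer coefficients,
            # so that xbar and z stay tied to the earlier answers over Z, not just mod p.
            xbar = [sum(k * t[1][i] for k, t in zip(ks, self.st)) for i in range(len(x))]
            z = [sum(k * t[2][j] for k, t in zip(ks, self.st)) for j in range(len(Z[0]))]
        return xbar, z


if __name__ == "__main__":
    p, ell, m = 5, 3, 8
    kg = StatefulKeygen(sample_msk(ell, m), p)
    kg.keygen([1, 2, 0])
    kg.keygen([0, 1, 3])
    # [2, 2, 4] = 2*[1, 2, 0] + 3*[0, 1, 3] mod 5, so the answer is built from the state:
    xbar, z = kg.keygen([2, 2, 4])
    print(xbar, len(kg.st))  # xbar = [2, 7, 9] (coefficients above p), state still holds 2 keys
```

Note that \(\overline{\varvec{x}} = (2, 7, 9)\) is congruent to the queried \((2, 2, 4)\) modulo p, but is not reduced: returning \((2,2,4)^T \mathbf {Z}\) instead would hand out a key that is independent of the two stored keys over \(\mathbb {Z}\), which is exactly the linear-dependence situation the text says the state is there to avoid.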

Decryption Correctness. Correctness derives from the following observation:

$$\begin{aligned} \mu '= & {} \langle \overline{\varvec{x}}, \varvec{c}_1 \rangle - \langle \varvec{z}_{\varvec{x}}, \varvec{c}_0 \rangle = p^{k-1} \cdot (\langle \varvec{x}, \varvec{y} \rangle \bmod p) + \langle \overline{\varvec{x}}, \varvec{e}_1 \rangle - \langle \varvec{z}_{\varvec{x}}, \varvec{e}_0 \rangle \bmod q. \end{aligned}$$

By adapting the proof of the first \(\mathsf {LWE}\)-based scheme, we can show that the magnitude of the term \(\langle \overline{\varvec{x}}, \varvec{e}_1 \rangle - \langle \varvec{z}_{\varvec{x}}, \varvec{e}_0 \rangle \) is \(\le \!\ell ^2 p^2 B_{\tau }\alpha q \omega (\sqrt{\log n})\) with probability \(\ge \!1-n^{-\omega (1)}\). This follows from the bound \(\Vert \varvec{z}_{\varvec{x}}\Vert \le \ell \Vert \overline{\varvec{x}}\Vert \le \ell ^2 p^2 B_{\tau }\).

Setting the Parameters. The main difference with the previous \(\mathsf {LWE}\)-based scheme with respect to parameter conditions is the choice of q of the form \(q = p^k\) instead of q prime. As explained just above, correctness may be ensured by setting

$$\begin{aligned} \alpha ^{-1} \ge \ell ^2 p^3 B_{\tau } \omega (\sqrt{\log n}) \ \ \text{ and } \ \ q \ge \alpha ^{-1} \omega (\sqrt{\log n}). \end{aligned}$$

The choice of \(\tau \) is driven by Lemma 2 below (the proof requires that \(\sigma _1\) is large) and the reduction from \(\mathsf {LWE}\) to \(\mathsf {mheLWE}\) (as summarized in Theorem 4), and more precisely from Lemma 4. We may choose \(\tau = D_{\mathbb {Z},\sigma _1}^{\ell \times m/2} \times (D_{\mathbb {Z}^{m/2}, \sigma _2, \varvec{\delta }_1} \times \ldots \times D_{\mathbb {Z}^{m/2}, \sigma _2, \varvec{\delta }_{\ell }})\), where \(\varvec{\delta }_i \in \mathbb {Z}^\ell \) denotes the ith canonical vector, and the standard deviation parameters satisfy \(\sigma _1 = \varTheta (\sqrt{n \log m} \max (\sqrt{m},K'))\) and \(\sigma _2 = \varTheta (n^{7/2} m^{1/2} \max (m,K'^2) \log ^{5/2} m)\), with \(K' = (\sqrt{\ell }p)^{\ell }\).

To ensure security based on \(\mathsf {LWE}_{q,\alpha ',m}\) in dimension \(\ge \!c \cdot n\) for some \(c \in (0,1)\) via Theorems 2 and 4 below, one may further impose that \(\ell \le (1-c) \cdot n\) and \(m = \varTheta (n \log q)\), to obtain \(\alpha ' = \varOmega (\alpha /(n^{6}K'\log ^2 q \log ^{5/2} n))\). Remember that \(\mathsf {LWE}_{q,\alpha ',m}\) enjoys reductions from lattice problems when \(q \ge \varOmega (\sqrt{n} / \alpha ')\).

Note that the parameter conditions make the scheme efficiency degrade quickly when \(\ell \) increases, as \(K'\) is exponential in \(\ell \). Assume that \(p \le n^{O(1)}\) and \(\ell = \varOmega (\log n)\). Then \(\sigma _1\), \(\sigma _2\), \(1/\alpha \), \(1/\alpha '\) and q can all be set as \(2^{\widetilde{O}(\ell )}\). To maintain security against all \(2^{o(\lambda )}\) attacks, one may set \(n = \widetilde{\varTheta }(\ell \lambda )\).

Theorem 3

Assume that \( \ell \le n^{O(1)}\), \(m \ge 4n \log _2 q\) and \(\tau \) is as described above. Then the stateful functional encryption scheme above is fully secure, under the \(\mathsf {mheLWE}_{q,\alpha ,m,\ell ,\tau }\) hardness assumption.

Proof

The sequence of games in the proof of Theorem 2 can be adapted to the modified scheme. The main difficulty is to show that in the adapted version of the last game, the winning probability is close to 1/2. Let us recall that game.

Game \(2'\) : At the outset of the game, the challenger picks \(\varvec{s} \hookleftarrow \mathbb {Z}_q^n\), \(\varvec{e}_0 \hookleftarrow D_{\mathbb {Z},\alpha q}^m\) as well as \(\mathbf {Z} \hookleftarrow \tau \). The master public key \(\mathsf {mpk}\) is computed by setting \(\mathbf {U} = \mathbf {Z} \cdot \mathbf {A} \bmod q\) and is provided to the adversary. In the challenge phase, adversary \(\mathcal {A}\) comes up with two distinct vectors \(\varvec{y}_0,\varvec{y}_1 \in \mathbb {Z}_p^{\ell }\). The challenger picks a random bit \(\beta \hookleftarrow \{0,1\}, \varvec{u} \hookleftarrow \mathbb {Z}_q^m\) and encrypts \(\varvec{y}_{\beta }\) by computing (modulo q)

$$\begin{aligned} \varvec{c}_0= & {} \varvec{u}, \\ \varvec{c}_1= & {} \mathbf {Z} \cdot \varvec{c}_0 - \mathbf {Z} \cdot \varvec{e}_0 +\varvec{e}_1 + p^{k-1} \cdot \varvec{y}_{\beta }, \end{aligned}$$

with \(\varvec{e}_1 \hookleftarrow D_{\mathbb {Z}, \alpha q}^{\ell }\). Note that any vector \(\varvec{x} \in \mathbb {Z}_p^{\ell }\) queried by \(\mathcal {A}\) to the secret key extraction oracle must satisfy \(\langle \varvec{x},\varvec{y}_0 \rangle = \langle \varvec{x},\varvec{y}_1 \rangle \bmod p\) if \(\mathcal {A}\) is a legitimate adversary. Adversary \(\mathcal {A}\) is then given a secret key \((\overline{\varvec{x}},\varvec{z}_{\varvec{x}})\) as in the real scheme. When \(\mathcal {A}\) halts, it outputs \(\beta ' \in \{0,1\}\) and wins in the event that \(\beta '=\beta \).

Define \(\varvec{y} = \varvec{y}_1 - \varvec{y}_0 \in \mathbb {Z}_p^{\ell }\). Let \(\varvec{x}_{i} \in \mathbb {Z}_p^{\ell }\) be the vectors corresponding to the secret key queries made by \(\mathcal {A}\). As \(\mathcal {A}\) is a legitimate adversary, we have \(\langle \varvec{x}_i, \varvec{y} \rangle = 0 \bmod p\) for each secret key query \(\varvec{x}_i\).

We consider the view of the adversary after it has made exactly j key queries that are linearly independent modulo p, for each j from 0 up to \(\ell -1\). In fact, counter j may stop increasing before reaching \(\ell -1\), but without loss of generality, we may assume that it eventually reaches \(\ell -1\). We are to show by induction that for any j, the view of the adversary is almost independent of \(\beta \). In particular, for all \(j < \ell -1\), this implies that the \((j+1)\)th linearly independent key query is almost (statistically) independent of \(\beta \). It also implies, for \(j = \ell -1\), that the adversary’s view through Game \(2'\) is almost independent of \(\beta \), which is exactly what we are aiming for. In what follows, we take \(j \in \{0, \ldots , \ell -1\}\), and assume that state \(\mathsf {st}\) is independent from \(\beta \). We also assume that the jth private key query occurs after the challenge phase since the adversary’s view is trivially independent of \(\beta \) before the generation of the challenge ciphertext.

At this stage, the state \(\mathsf {st}\) contains exactly j tuples \((\varvec{x}_i, \overline{\varvec{x}}_i, \varvec{z}_i)\), where the vectors \(\{\varvec{x}_i \}_{i=1}^j\) form a \(\mathbb {Z}_p\)-basis of a subspace of the \((\ell -1)\)-dimensional vector space \(\varvec{y}^{\perp }:= \{\varvec{x} \in \mathbb {Z}_p^{\ell }: \langle \varvec{x}, \varvec{y} \rangle = 0 \bmod p\}\). From \(\varvec{y}\), we deterministically extend \(\{\varvec{x}_i \}_{i=1}^j\) into a basis of \(\varvec{y}^{\perp }\) that is statistically independent of \(\beta \). A way to interpret this is to imagine that the challenger makes dummy private key queries \(\{\varvec{x}_i \}_{i=j+1}^{\ell -1}\) for itself so as to get a full basis of \(\varvec{y}^{\perp }\) and creates the corresponding \(\{\overline{\varvec{x}}_i \}_{i=j+1}^{\ell -1}\) in \(\mathbb {Z}^{\ell }\). We define \(\mathbf {X}_{top} \in \mathbb {Z}^{(\ell -1) \times \ell }\) as the matrix whose ith row is \(\overline{\varvec{x}}_i\) for all i, including the genuine and dummy keys. Through the secret key queries, the adversary learns at most \(\mathbf {X}_{top} \mathbf {Z} \in \mathbb {Z}^{(\ell -1) \times m}\).

Let \(\varvec{x}' \in \mathbb {Z}_p^{\ell }\) be a vector that does not belong to \(\varvec{y}^{\perp }\), and \(\mathbf {X}_{bot} \in \mathbb {Z}^{1 \times \ell }\) be the canonical lift of \((\varvec{x}')^T\) over the integers. Consider the matrix \(\mathbf {X} \in \mathbb {Z}^{\ell \times \ell }\) obtained by putting \(\mathbf {X}_{top}\) on top of \(\mathbf {X}_{bot}\). By construction, the matrix \(\mathbf {X}\) is invertible modulo p, and hence modulo \(q = p^k\). Also, by induction and construction, \(\mathbf {X} \in \mathbb {Z}^{\ell \times \ell }\) is statistically independent of \(\beta \in \{0,1\}\).

In Game \(2'\), we have \(\varvec{c}_1 = \mathbf {Z} \varvec{u} - \varvec{f} + p^{k-1} \cdot \varvec{y}_{\beta }\), with \(\varvec{f} := -\mathbf {Z} \varvec{e}_0 + \varvec{e}_1\). We write:

$$\begin{aligned} \varvec{c}_1 = \mathbf {X}^{-1} \cdot \mathbf {X} \cdot \left( \mathbf {Z} \varvec{u} - \varvec{f} + p^{k-1} \cdot \varvec{y}_{\beta } \right) \ \bmod \ q. \end{aligned}$$

We will show that the distribution of \(\mathbf {X} \cdot \varvec{c}_1 \bmod q\) is (almost) independent of \(\beta \). As the matrix \(\mathbf {X}\) is independent of \(\beta \in \{0,1\}\) and invertible over \(\mathbb {Z}_q\), this implies that the distribution of \(\varvec{c}_1\) is statistically independent of \(\beta \) (recall that \(\mathbf {X}\) is information-theoretically known to \(\mathcal {A}\), which means that, if \(\varvec{c}_1\) carries any noticeable information on \(\beta \), so does \(\mathbf {X} \cdot \varvec{c}_1 \bmod q\)). This ensures that the winning probability in Game \(2'\) is negligibly far from 1 / 2.

First, the first \(\ell - 1\) entries of \(\mathbf {X} \cdot \varvec{c}_1\) do not depend on \(\beta \) because we have the equality \(p^{k-1} \cdot \mathbf {X}_{top} \cdot \varvec{y}_0 = p^{k-1} \cdot \mathbf {X}_{top} \cdot \varvec{y}_1 \bmod q\) by construction of \(\mathbf {X}_{top}\).

It remains to prove that the last entry of \(\mathbf {X} \cdot \varvec{c}_1 \bmod q\) is (almost) independent of \(\beta \). Let us write \(\mathbf {A} = (\mathbf {A}_1^T | \mathbf {A}_2^T)^T\) with \(\mathbf {A}_1, \mathbf {A}_2 \in \mathbb {Z}_q^{(m/2) \times n}\). Similarly, we also write \(\mathbf {Z} = (\mathbf {Z}_1 | \mathbf {Z}_2)\) with \(\mathbf {Z}_1, \mathbf {Z}_2 \in \mathbb {Z}^{\ell \times (m/2)}\). Recall that by construction, every entry of \(\mathbf {Z}_1\) is independently sampled from a zero-centered integer Gaussian of standard deviation parameter \(\sigma _1 = \varTheta (\sqrt{n \log m} \max (\sqrt{m},K'))\) with \(K' = (\sqrt{\ell }p)^{\ell }\). Further, every entry of \(\mathbf {Z}_2\) is independently sampled from a (not zero-centered) integer Gaussian of standard deviation parameter \(\sigma _2\) that is larger than \(\sigma _1\).

Lemma 2

Conditioned on \((\mathbf {A},\mathbf {Z}\mathbf {A}, \mathbf {X}_{top} \mathbf {Z}_1)\), the row vector \(\mathbf {X}_{bot} \mathbf {Z}_1 \bmod p\) is within negligible statistical distance from the uniform distribution over \(\mathbb {Z}_p^{m/2}\).

Proof

Thanks to [35, Corollary 2.8], we have that \(\mathbf {Z}_2\mathbf {A}_2\) is within \(2^{-\varOmega (n)}\) statistical distance to uniform over \(\mathbb {Z}_q^{(\ell -1)\times m}\). It hence statistically hides the term \(\mathbf {Z}_1\mathbf {A}_1\) in \(\mathbf {Z}\mathbf {A} = \mathbf {Z}_1\mathbf {A}_1 + \mathbf {Z}_2\mathbf {A}_2 \bmod q\), and we obtain that given \((\mathbf {A},\mathbf {Z}\mathbf {A})\), the distribution of each entry of \(\mathbf {Z}_1\) is still \(D_{\mathbb {Z},\sigma _1}\).

Note that in \(\mathbf {X}_{top} \mathbf {Z}_1\) and \(\mathbf {X}_{bot} \mathbf {Z}_1\), matrices \(\mathbf {X}_{top}\) and \(\mathbf {X}_{bot}\) act in parallel on the columns of \(\mathbf {Z}_1\). To prove the claim, it suffices to consider the distribution of \(\mathbf {X}_{bot} \varvec{z}\) conditioned on \(\mathbf {X}_{top} \varvec{z}\), with \(\varvec{z}\) sampled from \(D_{\mathbb {Z}^\ell , \sigma _1}\). Let \(\varvec{b} = \mathbf {X}_{top} \varvec{z} \in \mathbb {Z}^{\ell -1}\) and fix \(\varvec{z}_0 \in \mathbb {Z}^{\ell }\) arbitrary such that \(\varvec{b} = \mathbf {X}_{top} \varvec{z}_0\). The distribution of \(\varvec{z}\) given that \(\mathbf {X}_{top} \varvec{z} = \varvec{b}\) is \(\varvec{z}_0 + D_{\varLambda , \sigma _1, -\varvec{z}_0}\), with \(\varLambda = \{\varvec{x} \in \mathbb {Z}^{\ell }: \mathbf {X}_{top} \varvec{x} = \varvec{0}\}\) (where the equality holds over the integers). Note that \(\varLambda \) is a 1-dimensional lattice in \(\mathbb {Z}^{\ell }\).

We can write \(\varLambda = \varvec{y}'\cdot \mathbb {Z}\), for some \(\varvec{y}'\in \mathbb {Z}^{\ell }\). Note that there exists \(\alpha \in \mathbb {Z}_p\setminus \{0\}\) such that \(\varvec{y}' = \alpha \cdot \varvec{y} \bmod p\): otherwise, the vector \(\varvec{y}' / p\) would belong to \(\varLambda \setminus \varvec{y}' \cdot \mathbb {Z}\), contradicting the definition of \(\varvec{y}'\). Further, we have \(\Vert \varvec{y}'\Vert = \det \varLambda \le \det \varLambda '\), where \(\varLambda '\) is the lattice spanned by the rows of \(\mathbf {X}_{top}\) (see, e.g., [48], for properties on orthogonal lattices). Hadamard’s bound implies that \(\Vert {\varvec{y}}'\Vert \le (\sqrt{\ell } p)^{\ell -1}\).

By [35, Corollary 2.8], the fact that \(\sigma _1 \ge \sqrt{n} (\sqrt{\ell } p)^{\ell }\) implies that the distribution \((D_{\varLambda , \sigma _1, -\varvec{z}_0} \bmod p \varLambda )\) is within \(2^{-\varOmega (n)}\) statistical distance from the uniform distribution over \( \varLambda / p \varLambda \simeq \varvec{y} \mathbb {Z}_p\). We conclude that the conditional distribution of \((\mathbf {X}_{bot} \varvec{z} \bmod p)\) is within exponentially small statistical distance from the uniform distribution over \(\mathbb {Z}_p\) (here we use the facts that p is prime and that \(\mathbf {X}_{bot} \varvec{y} \ne 0 \bmod p\), by construction of \(\mathbf {X}_{bot}\)).    \(\square \)

Now, write \(\varvec{u} = (\varvec{u}_1^T | \varvec{u}_2^T)^T\) with \(\varvec{u}_1, \varvec{u}_2 \in \mathbb {Z}_q^{m/2}\). We have \(\mathbf {X}_{bot} \mathbf {Z} \varvec{u} = \mathbf {X}_{bot} \mathbf {Z}_1 \varvec{u}_1 + \mathbf {X}_{bot} \mathbf {Z}_2 \varvec{u}_2\). Thanks to Lemma 2 and a variant of the leftover hash lemma modulo \(q = p^k\) (given in the full version of the paper [4]), we obtain that conditioned on \((\mathbf {A}, \mathbf {Z} \mathbf {A}, \mathbf {X}_{top} \mathbf {Z})\), the distribution of \((\varvec{u}_1, \mathbf {X}_{bot} \mathbf {Z}_1 \varvec{u}_1)\) is within \(2^{-\varOmega (n)}\) statistical distance to uniform modulo q (here we used the assumption that \(m \ge k + n/(\log p)\)). This implies that given \((\mathbf {A}, \mathbf {Z} \mathbf {A}, \mathbf {X}_{top} \mathbf {Z})\), the pair \((\varvec{u}, \mathbf {X}_{bot} \mathbf {Z} \varvec{u})\) is close to uniform, which completes the security proof.    \(\square \)

4.3 Hardness of Multi-hint Extended-\(\mathsf {LWE}\)

In this section, we prove the following theorem, which shows that for some parameters, the \(\mathsf {mheLWE}\) problem is no easier than the \(\mathsf {LWE}\) problem.

Theorem 4

Let \(n \ge 100\), \(q\ge 2\), \(t < n\) and m with \(m = \varOmega (n \log n)\) and \(m \le n^{O(1)}\). There exists \(\xi \le O(n^4 m^2 \log ^{5/2} n)\) and a distribution \(\tau \) over \(\mathbb {Z}^{t \times m}\) such that the following statements hold:

  • There is a reduction from \(\mathsf {LWE}_{q,\alpha , m}\) in dimension \(n-t\) to \(\mathsf {mheLWE}_{q, \alpha \xi , m, t, \tau }\) that reduces the advantage by at most \(2^{\varOmega (t-n)}\),

  • It is possible to sample from \(\tau \) in time polynomial in n,

  • Each entry of matrix \(\tau \) is an independent discrete Gaussian \(\tau _{i,j} = D_{\mathbb {Z}, \sigma _{i,j}, \varvec{c}_{i,j}}\) for some \(\varvec{c}_{i,j}\) and \(\sigma _{i,j} \ge \varOmega (\sqrt{m n\log m})\),

  • With probability \(\ge \!1-n^{-\omega (1)}\), all rows from a sample from \(\tau \) have norms \(\le \!\xi \).

Our reduction from \(\mathsf {LWE}\) to \(\mathsf {mheLWE}\) proceeds as the reduction from \(\mathsf {LWE}\) to extended-\(\mathsf {LWE}\) from [20], using the matrix gadget from [45] to handle the multiple hints. We first reduce \(\mathsf {LWE}\) to the following variant of \(\mathsf {LWE}\) in which the first samples are noise-free. This problem generalizes the first-is-errorless \(\mathsf {LWE}\) problem from [20].

Definition 5

(First-are-errorless \(\mathsf {LWE}\) ). Let \(q, \alpha , m, t\) be functions of a parameter n. The first-are-errorless \(\mathsf {LWE}\) problem \(\mathsf {faeLWE}_{q,\alpha ,m, t}\) is defined as follows: For \(\mathbf {s} \hookleftarrow \mathbb {Z}_q^n\), the goal is to distinguish between the following two scenarios. In the first, all m samples are uniform over \(\mathbb {Z}_q^n \times \mathbb {Z}_q\). In the second, the first t samples are from \(A_{q,\{0\},\varvec{s}}\) (where \(\{0\}\) denotes the distribution that is deterministically zero) and the rest are from \(A_{q,\alpha ,\varvec{s}}\).

Lemma 3

For any \(n > t\), \(m, q \ge 2\), and \(\alpha \in (0,1)\), there is an efficient reduction from \(\mathsf {LWE}_{q,\alpha ,m}\) in dimension \(n-t\) to \(\mathsf {faeLWE}_{q,\alpha ,m,t}\) in dimension n that reduces the advantage by at most \(2^{-n+t+1}\).

The proof, postponed to the appendices, is a direct adaptation of the one of [20, Lemma 4.3].

In our reduction from \(\mathsf {faeLWE}\) to \(\mathsf {mheLWE}\), we use the following gadget matrix from [45, Corollary 10]. It generalizes the matrix construction from [20, Claim 4.6].

Lemma 4

Let \(n,m_1, m_2\) with \(100 \le n \le m_1 \le m_2 \le n^{O(1)}\). Let \(\sigma _1,\sigma _2>0\) be standard deviation parameters such that \(\sigma _1 \ge \varOmega (\sqrt{m_1n \log m_1})\), \(m_1 \ge \varOmega (n \log (\sigma _1 n))\) and \(\sigma _2 \ge \varOmega (n^{5/2}\sqrt{m_1} \sigma _1^2 \log ^{3/2}(m_1 \sigma _1))\). Let \(m = m_1 + m_2\). There exists a probabilistic polynomial time algorithm that given \(n,m_1,m_2\) (in unary) and \(\sigma _1,\sigma _2\) as inputs, outputs \(\mathbf {G} \in \mathbb {Z}^{m \times m}\) such that:

  • The top \(n \times m\) submatrix of \(\mathbf {G}\) is within statistical distance \(2^{-\varOmega (n)}\) of \(\tau = D_{\mathbb {Z},\sigma _1}^{n \times m_1}\times (D_{\mathbb {Z}^{m_2},\sigma _2,\varvec{\delta }_1} \times \ldots \times D_{\mathbb {Z}^{m_2},\sigma _2,\varvec{\delta }_n})^T\) with \(\varvec{\delta }_i\) denoting the ith canonical unit vector,

  • We have \(|\det (\mathbf {G})|=1\) and \(\Vert \mathbf {G}^{-1}\Vert \le O(\sqrt{n m_2}\sigma _2)\), with probability \(\ge \!1-2^{-\varOmega (n)}\).

Lemma 5

Let \(n, m_1, m_2, m, \sigma _1, \sigma _2, \tau \) be as in Lemma 4, and \(\xi \ge \varOmega (\sqrt{n m_2}\sigma _2)\). Let \(q \ge 2\), \(t \le n\), \(\alpha \ge \varOmega (\sqrt{n}/q)\). Let \(\tau _t\) be the distribution obtained by keeping only the first t rows from a sample from \(\tau \). There is a (dimension-preserving) reduction from \(\mathsf {faeLWE}_{q,\alpha ,m,t}\) to \(\mathsf {mheLWE}_{q,2\alpha \xi , m, t, \tau _t}\) that reduces the advantage by at most \(2^{-\varOmega (n)}\).

Proof

Let us first describe the reduction. Let \((\mathbf {A},\varvec{b}) \in \mathbb {Z}_q^m \times \mathbb {Z}_q\) be the input, which is either sampled from the uniform distribution, or from distribution \(A_{q,\{0\},\varvec{s}}^t \times A_{q,\alpha ,\varvec{s}}^{m-t}\) for some fixed \(\varvec{s}\hookleftarrow \mathbb {Z}_q^n\). Our objective is to distinguish between the two scenarios, using an \(\mathsf {mheLWE}\) oracle. We compute \(\mathbf {G}\) as in Lemma 4 and let \(\mathbf {U}= \mathbf {G}^{-1}\). We let \(\mathbf {Z} \in \mathbb {Z}^{t \times m}\) denote the matrix formed by the top t rows of \(\mathbf {G}\), and let \(\mathbf {U}' \in \mathbb {Z}^{m \times (m-t)}\) denote the matrix formed by the right \(m-t\) columns of \(\mathbf {U}\). By construction, we have \(\mathbf {Z}\mathbf {U}' = \mathbf {0}\). We define \(\mathbf {A'}= \mathbf {U} \cdot \mathbf {A} \bmod q\). We sample \(\varvec{f} \hookleftarrow D_{\alpha q(\xi ^2\mathbf {I} - \mathbf {U}' \mathbf {U}'^T)^{1/2}}\) (thanks to Lemma 4 and the choice of \(\xi \), the matrix \(\xi ^2\mathbf {I} - \mathbf {U}' \mathbf {U}'^T\) is positive definite). We sample \(\varvec{e}'\) from \(\{0\}^t \times D_{\alpha q}^{m-t}\) and define \(\varvec{b}'= \mathbf {U} \cdot (\varvec{b} + \varvec{e}') + \varvec{f}\). We then sample \(\varvec{c} \hookleftarrow D_{\mathbb {Z}^m - \varvec{b}', \sqrt{2} \alpha \xi q}\), and define \(\varvec{h} = \mathbf {Z} (\varvec{f}+\varvec{c})\).

Finally, the reduction calls the \(\mathsf {mheLWE}\) oracle on input \((\mathbf {A'}, \varvec{b}'+\varvec{c}, \mathbf {Z}, \varvec{h})\), and outputs the reply.

Correctness is obtained by showing that distribution \(A_{q,\{0\},\varvec{s}}^t \times A_{q,\alpha ,\varvec{s}}^{m-t}\) is mapped to the \(\mathsf {mheLWE}\) “LWE” distribution and that the uniform distribution is mapped to the \(\mathsf {mheLWE}\) “uniform” distribution, up to \(2^{-\varOmega (n)}\) statistical distances (we do not discuss these tiny statistical discrepancies below). The proof is identical to the reduction analysis in the proof of [20, Lemma 4.7].    \(\square \)

Theorem 4 is obtained by combining Lemmas 3, 4 and 5.

5 Constructions Based on Paillier

In this section, we show how to remove the main limitation of our \(\mathsf {DDH}\)-based system which is its somewhat expensive decryption algorithm. To this end, we use Paillier’s cryptosystem [51] and the property that, for an RSA modulus \(N=pq\), the multiplicative group \(\mathbb {Z}_{N^2}^*\) contains a subgroup of order N (generated by \((N+1)\)) in which the discrete logarithm problem is easy. We also rely on the observation [21, 22] that combining the Paillier and Elgamal encryption schemes makes it possible to decrypt without knowing the factorization of \(N=pq\).

5.1 Computing Inner Products over \(\mathbb {Z}\)

In the following scheme, key vectors \(\varvec{x}\) and message vectors \(\varvec{y}\) are assumed to be of bounded norm \(\Vert \varvec{x}\Vert \le X\) and \(\Vert \varvec{y}\Vert \le Y\), respectively. The bounds X and Y are chosen so that \(X \cdot Y < N\), where N is the composite modulus of Paillier’s cryptosystem. Decryption allows one to recover \(\langle \varvec{x}, \varvec{y} \rangle \bmod N\), which is exactly \(\langle \varvec{x}, \varvec{y} \rangle \) over the integers, thanks to the norm bounds. The security proof further requires that \(\ell Y^2 < N \) and we thus assume \(X,Y < (N/\ell )^{1/2}\).

  • Setup \((1^\lambda ,1^\ell , X, Y)\) : Choose safe prime numbers \(p=2p'+1\), \(q=2q'+1\) with sufficiently large primes \(p',q'>2^{l(\lambda )}\), for some polynomial l, and compute \(N=pq > XY\). Then, sample \(g' \hookleftarrow \mathbb {Z}_{N^2}^*\) and compute \(g={g'}^{2N} \bmod N^2\), which generates the subgroup of (2N)th residues in \(\mathbb {Z}_{N^2}^*\) with overwhelming probability. Then, sample an integer vector \(\varvec{s}=(s_1,\ldots ,s_{\ell })^T \hookleftarrow D_{\mathbb {Z}^\ell ,\sigma }\) with discrete Gaussian entries of standard deviation \(\sigma > \sqrt{\lambda } \cdot N^{5/2}\) and compute \(h_i=g^{s_i} \bmod N^2\). Define

    $$\begin{aligned} \mathsf {mpk} := \Bigl (N, g, \{h_i\}_{i=1}^\ell ,Y \Bigr ) \end{aligned}$$

    and \(\mathsf {msk}:=(\{ s_i \}_{i=1}^\ell ,X)\). The prime numbers \(p,p',q,q'\) are no longer needed.

  • Keygen \((\mathsf {msk},\varvec{x})\) : To generate a key for the vector \(\varvec{x}=(x_1,\ldots ,x_\ell ) \in \mathbb {Z}^\ell \) with \(\Vert \varvec{x}\Vert \le X\), compute \(\mathsf{sk}_{\varvec{x}}=\sum _{i=1}^\ell s_i \cdot x_i \) over \(\mathbb {Z}\).

  • Encrypt \((\mathsf {mpk},\varvec{y})\) : To encrypt a vector \(\varvec{y}=(y_1,\ldots ,y_\ell ) \in \mathbb {Z}^\ell \) with \(\Vert \varvec{y}\Vert \le Y\), sample \(r \hookleftarrow \{ 0, \ldots , \lfloor N/4 \rfloor \}\) and compute

    $$\begin{aligned} C_0= & {} g^r \bmod N^2, \\ C_i= & {} (1+y_i N) \cdot h_i^r \bmod N^2, \qquad \forall i \in \{1,\ldots ,\ell \}. \end{aligned}$$

    Return \(C_{\varvec{y}}=(C_0,C_1,\ldots ,C_\ell ) \in \mathbb {Z}_{N^2}^{\ell +1}\).

  • Decrypt \((\mathsf {mpk},\mathsf{sk}_{\varvec{x}},C_{\varvec{y}})\) : Given \(\mathsf{sk}_{\varvec{x}}\in \mathbb {Z}\), compute

    $$\begin{aligned} {C}_{\varvec{x}}=\left( \prod _{i=1}^\ell C_i^{x_i} \right) \cdot C_0^{-\mathsf{sk}_{\varvec{x}}} \bmod N^2. \end{aligned}$$

    Then, compute and output \(\log _{(1+N)}({C}_{\varvec{x}}) = \frac{{C}_{\varvec{x}} -1 \bmod N^2 }{N}\).

As in previous constructions (including those of [2]), our security proof requires inner products to be evaluated over \(\mathbb {Z}\), although the decryptor technically computes \(\langle \varvec{x},\varvec{y} \rangle \bmod N\). The reason is that, since secret keys are computed over the integers, our security proof only goes through if the adversary is restricted to only obtain secret keys for vectors \(\varvec{x}\) such that \(\langle \varvec{x},\varvec{y}_0 \rangle = \langle \varvec{x},\varvec{y}_1 \rangle \) over \(\mathbb {Z}\).

Theorem 5

The scheme provides full security under the \(\mathsf {DCR}\) assumption. (The proof is available in the full version of the paper [4]).

5.2 A Construction for Inner Products over \(\mathbb {Z}_N\)

Here, we show that our first \(\mathsf {DCR}\)-based scheme can be adapted in order to compute the inner product \(\langle \varvec{y},\varvec{x} \rangle \bmod N\) instead of computing it over \(\mathbb {Z}\). To do this, a first difficulty is that, as in our \(\mathsf {LWE}\)-based system, private keys are computed over the integers and the adversary may query private keys for vectors that are linearly dependent over \(\mathbb {Z}_N^{\ell }\) but independent over \(\mathbb {Z}^\ell \). This problem is addressed as previously, by having the authority keep track of all previously revealed private keys. As in our \(\mathsf {LWE}\)-based construction over \(\mathbb {Z}_p\), we also need to increase the size of private keys (by a factor \(\approx \!\ell \)) because we have to use a different information-theoretic argument in the last step of the security proof.

  • Setup \((1^\lambda ,1^\ell )\) : Choose safe prime numbers \(p=2p'+1\), \(q=2q'+1\) with sufficiently large primes \(p',q'>2^{l(\lambda )}\), for some polynomial l, and compute \(N=pq \). Then, sample \(g' \hookleftarrow \mathbb {Z}_{N^2}^*\) and compute \(g={g'}^{2N} \bmod N^2\), which generates the subgroup of (2N)th residues in \(\mathbb {Z}_{N^2}^*\) with overwhelming probability. Then, sample an integer vector \(\varvec{s}=(s_1,\ldots ,s_{\ell })^T \hookleftarrow D_{\mathbb {Z}^\ell ,\sigma }\) with discrete Gaussian entries of standard deviation \(\sigma > \sqrt{\lambda } (\sqrt{\ell } N)^{\ell +1}\) and compute \(h_i=g^{s_i} \bmod N^2\). Define \(\mathsf {msk}:=\{ s_i \}_{i=1}^\ell \) and

    $$\begin{aligned} \mathsf {mpk} := \Bigl (N, g, \{h_i\}_{i=1}^\ell \Bigr ). \end{aligned}$$

  • Keygen \((\mathsf {msk},\varvec{x}, \mathsf {st})\) : To generate the jth secret key \(\mathsf{sk}_{\varvec{x}}\) for a vector \(\varvec{x}\in \mathbb {Z}_N^{\ell }\) using the master secret key \(\mathsf {msk}\) and an (initially empty) internal state \(\mathsf {st}\), a stateful algorithm is used. At any time, \(\mathsf {st}\) contains at most \(\ell \) tuples \((\varvec{x}_i, \overline{\varvec{x}}_i, \varvec{z}_{\varvec{x}_i})\) where the \((\overline{\varvec{x}}_i,\varvec{z}_{\varvec{x}_i})\)’s are the previously revealed secret keys and the \(\varvec{x}_i\) are the corresponding vectors.

    • If \(\varvec{x}\) is linearly independent from the \(\varvec{x}_i\)’s modulo N, set \(\overline{\varvec{x}} = \varvec{x} \in \mathbb {Z}^{\ell }\) (with coefficients in [0, N)), \(\varvec{z}_{\varvec{x}} = \langle \varvec{s}, \varvec{x} \rangle \in \mathbb {Z}\) and add \((\varvec{x}, \overline{\varvec{x}}, \varvec{z}_{\varvec{x}})\) to \(\mathsf {st}\).

    • If \(\varvec{x} = \sum _i k_i \varvec{x}_i \bmod N\) for some coefficients \(\{k_i\}_{i \le j-1}\) in \(\mathbb {Z}_N\), then compute \(\overline{\varvec{x}} = \sum _i k_i \cdot \overline{\varvec{x}}_i \in \mathbb {Z}^{\ell }\) and \(\varvec{z}_{\varvec{x}} = \sum _i k_i \cdot \varvec{z}_{\varvec{x}_i} \in \mathbb {Z}^m\).

    In either case, return \(\mathsf{sk}_{\varvec{x}}=(\overline{\varvec{x}}, \varvec{z}_{\varvec{x}})\).

  • Encrypt \((\mathsf {mpk},\varvec{y})\) : To encrypt a vector \(\varvec{y}=(y_1,\ldots ,y_\ell ) \in \mathbb {Z}_N^\ell \), sample \(r \hookleftarrow \{ 0, \ldots , \lfloor N/4 \rfloor \}\) and compute

    $$\begin{aligned} C_0= & {} g^r \bmod N^2, \\ C_i= & {} (1+y_i N) \cdot h_i^r \bmod N^2, \qquad \forall i \in \{1,\ldots ,\ell \}. \end{aligned}$$

    Return \(C_{\varvec{y}}=(C_0,C_1,\ldots ,C_\ell ) \in \mathbb {Z}_{N^2}^{\ell +1}\).

  • Decrypt \((\mathsf {mpk},\mathsf{sk}_{\varvec{x}},C_{\varvec{y}})\) : Given \(\mathsf{sk}_{\varvec{x}}= (\overline{\varvec{x}}, \varvec{z}_{\varvec{x}}) \in \mathbb {Z}^\ell \times \mathbb {Z}\) with \(\overline{\varvec{x}}=(\overline{x}_1,\ldots ,\overline{x}_{\ell })\), compute

    $$\begin{aligned} {C}_{\varvec{x}}=\left( \prod _{i=1}^\ell C_i^{\overline{x}_i} \right) \cdot C_0^{- \varvec{z}_{\varvec{x}}} \bmod N^2. \end{aligned}$$

    Then, compute and output \(\log _{(1+N)}({C}_{\varvec{x}}) = \frac{{C}_{\varvec{x}} -1 \bmod N^2 }{N}\).

From a security standpoint, the following result is proved in the full version of the paper [4].

Theorem 6

The above stateful scheme provides full security under the \(\mathsf {DCR}\) assumption.

6 Bootstrapping Linear FE to Efficient Bounded FE for All Circuits

In this section, we describe how to compile our Linear FE scheme, denoted by \(\mathsf {LinFE}\) which computes linear functions modulo p (for us \(p=2\)), into a bounded collusion FE scheme for all circuits, denoted by \(\mathsf {BddFE}\). The underlying scheme \(\mathsf {LinFE}\) is assumed to be AD-IND secure, which, by [49], is equivalent to non-adaptive simulation secure NA-SIM, since linear functions are “preimage sampleable”. We refer the reader to [49] for more details.

Let \(\mathcal {C}\) be a family of polynomial-size circuits. Let \(C \in \mathcal {C}\) and let \(\mathbf {x}\) be some input. Let \(\widetilde{C}(\mathbf {x}, R)\) be a randomized encoding of C that is computable by a constant depth circuit with respect to inputs x and R (see [9]). Then consider a new family of circuits \(\mathcal {G}\) defined by:

$$\begin{aligned} G_{C, \varDelta }(x, R_1,\ldots ,R_S) = \left\{ \widetilde{C} \Big (x; \underset{a \in \varDelta }{\oplus } R_a \Big ): \ C \in \mathcal {C}, \ \varDelta \subseteq [S] \right\} , \end{aligned}$$

for some S to be chosen below. As observed in [39, Sect. 6], circuit \(G_{C,\varDelta }(\cdot , \cdot )\) is computable by a constant degree polynomial (one for each output bit). Given an FE scheme for \(\mathcal {G}\), one may construct a scheme for \(\mathcal {C}\) by having the decryptor first recover the output of \(G_{C, \varDelta }(\mathbf {x}, R_1,\ldots ,R_S)\) and then applying the decoder for the randomized encoding to recover \(C(\mathbf {x})\).

Note that to support q queries the decryptor must compute q randomized encodings, each of which needs fresh randomness. As shown above, this is handled by hardcoding sufficiently many random elements in the ciphertext and taking a random subset sum of these to generate fresh random bits for each query. As in [39], the parameters are chosen so that the subsets form a cover-free system, so that every random subset yields fresh randomness (with overwhelming probability).

In more detail, we let the set S and the integers v and m be parameters to the construction. Let \(\varDelta _i\) for \(i \in [q]\) be a uniformly random subset of S of size v. To support q queries, we identify the set \(\varDelta _i \subseteq S\) with query i. If \(v =O(\lambda )\) and \(S=O(\lambda \cdot q^2)\) then the sets \(\varDelta _i\) are cover-free with high probability. For details, we refer the reader to [39, Sect. 5]. We now proceed to describe our construction. Let \(L \triangleq (\ell +S\cdot m)^3\), where \(m \in \mathsf{poly}(\lambda )\) is the size of the random input in the randomized encoding and \(\ell \) is the length of the messages to be encrypted.

  • BddFE.Setup \((1^\lambda , 1^\ell )\) : Upon input the security parameter \(\lambda \) and the message space \(\mathcal{M}= \{0,1\}^\ell \), invoke \((\mathsf {mpk}, \mathsf {msk}) = \mathsf {LinFE}.\textsf {Setup}(1^\lambda , 1^{L})\) and output it.

  • BddFE.KeyGen \((\mathsf {msk},C)\) : Upon input the master secret key and a circuit C, do:

    1. Sample a uniformly random subset \(\varDelta \subseteq S\) of size v.

    2. Express \(C(\mathbf {x})\) by \(G_{C, \varDelta }(\mathbf {x}, R_1,\ldots ,R_S)\), which in turn can be expressed as a sequence of degree 3 polynomials \(P_{1},\ldots ,P_{k}\), where \(k \in \mathsf{poly}(\lambda )\).

    3. Linearize each polynomial \(P_i\) and let \(P'_i\) be its vector of coefficients. Note that the ordering of the coefficients can be arbitrary but should be public.

    4. Output \(\mathsf {BddFE}.\mathsf {SK}_C = \{\mathsf {SK}_i = \mathsf {LinFE}.\textsf {KeyGen}(\mathsf {LinFE}.\mathsf {msk}, P'_i)\}_{i \in [k]}\).

  • BddFE.Enc \((\mathbf {x}, \mathsf {mpk})\) : Upon input the public key and the plaintext \(\mathbf {x}\), do:

    1. Sample \(R_1, \ldots , R_{S} \leftarrow \{0,1\}^m\).

    2. Compute all symbolic monomials of degree 3 in the variables \(x_1,\ldots , x_\ell \) and \(R_{i,j}\) for \(i \in [S]\), \(j \in [m]\). The number of such monomials is \(L = (\ell +S\cdot m)^3\). Arrange them according to the public ordering and denote the resulting vector by \({\varvec{y}}\).

    3. Output \(\mathsf {CT}_\mathbf {x}= \mathsf {LinFE}.\textsf {Enc}(\mathsf {LinFE}.\mathsf {mpk}, \varvec{y})\).

  • BddFE.Dec \((\mathsf {mpk}, \mathsf {CT}_\mathbf {x}, \mathsf {SK}_C)\) : Upon input a ciphertext \(\mathsf {CT}_\mathbf {x}\) for vector \(\mathbf {x}\), and a secret key \(\mathsf {SK}_C=\{\mathsf {SK}_i\}_{i \in [k]}\) for circuit C, do the following:

    1. Compute \(G_{C, \varDelta }(\mathbf {x}, R_1,\ldots ,R_S) = \{P_i(\mathbf {Y})\}_{i\in [k]} = \{\mathsf {LinFE}.\textsf {Dec}(\mathsf {CT}_\mathbf {x}, \mathsf {SK}_i)\}_{i \in [k]}\).

    2. Run the decoder for the randomized encoding to recover \(C(\mathbf {x})\) from \(G_{C, \varDelta }(\mathbf {x}, R_1,\ldots ,R_S)\).

Correctness follows from the correctness of \(\mathsf {LinFE}\) and the correctness of randomized encodings.

Security. The definition for q-NA-SIM security is provided in the full version of the paper [4]. We proceed to describe our simulator \(\textsf {Bdd.Sim}\). Let \(\textsf {RE.Sim}\) be the simulator guaranteed by the security of randomized encodings and \(\textsf {LinFE.Sim}\) be the simulator guaranteed by the security of the \(\mathsf {LinFE}\) scheme.

Simulator \({{\mathbf {\mathsf{{Bdd.Sim}}}}}\big (\{C_i, C_i(\mathbf {x}), \mathsf {SK}_i\}_{i \in [q^*]}\big )\) : The simulator \(\textsf {Bdd.Sim}\) receives the secret key queries \(C_i\), the corresponding (honestly generated) secret keys \(\mathsf {SK}_i\) and the values \(C_i(\mathbf {x})\) for \(i \in [q^*]\) where \(q^* \le q\), and must simulate the ciphertext \(\mathsf {CT}_\mathbf {x}\). It proceeds as follows:

  1. Sample \(\varDelta _1,\ldots ,\varDelta _q \subseteq S\), of size v each.

  2. For each \(i \in [q^*]\), invoke \(\textsf {RE.Sim}(C_i(x))\) to learn \(G_{C_i}(\mathbf {x},\hat{R}_i)\) for some \(\hat{R}_i\) chosen by the simulator. Interpret

    $$\hat{R}_i = \underset{a \in \varDelta _i}{\oplus } R_a\;\; \text { and } G_{C_i, \varDelta _i}(\mathbf {x}, R_1,\ldots ,R_S) = G_{C_i}(\mathbf {x},\hat{R}_i) = \big (P_1(\mathbf {Y}),\ldots ,P_k(\mathbf {Y})\big ). $$

  3. Let \(\mathsf {CT}_\mathbf {x}= \textsf {LinFE.Sim}\big (\{ G_{C_i,\varDelta _i}, G_{C_i,\varDelta _i}(\mathbf {x}, R_1,\ldots ,R_S), \mathsf {SK}_i \}_{i \in [q^*]}\big )\) and output it.

The correctness of \(\textsf {Bdd.Sim}\) follows from the correctness of \(\textsf {RE.Sim}\) and \(\textsf {LinFE.Sim}\).

A last remaining technicality is that the most general version of our construction for FE for inner product modulo p is stateful. This is because a general adversary against \(\mathsf {LinFE}\) may request keys that are linearly dependent modulo p but linearly independent over the integers, thus learning new linear relations in the master secret. This forces the simulator (and hence the key generator) to maintain a state.

However, in our application, we can make do with a stateless variant, since all the queries will be linearly independent over \(\mathbb {Z}_2\). To see this, note that in the above application of \(\mathsf {LinFE}\), each query is randomized by a unique random set \(\varDelta _i\). Recall that by cover-freeness, the element \(\underset{a \in \varDelta _i}{\oplus } R_a\) must contain at least one fresh random element, say \(R^*\), which is not contained in \(\underset{j \ne i}{\cup } \varDelta _j\). Stated a bit differently, if we consider the query vectors of size L, then cover-freeness implies that no query vector lies within the linear span of the remaining queries made by the adversary. For any query Q, there is at least one position \(j \in [L]\) so that this position is nonzero in the L vector representing Q but zero for all other vectors. Hence the query vectors are linearly independent over \(\mathbb {Z}_2\), in which case our construction of Sect. 4.2 is stateless.
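The linearization behind BddFE.Enc and BddFE.KeyGen, together with the "private position" witness of linear independence used in the paragraph above, as an added example that is not the authors' code. The output-bit polynomial it linearizes is constructed for illustration only (it is not a real randomized encoding), and the variable ordering is an arbitrary public choice made here.

```python
"""Linearization step of the BddFE compiler of Sect. 6 and the linear-independence
argument for its LinFE queries (added example, not the authors' code). Variables are
z = (x_1..x_ell, R_{1,1}..R_{S,m}) in a fixed public order; BddFE.Enc publishes
y = all ordered degree-3 products z_a z_b z_c (L = n^3 entries, n = ell + S*m) and
BddFE.KeyGen turns a polynomial P into its coefficient vector P', so that the LinFE
decryption <P', y> mod 2 equals P(z). The polynomial used below is constructed for
illustration and is not a real randomized encoding."""
import itertools
import secrets


def var_x(i):
    """Position of x_i (1-based) in the public variable ordering."""
    return i - 1


def var_r(ell, m, a, j):
    """Position of R_{a,j} (1-based a, j): the R blocks follow the ell x-variables."""
    return ell + (a - 1) * m + (j - 1)


def monomial_vector(x, R):
    """BddFE.Enc step 2: every ordered degree-3 product, ordered by index triple."""
    z = list(x) + [bit for row in R for bit in row]
    n = len(z)
    return [z[a] * z[b] * z[c] for a, b, c in itertools.product(range(n), repeat=3)]


def linearize(poly, n):
    """BddFE.KeyGen step 3: poly is a list of monomials, each a tuple of 1 to 3
    variable indices, summed mod 2. Over {0,1} we have z*z = z, so a monomial with
    fewer than three factors is padded by repeating its last index."""
    coeffs = [0] * (n ** 3)
    for mono in poly:
        a, b, c = (tuple(mono) + (mono[-1],) * 2)[:3]
        coeffs[(a * n + b) * n + c] ^= 1      # coefficient arithmetic is in Z_2
    return coeffs


def evaluate(poly, z):
    """Direct evaluation of the same polynomial over Z_2, for comparison."""
    return sum(all(z[i] for i in mono) for mono in poly) % 2


def inner_product_mod2(u, v):
    """What LinFE.Dec returns for key vector P' and ciphertext vector y."""
    return sum(a * b for a, b in zip(u, v)) % 2


def example_output_bit(ell, m, delta, j):
    """Constructed output bit of a G_{C,Delta}: x_1*x_2*(XOR_{a in Delta} R_{a,j}) + x_3.
    Expanding the subset-sum XOR gives one degree-3 monomial per a in Delta."""
    poly = [(var_x(1), var_x(2), var_r(ell, m, a, j)) for a in sorted(delta)]
    poly.append((var_x(3),))
    return poly


def sample_subsets(S, v, q):
    """KeyGen/simulator step 1: q uniformly random v-subsets of [S]."""
    rng = secrets.SystemRandom()
    return [set(rng.sample(range(1, S + 1), v)) for _ in range(q)]


def has_private_position(vectors, i):
    """Witness from the last paragraph of Sect. 6: some position is nonzero in query
    vector i and zero in every other query vector, so vector i is outside their span."""
    others = [w for k, w in enumerate(vectors) if k != i]
    return any(vectors[i][p] == 1 and all(w[p] == 0 for w in others)
               for p in range(len(vectors[i])))
```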