Towards Symmetric Functional Encryption for Regular Languages with Predicate Privacy

Towards Symmetric Functional Encryption for

Regular Languages with Predicate Privacy

Fu-Kuo Tseng, Rong-Jaye Chen, and Bao-Shuh Paul Lin

National Chiao-Tung University, No.1001, Daxue Road, Hsinchu City 300, Taiwan

{fktseng,rjchen)@cs.nctu.edu.tw;[email protected]

Abstract. We present a symmetric-key predicate-only functional en-cryption system, SP-FE, which supports functionality for regular lan-guages described by deterministic finite automata. In SP-FE, a data owner can encrypt a string of symbols as encrypted symbols for match-ing. Later, the data owner can generate predicate tokens of the transi-tions in a deterministic finite automaton (DFA). The server with these tokens can decrypt a sequence of encrypted symbols correctly and trans-fer from one state to another accordingly. If the final state belongs to the set of accept states, the server takes assigned operations or returns the corresponding encrypted data. We have proven SP-FE preserves both keyword privacy and predicate privacy through security analysis and se-curity games. However, to achieve predicate privacy, we put bounds on the length of a string and the number of states of a DFA. Due to these restrictions, SP-FE can only capture finite languages. Finally, we present the performance analysis of SP-FE and mention possible future work.

Keywords: symmetric functional encryption, deterministic finite au-tomaton, regular language, predicate-only scheme, predicate privacy

1

Introduction

Functional public-key encryption schemes [1] and many of their instances like attribute-based encryption schemes [2, 3, 4] and predicate encryption schemes [5, 6, 7] were devised to support expressive search predicates on encrypted data. However, in all of these schemes, search predicates involve only afixednumber of keywords from the predefined keyword universe. Processing a string of encrypted symbols representing a keyword is essential for the predicates of certain regular languages for lexical analysis and pattern matching.

for predicate privacy with keyword-based search predicates [8, 9, 10]. Functional encryption for regular languages, a type of symbol-based search predicates, was considered in [11] and [12], while functional encryption for regular languages with additionalkeyword and predicate privacy is still an open problem.

Our Contributions.We propose a symmetric-key predicate-only functional en-cryption scheme, SP-FE, supporting predicates of deterministic finite automata (DFA). We make use of Yoshino et al. scheme [10] by encrypting each symbol in the plaintext as an encrypted symbol and each symbol set of a transition as a predicate token. However, direct transformation cannot achieve both plaintext and predicate privacy because some information may reveal to the adversary: (1) The length of a plaintext, nw, (2) the number of states of a DFA, nQ, (3) the number of accept states,_|F_|, (4) the number of transitions,_|δ_|, and (5) the path of the transition. Thus, we systematically add special symbols among or-dinary symbols in the plaintext, while inserting dummy states, transitions and shuffling states of a DFA. These designs guarantee the adversaries cannot gain extra advantages in the challenge games. However, to achieve predicate privacy, we put bounds on the length of a string and the number of (accept) states of a DFA, thus SP-FE can only capture finite languages.

Related Works.Functional encryption schemes [1] are non-interactive public-key encryption schemes where anyone possessing a secret public-key skf can compute a function f(x) of a value xfrom the encryption Enc(x) without learning any other information about x. However, the predicate tokens in these functional encryption schemes may reveal the content of the underlying search predicates because encryption does not require a private key in the public-key setting. Thus predicate privacy is inherently impossible to achieve in the public-key setting. Shen et al. [9] was the first to consider predicate privacy in the symmetric-key setting. Blundo et al. [8] used the assumptions related to linear split secret sharing, while Yoshino et al. [10] further enhanced the efficiency by prime-order group instantiation. However, in all of these schemes, search predicates involve only a fixed number of keywords in the keyword univserse. Processing a string of searchable symbols, is essential for the search predicates of regular languages. The functional encryption for regular languages was devised in the public-key setting with message privacy only [11]. The functional encryption for regular languages with extrakeyword andpredicate privacy is still an open problem.

2

Background and Preliminary

This section presents the background and preliminary of SP-FE.

2.1 Deterministic Finite Automata and Regular Languages

A deterministic finite automaton (DFA) is a finite state machine that accepts or rejects finite strings of symbols. A DFA M is a quintuple (Q, Σ, δ, q0, F) where

(1)Qis a finite set of states, (2)Σis the input alphabet, a finite set of symbols, (3)δ:Q_×Σ_→Qis the transition function, where (q, q0_{, σ)∈δiffδ(q, σ) =q}0_,

Given a DFAM = (Q, Σ, δ, q0, F), ifM accepts an stringw=w1w2,· · ·, wn

∈Σn_{, there exists a sequence of states, a transition path,r=r}

0, r1, ..., rn ∈Qn, where (1)r0=q0, (2)δ(ri, wi+1) =ri+1, for 0≤i≤n−1, and (3) rn ∈F. A regular language is also defined as a language recognized by a DFA.

2.2 Definitions and Security Model

A symmetric-key predicate-only functional encryption scheme for DFA-based predicates consists of four algorithms: Setup, Encrypt, KeyGen, and Decrypt. In addition to a security parameter, the setup algorithm takes as input a alpha-betΣ and a special alphabetΣ0_{. The algorithms are described as follows.}

-Setup(1λ_{, Σ, Σ}0_{): It takes a security parameter 1}λ _{as input and outputs public} parameters and a secret key SK. Public parameters include two parameters to decide the maximum length of an input string, Nw, the maximum number of states,NQ, and the maximum number of transitions in a DFA,Nδ =NQ2. -Encrypt(SK, w): It takes a secret keySK and a string (of symbols)w, where

|w_{| ≤}Nw/2, and outputs a ciphertextCT, a string of encrypted symbols. - KeyGen(SK, M=(Q, Σ, δ, q0, F)): It takes a secret keySK and a DFA M as

input, where_|Q_{| ≤}NQ/2 and outputs aT K, a string of encrypted transitions. - Decrypt(T K, CT): It takes a token T K and a ciphertext CT as input, and outputs either ‘1’ (’Accept’) or ‘0’ (’Reject’) indicating that the result of the DFAM encoded inT K on the inputwencrypted inCT.

Security Model.The selective game-based security is considered in SK-FE. -Setup:The challengerCruns the setup algorithm and gives public parameters to the adversary_A._Aoutputs a bitd_{∈ {}0,1_}: ifd= 0,_Atakes up a ciphertext challenge and outputs two plaintextw0 andw1. Otherwise, Atakes up a token

challenge and outputs two description of DFAM0 andM1.

-Phase 1:_Aadaptively outputs one of the following two queries. In a ciphertext challenge,_Aissuesith ciphertext query by requesting for the ciphertextCTi _of

wi_{.C responds withCT}i

←Encrypt(SK, wi_{). Also,}

Aissuesjthtoken query by requesting a DFAMj_{with the restriction thatM}j_{accepts or rejects bothw}

0and

w1 with the same number of accept states in the transition paths.C responds

with T Kj

← KeyGen(SK, Mj_{). In a token challenge,}

A issues ith ciphertext query by requesting for a string of ciphertextCTi_ofwi_{with the restriction that}

wi _{is accepted or rejected by bothM}

0 andM1 with the same number of accept

states in the transition paths.C responds withCTi

←Encrypt(SK, wi_{). Also,}

Aissuesjthtoken query by requesting for a DFAMj_{.C responds withT K}j

←

KeyGen(SK, Mj_{). The restrictions is to ensure the challenge is not trivial.} -Challenge:The challenger C flips a random coinb_{∈ {}0,1_}. If _Ahas chosen the ciphertext challenge, C gives CTb← Encrypt(SK, wb) to A; otherwise (A has chosen the token challenge),C givesT Kb←KeyGen(SK, Mb) toA. -Phase 2:_Acontinues to queryCTi _{andT K}j _{as in Phase 1.}

- Guess:_A outputs a guessb0 _{∈ {0,1} ofb. The advantage of an adversaryA}

Definition 1.A symmetric-key predicate-only functional encryption scheme for DFA-type predicates is token indistinguishable if all polynomial-time adversaries have at most a negligible advantage in winning the token challenge game. This property guarantees predicate privacy.

Definition 2.A symmetric-key predicate-only functional encryption scheme for DFA-type predicates is ciphertext indistinguishable if all polynomial-time adver-saries have at most a negligible advantage in winning the ciphertext challenge game. This property guarantees keyword privacy.

2.3 Notation

Σ is a set of ordinary symbols used to form a keyword/plaintextw, whileΣ0 is a set of special symbols randomly added intowto formw0_{. The special symbols}

cannot be specified in w. The union of these two sets formsΣ00_{. Each symbol}

wi ∈Σ00 has a unique indexsi. The sizes of these three sets are σ, σ0, andσ00 respectively.nwdenotes the length ofw, whileNwdenotes the maximum length ofw0_{, wheren}

w≤ 1₂Nw. In addition, there ared1₂Nwegroups of special symbols, whose size is from 1 to_d1

2Nwe. A group of special symbols are added as a set in

a predefined circular order starting with any one of the symbols in this group. A predicate DFAM is denoted as (Σ, Q, δ, q0, F). Redundant states are

cho-sen fromQto formQ0 and fromF to formF0, while duplicated transitions are included inδto formδ0.Q0andδ0 are randomized to formQ00andδ00. The sizes ofQ,Q0 _{and Q}00 _aren

Q, n0Q andn00Q =NQ respectively, whereNQ≥2nQ. The states in Q are marked from 0 to nQ −1, thus the number of transition in δ is nδ = n2Q. NQ denotes the maximum number of states, thus the maximum number of transitions Nδ isNQ2. Note that we further require |F| ≤NQ/4 and

|Q_{| ≤}NQ/2.q0 andF0 are randomized into q00 andF00.δand its matrix

repre-sentation Aδ can be converted. If Aδ[x][y] is a symbol setW, where W ⊆ Σ00 andx, y_∈Q00_{, there are (x, y, w}

i) transitions in δ, wherewi∈W.

2.4 Complexity Assumption

Given a bilinear 3-factor-based composite-order group generator_G, output three groupsGi of distinct prime orderpi fori= 1,2,3 by the experiment:

1. (p1, p2, p3,G,GT,eˆ)← G(1λ), 2.N _←p1p2p3,g1

R

←G1,g2

R

←G2, g3

R

←G3,

3.P _←(N,_G,_GT,ˆe), 4.D←(g1, g1a1, g2, g2b1, g

c1 3 , g

c2d 3 , gd3, gd

2 3 , g

a2

1 g

c1d

3 ), wherea1, a2←R Zp1,

b1

R

←Zp2, andc1, c,d

R

←Zp3, and

5.T0←ga13g

c2

3 ,T1←ga13g

b2 2 g

c2

3 , where a3

R

←Zp1 andb2

R

←Zp2.

The advantage of an adversaryAin distinguishingT0 fromT1 with the

param-eters (P, D) is defined asAdvA:=|Pr[A(P, D, T0) = 1]-Pr[A(P, D, T1) = 1]|.

Procedure: SymbolSetToVector(W,mode) [6]

Input:W, whereW⊆Σ′′_,|Σ′′_|=σ′′_{;mode=0:T K,mode=1:CT;} Each symbolwi∈Σ′′has a unique indexsi

Output:vW

if(W is∅)thenvW= (aσ′′, aσ′′₋1, . . . , a0) = (0,0,· · ·,0)

else if (modeis0)then

vW = (aσ′′, aσ′′₋1, . . . , ad+1, ad, ad−1, . . . , a0), where

f(x) =Qd₁(x−si) =adxd+ad−1xd−1+. . .+a0andaσ′′=. . .=ad+1= 0.

else(modeis1)then vW = (sσ

′′

i modN, . . . , s0i modN) = (aσ′′, aσ′′₋1, . . . , a0), whereNis the

order of the groupsGandGT

returnvW

Fig. 1.The procedure ‘SymbolSetToVector’

2.5 The Building Block

The scheme by Yoshino et al. [10] provides a good starting point to construct SP-FE. It is a keyword-based predicate-only predicate encryption scheme. - IPE.Setup(1λ_{): It takes a security parameter 1}λ _{as input and outputs public} parameters and a secret keySK.

- IPE.Encrypt(SK, x): It takes a secret key SK and a plaintext x ∈ Σ and outputs a ciphertext CT.

-IPE.GenToken(SK, y): It takes a secret keySKand a description of predicate y as input and outputs a tokenT K.

-IPE.Check(T K, CT): It takes a tokenT K and a ciphertext CT as input and outputs either ‘1’ (’Accept’) or ‘0’ (’Reject’) indicating the result of the predicate y encoded inT K on the inputxencrypted intoCT.

Note that disjunctive predicates are used to protect the input symbols of a transition in SK-FE. The procedure SymbolSetToVector is to generate the vector of a input string and that of a symbol set for a transaction (See Fig. 1).

3

SP-FE Construction

We provide main procedures of SP-FE construction. Following that, we present detailed algorithms with comprehensive explanation.

3.1 Main Procedures

We make use of Yoshino et al. scheme [10] by encrypting each symbol in the plaintext as an encrypted symbol and each symbol set for a transition as a pred-icate token. However, direct transformation cannot achieve both keyword and predicate privacy because the information can be revealed to the adversary: (1) The length of a plaintext, (2) the number of states in a DFA, (3) the number of accept states, (4) the number of transitions, and (5) the transition path. Thus,

Procedure: addSpecialSymbols(w)

Input:w, wherew= (w1, . . . , wnw), wi∈Σ, nw≤ℓ

Output:w′_{, wherew}′_{= (w}′

1, . . . , wN′w), w

′

i∈Σ′′, Nw= 2ℓ

Repeat 1. and 2. untilnw=Nw.

1. Setpos ←R Znw+1andk

R ←ZNw−nw

2. Insert the (k+ 1)thsymbol group at positionposwith a pre-defined circular ordering starting from one of the symbols in the group. Setnw=nw+(k+1).

returnw′_{= (w1, w2, . . . , wN}

w)

Fig. 2.The procedure ‘addSpecialSymbol’

a> <∧a⊣ ⊢a ♯a ax p q ya a a<⊢ ⊣ ∧>a a ay x p♯qa a⊣ ⊢a> <∧a a a♯ <∧♯ >a ♯a a⊢ ⊣♯ ♯a

Fig. 3.The procedure ‘addSpecialSymbol’(‘aaa’) and its seven possible outputs

Procedure: addStatesTransitions(M)

Input:M=(Q, Σ, δ, q0, F), nQ≤ℓ, where

|δ|=nδ,δ={(uj, vj, wk)}nj=1δ ;uj, vj∈Qandwk∈Σ

Output:M′′_=(Q′′_{, Σ}′′_{, δ}′′_{, q}′

0, F′′), whereNQ= 2ℓand|δ′′|=Nδ=NQ2

1. Add Random Symbols: For each rowi in a DFA, each of the symbols in Σ′′_{should appear once and only once. If a symbolw}

iof a group of special

symbols of sizeddoes not appear in the rowi,

(a) Prepare the sequencewi, w1′, w′2,· · ·, w′dstarting withwiand a sequence

of statesi, t1, t2,· · ·, td, wherewidoes not appear in rowiandwj′does

not appear in rowtjfor 1≤j≤dandtj∈Q

(b) Include the transitions (i, t1, wi), (tj, tj+1, wj′) for 1≤ j≤ d−1, and

(td, i, w′d) intoδto formδ′.

2. Add Random States, Add Final States and Transitions: (a) Randomly duplicate (ℓ

2− |F|) states fromF to formF′. The new state

creates a new column and copies the row of its original state as its row. (b) Randomly duplicate ℓ

2states from the ℓ

2states in 1. together withF′to

formQ′_{. DenoteSias the set of equivalent states of the statei, where} Si⊆Q′,∪|iQ=1|Si=Q′, andSi∩Sj=∅for any two sets.

There are extraℓ2_−n2

q transitions added intoδto formδ′.

3. Shuffle Symbols within Equivalent Set: For each rowi, the transition symbols are shuffled among the columns of the equivalent states to formδ′′_. 4. Shuffle States: Randomly choose two statesQi,Qj. Exchangeith row with

jth row, andith column withjth column to formQ′′_andδ′′_{. Set one state} inSq0as a starting stateq0′, while setF′′as the final states after exchange.

returnM′′_=(Q′′_{, Σ}′′_{, δ}′′_{, q}′

0, F′′), whereδ′′={(uj, vj, wk)}Nj=1δ

Fig. 4.The procedure ‘addStatesTransitions’

 

q0 q1 q2

q0 bcd a ∅

q1 cd a b

q2 ∅ ∅ abcd  1.

=⇒  

q0 q1 q2

q0 bcd>yx♯ a⊣ ∧p ⊢<q

q1 cd⊢<qp a>x♯ b⊣ ∨x

q2 ⊣ ∧ ⊢<xq abcd>yp♯   2. =⇒            

q0 q1 q2 q3 q4 q5 q6 q7

q0 bcd>yx♯ a⊣ ∧p ⊢<q ∅ ∅ ∅ ∅ ∅

q1 cd⊢<qp a>x♯ b⊣ ∨x ∅ ∅ ∅ ∅ ∅

q2 ⊣ ∧ ⊢<xq abcd>yp♯ ∅ ∅ ∅ ∅ ∅

q3 bcd>yx♯ a⊣ ∧p ⊢, <,q ∅ ∅ ∅ ∅ ∅

q4 cd⊢<qp a>x♯ b⊣ ∨x ∅ ∅ ∅ ∅ ∅

q5 ⊣ ∧ ⊢<xq abcd>yp♯ ∅ ∅ ∅ ∅ ∅

q6 ⊣ ∧ ⊢<xq abcd>yp♯ ∅ ∅ ∅ ∅ ∅

q7 ⊣ ∧ ⊢<xq abcd>yp♯ ∅ ∅ ∅ ∅ ∅             3. =⇒            

q0 q1 q2 q3 q4 q5 q6 q7

q0 bd♯x ∧ ⊣ ∅ c>y ap q ∅ <⊢

q1 c<⊢ a♯ ∧ dpq y> ∅ ⊣ bx

q2 ∧ ⊢q c> ⊣ x< by a♯ dp

q3 b>x ap ∅ cd♯y ⊣ ∧ ∅ ∅ q<⊢

q4 d⊢< ∅ ∧ ⊣ cpq a♯ >y ∅ bx ∅

q5 ∧ ⊢q > ⊣ <x cd♯ p aby q6 ⊣ ∧ q ay ∅ <⊢x d b>p c♯

q7 ⊣ ⊢qx acpy ∧ < ∅ d♯ b>             4. =⇒             q′

0 q1′ q2′ q′3 q4′ q5′ q′6 q7′

q′

0 a♯ >y bx ∧ ⊣ cpq d⊢< ∅ ∅ ∅

q′

1 <⊢x b>p ay ∅ ⊣ ∧ d q c♯

q′

2 x< a♯ c> ⊣ ∧ by ⊢q dp

q′

3 ⊣ ∧ ∅ ∅ cd♯y b>x ∅ ap q<⊢

q′

4 ap ∅ ∅ c>y bd♯x q ∧ ⊣ <⊢

q′

5 <x p > ⊣ ∧ cd♯ ⊢q aby

q′

6 y> ⊣ ∧ dpq c<⊢ ∅ a♯ bx

q′

7 < d♯ acpy ∧ ⊣ ∅ ⊢qx b>

           

Fig. 5.The procedure ‘addStatesTransitions’ processing ‘containing substringab’

Example. In Fig. 5, ` is set as four and Σ =_{a,b,c,d_}. For each row, every symbols in Σ00 _{should appear once and only once. In addition, the input DFA}

has specified all the symbols in Σ for each row. To fill in a special symbol of a group, there is a transition path from state i back to state i again after consuming the ordered circular sequence starting from this symbol. Take symbol ’>’ as example, the sequence is ’>’, ’<’ and then ’∧’. There is a transition path: q0

>

⇒q0

<

⇒q2⇒∧ q0and there are (q0, q0, >), (q0, q2, <), and (q2, q0,∧) transitions

in δ. The next step is to duplicate the set of accept states so that F0 _{=` and}

duplicate the other states so thatQ00_{= 2`. Therefore, there are three equivalent}

sets:Sq0 ={q0, q3},Sq1={q1, q4}, andSq2 ={q2, q5, q6, q7}. For the third step,

the symbols of one equivalent set in one row can be redistributed. Takeq2row as

example. ‘_a’ is moved fromq0-column intoq3-column, while ‘x’ is moved fromq1

-column, intoq4-column. Finally, exchange state 0 with state 4 and state 1 with

6 by interchanging q0-row with q4-row,q0-column withq4-column, q1-row with

q6-row, andq1-column withq6-column. Set the start stateq00fromS0q0 ={q

0

3, q04}

asq40 and hide the others. Set the set of final statesF00 as{q10, q20, q05, q07}.

3.2 Main Algorithms

SP-FE consists of four probabilistic polynomial-time algorithms (See Fig. 6). In SP-FE.Setup, the user executesIPE.Setupto obtain a SK and system param-eters. In SP-FE.Encrypt, the user executes addSpecialSymbols on input w to producew0. Then the user calls tosymbolSetToVectorand IPE.Encrypt

for each of the symbols in w0 to produce a CT. In SP-FE.GenToken, the user executes addStatesTransitions on the search predicate M to produce M00. Then the user calls tosymbolSetToVectorandIPE.GenTokenfor each of the transitions inδ00to produce a tokenT K. In SP-FE.Decrypt, the server executes

IPE.Checkon inputCTiandT Kqc,jto test a transition (qc, j, T Kqc,j) inδ00. The

server obtains the next statejifIPE.Check(CTi, T Kqc,j) returns ‘1’ and set the

current state qc asj. The server continues to check CTi+1 with the transitions

in δ00 _{starting with q}

c. If the final state qc is in F00 after checking CTNw, the

SP-FE.Setup(1λ_{): SP-FE.Encrypt(SK, w=w1, . . . , w} nw):

SK←IPE.Setup(1λ_{, Σ, Σ}′_{) w}′_{←addSpecialSymbols(w), where|w}′_|=N

w Setℓ, whereNw= 2ℓ, NQ= 2ℓ, Nδ=NQ2 for(i= 1 toNw)do

returnSK xi←symbolSetToVector(w′ i,1)

CT=CT∪CTi=IPE.Encrypt(xi)

end of for returnCT={CTi}Nw

i=1

SP-FE.GenToken(SK,M=(Σ, Q, δ, q0, F)): SP-FE.Decrypt(CT,M′′_=(Q′′_{, Σ}′′_{, δ}′′_{, q}′_{0, F}′′_)): M′′_{←addStatesTransitions(M), where qc=q}′

0, whereqcis current state M′′_=(Σ′′_{, Q}′′_{, δ}′′_{, q}′

0, F′′),|Q′′|=NQ,|δ′′|=NQ2 for(i= 1 toNw)do

for(r= 1 toNQ)do for all(qc, j, T Kqc,j)∈δ′′, wherej∈Q′′do

for(c= 1 toNQ)do if (IPE.Check(CTi, T Kqc,j) == 1)then (r, c,yr,c)←symbolSetToVector(Aδ′′[r][c],0) qc=j,break inner for-loop T K=T K∪T Kr,c, where end of if

T Kr,c= (r, c,IPE.GenToken(SK,yj)) end of for

end of for end of for

end of for if(qc∈F′′)then return1

returnT K else return0

Fig. 6.The main construction SK-FE

3.3 Correctness

If a keyword w is accepted (or rejected) by a DFA M, the corresponding w0

is accepted (rejected)by the DFA M00_{. In addSpecialSymbols, one group of}

special symbols (with predefined order) can be nested in the other group of symbols. On the other hand, a group of special symbols are filled in a DFA is the same order. After a group of the special symbols between two ordinary symbols are consumed by a DFA, their effects are canceled out, namely, the same state is reached as if no special symbols are inserted.

4

Analysis

We describe a sequence of hybrid security games to demonstrate that SP-FE achieves both keyword privacy and predicate privacy.

4.1 Security Analysis

Game 1.The token encrypted by vector (w,w).

{TKj}Nj=1δ =

  

(uj_{, v}j_),{gV1,i

1 g2β1wig

T rj 1,i

3 }σ

′′₊₁ i=1 ,

{gV2,i

1 gβ22wig

T rj2,i

3 }σ

′′₊₁ i=1 , Πσ

′′₊₁ i=1 g

−V1,iqj1,i−V2,iq1,ij

1 g2V1gV32, gT3

  

Nδ

j=1

Game 2.The token encrypted by vector (w,0).

{TKj}Nj=1δ =

  

(uj_{, v}j_),{gV1,i

1 g2β1wig

T rj1,i

3 }σ

′′₊₁ i=1 ,

{gV2,i

1 g

T rj 2,i

3 }σ

′′₊₁ i=1 , Πσ

′′₊₁ i=1 g

−V1,iqj 1,i−V2,iqj

1,i

1 g2V1g3V2, g3T

  

Nδ

j=1

Game 3.The token encrypted by vector (w,z).

{TKj}Nj=1δ =

  

(uj_{, v}j_),{gV1,i

1 g2β1wig

T rj 1,i

3 }σ

′′₊₁ i=1 ,

{gV2,i

1 g

β2zi

2 g

T rj 2,i

3 }σ

′′₊₁ i=1 , Πσ

′′₊₁ i=1 g

−V1,iqj1,i−V2,iqj1,i

1 gV21gV32, gT3

  

Nδ

j=1

Game 4.The token encrypted by vector (0,z).

{TKj}Nj=1δ =

  

(uj_{, v}j_),{gV1,i

1 g

T rj 1,i

3 }σ

′′₊₁ i=1 ,

{gV2,i

1 gβ22zig

T rj2,i

3 }σ

′′₊₁ i=1 , Πσ

′′₊₁ i=1 g

−V1,iqj1,i−V2,iqj1,i

1 gV21gV32, gT3

  

Nδ

j=1

Game 5.The token encrypted by vector (z,z).

{TKj}Nj=1δ =

  

(uj_{, v}j_),{gV1,i

1 g2T β1zig

rj 1,i

3 }σ

′′₊₁ i=1 ,

{gV2,i

1 gβ22zig

T rj 2,i

3 }σ

′′₊₁ i=1 , Πσ

′′₊₁ i=1 g

−V1,iqj1,i−V2,iqj1,i

1 gV21gV32, gT3

  

Nδ

j=1

Fig. 7.The procedure ‘a sequence of hybrid games’

Theorem 1.If G satisfies Assumption 1, SP-FE is token indistinguishable.

Theorem 2.If_G satisfies Assumption1, SP-FE is ciphertext indistinguishable.

Corollary 1. If _G satisfies Assumption 1, SP-FE is selective secure, namely, SP-FE achieves both keyword privacy and predicate privacy.

4.2 Performance Analysis

The performance of SP-FE is as follows: SP-FE.Encrypt requiresNwnumber of SK-PE.Encrypt. SP-FE.GenToken costs N2

Q number of SK-PE.GenToken. SP-FE.Decrypt takes 1

2NQ number of SK-PE.Check in average for each transition.

For the performance of SK-PE,SK-PE.Encrypt(8σ00_+2)·T

add+(13σ00+3)·Tsm, whileSK-PE.GenTokentakes (8σ00_+2)·T

add+(13σ00+3)·Tsm.SK-PE.Checktakes (2σ00+ 2)·Tpairing.Tadd, Tsm andTpairingdenote the time for the point addition inG, the scaler multiplication in Gand the embedded pairing function. On the other hand, a plaintextwof lengthnw is encrypted asNw symbols. The size of the ciphertext isNw·(2σ00+2)· |G|, while that of the token isNδ·(2σ00+2)· |G| plus the description of the DFA, where|G|is the size of the element inG.

5

Conclusions

proven to guarantee keyword privacy and predicate privacy. In addition, SP-FE can be extended to a full-fledged functional encryption scheme by the technique from [6] to further manage messages. For future work, we would like to relax the restrictions in SP-FE to support predicates of more expressive languages.

References

[1] Boneh, D., Sahai, A., Waters, B.: Functional encryption: Definitions and chal-lenges. In Ishai, Y., ed.: Theory of Cryptography. Volume 6597 of LNCS. Springer Berlin Heidelberg (2011) 253–273

[2] Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryp-tion. In: Proceedings of the 2007 IEEE Symposium on Security and Privacy. SP ’07, Washington, DC, USA, IEEE Computer Society (2007) 321–334

[3] Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM conference on Computer and communications security. CCS ’06, New York, NY, USA, ACM (2006) 89–98

[4] Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with non-monotonic access structures. In: Proceedings of the 14th ACM conference on Computer and communications security. CCS ’07, New York, NY, USA, ACM (2007) 195–203

[5] Caro, A., Iovino, V., Persiano, G.: Fully secure hidden vector encryption. In Abdalla, M., Lange, T., eds.: Pairing-Based Cryptography Pairing 2012. Volume 7708 of LNCS. Springer Berlin Heidelberg (2013) 102–121

[6] Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunc-tions, polynomial equadisjunc-tions, and inner products. Advances in Cryptology– EUROCRYPT 2008 (2008) 146–162

[7] Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner prod-uct encryption. In Gilbert, H., ed.: Advances in Cryptology EUROCRYPT 2010. Volume 6110 of LNCS. Springer Berlin Heidelberg (2010) 62–91

[8] Blundo, C., Iovino, V., Persiano, G.: Predicate encryption with partial public keys. In Heng, S.H., Wright, R., Goi, B.M., eds.: Cryptology and Network Security. Volume 6467 of LNCS. Springer Berlin Heidelberg (2010) 298–313

[9] Shen, E., Shi, E., Waters, B.: Predicate privacy in encryption systems. In Rein-gold, O., ed.: Theory of Cryptography. Volume 5444 of LNCS. Springer Berlin Heidelberg (2009) 457–473

[10] Yoshino, M., Kunihiro, N., Naganuma, K., Sato, H.: Symmetric inner-product predicate encryption based on three groups. In Takagi, T., Wang, G., Qin, Z., Jiang, S., Yu, Y., eds.: Provable Security. Volume 7496 of LNCS. Springer Berlin Heidelberg (2012) 215–234

[11] Waters, B.: Functional encryption for regular languages. In Safavi-Naini, R., Canetti, R., eds.: Advances in Cryptology CRYPTO 2012. Volume 7417 of LNCS. Springer Berlin Heidelberg (2012) 218–235

[12] Goldwasser, S., Kalai, Y., Popa, R., Vaikuntanathan, V., Zeldovich, N.: How to run turing machines on encrypted data. In Canetti, R., Garay, J., eds.: Advances in Cryptology CRYPTO 2013. Volume 8043 of LNCS. Springer Berlin Heidelberg (2013) 536–553

6

Sequence of Hybrid Games

This section proves the proposed SP-FE satisfies Definition 2 (token indistin-guishable) by a sequence of hybrid games from Game 1 to Game 5. Due to space limit, we give these proofs in the full version of our paper [13].

Lemma 1. If_G satisfies Assumption 1, Game 1 and Game2 are computation-ally indistinguishable.

Proof: SimulatorBtries to break Assumption 1 by an adversaryAtrying to dis-tinguish Game 1 from Game 2. Simulator_B is given an instance of Assumption 1: the public parameters (N,_G,_GT,ˆe), (g1, g1a1, g2, gb21, g

c1 3 , g

c2d 3 , gd3, gd

2 3 , g1a2, g

c1d

3 )

and a1, a2, a3

R

← Zp1, b1, b2

R

← Zp2, c1, c2, d

R

← Zp3, g1

R

← G1, g2

R

← G2 and

g3←R G3. Also, generate a random bit b∈ {0,1},and set Tb=g1a3g2bb2g3c2.

-Setup:_Ais given the public parameters and outputs two challengesM1=

(Σ, Q1, δ1={(uj, vj, W)}nj=1δ , q0,1, F1) andM2= (Σ, Q2, δ2={(uj, vj), W}nj=1δ ,

q0,2, F2).B convertsM1 into M10 byaddStatesTransitionsand transformsδ0

into {(uj_{, v}j_),(w

j)}Nj=1δ bysymbolSetToVector. B performs the same

proce-dures onM2 to obtain{(uj, vj),(zj)}Nj=1δ .B sends{wj}Nj=1δ and{zj}Nj=1δ to the

challenger_C. Set_{{q1j,i, q j

2,i}σ

00₊₁

i=1 ,{r

j

1,i}σ

00₊₁

i=1 {r0

j

2,i}σ

00₊₁

i=1 }Nj=1δ randomly fromZN.

-Phase 1:_Aadaptively outputs one of the two queries.

(1) Token Query._Breceives a predicateM=(Σ, Q, δ=_{(uj_{, v}j_{, W)}

}nδ

j=1, q0, F)

fromA.BturnsMintoM00=(Σ00, Q00, δ00={(uj_{, v}j_{), W}}Nδ

j=1, q00, F00) by

addStat-esTransitions and turns δ0 _{into {(u}j_{, v}j_),(y

j)}Nj=1δ by symbolSetToVector. B randomly sets T0_{, β}

1, β2,{V10,i}σ

00₊₁

i=1 ,{V20,i}σ

00₊₁

i=1 , V10, V20 from ZN and outputs

T Kj. DenoteT Kj={(uj, vj),({K1j,i, K j

2,i}σ

00₊₁

i=1 , K

j

1, K

j

2)}

Nδ

j=1, where

                

{K₁j_,i}iσ₌₁00+1=_{gV10,i

1 (g

a1

1 g2)β1yi(gd 2 3 )T

0_rj 1,i}σ00+1

i=1 ={g

V1,i

1 g

β1yi

2 g

T rj1,i

3 }

σ00₊₁

i=1

{K₂j_,i}iσ₌₁00+1=_{gV20,i

1 (g1a1g2)β2,yi(g3d)T 0_w

i_·(gd2

3 )T 0_r0j

2,i}σ00+1

i=1 ={g

V2,i

1 g

β2yi

2 g

T rj 2,i

3 }σ

00₊₁

i=1

K1j=

Qσ00₊₁

i=1 (K

−qj 1,i

1,i K

−qj 2,i 2,i )(g

b1 2 g3c1d)V

0 1(gd

3)V 0 2=g−Σ

σ00+1

i=1 (V1,iqj1,i+V2,iqj1,i)

1 gV21g3V2

K2j=(gd32)T 0

=gT

3                  Nδ j=1

with (uj R_←Z |NQ|, v

j R_←Z

|NQ|), T=d 2_T0_,{V

1,i=β1a1yi+V10,i}σ

00₊₁

i=1 ,{V2,i=β2a1yi+

V0

2,i}σ

00₊₁

i=1 ,{r

j

2,i=d−1wi+r02j,i} σ00+1

i=1 , V1=b1V10−β1Σσ 00₊₁

i=1 q

j

1,iyi−β2Σσ 00₊₁

i=1 q

j

2,iyi, andV2=c1dV10+dV20−T(Σσ

00₊₁

i=1 q

j

1,i)r j

1,i+Σσ

00₊₁

i=1 q

j

2,ir j

2,i).The tokens generated in Phase 1 has the same distribution as that by SP-FE.GenToken because V0

1, V20

R

←ZN.

(2) Ciphertext Query. _B receives a plaintext w= (w1, . . . , wnw) from A. B

transformswintow0 _{= (w}

1, . . . , wNw) by addSpecialSymbolsand transforms

w0into{xj}Nj=1w bysymbolSetToVector.Brandomly setsS, α01, α02,{U10,i}σ

00₊₁

i=1 ,

{U0

2,i} σ00₊₁

i=1 , U10, U20 fromZN and outputsCTjforA. DenoteCTj={{C1j,i, C j

2,i} σ00₊₁

i=1 ,

C₁j, C₂j_}Nδ

                  

{C₁j_,i}iσ₌₁00+1=_{(g1)Sq j 1,i(gb1

2 g3c1)α 0 1xi_(gd2

3 )U 0 1,i}σ00+1

i=1 {g

Sqj 1,i 1 g2α1xig

U1,i

3 }σ

00₊₁

i=1

{C2j,i}σ

00₊₁

i=1 ={(g1)Sq j 2,i_(gb1

2 g3c1)α2,xi(gd 2 3 )U

0 2,i_}σ00+1

i=1 {g

Sqj_2,i

1 g

α0 2xi

2 g

U2,i

3 }σ

00₊₁

i=1

C1j=g1S

C₂j=Qσ_i=100+1[(gd2 3 )−U

0 1,ir

j 1,i−U20,ir0

j 2,i(gc1

3 )α 0

1xi+α01xi_]·

Qσ00₊₁

i=1 (gd3)−U 0 2,iwi

·(ga1

1 g2)U 0 1gU

0 2

1 =g

U1

1 g

U2

2 g

−Σiσ=100+1(U1,irj1,i+U2,irj2,i) 3                    Nδ j=1

withα1=b1α01, α2=b1α02,{U1,i=d2U10,i+c1α01xi}σ

00₊₁

i=1 ,{U2,i=d2U20,i+c1α02xi}σ

00₊₁

i=1 ,

{r₂j_,i=d−1_w

i+r02j,i} σ00+1

i=1 , U1=a1U10 +U20, andU2=U10. The ciphertexts

gener-ated in Phase 1 has the same distribution as that bySP-FE.Encryptbecause U10, U20

R

←ZN.

- Challenge:_B receives query of challenge token from_A. _B is given the chal-lenge query forAssumption 1asTb =g1a3g

bb2

2 g

c2

3 with b∈{0,1}anda3

R

←Zp1,

b2

R

←Zp2, c2, d

R

←Zp3. B randomly setsβ1, β2,{V10,i} σ00₊₁

i=1 ,{V20,i} σ00₊₁

i=1 , V10, and

V0

2 from ZN and generates corresponding tokens forAas follows.             

{K1j,i}σ

00₊₁

i=1 ={g

V0 1,i

1 (g

a1

1 g2)β1wi(g3c2d)r j 1,i}σ00+1

i=1 ={g

V1,i

1 g

β1wi

2 g

T rj_1,i

3 }σ

00₊₁

i=1

{K2j,i}σ

00₊₁

i=1 ={(Tb)wig

V20,i 1 (g3c2d)r

0j 2,i_}σ00+1

i=1 ={g

V2,i

1 g

β2wi

2 g

T r₂j_,i

3 }σ

00₊₁

i=1

K₁j =gc2d 3 =g3T

K2j =Πσ 00₊₁

i=1 (K

−qj 1,i

1,i K

−qj 2,i 2,i )(g

c2d 3 g2b1)V

0 1gV

0 2

3 =g

−Σσ00+1

i=1 (V1,iq1j,i+V2,iq1j,i)

1 g2V1gV32

             Nδ j=1

with (uj R

←Z|Q00_|, vj R←Z_|Q00_|), T =c2d, β2=bb2,{V1,i=d2V10,i+a1β1wi}σ

00₊₁

i=1 ,

{V2,i=V20,i+a3wi}σ

00₊₁

i=1 , V1=b1V10−Σσ 00₊₁

i=1 (β1qj1,i+β2q1j,i)wi, andV2=T V10+

V0

2−T Σσ 00₊₁

i=1 (q

j

1,i·r j

1,i+q j

1,ir j

2,i).The distribution of the ciphertexts generated when T1 =ga13g

b2 2 g

c2

3 is given is exactly the same as the one in Game 1.

Simi-larly, The distribution of the ciphertexts generated whenT0=g1a3g

c2

3 is given is

exactly the same as the one in Game 2.

-Phase 2:Bcontinues to adaptively query as in Phase 1. -Guess:_Aoutputs a guess b0 of b and sends it to_B.

If the adversary_Ahas the advantagein distinguishing Game 1 from Game 2, then the simulator_Bhas the sameadvantage in breaking Assumption 1. This completes the proof of the Lemma 1.

Lemma 2.If _G satisfies Assumption1, Game 2and Game 3are computation-ally indistinguishable.

Proof:SimulatorBtries to break Assumption 1. by an adversaryAtrying to dis-tinguish Game 2 from Game 3. SimulatorB is given an instance of Assumption 1: the public parameter (N,G,GT,ˆe), (g1, g1a1, g2, gb21, g

c1 3 , g

c2d 3 , gd3, gd

2 3 , g

a2 1 , g

c1d

3 )

and a1, a2, a3

R

← Zp1, b1, b2

R

← Zp2, c1, c2, d

R

← Zp3, g1

R

← G1, g2

R

← G2 and

g3

R

← G3. Also, generate a random bit b ∈ {0,1}, and set Tb = g1a3g bb2

2 g

-Setup:_A is given public parameters and outputs the descriptions of two chal-lenges M1 = (Σ, Q1, δ1 = {(uj, vj, W)}jn=1δ , q0,1, F1) and M2 = (Σ, Q2, δ2 =

{(uj_{, v}j_{), W}

}nδ

j=1, q0,2, F2). B converts M1 into M10 by addStatesTransitions

and transformsδ0 _into{(uj_{, v}j_),(w

j)}Nj=1δ bysymbolSetToVector.Bperforms

the same procedures onM2 to obtain{(uj, vj),(zj)}Nj=1δ .B sends{wj}Nj=1δ and {zj}Nj=1δ to the challengerCand sets{{q

j

1,i, q j

2,i} σ00₊₁

i=1 ,{r

j

1,i} σ00₊₁

i=1 ,{r0

j

2,i} σ00₊₁

i=1 }

Nδ

j=1

from_ZN, where|Σ00|=σ00.

-Phase 1:Aadaptively outputs one of the two queries.

(1) Token Query._Breceives a predicateM=(Σ, Q, δ=_{(uj_{, v}j_{, W)}

}nδ

j=1, q0, F)

from A. B transforms M into M00 = (Σ00, Q00, δ00 = {(uj_{, v}j_{), W}}Nδ

j=1, q00, F00)

by addStatesTransitionsand transforms δ0 _{into {(u}j_{, v}j_),(y

j)}Nj=1δ by

sym-bolSetToVector._Brandomly setsT0_{, β}

1, β2,{V10,i}σ

00₊₁

i=1 ,{V20,i}σ

00₊₁

i=1 , V10, V20from

ZN and outputs T Kj. Denote T Kj={(uj, vj),({K1j,i, K j

2,i}σ

00₊₁

i=1 , K

j

1, K

j

2)}

Nδ

j=1.

The only difference between Lemma 1 and Lemma 2 is that Lemma 2 implicitly sets_{rj2,i=d−1zi+r02,i}σ

00₊₁

i=1 in{K

j

2,i}σ

00₊₁

i=1 . The tokens in Phase 1 has the same

distribution as that bySP-FE.GenTokenbecause V10, V20

R

←ZN.

(2) Ciphertext Query. _B receives a plaintext w=(w1, . . . , wnw) from A. B

transformswintow0 _{= (w}

1, . . . , wNw) by addSpecialSymbolsand transforms

w0_into{x

j}Nj=1w bysymbolSetToVector.BsetsS, α01, α02,{U10,i} σ00₊₁

i=1 ,{U20,i} σ00₊₁

i=1 ,

U0

1, U20fromZNand outputsCTjforA. DenoteCTj={{C1j,i, C j

2,i} σ00₊₁

i=1 , C

j

1, C

j

2}Nj=1δ .

The only difference between Lemma 1 and Lemma 2 is that Lemma 2 implicitly sets{rj2,i=d−1zi+r20j,i}

σ00₊₁

i=1 in{K

j

2,i} σ00₊₁

i=1 . The ciphertexts generated in Phase

1 has the same distribution as that bySP-FE.EncryptbecauseU0

1, U20

R

←ZN.

-Challenge:_Breceives query of challenge token from_A._Bis given the challenge query forAssumption 1asTb=g1a3g

bb2

2 g

c2

3 with b ∈{0,1}anda3←R Zp1,b2

R

←

Zp2, c2, d

R

← Zp3. B randomly generates β1, β2,{V10,i}σ

00₊₁

i=1 ,{V20,i}σ

00₊₁

i=1 , V10, V20

fromZN and generates corresponding tokens forAas follows. DenoteT Kj={(uj, vj),{K1j,i, K

j

2,i} σ00₊₁

i=1 , K

j

1, K

j

2}

Nδ

j=1, where

            

{K₁j_,i}iσ₌₁00+1=_{gV10,i

1 (g1a1g2)β1wi(g3c2d)r j 1,i}σ00+1

i=1 ={g

V1,i

1 g

β1wi

2 g

T rj 1,i

3 }σ

00₊₁

i=1

{K2j,i}σ

00₊₁

i=1 ={(Tb)zig

V20,i 1 (g3c2d)r

0j 2,i}σ00+1

i=1 ={g

V2,i

1 g

β2zi

2 g

T rj 2,i

3 }σ

00₊₁

i=1

K1j =gc32d=g3T

K2j =Πσ 00₊₁

i=1 (K

−qj_1,i

1,i K

−qj_2,i

2,i )(g3c2dg2b1)V 0 1gV

0 2

3 =g

−Σσ00+1

i=1 (V1,iq1j,i+V2,iq1j,i)

1 g2V1gV32

             Nδ j=1

with (uj R

←Z|Q00_|, vj R←Z_|Q00_|), T=c2d, β2=bb2,{V1,i=d2V10,i+a1β1wi}σ

00₊₁

i=1 ,

{V2,i=V20,i+a3β2zi}σ

00₊₁

i=1 , V1 = b1V10 −Σσ 00₊₁

i=1 (β1qj1,iwi +β2qj1,izi), andV2 =

T V10+V20−T Σσ 00₊₁

i=1 (q

j

1,i·r j

1,i+q j

1,ir j

2,i). The distribution of the ciphertexts gen-erated when T1 = ga13g

b2 2 g

c2

3 is given is exactly the same as the one in Game

3. Similarly, The distribution of the ciphertexts generated whenT0 =g1a3g

given is exactly the same as the one in Game 2.

-Phase 2:_Bcontinues to adaptively query as in Phase 1.

-Guess:_Aoutputs a guess b0 of b and sends it to_B.

If the adversaryAhas the advantagein distinguishing Game 2 from Game 3, then the simulatorBhas the sameadvantage in breaking Assumption 1. This completes the proof of the Lemma 2.

Lemma 3. If_G satisfies Assumption 1, Game 3 and Game5 are computation-ally indistinguishable.

Proof: Game 3 and Game 4 are computationally indistinguishable following the proof of Lemma 2 by setting Game 4 as Game 2 except for exchanging

{{K1j,i}σ

00₊₁

i=1 }

Nδ

j=1 with {{K

j

2,i}σ

00₊₁

i=1 }

Nδ

j=1 and exchanging {(uj, vj),wj}Nj=1δ with {(uj_{, v}j_),z

j}Nj=1δ . Similarly, Game 4 and Game 5 are computationally

indis-tinguishable following the proof of Lemma 1 by setting Game 4 as Game 2 except for exchanging {{K1j,i}σ

00₊₁

i=1 }

Nδ

j=1 with {{K

j

2,i}σ

00₊₁

i=1 }

Nδ

j=1 and exchanging

{(uj_{, v}j_),w