Professional Documents
Culture Documents
Privacy-Preserving Traceable Functional Encryption For Inner Product
Privacy-Preserving Traceable Functional Encryption For Inner Product
• Each user can anonymously obtain a secret key from the key generation
center without releasing anything about his/her identity.
Abstract
Functional encryption introduces a new paradigm of public key encryption
that decryption only reveals the function value of encrypted data. To curb
key leakage issues and trace users in FE-IP, a new primitive called traceable
functional encryption for inner product (TFE-IP) has been proposed. How-
ever, the privacy protection of user’s identities has not been considered in
the existing TFE-IP schemes. In order to balance privacy and accountability,
we propose the concept of privacy-preserving traceable functional encryption
for inner product (PPTFE-IP) and give a concrete construction. Our scheme
provides the following features: (1) To prevent key sharing, a user’s key is
bound with both his/her identity and a vector; (2) The key generation center
(KGC) and a user execute a two-party secure computing protocol to generate
a key without the former knowing anything about the latter’s identity; (3)
Each user can verify the correctness of his/her key; (4) A user can calculate
the inner product of the two vectors embedded in his/her key and in a ci-
phertext; (5) Only the tracer can trace the identity embedded in a key. The
security of our scheme is formally reduced to well-known complexity assump-
tions, and the implementation is conducted to evaluate its efficiency. The
novelty of our scheme is to protect users’ privacy and provide traceability if
required.
Keywords: Functional Encryption, Inner Production, Traceability, Privacy,
Security
1. Introduction
The increasing advancements in big data and cloud computing has led to a
greater emphasis on data security. Traditional public-key cryptography only
2
al. [10] proposed fully secure FE-IP schemes based on the same assumptions
as [9] and gave a simple method to achieve the bounded collusion FE for
all circuits. Classical FE-IP schemes have a central authority (CA), who
generates a secret key for each user. To simplify the key management in
classical FE-IP, Song et al. [13] proposed a hierarchical identity-based FE-
IP, where identity has a hierarchical structure and supports delegating secret
key. Han et al. [14] proposed a delegatable FE-IP (DFE-IP) scheme where
the delegatee is allowed to decrypt ciphertexts on behalf of the delegator in
a specified time period.
In above FE-IP schemes, CA must be trusted fully because it keeps all
the secret keys of users. This is known as the key escrow problem [15]. Some
FE-IP schemes, such as decentralized FE-IP [16], decentralized multi-client
FE-IP [17] and dynamic decentralized FE-IP [18], were proposed mainly to
reduce trust on the CA and solve the key escrow problem. Abdalla et al. [16]
proposed a decentralized FE-IP to transform any scheme with key-derivation
into a decentralized key-derivation scheme. Chotard et al. [17] proposed a
new primitive decentralized multi-client FE-IP where clients generate cipher-
texts non-interactively, and secret keys are generated in a decentralized way.
Jérémy et al. [18] proposed the first dynamic decentralized FE-IP, which al-
lows participants to join dynamically during the lifetime of a system. In
these schemes, multiple authorities or clients issue keys to users, instead of
one CA.
To reduce trust on CA and protect users’ privacy, Han et al. [11] proposed
a decentralized privacy-preserving FE-IP scheme, where the user’s secret
key is generated jointly by the multiple authorities and the user, and the
authorities do not know the identity embedded in the user’s key.
3
the prime-order group supporting black-box traceability.
In white-box tracing schemes [20, 21], a user’s identity is embedded in
his/her secret key. In [20], the tracer generates part of keys for users and
records some auxiliary information for trace. Han et al. [21] used a similar
method as [20] but a binary tree was applied to reduce the cost of storing
user identities and corresponding information. In [22], if the secret key is
leaked/abused, anyone can trace the owner of the key, this is called public
traceability. However, restricting tracing to only the tracer is essential to
ensure user privacy.
To curb key leakage issues and trace users in FE-IP, [26] defined a new
primitive called traceable functional encryption for inner product (TFE-IP)
and proposed a concrete black-box tracing scheme for FE-IP. Following [26],
Luo et al. [27] proposed the first efficient trace-and-revoke FE-IP scheme
supporting public, black-box traceability, which is adaptively secure against
chosen-plaintext attacks in the standard model. Luo et al. [27] also proposed
the first generic TFE-IP schemes that achieved adaptive security. Dutta et
al. [28] proposed the first fully collusion resistant TFE-IP schemes support-
ing public, black-box traceability, and gave generic constructions of TFE-IP
based on both pairing and√ lattices. The ciphertext size of their pairing-based
schemes is linear with n, while the size is linear with n in lattice-based
schemes, where n is the number of users in the system. Branco et al. [29]
proposed a new traceable FE-IP model based on registered FE where users
generate their secret-public key pairs and register their public keys. They
introduced registered traitor tracing supporting an unbounded collusion of
traitors, and proposed two registered traceable FE schemes for quadratic
functions and inner product functions respectively.
However, a traceable FE-IP scheme with private traceability has not been
considered. Also, users’ privacy and anonymity may be violated by traceabil-
ity. To balance the relationship between privacy and traceability, we propose
a PPTFE-IP scheme.
Table 1 shows the comparison of different features between our scheme
and existing schemes. Our scheme can recover a user’s identity through a
well-formed secret key, while other schemes can trace a user’s identity via
decryption boxes; therefore, our scheme is white-box traceable, while other
schemes are black-box traceable. Among existing schemes, schemes [27, 28,
30, 29] are publicly traceable, which undermines user privacy. [26] provides
similar trace functionality with our scheme, namely, only the tracer can trace
the identity embedded in a key, so [26] and our scheme are private tracing;
4
on the contrary, [27, 28, 30, 29] are public tracing. The novelty of our scheme
is to protect users’ privacy and provide traceability if required.
1 For the sake of tracing and preventing key sharing, a user’s secret key
is bound with a vector (function) and his/her identity.
3 The user can only use the secret key to calculate the inner product
of the vectors embedded in his/her secret key and the ciphertext, and
learn nothing else.
1 The definitions and security models of our PPTFE-IP scheme are for-
malized.
5
3 We propose a privacy-preserving key generation algorithm for our TFE-
IP scheme.
4 We analyse the efficiency of the proposed PPTFE-IP scheme.
5 The security of our PPTFE-IP scheme is formally reduced to well-
known complexity assumptions.
6
Table 2: Notation Summary
4 The key is generated jointly by the user and the KGC, and other users
and the KGC cannot learn the embedded identity from the key. Hence,
the user’s privacy is protected. Meanwhile, the tracer traces the iden-
tity embedded in the key when necessary.
1.4. Organization
In Section 2, we provide an overview of the preliminaries as well as the
formal definition and security models of our scheme. Section 3 presents the
concrete construction of our PPTFE-IP scheme. Section 4 offers a detailed
security proof of our scheme. In Section 5, we conduct a comparative analysis
of our scheme with existing TFE-IP schemes, implement and evaluate our
scheme. Finally, Section 6 concludes this paper and outlines future work.
2. Preliminaries
This section presents the preliminaries utilized in this paper. The nota-
tion used throughout this paper is summarized in Table 2. Figure 1 depicts
the framework of our PPTFE-IP scheme. There are three entities involved
in our scheme: user, KGC and tracer. Each user interacts with KGC and
jointly generates a secret key, which is stored by the user and KGC is un-
aware of the secret key. If a malicious user shares his/her secret key, the
tracer can trace his/her identity id∗ from the shared key.
7
3. Privacy-Preserving Key Generation
𝑠𝑘𝑖
Key 𝑖𝑑𝑖
Generation 4. Decrypt Ԧ𝑚
𝑓,
Center 𝑓Ԧ
𝑓Ԧ 𝐔𝐬𝐞𝐫𝒊 𝑖𝑑𝑖
𝑖𝑑𝑖
1. Setup Key Sharing
DDH
AdvA = Pr A(g α , g β , g αβ ) = 1 − Pr A(g α , g β , g γ ) = 1 ≤ ϵ(λ).
8
DL
AdvA = Pr [y = g x |A (g, y) → x)] <ϵ(λ).
1
2 (xq )
q−SDH x (x ) x+c
AdvA = Pr A g1 , g2 , g2 , g2 , · · · , g2 = c, g1 ≥ ϵ(λ).
9
5 Trace skf⃗,id , T k → id or ⊥. The Tracing algorithm takes user’s
secret key skf⃗,id and tracer’s trace key as input, outputs the user’s id
or failure ⊥.
2.3.2. Traceability
For traceability, we follow the security model proposed in [20, 34, 35]. This
security model is defined by the following game executed by a challenger C
and an adversary A.
• Setup. C runs Setup 1λ and sends public parameters P P to A.
10
• Key Query. A submits (id, f⃗) in which id represents identity and f⃗
represents function. C returns the secret key matching the queried pair
to A. This query can be made multiple times.
• Trace Query. A sends a key (ski )i∈[r] = (K1i , K2i , K3i , K4i , K5i ) to
C. C runs Trace(ski , T k) to recover the identity and returns it to A.
This query can be made multiple times.
• Key Forgery. A forges and outputs a secret key sk∗ . Assume the
identity embedded in sk∗ is id∗ . A wins the game if T race (sk∗ , tsk, P P ) ̸=
id∗ or T race (sk∗ , tsk, P P ) ∈
/ {⊥, id1 , id2 , · · · , idq }.
Definition 7 (Traceability). A traceable functional encryption scheme is
fully traceable if any probabilistic polynomial-time adversary A has a negligi-
ble advantage ϵ(λ) in winning the above game, namely
AdvA = Pr[{T race (sk ∗ , tsk, P P ) ∈
/ {⊥, id1 , id2 , · · · , idq }} ∨
∗
{T race (sk , tsk, P P ) ̸= id∗ }] < ϵ(λ).
PPKeyGen(U ser(P P, id, f⃗, decomu ) ↔ KGC(P P, msk, f⃗, comu ) → (⊥,
skf⃗,id ). This algorithm includes the interaction process between the user and
the KGC. Let Commitment(P P, id) → (comu , decomu ) be a commitment
scheme which takes as input the public parameters and a secret identity id
and outputs the commitment commu and decommitment decomu . Given the
public parameters P P , the private key msk, a vector f⃗ and the commitment
comu , KGC outputs ⊥. The user takes the public parameters P P , an iden-
tity id, a vector f⃗ and decomu as input. If decommitment(P P, id, decomu ,
comu ) = 1, a secret key skf⃗,id is output; Otherwise, the output fails. The
formalization of the security model for PPKeyGen algorithm employs two
games [36, 37]: selective − f ailure − blindness and leakage − f ree.
11
• KGC publishes public parameters P P and submits two identities id0 , id1 .
AdvKGC = Pr[δ ′ = δ] − 1
2
< ϵ(λ).
Leakage-free. Suppose that the user U is malicious and the KGC is honest
in this game, user U has interaction with KGC in an attempt to obtain
information about the secret key. This game is defined by a real-world and an
ideal-world scenario, where a distinguisher D tries to distinguish the outputs
of each scenario.
12
Definition 10 (Security of PPTFE-IP). A PPTFE-IP scheme Ω = (Setup,
Encrypt, PPKeyGen, Decrypt, Trace) is secure if the following two con-
ditions hold:
3. Our Constructions
In this section, we first describe the concrete construction of our trace-
able FE-IP scheme, then present the construction of privacy-preserving key
generation algorithm.
• Firstly, the system runs Setup, KGC generates the master secret key
and public parameters. The tracer generates a pair of secret-public
keys.
• Secondly, to compute the inner product of the vectors ⃗y and ⃗x, the user
needs to get the key sk⃗y,θ = {K1 , K2 , K3 , K4 , K5 } with the identity θ
and a vector ⃗y embedded from KGC and the ciphertext of a vector ⃗x
from data owner. In particular, K1 is bound with the vector ⃗y and
K2 is bound with the identity θ. KGC binds the identity and vector
together in users’ secret keys using a random number. K3 , K4 and K5
are used in tracing and decryption. To prevent collusion attacks, all
elements included in a key are bound together by a random number.
Users can verify the correctness of the secret keys distributed by KGC.
• Thirdly, the data owner can use the public parameters to encrypt a
vector ⃗x.
13
Setup. Let BG(1λ ) → (e, p,G, GT ), and g0 , g1 , g2 be generators of G. KGC selects ⃗s = (s1 , s2 , · · · , sl ) R
s R
←Zl and computes ⃗h = {hi = g i } f or i ∈ [l]. Tracer selects a random b ← Zp as the trace secret key
p 1
and computes B = g2b as the trace public key. KGC selects a random a and publishes Y = g0a . The
public key of KGC is (⃗h, Y ) and the secret key is msk = (a, si ). The secret-public key pair of the
tracer is (b, B). The system’s public parameters are P P = (e, p, G, GT , g0 , g1 , g2 , B, Y, h1 , · · · , hl ).
Encrypt. To encrypt a vector ⃗ x = (x1 , x2 , · · · , xl ) ∈ Zlp , the data owner (DO) first selects a random
R
r ← Zp , then computes
x
cti = hri · g1 i f or i ∈ [l], ctl+1 = g1r , ctl+2 = g2r , ctl+3 = g0r ,
The ciphertext is Ct = (cti )i∈[l] , ctl+1 , ctl+2 , ctl+3 .
y = (y1 , y2 , · · · , yl ), to generate a secret key for a user with an identity θ,
KeyGen. Given a vector ⃗
KGC chooses random numbers w, d ∈ Zp and computes
w 1 1
⟨⃗ s⟩
y ,⃗
· B d+a , K2 = g0 · (g2 · B)w · g2θ , K3 = g1d+a , K4 = w, K5 = d.
K1 = g0 d+a
• e K3 , g0K5 · Y = e (g0 , g1 );
• e K2 , g0K5 · Y =e (g0 , g0 ) · e (g0 , g2 · B)K4 · e (g0 , g2 )θ .
If all the above equations hold, the secret key sky⃗,θ is valid; otherwise, it is invalid.
Decrypt. A user uses his/her secret key (K1 , K2 , K3 , K4 , K5 ) to decrypt the ciphertext as follows.:
!
l
(cti )yi
Q
e g0 , ·e(ctl+1 ,K2 )
i=1
e(g0 , g1 )⟨⃗x,⃗y⟩ = K
e(K1 ,ctl+1 )·e(K3 ,ctl+3 )·e(K3 4 ·K3θ ,ctl+2 )
Further, the user calculates the discrete logarithm of e(g0 , g1 )⟨⃗x,⃗y⟩ with respect to e(g0 , g1 ) to obtain
⟨⃗ y ⟩. This discrete logarithmic operation requires that ⟨⃗
x, ⃗ y ⟩ should not be too large.
x, ⃗
Trace. Given a key sky⃗,θ , the tracer can compute
e(K2 ,g1 )
e (K3 , g2 )θ = K K ·b
e(g0 ,K3 )·e(g2 ,K3 4 ·K3 4 )
to recover the user identity embedded in the key, where b is the tracer’s secret key.
• Fourthly, given a ciphertext, a user can use his/her secret key to calcu-
late the inner-produce of the vectors embedded in the ciphertext and
his/her secret key. Additionally, e(g0 , g1 )⟨⃗x,⃗y⟩ needs to be small to solve
14
⟨⃗x, ⃗y ⟩.
• Finally, if tracing is required, only tracer can use the trace secret key
to recover e (K3 , g2 )θ from the secret key sk⃗y,θ . Tracer computes the
discrete logarithm of each identity based on e (K3 , g2 ) to discover the
identity embedded in the secret key.
Correctness of our TFE-IP Scheme. The scheme described in Figure 2 is
correct since the following equations hold.
l
! l
!
Y Y 1
e g0 , (cti )yi ·e(ctl+1 , K2 ) = e(g0 , hri ·g1xi )yi ·e(g1r , g0 ·(g2 ·B)w ·g2θ d+a )
i=1 i=1
1 w w 1
= e(g0 , g1 )⟨⃗x,⃗y⟩ · e(g0 , g1r )⟨⃗y,⃗s⟩ · e(g1d+a , g0r ) · e(g1d+a , g2r ) · e(g1d+a , B r ) · e(g1d+a , g2r )θ
w 1 w 1
= e(g0 , g1 )⟨⃗x,⃗y⟩ · e(g0 , g1r )⟨⃗y,⃗s⟩ · e(g1d+a , B r ) · e(g1d+a , g0r ) · e(g1d+a , g2r ) · e(g1d+a , g2r )θ
w 1 w 1
⟨⃗
y ,⃗s⟩
= e(g0 , g1 )⟨⃗x,⃗y⟩ · e(g0 · B d+a , g1r ) · e(g1d+a , g0r ) · e(g1d+a , g2r ) · e(g1d+a , g2r )θ
= e(g0 , g1 )⟨⃗x,⃗y⟩ · e(K1 , ctl+1 ) · e(K3 , ctl+3 ) · e(K3 , ctl+2 )w · e(K3 , ctl+2 )θ
= e(g0 , g1 )⟨⃗x,⃗y⟩ · e(K1 , ctl+1 ) · e(K3 , ctl+3 ) · e(K3K4 · K3θ , ctl+2 ),
w 1 1
⟨⃗
y ,⃗s⟩ d+a
and K1 = g0 · B d+a , K2 =! g0 · (g2 · B)w · g2θ , K3 = g1d+a , K4 = w, K5 = d.
l
(cti )yi ·e(ctl+1 ,K2 )
Q
e g0 ,
i=1
Therefore, K = e(g0 , g1 )⟨⃗x,⃗y⟩ .
e(K1 ,ctl+1 )·e(K3 ,ctl+3 )·e(K3 4 ·K3θ ,ctl+2 )
1
e((g0 ·(g2 ·B)w ·g2θ ) d+a ,g1 )
For tracing, e(K2 ,g1 )
K K4 ·b = 1 w w = e (K3 , g2 )θ .
e(g0 ,K3 )·e(g2 ,K3 4 ·K3 )
e(g0 ,g1d+a )·e(g2 ,g1d+a ·(g1d+a )b )
15
PPKeyGen
User
KGC
R R R
GID θ, w1 ← Zp , τ ← Zp msk ⃗s, w2 , d ← Zp
R R
1. Select w1 ← Zp , τ ← Zp , and
compute
R
A1 = hτ · B w1 , A2 = (g2 · B)w1 · g2θ , 2. Select w2 ← Zp and compute
A ,A l 1
y
−−1−−→
2
(g0 i )si · (A1 · B w2 ) d+a ,
Q
Generate ΣU = P oK {(w1 , θ, τ ) : B1 =
ΣU i=1
1
A1 = hτ · B w1 ∧ A2 = (g2 · B)w1 · g2θ B2 = (g0 · A2 · (g2 · B)w2 ) d+a ,
1 1
d+a
B 3 = g1 , B4 = h d+a , B5 = d.
Generate n
ΣK = P oK a, w2 , (si )i∈[l] :
1
3. Compute w = w1 + w2 and set B2 = (g0 · A2 · (g2 · B)w2 ) d+a ∧
1 w2
B1 w ,B ,B ,B ⟨⃗ s⟩
y ,⃗
K1 = τ
B4
, K2 = B2 , K3 = B3 , ←−2−−−
1 2
−− 3
−−− B 1 = g0 · A1 d+a
· B d+a ∧
B4 ,B5 ,ΣK
1
1
K4 = w, K5 = B5 B3 = g1d+a ∧ B4 = h d+a
4. Security Analysis
Theorem 1. Our traceable functional encryption for inner product scheme is
(ϵ(λ), t) secure against chosen-plaintext attack (CPA) in the selective model if
the DDH assumption holds on the bilinear group (e, p, G, GT ) with (ϵ(λ)′ , t′ ),
where ϵ(λ)′ = ϵ(λ)
2
.
Proof. Suppose the existence of a probabilistic polynomial-time adversary A
who can (t, ϵ)-break the TFE-IP scheme in the IND-CPA security model,
16
there exists a simulator B who can run A to solve the DDH problem as
follows. Challenger C flips an unbiased coin with {0, 1} to get a random bit
µ ∈ {0, 1}. If µ = 0, C sends (g α , g β , Z = g αβ ) to B; if µ = 1, C sends
(g α , g β , Z = g τ ) to B, in which τ ∈ Zp is a random number. B will output
his guess µ′ on µ.
w w 1
⟨⃗
y ,⃗s⟩ d+a
K1 = g0 · B d+a = B d+a , K2 = g0 · (g2 · B)w · g2θ , K3 =
1
d+a
g1 , K4 = w, K5 = d.
B returns sk⃗y,U = (Ki )i∈[5] to A.
17
To complete the proof, we need to calculate the advantage with which B can
solve the DDH assumption.
π
• If µ = 0, Z = g αβ , ct∗i = Z πi · g xδ,i = g αβ i · g xδ,i , ct∗l+1 = g β , ct∗l+2 =
c c
g β 2 , ct∗l+3 = g β 0 is a correct ciphertext of xδ . Therefore, Pr[δ ′ = δ|µ =
0] = 21 + ϵ(λ). When δ ′ = δ, B outputs µ′ = 0, so Pr[µ′ = µ|µ = 0] =
1
2
+ ϵ(λ).
4.1. Traceability
Theorem 2. Our TFE-IP scheme is (δ, ϵ) − traceable if the q-SDH assump-
tion holds with an advantage no greater than ϵ1 , and then DL assumption
holds
ϵ1 q ϵ2 p−1
with an advantage no greater than ϵ2 , where ϵ = max 4 1 − p + 4 p3 ,
o
ϵ1 q 1
4
1− p + q and δ < q is the number of key generation queries made
by A.
Proof. Suppose the existence of a probabilistic polynomial-time adversary
A, there is a simulator B who can run A to break theSDH assumption as
2 q
follows. The challenger C sends g, g z , g z , · · · , g z , h, hz to B. B will output
(c, g z+c ) where c ∈ Zp
R
• Setup. B sets (Φi = g zi )i∈[q] , randomly selects a, µ1 , µ2 , · · · µq−1 ← Zp ,
R Qq−1
⃗s = (s1 , s2 , · · · , sl ) ← Zlp , and lets f (z) = i=1 (z + µi ) = Σq−1 i
i=0 δi z ,
(g )δi = g̃ z , ⃗h =
Qq−1 zi δi q−1 z i+1
then computes g̃ = i=0 (g ) = g f (z) , ĝ = i=0
Q
R
{hi = g1si } f or i ∈ [l], Y = g0a . B chooses γ1 , γ2 , γ3 , π, ρ, κ, b ←
1
Zp , sets B = g̃ b , then calculates g0 = g̃ γ1 , g2 = ((ĝg̃ π )κ g̃ −1 ) ρ =
18
(z+π)κ−1
g̃ ρ , g̃ = g γ3 . B is the trace public key. A is given public pa-
rameters (e, p, g̃, ĝ, g0 , g1 , g2 , g3 , B, Y, h1 , · · · , hl ) from B.
q−2
Y f (z) 1
νi = (Φj )ηi j = g fi (z) = g z+µi = g̃ z+µi ,
j=0
⟨⃗
y ,⃗s⟩
K 1 = g0 · νib·w , K3 = νiγ1 , K4 = w, K5 = µi ,
q−2 ηi j · κρ ·(γ2 ·w+θi ) Yq−2 ηi j ·(( (π·κ−1)
Y
z j+1 zj ρ )·(γ2 ·w+θi )+γ1 )
K2 = g · g ,
j=0 j=0
((z+π)κ−1)·(γ2 ·w+θi )
(Σq−2 j
j=0 ηi j ·z )· +γ1
=g ρ
1 γ2 ·w+θi
1
= (g0 · (g2 · B)w · g2θi ) z+µi ,
z+µi z+µi
= g0 · g2
1 γ1
= g̃ z+µi = νiγ1 .
z+µi
K3 = g1
19
B sends the discrete logarithm of identity θ to A.
• Key Forgery. A forges a secret key sk(θ∗ ,⃗y∗ ) = (K1∗ , K2∗ , K3∗ , K4∗ , K5∗ )
and sends the key to B. We consider the following two types of forgery.
• Type I The user’s identity embedded in the key hasn’t been previously
queried, namely, θ∗ ∈ / {θ1 , θ2 , ..θq }. This type can be classified to the
two cases below.
Case − I : θ ∗ ∈ / {θ1 , θ2 , ..θq }, µ∗ ∈ / {µ1 , µ2 , ..µq−1 , π}.
∗ f (z)
Set f (z)1 = z+µi = Σj=0 ψj z , f (z)2 = f (z)·(z+π)
q−2 j ∗
z+µi
= Σq−1 ′ j
j=0 ψ j z , f (z) =
K4∗
(z + µ∗ ) · σ(z) + χ, σ(z) = Σq−2 j ∗
j=0 σj · z and thus K2 = (g0 · (g2 · B) ·
1 1 1 1
∗ ∗ ∗ ∗ ∗ ∗ ∗
g2θ ) z+K5 = (g0 · (g2 · B)w · g2θ ) z+µ∗ = (g0z+µ ) · ((g2 · B)w · g2θ ) z+µ∗ .
Furthermore, we have
1
∗ ∗ ∗ −1 ((z+π)κ−1)·γ2·w∗ ((z+π)κ−1)·θ ∗ −1
g0z+µ = K2∗ ·((g2 ·B)w ·g2θ ) z+µ∗ = K2∗ ·((g̃ ρ )·g̃ ρ ) z+µ∗
−((z+π)κ)·(γ2 ·w∗ +θ ∗ ) γ2·w∗+θ ∗ −f ( z)·((z+π)κ)·(γ2 ·w∗ +θ ∗ ) f ( z)·(γ2 ·w∗ +θ ∗ )
= K2∗ ·g̃ ρ·(z+µ∗ ) ·g̃ ρ·(z+µ∗ ) = K2∗ ·g ρ·(z+µ∗ ) ·g ρ·(z+µ∗ )
Therefore, we have
1 χ·γ1
g z+µ∗ = Θ · g −σ(z) 1
! χ·γ1
q−1 −ψi·κ·(γ2ρ·w ′ ∗ +θ ∗ ) q−2 ψj ·(γ2·wρ ∗ +θ∗ ) Yq−2
k (−σk )
1
zi j
Y Y
∗ z
= K2 · g · g · gz
i=0 j=0 k=0
1
B can output (µ∗ , g z+µ∗ ) from the above generation. Therefore, B can
use A to solve the q − SDH problem. The probability that µ∗ ∈ /
20
{µ1 , µ2 , · · · , µq−1 , µ} is (1 − pq ).
Case − II : θ ∗ ∈ / {θ1 , θ2 , ..θq }, µ∗ = µi .
∗ ∗ 1
In this case, we have K2∗ = (g0 · (g2 · B)w · g2θ ) z+µ∗ , (K2 )i = (g0 · (g2 ·
1
B)wi · g2θi ) z+µi . Given µ∗ = µi , K2∗ = (K2 )i , we obtain
∗ ∗
g0 · (g2 · B)w · g2θ = g0 · (g2 · B)wi · g2θi
∗ ∗
(g2 · B)w · g2θ = (g2 · B)wi · g2θi
∗ −w ∗
(g2 · B)w i
= g2θi −θ
θi −θ ∗ −w∗ +wi
w∗ −wi
B = g2
θi −θ∗ −w∗ +wi
B can compute logg2 B = by using A. Therefore, B can use
w∗ −wi
A to solve the discrete logarithm problem. The probability of this case
is computed as p1 · p1 · (1 − p1 ) = p−1
p3
• Type-II: The user’s identity embedded in the key has been previously
queried, namely, θ∗ ∈ {θ1 , θ2 , ..θq }. We consider the following two cases.
Case − III : θ ∗ ∈ {θ1 , θ2 , ..θq }, µ∗ ∈ / {µ1 , µ2 , ..µq−1 , π}.
1
B can compute (µ, g z+µ ) in the same way as Case-I to solve the q−SDH
problem and the probability that µ∗ ∈ / {µ1 , µ2 , ..µq−1 , µ} is (1 − pq ).
Case − IV : θ ∗ ∈ {θ1 , θ2 , ..θq }, µ∗ ∈ {µ1 , µ2 , ..µq−1 , π}, K2∗ =
(K2 )i .
The probability that µ∗ = µ is 1q . Because µ ∈ / {µ1 , µ2 , ..µq−1 }, B can
1
compute (µ, g z+µ ) in the same way as Case-I to solve the q − SDH
problem.
To complete the proof, we need to calculate the advantage with which
B can solve the q −SDH problem. The probabilities of Case-I, Case-II,
Case-III and Case-IV forgeries are denoted as Pr[Case − I ], Pr[Case−
II ], Pr[Case − III ] and Pr[Case − IV ] respectively. The four cases are
independently and identically distributed, each occurring with a prob-
ability of 41 . Hence, B’s advantage in breaking the q −SDH assumption
and DL assumption can be calculated as follows.
ϵ1 q ϵ2 p − 1
Pr[Type-I] = Pr[Case − I ] + Pr[Case − II ] = 1− +
4 p 4 p3
ϵ1 q 1
Pr[Type-II] = Pr[Case − III ] + Pr[Case − IV ] = 1− +
4 p q
21
ϵ = max {Pr[Type-I], Pr[Type-II]}
ϵ1 q ϵ2 p − 1 ϵ1 q 1
= max 1− + , 1− +
4 p 4 p3 4 p q
Proof. KGC is malicious and tries to distinguish the user’s identity θ embed-
ded in the key. Let BG(1λ ) → (e, p, G, GT ), and g0 , g1 , g2 be generators of G.
R
KGC selects ⃗s = (s1 , s2 , · · · , sl ) ← Zlp and computes ⃗h = {hi = g1si } f or i ∈
R
[l].Tracer selects a random b ← Zp as the trace secret key and computes
B = g2b as the trace public key. KGC selects a random a and publishes
Y = g0a . The public key of KGC is (⃗h, Y ) and the secret key is msk = (a, si ).
The secret-public key pair of the tracer is (b, B). The system’s public param-
eters are P P = (e, p, G, GT , g0 , g1 , g2 , B, Y, h1 , · · · , hl ). KGC submits (θ0 , ⃗y )
and (θ1 , ⃗y ) and chooses a random bit δ ∈ {0, 1}. KGC has access to the user
oracles U (P P, θδ , decomδ ) and U (P P, θ1−δ , decom1−δ ). Subsequently, KGC
and an honest user U execute the protocol illustrated in Figure 3. The oracle
U will output sk0 (θ0 , ⃗y ) and sk1 (θ1 , ⃗y ).
22
A1 , A2 , ΣU to KGC. Until this stage, KGC executes either one or both or-
acles whose perspective on the two oracles remains computational indistin-
guishable, because of the hiding property of commitment schemes and the
zero-knowledge property of zero-knowledge proofs. When KGC has the abil-
ity to compute the k = (K1 , K2 , K3 , K4 , K5 ) for the first oracle, it can predict
kδ without using the steps below.
1 w2
⟨⃗
y ,⃗s⟩
• Firstly, KGC verifies ΣK = P oK{ a, (si )i∈[l] :B1 = g0 ·A1d+a · B d+a ∧
1 1 w2 1
B2 = g0d+a ·A2d+a · (g2 · B) d+a ∧ B3 = g1d+a ∧ e(B3 , g1B5 · Y ) = e(g1 , g1 ) ∧
e(B4 , g1B5 · Y ) = e(g1 , h)}. If it is invalid, KGC returns k0 =⊥.
• For the second oracle, KGC outputs another χ = (B
1 , B2 , B3, B4 , B5 )
and generates a zero-knowledge proof ΣK = P oK{ a, (si )i∈[l] : B1 =
1 w2 1 1 w2 1
⟨⃗
y ,⃗s⟩
g0 · A1d+a · B d+a ∧ B2 = g0d+a · A2d+a · (g2 · B) d+a ∧ B3 = g1d+a ∧ e(B3 , g1B5 ·
Y ) = e(g1 , g1 ) ∧ e(B4 , g1B5 · Y ) = e(g1 , h)}. If it is invalid, KGC returns
k1 =⊥.
• If both of the two steps above are successful, then KGC proceeds as
follows:
1)k0 =⊥, k1 =⊥, U returns (ζ, ζ) to KGC;
2)k0 =⊥, k1 ̸=⊥, U returns (⊥, ζ) to KGC;
3)k0 ̸=⊥, k1 =⊥, U returns (ζ, ⊥) to KGC.
23
Lemma 2. The PPKeyGen algorithm, as delineated in Figure 3, is leakage-
free.
Proof. Assuming the existence of a malicious user U in the real-world exper-
iment, U interacts with an honest KGC executing the PPKeyGen protocol.
A corresponding simulator S can be established in the ideal experimental,
which can access a trusted party performing the ideal KeyGen protocol. S
simulates the communication between D and U by conveying D’s input to
U and U’s output to D. The process of the real-world experiment is shown
below.
• S computes B4 = K4 , B1 = K1 · B4τ , B2 = K2 , B3 = K3 , B5 = K5 .
24
represents the time of executing one hash operation, and P represents the
time of executing one pairing operation.
Table 3 and Table 4 respectively show the computational and communi-
cation costs of the three schemes : [26], Trace-and-Revoke IPFE from DDH
scheme in Section 5.2 of [27] and ours. From Table 3, with the assumption
that l ≫ 1, we know that the communication cost of our Setup and En-
cryption is lower than the other two schemes, while Key Generation is
slightly more expensive than [26, 27]. Moreover, as observed in Table 4, the
computational cost of our traceable scheme is the same as [26, 27].
Table 3: Communication Cost Comparison between Existing Work and Our TFE-IP
Scheme in Figure 2.
Table 4: Computation Cost Comparison between Existing Work and Our TFE-IP Scheme
in Figure 2.
(N +1)λN 2
[27]1 2lEx (2l + 2)Ex 0 (l + 3)Ex µ(λ)
·
(2l + 2)Ex
25
Table 5: Communication Cost of Our Privacy-Preserving Key Generation Algorithm in
Figure 3.
i7-8550U CPU with 8G of RAM. For bilinear pairing, we use the PBC li-
brary [38] in Linux. And we use socket programming for two-party secure
computation. This program is implemented in C language on Linux.
When implementing our scheme, we consider the following five cases:
l = 10, l = 20, l = 30, l = 40 and l = 50, and each time is obtained by taking
the average value after 10 experiments. Figure 4 depicts the time spent by
the algorithms in each stage of our PPTFE-IP scheme.
As shown in Figure 4, the Setup algorithm takes 0.0341988s, 0.0547218s,
0.0695288s, 0.0871566s and 0.1064724s in each case. The Encryption pro-
cess costs 0.0429196s, 0.0748678s, 0.1075483s, 0.1420852s and 0.1828628s for
each case. Encryption takes more time than Setup, but slightly less than
twice Setup time.
Moreover, Figure 4 shows that the Key Generation algorithm takes a
longer execution time than the other algorithms. Our experiment shows that
the Key Generation algorithm (including key verification) takes 0.2387588s,
0.3687528s, 0.4979975s, 0.6324328s, 0.7862466s time in the five cases, respec-
tively. Due to the two party secure computing, the PPKeyGen algorithm
takes more time. On the other hand, multiple pairing and exponentiation op-
erations are required during the key verification, which are time-consuming.
26
Especially, in each cases the Decryption algorithm costs 0.0286769s,
0.0468638s, 0.0649096s, 0.0802697s and 0.098845s, which is faster than Setup.
We use the socket to simulate the communication between the KGC and a
user.
The computation cost of Setup, Encryption, Key Generation and
Decryption algorithm is linear with the dimension of vectors. Conversely,
the Tracing algorithm takes 0.0113066s, 0.0119908s, 0.0122832s, 0.0114053s,
0.0124318s in the five cases, respectively. It is indicated that our Tracing
algorithm is efficient since it is independent of the vector dimension.
0.8
Vector size = 10
Vector size = 20
0.7
Vector size = 30
Vector size = 40
0.6 Vector size = 50
0.5
Time(s)
0.4
0.3
0.2
0.1
0
Setup Encryption Key Generation Decryption Trace
Algorithm
27
ally, we offered a detailed security proof of our proposed scheme. Further-
more, we conducted a comparative analysis of our scheme with existing trace-
able FE-IP schemes, implemented and evaluated the efficiency of our scheme.
However, the computation cost of the key generation algorithm in our
scheme is high. Therefore, it is interesting and challenging to construct a
PPTFE-IP scheme with efficient key generation algorithm. We leave this as
an open problem and our future work.
References
[1] D. Boneh, A. Sahai, B. Waters, Functional encryption: Definitions and
challenges, in: TCC 2011, Vol. 6597 of LNCS, Springer, RI, USA, 2011,
pp. 253–273, https://doi.org/10.1007/978-3-642-19571-6_16.
[6] H. Cui, Z. Wan, X. Wei, S. Nepal, X. Yi, Pay as you decrypt: De-
cryption outsourcing for functional encryption using blockchain, IEEE
Transactions on Information Forensics and Security 15 (2020) 3227–
3238, https://doi.org/10.1109/TIFS.2020.2973864.
28
[7] V. Koutsos, D. Papadopoulos, D. Chatzopoulos, S. Tarkoma, P. Hui,
Agora:a privacy-aware data marketplace, IEEE Transactions on De-
pendable and Secure Computing 19 (6) (2022) 3728–3740, https:
//doi.org/10.1109/ICDCS47774.2020.00156.
29
[15] T. H. Yuen, W. Susilo, Y. Mu, How to construct identity-based sig-
natures without the key escrow problem, International Journal of
Information Security 9 (2010) 297–311, https://doi.org/10.1007/
s10207-010-0110-5.
[19] D. Boneh, M. Franklin, An efficient public key traitor tracing scheme, in:
CRYPTO 1999, Vol. 1666 of LNCS, Springer, Santa Barbara, California,
USA, 1999, pp. 338–353, https://doi.org/10.1007/3-540-48405-1_
22.
30
[23] Z. Liu, Z. Cao, D. S. Wong, Blackbox traceable cp-abe: how to catch
people leaking their keys by selling decryption devices on ebay, in:
SIGSAC 2013, ACM, Berlin, Germany, 2013, pp. 475–486, https:
//doi.org/10.1145/2508859.2516683.
31
[31] W. Diffie, M. Hellman, New directions in cryptography, IEEE Transac-
tions on Information Theory 22 (6) (1976) 644–654, https://doi.org/
10.1109/TIT.1976.1055638.
[32] D. M. Gordon, Discrete logarithms in gf(p) using the number field sieve,
SIAM Journal on Discrete Mathematics 6 (1) (1993) 124–138, https:
//doi.org/10.1137/0406010.
[33] D. Boneh, X. Boyen, Short signatures without random oracles, in: EU-
ROCRYPT 2004, Vol. 3027 of LNCS, Springer, Interlaken, Switzerland,
2004, pp. 56–73, ttps://doi.org/10.1007/978-3-540-24676-3_4.
32
Appendix A. The Details of Zero-Knowledge Proof
Appendix A.1. The Detail of ΣU
An instantiation of the proof ΣU is given as follows.
R
• User selects τ ′ , θ′ , w1′ ← Zp , and computes
′ ′
A′1 = hτ · B w1 ,
′ ′
A′2 = (g2 · B)w1 · g2θ ,
c = H1 (A1 ||A′1 ||A2 ||A′2 ) ,
τ̃ = τ ′ − c · τ,
θ̃ = θ′ − c · θ,
w̃1 = w1′ − c · w1 ,
• User sends (A1 , A′1 , A2 , A′2 ) and c, τ̃ , θ̃, w̃1 to verifier (KGC) .
• After receiving (A1 , A′1 , A2 , A′2 ) and c, τ̃ , θ̃, w̃1 , KGC verifies
?
c = H1 (A1 ||A′1 ||A2 ||A′2 ) ,
?
A′1 = hτ̃ · B w˜1 · Ac1 ,
?
A′2 = (g2 · B)w˜1 · g2θ̃ · Ac2 .
33
g1 ′ (a′ )
( d
) = B3 ,
B3
h (a′ )
( d )′ = B4 ,
B4
B1d g0 · A2 · (g2 · B)w2 ′
g1 ′ h ′
c = H1 (g0 µai )′ ||B1 ||( ′
) ||B2 ||( ) ||B3 ||( d ) ||B4 ||( d ) ||B5 ,
A1 · B w2 B2d B3 B4
ã = a′ − c · a,
s˜i = si ′ − c · si f or i ∈ [l],
Bd w
• KGC sends (g0 ) µai ′
, B1 , ( A1 ·B1w2 )′ , B2 , ( g0 ·A2 ·(g
B2
2 ·B) 2 ′
d ) , B3 , ( Bg1d )′ , B4 , B5
3
34