1.1.1 The Weakness in IPFE

To clearly specify our works, we present the scheme in [19] as follows. Suppose integers $X$ and $Y$ are both bound parameters, the vectors $x=(x_1,\ldots,x_n)$ and $y=(y_1,\ldots,y_n)$ are respectively bounded by $X$ and $Y$. For integer $N=\tilde{p}\cdot \tilde{q}>X\cdot Y$, where $\tilde{p}$, $\tilde{q}$ are two safe primes, we randomly choose a value $g^{\prime }$ from $\mathbb {Z}^{\ast }_{N^2}$ to compute $g=g^{\prime 2N}\ mod \ N^2$, and the vector $s=(s_1,\ldots,s_n)$ from the discrete Gaussian distribution $\mathcal {D}_{\mathbb {Z}^{n},\delta }$ to compute $\left\lbrace h_i=g^{s_i}\ mod \ N^2 \right\rbrace _{i\in \lbrace 1,\ldots,n\rbrace }$. The master public key and the master secret key are respectively \begin{equation*} mpk=\left(N,g,\left(h_1,\ldots,h_n\right),X\right),\ msk=\left(\left(s_1,\ldots,s_n\right),Y\right). \end{equation*} View Source \begin{equation*} mpk=\left(N,g,\left(h_1,\ldots,h_n\right),X\right),\ msk=\left(\left(s_1,\ldots,s_n\right),Y\right). \end{equation*} The secret key regarding $y$ is computed as $sk_y=\sum _{i=1}^{n}s_i y_i$. To generate the ciphertext for $x$, we randomly choose the integer $r$ from $\lbrace 0,\ldots,\lfloor \frac{N}{4}\rfloor \rbrace$ to compute \begin{equation*} C_0=g^{r}\ mod \ N^2,\ \left\lbrace ct_i=\left(1+Nx_i\right)h_i^{r}\ mod \ N^{2} \right\rbrace _{i\in \lbrace 1,\ldots,n\rbrace }. \end{equation*} View Source \begin{equation*} C_0=g^{r}\ mod \ N^2,\ \left\lbrace ct_i=\left(1+Nx_i\right)h_i^{r}\ mod \ N^{2} \right\rbrace _{i\in \lbrace 1,\ldots,n\rbrace }. \end{equation*} The ciphertext is $C_x=\left(C_0,C_1\right)$ where $C_1=\left(ct_1,\ldots,ct_n\right)$. The inner product $\left<x,y\right>$ is obtained by decrypting the ciphertext as follows: \begin{equation*} \frac{1}{N}\cdot \left(\left(\prod _{i=1}^{n}ct_i^{y_i}\cdot C_0^{-sk_y}-1\right)\ mod \ N^2\right). \end{equation*} View Source \begin{equation*} \frac{1}{N}\cdot \left(\left(\prod _{i=1}^{n}ct_i^{y_i}\cdot C_0^{-sk_y}-1\right)\ mod \ N^2\right). \end{equation*} We can observe that $sk_y$ can be used to obtain the relevant inner products when the ciphertexts are encrypted under a public key associated with the master secret key $s$.

The Encrypted Vector Privacy. Thanks to the linearity of inner product, a malicious decryptor can recover the encrypted vector $x$ by querying the secret keys related to $n$ independent vectors, if the encrypted vector is $n$-dimension. For the encrypted vector $x=(x_1, \ldots,x_n)$, a malicious decryptor or an attacker controlling several decryptors queries the secret keys $sk_{y^{(1)}},\ldots,sk_{y^{(n)}}$ regarding the linearly independent vectors $y^{(1)},\ldots,y^{(n)}$. Then it can obtain $x$ by solving below system of linear equations \begin{equation*} \left\lbrace \begin{array}{ll}\displaystyle\mathop \sum \limits _{i=1}^{n}x_{i}y_{i}^{(1)}&=\left\langle x,y^{(1)}\right\rangle \;mod \ N,\\ \cdots \\ \displaystyle\mathop \sum \limits _{i=1}^{n}x_{i}y_{i}^{(n)}&=\left\langle x,y^{(n)}\right\rangle mod\ N.\\ \end{array} \right. \tag{1} \end{equation*} View Source \begin{equation*} \left\lbrace \begin{array}{ll}\displaystyle\mathop \sum \limits _{i=1}^{n}x_{i}y_{i}^{(1)}&=\left\langle x,y^{(1)}\right\rangle \;mod \ N,\\ \cdots \\ \displaystyle\mathop \sum \limits _{i=1}^{n}x_{i}y_{i}^{(n)}&=\left\langle x,y^{(n)}\right\rangle mod\ N.\\ \end{array} \right. \tag{1} \end{equation*} The Master Secret Key Privacy. In order to control the revealed information of the encrypted vector in IPFE, the key generation center will generate a master secret key that includes the vector $s=\left(s_1,\ldots,s_n\right)$. The data user can ask the key generation center to generate the secret key $sk_y$ related to vector $y$, where $sk_y$ is the inner product between $s$ and $y=\left(y_1,\ldots,y_n\right)$, namely $\left<s,y\right>=\sum _{i=1}^{n}s_iy_i$. Clearly, $s$ can be maliciously recovered by solving the system of linear equations similar to (1), which results from $sk_{y^{\left(1\right)}},\ldots,sk_{y^{\left(n\right)}}$. Once $s$ is compromised, the secret key can be generated beyond the key generation center's supervision. IPFE would no longer have the advantage over controlling the revealed information regarding underlying encrypted vector. All of the encrypted vectors related to master secret key $s$ will be totally exposed. For this issue, the work [19] and subsequent works such as [17], [18], [22] require the key generation center to keep track of the vectors for which secret keys are issued. However, the key generation center needs to store the issued vectors, and compare the new vectors with them. Moreover, the domain of vector $y$ is restricted to the space generated from some specific linearly independent vectors, where the number of these vectors is no more than $n-1$. So these schemes fail to preserve the master secret key privacy over the total space that is generated based on $n$ linearly independent vectors.

1.1.2 The Issues Regarding the Deployment of IPFE

As is shown in Fig. 1a, in the initial solution that enables cloud server to compute the inner product, the data user needs to send the secret key $sk_y$ to the cloud server. Obviously, the secret key privacy and the result privacy cannot be preserved. What is worse, the malicious cloud server can abuse the secret key without the data user's permission. After accomplishing the computational query for a data user, the cloud server can still use the secret key to decrypt the new stored ciphertexts for its personal purpose. This is undesirable in many realistic scenarios since the result may contain some sensitive information.

In IPFE, the key generation center is responsible for distributing the secret key to the legitimate ones. However, this key can be applied to all the ciphertexts with which it shares the same master secret key. The resulting outsourced computation scheme also has this property. However, this is undesirable in the data sharing setting, where the data owners usually want to selectively share the information about the outsourced data. For example, the data owner would like to share the information regarding medical data with the doctors, while the information regarding work data with the colleagues.

1.1.3 Our Contributions

We first identify the privacy issues regarding master secret key and encrypted vector in IPFE. To achieve stronger privacy guarantees than the original schemes, we introduce the notion of standard consistency constraint in IPFE and put forward the notion of master secret key hiding.

We construct an IPFE scheme that meets these requirements based on the scheme in [19]. In the resulting scheme, a ciphertext can be decrypted by only one specific secret key. The revealed information of the encrypted vector is just an inner product that is generated from the encrypted vector and the vector embedded in the secret key. In addition, the unbounded number of the secret key queries are allowed, and the master secret key is perfectly hidden in our scheme. The experimental results show that our scheme achieves these new properties at a reasonable price of time cost compared with the scheme in [19].

We propose a new outsourced computation model in the selectively data sharing setting. In this model, the data owner is free of the huge storage overhead, while the data user is free of both the huge storage overhead and the large computation cost. The shared item is the function on the outsourced data instead of the data itself in the conventional way, which is a new way to preserve the outsourced data privacy in the data sharing setting.

We propose an outsourced inner product computation scheme for the selectively data sharing setting based on our IPFE scheme. The verification time and the storage cost for data user are both independent of the vector size. The resulting scheme achieves the secret key privacy and the result privacy, which discourages the malicious cloud server from computing the inner product beyond the data user's request. The outsourced data privacy relies on the indistinguishable based (CCA) security of our IPFE scheme. In addition, the resulting scheme achieves the “double access control” over the outsourced data. This implies that only the authorized data user can compute the inner product on the outsourced data, and other functions are unallowed. It is the first attempt to preserve the outsourced data privacy in such a way for the data sharing setting.

As a side result, the proposed outsourced computation scheme can implement retrieval functionality. The data user can use it to locate and obtain the outsourced data stored in cloud server. More specifically, data owner encrypts the vector $x=\left(x_1,\ldots,x_n\right)$ resulting from the outsourced data $x_1$, $\ldots$, $x_n$ by this proposed scheme. Data user who wants to obtain the data $x_i$ can use the vector $y=\left(0,0,\ldots,0,1,0,\ldots,0\right)$ whose $i$th position is 1 to get $x_i$ by computing the inner product $\left<x,y\right>=\sum _{i=1}^{n}x_iy_i=x_i$.

1.2.1 The Inner Product Functional Encryption

In 2015, Abdalla et al. put forward the novel idea of IPFE in [16] in the public-key setting. They proposed two IPFE schemes under the Decision Diffie-Hellman (DDH) assumption and the Learning-With-Errors (LWE) assumption. These schemes are secure against the Chosen Plaintext Attack (CPA) under selective model. In 2016, they also proposed the adaptively CPA-secure generic constructions and corresponding concrete instantiations in [18]. The subsequent works attempted to increase the security level and implement the practical property. Agrawal et al. proposed the adaptively secure schemes based on the LWE assumption, the DDH assumption and the Decision Composite Residuosity (DCR) assumption [19]. In 2017, Benhamouda et al. proposed the schemes secure against Chosen Ciphertext Attack (CCA) [21]. These works all focused on the works qualified for the inner product computation over $\mathbb {Z}$. In 2018, Castagnos et al. proposed a scheme proper for the inner product computation over $\mathbb {Z}_p$ [17].

The existing works regarding IPFE usually consider the decryptor to be honest. Even though the privacy issue regarding the encrypted vector is mentioned in some existing works, such as [16], [17], they did not plan to solve this issue in the honest decryptor case. For the same reason, the privacy issue regarding the master secret key is not considered in the literature.

Another line of works, such as [23], [24], [25], [26] researched IPFE in the secret-key setting, where the encryptor and the decryptor share the same secret key. The standard consistency constraint in our IPFE scheme seems to be similar with the works in the secret-key setting. However, our work is still in the domain of public-key setting, where distinct encryptors can use the public key to generate ciphertexts for the designated decryptor.

1.2.2 The Outsourced Computation for Inner Product

The work [30] proposed the first practical outsourced computation scheme for high degree polynomial functions. In order to reduce the computation cost of verification, this work researched the primitive of Pseudorandom Functions (PRFs) with the closed form efficiency property. After this work, the work [31] proposed an outsourced computation scheme based on the outsourced database for matrix multiplication. In this work, a scheme supporting multi-function verifiable computation is also proposed, which allows a client to delegate the computation of multiple functions on the fixed outsourced data. The recent work [32] focused on the outsourced polynomial computation on the label-encrypted data under multi-server model. To perform the computation in a privacy-preserving manner, the outsourced data is stored in several cloud servers, and these cloud servers collectively accomplish the computation. Obviously, these schemes can be used to compute the inner product. However, these schemes need to compute the PRF value in the verification process, where the secret key is used. This implies that these schemes are not suitable for our setting where the data owner and the data user are distinct entities.

The works [33], [34] were specified on outsourced inner product computation. Similar to work [32], the work [33] used the technique of data splitting to protect the outsourced data privacy instead of the encryption, and store them in several different cloud servers. This scheme is more efficient than the cryptography-based ones. However, this scheme did not consider the verification. The work [34] proposed a scheme that is proper for inner product evaluation over outsourced data streams under multiple keys. This scheme can be used to compute the inner product on the data from different data owners. However, the storage overhead and the computation cost for data user are both dependent on the vector size.

The work [35] adopted the matrix digest technique to construct an outsourced computation scheme for batch matrix multiplication. This scheme achieves the public delegation that allows multiple data users to compute on the outsourced data. The input data privacy and the result privacy can be preserved, but it did not consider the procedures to preserve the outsourced data. In addition, the outsourced data are involved in the verification process, which contradicts the goal of relieving the local storage burden in the cloud storage.

In the research community, the outsourced computation has attracted more attention. For example, the works [36], [37] considered the applications of outsourced computation in the verifiable database. However, the outsourced computation in the selective data sharing setting is not fully considered. Since this model can largely reduce the local storage overhead and the computation cost, and implement the convenient information sharing in a privacy-preserving manner, it is interesting to investigate.

Definition 1 (DCR Assumption).

Given an integer $N$ which is the multiplication of primes $p$ and $q$, the advantage probability $Adv_{\mathcal {A}}^{\text{DCR}}(\lambda)$ of distinguishing $\mathcal {D}_1=\lbrace z|z \ {\in }_{R}\ \mathbb {Z}_{N^2}^{\ast }\rbrace$ and $\mathcal {D}_2=\lbrace z|z=z_0^N\ mod\ N^2, z_0\ {\in }_{R}\ \mathbb {Z}_{N}^{\ast }\rbrace$ is negligible.

Definition 2 (Access Structure).

If $\lbrace P_1,\ldots,P_n\rbrace$ is a set of parties, $U\subseteqq 2^{\lbrace P_1,\ldots,P_n\rbrace }\setminus \emptyset$ is called an access structure. The set $U^{\prime }$ included in $U$ is called authorized set, and otherwise is called unauthorized set. The monotone access structure implies that, for any set $B_1$ and $B_2$, $B_2\in U$ if $B_1\in U$ and $B_1\subseteqq B_2$.

In our proposed scheme, the role of parties $P_i$ for $i\in \lbrace 1,\ldots,n\rbrace$ is described by their attributes. Thus, the access structure $U$ consists of the attributes of parties in authorized set. For simplicity, we define the attributes as elements in $\mathbb {Z}_p$, i.e., $U=\lbrace 1,\ldots,\left|U\right|\rbrace $.

Definition 3 (Bilinear Map).

Given two cyclic groups $\mathbb {G}$, $\mathbb {G}_{T}$ of prime order $p$ and the generator $g_1$ of $\mathbb {G}$, the bilinear pairing is a map $e$: $\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T$ with following properties:

Non-degeneracy: $e(g_1,g_1)\ne 1$.

Bilinearity: $e(u_1^{a_1},u_2^{a_2})=e(u_1,u_2)^{a_1a_2}$ for all $u_1$, $u_2 \in \mathbb {G}$ and all $a_1$, $a_2\in \mathbb {Z}_p$.

Computability: we can find an efficient algorithm to compute $e(u_1,u_2)$ for all $u_1$, $u_2 \in \mathbb {G}$.

Definition 4 (Lagrange Coefficient).

We assume that $f(\cdot)$ is a $(d-1)$-degree polynomial and $U=\lbrace 1,\ldots,\left|U\right|\rbrace$. For every $i \in U$, the Lagrange coefficient for computing $f(x)$ is defined as \begin{equation*} \Delta _{i,U}(x)=\prod _{j\in U,j\ne i}\frac{x-j}{i-j}. \end{equation*} View Source \begin{equation*} \Delta _{i,U}(x)=\prod _{j\in U,j\ne i}\frac{x-j}{i-j}. \end{equation*} Then $f(x)$ can be represented as \begin{equation*} f(x)=\sum _{i=1}^{\left|U\right|}f(i)\Delta _{i,U}(x). \end{equation*} View Source \begin{equation*} f(x)=\sum _{i=1}^{\left|U\right|}f(i)\Delta _{i,U}(x). \end{equation*}

Definition 5 (Adapted Inner Product Functional Encryption, Ada-IPFE).

This definition of Ada-IPFE is adapted from the work [38], which is shown in Fig. 2

Fig. 2.

This is the adaptation of IPFE. The left subfigure is derived from the definition in [19]. The right subfigure is derived from Definition 5. The processes marked by “$\dashrightarrow$” in these two subfigures collectively reflect the standard consistency constraint of Definition 9.

Show All

• $\mathbf {Setup}(1^{\lambda }, 1^n,X,Y):$ On input security parameter $\lambda$, length parameter $n$ and two bound parameters $X$, $Y$, the setup algorithm outputs the master secret key $msk$ and the master public key $mpk$. This process is conducted by key generation center (KGC).

• $\mathbf {KeyGen}(y,msk):$ On input a vector $y$ and master secret key $msk$, the key generation algorithm outputs the secret key $sk_y$ and the public key $pk_y$. This process is conducted by KGC.

• $\mathbf {Encrypt}(x,mpk,pk_y):$ On input vector $x$, master public key $mpk$ and public key $pk_y$, the encryption algorithm outputs the ciphertext $C_x$. This process is conducted by qencryptor.

• $\mathbf {Decrypt}(sk_y,C_x):$ On input secret key $sk_y$ and ciphertext $C_x$, the decryption algorithm outputs the inner product $\left<x,y\right>$ or the error symbol $\perp$. This process is conducted by decryptor.

Definition 6 (Correctness of Ada-IPFE).

An Ada-IPFE scheme is correct if for all $(msk,mpk)$ $\leftarrow$ $\mathbf {Setup}(1^{\lambda }, 1^n,X,Y)$, $(sk_y,pk_y) \leftarrow \mathbf {KeyGen}(y,msk)$, $C_x\leftarrow \mathbf {Encrypt} (x,mpk,pk_y)$, the algorithm $\mathbf {Decrypt}(sk_y,C_x)$ outputs $\left<x,y\right>$ with probability $1-\epsilon$, where $\epsilon$ is negligible.

Definition 7 (Adaptive Security of Ada-IPFE).

This definition is adapted from [17]. To define the adaptive security of Ada-IPFE, we first give the model defined by the following game $Exp_{\mathcal {A},Ada-IPFE}^{AdpSec}$ played by $\mathcal {A}$ and $\mathcal {C}$.

• $\mathbf {Setup.}$ $\mathcal {C}$ runs $\mathbf {Setup}(1^{\lambda }, 1^n,X,Y)$ to produce $\left(msk,mpk\right)$. It sends $mpk$ to $\mathcal {A}$.

• $\mathbf {Query\ phase\ 1.}$ $\mathcal {A}$ adaptively chooses the vectors $y^{(1)},\ldots,y^{(l_1)}$ for $\mathcal {C}$. $\mathcal {C}$ runs $\mathbf { KeyGen}(y^{(i)},msk)$ to generate the secret keys $sk_{y^{(1)}},\ldots,sk_{y^{(l_1)}}$ and the public keys $pk_{y^{(1)}},\ldots,pk_{y^{(l_1)}}$ for $\mathcal {A}$.

• $\mathbf {Challenge.}$ $\mathcal {A}$ adaptively chooses the vectors $x^{(0)}$ and $x^{(1)}$ with the condition that $\left<x^{(0)},y^{(i)}\right>=\left<x^{(1)},y^{(i)}\right>$ for all $i\in \lbrace 1,\ldots,l_1\rbrace$ for $\mathcal {C}$. Then, $\mathcal {C}$ chooses a bit $\mu \ {\in }_{R}\ \lbrace 0,1\rbrace$, and runs $\mathbf {Encrypt}(x^{(\mu)},mpk,pk_{y^{(i_0)}})$ for one $i_0\in \left\lbrace 1,\ldots,l_1\right\rbrace$ to generate the challenge ciphertext $C_{x^{(\mu)}}$ for $\mathcal {A}$.

• $\mathbf {Query\ phase\ 2.}$ Upon receiving $C_{x^{(\mu)}}$, $\mathcal {A}$ adaptively chooses the vectors $y^{(l_1+1)},\ldots,y^{(l_1+l_2)}$ with the condition that $\left<x^{(0)},y^{(i)}\right>=\left<x^{(1)},y^{(i)}\right>$ for all $i\in \lbrace l_1+1,\ldots,l_1+l_2\rbrace$ for $\mathcal {C}$. $\mathcal {C}$ runs $\mathbf { KeyGen}(y^{(i)},msk)$ to generate the secret keys $sk_{y^{(l_1+1)}},\ldots,sk_{y^{(l_1+l_2)}}$ for $\mathcal {A}$.

• $\mathbf {Guess.}$ $\mathcal {A}$ outputs its guess $\mu ^{\prime }$, and wins in this game if $\mu ^{\prime }=\mu$.

An Ada-IPFE scheme is adaptively secure if $\mathcal {A}$ wins in $Exp_{\mathcal {A},Ada-IPFE}^{AapSec}$ with probability $\frac{1}{2}+\epsilon$, where $\epsilon$ is negligible.

Definition 8 (Master Secret Key Hiding of Ada-IPFE).

To define the master secret key hiding of Ada-IPFE, we first give the model defined by the following game $Exp_{\mathcal {A},Ada-IPFE}^{MSKH}$ played by $\mathcal {A}$ and $\mathcal {C}$.

• $\mathbf {Setup.}$ $\mathcal {C}$ runs $\mathbf {Setup}(1^{\lambda }, 1^n,X,Y)$ to produce $\left(msk,mpk\right)$. It sends $mpk$ to $\mathcal {A}$.

• $\mathbf {Query\ phase.}$ $\mathcal {A}$ adaptively chooses the vectors $y^{(1)},\ldots,y^{(l)}$ for $\mathcal {C}$. $\mathcal {C}$ runs $\mathbf { KeyGen}(y^{(i)}, msk)$ to generate the secret keys $sk_{y^{(1)}},\ldots,sk_{y^{(l)}}$ and the public keys $pk_{y^{(1)}},\ldots,pk_{y^{(l)}}$ for $\mathcal {A}$.

• $\mathbf {Guess.}$ $\mathcal {A}$ outputs its guess of the master secret key $msk^{\ast }$. $\mathcal {A}$ wins in this game if $msk^{\ast }=msk$.

An Ada-IPFE scheme is master secret key hiding if $\mathcal {A}$ wins in $Exp_{\mathcal {A},Ada-IPFE}^{MSKH}$ with probability $\epsilon$, where $\epsilon$ is negligible.

Definition 9 (Standard Consistency Constraint of Ada-IPFE).

An Ada-IPFE scheme guarantees the standard consistency constraint if the ciphertext $C_x$ generated with the public key $pk_y$ can only be decrypted by the secret key $sk_y$ to reveal the inner product $\left<x,y\right>$. This is shown in the Fig. 2.

Definition 10 (Encrypted Vector Hiding of Ada-IPFE).

An Ada-IPFE scheme is encrypted vector hiding if the underlying encrypted vector cannot be recovered.

3.1.1 The Role of Participants

As is shown in Fig. 1b, the outsourced inner product computation with access control over the encrypted database (OIPFE-ACED) involves four participants, namely key generation center (KGC), data owner (DO), cloud server (CS) and data user (DU). The details are described as follows.

1. KGC generates the system parameters which include the master public key and the master secret key. In addition, it is also responsible for generating the secret key for DU.

2. DO uses master public key to encrypt the outsourced data, and then stores it in CS.

3. KGC generates the secret key for DU based on DU's attributes. Then, DU transforms secret key into the evaluation key for CS.

4. Upon receiving the evaluation key, CS uses it to compute the intermediate result for DU. Then, DU recovers the desired inner product and verifies it.

3.1.2 System Components

A scheme for outsourced inner product computation with access control over the outsourced encrypted database consists of following five polynomial time algorithms.

• $\mathbf {Setup}(1^{\lambda }, 1^n, X, Y,U)$: On input the security parameter $\lambda$, the length parameter $n$, the bound parameters $X$ and $Y$, the system attribute universe $U$, the setup algorithm outputs the master secret key $msk$ and the master public key $mpk$. This process is conducted by KGC.

• $\mathbf {Store}(x,mpk,d)$: On input the vector $x$, the master public key $mpk$ and the threshold value $d$, the storage algorithm outputs the ciphertext $C_x$ and the verification key $VK$. Then, it stores $C_x$ in CS. This process is conducted by DO.

• $\mathbf {Query}(y,msk,U^{\prime })$: On input the vector $y$, the master secret key $msk$ and DU's attribute set $U^{\prime }$, the computational query algorithm outputs the secret key $sk_y$, the public information $pk_1$ and $pk_2$, the retrieving key $\pi$ and the evaluation key $EK_y$. This algorithm is divided into two stages. The first one is conducted by KGC, the second one is conducted by DU.

• $\mathbf {Compute} (pk_1,pk_2,EK_y,C_x)$: On input the public information $pk_1$ and $pk_2$, the evaluation key $EK_y$ and the ciphertext $C_x$, the computation algorithm outputs the proof $P$, the intermediate result $I$. This process is conducted by CS.

• $\mathbf {Recover}(I,sk_y,VK,P)$: On input the intermediate result $I$, the secret key $sk_y$, the verification key $VK$ and the proof $P$, the retrieving algorithm outputs the desired result $\left<x,y\right>$ and verifies this result if $\left|U\cap U^{\prime }\right|\geq d$. This process is conducted by DU.

Definition 11 (Correctness of OIPFE-ACED).

An OIPFE-ACED scheme is correct if for all $(msk,mpk)\leftarrow \mathbf {Setup}(1^{\lambda }, 1^n, X, Y,U)$, all $(C_x,VK)\leftarrow \mathbf {Store}(x,mpk,d)$, all $(sk_y,pk_1,pk_2,\pi,EK_y) \leftarrow \mathbf {Query}(y,msk,U^{\prime })$, all $(P,I)$ $\leftarrow \mathbf {Compute} (pk_1,pk_2,EK_y,C_x)$, the algorithm $\mathbf {Recover}(I,sk_y,VK,P)$ outputs the inner product $\left<x,y\right>$ with probability $1-\epsilon$ under the condition of $\left|U\cap U^{\prime }\right|\geq d$, where $\epsilon$ is negligible.

Definition 12 (Outsourced Vector Privacy of OIPFE-ACED).

To define the outsourced vector privacy of OIPFE-ACED, we first give the model defined by following game $Exp_{\mathcal {A},OIPFE}^{OVP}$ played by $\mathcal {A}$ and $\mathcal {C}$.

• $\mathbf {Setup.}$ $\mathcal {C}$ runs $\mathbf {Setup}(1^{\lambda }, 1^n,X,Y,U)$ to produce $\left(msk,mpk\right)$. It sends $mpk$ to $\mathcal {A}$.

• $\mathbf {Query\ phase.}$ $\mathcal {C}$ randomly chooses a vector $x$ and runs $\mathbf {Store}(x,mpk,d)$. Then, it sends the $C_x$ and $VK$ to $\mathcal {A}$. Then, $\mathcal {A}$ adaptively chooses the vectors $y^{(1)},\ldots,y^{(l)}$ and the attribute set $U^{\prime }$ for $\mathcal {C}$, $\mathcal {C}$ runs $\mathbf {Query}(y^{(i)},msk,U^{\prime })$ to produce $(pk_1^{(i)},pk_2^{(i)},EK_{y^{(i)}})$ for $\mathcal {A}$.

• $\mathbf {Challenge.}$ $\mathcal {A}$ adaptively chooses the vectors $y_{0}$ and $y_{1}$ for $\mathcal {C}$. $\mathcal {C}$ chooses $\mu \ {\in }_{R}\ \lbrace 0,1\rbrace$ and runs $\mathbf {Query}(y_\mu,msk,U^{\prime })$ to produce $(pk_1^{(\mu)},pk_2^{(\mu)},EK_{y_{\mu }})$ for $\mathcal {A}$.

• $\mathcal {A}$ outputs its guess $\mu ^{\prime }$, and wins in this game if $\mu ^{\prime }=\mu$.

An OIPFE-ACED scheme can preserve the outsourced vector privacy if $\mathcal {A}$ wins in $Exp_{\mathcal {A},OIPFE}^{OVP}$ with probability $\epsilon$ regardless of whether $\left|U\cap U^{\prime }\right|\geq d$ or $\left|U\cap U^{\prime }\right|< d$ holds, where $\epsilon$ is negligible.

Definition 13 (Unforgeability of OIPFE-ACED).

To define the unforgeability of OIPFE-ACED, we first give the model defined by the following game $Exp_{\mathcal {A},OIPFE}^{Unforge}$ played by $\mathcal {A}$ and $\mathcal {C}$.

• $\mathbf {Setup.}$ $\mathcal {C}$ runs $\mathbf {Setup}(1^{\lambda }, 1^n,X,Y,U)$ to produce $\left(msk,mpk\right)$. It sends $mpk$ to $\mathcal {A}$.

• $\mathbf {Query\ phase.}$ $\mathcal {C}$ chooses a vector $x$ to run $\mathbf {Store}(x,mpk,d)$ to produce the verification key $VK$ and the ciphertext $C_x$ for $\mathcal {A}$. Then, $\mathcal {A}$ adaptively chooses the vectors $y^{(1)},\ldots,y^{(l)}$ and the attribute set $U^{\prime }$ for $\mathcal {C}$. $\mathcal {C}$ runs $\mathbf {Query}(y^{(i)},msk,U^{\prime })$ for $i\in \lbrace 1,\ldots,l\rbrace$ to produce $(pk_1^{(i)},pk_2^{(i)},EK_{y^{(i)}})$ for $\mathcal {A}$.

• $\mathbf {Forgery.}$ $\mathcal {A}$ adaptively chooses the vectors $y^{\ast }$ for $\mathcal {C}$, $\mathcal {C}$ runs $\mathbf {Query}(y^{\ast },msk,U^{\prime })$ to produce $\left(pk_1^{\ast },pk_2^{\ast },EK_{y^{\ast }}\right)$ for $\mathcal {A}$. $\mathcal {A}$ outputs its forged intermediate result $I^{\ast }$ and the forged proof $P^{\ast }$ for $\mathcal {C}$.

• $\mathbf {Output.}$ $\mathcal {A}$ wins in this game if the final inner product resulting from the forged intermediate result passes the verification. Then, this game outputs 1, and otherwise outputs 0.

An OIPFE-ACED scheme achieves the unforgeability if $\mathcal {A}$ wins in $Exp_{\mathcal {A},OIPFE}^{Unforge}$ with probability $\epsilon$ regardless of whether $\left|U\cap U^{\prime }\right|\geq d$ or $\left|U\cap U^{\prime }\right|< d$ holds, where $\epsilon$ is negligible.

4.2.1 An Overview

In the setup phase, the global parameters are generated. The parameters related to Ada-IPFE are used to encrypt the outsourced vector and compute the inner product. Whereas, the rest parameters are used to achieve the access control over the outsourced database. Among the rest algorithms, the data outsourcing is implemented by the $\mathbf {Store}$ algorithm, the computation outsourcing is implemented by the algorithms of $\mathbf {Query}$, $\mathbf {Compute}$ and $\mathbf {Recover}$. In the $\mathbf {Store}$ algorithm, the outsourced vector is encrypted by the encryption procedures of Ada-IPFE scheme. And the components related to access policy and verification are also respectively generated. These items except that related to the verification are stored in CS. The privacy of the outsourced vector relies on the security of underlying Ada-IPFE. In the $\mathbf {Query}$ algorithm, the secret key related to one vector and DU's attribute set is generated. This secret key allows the legitimate DU to learn the desired inner product. For the security and privacy concerns, DU should avoid sending the secret key to CS. So DU needs to transform the secret key into the evaluation key. This is done by blinding the secret key with random factors. Thanks to these random factors, the returned result computed by CS is in the blinded form. This prevents CS from arbitrarily abusing the secret key beyond DU's request. In the $\mathbf {Compute}$ algorithm, CS computes the returned result and the proof. In the $\mathbf {Recover}$ algorithm, DU recovers the desired inner product by using the specific secret information. And it can verify this result in the necessary case.

4.2.2 Description of the Proposed OIPFE-ACED Scheme

Our OIPFE-ACED scheme based on the Paillier cryptographic system is described as follows.

• Setup($1^{\lambda }, 1^n, X, Y,U$): On input the security parameter $\lambda$, the length parameter $n$, the bound parameters $X$, $Y$ and the system attribute universe $U$, KGC chooses the prime numbers $\tilde{p}=2p^{\prime }+1$ and $\tilde{q}=2q^{\prime }+1$ to compute $N=\tilde{p}\tilde{q}$, where $p^{\prime }$, $q^{\prime }$ $>$ $2^{l(\lambda)}$ for some polynomial $l$. Furthermore, it chooses an element $g^{\prime }\ {\in }_{R}\ \mathbb {Z}_{N^2}^{\ast }$ and a vector $s=\left(s_1,\ldots, s_n\right) \ {\in }_{R}\ \mathcal {D}_{\mathbb {Z}^{n},\delta }$ which is the discrete Gaussian distribution with the standard deviation $\delta >\lambda ^{\frac{1}{2}}\cdot N^{\frac{5}{2}}$. For the system attribute universe $U$, KGC chooses the bilinear map $e$: $\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T$ as in Definition 3, the hash functions $H_1:\mathbb {G}_T\rightarrow \mathbb {Z}_N^{\ast }$, $H_2:\mathbb {Z}_{N^2}\rightarrow \mathbb {Z}_{N^2}$, the elements $A_1, \ldots, A_{\left|U\right|} \ {\in }_{R}\ \mathbb {G}$ and the values $a, \beta \ {\in }_{R} \ \mathbb {Z}_p$.

  Then, it computes \begin{align*} &g=g^{\prime 2N}\ mod \ N^2,\ \left\lbrace h_i=g^{s_i}\ mod \ N^2\right\rbrace _{i\in \left[1,n\right]},\\ & A=g_1^{a}, \ h=g_1^{\beta }, \ E=e(g_1,g_1)^{\beta }. \end{align*} View Source \begin{align*} &g=g^{\prime 2N}\ mod \ N^2,\ \left\lbrace h_i=g^{s_i}\ mod \ N^2\right\rbrace _{i\in \left[1,n\right]},\\ & A=g_1^{a}, \ h=g_1^{\beta }, \ E=e(g_1,g_1)^{\beta }. \end{align*} Finally, it sets \begin{align*} &msk=\left(s,h,Y \right),\\ & mpk=(g,\lbrace h_i\rbrace _{i\in \left[1,n\right]}, \lbrace A_i\rbrace _{i\in \left[1,\left|U\right|\right]}, e,\mathbb {G},\mathbb {G}_T,g_1,H_1,\\ &\quad \quad \quad \ \ H_2, A, E, N, X), \end{align*} View Source \begin{align*} &msk=\left(s,h,Y \right),\\ & mpk=(g,\lbrace h_i\rbrace _{i\in \left[1,n\right]}, \lbrace A_i\rbrace _{i\in \left[1,\left|U\right|\right]}, e,\mathbb {G},\mathbb {G}_T,g_1,H_1,\\ &\quad \quad \quad \ \ H_2, A, E, N, X), \end{align*} stores the master secret key $msk$ and makes the master public key $mpk$ public.

• Store($x,mpk,d$): On input $x=(x_1,\ldots,x_n)$, the master public key $mpk$ and the threshold value $d$, DO chooses $c\ {\in }_{R}\ \mathbb {Z}_{p}$, $r\ {\in }_{R}\ \lbrace 0,\ldots,\lfloor \frac{N}{4}\rfloor \rbrace$, the random values $\left\lbrace a_i\right\rbrace _{i\in [1,\left|U\right|]}$ from $\mathbb {Z}_p$ and a $(d-1)$-degree polynomial $f(\chi)\ {\in }_{R}\ \mathbb {Z}_p[\chi ]$ such that $f(0)=c$.

  Then, it computes \begin{align*} \sigma &=H_1(E^{c}),\ C_0=g_1^{c},\ C_1=g^{r}\ mod \ N^2, \\ C_2&=\left\lbrace ct_i=h_i^{r}\cdot (1+N\sigma x_i) \ mod \ N^2\right\rbrace _{i\in \left[1,n\right]}, \\ C_3&=\left\lbrace \left(c_{i,1},c_{i,2}\right)=\left(A^{f(i)}A_{i}^{-a_i},g_1^{a_i}\right)\right\rbrace _{i\in \left[1,\left|U\right|\right]},\\ vk&=H_2(ct_1), \ vk_1=g^{\sigma }\ mod \ N^2. \end{align*} View Source \begin{align*} \sigma &=H_1(E^{c}),\ C_0=g_1^{c},\ C_1=g^{r}\ mod \ N^2, \\ C_2&=\left\lbrace ct_i=h_i^{r}\cdot (1+N\sigma x_i) \ mod \ N^2\right\rbrace _{i\in \left[1,n\right]}, \\ C_3&=\left\lbrace \left(c_{i,1},c_{i,2}\right)=\left(A^{f(i)}A_{i}^{-a_i},g_1^{a_i}\right)\right\rbrace _{i\in \left[1,\left|U\right|\right]},\\ vk&=H_2(ct_1), \ vk_1=g^{\sigma }\ mod \ N^2. \end{align*} Finally, it sets $C_x=\left(C_0,C_1,C_2,C_3\right)$ and $VK=\left(VK_1,VK_2,VK_3\right)=\left(vk,vk_1,C_1\right)$, stores the ciphertext $C_x$ in the cloud server and makes the verification key $VK$ public.

• Query($y,msk,U^{\prime }$): On input $y=(y_1,\ldots,y_n)$, the master secret key $msk$ and the attribute set $U^{\prime }$, this process consists of the below two phases.

  1) Secret key generation. KGC chooses the values $\alpha \ {\in }_{R}\ \mathbb {Z}_{N}$ and $t\ {\in }_{R}\ \mathbb {Z}_p$ to compute \begin{align*} &pk_1=C_1^{\alpha }\ mod\ N^2,\ sk_{0,0}=h A^{t},\ sk_{0,1}=g_1^{t}, \\ &sk=\left\langle s,y\right\rangle +\alpha,\ \left\lbrace sk_i=A_i^{t}\right\rbrace _{i\in U^{\prime }}. \end{align*} View Source \begin{align*} &pk_1=C_1^{\alpha }\ mod\ N^2,\ sk_{0,0}=h A^{t},\ sk_{0,1}=g_1^{t}, \\ &sk=\left\langle s,y\right\rangle +\alpha,\ \left\lbrace sk_i=A_i^{t}\right\rbrace _{i\in U^{\prime }}. \end{align*} It sets $sk_y=\left(sk, sk_{0,0}, sk_{0,1}, \left\lbrace sk_i\right\rbrace _{i\in U^{\prime }}\right),$ sends the secret key $sk_y$ to DU and makes the public information $pk_1$ public.

  2) Evaluation key generation. DU chooses the values $\xi _1 \ {\in }_{R}\ \mathbb {Z}_{N}$ and $\xi _2 \ {\in }_{R}\ \mathbb {Z}_{p}^{\ast }$ to compute \begin{align*} &pk_2=C_1^{\xi _1}\ mod\ N^2, \ sk_{0,0}^{\prime }=sk_{0,0}^{\xi _2},\ sk^{\prime }_{0,1}=sk_{0,1}^{\xi _2}, \\ &sk^{\prime }=sk+\xi _1,\ \left\lbrace sk^{\prime }_i= sk_i^{\xi _2}\right\rbrace _{i\in U^{\prime }}. \end{align*} View Source \begin{align*} &pk_2=C_1^{\xi _1}\ mod\ N^2, \ sk_{0,0}^{\prime }=sk_{0,0}^{\xi _2},\ sk^{\prime }_{0,1}=sk_{0,1}^{\xi _2}, \\ &sk^{\prime }=sk+\xi _1,\ \left\lbrace sk^{\prime }_i= sk_i^{\xi _2}\right\rbrace _{i\in U^{\prime }}. \end{align*} Then, it sets \begin{equation*} \pi =\xi _2,\ EK_y=\left(y, sk^{\prime }, sk^{\prime }_{0,0}, sk^{\prime }_{0,1}, \left\lbrace sk^{\prime }_i\right\rbrace _{i\in U^{\prime }}\right), \end{equation*} View Source \begin{equation*} \pi =\xi _2,\ EK_y=\left(y, sk^{\prime }, sk^{\prime }_{0,0}, sk^{\prime }_{0,1}, \left\lbrace sk^{\prime }_i\right\rbrace _{i\in U^{\prime }}\right), \end{equation*} stores the retrieving key $\pi$, makes the public information $pk_2$ public and sends the evaluation key $EK_y$ to CS.

• Compute$(pk_1,pk_2,EK_y,C_x)$: On input the public information $pk_1$ and $pk_2$, the evaluation key $EK_y$ and the ciphertext $C_x$, CS computes \begin{align*} &\omega _1=\frac{e\left(C_0,sk^{\prime }_{0,0}\right)}{\prod _{i\in U^{\prime }}\left(e\left(c_{i,1},sk_{0,1}^{\prime }\right)e\left(c_{i,2},sk^{\prime }_i\right)\right)^{\Delta _{i,U^{\prime }}(0)}}, \\ &\omega _2=pk_1\cdot pk_2\cdot \prod _{i=2}^{n}ct_i^{y_i}\ mod\ N^2,\\ &\omega _3=ct_1^{y_1}\omega _2/ C_1^{sk^{\prime }}\ mod\ N^2. \end{align*} View Source \begin{align*} &\omega _1=\frac{e\left(C_0,sk^{\prime }_{0,0}\right)}{\prod _{i\in U^{\prime }}\left(e\left(c_{i,1},sk_{0,1}^{\prime }\right)e\left(c_{i,2},sk^{\prime }_i\right)\right)^{\Delta _{i,U^{\prime }}(0)}}, \\ &\omega _2=pk_1\cdot pk_2\cdot \prod _{i=2}^{n}ct_i^{y_i}\ mod\ N^2,\\ &\omega _3=ct_1^{y_1}\omega _2/ C_1^{sk^{\prime }}\ mod\ N^2. \end{align*}

  Then, it sets $P=\left(P_1,P_2\right)=\left(ct_1,\omega _2\right)$, and sends the intermediate result $I=\left(\omega _1,\omega _3\right)$, the proof $P$ to DU.

• Recover($I,sk_y,VK,P$): On input the intermediate result $I$, the secret key $sk_y$, the evaluation key $VK$, the proof $P$, DU computes the following values with the aid of KGC who can compute the inverse in $\mathbb {Z}_N^{\ast }$ (i.e., $\omega _3^{\omega _4^{-1}}$, where $\omega _4$ is computed by DU) \begin{equation*} \omega _4=H_1\left(\omega _1^{\pi ^{-1}}\right),\ \omega _5=\frac{1}{N}\left(\left(\omega _3^{\omega _4^{-1}}-1\right)\ mod \ N^2\right). \end{equation*} View Source \begin{equation*} \omega _4=H_1\left(\omega _1^{\pi ^{-1}}\right),\ \omega _5=\frac{1}{N}\left(\left(\omega _3^{\omega _4^{-1}}-1\right)\ mod \ N^2\right). \end{equation*} It can verify the final result by computing \begin{align*} &H_2\left(P_1\right)\overset{?}{=}VK_1, \tag{2} \end{align*} View Source \begin{align*} &H_2\left(P_1\right)\overset{?}{=}VK_1, \tag{2} \end{align*} \begin{align*} &g^{\omega _4}\ mod\ N^2\overset{?}{=} VK_2,\tag{3} \end{align*} View Source \begin{align*} &g^{\omega _4}\ mod\ N^2\overset{?}{=} VK_2,\tag{3} \end{align*} \begin{align*} &P_1^{y_1} P_2\ mod\ N^2\overset{?}{=} VK_3^{sk^{\prime }}\left(1+N\right)^{\omega _4 \omega _5}\ mod\ N^2. \tag{4} \end{align*} View Source \begin{align*} &P_1^{y_1} P_2\ mod\ N^2\overset{?}{=} VK_3^{sk^{\prime }}\left(1+N\right)^{\omega _4 \omega _5}\ mod\ N^2. \tag{4} \end{align*} If the Equations (2), (3) and (4) hold at the same time, the result $\omega _5$ is correct, and DU accepts it as $\left<x,y\right>$. Otherwise, DU rejects it.

5.1.1 Correctness of Ada-IPFE Scheme

The intuitive sense of the correctness is that the final result obtained by the decryptor is $\left<x,y\right>$ for $x$ and $y$ if the procedures are honestly executed. The proposed Ada-IPFE scheme is correct. Formally, we have the following theorem.

5.1.2 The Adaptive Security of Ada-IPFE Scheme

The security of Ada-IPFE scheme states that given a ciphertext of the vector $x$, the only information revealed by the secret key related to the vector $y$ is the inner product $\left<x,y\right>$. Specifically, no $\mathcal {A}$ can distinguish the encryption of $x_0$ from that of $x_1$ even with the information of the adaptively chosen secret keys $sk_{y^{(1)}},\ldots,sk_{y^{(l_1+l_2)}}$ with the condition that $\left<x^{(0)},y^{(i)}\right>=\left<x^{(1)},y^{(i)}\right>$ for all $i\in \lbrace 1,\ldots,l_1+l_2\rbrace$. The adaptive security allows $\mathcal {A}$ to have access to the system public parameters, and query series of secret keys before choosing the challenge vectors $x_0$ and $x_1$. The Ada-IPFE scheme achieves the adaptive security. Formally, we have the following theorem.

5.1.3 The Master Secret Key Hiding of Ada-IPFE Scheme

In the Ada-IPFE scheme, the master secret key consists of a vector $s=(s_1,\ldots,s_n)$ and a bound parameter $Y$. We do not consider the revealing of $Y$, since it is kept as a secret value by the decryptor and no longer involved in the subsequent operations. However, thanks to the linearity of inner product, the crucial component $s$ could be recovered by solving a system of linear equations in the existing works. The master secret key hiding property requires that $s$ should be hidden all the time. The Ada-IPFE scheme achieves this property, and we have the following theorem.

5.1.4 Standard Consistency Constraint of Ada-IPFE Scheme

The standard consistency constraint states that the public key $pk_y$ is bonded to the secret key $sk_y$, so that the ciphertext $C_x$ generated with $pk_y$ can only be decrypted by $sk_y$ to reveal the inner product $\left<x,y\right>$, and the ciphertext $C_x$ generated with $pk_y$ cannot be decrypted by $sk_{y^{\prime }}$ to reveal the inner product $\left<x,y^{\prime }\right>$. However, the inner product $\left<x^{\prime },y\right>$ is allowed to reveal if the ciphertext for the vector $x^{\prime }$ is generated with $pk_y$. Clearly, the standard consistency constraint can prevent the encrypted vector $x$ from being recovered. Our Ada-IPFE scheme guarantees the standard consistency constraint. We have the following theorem.

5.1.5 Encrypted Vector Hiding of Ada-IPFE Scheme

In the existing works, the encrypted vector $x$ can be recovered if several inner products $\left<x,y^{(1)}\right>,\ldots,\left<x,y^{(n)}\right>$ are allowed to reveal, where $y^{(1)},\ldots,y^{(n)}$ are linearly independent. The encrypted vector hiding requires that $x$ cannot be recovered in any case. The Ada-IPFE scheme can hide the encrypted vector. Formally, we have the following theorem.

5.2.1 Correctness of the OIPFE-ACED Scheme

The intuitive sense of the correctness is that the final result obtained by DU is $\left<x,y\right>$ for $x$ and $y$ if the procedures are honestly executed. The proposed OIPFE-ACED scheme is correct. Formally, we have the following theorem.

5.2.2 The Outsourced Vector Privacy of OIPFE-ACED Scheme

The outsourced vector privacy is a very important issue in the OIPFE-ACED scheme. The basic requirement for the data storage in CS is that the privacy of the outsourced data should be preserved. More formally, we have the below theorem.

5.2.3 The Unforgeability of OIPFE-ACED Scheme

The unforgeability of OIPFE-ACED scheme states that the malicious CS cannot make DU accept the wrong inner product. To be more specific, the forged result by CS which is not equal to the desired inner product cannot pass the verification. Formally, we have the following theorem.

6.1.1 Functionality Analysis

In Table 2, we give the functionality comparisons for our Ada-IPFE scheme with existing works [16], [17], [18], [19], [21] in the public key setting, where different encryptors can generate ciphertexts for the same decryptor. The DDH-based IPFE scheme in [16] is the first concrete scheme for the novel idea of IPFE. In order to obtain the desired inner product, it needs to compute the expensive discrete logarithm in the decryption algorithm. So, this instantiation from ElGamal encryption is restricted to computing the inner product in a prescribed short interval, which makes this scheme not practical. This limitation also exists in other DDH-based schemes. To overcome this limitation, the DCR-based schemes, the LWE-based schemes and the schemes based on variants of DDH assumption are proposed. In these schemes, the desired inner product can be efficiently obtained in decryption algorithm, since they can avoid computing the expensive discrete logarithm. So, the short result interval does not need to be imposed on these IPFE schemes. In order to solve the issue regarding master secret key privacy for the vector that has $n$ components, the existing works such as [17], [19] have considered solving it over a subspace of $n$-dimension space that is generated from $n-1$ linearly independent vectors. The master secret key hiding over the total space (i.e., generated from $n$ linearly independent $n$-dimension vectors) and the encrypted vector hiding are not fully considered in the existing works.

TABLE 2 Functionality Comparisons for Ada-IPFE With Existing Works

6.1.2 Efficiency Analysis

In Table 3, we give the computation cost comparisons between work [19] and our Ada-IPFE scheme. We intend to show that our Ada-IPFE scheme achieves the stronger privacy guarantees at reasonable price of efficiency. Since the security of these schemes is based on the DCR assumption, it is more reasonable to compare our Ada-IPFE scheme with the scheme in [19] than with that in [16]. In this table, we denote an exponent operation, the operation of choosing a random value, a multiplication operation, an addition operation, a subtraction operation and inversion operation by $Exp$, $Rand$, $Mul$, $Add$, $Sub$ and $Inv$ in $\mathbb {Z}_{N^2}$, respectively. We also denote the operation of choosing a random value, a multiplication operation, an addition operation, a subtraction operation and an inversion operation by $rand$, $mul$, $add$, $sub$ and $inv$ in $\mathbb {Z}_{N}$, respectively.

TABLE 3 Computation Cost Comparisons for Ada-IPFE With the Scheme in [19]

In $\mathbf {Setup }$, these two schemes need to take the same actions to initialize the encryption system. In $\mathbf {KeyGen}$, our Ada-IPFE scheme needs to perform additional computations to achieve the desired privacy guarantees. We need to choose two random values to generate the secret key and the public key for one specific vector. We also need to compute the corresponding public commitments for the subsequent procedures. The master secret key hiding is achieved in this phase. In $\mathbf {Encrypt}$, our Ada-IPFE scheme needs to perform additional computations to generate ciphertext for the designated decryptor. That is, the ciphertext is generated corresponding to the specific one secret key held by designated decryptor. These additional computations mainly contribute to building the relationship between ciphertext and designated decryptor. In $\mathbf {Decrypt}$, our Ada-IPFE scheme needs to perform additional computations to remove the items introduced by privacy solutions.

In addition to the theoretical analysis, we also give the experimental results in Fig. 3. And Figs. 3a, 3c and 3d show that the time cost in $\mathbf {Setup }$, $\mathbf {Encrypt }$ and $\mathbf {Decrypt }$ of the scheme in [19] and our IPFE scheme are respectively almost the same. Fig. 3b shows that the time cost of our IPFE scheme in $\mathbf {KeyGen}$ is a bit large than that of the scheme in [19]. As is introduced before, the additional time cost results from the fact that we intend to achieve the privacy guarantees.

Fig. 3.

Time cost comparisons for IPFE.

Show All

6.2.1 Functionality Analysis

Our OIPFE-ACED scheme is a new outsourced inner product computation scheme. This scheme focuses on not only the outsourced inner product computation but also the outsourced storage. For data privacy concerns, the data owner in the system can use this scheme to encrypt the data and then store the encrypted data in the cloud server. The data privacy is preserved based on the security of the underlying IPFE scheme. In our mentioned setting, there are also several data users who may be different entities from data owner. In addition to the traditional privacy issues, the revealed information and the data user are also regulated in this scheme. So, it is proper for the setting where multiple data owners and multiple data users are involved. These entities can share the inner product derived from the outsourced data.

6.2.2 Efficiency Analysis

When making the efficiency analysis, the storage efficiency is also a major aspect of our work. The basic requirements are that the data user can avoid downloading the outsourced data from cloud server and the storage overhead is independent of the vector size, if the data user makes use of the outsourced encrypted data. In Table 4, we show the storage overhead for every entity and the computation cost in every stage. We intend to show that data owner is free of the storage burden (i.e., nothing needs to be stored locally once the data is outsourced to cloud server) and the storage overhead is independent of the vectors size (i.e., constant). Furthermore, the total time cost that data user spends in the evaluation key generation stage of $\mathbf {Query}$ and $\mathbf {Recover}$ is less than that in $\mathbf {Compute}$.

TABLE 4 Computation Cost in OIPFE-ACED Scheme

For storage, we denote an element in $\mathbb {Z}$, $\mathbb {Z}_p$, $\mathbb {Z}_N$, $\mathbb {Z}_{N^2}$, $\mathbb {G}$ and $\mathbb {G}_T$ by $Z$, $Z_p$, $Z_N$, $Z_{N^2}$, $G$ and $G_T$, respectively. For computation, we denote the operation of choosing a random value and an inversion operation in $\mathbb {Z}_p$ by $R_1$ and $I_1$, respectively; we denote the exponent operation, the multiplication operation, the operation of choosing a random value, the addition operation and the inversion operation in $\mathbb {Z}_N$ by $E_2$, $M_2$, $R_2$, $A_2$ and $I_2$, respectively; we denote the exponent operation, the multiplication operation, the operation of choosing a random value and the subtraction operation in $\mathbb {Z}_{N^2}$ by $E_3$, $M_3$, $R_3$ and $S_3$, respectively; we denote an exponent operation, a multiplication operation, the operation of choosing a random value and an inversion operation in $\mathbb {G}$ by $E_4$, $M_4$, $R_4$ and $I_4$, respectively; we denote an exponent operation and a multiplication operation in $\mathbb {G}_T$ by $E_5$ and $M_5$, respectively; we denote a hash computation $H_1$, the hash computation $H_2$ and a pairing computation by $H_1$, $H_2$ and $P$, respectively.

From Tables 4 and 5, the data owner is free of the computation burden once the data is outsourced to cloud server. The data user just stores one element of $\mathbb {Z}$, one element of $\mathbb {Z}_p$ and one element of $\mathbb {G}$. So the storage efficiency is achieved as desired. The data user's computation cost involved in the evaluation key generation stage of $\mathbf { Query}$ and $\mathbf {Recover}$ are respectively $R_1+R_2+A_2+E_3+\left(2+\left|U^{\prime }\right|\right)E_4$ and $2I_1+E_2+M_2+I_2+A_2+4E_3+M_3+S_3+H_1+H_2$, which are both independent of the vector size $n$. If the data user first downloads the outsourced data and then performs the computation locally, the storage overhead and the computation cost for cloud server would be transmitted to data user besides the huge communication overhead. This is infeasible for the resource-limited data user to complete. From these, our proposed OIPFE-ACED scheme reduces lots of storage overhead for both data owner and data user as well as the computation burden for data user.

TABLE 5 Storage Overhead and Communication Cost in OIPFE-ACED Scheme

In Table 5, we also show the communication overhead of every entity in OIPFE-ACED scheme. The key generation center's communication overhead is $Z+\left(\left|U^{\prime }\right|+2\right)G$ because it needs to send the secret key to data user. The cloud server's communication overhead is $3Z_{N^2}+G_T$ that results in the process of returning intermediate result to data user. The data user's communication overhead in requesting cloud server to compute the inner product is $\left(n+1\right)Z+\left(\left|U^{\prime }\right|+2\right)Z_p$. When the data owner stores the data in cloud server, the communication overhead is $\left(n+1\right)Z_{N^2}+\left(2\left|U^{\prime }\right|+1\right)G$.

The experimental results are shown in Fig. 4, where the size of universal attribute set is 20 (i.e., $\left|U\right|=20$) and the size of data user attribute set is 10 (i.e., $\left|U^{\prime }\right|=10$). In order to make the results more credible, the vector size varies from 1000 to 10000. Fig. 4a shows that the time cost in data user's side is constant. And Fig. 4b shows that the time cost in cloud server's side grows with the vector size. These two subfigures explicitly show that the time cost in data user's side is less than that in cloud server's side. And the difference becomes distinct as the vector size grows. This implies that our OIPFE-ACED scheme is practical when the vector size is large.

Fig. 4.

Time cost comparisons for OIPFE-ACED scheme.

Show All