Functional encryption for set intersection in the multi-client setting

Lee, Kwangsu; Seo, Minhye

doi:10.1007/s10623-021-00961-w

Functional encryption for set intersection in the multi-client setting

Published: 30 October 2021

Volume 90, pages 17–47, (2022)
Cite this article

Download PDF

Designs, Codes and Cryptography Aims and scope Submit manuscript

Functional encryption for set intersection in the multi-client setting

Download PDF

2290 Accesses
5 Citations
Explore all metrics

Abstract

Functional encryption for set intersection (FE-SI) in the multi-client environment is that each client i encrypts a set $X_i$ associated with time T by using its own encryption key and uploads it to a cloud server, and then the cloud server which receives a function key of the client indexes i, j from a trusted center can compute the intersection $X_i \cap X_j$ of the two client ciphertexts. In this paper, we first newly define the concept of FE-SI suitable for the multi-client setting. Then, we propose an efficient FE-SI scheme in asymmetric bilinear groups and prove the static security of our scheme under newly introduced assumptions. In our FE-SI scheme, a ciphertext consists of $O(\ell )$ group elements, a function key consists of a single group element, and the decryption algorithm has $O(\ell ^2)$ complexity where $\ell $ is the size of a set in the ciphertext. Next, we propose another FE-SI scheme with time-constrained keys that limits the ability of function keys to be valid only for a specified time period T, and proves the static security of our scheme. Finally, we prove that the two assumptions hold in the general group model to provide confidence in the two newly introduced assumptions.

Two-Client and Multi-client Functional Encryption for Set Intersection

Flexible multi-client functional encryption for set intersection

Article 29 March 2023

Decentralized multi-client functional encryption for set intersection with improved efficiency

Article Open access 29 October 2022

1 Introduction

Functional encryption (FE) is a new extension of public-key encryption [11]. In FE, a ciphertext is associated with a message x and a private key is associated with a function f, and the decryption algorithm reveals the result of function calculation f(x) [10]. An FE scheme that supports an arbitrary function f can be constructed by using indistinguishability obfuscation [21]. However, to date, designing an efficient construction for indistinguishability obfuscation is a difficult problem. Another way to implement an efficient FE scheme is to limit the expressiveness of the functions supported by FE. Recently, a new FE scheme that supports the inner product operations of ciphertexts and private keys was introduced [3, 5]. By using the FE scheme for inner-products, it is possible to build an efficient FE scheme that performs statistical operations such as average and weighted sum.

It is an interesting research direction to devise other efficient FE scheme that provides new functions that cannot be expressed using inner products. In this paper, we pay attention to a function that calculate the intersection of two sets. Many studies have been conducted on private set intersection (PSI) that computes the intersection of two sets without revealing anything else [16, 18, 19, 26]. Basically, PSI is a two-party protocol in which two parties with sets X and Y exchange encrypted messages multiple times with each other to compute the intersection $X \cap Y$. At this time, the two parties cannot obtain information on the other’s set items except the intersection items. Many PSI protocols have been proposed, but fundamentally it has a disadvantage that requires interactions between parties. In an environment where a large number of users stores their encrypted data in a cloud server and do not access the cloud server afterwards, an FE scheme for set intersection that does not require interactions is more suitable than a PSI protocol that requires interactions between users. An FE scheme for set intersection can be constructed by using a multi-input FE scheme for arbitrary functions, but this approach is still ineffective because this FE scheme requires indistinguishability obfuscation [24].

Recently, FE schemes that support set intersection operations was proposed by Kamp et al. [35]. They defined the concept of multi-client FE for set intersection by extending the concept of multi-client FE introduced in [24]. In addition, they proposed a two-client FE scheme for set intersection that operates between two clients and a multi-client FE scheme for set intersection that operates between multiple clients. However, their FE definition for set intersection has a problem of lacking the flexibility to control the set intersection operation because only one function key is set at the setup stage. For this reason, their FE scheme has a problem that the setup algorithm needs to be performed for each pair of clients to perform the set intersection. For example, if there are n clients, a maximum of $n^2$ setups is required for the set intersection between two clients and each client has to store $n^2$ encryption keys.

A better FE scheme for set intersection is that only one setup is performed even if there are n clients, and each client must own only one encryption key. In addition, this FE scheme can issue many function keys for set intersection, and an entity with a function key must be able to freely calculate the set intersection on two ciphertexts of the corresponding clients. In this paper, we ask whether it is possible to efficiently construct this better FE scheme for set intersection.

1.1 Our contributions

In this paper, we define FE that supports the set intersection operation and propose two FE schemes for set intersection in bilinear groups.

Definition First, we define functional encryption for set intersection (FE-SI) that supports basic intersection operation. In FE-SI, a trusted center provides an independent encryption key $EK_i$ for each client i and generates a function key $SK_{i,j}$ for the intersection operation on two clients i, j. Each client with an index i creates a ciphertext $C_i$ on time T by encrypting a set $X_i$ by using its encryption key. After that, a third party with a function key $SK_{i,j}$ can compute the intersection $X_i \cap X_j$ from two ciphertexts $C_i$ and $C_j$ of two clients i, j by running the decryption algorithm when the ciphertexts are generated at the same time T. We modify the definition of FE-SI to define functional encryption for set intersection with time-constrained keys (FE-SI-TCK) that issues a function key that is valid only for a limited time period T. The function key of FE-SI-TCK can limit the life-time of the function key because the function key is additionally associated with time and it is valid only for ciphertexts of the same time.

FE for set intersection In order to design an FE-SI scheme in asymmetric bilinear groups, we devise a method to derive a temporal key TK to be used for encryption and decryption when the ciphertext elements of two clients encrypt the same set item x. That is, when the encryption keys of clients i and j are given as $(\alpha _i, \beta _i)$ and $(\alpha _j, \beta _j)$ respectively, the ciphertext elements of two clients i, j are formed as $H(T\Vert x)^{\alpha _i}, H(T\Vert x)^{\alpha _j}$ where H is a hash function and x is a set item, and a function key for indexes i, j is provided as $SK_{i,j} = \hat{g}^{\beta _i / (\alpha _i + \alpha _j)}$. Then a temporal key is derived as $e(H(T\Vert x)^{\alpha _i} \cdot H(T\Vert x)^{\alpha _j}, SK_{i,j}) = e(H(T\Vert x), \hat{g})^{\beta _i}$ by using a pairing operation. In our FE-SI scheme, a function key is composed of a single group element and the size of a ciphertext is proportional to the number of set items. The decryption algorithm requires $O(\ell ^2)$ complexity where $\ell $ is the size of a set because it needs to try all possible pairs of ciphertext elements of two clients. In order to prove the security of our FE-SI scheme, we define a static-IND security model such that an attacker initially submits all corrupted clients, challenge sets, and all function key queries. To prove the static-IND security of our FE-SI scheme, we newly introduce two dynamic assumptions derived from the FE-SI scheme and show that these assumptions hold in the generic group model. In addition, we present the extensions of our FE-SI scheme that support associated data encryption, set intersection cardinality, and multi-party set intersection.

FE-SI with time-constrained keys The function key for indexes i, j of our FE-SI scheme is very powerful because it can be used to compute the set intersection of all ciphertexts of two clients i, j. A way to provide additional control to the FE-SI scheme is to limit the availability of the function key to a specific time period. By modifying our FE-SI scheme, we propose an FE-SI-TCK scheme that has the ability to issue a function key that is only valid for a time period T. In order to limit the function key for the time T, we derive a time encryption key $(\alpha _{i,T}, \beta _{i,T})$ for each individual time period T from an original encryption key $EK_i$ and use this key for ciphertext encryption on time T. That is, by using the pseudo-random function PRF, we calculate $\alpha _{i,T} = PRF(z, 1\Vert T)$ and $\beta _{i,T} = PRF(z, 2\Vert T)$ where z is the original encryption key. In this case, the function key is generated as $SK_{i,j,T} = \hat{g}^{\beta _{i,T} / (\alpha _{i,T} + \alpha _{j,T})}$ for the time T, which is only valid for the time T. In order to prove security of our FE-SI-TCK scheme, we argue that our FE-SI-TCK scheme is static-IND secure if our FE-SI scheme is also static-IND secure. In addition, the FE-SI-TCK scheme can be easily extended to support a time-range function key that is valid from time $T_L$ to time $T_R$, and to provide forward secrecy that protects past ciphertexts even when the encryption key of a client is exposed.

1.2 Application

Privacy-preserving contact tracing Due to the worldwide spread of infectious diseases such as the coronavirus, there is a need for a way to trace people who have come into contact with a confirmed patient for public health [1]. To this end, people want to check whether a common location exists between their visited locations and the visited locations of the confirmed patient while hiding their locations. One method is to use the existing private set intersection (PSI) protocol to calculate the set intersection. However, this method is difficult to directly apply since additional interactions between users are needed to calculate the intersection and the load of client computation is relatively high. Recently, private set intersection cardinality (PSI-CA) protocols for contact tracing has been proposed [17, 34]. Another way is to use an MCFE scheme for set intersection. To this end, a hospital cloud server stores the encrypted data of the visited locations of the confirmed patient. Then, when a user encrypts his visited locations and uploads them to the cloud server, the hospital cloud server receives a function key for set intersection cardinality and calculates the set intersection cardinality between the user and the confirmed person. If the cardinality of the set intersection is positive, then the cloud server notifies the user that there is a possibility of contact. After that, the user may additionally receive a function key for set intersection and decrypts the exact intersection locations. Another advantage of using the MCFE scheme is that the set intersection operation of ciphertexts corresponding to the same time period is allowed, but the set intersection operation of ciphertexts in different time periods is not allowed.

1.3 Related work

Functional encryption The concept of functional encryption (FE) was introduced by Boneh et al. [10, 11]. Identity-based encryption, hierarchical identity-based encryption, attribute-based encryption, and predicate encryption, which are widely known, can all be viewed as special forms of FE [9, 23, 25, 29]. In terms of performing computation on encrypted data, FE is similar to homomorphic encryption (HE), but there is a difference that unlike the ciphertext of the computation f(x) is the output of the evaluation algorithm in HE, the computation f(x) itself is the output of the decryption algorithm in FE [22]. It is known that an FE scheme that supports all polynomial-size circuits can be designed by using indistinguishability obfuscation [21]. By expanding the concept of FE, the concepts of multi-input FE (MI-FE) and multi-client FE (MC-FE) were introduced, and MI-FE and MC-FE schemes can be also designed with indistinguishability obfuscation [24]. For efficient FE schemes, functional encryption for inner-products (FE-IP) was introduced and many FE-IP schemes were proposed [3, 5]. Since then, the FE-IP scheme has been extended to the multi-input FE-IP and multi-client FE-IP schemes [4, 15, 31]. An efficient FE scheme for quadratic functions has also been proposed, which has more expressive power than inner product operations [6]. Recently, an MC-FE scheme that supports conjunctive equality and range queries has been proposed [30].

Private set intersection The private set intersection (PSI) protocol was introduced by Freedman et al. [18]. The PSI protocol is a protocol that calculates the intersection $X \cap Y$ when two parties A, B each own sets X, Y respectively, and does not expose other set information other than the set intersection of X and Y. Secure PSI protocols can be designed by using various cryptographic tools such as Diffie-Hellman key exchange [27], oblivious polynomial evaluation [18], oblivious pseudo-random functions [19], garbled circuits [26], oblivious transfer protocols [16], and fully homomorphic encryption [14]. Basically, the PSI protocol is an interactive one that exchanges multiple messages between two parties. An interesting variant of the PSI protocol is the outsourced PSI protocol using a cloud server [28]. In the outsourcing PSI protocol, since the cloud server performs the operations performed by individual clients instead, it is possible to reduce conversations and operations between clients. However, this outsourcing PSI protocol also requires interactions between clients during initial setup or at some stage.

Public-key searchable encryption Public-key encryption with keyword search (PEKS) is a kind of public-key encryption that allows to search keywords in ciphertexts by using a trapdoor generated by a trusted party [8]. In PEKS, ciphertext and trapdoor are associated with each keyword, and the test algorithm can check whether the ciphertext keyword and the trapdoor keyword are the same or not. By using a PEKS scheme, we can construct a special kind of the set intersection protocol [12]. That is, one client generates ciphertexts by using a public key where each ciphertext is associated with a keyword $x \in X$, and the other client receives trapdoors for a set Y from the trusted party where each keyword is associated with a keyword $y \in Y$. In this case, the client who has trapdoors can calculate the intersection $X \cap Y$ by running the test algorithm for each pair of ciphertexts and trapdoors. In general, a PEKS scheme can be constructed by using an anonymous IBE scheme [2].

2 Preliminaries

In this section, we define functional encryption, symmetric-key encryption, and pseudo-random function. We also introduce complexity assumptions to prove the security of our FE-SI schemes proposed in this paper.

2.1 Notation

Let n be a positive integer. The notation [n] is defined as a set $\{ 1, \ldots , n \}$, and the notation $[n_1, n_2]$ is defined as a set $\{ n_1, \ldots , n_2 \}$. Given two strings a and b, $a\Vert b$ is the concatenation of the two strings.

2.2 Functional encryption

Functional encryption is an extension of public key encryption that outputs the computation on encrypted data f(x) instead of outputting the original message x in the decryption process in which a ciphertext is associated with a message x, and a private key is associated with a function f [10]. Functional encryption can be modified in various ways and can be extended to multiple-input functional encryption that processes multiple ciphertexts, and multi-client functional encryption that processes ciphertext generated by multiple clients that have independent encryption keys [24]. The following is the syntax of public key functional encryption.

Definition 2.1

(Functional Encryption) A functional encryption (FE) scheme consists of four algorithms Setup, GenKey, Encrypt, and Decrypt, which are defined as follows:

Setup($1^{\lambda }$) The setup algorithm takes as input a security parameter $\lambda $. It outputs a master key MK and public parameters PP.
GenKey(f, MK, PP) The key generation algorithm takes as input a function f, the master key MK, and the public parameters PP. It outputs a secret key $SK_f$.
Encrypt(x, PP) The encryption algorithm takes as input a message x and the public parameters PP. It outputs a ciphertext CT.
Decrypt($CT, SK_f, PP$) The decryption algorithm takes as input a ciphertext CT encrypting a message x, a secret key $SK_f$ corresponding to a function f, and the public parameters PP. It outputs a value f(x).

The correctness property of FE is defined as follows: For all $(MK, PP) \leftarrow \mathbf{Setup} (1^{\lambda })$, $SK_f \leftarrow \mathbf{GenKey} (f, MK, PP)$ for any function $f \in \mathcal {F}$, and $CT \leftarrow \mathbf{Encrypt} (x, PP)$ for any $x \in \mathcal {X}$, it is required that Decrypt$(CT, SK_f, PP) = f(x)$.

2.3 Symmetric key encryption

Symmetric-key encryption is encryption that uses the same secret key for encryption and decryption algorithms. The detailed syntax of the symmetric-key encryption is described as follows.

Definition 2.2

(Symmetric Key Encryption) A symmetric key encryption (SKE) scheme consists of three algorithms GenKey, Encrypt, and Decrypt, which are defined as follows:

GenKey($1^{\lambda }$) The key generation algorithm takes as input a security parameter $\lambda $. It outputs a symmetric key K.
Encrypt(M, K) The encryption algorithm takes as input a message $M \in \mathcal {M}$ and the symmetric key K. It outputs a ciphertext C.
Decrypt(C, K) The decryption algorithm takes as input a ciphertext CT and the symmetric key K. It outputs a message M or a symbol $\perp $.

The correctness property of SKE is defined as follows: For all K generated by $\mathbf{GenKey} $ and any message $M \in \mathcal {M}$, it is required that $\mathbf{Decrypt} (\mathbf{Encrypt} (M, K), K) = M$.

The standard security model of symmetric-key encryption is indistinguishability security against chosen-plaintext attacks (IND-CPA), but we define one-message security as a weaker form of security. One-message security is to provide only one challenge ciphertext to an attacker, and the IND-CPA security guarantees one-message security.

Definition 2.3

(One-Message Security) The one-message security of SKE is defined in the following experiment $\mathbf{EXP} _{\mathcal {A}}^{SKE} (1^\lambda )$ between a challenger $\mathcal {C}$ and a PPT adversary $\mathcal {A}$:

1.
Setup: $\mathcal {C}$ generates a secret key K by running $\mathbf{GenKey} (1^{\lambda })$. It keeps K to itself.
2.
Challenge: $\mathcal {A}$ submits challenge messages $M_0^*, M_1^*$ where $|M_0^*| = |M_1^*|$. $\mathcal {C}$ flips a random coin $\mu \in \{0,1\}$ and gives a challenge ciphertext $CT^*$ to $\mathcal {A}$ by running $\mathbf{Encrypt} (M_{\mu }^*, K)$.
3.
Guess: $\mathcal {A}$ outputs a guess $\mu ' \in \{0,1\}$ of $\mu $. $\mathcal {C}$ outputs 1 if $\mu = \mu '$ or 0 otherwise.

The advantage of $\mathcal {A}$ is defined as $\mathbf{Adv} _{\mathcal {A}}^{SKE} (\lambda ) = \big | \Pr [ \mathbf{EXP} _{\mathcal {A}}^{SKE} (1^\lambda ) = 1 ] - \frac{1}{2} \big |$. An SKE scheme is one-message secure if for all PPT adversary $\mathcal {A}$, the advantage of $\mathcal {A}$ is negligible in the security parameter $\lambda $.

2.4 Pseudo-random function

A pseudo-random function (PRF) is a function $F:\mathcal {K}\times \mathcal {X} \rightarrow \mathcal {Y}$ where $\mathcal {K}$ is a key space, $\mathcal {X}$ is a domain, and $\mathcal {Y}$ is a codomain. Let $F(k, \cdot )$ be an oracle for a uniformly chosen $k \in \mathcal {K}$ and $f(\cdot )$ be an oracle for a uniformly chosen function $f : \mathcal {X} \rightarrow \mathcal {Y}$. We say that a PRF F is secure if for all efficient adversaries $\mathcal {A}$, the advantage of $\mathcal {A}$ defined as $\mathbf{Adv} _{\mathcal {A}}^{PRF}(\lambda ) = \big | \Pr [\mathcal {A}^{F(k,\cdot )} = 1] - \Pr [\mathcal {A}^{f(\cdot )} = 1] \big |$ is negligible in the security parameter $\lambda $.

2.5 Bilinear groups

A bilinear group generator $\mathcal {G}$ takes as input a security parameter $\lambda $ and outputs a tuple $(p, \mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T, e)$ where p is a random prime and $\mathbb {G}, \hat{\mathbb {G}}$, and $\mathbb {G}_T$ are three cyclic groups of prime order p. Let g and $\hat{g}$ be generators of $\mathbb {G}$ and $\hat{\mathbb {G}}$, respectively. The bilinear map $e : \mathbb {G}\times \hat{\mathbb {G}} \rightarrow \mathbb {G}_{T}$ has the following properties:

1.
Bilinearity: $\forall u \in \mathbb {G}, \forall \hat{v} \in \hat{\mathbb {G}}$ and $\forall a,b \in \mathbb {Z}_p$, $e(u^a,\hat{v}^b) = e(u,\hat{v})^{ab}$.
2.
Non-degeneracy: $\exists g \in \mathbb {G}, \hat{g} \in \hat{\mathbb {G}}$ such that $e(g,\hat{g})$ has order p in $\mathbb {G}_T$.

We say that $\mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T$ are asymmetric bilinear groups with no efficiently computable isomorphisms if the group operations in $\mathbb {G}, \hat{\mathbb {G}}$, and $\mathbb {G}_T$ as well as the bilinear map e are all efficiently computable, but there are no efficiently computable isomorphisms between $\mathbb {G}$ and $\hat{\mathbb {G}}$.

2.6 Complexity assumptions

In order to prove the security of the proposed FE-SI schemes, we introduce two new complexity assumptions. These two assumptions are not static assumptions that are composed of fixed group elements, but dynamic assumptions in which the group elements of the assumptions change by given parameters.

The first assumption is an assumption derived from our FE-SI scheme. This is a modification of the widely known external Diffie-Hellman (XDH) assumption, and this assumption says that it is difficult to distinguish the Diffie-Hellman tuple even if additional group elements related to Q and J parameters are provided. The second assumption is also an assumption derived from our FE-SI scheme.

Let n be a positive integer, $\rho $ be a target index such that $\rho \in [n]$, and $Q = \{ (i,j) \}$ be a set of index pairs such that $i, j \in [n]$ and $i < j$. From $n, \rho $, and Q, we define an index set $J = \{ k : 1 \le k \ne \rho \le n \text { such that } (k,\rho ) \notin Q \text { if } k < \rho \text { and } (\rho ,k) \notin Q \text { if } k > \rho \}$. This set can be computed by using the function ComputeJ which is described as follows:

For example, if we let $n = 4$, $\rho = 2$, and $Q = \{ (1,4), (2,3), (2,4) \}$, then we obtain $J = \{ 1 \}$ since $(1,2) \notin Q$, $(2,3) \in Q$, and $(2,4) \in Q$.

Assumption 2.4

Let $(p, \mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T, e)$ be a bilinear group randomly generated by $\mathcal {G}(1^\lambda )$. Let $g, \hat{g}$ be random generators of $\mathbb {G}, \hat{\mathbb {G}}$ respectively. Let $n, \rho , Q, J$ be defined above. The Assumption 1 for $(n, \rho , Q, J)$ is that if the challenge tuple

$$\begin{aligned} D = \big (&(p, \mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T, e),~ g,~ g^a,~ \{ g^{b_i} \}_{i=1}^n,~ \{ g^{a b_k} \}_{k \in J},~ \hat{g},~ \{ \hat{g}^{1 / (b_i + b_j)} \}_{(i,j) \in Q} \big ) \text{ and } Z \end{aligned}$$

are given, no probabilistic polynomial-time (PPT) algorithm $\mathcal {A}$ can distinguish $Z = Z_0 = g^{a b_{\rho }}$ from $Z = Z_1 = g^d$ with more than a negligible advantage. The advantage of $\mathcal {A}$ is defined as $\mathbf{Adv} _{\mathcal {A}}^{A1\text {-}(n,\rho ,Q,J)} (\lambda ) = \big | \Pr [\mathcal {A}(D,Z_0) = 0] - \Pr [\mathcal {A}(D,Z_1) = 0] \big |$ where the probability is taken over random choices of $a, b_1, \ldots , b_n, d \in \mathbb {Z}_p$.

Assumption 2.5

Let $(p, \mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T, e)$ be a bilinear group randomly generated by $\mathcal {G}(1^\lambda )$. Let $g, \hat{g}$ be random generators of $\mathbb {G}, \hat{\mathbb {G}}$ respectively. Let $n, \rho , Q$ be defined above. The Assumption 2 for $(n, \rho , Q)$ is that if the challenge tuple

$$\begin{aligned} D&= \big ( (p, \mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T, e),~ g,~ g^a,~ \{ g^{b_i} \}_{i=1}^n,~ \{ g^{a b_k} \}_{1 \le k \ne \rho \le n},~ \\&\quad \hat{g},~ \{ \hat{g}^{c_i} \}_{1 \le i \ne \rho \le n},~ e(g, \hat{g})^{c_\rho },~ \{ \hat{g}^{c_i / (b_i + b_j)} \}_{(i,j) \in Q} \big ) \text{ and } Z \end{aligned}$$

are given, no probabilistic polynomial-time (PPT) algorithm $\mathcal {A}$ can distinguish $Z = Z_0 = e(g, \hat{g})^{a c_\rho }$ from $Z = Z_1 = e(g, \hat{g})^d$ with more than a negligible advantage. The advantage of $\mathcal {A}$ is defined as $\mathbf{Adv} _{\mathcal {A}}^{A2\text {-}(n,\rho ,Q)} (\lambda ) = \big | \Pr [\mathcal {A}(D,Z_0) = 0] - \Pr [\mathcal {A}(D,Z_1) = 0] \big |$ where the probability is taken over random choices of $a, b_1, \ldots , b_n, c_1, \ldots , c_n, d \in \mathbb {Z}_p$.

We analyzed that both of these new assumptions hold in the generic group model proposed by Shoup [33] in Sect. 5.

3 Functional encryption for set intersection

In this section, we first introduce functional encryption for set intersection (FE-SI) and define the security model of FE-SI. Next, we construct an FE-SI scheme using a bilinear map and analyze the security of our FE-SI scheme using the cryptographic assumptions of the previous section.

3.1 Definition

To define functional encryption for set intersection, we modify the definition of public key functional encryption to consider a multi-client setting in which individual clients own individual encryption keys [24]. First, a trusted center creates a master key, an encryption key for each client, and public parameters by running the setup algorithm, and the individual encryption keys are delivered securely to clients. After that, a client generates a ciphertext for a set $X_i$ associated with time T by using their own encryption key. If a third party who wants to perform the set intersection operation obtains a function key for client indexes i, j from the trusted center, and computes the set intersection of the ciphertexts generated by two clients i and j at time T by running the decryption algorithm. A more detailed syntax of FE-SI is given as follows.

Definition 3.1

(Functional encryption for set intersection) A functional encryption for set intersection (FE-SI) scheme for $\mathcal {D}$ and $\mathcal {T}$ consists of four algorithms Setup, GenKey, Encrypt, and Decrypt, which are defined as follows:

Setup($1^{\lambda }, n$) The setup algorithm takes as input a security parameter $\lambda $ and the number of clients n. It outputs a master key MK, client encryption keys $\{ EK_i \}_{i=1}^n$, and public parameters PP.
GenKey(i, j, MK, PP) The key generation algorithm takes as input two client indexes $i, j \in [n]$ such that $i < j$, the master key MK, and public parameters PP. It outputs a function key $SK_{i,j}$.
Encrypt($X_i, T, EK_i, PP$) The encryption algorithm takes as input a set $X_i = \{ x_{i,1}, \ldots , x_{i,\ell _i} \}$ where $x_{i,j} \in \mathcal {D}$, a time period $T \in \mathcal {T}$, the client encryption key $EK_i$, and the public parameters PP. It outputs a ciphertext $CT_{i,T}$.
Decrypt($CT_{i,T}, CT_{j,T}, SK_{i,j}, PP$) The decryption algorithm takes as input two ciphertexts $CT_{i,T}$ and $CT_{j,T}$ for the same time T, a function key $SK_{i,j}$, and the public parameters PP. It outputs a set $X_i \cap X_j$ where $X_i$ and $X_j$ are associated with $CT_{i,T}$ and $CT_{j,T}$ respectively.

The correctness property of FE-SI is defined as follows: For all $MK, \{ EK_i \}, PP \leftarrow \mathbf{Setup} (1^{\lambda }, n)$, any $SK_{i,j} \leftarrow \mathbf{GenKey} (i, j, MK, PP)$, and all $CT_{i,T} \leftarrow \mathbf{Encrypt} (X_i, T, EK_i, PP)$ and $CT_{j,T} \leftarrow \mathbf{Encrypt} (X_j, T, EK_j, PP)$ for any $X_i, X_j$ and the same time T, it is required that

Decrypt$(CT_{i,T}, CT_{j,T}, SK_{i,j}, PP) = X_i \cap X_j$ except with negligible probability.

To define the security model of FE-SI, we modify the security model of multi-client functional encryption (MC-FE) defined by Goldwasser et al. [24]. For the security model of FE-SI, we consider a static security model in which an attacker pre-specifies information related to the attack target and function key queries. Initially, the attacker specifies the list of corrupted clients, the challenge target sets, the challenge time period, and the set of function key queries. At this time, the challenge target sets and the set of function key queries submitted by the attacker are restricted so that the challenge target sets cannot be easily identified by using the function keys in order to prevent trivial attacks. After that, the attacker obtains the encryption keys of the corrupted clients and the challenge ciphertexts for the challenge sets. Additionally, the attacker can request the previously specified function keys and ciphertexts for a time period other than the challenge time period. Finally, the attacker identifies the challenge set of the challenge ciphertexts. A more detailed definition of the static security model of FE-SI is defined as follows.

We first define a function $CIQ( \{ X_k \}, Q)$ for a group of item sets $\{ X_k \}$ and a set $Q = \{ (i,j) \}$ that computes the collected intersection of $X_i$ and $X_j$ for each $(i,j) \in Q$ as follows:

Definition 3.2

(Static-IND Security) The static-IND security of FE-SI with corruptions is defined in the following experiment $\mathbf{EXP} _{FE\text {-}SI,\mathcal {A}}^{ST\text {-}IND} (1^\lambda )$ between a challenger $\mathcal {C}$ and a PPT adversary $\mathcal {A}$:

1.
Init: $\mathcal {A}$ initially submits an index set $\overline{I} \subset [n]$ of corrupted clients. Let $I = \{ 1, \ldots , n \} \setminus \overline{I}$ be the index set of uncorrupted clients. $\mathcal {A}$ also submits two challenge sets of item sets $\{ X_{0,k}^* \}_{k \in I}$, $\{ X_{1,k}^* \}_{k \in I}$, a challenge time period $T^*$, and a set $Q = \{ (i,j) \}$ of function key queries with the restriction that $i,j \in I$ for each $(i,j) \in Q$ and $CIQ(\{ X_{0,k}^* \}_{k \in I}, Q) = CIQ(\{ X_{1,k}^* \}_{k \in I}, Q)$.
2.
Setup: $\mathcal {C}$ generates a master key MK, encryption keys $\{ EK_i \}_{i=1}^n$, and public parameters PP by running Setup$(1^{\lambda }, n)$. It keeps MK and $\{ EK_i \}_{i \in I}$ to itself and gives $\{ EK_i \}_{i \in \overline{I}}$ and PP to $\mathcal {A}$.
3.
Challenge: $\mathcal {C}$ flips a random coin $\mu \in \{0,1\}$ and obtains a ciphertext $CT_{i,T^*}$ by running Encrypt$(X_{\mu ,i}^*, T^*, EK_i, PP)$ for each $i \in I$. $\mathcal {C}$ gives the challenge ciphertexts $\{ CT_{i,T^*} \}_{i \in I}$ to $\mathcal {A}$
4.
Query: $\mathcal {A}$ requests function keys and ciphertexts. $\mathcal {C}$ handles these queries as follows:
- If this is a function key query for indexes $i, j \in I$ with the restriction that $(i,j) \in Q$, then $\mathcal {C}$ gives a function key $SK_{i,j}$ to $\mathcal {A}$ by running GenKey(i, j, MK, PP).
- If this is a ciphertext query for a client index k, an item set $X_k$, and a time period T with the restriction that $k \in I$ and $T \ne T^*$, then $\mathcal {C}$ gives a ciphertext $CT_{k,T}$ to $\mathcal {A}$ by running Encrypt$(X_k, T, EK_k, PP)$.
5.
Guess: $\mathcal {A}$ outputs a guess $\mu ' \in \{0,1\}$ of $\mu $. $\mathcal {C}$ outputs 1 if $\mu = \mu '$ or 0 otherwise.

An FE-SI scheme is static-IND secure with corruptions if for all PPT adversary $\mathcal {A}$, the advantage of $\mathcal {A}$ defined as $\mathbf{Adv} _{FE\text {-}SI,\mathcal {A}}^{ST\text {-}IND} (\lambda ) = \big | \Pr [ \mathbf{EXP} _{FE\text {-}SI,\mathcal {A}}^{ST\text {-}IND} (1^\lambda ) = 1 ] - \frac{1}{2} \big |$ is negligible in the security parameter $\lambda $.

3.2 Design principle

The basic idea of supporting set intersection operations is to implement a private equality test. If a hash function $H : \{0,1\}^* \rightarrow \mathbb {G}$ is modeled as a random oracle, a function $H(x)^{\alpha }$ with a secret $\alpha $ can play the role of pseudo-random function because the output of this function is indistinguishable from a completely random value by the DDH assumption [32]. Additionally, this function supports the private equality test because the output of the function is same if the same input is given. If multiple interactions are allowed between clients, the two clients can compute the set intersection of the two sets X and Y by exchanging $\{ H(x)^{\alpha } \}_{x \in X}$, $\{ H(y)^{\alpha '} \}_{y \in Y}$ in the first round and exchanging $\{ H(x)^{\alpha \alpha '} \}_{x \in X}$, $\{ H(y)^{\alpha ' \alpha } \}_{y \in Y}$ in the second round [27].

However, we cannot design a functional encryption scheme for set intersection with the above method because clients are non-interactive in which messages cannot be exchanged between clients in functional encryption. In order to devise a functional encryption scheme that supports the set intersection operation, we have to solve two problems. First, we need to implement a private equality test that non-interactively checks whether the items of two sets are the same. Second, if the items of two sets are the same, we need to implement a method of decrypting the ciphertext of the corresponding item. To this end, we devise an equal-then-derive method in which the correct message decryption key is derived by combining with a function key if the equality of set items is satisfied.

The equal-then-derive method we devised is as follows. The first client generates a ciphertext element $H(x)^{\alpha _1}$ for a set item x using its encryption key $\alpha _1$. And the second client also generates a ciphertext element $H(y)^{\alpha _2}$ for a set item y using its encryption key $\alpha _2$. At this time, if the two set items are identical such as $x = y$, we have $H(x)^{\alpha _1} \cdot H(y)^{\alpha _2} = H(x)^{\alpha _1 + \alpha _2}$ from the ciphertext elements. Here, if the trusted center provides a function key $\hat{g}^{\beta _1 / (\alpha _1 + \alpha _2)}$, it is possible to derives a temporal key $TK = e(H(x)^{\alpha _1 + \alpha _2}, \hat{g}^{\beta _1 / (\alpha _1 + \alpha _2)}) = e(H(x), g)^{\beta _1}$ which can be used to encrypt or decrypt a message. To do this, the encryption key of the first client should contain an additional secret $\beta _1$, and the first client uses the temporary key TK to create another ciphertext element on a message x by using symmetric-key encryption.

The function $H(x)^{\alpha }$ previously used for set intersection is pseudo-random function. Therefore, if a client re-encrypts the previously encrypted set item x, then some information of the set item is exposed because the output of this function is the same when the input is the same. To prevent such information leakage, we set a client to encrypt the set associated with a specific time period T, and the set intersection operation to be performed on the ciphertexts of two clients having the same time T. To do this, we use a modified function $H(T\Vert x)^{\alpha }$, which contains additional time. In this case, even if the same x is encrypted, the value $H(T\Vert x)^{\alpha }$ appears to be a random value when the time T is different. Thus this function is secure since there is no information leakage.

3.3 Construction

Let SKE = (GenKey, Encrypt, Decrypt) be an SKE scheme. An FE-SI scheme is described as follows.

Setup($1^{\lambda }, n$) Let n be the maximum number of clients.
1. 1.
  It first generates a bilinear group $(p, \mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T, e)$ of prime order p with random generators $g \in \mathbb {G}$ and $\hat{g} \in \hat{\mathbb {G}}$. It chooses two hash functions $H_1: \{0,1\}^* \rightarrow \mathbb {G}$ and $H_2: \mathbb {G}_T \rightarrow \{0,1\}^{\lambda }$.
2. 2.
  Next, it selects a random PRF key $z \in \{0,1\}^{\lambda }$ and computes $\alpha _i = PRF(z, 1\Vert i)$, $\beta _i = PRF(z,2\Vert i))$ for each index $i \in [n]$.
3. 3.
  It outputs a master key $MK = z$, encryption keys $\{ EK_i = (\alpha _i, \beta _i) \}_{i=1}^n$ for clients, and public parameters $PP = \big ( (p, \mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T, e), g, \hat{g}, H_1, H_2 \big )$.
GenKey(i, j, MK, PP) Let $i < j$ and $MK = z$. It first computes $\alpha _i = PRF(z, 1\Vert i)$, $\alpha _j = PRF(z, 1\Vert j)$, and $\beta _i = PRF(z, 2\Vert i)$. It outputs a function key $SK_{i,j} = \hat{g}^{\beta _i / (\alpha _i + \alpha _j)}$ by implicitly including i, j.
Encrypt($X_i, T, EK_i, PP$) Let $X_i = \{ x_{i,1}, \ldots , x_{i,\ell _i} \}$ where $|X_i| = \ell _i$ and $EK_i = (\alpha _i, \beta _i)$.
1. 1.
  For each index $k \in [\ell _i]$, it proceed as follows: It computes $C_{i,k} = H_1(T \Vert x_{i,k})^{\alpha _i}$ and derives a temporal key $TK_{i,k} = e( H_1(T \Vert x_{i,k}), \hat{g} )^{\beta _i}$. It obtains $D_{i,k}$ by running SKE.Encrypt$(T \Vert x_{i,k}, H_2(TK_{i,k}))$.
2. 2.
  It chooses a random permutation $\pi $ and outputs a ciphertext $CT_{i,T} = \big \{ ( C_{i,\pi (k)}, D_{i,\pi (k)} ) \big \}_{k=1}^{\ell _i}$ by implicitly including i, T.
Decrypt($CT_{i,T}, CT_{j,T'}, SK_{i,j}, PP$) Let $CT_{i,T} = \{ ( C_{i,k}, D_{i,k} ) \}_{k=1}^{\ell _i}$ and $CT_{j,T'} = \{ ( C_{j,k}, D_{j,k} ) \}_{k=1}^{\ell _j}$ be ciphertexts such that $i < j$ and $T = T'$. It first initializes a set $Y = \emptyset $.
1. 1.
  For each index $k_i \in [\ell _i]$ and $k_j \in [\ell _j]$, it proceeds as follows: It computes $TK_{i,k_i} = e(C_{i,k_i} \cdot C_{j,k_j}, SK_{i,j})$ and obtains a message $A \Vert x$ by running SKE.Decrypt$(D_{i,k_i}, H_2(TK_{i,k_i}))$. It adds an item x into Y if $A = T$.
2. 2.
  It outputs the set Y.

3.4 Correctness

For the correctness of our FE-SI scheme, we need to show that the set intersection of two client ciphertexts can be calculated through the decryption process. Let $CT_{i,T} = \{ (C_{i,k}, D_{i,k}) \}$ be the ciphertext of a client i, $CT_{j,T} = \{ (C_{j,k}, D_{j,k}) \}$ be the ciphertext of a client j, and $SK_{i,j}$ be a function key. For the correctness of the decryption process, it is only necessary to show that the correct temporal key TK is derived by combining with a function key if the ciphertext elements from two clients are the encryption on the same item x and these are related to the same time T. The reason is that if the correct temporary key is derived, the message can be decrypted by running the decryption algorithm of symmetric key encryption. If the set items of the two ciphertexts are the same, we can confirm that a temporal key is correctly derived through the following equation

$$\begin{aligned}&e( C_{i,k_i} \cdot C_{j,k_j}, SK_{i,j} ) = e( H_1(T \Vert x_{i,k_i})^{\alpha _i + \alpha _j}, \hat{g}^{\beta _i / (\alpha _i + \alpha _j)} ) = e( H_1(T \Vert x_{i,k_i}), \hat{g} )^{\beta _i}. \end{aligned}$$

3.5 Security analysis

To prove the security of the FE-SI scheme, we analyze the security by dividing the case where there is no corrupted client and the case where there are corrupted clients.

In order to prove the static security without corrupted clients of the FE-SI scheme, we devise additional hybrid games that an attacker cannot distinguish between the two challenge sets $\{ X_{0,k}^* \}$ and $\{ X_{1,k}^* \}$. In the definition of the static security model, the constraint $CIQ(\{ X_{0,k}^* \}, Q) = CIQ(\{ X_{1,k}^* \}, Q)$ must be satisfied because the attacker can compute the set intersection operation on the challenge set by using function keys. This means that the set items related to the common set $\{ E_k^* \} = CIQ(\{ X_{\mu ,k}^* \}, Q)$ can be computed by the attacker, but the remaining items that do not related to $\{ E_k^* \}$ are not revealed to the attacker. Thus even if these ciphertext elements not related to $\{ E_k^* \}$ are changed to random values, the attacker can not distinguish this change. Therefore, we define additional hybrid games and change the challenge ciphertext elements that do not related to $\{ E_k^* \}$ to random values one by one.

To do this, in the first game, we change the pseudo-random function into a truly random function. In the second game, the ciphertext elements $\{ C_{\mu ,k} \}$ that do not related to $\{ E_k^* \}$ are changed to random values. In the third game the temporal keys $\{ TK_{\mu ,k} \}$ that do not related to $\{ E_k^* \}$ are changed to random. After that, in the last game, the ciphertext elements $\{ D_{\mu ,k} \}$ that do not related to $\{ E_k^* \}$ are changed to random values. In this last game, the ciphertext elements related to $\{ E_k^* \}$ are the same as the original ciphertext, but all other ciphertext elements not related to $\{ E_k^* \}$ are changed to random values. Thus the attacker can’t tell whether the challenge ciphertext of the last game is related to $\{ X_{0,k}^* \}$ or $\{ X_{1,k}^* \}$. The details of the security are given as follows.

Theorem 3.3

The above FE-SI scheme is static-IND secure with no corruptions in the random oracle model if the PRF scheme is secure, the SKE scheme is one-message secure, and the Assumptions 1 and 2 hold.

Proof

Suppose there exists an adversary that breaks the static-IND security of the FE-SI scheme with no corruptions. We can assu me that $I = \{ 1, \ldots , n \}$ and $\overline{I} = \emptyset $. Let $\{ X_{0,1}^*, \ldots , X_{0,n}^* \}$ and $\{ X_{1,1}^*, \ldots , X_{1,n}^* \}$ be the challenge sets of item sets where $X_{b,i}^* = \{ x_{b,i,1}^*, \ldots , x_{b,i,\ell _i}^* \}$ and $| X_{b,i}^* | = \ell _i$. Let $Q = \{ (i,j) \}$ be the set of index pairs related to function key queries. We can derive a set of common sets $\{ E_1^*, \ldots , E_n^* \}$ by calling $CIQ(\{ X_{0,k}^* \}, Q)$ since $CIQ(\{ X_{0,k}^* \}, Q) = CIQ(\{ X_{1,k}^* \}, Q)$ by the restriction of the security model. To argue that the adversary cannot win this game, we define a sequence of hybrid games $\mathbf{G} _0, \mathbf{G} _1, \mathbf{G} _2, \mathbf{G} _3$, and $\mathbf{G} _4$. The game $\mathbf{G} _i$ is defined as follows:

Game $\mathbf{G} _0$ The first game $\mathbf{G} _0$ is the original security game defined in Definition 3.2.
Game $\mathbf{G} _1$ In this game $\mathbf{G} _1$, the PRF which is used to generate encryption keys is changed to be truly random function.
Game $\mathbf{G} _2$ This game $\mathbf{G} _2$ is similar to the game $\mathbf{G} _1$ except that the challenge ciphertext components $\{ C_{i,k} \}$ are generated as random for all $x_{\mu ,i,k}^* \notin E_i^*$.
Game $\mathbf{G} _3$ This game $\mathbf{G} _3$ is slightly changed from the game $\mathbf{G} _2$. That is, the challenge temporal keys $\{ TK_{i,k} \}$ are generated as random for all $x_{\mu ,i,k}^* \notin E_i^*$.
Game $\mathbf{G} _4$ In the final game $\mathbf{G} _4$, we change the generation of challenge ciphertext components $\{ D_{i,k} \}$. That is, the challenge ciphertext components $\{ D_{i,k} \}$ are the encryption of random values for all $x_{\mu ,i,k}^* \notin E_i^*$. Note that the advantage of the adversary in this game is zero since challenge ciphertext components $\{ C_{i,k} \}$ are random and $\{ D_{i,k} \}$ are the encryption of random values for all $x_{\mu ,i,k}^* \notin E_i^*$.

Let $S_{\mathcal {A}}^\mathbf{G _i}$ be the event that an adversary wins in a game $\mathbf{G} _i$. From the following Lemmas 3.4, 3.5, 3.6, and 3.7, we obtain the following result

$$\begin{aligned} \mathbf{Adv} _{FE\text {-}SI,\mathcal {A}}^{ST\text {-}IND}(\lambda )&\le \; \left| \Pr [S_{\mathcal {A}}^\mathbf{G _0}] - \Pr [S_{\mathcal {A}}^\mathbf{G _4}] \right| + \Pr [S_{\mathcal {A}}^\mathbf{G _4}] \le \sum _{i=1}^4 \left| \Pr [S_{\mathcal {A}}^\mathbf{G _{i-1}}] - \Pr [S_{\mathcal {A}}^\mathbf{G _i}] \right| + \Pr [S_{\mathcal {A}}^\mathbf{G _4}] \\&\le \; \mathbf{Adv} _{\mathcal {B}}^{PRF}(\lambda ) + n\ell \mathbf{Adv} _{\mathcal {B}}^{A1\text {-}(n,\rho ,Q,J)}(\lambda ) + n\ell \mathbf{Adv} _{\mathcal {B}}^{A2\text {-}(n,\rho ,Q)}(\lambda ) + n\ell \mathbf{Adv} _{\mathcal {B}}^{SKE}(\lambda ) \end{aligned}$$

where n is the number of clients, $\ell $ is the maximum size of the challenge item set. This completes our proof. $\square $

Lemma 3.4

If the PRF is secure, then no polynomial-time adversary can distinguish between $\mathbf{G} _0$ and $\mathbf{G} _1$ with a non-negligible advantage.

Proof

The proof of this lemma is relatively easy from the security of PRF. That is, we simply change a PRF to a truly random function since there is only one PRF in the FE-SI scheme. We omit the details of this proof. $\square $

Lemma 3.5

If the Assumption 1 for $(n, \rho , Q, J)$ holds, then no polynomial-time adversary can distinguish between $\mathbf{G} _1$ and $\mathbf{G} _2$ with a non-negligible advantage.

Proof

To prove this lemma, we additionally define hybrid games $\mathbf{H} _{1,0}, \mathbf{H} _{1,1}, \ldots , \mathbf{H} _{1,\ell _1}, \mathbf{H} _{2,1}, \ldots , \mathbf{H} _{i,k}, \ldots , \mathbf{H} _{n,\ell _n}$ where $\mathbf{H} _{1,0} = \mathbf{G} _0$ and $\mathbf{H} _{n,\ell _n} = \mathbf{G} _1$. The game $\mathbf{H} _{\rho ,\delta }$ is defined as follows:

Game $\mathbf{H} _{\rho ,\delta }$ This game $\mathbf{H} _{\rho ,\delta }$ is almost identical to the game $\mathbf{G} _1$ except the generation of the components $\{ C_{i,k} \}$ in the challenge ciphertexts.

Case $(i < \rho )$ or $(i = \rho \wedge k \le \delta )$: If $x_{\mu ,i,k}^* \in E_i^*$, then the component $C_{i,k}$ is generated as normal. Otherwise ($x_{\mu ,i,k}^* \notin E_i^*$), the component $C_{i,k}$ is generated as random.
Case $(i = \rho \wedge k > \delta )$ or $(i > \rho )$: The component $C_{i,k}$ is generated as normal.

Suppose there exists an adversary $\mathcal {A}$ that distinguishes between $\mathbf{H} _{\rho ,\delta -1}$ and $\mathbf{H} _{\rho ,\delta }$ with a non-negligible advantage. Without loss of generality, we assume that $x_{\mu ,\rho ,\delta }^* \notin E_{\rho }^*$ since $\mathbf{H} _{\rho ,\delta -1}$ and $\mathbf{H} _{\rho ,\delta }$ are equal if $x_{\mu ,\rho ,\delta }^* \in E_{\rho }^*$. A simulator $\mathcal {B}$ that solves the Assumption 1 for $(n, \rho , Q, J)$ which will be defined later is described as follows:

Init $\mathcal {A}$ submits challenge sets $\{ X_{0,1}^*, \ldots , X_{0,n}^* \}$, $\{ X_{1,1}^*, \ldots , X_{1,n}^* \}$, a challenge time period $T^*$, and a set $Q = \{ (i,j) \}$ of function key queries. $\mathcal {B}$ proceeds as follows:

1.
From $n, \rho , Q$, it derives an index set J by calling $ComputeJ(n, \rho , Q)$.
2.
It receives $D = ((p, \mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T, e), g, g^a, \{ g^{b_i} \}_{i=1}^n, \{ g^{a b_k} \}_{k \in J}, \hat{g}, \{ \hat{g}^{1/(b_i + b_j)} \}_{(i,j) \in Q} )$ and Z of the Assumption 1 for $(n, \rho , Q, J)$ where $Z = g^{a b_\rho }$ or $Z = R \in \mathbb {G}$.
3.
It flips a random coin $\mu \in \{0,1\}$ internally and derives a set of common sets $\{ E_1^*, \ldots , E_n^* \}$ by calling $CIQ(\{ X_{\mu ,k}^* \}, Q)$.

Setup $\mathcal {B}$ first chooses random exponents $\beta _1, \ldots , \beta _n \in \mathbb {Z}_p$. Next, it sets $PP = ((p, \mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T, e), g, \hat{g}, H_1, H_2)$. It prepares a hash table H-list for the $H_1$ hash function as follows:

1.
For each $i \in [n]$ and $k \in [\ell _i]$, it proceeds as follows: If $i \ne \rho $ or $k \ne \delta $, then it selects a random exponent $f_{i,k} \in \mathbb {Z}_p$ and adds $(T^* \Vert x_{\mu ,i,k}^*, f_{i,k}, g^{f_{i,k}})$ to the H-list.

Otherwise, it adds $(T^* \Vert x_{\mu ,\rho ,\delta }^*, -, g^a)$ to the H-list.

Challenge $\mathcal {B}$ creates challenge ciphertexts $CT_{1,T^*}, \ldots , CT_{n,T^*}$ as follows:

1.
For each i and k, it generates ciphertext elements $C_{i,k}$ and $TK_{i,k}$ depending on the following cases:
- Case $i < \rho $:
  - If $x_{\mu ,i,k}^* \in E_i^*$ and $x_{\mu ,i,k}^* = x_{\mu ,\rho ,\delta }^*$, it retrieves $(T^* \Vert x_{\mu ,i,k}^*, -, g^a)$ from the H-list, and sets $C_{i,k} = g^{a b_i}$ and creates $TK_{i,k} = e(g^a, \hat{g})^{\beta _i}$. For this case, we show that $g^{a b_i}$ is given in the assumption. If a function key with an index pair $(i,\rho )$ was queried, we have $x_{\mu ,\rho ,\delta }^* \in E_\rho ^*$ by the definition of CIQ. However, we assumed that $x_{\mu ,\rho ,\delta }^* \notin E_\rho ^*$ for this game. Thus a function key with $(i,\rho )$ was not queried and it means that $i \in J$ by the definition of J.
  - If $x_{\mu ,i,k}^* \in E_i^*$ and $x_{\mu ,i,k}^* \ne x_{\mu ,\rho ,\delta }^*$, it retrieves $(T^* \Vert x_{\mu ,i,k}^*, f_{i,k}, g^{f_{i,k}})$ from the H-list, and creates $C_{i,k} = (g^{b_i})^{f_{i,k}}$ and $TK_{i,k} = e(g^{f_{i,k}}, \hat{g})^{\beta _i}$.
  - If $x_{\mu ,i,k}^* \notin E_i^*$, it retrieves $(T^* \Vert x_{\mu ,i,k}^*, f_{i,k}, g^{f_{i,k}})$ from the H-list, and chooses a random $C_{i,k} \in \mathbb {G}$ and creates $TK_{i,k} = e(g^{f_{i,k}}, \hat{g})^{\beta _i}$.
- Case $i = \rho $:
  - If $k < \delta $ and $x_{\mu ,\rho ,k}^* \in E_\rho ^*$, it retrieves $(T^* \Vert x_{\mu ,\rho ,k}^*, f_{\rho ,k}, g^{f_{\rho ,k}})$ from the H-list, and creates $C_{\rho ,k} = (g^{b_\rho })^{f_{\rho ,k}}$ and $TK_{\rho ,k} = e(g^{f_{\rho ,k}}, \hat{g})^{\beta _\rho }$ since $x_{\mu ,\rho ,k}^* \ne x_{\mu ,\rho ,\delta }^*$.
  - If $k < \delta $ and $x_{\mu ,\rho ,k}^* \notin E_\rho ^*$, then it retrieves $(T^* \Vert x_{\mu ,\rho ,k}^*, f_{\rho ,k}, g^{f_{\rho ,k}})$ from the H-list, and chooses a random $C_{\rho ,k} \in \mathbb {G}$ and creates $TK_{\rho ,k} = e(g^{f_{\rho ,k}}, \hat{g})^{\beta _\rho }$.
  - If $k = \delta $, it sets $C_{\rho ,\delta } = Z$ and creates $TK_{\rho ,\delta } = e(g^a, \hat{g})^{\beta _\rho }$ since we assumed that $x_{\mu ,\rho ,\delta }^* \notin E_\rho ^*$.
  - If $k > \delta $, it retrieves $(T^* \Vert x_{\mu ,\rho ,k}^*, f_{\rho ,k}, g^{f_{\rho ,k}})$ from the H-list, and creates $C_{\rho ,k} = (g^{b_\rho })^{f_{\rho ,k}}$ and $TK_{\rho ,k} = e(g^{f_{\rho ,k}}, \hat{g})^{\beta _\rho }$ since $x_{\mu ,\rho ,k}^* \ne x_{\mu ,\rho ,\delta }^*$.
- Case $i > \rho $:
  - If $x_{\mu ,i,k}^* = x_{\mu ,\rho ,\delta }^*$, it retrieves $(T^* \Vert x_{\mu ,i,k}^*, -, g^a)$ from the H-list, and sets $C_{i,k} = g^{a b_i}$ and creates $TK_{i,k} = e(g^a, \hat{g})^{\beta _i}$. For this case, we show that $g^{a b_i}$ is given in the assumption. If a function key with an index pair $(\rho ,i)$ was queried, we have $x_{\mu ,\rho ,\delta }^* \in E_\rho ^*$ by the definition of CIQ. However, we assumed that $x_{\mu ,\rho ,\delta }^* \notin E_\rho ^*$ for this game. Thus a function key with $(\rho ,i)$ was not queried and it means that $i \in J$ by the definition of J.
  - If $x_{\mu ,i,k}^* \ne x_{\mu ,\rho ,\delta }^*$, it retrieves $(T^* \Vert x_{\mu ,i,k}^*, f_{i,k}, g^{f_{i,k}})$ from the H-list, and creates $C_{i,k} = (g^{b_i})^{f_{i,k}}$ and $TK_{i,k} = e(g^{f_{i,k}}, \hat{g})^{\beta _i}$.
Next, it generates a ciphertext element $D_{i,k}$ by running SKE.Encrypt$(T^* \Vert x_{\mu ,i,k}^*, TK_{i,k})$
2.
It chooses a random permutation $\pi _i$ and sets a challenge ciphertext $CT_{i,T^*} = \{ (C_{i,\pi _i(k)}, D_{i,\pi _i(k)}) \}_{k=1}^{\ell _i}$ for each client i.

Query $\mathcal {A}$ adaptively requests hash, function key, and ciphertext queries. $\mathcal {B}$ handles these queries as follows:

If this is a hash query for a time period T and an item x, then $\mathcal {B}$ proceeds as follows: If $T \Vert x$ exists in the H-list, then it retrieves $(T \Vert x, -, h)$ from H-list and gives h to $\mathcal {A}$. Otherwise, it selects a random exponent $f \in \mathbb {Z}_p$ and adds $(T \Vert x, f, g^f)$ to the H-list, and then it gives the hash value $g^f$ to $\mathcal {A}$.
If this is a function key query for indexes i, j such that $(i,j) \in Q$, then $\mathcal {B}$ generates a function key $SK_{i,j} = (\hat{g}^{1/(b_i + b_j)})^{\beta _i}$ since $\hat{g}^{1/(b_i + b_j)}$ is given in the assumption.
If this is a ciphertext query for a client index i, a set $X_i = \{ x_{i,1}, \ldots , x_{i,\ell } \}$, and a time period $T \ne T^*$, then $\mathcal {B}$ generates a ciphertext as follows:
1. 1.
  For each $k \in [\ell _i]$, it proceeds as follows: It retrieves $(T \Vert x_{i,k}, f_k, g^{f_k})$ from the H-list, and sets $C_{i,k} = (g^{b_i})^{f_k}$ and $TK_{i,k} = e(g^{f_k}, \hat{g})^{\beta _i}$. Next, it obtains $D_{i,k}$ by running SKE.Encrypt$(T \Vert x_{i,k}, TK_{i,k})$.
2. 2.
  It chooses a random permutation $\pi $ and creates $CT_{i,T} = \{ (C_{i,\pi (k)}, D_{i,\pi (k)}) \}_{k=1}^{\ell _i}$.

Guess $\mathcal {A}$ outputs a guess $\mu '$. If $\mu = \mu '$, it outputs 1. Otherwise, it outputs 0.

To complete the proof, we need to analyze the correctness of the simulation. In the case of the challenge ciphertext, ciphertext elements with indexes $i \ne \rho $ or $k \ne \delta $ are all generated correctly by using the values given in the assumption. The challenge ciphertext elements with indexes $i = \rho $ and $k = \delta $ are generated by using the challenge Z of the assumption. If $Z = Z_0 = g^{a b_\rho }$, then it is the same as the game $H_{\rho ,\delta -1}$. Otherwise ($Z = Z_1$), it is the same as the game $H_{\rho ,\delta }$. The function keys provided to the attacker are easily processed by using the values given in the assumption because function key queries are pre-specified in Q. In the case of ciphertext such as $T \ne T^*$, all ciphertexts are correctly processed by using the hash table and the values given in the assumption. $\square $

Lemma 3.6

If the Assumption 2 for $(n, \rho , Q)$ holds, then no polynomial-time adversary can distinguish between $\mathbf{G} _2$ and $\mathbf{G} _3$ with a non-negligible advantage.

Proof

To prove this lemma, we additionally define hybrid games $\mathbf{H} '_{1,0}, \mathbf{H} '_{1,1}, \ldots , \mathbf{H} '_{1,\ell _1}, \ldots , \mathbf{H} '_{i,k}, \ldots , \mathbf{H} '_{n,\ell _n}$ where $\mathbf{H} '_{1,0} = \mathbf{G} _2$ and $\mathbf{H} '_{n,\ell _n} = \mathbf{G} _3$. The game $\mathbf{H} '_{\rho ,\delta }$ is defined as follows:

Game $\mathbf{H} '_{\rho ,\delta }$ This game $\mathbf{H} '_{\rho ,\delta }$ is almost identical to the game $\mathbf{G} _2$ except the generation of temporal keys $\{ TK_{i,k} \}$ in the challenge ciphertexts.

Case $(i < \rho )$ or $(i = \rho \wedge k \le \delta )$: If $x_{\mu ,i,k}^* \in E_i^*$, then the temporal key $TK_{i,k}$ is generated as normal. Otherwise ($x_{\mu ,i,k}^* \notin E_i^*$), the temporal key $TK_{i,k}$ is generated as random.
Case $(i = \rho \wedge k > \delta )$ or $(i > \rho )$: The temporal key $TK_{i,k}$ is generated as normal.

Suppose there exists an adversary $\mathcal {A}$ that distinguishes between $\mathbf{H} '_{\rho ,\delta -1}$ and $\mathbf{H} '_{\rho ,\delta }$ with a non-negligible advantage. Without loss of generality, we assume that $x_{\mu ,\rho ,\delta }^* \notin E_{\rho }^*$ since $\mathbf{H} '_{\rho ,\delta -1}$ and $\mathbf{H} '_{\rho ,\delta }$ are equal if $x_{\mu ,\rho ,\delta }^* \in E_{\rho }^*$. A simulator $\mathcal {B}$ that solves the Assumption 2 for $(n, \rho , Q)$ which will be defined later is described as follows:

Init $\mathcal {A}$ submits challenge sets of item sets $\{ X_{0,1}^*, \ldots , X_{0,n}^* \}$, $\{ X_{1,1}^*, \ldots , X_{1,n}^* \}$, a challenge time period $T^*$, and a set $Q = \{ (i,j) \}$ of function key queries. $\mathcal {B}$ proceeds as follows:

1.
It receives $D = ((p, \mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T, e), g, g^a, \{ g^{b_i} \}_{i=1}^n, \{ g^{a b_k} \}_{1 \le k \ne \rho \le n}, \hat{g}, \{ \hat{g}^{c_i} \}_{1 \le i \ne \rho \le n}, e(g,\hat{g})^{c_\rho }, \{ \hat{g}^{c_i / (b_i + b_j)} \}_{(i,j) \in Q} )$ and Z of the Assumption 2 for $(n, \rho , Q)$ where $Z = e(g, \hat{g})^{a c_\rho }$ or $Z = R \in \mathbb {G}_T$.
2.
It flips a random coin $\mu \in \{0,1\}$ internally and derives a set of common sets $\{ E_1^*, \ldots , E_n^* \}$ by calling $CIQ(\{ X_{\mu ,k}^* \}, Q)$.

Setup $\mathcal {B}$ sets $PP = ((p, \mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T, e), g, \hat{g}, H_1, H_2)$. It prepares a hash table H-list for the $H_1$ hash function as follows:

1.
For each $i \in [n]$ and $k \in [\ell _i]$, it proceeds as follows: If $i \ne \rho $ or $k \ne \delta $, then it selects a random exponent $f_{i,k} \in \mathbb {Z}_p$ and adds $(T^* \Vert x_{\mu ,i,k}^*, f_{i,k}, g^{f_{i,k}})$ to the H-list.

Otherwise ($i = \rho \wedge k = \delta $), it adds $(T^* \Vert x_{\mu ,\rho ,\delta }^*, -, g^a)$ to the H-list.

Challenge $\mathcal {B}$ creates challenge ciphertexts $CT_{1,T^*}, \ldots , CT_{n,T^*}$ as follows:

1.
For each i and k, it generates ciphertext elements $C_{i,k}$ and $TK_{i,k}$ depending on the following cases:
- Case $i < \rho $:
  - If $x_{\mu ,i,k}^* \in E_i^*$ and $x_{\mu ,i,k}^* = x_{\mu ,\rho ,\delta }^*$, it retrieves $(T^* \Vert x_{\mu ,i,k}^*, -, g^a)$ from the H-list, and sets $C_{i,k} = g^{a b_i}$ and $TK_{i,k} = e(g^a, \hat{g}^{c_i})$. In this case, $g^{ab_i}$ is given in the assumption since $i \ne \rho $.
  - If $x_{\mu ,i,k}^* \in E_i^*$ and $x_{\mu ,i,k}^* \ne x_{\mu ,\rho ,\delta }^*$, it retrieves $(T^* \Vert x_{\mu ,i,k}^*, f_{i,k}, g^{f_{i,k}})$ from the H-list, and sets $C_{i,k} = (g^{b_i})^{f_{i,k}}$ and $TK_{i,k} = e(g^{f_{i,k}}, \hat{g}^{c_i})$.
  - If $x_{\mu ,i,k}^* \notin E_i^*$, then it retrieves $(T^* \Vert x_{\mu ,i,k}^*, f_{i,k}, g^{f_{i,k}})$ from the H-list, and selects random $C_{i,k} \in \mathbb {G}$ and $TK_{i,k} \in \mathbb {G}_T$.
- Case $i = \rho $:
  - If $k < \delta $ and $x_{\mu ,\rho ,k}^* \in E_\rho ^*$, it retrieves $(T^* \Vert x_{\mu ,\rho ,k}^*, f_{\rho ,k}, g^{f_{\rho ,k}})$ from the H-list, and sets $C_{\rho ,k} = (g^{b_\rho })^{f_{\rho ,k}}$ and $TK_{\rho ,k} = (e(g, \hat{g})^{c_\rho })^{f_{\rho ,k}}$ since $x_{\mu ,\rho ,k}^* \ne x_{\mu ,\rho ,\delta }^*$.
  - If $k < \delta $ and $x_{\mu ,\rho ,k}^* \notin E_\rho ^*$, then it retrieves $(T^* \Vert x_{\mu ,\rho ,k}^*, f_{\rho ,k}, g^{f_{\rho ,k}})$ from the H-list, and selects random $C_{\rho ,k} \in \mathbb {G}$ and random $TK_{\rho ,k} \in \mathbb {G}_T$.
  - If $k = \delta $, it chooses a random $C_{\rho ,\delta } \in \mathbb {G}$ and sets $TK_{\rho ,\delta } = Z$ since we assumed that $x_{\mu ,\rho ,\delta }^* \notin E_\rho ^*$.
  - If $k > \delta $ and $x_{\mu ,\rho ,k}^* \in E_\rho ^*$, then it retrieves $(T^* \Vert x_{\mu ,\rho ,k}^*, f_{\rho ,k}, g^{f_{\rho ,k}})$ from the H-list, and sets $C_{\rho ,k} = (g^{b_\rho })^{f_{\rho ,k}}$ and $TK_{\rho ,k} = (e(g, \hat{g})^{c_\rho })^{f_{\rho ,k}}$ since $x_{\mu ,\rho ,k}^* \ne x_{\mu ,\rho ,\delta }^*$.
  - If $k > \delta $ and $x_{\mu ,\rho ,k}^* \notin E_\rho ^*$, then it retrieves $(T^* \Vert x_{\mu ,\rho ,k}^*, f_{\rho ,k}, g^{f_{\rho ,k}})$ from the H-list, and selects a random $C_{\rho ,k} \in \mathbb {G}$ and creates $TK_{\rho ,k} = ( e(g,\hat{g})^{c_\rho } )^{f_{\rho ,k}}$.
- Case $i > \rho $:
  - If $x_{\mu ,i,k}^* \in E_i^*$ and $x_{\mu ,i,k}^* = x_{\mu ,\rho ,\delta }^*$, it retrieves $(T^* \Vert x_{\mu ,i,k}^*, -, g^a)$ from the H-list, and sets $C_{i,k} = g^{a b_i}$ and $TK_{i,k} = e(g^a, \hat{g}^{c_i})$. In this case, $g^{ab_i}$ is given in the assumption since $i \ne \rho $.
  - If $x_{\mu ,i,k}^* \in E_i^*$ and $x_{\mu ,i,k}^* \ne x_{\mu ,\rho ,\delta }^*$, it retrieves $(T^* \Vert x_{\mu ,i,k}^*, f_{i,k}, g^{f_{i,k}})$ from the H-list, and sets $C_{i,k} = (g^{b_i})^{f_{i,k}}$ and $TK_{i,k} = e(g^{f_{i,k}}, \hat{g}^{c_i})$.
  - If $x_{\mu ,i,k}^* \notin E_i^*$, it retrieves $(T^* \Vert x_{\mu ,i,k}^*, f_{i,k}, g^{f_{i,k}})$ from the H-list, and selects a random $C_{i,k} \in \mathbb {G}$ and creates $TK_{i,k} = e(g^{f_{i,k}}, \hat{g}^{c_i})$.
Next, it generates a ciphertext element $D_{i,k}$ by running SKE.Encrypt$(T^* \Vert x_{\mu ,i,k}^*, TK_{i,k})$
2.
It chooses a random permutation $\pi _i$ and sets a challenge ciphertext $CT_{i,T^*} = \{ (C_{i,\pi _i(k)}, D_{i,\pi _i(k)}) \}_{k=1}^{\ell _i}$ for each client i.

Query $\mathcal {A}$ adaptively requests hash, token, and ciphertext queries. $\mathcal {B}$ handles these queries as follows:

If this is a hash query for a time period T and an item x, then $\mathcal {B}$ proceeds as follows: If $T \Vert x$ exists in the H-list, then it retrieves $(T \Vert x, -, h)$ from H-list and gives h to $\mathcal {A}$. Otherwise, it selects a random exponent $f \in \mathbb {Z}_p$ and adds $(T \Vert x, f, g^f)$ to the H-list, and then it gives the hash value $g^f$ to $\mathcal {A}$.
If this is a function key query for indexes i, j such that $(i,j) \in Q$, then $\mathcal {B}$ generates a function key $SK_{i,j} = \hat{g}^{c_i / (b_i + b_j)}$ since it is given in the assumption.
If this is a ciphertext query for a client index i, a set $X_i = \{ x_{i,1}, \ldots , x_{i,\ell } \}$, and a time period $T \ne T^*$, then $\mathcal {B}$ generates a ciphertext as follows:
1. 1.
  For each $k \in [\ell _i]$, it proceeds as follows: It retrieves $(T \Vert x_{i,k}, f_{k}, g^{f_{k}})$ from the H-list and sets $C_{i,k} = (g^{b_i})^{f_{k}}$. Next, it sets $TK_{i,k} = (e(g, \hat{g})^{c_\rho })^{f_{k}}$ if $i = \rho $, and it sets $TK_{i,k} = e(g^{f_{k}}, \hat{g}^{c_i})$ if $i \ne \rho $. It obtains $D_{i,k}$ by running SKE.Encrypt$(T \Vert x_{i,k}, TK_{i,k})$.
2. 2.
  It chooses a random permutation $\pi $ and creates $CT_{i,T} = \{ (C_{i,\pi (k)}, D_{i,\pi (k)}) \}_{k=1}^{\ell _i}$.

Guess $\mathcal {A}$ outputs a guess $\mu '$. If $\mu = \mu '$, it outputs 1. Otherwise, it outputs 0.

Lemma 3.7

If the SKE scheme is one-message secure, then no polynomial-time adversary can distinguish between $\mathbf{G} _3$ and $\mathbf{G} _4$ with a non-negligible advantage.

Proof

To prove this lemma, we additionally define hybrid games $\mathbf{H} ''_{1,0}, \mathbf{H} ''_{1,1}, \ldots , \mathbf{H} ''_{1,\ell _1}, \mathbf{H} ''_{1,1}, \ldots , \mathbf{H} ''_{i,k}, \ldots , \mathbf{H} ''_{n,\ell _n}$ where $\mathbf{H} ''_{1,0} = \mathbf{G} _3$ and $\mathbf{H} ''_{n,\ell _n} = \mathbf{G} _4$. The game $\mathbf{H} ''_{\rho ,\delta }$ is defined as follows:

Game $\mathbf{H} ''_{\rho ,\delta }$ This game $\mathbf{H} ''_{\rho ,\delta }$ is almost identical to the game $\mathbf{G} _3$ except the generation of components $\{ D_{i,k} \}$ in the challenge ciphertexts.

Case $(i < \rho )$ or $(i = \rho \wedge k \le \delta )$: If $x_{\mu ,i,k}^* \in E_i^*$, then the component $D_{i,k}$ is generated as normal. Otherwise ($x_{\mu ,i,k}^* \notin E_i^*$), the component $D_{i,k}$ is generated as the encryption of a random value.
Case $(i = \rho \wedge k > \delta )$ or $(i > \rho )$: The component $D_{i,k}$ is generated as normal.

Suppose there exists an adversary $\mathcal {A}$ that distinguishes between $\mathbf{H} ''_{\rho ,\delta -1}$ and $\mathbf{H} ''_{\rho ,\delta }$ with a non-negligible advantage. Without loss of generality, we assume that $x_{\mu ,\rho ,\delta }^* \notin E_{\rho }^*$ since $\mathbf{H} ''_{\rho ,\delta -1}$ and $\mathbf{H} ''_{\rho ,\delta }$ are equal if $x_{\mu ,\rho ,\delta }^* \in E_{\rho }^*$. Then $\mathcal {B}$ that interacts with $\mathcal {A}$ is described as follows:

Init $\mathcal {A}$ submits challenge sets of item sets $\{ X_{0,1}^*, \ldots , X_{0,n}^* \}$, $\{ X_{1,1}^*, \ldots , X_{1,n}^* \}$, a challenge time period $T^*$, and a set $Q = \{ (i,j) \}$ of function key queries. $\mathcal {B}$ then flips a random coin $\mu \in \{0,1\}$ internally and derives a set $\{ E_1^*, \ldots , E_n^* \}$ of common sets by calling $CIQ(\{ X_{\mu ,k}^* \}, Q)$.

Setup $\mathcal {B}$ first chooses random exponents $\alpha _1, \ldots , \alpha _n$, $\beta _1, \ldots , \beta _n \in \mathbb {Z}_p$. Next, it sets $PP = ((p, \mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T, e), g, \hat{g}, H_1, H_2)$. It prepares a hash table H-list for the $H_1$ hash function as follows:

1.
For each $i \in [n]$ and $k \in [\ell _i]$, it selects a random exponent $f_{i,k} \in \mathbb {Z}_p$ and adds $(T^* \Vert x_{\mu ,i,k}^*, f_{i,k}, g^{f_{i,k}})$ to the H-list.

Challenge $\mathcal {B}$ creates challenge ciphertexts $CT_{1,T^*}, \ldots , CT_{n,T^*}$ as follows:

1.
For each i and k, it generates ciphertext elements $C_{i,k}$ and $TK_{i,k}$ depending on the following cases:
- Case $x_{\mu ,i,k}^* \in E_i$: It retrieves $(T^* \Vert x_{\mu ,i,k}^*, f_{i,k}, g^{f_{i,k}})$ from the H-list, and creates $C_{i,k} = g^{f_{i,k} \alpha _i}$ and $TK_{i,k} = e(g^{f_{i,k}}, \hat{g})^{\beta _i}$.
- Case $x_{\mu ,i,k}^* \notin E_i$: It selects random $C_{i,k} \in \mathbb {G}$ and random $TK_{i,k} \in \mathbb {G}_T$.
Next, it also generates a ciphertext element $D_{i,k}$ depending on the following cases:
- Case $(i < \rho )$ or $(i = \rho \wedge k < \delta )$: If $x_{\mu ,i,k}^* \in E_i^*$, it creates $D_{i,k}$ by running SKE.Encrypt$(T^* \Vert x_{\mu ,i,k}^*, TK_{i,k})$. Otherwise ($x_{\mu ,i,k}^* \notin E_i^*$), it selects a random $y \in \mathcal {D}$ and creates $D_{i,k}$ by running SKE.Encrypt$(T^* \Vert y, TK_{i,k})$.
- Case $(i = \rho \wedge k = \delta )$: It selects a random $y \in \mathcal {D}$ and submits challenge message $x_{\mu ,\rho ,\delta }^*$ and y to the encryption oracle of SKE. Next, it receives a challenge ciphertext $CT_{SKE}^*$ from SKE and sets $D_{\rho ,\delta } = CT_{SKE}^*$. Recall that we assumed $x_{\mu ,\rho ,\delta }^* \notin E_\rho ^*$.
- Case $(i = \rho \wedge k > \delta )$ or $(i > \rho )$: It creates $D_{i,k}$ by running SKE.Encrypt$(T^* \Vert x_{\mu ,i,k}^*, TK_{i,k})$.
2.
It chooses a random permutation $\pi _i$ and sets a challenge ciphertext $CT_{i,T^*} = \{ (C_{i,\pi _i(k)}, D_{i,\pi _i(k)}) \}_{k=1}^{\ell _i}$ for each client i.

Query $\mathcal {A}$ adaptively requests hash, function key, and ciphertext queries. $\mathcal {B}$ handles these queries as follows:

If this is a hash query for a time period T and an item x, then $\mathcal {B}$ proceeds as follows: If $T \Vert x$ exists in the H-list, then it retrieves $(T \Vert x, -, h)$ from H-list and gives h to $\mathcal {A}$. Otherwise, it selects a random exponent $f \in \mathbb {Z}_p$ and adds $(T \Vert x, f, g^f)$ to the H-list, and then it gives the hash value $g^f$ to $\mathcal {A}$.
If this is a function key query for indexes i, j, then $\mathcal {B}$ simply generates a function key $SK_{i,j}$ by using $\alpha _i, \alpha _j, \beta _i$.
If this is a ciphertext query for a client index i, a set $X_i$, and a time period $T \ne T^*$, then $\mathcal {B}$ simply generates a ciphertext CT by using $\alpha _i, \beta _i$.

Guess $\mathcal {A}$ outputs a guess $\mu '$. If $\mu = \mu '$, it outputs 1. Otherwise, it outputs 0. $\square $

Now, we analyze the static security with corrupted clients of the FE-SI scheme. In the definition of the static security model, two indexes of a function key must be associated with corrupted clients, or two indexes of the function key must be associated with non-corrupted clients. Therefore, we can process this proof by selecting encryption keys for corrupted clients and using the static security proof of the FE-SI scheme analyzed earlier for non-corrupted clients.

Theorem 3.8

The above FE-SI scheme is static-IND secure with corruptions in the random oracle model if the FE-SI scheme is static-IND secure with no corruptions.

Proof

Suppose there exists an adversary $\mathcal {A}$ that breaks the static-IND security with corruptions. By using $\mathcal {A}$, a simulator $\mathcal {B}$ try to break the static-IND security with no corruptions played by a challenger $\mathcal {C}$. The simulator $\mathcal {B}$ is described as follows:

Init $\mathcal {A}$ submits the set of corrupted client indexes $\overline{I} \ne \emptyset $. Let $I = \{1, \ldots , n\} \setminus \overline{I}$ be the set of uncorrupted client indexes where $|I| = n'$. $\mathcal {A}$ also submits two challenge sets $\{ X_{0,k}^* \}_{k \in I}, \{ X_{1,k}^* \}_{k \in I}$, a challenge time period $T^*$, and a set $Q = \{ (i,j) \}$ of function key queries.

1.
It first define a one-to-one mapping $\phi $ from I to $I' = \{ 1, \ldots , n' \}$ such that $\phi (i) < \phi (j)$ if $i < j$ for any $i, j \in I$. It also define $\phi ^{-1}$ as the inverse mapping of $\phi $.
2.
Next, it derives a new set $Q' = \{ (\phi (i), \phi (j)) : (i,j) \in Q \}$ from the set Q.
3.
$\mathcal {B}$ submits two challenge sets $\{ X_{0,\phi (k)}^* \}_{\phi (k) \in I'}, \{ X_{1,\phi (k)}^* \}_{\phi (k) \in I'}$, the challenge time period $T^*$, and the set $Q'$ to $\mathcal {C}$. Note that $\mathcal {C}$ plays the static-IND security game with no corruptions for the set $I'$.

Setup $\mathcal {B}$ receives PP from $\mathcal {C}$. It chooses random exponents $\{ \alpha _i, \beta _i \}_{i \in \overline{I}}$. Next, it gives $\{ EK_i = ( \alpha _i, \beta _i ) \}_{i \in \overline{I}}$ and PP to $\mathcal {A}$.

Challenge $\mathcal {B}$ receives challenge ciphertexts $\{ CT_{i',T^*} \}_{i' \in I'}$ from $\mathcal {C}$ and gives $\{ CT_{\phi ^{-1}(i'),T^*} \}_{\phi ^{-1}(i') \in I}$ to $\mathcal {A}$.

Query $\mathcal {A}$ requests hash, function key, and ciphertext queries. $\mathcal {B}$ relays these queries to $\mathcal {C}$ and gives the response of $\mathcal {C}$ to $\mathcal {A}$ by using the mappings $\phi $ and $\phi ^{-1}$ to change the indexes of sets $I'$ and I.

Guess $\mathcal {A}$ outputs a guess $\mu '$. $\mathcal {B}$ also outputs $\mu '$. $\square $

3.6 Discussions

Efficiency analysis We analyze the efficiency of our FE-SI scheme. First, the encryption algorithm requires $2 \ell $ exponentiation operations and $2 \ell $ symmetric key encryption operations since it computes $C_{i,k}, TK_{i,k}$, and $D_{i,k}$ for each item of the set where $\ell $ is the size of the set. The size of the ciphertext is proportional to the size of the set. The key generation algorithm is efficient because it only requires a PRF computation and a single exponentiation operation, and the function key is composed of one group element. The slowest part of the FE-SI scheme is the decryption algorithm. Since the decryption algorithm processes two possible combination of ciphertext elements of two clients, it requires $O(\ell ^2)$ pairing operations and $O(\ell ^2)$ symmetric-key decryptions. Therefore, the decryption algorithm has $O(\ell ^2)$ time complexity when $\ell $ is the size of the set.

Hiding the set sizes In our FE-SI scheme, the ciphertext exposes the set size information because the size of a ciphertext is proportional to the size of the set. A simple way to hide the size of a set is to include additional dummy items in the ciphertext. That is, a dummy element $\tilde{C}_{i,k}$ is generated by computing $H(r)^{\alpha _i}$ with a random string r such that $\text {prefix}(r) \ne T$, and a dummy element $\tilde{D}_{i,k}$ is generated by running a symmetric-key encryption on a message r. In this case, the probability that the two clients select the same random string r is very low, and even if the two clients select the same r, the time string T is not decoded from the decryption of the dummy $\tilde{D}_{i,k}$. Thus the intersection of ciphertexts with dummy elements works correctly.

Encryption with associated data The FE-SI scheme encrypts only the set information during encryption. One natural way to extend the FE-SI scheme is to encrypt a set with additional associated data. This associated data can be easily encrypted by using symmetric-key encryption. In this case, the entity with a function key can decrypt not only the set intersection of two clients but also associated data encrypted by individual clients. Since the function key of our FE-SI scheme only provides $\hat{g}^{\beta _i / (\alpha _i + \alpha _j)}$ for client indexes i, j, only the associated data of the client index i is decrypted. If only the set is encrypted, this is not a problem, but if associated data is included, it is necessary to decrypt the ciphertext elements of the client j as well as the client i. Therefore, for this purpose, the key generation algorithm must provide two group elements, $\hat{g}^{\beta _i / (\alpha _i + \alpha _j)}$ and $\hat{g}^{\beta _j / (\alpha _i + \alpha _j)}$ as function keys.

Set intersection cardinality An interesting variant of the functional encryption for set intersection is functional encryption for set intersection cardinality (FE-SIC) that reveals the cardinality of the set intersection instead of revealing the set intersection of two sets. The simplest way to devise an FE-SIC scheme is to modify our FE-SI scheme to encrypt the string T instead of the concatenated string $T\Vert x$ when generating the ciphertext element $D_{i,k}$. In this case, if the correct string T is derived during decryption, the same item exists, so the number of intersections can be calculated by counting these cases. However, this method has the disadvantage of preserving the decryption complexity $O(\ell ^2)$ of the FE-SI scheme and requiring to create a new ciphertext.

Multi-party set intersection The FE-SI scheme we devised calculates the set intersection of two clients. It is possible to modify the FE-SI scheme to calculate the set intersection of three clients. The basic idea is for the key generation algorithm to receive the indexes of three clients (i, j, k) as an input and to create a function key $SK_{i,j,k} = \hat{g}^{\beta _i / (\alpha _i + \alpha _j + \alpha _k)}$. In this case, if the ciphertexts generated by the clients of indexes i, j, and k are on the same item x, then the decryption algorithm first derives $H(T\Vert x)^{\alpha _i} \cdot H(T\Vert x)^{\alpha _j} \cdot H(T\Vert x)^{\alpha _k} = H(T\Vert x)^{\alpha _i + \alpha _j + \alpha _k}$. If the pairing operation is performed with the function key, the temporary key $e(H(T\Vert x), \hat{g})^{\beta _i}$ can be derived for symmetric-key decryption. The decryption algorithm requires $O(\ell ^3)$ pairing operations since all possible combination of ciphertext elements should be considered. The static security of this scheme with no corruptions can be easily proven by extending the constraints of the security model and using modified assumptions that include additional group elements for key queries. If this method is extended, it is possible to process the set intersection of n clients, but it is inefficient because the decryption algorithm has $O(\ell ^n)$ time complexity.

4 FE for set intersection with time-constrained keys

In this section, we define the syntax and the security model of FE-SI that supports time-constrained keys (FE-SI-TCK). In addition, we propose an FE-SI-TCK scheme by modifying the previous FE-SI scheme and prove the security of the scheme.

4.1 Definition

The syntax of FE-SI-TCK is almost similar to that of FE-SI. The key difference in the syntax of FE-SI-TCK is that a function key is only valid at time T because the function key is associated with client indexes i, j and additional time T. For this reason, the decryption algorithm of FE-SI-TCK correctly proceeds the decryption process only when the time T of the two client’s ciphertexts and the time T of the function key are the same. That is, the function key of the FE-SI-TCK scheme does not always compute the set intersection of the two client’s ciphertexts for any time, but only computes the set intersection of the two client’s ciphertexts corresponding to the limited time T. A more detailed syntax of FE-SI-TCK is defined as follows.

Definition 4.1

(FE-SI with time-constrained keys) An FE-SI with time-constrained keys (FE-SI-TCK) scheme for $\mathcal {D}$ and $\mathcal {T}$ consists of four algorithms Setup, GenKey, Encrypt, and Decrypt, which are defined as follows:

Setup($1^{\lambda }, n$) The setup algorithm takes as input a security parameter $\lambda $ and the number of clients n. It outputs a master key MK, encryption keys $\{ EK_i \}$ for clients, and public parameters PP.
GenKey(i, j, T, MK, PP) The key generation algorithm takes as input two client indexes i, j such that $i < j$, a time period T, the master key MK, and public parameters PP. It outputs a time-constrained function key $SK_{i,j,T}$.
Encrypt($X_i, T, EK_i, PP$) The encryption algorithm takes as input a set $X_i = (x_{i,1}, \ldots , x_{i,\ell _i})$ where $x_{i,j} \in \mathcal {D}$, a time period $T \in \mathcal {T}$, an encryption key $EK_i$, and the public parameters PP. It outputs a ciphertext $CT_{i,T}$.
Decrypt($CT_{i,T}, CT_{j,T}, SK_{i,j,T}, PP$) The decryption algorithm takes as input two ciphertexts $CT_{i,T}$ and $CT_{j,T}$, a function key $SK_{i,j,T}$, and the public parameters PP. It outputs a set $X_i \cap X_j$ where $X_i$ and $X_j$ are associated with $CT_{i,T}$ and $CT_{j,T}$ respectively.

The correctness property of FE-SI-TCK is defined as follows: For all $MK, \{ EK_{i} \}, PP \leftarrow \mathbf{Setup} (1^{\lambda }, n)$, any $SK_{i,j,T} \leftarrow \mathbf{GenKey} (i, j, T, MK, PP)$ for any i, j, T such that $i < j$, $CT_{i,T} \leftarrow \mathbf{Encrypt} (X_i, T, EK_i, PP)$, and $CT_{j,T} \leftarrow \mathbf{Encrypt} (X_j, T, EK_j, PP)$, it is required that

Decrypt$(CT_{i,T}, CT_{j,T}, SK_{i,j,T}, PP) = X_i \cap X_j$ except with negligible probability.

The static security model of FE-SI-TCK is almost similar to the previous defined static security model of FE-SI. An important difference is that the attacker of FE-SI-TCK initially submits a set $Q_{T^*}$ of function key queries related to a challenge time $T^*$ instead of submitting all function key queries. Afterwards, when the attacker queries a function key for time T, the function key query must be specified in $Q_{T^*}$ if $T = T^*$, but the function key query can be any query if $T \ne T^*$. A more detailed static security model of FE-SI-TCK is defined as follows.

Definition 4.2

(Static-IND Security) The static-IND security of FE-SI-TCK with corruptions is defined in the following experiment $\mathbf{EXP} _{FE\text {-}SI\text {-}TCK,\mathcal {A}}^{ST\text {-}IND} (1^\lambda )$ between a challenger $\mathcal {C}$ and a PPT adversary $\mathcal {A}$:

1.
Init: $\mathcal {A}$ initially submits an index set $\overline{I} \subset [n]$ of corrupted clients. Let $I = \{ 1, \ldots , n \} \setminus \overline{I}$ be the index set of uncorrupted clients. $\mathcal {A}$ also submits two challenge sets of item sets $\{ X_{0,k}^* \}_{k \in I}$, $\{ X_{1,k}^* \}_{k \in I}$, a challenge time period $T^*$, and a set $Q_{T^*} = \{ (i,j) \}$ of function key queries on the time period $T^*$ with the restriction that $i,j \in I$ for each $(i,j) \in Q$ and $CIQ(\{ X_{0,k}^* \}_{k \in I}, Q_{T^*}) = CIQ(\{ X_{1,k}^* \}_{k \in I}, Q_{T^*})$.
2.
Setup: $\mathcal {C}$ generates a master key MK, encryption keys $\{ EK_i \}_{i=1}^n$ and public parameters PP by running Setup$(1^{\lambda }, n)$. It keeps MK and $\{ EK_i \}_{i \in I}$ to itself and gives $\{ EK_i \}_{i \in \overline{I}}$ and PP to $\mathcal {A}$.
3.
Challenge: $\mathcal {C}$ flips a random coin $\mu \in \{0,1\}$ and obtains a ciphertext $CT_{i,T^*}$ by running $\mathbf{Encrypt} (X_{\mu ,i}^*, T^*, EK_i, PP)$ for each $i \in I$. $\mathcal {C}$ gives the challenge ciphertexts $\{ CT_{i,T^*} \}_{i \in I}$ to $\mathcal {A}$
4.
Query: $\mathcal {A}$ requests function keys and ciphertexts. $\mathcal {C}$ handles these queries as follows:
- If this is a function key query for indexes $i,j \in I$ and a time period T with the restriction that $(i,j) \in Q_{T^*}$ if $T = T^*$, then $\mathcal {C}$ gives a function key $SK_{i,j,T}$ to $\mathcal {A}$ by running GenKey(i, j, T, MK, PP).
- If this is a ciphertext query for a client index k, a set $X_k$, and a time period T with the restriction that $k \in I$ and $T \ne T^*$, then $\mathcal {C}$ gives $CT_{k,T}$ to $\mathcal {A}$ by running Encrypt$(X_k, T, EK_k, PP)$.
5.
Guess: $\mathcal {A}$ outputs a guess $\mu ' \in \{0,1\}$ of $\mu $. $\mathcal {C}$ outputs 1 if $\mu = \mu '$ or 0 otherwise.

An FE-SI-TCK scheme is static-IND secure with corruptions if for all PPT adversary $\mathcal {A}$, the advantage of $\mathcal {A}$ defined as $\mathbf{Adv} _{\mathcal {A}}^{ST\text {-}IND} (\lambda ) = \big | \Pr [ \mathbf{EXP} _{FE\text {-}SI\text {-}TCK,\mathcal {A}}^{ST\text {-}IND} (1^\lambda ) = 1 ] - \frac{1}{2} \big |$ is negligible in the security parameter $\lambda $.

4.2 Construction

The idea of devising a function key limited to time T is to derive an independent encryption key for each time T from an original client encryption key by slightly modifying our FE-SI scheme. In other words, the client encryption key of the FE-SI-TCK scheme is a PRF key z and two exponents $(\alpha _T = \text {PRF}(z, 1\Vert T), \beta _T = \text {PRF}(z, 2\Vert T))$ are derived for a specific time period T, whereas the client encryption key of the FE-SI scheme is just $(\alpha , \beta )$. The encryption and decryption algorithms are almost the same as those of the FE-SI scheme. An FE-SI-TCK scheme that supports time-constrained function keys is described as follows.

Setup($1^{\lambda }, n$) Let n be the maximum number of clients.
1. 1.
  It first generates a bilinear group $(p, \mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T, e)$ of prime order p with two random generators $g \in \mathbb {G}$ and $\hat{g} \in \hat{\mathbb {G}}$. It chooses two hash functions $H_1: \{0,1\}^* \rightarrow \mathbb {G}$ and $H_2: \mathbb {G}_T \rightarrow \{0,1\}^{\lambda }$.
2. 2.
  Next, it selects a random PRF key $z \in \{0,1\}^{\lambda }$ and computes $z_i = PRF(z, 0 \Vert i)$ for each index $i \in [n]$.
3. 3.
  Finally, it outputs a master key $MK = z$, encryption keys $\{ EK_i = z_i \}_{i=1}^n$ for clients, and public parameters $PP = \big ( (p, \mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T, e), g, \hat{g}, H_1, H_2 \big )$.
GenKey(i, j, T, MK, PP) Let i, j be indexes such that $i < j$ and T be a time period.
1. 1.
  It first derives $z_i = PRF(z, 0 \Vert i)$ and $z_j = PRF(z, 0 \Vert j)$ from $MK = z$. It also calculates $\alpha _{i,T} = PRF(z_i, 1 \Vert T)$, $\alpha _{j,T} = PRF(z_j, 1 \Vert T)$, and $\beta _{i,T} = PRF(z_i, 2 \Vert T)$.
2. 2.
  Finally, it outputs a time-constrained function key $SK_{i,j,T} = \hat{g}^{\beta _{i,T} / (\alpha _{i,T} + \alpha _{j,T})}$ by implicitly including i, j, T.
Encrypt($X_i, T, EK_i, PP$) Let $X_i = \{ x_{i,1}, \ldots , x_{i,\ell _i} \}$ be a set of items where $|X_i| = \ell _i$ and $EK_i = z_i$.
1. 1.
  It calculates $\alpha _{i,T} = PRF(z_i, 1 \Vert T)$ and $\beta _{i,T} = PRF(z_i, 2 \Vert T)$.
2. 2.
  For each index $k \in [\ell _i]$, it proceed as follows: It computes a component $C_{i,k} = H_1(x_{i,k})^{\alpha _{i,T}}$ and then derives a temporal key $TK_{i,k} = e( H_1(x_{i,k}), \hat{g} )^{\beta _{i,T}}$. Next, it obtains an encrypted data $D_{i,k}$ by running SKE.Encrypt$(T \Vert x_{i,k}, H_2(TK_{i,k}))$.
3. 3.
  Finally, it chooses a random permutation $\pi $ and outputs a ciphertext $CT_{i,T} = \big \{ ( C_{i,\pi (k)}, D_{i,\pi (k)} ) \big \}_{k=1}^{\ell _i}$ by implicitly including i, T.
Decrypt($CT_{i,T}, CT_{j,T}, SK_{i,j,T}, PP$) Let $CT_{i,T} = \{ ( C_{i,k}, D_{i,k} ) \}_{k=1}^{\ell _i}$ and $CT_{j,T} = \{ ( C_{j,k}, D_{j,k} ) \}_{k=1}^{\ell _j}$ be ciphertexts such that $i < j$ with the same time T. It first initializes a set $Y = \emptyset $.
1. 1.
  For each index $k_i \in [\ell _i]$ and $k_j \in [\ell _j]$, it proceeds as follows: It computes $TK_{i,k_i} = e(C_{i,k_i} \cdot C_{j,k_j}, SK_{i,j,T})$ and obtains a message $A \Vert x$ by running $\mathbf{SKE}.Decrypt (D_{i,k_i}, H_2(TK_{i,k_i}))$. It adds an item x into Y if $A = T$.
2. 2.
  Finally, it outputs the set Y.

4.3 Correctness

The FE-SI-TCK scheme is almost the same as the previous FE-SI scheme except that the encryption key for a specific time period T is derived by using the PRF. Therefore, the correctness of the FE-SI-TCK scheme is easily guaranteed by the correctness of the PRF and the correctness of the FE-SI scheme.

4.4 Security analysis

In order to prove the static security of the FE-SI-TCK scheme, we also analyze by dividing into two cases, the case where there is no corrupted client and the case where there are corrupted clients. Similar to the proof of the FE-SI scheme, we can also prove the static security of the scheme with corrupted clients by using the static security proof of the scheme with non-corrupted clients.

We can show that the FE-SI-TCK scheme without corrupted clients is static secure by using the static security of the FE-SI scheme without corrupted clients. The basic idea of this proof is that ciphertext and function key queries for $T = T^*$ are all handled by the challenger of the FE-SI scheme, and ciphertext and function key queries for $T \ne T^*$ are handled by a simulator itself with randomly selected encryption keys. The security theorem of the FE-SI-TCK scheme is described as follows.

Theorem 4.3

The above FE-SI-TCK scheme is static-IND secure with no corruptions in the random oracle model if the PRF scheme is secure and the FE-SI scheme is static-IND secure with no corruptions.

Proof

To argue that the adversary cannot win this game, we define a sequence of hybrid games $\mathbf{G} _0, \mathbf{G} _1$. The game $\mathbf{G} _i$ is defined as follows:

Game $\mathbf{G} _0$ The first game $\mathbf{G} _0$ is the original security game defined in Definition 4.2.
Game $\mathbf{G} _1$ In this game $\mathbf{G} _1$, the PRFs which are used to generate encryption keys are changed to be truly random functions.

Let $S_{\mathcal {A}}^\mathbf{G _i}$ be the event that an adversary wins in a game $\mathbf{G} _i$. From the following Lemmas 4.4 and 4.5, we obtain the following result

$$\begin{aligned} \mathbf{Adv} _{FE\text {-}SI\text {-}TCK,\mathcal {A}}^{ST\text {-}IND}(\lambda ) \le&\left| \Pr [S_{\mathcal {A}}^\mathbf{G _0}] - \Pr [S_{\mathcal {A}}^\mathbf{G _1}] \right| + \Pr [S_{\mathcal {A}}^\mathbf{G _1}] \le (n+1) \mathbf{Adv} _{\mathcal {B}}^{PRF}(\lambda ) + \mathbf{Adv} _{FE\text {-}SI,\mathcal {B}}^{ST\text {-}IND}(\lambda ) \end{aligned}$$

where n is the number of clients, $\ell $ is the size of the challenge attribute. This completes our proof. $\square $

Lemma 4.4

If the PRF is secure, then no polynomial-time adversary can distinguish between $\mathbf{G} _0$ and $\mathbf{G} _1$ with a non-negligible advantage.

Proof

The proof of this lemma is relatively easy from the security of PRF. That is, we simply change a PRF to a truly random function one by one by defining additional hybrid games. Note that there are at most $n+1$ PRFs are used in the FE-SI-TCK scheme. We omit the details of this proof. $\square $

Lemma 4.5

If the FE-SI scheme is static-IND secure, then no polynomial-time adversary can win $\mathbf{G} _1$ with a non-negligible advantage.

Proof

Suppose there exists an adversary $\mathcal {A}$ that wins the game $\mathbf{G} _1$ with a non-negligible advantage. Then $\mathcal {B}$ that interacts with $\mathcal {A}$ is described as follows:

Init $\mathcal {A}$ submits challenge sets of item sets $\{ X_{0,1}^*, \ldots , X_{0,n}^* \}$, $\{ X_{1,1}^*, \ldots , X_{1,n}^* \}$, a challenge time period $T^*$, and a set $Q_{T^*}$ of function key queries. $\mathcal {B}$ also submits $\{ X_{0,i}^* \}$, $\{ X_{1,i}^* \}$, $T^*$, and $Q_{T^*}$ to the FE-SI scheme.

Setup $\mathcal {B}$ receives $\tilde{PP}$ from the FE-SI scheme and sets $PP = \tilde{PP}$. $\mathcal {B}$ prepares an EK-list as the empty set that stores a tuple $(i, T, \alpha _{i,T}, \beta _{i,T})$.

Challenge $\mathcal {B}$ receives $\tilde{CT}_{1,T^*}, \ldots , \tilde{CT}_{n,T^*}$ of the FE-SI scheme and sets challenge ciphertexts $CT_{i,T^*} = \tilde{CT}_{i,T^*}$ for each i. It gives the challenge ciphertexts to $\mathcal {A}$.

Query $\mathcal {A}$ adaptively requests hash, function key, and ciphertext queries. $\mathcal {B}$ handles these queries as follows:

If this is a hash query for an item x, then $\mathcal {B}$ proceeds as follows: It requests a hash query to the FE-SI scheme on the time period $T^*$ and the item x and receives a hash value $\tilde{h}$. It sets $h = \tilde{h}$ and gives h to $\mathcal {A}$. Note that it implicitly sets $H_1(x) = \tilde{H}_1(T^* \Vert x)$ where $\tilde{H}_1$ is the hash function of the FE-SI scheme.
If this is a time-constrained function key query for indexes i, j and a time period T, then $\mathcal {B}$ generates a function key as follows:
- Case $T = T^*$: It requests a ciphertext query to the FE-SI scheme on input i, j and receives a function key $\tilde{SK}_{i,j}$ since $(i,j) \in Q_{T^*}$. It creates a time-constrained function key $SK_{i,j,T} = \tilde{SK}_{i,j}$.
- Case $T \ne T^*$:
  1. 1.
    If a tuple $(i, T, \alpha _{i,T}, \beta _{i,T})$ already exists in the EK-list, then it retrieves $(i, T, \alpha _{i,T}, \beta _{i,T})$ from the EK-list. Otherwise, it selects random $\alpha _{i,T}, \beta _{i,T} \in \mathbb {Z}_p$ and adds $(i, T, \alpha _{i,T}, \beta _{i,T})$ to the EK-list.
  2. 2.
    If a tuple $(j, T, \alpha _{j,T}, \beta _{j,T})$ already exists in the EK-list, then it retrieves $(j, T, \alpha _{j,T}, \beta _{j,T})$ from the EK-list. Otherwise, it selects random $\alpha _{j,T}, \beta _{j,T} \in \mathbb {Z}_p$ and adds $(j, T, \alpha _{j,T}, \beta _{j,T})$ to the EK-list.
  3. 3.
    Next, it creates a time-constrained function key $SK_{i,j,T} = \hat{g}^{\beta _{i,T} / (\alpha _{i,T} + \alpha _{j,T})}$.
If this is a ciphertext query for a client index i, a set $X_i = \{ x_{i,1}, \ldots , x_{i,\ell _i} \}$, and a time period $T \ne T^*$, then $\mathcal {B}$ generates a ciphertext as follows:
1. 1.
  If a tuple $(i, T, \alpha _{i,T}, \beta _{i,T})$ already exists in the EK-list, then it retrieves $(i, T, \alpha _{i,T}, \beta _{i,T})$ from the EK-list. Otherwise, it selects random $\alpha _{i,T}, \beta _{i,T} \in \mathbb {Z}_p$ and adds $(i, T, \alpha _{i,T}, \beta _{i,T})$ to the EK-list.
2. 2.
  For each index $k \in [\ell _i]$, it obtains h from hash query on input $x_{i,k}$ and creates $C_{i,k} = h^{\alpha _{i,T}}$, $TK_{i,k} = e(h, \hat{g})^{\beta _{i,T}}$, and $D_{i,k}$ by running SKE.Encrypt$(T \Vert x_{i,k}, H_2(TK_{i,k}))$.
3. 3.
  It chooses a random permutation $\pi $ and generates a ciphertext $CT_{i,T} = \{ ( C_{i,\pi (k)}, D_{i,\pi (k)} ) \}_{k=1}^{\ell _i}$.

Guess $\mathcal {A}$ outputs a guess $\mu '$. $\mathcal {B}$ also outputs $\mu '$. $\square $

Theorem 4.6

The above FE-SI-TCK scheme is static-IND secure with corruptions in the random oracle model if the FE-SI-TCK scheme is static-IND secure with no corruptions.

The proof of Theorem 4.6 is almost identical to that of Theorem 3.8.

4.5 Discussions

Time range function key In our FE-SI-TCK scheme, a function key is only valid for a specified time period T. If a third party performing the set intersection operation needs a function key that is valid for time range periods from $T_L$ to $T_R$, the trusted center generates a time range function key which consists of individual function keys for each time period $T \in [T_L, T_R]$. In this case, the size of the time range function key increases in proportion to the size of the time range. We can reduce the size of the time range function key by using a binary tree. That is, if the leaf nodes in the binary tree are related to time periods, a ciphertext is related to the path of the binary tree, and a time range function key is related to the minimum set of internal nodes which include all leaf nodes corresponding to the time range. In this case, the ciphertext is composed of $2 \ell \log (T_{max})$ group elements, and the time range function key can also be composed of $2 \log (T_{max})$ group elements where $T_{max}$ is the maximum time period of the binary tree.

Forward secrecy A forward-secure encryption scheme does not expose information on ciphertexts generated in the past time periods if a long-term key is exposed to an attacker [13]. In our FE-SI-TCK scheme, if the encryption key of an corrupted client, which is the client’s long-term key, is exposed, the attacker can obtain information on the past ciphertexts of another uncorrupted client by using the function key of the past time and the encryption key of the corrupted client. Note that the security model of FE-SI-TCK is not considered forward secrecy because corrupt clients are fixed in advance. We can modify our FE-SI-TCK scheme to provide forward secrecy. First, each client is initially given an encryption key $(\alpha _0, \beta _0)$, and the encryption key evolves over time through $\alpha _T = \text {PRG}(\alpha _{T-1})$ and $\beta _T = \text {PRG}(\beta _{T-1})$. The encryption algorithm uses the evolved encryption key $(\alpha _T, \beta _T)$ to generate a ciphertext as the same as that of our FE-SI-TCK scheme. If an attacker obtains an encryption key $(\alpha _T, \beta _T)$ on time T, the attacker can generate a future ciphertext on time $T'' \ge T$, but he cannot generate a past ciphertext on time $T' < T$ due to the one-wayness of pseudo-random generators.

5 Our assumptions in generic group models

In this section, we prove that our assumptions we introduced earlier hold in the generic group model [33]. To do this, we use the master theorem in [7, 20] to analyze our assumptions in asymmetric bilinear groups.

5.1 Generic group models

The generic group model is an abstract model for analyzing generic algorithms that operate independently of the representation of group elements. For this reason, just because an assumption is analyzed to be secure in the generic group model does not guarantee that the assumption is secure in the real environment. The reason is that there may be a non-generic algorithm that breaks the assumption.

A generic group model is defined as a game between a challenger algorithm $\mathcal {B}$ and an attacker algorithm $\mathcal {A}$. In this case, $\mathcal {A}$ does not directly access the actual representation of group elements, but instead uses unique handles to these elements to access these group elements. That is, $\mathcal {A}$ can query group multiplication, division, exponentiation, and pairing operations by using handles of group elements, and can compare the equality of group elements by directly comparing the handles. Initially, $\mathcal {A}$ is given the handles of group elements with the specified distribution. The processing of the handling the query of $\mathcal {A}$ is described as follows:

Multiplication: $\mathcal {A}$ queries the multiplication operation by submitting two handles $h_1$ and $h_2$ associated with group elements $u_1 = g^{x_1}$ and $u_2 = g^{x_2}$. To answer this query, $\mathcal {B}$ computes $u_3 = u_1 u_2 = g^{x_1 + x_2}$ and returns a new handle $h_3$ if the element $u_3$ has not already been assigned to a handle. If $u_3$ already has a handle, it returns the existing handle. The multiplication operation is processed in a similar way for each group $\mathbb {G}, \hat{\mathbb {G}}$, and $\mathbb {G}_T$ respectively.
Division: $\mathcal {A}$ queries the division operation by submitting two handles $h_1$ and $h_2$ associated with group elements $u_1 = g^{x_1}$ and $u_2 = g^{x_2}$. To answer this query, $\mathcal {B}$ computes the element $u_3 = u_1 / u_2 = g^{x_1 - x_2}$ and returns a new handle $h_3$ if $u_3$ has not already been assigned a handle. If $u_3$ already has a handle, it returns the existing handle. The division operation is processed in a similar way for each group $\mathbb {G}, \hat{\mathbb {G}}$, and $\mathbb {G}_T$ respectively.
Exponentiation: $\mathcal {A}$ queries the exponentiation operation by submitting a handle $h_1$ associated with a group element $u_1 = g^{x_1}$ and an integer $\gamma $. To answer this query, $\mathcal {B}$ computes the element $u_2 = u_1^{\gamma } = g^{x_1 \gamma }$ and returns a new handle $h_2$ if $u_2$ has not already been assigned to a handle. If $u_2$ already has a handle, it returns the existing handle. The exponentiation operation is processed in a similar way for each group $\mathbb {G}, \hat{\mathbb {G}}$, and $\mathbb {G}_T$ respectively.
Pairing: $\mathcal {A}$ queries the pairing operation by submitting two handles $h_1$ and $h_2$ associated with group elements $u_1 = g^{x}$ and $\hat{u}_2 = \hat{g}^{y}$. To answer this query, $\mathcal {B}$ computes the element $u_T = e(u_1, \hat{u}_2) = e(g, \hat{g})^{xy}$ and returns a new handle $h_3$ if $u_T$ is not already assigned to a handle in the group $\mathbb {G}_T$. If $u_T$ already has a handle, it returns the existing handle.

Let $\mathbb {G}, \hat{\mathbb {G}}$, and $\mathbb {G}_T$ be asymmetric bilinear groups of prime order p with the bilinear map $e:\mathbb {G}\times \hat{\mathbb {G}} \rightarrow \mathbb {G}_T$. A group element $u \in \mathbb {G}$ can be represented as a multi-variate polynomial, which indicates the exponent of u relative to some fixed generator g. We can also represent group elements in $\hat{\mathbb {G}}$ and $\mathbb {G}_T$ as similar way. For instance, the general Diffie-Hellman tuple is represented as the tuple (1, X, Y, XY) where X and Y are random variables.

The generalized dependence and independence of variables is defined by Freeman [20] as follows:

Definition 5.1

([20], Definition D.1) Let $P = (p_1, \ldots , p_u)$, $R = (r_1, \ldots , r_w)$, $T = (t_1, \ldots , t_v)$, $S = (s_1, \ldots , s_t)$ be tuples of multi-variate polynomials in $\mathbb {F}_p[X_1, \ldots , X_n]$ where $X_i$ is a random variable. Let f be a multi-variate polynomial in $\mathbb {F}_p[X_1, \ldots , X_n]$. We say that $f \cdot S$ is dependent on (P, R, T) if there exist integers $\{ \alpha _{i,j} \}, \{ \beta _k \}, \{ \gamma _\ell \}$ such that

$$\begin{aligned} \sum _{i=1}^u \sum _{j=1}^w \alpha _{i,j} \cdot p_i r_j + \sum _{k=1}^v \beta _k \cdot t_k + \sum _{\ell =1}^t \gamma _\ell \cdot Y s_\ell \end{aligned}$$

is nonzero in $\mathbb {F}_p[X_1, \ldots , X_n, Y]$ but becomes zero when we set $Y = f$. We say that $f \cdot S$ is independent of (P, R, T) if $f \cdot S$ is not dependent on (P, R, T). We say that f is independent of (P, R, T) if $f \cdot \{ 1 \}$ is not dependent on (P, R, T).

In this definition, the multi-variate polynomials $p_i, r_j, t_k $ represent the exponents of group elements in $\mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T$ respectively, and the polynomial f represents the exponent of the challenge element in complexity assumptions. Additionally, the polynomials $s_\ell $ represent the exponents of group elements in which the challenge element can be paired.

By extending the (P, R, T, f)-DDH problem of Boneh et al. [7], Freeman defined the (P, R, T, f)-DDH problem in $\mathbb {G}$ and $\mathbb {G}_T$ as follows:

Definition 5.2

[20], Definition D.2 Let $(p, \mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T, e)$ be a bilinear group randomly generated by $\mathcal {G}(1^\lambda )$. Let $g, \hat{g}$ be random generators of $\mathbb {G}, \hat{\mathbb {G}}$ respectively. Let P, R, T, f be as in Definition 5.1. We select $\mathbf {x} {\mathop {\leftarrow }\limits ^{R}} \mathbb {F}_p^n$ and define the following distribution:

$$\begin{aligned} D&= \big ((p, \mathbb {G}, \hat{\mathbb {G}}, \mathbb {G}_T, e),~ g^{p_1(\mathbf {x})}, \ldots , g^{p_u(\mathbf {x})},~ \hat{g}^{r_1(\mathbf {x})}, \ldots , \hat{g}^{r_w(\mathbf {x})},~ \\&\quad e(g, \hat{g})^{t_1(\mathbf {x})}, \ldots , e(g, \hat{g})^{t_v(\mathbf {x})} \big ),~ Z_0 \leftarrow g^{f(\mathbf {x})},~ Z_1 {\mathop {\leftarrow }\limits ^{R}} \mathbb {G}\end{aligned}$$

We define the advantage of an algorithm $\mathcal {A}$ that outputs $b \in \{0,1\}$ in solving the (P, R, T, f)-decision Diffie-Hellman problem in $\mathbb {G}$ to be

$$\begin{aligned} \mathbf{Adv} _{\mathcal {A}}^{(P,R,T,f)\text {-}DDH}(\lambda ) = \left| \Pr [\mathcal {A}(D, Z_0) = 1] - \Pr [\mathcal {A}(D, Z_1) = 1] \right| \end{aligned}$$

We define the analogous problem in $\mathbb {G}_T$ by taking $Z_0 \leftarrow e(g, \hat{g})^{f(\mathbf {x})}, Z_1 {\mathop {\leftarrow }\limits ^{R}} \mathbb {G}_T$.

The master theorem of Boneh et al. [7] gives the complexity lower bound of the (P, R, T, f)-DDH problem in $\mathbb {G}_T$, but the same argument also works for the (P, R, T, f)-DDH problem in $\mathbb {G}$ as indicated by Freeman [20] using the generalized definition of independence in Definition 5.1.

Theorem 5.3

([7, 20]) Let $P = (p_1, \ldots , p_u)$, $R = (r_1, \ldots , r_w)$, $T = (t_1, \ldots , t_v)$ be tuples of polynomials in $\mathbb {F}_p[X_1, \ldots , X_n]$. Let f be a polynomial in $\mathbb {F}_p[X_1, \ldots , X_n]$. Let $d = 2 \cdot max(d_P, d_R, d_T, d_f)$ where $d_f$ is the total degree of f and $d_X = max\{ d_f | f \in X \}$ for a set X. If f is independent of (P, R, T), then any algorithm $\mathcal {A}$ that solves the (P, R, T, f)-DDH problem in $\mathbb {G}_T$ with advantage 1/2 must take at least $\Omega (\sqrt{p/d} - n)$. If $f \cdot R$ is independent of (P, R, T), then the same statement holds for the (P, R, T, f)-DDH problem in $\mathbb {G}$.

5.2 Analysis of Assumption 1 for $(n, \rho , Q, J)$

We analyze the Assumption 1 for $(n, \rho , Q, J)$ in the generic group model by using Theorem 5.3. However, we cannot directly apply the theorem to this assumption because the assumption contains negative exponents. To solve this negative exponent problem, we set $\hat{h} = \hat{g}^{\prod _{(i,j) \in Q} (b_i + b_j)}$ and use $\hat{h}$ instead of $\hat{g}$. In this case, the Assumption 1 is described as follows:

$$\begin{aligned}&D = \big ( g, g^a, \{ g^{b_k} \}_{k=1}^n, \{ g^{a b_k} \}_{k \in J}, \hat{h}, \{ \hat{h}^{1 / (b_i + b_j)} \}_{(i,j) \in Q} \big ),~ Z_0 = g^{ab_\rho },~ Z_1 = g^d. \end{aligned}$$

Let $\eta = \prod _{(i,j) \in Q} (B_i + B_j)$ be a random variable where the maximum degree of $\eta $ is $n(n-1)/2$. The Assumption 1 is described again as the following sets of multi-variate polynomials:

$$\begin{aligned}&P = \{ 1, A \} \cup \{ B_k \}_{k=1}^n \cup \{ AB_k \}_{k \in J},~ R = \{ \eta \} \cup \{ \eta / (B_i + B_j) \}_{(i,j) \in Q},~ T = \{ \},~ \\&\quad f_0 = A B_\rho ,~ f_1 = D. \end{aligned}$$

To apply the master theorem, we must show that $f_0 \cdot R$ and $f_1 \cdot R$ are independent of (P, R, T) by following Definition 5.1. We can easily show that $f_1 \cdot R$ is independent of (P, R, T) by using the fact that the random variable D in $f_1$ does not exist in P, R, T. To show that $f_0 \cdot R$ is independent of (P, R, T), we derive two sets $f_0 \cdot R$ and $P \cdot R$ as follows:

$$\begin{aligned} f_0 \cdot R =&\;\{ \eta A B_\rho \} \cup \{ \eta A B_\rho / (B_i + B_j) \}_{(i,j) \in Q}, \\ P \cdot R =&\; \{ \eta , \eta A \} \cup \{ \eta B_k \}_{1 \le k \le n} \cup \{ \eta A B_k \}_{k \in J} \cup \\&\{ \eta / (B_i + B_j) \}_{(i,j) \in Q} \cup \{ \eta A / (B_i + B_j) \}_{(i,j) \in Q} \cup \\&\{ \eta B_k / (B_i + B_j) \}_{(i,j) \in Q, 1 \le k \le n} \cup \{ \eta A B_k / (B_i + B_j) \}_{(i,j) \in Q, k \in J}. \end{aligned}$$

The set $f_0 \cdot R$ consists of two component types: $\eta AB_\rho $ and $\eta AB_\rho / (B_i + B_j)$. Since $\eta AB_\rho $ additionally includes $(B_i + B_j)$ compared to $\eta AB_\rho / (B_i + B_j)$, these component types are independent of each other. Thus, we can analyze $\eta AB_\rho $ and $\eta AB_\rho / (B_i + B_j)$ separately.

First, we show that $\eta AB_\rho $ is independent of $P \cdot R$. At this time, since $\eta AB_\rho $ includes random variables A and $B_\rho $, only $\{ \eta AB_k \}$ and $\{ \eta A B_k / (B_i + B_j) \}$ in $\{ e(P_i, R_j) \}$ can have a dependency. However, $\eta AB_\rho $ is independent because of $\rho \notin J$.
Next, we show that $\eta AB_\rho / (B_i + B_j)$ is independent of $P \cdot R$. The subsets of $P \cdot R$ that contain the random variable A are $\{ \eta A \}, \{ \eta AB_k \}, \{ \eta A / (B_i + B_j) \}$, and $\{ \eta AB_k / (B_i + B_j) \}$. Here, the subset $\{ \eta AB_k \}$ need not be considered because of $\rho \notin J$. The subset $\{ \eta A / (B_i + B_j) \}$ does not need to be considered because it does not contain $B_\rho $. Now using the remaining subsets $\{ \eta A = \eta A (B_i + B_j)/(B_i + B_j) \}$ and $\{ \eta AB_k / (B_i + B_j) \}$, we may try to compose a linear equation with $\eta AB_\rho / (B_i +B_j)$. Here, the index k cannot be the index $\rho $ because of $\rho \notin J$. Thus the only way to create a linear equation is to derive
$$\begin{aligned} \frac{\eta AB_\rho }{(B_\rho + B_k)} = \frac{\eta A (B_\rho + B_k)}{(B_\rho + B_k)} - \frac{\eta A B_k}{(B_\rho + B_k)} \end{aligned}$$
when $(\rho , k) \in Q$. To satisfy the above equation, it is required that $k \in J$ when $(\rho , k) \in Q$. However, if $(\rho , k) \in Q$, we have $k \notin J$ according to the definition of J. Thus $\eta AB_\rho / (B_i + B_j)$ is independent because $AB_k \notin P$ when $(\rho , k) \in Q$.

Therefore, we have that $f_0 \cdot R$ is independent of (P, R, T).

5.3 Analysis of Assumption 2 for $(n, \rho , Q)$

We analyze the Assumption 2 for $(n, \rho , Q)$ in the generic group model by using Theorem 5.3. However, we cannot directly apply the theorem to the assumption because the assumption contains negative exponents. To solve this negative exponent problem, we set $\hat{h} = \hat{g}^{\prod _{(i,j) \in Q} (b_i + b_j)}$ and use $\hat{h}$ instead of $\hat{g}$. In this case, the Assumption 2 is described as follows:

$$\begin{aligned}&D = \big ( g, g^a, \{ g^{b_i} \}_{i=1}^n, \{ g^{a b_k} \}_{1 \le k \ne \rho \le n}, \hat{h}, \{ \hat{h}^{c_i} \}_{1 \le i \ne \rho \le n}, e(g, \hat{h})^{c_\rho }, \{ \hat{h}^{c_i / (b_i + b_j)} \}_{(i,j) \in Q} \big ), \\&\quad Z_0 = e(g, \hat{h})^{ac_\rho },~ Z_1 = e(g, \hat{h})^d. \end{aligned}$$

Let $\eta = \prod _{(i,j) \in Q} (B_i + B_j)$ be a random variable where the maximum degree of $\eta $ is $n(n-1)/2$. The Assumption 2 is described again as the following sets of multi-variate polynomials:

$$\begin{aligned}&P = \{ 1, A \} \cup \{ B_k \}_{k=1}^n \cup \{ AB_k \}_{1 \le k \ne \rho \le n},~ \\&R = \{ \eta \} \cup \{ \eta C_i \}_{1 \le i \ne \rho \le n} \cup \{ \eta C_i / (B_i + B_j) \}_{(i,j) \in Q},~ T = \{ \eta C_{\rho } \},~ \\&f_0 = \eta AC_\rho ,~ f_1 = \eta D. \end{aligned}$$

To apply the master theorem, we must show that the random variables $f_0$ and $f_1$ are independent of (P, R, T) by following Definition 5.1. We can easily show that $f_1$ is independent of (P, R, T) by using the fact that the random variable D in $f_1$ does not exist in P, R, T. To show that $f_0$ is independent of (P, R, T), we derive the set $P \cdot R$ as follows:

$$\begin{aligned} P \cdot R =&\; \{ \eta , \eta A \} \cup \{ \eta B_k \}_{i=k}^n \cup \{ \eta A B_k \}_{1 \le k \ne \rho \le n} \cup \{ \eta C_i, \eta AC_i \}_{1 \le i \ne \rho \le n} \cup \\&\{ \eta B_k C_i \}_{1 \le i \ne \rho \le n, 1 \le k \le n} \cup \{ \eta A B_k C_i \}_{1 \le i \ne \rho \le n, 1 \le k \le n} \cup \\&\{ \eta C_i / (B_i + B_j) \}_{(i,j) \in Q} \cup \{ \eta A C_i / (B_i + B_j) \}_{(i,j) \in Q} \cup \\&\{ \eta B_k C_i / (B_i + B_j) \}_{(i,j) \in Q, 1 \le k \ne \rho \le n} \cup \{ \eta A B_k C_i / (B_i + B_j) \}_{(i,j) \in Q, 1 \le k \ne \rho \le n}. \end{aligned}$$

We show that $f_0 = \eta AC_\rho $ is independent of $P \cdot R$ and T. The subsets of $P \cdot R$ that contain the random variables $A, C_\rho $ are $\{ \eta A C_i / (B_i + B_j) \}$ and $\{ \eta AB_k C_i / (B_i + B_j) \}$. Here, the subset $\{ \eta A C_i / (B_i + B_j) \}$ does not need to be considered because it lacks $(B_i + B_j)$. By using the remaining subset $\{ \eta AB_k C_i / (B_i + B_j) \}$, we may try to compose a linear equation with $\eta A C_\rho $. The only way to create a linear equation is to derive

$$\begin{aligned} \eta A C_\rho = \frac{\eta A B_{k_1} C_\rho }{(B_\rho + B_j)} + \frac{\eta A B_{k_2} C_\rho }{(B_\rho + B_j)} \end{aligned}$$

when $(\rho , j) \in Q$, $k_1 = \rho $, and $k_2 = j$. To satisfy the above equation, it is required that $k_1 = \rho $ where $k_1$ is an index for $\{ AB_k \}$. However, we have $k_1 \ne \rho $ from the restriction of the Assumption 2. Therefore, $f_0$ is independent of (P, R, T).

6 Conclusion

From the practical point of view, designing an efficient FE scheme that provides practical functionality is an important issue. In this paper, we newly defined the concept of FE for set intersection (FE-SI) in the multi-client setting and proposed two efficient FE-SI schemes in bilinear groups. The FE-SI scheme issues encryption keys for all clients with a single setup and issues a function key for two client indexes to a third party that wants to perform the set intersection. And we also proposed another FE-SI scheme to add additional control to the function key by limiting the validity of the function key for a specified time period. In addition to this, we have shown that our FE-SI schemes can be extended to provide functionality such as associated message encryption, set intersection cardinality, multi-party set intersection, and forward secrecy.

Because of this research, we have identified interesting problems. The first problem is to prove the security of our FE-SI schemes under simple assumptions. Since the assumptions we have introduced are dynamic assumptions that depend on the function key queries of an attacker, it is necessary to change them to simpler assumptions. The second problem is to prove our FE-SI schemes in a stronger security model than the static security model. In particular, it is necessary to prove the security of FE-SI schemes in a security model that does not requires all function key queries of an attacker in the initial stage. The third problem is to improve the performance of the decryption algorithm of our FE-SI schemes.

References

Apple and google privacy-preserving contact tracing. https://covid19.apple.com/contacttracing (2020).
Abdalla M., Bellare M., Catalano D., Kiltz E., Kohno T., Lange T., Malone-Lee J., Neven G., Paillier P., Shi H.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. In: Shoup V. (ed.) Advances in Cryptology—CRYPTO 2005, vol. 3621, pp. 205–222. LNCS. Springer, Heidelberg (2005).
Chapter Google Scholar
Abdalla M., Bourse F., Caro A.D., Pointcheval D.: Simple functional encryption schemes for inner products. In: Katz J. (ed.) Public-Key Cryptography—PKC 2015, vol. 9020, pp. 733–751. LNCS. Springer, Heidelberg (2015).
Chapter Google Scholar
Abdalla M., Gay R., Raykova M., Wee H.: Multi-input inner-product functional encryption from pairings. In: Coron J., Nielsen J.B. (eds.) Advances in Cryptology—EUROCRYPT 2017, vol. 10210, pp. 601–626. LNCS. Springer, Heidelberg (2017).
Chapter Google Scholar
Agrawal S., Libert B., Stehlé D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw M., Katz J. (eds.) Advances in Cryptology—CRYPTO 2016, vol. 9816, pp. 333–362. LNCS. Springer, Heidelberg (2016).
Chapter Google Scholar
Baltico C.E.Z., Catalano D., Fiore D., Gay R.: Practical functional encryption for quadratic functions with applications to predicate encryption. In: Katz J., Shacham H. (eds.) Advances in Cryptology—CRYPTO 2017, vol. 10401, pp. 67–98. LNCS. Springer, Heidelberg (2017).
Chapter Google Scholar
Boneh D., Boyen X., Goh E.J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer R. (ed.) Advances in Cryptology—EUROCRYPT 2005, vol. 3494, pp. 440–456. LNCS. Springer, Heidelberg (2005).
Chapter Google Scholar
Boneh D., Crescenzo G.D., Ostrovsky R., Persiano G.: Public key encryption with keyword search. In: Cachin C., Camenisch J. (eds.) Advances in Cryptology—EUROCRYPT 2004, vol. 3027, pp. 506–522. LNCS. Springer, Heidelberg (2004).
Chapter Google Scholar
Boneh D., Franklin M.K.: Identity-based encryption from the weil pairing. In: Kilian J. (ed.) Advances in Cryptology—CRYPTO 2001, vol. 2139, pp. 213–229. LNCS. Springer, Heidelberg (2001).
Chapter Google Scholar
Boneh D., Sahai A., Waters B.: Functional encryption: definitions and challenges. In: Ishai Y. (ed.) Advances in Cryptology—CRYPTO 2001, vol. 6597, pp. 253–273. LNCS. Springer, Heidelberg (2011).
Google Scholar
Boneh D., Sahai A., Waters B.: Functional encryption: a new vision for public-key cryptography. Commun. ACM 55(11), 56–64 (2012).
Article Google Scholar
Camenisch J., Kohlweiss M., Rial A., Sheedy C.: Blind and anonymous identity-based encryption and authorised private searches on public key encrypted data. In: Jarecki S., Tsudik G. (eds.) Public Key Cryptography—PKC 2009, vol. 5443, pp. 196–214. LNCS. Springer, Heidelberg (2009).
Chapter Google Scholar
Canetti R., Halevi S., Katz J.: A forward-secure public-key encryption scheme. In: Biham E. (ed.) Advances in Cryptology—EUROCRYPT 2003, vol. 2656, pp. 255–271. LNCS. Springer, Heidelberg (2003).
Chapter Google Scholar
Chen H., Laine K., Rindal P.: Fast private set intersection from homomorphic encryption. In: Thuraisingham B.M., Evans D., Malkin T., Xu D. (eds.) ACM Conference on Computer and Communications Security—CCS 2017, pp. 1243–1255. ACM, New York (2017).
Google Scholar
Chotard J., Dufour Sans E., Gay R., Phan D.H., Pointcheval D.: Decentralized multi-client functional encryption for inner product. In: Peyrin T., Galbraith S.D. (eds.) Advances in Cryptology—ASIACRYPT 2018, vol. 11273, pp. 703–732. LNCS. Springer, Heidelberg (2018).
Chapter Google Scholar
Dong C., Chen L., Wen Z.: When private set intersection meets big data: an efficient and scalable protocol. In: Sadeghi A., Gligor V.D., Yung M. (eds.) ACM Conference on Computer and Communications Security—CCS’13, pp. 789–800. ACM, New York (2013).
Google Scholar
Duong T., Phan D.H., Trieu N.: Catalic: delegated PSI cardinality with applications to contact tracing. In: Moriai S., Wang H. (eds.) Advances in Cryptology—ASIACRYPT 2020, vol. 12493, pp. 870–899. LNCS. Springer, Heidelberg (2020).
Chapter Google Scholar
Freedman M.J., Nissim K., Pinkas B.: Efficient private matching and set intersection. In: Cachin C., Camenisch J. (eds.) Advances in Cryptology—EUROCRYPT 2004, vol. 3027, pp. 1–19. LNCS. Springer, Heidelberg (2004).
Chapter Google Scholar
Freedman M.J., Ishai Y., Pinkas B., Reingold O.: Keyword search and oblivious pseudorandom functions. In: Kilian J. (ed.) Theory of Cryptography—TCC 2005, vol. 3378, pp. 303–324. LNCS. Springer, Heidelberg (2005).
Google Scholar
Freeman D.M.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: Gilbert H. (ed.) Advances in Cryptology—EUROCRYPT 2010, vol. 6110, pp. 44–61. LNCS. Springer, Heidelberg (2010).
Chapter Google Scholar
Garg S., Gentry C., Halevi S., Raykova M., Sahai A., Waters B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS 2013, pp. 40–49. IEEE Computer Society (2013).
Gentry C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher M. (ed.) ACM Symposium on Theory of Computing–STOC 2009, pp. 169–178. ACM, New York (2009).
Google Scholar
Gentry C., Silverberg A.: Hierarchical id-based cryptography. In: Zheng Y. (ed.) Advances in Cryptology—ASIACRYPT 2002, vol. 2501, pp. 548–566. LNCS. Springer, Heidelberg (2002).
Chapter Google Scholar
Goldwasser S., Gordon S.D., Goyal V., Jain A., Katz J., Liu F., Sahai A., Shi E., Zhou H.: Multi-input functional encryption. In: Nguyen P.Q., Oswald E. (eds.) Advances in Cryptology—EUROCRYPT 2014, vol. 8441, pp. 578–602. LNCS. Springer, Heidelberg (2014).
Chapter Google Scholar
Goyal V., Pandey O., Sahai A., Waters B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Juels A., Wright R.N., di Vimercati S.D.C. (eds.) ACM Conference on Computer and Communications Security—CCS 2006, pp. 89–98. ACM, New York (2006).
Google Scholar
Huang Y., Evans D., Katz J.: Private set intersection: are garbled circuits better than custom protocols? In: Network and Distributed System Security Symposium—NDSS 2012, The Internet Society (2012)
Huberman B.A., Franklin M.K., Hogg T.: Enhancing privacy and trust in electronic communities. In: Feldman S.I., Wellman M.P. (eds.) ACM Conference on Electronic Commerce—EC-99, pp. 78–86. ACM, New York (1999).
Chapter Google Scholar
Kamara S., Mohassel P., Raykova M., Sadeghian S.S.: Scaling private set intersection to billion-element sets. In: Christin N., Safavi-Naini R. (eds.) Financial Cryptography and Data Security—FC 2014, vol. 8437, pp. 195–215. LNCS. Springer, Heidelberg (2014).
Google Scholar
Katz J., Sahai A., Waters B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart N.P. (ed.) Advances in Cryptology—EUROCRYPT 2008, vol. 4965, pp. 146–162. LNCS. Springer, Heidelberg (2008).
Chapter Google Scholar
Lee K.: Efficient multi-client functional encryption for conjunctive equality and range queries. Cryptology ePrint Archive, Report 2020/822. http://eprint.iacr.org/2020/822 (2020).
Lee K., Lee D.H.: Two-input functional encryption for inner products from bilinear maps. IEICE Trans. 101-A(6):915–928 (2018).
Naor M., Pinkas B., Reingold O.: Distributed pseudo-random functions and KDCs. In: Stern J. (ed.) Advances in Cryptology—EUROCRYPT ’99, vol. 1592, pp. 327–346. LNCS. Springer, Heidelberg (1999).
Chapter Google Scholar
Shoup V.: Lower bounds for discrete logarithms and related problems. In: Fumy W. (ed.) Advances in Cryptology—EUROCRYPT ’97, vol. 1233, pp. 256–266. LNCS. Springer, Heidelberg (1997).
Chapter Google Scholar
Trieu N., Shehata K., Saxena P., Shokri R., Song D.: Epione: lightweight contact tracing with strong privacy. IEEE Data Eng. Bull. 43(2), 95–107 (2020).
Google Scholar
van de Kamp T., Stritzl D., Jonker W., Peter A.: Two-client and multi-client functional encryption for set intersection. In: Jang-Jaccard J., Guo F. (eds.) Information Security and Privacy—ACISP 2019, vol. 11547, pp. 97–115. LNCS. Springer, Heidelberg (2019).
MATH Google Scholar

Download references

Acknowledgements

This work was supported by Institute for Information & communications Technology Promotion (IITP) Grant funded by the Korea government (MSIT) (No. 2016-6-00600, A Study on Functional Encryption: Construction, Security Analysis, and Implementation)

Author information

Authors and Affiliations

Sejong University, Seoul, Korea
Kwangsu Lee
Duksung Women’s University, Seoul, Korea
Minhye Seo

Authors

Kwangsu Lee
View author publications
You can also search for this author in PubMed Google Scholar
Minhye Seo
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Kwangsu Lee.

Additional information

Communicated by M. Paterson.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Lee, K., Seo, M. Functional encryption for set intersection in the multi-client setting. Des. Codes Cryptogr. 90, 17–47 (2022). https://doi.org/10.1007/s10623-021-00961-w

Download citation

Received: 10 November 2020
Revised: 22 July 2021
Accepted: 04 October 2021
Published: 30 October 2021
Issue Date: January 2022
DOI: https://doi.org/10.1007/s10623-021-00961-w

Keywords

Mathematics Subject Classification

94A60

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

Functional encryption for set intersection in the multi-client setting

Abstract

Similar content being viewed by others

Two-Client and Multi-client Functional Encryption for Set Intersection

Flexible multi-client functional encryption for set intersection

Decentralized multi-client functional encryption for set intersection with improved efficiency

1 Introduction

1.1 Our contributions

1.2 Application

1.3 Related work

2 Preliminaries

2.1 Notation

2.2 Functional encryption

Definition 2.1

2.3 Symmetric key encryption

Definition 2.2

Definition 2.3

2.4 Pseudo-random function

2.5 Bilinear groups

2.6 Complexity assumptions

Assumption 2.4

Assumption 2.5

3 Functional encryption for set intersection

3.1 Definition

Definition 3.1

Definition 3.2

3.2 Design principle

3.3 Construction

3.4 Correctness

3.5 Security analysis

Theorem 3.3

Proof

Lemma 3.4

Proof

Lemma 3.5

Proof

Lemma 3.6

Proof

Lemma 3.7

Proof

Theorem 3.8

Proof

3.6 Discussions

4 FE for set intersection with time-constrained keys

4.1 Definition

Definition 4.1

Definition 4.2

4.2 Construction

4.3 Correctness

4.4 Security analysis

Theorem 4.3

Proof

Lemma 4.4

Proof

Lemma 4.5

Proof

Theorem 4.6

4.5 Discussions

5 Our assumptions in generic group models

5.1 Generic group models

Definition 5.1

Definition 5.2

Theorem 5.3

5.2 Analysis of Assumption 1 for \((n, \rho , Q, J)\)

5.3 Analysis of Assumption 2 for \((n, \rho , Q)\)

6 Conclusion

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Additional information

Rights and permissions

About this article

Cite this article

Share this article

Keywords

Mathematics Subject Classification

Search

Navigation