Improved Inner-product Encryption with Adaptive Security and Full Attribute-hiding

In this work, we propose two IPE schemes achieving both adaptive security and full attribute-hiding in the prime-order bilinear group, which improve upon the unique existing result satisfying both features from Okamoto and Takashima [Eurocrypt '12] in terms of efficiency.
– Our first IPE scheme is based on the standard k-LIN assumption and has a shorter master public key and shorter secret keys than Okamoto and Takashima's IPE under the weaker DLIN = 2-LIN assumption.
– Our second IPE scheme is adapted from the first one; the security is based on the XDLIN assumption (as Okamoto and Takashima's IPE) but now it also enjoys shorter ciphertexts.
Technically, instead of starting from composite-order IPE and applying existing transformations, we start from an IPE scheme in a very restricted setting but already in the prime-order group, and then gradually upgrade it to our full-fledged IPE scheme. This method allows us to integrate Chen et al.'s framework [Eurocrypt '15] with recent new techniques [TCC '17, Eurocrypt '18] in an optimized way.


Introduction
Attribute-based encryption (ABE) is an advanced public-key encryption system supporting fine-grained access control [31,20]. In an ABE system, an authority publishes a master public key mpk for encryption and issues secret keys to users for decryption; a ciphertext for message m is associated with an attribute x while a secret key is associated with a policy f , a boolean function over the set of all attributes; when f (x) = 1, the secret key can be used to recover message m. The basic security requirement for ABE is message-hiding: an adversary holding a secret key with f (x) = 0 cannot infer any information about m from the ciphertext; furthermore, this should be ensured when the adversary has more than one such secret key, which is called collusion resistance.
However, it is much harder to obtain ABE with the full attribute-hiding feature. In fact, all known schemes only support so-called inner-product encryption (IPE), in which both ciphertexts and secret keys are associated with vectors and the decryption procedure succeeds when the two vectors have zero inner product. Furthermore, almost all of them are selectively or semi-adaptively secure, which means the adversary has to choose the vectors associated with the challenge ciphertext (called challenge vector/attribute) before seeing mpk or before seeing any secret keys [10,22,29,36]. Both notions are much weaker than the standard adaptive security (i.e., the one we have mentioned in the prior paragraph), where the choice can be made at any time. (Note that Wee achieved simulation-based security in [36].) What's worse, some schemes [10,22] are built on composite-order groups, on which group operations are slower and more memory is required to store group elements. The best result so far comes from Okamoto and Takashima [27]: the IPE scheme is adaptively secure and fully attribute-hiding based on the external decisional linear assumption (XDLIN) in efficient prime-order bilinear groups.

Our Results
In this work, we propose two IPE schemes in prime-order bilinear groups achieving both adaptive security and full attribute-hiding, which improve upon Okamoto and Takashima's IPE scheme [27] in terms of space efficiency:
– Our first construction is proven secure under the standard k-Linear (k-LIN) assumption. When instantiated with k = 2 (i.e., the DLIN assumption), it enjoys a shorter master public key and shorter secret keys under a weaker assumption than Okamoto and Takashima's IPE, but we have slightly larger ciphertexts. With parameter k = 1 (i.e., the SXDH assumption), we can also achieve shorter ciphertexts, but at the cost of basing the security on a stronger assumption.
– Our second construction is proven secure under the XDLIN assumption, which is stronger than the DLIN assumption. This gives another balance point between (space) efficiency and assumption. Now we get better efficiency than Okamoto and Takashima's IPE in terms of master public key, ciphertext and secret keys without sacrificing anything, since Okamoto and Takashima also worked with XDLIN.
A detailed comparison is provided in Table 1.
Table 1. Comparison among our two IPE schemes and Okamoto and Takashima's IPE [27]. All schemes are built on an asymmetric prime-order bilinear group $(p, G_1, G_2, G_T, e : G_1 \times G_2 \to G_T)$. In the

Our Technique in Composite-Order Groups
As a warm-up, we present a scheme in asymmetric composite-order bilinear groups.
Here, we will rely on composite-order groups whose order is the product of four primes; this is different from the settings of adaptively secure ABE schemes and selectively secure full attribute-hiding inner product encryption where it suffices to use two primes.
The scheme. Assume an asymmetric composite-order bilinear group $\mathbb{G} = (N, G_N, H_N, G_T, e : G_N \times H_N \to G_T)$ where $N = p_1 p_2 p_3 p_4$. Let $g_1, h_{14}$ be random generators of the subgroups $G_{p_1}, H_{p_1 p_4}$, respectively. Pick $\alpha, u, w_1, \ldots, w_n \leftarrow \mathbb{Z}_N$. We describe an IPE scheme for the $n$-dimensional space over $\mathbb{Z}_N$ as follows.
$\mathsf{mpk}: g_1, g_1^{u}, g_1^{w_1}, \ldots, g_1^{w_n}, e(g_1, h_{14})^{\alpha}$; $\mathsf{sk}_y: h$ where $x = (x_1, \ldots, x_n) \in \mathbb{Z}_N^n$ and $y = (y_1, \ldots, y_n) \in \mathbb{Z}_N^n$. The construction is adapted from Chen et al.'s IPE [11] (without the attribute-hiding feature) by embedding it into groups with four subgroups. This allows us to carry out the proof strategy introduced by Okamoto and Takashima [27], which involves a non-trivial extension of the standard dual system method [32]. We only give a high-level sketch of the proof below but show the complete game sequence in Fig 1 for reference. As is the case for adaptively secure ABE [32,35], we will rely on the following private-key one-ciphertext one-key fully attribute-hiding inner product encryption scheme in the proof of security. Here, $g_3, h_3$ denote the respective generators of the subgroups of order $p_3$.
Note that the scheme satisfies (simulation-based) information-theoretic security in the selective setting, which immediately yields (indistinguishability-based) adaptive security via complexity leveraging.
In the proof of security (outlined in Fig 1), we will first switch the ciphertext to having just a $p_2 p_3 p_4$-component via the subgroup decision assumption. At the beginning of the proof, all the secret keys will have a $p_4$-component, and at the end, all the secret keys will have a $p_2$-component; throughout, the secret keys will also always have a $p_1$-component but no $p_3$-component at the beginning or the end. To carry out the change in the secret keys from $p_4$-components to $p_2$-components, we will switch the keys one by one. For the switch, we will introduce a $p_3$-component into one secret key and then invoke security of the above private-key one-ciphertext one-key scheme in the $p_3$-subgroup. It is important here that throughout the hybrids, at most one secret key has a $p_3$-component.
Fig. 1. Game sequence for composite-order IPE. In the table, $x_0 = (x_{1,0}, \ldots, x_{n,0})$ and $x_1 = (x_{1,1}, \ldots, x_{n,1})$ are the challenge vectors; $b \in \{0, 1\}$ is the secret bit we hope to hide from the adversary. The gray background highlights the difference between adjacent games. The column "ct" shows the structure of the challenge ciphertext on the four subgroups whose generators are $g_1, g_2, g_3, g_4$, while the next column gives the subgroup in which every secret key lies. In the last column, the notation "$p_1 \to p_2 p_3 p_4$ in $G$" indicates the subgroup decision assumption stating that $G_{p_1} \approx_c G_{p_2 p_3 p_4}$.

Our Technique in Prime-Order Groups
Assume a prime-order bilinear group $\mathbb{G} = (p, G_1, G_2, G_T, e :$ $T$ denote the entry-wise exponentiation on $G_1, G_2, G_T$, respectively. Naively, we simulate a composite-order group whose order is the product of four primes using vectors of dimension $4k$ "in the exponent" under the k-LIN assumption. That is, we However, the resulting IPE scheme is less efficient than Okamoto and Takashima's scheme [27]. Instead, we will show that it suffices to use Then, with the correspondence by Chen et al. [11,16,13]: we have the following prime-order IPE scheme: Note that, with matrices $A_1 \in \mathbb{Z}_p^{(k+1) \times k}$ and $B \in \mathbb{Z}_p^{(2k+1) \times k}$, we only simulate two and three subgroups, respectively, rather than four subgroups; meanwhile some of them are simulated as low-dimension subspaces. Although it has become a common optimization technique to adjust the dimensions of subspaces, it is not straightforward to justify that we can work with fewer subspaces. In fact, these optimizations are based on a careful investigation of the proof strategy sketched in Section 1.2. In the rest of this section, we explain our method leading to the optimized parameters shown in (3).
Our Translation. We start from an IPE scheme in a very restricted setting and then gradually upgrade it to our full-fledged IPE scheme in the prime-order group. In particular, we follow the roadmap
private-key one-key IPE $\xrightarrow{\ \text{Step 1 } [11,13]\ }$ private-key IPE $\xrightarrow{\ \text{Step 2 } [11,36]\ }$ public-key IPE
The private-key one-key IPE corresponds to scheme (2) over the $p_3$-subgroup (cf. Game 2.j−1.2 in Fig 1). In Step 1, we move from the one-key to the multi-key model using the technique from [13], which is related to the argument just after we change the ciphertext in the proof of scheme (1) (cf. Game 2.0 to Game 2.q and Game 3 in Fig 1). In Step 2, we move from the private-key to the public-key setting with the compiler in [36], which is related to the change of ciphertext at the beginning of the proof (cf. Game 1 in Fig 1). By handling these proof techniques underlying the proof sketched in Section 1.2 (cf. Fig 1) one by one as above, we are able to integrate Chen et al.'s framework [11] with recent new techniques [36,13] in an optimized way.
Private-key IPE in One-key Setting. We start from a private-key IPE where the ciphertext is created from msk rather than mpk. We also consider a weaker one-key model where the adversary can get only one secret key. Pick $\alpha, u, w_1, \ldots, w_n \leftarrow_R \mathbb{Z}_p$ and let the message be $m \in \mathbb{Z}_p$. We give the following private-key IPE over $\mathbb{Z}_p$:
$\mathsf{msk}: \alpha, u, w_1, \ldots, w_n$; $\mathsf{sk}_y: \alpha + (y_1 \cdot w_1 + \cdots + y_n \cdot w_n)$
Analogous to scheme (2), the scheme satisfies (simulation-based) information-theoretic security in the selective setting (cf. [36]). By the implication from simulation-based security to indistinguishability-based security and the standard complexity leveraging technique, we have the following statement: For adaptively chosen $x_0 = (x_{1,0}, \ldots, x_{n,0}) \in \mathbb{Z}_p^n$, $x_1 = (x_{1,1}, \ldots, x_{n,1}) \in \mathbb{Z}_p^n$ and $y = (y_1, \ldots, y_n) \in \mathbb{Z}_p^n$ satisfying either Note that the statement here is different from that used in Fig 1 ( . Looking ahead, this choice is made to employ the "change of basis" technique when moving from the one-key to the multi-key model (see the next paragraph).
Private-key IPE in Multi-key Setting. To handle multiple keys revealed to the adversary, we apply Chen et al.'s prime-order generic framework [11] based on the dual system method [32] to scheme (6). The framework works with a prime-order finite cyclic group $G$ on which the k-LIN assumption holds. Let $[\cdot]$ denote the entry-wise exponentiation on $G$. In order to avoid collusion of multiple secret keys, we will re-randomize each secret key [8,34,31] using a fresh vector $d \leftarrow \mathrm{span}(B_1)$ where $B_1 \leftarrow \mathbb{Z}_p^{(k+1) \times k}$, which supports the standard dual system method [32] with a hidden subspace $B_2 \leftarrow \mathbb{Z}_p^{k+1}$. For this purpose, we need to do the following "scalar to vector" substitutions: Then the re-randomization is done by multiplying $u$ and each $w_i$ in secret keys by $d$ and moving them from $\mathbb{Z}_p$ to $G$. This yields the following private-key IPE: To carry out the non-trivial extension by Okamoto and Takashima [27], which involves three subgroups of $H_N$ (cf. the game sequence from Game 2.0 to Game 2.q), we increase the dimension of the vectors $u, w_1, \ldots, w_n, d$ in secret keys by $k$ (i.e., from $k+1$ to $2k+1$) as in [13], such that the support of $d$ can accommodate three subspaces defined by play the roles similar to the $p_4$-, $p_2$-, $p_3$-subgroups, respectively. Following the proof strategy in [13] and statement (7) for the one-key scheme (6), we can change the secret keys and the challenge ciphertext revealed to the adversary into the form: ). Finally, by the "change of basis" that commonly appears in proofs with dual pairing vector spaces [23,27] (and a simple statistical argument), we claim that $\mathsf{ct}^*$ has the same distribution as . This means that $\mathsf{ct}^*$ hides $b$ and scheme (8) is fully attribute-hiding.
Note that the support of the randomness $d$ (after the change) is $\mathrm{span}(B_1, B_2)$ rather than $\mathrm{span}(B_2)$, which simulates the $p_2$-subgroup in the composite-order scheme (1). This is crucial to derive a more efficient IPE scheme but slightly complicates the final argument above, where the "change of basis" technique has to be used to deal with
(Public-key) IPE scheme. To upgrade our private-key IPE to a public-key IPE, we will employ the "private-key to public-key" compiler in [36]. The compiler relies on bilinear groups $(p, G_1, G_2, G_T, e : G_1 \times G_2 \to G_T)$ in which the k-LIN assumption holds. In detail, we do the following "vector to matrix"/"scalar to vector" substitutions for entries in msk and secret keys: p and publish them as parts of mpk in the form of In the ciphertext, we translate u, Finally, secret keys are now moved to the group $G_2$. This results in the following IPE scheme: Note that the translation does not involve To prove the security of the resulting public-key IPE scheme, we first show that we can change the support of $c$ from $\mathrm{span}(A)$ to $\mathbb{Z}_p^{k+1}$ by the following statement implied by the k-LIN assumption: Since $(A \mid c)$ is full-rank with overwhelming probability, we can see that are distributed independently. Then the security of scheme (9) can be reduced to that of the private-key scheme (8) by the following observations: (i) msk is necessary for generating mpk in scheme (9); (ii) we can view a ciphertext in scheme (9) as a ciphertext of our private-key IPE scheme under master secret key $\mathsf{msk}^*$; (iii) a secret key in scheme (9) can be produced from a secret key of the private-key IPE scheme (8) under master secret key $\mathsf{msk}^*$ with the help of msk.
How to Shorten the Ciphertext. The ciphertext size of our IPE scheme (9) mainly depends on the width of the matrices $U$ and $W_i$, which is in turn determined by the dimensions of the subspaces defined by $B_1, B_2, B_3$. Therefore, in order to reduce the ciphertext size, we employ the "dimension compress" technique used in [16]. The basic idea is to let $B_1$ and $B_3$ "share some dimensions" and finally decrease the width of $U$ and $W_i$; the cost is that we have to use the XDLIN assumption. Compared with our first scheme, a qualitative difference is that the private-key variant now works with bilinear maps. This is not needed when we work with the k-LIN assumption in the first scheme.
Organization. The paper is organized as follows. In Section 2, we review some basic notions. The next two sections, Section 3 and Section 4, are devoted to our two IPE schemes, respectively. In both sections, we first develop a private-key scheme and then transform it into the public-key version as in [36].

Preliminaries
Notation. Let $A$ be a matrix over $\mathbb{Z}_p$. We use $\mathrm{span}(A)$ to denote the column span of $A$, use $\mathrm{basis}(A)$ to denote a basis of $\mathrm{span}(A)$, and use $(A_1 \mid A_2)$ to denote the concatenation of matrices $A_1, A_2$. By $\mathrm{span}(A^\top)$, we are indicating the row span of $A$. We let $I_n$ be the $n$-by-$n$ identity matrix and $0$ be a zero matrix of proper size. Given an invertible matrix $B$, we use $B^*$ to denote its dual satisfying $B^\top B^* = I$.
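The dual basis just defined is what the prime-order constructions use in place of subgroups. As an added example (not code from the paper), the following Python samples $B = (B_1 \mid B_2 \mid B_3)$ over $\mathbb{Z}_p$ with block widths $(k, 1, k)$ for $k = 2$, computes $B^*$ with $B^\top B^* = I$, verifies the block orthogonality $B_i^\top B_j^* = 0$ for $i \neq j$, and checks the fact the later hybrids rely on: if a key is randomised with $d \in \mathrm{span}(B_1)$, the product $w \cdot d$ of a row vector $w$ depends only on the $B_1$-component of $w$, so the $B_2$- and $B_3$-components stay hidden. The convention used here, that the $B_j$-component of a row vector $w$ is $(w B_j)(B_j^*)^\top$, the function names and the Gauss-Jordan inversion are mine.

```python
# Added example, not part of the paper: dual basis B^T B* = I over Z_p and the
# orthogonality facts behind the prime-order dual system argument.
import random


def mat_inv_mod(M, p):
    """Inverse of a square matrix over Z_p by Gauss-Jordan elimination."""
    n = len(M)
    A = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if A[r][col] % p), None)
        if pivot is None:
            raise ValueError("matrix is singular mod p")
        A[col], A[pivot] = A[pivot], A[col]
        inv = pow(A[col][col], -1, p)
        A[col] = [(v * inv) % p for v in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(a - f * b) % p for a, b in zip(A[r], A[col])]
    return [row[n:] for row in A]


def transpose(M):
    return [list(c) for c in zip(*M)]


def mat_mul(A, B, p):
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)] for row in A]


def sample_basis(dims, p):
    """Random invertible B = (B_1 | ... ) with column-block widths `dims`, and
    its dual B* = (B^T)^{-1} = (B^{-1})^T, so that B^T B* = I."""
    d = sum(dims)
    while True:
        B = [[random.randrange(p) for _ in range(d)] for _ in range(d)]
        try:
            return B, transpose(mat_inv_mod(B, p))
        except ValueError:
            continue   # singular sample (probability about 1/p); redraw


def block_columns(M, dims):
    """Split the columns of M into consecutive blocks of widths `dims`."""
    blocks, start = [], 0
    for width in dims:
        blocks.append([row[start:start + width] for row in M])
        start += width
    return blocks


def check_duality(B, B_star, dims, p):
    """B_i^T B_j^* is the identity for i == j and the zero matrix otherwise."""
    Bs, Bstars = block_columns(B, dims), block_columns(B_star, dims)
    for i, Bi in enumerate(Bs):
        for j, Bj_star in enumerate(Bstars):
            P = mat_mul(transpose(Bi), Bj_star, p)
            expect = [[int(r == c) if i == j else 0 for c in range(dims[j])]
                      for r in range(dims[i])]
            if P != expect:
                return False
    return True


def row_components(w, B, B_star, dims, p):
    """Decompose a row vector w as sum_j w^(j) with w^(j) = (w B_j)(B_j^*)^T.
    Convention of this example: w^(j) is called the B_j-component of w."""
    comps = []
    for Bj, Bj_star in zip(block_columns(B, dims), block_columns(B_star, dims)):
        coeff = mat_mul([w], Bj, p)                              # 1 x l_j
        comps.append(mat_mul(coeff, transpose(Bj_star), p)[0])   # back to 1 x d
    return comps


def key_randomness_hides_other_components(p, dims, trials=10):
    """For d in span(B_1): w.d equals w^(1).d, because (B_j^*)^T B_1 = 0 for
    j != 1.  Hence such d reveals nothing about the B_2- and B_3-components."""
    B, B_star = sample_basis(dims, p)
    B1 = block_columns(B, dims)[0]
    d_len = sum(dims)
    for _ in range(trials):
        w = [random.randrange(p) for _ in range(d_len)]
        r = [[random.randrange(p)] for _ in range(dims[0])]
        d = mat_mul(B1, r, p)                        # column vector in span(B_1)
        comps = row_components(w, B, B_star, dims, p)
        if [sum(col) % p for col in zip(*comps)] != w:   # components must re-sum to w
            return False
        if mat_mul([w], d, p)[0][0] != mat_mul([comps[0]], d, p)[0][0]:
            return False
    return True


if __name__ == "__main__":
    p, dims = 1000003, (2, 1, 2)      # constructed prime; (l_1, l_2, l_3) = (k, 1, k), k = 2
    B, B_star = sample_basis(dims, p)
    print(check_duality(B, B_star, dims, p))
    print(key_randomness_hides_other_components(p, dims))
```

The same computation explains why a key randomised over $\mathrm{span}(B_1)$ leaks nothing about vectors sampled from the $B_2$ subspace: their inner products with any $d \in \mathrm{span}(B_1)$ are identically zero.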

Inner-product encryption
Algorithms. An inner-product encryption (IPE) scheme consists of four algorithms (Setup, KeyGen, Enc, Dec):
Setup$(1^\lambda, n) \to (\mathsf{mpk}, \mathsf{msk})$. The setup algorithm gets as input the security parameter $\lambda$ and the dimension $n$ of the vector space. It outputs the master public key mpk and the master key msk.
KeyGen$(\mathsf{msk}, y) \to \mathsf{sk}_y$. The key generation algorithm gets as input msk and a vector $y$. It outputs a secret key $\mathsf{sk}_y$ for vector $y$.
Enc$(\mathsf{mpk}, x, m) \to \mathsf{ct}_x$. The encryption algorithm gets as input mpk, a vector $x$ and a message $m$. It outputs a ciphertext $\mathsf{ct}_x$ for vector $x$.
Dec$(\mathsf{ct}_x, \mathsf{sk}_y) \to m$. The decryption algorithm gets as input a ciphertext $\mathsf{ct}_x$ for $x$ and a secret key $\mathsf{sk}_y$ for vector $y$ satisfying $\langle x, y \rangle = 0$. It outputs message $m$.
Correctness. For all vectors $x, y$ satisfying $\langle x, y \rangle = 0$ and all $m$, it holds that
Security. For a stateful adversary $\mathcal{A}$, we define the advantage function with the following restrictions on all queries $y$ that $\mathcal{A}$ submitted to KeyGen(msk, ·): An IPE scheme is adaptively secure and fully attribute-hiding if for all PPT adversaries $\mathcal{A}$, the advantage $\mathsf{Adv}^{\mathsf{IPE}}_{\mathcal{A}}(\lambda)$ is a negligible function in $\lambda$.
Private-key IPE. In a private-key IPE, the Setup algorithm does not output mpk, and the Enc algorithm takes msk instead of mpk as input. Adaptive security and full attribute-hiding can be defined analogously, except that $\mathcal{A}$ only gets $\mathsf{ct}^*$ and has access to KeyGen(msk, ·). The advantage function is denoted by $\mathsf{Adv}^{\mathsf{IPE}*}_{\mathcal{A}}(\lambda)$. Accordingly, we may call the standard IPE public-key IPE.

Prime-order groups and matrix Diffie-Hellman assumptions
A group generator $\mathcal{G}$ takes as input the security parameter $\lambda$ and outputs a group description $\mathbb{G} = (p, G_1, G_2, G_T, e)$, where $p$ is a prime of $\Theta(\lambda)$ bits, $G_1, G_2$ and $G_T$ are cyclic groups of order $p$, and $e : G_1 \times G_2 \to G_T$ is a non-degenerate bilinear map. We require that group operations in $G_1, G_2$ and $G_T$ as well as the bilinear map $e$ are computable in deterministic polynomial time with respect to $\lambda$. Let $g_1 \in G_1$, $g_2 \in G_2$ and $g_T = e(g_1, g_2) \in G_T$ be the respective generators. We employ the implicit representation of group elements: for a matrix $M$ over $\mathbb{Z}_p$, we define We review the matrix Diffie-Hellman (MDDH) assumption on $G_1$ [14]. The $\mathsf{MDDH}_{k,\ell}$ assumption on $G_2$ can be defined analogously, and it is known that k-LIN $\Rightarrow$ $\mathsf{MDDH}_{k,\ell}$ [14].
We say that the $\mathsf{MDDH}_{k,\ell}$ assumption holds with respect to $\mathcal{G}$ if for all PPT adversaries $\mathcal{A}$, the following advantage function is negligible in $\lambda$.

Adv
We also use the external decisional linear (XDLIN) assumption on $G_2$ [1]:
Assumption 2 (XDLIN Assumption). We say that the XDLIN assumption holds with respect to $\mathcal{G}$ if for all PPT adversaries $\mathcal{A}$, the following advantage function is negligible in $\lambda$.
Construction from k-LIN assumption
$]_2$) (as described above) along with $\mathrm{basis}(B_3)$ and $\mathrm{basis}(B_1, B_2)$ (of arbitrary choice) such that the following advantage function is negligible in $\lambda$.

Step One: A Private-key IPE in Prime-order Groups
Our first prime-order private-key IPE is described as follows. We use the basis described in Section 3.1 with $(\ell_1, \ell_2, \ell_3) = (k, 1, k)$. As mentioned in Section 1.2, we do not need a bilinear map for this private-key IPE. However, for our future use in Section 3.4, we describe the IPE in bilinear groups and note that only one of the source groups is used. $\alpha, u, w_1, \ldots, w_n, B_1)$.

Security of Private-key IPE
We will prove the following theorem.
Theorem 1. Under the k-LIN assumption, the private-key IPE scheme described in Section 3.2 is adaptively secure and fully attribute-hiding (cf. Section 2.1).
Following [35,11], we can reduce the case $m_0 \neq m_1$ to the case $m_0 = m_1$ by arguing that an encryption of $m_b$ is indistinguishable from an encryption of $m_0$. Therefore it is sufficient to prove the following lemma for $m_0 = m_1$.

Lemma 2.
For any adversary $\mathcal{A}$ that makes at most $Q$ key queries and outputs $m_0 = m_1$, there exist adversaries $\mathcal{B}_1, \mathcal{B}_2, \mathcal{B}_3$ such that and
Game sequence. We prove Lemma 2 via the following game sequence, which is summarized in Fig 3.
– Game 0 is the real game in which the challenge ciphertext for $x_b = (x_{1,b}, \ldots, x_{n,b})$ is of the form Here $b \leftarrow \{0, 1\}$ is a secret bit.
– Game 1 is identical to Game 0 except that the challenge ciphertext is We claim that Game 1 ≡ Game 0. This follows from the facts that (1) secret keys do not reveal $w_n$; (2) for all $x_0, x_1 \in \mathbb{Z}_p^n$ and $u^{(2)} \in \mathrm{span}(B_2)$, it holds when $w_1, \ldots, w_n \leftarrow \mathrm{span}(B_2)$. See Lemma 4 for more details.
Fig. 3. Game sequence for private-key IPE based on the k-LIN assumption. The gray background highlights the difference between adjacent games. Here, $B_1, B_2, B_3$ play a role similar to the $p_4$-, $p_2$-, $p_3$-subgroups in Fig 1.
– Game 2.j for $j \in [0, q]$ is identical to Game 1 except that the first $j$ secret keys are We claim that Game 2.j−1 ≈$_c$ Game 2.j for $j \in [q]$ and give a proof sketch later.
– Game 3 is identical to Game 2.q except that the challenge ciphertext is . We claim that Game 2.q ≡ Game 3. This follows from the "change of basis" technique used in dual pairing vector spaces [23,28]. In particular, we argue that when $u, u_0, u_1$ and the basis $B_1, B_2$ are chosen at random. Here we use the fact that the randomness $d$ in secret keys reveals no information about the basis of $\mathrm{span}(B_1, B_2)$. See Lemma 5 for more details.
– Game 4 is identical to Game 3 except that the challenge ciphertext is in which the adversary has no advantage in guessing $b$. We claim that Game 3 ≡ Game 4. The proof is similar to that for Game 1 ≡ Game 0. See Lemma 6 for details.
Proving Game 2.j−1 ≈$_c$ Game 2.j. We now prove Game 2.j−1 ≈$_c$ Game 2.j and thus complete the proof of Lemma 2. For all $j \in [q]$, we employ the following game sequence, which has been included in Fig 3.
– Game 2.j−1.1 is identical to Game 2.j−1 except that the $j$th secret key is We claim that Game 2.j−1.1 ≈$_c$ Game 2.j−1. This follows from the $\mathsf{SD}^{G_2}_{B_1 \to B_1, B_3}$ assumption: given In the reduction, we sample $\alpha \leftarrow \mathbb{Z}_p$, $w_1, \ldots, w_n \leftarrow \mathbb{Z}_p^{1 \times (2k+1)}$ and pick using $\mathrm{basis}(B_1, B_3)$ and $\mathrm{basis}(B_2)$, respectively. The challenge ciphertext is generated using the $j$th secret key is created from $w_1, \ldots, w_n$ and $[t]_2$ while the remaining keys can be generated using $[B_1]_2$ and $[B_2]_2$ along with $\alpha, w_1, \ldots, w_n$. See Lemma 7 for more details.
– Game 2.j−1.2 is identical to Game 2.j−1.1 except that the challenge ciphertext is We claim that Game 2.j−1.2 ≡ Game 2.j−1.1. This follows from the facts that: (1) $u^{(3)}$ and $w_i^{(3)}$ are only revealed from the challenge ciphertext and the $j$th secret key; (2) for all $x_0, x_1$ and $y$ with the restriction that (a) $\langle x_0, y \rangle = \langle x_1, y \rangle = 0$; or (b) $\langle x_0, y \rangle \neq 0 \wedge \langle x_1, y \rangle \neq 0$, it holds that See Lemma 8 for more details.
– Game 2.j−1.3 is identical to Game 2.j−1.2 except that the $j$th secret key is We claim that Game 2.j−1.3 ≈$_c$ Game 2.j−1.2. This follows from the $\mathsf{SD}^{G_2}$ In the reduction, we sample $\alpha \leftarrow \mathbb{Z}_p$, $w_1, \ldots, w_n \leftarrow \mathbb{Z}$ using $\mathrm{basis}(B_1)$ and $\mathrm{basis}(B_2, B_3)$, respectively. The challenge ciphertext is generated using the $j$th secret key is created from $\alpha, w_1, \ldots, w_n$ and $[B_1], [t]_2$ while the remaining keys can be generated using $[B_1, B_2]_2$ along with $\alpha, w_1, \ldots, w_n$. See Lemma 9 for more details.
– Game 2.j−1.4 is identical to Game 2.j−1.3 except that the challenge ciphertext is We claim that Game 2.j−1.4 ≡ Game 2.j−1.3. The proof is identical to that for Game 2.j−1.2 ≡ Game 2.j−1.1. See Lemma 10 for more details.
– Game 2.j−1.5 is identical to Game 2.j−1.4 except that the $j$th secret key is We claim that Game 2.j−1.5 ≈$_c$ Game 2.j−1.4. The proof is identical to that for Game 2.j−1 ≈$_c$ Game 2.j−1.1. See Lemma 11 for more details. Note that Game 2.j−1.5 = Game 2.j.

Step Two: From private-key to public-key
We describe our prime-order full-fledged IPE, which is derived from our private-key IPE in Section 3.2 via the "private-key to public-key" compiler [36].
The correctness is straightforward.
Security. We will prove the following theorem.

Theorem 2.
Under the k-LIN assumption, the IPE scheme described above is adaptively secure and fully attribute-hiding (cf. Section 2.1).
For the same reason as in Section 3.3, we prove the lemma for the case $m_0 = m_1$, which shows that the security of the IPE described above is implied by that of our private-key IPE in Section 3.2 and the $\mathsf{MDDH}_k$ assumption.
Lemma 3. For any adversary $\mathcal{A}$ that makes at most $Q$ key queries and outputs $m_0 = m_1$, there exist adversaries $\mathcal{B}_0, \mathcal{B}$ such that We prove Lemma 3 via the following game sequence.
– Game 0 is the real game in which the challenge ciphertext for $x_b = (x_{1,b}, \ldots, x_{n,b})$ is of the form
– Game 1 is identical to Game 0 except that we pick $c \leftarrow \mathbb{Z}_p^{k+1}$ when generating the challenge ciphertext. We claim that Game 1 ≈$_c$ Game 0. This follows from the $\mathsf{MDDH}_k$ assumption: In the reduction, we sample $k, U, W_1, \ldots, W_n$ and $B_1$. The master public key mpk and the challenge ciphertext are simulated using $k, U, W_1, \ldots, W_n$ along with $[A]_1, [c]_1$; all secret keys can be created honestly. See Lemma 12 for details.
It remains to show that the advantage in guessing $b \in \{0, 1\}$ in Game 1 is negligible. This follows from the security of our private-key IPE in Section 3.2. For $A$ and $c$, define We can then rewrite mpk as Assume that $(A \mid c)$ is full-rank, which occurs with high probability, and define $T = [k + (y_1 \cdot W_1 + \cdots + y_n \cdot W_n) d]_2 \quad [\alpha + (y_1 \cdot w_1 + \cdots + y_n \cdot w_n) d]_2$ Observe that the underlined parts are exactly the ciphertext and secret keys of our private-key IPE in Section 3.2; and $(U, W_i, k)$, $(u, w_i, \alpha)$ are distributed uniformly and independently. This means we can simulate mpk honestly and transform a ciphertext/secret key of our private-key IPE into its public-key counterpart using $A, c, U, W_i, k$. This is sufficient for the reduction from the public-key IPE to the private-key IPE. See Lemma 13 for more details.

Lemmas for Private-key IPE
Let $\mathsf{Adv}_x$ be the advantage function with respect to $\mathcal{A}$ in Game x. We prove the following lemma for the game sequence in Section 3.3.
Proof. It is sufficient to prove that, for all $u \leftarrow \mathbb{Z}_p^{1 \times (2k+1)}$, it holds that . By the facts shown in Section 3.1, this is implied by the statement that, for all $u^{(2)} \in \mathrm{span}(B_2)$, it holds that when $w_1, \ldots, w_n \leftarrow \mathrm{span}(B_2)$. This completes the proof.
Although we sample $d$ using $B_1, B_2$, the vector is uniformly distributed over $\mathrm{span}(B_1, B_2)$ as required and our simulation is perfect. Ciphertext. On input $(x_0, x_1, m_0, m_1)$ with $m_0 = m_1$, we create the challenge ciphertext honestly using $(B_1, B_2, B_3)$. That is, we pick $b \leftarrow \{0, 1\}$ and output Observe that we have a 2-by-$(k+1)$ matrix $V$ of rank 2 such that Since $R$ is independent of the other parts of the simulation, $V R^{-1}$ is uniformly distributed over $\mathbb{Z}_p^{2 \times (k+1)}$ and thus it is equivalent to sample $v_0, v_1 \leftarrow \mathrm{span}((B_1 \mid B_2))$ when creating the challenge ciphertext. This leads to the simulation of Game 3 (with respect to $B_1, B_2, B_3$).
Proof. The proof is similar to that for Lemma 4, except that we work with $u^{(3)}, u_0, u$ Proof. This follows from the $\mathsf{SD}^{G_2}_{B_1 \to B_1, B_3}$ assumption stating that, given $[t]_2$, the adversary $\mathcal{B}_1$ works as follows: . Implicitly sample $u$ by picking using $\mathrm{basis}(B_1, B_3)$ and $\mathrm{basis}(B_2)$, respectively. Key Queries. On the $\kappa$th query $y = (y_1, \ldots, y_n)$, output Observe that, when $t$ is uniformly distributed over $\mathrm{span}(B_1)$, the simulation is identical to Game 2.j−1; otherwise, when $t$ is uniformly distributed over $\mathrm{span}(B_1, B_3)$, the simulation is identical to Game 2.j−1.1. This proves the lemma.
Proof. By complexity leveraging and the facts shown in Section 3.1, it is sufficient to prove the following statement: for all $x_0, x_1$ and $y$ (corresponding to the $j$th key query) satisfying (a) $\langle x_0, y \rangle = \langle x_1, y \rangle = 0$; or (b) $\langle x_0, y \rangle \neq 0 \wedge \langle x_1, y \rangle \neq 0$, it holds that $n \leftarrow \mathrm{span}(B_3)$. By linearity, this in turn follows from the statement
$\{ x_{1,b} \cdot u + w_1, \ldots, x_{n,b} \cdot u + w_n,\ y_1 \cdot w_1 + \cdots + y_n \cdot w_n \} \equiv \{ x_{1,1-b} \cdot u + w_1, \ldots, x_{n,1-b} \cdot u + w_n,\ y_1 \cdot w_1 + \cdots + y_n \cdot w_n \}$
where $u, w_1, \ldots, w_n \leftarrow \mathbb{Z}_p$. This follows from the statistical argument for all $x = (x_1, \ldots, x_n)$ which is implicitly used in the proof of Wee's simulation-based selectively secure IPE [36]: by programming $\tilde{w}_i = x_i \cdot u + w_i$ for all $i \in [n]$, we have
$\{ x_1 \cdot u + w_1, \ldots, x_n \cdot u + w_n,\ y_1 \cdot w_1 + \cdots + y_n \cdot w_n \} \equiv \{ \tilde{w}_1, \ldots, \tilde{w}_n,\ (y_1 \cdot \tilde{w}_1 + \cdots + y_n \cdot \tilde{w}_n) - u \cdot (x_1 y_1 + \cdots + x_n y_n) \}$
which means that the left-hand side distributions for all vectors $x$ not orthogonal to $y$ are identical (since $u$ hides the information about the inner product), and so are those for all vectors $x$ orthogonal to $y$. This proves the above statement and thus the lemma.

Lemmas for Public-key IPE
Let $\mathsf{Adv}_x$ be the advantage function with respect to $\mathcal{A}$ in Game x. We prove the following lemma for the game sequence in Section 3.4.
Proof. The proof is direct; we omit it here and refer the reader to the full paper. Proof. We construct the adversary $\mathcal{B}$ as below: . Since $(A \mid c)$ is full-rank, which occurs with high probability, $T$ is well-defined. Pick $U, W_1, \ldots, W_n \leftarrow \mathbb{Z}_p^{k \times (2k+1)}$ and $k \leftarrow \mathbb{Z}_p^{k}$ and output Key Queries. On input $y$, adversary $\mathcal{B}$ forwards the query to its environment and receives $(K_0, K_1)$. Compute and output Ciphertext. On input $(x_0, x_1, m_0, m_1)$, adversary $\mathcal{B}$ sends the query $(x_0, x_1, 1, 1)$ to its environment and receives $(C_1, \ldots, C_n, C)$. Create the challenge ciphertext as The adversary $\mathcal{B}$ outputs $\mathcal{A}$'s guess bit. By the observation in Section 3.4, mpk is simulated perfectly; if $(K_0, K_1)$ is a private-key IPE secret key, the secret keys we compute are secret keys of our public-key IPE; if $(C_1, \ldots, C_n, C)$ is a private-key IPE ciphertext for $b = 0$, the ciphertext we create is a public-key IPE ciphertext for $b = 0$; this also holds for $b = 1$. This readily proves the lemma.

Construction from XDLIN assumption
In this section, we improve the IPE scheme presented in Section 3 by the optimization technique in [16]. As in Section 3, we will first develop a private-key IPE from that in Section 3.2 and then compile it into the public-key setting.

Adv
The proof is analogous to that for Lemma 1 (cf. [13]).

Adv
We note that we do not give out $\mathrm{basis}(B_2, B_3, B_4)$ as usual; instead, $\mathrm{basis}(B_4)$ over $\mathbb{Z}_p$ and $[\mathrm{basis}(B_2, B_3)]_1$ over $G_1$ are provided. We then prove the following lemma saying that, for a specific set of parameters, the assumption is implied by the XDLIN assumption.
Proof. For any PPT adversary $\mathcal{A}$, we construct an algorithm $\mathcal{B}$ with $\mathsf{Time}(\mathcal{B}) \approx \mathsf{Time}(\mathcal{A})$ such that On input $([a_1, a_2, a_3, a_1 s_1, a_2 s_2]_1, [a_1, a_2, a_3, a_1 s_1, a_2 s_2]_2, T)$ where $a_1, a_2, a_3, s_1, s_2 \leftarrow \mathbb{Z}_p$ and $T$ is either $[a_3 (s_1 + s_2)]_2$ or uniformly distributed over $G_2$, algorithm $\mathcal{B}$ works as follows: such that $[\mathrm{basis}(B_2, B_3)]_1$ (over $G_1$) can be simulated using $B^*$ and $[a_1, a_3]_1$. Simulating the challenge. Output the challenge Observe that if $T = [a_3 (s_1 + s_2)]_2$, the output challenge is uniformly distributed over $[\mathrm{span}(B_3, B_4)]_2$; if $T$ is uniformly distributed over $G_2$, the output challenge is uniformly distributed over $[\mathrm{span}(B_2, B_3, B_4)]_2$. This readily proves the lemma.

Step One: A Private-key IPE from XDLIN Assumption
Our second private-key IPE is described as follows; it is translated from the private-key IPE in Section 3.2 with the correspondence (10). Here we employ the basis defined in Section 4.1 with parameters $(\ell_1, \ell_2, \ell_3, \ell_4) = (1, 1, 1, 1)$.

Security
We will prove the following theorem.
Theorem 3. Under the XDLIN assumption, the private-key IPE scheme described in Section 4.2 is adaptively secure and fully attribute-hiding (cf. Section 2.1).
As before, we only need to prove the following lemma for $m_0 = m_1$.

Lemma 16.
For any adversary $\mathcal{A}$ that makes at most $Q$ key queries and outputs $m_0 = m_1$, there exist adversaries $\mathcal{B}_1, \mathcal{B}_2, \mathcal{B}_3$ such that and
Game sequence. With the correspondence in Section 4.1, the proof of Lemma 16 is almost the same as that of Lemma 2 presented in Section 3. Here we only give the game sequence, summarized in Fig 4.
– Game 0 is the real game in which the challenge ciphertext for Here $b \leftarrow \{0, 1\}$ is a secret bit.
We claim that Game 2.j−1 ≈$_c$ Game 2.j for $j \in [q]$ and give a proof sketch later.
– Game 3 is identical to Game 2.q except that the challenge ciphertext is where $u_0, u_1 \leftarrow \mathbb{Z}_p^{1 \times (k+1)}$. We claim that Game 2.q ≡ Game 3. The proof is analogous to that for Game 2.q ≡ Game 3 in Section 3.3 using the "change of basis" technique [23,28], except that we now work with the subspace $\mathrm{span}(B_1, B_2, B_4)$ corresponding to $\mathrm{span}(B_1, B_2)$ there (cf. Section 4.1).
– Game 4 is identical to Game 3 except that the challenge ciphertext is $[x_{1,0} \cdot u_0 + x_{1,1} \cdot u_1 + w_1]_1, \ldots, [x_{n,0} \cdot u_0 + x_{n,1} \cdot u_1 + w_n]_1, [\alpha]_T \cdot m_0$ We claim that Game 3 ≡ Game 4 and that the adversary has no advantage in guessing $b$ in Game 4. The proof of the former claim is similar to that for Game 1 ≡ Game 0.
– Game 2.j−1.3 is identical to Game 2.j−1.2 except that the $j$-th secret key is $[\alpha + (y_1 \cdot w_1 + \cdots + y_n \cdot w_n) d]_2$
We prove Lemma 17 via the following game sequence, as in Section 3.4.
– Game 0 is the real game in which the challenge ciphertext for $x_b = (x_{1,b}, \ldots, x_{n,b})$ is of the form where $c \leftarrow \mathrm{span}(A)$. Here $b \leftarrow \{0, 1\}$ is a secret bit.
– Game 1 is identical to Game 0 except that we sample $c \leftarrow \mathbb{Z}_p^{k+1}$ when generating the challenge ciphertext. We claim that Game 1 ≈$_c$ Game 0. This follows from the $\mathsf{MDDH}_2$ assumption, and the proof is analogous to that for Game 1 ≈$_c$ Game 0 in Section 3.4.
Analogous to Section 3.4 and Section 3.6, we can prove that the adversary's advantage in Game 1 is bounded by that against our private-key IPE in Section 4.2.