Multi-Input Functional Encryption for Inner Products: Function-Hiding Realizations and Constructions without Pairings

. We present new constructions of multi-input functional encryption (MIFE) schemes for the inner-product functionality that improve the state of the art solution of Abdalla et al. (Eurocrypt 2017) in two main directions. First, we put forward a novel methodology to convert single-input functional encryption for inner products into multi-input schemes for the same functionality. Our transformation is surprisingly simple, general and eﬃcient. In particular, it does not require pairings and it can be instantiated with all known single-input schemes. This leads to two main advances. First, we enlarge the set of assumptions this primitive can be based on, notably, obtaining new MIFEs for inner products from plain DDH, LWE, and Decisional Composite Residuosity. Second, we obtain the ﬁrst MIFE schemes from standard assumptions where decryption works eﬃciently even for messages of super-polynomial size. Our second main contribution is the ﬁrst function-hiding MIFE scheme for inner products based on standard assumptions. To this end, we show how to extend the original, pairing-based, MIFE by Abdalla et al. in order to make it function hiding, thus obtaining a function-hiding MIFE from the MDDH assumption.


Introduction
Functional Encryption (FE) [SW05,O'N10,BSW11] is an emerging cryptographic paradigm that allows fine-grained access control over encrypted data.Functional encryption schemes come equipped with a key generation mechanism that allows the owner of a master secret key to generate decryption keys that have a somehow restricted capability.Namely, each decryption key sk f is associated with a function f and using sk f to decrypt a ciphertext Enc(x) allows for recovering f (x), with the guarantee that no more information about x is revealed.The basic notion of functional encryption considers functionalities where all the inputs are provided and encrypted by a single party.The more general case of multi-input functionalities is captured by the notion of multi-input functional encryption (MIFE, for short) [GGG + 14].Informally, this notion can be thought of as an FE scheme where n encryption slots are explicitly given, in the sense that a user who is assigned the i-th slot can, independently, create a ciphertext Enc(x i ) from his own plaintext x i .Given ciphertexts Enc(x 1 ), . . ., Enc(x n ), one can use a secret key sk f to retrieve f (x 1 , . . ., x n ), similarly to the basic FE notion.This multi-input capability makes MIFE particularly well suited for many real life scenarios (such as data mining over encrypted data or multi-client delegation of computation) where the (encrypted) data may come from different and unrelated sources.
The security requirement for both FE and MIFE imposes that decryption keys should be collusion resistant.This means that a group of users, holding different decryption keys, should not be able to gain information about the encrypted messages, beyond the union of what they can individually learn.More precisely, the standard notion of security for functional encryption is indistinguishability. Informally, this states that an adversary that obtains the secret keys corresponding to functions f 1 , . . ., f n should not be able to decide which of the challenge messages x 0 , x 1 was encrypted, as long as f i (x 0 ) = f i (x 1 ) for all i.This indistinguishability notion has been put forward in [BSW11,O'N10] and it has been shown inadequate for certain cases (see [BSW11,O'N10] for details).They also proposed an alternative simulation-based security notion which is also problematic as, for instance, it cannot be satisfied in general.
As an additional security property, functional encryption schemes might also be required to guarantee so-called function hiding.Intuitively, this means that a secret key sk f should not reveal information about the function f it encodes, beyond what is implicitly leaked by f (x).Slightly more in detail, in the indistinguishability setting, this is formalized by imposing that the adversary should not be able to decide for which of the challenge functions f (0) i , f (1) i it is holding secret keys, as long as as f (0) i (x 0 ) = f (1) i (x 1 ) for all i.Over the last few years, functional encryption has attracted a lot of interest, both in its basic and in its multi-input incarnations.Known results can be broadly categorized as focusing on (1) feasibility results for general functionalities, and on (2) concrete, efficient realizations for restricted functionalities of practical interest.
For the specific case of MIFE, which is the focus of this paper, constructions of the first type [GGG + 14,BGJS15,AJ15,BKS16] all rely on quite unstable assumptions, such as indistinguishability obfuscation or multilinear maps6 .The only known construction of the second category has been recently proposed by Abdalla et al. in [AGRW17].There, they propose a (secret-key) MIFE scheme for the inner product functionality that relies on the standard k-linear assumption in (primeorder) bilinear groups 7 .Remarkably, their scheme allows for unbounded collusions and supports any (polynomially bounded) number of encryption slots.On the negative side, as in previous discretelog-based constructions of functional inner-product encryption schemes, it employs an inefficient decryption procedure that requires to extract discrete logarithms and thus imposes serious restrictions on the size of supported messages.Moreover, the scheme is not function hiding as decryption requires the function f to be provided explicitly in the clear.

Our Contributions
In this paper we propose new constructions of multi-input functional encryption schemes for the inner product functionality that address the aforementioned shortcomings of the state-of-the-art solution of Abdalla et al. [AGRW17].
MIFE for inner products without pairings.Our first contribution consists of (secret-key) MIFE schemes for inner products based on a variety of assumptions, notably without the need of bilinear maps, and where decryption works efficiently, even for messages of super-polynomial size.We achieve this result by proposing a generic construction of MIFE from any single-input FE (for inner products) in which the encryption algorithm is linearly-homomorphic.Our transformation is surprisingly simple, general and efficient.In particular, it does not require pairings (as in the case of [AGRW17]), and it can be instantiated with all known single-input functional encryption schemes (e.g., [ABDP15,ABDP16,ALS16]).This allows us to obtain new MIFE for inner products from plain DDH, composite residuosity, and LWE.Beyond the obvious advantage of enlarging the set of assumptions on which MIFE can be based, this result yields schemes that can be used with a much larger message space.Indeed, dropping the bilinear groups requirement allows us to employ schemes where the decryption time is polynomial, rather than exponential, in the message bit size.From a more theoretical perspective, our results also show that, contrary to what was previously conjectured [AGRW17], MIFE for inner product does not need any (qualitatively) stronger assumption than their single-input counterpart.
Our solution, in more detail.To better describe our solution, let us first explain the basic ideas behind Abdalla et al.'s scheme [AGRW17].Informally, the latter builds upon a clever twostep decryption blueprint.The ciphertexts ct 1 = Enc(x 1 ), . . ., ct n = Enc(x n ) (corresponding to slots 1, . . ., n) are all created using different instances of a single-input FE.Decryption is performed in two stages.One first decrypts each single ct i separately using the secret key sk y i of the underlying single-input FE, and then the outputs of these decryptions are added up to get the final result.
The main technical challenge of this approach is that the stage one of the above decryption algorithm leaks information on each partial inner product x i , y i .To avoid this leakage, their idea is to let source i encrypt its plaintext vector x i augmented with some fixed (random) value u i , which is part of the secret key.Moreover, sk y i are built by running the single-input FE key generation algorithm on input y i ||r, i.e., the vector y i augmented with fresh randomness r.
By these modifications, and skipping many technical details, stage-one decryption then consists of using pairings to compute, in G T , the values8 [ x i , y i + u i r] T for every slot i.From these quantities, the result [ x, y ] T is obtained as which can be easily computed if [−( n i=1 u i )r] T is included in the secret key.
Intuitively, the scheme is secure as the quantities [u i r] T are all pseudo random (under the DDH assumption) and thus hide all the partial information [ x i , y i + u i r] T may leak.Notice that, in order for this argument to go through, it is crucial that the quantities [ x i , y i + u i r] T are all encoded in the exponent, and thus decoding is possible only for small norm exponents.Furthermore, this technique seems to inherently require pairings, as both u i and r have to remain hidden while allowing to compute an encoding of their product at decryption time.This is why the possibility of a scheme without pairings was considered as "quite surprising" in [AGRW17].
We overcome these difficulties via a new FE to MIFE transform, which manages to avoid leakage in a much simpler and efficient way.Our transformation works in two steps.First, we consider a simplified scheme where only one ciphertext query is allowed and messages live in the ring Z L , for some integer L. In this setting, we build the following multi-input scheme.For each slot i the (master) secret key for slot i consists of one random vector u i ∈ Z m L .Encrypting x i merely consists in computing c i = x i + u i mod L. The secret key for function y = (y 1 , . . ., y n ), is just Security comes from the fact that, if only one ciphertext query is allowed, the above can be seen as the functional encryption equivalent of the one-time pad9 .Next, to guarantee security in the more challenging setting where many ciphertext queries are allowed, we just add a layer of (functional) encryption on top of the above one-time encryption.More specifically, we encrypt each c i using a FE (supporting inner products) that is both linearly homomorphic and whose message space is compatible with L. So, given ciphertexts {ct i = Enc(c i )} and secret key sk y = ({sk y i } i , z y ), one can first obtain { c i , y i = Dec(ct i , sk y i )}, and then extract the result as x, y = n i=1 c i , y i − u, y .Our transformation actually comes in two flavors: the first one addresses the case where the underlying FE computes inner products over some finite ring Z L ; the second one instead considers FE schemes that compute bounded-norm inner products over the integers.In both cases the transformations are generic enough to be instantiated with known single-input FE schemes for inner products.This gives us new MIFE relying on plain DDH [ABDP15], LWE [ALS16] and Composite residuosity [ALS16,ABDP16].Moreover, the proposed transform is security-preserving in the sense that, if the underlying FE achieves adaptive security, so does our resulting MIFE.
Function-Hiding MIFE for inner products.Our second contribution are new MIFE schemes for inner products that achieve function hiding.Our constructions build on the pairing-based solution from [AGRW17] and, as such, they also rely on pairings.More precisely, we propose transformations that, starting from the MIFE from [AGRW17], build function hiding MIFEs using single input FE for inner products as additional building block.Ours transforms are generic with respect to this latter component, in the sense that they can be instantiated using any single input FE satisfying some natural additional requirements (details of which are given in Section 5).
Our methods build from the two-layer encryption technique recently developed by Lin [Lin17] to generically achieve function hiding in the context of (single input) FE for inner products.Intuitively, Lin's idea consists in doing similar operations both at encryption and at key derivation time.Starting from two independent instances of the underlying FE, an "inner" one and an "outer" one, the idea is to encrypt the plaintext x in two steps.One first uses the "inner" FE to compute ct 1 = Enc(msk 1 , x) and then "extracts" the key corresponding to ct 1 , i.e., ct 2 = KeyGen(msk 2 , ct 1 ).Key derivation is done similarly, one first computes sk 1 = KeyGen(msk 1 , y) and then encrypts sk 1 using the outer scheme, i.e., sk 2 = Enc(msk 2 , sk 1 ).
If one encodes ciphertexts in G 1 and secret keys in G 2 , then one can use pairings to compute an encoding, in G T , of [ ct 2 , sk 2 ] T .Since decryption essentially performs inner product, the latter computation actually decrypts also the inner ct 1 component using secret key sk 1 , thus yielding an encoding of x, y .Moreover, since now y is encrypted, the FE security also provides function hiding 10 .
An obvious drawback of Lin's transformation is that, when applied generically, it would induce an extra-level of multilinearity in the process.This means that, starting from a pairing-free FE for inner products, one ends up with a scheme that is function hiding but also pairing-based.
We propose similar two-layer encryption techniques that do not, inherently, induce extra levels of multi-linearity with respect to those of the underlying primitives.Our transforms achieve this by using the MIFE from [AGRW17] as inner scheme and, several instances of, a single input FE, one for each encryption slot, as outer schemes.In particular, by carefully exploiting the specific algebraic properties of the MIFE, we manage to achieve function hiding from the Matrix Decisional Diffie Hellman assumption over standard bilinear groups (i.e., without resorting to multi-linear maps).Specifically, our schemes come in two flavors: a simpler one for selective security and a more convoluted one achieving adaptive security.A high level overview of our technique appears in Section 5.The MIFE schemes from Lin [Lin17] are selectively secure and function-hiding, but are based on multi-linear maps (d − 1 slots require a multilinear map of degree d).In comparison, our schemes support a polynomial number of inputs and achieve adaptive-security, while using only pairings and while being based only on standard assumptions.Generality of our approach.As mentioned above, our function-hiding transforms are not entirely generic as they impose restrictions on the underlying MIFE.These restrictions, while compatible with the pairing-based realization from [AGRW17], do not cope well with our newly constructed MIFEs without pairings.Very informally, this is due to the fact that our transform relies on the two-step decryption blueprint in which one learns [ x i , y i + z i ], and each z i is "sufficiently" random to guarantee security in the MIFE security experiment.Specifically, in Abdalla et al.'s scheme z i = u i r whereas in our new scheme z i = u i , y i .While the latter value is sufficiently random in the MIFE indistinguishability experiment, this is no longer the case in the functionhiding experiment, where the adversary asks for pairs of keys (y 0 , y 1 ), and z i = u i , y β i may actually leak information about which of the two keys was chosen (i.e.information about the value of the bit β).With a different interpretation, if one sees [ x i , y i + z i ] as a secret sharing of x, y , then in our new scheme this secret sharing depends on the function y whereas in [AGRW17] this is function independent and more suitable for function-hiding.We believe that coming up with more powerful transforms, capable of exploiting the potential of our efficient MIFEs, is a very natural and interesting open problem.
Concurrent work on function-hiding.Concurrently and independently of our work, Datta et al. [DOT18] proposed a multi-input function-hiding scheme for inner products.Their construction uses the framework of dual pairing vector spaces and require the use of pairings.They achieve slightly shorter ciphertexts and decryption keys (ciphertexts are shorter by 2 group elements, while decryption keys require 2n+1 less group elements).However, this comes at the expense of a larger master secret key, which contains 4n(m 2 − 1) more group elements (a quadratic blow-up in m).
Interestingly, Datta et al. [DOT18] also provide a technique based on pseudorandom functions to extend their multi-input function-hiding scheme to an unbounded number of slots.Although their techniques also appear to be applicable to our schemes, hence capable of extending both the pairing-free and the pairing-based constructions to the unbounded setting, we leave it as future work.

Preliminaries
Notation.We denote with λ ∈ N a security parameter.A probabilistic polynomial time (PPT) algorithm A is a randomized algorithm for which there exists a polynomial p(•) such that for every input x the running time of A(x) is bounded by p(|x|).We say that a function ε : N → R + is negligible if for every positive polynomial p(λ) there exists λ 0 ∈ N such that for all λ > λ 0 : ε(λ) < 1/p(λ).If S is a set, x ← r S denotes the process of selecting x uniformly at random in S. If A is a probabilistic algorithm, y ← r A(•) denotes the process of running A on some appropriate input and assigning its output to y.For a positive integer n, we denote by [n] the set {1, . . ., n}.We denote vectors x = (x i ) and matrices A = (a i,j ) in bold.For a set S (resp.vector x) |S| (resp.|x|) denotes its cardinality (resp.number of entries).Also, given two vectors x and x we denote by x x their concatenation.By ≡, we denote the equality of statistical distributions, and for any ε > 0, we denote by ≈ ε the ε-statistical difference of two distributions.

Definitions for Multi-Input Functional Encryption
In this section we recall the definitions of multi-input functional encryption [GGG + 14] specialized to the private-key setting, as this is the one relevant for our constructions.
Definition 1 (Multi-input Function Encryption).Let F = {F n } n∈N be an ensemble where each F n is a family of n-ary functions.A function f ∈ F n is defined as follows f : X 1 ×. ..×X n → Y.A multi-input functional encryption scheme MIFE for F consists of the following algorithms: -Setup(1 λ , F n ) takes as input the security parameter λ and a description of F n ∈ F, and outputs a master public key mpk11 and a master secret key msk.The master public key mpk is assumed to be part of the input of all the remaining algorithms.-Enc(msk, i, x i ) takes as input the master secret key msk, an index i ∈ [n], and a message x i ∈ X i , and it outputs a ciphertext ct.Each ciphertext is assumed to be associated with an index i denoting for which slot this ciphertext can be used for.When n = 1, the input i is omitted.-KeyGen(msk, f ) takes as input the master secret key msk and a function f ∈ F n , and it outputs a decryption key sk f .-Dec(sk f , ct 1 , . . ., ct n ) takes as input a decryption key sk f for function f and n ciphertexts, and it outputs a value y ∈ Y.
A scheme MIFE as defined above is correct if for all n ∈ N, f ∈ F n and all x i ∈ X i for 1 ≤ i ≤ n, we have where the probability is taken over the coins of Setup, KeyGen and Enc.
Security notions.Here we recall the definitions of security for multi-input functional encryption.We give both one-time and many-time indistinguishability-based security definitions.Namely, we consider several security notions denoted xx-AD-IND and xx-SEL-IND, where: xx ∈ {one, many}.We also give simulation-based security definitions in Appendix A.
Definition 2 (xx-AD-IND-secure MIFE).For every multi-input functional encryption MIFE for F, every stateful adversary A, every security parameter λ ∈ N, and every xx ∈ {one,many}, we define the following experiments for β ∈ {0, 1}: where Enc is an oracle that on input (i, x 0 i , x 1 i ) outputs Enc(msk, i, x β i ).Also, A is restricted to only make queries f to KeyGen(msk, •) satisfying where for all i ∈ [n], Q i denotes the number of encryption queries for input slot i.We denote by Q f the number of key queries.Note that w.l.o.g.(as shown in [AGRW17, Lemma 3]), we can assume that for all i ∈ [n], Q i > 0. When xx = one, we also require that A queries Enc(i, •, •) once per slot, namely that A private-key multi-input functional encryption MIFE for F is xx-AD-IND-secure if every PPT adversary A has advantage negligible in λ, where the advantage is defined as: Remark 1 (winning condition).The winning condition may not always efficiently checkable because of the combinatorial explosion in the restrictions on the queries.
Definition 3 (xx-SEL-IND-secure MIFE).For every multi-input functional encryption MIFE for F, every stateful adversary A, every security parameter λ ∈ N, and every xx ∈ {one,many}, we define the following experiments for β ∈ {0, 1}: where A is restricted to only make queries f to KeyGen(msk, •) satisfying A MIFE for F is xx-SEL-IND-secure if every PPT adversary A has negligible advantage in λ, where the advantage is defined as: Zero vs multiple queries in the private-key setting.A nice feature enjoyed by all the schemes in Section 3 is that the owner of a decryption key sk y associated with the vector y = y 1 • • • y n does not need to know a specific value ct i of the ciphertext vector ct = (ct 1 , . . ., ct n ) in order to decrypt ct if y i = 0.In other words, Q i can be 0 whenever y i = 0.In this case, the adversary is only allowed to obtain a secret key sk y for a vector y satisfying the condition i∈I x j,0 i , , where I ⊆ [n] denotes the set of slots for which the adversary made at least one query to Enc, that is, for which Q i > 0. Though we believe this feature can be useful in practice (for instance, if one of the encrypting parties decides to stop collaborating), certain applications may require at least one ciphertext for each encryption slot in order for decryption to be possible.
In such cases, one can apply to our schemes the simple generic compiler given in [AGRW17, Lemma 3] to ensure that the set I = [n], thus obtaining new schemes which leak no information in the setting where some Q i = 0.For this reason, we assume without loss of generality that Q i > 0 in all our security definitions and proofs.

Function-Hiding Multi-Input Functional Encryption
For function-hiding, we focus on indistinguishability security notions.This is because even singleinput function-hiding inner-product encryption is known to be unrealizable in a simulation sense under standard assumptions.
Definition 4 (xx-SEL-Function-hiding MIFE).For every multi-input functional encryption MIFE for F, every security parameter λ, every stateful adversary A, and every xx ∈ {one,many}, we define the following experiments for β ∈ {0, 1}: where A only makes Q i selective queries of plaintext pairs (x j i ,0 i , x j i ,1 i ) and Q f selective queries of key pairs (f j f ,0 , f j f ,1 ), that must satisfy: A MIFE is xx-SEL-FH-IND-secure if every PPT adversary A has negligible advantage in λ, where the advantage is defined as: Definition 5 (xx-AD-Function-hiding MIFE).For every multi-input functional encryption MIFE := (Setup, Enc, KeyGen, Dec) for F, every security parameter λ, every stateful adversary A, and every xx ∈ {one,many}, we define the following experiments for β ∈ {0, 1}: where Enc is an oracle that on input (i, and KeyGen is an oracle that on input (f 0 , f 1 ) outputs KeyGen(msk, f β ).Additionally, A queries must satisfy: A MIFE is xx-AD-FH-IND-secure if every PPT adversary has negligible advantage in λ, where the advantage is defined as: Definition 6 (Weak function hiding MIFE).Following the approach from [LV16], we define the notion of weak function hiding (denoted xx-yy-wFH-IND) in the multi-input case, which is as in Definitions 4 and 5, with the exception that the previous constraints on ciphertext and key challenges: are extended with additional constraints to help with our hybrid proof:

Inner-product functionality
In this paper we construct multi-input functional encryption schemes that support the following two variants of the multi-input inner product functionality: Multi-Input Inner Product over Z L .This is a family of functions that is defined as x i , y i mod L.
Multi-Input Bounded-Norm Inner Product over Z.This is defined as F m,X,Y n = {f y 1 ,...,yn : (Z m ) n → Z} where f y 1 ,...,yn (x 1 , . . ., x n ) is the same as above except that the result is not reduced mod L, and vectors are required to satisfy the following bounds: x ∞ < X, y ∞ < Y .

Computational assumptions
Prime-order groups.Let GGen be a probabilistic polynomial time (PPT) algorithm that on input 1 λ returns a description G = (G, p, g) of an cyclic group G of order p for a 2λ-bit prime p, whose generator is g.
We use implicit representation of group elements as introduced in where probabilities are over Pairing groups.Let PGGen be a probabilistic polynomial time (PPT) algorithm that on input 1 λ returns a description PG = (G 1 , G 2 , q, g 1 , g 2 ) of asymmetric pairing groups where G 1 , G 2 , G T are cyclic group of order p for a 2λ-bit prime p, g 1 and g 2 are generators of G 1 and G 2 , respectively, and e : G 1 ×G 2 → G T is an efficiently computable (non-degenerate) bilinear map.Define g T := e(g 1 , g 2 ), which is a generator of G T .We again use implicit representation of group elements.For s ∈ 1, 2, T and a ∈ Z p , define [a] s = g a s ∈ G s as the implicit representation of a in G s .Given [a] 1 , [a] 2 , one can efficiently compute [ab] T using the pairing e.For two matrices A, B with matching dimensions define e( We define the D k -MDDH assumption in pairing groups similarly than in prime-order groups (see Definition 8).
Definition 9 (D k -MDDH assumption in pairing groups).Let D k be a matrix distribution.The D k -MDDH assumption holds relative to PGGen in G s , for s ∈ {1, 2, T }, if for all PPT adversaries A, the following is negl(λ): Next, we recall a result on the uniform distribution over full-rank matrices: Definition 10 (Uniform distribution).Let , k ∈ N, with > k.We denote by U ,k the uniform distribution over all full-rank × k matrices over Z p .Among all possible matrix distributions D k , the uniform matrix distribution U ,k is the hardest possible instance, so in particular k-Lin ⇒ U k -MDDH, as stated in Lemma 1.
For any PPT adversary A, there exists a PPT B such that .
3 From Single to Multi-Input FE for Inner Product In this section, we give a generic construction of MIFE for inner product from any single-input FE (Setup, Enc, KeyGen, Dec) for the same functionality.More precisely, we show two transformations: the first one addresses FE schemes that compute the inner product functionality over a finite ring Z L for some integer L, while the second transformation addresses FE schemes for bounded-norm inner product.The two transformations are almost the same, and the only difference is that in the case of bounded-norm inner product, we require additional structural properties on the singleinput FE.Yet we stress that these properties are satisfied by all existing constructions.Both our constructions rely on a simple MIFE scheme that is one-AD-IND secure unconditionally.In particular, our constructions show how to use single-input FE in order to bootstrap the informationtheoretic MIFE from one-time to many-time security.

Information-Theoretic MIFE with One-Time Security
Here we present the multi-input scheme MIFE ot for the class F m L,n , and we prove its one-AD-IND security.The scheme is described in Figure 1.
Theorem 1.The MIFE described in Figure 1 is one-AD-IND secure.Namely, for any adversary Proof overview.The proof of Theorem 1 has two main steps.First, we use the fact that any adaptive distinguisher against MIFE ot with advantage ε can be transformed into a selective distinguisher with advantage ε/|X| 2 by randomly guessing the two challenge input vectors, where |X| is the size of the input space (|X| = L nm in our case).Then, in a second step, we show that any selective distinguisher against MIFE ot has advantage 0 since MIFE ot behaves as the FE equivalent of the one-time pad.Hence, it follows that any adaptive distinguisher must also have advantage 0.
Proof.Let A be an adversary against the one-AD-IND security of the MIFE.First, we use a complexity leveraging argument to build an adversary B such that: The adversary B simply guesses the challenge {x b i } i∈[n],b∈{0,1} in advance, then simulates A's experiment using its own selective experiment.When B receives A's challenge, it checks if the guess was successful (call E that event): if it was, it continues simulating A's experiment, otherwise, it returns 0. When the guess is successful, B perfectly simulate A's view.Since event E happens with probability exactly L −2nm , and is independent of the adversary A's view, we obtain (λ) = 0. To do so, we introduce hybrid games H β (1 λ , B) described in Figure 2. We prove that for all β ∈ {0, 1}, H β (1 λ , B) is identical to the experiment one-SEL-IND MIF E β (1 λ , B).This can be seen using the fact that for all {x β i ∈ Z m } i∈[n] , the following distributions are identical: Recall that here i ∈ [n] is an index for input slots.Note that the independence of the x β i from the u i is only true in the selective security game.Finally, we show that B's view in H β (1 λ , B) is independent of β.Indeed, the only information about β that leaks in this experiment is i x β i , y i , which is independent of β by definition of the security game.Remark 2 (one-SEL-SIM security).As a result of independent interest, in Appendix A we show that the MIFE presented in Figure 1 satisfies perfect one-SEL-SIM security, which implies perfect one-SEL-IND (which itself implies perfect one-AD-IND security via complexity leveraging, as shown in the proof above).
Remark 3 (Linear homomorphism).We use the fact that Enc ot is linearly homomorphic, that is, for all input slots i ∈ . This property will be used when using the one-time scheme MIFE ot from Figure 1 as a building block to obtain a full-fledged many-AD-IND MIFE.

Our Transformation for Inner Product over Z L
We present our multi-input scheme MIFE for the class F m L,n in Figure 3.The construction relies on the one-time scheme MIFE ot of Figure 1, and any single-input FE for the class F m L,1 .The correctness of MIFE follows from the correctness properties of the single-input scheme FE and the multi-input scheme MIFE ot .Indeed, correctness of the former implies that, for all input slots i ∈ For the security we state the following theorem: Theorem 2. If the single-input FE, FE is many-AD-IND-secure, and the multi-input scheme MIFE ot is one-AD-IND-secure, then the multi-input FE, MIFE, described in Figure 3, is many-AD-IND-secure.
Since the proof of the above theorem is almost the same as the one for the case of bounded-norm inner product, we only provide an overview here, and defer to the proof of Theorem 3 for further details.
Proof overview.Here, for any intput slot i ∈ [n], we denote by (x j,0 i , x j,1 i ) the j'th query to Enc(i, •, •), for any j ∈ [Q i ], where Q i is the total number of queries to Enc(i, •, •).
The proof is in two main steps.First, we switch encryptions of x 1,0 1 , . . ., x 1,0 n to those of x 1,1 1 , . . ., x 1,1 n , using the one-AD-IND security of MIFE ot .For the remaining ciphertexts, we switch from an encryption of x j,0 i = (x j,0 i − x 1,0 i ) + x 1,0 i to that of (x j,0 i − x 1,0 i ) + x 1,1 i .In this step we use the fact that one can compute an encryption of Enc ot (u, i, (x j,0 i − x 1,0 i ) + x 1,0 i ) from an encryption Enc ot (u, i, x 1,0 i ), because the encryption algorithm Enc ot of MIFE ot is linearly homomorphic (see Remark 3).Finally, we apply a hybrid argument across the slots to switch from encryptions of Instantiations.The construction in Figure 3 can be instantiated using the single-input FE schemes of Agrawal,Libert,and Stehlé [ALS16] that are many-AD-IND-secure and allow for computing inner products over a finite ring.Specifically, we obtain: -A MIFE for inner product over Z p for a prime p, based on the LWE assumption.This is obtained by using the LWE-based scheme of We note that since both these schemes in [ALS16] have a stateful key generation, our MIFE inherits this stateful property.Stateless MIFE instantiations are obtained from the transformation in the next section.

Our Transformation for Inner Product over Z
Here we present our transformation for the case of bounded-norm inner product.In particular, in Figure 4 we present a multi-input scheme MIFE for the class F m,X,Y n from the one-time scheme MIFE ot of Figure 1, and a (single-input) scheme FE for the class F m,3X,Y 1 .12For our transformation to work, we require FE to satisfy two properties.The first one, that we call two-step decryption, intuitively says that the FE decryption algorithm works in two steps: the first step uses the secret key to output an encoding of the result, while the second step returns the actual result x, y provided that the bounds x ∞ < X, y ∞ < Y hold.The second property informally says that the FE encryption algorithm is additively homomorphic.
We note that the two-step property also says that the encryption algorithm accepts inputs x such that x ∞ > X, yet correctness is guaranteed as long as the encrypted inputs are within the bound at the moment of invoking the second step of decryption.
Two-step decryption is formally defined as follows.
Property 1 (Two-step decryption).An FE scheme FE = (Setup, Enc, KeyGen, Dec) satisfies two-step decryption if it admits PPT algorithms Setup , Dec 1 , Dec 2 and an encoding function E such that: 1.For all λ, m, n, X, Y ∈ N, Setup (1 λ , F m,X,Y 1 , 1 n ) outputs (msk, mpk) where mpk includes a bound B ∈ N, and the description of a group G (with group law and sk ← KeyGen(msk, y), we have for some noise ∈ N that depends on ct and sk.Furthermore, it holds that for all x, y ∈ Z m , Pr[noise < B] = 1 − negl(λ), where the probability is taken over the random coins of Setup , Enc and KeyGen.Note that there is no restriction on the norm of x, y here, and that we are assuming that Enc accepts inputs x whose norm may be larger than the bound.3. Given any γ ∈ Z L , and mpk, one can efficiently compute E(γ, 0). 4. The encoding E is linear, that is: for all γ, γ ∈ Z L , , noise, noise ∈ Z, we have The second property is as follows.
Property 2 (Linear encryption).For any FE scheme FE = (Setup, Enc, KeyGen, Dec) satisfying the two-step property, we define the following additional property.There exists a deterministic algorithm Add that takes as input a ciphertext and a message, such that for all x, x ∈ Z m , the following are identically distributed: Add(Enc(msk, x), x ), and Enc msk, (x + x mod L) .
Note that the value L ∈ N is defined as part of the output of the algorithm Setup * (see the twostep property above).We later use a single input FE with this property as a building block for a multi-input FE (see Figure 4); this property however is only used in the security proof of our transformation.
Instantiations.It is not hard to check that these two properties are satisfied by known functional encryption schemes for (bounded-norm) inner product.In particular, in Section 4 we show that this is satisfied by the many-AD-IND secure FE schemes of Agrawal,Libert and Stehlé [ALS16]. 13This allows us to obtain MIFE schemes for bounded-norm inner product based on a variety of assumptions such as plain DDH, Decisional Composite Residuosity, and LWE.In addition to obtaining the first schemes without the need of pairing groups, we also obtain schemes where decryption works efficiently even for large outputs.This stands in contrast to the previous result [AGRW17], where decryption requires to extract discrete logarithms.
Correctness.The correctness of the scheme MIFE follows from (i) the correctness and Property 1 (two-step decryption) of the single-input scheme, and (ii) from the correctness of MIFE ot and the linear property of its decryption algorithm Dec ot .More precisely, consider any vector By (2) of Property 1, the decryption algorithm Dec (sk y , ct 1 , . . ., By (4) of Property 1 (linearity of E), and the correctness of MIFE ot we have: .
Proof of Theorem 3.
The proof proceeds by a sequence of games where G 0 is the many-AD-IND MIF E 0 (1 λ , A) experiment.A formal description of all the experiments used in this proof is given in Figure 6, and a high-level summary is provided in Figure 5.For any game G i , we denote by Adv , where the probability is taken over the random coins of G i and A. In what follows we adopt the same notation from [AGRW17] for queried plaintexts, namely (x j,0 i , x j,1 i ) denotes the j-th encryption query on the i-th slot.Game G 1 : Here we change the way the challenge ciphertexts are created.In particular, for all slots and all queries simultaneously, we switch from Enc (msk, i, Proof.Here we replace encryptions of x j,0 i − x 1,0 i + x 1,0 i with encryptions of x j,0 i − x 1,0 i + x 1,1 i in all slots simultaneously.Recall that here, j is the index of the encryption query while i is the index for the slot.The argument relies on the one-AD-IND security of the multi-input scheme MIFE ot and on the fact that ciphertexts produced by the latter can be used as plaintext for the underlying single input FE scheme FE that we are using as additional basic building block.
More in details, we build the adversary B 1 so that it simulates G β to A when interacting with experiment one-AD-IND MIF E β .Initially B 1 does not receive anything, since the one-AD-IND information-theoretically secure MIFE does not have any public key.For all i ∈ and hands the public parameters to A. Also, whenever A queries a secret key, B 1 first queries its own oracle (on the same input) to get a corresponding key z.Next, for all i ∈ [n], it sets sk i ← KeyGen(msk i , y i ) and gives back to A the secret key sk y When A asks encryption queries, B 1 proceeds as follows.For each slot i, when receiving the first query (i, x 1,0 i , x 1,1 i ), it computes the challenge ciphertext, for slot i, by invoking its own encryption oracle on the same input.Calling Subsequent queries, on slot i, are answered as follows.B 1 produces ct j i (for j > 1) by encrypting x j,0 i − x 1,0 i + w 1 i mod L, using msk i .Note that Enc ot is linearly homomorphic (see Remark 3), thus, x j,0 i − x 1,0 i + w 1 i mod L = Enc ot (u, i, x 1,β i + x j,0 i − x 1,0 i ).Finally, B 1 outputs 1 iff A outputs 1.One can see that B 1 provides a perfect simulation to A and thus: KeyGen (msk, y) return sky Fig. 6.Experiments for the proof of Theorem 3.
Game G 2 : Here we change again the way the challenge ciphertexts are created.In particular, for all slots i and all queries j, we switch ct j i from Enc (msk, i, x j,0 i − x 1,0 i + x 1,1 i ) to Enc (msk, i, x j,1 i − x 1,1 i + x 1,1 i ).G 2 can be proved indistinguishable from G 1 via an hybrid argument over the n slots, relying on the security of the underlying single-input scheme.
By looking at the games defined in Figure 6, one can see that since G 1 corresponds to game G 1.0 and whereas G 2 is identical to game G 1.n .Therefore, for every we bound the difference between each consecutive pair of games in the following lemma: Lemma 3.For every ∈ [n], there exists a PPT adversary B 1. against the many-AD-IND security of the single-input scheme FE such that

(λ).
Proof.Here, we replace encryptions of x j,0 i − x 1,0 i + x 1,1 i with encryptions of x j,1 i − x 1,1 i + x 1,1 i in all slots.Let us recall that j is the index of the encryption query while i is the index for the slot.The argument relies on (1) the many-AD-IND security of the underlying single input scheme FE := (Setup, KeyGen, Enc, Dec), (2) the fact that Enc satisfies Property 2 (linear encryption), and (3) the restrictions imposed by the security game (see [AGRW17]).As for this latter point we notice that, indeed, the security experiment restriction in the case of the inner product functionality imposes that x j,0 i − x 1,0 i , y i = x j,1 i − x 1,1 i , y i , for all slots i ∈ [n].In our scheme this becomes x j,0 i − x 1,0 i , y i mod L = x j,1 i − x 1,1 i , y i mod L, which in turn is equivalent to More formally, we build an adversary B 1. that simulates G 1. −1+β to A when interacting with the experiment many-AD-IND F E β .B 1. starts by receiving a public key for the scheme FE, which is set to be the key mpk for the -th instance of FE.Next, it runs u ← Setup ot , and for all i = , it runs Setup to get (mpk i , msk i ).It gives (mpk 1 , . . ., mpk n ) to A.
B 1. answers secret key queries y = y 1 || . . .||y n by first running sk i ← KeyGen(msk i , y i ) for i = .Also it invokes its own key generation oracle on y , to get sk .Finally, it computes z ← KeyGen ot (u, y 1 || . . .||y n ) (recall that B 1. knows u).This key material is then sent to A.
B 1. answers encryption queries (i, x j,0 i , x j,1 i ) to Enc as follows.If i < , it computes Enc(msk i , Enc ot (u, i, x j,1 i )).If i > , it computes Enc(msk i , Enc ot (u, i, x j,0 i − x 1,0 i + x 1,1 i )).If i = , at the j-th encryption query on slot , B 1. queries its own oracle on input (x j,0 − x 1,0 + x 1,1 , x j,1 − x 1,1 + x 1,1 ) (note that these vectors have norm less than 3X, and as such, are valid input to the encryption oracle), to get back ct j * := Enc msk , x j,β −x 1,β +x 1,1 from the experiment many-AD-IND F E β .Then, B 1. computes ct j := Add(ct j * , u ), and sends it to A. Note that by Property 2 ct j is identically distributed to Enc msk , x j,β −x 1,β +x 1,1 +u mod L , the latter being equal to Enc msk , Enc ot (x j,β − x 1,β + x 1,1 ) .Also, we remark that because B 1. plays in the many-AD-IND security game, it can make several queries to its encryption oracle, which means that every ct j * obtained from the oracle is encrypted under fresh randomness r j , i.e., ct j * := Enc msk , x j,β − x 1,β + x 1,1 ; r j .Therefore, the simulated ciphertext ct j uses randomness r j which is independent of the randomness r j used in ct j , for all j = j .This means ct j is distributed as in game G 1. −1+β .
Finally, B 1. outputs the same bit β returned by A. Thus: The proof of Theorem 3 follows by combining the bounds obtained in the previous lemmas.

Concrete instances of FE for Inner Product
In this section we discuss three instantiations of our generic construction from Section 3.3.In particular, we show that the existing (single-input) FE schemes proposed by Agrawal et al. [ALS16] (that are proven many-AD-IND-secure) satisfy Property 1 (two-step decryption) and Property 2 (linear encryption).Note that all of these (single-input) FE schemes happen to be public-key, although we stress that this property is not required by our generic construction from Section 3.3.
2. We have for all x, y ∈ Z m , Dec 1 sk y , ct x := (c 0 , c 1 ) = c 0 c 1 sk y mod q = x, y • q K + y e 1 − e 0 Z y mod q = E( x, y mod q, noise), where noise := y e 1 − e 0 Z y, and Pr[noise < B] = 1 − negl(λ).3. It is straightforward to see that E(γ, 0) is efficiently and publicly computable.4. It is also easy to see that E is linear.

Finally, for all
follows by the same decryption correctness argument in [ALS16], with the only difference that here we used a larger bound K.

Inner Product FE from Paillier
Here we show that the Inner Product FE from [ALS16, Section 5.1] and recalled in Figure 9 satisfies Property 1 (two-step decryption) and Property 2 (linear encryption).
1.The algorithm Setup (1 λ , F m,X,Y 1 , 1 n ) works the same as Setup except that it additionally uses n to ensure n • m • X • Y < N .Also, it returns the bound B := 0, L := N , G as the subgroup of Z * N 2 of order N generated by (1 + N ), and the encoding function We let Dec 1 and Dec 2 be the first and second line of Dec in Figure 9. 2. We have for all x, y ∈ Z m , 3. It is straightforward to see that see that E(γ, 0) can be efficiently computed from public information.4. It is also easy to see that E is linear.

MIFE for Inner Product from DDH
Here we present a concrete construction of MIFE for Inner Product whose security relies on the DDH assumption (without pairings).This concrete instantiation can be found in Figure 10.

Function-Hiding Multi-Input FE for Inner Product
In this section, we give a function-hiding MIFE.We transform the MIFE for inner product proposed by Abdalla et al. in [AGRW17] into a function-hiding scheme, using a double layered encryption approach, similar to the one of Lin [Lin17].Namely, in Section 5.1, we give a generic construction that use any single-input FE on top of the MIFE from [AGRW17], which can prove selectively secure.Unlike the results in Section 3 that can be instantiated without pairings, for function-hiding we rely on pairing groups.Finally, in Section 5.2, we prove adaptive security, considering a specific instantiation of our construction.
Our construction.We present our function-hiding scheme MIFE in Figure 12.The construction relies on the multi-input scheme MIFE of Abdalla et al. [AGRW17] (recalled in Figure 11), used together with any one-SEL-SIM secure, single-input FE for the functionality where 2 ) is a pairing group, and is the size of the ciphertext and secret keys in MIFE .
Concretely, we use the single-input FE from [ALS16], generalized to the MDDH assumption, whose one-SEL-SIM security is proven in [AGRW17,Wee17], and whose description is recalled in Figure 7.Note that this single-input FE happens to be public-key, but this is not a property that we need for our overall MIFE.
Outline of the construction.Our starting point is the MIFE scheme for inner-products from [AGRW17], denoted by MIFE := (Setup , Enc , KeyGen , Dec ) and recalled in Figure 11.This scheme is clearly not function-hiding, as the vector y is given in the clear as part of functional secret key, in order to make decryption possible.In order to avoid the leakage of y, we employ an approach similar to the one proposed in [Lin17], which intuitively consists into adding a layer of encryption on top of the MIFE keys and ciphertexts; this is done by using a single-input inner product encryption scheme FE.Slightly more in detail, using the FE and MIFE schemes, we design our new function-hiding multi-input scheme MIFE as follows.
We generate master keys (mpk i , for computing inner products on vectors of dimension , where is the size of the ciphertexts and secret keys of MIFE .To encrypt x i ∈ Z m p for each slot i ∈ [n], we first compute [ct in i ] 1 using MIFE , and then we compute ).To generate a key for y := (y 1 • • • y n ) ∈ Z nm p , we first compute the keys sk in from MIFE , and then we would like to encrypt these keys using FE in order to hide information about y.A generic way to do it would be to set our secret key to be Enc(msk i , sk in ), for all possible i ∈ [n], so that we can compute the inner product of [ct in i ] 1 with sk in for all i ∈ [n].But that would yield keys of size O(n 2 m), since the key sk in itself is of size O(nm).We can do better, however.If we consider the specific MIFE scheme from [AGRW17] Definition 11 (one-SEL-SIM-secure FE).A single-input functional encryption FE for the functionality F G 1 ,G 2 ,G T is one-SEL-SIM-secure if there exist PPT simulator algorithms ( Setup, Enc, KeyGen) such that for every PPT (stateful) adversary A and every λ ∈ N, the following two distributions are computationally indistinguishable: The oracle O(•) in the ideal experiment above is given access to another oracle that, given For every stateful adversary A, we define its advantage as and we require that for every PPT A, there exists a negligible function negl such that for all λ ∈ N,

Proof of Selective Security
In the following theorem we state the selective security of our scheme MIFE.Precisely, the theorem proves that our scheme is weakly function-hiding.We stress that this does not entail any limitation in the final result, as full-fledged function-hiding can be achieved in a generic way via a simple transformation, proposed in [LV16] (for single-input FE).The main idea is to work with slightly larger vectors where both input vectors x and secret-key vectors y are padded with zeros.In Appendix B we show how to do this transformation in the multi-input setting.

Multi-input scheme MIFE [AGRW17]
Setup Proof Overview.The proof is done via a hybrid argument that consists of two main phases: we first switch the ciphertexts from encryptions of x j i ,0 i to encryptions of x j i ,1 i for all slots i ∈ [n], and ciphertext queries where Q i denotes the number of ciphertext query on the i'th slot.This change is justified by the many-SEL-IND security of the underlying MIFE in a black box manner.In addition, this change relies on the weak-function-hiding property that imposes the constraints n i=1 x j i ,0 i , y , for all secret key queries j f ∈ [Q f ], where Q f denotes the number of secret key queries, which thus disallow the adversary from trivially distinguishing the two games.
The second main change in the proof is to switch the decryption keys from keys corresponding to y j,0 1 . . .y j,0 n to keys corresponding to y j,1 1 . . .y j,1 n for every j ∈ [Q f ].This in turn requires a hybrid argument over all decryption keys, changing one key at a time.To switch the ρ'th key, we use the selective simulation security of the underlying FE to embed the value x j,1 i , y ρ,β i + r ρ , z i in the ciphertexts ct j i , for all slots i ∈ [n] and all j ∈ [Q i ].Next, we use the D k -MDDH assumption to argue that [ r ρ , z i ] T is indistinguishable from a uniform random value and thus perfectly hides x 1,1 i , y ρ,β i for the first ciphertext of each slot: ct 1 i .For all the other remaining x j,1 i , , as implied by the game's restrictions.
Proof of Theorem 4. We proceed via a series of Games G 0 , G 1 , G 1.ρ , for ρ ∈ [Q f + 1], described in Figure 14.An overview is provided in Figure 13.Let A be a PPT adversary, and λ ∈ N be the security parameter.We denote by Adv G i (A) the advantage of A in game G i .
G 1 : we replace the inner encryption of x j,0 i by encryptions of x j,1 i , for all i ∈ [n], j ∈ [Q i ], using the many-SEL-IND security of MIFE .This is possible due to the weak function-hiding New function-hiding scheme MIFE , where by we denote the output size of Enc and KeyGen , and MIFE := (Setup , Enc , KeyGen , Dec ) is the many-AD-IND secure, multi-input FE from Figure 11.constraint, which states in particular that n i=1 x j i ,0 i , y G 1.ρ : for the first ρ − 1 queries to KeyGen, we replace inner secret key KeyGen msk , y 0 Lemma 4 (G 0 to G 1 ).There exists a PPT adversary B 1 such that Proof.In order to show that we can switch x j,0 i to x j,1 i , we rely on the security of the underlying MIFE scheme.Intuitively, adding an additional layer of encryption on the decryption keys sk in i cannot invalidate the security of the underlying MIFE .
More formally, we design an adversary B 1 against the many-SEL-IND security of MIFE .Adversary B 1 draws public and secret keys for the outer encryption layer and then uses its own experiment to simulate either G 0 or G 1 .We describe adversary B 1 in Figure 15 and give a textual description here.
Simulation of master public key mpk.Since the game is selective, the adversary B 1 first gets the challenges {x j,b i } i∈[n],j∈[Q i ],b∈{0,1} from A, and it sends them to its experiment many-SEL-IND MIF E β .Then, B 1 receives the public key mpk of the MIFE scheme.To construct the full KeyGen (msk , y j,1 1 . . .y j,1 n ), for j < ρ KeyGen (msk , y j,0 1 . . .y j,0 n ), for j ≥ ρ Lemma 5 Fig. 13.An overview of the games used in the proof of Theorem 4. By [ct in,k i ]1 and [sk in,j i ]2 we denote the k th ciphertext and the j th decryption key of the inner scheme MIFE .
-Simulation of the master public key mpk: receives [ct in,j i ]1 from Exp ct out,j i := FE.KeyGen(mski, [ct in,j  i ]1) return ct out,j i -Simulation of KeyGen msk, (y j,b i ]1 := Enc (msk , i, x j,0 i ) and case 2: KeyGen queries are answered identically in both cases without knowing msk by calling the KeyGen oracle of Exp and encrypting the sk in,j i responses under mpk i .
Lemma 5 (G 1.ρ to G 1.ρ+1 ).For all ρ ∈ [Q f ], there exist PPT adversaries B ρ and B ρ such that Proof of Lemma 5. We proceed via a series of Games H ρ , H ρ.β , H ρ.β , for ρ ∈ [Q f +1], and β ∈ {0, 1}, described in Figure 17.Note that H ρ is G 1.ρ .We prove that:  16).Note that H ρ.0.0 is H ρ and H ρ.0.n is H ρ.0 .Using the one-SEL-SIM security of FE, we have The reduction showing adversary B ρ.t is rather straightforward and is omitted.The idea is that B ρ.t generates all the keys involved in the scheme, except for (mpk t , msk t ).For the t-th one, it plugs the one it receives from the one-SEL-SIM F E experiment, i.e., either mpk t or mpk t ; this allows it to perfectly simulate the view of A. KeyGen(mski, [ct in,j  i ]1) 2) On the j'th query, j = ρ: for i < t: [z]T Fig. 16.Games for the proof of Lemma 6.
, where r ρ ← r Z k p is the randomness picked by KeyGen on its ρ'th query, z i ← r Z k p , and z i ← r Z p .This is justified using the D k -MDDH assumption in G 1 .
Proof.Precisely we first build an adversary B ρ,β against U n,k -MDDH, and then the proof is obtained by applying Lemma 1 (D k -MDDH ⇒ U n,k -MDDH).Such adversary can be defined quite straightforwardly so that it provides either [z] T Fig. 17.Games for the proof of Lemma 5.In each procedure, the components inside a solid (dotted, gray) frame are only present in the games marked by a solid (dotted, gray) frame.
of Lemma 14), we use complexity leveraging, and we simulate the selective proof arguments.This multiplies the security loss by an exponential factor.We can do so here because this particular transition is perfect: the exponential term is multiplied by a zero advantage.Although this proof strategy shares similarities with the adaptive security proof the MIFE in [AGRW17], our proof has some crucial differences: mainly, the role of the keys and ciphertexts in our proof is switched.Since the multi-input model is asymmetric with respect to the ciphertexts and decryption keys (only ciphertexts can be mixed-and-matched), this results in a different proof strategy.Proof of Theorem 5. We proceed via a series of Games G   G 1 : we replace the inner encryption of x j,0 i by encryptions of x j,1 i , for all i ∈ [n], j ∈ [Q i ], using the many-AD-IND security of MIFE := (Setup , Enc , KeyGen , Dec ).We prove G 0 ≈ c G 1 in Lemma 10, and Lemma 10 (G 0 to G 1 ).There exists a PPT adversary B 0 such that Proof.This proof is very similar to the proof of Lemma 4. We design an adversary B 0 against the many-AD-IND security of the scheme from Figure 24 (which is many-AD-IND-secure by Theorem 6).
Note that the vectors [c i ] 1 , [c i ] 1 output by Enc (see Figure 18) exactly correspond to a ciphertext for the MIFE scheme from [AGRW17].Thus, using the many-AD-IND security of the latter, we can switch encryption of x j,0 i into encryption of x j,1 i for all i ∈ [n], j ∈ [Q i ].We now describe how B 1 simulates A's view.
Simulation of the public key.Given the mpk := PG, B 0 draws matrices , and forwards the public key PG to A.
Simulation of the ciphertexts.Consider the case when A makes a plaintext query (x j,0 i , x j,1 i ) to B 1 .Adversary B 0 forwards the queries to the many-AD-IND challenger, which replies with Simulation of the decryption keys.Upon receiving a query (y j,0 1 . . .y j,0 n , y j,1 there exists PPT adversary B ρ such that: Proof of Lemma 11.We proceed via a series of games H ρ , H ρ.β , H ρ.β , H ρ.β for ρ ∈ [Q f + 1] and β ∈ {0, 1} described in Figure 21.Note that H ρ is G 1.ρ .We summarize our sequence of hybrids between G 1,ρ and G 1,ρ+1 in Figure 19.Lemma 12 (H ρ to H ρ.0 ).For all ρ ∈ [Q f ], there exists a PPT adversary B ρ such that: Proof of Lemma 10.Here, we switch ( We do so for all input slots i ∈ [n], using a hybrid argument.This change is justified by the facts that: H ρ.β ≡ H ρ.β , for all β ∈ {0, 1}: here, for all slots i ∈ [n], we replace the way the vector [d i ] 1 is computed by KeyGen(msk, •) on its ρ'th query, using an information theoretic argument.Looking ahead, we want to make it possible to simulate the adversary's view only knowing [r ρ ] 1 , [z i ] 1 , [ z i , r ρ ] T , and not [r ρ ] 2 .This is in order to apply D k -MDDH in H ρ.β in the next transition.
Proof of Lemma 13.We argue that H ρ.β and H ρ.β are the same, using the fact that for all i ∈ [n], and all r ρ ∈ Z k p , the following distributions are identical: where V i ← r Z (2k+m+1)×(k+1) p . This way, we obtain as in H ρ.β .
, where z i ← r Z p , using the D k -MDDH assumption.
More precisely, note that z 1 • • • z n is uniformly random over Z n×k p , which is k p -close to uniformly random over full-rank n times k matrices over Z p (assuming n > k).Thus, using the U n,k -MDDH assumption, we can switch , where z i ← r Z p .
H ρ.0 ≡ H ρ.1 : we go the selective variant of H ρ.0 , called H ρ.0 , via complexity leveraging (i.e.guessing the challenge), then use the following change of variables: and z i → z i − x 1,1 i , y ρ,1 i − y ρ,0 i to switch to H ρ.1 .We use the fact that i x 1,1 i , y ρ,1 i − y ρ,0 i = 0, and that for all i ∈ [n], j ∈ [Q i ], we have: x j,1 i −x 1,1 i , y ρ,1 i −y ρ,0 i = 0, by definition of the security game.We switch back to the adaptive variant, H ρ.1 , "unguessing", which incurs an exponential security loss, multiplied by zero.
Summing up, we have G 1.ρ ≈ c G 1.ρ+1 (see Figure 19 for a summary of the hybrids).

B From Weak to Full Function-Hiding
In [LV16], the authors propose a simple transformation for turning a weak function-hiding FE scheme into a full-fledged function hiding one.In this section, we show that the same transformation is applicable in the multi-input case.For brevity, we use x i 0 to denote that x i ∈ Z m p is padded with m trailing zero.The new scheme consists in using the original MIFE scheme to encrypt x i = x i 0 instead of x i , for every slot i ∈ [n].Likewise, instead of generating keys for y = y 1 . . .y n , the keys will be generated for y = (y 1 0) . . .(y n 0).This does not change the result of the decryption, since: Security is justified via a hybrid argument over Games 0 to 3. For every i ∈ {0, 1, 2}, the advantage of an adversary A distinguishing between Game i and Game i+1 is negligible based on the weak function-hiding security property.The transitions are more precisely described in Figure 23.Notice that for every i ∈ {0, 1, 2}, Game i can be argued computationally indistinguishable from Game i+1 based only on the weak function-hiding property.For example, for Game 0 and Game 1 , x 0 , y 0 = x 1 , y 0 = x 1 , y 1 , which implies that Game 0 and Game 1 are computationally indistinguishable only due to the weak function-hiding of the underlying scheme.Applying the same argument for i ∈ {1, 2}, we get that the scheme using paddings is fully function-hiding.

C Appendix -Adaptive (Non-Function-Hiding) Multi-Input Scheme
In this section we recall the adaptively-secure multi-input encryption scheme from [AGRW17], where it was proven to be many-AD-IND-secure.This ensures that encryptions of x j,0 i are indistinguishable We will always use this implicit notation of elements in G, i.e., we let [a] ∈ G be an element in G.Note that from a random [a] ∈ G it is generally hard to compute the value a (discrete logarithm problem in G).Obviously, given [a], [b] ∈ G and a scalar x ∈ Z p , one can efficiently compute [ax] ∈ G and [a + b] ∈ G. Matrix Diffie-Hellman Assumption for prime-order groups.We recall the definition of the Matrix Decision Diffie-Hellman (MDDH) Assumption [EHK + 13].Definition 7 (Matrix Distribution).Let k ∈ N. We call D k a matrix distribution if it outputs matrices in Z (k+1)×k p of full rank k in polynomial time.W.l.o.g.we assume the first k rows of A ← r D k form an invertible matrix.The D k -Matrix Diffie-Hellman problem is to distinguish the two distributions ([A], [Aw]) and ([A], [u]) where A ← r D k , w ← r Z k p and u ← r Z p .Definition 8 (D k -Matrix Diffie-Hellman (D k -MDDH) assumption in prime-order groups).Let D k be a matrix distribution.The D k -Matrix Diffie-Hellman (D k -MDDH) assumption holds relative to GGen if for all PPT adversaries A,
λ).It remains to prove that the MIFE presented in Figure 1 satisfies perfect one-SEL-IND security, namely, for any adversary B, Adv one-SEL-IN D MIF E,B

Fig. 3 .
Fig. 3. Private-key multi-input FE scheme MIFE := (Setup , Enc , KeyGen , Dec ) for the class F m L,n from a public-key single-input FE FE := (Setup, Enc, KeyGen, Dec) for the class F m L,1 , and one-time multi-input FE MIFE ot = (Setup ot , Enc ot , KeyGen ot , Dec ot ) for the class F m L,n .

Fig. 4 .
Fig. 4. Private-key multi-input FE scheme MIFE = (Setup , Enc , KeyGen , Dec ) for the class F m,X,Y n from publickey single-input FE scheme FE = (Setup, Enc, KeyGen, Dec) for the class F m,X,Y 1 and one-time multi-input FE MIF E ot = (Setup ot , Enc ot , KeyGen ot , Dec ot ).
5) of Property 1.Proof of Security.In the following theorem we show that our construction is a many-AD-INDsecure MIFE, assuming that the underlying single-input FE scheme is many-AD-IND-secure, and the scheme MIFE ot is one-AD-IND secure.Theorem 3. Assume that the single-input FE is many-AD-IND-secure and the multi-input FE MIFE ot is one-AD-IND-secure.Then the multi-input FE MIFE in Figure4is many-AD-INDsecure.Namely, for any PPT adversary A, there exist PPT adversaries B and B such that

Fig. 5 .
Fig. 5.An overview of the games used in the proof of Theorem 3.
G 1 can be proved indistinguishable from G 0 by relying on the one-time security of the multi-input scheme.More formally, Lemma 2. There exists a PPT adversary B 1 against the one-AD-IND security of MIFE ot scheme such that |Adv 0 (A) − Adv 1 (A)| ≤ Adv one-AD-IN D MIF E ot ,B 1 (λ).

Fig. 9 .
Fig. 9. Functional encryption scheme for the class F m,X,Y 1

Fig. 10 .
Fig. 10.Multi-Input Functional encryption scheme for the class F m,X,Y n

Fig. 14 .
Fig.14.Games for the proof of Theorem 4. In each procedure, the components inside a solid (dotted) frame are only present in the games marked by a solid (dotted) frame.

Figure 20 .
Let A be a PPT adversary, and λ ∈ N be the security parameter.For all games G i , we denote by Adv G i (A) the advantage of A in G i .G 0 : is the experiment many-AD-wFH-IND MIF E 0 (see Definition 5).

Fig. 18 .
Fig. 18.Many-AD-IND-wFH secure, multi-input FE scheme for the class F m,X,Y n

G
1.ρ : for the first ρ − 1 queries to KeyGen, we replace the inner secret key KeyGen msk , y 0 1 • • • y 0 n , by KeyGen msk , y 1 1 • • • y 1 n .Note that Game 1 is the same as Game 1.1 , and Game 1.Q f +1 is the same as many-AD-wFH-IND MIF E 1 .

Fig. 19 .
Fig. 19.Summary of the sequence of hybrids in the proof of Lemma 11

Fig. 22 .
Fig. 20.G0, G1.ρ for ρ ∈[Q f + 1],for the proof of .In each procedure, the components inside a solid (dotted) frame are only present in the games marked by a solid (dotted) frame.
Fig. 23.Sequence of games for transforming a weak multi-input function-hiding inner-product encryption scheme into a full function-hiding one.
, a secret key sk in for y consists of the components ([sk in 1 . . .sk in n ] 2 , [z] T ), where each [sk in i ] 2 only depends on y i and is of size O(m), while [z] T ∈ G T does not depend on y at all.Hence, we encrypt each vectors [sk in i ] 2 to obtain sk out FE.Enc(mpk i , [sk in i ] 2 ), which gives us a secret key sk out := {sk out i } i∈[n] , [z] T of total size O(nm).This way, decrypting the outer layer as FE.Dec(sk out i , ct out i ) yields [ sk in i , ct in i ] T , which is what needs to be computed in the MIFE decryption algorithm Dec .More precisely, correctness of MIFE follows from the correctness of MIFE , and the structural requirement of FE.Dec that is used in the MIFE decryption algorithm, namely: i :=

.
H ρ to H ρ.0 : we replace (FE.Setup, FE.KeyGen, FE.Enc) by the efficient simulator (FE.Setup, FE.KeyGen, FE.Enc), using the one-SEL-SIM security of the single-input FE, via a hybrid argument across all slots i ∈ [n].Lemma 6 (H ρ ≈ c H ρ.0 :).There exists a PPT adversary B 1.ρ such thatAdv Hρ (A) − Adv H ρ.0 (A) ≤ n • Adv one-SEL-SIMProof.We use a hybrid argument over all slots t ∈ [n].That is, we define H ρ.1.tfor t ∈ [n], where the for the first t slots, (FE.Setup, FE.KeyGen, FE.Enc) is replaced with (FE.Setup, FE.KeyGen, FE.Enc) (the games are described in Figure thus simulating either H ρ.β or H ρ.β respectively) according to the distribution of its own input.The only observation is that by the U n,k -MDDH definition, z 1 • • • z n is uniformly random over full-rank matrices in Z n×k p.However, these two distributions are k/p-close (assuming n > k).Hρ , H ρ.β , H ρ.β for ρ ∈ and u i ← r Z k+1 p .