A tighter proof for CCA secure inner product functional encryption: Genericity meets efficiency

Inner product functional encryption (IPFE) is a primitive which produces, from a master secret key, decryption keys skk associated to vectors k over some specified base ring. Decrypting an encryption of vector m with skk only reveals 〈k,m〉. Benhamouda et al. [7] provided a generic construction for CCA-secure IPFE from projective hash functions (PHFs), unfortunately their security reduction suffers an exponential loss. Their only instantiation capable of decrypting inner products of large sizes, which relies on the decisional composite residuosity (DCR) assumption, is impractical due to the large size of ciphertexts, decryption keys, and the prohibitive speed of the scheme. Our core contribution is a new approach to proving CCA security. Our constructions maintain the genericity of [7], while our security proof relaxes the requirements on the underlying PHFs and gains in reduction tightness. We instantiate these constructions from the DCR assumption, an assumption in class groups (HSMCL) and the decision Diffie Hellman (DDH) assumption. Our CCA-secure constructions from DCR and HSMCL are the first such schemes to efficiently decrypt inner products of large size, improving by multiple orders of magnitude upon the work of [7]. A single-core C implementation of these schemes shows that, for a 112 bit security, and 100-dimensional vectors, their DCR-based scheme takes 1 h 20 min to encrypt, and over 5 min to decrypt, whereas our slowest scheme takes 5.2 s to encrypt and 0.5 s to decrypt. Similarly a ciphertext for their scheme is of 283 MB; those of our HSMCL-based scheme are of 30 kB.