An Indistinguishably Secure Function Encryption Scheme

In this work, we rst design a function encryption scheme by using key encapsulation. We combine public key encryption with symmetric encryption to implement the idea of key encapsulation. In the key encapsulation, we use a key to turn a message (plaintext) into a ciphertext by symmetric encryption, and then we use public key encryption to turn this key into another ciphertext. In the design of function encryption scheme, we use the public key encryption system, symmetric encryption system, noninteractive proof system, indistinguishable obfuscator, and commitment scheme. Finally, we prove the indistinguishable security of our function encryption scheme.


Introduction
Nowadays, network technology has been rapidly developed and widely used. Due to the emergence of hacking, virus, and electronic fraud and theft, various information leakage incidents occur frequently. Both personal information security and enterprise information security are getting more and more attention, which makes information security more important than ever.
With the rise of cloud computing, in order to save local storage resources, more and more companies or individuals choose to store local data on third-party servers (such as cloud computing platforms). To prevent user data from leaking, the data can be encrypted before storing it on thirdparty servers. It is noteworthy that in this application, thirdparty servers need to operate something on the user's ciphertext, such as data mining, query, and statistics of the ciphertext. However, the traditional encryption system does not support ciphertext computing.
is problem can be solved by using fully homomorphic encryption [1]. It is possible to compute on the ciphertext using fully homomorphic encryption. In other words, a nontrusted information processing system can process information in ciphertext environment without disclosing any information of users. However, the main problem of fully homomorphic encryption is that the results are encrypted.
at is to say, although the third-party servers can perform ciphertext calculation, it cannot obtain the calculation results. In many application scenarios, third-party servers need to make certain decisions based on the results of the calculations. erefore, fully homomorphic encryption does not meet our requirements. Function encryption rstly appeared in the article [2]. It is an extension of the articles [2][3][4][5][6][7]. It enables the third party to operate and output a function of plaintext without decryption. erefore, it is very suitable for the computing scenario of data outsourcing encryption. Speci cally, in function encryption for a function family, the key generation algorithm can generate the corresponding decryption key for each function in this function family by using the master private key. Given the ciphertext of a plaintext, the owner of the decryption key of each function can calculate the corresponding function value for this plaintext. A secure function encryption system should satisfy that users with decryption key can only get a function value of the plaintext but not any information about the plaintext. e traditional public key encryption scheme is too extreme. It enables users with decrypted key to get all or no messages from the ciphertext.
erefore, it is of great signi cance to study function encryption.
Function encryption is a perfect noninteractive solution to many problems that arise in delegating services to external servers. Consider the following scenario: Suppose a bank subscribes to an external cloud server for storing nancial records of its customers. In order to ensure the security of these records and perform various computations on the outsourced data remotely from time to time, a cost-effective choice for the bank is to use a function encryption scheme to encrypt the records locally prior to uploading to the cloud server. Now, suppose the researchers wish to retrieve investment amount summary of all customers who have joined a certain wealth management product from the cloud server. For this, the bank needs to provide the researchers a decryption key for the corresponding functionality. However, if the encryption scheme used by the bank possesses no function privacy, then the researchers would get to know the specific customer's information from the decryption key provided by the bank. us, after performing the assigned computation, for financial gain, the researchers may leak the information to someone. is is clearly undesirable from the privacy point of view. Our function encryption scheme can solve the aforementioned information leak problem, and it can be applied to the following application scenarios such as spam filtering in the mail service, patient record privacy protection in the hospital, and partial decryption of information in the encrypted information store.

Our Result.
e design of our function encryption scheme depends on the idea of key encapsulation. Key encapsulation (also known as hybrid encryption) consists of two parts: an external scheme and an internal scheme. To encrypt messages in a hybrid encryption scheme, a new key is generated for the internal scheme and used to encrypt messages. e key itself is then encrypted using an external scheme. e final hybrid ciphertext consists of two parts: the external ciphertext and the internal ciphertext. If someone wants to decrypt, he should firstly decrypt the external ciphertext to get the key and use this key to decrypt the internal ciphertext. While the internal scheme is symmetric encryption and the external scheme is public key encryption, the hybrid scheme still belongs to public key encryption. Why use the idea of key encapsulation? e external scheme is inefficient, so it is only used to encrypt relatively short keys, while relatively long messages are encrypted by the internal scheme.
We choose symmetric encryption and public key encryption as the internal and external schemes of key encapsulation, respectively. In the design of the function encryption scheme, our idea is as follows: at first, we choose a key k of the internal scheme to encrypt the message x, and then use the external scheme to encrypt the key k to get the two parts of a complete ciphertext. is will allow for decryption during the two-step process described above. First, the key k of the internal scheme is obtained by decrypting the external ciphertext in the external scheme, and then f(x) is obtained by using this key in the internal scheme. Specifically, we describe how to use the public key encryption system, symmetric encryption system, noninteractive proof system, indistinguishable obfuscator, and commitment scheme to design our function encryption scheme. Our scheme achieves indistinguishable security [8].

Related Works.
e concept of function encryption originates from inner product encryption [6] and attributebased encryption [5]. Early function encryption generally refers to attribute-based encryption, predicate encryption, or inner product encryption. ese three kinds of encryption are the preliminary stages of function encryption. Sahai and Waters firstly created the concept of function encryption in 2008 [9]. Later, O'Neill proposed the security definition of the general function encryption [7], which laid the foundation for the research of function encryption.
In 2011, Boneh et al. [3] not only gave the general form of function encryption, but also gave the formal definition and various security definitions of function encryption. In 2012, Gorbunov et al. [10] proposed a nonconcise general-purpose function encryption scheme based on multiparty security calculation. In 2013, Waters [11], Garg et al., [12] and Ananth et al. [13] further improved the efficiency of universal function encryption system. Subsequently, the function encryption scheme for regular language [14] and the function encryption scheme-based deterministic finite automata [15] were proposed. In the same year, Garg et al. [16] constructed a general function encryption scheme for the first time using indistinguishable obfuscation, which set up a new direction for the research of universal function encryption. Goldwasser et al. [17] proposed a simple universal function encryption scheme which uses fully homomorphic encryption, attribute-based encryption, and obfuscation circuit technology as the underlying modules.
is scheme is a classical function encryption scheme. Later, Goldwasser et al. [18] firstly proposed multi-input function encryption.
ey not only proved the adaptive indistinguishable security of the scheme but also proved the simulation-based security of the scheme. It has to be noted that multi-input function encryption scheme is a refinement of function encryption, which can be applied in many occasions and can realize the security processing of multiuser information at different times.
With the deepening of research on function encryption and fully homomorphic encryption, a new full key homomorphic encryption scheme (FKHE) [19] was proposed at the Eurocrypt 2014. It combines fully homomorphic encryption with function encryption. It overcomes the shortcomings of single key shortage of fully homomorphic encryption and provides possibilities for the use of function encryption in the outsourcing computing environment. In 2015, Goyal et al. [20] proposed for the first time the definition and construction of function encryption for random functions, which proved that the construction scheme was simulation-based security. Ananth et al. [13] proved that any selective secure function encryption can be transformed into adaptive secure function encryption and designed an adaptive function encryption scheme that combines public key function encryption with private key function encryption. Brakerski and Segev [21] studied the symmetric function encryption system with function hiding. Abdalla et al. [22] firstly proposed an internal product function encryption scheme based on public key, which set up a new direction of practical internal product function encryption scheme. Bishop et al. [23] firstly proposed the inner product function encryption scheme of the function hidden in symmetric case. Subsequently, Datta et al. [24] improved Bishop's scheme. In 2018, Kim et al. [25] improved the inner product function encryption scheme of the function hidden to improve its efficiency. ey also described three application scenarios of inner product function encryption of the function hidden. Kim et al. made it possible to use the inner product function encryption of the function hidden in practical applications.

Organization.
is paper is organized as follows. e first section is the introduction of this paper. e second section is the existing definition of function encryption. In the third section, we recall some definitions of cryptographic primitives used in scheme construction. In the fourth section, we propose the design of our function encryption. In the fifth section, we prove the security of our constructed scheme. Finally, in the sixth section, we summarize the full text.

Basic Notation.
In the following sections, the security parameter is λ ∈ N. If |negl(λ)| < 1/poly(λ) holds for all polynomials poly(λ) and all sufficiently large λ, we call negl(λ) as negligible function. In this paper, "PPT" represents probabilistic polynomial time and "x ‖ y" represents a concatenation of x and y. Let F � F(λ) represent an ensemble, each of which is a finite function.

Function Encryption
In the second section, the concept of function encryption [3] and its indistinguishable security are rementioned. Indistinguishable security is not only the first consideration of function encryption but also of predicate encryption [4,6].

Syntax.
For a class of functions F � F(λ) over message space M � M λ , a function encryption scheme is composed of the following four algorithms: is is a random algorithm.
is algorithm requires a security parameter λ as the input of the algorithm, requires the master public key mpk, and the master secret key msk as the output of the algorithm. (ii) Enc(mpk, m) ⟶ CT: is algorithm requires the master public key mpk and the plaintext m ∈ M as the input of the algorithm and requires a ciphertext CT as the output of the algorithm. (iii) KeyGen(msk, f) ⟶ sk f : is algorithm requires the master secret key msk and the randomized function f ∈ F as the input of the algorithm and requires a secret key sk f as the output of the algorithm.
is algorithm requires the ciphertext CT and the secret key sk f as the input of the algorithm and requires a string f(m) as the output of the algorithm.
Definition 1 (correctness). If the following conclusion holds for every function f ∈ F and every message m ∈ M, the function encryption scheme for F is correct.
(1) Definition 2 (indistinguishable security of function encryption). e indistinguishable security can be seen as a game between the attacker A and challenger. is game is divided into five phases. (iv) Query phase 2: key queries continue to be initiated by the attacker A as before, but it also needs to satisfy that for any query In this game, the advantage of the attacker A is

Preliminaries
In the third section, we recall some concepts of primitives in cryptography, which are used in the construction of function encryption. Here, we omit not only the formal definitions of standard semantically secure public key encryption scheme PKE � (PKE.KeyGen, PKE.Enc, PKE.Dec) but also the formal definitions of standard semantically secure symmetric encryption scheme SE � (SE.Enc, SE.Dec). Next, we describe the formal definitions Security and Communication Networks 3 of indistinguishable obfuscation, commitment scheme, and witness indistinguishable proof system in detail.

Indistinguishable Obfuscation.
According to the syntax of [16], the concept of indistinguishable obfuscation was recalled.
Definition 3 (Indistinguishable Obfuscation(iO)). If the following conclusions hold, then the uniform PPT machine iO is known as an indistinguishable obfuscator of a circuit class C λ .
(i) Correctness: for every security parameter λ ∈ N, C ∈ C λ , and every input x, the following formula holds: (ii) Indistinguishability: there is a negligible function negl that makes the following conclusion hold for every PPT distinguisher Samp, D (which is not necessarily uniform). For every security parameter λ ∈ N and every pair of circuits C 0 ,

Commitment Scheme.
According to the syntax of [26], a commitment scheme Com takes a random number r and a string x as the input and takes c ⟵ Com(x; r) as the output. e following two properties are necessary for a perfectly binding commitment scheme: (i) Perfectly binding property: this property means that the commitments for two different strings must also be different. More formally, ∀ x 1 ≠ x 2 and r 1 , r 2 , Com(x 1 ; r 1 ) ≠ Com(x 2 ; r 2 ). (ii) Computational hiding property: for every string x 0 and x 1 (the length of x 0 and x 1 is the same) and for every PPT adversary A, the following formula holds:

Noninteractive Witness Indistinguishable
Proof. e syntax of the noninteractive proof system was firstly recalled, and then the formal concept of noninteractive witness indistinguishable (NIWI) proof [27] was also recalled.

3.3.1.
Syntax. An efficiently computable relation R is composed of pairs (x, w), in which x and w are named as the statement and the witness, respectively. e language consisting of statements in R is denoted by L. e following three algorithms constitute a noninteractive proof system for a language L: (i) NIWI.Setup(1 λ ) ⟶ crs: this algorithm requires a security parameter 1 λ as the input of the algorithm and requires a common reference string crs as the output of the algorithm. (ii) NIWI.Prove(crs, x, w) ⟶ π: this prove algorithm requires the common reference string crs and a statement x along with a witness w as the input of the algorithm. is prove algorithm outputs a proof string π when (x, w) ∈ R or outputs fail when { }: this verify algorithm requires the common reference string crs and a statement x with a corresponding proof π as the input. If the proof is valid, this algorithm outputs 1 and otherwise 0.

Definition 4 (NIWI).
A noninteractive witness indistinguishable proof system for a language L with a PPT relation R needs to satisfy the following properties: (i) Perfect completeness property: for all (x, w) ∈ R, the following formula holds: Pr[NIWI.Verify(crs, x, NIWI.Prove(crs, x, w)) � 1] � 1.

(5)
Here, the reference string crs is generated by the algorithm crs ⟵ NIWI.Setup(1 λ ), and the probability is taken over the coins of NIWI.

Construction
In the fourth section, we propose the design of function encryption scheme. In our construction, we set the key space of the symmetric encryption scheme SE to 0, 1 { } ℓ SE . In our scheme, we set the ciphertext length of the public key encryption scheme PKE � (PKE.KeyGen, PKE.Enc, PKE.Dec) to len c � len c (1 λ ). In the design of our scheme, the parameter len � 2 · len c will be used, and the symmetric encryption scheme SE needs to satisfy this property: where symbol "⊥" denotes an error.
In the design of our scheme, the NIWI proof system used is denoted by (NIWI.Setup, NIWI.Prove, NIWI.Verify), the perfectly binding commitment scheme used is denoted by Com, and the indistinguishable obfuscator used is denoted by iO. Now, we begin to give our scheme FE � (Setup, Enc, KeyGen, Dec).
(1) At first, two pairs of key pairs are generated using the key generation algorithm (pk 1 , sk 1 ) ⟵ PKE.KeyGen(1 λ ) and (pk 2 , sk 2 ) ⟵ PKE.KeyGen(1 λ ) of the public key encryption scheme (note: (pk, sk) ⟵ PKE.KeyGen(1 λ ) is a random algorithm) (2) Compute a common reference string crs ⟵ NIWI.Setup(1 λ ) using the NIWI proof system (3) Choose a symmetric encryption scheme SE (4) Compute C ⟵ Com(0 len ) (5) Let the master public key and the master secret key be mpk � (pk 1 , pk 2 , crs, C, SE) and msk � sk 1 , respectively (ii) Enc(mpk, m) ⟶ CT : (1) Choose a secret key K SE of the symmetric encryption and compute the ciphertexts CT 1 ⟵ PKE.Enc(pk 1 , K SE ) CT 2 ⟵ PKE.Enc(pk 2 , K SE ) CT 3 ⟵ SE.Enc(K SE , m) (2) Compute π ⟵ NIWI.Prove(crs, y, w) (y � (CT 1 , CT 2 , C, pk 1 , pk 2 )) (i) Either CT 1 and CT 2 are encryptions for the same plaintext, or (ii) C is a commitment for CT 1 ‖ CT 2 e real witness w real � (K SE , r 1 , r 2 ) is used to prove the first part of the statement, where the random numbers r 1 and r 2 are used to compute the ciphertexts CT 1 and CT 2 , respectively; the trapdoor witness w trap � s is used to prove the second part of the statement, where the random number s is used to compute C (3) e ciphertext is CT � (CT 1 , CT 2 , CT 3 , π) (iii) KeyGen(msk, f) ⟶ sk f (1) Compute the decryption key sk f ⟵ iO(G) for function f, where the circuit G is showed in Figure 1; it should be noted that the circuit G contains the random function f, the secret key sk 1 , and the master public key mpk

) It inputs CT and decryption key sk f and outputs f(m)
e correctness of the scheme we design is easily derived from the correctness of its components. Next, we will demonstrate the security of this scheme.

Proof of Security
Theorem 1. Assume that the aforementioned function encryption instantiated with a standard semantically secure public key encryption, a standard semantically secure symmetric encryption, a computational hiding commitment, a noninteractive witness indistinguishable proof, and indistinguishably secure obfuscator, it is indistinguishably secure.
Now, we prove that if the aforementioned assumption is true, no polytime attacker can break our scheme. We will prove indistinguishable security of the function encryption using indistinguishable game. We assume that a polytime attacker A makes q private key queries. Let f i (i ∈ [q]) denote the ith function query. ere is a constraint f i (m 0 ) � f i (m 1 ) for each function query.

Security and Communication Networks
Game 2. is game is exactly the same as the previous game (Game 1) except for a little difference. e difference is that for all key queries of f, the corresponding secret key sk f is computed by sk f ⟵ iO(G f ), where the circuit G f is described in Figure 2. Game 3. is game is exactly the same as the previous game (Game 2) except for a little difference. e difference is that the commitment C is computed as follows: the challenge ciphertext is denoted by CT * � (CT * 1 , CT * 2 , CT * 3 , π * ) and C ⟵ Com(CT * 1 ‖ CT * 2 ). Game 4. is game is exactly the same as the previous game (Game 3) except for a little difference. e difference is that in every challenge ciphertext CT * � (CT * 1 , CT * 2 , CT * 3 , π * ) π * is computed using the trapdoor witness. Game 5. is game is exactly the same as the previous game (Game 4) except for a little difference. e difference is that we modify the challenge ciphertext CT * � (CT * 1 , CT * 2 , CT * 3 , π * ): the second ciphertext CT * 2 is an encryption of k 0 , that is, CT * 2 ⟵ PKE.Enc (pk 2 , k 0 ). Game 6. is game is exactly the same as the previous game (Game 5) except for a little difference. e difference is that for all key queries of f, the corresponding secret key sk f is computed by sk f ⟵ iO(G * f ), where the circuit G * f is described in Figure 3. Game 7. is game is exactly the same as the previous game (Game 6) except for a little difference. e difference is that we modify the challenge ciphertext CT * � (CT * 1 , CT * 2 , CT * 3 , π * ): the first ciphertext CT * 1 is an encryption of k 0 , that is, CT * 1 ⟵ PKE.Enc(pk 1 , k 0 ). Game 8. is game is exactly the same as the previous game (Game 7) except for a little difference. e difference is that the symmetric encryption key k 1 is replaced by another key k 2 . Game 9. is game is exactly the same as the previous game (Game 8) except for a little difference. e difference is that we modify the challenge ciphertext CT * � (CT * 1 , CT * 2 , CT * 3 , π * ): the third ciphertext CT * 3 is an encryption of m 1 , that is, CT * 3 ⟵ SE.Enc(k 2 , m 1 ). Game 10. is game is exactly the same as the previous game (Game 9) except for a little difference. e difference is that we modify the challenge ciphertext CT * � (CT * 1 , CT * 2 , CT * 3 , π * ): the first ciphertext CT * 1 is an encryption of k 2 , that is CT * 1 ⟵ PKE.Enc(pk 1 , k 2 ). Game 11. is game is exactly the same as the previous game (Game 10) except for a little difference. e difference is that for all key queries f, the corresponding secret key sk f is computed by sk f ⟵ iO(G f ). Game 12. is game is exactly the same as the previous game (Game 11) except for a little difference. e difference is that we modify the challenge ciphertext CT * � (CT * 1 , CT * 2 , CT * 3 , π * ): the second ciphertext CT * 2 is an encryption of k 2 , that is, CT * 2 ⟵ PKE.Enc(pk 2 , k 2 ). Game 13. is game is exactly the same as the previous game (Game 12) except for a little difference. e difference is that in every challenge ciphertext CT * � (CT * 1 , CT * 2 , CT * 3 , π * ), the proof π * is computed using the real witness. Game 14. is game is exactly the same as the previous game (Game 13) except for a little difference. e difference is that the commitment C is computed as follows: C ⟵ Com(0 len ). Note that this game corresponds to the selective indistinguishable game that has been honestly executed, where the challenger encrypts the message m 1 in the challenge ciphertext. e description for the sequence of games is completed. Next, we prove that the neighbouring games are indistinguishable.

Lemma 1. Game 1 and Game 2 are computationally indistinguishable when iO is an indistinguishable obfuscator.
Proof. We can see that the difference between Game 1 and Game 2 lies only in the calculation method of the secret key sk f . In the former experiment, Game 1, for any key query f, the secret key sk f is outputted by iO(G); however, in the latter experiment, Game 2, the secret key sk f is outputted by iO(G f ). If we want to prove that Game 1 and Game 2 are computationally indistinguishable, we need to prove that for any input CT, G and G f have identical output for identical input. en, according to the security of indistinguishable obfuscator, we can get that iO(G) and iO(G f ) are computationally indistinguishable, which means that Game 1 and Game 2 are computationally indistinguishable.
First, we will prove that for any input CT � (CT 1 , CT 2 , CT 3 , π), G outputs ⊥ if and only if G f outputs ⊥.
We can find that both G and G f output ⊥ if and only if the proof π is invalid, that is, NIWI.Verify(crs, y, π) � 0. Here, y � (CT 1 , CT 2 , C, pk 1 , pk 2 ). If the proof π is valid, we define that an input CT � (CT 1 , CT 2 , CT 3 , π) is valid.

Security and Communication Networks
Here we have to consider two cases: (i) Case 1. ere does not exist a c i , such that c i � CT * 1 ‖ CT * 2 . (ii) Case 2. ere exists a c i , such that c i � CT * 1 ‖ CT * 2 . For the case 1, both G and G f compute k 1 with sk 1 by decrypting CT 1 , compute m with k 1 by decrypting CT 3 , and outputs f(m). In the case 2, G computes k 1 with sk 1 by decrypting CT 1 , computes m with k 1 by decrypting CT 3 , and also outputs f(m). What's more, because c i � CT * 1 ‖ CT * 2 , G f also outputs f(m). So we can get that G(CT) � G f (CT). e experiment G 2,i (0 ≤ i ≤ q) is defined as follows: in G 2,i , the first ith queries are answered by G and the remaining (i + 1)th to qth queries are answered by G f . We can see that G 2,0 happens to be Game 1 and G 2,q happens to be Game 2.
Here, we prove that if there is a PPT adversary A which can distinguish the experiments G 2,i and G 2,i+1 with nonnegligible advantage, there is another PPT adversary B which can break the security of indistinguishable obfuscator with nonnegligible advantage.
We construct B by A as follows: (1) First of all, the adversary B honestly runs the Game 1.
(2) For the first ith key queries f, the adversary B computes the key sk f by G f . For the remaining (i + 2)th to qth key queries f, the adversary B computes the key sk f by G. We happen to be in experiment G 2,i when the challenger of iO chose the circuit G; We happen to be in experiment G 2,i+1 when the challenger of iO chose the circuit G f . erefore, if the adversary A can distinguish between the two experiments with nonnegligible advantage, then the adversary B can break the security of indistinguishable obfuscator with the same advantage.
In summary, Game 1 is computationally indistinguishable from Game 2. Proof. We can see that the difference between Game 2 and Game 3 lies only in the calculation method of the commitment C. In the former game, Game 2, C is a commitment for 0 len ; however, in the latter game, Game 3, C is a commitment for CT * 1 ‖ CT * 2 . It is important to note that the random number used to compute C is never used anywhere.
(2) If NIWI.Verify (crs, y, π) = 0, output ⊥ and stop. If NIWI.Verify (crs, y, π) = 1, continue to the next step. Here the statement corresponding to π is y = (CT 1 , CT 2 , C, pk 1 , pk 2 ).  Proof. We can see that the difference between Game 3 and Game 4 lies only in the witness w used. In Game 3, for proving that CT * 1 and CT * 2 are encryptions of the same message, we use the real witness to compute π. However, in Game 4, for proving that C is a commitment for CT * 1 ‖ CT * 2 , we use the trapdoor witness to compute π. Since NIWI is witness indistinguishable, Game 3 is computationally indistinguishable from Game 4. Proof. We can see that the difference between Game 4 and Game 5 lies only in the calculation method of the second ciphertexts CT * 2 in the challenge ciphertexts CT * . In Game 4, CT * 2 is an encryption of the random message k 1 , while in Game 5, CT * 2 is an encryption of the random message k 0 . Next, we show that if there is an adversary A who can distinguish Game 4 from Game 5, there is an adversary B who can break the semantic security of the public key encryption system. e adversary B is designed as follows: (1) At first, the adversary B received a public key pk from the challenger. (2) B generates (pk 1 , sk 1 ) ⟵ PKE.KeyGen(1 λ ), crs ⟵ NIWI.Setup(1 λ ), and chooses a symmetric encryption scheme SE. Next, the adversary B encrypts the string k 1 using pk 1 to compute the ciphertext CT * 1 . outputs that CT * 2 is an encryption of k 1 , otherwise outputs that CT * 2 is an encryption of k 0 . We can see that the adversary B just runs Game 4 when CT * 2 is an encryption of k 1 , and B just runs Game 5 when CT * 2 is an encryption of k 0 . erefore, if there exists an adversary who can distinguish the outputs of the two games with nonnegligible advantage, we can construct another adversary who can break the semantic security of public key encryption with nonnegligible advantage.

Lemma 5. If Com is perfectly binding, and NIWI is statistically sound, iO is an indistinguishable obfuscator and Game 5 and Game 6 are computationally indistinguishable.
Proof. Similar to the proof of Lemma 1, we firstly prove that for any input CT � (CT 1 , CT 2 , CT 3 , π), G f outputs ⊥ if and only if G * f outputs ⊥. We can see that both G f and G * f output ⊥ if and only if the proof π is invalid, that is, NIWI.Verify(crs, y, π) � 0 (y � (CT 1 , CT 2 , C, pk 1 , pk 2 )).
So we need to consider valid inputs only. en, we will prove that all valid inputs CT � (CT 1 , CT 2 , CT 3 , π) meet one of the following properties: (i) CT 1 and CT 2 are encryptions for the same message (ii) ere exists an i such that CT 1 ‖ CT 2 � c i We are going to use a proof by contradiction here. We assume that there is a valid input that satisfies neither of the above properties. Because NIWI is statistically sound, the statement y � (CT 1 , CT 2 , C, pk 1 , pk 2 ) must have either a real witness or a trapdoor witness when the input is valid. However, because CT 1 and CT 2 are encryptions of different messages, the real witness does not exist. erefore, there must be a trapdoor witness to make the input valid.
at means there is s such that C � Com(CT 1 ‖ CT 2 ; s). On the other hand, since C � Com(CT * 1 ‖ CT * 2 ; s) and Com is perfectly binding, us, we get a contradiction, and the assumption is not true.
Next, we will prove that for any input CT � (CT 1 , CT 2 , CT 3 , π), G f (CT) � G * f (CT). If both CT 1 and CT 2 are encryptions for the same message, then PKE.Dec(sk 1 , CT 1 ) � PKE.Dec(sk 2 , CT 2 ) � k 1 , and SE.Dec(k 1 , CT 3 ) � m. erefore, both G f and G * f output f(m). On the other hand, if there is an i satisfying CT 1 ‖ CT 2 � c i , then both G f and G * f output f(m). erefore, for all valid inputs, G f and G * f have same output for the same input, that is, G f (CT) � G * f (CT). In summary, if there exists an adversary which can distinguish the outputs of these games with nonnegligible advantage, we can construct another adversary which can break the security of indistinguishable obfuscation with the same advantage. □ Lemma 6. Game 6 is computationally indistinguishable from Game 7, when PKE is a semantically secure public key encryption scheme. Proof.
e proof method of this lemma is the same as the proof method of lemma 4, so it is omitted here. Proof. We can see that Game 7 and Game 8 differ in the secret key used in the symmetric encryption scheme. In Game 7, k 1 is used to encrypt m 0 , while in Game 8, k 2 is used to encrypt m 0 . We can find that both k 1 and k 2 are chosen randomly from the key space of symmetric encryption scheme. So Game 7 is computationally indistinguishable from Game 8. Proof. Since the proof method of this lemma is the same as that of lemma 4, the proof process is omitted here. Proof. Since the proof method of this lemma is the same as that of lemma 4, the proof process is omitted here. □ Lemma 10. Game 10 and Game 11 are computationally indistinguishable when NIWI is statistically sound, Com is perfectly binding, and iO is an indistinguishable obfuscator.
Proof. Since the proof method of this lemma is the same as that of lemma 5, the proof process is omitted here.

Proof.
Since the proof method of this lemma is the same as that of lemma 4, the proof process is omitted here. Proof. Since the proof method of this lemma is the same as that of lemma 3, the proof process is omitted here. Proof. Since the proof method of this lemma is the same as that of lemma 2, the proof process is omitted here.

Conclusion
We firstly design a function encryption scheme using the key encapsulation mechanism in this paper. is mechanism combines public key encryption with symmetric encryption. We encrypt the message using symmetric encryption, and then we encrypt the key of symmetric encryption using public key encryption. In the construction of function encryption scheme, we use noninteractive witness indistinguishable proof, commitment scheme, and indistinguishable obfuscator. Finally, the indistinguishable security of the designed function encryption is proven.

Data Availability
No data were used to support this study.

Conflicts of Interest
e authors declare that they have no conflicts of interest.