Private Predicate Encryption for Inner Product from Key-Homomorphic Pseudorandom Function



Introduction
In recent years, cloud computing has become increasingly important as smartphones and Internet of Things devices are widely used in our life. Users typically upload their data to the cloud to achieve efficient computing and reduce storage requirements of their devices. Because the uploaded data are sensitive, users may consider using authentication protocols [1][2][3][4] and encryption schemes [5,6] to protect their data privacy in the cloud environment. One novel approach is to encrypt data before it is uploaded to the cloud. However, encrypted data loses flexibility in data usage, such as fine-grained control over access to encrypted data. For example, a user may want to search for and download ciphertext that corresponds to certain attributes. If each piece of data is purely encrypted, the only way is to download all the ciphertexts and decrypt them for search. Unfortunately, this approach would be very inefficient. Therefore, how to efficiently control the access to encrypted data and ensure the privacy and security of data is an urgent issue for cloud computing.
Predicate encryption (PE) [7], formalized by Katz et al., is a general paradigm that conceptually captures public-key encryption supporting fine-grained access control policy. In a PE scheme for a predicate function $P$, a secret key, issued by a trusted authority, is associated with a key attribute $y$, while the ciphertext is associated with a ciphertext attribute $x$. Specifically, the ciphertext can be decrypted using the secret key if and only if $P(x, y) = 1$. Therefore, PE can be used as an access control mechanism for the previous cloud storage scenario and provide flexibility for encryption schemes, which allows a sender to encrypt data with a more complicated access policy. For example, in a school scenario, the secret keys of each teacher and each student are associated with key attributes "teacher" and "student," respectively. If the principal wants to encrypt a file that can only be decrypted by each student and teacher, he/she can use a PE supporting "belong to" functionality and encrypt this file with a ciphertext attribute "student or teacher." Because the key attributes "teacher" and "student" belong to ciphertext attribute "student or teacher," the secret keys associated with these key attributes can decrypt the ciphertext.
Additionally, Katz et al. proposed the first PE supporting inner product predicate, called PE for inner product (IPE), where a ciphertext can be decrypted if and only if the inner product of $x$ and $y$ is equal to 0. They further suggested that IPE can be used to build other more flexible schemes, such as (anonymous) identity-based encryption [8], hidden vector encryption [9,10], CNF/DNF formulas [7], PE schemes supporting polynomial evaluation [11], and exact thresholds [12]. The most basic security requirement of IPE, called payload-hiding, stipulates that a ciphertext does not reveal any information of the plaintext if $P(x, y) = 1$. A stronger security requirement of PE is attribute-hiding, which stipulates that a ciphertext reveals nothing about the ciphertext attribute. Although many attribute-hiding IPE schemes [13][14][15][16] have been studied, few schemes [17][18][19] focus on predicate-hiding security. In more detail, a secret key may reveal some sensitive information of the predicate that belongs to the key holder. In a public-key cryptosystem, since the encryption algorithm is publicly accessible, any user can adaptively generate a ciphertext. A user who has obtained a secret key can evaluate its predicate with possible ciphertexts; thus it is hard to achieve predicate-hiding in the public-key setting.
Shen et al. [18] first considered constructing IPE under the symmetric-key setting, a.k.a. private IPE, to achieve the predicate-hiding security requirement. More precisely, in their work, generating a ciphertext, like generating a secret key, requires a master secret key, so that not every user can adaptively generate a ciphertext to test which predicate is embedded in the secret key. Compared with IPE under the public-key setting, private IPE is more suitable for cloud storage under a self-use scenario. For example, as shown in Figure 1, Alice uses the cloud storage service to store her files. For privacy concerns, she uses private IPE as an access control mechanism. Alice not only uploads an encrypted file $ct_{File,i}$ but also uploads another ciphertext $ct_{x,i} = \mathrm{Encrypt}(SK, x, M = 1)$ for a specific ciphertext attribute by using private IPE. When Alice wants to retrieve encrypted files, she can send the secret key for some key attribute, that is, $sk_y \leftarrow \mathrm{KeyGen}(SK, y)$, to the cloud. The cloud can then evaluate the predicate on each ciphertext by performing decryption. If the predicate is satisfied, that is, $1 \stackrel{?}{=} \mathrm{Decrypt}(ct_{x,i}, sk_y)$, the cloud returns the corresponding encrypted files of those ciphertexts. After Shen et al.'s pioneering work [18], Yoshino et al. [19] provided a more practical IPE scheme that uses only three groups, whereas [18] required four groups. In addition, Kawai and Takashima [17] then introduced a predicate-hiding IPE, where the security is proven under the decision linear assumption without random oracles. However, the sizes of the secret keys of the above schemes [17][18][19] are linearly related to the lengths of the key attributes. Because users may obtain many secret keys for decrypting different ciphertexts, it is important to reduce the size of the secret key. In addition, Shor [20,21] has shown that existing quantum algorithms can break the discrete logarithm and factoring assumptions.
Therefore, the current private IPE schemes [17][18][19] [22], we propose a generic private IPE construction by utilizing specific key-homomorphic pseudorandom functions (PRF). By the advantage of the generic construction, the construction enjoys the security properties of the underlying primitives. Therefore, if the underlying key-homomorphic PRF is quantum-resistant, we further obtain a quantum-resistant private IPE scheme. In particular, in our construction, we require the underlying key-homomorphic PRF to have the following property for decryption correctness: the key space $K$ and the output space $Y$ are equal to $\mathbb{Z}_q$, for some prime $q$.
To obtain a private IPE scheme with constant-size secret key, we carefully use the key-homomorphic property of the key-homomorphic PRF to map each predicate attribute to the inner product of master secret key and secret key. That is, where $y = (y_1, \ldots, y_\ell)$ is a predicate vector and $(a = (a_1, \ldots, a_\ell), h)$ is the master secret key. Hence, the size of the secret key is only $\log_2 q$, where $q$ is the underlying modulus.
In addition, rigorous security proofs are provided to demonstrate that if the underlying key-homomorphic PRF satisfies pseudorandomness (i.e., the output value of the key-homomorphic PRF is indistinguishable from a value randomly chosen from $Y$), the proposed construction satisfies the criteria of payload-hiding, attribute-hiding, and predicate-hiding privacy. The comparison of our construction with other state-of-the-art private IPE schemes is presented to show that our result is not only more secure but also more efficient with respect to the size of the secret key.
In summary, this work introduces a generic construction to show how to obtain the first quantum-resistant private IPE scheme with a constant-size secret key.

Paper Organization.
The rest of the paper is organized as follows. Section 2 recalls the definition of the PRF used in our generic construction. Moreover, Section 3 provides the definition and security requirement of the private PE. Next, Sections 4 and 5 introduce and provide the security proofs of our generic construction, respectively. Section 6 compares our proposed construction with the related private IPE schemes. Finally, Section 7 concludes this study.

Pseudorandom Function (PRF)
In this section, we recall the definition of pseudorandom function from [23].
Definition 1 (pseudorandom functions [23]). A PRF $F: K \times X \to Y$ is a keyed function defined over a key space $K$, a domain $X$, and a range $Y$ (these sets may be parameterized by the security parameter $\lambda$), whose output is indistinguishable from a truly random value. The security of a PRF can be defined by the two experiments EXP(0) and EXP(1) with an adversary $A$. At first, a key $k$ is uniformly randomly chosen from the key space $K$. Given the description of the PRF, the adversary is then allowed to make queries to the following oracles:

Once the adversary is done querying the oracles, it outputs a bit $b' \in \{0, 1\}$. For $b = 0, 1$, we define $W_b$ as the event where the adversary outputs $b' = 1$ in the experiment EXP($b$). The advantage of an adversary $A$ is defined as

We say that a PRF is secure if, for all PPT adversaries $A$,

Definition 2 (key-homomorphic PRF [24]). Let $(K, \circ)$ and $(Y, *)$ be groups. Then, a keyed function $F: K \times X \to Y$ is a key-homomorphic PRF:

(ii) For every $k_1, k_2 \in K$ and every input $x \in X$, we have

Definition 3 (pseudorandom generators [24]). A pseudorandom generator (PRG) is an efficiently computable function $G: X \to Y$ with the following security, where $(X, \circ)$ and $(Y, *)$ are groups. A PRG is secure if, for any PPT algorithm $A$, is negligible.
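The key-homomorphic property of Definition 2, in its standard form $F(k_1 \circ k_2, x) = F(k_1, x) * F(k_2, x)$, can be checked on a concrete function. The following is an added example, not code from the paper: it uses the classic random-oracle candidate $F(k, x) = H(x)^k$ in a prime-order group, with toy parameters chosen here for illustration. This candidate is not quantum-resistant and its output space is a group rather than $\mathbb{Z}_q$, so it does not meet the requirements of the paper's construction; it only shows how a weighted combination of $\ell$ keys collapses into a single element of $\mathbb{Z}_q$.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example and far too small for real use.
# P = 2*Q + 1 is a safe prime, so the squares mod P form a group of prime order Q.
P = 1019
Q = 509


def hash_to_group(x: bytes) -> int:
    """Map an input to a non-identity element of the order-Q subgroup mod P.

    SHA-256 stands in for the random oracle H; squaring lands in the subgroup.
    """
    counter = 0
    while True:
        digest = hashlib.sha256(counter.to_bytes(4, "big") + x).digest()
        candidate = int.from_bytes(digest, "big") % P
        if candidate not in (0, 1, P - 1):  # these would square to 0 or 1
            return pow(candidate, 2, P)
        counter += 1


def prf(key: int, x: bytes) -> int:
    """F(k, x) = H(x)^k mod P, keys in (Z_Q, +), outputs in the subgroup."""
    return pow(hash_to_group(x), key % Q, P)


def combine_keys(keys, weights) -> int:
    """Collapse sum_i weights[i] * keys[i] into one key in Z_Q."""
    return sum(k * w for k, w in zip(keys, weights)) % Q


def combine_outputs(outputs, weights) -> int:
    """Apply the same linear combination on the output side of the PRF."""
    acc = 1
    for out, w in zip(outputs, weights):
        acc = acc * pow(out, w % Q, P) % P
    return acc


def check_key_homomorphism(keys, weights, x: bytes) -> dict:
    """Verify the pairwise property and its extension to linear combinations."""
    pairwise = prf((keys[0] + keys[1]) % Q, x) == (
        prf(keys[0], x) * prf(keys[1], x) % P
    )
    collapsed = combine_keys(keys, weights)
    per_key_outputs = [prf(k, x) for k in keys]
    linear = prf(collapsed, x) == combine_outputs(per_key_outputs, weights)
    return {"pairwise": pairwise, "linear": linear, "collapsed_key": collapsed}


if __name__ == "__main__":
    ell = 8  # vector length; the collapsed key stays a single Z_Q element
    keys = [secrets.randbelow(Q) for _ in range(ell)]
    weights = [secrets.randbelow(Q) for _ in range(ell)]
    print(check_key_homomorphism(keys, weights, b"public input h"))
```

The collapsed key is one value below `Q` whatever the vector length, which is the size argument behind a secret key of $\log_2 q$ bits.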

Private Predicate Encryption
Let $P = \{P_\ell\}_{\ell \in \mathbb{N}^c}$ for some constant $c \in \mathbb{N}$ be a predicate family, where $P_\ell : A_\ell \times P_\ell \to \{0, 1\}$ is a predicate function defined over a ciphertext attribute space $A_\ell$ and a key attribute space $P_\ell$. The family index $\ell$ specifies the description of a predicate from the family. We would occasionally omit the index $\ell$ when the context is clear.
{ } consists of four algorithms: Setup, KeyGen, Encrypt, and Decrypt. The details of the algorithms are shown as follows:
(i) Setup. Given the security parameters and the family index $(\lambda, \ell)$, the algorithm outputs the system parameter $pp$ and the secret key $SK$. Note that the description of $A$ and $P$ will be implicitly included in $pp$.
(ii) $\mathrm{Encrypt}(pp, SK, x, M) \to ct_x$. Given the system parameter $pp$, a secret key $SK$, a ciphertext attribute $x \in A$, and a message $M$, the algorithm outputs a ciphertext $ct_x$ for $x$.
(iii) $\mathrm{KeyGen}(pp, SK, y) \to sk_y$. Given the system parameter $pp$, a secret key $SK$, and a key attribute $y \in P$, the algorithm outputs the secret key $sk_y$ for $y$.
(iv) $\mathrm{Decrypt}(pp, ct_x, sk_y) \to (M / \bot)$. Given the system parameter $pp$, a ciphertext $ct_x$, and a secret key $sk_y$, the algorithm outputs a message $M$ or an error symbol $\bot$.
In this paper, we construct a private PE scheme supporting inner product predicate function defined over $\mathbb{Z}_q^\ell$, where $q$ is a large prime. That is, Such encryption schemes are called "private PE for inner product" (private IPE), and $A = \mathbb{Z}_q^\ell$ and $P = \mathbb{Z}_q^\ell$ are called attribute vector space and predicate vector space, respectively.

Security Definitions.
In private PE, there exist three types of adversary that want to retrieve the information of message, ciphertext attribute, and key attribute from ciphertext and secret key. Therefore, we model three security requirements of private PE, payload-hiding, attribute-hiding, and predicate-hiding securities, to model the attacks from these adversaries. The payload-hiding security [7] for predicate function $P: A \times P \to \{0, 1\}$ is defined as an interactive game between a challenger $C$ and an adversary $A$. In payload-hiding models, a ciphertext reveals nothing about the encrypted message, and thus in some literature it is defined as IND-CPA security.

Payload-Hiding Game
(i) Setup. The challenger $C$ runs $\mathrm{Setup}(1^\lambda, 1^\ell)$ to generate a secret key $SK$ and the system parameter $pp$. Then, it sends the system parameter $pp$ to the adversary $A$ and keeps the secret key $SK$ secret.
(ii) Query Phase 1. $A$ can make polynomially many queries to the oracles described as follows:
    (a) KeyGen Oracle: when $A$ issues a query with $y \in P$, $C$ returns a secret key $sk_y \leftarrow \mathrm{KeyGen}(pp, SK, y)$.
    (b) Encrypt Oracle: when $A$ issues a query with $x \in A$ and a message $M$, $C$ returns a ciphertext $ct_x \leftarrow \mathrm{Encrypt}(pp, SK, x, M)$.
(iii) Challenge. The adversary $A$ submits $x^* \in A$ such that $P(x^*, y) = 0$ for all $y \in P$ that have been queried to KeyGen Oracle in Query Phase 1, and two messages $M_0, M_1$ with the same length to the challenger $C$. Then $C$ randomly chooses $b \in \{0, 1\}$ and returns a challenge ciphertext $c_{x^*} \leftarrow \mathrm{Encrypt}(pp, SK,$
(iv) Query Phase 2. This phase is the same as Query Phase 1, except that $A$ is only allowed to make a query to KeyGen Oracle with $y \in P$ such that $P(x^*, y) = 0$.
(v) Guess. The adversary $A$ outputs a bit $b'$ and wins the game if $b' = b$.

The advantage of an adversary for winning the payload-hiding game is defined as

Definition 5 (payload-hiding for private predicate encryption). We say that private PE is payload-hiding if there is no probabilistic polynomial-time adversary $A$ winning the above payload-hiding game with a nonnegligible advantage.

Next, we define the "attribute-hiding" security for private PE, which can also be extended from the attribute-hiding definition for conventional PE [7]. Attribute-hiding security models the requirement that no adversary can obtain any information of the ciphertext attribute $x$ from the ciphertext. We then define attribute-hiding via a security game between a challenger $C$ and an adversary $A$.

Attribute-Hiding Game
(i) Setup, Query Phase 1, Query Phase 2, and Guess are the same as those in the payload-hiding game.
(ii) Challenge. The adversary $A$ submits two ciphertext attributes (1) , y) for all $y \in P$ that have been queried to KeyGen Oracle in Query Phase 1, and a message $M$ with the same length to the challenger $C$. Then, $C$ randomly chooses $b \in \{0, 1\}$ and returns a challenge ciphertext $c_{x^*} \leftarrow \mathrm{Encrypt}(pp, SK,$

The advantage of an adversary for winning the attribute-hiding game is defined as

Definition 6 (attribute-hiding for private predicate encryption). We say that private PE is attribute-hiding, if there is no probabilistic polynomial-time adversary $A$ winning the above attribute-hiding game with a nonnegligible advantage.

There is another weaker notion, called "weak attribute-hiding" [25]. The weak attribute-hiding game is the same as the above attribute-hiding game, except the following: (1) , y) = 0 for all $y \in P$ which has been queried to KeyGen Oracle in Query Phase 1."

Furthermore, we define "predicate-hiding" for a private PE scheme via the following game, which models the notion that a secret key $sk_y$ reveals nothing about the key attribute $y$.

Predicate-Hiding Game
(i) Setup, Query Phase 1, Query Phase 2, and Guess are the same as those in the payload-hiding game.
(ii) Challenge. The adversary $A$ submits two key attributes $y^{(0)}, y^{(1)} \in P$ to the challenger $C$, such that $P(x, y^{(0)}) = P(x, y^{(1)}) = 0$ for all $x \in A$ that have been queried to Encrypt Oracle in Query Phase 1. Then, $C$ randomly chooses $b \in \{0, 1\}$ and returns a challenge secret key $sk_{y^{(b)}} \leftarrow \mathrm{KeyGen}(pp, SK, y^{(b)})$.

The advantage of an adversary for winning the predicate-hiding game is defined as

Definition 7 (predicate-hiding for private predicate encryption). We say that private PE achieves predicate-hiding if there is no probabilistic polynomial-time adversary $A$ winning the above predicate-hiding game with nonnegligible advantage.

A Private IPE from Key-Homomorphic PRF
In the following, we describe how to obtain a private IPE from a key-homomorphic PRF. In our construction, we require that $R = \mathbb{Z}_q$, for some prime $q$. Additionally, we assume that the decryptor knows the value of the predicate vector $y$ of his/her secret key $sk_y$.
Note that the descriptions of F and G are implicitly included in the system parameter pp.
(ii) $\mathrm{Encrypt}(pp, SK, x, M)$. Given the system parameter $pp$, a secret key $SK$, an attribute vector $x = (x_1, \ldots, x_\ell) \in R^\ell$, and a message $M$, the algorithm runs the following steps:
(iii) $\mathrm{KeyGen}(pp, SK, y)$. Given the system parameter $pp$, a secret key $SK$, and a predicate vector $y = (y_1, \ldots, y_\ell) \in R^\ell$, the algorithm computes the following steps:
(iv) $\mathrm{Decrypt}(pp, ct_x, sk_y)$. Given the system parameter $pp$, a ciphertext $ct_x$, and a secret key $sk_y$, the algorithm computes the following steps:

Correctness. Let $ct_x$ and $sk_y$ be as above. Then, If $\langle x, y \rangle = 0$, we have Then, we can compute $\sigma = ct' \cdot (\sum_{i=1}^{\ell} y_i)^{-1}$, and the plaintext can be decrypted by

Our scheme accommodates approximate homomorphism [26], as long as the error term is bounded.

Payload-Hiding Security.
We prove the payload-hiding security of our scheme using the sequence-of-game approach [27]. Let $(c_0, c_1, \ldots, c_\ell)$ be the challenge ciphertext given to the adversary in the payload-hiding game. Besides, let $R_0$ be a random element in $\{0, 1\}^m$ and let $R_1, \ldots, R_\ell$ be random elements in $R$. We define the following hybrid games differing in what challenge ciphertext is sent to the adversary:
(i) Game$_0$. The challenge ciphertext is $(c_0, c_1, \ldots, c_\ell)$. It is identical to the original payload-hiding game defined in Section 3.2.

We remark that the challenge ciphertext in Game$_{\ell+1}$ leaks no information about the encrypted message, since it is composed of $\ell + 1$ random elements, whereas the challenge ciphertext in Game$_0$ is well formed. Therefore, the advantage of the adversary in the last game is 0. We then prove the indistinguishability between the adjacent games in the following lemmas.

Lemma 1. If the underlying PRF F is secure, then
Proof. Suppose that there is an adversary $A$ that is able to distinguish Game$_{k-1}$ from Game$_k$ with a nonnegligible advantage. Then we can build a challenger $C_1$ to distinguish the experiment EXP(0) from the experiment EXP(1) shown in Section 2. After invoking the experiment EXP($b$) and receiving the description of the PRF $F$, the challenger $C_1$ simulates a hybrid game for an adversary $A$ as follows:

Setup. The challenger first randomly chooses $a_1, \ldots, a_{k-1}, a_{k+1}, \ldots, a_\ell$ from $R$ and $h$ from $X$ and a pseudorandom generator $G$ and then sends $pp = (F, G)$ to the adversary. Next, the challenger makes a Challenge query with $h$ to the underlying experiment and obtains $f$ as the response. The value of $f$ will be used in the later simulation for KeyGen and Encryption Oracle.
Query Phase 1. In this phase, the adversary is allowed to make polynomially many queries to the following oracles.
(i) KeyGen Oracle: taking as inputs a vector $y = (y_1, \ldots, y_\ell) \in R^\ell$, the challenger computes and returns $sk_y$ to the adversary. By implicitly setting $a_j$ to the chosen key of the underlying experiment, it is easy to verify that $sk_y$ is a valid secret key for $y$.
Query Phase 2. It is the same as Query Phase 1 except that the adversary is not allowed to make a query to KeyGen Oracle with $y$ such that $\langle x^*, y \rangle = 0$.
Guess. The adversary outputs a bit $\beta'$. Then the challenger outputs 1 if $\beta' = \beta$ and 0 otherwise.

Before analyzing the advantages of the challenger in breaking the underlying PRF, we first discuss that the outputs of the oracles are well formed, no matter which experiment the challenger interacts with. Let $S_i$ be the event where the adversary makes a right guess in Game$_i$. First, if the challenger is actually interacting with the experiment EXP(0), then $f$ is a random element in $R$. In this case, the answer to a KeyGen Oracle, is an element of $R$ and the answer to an Encryption query Therefore, the answers to KeyGen and Encryption queries are well formed.
Next, we analyze the advantage of $C_1$ in breaking the underlying PRF. First, if the challenger is interacting with the experiment EXP(0), then $f$ is a random element in $R$. Thus, $c_1, \ldots, c_k$ in the challenge ciphertext are random elements, and thus we are in Game$_k$. Thus, the probability that the challenger outputs 1 is

Second, if the challenger is interacting with the experiment EXP(1), then $f$ is the output of the PRF with input $h$. By implicitly setting the encryption key component $a_k$ as the chosen key of the underlying experiment, we have $f = F(a_k, h)$, and thus the challenger answers the KeyGen and Encryption queries correctly. As for the challenge ciphertext, we have that is a valid ciphertext component. Since $c_1, \ldots, c_{k-1}$ are random elements from $R$, we are in Game$_{k-1}$. In this case, the probability that the challenger outputs 1 is

Finally, combining the above two cases, we have that

Proof. Given the description of the PRG $G$ and a challenge $\psi \in \{0, 1\}^m$, the challenger $C_2$ simulates the following hybrid game for an adversary $A$:

Setup. The challenger first chooses a key-homomorphic pseudorandom function $F: R \times X \to R$, $a_1, \ldots, a_\ell$ from $R$ and $h$ from $X$ and then sends $(F, G)$ to the adversary.
Query Phase 1. The challenger is able to answer the KeyGen (Encryption, resp.) queries by following the KeyGen (Encrypt, resp.) algorithms to generate the secret keys $sk_y$ (ciphertexts $ct_x$, resp.), since the challenger knows the secret key $SK = (a_1, \ldots, a_\ell, h)$.
Challenge. The adversary submits two messages $M_0, M_1$ with the same length and a vector $x^*$, such that $\langle x^*, y \rangle \neq 0$ for all $y$ queried to KeyGen Oracle. After receiving $x^*, M_0, M_1$, the challenger randomly chooses $\beta \xleftarrow{\$} \{0, 1\}$ and then can compute the challenge ciphertext $ct^*$ as follows: $(c_0, c_1, \ldots, c_\ell)$.
Query Phase 2. It is the same as Query Phase 1 except that the adversary is not allowed to make a query to KeyGen Oracle with $y$ such that $\langle x^*, y \rangle = 0$.
Guess. The adversary outputs a bit $\beta'$. Then, the challenger outputs 1 if $\beta' = \beta$.

Let $S_i$ be the event where the adversary makes a right guess in Game$_i$. If the term $\psi = G(\sigma)$ is generated from the PRG $G$ for some $\sigma$, then we are in Game$_\ell$, and we have

If $\psi$ is randomly chosen from $\{0, 1\}^m$, then we are in Game$_{\ell+1}$, and we have

Finally, we have that is negligible. □

Theorem 1. The proposed private IPE scheme achieves payload-hiding, if the underlying pseudorandom function is key-homomorphic and secure and the pseudorandom generator is secure.
Proof. By combining Lemmas 1 and 2, we have

Note that $\Pr[S_0] = \mathrm{Adv}^{\mathrm{PH}}_{A}(1^\lambda)$ since Game$_0$ is the payload-hiding game, and $\Pr[S_{\ell+1}] = 0$ since $ct^*$ leaks no information about the encrypted message in Game$_{\ell+1}$. Therefore, for any PPT adversary $A$, there exist algorithms is negligible.

Attribute-Hiding Security.
We then prove that our scheme achieves attribute-hiding. The proof is similar to the proof for payload-hiding security, and hence we will omit some content to avoid unnecessary redundancy. Let $(c_0, c_1, \ldots, c_\ell)$ be the challenge ciphertext given to the adversary in the attribute-hiding game. Besides, let $R_1, \ldots, R_\ell$ be random elements in $R$ and let $R_0$ be a random element in $\{0, 1\}^m$. We define the following hybrid games differing in what challenge ciphertext is sent to the adversary:
(i) Game$_0$. The challenge ciphertext is $(c_0, c_1, \ldots, c_\ell)$. It is identical to the original attribute-hiding game defined in Section 3.2.

In the last game, the challenge ciphertext is composed of $\ell + 1$ random elements, and hence the adversary obtains no information about the attribute vector from the challenge ciphertext. We then prove that the adjacent games are indistinguishable in the following lemmas.

Lemma 3. If the underlying PRF $F$ is secure, then Game$_{k-1}$ is indistinguishable from Game$_k$, for $k = 1, \ldots, \ell$.
Proof. Suppose that there is an adversary $A$ that is able to distinguish Game$_{k-1}$ from Game$_k$ with a nonnegligible advantage. Then we can build a challenger $C_3$ to distinguish the experiment EXP(0) from the experiment EXP(1) shown in Section 2. After invoking the experiment EXP($b$) and receiving the description of the PRF $F$, the challenger $C_1$ simulates a hybrid game for an adversary $A$ as follows.
For Setup, Query Phase 1, Query Phase 2, and Guess, the challenger performs the same as in the proof of Lemma 1.
For Challenge phase, after receiving $x^{(0)}, x^{(1)}$, and $M$ from the adversary, where $\langle x^{(0)}, y \rangle = 0 = \langle x^{(1)}, y \rangle$ or $\langle x^{(0)}, y \rangle \neq 0 \neq \langle x^{(1)}, y \rangle$, for all $y$ queried to KeyGen Oracle in Query Phase 1, the challenger performs as follows:

The analysis of the correctness of the simulation is similar to that in the proof of Lemma 1. Let $S_i$ be the event where the adversary makes a right guess in Game$_i$. If $f$ from the PRF game is a random element in $R$, then we are in Game$_k$; otherwise, we are in Game$_{k-1}$. Therefore, we have

That is, Game$_k$ is indistinguishable from Game$_{k-1}$, if the underlying pseudorandom function is secure, for $k = 1, \ldots, \ell$. □

Lemma 4. If the underlying PRG $G$ is secure, then Game$_\ell$ is indistinguishable from Game$_{\ell+1}$.
Proof. The proof of this lemma is similar to the proof of Lemma 2, with the only difference being that the challenger received two vectors $x^{(0)}, x^{(1)}$ with a message $M$; in Lemma 2, the challenger received two messages $M_0, M_1$ with a vector $x^*$ from the adversary.
Given the description of the PRG $G$ and a challenge $\psi \in \{0, 1\}^m$, the challenger $C_4$ simulates the following hybrid game for an adversary $A$.
For Setup, Query Phase 1, Query Phase 2, and Guess, the challenger performs the same as in the proof of Lemma 1.
(2) For $i = 1, \ldots, \ell$, set $c_i = R_i$.

The analysis of the correctness of the simulation is similar to that in the proof of Lemma 3. Let $S_i$ be the event where the adversary makes a right guess in Game$_i$. If $\psi$ from the PRG game is a random element in $\{0, 1\}^m$, then we are in Game$_{\ell+1}$; otherwise, we are in Game$_\ell$. Therefore, we have that is negligible. That is, Game$_\ell$ is indistinguishable from Game$_{\ell+1}$, if the underlying pseudorandom generator is secure.

Theorem 2. The proposed private IPE scheme achieves attribute-hiding, if the underlying pseudorandom function is key-homomorphic and secure and the pseudorandom generator is secure.
Proof. By combining Lemma 3 and Lemma 4, we have

Note that $\Pr[S_0] = \mathrm{Adv}^{\mathrm{AH}}_{A}(1^\lambda)$ since Game$_0$ is the attribute-hiding game, and $\Pr[S_{\ell+1}] = 0$ since $ct^*$ leaks no information about the encrypted message in Game$_{\ell+1}$. Therefore, for any PPT adversary $A$, there exist algorithms $C_3, C_4$ such that

For Setup, Query Phase 1, Query Phase 2, and Guess, the challenger performs the same as in the proof of Lemma 1.
For Challenge phase, after receiving for all $x$ queried to Encrypt Oracle in Query Phase 1, the challenger performs as follows.
If the challenger is interacting with the experiment EXP(1), then $f$ is the output of the PRF with input $h$. By implicitly setting the encryption key component $a_k$ as the chosen key of the underlying experiment, we have $f = F(a_k, h)$, and thus we have and thus we are in Game$_{k-1}$. Otherwise, $f$ is a random element in $R$; then we can rewrite $f = F(a_k, h) + R$ for some random element $R \in R$. Besides, there must exist an element $y$ such that $R = (y^{(0)}_k)^{-1} y F(a_k, h)$. By implicitly setting $y'_k = y^{(0)}_k + y$, we have Since $f$ is a random element in $R$, $y'_k$ is also a random element in $R$. That means $sk^* = [y'_1, \ldots, y'_k, y^{(0)}_{k+1}, \ldots, y^{(0)}_\ell]$, and thus we are in Game$_k$. Let $S_i$ be the event where the adversary makes a right guess in Game$_i$. Therefore, we have

That is, Game$_k$ is indistinguishable from Game$_{k-1}$, if the underlying PRF is secure, for $k = 1, \ldots, \ell$. □

Theorem 3. The proposed private IPE scheme achieves predicate-hiding, if the underlying pseudorandom function is key-homomorphic and secure and the pseudorandom generator is secure.
Proof. The proof for the indistinguishability between Game$_{1,k-1}$ and Game$_{1,k}$ is the same as that for the indistinguishability between Game$_{0,k-1}$ and Game$_{0,k}$, due to the symmetry of the game sequence. This completes the proof of the predicate-hiding.

[17][18][19]. Here, the length of ciphertext attribute and key attribute is $n$. $|G|$ and $m$ represent size of an element of $|G|$ and message, respectively. MSK, SK, CT, Qun. Res., GSD, C3DH, and 3FCOBGA stand for master secret key, secret key for some key attribute, ciphertext for some ciphertext attribute, quantum-resistant, general subgroup decision, composite 3-party (decisional) Diffie-Hellman, and 3-factor-based composite-order bilinear groups assumption, respectively.

Comparison and Analysis
To the best of our knowledge, although existing private IPE schemes [17][18][19] achieve payload-hiding, attribute-hiding, and predicate-hiding security, these schemes cannot resist quantum attacks because their security is based on the discrete logarithm assumption. In this section, we compare our scheme with the existing private IPE schemes in terms of security properties and the size of master secret key, secret key, and ciphertext, as shown in Table 1.
The results show that our construction has higher security and efficiency in terms of secret key size because the size is not related to attribute length. In particular, the security of [18,19] is only selective security, whereas that of [17] and our construction is adaptive security, making it more resistant to real attacks. In secret key size, our construction is of constant size, while the secret key sizes of [17][18][19] are linearly related to the key attribute length. In terms of ciphertext size, the encryption algorithm in schemes [17][18][19] only encrypts the ciphertext predicate, while our proposed construction further encrypts the message; therefore, the ciphertext size of our scheme is $m + n \log_2 q$, where $m$ is the length of the message. Finally, [17][18][19] are not resistant to quantum attacks, while our construction is resistant to quantum attacks if the underlying PRF is resistant to quantum attacks.

Conclusions and Future Works
With the development of cloud computing, the privacy of uploaded data is a concern and needs to be protected. Private IPE is well suited to the cloud computing scenario because it provides encryption for access control. In this paper, we propose a generic private IPE construction that achieves payload-hiding, attribute-hiding, and predicate-hiding security by utilizing a specific key-homomorphic PRF. For future work, because the current construction requires that the key space and output space of the underlying key-homomorphic PRF be $\mathbb{Z}_q$, how to provide a construction with fewer restrictions is an open problem that remains to be solved.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.