Inner product functional encryption based on the UOV scheme

1 Introduction

In recent years, with the progressive improvement in the speed and reliability of data networks, we have witnessed a growing diffusion of “cloud computing”. This practice involves entrusting storage functions, software applications, and computation to powerful remote servers capable of meeting the needs of millions or even billions of users. In this context, ensuring the confidentiality of individual user data is of fundamental importance, making the use of specific cryptographic tools indispensable. To allow providers to deliver services through data processing while preserving confidentiality, the paradigms that are emerging as particularly promising are functional encryption [1], 2] and homomorphic encryption [3], briefly FE and HE. These approaches pursue distinct objectives: in HE, the value of functions applied to plaintext data is calculated as a function of the encrypted data and returned to the owner in encrypted form. Only the data owner has the capability to use it, unless they decide to share it with the provider through an additional encryption system. Conversely, in FE, by using specific “functional keys” the provider can directly compute the value of the required functions on plaintext data starting from encrypted data, which are never fully decrypted. These features allow the provider to deliver services to users without requiring further actions from them, except for distributing the necessary functional keys.

To illustrate the paradigm of functional encryption, we provide a couple of examples of its applications. Consider a hospital that records the medical data of its patients. For research purposes, it could be useful to perform data analysis on these records. Using FE, the hospital can delegate the storage of the records to a cloud service without compromising their confidentiality because the data are encrypted before being sent to the server. At the same time, the hospital can distribute functional keys to researchers, enabling them to conduct medical statistical analyses on the records stored in the cloud for purposes such as evaluating a therapy, without accessing the actual content of the records.

Another common application of FE is performing machine learning on encrypted data while ensuring confidentiality. Specifically, after training a classifier on standard data, the data owner can generate specific functional keys for the functions required by the classifier. In other words, the classifier can perform classification on encrypted data without knowing its plaintext content.

If such computations require knowledge of linear functions of the plaintext data, we refer to the FE scheme as an inner product functional encryption, briefly IPFE, protocol. Some examples of inner products widely used in data analysis are the expected value and the convolution product. Recently, in [4], the authors introduced an IPFE protocol based on multivariate cryptography. We recall that this type of post-quantum cryptographic primitives achieves security through the challenge of computing preimages of generic quadratic polynomial maps F : F n → F m where F is a finite field. These primitives are typically digital signatures where signing a vector v ∈ F m corresponds to compute a preimage u ∈ F − 1 ( v ) ⊂ F n . The signer holds a secret that allows for efficient computation of such a preimage.

In the present paper, we discuss the possibility of designing multivariate IPFE schemes. We start by discussing the efficiency and security of the IPFE protocol in [4] modified by leveraging the UOV digital signature [5], [6], [7], [8]. In this version of the protocol, the property that the quadratic map F : F n → F m is an “oil-vinegar map” corresponds to the existence of a secret vector subspace O ⊂ F ⁻¹(0). Using this subspace one can obtain elements in the preimages of F without the need for any linear change of coordinates. If otherwise the subspace O is unknown, an opponent faces a problem currently considered indistinguishable from the NP-hard problem of solving a quadratic polynomial system over a finite field. For a recent paper on solving polynomial systems over finite fields, see for instance [9].

Our analysis of the IPFE scheme reveals that the protocol’s decryption algorithm incurs a computational cost exponential in the scheme’s parameters. To address this inefficiency, we propose a variant aimed at mitigating the issue. However, it appears that circumventing the exponential decryption cost necessitates an increase in ciphertext size, which once again leads to inefficiency. The challenge of developing a practical multivariate IPFE scheme remains an open problem and requires further investigation.

2 Oil-vinegar maps

We start presenting the modern concept of an oil-vinegar map and its corresponding algorithms for the UOV digital signature. References include [5], [6], [7].

Let F be a finite field and denote by S = F [ x 1 , … , x n ] the algebra of the polynomials with coefficients in the field F and variables x ₁, …, x _n . For all 1 ≤ k ≤ m, let f _k ∈ S be a quadratic form, that is, a homogeneous polynomial of degree 2. Let F = (f ₁, …, f _m ) ∈ S ^m . By abuse of notation, we also denote by F : F n → F m the quadratic map such that, for all v = ( v 1 , … , v n ) ∈ F n

Note that each quadratic form f _k (1 ≤ k ≤ m) corresponds to a matrix A k = A k i j ∈ M n ( F ) such that, if x = (x ₁, …, x _n ) ∈ S ⁿ then

To avoid issues arising from the characteristic of the field F, we make the assumption that all the matrices A _k are upper triangular, that is, A k i j = 0 whenever i > j. We have hence that

Consider another variable set {y ₁, …, y _n } which is disjoint from the set {x ₁, …, x _n } and let S ̄ = F [ x 1 , … , x n , y 1 , … , y n ] . The polar form of the quadratic form f _k is by definition the bilinear form

In matrix terms, we have that

that is

Note that A k + A k T is a symmetric matrix with elements along the main diagonal that are divisible by 2. Hence, the monomials x _i y _i (1 ≤ i ≤ n) will not appear in the polar forms f ̄ k whenever c h a r ( F ) = 2 . We call F ̄ = ( f ̄ 1 , … , f ̄ m ) ∈ S ̄ m the polar map of the quadratic map F = (f ₁, …, f _m ) ∈ S. By abuse of notation, we denote by F ̄ : F n × F n → F m the bilinear map such that, for all u , v ∈ F n

Let F = G F ( q ) be the finite field with q elements and consider the ideal E = ⟨ x 1 q − x 1 , … , x n q − x n ⟩ ⊂ S . If J ⊂ S is an ideal and F ̄ is the algebraic closure of the field F , we denote

and V F ( J ) = V ( J ) ∩ F n . The Nullstellensatz over finite fields [10] implies the following result.

Let l ₁, …, l _n−r ∈ S be linear forms and put L = (l ₁, …, l _n−r ) ∈ S ^n−r . By abuse of notation, we also denote L : F n → F n − r the corresponding linear map. If O = V F ( I L ) where I _L = ⟨l ₁, …, l _n−r ⟩, then the inclusion O ⊂ V F ( I F ) is equivalent to the inclusion

due to the fact that I _F + E, I _L + E are radical ideals. By assuming that the linear forms l _k are linearly independent we have that r = dim F O .

Observe that the condition I _F ⊂ I _L + E is equivalent to require that each quadratic form f _i (1 ≤ i ≤ m) can be written in the form

where g _ij ∈ S are linear forms.

3 Preimages of oil–vinegar maps

The computation of a preimage of a quadratic map is generally a difficult task because it corresponds to solve a quadratic polynomial system over a finite field. Indeed, it is well-know that the solution to such a general problem is NP-hard [11]. We show now that computing a preimage of an oil-vinegar map becomes efficient once the oil-subspace is known.

Let w = ( w 1 , … , w m ) ∈ F m . If F = (f ₁, …, f _m ) is a quadratic map, computing v = ( v 1 , … , v n ) ∈ F n such that F(v) = w is equivalent to solve, over the base field F , the following system of quadratic equations

In other words, the vector v is a preimage of w under the map F. We denote this by writing v ∈ F ⁻¹(w). Assume now that F is an oil–vinegar map and we have knowledge of its oil subspace O ⊂ V F ( I F ) = F − 1 ( 0 ) . In particular, let O = V F ( I L ) = L − 1 ( 0 ) where L = (l ₁, …, l _n−r ) and l _k ∈ S are linear independent linear forms. Fix a random vector u ∈ F n . If o ∈ O and hence F(o) = 0, then

To compute a preimage v = u + o ∈ F ⁻¹(w) it is sufficient therefore to solve the system of linear equations L ( x ) = 0 , F ̄ ( u , x ) = w − F ( u ) which is explicitly

Note that if m = r we have a system of n linear equations in exactly n variables. In this case, the matrix of its coefficients has no maximal rank (determinant is zero) with probability 1/q. If we do not obtain maximal rank, it is sufficient to choose a new random vector u ∈ F n . Moreover, by assuming that the equations f ₁(x) = w ₁, …, f _m (x) = w _m are sufficiently generic (complete intersection), one has that the preimage F − 1 ( w ) ⊂ F n is an affine variety of dimension n − m.

The signing algorithm of the UOV protocol corresponding to the oil-vinegar map F : F n → F m is, by definition, the computation of a preimage v ∈ F − 1 ( w ) ⊂ F n for a document w ∈ F m . More precisely, the vector w is generally the hash value of a document, so the parameter m is fixed and not very large. The cryptanalysis of the UOV protocol [12] implies that the condition n > 2m is necessary to achieve a secure signature. As we have just seen, an efficient signing algorithm is made possible by the knowledge of the oil subspace O ⊂ F ⁻¹(0). The verification of the signature v simply consists in checking that F(v) = w which involves the cost of evaluating the quadratic map F. Therefore, the public key of UOV is the map F and the private key is the pair (F, O).

4 Generation of oil–vinegar maps

We address now the task of the key generation in the UOV protocol, that is, how to construct an oil–vinegar map F = (f ₁, …, f _m ) from any subspace O ⊂ F n of dimension r. Up to permutating the coordinates of the vector space F n , we can assume that O is the subspace generated by the rows of a block matrix ( H I ) ∈ M r × n ( F ) where H ∈ M r × n − r ( F ) is any matrix and I ∈ G L r ( F ) is the identity matrix. Consider the upper triangular matrices A k ∈ M n ( F ) corresponding to each quadratic form f _k (1 ≤ k ≤ m), that is

We consider A _k as a block upper triangular matrix of type

where A k ′ ∈ M n − r ( F ) , A k ″ ∈ M n − r × r ( F ) , A k ′ ′ ′ ∈ M r ( F ) and A k ′ , A k ′ ′ ′ are upper triangular matrices. To enforce O ⊂ F ⁻¹(0), or equivalently F(O) = {0}, corresponds to impose, for each 1 ≤ k ≤ m, the following matrix equations

From the above equations, one obtains that

and hence

In other words, by arbitrarily assigning the matrix H that defines the oil subspace O ⊂ F n and arbitrarily choosing the matrices A k ′ , A k ″ (1 ≤ k ≤ m), it is always possible to define the matrices A k ′ ′ ′ (1 ≤ k ≤ m) in such a way that the quadratic map F = (f ₁, …, f _m ) corresponding to the block upper triangular matrices A 1 , … , A m ∈ M n ( F ) satisfies O ⊂ F ⁻¹(0). It is worth noting that the random matrix A k ′ ∈ M n − r ( F ) can be directly generated as an upper triangular matrix, whereas the matrix A k ′ ′ ′ ∈ M r ( F ) is defined as the upper triangular matrix that yields the same quadratic form as the matrix − H A k ″ − H A k ′ H T .

5 Efficient secret key and signature for UOV

In order to reduce the key sizes and make the signing process more efficient in UOV, we observe the following. Assume as before that the oil subspace O ⊂ F n is the subspace generated by the rows of a block matrix ( H I ) ∈ M r × n ( F ) where I is the identity matrix of order r. Under this assumption, note that the last r entries of a vector o′ ∈ O can be arbitrarily chosen.

Let w ∈ F m and u ∈ F n . We have shown that the knowledge of the oil subspace O implies that a vector u + o (o ∈ O) such that F(u + o) = w can be computed by solving a system of linear equations. Let now o′ ∈ O. Note that if o ∈ O is such that L(o) = 0, F(u + o) = w, then o − o′ ∈ O clearly satisfies L(o − o′) = 0, F(u + o′ + (o − o′)) = w. In other words, the computation of a preimage in F ⁻¹(w) can be obtained in the same way if we replace the arbitrary vector u ∈ F n with a vector of the form u + o′ where o′ ∈ O.

Due to the assumption that a basis of the oil subspace O is provided by the rows of a block matrix of type (H I), replacing u with u + o′ offers the advantage that one can require that the last r entries of the vector o′ are precisely the opposite of the corresponding entries of the vector u. In other words, we can assume that the vector u + o′ has its last r coordinates all equal to zero.

Let u = ( u ′ 0 ) ∈ F n with u ′ ∈ F n − r . Recall that f _k (x) = xA _k x ^T (1 ≤ k ≤ m) where

with A k ′ ∈ M n − r ( F ) , A k ″ ∈ M n − r × r ( F ) , A k ′ ′ ′ ∈ M r ( F ) . We have therefore that

Moreover, recall that f ̄ k ( x , y ) = x A k + A k T y T . Since we are assuming that O admits as a basis the row vectors of a block matrix of the form (H I), any vector o ∈ O can be obtained as o = c(H I) = (cH c) where c = ( c 1 , … , c r ) ∈ F r . By computing f ̄ k ( u , o ) one obtains hence

By putting

we finally obtain that

Once a vector u = ( u ′ 0 ) ∈ F n is fixed, we recall that the UOV signature of w = ( w 1 , … , w m ) ∈ F m consists in solving the following system of linear equations

where the vector o ∈ O is unknown. Since such a vector is parametrized by a vector c ∈ F r , once the matrices A 1 ′ , C 1 , … , A m ′ , C m along with the matrix H are stored as the secret key, the signing process involves solving the corresponding linear system, namely

where the vector c ∈ F r is the unknown. After computing c, we put o = c(H I) and the signature is defined as the preimage v = u + o ∈ F ⁻¹(w).

6 Formal description of UOV algorithms

Henceforth, we assume that m = r = dim F O and n > 2m. Note that in order to set and decrease the value of the parameter m, the vector w ∈ F m typically represents a hash value of the message to be signed.

7 Key sizes in the UOV scheme

The public key of UOV is given by an oil–vinegar map F : F n → F m , that is, by m upper triangular matrices A 1 , … , A m ∈ M n ( F ) . Since each element of the finite field F = G F ( q ) is represented by ⌈ log₂(q)⌉ bits, it follows that the size of the public key is

Recall that the matrices A _k (1 ≤ k ≤ m) are block matrices of the form

where A k ′ , A k ″ are random matrices and A k ′ ′ ′ is determined by these matrices along with the oil subspace O ⊂ F n ( dim F O = m ) . By generating the matrices A k ′ , A k ″ (1 ≤ k ≤ m) using a pseudorandom number generator initialized with a public seed, we have that for the public key pk = (A ₁, …, A _m ) we only need to store the upper triangular matrices A k ′ ′ ′ ∈ M m ( F ) (1 ≤ k ≤ m) in addition to the public seed. We conclude that the size of the compact public key is

For the secret key, we need to store the matrix H ∈ M m × n − m ( F ) such that the rows of the block matrix ( H I ) ∈ M m × n ( F ) are a basis of the oil subspace. In addition to the matrix H, the UOV signing process requires the upper triangular matrices A k ′ ∈ M n − m ( F ) alongside the matrices C k ∈ M n − m × m ( F ) , for all k = 1, 2, …, m. The total size of the secret key is hence

As with the public key, we can avoid storing the random matrices A k ′ (1 ≤ k ≤ m) and H by using a pseudorandom number generator initialized with the public seed used for the public key, along with an additional secret seed. We conclude that the size of the compact secret key is

Note that by including the computation of the matrices C k = A k ′ + A k ′ T H T + A k ″ in the UOV signing algorithm, then the size of the compact secret key can be further reduced to

In this case, however, the signing process would result in less efficiency.

The size of the UOV signatures is clearly n⌈ log₂(q)⌉. If the vector w ∈ F m for which we compute a preimage v ∈ F ⁻¹(w) is a hash of the message to be signed and the hashing process includes a random number salt, then the size of the signature is precisely

8 Functional encryption

In this section, we briefly recall the formal notion of Functional Encryption. Let X be the set of plaintexts and Y be the set of ciphertexts. Denote by K the set of functional keys and by V the set of functional values. Then, a function F : K × X → V is given. We also introduce a set K _sec of the secret keys, a set K _pub of the public keys and finally a set K _usr of the user secret keys. Then, we have a function keygen : K × K _sec → K _usr , that is, for any functional key k ∈ K and for each secret key sk ∈ K _sec, we have a user secret key usk _k = keygen(k, sk) ∈ K _usr. For any public key pk ∈ K _pub, there is a functional encryption mapping enc _pk : X → Y. For each user secret key usk _k , we have a functional decryption mapping d e c us k k : Y → V such that if y = enc _pk (x), then d e c us k k ( y ) = F ( k , x ) .

In practice, the secret key sk and the public key pk are owned by a Master user, a central authority, who distributes pk to Alice to enable them to functionally encrypt the plaintext x, that is, to compute y = enc _pk (x). If Bob is a user corresponding to the functional key k, then the Master distributes to Bob the user secret key usk _k = keygen(k, sk). With this key, Bob can decrypt the functional value d e c us k k ( y ) = F ( k , x ) of the plaintext belonging to Alice.

In addition to these algorithms, a protocol of functional encryption, briefly FE, involves a setup function such that for each value of appropriate parameters, it returns a pair (sk, pk) chosen arbitrarily from those satisfying the required parameters. It is assumed that all functions of an FE protocol can be computed efficiently.

If K = X = F d and V = F where F is a finite field, we have an inner product functional encryption, briefly IPFE, if F(k, x) = ⟨k, x⟩ = ∑ _i k _i x _i ∈ V where k = (k ₁, …, k _d ) ∈ K and x = (x ₁, …, x _d ) ∈ X.

9 An IPFE protocol based on the UOV scheme

In this section we introduce an IPFE protocol that leverages modern UOV algorithms, inspired by the protocol introduced by Debnath, Mesnager, Dey and Kundu in [4] (See Algorithms 9.1, 9.2, 9.3, and 9.4). As previously explained for general IPFE schemes, the set of plaintexts and the set of functional keys coincide with a vector space F d over a finite field F . The set of functional values is thus F .

Let {t ₁, …, t _d } and {x ₁, …, x _n } be two disjoint sets of variables and consider the polynomial algebras R = F [ t 1 , … , t d ] and S = F [ x 1 , … , x n ] . We put

Moreover, let K = F ( t 1 , … , t d ) denote the field of rational functions corresponding to R = F [ t 1 , … , t d ] . We consider m quadratic forms in the variables x ₁, …, x _n whose coefficients are polynomials in the variables t ₁, …, t _d . Precisely, if we put t = (t ₁, …, t _d ) ∈ R ^d and x = (x ₁, …, x _n ) ∈ S ⁿ , for each 1 ≤ k ≤ m we define

where A ( t ) k = ( A ( t ) k i j ) ∈ M n ( R ) is an upper triangular matrix. By evaluating the variable vector t = (t ₁, …, t _d ) at a vector a = ( a 1 , … , a d ) ∈ F d , we obtain a quadratic form f k ( a ) ∈ S associated with the matrix A ( a ) k ∈ M n ( F ) , which in turn is obtained by evaluating the matrix A(t) _k . By setting F ( a ) = ( f 1 ( a ) , … , f m ( a ) ) , we have a quadratic map F ( a ) : F n → F m for every vector a = ( a 1 , … , a d ) ∈ F d . This set of maps is clearly obtained by evaluating the quadratic map F ( t ) = ( f 1 ( t ) , … , f m ( t ) ) , where we can assume that F ( t ) : K n → K m .

Let now {y ₁, …, y _n } be a set of variables disjoint from the sets {x ₁, …, x _n } and {t ₁, …, t _d }. We consider the polynomial algebra P ̄ = R [ x 1 , … , x n , y 1 , … , y n ] . The polar form of the quadratic map f k ( t ) is by definition the bilinear form

In other words, we have

Observe that A ( t ) k + A ( t ) k T ∈ M n ( R ) is a symmetric matrix with even elements along the main diagonal. By evaluating the variable vector t = (t ₁, …, t _d ) at a vector a = ( a 1 , … , a d ) ∈ F d , we obtain the polar form f ̄ k ( a ) of f k ( a ) from the polar form f ̄ k ( t ) of f k ( t ) .

By setting F ̄ ( t ) = ( f ̄ 1 ( t ) , … , f ̄ m ( t ) ) ∈ P ̄ m , we call F ̄ ( t ) the polar map of the quadratic map F ^(t). Clearly, F ̄ ( a ) is the polar map of the quadratic map F ^(a), for all a = ( a 1 , … , a d ) ∈ F d .

We now illustrate how to construct an oil–vinegar map F ( t ) = ( f 1 ( t ) , … , f m ( t ) ) . Let H(t) ∈ M _m×n−m (R) be a matrix whose entries are linear forms in the variables t ₁, …, t _d and consider the block matrix (H(t) I) ∈ M _m×n (R) where I is the identity matrix of order m. Denote by O(t) ⊂ R ⁿ the vector subspace generated by the rows of the matrix (H(t) I). Note that if O(a) ⊂ F ⁿ is the vector subspace generated by the rows of the matrix ( H ( a ) I ) ∈ M m × n ( F ) , then dim F O ( a ) = m for every a = ( a 1 , … , a d ) ∈ F d .

Let A ( t ) k ′ ∈ M n − m ( R ) , A ( t ) k ″ ∈ M n − m × m ( R ) (1 ≤ k ≤ m) be matrices whose entries are linear forms in R and assume that A ( t ) k ′ is an upper triangular matrix. Denote by A ( t ) k ′ ′ ′ ∈ M m ( R ) the upper triangular matrix defining the same quadratic form of the matrix

Since the entries of A ( t ) k ′ , A ( t ) k ″ and H(t) are linear forms, it is important to note that the entries of A ( t ) k ′ ′ ′ are cubic polynomials with homogeneous components of degrees 2 and 3.

We finally define the block upper triangular matrices

and the corresponding quadratic forms f k ( t ) = x A ( t ) k x T (1 ≤ k ≤ m). By defining F ( t ) = ( f 1 ( t ) , … , f m ( t ) ) , it is clear that F ^(a) is an oil–vinegar map with O(a) as its oil subspace.

We present now a direct instantiation of the IPFE protocol in [4] with the modern UOV scheme and discuss its limitations. Up to optimizations in key generation similar to those used for UOV, we have that the secret key sk held by the Master consists of an oil–vinegar map F ( t ) = ( f 1 ( t ) , … , f m ( t ) ) along with the corresponding oil subspace O(t) ⊂ R ^m . The public key pk given to Alice is the oil–vinegar map F ^(t) alone, and the user secret key usk _a given to Bob consists of the oil–vinegar map F ( a ) = ( f 1 ( a ) , … , f m ( a ) ) along with the oil subspace O ( a ) ⊂ F m .

We observe that the subspaces O(t) and O(a) are assigned using matrices H(t) ∈ M _m×n−m (R) and H ( a ) ∈ M m × n − m ( F ) . To prevent a collusion attack on the protocol that could, for example, determine H(t) from the knowledge of various matrices H(a ₁), …, H(a _l ), it is essential to limit the number s of functional keys { a 1 , … , a s } ⊂ F d allowed by the protocol relative to the dimension d of the plaintexts b ∈ F d .

We will now illustrate how Alice performs the functional encryption of their plaintext b = ( b 1 , … , b d ) ∈ F d using the public key F ^(t) and how Bob can perform the functional decryption using the user secret key usk _a = (F ^(a), O(a)). We recall that the goal of the (inner product) functional decryption is to determine the inner product F(a, b) = ⟨a, b⟩ = ∑ _i a _i b _i .

Following the general framework, the functional encryption is defined for any functional key a = (a ₁, …, a _d ). We will see that this implies that the corresponding ciphertext is generally a large data. Alternatively, Alice could construct different ciphertexts for different functional keys. Nonetheless, we will examine the general scheme in the following algorithms.

Observe that each component of the vectors u ̄ ( t ) , v ̄ ( t ) ∈ R n is a polynomial of type

The (inner product) functional decryption performed by Bob, namely the computation of ⟨a, b⟩, involves the following operations.

According to the UOV protocol, Bob’s knowledge of the oil subspace O(a) enables him to efficiently compute an element of any preimage of the oil-vinegar map F(a). In fact, we recall that such a computation reduces to solving a system of n linear equations in n variables. Moreover, assuming that the polynomial map F ^(a) is sufficiently generic, the dimension of a preimage, as an algebraic variety, is n − m. Consequently, the dimension of the product of preimages ( F ( a ) ) − 1 ( u ̄ ) × ( F ( a ) ) − 1 ( v ̄ ) is d = 2n − 2m. Under the assumption that n is slightly larger than 2m, we obtain that d ≈ n. If we impose the n linear equations corresponding to the condition v − u = c on the pairs ( u , v ) ∈ ( F ( a ) ) − 1 ( u ̄ ) × ( F ( a ) ) − 1 ( v ̄ ) , we obtain essentially a unique solution that coincides with the pair (u(a), v(a)). In other words, the probability of finding this pair in the product set ( F ( a ) ) − 1 ( u ̄ ) × ( F ( a ) ) − 1 ( v ̄ ) is one out of its number of elements, which can be approximately estimated as 1/q ⁿ . This explains the correctness of the functional encryption-decryption algorithms described above.

Note that the protocol described in Decryption Algorithm 9.3 has a computational cost of the order of q ^n−m . This (exponential, and thus infeasible) approach is directly derived from [4], with whom it shares the trial-and-error decryption algorithm: Bob continues to generate valid preimages u and v for u ̄ and v ̄ until the check v − u = c is satisfied. Looking back at UOV Signature Algorithm 6.2, this method turns out to be equivalent to keep generating random vectors u ′ ∈ F n − m , until the correct preimage u is found.

To solve this issue we consider here a variant in which Alice encodes their information in a particular subspace of R ⁿ , so that, when the ciphertext is specialized by Bob by using their functional key, the decryption algorithm can be speed-up. Before providing the details of the protocol we present the general idea.

Consider a vector subspace V ⊂ F n of dimension ℓ such that its intersection O′ with Bob’s Oil subspace O has dimension kltℓ. Without loss of generality, we can assume that V is defined via a linear map

such that its restriction to the first ℓ coordinates of the co-domain is a bijection. If Alice is given V , they can proceed similarly to Algorithm 9.3, with the difference that Steps 2 and 3, used to compute the vector u(t) = (u(t)₁, …, u(t) _n ) ∈ R ⁿ , are replaced by the following:

1. u′(t) = (u′(t)₁, …, u′(t) _ℓ ) consists of linear forms in the variables t ₁, …, t _d such that ∑ i = 1 ℓ u ′ ( t ) i = ⟨ t , b ⟩ .

2. u(t) = (u(t)₁, …, u(t) _n ) is computed as V ( u ′ ( t ) ) .

Thus, Bob performs the functional decryption using Algorithm 9.4, with the slight modification that the search is confined to the subspace V. In this way, the algorithm runs in O(q ^ℓ−k ), in which ℓ − k can be fixed of the order of log(n). In this way, the computational cost of the decryption algorithm is polynomial in n instead of exponential in n − m.

It is important to note that the variant just described cannot directly be used. Indeed, an attacker can easily guess an element of Bob’s Oil subspace by looking at V . To solve this issue, we consider V to be a parametric space V ^(t), so that, at the cost of increasing the ciphertext’s size, an attacker is not capable of guessing the subspace V associated to Bob’s oil subspace (which, with this newly introduced notation, is V ^(a)) and thus to directly attack the scheme.

Finally, to further improve the decryption algorithm 9.4, instead of searching for two preimages satisfying the check v − u = c we modify the scheme so that Bob can directly check whether u is correct without generating a corresponding v.

In Algorithms 9.5, 9.6, and 9.7 we describe in details the key-generation, encryption, and decryption of our variant of the IPFE protocol based on [4] and UOV.

10 Key and ciphertext sizes in the IPFE protocol

The public key pk possessed by Alice is composed by two parts:

1. a parametric oil–vinegar map F ( t ) = ( f 1 ( t ) , … , f m ( t ) ) ;

2. a parametric linear map V ( t ) .

Recall that the map F ( t ) = ( f 1 ( t ) , … , f m ( t ) ) where f k ( t ) = x A ( t ) k x T ∈ P is a quadratic form defined by the matrix

with A ( t ) k ′ , A ( t ) k ″ being random matrices whose entries are linear forms in R and A ( t ) k ′ ′ ′ is determined by these matrices and the oil subspace O(t) ⊂ R ⁿ . By generating the random matrices A ( t ) k ′ , A ( t ) k ″ (1 ≤ k ≤ m) using a pseudorandom generator from a public seed, for the public key pk we only need to store the upper triangular matrices A ( t ) k ′ ′ ′ ∈ M m ( R ) (1 ≤ k ≤ m) in addition to the public seed. We recall that the entries of A ( t ) k ′ ′ ′ are cubic polynomials with homogeneous components of degree 2 and 3. Since each element of the finite field F = G F ( q ) is represented by ⌈ log₂(q)⌉ bits, each entry of the upper triangular matrix A ( t ) k ′ ′ ′ is represented by the following number of bits

so that we have

The second part of the public key is V ( t ) . Recall that V ( t ) = ∑ i = 1 d t i V i where V i : F ℓ → F n are randomly generated maps. This implies that it is sufficient to store the seed used. In particular, the set { V i } can be obtained again by using seed_pub, which has been already accounted for. Putting everything together we have

The user secret key usk _j owned by Bob is given by a j , A ( a j ) k ′ , A ( a j ) k ″ (1 ≤ k ≤ m), H(a _j ), and V ( a j ) . Using the public seed, Bob can obtain A ( t ) k ′ , A ( t ) k ″ and V ( t ) which can be transformed into A ( a j ) k ′ , A ( a j ) k ″ and V ( a j ) by evaluation. However, the matrix H(t) in the secret key sk must remain unknown to Bob, so the matrix H(a _j ) must be explicitly provided to them. We therefore have

Note that in Algorithm 9.5 Bob is also provided with the matrices

aiming to speed up the computation of preimages. In this case the size becomes