Efficient Multi-Client Functional Encryption for Conjunctive Equality and Range Queries

In multi-client functional encryption (MC-FE) for predicate queries, clients generate ciphertexts of plaintexts <inline-formula> <tex-math notation="LaTeX">$x_{1}, \ldots, x_{n}$ </tex-math></inline-formula> binding with a time period <inline-formula> <tex-math notation="LaTeX">$T$ </tex-math></inline-formula> and store them on a cloud server, and the cloud server receives a function key corresponding to a predicate <inline-formula> <tex-math notation="LaTeX">$f$ </tex-math></inline-formula> from a trusted center and learns whether <inline-formula> <tex-math notation="LaTeX">$f(x_{1}, \ldots, x_{n}) = 1$ </tex-math></inline-formula> or not by running the decryption algorithm on the multiple ciphertexts of the same time period. MC-FE for predicates can be used for a network event or medical data monitoring system based on time series data gathered by multiple clients. In this paper, we propose efficient MC-FE schemes that support conjunctive equality or range queries on encrypted data in the multi-client settings. First, we propose an efficient multi-client hidden vector encryption (MC-HVE) scheme in bilinear groups and prove the selective security with static corruptions. Our MC-HVE scheme is very efficient since a function key is composed of four group elements, a ciphertext consists of <inline-formula> <tex-math notation="LaTeX">$O(\ell)$ </tex-math></inline-formula> group elements where <inline-formula> <tex-math notation="LaTeX">$\ell $ </tex-math></inline-formula> is the size of a plaintext, and the decryption algorithm only requires four pairing operations. Second, we propose an efficient multi-client range query encryption (MC-RQE) scheme and prove the selective weak security with static corruptions. Our MC-RQE scheme which uses a binary tree is efficient since a ciphertext consists of <inline-formula> <tex-math notation="LaTeX">$O(\log D)$ </tex-math></inline-formula> group elements and a function key consists of <inline-formula> <tex-math notation="LaTeX">$O(n \log D)$ </tex-math></inline-formula> group elements where <inline-formula> <tex-math notation="LaTeX">$D$ </tex-math></inline-formula> is the maximum value of a range.


I. INTRODUCTION
Functional encryption (FE) for predicate queries is a generalization of public-key encryption that can perform queries on encrypted data [1], [2]. In FE for predicates, a sender creates a ciphertext CT by encrypting an input x, and then a receiver who has a function key SK f associated with a predicate f can check whether f (x) = 1 or not by running the decryption algorithm without revealing the input x. FE for predicates can be viewed as a special type of general functional encryption (FE) that allows a function key holder to compute a specific function f (x) on encrypted data without learning anything else about x [3]. FE for predicates can be widely used in situations where querying for encrypted data is required while preserving the privacy of original data such as network log auditing, payment gateway, email filtering, and so on. An initial study on FE for predicate queries began by supporting the equality query on encrypted data [4]. In addition, it has The associate editor coordinating the review of this manuscript and approving it for publication was Sedat Akleylek . been shown that an FE scheme that supports arbitrary circuits can be constructed by using indistinguishability obfuscation at the theoretical level and this FE scheme also can be an FE scheme for arbitrary predicates [5].
In FE for predicates, many clients can generate ciphertexts by using public parameters since it is a public-key system, but the decryption algorithm of FE for predicates can only handle one ciphertext per each operation [1], [2]. If the decryption algorithm can process the query operation on a large number of ciphertexts rather than a single ciphertext, it would be possible to apply FE for predicates to a wider range of applications. One possible application is a network monitoring system that detects risks based on data gathered from multiple network devices. In this case, the distributed network devices independently encrypt the collected data and store the encrypted data in a cloud server. Then, the cloud server queries the abnormal behavior based on the gathered encrypted data for monitoring. For this kind of applications, we can construct a multi-client functional encryption (MC-FE) scheme for predicate queries by using previous MC-FE schemes. However, the previous MC-FE schemes have some problems such that they are based on inefficient indistinguishability obfuscation [6] or they only support a limited number of function key queries because of inner product operations [7].
We would like to build an efficient MC-FE scheme for predicate queries in which multiple clients generate ciphertexts independently and the decryption algorithm can proceed on these multiple ciphertexts. As pointed out above, we can use the MC-FE scheme that supports arbitrary circuits, but this scheme is inefficient due to indistinguishability obfuscation. We can consider extending a previous predicate encryption (PE) scheme to an MC-FE scheme for predicate queries, but it is not easy for the decryption algorithm to process multiple ciphertexts in a single decryption operation because of independent random values in ciphertexts. One possible idea for designing an efficient MC-FE scheme for predicate queries is to modify a hidden vector encryption (HVE) scheme, which is a special PE scheme that supports conjunctive equality [1], to support multiple clients. Kamp et al. [8] proposed the first MC-HVE scheme in bilinear groups by following this approach. However, their MC-HVE scheme is inefficient because the number of pairing operations linearly depends on the number of clients and the number of messages, and the security of their scheme is only proven in the generic group model. Thus, it is an interesting problem to build an efficient MC-HVE scheme with reduction proof under reasonable assumptions or to propose an efficient MC-FE scheme for more expressive predicate queries.
Recently, Chotard et al. [7] proposed an MC-FE for inner product (MC-FE-IP) scheme that supports inner product operations on encrypted data. Since HVE is a special form of FE and Katz et al. [2] proposed a transformation from an inner product predicate encryption (IPE) scheme into an HVE scheme, one can try to construct an MC-HVE scheme from an MC-FE-IP scheme. However, it is not easy to build an MC-HVE scheme from an MC-FE-IP scheme since their transformation only works for IPE, not FE-IP. 1 The reason is that an MC-HVE scheme derived from an MC-FE-IP scheme exposes the inner product results in the decryption process and an attacker can distinguish a challenge ciphertext by using the exposed partial information of ciphertexts if he can obtain enough function keys. A detailed attack is described as follows: Let x 0 , x 1 be challenge messages and y 1 , y 2 be function attributes of HVE such that x 0 , x 1 ∈ {y 1 , y 2 }. By applying the transformation of Katz et al., the challenge message x b is encoded into (rx b , −r) where r is random and the function attributes y 1 , y 2 are encoded into (1, y 1 ) and (1, y 2 ) respectively. An adversary can obtain g r(x b −y 1 ) and g r(x b −y 2 ) by decrypting the challenge ciphertext with two function keys. Next, the adversary derives g r(y 1 −y 2 ) and 1 IPE and FE-IP are similar in that a ciphertext is associated with an attribute vector x and a function key is associated with an attribute vector y, and decryption is related to the inner product operation x, y . However, the decryption of IPE outputs a binary value indicating that x, y = 0 or not, whereas the decryption of FE-IP outputs the inner product value x, y itself. distinguishes the challenge ciphertext by checking whether (g r(y 1 −y 2 ) ) (x 0 −y 1 )/(y 1 −y 2 ) = g r(x b −y 1 ) or not. Thus the adversary can easily break the security of this method with two function keys. Note that function key queries for y 1 and y 2 are allowed in HVE since f y i (x 0 ) = 0 = f y i (x 1 ) by the definition f y (x) = 0 if x = y, but function key queries for (1, y 1 ) and (1, y 2 ) are not allowed in FE-IP since f (1,y i ) ((rx 0 , −r)) = (rx 0 , −r), (1, y i ) = (rx 1 , −r), (1, y i ) = f (1,y i ) ((rx 1 , −r)).
Recall that FE-IP avoid this subtle issue by limiting the number of independent function key queries in the security model. Unlike FE-IP, FE for predicate queries only reveals 0 or 1 in the decryption process, so it is allowed for the attacker to request many independent function keys for a predicate f with the constraint f (X * 0 ) = f (X * 1 ) ∈ {0, 1} where X * 0 , X * 1 are challenge message vectors. Therefore, it is difficult to design an MC-HVE scheme that can allow many independent function keys by using an MC-FE-IP scheme.

A. OUR RESULTS
In this work, we propose efficient MC-FE schemes that support conjunctive equality or range queries and prove the selective security of the proposed schemes. Our results are summarized as follows.

1) MULTI-CLIENT HIDDEN VECTOR ENCRYPTION
We first propose an efficient and secure multi-client hidden vector encryption (MC-HVE) scheme that supports conjunctive equality queries in asymmetric bilinear groups. In MC-HVE, each ciphertext is associated with a message vector x i = (x i,1 , . . . , x i, ) with a time period T and a function key is associated with function attributes Y = ( y 1 , . . . , y n ) where y i = (y i,1 , . . . , y i, ). A conjunctive equality predicate for ciphertexts with the same time period and a function key outputs 1 if x i,j = y i,j for all i and j except wildcard positions. Our MC-HVE scheme is very efficient than the previous MC-HVE scheme of Kamp et al. [8] because the decryption algorithm requires only four pairing operations and a function key consists of just four group elements. Our MC-HVE scheme is proven to be selectively secure with static corruptions in the random oracle model. Note that it provides the selective strong security that allows an attacker to query any function key for a predicate f that satisfies f (X * 0 ) = f (X * 1 ) where X * 0 , X * 1 are challenge message vectors. Additionally, our MC-HVE scheme can be proven without random oracles if the maximum value of a time period is limited to a polynomial value by increasing the size of public parameters. Furthermore, our MC-HVE scheme also can be extended to support more expressive queries by following the HVE encoding method of Boneh and Waters [1].

2) MULTI-CLIENT RANGE QUERY ENCRYPTION
Next, we propose a multi-client range query encryption (MC-RQE) scheme that supports conjunctive range queries on multiple ciphertexts by combining a binary tree with the simple version of our MC-HVE scheme. The simplest way to support range queries is to apply the HVE encoding method VOLUME 10, 2022 of Boneh and Waters [1] to the MC-HVE scheme. However, this encoding method is inefficient since a ciphertext is composed of O(nD) group elements where n is the number of clients and D is the maximum value of the range. In contrast, our MC-RQE scheme is more efficient because a ciphertext is composed of n log D group elements and a function key is composed of O(n log D) group elements. We prove that our MC-RQE scheme provides the selective security with static corruptions under well-known static assumptions in the random oracle model. Our MC-RQE scheme only achieves the selective weak security which allows for an attacker to query any function key satisfying f (X * 0 ) = f (X * 1 ) = 0.

B. OUR TECHNIQUES
In order to design a private-key HVE scheme, we can consider a simple method that encrypts plaintexts by using a pseudo-random function (PRF). However, this PRF-based construction has a problem such that the additional information of plaintexts is leaked because the outputs of PRF on the same plaintexts are the same. To solve this leakage problem, we introduce additional random values and combine them with a cyclic group to form a ciphertext as (g t , g ft ) and a function key as (v fr , v r ) after calculating f = PRF(z, x) for a message x. However, when this method is extended to support multiple clients, it is not easy to check the equality of a message in a ciphertext and an attribute in a function key since individual clients use different random exponents t 1 and t 2 .
To overcome this problem of extending the simple HVE scheme to support multiple clients, we use a method of using a hash function H to synchronize the random values of all clients. For example, two clients generate ciphertexts H (T ) f 1 and H (T ) f 2 , respectively for a time period T , and a center generates a function key (v (f 1 +f 2 )r , v r ) where f 1 = PRF(z 1 , x 1 ) and f 2 = PRF(z 2 , x 2 ). In this case, even though two clients perform encryption independently, they are forced to use the same random element H (T ) = g t . In addition, we modify the function key of this MC-HVE scheme to include additional random values to prove the (strong) security under static assumptions. That is, the ciphertexts are formed as ( 2 ) respectively, and the function key is formed as (v (f 1 +f 2 )r 1 w r 2 1 w where w 1 = v w 1,1 +w 2,1 , w 2 = v w 1,2 +w 2,2 , and r 1 , r 2 , r 3 are random values. The details of our design principle are given in Section III-A.
The idea of designing an MC-RQE scheme that supports efficient range queries is to express the range of values using a binary tree. That is, the value of a range is represented by the path of a binary tree, and a range is represented by the minimum set of internal nodes that cover all leaf nodes corresponding to the range in the binary tree. At this time, each node of the binary tree is set to be associated with the ciphertext and the function key elements of the simple version of our MC-HVE scheme. In addition, we modify this scheme to apply a secret sharing scheme to prevent collusion attacks that derive a new function key by combining different function keys.

C. APPLICATIONS 1) SECURE NETWORK EVENT MONITORING
Hacking attacks on computer systems tend to change from simple attacks targeting a single system to wide-scale organized attacks targeting multiple systems. Thus, it is difficult to grasp such recent network hacking attacks by only monitoring the events of an individual network system. It is necessary to collect information from many network devices and judge a hacking event on the basis of the collected information [9]. One possible solution is for network devices of many companies to collect information at each time period and entrust it to an external security surveillance cloud server. This cloud server can then analyze the collected information to identify hacking attacks. In this case, these companies want to maintain the privacy of the network information they gathered because they do not trust the external surveillance cloud server. By using efficient MC-HVE or MC-RQE scheme, it is possible to build a secure network event monitoring system which allows the cloud server to monitor the network status while preserving the privacy of the information collected by individual devices.

2) PRIVACY-PRESERVING MEDICAL DATA MONITORING
With the development of small medical devices, it is possible to collect medical data of a patient by using these devices that monitor various types of medical information [10]. To diagnose the medical condition of the patient, medical devices collect specialized medical data and store this data in a central cloud server managed by a hospital. The cloud server can then monitor the periodic status of the patient or determine an emergency situation based on the medical data collected by the devices of each patient. However, patients do not want their personal medical data to be exposed for privacy reason. One method to perform health monitoring with ensuring privacy is to use an efficient MC-HVE or MC-RQE scheme. That is, medical devices of a patient periodically store encrypted medical data in a cloud server, and the cloud server performs a query operation on the encrypted data to check the current status of the patient.

D. RELATED WORK 1) SEARCHABLE ENCRYPTION
Searchable symmetric encryption (SSE) is symmetric-key encryption that allows a data owner to outsource encrypted data to a cloud server and then allow keyword searches on the encrypted data. A practical SSE scheme for keyword searches on encrypted data was first proposed by Song et al. [11]. Later, an extended SSE scheme that supports conjunctive keyword searches was proposed by Golle et al. [12]. To improve the performance of search queries, Cash et al. [13] proposed a highly efficient SSE scheme that can handle a large database with supporting conjunctive search queries. A multi-client SSE scheme was presented by Curtmola et al. [14] which one client outsources the encrypted data to a cloud server and other clients can submit search queries on the encrypted data. Although the previous SSE schemes are very efficient, most SSE schemes have additional leakage. Cash et al. [15] presented leakage-abuse attacks on most SSE schemes and showed the danger of many SSE schemes. Recently, Lai et al. [16] proposed an SSE scheme that combines a symmetric-key HVE scheme with Bloom filter indexing to support conjunctive keyword searches with reduced leakage.

2) FUNCTIONAL ENCRYPTION
Functional encryption (FE) is a generalization of public-key encryption that allows fine grained control on disclosure of encrypted data. In FE, a ciphertext CT is associated with an input x, a function key SK f is associated with a function f , and decryption outputs f (x) but nothing else about x is revealed. The concept of FE was introduced by Boneh, Sahai, and Waters [3], [17] and they showed that public-key cryptographic primitives such as identity-based encryption (IBE) [18], attribute-based encryption (ABE) [19], [20], and predicate encryption (PE) [1], [2] are special cases of FE. 2 The first FE scheme for general circuits was proposed by Garg et al. [5] by using indistinguishability obfuscation, public-key encryption, and non-interactive zero-knowledge proof. In the bounded collusion model, FE for general circuits can be constructed from public-key encryption or identity-based encryption [21]- [23]. By extending the concept of FE, Goldwasser et al. [6] proposed a multi-input functional encryption (MI-FE) scheme that handles multiple ciphertexts in a single decryption process and a multiclient functional encryption (MC-FE) scheme that performs the decryption on multiple ciphertexts generated by multiple clients with the same label. Recently, efficient FE schemes that support inner products and quadratic functions were proposed [24]- [27]. These FE schemes for inner products and quadratic functions also can be extended to the multi-input and multi-client settings [7], [27]- [31].

3) PREDICATE ENCRYPTION
A special type of functional encryption is predicate encryption (PE) in which a ciphertext is associated with an input x = (v, m) where v is a hidden attribute and m is a message, and a function key is associated with a predicate f , and decryption outputs the message m if f (v) = 1 is satisfied. Predicateonly encryption (POE) is a specific form of PE in which a binary value f (v) ∈ {0, 1} is only revealed in the decryption process. PE was originally devised for public-key searchable encryption, and anonymous IBE is one of the simplest PE [4]. Boneh and Waters [1] introduced the concept of hidden vector encryption (HVE) that supports conjunctive equality queries with a wildcard character and proposed an efficient HVE scheme in bilinear groups. Katz et al. [2] proposed an innerproduct predicate encryption (IPE) scheme that supports more expressive inner product queries. After that, various PE schemes have been proposed to provide better efficiency or additional functionality [32]- [35]. Shi et al. [36] proposed a multi-dimensional range query on encrypted data (MRQED) scheme that supports efficient conjunctive range queries, and showed that it provides weak attribute hiding security, named the match-revealing security. Later, Lu [37] proposed a symmetric-key PE scheme for range queries that provides strong attribute hiding security. Gay et al. [38] showed that an MRQED scheme can be built in lattices. Gorbunov et al. [39] showed that it is possible to design a PE scheme that supports arbitrary circuits using lattices, but it only guarantees weak attribute hiding security. Recently, Kamp et al. [8] proposed a multi-client HVE (MC-HVE) scheme that supports conjunctive equality queries on multiple clients and analyzed its security in the generic group model.

II. PRELIMINARIES
In this section, we first define asymmetric bilinear groups, complexity assumptions, and pseudo-random functions. Next, we define the syntax and the security of multi-client functional encryption for predicates.

A. BILINEAR GROUPS
A bilinear group generator G takes as input a security parameter λ and outputs a tuple (p, G,Ĝ, G T , e) where p is a random prime and G,Ĝ, and G T be three cyclic groups of prime order p. Let g andĝ be generators of G andĜ, respectively. The bilinear map e : G ×Ĝ → G T has the following properties: 1) Bilinearity: ∀u ∈ G, ∀v ∈Ĝ and ∀a, b ∈ Z p , e(u a ,v b ) = e(u,v) ab . 2) Non-degeneracy: ∃g ∈ G,ĝ ∈Ĝ such that e(g,ĝ) has order p in G T .
We say that G,Ĝ, G T are asymmetric bilinear groups with no efficiently computable isomorphisms if the group operations in G,Ĝ, and G T as well as the bilinear map e are all efficiently computable, but there are no efficiently computable isomorphisms between G andĜ.

B. COMPLEXITY ASSUMPTIONS
We introduce two complexity assumptions in asymmetric bilinear groups. The symmetric external Diffie-Hellman (SXDH) assumption is that the decisional Diffie-Hellman (DDH) assumption holds in two cyclic groups G,Ĝ in asymmetric bilinear groups. The asymmetric 3-party Diffie-Hellman (A3DH) assumption is the asymmetric bilinear group version of the composite 3-party Diffie-Hellman (C3DH) assumption, which was introduced by Boneh and Waters [1] to prove the security of their HVE scheme in composite order bilinear groups. The generalization of this C3DH assumption was used to prove the security of predicate encryption schemes [32], [34].
Assumption 1: (Symmetric eXternal Diffie-Hellman, SXDH): Let (p, G,Ĝ, G T , e) be a bilinear group randomly generated by G(1 λ ). Let g,ĝ be random generators of G,Ĝ respectively. The decisional Diffie-Hellman (DDH) assumption in G is that if the challenge tuple D = (p, G,Ĝ, G T , e), g, g a , g b ,ĝ and Z are given, no probabilistic polynomial-time (PPT) algorithm A can distinguish Z = Z 0 = g ab from Z = Z 1 = g c with more than a negligible advantage. The advantage of A is defined as Adv DDH where the probability is taken over random choices of a, b, c ∈ Z p . The SXDH assumption is that the DDH assumption holds in both G andĜ.
Assumption 2: (Asymmetric 3-party Diffie-Hellman, A3DH): Let (p, G,Ĝ, G T , e) be a bilinear group randomly generated by G(1 λ ). Let g,ĝ be random generators of G,Ĝ respectively. The A3DH assumption is that if the challenge tuple D = (p, G,Ĝ, G T , e), g, g a , g b , g ab , g abc ,ĝ,ĝ a ,ĝ b and Z are given, no PPT algorithm A can distinguish Z = Z 0 = g c from Z = Z 1 = g d with more than a negligible advantage. The advantage of A is defined as Adv A3DH where the probability is taken over random choices of a, b, c, d ∈ Z p .

C. PSEUDO-RANDOM FUNCTION
A pseudo-random function (PRF) is an efficiently computable function F : K × X → Y where K is the key space, X is the domain, and Y is the range. Let F(k, ·) be an oracle for a uniformly chosen k ∈ K and f (·) be an oracle for a uniformly chosen function f : X → Y. We say that a PRF is secure if for all efficient adversaries A the advantage Adv PRF

D. MULTI-CLIENT FUNCTIONAL ENCRYPTION FOR PREDICATES
Multi-client functional encryption (MC-FE) for predicates is a symmetric-key version of multi-input functional encryption (MI-FE) introduced by Goldwasser et al. [6] in which each client holds an encryption key, a ciphertext is additionally associated with a time period, and the output of a function f is restricted to be {0, 1}. A system that uses an MC-FE scheme for predicates consists of a trusted center that generates function keys, a number of clients that create ciphertexts on plaintexts, and a cloud server that performs decryption operations on encrypted plaintexts. First, the trusted center performs the setup algorithm to generate a master key MK , each encryption key EK i for each client, and the public parameter PP. Each client generates a ciphertext CT i by encrypting a message x i for a time period T and transmits the ciphertext to the cloud server. The cloud server receives a function key SK f for a predicate f from the trusted center. If the ciphertexts CT 1 , . . . , CT n sent by the clients are generated at the same time period T , then the cloud server can obtain f (x 1 , . . . , x n ) ∈ {0, 1} by running the decryption algorithm. The detailed syntax of the MC-FE scheme for predicates is described as follows.  [6]. In this security model, an attacker first specifies corrupted clients and all challenge ciphertext queries in which each ciphertext query is specified by two challenge messages X 0 , X 1 and a challenge time period T , and then it receives the encryption keys of corrupted clients and public parameters. After that, the attacker can query a function key for a predicate f with a constraint f (X 0 ) = f (X 1 ). And the attacker also queries a challenge ciphertext for challenge messages X 0 , X 1 and a time period T that were submitted initially and receives challenge ciphertexts that are the encryption of one of the two challenge messages. Finally, if the challenge message is correctly guessed, the attacker wins this game. The detailed definition of this selective security is described as follows. • If this is a function key query for a predicate f with the restriction that f (X 0 , ·) = f (X 1 , ·) for each challenge X 0 , X 1 , then C gives a function key SK f to A by running GenKey(f , MK , PP) where · indicates the messages of corrupted clients.
• If this is a challenge ciphertext query for challenge messages X 0 , X 1 , and a time period T that were already submitted in the initialization step, then C gives challenge ciphertexts

An MC-FE scheme for predicates is selectively IND-secure with static corruptions if for all PPT adversary A, the advantage of A defined as Adv SE-IND
2 is negligible in the security parameter λ. Handling multiple challenge ciphertexts in the selective security proof is rather complicated. To facilitate the proof of the selective security, we define the selective single-challenge security that considers single-challenge ciphertext. Fortunately, it is known through existing studies that the single-challenge security and the multiple-challenge security are the same by using a simple hybrid argument [6], [30].

3) Query: A adaptively requests function keys or ciphertexts. C handles these queries as follows:
• If this is a function key query for a predicate f with the restriction that f (X * 0 , ·) = f (X * 1 , ·), then C gives a function key SK f to A by running GenKey(f , MK , PP) where · indicates the messages of corrupted clients.
• If this is a ciphertext query for a client index i ∈ I , a message x i , and a time period T with the restriction that T = T * , then C gives a ciphertext CT i,T to A by running Encrypt(

5) Query: A additionally requests function keys or cipher-
texts. C handles these queries in a similar way to the previous query step.

III. MULTI-CLIENT HIDDEN VECTOR ENCRYPTION
In this section, we present an efficient MC-HVE scheme in asymmetric bilinear groups and analyze the security of our scheme under static assumptions.

A. DESIGN PRINCIPLE
To understand the design principle of our MC-HVE scheme, we consider a simple example in which two clients encrypt messages x 1 and x 2 , respectively. We first note that an MC-HVE scheme is a private-key setting since each client uses an independent encryption key. A simple method to achieve a conjunctive equality operation in the symmetric-key setting is to use a pseudo-random function (PRF). That is, individual clients encrypt messages x 1 , x 2 as x 2 ) by using a PRF and encryption keys z 1 , z 2 , and a trusted center generates a function key for the list of attributes Y = (y 1 , y 2 ) as f Y = f 1 +f 2 = PRF(z 1 , y 1 ) + PRF(z 2 , y 2 ). In this case, it is easy to check the conjunctive equality of PRF values by simply comparing the PRF values. However, this method has a problem such that ciphertexts leak the partial information of messages since the outputs of the PRF are deterministic. In addition, it is uncertain how to bind a ciphertext with a time period T to prevent mix-and-match attacks.
In order to solve the partial information leakage problem, the PRF values should not be directly exposed to an attacker, and the ciphertexts should be randomized by including additional random values. To do this, we introduce a cyclic group G and form ciphertexts for each client as (g t , g f 1 t ) and (g t , g f 2 t ) in which the PRF values are placed in the exponent of an element g ∈ G and an additional random exponent t is multiplied. If the DDH assumption holds in the cyclic group, then these ciphertexts do not reveal the partial information since these elements are not distinguished from random elements. A function key can also be constructed in the form of (v (f 1 +f 2 )r , v r ) using an additional random exponent r to prevent partial information leakage. The problem of this method is that the handling of conjunctival equality queries is difficult since ciphertexts and function keys are randomized. Fortunately, if an asymmetric bilinear group is used, it is possible to compute e(g t , v (f 1 +f 2 )r ) = e(g (f 1 +f 2 )t , v r ) to check whether the conjunctive equality is satisfied or not.
However, in the multi-client setting, two clients generate ciphertexts by using different random exponents t 1 and t 2 rather than the same random exponent t. Because of this different randomness, it is difficult to perform the conjunctive equality query by using the pairing operation since the exponent values f 1 t 1 and f 2 t 2 are not aggregated into (f 1 + f 2 )(t 1 + t 2 ). To overcome this problem, we adopt the method of using a hash function which was used to build a synchronized aggregate signature scheme [40] and to design a privacy-preserving data aggregation scheme [41]. That is, a hash value H (T ) for a time period T is used to create a ciphertext instead of using g t . In this case, client ciphertexts consist of H (T ) f 1 , H (T ) f 2 and a function key has the same form as before (v (f 1 +f 2 )r , v r ). Here, two clients can agree the same random element by computing H (T ) for the same time period T , and the attacker cannot obtain the partial information of the message without solving the discrete logarithm of H (T ) = g t .
In the above construction, if the attacker does not request function key queries, then the construction can be secure because the structure of ciphertexts is related to the DDH assumption. However, it is not easy to prove the security of the above construction in the selective security model since an attacker can query not only non-matching function key queries but also matching function key queries. In particular, in the security model, the attacker is allowed to query on an arbitrary predicate f satisfying f (X * 0 ) = f (X * 1 ). That is, not only the non-matching function key query of f (X * 0 ) = f (X * 1 ) = 0 but also the matching function key query of f (X * 0 ) = f (X * 1 ) = 1 should be allowed. To prove the selective security, we modify the above construction to include additional two random exponents in a function key. That is, a function key is formed as (v (f 1 +f 2 )r 1 w r 2 and two ciphertexts of clients are formed as ( where w 1 = v w 1,1 +w 2,1 and w 2 = v w 1,2 +w 2,2 . This method of adding additional random exponents to the function key is widely used in the construction of previous HVE schemes [1], [32], [35]. Specifically, we use the proof technique of Shi and Waters [32], used for the construction of an efficient delegatable HVE scheme, by associating two random exponents r 2 , r 3 in a correlated way to handle the matching function key queries in the security proof.

B. PREDICATE FOR CONJUNCTIVE EQUALITY WITH WILDCARDS
Let be a finite set of attributes and let * be a special symbol not in . We define * = ∪ { * } where the star * plays the role of a wildcard character. Let Y = ( y 1 , . . . , y n ) be a list of vectors where y i = (y i,1 , . . . , y i, ) ∈ * and X = ( We define a predicate f Y over n× for conjunctive equality with wildcards as Let PRF be a pseudo-random function. Our MC-HVE scheme that supports conjunctive equality queries with wildcards is described as follows. MC-HVE.Setup(1 λ , n): Let λ be the security parameter and n be the number of clients. It first obtains a bilinear group (p, G,Ĝ, G T , e) of prime order p by running G(1 λ ). Let g,ĝ be random generators of G,Ĝ respectively. It chooses random PRF keys {z i } n i=1 and a random elementv ∈Ĝ. It selects random exponents It selects a hash function H : {0, 1} * → G from the family of hash functions. It outputs a master key MK = for all clients, and public parameters PP as (p, G,Ĝ, G T , e), g,ĝ, n, , H .

MC-HVE.GenKey
by using MK . It chooses random exponents r 1 , r 2 , r 3 ∈ Z p and outputs a function key SK Y by implicitly including the wildcard positions of Y as It outputs a ciphertext CT i,T by implicitly including i and T as 3 ) for a time period T and SK Y = (K 0 , K 1 , K 2 , K 3 ) for a list of vectors Y = ( y 1 , . . . , y n ). Let S be the set of index tuples (i, j) that are not wildcard positions in Y . It checks the following equation If this check succeeds, it outputs 1. Otherwise, it outputs 0.

D. CORRECTNESS
We show that our MC-HVE scheme satisfies the correctness property. If the messages of client's ciphertexts for the same time period and the attributes of a function key are the same except for the wildcard positions, the following equation is satisfied.
In contrast, if the messages in ciphertexts and function key are different at least one position, then the above equation is satisfied only with negligible probability since the outputs of PRF will be different when the inputs are different.

E. SECURITY ANALYSIS
In this section, we show that our proposed MC-HVE scheme provides the selective single-challenge security. To briefly describe the proof, we first show that our scheme is selectively single-challenge secure when all clients are not corrupted. We next show that this scheme also provides the selective single-challenge security even if statically fixed clients are corrupted.
The basic idea of proving the selective single-challenge security with no corruptions of our MC-HVE scheme is to change all challenge ciphertext elements of the message positions having different challenge message values to random elements. In this case, an attacker cannot win the security game because it cannot obtain any useful information to distinguish X * 0 from X * 1 . In order to implement this idea in the proof, it is essential to devise a method to simulate function keys for any predicate f Y satisfying f Y (X * 0 ) = f Y (X * 1 ) requested by the attacker without knowing the master key. Specifically, it is needed for a simulator to generate both nonmatching function keys such that f Y (X * 0 ) = f Y (X * 1 ) = 0 and matching function keys such that f Y (X * 0 ) = f Y (X * 1 ) = 1. In order to handle these non-matching function keys and matching function keys in the security proof, we would like to use the proof methods of the previous HVE schemes [1], [32], [35]. One problem is that the previous HVE schemes are defined in the public-key setting, but our MC-HVE scheme is defined in the private-key setting. To overcome this problem, we observe that changing the pseudo-random function (PRF) to truly random function (TRF) in the security proof allows the simulator to program the TRF outputs of uncorrupted clients as desired by using the lazy sampling technique. Thus, we fix a target challenge message in the selective security game and carefully program the TRF outputs to be similar to the proof setting of the previous HVE schemes. Additionally, we modify the proof methods of previous HVE schemes to be suitable for the multi-client setting. The detailed security proof of our MC-HVE scheme is given as follows.
To argue that the adversary cannot win this security game, we define a sequence of hybrid games which are defined as follows: Game G 0 . This game G 0 denotes the selective singlechallenge game which is defined in Section 3 where I = ∅ for no corruptions. Game G 1 . This game G 1 is almost identical to the game G 0 except the generation of function keys. Let S be the set of index tuple (i, j) that are not wildcard positions in function attributes Y = ( y 1 , . . . , y n ) where y i = (y i,1 , . . . , y i, ). Any function key query requested by the adversary should be one of the following types: In this query, we have In this query, we have In this game, a simulator initially chooses a random value π ∈ Z p . To handle a type-1 function key query, the simulator chooses two random exponents r 1 , r 3 and sets r 2 = π r 3 in a correlated way by using the fixed π.
To handle a type-2 function key query, the simulator chooses three independent random exponents r 1 , r 2 , and r 3 . Game G 2 . In this game G 2 , we replace the pseudo-random function PRF(z i,j , x) with the truly random function TRF i,j (x) for all i, j. This change can be easily done by the security of PRF. VOLUME 10, 2022 Game G 3 . This game G 3 is similar to the game G 2 except the generation of the challenge ciphertext. In this game, the simulator slightly changes the generation of challenge ciphertext elements as Note that even the adversary that has a type-1 function key cannot distinguish the changed challenge ciphertext elements since it gets n i=1 ρ i ·π + n i=1 φ i = 0 during the decryption process. Game G 4 . This final game G 4 differs from the game G 3 in that for all index tuple (i, j) ∈ E, the challenge ciphertext element C i,j,1 is generated as a random element. In this game, the challenge ciphertext gives no information about the challenge message X * µ . Therefore, the advantage of the adversary in this game is zero. Let S G i A be the event that an adversary wins in a game G i . From the following lemmas 1, 2, 3, and 4, we obtain the following result where n is the size of the challenge message. This completes our proof. Lemma 1: If the SXDH assumption holds, then no polynomial-time adversary can distinguish between G 0 and G 1 with a non-negligible advantage.
Proof: To prove this lemma, we introduce a new complexity assumption by extending the DDH assumption. The multi-DDH assumption is that if the challenge tuple D = (p, G,Ĝ, G T , e), g,ĝ,ĝ a ,ĝ b 1 , . . . ,ĝ b n and Z = (Z 1 , . . . , Z n ) are given, no PPT algorithm A can distinguish Z = Z 0 = (ĝ ab 1 , . . . ,ĝ ab n ) from Z = Z 1 = (ĝ c 1 , . . . ,ĝ c n ) with more than a negligible advantage where a, b 1 , . . . , b n , c 1 , . . . , c n are randomly chosen in Z p . The multi-DDH assumption holds if the DDH assumption holds from the random self-reducibility of the DDH assumption [7].
Suppose there exists an adversary A that distinguishes between G 0 and G 1 with a non-negligible advantage. A simulator B that solves the multi-DDH assumption using A is given: a challenge tuple D = ((p, G,Ĝ, G T , e), g,ĝ,ĝ a ,ĝ b 1 , . . . ,ĝ b q ) and Z = (Z 1 , . . . , Z q ) where Z = (ĝ ab 1 , . . . ,ĝ ab q ) or Z = (ĝ c 1 , . . . ,ĝ c q ) where q is the maximum number of type-1 queries. Then B that interacts with A is described as follows: Init: A submits challenge message lists X * 0 = ( x 0,1 , . . . , x 0,n ), X * 1 = ( x 1,1 , . . . , x 1,n ) ∈ n , and a challenge time period T * . B then flips a random coin µ internally to fix X * µ as the target message list. Setup: B first chooses random PRF keys {z i } n i=1 . It also selects random exponents v , 2 , and then implicitly setsv , and PP by using these selected elements.
Query: A adaptively requests hash, function key, and ciphertext queries. B handles these queries as follows: If this is a hash query for a time period T , then B proceeds as follows: If T was queried before, then it retrieves (T , h, −) from a hash list and returns h. Otherwise, it selects a random element h ∈ G, stores (T , h, −) to a hash list, and then returns h. If this is a function key query for a list of vectors Y = ( y 1 , . . . , y n ), then B generates a function key depending on the type of function key queries as follows: • Case Type-1: Let k be the index of type-1 function key queries. It calculates f y = (i,j)∈S PRF(z i,j , y i,j ) by using MK . Next, it chooses a random exponent r 1 ∈ Z p and creates a function key depending on the index k as If Z k =ĝ ab k , then B plays the game G 1 since this function key is correctly distributed with setting r 2 = ab k , 2 . Otherwise (Z k =ĝ c k ), B plays the game G 0 since it implicitly sets r 2 = c k , r 3 = b k .
• Case Type-2: It simply creates a function key by running the GenKey algorithm since it knows MK . If this is a ciphertext query for a client index i, a message vector x i , and a time period T , then B generate a ciphertext by running the Encrypt algorithm since it knows EK i .
Lemma 2: If the PRF scheme is secure, then no polynomial-time adversary can distinguish between G 1 and G 2 with a non-negligible advantage.
Proof: This proof is relatively straightforward from the security of PRF. That is, we can use additional hybrid games that change a PRF to a truly random function one by one. Note that there are at most n number of z i,j in the security proof. We omit the details of this proof.
Lemma 3: If the A3DH assumption holds, then no polynomial-time adversary can distinguish between G 2 and G 3 with a non-negligible advantage.
Proof: Suppose there exists an adversary A that distinguishes between G 2 and G 3 with a nonnegligible advantage. A simulator B that solves the A3DH assumption using A is given: a challenge tuple D = ((p, G,Ĝ, G T , e), g, g a , g b , g ab , g abc ,ĝ,ĝ a ,ĝ b ) and Z where Z = g c or Z = R. Then B that interacts with A is described as follows.
Setup: B proceeds the following steps: 1) It first selects random exponents It also sets π = −φ /ρ for type-1 function key queries. 2) We now define the value of TRF. Let x i,j be a message for a client i and x * µ,i,j be the challenge message for the same client index i. If

3) For the target message list
If Z = g c , then it plays the game G 2 by the following equations d)φ i and plays G 3 by the following equations

Query:
A adaptively requests hash, function key, and ciphertext queries. B handles these queries as follows.
If this is a hash query for a time period T , then B proceeds as follows: If T was queried before, then it retrieves (T , h, −) from a hash list and returns h. Otherwise, it performs: • Case T = T * : It sets H (T * ) = g abc and stores (T * , H (T * ), −) to H -list. It then returns g abc .
• Case T = T * : It selects a random exponent h ∈ Z p and stores (T , H (T ) = (g ab ) h , h ) to H -list. It then returns (g ab ) h . If this is a function key query for a list of vectors Y = ( y 1 , . . . , y n ) where y i = (y i,1 , . . . , y i, ), then B generates a function key as follows: It first defines two index sets A and A for the list of vectors Y as It then creates a function key depending on the type of this function key as follows: It chooses random exponents r 1 , r 3 ∈ Z p and implicitly defines the randomness as where r 2 and r 3 are correlated as r 2 = πr 3 with the fixed π = −φ /ρ . Next, it creates a function key by using the randomness as This type-1 function key is correctly distributed by the following equation by retrieving f i,j for the set A and selecting a fixed random f i,j for the set A since A = ∅ where f S = (i,j)∈S f i,j and f A = (i,j)∈A f i,j . It chooses random exponents r 1 , r 2 , r 3 ∈ Z p and implicitly defines the randomness as r 1 := r 1 /b + φ r 3 /ab, r 2 := φ r 2 /b, where r 1 , r 2 , and r 3 are independent random values since f A = 0 except with negligible probability. Next, it creates a function key by using the defined randomness as This type-2 function key is correctly distributed by the following equation If this is a ciphertext query for a client index i, a message vector x i = (x i,1 , . . . , x i, ), and a time period T = T * , then B retrieves (T , H (T ) = (g ab ) h , h ) from the H -list and generates a ciphertext as follows: For each j ∈ [ ], it performs: Next, it generates a ciphertext as C i,j,1 j=1 , Guess: A outputs a guess µ . If µ = µ , it outputs 1. Otherwise, it outputs 0.
• If (i, j) ∈ E and (i, j) ≤ (i δ , j δ ), then it creates C i,j,1 as a random element in G.
• If (i, j) ∈ E and (i, j) > (i δ , j δ ), then it creates C i,j,1 normally. The simulator generates challenge ciphertext elements C i,2 , C i,3 as the same way as G 3 . It is obvious that H 3,(n, ) = G 4 . Suppose there exists an adversary A that distinguishes between H 3,(i δ ,j δ −1) and H 3,(i δ ,j δ ) with a non-negligible advantage. Without loss of generality, we assume that (i δ , j δ ) ∈ E since H 3,(i δ ,j δ −1) = H 3,(i δ ,j δ ) if (i δ , j δ ) ∈ E. A simulator B that solves the A3DH assumption using A is given: a challenge tuple D = ((p, G,Ĝ, G T , e), g, g a , g b , g ab , g abc ,ĝ a ,ĝ b ) and Z where Z = g c or Z = R. Then B that interacts with A is described as follows.
Query: A adaptively requests hash, function key, and ciphertext queries. B handles these queries as follows. If this is a hash query for a time period T , then B proceeds as follows: If T was queried before, then it retrieves (T , h, −) from a hash list and returns h. Otherwise, it performs: • Case Type-1: In this case, we have (i δ , j δ ) / ∈ S since (i δ , j δ ) ∈ E and S ∩ E = ∅. It implicitly calculates It chooses random exponents r 1 , r 3 ∈ Z n and implicitly defines the randomness as r 1 := r 1 /ab, r 2 := φ r 3 /b, r 3 := −ρ r 3 /b.
Next, it creates a function key by using the defined randomness as This function key is correctly distributed since it is the same as that of Lemma 3.
• Case Type-2 and (i δ , j δ ) / ∈ S: It implicitly calculates by retrieving f i,j for the set A and selecting a fixed ran- It chooses random exponents r 1 , r 2 , r 3 ∈ Z n and implicitly defines the randomness as where r 1 , r 2 , and r 3 are independent random values since (i,j)∈A f i,j = 0 except with negligible probability. Next, it creates a function key by using the randomness as This function key is correctly distributed since it is the same as that of Lemma 3.
• Case Type-2 and (i δ , j δ ) ∈ S: by retrieving f i,j for the set A and selecting a fixed random f i,j for the set µ,i δ ,j δ and τ = 1 otherwise. It chooses random exponents r 1 , r 2 , r 3 ∈ Z n and implicitly defines the randomness as where r 1 , r 2 , r 3 are independent random values since f A δ +τ f i δ ,j δ = 0 except with negligible probability. Next, it creates a function key by using the randomness as −ω 2 (f i δ ,j δ r 1 +ρ r 2 ) g −ω 2 f i δ ,j δ r 3 ,

VOLUME 10, 2022
This function key is correctly distributed by the following equation If this is a ciphertext query for a client index i, a message vector x i = (x i,1 , . . . , x i, ), and a time period T = T * , then B retrieves (T , H (T ) = (g ab ) h , h ) from the H -list and generates a ciphertext as follows: For each j ∈ [ ], it performs: Next, it generates a ciphertext as C i,j,1 j=1 , Guess: A outputs a guess µ . If µ = µ , it outputs 1. Otherwise, it outputs 0.
We have shown that our MC-HVE scheme provides the selective single-challenge security when all clients are not corrupted. Now we show that our MC-HVE scheme still provides the selective single-challenge security when corrupted clients are statically fixed. In other words, if there is an attacker A that breaks the selective single-challenge security with static corruptions of the MC-HVE scheme, then another algorithm B that uses the attacker A as a sub-algorithm can break the selective single-challenge security with no corruptions of the MC-HVE scheme.
The basic idea of this proof is that a simulator directly selects encryption keys for corrupted clients. In this case, the generation of function keys can be problem since function key elements composed of secret components corresponding to corrupted clients and uncorrupted clients. Fortunately, in our MC-HVE scheme, it is possible to convert a function key SK for uncorrupted clients to another function key SK associated with all clients by using the encryption keys of corrupted clients. The detailed proof of this is described in the following theorem.

Theorem 2: The above MC-HVE scheme is selectively single-challenge IND-secure with static corruptions in the random oracle model if the MC-HVE scheme is selectively single-challenge IND-secure with no corruptions.
Proof: Suppose there exists an adversary A that breaks the selective single-challenge IND-security with static corruptions. By using A, a simulator B try to break the selective single-challenge IND-security with no corruptions played by a challenger C. The simulator B is described as follows: Init: A submits the set of corrupted client indexes I , two challenge message lists X * 0 , X * 1 , and a challenge time period T * . Let I = {1, . . . , n} \ I be the set of uncorrupted client indexes. B submits two challenge message lists X * 0 , X * 1 , the challenge time period T * to C. Note that C plays the selective single-challenge game with no corruptions for the set I .
Setup: B receives PP from C. It chooses random PRF keys 1 , ω i,2 )} i∈I and PP to A. It derives z i,j = PRF(z i , j) for all i ∈ I and j ∈ [ ] for later use. Challenge: B receives challenge ciphertexts {CT i,T * } i∈I from C and gives {CT i,T * } i∈I to A.
Query: A adaptively requests hash, function key, and ciphertext queries. B handles these queries as follows: If this is a hash query for a time period T , then B relays this query to C and gives the response of C to A. If this is a function key query for a list of vectors Y = ( y 1 , . . . , y n ), then B proceeds as follows: 1) It first sets Y = {y i } i∈I derived from Y . It requests a function key for Y to C and receives a function key SK Y = (K 0 , K 1 , K 2 , K 3 ) for the set I . 2) Let S be the set of index tuples (i, j) that are not wildcard positions in Y = { y i } i∈I . It calculates f Y = (i,j)∈S PRF(z i,j , y i,j ) and computes to A. If this is a ciphertext query for a client index i ∈ I , a message vector x i , and a time period T = T * , then B relays this query to C and gives CT i,T from C to A.
Guess: A outputs a guess µ . B also outputs µ .

F. DISCUSSIONS 1) EFFICIENCY ANALYSIS
We compare our MC-HVE scheme with other MC-HVE schemes in Table 1. In our MC-HVE scheme, a ciphertext consists of + 2 group elements per each client, and n( + 2) group elements for n clients. A function key in our scheme is very compact because it consists of just 4 group elements, regardless of the number of clients. The encryption algorithm consists of PRF operations and + 2 exponentiation operations per each client. The function key generation algorithm consists of n PRF operations and 6 exponentiation operations. The decryption algorithm consists of O(n ) multiplication operations and only 4 pairing operations, which are independent of the number of clients and the number of messages. In the MC-HVE scheme of Kamp et al. [8], a ciphertext consists of 2n group elements and a function key consists of 2n group elements. The decryption algorithm of their scheme requires 2n pairing operations which are linearly dependent on the number of clients and the number of messages. Therefore, our MC-HVE scheme is more efficient in terms of ciphertext size, function key size, and the performance of the decryption algorithm compared to the previous MC-HVE scheme.

2) SUPPORTING COMPARISON AND RANGE QUERIES
Boneh and Waters [1] presented an HVE scheme which is a special kind of predicate encryption, and showed that it can be extended to support conjunctive comparison, range, and subset queries by carefully encoding the messages of ciphertexts and the attributes of function keys. Our MC-HVE scheme also can be extended to support conjunctive comparison, range, and subset queries in the multi-client setting by using the same extension method of them. However, this extension method only works for a small domain {1, . . . , D} since the ciphertext of this extension method consists of O(D) group elements. In order to overcome this problem, we propose a multi-client range query encryption scheme which supports conjunctive range queries for a large domain in the next section.

3) SUPPORT FOR DYNAMIC NUMBER OF CLIENTS
The number of clients supported by our MC-HVE scheme is fixed at n. In a real environment, the number of clients can start with a small value and grow to a large value over time. Fortunately, our MC-HVE scheme allows the number of clients to grow dynamically over time because it supports a wildcard in the attributes of a function key. Let n be the maximum number of clients and n 1 be the current number of clients. In this case, a trusted center generates a function key so that all vectors y n 1 +1 , . . . , y n have a wildcard character. The encryption algorithm is the same as before, but the center additionally creates ciphertext elements {C i,2 , C i,3 } for n 1 + 1 ≤ i ≤ n and publishes these elements. The decryption algorithm is the same as before. If the number of clients increases from n 1 to n 2 at a time period T , a new function key issued by the center can process ciphertexts associated with the same time period T ≥ T which are generated by n 2 number of clients.

4) SUPPORT FOR DIFFERENT NUMBER OF ATTRIBUTES
In our MC-HVE scheme, the number of attributes supported by each client is fixed to the same value . With a slight modification, our MC-HVE scheme can handle a case where the number of attributes for each individual client is different by using the fact that a wildcard can be included in the attributes of a function key. For example, suppose that a client with an index i supports i number of attributes such that i ≤ where is the maximum number of attributes in each client. In this case, the encryption algorithm is same as before except that it creates ciphertext elements up to i . A center, which stores all number of attributes for individual clients, creates a function key which is set with a wildcard for all attributes y i,j in a client index i and a location j such that 1 ≤ i ≤ n and i + 1 ≤ j ≤ .

5) REMOVING RANDOM ORACLES
To provide multi-client functionality, our MC-HVE scheme uses a hash function which is modeled as a random oracle in the security proof. That is, because each client generates a ciphertext by using the same hash H (T ) for the same time period T , all clients are synchronized to use the same encryption random even if they independently perform the encryption algorithm. However, it is a very strong assumption that the hash function works like the random oracle. Thus, it is necessary to design an efficient MC-HVE scheme that does not use the random oracle. One way to remove the random oracle is to provide all group elements associated with individual time periods to the public parameters. That is, if the maximum time period T max is restricted to be a polynomial value, all group elements h 1 , . . . , h T max are provided in the public parameters and the encryption algorithm uses h T instead of H (T ).

IV. MULTI-CLIENT RANGE QUERY ENCRYPTION
In this section, we propose a multi-client range query encryption scheme by using a binary tree and prove the selective security under static assumptions.

A. DESIGN PRINCIPLE
To support efficient range queries, we use a binary tree to represent values. The method to effectively represent values and ranges using a binary tree was used by Shi et al. [36] VOLUME 10,2022 to design a multi-dimensional range query on encrypted data (MRQED) scheme. In order to design a multi-client range query encryption (MC-RQE) scheme, we try to combine a binary tree and a simplified MC-HVE scheme for each node in the tree. However, the method of simply applying the MC-HVE scheme to the binary tree can lead to collusion attacks such that different function keys can be mixed to derive new function keys. In order to prevent this collusion attacks, we apply a secret sharing scheme so that only the function key elements contained in the same function key can be combined for the decryption process.

B. BINARY TREE
A perfect binary tree BT is a tree data structure in which all internal nodes have two child nodes and all leaf nodes have the same depth. Let D = 2 be the number of leaf nodes in BT . The number of all nodes in BT is 2D − 1 and we denote v i as a node in BT . The depth d i of a node v i is the length of the path from a root node to the node. The root node of a tree has depth zero. The depth of BT is the length of the path from the root node to a leaf node. A level of BT is a set of all nodes at given depth. Each node v i ∈ BT has an identifier L i ∈ {0, 1} * which is a fixed and unique string. A subtree T i in BT is defined as a tree that is rooted at a node v i ∈ BT .
Let BT be a perfect binary tree with D = 2 leaf nodes. We define the following two functions in BT .

Path(BT , x): It takes as input a tree BT and a value x ∈ [D].
Let v x be a leaf node in BT that is assigned to x. Let (v x,0 , v x,1 , . . . , v x, ) be the path from a root node v x,0 to the leaf node v x, = v x . It sets a path set PV x = (v x,0 , . . . , v x, ) and outputs PV x . Cover(BT , y = (y L , y R )): It takes as input a tree BT and a range (y L , y R ) ∈ [D] 2 such that y L ≤ y R . Let v L and v R be leaf nodes assigned to y L and y R respectively. Let S be the set of leaf nodes from v L to v R , and R be the set of all leaf nodes excluding S. It computes the Steiner Tree ST (R) which is the subtree of BT that connects all nodes in R with the root node. Let T y,1 , . . . T y,m be all the subtrees of BT that hang off ST (R), that is all subtrees whose roots v y,1 , . . . v y,m are not in ST (R) but adjacent to nodes of outdegree 1 in ST (R). It outputs a cover set CV y = (v y,1 , . . . , v y,m ). For the path set PV x and the cover set CV y defined in the above two algorithms, the following properties are established. 1) If x ∈ [y L , y R ], then there is only one node in PV x ∩ CV y . 2) If x ∈ [y L , y R ], then PV x ∩ CV y = ∅.
3) The maximum size of CV y is 2 log D.

D. CONSTRUCTION
We propose an MC-RQE scheme that combines a simplified MC-HVE scheme with a binary tree to efficiently process range queries. The detailed description of our scheme is given as follows.

MC-RQE.Setup(1 λ , n):
Let n be the number of clients and be the depth of a perfect binary tree. It obtains a bilinear group (p, G,Ĝ, G T , e) of prime order p by running G(1 λ ). Let g,ĝ be random generators of G,Ĝ respectively. It chooses random PRF keys , and a random element v ∈Ĝ. It selects a hash function H from the family of hash functions. It outputs a master key MK = PRF(z i , v i,j ) and computes a node key NK i,j by selecting random exponents r i,j,1 , r i,j,2 , r i,j,3 ∈ Z p as It outputs a ciphertext CT i,T as MC-RQE.Decrypt(CT 1,T , . . . , CT n,T , SK Y , PP): 3 ) and SK Y = (SK 1 , . . . , SK n ) where SK i = (CV i , NK i,1 , . . . , NK i,m i ) and 3 ) ∈ CT i,T for some j i and (K i,j i ,0 , K i,j i ,1 , K i,j i ,2 , K i,j i ,3 ) ∈ SK i for some j i with the restriction that the node depth of j i and the node depth of j i are the same, it checks the following equation If this check succeeds, it outputs 1 since it found a matching combination. Otherwise, it continues to the next combination. 2) Finally, it outputs 0 since it fails to find a matching combination.

E. CORRECTNESS
If f X (Y ) = 1 is satisfied for the message X of a ciphertext and the range Y of a function key, then one common node exists for each client by the property of the path set in a ciphertext and the cover set in a function key. Thus, we can derive the following equation since the PRF value f i,j of the ciphertext matches one of the PRF values {f i,j } of the function key.

F. SECURITY ANALYSIS
In order to prove the selective single-challenge weak security of our MC-RQE scheme, we first prove this security in the absence of corrupted clients, and then prove this security in the case where the corrupted clients are statically fixed. The basic idea of proving the selective single-challenge weak security of the MC-RQE scheme in the no corrupted clients setting is similar to the proof of the MC-HVE scheme. That is, all challenge ciphertext elements associated with different nodes among the path nodes which are associated with the challenge messages X * 0 , X * 1 are changed to random elements. The overall structure of the security proof is similar to that of the MC-HVE scheme. However, there is a considerable difference from the proof of the MC-HVE scheme since the proof of our MC-RQE scheme must deal with nodes in the binary tree. For further details of this proof, please refer to the following theorem.
} which are partitions of all nodes in the path set. To argue that the adversary cannot win this game, we define a sequence of hybrid games as follows: Game G 0 . The first game G 0 denotes the selective singlechallenge weak security game which is defined in Section 3 where I = ∅ for no corruptions. Game G 1 . In this game G 1 , we replace the pseudo-random functions PRF(z i , x) with the truly random function TRF i (x) for all i. This change can be easily done by the security of PRF. Game G 2 . This game G 2 is similar to the game G 1 except the generation of the challenge ciphertext. In this game, the simulator slightly changes the generation of challenge ciphertext elements as C i,2 = H (T * ) ω i,1 g ρ i and C i,3 = H (T * ) ω i,2 g φ i for all index i ∈ [n] with random exponents ρ i and φ i . Game G 3 . This final game G 3 differs from the game G 2 in that the challenge ciphertext elements {C i,j,1 } associated with E i are generated as random elements for all i ∈ [n]. Thus the challenge ciphertext gives no information about the challenge message X * µ . Therefore, the advantage of the adversary in this final game is zero.

Let S G i
A be the event that an adversary wins in a game G i . From the following lemmas 5, 6, and 7, we obtain the following result where n is the size of the challenge message. This completes our proof. Lemma 5: If the PRF is secure, then no polynomial-time adversary can distinguish between G 0 and G 1 with a nonnegligible advantage.
Proof: This proof of this is relatively straightforward from the security of PRF. That is, we can use additional hybrid games that change a PRF to a truly random function. Note that there are at most n number of z i in the security proof. VOLUME 10, 2022 Lemma 6: If the A3DH assumption holds, then no polynomial-time adversary can distinguish between G 1 and G 2 with a non-negligible advantage.
Proof: Suppose there exists an adversary A that distinguishes between G 1 and G 2 with a nonnegligible advantage. A simulator B that solves the A3DH assumption using A is given: a challenge tuple D = ((p, G,Ĝ, G T , e), g, g a , g b , g ab , g abc ,ĝ,ĝ a ,ĝ b ) and Z where Z = g c or Z = R. Then B that interacts with A is described as follows.
Let v i,j be a node for a client i and PV * µ,i be the challenge path set for the same client i.
If Z = g c , then it plays G 2 since ciphertext elements are well formed as Otherwise (Z = R = g d ), it plays G 3 since ciphertext elements are created with setting

Query:
A adaptively requests hash, function key, and ciphertext queries. B handles these queries as follows. If this is a hash query for a time period T , then B proceeds as follows: If T was queried before, then it retrieves (T , h, −) from H -list and returns h. Otherwise, it performs: • Case T = T * : It sets H (T * ) = g abc and stores (T * , H (T * ), −) to H -list. It then returns g abc .
• Case T = T * : It selects a random exponent h ∈ Z p and stores (T , H (T ) = (g ab ) h , h ) to H -list. It then returns (g ab ) h . If this is a function key query for a list of ranges Y = (y 1 , . . . , y n ) where y i = (y i,L , y i,R ), then B generates a function key as follows: 1) It first derives cover sets CV 1 , . . . , CV n from y 1 , . . . , y n . For each CV i , it defines two node sets PV i and PV i as 2) It also defines three index sets I 1 , I 2 , I 3 ⊆ [n] which are partitions of client indexes. It defines I 1 = {i : ∃v i,j ∈ CV i such that v i,j ∈ PV i }. It next selects a random index i ∈ [n] \ I 1 and defines I 3 = {ĩ}. It then defines . By using these index sets, it will define γ i differently depending on the index sets. For each client index i ∈ I 2 , it chooses a random exponent γ i and implicitly defines γ i := γ i . 3) For each client i ∈ [n], it performs the following steps: a) For each node v i,j such that (i ∈ I 1 ) ∧ (v i,j ∈ PV i ), it proceeds as follows: It defines TRF i (v i,j ) := f i,j by retrieving f i,j chosen at the setup. It chooses random exponents γ i , r i,j,1 , r i,j,2 , r i,j,3 ∈ Z p , sets i = ρ i r i,j,2 + φ i r i,j,3 , and implicitly defines the randomness as γ i := − i /ab + γ i , r i,j,1 := r i,j,1 /ab, r i,j,2 := r i,j,2 /ab, r i,j,3 := r i,j,3 /ab.
Note that this γ i is fixed for this index i since there is only one node v i,j ∈ PV i . Next, it creates a node key by using the defined randomness as This node key is correctly distributed by the following equation  (1, 1) , . . . , H 2, (1, ) , H 2, (2,1) , . . . , H 2, (i δ ,j δ ) , . . . , H 2, (n, ) where H 2,(1,0) = G 2 , (i δ , j δ ) ∈ [n, ]. For notational simplicity, we also define H 2,(i δ −1, ) = H 2,(i δ ,0) . Recall that two node sets E i and E i were defined for each client index i ∈ [n] as The game H 2,(i δ ,j δ ) is defined as follows: Game H 2,(i δ ,j δ ) In this game H 2,(i δ ,j δ ) , we slightly change the generation of challenge ciphertext elements {C i,j,1 }. For each client i and node v i,j ∈ PV * µ,i , a simulator creates the element C i,j,1 as follows: 1 as a random element in G.
• If v i,j ∈ E i and (i, j) > (i δ , j δ ), then it creates C i,j,1 normally. The simulator creates challenge ciphertext elements C i,2 , C i,3 , as the same way as the game G 3 . It is obvious that H 2,(n, ) = G 3 . Suppose there exists an adversary A that distinguishes between H 2,(i δ ,j δ −1) and H 2,(i δ ,j δ ) with a non-negligible advantage. Without loss of generality, we assume that v i δ ,j δ ∈ E i δ since H 2,(i δ ,j δ −1) = H 2,(i δ ,j δ ) if v i δ ,j δ ∈ E i δ . A simulator B that solves the A3DH assumption using A is given: a challenge tuple D = ((p, G,Ĝ, G T , e), g, g a , g b , g ab , g abc ,ĝ a ,ĝ b ) and Z where Z = g c or Z = R. Then B that interacts with A is described as follows.
Let v i,j be a node for a client i and PV * µ,i be the challenge path set for the same client i.
It initializes a hash table H -list and publishes PP = ((p, G,Ĝ, G T , e), g,ĝ, n, , H ). Challenge: B first sets H (T * ) = g abc and creates each challenge ciphertext element C i,j,1 for each client i ∈ [n] and node v i,j ∈ PV * µ,i as follows: , it chooses a random element P i,j,1 ∈ G and sets C i,j,1 = P i,j,1 .
Next, it chooses a random element P ∈ G and generates challenge ciphertexts for the time period T * as If Z = g c , then B plays H 3,(i δ ,j δ −1) . Otherwise, it plays H 3,(i δ ,j δ ) .
Query: A adaptively requests hash, function key, and ciphertext queries. B handles these queries as follows. If this is a hash query for a time period T , then B proceeds as follows: If T was queried before, then it retrieves (T , h, −) from H -list and returns h. Otherwise, it performs: • Case T = T * : It sets H (T * ) = g abc and stores (T * , H (T * ), −) to H -list. It then returns g abc .
• Case T = T * : It selects a random exponent h ∈ Z p and stores (T , H (T ) = (g ab ) h , h ) to H -list. It then returns (g ab ) h . If this is a function key query for a list of vectors Y = (y 1 , . . . , y n ) where y i = (y i,L , y i,R ), then B generates a function key as follows: 1) It first derives cover sets CV 1 , . . . , CV n from y 1 , . . . , y n . For each CV i , it defines two node sets PV i and PV i as  I 3 ). By using these sets, it will define γ i differently depending on the index sets. For each client index i ∈ I 2 , it chooses a random exponent γ i and implicitly defines γ i := γ i . 3) For each client i ∈ [n], it performs the following steps: a) For each node v i,j such that (i ∈ I 1 ) ∧ (v i,j ∈ PV i ), it proceeds as follows: K i,j,1 = (ĝ a ) r 1,jĝ φ i r i,j,3 , K i,j,2 = (ĝ a ) φ i r i,j,2 , This node key is correctly distributed since it is the same as that of Lemma 6. e) Next, it creates a client function key SK i = (CV i , NK i,1 , . . . , NK i,m i ). 4) Finally, it generates a function key SK Y = (SK 1 , . . . , SK n ). If this is a ciphertext query for a client index i, a message vector x i = (x i,1 , . . . , x i, ), and a time period T = T * , then B retrieves (T , H (T ) = (g ab ) h , h ) from the H -list and generates a ciphertext as follows: It obtains PV i = (v i,0 , . . . , v i, ) by running Path(BT , x i ). For each v i,j ∈ PV i , it performs: • Case i = i δ and v i,j = v i δ ,j δ : It creates C i,j,1 = g h f i,j since TRF i (v i,j ) := (1/ab)f i,j .
Next, it generates a ciphertext as C i,j,1 j=0 , C i,2 = (g ab ) h ω i,1 g h ρ i , C i,3 = (g ab ) h ω i,2 g h φ i . Guess: A outputs a guess µ . If µ = µ , it outputs 1. Otherwise, it outputs 0. Proof: Suppose there exists an adversary A that breaks the selective single-challenge weak IND-security with static corruptions. By using A, a simulator B try to break the selective single-challenge weak IND-security with no corruptions played by a challenger C. The simulator B is described as follows: Init: A submits the set of corrupted client indexes I , two challenge message lists X * 0 , X * 1 , and a challenge time period T * . Let I = {1, . . . , n} \ I be the set of uncorrupted client indexes. B submits two challenge message lists X * 0 , X * 1 , the challenge time period T * to C. Note that C plays the selective security game with no corruptions for the set I .
Setup: B receives PP from C. It chooses random PRF keys {z i } i∈I and random exponents {ω i,1 , ω i,2 } i∈I . Next, it gives {EK i = (z i , ω i,1 , ω i,2 )} i∈I and PP to A. Challenge: B receives challenge ciphertexts {CT i,T * } i∈I from C and gives {CT i,T * } i∈I to A.
Query: A adaptively requests hash, function key, and ciphertext queries. B handles these queries as follows: If this is a hash query for a time period T , then B relays this query to C and gives the response of C to A. If this is a function key query for a list of vectors Y = (y 1 , . . . , y n ), then B proceeds as follows: 1) It first sets Y = {y i } i∈I derived from Y . It requests a function key for Y to C and receives a function key SK Y = {SK i = (NK i,1 , . . . , NK i,2 )} i∈I where NK i,j = (K i,j,0 , . . . , K i,j,3 ). It selects a random exponent r ∈ Z p and setsṽ =ĝ r , which is formed asṽ =v r for some unknown random r . 2) It selects random exponents γ 1 , . . . , γ n−1 ∈ Z p and sets γ n = − n−1 i=1 γ i to satisfy n i=1 γ i = 0. 3) For each uncorrupted client i ∈ I , it performs the following steps: a) Let SK i = (NK i,1 , . . . , NK i,2 )} i∈I where NK i,j = (K i,j,0 , . . . , K i,j,3 ). b) For each j ∈ [2 ], it modifies a node key as NK i,j = (K i,j,0 = K i,j,0 ·ĝ γ i , K i,j,1 = K i,j,1 , K i,j,2 = K i,j,2 , K i,j,3 = K i,j,3 ) by using the random γ i . c) It sets SK i = {NK i,1 , . . . , NK i,2 }. 4) For each corrupted client i ∈ I , it performs the following steps: a) It obtains a cover set CV i = (v i,1 , . . . , v i,m i ) by running the Cover algorithm for the range y i = (y i,L , y i,R ). b) For each node v i,j ∈ CV i , it calculates f i,j = PRF(z i , v i,j ) and compute a node key NK i,j by selecting random exponents r i,j,1 , r i,j,2 , r i,j,3 as K i,j,0 =ĝ γ iṽ f i,j ·r i,j,1ṽ ω i,1 r i,j,2ṽ ω i,2 r i,j,3 , K i,j,1 =ṽ r i,j,1 , K i,j,2 =ṽ r i,j,2 , K i,j,3 =ṽ r i,j,3 .
c) Next, it creates a client function key SK i = (CV i , NK i,1 , . . . , NK i,m i ).

5) It gives a function key SK
If this is a ciphertext query for a client index i ∈ I , a message x i , and a time period T = T * , then B relays this query to C and gives CT i,T from C to A. Guess: A outputs a guess µ . B also outputs µ .

G. DISCUSSIONS 1) EFFICIENCY ANALYSIS
In our MC-RQE scheme, a ciphertext consists of + 2 group elements per each client and n( + 2) group elements for n clients where is the depth of a binary tree. Since a function key is associated with 2 tree nodes per each client and each node requires 4 group elements, a function key for n clients consists of 8n group elements. The encryption algorithm requires O(n ) exponentiation operations, and the function key generation algorithm also requires O(n ) exponentiation operations. The decryption algorithm is the slowest algorithm, and it checks whether the pairing expression is satisfied for each combination of function key elements and ciphertext elements. In this case, the number of possible combinations is at most 2 n since the node depth of function keys is known and 3n + 1 pairing operations are required for each combination. Thus, the decryption algorithm requires O(n2 n ) pairing operations. The detailed performance is given in Table 2.

2) ALLOWING MATCHING FUNCTION KEYS
We proved that our MC-RQE scheme is secure in a weak security model where matching function keys (f (X * 0 ) = f (X * 1 ) = 1) are not allowed. In fact, we can prove that our MC-RQE scheme is secure even in a security model where one matching function key is allowed by using the fact that the underlying MC-HVE scheme allows many matching function keys. However, it is not easy to prove the security of our MC-RQE scheme in a strong security model in which two or more matching function keys are allowed. The fundamental reason of the difficulty is that the matching node of a binary tree that succeeds in decryption is additionally exposed during the decryption process of the MC-RQE scheme. That is, for two challenge messages X * 0 and X * 1 , an attacker first prepares two matching function keys in which the tree node of successful decryption is the same for X * 0 , and the tree node for X * 1 is changed. Then the attacker decrypts a challenge ciphertext by using these matching function keys. At this time, the attacker can distinguish the challenge ciphertext by checking whether the tree node that is successfully decrypted is the same or changed.

3) COMPARISON WITH MRQED SCHEME
Our MC-RQE scheme can be compared with the MRQED scheme of Shi et al. [36] in terms of effectively supporting range queries on encrypted data. As described above, our MC-RQE scheme uses the path set and cover set of a binary tree to handle range queries in the same way as the MRQED scheme. However, the MRQED scheme is a public-key cryptosystem that combines an anonymous IBE scheme with a binary tree, and it handles a single ciphertext in the decryption process. In contrast, our MC-HVE scheme is a private-key cryptosystem that combines our MC-HVE scheme and a binary tree, and it can handle multiple ciphertexts in the decryption process. The detailed comparison is given in Table 2.

V. CONCLUSION
In this paper, we presented efficient MC-FE schemes that support conjunctive equality or range queries on encrypted data in bilinear groups. Our MC-HVE scheme is a construction that efficiently supports conjunctive equality queries with wildcards for ciphertexts generated by multiple clients at the same time period. Our MC-RQE scheme uses binary trees to efficiently support conjunctive range queries while the size of a ciphertext and a function key is very compact. We also proved that our MC-HVE and MC-RQE schemes are selectively secure with static corruptions under static assumptions.
This work leaves some interesting problems: The first problem is to devise an efficient MC-FE scheme that supports more expressive predicate queries than conjunctive equality or range queries. As an example, extending an IPE scheme to the multi-client setting can be interesting. The second problem is to construct an MC-HVE scheme that supports not only the message hiding security but also the function hiding security. The third problem is to devise an efficient MC-RQE scheme that provides the strong security.