
1 Introduction

Wee [18] and Attrapadung [3] introduced generic modular frameworks which generalize predicate encryption (PE) using encodings. They extracted common properties that PE schemes shared and formalized them under the encoding frameworks. Their encoding frameworks include generic constructions (i.e., compilers) of PE schemes based on encodings and approaches to proofs of adaptive security only using the properties the encodings commonly have. Therefore, these frameworks give a new insight into building PE schemes as the security of PE schemes can be proven by showing that their corresponding encoding schemes satisfy those properties.

Recently, encoding frameworks have been adopted to find generic constructions in prime order groups [1, 2, 5, 11, 14]. The benefit of prime order groups is the efficiency gain they bring to encryption schemes. However, constructions based on prime order groups commonly impose stricter structural restrictions on encoding schemes. In particular, they require the exponents of public and master secret keys (which are referred to as common variables) to have a simple linear structure.

For example, if we denote the common variables of an encoding scheme by \(h_1, ..., h_m\), the constructions require the public and master secret keys to be set as \(g, g^{h_1}, ..., g^{h_m}\) where g is a group generator. Note that they cannot allow encoding schemes to have parameters whose exponents are not linear in the \(h_i\), such as \(g^{h_1^2}\) or \(g^{h_1h_2}\). This is because most of the known techniques in prime order groups require the parameters of an encryption scheme to be represented using matrices. Hence, multiplication between parameters cannot be easily handled since those matrices do not commute. This adds further restrictions on the structure of the encoding scheme and limits the usage of encoding frameworks.

1.1 Our Contribution

Framework with Less Structural Requirement. We introduce a modular framework which is applicable to PE schemes having non-linear common variables in prime order groups. Prior to our work, the existing frameworks [1, 2, 5, 11, 14] in prime order groups only cover PE schemes which have a simple linear structure. Our work overcomes this barrier with a new framework and a new proof technique. To mitigate the structural restriction and effectively express the non-linearity of PE schemes, we improve Attrapadung's pair encoding framework [3], one of the most popular encoding frameworks for PE, and provide a new adaptively secure compiler that turns an encoding scheme under our improved framework into a PE scheme in prime order groups.

ABEs with a Non-monotone Access Structure. As instances of our new encoding technique, we introduce two new attribute-based encryption (ABE) schemes supporting a non-monotone access structure as follows:

  • Non-monotonic CP-ABE (NM-CP-ABE) with short keys (Scheme 1).

  • Non-monotonic KP-ABE (NM-KP-ABE) with short ciphertexts (Scheme 2).

Note that although Yamada et al. already introduced selectively secure schemes in [26], no encoding framework was able to achieve adaptive security in prime order groups due to the non-linearity. For the first time, our new schemes achieve a non-monotone access structure, short parameters (keys or ciphertexts) and adaptive security at the same time. Table 1 summarizes the comparison between our schemes and the existing non-monotonic ABE schemes.

Table 1. Comparisons of Non-monotonic ABE schemes in prime order groups

1.2 Overview of Our Technique

Main Idea. Our solution largely adopts the notion of pair encoding framework, which is outlined in Appendix A.1. However, the pair encoding framework cannot properly describe non-linear common variables. Therefore, we modify the syntax of pair encoding to be more flexible. The most significant change in our framework is decomposing common variables in the pair encoding framework into hidden common variables and shared common variables as we describe below:

  • Hidden Common Variables (HCVs) are identical to common variables used in existing frameworks [1, 5, 11, 14]. The HCVs must be linear.

  • Shared Common Variables (SCVs) are variables which are non-linear or cause a non-linearity.

In detail, the exponents of public parameters and master secrets in our encoding framework are compositions of these two types of common variables. We use \(\varvec{b}(\varvec{w}, b_0, \varvec{h})=(b_1, ..., b_{\omega })\) to denote the exponents of those parameters and also use \(\varvec{w} = (w_1, ..., w_{\omega _1})\) and \(\varvec{h} = (h_1, ..., h_{\omega _2})\) to denote SCVs and HCVs, respectively. Each \(b_i\) is defined as a monomial of the form \(b_i = b_0 f_i(\varvec{w}) \text { or }f_i(\varvec{w}) h_j\), where \(f_i(\varvec{w})\) is a monomial consisting of the elements of \(\varvec{w}\), \(j \in [\omega _2]\), and \(b_0\) is a variable adopted for the linear operation of monomials in which no HCV appears. This setting makes \(\varvec{b}(\varvec{w},b_0, \varvec{h})\) linear in \((b_0, \varvec{h})\). More formally, by the definition of \(\varvec{b}\), for all \(b_0, b'_0 \in \mathbb {Z}_p\) and \(\varvec{h}, \varvec{h}'\in \mathbb {Z}_p^{\omega _2}\), we have

$$\begin{aligned} \varvec{b}(\varvec{w}, b_0, \varvec{h}) + \varvec{b}(\varvec{w}, b'_0, \varvec{h}') = \varvec{b}(\varvec{w}, b_0+ b'_0, \varvec{h}+\varvec{h}'). \end{aligned}$$

We call this property linearity in HCVs.

HCVs and SCVs work differently in the security proof. Encoding frameworks can be considered as generalizations of Waters' dual system encryption [25]. In dual system encryption, a semi-functional space is used to partially mimic the construction of an encryption scheme so that the security can be proven more simply, but the variables appearing in the semi-functional space must not correlate with their original values in the construction, which we call the normal space. HCVs are the variables typically used in dual system encryption. They are projected from the normal space to the semi-functional space in the proofs, and their values in the semi-functional space do not correlate with their original values. SCVs, however, are a new type of variable. They are also projected to the semi-functional space, but their projected values are identical to their original values. This is possible since the proof works in a prime order group. In other words, SCVs are shared between the semi-functional space and the normal space, where the construction is defined. We handle these changes by refining the security proof and the properties of encodings.

Parameter \(b_0\). Additionally, due to the notational deficiency of the pair encoding in expressing the linearity of (hidden) common variables, we adopt a new variable \(b_0\) in our encoding framework, as done in Kim et al.'s work [14]. More precisely, even if the HCVs of \(\varvec{b}\) are in linear form (i.e. the maximum degree of those variables is 1), the linearity in HCVs of \(\varvec{b}\) cannot be properly notated if some coordinates of \(\varvec{b}\) do not contain an element of \(\varvec{h}\). Thus, we use a new variable \(b_0\) to denote the change of values during the linear operation and place \(b_0\) where no element of \(\varvec{h}\) appears. Consequently, every coordinate of \(\varvec{b}\) must contain either \(b_0\) or some \(h_i\) and be linear in those variables.

Our Compiler in Prime Order Groups. To construct a new compiler of encodings with a less restrictive structural assumption, we adopt the technique from [14], in which the common variables are projected into the semi-functional space. This technique is built upon combining a nested dual system encryption technique and Lewko and Waters' IBE [17]. In particular, the simulator sets a common variable as \(d \cdot \varvec{h}' + \varvec{h}''\) where \(d \in \mathbb {Z}_p\) is given as \(g^d\) for a group generator g and \(\varvec{h}''\) consists of values generated by the simulator. This setting hides the values of \(\varvec{h}'\) from the adversary using \(\varvec{h}''\). Also, the simulator is able to project \(\varvec{h}'\) using \(g^d\), which is indistinguishable from a random value under the assumption to which the security is reduced.

In our framework, the exponents of public parameters are more complex monomials, but the simulator can still hide HCVs before they are projected into the semi-functional space. In our proof, we let the simulator set a non-linear monomial as \(f_i(\varvec{w})h_j = f_i(\varvec{w})(d h'_j + h''_j) = d \cdot f_i(\varvec{w}) \cdot h'_j + f_i(\varvec{w}) \cdot h''_j\) where \(f_i(\varvec{w})\) is a monomial consisting only of SCVs, which are denoted by \(\varvec{w}\). In particular, if \(g^{d}\) is indistinguishable from a random value (i.e. \(g^{d+r}\) where r is a random value), \(g^{f_i(\varvec{w})h_j}\) becomes \(g^{d \cdot f_i(\varvec{w}) \cdot h'_j}\cdot g^{r\cdot f_i(\varvec{w})h'_j} \cdot g^{f_i(\varvec{w}) \cdot h''_j}\). Hence, \(g^{r\cdot f_i(\varvec{w})h'_j}\) can simulate the semi-functional space, where r and \(h'_j\) simulate a random variable and an HCV, respectively. \(f_i(\varvec{w})\) appears in the semi-functional space, but its value is the same as that in the normal space since it is defined as an SCV.

Table 2. Comparisons of normal and semi-functional parts in encoding frameworks

Refined \(\alpha \) Hiding. In our setting, SCVs are not hidden. That is, their projected values in the semi-functional space are identical to their original values, as shown in Table 2. Sharing SCVs makes the security proof more complex because their values must be defined and fixed before any query is received from the adversary (i.e. at system setup). We address this challenge by refining the \(\alpha \) hiding property of the pair encoding framework. We use two oracles which are indistinguishable from each other to simulate the refined \(\alpha \) hiding property. In our setting, the oracles output \(g^{\varvec{b}(\varvec{w},1,\varvec{1})}\) as an initial instance so that the simulator can create public keys and the normal parts of private keys using the shared common variables \(\varvec{w}\).

It is worth noting that the oracles in the existing techniques [4, 14] do not output any value related to the common variables; they output only a group generator g as the initial instance. In the pair encoding framework, because the initial instance does not include any public parameters, the \(\alpha \) hiding property is proved by selecting the public parameters after obtaining the target predicate of the challenge ciphertext (in a selective security proof) or of the challenge key (in a co-selective security proof). However, we observed that, even in selective security proofs, some common variables can be set without using any information about the challenge ciphertext. This lets us use those variables as SCVs. We show that realizing those oracles is feasible by providing new instances.

2 Related Work

Conjunctive schemes of ABE and identity-based revocation systems were introduced [7, 20] to fill the gap between practice and theory. In those schemes, only an identity can be used to revoke users, and the other attributes are used to form an access policy. Inner product encryption [8, 13, 21, 22] naturally achieves a non-monotone access structure using polynomials. However, it is well known that expressing a Boolean formula using an inner product is inefficient.

A technique to convert encryption schemes in composite order groups into prime order groups was introduced by Lewko [15] using Dual Pairing Vector Spaces (DPVS) [21, 22]. However, this conversion technique is not generic, and the size of the parameters and the amount of computational work required for encryption/decryption increase linearly with the size of the vectors it uses. Dual System Groups (DSG) [12] were more recently introduced by Chen and Wee. They showed that DSG can be utilized to construct a broad range of encryption schemes in prime order groups. Since then, many generic constructions [1, 4, 11] of encoding schemes in prime order groups have employed DSG, except for Kim et al.'s work [14]. In Kim et al.'s work, instead of using DSG, they generalized Lewko and Waters' IBE [17], as is done in this paper, but their technique does not cover encryption schemes with a non-linear structure.

A compiler for pair encodings in prime order groups was proposed by Attrapadung [5]. In that technique, the common variables are defined in matrix form, which requires additional structural assumptions on the encoding. To address this, the pair encoding was redefined as a regular encoding with additional structural restrictions, which implies the linearity of the common variables.

Agrawal and Chase also suggested a new way to prove the security of encoding schemes [2]. They proposed a technique where the security of predicate encryption schemes can be proven by showing that their encodings satisfy the symbolic property. Namely, if it is shown that the encoding scheme can be mapped to a specific format, then the security is proven without any extra effort. However, the technique still works under the same structural assumptions on which the pair encoding framework [3] is based, and it is not clear how the symbolic property works with a non-linear structure.

3 Preliminary

3.1 Bilinear Maps

Let \(\mathcal {G}\) be a group generator which takes a security parameter \(\lambda \) as input and outputs (p, \(G_1\), \(G_2\), \(G_T\), e), where \(G_1\), \(G_2\) and \(G_T\) are cyclic groups of prime order p, and \(e:G_1 \times G_2 \rightarrow G_T\) is a map such that \(e(g^a, h^b) = e(g, h)^{ab}\) for all \(g \in G_1\), \(h \in G_2\) and \(a,b \in \mathbb {Z}_p\), and \(e(g,h) \ne 1 \in G_T\) whenever \(g \ne 1\) and \(h \ne 1\). We assume that the group operations in \(G_1\), \(G_2\) and \(G_T\), as well as the bilinear map e, are all computable in polynomial time with respect to \(\lambda \). It should be noted that the map e is symmetric if \(G_1 = G_2\). If \(G_1 \ne G_2\), the map e is asymmetric.

3.2 Non-monotone Access Structure

Definition 1 (Access Structure) [10]. Let \(\lbrace P_1, ... , P_n \rbrace \) be a set of parties. A collection \(\mathbb {A} \subset 2^{\lbrace P_1, ... , P_n \rbrace }\) is monotone if \(\forall B, C\): if \(B \in \mathbb {A}\) and \(B \subset C,\) then \(C \in \mathbb {A}\). A monotone access structure is a monotone collection \(\mathbb {A}\) of non-empty subsets of \(\lbrace P_1, ... , P_n \rbrace \), i.e., \(\mathbb {A} \subset 2^{\lbrace P_1, ... , P_n \rbrace } \setminus \lbrace \emptyset \rbrace \). The sets in \(\mathbb {A}\) are called the authorized sets, and the sets not in \(\mathbb {A}\) are called the unauthorized sets.

Definition 2 (Linear Secret-Sharing Schemes (LSSS)) [10]. A secret sharing scheme \(\varPi \) over a set of parties \(\mathcal {P}\) is called linear (over \(\mathbb {Z}_p\)) if (1) the shares for each party form a vector over \(\mathbb {Z}_p\), and (2) there exists a matrix A called the share-generating matrix for \(\varPi \). The matrix A has m rows and \(\ell \) columns. For all \(i = 1, ..., m\), the \(i^{th}\) row of A is labeled by a party \(\rho (i)\) (\(\rho \) is a function from \(\lbrace 1, ... , m \rbrace \) to \(\mathcal {P}\)). When we consider the column vector \(v = (s, r_2, ... , r_\ell )\), where \(s \in \mathbb {Z}_p\) is the secret to be shared and \( r_2, ..., r_\ell \in \mathbb {Z}_p\) are randomly chosen, then Av is the vector of m shares of the secret s according to \(\varPi \). The share \((Av)_i\) belongs to party \(\rho (i)\).

Moving from Monotone to Non-monotone Access Structures. For a non-monotone access structure, we adopt a technique from Ostrovsky, Sahai and Waters [24]. They assume a family of linear secret sharing schemes \(\lbrace \varPi _\mathbb {A} \rbrace _{\mathbb {A} \in \mathcal {A}}\) for a set of monotone access structures \(\mathbb {A} \in \mathcal {A}\). For each access structure \(\mathbb {A} \in \mathcal {A}\), the set of parties \(\mathcal {P}\) underlying the access structures has the following properties: the name of a party is of one of two types, either normal (like x) or primed (like \(x'\)), and if \(x \in \mathcal {P}\) then \(x' \in \mathcal {P}\) and vice versa. They conceptually associate primed parties with the negation of normal parties.

We let \(\tilde{\mathcal {P}}\) denote the set of all normal parties in \(\mathcal {P}\). For every set \(\tilde{S} \subset \tilde{\mathcal {P}}\), \(N(\tilde{S}) \subset \mathcal {P}\) is defined by \( N(\tilde{S}) = \tilde{S} \cup \lbrace x' \vert x \in \tilde{\mathcal {P}}\setminus \tilde{S} \rbrace \). For each access structure \(\mathbb {A} \in \mathcal {A}\) over a set of parties \(\mathcal {P}\), a non-monotone access structure \(NM(\mathbb {A})\) over the set of parties \(\tilde{\mathcal {P}}\) is defined by specifying that \(\tilde{S}\) is authorized in \(NM(\mathbb {A})\) iff \(N(\tilde{S})\) is authorized in \(\mathbb {A}\). Therefore, the non-monotone access structure \(NM(\mathbb {A})\) will have only normal parties in its access sets. For each access set \(X \in NM(\mathbb {A})\), there will be a set in \(\mathbb {A}\) that has the elements in X and primed elements for each party not in X. Finally, a family of non-monotone access structures \(\tilde{\mathcal {A}}\) is defined by the set of these \(NM(\mathbb {A})\) access structures.
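The conversion \(N(\tilde{S})\) and the resulting \(NM(\mathbb {A})\) described above, as an added Python example that is not part of the paper. The three parties and the monotone access structure (A AND B') OR C are constructed for illustration; \(\mathbb {A}\) is given by its minimal authorized sets, which determines the monotone collection.

```python
from itertools import combinations

# Constructed universe: normal parties P~ = {A, B, C}; P adds a primed party x' per x.
NORMAL = ("A", "B", "C")
ALL = set(NORMAL) | {x + "'" for x in NORMAL}

# Constructed monotone access structure A over P, given by its minimal authorized sets.
# Read as the policy (A AND B') OR C, where B' stands for "not B".
MINIMAL = [frozenset({"A", "B'"}), frozenset({"C"})]


def monotone_authorized(s):
    """S is in A iff it contains a minimal authorized set (monotone closure)."""
    assert s <= ALL
    return any(mset <= s for mset in MINIMAL)


def n_map(s_tilde):
    """N(S~) = S~ U { x' : x in P~ \\ S~ }: add the primed party for every absent normal one."""
    assert s_tilde <= set(NORMAL)
    return set(s_tilde) | {x + "'" for x in NORMAL if x not in s_tilde}


def nm_authorized(s_tilde):
    """S~ is authorized in NM(A) iff N(S~) is authorized in A (Definition of NM)."""
    return monotone_authorized(n_map(s_tilde))


def is_monotone(authorized, parties):
    """Brute-force check of Definition 1: B in A and B subset C implies C in A."""
    subsets = [frozenset(c) for k in range(len(parties) + 1)
               for c in combinations(sorted(parties), k)]
    return all(authorized(set(c)) for b in subsets if authorized(set(b))
               for c in subsets if b <= c)
```

Holding only A satisfies NM(A) (its image {A, B', C'} contains {A, B'}), while holding A and B does not, which is exactly the non-monotone behaviour the construction is meant to produce.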

3.3 Computational Assumptions

Our compiler needs three simple static assumptions which are also used in [14, 17]. For the following assumptions, we define \(\mathbb {G} = (p, G_1, G_2, G_T, e) \xleftarrow {R} \mathcal {G}\) and let \(f_1 \in G_1\) and \(f_2 \in G_2\) be selected randomly.

Assumption 1

(LW1). Let \(a,c,d \in \mathbb {Z}_p\) be selected randomly. Given

$$\begin{aligned} D := \lbrace f_1, f_1^a, f_1^{ac^2}, f_1^{c}, f_1^{c^2}, f_1^{c^3}, f_1^{d}, f_1^{a d}, f_1^{cd},f_1^{c^2 d}, f_1^{c^3 d} \in G_1, f_2, f_2^c \in G_2 \rbrace , \end{aligned}$$

it is hard to distinguish between \(T_0 = f_1^{ac^2d}\) and \(T_1 \xleftarrow {R} G_1\).

Assumption 2

(LW2). Let \(c,d,t,w \in \mathbb {Z}_p\) be selected randomly. Given

$$\begin{aligned} D:=\lbrace f_1, f_1^d, f_1^{d^2}, f_1^{tw}, f_1^{dtw}, f_1^{d^2t} \in G_1, f_2, f_2^c, f_2^d, f_2^w \in G_2\rbrace , \end{aligned}$$

it is hard to distinguish between \(T_0 = f_2^{cw}\) and \(T_1 \xleftarrow {R} G_2\).

Assumption 3

(Decisional Bilinear Diffie-Hellman (DBDH) Assumption). Let \(a,c,d\in \mathbb {Z}_p\) be selected randomly. Given

$$\begin{aligned} D:= \lbrace f_1, f_1^a, f_1^{c}, f_1^{d} \in G_1, f_2, f_2^a, f_2^c, f_2^d \in G_2 \rbrace , \end{aligned}$$

it is hard to distinguish between \(T_0 = e(f_1, f_2)^{acd}\) and \(T_1 \xleftarrow {R} G_T\).

3.4 Predicate Encryption

We adopt the definition of PE and its adaptive security of [3].

Definition of Predicate Encryption [3]. A PE for a predicate \(R_\kappa :\mathcal {X} \times \mathcal {Y} \rightarrow \lbrace 0, 1 \rbrace \) consists of Setup, Encrypt, KeyGen and Decrypt as follows:

  • Setup(\(1^\lambda , \kappa \)) \(\rightarrow \) (PK, MSK): The algorithm takes in a security parameter \(1^\lambda \) and an index \(\kappa \) which is allocated uniquely for the function \(R_\kappa \). It outputs a public parameter PK and a master secret key MSK.

  • Encrypt(x, M, PK) \(\rightarrow \) CT: The algorithm takes in an attribute \(x \in \mathcal {X}\), a public parameter PK and a plaintext M. It outputs a ciphertext CT.

  • KeyGen(y, MSK, PK) \(\rightarrow \) SK: The algorithm takes in an attribute \(y \in \mathcal {Y}\), MSK and PK. It outputs a private key SK.

  • Decrypt(PK, SK, CT) \(\rightarrow \) M: The algorithm takes in SK for y and CT for x. If \(R_\kappa (x,y) = 1\), it outputs a message \(M \in \mathcal {M}\). Otherwise, it aborts.

Correctness. For all \((x, y) \in \mathcal {X} \times \mathcal {Y}\) such that \(R_\kappa (x,y) = 1\), if SK is the output of KeyGen(y, MSK, PK) and CT is the output of Encrypt(x, M, PK) where PK and MSK are the outputs of Setup(\(1^\lambda , \kappa \)), Decrypt(SK, CT) outputs M for all \(M \in \mathcal {M}\).

Definition of Adaptive Security of Predicate Encryption [3]. A predicate encryption scheme for a predicate function \(R_\kappa \) is adaptively secure if there is no PPT adversary \(\mathcal {A}\) which has a non-negligible advantage in the game between \(\mathcal {A}\) and the challenger \(\mathcal {C}\) defined below.

  • Setup: \(\mathcal {C}\) runs Setup\((1^\lambda , \kappa )\) to create (PK, MSK). PK is sent to \(\mathcal {A}\).

  • Phase 1: \(\mathcal {A}\) requests a private key for \(y_i \in \mathcal {Y}\), \(i \in [q_1]\). For each \(y_i\), \(\mathcal {C}\) returns \(SK_i\) created by running KeyGen(\(y_i, MSK, PK\)).

  • Challenge: When \(\mathcal {A}\) requests the challenge ciphertext of \(x \in \mathcal {X}\), for \(R_\kappa (x,y_i) = 0; \, \forall i \in [q_1]\), and submits two messages \(M_0\) and \(M_1\), \(\mathcal {C}\) randomly selects b from \(\lbrace 0, 1\rbrace \) and returns the challenge ciphertext CT created by running Encrypt\((x, M_b, PK)\).

  • Phase 2: This is identical with Phase 1 except for the additional restriction that \(y_i \in \mathcal {Y}\) for \(i = q_1 +1, ..., q_t\) such that \(R_\kappa (x,y_i) = 0 ;\, \forall i \in \lbrace q_1 +1, ..., q_t\rbrace \).

  • Guess: \(\mathcal {A}\) outputs \(b' \in \lbrace 0, 1 \rbrace \). If \(b = b'\), then \(\mathcal {A}\) wins.

We define the advantage of an adversary \(\mathcal {A}\) as \( Adv_{\mathcal {A}}^{PE}(\lambda ) := \vert \Pr [b=b'] -1/2 \vert .\)

4 Our Encoding Framework

We introduce our new encoding framework. We largely adopt the notion of the pair encoding framework to describe our encoding. However, our encoding framework can also capture predicate families that have non-linear common variables.

4.1 Syntax

Our encoding scheme for a predicate function \(R_\kappa \) in prime order p consists of four deterministic algorithms Param, Enc\(_1\), Enc\(_2\) and Pair.

  • Param(\(\kappa \)) \(\rightarrow (\varvec{b}:= (b_1, b_2, ..., b_\omega );\omega _1, \omega _2, \omega )\): It takes as input a predicate family \(\kappa \) and outputs integers \(\omega _1, \omega _2, \omega \in \mathbb {N}\) and a sequence of monomials \(\lbrace b_i \rbrace _{i \in [\omega ]} \in \mathbb {Z}_p\) in the variables \(\lbrace b_0, h_j; h_j \in \varvec{h} \rbrace \) and the functions \(f_i\), where \(b_0 \in \mathbb {Z}_p\), \(\varvec{h} \in \mathbb {Z}_p^{\omega _2}\) and \(f_i(\varvec{w})\) is a monomial consisting of the elements of \(\varvec{w} \in \mathbb {Z}_p^{\omega _1}\). That is, for all \(i \in [\omega ]\), \(b_i = b_0 f_i(\varvec{w})\text { or }f_i(\varvec{w}) h_j\). \(\varvec{b}\) is shared by the following two algorithms Enc\(_1\) and Enc\(_2\). We let \(\varvec{w} = (w_1, ..., w_{\omega _1})\) denote the SCVs and \(\varvec{h} = (h_1, ..., h_{\omega _2})\) denote the HCVs.

  • Enc\(_{1}(x \in \mathcal {X}) \rightarrow (\varvec{k}:= (k_1, k_2, ..., k_{m_1});m_2)\): It takes as input \(x \in \mathcal {X}\) and outputs a sequence of polynomials \(\lbrace k_i \rbrace _{i \in [m_1]}\) with coefficients in \(\mathbb {Z}_p\), and \(m_2 \in \mathbb {N}\), where \(m_2\) is the number of random variables. Every polynomial \(k_i\) is a linear combination of monomials of the form \(\alpha , r_ib_0, \alpha b_j, r_ib_j\) in the variables \(\alpha , r_1 , ..., r_{m_2}\) and \(b_0, b_1, ..., b_\omega \). In more detail, for \(i \in [m_1]\),

    $$\begin{aligned} k_i := \delta _i \alpha + \sum \nolimits _{j \in [m_2]} \delta _{i,j} r_j b_0 + \sum \nolimits _{j \in [m_2],k \in [\omega ]} \delta _{i,j,k} r_j b_k \end{aligned}$$

    where \(\delta _i, \delta _{i,j}, \delta _{i,j,k} \in \mathbb {Z}_p\) are constants which define \(k_i\).

  • Enc\(_{2}(y \in \mathcal {Y}) \rightarrow (\varvec{c}:= (c_1, c_2, ..., c_{\tilde{m}_1});\tilde{m}_2)\): It takes as input \(y \in \mathcal {Y}\) and outputs a sequence of polynomials \(\lbrace c_i \rbrace _{i \in [\tilde{m}_1]}\) with coefficients in \(\mathbb {Z}_p\), and \(\tilde{m}_2 \in \mathbb {N}\), where \(\tilde{m}_2\) is the number of random variables. Every polynomial \(c_i\) is a linear combination of monomials of the form \(s b_0, s_ib_0, s b_j, s_ib_j\) in the variables \(s, s_1, ..., s_{\tilde{m}_2}\) and \(b_0, b_1, ..., b_\omega \). In more detail, for \(i \in [\tilde{m}_1]\),

    $$\begin{aligned} c_i := \phi _i s \, b_0 + \sum \nolimits _{j \in [\tilde{m}_2]} \phi _{i,j} s_j b_0 + \sum \nolimits _{j \in [\tilde{m}_2],k \in [\omega ]} \phi _{i,j,k} s_j b_k \end{aligned}$$

    where \(\phi _i, \phi _{i,j}, \phi _{i,j,k} \in \mathbb {Z}_p\) are constants which define \(c_i\).

  • Pair(x, y) \(\rightarrow \varvec{E}\): It takes as inputs \(x \in \mathcal {X}\) and \(y \in \mathcal {Y}\). It outputs \(\varvec{E} \in \mathbb {Z}_p^{m_1 \times \tilde{m}_1}\).

Correctness: The correctness holds symbolically when \(b_0=1\). For every \((x,y) \in \mathcal {X} \times \mathcal {Y}\) such that \(R_\kappa (x,y) = 1\), there exists \(\varvec{E} \in \mathbb {Z}_p^{m_1 \times \tilde{m}_1}\) satisfying \(\varvec{k} \varvec{E} \varvec{c}^\top = \alpha s\) where \(\varvec{k} \varvec{E} \varvec{c}^\top = \sum _{i \in [m_1],j \in [\tilde{m}_1]}E_{i,j} k_i c_j\).

4.2 Properties

Our encodings satisfy the following properties.

Property 1

(Linearity in hidden common variables). Suppose \(\varvec{w}\), \(\varvec{r}\), s and \(\varvec{s}\) are fixed. Then our encodings are linear in \(\alpha \) and \(\varvec{h}\) for all \((\alpha , b_0, \varvec{h}) \in \mathbb {Z}_p \times \mathbb {Z}_p \times \mathbb {Z}_p^{\omega _2}\). That is, for all \(\alpha , \alpha ', b_0, b'_0 \in \mathbb {Z}_p, \varvec{h}, \varvec{h}' \in \mathbb {Z}_p^{\omega _2}\), the following hold:

$$\begin{aligned} \varvec{k}(\alpha , x, \varvec{b}(\varvec{w}, b_0, \varvec{h}); \varvec{r}) + \varvec{k}(\alpha ', x, \varvec{b}(\varvec{w}, b_0', \varvec{h}'); \varvec{r}) = \varvec{k}(\alpha + \alpha ', x, \varvec{b}(\varvec{w}, b_0 + b_0', \varvec{h}+\varvec{h}'); \varvec{r}) \end{aligned}$$
$$\begin{aligned} \varvec{c}(y, \varvec{b}(\varvec{w}, b_0, \varvec{h});s, \varvec{s}) + \varvec{c}(y,\varvec{b}(\varvec{w}, b_0', \varvec{h}');s,\varvec{s}) = \varvec{c}(y, \varvec{b}(\varvec{w}, b_0+b_0', \varvec{h}+\varvec{h}');s,\varvec{s}) \end{aligned}$$

Property 2

(Linearity in random variables). Suppose \(\varvec{w}\) and \(\varvec{h}\) are fixed. Then our encodings are linear in \(\alpha \), s, \(\varvec{r}\) and \(\varvec{s}\) for all (\(\alpha \), s, \(\varvec{r}\), \(\varvec{s}) \in \mathbb {Z}_p \times \mathbb {Z}_p \times \mathbb {Z}_p^{m_2} \times \mathbb {Z}_p^{\tilde{m}_2}\). That is, for all \(\alpha , \alpha ', s, s' \in \mathbb {Z}_p, \varvec{r}, \varvec{r}' \in \mathbb {Z}_p^{m_2}\) and \(\varvec{s}, \varvec{s}' \in \mathbb {Z}_p^{\tilde{m}_2}\), the following hold:

$$\begin{aligned} \varvec{k}(\alpha ,x, \varvec{b}(\varvec{w}, b_0, \varvec{h}); \varvec{r}) + \varvec{k}(\alpha ', x, \varvec{b}(\varvec{w}, b_0, \varvec{h}); \varvec{r}') = \varvec{k}(\alpha + \alpha ', x, \varvec{b}(\varvec{w},b_0, \varvec{h}); \varvec{r}+\varvec{r}') \end{aligned}$$
$$\begin{aligned} \varvec{c}(y,\varvec{b}(\varvec{w}, b_0, \varvec{h});s,\varvec{s}) + \varvec{c}(y, \varvec{b}(\varvec{w},b_0, \varvec{h});s',\varvec{s}') = \varvec{c}(y, \varvec{b}(\varvec{w}, b_0, \varvec{h});s+s',\varvec{s}+\varvec{s}') \end{aligned}$$

where \(\varvec{w}, b_0, \varvec{h} \in \mathbb {Z}_p^{\omega _1} \times \mathbb {Z}_p \times \mathbb {Z}_p^{\omega _2}\).

Property 3

(Parameter Vanishing). For all \(\alpha , b_0,b_0' \in \mathbb {Z}_p, \varvec{w}, \varvec{w}' \in \mathbb {Z}_p^{\omega _1}, \varvec{h}, \varvec{h}' \in \mathbb {Z}_p^{\omega _2}\), there exists \(\varvec{0} \in \mathbb {Z}_p^{2k+1}\) for which the distributions of \(\varvec{k}(\alpha ,x, \varvec{b}(\varvec{w}, b_0, \varvec{h}); \varvec{0})\) and \(\varvec{k}(\alpha , x, \varvec{b}(\varvec{w}', b'_0, \varvec{h}'); \varvec{0})\) are statistically identical.

Property 4

(\(\alpha \) hiding). We let \(g_1 \xleftarrow {R} G_1\), \(g_2 \xleftarrow {R} G_2\), \(\alpha , s \xleftarrow {R} \mathbb {Z}_p\), \(\varvec{w} \xleftarrow {R} \mathbb {Z}_p^{\omega _1}\), \(\varvec{h} \xleftarrow {R} \mathbb {Z}_p^{\omega _2}, \varvec{r} \xleftarrow {R} \mathbb {Z}_p^{m_2}\) and \(\varvec{s} \xleftarrow {R} \mathbb {Z}_p^{\tilde{m}_2}\). For all \((x,y) \in \mathcal {X} \times \mathcal {Y}\) such that \(R_{\kappa }(x,y) =0\), the following two distributions are indistinguishable:

$$\begin{aligned} \lbrace g_1^{\varvec{b}(\varvec{w},1, \varvec{1})}, g_2^{\varvec{b}(\varvec{w}, 1, \varvec{1})}, g_1^{\varvec{c}(y,\varvec{b}(\varvec{w}, 1, \varvec{h});s, {{\varvec{s}}})}, g_2^{\varvec{k}(\alpha , x, \varvec{b}(\varvec{w},1, \varvec{h}); {\varvec{r}})} \rbrace \end{aligned}$$
$$\begin{aligned} \approx \lbrace g_1^{\varvec{b}(\varvec{w},1, \varvec{1})}, g_2^{\varvec{b}(\varvec{w}, 1, \varvec{1})}, g_1^{\varvec{c}(y,\varvec{b}(\varvec{w}, 1, \varvec{h});s, {{\varvec{s}}})}, g_2^{\varvec{k}(0, x, \varvec{b}(\varvec{w},1, \varvec{h}); {\varvec{r}})} \rbrace . \end{aligned}$$

4.3 The Compiler

For a predicate family \(R_\kappa :\mathcal {X} \times \mathcal {Y} \rightarrow \lbrace 0, 1 \rbrace \) and its encoding \(E(R_\kappa ,p)\), a PE scheme \(PE(E(R_\kappa ,p))\) consists of four algorithms Setup, KeyGen, Encrypt and Decrypt.

  • Setup(\(1^\lambda , \kappa \)) \(\rightarrow \langle PK, MSK \rangle \). The setup algorithm randomly chooses bilinear groups \(\mathcal {G} = (p,\, {G}_1 , \, {G}_2, \, {G}_T,e)\) of prime order \(p > 2^\lambda \). It takes group generators \( g_1 \xleftarrow {R} {G}_1, g_2 \xleftarrow {R} {G}_2\) from \(\mathcal {G}\). It executes \((\varvec{b}, \omega _1, \omega _2, \omega ) \leftarrow \) Param and sets \(b_0 =1\). It randomly selects \(\alpha , a, y_u, y_v, y_f \in \mathbb {Z}_p\), \(\varvec{w} \in \mathbb {Z}_p^{\omega _1}\) and \(\varvec{h} \in \mathbb {Z}_p^{\omega _2}\). It sets \(\tau = y_v + a \cdot y_u\). It publishes public parameters (PK) as

    $$\begin{aligned} \lbrace e(g_1,g_2)^\alpha , g_1, g_1^a, g_1^\tau , g_1^{\varvec{b}(\varvec{w}, 1, \varvec{h})}, g_1^{a \cdot \varvec{b}(\varvec{w}, 1, \varvec{h})}, g_1^{\tau \cdot \varvec{b}(\varvec{w}, 1, \varvec{h})} \rbrace . \end{aligned}$$

    It sets MSK as \(\lbrace \alpha , g_2, g_2^{\varvec{b}(\varvec{w}, 1, \varvec{h})}, f_2 = g_2^{y_f}, u_2= f_2^{y_u}, v_2 = f_2^{y_v} \rbrace .\)

  • KeyGen(x, MSK) \(\rightarrow SK.\) The algorithm takes as inputs \(x \in \mathcal {X}\) and MSK. To generate SK, it runs \((\varvec{k};m_2) \leftarrow \) Enc\(_1(x)\) and randomly selects \(\varvec{r} \in \mathbb {Z}_p^{m_2}\) and \(\varvec{z} \in \mathbb {Z}_p^{\vert \varvec{k}\vert }\). It parses \(\alpha \) from MSK and outputs \(SK := (\varvec{D}_{1}, \varvec{D}_{2}, \varvec{D}_{3})\) where \(\varvec{D}_{1} = g_2^{\varvec{k}(\alpha ,x, \varvec{b}(\varvec{w}, 1,\varvec{h});\varvec{r})} v_2^{\varvec{z}},\, \varvec{D}_{2} = u_2^{\varvec{z}},\, \varvec{D}_{3} = f_2^{-\varvec{z}}. \)

  • Encrypt(M, y, PK)\(\rightarrow CT.\) The algorithm takes as inputs \(y \in \mathcal {Y}\), a message M and PK. It runs \((\varvec{c};\tilde{m}_2) \leftarrow \) Enc\(_2(y)\) and randomly selects \(s \in \mathbb {Z}_p\) and \(\varvec{s} \in \mathbb {Z}_p^{\tilde{m}_2+1}\). The algorithm sets \(C_0 = M \cdot e(g_1,g_2)^{\alpha s}\) and outputs \(CT := (C_0, \varvec{C}_{1}, \varvec{C}_{2}, \varvec{C}_{3})\) where \(\varvec{C}_{1} = g_1^{\varvec{c}(y, \varvec{b}(\varvec{w}, 1, \varvec{h}); s,\varvec{s})},\varvec{C}_{2} = (g_1^a)^{\varvec{c}(y, \varvec{b}(\varvec{w}, 1,\varvec{h}); s,\varvec{s})}, \varvec{C}_{3} = (g_1^{\tau })^{\varvec{c}(y, \varvec{b}(\varvec{w},1, \varvec{h});s,\varvec{s})}.\)

  • Decrypt(x, y, SK, CT)\(\rightarrow M.\) It takes as inputs SK for \(x \in \mathcal {X}\) and CT for \(y \in \mathcal {Y}\). It runs \(\varvec{E} \leftarrow \) Pair(x, y) and computes

    $$\begin{aligned} A_1 = e(\varvec{C}_1^{\varvec{E}^{\top }}, \varvec{D}_1),\,\, A_2 = e(\varvec{C}_2^{\varvec{E}^{\top }}, \,\, \varvec{D}_2), A_3 = e(\varvec{C}_3^{\varvec{E}^{\top }}, \varvec{D}_3). \end{aligned}$$

    Suppose \(R_\kappa (x,y) =1\), \(A_1 \cdot A_2 \cdot A_3 =e(g_1, g_2)^{\alpha s}\). It outputs \(M = C_0/e(g_1, g_2)^{\alpha s}\).

Correctness. For \((x,y) \in \mathcal {X} \times \mathcal {Y}\) such that \(R_\kappa (x,y) =1\), \(\varvec{E}\) is a reconstruction matrix such that \(\varvec{c} \varvec{E}^\top \varvec{k}^\top = \alpha s\) when \(b_0 =1\). Hence, we can compute the following:

$$\begin{aligned} A_1 = e(\varvec{C}_1^{\varvec{E}^{\top }}, \varvec{D}_1) = e(g_1, g_2)^{\varvec{c}\varvec{E}^{\top }\varvec{k}^\top }e(g_1, v_2)^{\varvec{c} \varvec{E}^{\top } \varvec{z}^\top } = e(g_1, g_2)^{\alpha s}e(g_1, v_2)^{\varvec{c} \varvec{E}^{\top } \varvec{z}^\top } \end{aligned}$$
$$\begin{aligned} A_2 = e(\varvec{C}_2^{\varvec{E}^{\top }}, \varvec{D}_2) = e(g_1, u_2)^{a \cdot \varvec{c} \varvec{E}^{\top } \varvec{z}^\top }, \, A_3 = e(\varvec{C}_3^{\varvec{E}^{\top }}, \varvec{D}_3) = e(g_1, f_2)^{-\tau \cdot \varvec{c} \varvec{E}^{\top } \varvec{z}^\top } \end{aligned}$$

It should be noted that \(\tau = y_v + a y_u\) where \(y_v\) and \(y_u\) are discrete logarithms of \(v_2\) and \(u_2\) to the base \(f_2\), respectively. Therefore, \(A_1 \cdot A_2 \cdot A_3 = e(g_1,g_2)^{\alpha s}\).

Theorem 1

Suppose the assumptions LW1, LW2 and DBDH hold in \(\mathcal {G}\). Then, for every encoding \(E(R_\kappa ,p)\) with a predicate family \(R_\kappa \) and a prime p, \(PE(E(R_\kappa ,p))\) is adaptively secure. Precisely, for any PPT adversary \(\mathcal {A}\), there exist PPT algorithms \(\mathcal {B}_1\), \(\mathcal {B}_2\), \(\mathcal {B}_3\) and \(\mathcal {B}_4\), whose running times are essentially the same as that of \(\mathcal {A}\), such that, for any \(\lambda \),

$$ Adv_{\mathcal {A}}^{PE(E(R_\kappa ,p))}(\lambda ) \le w_t \cdot Adv_{\mathcal {B}_1}^{LW1}(\lambda ) + 2 \cdot m_t \cdot Adv_{\mathcal {B}_2}^{LW2}(\lambda ) + Adv_{\mathcal {B}_3}^{DBDH}(\lambda ) + q \cdot Adv_{\mathcal {B}_4}^{\alpha \text {-}hd}(\lambda )$$

where (1) q is the number of key queries in Phases I and II, (2) \(m_t\) is the total number of random variables used to simulate all private keys, (3) \(w_t\) is the number of random variables used in the challenge ciphertext and (4) \(Adv_{\mathcal {B}_4}^{\alpha \text {-}hd}(\lambda )\) is the advantage of \(\mathcal {B}_4\) in breaking \(\alpha \) hiding.

5 Security Analysis

We define the semi-functional (SF) algorithms for the security analysis. We let the simulator randomly select \(\varvec{h}' \in \mathbb {Z}_p^{\omega _2}\).

SFKeyGen(\(x ,MSK, \varvec{h}', j, \alpha '\)) \(\rightarrow SK.\) The algorithm takes as inputs the master secret key MSK, \(x \in \mathcal {X}\), \(\varvec{h}'\), \(j \in \lbrace 0, ..., m_2 \rbrace \) and \(\alpha ' \in \mathbb {Z}_p\) (\(\alpha ' = 0\) for a nominally semi-functional key, \(\alpha ' \xleftarrow {R} \mathbb {Z}_p\) for a semi-functional one). It selects \(\tilde{\varvec{r}}_j \xleftarrow {R} \mathbb {Z}_p^{m_2}\) of which the first j elements are random and the remaining ones are 0. It also creates a normal key (\(\varvec{D}_1\), \(\varvec{D}_2\), \(\varvec{D}_3\)) using KeyGen. It outputs \(SK:= \langle \varvec{D}'_{1}, \varvec{D}'_{2}, \varvec{D}'_{3} \rangle \) where \(\varvec{D}'_{1} = \varvec{D}_1 \cdot f_2^{-a\varvec{k}(\alpha ', x, \varvec{b}(\varvec{w},1,\varvec{h}');\tilde{\varvec{r}}_j)}\), \(\varvec{D}'_{2} = \varvec{D}_{2} \cdot f_2^{\varvec{k}(\alpha ', x, \varvec{b}(\varvec{w}, 1,\varvec{h}');\tilde{\varvec{r}}_j)}\), \(\varvec{D}_3' = \varvec{D}_3\). (The \(f_2\) factor of \(\varvec{D}'_2\) carries no \(\tau \): pairing the normal \(\varvec{C}_1 = g_1^{\varvec{c}}\) with the \(f_2^{-a\varvec{k}}\) part of \(\varvec{D}'_1\) and \(\varvec{C}_2 = g_1^{a\varvec{c}}\) with the \(f_2^{\varvec{k}}\) part of \(\varvec{D}'_2\) cancel exactly, so a normal ciphertext still decrypts under this key; this is also the form the kth key takes in the proof of Lemma 2.) We define the type of SK as follows:

[Figure a: key types of SK, determined by the choice of \(j\) and \(\alpha '\)]

In SF keys, \(\tilde{\varvec{r}}_0\) equals the zero vector \(\varvec{0}\) by definition. Due to the parameter vanishing property, we can rewrite SF keys (SF-SK) as follows:

$$\begin{aligned} \varvec{D}'_{1} = \varvec{D}_1 \cdot f_2^{-a\varvec{k}(\alpha ', x, \varvec{b}(\varvec{w},0,\varvec{0});{\varvec{0})}}, \quad \varvec{D}'_{2} = \varvec{D}_{2} \cdot f_2^{\varvec{k}(\alpha ', x, \varvec{b}(\varvec{w}, 0,\varvec{0});{\varvec{0}})}. \end{aligned}$$

SFEncrypt(\(M, y, PK, \varvec{h}', j\)) \(\rightarrow CT.\) The algorithm takes as inputs a message M, the public key PK, a description \(y \in \mathcal {Y}\) and \(j \in [\tilde{m}_2 +1]\). It sets \(f_1 = g_1^{y_f}\) and \(u_1 = f_1^{y_u}\). It generates a normal ciphertext \((C_0, \varvec{C}_1, \varvec{C}_2, \varvec{C}_3)\). If \(j = 1\), it selects \(\tilde{{s}} \xleftarrow {R} \mathbb {Z}_p\), sets \(C'_0 = C_0\) and outputs CT as follows:

$$\begin{aligned} \varvec{C}'_{1} = \varvec{C}_{1}, \,\, \varvec{C}'_{2} = \varvec{C}_{2} \cdot f_1^{\varvec{c}(y, \varvec{b}(\varvec{w},1,\varvec{h}');\tilde{s}, {\varvec{0}})}, \,\, \varvec{C}'_{3} = \varvec{C}_{3} \cdot {u_1}^{\varvec{c}(y, \varvec{b}(\varvec{w}, 1,\varvec{h}');\tilde{s}, {\varvec{0}})}. \end{aligned}$$

If \(j > 1\), it selects a random value \(\tilde{s} \xleftarrow {R} \mathbb {Z}_p\) and a random vector \(\tilde{\varvec{s}}_{j-1} \xleftarrow {R} \mathbb {Z}_p^{\tilde{m}_2}\) where the first \(j-1\) elements are random variables and the others are 0. The algorithm then sets \(C'_0 = C_0\) and outputs \( CT := \langle {C}'_0, \varvec{C}'_{1}, \varvec{C}'_{2},\varvec{C}'_{3} \rangle \) where

$$\begin{aligned} \varvec{C}'_{1} = \varvec{C}_{1}, \,\, \varvec{C}'_{2} = \varvec{C}_{2} \cdot f_1^{\varvec{c}(y, \varvec{b}(\varvec{w},1,\varvec{h}');\tilde{s}, \tilde{\varvec{s}}_{j-1})}, \,\, \varvec{C}'_{3} = \varvec{C}_{3} \cdot {u_1}^{\varvec{c}(y, \varvec{b}(\varvec{w}, 1,\varvec{h}');\tilde{s}, \tilde{\varvec{s}}_{j-1})}. \end{aligned}$$

In particular, we call CT a semi-functional (SF) ciphertext if \(j = \tilde{m}_2 + 1\).
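The cancellation used in the correctness argument (\(\tau = y_v + a y_u\)) and the way the semi-functional algorithms interact can be checked directly in the exponent, since every element here is some \(g_1^{x}\) or \(g_2^{y}\) and \(e(g_1^x, g_2^y) = e(g_1,g_2)^{xy}\). The Python script below is an added example, not code from the paper: it stores group elements as discrete logarithms to \(g_1, g_2\) (so a pairing becomes a product mod p) and plugs in an assumed minimal identity-based pair encoding, \(\varvec{k}(\alpha ,x,\varvec{b};r) = (\alpha + r(h_1 + x h_2), r)\) and \(\varvec{c}(y,\varvec{b};s) = (s, s(h_1 + y h_2))\) with \(\varvec{c}\varvec{E}^\top \varvec{k}^\top = c_1 k_1 - c_2 k_2\), which is not one of the page's encodings. It checks that a normal key decrypts an SF ciphertext, an SF key decrypts a normal ciphertext, and a nominally semi-functional key (\(\alpha ' = 0\)) decrypts an SF ciphertext, while an SF key with random \(\alpha '\) against an SF ciphertext leaves the extra factor \(e(f_1,f_2)^{\alpha ' \tilde{s}}\). The toy modulus and the names `keygen`, `encrypt` and `decrypt_exp` are the example's own.

```python
"""Exponent-level model of the compiler PE(E) on this page (added example).

Elements of G_1, G_2 are stored as discrete logs to g_1, g_2, so g_1^x is x and
e(g_1^x, g_2^y) = e(g_1, g_2)^{x y} becomes x*y mod p.  The encoding is an
assumed minimal identity-based pair encoding (not one of the page's):
  b = (h_1, h_2),  k(alpha, x, b; r) = (alpha + r (h_1 + x h_2), r),
  c(y, b; s) = (s, s (h_1 + y h_2)),  c E^T k^T = c_1 k_1 - c_2 k_2 = alpha s if x = y.
"""
import secrets

P = (1 << 127) - 1                 # toy prime modulus (constructed for the example)

def rnd():
    return secrets.randbelow(P - 1) + 1          # uniform in [1, p-1]

def vadd(u, v):
    return [(a + b) % P for a, b in zip(u, v)]

def vscale(t, v):
    return [(t * a) % P for a in v]

def enc1(alpha, x, h, r):
    return [(alpha + r * (h[0] + x * h[1])) % P, r % P]

def enc2(y, h, s):
    return [s % P, (s * (h[0] + y * h[1])) % P]

def pair_exp(c, k):
    """c E^T k^T for E = diag(1, -1): the exponent a decryptor reconstructs."""
    return (c[0] * k[0] - c[1] * k[1]) % P

def setup():
    a, yf, yu, yv = rnd(), rnd(), rnd(), rnd()
    return dict(alpha=rnd(), h=(rnd(), rnd()), a=a, yf=yf, yu=yu, yv=yv,
                tau=(yv + a * yu) % P)          # tau = y_v + a y_u as in Setup

def keygen(msk, x, sf=None):
    """Normal key, or with sf=(alpha', h', r~) the SFKeyGen key:
    D1' = D1 f_2^{-a k'}, D2' = D2 f_2^{k'}, D3' = D3, where f_2 = g_2^{y_f}."""
    yf, yu, yv, a = msk['yf'], msk['yu'], msk['yv'], msk['a']
    k = enc1(msk['alpha'], x, msk['h'], rnd())
    z = [rnd() for _ in k]
    D1 = vadd(k, vscale(yf * yv, z))            # g_2^k * v_2^z,  v_2 = f_2^{y_v}
    D2 = vscale(yf * yu, z)                     # u_2^z,          u_2 = f_2^{y_u}
    D3 = vscale(-yf, z)                         # f_2^{-z}
    if sf is not None:
        alpha2, h2, r2 = sf
        ksf = enc1(alpha2, x, h2, r2)
        D1 = vadd(D1, vscale(-a * yf, ksf))
        D2 = vadd(D2, vscale(yf, ksf))
    return D1, D2, D3

def encrypt(msk, y, sf=None):
    """Returns (s, CT); with sf=(h', s~) the SFEncrypt ciphertext:
    C2' = C2 f_1^{c'}, C3' = C3 u_1^{c'}, where f_1 = g_1^{y_f}, u_1 = f_1^{y_u}."""
    yf, yu, a, tau = msk['yf'], msk['yu'], msk['a'], msk['tau']
    s = rnd()
    c = enc2(y, msk['h'], s)
    C1, C2, C3 = c, vscale(a, c), vscale(tau, c)
    if sf is not None:
        h2, s2 = sf
        csf = enc2(y, h2, s2)
        C2 = vadd(C2, vscale(yf, csf))
        C3 = vadd(C3, vscale(yf * yu, csf))
    return s, (C1, C2, C3)

def decrypt_exp(sk, ct):
    """Exponent of A_1 A_2 A_3; equals alpha*s exactly when decryption succeeds."""
    (D1, D2, D3), (C1, C2, C3) = sk, ct
    return (pair_exp(C1, D1) + pair_exp(C2, D2) + pair_exp(C3, D3)) % P

def run_dual_system_checks(x=7, y=7):
    msk = setup()
    h2 = (rnd(), rnd())                              # h' of the semi-functional space
    normal_sk = keygen(msk, x)
    nsf_sk = keygen(msk, x, sf=(0, h2, rnd()))       # nominally SF: alpha' = 0
    sf_sk = keygen(msk, x, sf=(rnd(), h2, rnd()))    # SF: alpha' random
    s, normal_ct = encrypt(msk, y)
    s2, sf_ct = encrypt(msk, y, sf=(h2, rnd()))
    ok = lambda sk, ct, s_: decrypt_exp(sk, ct) == (msk['alpha'] * s_) % P
    return dict(normal_normal=ok(normal_sk, normal_ct, s),
                sf_key_normal_ct=ok(sf_sk, normal_ct, s),
                normal_key_sf_ct=ok(normal_sk, sf_ct, s2),
                nsf_key_sf_ct=ok(nsf_sk, sf_ct, s2),
                sf_key_sf_ct=ok(sf_sk, sf_ct, s2))   # False: extra e(f_1,f_2)^{alpha' s~}
```

Running `run_dual_system_checks()` returns a dictionary in which every combination decrypts except `sf_key_sf_ct`; replacing `tau` by any other value breaks already the first, normal-normal check, which is the point of the correctness argument.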

Table 3. Games for security analysis

We summarize the security games used in the proof in Table 3. We will show that all consecutive games in Table 3 are indistinguishable. The most delicate step is the indistinguishability of games G\(^N_{k,j-1}\) and G\(^N_{k,j}\) for \(j \in [m_2]\), which shows how the jth random variable of the kth key is moved from the normal space to the semi-functional space. We provide this proof in Lemma 2; the proofs of Lemmas 1, 3, 4 and 5 appear in the full version of this paper.

Lemma 1

Suppose there exists a PPT \(\mathcal {A}\) who can distinguish G\(_{0,i}\) and G\(_{0,i+1}\) with non-negligible advantage \(\epsilon \). Then, we can build an algorithm \(\mathcal {B}\) which breaks LW1 with the advantage \(\epsilon \) using \(\mathcal {A}\).

Lemma 2

Suppose there exists a PPT \(\mathcal {A}\) who can distinguish G\(^N_{k,j-1}\) and G\(^N_{k,j}\) for \(j \in [m_2]\) with non-negligible advantage \(\epsilon \), where \(m_2\) is the number of random variables that the kth key uses. Then, we can build an algorithm \(\mathcal {B}\) which breaks LW2 with the advantage \(\epsilon \) using \(\mathcal {A}\).

Proof:

Using the given LW2 instance \(\lbrace f_1, f_1^d, f_1^{d^2}, f_1^{tw}, f_1^{dtw}, f_1^{d^2t} \in G_1,\; f_2, f_2^c, f_2^d, f_2^w, T \in G_2\rbrace \), \(\mathcal {B}\) simulates either G\(^N_{k,j-1}\) or G\(^N_{k,j}\) for \(\mathcal {A}\) and uses \(\mathcal {A}\)'s output to break LW2.

Setup: \(\mathcal {B}\) randomly chooses \(\alpha , a, y'_v \in \mathbb {Z}_p\), \(\varvec{w} \in \mathbb {Z}_p^{\omega _1}\) and \(\varvec{h}',\varvec{h}'' \in \mathbb {Z}_p^{\omega _2}\). It implicitly sets \(y_v = d-aw +y'_v\), \(y_u =w\), \(y_f = 1/d\) (so that \(g_1 = f_1^d\) and \(g_2 = f_2^d\)), \(\varvec{h} = \varvec{h}' + d^{-1}\varvec{h}''\) (so that \(g_2^{\varvec{b}(\varvec{w},1,\varvec{h})} = f_2^{\varvec{b}(\varvec{w},d,d\varvec{h}'+\varvec{h}'')}\) by linearity in hidden common variables) and \(\tau = y_v + a y_u = d - a w + y'_v + aw = d+y'_v\). It sets a public key PK and MSK as follows:

$$\begin{aligned} PK := \lbrace e(g_1, g_2)^{\alpha } = e(f_1^{d},f_2^d)^\alpha , g_1 = f_1^{d}, \end{aligned}$$
$$\begin{aligned} g_1^{\varvec{b}(\varvec{w}, 1,\varvec{h})} = (f_1^{d})^{\varvec{b}(\varvec{w}, 1, \varvec{h}')}f_1^{\varvec{b}(\varvec{w}, 0, \varvec{h}'')},g_1^a , g_1^{a \cdot \varvec{b}(\varvec{w},1,\varvec{h})}, g_1^\tau = f_1^{d^2}(f_1^{d})^{y'_v}, \end{aligned}$$
$$\begin{aligned} g_1^{\tau \cdot \varvec{b}(\varvec{w}, 1,\varvec{h})}= (f_1^{d^2})^{\varvec{b}(\varvec{w}, 1,\varvec{h}')}(f_1^{d})^{\varvec{b}(\varvec{w}, 0,\varvec{h}'')}(f_1^{d})^{y'_v \varvec{b}(\varvec{w}, 1,\varvec{h}')}(f_1)^{y'_v \varvec{b}(\varvec{w}, 0,\varvec{h}'')} \rbrace . \end{aligned}$$
$$\begin{aligned} MSK := \lbrace g_2 = f_2^{d}, g_2^\alpha = (f_2^{d})^\alpha ,\, g_2^{\varvec{b}(\varvec{w},1,\varvec{h})} =(f_2^{d})^{\varvec{b}(\varvec{w},1,\varvec{h}')}f_2^{\varvec{b}(\varvec{w},0,\varvec{h}'')}, \end{aligned}$$
$$\begin{aligned} v_2 = f_2^{d}(f_2^{w})^{-a}f_2^{y'_v},\, u_2 =f_2^{w}, \, f_2 \rbrace . \end{aligned}$$

Phase I and II: \(\mathcal {B}\) knows all of MSK. Therefore, it can create the normal keys for the queries after the kth one (indices \(> k\)). For the first \(k-1\) keys (indices \(<k\)), \(\mathcal {B}\) first generates a normal key, then randomly selects \(\alpha '\) from \(\mathbb {Z}_p\) and turns it into an SF key. This is possible since \(\mathcal {B}\) knows \(a, \alpha ', x\) and \(f_2\).

For the \(k^{th}\) key, it randomly selects \(\varvec{z}'\) from \(\mathbb {Z}_p^{\vert \varvec{k} \vert }\) and implicitly sets \(\varvec{z} = \varvec{z}' + c \cdot \varvec{k}(0,x,\varvec{b}(\varvec{w},1, \varvec{h}'); \varvec{1}_j)\), where \(\varvec{1}_j\) is the vector whose \(j^{th}\) coordinate is 1 and all other coordinates are 0. Then, it randomly chooses \(\varvec{r}''\) from \(\mathcal {R}_r\) and implicitly sets \(\varvec{r}= \varvec{r}''-c \cdot \varvec{1}_j\). Both \(\varvec{z}\) and \(\varvec{r}\) are uniformly distributed because \(\varvec{z}'\) and \(\varvec{r}''\) are. It also generates \(r'_1, ..., r'_{j-1}\) from \(\mathbb {Z}_p\) and sets \(\varvec{r}'_{j-1} = (r'_1, ..., r'_{j-1}, 0, ..., 0) \in \mathcal {R}_r\). It then computes the key components \((\varvec{K}_0, \varvec{K}_1, \varvec{K}_2)\), which play the roles of \((\varvec{D}_1, \varvec{D}_2, \varvec{D}_3)\) in KeyGen, as

$$\begin{aligned} \varvec{K}_0 =&(f_2^d)^{\varvec{k}(\alpha , x, \varvec{b}(\varvec{w},1,\varvec{h}'); \varvec{r}'')} f_2^{\varvec{k}(0, x, \varvec{b}(\varvec{w},0,\varvec{h}''); \varvec{r}'')} (f_2^c)^{-\varvec{k}(0, x, \varvec{b}(\varvec{w},0, \varvec{h}''); \varvec{1}_j)} \\&\cdot (f_2^d (f_2^w)^{-a} f_2^{y'_v})^{\varvec{z}'} T^{- a \varvec{k}(0,x,\varvec{b}(\varvec{w},1,\varvec{h}');\varvec{1}_j)}(f_2^c)^{y'_v\varvec{k}(0,x,\varvec{b}(\varvec{w},1,\varvec{h}'); \varvec{1}_j)}\\&\cdot f_2^{-a\varvec{k}(0, x, \varvec{b}(\varvec{w},1,\varvec{h}'); \varvec{r}_{j-1}')}, \\ \varvec{K}_1 =&(f_2^{ w})^{\varvec{z}'} T^{\varvec{k}(0,x,\varvec{b}(\varvec{w},1,\varvec{h}'); \varvec{1}_j)}f_2^{\varvec{k}(0, x, \varvec{b}(\varvec{w},1,\varvec{h}'); \varvec{r}_{j-1}')}, \\ \varvec{K}_2 =&f_2^{-\varvec{z}'}(f_2^c)^{ - \varvec{k}(0,x,\varvec{b}(\varvec{w},1, \varvec{h}'); \varvec{1}_j)} \end{aligned}$$

If \(T = f_2^{cw}\), then this key is a properly distributed nominally semi-functional (NSF) key created using SFKeyGen(\(x,MSK,\varvec{h}',j-1,0)\), because

$$\begin{aligned} \varvec{K}_0 &= f_2^{d\varvec{k}(\alpha , x, \varvec{b}(\varvec{w},1,\varvec{h}'); \varvec{r})} f_2^{\varvec{k}(0, x, \varvec{b}(\varvec{w},0 ,\varvec{h}''); \varvec{r})} f_2^{(d-wa+y'_v)(\varvec{z}'+\varvec{k}(0,x,\varvec{b}(\varvec{w},1,\varvec{h}'); c \cdot \varvec{1}_j))} f_2^{-a\varvec{k}(0, x, \varvec{b}(\varvec{w},1,\varvec{h}'); \varvec{r}_{j-1}')} &(1) \\ &= f_2^{\varvec{k}(d\alpha , x, \varvec{b}(\varvec{w},d ,d\varvec{h}'+\varvec{h}''); \varvec{r})} f_2^{(d-wa+y'_v)\varvec{z}} f_2^{-a\varvec{k}(0, x, \varvec{b}(\varvec{w},1,\varvec{h}'); \varvec{r}_{j-1}')} &(2) \\ &= g_2^{\varvec{k}(\alpha , x, \varvec{b}(\varvec{w},1,\varvec{h}); \varvec{r})} v_2^{\varvec{z}}f_2^{-a\varvec{k}(0, x, \varvec{b}(\varvec{w},1,\varvec{h}'); \varvec{r}_{j-1}')}, \\ \varvec{K}_1 &= (f_2^w)^{ \varvec{z}'} (f_2^{cw})^{\varvec{k}(0,x,\varvec{b}(\varvec{w},1,\varvec{h}'); \varvec{1}_j)}f_2^{\varvec{k}(0, x, \varvec{b}(\varvec{w},1,\varvec{h}'); \varvec{r}_{j-1}')} = u_2^{\varvec{z}}f_2^{\varvec{k}(0, x, \varvec{b}(\varvec{w},1,\varvec{h}'); \varvec{r}_{j-1}')}. &(3) \end{aligned}$$

This implicitly sets \(\varvec{r} = \varvec{r}'' -c \cdot \varvec{1}_j\) and \(\varvec{z} = \varvec{z}' + \varvec{k}(0,x,\varvec{b}(\varvec{w},1,\varvec{h}'); c \cdot \varvec{1}_j)\). Equality (1) holds by linearity in random values. Equality (2) holds because of the definition of \(\varvec{r}\) (\( = \varvec{r}''- c \cdot \varvec{1}_j\)) and linearity in random values. Equality (3) holds due to linearity in hidden common variables.

Otherwise, if T is random, write \(T = f_2^{cw + \gamma }\) for some \(\gamma \in \mathbb {Z}_p\). The key is again a properly distributed NSF key, but one created using SFKeyGen(\(x,MSK,\varvec{h}',j,0)\), since this implicitly sets \(\varvec{r}'_j = \varvec{r}'_{j-1} +\gamma \cdot \varvec{1}_j\). It is worth noting that \(\varvec{r}'_j\) is uniformly random because \(\gamma \) is.

Challenge: When the adversary requests the challenge ciphertext with two messages \(M_0\) and \(M_1\), \(\mathcal {B}\) randomly selects \(\beta \) from \(\lbrace 0,1 \rbrace \). Then, it randomly selects \(s'', \tilde{s} \in \mathbb {Z}_p\) and \(\varvec{s}'', \tilde{\varvec{s}} \in \mathcal {R}_s\), and implicitly sets \(s = wt\tilde{s} + s''\), \(s' = -d^2t\tilde{s}\), \(\varvec{s} = wt \tilde{\varvec{s}}+ \varvec{s}''\) and \(\varvec{s}' = -d^2t\tilde{\varvec{s}}\). Because of \(s'', \tilde{s}\), \(\varvec{s}''\) and \(\tilde{\varvec{s}}\), these values are uniformly distributed. \(\mathcal {B}\) sets \(C_0 = M_\beta \cdot e(f_1^{dwt}, f_2^d)^{\alpha \tilde{s}} e(f_1^d, f_2^d)^{\alpha s''}\) (\(= M_\beta \cdot e(g_1,g_2)^{\alpha s}\)) and the remaining components \(\varvec{C}_1, \varvec{C}_2, \varvec{C}_3\) of the ciphertext as

$$\begin{aligned} \varvec{C}_1&= (f_1^{dwt})^{\varvec{c}(y,\varvec{b}(\varvec{w},1,\varvec{h}');\tilde{s},\tilde{\varvec{s}})}(f_1^d)^{\varvec{c}(y,\varvec{b}(\varvec{w},1,\varvec{h}');s'', \varvec{s}'')} (f_1^{wt})^{\varvec{c}(y,\varvec{b}(\varvec{w},0, \varvec{h}'');\tilde{s},\tilde{\varvec{s}})}\\&\quad \cdot f_1^{\varvec{c}(y,\varvec{b}(\varvec{w},0, \varvec{h}'');s'', \varvec{s}'')} \\&= g_1^{\varvec{c}(y,\varvec{b}(\varvec{w},1, \varvec{h});s, \varvec{s})} \\ \varvec{C}_2&= \varvec{C}_1^{\,a} (f_1^{d^2t})^{-\varvec{c}(y,\varvec{b}(\varvec{w},1, \varvec{h}');\tilde{s},\tilde{\varvec{s}})} = g_1^{a\varvec{c}(y,\varvec{b}(\varvec{w},1, \varvec{h});s, \varvec{s})} f_1^{\varvec{c}(y, \varvec{b}(\varvec{w},1,\varvec{h}');s',\varvec{s}')} \\ \varvec{C}_3&= (f_1^{d^2})^{\varvec{c}(y,\varvec{b}(\varvec{w},1,\varvec{h}');s'',\varvec{s}'')}(f_1^{dwt})^{\varvec{c}(y,\varvec{b}(\varvec{w},y'_v,\varvec{h}''+y'_v\varvec{h}');\tilde{s},\tilde{\varvec{s}})}\\&\quad \cdot (f_1^d)^{\varvec{c}(y,\varvec{b}(\varvec{w},y'_v, \varvec{h}''+y'_v\varvec{h}');s'',\varvec{s}'')} (f_1^{wt})^{\varvec{c}(y,\varvec{b}(\varvec{w},0,y'_v\varvec{h}'');\tilde{s},\tilde{\varvec{s}})}f_1^{\varvec{c}(y,\varvec{b}(\varvec{w},0,y'_v\varvec{h}'');s'',\varvec{s}'')}\\&= g_1^{\tau \cdot \varvec{c}(y, \varvec{b}(\varvec{w},1,\varvec{h});s,\varvec{s})}u_1^{\varvec{c}(y, \varvec{b}(\varvec{w},1,\varvec{h}');s',\varvec{s}')}. \end{aligned}$$

Therefore, the challenge ciphertext is properly distributed. The equalities above hold by both linearity in hidden common variables and linearity in random values. In particular, the last equalities for \(\varvec{C}_1\), \(\varvec{C}_2\) and \(\varvec{C}_3\) hold because of \(s' = -d^2t \tilde{s}\), \(\varvec{s}' = -d^2t \tilde{\varvec{s}}\) and the definitions of the public parameters: the term \(f_1^{d^2wt \cdot \varvec{c}(y,\varvec{b}(\varvec{w},1,\varvec{h}');\tilde{s},\tilde{\varvec{s}})}\) of \(g_1^{\tau \cdot \varvec{c}}\), which \(\mathcal {B}\) cannot compute from the instance, is exactly cancelled by \(u_1^{\varvec{c}(y,\varvec{b}(\varvec{w},1,\varvec{h}');s',\varvec{s}')}\). \(\tilde{s}\) and \(\tilde{\varvec{s}}\) remain uniformly random from the adversary's view although they also appear in \(s = wt \tilde{s} + s''\) and \(\varvec{s}=wt\tilde{\varvec{s}} + \varvec{s}''\), since their values are masked by \(s''\) and \(\varvec{s}''\), which are fresh uniformly random values.   \(\square \)

Lemma 3

Suppose there exists a PPT \(\mathcal {A}\) who can distinguish G\(^N_{k,m_2}\) and G\(^T_{k,m_2}\) with non-negligible advantage \(\epsilon \) for any \(k < q\). Then, we can build an algorithm \(\mathcal {B}\) which breaks the \(\alpha \) hiding property with advantage \(\epsilon \) using \(\mathcal {A}\).

Lemma 4

Suppose there exists a PPT \(\mathcal {A}\) who can distinguish G\(^T_{k,j-1}\) and G\(^T_{k,j}\) for \(j \in [ m_2]\) with non-negligible advantage \(\epsilon \), where \(m_2\) is the number of random variables that the k\(^{th}\) key uses. Then, we can build an algorithm \(\mathcal {B}\) which breaks LW2 with the advantage \(\epsilon \) using \(\mathcal {A}\).

Lemma 5

Suppose there exists a PPT \(\mathcal {A}\) who can distinguish G\(_{q_t}\) and G\(_{Final}\) with non-negligible advantage \(\epsilon \). Then, we can build an algorithm \(\mathcal {B}\) which breaks DBDH with the advantage \(\epsilon \) using \(\mathcal {A}\).

6 Adaptively Secure NM-CP-ABE with Short Keys

We introduce an NM-CP-ABE scheme with short keys. Part of its security proof, the co-selective security, is inspired by the selective NM-KP-ABE scheme of [6].

Assumptions for NM-CP-ABE with Short Keys. We define two computational assumptions in asymmetric pairing groups. We take (n-A2) from [26] and also use n-DBDHE, and modify both to prove \(\alpha \) hiding using the technique that Lewko and Waters introduced in [19]. We prove the security of our assumptions in the generic group model in the full version of this paper.

Assumption 4

(n-A2). If a group generator \(\mathcal {G}\) and a positive integer n are given, we define the following distribution

$$\begin{aligned} \mathbb {G} = (p, G_1, G_2, G_T, e) \xleftarrow {R} \mathcal {G}, \quad c, d, a,b_1,..., b_n \xleftarrow {R} \mathbb {Z}_p, \end{aligned}$$
$$\begin{aligned} g_1 \xleftarrow {R} G_1, \quad g_2 \xleftarrow {R} G_2, \quad D := \lbrace g_1, g_2, g_1^c, g_2^c\rbrace \cup \lbrace g_1^{{z}_1}, g_2^{{z}_2} \vert z_1 \in Z_1, z_2 \in Z_2 \rbrace \end{aligned}$$
[Figure b: the exponent sets \(Z_1\) and \(Z_2\) of n-A2]

Given D, it is hard to distinguish between \(T_0 = g_2^{da^{n+1}}\) and \(T_1 \xleftarrow {R} G_2\).

Assumption 5

(n-DBDHE). If a group generator \(\mathcal {G}\) and a positive integer n are given, we define the following distribution

$$\begin{aligned} \mathbb {G} = (p, G_1, G_2, G_T, e) \xleftarrow {R} \mathcal {G},\,\, b, c, d \xleftarrow {R} \mathbb {Z}_p, \end{aligned}$$
$$\begin{aligned} g_1 \xleftarrow {R} G_1, \, g_2 \xleftarrow {R} G_2, \,\, D := \lbrace g_1, g_2, g_1^c, g_2^c \rbrace \cup \lbrace g_1^{{z}_1}, g_2^{{z}_2} \vert z_1 \in Z_1, z_2 \in Z_2 \rbrace \end{aligned}$$

where \({Z}_1 = Z_2 := \lbrace dc, b^i| \,\, \forall i \in [2n], i \ne n+1\rbrace .\)

Given D, it is hard to distinguish between \(T_0 = g_2^{db^{n+1}}\) and \(T_1 \xleftarrow {R} G_2\).

We define the advantage of an algorithm \(\mathcal {A}\) to break n-A2 or n-DBDHE as

$$\begin{aligned} Adv_{\mathcal {G}, \mathcal {A}, n}^{\{A2, \,\,DBDHE\}} (\lambda ) = \vert Pr[\mathcal {A}(D,T_0) = 1] - Pr[\mathcal {A}(D,T_1) = 1] \vert \end{aligned}$$

Encoding Scheme for NM-CP-ABE with Short Keys. Our encoding scheme for NM-CP-ABE with short keys consists of the following encoding algorithms:

  • Param(\(\kappa \)): It sets \(\omega _1=1, \omega _2= 2N+3\) and \(\omega = 3N+4\). It selects \(\alpha \xleftarrow {R} \mathbb {Z}_p\), \(\varvec{w} = \eta \xleftarrow {R} \mathbb {Z}_p\), \(\varvec{h} = (\delta , \nu , \zeta , y_1, ..., y_{N}, y'_1, ..., y'_{N}) \xleftarrow {R} \mathbb {Z}_p^{2N+3}\). It sets \(\varvec{b}(\varvec{w},1,\varvec{h}) = (\delta ,\, \nu ,\, \zeta ,\,\eta ,\, y_1,\, ..., y_{N},\,y'_1,\, ..., y'_{N}, \, \eta \cdot y'_1, ..., \eta \cdot y'_{N})\).

  • Enc\(_{1}(S)\): The algorithm selects \(r_0, r_1, r_2 \xleftarrow {R} \mathbb {Z}_p\) and sets \(\varvec{r} = (r_0, r_1, r_2)\). It sets \(d_1 = \alpha + \delta r_2 + \nu r_0,\, d_2 = -r_0, \, d_3= r_2\). For a non-empty attribute set \(S = \lbrace w_1, ..., w_{k} \rbrace \) with \(k \le N\), it sets

    $$\begin{aligned} d_{4} = -\zeta r_2 + (y_1 a_1 + ... + y_{N}a_{N})r_1 ,\quad d_{5}= r_1, \end{aligned}$$
    $$\begin{aligned} \, d'_{6} = \eta ( y'_1 a_1 + ... + y'_{N}a_{N})r_2 ,\quad d'_{7}= \eta r_2 \end{aligned}$$

    where \(a_i\) is the coefficient of \(z^{i-1}\) in \(P(z) = \prod _{w\in S} (z- w)\) for \(i \in [k+1]\) (and \(a_i = 0\) for \(i > k+1\)). It defines \(\varvec{k}(\alpha , S, \varvec{b}( \varvec{w}, 1, \varvec{h}); \varvec{r}) := (d_1, d_2, d_3, d_{4}, d_{5}, d'_{6}, d'_{7})\).

  • Enc\(_{2}(\tilde{\mathbb {A}})\): For the non-monotone access structure \(\tilde{\mathbb {A}}\), there exists a monotone access structure \(\mathbb {A} = (A,\rho )\) such that \(\tilde{\mathbb {A}}= NM(\mathbb {A})\), where A is an \(\ell \times m\) access matrix. The algorithm randomly selects \(s, s_2, ..., s_m, t_1, ..., t_\ell \xleftarrow {R} \mathbb {Z}_p\) and sets \(\varvec{s}= (s_2, ..., s_m, t_1,..., t_\ell )\) and \(\lambda _i = A_i \cdot \varvec{\phi }\), where \(A_i\) is the ith row of A and \(\varvec{\phi } = (s, s_2, ..., s_m)\). It sets \(c_1 = s\) and \(c_2 = \nu s\). For all \(i \in [\ell ]\), it sets \(\varvec{c}(\tilde{\mathbb {A}},\varvec{b}(\varvec{w}, 1, \varvec{h});s, \varvec{s}):= (c_1, c_2, c_{i,1}, c_{i,2}, ..., c_{i,N+1} ;\, \forall i \in [\ell ])\) as follows:

    $$\begin{aligned} c_{i,1} = \delta \lambda _i + \zeta t_i, \quad c_{i,2} = t_i, \end{aligned}$$
    $$\begin{aligned} c_{i,3} = - (y_2 -y_1 \rho (i)) t_i, \quad ..., \quad c_{i,N+1} = -(y_{N} - y_1 \rho (i)^{N-1}) t_i\quad \text { if } \rho (i) = x_i; \end{aligned}$$
    $$\begin{aligned} c_{i,1} = \delta \lambda _i - \eta y'_1 t_i, \quad c_{i,2} = t_i, \end{aligned}$$
    $$\begin{aligned} c_{i,3} = - ( y'_2 - y'_1 \rho (i)) t_i, \quad ..., \quad c_{i,N+1} = -(y'_{N} - y'_1 \rho (i)^{N-1}) t_i\quad \text { if } \rho (i) = x'_i; \end{aligned}$$

    where the attribute corresponding to the ith row of A by the mapping \(\rho \) is denoted by \(x_i\) (or \(x'_i\), if it is a negated attribute).

  • Pair\((S,\tilde{\mathbb {A}})\): If S satisfies \(\tilde{\mathbb {A}}\), there exists \(S' = N(S)\) which satisfies the monotone access structure \(\mathbb {A}= (A, \rho )\) with \(\tilde{\mathbb {A}} = NM(\mathbb {A})\). We define \( I = \lbrace i \vert \rho (i) \in S' \rbrace \) and compute \(\varvec{\mu } = (\mu _1, ..., \mu _{\vert I \vert })\) such that \(\varvec{\mu } \cdot A_{I}= (1, 0,..., 0)\). Let \(\gamma \) be the index such that \(w_\gamma = x_i\). For each \(i \in I\), using the coefficients \(a_1, ..., a_{k+1}\) of P(z) from Enc\(_1\) (\(a_j\) being the coefficient of \(z^{j-1}\)), it computes the share \(\varLambda _i\) as

    $$\begin{aligned} \varLambda _{i} = c_{i,1} \cdot d_{3} + c_{i,2} \cdot d_{4} + \varSigma _{j \in [N]\setminus \lbrace 1 \rbrace } a_j \cdot c_{i,1+j}\cdot d_{5} = \lambda _i \delta r_2 \,\,\quad \text { if } \rho (i) = x_i; \end{aligned}$$
    $$\begin{aligned} \varLambda _{i} = c_{i,1} \cdot d_{3} + \frac{ c_{i,2} \cdot d'_{6} + \varSigma _{j \in [N]\setminus \lbrace 1 \rbrace } a_j \cdot c_{i,1+j}\cdot d'_{7}}{\varSigma _{j \in [N]} a_j \cdot \rho (i)^{j-1}}= {\lambda _i \delta r_2} \quad \text { if } \rho (i) = x'_i. \end{aligned}$$

    In the negated case the denominator equals \(P(\rho (i))\), which is non-zero because the negated attribute is not in S. Finally, the algorithm computes \( c_{1} \cdot d_{1} + c_2 \cdot d_2 - \varSigma _{i \in I} \mu _i \varLambda _i = \alpha s.\)
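To see Pair reconstruct \(\alpha s\) with both positive and negated attributes, here is the encoding above evaluated over \(\mathbb {Z}_p\) in Python. This is an added example, not the paper's code. It assumes the LSSS \((A,\rho )\) is supplied as a list of rows with their (possibly negated) attribute labels, uses a constructed policy \((1 \wedge \lnot 2) \vee 3\) over \(\varvec{\phi } = (s, s_2)\), solves \(\varvec{\mu } A_I = (1,0,\dots ,0)\) by Gaussian elimination modulo p, and stores P(z) with N coefficients \(a_1, \dots , a_N\) (\(a_j\) the coefficient of \(z^{j-1}\)), so it handles attribute sets of size at most \(N-1\). The toy prime and all function names are the example's own.

```python
"""NM-CP-ABE encoding of this section evaluated over Z_p (added example, not the
paper's code).  Policy rows are (A_i, attribute, negated); P(z) is kept with N
coefficients a_1..a_N (a_j <-> z^{j-1}), so |S| <= N-1 (example's assumption)."""
import secrets

P = (1 << 61) - 1                      # toy prime modulus (constructed)

def rnd():
    return secrets.randbelow(P - 1) + 1

def poly_coeffs(S, N):
    """Coefficients of P(z) = prod_{w in S} (z - w); list index i <-> z^i."""
    assert len(S) < N, "example keeps only N coefficients"
    a = [1] + [0] * (N - 1)
    for w in S:                        # multiply the running product by (z - w)
        a = [((a[i - 1] if i else 0) - w * a[i]) % P for i in range(N)]
    return a

def param(N):
    """Common variables: b = (delta, nu, zeta, eta, y_1..y_N, y'_1..y'_N, eta y'_1..)."""
    return dict(delta=rnd(), nu=rnd(), zeta=rnd(), eta=rnd(),
                y=[rnd() for _ in range(N)], yp=[rnd() for _ in range(N)])

def enc1(alpha, S, b, N):
    """Key encoding k(alpha, S, b; r) = (d_1, d_2, d_3, d_4, d_5, d'_6, d'_7)."""
    r0, r1, r2 = rnd(), rnd(), rnd()
    a = poly_coeffs(S, N)
    ya = sum(y * ai for y, ai in zip(b['y'], a))      # y_1 a_1 + ... + y_N a_N
    ypa = sum(y * ai for y, ai in zip(b['yp'], a))    # y'_1 a_1 + ... + y'_N a_N
    return ((alpha + b['delta'] * r2 + b['nu'] * r0) % P, -r0 % P, r2,
            (-b['zeta'] * r2 + ya * r1) % P, r1,
            (b['eta'] * ypa * r2) % P, (b['eta'] * r2) % P)

def enc2(rows, b, N):
    """Ciphertext encoding for the LSSS (A, rho): s, c_1, c_2 and the per-row parts."""
    s = rnd()
    phi = [s] + [rnd() for _ in rows[0][0][1:]]       # (s, s_2, ..., s_m)
    out = dict(s=s, c1=s, c2=(b['nu'] * s) % P, rows=[])
    for A_i, x, neg in rows:
        lam = sum(ai * pi for ai, pi in zip(A_i, phi)) % P   # lambda_i = A_i . phi
        t = rnd()
        yy = b['yp'] if neg else b['y']
        ci1 = (b['delta'] * lam - b['eta'] * b['yp'][0] * t) if neg else \
              (b['delta'] * lam + b['zeta'] * t)
        # c_{i,3..N+1} = -(y_j - y_1 rho(i)^{j-1}) t_i   (primed y's for negated rows)
        cij = [(-(yy[j] - yy[0] * pow(x, j, P)) * t) % P for j in range(1, N)]
        out['rows'].append((ci1 % P, t, cij))
    return out

def solve_mu(A_I, m):
    """mu with mu * A_I = (1,0,...,0) over Z_p by Gaussian elimination, else None."""
    n = len(A_I)
    M = [[A_I[i][j] % P for i in range(n)] + [1 if j == 0 else 0] for j in range(m)]
    pivots, row = [], 0
    for col in range(n):
        pr = next((r for r in range(row, m) if M[r][col]), None)
        if pr is None:
            continue
        M[row], M[pr] = M[pr], M[row]
        inv = pow(M[row][col], P - 2, P)
        M[row] = [(v * inv) % P for v in M[row]]
        for r in range(m):
            if r != row and M[r][col]:
                f = M[r][col]
                M[r] = [(vr - f * vp) % P for vr, vp in zip(M[r], M[row])]
        pivots.append(col)
        row += 1
    if any(M[r][n] for r in range(row, m)):             # (1,0,..,0) not in the span
        return None
    mu = [0] * n
    for r, col in enumerate(pivots):
        mu[col] = M[r][n]
    return mu

def pair(S, rows, k, c, N):
    """c E^T k^T as Pair computes it; equals alpha*s iff S satisfies the policy."""
    d1, d2, d3, d4, d5, d6, d7 = k
    a = poly_coeffs(S, N)
    I = [i for i, (_, x, neg) in enumerate(rows) if ((x not in S) if neg else (x in S))]
    mu = solve_mu([rows[i][0] for i in I], len(rows[0][0]))
    if mu is None:
        return None
    total = (c['c1'] * d1 + c['c2'] * d2) % P
    for mu_i, i in zip(mu, I):
        ci1, ci2, cij = c['rows'][i]
        x, neg = rows[i][1], rows[i][2]
        tail = sum(a[j] * cij[j - 1] for j in range(1, N))      # sum_{j>=2} a_j c_{i,1+j}
        if neg:
            Px = sum(a[j] * pow(x, j, P) for j in range(N)) % P  # P(rho(i)), x not in S
            Lam = ci1 * d3 + (ci2 * d6 + tail * d7) * pow(Px, P - 2, P)
        else:
            Lam = ci1 * d3 + ci2 * d4 + tail * d5
        total = (total - mu_i * Lam) % P
    return total

def demo(N=4):
    """Constructed policy (1 AND NOT 2) OR 3 over phi = (s, s_2)."""
    rows = [((1, 1), 1, False), ((0, -1), 2, True), ((1, 0), 3, False)]
    b, alpha = param(N), rnd()
    c = enc2(rows, b, N)
    return {S: pair(S, rows, enc1(alpha, S, b, N), c, N) == (alpha * c['s']) % P
            for S in [(1,), (3,), (1, 2), (2,)]}
```

`demo()` reports reconstruction for the sets {1} (uses the negated row, so the division by \(P(\rho (i))\) is exercised) and {3}, and failure for {1, 2} and {2}, where no \(\varvec{\mu }\) exists; the non-linear entries \(\eta y'_i\) of \(\varvec{b}\) enter only through \(d'_6, d'_7\) and the negated rows.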

The \(\alpha \) hiding property of this encoding is proven computationally, in Lemma 6.

Lemma 6

Suppose there exists a PPT adversary \(\mathcal {A}\) who can break \(\alpha \) hiding with non-negligible advantage \(\epsilon \) for attribute sets of size \(k < n_1, n_2\). Then, we can build an algorithm \(\mathcal {B}\) breaking \(n_1\)-DBDHE or \(n_2\)-A2 with advantage \(\epsilon \) using \(\mathcal {A}\).

Proof:

We provide this proof in the full version of this paper.    \(\square \)

6.1 Duality

We introduce NM-KP-ABE with short ciphertexts as a dual scheme of our NM-CP-ABE with short keys using the conversion technique in [9]. The following encoding scheme constructs NM-KP-ABE with short ciphertexts:

  • Param(\(\kappa \)): It runs Param of NM-CP-ABE to get \(\varvec{b}(\varvec{w},1, \varvec{h})\) and outputs \(\varvec{b}'(\varvec{w}',1,\varvec{h}')\) := \((\pi , \varvec{b}(\varvec{w},1,\varvec{h}))\) where \(\pi \xleftarrow {R} \mathbb {Z}_p\). This sets \(\varvec{w}' = \varvec{w}\) and \(\varvec{h}'= (\pi , \varvec{h})\).

  • Enc\(_{1}(\tilde{\mathbb {A}})\): It runs Enc\(_2(\tilde{\mathbb {A}})\) of NM-CP-ABE to get \(\varvec{c}(\tilde{\mathbb {A}},\varvec{b}(\varvec{w}, 1, \varvec{h});s, \varvec{s})\), sets \(d'_1 = \alpha + \pi s\) and \(\varvec{k}'(\alpha ,\tilde{\mathbb {A}},\varvec{b}'(\varvec{w}', 1, \varvec{h}');\varvec{r}'):= (d'_1, \varvec{c}(\tilde{\mathbb {A}},\varvec{b}(\varvec{w}, 1, \varvec{h});s, \varvec{s}))\). It is worth noting that s can be parsed from \(\varvec{c}\) (as \(c_1 = s\)). It implicitly sets \(\varvec{r}' = (s,\varvec{s})\).

  • Enc\(_{2}(S)\): It selects \(s' \xleftarrow {R} \mathbb {Z}_p\) and runs Enc\(_1(S)\) of NM-CP-ABE with \(\alpha \) replaced by \(\pi s'\) to get \(\varvec{k}(\pi s', S, \varvec{b}(\varvec{w}, 1, \varvec{h});\varvec{r})\). It sets \(c'_1 = {s'}\) and \(\varvec{c}'({S},\varvec{b}'(\varvec{w}', 1, \varvec{h}');s',\varvec{s}'):= (c'_1, \varvec{k}(\pi s', S, \varvec{b}(\varvec{w}, 1, \varvec{h});\varvec{r}))\). It implicitly sets \(\varvec{s}' = \varvec{r}\).

  • Pair\((S,\tilde{\mathbb {A}})\): Pair\((S,\tilde{\mathbb {A}})\) of NM-CP-ABE outputs \(\varvec{E}\) such that \(\varvec{k} \varvec{E} \varvec{c}^{\top } = \pi s s'\). The algorithm computes \(d'_1 \cdot c'_1 = \alpha s' + \pi s s'\). Finally, the algorithm computes \(\alpha s' = d'_1 \cdot c'_1 - \varvec{k} \varvec{E} \varvec{c}^{\top }\).