Functional Encryption for Attribute-Weighted Sums from k-Lin

Abdalla, Michel; Gong, Junqing; Wee, Hoeteck

doi:10.1007/978-3-030-56784-2_23

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12170))

Included in the following conference series:

Annual International Cryptology Conference

3385 Accesses
3 Altmetric

Abstract

We present functional encryption schemes for attribute-weighted sums, where encryption takes as input N attribute-value pairs $(x_i,z_i)$ where $x_i$ is public and $z_i$ is private; secret keys are associated with arithmetic branching programs f, and decryption returns the weighted sum $\sum _{i=1}^N f(x_i) z_i$ while leaking no additional information about the $z_i$’s. Our main construction achieves

(1) compact public parameters and key sizes that are independent of N and the secret key can decrypt a ciphertext for any a-priori unbounded N;
(2) short ciphertexts that grow with N and the size of $z_i$ but not $x_i$;
(3) simulation-based security against unbounded collusions;
(4) relies on the standard k-linear assumption in prime-order bilinear groups.

M. Abdalla—Supported by ERC Project aSCEND (H2020 639554) and the French FUI project ANBLIC.

J. Gong—Supported by NSFC-ISF Joint Scientific Research Program (61961146004) and the ERC Project aSCEND (H2020 639554). Part of this work was done while at ENS, Paris.

H. Wee—Supported in part by ERC Project aSCEND (H2020 639554).

You have full access to this open access chapter, Download conference paper PDF

(Compact) Adaptively Secure FE for Attribute-Weighted Sums from k-Lin

Compact FE for Unbounded Attribute-Weighted Sums for Logspace from SXDH

Constant-Size Ciphertext Attribute-Based Encryption from Multi-channel Broadcast Encryption

1 Introduction

In this work, we consider the problem of computing aggregate statistics on encrypted databases. Consider a database of N attribute-value pairs $(x_i,z_i)_{i=1,\ldots ,N}$, where $x_i$ is a public attribute of user i (e.g. demographic data), and $z_i$ is private sensitive data associated with user i (e.g. salary, medical condition, loans, college admissions outcome). Given a function f, we want to privately compute weighted sums over the $z_i$’s corresponding to

$$ \sum \nolimits _{{i=1}}^{N} {f(x_i) z_i}$$

We refer to this quantity as an attribute-weighted sum. An important special case is when f is a boolean predicate, so that the attribute-weighted sum

$$\begin{aligned} \sum \nolimits _{{i=1}}^{N} {f(x_i) z_i} = \sum \nolimits _{{i : f(x_i) = 1}} {z_i} \end{aligned}$$

(1)

corresponds to the average $z_i$ over all users whose attribute $x_i$ satisfies the predicate f. Concrete examples include average salaries of minority groups holding a particular job title ($z_i$ = salary) and approval ratings of an election candidate amongst specific demographic groups in a particular state ($z_i$ = rating). Similarly, if $z_i$ is boolean, then the attribute-weighted sum becomes $\sum _{i : z_i = 1} f(x_i)$. This could capture for instance the number of and average age of smokers with lung cancer ($z_i$ = lung cancer).

This work. We study functional encryption (FE) schemes for attribute-weighted sums [13, 24, 26, 36], for a more general setting where the attribute-value pairs and the output of f are vectors. That is, we would like to encrypt N attribute-value pairs $(\mathbf {x}_i,\mathbf {z}_i)_{i = 1,\ldots ,N}$ to produce a ciphertext $ \textsf {ct}$, and generate secret keys $ \textsf {sk}_f$ so that decrypting $ \textsf {ct}$ with $ \textsf {sk}_f$ returns the attribute-weighted sum $\sum _i f(\mathbf {x}_{i})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{i}$ while leaking no additional information about the individual $\mathbf {z}_i$’s. We want to support rich and expressive functions f, such as boolean formula and simple arithmetic computation. In addition, we want simulation-based security against collusions, so that an adversary holding secret keys for different functions learns nothing about the $\mathbf {z}_i$’s beyond the attribute-weighted sums for all of these functions.

In many databases, it is often the case that the size of each attribute-value pair $(\mathbf {x}_i,\mathbf {z}_i)$ is small and a-priori bounded, whereas the number of slots N is large and a-priori unbounded. This motivates the notion of an unbounded-slot FE scheme for attribute-weighted sums, where a secret key $ \textsf {sk}_f$ can decrypt encrypted databases with an arbitrary number of slots. Indeed, handling arbitrary-sized inputs is also the motivation behind studying ABE and FE schemes for DFA and NFA [7, 38]. In an unbounded-slot FE, key generation and the size of $ \textsf {sk}_f$ depends only on f and not N. This provides stronger flexibility than standard ABE and FE (even in the so-called unbounded setting [14, 19, 25, 32]), where each $ \textsf {sk}_f$ only works for a fixed N. In practice, this means that we can reuse the same set-up and secret keys across multiple databases without an a-priori upper bound on the database size N.

1.1 Our Results

We present an unbounded-slot functional encryption scheme for attribute-weighted sums for the class of functions f captured by arithmetic branching programs (ABP), a powerful model of computation that captures both boolean formula and branching programs with only a linear blow-up in size. Our construction achieves:

(1)
compact public parameters and key sizes that are independent of N;
(2)
short ciphertexts that grow with N and the size of $\mathbf {z}_i$ but not $\mathbf {x}_i$;
(3)
selective^{Footnote 1}, simulation-based security against unbounded collusions;
(4)
relies on the standard k-linear assumption in prime-order bilinear groups.

As with all prior FE schemes that rely on DDH and bilinear groups [1, 3, 6, 10, 17, 28, 29, 33], efficient decryption requires that the output of the computation $\sum _{i=1}^N f(\mathbf {x}_{i})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{i}$ lies in a polynomial-size domain. We also show how to extend our unbounded-slot scheme to a setting where the database is distributed across multiple clients that do not completely trust one another [18, 21], assuming some simple non-interactive MPC set-up amongst the clients that does not depend on the database and does not require interaction with the key authority.

Prior works. While we regard the unbounded-slot setting as the key conceptual and technical novelty of this work, we note that FE for attribute-weighted sums for $N=1$ already captures many functionalities considered in the literature, e.g.

(i)
FE for inner product [1, 6] where f outputs a fixed vector,
(ii)
attribute-based encryption (ABE) by taking z to be the payload,
(iii)
attribute-based inner-product FE [2, 17], where ciphertexts are associated with a public $\mathbf {x}$ and a private $\mathbf {z}$, and keys with a boolean formula g and a vector $\mathbf {y}$, and decryption returns $\mathbf {z}^{\!\scriptscriptstyle {\top }}\mathbf {y}$ iff $g(\mathbf {x})=1$, by taking $f(\mathbf {x}) := \mathbf {y}\cdot g(\mathbf {x})$, which can be computed using an ABP.

On the other hand, none of these three classes captures the special case of attribute-weighted sums in (1). We show a comparison in Fig. 1. The more recent works in [28, 29] do capture a larger class supporting quadratic instead of linear functions over $\mathbf {z}$,^{Footnote 2} but in a weaker secret-key setting with indistinguishability-based security, which is nonetheless sufficient for the application to obfuscation. As articulated [13], simulation-based security is the right notion for functional encryption applied to real-world data. Finally, none of these works consider the unbounded-slot setting.

1.2 Our Construction

We present a high-level overview of our unbounded-slot FE scheme for attribute-weighted sums. We start with a one-slot scheme that only handles $N=1$, and then “bootstrap” to the unbounded-slot setting. The main technical novelty of this work lies in the bootstrapping, which is what we would focus on in this section.

A one-slot scheme. In a one-slot FE scheme, we want to encrypt $(\mathbf {x},\mathbf {z})$ and generate secret keys $ \textsf {sk}_f$ for computing $f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}$, while leaking no additional information about $\mathbf {z}$. We adopt the framework of Wee’s [40] (which in turn builds on [27, 30, 37, 39]) that builds a FE scheme for a closely related functionality $f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}\,{\mathop {=}\limits ^{?}}\, 0$; the construction also achieves selective, simulation-based security under the k-Lin assumption in prime-order bilinear groups. We achieve a smaller ciphertext, and an algebraically more concise and precise description. Our simulator also embeds the output of the ideal functionality $f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}$ into the simulated $ \textsf {sk}_f$. This is in some sense inherent for two reasons: (i) the ciphertext has a fixed size and cannot accommodate an a-priori unbounded number of key queries [4], (ii) in the selective setting, we do not know f or $f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}$ while simulating the ciphertext.

The unbounded-slot scheme. A very natural approach is to use the one-slot scheme to compute

$$\begin{aligned} f(\mathbf {x}_i)^{\!\scriptscriptstyle {\top }}\mathbf {z}_i, i=1,2,\ldots ,N \end{aligned}$$

(2)

by providing N independent encryptions $ \textsf {ct}_{\mathbf {x}_i,\mathbf {z}_i}$ of $(\mathbf {x}_i,\mathbf {z}_i)$. The secret key is exactly that for the one-slot scheme and therefore independent of N, and decryption proceeds by decrypting each of the N one-slot ciphertexts, and then computing their sum. The only problem with this approach is that it is insecure since decryption leaks the intermediate summands.

To avoid this leakage, we would computationally mask the summands using DDH tuples, by using the one-slot scheme to compute

$$\begin{aligned}{}[f(\mathbf {x}_{i})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{i} + w_i r],\, i = 1,2,\ldots ,N \end{aligned}$$

(3)

where

the $w_i$’s are sampled during encryption subject to the constraint $\sum _{i=1}^N w_i = 0$;
r is fresh per secret key; and
$[\cdot ]$ denotes “in the exponent” of a bilinear group.

Multiplying the partial decryptions yields , and we need to perform a brute-force discrete log to recover the answer. Indeed, we can modify the one-slot scheme to support the functionality in (3), where the one-slot encryption takes as input $(\mathbf {x}_i,\mathbf {z}_i \Vert w_i)$ (where $w_i$ is also private) to produce a ciphertext $ \textsf {ct}_{\mathbf {x}_i,\mathbf {z}_i \Vert w_i}$, and with secret keys $ \textsf {sk}_{f,r}$ associated with (f, r). Henceforth, we describe the proof strategy for a single secret key query for simplicity, but everything we describe extends quite readily to an unbounded number of key queries.

The intuition is that the partial decryptions now yield

$$\begin{aligned} \begin{array}{clllllll} &{}(&{}\mathsf {Dec}( \textsf {sk}_{f,r}, \textsf {ct}_{\mathbf {x}_1,\mathbf {z}_1 \Vert w_1}),&{}\mathsf {Dec}( \textsf {sk}_{f,r}, \textsf {ct}_{\mathbf {x}_2,\mathbf {z}_2 \Vert w_2}),&{}\ldots ,&{}\mathsf {Dec}( \textsf {sk}_{f,r}, \textsf {ct}_{\mathbf {x}_N,\mathbf {z}_N \Vert w_N})&{})\\ =&{}(&{}[f(\mathbf {x}_{1})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{1} + w_1r],&{}[f(\mathbf {x}_{2})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{2} + w_2r],&{}\ldots ,&{}[f(\mathbf {x}_{N})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{N} + w_Nr]&{}),&{} \\ {\mathop {\approx _c}\limits ^{\textsc {DDH}}}&{}(&{}[f(\mathbf {x}_{1})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{1} + w'_{1}],&{}[f(\mathbf {x}_{2})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{2} + w'_{2}],&{}\ldots ,&{}[f(\mathbf {x}_{N})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{N} + w'_{N}]&{}),&{} \sum w'_{i} = 0\\ \approx _s&{}(&{}[\sum _if(\mathbf {x}_{i})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{i} + w'_{1}],&{}[w'_{2}],&{}\ldots ,&{}[w'_{N}]&{}),&{}\\ \end{array} \end{aligned}$$

As with the one-slot scheme, we need to embed these N partial descriptions into $ \textsf {sk}_{f,r}$ in the proof of security. Translating this intuition into a proof would then require embedding $\approx N$ units of statistical entropy into the simulated $ \textsf {sk}_{f,r}$ in the final game; this means that the size of $ \textsf {sk}_{f,r}$ would grow with N, which we want to avoid!

Instead, we will do a hybrid argument over the N slots, collecting “partial sums” $\sum _{i \le \eta } f(\mathbf {x}_{i})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{i}$ (with $1 \le \eta \le N$) as we go along, which we then embed into the simulated $ \textsf {sk}_{f,r}$. This proof strategy is in fact inspired by proof techniques introduced in the recent ABE for DFA from k-Lin [22], notably the idea of propagating entropy along the execution path of a DFA.

In particular, for $N=3$, partial decryption now yields

$$\begin{aligned} \begin{array}{clllllr} &{}(&{}\mathsf {Dec}( \textsf {sk}_{f,r}, \textsf {ct}_{\mathbf {x}_1,\mathbf {z}_1 \Vert w_1}),&{}\mathsf {Dec}( \textsf {sk}_{f,r}, \textsf {ct}_{\mathbf {x}_2,\mathbf {z}_2 \Vert w_2}),&{}\mathsf {Dec}( \textsf {sk}_{f,r}, \textsf {ct}_{\mathbf {x}_3,\mathbf {z}_3 \Vert w_3})&{}) &{} \,\\ =&{}(&{}[f(\mathbf {x}_{1})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{1} + w_1r],&{}[f(\mathbf {x}_{2})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{2} + w_2r],&{}[f(\mathbf {x}_{3})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{3} + w_3r]&{}) \\ {\mathop {\approx _c}\limits ^{\textsc {DDH}}}&{}(&{}[f(\mathbf {x}_{1})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{1} + f(\mathbf {x}_{2})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{2} + w_1r],&{}[w_2r],&{}[f(\mathbf {x}_{3})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{3} + w_3r]&{})\\ {\mathop {\approx _c}\limits ^{\textsc {DDH}}}&{}(&{}[f(\mathbf {x}_{1})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{1} + f(\mathbf {x}_{2})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{2} + f(\mathbf {x}_{3})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{3} + w_1r],&{}[w_2r],&{}[w_3r]&{}) \end{array} \end{aligned}$$

(4)

where the first ${\mathop {\approx _c}\limits ^{\textsc {DDH}}}$ uses pseudorandomness of $([w_2r],[r])$ and the second uses that of $([w_3r],[r])$.

Next, we need to design the ciphertext and key distributions for the unbounded-slot scheme so that partial decryption yields the quantities in (4). We begin by defining the final simulated ciphertext-key pair as follows:

$$\begin{aligned} ( \textsf {ct}^*_{\mathbf {x}_1}, \textsf {ct}_{\mathbf {x}_2,\mathbf {0} \Vert w_2},\ldots , \textsf {ct}_{\mathbf {x}_N,\mathbf {0} \Vert w_N}),\quad \textsf {sk}^*_{f,r} \end{aligned}$$

(5)

where

$( \textsf {ct}^*_{\mathbf {x}_1}, \textsf {sk}^*_{f,r})$ are obtained using the simulator for the one-slot scheme so that
$$\begin{aligned} \mathsf {Dec}( \textsf {sk}^*_{f,r}, \textsf {ct}^*_{\mathbf {x}_1}) = [w_1 r + \sum \nolimits _i f(\mathbf {x}_{i})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{i}] \end{aligned}$$
That is, we embed $[w_1 r + \sum _i f(\mathbf {x}_{i})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{i}]$ into the simulated $ \textsf {sk}^*_{f,r}$;
$ \textsf {ct}_{\mathbf {x}_i,\mathbf {0} \Vert w_i}, i > 1$ are generated as normal encryptions of $(\mathbf {x}_i,\mathbf {0} \Vert w_i)$ (instead of normal encryptions of $(\mathbf {x}_i,\mathbf {z}_i \Vert w_i)$) so that
$$\begin{aligned} \mathsf {Dec}( \textsf {sk}^*_{f,r}, \textsf {ct}_{\mathbf {x}_i,\mathbf {0} \Vert w_i}) = \mathsf {Dec}( \textsf {sk}_{f,r}, \textsf {ct}_{\mathbf {x}_i,\mathbf {0} \Vert w_i}) = [w_i r], i > 1 \end{aligned}$$
Here, we use fact that simulated secret keys behave like normal secret keys when used to decrypt normal ciphertexts.

This distribution can be computed given just $\sum _i f(\mathbf {x}_{i})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{i}$ and matches exactly what we need in the final game in (4).

Now, consider the following attempt to interpolate between the normal distributions and the simulated distributions for the case $N=2$:

$$\begin{aligned} \begin{array}{lllllll} &{}(&{} \textsf {ct}_{\mathbf {x}_1, \mathbf {z}_1 \Vert w_1}, &{} \textsf {ct}_{\mathbf {x}_2, \mathbf {z}_2 \Vert w_2}, &{} \textsf {sk}_{f,r} &{})\\ {\mathop {\approx _c}\limits ^{\textsc {}}}&{}(&{} \textsf {ct}^*_{\mathbf {x}_1}, &{} \textsf {ct}_{\mathbf {x}_2, \mathbf {z}_2 \Vert w_2}, &{} \textsf {sk}^*_{f,r} &{}), &{} \;\mathsf {Dec}( \textsf {sk}^*_{f,r}, \textsf {ct}^*_{\mathbf {x}_1}) = [f(\mathbf {x}_{1})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{1} + w_1 r]\\ {\mathop {\approx _c}\limits ^{\textsc {}}}&{}(&{} \textsf {ct}^*_{\mathbf {x}_1}, &{}\text{??? }, &{} \textsf {sk}^*_{f,r} &{}), &{} \\ {\mathop {\approx _c}\limits ^{\textsc {}}}&{}(&{} \textsf {ct}^*_{\mathbf {x}_1}, &{} \textsf {ct}_{\mathbf {x}_2, \mathbf {0}\Vert w_2}, &{} \textsf {sk}^*_{f,r} &{}), &{} \;\mathsf {Dec}( \textsf {sk}^*_{f,r}, \textsf {ct}^*_{\mathbf {x}_1}) = [f(\mathbf {x}_{1})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{1} + f(\mathbf {x}_{2})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{2} + w_1 r]\\ \end{array} \end{aligned}$$

where the first row is the real distribution, the last row is the simulated distribution in (5), and the first $\approx _c$ follows from simulation-based security of the one-slot scheme. A natural idea is to replace “???” with a simulated ciphertext $ \textsf {ct}^*_{\mathbf {x}_2}$ but this is problematic for two reasons: first, we cannot switch between a normal and simulated ciphertext in the presence of a simulated key, and second, the simulator can only generate a single simulated ciphertext.

Luckily, we can overcome both difficulties by modifying the unbounded-slot FE scheme to use two independent copies of the one-slot scheme as follows:

setup generates two one-slot master public-secret key pairs ;
to encrypt $(\mathbf {x}_i,\mathbf {z}_i)_{i=1,\ldots ,N}$, we generate w.r.t and the remaining w.r.t. ;
the secret key contains two one-slot secret keys $ \textsf {sk}_{f,r,1}, \textsf {sk}_{f,r,2}$ generated for (f, r) but using $ \textsf {msk}_1, \textsf {msk}_2$ respectively.

That would in fact be our final construction, where the asymmetry of encryption with respect to the first slot reflects the asymmetry of the simulated ciphertext in (5). Note that the first issue goes away because we can switch between a normal and simulated ciphertext w.r.t. in the presence of a simulated secret key w.r.t. ; the second goes away because the two simulated ciphertext correspond to and respectively. We defer the remaining details to the technical overview in Sect. 2 and the formal scheme in Sect. 7.

The multi-client setting. Now, consider a setting where the database $(\mathbf {x}_i,\mathbf {z}_i)_{i=1,\ldots ,N}$ are distributed across multiple clients that do not completely trust one another [18, 21]; in practice, the clients could correspond to hospitals holding medical records for different patients, or colleges holding admissions data. It suffices to just consider the setting with N clients where client i holds $(\mathbf {x}_i,\mathbf {z}_i)$. Note that to produce the ciphertext in our unbounded-slot FE scheme, it suffices for the N clients to each hold a random private $w_i$ (per database) subject to the constraint $\sum w_i = 0$, which is simple to generate via a non-interactive MPC protocol where each client sends out additive shares of 0 [11]. Moreover, generating the $w_i$’s can take place in an offline, pre-processing phase before knowing the database, and does not require interacting with the key generation authority. Moreover, our unbounded-slot FE scheme also achieves a meaningful notion of security, namely that if some subset S of clients collude and additionally learn some $ \textsf {sk}_f$, they will not learn anything about the remaining $\mathbf {z}_i$’s apart from $\sum _{i \notin S} f(\mathbf {x}_{i})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{i}$ (that is, the attribute-weighted sum as applied to the honest clients’ inputs); security is simulation-based and also extends to the many-key setting. In order to achieve this, we require a slight modification to the scheme to break the asymmetry with respect to the first slot: to encrypt $(\mathbf {x}_i,\mathbf {z}_i)$, client i samples random $\mathbf {z}'_i,w'_i$ and publishes a one-slot encryption of $(\mathbf {x}_i,\mathbf {z}'_i\Vert w'_i)$ under and another of $(\mathbf {x}_i,\mathbf {z}-\mathbf {z}'_i\Vert w_i-w'_i)$ under . This readily gives us a multi-client unbounded-slot FE for attribute-weighted sums; we refer the reader to full paper for more details of the definition, construction and proof.

1.3 Discussion

Additional related works. As noted earlier in the introduction, our unbounded-slot notion is closely related to uniform models of computation with unbounded input lengths, such as ABE and FE for DFA and NFA [7, 8, 22, 38]. At a very high level, our construction may be viewed as following the paradigm in [7, 8] for building ABE/FE for uniform models of computation by “stitching” together ABE/FE for the smaller step functions; in our setting, the linear relation between the step functions and the overall computation makes “stitching” much simpler. The way we use two copies of the one-slot scheme is also analogous to the “two-slot, interweaving dual system encryption” argument used in the previous ABE for DFA from k-Lin in [22], except our implementation is simpler and more modular.

On selective vs adaptive security. We believe that selective, simulation-based security already constitutes a meaningful notion of security for many of the applications we have in mind. For instance, in medical studies, medical records and patient conditions (the $\mathbf {x}_i,\mathbf {z}_i$’s) will not depend –not in the short run, at least– adaptively on the correlations (the functions f’s) that researchers would like to investigate. Nonetheless, we do agree that extending our results to achieve adaptive security is an important research direction. Concretely,

Can we show that the one-slot scheme achieves simulation-based, adaptive security in the generic group model, as has been shown for a large class of selectively secure ABEs [9]?
Can we construct an adaptively secure unbounded-slot FE for arithmetic branching programs with compact ciphertexts without the one-use restriction from k-Lin? We conjecture that our transformation from one-slot to unbounded-slot preserves adaptive security. Solving the one-slot problem would require first adapting the techniques for adaptive simulation-based security in [5, 19], and more recent advances in [31] to avoid the one-use restriction.

Open problems. We conclude with two other open problems. One is whether we can construct (one-slot) FE for attribute-weighted sums from LWE, simultaneously generalizing prior ABE and IPFE schemes from LWE [6, 12, 23]; an affirmative solution would likely also avoid the polynomial-size domain limitation. Another is to achieve stronger notions of security for the multi-client setting where the $w_i$’s could be reused across multiple databases.

Organization. We provide a more detailed technical overview in Sect. 2. We present preliminaries, definitions and tools in Sects. 3 and 4. We present our one-slot scheme and an extension in Sects. 5 and 6, and the unbounded-slot scheme in Sect. 7.

2 Technical Overview

We proceed with a more technical overview of our construction, building on the overview given in Sect. 1.2, and giving more details on the one-slot scheme. We summarize the parameters of the one-slot and unbounded-slot scheme in Fig. 2.

2.1 One-Slot Scheme

Notation. We will make extensive use of tensor products. For instance, we will write the linear function $x_1 \mathbf {U}_1 + x_2 \mathbf {U}_2$ as

$$ (\mathbf {U}_1 \Vert \mathbf {U}_2)\begin{pmatrix} x_1 \mathbf {I}\\ x_2 \mathbf {I}\end{pmatrix} = (\mathbf {U}_1 \Vert \mathbf {U}_2) \left( \begin{pmatrix} x_1 \\ x_2\end{pmatrix} \otimes \mathbf {I}\right) $$

This allows us to concisely and precisely capture “compilers” where we substitute scalars with matrices, as well as the underlying linear relations, which may refer to left or right multiplication, and act on scalars or matrices.

Partial garbling. Recall the starting point for ABE for ABP as an “arithmetic secret-sharing scheme” that on input an ABP $f : \mathbb {Z}_p^n \rightarrow \mathbb {Z}_p$ and a secret $z \in \mathbb {Z}_p$, outputs m affine functions $\ell _1,\ldots ,\ell _m : \mathbb {Z}_p^n \rightarrow \mathbb {Z}_p$ such that for all $\mathbf {x}\in \mathbb {Z}_p^n$:

(correctness) given $\ell _1(\mathbf {x}),\ldots ,\ell _m(\mathbf {x})$ along with $f,\mathbf {x}$, we can recover z if $f(\mathbf {x}) \ne 0$.
(privacy) given $\ell _1(\mathbf {x}),\ldots ,\ell _m(\mathbf {x})$ along with $f,\mathbf {x}$, we learn nothing about z if $f(\mathbf {x}) = 0$.

In particular, the coefficients of the functions $\ell _1,\ldots ,\ell _m$ depends linearly on the randomness used in secret sharing.

Partial garbling generalizes the above as follows: on input an ABP $f : \mathbb {Z}_p^n \rightarrow \mathbb {Z}^{n'}_p$, outputs $m + 1$ affine functions $\ell _0,\ell _1,\ldots ,\ell _m$ such that for all $\mathbf {x}\in \mathbb {Z}_p^n, \mathbf {z}\in \mathbb {Z}_p^{n'}$:

(correctness) given $\ell _0(\mathbf {z}),\ell _1(\mathbf {x}),\ldots ,\ell _m(\mathbf {x})$ along with $f,\mathbf {x}$, we can recover $f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}$.
(privacy) given $\ell _0(\mathbf {z}),\ell _1(\mathbf {x}),\ldots ,\ell _m(\mathbf {x})$ along with $f,\mathbf {x}$, we learn nothing about $\mathbf {z}$ apart from $f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}$.

Henceforth, we will use $\mathbf {t}^{\!\scriptscriptstyle {\top }}(\mathbf {L}_1 (\mathbf {x}\,\otimes \,\mathbf {I}_m) + \mathbf {L}_0) \in \mathbb {Z}_p^m$ to denote the m linear functions $\ell _1(\mathbf {x}),\ldots ,\ell _m(\mathbf {x})$,^{Footnote 3} where $\mathbf {t}\leftarrow \mathbb {Z}_p^{m + n' - 1}$ corresponds to the randomness used in the secret sharing; $\mathbf {L}_1 \in \mathbb {Z}_p^{(m + n' - 1) \times mn},\mathbf {L}_0 \in \mathbb {Z}_p^{(m + n' - 1) \times m}$ depends only on the function f, and m is linear in the size of the ABP f.

Basic scheme. We rely on an asymmetric bilinear group $(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e)$ of prime order p where $e: \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T$. We use $[\cdot ]_1,[\cdot ]_2,[\cdot ]_T$ to denote component-wise exponentiations in respective groups $\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T$ [20]. Our starting point is the following scheme^{Footnote 4}:

(6)

where

$$\mathbf {w}\leftarrow \mathbb {Z}_p^{n'}, \mathbf {u}\leftarrow \mathbb {Z}_p^n, v \leftarrow \mathbb {Z}_p, \mathbf {t}\leftarrow \mathbb {Z}_p^{m + n' - 1}, \mathbf {r}\leftarrow \mathbb {Z}_p^m$$

Decryption uses the fact that

$$\begin{aligned} \begin{array}{l} \mathbf {t}^{\!\scriptscriptstyle {\top }}(\mathbf {L}_1(\mathbf {x}\otimes \mathbf {I}_m)+\mathbf {L}_0) = \\ (\mathbf {t}^{\!\scriptscriptstyle {\top }}\mathbf {L}_1 + \mathbf {u}^{\!\scriptscriptstyle {\top }}(\mathbf {I}_n\otimes \mathbf {r}^{\!\scriptscriptstyle {\top }})) \cdot (\mathbf {x}\otimes \mathbf {I}_m) + (\mathbf {t}^{\!\scriptscriptstyle {\top }}\mathbf {L}_0 + v\mathbf {r}^{\!\scriptscriptstyle {\top }}) - (\mathbf {u}^{\!\scriptscriptstyle {\top }}\mathbf {x}+ v) \cdot \mathbf {r}^{\!\scriptscriptstyle {\top }}\end{array} \end{aligned}$$

(7)

which in turn uses $(\mathbf {I}_n \otimes \mathbf {r}^{\!\scriptscriptstyle {\top }}) \cdot (\mathbf {x}\otimes \mathbf {I}_m) = \mathbf {x}\cdot \mathbf {r}^{\!\scriptscriptstyle {\top }}$. Using the pairing and the above relation, we can recover

$$[\mathbf {z}- s \underline{\mathbf {t}}]_T, [s \mathbf {t}^{\!\scriptscriptstyle {\top }}(\mathbf {L}_1(\mathbf {x}\otimes \mathbf {I}_m)+\mathbf {L}_0)]_T$$

We can then apply reconstruction “in the exponent” to recover $[f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}]_T$ and thus $f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}$ via brute-force DLOG.

Security in the secret-key setting. The scheme as written already achieves simulation-based selective security in the secret-key, many-key setting (that is, against an adversary that does not see ); this holds under the DDH assumption in $\mathbb {G}_2$. We sketch how we can simulate $( \textsf {ct}_{\mathbf {x},\mathbf {z}}, \textsf {sk}_f)$ given $\mathbf {x},f,f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}$; the proof extends readily to the many-key setting. The idea is to program

$$\tilde{\mathbf {w}} = \mathbf {z}+ s \mathbf {w},\;\tilde{v} = s(\mathbf {u}^{\!\scriptscriptstyle {\top }}\mathbf {x}+ v)$$

In addition, using (7), we can rewrite $( \textsf {ct}_{\mathbf {x},\mathbf {z}}, \textsf {sk}_f)$ as

$$\begin{aligned} \textsf {ct}_{\mathbf {x},\mathbf {z}}= & {} \big (\, [s]_1,\,[\tilde{\mathbf {w}}]_1,\, [\tilde{v}]_1\,\big ) \in \mathbb {G}_1^{n'+2} \nonumber \\ \textsf {sk}_f= & {} \big (\, [\underline{\mathbf {t}}+ s^{-1}(\tilde{\mathbf {w}}-\mathbf {z})]_2,\, [\hat{\mathbf {u}}^{\!\scriptscriptstyle {\top }}]_2,\, [\mathbf {t}^{\!\scriptscriptstyle {\top }}(\mathbf {L}_1(\mathbf {x}\otimes \mathbf {I}_m) + \mathbf {L}_0) - \hat{\mathbf {u}}^{\!\scriptscriptstyle {\top }}\cdot (\mathbf {x}\otimes \mathbf {I}_m) + s^{-1}\tilde{v}\mathbf {r}^{\!\scriptscriptstyle {\top }}]_2,\, [\mathbf {r}]_2\,\big ) \end{aligned}$$

where $\hat{\mathbf {u}}^{\!\scriptscriptstyle {\top }}:= \mathbf {t}^{\!\scriptscriptstyle {\top }}\mathbf {L}_1 + \mathbf {u}^{\!\scriptscriptstyle {\top }}(\mathbf {I}_n\otimes \mathbf {r}^{\!\scriptscriptstyle {\top }})$. Under the DDH assumption in $\mathbb {G}_2$, we know that^{Footnote 5}

$$[\mathbf {u}^{\!\scriptscriptstyle {\top }}(\mathbf {I}_n \otimes \mathbf {r}^{\!\scriptscriptstyle {\top }})]_2, [\mathbf {r}^{\!\scriptscriptstyle {\top }}]_2, \mathbf {u}\leftarrow \mathbb {Z}_p^n, \mathbf {r}\leftarrow \mathbb {Z}_p^m$$

is pseudorandom, which means that $[\hat{\mathbf {u}}^{\!\scriptscriptstyle {\top }}]_2, [\mathbf {r}^{\!\scriptscriptstyle {\top }}]_2$ is pseudorandom.

We can therefore simulate $( \textsf {ct}_{\mathbf {x},\mathbf {z}}, \textsf {sk}_f)$ as follows: on input $\mu = f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}$,

1.
run the simulator for partial garbling on input $f,\mathbf {x},\mu $ to obtain $(\mathbf {p}_1^{\!\scriptscriptstyle {\top }},\mathbf {p}_2^{\!\scriptscriptstyle {\top }})$;
2.
sample $s \leftarrow \mathbb {Z}_p, \tilde{\mathbf {w}} \leftarrow \mathbb {Z}_p^{n'}, \tilde{v} \leftarrow \mathbb {Z}_p, \hat{\mathbf {u}} \leftarrow \mathbb {Z}_p^{mn}$;
3.
output
$$\begin{aligned} \textsf {ct}_{\mathbf {x},\mathbf {z}}= & {} \big (\, [s]_1,\,[\tilde{\mathbf {w}}]_1,\, [\tilde{v}]_1\,\big ) \in \mathbb {G}_1^{n'+2} \nonumber \\ \textsf {sk}_f= & {} \big (\, [-\mathbf {p}_1 + s^{-1}\tilde{\mathbf {w}}]_2,\, [\hat{\mathbf {u}}^{\!\scriptscriptstyle {\top }}]_2,\, [\mathbf {p}_2^{\!\scriptscriptstyle {\top }}- \hat{\mathbf {u}}^{\!\scriptscriptstyle {\top }}\cdot (\mathbf {x}\otimes \mathbf {I}_m) + s^{-1}\tilde{v}\mathbf {r}^{\!\scriptscriptstyle {\top }}]_2,\, [\mathbf {r}]_2\,\big ) \end{aligned}$$

Looking ahead, we note that the above analysis extends to the k-Lin assumption, at the cost of blowing up the width of $\mathbf {u},v,\mathbf {r}^{\!\scriptscriptstyle {\top }}$ by a factor of k. In the analysis, we use the fact that under k-Lin over $\mathbb {G}_2$, $([\mathbf {u}^{\!\scriptscriptstyle {\top }}(\mathbf {I}_n \otimes \mathbf {R})]_2,[\mathbf {R}]_2)$ is pseudorandom where $\mathbf {u}\leftarrow \mathbb {Z}_p^{kn}, \mathbf {R}\leftarrow \mathbb {Z}_p^{k \times m}$.

The compiler. To obtain a public-key scheme secure under the k-Lin assumption, we perform the following substitutions to (6), following [15, 40]:

$$ s \mapsto \mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\in \mathbb {Z}_p^{1\times (k+1)},\,\mathbf {r}^{\!\scriptscriptstyle {\top }}\mapsto \mathbf {R}\in \mathbb {Z}_p^{k \times m},\,\mathbf {t}^{\!\scriptscriptstyle {\top }}\mapsto \mathbf {T}\in \mathbb {Z}_p^{(k+1) \times (m + n' - 1)} $$

$$ \mathbf {w}^{\!\scriptscriptstyle {\top }}\mapsto \mathbf {W}\in \mathbb {Z}_p^{(k+1) \times n'},\, \mathbf {u}^{\!\scriptscriptstyle {\top }}\mapsto \mathbf {U}\in \mathbb {Z}_p^{(k+1) \times kn},\,v \mapsto \mathbf {V}\in \mathbb {Z}_p^{(k+1) \times k} $$

That is, we blow up the height of $\mathbf {w}^{\!\scriptscriptstyle {\top }},\mathbf {u}^{\!\scriptscriptstyle {\top }},v,\mathbf {t}^{\!\scriptscriptstyle {\top }}$ by a factor of $k+1$, and the width of $\mathbf {u}^{\!\scriptscriptstyle {\top }},v,\mathbf {r}$ by a factor of k. The proof of security follows the high-level strategy in [40]:

We first switch $[\mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}]_1$ in the ciphertext with a random $[\mathbf {c}^{\!\scriptscriptstyle {\top }}]_1$.
We decompose $ \textsf {sk}_f$ into two parts, $\mathbf {A}^{\!\scriptscriptstyle {\top }} \textsf {sk}_f, \mathbf {c}^{\!\scriptscriptstyle {\top }} \textsf {sk}_f$, corresponding to component-wise multiplication by $\mathbf {A}^{\!\scriptscriptstyle {\top }},\mathbf {c}^{\!\scriptscriptstyle {\top }}$ respectively, using the fact that $(\mathbf {A}| \mathbf {c})$ forms a full-rank basis.
We simulate $\mathbf {A}^{\!\scriptscriptstyle {\top }} \textsf {sk}_f$ using , and simulate the ciphertext and $\mathbf {c}^{\!\scriptscriptstyle {\top }} \textsf {sk}_f$ as in the secret-key setting we just described.

We refer the reader to Sect. 6 to see how the construction can be extended to handle the “extended” functionality in (3); an overview is given at the beginning of that section.

2.2 Unbounded-Slot Scheme

We refer the reader to Sect. 1.2 for a high-level overview of the unbounded-slot scheme, and proceed directly to describe the construction and the security proof.

The construction. We run two copies of the one-slot scheme, which we denote by for $b=1,2$. We denote the corresponding simulators by $(\mathsf {Enc}^*_b,\mathsf {KeyGen}^*_b)$. Informally, we have

$$(\mathsf {Enc}_b(\mathbf {x},\mathbf {z}\Vert w),\mathsf {KeyGen}_b(f,[r]_2)) \approx _c (\mathsf {Enc}^*_b(\mathbf {x}),\mathsf {KeyGen}^*_b((f,[r]_2),[f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}+ wr]_2))$$

Then, $\mathsf {Enc},\mathsf {KeyGen}$ in the unbounded-slot scheme are given by

$$\begin{aligned} \mathsf {Enc}((\mathbf {x}_i, \mathbf {z}_i )_i)= & {} \textstyle \mathsf {Enc}_1(\mathbf {x}_1,\mathbf {z}_1 \Vert - \sum _{i\in [2,N]} w_i),\, \mathsf {Enc}_2(\mathbf {x}_2,\mathbf {z}_2 \Vert w_2), \cdots , \mathsf {Enc}_2(\mathbf {x}_N,\mathbf {z}_N \Vert w_N)\\ \mathsf {KeyGen}(f)= & {} \mathsf {KeyGen}_1(f,[r]_2),\mathsf {KeyGen}_2(f,[r]_2),[r]_2 \end{aligned}$$

The final simulator is given by:

$$\begin{aligned} \mathsf {Enc}^*((\mathbf {x}_i)_i)= & {} \mathsf {Enc}^*_1(\mathbf {x}_1),\,\mathsf {Enc}_2(\mathbf {x}_2,\mathbf {0}\Vert w_2), \cdots , \mathsf {Enc}_2(\mathbf {x}_N,\mathbf {0}\Vert w_N)\\ \mathsf {KeyGen}^*(f,\mu )= & {} \textstyle \mathsf {KeyGen}_1^*((f,[r]_2),[\mu -\sum _{i\in [2,N]} w_i r]_2),\mathsf {KeyGen}_2(f,[r]_2) \end{aligned}$$

As a sanity check, observe that decrypting $\mathsf {Enc}^*((\mathbf {x}_i)_i)$ using $\mathsf {KeyGen}^*(f,\sum _i f(\mathbf {x}_{i})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{i})$ returns $\sum _i f(\mathbf {x}_{i})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{i}$.

Proof overview. For simplicity, we focus on the setting $N=3$ with one secret key query in Fig. 3 where in ${\mathop {\approx _c}\limits ^{\textsc {DDH}}}$, we use pseudorandomness of $([w_1r]_2,[r]_2)$ and $([w_2r]_2,[r]_2)$ respectively; in ${\mathop {\approx _c}\limits ^{\textsc {SIM-1}}}$ and ${\mathop {\approx _c}\limits ^{\textsc {SIM-2}}}$, we use simulation-based semi-adaptive security of $(\mathsf {Enc}_1,\mathsf {KeyGen}_1)$ and $(\mathsf {Enc}_2,\mathsf {KeyGen}_2)$, respectively.

In the setting for general N and Q secret key queries,

we will invoke simulation-based security of once, and that of for $2(N-1)$ times, while using the fact that both of these schemes are also secure against Q secret key queries;
in ${\mathop {\approx _c}\limits ^{\textsc {DDH}}}$, we will rely on pseudorandomness of $\{ [w_i r_j]_2, [r_j]_2) \}_{j \in [Q]}$ for $i \in [2,N]$.

3 Preliminaries

Notations. We denote by $s \leftarrow S$ the fact that s is picked uniformly at random from a finite set S. We use $\approx _s$ to denote two distributions being statistically indistinguishable, and $\approx _c$ to denote two distributions being computationally indistinguishable. We use lower case boldface to denote column vectors and upper case boldcase to denote matrices. We use $\mathbf {e}_i$ to denote the i’th elementary column vector (with 1 at the i’th position and 0 elsewhere, and the total length of the vector specified by the context). For any positive integer N, we use [N] to denote $\{1,2,\ldots ,N\}$ and [2, N] to denote $\{2,\ldots ,N\}$.

The tensor product (Kronecker product) for matrices $\mathbf {A}= (a_{i,j}) \in \mathbb {Z}^{\ell \times m}$, $\mathbf {B}\in \mathbb {Z}^{n\times p}$ is defined as

$$\begin{aligned} \mathbf {A}\otimes \mathbf {B}= \begin{bmatrix} a_{1,1} \mathbf {B}, &{} \ldots , &{} a_{1,m} \mathbf {B}\\ \ldots , &{} \ldots , &{} \ldots \\ a_{\ell ,1} \mathbf {B}, &{} \ldots , &{} a_{\ell ,m} \mathbf {B}\end{bmatrix}\in \mathbb {Z}^{\ell n\times mp}. \end{aligned}$$

(8)

Arithmetic Branching Programs. A branching program is defined by a directed acyclic graph (V, E), two special vertices $v_0, v_1 \in V$ and a labeling function $\phi $. An arithmetic branching program (ABP), where p is a prime, computes a function $f : \mathbb {Z}^n_p \rightarrow \mathbb {Z}_p$. Here, $\phi $ assigns to each edge in E an affine function in some input variable or a constant, and f(x) is the sum over all $v_0-v_1$ paths of the product of all the values along the path. We refer to $|V|+|E|$ as the size of f. The definition extends in a coordinate-wise manner to functions $f : \mathbb {Z}_p^n \rightarrow \mathbb {Z}_p^{n'}$. Henceforth, we use $\mathcal {F}_{\mathsf {ABP},n,n'}$ to denote the class of ABP $f : \mathbb {Z}_p^n \rightarrow \mathbb {Z}_p^{n'}$.

We note that there is a linear-time algorithm that converts any boolean formula, boolean branching program or arithmetic formula to an arithmetic branching program with a constant blow-up in the representation size. Thus, ABPs can be viewed as a stronger computational model than all of the above. Recall also that branching programs and boolean formulas correspond to the complexity classes LOGSPACE and NC1 respectively.

3.1 Prime-Order Bilinear Groups

A generator $\mathcal {G}$ takes as input a security parameter $1^\lambda $ and outputs a description $\mathbb {G}:= (p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e)$, where p is a prime of $\varTheta (\lambda )$ bits, $\mathbb {G}_1$, $\mathbb {G}_2$ and $\mathbb {G}_T$ are cyclic groups of order p, and $e : \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T$ is a non-degenerate bilinear map. We require that the group operations in $\mathbb {G}_1$, $\mathbb {G}_2$, $\mathbb {G}_T$ and the bilinear map e are computable in deterministic polynomial time in $\lambda $. Let $g_1 \in \mathbb {G}_1$, $g_2 \in \mathbb {G}_2$ and $g_T = e(g_1,g_2) \in \mathbb {G}_T$ be the respective generators. We employ the implicit representation of group elements: for a matrix $\mathbf {M}$ over $\mathbb {Z}_p$, we define $[\mathbf {M}]_1:=g_1^{\mathbf {M}},[\mathbf {M}]_2:=g_2^{\mathbf {M}},[\mathbf {M}]_T:=g_T^{\mathbf {M}}$, where exponentiation is carried out component-wise. Also, given $[\mathbf {A}]_1,[\mathbf {B}]_2$, we let $e([\mathbf {A}]_1,[\mathbf {B}]_2) = [\mathbf {A}\mathbf {B}]_T$. We recall the matrix Diffie-Hellman (MDDH) assumption on $\mathbb {G}_1$ [20]:

Assumption 1

($\mathrm {MDDH}^{d}_{k,\ell }$ Assumption). Let $k,\ell ,d \in \mathbb {N}$. We say that the $\mathrm {MDDH}^{d}_{k,\ell }$ assumption holds if for all PPT adversaries $\mathcal {A}$, the following advantage function is negligible in $\lambda $.

where $\mathbb {G}:= (p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e) \leftarrow \mathcal {G}(1^\lambda )$, $\mathbf {M}\leftarrow \mathbb {Z}_p^{\ell \times k}$, $\mathbf {S}\leftarrow \mathbb {Z}_p^{k \times d}$ and $\mathbf {U}\leftarrow \mathbb {Z}_p^{\ell \times d}$.

The MDDH assumption on $\mathbb {G}_2$ can be defined in an analogous way. Escala et al. [20] showed that

$$ k\text{-Lin } \Rightarrow \mathrm {MDDH}_{k,k+1}^1 \Rightarrow \mathrm {MDDH}_{k,\ell }^d\; \forall \; k, d \ge 1,\ell > k$$

with a tight security reduction. (In the setting where $\ell \le k$, the $\mathrm {MDDH}_{k,\ell }^d$ assumption holds unconditionally.)

We state the following lemma implied by $\mathrm {MDDH}^{1}_{k,Q}$ without proof.

Lemma 1

For all $Q\in \mathbb {N}$ and $\mu _1,\ldots ,\mu _Q \in \mathbb {Z}_p$, we have

where $\mathbf {w},\mathbf {r}_j \leftarrow \mathbb {Z}_p^k$ for all $j\in [Q]$. Concretely, the distinguishing advantage is bounded by $2\cdot \mathsf {Adv}^{\mathrm {MDDH}^{1}_{k,Q}}_{\mathcal {B}}(\lambda )$.

4 Definitions and Tools

In this section, we formalize functional encryption for attribute-weighted sums, using the framework of partially-hiding functional encryption [13, 24, 40].

4.1 FE for Attribute-Weighted Sums

Syntax. An unbounded-slot FE for attribute-weighted sums consists of four algorithms:

$\mathsf {Setup}(1^\lambda ,1^{n},1^{n'}):$ The setup algorithm gets as input the security parameter $1^\lambda $ and function parameters $1^{n},1^{n'}$. It outputs the master public key and the master secret key $ \textsf {msk}$.
The encryption algorithm gets as input and message $(\mathbf {x}_i,\mathbf {z}_i)_{i\in [N]} \in (\mathbb {Z}_p^{n}\times \mathbb {Z}_p^{n'})^\star $. It outputs a ciphertext $ \textsf {ct}_{(\mathbf {x}_i,\mathbf {z}_i)}$ with $(\mathbf {x}_i)$ being public.
$\mathsf {KeyGen}( \textsf {msk},f):$ The key generation algorithm gets as input $ \textsf {msk}$ and a function $f \in \mathcal {F}_{\mathsf {ABP},n,n'}$. It outputs a secret key $ \textsf {sk}_f$ with f being public.
$\mathsf {Dec}(( \textsf {sk}_f,f),( \textsf {ct}_{(\mathbf {x}_i,\mathbf {z}_i)},(\mathbf {x}_i)_{i\in [N]})):$ The decryption algorithm gets as input $ \textsf {sk}_f$ and $ \textsf {ct}_{(\mathbf {x}_i,\mathbf {z}_i)}$ along with f and $(\mathbf {x}_i)_{i\in [N]}$. It outputs a value in $\mathbb {Z}_p$.

Correctness. For all $(\mathbf {x}_i,\mathbf {z}_i)_{i\in [N]} \in (\mathbb {Z}_p^{n}\times \mathbb {Z}_p^{n'})^\star $ and $f \in \mathcal {F}_{\mathsf {ABP},n,n'}$, we require

where , $ \textsf {sk}_f \leftarrow \mathsf {KeyGen}( \textsf {msk},f)$ and .

Remark 1 (Relaxation of correctness.)

Our scheme only achieves a relaxation of correctness where the decryption algorithm takes an additional bound $1^B$ (and runs in time polynomial in B) and outputs $\sum _{i\in [N]}f(\mathbf {x}_{i})^{\!\scriptscriptstyle {\top }}\mathbf {z}_{i}$ if the value is bounded by B. This limitation is also present in prior works on (IP)FE from DDH and bilinear groups [1, 3, 6, 10, 33], due to the reliance on brute-force discrete log to recover the answer “from the exponent”. We stress that the relaxation only refers to functionality and does not affect security.

Security definition. We consider semi-adaptive [16] (strengthening of selective), simulation-based security, which stipulates that there exists a randomized simulator $(\mathsf {Setup}^*,\mathsf {Enc}^*,$ $\mathsf {KeyGen}^*)$ such that for every efficient stateful adversary $\mathcal {A}$,

such that whenever $\mathcal {A}$ makes a query f to $\mathsf {KeyGen}$, the simulator $\mathsf {KeyGen}^*$ gets f along with $\sum _{i\in [N]}f(\mathbf {x}_i^*)^{\!\scriptscriptstyle {\top }}\mathbf {z}_i^*$. We use $\mathsf {Adv}^{\text {FE}}_{\mathcal {A}}(\lambda )$ to denote the advantage in distinguishing the real and ideal games.

One-slot scheme. A one-slot scheme is the same thing, except we always have $N=1$ for both correctness and security.

4.2 Partial Garbling Scheme

The partial garbling scheme [27, 40] for $f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}$ with $f \in \mathcal {F}_{\mathsf {ABP},n,n'}$ is a randomized algorithm that on input f outputs an affine function in $\mathbf {x},\mathbf {z}$ of the form:

$$\begin{aligned} \mathbf {p}^{\!\scriptscriptstyle {\top }}_{f,\mathbf {x},\mathbf {z}} = \big (\,\mathbf {z}^{\!\scriptscriptstyle {\top }}- \underline{\mathbf {t}}^{\!\scriptscriptstyle {\top }},\mathbf {t}^{\!\scriptscriptstyle {\top }}(\mathbf {L}_1(\mathbf {x}\otimes \mathbf {I}_m) + \mathbf {L}_0)\,\big ) \end{aligned}$$

where $\mathbf {L}_0 \in \mathbb {Z}_p^{(m + n' - 1) \times mn},\mathbf {L}_1 \in \mathbb {Z}_p^{(m + n' - 1) \times m}$ depends only on f; $\mathbf {t}\leftarrow \mathbb {Z}_p^{m + n' - 1}$ is the random coin and $\underline{\mathbf {t}}$ consists of the last $n'$ entries in $\mathbf {t}$, such that given $(\mathbf {p}^{\!\scriptscriptstyle {\top }}_{f,\mathbf {x},\mathbf {z}}, f, \mathbf {x})$, we can recover $f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}$, while learning nothing else about $\mathbf {z}$.

Lemma 2

(partial garbling [27, 40]). There exists four efficient algorithms $(\mathsf {lgen},\mathsf {pgb},$ $\mathsf {rec},\mathsf {pgb}^*)$ with the following properties:

syntax: on input $f \in \mathcal {F}_{\mathsf {ABP},n,n'}$, $\mathsf {lgen}(f)$ outputs $\mathbf {L}_0 \in \mathbb {Z}_p^{(m + n' - 1) \times mn},\mathbf {L}_1 \in \mathbb {Z}_p^{(m + n' - 1) \times m}$, and
$$\begin{aligned} \begin{array}{rclrl} \mathsf {pgb}(f,\mathbf {x},\mathbf {z};\mathbf {t}) &{}=&{} \big (\,&{} \mathbf {z}^{\!\scriptscriptstyle {\top }}- \underline{\mathbf {t}}^{\!\scriptscriptstyle {\top }},&{} \mathbf {t}^{\!\scriptscriptstyle {\top }}(\mathbf {L}_1(\mathbf {x}\otimes \mathbf {I}_m) + \mathbf {L}_0)\,\big )\\ \mathsf {pgb}^*(f,\mathbf {x},\mu ;\mathbf {t}) &{}=&{} \big (\,&{} - \underline{\mathbf {t}}^{\!\scriptscriptstyle {\top }}, &{}\mathbf {t}^{\!\scriptscriptstyle {\top }}(\mathbf {L}_1(\mathbf {x}\otimes \mathbf {I}_m) + \mathbf {L}_0) + \mu \cdot \mathbf {e}_1^{\!\scriptscriptstyle {\top }}\,\big ) \end{array} \end{aligned}$$
where $\mathbf {t}\in \mathbb {Z}_p^{m + n' - 1}$ and $\underline{\mathbf {t}}$ consists of the last $n'$ entries in $\mathbf {t}$ and m are linear in the size of f.
reconstruction: $\mathsf {rec}(f,\mathbf {x})$ outputs $\mathbf {d}_{f,\mathbf {x}}\in \mathbb {Z}_p^{n'+ m}$ such that for all $f,\mathbf {x},\mathbf {z},\mathbf {t}$, we have $ \mathbf {p}_{f,\mathbf {x},\mathbf {z}}^{\!\scriptscriptstyle {\top }}\mathbf {d}_{f,\mathbf {x}} = f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}$ where $\mathbf {p}_{f,\mathbf {x},\mathbf {z}}^{\!\scriptscriptstyle {\top }}= \mathsf {pgb}(f,\mathbf {x},\mathbf {z}; \mathbf {t})$.
privacy: for all $f,\mathbf {x},\mathbf {z}$, $\mathsf {pgb}(f,\mathbf {x},\mathbf {z};\mathbf {t}) \approx _s \mathsf {pgb}^*(f,\mathbf {x},f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z};\mathbf {t})$ where the randomness is over $\mathbf {t}\leftarrow \mathbb {Z}_p^{m + n' - 1}$.

Extension. We will also rely on an extra property of the above construction to handle shifts by $\delta \in \mathbb {Z}_p$, namely that, given

$$\begin{aligned} \mathbf {p}^{\!\scriptscriptstyle {\top }}_{f,\mathbf {x},\mathbf {z},{\boxed {\delta }}} = \big (\,\mathbf {z}^{\!\scriptscriptstyle {\top }}- \underline{\mathbf {t}}^{\!\scriptscriptstyle {\top }},\mathbf {t}^{\!\scriptscriptstyle {\top }}(\mathbf {L}_1(\mathbf {x}\otimes \mathbf {I}_m) + \mathbf {L}_0)+ \boxed {\delta \cdot \mathbf {e}_1^{\!\scriptscriptstyle {\top }}}\,\big ) \end{aligned}$$

together with $(f, \mathbf {x})$, we can recover $f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}+ \delta $, while learning nothing else about $\mathbf {z},\delta $. That is, for all $f,\mathbf {x},\mathbf {z}$ and $\delta \in \mathbb {Z}_p$:

reconstruction: $ (\mathsf {pgb}(f,\mathbf {x},\mathbf {z}; \mathbf {t}) + (\mathbf {0}, \boxed {\delta } \cdot \mathbf {e}_1^{\!\scriptscriptstyle {\top }})) \mathbf {d}_{f,\mathbf {x}} = f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}+ \boxed {\delta }$;
privacy: $ \mathsf {pgb}(f,\mathbf {x},\mathbf {z}; \mathbf {t}) + (\mathbf {0}, \boxed {\delta } \cdot \mathbf {e}_1^{\!\scriptscriptstyle {\top }}) \approx _s \mathsf {pgb}^*(f,\mathbf {x},f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}+ \boxed {\delta };\mathbf {t})$ where the randomness is over $\mathbf {t}\leftarrow \mathbb {Z}_p^{m + n' - 1}$.

See the full paper for more detail about Lemma 2 and the extension.

5 $\mathrm{\Pi }_\mathsf {one}$: One-Slot Scheme

In this section, we present our one-slot FE scheme for attribute-weighted sums. This scheme achieves simulation-based semi-adaptive security under k-Linear assumptions.

5.1 Construction

Our one-slot FE scheme $\mathrm{\Pi }_\mathsf {one}$ in prime-order bilinear group is described as follows.

$\mathsf {Setup}(1^\lambda ,1^{n},1^{n'})$: Run $\mathbb {G}= (p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e) \leftarrow \mathcal {G}(1^\lambda )$. Sample
$$ \mathbf {A}\leftarrow \mathbb {Z}_p^{(k+1)\times k} \quad \text{ and }\quad \mathbf {W}\leftarrow \mathbb {Z}_p^{(k+1)\times n'},\, \mathbf {U}\leftarrow \mathbb {Z}_p^{(k+1)\times kn},\, \mathbf {V}\leftarrow \mathbb {Z}_p^{(k+1)\times k} $$
and output
: Sample $\mathbf {s}\leftarrow \mathbb {Z}_p^{k}$ and output
$$ \textsf {ct}_{\mathbf {x},\mathbf {z}} = \big (\, [\mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}]_1,\,[\mathbf {z}^{\!\scriptscriptstyle {\top }}+ \mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {W}]_1,\, [\mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {U}(\mathbf {x}\otimes \mathbf {I}_k) + \mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {V}]_1\,\big ) \quad \text{ and }\quad \mathbf {x}. $$
$\mathsf {KeyGen}( \textsf {msk},f)$: Run $(\mathbf {L}_1,\mathbf {L}_0) \leftarrow \mathsf {lgen}(f)$ where $\mathbf {L}_1 \in \mathbb {Z}_p^{(m + n' - 1) \times mn},\mathbf {L}_0 \in \mathbb {Z}_p^{(m + n' - 1) \times m}$ (cf. Sect. 4.2). Sample $\mathbf {T}\leftarrow \mathbb {Z}_p^{(k+1) \times (m + n' - 1)}$ and $\mathbf {R}\leftarrow \mathbb {Z}_p^{k \times m}$ and output
$$ \textsf {sk}_f = \big (\, [\underline{\mathbf {T}}+ \mathbf {W}]_2,\, [\mathbf {T}\mathbf {L}_1 + \mathbf {U}(\mathbf {I}_n\otimes \mathbf {R})]_2,\, [\mathbf {T}\mathbf {L}_0 + \mathbf {V}\mathbf {R}]_2,\, [\mathbf {R}]_2 \,\big ) \quad \text{ and }\quad f $$
where $\underline{\mathbf {T}}$ refers to the matrix composed of the right most $n'$ columns of $\mathbf {T}$.
$\mathsf {Dec}(( \textsf {sk}_f,f),( \textsf {ct}_{\mathbf {x},\mathbf {z}},\mathbf {x}))$: On input key:
$$ \textsf {sk}_f = \big (\, [\mathbf {K}_1]_2, [\mathbf {K}_2]_2, [\mathbf {K}_3]_2, [\mathbf {R}]_2 \,\big )\quad \text{ and }\quad f $$
and ciphertext:
$$ \textsf {ct}_{\mathbf {x},\mathbf {z}} = \big (\, [\mathbf {c}_0^{\!\scriptscriptstyle {\top }}]_1,\,[\mathbf {c}_1^{\!\scriptscriptstyle {\top }}]_1,\,[\mathbf {c}_2^{\!\scriptscriptstyle {\top }}]_1 \,\big )\quad \text{ and }\quad \mathbf {x}$$
the decryption works as follows:
1. 1.
  compute
  $$\begin{aligned}{}[\mathbf {p}_1^{\!\scriptscriptstyle {\top }}]_T = e([\mathbf {c}_1^{\!\scriptscriptstyle {\top }}]_1,[\mathbf {I}_{n'}]_2) \cdot e([\mathbf {c}_0^{\!\scriptscriptstyle {\top }}]_1,[-\mathbf {K}_1]_2) \end{aligned}$$
  (9)
2. 2.
  compute
  $$\begin{aligned}{}[\mathbf {p}_2^{\!\scriptscriptstyle {\top }}]_T = e([\mathbf {c}_0^{\!\scriptscriptstyle {\top }}]_1,[\mathbf {K}_2 (\mathbf {x}\otimes \mathbf {I}_m) + \mathbf {K}_3]_2) \cdot e([-\mathbf {c}_2^{\!\scriptscriptstyle {\top }}]_1,[\mathbf {R}]_2) \end{aligned}$$
  (10)
3. 3.
  run $\mathbf {d}_{f,\mathbf {x}}\leftarrow \mathsf {rec}(f,\mathbf {x})$ (cf. Sect. 4.2), compute
  $$\begin{aligned}{}[D]_T = [(\mathbf {p}_1^{\!\scriptscriptstyle {\top }},\mathbf {p}_2^{\!\scriptscriptstyle {\top }})\mathbf {d}_{f,\mathbf {x}}]_T \end{aligned}$$
  (11)
  and use brute-force discrete log to recover D as the output.

Correctness. For $ \textsf {ct}_{\mathbf {x},\mathbf {z}}$ and $ \textsf {sk}_f$, we have

$$\begin{aligned} \mathbf {p}_1^{\!\scriptscriptstyle {\top }}= & {} \mathbf {z}^{\!\scriptscriptstyle {\top }}- \mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\underline{\mathbf {T}}\end{aligned}$$

(12)

$$\begin{aligned} \mathbf {p}_2^{\!\scriptscriptstyle {\top }}= & {} \mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {T}\mathbf {L}_1 (\mathbf {x}\otimes \mathbf {I}_m) + \mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {T}\mathbf {L}_0 \end{aligned}$$

(13)

$$\begin{aligned} (\mathbf {p}_1^{\!\scriptscriptstyle {\top }},\mathbf {p}_2^{\!\scriptscriptstyle {\top }})\mathbf {d}_{f,\mathbf {x}}= & {} f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z} \end{aligned}$$

(14)

Here (14) follows from the fact that

$$ (\mathbf {p}_1^{\!\scriptscriptstyle {\top }},\mathbf {p}_2^{\!\scriptscriptstyle {\top }}) = \mathsf {pgb}(f,\mathbf {x},\mathbf {z};(\mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {T})^{\!\scriptscriptstyle {\top }}) \quad \text{ and }\quad \mathbf {d}_{f,\mathbf {x}} = \mathsf {rec}(f,\mathbf {x}) $$

and reconstruction of the partial garbling in (9); the remaining two equalities follow from:

in which we use the equality $(\mathbf {I}_n\otimes \mathbf {R})(\mathbf {x}\otimes \mathbf {I}_m)=(\mathbf {x}\otimes \mathbf {I}_k)\mathbf {R}$. This readily proves the correctness.

Remark 2

(Comparison with W17 [40]). The ciphertext in [40] contains a term of the form

$$ [ \mathbf {x}^{\!\scriptscriptstyle {\top }}\otimes \mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {V}+ \mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {U}]_1 \in \mathbb {G}_1^{kn} \quad \text { in the place of }\quad [\mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {U}(\mathbf {x}\otimes \mathbf {I}_k) + \mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {V}]_1\in \mathbb {G}_1^{k}$$

where $\mathbf {U}\leftarrow \mathbb {Z}_p^{(k+1)\times kn},\mathbf {V}\leftarrow \mathbb {Z}_p^{(k+1)\times k}$. The secret key sizes in both our schemes and that in [40] are $O(mn + n')$. In our scheme, the multiplicative factor of n comes at the cost of a smaller ciphertext. In [40], the multiplicative factor of n comes from a locality requirement that each column of $\mathbf {L}_1(\mathbf {x}\otimes \mathbf {I}_m)+\mathbf {L}_0$ depends on a single entry of $\mathbf {x}$, which can be achieved generically at the cost of a blow-up of n. We remove the locality requirement in our scheme.

Security. We have the following theorem with the proof shown in the subsequent subsection.

Theorem 1

Our one-slot scheme $\mathrm{\Pi }_\mathsf {one}$ for attribute-weighted sums described in this section achieves simulation-based semi-adaptive security under the MDDH assumption in $\mathbb {G}_1$ and in $\mathbb {G}_2$.

5.2 Simulator

We start by describing the simulator.

$\mathsf {Setup}^*(1^\lambda ,1^{n},1^{n'})$: Run $\mathbb {G}= (p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e) \leftarrow \mathcal {G}(1^\lambda )$. Sample
and output
where . Here we assume that $(\mathbf {A}| \mathbf {c})$ has full rank, which happens with probability $1-1/p$.
$\mathsf {Enc}^*( \textsf {msk}^*,\mathbf {x}^*)$: Output
$\mathsf {KeyGen}^*( \textsf {msk}^*,\mathbf {x}^*,f,\mu \in \mathbb {Z}_p)$: Run
Sample , $\mathbf {T}\leftarrow \mathbb {Z}_p^{(k+1) \times (m + n' - 1)}$ and $\mathbf {R}\leftarrow \mathbb {Z}_p^{k \times m}$ and output
(15)
where
Here $\underline{\mathbf {T}}$ refers to the matrix composed of the right most $n'$ columns of $\mathbf {T}$. That is,

Remark 3 (decryption checks)

As a sanity check, we check that an adversary cannot use the decryption algorithm to distinguish between the real and simulated output.

Observe that when we decrypt the simulated ciphertext $ \textsf {ct}^*_{\mathbf {x}^*}\leftarrow \mathsf {Enc}^*( \textsf {msk}^*,\mathbf {x}^*)$ with the simulated secret key $ \textsf {sk}^*_f \leftarrow \mathsf {KeyGen}^*( \textsf {msk}^*,\mathbf {x}^*,f,f(\mathbf {x}^*)^{\!\scriptscriptstyle {\top }} \mathbf {z}^*)$, the $ \textsf {sk}^*_f[1]$ part cancels out and leaves just the $ \textsf {sk}^*_f[2]$ part since $\mathbf {c}^{\!\scriptscriptstyle {\top }}\mathbf {C}^{\!\scriptscriptstyle {\perp }}= \mathbf {0}, \mathbf {c}^{\!\scriptscriptstyle {\top }}\mathbf {a}^{\!\scriptscriptstyle {\perp }}= 1$ and we end up with $((\mathbf {p}^*_1)^{\!\scriptscriptstyle {\top }},(\mathbf {p}^*_2)^{\!\scriptscriptstyle {\top }})\mathbf {d}_{f,\mathbf {x}^*} = f(\mathbf {x}^*)^{\!\scriptscriptstyle {\top }}\mathbf {z}^*$ where $((\mathbf {p}^*_1)^{\!\scriptscriptstyle {\top }},(\mathbf {p}^*_2)^{\!\scriptscriptstyle {\top }}) \leftarrow \mathsf {pgb}^*(f,\mathbf {x}^*,f(\mathbf {x}^*)^{\!\scriptscriptstyle {\top }}\mathbf {z}^*)$.

Similarly, when we decrypt a normal ciphertext $ \textsf {ct}_{\mathbf {x},\mathbf {z}} \leftarrow \mathsf {Enc}( \textsf {mpk},(\mathbf {x},\mathbf {z}))$ corresponding to any $(\mathbf {x},\mathbf {z})$ with a simulated secret key, the $ \textsf {sk}^*_f[2]$ part cancels out and leaves just the $ \textsf {sk}^*_f[1]$ part since $\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {C}^{\!\scriptscriptstyle {\perp }}= \mathbf {I}, \mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {a}^{\!\scriptscriptstyle {\perp }}= \mathbf {0}$. We end up with $(\mathbf {p}_1^{\!\scriptscriptstyle {\top }},\mathbf {p}_2^{\!\scriptscriptstyle {\top }})\mathbf {d}_{f,\mathbf {x}} = f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}$ where $(\mathbf {p}_1^{\!\scriptscriptstyle {\top }},\mathbf {p}_2^{\!\scriptscriptstyle {\top }}) = \mathsf {pgb}(f,\mathbf {x},\mathbf {z};(\mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {T})^{\!\scriptscriptstyle {\top }})$ as in the real $\mathsf {Dec}$ algorithm.

5.3 Proof

With our simulator, we prove the following theorem which implies Theorem 1.

Theorem 2

For all $\mathcal {A}$, there exist $\mathcal {B}_1$ and $\mathcal {B}_2$ with $\mathsf {Time}(\mathcal {B}_1),\mathsf {Time}(\mathcal {B}_2) \approx \mathsf {Time}(\mathcal {A})$ such that

$$ \mathsf {Adv}^{\mathrm{\Pi }_\mathsf {one}}_{\mathcal {A}}(\lambda ) \le \mathsf {Adv}^{\mathrm {MDDH}^{1}_{k,k+1}}_{\mathcal {B}_1}(\lambda ) + \mathsf {Adv}^{\mathrm {MDDH}^{n}_{k,mQ}}_{\mathcal {B}_2}(\lambda ) + 1/p $$

where $n$ is length of public input $\mathbf {x}^*$ in the challenge, m is the parameter depending on size of function f and Q is the number of key queries.

Note that this yields a tight security reduction to the k-Lin assumption. Before we proceed to describe the game sequence and proof, we state the following lemma we will use.

Lemma 3 (statistical lemma)

For any full-rank $(\mathbf {A}|\mathbf {c}) \in \mathbb {Z}_p^{(k+1) \times k}\times \mathbb {Z}_p^{k+1}$, we have

Game sequence. We use $(\mathbf {x}^*,\mathbf {z}^*)$ to denote the semi-adaptive challenge and for notational simplicity, assume that all key queries $f_j$ share the same parameter m. We prove Theorem 2 via a series of games.

: Real game.
: Identical to $\mathsf {Game}_0$ except that $ \textsf {ct}^*$ for $(\mathbf {x}^*,\mathbf {z}^*)$ is given by
$$ \textsf {ct}^* = \big (\, [\boxed {\mathbf {c}^{\!\scriptscriptstyle {\top }}}]_1,\,[(\mathbf {z}^*)^{\!\scriptscriptstyle {\top }}+ \boxed {\mathbf {c}^{\!\scriptscriptstyle {\top }}}\mathbf {W}]_1,\, [\boxed {\mathbf {c}^{\!\scriptscriptstyle {\top }}}\mathbf {U}(\mathbf {x}^*\otimes \mathbf {I}_k) + \boxed {\mathbf {c}^{\!\scriptscriptstyle {\top }}}\mathbf {V}]_1\,\big ) $$
where $\mathbf {c}\leftarrow \mathbb {Z}_p^{k+1}$. We claim that $\mathsf {Game}_0 \approx _c \mathsf {Game}_1$. This follows from $\mathrm {MDDH}^{1}_{k,k+1}$ assumption:
$$ [\mathbf {A}^{\!\scriptscriptstyle {\top }}]_1,\,[\mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}]_1 \approx _c [\mathbf {A}^{\!\scriptscriptstyle {\top }}]_1,\,\boxed {[\mathbf {c}^{\!\scriptscriptstyle {\top }}]_1}. $$
In the reduction, we sample $\mathbf {W},\mathbf {U},\mathbf {V}$ honestly and use them to simulate $ \textsf {mpk}$ and $\mathsf {KeyGen}( \textsf {msk},\cdot )$ along with $[\mathbf {A}^{\!\scriptscriptstyle {\top }}]_1$; the challenge ciphertext $ \textsf {ct}^*$ is generated using the challenge term given above.
: Identical to $\mathsf {Game}_1$ except that the j-th query $f_j$ to $\mathsf {KeyGen}\mathsf {KeyGen}( \textsf {msk},\cdot )$ is answered by
$$ \textsf {sk}_{f_j} = \big (\,\mathbf {C}^{\!\scriptscriptstyle {\perp }}\cdot \textsf {sk}_{f_j}[1] + \mathbf {a}^{\!\scriptscriptstyle {\perp }}\cdot \textsf {sk}_{f_j}[2] ,\,[\mathbf {R}_j]_2\,\big ) $$
with
where $(\mathbf {L}_{1,j},\mathbf {L}_{0,j})\leftarrow \mathsf {lgen}(f_j)$, $\mathbf {T}_j \leftarrow \mathbb {Z}_p^{(k+1)\times (m + n' - 1)}$, $ \mathbf {R}_j \leftarrow \mathbb {Z}_p^{k \times m}$, $\mathbf {c}$ is the randomness in $ \textsf {ct}^*$ and $\mathbf {C}^{\!\scriptscriptstyle {\perp }},\mathbf {a}^{\!\scriptscriptstyle {\perp }}$ are defined such that $(\mathbf {A}| \mathbf {c})^{\!\scriptscriptstyle {\top }}(\mathbf {C}^{\!\scriptscriptstyle {\perp }}| \mathbf {a}^{\!\scriptscriptstyle {\perp }}) = \mathbf {I}_{k+1}$ (cf. $\mathsf {Setup}^*$ in Sect. 5.2). By basic linear algebra, we have $\mathsf {Game}_1=\mathsf {Game}_2$.
: Identical to $\mathsf {Game}_2$ except that we replace $\mathsf {Setup},\mathsf {Enc}$ with $\mathsf {Setup}^*,\mathsf {Enc}^*$ where is given by
and replace $\mathsf {KeyGen}( \textsf {msk},\cdot )$ with $\mathsf {KeyGen}^*_3( \textsf {msk}^*,\cdot )$, which works as $\mathsf {KeyGen}( \textsf {msk},\cdot )$ in $\mathsf {Game}_2$ except that, for the j-th query $f_j$, we compute
where $\tilde{\mathbf {w}},\tilde{\mathbf {v}}$ are given in $ \textsf {msk}^*$ (output by $\mathsf {Setup}^*$) and $\tilde{\mathbf {u}} \leftarrow \mathbb {Z}_p^{k n}, \mathbf {t}_j \leftarrow \mathbb {Z}_p^{m + n' - 1}$, $\mathbf {R}_j \leftarrow \mathbb {Z}_p^{k \times m}$. We claim that $\mathsf {Game}_2 \approx _s \mathsf {Game}_3$. This follows from the following statement: for any full-rank $(\mathbf {A}|\mathbf {c})$, we have
which is implied by Lemma 3.
: Identical to $\mathsf {Game}_3$ except that we replace with which works as except that, for the j-th query $f_j$, we compute
where $\hat{\mathbf {u}}_j \leftarrow \mathbb {Z}_p^{nm}$ and $\mathbf {R}_j \leftarrow \mathbb {Z}_p^{k \times m}$. We claim that $\mathsf {Game}_3 \approx _c \mathsf {Game}_4$. This follows from $\mathrm {MDDH}^{n}_{k,mQ}$ assumption which tells us that
where Q is the number of key queries.
: Identical to $\mathsf {Game}_4$ except that we replace $\mathsf {KeyGen}^*_4$ with $\mathsf {KeyGen}^*$; this is the ideal game. We claim that $\mathsf {Game}_4 \approx _s \mathsf {Game}_5$. This follows from the privacy of partial garbling scheme in Sect. 4.2.

We prove the indistinguishability of adjacent games listed above in the full paper.

6 $\mathrm{\Pi }_\mathsf {ext}$: Extending $\mathrm{\Pi }_\mathsf {one}$

In this section, we extend our one-slot FE scheme $\mathrm{\Pi }_\mathsf {one}$ in Sect. 5 to handle the randomization offsets $\mathbf {w}^{\!\scriptscriptstyle {\top }}\mathbf {r}$. The scheme achieves simulation-based semi-adaptive security under k-Linear assumption.

Extension. The extended scheme is the same as a one-slot FE for attribute-weighted sums, except we replace functionality $((\mathbf {x},\mathbf {z}),f) \mapsto f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}$ with

$$\begin{aligned} ((\mathbf {x},\mathbf {z}\Vert \mathbf {w}),(f,[\mathbf {r}]_2)) \mapsto [f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}+ \mathbf {w}^{\!\scriptscriptstyle {\top }}\mathbf {r}]_T \end{aligned}$$

where $\mathbf {w},\mathbf {r}\in \mathbb {Z}_p^k$. That is, we make the following modifications:

$\mathsf {Enc}$ takes $\mathbf {z}\Vert \mathbf {w}$ instead of $\mathbf {z}$ as the second input;
$\mathsf {KeyGen},\mathsf {KeyGen}^*$ takes $(f,[\mathbf {r}]_2)$ instead of f as input;
in correctness, decryption computes $[f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}+ \mathbf {w}^{\!\scriptscriptstyle {\top }}\mathbf {r}]_T$ instead of $f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}$;
in the security definition, $\mathcal {A}$ produces $(\mathbf {x}^*,\mathbf {z}^* \Vert \mathbf {w}^*)$ instead of $(\mathbf {x}^*,\mathbf {z}^*)$, and $\mathsf {KeyGen}^*$ gets $[f(\mathbf {x}^*)^{\!\scriptscriptstyle {\top }}\mathbf {z}^* + (\mathbf {w}^*)^{\!\scriptscriptstyle {\top }}\mathbf {r}]_2$ instead of $f(\mathbf {x}^*)^{\!\scriptscriptstyle {\top }}\mathbf {z}^*$.

In particular, correctness states that:

$$ \mathsf {Dec}( \mathsf {Enc}( \textsf {mpk},(\mathbf {x},\mathbf {z}\Vert \mathbf {w})), \mathsf {KeyGen}( \textsf {msk},(f,[\mathbf {r}]_2))) = [f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}+\mathbf {w}^{\!\scriptscriptstyle {\top }}\mathbf {r}]_T $$

Construction overview. To obtain a scheme with the extension, the idea —following the IPFE in [6]— is to augment the previous construction $\mathrm{\Pi }_\mathsf {one}$ with $[\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {W}_0]_1$ in $ \textsf {mpk}$, $[\mathbf {w}^{\!\scriptscriptstyle {\top }}+ \mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {W}_0]_1$ in the ciphertext, and $[\mathbf {W}_0 \mathbf {r}]_2$ in the secret key. During decryption, we will additionally compute

$$ e([\mathbf {w}^{\!\scriptscriptstyle {\top }}+ \mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {W}_0]_1, [\mathbf {r}]_2) \cdot e([\mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}]_1, [\mathbf {W}_0 \mathbf {r}]_2)^{-1} = [\mathbf {w}^{\!\scriptscriptstyle {\top }}\mathbf {r}]_T$$

This works for correctness, but violates security since the decryptor learns both $[f(\mathbf {x})^{\!\scriptscriptstyle {\top }}\mathbf {z}]_T$ and $[\mathbf {w}^{\!\scriptscriptstyle {\top }}\mathbf {r}]_T$ instead of just the sum. To avoid this leakage while preserving correctness, we will carefully embed $\mathbf {W}_0\mathbf {r}$ into the secret key for $\mathrm{\Pi }_\mathsf {one}$, while relying on the extension of the garbling scheme for handling shifts to argue both correctness and security, cf. Sect. 4.2. We will describe the scheme and simulator but defer the details for the proof to full paper.

6.1 Our Scheme

Scheme. Our extended one-slot FE scheme $\mathrm{\Pi }_\mathsf {ext}$ in prime-order bilinear group is described as follows. The boxes indicate the changes from the scheme in Sect. 5.1.

$\mathsf {Setup}(1^\lambda ,1^{n},1^{n'})$: Run $\mathbb {G}= (p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e) \leftarrow \mathcal {G}(1^\lambda )$. Sample and
$$ \mathbf {W}\leftarrow \mathbb {Z}_p^{(k+1)\times n'},\,\boxed {\mathbf {W}_0 \leftarrow \mathbb {Z}_p^{(k+1)\times k}},\, \mathbf {U}\leftarrow \mathbb {Z}_p^{(k+1)\times kn},\, \mathbf {V}\leftarrow \mathbb {Z}_p^{(k+1)\times k} $$
and output
$$\begin{aligned} \textsf {mpk}= & {} \big (\,\mathbb {G},\,[\mathbf {A}^{\!\scriptscriptstyle {\top }}]_1,\,[\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {W}]_1,\,[\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {U}]_1,\,[\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {V}]_1,\,\boxed {[\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {W}_0]_1}\,\big ) \\ \textsf {msk}= & {} \big (\,\mathbf {W},\,\mathbf {U},\,\mathbf {V},\,\boxed {\mathbf {W}_0}\,\big ). \end{aligned}$$
$\mathsf {Enc}( \textsf {mpk},(\mathbf {x},\mathbf {z}\Vert \mathbf {w}))$: Sample $\mathbf {s}\leftarrow \mathbb {Z}_p^{k}$ and output
$$ \textsf {ct}_{\mathbf {x},\mathbf {z}\Vert \mathbf {w}} = \left( \, \begin{array}{c} {[\mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}]_1,\,[\mathbf {z}^{\!\scriptscriptstyle {\top }}+ \mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {W}]_1,\,[\mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {U}(\mathbf {x}\otimes \mathbf {I}_k) + \mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {V}]_1},\\ {\boxed {[\mathbf {w}^{\!\scriptscriptstyle {\top }}+ \mathbf {s}^{\!\scriptscriptstyle {\top }}\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {W}_0]_1}} \end{array} \right) ,\,\mathbf {x}. $$
$\mathsf {KeyGen}( \textsf {msk},(f,[\mathbf {r}]_2))$: Run $(\mathbf {L}_1,\mathbf {L}_0) \leftarrow \mathsf {lgen}(f)$ where $\mathbf {L}_1 \in \mathbb {Z}_p^{(m + n' - 1) \times mn},\mathbf {L}_0 \in \mathbb {Z}_p^{(m + n' - 1) \times m}$ (cf. Sect. 4.2). Sample $\mathbf {T}\leftarrow \mathbb {Z}_p^{(k+1) \times (m + n' - 1)}$ and $\mathbf {R}\leftarrow \mathbb {Z}_p^{k \times m}$ and output^{Footnote 6}
$$ \textsf {sk}_{f,\mathbf {r}} = \big (\, [\underline{\mathbf {T}}+ \mathbf {W}]_2,\, [\mathbf {T}\mathbf {L}_1 + \mathbf {U}(\mathbf {I}_n\otimes \mathbf {R})]_2,\, [\mathbf {T}\mathbf {L}_0 - \boxed {\mathbf {W}_0 \mathbf {r}\cdot \mathbf {e}_1^{\!\scriptscriptstyle {\top }}} + \mathbf {V}\mathbf {R}]_2,\, [\mathbf {R}]_2 \,\big ),\,(f,\boxed {[\mathbf {r}]_2}) $$
where $\underline{\mathbf {T}}$ refers to the matrix composed of the right most $n'$ columns of $\mathbf {T}$.
$\mathsf {Dec}(( \textsf {sk}_{f,\mathbf {r}},(f,\boxed {[\mathbf {r}]_2})),( \textsf {ct}_{\mathbf {x},\mathbf {z}\Vert \mathbf {w}},\mathbf {x}))$: On input key:
$$ \textsf {sk}_{f,\mathbf {r}} = \big (\, [\mathbf {K}_1]_2, [\mathbf {K}_2]_2, [\mathbf {K}_3]_2, [\mathbf {R}]_2 \,\big ) \quad \text{ and }\quad (f,[\mathbf {r}]_2) $$
and ciphertext:
$$ \textsf {ct}_{\mathbf {x},\mathbf {z}\Vert \mathbf {w}} = \big (\, [\mathbf {c}_0^{\!\scriptscriptstyle {\top }}]_1,\,[\mathbf {c}_1^{\!\scriptscriptstyle {\top }}]_1,\,[\mathbf {c}_2^{\!\scriptscriptstyle {\top }}]_1, \,[\mathbf {c}_3^{\!\scriptscriptstyle {\top }}]_1 \,\big ) \quad \text{ and }\quad \mathbf {x}$$
the decryption works as follows:
1. 1.
  compute
  $$\begin{aligned}{}[\mathbf {p}_1^{\!\scriptscriptstyle {\top }}]_T = e([\mathbf {c}_1^{\!\scriptscriptstyle {\top }}]_1,[\mathbf {I}_{n'}]_2) \cdot e([\mathbf {c}_0^{\!\scriptscriptstyle {\top }}]_1,[-\mathbf {K}_1]_2) \end{aligned}$$
  (16)
2. 2.
  compute
  $$\begin{aligned}{}[\mathbf {p}_2^{\!\scriptscriptstyle {\top }}]_T = e([\mathbf {c}_0^{\!\scriptscriptstyle {\top }}]_1,[\mathbf {K}_2 (\mathbf {x}\otimes \mathbf {I}_m) + \mathbf {K}_3]_2) \cdot e([-\mathbf {c}_2^{\!\scriptscriptstyle {\top }}]_1,[\mathbf {R}]_2) \cdot \boxed {e([\mathbf {c}_3^{\!\scriptscriptstyle {\top }}]_1,[\mathbf {r}\cdot \mathbf {e}_1^{\!\scriptscriptstyle {\top }}]_2)} \end{aligned}$$
  (17)
3. 3.
  run $\mathbf {d}_{f,\mathbf {x}}\leftarrow \mathsf {rec}(f,\mathbf {x})$ (see Sect. 4.2), output
  $$\begin{aligned}{}[D]_T = [(\mathbf {p}_1^{\!\scriptscriptstyle {\top }},\mathbf {p}_2^{\!\scriptscriptstyle {\top }})\mathbf {d}_{f,\mathbf {x}}]_T \end{aligned}$$
  (18)

Simulator. The simulator for $\mathrm{\Pi }_\mathsf {ext}$ is as follows. The boxes indicate the changes from the simulator for $\mathrm{\Pi }_\mathsf {one}$ in Sect. 5.2.

$\mathsf {Setup}^*(1^\lambda ,1^{n},1^{n'})$: Run $\mathbb {G}= (p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e) \leftarrow \mathcal {G}(1^\lambda )$. Sample
$$\mathbf {A}\leftarrow \mathbb {Z}_p^{(k+1)\times k} \quad \text{ and }\quad \mathbf {c}\leftarrow \mathbb {Z}_p^{k+1} \quad \text{ and }\quad $$

$$ \begin{array}{llll} \mathbf {W}\leftarrow \mathbb {Z}_p^{(k+1)\times n'}, &{} \boxed {\mathbf {W}_0 \leftarrow \mathbb {Z}_p^{(k+1)\times k}}, &{} \mathbf {U}\leftarrow \mathbb {Z}_p^{(k+1)\times kn}, &{} \mathbf {V}\leftarrow \mathbb {Z}_p^{(k+1)\times k}\\ \widetilde{\mathbf {w}} \leftarrow \mathbb {Z}_p^{n'},&{} \boxed {\widetilde{\mathbf {w}}_0 \leftarrow \mathbb {Z}_p^{k}},&{} &{} \widetilde{\mathbf {v}} \leftarrow \mathbb {Z}_p^{k} \end{array} $$
and output
$$\begin{aligned} \textsf {mpk}= & {} \big (\,\mathbb {G},\,[\mathbf {A}^{\!\scriptscriptstyle {\top }}]_1,\,[\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {W}]_1,\,\boxed {[\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {W}_0]_1},\,[\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {U}]_1,\,[\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {V}]_1\,\big )\\ \textsf {msk}^*= & {} \big (\,\mathbf {W},\,\boxed {\mathbf {W}_0},\,\mathbf {U},\,\mathbf {V},\,\widetilde{\mathbf {w}},\,\boxed {\widetilde{\mathbf {w}}_0},\, \widetilde{\mathbf {v}},\,\mathbf {c},\mathbf {C}^{\!\scriptscriptstyle {\perp }},\mathbf {A},\mathbf {a}^{\!\scriptscriptstyle {\perp }}\,\big ) \end{aligned}$$
where $(\mathbf {A}| \mathbf {c})^{\!\scriptscriptstyle {\top }}(\mathbf {C}^{\!\scriptscriptstyle {\perp }}| \mathbf {a}^{\!\scriptscriptstyle {\perp }}) = \mathbf {I}_{k+1}$. Here we assume that $(\mathbf {A}| \mathbf {c})$ has full rank, which happens with probability $1-1/p$.
$\mathsf {Enc}^*( \textsf {msk}^*,\mathbf {x}^*)$: Output
$$ \textsf {ct}^* = \big (\, [\mathbf {c}^{\!\scriptscriptstyle {\top }}]_1,\,[\widetilde{\mathbf {w}}^{\!\scriptscriptstyle {\top }}]_1,\, [\widetilde{\mathbf {v}}^{\!\scriptscriptstyle {\top }}]_1,\boxed {[\widetilde{\mathbf {w}}_0^{\!\scriptscriptstyle {\top }}]_1}\,\big ) \quad \text{ and }\quad \mathbf {x}^*. $$
$\mathsf {KeyGen}^*( \textsf {msk}^*,\mathbf {x}^*,(f,[\mathbf {r}]_2),[\mu ]_2)$: Run
$$ (\mathbf {L}_1,\mathbf {L}_0) \leftarrow \mathsf {lgen}(f) \quad \text{ and }\quad ([(\mathbf {p}^*_1)^{\!\scriptscriptstyle {\top }}]_2,[(\mathbf {p}^*_2)^{\!\scriptscriptstyle {\top }}]_2) \leftarrow \mathsf {pgb}^*(f,\mathbf {x}^*,\boxed {[\mu ]_2}). $$
Here, we use the fact that $\mathsf {pgb}^*(f,\mathbf {x}^*,\cdot )$ is an affine function. Sample $\hat{\mathbf {u}}\leftarrow \mathbb {Z}_p^{nm}$, $\mathbf {T}\leftarrow \mathbb {Z}_p^{(k+1) \times (m + n' - 1)}$ and $\mathbf {R}\leftarrow \mathbb {Z}_p^{k \times m}$ and output
$$\begin{aligned} \textsf {sk}^*_{f,\mathbf {r}} = \big (\,\mathbf {C}^{\!\scriptscriptstyle {\perp }}\cdot \textsf {sk}^*_{f,\mathbf {r}}[1] + \mathbf {a}^{\!\scriptscriptstyle {\perp }}\cdot \textsf {sk}^*_{f,\mathbf {r}}[2] ,\,[\mathbf {R}]_2\,\big ) \quad \text{ and }\quad (f,[\mathbf {r}]_2) \end{aligned}$$
(19)
where
$$\begin{aligned} \textsf {sk}^*_{f,\mathbf {r}}[1]= & {} \big (\, [\mathbf {A}^{\!\scriptscriptstyle {\top }}\underline{\mathbf {T}}+ \mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {W}]_2,\, [\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {T}\mathbf {L}_1 + \mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {U}(\mathbf {I}_n\otimes \mathbf {R})]_2,\, \\&[\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {T}\mathbf {L}_0 - \boxed {\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {W}_0\mathbf {r}\cdot \mathbf {e}_1^{\!\scriptscriptstyle {\top }}} + \mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {V}\mathbf {R}]_2 \,\big ) \\ \textsf {sk}^*_{f,\mathbf {r}}[2]= & {} \big (\, [-(\mathbf {p}_1^*)^{\!\scriptscriptstyle {\top }}+ \widetilde{\mathbf {w}}^{\!\scriptscriptstyle {\top }}]_2,\, [ \hat{\mathbf {u}}^{\!\scriptscriptstyle {\top }}]_2,\, [(\mathbf {p}_2^*)^{\!\scriptscriptstyle {\top }}- \hat{\mathbf {u}}^{\!\scriptscriptstyle {\top }}(\mathbf {x}^* \otimes \mathbf {I}_m)- \boxed {\widetilde{\mathbf {w}}_0^{\!\scriptscriptstyle {\top }}\mathbf {r}\cdot \mathbf {e}_1^{\!\scriptscriptstyle {\top }}} +\widetilde{\mathbf {v}}^{\!\scriptscriptstyle {\top }}\mathbf {R}]_2 \,\big ) \end{aligned}$$
Here $\underline{\mathbf {T}}$ refers to the matrix composed of the right most $n'$ columns of $\mathbf {T}$. That is,
$$\begin{aligned}\begin{array}{l} \textsf {sk}^*_{f,\mathbf {r}} = \\ \left( \begin{array}{lll} [\mathbf {C}^{\!\scriptscriptstyle {\perp }}(\mathbf {A}^{\!\scriptscriptstyle {\top }}\underline{\mathbf {T}}+ \mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {W}) &{}+ {\mathbf {a}^{\scriptscriptstyle {\perp }}}(-(\mathbf {p}_1^*)^{\!\scriptscriptstyle {\top }}+ \widetilde{\mathbf {w}}^{\!\scriptscriptstyle {\top }}) ]_2,\,\\ \,[\mathbf {C}^{\!\scriptscriptstyle {\perp }}(\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {T}\mathbf {L}_1 + \mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {U}(\mathbf {I}_n\otimes \mathbf {R})) &{}+ {\mathbf {a}^{\scriptscriptstyle {\perp }}}(\hat{\mathbf {u}}^{\!\scriptscriptstyle {\top }}) ]_2\,&{},\,[\mathbf {R}]_2\\ \,[\mathbf {C}^{\!\scriptscriptstyle {\perp }}(\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {T}\mathbf {L}_0 - \boxed {\mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {W}_0\mathbf {r}\cdot \mathbf {e}_1^{\!\scriptscriptstyle {\top }}} + \mathbf {A}^{\!\scriptscriptstyle {\top }}\mathbf {V}\mathbf {R}) &{}+ {\mathbf {a}^{\scriptscriptstyle {\perp }}}\big ((\mathbf {p}\ _2^*)^{\!\scriptscriptstyle {\top }}- \hat{\mathbf {u}}^{\!\scriptscriptstyle {\top }}(\mathbf {x}^* \otimes \mathbf {I}_m)- \boxed {\widetilde{\mathbf {w}}_0^{\!\scriptscriptstyle {\top }}\mathbf {r}\cdot \mathbf {e}_1^{\!\scriptscriptstyle {\top }}}+\widetilde{\mathbf {v}}^{\!\scriptscriptstyle {\top }}\mathbf {R}\big ) ]_2\end{array} \right) \end{array}\end{aligned}$$

7 $\mathrm{\Pi }_\mathsf {ubd}$: Unbounded-Slot Scheme

In this section, we describe our unbounded-slot FE scheme. We give a generic transformation from scheme $\mathrm{\Pi }_\mathsf {ext}$ in Sect. 6 and present a self-contained description of the scheme in the full paper.

7.1 Scheme

Let $\mathrm{\Pi }_\mathsf {ext}=(\mathsf {Setup}_\mathsf {ext},\mathsf {Enc}_\mathsf {ext},\mathsf {KeyGen}_\mathsf {ext},\mathsf {Dec}_\mathsf {ext})$ be the extended one-slot FE scheme in Sect. 6. Our unbounded-slot FE scheme $\mathrm{\Pi }_\mathsf {ubd}$ is as follows:

$\mathsf {Setup}(1^\lambda ,1^{n},1^{n'})$: Run
$$ ( \textsf {mpk}_1, \textsf {msk}_1) \leftarrow \mathsf {Setup}_\mathsf {ext}(1^\lambda ,1^{n},1^{n'});\quad ( \textsf {mpk}_2, \textsf {msk}_2) \leftarrow \mathsf {Setup}_\mathsf {ext}(1^\lambda ,1^{n},1^{n'}) $$
and output
$$ \textsf {mpk}= ( \textsf {mpk}_1, \textsf {mpk}_2) \quad \text{ and }\quad \textsf {msk}=( \textsf {msk}_1, \textsf {msk}_2). $$
$\mathsf {Enc}( \textsf {mpk},(\mathbf {x}_i,\mathbf {z}_i)_{i \in [N]})$: Sample $\mathbf {w}_2,\ldots ,\mathbf {w}_{N} \leftarrow \mathbb {Z}_p^k,$ compute
$$ \begin{array}{lcll}\textstyle \textsf {ct}_1 &{} \leftarrow &{} \mathsf {Enc}_\mathsf {ext}( \textsf {mpk}_1,(\mathbf {x}_1,\mathbf {z}_1\Vert -\sum _{i\in [2,N]}\mathbf {w}_i)) \\ \textsf {ct}_i &{} \leftarrow &{} \mathsf {Enc}_\mathsf {ext}( \textsf {mpk}_2,(\mathbf {x}_i,\mathbf {z}_i\Vert \mathbf {w}_i)),\quad \forall i \in [2,N]\\ \end{array} $$
and output
$$ \textsf {ct}_{(\mathbf {x}_i,\mathbf {z}_i)} = ( \textsf {ct}_1,\ldots , \textsf {ct}_N) \quad \text{ and }\quad (\mathbf {x}_i)_{i\in [N]}. $$
$\mathsf {KeyGen}( \textsf {msk},f)$: Pick $\mathbf {r}\leftarrow \mathbb {Z}_p^k$, compute
$$ \textsf {sk}_{f,1} \leftarrow \mathsf {KeyGen}_\mathsf {ext}( \textsf {msk}_1,(f,[\mathbf {r}]_2));\qquad \textsf {sk}_{f,2} \leftarrow \mathsf {KeyGen}_\mathsf {ext}( \textsf {msk}_2,(f,[\mathbf {r}]_2)) $$
and output
$$ \textsf {sk}_f = ( \textsf {sk}_{f,1}, \textsf {sk}_{f,2},[\mathbf {r}]_2) \quad \text{ and }\quad f. $$
$\mathsf {Dec}(( \textsf {sk}_f,f),( \textsf {ct}_{(\mathbf {x}_i,\mathbf {z}_i)},(\mathbf {x}_i)_{i\in [N]}))$: Parse ciphertext and key as
$$ \textsf {sk}_f = ( \textsf {sk}_{f,1}, \textsf {sk}_{f,2},[\mathbf {r}]_2) \quad \text{ and }\quad \textsf {ct}_{(\mathbf {x}_i,\mathbf {z}_i)} = ( \textsf {ct}_1,\ldots , \textsf {ct}_N). $$
We proceed as follows:
1. 1.
  Compute
  $$\begin{aligned}{}[D_1]_T \leftarrow \mathsf {Dec}_\mathsf {ext}\big (( \textsf {sk}_{f,1},(f,[\mathbf {r}]_2)),( \textsf {ct}_1,\mathbf {x}_1)\big ); \end{aligned}$$
  (20)
2. 2.
  For all $i \in [2,N]$, compute
  $$\begin{aligned}{}[D_{i}]_T \leftarrow \mathsf {Dec}_\mathsf {ext}\big (( \textsf {sk}_{f,2},(f,[\mathbf {r}]_2)),( \textsf {ct}_i,\mathbf {x}_i)\big ); \end{aligned}$$
  (21)
3. 3.
  Compute
  $$\begin{aligned}{}[D]_T = [D_1]_T \cdots [D_{N}]_T \end{aligned}$$
  (22)
  and output D via brute-force discrete log.

Correctness. For $ \textsf {ct}_{(\mathbf {x}_i,\mathbf {z}_i)}$ with randomness $\mathbf {w}_2,\ldots ,\mathbf {w}_N$ and $ \textsf {sk}_f$ with randomness $\mathbf {r}$, we have

$$\begin{aligned} D_1= & {} \textstyle f(\mathbf {x}_1)^{\!\scriptscriptstyle {\top }}\mathbf {z}_1 - \sum _{i\in [2,N]}\mathbf {w}_i^{\!\scriptscriptstyle {\top }}\mathbf {r}\end{aligned}$$

(23)

$$\begin{aligned} D_i= & {} f(\mathbf {x}_i)^{\!\scriptscriptstyle {\top }}\mathbf {z}_i+\mathbf {w}_i^{\!\scriptscriptstyle {\top }}\mathbf {r},\qquad \qquad \qquad \forall i \in [2,N] \end{aligned}$$

(24)

$$\begin{aligned} D= & {} \textstyle \sum _{i\in [N]}f(\mathbf {x}_i)^{\!\scriptscriptstyle {\top }}\mathbf {z}_i \end{aligned}$$

(25)

Here (23) and (24) follow from the correctness of $\mathrm{\Pi }_\mathsf {ext}$ and the last (25) is implied by (23) and (24). This readily proves the correctness.

Security. We have the following theorem with the proof shown in the subsequent subsection.

Theorem 3

Assume that extended one-slot scheme $\mathrm{\Pi }_\mathsf {ext}$ achieves simulation-based semi-adaptive security, our unbounded-slot FE scheme $\mathrm{\Pi }_\mathsf {ubd}$ described in this section achieves simulation-based semi-adaptive security under the k-Linear assumption in $\mathbb {G}_2$.

7.2 Simulator

Let $(\mathsf {Setup}^*_\mathsf {ext},\mathsf {Enc}^*_\mathsf {ext},\mathsf {KeyGen}^*_\mathsf {ext})$ be the simulator for $\mathrm{\Pi }_\mathsf {ext}$, we start by describing the simulator for $\mathrm{\Pi }_\mathsf {ubd}$. As written, the adversary needs to commit to the length N in advance; this is merely an artifact of our formalization of simulation-based security, and can be avoided by having $\mathsf {Enc}^*$ pass auxiliary information to $\mathsf {KeyGen}^*$.

$\mathsf {Setup}^*(1^\lambda ,1^{n},1^{n'},1^N)$: Sample $\mathbf {w}_2,\ldots ,\mathbf {w}_{N} \leftarrow \mathbb {Z}_p^k,$ run
$$( \textsf {mpk}_1, \textsf {msk}_1^*) \leftarrow \mathsf {Setup}^*_\mathsf {ext}(1^\lambda ,1^{n},1^{n'});{\,} ( \textsf {mpk}_2, \textsf {msk}_2) \leftarrow \mathsf {Setup}_\mathsf {ext}(1^\lambda ,1^{n},1^{n'}) $$
and output
$$ \textsf {mpk}= ( \textsf {mpk}_1, \textsf {mpk}_2) \quad \text{ and }\quad \textsf {msk}^* =( \textsf {msk}_1^*, \textsf {msk}_2,\mathbf {w}_2,\ldots ,\mathbf {w}_{N}). $$
$\mathsf {Enc}^*( \textsf {msk}^*,(\mathbf {x}^*_i)_{i\in [N]})$: Compute
$$ \textsf {ct}_1^* \leftarrow \mathsf {Enc}^*_\mathsf {ext}( \textsf {msk}^*_1,\mathbf {x}_1^*) \quad \text{ and }\quad \textsf {ct}_i \leftarrow \mathsf {Enc}_\mathsf {ext}( \textsf {mpk}_2,(\mathbf {x}_i^*,\mathbf {0}\Vert \mathbf {w}_i)),\,\forall i \in [2,N] $$
and output
$$ \textsf {ct}^* = ( \textsf {ct}_1^*, \textsf {ct}_2,\ldots , \textsf {ct}_N) \quad \text{ and }\quad (\mathbf {x}^*_i)_{i\in [N]}. $$
$\mathsf {KeyGen}^*( \textsf {msk}^*,(\mathbf {x}^*_i)_{i\in [N]},f,\mu \in \mathbb {Z}_p)$: Pick $\mathbf {r}\leftarrow \mathbb {Z}_p^k$, compute
$$\begin{aligned} \textsf {sk}_{f,1}^*\leftarrow & {} \textstyle \mathsf {KeyGen}^*_\mathsf {ext}( \textsf {msk}^*_1,\mathbf {x}_1^*,(f,[\mathbf {r}]_2),[\mu -\sum _{i\in [2,N]}\mathbf {w}_i^{\!\scriptscriptstyle {\top }}\mathbf {r}]_2)\\ \textsf {sk}_{f,2}\leftarrow & {} \mathsf {KeyGen}_\mathsf {ext}( \textsf {msk}_2,(f,[\mathbf {r}]_2)) \end{aligned}$$
and output
$$ \textsf {sk}_f^* = ( \textsf {sk}^*_{f,1}, \textsf {sk}_{f,2},[\mathbf {r}]_2) \quad \text{ and }\quad f. $$

7.3 Proof

With our simulator, we prove the following theorem which implies Theorem 3.

Theorem 4

For all $\mathcal {A}$, there exist $\mathcal {B}_1$ and $\mathcal {B}_2$ with $\mathsf {Time}(\mathcal {B}_1),\mathsf {Time}(\mathcal {B}_2) \approx \mathsf {Time}(\mathcal {A})$ such that

$$ \mathsf {Adv}^{\mathrm{\Pi }_\mathsf {ubd}}_{\mathcal {A}}(\lambda ) \le (2N-1) \cdot \mathsf {Adv}^{\mathrm{\Pi }_\mathsf {ext}}_{\mathcal {B}_1}(\lambda ) + (N-1) \cdot \mathsf {Adv}^{\mathrm {MDDH}^{1}_{k, Q}}_{\mathcal {B}_2}(\lambda ) $$

where Q is the number of key queries and N is number of slots.

Game sequence. We use $(\mathbf {x}^*_1,\mathbf {z}^*_1,\ldots ,\mathbf {x}^*_N,\mathbf {z}^*_N)$ to denote the semi-adaptive challenge and prove Theorem 4 via the following game sequence summarized in Fig. 4, where

$$\begin{aligned} \begin{array}{lllll} \mathsf {Game}_0 \approx _c \mathsf {Game}_1 &{}= \mathsf {Game}_{2.0} &{}\approx _c \mathsf {Game}_{2.1} &{}\approx _c \mathsf {Game}_{2.2} &{}\approx _c \mathsf {Game}_{2.3}\\ &{}\ldots \\ &{}= \mathsf {Game}_{N.0} &{}\approx _c \mathsf {Game}_{N.1} &{}\approx _c \mathsf {Game}_{N.2} &{}\approx _c \mathsf {Game}_{N.3}\\ \end{array} \end{aligned}$$

: Real game.
: Identical to $\mathsf {Game}_0$ except for the boxed terms below:
- we generate $ \textsf {mpk}=( \textsf {mpk}_1, \textsf {mpk}_2)$ and $ \textsf {msk}=(\boxed { \textsf {msk}_1^*}, \textsf {msk}_2)$ where
  $$ \boxed {( \textsf {mpk}_1, \textsf {msk}_1^*) \leftarrow \mathsf {Setup}^*_\mathsf {ext}(1^\lambda ,1^{n},1^{n'})};{\quad }{\,} ( \textsf {mpk}_2, \textsf {msk}_2) \leftarrow \mathsf {Setup}_\mathsf {ext}(1^\lambda ,1^{n},1^{n'}) $$
- the challenge ciphertext for $(\mathbf {x}^*_1,\mathbf {z}^*_1,\ldots ,\mathbf {x}^*_N,\mathbf {z}^*_N)$ is $ \textsf {ct}^* = (\boxed { \textsf {ct}^*_1}, \textsf {ct}_2,\ldots , \textsf {ct}_{N})$ where
  $$ \boxed { \textsf {ct}_1^* \leftarrow \mathsf {Enc}^*_\mathsf {ext}( \textsf {msk}^*_1,\mathbf {x}^*_1)};\quad \textsf {ct}_i \leftarrow \mathsf {Enc}_\mathsf {ext}( \textsf {mpk}_2,(\mathbf {x}_i^*,\mathbf {z}_i^*\Vert \mathbf {w}_i)),\,\forall i \in [2,N] $$
- the key for the j-th query $f_j$ is $ \textsf {sk}_{f_j} = (\boxed { \textsf {sk}_{f_j,1}^*}, \textsf {sk}_{f_j,2},[\mathbf {r}_j]_2)$ where
  $$\boxed {\textstyle \textsf {sk}_{f_j,1}^* \leftarrow \mathsf {KeyGen}^*_\mathsf {ext}\big ( \textsf {msk}^*_1,\mathbf {x}^*_1,(f_j,[\mathbf {r}_j]_2),[f_j(\mathbf {x}_1^*)^{\!\scriptscriptstyle {\top }}\mathbf {z}_1^*- \sum _{i\in [2,N]}\mathbf {w}_i^{\!\scriptscriptstyle {\top }}\mathbf {r}_j]_2\big )} $$
  
  $$ \textsf {sk}_{f_j,2} \leftarrow \mathsf {KeyGen}_\mathsf {ext}( \textsf {msk}_2,(f_j,[\mathbf {r}_j]_2)); $$
where $\mathbf {w}_2,\ldots ,\mathbf {w}_{N} \leftarrow \mathbb {Z}_p^k$ and $\mathbf {r}_j\leftarrow \mathbb {Z}_p^k$ for all $j\in [Q]$. We claim that $\mathsf {Game}_0 \approx _c \mathsf {Game}_1$. This follows from the simulation-based semi-adaptive security of $\mathrm{\Pi }_\mathsf {ext}$.
for $\eta \in [2,N]$: Identical to $\mathsf {Game}_1$ except for the boxed terms below:
- the challenge ciphertext for $(\mathbf {x}^*_1,\mathbf {z}^*_1,\ldots ,\mathbf {x}^*_N,\mathbf {z}^*_N)$ is $ \textsf {ct}^* = ( \textsf {ct}_1^*, \textsf {ct}_2,\ldots , \textsf {ct}_N)$ where
  $$ \textsf {ct}_1^* \leftarrow \mathsf {Enc}^*_\mathsf {ext}( \textsf {msk}^*_1,\mathbf {x}^*_1);{\quad }{\,} \textsf {ct}_i \leftarrow {\left\{ \begin{array}{ll} \mathsf {Enc}_\mathsf {ext}( \textsf {mpk}_2,(\mathbf {x}_i^*,\boxed {\mathbf {0}}\Vert \mathbf {w}_i)) &{} i \in [2,\eta -1]\\ \mathsf {Enc}_\mathsf {ext}( \textsf {mpk}_2,(\mathbf {x}_i^*,\,\mathbf {z}_i^*\Vert \mathbf {w}_i)) &{} i \in [\eta ,N]\\ \end{array}\right. } $$
- the key for the j-th query $f_j$ is $ \textsf {sk}_{f_j} = ( \textsf {sk}_{f_j,1}^*, \textsf {sk}_{f_j,2},[\mathbf {r}_j]_2)$ where
  $$\textstyle \textsf {sk}_{f_j,1}^* \leftarrow \mathsf {KeyGen}^*_\mathsf {ext}\big ( \textsf {msk}^*_1,\mathbf {x}_1^*,(f_j,[\mathbf {r}_j]_2),[\boxed {\textstyle \sum _{i \in [\eta -1]} f_j(\mathbf {x}_i^*)^{\!\scriptscriptstyle {\top }}\mathbf {z}_i^*} -\sum _{i\in [2,N]}\mathbf {w}_i^{\!\scriptscriptstyle {\top }}\mathbf {r}_j]_2\big ) $$
  
  $$ \textsf {sk}_{f_j,2} \leftarrow \mathsf {KeyGen}_\mathsf {ext}( \textsf {msk}_2,(f_j,[\mathbf {r}_j]_2)); $$
where $\mathbf {w}_2,\ldots ,\mathbf {w}_N \leftarrow \mathbb {Z}_p^k$ and $\mathbf {r}_j\leftarrow \mathbb {Z}_p^k$ for all $j\in [Q]$.
for $\eta \in [2,N]$: Identical to $\mathsf {Game}_{\eta .0}$ except for the boxed terms below:
- we generate $ \textsf {mpk}=( \textsf {mpk}_1, \textsf {mpk}_2)$ and $ \textsf {msk}=( \textsf {msk}_1^*,\boxed { \textsf {msk}_2^*})$ where
  $$ ( \textsf {mpk}_1, \textsf {msk}_1^*) \leftarrow \mathsf {Setup}^*_\mathsf {ext}(1^\lambda ,1^{n},1^{n'});{\quad }{\,} \boxed {( \textsf {mpk}_2, \textsf {msk}_2^*) \leftarrow \mathsf {Setup}^*_\mathsf {ext}(1^\lambda ,1^{n},1^{n'})} $$
- the challenge ciphertext for $(\mathbf {x}^*_1,\mathbf {z}^*_1,\ldots ,\mathbf {x}^*_N,\mathbf {z}^*_N)$ is $ \textsf {ct}^* = ( \textsf {ct}_1^*, \textsf {ct}_2,\ldots , \textsf {ct}_{\eta -1},$ $\boxed { \textsf {ct}^*_{\eta }}, \textsf {ct}_{\eta +1},\ldots , \textsf {ct}_N)$ where
  $$ \textsf {ct}_1^* \leftarrow \mathsf {Enc}^*_\mathsf {ext}( \textsf {msk}^*_1,\mathbf {x}^*_1),\, {\left\{ \begin{array}{ll} \textsf {ct}_i \leftarrow \mathsf {Enc}_\mathsf {ext}( \textsf {mpk}_2,(\mathbf {x}_i^*,\mathbf {0}\Vert \mathbf {w}_i)) &{} i \in [2,\eta -1]\\ \boxed { \textsf {ct}^*_\eta \leftarrow \mathsf {Enc}^*_\mathsf {ext}( \textsf {msk}^*_2,\mathbf {x}^*_\eta )} &{} i = \eta \\ \textsf {ct}_i \leftarrow \mathsf {Enc}_\mathsf {ext}( \textsf {mpk}_2,(\mathbf {x}_i^*,\,\mathbf {z}_i^*\Vert \mathbf {w}_i)) &{} i \in [\eta +1,N]\\ \end{array}\right. } $$
- the key for the j-th query $f_j$ is $ \textsf {sk}_{f_j} = ( \textsf {sk}_{f_j,1}^*,\boxed { \textsf {sk}^*_{f_j,2}},[\mathbf {r}_j]_2)$ where
  $$\textstyle \textsf {sk}_{f_j,1}^* \leftarrow \mathsf {KeyGen}^*_\mathsf {ext}\big ( \textsf {msk}^*_1,\mathbf {x}_1^*,(f_j,[\mathbf {r}_j]_2),[\textstyle \sum _{i \in [\eta -1]} f_j(\mathbf {x}_i^*)^{\!\scriptscriptstyle {\top }}\mathbf {z}_i^* -\sum _{i\in [2,N]}\mathbf {w}_i^{\!\scriptscriptstyle {\top }}\mathbf {r}_j]_2\big ) $$
  
  $$ \boxed { \textsf {sk}^*_{f_j,2} \leftarrow \mathsf {KeyGen}^*_\mathsf {ext}( \textsf {msk}^*_2,\mathbf {x}^*_{\eta },(f_j,[\mathbf {r}_j]_2),[f_j(\mathbf {x}^*_{\eta })^{\!\scriptscriptstyle {\top }}\mathbf {z}^*_{\eta }+\mathbf {w}_{\eta }^{\!\scriptscriptstyle {\top }}\mathbf {r}_j]_2)} $$
where $\mathbf {w}_2,\ldots ,\mathbf {w}_N \leftarrow \mathbb {Z}_p^k$ and $\mathbf {r}_j\leftarrow \mathbb {Z}_p^k$ for all $j\in [Q]$. We claim that $\mathsf {Game}_{\eta .0} \approx _c \mathsf {Game}_{\eta .1}$. This follows from the simulation-based semi-adaptive security of $\mathrm{\Pi }_\mathsf {ext}$.
for $\eta \in [2,N]$: Identical to $\mathsf {Game}_{\eta .1}$ except for the boxed terms below:
- the key for the j-th query $f_j$ is $ \textsf {sk}_{f_j} = ( \textsf {sk}_{f_j,1}^*, \textsf {sk}^*_{f_j,2},[\mathbf {r}_j]_2)$ where
  $$\textstyle \textsf {sk}_{f_j,1}^* \leftarrow \mathsf {KeyGen}^*_\mathsf {ext}\big ( \textsf {msk}^*_1,\mathbf {x}_1^*,(f_j,[\mathbf {r}_j]_2),[\boxed {\textstyle \sum _{i \in [\eta ]} f_j(\mathbf {x}_i^*)^{\!\scriptscriptstyle {\top }}\mathbf {z}_i^*} -\sum _{i\in [2,N]}\mathbf {w}_i^{\!\scriptscriptstyle {\top }}\mathbf {r}_j]_2\big ) $$
  
  $$ \textsf {sk}^*_{f_j,2} \leftarrow \mathsf {KeyGen}^*_\mathsf {ext}( \textsf {msk}^*_2,\mathbf {x}^*_{\eta },(f_j,[\mathbf {r}_j]_2),[\boxed {\mathbf {w}_{\eta }^{\!\scriptscriptstyle {\top }}\mathbf {r}_j}]_2) $$
where $\mathbf {w}_2,\ldots ,\mathbf {w}_N \leftarrow \mathbb {Z}_p^k$ and $\mathbf {r}_j\leftarrow \mathbb {Z}_p^k$ for all $j\in [Q]$. We claim that $\mathsf {Game}_{\eta .1} \approx _c \mathsf {Game}_{\eta .2}$. This follows from Lemma 1 w.r.t. $\mathbf {w}_\eta $ and $f_j(\mathbf {x}^*_\eta )^{\!\scriptscriptstyle {\top }}\mathbf {z}^*_\eta $ which is implied by $\mathrm {MDDH}^{1}_{k, Q}$ assumption: for all $f_j,\mathbf {x}_\eta ^*,\mathbf {z}_\eta ^*$,
$$\begin{aligned} \begin{array}{clrrr} &{} \big \{ &{} \overbrace{[ - \mathbf {w}_\eta ^{\!\scriptscriptstyle {\top }}\mathbf {r}_j]_2}^{ \textsf {sk}^*_{f_j,1}}, &{} \overbrace{[ \boxed { f_j(\mathbf {x}_\eta ^*)^{\!\scriptscriptstyle {\top }}\mathbf {z}_\eta ^*} + \mathbf {w}_\eta ^{\!\scriptscriptstyle {\top }}\mathbf {r}_j ]_2}^{ \textsf {sk}^*_{f_j,2}}, &{} [\mathbf {r}_j]_2 \;\big \}_{j\in [Q]} \\ \approx _c&{} \big \{ &{} [ \boxed { f_j(\mathbf {x}_\eta ^*)^{\!\scriptscriptstyle {\top }}\mathbf {z}_\eta ^*} - \mathbf {w}_\eta ^{\!\scriptscriptstyle {\top }}\mathbf {r}_j]_2, &{} [ \mathbf {w}_\eta ^{\!\scriptscriptstyle {\top }}\mathbf {r}_j]_2, &{} [\mathbf {r}_j]_2 \;\big \}_{j\in [Q]} \\ \end{array} \end{aligned}$$
(26)
where $\mathbf {w}_\eta ,\mathbf {r}_j \leftarrow \mathbb {Z}_p^k$ for all $j\in [Q]$.
for $\eta \in [2,N]$: Identical to $\mathsf {Game}_{\eta .2}$ except for the boxed terms below:
- we generate $ \textsf {mpk}=( \textsf {mpk}_1, \textsf {mpk}_2)$ and $ \textsf {msk}=( \textsf {msk}_1^*,\boxed { \textsf {msk}_2})$ where
  $$ ( \textsf {mpk}_1, \textsf {msk}_1^*) \leftarrow \mathsf {Setup}^*_\mathsf {ext}(1^\lambda ,1^{n},1^{n'}),\, \boxed {( \textsf {mpk}_2, \textsf {msk}_2) \leftarrow \mathsf {Setup}_\mathsf {ext}(1^\lambda ,1^{n},1^{n'})} $$
- the challenge ciphertext for $(\mathbf {x}^*_1,\mathbf {z}^*_1,\ldots ,\mathbf {x}^*_N,\mathbf {z}^*_N)$ is $ \textsf {ct}^* = ( \textsf {ct}_1^*, \textsf {ct}_2,\ldots , \textsf {ct}_{\eta -1},$ $\boxed { \textsf {ct}_{\eta }}, \textsf {ct}_{\eta +1},\ldots , \textsf {ct}_N)$ where
  $$ \textsf {ct}_1^* \leftarrow \mathsf {Enc}^*_\mathsf {ext}( \textsf {msk}^*_1,\mathbf {x}^*_1){,\;} {\left\{ \begin{array}{ll} \textsf {ct}_i \leftarrow \mathsf {Enc}_\mathsf {ext}( \textsf {mpk}_2,(\mathbf {x}_i^*,\mathbf {0}\Vert \mathbf {w}_i)) &{} i \in [2,\eta -1]\\ \boxed { \textsf {ct}_i \leftarrow \mathsf {Enc}_\mathsf {ext}( \textsf {mpk}_2,(\mathbf {x}_\eta ^*,\mathbf {0}\Vert \mathbf {w}_\eta ))} &{} i = \eta \\ \textsf {ct}_i \leftarrow \mathsf {Enc}_\mathsf {ext}( \textsf {mpk}_2,(\mathbf {x}_i^*,\,\mathbf {z}_i^*\Vert \mathbf {w}_i)) &{} i \in [\eta +1,N]\\ \end{array}\right. } $$
- the key for the j-th query $f_j$ is $ \textsf {sk}_{f_j} = ( \textsf {sk}_{f_j,1}^*,\boxed { \textsf {sk}_{f_j,2}},[\mathbf {r}_j]_2)$ where
  $$\textstyle \textsf {sk}_{f_j,1}^* \leftarrow \mathsf {KeyGen}^*_\mathsf {ext}\big ( \textsf {msk}^*_1,\mathbf {x}_1^*,(f_j,[\mathbf {r}_j]_2),[\textstyle \sum _{i \in [\eta ]} f_j(\mathbf {x}_i^*)^{\!\scriptscriptstyle {\top }}\mathbf {z}_i^* -\sum _{i\in [2,N]}\mathbf {w}_i^{\!\scriptscriptstyle {\top }}\mathbf {r}_j]_2\big ) $$
  
  $$ \boxed { \textsf {sk}_{f_j,2} \leftarrow \mathsf {KeyGen}_\mathsf {ext}( \textsf {msk}_2,(f_j,[\mathbf {r}_j]_2))} $$
where $\mathbf {w}_2,\ldots ,\mathbf {w}_N \leftarrow \mathbb {Z}_p^k$ and $\mathbf {r}_j\leftarrow \mathbb {Z}_p^k$ for all $j\in [Q]$. We claim that $\mathsf {Game}_{\eta .2} \approx _c \mathsf {Game}_{\eta .3}$. This follows from the simulation-based semi-adaptive security of $\mathrm{\Pi }_\mathsf {ext}$ with the fact $f_j(\mathbf {x}^*_\eta )^{\!\scriptscriptstyle {\top }}\mathbf {0}+ \mathbf {w}_\eta ^{\!\scriptscriptstyle {\top }}\mathbf {r}= \mathbf {w}_\eta ^{\!\scriptscriptstyle {\top }}\mathbf {r}$.

Here we have $\mathsf {Game}_{2.0}=\mathsf {Game}_1$ and $\mathsf {Game}_{\eta .0} = \mathsf {Game}_{\eta -1.3}$ for all $\eta \in [3,N]$. Note that $\mathsf {Game}_{N.3}$ corresponds to the output of the simulator in the ideal game. We summarize the game sequence in Fig. 4. We prove the indistinguishability of adjacent games listed above in the full paper.

Notes

1.
We actually achieve semi-adaptive security [16], a slight strengthening of selective security.
2.
Note that we can also capture the same class with a quadratic blow-up in ciphertext size.
3.
As an example with $n=2,m=3$, we have
4.
The scheme in [40] has a larger ciphertext of the form: $ \textsf {ct}_{\mathbf {x},\mathbf {z}}= \big (\, [s]_1,\,[\mathbf {z}+ s\mathbf {w}]_1,\, [s(\mathbf {u}+ v\mathbf {x})]_1\,\big ) \in \mathbb {G}_1^{n+n'+1}$.
5.
Recall that if we write $\mathbf {u}= (u_1,\ldots ,u_n)$, then $\mathbf {u}^{\!\scriptscriptstyle {\top }}(\mathbf {I}_n \otimes \mathbf {r}^{\!\scriptscriptstyle {\top }}) = (u_1 \mathbf {r}^{\!\scriptscriptstyle {\top }},\ldots ,u_n \mathbf {r}^{\!\scriptscriptstyle {\top }})$.
6.
We use $\mathbf {r}$ instead of $[\mathbf {r}]_2$ in the subscript here and note that the function is described by $(f,[\mathbf {r}]_2)$ rather than $(f,\mathbf {r})$.

References

Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 733–751. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_33
Chapter Google Scholar
Abdalla, M., Catalano, D., Gay, R., Ursu, B.: Inner-product functional encryption with fine-grained access control. Cryptology ePrint Archive, Report 2020/577 (2020)
Google Scholar
Abdalla, M., Gay, R., Raykova, M., Wee, H.: Multi-input inner-product functional encryption from pairings. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 601–626. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_21
Chapter Google Scholar
Agrawal, S., Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption: new perspectives and lower bounds. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 500–518. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_28
Chapter Google Scholar
Agrawal, S., Libert, B., Maitra, M., Titiu, R.: Adaptive simulation security for inner product functional encryption. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020, Part I. LNCS, vol. 12110, pp. 34–64. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_2
Chapter Google Scholar
Agrawal, S., Libert, B., Stehlé, D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part III. LNCS, vol. 9816, pp. 333–362. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_12
Chapter Google Scholar
Agrawal, S., Maitra, M., Yamada, S.: Attribute based encryption (and more) for nondeterministic finite automata from LWE. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part II. LNCS, vol. 11693, pp. 765–797. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_26
Chapter Google Scholar
Agrawal, S., Maitra, M., Yamada, S.: Attribute based encryption for deterministic finite automata from $\sf DLIN$. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019, Part II. LNCS, vol. 11892, pp. 91–117. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_4
Chapter Google Scholar
Ambrona, M., Barthe, G., Gay, R., Wee, H.: Attribute-based encryption in the generic group model: automated proofs and new constructions. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 647–664. ACM Press, October/November 2017
Google Scholar
Baltico, C.E.Z., Catalano, D., Fiore, D., Gay, R.: Practical functional encryption for quadratic functions with applications to predicate encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 67–98. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_3
Chapter Google Scholar
Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: 20th ACM STOC, pp. 1–10. ACM Press, May 1988
Google Scholar
Boneh, D., Gentry, C., Gorbunov, S., Halevi, S., Nikolaenko, V., Segev, G., Vaikuntanathan, V., Vinayagamurthy, D.: Fully key-homomorphic encryption, arithmetic circuit ABE and Compact Garbled Circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30
Chapter Google Scholar
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_16
Chapter Google Scholar
Brakerski, Z., Vaikuntanathan, V.: Circuit-ABE from LWE: unbounded attributes and semi-adaptive security. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part III. LNCS, vol. 9816, pp. 363–384. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_13
Chapter Google Scholar
Chen, J., Gay, R., Wee, H.: Improved dual system ABE in prime-order groups via predicate encodings. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part II. LNCS, vol. 9057, pp. 595–624. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_20
Chapter Google Scholar
Chen, J., Wee, H.: Semi-adaptive attribute-based encryption and improved delegation for Boolean formula. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 277–297. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10879-7_16
Chapter Google Scholar
Chen, Y., Zhang, L., Yiu, S.-M.: Practical attribute based inner product functional encryption from simple assumptions. Cryptology ePrint Archive, Report 2019/846 (2019)
Google Scholar
Chotard, J., Dufour Sans, E., Gay, R., Phan, D.H., Pointcheval, D.: Decentralized multi-client functional encryption for inner product. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part II. LNCS, vol. 11273, pp. 703–732. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_24
Chapter Google Scholar
Datta, P., Okamoto, T., Takashima, K.: Adaptively simulation-secure attribute-hiding predicate encryption. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part II. LNCS, vol. 11273, pp. 640–672. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_22
Chapter Google Scholar
Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_8
Chapter Google Scholar
Goldwasser, S., Gordon, S.D., Goyal, V., Jain, A., Katz, J., Liu, F.-H., Sahai, A., Shi, E., Zhou, H.-S.: Multi-input functional encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 578–602. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_32
Chapter Google Scholar
Gong, J., Waters, B., Wee, H.: ABE for DFA from k-Lin. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 732–764. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_25
Chapter Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 545–554. ACM Press, June 2013
Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_25
Chapter Google Scholar
Goyal, R., Koppula, V., Waters, B.: Semi-adaptive security and bundling functionalities made generic and easy. In: Hirt, M., Smith, A. (eds.) TCC 2016, Part II. LNCS, vol. 9986, pp. 361–388. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_14
Chapter Google Scholar
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Juels, A., Wright, R.N., De Capitani di Vimercati, S. (eds.) ACM CCS 2006, pp. 89–98. ACM Press, October/November 2006. Available as Cryptology ePrint Archive Report 2006/309
Google Scholar
Ishai, Y., Wee, H.: Partial garbling schemes and their applications. In: Esparza, J., Fraigniaud, P., Husfeldt, T., Koutsoupias, E. (eds.) ICALP 2014, Part I. LNCS, vol. 8572, pp. 650–662. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43948-7_54
Chapter MATH Google Scholar
Jain, A., Lin, H., Matt, C., Sahai, A.: How to leverage hardness of constant-degree expanding polynomials over $\mathbb{R}$ to build $i\cal{O}$. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 251–281. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_9
Chapter Google Scholar
Jain, A., Lin, H., Sahai, A.: Simplifying constructions and assumptions for $i\cal{{O}}$. IACR Cryptology ePrint Archive, 2019:1252 (2019)
Google Scholar
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_9
Chapter Google Scholar
Kowalczyk, L., Wee, H.: Compact adaptively secure ABE for $\sf NC^1$ from k-Lin. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 3–33. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_1
Chapter Google Scholar
Lewko, A., Waters, B.: Unbounded HIBE and attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 547–567. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_30
Chapter Google Scholar
Lin, H.: Indistinguishability obfuscation from SXDH on 5-linear maps and locality-5 PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 599–629. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_20
Chapter Google Scholar
Okamoto, T., Takashima, K.: Adaptively attribute-hiding (hierarchical) inner product encryption. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 591–608. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_35
Chapter Google Scholar
Okamoto, T., Takashima, K.: Efficient (hierarchical) inner-product encryption tightly reduced from the decisional linear assumption. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 96–A(1), 42–52 (2013)
Article Google Scholar
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
Chapter Google Scholar
Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_36
Chapter Google Scholar
Waters, B.: Functional encryption for regular languages. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 218–235. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_14
Chapter Google Scholar
Wee, H.: Dual system encryption via predicate encodings. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 616–637. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_26
Chapter Google Scholar
Wee, H.: Attribute-hiding predicate encryption in bilinear groups, revisited. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 206–233. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_8
Chapter Google Scholar

Download references

Author information

Authors and Affiliations

CNRS, ENS and PSL, Paris, France
Michel Abdalla & Hoeteck Wee
East China Normal University, Shanghai, China
Junqing Gong
NTT Research, Palo Alto, CA, USA
Hoeteck Wee

Authors

Michel Abdalla
View author publications
You can also search for this author in PubMed Google Scholar
Junqing Gong
View author publications
You can also search for this author in PubMed Google Scholar
Hoeteck Wee
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Junqing Gong .

Editor information

Editors and Affiliations

UC San Diego, La Jolla, CA, USA
Daniele Micciancio
Cornell Tech, New York, NY, USA
Thomas Ristenpart

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Abdalla, M., Gong, J., Wee, H. (2020). Functional Encryption for Attribute-Weighted Sums from k-Lin. In: Micciancio, D., Ristenpart, T. (eds) Advances in Cryptology – CRYPTO 2020. CRYPTO 2020. Lecture Notes in Computer Science(), vol 12170. Springer, Cham. https://doi.org/10.1007/978-3-030-56784-2_23

Download citation

DOI: https://doi.org/10.1007/978-3-030-56784-2_23
Published: 10 August 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-56783-5
Online ISBN: 978-3-030-56784-2
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

Functional Encryption for Attribute-Weighted Sums from k-Lin

Abstract

Similar content being viewed by others

(Compact) Adaptively Secure FE for Attribute-Weighted Sums from k-Lin

Compact FE for Unbounded Attribute-Weighted Sums for Logspace from SXDH

Constant-Size Ciphertext Attribute-Based Encryption from Multi-channel Broadcast Encryption

1 Introduction

1.1 Our Results

1.2 Our Construction

1.3 Discussion

2 Technical Overview

2.1 One-Slot Scheme

2.2 Unbounded-Slot Scheme

3 Preliminaries

3.1 Prime-Order Bilinear Groups

Assumption 1

Lemma 1

4 Definitions and Tools

4.1 FE for Attribute-Weighted Sums

Remark 1 (Relaxation of correctness.)

4.2 Partial Garbling Scheme

Lemma 2

5 \(\mathrm{\Pi }_\mathsf {one}\): One-Slot Scheme

5.1 Construction

Remark 2

Theorem 1

5.2 Simulator

Remark 3 (decryption checks)

5.3 Proof

Theorem 2

Lemma 3 (statistical lemma)

6 \(\mathrm{\Pi }_\mathsf {ext}\): Extending \(\mathrm{\Pi }_\mathsf {one}\)

6.1 Our Scheme

7 \(\mathrm{\Pi }_\mathsf {ubd}\): Unbounded-Slot Scheme

7.1 Scheme

Theorem 3

7.2 Simulator

7.3 Proof

Theorem 4

Notes

References

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships