Succinct and Adaptively Secure ABE for ABP from k-Lin

Abstract

We present succinct and adaptively secure attribute-based encryption (ABE) schemes for arithmetic branching programs, based on k-Lin in pairing groups. Our key-policy ABE scheme has ciphertexts of constant size, independent of the length of the attributes, and our ciphertext-policy ABE scheme has secret keys of constant size. Our schemes improve upon the recent succinct ABE schemes in [Tomida and Attrapadung, ePrint ’20], which only handles Boolean formulae. All other prior succinct ABE schemes either achieve only selective security or rely on q-type assumptions.

Our schemes are obtained through a general and modular approach that combines a public-key inner product functional encryption satisfying a new security notion called gradual simulation security and an information-theoretic randomized encoding scheme called arithmetic key garbling scheme.

1 Introduction

Attribute-based encryption (ABE) [21] is an advanced form of public-key encryption for enforcing fine-grained access control. In the key-policy version, an authority generates a pair of master public and secret keys \(\mathsf {mpk},\mathsf {msk}\). Given \(\mathsf {mpk}\), everyone can encrypt a message m with an attribute x to get a ciphertext \(\mathsf {ct}_x(m)\). Using the master secret key \(\mathsf {msk}\), the authority can issue a secret key \(\mathsf {sk}_y\) tied to a policy y. Decrypting a ciphertext \(\mathsf {ct}_x(m)\) using \(\mathsf {sk}_y\) recovers the encrypted message m if the attribute x satisfies the policy y. Otherwise, no information about m is revealed. The security requirement of ABE mandates collusion resistance—no information of m should be revealed, even when multiple secret keys are issued, as long as none of them individually decrypts the ciphertext (i.e., the attribute satisfies none of the associated policies).

Over the past decade, a plethora of ABE schemes have been proposed for different expressive classes of policies, achieving different trade-offs between efficiency, security, and assumptions. Meanwhile, ABE has found numerous cryptographic and security applications. A primary desirata of ABE schemes is efficiency, in particular, having fast encryption algorithms and small ciphertexts. It turns out that the size of ABE ciphertexts can be independent of the length of the attribute x, and dependent only on the length of the message m and security parameter—we say such ciphertexts are succinct or have constant size (in attribute length). Proposed first in [11] as a goal, succinct ciphertexts are possible because ABE does not require hiding the attribute x, and the decryption algorithm can take x as input in the clear. Consequently, ciphertexts only need to contain enough information of x to enforce the integrity of computation on x, which does not necessitate encoding the entire x.

Succinct ABE are highly desirable. For practical applications of ABE where long attributes are involved for sophisticated access control, succinct ciphertexts are much more preferable. From a theoretical point of view, succinct ciphertexts have (asymptotically) optimal size, as dependency on the message length and security parameter is inevitable. From a technical point of view, succinct ABE provides interesting mechanism for enforcing the integrity of computation without encoding the input. So far, several succinct ABE schemes have been proposed [5,6,7, 22, 23, 27, 28], but almost all schemes either rely on non-standard assumption or provide only weak security, as summarized in Tables 1 and 2.

Our Results. In this work, we first construct a succinct key-policy ABE (KP-ABE) simultaneously satisfying the following properties.

1. (1)

   Expressiveness. Support policies expressed as arithmetic branching programs (ABPs).

2. (2)

   Security. Satisfy adaptive security, as opposed to selective or semi-adaptive security.

3. (3)

   Assumption. Based on the standard assumptions as opposed to, e.g., q-type assumptions. Specifically, our scheme relies on the matrix decisional Diffie–Hellman (MDDH) assumption over pairing groups.

4. (4)

   Efficiency. Has succinct ciphertext.

   Concretely, each ciphertext consists of 5 group elements when assuming SXDH, and \(2k+3\) elements for \({{\text {MDDH}}}_k\) (implied by k-Lin). Decryption involves the same number of pairing operations. Additionally, our scheme can work with the more efficient asymmetric prime-order pairing groups.

Next, we construct ciphertext-policy ABE (CP-ABE) with the same properties. Here, the secret keys are tied to attributes and ciphertexts to policies, and succinctness refers to having constant-size secret keys. Our scheme has keys consisting of 7 group elements based on SXDH and \(3k+4\) based on \({{\text {MDDH}}}_k\).

Besides succinctness (4), achieving the strong notion of adaptive security (2) based on standard assumptions (3) is also highly desirable from both a practical and a theoretical point of view. Prior to this work, only the recent construction of (KP and CP) ABE schemes by Tomida and Attrapadung [23] simultaneously achieves (2)–(4), and their scheme handles policies expressed as Boolean formulae. Our construction expands the class of policies to arithmetic branching programs, which is a more expressive model of computation. Our succinct ABE is also the first scheme natively supporting arithmetic computation over large fields,¹ whereas all prior succinct ABE schemes (even ones relying on q-type assumptions and/or achieving only selective security) only work natively with Boolean computation. Lastly, we note that even when relaxing the efficiency requirement from having succinct ciphertext to compact ciphertext, whose size grows linearly with the length of the attribute, only a few schemes [13, 15, 17] simultaneously achieve (2)–(4), and the most expressive class of policies supported is also ABP, due to [17].

Table 1. KP-ABE schemes with succinct ciphertext.

Table 2. CP-ABE schemes with succinct secret key.

Our Techniques. The recent work of [17] presented a general framework for constructing compact adaptively secure ABE from MDDH. In this work, we improve their general framework to achieve succinctness. The framework of [17] yields linear-size ciphertexts because it crucially relies on function-hiding inner-product functional encryption (IPFE) [10, 19]. IPFE allows issuing secret keys and ciphertexts tied to vectors \(\mathbf {v},\mathbf {u}\) respectively, and decryption reveals their inner product \(\langle \mathbf {u},\mathbf {v}\rangle \). The function-hiding property guarantees that nothing about \(\mathbf {u},\mathbf {v}\) beyond the inner product is revealed, which entails that ciphertexts and secret keys must have size linear in the length of the vectors.

Towards succinctness, our key idea is relaxing function-hiding to a new and weaker guarantee, called gradual simulation security, where only the vectors encrypted in the ciphertexts are hidden. Such IPFE can have succinct (constant-size) secret keys and can be public-key. We use new ideas to modify the framework of [17] to work with the weaker gradual simulation security and obtain succinct ciphertexts. Furthermore, we extend the framework to construct ciphertext-policy ABE, which is not handled in [17]. In summary, our techniques give a general and modular approach for constructing succinct and adaptively secure (KP and CP) ABE from MDDH.

Organization. In Sect. 1.1, we give an overview of how we construct our ABE schemes using inner-product functional encryption (IPFE) schemes with gradual simulation security and dual system encryption. We discuss related works in Sect. 1.2. After introducing the preliminaries in Sect. 2, we define gradual simulation security of IPFE and construct such an IPFE scheme in Sect. 3. In Sect. 4, we define 1-ABE and construct CP-1-ABE for ABP with succinct keys from gradually simulation-secure IPFE with succinct keys. In Sect. 5, we show how to construct KP-ABE with succinct ciphertexts using our CP-1-ABE and dual system encryption. Due to the lack of space, we refer the reader to the full version [18] for our construction of CP-ABE with succinct keys similarly to our KP-ABE construction.

1.1 Technical Overview

In this section, we give an overview of our construction of succinct ABE schemes, following the roadmap shown in Fig. 1.

Fig. 1.

The roadmap of our constructions.

1-ABE. The core of many ABE schemes is a 1-key 1-ciphertext secure secret-key ABE, or 1-ABE for short. Our construction improves the recent 1-ABE scheme for ABP by Lin and Luo (LL) [17], which achieves adaptive security but not succinctness.

Suppose we want decryption to recover the message \(\mu \in \mathbb {Z}_p\) if (and only if) \(f(\mathbf {x})\ne 0\) for policy function \(f:\mathbb {Z}_p^n\rightarrow \mathbb {Z}_p\) and attribute \(\mathbf {x}\in \mathbb {Z}_p^n\). This is equivalent to computing \(\mu f(\mathbf {x})\) upon decryption. The basic idea of the LL 1-ABE is that when a key (tied to \(f,\mu \))² and a ciphertext (tied to \(\mathbf {x}\)) are put together, one can compute a randomized encoding of \(\mu f(\mathbf {x})\), denoted by \(\widehat{\mu f(\mathbf {x})}\), which reveals \(\mu f(\mathbf {x})\) and hence \(\mu \) if \(f(\mathbf {x})\ne 0\). Since in ABE, we do not try to hide f or \(\mathbf {x}\), the randomized encoding only needs to hide \(\mu \) beyond the output \(\mu f(\mathbf {x})\), referred to as the partially hiding property, first introduced by [14]. Due to the weak security guarantee, partially hiding randomized encoding can have extremely simple structure. In particular, LL defined a refined version of such randomized encoding, called arithmetic key garbling scheme (AKGS), with the following properties:

Linear Encoding. The encoding is in the form of

$$\begin{aligned} \widehat{\mu f(\mathbf {x})}=\bigl (L_1(\mathbf {x}),\dots ,L_m(\mathbf {x})\bigr ), \end{aligned}$$

where \(L_j\)’s are affine functions of \(\mathbf {x}\) and the coefficients of \(L_j\)’s are linear in the message \(\mu \) and the garbling randomness. \(L_j\)’s are called label functions and \(\ell _j=L_j(\mathbf {x})\) are called labels.

Linear Evaluation. There is a procedure \(\mathsf {Eval}\) that can compute \(\mu f(\mathbf {x})\) from \(f,\mathbf {x}\) and the labels:

$$\begin{aligned} \mathsf {Eval}(f,\mathbf {x},\ell _1,\dots ,\ell _m)=\mu f(\mathbf {x}). \end{aligned}$$

Importantly, \(\mathsf {Eval}\) is linear in the labels.³

The basic security of AKGS is simulation security. There needs to be an efficient simulator \(\mathsf {Sim}\) that can perfectly simulate the labels given \(f,\mathbf {x},\mu f(\mathbf {x})\):

$$\begin{aligned} \mathsf {Sim}(f,\mathbf {x},\mu f(\mathbf {x})) \rightarrow (\ell _1,\dots ,\ell _m) \equiv \bigl (L_1(\mathbf {x}),\dots ,L_m(\mathbf {x})\bigr ). \end{aligned}$$

Since the label functions are affine in \(\mathbf {x}\) thus linear in \((1,\mathbf {x})\), the labels \(\ell _j=L_j(\mathbf{x})\) can be securely computed using a function-hiding IPFE. In IPFE, keys \(\mathsf {isk}(\mathbf {v})\) and ciphertexts \(\mathsf {ict}(\mathbf {u})\) are generated for vectors \(\mathbf {v},\mathbf {u}\), and decryption yields their inner product \(\langle \mathbf {u},\mathbf {v}\rangle \) but nothing else. More precisely, function-hiding says two sets of keys and ciphertexts encoding different vectors are indistinguishable as long as they yield identical inner products:

$$\begin{aligned} \bigl (\{\mathsf {isk}_j(\mathbf {v}_j)\},\{\mathsf {ict}_i(\mathbf {u}_i)\}\bigr ) {\!{}\approx {}\!} \bigl (\{\mathsf {isk}_j(\mathbf {v}_j')\},\{\mathsf {ict}_i(\mathbf {u}_i')\}\bigr ) \ {\text {if }}\langle \mathbf {u}_i,\mathbf {v}_j\rangle =\langle \mathbf {u}_i',\mathbf {v}_j'\rangle {\text { for all }}i,j. \end{aligned}$$

That is, all vectors no matter encoded in keys or ciphertexts are protected. Moreover, function-hiding should hold even when these vectors are chosen adaptively by the adversary, depending on previously observed keys and ciphertexts.

In the LL 1-ABE scheme, an ABE key consists of many IPFE keys encoding the coefficients of the label functions (also denoted by \(L_j\)), and an ABE ciphertext is an IPFE ciphertext encrypting \((1,\mathbf {x})\), as illustrated below in Real Algorithms. When they are put together, IPFE decryption recovers exactly the labels \(\ell _j=L_j(\mathbf {x})=\langle L_j,(1,\mathbf {x})\rangle \), from which we can recover \(\mu f(\mathbf {x})\) using the evaluation procedure. A technicality is that known IPFE are built from pairing groups, and decryption only reveals \(\mu f(\mathbf {x})\) in the exponent of the target group. Nevertheless, one can recover \(\mu f(\mathbf {x})\) also in the exponent, thanks to the linearity of AKGS evaluation.

Intuitively, the LL scheme is secure since IPFE only reveals the labels, and AKGS security guarantees only \(\mu f(\mathbf {x})\) is revealed, given the labels. It is simple to formalize this idea in the selective setting, where \(\mathbf {x}\) is chosen before querying the key for f. By the function-hiding property, it is indistinguishable to hardwire the labels in the IPFE keys as follows.

After labels \(L_j(\mathbf {x})\) are hardwired and label functions removed, AKGS security guarantees that the labels only reveal \(\mu f(\mathbf {x})\), and \(\mu \) is hidden if \(f(\mathbf {x})=0\). Observe that for selective security, we only need hiding in the keys and not the ciphertext.

The above proof fails for adaptive security, in particular in the case where the secret key is queried before the ciphertext (we will focus on this harder case below). At key generation time, \(\mathbf {x}\) is unknown and consequently the labels \(L_j(\mathbf {x})\) are unknown. We also do not want to hardwire all the labels in the ciphertext as that would make the ciphertext as large as the policy. LL solves this problem by relying on a stronger security notion of AKGS called piecewise security:

• The marginal distribution of \(\ell _2,\dots ,\ell _m\) is uniformly random, and \(\ell _1\) can be reversely computed from these other labels \(\ell _2,\dots ,\ell _m\) and \(f, \mathbf{x}\), by finding the unique \(\ell _1\) satisfying the constraint of evaluation correctness.⁴

• The other labels are marginally random even given the coefficients of all subsequent label functions, i.e.,

  

The first property implies a specific simulation strategy: Simply sample \(\ell _2,\dots ,\ell _m\) as random, then solve for \(\ell _1\) from the correctness constraint. This strategy is particularly suitable for the adaptive setting, as only the simulation of \(\ell _1\) depends on the input \(\mathbf {x}\). Thus, a conceivable simulation strategy for 1-ABE is to hardwire \(\ell _2,\dots ,\ell _m\) in the secret key and \(\ell _1\) in the ciphertext. This would not hurt the compactness of the ciphertext.

Proving the indistinguishability of the real and the simulated worlds takes two steps. In the first step, the first label \(\ell _1=L_1(\mathbf {x})\) is hardwired into the IPFE ciphertext \(\mathsf {ict}\), and then changed to be reversely computed from the other labels and \(f, \mathbf {x}\), which is possible since by the time we generate \(\mathsf {ict}\), we know both f and \(\mathbf {x}\). In the second step, each \(\mathsf {isk}_j\) for \(j > 1\) is, one by one, switched from encoding the label function to encoding a random label. To do so, the j^th label \(\ell _j=L_j(\mathbf {x})\) is first hardwired into \(\mathsf {ict}\), after which it is switched to random relying on piecewise security, and lastly moved back to \(\mathsf {isk}_j\). Observe that the proof uses two extra slots in the vectors (one for \(\ell _1\), the other for each \(\ell _j\) temporarily) and relies on hiding in both the keys and the ciphertext.

Lightweight Alternative to Function-Hiding. In a function-hiding IPFE, keys and ciphertexts must be of size at least linear in the vector dimension. This means the resulting ABE scheme can never be succinct. Our first observation is that function-hiding IPFE is an overkill. Since in ABE, \(\mathbf {x}\) is not required to be hidden, it is quite wasteful to protect it inside an IPFE ciphertext. Indeed, selective security of the LL scheme does not rely on hiding in the ciphertext.

Our idea to achieve succinctness is to use a non-function-hiding IPFE scheme instead, e.g., public-key IPFE. Usually the vector in the key is included verbatim as part of the key, and the “essence” of the key (excluding the vector itself) could be significantly shorter than the vector. Indeed, many known public-key IPFE schemes [1, 3] have succinct keys.

Since the coefficients of the label functions (which contains information about \(\mu \) and the garbling randomness) must be hidden for the 1-ABE to be secure, and \(\mathbf {x}\) is public, we should encrypt the coefficients of the label functions in IPFE ciphertexts and use an IPFE key for \((1,\mathbf {x})\) to compute the garbling. Since the message \(\mu \) is together with f and the generation of IPFE ciphertexts is public-key, the 1-ABE scheme is more like a public-key ciphertext-policy ABE than a secret-key ABE, except we only consider security given a single key for some attribute \(\mathbf {x}\). Therefore, we redefine 1-ABE as 1-key secure public-key CP-ABE,⁵ and the idea is to construct it from a public key IPFE and AKGS as follows:

Our CP-1-ABE is \(\mathbf {x}\)-selectively secure if the underlying IPFE is indistinguishability-secure, similar to the selective security of LL scheme.

However, it is not immediate that we can prove adaptive security of this new scheme. The LL adaptive security proof requires hardwiring \(\ell _1\) and one of \(\ell _j\)’s with \(\mathbf {x}\), which is now encoded in the secret key without hiding property. Taking a step back, hardwiring a label is really about removing its label function and only using the label, which is the inner product yielded by IPFE decryption. Our idea is to use simulation security to achieve this goal. A simulator for a public-key IPFE can simulate the master public key, the secret keys, and one (or a few) ciphertext, using only the inner products, and the simulator can do so adaptively. Let us take simulating one ciphertext as an example.

\(J^*\) is the number of keys issued before ciphertext generation. On the left are the honestly generated master public key, secret keys, and ciphertext. On the right is their simulation. The vertical bar separates what the real algorithms use and what the simulator (additionally) use. Since public-key IPFE completely reveals the key vectors,⁶ they are always provided to the simulator. As for the other values:

• Before ciphertext simulation, there is no additional information supplied.

• When the ciphertext is simulated, the vector \(\mathbf {u}\) is not provided, but its inner products with already simulated keys are provided to the simulator.⁷

• After ciphertext simulation, when simulating a key for \(\mathbf {v}_j\), the inner product \(\langle \mathbf {u},\mathbf {v}_j\rangle \) is provided with \(\mathbf {v}_j\).

Observe that the values after the vertical bar are exactly those computable using the functionality of IPFE at that time, so in simulation, anything about the encrypted vector not yet computable by the functionality of IPFE, simply does not exist (information-theoretically) at all. In the setting of our CP-1-ABE, we will simulate an IPFE ciphertext to remove its corresponding label function and only retain the label. Looking from the perspective of hardwiring, when we issue \(\mathsf {sk}_{\mathbf {x}}=\mathsf {isk}(1,\mathbf {x})\) after we have created the ciphertext \(\mathsf {ct}_{f,\mu }\) (in which \(\mathsf {ict}_j\) has been simulated), the inner product \(\ell _j\) is supplied to the simulator when we simulate \(\mathsf {isk}\), after the simulation of \(\mathsf {ict}_j\). This means the label \(\ell _j\) is hardwired into \(\mathsf {isk}\).

Let us exemplify the proof of adaptive security in the more difficult case where \(\mathsf {sk}_{\mathbf {x}}\) is queried after \(\mathsf {ct}_{f,\mu }\). First, we simulate \(\mathsf {ict}_1\) so that the first label is hardwired into \(\mathsf {isk}\).

(We omitted the master public key for brevity.) Note that \(\mathsf {ict}_j\)’s for \(j>1\) do not use ciphertext simulation but are created using the master public key (honest or simulated). Once \(\ell _1\) is hardwired, we can instead solve for it from the correctness equation.

The second step is to switch \(\mathsf {ict}_j(L_j)\) to \(\mathsf {ict}_j(\ell _j,\mathbf {0})\) for \(\ell _j\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p\) one by one, i.e., to simulate \(\ell _j\) as random. To do so, we first simulate \(\mathsf {ict}_j\) (hardwiring \(\ell _j=L_j(\mathbf {x})\) into \(\mathsf {isk}\)), then switch \(\ell _j\) to random (via piecewise security), and lastly revert \(\mathsf {ict}_j\) back to encryption (not simulated), but encrypting \((\ell _j,\mathbf {0})\) instead.

During the proof, there are at most two simulated ciphertexts at any time, so it appears that we can just use a simulation-secure IPFE capable of simulating at most two ciphertexts. This is not the case. The tricky part is that the usual definition of simulation security in (\(\star \)) only requires the real world to be indistinguishable from simulation. However, in the step of simulating \(\ell _j\) as random, we need to switch \(\mathsf {ict}_j\) to simulation when \(\widetilde{\mathsf {ict}}_1\) is already simulated (and symmetrically, reverting \(\widetilde{\mathsf {ict}}_j\) back to encryption while keeping \(\widetilde{\mathsf {ict}}_1\) simulated). It is unclear whether this transition is indistinguishable just via simulation security, because the definition says nothing about the indistinguishability of simulating one more ciphertext when there is already one simulated ciphertext, i.e.,

Note that when we want to simulate \(\ell _j\), the computation of \(\ell _1\) has complicated dependency on \(\mathbf {x}\),⁸ and we cannot hope to get around the issue by first reverting \(\widetilde{\mathsf {ict}}_1\) back to normal encryption then simultaneously simulating \(\mathsf {ict}_1,\mathsf {ict}_j\), because we do not know what to encrypt in \(\mathsf {ict}_1\).

Gradually Simulation-Secure IPFE. To solve the problem above, we define a stronger notion of simulation security, called gradual simulation security. It bridges the gap by capturing the idea that it is indistinguishable to simulate more ciphertexts even when some ciphertexts (and all the keys) are already simulated, as long as the total number of simulated ciphertexts does not exceed a preselected threshold. We show that the IPFE scheme in [3] can be adapted for gradual simulation security. The length of secret keys grows linearly in the maximum number of simulated ciphertexts, but not in the vector dimension. Plugging it into our CP-1-ABE construction, we obtain a CP-1-ABE with succinct keys.

We remark that another way to get around the issue of simulation security is to notice that there are at most two ciphertexts simulated at any time and one of them is \(\mathsf {ict}_1\). Therefore, we can simply prepare two instances of IPFE (with independently generated master public and secret keys), one dedicated to \(\mathsf {ict}_1\) and the other to \(\mathsf {ict}_j\)’s (for \(j>1\)). During the proof, the instance for \(\mathsf {ict}_1\) is always simulated, and the other instance is switched between simulation and normal. The downside of this method is that using two instances doubles 1-ABE key size. In contrast, the solution using gradually simulation-secure IPFE only needs one more \(\mathbb {Z}_p\) element in CP-1-ABE key.

Comparison with Previous Techniques. Previous works constructing succinct ABE only natively support Boolean computations, whereas our method natively supports arithmetic computations. In [5,6,7, 22, 27], succinct ABE schemes are constructed from a special succinct ABE for set-membership policies (keys are tied to a set S and ciphertexts are tied to an element x; decryption succeeds if \(x\in S\)). Based on ABE for set-membership policies, one can obtain ABE for monotone span programs, or policies admitting linear secret sharing schemes. Those ingredients (the special ABE, MSP, LSS) are inherently only native to Boolean computations. Among them, the work of [6] constructs succinct ABE for arithmetic span programs by reduction to MSP at the cost of a \(\Theta (\log p)\) blow-up in key sizes.

In [23, 28], succinct ABE schemes are implicitly based on IPFE with succinct keys. The IPFE is only used to compute linear secret sharing schemes, and is used in a non-black-box way. In contrast, our 1-ABE can be constructed from any IPFE in a modular and black-box fashion, and we use it for arithmetic branching programs.

Dual System Encryption for Full ABE. To lift our CP-1-ABE to full KP-ABE, we need to flip the position of attributes and policies. Our idea is to use CP-1-ABE as a key encapsulation mechanism. More specifically, a KP-ABE key for policy f is a CP-1-ABE ciphertext \(\mathsf {cp}\mathsf {ct}(f,\mu )\), where \(\mu \) is the message in CP-1-ABE and encapsulated key in KP-ABE. A KP-ABE ciphertext for attribute \(\mathbf {x}\) and message m consists of a CP-1-ABE key \(\mathsf {cp}\mathsf {sk}(\mathbf {x})\) and the masked message \(\mu +m\). If decryption is authorized, CP-1-ABE decryption will give us \(\mu \), which can be used to unmask the message. Observe that the security of KP-ABE aligns with the security of CP-1-ABE, namely, in the KP-ABE security game:

• We only need to handle one ciphertext, for which we rely on 1-key security of CP-1-ABE.

• We need to handle multiple keys, which corresponds to multi-ciphertext security of CP-1-ABE. Since our CP-1-ABE is public-key, it indeed satisfies multi-ciphertext security given only one key.

However, we need to resolve the issue that encryption of KP-ABE is now secret-key, since we need to know both the master secret key of CP-1-ABE and \(\mu \) (part of the master secret key of KP-ABE) to generate KP-ABE ciphertext.

We observe that our CP-1-ABE is linear, i.e., the spaces of \(\mathsf {cp}\mathsf {msk},\mathsf {cp}\mathsf {sk},\mathsf {cp}\mathsf {ct}\), messages are vector spaces over \(\mathbb {Z}_p\), and⁹

$$\begin{aligned} \begin{array}{ll} k_1\mathsf {cp}\mathsf {sk}(\mathsf {cp}\mathsf {msk}_1,\mathbf {x})&{}+k_2\mathsf {cp}\mathsf {sk}(\mathsf {cp}\mathsf {msk}_2,\mathbf {x}) \qquad =\mathsf {cp}\mathsf {sk}(k_1\mathsf {cp}\mathsf {msk}_1+k_2\mathsf {cp}\mathsf {msk}_2,\mathbf {x}),\\ k_1\mathsf {cp}\mathsf {ct}(\mathsf {cp}\mathsf {msk}_1,f,\mu _1)&{}+k_2\mathsf {cp}\mathsf {ct}(\mathsf {cp}\mathsf {msk}_1,f,\mu _2)\\ &{}\qquad \qquad \;\quad =\mathsf {cp}\mathsf {ct}(k_1\mathsf {cp}\mathsf {msk}_1+k_2\mathsf {cp}\mathsf {msk}_2,f,k_1\mu _1+k_2\mu _2). \end{array} \end{aligned}$$

Here, \(\mathsf {cp}\mathsf {sk}(\mathsf {cp}\mathsf {msk},\mathbf {x})\) and \(\mathsf {cp}\mathsf {ct}(\mathsf {cp}\mathsf {msk},f,\mu )\) represent that they are generated in the CP-1-ABE instance whose master secret key is \(\mathsf {cp}\mathsf {msk}\). We instantiate our CP-1-ABE with an IPFE such that the keys are linear in the master secret key and the ciphertexts are linear in both the master secret key and the encrypted vector. CP-1-ABE master secret key and keys are IPFE master secret key and keys, so \(\mathsf {cp}\mathsf {sk}\)’s are linear in \(\mathsf {cp}\mathsf {msk}\). CP-1-ABE ciphertexts are IPFE ciphertexts for the label functions of AKGS, and AKGS is linear with respect to the message \(\mu \), so \(\mathsf {cp}\mathsf {ct}\)’s are linear in \(\mathsf {msk},\mu \).

Let G be an additive prime-order group generated by P and write \([\![ a ]\!]=aP\). Concretely, \(\mathsf {cp}\mathsf {msk}\) and \(\mathsf {cp}\mathsf {sk}\)’s will be \(\mathbb {Z}_p\) elements. Now if we encode \(\mathsf {cp}\mathsf {msk}\) in G, by linearity we can compute \(\mathsf {cp}\mathsf {sk}\) in G, and we denote this fact by

$$\begin{aligned}{}[\![ \mathsf {cp}\mathsf {sk}(\mathsf {cp}\mathsf {msk},\mathbf {x}) ]\!]=\mathsf {cp}\mathsf {sk}([\![ \mathsf {cp}\mathsf {msk} ]\!],\mathbf {x}). \end{aligned}$$

Assume for the moment that this can also be done for \(\mathsf {cp}\mathsf {ct}\)’s and decryption still works.¹⁰ Given the linearity, we can employ dual system encryption [24] to make the scheme public-key. In prime-order groups, the classic dual system encryption can be regarded as hash proof systems based on \({{\text {MDDH}}}_k\) [9, 12].¹¹

Take \({{\text {MDDH}}}_1\) (DDH assumption) for example. KP-ABE prepares two instances of CP-1-ABE and two messages, and publishes the projection of them along a randomly sampled vector \((b_1,b_2)\) in the exponent:

$$\begin{aligned} \mathsf {kp}\mathsf {mpk}&{}=[\![ b_1,b_2,b_1\mathsf {cp}\mathsf {msk}_1+b_2\mathsf {cp}\mathsf {msk}_2,b_1\mu _1+b_2\mu _2 ]\!] \quad {\text {for }}b_1,b_2\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p,\\ \mathsf {kp}\mathsf {msk}&{}=(\mathsf {cp}\mathsf {mpk}_1,\mathsf {cp}\mathsf {mpk}_2,\mathsf {cp}\mathsf {msk}_1,\mathsf {cp}\mathsf {msk}_2,\mu _1,\mu _2). \end{aligned}$$

Encryption is now public-key. A KP-ABE ciphertext simply uses a random CP-1-ABE master secret key in the projected space (a.k.a. normal space in dual system encryption) and use the projected \(\mu \) to mask the message. A KP-ABE key consists of two CP-1-ABE ciphertexts, one in each instance encrypting the corresponding encapsulated key.

$$\begin{aligned} \mathsf {kp}\mathsf {ct}(\mathbf {x},m)&{}=\bigl ( s[\![ b_1,b_2 ]\!], \mathsf {cp}\mathsf {sk}(s[\![ b_1\mathsf {cp}\mathsf {msk}_1+b_2\mathsf {cp}\mathsf {msk}_2 ]\!],\mathbf {x}), m+s[\![ b_1\mu _1+b_2\mu _2 ]\!]\bigr )\\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \;\; {\text {for }}s\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p,\\ \mathsf {kp}\mathsf {sk}(f)&{}= \bigl (\mathsf {cp}\mathsf {ct}(\mathsf {cp}\mathsf {msk}_1,f,\mu _1),\mathsf {cp}\mathsf {ct}(\mathsf {cp}\mathsf {msk}_2,f,\mu _2)\bigr ). \end{aligned}$$

To decrypt, we first use linearity to combine the two CP-1-ABE ciphertexts into

$$\begin{aligned}&\mathsf {cp}\mathsf {ct}([\![ sb_1\mathsf {cp}\mathsf {msk}_1+sb_2\mathsf {cp}\mathsf {msk}_2 ]\!],f,[\![ sb_1\mu _1+sb_2\mu _2 ]\!])\\ {}={}&[\![ sb_1 ]\!]\mathsf {cp}\mathsf {ct}(\mathsf {cp}\mathsf {msk}_1,f,\mu _1) \,\,\,{+}\,\,\, [\![ sb_2 ]\!]\mathsf {cp}\mathsf {ct}(\mathsf {cp}\mathsf {msk}_2,f,\mu _2). \end{aligned}$$

The master secret key of the combined \(\mathsf {cp}\mathsf {ct}\) matches that of the \(\mathsf {cp}\mathsf {sk}\) in the KP-ABE ciphertext, and CP-1-ABE decryption will recover \([\![ sb_1\mu _1+sb_2\mu _2 ]\!]\), using which we can unmask to obtain the message m.

To argue security, we first replace \([\![ sb_1,sb_2 ]\!]\) used in the challenge ciphertext by \([\![ a_1,a_2 ]\!]\) for random \(a_1,a_2\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p\) (using DDH), which is not co-linear with \((b_1,b_2)\) with overwhelming probability. Ciphertexts in this form are said to be semi-functional in dual system encryption.

By the linearity, we can look at the ABE scheme from a new basis, namely \((b_1,b_2),(a_1,a_2)\). We denote the CP-1-ABE components and \(\mu \)’s in this basis with prime, e.g., \(\mathsf {cp}\mathsf {msk}'_1 = b_1 \mathsf {cp}\mathsf {msk}_1 + b_2 \mathsf {cp}\mathsf {msk}_2\) and \(\mathsf {cp}\mathsf {msk}'_2 = a_1 \mathsf {cp}\mathsf {msk}_1 + a_2 \mathsf {cp}\mathsf {msk}_2\). The KP-ABE master public key reveals \(\mathsf {cp}\mathsf {msk}_1'\) but not \(\mathsf {cp}\mathsf {msk}_2'\). A KP-ABE secret key for policy f is essentially \(\mathsf {cp}\mathsf {ct}(\mathsf {cp}\mathsf {msk}_1',f,\mu _1')\) and \(\mathsf {cp}\mathsf {ct}(\mathsf {cp}\mathsf {msk}_2',f,\mu _2')\). The challenge ciphertext has \(\mathsf {cp}\mathsf {sk}(\mathsf {cp}\mathsf {msk}_2',\mathbf {x})\), and the message is masked by \(\mu _2'\). By CP-1-ABE security, \(\mu _2'\) (in \(\mathsf {cp}\mathsf {ct}\)’s) should be hidden, which means the message in the challenge ciphertext is hidden by \(\mu _2'\).

The proof completes by replacing \(\mu _2'\) in all the KP-ABE keys by random. ABE keys in this form are said to be semi-functional in dual system encryption.

Lastly, to base the scheme on \({{\text {MDDH}}}_k\), we use \(k+1\) instances of CP-1-ABE, publish a k-dimensional projection (normal space), and reserve the unpublished dimension for the security proof (semi-functional space).

CP-ABE from KP-1-ABE. By symmetry, we can apply the transformation to obtain CP-ABE from KP-1-ABE. Moreover, our KP-ABE trivially serves as a KP-1-ABE. Therefore, the scheme is (ignoring group encoding)

$$\begin{aligned} \mathsf {cp}\mathsf {mpk}&{}=(d_1,d_2,d_1\mathsf {kp}\mathsf {msk}_1+d_2\mathsf {kp}\mathsf {msk}_2,d_1\nu _1+d_2\nu _2) \quad {\text {for }}d_1,d_2\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p,\\ \mathsf {cp}\mathsf {msk}&{}=(\mathsf {kp}\mathsf {mpk}_1,\mathsf {kp}\mathsf {mpk}_2,\mathsf {kp}\mathsf {msk}_1,\mathsf {kp}\mathsf {msk}_2,\nu _1,\nu _2),\\ \mathsf {cp}\mathsf {sk}&{}=\bigl ( \mathsf {kp}\mathsf {ct}(\mathsf {kp}\mathsf {msk}_1,\mathbf {x},\nu _1), \mathsf {kp}\mathsf {ct}(\mathsf {kp}\mathsf {msk}_2,\mathbf {x},\nu _2) \bigr ),\\ \mathsf {cp}\mathsf {ct}&{}=\bigl ( td_1,td_2, \mathsf {kp}\mathsf {sk}(t(d_1\mathsf {msk}_1+d_2\mathsf {msk}_2),f), m+t(d_1\nu _1+d_2\nu _2) \bigr ) \; {\text {for }}t\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p. \end{aligned}$$

Again, KP-1-ABE is used to encapsulate keys \(\nu _1,\nu _2\), whose projection masks the message in CP-ABE. Dual system encryption or hash proof system is used to obtain public-key encryption by publishing a random projection of KP-1-ABE master secret keys (in this case, along \((d_1,d_2)\)).

One final observation is that only \(\mu _1,\mu _2\) in KP-(1-)ABE need to be duplicated and projected, yielding only a small overhead in CP-ABE compared to KP-ABE. We leave the details to the full version [18].

We note that once we obtain KP-ABE from CP-1-ABE, going to CP-ABE using the same method is natural and simple.

1.2 Related Works

Succinct ABE. We compare our scheme with previous KP-ABE schemes with constant-size ciphertexts in Table 1 and CP-ABE schemes with constant-size secret keys in Table 2.

Compact ABE. Previous schemes achieving compactness (linear-size keys and ciphertexts, also known as “unbounded multi-use of attributes”) and adaptive security based on standard assumptions are [15, 23] for Boolean formulae, [13] for Boolean branching programs, and [17] for arithmetic branching programs. Among them, only [23] achieves succinctness.

ABE with Succinct f-Part. From pairing, we know several ABE schemes with succinct \(\mathbf {x}\)-part (ciphertexts in KP-ABE and keys in CP-ABE) and compact f-part (linear in the size of f), including ones in this work. One can also investigate succinctness in f-part (keys in KP-ABE and ciphertexts in CP-ABE). So far, the only schemes with succinct f-part are KP-ABE for polynomial-sized circuits based on LWE [8] and CP-ABE schemes for \(\mathsf {NC}^1\) based on LWE and pairing [4], in which the size of f-part depends on the depth but not the size of the circuit. Yet these schemes have compact but non-succinct \(\mathbf {x}\)-part.

Unbounded ABE. Our succinct ABE schemes have master public key of size linear in the attribute length. In general, one can further improve the size of master keys to be a constant, which requires the scheme to be able to handle attributes of any polynomial length. Such schemes are called unbounded ABE. So far, there are unbounded and compact ABE schemes (e.g., [15] for \(\mathsf {NC}^1\)). It remains an interesting open problem to construct unbounded succinct schemes.

In summary, to the best of our knowledge, our schemes achieve one of the currently best trade-offs in terms of master key/secret key/ciphertext sizes.

2 Preliminaries

For two matrices \(\mathbf {A},\mathbf {B}\), their tensor product is denoted by \(\mathbf {A}\otimes \mathbf {B}\). An affine function \(f:\mathbb {Z}_p^n\rightarrow \mathbb {Z}_p\) over prime field \(\mathbb {Z}_p\) is conveniently associated with its coefficient vector \(\mathbf {f}\in \mathbb {Z}_p^{n+1}\) (the same letter in boldface) such that \(f(\mathbf {x})=\mathbf {f}^{{{\mathsf {T}}}}\left( {\small \,\begin{matrix}1\\ \mathbf {x}\end{matrix}\,}\right) \).

2.1 Arithmetic Branching Programs and Arithmetic Key Garbling

In this paper, we consider the class of decryption policies defined by arithmetic branching programs [20].

Definition 1

(ABP). An arithmetic branching program (ABP) \(f=(V,E,s,t,p,n,w)\) consists of a directed acyclic graph (V, E), two distinguished vertices \({s,t\in V}\), a prime field order p, an arity n, and a weight function \({w:E\times \mathbb {Z}_p^n\rightarrow \mathbb {Z}_p}\) that is affine in the second input. It computes the function \({f:\mathbb {Z}_p^n\rightarrow \mathbb {Z}_p}\) (written as the same letter) defined by

$$\begin{aligned} f(\mathbf {x})= \sum _{\begin{array}{c} s{\text {-}}t\,\mathrm {path}\\ e_1\cdots e_i \end{array}} {\prod _{j=1}^{i}{w(e_j,\mathbf {x})}}. \end{aligned}$$

Its size (denoted by |f|) is |V|. It induces two zero-test predicates:

$$\begin{aligned} f_{\ne 0}(\mathbf {x})={\left\{ \begin{array}{ll} 0,&{}\mathrm {if }\,f(\mathbf {x})=0;\\ 1,&{}\mathrm {if }\,f(\mathbf {x})\ne 0; \end{array}\right. }\qquad f_{=0}(\mathbf {x})=\lnot f_{\ne 0}(\mathbf {x}). \end{aligned}$$

Denote by \(\mathsf {ABP}\) (resp. \(\mathsf {ABP}_p^n\)) the class of all ABPs (resp. of field order p and arity n), and by \(\mathsf {ztABP}_p^n\) the set of zero-test predicates induced by ABPs in \(\mathsf {ABP}_p^n\).

We rely on an arithmetic key garbling scheme for ABP.

Definition 2

(AKGS). Let \(\mathcal {F}=\{f\}\) be a class of functions \(f:\mathbb {Z}_p^n\rightarrow \mathbb {Z}_p\). An arithmetic key garbling scheme (AKGS) for \(\mathcal {F}\) consists of two efficient algorithms:

• \(\mathsf {Garble}(f,\alpha ,\beta ;\mathbf {r})\) takes a function \(f:\mathbb {Z}_p^n\rightarrow \mathbb {Z}_p\in \mathcal {F}\) and two secrets \(\alpha ,\beta \in \mathbb {Z}_p\) as input, and uses uniform randomness \(\mathbf {r}\in \mathbb {Z}_p^{m'}\). It outputs coefficient vectors \(\mathbf {L}_1,\dots ,\mathbf {L}_m\in \mathbb {Z}_p^{n+1}\) of m affine functions \(L_1,\dots ,L_m:\mathbb {Z}_p^n\rightarrow \mathbb {Z}_p\) (called label functions). The vectors \(\mathbf {L}_j\) are linear in \((\alpha ,\beta ,\mathbf {r})\). The amount of randomness \(m'\) and the number m of label functions are solely determined by f, and m is called the garbling size of f.

• \(\mathsf {Eval}(f,\mathbf {x},\ell _1,\dots ,\ell _m)\) takes as input a function \(f:\mathbb {Z}_p^n\rightarrow \mathbb {Z}_p\in \mathcal {F}\), an input \(\mathbf {x}\in \mathbb {Z}_p^n\), and m labels \(\ell _1,\dots ,\ell _m\in \mathbb {Z}_p\). It outputs \(\gamma \in \mathbb {Z}_p\) that is linear in \(\ell _1,\dots ,\ell _m\).

The scheme is required to be correct, i.e., for all \({f:\mathbb {Z}_p^n\rightarrow \mathbb {Z}_p\in \mathcal {F}},{\alpha ,\beta \in \mathbb {Z}_p},{\mathbf {x}\in \mathbb {Z}_p^n}\), it holds that

$$\begin{aligned} \mathrm {Pr}\left[ \begin{aligned} (\mathbf {L}_1,\dots ,\mathbf {L}_m)&{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {Garble}(f,\alpha ,\beta )\\ \forall j\in [m],\, \ell _j&{}\leftarrow L_j(\mathbf {x}) \end{aligned} \,:\, \mathsf {Eval}(f,\mathbf {x},\ell _1,\dots ,\ell _m)=\alpha f(\mathbf {x})+\beta \right] =1. \end{aligned}$$

We rely on the strong notion of piecewise security recently introduced in [17].

Definition 3

(piecewise security). Let \((\mathsf {Garble},\mathsf {Eval})\) be an AKGS for some function class \(\mathcal {F}\). The scheme is piecewise secure if it satisfies the following two properties:

• The first label is reversely sampleable given the input, the output, and the other labels. That is, there is an efficient algorithm \(\mathsf {RevSamp}\) such that for all \({f:\mathbb {Z}_p^n\rightarrow \mathbb {Z}_p\in \mathcal {F}},{\alpha ,\beta \in \mathbb {Z}_p},{\mathbf {x}\in \mathbb {Z}_p^n}\), the following distributions are identical:

  

• The other labels are marginally random even given all the subsequent label functions. That is, for all \({f:\mathbb {Z}_p^n\rightarrow \mathbb {Z}_p\in \mathcal {F}},{\alpha ,\beta \in \mathbb {Z}_p},{\mathbf {x}\in \mathbb {Z}_p^n}\), suppose the garbling size of f is m, then for all \({j\in [m],j>1}\), the following distributions are identical:

  $$\begin{aligned}&\left\{ \begin{aligned} (\mathbf {L}_1,\dots ,\mathbf {L}_m)&{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {Garble}(f,\alpha ,\beta )\\ \ell _j&{}\leftarrow L_j(\mathbf {x}) \end{aligned} \,:\, (\ell _j,\mathbf {L}_{j+1},\dots ,\mathbf {L}_m) \right\} \\ {}\equiv {}&\left\{ \begin{aligned} (\mathbf {L}_1,\dots ,\mathbf {L}_m)&{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {Garble}(f,\alpha ,\beta )\\ \ell _j&{}\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p \end{aligned} \,:\, (\ell _j,\mathbf {L}_{j+1},\dots ,\mathbf {L}_m) \right\} \!. \end{aligned}$$

A piecewise secure AKGS is known for ABPs:

Lemma 4

([14, 17]). There exists a piecewise secure AKGS for \(\mathsf {ABP}\), for which the garbling size of an ABP is the same as its size.

Throughout the paper, we will use a vectorized version of the garbling algorithm. Let \({\varvec{\alpha },\varvec{\beta }\in \mathbb {Z}_p^k}\), then \(\mathsf {Garble}(f,\varvec{\alpha },\varvec{\beta })\) is executed component-wise with independent randomness and the output are concatenated:

$$\begin{aligned} \mathrm {for}\,t\in [k]{\text {:}}\quad (\mathbf {L}_1^{(t)},\dots ,\mathbf {L}_m^{(t)})&{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {Garble}(f,\varvec{\alpha }[t],\varvec{\beta }[t]);\\ \mathrm {for}\,j\in [m]{\text {:}}\qquad \qquad \qquad \; {\mathbf {L}_j}&{}=\begin{pmatrix}\mathbf {L}_j^{(1)}\\ \vdots \\ \mathbf {L}_j^{(k)}\end{pmatrix} =\sum _{t=1}^{k}{\mathbf {e}_j\otimes \mathbf {L}_j^{(t)}};\\ \mathrm {output }&(\mathbf {L}_1,\dots ,\mathbf {L}_m). \end{aligned}$$

Here, \(\mathbf {e}_j\in \mathbb {Z}_p^k\) are the standard basis vectors and \(\mathbf {L}_j\)’s are column vectors of length \(k(n+1)\). In the vectorized version, the randomness is a matrix and each row of the matrix is used for one invocation of the non-vectorized garbling. This notation is compatible with tensor products:

Lemma 5

(mixing and stitching). Suppose \(f:\mathbb {Z}_p^n\rightarrow \mathbb {Z}_p\).

Let \({\varvec{\alpha },\varvec{\beta }\in \mathbb {Z}_p^k},{\mathbf {R}\in \mathbb {Z}_p^{k\times m'}},{\mathbf {c}\in \mathbb {Z}_p^k}\), and define

$$\begin{aligned}(\mathbf {L}_1,\dots ,\mathbf {L}_m)\leftarrow \mathsf {Garble}(f,\varvec{\alpha },\varvec{\beta };\mathbf {R}),\quad (\mathbf {L}_1',\dots ,\mathbf {L}_m')&{}\leftarrow \mathsf {Garble}(f,\mathbf {c}^{{\mathsf {T}}}\varvec{\alpha },\mathbf {c}^{{\mathsf {T}}}\varvec{\beta };\mathbf {c}^{{\mathsf {T}}}\mathbf {R}),\end{aligned}$$

then \(\mathbf {L}_j^{{\mathsf {T}}}(\mathbf {c}\otimes \mathbf {I}_{n+1})=(\mathbf {L}_j')^{{\mathsf {T}}}\) for all \(j\in [m]\).

Now let \({\alpha ,\beta \in \mathbb {Z}_p},{\mathbf {r}\in \mathbb {Z}_p^{m'}},{\mathbf {d}\in \mathbb {Z}_p^k}\), and define

$$\begin{aligned}(\mathbf {L}_1',\dots ,\mathbf {L}_j')\leftarrow \mathsf {Garble}(f,\alpha ,\beta ;\mathbf {r}),\quad (\mathbf {L}_1,\dots ,\mathbf {L}_j)&{}\leftarrow \mathsf {Garble}(f,\alpha \mathbf {d},\beta \mathbf {d};\mathbf {d}\mathbf {r}^{{\mathsf {T}}}),\end{aligned}$$

then \(\mathbf {d}\otimes \mathbf {L}_j'=\mathbf {L}_j\) for all \(j\in [m]\).

2.2 Attribute-Based Encryption

In the definition below, we explicitly take the description of policy/attribute out of the secret key/ciphertext so that we can characterize succinctness.

Definition 6

(ABE). Let \(\mathcal {M}=\{M_\lambda \}_{\lambda \in \mathbb {N}}\) be a sequence of message sets and \({\mathcal {P}=\{\mathcal {P}_\lambda \}_{\lambda \in \mathbb {N}}}\) a sequence of predicate families with \(\mathcal {P}_\lambda =\bigl \{P:X_P\times Y_P\rightarrow {\{{0,1}\}}\bigr \}\). An attribute-based encryption (ABE) scheme for message space \(\mathcal {M}\) and predicate space \(\mathcal {P}\) consists of four efficient algorithms:

• \(\mathsf {Setup}(1^\lambda ,P)\) takes as input the security parameter \(1^\lambda \) and a predicate \({P\in \mathcal {P}_\lambda }\), and outputs a pair of master public/secret keys \((\mathsf {mpk},\mathsf {msk})\).

• \(\mathsf {KeyGen}(\mathsf {msk},y)\) takes as input a policy \(y\in Y_P\) and outputs a secret key \(\mathsf {sk}\).

• \(\mathsf {Enc}(\mathsf {mpk},x,g)\) takes as input an attribute \(x\in X_P\) and a message \(g\in M_\lambda \), and outputs a ciphertext \(\mathsf {ct}\).

• \(\mathsf {Dec}(\mathsf {sk},y,\mathsf {ct},x)\) takes as input a secret key, the policy of the key, a ciphertext, and the attribute of the ciphertext, and is supposed to recover the message if \(P(x,y)=1\).

The scheme is required to be correct, i.e., for all \({\lambda \in \mathbb {N}},{g\in M_\lambda },{P\in \mathcal {P}_\lambda },{x\in X_P},{y\in Y_P}\) such that \(P(x,y)=1\),

$$\begin{aligned} \mathrm {Pr}\left[ \begin{aligned} (\mathsf {mpk},\mathsf {msk})&{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {Setup}(1^\lambda ,P)\\ \mathsf {sk}&{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {KeyGen}(\mathsf {msk},y)\\ \mathsf {ct}&{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {Enc}(\mathsf {mpk},x,g) \end{aligned} \,:\, \mathsf {Dec}(\mathsf {sk},y,\mathsf {ct},x)=g\right] =1. \end{aligned}$$

Definition 7

(ABE for ABP). Let \(p=p(\lambda )\) be a sequence of prime numbers. A key-policy ABE (KP-ABE) for ABP over \(\mathbb {Z}_{p(\lambda )}\) is defined for the following predicate family:

$$\begin{aligned} \mathcal {P}=\{\mathcal {P}_\lambda \},\quad \mathcal {P}_\lambda =\bigl \{ P_{\lambda ,n}:\mathbb {Z}_{p(\lambda )}^n\times \mathsf {ztABP}_{p(\lambda )}^n\rightarrow {\{{0,1}\}}\bigr \},\quad P_{\lambda ,n}(\mathbf {x},y)=y(\mathbf {x}). \end{aligned}$$

In a ciphertext-policy ABE (CP-ABE) for ABP over \(\mathbb {Z}_{p(\lambda )}\), the predicates are

$$\begin{aligned} P_{\lambda ,n}:\mathsf {ztABP}_{p(\lambda )}^n\times \mathbb {Z}_{p(\lambda )}^n\rightarrow {\{{0,1}\}},\quad (y,\mathbf {x})\mapsto y(\mathbf {x}). \end{aligned}$$

Definition 8

(succinct ABE). An ABE scheme has succinct ciphertext if the length of \(\mathsf {ct}\) is a fixed polynomial in security parameter \(\lambda \) (independent of the length of x, y and the choice of P). Similarly, the scheme has succinct secret key if the length of \(\mathsf {sk}\) is a fixed polynomial in \(\lambda \).

The above definition does not rule out trivially succinct schemes, e.g., one only supporting x, y of length at most \(\lambda \). In this work, we construct KP-ABE for ABP with succinct ciphertexts and CP-ABE for ABP with succinct secret keys. These constructions are non-trivial because \(\mathsf {Setup}\) can be run with any predicate \(P_{\lambda ,n}\) for attribute length n, the scheme works with policies of arbitrary size, and the ciphertexts in KP-ABE and the secret keys in CP-ABE have fixed size \(\mathrm {poly}({\lambda })\), independent of n.

Security. We consider the standard IND-CPA security of ABE.

Definition 9

(IND-CPA of ABE [16]). Adopt the notations in Definition 6. The scheme is IND-CPA secure if \(\mathsf {Exp}_{{\text {CPA}}}^0\approx \mathsf {Exp}_{{\text {CPA}}}^1\), where \(\mathsf {Exp}_{{\text {CPA}}}^b\) with adversary \(\mathcal {A}\) proceeds as follows:

• Setup. Launch \(\mathcal {A}(1^\lambda )\) and receive from it a predicate \(P\in \mathcal {P}_\lambda \). Run \((\mathsf {mpk},\mathsf {msk})\overset{\smash {\,_\$}}{\leftarrow }\mathsf {Setup}(1^\lambda ,P)\) and send \(\mathsf {mpk}\) to \(\mathcal {A}\).

• Query I. Repeat the following for arbitrarily many rounds determined by \(\mathcal {A}\): In each round, \(\mathcal {A}\) submits a policy \(y_q\in Y_P\) for a secret key. Upon this query, run \(\mathsf {sk}_q\overset{\smash {\,_\$}}{\leftarrow }\mathsf {KeyGen}(\mathsf {msk},y)\) and send \(\mathsf {sk}_q\) to \(\mathcal {A}\).

• Challenge. The adversary submits the challenge attribute \(x^*\in X_P\) and two messages \(g_0,g_1\in M_\lambda \). Run \(\mathsf {ct}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {Enc}(\mathsf {mpk},x,g_b)\) and return \(\mathsf {ct}\) to \(\mathcal {A}\).

• Query II. Same as Query I.

• Guess. The adversary outputs a bit \(b'\). The outcome of the experiment is \(b'\) if \(P(x^*,y_q)=0\) for all \(y_q\) queried in Query I/II. Otherwise, the outcome is set to 0.

2.3 Pairing Groups and Matrix Diffie–Hellman Assumption

Throughout the paper, we use a sequence of pairing groups

$$\begin{aligned} \mathcal {G}=\{( G_{\lambda ,1},G_{\lambda ,2},G_{\lambda ,{{\text {T}}}}, g_{\lambda ,1},g_{\lambda ,2},e_\lambda )\}_{\lambda \in \mathbb {N}}, \end{aligned}$$

where \(G_{\lambda ,1},G_{\lambda ,2},G_{\lambda ,{{\text {T}}}}\) are groups of prime order \(p=p(\lambda )\), and \(G_{\lambda ,1}\) (resp. \(G_{\lambda ,2}\)) is generated by \(g_{\lambda ,1}\) (resp. \(g_{\lambda ,2}\)). The maps \(e_\lambda :G_{\lambda ,1}\times G_{\lambda ,2}\rightarrow G_{\lambda ,{{\text {T}}}}\) are

• bilinear: \(e_\lambda \bigl (g_{\lambda ,1}^a,g_{\lambda ,2}^b\bigr ) =\bigl (e_\lambda (g_{\lambda ,1},g_{\lambda ,2})\bigr )^{ab}\) for all \(a,b\in \mathbb {Z}_{p(\lambda )}\); and

• non-degenerate: generates \(G_{\lambda ,{{\text {T}}}}\).

The group operations as well as the pairing \(e_\lambda \) must be efficiently computable.

When we talk about one group without thinking about pairing, the subscripts \(1,2,{{\text {T}}}\) are dropped.

Bracket Notation. Fix a security parameter, for \(i=1,2,{{\text {T}}}\), we write \([\![ \mathbf {A} ]\!]_i\) for \(g_{\lambda ,i}^{\mathbf {A}}\), where the exponentiation is element-wise. When bracket notation is used, group operations are written additively and pairing is written multiplicatively, so that \([\![ \mathbf {A} ]\!]_i+[\![ \mathbf {B} ]\!]_i=[\![ \mathbf {A}+\mathbf {B} ]\!]_i\) and \([\![ \mathbf {A} ]\!]_1[\![ \mathbf {B} ]\!]_2=[\![ \mathbf {A} ]\!]_2[\![ \mathbf {B} ]\!]_1=[\![ \mathbf {A}\mathbf {B} ]\!]_{{\text {T}}}\). Furthermore, numbers can always operate with group elements, e.g., \(\mathbf {A}[\![ \mathbf {B} ]\!]_1=[\![ \mathbf {A}\mathbf {B} ]\!]_1\).

Matrix Diffie–Hellman Assumption. In this paper, we rely on the MDDH assumptions.

Definition 10

(MDDH [12]). Let \(G=\{(G_\lambda ,g_\lambda )\}_{\lambda \in \mathbb {N}}\) be a sequence of groups of prime order \(p=p(\lambda )\) with their generators, and \(\ell =\ell (\lambda ),q=q(\lambda )\) polynomials. The \({{\text {MDDH}}}_{k,\ell }^q\) assumption holds in G if

$$\begin{aligned} \{[\![ \mathbf {A},\mathbf {S}^{{\mathsf {T}}}\mathbf {A} ]\!]\}_{\lambda \in \mathbb {N}} \approx \{[\![ \mathbf {A},\mathbf {C}^{{\mathsf {T}}} ]\!]\}_{\lambda \in \mathbb {N}} {\,\mathrm {for}\,} \mathbf {A}\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_{p(\lambda )}^{k\times \ell (\lambda )}, \mathbf {S}\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_{p(\lambda )}^{k\times q(\lambda )}, \mathbf {C}\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_{p(\lambda )}^{\ell (\lambda )\times q(\lambda )}\!. \end{aligned}$$

By default, \(\ell =k+1\) and \(q=1\). It is known [12] that k-Lin implies \({{\text {MDDH}}}_k\), which further implies \({{\text {MDDH}}}_{k,\ell }^q\) for any polynomial \(\ell ,q\).

3 IPFE with Gradual Simulation Security

In this work, we consider IPFE schemes based on MDDH-hard groups (potentially without pairing), where the ciphertext encodes the encrypted vector in the exponent of the group, and decryption computes the inner product in the exponent. In our definition below, we directly define such group-based IPFE. The definition can be easily modified for IPFE that are not group-based.

Definition 11

(IPFE). Let \(G=\{(G_\lambda ,g_\lambda )\}_{\lambda \in \mathbb {N}}\) be a sequence of groups of prime order \(p=p(\lambda )\) with their generators. A G-encoded public-key inner-product functional encryption (IPFE) scheme consists of four efficient algorithms:

• \(\mathsf {Setup}(1^\lambda ,1^n, 1^T)\) takes as input the security parameter \(1^\lambda \), the dimension \(1^n\) of the vectors, and an additional parameter \(1^T\) (see Definition 12). It outputs a pair of master public/secret keys \((\mathsf {mpk},\mathsf {msk})\).

• \(\mathsf {KeyGen}(\mathsf {msk},\mathbf {v})\) takes the master secret key and a vector as input, and outputs a secret key \(\mathsf {sk}\).

• \(\mathsf {Enc}(\mathsf {mpk},[\![ \mathbf {u} ]\!])\) takes the master public key and a vector (encoded in G) as input, and outputs a ciphertext \(\mathsf {ct}\).

• \(\mathsf {Dec}(\mathsf {sk},\mathbf {v},\mathsf {ct})\) takes a secret key, the vector in the secret key, and a ciphertext as input, and is supposed to compute the inner product in the exponent.

The scheme is required to be correct, meaning that for all \({\lambda ,n,T\in \mathbb {N}},{\mathbf {u},\mathbf {v}\in \mathbb {Z}_{p(\lambda )}^n}\), it holds that

$$\begin{aligned} \mathrm {Pr}\left[ \begin{aligned} (\mathsf {mpk},\mathsf {msk})&{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {Setup}(1^\lambda ,1^n,1^T)\\ \mathsf {sk}&{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {KeyGen}(\mathsf {msk},\mathbf {v})\\ \mathsf {ct}&{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {Enc}(\mathsf {msk},[\![ \mathbf {u} ]\!]) \end{aligned} \,:\, \mathsf {Dec}(\mathsf {sk},\mathbf {v},\mathsf {ct})=[\![ \mathbf {u}^{{\mathsf {T}}}\mathbf {v} ]\!]\right] =1. \end{aligned}$$

The scheme is succinct if the length of \(\mathsf {sk}\) is independent of n and only depends on \(\lambda ,T\).

\(\mathsf {Setup}\) algorithm in the above definition takes an additional input \(1^T\) specifying the desired level of simulation security, which we define next.

Gradual Simulation Security. When building the 1-ABE scheme, we rely on the notion of gradual simulation security, which is stronger than the usual simulation security (see [2]). Roughly speaking, on top of the requirement that simulation should be indistinguishable from the real scheme, the notion stipulates that even when some ciphertexts are already simulated, whether another ciphertext is honest or simulated should be indistinguishable. The parameter T specifies the maximum number of ciphertexts that can be simulated.

To navigate around the many indices involved in the definition, it is the easiest to keep in mind that i (hence \(I,I^*,I_t\)) always counts the ciphertexts, and that j (hence \(J,J^*,J_t\)) always counts the keys.

Definition 12

(gradual simulation security). Adopt the notations in Definition 11. A simulator consists of three efficient algorithms:

• \(\mathsf {SimSetup}(1^\lambda ,1^n,1^T)\) takes the same input as \(\mathsf {Setup}\), and outputs a simulated master public key \(\mathsf {mpk}\) and an internal state \(\mathsf {st}\).¹²

• \(\mathsf {SimKeyGen}(\mathsf {st},\mathbf {v},z_1,\dots ,z_I)\) takes as input the internal state \(\mathsf {st}\), a vector \(\mathbf {v}\), and a list \(z_1,\dots ,z_I\) of inner products in \(\mathbb {Z}_{p(\lambda )}\) (which are the intended inner products between this simulated key and all previously simulated ciphertexts). It outputs a simulated secret key \(\mathsf {sk}\) and a new state \(\mathsf {st}'\).

• \(\mathsf {SimEnc}(\mathsf {st},z_1,\dots ,z_J)\) takes as input the internal state \(\mathsf {st}\) and a list \(z_1, \dots , z_J\) of inner products in \(\mathbb {Z}_{p(\lambda )}\) (which are the intended inner products between this simulated ciphertext and all previously simulated keys). It outputs a simulated ciphertext \(\mathsf {ct}\) and a new state \(\mathsf {st}'\).

The simulator gradually T-simulates the scheme if it satisfies both key simulation security and T-ciphertext simulation security defined below.

An IPFE scheme is gradually T-simulation-secure if it can be gradually T-simulated by some simulator. The scheme is gradually simulation-secure if there exists a simulator such that the simulator gradually T-simulates the scheme for all \(T=\mathrm {poly}({\lambda })\).

Key Simulation Security. Roughly speaking, this captures the idea that it is indistinguishable to interact with the real authority (who generates and distributes \(\mathsf {mpk}\) and \(\mathsf {sk}\)’s) versus the simulator issuing simulated \(\mathsf {mpk}\) and \(\mathsf {sk}\)’s (without simulating any ciphertext). We require \(\mathsf {Exp}_{{{\text {real}}}}\approx \mathsf {Exp}_{{\text {sim}}}\), which proceed as follows when run with an adversary \(\mathcal {A}\):

• Setup. Launch \(\mathcal {A}(1^\lambda )\) and receive from it \((1^n,1^T)\). Run

  $$\begin{aligned}&{\text {in }}\mathsf {Exp}_{{\text {real}}}{\text {:}} \qquad (\mathsf {mpk},\mathsf {msk})\overset{\smash {\,_\$}}{\leftarrow }\mathsf {Setup}(1^\lambda ,1^n,1^T)\\&{\text {in }}\mathsf {Exp}_{{\text {sim}}}{\text {:}}\qquad \quad (\mathsf {mpk},\mathsf {st})\overset{\smash {\,_\$}}{\leftarrow }\mathsf {SimSetup}(1^\lambda ,1^n,1^T) \end{aligned}$$

  and send \(\mathsf {mpk}\) to \(\mathcal {A}\).

• Challenge. Repeat the following for arbitrarily many rounds determined by \(\mathcal {A}\): In each round, \(\mathcal {A}\) submits a vector \(\mathbf {v}_j\). Upon this challenge, run

  $$\begin{aligned}&{\text {in }}\mathsf {Exp}_{{\text {real}}}{\text {:}}\qquad \qquad \mathsf {sk}_j\overset{\smash {\,_\$}}{\leftarrow }\mathsf {KeyGen}(\mathsf {msk},\mathbf {v}_j)\\&{\text {in }}\mathsf {Exp}_{{\text {sim}}}{\text {:}}\qquad (\mathsf {sk}_j,\mathsf {st}')\overset{\smash {\,_\$}}{\leftarrow }\mathsf {SimKeyGen}(\mathsf {st},\mathbf {v}_j) \qquad \mathsf {st}\leftarrow \mathsf {st}' \end{aligned}$$

  and send \(\mathsf {sk}_j\) to \(\mathcal {A}\).

• Guess. The adversary outputs a bit \(b'\), the outcome of the experiment.

We emphasize that there is no ciphertext challenge in the experiments. The adversary can generate ciphertexts on its own using \(\mathsf {mpk}\).

T-Ciphertext Simulation Security. Roughly speaking, this captures the idea that when interacting with the simulator, it is indistinguishable whether any subset of ciphertexts are normally generated or simulated, as long as at most T ciphertexts are simulated. In the experiments below, we denote by \(z_{i,j}\in \mathbb {Z}_p\) the decryption outcome (inner product) between the j^th simulated secret key (ordered temporally among all queried secret keys) and the i^th simulated ciphertext (ordered temporally among all queried ciphertexts, excluding the challenge ciphertext). We also let \(I_t,J_t\) be the number of simulated ciphertexts (excluding the challenge ciphertext) and secret keys at any time t. \(\mathsf {Exp}_{T{{\text {-GS}}}}^b\) (\(b\in {\{{0,1}\}}\)) with adversary \(\mathcal {A}\) proceeds as follows:

• Setup. Launch \(\mathcal {A}(1^\lambda )\) and receive from it \((1^n,1^T)\). Run

  $$\begin{aligned} (\mathsf {mpk},\mathsf {st})\overset{\smash {\,_\$}}{\leftarrow }\mathsf {SimSetup}(1^\lambda ,1^n,1^T) \end{aligned}$$

  and send \(\mathsf {mpk}\) to \(\mathcal {A}\).

• Query I. Repeat the following for arbitrarily many rounds determined by \(\mathcal {A}\): In each round, \(\mathcal {A}\) has 2 options.

  • Key Simulation Query: \(\mathcal {A}\) can submit a vector \(\mathbf {v}_j\) with a list \(z_{\le I_t,j}\) of inner products for a secret key \(\mathsf {sk}_j\). The list \(z_{\le I_t,j}\) consists of \(z_{1,j},\dots ,z_{I_t,j}\), all the decryption outcomes between \(\mathsf {sk}_j\) and the simulated ciphertexts queried up to this point. Upon this query, run

    $$\begin{aligned} {(\mathsf {sk}_j,\mathsf {st}')} {{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {SimKeyGen}(\mathsf {st},\mathbf {v}_j,z_{1,j},\dots ,z_{I_t,j})} \qquad \mathsf {st}\leftarrow \mathsf {st}' \end{aligned}$$

    and send \(\mathsf {sk}_j\) to \(\mathcal {A}\).

  • Ciphertext Simulation Query: \(\mathcal {A}\) can submit a list \(z_{i,\le J_t}\) of inner products for a simulated ciphertext \(\mathsf {ct}_i\). The list \(z_{i,\le J_t}\) consists of \(z_{i,1},\dots ,z_{i,J_t}\), all the decryption outcomes between \(\mathsf {ct}_i\) and the simulated secret keys queried up to this point. Upon this query, run

    $$\begin{aligned} {(\mathsf {ct}_i,\mathsf {st}')} {{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {SimEnc}(\mathsf {st},z_{i,1},\dots ,z_{i,J_t})} \qquad \mathsf {st}\leftarrow \mathsf {st}' \end{aligned}$$

    and send \(\mathsf {ct}_i\) to \(\mathcal {A}\).

• Challenge. The adversary submits a vector \(\mathbf {u}^*\). Upon the challenge, let the total number of secret key queries in Query I be \(J^*\) and the total number of ciphertext queries in Query I be \(I^*\), run

  $$\begin{aligned}&{b=0{\text {:}}\quad \mathsf {ct}^*} {{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {Enc}(\mathsf {mpk},[\![ \mathbf {u}^* ]\!])}\\&{b=1{\text {:}}\quad \mathsf {ct}^*} {{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {SimEnc}\bigl (\mathsf {st}, (\mathbf {u}^*)^{{\mathsf {T}}}\mathbf {v}_1, \dots , (\mathbf {u}^*)^{{\mathsf {T}}}\mathbf {v}_{J^*} \bigr )}\qquad \mathsf {st}\leftarrow \mathsf {st}' \end{aligned}$$

  and send \(\mathsf {ct}^*\) to \(\mathcal {A}\).

• Query II. Same as Query I, except that in \(\mathsf {Exp}_{T{{\text {-GS}}}}^1\), for each secret key query \(\mathbf {v}_j\), we put \((\mathbf {u}^*)^{{\mathsf {T}}}\mathbf {v}_j\) immediately after \(z_{I^*,j}\) in the argument list of \(\mathsf {SimKeyGen}\) so that the simulator gets the correct list of inner products:

  $$\begin{aligned} b=0{\text {:}}\quad (\mathsf {sk}_j,\mathsf {st}')&\overset{\smash {\,_\$}}{\leftarrow }\mathsf {SimKeyGen}(\mathsf {st},\mathbf {v}_j,z_{1,j},\dots ,z_{I^*,j}, \qquad \qquad z_{I^*+1,j},\dots ,z_{I_t,j});\\ b=1{\text {:}}\quad (\mathsf {sk}_j,\mathsf {st}')&\overset{\smash {\,_\$}}{\leftarrow }\mathsf {SimKeyGen}(\mathsf {st},\mathbf {v}_j,z_{1,j},\dots ,z_{I^*,j}, (\mathbf {u}^*)^{{\mathsf {T}}}\mathbf {v}_j, z_{I^*+1,j},\dots ,z_{I_t,j});\\ \mathsf {st}&{}\leftarrow \mathsf {st}' \quad {\text {(in either case).}} \end{aligned}$$

• Guess. The adversary outputs a bit \(b'\). The outcome of the experiment is \(b'\) if both constraints are satisfied:

  • the total number of ciphertext simulation queries in Query I/II is less than T;

  • the equation \(\{\mathbf {u}_i^{{\mathsf {T}}}\mathbf {v}_j=z_{i,j}\quad \forall i,j\}\) (about \(\mathbf {u}_i\)’s) has a solution.

  Otherwise, the outcome is set to 0.

Remarks

In \(\mathsf {Exp}_{T{{\text {-GS}}}}^1\), the challenge ciphertext \(\mathsf {ct}^*\) is generated in the same way as the other simulated ciphertexts, and in Query II the inner products between \(\mathsf {sk}_j\) and \(\mathsf {ct}^*\) are appropriately positioned. From the simulator’s perspective, there is no indication which ciphertext is the challenge ciphertext. This definition ensures that the simulator cannot behave differently depending on whether a particular ciphertext is the challenge or not, and simplifies the application of gradual simulation security in our construction of ABE.

Note that the simulator receives inner products \(z_{i,j}\) in the clear and the adversary submits challenge \(\mathbf {u}^*\) in \(\mathsf {Exp}_{T{{\text {-GS}}}}^b\) in the clear, though the input to encryption and the output of decryption are group-encoded. This is necessary as otherwise, the simulator must solve discrete logarithm in G.

We note that when \(T=1\), gradual simulation security becomes the standard notion of simulation security. On the other hand, simulation security does not imply gradual simulation security. So this definition is a strict generalization of simulation security.

3.1 Construction of Gradually Simulation-Secure IPFE

The IPFE scheme in [3] has been proven simulation-secure [2]. We show that it can be adapted for gradual simulation security. The scheme has succinct keys, whose length grows linearly in T and polynomially in \(\lambda \), and is independent of n, which eventually translates into the succinctness of our ABE scheme.

Construction 13

([3]). The construction is described for a fixed value of \(\lambda \), and \(\lambda \) is suppressed for brevity. Let G be a group (with generator g) of prime order p such that \({{\text {MDDH}}}_k\) holds in G. Our G-encoded IPFE works as follows:

• \(\mathsf {Setup}(1^n,1^T)\) takes as input the dimension n and the maximum number T of simulated ciphertexts. It samples \({\mathbf {A}\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p^{k\times (k+T)}},{\mathbf {W}\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p^{(k+T)\times n}}\) and outputs \({\mathsf {mpk}=[\![ \mathbf {A},\mathbf {A}\mathbf {W} ]\!]},{\mathsf {msk}=\mathbf {W}}\).

• \(\mathsf {KeyGen}(\mathsf {msk},\mathbf {v})\) outputs \(\mathsf {sk}=\mathbf {W}\mathbf {v}\).

• \(\mathsf {Enc}(\mathsf {mpk},[\![ \mathbf {u} ]\!])\) samples \(\mathbf {s}\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p^k\) and outputs \(\mathsf {ct}=(\mathbf {s}^{{\mathsf {T}}}[\![ \mathbf {A} ]\!],\mathbf {s}^{{\mathsf {T}}}[\![ \mathbf {A}\mathbf {W} ]\!]+[\![ \mathbf {u}^{{\mathsf {T}}} ]\!])\).

• \(\mathsf {Dec}(\mathsf {sk},\mathbf {v},\mathsf {ct})\) parses \(\mathsf {ct}\) as \(([\![ \mathbf {c}^{{\mathsf {T}}} ]\!],[\![ \mathbf {t}^{{\mathsf {T}}} ]\!])\) and outputs \(-[\![ \mathbf {c}^{{\mathsf {T}}} ]\!]\mathsf {sk}+[\![ \mathbf {t}^{{\mathsf {T}}} ]\!]\mathbf {v}\).

The correctness is readily verified by

$$\begin{aligned} -[\![ \mathbf {c}^{{\mathsf {T}}} ]\!]\mathsf {sk}+[\![ \mathbf {t}^{{\mathsf {T}}} ]\!]\mathbf {v}= [\![ -(\mathbf {s}^{{\mathsf {T}}}\mathbf {A})(\mathbf {W}\mathbf {v})+(\mathbf {s}^{{\mathsf {T}}}\mathbf {A}\mathbf {W}+\mathbf {u}^{{\mathsf {T}}})\mathbf {v} ]\!] = [\![ \mathbf {u}^{{\mathsf {T}}}\mathbf {v} ]\!]. \end{aligned}$$

The scheme is succinct as \(\mathsf {sk}\) consists of \(k+T\) elements in \(\mathbb {Z}_p\), independent of n.

Theorem 14

Suppose in Construction 13, the \({{\text {MDDH}}}_k\) assumption holds in G, then the constructed scheme is gradually simulation-secure, and the T in the security definition is the T as input of \(\mathsf {Setup}\).

The simulator for our scheme is built modularly upon that for the one-time pad IPFE scheme, which we sketc.h below. We refer the readers to the full version for a more detailed exposition.

One-Time Pad IPFE. OTP-IPFE is a secret-key IPFE:

• \(\mathsf {Setup}(p,1^n)\) samples the master secret key \(\mathsf {msk}=\mathbf {w}\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p^n\).

• \(\mathsf {KeyGen}(\mathsf {msk},\mathbf {v})\) outputs the secret key \(\mathsf {sk}=\mathbf {w}^{{\mathsf {T}}}\mathbf {v}\) for \(\mathbf {v}\in \mathbb {Z}_p^n\).

• \(\mathsf {Enc}(\mathsf {msk},\mathbf {u})\) outputs the ciphertext \(\mathsf {ct}=(\mathbf {w}+\mathbf {u})^{{\mathsf {T}}}\).

• \(\mathsf {Dec}(\mathsf {sk},\mathbf {v},\mathsf {ct})\) outputs \(-\mathsf {sk}+\mathsf {ct}\mathbf {v}\) as the inner product.

Correctness is readily verified by \(-\mathsf {sk}+\mathsf {ct}\mathbf {v}=-\mathbf {w}^{{\mathsf {T}}}\mathbf {v}+(\mathbf {w}+\mathbf {u})^{{\mathsf {T}}}\mathbf {v}=\mathbf {u}^{{\mathsf {T}}}\mathbf {v}\).

The scheme satisfies perfect simulation security for one ciphertext (defined similarly to the usual simulation security). The simulator works as follows:

• \(\mathsf {SimSetup}(p,1^n)\) samples the internal state as \(\mathsf {st}=(\widetilde{\mathbf {w}},\bot )\) with \(\widetilde{\mathbf {w}}\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p^n\). (Here, \(\bot \) means that the ciphertext has not been simulated.)

• \(\mathsf {SimKeyGen}(\mathsf {st},\mathbf {v}_j)\) simulates a pre-challenge key for \(\mathbf {v}_j\) as \(\mathsf {sk}_j=\widetilde{\mathbf {w}}^{{\mathsf {T}}}\mathbf {v}_j\) and updates the state to \(\mathsf {st}'=(\mathsf {st},\mathbf {v}_j)\).

• \(\mathsf {SimEnc}(\mathsf {st},z_1,\dots ,z_{J^*})\) simulates the challenge ciphertext as a uniformly random solution \(\mathsf {ct}^*\) of

  $$\begin{aligned} -\widetilde{\mathbf {w}}^{{\mathsf {T}}}\mathbf {v}_j+\mathsf {ct}^*\mathbf {v}_j=z_j \quad \forall j\in [J^*], \end{aligned}$$

  and updates the state to \(\mathsf {st}'=(\bot ,\mathsf {ct}^*)\) so that it knows the ciphertext has been simulated. (Here, \(J^*\) is the number of keys queried before ciphertext simulation, and \(z_j\) is the intended inner product between the ciphertext and the j^th key.)

• \(\mathsf {SimKeyGen}(\mathsf {st},\mathbf {v}_j,z_j)\) simulates a post-challenge key for \(\mathbf {v}_j\) as \(\mathsf {sk}_j=\mathsf {ct}^*\mathbf {v}_j-z_j\) and does not update the state.

Dual System Encryption and Simulator. Construction 13 can be seen as dual system encryption applied to OTP-IPFE. There are \(k+T\) instances of OTP-IPFE with the master secret keys being \(\mathbf {W}\in \mathbb {Z}_p^{(k+T)\times n}\). We publish k projections of them (the normal space) in the master public key (i.e., \(\mathbf {A}\mathbf {W}\) with \(\mathbf {A}\in \mathbb {Z}_p^{k\times (k+T)}\)), and reserve T instances (the semi-functional space) for the simulator.

To simulate, we first switch the ciphertext into the semi-functional form, which means it uses an OTP-IPFE instance independent of the master public key. Then, we employ a change of variable to explicitly separate out the instance (also known as using the parameter hiding property). Lastly, the simulation can be delegated to OTP-IPFE simulator.

Let us take \(T=1\) for example. The first step is

$$\begin{aligned} \mathsf {ct}^*= ([\![ \mathbf {s}^{{\mathsf {T}}}\mathbf {A} ]\!],[\![ \mathbf {s}^{{\mathsf {T}}}\mathbf {A}\mathbf {W}+\mathbf {u}^{{\mathsf {T}}} ]\!]) \overset{{{\text {MDDH}}}_k}{\approx } ([\![ \mathbf {c}^{{\mathsf {T}}} ]\!],[\![ \mathbf {c}^{{\mathsf {T}}}\mathbf {W}+\mathbf {u}^{{\mathsf {T}}} ]\!]) \quad \text {for }\mathbf {c}\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p^{k+1}. \end{aligned}$$

The second step is to perform a change of variable \(\mathbf {W}=\widetilde{\mathbf {W}}+\mathbf {a}^\perp \mathbf {w}^{{\mathsf {T}}}\), where \(\mathbf {W},\mathbf {w}\) are random and \(\mathbf {a}^\perp \) is the vector such that \(\mathbf {A}\mathbf {a}^\perp =\mathbf {0}\) and \(\mathbf {c}^{{\mathsf {T}}}\mathbf {a}^\perp =1\) (which uniquely exists with overwhelming probability). With this change of variable, the keys and the challenge ciphertext become

The terms highlighted in the boxes are exactly the keys and ciphertexts of OTP-IPFE with master secret key \(\mathbf {w}\), and the last step is to use OTP-IPFE simulator to simulate these terms.

For general T, we simply prepare uniformly random \(\mathbf {c}_1,\dots ,\mathbf {c}_T\) for each simulated ciphertext, and set \(\mathbf {W}=\widetilde{\mathbf {W}}+\mathbf {a}_1^\perp \mathbf {w}_1^{{\mathsf {T}}}+\cdots +\mathbf {a}_T^\perp \mathbf {w}_T^{{\mathsf {T}}}\), where \(\mathbf {a}_1^\perp ,\dots ,\mathbf {a}_T^\perp \) are the solution to \({\mathbf {A}\mathbf {a}_i^\perp =\mathbf {0}}\), \({\mathbf {c}_i^{{\mathsf {T}}}\mathbf {a}_i^\perp =1}\), and \({\mathbf {c}_i^{{\mathsf {T}}}\mathbf {a}_{i'}^\perp =0}\) for all \(i\ne i'\), so that the T instances for simulation do not “interfere” with each other. The keys and ciphertexts after replacing OTP-IPFE by simulation are

$$\begin{aligned} \mathsf {mpk}&{}=([\![ \mathbf {A} ]\!],[\![ \mathbf {A}\widetilde{\mathbf {W}} ]\!]),\\ \mathsf {sk}_j&{}=\widetilde{\mathbf {W}}\mathbf {v}_j +\mathbf {a}_1^\perp \mathsf {SimKeyGen}(\mathsf {st}_1,\mathbf {v}_j,z_{1,j}) +\cdots +\mathbf {a}_T^\perp \mathsf {SimKeyGen}(\mathsf {st}_T,\mathbf {v}_j,z_{T,j}),\\ \mathsf {ct}_i^*&{}=([\![ \mathbf {c}_i^{{\mathsf {T}}} ]\!], [\![ \mathbf {c}_i^{{\mathsf {T}}}\widetilde{\mathbf {W}} +\mathsf {SimEnc}(\mathsf {st}_i,z_{i,1},\dots ,z_{i,J_t}) ]\!]), \end{aligned}$$

which is how our simulator for Construction 13 works. Here, \(\mathsf {st}_1,\dots ,\mathsf {st}_T\) track T independent instances of OTP-IPFE simulator. We refer the reader to the full version for the security proof.

4 Ciphertext-Policy 1-ABE for ABP

In this section, we construct the core component of our adaptively secure ABE, called 1-ABE, from any gradually 2-simulation-secure IPFE. A 1-ABE has the same syntax as an ABE, except that

• The message space is \(\mathbb {Z}_p\) for some p and decryption only needs to recover the message encoded in (another) group.

• In the security definition, the adversary is allowed to query at most one secret key.

• In the security definition, the adversary only chooses the attribute but not the message. The message is 0 in one experiment (\(\mathsf {Exp}_{{\text {1-ABE}}}^0\)), and is uniformly random in the other experiment (\(\mathsf {Exp}_{{\text {1-ABE}}}^1\)).¹³

The relaxation of decryption correctness and the change of messages in the security definition are because 1-ABE will be used to encapsulate keys for full ABE. In full ABE, the group-encoded decryption result of 1-ABE is used to mask the message, and we argue security by replacing the encapsulated key by random.

ABE constructions in some previous works such as [15, 17] go through an intermediate step of building a secret-key 1-ABE that is 1-key 1-ciphertext secure. In the secret-key setting, keys and ciphertexts are symmetric, and consequently there is no distinction between ciphertext-policy and key-policy 1-ABE. In contrast, our 1-ABE is public-key and 1-key secure. This asymmetry separates CP-1-ABE and KP-1-ABE. We remark that 1-ABE in [15, 17] can be easily modified to fit our definition as CP-1-ABE. We will see that our definition is easier to use in reductions for full ABE.

Construction 15

(CP-1-ABE). The construction is described for a fixed value of \(\lambda \), and \(\lambda \) is suppressed for brevity. Let G be a group (with generator g) of prime order p, \((\mathsf {IPFE}.\mathsf {Setup},\mathsf {IPFE}.\mathsf {KeyGen},\mathsf {IPFE}.\mathsf {Enc},\mathsf {IPFE}.\mathsf {Dec})\) a G-encoded IPFE, and \((\mathsf {Garble},\mathsf {Eval})\) be an AKGS for ABP. We construct a 1-ABE for predicate space

$$\begin{aligned} \mathcal {P}=\{P_n\,|\,n\in \mathbb {N}\},\quad P_n(y,\mathbf {x})=y(\mathbf {x}) {\text { for }} y\in \mathsf {ztABP}_p^n,\mathbf {x}\in \mathbb {Z}_p^n. \end{aligned}$$

The scheme works as follows:

• \(\mathsf {Setup}(1^n)\) takes as input the attribute length (i.e., \(P_n\) is represented by \(1^n\)) and outputs \((\mathsf {mpk},\mathsf {msk})\overset{\smash {\,_\$}}{\leftarrow }\mathsf {IPFE}.\mathsf {Setup}(1^{n+1})\).

• \(\mathsf {KeyGen}(\mathsf {msk},\mathbf {x})\) outputs \(\mathsf {sk}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {IPFE}.\mathsf {KeyGen}\bigl (\mathsf {msk},(1,\mathbf {x})\bigr )\).

  Note: If the underlying IPFE has succinct secret keys, so does this scheme. For instance, when instantiated with Construction 13 with \(T=2\) under DDH, each secret key consists of just three group elements.

• \(\mathsf {Enc}(\mathsf {mpk},y,\mu )\) garbles y with \(\mu \) and encrypts the label functions in IPFE ciphertexts as follows:

  $$\begin{aligned} {\text {if }}y=f_{\ne 0}{\text {:}}\quad \alpha&{}\leftarrow \mu , \beta \leftarrow 0;\\ {\text {if }}y=f_{=0}{\text {:}}\quad \alpha&{}\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p, \beta \leftarrow \mu ;\\ (\mathbf {L}_1,\dots ,\mathbf {L}_m)&{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {Garble}(f,\alpha ,\beta ),\\ {\text {for }}j\in [m]{\text {:}}\quad \mathsf {ict}_j&{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {IPFE}.\mathsf {Enc}(\mathsf {mpk},[\![ \mathbf {L}_j ]\!]). \end{aligned}$$

  The algorithm outputs \(\mathsf {ct}=(\mathsf {ict}_1,\dots ,\mathsf {ict}_m)\).

• \(\mathsf {Dec}(\mathsf {sk},\mathbf {x},\mathsf {ct},y)\) takes as input a secret key \(\mathsf {sk}\) for \(\mathbf {x}\) and a ciphertext \(\mathsf {ct}\) for y. If \(y(\mathbf {x})=0\), the algorithm outputs \(\bot \) and stops. Otherwise, it computes

  

  and outputs \([\![ \mu ' ]\!]\) as the message.

  Note: We show that the scheme is correct. By the correctness of IPFE, we have

  $$\begin{aligned} \ell _j = \mathbf {L}_j^{{\mathsf {T}}}\begin{pmatrix}1\\ \mathbf {x}\end{pmatrix} = L_j(\mathbf {x}), \end{aligned}$$

  where \(L_j\)’s are the label functions defined by \(\mathsf {Garble}\). Since \(\mathsf {Eval}\) is linear in the labels, it can be performed in the exponent. By the correctness of AKGS,

  $$\begin{aligned} {\text {if }}y=f_{\ne 0},f(\mathbf {x})\ne 0{\text {:}}\quad \mu '&{}={\textstyle \frac{1}{f(\mathbf {x})}}(\alpha f(\mathbf {x})+\beta ) ={\textstyle \frac{1}{f(\mathbf {x})}}(\mu f(\mathbf {x})+0) =\mu ;\\ {\text {if }}y=f_{=0},f(\mathbf {x})=0{\text {:}}\quad \mu '&{}=\alpha f(\mathbf {x})+\beta =\alpha \cdot 0+\mu =\mu . \end{aligned}$$

Theorem 16

Suppose in Construction 15, the IPFE is gradually 2-simulation-secure and the AKGS is piecewise secure, then the constructed 1-ABE is secure.

We refer the reader to the full version for the proof.

5 Key-Policy ABE for ABP

In this section, we apply the classic dual system encryption to obtain full KP-ABE from CP-1-ABE instantiated with the IPFE in Sect. 3.1.

Construction 17

(KP-ABE). The construction is described for a fixed value of \(\lambda \), and \(\lambda \) is suppressed for brevity. Let \(G_1,G_2,G_{{\text {T}}}\) be pairing groups of prime order p for which \({{\text {MDDH}}}_k\) holds in \(G_1,G_2\), and let \((\mathsf {Garble},\mathsf {Eval})\) be an AKGS for ABP. We construct an ABE for message space \(G_{{\text {T}}}\) and predicate space

$$\begin{aligned} \mathcal {P}=\{P_n\,|\,n\in \mathbb {N}\},\quad P_n(\mathbf {x},y)=y(\mathbf {x}) {\text { for }} \mathbf {x}\in \mathbb {Z}_p^n,y\in \mathsf {ztABP}_p^n. \end{aligned}$$

The scheme works as follows:

• \(\mathsf {Setup}(1^n)\) takes as input the attribute length (i.e., \(P_n\) is represented by \(1^n\)). It samples and sets

  $$\begin{aligned} \mathbf {A}&{}\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p^{k\times (k+2)}, \mathbf {B}\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p^{k\times (k+1)},&\mathbf {W}&{}\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p^{(k+2)\times (k+1)(n+1)}, \varvec{\mu }\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p^{k+1},\\ \mathsf {xpk}&{}=([\![ \mathbf {B}^{{\mathsf {T}}} ]\!]_1,[\![ \mathbf {W}(\mathbf {B}^{{\mathsf {T}}}\otimes \mathbf {I}_{n+1}) ]\!]_1),&\mathsf {fpk}&{}=([\![ \mathbf {A} ]\!]_2,[\![ \mathbf {A}\mathbf {W} ]\!]_2),\\ \mathsf {mpk}&{}=([\![ \varvec{\mu }^{{\mathsf {T}}}\mathbf {B}^{{\mathsf {T}}} ]\!]_{{\text {T}}},\mathsf {xpk}),&\mathsf {msk}&{}=(\mathsf {fpk},\varvec{\mu }). \end{aligned}$$

  Note: We explain the connection with CP-1-ABE and dual system encryption (as demonstrated in Sect. 1.1). The matrix \(\mathbf {W}=(\mathbf {W}_1\ \cdots \ \mathbf {W}_{k+1})\) consists of \(k+1\) master secret keys of CP-1-ABE concatenated by columns, each of shape \((k+2)\times (n+1)\). Its projection along a vector \(\mathbf {b}=(b_1,\dots ,b_{k+1})^{{\mathsf {T}}}\) is

  $$\begin{aligned} b_1\mathbf {W}_1+\cdots +b_{k+1}\mathbf {W}_{k+1}&{}= \mathbf {W}_1\cdot b_1\mathbf {I}_{n+1} +\cdots + \mathbf {W}_{k+1}\cdot b_{k+1}\mathbf {I}_{n+1}\\&{}= (\mathbf {W}_1\ \cdots \ \mathbf {W}_{k+1}) \begin{pmatrix} b_1\mathbf {I}_{n+1}\\ \vdots \\ b_{k+1}\mathbf {I}_{n+1} \end{pmatrix} =\mathbf {W}(\mathbf {b}\otimes \mathbf {I}_{n+1}). \end{aligned}$$

  The matrix \(\mathbf {B}=(\mathbf {b}_1^{{\mathsf {T}}}\ \cdots \ \mathbf {b}_k^{{\mathsf {T}}})^{{\mathsf {T}}}\) consists of all the projection vectors, and \(\mathbf {W}({\mathbf {B}^{{\mathsf {T}}}\otimes \mathbf {I}_{n+1}})\) is the projections of \(\mathbf {W}\) along \(\mathbf {B}\) concatenated by columns.

• \(\mathsf {KeyGen}(\mathsf {msk},y)\) garbles y with \(\varvec{\mu }\) as follows:

  $$\begin{aligned} {\text {if }}y=f_{\ne 0}{\text {:}}\quad \varvec{\alpha }&{}\leftarrow \varvec{\mu },\qquad \;\; \varvec{\beta }\leftarrow \mathbf {0};\\ {\text {if }}y=f_{=0}{\text {:}}\quad \varvec{\alpha }&{}\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p^{k+1},\quad \varvec{\beta }\leftarrow \varvec{\mu };\\ (\mathbf {L}_1,\dots ,\mathbf {L}_m)&{}\overset{\smash {\,_\$}}{\leftarrow }\mathsf {Garble}(f,\varvec{\alpha },\varvec{\beta }). \end{aligned}$$

  It samples \(\mathbf {s}_j\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p^k\) for \(j\in [m]\) and sets

  $$\begin{aligned} \mathsf {sk}_{j,1}=\mathbf {s}_j^{{\mathsf {T}}}[\![ \mathbf {A} ]\!]_2,\quad \mathsf {sk}_{j,2}=\mathbf {s}_j^{{\mathsf {T}}}[\![ \mathbf {A}\mathbf {W} ]\!]_2+[\![ \mathbf {L}_j^{{\mathsf {T}}} ]\!]_2. \end{aligned}$$

  The algorithm outputs \(\mathsf {sk}=(\mathsf {sk}_{1,1},\mathsf {sk}_{1,2},\dots ,\mathsf {sk}_{m,1},\mathsf {sk}_{m,2})\).

  Note: Generating a key in KP-ABE means encrypting \(\varvec{\mu }\) in each CP-1-ABE instance, which boils down to generating IPFE ciphertexts, as shown above.

• \(\mathsf {Enc}(\mathsf {mpk},\mathbf {x},g)\) samples \(\mathbf {r}\overset{\smash {\,_\$}}{\leftarrow }\mathbb {Z}_p^k\) and sets

  $$\begin{aligned} \mathsf {ct}_1=[\![ \mathbf {B}^{{\mathsf {T}}} ]\!]_1\mathbf {r},\quad \! \mathsf {ct}_2=[\![ \mathbf {W}(\mathbf {B}^{{\mathsf {T}}}\otimes \mathbf {I}_{n+1}) ]\!]_1\left( \mathbf {r}\otimes \begin{pmatrix}1\\ \mathbf {x}\end{pmatrix}\right) ,\quad \! \mathsf {ct}_3=[\![ \varvec{\mu }^{{\mathsf {T}}}\mathbf {B}^{{\mathsf {T}}} ]\!]_{{\text {T}}}\mathbf {r}+g. \end{aligned}$$

  The algorithms outputs \(\mathsf {ct}=(\mathsf {ct}_1,\mathsf {ct}_2,\mathsf {ct}_3)\).

  Note: We remark that \(\mathbf {r}\) (resp. \(\mathbf {B}^{{\mathsf {T}}}\mathbf {r}\)) is the coefficients of random linear combination w.r.t. the projections (resp. the CP-1-ABE instances). Here, \(\mathsf {ct}_2\) corresponds to a CP-1-ABE key w.r.t. randomly combined master secret key \(\mathbf {W}(\mathbf {B}^{{\mathsf {T}}}\mathbf {r}\otimes \mathbf {I}_{n+1})\), which is an IPFE secret key for \(\bigl ({1\atop \mathbf {x}}\bigr )\), i.e.,

  $$\begin{aligned} \mathsf {ct}_2=[\![ \mathbf {W}(\mathbf {B}^{{\mathsf {T}}}\mathbf {r}\otimes \mathbf {I}_{n+1})\begin{pmatrix}1\\ \mathbf {x}\end{pmatrix} ]\!]_1. \end{aligned}$$

  The ciphertext consists of \(2k+3\) elements in \(G_1\) and one element in \(G_{{\text {T}}}\), hence is succinct.

• \(\mathsf {Dec}(\mathsf {sk},y,\mathsf {ct},\mathbf {x})\) first checks whether \(y(\mathbf {x})=1\). If not, it outputs \(\bot \) and terminates. Otherwise, it parses \(\mathsf {sk},\mathsf {ct}\) as defined in \(\mathsf {KeyGen},\mathsf {Enc}\), computes

  

  and outputs \(\mathsf {ct}_3-[\![ \mu ' ]\!]_{{\text {T}}}\) as the recovered message.

  Note: We show that the scheme is correct. By definition (also cf. Construction 13),

  $$\begin{aligned} \ell _j&{}= -\mathbf {s}_j^{{\mathsf {T}}}\mathbf {A}\mathbf {W}(\mathbf {B}^{{\mathsf {T}}}\otimes \mathbf {I}_{n+1}) \left( \mathbf {r}\otimes \begin{pmatrix}1\\ \mathbf {x}\end{pmatrix}\right) + (\mathbf {s}_j^{{\mathsf {T}}}\mathbf {A}\mathbf {W}+\mathbf {L}_j^{{\mathsf {T}}}) \left( \mathbf {B}^{{\mathsf {T}}}\mathbf {r}\otimes \begin{pmatrix}1\\ \mathbf {x}\end{pmatrix}\right) \\ {}&{}= \mathbf {L}_j^{{\mathsf {T}}}\left( \mathbf {B}^{{\mathsf {T}}}\mathbf {r}\otimes \begin{pmatrix}1\\ \mathbf {x}\end{pmatrix}\right) = \mathbf {L}_j^{{\mathsf {T}}}\left( \mathbf {B}^{{\mathsf {T}}}\mathbf {r}\otimes \mathbf {I}_{n+1}\right) \begin{pmatrix}1\\ \mathbf {x}\end{pmatrix}. \end{aligned}$$

  By Lemma 5, if we define \((\mathbf {L}_1',\dots ,\mathbf {L}_m')\leftarrow \mathsf {Garble}(f,\mathbf {r}^{{\mathsf {T}}}\mathbf {B}\varvec{\alpha },\mathbf {r}^{{\mathsf {T}}}\mathbf {B}\varvec{\beta };\mathbf {r}^{{\mathsf {T}}}\mathbf {B}\mathbf {R})\), where \(\mathbf {R}\) is the randomness used to generate \(\mathbf {L}_j\)’s, then

  $$\begin{aligned} \ell _j = \mathbf {L}_j^{{\mathsf {T}}}\left( \mathbf {B}^{{\mathsf {T}}}\mathbf {r}\otimes \mathbf {I}_{n+1}\right) \begin{pmatrix}1\\ \mathbf {x}\end{pmatrix} = (\mathbf {L}_j')^{{\mathsf {T}}}\begin{pmatrix}1\\ \mathbf {x}\end{pmatrix} = L_j'(\mathbf {x}). \end{aligned}$$

  By the correctness of AKGS, we have

  $$\begin{aligned} \mathsf {Eval}(f,\mathbf {x},\ell _1,\dots ,\ell _m) = \mathbf {r}^{{\mathsf {T}}}\mathbf {B}\varvec{\alpha }f(\mathbf {x})+\mathbf {r}^{{\mathsf {T}}}\mathbf {B}\varvec{\beta }. \end{aligned}$$

  In the two cases where decryption should succeed,

  $$\begin{aligned} {\text {if }}y=f_{\ne 0},f(\mathbf {x})\ne 0{\text {:}}\quad \mu '&{}= {\textstyle \frac{1}{f(\mathbf {x})}} (\mathbf {r}^{{\mathsf {T}}}\mathbf {B}\varvec{\mu }f(\mathbf {x})+\mathbf {r}^{{\mathsf {T}}}\mathbf {B}\mathbf {0}) = \mathbf {r}^{{\mathsf {T}}}\mathbf {B}\varvec{\mu };\\ {\text {if }}y=f_{=0},f(\mathbf {x})=0{\text {:}}\quad \mu '&{}= \mathbf {r}^{{\mathsf {T}}}\mathbf {B}\varvec{\alpha }f(\mathbf {x})+\mathbf {r}^{{\mathsf {T}}}\mathbf {B}\varvec{\mu }= \mathbf {r}^{{\mathsf {T}}}\mathbf {B}\varvec{\mu }. \end{aligned}$$

  Therefore, in both cases, we have \(\mathsf {ct}_3-[\![ \mu ' ]\!]_{{\text {T}}}=[\![ \varvec{\mu }^{{\mathsf {T}}}\mathbf {B}^{{\mathsf {T}}}\mathbf {r} ]\!]_T+g-[\![ \mathbf {r}^{{\mathsf {T}}}\mathbf {B}\varvec{\mu } ]\!]_T=g\).

Minimizing Pairing Operations. The number of pairing operations in the decryption algorithm appears to depend on the garbling size of the policy and the attribute length. It can be reduced to \(2k+3\) as follows.¹⁴ Since \(\mathsf {Eval}\) is linear in the labels, the decryption algorithm can first find \(\gamma _1,\dots ,\gamma _m\in \mathbb {Z}_p\) such that

$$\begin{aligned} \mathsf {Eval}(f,\mathbf {x},\ell _1,\dots ,\ell _m)=\sum _{j=1}^{m}{\gamma _j\ell _j}. \end{aligned}$$

The computation of \([\![ \mu ' ]\!]_{{\text {T}}}\) can be rewritten as

$$\begin{aligned}{}[\![ \mu ' ]\!]_{{\text {T}}}&{}= \sum _{j=1}^{m}{\gamma _j[\![ \ell _j ]\!]_{{\text {T}}}} = \sum _{j=1}^{m}{\gamma _j\left( -\mathsf {sk}_{j,1}\mathsf {ct}_2+ \mathsf {sk}_{j,2}\left( \mathsf {ct}_1\otimes \begin{pmatrix}1\\ \mathbf {x}\end{pmatrix}\right) \right) } \\ {}&{}= -\left( \sum _{j=1}^{m}{\gamma _j\mathsf {sk}_{j,1}}\right) \mathsf {ct}_2+ \left( \sum _{j=1}^{m}{\gamma _j\mathsf {sk}_{j,2}}\right) \left( \mathbf {I}_{k+1}\otimes \begin{pmatrix}1\\ \mathbf {x}\end{pmatrix}\right) \mathsf {ct}_1. \end{aligned}$$

Note that \(\mathsf {ct}_1,\mathsf {ct}_2\) consist of \(k+1,k+2\) group elements and only these elements (in \(G_1\)) take part in pairing. Therefore, the formula above only uses \(2k+3\) pairing operations.

There are further optimizations possible, such as appropriately choosing which group of the two source groups to use for the secret key to reduce the cost of exponentiation in decryption. Next, we proceed to the security of our scheme.

Theorem 18

Suppose in Construction 17, \({{\text {MDDH}}}_k\) holds in both \(G_1\) and \(G_2\), and the AKGS is piecewise secure, then the constructed scheme is IND-CPA secure.

We refer the reader to the full version for the proof.