Broadcast Encryption with Size $$N^{1/3}$$ and More from k-Lin

Wee, Hoeteck

doi:10.1007/978-3-030-84259-8_6

Hoeteck Wee^10,11

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12828))

Included in the following conference series:

Annual International Cryptology Conference

2519 Accesses
9 Citations

Abstract

We present the first pairing-based ciphertext-policy attribute-based encryption (CP-ABE) scheme for the class of degree 3 polynomials with compact parameters: the public key, ciphertext and secret keys comprise O(n) group elements, where n is input length for the function. As an immediate corollary, we obtain a pairing-based broadcast encryption scheme for N users with $O(N^{1/3})$-sized parameters, breaking the long-standing $\sqrt{N}$ barrier for pairing-based broadcast encryption. All of our constructions achieve adaptive security against unbounded collusions, and rely on the (bilateral) k-Lin assumption in prime-order bilinear groups.

You have full access to this open access chapter, Download conference paper PDF

Ciphertext-Policy Attribute-Based Broadcast Encryption with Small Keys

Optimal Broadcast Encryption and CP-ABE from Evasive Lattice Assumptions

Distributed Broadcast Encryption from Bilinear Groups

1 Introduction

In this work, we study broadcast encryption [12] as well as attribute-based encryption schemes [5, 17, 23]. In ciphertext-policy attribute-based encryption (CP-ABE), ciphertexts $\textsf {ct}$ are associated with a predicate f and a message m and keys $\textsf {sk}$ with an attribute x, and decryption returns m when x satisfies f. Broadcast encryption is a special case of CP-ABE where the predicate is specified by a set $S \subseteq [N]$, and decryption returns m when $x \in S$. In both cases, we require security against unbounded collusions, so that an adversary that sees a ciphertext along with secret keys for an arbitrary number of attributes $x_1,x_2,\ldots $ learns nothing about m as long as none of these attributes satisfies f.

Broadcast encryption has been an active area of research since their introduction in the 1990s, where a major goal is to obtain schemes with short parameters, notably short ciphertexts $\textsf {ct}$ and short public keys $\textsf {mpk}$. In a celebrated work from 2005, Boneh, Gentry and Waters (BGW) [6] presented a pairing-based broadcast encryption scheme with constant-size ciphertext (ignoring the contribution from the set S) and secret keys; however, the scheme has large public keys $\textsf {mpk}$ which is linear in the total number of users N, and moreover, decryption requires access to $\textsf {mpk}$. To address these shortcomings, the authors also showed how to modify their scheme to achieve $O(\sqrt{N})$-sized public keys, at the cost of a $O(\sqrt{N})$-sized ciphertext. A series of follow-up works [7, 10, 15] showed how to achieve $O(\sqrt{N})$-sized parameters (i.e., $|\textsf {mpk}|+|\textsf {ct}|+|\textsf {sk}| = O(\sqrt{N})$) under the standard k-Lin assumption, improving upon the q-type assumption used in BGW, while additionally strengthening the security guarantees from selective to adaptive security.

In a recent remarkable break-through, Agrawal and Yamada [2, 3] constructed a broadcast encryption scheme with $\textsf {poly}(\log N)$-sized parameters from pairings and LWE. Nonetheless, the following basic problem remains open since the work of BGW:

Can we build a broadcast encryption scheme with $o(\sqrt{N})$-sized parameters (that is, $|\textsf {mpk}|+|\textsf {ct}|+|\textsf {sk}| = o(\sqrt{N})$) from (just) pairings?

Prior approaches for pairing-based broadcast encryption requires $|\textsf {ct}|\!\cdot \!\mathrm {max}\{|\textsf {sk}|,|\textsf {mpk}|\} = \varOmega (N)$, which in turn implies a $\varOmega (\sqrt{N})$ bound on the parameter size. Moreover, this is essentially optimal for a large class of approaches for pairing-based broadcast encryption [14], indicating that breaking the $\sqrt{N}$ barrier would require substantially new ideas. As an aside –and an indication of our limited understanding of broadcast encryption with small parameters– we note that building a broadcast encryption scheme with o(N)-sized ciphertext from just LWE is also an open problem.

1.1 Our Results

We present a pairing-based broadcast encryption scheme with $O(N^{1/3})$-sized parameters, breaking the long-standing $\sqrt{N}$ barrier. Our broadcast encryption scheme achieves adaptive security against unbounded collusions, and rely on the bilateral k-Lin assumption in prime-order bilinear groups. In addition, our construction offers a range of trade-offs between ciphertext and key sizes (see Fig. 1). We stress that prior to this work, it was not known how to achieve $o(\sqrt{N})$-sized parameters with selective security even with q-type assumptions or generic bilinear groups.

More generally, we present a CP-ABE for degree 3 polynomials over $\{0,1\}^n$ (and more generally, $\mathbb {Z}_p^n$) where the public key, ciphertext and secret keys comprise of O(n) group elements; this scheme also achieves adaptive security against unbounded collusions under the bilateral k-Lin assumption. Our broadcast encryption scheme then follows as an immediate corollary, since we can encode set membership in $S \subseteq [N]$ as a degree 3 polynomial over $\{0,1\}^{O(N^{1/3})}$. Prior to this work, CP-ABE schemes with O(n)-sized parameters from pairings was only known for the class of degree 2 polynomials [22]. We refer to Fig. 2 for a summary of prior works on pairing-based CP-ABE for degree 3 polynomials.

The design of our schemes departs quite significantly from existing pairing-based ABE schemes, in that we exploit the power of “quadratic reconstruction”. This idea was previously used by Liu, Vaikuntanathan and Wee [22] to construct an information-theoretic, private-key analogue of broadcast construction –formally, conditional disclosure of secrets (CDS) for index– with $O(N^{1/3})$-sized parameters. However, the scheme only works over fields of characteristic 2, which are incompatible with bilinear groups operations “in the exponent”. Instead, we provide new techniques for instantiating quadratic reconstruction that are inspired in part by recent works on functional encryption for degree 2 polynomials [13, 21, 26].

2 Technical Overview

We proceed to provide an overview of our constructions. We focus on our CP-ABE scheme for degree 3 polynomials over $\mathbb {Z}_p^n \times \mathbb {Z}_p^n \times \mathbb {Z}_p^n$ given by

$$\begin{aligned} (\mathbf {x}_1,\mathbf {x}_2,\mathbf {x}_3) \mapsto (\mathbf {x}_1 \otimes \mathbf {x}_2 \otimes \mathbf {x}_3) \cdot \mathbf {f}^{\!\scriptscriptstyle {\top }}\end{aligned}$$

where $\mathbf {f}\in \mathbb {Z}_p^{n^3}$ is the coefficient vector. Throughout, we use boldface lower case to denote row vectors. In our CP-ABE scheme,

encryption takes as input $\mathbf {f}\in \mathbb {Z}_p^{n^3}$ and a message M and outputs a ciphertext $\textsf {ct}$;
key generation takes as input $\mathbf {x}_1,\mathbf {x}_2,\mathbf {x}_3 \in \mathbb {Z}_p^n$ and outputs a key $\textsf {sk}$, and
decryption takes as input $\textsf {ct},\textsf {sk}$ along with $\mathbf {f},\mathbf {x}_1,\mathbf {x}_2,\mathbf {x}_3$ and outputs M whenever $(\mathbf {x}_1 \otimes \mathbf {x}_2 \otimes \mathbf {x}_3) \mathbf {f}^{\!\scriptscriptstyle {\top }}\ne 0$.

We rely on an asymmetric bilinear group $(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e)$ of prime order p where $e: \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T$. We use $[\cdot ]_1,[\cdot ]_2,[\cdot ]_T$ to denote component-wise exponentiations in respective groups $\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T$. The k-Lin assumption in $\mathbb {G}_1$ asserts that $([\mathbf {A}]_1,[\mathbf {s}\mathbf {A}]_1) \approx _c ([\mathbf {A}]_1,[\mathbf {u}]_1)$ where $\mathbf {s} \leftarrow \mathbb {Z}_p^k, \mathbf {A}\leftarrow \mathbb {Z}_p^{k \times (k+1)}, \mathbf {u}\leftarrow \mathbb {Z}_p^{k+1}$. The bilateral k-Lin assumption (as used in this work, and slightly weaker than that used in [13, 26]) asserts that $([\mathbf {A}]_1,[\mathbf {A}]_2,[\mathbf {s}\mathbf {A}]_2) \approx _c ([\mathbf {A}]_1,[\mathbf {A}]_2,[\mathbf {u}]_2)$, and is a strengthening of the k-Lin assumption in $\mathbb {G}_2$. In symmetric bilinear groups, the bilateral k-Lin and the standard k-Lin assumption are equivalent. Note that 1-Lin = DDH/SXDH, and that bilateral 1-Lin is false, for the same reason DDH is false in symmetric bilinear groups. We will describe our construction based the k-Lin assumption and the bilateral $k'$-Lin assumption, and set $k=1,k'=2$ for optimal concrete efficiency.

Following [1, 26], we make extensive use of tensor products (cf. Sect. 3). This enables a more compact description of our schemes, and avoids triple summations to compute a degree 3 polynomial. Moreover, we will be replacing scalars with vectors as our schemes get increasingly complex, upon which some scalar-vector products translate naturally to a tensor product of two vectors, whereas some other ones translate to a vector-matrix product.

Roadmap. We will begin our overview by describing two candidate CP-ABE schemes for degree 3 polynomials. We refer to these schemes as “candidates” because we do not in fact prove “full fledged” security of these two schemes (though it does seem quite plausible that both schemes are secure in the generic group model).

The first achieves
$$\begin{aligned} |\textsf {mpk}| = O(n^2), |\textsf {ct}| = O(n), |\textsf {sk}| = O(n) \end{aligned}$$
In comparison, prior constructions based on degree 2 polynomials requires either $|\textsf {ct}| = O(n^2)$ or $|\textsf {sk}| = O(n^2)$ (cf. Fig 2).
The second is a variant of the first with $|\textsf {mpk}| = O(n)$ and thus achieves O(n)-sized parameters.

We then describe in Sect. 2.4 how to modify the second candidate to obtain our final CP-ABE scheme, which achieves O(n)-sized parameters as well as adaptive security under the bi-k-Lin assumption.

2.1 CP-ABE for Degree 2 Polynomials

We begin with (a simplified variant of) the CP-ABE scheme in [22] for the class of degree 2 polynomials over $\mathbb {Z}_p^{n} \times \mathbb {Z}_p^{n}$ given by

$$\begin{aligned} (\mathbf {x}_1,\mathbf {x}_2) \mapsto (\mathbf {x}_1 \otimes \mathbf {x}_2) \cdot \mathbf {f}^{\!\scriptscriptstyle {\top }}\end{aligned}$$

where $\mathbf {f}\in \mathbb {Z}_p^{n^2}$ is the coefficient vector and decryption is possible whenever $(\mathbf {x}_1 \otimes \mathbf {x}_2) \mathbf {f}^{\!\scriptscriptstyle {\top }}\ne 0$:

$$\begin{aligned} \begin{array}{rclll} \textsf {mpk}&{}=&{} [\alpha ]_T, [\mathbf {w}_2]_1, [\mathbf {w}_1]_1, &{} \mathbf {w}_1 \leftarrow \mathbb {Z}_p^{n}, \mathbf {w}_2 \leftarrow \mathbb {Z}_p^{n},\alpha \leftarrow \mathbb {Z}_p\\ \textsf {ct}&{}=&{} [s]_1, [((\mathbf {I}_{n_1} \otimes \mathbf {w}_2) \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {w}_1^{\!\scriptscriptstyle {\top }})s]_1, [\alpha s]_T \cdot M, &{} s \leftarrow \mathbb {Z}_p \\ \textsf {sk}&{}=&{} [r]_2, [\mathbf {x}_1 r \mathbf {w}_1^{\!\scriptscriptstyle {\top }}]_2, [\mathbf {x}_2 \alpha - r \mathbf {w}_2]_2, &{} r \leftarrow \mathbb {Z}_p \end{array} \end{aligned}$$

(1)

Note that the scheme achieves

$$\begin{aligned} |\textsf {mpk}| = O(n), |\textsf {ct}| = O(n), |\textsf {sk}| = O(n) \end{aligned}$$

Decryption uses

$$\begin{aligned} (\mathbf {x}_1\otimes \mathbf {x}_2)\mathbf {f}^{\!\scriptscriptstyle {\top }}\cdot \alpha s= & {} (\mathbf {x}_1\otimes ((\overbrace{\mathbf {x}_2 \alpha - r \mathbf {w}_2}^{\textsf {sk}})\overbrace{s}^\textsf {ct})) \mathbf {f}^{\!\scriptscriptstyle {\top }}\\&+ \,\mathbf {x}_1\overbrace{r}^{\textsf {sk}} \cdot \overbrace{((\mathbf {I}_{n_1} \otimes \mathbf {w}_2) \cdot \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {w}_1^{\!\scriptscriptstyle {\top }})s}^\textsf {ct}\nonumber \\&- \,\overbrace{\mathbf {x}_1r\mathbf {w}_1^{\!\scriptscriptstyle {\top }}}^\textsf {sk}\cdot \overbrace{s}^\textsf {ct}\nonumber \end{aligned}$$

(2)

Following the dual system encryption methodology [4, 19, 20, 24, 25], security boils down to showing that M is hidden given a single ciphertext-key pair. In particular, it suffices to show that if $(\mathbf {x}_1\otimes \mathbf {x}_2)\mathbf {f}^{\!\scriptscriptstyle {\top }}= 0$, then $\alpha $ is hidden given

$$\begin{aligned} \begin{array}{rcllll} {\widehat{\textsf {ct}}}&{}=&{} [(\mathbf {I}_n \otimes \mathbf {w}_2) \cdot \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {w}_1^{\!\scriptscriptstyle {\top }}]_1, &{} \\ {\widehat{\textsf {sk}}}&{}=&{} [\mathbf {x}_1 \mathbf {w}_1^{\!\scriptscriptstyle {\top }}]_2, [\mathbf {x}_2 \alpha - \mathbf {w}_2]_2, &{}\quad \end{array} \end{aligned}$$

(3)

where ${\widehat{\textsf {ct}}},{\widehat{\textsf {sk}}}$ are derived from $\textsf {ct},\textsf {sk}$ by setting $r=s=1$ and omitting $[\alpha s]_T$. Hiding of $\alpha $ then follows from

$$({\widehat{\textsf {ct}}},\;{\widehat{\textsf {sk}}}) \equiv \bigl (\tilde{\mathbf {w}}_1^{\!\scriptscriptstyle {\top }}, \;((\mathbf {x}_1 \otimes \tilde{\mathbf {w}}_2) \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {x}_1 \tilde{\mathbf {w}}_1^{\!\scriptscriptstyle {\top }}- \overbrace{(\mathbf {x}_1\otimes \mathbf {x}_2)\mathbf {f}^{\!\scriptscriptstyle {\top }}\cdot \alpha }^{=0}, \tilde{\mathbf {w}}_2)\bigr )$$

2.2 Our First Candidate CP-ABE

Next, we describe a candidate CP-ABE for degree 3 polynomials with parameter sizes

$$\begin{aligned} |\textsf {mpk}| = O(n^2), |\textsf {ct}| = O(n), |\textsf {sk}| = O(n) \end{aligned}$$

To arrive at this scheme, we first replace $\mathbf {x}_2$ and $\mathbf {w}_2$ in (1) with $\mathbf {x}_2 \otimes \mathbf {x}_3$ and $\mathbf {w}_2 \otimes \mathbf {w}_3$ respectively, where ${\mathbf {w}_3 \leftarrow \mathbb {Z}_p^n}$. The ciphertext size remains unchanged, but the secret key size increases to $O(n^2)$ due to the term

$$\begin{aligned} (\mathbf {x}_2 \otimes \mathbf {x}_3) \alpha - r (\mathbf {w}_2 \otimes \mathbf {w}_3) \end{aligned}$$

To achieve $|\textsf {sk}| = O(n)$, we will compute the above expression using

$$\mathbf {x}_2 \otimes \mathbf {x}_3 \alpha - r \mathbf {w}_2 \otimes \mathbf {w}_3 = \mathbf {x}_2 \otimes \overbrace{(\mathbf {x}_3 \alpha + r_3 \mathbf {w}_3)}^\textsf {sk}- \overbrace{(\mathbf {x}_2 r_3 + r \mathbf {w}_2)}^\textsf {sk}\otimes \overbrace{\mathbf {w}_3}^\textsf {ct}$$

This yields the following scheme:

$$\begin{aligned} \begin{array}{rcllll} \textsf {mpk}&{}=&{} [\alpha ]_T &{}[\mathbf {w}_1]_1, [\mathbf {w}_3]_1, [\mathbf {w}_2 \otimes \mathbf {w}_3]_1,&{}\quad \mathbf {w}_1,\mathbf {w}_2,\mathbf {w}_3 \leftarrow \mathbb {Z}_p^n, \alpha \leftarrow \mathbb {Z}_p \\ \textsf {ct}&{}=&{} [s]_1, [\alpha s]_T \cdot M, &{} [((\mathbf {I}_n \otimes \mathbf {w}_2 \otimes \mathbf {w}_3) \cdot \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {w}_1^{\!\scriptscriptstyle {\top }})s]_1, [\mathbf {w}_3 s]_1, &{}\quad s \leftarrow \mathbb {Z}_p, \\ \textsf {sk}&{}=&{} [r_2]_2, &{} [\mathbf {x}_1 r_2\mathbf {w}_1^{\!\scriptscriptstyle {\top }}]_2, [\mathbf {x}_2 r_3 + r_2 \mathbf {w}_2]_2, [\mathbf {x}_3 \alpha + r_3 \mathbf {w}_3]_2, &{}\quad r_2, r_3 \leftarrow \mathbb {Z}_p \end{array} \end{aligned}$$

(4)

Here, we publish $[\mathbf {w}_2 \otimes \mathbf {w}_3]_1$ in $\textsf {mpk}$ so that we can compute $[(\mathbf {w}_2 \otimes \mathbf {w}_3)s]_1$ in $\textsf {ct}$.

Compressing $\textsf {mpk}$. To get to a CP-ABE scheme with O(n)-sized parameters, we will compress $\textsf {mpk}$ in the previous scheme as follows: instead of having set-up pick $\mathbf {w}_3$, the encryptor will sample a random $\mathbf {w}_3$; this eliminates $[\mathbf {w}_2\otimes \mathbf {w}_3]_1$ in $\textsf {mpk}$ and reduces $\textsf {mpk}$ to O(n) group elements. Next, we explain how this modification impacts $\textsf {ct}$ and $\textsf {sk}$ in (4):

Given $[\mathbf {w}_2]_1,\mathbf {w}_3,s,\mathbf {f}$, it is easy to compute $[(\mathbf {I}_n \otimes \mathbf {w}_2 \otimes \mathbf {w}_3s) \cdot \mathbf {f}^{\!\scriptscriptstyle {\top }}]_1$ and thus $[((\mathbf {I}_n \otimes \mathbf {w}_2 \otimes \mathbf {w}_3) \cdot \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {w}_1^{\!\scriptscriptstyle {\top }})s]_1$ in $\textsf {ct}$.
Now, key generation can no longer compute $[\mathbf {x}_3 \alpha + r_3 \mathbf {w}_3]_2$, which was used to compute $[(\mathbf {x}_3 \alpha + r_3 \mathbf {w}_3)s]_T$ during decryption. Instead, we will compute the latter using the equation
$$(\mathbf {x}_3 \alpha + r_3 \mathbf {w}_3)s = \overbrace{(r_3 + r_2 v_0)}^{\textsf {sk}} \cdot \overbrace{\mathbf {w}_3 s}^\textsf {ct}+ \overbrace{(\mathbf {x}_3 \alpha + r_2 \mathbf {v})}^{\textsf {sk}} \cdot \overbrace{s}^\textsf {ct}- r_2 \cdot \overbrace{(v_0 \mathbf {w}_3 + \mathbf {v}) s}^\textsf {ct}$$
where $v_0,\mathbf {v}$ are chosen by the set-up algorithm.

Putting these modifications together, we obtain our next candidate.

2.3 Our Second Candidate CP-ABE

Here is our candidate CP-ABE scheme with O(n)-sized parameters, where the terms not present in the previous scheme are shaded in gray:

(5)

The decryption algorithm on input $\textsf {ct}= ([s]_1,[\alpha s]_T \cdot M, [\mathbf {c}_1^{\!\scriptscriptstyle {\top }}]_1,[\mathbf {c}_2]_1,[\mathbf {c}_3]_1)$ and $\textsf {sk}= ([r_2]_2,[\mathbf {d}_1]_2,[\mathbf {d}_2]_2,[d_3]_2,[\mathbf {d}_4]_2)$, computes $[(\mathbf {x}_1\otimes \mathbf {x}_2\otimes \mathbf {x}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}\cdot \alpha s]_T$ using

$$\begin{aligned}&(\underbrace{\mathbf {x}_1 \otimes \mathbf {x}_2 \otimes \overbrace{(d_3 \mathbf {c}_2 + \mathbf {d}_4 s - r_2 \mathbf {c}_3)}^{(\text {i})}}_{= (\mathbf {x}_1\otimes \mathbf {x}_2\otimes (\mathbf {x}_3\alpha +r_3\mathbf {w}_3))s})\mathbf {f}^{\!\scriptscriptstyle {\top }}- (\underbrace{\mathbf {x}_1 \otimes (\overbrace{\mathbf {d}_2(\mathbf {I}_{n} \otimes \mathbf {c}_2)}^{(\text {ii})})}_{=(\mathbf {x}_1\otimes \mathbf {x}_2\otimes r_3\mathbf {w}_3)s + (\mathbf {x}_1\otimes r_2\mathbf {w}_2\otimes \mathbf {w}_3)s}) \mathbf {f}^{\!\scriptscriptstyle {\top }}\;\;\\&\qquad \qquad +\;\; \underbrace{\;\overbrace{\;r_2 \mathbf {x}_1 \mathbf {c}_1^{\!\scriptscriptstyle {\top }}\;}^{(\text {iii})} \;-\; \overbrace{\;\mathbf {d}_1 s\;}^{(\text {iv})}}_{= (\mathbf {x}_1 \otimes r_2\mathbf {w}_2 \otimes \mathbf {w}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}s\;} \end{aligned}$$

where

$$\begin{aligned} (\text {i})= & {} (r_3+r_2v_0)(\mathbf {w}_3s) + (\mathbf {x}_3\alpha +r_2\mathbf {v})s - r_2(v_0\mathbf {w}_3+\mathbf {v})s = (\mathbf {x}_3 \alpha + r_3 \mathbf {w}_3) s\\ (\text {ii})= & {} (\mathbf {x}_2 r_3 + r_2\mathbf {w}_2) \cdot (\mathbf {I}_{n} \otimes \mathbf {w}_3s) = (\mathbf {x}_2 \otimes r_3\mathbf {w}_3)s + (r_2\mathbf {w}_2\otimes \mathbf {w}_3)s\\ (\text {iii})= & {} \mathbf {x}_1 r_2 ((\mathbf {I}_n \otimes \mathbf {w}_2 \otimes \mathbf {w}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {w}_1^{\!\scriptscriptstyle {\top }})s = (\mathbf {x}_1 \otimes r_2\mathbf {w}_2 \otimes \mathbf {w}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}s + \mathbf {x}_1 r_2 \mathbf {w}_1^{\!\scriptscriptstyle {\top }}s\\ (\text {iv})= & {} \mathbf {x}_1 r_2 \mathbf {w}_1^{\!\scriptscriptstyle {\top }}s \end{aligned}$$

Security warm-up. As before in Sect. 2.1, it suffices to show that $\alpha $ is computationally hidden given

$$\begin{aligned} {\widehat{\textsf {ct}}}=&\qquad \,\,\,\, [(\mathbf {I}_n \otimes \mathbf {w}_2 \otimes \mathbf {w}_3) \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {w}_1^{\!\scriptscriptstyle {\top }}]_1,[\mathbf {w}_3]_1, [v_0\mathbf {w}_3 + \mathbf {v}]_1, \nonumber \\ {\widehat{\textsf {sk}}}=&\qquad \,\,\,\, [\mathbf {x}_1 \mathbf {w}_1^{\!\scriptscriptstyle {\top }}]_2, [\mathbf {x}_2 r_3 + \mathbf {w}_2]_2,\qquad [r_3+v_0]_2, [\mathbf {x}_3 \alpha + \mathbf {v}]_2 \end{aligned}$$

(6)

Here, we allow adaptive choices of $\mathbf {f}$ and $\mathbf {x}_1,\mathbf {x}_2,\mathbf {x}_3$ subject to the constraint $(\mathbf {x}_1\otimes \mathbf {x}_2\otimes \mathbf {x}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}= 0$. In this overview, we focus on the case $\mathbf {f}$ is queried before $\mathbf {x}_1,\mathbf {x}_2,\mathbf {x}_3$.

Step 1. We start by sampling random $\widetilde{\mathbf {w}}_1,\widetilde{\mathbf {v}}$ and programming

$$ {\widetilde{\mathbf {w}}_1}^{\!\scriptscriptstyle {\top }}= (\mathbf {I}_n \otimes \mathbf {w}_2 \otimes \mathbf {w}_3) \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {w}_1^{\!\scriptscriptstyle {\top }}, \quad \widetilde{\mathbf {v}}= v_0\mathbf {w}_3 + \mathbf {v}$$

We can then rewrite $\textsf {ct},\textsf {sk}$ as:

$$\begin{aligned} \begin{array}{rcllll} \textsf {ct}&{}=&{} &{} [{\widetilde{\mathbf {w}}_1}^{\!\scriptscriptstyle {\top }}]_1, [\mathbf {w}_3]_1,&{}[\widetilde{\mathbf {v}}]_1\\ \textsf {sk}&{}=&{} &{}[\mathbf {x}_1{\widetilde{\mathbf {w}}_1}^{\!\scriptscriptstyle {\top }}-(\mathbf {x}_1\otimes \mathbf {w}_2\otimes \mathbf {w}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}]_2,[\mathbf {x}_2r_3+\mathbf {w}_2]_2, &{}[r_3+v_0]_2, [\mathbf {x}_3 \alpha + \widetilde{\mathbf {v}}- v_0\mathbf {w}_3]_2 \end{array} \end{aligned}$$

Step 2. Next, we sample random $\widetilde{\mathbf {w}}_2,\widetilde{v}_0$ and program

$$ {\widetilde{\mathbf {w}}_2} = \mathbf {x}_2 r_3 + \mathbf {w}_2, \quad \widetilde{v}_0 = r_3 + v_0$$

We can then rewrite $\textsf {sk}$ as:

$$\begin{aligned} \textsf {sk}=&[\mathbf {x}_1{\widetilde{\mathbf {w}}_1}^{\!\scriptscriptstyle {\top }}-(\mathbf {x}_1\otimes \widetilde{\mathbf {w}}_2\otimes \mathbf {w}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}+ (\mathbf {x}_1\otimes \mathbf {x}_2\otimes r_3\mathbf {w}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}]_2,\\&[\widetilde{\mathbf {w}}_2]_2, [\widetilde{v}_0]_2, [\mathbf {x}_3 \alpha + \widetilde{\mathbf {v}}- \widetilde{v}_0\mathbf {w}_3 + r_3 \mathbf {w}_3]_2 \end{aligned}$$

Step 3. At this point, all of the leakage on $\alpha $ comes from the following terms in $\textsf {ct},\textsf {sk}$:

$$\begin{aligned}&[\mathbf {w}_3]_1\\&[(\mathbf {x}_1\otimes \mathbf {x}_2\otimes r_3\mathbf {w}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}]_2,[\mathbf {x}_3\alpha +r_3\mathbf {w}_3]_2 \end{aligned}$$

If we can argue that $[r_3\mathbf {w}_3]_2$ is pseudorandom, then we have

$$\begin{aligned} \begin{aligned} \{[(\mathbf {x}_1\otimes \mathbf {x}_2\otimes r_3\mathbf {w}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}]_2,[\mathbf {x}_3\alpha +r_3\mathbf {w}_3]_2\}&\approx _c [(\mathbf {x}_1\otimes \mathbf {x}_2\otimes \widetilde{\mathbf {d}}_4)\mathbf {f}^{\!\scriptscriptstyle {\top }}\\&-\,\overbrace{(\mathbf {x}_1\otimes \mathbf {x}_2\otimes \mathbf {x}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}}^{=0}\alpha ]_2,[\widetilde{\mathbf {d}}_4]_2,\;\widetilde{\mathbf {d}}_4 \leftarrow \mathbb {Z}_p^n \end{aligned} \end{aligned}$$

and then we are done. Unfortunately, $[r_3\mathbf {w}_3]_2$ is not pseudorandom given $[\mathbf {w}_3]_1$ for the same reason DDH is false in symmetric bilinear groups; however, an analogous statement does hold if we replace $r_3,\mathbf {w}_3$ with their $k'$-dimensional analogues ($k' \ge 2$). Concretely, the bilateral $k'$-Lin assumption tells us that $[\mathbf {r}_3\mathbf {W}_3]_2$ is pseudorandom given $[\mathbf {W}_3]_1$, where ${\mathbf {r}_3 \leftarrow \mathbb {Z}_p^{k'}, \mathbf {W}_3 \leftarrow \mathbb {Z}_p^{k' \times n}}$.

Modifications. In addition to replacing $r_3,\mathbf {w}_3$ with ${\mathbf {r}_3 \leftarrow \mathbb {Z}_p^{k'}, \mathbf {W}_3 \leftarrow \mathbb {Z}_p^{k' \times n}}$,

we replace $\mathbf {x}_2 r_3$ in $\textsf {sk}$ with $\mathbf {x}_2 \otimes \mathbf {r}_3$, which in turns require increasing the width of $\mathbf {w}_2$ to $k'n$ (so that $\mathbf {x}_2 \otimes \mathbf {r}_3 + r_2 \mathbf {w}_2$ is well-defined);
we replace $\mathbf {w}_2 \otimes \mathbf {w}_3 = \mathbf {w}_2(\mathbf {I}_n \otimes \mathbf {w}_3)$ in $\textsf {ct}$ with $\mathbf {w}_2(\mathbf {I}_n \otimes \mathbf {W}_3)$;
we replace $v_0$ with $\mathbf {v}_0 \in \mathbb {Z}_p^{k'}$.

This means that when we program $\widetilde{\mathbf {w}}_2 = \mathbf {x}_2 \otimes \mathbf {r}_3 + \mathbf {w}_2$ in Step 2, we have $\mathbf {w}_2(\mathbf {I}_n \otimes \mathbf {W}_3) = \widetilde{\mathbf {w}}_2(\mathbf {I}_n \otimes \mathbf {W}_3) - \mathbf {x}_2 \otimes \mathbf {r}_3\mathbf {W}_3$, upon which we could invoke the bi-$k'$-Lin assumption. The case $\mathbf {f}$ is queried after $\mathbf {x}_1,\mathbf {x}_2,\mathbf {x}_3$ uses similar ideas, except we would instead rely on the $k'$-Lin assumption in $\mathbb {G}_1$. Putting the modifications together, we arrive at the following variant of the scheme in (6):

$$\begin{aligned} \begin{array}{rcllll} {\widehat{\textsf {ct}}}&{}=&{} &{}[(\mathbf {I}_{n_1} \otimes \mathbf {w}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3)) \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {w}_1^{\!\scriptscriptstyle {\top }}]_1,[\mathbf {W}_3]_1, &{}[\mathbf {v}_0\mathbf {W}_3 + \mathbf {v}]_1,&{}\quad \mathbf {W}_3 \leftarrow \mathbb {Z}_p^{k' \times n} \\ {\widehat{\textsf {sk}}}&{}=&{} &{}[\mathbf {x}_1 \mathbf {w}_1^{\!\scriptscriptstyle {\top }}]_2, [\mathbf {x}_2 \otimes \mathbf {r}_3 + \mathbf {w}_2]_2,&{} [\mathbf {r}_3+\mathbf {v}_0]_2, [\mathbf {x}_3 \alpha + \mathbf {v}]_2 &{}\quad \mathbf {r}_3 \leftarrow \mathbb {Z}_p^{k'}, r_2 \leftarrow \mathbb {Z}_p \end{array} \end{aligned}$$

(7)

In Lemma 1, we show that the above scheme hides $\alpha $ given ${\widehat{\textsf {ct}}},{\widehat{\textsf {sk}}}$ for adaptive choices of $\mathbf {f}$ and $\mathbf {x}_1,\mathbf {x}_2,\mathbf {x}_3$ subject to the constraint $(\mathbf {x}_1\otimes \mathbf {x}_2\otimes \mathbf {x}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}= 0$. This holds under the $k'$-Lin assumption in $\mathbb {G}_1$ and the bi-$k'$-Lin assumption.

2.4 Our Final CP-ABE

We now describe how we arrive at our final CP-ABE for the class of degree 3 polynomials, which achieves adaptive security against unbounded collusions under the k-Lin assumption in $\mathbb {G}_1,\mathbb {G}_2$ and the bilateral $k'$-Lin assumption, where $k \ge 1, k' \ge 2$. Following the dual system encryption methodology and the “compiler” in [10], we sample ${\mathbf {A}\leftarrow \mathbb {Z}_p^{(k+1)\times k}, \mathbf {B}\leftarrow \mathbb {Z}_p^{k \times (k+1)}}$ and make the following substitutions to the scheme in (5) combined with (7):

$$\begin{aligned}&s \mapsto \mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }}\in \mathbb {Z}_p^{1\times (k+1)},\; \alpha \mapsto \mathbf {k}\in \mathbb {Z}_p^{k+1},\; r \mapsto \mathbf {r}\mathbf {B}\in \mathbb {Z}_p^{k+1}\\&\mathbf {w}_2 \mapsto \mathbf {W}_2 \in \mathbb {Z}_p^{(k+1) \times (k+1)k'n},\, \mathbf {w}_1^{\!\scriptscriptstyle {\top }}\mapsto \mathbf {W}_1 \in \mathbb {Z}_p^{(k+1)n \times (k+1)},\,\\&\mathbf {v}\mapsto \mathbf {V}\in \mathbb {Z}_p^{(k+1) \times (k+1)n},\, \mathbf {v}_0 \mapsto \mathbf {V}_0 \in \mathbb {Z}_p^{(k+1) \times (k+1)k'} \end{aligned}$$

That is, we increase the width and heights of each of $\mathbf {w}_2,\mathbf {w}_1^{\!\scriptscriptstyle {\top }},\mathbf {v},\mathbf {v}_0$ by a multiplicative factor of $k+1$. We refer to Sect. 4.1 for a complete description of the scheme.

In the security proof, we rely on the following fact: for any $m,\ell \ge 1$, with probability $1-2/p$ over ${\mathbf {c}\leftarrow \mathbb {Z}_p^{k+1}, \mathbf {d}\leftarrow \mathbb {Z}_p^{k+1}}$, the matrix

$$(\mathbf {I}_m \otimes \mathbf {d}) \mathbf {M}(\mathbf {I}_\ell \otimes \mathbf {c}^{\!\scriptscriptstyle {\top }}) \in \mathbb {Z}_p^{m\ell }$$

is uniformly random given $\mathbf {M}(\mathbf {I}_\ell \otimes \mathbf {A}), (\mathbf {I}_m \otimes \mathbf {B})\mathbf {M}$, where ${\mathbf {M}\leftarrow \mathbb {Z}_p^{(k+1)m \times (k+1)\ell }}$. This was first observed in [10] for the special case $m=\ell =1$. In our security reduction, we would then essentially “embed” $\mathbf {w}_2,\mathbf {w}_1^{\!\scriptscriptstyle {\top }},\mathbf {v},\mathbf {v}_0$ from the scheme in (7) into $\mathbf {d}\mathbf {W}_2(\mathbf {I}_{n_2}\otimes \mathbf {c}^{\!\scriptscriptstyle {\top }}), (\mathbf {I}_{n_1}\otimes \mathbf {d})\mathbf {W}_1\mathbf {c}^{\!\scriptscriptstyle {\top }}, \mathbf {d}\mathbf {V}(\mathbf {I}_{n_3}\otimes \mathbf {c}^{\!\scriptscriptstyle {\top }}), \mathbf {d}\mathbf {V}_0(\mathbf {I}_{k'}\otimes \mathbf {c}^{\!\scriptscriptstyle {\top }})$.

In the body of the paper, we consider a broader class of degree 3 polynomials over $\mathbb {Z}_p^{n_1}\times \mathbb {Z}_p^{n_2}\times \mathbb {Z}_p^{n_3}$. By varying $n_1,n_2,n_3$, we obtain trade-offs between ciphertext and key sizes as described in Fig. 1.

2.5 Discussion

We describe some additional related works as well as open problems.

The GKW lower bound. Gay, Kerendis and Wee showed a $N^{1/(d+1)}$ lower bound for information-theoretically secure conditional disclosure of secrets (CDS) protocols for broadcast encryption with degree d reconstruction [14]. The scheme in (3) constitutes such a CDS scheme with $\sqrt{N}$ parameters and linear reconstruction, where the scheme in (6) constitutes a CDS scheme with computational security and $N^{1/3}$ parameters with quadratic reconstruction “in the exponent”. Given that quadratic reconstruction seems to be the best we can hope for with bilinear maps, beating the $N^{1/3}$ parameter size achieved in this work for pairing-based broadcast encryption would be a remarkable break-through.

In 2014, Boneh, Waters and Zhandry constructed such a broadcast encryption scheme with $\textsf {poly}(\log N)$-sized parameters assuming multi-linear maps [8]. As mentioned earlier, Agrawal and Yamada [2, 3] recently obtained the same result from pairings and LWE. Independently, Brakerski and Vaikuntathan [9] presented a “lattice-inspired” candidate broadcast encryption with $\textsf {poly}(\log N)$-sized parameters, but they were unable to provide a reduction to LWE or any simple lattice assumption. These latter two works derived the broadcast encryption scheme as a special case of a more general result, namely CP-ABE for boolean formula/circuits over $\{0,1\}^n$ with $\textsf {poly}(n)$-sized parameters.

Zhandry [27] recently constructed the first pairing-based traitor-tracing scheme for N users with $O(N^{1/3})$-sized parameters that is secure in the generic group model. While the work also constructed traitor-tracing schemes with broadcast, these additional schemes do not improve upon the state-of-the-art for broadcast encryption (see Table 1 in [27]), except for adding traitor-tracing capabilities. While Zhandry’s results did motivate us to revisit the LVW conjecture regarding a $O(N^{1/3})$-sized broadcast encryption scheme, the techniques there-in appear to be largely unrelated to those developed in this work. In a way, broadcast encryption is harder than traitor-tracing in that we do have $\textsf {poly}(\log N)$-sized traitor-tracing from just LWE [16], but not for broadcast encryption.

Open problems. We describe two open problems:

Can we build a pairing-based CP-ABE for degree 2 polynomials with $|\textsf {mpk}| = O(n)$ and either $|\textsf {ct}| = O(1), |\textsf {sk}| = O(n)$ or $|\textsf {ct}| = O(n), |\textsf {sk}| = O(1)$? The former would imply a pairing-based broadcast encryption scheme for N users with $|\textsf {mpk}| = O(\sqrt{N}), |\textsf {ct}| = O(1), |\textsf {sk}| = O(\sqrt{N})$.
Another important open problem is to build broadcast encryption with $O(\sqrt{N})$-sized parameters, or CP-ABE for degree 2 polynomials with O(n)-sized parameters from just LWE. All known approaches for LWE-based ABE has ciphertext size at least linear in the length of the attribute, which in the case of broadcast encryption means an $\varOmega (N)$-sized ciphertext. Much of the prior research efforts towards LWE-based CP-ABE has focused on the class of circuits, and perhaps it would be easier to make progress by focusing on the simple class of degree 2 polynomials.

Perspective. To conclude, our results provide the first indication that we could leverage techniques and insights from FE for degree 2 polynomials to achieve surprising asymptotic efficiency improvements in the broader setting of pairing-based ABE. We are optimistic that this connection could yield further (asymptotic) efficiency improvements in other pairing-based schemes, both within ABE and beyond.

3 Preliminaries

Notations. We denote by $s \leftarrow S$ the fact that s is picked uniformly at random from a finite set S. We use $\approx _s$ to denote two distributions being statistically indistinguishable, and $\approx _c$ to denote two distributions being computationally indistinguishable. We use lower case boldface to denote row vectors and upper case boldface to denote matrices. For any positive integer N, we use [N] to denote $\{1,2,\ldots ,N\}$.

Tensor product. The tensor product (Kronecker product) for matrices $\mathbf {A}= (a_{i,j}) \in \mathbb {Z}^{\ell \times m}$, $\mathbf {B}\in \mathbb {Z}^{n\times p}$ is defined as

$$\begin{aligned} \mathbf {A}\otimes \mathbf {B}= \begin{bmatrix} a_{1,1} \mathbf {B}, &{} \ldots , &{} a_{1,m} \mathbf {B}\\ \ldots , &{} \ldots , &{} \ldots \\ a_{\ell ,1} \mathbf {B}, &{} \ldots , &{} a_{\ell ,m} \mathbf {B}\end{bmatrix}\in \mathbb {Z}^{\ell n\times mp}. \end{aligned}$$

The mixed-product property for tensor product says that

$$\begin{aligned} (\mathbf {A}\otimes \mathbf {B})(\mathbf {C}\otimes \mathbf {D}) = (\mathbf {A}\mathbf {C}) \otimes (\mathbf {B}\mathbf {D}) \end{aligned}$$

A useful corollary of the mixed-product property says that for any pair of row vectors $\mathbf {u},\mathbf {v}\in \mathbb {Z}^n$,

$$\begin{aligned} \mathbf {u}\otimes \mathbf {v}= & {} (\mathbf {u}\otimes 1) (\mathbf {I}_n \otimes \mathbf {v}) = (1 \otimes \mathbf {v}) (\mathbf {u}\otimes \mathbf {I}_n)\\= & {} \mathbf {u}(\mathbf {I}_n \otimes \mathbf {v}) = \mathbf {v}(\mathbf {u}\otimes \mathbf {I}_n) \end{aligned}$$

We adopt the convention that matrix multiplication takes precedence over tensor product, so that we can write $\mathbf {A}\otimes \mathbf {B}\mathbf {C}$ to mean $\mathbf {A}\otimes (\mathbf {B}\mathbf {C})$.

3.1 Prime-Order Bilinear Groups

A generator $\mathcal {G}$ takes as input a security parameter $1^\lambda $ and outputs a description $\mathbb {G} := (p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e)$, where p is a prime of $\varTheta (\lambda )$ bits, $\mathbb {G}_1$, $\mathbb {G}_2$ and $\mathbb {G}_T$ are cyclic groups of order p, and $e : \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T$ is a non-degenerate bilinear map. We require that the group operations in $\mathbb {G}_1$, $\mathbb {G}_2$, $\mathbb {G}_T$ and the bilinear map e are computable in deterministic polynomial time in $\lambda $. Let $g_1 \in \mathbb {G}_1$, $g_2 \in \mathbb {G}_2$ and $g_T = e(g_1,g_2) \in \mathbb {G}_T$ be the respective generators. We employ the implicit representation of group elements: for a matrix $\mathbf {M}$ over $\mathbb {Z}_p$, we define $[\mathbf {M}]_1:=g_1^{\mathbf {M}},[\mathbf {M}]_2:=g_2^{\mathbf {M}},[\mathbf {M}]_T:=g_T^{\mathbf {M}}$, where exponentiation is carried out component-wise. Also, given $[\mathbf {A}]_1,[\mathbf {B}]_2$, we let $e([\mathbf {A}]_1,[\mathbf {B}]_2) = [\mathbf {A}\mathbf {B}]_T$. We recall the matrix Diffie-Hellman (MDDH) assumption on $\mathbb {G}_1$ [11]:

Assumption 1

($\mathrm {MDDH}^{d}_{k,\ell }$ Assumption). Let $k,\ell ,d \in \mathbb {N}$. We say that the $\mathrm {MDDH}^{d}_{k,\ell }$ assumption holds if for all PPT adversaries $\mathcal {A}$, the following advantage function is negligible in $\lambda $.

where $\mathbb {G} := (p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e) \leftarrow \mathcal {G}(1^\lambda )$, $\mathbf {M}\leftarrow \mathbb {Z}_p^{\ell \times k}$, $\mathbf {S}\leftarrow \mathbb {Z}_p^{k \times d}$ and $\mathbf {U}\leftarrow \mathbb {Z}_p^{\ell \times d}$.

The MDDH assumption on $\mathbb {G}_2$ can be defined in an analogous way. Escala et al. [11] showed that

$$ k\text {-Lin} \Rightarrow \mathrm {MDDH}_{k,k+1}^1 \Rightarrow \mathrm {MDDH}_{k,\ell }^d\; \forall \; k, d \ge 1,\ell > k$$

with a tight security reduction. (In the setting where $\ell \le k$, the $\mathrm {MDDH}_{k,\ell }^d$ assumption holds unconditionally.)

The bilateral MDDH assumption is defined analogously with the advantage function:

Note that the bilateral MDDH and bilateral k-Lin assumptions are false for $k=1$. In this paper, we only require a weaker variant of the bilateral MDDH assumption, as defined with the advantage function:

3.2 Attribute-Based Encryption

We define attribute-based encryption in the framework of key encapsulation. A attribute-based encryption scheme for a predicate $\textsf {P}(\,\cdot \,,\,\cdot \,)$ consists of four algorithms $(\mathsf {Setup}, \mathsf {Enc}, \mathsf {KeyGen}, \mathsf {Dec})$:

$\mathsf {Setup}(1^\lambda ,\mathcal {X},\mathcal {Y})\rightarrow (\textsf {pp}, \textsf {mpk}, \textsf {msk})$. The setup algorithm gets as input the security parameter $\lambda $, the the predicate domains $\mathcal {X},\mathcal {Y}$ and outputs the public parameter $\textsf {mpk}$, and the master key $\textsf {msk}$.
$\mathsf {Enc}(\textsf {mpk},x)\rightarrow (\textsf {ct}, \kappa )$. The encryption algorithm gets as input $\textsf {mpk}$ and $x \in \mathcal {X}$. It outputs a ciphertext $\textsf {ct}$ and a symmetric key $\mathsf {kem}\in \{0,1\}^\lambda $.
$\mathsf {KeyGen}(\textsf {msk},y)\rightarrow \textsf {sk}$. The key generation algorithm gets as input $\textsf {msk}$ and $y \in \mathcal {Y}$. It outputs a secret key $\textsf {sk}$.
$\mathsf {Dec}(\textsf {sk},y,\textsf {ct},x) \rightarrow \kappa $. The decryption algorithm gets as input $\textsf {sk},\textsf {ct},x,y$ such that $\textsf {P}(x,y)=1$. It outputs a symmetric key $\mathsf {kem}$.

In our schemes, we would actually compute $\mathsf {kem}\in \mathbb {G}_T$, which can then be hashed to $\{0,1\}^\lambda $.

Correctness. We require that for all $(x,y) \in \mathcal {X}\times \mathcal {Y}$ such that $\textsf {P}(x,y)=1$,

$$\begin{aligned} \Pr [(\textsf {ct},\mathsf {kem}) \leftarrow \mathsf {Enc}(\textsf {mpk},x); \mathsf {Dec}(\textsf {sk},y,\textsf {ct},x) = \mathsf {kem})]= 1, \end{aligned}$$

where the probability is taken over $(\textsf {mpk},\textsf {msk}) \leftarrow \mathsf {Setup}(1^\lambda ,\mathcal {X},\mathcal {Y})$ and the coins of $\mathsf {Enc}$.

Security definition. For a stateful adversary $\mathcal {A}$, we define the advantage function

$$\begin{aligned} \mathsf {Adv}^{\textsc {abe}}_{\mathcal {A}}(\lambda ) := \Pr \left[ b = b' : \begin{array}{l} (\textsf {mpk},\textsf {msk}) \leftarrow \mathsf {Setup}(1^\lambda ,\mathcal {X},\mathcal {Y});\\ x \leftarrow \mathcal {A}^{\mathsf {KeyGen}(\textsf {msk},\cdot )}(\textsf {mpk});\\ b \leftarrow _{\textsc {r}}\{0,1\}; \mathsf {kem}_1 \leftarrow _{\textsc {r}}\{0,1\}^\lambda \\ (\textsf {ct},\mathsf {kem}_0) \leftarrow \mathsf {Enc}(\textsf {mpk},x);\\ b' \leftarrow \mathcal {A}^{\mathsf {KeyGen}(\textsf {msk},\cdot )}(\textsf {ct},\mathsf {kem}_b) \end{array}\right] - \frac{1}{2} \end{aligned}$$

with the restriction that all queries y that $\mathcal {A}$ makes to $\mathsf {KeyGen}(\textsf {msk},\cdot )$ satisfies $\textsf {P}(x,y) = 0$. An attribute-based encryption scheme is adaptively secure if for all PPT adversaries $\mathcal {A}$, the advantage $\mathsf {Adv}^{\textsc {abe}}_{\mathcal {A}}(\lambda )$ is a negligible function in $\lambda $.

CP-ABE for degree 3 polynomials. Here,

$$\begin{aligned} \mathcal {X}= \mathbb {Z}_p^{n_1n_2n_3}, \mathcal {Y}= \mathbb {Z}_p^{n_1} \times \mathbb {Z}_p^{n_2} \times \mathbb {Z}_p^{n_3} \end{aligned}$$

and

$$ \textsf {P}(\mathbf {f},(\mathbf {x}_1,\mathbf {x}_2,\mathbf {x}_3)) = 1 \Longleftrightarrow (\mathbf {x}_1 \otimes \mathbf {x}_2 \otimes \mathbf {x}_3) \cdot \mathbf {f}^{\!\scriptscriptstyle {\top }}\ne 0$$

Broadcast Encryption. Here,

$$\begin{aligned} \mathcal {X}= \{0,1\}^N, \mathcal {Y}= [N] \end{aligned}$$

where we think of $\{0,1\}^N$ as the power set of [N] (i.e., set of all subsets of [N]), and

$$\begin{aligned} \textsf {P}(S,y) = 1 \Longleftrightarrow y \in S \end{aligned}$$

4 CP-ABE for Degree 3 Polynomials

In this section, we present an adaptively secure CP-ABE for degree 3 polynomials against unbounded collusions, under the k-Lin assumption in $\mathbb {G}_1,\mathbb {G}_2$ and the bilateral k’-Lin assumption, where $k \ge 1, k' \ge 2$. Our scheme achieves

$$\begin{aligned} |\textsf {mpk}|= & {} ( k(k+1) + k(k+1)(n_1 + k'n_2 + n_3) + k')|\mathbb {G}_1| + |\mathbb {G}_T|\\ |\textsf {ct}|= & {} (k+1 + (k+1)n_1 + (k+1)k'n_3 + (k+1)n_3)|\mathbb {G}_1|\\ |\textsf {sk}|= & {} (2k+1 + (k+1)k'n_2 + (k+1)k' + (k+1)n_3)|\mathbb {G}_2| \end{aligned}$$

Setting $k=1,k'=2$, we obtain

$$ \begin{aligned} |\textsf {mpk}| =&(2 n_1 + 4 n_2 + 2 n_3 + 4)|\mathbb {G}_1|+|\mathbb {G}_T|,\quad |\textsf {ct}| = (2n_1 + 6n_3 + 2)|\mathbb {G}_1|,\\&|\textsf {sk}| = (4n_2 + 2n_3 + 7)|\mathbb {G}_2| \end{aligned}$$

4.1 Our Scheme

$\mathsf {Setup}(p,1^{n_1},1^{n_2},1^{n_3})$: Run $\mathbb {G} = (\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e) \leftarrow \mathcal {G}(p)$. Sample
$$\begin{aligned}&\mathbf {A}\leftarrow \mathbb {Z}_p^{(k+1) \times k},\mathbf {k}\leftarrow \mathbb {Z}_p^{k+1}, \mathbf {W}_2 \leftarrow \mathbb {Z}_p^{(k+1) \times (k+1)k'n_2}, \mathbf {W}_1 \leftarrow \mathbb {Z}_p^{(k+1)n_1 \times (k+1)},\\&\mathbf {V}\leftarrow \mathbb {Z}_p^{(k+1) \times (k+1)n_3}, \mathbf {V}_0 \leftarrow \mathbb {Z}_p^{(k+1) \times (k+1)k'}, \mathbf {B}\leftarrow \mathbb {Z}_p^{k \times (k+1)} \end{aligned}$$
For a matrix $\mathbf {M}\in \mathbb {Z}_p^{(k+1)m \times (k+1)\ell }$, we write $\overline{\mathbf {M}} := \mathbf {M}(\mathbf {I}_\ell \otimes \mathbf {A}) \in \mathbb {Z}_p^{(k+1)m \times k\ell }$. In particular, we have
$$\overline{\mathbf {k}}= \mathbf {k}\mathbf {A},\; \overline{\mathbf {W}}_2 = \mathbf {W}_2(\mathbf {I}_{k'n_2} \otimes \mathbf {A}),\; \overline{\mathbf {W}}_1 = \mathbf {W}_1\mathbf {A},\; \overline{\mathbf {V}}= \mathbf {V}(\mathbf {I}_{n_3} \otimes \mathbf {A}),\; \overline{\mathbf {V}}_0 = \mathbf {V}_0 (\mathbf {I}_{k'}\otimes \mathbf {A}) $$
Output
$$ \textsf {mpk}= \big (\,\mathbb {G},\,[\mathbf {A}]_1,\,[\overline{\mathbf {k}}]_T,\,[\overline{\mathbf {W}}_2]_1,\,[\overline{\mathbf {W}}_1]_1,\,[\overline{\mathbf {V}}]_1,\,[\overline{\mathbf {V}}_0]_1\,\big ), \quad \textsf {msk}= (\mathbf {k},\mathbf {W}_1,\mathbf {W}_2,\mathbf {V},\mathbf {V}_0,\mathbf {B}) $$
$\mathsf {Enc}(\textsf {mpk},\mathbf {f})$: Sample
$$ \mathbf {s} \leftarrow \mathbb {Z}_p^k, \mathbf {W}_3 \leftarrow \mathbb {Z}_p^{k' \times n_3} $$
and output
$$\begin{aligned}&\qquad \, \textsf {ct}= \big (\, [\underbrace{\mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }}}_{\mathbf {c}_0^{\!\scriptscriptstyle {\top }}}]_1, [\underbrace{(\mathbf {I}_{n_1} \otimes (\overline{\mathbf {W}}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3\otimes \mathbf {s}^{\!\scriptscriptstyle {\top }})))\mathbf {f}^{\!\scriptscriptstyle {\top }}+\overline{\mathbf {W}}_1\mathbf {s}^{\!\scriptscriptstyle {\top }}}_{\mathbf {c}_1^{\!\scriptscriptstyle {\top }}}]_1,\\&[\underbrace{\mathbf {W}_3\otimes \mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }}}_{\mathbf {C}_2}]_1,\, [\underbrace{\overline{\mathbf {V}}_0(\mathbf {W}_3\otimes \mathbf {s}^{\!\scriptscriptstyle {\top }})+\overline{\mathbf {V}}(\mathbf {I}_{n_3}\otimes \mathbf {s}^{\!\scriptscriptstyle {\top }})}_{\mathbf {C}_3}]_1 \,\big ),\quad \mathsf {kem}= [\overline{\mathbf {k}}\mathbf {s}^{\!\scriptscriptstyle {\top }}]_T \end{aligned}$$
$\mathsf {KeyGen}(\textsf {msk}, \mathbf {x}_1,\mathbf {x}_2,\mathbf {x}_3)$: Sample
$$ \mathbf {r}_2 \leftarrow \mathbb {Z}_p^{k}, \mathbf {r}_3 \leftarrow \mathbb {Z}_p^{(k+1)k'} $$
and output
$$ \begin{aligned} \textsf {sk}=&\big (\, [\underbrace{\mathbf {r}_2\mathbf {B}}_{\mathbf {d}_0}]_2,\, [\underbrace{(\mathbf {x}_1 \otimes \mathbf {r}_2\mathbf {B})\mathbf {W}_1}_{\mathbf {d}_1}]_2,\, [\underbrace{\mathbf {x}_2 \otimes \mathbf {r}_3+\mathbf {r}_2\mathbf {B}\mathbf {W}_2}_{\mathbf {d}_2}]_2,\, [\underbrace{\mathbf {r}_3 + \mathbf {r}_2\mathbf {B}\mathbf {V}_0}_{\mathbf {d}_3}]_2,\\&[\underbrace{\mathbf {x}_3 \otimes \mathbf {k}+ \mathbf {r}_2\mathbf {B}\mathbf {V}}_{\mathbf {d}_4}]_2 \,\big ) \end{aligned} $$
$\mathsf {Dec}(\textsf {sk},(\mathbf {x}_1,\mathbf {x}_2,\mathbf {x}_3),\textsf {ct},\mathbf {f})$: Output
$$\begin{aligned}&\Bigl [\,(\mathbf {x}_1 \otimes \mathbf {x}_2 \otimes \overbrace{(\mathbf {d}_3 \mathbf {C}_2 + \mathbf {d}_4 (\mathbf {I}_{n_3}\otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }}) - \mathbf {d}_0 \mathbf {C}_3)}^{(\text {i})})\mathbf {f}^{\!\scriptscriptstyle {\top }}- (\mathbf {x}_1 \otimes \overbrace{(\mathbf {d}_2 (\mathbf {I}_{n_2} \otimes \mathbf {C}_2))}^{(\text {ii})}) \mathbf {f}^{\!\scriptscriptstyle {\top }}\\&+ \overbrace{(\mathbf {x}_1 \otimes \mathbf {d}_0)\mathbf {c}_1^{\!\scriptscriptstyle {\top }}}^{(\text {iii})} - \overbrace{\mathbf {d}_1 \mathbf {c}_0^{\!\scriptscriptstyle {\top }}}^{(\text {iv})}\,\Bigr ]_T^{((\mathbf {x}_1\otimes \mathbf {x}_2\otimes \mathbf {x}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }})^{-1}} \end{aligned}$$
where the terms in (i), (ii), (iii), (iv) are computed in $\mathbb {G}_T$ using the pairing.

4.2 Correctness

Step 1. First, observe that we can rewrite $\textsf {ct},\mathsf {kem}$ in terms of $\textsf {msk}$ and $[\mathbf {c}_0]_1$ (where $\mathbf {c}_0^{\!\scriptscriptstyle {\top }}= \mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }}$), namely:

$$\begin{aligned} \textsf {ct}= & {} \big (\, [\underbrace{\mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }}}_{\mathbf {c}_0^{\!\scriptscriptstyle {\top }}}]_1,\, [\underbrace{((\mathbf {I}_{n_1} \otimes \mathbf {W}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3\otimes \mathbf {I}_{k+1}))(\mathbf {f}^{\!\scriptscriptstyle {\top }}\otimes \mathbf {I}_{k+1})+\mathbf {W}_1)\mathbf {c}_0^{\!\scriptscriptstyle {\top }}}_{\mathbf {c}_1^{\!\scriptscriptstyle {\top }}}]_1\,\\&\quad [\underbrace{(\mathbf {W}_3\otimes \mathbf {I}_{k+1})(\mathbf {I}_{n_3}\otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }})}_{\mathbf {C}_2}]_1,\, [\underbrace{(\mathbf {V}_0(\mathbf {W}_3\otimes \mathbf {I}_{k+1}) + \mathbf {V})(\mathbf {I}_{n_3}\otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }})}_{\mathbf {C}_3}]_1 \,\big ),\nonumber \\ \mathsf {kem}= & {} [\mathbf {k}\mathbf {c}_0^{\!\scriptscriptstyle {\top }}]_T\nonumber \end{aligned}$$

(8)

To see that this is equivalent to the output of $\mathsf {Enc}$, we will use

$$\begin{aligned} (\mathbf {I}_{k'}\otimes \mathbf {A})(\mathbf {W}_3\otimes \mathbf {s}^{\!\scriptscriptstyle {\top }}) = (\mathbf {W}_3\otimes \mathbf {I}_{k+1})(\mathbf {I}_{n_3}\otimes \mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }}) \end{aligned}$$

(9)

We start with the first summand in $\mathbf {c}_1^{\!\scriptscriptstyle {\top }}$:

$$\begin{aligned} (\mathbf {I}_{n_1} \otimes (\overbrace{\qquad \overline{\mathbf {W}}_2\qquad }^{=\mathbf {W}_2(\mathbf {I}_{n_2}\otimes \mathbf {I}_{k'}\otimes \mathbf {A})}(\mathbf {I}_{n_2}\otimes \mathbf {W}_3\otimes \mathbf {s}^{\!\scriptscriptstyle {\top }})))\mathbf {f}^{\!\scriptscriptstyle {\top }}= & {} (\mathbf {I}_{n_1} \otimes \mathbf {W}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3\otimes \mathbf {I}_{k+1})\\&(\mathbf {I}_{n_2n_3}\otimes \mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }}))\mathbf {f}^{\!\scriptscriptstyle {\top }}\quad \text {using (9)}\\= & {} (\mathbf {I}_{n_1} \otimes \mathbf {W}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3\otimes \mathbf {I}_{k+1}))\\&(\mathbf {I}_{n_1n_2n_3}\otimes \mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }})(\mathbf {f}^{\!\scriptscriptstyle {\top }}\otimes 1)\\= & {} (\mathbf {I}_{n_1} \otimes \mathbf {W}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3\otimes \mathbf {I}_{k+1}))\\&(\mathbf {f}^{\!\scriptscriptstyle {\top }}\otimes \mathbf {I}_{k+1}) \mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }}\\ \end{aligned}$$

For the remaining terms, we have:

$$\begin{aligned} \overline{\mathbf {W}}_1\mathbf {s}^{\!\scriptscriptstyle {\top }}= & {} \mathbf {W}_1 \mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }}\\ \mathbf {W}_3\otimes \mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }}= & {} (\mathbf {W}_3\otimes \mathbf {I}_{k+1})(\mathbf {I}_{n_3}\otimes \mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }})\\ \overbrace{\quad \overline{\mathbf {V}}_0\quad }^{=\mathbf {V}_0(\mathbf {I}_{k'}\otimes \mathbf {A})}(\mathbf {W}_3\otimes \mathbf {s}^{\!\scriptscriptstyle {\top }})= & {} (\mathbf {V}_0(\mathbf {W}_3\otimes \mathbf {I}_{k+1}))(\mathbf {I}_{n_3}\otimes \mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }})\quad \text {using (9)}\\ \overline{\mathbf {V}}(\mathbf {I}_{n_3}\otimes \mathbf {s}^{\!\scriptscriptstyle {\top }})= & {} \mathbf {V}(\mathbf {I}_{n_3}\otimes \mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }}) \end{aligned}$$

Step 2. Next, we show that

$$\begin{aligned}&{(\mathbf {x}_1\otimes \mathbf {x}_2\otimes \mathbf {x}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}\cdot \mathbf {k}\mathbf {c}_0^{\!\scriptscriptstyle {\top }}}\\&= (\mathbf {x}_1 \otimes \mathbf {x}_2 \otimes \overbrace{(\mathbf {d}_3 \mathbf {C}_2 + \mathbf {d}_4 (\mathbf {I}_{n_3}\otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }}) - \mathbf {d}_0 \mathbf {C}_3)}^{(\text {i})})\mathbf {f}^{\!\scriptscriptstyle {\top }}- (\mathbf {x}_1 \otimes \overbrace{(\mathbf {d}_2 (\mathbf {I}_{n_2} \otimes \mathbf {C}_2))}^{(\text {ii})}) \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \overbrace{(\mathbf {x}_1 \otimes \mathbf {d}_0)\mathbf {c}_1^{\!\scriptscriptstyle {\top }}}^{(\text {iii})} - \overbrace{\mathbf {d}_1 \mathbf {c}_0^{\!\scriptscriptstyle {\top }}}^{(\text {iv})} \end{aligned}$$

This follows readily from the following calculations:

$$\begin{aligned} (\text {i})= & {} (\mathbf {r}_3+\mathbf {d}_0\mathbf {V}_0)(\mathbf {W}_3 \otimes \mathbf {I}_{k+1})(\mathbf {I}_{n_3}\otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }}) + (\mathbf {x}_3 \otimes \mathbf {k}+\mathbf {d}_0\mathbf {V})(\mathbf {I}_{n_3} \otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }}) \\&- \mathbf {d}_0(\mathbf {V}_0(\mathbf {W}_3\otimes \mathbf {I}_{k+1})+\mathbf {V})(\mathbf {I}_{n_3} \otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }})\\= & {} (\mathbf {r}_3 (\mathbf {W}_3 \otimes \mathbf {I}_{k+1}) + \mathbf {x}_3 \otimes \mathbf {k})(\mathbf {I}_{n_3} \otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }})\\= & {} \mathbf {r}_3(\mathbf {W}_3 \otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }}) + \mathbf {x}_3 \otimes \mathbf {k}\mathbf {c}_0^{\!\scriptscriptstyle {\top }}\\ (\text {ii})= & {} (\mathbf {x}_2 \otimes \mathbf {r}_3 + \mathbf {d}_0\mathbf {W}_2)\cdot (\mathbf {I}_{n_2} \otimes \mathbf {W}_3 \otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }})\\= & {} \mathbf {x}_2 \otimes (\mathbf {r}_3(\mathbf {W}_3 \otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }})) + \mathbf {d}_0\mathbf {W}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3\otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }})\\ (\text {iii})= & {} (\mathbf {x}_1 \otimes \mathbf {d}_0)((\mathbf {I}_{n_1} \otimes \mathbf {W}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3\otimes \mathbf {I}_{k+1}))(\mathbf {f}^{\!\scriptscriptstyle {\top }}\otimes \mathbf {I}_{k+1})+\mathbf {W}_1)\mathbf {c}_0^{\!\scriptscriptstyle {\top }}\\= & {} (\mathbf {x}_1\otimes (\mathbf {d}_0\mathbf {W}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3\otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }})))\mathbf {f}^{\!\scriptscriptstyle {\top }}+ (\mathbf {x}_1 \otimes \mathbf {d}_0)\mathbf {W}_1 \mathbf {c}_0^{\!\scriptscriptstyle {\top }}\\ (\text {iv})= & {} (\mathbf {x}_1 \otimes \mathbf {d}_0) \mathbf {W}_1 \mathbf {c}_0^{\!\scriptscriptstyle {\top }}\end{aligned}$$

and thus

$$\begin{aligned}&(\mathbf {x}_1 \otimes \mathbf {x}_2 \otimes \overbrace{(\mathbf {d}_3 \mathbf {C}_2 + \mathbf {d}_4 (\mathbf {I}_{n_3}\otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }}) - \mathbf {d}_0 \mathbf {C}_3)}^{(\text {i})})\mathbf {f}^{\!\scriptscriptstyle {\top }}- (\mathbf {x}_1 \otimes \overbrace{(\mathbf {d}_2 (\mathbf {I}_{n_2} \otimes \mathbf {C}_2))}^{(\text {ii})}) \mathbf {f}^{\!\scriptscriptstyle {\top }}\\&+ \overbrace{(\mathbf {x}_1 \otimes \mathbf {d}_0)\mathbf {c}_1^{\!\scriptscriptstyle {\top }}}^{(\text {iii})} - \overbrace{\mathbf {d}_1 \mathbf {c}_0^{\!\scriptscriptstyle {\top }}}^{(\text {iv})}\\&= (\mathbf {x}_1\otimes \mathbf {x}_2\otimes (\mathbf {r}_3(\mathbf {W}_3 \otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }}))) \cdot \mathbf {f}^{\!\scriptscriptstyle {\top }}+ (\mathbf {x}_1\otimes \mathbf {x}_2\otimes \mathbf {x}_3 \otimes \mathbf {k}\mathbf {c}_0^{\!\scriptscriptstyle {\top }}) \cdot \mathbf {f}^{\!\scriptscriptstyle {\top }}\\&\quad -(\mathbf {x}_1 \otimes \mathbf {x}_2 \otimes (\mathbf {r}_3(\mathbf {W}_3 \otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }}))) \cdot \mathbf {f}^{\!\scriptscriptstyle {\top }}- (\mathbf {x}_1 \otimes \mathbf {d}_0\mathbf {W}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3\otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }})) \cdot \mathbf {f}^{\!\scriptscriptstyle {\top }}\\&\quad +(\mathbf {x}_1\otimes (\mathbf {d}_0\mathbf {W}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3\otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }})))\mathbf {f}^{\!\scriptscriptstyle {\top }}+ (\mathbf {x}_1 \otimes \mathbf {d}_0)\mathbf {W}_1 \mathbf {c}_0^{\!\scriptscriptstyle {\top }}\\&\quad - (\mathbf {x}_1 \otimes \mathbf {d}_0) \mathbf {W}_1 \mathbf {c}_0^{\!\scriptscriptstyle {\top }}\end{aligned}$$

Correctness then follows readily.

4.3 Core of Security Proof

As described in the technical overview in Sect. 2.3, the core of the security of lies in proving adaptive security of the scheme in (7) where the adversary is given just a single ciphertext and a single key and no $\textsf {mpk}$ and with $s=r_2=1$. We formalize and prove this statement next.

Given $\alpha _0,\alpha _1 \in \mathbb {Z}_p$, we define the distribution $\mathcal {D}_b$ over $(\textsf {ct},\textsf {sk})$ where:

$$\begin{aligned} \begin{array}{rcllll} \textsf {ct}&{}=&{} &{}[(\mathbf {I}_{n_1} \otimes \mathbf {w}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3)) \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {w}_1^{\!\scriptscriptstyle {\top }}]_1,[\mathbf {W}_3]_1, &{}[\mathbf {v}_0\mathbf {W}_3 + \mathbf {v}]_1,&{} \\ \textsf {sk}&{}=&{} &{}[\mathbf {x}_1 \mathbf {w}_1^{\!\scriptscriptstyle {\top }}]_2, [\mathbf {x}_2 \otimes \mathbf {r}_3 + \mathbf {w}_2]_2,&{} [\mathbf {r}_3+\mathbf {v}_0]_2, [\mathbf {x}_3 \alpha _b + \mathbf {v}]_2 &{} \end{array} \end{aligned}$$

and

$$\begin{aligned} \mathbf {w}_1 \leftarrow \mathbb {Z}_p^{n_1}, \mathbf {w}_2 \leftarrow \mathbb {Z}_p^{k'n_2}, \mathbf {v}\leftarrow \mathbb {Z}_p^{n_3}, \mathbf {v}_0 \leftarrow \mathbb {Z}_p^{k'}, \mathbf {W}_3 \leftarrow \mathbb {Z}_p^{k' \times n_3}, \mathbf {r}_3 \leftarrow \mathbb {Z}_p^{k'} \end{aligned}$$

and we allow adaptive choices of $\mathbf {f}$ and $(\mathbf {x}_1,\mathbf {x}_2,\mathbf {x}_3)$ subject to the constraint $(\mathbf {x}_1 \otimes \mathbf {x}_2 \otimes \mathbf {x}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}= 0$.

Lemma 1

For all $\alpha _0,\alpha _1 \in \mathbb {Z}_p$, we have $\mathcal {D}_0 \approx _c \mathcal {D}_1$, under the $k'$-Lin assumption in $\mathbb {G}_1$ and the bi-$k'$-Lin assumption.

Proof

We bound the advantage of guessing b given $\mathcal {D}_b, b \leftarrow \{0,1\}$ by a negligible function. We proceed via a case analysis, following the “doubly selective” framework [4, 20]:

Case 1 (selective). $\mathbf {f}$ is queried before $\mathbf {x}_1,\mathbf {x}_2,\mathbf {x}_2$.

Step 1. We start by sampling random $\widetilde{\mathbf {w}}_1 \leftarrow \mathbb {Z}_p^{n_1},\widetilde{\mathbf {v}}\leftarrow \mathbb {Z}_p^{n_3}$ and programming

$$ {\widetilde{\mathbf {w}}_1}^{\!\scriptscriptstyle {\top }}= (\mathbf {I}_{n_1} \otimes \mathbf {w}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3)) \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {w}_1^{\!\scriptscriptstyle {\top }}, \quad \widetilde{\mathbf {v}}= \mathbf {v}_0\mathbf {W}_3 + \mathbf {v}$$

We can then rewrite $\textsf {ct},\textsf {sk}$ as:

$$\begin{aligned} \begin{array}{rcllll} \textsf {ct}&{}=&{} &{} [{\widetilde{\mathbf {w}}_1}^{\!\scriptscriptstyle {\top }}]_1, [\mathbf {W}_3]_1,&{}[\widetilde{\mathbf {v}}]_1\\ \textsf {sk}&{}=&{} &{}[\mathbf {x}_1{\widetilde{\mathbf {w}}_1}^{\!\scriptscriptstyle {\top }}-(\mathbf {x}_1\otimes \mathbf {w}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3))\mathbf {f}^{\!\scriptscriptstyle {\top }}]_2,[\mathbf {x}_2 \otimes \mathbf {r}_3+\mathbf {w}_2]_2, &{}[\mathbf {r}_3+\mathbf {v}_0]_2,\\ &{}&{}&{} [\mathbf {x}_3 \alpha _b + \widetilde{\mathbf {v}}- \mathbf {v}_0\mathbf {W}_3]_2 \end{array} \end{aligned}$$

Step 2. Next, we sample random $\widetilde{\mathbf {w}}_2 \leftarrow \mathbb {Z}_p^{k'n_2},\widetilde{\mathbf {v}}_0 \leftarrow \mathbb {Z}_p^{k'}$ and program

$$ {\widetilde{\mathbf {w}}_2} = \mathbf {x}_2 \otimes \mathbf {r}_3 + \mathbf {w}_2, \quad \widetilde{\mathbf {v}}_0 = \mathbf {r}_3 + \mathbf {v}_0$$

We can then rewrite $\textsf {ct},\textsf {sk}$ as:

$$\begin{aligned} \begin{array}{rcllll} \textsf {ct}&{}=&{} &{} [{\widetilde{\mathbf {w}}_1}^{\!\scriptscriptstyle {\top }}]_1, [\mathbf {W}_3]_1,&{}[\widetilde{\mathbf {v}}]_1\\ \textsf {sk}&{}=&{} &{}[\mathbf {x}_1{\widetilde{\mathbf {w}}_1}^{\!\scriptscriptstyle {\top }}+(\mathbf {x}_1\otimes \mathbf {x}_2\otimes \mathbf {r}_3\mathbf {W}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}-(\mathbf {x}_1\otimes \widetilde{\mathbf {w}}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3))\mathbf {f}^{\!\scriptscriptstyle {\top }}]_2,[\widetilde{\mathbf {w}}_2]_2, &{}[\widetilde{\mathbf {v}}_0]_2,\\ &{}&{}&{} [\mathbf {x}_3 \alpha _b + \mathbf {r}_3 \mathbf {W}_3 + \widetilde{\mathbf {v}}- \widetilde{\mathbf {v}}_0\mathbf {W}_3]_2 \end{array} \end{aligned}$$

Step 3. Next, by the bilateral $k'$-Lin assumption, we have:

$$\begin{aligned} \bigl \{\,[\mathbf {W}_3]_1,[\mathbf {r}_3 \mathbf {W}_3 + \mathbf {x}_3 \alpha _b]_2\,\bigr \} \approx _c \bigl \{\,[\mathbf {W}_3]_1,[\widetilde{\mathbf {d}}_4]_2\,\bigr \},\; \widetilde{\mathbf {d}}_4 \leftarrow \mathbb {Z}_p^{n_3}, \end{aligned}$$

This means that

$$\begin{aligned} \begin{array}{rclll} \textsf {sk}&{}\approx _c&{} &{}[\mathbf {x}_1{\widetilde{\mathbf {w}}_1}^{\!\scriptscriptstyle {\top }}+(\mathbf {x}_1\otimes \mathbf {x}_2\otimes \widetilde{\mathbf {d}}_4)\mathbf {f}^{\!\scriptscriptstyle {\top }}-\overbrace{(\mathbf {x}_1\otimes \mathbf {x}_2\otimes \mathbf {x}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}\alpha _b}^{=0} -(\mathbf {x}_1\otimes \widetilde{\mathbf {w}}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3))\mathbf {f}^{\!\scriptscriptstyle {\top }}]_2,\\ &{}&{}&{}[\widetilde{\mathbf {w}}_2]_2, [\widetilde{\mathbf {v}}_0]_2, [\widetilde{\mathbf {d}}_4 + \widetilde{\mathbf {v}}- \widetilde{\mathbf {v}}_0\mathbf {W}_3]_2 \end{array} \end{aligned}$$

That is, the distribution $\mathcal {D}_b$ is computationally indistinguishable from:

$$\begin{aligned} \begin{array}{rcllll} \textsf {ct}&{}=&{} &{} [{\widetilde{\mathbf {w}}_1}^{\!\scriptscriptstyle {\top }}]_1, [\mathbf {W}_3]_1,&{}[\widetilde{\mathbf {v}}]_1\\ \textsf {sk}&{}=&{} &{}[\mathbf {x}_1{\widetilde{\mathbf {w}}_1}^{\!\scriptscriptstyle {\top }}+(\mathbf {x}_1\otimes \mathbf {x}_2\otimes \widetilde{\mathbf {d}}_4)\mathbf {f}^{\!\scriptscriptstyle {\top }}-(\mathbf {x}_1\otimes \widetilde{\mathbf {w}}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3))\mathbf {f}^{\!\scriptscriptstyle {\top }}]_2,[\widetilde{\mathbf {w}}_2]_2, &{}[\widetilde{\mathbf {v}}_0]_2, [\widetilde{\mathbf {d}}_4 + \widetilde{\mathbf {v}}- \widetilde{\mathbf {v}}_0\mathbf {W}_3]_2 \end{array} \end{aligned}$$

which is independent of the bit b.

Case 2: (co-selective). $\mathbf {x}_1,\mathbf {x}_2,\mathbf {x}_2$ is queried before $\mathbf {f}$.

Step 1. We start by sampling random $\widetilde{\mathbf {v}}_0 \leftarrow \mathbb {Z}_p^{k'},\widetilde{\mathbf {v}}\leftarrow \mathbb {Z}_p^{n_3},\widetilde{\mathbf {w}}_2 \leftarrow \mathbb {Z}_p^{k'n_2}$ and programming

$$ {\widetilde{\mathbf {w}}_2} = \mathbf {x}_2 \otimes \mathbf {r}_3 + \mathbf {w}_2, \quad \widetilde{\mathbf {v}}_0 = \mathbf {r}_3 + \mathbf {v}_0, \quad \widetilde{\mathbf {v}}= \mathbf {x}_3 \alpha _b + \mathbf {v}$$

We can then rewrite $\textsf {ct},\textsf {sk}$ as:

$$\begin{aligned} \begin{array}{rcllll} \textsf {ct}&{}=&{} &{} [-(\mathbf {I}_{n_1} \otimes \mathbf {x}_2 \otimes \mathbf {r}_3\mathbf {W}_3) \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {w}_1^{\!\scriptscriptstyle {\top }}+ (\mathbf {I}_{n_1} \otimes \widetilde{\mathbf {w}}_2 (\mathbf {I}_{n_2}\otimes \mathbf {W}_3)) \mathbf {f}^{\!\scriptscriptstyle {\top }}]_1,\\ &{}&{}&{} [\mathbf {W}_3]_1,[-(\mathbf {r}_3 \mathbf {W}_3 + \mathbf {x}_3 \alpha _b) + \widetilde{\mathbf {v}}_0 \mathbf {W}_3 + \widetilde{\mathbf {v}}]_1\\ \textsf {sk}&{}=&{} &{}[\mathbf {x}_1{\mathbf {w}_1}^{\!\scriptscriptstyle {\top }}]_2,[\widetilde{\mathbf {w}}_2]_2, &{}[\widetilde{\mathbf {v}}_0]_2, [ \widetilde{\mathbf {v}}]_2 \end{array} \end{aligned}$$

Step 2. Next, by the $k'$-Lin assumption in $\mathbb {G}_1$, we have:

$$\begin{aligned} \bigl \{\,[\mathbf {W}_3]_1,[\mathbf {r}_3 \mathbf {W}_3 + \mathbf {x}_3 \alpha _b]_1\,\bigr \} \approx _c \bigl \{\,[\mathbf {W}_3]_1,[\widetilde{\mathbf {c}}_3]_1\,\bigr \},\; \widetilde{\mathbf {c}}_3 \leftarrow \mathbb {Z}_p^{n_3}, \end{aligned}$$

This means that

$$\begin{aligned} \textsf {ct}\approx _c&[(\mathbf {I}_{n_1} \otimes \mathbf {x}_2 \otimes \mathbf {x}_3 \alpha _b) \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {w}_1^{\!\scriptscriptstyle {\top }}- (\mathbf {I}_{n_1} \otimes \mathbf {x}_2 \otimes \widetilde{\mathbf {c}}_3) \mathbf {f}^{\!\scriptscriptstyle {\top }}\\&+ (\mathbf {I}_{n_1} \otimes \widetilde{\mathbf {w}}_2 (\mathbf {I}_{n_2}\otimes \mathbf {W}_3)) \mathbf {f}^{\!\scriptscriptstyle {\top }}]_1, [\mathbf {W}_3]_1,[-\widetilde{\mathbf {c}}_3 + \widetilde{\mathbf {v}}_0 \mathbf {W}_3 + \widetilde{\mathbf {v}}]_1 \end{aligned}$$

Step 3. At this point, the view of the adversary is given by:

$$\begin{aligned} \textsf {ct}= & {} [\boxed {(\mathbf {I}_{n_1} \otimes \mathbf {x}_2 \otimes \mathbf {x}_3 \alpha _b) \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {w}_1^{\!\scriptscriptstyle {\top }}} - (\mathbf {I}_{n_1} \otimes \mathbf {x}_2 \otimes \widetilde{\mathbf {c}}_3) \mathbf {f}^{\!\scriptscriptstyle {\top }}\\&+ (\mathbf {I}_{n_1} \otimes \widetilde{\mathbf {w}}_2 (\mathbf {I}_{n_2}\otimes \mathbf {W}_3)) \mathbf {f}^{\!\scriptscriptstyle {\top }}]_1, [\mathbf {W}_3]_1,[-\widetilde{\mathbf {c}}_3 + \widetilde{\mathbf {v}}_0 \mathbf {W}_3 + \widetilde{\mathbf {v}}]_1\\ \textsf {sk}= & {} [\boxed {\mathbf {x}_1 \mathbf {w}_1^{\!\scriptscriptstyle {\top }}}]_2,[\widetilde{\mathbf {w}}_2]_2,\qquad \qquad \qquad \qquad \ [\widetilde{\mathbf {v}}_0]_2, [ \widetilde{\mathbf {v}}]_2 \end{aligned}$$

where all of the leakage on $\alpha _b$ comes from the boxed terms. We claim that the advantage of the adversary is 0 here. It suffices to prove this for the case $\mathbf {f}$ is fixed in advance; then, a random guessing (also referred to as complexity leveraging) argument tells us that the advantage is still 0 even for an adaptively chosen $\mathbf {f}$.

Sample a random $\widetilde{\mathbf {w}}_1 \leftarrow \mathbb {Z}_p^{n_1}$ and program

$$\begin{aligned} \widetilde{\mathbf {w}}_1 = (\mathbf {I}_{n_1} \otimes \mathbf {x}_2 \otimes \mathbf {x}_3 \alpha _b) \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {w}_1^{\!\scriptscriptstyle {\top }}\end{aligned}$$

Then, we can write

$$ \mathbf {x}_1 \mathbf {w}_1^{\!\scriptscriptstyle {\top }}= \mathbf {x}_1 \widetilde{\mathbf {w}}_1^{\!\scriptscriptstyle {\top }}- \mathbf {x}_1 (\mathbf {I}_{n_1} \otimes \mathbf {x}_2 \otimes \mathbf {x}_3 \alpha _b) \mathbf {f}^{\!\scriptscriptstyle {\top }}= \mathbf {x}_1 \widetilde{\mathbf {w}}_1^{\!\scriptscriptstyle {\top }}- \overbrace{(\mathbf {x}_1\otimes \mathbf {x}_2\otimes \mathbf {x}_3)\mathbf {f}^{\!\scriptscriptstyle {\top }}}^{=0}\alpha _b$$

This means that the view of the adversary (for a fixed $\mathbf {f}$) is identically distributed to

$$\begin{aligned} \begin{array}{rcllll} \textsf {ct}&{}=&{} &{} [\boxed {\widetilde{\mathbf {w}}_1^{\!\scriptscriptstyle {\top }}} - (\mathbf {I}_{n_1} \otimes \mathbf {x}_2 \otimes \widetilde{\mathbf {c}}_3) \mathbf {f}^{\!\scriptscriptstyle {\top }}+ (\mathbf {I}_{n_1} \otimes \widetilde{\mathbf {w}}_2 (\mathbf {I}_{n_2}\otimes \mathbf {W}_3) ) \mathbf {f}^{\!\scriptscriptstyle {\top }}]_1, [\mathbf {W}_3]_1,&{}[-\widetilde{\mathbf {c}}_3 + \widetilde{\mathbf {v}}_0 \mathbf {W}_3 + \widetilde{\mathbf {v}}]_1\\ \textsf {sk}&{}=&{} &{}[\boxed {\mathbf {x}_1{\widetilde{\mathbf {w}}_1}^{\!\scriptscriptstyle {\top }}}]_2,[\widetilde{\mathbf {w}}_2]_2, &{}[\widetilde{\mathbf {v}}_0]_2, [ \widetilde{\mathbf {v}}]_2 \end{array} \end{aligned}$$

The above distribution is independent of the bit b, and hence the advantage is 0.

4.4 Security Proof

The rest of the proof is a routine application of the dual system encryption methodology [4, 10, 19, 20, 24, 25], apart from the substitutions in (11), which slightly generalizes that in [10], as described at the end of Sect. 2.4.

Auxiliary distributions. We define the following additional ciphertext and key distributions used in the security proof. Sample $\delta \leftarrow \mathbb {Z}_p$.

$(\hat{\textsf {ct}},\hat{\mathsf {kem}})$ is the same as $(\textsf {ct},\mathsf {kem})$ in (8), except we replace $\mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }}$ with $\mathbf {c}^{\!\scriptscriptstyle {\top }}\leftarrow \mathbb {Z}_p^{(k+1)\times 1}$:
$$\begin{aligned} \hat{\textsf {ct}}= & {} \big (\, [{\mathbf {c}^{\!\scriptscriptstyle {\top }}}]_1,\, [{((\mathbf {I}_{n_1} \otimes \mathbf {W}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3\otimes \mathbf {I}_{k+1}))(\mathbf {f}^{\!\scriptscriptstyle {\top }}\otimes \mathbf {I}_{k+1})+\mathbf {W}_1)\mathbf {c}^{\!\scriptscriptstyle {\top }}}]_1,\,\\&\quad [{(\mathbf {W}_3\otimes \mathbf {I}_{k+1})(\mathbf {I}_{n_3}\otimes \mathbf {c}^{\!\scriptscriptstyle {\top }})}]_1,\, [{(\mathbf {V}_0(\mathbf {W}_3\otimes \mathbf {I}_{k+1}) + \mathbf {V})(\mathbf {I}_{n_3}\otimes \mathbf {c}^{\!\scriptscriptstyle {\top }})}]_1 \,\big ) \\ \hat{\mathsf {kem}}= & {} [\mathbf {k}\mathbf {c}^{\!\scriptscriptstyle {\top }}]_T \end{aligned}$$
Henceforth, let ${\mathbf {a}^{\scriptscriptstyle {\perp }}}\in \mathbb {Z}_p^{k+1}$ satisfying ${\mathbf {a}^{\scriptscriptstyle {\perp }}}\cdot \mathbf {A}= \mathbf {0}, {\mathbf {a}^{\scriptscriptstyle {\perp }}}\cdot \mathbf {c}^{\!\scriptscriptstyle {\top }}= 1$, which exists with probability $1-1/p$ over $\mathbf {c}$.
$\hat{\textsf {sk}}$ is the same as $\textsf {sk}$ except we replace $\mathbf {k}$ with $\mathbf {k}+ \delta {\mathbf {a}^{\scriptscriptstyle {\perp }}}$:
$$ \hat{\textsf {sk}} = \big (\, [\underbrace{\mathbf {r}_2\mathbf {B}}_{\mathbf {d}_0}]_2,\, [\underbrace{(\mathbf {x}_1 \otimes \mathbf {r}_2\mathbf {B})\mathbf {W}_1}_{\mathbf {d}_1}]_2,\, [\underbrace{\mathbf {x}_2 \otimes \mathbf {r}_3+\mathbf {r}_2\mathbf {B}\mathbf {W}_2}_{\mathbf {d}_2}]_2,\, [\underbrace{\mathbf {r}_3 + \mathbf {r}_2\mathbf {B}\mathbf {V}_0}_{\mathbf {d}_3}]_2,\, [\underbrace{\mathbf {x}_3 \otimes (\mathbf {k}+\delta {\mathbf {a}^{\scriptscriptstyle {\perp }}}) + \mathbf {r}_2\mathbf {B}\mathbf {V}}_{\mathbf {d}_4}]_2 \,\big ) $$
$\textsf {sk}[1]$ is the same as $\textsf {sk}$ except we replace $\mathbf {r}_2\mathbf {B}$ with $\mathbf {d}\leftarrow \mathbb {Z}_p^{k+1}$:
$$ \textsf {sk}[1] = \big (\, [\underbrace{\mathbf {d}}_{\mathbf {d}_0}]_2,\, [\underbrace{(\mathbf {x}_1 \otimes \mathbf {d})\mathbf {W}_1}_{\mathbf {d}_1}]_2,\, [\underbrace{\mathbf {x}_2 \otimes \mathbf {r}_3+\mathbf {d}\mathbf {W}_2}_{\mathbf {d}_2}]_2,\, [\underbrace{\mathbf {r}_3 + \mathbf {d}\mathbf {V}_0}_{\mathbf {d}_3}]_2,\, [\underbrace{\mathbf {x}_3 \otimes \mathbf {k}+ \mathbf {d}\mathbf {V}}_{\mathbf {d}_4}]_2 \,\big ) $$
$\textsf {sk}[2]$ is the same as $\textsf {sk}[1]$ except we replace $\mathbf {k}$ with $\mathbf {k}+ \delta {\mathbf {a}^{\scriptscriptstyle {\perp }}}$:
$$ \textsf {sk}[2] = \big (\, [\underbrace{\mathbf {d}}_{\mathbf {d}_0}]_2,\, [\underbrace{(\mathbf {x}_1 \otimes \mathbf {d})\mathbf {W}_1}_{\mathbf {d}_1}]_2,\, [\underbrace{\mathbf {x}_2 \otimes \mathbf {r}_3+\mathbf {d}\mathbf {W}_2}_{\mathbf {d}_2}]_2,\, [\underbrace{\mathbf {r}_3 + \mathbf {d}\mathbf {V}_0}_{\mathbf {d}_3}]_2,\, [\underbrace{\mathbf {x}_3 \otimes (\mathbf {k}+\delta {\mathbf {a}^{\scriptscriptstyle {\perp }}}) + \mathbf {d}\mathbf {V}}_{\mathbf {d}_4}]_2 \,\big ) $$

Following the terminology in prior works, $(\hat{\textsf {ct}},\hat{\mathsf {kem}})$ is the semi-functional (SF) ciphertext; $\hat{\textsf {sk}}$ is the SF secret key; $\textsf {sk}[1]$ is the pseudo-normal secret key, and $\textsf {sk}[2]$ is the pseudo-SF secret key.

Game sequence. We present a series of games. We write $\mathsf {Adv}_{\text {xx}}$ to denote the advantage of $\mathcal {A}$ in $\mathsf {Game}_{\text {xx}}$. Suppose $\mathcal {A}$ makes q queries to $\mathsf {KeyGen}$: let $(\mathbf {x}_1^i,\mathbf {x}_2^i,\mathbf {x}_3^i)$ denote the i’th query, and let one of $\textsf {sk}^i,\textsf {sk}^i[1],\textsf {sk}^i[2],\hat{\textsf {sk}}^i$ denote the i’th key.

$\mathsf {Game}_0$: is the real security game.
$\mathsf {Game}_1$: is the same as $\mathsf {Game}_0$ except we replace $(\textsf {ct},\mathsf {kem})$ with $(\hat{\textsf {ct}},\hat{\mathsf {kem}})$.
$\mathsf {Game}_{2,i}$ for $i=1,\ldots ,q$: is the same as $\mathsf {Game}_1$, except the first $i-1$ keys are given by $\hat{\textsf {sk}}^1,\ldots ,\hat{\textsf {sk}}^{i-1}$ (semi-functional) and the last $q-i$ keys are given by $\textsf {sk}^{i+1},\ldots ,\textsf {sk}^q$ (normal). There are 4 sub-games, where the i’th key transitions from $\textsf {sk}^i$ in $\mathsf {Game}_{2.i.0}$, to $\textsf {sk}^i[1]$ in $\mathsf {Game}_{2.i.1}$, to $\textsf {sk}^i[2]$ in $\mathsf {Game}_{2.i.2}$, to $\hat{\textsf {sk}}^i$ in $\mathsf {Game}_{2.i.3}$. Note that $\mathsf {Game}_1 = \mathsf {Game}_{2.1.0}$ and $\mathsf {Game}_{2.i.3} = \mathsf {Game}_{2.(i+1).0}$.
$\mathsf {Game}_3$: is the same as $\mathsf {Game}_{2,q,3}$, except that $\mathsf {kem}_0 \leftarrow _{\textsc {r}}\mathbb {G}_T$.

In $\mathsf {Game}_3$, the view of $\mathcal {A}$ is statistically independent of the challenge bit b. Hence, $\mathsf {Adv}_3=0$. We complete the proof by establishing the following claims:

This follows readily from the k-Lin assumption in $\mathbb {G}_1$, where the reduction on input $[\mathbf {A}]_1,[\mathbf {c}_0]_1$ where $\mathbf {c}_0^{\!\scriptscriptstyle {\top }}\in \{\mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }},\mathbf {c}^{\!\scriptscriptstyle {\top }}\}, \mathbf {c}\leftarrow \mathbb {Z}_p^{k+1}$:

runs the honest $\mathsf {Setup}$ to generate all the terms in $(\textsf {mpk},\textsf {msk})$ apart from $\mathbf {A}$;
uses $\textsf {msk},\mathbf {c}_0^{\!\scriptscriptstyle {\top }}$ to compute the challenge ciphertext and KEM:
$$\begin{aligned}&\big (\, [{\mathbf {c}_0^{\!\scriptscriptstyle {\top }}}]_1,\, [{((\mathbf {I}_{n_1} \otimes \mathbf {W}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3\otimes \mathbf {I}_{k+1}))(\mathbf {f}^{\!\scriptscriptstyle {\top }}\otimes \mathbf {I}_{k+1})+\mathbf {W}_1)\mathbf {c}_0^{\!\scriptscriptstyle {\top }}}]_1,\,\\&\quad [{(\mathbf {W}_3\otimes \mathbf {I}_{k+1})(\mathbf {I}_{n_3}\otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }})}]_1,\, [{(\mathbf {V}_0(\mathbf {W}_3\otimes \mathbf {I}_{k+1}) + \mathbf {V})(\mathbf {I}_{n_3}\otimes \mathbf {c}_0^{\!\scriptscriptstyle {\top }})}]_1 \,\big ) \\&[\mathbf {k}\mathbf {c}_0^{\!\scriptscriptstyle {\top }}]_T \end{aligned}$$
By (8), this is $(\textsf {ct},\mathsf {kem})$ when $\mathbf {c}_0^{\!\scriptscriptstyle {\top }}= \mathbf {A}\mathbf {s}^{\!\scriptscriptstyle {\top }}$, and $(\hat{\textsf {ct}},\hat{\mathsf {kem}})$ when $\mathbf {c}_0^{\!\scriptscriptstyle {\top }}= \mathbf {c}^{\!\scriptscriptstyle {\top }}$;
uses $\textsf {msk}$ to simulate the $\mathsf {KeyGen}$ oracle.

This follows readily from the k-Lin assumption in $\mathbb {G}_2$, where the reduction on input $[\mathbf {B}]_1,[\mathbf {d}_0]_1$ where $\mathbf {d}_0 \in \{\mathbf {r}\mathbf {B},\mathbf {d}\}, \mathbf {d}\leftarrow \mathbb {Z}_p^{k+1}$:

runs the honest $\mathsf {Setup}$ to generate all the terms in $(\textsf {mpk},\textsf {msk})$ apart from $\mathbf {B}$;
samples a random $\delta \in \mathbb {Z}_p$;
samples a random $\mathbf {c}\leftarrow \mathbb {Z}_p^{k+1}$ and uses $\textsf {msk},\mathbf {c}$ to compute the challenge ciphertext using (8);
uses $\textsf {msk}$ and $\delta $ to generate the first $i-1$ keys $\hat{\textsf {sk}}^1,\ldots ,\hat{\textsf {sk}}^{i-1}$ and the last $q-i$ keys $\textsf {sk}^{i+1},\ldots ,\textsf {sk}^q$;
computes the i’th key using $[\mathbf {d}_0 ]$ and $\textsf {msk},\delta $ using:
$$ \big (\, [{\mathbf {d}_0}]_2,\, [{(\mathbf {x}^i_1 \otimes \mathbf {d}_0)\mathbf {W}_1}]_2,\, [{\mathbf {x}^i_2 \otimes \mathbf {r}_3+\mathbf {d}_0\mathbf {W}_2}]_2,\, [{\mathbf {r}_3 + \mathbf {d}_0\mathbf {V}_0}]_2,\, [{\mathbf {x}^i_3 \otimes \mathbf {k}+ \mathbf {d}_0\mathbf {V}}]_2 \,\big ) $$
This is $\textsf {sk}^i$ when $\mathbf {d}_0 = \mathbf {r}\mathbf {B}$, and $\textsf {sk}^i[1]$ when $\mathbf {d}_0 = \mathbf {d}$.

To prove $\mathsf {Game}_{2.i.1} \approx _c \mathsf {Game}_{2.i.2}$, it suffices to show

$$\begin{aligned} (\mathsf {aux},\hat{\textsf {ct}},\textsf {sk}^i[1]) \approx _c (\mathsf {aux},\hat{\textsf {ct}},\textsf {sk}^i[2]) \end{aligned}$$

(10)

where

$$\begin{aligned} \begin{array}{rclllllll} \mathsf {aux} &{}:=&{} \big (\,\mathbb {G},\,\mathbf {A},\mathbf {c},\mathbf {B},\mathbf {k},\delta ,&{}\overline{\mathbf {W}}_2,&{}\overline{\mathbf {W}}_1,&{}\overline{\mathbf {V}},&{}\overline{\mathbf {V}}_0\\ &{}&{}&{}\mathbf {B}\mathbf {W}_2,&{}(\mathbf {I}_{n_1}\otimes \mathbf {B})\mathbf {W}_1,&{}\mathbf {B}\mathbf {V},&{}\mathbf {B}\mathbf {V}_0\big ) \end{array} \end{aligned}$$

This is because given $\mathsf {aux}$, we can compute $\textsf {mpk},\hat{\mathsf {kem}}$ as well as both $\textsf {sk}$ (for the last $q-i$ key queries) and $\hat{\textsf {sk}}$ (for the first $i-1$ key queries).

To compute $\textsf {sk}$, we sample $\mathbf {r}_2 \leftarrow \mathbb {Z}_p^k, \mathbf {r}_3 \leftarrow \mathbb {Z}_p^{(k+1)k'}$ and output
$$ \begin{aligned} \textsf {sk}=&\big (\, [\underbrace{\mathbf {r}_2\mathbf {B}}_{\mathbf {d}_0}]_2,\, [\underbrace{(\mathbf {x}_1 \otimes \mathbf {r}_2) \cdot (\mathbf {I}_{n_1} \otimes \mathbf {B})\mathbf {W}_1}_{\mathbf {d}_1}]_2,\, [\underbrace{\mathbf {x}_2 \otimes \mathbf {r}_3+\mathbf {r}_2 \cdot \mathbf {B}\mathbf {W}_2}_{\mathbf {d}_2}]_2,\, [\underbrace{\mathbf {r}_3 + \mathbf {r}_2 \cdot \mathbf {B}\mathbf {V}_0}_{\mathbf {d}_3}]_2,\\&[\underbrace{\mathbf {x}_3 \otimes \mathbf {k}+ \mathbf {r}_2 \cdot \mathbf {B}\mathbf {V}}_{\mathbf {d}_4}]_2 \,\big ) \end{aligned} $$
To compute $\hat{\textsf {sk}}$, we would first compute ${\mathbf {a}^{\scriptscriptstyle {\perp }}}$ given $\mathbf {A},\mathbf {c}$, and then proceed as in $\textsf {sk}$, except we replace $\mathbf {k}$ with $\mathbf {k}+\delta {\mathbf {a}^{\scriptscriptstyle {\perp }}}$.

We proceed to prove (10) using Lemma 1. Henceforth, let ${\mathbf {b}^{\scriptscriptstyle {\perp }}}\in \mathbb {Z}_p^{k+1}$ satisfying $\mathbf {B}\cdot {\mathbf {b}^{\scriptscriptstyle {\perp }}}^{\!\scriptscriptstyle {\top }}= \mathbf {0}, \mathbf {d}\cdot {\mathbf {b}^{\scriptscriptstyle {\perp }}}^{\!\scriptscriptstyle {\top }}= 1$, which exists with probability $1-1/p$ over $\mathbf {d}$, where $[\mathbf {d}]_2$ is the first component of $\textsf {sk}^i[1]$ and $\textsf {sk}^i[2]$. Sample

$$\begin{aligned} \begin{array}{l} \begin{array}{llll} \mathbf {W}'_1 \leftarrow \mathbb {Z}_p^{(k+1)n_1 \times (k+1)},&{} \mathbf {W}'_2 \leftarrow \mathbb {Z}_p^{(k+1) \times (k+1)k'n_2},&{} \mathbf {V}' \leftarrow \mathbb {Z}_p^{(k+1) \times (k+1)n_3},\\ \mathbf {w}_1 \leftarrow \mathbb {Z}_p^{n_1}, &{}\mathbf {w}_2 \leftarrow \mathbb {Z}_p^{k'n_2}, &{}\mathbf {v}\leftarrow \mathbb {Z}_p^{n_3},\\ \mathbf {k}' \leftarrow \mathbb {Z}_p^{k+1}&{}\mathbf {r}'_3 \leftarrow \mathbb {Z}_p^{(k+1)k'}\\ \alpha \leftarrow \mathbb {Z}_p,&{}\mathbf {r}_3 \leftarrow \mathbb {Z}_p^{k'} \end{array}\\ \begin{array}{l} \mathbf {V}'_0 \leftarrow \mathbb {Z}_p^{(k+1) \times (k+1)k'}\\ \mathbf {v}_0 \leftarrow \mathbb {Z}_p^{k'}, \end{array} \end{array} \end{aligned}$$

and substitute

$$\begin{aligned} \mathbf {W}_1\mapsto & {} \mathbf {W}'_1 + (\mathbf {I}_{n_1} \otimes {\mathbf {b}^{\scriptscriptstyle {\perp }}}^{\!\scriptscriptstyle {\top }}) \cdot \mathbf {w}_1^{\!\scriptscriptstyle {\top }}\cdot {\mathbf {a}^{\scriptscriptstyle {\perp }}}\\ \mathbf {W}_2\mapsto & {} \mathbf {W}'_2 + {\mathbf {b}^{\scriptscriptstyle {\perp }}}^{\!\scriptscriptstyle {\top }}\cdot \mathbf {w}_2 \cdot (\mathbf {I}_{n_2}\otimes {\mathbf {a}^{\scriptscriptstyle {\perp }}})\nonumber \\ \mathbf {V}\mapsto & {} \mathbf {V}' + {\mathbf {b}^{\scriptscriptstyle {\perp }}}^{\!\scriptscriptstyle {\top }}\cdot \mathbf {v}\cdot (\mathbf {I}_{n_3}\otimes {\mathbf {a}^{\scriptscriptstyle {\perp }}})\nonumber \\ \mathbf {V}_0\mapsto & {} \mathbf {V}'_0 + {\mathbf {b}^{\scriptscriptstyle {\perp }}}^{\!\scriptscriptstyle {\top }}\cdot \mathbf {v}_0 \cdot (\mathbf {I}_{k'}\otimes {\mathbf {a}^{\scriptscriptstyle {\perp }}})\nonumber \\ \mathbf {k}\mapsto & {} \mathbf {k}' + \alpha \cdot {\mathbf {a}^{\scriptscriptstyle {\perp }}}\nonumber \\ \mathbf {r}_3\mapsto & {} \mathbf {r}'_3 + \mathbf {r}_3 (\mathbf {I}_{k'}\otimes {\mathbf {a}^{\scriptscriptstyle {\perp }}})\nonumber \end{aligned}$$

(11)

where in the last line, we have $\mathbf {r}_3 \in \mathbb {Z}_p^{(k+1)k'}$ on the left, and $\mathbf {r}_3 \in \mathbb {Z}_p^{k'}$ on the right. We can then write

$$\begin{aligned} \begin{array}{rclllllll} \mathsf {aux} &{}=&{} \big (\,\mathbb {G},\,\mathbf {A},\mathbf {c},\mathbf {B},\mathbf {k},&{}\overline{\mathbf {W}}'_2,&{}\overline{\mathbf {W}}'_1,&{}\overline{\mathbf {V}}',&{}\overline{\mathbf {V}}'_0\\ &{}&{}&{}\mathbf {B}\mathbf {W}'_2,&{}(\mathbf {I}_{n_1}\otimes \mathbf {B})\mathbf {W}'_1,&{}\mathbf {B}\mathbf {V}',&{}\mathbf {B}\mathbf {V}'_0\big ) \end{array} \end{aligned}$$

and

$$\begin{aligned} \hat{\textsf {ct}}= & {} [{\mathbf {c}^{\!\scriptscriptstyle {\top }}}]_1,\, [{((\mathbf {I}_{n_1} \otimes \mathbf {W}'_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3\otimes \mathbf {I}_{k+1}))(\mathbf {f}^{\!\scriptscriptstyle {\top }}\otimes \mathbf {I}_{k+1})+\mathbf {W}'_1)\mathbf {c}^{\!\scriptscriptstyle {\top }}}\\&\quad +(\mathbf {I}_{n_1}\otimes {\mathbf {b}^{\scriptscriptstyle {\perp }}}^{\!\scriptscriptstyle {\top }}) \cdot (\boxed {(\mathbf {I}_{n_1} \otimes \mathbf {w}_2(\mathbf {I}_{n_2}\otimes \mathbf {W}_3)) \mathbf {f}^{\!\scriptscriptstyle {\top }}+ \mathbf {w}_1^{\!\scriptscriptstyle {\top }}})]_1,\,\\&[{(\boxed {\mathbf {W}_3}\otimes \mathbf {I}_{k+1})(\mathbf {I}_{n_3}\otimes \mathbf {c}^{\!\scriptscriptstyle {\top }})}]_1,\, [{(\mathbf {V}'_0(\mathbf {W}_3\otimes \mathbf {I}_{k+1}) + \mathbf {V}')(\mathbf {I}_{n_3}\otimes \mathbf {c}^{\!\scriptscriptstyle {\top }})}+{\mathbf {b}^{\scriptscriptstyle {\perp }}}^{\!\scriptscriptstyle {\top }}\cdot (\boxed {\mathbf {v}_0\mathbf {W}_3 + \mathbf {v}})]_1 \\ \hat{\mathsf {kem}}= & {} [\mathbf {k}'\mathbf {c}^{\!\scriptscriptstyle {\top }}+ \alpha ]_T\\ \textsf {sk}^i[1]= & {} [{\mathbf {d}}]_2,\, [{(\mathbf {x}^i_1 \otimes \mathbf {d})\mathbf {W}'_1} + \boxed {\mathbf {x}^i_1 \mathbf {w}_1^{\!\scriptscriptstyle {\top }}} \cdot {\mathbf {a}^{\scriptscriptstyle {\perp }}}]_2\,\\&[{\mathbf {x}^i_2 \otimes \mathbf {r}'_3+\mathbf {d}\mathbf {W}'_2} + (\boxed {\mathbf {x}^i_2 \otimes \mathbf {r}_3 + \mathbf {w}_2}) \cdot (\mathbf {I}_{n_2}\otimes {\mathbf {a}^{\scriptscriptstyle {\perp }}})]_2,\, \\&[{\mathbf {r}'_3 + \mathbf {d}\mathbf {V}'_0} + (\boxed {\mathbf {r}_3 + \mathbf {v}_0}) \cdot (\mathbf {I}_{k'} \otimes {\mathbf {a}^{\scriptscriptstyle {\perp }}})]_2,\, \\&[{\mathbf {x}^i_3 \otimes \mathbf {k}' + \mathbf {d}\mathbf {V}'} + (\boxed {\mathbf {x}^i_3 \alpha + \mathbf {v}}) \cdot (\mathbf {I}_{n_3} \otimes {\mathbf {a}^{\scriptscriptstyle {\perp }}})]_2 \\ \textsf {sk}^i[2]= & {} [{\mathbf {d}}]_2,\, [{(\mathbf {x}^i_1 \otimes \mathbf {d})\mathbf {W}'_1} + \boxed {\mathbf {x}^i_1 \mathbf {w}_1^{\!\scriptscriptstyle {\top }}} \cdot {\mathbf {a}^{\scriptscriptstyle {\perp }}}]_2\,\\&[{\mathbf {x}^i_2 \otimes \mathbf {r}'_3+\mathbf {d}\mathbf {W}'_2} + (\boxed {\mathbf {x}^i_2 \otimes \mathbf {r}_3 + \mathbf {w}_2}) \cdot (\mathbf {I}_{n_2}\otimes {\mathbf {a}^{\scriptscriptstyle {\perp }}})]_2,\, \\&[{\mathbf {r}'_3 + \mathbf {d}\mathbf {V}'_0} + (\boxed {\mathbf {r}_3 + \mathbf {v}_0}) \cdot (\mathbf {I}_{k'} \otimes {\mathbf {a}^{\scriptscriptstyle {\perp }}})]_2,\, \\&[{\mathbf {x}^i_3 \otimes \mathbf {k}' + \mathbf {d}\mathbf {V}'} + (\boxed {\mathbf {x}^i_3 (\alpha +\delta ) + \mathbf {v}}) \cdot (\mathbf {I}_{n_3} \otimes {\mathbf {a}^{\scriptscriptstyle {\perp }}})]_2 \end{aligned}$$

Given the boxed terms together with $(\mathbf {c},\mathbf {d},\mathbf {W}'_1,\mathbf {W}'_2,\mathbf {V}',\mathbf {V}'_0,\mathbf {k}',\alpha ,{\mathbf {a}^{\scriptscriptstyle {\perp }}},{\mathbf {b}^{\scriptscriptstyle {\perp }}},\delta ,\mathbf {r}'_3)$, we can simulate $\hat{\textsf {ct}},\textsf {sk}^i[1],\textsf {sk}^i[2]$ as well as $\mathsf {aux}$. Therefore, it suffices to show that the boxed terms in $\mathsf {Game}_{2.i.1}$ and $\mathsf {Game}_{2.i.2}$ are computationally indistinguishable, which follows from Lemma 1. Concretely, the reduction on input $(\textsf {ct},\textsf {sk})$ from $\mathcal {D}_b$ corresponding to $\mathbf {f}$ and $(\mathbf {x}_1^i,\mathbf {x}_2^i,\mathbf {x}_3^i)$ and where $\alpha _0=\alpha ,\alpha _1=\alpha +\delta $:

1.
samples random $\mathbf {A},\mathbf {B},\mathbf {c},\mathbf {d},\mathbf {W}'_1,\mathbf {W}'_2,\mathbf {V}',\mathbf {V}'_0,\mathbf {k}',\alpha ,\delta ,\mathbf {r}'_3$, and call these values $\mathsf {aux}'$;
2.
computes ${\mathbf {a}^{\scriptscriptstyle {\perp }}},{\mathbf {b}^{\scriptscriptstyle {\perp }}}$ using $\mathbf {A},\mathbf {c},\mathbf {B},\mathbf {d}$;
3.
computes $\mathsf {aux}$ using $\mathsf {aux}',{\mathbf {a}^{\scriptscriptstyle {\perp }}},{\mathbf {b}^{\scriptscriptstyle {\perp }}}$, which it then uses to compute $\textsf {mpk}$ as well as the first $i-1$ and the last $q-i$ key queries;
4.
computes $\hat{\textsf {ct}}$ by using $\textsf {ct}$ from $\mathcal {D}_b$ for the boxed terms, and computing the remaining non-boxed terms using $\mathsf {aux}',{\mathbf {a}^{\scriptscriptstyle {\perp }}},{\mathbf {b}^{\scriptscriptstyle {\perp }}}$;
5.
computes $\hat{\mathsf {kem}}$ using $\mathsf {aux}'$;
6.
computes either $\textsf {sk}^i[1]$ or $\textsf {sk}^i[2]$ by using $\textsf {sk}$ from $\mathcal {D}_b$ for the boxed terms, and computing the remaining non-boxed terms using $\mathsf {aux}',{\mathbf {a}^{\scriptscriptstyle {\perp }}},{\mathbf {b}^{\scriptscriptstyle {\perp }}}$;

The output of the reduction is exactly $\mathsf {Game}_{2.i.(b+1)}$.

Analogous to $\mathsf {Game}_{2.i.0} \approx _c \mathsf {Game}_{2.i.1}$.

In $\mathsf {Game}_{2.q}$, we have $\mathsf {kem}_0 = [\mathbf {k}\mathbf {c}^{\!\scriptscriptstyle {\top }}]$, whereas $\textsf {mpk}$ only leaks $[\mathbf {k}\mathbf {A}]_T$ and $\hat{\textsf {sk}}^1,\ldots ,\hat{\textsf {sk}}^q$ only leaks $\mathbf {k}+ \delta {\mathbf {a}^{\scriptscriptstyle {\perp }}}$. The claim follows from the fact that $\mathbf {k}\mathbf {c}^{\!\scriptscriptstyle {\top }}$ is uniformly random in $\mathbb {Z}_p$ given $\mathbf {k}\mathbf {A}$ and $\mathbf {k}+ \delta {\mathbf {a}^{\scriptscriptstyle {\perp }}}$.

5 Broadcast Encryption with Size $N^{1/3}$

We can encode broadcast encryption for N parties as CP-ABE for degree 3 polynomials whenever $n_1n_2n_3 \ge N$, by using the folklore encoding of set membership in $S \subseteq [N]$ as a degree 3 polynomial over $\{0,1\}^{n_1} \times \{0,1\}^{n_2} \times \{0,1\}^{n_3}$:

given a set $S \subseteq [N]$, let $\mathbf {f}= (f_1,\ldots ,f_N) \in \{0,1\}^N$ denote the characteristic vector for the set S (that is, $f_i = 1$ iff $i \in S$);
given $y \in [N]$, we can pick $\mathbf {x}_1 \in \{0,1\}^{n_1}, \mathbf {x}_2 \in \{0,1\}^{n_2}, \mathbf {x}_3 \in \{0,1\}^{n_3}$ such that $\mathbf {x}_1 \otimes \mathbf {x}_2 \otimes \mathbf {x}_3 \in \{0,1\}^{n_1n_2n_3}$ is the characteristic vector of the set $\{y\}$.
then, $(\mathbf {x}_1 \otimes \mathbf {x}_2 \otimes \mathbf {x}_3) \mathbf {f}^{\!\scriptscriptstyle {\top }}= 1$ iff $y \in S$.

We can then set $n_1=N^\delta ,n_2=N^{1-2\delta },n_3=N^\delta $ for any $0 \le \delta \le 1/3$, which yields

$$\begin{aligned} |\textsf {mpk}| = O(N^{1-2\delta }), \; |\textsf {ct}| = O(N^{\delta }), \; |\textsf {sk}| = O(N^{1-2\delta }) \end{aligned}$$

In particular, when $\delta = 1/3$, we achieve

$$\begin{aligned} |\textsf {mpk}| = O(N^{1/3}), \; |\textsf {ct}| = O(N^{1/3}), \; |\textsf {sk}| = O(N^{1/3}) \end{aligned}$$

A concrete example. While the main focus of this work is on asymptotically more efficient pairing-based broadcast encryption, our scheme does achieve pretty concrete good efficiency. We can instantiate our scheme with the popular BLS12-381 curve with $|\mathbb {G}_1|$ being 48 bytes and $|\mathbb {G}_2|$ being 96 bytes. Now, recall an application for broadcast encryption in BGW05 [6], namely file sharing in encrypted file systems. The Windows EFS has a limit of 256KB in the file header for the EFS meta-data, and supports a maximum of 800 individual users. Assuming 32-bit users IDs, we can support 1000 users with a file header $(S,\textsf {ct})$ of size $4 \times 1000 + 82 \times 48 = 7936$ bytes, where each user holds a secret key of size $67 \times 96 = 6432$ bytes. We can do slightly better by setting $n_1=20,n_2=10,n_3=5$, which yields a header of size $4 \times 1000 + 72 \times 48 = 7456$ bytes and a secret key of size $57 \times 96 = 5482$ bytes. However, since $N=1000$ is fairly small, the broadcast encryption scheme with $O(\sqrt{N})$ parameters would also achieve similar performances: a file header of size $4 \times 1000 + 66 \times 48 = 7168$ and a secret key of size $68 \times 96 = 6528$ bytes.

References

Abdalla, M., Gong, J., Wee, H.: Functional Encryption for Attribute-Weighted Sums from k-Lin. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 685–716. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_23
Agrawal, S., Wichs, D., Yamada, S.: Optimal broadcast encryption from LWE and pairings in the standard model. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12550, pp. 149–178. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64375-1_6
Agrawal, S., Yamada, S.: Optimal broadcast encryption from pairings and LWE. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. Part I, volume 12105 of LNCS, pp. 13–43. Springer, Heidelberg (May 2020)
Chapter Google Scholar
Attrapadung, N.: Dual system encryption via doubly selective security: Framework, fully secure functional encryption for regular languages, and more. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 557–577. Springer, Heidelberg (May 2014)
Chapter Google Scholar
Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: 2007 IEEE Symposium on Security and Privacy, pp. 321–334. IEEE Computer Society Press, May 2007
Google Scholar
Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (Aug. 2005)
Chapter Google Scholar
Boneh, D., Waters, B.: A fully collusion resistant broadcast, trace, and revoke system. In: Juels, A., Wright, R.N., De Capitani, S., di Vimercati (eds.) ACM CCS 2006, pp. 211–220. ACM Press, October/November 2006
Google Scholar
Boneh, D., Waters, B., Zhandry, M.: Low overhead broadcast encryption from multilinear maps. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. Part I, volume 8616 of LNCS, pp. 206–223. Springer, Heidelberg (2014)
Chapter Google Scholar
Brakerski, Z., Vaikuntanathan, V.: Lattice-inspired broadcast encryption and succinct ciphertext-policy ABE. Cryptology ePrint Archive, Report 2020/191 (2020)
Google Scholar
Chen, J., Gay, R., Wee, H.: Improved dual system ABE in prime-order groups via predicate encodings. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. Part II, volume 9057 of LNCS, pp. 595–624. Springer, Heidelberg (Apr. 2015)
Chapter Google Scholar
Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_8
Chapter Google Scholar
Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO’93. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (Aug. 1994)
Chapter Google Scholar
Gay, R.: A new paradigm for public-key functional encryption for degree-2 polynomials. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. Part I, volume 12110 of LNCS, pp. 95–120. Springer, Heidelberg (May 2020)
Chapter Google Scholar
Gay, R., Kerenidis, I., Wee, H.: Communication complexity of conditional disclosure of secrets and attribute-based encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 485–502. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_24
Chapter Google Scholar
Gentry, C., Waters, B.: Adaptive security in broadcast encryption systems (with short ciphertexts). In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 171–188. Springer, Heidelberg (Apr. 2009)
Chapter MATH Google Scholar
Goyal, R., Koppula, V., Waters, B.: Collusion resistant traitor tracing from learning with errors. In: Diakonikolas, I., Kempe, D., Henzinger, M. (eds.) 50th ACM STOC, pp. 660–670. ACM Press, June 2018
Google Scholar
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Juels, A., Wright, R.N., De Capitani di Vimercati, S. (eds.) ACM CCS 2006, pp. 89–98. ACM Press, October/November 2006. Available as Cryptology ePrint Archive Report 2006/309
Google Scholar
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (Apr. 2008)
Chapter Google Scholar
Lewko, A., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_27
Chapter Google Scholar
Lewko, A., Waters, B.: New proof methods for attribute-based encryption: achieving full security through selective techniques. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 180–198. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_12
Chapter Google Scholar
Lin, H.: Indistinguishability obfuscation from SXDH on 5-linear maps and locality-5 PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. Part I, volume 10401 of LNCS, pp. 599–629. Springer, Heidelberg (Aug. 2017)
Chapter Google Scholar
Liu, T., Vaikuntanathan, V., Wee, H.: Conditional disclosure of secrets via non-linear reconstruction. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 758–790. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_25
Chapter Google Scholar
Sahai, A., Waters, B.R.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (May 2005)
Chapter Google Scholar
Waters, B.: Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (Aug. 2009)
Chapter Google Scholar
Wee, H.: Dual system encryption via predicate encodings. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 616–637. Springer, Heidelberg (Feb. 2014)
Chapter Google Scholar
Wee, H.: Functional encryption for quadratic functions from k-Lin, revisited. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12550, pp. 210–228. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64375-1_8
Chapter Google Scholar
Zhandry, M.: New techniques for traitor tracing: Size $N^{1/3}$ and more from pairings. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2020. Part I, LNCS, pp. 652–682. Springer, Heidelberg (Aug. 2020)
Chapter Google Scholar

Download references

Acknowledgments

I am extremely grateful to Junqing Gong for meticulous proof-reading and constructive feedback. I would also like to thank Tianren Liu for helpful discussions on the challenges of extending our $N^{1/3}$ CDS scheme in [22] to general fields while preserving degree 2 reconstruction.

Author information

Authors and Affiliations

NTT Research, California, USA
Hoeteck Wee
ENS, Paris, France
Hoeteck Wee

Authors

Hoeteck Wee
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Hoeteck Wee .

Editor information

Editors and Affiliations

Columbia University, New York City, NY, USA
Tal Malkin
University of Michigan, Ann Arbor, MI, USA
Chris Peikert

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Wee, H. (2021). Broadcast Encryption with Size $N^{1/3}$ and More from k-Lin. In: Malkin, T., Peikert, C. (eds) Advances in Cryptology – CRYPTO 2021. CRYPTO 2021. Lecture Notes in Computer Science(), vol 12828. Springer, Cham. https://doi.org/10.1007/978-3-030-84259-8_6

Download citation

DOI: https://doi.org/10.1007/978-3-030-84259-8_6
Published: 11 August 2021
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-84258-1
Online ISBN: 978-3-030-84259-8
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

Broadcast Encryption with Size \(N^{1/3}\) and More from k-Lin

Abstract

Similar content being viewed by others

Ciphertext-Policy Attribute-Based Broadcast Encryption with Small Keys

Optimal Broadcast Encryption and CP-ABE from Evasive Lattice Assumptions

Distributed Broadcast Encryption from Bilinear Groups

1 Introduction

1.1 Our Results

2 Technical Overview

2.1 CP-ABE for Degree 2 Polynomials

2.2 Our First Candidate CP-ABE

2.3 Our Second Candidate CP-ABE

2.4 Our Final CP-ABE

2.5 Discussion

3 Preliminaries

3.1 Prime-Order Bilinear Groups

Assumption 1

3.2 Attribute-Based Encryption

4 CP-ABE for Degree 3 Polynomials

4.1 Our Scheme

4.2 Correctness

4.3 Core of Security Proof

Lemma 1

Proof

4.4 Security Proof

5 Broadcast Encryption with Size \(N^{1/3}\)

References

Acknowledgments

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Publish with us

Societies and partnerships

Broadcast Encryption with Size \(N^{1/3}\) and More from k-Lin

Abstract

Similar content being viewed by others

Ciphertext-Policy Attribute-Based Broadcast Encryption with Small Keys

Optimal Broadcast Encryption and CP-ABE from Evasive Lattice Assumptions

Distributed Broadcast Encryption from Bilinear Groups

1 Introduction

1.1 Our Results

2 Technical Overview

2.1 CP-ABE for Degree 2 Polynomials

2.2 Our First Candidate CP-ABE

2.3 Our Second Candidate CP-ABE

2.4 Our Final CP-ABE

2.5 Discussion

3 Preliminaries

3.1 Prime-Order Bilinear Groups

Assumption 1

3.2 Attribute-Based Encryption

4 CP-ABE for Degree 3 Polynomials

4.1 Our Scheme

4.2 Correctness

4.3 Core of Security Proof

Lemma 1

Proof

4.4 Security Proof

5 Broadcast Encryption with Size \(N^{1/3}\)

References

Acknowledgments

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships