Lower Bounds on Assumptions Behind Registration-Based Encryption

Theory of Cryptography (TCC 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14370))

Abstract

Registration-based encryption (RBE) [11] is a primitive that aims to offer what identity-based encryption (IBE) [2] offers without the so-called key-escrow problem. In RBE, parties who wish to join the system generate their own secret and public keys and register their public keys with a transparent party called the key curator (KC), which does not have any secret state.

The initial constructions of RBE made non-black-box use of building block primitives, due to their use of either indistinguishability obfuscation [11] or some garbling scheme [12]. More recently, it was shown [14, 17] how to achieve black-box constructions of (variants of) RBE and even stronger primitives based on bilinear maps, in which the RBE is relaxed to have a CRS whose length can grow with the number of registered identities. Making cryptographic constructions in general, and RBE in particular, black-box is an important step, as it can play a significant role in their efficiency and potential deployment. Hence, in this work we ask: what are the minimal assumptions for black-box constructions of RBE? Particularly, can we construct RBE schemes in a black-box way from the same assumptions used for public-key encryption, or from simpler algebraic assumptions that hold in the generic group model?

In this work, we prove the first black-box separation results for RBE beyond the separations that follow from the observation that RBE black-box implies public-key encryption. In particular, we answer both of the questions above negatively and prove that neither trapdoor permutations nor (even Shoup’s) generic group model can be used as the sole source of hardness for building RBE schemes. More generally, we prove that a relaxation of RBE in which all the keys are registered and compressed at the same time is already too complex to be built from either of the above-mentioned primitives in a black-box way. At a technical level, using compression techniques, we prove lemmas in the TDP and GGM oracle settings that prove the following intuitive yet useful fact: that compact strings cannot signal too many trapdoors, even if their generation algorithm takes exponential time. Due to their generality, our lemmas could be of independent interest and find more applications.

Notes

  1. The work of [17] further generalizes the primitive to attribute-based encryption and constructs registered ABE, while further relaxing the primitive and allowing interactive registration.

  2. Note that PKE is indeed necessary for RBE in a black-box way.

  3. More specifically, [19] claimed the result in a model that is a mixture of Maurer’s [18] and Shoup’s [23] models. Then, [22] proved (a tight) separation in Maurer’s model, and finally, [25] proved the separation of IBE in Shoup’s model.

  4. This is done by interpreting the decryption keys as signatures over the identities’ names, interpreted as messages.

  5. The fact that RBE black-box implies PKCom is straightforward, since PKCom is a special case. The converse is also true and is proved in [17].

  6. By security, here we refer to security against unbounded poly-query adversaries.

  7. The Q-A sets \(\textsf{QGen}_i\) will not be used in this simple construction, but later on they will be used when we make the signature restricted.

  8. Again, the set \(\textsf{QEnc}\) will not be used in this (flawed) construction, but will be used later when we discuss the fixes.

  9. We do not keep track of \(\textbf{d}\) queries because of Note 1.

  10. Duplicate queries will be replied to with the same random response.

  11. By Note 1, any decryption query is followed by two subsequent \(\textbf{g}\) and \(\textbf{e}\) dummy queries. In the last case, where a random response r for \((\textsf{tk}, y)\) is generated, we reply to the subsequent dummy \(\textbf{e}\) query with \({y}\).

  12. We do not keep track of \(\textbf{d}\) queries because of Note 1.

  13. Duplicate queries will be replied to with the same random response.

References

  1. Boneh, D., Boyen, X.: Secure identity based encryption without random oracles. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 443–459. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_27

  2. Boneh, D., Franklin, M.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13

  3. Boneh, D., Papakonstantinou, P.A., Rackoff, C., Vahlis, Y., Waters, B.: On the impossibility of basing identity based encryption on trapdoor permutations. In: 49th Annual Symposium on Foundations of Computer Science, pp. 283–292. IEEE Computer Society Press, Philadelphia, PA, USA, 25–28 Oct 2008. https://doi.org/10.1109/FOCS.2008.67

  4. Brakerski, Z., Lombardi, A., Segev, G., Vaikuntanathan, V.: Anonymous IBE, leakage resilience and circular security from new assumptions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 535–564. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_20

  5. Catalano, D., Fiore, D., Gennaro, R., Giunta, E.: On the impossibility of algebraic vector commitments in pairing-free groups. In: Kiltz, E., Vaikuntanathan, V. (eds.) Theory of Cryptography. TCC 2022. LNCS, Part II, vol. 13748, pp. 279–299. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22365-5_10

  6. Datta, P., Pal, T.: Registration-based functional encryption. Cryptology ePrint Archive, Paper 2023/457 (2023). https://eprint.iacr.org/2023/457

  7. Döttling, N., Garg, S.: From selective IBE to full IBE and selective HIBE. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 372–408. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_13

  8. Döttling, N., Garg, S., Ishai, Y., Malavolta, G., Mour, T., Ostrovsky, R.: Trapdoor hash functions and their applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 3–32. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_1

  9. Döttling, N., Hartmann, D., Hofheinz, D., Kiltz, E., Schäge, S., Ursu, B.: On the impossibility of purely algebraic signatures. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part III. LNCS, vol. 13044, pp. 317–349. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90456-2_11

  10. Francati, D., Friolo, D., Maitra, M., Malavolta, G., Rahimi, A., Venturi, D.: Registered (inner-product) functional encryption. Cryptology ePrint Archive, Paper 2023/395 (2023). https://eprint.iacr.org/2023/395

  11. Garg, S., Hajiabadi, M., Mahmoody, M., Rahimi, A.: Registration-based encryption: removing private-key generator from IBE. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018, Part I. LNCS, vol. 11239, pp. 689–718. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03807-6_25

  12. Garg, S., Hajiabadi, M., Mahmoody, M., Rahimi, A., Sekar, S.: Registration-based encryption from standard assumptions. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 63–93. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_3

  13. Gennaro, R., Trevisan, L.: Lower bounds on the efficiency of generic cryptographic constructions. In: 41st Annual Symposium on Foundations of Computer Science, pp. 305–313. IEEE Computer Society Press, Redondo Beach, CA, USA, 12–14 Nov 2000. https://doi.org/10.1109/SFCS.2000.892119

  14. Glaeser, N., Kolonelos, D., Malavolta, G., Rahimi, A.: Efficient registration-based encryption. Cryptology ePrint Archive, Paper 2022/1505 (2022). https://eprint.iacr.org/2022/1505

  15. Goyal, R., Vusirikala, S.: Verifiable registration-based encryption. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part I. LNCS, vol. 12170, pp. 621–651. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_21

  16. Haitner, I., Hoch, J.J., Reingold, O., Segev, G.: Finding collisions in interactive protocols - a tight lower bound on the round complexity of statistically-hiding commitments. In: 48th Annual Symposium on Foundations of Computer Science, pp. 669–679. IEEE Computer Society Press, Providence, RI, USA, 20–23 Oct 2007. https://doi.org/10.1109/FOCS.2007.27

  17. Hohenberger, S., Lu, G., Waters, B., Wu, D.J.: Registered attribute-based encryption. In: Hazay, C., Stam, M. (eds.) Advances in Cryptology - EUROCRYPT 2023, pp. 511–542. Springer Nature Switzerland, Cham (2023). https://doi.org/10.1007/978-3-031-30620-4_17

  18. Maurer, U.: Abstract models of computation in cryptography. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 1–12. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_1

  19. Papakonstantinou, P.A., Rackoff, C.W., Vahlis, Y.: How powerful are the DDH hard groups? Cryptology ePrint Archive, Report 2012/653 (2012). https://eprint.iacr.org/2012/653

  20. Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_1

  21. Rotem, L., Segev, G., Shahaf, I.: Generic-group delay functions require hidden-order groups. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 155–180. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_6

  22. Schul-Ganz, G., Segev, G.: Generic-group identity-based encryption: a tight impossibility result. In: 2nd Conference on Information-Theoretic Cryptography (ITC 2021). Schloss Dagstuhl-Leibniz-Zentrum für Informatik (2021)

  23. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18

  24. Wang, Q., Li, R., Wang, Q., Galindo, D., Chen, S., Xiang, Y.: Transparent registration-based encryption through blockchain. Distrib. Ledger Technol. 2(1) (2023). https://doi.org/10.1145/3568315

  25. Zhandry, M.: To label, or not to label (in generic groups). In: Advances in Cryptology – CRYPTO 2022, Part III. pp. 66–96. Lecture Notes in Computer Science, Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug 2022). https://doi.org/10.1007/978-3-031-15982-4_3

Acknowledgements

Mahmoody and Wei were supported by NSF grants CCF-1910681 and CNS1936799. Mohammad Hajiabadi and Sara Sarfaraz were supported by an NSERC Discovery Grant RGPIN-03270, and a Meta Research Award.

Author information

Correspondence to Mohammad Hajiabadi.

Appendices

A Omitted Proofs

For the sake of completeness, here we include a full proof of Lemma 1, which is heavily based on that of [25] and is simply adapted to our setting.

Proof

(of Lemma 1 - adapted from [25]). Consider choosing an oracle O, a random m, and \((\textsf{sgk}, \textsf{vrk}) \leftarrow {\text {Gen}}^{O}(1^\mathrm {\kappa }, m)\), and then fixing them. We will say that \(\sigma \) is “good” if \(\Pr [{\text {Ver}}^{O}(\textsf{vrk}, m, \sigma ) = 1] \ge \delta /2\), where the probability is taken over the random coins of \({\text {Ver}}\). By correctness, with probability at least \(\delta /2\) over \(m, (\textsf{sgk}, \textsf{vrk}) \leftarrow {\text {Gen}}^O(1^\mathrm {\kappa }, m)\), there will exist at least one good \(\sigma \), namely the output of \(\sigma \leftarrow {\text {Sig}}^{O}(\textsf{sgk}, \textsf{m})\).

Suppose \({\text {Ver0}}\) were deterministic. Then we could compute \(v \leftarrow {\text {Ver0}}^{O}(\textsf{vrk}, \textsf{m})\), and consider the oracle-free probabilistic circuit \(C(\sigma ) = {\text {Ver1}}(v, \sigma )\). Then an input \(\sigma \) is good if and only if \(C(\sigma )\) accepts with probability at least \(\delta /2\). Since C is oracle-free, we can brute-force search for such a \(\sigma \), finding it with probability at least \(\delta /2\). The forgery will then be \((m, \sigma )\), which is accepted by the challenger with probability \(\delta /2\), giving an overall advantage of \(\delta ^2/4\).

For a potentially randomized \({\text {Ver0}}\), we have to work slightly harder. For a good \(\sigma \), we have that \(\Pr _{v \leftarrow {\text {Ver0}}^{O}(\textsf{vrk},\textsf{m})}[\Pr [{\text {Ver1}}(v, \sigma ) = 1] \ge \delta /4] \ge \delta /4\). Meanwhile, we will call a \(\sigma \) “bad” if \(\Pr _{v \leftarrow {\text {Ver0}}^{O}(\textsf{vrk},\textsf{m})}[\Pr [{\text {Ver1}}(v, \sigma ) = 1] \ge \delta /4] \le \delta /8\).

For a parameter t chosen momentarily, we let \(v_1, \dots , v_t \leftarrow {\text {Ver0}}^{O}(\textsf{vrk}, \textsf{m})\), and construct circuits \(C_i(\sigma ) = {\text {Ver1}}(v_i, \sigma )\). We then brute-force search for a \(\sigma \) such that \(\Pr _{i\leftarrow [t]}[\Pr [C_i(\sigma ) = 1] \ge \delta /4] \ge 3\delta /8\). By Hoeffding’s inequality, any good \(\sigma \) will be a solution with probability \(1 - 2^{-\varOmega (\delta ^2t)}\). Meanwhile, any bad \(\sigma \) will be a solution with probability \(2^{-\varOmega (\delta ^2t)}\). By setting t such that \(t/\delta ^2\) is sufficiently larger than the bit-length of signatures, we can union bound over all bad \(\sigma \), showing that there will be no bad solutions except with negligible probability. We will therefore find a not-bad solution with probability at least \(\delta /2 - {\text {negl}}\ge \delta /3\). In this case, with probability at least \(\delta /8\) over the choice of v by the verifier, \(\Pr [{\text {Ver1}}(v, \sigma ) = 1] \ge \delta /4\). Hence, the overall success probability is at least \((\delta /3) \times (\delta /8) \times (\delta /4) \ge \delta ^3/100\).    \(\square \)

We now present the proof of Lemma 3.

Proof

(Proof of Lemma 3). Let \(s = |\mathcal {S}| = 2^{3\mathrm {\kappa }}\). Assume wlog that both \(\mathcal {A}\) and \(\mathcal {B}\) are deterministic. We prove that any fixed labeling function \(\textbf{label}\) for which \(\textsf{Success}\) holds can be uniquely described with

$$\begin{aligned} f := \log \left( 2^{|z|}\left( {\begin{array}{c}p\\ w\end{array}}\right) w!\left( {\begin{array}{c}t\\ w\end{array}}\right) \frac{(s-w)!}{(s-p)!} 2^u w!\right) \end{aligned}$$
(2)

bits.

This means that there exist at most \(2^f\) different \(\textsf{Successful}\) oracles. Using the inequalities \({(a/b)}^b \le \left( {\begin{array}{c}a\\ b\end{array}}\right) \le (a e /b)^b\), the fraction of \(\textbf{g}\) oracles for which \(\textsf{Success}\) holds is at most

$$\begin{aligned} \frac{2^f}{\text { number of } L \text { oracles}} &\le \frac{ 2^{|z|+u} w! \left( {\begin{array}{c}p\\ w\end{array}}\right) w! \left( {\begin{array}{c}t\\ w\end{array}}\right) \frac{(s-w)!}{(s-p)!} }{\frac{s!}{(s-p)!}} = \frac{ 2^{|z|+u} w! \left( {\begin{array}{c}p\\ w\end{array}}\right) \left( {\begin{array}{c}t\\ w\end{array}}\right) }{\left( {\begin{array}{c}s\\ w\end{array}}\right) } \\ & \le \frac{2^{|z|+u} w! (\frac{p e}{w})^w (\frac{t e}{w})^w}{(\frac{s}{w})^w} = 2^{|z|+u} w! (\frac{e^2 t p}{s w})^w \le 2^{|z|+u} w! (\frac{16 \times 2^{\mathrm {\kappa }/3}}{2^{2 \mathrm {\kappa }} w})^w \\ &\le 2^{|z|+u} w! (\frac{1}{2^{(3/2) \mathrm {\kappa }} w})^w ~~~~~~~ \text { because }\frac{16 \times 2^{\mathrm {\kappa }/3}}{2^{2 \mathrm {\kappa }} } \le \frac{1}{2^{(3/2) \mathrm {\kappa }}}\text { for large }\mathrm {\kappa }\\ &\le 2^{|z|+u} (\frac{1}{2^{(3/2) \mathrm {\kappa }} })^w = \frac{1}{2^{(3/2) \mathrm {\kappa }w - |z| - u}} \le \frac{1}{2^{\mathrm {\kappa }/2}}, \end{aligned}$$

as desired. The last inequality follows from \(\frac{3}{2}\mathrm {\kappa }w - |z| - u \ge \mathrm {\kappa }/2\), in turn obtained from \(w \ge \frac{ 2(|z| + u)}{ 3 \mathrm {\kappa }} +\frac{1}{3}\).

We now prove Eq. 2. Fix a \(\textsf{Successful}\) labeling function \(\textbf{label}\). Let \(\textsf{Chal} = \{\ell _1, \dots , \ell _t \}\) and wlog assume \(\ell _1 <_{\textsf{lex}} \ell _2 <_{\textsf{lex}} \dots <_{\textsf{lex}} \ell _t \), where \(<_{\textsf{lex}}\) denotes lexicographic ordering. Let \((\ell _{i_1}, \dots , \ell _{i_w})\) be the w lexicographically smallest elements in \(\textsf{Chal}\) that have a pre-image under \(\textbf{label}\), and let \((x_{i_1}, \dots , x_{i_w})\) be their pre-images. Let \(\mathsf {Chal_x} := \{x_{i_1}, \dots , x_{i_w}\}\).

We say a query to \(\textbf{add}\) is new for \(\mathcal {B}\) if it satisfies the following requirements: (1) the answer to this query is not \(\bot \); (2) at least one of the input labels has not been input to any \(\textbf{add}\) query made by \(\mathcal {B}\) before, and that label belongs to \(\textsf{Chal}\). Such labels are called new labels. Let \(\textsf{New}\) be the list of pre-images of the new labels, in the order in which they appear in the queries. Let v be a bit string of length u that records the new queries of \(\mathcal {B}\), such that the ith bit of v is 1 if and only if the ith query made by \(\mathcal {B}\) is a new \(\textbf{add}\) query.

Given \(\mathcal {B}\), we claim that any \(\textsf{Successful}\) labeling function \(\textbf{label}\) can be fully described by z, \(\mathsf {Chal_x}\), the index set \(\{i_1, \dots , i_w\}\), v, \(\textsf{New}\) and the outputs of \(\textbf{label}\) on all input points in \(\mathbb {Z}_p \setminus \mathsf {Chal_x}\). Indeed, for any \(x \notin \mathsf {Chal_x}\), the value \(\textbf{label}(x)\) is already given. We determine the labels of \(x \in \mathsf {Chal_x}\) as follows: run \(\mathcal {B}^{\textbf{label}, \textbf{add}}(g, z)\) to get \(\textsf{Chal}\). We first explain how to reply to \(\mathcal {B}\)’s queries using the provided information.

  1. Answering \(\textbf{label}\) queries of \(\mathcal {B}\): By condition (ii), we know the answer does not appear in \(\textsf{Chal}\), which means the input of the query does not appear in \(\mathsf {Chal_x}\). Since \(\textbf{label}\) is completely determined on \(\mathbb {Z}_p \setminus \mathsf {Chal_x}\), we can successfully answer such queries.

  2. Answering \(\textbf{add}\) queries of \(\mathcal {B}\): First note that by assumption, if the answer to the query is not \(\bot \), then its pre-image must be in \(\mathsf {Chal_x}\), which means we can answer correctly assuming we know the pre-images of the input labels. In the following, we show how to find the pre-images with the provided information. Using v, one can tell whether the query is new.

     • Suppose the query is new. We then know both of the input labels are valid.

       • If one of the labels has its pre-image in \(\mathbb {Z}_p \setminus \mathsf {Chal_x}\) or has been seen before, we can retrieve the pre-image of the other label from \(\textsf{New}\).

       • Otherwise, both labels must be new, and we can retrieve both pre-images from \(\textsf{New}\).

     • Suppose the query is not new.

       • If the answer to this query is not \(\bot \), the labels must either have pre-images in \(\mathbb {Z}_p \setminus \mathsf {Chal_x}\) or have been seen before, so we can answer the query directly.

       • Otherwise, the answer to this query must be \(\bot \).

Thus, the set \(\textsf{Chal}\) can be retrieved. Once \(\textsf{Chal}\) is retrieved, sort its elements to get \((\ell _1, \dots , \ell _t)\) and use the provided \((i_1, \dots , i_w)\) to retrieve \((\ell _{i_1}, \dots , \ell _{i_w})\). Assuming \(\mathsf {Chal_x} = (x_{i_1}, \dots , x_{i_w})\), we have \(\textbf{label}(x_{i_h}) = \ell _{i_h}\) for \(h \in [w]\).

We now count f, the number of bits required to describe \(\mathsf {Chal_x}\), the indices \(\{i_1, \dots , i_w\}\), v, \(\textsf{New}\) and \(\textbf{label}\)’s outputs on all of \(\mathbb {Z}_p \setminus \mathsf {Chal_x}\). We can describe the sorted set \(\mathsf {Chal_x}\) with \(\log (\left( {\begin{array}{c}p\\ w\end{array}}\right) w!)\) bits. We can describe the index set with \(\log \left( {\begin{array}{c}t\\ w\end{array}}\right) \) bits. We can describe the function \(\textbf{label}\) on \(\mathbb {Z}_p \setminus \mathsf {Chal_x}\) with \(\log \frac{(s-w)!}{(s-p)!}\) bits. The string v has length u. The list \(\textsf{New}\) can be described with \(\log w!\) bits, because we can choose a permutation of the w pre-images whose initial items form the list \(\textsf{New}\).    \(\square \)

B Attacks on RBE with CRS

B.1 TDP-Impossibility of PKCom with CRS

Theorem 8

For \(\epsilon := \frac{1}{\textsf{poly}(\mathrm {\kappa })}\), let \(\mathcal {E}^{\textbf{O}} :=(\textsf{CRS}^{\textbf{O}},\textsf{Key}^{\textbf{O}},\textsf{Com}^{\textbf{O}},\textsf{Enc}^{\textbf{O}},\textsf{Dec}^{\textbf{O}})\) be a \((1-\epsilon )\)-correct PKCom scheme with respect to a random TDP oracle \(\textbf{O}=(\textbf{g},\textbf{e},\textbf{d})\). Suppose a public parameter \(\textsf{pp}\) under \(\mathcal {E}^{\textbf{g}, \textbf{e}, \textbf{d}}\) satisfies \(|\textsf{pp}| \le \frac{(n-2) |\textsf{ik}|}{2} \), where n is the number of users and \(\textsf{ik}\) is a base index key (recall \(|\textsf{ik}| = 3 \mathrm {\kappa }\), Definition 2). Also, let \(\alpha \) be the number of queries made by \(\textsf{CRS}^{\textbf{O}}(1^\mathrm {\kappa },1^n)\) to the oracle \(\textbf{O}\). Then, there exists a \((1-\epsilon )(1-\frac{1}{\alpha })\frac{(1-2^{-\mathrm {\kappa }/3})}{n}\)-correct target-restricted signature scheme relative to \(\textbf{O}=(\textbf{g},\textbf{e},\textbf{d})\).

We give the construction in Construction 9.

Algorithm 1: \(\mathsf {SampleKeys(s)}\) (shown as a figure in the original; not reproduced here)

Construction 9

We construct an n-target-restricted signature scheme from any PKCom scheme \(\mathcal {E}^{\textbf{O}}=(\textsf{CRS}^{\textbf{O}},\textsf{Key}^{\textbf{O}},\textsf{Com}^{\textbf{O}},\textsf{Enc}^{\textbf{O}},\textsf{Dec}^{\textbf{O}})\). The construction is parameterized by an integer s, which will be fixed later; this parameter only affects the size of the verification key. We assume all the algorithms satisfy the assumption in Note 1.

  • \({\text {Gen}}^{\textbf{O}}(1^{\mathrm {\kappa }},h) \rightarrow (\textsf{sgk},\textsf{vrk})\) where \(h \in [n]\) is the message to be signed:

    1. Run \(\textsf{CRS}^{\textbf{O}}(1^{\mathrm {\kappa }},1^n) \rightarrow \textsf{crs}\) and let \(\textsf{QCRS}\) be the set of all Q-A pairs made to \(\textbf{g}\) and \(\textbf{e}\) (Footnote 12).

    2. For \(1 \le j \le n\), run \(\textsf{Key}^{\textbf{O}}(1^{\mathrm {\kappa }},\textsf{crs}) \rightarrow (\textsf{pk}_j,\textsf{sk}_j)\). Let \(\textsf{QGen}_{j}\) be the set of all Q-A pairs made to \(\textbf{g}\) and \(\textbf{e}\).

    3. Run \(\textsf{Com}^{\textbf{O}}(\textsf{crs},\textsf{pk}_1,\dots ,\textsf{pk}_n) \rightarrow \textsf{pp}\) and let \(\textsf{QCMP}\) be the set of all Q-A pairs made to \(\textbf{g}\) and \(\textbf{e}\).

    4. Run \(\textsf{SampleKeys}(\textsf{crs},h,\{\textsf{pk}_i\}_ {i \ne h})\) as defined in Algorithm 1 to obtain a set \(\textsf{K}\).

    5. Return \(\textsf{vrk}=((\textsf{pk}_1,\dots ,\textsf{pk}_n),\cup _{j \ne h} \textsf{QGen}_j \cup \textsf{QCMP},\textsf{K})\), \(\textsf{sgk}=(\textsf{sk}_h,\textsf{QGen}_h,\textsf{QCRS})\).

  • \({\text {Sig}}(\textsf{sgk},h) \rightarrow \sigma \): For \(\textsf{sgk}\) as above, return \(\sigma =(\textsf{sk}_h,\textsf{QGen}_h,\textsf{QCRS})\).

  • \({\text {Ver}}^{\textbf{g},\textbf{e},\textbf{d}}(\textsf{vrk},\sigma ,h) = {\text {Ver1}}({\text {Ver0}}^O(\textsf{vrk}, h), \sigma )\): Parse \(\textsf{vrk}:= ((\textsf{pk}_1,\dots ,\textsf{pk}_n),\textsf{S},\textsf{K})\) and \(\sigma := (\textsf{sk}_h , \textsf{QGen}_h,\textsf{QCRS})\).

    1. \({\text {Ver0}}^{\textbf{g},\textbf{e},\textbf{d}}(\textsf{vrk},h) \rightarrow \alpha := (\textsf{vrk}, h , m,c,\textsf{QEnc}) \), where \((m,c) \leftarrow \textsf{Enc}^{\textbf{g},\textbf{e},\textbf{d}}(\textsf{pp},h) \) and \(\textsf{QEnc}\) is the set of all Q-A pairs made to \(\textbf{g}\) and \(\textbf{e}\).

    2. \({\text {Ver1}}(\alpha , \sigma )\): Retrieve \(\textsf{QEnc}\), \(\textsf{S}\) and \(\textsf{K}\) from \(\alpha \). (Recall \(\textsf{S} = \cup _{j \ne h} \textsf{QGen}_j \cup \textsf{QCMP} \cup \textsf{K}\) is in \(\textsf{vrk}\).) Parse \(\sigma := (\textsf{sk}_h , \textsf{QGen}_h,\textsf{QCRS})\). Let \(\textsf{All}= \textsf{S} \cup \textsf{QEnc} \cup \textsf{QGen}_h \cup \textsf{QCRS}\). Run \(\textsf{Dec}{\textsf{Sim}}(\textsf{crs},h,\textsf{sk}_h , \{ \textsf{pk}_i \} , c , (\textsf{All} , \textsf{QEnc} , \textsf{QGen}_h,\textsf{QCRS}))\), which simulates the execution of \(\textsf{Dec}^O(\textsf{crs},h , \textsf{sk}_h , \{\textsf{pk}_i\} , c)\) by rendering queries via \((\textsf{All} , \textsf{QEnc} , \textsf{QGen}_h,\textsf{QCRS})\), as follows:

       (a) For a given \(\textbf{g}\) or \(\textbf{e}\) query, if the answer is already provided in \(\textsf{All}\), reply with that answer; else, reply with a random string z of appropriate length. In case of answering with a random response, add the Q-A pair to \(\textsf{Fake}\) (initially empty) (Footnote 13).

       (b) For a given query \(\textsf{qu}:=(({\textsf{tk}},{y}) \xrightarrow [\textbf{d}]{} ?)\), if for some \({\textsf{ik}}\), \(({\textsf{tk}} \xrightarrow [\textbf{g}]{} {\textsf{ik}}) \in (\textsf{All} \cup \textsf{Fake})/(\textsf{QGen}_h \cup \textsf{QCRS})\) and \((({\textsf{ik}},{x}) \xrightarrow [\textbf{e}]{} {c}) \in \textsf{All}\) for some \({x}\), respond to the query with \({x}\). Else, if for some \({\textsf{ik}}\), \(({\textsf{tk}} \xrightarrow [\textbf{g}]{} {\textsf{ik}}) \in \textsf{QGen}_{h} \cup \textsf{QCRS}\) and \((({\textsf{ik}},{x}) \xrightarrow [\textbf{e}]{} {y}) \in (\textsf{All}/\textsf{QEnc})\cup \textsf{Fake}\) for some \({x}\), respond to the query with \({x}\). Else, respond to the query with a random value \(r \leftarrow \{0,1\}^{\mathrm {\kappa }}\).

       Letting \(m'\) be the output of \(\textsf{Dec}{\textsf{Sim}}\), output 1 if \({m'}=m\) and 0 otherwise.

B.2 Impossibility of PKCom with CRS in Shoup’s GGM

Now, we present the transformation of PKCom to target-restricted signatures while allowing CRS.

Theorem 10

If there exists a \((1-\epsilon )\)-correct PKCom scheme \((\textsf{CRS}^{\mathbb {G}_{RR}},\textsf{Key}^{\mathbb {G}_{RR}},\textsf{Com}^{\mathbb {G}_{RR}},\textsf{Enc}^{\mathbb {G}_{RR}},\textsf{Dec}^{\mathbb {G}_{RR}})\) in the RR generic group model, then there exists a \(\delta \)-correct target-restricted signature scheme in the same model, where \(\delta =(1-\epsilon )\frac{(1-2^{-\mathrm {\kappa }/3})}{n}\).

Construction 11

We construct a target-restricted signature scheme defined over messages in [n] from any PKCom scheme in the following way.

  • \({\text {Gen}}^{\mathbb {G}_{RR}}(1^{\mathrm {\kappa }},h) \rightarrow (\textsf{sgk},\textsf{vrk})\) where \(h \in [n]\) is the message to be signed. For \(i \in [n]\) let \(\textsf{QGen}_i=\emptyset \).

    1. Run \(\textsf{CRS}^{\mathbb {G}_{RR}}(1^{\mathrm {\kappa }},1^n) \rightarrow \textsf{crs}\) and add all Q-A pairs made to \(\mathbb {G}_{RR}\) to \(\textsf{QCRS}\).

    2. For \(1 \le j \le n\), run \(\textsf{Key}^{\mathbb {G}_{RR}}(1^{\mathrm {\kappa }},\textsf{crs}) \rightarrow (\textsf{pk}_j,\textsf{sk}_j)\) and add all Q-A pairs made to \(\mathbb {G}_{RR}\) to \(\textsf{QGen}_{j}\).

    3. Run \(\textsf{Com}^{\mathbb {G}_{RR}}(\textsf{crs},\textsf{pk}_1,\dots ,\textsf{pk}_n) \rightarrow \textsf{pp}\) and let \(\textsf{QCMP}\) be the set of all Q-A pairs made to \(\mathbb {G}_{RR}\).

    4. Update \(\textsf{Known}\leftarrow \textsf{Upd}(\cup _{i \ne h} \textsf{QGen}_i \cup \textsf{QCMP}\cup \textsf{QCRS})\) (Definition 10).

    5. Return \(\textsf{vrk}=((\textsf{pk}_1,\dots ,\textsf{pk}_n),\cup _{j \ne h} \textsf{QGen}_j \cup \textsf{QCMP},\textsf{Known},\upsilon )\), \(\textsf{sgk}=(\textsf{sk}_h,\textsf{QGen}_h,\textsf{QCRS})\).

  • \({\text {Sig}}(\textsf{sgk},h) \rightarrow \sigma \): For \(\textsf{sgk}\) as above, return \(\sigma :=(\textsf{sk}_h,\textsf{QGen}_h,\textsf{QCRS})\).

  • \({\text {Ver}}^{\mathbb {G}_{RR}}(\textsf{vrk},\sigma ,h)={\text {Ver1}}({\text {Ver0}}^{\mathbb {G}_{RR}}(\textsf{vrk},h),\sigma ):\) Parse \(\textsf{vrk}:=((\textsf{pk}_1,\dots ,\textsf{pk}_n),\textsf{A},\textsf{Known},\upsilon )\) and \(\sigma :=(\textsf{sk}_h,\textsf{QGen}_h,\textsf{QCRS}).\)

    1. \({\text {Ver0}}^{\mathbb {G}_{RR}}(\textsf{vrk},h)\rightarrow \alpha := (\textsf{vrk},h,m,c,\textsf{QEnc})\), where \((m,c) \leftarrow \textsf{Enc}^{\mathbb {G}_{RR}}(\textsf{pp},h)\) and \(\textsf{QEnc}\) is the set of all Q-A pairs made to \(\mathbb {G}_{RR}\).

    2. \({\text {Ver1}}(\alpha ,\sigma ):\) Retrieve \(\textsf{QEnc}\), \(\textsf{A}\) and \(\textsf{Known}\) from \(\alpha \). Recall \(\textsf{A}=\cup _{j \ne h} \textsf{QGen}_j \cup \textsf{QCMP} \). Update \(\textsf{Known}\leftarrow \textsf{Upd}(\textsf{QEnc})\). Let \(\textsf{All}= \cup _{j \ne h} \textsf{QGen}_{j} \cup \textsf{QCMP} \cup \textsf{QEnc}\). Run \(\textsf{Dec}{\textsf{Sim}}\), which simulates the execution of \(\textsf{Dec}^{\mathbb {G}_{RR}}(\textsf{crs},h,\textsf{sk}_h,\{\textsf{pk}_i\},c)\) by rendering queries via \((\textsf{All},\textsf{QGen}_h,\textsf{QCRS})\), as follows: Initialize two sets \(\textsf{E}=\textsf{Eq}(\textsf{All})\) and \(\textsf{V}=\textsf{Var}(\textsf{All})\). For a given query \(\textbf{add}( \ell _1, \ell _2)\) do the following:

       (a) If \(\ell _1 \notin \textsf{V} \cup \textsf{Var}(\textsf{QGen}_h \cup \textsf{QCRS})\) or \(\ell _2 \notin \textsf{V} \cup \textsf{Var}(\textsf{QGen}_h \cup \textsf{QCRS})\), respond to the query with \(\bot \).

       (b) Else if both \(\ell _1,\ell _2 \in \textsf{V}\): if there exists \(\ell \in \textsf{V} \cup \textsf{Var}(\textsf{QGen}_h \cup \textsf{QCRS})\) such that \( x_{\ell _1}+x_{\ell _2}-x_{\ell } \in \textsf{Span}(\textsf{E} \cup \textsf{Eq}(\textsf{QGen}_h \cup \textsf{QCRS}))\), return \(\ell \). If no such \(\ell \) is found, respond with a random label \(\ell '\), add \( x_{\ell _1}+ x_{\ell _2}-x_{\ell '}\) to \(\textsf{E}\) and add \(\ell '\) to \(\textsf{V}\). Also, set \(\textsf{Known}(\ell ')=\top \).

       (c) Else if there exists a label \( \ell \) such that \( x_{\ell _1}+ x_{\ell _2}-x_{\ell } \in \textsf{Span}( \textsf{Eq}(\textsf{QCMP}\cup \bigcup _i \textsf{QGen}_i \cup \textsf{QCRS}))\), return \(\ell \);

       (d) Else, if there exists a label \( \ell \) such that \(\textsf{Known}(\ell ) = \top \) and \( x_{\ell _1}+ x_{\ell _2}-x_{\ell } \in \textsf{Span}(\textsf{E} \cup \textsf{Eq}(\textsf{QGen}_h \cup \textsf{QCRS}))\), return \(\ell \). Else, respond with a random label \(\ell '\), add \( x_{\ell _1}+ x_{\ell _2}-x_{\ell '}\) to \(\textsf{E}\), and add \(\ell '\) to \(\textsf{V}\). Also, set \(\textsf{Known}(\ell ')=\top \).
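The span check in steps (a) and (b) decides whether the relations recorded so far already force an answer to \(\textbf{add}(\ell_1, \ell_2)\), and otherwise issues a fresh label whose relation is remembered so later answers stay consistent. The following is an added Python illustration of that bookkeeping, not code from the paper: it models only the \(\textsf{V}\)/\(\textsf{E}\) handling of steps (a) and (b) with a reduced basis over \(\mathbb{Z}_p\), using a constructed small prime and constructed label names, and leaves out the \(\textsf{Known}\) map and the separate spans of steps (c) and (d).

```python
"""Toy model of the span check in DecSim's add-query handling (Construction 11).

Added illustration, not the paper's code. Each label l stands for a group element
with unknown discrete log x_l; every answered query add(l1, l2) = l3 contributes
the relation x_l1 + x_l2 - x_l3 = 0 over Z_p. A new add(l1, l2) is answered with an
existing label l exactly when x_l1 + x_l2 - x_l lies in the span of the known
relations; otherwise a fresh random label is issued and the relation is recorded.
The prime P and all label names are constructed sample values.
"""
import secrets

P = 1_000_003  # constructed small prime standing in for the group order


class RelationSpan:
    """Fully reduced basis of linear relations over Z_P (sparse dict vectors).

    Each basis row is keyed by its pivot variable, which appears in no other row.
    """

    def __init__(self):
        self.rows = {}

    def reduce(self, vec):
        """Eliminate every pivot from vec; the residual is empty iff vec is in the span."""
        vec = {k: v % P for k, v in vec.items() if v % P}
        for pivot, row in self.rows.items():
            coef = vec.get(pivot)
            if coef:
                for k, v in row.items():
                    vec[k] = (vec.get(k, 0) - coef * v) % P
                vec = {k: v for k, v in vec.items() if v}
        return vec

    def contains(self, vec):
        return not self.reduce(vec)

    def add(self, vec):
        """Insert the relation vec = 0; returns False if it was already implied."""
        residual = self.reduce(vec)
        if not residual:
            return False
        pivot = min(residual)
        inv = pow(residual[pivot], -1, P)
        row = {k: (v * inv) % P for k, v in residual.items()}
        for old_pivot, old in list(self.rows.items()):  # keep older rows reduced
            c = old.get(pivot)
            if c:
                old.update({k: (old.get(k, 0) - c * v) % P for k, v in row.items()})
                self.rows[old_pivot] = {k: v for k, v in old.items() if v}
        self.rows[pivot] = row
        return True


def _combo(l1, l2, l):
    """The formal vector x_l1 + x_l2 - x_l, with repeated labels summed."""
    vec = {}
    for k, coef in ((l1, 1), (l2, 1), (l, -1)):
        vec[k] = vec.get(k, 0) + coef
    return vec


class AddSimulator:
    """Answers add queries consistently with a transcript of known Q-A pairs."""

    def __init__(self, transcript):
        self.labels = set()         # V: labels seen so far
        self.span = RelationSpan()  # E: relations learned so far
        for l1, l2, l3 in transcript:
            self.labels.update((l1, l2, l3))
            self.span.add(_combo(l1, l2, l3))

    def add(self, l1, l2):
        # Step (a): a label that was never issued is not a valid group element.
        if l1 not in self.labels or l2 not in self.labels:
            return None  # plays the role of the bottom answer
        # Step (b): return an existing label that the known relations force.
        for l in sorted(self.labels):
            if self.span.contains(_combo(l1, l2, l)):
                return l
        # Otherwise issue a fresh random label and remember the new relation.
        fresh = "L" + secrets.token_hex(4)
        self.labels.add(fresh)
        self.span.add(_combo(l1, l2, fresh))
        return fresh


def demo():
    """Constructed transcript: add(a,b)=c and add(c,d)=e were observed earlier."""
    sim = AddSimulator([("a", "b", "c"), ("c", "d", "e")])
    f = sim.add("a", "d")  # nothing forces an answer, so a fresh label for a+d
    return {
        "a+b": sim.add("a", "b"),             # "c": recorded directly
        "b+a": sim.add("b", "a"),             # "c": commutativity falls out of the span check
        "a+z": sim.add("a", "z"),             # None: z was never issued
        "a+d again": sim.add("a", "d") == f,  # True: consistent with the first answer
        "(a+d)+b": sim.add(f, "b"),           # "e": (a+d)+b = (a+b)+d without knowing any x
    }
```

The last query shows why a span check rather than a lookup table is needed: the simulator never learns any exponent, yet it must return \(e\) because the recorded relations already imply \(x_f + x_b = x_e\).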

Copyright information

© 2023 International Association for Cryptologic Research

Cite this paper

Hajiabadi, M., Mahmoody, M., Qi, W., Sarfaraz, S. (2023). Lower Bounds on Assumptions Behind Registration-Based Encryption. In: Rothblum, G., Wee, H. (eds) Theory of Cryptography. TCC 2023. Lecture Notes in Computer Science, vol 14370. Springer, Cham. https://doi.org/10.1007/978-3-031-48618-0_11

  • DOI: https://doi.org/10.1007/978-3-031-48618-0_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-48617-3

  • Online ISBN: 978-3-031-48618-0