1 Introduction

In traditional public key encryption systems, a message is encrypted under a particular public key, with the guarantee that it can only be decrypted by the party holding the corresponding secret key. Attribute based encryption (ABE), introduced in [30], instead allows us to use attributes to determine who has the power to decrypt. In these systems, there is a single entity which publishes system parameters and distributes the appropriate decryption keys to various parties. In key-policy ABE (KP-ABE) [18], a message is encrypted under a set of attributes describing that message, and each decryption key is associated with a policy describing which ciphertexts it can decrypt. Conversely, in ciphertext-policy ABE (CP-ABE) [8] each user is given a decryption key that depends on his attributes, and ciphertexts are encrypted with policies describing which users can decrypt them. ABE has been proposed for a variety of applications, from social network privacy to pay-per-view broadcasting to health record access-control to cloud security (see e.g. [1, 6, 28, 31, 34]).

Recently there has been a lot of progress in terms of both security and functionality. Using the dual system framework introduced by Waters [35], several works [23, 25] have designed ABE schemes that satisfy the natural security definition, avoiding the restrictions of selective security. Other works consider extra features like short ciphertexts whose length is independent of the size of the associated attribute set and policy [5, 37], or “unbounded” schemes that place no bounds on the space of possible attributes or the number of attributes that can be tied to a ciphertext or key [24, 27, 29]. Predicate encryption [10] generalizes the concept to require only that the ciphertext and key are associated with values x and y respectively, and decryption succeeds iff some predicate P(x, y) holds. Note that in this work we assume that x and y are revealed by the ciphertext and key respectively; we do not consider attribute-hiding [11, 21] or predicate-hiding [9, 32].

As these schemes have progressed, however, constructions and proofs have become increasingly complex. Many of the proposed schemes require composite order pairings, in which the order of the pairing groups is a product of two or more primes; since these schemes require that factoring the group order is hard, this in practice means that these groups must be at least an order of magnitude larger than prime order groups of comparable security level, and according to [19] composite order pairing computations are at least 2 orders of magnitude slower. This has prompted efforts to design schemes in prime order groups [17, 20, 22, 26, 27], but many of these schemes still have fairly high cost as compared to their selectively secure counterparts, and designing and analyzing security of such schemes can be quite challenging.

Two very recent works, by Wee [36] and Attrapadung [2] make significant progress in simplifying the design and analysis of new constructions. These works introduce simple new objects, called predicate encodings and pair encodings respectively in the two works, which can be used to construct ABE and other predicate encryption schemes. Essentially, they consider one decryption key and one ciphertext, and focus on what happens in the exponent space. Both formalisms introduce simple information theoretic properties on these objects and show that if these properties are met, they can be extended into fully secure ABE/predicate encryption schemes. The major advantage of this approach is that instead of having to design and prove security of a complex scheme, now all one has to do is design and analyze an appropriate encoding, which is a much simpler task. This vastly simplifies the design of new schemes, and in fact, both works resulted in new constructions and more efficient variants of previously known schemes.

Currently these works have two primary limitations. First, they both result in ABE schemes that rely on composite order pairings, which as explained above is very undesirable from an efficiency standpoint. The second drawback is that the strict information theoretic properties they require from the underlying objects mean that there are many constructions that they cannot capture in their model. Attrapadung [2] addresses this by introducing a computational security notion, which allows several more interesting constructions to be captured in the framework. However, this security notion is much harder to analyze: it involves not only the encodings in the exponent space, but also elements in the composite order group in which it is embedded, and the proofs that the encodings satisfy this notion are not only computational (rather than information theoretic) but are based on much stronger assumptions.

Still these encodings seem extremely promising as a way to simplify the design and analysis of predicate encryption schemes. In our work we further study these objects, with the aim of understanding them better and beginning to address these limitations. In particular we focus on the pair encodings from [2], as they seem to be able to capture more constructions.

Our Contributions. First, we study the structure of pair encodings. Attrapadung’s pair encodings have only limited structural requirements. This means that he is able to capture many existing constructions in his framework, although as mentioned above, in many cases the information theoretic security property he defines does not hold for these schemes. A better understanding of the natural structure of these schemes may help to design new schemes, by providing better intuition for what is important and simply by limiting the search space.

Here we consider two structural properties. First we assume a simple property that describes where the public parameters appear in the key and ciphertext. This seems to reflect some basic structure, as all the pair encodings in [2] have this property. Looking ahead, this property allows us to instantiate these schemes efficiently in prime order groups. We then show that this implies a second, seemingly unrelated property involving the use of random variables in the key and ciphertexts. We can use this second property to simplify our security definitions and analyses.

Using this understanding, we propose a relaxation of the information theoretic security property proposed in [2]. This property essentially allows us to consider the scheme at smaller granularity than an entire key or ciphertext. It is still information theoretic, and it does not depend on the group in which it will be used; this means it is still easy to analyze whether a given encoding satisfies this property. We consider two flavors of this property and show that the stronger of the two is implied by the security properties in [2]. However, we will see that our new property is indeed a relaxation in that it allows us to consider encodings that did not satisfy the original property. Thus, we make a first step towards addressing the limitations of the strict information theoretic property of previous work.

Next we present a generic construction of predicate encryption from pair encodings. Here we make use of the dual system groups introduced by [13]; although we must modify their properties slightly, we show that their instantiations are still sufficient. We show that pair encodings which satisfy the stronger flavor of our new property result in fully secure predicate encryption schemes, while pair encodings which satisfy the weaker flavor result in schemes which can still be shown to be semi-adaptively secure. While full security is preferable, we will see that this second result allows us to design schemes in areas in which even selectively secure constructions are hard to construct.

This approach has two advantages. First, this means that we can transform any pair encoding scheme which satisfies the information theoretic security properties in [2] into a fully secure ABE or predicate encryption scheme in a prime order group based only on the \(\mathsf {SXDH}\) or \(\mathsf {DLIN}\) assumption. This results in schemes which are of practical efficiency, with strong security guarantees based on mild assumptions. Moreover, the advantage of this approach is that while the proof of our generic construction is fairly involved, analyzing a given pair encoding scheme to verify the necessary property is still quite straightforward.

Finally, to demonstrate how our relaxed security property allows us to consider additional functionalities, we present a new pair encoding for CP-ABE with constant-size ciphertext. When used in our generic construction, this results in a CP-ABE with constant-size ciphertext which is semi-adaptively secure and can be instantiated under either \(\mathsf {SXDH}\) or \(\mathsf {DLIN}\). To the best of our knowledge, prior to our work there were no known schemes for constant-size CP-ABE, even considering only selective security and allowing for very strong assumptions. This shows then that our new techniques allow us to consider a strictly greater range of schemes; we hope that they will continue to prove useful and lead to other interesting constructions.

Other Related Work. As mentioned above, the original works of [2, 36] gave constructions only in composite order groups. In a recent work, however, Chen, Gay, and Wee [12] proposed a transformation to go from pair encodings to prime order predicate encryption schemes, requiring the same strong information theoretic property on the underlying pair encoding as in [36]. However, they also require strict restrictions on the structure of pair encodings, which are not satisfied by most of the encodings which had previously been proposed; essentially this requires that there be only one unit of randomness in each ciphertext or key. They show that the previous encodings which satisfy the information theoretic property from [2] (the basic KP- and CP-ABE schemes) have counterparts which satisfy these stricter requirements. This results in the most efficient known constructions for a number of problems. As mentioned above, our generic construction can be applied directly to the original pair encodings [2]; this will yield similar constructions, with slightly different tradeoffs (generally smaller public parameters but slower decryption). Interestingly, our relaxed perfect security property is designed to leverage exactly the kind of structure they prohibit, so perhaps it suggests another way forward for predicates that cannot be addressed under their model.

In concurrent work, Attrapadung [3] proposed a generic construction that compiles any secure (computational or information-theoretic) pair encoding scheme for a predicate R to a fully secure FE scheme for the same predicate in prime-order groups under the Matrix Diffie-Hellman assumption [16] (of which \(\mathsf {DLIN}\) is a special case), with an additional q-type assumption in the case of pair encodings that only satisfy the computational security definition from [2]. This then also gives prime order group constructions for any predicate encoding scheme satisfying the strong information theoretic property under DLIN, and for KP-ABE with short ciphertext (as well as unbounded KP-ABE and ABE for regular languages) under a q-type assumption. However, as compared to this work, our results have the following advantages: First, we use dual system groups in a black box way, which simplifies the transformation, unifies prime and composite order group constructions, and means that any new construction of dual system groups directly gives new constructions for ABE. Moreover, our relaxed perfect security property allows us to show semi-adaptive security for the short ciphertext schemes based only on SXDH or DLIN, without any q-type assumptions; in addition to giving us the new results on CP-ABE, we can also give a much simpler proof of semi-adaptive security for Attrapadung’s KP-ABE with short ciphertexts, and this proof does not require q-type assumptions. (See the full version of the paper.)

Finally, we mention the concurrent work of Attrapadung, Hanaoka, and Yamada [4]. This work presents various conversions among pair encoding schemes. Among other things, they show that if one starts with the KP-ABE scheme with constant-size ciphertexts recently proposed by Takashima [33], then by applying the conversion one gets a CP-ABE scheme with constant-size ciphertexts, which is selectively secure under the \(\mathsf {DLIN}\) assumption. On the other hand, we get a semi-adaptive scheme secure under any assumption which can be used to construct dual system groups (which includes SXDH, DLIN, etc.). Moreover, since Takashima’s construction does not use any abstractions, our construction is significantly more modular, easier to analyze and easier to extend. As we view the CP-ABE more as a test-case for the utility of our new definition and transformation, having an approach that can extend easily to other types of ABE schemes seems particularly valuable.

2 Preliminaries

We use \(\cong , \equiv \) and \(\approx \) to denote statistical, perfect and computational indistinguishability respectively. Security parameter is denoted by \(\lambda \), and \(\mathsf {negl} (\lambda )\) denotes a negligible function in \(\lambda \).

We normally use lower case letters in bold to denote vectors; but if a vector’s elements are themselves vectors, we use upper case. For two vectors \(\mathbf {u} = (u_1, \ldots , u_n)\) and \(\mathbf {v} = (v_1, \ldots , v_n)\), we use \(\mathbf {u} \cdot \mathbf {v} \) to denote the entry-wise product, i.e., \((u_1 v_1, \ldots , u_n v_n)\), and \(\langle \mathbf {u}, \mathbf {v} \rangle \) to denote the inner-product, i.e., \(\sum _{i=1}^n u_i v_i\). The \(\cdot \) operator naturally extends to vectors of vectors (or matrices): if \(\mathbf {U} = (\mathbf {u} _1, \ldots , \mathbf {u} _m)\) and \(\mathbf {V} = (\mathbf {v} _1, \ldots , \mathbf {v} _m)\), then \(\mathbf {U} \cdot \mathbf {V} = (\mathbf {u} _1 \cdot \mathbf {v} _1, \ldots , \mathbf {u} _m \cdot \mathbf {v} _m)\). \(g^{\mathbf {u}}\) should be interpreted as the vector \((g^{u_1}, \ldots , g^{u_n})\). \(g^{\mathbf {A}}\), where \(\mathbf {A} \) is a matrix, should be interpreted in an analogous way.

We use \(\mathbf {u} _1, \ldots , \mathbf {u} _m \leftarrow \mathsf {SampAlg}(\cdot )\) to denote that the algorithm \(\mathsf {SampAlg}\) is run m times with independent coin tosses to generate samples \(\mathbf {u} _1, \ldots , \mathbf {u} _m\). Since the output of this algorithm is a vector, we also use \((u_1, \ldots , u_n) \leftarrow \mathsf {SampAlg}(\cdot )\) to denote that a single sample with co-ordinates \(u_1, \ldots , u_n\) is drawn from \(\mathsf {SampAlg}\) (this should not be confused with the previous notation). Finally, \(a \leftarrow _RS\) denotes drawing an element a uniformly at random from the set S.

Bilinear Pairings: Let \(\mathbb {G}, \mathbb {H} \) and \(\mathbb {G}_T \) be three multiplicative groups. A pairing \(e : \mathbb {G} \times \mathbb {H} \rightarrow \mathbb {G}_T \) is bilinear if for all \(g \in \mathbb {G}, h \in \mathbb {H} \) and \(a, b \in \mathbb {Z} \), \(e(g^a, h^b) = e(g, h)^{ab}\). This pairing is non-degenerate if whenever \(e(g, h) = 1_{\mathbb {G}_T}\), then either \(g = 1_{\mathbb {G}}\) or \(h = 1_{\mathbb {H}}\) (where \(1_{\mathbb {G}}\), for instance, denotes the identity element of \(\mathbb {G} \).) We will only be interested in bilinear pairings that are efficiently computable.

The order of an element g of a group G is the smallest positive integer a such that \(g^a = 1_G\). The exponent of a group is defined as the least common multiple of the orders of all elements of the group. One can show that if a non-degenerate bilinear pairing \(e : \mathbb {G} \times \mathbb {H} \rightarrow \mathbb {G}_T \) can be defined over three groups \(\mathbb {G}, \mathbb {H} \) and \(\mathbb {G}_T \), then they all have the same exponent. We use \(\exp (G)\) to denote the exponent of a group G.

Homomorphism: A homomorphism from a group \(\langle G, \cdot \rangle \) to a group \(\langle H, \oplus \rangle \) is a function \(\psi : G \rightarrow H\) such that for all \(g_1, g_2 \in G\), \(\psi (g_1 \cdot g_2) = \psi (g_1) \oplus \psi (g_2)\). We define two sets with respect to a homomorphism: \(\mathsf {Image} (\psi ) = \{ \psi (g) \; | \; g \in G \}\) and \(\mathsf {Kernel} (\psi ) = \{ g \in G \; | \; \psi (g) = 1_{H} \}\).

2.1 Predicate Encryption (PE)

An encryption scheme for a predicate family \(P = \{P_\kappa \}_{\kappa \in \mathbb {N} ^c}\) over a message space \(\mathcal {M} = \{\mathcal {M} _\lambda \}_{\lambda \in \mathbb {N}}\) consists of four \(\mathsf {PPT}\) algorithms which satisfy a correctness condition defined below.

  • \(\mathsf {Setup} (1^\lambda , \mathsf {par}) \rightarrow (\textsc {mpk}, \textsc {msk})\). The \(\mathsf {Setup}\) algorithm takes as input the unary representation of the security parameter \(\lambda \) and some additional parameters \(\mathsf {par}\). It outputs a master public key \(\textsc {mpk}\) and a master secret key \(\textsc {msk}\). The output of \(\mathsf {Setup}\) defines a number \(N \in \mathbb {N} \) (perhaps implicitly), and \(\kappa \) is set to \((N, \mathsf {par})\).

  • \(\mathsf {Encrypt} (\textsc {mpk}, x, m) \rightarrow \textsc {ct} \). The encryption algorithm takes public parameters \(\textsc {mpk}\), an \(x \in \mathcal {X} _\kappa \) and an \(m \in \mathcal {M} _\lambda \) as inputs, and outputs a ciphertext \(\textsc {ct}\).

  • \(\mathsf {KeyGen} (\textsc {mpk}, \textsc {msk}, y) \rightarrow \textsc {sk} \). The key generation algorithm takes as input the public parameters \(\textsc {mpk}\), the master secret key \(\textsc {msk}\) and a \(y \in \mathcal {Y} _\kappa \), and outputs a secret key \(\textsc {sk}\).

  • \(\mathsf {Decrypt} (\textsc {mpk}, \textsc {sk}, \textsc {ct}) \rightarrow m'\). The decryption algorithm takes as input the public parameters \(\textsc {mpk}\), a secret key \(\textsc {sk}\) and a ciphertext \(\textsc {ct}\), and outputs a message \(m' \in \mathcal {M} _\lambda \).

Correctness: For all \(\lambda \) and \(\mathsf {par}\), \(\textsc {mpk}\) and \(\textsc {msk}\) output by \(\mathsf {Setup} (1^\lambda , \mathsf {par})\), \(m \in \mathcal {M} _\lambda \), \(x \in \mathcal {X} _\kappa \) and \(y \in \mathcal {Y} _\kappa \) such that \(P_\kappa (x,y) = 1\), if

$$\begin{aligned} \textsc {ct} \leftarrow \mathsf {Encrypt} (\textsc {mpk}, x, m) \quad \textsc {sk} \leftarrow \mathsf {KeyGen} (\textsc {mpk}, \textsc {msk}, y), \end{aligned}$$

then

$$\begin{aligned} \mathsf {Pr} [ \mathsf {Decrypt} (\textsc {mpk}, \textsc {ct}, \textsc {sk}) \ne m ] \le \mathsf {negl} (\lambda ), \end{aligned}$$

where the probability is over the random coin tosses of \(\mathsf {Encrypt}, \mathsf {KeyGen} \) and \(\mathsf {Decrypt} \).

Security: Let \(\varPi \) be an encryption scheme for a predicate family \(P = \{P_\kappa \}_{\kappa \in \mathbb {N} ^c}\) over a message space \(\mathcal {M} = \{\mathcal {M} _\lambda \}_{\lambda \in \mathbb {N}}\). Consider the following experiment \(\mathsf {Expt}^{(b)}_{\mathcal {A},\varPi }\) \((\lambda , \mathsf {par})\) between an adversary \(\mathcal {A}\) and a challenger \(\mathsf {Chl}\) for \(b \in \{0,1\}\) when both are given input \(1^\lambda \) and \(\mathsf {par}\):

  1. Setup: \(\mathsf {Chl}\) runs \(\mathsf {Setup} (1^\lambda , \mathsf {par})\) to obtain \(\textsc {mpk}\) and \(\textsc {msk}\). It gives \(\textsc {mpk}\) to \(\mathcal {A}\).

  2. Query: \(\mathcal {A}\) issues a key query by sending \(y \in \mathcal {Y} _\kappa \) to \(\mathsf {Chl}\), and obtains \(\textsc {sk} \leftarrow \mathsf {KeyGen} (\textsc {mpk},\) \(\textsc {msk}, y)\) in response. This step can be repeated any number of times \(\mathcal {A}\) desires.

  3. Challenge: \(\mathcal {A}\) sends two messages \(m_0, m_1 \in \mathcal {M} _\lambda \) and an \(x \in \mathcal {X} _\kappa \) to \(\mathsf {Chl}\), and gets \(\textsc {ct} \leftarrow \mathsf {Encrypt} (\textsc {mpk}, x, m_b)\) as the challenge ciphertext.

  4. Query: This step is identical to step 2.

At the end of the experiment, \(\mathcal {A}\) outputs a bit which is defined to be the output of the experiment. We call an adversary admissible if for every \(y \in \mathcal {Y} _\kappa \) queried in steps 2 and 4, \(P_\kappa (x, y) = 0\). This prevents \(\mathcal {A}\) from succeeding in the experiment simply by decrypting \(\textsc {ct}\).

Definition 1

An encryption scheme \(\varPi \) is adaptively or fully secure for a predicate family \(P = \{P_\kappa \}_{\kappa \in \mathbb {N} ^c}\) if for every \(\mathsf {PPT}\) admissible adversary \(\mathcal {A}\) and every \(\mathsf {par}\),

$$\begin{aligned} | \mathsf {Pr} [\mathsf {Expt}^{(0)}_{\mathcal {A},\varPi }(\lambda , \mathsf {par}) = 1] - \mathsf {Pr} [\mathsf {Expt}^{(1)}_{\mathcal {A},\varPi }(\lambda , \mathsf {par}) = 1] | \le \mathsf {negl} (\lambda ), \end{aligned}$$

where the probabilities are taken over the coin tosses of \(\mathcal {A}\) and \(\mathsf {Chl}\). On the other hand, \(\varPi \) is semi-adaptively secure if the above condition is satisfied w.r.t. a modified experiment where \(\mathcal {A}\) provides \(x \in \mathcal {X} _\kappa \) to \(\mathsf {Chl}\) right after the setup phase (instead of the challenge phase), i.e., before it starts querying [15].

3 Pair Encoding Schemes

The notion of pair encoding schemes (\(\mathsf {PES}\)) was introduced by Attrapadung [2]. Our definition of this scheme is slightly different from the one given by [2] in that we place a restriction on the structure. Though the latter definition is more general, we believe that our formulation mirrors the concrete design of such schemes more closely. In particular, all the constructions of pair encoding schemes given in [2] fit into our framework without any changes.

We first present the definition given by Attrapadung and discuss the restrictions we impose afterwards. A pair encoding scheme for a predicate family \(P_\kappa : \mathcal {X} _\kappa \times \mathcal {Y} _\kappa \rightarrow \{0,1\}\) indexed by \(\kappa = (N, \mathsf {par})\) consists of four polynomial-time deterministic algorithms which satisfy a correctness condition as defined below.

  • \(\mathsf {Param} (\mathsf {par}) \rightarrow n\). The \(\mathsf {Param}\) algorithm takes the parameters \(\mathsf {par}\) as input, and outputs a positive integer \(n \in \mathbb {N} \) which specifies the number of common variables shared by the following two algorithms. Let \(\mathbf {b} := (b_1, b_2, \ldots , b_n)\) denote the common variables.

  • \(\mathsf {EncC} (x, N) \rightarrow (\mathbf {c} := (c_1, c_2, \ldots , c_{w_1}); w_2)\). The \(\mathsf {EncC}\) algorithm takes an \(N \in \mathbb {N} \) and an \(x \in \mathcal {X} _{(N, \mathsf {par})}\) as inputs, and outputs a sequence of \(w_1\) polynomials \(c_1, c_2, \ldots , c_{w_1}\) with coefficients in \(\mathbb {Z} _{N}\) and a \(w_2 \in \mathbb {N} \). Every polynomial \(c_{\ell }\) is a linear combination of monomials of the form \(s, s_i, sb_j, s_{i}b_{j}\) in variables \(s, s_1, s_2, \ldots , s_{w_2}\) and \(b_1, \ldots , b_n\). More formally, for \(\ell \in [1, w_1]\),

    $$\begin{aligned} c_{\ell } \quad := \quad \zeta _{\ell } s \quad + \quad \sum _{i \in [1,w_2]} \eta _{\ell , i} s_i \quad + \quad \sum _{j \in [1,n]} \theta _{\ell , j} s b_j \quad + \sum _{i \in [1,w_2], j \in [1,n]} \vartheta _{\ell , i, j} s_i b_j, \end{aligned}$$

    where \(\zeta _{\ell }, \eta _{\ell , i}, \theta _{\ell , j}, \vartheta _{\ell , i, j} \in \mathbb {Z} _N\) are constants which define \(c_\ell \).

  • \(\mathsf {EncK} (y, N) \rightarrow (\mathbf {k} := (k_1, k_2, \ldots , k_{m_1}); m_2)\). The \(\mathsf {EncK}\) algorithm takes an \(N \in \mathbb {N} \) and a \(y \in \mathcal {Y} _{(N, \mathsf {par})}\) as inputs, and outputs a sequence of \(m_1\) polynomials \(k_1, k_2, \ldots , k_{m_1}\) with coefficients in \(\mathbb {Z} _{N}\) and an \(m_2 \in \mathbb {N} \). Every polynomial \(k_{t}\) is a linear combination of monomials of the form \(\alpha , r_{i'}, r_{i'}b_j\) in variables \(\alpha , r_1, r_2, \ldots , r_{m_2}\) and \(b_1, \ldots , b_n\). More formally, for \(t \in [1, m_1]\),

    $$\begin{aligned} k_{t} \quad := \quad \tau _{t} \alpha \quad + \quad \sum _{i' \in [1,m_2]} \upsilon _{t, i'} r_{i'} \quad + \quad \sum _{i' \in [1,m_2], j \in [1,n]} \phi _{t, i', j} r_{i'} b_j, \end{aligned}$$

    where \(\tau _{t}, \upsilon _{t, i'}, \phi _{t, i', j} \in \mathbb {Z} _N\) are constants which define \(k_t \).

  • \(\mathsf {Pair} (x, y, N) \rightarrow \mathbf {E} \). The \(\mathsf {Pair}\) algorithm takes an \(N \in \mathbb {N} \), an \(x \in \mathcal {X} _{(N, \mathsf {par})}\) and a \(y \in \mathcal {Y} _{(N, \mathsf {par})}\) as inputs, and outputs a matrix \(\mathbf {E} \in \mathbb {Z} ^{m_1 \times w_1}_{N}\).

Correctness: A pair encoding scheme is correct if for every \(\kappa = (N, \mathsf {par})\), \(x \in \mathcal {X} _\kappa \) and \(y \in \mathcal {Y} _\kappa \) such that \(P_\kappa (x,y) = 1\), the following holds symbolically

$$\begin{aligned} \mathbf {k} \mathbf {E} \mathbf {c} ^T = \sum _{\begin{array}{c} t \in [1, m_1], \\ \ell \in [1, w_1] \end{array}} E_{t, \ell } k_{t} c_{\ell } = \alpha s. \end{aligned}$$

Structural Restrictions. We impose an additional restriction on the form of \(\mathbf {E} \). Essentially this says that if \(k_{t}\) has a monomial of the form \(r_{i'}b_{j'}\) and a \(c_{\ell }\) has a monomial of the form \(sb_j\) or \(s_{i}b_{j}\) then \(E_{t, \ell }\) must be 0. One can easily verify that every pair encoding scheme given in [2] (as well as the new one we propose) satisfies this. We also assume that the variable s is explicitly given out in the encoding of x, i.e., \(s \in \mathbf {c} \).

Moreover, we can show that given the constraint on \(\mathbf {E} \), we can assume w.l.o.g. that the set of polynomials output by \(\mathsf {EncC}\) and \(\mathsf {EncK}\) have a fairly restricted structure. In simple words, if a polynomial contains the monomial \(s b_j\) (or \(s_i b_j\), \(r_{i'}b_{j}\)), then there must exist a polynomial which only contains the monomial s (resp. \(s_i\), \(r_{i'}\)). More precisely, we show that for any pair encoding which satisfies the restriction on \(\mathbf {E} \), there is a corresponding one in which \(\mathsf {EncC}\) and \(\mathsf {EncK}\) have this structure, and this correspondence preserves all of the security properties defined in [2].

For formal statements see the full version. For the rest of this work, we will assume that all pair encodings satisfy the properties listed above.

3.1 Security

Attrapadung provided two security notions for pair encoding schemes: perfect and computational. As discussed in Sect. 1, in this paper we focus on perfect security, which is the information theoretic property, for which we propose a relaxation. First, we restate here the original security definition given by Attrapadung (which is referred to as perfectly master-key hiding in his paper).

Definition 2

(Perfect Security [2]). A pair encoding scheme \((\mathsf {Param}, \mathsf {EncC},\) \(\mathsf {EncK}, \mathsf {Pair})\) for a predicate family \(P_\kappa \) is perfectly secure if for every \(\kappa = (N, \mathsf {par})\), \(x \in \mathcal {X} _\kappa \) and \(y \in \mathcal {Y} _\kappa \) such that \(P_\kappa (x,y) = 0\),

$$\begin{aligned} \big ( \mathbf {c} (\mathbf {s}, \mathbf {b}), \mathbf {k} (0, \mathbf {r}, \mathbf {b}) \big ) \equiv \big ( \mathbf {c} (\mathbf {s}, \mathbf {b}), \mathbf {k} (\alpha , \mathbf {r}, \mathbf {b}) \big ), \end{aligned}$$
(1)

where \(\mathbf {s} \leftarrow _R\mathbb {Z} ^{w_2+1}_N\), \(\mathbf {b} \leftarrow _R\mathbb {Z} ^n_N\), \(\mathbf {r} \leftarrow _R\mathbb {Z} ^{m_2}_N\) and \(\alpha \leftarrow _R\mathbb {Z} _N\).

We propose a new relaxed notion of perfect security that allows more flexibility in the design of pair encoding schemes. Very roughly, this property will allow us to add noise gradually to the parameters used in the key, as long as this noise is not detectable given the relevant part of the key and the ciphertext. The goal is to eventually add sufficient noise to completely hide the master secret. Towards this, we define a new randomized polynomial-time sampling algorithm for pair encoding schemes. While the algorithms above are used in the generic construction, the \(\mathsf {Samp}\) algorithm described below will be used in the security proof.

  • \(\mathsf {Samp} (d,x,y,N) \rightarrow (\mathbf {b} _d := (b_{d,1}, b_{d,2}, \ldots , b_{d,n}))\). This algorithm takes a \(d \in [1, m_2]\), an \(N \in \mathbb {N} \), an \(x \in \mathcal {X} _{(N, \mathsf {par})}\), and a \(y \in \mathcal {Y} _{(N, \mathsf {par})}\) as inputs, and outputs a sequence of n numbers in \(\mathbb {Z} _N\). We require that the probability of this algorithm producing \((u \cdot b_{d,1}, u \cdot b_{d,2}, \ldots , u \cdot b_{d,n})\) as output is equal to the probability that it produces \((b_{d,1}, b_{d,2}, \ldots , b_{d,n})\) as output, for any \(u \in \mathbb {Z} ^*_N\).

Jumping ahead, the dependence of \(\mathsf {Samp}\) on its inputs will play a crucial role in the proof of security of our generic construction. We will see that if \(\mathsf {Samp}\) doesn’t depend on x, then we can prove our construction to be fully secure. But in case it does, we can only prove semi-adaptive security.

Recall that \(\mathsf {EncK}\) on input y and N produces a sequence of polynomials \(\mathbf {k} (\alpha , \mathbf {r}, \mathbf {b})\) with coefficients in \(\mathbb {Z} _{N}\), where every polynomial is a linear combination of monomials of the form \(\alpha , r_{i'}, r_{i'}b_j\) in variables \(\alpha , r_1, r_2, \ldots , r_{m_2}\) and \(b_1, \ldots , b_n\). In the following we use \(\mathbf {k} _d (\alpha , r_d, \mathbf {b})\), for \(d \in [1,m_2]\), to denote the polynomials in \(\mathbf {k} \) obtained by setting all the variables in \(\{r_1, r_2, \ldots , r_{m_2}\}\) except \(r_d\) to 0. We are now ready to define our new notion of perfect security.

Definition 3

(Relaxed Perfect Security). A pair encoding scheme \(\varGamma = (\mathsf {Param},\) \(\mathsf {EncC}, \mathsf {EncK}, \mathsf {Pair})\) for a predicate family \(P_\kappa \) is relaxed perfectly secure if there exists a \(\mathsf {PPT}\) algorithm \(\mathsf {Samp}\) (as defined above) such that for every \(\mathsf {par}\), \(x \in \mathcal {X} _\kappa \) and \(y \in \mathcal {Y} _\kappa \) such that \(P_\kappa (x,y) = 0\), and every \(d \in [1, m_2]\):

$$\begin{aligned} \{\mathbf {c} (\mathbf {s}, \mathbf {b}), \mathbf {k} _d(0, r_d, \mathbf {b})\}_{N \in \mathbb {N}} \quad \cong \quad \{\mathbf {c} (\mathbf {s}, \mathbf {b}), \mathbf {k} _d(0, r_d, \mathbf {b} + \mathbf {b} _d)\}_{N \in \mathbb {N}}, \end{aligned}$$
(2)

where \(\mathbf {s} \leftarrow _R\mathbb {Z} ^{w_2+1}_N\), \(\mathbf {b} \leftarrow _R\mathbb {Z} ^n_N\), \(r_d \leftarrow _R\mathbb {Z} _N, \mathbf {b} _d \leftarrow \mathsf {Samp} (d,x,y,N)\). Furthermore,

$$\begin{aligned} \bigg \{ \mathbf {c} (\mathbf {s}, \mathbf {b}), \sum _{d \in [1, m_2]} \mathbf {k} _d(0, r_d, \mathbf {b} + \mathbf {b} _d) \bigg \}_{N \in \mathbb {N}} \cong \bigg \{ \mathbf {c} (\mathbf {s}, \mathbf {b}), \sum _{d \in [1, m_2]} \mathbf {k} _d(\alpha , r_d, \mathbf {b} + \mathbf {b} _d) \bigg \}_{N \in \mathbb {N}}, \end{aligned}$$
(3)

where \(\mathbf {s} \leftarrow _R\mathbb {Z} ^{w_2+1}_N\), \(\mathbf {b} \leftarrow _R\mathbb {Z} ^n_N\), \(r_1, r_2, \ldots , r_{m_2} \leftarrow _R\mathbb {Z} _N\), \(\alpha \leftarrow _R\mathbb {Z} _N\), \(\mathbf {b} _d \leftarrow \mathsf {Samp} (d,x,y,N)\) for \(d \in [1,m_2]\), and \(\cong \) denotes statistical indistinguishability. We say \(\varGamma \) satisfies strong relaxed perfect security if \(\mathsf {Samp}\) does not depend on x.

Note that in Eqs. (2) and (3), we have distribution ensembles indexed by N, unlike the definition of perfect security where we are dealing with only one distribution. We require that the ensembles are statistically indistinguishable from each other, which means that for large enough values of N, the statistical distance between the distributions is negligible.

We now show that any pair encoding scheme that is perfectly secure under the original definition is also secure under the stronger flavor of the relaxed definition.

Lemma 1

Let \(\varGamma = (\mathsf {Param}, \mathsf {EncC}, \mathsf {EncK}, \mathsf {Pair})\) be a pair encoding scheme. If \(\varGamma \) is perfectly secure (Definition 2), then \(\varGamma \) is also relaxed perfectly secure (Definition 3). Moreover, we can define a \(\mathsf {Samp}\) algorithm for \(\varGamma \) that does not depend on the input x.

Proof

For any pair encoding scheme \(\varGamma \), define \(\mathsf {Samp}\) to output a vector of zeroes on any input. With this definition, (2) is trivially satisfied for every \(d \in [1,m_2]\), and the two distributions in (3) reduce to

$$\begin{aligned} \left\{ \mathbf {c} (\mathbf {s}, \mathbf {b}), \sum _{d \in [1, m_2]} \mathbf {k} _d(0, r_d, \mathbf {b}) \right\} \quad \text {and} \quad \left\{ \mathbf {c} (\mathbf {s}, \mathbf {b}), \sum _{d \in [1, m_2]} \mathbf {k} _d(\alpha , r_d, \mathbf {b}) \right\} . \end{aligned}$$
(4)

Since \(\varGamma \) is perfectly secure, we know that if \(\mathbf {s} \leftarrow _R\mathbb {Z} ^{w_2+1}_N\), \(\mathbf {b} \leftarrow _R\mathbb {Z} ^n_N\), \(\mathbf {r} \leftarrow _R\mathbb {Z} ^{m_2}_N\) and \(\alpha \leftarrow _R\mathbb {Z} _N\), then

$$\begin{aligned} \{\mathbf {c} (\mathbf {s}, \mathbf {b}), \mathbf {k} (0, \mathbf {r}, \mathbf {b})\} \equiv \{\mathbf {c} (\mathbf {s}, \mathbf {b}), \mathbf {k} (\alpha , \mathbf {r}, \mathbf {b})\}. \end{aligned}$$

We can replace \(\mathbf {k} (\alpha , \mathbf {r}, \mathbf {b})\) with \(\mathbf {k} (m_2\alpha , \mathbf {r}, \mathbf {b})\) in the above without changing the joint distribution. Now, observe that \(\mathbf {k} (0, \mathbf {r}, \mathbf {b}) = \sum _{d \in [1, m_2]} \mathbf {k} _d(0, r_d,\) \(\mathbf {b})\) and \(\mathbf {k} (m_2 \alpha , \mathbf {r}, \mathbf {b}) = \sum _{d \in [1, m_2]} \mathbf {k} _d(\alpha , r_d, \mathbf {b})\) symbolically. Therefore, the two distributions in (4) are identical.    \(\square \)
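To make Definitions 2 and 3 concrete, the following Python is an added example (not code from the paper) that instantiates the textbook pair encoding for the equality predicate, i.e. IBE, which this page does not spell out and which is therefore an assumption of the example: \(\mathbf {c}(\mathbf {s}, \mathbf {b}) = (s, s b_1 + x s b_2)\), \(\mathbf {k}(\alpha , \mathbf {r}, \mathbf {b}) = (\alpha + r_1 b_1 + y r_1 b_2, r_1)\), \(\mathbf {E} = \mathrm {diag}(1,-1)\), so \(n = 2\), \(w_2 = 0\), \(m_2 = 1\). Polynomials are dictionaries from monomials to coefficients in \(\mathbb {Z} _N\). `pair_product` checks the correctness condition \(\sum _{t,\ell } E_{t,\ell } k_t c_\ell = \alpha s\) symbolically, and `statistical_distance` enumerates all values of \(s, b_1, b_2, r_1, \alpha \) for a tiny prime N to compute the exact statistical distance between the two sides of Eq. (3) with the zero-output \(\mathsf {Samp}\) of Lemma 1 (with \(m_2 = 1\) the sum has a single term). For \(x \ne y\) the distance is \((N-1)/N^2\), coming entirely from the event \(r_1 = 0\); it vanishes as N grows, which is exactly why Definition 3 speaks of ensembles indexed by N rather than of one identical distribution. For \(x = y\) the distance is large, as it must be if decryption works.

```python
"""Toy check of Definition 3 for the textbook pair encoding of the equality
(IBE) predicate.  Added example, not the paper's code; the encoding itself is
not given on this page and is an assumption of this example."""
from collections import Counter
from fractions import Fraction
from itertools import product

# A polynomial over Z_N is a dict {monomial: coefficient}; a monomial is a
# sorted tuple of variable names, e.g. ('b1', 's') stands for s*b_1.
def poly_add(p, q, N):
    out = dict(p)
    for mono, coef in q.items():
        out[mono] = (out.get(mono, 0) + coef) % N
    return {m: c for m, c in out.items() if c}

def poly_scale(p, a, N):
    return {m: (c * a) % N for m, c in p.items() if (c * a) % N}

def poly_mul(p, q, N):
    out = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            mono = tuple(sorted(m1 + m2))
            out[mono] = (out.get(mono, 0) + c1 * c2) % N
    return {m: c for m, c in out.items() if c}

def poly_eval(p, env, N):
    total = 0
    for mono, coef in p.items():
        term = coef
        for v in mono:
            term = term * env[v] % N
        total = (total + term) % N
    return total

# Equality predicate P(x, y) = [x == y] with n = 2, w_2 = 0, m_2 = 1:
#   c(s, b)        = (s, s b_1 + x s b_2)
#   k(alpha, r, b) = (alpha + r_1 b_1 + y r_1 b_2, r_1)
# Every monomial has one of the forms EncC / EncK are allowed to produce.
def enc_c(x, N):
    return [{('s',): 1}, {('b1', 's'): 1, ('b2', 's'): x % N}]

def enc_k(y, N):
    return [{('alpha',): 1, ('b1', 'r1'): 1, ('b2', 'r1'): y % N}, {('r1',): 1}]

def pair(x, y, N):
    return [[1, 0], [0, N - 1]]   # E is m_1 x w_1 = 2 x 2; -1 is written as N-1

def pair_product(x, y, N):
    """Symbolic sum_{t,l} E_{t,l} k_t c_l; correctness of the encoding says
    this equals alpha*s whenever P(x, y) = 1."""
    c, k, E = enc_c(x, N), enc_k(y, N), pair(x, y, N)
    total = {}
    for t, k_t in enumerate(k):
        for l, c_l in enumerate(c):
            if E[t][l]:
                total = poly_add(total, poly_scale(poly_mul(k_t, c_l, N), E[t][l], N), N)
    return total

def statistical_distance(x, y, N):
    """Exact statistical distance between {c(s,b), k(0,r,b)} and
    {c(s,b), k(alpha,r,b)} for uniform s, b_1, b_2, r_1, alpha in Z_N.
    With m_2 = 1 and the zero-output Samp of Lemma 1 this is Eq. (3)."""
    c, k = enc_c(x, N), enc_k(y, N)
    dist = [Counter(), Counter()]
    for s, b1, b2, r1, alpha in product(range(N), repeat=5):
        env = {'s': s, 'b1': b1, 'b2': b2, 'r1': r1}
        view_c = tuple(poly_eval(p, env, N) for p in c)
        for which, a in enumerate((0, alpha)):
            env['alpha'] = a
            dist[which][view_c + tuple(poly_eval(p, env, N) for p in k)] += 1
    total = N ** 5                      # both tables hold N^5 samples
    return sum((abs(Fraction(dist[0][v] - dist[1][v], total))
                for v in set(dist[0]) | set(dist[1])), Fraction(0)) / 2

if __name__ == '__main__':
    N = 7   # tiny prime so the 5-variable enumeration stays small
    print(pair_product(3, 3, N), pair_product(3, 4, N))
    print(statistical_distance(3, 4, N), statistical_distance(3, 3, N))
```

Running it with N = 7 gives \(\{\alpha s\}\) for \(x = y\) and an extra \(r_1 b_2 s\) term for \(x \ne y\); the distances are \(6/49\) for \(x \ne y\) and \(258/343\) for \(x = y\). Replacing `pair` by a matrix that also pairs \(k_1\) with \(c_2\) shows immediately, through `pair_product`, which monomials fail to cancel.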

4 Dual System Groups

Our construction of predicate encryption schemes from pair encodings is based on dual system groups (\(\mathsf {DSG}\)), introduced by Chen and Wee [14] in a recent work. Our formulation of \(\mathsf {DSG}\), given below, can be seen as a generalization of theirs. However, as we will show, both their instantiations satisfy the new properties without making any changes.

A dual system group is parameterized by a security parameter \(\lambda \) and a number n. It consists of six \(\mathsf {PPT}\) algorithms as described below.

4.1 Syntax

  • \(\mathsf {SampP} (1^\lambda , 1^n)\): On input \(1^\lambda \) and \(1^n\), \(\mathsf {SampP}\) outputs public parameters \(\textsc {pp}\) and secret parameters \(\textsc {sp}\), which have the following properties:

    • \(\textsc {pp}\) contains a triple of groups \((\mathbb {G}, \mathbb {H}, \mathbb {G}_T)\) and a non-degenerate bilinear map \(e : \mathbb {G} \times \mathbb {H} \rightarrow \mathbb {G}_T \), a homomorphism \(\mu \) from \(\mathbb {H}\) to \(\mathbb {G}_T\), along with some additional parameters used by \(\mathsf {SampG}\), \(\mathsf {SampH}\). Given \(\textsc {pp}\), we know the exponent of group \(\mathbb {H}\) and how to sample uniformly from it. Let \(N = \exp (\mathbb {H})\) (see Sect. 2). We require that N is a product of distinct primes of \(\varTheta (\lambda )\) bits.

    • \(\textsc {sp}\) contains \(\tilde{h} \in \mathbb {H} \) (where \(\tilde{h} \ne 1_{\mathbb {H}}\)) along with additional parameters used by \(\overline{\mathsf {SampG}}\) and \(\overline{\mathsf {SampH}}\).

  • \(\mathsf {SampGT}\) takes an element in the image of \(\mu \) and outputs another element from \(\mathbb {G}_T\).

  • \(\mathsf {SampG}\) and \(\mathsf {SampH}\) take \(\textsc {pp}\) as input and output a vector of \(n+1\) elements from \(\mathbb {G}\) and \(\mathbb {H}\) respectively.

  • \(\overline{\mathsf {SampG}}\) and \(\overline{\mathsf {SampH}}\) take both \(\textsc {pp}\) and \(\textsc {sp}\) as inputs and output a vector of \(n+1\) elements from \(\mathbb {G}\) and \(\mathbb {H}\) respectively.

4.2 Properties

We require that all the properties below hold for every \(\textsc {pp}\) and \(\textsc {sp}\) output by \(\mathsf {SampP}\). Let \(\mathsf {SampG}_0\) be the algorithm that outputs only the first element of \(\mathsf {SampG}\). Analogously, \(\mathsf {SampH}_0\), \(\overline{\mathsf {SampG}}_0\) and \(\overline{\mathsf {SampH}}_0\) can be defined. A dual system group is correct if it satisfies the following two properties (Footnote 5):

Projective: For all \(h \in \mathbb {H} \) and coin tosses \(\sigma \), \(\mathsf {SampGT} (\mu (h); \sigma ) = e(\mathsf {SampG}_0 (\textsc {pp}; \sigma ), h)\).

Associative: If \((g_0, g_1, \ldots , g_n)\) and \((h_0, h_1, \ldots , h_n)\) are samples from \(\mathsf {SampG} (\textsc {pp})\) and \(\mathsf {SampH} (\textsc {pp})\) respectively, then for all \(i \in [1,n]\), \(e(g_0, h_i) = e(g_i, h_0)\).

For security we require the following three properties to hold:

Orthogonality: \(\tilde{h} \in \mathsf {Kernel} (\mu )\), i.e., \(\mu (\tilde{h}) = 1_{\mathbb {G}_T}\).

Non-degeneracy:

  1. \(\overline{\mathsf {SampH}}_0 (\textsc {pp}, \textsc {sp}) \cong \tilde{h} ^\delta \), where \(\delta \leftarrow _R\mathbb {Z} _N\).

  2. \(\exists \) \(\tilde{g} \in \mathbb {G} \) s.t. \(\overline{\mathsf {SampG}}_0 (\textsc {pp}, \textsc {sp}) \cong \tilde{g} ^\alpha \), where \(\alpha \leftarrow _R\mathbb {Z} _N\).

  3. For all \(\hat{g}_0 \leftarrow \overline{\mathsf {SampG}}_0 (\textsc {pp}, \textsc {sp})\), \(e(\hat{g}_0, \tilde{h})^{\beta }\) is uniformly distributed over \(\mathbb {G}_T\), where \(\beta \leftarrow _R\mathbb {Z} _N\).

(Here \(\cong \) denotes statistical indistinguishability.)

Remark 1

In [14], the non-degeneracy property is defined in a slightly different way. First, instead of the first point above, they require that for all \(\hat{h}_0 \leftarrow \overline{\mathsf {SampH}}_0 (\textsc {pp}, \textsc {sp})\), \(\tilde{h}\) lies in the group generated by \(\hat{h}_0\). Secondly, they do not place any constraint on the output of \(\overline{\mathsf {SampG}}_0 (\textsc {pp}, \textsc {sp})\) as in the second point above. The third property, though, is also present in their definition (Footnote 6).

Indistinguishability. For two (positive) polynomials \(\mathsf {poly} _1(\cdot )\) and \(\mathsf {poly} _2(\cdot )\), define \(\mathbf {G}, \mathbf {H}, \mathbf {\hat{G}}, \mathbf {\hat{H}}, \mathbf {\hat{G}} ', \mathbf {\hat{H}} '\) as follows:

$$\begin{aligned} (\textsc {pp}, \textsc {sp}) \leftarrow \mathsf {SampP} (1^\lambda , 1^n); \quad \gamma _1, \gamma _2, \ldots , \gamma _n \leftarrow _R\mathbb {Z} _N; \end{aligned}$$
$$\begin{aligned} \mathbf {g} _1, \mathbf {g} _2, \dots , \mathbf {g} _{\mathsf {poly} _1(\lambda )} \leftarrow \mathsf {SampG} (\textsc {pp}); \mathbf {G} := (\mathbf {g} _1, \mathbf {g} _2, \dots , \mathbf {g} _{\mathsf {poly} _1(\lambda )}); \end{aligned}$$
$$\begin{aligned} \mathbf {h} _1, \mathbf {h} _2, \dots , \mathbf {h} _{\mathsf {poly} _2(\lambda )} \leftarrow \mathsf {SampH} (\textsc {pp}); \mathbf {H} := (\mathbf {h} _1, \mathbf {h} _2, \dots , \mathbf {h} _{\mathsf {poly} _2(\lambda )}); \end{aligned}$$
$$\begin{aligned} \forall i \in [1, \mathsf {poly} _1(\lambda )], \quad \mathbf {\hat{g}} _i := (\hat{g}_{i,0}, \ldots ) \leftarrow \overline{\mathsf {SampG}} (\textsc {pp}, \textsc {sp}); \quad \mathbf {\hat{g}} '_i := (1, \hat{g}^{\gamma _1}_{i,0}, \hat{g}^{\gamma _2}_{i,0}, \ldots , \hat{g}^{\gamma _n}_{i,0}) \end{aligned}$$
$$\begin{aligned} \forall j \in [1, \mathsf {poly} _2(\lambda )], \quad \mathbf {\hat{h}} _j := (\hat{h}_{j,0}, \ldots ) \leftarrow \overline{\mathsf {SampH}} (\textsc {pp}, \textsc {sp}); \quad \mathbf {\hat{h}} '_j := (1, \hat{h}^{\gamma _1}_{j,0}, \hat{h}^{\gamma _2}_{j,0}, \ldots , \hat{h}^{\gamma _n}_{j,0}) \end{aligned}$$
$$\begin{aligned} \mathbf {\hat{G}} := (\mathbf {\hat{g}} _1, \mathbf {\hat{g}} _2, \dots , \mathbf {\hat{g}} _{\mathsf {poly} _1(\lambda )}); \mathbf {\hat{H}} := (\mathbf {\hat{h}} _1, \mathbf {\hat{h}} _2, \dots , \mathbf {\hat{h}} _{\mathsf {poly} _2(\lambda )}); \end{aligned}$$
$$\begin{aligned} \mathbf {\hat{G}} ' := (\mathbf {\hat{g}} '_1, \mathbf {\hat{g}} '_2, \dots , \mathbf {\hat{g}} '_{\mathsf {poly} _1(\lambda )}); \mathbf {\hat{H}} ' := (\mathbf {\hat{h}} '_1, \mathbf {\hat{h}} '_2, \dots , \mathbf {\hat{h}} '_{\mathsf {poly} _2(\lambda )}). \end{aligned}$$

We call a dual system group Left Subgroup Indistinguishable (\(\mathsf {LSI}\)), Right Subgroup Indistinguishable (\(\mathsf {RSI}\)) and Parameter hiding (\(\mathsf {PH}\)) if for all polynomials \(\mathsf {poly} _1(\cdot )\) and \(\mathsf {poly} _2(\cdot )\),

$$\begin{aligned} \{ \textsc {pp}, \mathbf {G} \}&\approx \{ \textsc {pp}, \mathbf {G} \cdot \mathbf {\hat{G}} \}, \end{aligned}$$
(5)
$$\begin{aligned} \{ \textsc {pp}, \tilde{h}, \mathbf {G} \cdot \mathbf {\hat{G}}, \mathbf {H} \}&\approx \{ \textsc {pp}, \tilde{h}, \mathbf {G} \cdot \mathbf {\hat{G}}, \mathbf {H} \cdot \mathbf {\hat{H}} \}, \text {and} \end{aligned}$$
(6)
$$\begin{aligned} \{ \textsc {pp}, \tilde{h}, \mathbf {\hat{G}}, \mathbf {\hat{H}} \}&\equiv \{ \textsc {pp}, \tilde{h}, \mathbf {\hat{G}} \cdot \mathbf {\hat{G}} ', \mathbf {\hat{H}} \cdot \mathbf {\hat{H}} ' \} \end{aligned}$$
(7)

hold respectively. Observe that the two distributions in (5) and (6) are computationally indistinguishable, while the two distributions in (7) are identical.

Instantiations of \(\mathsf {DSG}\). The three indistinguishability properties defined above are generalizations of the corresponding ones in Chen and Wee [14]. In the full version we show that the two instantiations of \(\mathsf {DSG}\) given by [14] – in composite-order groups under the subgroup decision assumption and in prime-order groups under the decisional linear assumption (\(d\text {-}\mathsf {LIN}\)) – satisfy our generalized indistinguishability properties as well as our new definition of non-degeneracy.

Remark 2

In the prime-order instantiation of dual system groups under the \(d\text {-}\mathsf {LIN}\) assumption given by [14], an element from groups \(\mathbb {G}\) or \(\mathbb {H}\) is represented by \(d+1\) elements from a source prime-order group (an element from \(\mathbb {G}_T\) is mapped to just one element of a target prime-order group). Now, suppose we have an encryption scheme in dual system groups where the ciphertext/key consists of elements from \(\mathbb {G}\) or \(\mathbb {H}\) (and possibly an element from \(\mathbb {G}_T\)). Then, a concrete instantiation in prime-order groups would only double the size of ciphertext/key, if we make the \(\mathsf {SXDH}\) assumption (special case of \(d\text {-}\mathsf {LIN}\) with \(d=1\)), and only triple it if we make the \(\mathsf {DLIN}\) assumption (special case of \(d\text {-}\mathsf {LIN}\) with \(d=2\)).

5 Predicate Encryption from Pair Encodings

In this section, we show how to construct a predicate encryption scheme \(\varPi _P = (\mathsf {Setup}, \mathsf {Encrypt},\) \(\mathsf {KeyGen}, \mathsf {Decrypt})\) for any predicate family \(P = \{P_\kappa \}_{\kappa \in \mathbb {N} ^c}\) for which we have a pair encoding scheme \(\varGamma _P = (\mathsf {Param}, \mathsf {EncC}, \mathsf {EncK}, \mathsf {Pair})\), using dual system groups. The message space for \(\varPi _P\) would be the target group in \(\mathsf {DSG}\). Recall that \(\kappa \) specifies a number \(N \in \mathbb {N} \) and some additional parameters \(\mathsf {par}\).

  • \(\mathsf {Setup} (1^\lambda , \mathsf {par})\): First run \(\mathsf {Param} (\mathsf {par})\) to obtain n, then run \(\mathsf {SampP} (1^\lambda , 1^n)\) to obtain \(\textsc {pp}\) and \(\textsc {sp}\). Recall that given \(\textsc {pp}\), we know the exponent of group \(\mathbb {H}\) and can sample uniformly from it. Output

    $$\begin{aligned} \textsc {msk} \leftarrow _R\mathbb {H} \qquad \textsc {mpk}:= (\textsc {pp}, \mu (\textsc {msk})). \end{aligned}$$

    Set \(N = \exp (\mathbb {H})\) and \(\kappa = (N, \mathsf {par})\).

  • \(\mathsf {Encrypt} (\textsc {mpk}, x, m)\): On input an \(x \in \mathcal {X} _\kappa \) and an \(m \in \mathbb {G}_T \), run \(\mathsf {EncC} (x, N)\) to obtain a sequence of \(w_1\) polynomials \((c_1, c_2, \ldots , c_{w_1})\) and a \(w_2 \in \mathbb {N} \). Draw \(w_2+1\) samples from \(\mathsf {SampG}\):

    $$\begin{aligned} (g_{0,0}, \ldots , g_{0,n}) \leftarrow \mathsf {SampG} (\textsc {pp}; \sigma ) \end{aligned}$$
    $$\begin{aligned} (g_{1,0}, \ldots , g_{1,n}) \leftarrow \mathsf {SampG} (\textsc {pp}), \ldots , (g_{w_2,0}, \ldots , g_{w_2,n}) \leftarrow \mathsf {SampG} (\textsc {pp}), \end{aligned}$$

    where \(\sigma \) denotes the coin tosses used in drawing the first sample from \(\mathsf {SampG}\). Recall that the polynomial \(c_{\ell }\) is given by

    $$\begin{aligned} \zeta _{\ell } s \quad + \quad \sum _{i \in [1,w_2]} \eta _{\ell , i} s_i \quad + \quad \sum _{j \in [1,n]} \theta _{\ell , j} s b_j \quad + \sum _{i \in [1,w_2], j \in [1,n]} \vartheta _{\ell , i, j} s_i b_j, \end{aligned}$$

    where \(\zeta _{\ell }, \eta _{\ell , i}, \theta _{\ell , j}, \vartheta _{\ell , i, j} \in \mathbb {Z} _N\) are constants. Output \(\textsc {ct}:= (\textsc {ct} _1, \ldots , \textsc {ct} _{w_1}, \textsc {ct} _{w_1+1})\) as the encryption of m under x where

    $$\begin{aligned} \textsc {ct} _{\ell } \quad := \quad g_{0,0}^{\zeta _{\ell }} \quad \cdot \quad \prod _{i \in [1,w_2]} g_{i,0}^{\eta _{\ell , i}} \quad \cdot \quad \prod _{j \in [1,n]} g_{0,j}^{\theta _{\ell , j}} \quad \cdot \quad \prod _{i \in [1,w_2], j \in [1,n]} g_{i,j}^{\vartheta _{\ell , i, j}} \end{aligned}$$

    for \(\ell \in [1, w_1]\) and \(\textsc {ct} _{w_1+1} := m \cdot \mathsf {SampGT} (\mu (\textsc {msk}); \sigma ).\) Notice that the monomials s, \(s_i\), \(s b_j\), and \(s_i b_j\) are mapped to group elements \(g_{0,0}\), \(g_{i,0}\), \(g_{0,j}\), and \(g_{i,j}\), respectively.

  • \(\mathsf {KeyGen} (\textsc {mpk}, \textsc {msk}, y)\): On input a \(y \in \mathcal {Y} _\kappa \), run \(\mathsf {EncK} (y, N)\) to obtain a sequence of \(m_1\) polynomials \((k_1, k_2, \ldots , k_{m_1})\) and an \(m_2 \in \mathbb {N} \). Draw \(m_2\) samples from \(\mathsf {SampH}\):

    $$\begin{aligned} (h_{1,0}, \ldots , h_{1,n}) \leftarrow \mathsf {SampH} (\textsc {pp}), \ldots , (h_{m_2,0}, \ldots , h_{m_2,n}) \leftarrow \mathsf {SampH} (\textsc {pp}). \end{aligned}$$

    Output the key as \(\textsc {sk} := (\textsc {sk} _{1}, \textsc {sk} _{2}, \ldots , \textsc {sk} _{m_1})\) where for \(t \in [1, m_1]\)

    $$\begin{aligned} \textsc {sk} _{t} \quad := \quad \textsc {msk} ^{\tau _{t}} \quad \cdot \quad \prod _{i' \in [1,m_2]} h_{i',0}^{\upsilon _{t, i'}} \quad \cdot \quad \prod _{i' \in [1,m_2], j \in [1,n]} h_{i',j}^{\phi _{t, i', j}}. \end{aligned}$$

    In this case, the variables \(\alpha \), \(r_{i'}\), and \(r_{i'} b_j\) are mapped to \(\textsc {msk} \), \(h_{i',0}\), and \(h_{i',j}\), respectively.

  • \(\mathsf {Decrypt} (\textsc {mpk}, \textsc {sk} _y, \textsc {ct} _x)\): On input \(\textsc {sk} _y := (\textsc {sk} _{1}, \textsc {sk} _{2}, \ldots , \textsc {sk} _{m_1})\) and \(\textsc {ct} _x := (\textsc {ct} _{1}, \ldots , \textsc {ct} _{w_1+1})\), run \(\mathsf {Pair} (x, y, N)\) to obtain an \(m_1 \times w_1\) matrix \(\mathbf {E} \). Output

    $$\begin{aligned} \textsc {ct} _{w_1+1} \cdot \left[ \prod _{t \in [1,m_1], \ell \in [1, w_1]} e(\textsc {ct} _{\ell }, \textsc {sk} _{t}^{E_{t,\ell }}) \right] ^{-1}. \end{aligned}$$

Correctness (Sketch). We know that if \(P_\kappa (x,y) = 1\), then \(\sum _{t \in [1,m_1], \ell \in [1, w_1]} E_{t,\ell } k_{t} c_{\ell } = \alpha s\). Consider two polynomials \(k_{t}\) and \(c_{\ell }\). When these polynomials are multiplied together, no two monomials – one from \(k_{t}\) and one from \(c_{\ell }\) – combine to give the same monomial in the product polynomial \(k_{t} c_{\ell }\), except when

  • s is multiplied with \(r_{i'}b_{j}\) and \(sb_{j}\) is multiplied with \(r_{i'}\), or

  • \(s_i\) is multiplied with \(r_{i'}b_{j}\) and \(s_{i}b_{j}\) is multiplied with \(r_{i'}\),

because of the restriction on the form of \(\mathbf {E} \). Now, s is mapped to \(g_{0,0}\), \(r_{i'}b_{j}\) is mapped to \(h_{i',j}\), \(sb_{j}\) is mapped to \(g_{0,j}\) and \(r_{i'}\) is mapped to \(h_{i',0}\). By the associativity property of dual system groups, we know that \( e(g_{0,0}, h_{i',j}) = e(g_{0,j}, h_{i',0}). \) Further, we mapped \(s_i\) to \(g_{i,0}\) and \(s_{i}b_{j}\) to \(g_{i,j}\), and associativity guarantees that \( e(g_{i,0}, h_{i',j}) = e(g_{i,j}, h_{i',0}). \) Therefore, from the observations above, it follows that

$$\begin{aligned} \prod _{t \in [1,m_1], \ell \in [1, w_1]} e(\textsc {ct} _{\ell }, \textsc {sk} _{t}^{E_{t,\ell }}) = e(g_{0,0}, \textsc {msk}). \end{aligned}$$

Finally, by the projective property we know that \(e(g_{0,0}, \textsc {msk}) = \mathsf {SampGT} (\mu (\textsc {msk}); \sigma )\).
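The following Python is an added example (not the paper's or [14]'s code) that runs \(\mathsf {Setup}\), \(\mathsf {Encrypt}\), \(\mathsf {KeyGen}\) and \(\mathsf {Decrypt}\) exactly as written above, using the equality (IBE) pair encoding \(c = (s, s b_1 + x s b_2)\), \(k = (\alpha + r_1 b_1 + y r_1 b_2, r_1)\), \(\mathbf {E} = \mathrm {diag}(1,-1)\), which the page does not give and is therefore an assumption, expressed through the coefficient tables \(\zeta , \eta , \theta , \vartheta \) and \(\tau , \upsilon , \phi \) of the polynomial forms shown in \(\mathsf {Encrypt}\) and \(\mathsf {KeyGen}\). To stay dependency-free it works at the exponent level: every element of \(\mathbb {G}\), \(\mathbb {H}\) and \(\mathbb {G}_T\) is represented by its exponent in \(\mathbb {Z} _N\) (a placeholder prime \(N = 2^{61}-1\)), so the group operation is addition, exponentiation is multiplication and the pairing \(e(g^a, h^b) = g_T^{ab}\) is multiplication. \(\mathsf {SampG}\) and \(\mathsf {SampH}\) follow the shape \((g^s, g^{s b_1}, \ldots , g^{s b_n})\) and \((h^r, h^{r b_1}, \ldots , h^{r b_n})\). This exposes exactly the exponents a real dual system group hides, so the code checks only the bookkeeping of the correctness sketch (the monomial-to-element mapping, the associative and projective properties, and the \(\mathbf {E}\)-weighted pairing product) and says nothing about security.

```python
"""Exponent-level walk-through of the Sect. 5 construction for the equality
(IBE) pair encoding.  Added example, not the paper's code.  Elements of G, H
and G_T are represented by their exponents in Z_N, so the group operation is
addition, exponentiation is multiplication and the pairing e(g^a, h^b) = g_T^{ab}
is multiplication.  A real dual system group hides these exponents; here they
are in the clear, so the code checks only the bookkeeping of the formulas."""
import secrets

N = 2**61 - 1   # placeholder prime modulus standing in for N = exp(H)
n = 2           # Param(par) for the IBE encoding: two parameters b_1, b_2

def rand():
    return secrets.randbelow(N)

def samp_g(pp):
    """SampG(pp): (g^s, g^{s b_1}, ..., g^{s b_n}) in exponent form; the
    exponent s doubles as the coin toss sigma."""
    s = rand()
    return [s] + [s * bj % N for bj in pp]

def samp_h(pp):
    """SampH(pp): (h^r, h^{r b_1}, ..., h^{r b_n}) in exponent form."""
    r = rand()
    return [r] + [r * bj % N for bj in pp]

def mu(h):
    """mu(h) = e(g, h); in exponent form this is h's own exponent, which is
    precisely what the toy cannot hide."""
    return h

def samp_gt(mu_h, sigma):
    """Projective property: SampGT(mu(h); sigma) = e(SampG_0(pp; sigma), h)."""
    return mu_h * sigma % N

def setup():
    """Setup(1^lambda, par): pp holds the b_j, msk <- H, mpk := (pp, mu(msk))."""
    pp = [rand() for _ in range(n)]
    msk = rand()
    return (pp, mu(msk)), msk

def enc_c(x):
    """EncC(x, N) as coefficient tables of c_l = zeta_l s + sum eta s_i
    + sum theta s b_j + sum vartheta s_i b_j:  c_1 = s, c_2 = s b_1 + x s b_2."""
    zeta = [1, 0]                   # w_1 = 2 polynomials
    eta = [[], []]                  # w_2 = 0: no s_i variables
    theta = [[0, 0], [1, x % N]]    # theta[l][j]
    vartheta = [[], []]             # vartheta[l][i][j]
    return zeta, eta, theta, vartheta

def enc_k(y):
    """EncK(y, N): k_1 = alpha + r_1 b_1 + y r_1 b_2, k_2 = r_1 (m_2 = 1)."""
    tau = [1, 0]                    # coefficient of alpha in k_t
    upsilon = [[0], [1]]            # upsilon[t][i'] for r_{i'}
    phi = [[[1, y % N]], [[0, 0]]]  # phi[t][i'][j] for r_{i'} b_j
    return tau, upsilon, phi

def pair(x, y):
    """Pair(x, y, N): E = diag(1, -1), so sum E k c = alpha s + (y - x) r_1 b_2 s."""
    return [[1, 0], [0, N - 1]]

def encrypt(mpk, x, m):
    pp, mu_msk = mpk
    zeta, eta, theta, vartheta = enc_c(x)
    w1, w2 = len(zeta), len(eta[0])
    g = [samp_g(pp) for _ in range(w2 + 1)]   # g[i][j] plays g_{i,j}
    ct = []
    for l in range(w1):                        # ct_l: s -> g_{0,0}, s b_j -> g_{0,j}, ...
        exp = zeta[l] * g[0][0]
        exp += sum(eta[l][i] * g[i + 1][0] for i in range(w2))
        exp += sum(theta[l][j] * g[0][j + 1] for j in range(n))
        exp += sum(vartheta[l][i][j] * g[i + 1][j + 1] for i in range(w2) for j in range(n))
        ct.append(exp % N)
    ct.append((m + samp_gt(mu_msk, g[0][0])) % N)   # ct_{w_1+1} = m * SampGT(mu(msk); sigma)
    return ct

def keygen(mpk, msk, y):
    pp, _ = mpk
    tau, upsilon, phi = enc_k(y)
    m1, m2 = len(tau), len(upsilon[0])
    h = [samp_h(pp) for _ in range(m2)]        # h[i][j] plays h_{i+1,j}
    sk = []
    for t in range(m1):                        # sk_t: alpha -> msk, r_{i'} -> h_{i',0}, r_{i'} b_j -> h_{i',j}
        exp = tau[t] * msk
        exp += sum(upsilon[t][i] * h[i][0] for i in range(m2))
        exp += sum(phi[t][i][j] * h[i][j + 1] for i in range(m2) for j in range(n))
        sk.append(exp % N)
    return sk

def decrypt(sk, ct, x, y):
    E = pair(x, y)
    m1, w1 = len(E), len(E[0])
    # e(ct_l, sk_t^{E_{t,l}}) has exponent E_{t,l} ct_l sk_t; the product over
    # (t, l) adds exponents and the trailing inverse negates the sum.
    acc = sum(E[t][l] * ct[l] * sk[t] for t in range(m1) for l in range(w1))
    return (ct[w1] - acc) % N

def associativity_holds(pp):
    """Associative property: e(g_0, h_i) = e(g_i, h_0) for all i in [1, n]."""
    g, h = samp_g(pp), samp_h(pp)
    return all(g[0] * h[i] % N == g[i] * h[0] % N for i in range(1, n + 1))

def roundtrip(x, y, m):
    """Encrypt m under x, derive a key for y, decrypt; equals m iff x == y."""
    mpk, msk = setup()
    return decrypt(keygen(mpk, msk, y), encrypt(mpk, x, m), x, y)

if __name__ == "__main__":
    print(roundtrip(42, 42, 12345) == 12345, roundtrip(42, 43, 12345) == 12345)
```

With \(x = y\) the pairing product collapses to the exponent \(s\alpha \), i.e. \(e(g_{0,0}, \textsc {msk})\), and the message is recovered; with \(x \ne y\) the leftover \((y-x) s r_1 b_2\) term scrambles it. Changing `enc_c`, `enc_k` and `pair` to any other encoding of the allowed monomial form exercises the same `encrypt`/`keygen`/`decrypt` code unchanged, which is the point of Remark 3: ciphertext and key sizes are \(w_1 + 1\) and \(m_1\), whatever the predicate.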

Remark 3

(Preserving Size). Observe that the output of \(\mathsf {Encrypt}\) consists of \(w_1+1\) elements, \(w_1\) from \(\mathbb {G}\) and 1 from \(\mathbb {G}_T\), where \(w_1\) is the number of polynomials output by \(\mathsf {EncC}\). Further, any key has the same number of elements from \(\mathbb {H}\) as the number of polynomials output by \(\mathsf {EncK}\). Hence, in particular, if \(w_1\) (resp. \(m_1\)) is a constant then ciphertexts (resp. keys) are also of constant size, in terms of dual system group elements. Further, if we instantiate dual system groups in prime-order groups under the \(\mathsf {SXDH}\) or \(\mathsf {DLIN}\) assumption, then the ciphertexts (resp. keys) are still of constant size (see Remark 2).

6 Proof of Security

In this section, we show that the encryption scheme \(\varPi _P\) constructed for a predicate family \(P = \{P_\kappa \}_{\kappa \in \mathbb {N} ^c}\) in the previous section is secure using the properties of dual system groups and relaxed perfect security of pair encoding schemes. More formally, we prove the following theorem.

Theorem 1

For any predicate family \(P = \{P_\kappa \}_{\kappa \in \mathbb {N} ^c}\), if \(\varGamma _P = (\mathsf {Param}, \mathsf {EncC},\) \(\mathsf {EncK}, \mathsf {Pair})\) is a relaxed perfectly secure pair encoding scheme, then the encryption scheme \(\varPi _P = (\mathsf {Setup}, \mathsf {Encrypt},\) \(\mathsf {KeyGen}, \mathsf {Decrypt})\) constructed in Sect. 5 (using \(\varGamma _P\)) is semi-adaptively secure. Furthermore, if the algorithm \(\mathsf {Samp}\) does not depend on input x, then \(\varPi _P\) is fully secure (see Definition 1).

Using Lemma 1, a corollary of the above theorem is that:

Corollary 1

For any predicate family \(P = \{P_\kappa \}_{\kappa \in \mathbb {N} ^c}\), if \(\varGamma _P = (\mathsf {Param}, \mathsf {EncC}, \mathsf {EncK}, \mathsf {Pair}, \mathsf {Samp})\) is a perfectly secure pair encoding scheme, then the encryption scheme \(\varPi _P = (\mathsf {Setup}, \mathsf {Encrypt}, \mathsf {KeyGen}, \mathsf {Decrypt})\) constructed in Sect. 5 (using \(\varGamma _P\)) is fully secure.

Recall that dual system groups can be instantiated in prime-order groups under the \(d\text {-}\mathsf {LIN}\) assumption. Together with the above corollary, this gives a useful and interesting result:

Corollary 2

Every perfectly secure pair encoding scheme proposed by Attrapadung [2] has a fully secure predicate encryption scheme in prime-order groups under the \(d\text {-}\mathsf {LIN}\) assumption.

The rest of this section is devoted to the proof of Theorem 1. We first define auxiliary algorithms for encryption and key generation.

  • \(\overline{\mathsf {Encrypt}} (\textsc {pp}, x, m; (\mathbf {g} '_0, \mathbf {g} '_1, \ldots , \mathbf {g} '_{w_2}), \textsc {msk})\): This algorithm is the same as \(\mathsf {Encrypt}\) except that it uses the input \(\mathbf {g} '_i \in \mathbb {G} ^{n+1}\) instead of choosing samples \(\mathbf {g} _i\) from \(\mathsf {SampG}\) for \(i \in [0, w_2]\), and sets \(\textsc {ct} _{w_1+1} := m \cdot e(g'_{0,0}, \textsc {msk})\), where \(g'_{0,0}\) is the first element of the vector \(\mathbf {g} '_0\).

  • \(\overline{\mathsf {KeyGen}} (\textsc {pp}, \textsc {msk}, y; (\mathbf {h} '_1, \ldots , \mathbf {h} '_{m_2}))\): This algorithm is the same as \(\mathsf {KeyGen}\) except that it uses \(\mathbf {h} '_{i}\) instead of the samples \(\mathbf {h} _{i}\) from \(\mathsf {SampH}\) for \(i \in [1, m_2]\).

Using these algorithms, we define alternate forms for the ciphertext and master secret key:

  • Semi-functional master secret key is defined to be \(\overline{\textsc {msk}}:= \textsc {msk} \cdot \tilde{h} ^\beta \) where \(\beta \leftarrow _R\mathbb {Z} _N\).

  • Semi-functional ciphertext is given by \(\overline{\mathsf {Encrypt}} (\textsc {pp}, x, m; \mathbf {G} \cdot \mathbf {\hat{G}}, \textsc {msk})\) where \(\mathbf {g} _1, \mathbf {g} _2, \dots , \mathbf {g} _{w_2} \leftarrow \mathsf {SampG} (\textsc {pp})\), \(\mathbf {\hat{g}} _1, \mathbf {\hat{g}} _2, \ldots , \mathbf {\hat{g}} _{w_2} \leftarrow \overline{\mathsf {SampG}} (\textsc {pp}, \textsc {sp})\), \(\mathbf {G} := (\mathbf {g} _1, \mathbf {g} _2, \dots , \mathbf {g} _{w_2})\), and \(\mathbf {\hat{G}} := (\mathbf {\hat{g}} _1, \mathbf {\hat{g}} _2, \dots , \mathbf {\hat{g}} _{w_2})\). Observe that \(\overline{\mathsf {Encrypt}} (\textsc {pp}, x, m; \mathbf {G}, \textsc {msk})\) is identically distributed to \(\mathsf {Encrypt} (\textsc {mpk}, x, m)\) – the normal ciphertext – by the projective property of dual system groups.

Table 1 defines various forms of keys for \(\rho \in [1, m_2]\) and the inputs that need to be passed to \(\overline{\mathsf {KeyGen}} \) (besides \(\textsc {pp}\) and y) in order to generate them. Intermediate-3 and SF-intermediate-3 keys are also defined for \(\rho =0\) (SF stands for semi-functional). In the table, \(\mathbf {h} _1, \ldots , \mathbf {h} _{m_2} \leftarrow \mathsf {SampH} (\textsc {pp})\), \(\mathbf {\hat{h}} _1, \ldots , \mathbf {\hat{h}} _{m_2} \leftarrow \overline{\mathsf {SampH}} (\textsc {pp}, \textsc {sp})\), and \(\mathbf {z} _d := (1, z_{d,1}, \ldots , z_{d,n})\), where \((z_{d,1}, \ldots , z_{d,n}) \leftarrow \mathsf {Samp} (d, x, y, N)\) for all \(d \in [1,m_2]\). For convenience in the following, we define a slightly modified form of \(\mathsf {Samp}\), called \(\overline{\mathsf {Samp}}\), which just prepends 1 to the output of \(\mathsf {Samp}\). Note that 0-Intermediate-3 is distributed identically to a normal key and 0-SF-intermediate-3 is distributed identically to an SF noisy key. Since we have many forms of keys, we use a box (where appropriate) to highlight the part of a key which differs from the previous key.

Table 1. Various types of keys

Proof Structure: The novelty in our proof is that instead of working at the level of a key, we work at the level of samples that form the key. Let \(\xi \) denote the number of queries made by the adversary, and let \(y_{\varphi }\) denote the \(\varphi \)th query for \(\varphi \in [1, \xi ]\). Further, let \(m_{2, \varphi }\) be the second output of \(\mathsf {EncK} (y_{\varphi }, N)\). We define the following hybrids for \(\varphi \in [1, \xi ]\) and \(\rho \in [1,m_{2, \varphi }]\) (fix any \(b \in \{0,1\}\)).

  • \(\mathsf {Hyb} _0\): This is the real security game \(\mathsf {Expt}^{(b)}_{\mathcal {A},\varPi _P}(\lambda , \mathsf {par})\) described in Sect. 2.1.

  • \(\mathsf {Hyb} _1\): This game is the same as the above except that the ciphertext is semi-functional.

  • \(\mathsf {Hyb} _{2, \varphi , i, \rho }\) for \(i \in \{1,2,3\}\): This game is the same as the above except that the first \(\varphi -1\) keys are semi-functional, the \(\varphi \)th key is of the form \(\rho \)-intermediate-i, and the rest of the keys are normal.

  • \(\mathsf {Hyb} _{2, \varphi , 4}\): This game is the same as the above except that the \(\varphi \)th key is Pseudo-normal noisy.

  • \(\mathsf {Hyb} _{2, \varphi , 5}\): This game is the same as the above except that the \(\varphi \)th key is Pseudo-SF noisy.

  • \(\mathsf {Hyb} _{2, \varphi , 6}\): This game is the same as the above except that the \(\varphi \)th key is SF noisy.

  • \(\mathsf {Hyb} _{2, \varphi , i, \rho }\) for \(i \in \{7,8,9\}\): This game is the same as the above except that the \(\varphi \)th key is of the form \(\rho \)-SF-intermediate-\((i-6)\).

  • \(\mathsf {Hyb} _3\): This game is the same as \(\mathsf {Hyb} _{2, \xi , 9, m_{2, \xi }}\) except that the ciphertext is a semi-functional encryption of a random message in \(\mathbb {G}_T\).

Table 2. An outline of the proof structure.

Our goal is to show that \(\mathsf {Hyb} _0\) and \(\mathsf {Hyb} _3\) are computationally indistinguishable from each other, for both values of the bit b used by \(\mathsf {Chl}\) in the security game \(\mathsf {Expt}^{(b)}_{\mathcal {A},\varPi _P}(\lambda , \mathsf {par})\). Since \(\mathsf {Chl}\) encrypts a random message in \(\mathsf {Hyb} _3\), there would be no way for a \(\mathsf {PPT}\) adversary to tell whether \(m_0\) or \(m_1\) was encrypted. This would imply that \(\varPi _P\) is a secure encryption scheme.

Our proof proceeds as follows. We first show that \(\mathsf {Hyb} _0\) and \(\mathsf {Hyb} _1\) are computationally indistinguishable due to the left subgroup indistinguishability (\(\mathsf {LSI}\)) property of dual system groups; this takes the ciphertext from normal to semi-functional space (the form of the ciphertext doesn’t change after this step). After that, we take the keys one by one from normal to semi-functional space by going through a series of hybrids. We show that \(\mathsf {Hyb} _{2,1,3,0}\) (or, equivalently, \(\mathsf {Hyb} _1\)) is computationally indistinguishable from \(\mathsf {Hyb} _{2,1,9,m_{2,1}}\) by following the steps shown in Table 2 for \(\varphi = 1\); this makes the first key semi-functional while keeping the rest of the keys unchanged. Then, we show that \(\mathsf {Hyb} _{2,2,3,0}\) (or, equivalently, \(\mathsf {Hyb} _{2,1,9,m_{2,1}}\)) is computationally indistinguishable from \(\mathsf {Hyb} _{2,2,9,m_{2,2}}\) by once again following the steps shown in Table 2, but now for \(\varphi = 2\); as a result, the second key also moves into the semi-functional space. We continue in the same fashion till all the keys are in the semi-functional space, i.e., we are in the hybrid \(\mathsf {Hyb} _{2,\xi ,9,m_{2,\xi }}\). The last step of the proof is to show that \(\mathsf {Hyb} _{2,\xi ,9,m_{2,\xi }}\) and \(\mathsf {Hyb} _3\) are statistically close to each other.

We formally prove the indistinguishability of hybrids that require relaxed perfect security, our new information-theoretic notion of security, in Lemmas 2 and 3 below, but defer the other proofs to the full version because they follow directly from the properties of dual system groups in a manner similar to Chen and Wee’s security proof for HIBE [14].

Remark 4

(Full vs. Semi-adaptive Security). In transitioning from \(\mathsf {Hyb} _{2,\varphi ,1,\rho }\) to \(\mathsf {Hyb} _{2,\varphi ,2,\rho }\) in Lemma 2, we add randomness using the algorithm \(\overline{\mathsf {Samp}}\) to the \(\rho \)-th sample of the \(\varphi \)-th key. Observe that if \(\overline{\mathsf {Samp}}\) depends on input x, then this transition can only take place if x is known before any key queries are issued. Therefore, in this case, we can prove semi-adaptive security. On the other hand, if \(\overline{\mathsf {Samp}}\) does not depend on x, then we get full security (and as shown in Lemma 1, this is the case for all of the perfectly secure pair encoding schemes of [2]).

Remark 5

(Perfectly Secure Encodings). Recall from the proof of Lemma 1 that for any perfectly secure pair encoding scheme, we can define a dummy sampling algorithm that always outputs a vector of 0s. When this is the case, the security proof can be considerably simplified: we could directly go from \(\mathsf {Hyb} _1\) to \(\mathsf {Hyb} _{2,\varphi , 4}\) and also from \(\mathsf {Hyb} _{2,\varphi ,5}\) to \(\mathsf {Hyb} _{2,\varphi ,9, m_{2,\varphi }}\) using right subgroup indistinguishability.

Remark 6

(Cost of Our Reduction). There are many complex predicates for which we do not know any perfectly secure pair encoding schemes. But if one can design a scheme that is relaxed perfectly secure, then we show that an encryption scheme can be derived from it, which is secure under standard assumptions. The reduction cost of our security proof, however, is higher than usual: if an adversary makes \(\xi \) queries and \(m_2\) is the maximum number of samples used in any key, then the cost is \(O(\xi \cdot m_2)\). For instance, this cost only depends on the number of pre-challenge queries in the case of Attrapadung’s computationally secure encodings (Theorem 1 in [2]). Note, however, that computational security of the encoding itself is proved under q-type assumptions.

Lemma 2

For every \(\varphi \in [1, \xi ]\) and \(\rho \in [1,m_{2, \varphi }]\), \(\mathsf {Hyb} _{2, \varphi , 1, \rho } \cong \mathsf {Hyb} _{2, \varphi , 2, \rho }\).

Proof

Given \(\textsc {pp}, \textsc {msk} \) and \(\tilde{h} \), one can generate \(\textsc {mpk}\) and every key except the \(\varphi \)th (because in order to generate this key and the ciphertext, we need to be able to sample from \(\overline{\mathsf {SampH}} \) and \(\overline{\mathsf {SampG}} \), for which secret parameters \(\textsc {sp} \) are required). Hence, it suffices to show that the following two distributions are statistically close (for clarity, we omit \(\varphi \) in the following):

$$\begin{aligned} \{ \textsc {pp},&\textsc {msk}, \tilde{h}, \overline{\mathsf {Encrypt}} (\textsc {pp}, x, m; \mathbf {G} \cdot \mathbf {\hat{G}}, \textsc {msk}), \\&\overline{\mathsf {KeyGen}} (\textsc {pp}, \textsc {msk}, y; (\mathbf {h} _1 \cdot \tilde{h} ^{\mathbf {z} _1}, \ldots , \mathbf {h} _{\rho -1} \cdot \tilde{h} ^{\mathbf {z} _{\rho -1}}, \mathbf {h} _\rho \cdot \mathbf {\hat{h}} _\rho , \mathbf {h} _{\rho +1}, \ldots , \mathbf {h} _{m_2})) \}, \end{aligned}$$
$$\begin{aligned}&\{ \textsc {pp}, \textsc {msk}, \tilde{h}, \overline{\mathsf {Encrypt}} (\textsc {pp}, x, m; \mathbf {G} \cdot \mathbf {\hat{G}}, \textsc {msk}), \\&\overline{\mathsf {KeyGen}} (\textsc {pp}, \textsc {msk}, y; (\mathbf {h} _1 \cdot \tilde{h} ^{\mathbf {z} _1}, \ldots , \mathbf {h} _{\rho -1} \cdot \tilde{h} ^{\mathbf {z} _{\rho -1}}, \mathbf {h} _\rho \cdot \mathbf {\hat{h}} _\rho \cdot \tilde{h} ^{\mathbf {z} _{\rho }}, \mathbf {h} _{\rho +1}, \ldots , \mathbf {h} _{m_2})) \}. \end{aligned}$$

But observe that:

$$\begin{aligned} \overline{\mathsf {Encrypt}} (\textsc {pp}, x, m; \mathbf {G} \cdot \mathbf {\hat{G}}, \textsc {msk}) = \overline{\mathsf {Encrypt}} (\textsc {pp}, x, m; \mathbf {G}, \textsc {msk}) \cdot \overline{\mathsf {Encrypt}} (\textsc {pp}, x, 1; \mathbf {\hat{G}}, \textsc {msk}), \end{aligned}$$

because of the way \(\mathsf {Encrypt} \) and \(\mathsf {KeyGen} \) are defined and bilinearity of e (see the construction in Sect. 5). The first component on the right hand side of each of the above equations can be generated given \(\textsc {pp}, \textsc {msk} \) and \(\tilde{h} \). Hence, we only need to focus on the second components, i.e., it is enough to show that the following two distributions are statistically close:

$$\begin{aligned} \{ \textsc {pp}, \textsc {msk}, \tilde{h}, \overline{\mathsf {Encrypt}} (\textsc {pp}, x, 1; \mathbf {\hat{G}}, \textsc {msk}), \overline{\mathsf {KeyGen}} (\textsc {pp}, 1, y; (1, \ldots , 1, \mathbf {\hat{h}} _\rho , 1, \ldots , 1)) \}, \end{aligned}$$
(8)
$$\begin{aligned} \{ \textsc {pp}, \textsc {msk}, \tilde{h}, \overline{\mathsf {Encrypt}} (\textsc {pp}, x, 1; \mathbf {\hat{G}}, \textsc {msk}), \overline{\mathsf {KeyGen}} (\textsc {pp}, 1, y; (1, \ldots , 1, \mathbf {\hat{h}} _\rho \cdot \tilde{h} ^{\mathbf {z} _{\rho }}, 1, \ldots , 1)) \}. \end{aligned}$$
(9)

Let us focus on the first distribution between the two above. By the parameter-hiding property of dual system groups we know that \(\{ \textsc {pp}, \tilde{h}, \mathbf {\hat{G}}, \mathbf {\hat{h}} _{\rho } \}\) and \(\{ \textsc {pp}, \tilde{h}, \mathbf {\hat{G}} \cdot \mathbf {\hat{G}} ', \mathbf {\hat{h}} _{\rho } \cdot \mathbf {\hat{h}} '_{\rho } \}\) are identically distributed. Hence (8) is identically distributed to

$$\begin{aligned} \{ \textsc {pp}, \textsc {msk}, \tilde{h}, \overline{\mathsf {Encrypt}} (\textsc {pp}, x, 1; \mathbf {\hat{G}} \cdot \mathbf {\hat{G}} ', \textsc {msk}), \overline{\mathsf {KeyGen}} (\textsc {pp}, 1, y; (1, \ldots , 1, \mathbf {\hat{h}} _{\rho } \cdot \mathbf {\hat{h}} '_{\rho }, 1, \ldots , 1)) \}. \end{aligned}$$
(10)

Let \(\hat{\textsc {ct}} := (\hat{\textsc {ct}}_1, \ldots , \hat{\textsc {ct}}_{w_1+1})\) and \(\hat{\textsc {sk}} := (\hat{\textsc {sk}}_1, \ldots , \hat{\textsc {sk}}_{m_1})\) denote the output of \(\overline{\mathsf {Encrypt}}\) and \(\overline{\mathsf {KeyGen}}\) respectively. We know that for \(\ell \in [1, w_1]\),

$$\begin{aligned} \hat{\textsc {ct}}_{\ell } \quad = \quad \hat{g}_{0,0}^{\zeta _{\ell }} \quad \cdot \quad \prod _{i \in [1,w_2]} \hat{g}_{i,0}^{\eta _{\ell , i}} \quad \cdot \quad \prod _{j \in [1,n]} (\hat{g}_{0,j} \cdot \hat{g}_{0,0}^{\gamma _j})^{\theta _{\ell , j}} \quad \cdot \prod _{i \in [1,w_2], j \in [1,n]} (\hat{g}_{i,j} \cdot \hat{g}_{i,0}^{\gamma _j})^{\vartheta _{\ell , i, j}}, \end{aligned}$$

where \((\hat{g}_{i,0}, \ldots , \hat{g}_{i,n}) \leftarrow \overline{\mathsf {SampG}} (\textsc {pp}, \textsc {sp})\) for \(i \in [0, w_2]\) and \(\gamma _1, \ldots , \gamma _n \leftarrow _R\mathbb {Z} _N\). Also, \(\hat{\textsc {ct}}_{w_1+1} = e(\hat{g}_{0,0}, \textsc {msk})\). Using the non-degeneracy property of dual system groups, we can write \(\hat{g}_{0,0}\) and \(\hat{g}_{i,0}\) as \(\tilde{g} ^{\delta }\) and \(\tilde{g} ^{\delta _i}\) respectively, for \(i \in [1, w_2]\), where \(\delta , \delta _1, \ldots , \delta _{w_2} \leftarrow _R\mathbb {Z} _N\). Then we consider \(\hat{g}_{0,j}\) (and \(\hat{g}_{i,j}\)) for \(j=1,\ldots , n\) to be values sampled from \(\overline{\mathsf {SampG}} \) conditioned on the value of \(\hat{g}_{0,0}\) (resp. \(\hat{g}_{i,0}\)). (These values may not be efficiently sampleable.) Therefore, we have

$$\begin{aligned} \hat{\textsc {ct}}_{\ell } \quad = \quad \tilde{g} ^{ \zeta _{\ell } \delta + \sum _{{i \in [1,w_2]}} \eta _{\ell , i} \delta _i + \sum _{j \in [1,n]} \theta _{\ell , j} \delta \gamma _j + \sum _{i \in [1,w_2], j \in [1,n]} \vartheta _{\ell , i, j} \delta _i \gamma _j } \cdot \\ \nonumber \prod _{j \in [1,n]} \hat{g}_{0,j}^{\theta _{\ell , j}} \quad \cdot \quad \prod _{i \in [1,w_2], j \in [1,n]} \hat{g}_{i,j}^{\vartheta _{\ell , i, j}} \end{aligned}$$
(11)

Shifting our focus to the key, we know that its \(t \)th component is given by

$$\begin{aligned} \hat{\textsc {sk}}_{t} \quad = \quad \hat{h}_{\rho ,0}^{\upsilon _{t, \rho }} \quad \cdot \quad \prod _{j \in [1,n]} (\hat{h}_{\rho ,j} \cdot \hat{h}_{\rho ,0}^{\gamma _j})^{\phi _{t, \rho , j}}, \end{aligned}$$

for \(t \in [1, m_1]\), where \((\hat{h}_{\rho ,0}, \ldots , \hat{h}_{\rho ,n}) \leftarrow \overline{\mathsf {SampH}} (\textsc {pp}, \textsc {sp})\). Using non-degeneracy once again, we can write \(\hat{h}_{\rho ,0}\) as \(\tilde{h} ^{\omega }\) for an \(\omega \leftarrow _R\mathbb {Z} _N\), and consider \(\hat{h}_{\rho ,j}\) for \(j=1,\ldots , n\) to be sampled from \(\overline{\mathsf {SampH}} \) conditioned on the value of \(\hat{h}_{\rho ,0}\). Hence,

$$\begin{aligned} \hat{\textsc {sk}}_{t} \quad = \quad \tilde{h} ^{ \upsilon _{t, \rho } \omega + \sum _{j \in [1,n]} \phi _{t, \rho , j} \omega \gamma _j} \quad \cdot \quad \prod _{j \in [1,n]} \hat{h}_{\rho ,j}^{\phi _{t, \rho , j}}. \end{aligned}$$
(12)

Now, observe the superscripts of \(\tilde{g} \) and \(\tilde{h} \) in (11) and (12) respectively (over \(\ell \in [1,w_1]\) and \(t \in [1,m_1]\)). We know that \(\delta , \delta _1, \ldots , \delta _{w_2}\), \(\gamma _1, \ldots , \gamma _n\) and \(\omega \) are randomly chosen from \(\mathbb {Z} _N\). Hence, we can use the first property (2) of relaxed perfect security to add noise to the \(\rho \)-th sample used in the key. But the problem is that in any sample drawn from \(\overline{\mathsf {SampG}}\) and \(\overline{\mathsf {SampH}}\), elements of the sample may depend on each other. In particular \(\hat{g}_{0,j}\) may reveal some information about \(\delta \), and similarly for \(\hat{g}_{i, j}\) and for \(\hat{h}_{\rho ,j}\), so we must ensure that (2) applies even given this information. Recall the discussion on structural restrictions after the definition of pair encoding schemes. We know that if \(\vartheta _{\ell ,i,j} \ne 0\) for any \(\ell \in [1,w_1]\) and \(j \in [1,n]\) (otherwise, we don’t need to worry about \(\hat{g}_{i, j}\)), then \(\delta _i\) is an explicit part of the encoding output by \(\mathsf {EncC} \). Similarly, if \(\phi _{t, \rho , j} \ne 0\) for any \(t \in [1,m_1]\) and \(j \in [1,n]\), then \(\omega \) is an explicit part of the encoding output by \(\mathsf {EncK} \). Further, \(\delta \) is always explicit. Therefore, given a sample from either of the distributions in (2), one can compute the first element of the samples from \(\overline{\mathsf {SampG}}\) and \(\overline{\mathsf {SampH}}\), and then draw the rest of the elements conditioned on the first ones.

In a nutshell, we can apply (2) to conclude that the distribution

$$\begin{aligned} \{ \textsc {pp}, \textsc {msk}, \tilde{h}, (\hat{\textsc {ct}}_1, \ldots , \hat{\textsc {ct}}_{w_1+1}), (\hat{\textsc {sk}}_1, \ldots , \hat{\textsc {sk}}_{m_1}) \} \end{aligned}$$

is statistically close to

$$\begin{aligned} \{ \textsc {pp}, \textsc {msk}, \tilde{h}, (\hat{\textsc {ct}}_1, \ldots , \hat{\textsc {ct}}_{w_1+1}), (\tilde{\textsc {sk}}_1, \ldots , \tilde{\textsc {sk}}_{m_1}) \}, \end{aligned}$$

where

$$\begin{aligned} \tilde{\textsc {sk}}_{t} \quad&:= \quad \tilde{h} ^{ \upsilon _{t, \rho } \omega + \sum _{j \in [1,n]} \phi _{t, \rho , j} \omega (\gamma _j + z_j)} \quad \cdot \quad \prod _{j \in [1,n]} \hat{h}_{\rho ,j}^{\phi _{t, \rho , j}} \\ \quad&= \quad \tilde{h} ^{ \upsilon _{t, \rho } \omega + \sum _{j \in [1,n]} \phi _{t, \rho , j} \omega \gamma _j} \quad \cdot \quad \prod _{j \in [1,n]} (\hat{h}_{\rho ,j} \cdot \tilde{h} ^{\omega z_j})^{\phi _{t, \rho , j}}, \end{aligned}$$

for \(t \in [1,m_1]\), and \(\mathbf {z} _\rho = (z_1, \ldots , z_n) \leftarrow \mathsf {Samp} (\rho , x, y, N)\). We use the fact that \(\delta \) is always explicit to generate the \(w_1+1\)th component of the ciphertext.

Observe that the only difference between \(\hat{\textsc {sk}}_{t}\) and \(\tilde{\textsc {sk}}_{t}\) is that an extra \(\tilde{h} ^{\omega z_j}\) is multiplied with \(\hat{h}_{\rho ,j}\) in the latter case. Hence, the key \((\tilde{\textsc {sk}}_1, \ldots , \tilde{\textsc {sk}}_{m_1})\) can be generated by giving \(\mathbf {\hat{h}} _\rho \cdot \mathbf {\hat{h}} '_\rho \cdot \tilde{h} ^{\mathbf {z} _{\rho }}\) as the \(\rho \)-th sample to \(\overline{\mathsf {KeyGen}}\) (\(\mathbf {z} _{\rho }\) has the same distribution as \(\omega \cdot \mathbf {z} _{\rho }\) since \(\omega \in \mathbb {Z} ^*_N\) with high probability). Therefore, (10) is statistically close to

$$\begin{aligned} \{ \textsc {pp}, \textsc {msk}, \tilde{h}, \overline{\mathsf {Encrypt}} (\textsc {pp}, x, 1; \mathbf {\hat{G}} \cdot \mathbf {\hat{G}} ', \textsc {msk}), \overline{\mathsf {KeyGen}} (\textsc {pp}, 1, y; (1, \ldots ,&1, \mathbf {\hat{h}} _{\rho } \cdot \mathbf {\hat{h}} '_{\rho } \cdot \tilde{h} ^{\mathbf {z} _{\rho }}, \\&1, \ldots , 1)). \end{aligned}$$

Using parameter-hiding once again, we can show that the above distribution is identical to

$$\begin{aligned} \{ \textsc {pp}, \textsc {msk}, \tilde{h}, \overline{\mathsf {Encrypt}} (\textsc {pp}, x, 1; \mathbf {\hat{G}}, \textsc {msk}), \overline{\mathsf {KeyGen}} (\textsc {pp}, 1, y; (1, \ldots , 1, \mathbf {\hat{h}} _{\rho } \cdot \tilde{h} ^{\mathbf {z} _{\rho }}, 1, \ldots , 1)), \end{aligned}$$

which completes the proof.    \(\square \)

The above proof can be easily adapted to show that \(\mathsf {Hyb} _{2, \varphi , 7, \rho } \cong \mathsf {Hyb} _{2, \varphi , 8, \rho }\). In this case, we want that the two distributions

$$\begin{aligned} \,\,\,&\{ \textsc {pp}, \textsc {msk}, \tilde{h}, \overline{\mathsf {Encrypt}} (\textsc {pp}, x, m; \mathbf {G} \cdot \mathbf {\hat{G}}, \textsc {msk}), \\&\overline{\mathsf {KeyGen}} (\textsc {pp}, \overline{\textsc {msk}}, y; (\mathbf {h} _1, \ldots , \mathbf {h} _{\rho -1}, \mathbf {h} _\rho \cdot \mathbf {\hat{h}} _\rho \cdot \tilde{h} ^{\mathbf {z} _{\rho }}, \mathbf {h} _{\rho +1} \cdot \tilde{h} ^{\mathbf {z} _{\rho +1}}, \ldots , \mathbf {h} _{m_2} \cdot \tilde{h} ^{\mathbf {z} _{m_2}})) \}, \end{aligned}$$
$$\begin{aligned} \{\textsc {pp}&, \textsc {msk}, \tilde{h}, \overline{\mathsf {Encrypt}} (\textsc {pp}, x, m; \mathbf {G} \cdot \mathbf {\hat{G}}, \textsc {msk}), \\&\overline{\mathsf {KeyGen}} (\textsc {pp}, \overline{\textsc {msk}}, y; (\mathbf {h} _1, \ldots , \mathbf {h} _{\rho -1}, \mathbf {h} _\rho \cdot \mathbf {\hat{h}} _\rho , \mathbf {h} _{\rho +1} \cdot \tilde{h} ^{\mathbf {z} _{\rho +1}}, \ldots , \mathbf {h} _{m_2} \cdot \tilde{h} ^{\mathbf {z} _{m_2}})) \}. \end{aligned}$$

are indistinguishable from each other. Observe that the only difference now is that we have \(\overline{\textsc {msk}}\) instead of \(\textsc {msk}\), and noise is present in the samples \(\rho +1, \ldots , n\) instead of \(1, \ldots , \rho -1\). So, we can split \(\overline{\mathsf {Encrypt}}\) and \(\overline{\mathsf {KeyGen}}\) in a way similar to the above proof, and once again it suffices to show that exactly the distributions in (8) and (9) are indistinguishable.

Lemma 3

For every \(\varphi \in [1, \xi ]\), \(\mathsf {Hyb} _{2, \varphi , 4} \cong \mathsf {Hyb} _{2, \varphi , 5}\).

Proof

This proof proceeds in a manner similar to the proof of Lemma 2. To begin with, we observe as before that given \(\textsc {pp}, \textsc {msk} \) and \(\tilde{h} \), one can generate \(\textsc {mpk}\) and every key except the \(\varphi \)th (for clarity, we omit \(\varphi \) below). Hence, it suffices to show that the distribution

$$\begin{aligned} \{ \textsc {pp}, \textsc {msk}, \tilde{h}, \overline{\mathsf {Encrypt}} (\textsc {pp}, x, m; \mathbf {G} \cdot \mathbf {\hat{G}}, \textsc {msk}), \overline{\mathsf {KeyGen}} (\textsc {pp},&\textsc {msk}, y; (\mathbf {h} _1 \cdot \mathbf {\hat{h}} _1 \cdot \tilde{h} ^{\mathbf {z} _1}, \ldots , \\&\mathbf {h} _{m_2} \cdot \mathbf {\hat{h}} _{m_2} \cdot \tilde{h} ^{\mathbf {z} _{m_2}})) \}, \end{aligned}$$

is statistically close to a distribution where \(\textsc {msk}\) is replaced by \(\overline{\textsc {msk}}\), the semi-functional master secret key. Further,

$$\begin{aligned} \overline{\mathsf {Encrypt}} (\textsc {pp}, x, m; \mathbf {G} \cdot \mathbf {\hat{G}}, \textsc {msk}) = \overline{\mathsf {Encrypt}} (\textsc {pp}, x, m; \mathbf {G}, \textsc {msk}) \cdot \overline{\mathsf {Encrypt}} (\textsc {pp}, x, 1; \mathbf {\hat{G}}, \textsc {msk}), \end{aligned}$$
$$\begin{aligned}&\overline{\mathsf {KeyGen}} (\textsc {pp}, \textsc {msk}, y; (\mathbf {h} _1 \cdot \mathbf {\hat{h}} _1 \cdot \tilde{h} ^{\mathbf {z} _1}, \ldots , \mathbf {h} _{m_2} \cdot \mathbf {\hat{h}} _{m_2} \cdot \tilde{h} ^{\mathbf {z} _{m_2}})) \\ =\,&\overline{\mathsf {KeyGen}} (\textsc {pp}, \textsc {msk}, y; (\mathbf {h} _1, \ldots , \mathbf {h} _{m_2})) \cdot \overline{\mathsf {KeyGen}} (\textsc {pp}, 1, y; (\mathbf {\hat{h}} _1 \cdot \tilde{h} ^{\mathbf {z} _1}, \ldots , \mathbf {\hat{h}} _{m_2} \cdot \tilde{h} ^{\mathbf {z} _{m_2}})), \end{aligned}$$
$$\begin{aligned}&\overline{\mathsf {KeyGen}} (\textsc {pp}, \overline{\textsc {msk}}, y; (\mathbf {h} _1 \cdot \mathbf {\hat{h}} _1 \cdot \tilde{h} ^{\mathbf {z} _1}, \ldots , \mathbf {h} _{m_2} \cdot \mathbf {\hat{h}} _{m_2} \cdot \tilde{h} ^{\mathbf {z} _{m_2}})) \\ =\,&\overline{\mathsf {KeyGen}} (\textsc {pp}, \textsc {msk}, y; (\mathbf {h} _1, \ldots , \mathbf {h} _{m_2})) \cdot \overline{\mathsf {KeyGen}} (\textsc {pp}, \tilde{h} ^{\beta }, y; (\mathbf {\hat{h}} _1 \cdot \tilde{h} ^{\mathbf {z} _1}, \ldots , \mathbf {\hat{h}} _{m_2} \cdot \tilde{h} ^{\mathbf {z} _{m_2}})), \end{aligned}$$

where \(\beta \leftarrow _R\mathbb {Z} _N\). The first component on the right hand side of each of the above equations can be generated given \(\textsc {pp}, \textsc {msk} \) and \(\tilde{h} \). Hence, it is enough to show that the following two distributions are statistically close:

$$\begin{aligned} \{ \textsc {pp}, \textsc {msk}, \tilde{h}, \overline{\mathsf {Encrypt}} (\textsc {pp}, x, 1; \mathbf {\hat{G}}, \textsc {msk}), \overline{\mathsf {KeyGen}} (\textsc {pp}, 1, y; (\mathbf {\hat{h}} _1 \cdot \tilde{h} ^{\mathbf {z} _1}, \ldots , \mathbf {\hat{h}} _{m_2} \cdot \tilde{h} ^{\mathbf {z} _{m_2}})) \}, \end{aligned}$$
(13)
$$\begin{aligned} \{ \textsc {pp}, \textsc {msk}, \tilde{h}, \overline{\mathsf {Encrypt}} (\textsc {pp}, x, 1; \mathbf {\hat{G}}, \textsc {msk}), \overline{\mathsf {KeyGen}} (\textsc {pp}, \tilde{h} ^{\beta }, y; (\mathbf {\hat{h}} _1 \cdot \tilde{h} ^{\mathbf {z} _1}, \ldots , \mathbf {\hat{h}} _{m_2} \cdot \tilde{h} ^{\mathbf {z} _{m_2}})) \}. \end{aligned}$$
(14)

Let us focus on the first distribution between the two above. By the parameter-hiding property of dual system groups, it is identically distributed to

$$\begin{aligned} \{ \textsc {pp}, \textsc {msk}, \tilde{h}, \overline{\mathsf {Encrypt}} (\textsc {pp}, x, 1; \mathbf {\hat{G}} \cdot \mathbf {\hat{G}} ', \textsc {msk}), \overline{\mathsf {KeyGen}} (&\textsc {pp}, 1, y; (\mathbf {\hat{h}} _1 \cdot \mathbf {\hat{h}} '_1 \cdot \tilde{h} ^{\mathbf {z} _1}, \ldots , \\ \nonumber&\mathbf {\hat{h}} _{m_2} \cdot \mathbf {\hat{h}} '_{m_2} \cdot \tilde{h} ^{\mathbf {z} _{m_2}})) \}. \end{aligned}$$
(15)

Let \(\hat{\textsc {ct}} := (\hat{\textsc {ct}}_1, \ldots , \hat{\textsc {ct}}_{w_1+1})\) and \(\hat{\textsc {sk}} := (\hat{\textsc {sk}}_1, \ldots , \hat{\textsc {sk}}_{m_1})\) denote the output of \(\overline{\mathsf {Encrypt}}\) and \(\overline{\mathsf {KeyGen}}\) respectively. We know that for \(\ell \in [1, w_1]\),

$$\begin{aligned} \hat{\textsc {ct}}_{\ell } \quad = \quad \hat{g}_{0,0}^{\zeta _{\ell }} \quad \cdot \quad \prod _{i \in [1,w_2]} \hat{g}_{i,0}^{\eta _{\ell , i}} \quad \cdot \quad \prod _{j \in [1,n]} (\hat{g}_{0,j} \cdot \hat{g}_{0,0}^{\gamma _j})^{\theta _{\ell , j}} \quad \cdot \prod _{i \in [1,w_2], j \in [1,n]} (\hat{g}_{i,j} \cdot \hat{g}_{i,0}^{\gamma _j})^{\vartheta _{\ell , i, j}}, \end{aligned}$$

where \((\hat{g}_{i,0}, \ldots , \hat{g}_{i,n}) \leftarrow \overline{\mathsf {SampG}} (\textsc {pp}, \textsc {sp})\) for \(i \in [0, w_2]\) and \(\gamma _1, \ldots , \gamma _n \leftarrow _R\mathbb {Z} _N\). Using the non-degeneracy property of dual system groups, we can write \(\hat{g}_{0,0}\) and \(\hat{g}_{i,0}\) as \(\tilde{g} ^{\delta }\) and \(\tilde{g} ^{\delta _i}\) respectively, for \(i \in [1, w_2]\), where \(\delta , \delta _1, \ldots , \delta _{w_2} \leftarrow _R\mathbb {Z} _N\). Therefore, we have

$$\begin{aligned} \hat{\textsc {ct}}_{\ell } \quad = \quad \tilde{g} ^{ \zeta _{\ell } \delta + \sum _{{i \in [1,w_2]}} \eta _{\ell , i} \delta _i + \sum _{j \in [1,n]} \theta _{\ell , j} \delta \gamma _j + \sum _{i \in [1,w_2], j \in [1,n]} \vartheta _{\ell , i, j} \delta _i \gamma _j } \cdot \\ \nonumber \prod _{j \in [1,n]} \hat{g}_{0,j}^{\theta _{\ell , j}} \quad \cdot \quad \prod _{i \in [1,w_2], j \in [1,n]} \hat{g}_{i,j}^{\vartheta _{\ell , i, j}} \end{aligned}$$
(16)

Shifting our focus to the key, we know that its \(t \)th component is given by

$$\begin{aligned} \hat{\textsc {sk}}_{t} \quad = \quad \prod _{i' \in [1,m_2]} \hat{h}_{i',0}^{\upsilon _{t, i'}} \quad \cdot \quad \prod _{i' \in [1,m_2], j \in [1,n]} (\hat{h}_{i',j} \cdot \hat{h}_{i',0}^{\gamma _j} \cdot \tilde{h} ^{z_{i',j}})^{\phi _{t, i', j}}, \end{aligned}$$

for \(t \in [1, m_1]\), where \((\hat{h}_{i',0}, \ldots , \hat{h}_{i',n}) \leftarrow \overline{\mathsf {SampH}} (\textsc {pp}, \textsc {sp})\) and \((z_{i',1}, \ldots , z_{i',n}) \leftarrow \mathsf {Samp} (i', x, y, N)\) for \(i' \in [1,m_2]\). Using non-degeneracy once again, we can write \(\hat{h}_{i',0}\) as \(\tilde{h} ^{\omega _{i'}}\) for an \(\omega _{i'} \leftarrow _R\mathbb {Z} _N\). Hence,

$$\begin{aligned} \hat{\textsc {sk}}_{t} \quad&= \quad \tilde{h} ^{ \sum _{i' \in [1,m_2]} \left[ \upsilon _{t, i'} \omega _{i'} + \sum _{j \in [1,n]} \left( \phi _{t, i', j} \omega _{i'} \gamma _j + \phi _{t, i', j} z_{i',j} \right) \right] } \quad \cdot \prod _{i' \in [1,m_2], j \in [1,n]} \hat{h}_{i',j}^{\phi _{t, i', j}} \nonumber \\ \quad&= \quad \tilde{h} ^{ \sum _{i' \in [1,m_2]} \left[ \upsilon _{t, i'} \omega _{i'} + \sum _{j \in [1,n]} \left( \phi _{t, i', j} \omega _{i'} (\gamma _j + z_{i',j}) \right) \right] } \quad \cdot \quad \prod _{i' \in [1,m_2], j \in [1,n]} \hat{h}_{i',j}^{\phi _{t, i', j}} , \end{aligned}$$
(17)

since the distribution of \((z_{i',1}, \ldots , z_{i',n})\) is statistically close to \((\omega _{i'} z_{i',1}, \ldots , \omega _{i'} z_{i',n})\) (with high probability \(\omega _{i'} \in \mathbb {Z} ^*_N\)) for all \(i' \in [1,m_2]\).

Now, observe the superscripts of \(\tilde{g} \) and \(\tilde{h} \) in (16) and (17) respectively (over \(\ell \in [1,w_1]\) and \(t \in [1,m_1]\)). We know that \(\delta , \delta _1, \ldots , \delta _{w_2}\), \(\gamma _1, \ldots , \gamma _n\) and \(\omega _1, \ldots , \omega _{m_2}\) are randomly chosen from \(\mathbb {Z} _N\). Hence, we can use the second property (3) of relaxed perfect security to add noise to the master secret key. (The dependencies between the elements of the samples drawn from \(\overline{\mathsf {SampG}}\) and \(\overline{\mathsf {SampH}}\) can be handled as in the previous proof.) Therefore, we have that the distribution

$$\begin{aligned} \{ \textsc {pp}, \textsc {msk}, \tilde{h}, (\hat{\textsc {ct}}_1, \ldots , \hat{\textsc {ct}}_{w_1+1}), (\hat{\textsc {sk}}_1, \ldots , \hat{\textsc {sk}}_{m_1}) \} \end{aligned}$$

is statistically close to

$$\begin{aligned} \{ \textsc {pp}, \textsc {msk}, \tilde{h}, (\hat{\textsc {ct}}_1, \ldots , \hat{\textsc {ct}}_{w_1+1}), (\tilde{\textsc {sk}}_1, \ldots , \tilde{\textsc {sk}}_{m_1}) \}, \end{aligned}$$

where

$$\begin{aligned} \tilde{\textsc {sk}}_{t} \quad&:= \quad \tilde{h} ^{ \tau _t \beta + \sum _{i' \in [1,m_2]} \left[ \upsilon _{t, i'} \omega _{i'} + \sum _{j \in [1,n]} \left( \phi _{t, i', j} \omega _{i'} (\gamma _j + z_{i',j}) \right) \right] } \quad \cdot \prod _{i' \in [1,m_2], j \in [1,n]} \hat{h}_{i',j}^{\phi _{t, i', j}}, \end{aligned}$$

for \(t \in [1,m_1]\), and \(\beta \leftarrow _R\mathbb {Z} _N\). Observe that the only difference between \(\hat{\textsc {sk}}_{t}\) and \(\tilde{\textsc {sk}}_{t}\) is that an extra \(\tau _t \beta \) is being added to the exponent of \(\tilde{h} \) in the latter case. Hence, the key \((\tilde{\textsc {sk}}_1, \ldots , \tilde{\textsc {sk}}_{m_1})\) can be generated by providing \(\tilde{h} ^{\beta }\) as the master secret key to \(\overline{\mathsf {KeyGen}}\). Therefore, (15) is statistically close to

$$\begin{aligned} \{ \textsc {pp}, \textsc {msk}, \tilde{h}, \overline{\mathsf {Encrypt}} (\textsc {pp}, x, 1; \mathbf {\hat{G}} \cdot \mathbf {\hat{G}} ', \textsc {msk}), \overline{\mathsf {KeyGen}} (\textsc {pp},&\tilde{h} ^{\beta }, y; (\mathbf {\hat{h}} _1 \cdot \mathbf {\hat{h}} '_1 \cdot \tilde{h} ^{\mathbf {z} _1}, \ldots , \\&\mathbf {\hat{h}} _{m_2} \cdot \mathbf {\hat{h}} '_{m_2} \cdot \tilde{h} ^{\mathbf {z} _{m_2}})) \}. \end{aligned}$$

Using parameter-hiding once again, we can show that the above distribution is identical to

$$\begin{aligned} \{ \textsc {pp}, \textsc {msk}, \tilde{h}, \overline{\mathsf {Encrypt}} (\textsc {pp}, x, 1; \mathbf {\hat{G}}, \textsc {msk}), \overline{\mathsf {KeyGen}} (\textsc {pp}, \tilde{h} ^{\beta }, y; (\mathbf {\hat{h}} _1 \cdot \tilde{h} ^{\mathbf {z} _1}, \ldots , \mathbf {\hat{h}} _{m_2} \cdot \tilde{h} ^{\mathbf {z} _{m_2}})) \}, \end{aligned}$$

which completes the proof.    \(\square \)

7 Ciphertext-Policy ABE

In this section, we design a relaxed perfectly secure pair encoding scheme for Ciphertext-Policy Attribute Based Encryption (CP-ABE). The access policy is represented by a linear secret sharing (LSS) scheme \((\mathbf {A}, \pi )\), where \(\mathbf {A} \) is a matrix of size \(n_1 \times n_2\) with entries in \(\mathbb {Z} _N\) and \(\pi \) is a mapping from \([1, n_1]\) to a universe of attributes \(\mathcal {U}\). Let \(\mathbf {a_i} \) denote the ith row of \(\mathbf {A} \) for \(i \in [1, n_1]\). Let \(S \subseteq \mathcal {U} \) be a set of attributes and \(\varUpsilon = \{ i \; | \; i \in [1, n_1], \pi (i) \in S \}\) be the indices of rows in \(\mathbf {A} \) associated with S.

We say that the LSS scheme \((\mathbf {A}, \pi )\) accepts S if \(\mathbf {e} = (1, 0, \ldots , 0)\) lies in the span of rows associated with S (otherwise the scheme rejects S). In other words, if S is acceptable, there exist constants \(\{\varepsilon _i\}_{i \in \varUpsilon }\) such that \(\sum _{i \in \varUpsilon } \varepsilon _i \mathbf {a_i} = \mathbf {e} \). (This set of constants can be easily computed given S.) An interesting property of LSS schemes that will be useful to us later in the proofs is that if \((A,\pi )\) rejects S, then there must exist a vector \(\mathbf {w} = (w_1, \ldots , w_{n_2})\) such that \(\langle \mathbf {w}, \mathbf {a} _i \rangle = 0\) for all \(i \in \varUpsilon \) but \(\langle \mathbf {w}, \mathbf {e} \rangle = 1\). This, in particular, implies that \(w_1 = 1\). (See [7], Claim 2, for a proof of this and other properties below about secret sharing schemes.)

In order to share a secret \(s \in \mathbb {Z} _N\), one picks \(v_2, v_3, \ldots , v_{n_1} \leftarrow _R\mathbb {Z} _N\), and outputs \(\langle \mathbf {a_i}, \mathbf {v} \rangle \) as the ith share for \(i \in [1, n_1]\), where \(\mathbf {v} = (s, v_2, v_3, \ldots , v_{n_1})\). This way of sharing a secret leads to two useful properties:

  • Correctness: For every S accepted by \((\mathbf {A}, \pi )\), every secret \(s \in \mathbb {Z} _N\) and any \(v_2, v_3, \ldots , v_{n_1} \in \mathbb {Z} _N\), \(\sum _{i \in \varUpsilon } \varepsilon _i \langle \mathbf {a_i}, \mathbf {v} \rangle = \langle \mathbf {v}, \sum _{i \in \varUpsilon } \varepsilon _i \mathbf {a_i} \rangle = s\).

  • Privacy: For every S rejected by \((\mathbf {A}, \pi )\), the distribution of \(\{\langle \mathbf {a_i}, \mathbf {v} \rangle \}_{i \in \varUpsilon }\) is independent of the secret s being shared.
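As an added worked example (not part of the paper), the LSS operations just described are implemented below over a prime field: sharing, the accept/reject test via the reconstruction constants \(\varepsilon _i\), and the rejecting vector \(\mathbf {w}\) with \(w_1 = 1\). The modulus is a constructed prime \(p\) standing in for \(N\), the policy is a constructed 2-of-3 threshold matrix, and the names `solve_mod_p`, `shares`, `reconstruction_coeffs` and `rejecting_vector` are this example's own.

```python
"""Linear secret sharing (LSS) over Z_p: sharing, accept/reject test,
reconstruction constants eps_i and the rejecting vector w.

Added example, not the paper's code.  Assumption: a prime modulus p instead
of the paper's composite N (over a prime field every nonzero element is
invertible, which keeps the linear algebra below simple)."""
import random

P = 1_000_003                 # constructed prime modulus (stand-in for N)
A = [[1, 1], [1, 2], [1, 3]]  # constructed 2-of-3 threshold policy, n1 = 3, n2 = 2
PI = ["a", "b", "c"]          # pi(i): attribute attached to row i


def solve_mod_p(M, b, ncols, p):
    """One solution x of M x = b (mod p), or None if the system is inconsistent.
    Gaussian elimination; free variables are set to 0."""
    rows = len(M)
    aug = [[x % p for x in M[i]] + [b[i] % p] for i in range(rows)]
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, rows) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [(x * inv) % p for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    if any(aug[i][ncols] for i in range(r, rows)):   # 0 = nonzero: no solution
        return None
    x = [0] * ncols
    for i, c in enumerate(pivots):
        x[c] = aug[i][ncols]
    return x


def shares(A, secret, p, rng=random):
    """v = (s, v_2, ..., v_{n2}) with fresh randomness; share_i = <a_i, v>."""
    v = [secret % p] + [rng.randrange(p) for _ in range(len(A[0]) - 1)]
    return [sum(a * x for a, x in zip(row, v)) % p for row in A], v


def authorized_rows(pi, S):
    """Upsilon: indices of the rows whose attribute lies in S."""
    return [i for i, attr in enumerate(pi) if attr in S]


def reconstruction_coeffs(A, pi, S, p):
    """{i: eps_i} with sum_i eps_i a_i = e = (1, 0, ..., 0), or None if
    (A, pi) rejects S (e is not in the span of the authorized rows)."""
    ups, n2 = authorized_rows(pi, S), len(A[0])
    M = [[A[i][j] for i in ups] for j in range(n2)]   # A_ups^T, n2 x |ups|
    eps = solve_mod_p(M, [1] + [0] * (n2 - 1), len(ups), p)
    return None if eps is None else dict(zip(ups, eps))


def reconstruct(share_vec, coeffs, p):
    """Correctness property: sum_i eps_i <a_i, v> = <v, e> = s."""
    return sum(coeffs[i] * share_vec[i] for i in coeffs) % p


def rejecting_vector(A, pi, S, p):
    """w with <w, a_i> = 0 for all authorized i and w_1 = 1, which exists
    exactly when S is rejected; None when S is accepted."""
    ups, n2 = authorized_rows(pi, S), len(A[0])
    # <w, a_i> = 0 with w_1 = 1  <=>  sum_{j >= 2} a_{i,j} w_j = -a_{i,1}
    M = [[A[i][j] for j in range(1, n2)] for i in ups]
    tail = solve_mod_p(M, [(-A[i][0]) % p for i in ups], n2 - 1, p)
    return None if tail is None else [1] + tail


def demo():
    """Share, reconstruct with S = {a, b}, then show the privacy mechanism for
    S = {a}: shifting v by w changes the secret but not a's share."""
    rng = random.Random(7)
    secret = 424242
    sh, v = shares(A, secret, P, rng)
    recovered = reconstruct(sh, reconstruction_coeffs(A, PI, {"a", "b"}, P), P)
    w = rejecting_vector(A, PI, {"a"}, P)
    v2 = [(x + y) % P for x, y in zip(v, w)]
    sh2 = [sum(a * x for a, x in zip(row, v2)) % P for row in A]
    return recovered, w, sh[0] == sh2[0], v2[0] == (secret + 1) % P
```

The last two values returned by `demo` are the privacy property in concrete form: for the rejected set \(\{a\}\), two sharing vectors that differ by \(\mathbf {w}\) encode different secrets yet give the authorized row the same share.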

The predicate family for CP-ABE is indexed by \(\kappa = (N, n_1, n_2, \mathcal {U}, T)\). \(\mathcal {X} _{\kappa }\) is the set of all LSS schemes where the matrix is of size \(n_1 \times n_2\) with entries in \(\mathbb {Z} _N\) and the mapping is from \([1, n_1]\) to \(\mathcal {U}\). \(\mathcal {Y} _{\kappa }\) is given by the set \(\{ S \; | \; S \subseteq \mathcal {U}, |S| \le T \}\). For all \(x \in \mathcal {X} _{\kappa }\) and \(y \in \mathcal {Y} _{\kappa }\), \(P_\kappa (x,y) = 1\) if and only if x accepts y. It is clear from our definition of predicate family that there is a bound on the size of matrices and the number of attributes associated with a key. But there are no other restrictions: the size of attribute universe \(\mathcal {U}\) could be arbitrary and \(\pi \) need not be injective. Without loss of generality, we assume \(\mathcal {U}\) to be \(\mathbb {Z} _N\).

We are now ready to design a relaxed perfectly secure pair encoding scheme \(\varPhi _{\mathsf {cp\text{- }abe}} = (\mathsf {Param}, \mathsf {EncC}, \mathsf {EncK}, \mathsf {Pair})\) for the CP-ABE predicate family.

7.1 Pair Encoding Scheme

  • \(\mathsf {Param} (\mathsf {par}) \rightarrow n_1(n_2 + T + 1)\). Let \(\mathbf {b} = ( \{b_{i,j}\}_{i \in [1,n_1], j \in [1,n_2]}, \{b'_{i,t}\}_{i \in [1,n_1], t \in [0,T]} )\).

  • \(\mathsf {EncC} ((A, \pi ), N) \rightarrow \mathbf {c} (\mathbf {s}, \mathbf {b}) := (c_1, c_2)\) where

    $$\begin{aligned} c_1 = s \qquad c_2 = s \left( \sum _{\begin{array}{c} i \in [1,n_1] \\ j \in [1,n_2] \end{array}} a_{i,j} b_{i,j} + \sum _{\begin{array}{c} i \in [1,n_1] \\ t \in [0,T] \end{array}} \pi (i)^t b'_{i,t} \right) \!, \end{aligned}$$

    and \(\mathbf {s} = (s)\), and \(a_{i,j}\) denotes the entry in the ith row and jth column of A.

  • \(\mathsf {EncK} (S, N) \rightarrow \mathbf {k} (\alpha , \mathbf {r}, \mathbf {b}) := ( \{k_{1,i}, k_{2,i,j}, k_{3,i,\ell ,j}, k_{4,i,y}, k_{5,i,\ell ,t} \}_{i, \ell \in [1,n_1], i \ne \ell , j \in [1,n_2], y \in S, t \in [0,T]} )\) where

    $$\begin{aligned} k_{1,i} = r_i \quad k_{2,i,j} = r_i b_{i,j} - v_j \qquad k_{3,i,\ell ,j} = r_i b_{\ell ,j} \end{aligned}$$
    $$\begin{aligned} k_{4,i,y} = r_i \sum _{t \in [0,T]} y^t b'_{i,t} \qquad k_{5,i,\ell ,t} = r_i b'_{\ell , t} \end{aligned}$$

    and \(\mathbf {r} = (r_1, r_2, \ldots , r_{n_1}, v_2, \ldots , v_{n_2})\) and \(v_1 = \alpha \).

We informally discuss how to recover \(\alpha s\) by combining the polynomials generated by \(\mathsf {EncC}\) and \(\mathsf {EncK}\), with an intent to provide some intuition about the scheme, and defer a formal proof to the full version. We can think of \(v_2, v_3, \ldots , v_{n_1}\) as the randomness picked in order to share \(v_1 = \alpha \) according to the scheme \((A, \pi )\). Hence, if we find \(\langle \mathbf {a_i}, \mathbf {v} \rangle \) for all \(i \in \varUpsilon \), we can recover \(\alpha \) (ignore s for now). One could start out by multiplying \(a_{i,j}\) by \(k_{2,i,j}\) and summing over j, for an \(i \in \varUpsilon \). This does give \(\sum _{j} a_{i,j} v_j\) but also produces an extra term \(r_i \sum _{j} a_{i,j} b_{i,j}\) (ignore \(r_i\) for now). We could try to get rid of this term by using \(c_2\) but the product \(a_{i,j} b_{i,j}\) there is also summed over i (since we want \(\mathsf {EncC}\) to produce a constant number of polynomials, we are forced to pack as much into one polynomial as possible). Fortunately, we have the polynomials \(k_{3,i,\ell ,j}\) for \(\ell \ne i\). We can multiply these by \(a_{\ell ,j}\) and remove the unwanted \(a_{i,j} b_{i,j}\) terms. But we are not done yet: we must also remove the term \(\sum _{i,t} \pi (i)^t b'_{i,t}\) left in the mix because we used \(c_2\). If \(\pi (i) \in S\), then this is easy: use \(k_{4,i,\pi (i)}\) to remove \(\sum _{t} \pi (i)^t b'_{i,t}\), and \(k_{5,i,\ell ,t} \cdot \pi (\ell )^t\) to remove the rest. However, if \(\pi (i) \notin S\), there is no way to do this.
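The informal recovery above can be checked concretely. The following added example (not the paper's code) evaluates \(\mathsf {EncC}\) and \(\mathsf {EncK}\) on random values over a prime field and carries out the combination step by step: for each authorized row, \(T_i\) collects the \(k_{2}\), \(k_{3}\), \(k_{4}\) and \(k_{5}\) components that cancel every \(b\) and \(b'\) term of \(c_2\), so that \(c_2 k_{1,i} - c_1 T_i = s \langle \mathbf {a_i}, \mathbf {v} \rangle \), and the \(\varepsilon _i\)-weighted sum of these gives \(\alpha s\). Assumptions: a constructed prime \(p\) in place of \(N\), a constructed 2-of-3 policy with attributes in \(\mathbb {Z} _N\), and the constants \(\varepsilon _i\) supplied by the caller (they depend only on \((A, \pi )\) and S); products of one ciphertext and one key component stand in for what the pairing computes in the exponent. The names `enc_c`, `enc_k`, `pair` and `demo` are this example's own.

```python
"""Evaluate the pair encoding Phi_cp-abe of Sect. 7.1 over Z_p and recover
alpha * s by the bilinear combination sketched in the text.

Added example, not the paper's code.  Assumptions: prime modulus p instead
of the composite N; eps_i supplied by the caller; polynomials evaluated on
concrete values, so each product c_x * k_y is what e(., .) would compute."""
import random

P = 1_000_003                 # constructed prime modulus
A = [[1, 1], [1, 2], [1, 3]]  # constructed 2-of-3 threshold policy (n1 = 3, n2 = 2)
PI = [11, 22, 33]             # pi(i): attributes drawn from U = Z_N as in the text
T = 2                         # bound on |S|
EPS_AB = {0: 2, 1: P - 1}     # eps for S = {11, 22}: 2 * a_1 - a_2 = (1, 0) = e


def enc_c(A, pi, T, s, b, bp, p):
    """EncC((A, pi), N): c_1 = s,
    c_2 = s * (sum_{i,j} a_{i,j} b_{i,j} + sum_{i,t} pi(i)^t b'_{i,t})."""
    n1, n2 = len(A), len(A[0])
    acc = sum(A[i][j] * b[i][j] for i in range(n1) for j in range(n2))
    acc += sum(pow(pi[i], t, p) * bp[i][t] for i in range(n1) for t in range(T + 1))
    return {"c1": s % p, "c2": (s * acc) % p}


def enc_k(S, T, n1, n2, alpha, r, v, b, bp, p):
    """EncK(S, N) with r = (r_1..r_{n1}), v = (v_2..v_{n2}) and v_1 = alpha."""
    vv = [alpha] + list(v)
    k = {}
    for i in range(n1):
        k[("k1", i)] = r[i] % p
        for j in range(n2):
            k[("k2", i, j)] = (r[i] * b[i][j] - vv[j]) % p
        for y in S:                                    # k_{4,i,y} only for y in S
            k[("k4", i, y)] = (r[i] * sum(pow(y, t, p) * bp[i][t]
                                          for t in range(T + 1))) % p
        for ell in range(n1):
            if ell == i:
                continue
            for j in range(n2):
                k[("k3", i, ell, j)] = (r[i] * b[ell][j]) % p
            for t in range(T + 1):
                k[("k5", i, ell, t)] = (r[i] * bp[ell][t]) % p
    return k


def pair(A, pi, T, c, k, eps, p):
    """For each authorized row i:
      T_i = sum_j a_{i,j} k2_{i,j} + sum_{l!=i,j} a_{l,j} k3_{i,l,j}
            + k4_{i,pi(i)} + sum_{l!=i,t} pi(l)^t k5_{i,l,t}
          = r_i * (c_2 / s) - <a_i, v>,
    hence c_2 * k1_i - c_1 * T_i = s * <a_i, v>; the eps-weighted sum of these
    shares is s * v_1 = alpha * s.  k4_{i,pi(i)} exists only if pi(i) in S."""
    n1, n2 = len(A), len(A[0])
    total = 0
    for i, e_i in eps.items():
        t_i = sum(A[i][j] * k[("k2", i, j)] for j in range(n2))
        t_i += sum(A[ell][j] * k[("k3", i, ell, j)]
                   for ell in range(n1) if ell != i for j in range(n2))
        t_i += k[("k4", i, pi[i])]
        t_i += sum(pow(pi[ell], t, p) * k[("k5", i, ell, t)]
                   for ell in range(n1) if ell != i for t in range(T + 1))
        total += e_i * (c["c2"] * k[("k1", i)] - c["c1"] * t_i)
    return total % p


def demo(S=frozenset({11, 22}), seed=1):
    """Random instance under (A, PI); returns (recovered, alpha*s mod p), with
    recovered = None when a required k4 component is missing from the key."""
    rng = random.Random(seed)
    n1, n2 = len(A), len(A[0])
    s, alpha = rng.randrange(P), rng.randrange(P)
    b = [[rng.randrange(P) for _ in range(n2)] for _ in range(n1)]
    bp = [[rng.randrange(P) for _ in range(T + 1)] for _ in range(n1)]
    r = [rng.randrange(1, P) for _ in range(n1)]
    v = [rng.randrange(P) for _ in range(n2 - 1)]
    c = enc_c(A, PI, T, s, b, bp, P)
    k = enc_k(S, T, n1, n2, alpha, r, v, b, bp, P)
    try:
        return pair(A, PI, T, c, k, EPS_AB, P), (alpha * s) % P
    except KeyError:            # pi(i) not in S for some row used by eps
        return None, (alpha * s) % P
```

Calling `demo()` with the authorized set \(\{11, 22\}\) returns two equal values; with `demo(frozenset({11}))` the component \(k_{4,2,\pi (2)}\) is simply absent from the key, which is the "no way to do this" case at the end of the paragraph.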

7.2 Relaxed Perfect Security

We now prove that the pair encoding scheme \(\varPhi _{\mathsf {cp\text{- }abe}}\) designed above is relaxed perfectly secure (Definition 3). Towards this, we first define a sampling algorithm \(\mathsf {Samp}\) as follows. On input an \(i \in [1,n_1]\), \((A,\pi ) \in \mathcal {X} _\kappa \), \(S \in \mathcal {Y} _\kappa \) and N, \(\mathsf {Samp}\) checks whether \(\pi (i) \notin S\). If yes, it picks elements \(\hat{b}_{i,1}, \hat{b}_{i,2}, \ldots , \hat{b}_{i,n_2}\) independently and uniformly from \(\mathbb {Z} _N\); otherwise it picks them uniformly but with the constraint that \(\sum _{j \in [1,n_2]} a_{i,j} \hat{b}_{i,j} = 0\). \(\mathsf {Samp}\) outputs

$$\begin{aligned} \widehat{\mathbf {b}}_i := (\underbrace{0, \ldots , \ldots , \ldots , 0}_{(i-1)n_{2}}, \hat{b}_{i,1}, \hat{b}_{i,2}, \ldots , \hat{b}_{i,n_2}, \underbrace{0, \ldots , \ldots , \ldots , \ldots , 0}_{(n_{1}-i)n_2 + n_1(T+1)}). \end{aligned}$$
(18)

Observe that the output of \(\mathsf {Samp}\) depends on \((A, \pi )\), the input to \(\mathsf {EncC}\). Hence, this sampling algorithm would lead to a semi-adaptively secure scheme.

We consider only those \(N \in \mathbb {N} \) which are a product of distinct primes of \(\varTheta (\lambda )\) bits. This is sufficient for our purposes because the \(\mathsf {Setup}\) algorithm of the generic construction in Sect. 5 defines N of exactly this form. We first show that for all \(i \in [1,n_1]\) and \(N \in \mathbb {N} \),

$$\begin{aligned} \big ( \mathbf {c} (\mathbf {s}, \mathbf {b}), \mathbf {k} _i(0, r_i, \mathbf {b}) \big ) \quad \equiv \quad \big ( \mathbf {c} (\mathbf {s}, \mathbf {b}), \mathbf {k} _i(0, r_i, \mathbf {b} + \widehat{\mathbf {b}}_i) \big ), \end{aligned}$$
(19)

where \(\mathbf {s} \leftarrow _R\mathbb {Z} ^1_N\), \(\mathbf {b} \leftarrow _R\mathbb {Z} ^n_N\), \(r_i \leftarrow _R\mathbb {Z} _N, \widehat{\mathbf {b}}_i \leftarrow \mathsf {Samp} (i,(A,\pi ),S,N)\). Recall that \(\mathbf {k} _i\) denotes the polynomials in \(\mathbf {k} \) obtained by setting all the variables in \(\mathbf {r} = (r_1, r_2, \ldots , r_{n_1}, v_2, \ldots , v_{n_2})\) except the ith to 0. For \(i \in [n_1+1,n_1+n_2-1]\), the only polynomial in \(\mathbf {k} _i\) is \(-v_{i-n_1+1}\), or, more importantly, there is no monomial with any b. Hence, the equation above trivially holds for i in this range irrespective of what \(\mathsf {Samp}\) outputs. (That is why we don’t care about defining \(\mathsf {Samp}\) ’s behavior on such inputs.)

Let us refer to the left and right distributions in Eq. (19) as \(\varDelta _L\) and \(\varDelta _R\) respectively. Fix an arbitrary \(i^* \in [1,n_1]\). By the definition of \(\mathbf {k} _{i^*}\), we know that in these two distributions only those components of the key survive which have subscript \(i^*\). Further, in the components \(k_{2,i^*,1}, \ldots , k_{2,i^*,n_2}\), the variables \(v_1, \ldots , v_{n_2}\) are all set to 0. Now, focus on the distribution \(\varDelta _R\). It is clear from Eq. (18) that the added randomness \(\widehat{\mathbf {b}}_{i^*}\) affects only \(k_{2,i^*,1}, \ldots , k_{2,i^*,n_2}\) components. For \(i \in [1,n_1]\) and \(j \in [1,n_2]\), let \(\delta _{i,j} := b_{i,j}\) if \(i \ne i^*\) and \(\delta _{i^*,j} := b_{i^*,j} + \hat{b}_{i^*,j}\). Since \(b_{i,j}\) are uniformly and independently distributed, so are \(\delta _{i,j}\). The second component of ciphertext encoding, \(c_2\), can now be rewritten as

$$\begin{aligned} s \left( \sum _{\begin{array}{c} i \in [1,n_1] \\ j \in [1,n_2] \end{array}} a_{i,j} \delta _{i,j} - \sum _{j \in [1,n_2]} a_{i^*,j} \hat{b}_{i^*,j} + \sum _{t \in [0,T]} \pi (i^*)^t b'_{i^*,t} + \sum _{\begin{array}{c} i \in [1,n_1], i \ne i^* \\ t \in [0,T] \end{array}} \pi (i)^t b'_{i,t} \right) \!. \end{aligned}$$

Observe that the only difference between \(\varDelta _L\) and \(\varDelta _R\) is that in the latter case there is an additional term \(\mathsf {rand}:= \sum _{j \in [1,n_2]} a_{i^*,j} \hat{b}_{i^*,j}\) in \(c_2\). If \(\pi (i^*) \in S\), then this term is 0 by our choice of \(\mathsf {Samp} \). On the other hand when \(\pi (i^*) \notin S\), we show that \(\sum _{t \in [0,T]} \pi (i^*)^t b'_{i^*,t}\) is an independent uniform random variable over \(\mathbb {Z} _N\), and therefore, the additional term \(\mathsf {rand}\) does not matter. Towards this, consider the polynomial \(f(x) = b'_{i^*,T} \cdot x^T + b'_{i^*,T-1} \cdot x^{T-1} + \ldots + b'_{i^*,0}\). Since \(b'_{i^*,T}, \ldots , b'_{i^*,0}\) are chosen at random, any \(T+1\) distinct points on f(x) are uniformly distributed over \(\mathbb {Z} ^{T+1}_N\). The only components of the key which depend on \(b'_{i^*,T}, \ldots , b'_{i^*,0}\) are \(\{k_{4,i^*,y}\}_{y \in S}\), which could also be rewritten as \(\{r_{i^*}f(y)\}_{y \in S}\). There could be at most T such components because \(|S| \le T\). Therefore, \(\sum _{t \in [0,T]} \pi (i^*)^t b'_{i^*,t} = f(\pi (i^*))\) is independently and uniformly distributed.
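As an added illustration (not the paper's code) of \(\mathsf {Samp}\) and of the two cases just argued, the block below implements \(\mathsf {Samp}\) as in Eq. (18) over a constructed prime field and checks that for \(\pi (i^*) \in S\) the term \(\mathsf {rand}\) vanishes, while for \(\pi (i^*) \notin S\) it exhibits, by Lagrange interpolation, a choice of \(b'_{i^*,0}, \ldots , b'_{i^*,T}\) that agrees with the \(|S| \le T\) key points \(f(y)\), \(y \in S\), and takes any prescribed value at \(\pi (i^*)\). The key components \(k_{4,i^*,y} = r_{i^*} f(y)\) are represented by the values \(f(y)\) themselves (the factor \(r_{i^*}\) is known from \(k_{1,i^*}\)). The names `samp`, `rand_term`, `interpolate` and `bprime_consistent_with` are this example's own.

```python
"""Samp of Sect. 7.2 and the two cases of the argument around Eq. (19).

Added example, not the paper's code.  Assumptions: prime modulus p instead of
the composite N; a constructed 2-of-3 policy; values drawn with a seeded RNG."""
import random

P = 1_000_003
A = [[1, 1], [1, 2], [1, 3]]  # constructed policy, n1 = 3, n2 = 2
PI = [11, 22, 33]             # attributes as elements of Z_N
T = 2                         # bound on |S|


def samp(i, A, pi, S, T, p, rng):
    """Eq. (18): hat b_i is zero outside block i of the b_{i,j} part.  If
    pi(i) not in S the block is uniform; otherwise it is uniform subject to
    sum_j a_{i,j} hat b_{i,j} = 0 (all but one coordinate free, the last solved)."""
    n1, n2 = len(A), len(A[0])
    blk = [rng.randrange(p) for _ in range(n2)]
    if pi[i] in S:
        j0 = next((j for j in range(n2) if A[i][j] % p), None)
        if j0 is not None:                     # a zero row satisfies the constraint trivially
            rest = sum(A[i][j] * blk[j] for j in range(n2) if j != j0)
            blk[j0] = (-rest * pow(A[i][j0], -1, p)) % p
    return [0] * (i * n2) + blk + [0] * ((n1 - i) * n2 + n1 * (T + 1))


def rand_term(A, i, bhat, p):
    """rand = sum_j a_{i,j} hat b_{i,j}: the only change hat b_i makes to c_2."""
    n2 = len(A[0])
    return sum(A[i][j] * bhat[i * n2 + j] for j in range(n2)) % p


def poly_eval(coeffs, x, p):
    """f(x) = sum_t coeffs[t] x^t, i.e. b'_{i,t} indexed by t."""
    return sum(c * pow(x, t, p) for t, c in enumerate(coeffs)) % p


def interpolate(points, p):
    """Lagrange interpolation over Z_p: coefficients (low degree first) of the
    unique polynomial of degree < len(points) through the given points."""
    coeffs = [0] * len(points)
    for k, (xk, yk) in enumerate(points):
        basis = [1]                            # product of (x - x_m) / (x_k - x_m)
        for m, (xm, _) in enumerate(points):
            if m == k:
                continue
            inv = pow((xk - xm) % p, -1, p)
            new = [0] * (len(basis) + 1)
            for d, c in enumerate(basis):      # multiply basis by (x - xm) * inv
                new[d + 1] = (new[d + 1] + c * inv) % p
                new[d] = (new[d] - c * xm * inv) % p
            basis = new
        for d, c in enumerate(basis):
            coeffs[d] = (coeffs[d] + yk * c) % p
    return coeffs


def bprime_consistent_with(key_points, y_star, z, p):
    """Coefficients b'_{i*,0..T} agreeing with the key points (y, f(y)), y in S,
    and with f(y_star) = z.  Because |S| <= T there are |S| + 1 <= T + 1
    constraints, so such a b' exists for every z: the key leaves f(pi(i*)) free."""
    return interpolate(key_points + [(y_star, z)], p)


def demo(seed=3):
    rng = random.Random(seed)
    S = {11, 22}
    in_s = rand_term(A, 0, samp(0, A, PI, S, T, P, rng), P)    # pi(0) = 11 in S
    out_s = rand_term(A, 2, samp(2, A, PI, S, T, P, rng), P)   # pi(2) = 33 not in S
    bp = [rng.randrange(P) for _ in range(T + 1)]              # the "true" b'_{i*,t}
    key_points = [(y, poly_eval(bp, y, P)) for y in sorted(S)]
    z = rng.randrange(P)                                       # any target for f(33)
    alt = bprime_consistent_with(key_points, 33, z, P)
    ok = (all(poly_eval(alt, y, P) == fy for y, fy in key_points)
          and poly_eval(alt, 33, P) == z and len(alt) <= T + 1)
    return in_s, out_s, ok
```

The first value returned by `demo` is always 0 (the constraint built into \(\mathsf {Samp}\)), the second is the \(\mathsf {rand}\) term of an unauthorized row, and the third confirms that an alternative \(b'_{i^*}\) matching all key points but with a different \(f(\pi (i^*))\) exists, which is the counting argument behind the uniformity claim.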

The second and last step in proving relaxed perfect security is to show that when \((A,\pi )\) does not accept S, Eq. (3) holds, i.e., for large enough values of N, the statistical distance between the distributions,

$$\begin{aligned} \left( \mathbf {c} (\mathbf {s}, \mathbf {b}), \sum _{i \in [1,n_1+n_2-1]} \mathbf {k} _i(0, r_i, \mathbf {b} + \widehat{\mathbf {b}}_i) \right) \, \text {and} \, \left( \mathbf {c} (\mathbf {s}, \mathbf {b}), \sum _{i \in [1,n_1+n_2-1]} \mathbf {k} _i(\alpha , r_i, \mathbf {b} + \widehat{\mathbf {b}}_i) \right) , \end{aligned}$$
(20)

is negligible, where \(\mathbf {s} \leftarrow _R\mathbb {Z} ^1_N\), \(\mathbf {b} \leftarrow _R\mathbb {Z} ^n_N\), \(\mathbf {r} \leftarrow _R\mathbb {Z} _N^{n_1+n_2-1}\), \(\alpha \leftarrow _R\mathbb {Z} _N\), and \(\widehat{\mathbf {b}}_i \leftarrow \mathsf {Samp} (i,(A,\pi ), S, N)\) for \(i \in [1,n_1+n_2-1]\). Let us denote the left and right distributions in Eq. (20) above by \(\varGamma _L\) and \(\varGamma _R\) respectively. The second component of the key in these two distributions is given by

$$\begin{aligned} k_{2,i,j} = r_i b_{i,j} + r_i \hat{b}_{i,j} - v_j \end{aligned}$$

for \(i \in [1,n_1]\) and \(j \in [1,n_2]\). The only difference between the distributions is in the components \(k_{2,1,1}, \ldots , k_{2,n_1,1}\). In the case of \(\varGamma _L\), \(v_1 = (n_1+n_2-1) \alpha = 0\), while in the case of \(\varGamma _R\), it is chosen independently and uniformly from \(\mathbb {Z} _N\).

Let us focus on the distribution \(\varGamma _L\). Recall that there exists a vector \(\mathbf {w} = (w_1, \ldots , w_{n_2})\) orthogonal to all the rows associated with S such that \(w_1 = 1\). We claim that if we replace the variables \(\hat{b}_{i,j}\) by \(\hat{b}_{i,j} - r^{-1}_i w_j \alpha \), where \(\alpha \leftarrow _R\mathbb {Z} _N\), then \(\varGamma _L\) is not affected. (With high probability \(r_i \in \mathbb {Z} ^*_N\), so \(r^{-1}_i\) exists.) If \(\pi (i) \notin S\), we know that \(\hat{b}_{i,1}, \hat{b}_{i,2}, \ldots , \hat{b}_{i,n_2}\) are independently and uniformly distributed. Hence adding \( - r^{-1}_i w_j \alpha \) has no effect on their joint distribution. On the other hand when \(\pi (i) \in S\), \(\hat{b}_{i,1}, \hat{b}_{i,2}, \ldots , \hat{b}_{i,n_2}\) are uniformly chosen with the constraint that \(\sum _{j \in [1,n_2]} a_{i,j} \hat{b}_{i,j} = 0\). Now, when \( - r^{-1}_i w_j \alpha \) is added,

$$\begin{aligned} \sum _{j \in [1,n_2]} a_{i,j} (\hat{b}_{i,j} - r^{-1}_i w_j \alpha ) \quad = \quad \sum _{j \in [1,n_2]} a_{i,j} \hat{b}_{i,j} \quad - \quad r^{-1}_i \alpha \sum _{j \in [1,n_2]} a_{i,j} w_j \quad = \quad 0 \end{aligned}$$

because \(\mathbf {w} \) is orthogonal to every \(\mathbf {a} _i\) such that \(\pi (i) \in S\). Hence, the variables \(\hat{b}_{i,1}, \hat{b}_{i,2}, \ldots , \hat{b}_{i,n_2}\) still satisfy the constraint they did before.

After replacing \(\hat{b}_{i,j}\) by \(\hat{b}_{i,j} - r^{-1}_i w_j \alpha \), we have that \( k_{2,i,j} = r_i b_{i,j} + r_i \hat{b}_{i,j} - w_j \alpha - v_j \) (where \(v_1 = 0\)). The final step in the proof is to replace the variables \(w_1 \alpha , w_2 \alpha + v_2, \ldots , w_{n_2} \alpha + v_{n_2}\) by \(\alpha , v_2, \ldots , v_{n_2}\). This does not affect \(\varGamma _L\) because \(v_2,\ldots , v_{n_2}\) are picked independently and uniformly from \(\mathbb {Z} _N\) (and \(w_1 = 1\)). But now \(\varGamma _L\) is exactly the distribution \(\varGamma _R\).
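The step of the proof that shifts the \(\mathsf {Samp}\) output by \(-r_i^{-1} w_j \alpha\) can be exercised concretely. The added example below (not the paper's code) implements the per-row sampling of \(\widehat{\mathbf {b}}_i\) described above, applies the shift, and checks over random \(\alpha\) and \(r_i\) that rows associated with S still satisfy \(\sum _j a_{i,j} \hat{b}_{i,j} = 0\) exactly when \(\mathbf {w}\) is orthogonal to them. The LSSS matrix (an AND of two attributes), the set S, the vector \(\mathbf {w}\) and the prime N are constructed for illustration.

```python
import random


def samp_row(a_row, in_S, N, rng):
    """Samp for one row a_i (N assumed prime; a_row has a nonzero entry when in_S):
    uniform over Z_N^{n2} if pi(i) not in S, otherwise uniform subject to
    sum_j a_{i,j} * bhat_j = 0 (mod N), obtained by solving for one pivot coordinate."""
    n2 = len(a_row)
    bhat = [rng.randrange(N) for _ in range(n2)]
    if in_S:
        p = next(j for j, a in enumerate(a_row) if a % N != 0)
        rest = sum(a_row[j] * bhat[j] for j in range(n2) if j != p)
        bhat[p] = (-rest * pow(a_row[p], -1, N)) % N
    return bhat


def shift(bhat, r_i, w, alpha, N):
    """Replace bhat_j by bhat_j - r_i^{-1} w_j alpha, as in the proof (r_i in Z_N^*)."""
    r_inv = pow(r_i, -1, N)
    return [(b - r_inv * wj * alpha) % N for b, wj in zip(bhat, w)]


def row_constraint_holds(a_row, bhat, N):
    return sum(a * b for a, b in zip(a_row, bhat)) % N == 0


def shifted_samp_keeps_constraint(A, S_rows, w, N, trials=200, seed=1):
    """Over random alpha and r_i, check that for every row associated with S the
    Samp constraint holds both before and after the shift. Returns False if any
    trial breaks it (which happens as soon as w is not orthogonal to such a row)."""
    rng = random.Random(seed)
    for _ in range(trials):
        alpha = rng.randrange(N)
        for i, a_row in enumerate(A):
            r_i = rng.randrange(1, N)  # r_i in Z_N^*, so r_i^{-1} exists
            bhat = samp_row(a_row, i in S_rows, N, rng)
            if i in S_rows:
                if not row_constraint_holds(a_row, bhat, N):
                    return False
                if not row_constraint_holds(a_row, shift(bhat, r_i, w, alpha, N), N):
                    return False
    return True


# constructed instance: N prime, LSSS for "x AND y" with target (1, 0),
# row 0 <-> x, row 1 <-> y, S = {x} (does not satisfy the policy), w = (1, -1) with w_1 = 1
N = 101
A = [[1, 1], [0, -1 % N]]
W_GOOD = [1, -1 % N]  # orthogonal to row 0, the only row associated with S
W_BAD = [1, 0]        # not orthogonal to row 0
```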

7.3 Instantiation: Constant-Size Ciphertext

We briefly comment on instantiating the pair encoding scheme \(\varPhi _{\mathsf {cp\text{- }abe}} = (\mathsf {Param}, \mathsf {EncC}, \mathsf {EncK}, \mathsf {Pair})\). Using the generic method in Sect. 5, one can construct a predicate encryption scheme \(\varPi _{\mathsf {cp\text{- }abe}} = (\mathsf {Setup}, \mathsf {Encrypt}, \mathsf {KeyGen}, \mathsf {Decrypt})\) for CP-ABE using \(\varPhi _{\mathsf {cp\text{- }abe}}\). According to Theorem 1, \(\varPi _{\mathsf {cp\text{- }abe}} \) is semi-adaptively secure because the \(\mathsf {Samp}\) algorithm we defined in the previous sub-section depends on the access structure. However, since \(\mathsf {EncC}\) outputs only two polynomials, \(\mathsf {Encrypt}\) outputs only two elements from \(\mathbb {G}\) (and one element from \(\mathbb {G}_T\)). Now, from Remark 2, it follows that one can design a concrete scheme for CP-ABE in prime-order groups where the ciphertext contains only 4 group elements under the \(\mathsf {SXDH}\) assumption, and only 6 elements under the \(\mathsf {DLIN}\) assumption (plus an additional element from the target group in each case). Furthermore, only a constant number of pairing operations is required to decrypt a ciphertext.