Functional encryption for computational hiding in prime order groups via pair encodings

Abstract

Lewko and Waters introduced the computational hiding technique in Crypto’12. In their technique, two computational assumptions that achieve selective and co-selective security proofs lead to adaptive security of an encryption scheme. Later, pair encoding framework was introduced by Attrapadung in Eurocrypt’14. The pair encoding framework generalises the computational hiding technique for functional encryption (FE). It has been used to achieve a number of new FE schemes such as FE for regular languages and unbounded attribute based encryption allowing multi-use of attributes. Nevertheless, the generalised construction of Attrapadung’s pair encoding for those schemes is adaptively secure only in composite order groups, which leads to efficiency loss. It remains a challenging task to explore constructions in prime order groups for gaining efficiency improvement, which leaves the research gap in the existing literature. In this work, we aim to address this drawback by proposing a new generalised construction for pair encodings in prime order groups. Our construction will lead to a number of new FE schemes in prime order groups, which have been previously introduced only in composite order groups by Attrapadung.

Appendix: Equations in Lemma 2.1

If \(T = f_2^{cw}\), then \(\mathbf {K}_0, \mathbf {K}_1\) and \(\mathbf {K}_2\) are properly distributed \(\hbox {NE}_{j-1}\) since

$$\begin{aligned} \mathbf {K}_0&= (f_2^d)^{\mathbf {k}(\alpha , x, (1,\mathbf {h}'); \mathbf {r}'')} f_2^{\mathbf {k}(0, x, (0 ,\mathbf {h}''); \mathbf {r}'')} (f_2^c)^{-\mathbf {k}(0, x, (0 ,\mathbf {h}''); \mathbf {1}_j)} (f_2^d (f_2^{wa})^{-1} f_2^{y'_v})^{\mathbf {z}'}\nonumber \\&\quad (f^{cw})^{- a \mathbf {k}(0,x,(1,\mathbf {h}'); \cdot \mathbf {1}_j)} (f_2^c)^{y'_v \mathbf {k}(0,x,(1,\mathbf {h}'); \cdot \mathbf {1}_j)}f_2^{-a\mathbf {k}(0, x, (1,\mathbf {h}'); \mathbf {r}_{j-1}')}\nonumber \\&= f_2^{d\mathbf {k}(\alpha ', x, (1,\mathbf {h}'); \mathbf {r}'')} \boxed {f_2^{d\mathbf {k}(0, x, (1,\mathbf {h}'); - c\mathbf {1}_j)}}f_2^{\mathbf {k}(0, x, (0 ,\mathbf {h}''); \mathbf {r}'')}f_2^{\mathbf {k}(0, x, (0 ,\mathbf {h}'');-c\mathbf {1}_j)} f_2^{(d-wa+y'_v)(\mathbf {z}')} \nonumber \\&\quad \cdot \, \boxed {f_2^{d\mathbf {k}(0, x, (1,\mathbf {h}'); c\mathbf {1}_j)}}f_2^{- wa \mathbf {k}(0,x,(1,\mathbf {h}'); c \cdot \mathbf {1}_j)}f_2^{y'_v \mathbf {k}(0,x,(1,\mathbf {h}'); c \cdot \mathbf {1}_j)}f_2^{-a\mathbf {k}(0, x, (1,\mathbf {h}'); \mathbf {r}_{j-1}')} \end{aligned}$$

(12)

$$\begin{aligned}&= f_2^{d\mathbf {k}(\alpha ', x, (1,\mathbf {h}'); \mathbf {r})} f_2^{\mathbf {k}(0, x, (0 ,\mathbf {h}''); \mathbf {r})} f_2^{(d-wa+y'_v)(\mathbf {z}'+\mathbf {k}(0,x,(1,\mathbf {h}'); c \cdot \mathbf {1}_j))} f_2^{-a\mathbf {k}(0, x, (1,\mathbf {h}'); \mathbf {r}_{j-1}')} \end{aligned}$$

(13)

$$\begin{aligned}&= f_2^{\mathbf {k}(d\alpha ', x, (d ,d\mathbf {h}'); \mathbf {r})}f_2^{\mathbf {k}(0, x, (0 ,\mathbf {h}''); \mathbf {r})} f_2^{(d-wa+y'_v)(\mathbf {z}' + \mathbf {k}(0,x,(1,\mathbf {h}'); c\cdot \mathbf {1}_j))}f_2^{-a\mathbf {k}(0, x, (1,\mathbf {h}'); \mathbf {r}_{j-1}')} \end{aligned}$$

(14)

$$\begin{aligned}&= f_2^{\mathbf {k}(d\alpha ', x, (d ,d\mathbf {h}'+\mathbf {h}''); \mathbf {r})} f_2^{(d-wa+y'_v)(\mathbf {z}' + \mathbf {k}(0,x,(1,\mathbf {h}'); c\cdot \mathbf {1}_j))}f_2^{-a\mathbf {k}(0, x, (1,\mathbf {h}'); \mathbf {r}_{j-1}')} \nonumber \\&= g_2^{\mathbf {k}(\alpha ', x, (1,\mathbf {h}); \mathbf {r})} v_2^{\mathbf {z}}f_2^{-a\mathbf {k}(0, x, (1,\mathbf {h}'); \mathbf {r}_{j-1}')} \end{aligned}$$

(15)

This implicitly sets \(\mathbf {r} = \mathbf {r}'' -c \cdot \mathbf {1}_j\) and \(\mathbf {z} = \mathbf {z}' + \mathbf {k}(0,x,(1,\mathbf {h}'); c \cdot \mathbf {1}_j)\). The second equality (12) in above equation holds by the linearity over random values because

$$\begin{aligned} (f_2^d)^{\mathbf {k}(\alpha , x, (1,\mathbf {h}'); \mathbf {r}'')}&= (f_2^d)^{\mathbf {k}(\alpha , x, (1,\mathbf {h}'); \mathbf {r}'')} (f_2^{d})^{\mathbf {k}(0, x, (1,\mathbf {h}'); \mathbf {0})} \\&= (f_2^d)^{\mathbf {k}(\alpha , x, (1,\mathbf {h}'); \mathbf {r}'')}(f_2^d)^{\mathbf {k}(0, x, (1,\mathbf {h}'); -c\mathbf {1}_j)}(f_2^d)^{\mathbf {k}(0, x, (1,\mathbf {h}'); c\mathbf {1}_j)}.\\ \end{aligned}$$

The third equality (13) holds because of the definition of \(\mathbf {r}\) (\( = \mathbf {r}''- c \cdot \mathbf {1}_j\)) and linearity over random values. The equalities (14) and (15) hold due to linearity over common parameters.

$$\begin{aligned} \mathbf {K}_1&= (f_2^w)^{ \mathbf {z}'} (f_2^{cw})^{\mathbf {k}(0,x,(1,\mathbf {h}'); \mathbf {1}_j)}f_2^{\mathbf {k}(0, x, (1,\mathbf {h}'); \mathbf {r}_{j-1}')}\\&= (f_2^w)^{ \mathbf {z}'} (f_2^{w})^{\mathbf {k}(0,x,(1,\mathbf {h}'); c \cdot \mathbf {1}_j)}f_2^{\mathbf {k}(0, x, (1,\mathbf {h}'); \mathbf {r}_{j-1}')}\\&= (f_2^w)^{ \mathbf {z}'+\mathbf {k}(0,x,(1,\mathbf {h}'); c \cdot \mathbf {1}_j)}f_2^{\mathbf {k}(0, x, (1,\mathbf {h}'); \mathbf {r}_{j-1}')} = u_2^{\mathbf {z}}f_2^{\mathbf {k}(0, x, (1,\mathbf {h}'); \mathbf {r}_{j-1}')} \end{aligned}$$

If T is random in Lemma 2.1. and we let \(f_2^{wc + \gamma }\) denote it, This is properly distributed \(\hbox {NE}_j\) since \((f_2^\gamma )^{- a\mathbf {k}(0,x,(1,\mathbf {h}'); \cdot \mathbf {1}_j)}\) is multiplied to \(\mathbf {K}_1\). By linearity over random values, this implicitly sets \(\mathbf {r}'_j = \mathbf {r}'_{j-1} +\gamma \cdot \mathbf {1}_j\). \(\mathbf {r}'_j\) is still randomly distributed since \(\gamma \) is a random value.

The challenge ciphertext is also properly distributed because

$$\begin{aligned} \mathbf {C}_0&= (f_1^{dwt})^{\mathbf {c}(y,(1,\mathbf {h}');{\tilde{s}},\tilde{\mathbf {s}})}(f_1^d)^{\mathbf {c}(y,(1,\mathbf {h}');s'', \mathbf {s}'')} (f_1^{wt})^{\mathbf {c}(y,(0, \mathbf {h}'');{\tilde{s}},\tilde{\mathbf {s}})} f_1^{\mathbf {c}(y,(0, \mathbf {h}'');s'', \mathbf {s}'')} \nonumber \\&= (f_1^{wt})^{\mathbf {c}(y,(d,d\mathbf {h}');{\tilde{s}},\tilde{\mathbf {s}})}f_1^{\mathbf {c}(y,(d,d\mathbf {h}');s'', \mathbf {s}'')} (f_1^{wt})^{\mathbf {c}(y,(0, \mathbf {h}'');{\tilde{s}},\tilde{\mathbf {s}})} f_1^{\mathbf {c}(y,(0, \mathbf {h}'');s'', \mathbf {s}'')} \end{aligned}$$

(16)

$$\begin{aligned}&= (f_1^{wt})^{\mathbf {c}(y,(d,d\mathbf {h}');{\tilde{s}},\tilde{\mathbf {s}} )}(f_1)^{\mathbf {c}(y,(d,d\mathbf {h}');s'', \mathbf {s}'')} (f_1^{wt})^{\mathbf {c}(y,(0, \mathbf {h}'');{\tilde{s}},\tilde{\mathbf {s}})} f_1^{\mathbf {c}(y,(0, \mathbf {h}'');s'', \mathbf {s}'')} \end{aligned}$$

(17)

$$\begin{aligned}&= f_1^{\mathbf {c}(y,(d, d\mathbf {h}');wt{\tilde{s}} + s'', wt\tilde{\mathbf {s}} + \mathbf {s}'')} f_1^{\mathbf {c}(y,(0, \mathbf {h}'');wt{\tilde{s}} + s'', wt\tilde{\mathbf {s}} + \mathbf {s}'')} \end{aligned}$$

(18)

$$\begin{aligned}&=f_1^{\mathbf {c}(y,(d, d\mathbf {h}'+\mathbf {h}'');wt{\tilde{s}} + s'', wt\tilde{\mathbf {s}} + \mathbf {s}'')} \end{aligned}$$

(19)

$$\begin{aligned}&= g_1^{\mathbf {c}(y,(1, \mathbf {h});s, \mathbf {s})} \mathbf {C}_1 = (C_0)^a (f_1^{d^2t})^{-\mathbf {c}(y,(1, \mathbf {h}');{\tilde{s}},\tilde{\mathbf {s}})} = g_1^{a\mathbf {c}(y,(1, \mathbf {h});s, \mathbf {s})} f_1^{\mathbf {c}(y, (1,\mathbf {h}');s',\mathbf {s}')}\nonumber \\ \mathbf {C}_2&= (f_1^{d^2})^{\mathbf {c}(y,(1,\mathbf {h}');s'',\mathbf {s}'')}(f_1^{dwt})^{\mathbf {c}(y,(y'_v,\mathbf {h}''+y'_v\mathbf {h}');{\tilde{s}},\tilde{\mathbf {s}})}(f_1^d)^{c(y,(y'_v, \mathbf {h}''+y'_v\mathbf {h}');s'',\mathbf {s}'')}\nonumber \\&\quad \cdot \, (f_1^{wt})^{\mathbf {c}(y,(0,y'_v\mathbf {h}'');{\tilde{s}},\tilde{\mathbf {s}})}f_1^{\mathbf {c}(y,(0,y'_v\mathbf {h}'');s'',\mathbf {s}'')}\nonumber \\&= {(f_1^{d^2})^{\mathbf {c}(y,(1,\mathbf {h}');wt{\tilde{s}}+ s'',wt\tilde{\mathbf {s}}+ \mathbf {s}'')}}{(f_1^{d^2})^{\mathbf {c}(y,(1,\mathbf {h}');-wt{\tilde{s}},-wt\tilde{\mathbf {s}})}}\nonumber \\&\quad \cdot \, (f_1^{d})^{\mathbf {c}(y,(y'_v,\mathbf {h}''+y'_v\mathbf {h}');wt{\tilde{s}}+s'',wt\tilde{\mathbf {s}}+\mathbf {s}'')} f_1^{\mathbf {c}(y,(0,y'_v \mathbf {h}'');wt{\tilde{s}}+s'',wt\tilde{\mathbf {s}}+\mathbf {s}'')} \end{aligned}$$

(20)

$$\begin{aligned}&= f_1^{ \mathbf {c}(y,((d+y'_v)d, d(d+y'_v)\mathbf {h}'+(d+y'_v)\mathbf {h}'');wt{\tilde{s}} + s'',wt\tilde{\mathbf {s}} +\mathbf {s}'')} (f_1^w)^{\mathbf {c}(y,(1,\mathbf {h}');-d^2t{\tilde{s}},-d^2t\tilde{\mathbf {s}})} \nonumber \\&= g_1^{\tau \mathbf {c}(y, (1,\mathbf {h});s,\mathbf {s})}u_1^{\mathbf {c}(y, (1,\mathbf {h}');s',\mathbf {s}')}. \end{aligned}$$

(21)

The equalities of (16) and (19) hold by linearity over common parameters. Also, those of (17) and (18) hold by linearity over random values. The equalities of (20) holds since

$$\begin{aligned}&(f_1^{d^2})^{\mathbf {c}(y,(1,\mathbf {h}');s'',\mathbf {s}'')} \\&\quad = {(f_1^{d^2})^{\mathbf {c}(y,(1,\mathbf {h}');wt{\tilde{s}}+ s'',wt\tilde{\mathbf {s}}+ \mathbf {s}'')}}{(f_1^{d^2})^{\mathbf {c}(y,(1,\mathbf {h}'); -wt{\tilde{s}},-wt\tilde{\mathbf {s}})}}\\&(f_1^{dwt})^{\mathbf {c}(y,(y'_v,\mathbf {h}''+y'_v\mathbf {h}');{\tilde{s}},\tilde{\mathbf {s}})}(f_1^d)^{c(y,(y'_v, \mathbf {h}''+y'_v\mathbf {h}');s'',\mathbf {s}'')} \\&\quad = (f_1^{d})^{\mathbf {c}(y,(y'_v,\mathbf {h}''+ y'_v\mathbf {h}');wt{\tilde{s}}+s'',wt\tilde{\mathbf {s}}+\mathbf {s}'')} \\&(f_1^{wt})^{\mathbf {c}(y,(0,y'_v\mathbf {h}'');{\tilde{s}},\tilde{\mathbf {s}})}f_1^{\mathbf {c}(y,(0,y'_v\mathbf {h}'');s'',\mathbf {s}'')}\\&\quad = f_1^{\mathbf {c}(y,(0,y'_v \mathbf {h}'');wt{\tilde{s}}+s'',wt\tilde{\mathbf {s}}+\mathbf {s}'')}. \end{aligned}$$

It is worth noting that all equalities above hold by linearity over random values. The last equalities in \(\mathbf {C}_0, \mathbf {C}_1\) and \(\mathbf {C}_2\) hold because of \(s' = -d^2t {\tilde{s}}, \mathbf {s}' = -d^2t \tilde{\mathbf {s}}\) and the definitions of public parameters. \({\tilde{s}}\) and \(\tilde{\mathbf {s}}\) are randomly distributed to the adversary although they also appear in \(s = wt {\tilde{s}} + s'', \mathbf {s}=wt{\tilde{s}} + \mathbf {s}''\) since their values are not revealed in those values (due to \(s''\) and \(\mathbf {s}''\)).