Multi-input Functional Encryption in the Private-Key Setting: Stronger Security from Weaker Assumptions

Brakerski, Zvika; Komargodski, Ilan; Segev, Gil

doi:10.1007/s00145-017-9261-0

Multi-input Functional Encryption in the Private-Key Setting: Stronger Security from Weaker Assumptions

Published: 26 June 2017

Volume 31, pages 434–520, (2018)
Cite this article

Download PDF

Journal of Cryptology Aims and scope Submit manuscript

Multi-input Functional Encryption in the Private-Key Setting: Stronger Security from Weaker Assumptions

Download PDF

Zvika Brakerski¹,
Ilan Komargodski¹ &
Gil Segev²

2219 Accesses
15 Citations
Explore all metrics

Abstract

We construct a general-purpose multi-input functional encryption scheme in the private-key setting. Namely, we construct a scheme where a functional key corresponding to a function f enables a user holding encryptions of $x_1, \ldots , x_t$ to compute $f(x_1, \ldots , x_t)$ but nothing else. This is achieved starting from any general-purpose private-key single-input scheme (without any additional assumptions) and is proven to be adaptively secure for any constant number of inputs t. Moreover, it can be extended to a super-constant number of inputs assuming that the underlying single-input scheme is sub-exponentially secure. Instantiating our construction with existing single-input schemes, we obtain multi-input schemes that are based on a variety of assumptions (such as indistinguishability obfuscation, multilinear maps, learning with errors, and even one-way functions), offering various trade-offs between security assumptions and functionality. Previous and concurrent constructions of multi-input functional encryption schemes either rely on stronger assumptions and provided weaker security guarantees (Goldwasser et al. in Advances in cryptology—EUROCRYPT, 2014; Ananth and Jain in Advances in cryptology—CRYPTO, 2015), or relied on multilinear maps and could be proven secure only in an idealized generic model (Boneh et al. in Advances in cryptology—EUROCRYPT, 2015). In comparison, we present a general transformation that simultaneously relies on weaker assumptions and guarantees stronger security.

Multi-input Functional Encryption in the Private-Key Setting: Stronger Security from Weaker Assumptions

Function-Private Functional Encryption in the Private-Key Setting

Article 17 April 2017

1 Introduction

The emerging vision of functional encryption [17, 33, 36] extends the traditional “all-or-nothing” view of encryption schemes. Specifically, functional encryption schemes offer additional flexibility by supporting restricted decryption keys. These keys allow users to learn specific functions of the encrypted data, without learning any additional information. Building upon the early examples of functional encryption schemes for restricted function families (such as identity-based encryption [9, 20, 34]), extensive research is currently devoted to the construction of functional encryption schemes offering a variety of expressive families of functions (see, for example, [3,4,5, 8, 14, 16,17,18, 22, 23, 25, 26, 31,32,33, 36, 38]).

Until very recently, research on functional encryption has focused on the case of single-input functions. In a single-input functional encryption scheme, a functional key $\mathsf {sk}_f$ corresponding to a function f enables a user holding an encryption of a value x to compute f(x) while not revealing any additional information on x. In many scenarios, however, dealing only with single-input functions is insufficient, and a more general framework allowing multi-input functions is required.

Goldwasser et al. [21] recently introduced the notion of a multi-input functional encryption scheme. In such a scheme, a functional key corresponding to a t-input function f enables a user holding encryptions of $x_1, \ldots , x_t$ to compute $f(x_1, \ldots , x_t)$ without learning any additional information on the $x_i$’s. The work of Goldwasser et al. and their new notion are very well motivated by a wide range of applications based on mining aggregate information from several different data sources. These include, for example, running SQL queries on encrypted databases, computing over encrypted data streams, non-interactive differentially private data release, and order-revealing encryption (all of which are relevant in both the public-key setting and the private-key one [12]).

Goldwasser et al. presented a rigorous framework for capturing the security of multi-input schemes in the public-key setting and in the private-key one. In addition, relying on indistinguishability obfuscation and one-way functions [10, 22, 28], they constructed the first multi-input functional encryption schemes. In terms of functionality, their schemes are extremely expressive, supporting all multi-input functions that are computable by bounded-size circuits. In terms of security, however, their private-key scheme satisfies a weak selective notion, which does not allow the adversary to access an encryption oracle (which is quite crippling in the private-key setting), and requires an a priori bound on the number of challenge ciphertexts (the ciphertext length in their scheme depends on the number of challenge ciphertexts).

Following the work of Goldwasser et al. [21], a private-key multi-input functional encryption scheme that satisfies a more standard notion of security (one that allows access to an encryption oracle) was constructed by Boneh et al. [12]. Their scheme is based on multilinear maps and is proven secure in the idealized generic multilinear map model. In addition, in an independent and concurrent work, Ananth and Jain [5] constructed a selectively secure multi-input private-key functional encryption scheme based on any general-purpose public-key functional encryption scheme (as an intermediate step in constructing an indistinguishability obfuscator).

Thus, constructions of multi-input functional encryption schemes in the private-key setting have so far either relied on stronger assumptions and provided weaker security guarantees [5, 21],^{Footnote 1} or could be proven secure only in an idealized generic model [12].

1.1 Our Contributions

In this paper we present a construction of private-key multi-input functional encryption from any general-purpose private-key single-input functional encryption scheme (without introducing any additional assumptions). The resulting scheme supports any set of efficiently computable functions and provides adaptive security in the standard model for any constant number of inputs. We prove the following theorem:

Theorem 1.1

Assuming the existence of any private-key single-input selectively secure functional encryption scheme, for any constant $t \ge 2$ there exists a private-key t-input adaptively secure functional encryption scheme.

Assuming that the underlying private-key single-input scheme is sub-exponentially secure, our resulting scheme provides adaptive security for a super-constant number of inputs (we refer the reader to Sect. 1.4 for more details). Following [1, 16, 31], our scheme provides not only message privacy, but in fact a unified notion that captures both message privacy and function privacy (this notion is known as full security—see Sect. 2.3 for more details).

Instantiations. Instantiating our construction with existing private-key single-input schemes, we obtain new multi-input schemes based on a variety of assumptions in the standard model. Specifically, we obtain schemes that are secure for an unbounded number of encryption and key-generation queries based on indistinguishability obfuscation or multilinear maps. In addition, if the number of encryption and key-generation queries is a priori bounded, we can rely on much milder assumptions such as learning with errors [25] or even the existence of one-way functions or low-depth pseudorandom generators [26]. See Sect. 2.2 for further discussion.

Comparison with previous and concurrent work. Compared to the previous work of Goldwasser et al. [21] and Boneh et al. [12], our work yields stronger security guarantees and at the same time relies solely on a necessary assumption. Specifically, whereas Goldwasser et al. and Boneh et al. rely on indistinguishability obfuscation and multilinear maps, respectively, we rely on the existence of any general-purpose private-key single-input scheme, which is obviously necessary. Moreover, whereas the scheme of Goldwasser et al. provides a selective notion of security which, in addition, does not allow adversaries to access an encryption oracle and requires an a priori bound on the number of challenge ciphertexts, and the scheme of Boneh et al. is proved secure only in an idealized generic model that does not properly capture real-world adversaries, our scheme provides adaptive security in the standard model for any number of challenge ciphertexts.

Compared to the concurrent work of Ananth and Jain [5], our work again yields stronger security guarantees while relying on a weaker assumption. Specifically, whereas the construction of Ananth and Jain relies on public-key functional encryption and guarantees selective security (where, in addition, the adversary is not allowed to access an encryption oracle), our construction relies on private-key functional encryption and guarantees full security. However, the construction of [5] results with a multi-input scheme that supports polynomially many inputs. From the technical point of view, the scheme of Ananth and Jain is similar to “Step 1” of our approach (see Sect. 1.4). The vast majority of our efforts in this paper are devoted to providing better security while simultaneously relying on weaker assumptions, as mentioned above.

In terms of assumptions, the recent work of Asharov and Segev [7] shows that private-key functional encryption is much weaker than any public-key primitive (in particular, it is much weaker than public-key functional encryption). Specifically, they show that using the currently known techniques it is impossible to use a private-key functional encryption scheme for constructing even a key-agreement protocol (and therefore, in particular, it is impossible to construct a public-key encryption scheme or a public-key functional encryption scheme).

Finally, we note that in addition to introducing the notion of a multi-input functional encryption scheme, Goldwasser et al. [21] introduced the more general notion of a multi-client multi-input functional encryption scheme. In such a scheme, each input coordinate is associated with its own encryption key, and security should be satisfied for all coordinates whose encryption keys are not known to the adversary. In this paper we do not consider this more general notion, and an interesting open problem is to extend our approach to the multi-client setting.

1.2 Additional Related Work

Extensive research has been devoted to the study of functional encryption, and for concreteness we focus here only on those previous efforts that are directly relevant to the techniques used in this paper.

Function-private functional encryption. The security guarantees of functional encryption typically focus on message privacy. Intuitively, message privacy asks that a functional key $\mathsf {sk}_f$ does not help in distinguishing encryptions of two messages, $m_0$ and $m_1$, as long as $f(m_0) = f(m_1)$. In various cases, however, it is also useful to consider function privacy [1, 15, 16, 35], asking that a functional key $\mathsf {sk}_f$ does not reveal any unnecessary information on the function f. Specifically, in the private-key setting, function privacy asks that an encryption of a message m does not help in distinguishing two functional keys, $\mathsf {sk}_{f_0}$ and $\mathsf {sk}_{f_1}$, as long as $f_0(m) = f_1(m)$. Brakerski and Segev [16] recently showed that any private-key functional encryption scheme can be generically transformed into one that satisfies a unified notion of security, referred to as full security, which considers both message privacy and function privacy.

Other than being a useful notion for various applications, function privacy was found useful as a building block in the construction of several functional encryption schemes [3, 32]. One of the key insights that we utilize in this work is that function-private functional encryption allows to successfully apply proof techniques “borrowed” from the indistinguishability obfuscation literature (including, for example, a variant of the punctured programming approach of Sahai and Waters [37]).

Key-encapsulation techniques in functional encryption. Key encapsulation (also known as “hybrid encryption”) is an extremely useful approach in the design of encryption schemes (mostly in the public-key setting), both for improved efficiency and for improved security. Specifically, key encapsulation typically means that instead of encrypting a message m under a fixed key $\mathsf {sk}$, one can instead sample a random key $\mathsf{k}$, encrypt m under $\mathsf{k}$, and then encrypt $\mathsf{k}$ under $\mathsf {sk}$. Recently, Ananth et al. [3] showed that key encapsulation is useful also in the setting of functional encryption. They showed that it can be used to transform any selectively secure functional encryption scheme into an adaptively secure one (in both the public-key setting and the private-key one). Their construction and proof technique hint that key-encapsulation techniques may in fact be a general tool that is useful in the design of functional encryption schemes. Our constructions incorporate key-encapsulation techniques and exhibit additional strengths of this technique in the context of functional encryption schemes. Specifically, as discussed in Sect. 1.4, we use key-encapsulation techniques to create “sufficient independence” between combinations of different ciphertexts, a crucial ingredient in our constructions (see Sect. 1.4 for a detailed comparison between our technique and that of Ananth et al.).

Multi-input functional encryption schemes and obfuscation. An important aspect in studying multi-input functional encryption schemes is its tight connection to indistinguishability obfuscation. Goldwasser et al. [21] showed that the following three primitives are equivalent: (1) selectively secure private-key multi-input functional encryption scheme with polynomially many inputs, (2) selectively secure public-key two-input functional encryption scheme, and (3) indistinguishability obfuscation. The works of Ananth and Jain [5] and Ananth, Jain and Sahai [6] show how to construct a selectively secure private-key multi-input functional encryption scheme with polynomially many inputs (and thereby an indistinguishability obfuscator) from any sub-exponentially secure public-key single-input functional encryption scheme.^{Footnote 2}

1.3 Follow-Up Work

In a follow-up work, Bitansky et al. [13] showed that any single-input private-key functional encryption scheme and any public-key encryption scheme, both with sub-exponential security, can be used to construct an indistinguishability obfuscator for all polynomial-size circuits. Furthermore, they showed that a sub-exponentially secure single-input functional encryption scheme implies a public-key encryption scheme (with slightly super-polynomial security). As a building block in both of their constructions, they used our transformation from a single-input functional encryption scheme into a multi-input scheme. Our transformation is the non-black-box component in their constructions allowing them to bypass the black-box impossibility of Asharov and Segev [7] mentioned above.

More recently, Komargodski and Segev [30] presented a new transformation from single-input functional encryption to multi-input functional encryption in the private-key setting. They showed that any quasi-polynomially secure single-input scheme can be used to obtain a multi-input scheme supporting a polylogarithmic number of inputs. In comparison, in this paper, we require a sub-exponentially secure single-input scheme and obtain a scheme supporting only a slightly super-constant number of inputs. Komargodski and Segev further observed that their multi-input scheme is enough to get not only public-key encryption but actually a public-key functional encryption (for a restricted set of circuits) and average-case PPAD-hardness.

1.4 Overview of Our Constructions and Techniques

In this section we provide a high-level overview of our constructions. For concreteness, we focus here mainly on two-input schemes and then briefly discuss the generalization of our approach to more than two inputs (we refer the reader to “Appendix A” for the generalization to t-input schemes for $t \ge 2$). In what follows, we start by briefly describing the functionality and security properties of two-input schemes in the private-key setting. Then, we explain the main ideas underlying our constructions. We emphasize that the forthcoming overview is of very high level and ignores many technical details. For the full details we refer to Sects. 3 and 4.

Functionality and security. In a private-key two-input functional encryption scheme, the master secret key $\mathsf {msk}$ of the scheme is used for encrypting any messages x and y (separately) to the first and second coordinates, respectively, and for generating functional keys for two-input functions. A functional key $\mathsf {sk}_f$ corresponding to a function f enables to compute f(x, y) given $\mathsf {Enc}(x)$ and $\mathsf {Enc}(y)$. Building upon the previous notions of security for private-key multi-input functional encryption schemes [12, 21], we consider a strengthened notion of security that combines both message privacy and function privacy (as in [1, 16] for single-input schemes), to which we refer to as full security.^{Footnote 3} Specifically, we consider adaptive adversaries that are given access to “left-or-right” key-generation and encryption oracles. These oracles operate in one out of two modes corresponding to a randomly chosen bit b. The key-generation oracle receives as input pairs of the form $(f_0, f_1)$ and outputs a functional key for $f_b$. The encryption oracle receives as input pairs of the form $(x_0,x_1)$ for the first coordinate, or $(y_0, y_1)$ for the second coordinate, and outputs an encryption of $x_b$ or $y_b$. We require that no efficient adversary can guess the bit b with probability noticeably higher than 1 / 2, as long as for each such three queries $(f_0, f_1)$, $(x_0, x_1)$, and $(y_0, y_1)$ it holds that $f_0(x_0, y_0) = f_1(x_1, y_1)$.

Intuition: Input aggregation. Given a two-input function $f(\cdot ,\cdot )$, one can view f as a single-input function, $f^*$, that takes a tuple (x, y), which we denote by $x \Vert y$ to avoid confusion, and computes $f^*(x\Vert y) = f(x,y)$. Using a single-input scheme, we can generate a functional key for the function $f^*$. We thus remain with the problem of aggregating the input. That is, we need to be able to encrypt inputs x and y, such that given $\mathsf {Enc}(x)$ and $\mathsf {Enc}(y)$ it is possible to compute $\mathsf {Enc}(x \Vert y)$. At a very high level, this is achieved by having the encryption of x be an “aggregator”: To encrypt x, we will generate a functional key for the function ${\mathsf {AGG}}_x(\cdot )$ that on input y outputs an encryption of $x\Vert y$.^{Footnote 4} There are many technical difficulties in realizing this intuition, as we explain in the remainder of this section.

Step 1: Functional keys as ciphertexts. Given any private-key single-input functional encryption scheme, $\mathsf {1FE}$, the first step in our transformation is to use both its ciphertexts and its functional keys as ciphertexts for a two-input scheme $\mathsf {2FE}$: An encryption of a message x to the first coordinate is a functional key $\mathsf {sk}_x$ corresponding to a certain functionality that depends on x, and an encryption of a message y to the second coordinate is simply an encryption of y. Intuitively, the hope is that the function privacy of $\mathsf {1FE}$ will hide x, and that the message privacy of $\mathsf {1FE}$ will hide y. More specifically, a first attempt toward realizing this intuition is as follows:

1.
The master secret key consists of two keys, $\mathsf {msk_{in}}$ and $\mathsf {msk_{out}}$, for the single-input scheme $\mathsf {1FE}$. The key $\mathsf {msk_{in}}$ is used for encryption, and the key $\mathsf {msk_{out}}$ is used to decryption.
2.
An encryption of a message x to the first coordinate is a functional key $\mathsf {sk}_{x,\mathsf {msk_{out}}}$ that is generated using $\mathsf {msk_{in}}$ and corresponds to the following functionality: Given an input y, it outputs an encryption $\mathsf {Enc}_{\mathsf {msk_{out}}}(x||y)$ of x concatenated with y under $\mathsf {msk_{out}}$.^{Footnote 5} An encryption of a message y to the second coordinate is simply an encryption $\mathsf {Enc}_{\mathsf {msk_{in}}}(y)$ of y under $\mathsf {msk_{in}}$.
3.
A functional key for a two-input function f is a functional key that is generated using $\mathsf {msk_{out}}$ for the function f when viewed as a single-input function.
4.
Given a functional key for a function f, and two encryptions $\mathsf {sk}_{x,\mathsf {msk_{out}}}$ and $\mathsf {Enc}_{\mathsf {msk_{in}}}(y)$, we first apply $\mathsf {sk}_{x,\mathsf {msk_{out}}}$ on $\mathsf {Enc}_{\mathsf {msk_{in}}}(y)$ for obtaining $\mathsf {Enc}_{\mathsf {msk_{out}}}(x||y)$ and then apply the functional key for f on $\mathsf {Enc}_{\mathsf {msk_{out}}}(x||y)$.

It is straightforward to verify that the above scheme indeed provides the required functionality of a two-input scheme. Proving its security, however, does not seem to go through: When “attacking” the key $\mathsf {msk_{out}}$, we clearly cannot embed it in the encryptions $\mathsf {sk}_{x,\mathsf {msk_{out}}}$ generated to the first coordinate. A typical approach for “getting rid” of $\mathsf {msk_{out}}$ (so that it will not be explicitly needed and we would be able to use the security of the corresponding scheme) is to embed all possibly needed encryptions under $\mathsf {msk_{out}}$ inside the ciphertexts of the two-input scheme (this idea was used, e.g., in [3, 16, 32]). Note, however, that when an adversary makes T encryption queries there may be roughly $T^2$ different pairs of the form (x, y), and these $T^2$ pairs cannot be embedded into T ciphertexts (we note that $T = T(\lambda )$ may be any polynomial and it is not known in advance).

An additional approach is to use a public-key functional encryption scheme for the role played by $\mathsf {msk_{out}}$ (i.e., replacing $\mathsf {sk}_{x, \mathsf {msk_{out}}}$ with $\mathsf {sk}_{x,\mathsf {pk}_\mathsf{out}}$). Although this solution allows to prove security, we view it as a “warm-up solution” as we would like to avoid relying on a stronger primitive than necessary. Specifically, we would like to rely on private-key functional encryption and not on public-key function encryption (as recently shown by Asharov and Segev [7], private-key functional encryption is weaker than any public-key primitive).

Step 2: Selective security via “one-sided” key encapsulation. Our approach for resolving the difficulty described uses key-encapsulation techniques in functional encryption. Our main idea here is that when encrypting a message x, we sample a fresh key $\mathsf {msk}^\mathsf {\star }$ for the single-input scheme and output two components: $\mathsf {Enc}_{\mathsf {msk_{out}}}(\mathsf {msk}^\mathsf {\star })$ and $\mathsf {sk}_{x, \mathsf {msk}^\mathsf {\star }}$. Given an encryption $\mathsf {Enc}_{\mathsf {msk_{in}}}(y)$ of a message y, the component $\mathsf {sk}_{x, \mathsf {msk}^\mathsf {\star }}$ enables to compute $\mathsf {Enc}_{\mathsf {msk}^\mathsf {\star }}(x||y)$. In addition, a functional key for a function f is now generated using $\mathsf {msk_{out}}$ for the following functionality: Given an input $\mathsf {msk}^\mathsf {\star }$, it outputs a functional key for f (viewed as a single-input function) using $\mathsf {msk}^\mathsf {\star }$. This enables to compute f(x, y) given $\mathsf {Enc}_{\mathsf {msk}^\mathsf {\star }}(x||y)$ and provides the required functionality.

This “one-sided” key encapsulation enables us to prove a selectively secure variant of our notion of security.^{Footnote 6} In this variant we require adversaries to specify their encryption queries in advance, and they are then given adaptive access to the left-or-right key-generation oracle. The main idea underlying the proof of security is that our one-sided key-encapsulation approach yields sufficient independence and allows attacking the x’s one by one, by attacking their corresponding encapsulated keys. Focusing on one message x and its encapsulated key $\mathsf {msk}^*$, an adversary that makes T encryption queries $y_1, \ldots , y_T$ to the second coordinate induces only T pairs $\{(x,y_i)\}_{i \in [T]}$ (instead of $T^2$ pairs as above). Moreover, given that the encryption queries are chosen in advance, we can embed an encryption of $x||y_i$ under $\mathsf {msk}^\mathsf {\star }$ inside the encryption of each $y_i$. This way the key $\mathsf {msk}^\mathsf {\star }$ is not explicitly needed and thus can be attacked (while not affecting any of the other x’s).

As discussed in Sect. 1.2, key-encapsulation techniques have been introduced into the setting of functional encryption by Ananth et al. [3]. Our approach builds upon and significantly extends their initial observations and enables us to create “sufficient independence” between combinations of different ciphertexts, a crucial ingredient in our constructions.

This enables us to construct a selectively secure two-input scheme from any selectively secure single-input one (we refer the reader to Sect. 3 for the scheme and its proof of security). Note, however, that this approach is limited to selective adversaries: Embedding an encryption of $x||y_i$ inside the encryption of $y_i$ requires knowing x before the adversary queries for the encryption of $y_i$.

Step 3: Adaptive security via “two-sided” key encapsulation. Next, we present a general transformation from selective security to adaptive security (in fact, to our stronger notion of full security). Specifically, we rely on two building blocks: (1) any private-key selectively secure two-input scheme and (2) any private-key adaptively secure single-input scheme (note that such a scheme can be generically constructed from any selectively secure two-input scheme^{Footnote 7}). For this transformation we introduce a new technique which we call “two-sided” key encapsulation, where each pair of messages x and y has its own encapsulated key $\mathsf {msk}^\mathsf {\star }$. This, more subtle approach, enables us to “attack” a specific pair of messages each time, since each such pair uses a different encapsulated key: If x is known before y then we embed x||y inside the encryption of y, and if x is known after y then we embed x||y inside the encryption of x. This leaves the problem of how to realize this idea of two-sided key encapsulation. Our two-sided key encapsulation works as follows.

1.
The master secret key consists of two keys: A master secret key $\mathsf {msk_{out}}$ for a selectively secure two-input scheme and a master secret key $\mathsf {msk_{in}}$ for an adaptively secure single-input scheme.
2.
An encryption of a message y consists of two components: $\mathsf {Enc}_{\mathsf {msk_{out}}}(t)$ and $\mathsf {Enc}_{\mathsf {msk_{in}}}(y,t)$, where t is a fresh random tag.
3.
An encryption of a message x consists of two components: $\mathsf {Enc}_{\mathsf {msk_{out}}}(s)$ and $\mathsf {sk}_{x,s}$, where s is a fresh random tag. The functional key $\mathsf {sk}_{x,s}$ is generated using $\mathsf {msk_{in}}$ and corresponds to the following functionality: Given an input (y, t), derive $\mathsf {msk}^\mathsf {\star }$ using randomness $\mathsf {PRF}(s,t)$ ^{Footnote 8} and output $\mathsf {Enc}_{\mathsf {msk}^\mathsf {\star }}(x||y)$.
4.
A functional key for a function f is generated using $\mathsf {msk_{out}}$ for the following functionality: Given two inputs, s and t, derive $\mathsf {msk}^\mathsf {\star }= \mathsf {PRF}(s,t)$ and output a functional key for f (viewed as a single-input function) using $\mathsf {msk}^\mathsf {\star }$.

The crucial observation is that the master secret key $\mathsf {msk_{out}}$ of the two-input selectively secure scheme is used for encrypting random tags, whereas the plaintext itself is always encrypted using the master secret key $\mathsf {msk_{in}}$ of the adaptively secure single-input scheme. This enables us to prove the full security of the resulting scheme (we refer the reader to Sect. 4 for the scheme and its proof of security).

Comparison to the selective-to-adaptive transformation of Ananth et al. [3]. Our two-sided key-encapsulation technique shows that the usability of key encapsulation in the context of functional encryption, demonstrated by Ananth et al. [3], can be significantly extended. Whereas their generic transformation from selective security to adaptive security for single-input scheme uses a rather direct form of key encapsulation, our approach requires a significantly more structured one in which the encapsulated key is not determined at the time of encryption, but rather generated “freshly” (in a pseudorandom manner) for any two messages x and y as above.

Specifically, Ananth et al. encrypted a message m under a selectively secure key $\mathsf {msk}$, by sampling a fresh master secret key $\mathsf {msk}^\mathsf {\star }$ for a “one-time” adaptively secure scheme, encrypted m under $\mathsf {msk}^\mathsf {\star }$ and then encrypted $\mathsf {msk}^\mathsf {\star }$ under $\mathsf {msk}$. This direct encapsulation does not seem to extend to the two-input setting, as applying it independently in each coordinate seems to hurt both the security and the functionality of the scheme. By introducing our two-sided key-encapsulation idea we are able to balance between the need for using key encapsulation in each coordinate and the need for generating sufficient independence between different pairs of messages.

Step 4: Generalization to $\varvec{t}$-input schemes. The generalization of our result to t-input schemes, for $t \ge 2$, consists of two components. The first component is a construction that uses any $(t-1)$-input scheme for building a selectively secure t-input scheme, for any $t \ge 2$. The second component is a construction that uses any selectively secure t-input scheme and a fully secure $(t-1)$-input scheme for building a fully secure t-input scheme. Thus, for obtaining a fully secure t-input scheme from any single-input scheme, one can iteratively apply both components alternately t times. This is illustrated in Fig. 1 for the case $t=3$ (and the same illustration generalizes to any $t > 3$ in a straightforward manner).

This iterative application of our components places a restriction on the number of supported inputs. In general, each such application may result in a polynomial blowup in the parameters of the scheme. Therefore, $t-1$ applications may result in a blowup of $\lambda ^{2^{O(t)}}$ which must be kept polynomial. Without any additional assumptions, this implies that t can be any fixed constant. Assuming, in addition, that the underlying single-input scheme is sub-exponentially secure, the number of inputs can be made super-constant. Specifically, for any constant $0< \epsilon < 1$, when instantiating the underlying single-input scheme with security parameter $\tilde{\lambda } = 2^{(\log \lambda )^\epsilon }$, the first component can be iteratively applied to reach $t = \Theta (\log \log \lambda )$ inputs. Obtaining a generic transformation that supports a super-constant number of inputs without assuming sub-exponential security (or an alternative form of “succinctness”) is left as an open problem.

1.5 Paper Organization

The remainder of this paper is organized as follows: In Sect. 2 we provide an overview of the notation, definitions, and tools underlying our constructions. In Sect. 3 we present a construction of a selectively secure two-input functional encryption scheme from any single-input scheme. In Sect. 4 we present a construction of a fully secure two-input functional encryption scheme from any selectively secure one. In “Appendix A” we generalize our approach to t-input schemes for $t \ge 2$, and in “Appendix B” we provide the formal proofs of our claims from Sects. 3 and 4.

2 Preliminaries

In this section we present the notation and basic definitions that are used in this work. For a distribution X we denote by $x \leftarrow X$ the process of sampling a value x from the distribution X. Similarly, for a set $\mathcal {X}$ we denote by $x \leftarrow \mathcal {X}$ the process of sampling a value x from the uniform distribution over $\mathcal {X}$. For a randomized function f and an input $x\in \mathcal {X}$, we denote by $y\leftarrow f(x)$ the process of sampling a value y from the distribution f(x). For an integer $n \in \mathbb {N}$ we denote by [n] the set $\{1,\ldots , n\}$. A function ${\mathsf {neg}}:\mathbb {N}\rightarrow \mathbb {R}$ is negligible if for every constant $c > 0$ there exists an integer $N_c$ such that ${\mathsf {neg}}(\lambda ) < \lambda ^{-c}$ for all $\lambda > N_c$. For a randomized algorithm A, we denote by A(x; r) the output of A on input x given randomness r.

Two sequences of random variables $X = \{ X_\lambda \}_{\lambda \in \mathbb {N}}$ and $Y = \{Y_\lambda \}_{\lambda \in \mathbb {N}}$ are computationally indistinguishable if for any probabilistic polynomial-time algorithm ${\mathcal {A}}$ there exists a negligible function ${\mathsf {neg}}(\cdot )$ such that $\left| \Pr [{\mathcal {A}}(1^{\lambda }, X_\lambda ) = 1] - \Pr [{\mathcal {A}}(1^{\lambda },Y_\lambda ) = 1] \right| \le {\mathsf {neg}}(\lambda )$ for all sufficiently large $\lambda \in \mathbb {N}$. Throughout the paper, we denote by $\lambda $ the security parameter.

2.1 Pseudorandom Functions

Let $\{\mathcal {K}_\lambda , \mathcal {X}_\lambda , \mathcal {Y}_\lambda \}_{\lambda \in \mathbb {N}}$ be a sequence of sets, and let $\mathsf {PRF}= (\mathsf {PRF.Gen}, \mathsf {PRF.Eval})$ be a function family with the following syntax:

$\mathsf {PRF.Gen}$ is a probabilistic polynomial-time algorithm that takes as input the unary representation of the security parameter $\lambda $ and outputs a key $K\in \mathcal {K}_\lambda $.
$\mathsf {PRF.Eval}$ is a deterministic polynomial-time algorithm that takes as input a key $K\in \mathcal {K}_\lambda $ and a value $x\in \mathcal {X}_\lambda $ and outputs a value $y\in \mathcal {Y}_\lambda $.

The sets $\mathcal {K}_\lambda $, $\mathcal {X}_\lambda $, and $\mathcal {Y}_\lambda $ are referred to as the key space, domain, and range of the function family, respectively. For ease of notation we may denote by $\mathsf {PRF.Eval}_K(\cdot )$ or $\mathsf {PRF}_K(\cdot )$ the function $\mathsf {PRF.Eval}(K,\cdot )$ for $K\in \mathcal {K}_\lambda $. The following is the standard definition of a pseudorandom function family.

Definition 2.1

(Pseudorandomness) A function family $\mathsf {PRF}= (\mathsf {PRF.Gen}, \mathsf {PRF.Eval})$ is pseudorandom if for every probabilistic polynomial-time algorithm ${\mathcal {A}}$ there exists a negligible function ${\mathsf {neg}}(\cdot )$ such that

$$\begin{aligned} \mathsf {Adv}_{\mathsf {PRF}, {\mathcal {A}}}(\lambda )&\mathop {=}\limits ^\mathsf{def}&\left| \Pr _{K\leftarrow \mathsf {PRF.Gen}(1^\lambda )} \left[ {\mathcal {A}}^{\mathsf {PRF.Eval}_K(\cdot )}(1^\lambda ) = 1 \right] \right. \\&\left. - \Pr _{f\leftarrow F_\lambda }\left[ {\mathcal {A}}^{f(\cdot )}(1^\lambda ) = 1\right] \right| \le {\mathsf {neg}}(\lambda ), \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$, where $F_\lambda $ is the set of all functions that map $\mathcal {X}_\lambda $ into $\mathcal {Y}_\lambda $.

In addition to the standard notion of a pseudorandom function family, we rely on the seemingly stronger (yet existentially equivalent) notion of a puncturable pseudorandom function family [11, 19, 29, 37]. In terms of syntax, this notion asks for an additional probabilistic polynomial-time algorithm, $\mathsf {PRF.Punc}$, that takes as input a key $K \in \mathcal {K}_\lambda $ and a set $S \subseteq \mathcal {X}_\lambda $ and outputs a “punctured” key $K_S$. The properties required by such a puncturing algorithm are captured by the following definition.

Definition 2.2

(Puncturable PRF) A pseudorandom function family $\mathsf {PRF}= (\mathsf {PRF.Gen}, \mathsf {PRF.Eval}, \mathsf {PRF.Punc})$ is puncturable if the following properties are satisfied:

1.
Functionality For all sufficiently large $\lambda \in \mathbb {N}$, for every set $S \subseteq \mathcal {X}_\lambda $, and for every $x \in \mathcal {X}_\lambda {\setminus } S$ it holds that
$$\begin{aligned} \Pr _{\begin{array}{c} K\leftarrow \mathsf {PRF.Gen}(1^\lambda );\\ K_S \leftarrow \mathsf {PRF.Punc}(K,S) \end{array}}[\mathsf {PRF.Eval}_K(x)= \mathsf {PRF.Eval}_{K_S}(x) ] = 1. \end{aligned}$$
2.
Pseudorandomness at punctured points Let ${\mathcal {A}}=({\mathcal {A}}_1,{\mathcal {A}}_2)$ be any probabilistic polynomial-time algorithm such that ${\mathcal {A}}_1(1^\lambda )$ outputs a set $S \subseteq \mathcal {X}_\lambda $, a value $x \in S$, and state information $\mathsf {state}$. Then, for any such ${\mathcal {A}}$ there exists a negligible function ${\mathsf {neg}}(\cdot )$ such that
$$\begin{aligned} \mathsf {Adv}_{\mathsf {PRF}, {\mathcal {A}}}(\lambda )&\mathop {=}\limits ^\mathsf{def}&\left| \Pr \left[ {\mathcal {A}}_2(K_S,\mathsf {PRF.Eval}_K(x), \mathsf {state}) = 1\right] \right. \\&\left. -\Pr \left[ {\mathcal {A}}_2(K_S, y, \mathsf {state})=1\right] \right| \le {\mathsf {neg}}(\lambda ) \end{aligned}$$
for all sufficiently large $\lambda \in \mathbb {N}$, where $(S, x, \mathsf {state}) \leftarrow {\mathcal {A}}_1(1^{\lambda })$, $K\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, $K_S = \mathsf {PRF.Punc}(K,S)$, and $y \leftarrow \mathcal {Y}_\lambda $.

For our constructions we rely on pseudorandom functions that need to be punctured only at one point (i.e., in both parts of Definition 2.2 it holds that $S = \{x\}$ for some $x \in \mathcal {X}_\lambda $). As observed by [11, 19, 29, 37] the GGM construction [24] of PRFs from any one-way function can be easily altered to yield such a puncturable pseudorandom function family.

2.2 Private-Key Single-Input Functional Encryption

A private-key single-input functional encryption scheme over a message space $\mathcal {X}= \{\mathcal {X}_\lambda \}_{\lambda \in \mathbb {N}}$ and a function space $\mathcal {F}= \{\mathcal {F}_\lambda \}_{\lambda \in \mathbb {N}}$ is a quadruple $({\mathsf {FE}\mathsf {.S}}, {\mathsf {FE}\mathsf {.KG}}, {\mathsf {FE}\mathsf {.E}}, {\mathsf {FE}\mathsf {.D}})$ of probabilistic polynomial-time algorithms. The setup algorithm ${\mathsf {FE}\mathsf {.S}}$ takes as input the unary representation $1^{\lambda }$ of the security parameter $\lambda \in \mathbb {N}$ and outputs a master secret key $\mathsf {msk}$. The key-generation algorithm ${\mathsf {FE}\mathsf {.KG}}$ takes as input a master secret key $\mathsf {msk}$ and a single-input function $f \in \mathcal {F}_\lambda $ and outputs a functional key $\mathsf {sk}_f$. The encryption algorithm ${\mathsf {FE}\mathsf {.E}}$ takes as input a master secret key $\mathsf {msk}$ and a message $x \in \mathcal {X}_\lambda $ and outputs a ciphertext $\mathsf {ct}$. In terms of correctness we require that for all sufficiently large $\lambda \in \mathbb {N}$, for every function $f \in \mathcal {F}_\lambda $ and message $x \in \mathcal {X}_\lambda $ it holds that ${\mathsf {FE}\mathsf {.D}}({\mathsf {FE}\mathsf {.KG}}(\mathsf {msk},f), {\mathsf {FE}\mathsf {.E}}(\mathsf {msk},x)) = f(x)$ with all but a negligible probability over the internal randomness of the algorithms ${\mathsf {FE}\mathsf {.S}}$, ${\mathsf {FE}\mathsf {.KG}}$, and ${\mathsf {FE}\mathsf {.E}}$.

In terms of security, we rely on the private-key variant of the existing indistinguishability-based notions for message privacy and function privacy. In fact, following [1, 16], our notion of security combines both message privacy and function privacy. When formalizing this notion it would be convenient to use the following standard notion of a left-or-right oracle.

Definition 2.3

(Left-or-right oracle) Let $\mathcal {O}(\cdot ,\cdot )$ be a probabilistic two-input functionality. For each $b\in \{ 0,1 \}$ we denote by $\mathcal {O}_b$ the probabilistic three-input functionality $\mathcal {O}_b(k, z_0, z_1)\mathop {=}\limits ^\mathsf{def} \mathcal {O}(k, z_b)$.

Intuitively, a private-key functional encryption scheme is secure if encryptions of messages $x_1, \ldots , x_T$ together with functional keys corresponding to functions $f_1, \ldots , f_T$ reveal essentially no information other than the values $\{ f_i(x_j)\}_{i,j\in [T]}$. We consider an adaptive notion of security, to which we refer to as full security, in which adversaries are given adaptive access to left-or-right encryption and key-generation oracles.

Definition 2.4

(Full security [1, 16]) A private-key single-input functional encryption scheme $\mathsf {FE}= ({\mathsf {FE}\mathsf {.S}},{\mathsf {FE}\mathsf {.KG}},{\mathsf {FE}\mathsf {.E}},{\mathsf {FE}\mathsf {.D}})$ over a message space $\mathcal {X}= \{\mathcal {X}_\lambda \}_{\lambda \in \mathbb {N}}$ and a function space $\mathcal {F}= \{\mathcal {F}_\lambda \}_{\lambda \in \mathbb {N}}$ is fully secure if for any probabilistic polynomial-time adversary ${\mathcal {A}}$ there exists a negligible function ${\mathsf {neg}}(\cdot )$ such that

$$\begin{aligned} \begin{aligned} \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {FE}, {\mathcal {A}}, \mathcal {F}}(\lambda )&\mathop {=}\limits ^\mathsf{def} \left| \Pr \left[ {\mathcal {A}}^{\mathsf {KG}_0(\mathsf {msk},\cdot ,\cdot ), \mathsf {Enc}_0(\mathsf {msk},\cdot ,\cdot )} (1^\lambda ) = 1\right] \right. \\&\qquad \left. - \Pr \left[ {\mathcal {A}}^{\mathsf {KG}_1(\mathsf {msk},\cdot ,\cdot ), \mathsf {Enc}_1(\mathsf {msk},\cdot ,\cdot )}(1^\lambda ) = 1\right] \right| \\&\qquad \le {\mathsf {neg}}(\lambda ) \end{aligned} \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$, where for every $(f_0,f_1)\in \mathcal {F}_\lambda \times \mathcal {F}_\lambda $ and $(x_0, x_1)\in \mathcal {X}_\lambda \times \mathcal {X}_\lambda $ with which ${\mathcal {A}}$ queries the left-or-right key-generation and encryption oracles, respectively, it holds that $f_0(x_0) = f_1(x_1)$. Moreover, the probability is taken over the choice of $\mathsf {msk}\leftarrow {\mathsf {FE}\mathsf {.S}}(1^\lambda )$ and the internal randomness of ${\mathcal {A}}$.

Known constructions. Private-key single-input functional encryption schemes that satisfy the above notion of full security and support circuits of any a priori bounded polynomial size are known to exist based on a variety of assumptions.

Ananth et al. [3] gave a generic transformation from selective-message (or selective-function) security to full security. Moreover, Brakerski and Segev [16] showed how to transform any message-private functional encryption scheme into a functional encryption scheme which is fully secure, and the resulting scheme inherits the security guarantees of the original one. Therefore, based on [3, 16], given any selective-message (or selective-function) message-private functional encryption scheme we can generically obtain a fully secure scheme. This implies that schemes that are fully secure for any number of encryption and key-generation queries can be based on indistinguishability obfuscation [22, 38], differing-input obfuscation [2, 8], and multilinear maps [23]. In addition, schemes that are fully secure for a bounded number $T = T(\lambda )$ of encryption and key-generation queries can be based on the learning with errors (LWE) assumption (where the length of ciphertexts grows with T and with a bound on the depth of allowed functions) [25], based on pseudorandom generators computable by small-depth circuits (where the length of ciphertexts grows with T and with an upper bound on the circuit size of the functions) [26], and even based on one-way functions (for $T = 1$) [26].

2.3 Private-Key Two-Input Functional Encryption

In this section we define the functionality and security of private-key two-input functional encryption scheme (we refer the reader to “Appendix A.1” for the generalization to t-input schemes for any $t \ge 2$). Let $\mathcal {X}= \{\mathcal {X}_{\lambda }\}_{\lambda \in \mathbb {N}}$, $\mathcal {Y}= \{\mathcal {Y}_{\lambda }\}_{\lambda \in \mathbb {N}}$, and $\mathcal {Z}= \{\mathcal {Z}_{\lambda }\}_{\lambda \in \mathbb {N}}$ be ensembles of finite sets, and let $\mathcal {F}= \{\mathcal {F}_{\lambda }\}_{\lambda \in \mathbb {N}}$ be an ensemble of finite two-ary function families. For each $\lambda \in \mathbb {N}$, each function $f\in \mathcal {F}_{\lambda }$ takes as input two strings, $x\in \mathcal {X}_\lambda $ and $y\in \mathcal {Y}_\lambda $, and outputs a value $f(x,y) \in \mathcal {Z}_{\lambda }$. A private-key two-input functional encryption scheme $\Pi $ for $\mathcal {F}$ consists of four probabilistic polynomial-time algorithm $\mathsf {Setup}$, $\mathsf {Enc}$, $\mathsf {KG}$, and $\mathsf {Dec}$, described as follows.

$\mathsf {Setup}(1^\lambda )$—The setup algorithm takes as input the security parameter $\lambda $ and outputs a master secret key $\mathsf {msk}$.
$\mathsf {Enc}(\mathsf {msk}, m, \mathsf {i})$—The encryption algorithm takes as input a master secret key $\mathsf {msk}$, message input m, and an index $\mathsf {i}\in [2]$, where $m\in \mathcal {X}_\lambda $ if $\mathsf {i}=1$ and $m\in \mathcal {Y}_\lambda $ if $\mathsf {i}=2$. It outputs a ciphertext $\mathsf {ct}_\mathsf {i}$.
$\mathsf {KG}(\mathsf {msk}, f)$—The key-generation algorithm takes as input a master secret key $\mathsf {msk}$ and a function $f\in \mathcal {F}_\lambda $ and outputs a functional key $\mathsf {sk}_f$.
$\mathsf {Dec}(\mathsf {sk}_f, \mathsf {ct}_1,\mathsf {ct}_2)$—The (deterministic) decryption algorithm takes as input a functional key $\mathsf {sk}_f$ and two ciphertexts $\mathsf {ct}_1$ and $\mathsf {ct}_2$, and outputs a string $z\in \mathcal {Z}_\lambda \cup \{ \bot \}$.

Definition 2.5

(Correctness) A private-key two-input functional encryption scheme $\Pi = (\mathsf {Setup}, \mathsf {Enc}, \mathsf {KG}, \mathsf {Dec})$ for $\mathcal {F}$ is correct if there exists a negligible function ${\mathsf {neg}}(\cdot )$ such that for every $\lambda \in \mathbb {N}$, for every $f\in \mathcal {F}_\lambda $, and for every $(x,y)\in \mathcal {X}_\lambda \times \mathcal {Y}_\lambda $, it holds that

$$\begin{aligned} \Pr \big [\mathsf {Dec}(\mathsf {sk}_f, \mathsf {Enc}(\mathsf {msk}, x, 1),\mathsf {Enc}(\mathsf {msk}, y, 2)) = f(x,y)\big ] \ge 1- {\mathsf {neg}}(\lambda ), \end{aligned}$$

where $\mathsf {msk}\leftarrow \mathsf {Setup}(1^{\lambda })$, $\mathsf {sk}_f \leftarrow \mathsf {KG}(\mathsf {msk}, f)$, and the probability is taken over the internal randomness of $\mathsf {Setup}, \mathsf {Enc}$, and $\mathsf {KG}$.

Intuitively, we say that a two-input scheme is secure if for any two pairs of messages $(x_{0},x_{1})$ and $(y_{0}, y_{1})$ that are encrypted with respect to indices $\mathsf {i}=1$ and $\mathsf {i}=2$, respectively, and for every pair of functions $(f_0, f_1)$, the triplets $(\mathsf {sk}_{f_0}, \mathsf {Enc}(\mathsf {msk}, x_0, 1),\mathsf {Enc}(\mathsf {msk}, y_0, 2))$ and $(\mathsf {sk}_{f_1}, \mathsf {Enc}(\mathsf {msk}, x_1, 1), \mathsf {Enc}(\mathsf {msk}, y_1, 2))$ are computationally indistinguishable as long as $f_0(x_{0},y_0) = f_1(x_1, y_1)$ (note that this considers both message privacy and function privacy). The formal notions of security build upon this intuition and capture the fact that an adversary may in fact hold many functional keys and ciphertexts and may combine them in an arbitrary manner. As in the case of single-input schemes, we formalize our notions of security using left-or-right key-generation and encryption oracles. Specifically, for each $b\in \{ 0,1 \}$ and $\mathsf {i}\in \{1,2\}$ we let $\mathsf {KG}_b(\mathsf {msk}, f_0, f_1)\mathop {=}\limits ^\mathsf{def} \mathsf {KG}(\mathsf {msk}, f_b)$ and $\mathsf {Enc}_b(\mathsf {msk},(m_0,m_1),\mathsf {i}) \mathop {=}\limits ^\mathsf{def} \mathsf {Enc}(\mathsf {msk},m_b,\mathsf {i})$. Before formalizing our notions of security we define the notion of a valid two-input adversary.

Definition 2.6

(Valid two-input adversary) A probabilistic polynomial-time algorithm ${\mathcal {A}}$ is a valid two-input adversary if for all private-key two-input functional encryption schemes $\Pi = (\mathsf {Setup},\mathsf {KG},\mathsf {Enc},\mathsf {Dec})$ over a message space $\mathcal {X}\times \mathcal {Y}= \{\mathcal {X}_\lambda \}_{\lambda \in \mathbb {N}}\times \{\mathcal {Y}_\lambda \}_{\lambda \in \mathbb {N}}$ and a function space $\mathcal {F}= \{\mathcal {F}_\lambda \}_{\lambda \in \mathbb {N}}$, for all $\lambda \in \mathbb {N}$ and $b\in \{ 0,1 \}$, and for all $(f_0,f_1)\in \mathcal {F}_\lambda $, $((x_0, x_1),1)\in \mathcal {X}_\lambda \times \mathcal {X}_\lambda \times \{1\}$ and $((y_0, y_1),1)\in \mathcal {Y}_\lambda \times \mathcal {Y}_\lambda \times \{2\}$ with which ${\mathcal {A}}$ queries the left-or-right key-generation and encryption oracles, respectively, it holds that $f_0(x_0,y_0) = f_1(x_1,y_1)$.

We consider two notions of security for two-input functional encryption schemes, both of which combine message privacy and function privacy. The first notion, full security, considers adversaries that have adaptive access to both the encryption oracle and the key-generation oracle. The second notion, selective-message security, considers adversaries that must specify all of their encryption queries in advance, but can then have adaptive access to the key-generation oracle. Full security clearly implies selective-message security, and our work shows that the two notions are in fact equivalent for multi-input schemes.

Definition 2.7

(Full security) A private-key two-input functional encryption scheme $\Pi = (\mathsf {Setup},\mathsf {KG},\mathsf {Enc},\mathsf {Dec})$ over a message space $\mathcal {X}\times \mathcal {Y}= \{\mathcal {X}_\lambda \}_{\lambda \in \mathbb {N}}\times \{\mathcal {Y}_\lambda \}_{\lambda \in \mathbb {N}}$ and a function space $\mathcal {F}= \{\mathcal {F}_\lambda \}_{\lambda \in \mathbb {N}}$ is fully secure if for any valid two-input adversary ${\mathcal {A}}$ there exists a negligible function ${\mathsf {neg}}(\cdot )$ such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {full2FE}}_{\Pi ,\mathcal {F},{\mathcal {A}}} \mathop {=}\limits ^\mathsf{def} \left| \Pr \left[ \mathsf {Exp}^{\mathsf {full2FE}}_{\Pi , \mathcal {F}, {\mathcal {A}}}(\lambda ) = 1 \right] - \frac{1}{2} \right| \le {\mathsf {neg}}(\lambda ), \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$, where the random variable $\mathsf {Exp}^{\mathsf {full2FE}}_{\Pi , \mathcal {F}, {\mathcal {A}}}(\lambda )$ is defined via the following experiment:

1.
$\mathsf {msk}\leftarrow \mathsf {Setup}(1^{\lambda })$, $b\leftarrow \{ 0,1 \}$.
2.
$b' \leftarrow {\mathcal {A}}^{\mathsf {KG}_b(\mathsf {msk},\cdot ,\cdot ),\mathsf {Enc}_b(\mathsf {msk},(\cdot ,\cdot ),\cdot )}\left( 1^{\lambda },\right) $.
3.
If $b' = b$ then output 1, and otherwise output 0.

Definition 2.8

(Selective-message security) A private-key two-input functional encryption scheme $\Pi = (\mathsf {Setup}, \mathsf {KG}, \mathsf {Enc}, \mathsf {Dec})$ over a message space $\mathcal {X}\times \mathcal {Y}= \{\mathcal {X}_\lambda \}_{\lambda \in \mathbb {N}}\times \{\mathcal {Y}_\lambda \}_{\lambda \in \mathbb {N}}$ and a function space $\mathcal {F}= \{\mathcal {F}_\lambda \}_{\lambda \in \mathbb {N}}$ is selective-message secure if for any valid two-input adversary ${\mathcal {A}}= ({\mathcal {A}}_1, {\mathcal {A}}_2)$ there exists a negligible function ${\mathsf {neg}}(\lambda )$ such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {sel2FE}}_{\Pi ,\mathcal {F},{\mathcal {A}}} \mathop {=}\limits ^\mathsf{def} \left| \Pr \left[ \mathsf {Exp}^{\mathsf {sel2FE}}_{\Pi , \mathcal {F}, {\mathcal {A}}}(\lambda ) = 1 \right] - \frac{1}{2} \right| \le {\mathsf {neg}}(\lambda ), \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$, where the random variable $\mathsf {Exp}^{\mathsf {sel2FE}}_{\Pi , \mathcal {F}, {\mathcal {A}}}(\lambda )$ is defined via the following experiment:

1.
$\left( \vec {x},\vec {y},\mathsf {state}\right) \leftarrow {\mathcal {A}}_1^{}\left( 1^{\lambda }\right) $, where $\vec {x} = ((x^0_{1},x^1_1), \ldots , (x^0_{T},x^1_T))$ and $\vec {y} = ((y^0_{1},y^1_1), \ldots , (y^0_{T},y^1_T))$.
2.
$\mathsf {msk}\leftarrow \mathsf {Setup}(1^{\lambda })$, $b\leftarrow \{ 0,1 \}$.
3.
$\mathsf {ct}_{1,i} \leftarrow \mathsf {Enc}(\mathsf {msk}, x^{b}_{i}, 1)$ and $\mathsf {ct}_{2,i} \leftarrow \mathsf {Enc}(\mathsf {msk}, y^{b}_{i}, 2)$ for $i\in [T]$.
4.
$b' \leftarrow {\mathcal {A}}_2^{\mathsf {KG}_b(\mathsf {msk},\cdot ,\cdot )}\left( 1^{\lambda }, \mathsf {ct}_{1,1}, \ldots ,\mathsf {ct}_{1,T},\mathsf {ct}_{2,1}\ldots , \mathsf {ct}_{2,T},\mathsf {state}\right) $.
5.
If $b' = b$ then output 1, and otherwise output 0.

Our definitions of a two-input functional encryption scheme is inspired by the definition of [12]. It is a natural generalization of the single-input case and gives rise to an order-revealing encryption. Moreover, as a concrete motivation, a t-input scheme according to the above definition is enough to construct indistinguishability obfuscation for circuits with t input bits [21].^{Footnote 9}

Additional natural ways to define two-input functional encryptions schemes exist. Specifically, Goldwasser et al. [21] considered two such definitions. The first allows to encrypt a message m independently of an index $i\in [2]$. Thus, given a key for a two-input function f and encryptions of two messages x and of y, one can compute both f(x, y) and f(y, x). A construction which satisfies our (indexed) definition can be easily transformed into one which satisfies the above (non-indexed) definition by encrypting each message with respect to both indices.

The second, referred to as “multi-client,” considers each index as a different “client” and gives each of them his own secret key. In this setting, their security game is quite different, and in particular, an adversary is allowed to obtain the secret keys of a subset of the clients of his choice. The approach underlying our schemes does not seem to directly extend to the multi-client setting, and we leave it as an interesting path for future exploration.

3 A Selectively Secure Two-Input Scheme from any Single-Input Scheme

In this section we construct a private-key two-input functional encryption scheme that is selectively secure. Let $\mathcal {F}= \{ \mathcal {F}_{\lambda } \}_{\lambda \in \mathbb {N}}$ be a family of two-ary functionalities, where for every $\lambda \in \mathbb {N}$ the set $\mathcal {F}_{\lambda }$ consists of functions of the form $f : \mathcal {X}_{\lambda } \times \mathcal {Y}_{\lambda } \rightarrow \mathcal {Z}_{\lambda }$. Our construction relies on the following building blocks:

1.
A private-key single-input functional encryption scheme $\mathsf {1FE}= ({\mathsf {1FE}\mathsf {.S}}, {\mathsf {1FE}\mathsf {.KG}}, {\mathsf {1FE}\mathsf {.E}}, {\mathsf {1FE}\mathsf {.D}})$.
2.
A pseudorandom function family $\mathsf {PRF}= (\mathsf {PRF.Gen}, \mathsf {PRF.Eval})$.

As discussed in Sect. 1.1, we assume that the scheme $\mathsf {1FE}$ is sufficiently expressive in the sense that $\mathsf {1FE}$ supports the function family $\mathcal {F}$ (when viewed as a family of single-input functions), the evaluation procedure of the pseudorandom function family $\mathsf {PRF}$, the encryption and key-generation procedures of the private-key functional encryption scheme $\mathsf {1FE}$, and a few additional basic operations. Our scheme $\mathsf {2FE^{sel}}= ({\mathsf {2FE^{sel}}\mathsf {.S}}, {\mathsf {2FE^{sel}}\mathsf {.KG}}, {\mathsf {2FE^{sel}}\mathsf {.E}}, {\mathsf {2FE^{sel}}\mathsf {.D}})$ is defined as follows.

The setup algorithm. On inputting the security parameter $1^{\lambda }$ the setup algorithm ${\mathsf {2FE^{sel}}\mathsf {.S}}$ samples $\mathsf {msk_{out}}\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^{\lambda })$ and $\mathsf {msk_{in}}\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^{\lambda })$ and outputs $\mathsf {msk}= (\mathsf {msk_{out}},\mathsf {msk_{in}})$.
The key-generation algorithm. On inputting the master secret key $\mathsf {msk}$ and a function $f \in \mathcal {F}_{\lambda }$, the key-generation algorithm ${\mathsf {2FE^{sel}}\mathsf {.KG}}$ samples a random string $z\leftarrow \{ 0,1 \}^\lambda $ and outputs $\mathsf {sk}_{f} \leftarrow {\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk_{out}}, {D_{f,\bot ,z,\bot }})$, where $D_{f,\bot ,z,\bot }$ is a single-input function that is defined in Fig. 2.
The encryption algorithm. On inputting the master secret key $\mathsf {msk}$, a message m, and an index $\mathsf {i}\in [2]$, the encryption algorithm ${\mathsf {2FE^{sel}}\mathsf {.E}}$ has two cases:
- If $(m,\mathsf {i}) = (x,1)$, it samples a master secret key $\mathsf {msk}^\mathsf {\star }\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, a PRF key $K\leftarrow \mathsf {PRF.Gen}(1^{\lambda })$, and a random string $s\in \{ 0,1 \}^\lambda $ and then outputs a pair $(\mathsf {ct}_1, \mathsf {sk}_1)$ defined as follows:
  $$\begin{aligned} \mathsf {ct}_1\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }, K, 0))\\ \mathsf {sk}_1\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk_{in}}, \mathsf {AGG}_{x,\bot ,0,s,\mathsf {msk}^\mathsf {\star },K}), \end{aligned}$$
  where $\mathsf {AGG}_{x,\bot ,0,s,\mathsf {msk}^\mathsf {\star },K}$ is a single-input function that is defined in Fig. 3.
- If $(m,\mathsf {i}) = (y,2)$, it samples a random string $t\in \{ 0,1 \}^\lambda $, and outputs
  $$\begin{aligned} \mathsf {ct}_2 \leftarrow {\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{in}}, (y,\bot ,t, \bot ,\bot )). \end{aligned}$$
The decryption algorithm. On inputting a functional key $\mathsf {sk}_f$ and two ciphertexts, $(\mathsf {ct}_1, \mathsf {sk}_1)$ and $\mathsf {ct}_2$, the decryption algorithm ${\mathsf {2FE^{sel}}\mathsf {.D}}$ computes $\mathsf {ct}' = {\mathsf {1FE}\mathsf {.D}}(\mathsf {sk}_1, \mathsf {ct}_2)$, $\mathsf {sk}' = {\mathsf {1FE}\mathsf {.D}}(\mathsf {sk}_f, \mathsf {ct}_1)$ and outputs ${\mathsf {1FE}\mathsf {.D}}(\mathsf {sk}', \mathsf {ct}')$.

The correctness of the above scheme with respect to any family of two-ary functionalities follows in a straightforward manner from the correctness of the underlying functional encryption scheme $\mathsf {1FE}$. Specifically, consider any pair of messages x and y and any function f. The encryption of x with respect to the index $\mathsf {i}=$1 and the encryption of y with respect to the index $\mathsf {i}=2$ result in ciphertexts $(\mathsf {ct}_1,\mathsf {sk}_1)$ and $\mathsf {ct}_2$, respectively. Using the correctness of the scheme $\mathsf {1FE}$, by executing ${\mathsf {1FE}\mathsf {.D}}(\mathsf {sk}_1,\mathsf {ct}_2)$ we obtain an encryption $\mathsf {ct}'$ of the message (x, y) under the key $\mathsf {msk}^\mathsf {\star }$. In addition, by executing ${\mathsf {1FE}\mathsf {.D}}(\mathsf {sk}_f,\mathsf {ct}_1)$ we obtain a functional key $\mathsf {sk}'$ for $C_{f}$ under the key $\mathsf {msk}^\mathsf {\star }$. Therefore, executing ${\mathsf {1FE}\mathsf {.D}}(\mathsf {sk}',\mathsf {ct}')$ outputs the value $C_f((x, y)) = f(x,y)$ as required.

The following theorem captures the security of the scheme, stating that under suitable assumptions on the underlying building blocks, the two-input scheme $\mathsf {2FE^{sel}}$ is selective-message secure (see Definition 2.8).

Theorem 3.1

Assuming that (1) $\mathsf {1FE}$ is fully secure, and (2) $\mathsf {PRF}$ is a pseudorandom function family, then $\mathsf {2FE^{sel}}$ is selective-message secure.

We note that for proving that $\mathsf {2FE^{sel}}$ is selective-message secure it suffices to require selective-message security from $\mathsf {1FE}$. However, given the generic transformations of Ananth et al. [3] (from selective security to adaptive security) and of Brakerski and Segev [16] (from message security to full security), for simplifying the proof of Theorem 3.1 we assume that $\mathsf {1FE}$ is fully secure. In addition, when assuming that $\mathsf {1FE}$ is fully secure, the scheme $\mathsf {2FE^{sel}}$ can be shown to satisfy a notion of security that seems in between selective-message security and full security. Specifically, this notion considers adversaries that first have adaptive access to encryptions only for the first coordinate, and then have adaptive access to encryptions only for the second coordinate (while having adaptive access to the key-generation oracle throughout the experiment). However, given our generic transformation from selective-message security to full security for multi-input schemes (see Sect. 4), for simplifying the proof of Theorem 3.1 we focus on proving selective-message security.

In addition, for concreteness we focus on the unbounded case where the underlying scheme supports an unbounded (i.e., not fixed in advance) number of key-generation queries and encryption queries. More generally, the proof of Theorem 3.1 shows that if the scheme corresponding to $\mathsf {msk_{out}}$ supports $T_1$ encryption queries and $T_2$ key-generation queries, the scheme corresponding to $\mathsf {msk_{in}}$ supports $T_3$ encryption queries and $T_4$ key-generation queries, and the scheme corresponding to each $\mathsf {msk}^\mathsf {\star }$ supports $T_5$ encryption queries and $T_6$ key-generation queries, then the resulting scheme $\mathsf {2FE^{sel}}$ supports $\min \{T_1,T_4,T_5\}$ encryption queries with respect to index $\mathsf {i}= 1$, $\min \{T_3, T_5\}$ encryption queries with respect to index $\mathsf {i}= 2$, and $\min \{T_2,T_6\}$ key-generation queries. When the polynomials $T_1,\ldots ,T_6$ are known in advance (i.e., do not depend on the adversary), such schemes are known to exist based on the LWE assumption or even only one-way functions (see Sect. 2.2 for a more detailed discussion of the existing schemes).

Proof of Theorem 3.1

Let ${\mathcal {A}}=({\mathcal {A}}_1,{\mathcal {A}}_2)$ be a valid adversary that issues at most $T_1 = T_1(\lambda )$ encryption queries with respect to index $\mathsf {i}=1$, at most $T_2 = T_2(\lambda )$ encryption queries with respect to index $\mathsf {i}=2$, and at most $T_3=T_3(\lambda )$ key-generation queries (note that $T_1$, $T_2$, and $T_3$ may be any polynomials and are not fixed in advance). We assume for simplicity and without loss of generality that $T_1=T_2=T_3\mathop {=}\limits ^\mathsf{def} T$.

We present a sequence of experiments and upper bound ${\mathcal {A}}$’s advantage in distinguishing each two consecutive experiments. The first experiment is the experiment $\mathsf {Exp}^{\mathsf {sel2FE}}_{\mathsf {2FE^{sel}}, \mathcal {F}, {\mathcal {A}}}(\lambda )$ (see Definition 2.8), and the last experiment is completely independent of the bit b. This enables us to prove that there exists a negligible function ${\mathsf {neg}}(\cdot )$ such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {sel2FE}}_{\mathsf {2FE^{sel}}, \mathcal {F}, {\mathcal {A}}}(\lambda ) \mathop {=}\limits ^\mathsf{def} \left| \Pr \left[ \mathsf {Exp}^{\mathsf {sel2FE}}_{\mathsf {2FE^{sel}}, \mathcal {F}, {\mathcal {A}}}(\lambda ) = 1 \right] - \frac{1}{2} \right| \le {\mathsf {neg}}(\lambda ) \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$. In what follows we first describe the notation used throughout the proof and then describe the experiments.

Notation. We denote the ${i}{\mathrm{th}}$ ciphertext with respect to $\mathsf {i}=1$ by $(\mathsf {sk}_{1,i},\mathsf {ct}_{1,i})$ and the ${i}{\mathrm{th}}$ ciphertext with respect to $\mathsf {i}=2$ by $\mathsf {ct}_{2,i}$. We denote the ${i}{\mathrm{th}}$ input pair corresponding to the index $\mathsf {i}=1$ by $(x^0_i,x^1_i)$, the random strings used for generating the resulting $\mathsf {sk}_{1,i}$ by $s_i$, the master secret key and the PRF key used for generating the resulting $\mathsf {ct}_{1,i}$ and $\mathsf {sk}_{1,i}$ by $\mathsf {msk}^\mathsf {\star }_i$ and $K_i$, respectively. We denote the ${i}{\mathrm{th}}$ input pair corresponding to the index $\mathsf {i}=2$ by $(y^0_i,y^1_i)$, and the randomness used for generating the resulting $\mathsf {ct}_{2,i}$ by $t_i$. Finally, we denote by $(f^0_1, f^1_1),\ldots ,(f^0_T, f^1_T)$ the function pairs with which the adversary queries the key-generation oracle and by $z_1,\ldots ,z_T$ the corresponding random strings used for generating $\mathsf {sk}_{f_1}, \ldots , \mathsf {sk}_{f_T}$.

For ease of following the proof, we give an outline of the sequence of experiments. By $\sim $ we denote computational indistinguishability and by $\equiv $ we denote equivalence.

$$\begin{aligned}&\mathcal {H}^{(0)}(\lambda ) \sim \mathcal {H}^{(1)}(\lambda ) \sim \mathcal {H}^{(2)}(\lambda ) \equiv \\&\mathcal {H}^{(3,1)}(\lambda ) \sim \mathcal {H}^{(4,1)}(\lambda ) \sim \mathcal {H}^{(5,1)}(\lambda ) \sim \cdots \sim \mathcal {H}^{(9,1)}(\lambda ) \sim \mathcal {H}^{(10,1)}(\lambda ) \equiv \\&\mathcal {H}^{(3,2)}(\lambda ) \sim \mathcal {H}^{(4,2)}(\lambda ) \sim \mathcal {H}^{(5,2)}(\lambda ) \sim \cdots \sim \mathcal {H}^{(9,2)}(\lambda ) \sim \mathcal {H}^{(10,2)}(\lambda ) \equiv \\&\qquad \qquad \cdots \\&\mathcal {H}^{(3,T)}(\lambda ) \sim \mathcal {H}^{(4,T)}(\lambda ) \sim \mathcal {H}^{(5,T)}(\lambda ) \sim \cdots \sim \mathcal {H}^{(9,T)}(\lambda ) \sim \mathcal {H}^{(10,T)}(\lambda ) \equiv \\&\mathcal {H}^{(3,T+1)}(\lambda ) \sim \mathcal {H}^{(11)}(\lambda ) \sim \mathcal {H}^{(12)}(\lambda ). \end{aligned}$$

Furthermore, we use boxes to highlight the differences between an experiment and the previous one.

Experiment $\varvec{\mathcal {H}^{(0)}{(\lambda )}}$. This is the original experiment corresponding to $b\leftarrow \{ 0,1 \}$ chosen uniformly at random, namely $\mathsf {Exp}^{\mathsf {sel2FE}}_{\mathsf {2FE^{sel}}, \mathcal {F}, {\mathcal {A}}}(\lambda )$. In this experiment the encryptions are generated as follows.

Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 0))\\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,\bot ,0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, (y^b_i,\bot ,t_i, \bot ,\bot )\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,\bot ,z_i,\bot }}\right) \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(1)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(0)}(\lambda )$ by modifying the encryptions as follows. Given inputs $(x^0_i,x^1_i)$ and $(y^0_i,y^1_i)$, instead of setting the field $x_1$ and $y_1$ to be $\bot $ we set it to be $x^1_i$ and $y^1_i$, respectively. The scheme has the following form:

Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 0)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,\boxed {x^1_i},0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, (y^b_i,\boxed {y^1_i},t_i, \bot ,\bot )\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,\bot ,z_i,\bot }}\right) \end{aligned}$$

Note that all the tokens that are issued as part of the encryption according to $\mathsf {i}= 1$ are generated with $a=0$ (where a is the third hardwired item). Thus, the circuit $\mathsf {AGG}_{x_0,x_1,a,s,\mathsf {msk}^\mathsf {\star },K}$ always sets $x = x^b_i$ and $y = y^b_i$ and ignores $x^1_i$ and $y^1_i$ (see Fig. 3). Thus, the security of the underlying scheme $\mathsf {1FE}$ guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(0)}$ and $\mathcal {H}^{(1)}$. Specifically, let $\mathcal {F}'$ denote the family of functions $\mathsf {AGG}_{x_0,x_1,a,s,\mathsf {msk}^\mathsf {\star },K}$ (as defined in Fig. 3). In “Appendix B.1” we prove the following claim: $\square $

Claim 3.2

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(0) \rightarrow (1)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(0)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(1)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(0) \rightarrow (1)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(2)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(1)}(\lambda )$ by modifying the functional keys as follows. Given inputs $(f^0,f^1)$, instead of setting the fields $f_1,f_2$ to be $f^b,\bot $ we set it to be $f^b,f^1$. The scheme has the following form:

Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 0)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,{x^1_i},0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, (y^b_i,{y^1_i},t_i, \bot ,\bot )\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,\boxed {f^1_i},z_i,\bot }}\right) \end{aligned}$$

Note that all the ciphertexts that are issued as part of the encryption according to $\mathsf {i}= 1$ are generated with $w=0$ (where w is the third hardwired item in $\mathsf {ct}_{1}$). Thus, the circuit $D_{f_0,f_1,z_i,u}$ always sets $f = f^b_i$ and ignores $f^1_i$ (see Fig. 2). Thus, the security of the underlying scheme $\mathsf {1FE}$ (with respect to $\mathsf {msk_{out}}$) guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(1)}$ and $\mathcal {H}^{(2)}$. Specifically, let $\mathcal {F}''$ denote the family of functions $D_{f_0,f_1,z_i,u}$ (as defined in Fig. 2). In “Appendix B.1” we prove the following claim:

Claim 3.3

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(1) \rightarrow (2)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(1)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(2)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}'', {\mathcal {B}}^{(1) \rightarrow (2)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(3,j)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(2)}(\lambda )$ by modifying the encryptions as follows. The first $j-1$ ciphertexts are generated such that $a=1$ and $w=1$, while the rest of the encryptions are generated as before.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, \boxed {1}\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,\boxed {1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, (y^b_i,y^1_i,t_i, \bot ,\bot )\right) \end{aligned}$$
Ciphertexts ($i=j,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 0)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, \bot ,\bot \right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,f^1_i,z_i,\bot }}\right) \end{aligned}$$

Notice that $\mathcal {H}^{(3,1)}= \mathcal {H}^{(2)}$.

Experiment $\varvec{\mathcal {H}^{(4,j)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(3,j)}(\lambda )$ by modifying the ${j}{\mathrm{th}}$ ciphertext to not include the master secret key $\mathsf {msk}^\mathsf {\star }_j$ and the PRF key ${K_j}$ (that is, we replace them with $\bot $’s). Moreover, for every $i\in [T]$ in the ${i}{\mathrm{th}}$ ciphertext corresponding to $\mathsf {i}= 2$ we hardwire the pair $(s_j,\gamma _i)$, where $\gamma _i = {\mathsf {1FE}\mathsf {.E}}(\mathsf {msk}^\mathsf {\star }_j, (x^b_j, y^b_i) ; \mathsf {PRF.Eval}(K_j, t_i))$.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 1)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,{1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,x^1_i,t_i, \boxed {s_j,\gamma _i}\right) \right) \\&\gamma _i = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, (x^b_j, y^b_i) ; \mathsf {PRF.Eval}(K_j, t_i)\right) \end{aligned}$$
Ciphertext ($i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 0)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,0,s_i,\boxed {\bot },\boxed {\bot }}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, \boxed {s_j,\gamma _i}\right) \right) \\&\gamma _i = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, (x^b_j, y^b_i) ;\right. \\&\quad \left. \mathsf {PRF.Eval}(K_j, t_i)\right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 0)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, \boxed {s_j,\gamma _i}\right) \right) \\&\gamma _i = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, (x^b_j, y^b_i) ;\ \mathsf {PRF.Eval}(K_j, t_i)\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,f^1_i,z_i,\bot }}\right) \end{aligned}$$

We observe that the only combinations that are affected by this change are combinations that include the ${j}{\mathrm{th}}$ ciphertext corresponding to $\mathsf {i}= 1$. However, using the hardwired values $\gamma _i$ for $i\in [T]$ the functionalities stay the same. Thus, the security of the underlying $\mathsf {1FE}$ scheme guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(3,j)}$ and $\mathcal {H}^{(4,j)}$. In “Appendix B.1” we prove the following claim:

Claim 3.4

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(3,j) \rightarrow (4,j)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(3,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(4,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(3,j) \rightarrow (4,j)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(5,j)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(4,j)}(\lambda )$ by modifying the ${j}{\mathrm{th}}$ ciphertext as follows. We replace $(\mathsf {msk}^\mathsf {\star }_j,K_j, 0)$ with $(\bot , \bot , 0)$. Moreover, in the ${i}{\mathrm{th}}$ functional key corresponding to the functions $(f^0_i,f^1_i)$ we hardwire the value $\delta _i = {\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}^\mathsf {\star }_j, C_{f^b_i}; \mathsf {PRF.Eval}(K_j, z_i))$.

Ciphertexts $\left( i=1,\ldots ,j-1\right) $:
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 1)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,{1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, {s_j,\gamma _i}\right) \right) \\&\gamma _i = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, (x^b_j, y^b_i) ; \mathsf {PRF.Eval}(K_j, t_i)\right) \end{aligned}$$
Ciphertext ($i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \boxed {\bot , \bot }, 0\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,0,s_i,{\bot },{\bot }}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, {s_j,\gamma _i})\right) \\&\gamma _i = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, (x^b_j, y^b_i) ;\right. \\&\left. \mathsf {PRF.Eval}(K_j, t_i)\right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 0)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, (y^b_i,y^1_i,t_i, {s_j,\gamma _i})\right) \\&\gamma _i = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, (x^b_j, y^b_i) ; \mathsf {PRF.Eval}(K_j, t_i)\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}&\leftarrow {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,f^1_i,z_i,\boxed {\delta _i}}}\right) \\&\delta _i = {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}^\mathsf {\star }_j, C_{f^b_i} ; \mathsf {PRF.Eval}(K_j, z_i)\right) \end{aligned}$$

We observe that the only combinations that are affected by this change are combinations that include the ${j}{\mathrm{th}}$ ciphertext corresponding to $\mathsf {i}= 1$. However, using the hardwired value $\delta $ the functionality stays the same. Thus, the security of the underlying scheme $\mathsf {1FE}$ guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(4,j)}$ and $\mathcal {H}^{(5,j)}$. In “Appendix B.1” we prove the following claim:

Claim 3.5

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(4,j) \rightarrow (5,j)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(4,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(5,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(4,j) \rightarrow (5,j)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(6,j)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(5,j)}(\lambda )$ by modifying the hardwired values $\gamma _1,\ldots ,\gamma _T$ and $\delta _1,\ldots ,\delta _T$ to use randomness sampled uniformly at random rather than randomness generated using a PRF.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 1)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,{1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, (y^b_i,y^1_i,t_i, {s_j,\gamma _i})\right) \\&\boxed {\gamma _i} = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, (x^b_j, y^b_i)\right) \end{aligned}$$
Ciphertext ($i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, ({\bot , \bot , 0})\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,0,s_i,{\bot },{\bot }}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, {s_j,\gamma _i}\right) \right) \\&\boxed {\gamma _i} = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, (x^b_j, y^b_i)\right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 0)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, (y^b_i,y^1_i,t_i, {s_j,\gamma _i})\right) \\&\boxed {\gamma _i} = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, (x^b_j, y^b_i)\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}&\leftarrow {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,f^1_i,z_i,{\delta _i}}}\right) \\&\boxed {\delta _i} = {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}^\mathsf {\star }_j, C_{f^b_i}\right) \end{aligned}$$

The pseudorandomness of $\mathsf {PRF.Eval}(K_j, \cdot )$ guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(5,j)}$ and $\mathcal {H}^{(6,j)}$. In “Appendix B.1” we prove the following claim:

Claim 3.6

For every $j\in [T]$ there exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(5,j)\rightarrow (6,j)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(5,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(6,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}_{\mathsf {PRF}, {\mathcal {B}}^{(5,j)\rightarrow (6,j)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(7,j)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(6,j)}(\lambda )$ by modifying the ciphertext as follows. In the ${i}{\mathrm{th}}$ ciphertext corresponding to $\mathsf {i}= 2$ we embed in $\gamma _i$ the encryption of $(x^1_j, y^1)$ rather than $(x^b_j, y^b)$. Moreover, we replace the circuit embedded in $\delta _i$ in the ${i}{\mathrm{th}}$ functional key to be $C_{f^1_i}$ rather than $C_{f^b_i}$.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 1)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,{1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, (y^b_i,y^1_i,t_i, {s_j,\gamma _i})\right) \\&{\gamma _i} = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, \boxed {(x^1_j, y^1_i)}\right) \end{aligned}$$
Ciphertext ($i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, ({\bot , \bot , 0})\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,0,s_i,{\bot },{\bot }}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, {s_j,\gamma _i}\right) \right) \\&{\gamma _i} = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, \boxed {(x^1_j, y^1_i)}\right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, 0\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, {s_j,\gamma _i}\right) \right) \\&{\gamma _i} = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, \boxed {(x^1_j, y^1_i)}\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}&\leftarrow {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,f^1_i,z_i,{\delta _i}}}\right) \\&{\delta _i} = {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}^\mathsf {\star }_j, \boxed {C_{f^1_i}}\right) \end{aligned}$$

The above change only affects evaluations that correspond to the combination of any ciphertext corresponding to $\mathsf {i}=2$ with the ${j}{\mathrm{th}}$ ciphertext corresponding to $\mathsf {i}=1$. Using the fact that the adversary is valid (see Definition 2.6), the functionality stays exactly the same. Thus, the security of the underlying scheme $\mathsf {1FE}$ guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(6,j)}$ and $\mathcal {H}^{(7,j)}$. In “Appendix B.1” we prove the following claim:

Claim 3.7

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(6,j) \rightarrow (7,j)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(6,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(7,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(6,j) \rightarrow (7,j)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(8,j)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(7,j)}(\lambda )$ by modifying the hardwired values $\gamma _1,\ldots ,\gamma _T$ and $\delta _1,\ldots ,\delta _T$ to use randomness generated using a PRF rather than randomness sampled uniformly at random.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 1)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,{1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, {s_j,\gamma _i}\right) \right) \\&\boxed {\gamma _i} = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, (x^1_j, y^1_i) ; \mathsf {PRF.Eval}(K_j, t_i)\right) \end{aligned}$$
Ciphertext ($i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, ({\bot , \bot , 0})\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,0,s_i,{\bot },{\bot }}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, {s_j,\gamma _i}\right) \right) \\&\boxed {\gamma _i} = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, {(x^1_j, y^1_i)} ; \mathsf {PRF.Eval}(K_j, t_i)\right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 0)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, {s_j,\gamma _i}\right) \right) \\&\boxed {\gamma _i} = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, {(x^1_j, y^1_i)}; \mathsf {PRF.Eval}(K_j, t_i)\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}&\leftarrow {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,f^1_i,z_i,{\delta _i}}}\right) \\&\boxed {\delta _i} = {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}^\mathsf {\star }_j, C_{f^1_i} ; \mathsf {PRF.Eval}(K_j, z_i)\right) \end{aligned}$$

The pseudorandomness of $\mathsf {PRF.Eval}(K_j, \cdot )$ guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(7,j)}$ and $\mathcal {H}^{(8,j)}$. The proof of the following claim is analogous to the proof of Claim 3.6.

Claim 3.8

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(7,j) \rightarrow (8,j)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(7,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(8,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}_{\mathsf {PRF}, {\mathcal {B}}^{(7,j)\rightarrow (8,j)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(9,j)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(8,j)}(\lambda )$ by modifying the ${j}{\mathrm{th}}$ ciphertext to contain the pair $(\mathsf {msk}^\mathsf {\star }_j,K_j,1)$. Moreover, in the functional key corresponding to the function $f_i$ for $i\in [T]$ we remove the hardwired value $\delta _i$.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i,1)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,{1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, {s_j,\gamma _i}\right) \right) \\&{\gamma _i} = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, (x^1_j, y^1_i) ; \mathsf {PRF.Eval}(K_j, t_i)\right) \end{aligned}$$
Ciphertext ($i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \boxed {\mathsf {msk}^\mathsf {\star }_i, K_i, 1}\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,0,s_i,{\bot },{\bot }}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, {s_j,\gamma _i}\right) \right) \\&{\gamma _i} = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, {(x^1_j, y^1_i)} ; \mathsf {PRF.Eval}(K_j, t_i)\right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i,0\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, {s_j,\gamma _i}\right) \right) \\&{\gamma _i} = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, {(x^1_j, y^1_i)}; \mathsf {PRF.Eval}(K_j, t_i)\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}&\leftarrow {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,f^1_i,z_i,\boxed {\bot }}}\right) \end{aligned}$$

We observe that the only combinations that are affected by this change are combinations that include the ${j}{\mathrm{th}}$ ciphertext corresponding to $\mathsf {i}= 1$. However, using the fact that we replace $(\bot ,\bot )$ in $\mathsf {ct}_{1,j}$ with $(\mathsf {msk}^\mathsf {\star }_j, K_j)$ and remove the hardwired values $\delta _i$ the functionality stays the same. Thus, the security of the underlying scheme $\mathsf {1FE}$ guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(8,j)}$ and $\mathcal {H}^{(9,j)}$. The proof of the following claim is analogous to the proof of Claim 3.5.

Claim 3.9

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(8,j) \rightarrow (9,j)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(8,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(9,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(8,j) \rightarrow (9,j)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(10,j)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(9,j)}(\lambda )$ by modifying the ciphertexts as follows. For the ${i}{\mathrm{th}}$ ciphertext corresponding to $\mathsf {i}= 2$ we remove the hardwired pair $(s_j,\gamma _i)$. Moreover, we encrypt the ${j}{\mathrm{th}}$ ciphertext corresponding to $\mathsf {i}=1$ with $2=1$. Notice that $\mathcal {H}^{(10,j)} = \mathcal {H}^{(3,j+1)}$.

Ciphertexts $\left( i=1,\ldots ,\boxed {j}\right) $:
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 1)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,{1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, \boxed {\bot ,\bot }\right) \right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 0)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, \boxed {\bot ,\bot }\right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}&\leftarrow {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,f^1_i,z_i,{\bot }}}\right) \end{aligned}$$

We observe that the only combinations that are affected by this change are combinations that include the ${j}{\mathrm{th}}$ ciphertext corresponding to $\mathsf {i}= 1$. However, since the hardwired values $\gamma _i$ for $i\in [T]\cup \{0\}$ preserved the functionalities when $a=1$ for the ${j}{\mathrm{th}}$ ciphertext, when we remove them and add back $\mathsf {msk}^\mathsf {\star }_j$ and $K_j$ the functionalities stay the same. Thus, the security of the underlying scheme $\mathsf {1FE}$ guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(9,j)}$ and $\mathcal {H}^{(10,j)}$. The proof of the following claim is analogous to the proof of Claim 3.4.

Claim 3.10

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(9,j) \rightarrow (10,j)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(9,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(10,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(9,j) \rightarrow (10,j)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(11)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(3,T+1)}(\lambda )$ by modifying the ciphertexts not to include $f^b_i$ at all.

Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i,1)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_i,x^1_i,{1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( y^b_i,y^1_i,t_i, \bot ,\bot \right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{\boxed {\bot },f^1_i,z_i,\bot }}\right) \end{aligned}$$

We observe that at this point all ciphertexts have $w=1$. Therefore, the first parameter $f^b_i$ is always ignored and the functionalities stay the same. Thus, the security of the underlying $\mathsf {1FE}$ scheme guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(3,T+1)}$ and $\mathcal {H}^{(11)}$. The proof of the following claim is analogous to the proof of Claim 3.3.

Claim 3.11

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(3,T+1) \rightarrow (11)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(3,T+1)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(11)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(3,T+1) \rightarrow (11)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(12)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(11)}(\lambda )$ by modifying the ciphertexts not to include $x^b_i$ and $y^b_i$ at all. Notice that this experiment is completely independent of the bit b, and therefore $\Pr [\mathcal {H}^{(12)}(\lambda ) = 1] = 1/2$.

Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 1)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{\boxed {\bot },x^1_i,{1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( \boxed {\bot },y^1_i,t_i, \bot ,\bot \right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{\bot ,f^1_i,z_i,\bot }}\right) \end{aligned}$$

We observe that at this point all ciphertexts have $w=1$. Therefore, the first parameters $f^b_i$ are always ignored and the functionalities stay the same. Thus, the security of the underlying $\mathsf {1FE}$ scheme guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(11)}$ and $\mathcal {H}^{(12)}$. The proof of the following claim is analogous to the proof of Claim 3.2.

Claim 3.12

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(11) \rightarrow (12)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(11)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(12)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(11) \rightarrow (12)}}(\lambda ). \end{aligned}$$

Finally, putting together Claims 3.2–3.12 with the facts that $\mathcal {H}^{(0)}(\lambda ) = \mathsf {Exp}^{\mathsf {sel2FE}}_{\mathsf {2FE^{sel}}, \mathcal {F}, {\mathcal {A}}}(\lambda )$, $\mathcal {H}^{(2)}(\lambda ) = \mathcal {H}^{(3,1)}(\lambda )$, and $\Pr \left[ \mathcal {H}^{(12)}(\lambda ) = 1\right] = 1/2$, we observe that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {sel2FE}}_{\mathsf {2FE^{sel}},\mathcal {F},{\mathcal {A}}}&\mathop {=}\limits ^\mathsf{def}&\left| \Pr \left[ \mathsf {Exp}^{\mathsf {sel2FE}}_{\mathsf {2FE^{sel}}, \mathcal {F}, {\mathcal {A}}}(\lambda ) = 1 \right] - \frac{1}{2} \right| \\= & {} \left| \Pr \left[ \mathcal {H}^{(0)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(12)}(\lambda ) = 1 \right] \right| \\\le & {} \sum _{i=0}^{1}\left| \Pr \left[ \mathcal {H}^{(i)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(i+1)}(\lambda ) = 1 \right] \right| \\&+ \sum _{i=1}^T \sum _{j=3}^{10} \left| \Pr \left[ \mathcal {H}^{(j,i)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(j+1,i)}(\lambda ) = 1 \right] \right| \\&+ \left| \Pr \left[ \mathcal {H}^{(3,T+1)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(11)}(\lambda ) = 1 \right] \right| \\&+ \left| \Pr \left[ \mathcal {H}^{(11)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(12)}(\lambda ) = 1 \right] \right| \\\le & {} {\mathsf {neg}}(\lambda ) . \end{aligned}$$

4 From Selective to Adaptive Security for Two-Input Schemes

In this section we show how to transform any private-key selective-message secure two-input functional encryption scheme (see Definition 2.8) into a fully secure one (see Definition 2.7). Our construction relies on the following building blocks:

1.
A private-key single-input functional encryption scheme $\mathsf {1FE}= ({\mathsf {1FE}\mathsf {.S}}, {\mathsf {1FE}\mathsf {.KG}}, {\mathsf {1FE}\mathsf {.E}}, {\mathsf {1FE}\mathsf {.D}})$.
2.
A private-key two-input functional encryption scheme $\mathsf {2FE^{sel}}= ({\mathsf {2FE^{sel}}\mathsf {.S}}, {\mathsf {2FE^{sel}}\mathsf {.KG}}, {\mathsf {2FE^{sel}}\mathsf {.E}}, {\mathsf {2FE^{sel}}\mathsf {.D}})$.
3.
A puncturable pseudorandom function family $\mathsf {PRF}= (\mathsf {PRF.Gen}, \mathsf {PRF.Eval},\mathsf {PRF.Punc})$.

We assume that the schemes $\mathsf {1FE}$ and $\mathsf {2FE^{sel}}$ are sufficiently expressive in the sense that they support the function family $\mathcal {F}$ (when viewed as a family of single-input functions), the evaluation procedure of the pseudorandom function family $\mathsf {PRF}$, the setup, encryption and key-generation procedures of the scheme $\mathsf {1FE}$, and a few additional basic operations. The scheme $\mathsf {2FE}= ({\mathsf {2FE}\mathsf {.S}}, {\mathsf {2FE}\mathsf {.KG}}, {\mathsf {2FE}\mathsf {.E}}, {\mathsf {2FE}\mathsf {.D}})$ is defined as follows.

The setup algorithm On inputting the security parameter $1^{\lambda }$ the setup algorithm ${\mathsf {2FE}\mathsf {.S}}$ samples $\mathsf {msk}_1 \leftarrow {\mathsf {1FE}\mathsf {.S}}(1^{\lambda })$ and $\mathsf {msk}_2 \leftarrow {\mathsf {2FE^{sel}}\mathsf {.S}}(1^{\lambda })$ and then outputs $\mathsf {msk}= (\mathsf {msk}_1, \mathsf {msk}_2)$.
The key-generation algorithm On inputting the master secret key $\mathsf {msk}$ and a function $f \in \mathcal {F}_{\lambda }$, the key-generation algorithm ${\mathsf {2FE}\mathsf {.KG}}$ outputs $\mathsf {sk}_{f} \leftarrow {\mathsf {2FE^{sel}}\mathsf {.KG}}(\mathsf {msk}_2, {D_{f,\bot ,1,\bot ,\bot ,\bot }})$, where $D_{f,\bot ,1,\bot ,\bot ,\bot }$ is a two-input function that is defined in Fig. 4.
The encryption algorithm On inputting the master secret key $\mathsf {msk}$, a message m, and an index $\mathsf {i}\in [2]$, the encryption algorithm ${\mathsf {2FE}\mathsf {.E}}$ has two cases:
- If $(m,\mathsf {i}) = (x,1)$, it samples $s\leftarrow \{ 0,1 \}^\lambda $ uniformly at random, three PRF keys $K^\mathsf {enc},K^\mathsf {key},K^\mathsf {msk}\leftarrow \mathsf {PRF.Gen}(1^\lambda )$ and outputs a pair $(\mathsf {ct}_1,\mathsf {sk}_1)$ defined as follows:
  $$\begin{aligned} \mathsf {ct}_1\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (K^\mathsf {msk}, K^\mathsf {key}, s, 0), 1) \\ \mathsf {sk}_1\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}_1,\mathsf {AGG}_{x,\bot ,0, s,K^\mathsf {msk}, K^\mathsf {enc}, \bot ,\bot }) \end{aligned}$$
  where the single-input function $\mathsf {AGG}_{x,\bot ,0,s,K^\mathsf {msk}, K^\mathsf {enc},\bot ,\bot }$ is defined in Fig. 5.
- If $(m,\mathsf {i}) = (y,2)$, it samples $t\leftarrow \{ 0,1 \}^\lambda $ uniformly at random and outputs a pair $(\mathsf {ct}_2, \mathsf {ct}_3)$ defined as follows:
  $$\begin{aligned} \mathsf {ct}_2\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (1, t), 2) \\ \mathsf {ct}_3\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}(\mathsf {msk}_1, (y,\bot ,1,t,\bot ,\bot )). \end{aligned}$$
The decryption algorithm On inputting a functional key $\mathsf {sk}_f$ and two ciphertexts $(\mathsf {ct}_1,\mathsf {sk}_1)$ and $(\mathsf {ct}_2, \mathsf {ct}_3)$, the decryption algorithm ${\mathsf {2FE}\mathsf {.D}}$ first computes the value $\mathsf {sk}' = {\mathsf {2FE^{sel}}\mathsf {.D}}(\mathsf {sk}_f, \mathsf {ct}_1, \mathsf {ct}_2)$, then it computes the value $\mathsf {ct}' = {\mathsf {1FE}\mathsf {.D}}(\mathsf {sk}_1, \mathsf {ct}_3)$, and finally it outputs ${\mathsf {1FE}\mathsf {.D}}(\mathsf {sk}', \mathsf {ct}')$.

The correctness of the above scheme with respect to any family of two-ary functionalities follows in a straightforward manner from the correctness of the underlying functional encryption schemes $\mathsf {1FE}$ and $\mathsf {2FE^{sel}}$. Specifically, consider any pair of messages x and y and any function f. The encryption of x with respect to the index $\mathsf {i}=$1 and the encryption of y with respect to the index $\mathsf {i}=2$ result in ciphertexts $(\mathsf {ct}_1,\mathsf {sk}_1)$ and $(\mathsf {ct}_2, \mathsf {ct}_3)$, respectively. Recall that the ciphertext $(\mathsf {ct}_1,\mathsf {sk}_1)$ hides associated randomness s and the ciphertext $(\mathsf {ct}_2,\mathsf {ct}_3)$ hides associated randomness t. Using the correctness of the scheme $\mathsf {2FE^{sel}}$, by executing ${\mathsf {2FE^{sel}}\mathsf {.D}}(\mathsf {sk}_f,\mathsf {ct}_1,\mathsf {ct}_2)$ we obtain a functional key $\mathsf {sk}'$ for $C_f$ under the key $\mathsf {msk}_{s,t}$. In addition, by executing ${\mathsf {1FE}\mathsf {.D}}(\mathsf {sk}_1, \mathsf {ct}_3)$ we obtain an encryption $\mathsf {ct}'$ of (x, y) under the key $\mathsf {msk}_{s,t}$. Therefore, executing ${\mathsf {1FE}\mathsf {.D}}(\mathsf {sk}',\mathsf {ct}')$ outputs the value $C_f((x, y)) = f(x,y)$ as required.

The following theorem captures the security of the scheme. This theorem states that under suitable assumptions on the underlying building blocks, the two-input scheme $\mathsf {2FE}$ is fully secure (see Definition 2.7).

Theorem 4.1

Assuming that (1) $\mathsf {1FE}$ is fully secure, (2) $\mathsf {2FE^{sel}}$ is selective-message secure, and (3) $\mathsf {PRF}$ is a puncturable pseudorandom function family, then $\mathsf {2FE}$ is fully secure.

As in Sect. 3, for concreteness we focus on the unbounded case where the underlying schemes, $\mathsf {1FE}$ and $\mathsf {2FE^{sel}}$, support an unbounded (i.e., not fixed in advance) number of key-generation queries and encryption queries. More generally, the proof of Theorem 4.1 shows that if the scheme corresponding to $\mathsf {msk}_1$ supports $T_1$ encryption queries and $T_2$ key-generation queries, the scheme corresponding to $\mathsf {msk}_2$ supports $T^{(1)}_3$ encryption queries with respect to index $\mathsf {i}=1$ and $T^{(2)}_3$ encryption queries with respect to index $\mathsf {i}=2$, and $T_4$ key-generation queries, and the scheme corresponding to each $\mathsf {msk}_{s,t}$ supports a single encryption query and $T_5$ key-generation queries, then the resulting scheme $\mathsf {2FE}$ supports $\min \{T_2,T^{(1)}_3\}$ encryption queries with respect to index $\mathsf {i}= 1$, $\min \{T_1, T_3^{(2)}\}$ encryption queries with respect to index $\mathsf {i}= 2$, and $\min \{T_4,T_5\}$ key-generation queries. When the polynomials $T_1,T_2,T_3^{(1)},T_3^{(2)},T_4$, and $T_5$ are known in advance (i.e., do not depend on the adversary), such schemes are known to exist based on the LWE assumption or even only one-way functions (see Sect. 2.2 for a more detailed discussion of the existing schemes).

Proof of Theorem 4.1

Let ${\mathcal {A}}=({\mathcal {A}}_1,{\mathcal {A}}_2)$ be a probabilistic polynomial-time adversary that issues at most $T_1 = T_1(\lambda )$ encryption queries with respect to index $\mathsf {i}=1$, at most $T_2 = T_2(\lambda )$ encryption queries with respect to index $\mathsf {i}=2$, and at most $T_3=T_3(\lambda )$ key-generation queries (note that $T_1$, $T_2$ and $T_3$ may be any polynomials and are not fixed in advance), and let $\mathcal {F}$ be a family of two-ary functionalities. We assume for simplicity and without loss of generality that $T_1=T_2=T_3 \mathop {=}\limits ^\mathsf{def} T$.

We present a sequence of experiments and upper bound ${\mathcal {A}}$’s advantage in distinguishing each two consecutive experiments. The first experiment is the experiment in which ${\mathcal {A}}$ gets oracle access to a left-or-right key-generation oracle $\mathsf {KG}_b(\mathsf {msk},\cdot ,\cdot )$ and to a left-or-right encryption oracle $\mathsf {Enc}_b(\mathsf {msk},(\cdot ,\cdot ),\cdot )$ for $b\leftarrow \{ 0,1 \}$ chosen uniformly at random (see Definition 2.7), and the last experiment is completely independent of the bit b. This enables us to prove that there exists a negligible function ${\mathsf {neg}}(\cdot )$ such that

$$\begin{aligned}&\mathsf {Adv}^\mathsf {sel2FE}_{\mathsf {2FE},\mathcal {F},{\mathcal {A}}}(\lambda ) \mathop {=}\limits ^\mathsf{def} \left| \Pr \left[ \mathsf {Exp}^{\mathsf {sel2FE}}_{\mathsf {2FE}, \mathcal {F}, {\mathcal {A}}}(\lambda ) = 1 \right] - \frac{1}{2} \right| \le {\mathsf {neg}}(\lambda ) \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$. In what follows we first describe the notation used throughout the proof and then describe the experiments.

Notation. We denote the ${i}{\mathrm{th}}$ ciphertext with respect to $\mathsf {i}=1$ by $(\mathsf {sk}_{1,i},\mathsf {ct}_{1,i})$ and the ${i}{\mathrm{th}}$ ciphertext with respect to $\mathsf {i}=2$ by $(\mathsf {ct}_{2,i},\mathsf {ct}_{3,i})$. Recall that the adversary ${\mathcal {A}}$ has unrestricted access to an encryption oracle with respect to index $\mathsf {i}=1$ and $\mathsf {i}=2$. We denote the ${i}{\mathrm{th}}$ input the adversary queries the encryption oracle with $\mathsf {i}=1$ by $(x^0_i,x^1_i)$, the random string used by $s_i$ and the three PRF keys used for $\mathsf {sk}_{1,i}$ and $\mathsf {ct}_{1,i}$ by $K^\mathsf {msk}_i, K^\mathsf {key}_i$ and $K^\mathsf {enc}_i$. Similarly, we denote the ${i}{\mathrm{th}}$ input the adversary queries the encryption oracle with $\mathsf {i}=2$ by $(y^0_i,y^1_i)$ and the random string used by $t_i$. Finally, we denote by $(f^0_1,f^1_1),\ldots ,(f^0_T,f^1_T)$ the function pairs with which the adversary queries the key-generation oracle.

For ease of following the proof, we give an outline of the sequence of experiments. By $\sim $ we denote computational indistinguishability and by $\equiv $ we denote equivalence.

$$\begin{aligned}&\mathcal {H}^{(0)}(\lambda ) \sim \mathcal {H}^{(1)}(\lambda ) \sim \mathcal {H}^{(2)}(\lambda ) \equiv \\&\mathcal {H}^{(3,1,0)}(\lambda ) \sim \mathcal {H}^{(4,1,0)}(\lambda ) \sim \mathcal {H}^{(5,1,0)}(\lambda ) \sim \cdots \sim \mathcal {H}^{(8,1,0)}(\lambda ) \sim \mathcal {H}^{(9,1,0)}(\lambda ) \sim \\&\quad \mathcal {H}^{(3,1,1)}(\lambda ) \sim \mathcal {H}^{(4,1,1)}(\lambda ) \sim \mathcal {H}^{(5,1,1)}(\lambda ) \sim \cdots \sim \mathcal {H}^{(8,1,1)}(\lambda ) \sim \mathcal {H}^{(9,1,1)}(\lambda ) \sim \\&\qquad \qquad \qquad \ldots \\&\quad \mathcal {H}^{(3,1,T)}(\lambda ) \sim \mathcal {H}^{(4,1,T)}(\lambda ) \sim \mathcal {H}^{(5,1,T)}(\lambda ) \sim \cdots \sim \mathcal {H}^{(8,1,T)}(\lambda ) \sim \mathcal {H}^{(9,1,T)}(\lambda ) \equiv \\&\mathcal {H}^{(3,2,0)}(\lambda ) \sim \mathcal {H}^{(4,2,0)}(\lambda ) \sim \mathcal {H}^{(5,2,0)}(\lambda ) \sim \cdots \sim \mathcal {H}^{(8,2,0)}(\lambda ) \sim \mathcal {H}^{(9,2,0)}(\lambda ) \sim \\&\quad \mathcal {H}^{(3,2,1)}(\lambda ) \sim \mathcal {H}^{(4,2,1)}(\lambda ) \sim \mathcal {H}^{(5,2,1)}(\lambda ) \sim \cdots \sim \mathcal {H}^{(8,2,1)}(\lambda ) \sim \mathcal {H}^{(9,2,1)}(\lambda ) \sim \\&\qquad \qquad \qquad \ldots \\&\quad \mathcal {H}^{(3,2,T)}(\lambda ) \sim \mathcal {H}^{(4,2,T)}(\lambda ) \sim \mathcal {H}^{(5,2,T)}(\lambda ) \sim \cdots \sim \mathcal {H}^{(8,2,T)}(\lambda ) \sim \mathcal {H}^{(9,2,T)}(\lambda ) \equiv \\&\ldots \\&\mathcal {H}^{(3,T+1,0)}(\lambda ) \sim \mathcal {H}^{(10)}(\lambda ) \sim \mathcal {H}^{(11)}(\lambda ). \end{aligned}$$

As before, we use boxes to highlight the differences between an experiment and the previous one.

Experiment $\varvec{\mathcal {H}^{(0)}(\lambda )}$. This is the original experiment corresponding to $b\leftarrow \{ 0,1 \}$ chosen uniformly at random. That is, ${\mathcal {A}}$ gets oracle access to the key-generation oracle $\mathsf {KG}_b(\mathsf {msk},\cdot )$ and oracle access to a left-or-right encryption oracle $\mathsf {Enc}_b(\mathsf {msk},(\cdot ,\cdot ),\cdot )$ where $b\leftarrow \{ 0,1 \}$ is chosen uniformly at random.

Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, (K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i,0), 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,\bot ,0,s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (1,t), 2)\\ \mathsf {ct}_{3,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_1, (y^b_i,\bot ,1,t_i,\bot ,\bot )\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {2FE^{sel}}\mathsf {.KG}}\left( \mathsf {msk}_2, {D_{f^b_i,\bot ,1,\bot ,\bot ,\bot }}\right) \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(1)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(0)}(\lambda )$ by modifying the encryptions as follows. Given inputs $(x^0_i,x^1_i)$ and $(y^0_i,y^1_i)$, instead of setting the field $x_1$ and $y_1$ to be $\bot $ we set it to be $x^1_i$ and $y^1_i$, respectively. In addition, in the encryptions $\mathsf {ct}_{3,i}$ corresponding to $\mathsf {i}=2$ we embed a counter.

Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, 0\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,\boxed {x^1_i},0,s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (1,t), 2)\\ \mathsf {ct}_{3,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_1, \left( y^b_i,\boxed {y^1_i},\boxed {i},t_i, \bot ,\bot \right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {2FE^{sel}}\mathsf {.KG}}\left( \mathsf {msk}_2, {D_{f^b_i,\bot ,1,\bot ,\bot ,\bot }}\right) \end{aligned}$$

Note that all the functional keys that are issued as part of the encryption according to $\mathsf {i}= 1$ are generated with $a=0$ (where a is the third hardwired item). Moreover, since $\mathsf {thr}= 0$ it always holds that $\mathsf {thr}< \mathsf {c}$ which ensures that the functionality does not change. Thus, the circuit $\mathsf {AGG}_{x_0,x_1,a,s,K^\mathsf {msk},K^\mathsf {key}}$ always sets $x = x^b_i$ and $y = y^b_i$ and ignores $x^1_i$ and $y^1_i$ (see Fig. 5). Thus, the security of the underlying scheme $\mathsf {1FE}$ guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(0)}$ and $\mathcal {H}^{(1)}$. Specifically, let $\mathcal {F}'$ denote the family of functions $\mathsf {AGG}_{x_0,x_1,a,s,K^\mathsf {msk},K^\mathsf {key}}$ (as defined in Fig. 5). In “Appendix B.2” we prove the following claim:

Claim 4.2

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(0) \rightarrow (1)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(0)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(1)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(0) \rightarrow (1)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(2)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(1)}(\lambda )$ by modifying the functional keys as follows. Given inputs $(f^0_i,f^1_i)$, instead of setting the field $f_1$ to be $\bot $ we set it to be $f^1_i$. In addition, in the ciphertexts $\mathsf {ct}_{2,i}$ corresponding to $\mathsf {i}=2$ and in the functional keys we embed a counter.

Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, (K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, 0), 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},0,s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \\ \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( \boxed {i},t\right) , 2\right) \\ \mathsf {ct}_{3,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_1, (y^b_i,{y^1_i},{i},t_i, \bot ,\bot )\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {2FE^{sel}}\mathsf {.KG}}\left( \mathsf {msk}_2, {D_{f^b_i,\boxed {f^1_i},\boxed {i},\bot ,\bot ,\bot }}\right) \end{aligned}$$

Note that all the functional keys that are issued as part of the encryption according to $\mathsf {i}= 1$ are generated with $w=0$ which ensures that the functionality does not change. Thus, the circuit $D_{f_0,f_1,s',t',u}$ always sets $f_w = f^b_i$ and ignores $f^1_i$. Hence, the security of the underlying scheme $\mathsf {2FE^{sel}}$ guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(1)}$ and $\mathcal {H}^{(2)}$. Specifically, let $\mathcal {F}'$ denote the family of functions $D_{f_0,f_1,s',t',u}$ (as defined in Fig. 4). In “Appendix B.2” we prove the following claim:

Claim 4.3

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(1) \rightarrow (2)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(1)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(2)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {sel2FE}}_{\mathsf {2FE^{sel}}, \mathcal {F}', {\mathcal {B}}^{(1) \rightarrow (2)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(3,j,k)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(2)}(\lambda )$ by modifying the encryptions as follows. The first $j-1$ ciphertexts are generated such that $\mathsf {thr}=T$, the ${j}{\mathrm{th}}$ ciphertext is generated such that $\mathsf {thr}=k$, and the rest of the ciphertexts are generated as before.

Ciphertexts ($\mathsf {i}= 1$ and $i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \Bigg (K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, \boxed {T}\Bigg ), 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},\boxed {T},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 1$ and $i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, \boxed {k}\right) ,1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},\boxed {k},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 1$ and $i=j+1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, (K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, 0), 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{0},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 2$ and $i = 1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (i,t), 2)\\ \mathsf {ct}_{3,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_1, \left( y^b_i,{y^1_i},i,t_i, \bot ,\bot \right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {2FE^{sel}}\mathsf {.KG}}\left( \mathsf {msk}_2, {D_{f^b_i,f^1_i,i,\bot ,\bot ,\bot }}\right) \end{aligned}$$

Notice that $\mathcal {H}^{(3,1,0)}= \mathcal {H}^{(2)}$.

Experiment $\varvec{\mathcal {H}^{(4,j,k)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(3,j,k)}(\lambda )$ by modifying the encryptions as follows. First, we sample in advance $s_j$, $t_k$, $K^\mathsf {msk}_j$, $K^\mathsf {key}_j$ and $K^\mathsf {enc}_j$ and compute $\mathsf {msk}_{s_j,t_k} = {\mathsf {1FE}\mathsf {.S}}(1^\lambda ; \mathsf {PRF.Eval}(K^\mathsf {msk}_j, t_k))$. Then, we act according to the following two cases: If the ${j}{\mathrm{th}}$ encryption with respect to index $\mathsf {i}=1$ comes before the ${k}{\mathrm{th}}$ encryption with respect to index $\mathsf {i}=2$, we embed into $\mathsf {ct}_{3,k}$ the pair of values $(s_j, \gamma )$ where $\gamma = {\mathsf {1FE}\mathsf {.E}}(\mathsf {msk}_{s_j,t_k}, (x^b_j, y^b_k) ; \mathsf {PRF.Eval}(K^\mathsf {enc}_j, t_k))$. Otherwise, if the ${j}{\mathrm{th}}$ encryption with respect to index $\mathsf {i}=1$ comes after the ${k}{\mathrm{th}}$ encryption with respect to index $\mathsf {i}=2$, we embed into $\mathsf {ct}_{1,j}$ the pair of values $(t_k, \gamma )$.

Finally, instead of using $K^\mathsf {msk}_j$ and $K^\mathsf {key}_j$ in the ${j}{\mathrm{th}}$ encryption with respect to $\mathsf {msk}_1$, we use ${K^\mathsf {msk}_j}|_{\{t_k\}}$ and ${K^\mathsf {enc}_j}|_{\{t_k\}}$ which are the keys $K^\mathsf {msk}_j$ and $K^\mathsf {enc}_j$ punctured at the point $\{t_k\}$.

For concreteness we assume that the latter is the case, namely that the ${j}{\mathrm{th}}$ encryption with respect to index $\mathsf {i}=1$ came after the ${k}{\mathrm{th}}$ encryption with respect to index $\mathsf {i}=2$ (the other case is handled similarly).

Ciphertexts ($\mathsf {i}= 1$ and $i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, {T}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{T},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 1$ and $i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, {k}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{k},s_i \boxed {{K^\mathsf {msk}_i}|_{\{t_k\}}},\boxed {{K^\mathsf {enc}_i}|_{\{t_k\}}}, \boxed {t_k,\gamma }}\right) \\&\mathsf {msk}_{s_j,t_k} = {\mathsf {1FE}\mathsf {.S}}\left( 1^\lambda ; \mathsf {PRF.Eval}(K^\mathsf {msk}_i,t_k)\right) \\&\gamma = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_{s_j,t_k}, (x^b_j, y^b_k) ; \mathsf {PRF.Eval}(K^\mathsf {enc}_i, t_k)\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 1$ and $i=j+1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, (K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, 0), 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{0},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 2$ and $i = 1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, (i,t), 2\right) \\ \mathsf {ct}_{3,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_1, \left( y^b_i,{y^1_i},i,t_i, \bot ,\bot \right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {2FE^{sel}}\mathsf {.KG}}\left( \mathsf {msk}_2, {D_{f^b_i,f^1_i,i,\bot ,\bot ,\bot }}\right) \end{aligned}$$

We observe that the combination of the ${k}{\mathrm{th}}$ ciphertext with respect to $\mathsf {i}=2$ with the ${j}{\mathrm{th}}$ ciphertext with respect to $\mathsf {i}=1$ has the same functionality due to the hardwired pair $(t_k, \gamma )$ (or $(s_k, \gamma )$ depending on the order they were queried on). For the rest of the combinations we have that the functionality stays the same by the functionality property of the punctured PRF. Thus, the security of the underlying $\mathsf {1FE}$ scheme guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(3,j,k)}$ and $\mathcal {H}^{(4,j,k)}$. In “Appendix B.2” we prove the following claim:

Claim 4.4

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(3,j,k) \rightarrow (4,j,k)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(3,j,k)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(4,j,k)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(3,j,k) \rightarrow (4,j,k)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(5,j,k)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(4,j,k)}(\lambda )$ by modifying the encryptions as follows. First, instead of using $K^\mathsf {msk}_j$ and $K^\mathsf {key}_j$ in the ${j}{\mathrm{th}}$ encryption with respect to $\mathsf {msk}_2$, we use ${K^\mathsf {msk}_j}|_{\{t_k\}}$ and ${K^\mathsf {key}_j}|_{\{t_k\}}$ which are the keys $K^\mathsf {msk}_j$ and $K^\mathsf {key}_j$ punctured at the point $\{t_k\}$. Second, we hardwire into every functional key for a pair $(f^0_i.f^1_i)$ the triple $(s_j, t_k, \delta )$, where $\delta = {\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}_{s_j,t_k}, C_{f^b_i} ; \mathsf {PRF.Eval}(K^\mathsf {key}_j, t_k))$.

Ciphertexts ($\mathsf {i}= 1$ and $i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, {T}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{T},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 1$ and $i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( \boxed {{K^\mathsf {msk}_i}|_{\{t_k\}}}, \boxed {{K^\mathsf {key}_i}|_{\{t_k\}}}, s_i, {k}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{k},s_i {{K^\mathsf {msk}_i}|_{\{t_k\}}},{{K^\mathsf {enc}_i}|_{\{t_k\}}}, {t_k,\gamma }}\right) \\&\mathsf {msk}_{s_j,t_k} = {\mathsf {1FE}\mathsf {.S}}\left( 1^\lambda ; \mathsf {PRF.Eval}\left( K^\mathsf {msk}_i,t_k\right) \right) \\&\gamma = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_{s_j,t_k}, \left( x^b_j, y^b_k\right) ; \mathsf {PRF.Eval}\left( K^\mathsf {enc}_i, t_k\right) \right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 1$ and $i=j+1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, 0\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{0},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 2$ and $i = 1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( i,t\right) , 2\right) \\ \mathsf {ct}_{3,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_1, \left( y^b_i,{y^1_i},i,t_i, \bot ,\bot \right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.KG}}\left( \mathsf {msk}_2, {D_{f^b_i,f^1_i,i,\boxed {s_j,t_k,\delta }}}\right) \\&\mathsf {msk}_{s_j,t_k} = {\mathsf {1FE}\mathsf {.S}}\left( 1^\lambda ; \mathsf {PRF.Eval}\left( K^\mathsf {msk}_j, t_k\right) \right) \\&\delta = {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_{s_j,t_k}, C_{f^b_i} ; \mathsf {PRF.Eval}\left( K^\mathsf {key}_j, t_k\right) \right) \end{aligned}$$

We observe that the combination of the ${k}{\mathrm{th}}$ ciphertext with respect to $\mathsf {i}=2$ with the ${j}{\mathrm{th}}$ ciphertext with respect to $\mathsf {i}=1$ has the same functionality due to the hardwired values $(s_j, t_k, \delta )$. For the rest of the combinations we have that the functionality stays the same by the functionality property of the punctured PRF. Thus, the security of the underlying $\mathsf {2FE^{sel}}$ scheme guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(4,j,k)}$ and $\mathcal {H}^{(5,j,k)}$. In “Appendix B.2” we prove the following claim:

Claim 4.5

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(4,j,k) \rightarrow (5,j,k)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(4,j,k)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(5,j,k)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {sel2FE}}_{\mathsf {2FE^{sel}}, \mathcal {F}', {\mathcal {B}}^{(4,j,k) \rightarrow (5,j,k)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(6,j,k)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(5,j,k)}(\lambda )$ by modifying the encryptions as follows. Instead of using randomness generated using a PRF we use randomness sampled uniformly at random. That is, $\mathsf {msk}_{s_j,t_k}$, $\gamma $ and $\delta $ are generated using randomness that is sampled uniformly at random rather than generated using a PRF. We emphasize that $\mathsf {msk}_{s_j,t_k}$ is computed in advance once as ${\mathsf {msk}_{s_j,t_k}} \leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$.

Ciphertexts ($\mathsf {i}= 1$ and $i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, {T}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{T},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 1$ and $i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( {{K^\mathsf {msk}_i}|_{\{t_k\}}}, {{K^\mathsf {key}_i}|_{\{t_k\}}}, s_i, {k}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{k},s_i {{K^\mathsf {msk}_i}|_{\{t_k\}}},{{K^\mathsf {enc}_i}|_{\{t_k\}}}, {t_k,\gamma }}\right) \\&\boxed {\mathsf {msk}_{s_j,t_k}} = {\mathsf {1FE}\mathsf {.S}}\left( 1^\lambda \right) \\&\boxed {\gamma } = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_{s_j,t_k}, \left( x^b_j, y^b_k\right) \right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 1$ and $i=j+1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, 0\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{0},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 2$ and $i = 1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( i,t\right) , 2\right) \\ \mathsf {ct}_{3,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_1, \left( y^b_i,{y^1_i},i,t_i, \bot ,\bot \right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.KG}}\left( \mathsf {msk}_2, {D_{f^b_i,f^1_i,i,{s_j,t_k,\delta }}}\right) \\&\boxed {\delta } = {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_{s_j,t_k}, C_{f^b_i}\right) \end{aligned}$$

The pseudorandomness of $\mathsf {PRF.Eval}(K^\mathsf {msk}_j, \cdot )$, $\mathsf {PRF.Eval}(K^\mathsf {key}_j, \cdot )$, and $\mathsf {PRF.Eval}(K^\mathsf {enc}_j, \cdot )$ guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(5,j,k)}$ and $\mathcal {H}^{(6,j,k)}$. In “Appendix B.2” we prove the following claim:

Claim 4.6

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(5,j,k) \rightarrow (6,j,k)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(5,j,k)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(6,j,k)}(\lambda ) = 1 \right] \right| \le 3\cdot \mathsf {Adv}_{\mathsf {PRF}, {\mathcal {B}}^{(5,j,k)\rightarrow (6,j,k)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(7,j,k)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(6,j,k)}(\lambda )$ by modifying the encryptions as follows. Instead of having $(x^b_j, y^b_k)$ hardwired in $\gamma $ and $D_{f^b_i}$ in $\delta $, we hardwire the values $(x^1_j, y^1_k)$ and $D_{f^1_i}$, respectively.

Ciphertexts ($\mathsf {i}= 1$ and $i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, {T}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{T},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 1$ and $i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( {{K^\mathsf {msk}_i}|_{\{t_k\}}}, {{K^\mathsf {key}_i}|_{\{t_k\}}}, s_i, {k}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{k},s_i {{K^\mathsf {msk}_i}|_{\{t_k\}}},{{K^\mathsf {enc}_i}|_{\{t_k\}}}, {t_k,\gamma }}\right) \\&{\mathsf {msk}_{s_j,t_k}} = {\mathsf {1FE}\mathsf {.S}}\left( 1^\lambda \right) \\&{\gamma } = {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_{s_j,t_k}, \left( \boxed {x^1_j, y^1_k}\right) \right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 1$ and $i=j+1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, 0\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{0},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 2$ and $i = 1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( i,t\right) , 2\right) \\ \mathsf {ct}_{3,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_1, \left( y^b_i,{y^1_i},i,t_i, \bot ,\bot \right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.KG}}\left( \mathsf {msk}_2, {D_{f^b_i,f^1_i,i,{s_j,t_k,\delta }}}\right) \\&{\delta } = {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_{s_j,t_k}, \boxed {C_{f^1_i}}\right) \end{aligned}$$

We observe that the combination of the ${k}{\mathrm{th}}$ ciphertext with respect to $\mathsf {i}=2$ with the ${j}{\mathrm{th}}$ ciphertext with respect to $\mathsf {i}=1$ has the same functionality due to the hardwired values $(s_j, t_k, \delta )$ and the fact that the adversary is valid (see Definition 2.6). Thus, the security of the underlying $\mathsf {1FE}$ scheme guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(6,j,k)}$ and $\mathcal {H}^{(7,j,k)}$. In “Appendix B.2” we prove the following claim:

Claim 4.7

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(6,j,k) \rightarrow (7,j,k)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(6,j,k)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(7,j,k)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(6,j,k) \rightarrow (7,j,k)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(8,j,k)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(7,j,k)}(\lambda )$ by modifying the encryptions as follows. Instead of using randomness sampled uniformly at random we use randomness generated using a PRF. That is, $\mathsf {msk}_{s_j,t_k}$, $\gamma $ and $\delta $ are generated using a PRF.

Ciphertexts ($\mathsf {i}= 1$ and $i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, {T}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{T},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 1$ and $i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( {{K^\mathsf {msk}_i}|_{\{t_k\}}}, {{K^\mathsf {key}_i}|_{\{t_k\}}}, s_i, {k}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{k},s_i {{K^\mathsf {msk}_i}|_{\{t_k\}}},{{K^\mathsf {enc}_i}|_{\{t_k\}}}, {t_k,\gamma }}\right) \\&\boxed {{\mathsf {msk}_{s_j,t_k}}} \leftarrow {\mathsf {1FE}\mathsf {.S}}\left( 1^\lambda ; \mathsf {PRF.Eval}\left( K^\mathsf {msk}_j, t_k\right) \right) \\&\boxed {\gamma } \leftarrow {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_{s_j,t_k}, \left( {x^1_j, y^1_k}\right) ; \mathsf {PRF.Eval}\left( K^\mathsf {enc}_j, t_k\right) \right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 1$ and $i=j+1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, 0\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{0},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 2$ and $i = 1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( i,t\right) , 2\right) \\ \mathsf {ct}_{3,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_1, \left( y^b_i,{y^1_i},i,t_i, \bot ,\bot \right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.KG}}\left( \mathsf {msk}_2, {D_{f^b_i,f^1_i,i,{s_j,t_k,\delta }}}\right) \\&\boxed {\mathsf {msk}_{s_j,t_k}} \leftarrow {\mathsf {1FE}\mathsf {.S}}\left( 1^\lambda ; \mathsf {PRF.Eval}\left( K^\mathsf {msk}_j, t_k\right) \right) \\&\boxed {\delta } \leftarrow {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_{s_j,t_k}, {C_{f^1_i}} ; \mathsf {PRF.Eval}\left( K^\mathsf {key}_j, t_k\right) \right) \end{aligned}$$

The pseudorandomness of $\mathsf {PRF.Eval}(K^\mathsf {msk}_j, \cdot )$, $\mathsf {PRF.Eval}(K^\mathsf {key}_j, \cdot )$, and $\mathsf {PRF.Eval}(K^\mathsf {enc}_j, \cdot )$ guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(7,j,k)}$ and $\mathcal {H}^{(8,j,k)}$. The proof of the following claim is analogous to the proof of Claim 4.6.

Claim 4.8

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(7,j,k) \rightarrow (8,j,k)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(7,j,k)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(8,j,k)}(\lambda ) = 1 \right] \right| \le 3\cdot \mathsf {Adv}_{\mathsf {PRF}, {\mathcal {B}}^{(7,j,k)\rightarrow (8,j,k)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(9,j,k)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(8,j,k)}(\lambda )$ by modifying the encryptions as follows. First, instead of using punctured keys ${K^\mathsf {msk}_j}|_{\{t_k\}}$ and ${K^\mathsf {key}_j}|_{\{t_k\}}$ in the ${j}{\mathrm{th}}$ encryption with respect to $\mathsf {msk}_2$, we use the original keys $K^\mathsf {msk}_j$ and ${K^\mathsf {key}_j}$. Second, we set the threshold $\mathsf {thr}$ in $\mathsf {ct}_{1,j}$ to $k+1$. Lastly, we hardwire into every functional key for a pair $(f^0_i.f^1_i)$ the triple $(\bot ,\bot , \bot )$ instead of $(s_j,t_k,\delta )$.

Ciphertexts ($\mathsf {i}= 1$ and $i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, {T}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{T},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 1$ and $i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( \boxed {{K^\mathsf {msk}_i}}, \boxed {{K^\mathsf {key}_i}}, s_i, \boxed {k+1}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{k},s_i {{K^\mathsf {msk}_i}|_{\{t_k\}}},{{K^\mathsf {enc}_i}|_{\{t_k\}}}, {t_k,\gamma }}\right) \\&{{\mathsf {msk}_{s_j,t_k}}} \leftarrow {\mathsf {1FE}\mathsf {.S}}\left( 1^\lambda ; \mathsf {PRF.Eval}\left( K^\mathsf {msk}_j, t_k\right) \right) \\&{\gamma } \leftarrow {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_{s_j,t_k}, \left( {x^1_j, y^1_k}\right) ; \mathsf {PRF.Eval}\left( K^\mathsf {enc}_j, t_k\right) \right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 1$ and $i=j+1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, 0\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{0},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 2$ and $i = 1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, t, 2\right) \\ \mathsf {ct}_{3,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_1, \left( y^b_i,{y^1_i},i,t_i, \bot ,\bot \right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.KG}}\left( \mathsf {msk}_2, {D_{f^b_i,f^1_i,i,\boxed {\bot ,\bot ,\bot }}}\right) \end{aligned}$$

We observe that the combination of the ${k}{\mathrm{th}}$ ciphertext with respect to $\mathsf {i}=2$ with the ${j}{\mathrm{th}}$ ciphertext with respect to $\mathsf {i}=1$ has the same functionality due to the hardwired values $(s_j, t_k, \delta )$. For the rest of the combinations we have that the functionality stays the same by the functionality property of the punctured PRF. Thus, the security of the underlying $\mathsf {2FE^{sel}}$ scheme guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(8,j,k)}$ and $\mathcal {H}^{(9,j,k)}$. The proof of the following claim is analogous to the proof of Claim 4.5.

Claim 4.9

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(8,j,k) \rightarrow (9,j,k)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(8,j,k)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(9,j,k)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {sel2FE}}_{\mathsf {2FE^{sel}}, \mathcal {F}', {\mathcal {B}}^{(8,j,k) \rightarrow (9,j,k)}}(\lambda ). \end{aligned}$$

Next, as in Claim 4.4 we observe that $\mathcal {H}^{(9,j,k)}(\lambda )$ is indistinguishable from $\mathcal {H}^{(3,j,k+1)}(\lambda )$.

Claim 4.10

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(9,j,k) \rightarrow (3,j,k+1)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(9,j,k)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(3,j,k+1)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(9,j,k) \rightarrow (3,j,k+1)}}(\lambda ). \end{aligned}$$

Moreover, we notice that $\mathcal {H}^{(3,j,T)}(\lambda ) = \mathcal {H}^{(3,j+1,0)}(\lambda )$.

Experiment $\varvec{\mathcal {H}^{(10)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(3,T+1,0)}(\lambda )$ by modifying the ciphertexts not to include $f^b_i$ at all.

Ciphertexts ($\mathsf {i}= 1$ and $i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, {T}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{x^b_i,{x^1_i},{T},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 2$ and $i = 1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( i,t\right) , 2\right) \\ \mathsf {ct}_{3,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_1, \left( y^b_i,{y^1_i},i,t_i, \bot ,\bot \right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {2FE^{sel}}\mathsf {.KG}}\left( \mathsf {msk}_2, {D_{\boxed {\bot },f^1_i,i,\bot ,\bot ,\bot }}\right) \end{aligned}$$

We observe that at this point all ciphertexts have $\mathsf {thr}=T$. Therefore, the first parameter $f^b_i$ is always ignored and the functionalities stay the same. Thus, the security of the underlying $\mathsf {2FE^{sel}}$ scheme guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(3,T+1,0)}$ and $\mathcal {H}^{(10)}$. The proof of the following claim is analogous to the proof of Claim 4.3.

Claim 4.11

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(3,T+1,0) \rightarrow (10)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(3,T+1,0)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(10)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {sel2FE}}_{\mathsf {2FE^{sel}}, \mathcal {F}', {\mathcal {B}}^{(3,T+1,0) \rightarrow (10)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(11)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(10)}(\lambda )$ by modifying the ciphertexts not to include $x^b_i$ and $y^b_i$ at all. Notice that this experiment is completely independent of the bit b, and therefore $\Pr [\mathcal {H}^{(11)}(\lambda ) = 1] = 1/2$.

Ciphertexts ($\mathsf {i}= 1$ and $i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, {T}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.KG}}\left( \mathsf {msk}_1, \mathsf {AGG}_{\boxed {\bot },{x^1_i},{T},s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }\right) \end{aligned}$$
Ciphertexts ($\mathsf {i}= 2$ and $i = 1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {2FE^{sel}}\mathsf {.E}}\left( \mathsf {msk}_2, \left( i,t\right) , 2\right) \\ \mathsf {ct}_{3,i}\leftarrow & {} {\mathsf {1FE}\mathsf {.E}}\left( \mathsf {msk}_1, \left( \boxed {\bot },{y^1_i},i,t_i, \bot ,\bot \right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {2FE^{sel}}\mathsf {.KG}}\left( \mathsf {msk}_2, {D_{{\bot },f^1_i,i,\bot ,\bot ,\bot }}\right) \end{aligned}$$

We observe that at this point all ciphertext have $\mathsf {thr}=T$. Therefore, the first parameters $x^b_i$ and $y^b_i$ are always ignored and the functionalities stay the same. Thus, the security of the underlying $\mathsf {1FE}$ scheme guarantees that the adversary ${\mathcal {A}}$ has only a negligible advantage in distinguishing experiments $\mathcal {H}^{(3,T+1)}$ and $\mathcal {H}^{(10)}$. The proof of the following claim is analogous to the proof of Claim 4.2.

Claim 4.12

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(10) \rightarrow (11)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(10)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(11)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(10) \rightarrow (11)}}(\lambda ). \end{aligned}$$

Finally, putting together Claims 4.2–4.12 with the facts that $\mathsf {Adv}^\mathsf {sel2FE}_{\mathsf {2FE},\mathcal {F},{\mathcal {A}}}(\lambda ) = \mathcal {H}^{(0)}(\lambda )$, $\mathcal {H}^{(2)}(\lambda ) = \mathcal {H}^{(3,1,0)}(\lambda )$, and $\Pr \left[ \mathcal {H}^{(11)}(\lambda ) = 1\right] = 1/2$, we observe that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {sel2FE}}_{\mathsf {2FE},\mathcal {F},{\mathcal {A}}}&\mathop {=}\limits ^\mathsf{def}&\left| \Pr \left[ \mathsf {Exp}^{\mathsf {sel2FE}}_{\mathsf {2FE}, \mathcal {F}, {\mathcal {A}}}\left( \lambda \right) = 1 \right] - \frac{1}{2} \right| \\= & {} \left| \Pr \left[ \mathcal {H}^{\left( 0\right) }\left( \lambda \right) = 1 \right] - \Pr \left[ \mathcal {H}^{\left( 11\right) }\left( \lambda \right) = 1 \right] \right| \\\le & {} \sum _{i=0}^{1}\left| \Pr \left[ \mathcal {H}^{\left( i\right) }\left( \lambda \right) = 1 \right] - \Pr \left[ \mathcal {H}^{\left( i+1\right) }\left( \lambda \right) = 1 \right] \right| \\&+ \sum _{j=1}^T \sum _{k=0}^{T} \sum _{i=3}^{8} \left| \Pr \left[ \mathcal {H}^{\left( i,j,k\right) }\left( \lambda \right) = 1 \right] - \Pr \left[ \mathcal {H}^{\left( i+1,j,k\right) }\left( \lambda \right) = 1 \right] \right| \\&+ \left| \Pr \left[ \mathcal {H}^{\left( 3,T+1,0\right) }\left( \lambda \right) = 1 \right] - \Pr \left[ \mathcal {H}^{\left( 10\right) }\left( \lambda \right) = 1 \right] \right| \\&+ \left| \Pr \left[ \mathcal {H}^{\left( 10\right) }\left( \lambda \right) = 1 \right] - \Pr \left[ \mathcal {H}^{\left( 11\right) }\left( \lambda \right) = 1 \right] \right| \\\le & {} {\mathsf {neg}}\left( \lambda \right) . \end{aligned}$$

Notes

In terms of assumptions, the recent work of Asharov and Segev [7] shows that indistinguishability obfuscation and public-key functional encryption are significantly stronger primitives than private-key functional encryption. We refer the reader to Sect. 1.1 for a more elaborate discussion.
Bitansky and Vaikuntanathan [18] achieved the same result (an indistinguishability obfuscator) as [5] using a similar construction (at least conceptually) while relying essentially on the same assumptions. However, they construct an indistinguishability obfuscator directly without going through the equivalence to multi-input functional encryption schemes.
We consider a unified notion capturing both message privacy and function privacy not only as a useful feature for various applications. In fact, the function privacy of the resulting two-input scheme plays a crucial role when extending our results to more than two inputs.
A somewhat related functionality was recently considered by Iovino and Zebrowski [27] who introduced the notion of mergeable functional encryption, where one can publicly transform encryptions, $\mathsf {Enc}(x)$ and $\mathsf {Enc}(y)$, of two values into an encryption $\mathsf {Enc}(x\Vert y)$ of their concatenation. They show how to construct such a scheme for two inputs building on the specific construction of [22] and assuming strong notions of obfuscation. In comparison, our approach applies to many inputs (as discussed below) and is based on minimal assumptions.
Notice that this is a randomized functionality. We will derandomize it using a PRF.
“One sided” here refers to the fact that the encapsulated key $\mathsf {msk}^\mathsf {\star }$ is generated only from the side of the x’s.
Any two-input scheme can be used as a single-input scheme by simply ignoring one of its coordinates, and then one can apply the selective-to-adaptive transformation of Ananth et al. [3] for single-input schemes.
More accurately, the key $\mathsf {msk}^\mathsf {\star }$ is computed by applying the setup algorithm of $\mathsf {1FE}$ with randomness $\mathsf {PRF}(s,t)$.
Indeed, [5] get a construction of a t-input scheme for any $t\ge 1$ which implies an indistinguishability obfuscator. Our construction falls short from being generalized to such extent (however, it relies on weaker assumptions).

References

S. Agrawal, S. Agrawal, S. Badrinarayanan, A. Kumarasubramanian, M. Prabhakaran, A. Sahai, Function private functional encryption and property preserving encryption: new definitions and positive results. Cryptology ePrint Archive, Report 2013/744 (2013)
P. Ananth, D. Boneh, S. Garg, A. Sahai, M. Zhandry, Differing-inputs obfuscation and applications. Cryptology ePrint Archive, Report 2013/689 (2013)
P. Ananth, Z. Brakerski, G. Segev, V. Vaikuntanathan, From selective to adaptive security in functional encryption, in Advances in Cryptology—CRYPTO ’15 (2015), pp. 657–677
S. Agrawal, S. Gorbunov, V. Vaikuntanathan, H. Wee, Functional encryption: new perspectives and lower bounds, in Advances in Cryptology—CRYPTO ’13 (2013), pp. 500–518
P. Ananth, A. Jain, Indistinguishability obfuscation from compact functional encryption, in Advances in Cryptology—CRYPTO ’15 (2015), pp. 308–326
P. Ananth, A. Jain, A. Sahai, Achieving compactness generically: indistinguishability obfuscation from non-compact functional encryption. Cryptology ePrint Archive, Report 2015/730 (2015)
G. Asharov, G. Segev, Limits on the power of indistinguishability obfuscation and functional encryption, in Proceedings of the 56th Annual IEEE Symposium on Foundations of Computer Science (2015), pp. 191–209
E. Boyle, K. Chung, R. Pass, On extractability obfuscation, in Proceedings of the 11th Theory of Cryptography Conference (2014), pp. 52–73
D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003). Preliminary version in Advances in Cryptology—CRYPTO ’01 (2001), pp. 213–229
B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S.P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)
Article MathSciNet MATH Google Scholar
E. Boyle, S. Goldwasser, I. Ivan, Functional signatures and pseudorandom functions, in Proceedings of the 17th International Conference on Practice and Theory in Public-Key Cryptography (2014), pp. 501–519
D. Boneh, K. Lewi, M. Raykova, A. Sahai, M. Zhandry, J. Zimmerman, Semantically secure order-revealing encryption: multi-input functional encryption without obfuscation, in Advances in Cryptology—EUROCRYPT ’15 (2015), pp. 563–594
N. Bitansky, R. Nishimaki, A. Passelègue, D. Wichs, From cryptomania to obfustopia through secret-key functional encryption, in Proceedings of the 14th Theory of Cryptography Conference (2016), pp. 391–418
M. Bellare, A. O’Neill, Semantically-secure functional encryption: possibility results, impossibility results and the quest for a general definition, in Proceedings of the 12th International Conference on Cryptology and Network Security (2013), pp. 218–234
D. Boneh, A. Raghunathan, G. Segev, Function-private identity-based encryption: hiding the function in functional encryption, in Advances in Cryptology—CRYPTO ’13 (2013), pp. 461–478
Z. Brakerski, G. Segev, Function-private functional encryption in the private-key setting, in Proceedings of the 12th Theory of Cryptography Conference (2015), pp. 306–324
D. Boneh, A. Sahai, B. Waters, Functional encryption: definitions and challenges, in Proceedings of the 8th Theory of Cryptography Conference (2011), pp. 253–273
N. Bitansky, V. Vaikuntanathan, Indistinguishability obfuscation from functional encryption, in Proceedings of the 56th Annual IEEE Symposium on Foundations of Computer Science (2015), pp. 171–190
D. Boneh, B. Waters, Constrained pseudorandom functions and their applications, in Advances in Cryptology—ASIACRYPT ’13 (2013), pp. 280–300
C. Cocks, An identity based encryption scheme based on quadratic residues, in Proceedings of the 8th IMA International Conference on Cryptography and Coding (2001), pp. 360–363
S. Goldwasser, S.D. Gordon, V. Goyal, A. Jain, J. Katz, F.-H. Liu, A. Sahai, E. Shi, H.-S. Zhou, Multi-input functional encryption, in Advances in Cryptology—EUROCRYPT ’14 (2014), pp. 578–602
S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, B. Waters, Candidate indistinguishability obfuscation and functional encryption for all circuits, in Proceedings of the 54th Annual IEEE Symposium on Foundations of Computer Science (2013), pp. 40–49
S. Garg, C. Gentry, S. Halevi, M. Zhandry, Functional encryption without obfuscation, in Proceedings of the 13th Theory of Cryptography Conference (2016), pp. 480–511
O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions. J. ACM 33(4), 792–807 (1986)
Article MathSciNet MATH Google Scholar
S. Goldwasser, Y. Kalai, R.A. Popa, V. Vaikuntanathan, N. Zeldovich, Reusable garbled circuits and succinct functional encryption, in Proceedings of the 45th Annual ACM Symposium on Theory of Computing (2013), pp. 555–564
S. Gorbunov, V. Vaikuntanathan, H. Wee, Functional encryption with bounded collusions via multi-party computation, in Advances in Cryptology—CRYPTO ’12 (2012), pp. 162–179
V. Iovino, K. Zebrowski, Mergeable functional encryption. Cryptology ePrint Archive, Report 2015/103 (2015)
I. Komargodski, T. Moran, M. Naor, R. Pass, A. Rosen, E. Yogev, One-way functions and (im)perfect obfuscation, in Proceedings of the 55th Annual IEEE Symposium on Foundations of Computer Science (2014), pp. 374–383
A. Kiayias, S. Papadopoulos, N. Triandopoulos, T. Zacharias, Delegatable pseudorandom functions and applications, in Proceedings of the 20th Annual ACM Conference on Computer and Communications Security (2013), pp. 669–684
I. Komargodski, G. Segev, From Minicrypt to Obfustopia via private-key functional encryption. Cryptology ePrint Archive, Report 2017/80 (2017)
J. Katz, A. Sahai, B. Waters, Predicate encryption supporting disjunctions, polynomial equations, and inner products. J. Cryptol. 26(2), 191–224 (2013)
Article MathSciNet MATH Google Scholar
I. Komargodski, G. Segev, E. Yogev, Functional encryption for randomized functionalities in the private-key setting from minimal assumptions, in Proceedings of the 12th Theory of Cryptography Conference (2015), pp. 352–377
A. O’Neill, Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010)
A. Shamir, Identity-based cryptosystems and signature schemes, in Advances in Cryptology—CRYPTO ’84 (1984), pp. 47–53
E. Shen, E. Shi, B. Waters, Predicate privacy in encryption systems, in Proceedings of the 6th Theory of Cryptography Conference (2009), pp. 457–473
A. Sahai, B. Waters, Slides on functional encryption (2008). http://www.cs.utexas.edu/bwaters/presentations/files/functional.ppt
A. Sahai, B. Waters. How to use indistinguishability obfuscation: deniable encryption, and more, in Proceedings of the 46th Annual ACM Symposium on Theory of Computing (2014), pp. 475–484
B. Waters, A punctured programming approach to adaptively secure functional encryption, in Advances in Cryptology—CRYPTO ’15 (2015), pp. 678–697

Download references

Acknowledgements

We thank Eylon Yogev for various insightful discussions and the EUROCRYPT ’16 and Journal of Cryptology reviewers for their useful comments.

Author information

Authors and Affiliations

Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, 76100, Rehovot, Israel
Zvika Brakerski & Ilan Komargodski
School of Computer Science and Engineering, Hebrew University of Jerusalem, 91904, Jerusalem, Israel
Gil Segev

Authors

Zvika Brakerski
View author publications
You can also search for this author in PubMed Google Scholar
Ilan Komargodski
View author publications
You can also search for this author in PubMed Google Scholar
Gil Segev
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ilan Komargodski.

Additional information

Communicated by Jonathan Katz.

Supported by the Israel Science Foundation (Grant No. 468/14) and by the Alon Young Faculty Fellowship.

Supported in part by a grant from the I-CORE Program of the Planning and Budgeting Committee, the Israel Science Foundation, BSF and the Israeli Ministry of Science and Technology.

Supported by the European Union’s 7th Framework Program (FP7) via a Marie Curie Career Integration Grant (Grant No. 618094), by the European Union’s Horizon 2020 Framework Program (H2020) via an ERC Grant (Grant No. 714253), by the Israel Science Foundation (Grant No. 483/13), by the Israeli Centers of Research Excellence (I-CORE) Program (Center No. 4/11), by the US-Israel Binational Science Foundation (Grant No. 2014632), and by a Google Faculty Research Award.

Appendices

Generalization to $\varvec{t\ge 2}$ Inputs

In this section we generalize our results to more than two inputs. In “Appendix A.1” we generalize the definitions introduced in Sect. 2.3, and in “Appendices A.2 and A.3” we generalize the constructions from Sects. 3 and 4, respectively. More precisely, in “Appendix A.2” we show how to obtain a selectively secure t-input scheme assuming any fully secure $(t-1)$-input scheme. Then, in “Appendix A.3” we show how to obtain a fully secure t-input scheme assuming any fully secure $(t-1)$-input scheme and a selectively secure t-input scheme.

1.1 Private-Key $\varvec{t}$-Input Functional Encryption

In this section we generalize the framework introduced in Sect. 2.3 to the general case of t-input schemes (Sect. 2.3 dealt with the case $t=2$).

For $i\in [t]$ let $\mathcal {X}_i = \{(\mathcal {X}_i)_{\lambda }\}_{\lambda \in \mathbb {N}}$ be an ensemble of finite sets, and let $\mathcal {F}= \{\mathcal {F}_{\lambda }\}_{\lambda \in \mathbb {N}}$ be an ensemble of finite t-ary function families. For each $\lambda \in \mathbb {N}$, each function $f\in \mathcal {F}_{\lambda }$ takes as input t strings, $x_1\in (\mathcal {X}_1)_\lambda ,\ldots ,x_t\in (\mathcal {X}_t)_\lambda $, and outputs a value $f(x_1,\ldots ,x_t) \in \mathcal {Z}_{\lambda }$. A private-key t-input functional encryption scheme $\Pi $ for $\mathcal {F}$ consists of four probabilistic polynomial-time algorithm $\mathsf {Setup}$, $\mathsf {Enc}$, $\mathsf {KG}$ and $\mathsf {Dec}$, described as follows. The setup algorithm $\mathsf {Setup}(1^\lambda )$ takes as input the security parameter $\lambda $ and outputs a master secret key $\mathsf {msk}$. The encryption algorithm $\mathsf {Enc}(\mathsf {msk}, m, \mathsf {i})$ takes as input a master secret key $\mathsf {msk}$, a message m, and an index $\mathsf {i}\in [t]$, where $m\in (\mathcal {X}_\mathsf {i})_\lambda $, and outputs a ciphertext $\mathsf {ct}_\mathsf {i}$. The key-generation algorithm $\mathsf {KG}(\mathsf {msk}, f)$ takes as input a master secret key $\mathsf {msk}$ and a function $f\in \mathcal {F}_\lambda $ and outputs a functional key $\mathsf {sk}_f$. The (deterministic) decryption algorithm $\mathsf {Dec}$ takes as input a functional key $\mathsf {sk}_f$ and t ciphertexts, $\mathsf {ct}_1,\ldots ,\mathsf {ct}_t$, and outputs a string $z\in \mathcal {Z}_\lambda \cup \{ \bot \}$.

Definition A.1

(Correctness) A private-key t-input functional encryption scheme $\Pi = (\mathsf {Setup}, \mathsf {Enc}, \mathsf {KG}, \mathsf {Dec})$ for $\mathcal {F}$ is correct if there exists a negligible function ${\mathsf {neg}}(\cdot )$ such that for every $\lambda \in \mathbb {N}$, for every $f\in \mathcal {F}_\lambda $, and for every $(x_1,\ldots ,x_t) \in (\mathcal {X}_1)_\lambda \times \cdots \times (\mathcal {X}_t)_\lambda $, it holds that

$$\begin{aligned} \Pr \big [\mathsf {Dec}(\mathsf {sk}_f, \mathsf {Enc}(\mathsf {msk}, x_1, 1),\ldots ,\mathsf {Enc}(\mathsf {msk}, x_t, t)) = f(x_1,\ldots ,x_t)\big ] \ge 1- {\mathsf {neg}}(\lambda ), \end{aligned}$$

where $\mathsf {msk}\leftarrow \mathsf {Setup}(1^{\lambda })$, $\mathsf {sk}_f \leftarrow \mathsf {KG}(\mathsf {msk}, f)$, and the probability is taken over the internal randomness of $\mathsf {Setup}, \mathsf {Enc}$ and $\mathsf {KG}$.

Next, we generalize the security definitions from Sect. 2.3 to the t-input case. As in Sect. 2.3, we start by defining the notion of a valid t-input adversary. Then, we define full security and selective-message security.

Definition A.2

(Valid t-input adversary) A probabilistic polynomial-time algorithm ${\mathcal {A}}$ is a valid t-input adversary if for all private-key t-input functional encryption schemes $\Pi = (\mathsf {Setup},\mathsf {KG},\mathsf {Enc},\mathsf {Dec})$ over a message space $\mathcal {X}_1\times \cdots \times \mathcal {X}_t= \{(\mathcal {X}_1)_\lambda \}_{\lambda \in \mathbb {N}}\times \cdots \times \{(\mathcal {X}_t)_\lambda \}_{\lambda \in \mathbb {N}}$ and a function space $\mathcal {F}= \{\mathcal {F}_\lambda \}_{\lambda \in \mathbb {N}}$, for all $\lambda \in \mathbb {N}$ and $b\in \{ 0,1 \}$, and for all $(f_0,f_1)\in \mathcal {F}_\lambda $ and $((x^0_{i}, x^1_{i}),i)\in \mathcal {X}_i\times \mathcal {X}_i\times \{i\}$ (where $i\in [t]$) with which ${\mathcal {A}}$ queries the left-or-right key-generation and encryption oracles, respectively, it holds that $f_0(x^0_1,\ldots ,x^0_t) = f_1(x^1_1,\ldots ,x^1_t)$.

Definition A.3

(Full security) A private-key t-input functional encryption scheme $\Pi = (\mathsf {Setup},\mathsf {KG},\mathsf {Enc},\mathsf {Dec})$ over a message space $\mathcal {X}_1\times \cdots \times \mathcal {X}_t= \{(\mathcal {X}_1)_\lambda \}_{\lambda \in \mathbb {N}}\times \cdots \times \{(\mathcal {X}_t)_\lambda \}_{\lambda \in \mathbb {N}}$ and a function space $\mathcal {F}= \{\mathcal {F}_\lambda \}_{\lambda \in \mathbb {N}}$ is fully secure if for any valid t-input adversary ${\mathcal {A}}$ there exists a negligible function ${\mathsf {neg}}(\cdot )$ such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {fullFE_t}}_{\Pi ,\mathcal {F},{\mathcal {A}}} \mathop {=}\limits ^\mathsf{def} \left| \Pr \left[ \mathsf {Exp}^{\mathsf {fullFE_t}}_{\Pi , \mathcal {F}, {\mathcal {A}}}(\lambda ) = 1 \right] - \frac{1}{2} \right| \le {\mathsf {neg}}(\lambda ), \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$, where the random variable $\mathsf {Exp}^{\mathsf {fullFE_t}}_{\Pi , \mathcal {F}, {\mathcal {A}}}(\lambda )$ is defined via the following experiment:

1.
$\mathsf {msk}\leftarrow \mathsf {Setup}(1^{\lambda })$, $b\leftarrow \{ 0,1 \}$.
2.
$b' \leftarrow {\mathcal {A}}^{\mathsf {KG}_b(\mathsf {msk},\cdot ,\cdot ),\mathsf {Enc}_b(\mathsf {msk},(\cdot ,\cdot ),\cdot )}\left( 1^{\lambda }\right) $.
3.
If $b' = b$ then output 1, and otherwise output 0.

Definition A.4

(Selective-message security) A private-key t-input functional encryption scheme $\Pi = (\mathsf {Setup}, \mathsf {KG}, \mathsf {Enc}, \mathsf {Dec})$ over a message space $\mathcal {X}_1\times \cdots \times \mathcal {X}_t= \{(\mathcal {X}_1)_\lambda \}_{\lambda \in \mathbb {N}}\times \cdots \times \{(\mathcal {X}_t)_\lambda \}_{\lambda \in \mathbb {N}}$ and a function space $\mathcal {F}= \{\mathcal {F}_\lambda \}_{\lambda \in \mathbb {N}}$ is selective-message secure if for any valid t-input adversary ${\mathcal {A}}= ({\mathcal {A}}_1, {\mathcal {A}}_2)$ there exists a negligible function ${\mathsf {neg}}(\lambda )$ such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {selFE_t}}_{\Pi ,\mathcal {F},{\mathcal {A}}} \mathop {=}\limits ^\mathsf{def} \left| \Pr \left[ \mathsf {Exp}^{\mathsf {selFE_t}}_{\Pi , \mathcal {F}, {\mathcal {A}}}(\lambda ) = 1 \right] - \frac{1}{2} \right| \le {\mathsf {neg}}(\lambda ), \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$, where the random variable $\mathsf {Exp}^{\mathsf {selFE_t}}_{\Pi , \mathcal {F}, {\mathcal {A}}}(\lambda )$ is defined via the following experiment:

1.
$\left( \vec {x_1},\ldots ,\vec {x_t},\mathsf {state}\right) \leftarrow {\mathcal {A}}_1^{}\left( 1^{\lambda }\right) $, where $\vec {x_i} = ((x^0_{i, 1},x^1_{i, 1}), \ldots , (x^0_{i, T},x^1_{i, T}))$ for $i\in [t]$.
2.
$\mathsf {msk}\leftarrow \mathsf {Setup}(1^{\lambda })$, $b\leftarrow \{ 0,1 \}$.
3.
$\mathsf {ct}_{i, j} \leftarrow \mathsf {Enc}(\mathsf {msk}, x^{b}_{i, j}, 1)$ for $i\in [t]$ and $j\in [T]$.
4.
$b' \leftarrow {\mathcal {A}}_2^{\mathsf {KG}_b(\mathsf {msk},\cdot ,\cdot )}\left( 1^{\lambda }, \{\mathsf {ct}_{i,j}\}_{i\in [t], j\in [T]},\mathsf {state}\right) $.
5.
If $b' = b$ then output 1, and otherwise output 0.

1.2 A Selectively Secure $\varvec{t}$-Input Scheme from any $\varvec{(t-1)}$-Input Scheme

In this section we generalize the construction from Sect. 3 by presenting a construction of a selectively secure t-input scheme assuming any fully secure $(t-1)$-input scheme. Let $\mathcal {F}= \{ \mathcal {F}_{\lambda } \}_{\lambda \in \mathbb {N}}$ be a family of t-input functionalities, where for every $\lambda \in \mathbb {N}$ the set $\mathcal {F}_{\lambda }$ consists of functions of the form $f : (\mathcal {X}_1)_{\lambda } \times \cdots \times (\mathcal {X}_{t})_{\lambda } \rightarrow \mathcal {Z}_{\lambda }$. Our construction relies on the following building blocks:

1.
A private-key single-input functional encryption scheme $\mathsf {FE}_1= ({\mathsf {FE}_1\mathsf {.S}}, {\mathsf {FE}_1\mathsf {.KG}}, {\mathsf {FE}_1\mathsf {.E}}, {\mathsf {FE}_1\mathsf {.D}})$.
2.
A private-key $(t-1)$-input functional encryption scheme $\mathsf {FE}^\mathsf{sel}_{t-1}= ({\mathsf {FE}^\mathsf{sel}_{t-1}\mathsf {.S}}, {\mathsf {FE}^\mathsf{sel}_{t-1}\mathsf {.KG}}, {\mathsf {FE}^\mathsf{sel}_{t-1}\mathsf {.E}}, {\mathsf {FE}^\mathsf{sel}_{t-1}\mathsf {.D}})$.
3.
A pseudorandom function family $\mathsf {PRF}= (\mathsf {PRF.Gen},\mathsf {PRF.Eval})$.

Our scheme $\mathsf {FE}^\mathsf{sel}_t= ({\mathsf {FE}^\mathsf{sel}_t\mathsf {.S}}, {\mathsf {FE}^\mathsf{sel}_t\mathsf {.KG}}, {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}, {\mathsf {FE}^\mathsf{sel}_t\mathsf {.D}})$ is defined as follows.

The setup algorithm On inputting the security parameter $1^{\lambda }$ the setup algorithm ${\mathsf {FE}^\mathsf{sel}_t\mathsf {.S}}$ samples $\mathsf {msk_{out}}\leftarrow {\mathsf {FE}_1\mathsf {.S}}(1^{\lambda })$,$\mathsf {msk_{in}}\leftarrow {\mathsf {FE}^\mathsf{sel}_{t-1}\mathsf {.S}}(1^{\lambda })$ and outputs $\mathsf {msk}= (\mathsf {msk_{out}},\mathsf {msk_{in}})$.
The key-generation algorithm On inputting the master secret key $\mathsf {msk}$ and a function $f \in \mathcal {F}_{\lambda }$, the key-generation algorithm ${\mathsf {FE}^\mathsf{sel}_t\mathsf {.KG}}$ samples a random string $z\leftarrow \{ 0,1 \}^\lambda $ and outputs $\mathsf {sk}_{f} \leftarrow {\mathsf {FE}_1\mathsf {.KG}}(\mathsf {msk_{out}}, {D_{f,\bot ,z,\bot }})$, where $D_{f,\bot ,z,\bot }$ is a single-input function that is defined in Fig. 6.
The encryption algorithm On inputting the master secret key $\mathsf {msk}$, a message m, and an index $\mathsf {i}\in [t]$, the encryption algorithm ${\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}$ has two cases:
- If $(m,\mathsf {i}) = (x_1,1)$, it samples a master secret key $\mathsf {msk}^\mathsf {\star }\leftarrow {\mathsf {FE}^\mathsf{sel}_{t-1}\mathsf {.S}}(1^\lambda )$, a PRF key $K\leftarrow \mathsf {PRF.Gen}(1^{\lambda })$, and a random string $s\in \{ 0,1 \}^\lambda $, and then outputs a pair $(\mathsf {ct}_1, \mathsf {sk}_1)$ defined as follows:
  $$\begin{aligned} \mathsf {ct}_1\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}(\mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }, K, 0))\\ \mathsf {sk}_1\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_{t-1}\mathsf {.KG}}(\mathsf {msk_{in}}, \mathsf {AGG}_{x_1,\bot ,0,s,\mathsf {msk}^\mathsf {\star },K}), \end{aligned}$$
  where $\mathsf {AGG}_{x,\bot ,0,\mathsf {msk}^\mathsf {\star },K}$ is a $(t-1)$-input function that is defined in Fig. 7.
- If $(m,\mathsf {i}) = (x_i,i)$ where $i \in \{2, \ldots , t\}$, it samples a random string $\tau _i\in \{ 0,1 \}^\lambda $ and outputs
  $$\begin{aligned} \mathsf {ct}_i \leftarrow {\mathsf {FE}^\mathsf{sel}_{t-1}\mathsf {.E}}(\mathsf {msk_{in}}, (x_i,\bot ,\tau _i, \bot ,\bot ), i-1). \end{aligned}$$
The decryption algorithm On inputting a functional key $\mathsf {sk}_f$ and ciphertexts $(\mathsf {ct}_1, \mathsf {sk}_1), \mathsf {ct}_2, \ldots , \mathsf {ct}_{t}$, the decryption algorithm ${\mathsf {FE}^\mathsf{sel}_t\mathsf {.D}}$ computes $(\mathsf {ct}'_2, \ldots , \mathsf {ct}'_{t}) = {\mathsf {FE}^\mathsf{sel}_{t-1}\mathsf {.D}}(\mathsf {sk}_1, (\mathsf {ct}_2, \ldots , \mathsf {ct}_{t}))$, $\mathsf {sk}' = {\mathsf {FE}_1\mathsf {.D}}(\mathsf {sk}_f, \mathsf {ct}_1)$ and outputs ${\mathsf {FE}^\mathsf{sel}_{t-1}\mathsf {.D}}(\mathsf {sk}', (\mathsf {ct}'_2, \ldots , \mathsf {ct}'_{t}))$.

Theorem A.5

Assuming that (1) $\mathsf {FE}_1$ is fully secure, (2) $\mathsf {FE}^\mathsf{sel}_{t-1}$ is selective-message secure, and (3) $\mathsf {PRF}$ is a pseudorandom function family, then $\mathsf {FE}^\mathsf{sel}_t$ is selective-message secure.

As in Theorem 3.1, we note that for proving that $\mathsf {FE}^\mathsf{sel}_t$ is selective-message secure it suffices to require selective-message security from $\mathsf {FE}_1$. However, given the generic transformation for single-input schemes [3, 16] (from selective security to adaptive security and from message security to full security, respectively), for simplifying the proof of Theorem A.5 we assume that $\mathsf {FE}_1$ is fully secure.

Theorem A.5

Let ${\mathcal {A}}=({\mathcal {A}}_1,{\mathcal {A}}_2)$ be a valid adversary that issues at most $T_{\mathsf {i}} = T_{\mathsf {i}}(\lambda )$ encryption queries with respect to index $\mathsf {i}\in [t]$ and at most $T_{0}=T_0(\lambda )$ key-generation queries (note that $T_0,\ldots , T_{t}$ may be any polynomials and are not fixed in advance). We assume for simplicity and without loss of generality that $T_0=\cdots =T_{t}\mathop {=}\limits ^\mathsf{def} T$.

We present a sequence of experiments and upper bound ${\mathcal {A}}$’s advantage in distinguishing each two consecutive experiments. The first experiment is the experiment $\mathsf {Exp}^{\mathsf {selFE_t}}_{\mathsf {FE}^\mathsf{sel}_t, \mathcal {F}, {\mathcal {A}}}(\lambda )$ (see Definition A.4), and the last experiment is completely independent of the bit b. This enables us to prove that there exists a negligible function ${\mathsf {neg}}(\cdot )$ such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {selFE_t}}_{\mathsf {FE}^\mathsf{sel}_t, \mathcal {F}, {\mathcal {A}}}(\lambda ) \mathop {=}\limits ^\mathsf{def} \left| \Pr \left[ \mathsf {Exp}^{\mathsf {selFE_t}}_{\mathsf {FE}^\mathsf{sel}_t, \mathcal {F}, {\mathcal {A}}}(\lambda ) = 1 \right] - \frac{1}{2} \right| \le {\mathsf {neg}}(\lambda ) \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$. In what follows we first describe the notation used throughout the proof and then describe the experiments.

Notation. We denote the ${i}{\mathrm{th}}$ ciphertext with respect to $\mathsf {i}=1$ by $(\mathsf {sk}_{1,i},\mathsf {ct}_{1,i})$ and the ${i}{\mathrm{th}}$ ciphertext with respect to $\mathsf {i}=\ell $, where $2 \le \ell \le t$, by $\mathsf {ct}_{\ell ,i}$. We denote the ${i}{\mathrm{th}}$ encryption query corresponding to the index $\mathsf {i}=1$ by $(x^0_{1,i},x^1_{1,i})$, the random strings used for generating the resulting $\mathsf {sk}_{1,i}$ by $s_i$, the master secret key and the PRF key used for generating the resulting $\mathsf {ct}_{1,i}$ and $\mathsf {sk}_{1,i}$ by $\mathsf {msk}^\mathsf {\star }_i$ and $K_i$, respectively. We denote the ${i}{\mathrm{th}}$ encryption query corresponding to the index $\mathsf {i}=\ell $, where $2\le \ell \le t$ by $(x^0_{\ell ,i},x^1_{\ell ,i})$, and the randomness used for generating the resulting $\mathsf {ct}_{\ell ,i}$ by $\tau _{\ell ,i}$. Finally, we denote by $(f^0_1, f^1_1),\ldots ,(f^0_T, f^1_T)$ the function pairs with which the adversary queries the key-generation oracle and by $z_1,\ldots ,z_T$ the corresponding random strings used for generating $\mathsf {sk}_{f_1}, \ldots , \mathsf {sk}_{f_T}$.

Experiment $\varvec{\mathcal {H}^{(0)}(\lambda )}$. This is the original experiment corresponding to $b\leftarrow \{ 0,1 \}$ chosen uniformly at random, namely $\mathsf {Exp}^{\mathsf {selFE_t}}_{\mathsf {FE}^\mathsf{sel}_t, \mathcal {F}, {\mathcal {A}}}(\lambda )$. In this experiment the encryptions are generated as follows.

Ciphertexts ($i=1,\ldots ,T$, $2 \le \ell \le t$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}(\mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 0))\\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}(\mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},\bot ,0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}) \\ \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}(\mathsf {msk_{in}}, (x^b_{\ell ,i},\bot ,\tau _{\ell ,i}, \bot ,\bot ), \ell -1) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {FE}_1\mathsf {.KG}}(\mathsf {msk_{out}}, {D_{f^b_i,\bot ,z_i,\bot }}) \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(1)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(0)}(\lambda )$ by modifying the encryptions as follows. Given inputs $(x^0_{\ell ,i},x^1_{\ell ,i})$, instead of setting the field $x_1$ to be $\bot $ we set it to be $x^1_{\ell ,i}$. The scheme has the following form:

Ciphertexts ($i=1,\ldots ,T$, $2 \le \ell \le t$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 0)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},\boxed {x^1_{1,i}},0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, (x^b_{\ell ,i},\boxed {x^1_{\ell ,i}},\tau _{\ell ,i}, \bot ,\bot ), \ell -1\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {FE}_1\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,\bot ,z_i,\bot }}\right) \end{aligned}$$

As in Claim 3.2, we have the following claim:

Claim A.6

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(0) \rightarrow (1)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(0)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(1)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {selFE_{t-1}}}_{\mathsf {FE}^\mathsf{sel}_{t-1}, \mathcal {F}', {\mathcal {B}}^{(0) \rightarrow (1)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(2)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(1)}(\lambda )$ by modifying the functional keys as follows. Given inputs $(f^0,f^1)$, instead of setting the fields $f_1,f_2$ to be $f^b,\bot $ we set it to be $f^b,f^1$. The scheme has the following form:

Ciphertexts ($i=1,\ldots ,T$, $2 \le \ell \le t$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, 0\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \\ \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, (x^b_{\ell ,i},{x^1_{\ell ,i}},\tau _{\ell ,i}, \bot ,\bot ), \ell -1\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {FE}_1\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,\boxed {f^1_i},z_i,\bot }}\right) \end{aligned}$$

As in Claim 3.3 we have the following claim:

Claim A.7

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(1) \rightarrow (2)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(1)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(2)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {FE}_1, \mathcal {F}'', {\mathcal {B}}^{(1) \rightarrow (2)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(3,j)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(2)}(\lambda )$ by modifying the encryptions as follows. The first $j-1$ ciphertexts are generated such that $a=1$ and $w=1$, while the rest of the encryptions are generated as before.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, \boxed {1}\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},\boxed {1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=j,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 0)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=1,\ldots ,T$, $2 \le \ell \le t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, (x^b_{\ell ,i},{x^1_{\ell ,i}},\tau _{\ell ,i}, \bot ,\bot ), \ell -1\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {FE}_1\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,f^1_i,z_i,\bot }}\right) \end{aligned}$$

Notice that $\mathcal {H}^{(3,1)}= \mathcal {H}^{(2)}$.

Experiment $\varvec{\mathcal {H}^{(4,j)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(3,j)}(\lambda )$ by modifying the ${j}{\mathrm{th}}$ ciphertext to not include the master secret key $\mathsf {msk}^\mathsf {\star }_j$ and the PRF key ${K_j}$ (that is, we replace them with $\bot $’s). Moreover, for every $i\in [T]$ in the ${i}{\mathrm{th}}$ ciphertext corresponding to $\mathsf {i}= 2$ we hardwire the pair $(s_j,\gamma )$, where $\gamma = {\mathsf {FE}_{t-1}\mathsf {.E}}(\mathsf {msk}^\mathsf {\star }_j, (x^b_{1,j}, x^b_{2,i}), 1 ; \mathsf {PRF.Eval}(K_j, \tau _{2,i}))$. Similarly, for every $i\in [T]$ in the ${i}{\mathrm{th}}$ ciphertext corresponding to $\mathsf {i}= \ell > 2$ we hardwire the pair $(s_j,\gamma )$, where $\gamma = {\mathsf {FE}_{t-1}\mathsf {.E}}(\mathsf {msk}^\mathsf {\star }_j, x^b_{\ell ,i}, \ell -1 ; \mathsf {PRF.Eval}(K_j, \tau _{\ell ,i}))$

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, {1}\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},{1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star }_i, K_i, 0)\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},0,s_i,\boxed {\bot },\boxed {\bot }}\right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, 0\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( x^b_{2,i},{x^1_{2,i}},\tau _{2,i}, \boxed {s_j,\gamma }\right) , 1\right) \\&\gamma = {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, (x^b_{1,j}, x^b_{2,i}), 1 ; \mathsf {PRF.Eval}(K_j, \tau _{2,i})\right) \end{aligned}$$
Ciphertexts ($i=1,\ldots ,T$, $3 \le \ell \le t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( x^b_{\ell ,i},{x^1_{\ell ,i}},\tau _{\ell ,i}, \boxed {s_j,\gamma }\right) , \ell -1\right) \\&\gamma = {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, x^b_{\ell ,i}, \ell -1 ; \mathsf {PRF.Eval}\left( K_j, \tau _{\ell ,i}\right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {FE}_1\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,{f^1_i},z_i,\bot }}\right) \end{aligned}$$

As in Claim 3.4 we have the following claim:

Claim A.8

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(3,j) \rightarrow (4,j)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(3,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(4,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {selFE_{t-1}}}_{\mathsf {FE}^\mathsf{sel}_{t-1}, \mathcal {F}', {\mathcal {B}}^{(3,j) \rightarrow (4,j)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(5,j)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(4,j)}(\lambda )$ by modifying the ${j}{\mathrm{th}}$ ciphertext as follows. We replace $(\mathsf {msk}^\mathsf {\star }_j,K_j, 0)$ with $(\bot , \bot , 0)$. Moreover, in the ${i}{\mathrm{th}}$ functional key corresponding to the functions $(f^0_i,f^1_i)$ we hardwire the value $\delta = {\mathsf {FE}_{t-1}\mathsf {.KG}}(\mathsf {msk}^\mathsf {\star }_j, C_{f^b_i} ; \mathsf {PRF.Eval}(K_j, z_i))$.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, {1}\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},{1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \boxed {\bot }, \boxed {\bot }, 0\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},0,s_i,{\bot },{\bot }}\right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, 0\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, (x^b_{2,i},{x^1_{2,i}},\tau _{2,i}, {s_j,\gamma }), 1\right) \\&\gamma = {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, (x^b_{1,j}, x^b_{2,i}), 1 ; \mathsf {PRF.Eval}(K_j, \tau _{2,i})\right) \end{aligned}$$
Ciphertexts ($i=1,\ldots ,T$, $3 \le \ell \le t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, (x^b_{\ell ,i},{x^1_{\ell ,i}},\tau _{\ell ,i}, {s_j,\gamma }), \ell -1\right) \\&\gamma = {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, x^b_{\ell ,i}, \ell -1 ; \mathsf {PRF.Eval}\left( K_j, \tau _{\ell ,i}\right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,{f^1_i},z_i,\boxed {\delta }}}\right) \\&\delta = {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}^\mathsf {\star }_j, C_{f^b_i} ; \mathsf {PRF.Eval}(K_j, z_i)\right) \end{aligned}$$

As in Claim 3.5 we have the following claim:

Claim A.9

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(4,j) \rightarrow (5,j)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(4,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(5,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {FE}_1, \mathcal {F}', {\mathcal {B}}^{(4,j) \rightarrow (5,j)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(6,j)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(5,j)}(\lambda )$ by modifying the hardwired value of the $\gamma $’s and the $\delta $’s to use randomness sampled uniformly at random rather than randomness generated using a PRF.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, {1}\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},{1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( {\bot }, {\bot }, 0\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},0,s_i,{\bot },{\bot }}\right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, 0\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, (x^b_{2,i},{x^1_{2,i}},\tau _{2,i}, {s_j,\gamma }), 1\right) \\&\boxed {\gamma } = {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, (x^b_{1,j}, x^b_{2,i}), 1\right) \end{aligned}$$
Ciphertexts ($i=1,\ldots ,T$, $3 \le \ell \le t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, (x^b_{\ell ,i},{x^1_{\ell ,i}},\tau _{\ell ,i}, {s_j,\gamma }), \ell -1\right) \\&\boxed {\gamma } = {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, x^b_{\ell ,i}, \ell -1\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,{f^1_i},z_i,{\delta }}}\right) \\&\boxed {\delta } = {\mathsf {FE}_{t-1}\mathsf {.KG}}(\mathsf {msk}^\mathsf {\star }_j, C_{f^b_i}) \end{aligned}$$

As in Claim 3.6 we have the following claim:

Claim A.10

For every $j\in [T]$ there exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(5,j)\rightarrow (6,j)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(5,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(6,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}_{\mathsf {PRF}, {\mathcal {B}}^{(5,j)\rightarrow (6,j)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(7,j)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(6,j)}(\lambda )$ by modifying the ciphertext as follows. In the ${i}{\mathrm{th}}$ ciphertext corresponding to $\mathsf {i}= 2$ we embed in $\gamma $ the encryption of $(x^1_{1,j}, x^1_{2,i})$ rather than $(x^b_{1,j}, x^b_{2,i})$. In the ${i}{\mathrm{th}}$ ciphertext corresponding to $\mathsf {i}= \ell > 2$ we embed in $\gamma $ the encryption of $x^1_{\ell ,i}$ rather than $x^b_{\ell ,i}$. Moreover, we replace the circuit embedded in $\delta $ in the ${i}{\mathrm{th}}$ functional key to be $C_{f^1_i}$ rather than $C_{f^b_i}$.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, {1}\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},{1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( {\bot }, {\bot }, 0\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},0,s_i,{\bot },{\bot }}\right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, 0\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( x^b_{2,i},{x^1_{2,i}},\tau _{2,i}, {s_j,\gamma }\right) , 1\right) \\&{\gamma } = {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, \boxed {\left( x^1_{1,j}, x^1_{2,i}\right) }, 1\right) \end{aligned}$$
Ciphertexts ($i=1,\ldots ,T$, $3 \le \ell \le t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( x^b_{\ell ,i},{x^1_{\ell ,i}},\tau _{\ell ,i}, {s_j,\gamma }\right) , \ell -1\right) \\&\gamma = {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, \boxed {x^1_{\ell ,i}}, \ell -1\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,{f^1_i},z_i,{\delta }}}\right) \\&{\delta } = {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}^\mathsf {\star }_j, \boxed {C_{f^1_i}}\right) \end{aligned}$$

As in Claim 3.7 we have the following claim:

Claim A.11

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(6,j) \rightarrow (7,j)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(6,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(7,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {selFE_{t-1}}}_{\mathsf {FE}_{t-1}, \mathcal {F}', {\mathcal {B}}^{(6,j) \rightarrow (7,j)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(8,j)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(7,j)}(\lambda )$ by modifying the hardwired values in the $\gamma $’s and in the $\delta $’s to use randomness generated using a PRF rather than randomness sampled uniformly at random.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, {1}\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},{1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( {\bot }, {\bot }, 0\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},0,s_i,{\bot },{\bot }}\right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, 0\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( x^b_{2,i},{x^1_{2,i}},\tau _{2,i}, {s_j,\gamma }\right) , 1\right) \\&\boxed {\gamma } = {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, \left( {x^1_{1,j}, x^1_{2,i}}\right) , 1 ; \mathsf {PRF.Eval}\left( K_j, \tau _{2,i}\right) \right) \end{aligned}$$
Ciphertexts ($i=1,\ldots ,T$, $3 \le \ell \le t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( x^b_{\ell ,i},{x^1_{\ell ,i}},\tau _{\ell ,i}, {s_j,\gamma }\right) , \ell -1\right) \\&\boxed {\gamma } = {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, {x^1_{\ell ,i}}, \ell -1 ; \mathsf {PRF.Eval}\left( K_j, \tau _{\ell ,i}\right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,{f^1_i},z_i,{\delta }}}\right) \\&\boxed {\delta } = {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}^\mathsf {\star }_j, {C_{f^1_i}} ; \mathsf {PRF.Eval}\left( K_j, z_i\right) \right) \end{aligned}$$

As in Claim 3.8 we have the following claim:

Claim A.12

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(7,j) \rightarrow (8,j)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(7,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(8,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}_{\mathsf {PRF}, {\mathcal {B}}^{(7,j)\rightarrow (8,j)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(9,j)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(8,j)}(\lambda )$ by modifying the ${j}{\mathrm{th}}$ ciphertext to contain the pair $(\mathsf {msk}^\mathsf {\star }_j,K_j, 1)$. Moreover, in the functional key corresponding to the function $f_i$ for $i\in [T]$ we remove the hardwired value $\delta $.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, {1}\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},{1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=j$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \boxed {\mathsf {msk}^\mathsf {\star }_i}, \boxed {K_i}, \boxed {1}\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},0,s_i,{\bot },{\bot }}\right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, 0\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{2,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( x^b_{2,i},{x^1_{2,i}},\tau _{2,i}, {s_j,\gamma }\right) , 1\right) \\&{\gamma } = {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, \left( {x^1_{1,j}, x^1_{2,i}}\right) ,1 ; \mathsf {PRF.Eval}\left( K_j, \tau _{2,i}\right) \right) \end{aligned}$$
Ciphertexts ($i=1,\ldots ,T$, $3 \le \ell \le t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( x^b_{\ell ,i},{x^1_{\ell ,i}},\tau _{\ell ,i}, {s_j,\gamma }\right) , \ell -1\right) \\&{\gamma } = {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}^\mathsf {\star }_j, {x^1_{\ell ,i}},\ell -1 ; \mathsf {PRF.Eval}\left( K_j, \tau _{\ell ,i}\right) \right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,{f^1_i},z_i,\boxed {\bot }}}\right) \end{aligned}$$

As in Claim 3.9 we have the following claim:

Claim A.13

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(8,j) \rightarrow (9,j)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(8,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(9,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {FE}_1, \mathcal {F}', {\mathcal {B}}^{(8,j) \rightarrow (9,j)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(10,j)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(9,j)}(\lambda )$ by modifying the ciphertexts as follows. For the ${i}{\mathrm{th}}$ ciphertext corresponding to $\mathsf {i}= \ell \ge 2$ we remove the hardwired pair $(s_j,\gamma )$. Moreover, we encrypt the ${j}{\mathrm{th}}$ ciphertext corresponding to $\mathsf {i}=1$ with $w=1$. Notice that $\mathcal {H}^{(10,j)} = \mathcal {H}^{(3,j+1)}$.

Ciphertexts ($i=1,\ldots ,\boxed {j}$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, {1}\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},{1},s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, 0\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},0,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=1,\ldots ,T$, $2 \le \ell \le t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( x^b_{\ell ,i},{x^1_{\ell ,i}},\tau _{\ell ,i}, \boxed {\bot ,\bot }\right) , \ell -1\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{f^b_i,{f^1_i},z_i,{\bot }}}\right) \end{aligned}$$

As in Claim 3.10 we have the following claim:

Claim A.14

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(9,j) \rightarrow (10,j)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(9,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(10,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {selFE_{t-1}}}_{\mathsf {FE}^\mathsf{sel}_{t-1}, \mathcal {F}', {\mathcal {B}}^{(9,j) \rightarrow (10,j)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(11)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(3,T+1)}(\lambda )$ by modifying the ciphertexts not to include $f^b_i$ at all.

Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, 1\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},1,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=1,\ldots ,T$, $2 \le \ell \le t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( x^b_{\ell ,i},{x^1_{\ell ,i}},\tau _{\ell ,i}, {\bot ,\bot }\right) , \ell -1\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{\boxed {\bot },{f^1_i},z_i,{\bot }}}\right) \end{aligned}$$

As in Claim 3.11 we have the following claim:

Claim A.15

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(3,T+1) \rightarrow (11)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(3,T+1)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(11)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {FE}_1, \mathcal {F}', {\mathcal {B}}^{(3,T+1) \rightarrow (11)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(12)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(11)}(\lambda )$ by modifying the ciphertexts not to include $x^b_{\mathsf {i},i}$ at all for $\mathsf {i}\in [t]$ and $i\in [T]$. Notice that this experiment is completely independent of the bit b, and therefore $\Pr [\mathcal {H}^{(12)}(\lambda ) = 1] = 1/2$.

Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk_{out}}, \left( \mathsf {msk}^\mathsf {\star }_i, K_i, 1\right) \right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk_{in}}, \mathsf {AGG}_{\boxed {\bot },{x^1_{1,i}},1,s_i,\mathsf {msk}^\mathsf {\star }_i,K_i}\right) \end{aligned}$$
Ciphertexts ($i=1,\ldots ,T$, $2 \le \ell \le t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk_{in}}, \left( \boxed {\bot },{x^1_{\ell ,i}},\tau _{\ell ,i}, {\bot ,\bot }\right) , \ell -1\right) \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {FE}_1\mathsf {.KG}}\left( \mathsf {msk_{out}}, {D_{{\bot },{f^1_i},z_i,{\bot }}}\right) \end{aligned}$$

As in Claim 3.12 we have the following claim:

Claim A.16

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(11) \rightarrow (12)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(11)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(12)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {selFE_{t-1}}}_{\mathsf {FE}^\mathsf{sel}_{t-1}, \mathcal {F}', {\mathcal {B}}^{(11) \rightarrow (12)}}(\lambda ). \end{aligned}$$

Finally, putting together Claims A.6–A.16 with the facts that $\mathcal {H}^{(0)}(\lambda ) = \mathsf {Exp}^{\mathsf {selFE_t}}_{\mathsf {FE}^\mathsf{sel}_t, \mathcal {F}, {\mathcal {A}}}(\lambda )$, $\mathcal {H}^{(2)}(\lambda ) = \mathcal {H}^{(3,1)}(\lambda )$, and $\Pr \left[ \mathcal {H}^{(12)}(\lambda ) = 1\right] = 1/2$, we observe that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {selFE_t}}_{\mathsf {FE}^\mathsf{sel}_t,\mathcal {F},{\mathcal {A}}}&\mathop {=}\limits ^\mathsf{def}&\left| \Pr \left[ \mathsf {Exp}^{\mathsf {selFE_t}}_{\mathsf {FE}^\mathsf{sel}_t, \mathcal {F}, {\mathcal {A}}}(\lambda ) = 1 \right] - \frac{1}{2} \right| \\= & {} \left| \Pr \left[ \mathcal {H}^{(0)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(12)}(\lambda ) = 1 \right] \right| \\\le & {} \sum _{i=0}^{1}\left| \Pr \left[ \mathcal {H}^{(i)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(i+1)}(\lambda ) = 1 \right] \right| \\&+ \sum _{i=1}^T \sum _{j=3}^{9} \left| \Pr \left[ \mathcal {H}^{(j,i)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(j+1,i)}(\lambda ) = 1 \right] \right| \\&+ \left| \Pr \left[ \mathcal {H}^{(3,T+1)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(11)}(\lambda ) = 1 \right] \right| \\&+ \left| \Pr \left[ \mathcal {H}^{(11)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(12)}(\lambda ) = 1 \right] \right| \\\le & {} {\mathsf {neg}}(\lambda ) . \end{aligned}$$

1.3 From Selective to Adaptive Security for $\varvec{t}$-Input Schemes

In this section we generalize the construction from Sect. 4 to get a fully secure t-input functional encryption scheme assuming any fully secure $(t-1)$-input functional encryption scheme and any selectively secure t-input functional encryption scheme. Our construction relies on the following building blocks:

1.
A private-key single-input functional encryption scheme $\mathsf {FE}_1= ({\mathsf {FE}_1\mathsf {.S}}, {\mathsf {FE}_1\mathsf {.KG}}, {\mathsf {FE}_1\mathsf {.E}}, {\mathsf {FE}_1\mathsf {.D}})$.
2.
A private-key $(t-1)$-input functional encryption scheme $\mathsf {FE}_{t-1}= ({\mathsf {FE}_{t-1}\mathsf {.S}}, {\mathsf {FE}_{t-1}\mathsf {.KG}}, {\mathsf {FE}_{t-1}\mathsf {.E}}, {\mathsf {FE}_{t-1}\mathsf {.D}})$.
3.
A private-key t-input functional encryption scheme $\mathsf {FE}^\mathsf{sel}_t= ({\mathsf {FE}^\mathsf{sel}_t\mathsf {.S}}, {\mathsf {FE}^\mathsf{sel}_t\mathsf {.KG}}, {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}, {\mathsf {FE}^\mathsf{sel}_t\mathsf {.D}})$.
4.
A puncturable pseudorandom function family $\mathsf {PRF}= (\mathsf {PRF.Gen}, \mathsf {PRF.Eval},\mathsf {PRF.Punc})$.

The scheme $\mathsf {FE}_t= ({\mathsf {FE}_t\mathsf {.S}}, {\mathsf {FE}_t\mathsf {.KG}}, {\mathsf {FE}_t\mathsf {.E}}, {\mathsf {FE}_t\mathsf {.D}})$ is defined as follows.

The setup algorithm On inputting the security parameter $1^{\lambda }$ the setup algorithm ${\mathsf {FE}_t\mathsf {.S}}$ samples $\mathsf {msk}_{t-1} \leftarrow {\mathsf {FE}_{t-1}\mathsf {.S}}(1^{\lambda })$ and $\mathsf {msk}_t \leftarrow {\mathsf {FE}^\mathsf{sel}_t\mathsf {.S}}(1^{\lambda })$ and then outputs $\mathsf {msk}= (\mathsf {msk}_{t-1}, \mathsf {msk}_t)$.
The key-generation algorithm On inputting the master secret key $\mathsf {msk}$ and a function $f \in \mathcal {F}_{\lambda }$, the key-generation algorithm ${\mathsf {FE}_t\mathsf {.KG}}$ outputs $\mathsf {sk}_{f} \leftarrow {\mathsf {FE}^\mathsf{sel}_t\mathsf {.KG}}(\mathsf {msk}_t, D_{f,\bot ,1,\underbrace{\bot ,\ldots ,\bot }_{t \text { times}},\bot })$, where $D_{f,\bot ,1,\underbrace{\bot ,\ldots ,\bot }_{t \text { times}},\bot }$ is a t-input function that is defined in Fig. 8.
The encryption algorithm On inputting the master secret key $\mathsf {msk}$, a message m, and an index $\mathsf {i}\in [2]$, the encryption algorithm ${\mathsf {FE}_{t-1}\mathsf {.E}}$ has two cases:
- If $(m,\mathsf {i}) = (x_1,1)$, it samples $\tau _1\leftarrow \{ 0,1 \}^\lambda $ uniformly at random, three PRF keys $K^\mathsf {enc},K^\mathsf {key},K^\mathsf {msk}\leftarrow \mathsf {PRF.Gen}(1^\lambda )$ and outputs a pair $(\mathsf {ct}_1,\mathsf {sk}_1)$ defined as follows:
  $$\begin{aligned} \mathsf {ct}_1\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}, K^\mathsf {key}, \tau _1, \underbrace{0,\ldots ,0}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_1\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x_1,\bot ,\underbrace{0,\ldots ,0}_{t-1 \text { times}}, \tau _1,K^\mathsf {msk}, K^\mathsf {enc}, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
  where the single-input function $\mathsf {AGG}_{x_1,\bot ,\underbrace{0,\ldots ,0}_{t-1 \text { times}}, \tau _1,K^\mathsf {msk}, K^\mathsf {enc}, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }$ is defined in Fig. 9.
- If $(m,\mathsf {i}) = (x_i,i)$ and $i>1$, it samples $\tau _i\leftarrow \{ 0,1 \}^\lambda $ uniformly at random and outputs a pair $(\mathsf {ct}_i, \mathsf {ct}'_i)$ defined as follows:
  $$\begin{aligned} \mathsf {ct}_{i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( 1, \tau _i\right) , i\right) \\ \mathsf {ct}'_{i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}_{t-1}, \left( x_i,\bot ,1,\tau _i,\underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot \right) , i-1\right) . \end{aligned}$$
The decryption algorithm On inputting a functional key $\mathsf {sk}_f$ and t ciphertexts $(\mathsf {ct}_1,\mathsf {sk}_1)$ and $(\mathsf {ct}_2, \mathsf {ct}'_2),\ldots ,(\mathsf {ct}_t, \mathsf {ct}'_t)$, the decryption algorithm ${\mathsf {FE}_t\mathsf {.D}}$ first computes the value $\mathsf {sk}' = {\mathsf {FE}^\mathsf{sel}_t\mathsf {.D}}(\mathsf {sk}_f, \mathsf {ct}_1,\ldots , \mathsf {ct}_t)$, then it computes the value $\mathsf {ct}' = {\mathsf {FE}_{t-1}\mathsf {.D}}(\mathsf {sk}_1, \mathsf {ct}'_2, \ldots ,\mathsf {ct}'_t)$, and finally, it outputs ${\mathsf {FE}_1\mathsf {.D}}(\mathsf {sk}', \mathsf {ct}')$.

The following theorem captures the security of the scheme. This theorem states that under suitable assumptions on the underlying building blocks, the t-input scheme $\mathsf {FE}_t$ is fully private (see Definition 2.7).

Theorem A.17

Let $t>1$ be any fixed integer. Assuming that (1) $\mathsf {FE}_1$ is fully secure, (2) $\mathsf {FE}_{t-1}$ is fully secure, (3) $\mathsf {FE}^\mathsf{sel}_t$ is selective-message secure, and (4) $\mathsf {PRF}$ is a puncturable pseudorandom function family, then $\mathsf {FE}_t$ is fully secure.

We note that the proof of Theorem A.17 assumes that t is a fixed constant. The reason for this limitation is that the number of hybrids in the proof of security is $\lambda ^{O(t)}$, where $\lambda $ is the security parameter, which is polynomial for any constant t. If we assume that the underlying building blocks are sub-exponentially secure, then the proof of Theorem A.17 can be used for a super-constant number of inputs.

Proof of Theorem A.17

Let ${\mathcal {A}}=({\mathcal {A}}_1,{\mathcal {A}}_2)$ be a valid adversary that issues at most $T_\mathsf {i}= T_\mathsf {i}(\lambda )$ encryption queries with respect to index $\mathsf {i}\in [t]$ and at most $T_{0}=T_0(\lambda )$ key-generation queries (note that $T_0,\ldots , T_{t}$ may be any polynomials and are not fixed in advance). We assume for simplicity and without loss of generality that $T_0=\cdots =T_{t}\mathop {=}\limits ^\mathsf{def} T$.

We present a sequence of experiments and upper bound ${\mathcal {A}}$’s advantage in distinguishing each two consecutive experiments. The first experiment is the experiment in which ${\mathcal {A}}$ gets oracle access to a left-or-right key-generation oracle $\mathsf {KG}_b(\mathsf {msk},\cdot ,\cdot )$ and to a left-or-right encryption oracle $\mathsf {Enc}_b(\mathsf {msk},(\cdot ,\cdot ),\cdot )$ for $b\leftarrow \{ 0,1 \}$ chosen uniformly at random (see Definition A.3), and the last experiment is completely independent of the bit b. This enables us to prove that there exists a negligible function ${\mathsf {neg}}(\cdot )$ such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {fullFE_t}}_{\mathsf {FE}_t,\mathcal {F},{\mathcal {A}}} \mathop {=}\limits ^\mathsf{def} \left| \Pr \left[ \mathsf {Exp}^{\mathsf {fullFE_t}}_{\mathsf {FE}_t, \mathcal {F}, {\mathcal {A}}}(\lambda ) = 1 \right] - \frac{1}{2} \right| \le {\mathsf {neg}}(\lambda ), \end{aligned}$$

for all sufficiently large $\lambda \in \mathbb {N}$. In what follows we first describe the notation used throughout the proof and then describe the experiments.

Notation. We denote the ${i}{\mathrm{th}}$ ciphertext with respect to $\mathsf {i}=1$ by $(\mathsf {sk}_{1,i},\mathsf {ct}_{1,i})$ and the ${i}{\mathrm{th}}$ ciphertext with respect to $\mathsf {i}=\ell $, where $2 \le \ell \le t$, by $(\mathsf {ct}_{\ell ,i},\mathsf {ct}'_{\ell ,i})$. We denote the ${i}{\mathrm{th}}$ encryption query corresponding to the index $\mathsf {i}=1$ by $(x^0_{1,i},x^1_{1,i})$, the random strings used for generating the resulting $\mathsf {sk}_{1,i}$ by $\tau _{1,i}$, the PRF keys used for generating the resulting $\mathsf {ct}_{1,i}$ and $\mathsf {sk}_{1,i}$ by $K^\mathsf {msk}_i, K^\mathsf {key}_i$ and $K^\mathsf {enc}_i$. We denote the ${i}{\mathrm{th}}$ encryption query corresponding to the index $\mathsf {i}=\ell \ge 2$ by $(x^0_{\ell ,i},x^1_{\ell ,i})$, and the randomness used for generating the resulting $(\mathsf {ct}_{\ell ,i},\mathsf {ct}'_{\ell ,i})$ by $\tau _{\ell ,i}$. Finally, we denote by $(f^0_1, f^1_1),\ldots ,(f^0_T, f^1_T)$ the function pairs with which the adversary queries the key-generation oracle to get $\mathsf {sk}_{f_1}, \ldots , \mathsf {sk}_{f_T}$.

Experiment $\varvec{\mathcal {H}^{(0)}(\lambda )}$. This is the original experiment corresponding to $b\leftarrow \{ 0,1 \}$ chosen uniformly at random. That is, ${\mathcal {A}}$ gets oracle access to the key-generation oracle $\mathsf {KG}_b(\mathsf {msk},\cdot )$ and oracle access to a left-or-right encryption oracle $\mathsf {Enc}_b(\mathsf {msk},(\cdot ,\cdot ),\cdot )$ where $b\leftarrow \{ 0,1 \}$ is chosen uniformly at random.

Ciphertexts ($i=1,\ldots ,T$, $\ell = 2,\ldots ,t$):
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{0,\ldots ,0}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}(\mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},\bot ,\underbrace{0,\ldots ,0}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot })\\ \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( 1, \tau _{\ell ,i}\right) , \ell \right) \\ \mathsf {ct}'_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}(\mathsf {msk}_{t-1}, (x^b_{\ell ,i},\bot ,1,\tau _{\ell ,i},\underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot ), \ell -1). \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {FE}^\mathsf{sel}_t\mathsf {.KG}}(\mathsf {msk}_2, {D_{f^b_i,\bot ,1,\underbrace{\bot ,\ldots ,\bot }_{t \text { times}},\bot }}) \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(1)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(0)}(\lambda )$ by modifying the encryptions as follows. Given inputs $(x^0_{\ell ,i},x^1_{\ell ,i})$, instead of setting the field $x_1$ to be $\bot $ we set it to be $x^1_{\ell ,i}$. In addition, in the encryptions $\mathsf {ct}'_{\ell ,i}$ corresponding to $\mathsf {i}=\ell \ge 2$ we embed a counter.

Ciphertexts ($i=1,\ldots ,T$, $\ell = 2,\ldots ,t$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{0,\ldots ,0}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},\boxed {x^1_{1,i}},\underbrace{0,\ldots ,0}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \\ \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( 1, \tau _{\ell ,i}\right) , \ell \right) \\ \mathsf {ct}'_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}_{t-1}, \left( x^b_{\ell ,i},\boxed {x^1_{\ell ,i}},\boxed {i},\tau _{\ell ,i},\underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot \right) , \ell -1\right) . \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {FE}^\mathsf{sel}_t\mathsf {.KG}}\left( \mathsf {msk}_2, {D_{f^b_i,\bot ,1,\underbrace{\bot ,\ldots ,\bot }_{t \text { times}},\bot }}\right) \end{aligned}$$

As in Claim 4.2 we have the following claim:

Claim A.18

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(0) \rightarrow (1)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(0)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(1)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {fullFE_{t-1}}}_{\mathsf {FE}_{t-1}, \mathcal {F}', {\mathcal {B}}^{(0) \rightarrow (1)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(2)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(1)}(\lambda )$ by modifying the functional keys follows. Given inputs $(f^0_i,f^1_i)$, instead of setting the field $f_1$ to be $\bot $ we set it to be $f^1_i$. In addition, in the ciphertexts $\mathsf {ct}_{\ell ,i}$ corresponding to $\mathsf {i}=\ell \ge 2$ and in the functional keys we embed a counter.

Ciphertexts ($i=1,\ldots ,T$, $\ell = 2,\ldots ,t$):
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{0,\ldots ,0}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},\underbrace{0,\ldots ,0}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \\ \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( \boxed {i}, \tau _{\ell ,i}\right) , \ell \right) \\ \mathsf {ct}'_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}_{t-1}, \left( x^b_{\ell ,i},{x^1_{\ell ,i}},{i},\tau _{\ell ,i},\underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot \right) , \ell -1\right) . \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {FE}^\mathsf{sel}_t\mathsf {.KG}}\left( \mathsf {msk}_t, {D_{f^b_i,\boxed {f^1_i},\boxed {i},\underbrace{\bot ,\ldots ,\bot }_{t \text { times}},\bot }}\right) \end{aligned}$$

As in Claim 4.3 we have the following claim:

Claim A.19

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(1) \rightarrow (2)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(1)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(2)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {selFE_t}}_{\mathsf {FE}^\mathsf{sel}_t, \mathcal {F}', {\mathcal {B}}^{(1) \rightarrow (2)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(3,j,k_2\ldots ,k_t)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(2)}(\lambda )$ by modifying the encryptions as follows. The first $j-1$ ciphertexts with respect to index $\mathsf {i}=1$ are generated such that $\mathsf {thr}_2,\ldots ,\mathsf {thr}_t=T$ and $w=1$, the ${j}{\mathrm{th}}$ ciphertext with respect to index $\mathsf {i}=1$ is generated such that $\mathsf {thr}_i=k_i$ for $i\in [T]$, and the rest of the ciphertexts are generated as before.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{\boxed {T,\ldots ,T}}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}}, \underbrace{\boxed {T,\ldots ,T}}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertexts ($i=j$)
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \boxed {k_2,\ldots ,k_t}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},\boxed {k_2,\ldots ,k_t}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$)
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{0,\ldots ,0}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},\underbrace{0,\ldots ,0}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertext ($i=1,\ldots ,T$, $\ell =2,\ldots ,t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( {i}, \tau _{\ell ,i}\right) , \ell \right) \\ \mathsf {ct}'_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}_{t-1}, \left( x^b_{\ell ,i},{x^1_{\ell ,i}},{i},\tau _{\ell ,i},\underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot \right) , \ell -1\right) . \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {FE}^\mathsf{sel}_t\mathsf {.KG}}\left( \mathsf {msk}_t, {D_{f^b_i,{f^1_i},{i},\underbrace{\bot ,\ldots ,\bot }_{t \text { times}},\bot }}\right) \end{aligned}$$

Notice that $\mathcal {H}^{(3,1,0,\ldots ,0)}= \mathcal {H}^{(2)}$.

Experiment $\varvec{\mathcal {H}^{(4,j,k_2\ldots ,k_t)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(3,j,k_2\ldots ,k_t)}(\lambda )$ by modifying the encryptions as follows. First, we sample in advance $\tau _{1,j}$, $\tau _{2,k_2},\ldots ,\tau _{t,k_t}$, $K^\mathsf {msk}_j$, $K^\mathsf {key}_j$ and $K^\mathsf {enc}_j$, and compute $\mathsf {msk}_{\tau _{1,j},\tau _{2,k_2},\ldots ,\tau _{t,k_t}} = {\mathsf {1FE}\mathsf {.S}}(1^\lambda ; \mathsf {PRF.Eval}(K^\mathsf {msk}_j, \tau _{2,k_2}\ldots \tau _{t,k_t}))$. Then, assume that the ${j}{\mathrm{th}}$ encryption comes after the ${k_i}{\mathrm{th}}$ encryption with respect to index $\mathsf {i}=i$ for all $i>1$. In this case, we embed into $\mathsf {sk}_{1,j}$ the values $(\tau _{2,k_2}, \ldots , \tau _{t,k_t}, \gamma )$ where $\gamma = {\mathsf {1FE}\mathsf {.E}}(\mathsf {msk}_{\tau _{1,j},\tau _{2,k_2},\ldots ,\tau _{t,k_t}}, (x^b_{1,j}, x^b_{2,k_2},\ldots ,x^b_{t,k_t}) ; \mathsf {PRF.Eval}(K^\mathsf {enc}_j, \tau _{2,k_2}\ldots \tau _{t,k_t}))$. (More generally, we embed into the ciphertext that comes last the corresponding values.) Finally, instead of using $K^\mathsf {msk}_j$ and $K^\mathsf {key}_j$ in the ${j}{\mathrm{th}}$ encryption with respect to $\mathsf {msk}_1$, we use ${K^\mathsf {msk}_j}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}$ and ${K^\mathsf {enc}_j}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}$ which are the keys $K^\mathsf {msk}_j$ and $K^\mathsf {enc}_j$ punctured at the point $\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}$.

For concreteness we assume that the latter is the case, namely that the ${j}{\mathrm{th}}$ encryption with respect to index $\mathsf {i}=1$ came after the ${k_i}{\mathrm{th}}$ encryption with respect to index $\mathsf {i}=i$ for every $i>1$ (the other cases are handled similarly).

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{{T,\ldots ,T}}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}}, \underbrace{{T,\ldots ,T}}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertexts ($i=j$)
$$\begin{aligned} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, {k_2,\ldots ,k_t}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{\genfrac{}{}{0.0pt}{}{x^b_{1,i},{x^1_{1,i}},{k_2,\ldots ,k_t},\tau _{1,i}, \boxed {{K^\mathsf {msk}_i}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}, }{\boxed {{K^\mathsf {enc}_i}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}},\boxed {\tau _{2,k_2},\ldots ,\tau _{t,k_t},\gamma }}}\right) \\&\mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}} = {\mathsf {FE}_1\mathsf {.S}}\left( 1^\lambda ; \mathsf {PRF.Eval}\left( K^\mathsf {msk}_i,\tau _{k_2}\ldots \tau _{k_t}\right) \right) \\&\gamma = {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}}, \left( x^b_{1, j},x^b_{2,k_2},\ldots ,x^b_{t,k_t}\right) ; \right. \\&\qquad \left. \mathsf {PRF.Eval}\left( K^\mathsf {enc}_i, \tau _{2,k_2}\ldots \tau _{t,k_t}\right) \right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$)
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{0,\ldots ,0}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},\underbrace{0,\ldots ,0}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertext ($i=1,\ldots ,T$, $\ell =2,\ldots ,t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( {i}, \tau _{\ell ,i}\right) , \ell \right) \\ \mathsf {ct}'_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}_{t-1}, \left( x^b_{\ell ,i},{x^1_{\ell ,i}},{i},\tau _{\ell ,i},\underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot \right) , \ell -1\right) . \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {FE}^\mathsf{sel}_t\mathsf {.KG}}\left( \mathsf {msk}_t, {D_{f^b_i,{f^1_i},{i},\underbrace{\bot ,\ldots ,\bot }_{t \text { times}},\bot }}\right) \end{aligned}$$

As in Claim 4.4 we have the following claim:

Claim A.20

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(3,j,k_2\ldots ,k_t) \rightarrow } {}^{(4,j,k_2\ldots ,k_t)}$ such that

$$\begin{aligned}&\left| \Pr \left[ \mathcal {H}^{(3,j,k_2\ldots ,k_t)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(4,j,k_2\ldots ,k_t)}(\lambda ) = 1 \right] \right| \\&\le \mathsf {Adv}^{\mathsf {fullFE_{t-1}}}_{\mathsf {FE}_{t-1}, \mathcal {F}', {\mathcal {B}}^{(3,j,k_2\ldots ,k_t) \rightarrow (4,j,k_2\ldots ,k_t)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(5,j,k_2\ldots ,k_t)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(4,j,k_2\ldots ,k_t)}(\lambda )$ by modifying the encryptions as follows. First, instead of using $K^\mathsf {msk}_j$ and $K^\mathsf {key}_j$ in the ${j}{\mathrm{th}}$ encryption with respect to $\mathsf {msk}_t$, we use ${K^\mathsf {msk}_j}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}$ and ${K^\mathsf {key}_j}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}$ which are the keys $K^\mathsf {msk}_j$ and $K^\mathsf {key}_j$ punctured at the point $\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}$. Second, we hardwire into every functional key for a pair $(f^0_i.f^1_i)$ the list $(\tau _{1,j},\tau _{2,k_2},\ldots ,\tau _{t,k_t}, \delta )$, where $\delta = {\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}_{\tau _{1,j},\tau _{2,k_2},\ldots ,\tau _{t,k_t}}, C_{f^b_i} ; \mathsf {PRF.Eval}(K^\mathsf {key}_j, \tau _{2,k_2}\ldots \tau _{t,k_t}))$.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{{T,\ldots ,T}}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}}, \underbrace{{T,\ldots ,T}}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertexts ($i=j$)
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( \boxed {{K^\mathsf {msk}_{i}}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}, \boxed {{K^\mathsf {key}_{i}}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}, \tau _{1,i}, {k_2,\ldots ,k_t}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},{k_2,\ldots ,k_t}, \tau _{1,i}, {{K^\mathsf {msk}_i}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}},{{K^\mathsf {enc}_i}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}},\right. \\&\left. {{\tau _{2,k_2},\ldots ,\tau _{t,k_t},\gamma }}\right) \\&\mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}} = {\mathsf {FE}_1\mathsf {.S}}\left( 1^\lambda ; \mathsf {PRF.Eval}\left( K^\mathsf {msk}_i,\tau _{k_2}\ldots \tau _{k_t}\right) \right) \\&\gamma = {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}}, \left( x^b_{1, j},x^b_{2,k_2},\ldots ,x^b_{t,k_t}\right) ;\right. \\&\qquad \left. \mathsf {PRF.Eval}\left( K^\mathsf {enc}_i, \tau _{2,k_2}\ldots \tau _{t,k_t}\right) \right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$)
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{0,\ldots ,0}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},\underbrace{0,\ldots ,0}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertext ($i=1,\ldots ,T$, $\ell =2,\ldots ,t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( {i}, \tau _{\ell ,i}\right) , \ell \right) \\ \mathsf {ct}'_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}_{t-1}, \left( x^b_{\ell ,i},{x^1_{\ell ,i}},{i},\tau _{\ell ,i},\underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot \right) , \ell -1\right) . \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.KG}}\left( \mathsf {msk}_t, {D_{f^b_i,{f^1_i},{i}, \boxed {\tau _{1,j},\tau _{2,k_2}\ldots ,\tau _{t,k_t},\delta }}}\right) \\&\mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}} = {\mathsf {FE}_1\mathsf {.S}}\left( 1^\lambda ; \mathsf {PRF.Eval}\left( K^\mathsf {msk}_i,\tau _{k_2}\ldots \tau _{k_t}\right) \right) \\&\delta = {\mathsf {FE}_1\mathsf {.KG}}\left( \mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}}, C_{f^b_i} ; \mathsf {PRF.Eval}\left( K^\mathsf {key}_j, \tau _{k_2}\ldots \tau _{k_t}\right) \right) \end{aligned}$$

As in Claim 4.5 we have the following claim:

Claim A.21

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(4,j,k_2\ldots ,k_t) \rightarrow } {}^{(5,j,k_2\ldots ,k_t)}$ such that

$$\begin{aligned}&\left| \Pr \left[ \mathcal {H}^{(4,j,k_2\ldots ,k_t)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(5,j,k_2\ldots ,k_t)}(\lambda ) = 1 \right] \right| \\&\le \mathsf {Adv}^{\mathsf {selFE_t}}_{\mathsf {FE}^\mathsf{sel}_t, \mathcal {F}', {\mathcal {B}}^{(4,j,k_2\ldots ,k_t) \rightarrow (5,j,k_2\ldots ,k_t)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(6,j,k_2\ldots ,k_t)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(5,j,k_2\ldots ,k_t)}(\lambda )$ by modifying the encryptions as follows. Instead of using randomness generated using a PRF we use randomness sampled uniformly at random. That is, $\mathsf {msk}_{\tau _{1,j},\tau _{2,k_2},\ldots ,\tau _{t,k_t}}$, $\gamma $ and $\delta $ are generated using randomness that is sampled uniformly at random rather than generated using a PRF. We emphasize that $\mathsf {msk}_{\tau _{1,j},\tau _{2,k_2},\ldots ,\tau _{t,k_t}}$ is computed in advance once as ${\mathsf {msk}_{\tau _{1,j},\tau _{2,k_2},\ldots ,\tau _{t,k_t}}} \leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{{T,\ldots ,T}}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}}, \underbrace{{T,\ldots ,T}}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertexts ($i=j$)
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( {{K^\mathsf {msk}_{i}}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}, {{K^\mathsf {key}_{i}}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}, \tau _{1,i}, {k_2,\ldots ,k_t}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},{k_2,\ldots ,k_t}, \tau _{1,i}, {{K^\mathsf {msk}_i}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}},{{K^\mathsf {enc}_i}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}},\right. \\&\left. {{\tau _{2,k_2},\ldots ,\tau _{t,k_t},\gamma }}\right) \\&\boxed {\mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}}} = {\mathsf {FE}_1\mathsf {.S}}\left( 1^\lambda \right) \\&\boxed {\gamma } = {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}}, \left( x^b_{1, j},x^b_{2,k_2},\ldots ,x^b_{t,k_t}\right) \right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$)
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{0,\ldots ,0}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},\underbrace{0,\ldots ,0}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertext ($i=1,\ldots ,T$, $\ell =2,\ldots ,t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( {i}, \tau _{\ell ,i}\right) , \ell \right) \\ \mathsf {ct}'_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}_{t-1}, \left( x^b_{\ell ,i},{x^1_{\ell ,i}},{i},\tau _{\ell ,i},\underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot \right) ,\ell -1\right) . \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.KG}}\left( \mathsf {msk}_t, {D_{f^b_i,{f^1_i},{i}, {\tau _{1,j},\tau _{2,k_2}\ldots ,\tau _{t,k_t},\delta }}}\right) \\&\boxed {\delta } = {\mathsf {FE}_1\mathsf {.KG}}\left( \mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}}, C_{f^b_i} \right) \end{aligned}$$

As in Claim 4.6 we have the following claim:

Claim A.22

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(5,j,k_2\ldots ,k_t) \rightarrow } {}^{(6,j,k_2\ldots ,k_t)}$ such that

$$\begin{aligned}&\left| \Pr \left[ \mathcal {H}^{(5,j,k_2\ldots ,k_t)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(6,j,k_2\ldots ,k_t)}(\lambda ) = 1 \right] \right| \\&\le 3\cdot \mathsf {Adv}_{\mathsf {PRF}, {\mathcal {B}}^{(5,j,k_2\ldots ,k_t)\rightarrow (6,j,k_2\ldots ,k_t)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(7,j,k_2\ldots ,k_t)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(6,j,k_2\ldots ,k_t)}(\lambda )$ by modifying the encryptions as follows. Instead of having $(x^b_{1, j},x^b_{2,k_2},\ldots ,x^b_{t,k_t})$ hardwired in $\gamma $ and $D_{f^b_i}$ in $\delta $, we hardwire the values $(x^1_{1, j},x^1_{2,k_2},\ldots ,x^1_{t,k_t})$ and $D_{f^1_i}$, respectively.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{{T,\ldots ,T}}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}}, \underbrace{{T,\ldots ,T}}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertexts ($i=j$)
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( {{K^\mathsf {msk}_{i}}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}, {{K^\mathsf {key}_{i}}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}, \tau _{1,i}, {k_2,\ldots ,k_t}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},{k_2,\ldots ,k_t}, \tau _{1,i}, {{K^\mathsf {msk}_i}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}},\right. \\&\left. {{{K^\mathsf {enc}_i}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}, {\tau _{2,k_2},\ldots ,\tau _{t,k_t},\gamma }}\right) \\&{\mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}}} = {\mathsf {FE}_1\mathsf {.S}}\left( 1^\lambda \right) \\&{\gamma } = {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}}, \left( \boxed {x^1_{1, j},x^1_{2,k_2},\ldots ,x^1_{t,k_t}}\right) \right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$)
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{0,\ldots ,0}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},\underbrace{0,\ldots ,0}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertext ($i=1,\ldots ,T$, $\ell =2,\ldots ,t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( {i}, \tau _{\ell ,i}\right) , \ell \right) \\ \mathsf {ct}'_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}_{t-1}, \left( x^b_{\ell ,i},{x^1_{\ell ,i}},{i},\tau _{\ell ,i},\underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot \right) ,\ell -1\right) . \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.KG}}\left( \mathsf {msk}_t, {D_{f^b_i,{f^1_i},{i}, {\tau _{1,j},\tau _{2,k_2}\ldots ,\tau _{t,k_t},\delta }}}\right) \\&{\delta } = {\mathsf {FE}_1\mathsf {.KG}}\left( \mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}}, \boxed {C_{f^1_i}}\right) \end{aligned}$$

As in Claim 4.7 we have the following claim:

Claim A.23

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(6,j,k_2\ldots ,k_t) \rightarrow } {}^{(7,j,k_2\ldots ,k_t)}$ such that

$$\begin{aligned}&\left| \Pr \left[ \mathcal {H}^{(6,j,k_2\ldots ,k_t)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(7,j,k_2\ldots ,k_t)}(\lambda ) = 1 \right] \right| \\&\le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {FE}_1, \mathcal {F}', {\mathcal {B}}^{(6,j,k_2\ldots ,k_t) \rightarrow (7,j,k_2\ldots ,k_t)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(8,j,k_2\ldots ,k_t)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(7,j,k_2\ldots ,k_t)}(\lambda )$ by modifying the encryptions as follows. Instead of using randomness sampled uniformly at random we use randomness generated using a PRF. That is, $\mathsf {msk}_{\tau _{1,j},\tau _{2,k_2},\ldots ,\tau _{t,k_t}}$, $\gamma $ and $\delta $ are generated using a PRF.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{{T,\ldots ,T}}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}}, \underbrace{{T,\ldots ,T}}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertexts ($i=j$)
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( {{K^\mathsf {msk}_{i}}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}, {{K^\mathsf {key}_{i}}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}, \tau _{1,i}, {k_2,\ldots ,k_t}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},{k_2,\ldots ,k_t}, \tau _{1,i}, {{K^\mathsf {msk}_i}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}},\right. \\&\left. {{{K^\mathsf {enc}_i}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}, {\tau _{2,k_2},\ldots ,\tau _{t,k_t},\gamma }}\right) \\&\boxed {\mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}}} = {\mathsf {FE}_1\mathsf {.S}}\left( 1^\lambda ; \mathsf {PRF.Eval}\left( K^\mathsf {msk}_i,\tau _{k_2}\ldots \tau _{k_t}\right) \right) \\&\boxed {\gamma } = {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}}, \left( {x^1_{1, j},x^1_{2,k_2},\ldots ,x^1_{t,k_t}}\right) ;\right. \\&\qquad \left. \mathsf {PRF.Eval}\left( K^\mathsf {enc}_i,\tau _{k_2}\ldots \tau _{k_t}\right) \right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$)
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{0,\ldots ,0}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},\underbrace{0,\ldots ,0}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertext ($i=1,\ldots ,T$, $\ell =2,\ldots ,t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( {i}, \tau _{\ell ,i}\right) , \ell \right) \\ \mathsf {ct}'_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}_{t-1}, \left( x^b_{\ell ,i},{x^1_{\ell ,i}},{i},\tau _{\ell ,i},\underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot \right) , \ell -1\right) . \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.KG}}\left( \mathsf {msk}_t, {D_{f^b_i,{f^1_i},{i}, {\tau _{1,j},\tau _{2,k_2}\ldots ,\tau _{t,k_t},\delta }}}\right) \\&\boxed {\mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}}} = {\mathsf {FE}_1\mathsf {.S}}\left( 1^\lambda ; \mathsf {PRF.Eval}\left( K^\mathsf {msk}_j,\tau _{k_2}\ldots \tau _{k_t}\right) \right) \\&\boxed {\delta } = {\mathsf {FE}_1\mathsf {.KG}}\left( \mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}}, {C_{f^1_i}}; \mathsf {PRF.Eval}\left( K^\mathsf {key}_j,\tau _{k_2}\ldots \tau _{k_t}\right) \right) \end{aligned}$$

As in Claim 4.8 we have the following claim:

Claim A.24

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(7,j,k_2\ldots ,k_t) \rightarrow } {}^{(8,j,k_2\ldots ,k_t)}$ such that

$$\begin{aligned}&\left| \Pr \left[ \mathcal {H}^{(7,j,k_2\ldots ,k_t)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(8,j,k_2\ldots ,k_t)}(\lambda ) = 1 \right] \right| \\&\le 3\cdot \mathsf {Adv}_{\mathsf {PRF}, {\mathcal {B}}^{(7,j,k_2\ldots ,k_t)\rightarrow (8,j,k_2\ldots ,k_t)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(9,j,k)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(8,j,k_2\ldots ,k_t)}(\lambda )$ by modifying the ciphertexts as follows. First, instead of using punctured keys ${K^\mathsf {msk}_j}|_{\{\tau _{2,k_2},\ldots ,\tau _{t,k_t}\}}$ and ${K^\mathsf {key}_j}|_{\{\tau _{2,k_2},\ldots ,\tau _{t,k_t}\}}$ in the ${j}{\mathrm{th}}$ encryption with respect to $\mathsf {msk}_2$, we use the original keys $K^\mathsf {msk}_j$ and ${K^\mathsf {key}_j}$. Second, we set the threshold $\mathsf {thr}$ in $\mathsf {ct}_{1,j}$ to $k+1$. Lastly, we hardwire into every functional key for a pair $(f^0_i.f^1_i)$ the sequence $(\bot ,\ldots ,\bot , \bot )$ instead of $(\tau _{1,j},\tau _{2,k_2}\ldots ,\tau _{t,k_t},\delta )$.

Ciphertexts ($i=1,\ldots ,j-1$):
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{{T,\ldots ,T}}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}}, \underbrace{{T,\ldots ,T}}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertexts ($i=j$)
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( \boxed {{K^\mathsf {msk}_{i}}}, \boxed {{K^\mathsf {key}_{i}}}, \tau _{1,i}, {k_2,\ldots ,k_{t-1},\boxed {k_t+1}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},{k_2,\ldots ,k_t}, \tau _{1,i}, {{K^\mathsf {msk}_i}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}},\right. \\&\left. {{{K^\mathsf {enc}_i}|_{\{\tau _{2,k_2}\ldots \tau _{t,k_t}\}}}, {\tau _{2,k_2},\ldots ,\tau _{t,k_t},\gamma }}\right) \\&{\mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}}} = {\mathsf {FE}_1\mathsf {.S}}\left( 1^\lambda ; \mathsf {PRF.Eval}\left( K^\mathsf {msk}_i,\tau _{k_2}\ldots \tau _{k_t}\right) \right) \\&{\gamma } = {\mathsf {FE}_1\mathsf {.E}}\left( \mathsf {msk}_{\tau _{1,j},\tau _{2,k_2}\ldots \tau _{t,k_t}}, \left( {x^1_{1, j},x^1_{2,k_2},\ldots ,x^1_{t,k_t}}\right) ;\right. \\&\quad \left. \mathsf {PRF.Eval}\left( K^\mathsf {enc}_i,\tau _{k_2}\ldots \tau _{k_t}\right) \right) \end{aligned}$$
Ciphertexts ($i=j+1,\ldots ,T$)
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{0,\ldots ,0}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}},\underbrace{0,\ldots ,0}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertext ($i=1,\ldots ,T$, $\ell =2,\ldots ,t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( {i}, \tau _{\ell ,i}\right) , \ell \right) \\ \mathsf {ct}'_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}_{t-1}, \left( x^b_{\ell ,i},{x^1_{\ell ,i}},{i},\tau _{\ell ,i},\underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot \right) , \ell -1\right) . \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.KG}}\left( \mathsf {msk}_t, {D_{f^b_i,{f^1_i},{i}, \underbrace{\boxed {\bot ,\ldots ,\bot }}_{t \text { times}},\boxed {\bot }}}\right) \end{aligned}$$

As in Claim 4.9 we have the following claim:

Claim A.25

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(8,j,k_2\ldots ,k_t) \rightarrow } {}^{(9,j,k_2\ldots ,k_t)}$ such that

$$\begin{aligned}&\left| \Pr \left[ \mathcal {H}^{(8,j,k_2\ldots ,k_t)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(9,j,k_2\ldots ,k_t)}(\lambda ) = 1 \right] \right| \\&\le \mathsf {Adv}^{\mathsf {selFE_t}}_{\mathsf {FE}^\mathsf{sel}_t, \mathcal {F}', {\mathcal {B}}^{(8,j,k_2\ldots ,k_t) \rightarrow (9,j,k_2\ldots ,k_t)}}(\lambda ). \end{aligned}$$

Next, as in Claim 4.10, we observe that $\mathcal {H}^{(9,j,k_2\ldots ,k_t)}(\lambda )$ and $\mathcal {H}^{(3,j,k_2\ldots ,k_{t-1},k_{t}+1)}(\lambda )$ are indistinguishable. Moreover, we notice that $\mathcal {H}^{(3,j,k_2\ldots ,T)}(\lambda ) = \mathcal {H}^{(3,j,k_2\ldots ,k_{t-1}+1,0)}(\lambda )$ and more generally $\mathcal {H}^{(3,j,k_2\ldots ,k_{i},T,0,\ldots ,0)}(\lambda ) = \mathcal {H}^{(3,j,k_2\ldots ,k_{i}+1,0,\ldots ,0)}(\lambda )$.

Claim A.26

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(9,j,k_2\ldots ,k_t) \rightarrow } {}^{(3,j,k_2\ldots ,k_{t-1},k_t+1)}$ such that

$$\begin{aligned}&\left| \Pr \left[ \mathcal {H}^{(9,j,k_2\ldots ,k_t)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(3,j,k_2\ldots ,k_{t-1},k_t+1))}(\lambda ) = 1 \right] \right| \\&\qquad \qquad \le \mathsf {Adv}^{\mathsf {fullFE_{t-1}}}_{\mathsf {FE}_{t-1}, \mathcal {F}', {\mathcal {B}}^{(9,j,k_2\ldots ,k_t) \rightarrow (3,j,k_2\ldots ,k_{t-1},k_t+1))}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(10)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(3,T+1,0,\ldots ,0)}(\lambda )$ by modifying the ciphertexts not to include $f^b_i$ at all.

Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{{T,\ldots ,T}}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{x^b_{1,i},{x^1_{1,i}}, \underbrace{{T,\ldots ,T}}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertext ($i=1,\ldots ,T$, $\ell =2,\ldots ,t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( {i}, \tau _{\ell ,i}\right) , \ell \right) \\ \mathsf {ct}'_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}_{t-1}, \left( x^b_{\ell ,i},{x^1_{\ell ,i}},{i},\tau _{\ell ,i},\underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot \right) , \ell -1\right) . \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {FE}^\mathsf{sel}_t\mathsf {.KG}}\left( \mathsf {msk}_t, {D_{\boxed {\bot },{f^1_i},{i},\underbrace{\bot ,\ldots ,\bot }_{t \text { times}},\bot }}\right) \end{aligned}$$

As in Claim 4.11 we have the following claim:

Claim A.27

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(3,T+1,0,\ldots ,0) \rightarrow } {}^{(10)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(3,T+1,0,\ldots ,0)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(10)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {selFE_t}}_{\mathsf {FE}^\mathsf{sel}_t, \mathcal {F}', {\mathcal {B}}^{(3,T+1,0,\ldots ,0) \rightarrow (10)}}(\lambda ). \end{aligned}$$

Experiment $\varvec{\mathcal {H}^{(11)}(\lambda )}$. This experiment is obtained from the experiment $\mathcal {H}^{(10)}(\lambda )$ by modifying the ciphertexts not to include $x^b_{\mathsf {i},i}$ at all for $\mathsf {i}\in [t]$ and $i\in [T]$. Notice that this experiment is completely independent of the bit b, and therefore $\Pr [\mathcal {H}^{(11)}(\lambda ) = 1] {=} 1/2$.

Ciphertexts ($i=1,\ldots ,T$):
$$\begin{aligned}{} \mathsf {ct}_{1,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( K^\mathsf {msk}_{i}, K^\mathsf {key}_{i}, \tau _{1,i}, \underbrace{{T,\ldots ,T}}_{_{t-1 \text { times}}}\right) , 1\right) \\ \mathsf {sk}_{1,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.KG}}\left( \mathsf {msk}_{t-1},\mathsf {AGG}_{\boxed {\bot },{x^1_{1,i}}, \underbrace{{T,\ldots ,T}}_{t-1 \text { times}}, \tau _{1,i},K^\mathsf {msk}_i, K^\mathsf {enc}_i, \underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot }\right) \end{aligned}$$
Ciphertext ($i=1,\ldots ,T$, $\ell =2,\ldots ,t$):
$$\begin{aligned}{} \mathsf {ct}_{\ell ,i}\leftarrow & {} {\mathsf {FE}^\mathsf{sel}_t\mathsf {.E}}\left( \mathsf {msk}_t, \left( {i}, \tau _{\ell ,i}\right) , \ell \right) \\ \mathsf {ct}'_{\ell ,i}\leftarrow & {} {\mathsf {FE}_{t-1}\mathsf {.E}}\left( \mathsf {msk}_{t-1}, \left( \boxed {\bot },{x^1_{\ell ,i}},{i},\tau _{\ell ,i},\underbrace{\bot ,\ldots ,\bot }_{t-1 \text { times}},\bot \right) , \ell -1\right) . \end{aligned}$$
Functional keys ($i=1,\ldots ,T$):
$$\begin{aligned} \mathsf {sk}_{f_i} \leftarrow {\mathsf {FE}^\mathsf{sel}_t\mathsf {.KG}}\left( \mathsf {msk}_t, {D_{{\bot },{f^1_i},{i},\underbrace{\bot ,\ldots ,\bot }_{t \text { times}},\bot }}\right) \end{aligned}$$

As in Claim 4.12 we have the following claim:

Claim A.28

There exists a probabilistic polynomial-time adversary ${\mathcal {B}}^{(10) \rightarrow (11)}$ such that

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(10)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(11)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {fullFE_{t-1}}}_{\mathsf {FE}_{t-1}, \mathcal {F}', {\mathcal {B}}^{(10) \rightarrow (11)}}(\lambda ). \end{aligned}$$

Finally, putting together Claims A.18–A.28 with the facts that $\mathsf {Adv}^\mathsf {fullFE_t}_{\mathsf {FE}_t,\mathcal {F},{\mathcal {A}}}(\lambda ) = \mathcal {H}^{(0)}(\lambda )$, $\mathcal {H}^{(2)}(\lambda ) = \mathcal {H}^{(3,1,0,\ldots ,0)}(\lambda )$, and $\Pr \left[ \mathcal {H}^{(11)}(\lambda ) = 1\right] = 1/2$, and that t is a fixed constant, we observe that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {fullFE_t}}_{\mathsf {FE}_t,\mathcal {F},{\mathcal {A}}}&\mathop {=}\limits ^\mathsf{def}&\left| \Pr \left[ \mathsf {Exp}^{\mathsf {fullFE_t}}_{\mathsf {FE}_t, \mathcal {F}, {\mathcal {A}}}(\lambda ) = 1 \right] - \frac{1}{2} \right| \\= & {} \left| \Pr \left[ \mathcal {H}^{(0)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(11)}(\lambda ) = 1 \right] \right| \\\le & {} \sum _{i=0}^{1}\left| \Pr \left[ \mathcal {H}^{(i)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(i+1)}(\lambda ) = 1 \right] \right| \\&+ \sum _{j=1}^T \sum _{k_2=0}^T \ldots \sum _{k_t=0}^{T} \sum _{i=3}^{8} \left| \Pr \left[ \mathcal {H}^{(i,j,k_2,\ldots ,k_t)}(\lambda ) = 1 \right] \right. \\&\left. - \Pr \left[ \mathcal {H}^{(i+1,j,k_2,\ldots ,k_t)}(\lambda ) = 1 \right] \right| \\&+ \left| \Pr \left[ \mathcal {H}^{(3,T+1,0,\ldots ,0)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(10)}(\lambda ) = 1 \right] \right| \\&+ \left| \Pr \left[ \mathcal {H}^{(10)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(11)}(\lambda ) = 1 \right] \right| \\\le & {} T^t \cdot {\mathsf {neg}}(\lambda ) \le {\mathsf {neg}}(\lambda ). \end{aligned}$$

Deferred Proofs

1.1 Proofs of Claims 3.2–3.7

In this section we provide deferred proofs. Throughout, in the claims where we reduce the security to the security of a functional encryption scheme, we construct an adversary that is valid according to Definition 2.6.

Proof of Claim 3.2

The adversary ${\mathcal {B}}^{(0) \rightarrow (1)}={\mathcal {B}}$ given input $1^\lambda $ is defined as follows. First, ${\mathcal {B}}$ samples $\mathsf {msk_{out}}\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $b\leftarrow \{ 0,1 \}$ and emulates the execution of ${\mathcal {A}}_1$ on input $1^\lambda $ by simulating the encryptions as follows: When ${\mathcal {A}}_1$ requests the encryption of the pair $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$), ${\mathcal {B}}$ samples $s\in \{ 0,1 \}^\lambda $, $\mathsf {msk}^\mathsf {\star }\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $K\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, queries the key-generation oracle $\mathsf {KG}_\sigma (\mathsf {msk_{in}},\cdot ,\cdot )$ with the pair $(\mathsf {AGG}_{x^b,\bot ,0,s,\mathsf {msk}^\mathsf {\star },K}, \mathsf {AGG}_{x^b,x^1,0,s,\mathsf {msk}^\mathsf {\star },K})$, and returns the output to ${\mathcal {A}}_1$. Moreover, ${\mathcal {B}}$ runs ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star },K^\mathsf {key},0))$ and returns the output to ${\mathcal {A}}_1$. When ${\mathcal {A}}_1$ requests an encryption of $(y^0,y^1)\in \mathcal {Y}_\lambda $ (with respect to index $\mathsf {i}= 2$), ${\mathcal {B}}$ samples $t\in \{ 0,1 \}^\lambda $, queries the encryption oracle $\mathsf {Enc}_\sigma (\mathsf {msk_{in}},\cdot ,\cdot )$ with the pair $((y^b, \bot ,t,\bot ,\bot ),(y^b, y^1,t,\bot ,\bot ))$, and returns the output to ${\mathcal {A}}_1$. We do the above with all input pairs until ${\mathcal {A}}_1$ outputs $\mathsf {state}$ and halts.

Then, we emulate the execution of ${\mathcal {A}}_2$ on input $1^\lambda $, $\mathsf {state}$ and all the ciphertexts that were already generated by simulating the key-generation oracle as follows: When ${\mathcal {A}}_2$ requests a functional key for $(f^0,f^1) \in \mathcal {F}\times \mathcal {F}$, ${\mathcal {B}}$ samples a random $z\leftarrow \{ 0,1 \}^\lambda $, runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk_{out}},D_{f^b,\bot ,z,\bot })$, and returns the output to ${\mathcal {A}}_2$. We do the above until ${\mathcal {A}}_2$ outputs $b'$ and halts. Finally, ${\mathcal {B}}$ outputs 1 if $b'=b$ and otherwise it outputs 0.

Note that when $\sigma = 0$ then ${\mathcal {A}}$’s view is identical to its view in the experiment $\mathcal {H}^{(0)}$, and when $\sigma = 1$ then ${\mathcal {A}}$’s view is identical to its view in the modified experiment $\mathcal {H}^{(1)}$ described above. Therefore,

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(0)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(1)}(\lambda ) = 1 \right] \right| = \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(0) \rightarrow (1)}}(\lambda ). \end{aligned}$$

Proof of Claim 3.3

The adversary ${\mathcal {B}}^{(1) \rightarrow (2)}={\mathcal {B}}$ given input $1^\lambda $ is defined as follows. First, ${\mathcal {B}}$ samples $\mathsf {msk_{in}}\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $b\leftarrow \{ 0,1 \}$ and emulates the execution of ${\mathcal {A}}_1$ on input $1^\lambda $ by simulating the encryptions as follows: When ${\mathcal {A}}_1$ requests the encryption of $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$), ${\mathcal {B}}$ samples $s\in \{ 0,1 \}^\lambda $, $\mathsf {msk}^\mathsf {\star }\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $K\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk_{in}},\cdot )$ with the input $\mathsf {AGG}_{x^b,x^1,0,s,\mathsf {msk}^\mathsf {\star },K}$ and returns the output to ${\mathcal {A}}_1$. Moreover, ${\mathcal {B}}$ queries the encryption oracle $\mathsf {Enc}_\sigma (\mathsf {msk_{out}}, \cdot ,\cdot )$ with the pair $((\mathsf {msk}^\mathsf {\star },K^\mathsf {key},0), (\mathsf {msk}^\mathsf {\star },K^\mathsf {key},0))$, and returns the output to ${\mathcal {A}}_1$. When ${\mathcal {A}}_1$ requests an encryption of $(y^0,y^1)\in \mathcal {Y}_\lambda $ (with respect to index $\mathsf {i}= 2$), ${\mathcal {B}}$ samples $t\in \{ 0,1 \}^\lambda $, runs the encryption oracle ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{in}},\cdot )$ with the input $(y^b, y^1,t,\bot ,\bot )$ and returns the output to ${\mathcal {A}}_1$.

Then, we emulate the execution of ${\mathcal {A}}_2$ on input $1^\lambda $, $\mathsf {state}$ and all the ciphertexts generated before by simulating the key-generation oracle as follows: When ${\mathcal {A}}_2$ requests a functional key for $(f^0,f^1)\in \mathcal {F}\times \mathcal {F}$, ${\mathcal {B}}$ samples a random $z\leftarrow \{ 0,1 \}^\lambda $, queries the key-generation oracle $\mathsf {KG}_\sigma (\mathsf {msk_{out}},\cdot ,\cdot )$ with the pair $(D_{f^b,\bot ,z,\bot },D_{f^b,f^1,z,\bot })$, and returns the output to ${\mathcal {A}}_2$. We do the above until ${\mathcal {A}}_2$ outputs $b'$ and halts. Finally, ${\mathcal {B}}$ outputs 1 if $b'=b$ and otherwise it outputs 0.

Note that when $\sigma = 0$ then ${\mathcal {A}}$’s view is identical to its view in the experiment $\mathcal {H}^{(1)}$, and when $\sigma = 1$ then ${\mathcal {A}}$’s view is identical to its view in the modified experiment $\mathcal {H}^{(2)}$ described above. Therefore,

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(1)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(2)}(\lambda ) = 1 \right] \right| = \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(1) \rightarrow (2)}}(\lambda ). \end{aligned}$$

Proof of Claim 3.4

The adversary ${\mathcal {B}}^{(3,j) \rightarrow (4,j)}={\mathcal {B}}$ given input $1^\lambda $ is defined as follows. First, ${\mathcal {B}}$ samples $\mathsf {msk_{out}}\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $b\leftarrow \{ 0,1 \}$, $s_j\leftarrow \{ 0,1 \}^\lambda $, $\mathsf {msk}^\mathsf {\star }_j\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$ and $K_j\leftarrow \mathsf {PRF.Eval}(1^\lambda )$, and emulates the execution of ${\mathcal {A}}_1$ on input $1^\lambda $ by simulating the encryptions as follows: When ${\mathcal {A}}_1$ requests for the encryption of the ${i}{\mathrm{th}}$ input pair $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for $i\le j-1$, ${\mathcal {B}}$ samples $s\in \{ 0,1 \}^\lambda $, $\mathsf {msk}^\mathsf {\star }\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $K\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, queries the key-generation oracle $\mathsf {KG}_\sigma (\mathsf {msk_{in}},\cdot ,\cdot )$ with the pair $(\mathsf {AGG}_{x^b,x^1,1,s,\mathsf {msk}^\mathsf {\star },K}, \mathsf {AGG}_{x^b,x^1,1,s,\mathsf {msk}^\mathsf {\star },K})$, and returns the output to ${\mathcal {A}}_1$. Moreover, ${\mathcal {B}}$ runs ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star },K^\mathsf {key},1))$ and returns the output to ${\mathcal {A}}_1$. When ${\mathcal {A}}_1$ requests for the encryption of the ${i}{\mathrm{th}}$ input pair $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for $i= j$, ${\mathcal {B}}$ sets $s = s_j$, $\mathsf {msk}^\mathsf {\star }= \mathsf {msk}^\mathsf {\star }_j$, $K= K_j$, queries the key-generation oracle $\mathsf {KG}_\sigma (\mathsf {msk_{in}},\cdot ,\cdot )$ with the pair $(\mathsf {AGG}_{x^b,x^1,0,s,\mathsf {msk}^\mathsf {\star },K}, \mathsf {AGG}_{x^b,x^1,1,s,\bot ,\bot })$, and returns the output to ${\mathcal {A}}_1$. Moreover, ${\mathcal {B}}$ runs ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star },K^\mathsf {key},0))$ and returns the output to ${\mathcal {A}}_1$. When ${\mathcal {A}}_1$ requests for the encryption of the ${i}{\mathrm{th}}$ input pair $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for $i\ge j+1$, ${\mathcal {B}}$ samples $s\in \{ 0,1 \}^\lambda $, $\mathsf {msk}^\mathsf {\star }\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $K\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, queries the key-generation oracle $\mathsf {KG}_\sigma (\mathsf {msk_{in}},\cdot ,\cdot )$ with the pair $(\mathsf {AGG}_{x^b,x^1,0,s,\mathsf {msk}^\mathsf {\star },K}, \mathsf {AGG}_{x^b,x^1,0,s,\mathsf {msk}^\mathsf {\star },K})$, and returns the output to ${\mathcal {A}}_1$. Moreover, ${\mathcal {B}}$ runs ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{out}}, (\mathsf {msk}^\mathsf {\star },K^\mathsf {key},0))$ and returns the output to ${\mathcal {A}}_1$. When ${\mathcal {A}}_1$ requests an encryption of $(y^0,y^1)\in \mathcal {Y}_\lambda $ (with respect to index $\mathsf {i}= 2$) ${\mathcal {B}}$ samples $t\in \{ 0,1 \}^\lambda $, queries the encryption oracle $\mathsf {Enc}_\sigma (\mathsf {msk_{in}},\cdot ,\cdot )$ with the pair $((y^b, y^1,t,\bot ,\bot ),(y^b, y^1,t,s_j,\gamma ))$, where $\gamma = {\mathsf {1FE}\mathsf {.E}}(\mathsf {msk}^\mathsf {\star }_j, (x^b_j, y^b) ; \mathsf {PRF.Eval}(K_j, t))$, and returns the output to ${\mathcal {A}}_1$.

Denote by $(x^0_j,x^1_j)$ the ${j}{\mathrm{th}}$ ciphertext pair issued with index $\mathsf {i}=1$. ${\mathcal {B}}$ emulates the execution of ${\mathcal {A}}_2$ on input $1^\lambda $, $\mathsf {state}$ and all the ciphertexts from before by simulating the key-generation oracle as follows: When ${\mathcal {A}}_2$ requests a functional key for $(f^0,f^1)\in \mathcal {F}\times \mathcal {F}$, ${\mathcal {B}}$ samples a random $z\leftarrow \{ 0,1 \}^\lambda $, runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk_{out}},\cdot )$ with the circuit $D_{f^b,f^1,z,\bot }$, and returns the output to ${\mathcal {A}}_2$. We do the above until ${\mathcal {A}}_2$ outputs $b'$ and halts. Finally, ${\mathcal {B}}$ outputs 1 if $b'=b$ and otherwise it outputs 0.

Note that when $\sigma = 0$ then ${\mathcal {A}}$’s view is identical to its view in the experiment $\mathcal {H}^{(3,j)}$, and when $\sigma = 1$ then ${\mathcal {A}}$’s view is identical to its view in the modified experiment $\mathcal {H}^{(4,j)}$ described above. Therefore,

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(3,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(4,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(3,j) \rightarrow (4,j)}}(\lambda ). \end{aligned}$$

Proof of Claim 3.5

The adversary ${\mathcal {B}}^{(4,j) \rightarrow (5,j)}={\mathcal {B}}$ given input $1^\lambda $ is defined as follows. First, ${\mathcal {B}}$ samples $\mathsf {msk_{in}}\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $b\leftarrow \{ 0,1 \}$, $s_j\leftarrow \{ 0,1 \}^\lambda $, $\mathsf {msk}^\mathsf {\star }_j\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$ and $K_j\leftarrow \mathsf {PRF.Eval}(1^\lambda )$, and emulates the execution of ${\mathcal {A}}_1$ on input $1^\lambda $ by simulating the encryptions as follows: When ${\mathcal {A}}_1$ requests for the encryption of the ${i}{\mathrm{th}}$ input pair $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for $i\le j-1$, ${\mathcal {B}}$ samples $s\in \{ 0,1 \}^\lambda $, $\mathsf {msk}^\mathsf {\star }\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $K\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk_{in}},\cdot )$ with the input $\mathsf {AGG}_{x^b,x^1,1,s,\mathsf {msk}^\mathsf {\star },K}$ and returns the output to ${\mathcal {A}}_1$. Moreover, ${\mathcal {B}}$ queries the encryption oracle $\mathsf {Enc}_\sigma (\mathsf {msk_{out}}, \cdot , \cdot )$ with the pair $((\mathsf {msk}^\mathsf {\star },K^\mathsf {key}, 1), (\mathsf {msk}^\mathsf {\star },K^\mathsf {key}, 1))$ and returns the output to ${\mathcal {A}}_1$. When ${\mathcal {A}}_1$ requests for the encryption of the ${i}{\mathrm{th}}$ input pair $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for $i= j$, ${\mathcal {B}}$ sets $s=s_j$, $\mathsf {msk}^\mathsf {\star }=\mathsf {msk}^\mathsf {\star }_j$, $K= K_j$, runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk_{in}},\cdot )$ with the input $\mathsf {AGG}_{x^b,x^1,0,s,\mathsf {msk}^\mathsf {\star },K}$, and returns the output to ${\mathcal {A}}_1$. Moreover, ${\mathcal {B}}$ queries the encryption oracle $\mathsf {Enc}_\sigma (\mathsf {msk_{out}}, \cdot , \cdot )$ with the pair $((\mathsf {msk}^\mathsf {\star },K^\mathsf {key}, 0),(\bot ,\bot , 0))$ and returns the output to ${\mathcal {A}}_1$. When ${\mathcal {A}}_1$ requests for the encryption of the ${i}{\mathrm{th}}$ input pair $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for $i\le j+1$, ${\mathcal {B}}$ samples $s\in \{ 0,1 \}^\lambda $, $\mathsf {msk}^\mathsf {\star }\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $K\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk_{in}},\cdot )$ with the input $\mathsf {AGG}_{x^b,x^1,0,s,\mathsf {msk}^\mathsf {\star },K}$, and returns the output to ${\mathcal {A}}_1$. Moreover, ${\mathcal {B}}$ queries the encryption oracle $\mathsf {Enc}_\sigma (\mathsf {msk_{out}}, \cdot , \cdot )$ with the pair $((\mathsf {msk}^\mathsf {\star },K^\mathsf {key}, 0), (\mathsf {msk}^\mathsf {\star },K^\mathsf {key}, 0))$ and returns the output to ${\mathcal {A}}_1$. When ${\mathcal {A}}_1$ requests an encryption of $(y^0,y^1)\in \mathcal {Y}_\lambda $ (with respect to index $\mathsf {i}= 2$) ${\mathcal {B}}$ samples $t\in \{ 0,1 \}^\lambda $, runs the encryption procedure ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{in}},\cdot )$ with the input $(y^b, y^1,t,s_j,\gamma )$, where $\gamma = {\mathsf {1FE}\mathsf {.E}}(\mathsf {msk}^\mathsf {\star }_j, (x^b_j, y^b) ; \mathsf {PRF.Eval}(K_j, t))$, and returns the output to ${\mathcal {A}}_1$

Denote by $(x^0_j,x^1_j)$ the ${j}{\mathrm{th}}$ ciphertext pair issued with index $\mathsf {i}=1$. ${\mathcal {B}}$ emulates the execution of ${\mathcal {A}}_2$ on input $1^\lambda $, $\mathsf {state}$ and all the ciphertexts from before by simulating the key-generation oracle as follows: When ${\mathcal {A}}_2$ requests a functional key for $(f^0,f^1)\in \mathcal {F}\times \mathcal {F}$, ${\mathcal {B}}$ samples a random $z\leftarrow \{ 0,1 \}^\lambda $, queries the key-generation oracle $\mathsf {KG}_\sigma (\mathsf {msk_{out}},\cdot ,\cdot )$ with the pair $(D_{f^b,f^1,z,\bot }, D_{f^b,f^1,z,\delta })$, where $\delta = {\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}^\mathsf {\star }_j,D_{f^b}; \mathsf {PRF}(K^\mathsf {key}_j,z_i))$, and returns the output to ${\mathcal {A}}_2$. We do the above until ${\mathcal {A}}_2$ outputs $b'$ and halts. Finally, ${\mathcal {B}}$ outputs 1 if $b'=b$ and otherwise it outputs 0.

Note that when $\sigma = 0$ then ${\mathcal {A}}$’s view is identical to its view in the experiment $\mathcal {H}^{(4,j)}$, and when $\sigma = 1$ then ${\mathcal {A}}$’s view is identical to its view in the modified experiment $\mathcal {H}^{(5,j)}$ described above. Therefore,

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(4,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(5,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(4,j) \rightarrow (5,j)}}(\lambda ). \end{aligned}$$

Proof of Claim 3.6

The adversary ${\mathcal {B}}^{(5,j) \rightarrow (6,j)}={\mathcal {B}}$ given input $1^\lambda $ is defined as follows. Recall that ${\mathcal {B}}$ has access to an oracle, denoted $R(\cdot )$, that is either a random function or a PRF and its goal is to distinguish between the two cases. First, ${\mathcal {B}}$ samples $\mathsf {msk_{in}},\mathsf {msk_{out}}\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $b\leftarrow \{ 0,1 \}$, $s_j\leftarrow \{ 0,1 \}^\lambda $ and $\mathsf {msk}^\mathsf {\star }_j\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, and emulates the execution of ${\mathcal {A}}_1$ on input $1^\lambda $ by simulating the encryptions as follows: When ${\mathcal {A}}_1$ requests for the encryption of the ${i}{\mathrm{th}}$ input pair $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for $i\le j-1$, ${\mathcal {B}}$ samples $s\in \{ 0,1 \}^\lambda $, $\mathsf {msk}^\mathsf {\star }\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $K\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk_{in}},\cdot )$ with the input $\mathsf {AGG}_{x^b,x^1,1,s,\mathsf {msk}^\mathsf {\star },K}$ and returns the output to ${\mathcal {A}}_1$. Moreover, ${\mathcal {B}}$ runs the encryption procedure ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{out}}, \cdot )$ with the input $(\mathsf {msk}^\mathsf {\star },K^\mathsf {key},1)$ and returns the output to ${\mathcal {A}}_1$. When ${\mathcal {A}}_1$ requests for the encryption of the ${i}{\mathrm{th}}$ input pair $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for $i=j$, ${\mathcal {B}}$ sets $s=s_j$, $\mathsf {msk}^\mathsf {\star }=\mathsf {msk}^\mathsf {\star }_j$, $K=K_j$, runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk_{in}},\cdot )$ with the input $\mathsf {AGG}_{x^b,x^1,0,s,\bot ,\bot }$ and returns the output to ${\mathcal {A}}_1$. Moreover, ${\mathcal {B}}$ runs the encryption procedure ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{out}}, \cdot )$ with the input $(\bot ,\bot ,0)$ and returns the output to ${\mathcal {A}}_1$. When ${\mathcal {A}}_1$ requests for the encryption of the ${i}{\mathrm{th}}$ input pair $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for $i\ge j+1$, ${\mathcal {B}}$ samples $s\in \{ 0,1 \}^\lambda $, $\mathsf {msk}^\mathsf {\star }\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $K\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk_{in}},\cdot )$ with the input $\mathsf {AGG}_{x^b,x^1,0,s,\mathsf {msk}^\mathsf {\star },K}$ and returns the output to ${\mathcal {A}}_1$. Moreover, ${\mathcal {B}}$ runs the encryption procedure ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{out}}, \cdot )$ with the input $(\mathsf {msk}^\mathsf {\star },K^\mathsf {key},0)$, and returns the output to ${\mathcal {A}}_1$. When ${\mathcal {A}}_1$ requests an encryption of $(y^0,y^1)\in \mathcal {Y}_\lambda $ (with respect to index $\mathsf {i}= 2$) ${\mathcal {B}}$ samples $t\in \{ 0,1 \}^\lambda $, runs the encryption procedure ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{in}},\cdot )$ with the input $(y^b, y^1,t,s_j,\gamma )$, where $\gamma = {\mathsf {1FE}\mathsf {.E}}(\mathsf {msk}^\mathsf {\star }_j, (x^b_j, y^b) ; R(t_i)))$, where $R(t_i)$ is either the output of a PRF or a uniformly random string, and returns the output to ${\mathcal {A}}_1$.

Denote by $(x^0_j,x^1_j)$ the ${j}{\mathrm{th}}$ ciphertext pair issued with index $\mathsf {i}=1$. ${\mathcal {B}}$ emulates the execution of ${\mathcal {A}}_2$ on input $1^\lambda $ and $\mathsf {state}$ by simulating the key-generation oracle as follows: When ${\mathcal {A}}_2$ requests a functional key for $(f^0,f^1)\in \mathcal {F}\times \mathcal {F}$, ${\mathcal {B}}$ samples a random $z\leftarrow \{ 0,1 \}^\lambda $, queries the key-generation oracle ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk_{out}},\cdot )$ with the circuit $D_{f^b,f^1,z,\delta }$, where $\delta = {\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}^\mathsf {\star }_j,D_{f^b}; R(z_i)))$, where $R(z_i)$ is either the output of a PRF or a uniformly random string, and returns the output to ${\mathcal {A}}_2$. We do the above until ${\mathcal {A}}_2$ outputs $b'$ and halts. Finally, ${\mathcal {B}}$ outputs 1 if $b'=b$ and otherwise it outputs 0.

Note that when $R(\cdot )$ corresponds to a pseudorandom function then ${\mathcal {A}}$’s view is identical to its view in the experiment $\mathcal {H}^{(5,j)}$, and when $R(\cdot )$ corresponds to a uniformly random function then ${\mathcal {A}}$’s view is identical to its view in the modified experiment $\mathcal {H}^{(6,j)}$. Therefore,

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(5,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(6,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}_{\mathsf {PRF}, {\mathcal {B}}^{(5,j)\rightarrow (6,j)}}(\lambda ). \end{aligned}$$

Proof of Claim 3.7

The adversary ${\mathcal {B}}^{(6,j) \rightarrow (7,j)}={\mathcal {B}}$ given input $1^\lambda $ is defined as follows. First, ${\mathcal {B}}$ samples $\mathsf {msk_{in}},\mathsf {msk_{out}}\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $b\leftarrow \{ 0,1 \}$, $s_j\leftarrow \{ 0,1 \}^\lambda $ and $K_j\leftarrow \mathsf {PRF.Eval}(1^\lambda )$, and emulates the execution of ${\mathcal {A}}_1$ on input $1^\lambda $ by simulating the encryptions as follows: When ${\mathcal {A}}_1$ requests for the encryption of the ${i}{\mathrm{th}}$ input pair $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for $i\le j-1$, ${\mathcal {B}}$ samples $s\in \{ 0,1 \}^\lambda $, $\mathsf {msk}^\mathsf {\star }\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $K\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk_{in}},\cdot )$ with the input $\mathsf {AGG}_{x^b,x^1,1,s,\mathsf {msk}^\mathsf {\star },K}$ and returns the output to ${\mathcal {A}}_1$. Moreover, ${\mathcal {B}}$ runs the encryption procedure ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{out}}, \cdot )$ with the input $(\mathsf {msk}^\mathsf {\star },K^\mathsf {key},1)$ and returns the output to ${\mathcal {A}}_1$. When ${\mathcal {A}}_1$ requests for the encryption of the ${i}{\mathrm{th}}$ input pair $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for $i= j$, ${\mathcal {B}}$ sets $s=s_j$ and $K=K_j$, runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk_{in}},\cdot )$ with the input $\mathsf {AGG}_{x^b,x^1,0,s,\bot ,\bot }$ and returns the output to ${\mathcal {A}}_1$. Moreover, ${\mathcal {B}}$ runs the encryption procedure ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{out}}, \cdot )$ with the input $(\bot ,\bot ,0)$ and returns the output to ${\mathcal {A}}_1$. When ${\mathcal {A}}_1$ requests for the encryption of the ${i}{\mathrm{th}}$ input pair $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for $i\ge j+1$, ${\mathcal {B}}$ samples $s\in \{ 0,1 \}^\lambda $, $\mathsf {msk}^\mathsf {\star }\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $K\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk_{in}},\cdot )$ with the input $\mathsf {AGG}_{x^b,x^1,0,s,\mathsf {msk}^\mathsf {\star },K}$ and returns the output to ${\mathcal {A}}_1$. Moreover, ${\mathcal {B}}$ runs the encryption procedure ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{out}}, \cdot )$ with the input $(\mathsf {msk}^\mathsf {\star },K^\mathsf {key},0)$ and returns the output to ${\mathcal {A}}_1$. When ${\mathcal {A}}_1$ requests for the encryption of $(y^0,y^1)\in \mathcal {Y}_\lambda $ (with respect to index $\mathsf {i}= 2$) ${\mathcal {B}}$ samples $t\in \{ 0,1 \}^\lambda $, queries the encryption oracle $\mathsf {Enc}_\sigma (\mathsf {msk}^\mathsf {\star }_j, \cdot ,\cdot )$ with the pair $((x^b_j, y^b), (x^1_j, y^1))$ to get $\gamma $, runs the encryption procedure ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk_{in}},\cdot )$ with the input $(y^b, y^1,t,s_j,\gamma )$, and returns the output to ${\mathcal {A}}_1$.

Denote by $(x^0_j,x^1_j)$ the ${j}{\mathrm{th}}$ ciphertext pair issued with index $\mathsf {i}=1$. ${\mathcal {B}}$ emulates the execution of ${\mathcal {A}}_2$ on input $1^\lambda $ and $\mathsf {state}$ by simulating the key-generation oracle as follows: When ${\mathcal {A}}_2$ requests a functional key for $(f^0,f^1)\in \mathcal {F}\times \mathcal {F}$, ${\mathcal {B}}$ samples a random $z\leftarrow \{ 0,1 \}^\lambda $, queries the key-generation oracle $\mathsf {KG}_\sigma (\mathsf {msk}^\mathsf {\star }_j, \cdot ,\cdot )$ with the pair $(C_{f^b}, C_{f^1})$ to get $\delta $, runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk_{out}},\cdot )$ with the input $D_{f^b,f^1,z,\delta }$ and returns the output to ${\mathcal {A}}_2$. We do the above until ${\mathcal {A}}_2$ outputs $b'$ and halts. Finally, ${\mathcal {B}}$ outputs 1 if $b'=b$ and otherwise it outputs 0.

Note that when $\sigma = 0$ then ${\mathcal {A}}$’s view is identical to its view in the experiment $\mathcal {H}^{(6,j)}$, and when $\sigma = 1$ then ${\mathcal {A}}$’s view is identical to its view in the modified experiment $\mathcal {H}^{(7,j)}$ described above. Therefore,

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(6,j)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(7,j)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(6,j) \rightarrow (7,j)}}(\lambda ). \end{aligned}$$

1.2 Proofs of Claims 4.2–4.7

Proof of Claim 4.2

The adversary ${\mathcal {B}}^{(0) \rightarrow (1)}={\mathcal {B}}$ given input $1^\lambda $ is defined as follows. First, ${\mathcal {B}}$ samples $\mathsf {msk}_2\leftarrow {\mathsf {2FE^{sel}}\mathsf {.S}}(1^\lambda )$, $b\leftarrow \{ 0,1 \}$ and emulates the execution of ${\mathcal {A}}$ on input $1^\lambda $ by simulating the encryption oracle as follows: When ${\mathcal {A}}$ queries the encryption oracle with $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$), ${\mathcal {B}}$ samples $s\in \{ 0,1 \}^\lambda $, $K^\mathsf {msk},K^\mathsf {key},K^\mathsf {enc}\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, queries the key-generation oracle $\mathsf {KG}_\sigma (\mathsf {msk}_1,\cdot ,\cdot )$ with the pair $(\mathsf {AGG}_{x^b,\bot ,0,s,K^\mathsf {msk},K^\mathsf {enc},\bot ,\bot }, \mathsf {AGG}_{x^b,x^1,0,s,K^\mathsf {msk},K^\mathsf {enc},\bot ,\bot })$, and returns the output to ${\mathcal {A}}$. Moreover, ${\mathcal {B}}$ runs ${\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (K^\mathsf {msk},K^\mathsf {key},s,0),1)$ and returns the output to ${\mathcal {A}}$. When ${\mathcal {A}}$ requests the ${i}{\mathrm{th}}$ encryption of $(y^0,y^1)\in \mathcal {Y}_\lambda $ (with respect to index $\mathsf {i}= 2$), ${\mathcal {B}}$ samples $t\in \{ 0,1 \}^\lambda $, queries the encryption oracle $\mathsf {Enc}_\sigma (\mathsf {msk}_1,\cdot ,\cdot )$ with the pair $((y^b, \bot ,1,t,\bot ,\bot ),(y^b, y^1,i,t,\bot ,\bot ))$, and returns the output to ${\mathcal {A}}$. Moreover, ${\mathcal {B}}$ runs ${\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (1,t),2)$ and returns the output to ${\mathcal {A}}$. When ${\mathcal {A}}$ requests a functional key for $(f^0,f^1)\in \mathcal {F}\times \mathcal {F}$, ${\mathcal {B}}$ runs the key-generation procedure ${\mathsf {2FE^{sel}}\mathsf {.KG}}(\mathsf {msk}_2,D_{f^b,\bot ,1,\bot ,\bot ,\bot })$ and returns the output to ${\mathcal {A}}$.

Note that when $\sigma = 0$ then ${\mathcal {A}}$’s view is identical to its view in the experiment $\mathcal {H}^{(0)}$, and when $\sigma = 1$ then ${\mathcal {A}}$’s view is identical to its view in the modified experiment $\mathcal {H}^{(1)}$ described above. Therefore,

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(0)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(1)}(\lambda ) = 1 \right] \right| = \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(0) \rightarrow (1)}}(\lambda ). \end{aligned}$$

Proof of Claim 4.3

The adversary ${\mathcal {B}}^{(1) \rightarrow (2)}=({\mathcal {B}}_1,{\mathcal {B}}_2)$ given input $1^\lambda $ is defined as follows. First, ${\mathcal {B}}_1$ samples $\mathsf {msk}_1\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$ and $b\leftarrow \{ 0,1 \}$. Then, ${\mathcal {B}}_1$ samples $K^\mathsf {msk}_1,\ldots ,K^\mathsf {msk}_T,K^\mathsf {key}_1,\ldots ,K^\mathsf {key}_T, K^\mathsf {enc}_1,\ldots ,K^\mathsf {enc}_T\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, $s_1,\ldots ,s_T\leftarrow \{ 0,1 \}^\lambda $ and $t_1,\ldots ,t_T\leftarrow \{ 0,1 \}^\lambda $, where T is upper bounded by the running time of ${\mathcal {A}}$.

For $i\in [T]$ the adversary ${\mathcal {B}}_1$ requests the encryption of the pair $((K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, 0), (K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, 0))$ with respect to index $\mathsf {i}= 1$ and with the pairs $((1,t_i), (i,t_i))$ with respect to index $\mathsf {i}= 2$ to get $\mathsf {ct}_{1,1},\ldots , \mathsf {ct}_{1,T}, \mathsf {ct}_{2,1}, \ldots , \mathsf {ct}_{2,T}$. Finally, ${\mathcal {B}}_1$ outputs the state information $\mathsf {state}$ which is all its memory.

Next, ${\mathcal {B}}_2$ given as input $1^\lambda $, $\mathsf {state}$ and $\mathsf {ct}_{1,1},\ldots , \mathsf {ct}_{1,T}, \mathsf {ct}_{2,1}, \ldots , \mathsf {ct}_{2,T}$ emulates the execution of ${\mathcal {A}}$ on input $1^\lambda $ by simulating the encryption oracle as follows: When ${\mathcal {A}}$ queries for the ${i}{\mathrm{th}}$ time the encryption oracle with $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$), ${\mathcal {B}}_2$ runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}_1,\cdot )$ with the input $\mathsf {AGG}_{x^b,x^1,0,s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }$ to get $\mathsf {sk}_{1,i}$ and returns $(\mathsf {ct}_{1,i}, \mathsf {sk}_{1,i})$ to ${\mathcal {A}}$. When ${\mathcal {A}}$ queries for the ${i}{\mathrm{th}}$ time the encryption oracle with $(y^0,y^1)\in \mathcal {Y}_\lambda $ (with respect to index $\mathsf {i}= 2$), ${\mathcal {B}}_2$ runs the encryption procedure ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk}_1,\cdot )$ with the input $(y^b, y^1,i,t,\bot ,\bot )$ to get $\mathsf {ct}_{3,i}$ and returns the pair $(\mathsf {ct}_{2,i},\mathsf {ct}_{3,i})$ to ${\mathcal {A}}$. When ${\mathcal {A}}$ requests for the ${i}{\mathrm{th}}$ time a functional key for $(f^0,f^1)\in \mathcal {F}\times \mathcal {F}$, ${\mathcal {B}}_2$ queries the key-generation oracle $\mathsf {KG}_\sigma (\mathsf {msk}_2,\cdot ,\cdot )$ with the pair $(D_{f^b,\bot ,1,\bot ,\bot ,\bot }, D_{f^b,f^1,i,\bot ,\bot ,\bot })$ and returns the output to ${\mathcal {A}}$.

Note that when $\sigma = 0$ then ${\mathcal {A}}$’s view is identical to its view in the experiment $\mathcal {H}^{(1)}$, and when $\sigma = 1$ then ${\mathcal {A}}$’s view is identical to its view in the modified experiment $\mathcal {H}^{(2)}$ described above. Therefore,

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(1)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(2)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {sel2FE}}_{\mathsf {2FE^{sel}}, \mathcal {F}', {\mathcal {B}}^{(1) \rightarrow (2)}}(\lambda ). \end{aligned}$$

Proof of Claim 4.4

The adversary ${\mathcal {B}}^{(3,j,k) \rightarrow (4,j,k)}={\mathcal {B}}$ given input $1^\lambda $ is defined as follows. First, ${\mathcal {B}}$ samples $\mathsf {msk}_2\leftarrow {\mathsf {2FE^{sel}}\mathsf {.S}}(1^\lambda ), s_j, t_k\leftarrow \{ 0,1 \}^\lambda $, $K^\mathsf {msk}_j,K^\mathsf {key}_j,K^\mathsf {enc}_j\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, $b\leftarrow \{ 0,1 \}$, computes $\mathsf {msk}_{s_j,t_k} = {\mathsf {1FE}\mathsf {.S}}(1^\lambda ; \mathsf {PRF.Eval}(K^\mathsf {msk}_j,t_k))$, and emulates the execution of ${\mathcal {A}}$ on input $1^\lambda $ by simulating the encryption oracle as follows.

When ${\mathcal {A}}$ queries the encryption oracle with $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for the ${i}{\mathrm{th}}$ time for $i\le j-1$, ${\mathcal {B}}$ samples $s\in \{ 0,1 \}^\lambda $, $K^\mathsf {msk},K^\mathsf {key},K^\mathsf {enc}\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, queries the key-generation oracle $\mathsf {KG}_\sigma (\mathsf {msk}_1,\cdot ,\cdot )$ with the pair $(\mathsf {AGG}_{x^b,x^1,T,s,K^\mathsf {msk},K^\mathsf {enc},\bot ,\bot }, \mathsf {AGG}_{x^b,x^1,T,s,K^\mathsf {msk},K^\mathsf {enc},\bot ,\bot })$ and returns the output to ${\mathcal {A}}$. Moreover, ${\mathcal {B}}$ runs ${\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (K^\mathsf {msk},K^\mathsf {key},s,T),1)$ and returns the output to ${\mathcal {A}}$.

When ${\mathcal {A}}$ queries the encryption oracle with $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for the ${i}{\mathrm{th}}$ time for $i=j$, ${\mathcal {B}}$ queries the key-generation oracle $\mathsf {KG}_\sigma (\mathsf {msk}_1,\cdot ,\cdot )$ with $(\mathsf {AGG}_{x^b,x^1,k,s_j,K^\mathsf {msk}_j,K^\mathsf {enc}_j,\bot ,\bot }, \mathsf {AGG}_{x^b,x^1,k,s_j,{K^\mathsf {msk}_j}|_{\{t_k\}},{K^\mathsf {enc}_j}|_{\{t_k\}},t_k,\gamma })$, where $\gamma = {\mathsf {1FE}\mathsf {.E}}(\mathsf {msk}_{s_j,t_k}, (x^b_j, y^b_k) ; \mathsf {PRF.Eval}(K^\mathsf {enc}_i, t_k))$, and returns the output to ${\mathcal {A}}$. Moreover, ${\mathcal {B}}$ runs ${\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (K^\mathsf {msk}_j,K^\mathsf {key}_j,s_j,k),1)$ and returns the output to ${\mathcal {A}}$.

When ${\mathcal {A}}$ queries the encryption oracle with $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for the ${i}{\mathrm{th}}$ time for $i\ge j+1$, ${\mathcal {B}}$ samples $s\in \{ 0,1 \}^\lambda $, $K^\mathsf {msk},K^\mathsf {key},K^\mathsf {enc}\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, queries the key-generation oracle $\mathsf {KG}_\sigma (\mathsf {msk}_1,\cdot ,\cdot )$ with the pair $(\mathsf {AGG}_{x^b,x^1,0,s,K^\mathsf {msk},K^\mathsf {enc},\bot ,\bot }, \mathsf {AGG}_{x^b,x^1,0,s,K^\mathsf {msk},K^\mathsf {enc},\bot ,\bot })$ and returns the output to ${\mathcal {A}}$. Moreover, ${\mathcal {B}}$ runs ${\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (K^\mathsf {msk},K^\mathsf {key},s,0),1)$ and returns the output to ${\mathcal {A}}$. When ${\mathcal {A}}$ requests the ${i}{\mathrm{th}}$ encryption of $(y^0,y^1)\in \mathcal {Y}_\lambda $ (with respect to index $\mathsf {i}= 2$), ${\mathcal {B}}$ samples $t_i\in \{ 0,1 \}^\lambda $ (unless $i=k$ in which case $t_i$ is already known), queries the encryption oracle $\mathsf {Enc}_\sigma (\mathsf {msk}_1,\cdot ,\cdot )$ with the pair $((y^b, y^1,1,t_i,\bot ,\bot ),(y^b, y^1,i,t_i,\bot ,\bot ))$ and returns the output to ${\mathcal {A}}$. Moreover, ${\mathcal {B}}$ runs ${\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (i,t),2)$ and returns the output to ${\mathcal {A}}$. When ${\mathcal {A}}$ requests a functional key for $(f^0,f^1)\in \mathcal {F}\times \mathcal {F}$, ${\mathcal {B}}$ runs the key-generation procedure ${\mathsf {2FE^{sel}}\mathsf {.KG}}(\mathsf {msk}_2,D_{f^b,f^1,i,\bot ,\bot ,\bot })$ and returns the output to ${\mathcal {A}}$.

Note that when $\sigma = 0$ then ${\mathcal {A}}$’s view is identical to its view in the experiment $\mathcal {H}^{(3,j,k)}$, and when $\sigma = 1$ then ${\mathcal {A}}$’s view is identical to its view in the modified experiment $\mathcal {H}^{(4,j,k)}$ described above. Therefore,

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(3,j,k)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(4,j,k)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(3,j,k) \rightarrow (4,j,k)}}(\lambda ). \end{aligned}$$

Proof of Claim 4.5

The adversary ${\mathcal {B}}^{(4,j,k) \rightarrow (5,j,k)}=({\mathcal {B}}_1,{\mathcal {B}}_2)$ given input $1^\lambda $ is defined as follows. First, ${\mathcal {B}}_1$ samples $\mathsf {msk}_1\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $b\leftarrow \{ 0,1 \}$, $K^\mathsf {msk}_1,\ldots ,K^\mathsf {msk}_T,K^\mathsf {key}_1,\ldots ,K^\mathsf {key}_T, K^\mathsf {enc}_1,\ldots ,K^\mathsf {enc}_T\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, $s_1,\ldots ,s_T\leftarrow \{ 0,1 \}^\lambda $ and $t_1,\ldots ,t_T\leftarrow \{ 0,1 \}^\lambda $, where T is upper bounded by the running time of ${\mathcal {A}}$. Then, ${\mathcal {B}}_1$ computes $\mathsf {msk}_{s_j,t_k} = {\mathsf {1FE}\mathsf {.S}}(1^\lambda ; \mathsf {PRF.Eval}(K^\mathsf {msk}_j,t_k))$.

The adversary ${\mathcal {B}}_1$ proceeds as follows: For $i\le j-1$ it requests the encryption of the pair $((K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, T), (K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, T))$ with respect to index $\mathsf {i}= 1$. For $i = j$ it requests the encryption of the pair $((K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, k), (K^\mathsf {msk}_i|_{\{t_k\}}, K^\mathsf {key}_i|_{\{t_k\}}, s_i, k))$, where $K^\mathsf {msk}_i|_{\{t_k\}}$ and $K^\mathsf {key}_i|_{\{t_k\}}$ are the keys $K^\mathsf {msk}_i$ and $K^\mathsf {key}_i$ punctured at the point $t_k$. For $i \ge j+1$ it requests the encryption of the pair $((K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, 0), (K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, 0))$ with respect to index $\mathsf {i}= 1$. All the above results with $\mathsf {ct}_{1,1}, \ldots , \mathsf {ct}_{1,T}$. Then, the adversary ${\mathcal {B}}_1$ requests the encryption of the pair $((i,t_i), (i,t_i))$ with respect to index $\mathsf {i}= 2$ for $i\in [T]$ to get $\mathsf {ct}_{2,1}, \ldots , \mathsf {ct}_{2,T}$. Finally, ${\mathcal {B}}_1$ outputs the state information $\mathsf {state}$ which is all its memory.

Next, ${\mathcal {B}}_2$ emulates the execution of ${\mathcal {A}}$ on input $1^\lambda $ by simulating the encryption oracle as follows: When ${\mathcal {A}}$ queries the encryption oracle with $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for the ${i}{\mathrm{th}}$ time for $i\le j-1$, ${\mathcal {B}}_2$ runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}_1,\cdot )$ with $\mathsf {AGG}_{x^b,x^1,T,s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }$ to get $\mathsf {sk}_{1,i}$ and returns the pair $(\mathsf {ct}_{1,i},\mathsf {sk}_{1,i})$ to ${\mathcal {A}}$. When ${\mathcal {A}}$ queries the encryption oracle with $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for the ${i}{\mathrm{th}}$ time for $i=j$, ${\mathcal {B}}_2$ runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}_1,\cdot )$ with the input $\mathsf {AGG}_{x^b,x^1,k,s_j,{K^\mathsf {msk}_j}|_{\{t_k\}},{K^\mathsf {enc}_j}|_{\{t_k\}},t_k,\gamma }$, where $\gamma = {\mathsf {1FE}\mathsf {.E}}(\mathsf {msk}_{s_j,t_k}, (x^b_j, y^b_k) ; \mathsf {PRF.Eval}(K^\mathsf {enc}_i, t_k))$, to get $\mathsf {sk}_{1,i}$ and returns the pair $(\mathsf {ct}_{1,i}, \mathsf {sk}_{1,i})$ to ${\mathcal {A}}$. When ${\mathcal {A}}$ queries the encryption oracle with $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for the ${i}{\mathrm{th}}$ time for $i\ge j+1$, ${\mathcal {B}}_2$ runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}_1,\cdot )$ with $\mathsf {AGG}_{x^b,x^1,0,s_i,K^\mathsf {msk}_i,K^\mathsf {enc}_i,\bot ,\bot }$ to get $\mathsf {sk}_{1,i}$ and returns the pair $(\mathsf {ct}_{1,i},\mathsf {sk}_{1,i})$ to ${\mathcal {A}}$. When ${\mathcal {A}}$ requests the ${i}{\mathrm{th}}$ encryption of $(y^0,y^1)\in \mathcal {Y}_\lambda $ (with respect to index $\mathsf {i}= 2$), ${\mathcal {B}}_2$ runs the encryption procedure ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk}_1,\cdot )$ with the input $(y^b, y^1,i,t_i,\bot ,\bot ))$ to get $\mathsf {ct}_{3,i}$ and returns the pair $(\mathsf {ct}_{2,i},\mathsf {ct}_{3,i})$ to ${\mathcal {A}}$. When ${\mathcal {A}}$ requests a functional key for $(f^0,f^1)\in \mathcal {F}\times \mathcal {F}$, ${\mathcal {B}}_2$ queries the key-generation oracle $\mathsf {KG}(\mathsf {msk}_2, \cdot ,\cdot )$ with the pair $(D_{f^b,f^1,i,\bot ,\bot ,\bot }, D_{f^b,f^1,i,s_j,t_k,\delta })$, where $\delta = {\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}_{s_j,t_k}, C_{f^b_i} ; \mathsf {PRF.Eval}(K^\mathsf {key}_j, t_k))$ and returns the output to ${\mathcal {A}}$.

Note that when $\sigma = 0$ then ${\mathcal {A}}$’s view is identical to its view in the experiment $\mathcal {H}^{(4,j,k)}$, and when $\sigma = 1$ then ${\mathcal {A}}$’s view is identical to its view in the modified experiment $\mathcal {H}^{(5,j,k)}$ described above. Therefore,

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(4,j,k)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(5,j,k)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {sel2FE}}_{\mathsf {2FE^{sel}}, \mathcal {F}', {\mathcal {B}}^{(4,j,k) \rightarrow (5,j,k)}}(\lambda ). \end{aligned}$$

Proof of Claim 4.6

The proof of this claim proceeds by three hybrid experiments, which we denote by $\mathcal {H}^{(5.1,j,k)}$,$\mathcal {H}^{(5.2,j,k)}$ and $\mathcal {H}^{(5.3,j,k)} = \mathcal {H}^{(6,j,k)}$, such that in each we replace only one PRF evaluation with sampling a string uniformly at random. Experiment $\mathcal {H}^{(5.1,j,k)}$ corresponds to replacing $\mathsf {PRF.Eval}(K^\mathsf {msk}_j,t_k)$ with a uniform string, experiment $\mathcal {H}^{(5.2,j,k)}$ corresponds to replacing $\mathsf {PRF.Eval}(K^\mathsf {key}_j,t_k)$ and $\mathsf {PRF.Eval}(K^\mathsf {enc}_j, t_k)$, and finally experiment $\mathcal {H}^{(5.3,j,k)}$ corresponds to $\mathcal {H}^{(6,j,k)}$. Since the three proofs of indistinguishability are very similar, we provide the proof for the first one and omit the missing details. That is, in what follows we prove that the experiment $\mathcal {H}^{(5,j,k)}$ is indistinguishable from an experiment $\mathcal {H}^{(5.1,j,k)}$ in which we only replace the value of $\mathsf {msk}_{s_j,t_k}$ to be computed using a uniform random string rather than as $\mathsf {PRF.Eval}(K^\mathsf {msk}_j,t_k)$.

The adversary ${\mathcal {B}}^{(5,j,k) \rightarrow (5.1,j,k)}={\mathcal {B}}$ given input $1^\lambda $ is defined as follows. First, ${\mathcal {B}}$ samples $\mathsf {msk}_1\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda ), \mathsf {msk}_2\leftarrow {\mathsf {2FE^{sel}}\mathsf {.S}}(1^\lambda )$, $b\leftarrow \{ 0,1 \}$ and $s_j,t_k\leftarrow \{ 0,1 \}^\lambda $. Now, ${\mathcal {B}}$ is given $R(t_k)$, punctures PRF key $K^\mathsf {msk}_j|_{\{t_k\}}$, and its goal is to guess if $R(t_k)$ is uniformly random or the output of a PRF.

${\mathcal {B}}$ emulates the execution of ${\mathcal {A}}$ on input $1^\lambda $ by simulating the encryption oracle as follows: When ${\mathcal {A}}_1$ requests for the encryption of the ${i}{\mathrm{th}}$ input pair $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for $i\le j-1$, ${\mathcal {B}}$ samples $K^\mathsf {msk}_i, K^\mathsf {key}_i,K^\mathsf {enc}_i\leftarrow \mathsf {PRF.Gen}(1^\lambda $, $s_i\leftarrow \{ 0,1 \}^\lambda $, executes the procedure ${\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, T), 1)$ to get $\mathsf {ct}_{1,i}$ and the procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}_1,\cdot )$ with the input $\mathsf {AGG}_{x^b, x^1, T, s_i, K^\mathsf {msk}_i, K^\mathsf {enc}_i, \bot ,\bot }$ to get $\mathsf {sk}_{1,i}$, and returns to ${\mathcal {A}}$ the pair $(\mathsf {ct}_{1,i},\mathsf {sk}_{1,i})$. When ${\mathcal {A}}_1$ requests for the encryption of the ${i}{\mathrm{th}}$ input pair $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for $i=j$, ${\mathcal {B}}$ samples $K^\mathsf {key}_i,K^\mathsf {enc}_i\leftarrow \mathsf {PRF.Gen}(1^\lambda $, punctures $K^\mathsf {enc}_i$ and $K^\mathsf {key}_i$ at the point $t_k$ to get $K^\mathsf {enc}_i|_{\{t_k\}}$ and $K^\mathsf {key}_i|_{\{t_k\}}$, respectively, executes the procedure ${\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (K^\mathsf {msk}_i|_{\{t_k\}}, K^\mathsf {key}_i|_{\{t_k\}}, s_i, k), 1)$ to get $\mathsf {ct}_{1,i}$ and the procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}_1,\mathsf {AGG}_{x^b, x^1, k, s_i, K^\mathsf {msk}_i|_{\{t_k\}}, K^\mathsf {enc}_i|_{\{t_k\}}, t_k,\gamma })$, where $\gamma = {\mathsf {1FE}\mathsf {.E}}(\mathsf {msk}_{s_j,t_k}, (x^b_j, y^b_k) ; \mathsf {PRF.Eval}(K^\mathsf {enc}_i, t_k))$ and $\mathsf {msk}_{s_j,t_k} = {\mathsf {1FE}\mathsf {.S}}(1^\lambda ; R(t_k))$ to get $\mathsf {sk}_{1,i}$, and returns to ${\mathcal {A}}$ the pair $(\mathsf {ct}_{1,i},\mathsf {sk}_{1,i})$. When ${\mathcal {A}}_1$ requests for the encryption of the ${i}{\mathrm{th}}$ input pair $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for $i\ge j+1$, ${\mathcal {B}}$ samples $K^\mathsf {msk}_i,K^\mathsf {key}_i,K^\mathsf {enc}_i\leftarrow \mathsf {PRF.Gen}(1^\lambda $, $s_i\leftarrow \{ 0,1 \}^\lambda $, executes the procedure ${\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (K^\mathsf {msk}_i, K^\mathsf {key}_i, s_i, 0), 1)$ to get $\mathsf {ct}_{1,i}$ and the procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}_1,\cdot )$ with the circuit $\mathsf {AGG}_{x^b, x^1, 0, s_i, K^\mathsf {msk}_i, K^\mathsf {enc}_i, \bot ,\bot }$ to get $\mathsf {sk}_{1,i}$, and returns to ${\mathcal {A}}$ the pair $(\mathsf {ct}_{1,i},\mathsf {sk}_{1,i})$. When ${\mathcal {A}}$ requests the ${i}{\mathrm{th}}$ encryption of $(y^0,y^1)\in \mathcal {Y}_\lambda $ (with respect to index $\mathsf {i}= 2$), ${\mathcal {B}}$ samples $t_i\leftarrow \{ 0,1 \}^\lambda $, runs the encryption procedure ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk}_1,\cdot )$ with the input $(y^b, y^1,i,t_i,\bot ,\bot ))$ to get $\mathsf {ct}_{3,i}$ and the encryption procedure ${\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (i,t_i), 2)$ to get $\mathsf {ct}_{2,i}$ and returns the pair $(\mathsf {ct}_{2,i},\mathsf {ct}_{3,i})$ to ${\mathcal {A}}$. When ${\mathcal {A}}$ requests a functional key for $(f^0,f^1)\in \mathcal {F}\times \mathcal {F}$, ${\mathcal {B}}$ runs the key-generation procedure ${\mathsf {2FE^{sel}}\mathsf {.KG}}(\mathsf {msk}_2, \cdot )$ with the input $D_{f^b,f^1,i,s_j,t_k,\delta }$, where $\delta = {\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}_{s_j,t_k}, C_{f^b_i} ; \mathsf {PRF.Eval}(K^\mathsf {key}_j, t_k))$ and returns the output to ${\mathcal {A}}$.

Note that when $\sigma = 0$ then ${\mathcal {A}}$’s view is identical to its view in the experiment $\mathcal {H}^{(5,j,k)}$, and when $\sigma = 1$ then ${\mathcal {A}}$’s view is identical to its view in the modified experiment $\mathcal {H}^{(5.1,j,k)}$ described above. The same argument applied to $\mathcal {H}^{(5.2,j,k)}$ and $\mathcal {H}^{(5.3,j,k)}$ to get

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(5,j,k)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(6,j,k)}(\lambda ) = 1 \right] \right| \le 3\cdot \mathsf {Adv}_{\mathsf {PRF}, {\mathcal {B}}^{(5,j,k)\rightarrow (6,j,k)}}(\lambda ). \end{aligned}$$

Proof of Claim 4.7

The adversary ${\mathcal {B}}^{(6,j,k) \rightarrow (7,j,k)}={\mathcal {B}}$ given input $1^\lambda $ is defined as follows. First, ${\mathcal {B}}$ samples $\mathsf {msk}_1\leftarrow {\mathsf {1FE}\mathsf {.S}}(1^\lambda )$, $\mathsf {msk}_2\leftarrow {\mathsf {2FE^{sel}}\mathsf {.S}}(1^\lambda ), s_j, t_k\leftarrow \{ 0,1 \}^\lambda $, $K^\mathsf {msk}_j,K^\mathsf {key}_j,K^\mathsf {enc}_j\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, $b\leftarrow \{ 0,1 \}$ and punctures the PRF keys at $t_k$ to get $K^\mathsf {msk}_j|_{\{t_k\}},K^\mathsf {key}_j|_{\{t_k\}}$ and $K^\mathsf {enc}_j|_{\{t_k\}}$, emulates the execution of ${\mathcal {A}}$ on input $1^\lambda $ by simulating the encryption oracle as follows: When ${\mathcal {A}}$ queries the encryption oracle with $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for the ${i}{\mathrm{th}}$ time for $i\le j-1$, ${\mathcal {B}}$ samples $s\in \{ 0,1 \}^\lambda $, $K^\mathsf {msk},K^\mathsf {key},K^\mathsf {enc}\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, runs the key-generation procedure ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk}_1,\cdot )$ with $\mathsf {AGG}_{x^b,x^1,T,s,K^\mathsf {msk},K^\mathsf {enc},\bot ,\bot }$ and returns the output to ${\mathcal {A}}$. Moreover, ${\mathcal {B}}$ runs ${\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (K^\mathsf {msk},K^\mathsf {key},s,T),1)$ and returns the output to ${\mathcal {A}}$. When ${\mathcal {A}}$ queries the encryption oracle with $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for the ${i}{\mathrm{th}}$ time for $i=j$, ${\mathcal {B}}$ runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}_1,\cdot )$ with $\mathsf {AGG}_{x^b,x^1,k,s_j,{K^\mathsf {msk}_j}|_{\{t_k\}},{K^\mathsf {enc}_j}|_{\{t_k\}},t_k,\gamma }$, where $\gamma $ is the output of the encryption oracle $\mathsf {Enc}_\sigma (\mathsf {msk}_{s_j,t_k}, \cdot ,\cdot )$ on the pair $((x^b_j, y^b_k), (x^1_j, y^1_k))$, and returns the output to ${\mathcal {A}}$. Moreover, ${\mathcal {B}}$ runs ${\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, ({K^\mathsf {msk}_j}|_{\{t_k\}},{K^\mathsf {key}_j}|_{\{t_k\}},s_j,k),1)$ and returns the output to ${\mathcal {A}}$. When ${\mathcal {A}}$ queries the encryption oracle with $(x^0,x^1)\in \mathcal {X}_\lambda $ (with respect to index $\mathsf {i}= 1$) for the ${i}{\mathrm{th}}$ time for $i\ge j+1$, ${\mathcal {B}}$ samples $s\in \{ 0,1 \}^\lambda $, $K^\mathsf {msk},K^\mathsf {key},K^\mathsf {enc}\leftarrow \mathsf {PRF.Gen}(1^\lambda )$, runs the key-generation procedure ${\mathsf {1FE}\mathsf {.KG}}(\mathsf {msk}_1,\cdot )$ with $\mathsf {AGG}_{x^b,x^1,0,s,K^\mathsf {msk},K^\mathsf {enc},\bot ,\bot }$ and returns the output to ${\mathcal {A}}$. Moreover, ${\mathcal {B}}$ runs ${\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (K^\mathsf {msk},K^\mathsf {key},s,0),1)$ and returns the output to ${\mathcal {A}}$. When ${\mathcal {A}}$ requests the ${i}{\mathrm{th}}$ encryption of $(y^0,y^1)\in \mathcal {Y}_\lambda $ (with respect to index $\mathsf {i}= 2$), ${\mathcal {B}}$ samples $t_i\in \{ 0,1 \}^\lambda $ (unless $i=k$ in which case $t_i$ is already known), runs the encryption procedure ${\mathsf {1FE}\mathsf {.E}}(\mathsf {msk}_1,\cdot )$ with the input $(y^b, y^1,i,t_i,\bot ,\bot )$, and returns the output to ${\mathcal {A}}$. Moreover, ${\mathcal {B}}$ runs ${\mathsf {2FE^{sel}}\mathsf {.E}}(\mathsf {msk}_2, (i,t),2)$ and returns the output to ${\mathcal {A}}$. When ${\mathcal {A}}$ requests a functional key for $(f^0,f^1)\in \mathcal {F}\times \mathcal {F}$, ${\mathcal {B}}$ runs the key-generation procedure ${\mathsf {2FE^{sel}}\mathsf {.KG}}(\mathsf {msk}_2,D_{f^b,f^1,i,s_j,t_k,\delta })$, where $\delta $ is the output of the key-generation oracle $\mathsf {KG}_\sigma (\mathsf {msk}_{s_j, t_j}, \cdot , \cdot )$ with the pair $(C_{f^b},C_{f^1})$, and returns the output to ${\mathcal {A}}$.

Note that when $\sigma = 0$ then ${\mathcal {A}}$’s view is identical to its view in the experiment $\mathcal {H}^{(6,j,k)}$, and when $\sigma = 1$ then ${\mathcal {A}}$’s view is identical to its view in the modified experiment $\mathcal {H}^{(7,j,k)}$ described above. Therefore,

$$\begin{aligned} \left| \Pr \left[ \mathcal {H}^{(6,j,k)}(\lambda ) = 1 \right] - \Pr \left[ \mathcal {H}^{(7,j,k)}(\lambda ) = 1 \right] \right| \le \mathsf {Adv}^{\mathsf {full1FE}}_{\mathsf {1FE}, \mathcal {F}', {\mathcal {B}}^{(6,j,k) \rightarrow (7,j,k)}}(\lambda ). \end{aligned}$$

$\square $

Rights and permissions

Reprints and permissions

About this article

Cite this article

Brakerski, Z., Komargodski, I. & Segev, G. Multi-input Functional Encryption in the Private-Key Setting: Stronger Security from Weaker Assumptions. J Cryptol 31, 434–520 (2018). https://doi.org/10.1007/s00145-017-9261-0

Download citation

Received: 06 February 2016
Revised: 02 June 2017
Published: 26 June 2017
Issue Date: April 2018
DOI: https://doi.org/10.1007/s00145-017-9261-0

Keywords

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

Multi-input Functional Encryption in the Private-Key Setting: Stronger Security from Weaker Assumptions

Abstract

Similar content being viewed by others

Multi-input Functional Encryption in the Private-Key Setting: Stronger Security from Weaker Assumptions

Function-Private Functional Encryption in the Private-Key Setting

Function-Private Functional Encryption in the Private-Key Setting

1 Introduction

1.1 Our Contributions

Theorem 1.1

1.2 Additional Related Work

1.3 Follow-Up Work

1.4 Overview of Our Constructions and Techniques

1.5 Paper Organization

2 Preliminaries

2.1 Pseudorandom Functions

Definition 2.1

Definition 2.2

2.2 Private-Key Single-Input Functional Encryption

Definition 2.3

Definition 2.4

2.3 Private-Key Two-Input Functional Encryption

Definition 2.5

Definition 2.6

Definition 2.7

Definition 2.8

3 A Selectively Secure Two-Input Scheme from any Single-Input Scheme

Theorem 3.1

Proof of Theorem 3.1

Claim 3.2

Claim 3.3

Claim 3.4

Claim 3.5

Claim 3.6

Claim 3.7

Claim 3.8

Claim 3.9

Claim 3.10

Claim 3.11

Claim 3.12

4 From Selective to Adaptive Security for Two-Input Schemes

Theorem 4.1

Proof of Theorem 4.1

Claim 4.2

Claim 4.3

Claim 4.4

Claim 4.5

Claim 4.6

Claim 4.7

Claim 4.8

Claim 4.9

Claim 4.10

Claim 4.11

Claim 4.12

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Additional information

Appendices

Generalization to \(\varvec{t\ge 2}\) Inputs

1.1 Private-Key \(\varvec{t}\)-Input Functional Encryption

Definition A.1

Definition A.2

Definition A.3

Definition A.4

1.2 A Selectively Secure \(\varvec{t}\)-Input Scheme from any \(\varvec{(t-1)}\)-Input Scheme

Theorem A.5

Theorem A.5

Claim A.6

Claim A.7

Claim A.8

Claim A.9

Claim A.10

Claim A.11

Claim A.12

Claim A.13

Claim A.14

Claim A.15