Compact Adaptively Secure ABE for \({\textsf {NC}}^{1}\) from k-Lin

Journal of Cryptology

Abstract

We present compact attribute-based encryption (ABE) schemes for \({\textsf {NC}}^{1}\) that are adaptively secure under the k-Lin assumption with polynomial security loss. Our KP-ABE scheme achieves ciphertext size that is linear in the attribute length and independent of the policy size even in the many-use setting, and we achieve an analogous efficiency guarantee for CP-ABE. This resolves the central open problem posed by Lewko and Waters (CRYPTO 2011). Previous adaptively secure constructions either impose an attribute “one-use restriction” (or the ciphertext size grows with the policy size) or require q-type assumptions.

Notes

  1. https://www.etsi.org/news-events/news/1328-2018-08-press-etsi-releases-cryptographic-standards-for-secure-access-control.

  2. Note that there exist constructions of ABE for more general access policies like monotone span programs/Boolean formulas with threshold gates [16] and even polynomial-sized Boolean circuits [15, 17], as well as constructions that support an exponentially large attribute universe [31], but all such constructions sacrifice at least one of the properties (1)–(3). We view achieving (1)–(3) for any of these extensions as an interesting open problem.

  3. Essentially, the dual-system proof method provides guidance for transforming suitably designed functional encryption schemes which are secure for one adversarial secret key request to the multi-key setting where multiple keys may be requested by the adversary. Our main technical contribution involves the analysis of the initial single-key-secure component, which we refer to later as our “Core 1-ABE” component.

  4. Most directly by pushing all NOT gates to the input nodes of each circuit and using new attributes to represent the negation of each original attribute. It is likely that the efficiency hit introduced by this transformation can be removed through more advanced techniques à la [25, 29], but we leave this for future work.

  5. Some works associate ciphertexts with a set \(S \subseteq [n]\) where [n] is referred to as the attribute universe, in which case \({\mathbf {x}}\in \{0,1\}^n\) corresponds to the characteristic vector of S.

  6. e.g., \(k=1\) corresponds to security under the symmetric external Diffie–Hellman assumption (SXDH), and \(k=2\) corresponds to security under the decisional linear assumption (DLIN).

  7. Informally, \(\{{\textsf {H}}^u\}\) describes the simulated games used in the security reduction, where the reduction guesses \(R'\) bits of information described by u about some choices z made by the adversary; these \(R'\) bits of information are described by \(h_\ell (z)\) in the \(\ell \)’th hybrid. In the \(\ell \)’th hybrid, the reduction guesses a \(u \in \{0,1\}^{R'}\) and simulates the game according to \({\textsf {H}}^u\) and hopes that the adversary will pick a z such that \(h_\ell (z) = u\); note that the adversary is not required to pick such a z. One way to think of \({\textsf {H}}^u\) is that the reduction is committed to u, but the adversary can do whatever it wants.

References

  1. Shashank Agrawal and Melissa Chase. Simplifying design and analysis of complex predicate encryption schemes. In Jean-Sébastien Coron and Jesper Buus Nielsen, editors, EUROCRYPT 2017, Part I, volume 10210 of LNCS, pages 627–656. Springer, Heidelberg, April / May 2017.

  2. Nuttapong Attrapadung. Dual system encryption via doubly selective security: Framework, fully secure functional encryption for regular languages, and more. In Phong Q. Nguyen and Elisabeth Oswald, editors, EUROCRYPT 2014, volume 8441 of LNCS, pages 557–577. Springer, Heidelberg, May 2014.

  3. Nuttapong Attrapadung. Dual system encryption framework in prime-order groups via computational pair encodings. In Jung Hee Cheon and Tsuyoshi Takagi, editors, ASIACRYPT 2016, Part II, volume 10032 of LNCS, pages 591–623. Springer, Heidelberg, December 2016.

  4. Olivier Blazy, Eike Kiltz, and Jiaxin Pan. (Hierarchical) identity-based encryption from affine message authentication. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of LNCS, pages 408–425. Springer, Heidelberg, August 2014.

  5. John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policy attribute-based encryption. In 2007 IEEE Symposium on Security and Privacy, pages 321–334. IEEE Computer Society Press, May 2007.

  6. Jie Chen, Junqing Gong, Lucas Kowalczyk, and Hoeteck Wee. Unbounded ABE via bilinear entropy expansion, revisited. In Jesper Buus Nielsen and Vincent Rijmen, editors, EUROCRYPT 2018, Part I, volume 10820 of LNCS, pages 503–534. Springer, Heidelberg, April / May 2018.

  7. Jie Chen, Romain Gay, and Hoeteck Wee. Improved dual system ABE in prime-order groups via predicate encodings. In Elisabeth Oswald and Marc Fischlin, editors, EUROCRYPT 2015, Part II, volume 9057 of LNCS, pages 595–624. Springer, Heidelberg, April 2015.

  8. Jung Hee Cheon. Security analysis of the strong Diffie-Hellman problem. In Serge Vaudenay, editor, EUROCRYPT 2006, volume 4004 of LNCS, pages 1–11. Springer, Heidelberg, May / June 2006.

  9. Jie Chen and Hoeteck Wee. Fully, (almost) tightly secure IBE and dual system groups. In Ran Canetti and Juan A. Garay, editors, CRYPTO 2013, Part II, volume 8043 of LNCS, pages 435–460. Springer, Heidelberg, August 2013.

  10. Jie Chen and Hoeteck Wee. Semi-adaptive attribute-based encryption and improved delegation for Boolean formula. In Michel Abdalla and Roberto De Prisco, editors, SCN 14, volume 8642 of LNCS, pages 277–297. Springer, Heidelberg, September 2014.

  11. Alex Escala, Gottfried Herold, Eike Kiltz, Carla Ràfols, and Jorge Villar. An algebraic framework for Diffie-Hellman assumptions. In Ran Canetti and Juan A. Garay, editors, CRYPTO 2013, Part II, volume 8043 of LNCS, pages 129–147. Springer, Heidelberg, August 2013.

  12. Georg Fuchsbauer, Zahra Jafargholi, and Krzysztof Pietrzak. A quasipolynomial reduction for generalized selective decryption on trees. In Rosario Gennaro and Matthew J. B. Robshaw, editors, CRYPTO 2015, Part I, volume 9215 of LNCS, pages 601–620. Springer, Heidelberg, August 2015.

  13. Georg Fuchsbauer, Momchil Konstantinov, Krzysztof Pietrzak, and Vanishree Rao. Adaptive security of constrained PRFs. In Palash Sarkar and Tetsu Iwata, editors, ASIACRYPT 2014, Part II, volume 8874 of LNCS, pages 82–101. Springer, Heidelberg, December 2014.

  14. Junqing Gong, Xiaolei Dong, Jie Chen, and Zhenfu Cao. Efficient IBE with tight reduction to standard assumption in the multi-challenge setting. In Jung Hee Cheon and Tsuyoshi Takagi, editors, ASIACRYPT 2016, Part II, volume 10032 of LNCS, pages 624–654. Springer, Heidelberg, December 2016.

  15. Sanjam Garg, Craig Gentry, Shai Halevi, Amit Sahai, and Brent Waters. Attribute-based encryption for circuits from multilinear maps. In Ran Canetti and Juan A. Garay, editors, CRYPTO 2013, Part II, volume 8043 of LNCS, pages 479–499. Springer, Heidelberg, August 2013.

  16. Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute-based encryption for fine-grained access control of encrypted data. In Ari Juels, Rebecca N. Wright, and Sabrina De Capitani di Vimercati, editors, ACM CCS 2006, pages 89–98. ACM Press, October / November 2006. Available as Cryptology ePrint Archive Report 2006/309.

  17. Sergey Gorbunov, Vinod Vaikuntanathan, and Hoeteck Wee. Attribute-based encryption for circuits. In Dan Boneh, Tim Roughgarden, and Joan Feigenbaum, editors, 45th ACM STOC, pages 545–554. ACM Press, June 2013.

  18. Brett Hemenway, Zahra Jafargholi, Rafail Ostrovsky, Alessandra Scafuro, and Daniel Wichs. Adaptively secure garbled circuits from one-way functions. In Matthew Robshaw and Jonathan Katz, editors, CRYPTO 2016, Part III, volume 9816 of LNCS, pages 149–178. Springer, Heidelberg, August 2016.

  19. Yuval Ishai and Eyal Kushilevitz. Perfect constant-round secure computation via perfect randomizing polynomials. In Peter Widmayer, Francisco Triguero Ruiz, Rafael Morales Bueno, Matthew Hennessy, Stephan Eidenbenz, and Ricardo Conejo, editors, ICALP 2002, volume 2380 of LNCS, pages 244–256. Springer, Heidelberg, July 2002.

  20. Zahra Jafargholi, Chethan Kamath, Karen Klein, Ilan Komargodski, Krzysztof Pietrzak, and Daniel Wichs. Be adaptive, avoid overcommitting. In Jonathan Katz and Hovav Shacham, editors, CRYPTO 2017, Part I, volume 10401 of LNCS, pages 133–163. Springer, Heidelberg, August 2017.

  21. Zahra Jafargholi and Daniel Wichs. Adaptive security of Yao’s garbled circuits. In Martin Hirt and Adam D. Smith, editors, TCC 2016-B, Part I, volume 9985 of LNCS, pages 433–458. Springer, Heidelberg, October / November 2016.

  22. Lucas Kowalczyk, Jiahui Liu, Tal Malkin, and Kailash Meiyappan. Mitigating the one-use restriction in attribute-based encryption. In Kwangsu Lee, editor, ICISC 18, volume 11396 of LNCS, pages 23–36. Springer, Heidelberg, November 2019.

  23. Lucas Kowalczyk and Hoeteck Wee. Compact adaptively secure ABE for \({\textsf {NC}}^{1}\) from k-Lin. In Yuval Ishai and Vincent Rijmen, editors, EUROCRYPT 2019, Part I, volume 11476 of LNCS, pages 3–33. Springer, Heidelberg, May 2019.

  24. Allison B. Lewko, Tatsuaki Okamoto, Amit Sahai, Katsuyuki Takashima, and Brent Waters. Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption. In Henri Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS, pages 62–91. Springer, Heidelberg, May / June 2010.

  25. Allison B. Lewko, Amit Sahai, and Brent Waters. Revocation systems with very small private keys. In 2010 IEEE Symposium on Security and Privacy, pages 273–285. IEEE Computer Society Press, May 2010.

  26. Allison B. Lewko and Brent Waters. New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In Daniele Micciancio, editor, TCC 2010, volume 5978 of LNCS, pages 455–479. Springer, Heidelberg, February 2010.

  27. Allison B. Lewko and Brent Waters. Unbounded HIBE and attribute-based encryption. In Kenneth G. Paterson, editor, EUROCRYPT 2011, volume 6632 of LNCS, pages 547–567. Springer, Heidelberg, May 2011.

  28. Allison B. Lewko and Brent Waters. New proof methods for attribute-based encryption: Achieving full security through selective techniques. In Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, pages 180–198. Springer, Heidelberg, August 2012.

  29. Rafail Ostrovsky, Amit Sahai, and Brent Waters. Attribute-based encryption with non-monotonic access structures. In Peng Ning, Sabrina De Capitani di Vimercati, and Paul F. Syverson, editors, ACM CCS 2007, pages 195–203. ACM Press, October 2007.

  30. Tatsuaki Okamoto and Katsuyuki Takashima. Fully secure functional encryption with general relations from the decisional linear assumption. In Tal Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, pages 191–208. Springer, Heidelberg, August 2010.

  31. Tatsuaki Okamoto and Katsuyuki Takashima. Fully secure unbounded inner-product and attribute-based encryption. In Xiaoyun Wang and Kazue Sako, editors, ASIACRYPT 2012, volume 7658 of LNCS, pages 349–366. Springer, Heidelberg, December 2012.

  32. Bryan Parno, Mariana Raykova, and Vinod Vaikuntanathan. How to delegate and verify in public: Verifiable computation from attribute-based encryption. In Ronald Cramer, editor, TCC 2012, volume 7194 of LNCS, pages 422–439. Springer, Heidelberg, March 2012.

  33. Amit Sahai and Brent R. Waters. Fuzzy identity-based encryption. In Ronald Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS, pages 457–473. Springer, Heidelberg, May 2005.

  34. V. Vinod, Arvind Narayanan, K. Srinathan, C. Pandu Rangan, and Kwangjo Kim. On the power of computational secret sharing. In Thomas Johansson and Subhamoy Maitra, editors, INDOCRYPT 2003, volume 2904 of LNCS, pages 162–176. Springer, Heidelberg, 2003.

  35. Brent Waters. Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions. In Shai Halevi, editor, CRYPTO 2009, volume 5677 of LNCS, pages 619–636. Springer, Heidelberg, August 2009.

  36. Hoeteck Wee. Dual system encryption via predicate encodings. In Yehuda Lindell, editor, TCC 2014, volume 8349 of LNCS, pages 616–637. Springer, Heidelberg, February 2014.

Acknowledgements

We thank Allison Bishop, Sanjam Garg, Rocco Servedio and Daniel Wichs for helpful discussions.

Author information

Corresponding author

Correspondence to Lucas Kowalczyk.

Additional information

Communicated by Masayuki Abe.

An extended abstract of this paper [23] was published in the proceedings of EUROCRYPT 2019.

Lucas Kowalczyk: Supported in part by an NSF Graduate Research Fellowship DGE-16-44869; The Leona M. and Harry B. Helmsley Charitable Trust; ERC Project aSCEND (H2020 639554); the Defense Advanced Research Project Agency (DARPA) and Army Research Office (ARO) under Contract W911NF-15-C-0236; and NSF Grants CNS-1445424, CNS-1552932 and CCF-1423306. Any opinions, findings and conclusions or recommendations expressed are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency, Army Research Office, the National Science Foundation, or the U.S. Government.

Hoeteck Wee: Supported in part by ERC Project aSCEND (H2020 639554).

Appendices

Our CP-ABE Scheme

In this section, we present our compact CP-ABE for \({\textsf {NC}}^{1}\) that is adaptively secure under the \(\text {MDDH}_{k}\) assumption in asymmetric prime-order bilinear groups. The construction is analogous to our KP-ABE scheme in Sect. 6. One notable difference is that we introduce \({\mathbf {B}}{\mathbf {r}}\) in the secret keys, and we need to introduce additional intermediate distributions in the proof of security (this also removes the use of the \({\mathcal {O}}_{\textsf {E}}\) oracle in the core 1-ABE security game); the reduction is also a bit more complex as we need to embed the output of \({\mathcal {O}}_{\textsf {F}}\) into the CP-ABE ciphertext.

1.1 CP-ABE Construction

Our CP-ABE scheme is as follows:

  • \({\textsf {Setup}}(1^\lambda ,1^n):\) Run \({\mathbb {G}} = (p, G_1, G_2, G_T, e) \leftarrow {\mathcal {G}}(1^\lambda )\). Sample

    $$\begin{aligned} {\mathbf {A}}\leftarrow {\mathbb {Z}}_p^{k \times 2k}, {\mathbf {B}}\leftarrow {\mathbb {Z}}_p^{(k+1) \times k}, {\mathbf {U}}_0,{\mathbf {W}}_i \leftarrow {\mathbb {Z}}_p^{2k \times (k+1)}, {\mathbf {v}}\leftarrow {\mathbb {Z}}_p^{2k} \end{aligned}$$

    and output:

    $$\begin{aligned} {\textsf {msk}}:= & {} (\;{\mathbf {v}}, {\mathbf {B}}, {\mathbf {U}}_0, {\mathbf {W}}_1,\ldots ,{\mathbf {W}}_n\;)\\ {{\textsf {mpk}}}:= & {} (\; [{\mathbf {A}}]_1,[{\mathbf {A}}{\mathbf {U}}_0]_1,[{\mathbf {A}}{\mathbf {W}}_1]_1,\ldots ,[{\mathbf {A}}{\mathbf {W}}_n]_1,\; e([{\mathbf {A}}]_1, [{\mathbf {v}}]_2)\;) \end{aligned}$$
  • \({\textsf {Enc}}({{\textsf {mpk}}},f,M):\) Sample \((\{{\mathbf {u}}^{\top }_j\}, \rho ) \leftarrow {\textsf {share}}(f,{\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {U}}_0)\), \({\mathbf {s}}, {\mathbf {s}}_j \leftarrow {\mathbb {Z}}_p^k\). Output:

    $$\begin{aligned} {\textsf {ct}}_f= & {} ({\textsf {ct}}_{1}, \{{\textsf {ct}}_{2,j}, {\textsf {ct}}_{3, j}\}, {\textsf {ct}}_{4})\\:= & {} \Bigg (\; [{\mathbf {s}}^{\top }{\mathbf {A}}]_1, \{ [{\mathbf {u}}_j^{\top }+ {\mathbf {s}}_j^{\top }{\mathbf {A}}{\mathbf {W}}_{\rho (j)}]_1, [{\mathbf {s}}_j^{\top }{\mathbf {A}}]_1 \}, \quad e([{\mathbf {s}}^{\top }{\mathbf {A}}]_1,[{\mathbf {v}}]_2) \cdot M \;\Bigg ) \\ \end{aligned}$$

    where \({\mathbf {W}}_0 = {\mathbf {0}}\).

  • \({\textsf {KeyGen}}({{\textsf {mpk}}},{\textsf {msk}},{\mathbf {x}}):\) Sample \({\mathbf {r}}\leftarrow {\mathbb {Z}}_p^k\). Output:

    $$\begin{aligned} {\textsf {sk}}_{\mathbf {x}}= & {} ({\textsf {sk}}_{1}, {\textsf {sk}}_{2}, \{ {\textsf {sk}}_{3, i} \}_{x_i = 1})\\:= & {} (\; [{\mathbf {v}}+ {\mathbf {U}}_0{\mathbf {B}}{\mathbf {r}}]_2, [{\mathbf {B}}{\mathbf {r}}]_2, \{[{\mathbf {W}}_i {\mathbf {B}}{\mathbf {r}}]_2\}_{x_i=1} \;) \end{aligned}$$
  • \({\textsf {Dec}}({{\textsf {mpk}}},{\textsf {sk}}_{{\mathbf {x}}},{\textsf {ct}}_f ):\) Compute \(\omega _j\) such that \({\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {U}}_0 = \displaystyle \sum _{\rho (j) = 0 \vee x_{\rho (j)} = 1} \omega _j {\mathbf {u}}_j\) as described in Sect. 5.1. Output:

    $$\begin{aligned} \frac{{\textsf {ct}}_4}{ e({\textsf {ct}}_1, {\textsf {sk}}_1)} \cdot \displaystyle \prod _{\rho (j) = 0 \vee x_{\rho (j)} = 1} \left( \frac{e({\textsf {ct}}_{2, j}, {\textsf {sk}}_{2})}{e({\textsf {ct}}_{3,j}, {\textsf {sk}}_{3,\rho (j)})}\right) ^{\omega _j} \end{aligned}$$

1.2 Correctness

Correctness relies on the fact that for all j, we have

$$\begin{aligned} \frac{e({\textsf {ct}}_{2,j}, {\textsf {sk}}_{2})}{e({\textsf {ct}}_{3,j}, {\textsf {sk}}_{3,\rho (j)})} = [{\mathbf {u}}_j^{\top }{\mathbf {B}}{\mathbf {r}}]_T \end{aligned}$$

which follows from the fact that

$$\begin{aligned} {\mathbf {u}}_j^{\top }{\mathbf {B}}{\mathbf {r}}= (\underbrace{{\mathbf {u}}_j^{\top }+ {\mathbf {s}}_j^{\top }{\mathbf {A}}{\mathbf {W}}_{\rho (j)}}_{{\textsf {ct}}_{2, j}}) \cdot \underbrace{{\mathbf {B}}{\mathbf {r}}}_{{\textsf {sk}}_{2}} - \underbrace{{\mathbf {s}}_j^{\top }{\mathbf {A}}}_{{\textsf {ct}}_{3, j}} \cdot \underbrace{{\mathbf {W}}_{\rho (j)} {\mathbf {B}}{\mathbf {r}}}_{{\textsf {sk}}_{3,\rho (j)}} \end{aligned}$$

and also from the fact that

$$\begin{aligned} e({\textsf {ct}}_1, {\textsf {sk}}_1) = [{\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {v}}+ {\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {U}}_0{\mathbf {B}}{\mathbf {r}}]_T \end{aligned}$$

Therefore, for all \(f, x\) such that \(f(x) = 1\), we have:

$$\begin{aligned}&\frac{{\textsf {ct}}_4}{ e({\textsf {ct}}_1, {\textsf {sk}}_1)} \cdot \displaystyle \prod _{\rho (j) = 0 \vee x_{\rho (j)} = 1} \left( \frac{e({\textsf {ct}}_{2, j}, {\textsf {sk}}_{2})}{e({\textsf {ct}}_{3,j}, {\textsf {sk}}_{3,\rho (j)})}\right) ^{\omega _j}\\
&\quad = \frac{M \cdot [{\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {v}}]_T}{[{\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {v}}+ {\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {U}}_0{\mathbf {B}}{\mathbf {r}}]_T} \cdot \prod _{\rho (j) = 0 \vee x_{\rho (j)} = 1} [{\mathbf {u}}_j^{\top }{\mathbf {B}}{\mathbf {r}}]_T^{\omega _j}\\
&\quad = \frac{M \cdot [{\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {v}}]_T}{[{\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {v}}+ {\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {U}}_0{\mathbf {B}}{\mathbf {r}}]_T} \cdot [\displaystyle \sum _{\rho (j) = 0 \vee x_{\rho (j)} = 1} \omega _j {\mathbf {u}}_j^{\top }{\mathbf {B}}{\mathbf {r}}]_T\\
&\quad = \frac{M \cdot [{\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {v}}]_T}{[{\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {v}}+ {\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {U}}_0{\mathbf {B}}{\mathbf {r}}]_T} \cdot [ {\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {U}}_0 {\mathbf {B}}{\mathbf {r}}]_T\\
&\quad = \frac{M \cdot [{\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {v}}+ {\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {U}}_0 {\mathbf {B}}{\mathbf {r}}]_T}{[{\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {v}}+ {\mathbf {s}}^{\top }{\mathbf {A}}{\mathbf {U}}_0{\mathbf {B}}{\mathbf {r}}]_T} \\
&\quad = M \end{aligned}$$

1.3 Adaptive Security

Description of hybrids. A ciphertext can be in one of the following forms:

  • \({\textsf {Normal}}\): generated as in the scheme.

  • \({\textsf {SF}}\): same as a \({\textsf {Normal}}\) ciphertext, except \({\mathbf {s}}^{\top }{\mathbf {A}},{\mathbf {s}}_j^{\top }{\mathbf {A}}\) replaced with \({\mathbf {c}}^{\top },{\mathbf {c}}_j^{\top }\), where \({\mathbf {c}},{\mathbf {c}}_j \leftarrow {\mathbb {Z}}_p^{2k}\). That is,

    $$\begin{aligned} {\textsf {ct}}_f:= & {} \Bigg (\; [\boxed {{\mathbf {c}}^{\top }}]_1, \{ [{\mathbf {u}}_j^{\top }+ \boxed {{\mathbf {c}}_j^{\top }}{\mathbf {W}}_{\rho (j)}]_1, [\boxed {{\mathbf {c}}_j^{\top }}]_1 \}, \quad e([\boxed {{\mathbf {c}}^{\top }}]_1,[{\mathbf {v}}]_2) \cdot M \;\Bigg ) \end{aligned}$$

A secret key can be in one of the following forms:

  • \({\textsf {Normal}}\): generated as in the scheme.

  • \({\textsf {SF}}\): same as a \({\textsf {Normal}}\) key, except \({\mathbf {v}}\) replaced with \({\mathbf {v}}+ {\mathbf {A}}^\perp \mathbf {\delta }^{(q)}\), where a fresh \(\mathbf {\delta }^{(q)} \leftarrow {\mathbb {Z}}_p^{k}\) is chosen per \({\textsf {SF}}\) key and \({\mathbf {A}}^\perp \) is any fixed \({\mathbf {A}}^\perp \in {\mathbb {Z}}_p^{2k \times k} {\setminus } \{ {\mathbf {0}}\}\) such that \({\mathbf {A}}{\mathbf {A}}^\perp = {\mathbf {0}}\). That is,

    $$\begin{aligned} {\textsf {sk}}_{\mathbf {x}}:= & {} (\; [\boxed {{\mathbf {v}}+ {\mathbf {A}}^\perp \mathbf {\delta }^{(q)}} + {\mathbf {U}}_0{\mathbf {B}}{\mathbf {r}}]_2, [{\mathbf {B}}{\mathbf {r}}]_2, \{[{\mathbf {W}}_i {\mathbf {B}}{\mathbf {r}}]_2\}_{x_i=1} \;) \end{aligned}$$
  • \({\textsf {P}\text {-}\textsf {Normal}}\): same as a \({\textsf {Normal}}\) key, except \({\mathbf {B}}{\mathbf {r}}\) replaced with \({\mathbf {d}}\leftarrow {\mathbb {Z}}_p^{k+1}\). That is,

    $$\begin{aligned} {\textsf {sk}}_{\mathbf {x}}:= & {} (\; [{\mathbf {v}}+ {\mathbf {U}}_0\boxed { {\mathbf {d}}}]_2, [\boxed {{\mathbf {d}}}]_2, \{[{\mathbf {W}}_i \boxed {{\mathbf {d}}}]_2\}_{x_i=1} \;) \end{aligned}$$
  • \({\textsf {P}\text {-}\textsf {SF}}\): same as a \({\textsf {SF}}\) key, except \({\mathbf {B}}{\mathbf {r}}\) replaced with \({\mathbf {d}}\leftarrow {\mathbb {Z}}_p^{k+1}\). That is,

    $$\begin{aligned} {\textsf {sk}}_{\mathbf {x}}:= & {} (\; [\boxed {{\mathbf {v}}+ {\mathbf {A}}^\perp \mathbf {\delta }^{(q)}} + {\mathbf {U}}_0\boxed { {\mathbf {d}}}]_2, [\boxed {{\mathbf {d}}}]_2, \{[{\mathbf {W}}_i \boxed {{\mathbf {d}}}]_2\}_{x_i=1} \;) \end{aligned}$$

Here, \({\textsf {P}}\) stands for pseudo following [7, 36].

Hybrid sequence. Suppose the adversary \({\textsf {A}}\) makes at most Q secret key queries. The hybrid sequence is as follows:

  • \({\textsf {H}}_0\): real game

  • \({\textsf {H}}_1\): same as \({\textsf {H}}_0\), except we use a \({\textsf {SF}}\) ciphertext.

  • \({\textsf {H}}_{2,\ell ,1}, \ell =0,\ldots ,Q\): same as \({\textsf {H}}_1\), except the \(\ell \)’th key is \({\textsf {P}\text {-}\textsf {Normal}}\), the first \(\ell -1\) keys are \({\textsf {SF}}\) and the last \(Q-\ell \) keys are \({\textsf {Normal}}\).

  • \({\textsf {H}}_{2,\ell ,2}\): same as \({\textsf {H}}_{2,\ell ,1}\) except the \(\ell \)’th key is \({\textsf {P}\text {-}\textsf {SF}}\).

  • \({\textsf {H}}_{2,\ell ,3}\): same as \({\textsf {H}}_{2,\ell ,1}\) except the \(\ell \)’th key is \({\textsf {SF}}\).

  • \({\textsf {H}}_3\): replace M with random.

Proof overview

  • We have \({\textsf {H}}_0 \approx _c {\textsf {H}}_1 \equiv {\textsf {H}}_{2, 0, 3}\) via k-Lin (and its self-reducibility), which tells us

    $$\begin{aligned} ([{\mathbf {A}}]_1,[{\mathbf {s}}^{\top }{\mathbf {A}}]_1, \{[{\mathbf {s}}_j^{\top }{\mathbf {A}}]_1\}) \approx _c ([{\mathbf {A}}]_1,[{\mathbf {c}}^{\top }]_1, \{[{\mathbf {c}}_j^{\top }]_1\}) \end{aligned}$$

    Here, the security reduction will pick \({\mathbf {U}}_0, {\mathbf {W}}_1,\ldots ,{\mathbf {W}}_n\) and \({\mathbf {v}}\) so that it can simulate the \({{\textsf {mpk}}}\), the ciphertext and the secret keys.

  • We have \({\textsf {H}}_{2,\ell -1, 3} \approx _c {\textsf {H}}_{2,\ell ,1}\) for all \(\ell \in [Q]\). The difference between the two is that we switch the \(\ell \)’th \({\textsf {sk}}_{\mathbf {x}}\) from \({\textsf {Normal}}\) to \({\textsf {P}\text {-}\textsf {Normal}}\). This follows again via k-Lin, which tells us \(([{\mathbf {B}}]_2,[{\mathbf {B}}{\mathbf {r}}]_2) \approx _c ([{\mathbf {B}}]_2,[{\mathbf {d}}]_2)\). Again, the security reduction will pick \({\mathbf {U}}_0, {\mathbf {W}}_1,\ldots ,{\mathbf {W}}_n\) and \({\mathbf {v}}\) so that it can simulate the \({{\textsf {mpk}}}\), the ciphertext and the secret keys.

  • We have \({\textsf {H}}_{2,\ell , 1} \approx _c {\textsf {H}}_{2,\ell ,2}\) for all \(\ell \in [Q]\). The difference between the two is that we switch the \(\ell \)’th \({\textsf {sk}}_{\mathbf {x}}\) from \({\textsf {P}\text {-}\textsf {Normal}}\) to \({\textsf {P}\text {-}\textsf {SF}}\). The idea is to program:

    $$\begin{aligned} {\mathbf {W}}_i = {\widetilde{{\mathbf {W}}}}_i + {\mathbf {A}}^\perp {\mathbf {w}}_i ({\mathbf {b}}^\perp )^{\top }, {\mathbf {U}}_0 = {\widetilde{{\mathbf {U}}}}_0 + {\mathbf {A}}^\perp {\mathbf {u}}({\mathbf {b}}^\perp )^{\top }\end{aligned}$$

    where \( {\mathbf {w}}_i, {\mathbf {b}}^\perp \in {\mathbb {Z}}_p^{k}, {\mathbf {A}}^\perp \in {\mathbb {Z}}_p^{2k \times k}, {\mathbf {u}}\in {\mathbb {Z}}_p^{k+1}\) and

    $$\begin{aligned} {\mathbf {A}}{\mathbf {A}}^\perp = {\mathbf {0}}, ({\mathbf {b}}^\perp )^{\top }{\mathbf {B}}= {\mathbf {0}} \end{aligned}$$

    Note that the public parameters and the normal and \({\textsf {SF}}\) keys information theoretically hide a random \({\mathbf {u}}\) and the \({\mathbf {w}}_i\)’s from \({\textsf {G}}^{\textsc {1-abe}}\). Next, we focus on the \({\textsf {SF}}\) ciphertext \({\textsf {ct}}_f\) and the \(\ell \)’th secret key \({\textsf {sk}}_{\mathbf {x}}\), which is either \({\textsf {P}\text {-}\textsf {Normal}}\) or \({\textsf {P}\text {-}\textsf {SF}}\). First, we argue that if we ignore \({\mathbf {v}}+ {\mathbf {U}}_0 {\mathbf {d}}\) in \({\textsf {sk}}_{\mathbf {x}}\), then \({\mathbf {u}}\) remains computationally hidden given \({\textsf {ct}}_f,{\textsf {sk}}_{\mathbf {x}}\) using the \({\textsf {G}}^{\textsc {1-abe}}\) security game. Theorem 2 tells us that \({\mathbf {u}}\) is computationally hidden given

    $$\begin{aligned} {\mathbf {c}}, \{ [{\mathbf {c}}_j^{\top }{\mathbf {A}}^\perp ]_1, [\mu _j + {\mathbf {c}}_j^{\top }{\mathbf {A}}^\perp {\mathbf {w}}_{\rho (j)}]_1 \}_j, \{ {\mathbf {w}}_i \}_{x_i = 1} \end{aligned}$$

    where \((\{\mu _j\}, \rho ) \leftarrow {\textsf {share}}(f,{\mathbf {c}}^{\top }{\mathbf {A}}^\perp {\mathbf {u}})\) and we treat \({\mathbf {c}}_j^{\top }{\mathbf {A}}^\perp \in {\mathbb {Z}}_p^{1 \times k}, {\mathbf {c}}_j \leftarrow {\mathbb {Z}}_p^{2k}\) as the randomness used for \({\textsf {CPA}}.{\textsf {Enc}}\), even for adaptive choices of \(f, x\). We can then use the entropy in \({\mathbf {u}}\) to hide the \({\mathbf {A}}^\perp \)-component of \({\mathbf {v}}\) in \({\mathbf {v}}+ {\mathbf {A}}^\perp {\mathbf {u}}\underbrace{({\mathbf {b}}^\perp )^{\top }{\mathbf {d}}}_{\ne 0}\).

  • We have \({\textsf {H}}_{2,\ell , 2} \approx _c {\textsf {H}}_{2,\ell ,3}\) for all \(\ell \in [Q]\). The difference between the two is that we switch the \(\ell \)’th \({\textsf {sk}}_{\mathbf {x}}\) from \({\textsf {P}\text {-}\textsf {SF}}\) to \({\textsf {SF}}\). This follows again via k-Lin, which tells us \(([{\mathbf {B}}]_2,[{\mathbf {B}}{\mathbf {r}}]_2) \approx _c ([{\mathbf {B}}]_2,[{\mathbf {d}}]_2)\), symmetrically to the proof for \({\textsf {H}}_{2,\ell -1, 3} \approx _c {\textsf {H}}_{2,\ell ,1}\), except that \({\mathbf {v}}+ {\mathbf {A}}^\perp \mathbf {\delta }^{(\ell )}\) is used instead of \({\mathbf {v}}\) in the \(\ell \)th secret key.

  • We have \({\textsf {H}}_{2,Q,3} \equiv {\textsf {H}}_3\). In \({\textsf {H}}_{2,Q,3}\), the secret keys only leak \({\mathbf {v}}+{\mathbf {A}}^\perp \mathbf {\delta }^{(1)},\ldots ,{\mathbf {v}}+ {\mathbf {A}}^\perp \mathbf {\delta }^{(Q)}\). This means that \({\mathbf {c}}^{\top }{\mathbf {v}}\) is statistically random (as long as \({\mathbf {c}}^{\top }{\mathbf {A}}^\perp \ne \mathbf {0}\)).

Lemma 10

(\({\textsf {H}}_0 \approx _c {\textsf {H}}_1 \equiv {\textsf {H}}_{2,0,3}\))

$$\begin{aligned} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_0 \rangle =1]-\Pr [\langle {\mathcal {A}},{\textsf {H}}_1 \rangle =1]| \le {\textsf {Adv}}^{{k\textsc {-Lin}}}_{{{\mathcal {A}}^*}}(\lambda ) \end{aligned}$$

Proof

Given \(\text {MDDH}_{k,2k}^{2m+1}\) challenge \(([{\mathbf {A}}]_1,[{\mathbf {Z}}^{\top }]_1)\), where either \({\mathbf {Z}}^{\top }= {\mathbf {S}}^{\top }{\mathbf {A}}\) for a \({\mathbf {S}}^{\top }\leftarrow {\mathbb {Z}}_p^{(2m+1) \times k}\) or \({\mathbf {Z}}^{\top }= {\mathbf {C}}^{\top }\) for a \({\mathbf {C}}^{\top }\leftarrow {\mathbb {Z}}_p^{(2m+1) \times 2k}\), an adversary \({\mathcal {A}}'\) could simply choose \({\mathbf {U}}_0,{\mathbf {W}}_i \leftarrow {\mathbb {Z}}_p^{2k \times (k+1)}, {\mathbf {v}}\leftarrow {\mathbb {Z}}_p^{2k}\), form the public parameters with \({\mathbf {A}}, {\mathbf {U}}_0, {\mathbf {W}}_i, {\mathbf {v}}\) and choose its own \({\mathbf {B}}\leftarrow {\mathbb {Z}}_p^{(k+1) \times k}, {\mathbf {r}}\leftarrow {\mathbb {Z}}_p^k\) when responding to key requests.

For the challenge ciphertext, \({\mathcal {A}}'\) computes: \((\{{\mathbf {u}}^{\top }_j\}, \rho ) \leftarrow {\textsf {share}}(f,{\mathbf {z}}_{2m+1}^{\top }{\mathbf {U}}_0)\), parses the rows of \({\mathbf {Z}}^{\top }\) as \({\mathbf {z}}_j^{\top }\) for \(j \in [m+1]\) and returns:

$$\begin{aligned} {\textsf {ct}}_f := \Bigg (\; [{\mathbf {z}}_{2m+1}^{\top }]_1, \{ [{\mathbf {u}}_j^{\top }+ {\mathbf {z}}_j^{\top }{\mathbf {W}}_{\rho (j)}]_1, [{\mathbf {z}}_j^{\top }]_1 \}, \quad e([{\mathbf {z}}_{2m+1}^{\top }]_1,[{\mathbf {v}}]_2) \cdot M_b \;\Bigg ) \end{aligned}$$

(note that \(|\{{\mathbf {u}}_j\}| \le 2m\)).

If \({\mathbf {Z}}^{\top }= {\mathbf {S}}^{\top }{\mathbf {A}}\), then the challenge ciphertext is \({\textsf {Normal}}\) and \({\mathcal {A}}'\) has simulated \({\textsf {H}}_0\);

If \({\mathbf {Z}}^{\top }= {\mathbf {C}}^{\top }\), then the challenge ciphertext is \({\textsf {SF}}\) and \({\mathcal {A}}'\) has simulated \({\textsf {H}}_1 \equiv {\textsf {H}}_{2,0,3}\).

Finally, recall from Sect. 2.4 that \({\textsf {Adv}}^{{\text {MDDH}^{2m+1}_{k,2k}}}_{{{\mathcal {A}}'}}(\lambda ) = {\textsf {Adv}}^{{k\textsc {-Lin}}}_{{{\mathcal {A}}^*}}(\lambda )\).

\(\square \)

Lemma 11

(\({\textsf {H}}_{2,\ell -1,3} \approx _c {\textsf {H}}_{2,\ell ,1}\))

$$\begin{aligned} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,\ell -1,3} \rangle =1]-\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,\ell ,1} \rangle =1]| \le {\textsf {Adv}}^{{k\textsc {-Lin}}}_{{{\mathcal {A}}'}}(\lambda ) \end{aligned}$$

Proof

Given \(\text {MDDH}_{k}\) challenge \(([{\mathbf {B}}]_2,[{\mathbf {z}}]_2)\), where either \({\mathbf {z}}= {\mathbf {B}}{\mathbf {r}}\) for \({\mathbf {r}}\leftarrow {\mathbb {Z}}_p^{k}\) or \({\mathbf {z}}= {\mathbf {d}}\), for \({\mathbf {d}}\leftarrow {\mathbb {Z}}_p^{k+1}\), an adversary \({\mathcal {A}}'\) could simply choose \({\mathbf {A}}\leftarrow {\mathbb {Z}}_p^{k \times 2k}, {\mathbf {U}}_0,{\mathbf {W}}_i \leftarrow {\mathbb {Z}}_p^{2k \times (k+1)}, {\mathbf {v}}\leftarrow {\mathbb {Z}}_p^{2k}\) and form the public parameters with \({\mathbf {A}}, {\mathbf {U}}_0, {\mathbf {W}}_i, {\mathbf {v}}\). \({\mathcal {A}}'\) could then compute \({\mathbf {A}}^\perp \in {\mathbb {Z}}_p^{2k \times k}\) such that \({\mathbf {A}}{\mathbf {A}}^\perp = {\mathbf {0}}\) (to be used in answering secret key queries).

  • For the \(({\textsf {SF}})\) challenge ciphertext, \({\mathcal {A}}'\) computes: \((\{{\mathbf {u}}^{\top }_j\}, \rho ) \leftarrow {\textsf {share}}(f,{\mathbf {c}}^{\top }{\mathbf {U}}_0)\), draws \({\mathbf {c}}, {\mathbf {c}}_j \leftarrow {\mathbb {Z}}_p^{2k}\) for each j, and creates:

    $$\begin{aligned} {\textsf {ct}}_f := \Bigg (\; [{\mathbf {c}}^{\top }]_1, \{ [{\mathbf {u}}_j^{\top }+ {\mathbf {c}}_j^{\top }{\mathbf {W}}_{\rho (j)}]_1, [{\mathbf {c}}_j^{\top }]_1 \}, \quad e([{\mathbf {c}}^{\top }]_1,[{\mathbf {v}}]_2) \cdot M_b \;\Bigg ) \end{aligned}$$
  • For the first \(\ell -1\) secret keys requested, say the qth request is for \({\mathbf {x}}\), \({\mathcal {A}}'\) draws \(\mathbf {\delta }^{(q)}, {\mathbf {r}}^{(q)} \leftarrow {\mathbb {Z}}_p^{k}\), and forms the following \(({\textsf {SF}})\) key:

    $$\begin{aligned} {\textsf {sk}}_{\mathbf {x}}:= (\; [{\mathbf {v}}+ {\mathbf {A}}^\perp \mathbf {\delta }^{(q)} + {\mathbf {U}}_0{\mathbf {B}}{\mathbf {r}}^{(q)}]_2, [{\mathbf {B}}{\mathbf {r}}^{(q)}]_2, \{[{\mathbf {W}}_i {\mathbf {B}}{\mathbf {r}}^{(q)}]_2\}_{x_i=1} \;) \end{aligned}$$
  • For the last \(Q-\ell \) secret keys requested, \({\mathcal {A}}'\) proceeds as before for the first \(\ell -1\) keys except using just \({\mathbf {v}}\) instead of \({\mathbf {v}}+ {\mathbf {A}}^\perp \mathbf {\delta }^{(q)}\). It is easy to see that it forms a \({\textsf {Normal}}\) key.

  • For the \(\ell \)th secret key request, \({\mathcal {A}}'\) forms the following key:

    $$\begin{aligned} {\textsf {sk}}_{\mathbf {x}}:= (\; [{\mathbf {v}}+ {\mathbf {U}}_0{\mathbf {z}}]_2, [{\mathbf {z}}]_2, \{[{\mathbf {W}}_i {\mathbf {z}}]_2\}_{x_i=1} \;) \end{aligned}$$

If \({\mathbf {z}}= {\mathbf {B}}{\mathbf {r}}\), then the \(\ell \)th key is \({\textsf {Normal}}\) and \({\mathcal {A}}'\) has simulated \({\textsf {H}}_{2,\ell -1,3}\);

If \({\mathbf {z}}= {\mathbf {d}}\), then the \(\ell \)th key is \({\textsf {P}\text {-}\textsf {Normal}}\) and \({\mathcal {A}}'\) has simulated \({\textsf {H}}_{2,\ell ,1}\). \(\square \)

Lemma 12

(\({\textsf {H}}_{2,\ell ,1} \approx _c {\textsf {H}}_{2,\ell ,2}\))

$$\begin{aligned} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,\ell ,1} \rangle =1]-\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,\ell ,2} \rangle =1]| \le 2^{6d} \cdot 8^{d} \cdot n \cdot {\textsf {Adv}}^{{k\textsc {-Lin}}}_{{{\mathcal {B}}^*}}(\lambda ) \end{aligned}$$

Proof

Consider the following adversary \({\mathcal {A}}'\) in \({\textsf {G}}^{\textsc {1-abe}}_\beta \) which internally simulates \({\mathcal {A}}\) and the challenger in the ABE security game:

  • First, \({\mathcal {A}}'\) samples \({\mathbf {A}}\leftarrow {\mathbb {Z}}_p^{k \times 2k}, {\mathbf {B}}\leftarrow {\mathbb {Z}}_p^{(k+1) \times k}, {\widetilde{{\mathbf {U}}}}_0, {\widetilde{{\mathbf {W}}}}_i \leftarrow {\mathbb {Z}}_p^{2k \times (k+1)}, {\tilde{{\mathbf {v}}}} \leftarrow {\mathbb {Z}}_p^{2k}\), computes \({\mathbf {A}}^\perp \in {\mathbb {Z}}_p^{2k \times k} {\setminus } \{ {\mathbf {0}} \}, {\mathbf {b}}^\perp \in {\mathbb {Z}}_p^{(k+1)}\) such that \({\mathbf {A}}{\mathbf {A}}^\perp = {\mathbf {0}}\) and \(({\mathbf {b}}^\perp )^{\top }{\mathbf {B}}= {\mathbf {0}}\) and implicitly defines

    $$\begin{aligned}&{\mathbf {v}}:= {\tilde{{\mathbf {v}}}} - \frac{\mu ^{(0)} (({\mathbf {b}}^\perp )^{\top }{\mathbf {d}})}{({\mathbf {c}}^{\top }{\mathbf {A}}^\perp {\mathbf {u}})}{\mathbf {A}}^\perp {\mathbf {u}}, {\mathbf {U}}_0 := {\widetilde{{\mathbf {U}}}}_0 + \frac{\mu ^{(b)}}{({\mathbf {c}}^{\top }{\mathbf {A}}^\perp {\mathbf {u}})} {\mathbf {A}}^\perp {\mathbf {u}}({\mathbf {b}}^\perp )^{\top },\\&{\mathbf {W}}_i := {\widetilde{{\mathbf {W}}}}_i + {\mathbf {A}}^\perp {\mathbf {w}}_i ({\mathbf {b}}^\perp )^{\top }\end{aligned}$$

    where \({\mathbf {w}}_i \in {\mathbb {Z}}_p^k, \mu ^{(b)} \in {\mathbb {Z}}_p\) are chosen in \({\textsf {G}}^{\textsc {1-abe}}_\beta \), \({\mathbf {c}}\leftarrow {\mathbb {Z}}_p^{2k}\) is chosen for use in the challenge ciphertext, \({\mathbf {d}}\leftarrow {\mathbb {Z}}_p^{k+1}\) is chosen for use in the \(\ell \)th secret key and \({\mathbf {u}}\leftarrow {\mathbb {Z}}_p^{k}\). Note that \({\mathcal {A}}'\) can compute \({\mathbf {v}}\) since it has \(\mu ^{(0)}\) from \({\textsf {G}}^{\textsc {1-abe}}_\beta \) and knows all other vectors. Then, \({\mathcal {A}}'\) generates the public parameters as:

    $$\begin{aligned} {{\textsf {mpk}}} := (\; [{\mathbf {A}}]_1,[{\mathbf {A}}{\widetilde{{\mathbf {U}}}}_0]_1, [{\mathbf {A}}{\widetilde{{\mathbf {W}}}}_1]_1,\ldots ,[{\mathbf {A}}{\widetilde{{\mathbf {W}}}}_n]_1,\; e([{\mathbf {A}}]_1, [{\tilde{{\mathbf {v}}}}]_2)\;) \end{aligned}$$
  • When \({\mathcal {A}}\) requests a challenge ciphertext for formula f along with \(M_0,M_1\), \({\mathcal {A}}'\) queries \({\mathcal {O}}_{\textsf {F}}(f) \rightarrow (\; \{[\mu _j+ {\mathbf {r}}_j^{\top }{\mathbf {w}}_{\rho (j)}]_1, [{\mathbf {r}}_j]_1\} \;)\) in \({\textsf {G}}^{\textsc {1-abe}}_\beta \). \({\mathcal {A}}'\) then samples \({\tilde{{\mathbf {c}}}}_j \leftarrow {\mathbb {Z}}_p^k\) for each j and \(b \leftarrow \{0,1\}\) (the challenge bit in the standard ABE security game), defines \({\mathbf {A}}^\perp _C := \left[ {\begin{array}{c} ({\mathbf {A}}^\perp )^{\top }\\ {\mathbf {M}}\end{array} } \right] \in {\mathbb {Z}}_p^{2k \times 2k}\) for a choice of \({\mathbf {M}}\) that makes \({\mathbf {A}}^\perp _C\) invertible, computes \([{\mathbf {c}}_j]_1 := \left[ ({\mathbf {A}}^\perp _C)^{-1 } \left( {\begin{array}{c} {\mathbf {r}}_j \\ {\tilde{{\mathbf {c}}}}_j \end{array} } \right) \right] _1 \), computes: \((\{{\tilde{{\mathbf {u}}}}^{\top }_j\}, \rho ) \leftarrow {\textsf {share}}(f,{\mathbf {c}}^{\top }{\widetilde{{\mathbf {U}}}}_0)\), and returns the following appropriately distributed \(({\textsf {SF}})\) challenge ciphertext:

    $$\begin{aligned} {\textsf {ct}}_f&:= \Bigg (\; [{\mathbf {c}}^{\top }]_1, \{ [{\tilde{{\mathbf {u}}}}_j^{\top }+ ( \mu _j + {\mathbf {r}}_j^{\top }{\mathbf {w}}_{\rho (j)} ) ({\mathbf {b}}^\perp )^{\top }+ {\mathbf {c}}_j^{\top }{\widetilde{{\mathbf {W}}}}_{\rho (j)}]_1, [{\mathbf {c}}_j^{\top }]_1 \},\\&\quad e([{\mathbf {c}}^{\top }]_1,[{\mathbf {v}}]_2) \cdot M_b \;\Bigg )\\&= \Bigg (\; [{\mathbf {c}}^{\top }]_1, \{ [\underbrace{{\tilde{{\mathbf {u}}}}_j^{\top }+ \mu _j ({\mathbf {b}}^\perp )^{\top }}_{\equiv {\textsf {share}}(f, {\mathbf {c}}^{\top }{\mathbf {U}}_0)} + \underbrace{ {\mathbf {c}}_j^{\top }{\widetilde{{\mathbf {W}}}}_{\rho (j)} + {\mathbf {r}}_j^{\top }{\mathbf {w}}_{\rho (j)} ({\mathbf {b}}^\perp )^{\top }}_{= {\mathbf {c}}_j^{\top }{\mathbf {W}}_{\rho (j)}}]_1, [{\mathbf {c}}_j^{\top }]_1 \}, \\&\quad e([{\mathbf {c}}^{\top }]_1,[{\mathbf {v}}]_2) \cdot M_b \;\Bigg ) \end{aligned}$$

    Note that \(\{\mu _j ({\mathbf {b}}^\perp )^{\top }\}\) is distributed like the output of \({\textsf {share}}(f, \mu ^{(b)} ({\mathbf {b}}^\perp )^{{\top }})\). Therefore, by linearity and the fact that \({\mathbf {c}}^{\top }{\mathbf {U}}_0 = {\mathbf {c}}^{\top }{\widetilde{{\mathbf {U}}}}_0 + \mu ^{(b)} ({\mathbf {b}}^\perp )^{\top }\), \(\{{\tilde{{\mathbf {u}}}}^{\top }_j + \mu _j ({\mathbf {b}}^\perp )^{{\top }}\}\) is distributed like \({\textsf {share}}(f,{\mathbf {c}}^{\top }{\widetilde{{\mathbf {U}}}}_0 + \mu ^{(b)} ({\mathbf {b}}^\perp )^{{\top }}) \equiv {\textsf {share}}(f,{\mathbf {c}}^{\top }{{\mathbf {U}}}_0 )\). Also, note that \({\mathbf {c}}_j^{\top }{\mathbf {W}}_{\rho (j)} = {\mathbf {c}}_j^{\top }{\widetilde{{\mathbf {W}}}}_{\rho (j)} + {\mathbf {r}}_j^{\top }{\mathbf {w}}_{\rho (j)} ({\mathbf {b}}^\perp )^{\top }\) since \({\mathbf {c}}_j^{\top }{\mathbf {A}}^\perp = {\mathbf {r}}_j^{\top }\).

  • For the first \(\ell -1\) secret keys requested, say the qth request is for \({\mathbf {x}}\), \({\mathcal {A}}'\) draws \(\mathbf {\delta }^{(q)}, {\mathbf {r}}^{(q)} \leftarrow {\mathbb {Z}}_p^k\) and forms the following \(({\textsf {SF}})\) key:

    $$\begin{aligned} {\textsf {sk}}_{\mathbf {x}}= & {} (\; [{\mathbf {v}}+ {\mathbf {A}}^\perp \mathbf {\delta }^{(q)} + \underbrace{{\widetilde{{\mathbf {U}}}}_0{\mathbf {B}}{\mathbf {r}}^{(q)}}_{= {\mathbf {U}}_0{\mathbf {B}}{\mathbf {r}}^{(q)}}]_2, \\&\quad [{\mathbf {B}}{\mathbf {r}}^{(q)}]_2, \{[\underbrace{{\widetilde{{\mathbf {W}}}}_i {\mathbf {B}}{\mathbf {r}}^{(q)}}_{= {\mathbf {W}}_i {\mathbf {B}}{\mathbf {r}}^{(q)} }]_2\}_{x_i=1} \;) \end{aligned}$$
  • For the last \(Q-\ell \) secret keys requested, \({\mathcal {A}}'\) proceeds as before for the first \(\ell -1\) keys except using just \({\mathbf {v}}\) instead of \({\mathbf {v}}+ {\mathbf {A}}^\perp \mathbf {\delta }^{(q)}\). It is easy to see that it forms a \({\textsf {Normal}}\) key.

  • For the \(\ell \)th secret key requested, say for \({\mathbf {x}}\), queries \({\mathcal {O}}_{\textsf {X}}({\mathbf {x}}) \rightarrow (\; \{ {\mathbf {w}}_i \}_{x_i = 1} \; )\) in \({\textsf {G}}^{\textsc {1-abe}}_\beta \), then uses these components to return:

    $$\begin{aligned} {\textsf {sk}}_{\mathbf {x}}= (\; [\underbrace{{\tilde{{\mathbf {v}}}} + {\widetilde{{\mathbf {U}}}}_0{\mathbf {d}}}_{= {\mathbf {v}}+ \frac{(\mu ^{(0)} - \mu ^{(b)}) (({\mathbf {b}}^\perp )^{\top }{\mathbf {d}})}{({\mathbf {c}}^{\top }{\mathbf {A}}^\perp {\mathbf {u}})} {\mathbf {A}}^\perp {\mathbf {u}}+ {\mathbf {U}}_0 {\mathbf {d}}}]_2, [ {\mathbf {d}}]_2, \{[\underbrace{( {\widetilde{{\mathbf {W}}}}_i + {\mathbf {A}}^\perp {\mathbf {w}}_i ({\mathbf {b}}^\perp )^{\top }) {\mathbf {d}}}_{= {\mathbf {W}}_i {\mathbf {d}}}]_2\}_{x_i=1} \;) \end{aligned}$$

    If \(\beta =0\), then the \(\ell \)th key is a \({\textsf {P}\text {-}\textsf {Normal}}\) key since \({\mathbf {v}}+ \frac{(\mu ^{(0)} - \mu ^{(0)}) (({\mathbf {b}}^\perp )^{\top }{\mathbf {d}})}{({\mathbf {c}}^{\top }{\mathbf {A}}^\perp {\mathbf {u}})} {\mathbf {A}}^\perp {\mathbf {u}}= {\mathbf {v}}\). If \(\beta =1\), then the \(\ell \)th key is a \({\textsf {P}\text {-}\textsf {SF}}\) key, where \(\mathbf {\delta }^{(\ell )} = \frac{(\mu ^{(0)} - \mu ^{(1)}) (({\mathbf {b}}^\perp )^{\top }{\mathbf {d}})}{({\mathbf {c}}^{\top }{\mathbf {A}}^\perp {\mathbf {u}})} {\mathbf {u}}\).

Putting everything together, for \(\beta \in \{0,1\}\), when \({\mathcal {A}}'\) interacts with \({\textsf {G}}^{\textsc {1-abe}}_\beta \), then \({\mathcal {A}}'\) simulates \({\textsf {H}}_{2,\ell , 1+\beta }\). So:

$$\begin{aligned}&|\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2, \ell , 1} \rangle =1]-\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2, \ell ,2} \rangle =1]| \\&\quad \le |\Pr [\langle {\mathcal {A}}',{\textsf {G}}^{\textsc {1-abe}}_0 \rangle =1]-\Pr [\langle {\mathcal {A}}',{\textsf {G}}^{\textsc {1-abe}}_1 \rangle =1]| \end{aligned}$$

and from Theorem 2, we then have:

$$\begin{aligned} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2, \ell , 1} \rangle =1]-\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2, \ell ,2} \rangle =1]| \le 2^{6d} \cdot 8^{d} \cdot n \cdot {\textsf {Adv}}^{{k\textsc {-Lin}}}_{{{\mathcal {B}}^*}}(\lambda ) \end{aligned}$$

\(\square \)

Lemma 13

(\({\textsf {H}}_{2,\ell ,2} \approx _c {\textsf {H}}_{2,\ell ,3}\))

$$\begin{aligned} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,\ell ,2} \rangle =1]-\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,\ell ,3} \rangle =1]| \le {\textsf {Adv}}^{{k\textsc {-Lin}}}_{{{\mathcal {A}}'}}(\lambda ) \end{aligned}$$

Proof

Omitted, since the proof is completely analogous to that of Lemma 11, using \({\mathbf {v}}+ {\mathbf {A}}^\perp \mathbf {\delta }^{(\ell )}\) for a new random \(\mathbf {\delta }^{(\ell )}\) instead of \({\mathbf {v}}\) when creating the \(\ell \)th key. \(\square \)

Lemma 14

(\({\textsf {H}}_{2,Q,3} \approx _c {\textsf {H}}_{3}\))

$$\begin{aligned} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,Q,3} \rangle =1]-\Pr [\langle {\mathcal {A}},{\textsf {H}}_{3} \rangle =1]| \le \frac{1}{p} \end{aligned}$$

Proof

These two hybrids are identically distributed conditioned on \({\mathbf {c}}^{\top }{\mathbf {A}}^\perp \ne \mathbf {0}\). To see this, consider two ways of choosing \({\mathbf {v}}\): \({\mathbf {v}}= {\tilde{{\mathbf {v}}}} \leftarrow {\mathbb {Z}}_p^{2k}\) and \({\mathbf {v}}= {\tilde{{\mathbf {v}}}} + {\mathbf {A}}^\perp \mathbf {{\tilde{m}}}\) for an independently random \(\mathbf {{\tilde{m}}} \leftarrow {\mathbb {Z}}_p^k\). Note that both result in \({\mathbf {v}}\) having a uniform distribution.

Using \({\tilde{{\mathbf {v}}}}\) to simulate hybrid \({\textsf {H}}_{2,Q,3}\) obviously results in \({\textsf {H}}_{2,Q,3}\) (where \({\mathbf {v}}= {\tilde{{\mathbf {v}}}}\)). However, using the identically distributed \({\mathbf {v}}= {\tilde{{\mathbf {v}}}} + {\mathbf {A}}^\perp \mathbf {{\tilde{m}}}\) to simulate \({\textsf {H}}_{2,Q,3}\) results in \({\textsf {H}}_{3}\) (where \(M \cdot [{\mathbf {c}}^{\top }{\mathbf {A}}^\perp \mathbf {{\tilde{m}}}]_T\) is a randomly distributed message as long as \({\mathbf {c}}^{\top }{\mathbf {A}}^\perp \ne \mathbf {0}\), and for redefined independently random \({\tilde{\mathbf {\delta }}}^{(i)} = \mathbf {\delta }^{(i)} + \mathbf {{\tilde{m}}}\) in the secret keys).

\({\mathbf {c}}\) is chosen at random and independent from \({\mathbf {A}}^\perp \ne {\mathbf {0}}\), so \({\mathbf {c}}^{\top }{\mathbf {A}}^\perp = \mathbf {0}\) with probability \(\frac{1}{p}\), and since we know that \({\textsf {H}}_{2, Q,3} \equiv {\textsf {H}}_{3}\) conditioned on \({\mathbf {c}}^{\top }{\mathbf {A}}^\perp \ne \mathbf {0}\), then we have:

$$\begin{aligned} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2, Q,3} \rangle = 1] - \Pr [\langle {\mathcal {A}},{\textsf {H}}_3 \rangle = 1]| \le \frac{1}{p} \end{aligned}$$

\(\square \)

Theorem 4

(Adaptive CP-ABE) The CP-ABE construction in Appendix A.1 is adaptively secure under the \(\text {MDDH}_{k}\) assumption.

Proof

Note that since \({\textsf {H}}_1 \equiv {\textsf {H}}_{2,0,3}\):

$$\begin{aligned}&|\Pr [\langle {\mathcal {A}},{\textsf {H}}_{0} \rangle = 1] - \Pr [\langle {\mathcal {A}},{\textsf {H}}_3 \rangle = 1]| \\&\quad \le |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{0} \rangle = 1] - \Pr [\langle {\mathcal {A}},{\textsf {H}}_1 \rangle = 1]|\\&\quad \quad + \displaystyle \sum _{\ell = 1}^{Q} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,\ell -1,3} \rangle = 1] - \Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,\ell ,1} \rangle = 1]| \\&\quad \quad + \displaystyle \sum _{\ell = 1}^{Q} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,\ell ,1} \rangle = 1] - \Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,\ell ,2} \rangle = 1]| \\&\quad \quad + \displaystyle \sum _{\ell = 1}^{Q} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,\ell ,2} \rangle = 1] - \Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,\ell ,3} \rangle = 1]| \\&\quad \quad + |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,Q,3} \rangle = 1] - \Pr [\langle {\mathcal {A}},{\textsf {H}}_3 \rangle = 1]| \end{aligned}$$

Summing the results of Lemmas 10–14, we then have that:

$$\begin{aligned}&|\Pr [\langle {\mathcal {A}},{\textsf {H}}_{0} \rangle = 1] - \Pr [\langle {\mathcal {A}},{\textsf {H}}_3 \rangle = 1]| \le {\textsf {Adv}}^{{k\textsc {-Lin}}}_{{{\mathcal {B}}^*}}(\lambda ) \\&\quad + \, 2 \cdot Q \cdot {\textsf {Adv}}^{{k\textsc {-Lin}}}_{{{\mathcal {B}}^*}}(\lambda ) + Q \cdot 2^{6d} \cdot 8^{d} \cdot n \cdot {\textsf {Adv}}^{{k\textsc {-Lin}}}_{{{\mathcal {B}}^*}}(\lambda ) + \frac{1}{p} \end{aligned}$$

If \(d = O(\log n)\), then under the k-Lin assumption this quantity is a negligible function of \(\lambda \). (The number of queries made Q and the attribute vector length n are both polynomial in \(\lambda \), and \(\frac{1}{p}\) is a negligible function of \(\lambda \).) It’s easy to see that \({\textsf {Adv}}^{\textsc {abe}}_{{\mathcal {A}}}(\lambda ) = 0\) in the \({\textsf {H}}_3\) hybrid game (since a random message is encrypted in the challenge ciphertext). So, any adversary in the real game (\({\textsf {H}}_0\)) will have advantage negligibly close to 0, and our construction satisfies adaptive security. \(\square \)

Our Unbounded KP-ABE Scheme

In this section, we use the modular technique presented in [6] to transform our KP-ABE construction from Sect. 6 (for \({\textsf {NC}}^{1}\) that is compact and adaptively secure under the \(\text {MDDH}_{k}\) assumption in asymmetric prime-order bilinear groups) into a construction with the same properties plus an added benefit that the scheme is unbounded (that is, the public parameters are of constant size [27]).

1.1 Unbounded KP-ABE Construction

  • \({\textsf {Setup}}(1^\lambda ,1^n):\) Run \({\mathbb {G}} = (p, G_1, G_2, G_T, e) \leftarrow {\mathcal {G}}(1^\lambda )\). Sample

    $$\begin{aligned} {\mathbf {A}}_1 \leftarrow {\mathbb {Z}}_p^{k \times (2k+1)}, {\mathbf {W}},{\mathbf {W}}_0,{\mathbf {W}}_1 \leftarrow {\mathbb {Z}}_p^{(2k+1) \times k}, {\mathbf {v}}\leftarrow {\mathbb {Z}}_p^{2k+1} \end{aligned}$$

    and output:

    $$\begin{aligned} {\textsf {msk}}:= & {} (\;{\mathbf {v}}, {\mathbf {W}}, {\mathbf {W}}_0, {\mathbf {W}}_1\;)\\ {{\textsf {mpk}}}:= & {} (\; [{\mathbf {A}}_1]_1,[{\mathbf {A}}_1 {\mathbf {W}}]_1,[{\mathbf {A}}_1 {\mathbf {W}}_0]_1,[{\mathbf {A}}_1 {\mathbf {W}}_1]_1,\; e([{\mathbf {A}}_1]_1, [{\mathbf {v}}]_2)\;) \end{aligned}$$
  • \({\textsf {Enc}}({{\textsf {mpk}}},x,M):\) Sample \({\mathbf {s}}, {\mathbf {s}}_i \leftarrow {\mathbb {Z}}_p^k\). Output:

    $$\begin{aligned} {\textsf {ct}}_{\mathbf {x}}= & {} ({\textsf {ct}}_{1}, \{{\textsf {ct}}_{2, i}, {\textsf {ct}}_{3,i}\}_{x_i =1}, {\textsf {ct}}_{4})\\&:= (\;[{\mathbf {s}}^{\top }{\mathbf {A}}_1]_1, \{ [{\mathbf {s}}^{\top }{\mathbf {A}}_1{\mathbf {W}}+{\mathbf {s}}_i^{\top }{\mathbf {A}}_1({\mathbf {W}}_0 + i \cdot {\mathbf {W}}_1)]_1, \\&\quad [{\mathbf {s}}_i^{\top }{\mathbf {A}}_1]_1 \}_{x_i = 1}, e([{\mathbf {s}}^{\top }{\mathbf {A}}_1]_1,[{\mathbf {v}}]_2) \cdot M\;) \end{aligned}$$
  • \({\textsf {KeyGen}}({{\textsf {mpk}}},{\textsf {msk}},f):\) Sample \((\{{\mathbf {v}}_j\}, \rho ) \leftarrow {\textsf {share}}(f, {\mathbf {v}})\), \({\mathbf {r}}_j \leftarrow {\mathbb {Z}}_p^k\). Output:

    $$\begin{aligned} {\textsf {sk}}_f= & {} (\{{\textsf {sk}}_{1, j}, {\textsf {sk}}_{2, j}, {\textsf {sk}}_{3,j}\}, \{{\textsf {sk}}_{4,j}\})\\:= & {} (\; \{[{\mathbf {v}}_j+ {\mathbf {W}}{\mathbf {r}}_j]_2, [{\mathbf {r}}_j]_2, [({\mathbf {W}}_0+\rho (j)\cdot {\mathbf {W}}_1){\mathbf {r}}_j]_2 \}_{\rho (j) \ne 0}, \; \{[{\mathbf {v}}_j]_2 \}_{\rho (j) = 0} \;) \end{aligned}$$
  • \({\textsf {Dec}}({{\textsf {mpk}}},{\textsf {sk}}_{f},{\textsf {ct}}_{\mathbf {x}}):\) Compute \(\omega _j\) such that \({\mathbf {v}}= \displaystyle \sum _{\rho (j) = 0 \vee x_{\rho (j) = 1}} \omega _j {\mathbf {v}}_j\) as described in Sect. 5.1. Output:

    $$\begin{aligned} {\textsf {ct}}_4 \cdot \displaystyle \prod _{x_{\rho (j) = 1}} \left( \frac{e({\textsf {ct}}_{2,\rho (j)}, {\textsf {sk}}_{2,j})}{e({\textsf {ct}}_{1}, {\textsf {sk}}_{1,j}) \cdot e({\textsf {ct}}_{3,\rho (j)}, {\textsf {sk}}_{3,j})}\right) ^{\omega _j} \cdot \displaystyle \prod _{\rho (j) = 0 } e({\textsf {ct}}_{1}, {\textsf {sk}}_{4,j})^{-\omega _j} \end{aligned}$$

1.2 Correctness

Correctness relies on the fact that for all j, we have

$$\begin{aligned} \frac{e({\textsf {ct}}_{1}, {\textsf {sk}}_{1,j}) \cdot e({\textsf {ct}}_{3,\rho (j)}, {\textsf {sk}}_{3,j})}{e({\textsf {ct}}_{2,\rho (j)}, {\textsf {sk}}_{2,j})} = [{\mathbf {s}}^{\top }{\mathbf {A}}_1 {\mathbf {v}}_j]_T \end{aligned}$$

which follows from the fact that

$$\begin{aligned} {\mathbf {s}}^{\top }{\mathbf {A}}_1 {\mathbf {v}}_j= & {} \underbrace{{\mathbf {s}}^{\top }{\mathbf {A}}_1}_{{\textsf {ct}}_1} \cdot (\underbrace{{\mathbf {v}}_j + {\mathbf {W}}{\mathbf {r}}_j}_{{\textsf {sk}}_{1,j}}) - \underbrace{({\mathbf {s}}^{\top }{\mathbf {A}}_1 {\mathbf {W}}+ {\mathbf {s}}_{\rho (j)}^{\top }{\mathbf {A}}_1 ({\mathbf {W}}_0 + \rho (j)\cdot {\mathbf {W}}_1))}_{{\textsf {ct}}_{2, \rho (j)}} \\&\quad \cdot \underbrace{{\mathbf {r}}_j}_{{\textsf {sk}}_{2,j}} + \underbrace{{\mathbf {s}}_{\rho (j)}^{\top }{\mathbf {A}}_1}_{{\textsf {ct}}_{3, \rho (j)}} \cdot \underbrace{({\mathbf {W}}_0+\rho (j)\cdot {\mathbf {W}}_1){\mathbf {r}}_j}_{{\textsf {sk}}_{3,j}} \end{aligned}$$

and also the fact that for all j,

$$\begin{aligned} e({\textsf {ct}}_{1}, {\textsf {sk}}_{4,j}) = [{\mathbf {s}}^{\top }{\mathbf {A}}_1 {\mathbf {v}}_j]_T \end{aligned}$$

Therefore, for all f, x such that \(f(x) = 1\), we have:

$$\begin{aligned}&{\textsf {ct}}_4 \cdot \displaystyle \prod _{x_{\rho (j) = 1}} \left( \frac{e({\textsf {ct}}_{2,\rho (j)}, {\textsf {sk}}_{2,j})}{e({\textsf {ct}}_{1}, {\textsf {sk}}_{1,j}) \cdot e({\textsf {ct}}_{3,\rho (j)}, {\textsf {sk}}_{3,j})}\right) ^{\omega _j} \cdot \\&\quad \displaystyle \prod _{\rho (j) = 0 } e({\textsf {ct}}_{1}, {\textsf {sk}}_{4,j})^{-\omega _j}\\&\quad = M \cdot [{\mathbf {s}}^{\top }{\mathbf {A}}_1 {\mathbf {v}}]_T \cdot \prod _{\rho (j) = 0 \vee x_{\rho (j) = 1}} [{\mathbf {s}}^{\top }{\mathbf {A}}_1 {\mathbf {v}}_j]_T^{-\omega _j}\\&\quad = M \cdot [{\mathbf {s}}^{\top }{\mathbf {A}}_1 {\mathbf {v}}]_T \cdot [-{\mathbf {s}}^{\top }{\mathbf {A}}_1 \displaystyle \sum _{\rho (j) = 0 \vee x_{\rho (j) = 1}} \omega _j {\mathbf {v}}_j]_T\\&\quad = M \cdot [{\mathbf {s}}^{\top }{\mathbf {A}}_1 {\mathbf {v}}]_T \cdot [-{\mathbf {s}}^{\top }{\mathbf {A}}_1 {\mathbf {v}}]_T\\&\quad = M \end{aligned}$$

1.3 Adaptive Security

Entropy expansion lemma. Our security proof relies on the “entropy expansion lemma” in [6]. First, we introduce some additional notation. Let \({\mathbf {A}}\) be a matrix over \({\mathbb {Z}}_p\). We use \({\textsf {span}}({\mathbf {A}})\) to denote the column span of \({\mathbf {A}}\), and we use \({\textsf {span}}^{\ell }({\mathbf {A}})\) to denote matrices of width \(\ell \) where each column lies in \({\textsf {span}}({\mathbf {A}})\); this means \({\mathbf {M}}\leftarrow _{\textsc {r}}{\textsf {span}}^{\ell }({\mathbf {A}})\) is a random matrix of width \(\ell \) where each column is chosen uniformly from \({\textsf {span}}({\mathbf {A}})\). We use \({\textsf {basis}}({\mathbf {A}})\) to denote a basis of \({\textsf {span}}({\mathbf {A}})\), and we use \(({\mathbf {A}}_1 \mid {\mathbf {A}}_2)\) to denote the concatenation of matrices \({\mathbf {A}}_1,{\mathbf {A}}_2\).

Pick random

$$\begin{aligned} {\mathbf {A}}_1 \leftarrow _{\textsc {r}}{\mathbb {Z}}_p^{\ell _1 \times \ell }, {\mathbf {A}}_2 \leftarrow _{\textsc {r}}{\mathbb {Z}}_p^{\ell _2 \times \ell }, {\mathbf {A}}_3 \leftarrow _{\textsc {r}}{\mathbb {Z}}_p^{\ell _3 \times \ell } \end{aligned}$$

where \(\ell := \ell _1 + \ell _2 + \ell _3\). Let \(({\mathbf {A}}^{\Vert }_1 \mid {\mathbf {A}}^{\Vert }_2 \mid {\mathbf {A}}^{\Vert }_3)^{\top }\) denote the inverse of \(({\mathbf {A}}_1^{\top }\mid {\mathbf {A}}_2^{\top }\mid {\mathbf {A}}_3^{\top })\), so that \({\mathbf {A}}_i {\mathbf {A}}^{\Vert }_i = {\mathbf {I}}\) (known as non-degeneracy) and \({\mathbf {A}}_i {\mathbf {A}}^{\Vert }_j = {\mathbf {0}}\) if \(i \ne j\) (known as orthogonality). Here, we focus on the case \((\ell _1,\ell _2,\ell _3) = (k,1,k)\) and so \(\ell = 2k+1\).

Lemma 15

(Entropy expansion lemma [6]) Under the \(\text {MDDH}_{k}\) assumption, we have

$$\begin{aligned} \begin{array}{cl} &{} {\mathbb {D}}_0 := \left\{ \begin{array}{rl} {\textsf {aux}}: &{} [{\mathbf {A}}_1]_1,[{\mathbf {A}}_1 {\mathbf {W}}]_1,[{\mathbf {A}}_1 {\mathbf {W}}_0]_1,[{\mathbf {A}}_1 {\mathbf {W}}_1]_1 \\ {\textsf {ct}}: &{} [{\mathbf {c}}^{\top }]_1, \; \big \{ [{\mathbf {c}}^{\top }{\mathbf {W}}+ {\mathbf {c}}_i^{\top }({\mathbf {W}}_0 + i \cdot {\mathbf {W}}_1)]_1,\; [{\mathbf {c}}_i^{\top }]_1\big \}_{i \in [n]} \\ {\textsf {sk}}: &{} \big \{ [{\mathbf {W}}{\mathbf {D}}_{i}]_2, \; [{\mathbf {D}}_{i}]_2, \;[({\mathbf {W}}_0 + i \cdot {\mathbf {W}}_1){\mathbf {D}}_{i}]_2 \big \}_{i \in [n]}\\ \end{array} \right\} \\ \approx _c &{}\\ &{}{\mathbb {D}}_1 := \left\{ \begin{array}{rl} {\textsf {aux}}: &{} [{\mathbf {A}}_1]_1,[{\mathbf {A}}_1 {\mathbf {W}}]_1,[{\mathbf {A}}_1 {\mathbf {W}}_0]_1,[{\mathbf {A}}_1 {\mathbf {W}}_1]_1 \\ {\textsf {ct}}: &{} [\boxed {{\mathbf {c}}}^{\top }]_1,\;\big \{ [\boxed {{\mathbf {c}}}^{\top }({\mathbf {W}}+ \boxed {{\mathbf {V}}^{(2)}_i}) + \boxed {{\mathbf {c}}_i}^{\top }({\mathbf {W}}_0 + i \cdot {\mathbf {W}}_1 + \boxed {{\mathbf {U}}^{(2)}_i})]_1,\; [\boxed {{\mathbf {c}}_i}^{\top }]_1\big \}_{i \in [n]} \\ {\textsf {sk}}: &{} \big \{ [({\mathbf {W}}+\boxed {{\mathbf {V}}^{(2)}_i}) {\mathbf {D}}_{i}]_2, \; [{\mathbf {D}}_{i}]_2,\; [({\mathbf {W}}_0 + i \cdot {\mathbf {W}}_1 + \boxed {{\mathbf {U}}^{(2)}_i}){\mathbf {D}}_{i}]_2 \big \}_{i \in [n]} \end{array} \right\} \end{array} \end{aligned}$$

where \({\mathbf {W}}, {\mathbf {W}}_0, {\mathbf {W}}_1 \leftarrow _{\textsc {r}}{\mathbb {Z}}_p^{(2k+1) \times k}, {\mathbf {V}}^{(2)}_i,{\mathbf {U}}^{(2)}_i \leftarrow _{\textsc {r}}{\textsf {span}}^{k}({\mathbf {A}}_2^{\parallel }),{\mathbf {D}}_{i} \leftarrow _{\textsc {r}}{\mathbb {Z}}_p^{k\times k}\), and \({\mathbf {c}},{\mathbf {c}}_i \leftarrow _{\textsc {r}}{\textsf {span}}({\mathbf {A}}_1^{\top })\) in the left distribution while \({\mathbf {c}},{\mathbf {c}}_i\leftarrow _{\textsc {r}}{\textsf {span}}({\mathbf {A}}_1^{\top },{\mathbf {A}}_2^{\top })\) in the right distribution, where the concrete security loss \(|\Pr [{{\mathcal {A}}'({\mathbb {D}}_0)}=1]-\Pr [{{\mathcal {A}}'({\mathbb {D}}_1)}=1]| \le (5n+1) \cdot {\textsf {Adv}}^{{k\textsc {-Lin}}}_{{{\mathcal {B}}'}}(\lambda )\).

This lemma allows us to use a hybrid proof to first transition to a game in which the challenge ciphertext and secret keys have components in the \({\mathbf {A}}_2\) space which mirror those of our (bounded) construction of Sect. 6. We then follow the same proof structure as in Sect. 6.
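Why the boxed terms of Lemma 15 leave \({\textsf {aux}}\) unchanged while they do alter \({\textsf {ct}}\) follows directly from the dual-basis relations. The Python code below is an added example, not from the paper: it builds \({\mathbf {A}}_1^{\Vert },{\mathbf {A}}_2^{\Vert },{\mathbf {A}}_3^{\Vert }\) by inverting the stacked matrix, draws \({\mathbf {V}}^{(2)}\) from \({\textsf {span}}^{k}({\mathbf {A}}_2^{\Vert })\), and compares \({\mathbf {A}}_1{\mathbf {V}}^{(2)}\) with \({\mathbf {c}}^{\top }{\mathbf {V}}^{(2)}\) for \({\mathbf {c}}\) in \({\textsf {span}}({\mathbf {A}}_1^{\top })\) and in \({\textsf {span}}({\mathbf {A}}_1^{\top },{\mathbf {A}}_2^{\top })\). The modulus, k = 2 and all function names are assumptions.

```python
import random

P = (1 << 61) - 1      # constructed prime standing in for the group order p
K = 2                  # (l1, l2, l3) = (k, 1, k)
L = 2 * K + 1          # l = 2k + 1

def rmat(rows, cols, rng):
    return [[rng.randrange(P) for _ in range(cols)] for _ in range(rows)]

def mul(X, Y):
    cols = list(zip(*Y))
    return [[sum(a * b for a, b in zip(row, col)) % P for col in cols] for row in X]

def transpose(X):
    return [list(c) for c in zip(*X)]

def inverse(M):
    # Gauss-Jordan elimination over Z_p; raises StopIteration if M is singular
    n = len(M)
    aug = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next(r for r in range(c, n) if aug[r][c] % P)
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, P)
        aug[c] = [x * inv % P for x in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                f = aug[r][c]
                aug[r] = [(x - f * y) % P for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def dual_bases(A1, A2, A3):
    # (A1^T | A2^T | A3^T) is the transpose of the stacked matrix S = [A1; A2; A3],
    # so (A1par | A2par | A3par) = S^{-1}, split into column blocks of width k, 1, k
    cols = transpose(inverse(A1 + A2 + A3))
    block = lambda lo, hi: transpose(cols[lo:hi])
    return block(0, K), block(K, K + 1), block(K + 1, L)

def sf_shift(seed=1):
    rng = random.Random(seed)
    A1, A2, A3 = rmat(K, L, rng), rmat(1, L, rng), rmat(K, L, rng)
    D1, D2, D3 = dual_bases(A1, A2, A3)
    t = rmat(1, K, rng)
    V2 = mul(D2, t)                          # V^(2) <- span^k(A_2^par), an l x k matrix
    s, s2 = rmat(1, K, rng), rmat(1, 1, rng)
    c_normal = mul(s, A1)                    # c in span(A_1^T)
    a2_part = mul(s2, A2)
    c_sf = [[(x + y) % P for x, y in zip(c_normal[0], a2_part[0])]]  # c in span(A_1^T, A_2^T)
    return {
        "A1_D1": mul(A1, D1),                # non-degeneracy: identity
        "A1_D2": mul(A1, D2),                # orthogonality: zero
        "A2_D2": mul(A2, D2),
        "A1_V2": mul(A1, V2),                # change to [A_1 W]_1 under W -> W + V^(2)
        "normal_shift": mul(c_normal, V2),   # change to c^T W for c in span(A_1^T)
        "sf_shift": mul(c_sf, V2),           # change to c^T W once c has an A_2 component
        "expected_sf_shift": mul(s2, t),
    }
```

Since \({\mathbf {A}}_1{\mathbf {V}}^{(2)} = {\mathbf {0}}\), the published \([{\mathbf {A}}_1{\mathbf {W}}]_1\) is the same under either distribution; only a ciphertext whose \({\mathbf {c}}\) has a component along \({\mathbf {A}}_2^{\top }\) picks up the extra term.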

Description of hybrids. A ciphertext can be in one of the following forms:

  • \({\textsf {Normal}}\): generated as in the scheme.

  • \({\textsf {SF}}\): same as a \({\textsf {Normal}}\) ciphertext, except \({\mathbf {s}}^{\top }{\mathbf {A}}_1, {\mathbf {s}}_i^{\top }{\mathbf {A}}_1\) replaced with \({\mathbf {c}}^{\top }, {\mathbf {c}}_i^{\top }\leftarrow {\mathbb {Z}}_p^{2k+1}\) and we use the substitution:

    $$\begin{aligned}&{\mathbf {W}}\rightarrow {\widehat{{\mathbf {V}}}}_i := {\mathbf {W}}+ {\mathbf {V}}^{(2)}_i \text { in }i\text {th component, and } \\&\quad {\mathbf {W}}_0 + i \cdot {\mathbf {W}}_1 \rightarrow {\widehat{{\mathbf {U}}}}_i := {\mathbf {W}}_0 + i \cdot {\mathbf {W}}_1 + {\mathbf {U}}^{(2)}_i \end{aligned} \tag{3}$$

    where \({\mathbf {U}}^{(2)}_i, {\mathbf {V}}^{(2)}_i \leftarrow {\textsf {span}}^{k}({\mathbf {A}}_2^{\parallel })\). Concretely, a \({\textsf {SF}}\) ciphertext is of the form:

    $$\begin{aligned} {\textsf {ct}}_{\mathbf {x}}:= (\;[{\mathbf {c}}^{\top }]_1, \{ [{\mathbf {c}}^{\top }{\widehat{{\mathbf {V}}}}_i +{\mathbf {c}}_i^{\top }{\widehat{{\mathbf {U}}}}_i]_1, [{\mathbf {c}}_i^{\top }]_1 \}_{x_i = 1}, e([{\mathbf {c}}^{\top }]_1,[{\mathbf {v}}]_2) \cdot M\;) \end{aligned}$$

A secret key can be in one of the following forms:

  • \({\textsf {Normal}}\): generated as in the scheme.

  • \({\textsf {P}\text {-}\textsf {SF}}\): same as a \({\textsf {Normal}}\) key, except we use the same substitution as in (3), concretely making a \({\textsf {P}\text {-}\textsf {SF}}\) key of the form:

    $$\begin{aligned} {\textsf {sk}}_f := (\; \{[{\mathbf {v}}_j+ {\widehat{{\mathbf {V}}}}_{\rho (j)} {\mathbf {r}}_j]_2, [{\mathbf {r}}_j]_2, [ {\widehat{{\mathbf {U}}}}_{\rho (j)} {\mathbf {r}}_j]_2 \}_{\rho (j) \ne 0}, \; \{[{\mathbf {v}}_j]_2 \}_{\rho (j) = 0} \;) \end{aligned}$$
  • \({\textsf {SF}}\): same as a \({\textsf {P}\text {-}\textsf {SF}}\) key, except \({\mathbf {v}}\) replaced with \({\mathbf {v}}+ \delta {\mathbf {a}}^\perp \), where a fresh \(\delta \leftarrow {\mathbb {Z}}_p\) is chosen per \({\textsf {SF}}\) key and \({\mathbf {a}}^\perp \leftarrow {\textsf {span}}({\mathbf {A}}_2^{\parallel }) {\setminus } \{\mathbf {0}\}\).

Hybrid sequence. Suppose the adversary \({\textsf {A}}\) makes at most Q secret key queries. The hybrid sequence is as follows:

  • \({\textsf {H}}_0\): real game

  • \({\textsf {H}}_1\): same as \({\textsf {H}}_0\), except all keys are \({\textsf {P}\text {-}\textsf {SF}}\), and we use a \({\textsf {SF}}\) ciphertext.

  • \({\textsf {H}}_{2,\ell }, \ell =0,\ldots ,Q\): same as \({\textsf {H}}_1\), except the first \(\ell \) keys are \({\textsf {SF}}\) and the remaining \(Q-\ell \) keys are \({\textsf {P}\text {-}\textsf {SF}}\).

  • \({\textsf {H}}_3\): replace M with random \({\widetilde{M}}\).

Proof overview

  • We have \({\textsf {H}}_0 \approx _c {\textsf {H}}_1 \equiv {\textsf {H}}_{2,0}\) via Lemma 15. In the reduction, on input

    $$\begin{aligned} \left\{ \begin{array}{rl} {\textsf {aux}}: &{} [{\mathbf {A}}_1^{\top }]_1,[{\mathbf {A}}_1^{\top }{\mathbf {W}}]_1,[{\mathbf {A}}_1^{\top }{\mathbf {W}}_0]_1,[{\mathbf {A}}_1^{\top }{\mathbf {W}}_1]_1 \\ {\textsf {ct}}: &{} [{\mathbf {C}}_0]_1, \; \big \{ [{\mathbf {C}}_{1,i}]_1,\; [{\mathbf {C}}_{2,i}]_1\big \}_{i \in [n]} \\ {\textsf {sk}}: &{} \big \{ [{\mathbf {K}}_{0,i}]_2, \; [{\mathbf {K}}_{1,i}]_2, \;[{\mathbf {K}}_{2,i}]_2 \big \}_{i \in [n]}\\ \end{array} \right\} , \end{aligned}$$

    we sample \({\mathbf {v}}\leftarrow _{\textsc {r}}{\mathbb {Z}}_p^{2k+1}\), compute \((\{{\mathbf {v}}_j\}, \rho ) \leftarrow {\textsf {share}}(f, {\mathbf {v}})\), draw \({{\tilde{{\mathbf {r}}}}}_{j,\ell } \leftarrow _{\textsc {r}}{\mathbb {Z}}_p^{k}\) for shares j and keys \(\ell \in [Q]\) and simulate the game with

    $$\begin{aligned} \left\{ \begin{array}{rl} {{\textsf {mpk}}} : &{} {\textsf {aux}},\; e([{\mathbf {A}}_1^{\top }]_1, [{\mathbf {v}}]_2) \\ {\textsf {ct}}_{{\mathbf {x}}} : &{} [{\mathbf {C}}_0]_1, \;\big \{ [{\mathbf {C}}_{1,i}]_1,\; [{\mathbf {C}}_{2,i}]_1\big \}_{i:x_i=1}, e([{\mathbf {C}}_0]_1,[{\mathbf {v}}]_2) \cdot M_b \\ {\textsf {sk}}_f^\ell : &{} \big \{\;[ {\mathbf {v}}_j +{\mathbf {K}}_{0,\rho (j)}{{\tilde{{\mathbf {r}}}}}_{j,\ell }]_{2},\; [{\mathbf {K}}_{1,\rho (j)}{{\tilde{{\mathbf {r}}}}}_{j,\ell }]_{2},\; [{\mathbf {K}}_{2,\rho (j)}{{\tilde{{\mathbf {r}}}}}_{j,\ell }]_{2}\; \big \}\\ \end{array} \right\} . \end{aligned}$$

    In both cases, we set \({\mathbf {r}}_{j,\ell } := {\mathbf {D}}_{\rho (j)} {{\tilde{{\mathbf {r}}}}}_{j,\ell }\) where \({\mathbf {D}}_i \leftarrow _{\textsc {r}}{\mathbb {Z}}_p^{k \times k}\) as defined in the entropy expansion lemma (Lemma 15). Therefore, all \({\mathbf {r}}_{j,\ell }\) are uniformly distributed over \({\mathbb {Z}}_p^{k}\) with high probability.

  • We have \({\textsf {H}}_{2,\ell -1} \approx _c {\textsf {H}}_{2,\ell }\), for all \(\ell \in [Q]\). The difference between the two is that we switch the \(\ell \)’th \({\textsf {sk}}_f\) from \({\textsf {P}\text {-}\textsf {SF}}\) to \({\textsf {SF}}\) using the adaptive security of our core 1-ABE component in \({\textsf {G}}^{\textsc {1-abe}}\) from Sect. 5. The idea is to sample

    $$\begin{aligned} {\mathbf {v}}= {\tilde{{\mathbf {v}}}} + \mu {\mathbf {a}}^\perp \end{aligned}$$

    where \({\mathbf {a}}^\perp \leftarrow {\textsf {span}}({\mathbf {A}}_2^{\parallel }) {\setminus } \{\mathbf {0}\}\) so that \({{\textsf {mpk}}}\) can be computed using \({\tilde{{\mathbf {v}}}}\) and perfectly hides \(\mu , {\mathbf {w}}_1,\ldots ,{\mathbf {w}}_n\). Roughly speaking, the reduction

    • uses \({\mathcal {O}}_{\textsf {X}}(x)\) in \({\textsf {G}}^{\textsc {1-abe}}\) to simulate the challenge ciphertext

    • uses \({\mathcal {O}}_{\textsf {F}}(f)\) in \({\textsf {G}}^{\textsc {1-abe}}\) to simulate \(\ell \)’th secret key

    • uses \(\mu ^{(0)}\) from \({\textsf {G}}^{\textsc {1-abe}}\) together with \({\mathcal {O}}_{\textsf {E}}(i, \cdot ) = {\textsf {Enc}}(w_i,\cdot )\) to simulate the remaining \(Q-\ell \) secret keys

  • We have \({\textsf {H}}_{2,Q} \equiv {\textsf {H}}_3\). In \({\textsf {H}}_{2,Q}\), the secret keys only leak \({\mathbf {v}}+ \delta _1 {\mathbf {a}}^\perp ,\ldots ,{\mathbf {v}}+ \delta _Q {\mathbf {a}}^\perp \). This means that \({\mathbf {c}}^{\top }{\mathbf {v}}\) is statistically random (as long as \({\mathbf {c}}^{\top }{\mathbf {a}}^\perp \ne 0\)).

Lemma 16

(\({\textsf {H}}_0 \approx _c {\textsf {H}}_1 \equiv {\textsf {H}}_{2,0}\))

$$\begin{aligned} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_0 \rangle =1]-\Pr [\langle {\mathcal {A}},{\textsf {H}}_1 \rangle =1]| \le (5n+1) \cdot {\textsf {Adv}}^{{k\textsc {-Lin}}}_{{{\mathcal {B}}'}}(\lambda ) \end{aligned}$$

Proof

Consider the following adversary \({\mathcal {A}}'\) attempting to distinguish the distributions in the Entropy Expansion Lemma 15, which internally simulates \({\mathcal {A}}\) and the challenger in the ABE security game:

  • \({\mathcal {A}}'\) receives input:

    $$\begin{aligned} {\mathbb {D}}_\beta = \left\{ \begin{array}{rl} {\textsf {aux}}: &{} [{\mathbf {A}}_1^{\top }]_1,[{\mathbf {A}}_1^{\top }{\mathbf {W}}]_1,[{\mathbf {A}}_1^{\top }{\mathbf {W}}_0]_1,[{\mathbf {A}}_1^{\top }{\mathbf {W}}_1]_1 \\ {\textsf {ct}}: &{} [{\mathbf {C}}_0]_1, \; \big \{ [{\mathbf {C}}_{1,i}]_1,\; [{\mathbf {C}}_{2,i}]_1\big \}_{i \in [n]} \\ {\textsf {sk}}: &{} \big \{ [{\mathbf {K}}_{0,i}]_2, \; [{\mathbf {K}}_{1,i}]_2, \;[{\mathbf {K}}_{2,i}]_2 \big \}_{i \in [n]}\\ \end{array} \right\} \end{aligned}$$
  • First, \({\mathcal {A}}'\) samples \({\mathbf {v}}\leftarrow _{\textsc {r}}{\mathbb {Z}}_p^{2k+1}\) and outputs:

    $$\begin{aligned} {{\textsf {mpk}}} := (\; [{\mathbf {A}}_1]_1,[{\mathbf {A}}_1 {\mathbf {W}}]_1,[{\mathbf {A}}_1 {\mathbf {W}}_0]_1,[{\mathbf {A}}_1 {\mathbf {W}}_1]_1,\; e([{\mathbf {A}}_1]_1, [{{\mathbf {v}}}]_2)\;),\\ \end{aligned}$$
  • When \({\mathcal {A}}\) requests a challenge ciphertext for attribute \({\mathbf {x}}\) along with \(M_0,M_1\), \({\mathcal {A}}'\) samples \(b \leftarrow \{0,1\}\) (the challenge bit in the standard ABE security game) and returns the following challenge ciphertext for \({\mathcal {A}}\):

    $$\begin{aligned} {\textsf {ct}}_{{\mathbf {x}}} := [{\mathbf {C}}_0]_1, \;\big \{ [{\mathbf {C}}_{1,i}]_1,\; [{\mathbf {C}}_{2,i}]_1\big \}_{i:x_i=1}, e([{\mathbf {C}}_0]_1,[{\mathbf {v}}]_2) \cdot M_b \end{aligned}$$
  • For any secret keys requested, say for formula f, \({\mathcal {A}}'\) computes \((\{{\mathbf {v}}_j\}, \rho ) \leftarrow {\textsf {share}}(f, {\mathbf {v}})\), draws \({{\tilde{{\mathbf {r}}}}}_{j} \leftarrow _{\textsc {r}}{\mathbb {Z}}_p^{k}\) and forms the following key:

    $$\begin{aligned} {\textsf {sk}}_f := \big \{\;[ {\mathbf {v}}_j +{\mathbf {K}}_{0,\rho (j)}{{\tilde{{\mathbf {r}}}}}_{j}]_{2},\; [{\mathbf {K}}_{1,\rho (j)}{{\tilde{{\mathbf {r}}}}}_{j}]_{2},\; [{\mathbf {K}}_{2,\rho (j)}{{\tilde{{\mathbf {r}}}}}_{j}]_{2}\; \big \} \end{aligned}$$

    Notice that if \(\beta =0\) (the input to \({\mathcal {A}}'\) was drawn from distribution \({\mathbb {D}}_0\) defined in Lemma 15), then the challenge \({\textsf {ct}}_{\mathbf {x}}\) and all \({\textsf {sk}}_f\) are \({\textsf {Normal}}\), and if \(\beta =1\) (the input to \({\mathcal {A}}'\) was drawn from distribution \({\mathbb {D}}_1\)), then \({\textsf {ct}}_{\mathbf {x}}\) is distributed as a \({\textsf {SF}}\) ciphertext and all \({\textsf {sk}}_f\) are distributed as \({\textsf {P}\text {-}\textsf {SF}}\) keys.

Putting everything together, for \(\beta \in \{0,1\}\), when \({\mathcal {A}}'\) interacts with \({\mathbb {D}}_\beta \), then \({\mathcal {A}}'\) simulates \({\textsf {H}}_{\beta }\). It follows then that:

$$\begin{aligned} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_0 \rangle =1]-\Pr [\langle {\mathcal {A}},{\textsf {H}}_1 \rangle =1]| \le |\Pr [{{\mathcal {A}}'({\mathbb {D}}_0)}=1]-\Pr [{{\mathcal {A}}'({\mathbb {D}}_1)}=1]| \end{aligned}$$

From Lemma 15, we then have:

$$\begin{aligned} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_0 \rangle =1]-\Pr [\langle {\mathcal {A}},{\textsf {H}}_1 \rangle =1]| \le (5n+1) \cdot {\textsf {Adv}}^{{k\textsc {-Lin}}}_{{{\mathcal {B}}'}}(\lambda ) \end{aligned}$$

\(\square \)

Lemma 17

(\({\textsf {H}}_{2,\ell -1} \approx _c {\textsf {H}}_{2,\ell }\))

$$\begin{aligned} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2, \ell -1} \rangle =1]-\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2, \ell } \rangle =1]| \le 2^{6d} \cdot 8^{d} \cdot n \cdot {\textsf {Adv}}^{{k\textsc {-Lin}}}_{{{\mathcal {B}}^*}}(\lambda ) \end{aligned}$$

Proof

For each \(\beta \in \{0,1\}\), consider the following adversary \({\mathcal {A}}'\) in \({\textsf {G}}^{\textsc {1-abe}}_\beta \) which internally simulates \({\mathcal {A}}\) and the challenger in the ABE security game:

  • First, \({\mathcal {A}}'\) samples \({\mathbf {A}}_1, {\mathbf {A}}_3 \leftarrow {\mathbb {Z}}_p^{k \times (2k+1)}, {\mathbf {A}}_2 \leftarrow {\mathbb {Z}}_p^{1 \times (2k+1)}, {\mathbf {W}}, {{\mathbf {W}}}_0 , {\mathbf {W}}_1 \leftarrow {\mathbb {Z}}_p^{(2k+1) \times k}, {\tilde{{\mathbf {v}}}} \leftarrow {\mathbb {Z}}_p^{2k+1}\), samples \(({\mathbf {U}}^{(2)}_i \in {\mathbb {Z}}_p^{(2k+1)\times k}), ({\widetilde{{\mathbf {V}}}}^{(2)}_i \in {\mathbb {Z}}_p^{(2k+1)\times k}) \leftarrow {\textsf {span}}^{k}({\mathbf {A}}_2^{\parallel })\) and \(({\mathbf {a}}^\perp \in {\mathbb {Z}}_p^{2k+1}) \leftarrow {\textsf {span}}({\mathbf {A}}_2^{\parallel }) {\setminus } \{\mathbf {0}\}\) and implicitly defines

    $$\begin{aligned} {\mathbf {v}}:= {\tilde{{\mathbf {v}}}} + \mu ^{(0)} {\mathbf {a}}^\perp , \quad {\mathbf {V}}^{(2)}_i := {\widetilde{{\mathbf {V}}}}^{(2)}_i + {\mathbf {a}}^\perp {\mathbf {w}}_i \end{aligned}$$

    where \(\mu ^{(0)} \in {\mathbb {Z}}_p\) and \({\mathbf {w}}_i \in {\mathbb {Z}}_p^k\) are chosen in \({\textsf {G}}^{\textsc {1-abe}}_\beta \). (Note that \({\mathbf {v}}\) is distributed randomly in \({\mathbb {Z}}_p^{2k+1}\) and \({\mathbf {V}}^{(2)}_i\) is distributed like the output of \( {\textsf {span}}^{k}({\mathbf {A}}_2^{\parallel })\).) Then, \({\mathcal {A}}'\) outputs:

    $$\begin{aligned} {{\textsf {mpk}}} := (\; [{\mathbf {A}}_1]_1,[{\mathbf {A}}_1 {\mathbf {W}}]_1,[{\mathbf {A}}_1 {\mathbf {W}}_0]_1,[{\mathbf {A}}_1 {\mathbf {W}}_1]_1,\; e([{\mathbf {A}}_1]_1, [{\tilde{{\mathbf {v}}}}]_2)\;),\\ \end{aligned}$$
  • When \({\mathcal {A}}\) requests a challenge ciphertext for attribute \({\mathbf {x}}\) along with \(M_0,M_1\), \({\mathcal {A}}'\) queries \({\mathcal {O}}_{\textsf {X}}({\mathbf {x}}) \rightarrow (\; \{ {\mathbf {w}}_i \}_{x_i = 1} \; )\) in \({\textsf {G}}^{\textsc {1-abe}}_\beta \). \({\mathcal {A}}'\) then samples \({\mathbf {c}}, {\mathbf {c}}_i \leftarrow {\mathbb {Z}}_p^{2k+1}\) and \(b \leftarrow \{0,1\}\) (the challenge bit in the standard ABE security game) and returns the following \(({\textsf {SF}})\) challenge ciphertext for \({\mathcal {A}}\):

    $$\begin{aligned} {\textsf {ct}}_{\mathbf {x}}:= \Bigg (\;[{\mathbf {c}}^{\top }]_1, \{ [{\mathbf {c}}^{\top }\underbrace{ ( {\mathbf {W}}+{\widetilde{{\mathbf {V}}}}^{(2)}_i + {\mathbf {a}}^\perp {\mathbf {w}}_i)}_{ {\widehat{{\mathbf {V}}}}_i} +{\mathbf {c}}_i^{\top }\underbrace{({\mathbf {W}}_0 + i \cdot {\mathbf {W}}_1 + {\mathbf {U}}^{(2)}_i )}_{ {\widehat{{\mathbf {U}}}}_i}]_1, [{\mathbf {c}}_i^{\top }]_1 \}_{x_i = 1}, \;\; e([{\mathbf {c}}^{\top }]_1,[\underbrace{{\tilde{{\mathbf {v}}}} + \mu ^{(0)} {\mathbf {a}}^\perp }_{= {\mathbf {v}}}]_2) \cdot M_b \;\Bigg ) \end{aligned}$$
  • For the first \(\ell -1\) secret keys requested, say for formula f, \({\mathcal {A}}'\) computes

    $$\begin{aligned} (\{{\mathbf {v}}_j\},\rho ) \leftarrow {\textsf {share}}(f,\underbrace{{\tilde{{\mathbf {v}}}} + {\tilde{\delta }} {\mathbf {a}}^\perp }_{= {\mathbf {v}}+ \delta {\mathbf {a}}^\perp }) \end{aligned}$$

    where \({\tilde{\delta }} \leftarrow {\mathbb {Z}}_p\) is drawn independently for each key (here, the per-key \(\delta = {\tilde{\delta }} - \mu ^{(0)}\) implicitly). Next, for each j, it queries \({\mathcal {O}}_{\textsf {E}}(\rho (j), [0]_2) \rightarrow ([{\mathbf {w}}_{\rho (j)}^{\top }{\mathbf {r}}_j]_2, [{\mathbf {r}}_j]_2)\) in \({\textsf {G}}^{\textsc {1-abe}}_\beta \) (since \({\mathcal {O}}_{\textsf {E}}(\rho (j), [0]_2) = {\textsf {CPA}}.{\textsf {Enc}}_{{\mathbf {w}}_{\rho (j)}}([0]_2)\)), and forms the following \(({\textsf {SF}})\) key:

    $$\begin{aligned} {\textsf {sk}}_f := (\; \{[\underbrace{{\mathbf {v}}_j+ ( {\mathbf {W}}+ {\widetilde{{\mathbf {V}}}}^{(2)}_{\rho (j)}) {\mathbf {r}}_j + {\mathbf {a}}^\perp {\mathbf {w}}_{\rho (j)}^{\top }{\mathbf {r}}_j}_{{\mathbf {v}}_j + {\widehat{{\mathbf {V}}}}_{\rho (j)} {\mathbf {r}}_j}]_2, [{\mathbf {r}}_j]_2, [\underbrace{({\mathbf {W}}_0 + \rho (j) \cdot {\mathbf {W}}_1 + {\mathbf {U}}^{(2)}_{\rho (j)}) {\mathbf {r}}_j}_{ {\widehat{{\mathbf {U}}}}_{\rho (j)} {\mathbf {r}}_j}]_2 \}_{\rho (j) \ne 0}, \; \{[{\mathbf {v}}_j]_2 \}_{\rho (j) = 0} \;) \end{aligned}$$
  • For the last \(Q-\ell \) secret keys requested, say for formula f, \({\mathcal {A}}'\) proceeds as before for the first \(\ell -1\) keys except

    $$\begin{aligned} (\{{\mathbf {v}}_j\},\rho ) \leftarrow {\textsf {share}}(f,\underbrace{{\tilde{{\mathbf {v}}}} + \mu ^{(0)} {\mathbf {a}}^\perp }_{= {\mathbf {v}}}) \end{aligned}$$

    It is easy to see that it forms a \({\textsf {P}\text {-}\textsf {SF}}\) key.

  • For the \(\ell \)th secret key requested, say for formula f, \({\mathcal {A}}'\) computes \((\{{\mathbf {v}}_j\},\rho ) \leftarrow {\textsf {share}}(f,{\tilde{{\mathbf {v}}}})\), queries \({\mathcal {O}}_{\textsf {F}}(f) \rightarrow (\; \{[\mu _j+ {\mathbf {w}}_{\rho (j)}^{\top }{\mathbf {r}}_j]_2, [{\mathbf {r}}_j]_2\} \;)\) in \({\textsf {G}}^{\textsc {1-abe}}_\beta \), then uses these components to return:

    $$\begin{aligned}&{\textsf {sk}}_f := (\; \{[\underbrace{{\mathbf {v}}_j+ ( {\mathbf {W}}+ {\widetilde{{\mathbf {V}}}}^{(2)}_{\rho (j)}) {\mathbf {r}}_j + {\mathbf {a}}^\perp (\mu _j + {\mathbf {w}}_{\rho (j)}^{\top }{\mathbf {r}}_j)}_{({\mathbf {v}}_j+ \mu _j {\mathbf {a}}^\perp ) + {\widehat{{\mathbf {V}}}}_{\rho (j)} {\mathbf {r}}_j}]_2, \\&\quad [{\mathbf {r}}_j]_2, [\underbrace{({\mathbf {W}}_0 + \rho (j) \cdot {\mathbf {W}}_1 + {\mathbf {U}}^{(2)}_{\rho (j)}) {\mathbf {r}}_j}_{ {\widehat{{\mathbf {U}}}}_{\rho (j)} {\mathbf {r}}_j}]_2 \}_{\rho (j) \ne 0}, \; \{[{\mathbf {v}}_j]_2 \}_{\rho (j) = 0} \;) \end{aligned}$$

    We claim that if \(\beta =0\), then \({\textsf {sk}}_f\) is a \({\textsf {P}\text {-}\textsf {SF}}\) key, and if \(\beta =1\), then \({\textsf {sk}}_f\) is a \({\textsf {SF}}\) key. This follows from the fact that, thanks to linearity, the shares

    $$\begin{aligned} (\{ {\mathbf {v}}_j + \mu _j {\mathbf {a}}^\perp \}, \rho ), \; \text{ where } (\{{\mathbf {v}}_j\},\rho ) \leftarrow {\textsf {share}}(f,{\tilde{{\mathbf {v}}}}), (\{\mu _j\},\rho ) \leftarrow {\textsf {share}}(f,\mu ^{(\beta )}) \end{aligned}$$

    are identically distributed to \({\textsf {share}}(f, {\tilde{{\mathbf {v}}}} + \mu ^{(\beta )} {\mathbf {a}}^\perp )\). The claim then follows from the fact that \({\tilde{{\mathbf {v}}}} + \mu ^{(0)}{\mathbf {a}}^\perp = {\mathbf {v}}\) and that \({\tilde{{\mathbf {v}}}} + \mu ^{(1)}{\mathbf {a}}^\perp \) is identically distributed to \({\mathbf {v}}+ \delta {\mathbf {a}}^\perp \) (where \(\delta = \mu ^{(1)} - \mu ^{(0)}\) is a fresh random value for this key).

Putting everything together, for \(\beta \in \{0,1\}\), when \({\mathcal {A}}'\) interacts with \({\textsf {G}}^{\textsc {1-abe}}_\beta \), then \({\mathcal {A}}'\) simulates \({\textsf {H}}_{2,\ell -1+\beta }\). It follows then that:

$$\begin{aligned}&|\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2, \ell -1} \rangle =1]-\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2, \ell } \rangle =1]|\\&\quad \le |\Pr [\langle {\mathcal {A}}',{\textsf {G}}^{\textsc {1-abe}}_0 \rangle =1]-\Pr [\langle {\mathcal {A}}',{\textsf {G}}^{\textsc {1-abe}}_1 \rangle =1]| \end{aligned}$$

From Theorem 2, we then have:

$$\begin{aligned} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2, \ell -1} \rangle =1]-\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2, \ell } \rangle =1]| \le 2^{6d} \cdot 8^{d} \cdot n \cdot {\textsf {Adv}}^{{k\textsc {-Lin}}}_{{{\mathcal {B}}^*}}(\lambda ) \end{aligned}$$

\(\square \)
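The linearity step in the proof of Lemma 17, checked on a toy instance. This is an added example, not code from the paper: `share` here is a textbook linear sharing for monotone AND/OR formulas (an assumption; the paper's own \({\textsf {share}}\) algorithm is defined elsewhere), and the prime, dimension and policy are constructed.

```python
import random

P = 101   # toy prime (constructed); the paper works over Z_p for a large prime p
DIM = 3   # 2k+1 with k = 1, the length of v in the proof

def add(u, v):
    return [(a + b) % P for a, b in zip(u, v)]
def scale(mu, a):
    return [mu * ai % P for ai in a]

def n_and(f):
    """Number of AND gates, i.e. how many random masks share() consumes."""
    return 0 if isinstance(f, int) else (f[0] == "AND") + n_and(f[1]) + n_and(f[2])

def share(f, secret, masks):
    """Share vector `secret` along f (leaf index, ("AND", l, r) or ("OR", l, r)),
    one mask per AND gate in pre-order. Returns [(rho_j, share_j)] in leaf order."""
    masks = iter(masks)
    def walk(g, s):
        if isinstance(g, int):
            return [(g, list(s))]
        op, l, r = g
        if op == "OR":                      # either child must recover s
            return walk(l, s) + walk(r, s)
        m = next(masks)                     # AND: additive split s = m + (s - m)
        return walk(l, m) + walk(r, [(a - b) % P for a, b in zip(s, m)])
    return walk(f, secret)

def reconstruct(f, shares, x):
    """Recover the secret from the shares with rho_j in x; None if x does not satisfy f."""
    it = iter(shares)
    def walk(g):
        if isinstance(g, int):
            rho, s = next(it)
            return s if rho in x else None
        op, l, r = g
        a, b = walk(l), walk(r)             # always visit both sides to stay in leaf order
        if op == "OR":
            return a if a is not None else b
        return None if a is None or b is None else add(a, b)
    return walk(f)

def linearity_demo(seed=1):
    rng = random.Random(seed)
    vec = lambda n: [rng.randrange(P) for _ in range(n)]
    f = ("AND", 1, ("OR", 2, ("AND", 3, 4)))         # constructed policy
    v_t, a_perp, mu = vec(DIM), vec(DIM), rng.randrange(P)
    R1 = [vec(DIM) for _ in range(n_and(f))]         # randomness of share(f, v~)
    R2 = [vec(1) for _ in range(n_and(f))]           # randomness of share(f, mu)
    vj, muj = share(f, v_t, R1), share(f, [mu], R2)
    lhs = [(rho, add(v, scale(m[0], a_perp))) for (rho, v), (_, m) in zip(vj, muj)]
    R = [add(r1, scale(r2[0], a_perp)) for r1, r2 in zip(R1, R2)]  # uniform, as R1 is
    secret = add(v_t, scale(mu, a_perp))
    return f, secret, lhs, share(f, secret, R)
```

The combined shares `lhs` equal a direct sharing of \({\tilde{{\mathbf {v}}}} + \mu {\mathbf {a}}^\perp \) under randomness `R`, which is uniform whenever `R1` is, so the two share distributions coincide.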

Lemma 18

(\({\textsf {H}}_{2,Q} \approx _s {\textsf {H}}_{3}\))

$$\begin{aligned} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2, Q} \rangle = 1] - \Pr [\langle {\mathcal {A}},{\textsf {H}}_3 \rangle = 1]| \le \frac{1}{p} \end{aligned}$$

Proof

These two hybrids are identically distributed conditioned on \({\mathbf {c}}^{\top }{\mathbf {a}}^\perp \ne 0\). To see this, consider two ways of sampling \({\mathbf {v}}\): as \({\tilde{{\mathbf {v}}}} \leftarrow {\mathbb {Z}}_p^{2k+1}\) and as \({\tilde{{\mathbf {v}}}} + {\tilde{m}} {\mathbf {a}}^\perp \) for an independent \({\tilde{m}} \leftarrow {\mathbb {Z}}_p\). Note that both result in \({\mathbf {v}}\) having a uniform distribution.

Using \({\tilde{{\mathbf {v}}}}\) to simulate hybrid \({\textsf {H}}_{2,Q}\) obviously results in \({\textsf {H}}_{2,Q}\) (where \({\mathbf {v}}= {\tilde{{\mathbf {v}}}}\)). However, using the identically distributed \({\mathbf {v}}= {\tilde{{\mathbf {v}}}} + {\tilde{m}} {\mathbf {a}}^\perp \) to simulate \({\textsf {H}}_{2,Q}\) results in \({\textsf {H}}_{3}\) (where \({\widetilde{M}} = M \cdot e([{\mathbf {c}}^{\top }]_1, [ {\tilde{m}} {\mathbf {a}}^\perp ]_2)\) is randomly distributed as long as \({\mathbf {c}}^{\top }{\mathbf {a}}^\perp \ne 0\), and for redefined independently random \({\tilde{\delta }}_i := \delta _i + {\tilde{m}}\) in the secret keys).

The vector \({\mathbf {c}}\) is chosen at random and independently of \({\mathbf {a}}^\perp \ne \mathbf {0}\), so \({\mathbf {c}}^{\top }{\mathbf {a}}^\perp = 0\) with probability \(\frac{1}{p}\). Since \({\textsf {H}}_{2, Q} \equiv {\textsf {H}}_{3}\) conditioned on \({\mathbf {c}}^{\top }{\mathbf {a}}^\perp \ne 0\), we have:

$$\begin{aligned} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2, Q} \rangle = 1] - \Pr [\langle {\mathcal {A}},{\textsf {H}}_3 \rangle = 1]| \le \frac{1}{p} \end{aligned}$$

\(\square \)
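The counting behind Lemma 18, enumerated exactly over a toy field. This is an added example, not code from the paper: group elements are represented by their discrete logarithms (an assumption), \({\tilde{{\mathbf {v}}}}\) is omitted because it only adds a fixed shift, and the prime and vectors are constructed.

```python
from collections import Counter
from itertools import product

P = 5      # toy prime (constructed) so that Z_P^DIM can be enumerated
DIM = 3    # 2k+1 with k = 1

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P

def bad_event_fraction(a_perp):
    """Exact Pr over uniform c in Z_P^DIM that c^T a_perp = 0, as (count, total)."""
    hits = sum(dot(c, a_perp) == 0 for c in product(range(P), repeat=DIM))
    return hits, P ** DIM

def view_distribution(c, a_perp, Q=2):
    """Enumerate (delta_1..delta_Q, m) and tabulate the adversary's view when
    v = v~ + m * a_perp: the key offsets delta_i + m, and the exponent
    m * c^T a_perp that blinds the challenge message."""
    t = dot(c, a_perp)
    views = Counter()
    for *deltas, m in product(range(P), repeat=Q + 1):
        key_offsets = tuple((d + m) % P for d in deltas)
        views[(key_offsets, m * t % P)] += 1
    return views
```

When \({\mathbf {c}}^{\top }{\mathbf {a}}^\perp \ne 0\) every (key offsets, blinding exponent) pair occurs exactly once, so the blinding is uniform and independent of the keys; when it is 0 the blinding exponent is always 0, which is the \(\frac{1}{p}\) failure event.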

Theorem 5

(Adaptive unbounded KP-ABE) The unbounded KP-ABE construction in Appendix B.1 is adaptively secure under the \(\text {MDDH}_{k}\) assumption.

Proof

$$\begin{aligned}&|\Pr [\langle {\mathcal {A}},{\textsf {H}}_{0} \rangle = 1] - \Pr [\langle {\mathcal {A}},{\textsf {H}}_3 \rangle = 1]|\\&\quad \le |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{0} \rangle = 1] - \Pr [\langle {\mathcal {A}},{\textsf {H}}_1 \rangle = 1]|\\&\,\qquad +\, \displaystyle \sum _{\ell = 1}^{Q} |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,\ell -1} \rangle = 1] - \Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,\ell } \rangle = 1]| \\&\,\qquad +\, |\Pr [\langle {\mathcal {A}},{\textsf {H}}_{2,Q} \rangle = 1] - \Pr [\langle {\mathcal {A}},{\textsf {H}}_3 \rangle = 1]| \end{aligned}$$

(Since \({\textsf {H}}_1 \equiv {\textsf {H}}_{2,0}\).) Summing the results of Lemmas 16, 17 and 18, we then have:

$$\begin{aligned}&|\Pr [\langle {\mathcal {A}},{\textsf {H}}_{0} \rangle = 1] - \Pr [\langle {\mathcal {A}},{\textsf {H}}_3 \rangle = 1]| \le (5n+1) \cdot {\textsf {Adv}}^{{k\textsc {-Lin}}}_{{{\mathcal {B}}'}}(\lambda ) \\&\quad + Q \cdot 2^{6d} \cdot 8^{d} \cdot n \cdot {\textsf {Adv}}^{{k\textsc {-Lin}}}_{{{\mathcal {B}}^*}}(\lambda ) + \frac{1}{p} \end{aligned}$$

If \(d = O(\log n)\), then \(2^{6d} \cdot 8^{d}\) is polynomial in n, and under the k-Lin assumption this is a negligible function of \(\lambda \). (The number of queries Q and the attribute vector length n are both polynomial in \(\lambda \), and \(\frac{1}{p}\) is a negligible function of \(\lambda \).) It is easy to see that \({\textsf {Adv}}^{\textsc {abe}}_{{\mathcal {A}}}(\lambda ) = 0\) in the \({\textsf {H}}_3\) hybrid game (since a random message is encrypted in the challenge ciphertext). So, any adversary in the real game (\({\textsf {H}}_0\)) will have advantage negligibly close to 0, and our construction satisfies adaptive security. \(\square \)


Kowalczyk, L., Wee, H. Compact Adaptively Secure ABE for \({\textsf {NC}}^{1}\) from k-Lin. J Cryptol 33, 954–1002 (2020). https://doi.org/10.1007/s00145-019-09335-x
