LetGrp-Genbe an algorithm that takes as input security parameter 1λand outputsparams= (p,
G1,G2,GT, e(·,·), g1, g2) where pis aλbit prime, G1,G2,GT are groups of orderp, e:G1×G2 →GT is an efficiently computable
non-degenerate bilinear map andg1, g2are generators of G1,G2 respectively.
(pk,msk)←mBME.Setup(1λ,1`): The setup algorithm first choosesparams= (p,
G1,G2,GT, e(·,·), g1, g2)←
Grp-Gen(1λ). It chooses α ←
Zp, ai ← Zp, bi ← Zp, ci ← Zp for each i ∈ [`]. The public key consists of params, e(g1, g2)α, Qi∈[`]g
ai·bi+ci
1 and {g ai
1 }i∈[`], while the master secret key consists of
params, α,{ai, bi, ci}i∈`.
sk ← mBME.KeyGen(x,msk): Let msk = params, α,{ai, bi, ci}i∈`
. The key generation algorithm first chooses t←Zp andui←Zp for eachi∈[`]. It computesK0=gα2 ·
Q i∈[`]g −t·ci 2 · Q i:xi=0g −ui·ai 2 . Next, it sets K1 =gt2, and for eachi∈ [`], K2,i =g−t·bi ifxi = 1, elseK2,i =g−2t·bi+ui. The key is
K0, K1,{K2,i}i∈[`]
ct←mBME.Enc-SK(m,y,msk): Letmsk= params, α,{ai, bi, ci}i∈`
. The secret key encryption algorithm first choosess←Zp, and for eachi∈[`] such thatyi= 0, it choosesri ←Zp. It setsC=m·e(g1, g2)α·s, C0 = gs1, C1 = Q i:yi=1g s·(ai·bi+ci) 1 ·Q i:yi=0g s·ci+ai·bi·ri 1
. For each i∈ [`], it sets C2,i = ga1i·s if yi= 1, elseC2,i=g1ai·ri ifyi= 0. The ciphertext is
C, C0, C1,{C2,i}i∈[`]
.
ct←mBME.Enc-PK(m,pk): Letpk= (params, e(g1, g2)α,Qi∈`g ai·bi+ci 1 ,{g
ai
1 }i∈[`]). The public key encryp- tion algorithm is identical to the secret key encryption algorithm. It first chooses s ← Zp. It sets C = m·e(g1, g2)α·s, C0 = g1s, C1 = Q i∈`g ai·bi+ci 1 s
. For each i ∈ [`], it sets C2,i = (g1ai) s
. The ciphertext isC, C0, C1,{C2,i}i∈[`]
.
z ←mBME.Dec(ct,sk): Let ct=C, C0, C1,{C2,i}i∈[`]
and sk =K0, K1,{K2,i}i∈[`] . The decryption algorithm outputs C e(C0, K0)·e(C1, K1)·Qi∈[`]e(C2,i, K2,i) .
6.1
Correctness
Fix any security parameterλ, messagem, vectors x,ysuch that f(x,y) = 1 and public key pk= (params, e(g1, g2)α,Qi∈[`]g
ai·bi+ci 1 ,{g
ai
1 }i∈[`]). Let (s,{ri}i:yi=0) be the randomness used during encryption, (t,{ui}i:xi=0) the randomness used during key generation, ciphertextct= (C, C0, C1,{C2,i}i∈[`]) and keysk= (K0, K1,{K2,i}i∈[`]). To show that decryption works correctly, it suffices to show thate(C0, K0)·e(C1, K1)·
Q i∈[`]e(C2,i, K2,i) = e(g1, g2)α·s. e(C0, K0)·e(C1, K1)· Y i∈[`] e(C2,i, K2,i) =e(g1, g2) α·s−(P is·t·ci)−(Pi:xi=0s·ui·ai)·e(g 1, g2) (P is·t·ci)+(Pi:yi=1s·t·ai·bi)+(Pi:yi=0t·ai·bi·ri) ·e(g1, g2)− (P i:yi=1t·s·ai·bi)−(Pi:yi=0t·ai·bi·ri)+(Pi:xi=0ai·s·ui)
In the second step, we use the fact that sincef(x,y) = 1, wheneverxi= 0,yi= 1 (if this was not the case, then we would have, for alli such thatxi =yi = 0, e(g1, g2)ui·ai·ri terms in the product). Simplifying the expression, we get the desired producte(g1, g2)α·s.
6.2
Security
Theorem 6.1. Assuming Assumption 1and Assumption2, the mixedmBMEscheme described above sat- isfies key hiding (Definition4.3), ciphertext hiding (Definition4.2), and pk-sk ciphertext indistinguishability (Definition4.1) security properties.
To prove security, we need to show that the scheme satisfies Definition 4.1, Definition 4.2 and Defini- tion4.3. First, it is easy to check that the scheme satisfies Definition 4.1. This is because the distribution of an encryption ofmusing public keypkis identical to the distribution of an encryption ofmfor attribute 1`, computed using master secret key.
6.2.1 Ciphertext Hiding Security
Lemma 6.1. Assuming Assumption1and Assumption2, the mixedmBMEscheme described above satisfies the ciphertext hiding security property (defined in Definition4.2).
As shown in Section 4.2, it suffices to show that the scheme satisfies Definition 4.4 and Definition 4.5. We will prove each of these properties separately.
Claim 6.1. Assuming Assumption1, the mixed mBMEscheme described above satisfies Definition4.4.
Proof. Suppose, on the contrary, there exists a PPT adversaryAthat breaks the simplified ciphertext hiding
property of our scheme with non-negligible advantage(·). We will build a PPT reduction algorithmBthat breaks Assumption1with advantage(·).
The reduction algorithm first receives the challenge (G1,G2,GT, g1, g2, gx1, g y 1, g
yz 1 , g
y
2, g2z, T) from the chal- lenger, whereT =gx1·y·zor g1x·y·z+r. Next, it receives the challenge vectorsy,y0 from the adversaryA. Let j be the (unique) index such that yj 6=y0j, onesthe set of indices such thatyi =yi0 = 1, and zeroesthe set such thatyi =y0i= 0.
The reduction algorithm must first generate the public key. Next it receives either ciphertext queries or key queries and a message m from the adversary. Then it generates the challenge ciphertext. Finally, it receives more ciphertext and key queries and the adversary’s guess, which it uses to break Assumption2.
Public key The reduction algorithm implicitly setsaj =y·z and choosesbj, cj←Zpalong withα←Zp. Next, for eachi∈ones, it choosesai, bi, ci←Zp. For eachi∈zeroes, it choosesa0i, bi, ci←Zp and implicitly setsai=y+a0i. It computes the public key components as follows.
pk1,i,pk2,i= g1y·zbi ·gci 1, g y·z 1 ifi=j, gai·bi+ci 1 , g ai 1 ifi∈ones, (g1y)bi ·ga 0 i·bi+ci 1 , g y 1·g a0i 1 ifi∈zeroes.
All the above terms can be computed using only g1, g1y and g1y·z. The public key is set to be pk = e(g1, g2)α,Qi∈[`]pk1,i,
pk2,i i
∈[`].
Next, the adversary is allowed to query for polynomially many key/ciphertext queries, with the restriction that for every secret key queryx,f(x,y) =f(x,y0), which are handled as follows.
Pre-challenge ciphertext queries For the ciphertext query (m,w), the reduction algorithm chooses q←Zpandvi←Zp for eachi∈[`]. It then setsC=m·e(g1, g2)α·q, C0=g
q
1. Next, for the termC1, note that the reduction algorithm can computegai·bi
1 andg ci
1 for alli∈[`] usingg1, g1y, g y·z
1 . As a result, for each i∈[`], the reduction algorithm can compute both gs·(ai·bi+ci)
1 and g
s·ci+ai·bi·vi
1 , and hence, it can compute
C1. Finally, it can compute C2,i since it can computeg1ai for all i∈[`] (usingg1, g1y andg y·z
1 ). Therefore, the ciphertext queries can be simulated perfectly.
Pre-challenge secret key queries Let x be the vector queried by the adversary. Here, we have two cases, depending on whether xj = 0 or xj = 1. In the first case, if xj = 1, then the reduc- tion algorithm chooses t ← Zp, and for all i such that xi = 0, it chooses ui ← Zp. It sets K1 = g2t, K0= Q i∈[`]g −t·ci 2 ·Q
i:xi=0,i∈onesg
−ui·ai 2
·Q
i:xi=0,i∈zeroes(g y 2) −ui ·g−ui·a0i 2
. Finally, for eachi∈[`], both g−t·bi
2 andg
−t·bi+ui
2 can be generated using g2. Therefore, in this case, the key query can be handled usingg2, gy2.
In the second case, since xj = 0, there exists an index j∗ ∈[`] such thatyj∗ =yj0∗ =xj∗ = 0. In this
case, the reduction algorithm choosest←Zp, and choosesui ←Zp for alli such thati6=j∗ andxi = 0. It choosesu0
j∗ and setsuj∗=−z·uj+u0j∗. As in the first case, the reduction algorithm can computeK1=g2t. It can also computeg−t·ci
2 for alli∈[`], and for allisuch thatxi= 0 andi /∈ {j∗, j}, it can computeg−2ui·ai usingg2andg2y. Therefore, to computeK0, it suffices to computeg
−uj·aj−uj∗·aj∗
2 . Plugging in the values of
uj∗, aj∗, uj andaj, it follows thatg
−uj·aj−uj∗·aj∗ 2 = (g z 2) a0j∗·uj·(gy 2) −u0j∗ ·g−u 0 j∗·a0j∗
2 , which can be computed
usingg2, g y 2, g
z
reduction algorithm can compute g−t·bi 2 and g
ui
2 using g2 and g2z. Therefore, the entire secret key can be computed usingg2, g
y 2, g
z 2.
After all pre-challenge key/ciphertext queries, the adversary sends a messagem, which the reduction uses to compute the challenge ciphertext.
Challenge ciphertext The reduction algorithm computes the challenge ciphertextct∗, which corresponds
to an encryption of messagemfor attributeyory0. It implicitly setss=x. For eachi6=j, it choosesri← Zp, and it implicitly setsrj=r/(y·z) +x. It setsC∗=m·e(g1x, g2)α,C0∗=g1x,C1∗=
Q i∈ones(g x 1) ai·bi+ci· Q i∈zeroes(g x 1) ci·(gy 1) bi·ri·(g 1) a0i·bi·ri· Tbj ·(gx 1) cj
. Next, it sets the C2,i∗ components as follows.
C2,i∗ = (gx 1) ai ifi∈ones, (gy1)ri·ga0i·ri 1 ifi∈zeroes, T ifi=j It sendsct∗=C∗, C0∗, C1∗, C2,i∗ i∈[`] toA.
Next, the adversary is allowed to query for polynomially many more key/ciphertext queries, which are computed the same way as the pre-challenge queries. After all post-challenge key/ciphertext queries, the adversary sends its guessb0, and the reduction algorithm forwards this guess to the challenger.
Analysis : Depending on whether T = g2x·y·z or T = g2x·y·z+r, the reduction algorithm either outputs an encryption of m for y or y0. Also, note that the ciphertext and key queries are distributed as in the security game. In particular, all the exponents{ai, bi, ci}, the randomness chosen for key/ciphertext queries are uniformly random elements in Zp. Therefore, ifAwins with advantage , then Bbreaks Assumption 1
with advantage.
Claim 6.2. Assuming Assumption2, the mixed mBMEscheme described above satisfies Definition4.5.
Proof. Suppose, on the contrary, there exists a PPT adversary Athat breaks the message-only ciphertext
hiding property of our scheme with non-negligible advantage(·). We will build a PPT reduction algorithm
Bthat breaks Assumption1 with advantage (2·).
The reduction algorithm first receives the challenge (G1,G2,GT, g1, g2, g1x, g y 1, g
y
2, gz2, T) from the chal- lenger, whereT =gx1·y·zorg1x·y·z+r. Next, it receives the challenge vectoryfrom the adversaryA. Letones
the set of indices such thatyi= 1 andzeroesthe set such that yi= 0.
The reduction algorithm must first generate the public key. Next it receives either ciphertext queries or key queries and then challenge message m0, m1 from the adversary. Then it generates the challenge ciphertext. Finally, it receives more ciphertext and key queries and the adversary’s guess, which it uses to break Assumption2.
Public key For each i ∈ [`], the reduction algorithm picks bi, ci ← Zp. Next, for each i ∈ ones, the reduction algorithm chooses ai ← Zp, and for each i ∈ zeroes, it choodes a0i ← Zp and implicitly sets ai=y+a0i. It also implicitly setsα=yz. It computes the public key components as follows.
pk1,i,pk2,i = gai·bi+ci 1 , g ai 1 ifi∈ones, (g1y)bi·ga0i·bi+ci 1 , g y 1·g a0i 1 ifi∈zeroes.
All the above terms can be computed using onlyg1 andg y 1. The public key is set to bepk=e(gy1, gz
1), Q i∈[`]pk1,i, pk2,i i∈[`].
Next, the adversary is allowed to query for polynomially many key/ciphertext queries, with the restriction that for every secret key queryx,f(x,y) = 0, which are handled as follows.
Pre-challenge ciphertext queries For the ciphertext query (m,w), the reduction algorithm chooses q←Zp and vi ←Zp for eachi∈[`]. It then setsC=m·e(g
y 1, g
z
2)q, C0 =g q
1. Next, for the termC1, note that the reduction algorithm can computegai·bi
1 andg ci
1 for alli∈[`] usingg1 andg y
1. As a result, for each i∈[`], the reduction algorithm can compute bothgq·(ai·bi+ci)
1 and g
q·ci+ai·bi·vi
1 , and hence, it can compute
C1. Finally, it can compute C2,i since it can computega1i for all i∈ [`] (using g1 and g y
1). Therefore, the ciphertext queries can be simulated perfectly.
Pre-challenge secret key queries Letx be the vector queried by the adversary. By the definition of the security game, f(x,y) = 0 so there exists an index j∗ ∈ [`] such that yj∗ = xj∗ = 0. The reduction
algorithm choosest←Zp, and choosesui←Zpfor allisuch thati6=j∗andxi= 0. It choosesu0j∗and sets
uj∗=z+u0j∗. As in the first case, the reduction algorithm can computeK1=g2t. It can also computeg
−t·ci 2 for alli∈[`], and for allisuch that xi = 0 andi6=j∗, it can compute g−2ui·ai usingg2and gy2. Therefore, to computeK0, it suffices to computegα−uj∗·aj∗
2 . Plugging in the values ofα, uj∗ and aj∗, it follows that
gα−uj∗·aj∗ 2 = (g z 2) −a0 j∗·(gy 2) −u0j∗ ·g−u 0 j∗·a0j∗
2 , which can be computed usingg2, g2y, g z
2. Finally, the reduction algorithm needs to computeK2,ifor each i∈[`]. For all i∈[`], the reduction algorithm can computeg2−t·bi andgui
2 usingg2 andg2z. Therefore, the entire secret key can be computed usingg2, g2y, g z 2.
After all pre-challenge key/ciphertext queries, the adversary sends the challenge messagesm0, m1, which the reduction uses to compute the challenge ciphertext.
Challenge ciphertext The reduction algorithm picks a random b← {0,1} and computes the challenge ciphertext ct∗, which corresponds to an encryption of message mb for attribute y or an encryption of a random element. The reduction algorithm implicitly setss=x. For eachi∈zeroes, it choosesri←Zp. It setsC∗=mb·e(T, g2),C0∗=gx1,C1∗= Q i∈ones(g x 1) ai·bi+ci·Q i∈zeroes(g x 1) ci·(gy 1) bi·ri·(g 1) a0i·bi·ri. Next, it sets theC2,i∗ components as follows.
C2,i∗ = ( (gx 1) ai ifi∈ones, (gy1)ri ·ga0i·ri 1 ifi∈zeroes It sendsct∗=C∗, C0∗, C1∗, C2,i∗ i ∈[`] toA.
Next, the adversary is allowed to query for polynomially many more key/ciphertext queries, which are computed the same way as the pre-challenge queries. After all post-challenge key/ciphertext queries, the adversary sends its guessb0. Ifb0=b, the reduction algorithm guesses 1, otherwise guesses 0.
Analysis : Depending on whether T = gx2·y·z or T =g2x·y·z+r, the reduction algorithm either plays the honest security game with an encryption ofmb under vectoryor sends an encryption of a random message. Also, note that the ciphertext and key queries are distributed as in the security game. In particular, all the exponents {ai, bi, ci}, the randomness chosen for key/ciphertext queries are uniformly random elements in Zp. Therefore, ifAwins with advantage, thenBbreaks Assumption1 with advantage 2.
6.2.2 Key-Hiding Security
Lemma 6.2. Assuming Assumption 2, the mixed mBME scheme described above satisfies the key hiding security property (defined in Definition4.3).
In order to prove this lemma, it suffices to show that the scheme satisfies Definition 4.6 (using Theo- rem4.2).
Proof. Suppose, on the contrary, there exists a PPT adversary A that breaks the simplified key hiding property of our scheme with non-negligible advantage(·). We will build a PPT reduction algorithmBthat breaks Assumption2with advantage(·).
The reduction algorithm first receives the challenge (G1,G2,GT, g1, g2, g y
1, gz1, gx2, g y
2, T) from the chal- lenger, whereT =gx2·y·z org2x·y·z+r. Next, it receives the challenge vectorsx,x0 from the adversaryA. Let j be the (unique) index such that xj 6=x0j,onesthe set of indices such thatxi=x0i= 1, andzeroesthe set such thatxi=x0i= 0.
Public key The reduction algorithm implicitly setsbj =y·z,cj=−aj·y·z+c0j. For alli∈ones, it chooses ai, bi, ci←Zp. For alli∈zeroes, it choosesai, b0i, c0iand impicitly setsbi=aj·y+b0iandci=−aj·ai·y+c0i.