Semi-Adaptive Attribute-Based Encryption and Improved Delegation for Boolean Formula

Semi-Adaptive Attribute-Based Encryption

and Improved Delegation for Boolean Formula

Jie Chen1,⋆⋆and Hoeteck Wee2,⋆ ⋆ ⋆

1 _{Department of Computer Science and Technology, East China Normal University} 2 _´

Ecole Normale Sup´erieure, Paris

Abstract. We considersemi-adaptivesecurity for attribute-based encryption, where the adversary specifies the challenge attribute vector after it sees the public parameters but before it makes any secret key queries. We present two constructions of semi-adaptive attribute-based encryption under static assumptions withshortciphertexts. Previous constructions with short ciphertexts either achieve the weaker notion of selective security, or require parameterized assumptions.

As an application, we obtain improved delegation schemes for Boolean formula withsemi-adaptivesoundness, where correctness of the computation is guaranteed even if the client’s input is chosen adaptively depending on its public key. Previous delegation schemes for formula achieve one of adaptive soundness, constant communication complexity, or security under static assumptions; we show how to achieve semi-adaptive soundness and the last two simultaneously.

⋆_{The research leading to these results has received funding from the European Research Council under the European Community’s} Seventh Framework Programme (FP7/2007-2013 Grant Agreement no. 339563 CryptoCloud).

⋆⋆

Email:[email protected]. Supported by Science and Technology Commission of Shanghai Municipality under Grants 14YF1404200, 13JC1403500, and the National Natural Science Foundation of China Grant No. 61172085. Part of this work was done at Nanyang Technological University, supported by the National Research Foundation of Singapore under Research Grant NRF-CRP2-2007-03.

⋆ ⋆ ⋆

1 Introduction

Attribute-based encryption (ABE) [33, 19] is an emerging paradigm for public-key encryption which enables fine-grained control of access to encrypted data. In traditional public-key encryption, access to the encrypted data is all or nothing: given the secret key, one can decrypt and read the entire plaintext, but without it, nothing about the plaintext is revealed (other than its length). In ABE, a ciphertext is labeled with an attribute vectorx, and a secret key is associated with an access policy specified as a Boolean formula, and the secret key decrypts the ciphertext if and only if x satisfies the access policy.1 It is easy to see that ABE is a generalization of identity-based encryption (IBE) [34, 5, 13]. The security requirement for ABE stipulates that it resists collusion attacks, namely any group of users collectively learns nothing about the plaintext if none of them is individually authorized to decrypt the ciphertext.

Delegation. A delegation scheme allows a computationally weak client to delegate expensive computations to the cloud, with the assurance that a malicious cloud cannot convince the client to accept an incorrect computation [18, 16, 4, 14]. Recent work of Parno, Raykova and Vaikuntanathan [32] showed that any ABE with encryption time at most linear in the length of the attribute vector immediately yields a delegation scheme for Boolean formula. There is an initial pre-processing phase which fixes the formulaf the client wishes to compute and produces some public key. Afterwards, to delegate computation on an input x, the client only needs to send a single message. Moreover, the ensuing delegation scheme satisfies public delegatability, namely anyone can delegate computations to the cloud; as well as public verifiability, namely anyone can check the cloud’s work (given a “verification” key published by the client).

State of the art. Since the introduction of ABE and motivated in part by the connection to delegation, there is now a large body of work providing constructions with incomparable trade-offs amongst efficiency, security guarantees and security assumptions [19, 2, 27, 31, 26]; a summary of this work is presented in Fig 1. A key measure of efficiency is the ciphertext size and the encryption time; ideally, we want this to depend at most linearly in the length of the attribute vector and independent of the size of the access structure. For security guarantees, the two primary notions are selective and adaptive security; in the more restrictive setting of selective security, the adversary must specify the challenge attribute vector prior to seeing the public parameters. Finally, the security of the schemes rely on the assumed hardness of some computational problem in bilinear groups; here, we prefer prime-order instantiations over composite-order ones, and static assumptions over parameterized ones.

1.1 Our Contributions

We introduce the notion ofsemi-adaptive security for ABE and delegation. In ABE, this means that the adversary specifies the challenge attribute vector after it sees the public parameters but before it makes any secret key queries. This is stronger than selective security but weaker than adaptive security. In delegation, this means that the client’s input may depend on the public key but is independent of the worker’s evaluation key. In addition, we provide new constructions of efficient semi-adaptively secure ABE and delegation schemes under static assumptions.

New ABE Schemes. Our first result is a semi-adaptively secure ABE whose efficiency matches the state-of-the-art selectively secure ABE [2]:

1

reference security Enc time CT size MPK size SK size group assumption GPSW06 [19] selective O(n)∗ O(n)∗ O(n) O(ℓ) prime static ALP11 [2] selective O(n) O(1) O(n) O(nℓ) prime parameterized inn ALP11 + LW10 selective O(n) O(1) O(n) O(nℓ) composite static T14 [35] selective O(n) O(1) O(n) O(nℓ) prime static LOSTW10 [27] adaptive O(nM)∗ O(nM)∗ O(nM) O(ℓ) composite static OT10 [31] adaptive O(nM)∗ O(nM)∗ O(nM) O(ℓ) prime static LW12 [26] adaptive O(n)∗ O(n)∗ O(n) O(ℓ) prime parameterized inℓ A14 [1] adaptive O(n) O(1) O(n) O(nℓ) composite parameterized inℓ Construction 1 semi-adaptive O(n) O(1) O(n) O(nℓ) composite static Construction 2 semi-adaptive O(n)∗ O(n)∗ O(n) O(ℓ) prime static

Fig. 1.Summary of existing KP-ABE schemes. Here,ndenotes the universe size,Mis the maximum number of times an attribute may be used, andℓ≤nMis the number of rows in the matrixMof the access structure. Encryption time is given in terms of group operations, and CT, PP, SK sizes are given in terms of group elements. For CT, we omit the additive overhead ofnbitsin order to transmit the attribute vector. For the quantities marked with∗,nmay be replaced with number of non-zero entries in the attribute vectorx ∈ {0,1}n, which could be much smaller thann. Note that ALP11, T14 and A14 achieve large universe, we restrict the attribute universe to[n]for comparison.

(Informal Theorem) There exists a semi-adaptively secure ABE with constant-size ciphertexts. Encryption time is linear in the length of the attribute vector and independent of the size of the access structure. The security of the scheme is based on static assumptions in composite-order groups.

We also achieve an analogous result in prime-order groups based on the SXDH Assumption; however, the ciphertext size is linear in the length of the attribute vector. Throughout this work, when we refer to ciphertext size, we measure the number of group elements, and we omit the additive overhead of nbits

needed to transmit the attribute vector.

New Delegation Schemes. Starting from our semi-adaptively secure ABE, we obtain improved delegation

schemes for Boolean formula with semi-adaptive soundness, where correctness of the computation is guaranteed even if the client’s input is chosen adaptively depending on its public key. We note that achieving semi-adaptive soundness is important in practice, since we would like to reuse the same public key across multiple inputs, which could lead to correlation between the input and the public key. Previous delegation schemes for formula achieve one of adaptive soundness [26, 17], constant communication complexity2 [2], or security under static assumptions [19]; we achieve semi-adaptive soundness and the last two simultaneously. We compare our schemes with prior works in Fig 2. We stress that in applications such as delegating computation from mobile devices on cellular networks where bandwidth is a premium, reducing the client’s communication fromO(nλ)bits ton+O(λ)bits represents substantial savings.

1.2 Our Techniques

Following our recent works [38, 9] and inspired in part by [26], we rely on Waters’ dual system encryption methodology [36, 25] to reduce the problem of building a (public-key) semi-adaptively secure ABE to that of building a private-key selectively secure ABE. Recall that dual system encryption is typically implemented by designing a “semi-functional space” where semi-functional components of keys and ciphertexts will behave like a parallel copy of the normal components of the system, except divorced from the public parameters. In particular, we will embed the private-key selectively secure ABE into the semi-functional space.

We proceed to outline the constructions of private-key ABE with short ciphertexts:

2

reference security |EKF| client’s

communi-cation in bits

worker’s complexity

groups assumptions

GPSW06 [19] selective O(ℓ) O(nλ) O(ℓ) prime static ALP11 [2] selective O(nℓ) n+O(λ) O(nℓ) prime parameterized inn T14 [35] selective O(nℓ) n+O(λ) O(nℓ) prime static GGPR13 [17] adaptive O(ℓ) n+O(λ) O(ℓ) prime parameterized inℓ LW12 [26] adaptive O(ℓ) O(nλ) O(ℓ) prime parameterized inℓ A14 [1] adaptive O(nℓ) n+O(λ) O(nℓ) composite parameterized inℓ Construction 1 semi-adaptive O(nℓ) n+O(λ) O(nℓ) composite static Construction 2 semi-adaptive O(ℓ) O(nλ) O(ℓ) prime static

Fig. 2.Summary of existing publicly verifiable computation schemes. GGPR13 supports NC. The remaining schemes only support NC1and are obtained using the transformation of [32]. Here,|EKF|is the worker’s evaluation key,nis the bit length of the input

andℓis the size of the formula. In all the schemes, the public key isO(n)group elements, delegation and verification complexity of client isO(n)group operations, computation complexity of worker is also given in terms of group operations.

– For our composite-order scheme with constant-size ciphertext, we use a private-key variant of the selectively secure ABE scheme of Attrapadung, Libert and Panafieu (ALP) in [2]. Our main insight is that in the private-key setting with a single challenge ciphertext, we can replace the use of parameterized assumptions in the ALP scheme with the basic DDH assumption. Roughly speaking, fix an attribute

i that does not appear in the challenge attribute. We can then rely on the DDH assumption to mask all the LSSS shares of the master secret key corresponding to attribute i(c.f. Section 3 overview and Lemma 2).3The formal security proof is more involved since we need to instantiate this argument within the dual system framework.

– For our prime-order scheme withO(n)-size ciphertext, the private-key selectively secure ABE we use is essentially that of Goyal et al. [19], which is in fact a public-key scheme and yields ciphertexts of lengthO(n). To combine this scheme with the dual system framework, we rely on dual pairing vector spaces [29, 30, 15, 23, 11]. Here, we will also use the SXDH assumption to booststatisticalentropy in the semi-functional key space into arbitrarily large amounts ofcomputationalentropy in the same space (c.f. Lemma 6) as we will need to mask an arbitrarily large number of shares corresponding to a single attribute.

For both schemes, we are able to exploit random self-reducibility to obtain security loss that do not depend on the number of secret key queries or the size of the boolean formula (but may depend on the input sizen). In contrast, all known adaptively secure ABE schemes incur a loss that is at least linear in both the number of secret key queries and the size of the boolean formula (sometimes implicitly, by either making a “one-use” restriction or using a parameterized assumption).

Additional related work. In an independent work, Takashima [35] proposed a selectively secure KP-ABE scheme with constant-size ciphertexts under the DLIN assumption, which results in a delegation scheme with constant communication complexity and security under static assumptions but only achieving selective soundness. Upon learning of our work, Takashima showed that his scheme also achieves semi-adaptive security, thereby resolving a natural open problem from this work. Gennaro, Gentry, Parno and Raykova [17] constructed a delegation scheme achieving adaptive soundness and supporting NC but its security relies on parameterized assumptions.

3_{In an earlier submission, an anonymous reviewer asked if it is possible to obtain the composite-order scheme by combining}

Organization. We present our composite-order and prime-order constructions in Section 3 and Section A respectively, and the delegation schemes and associated definitions in Section B.

2 Preliminaries

Notation. We denote bys ←R S the fact that sis picked uniformly at random from a finite set S and

by x, y, z ←R S that allx, y, z are picked independently and uniformly at random from S. By PPT, we

denote a probabilistic polynomial-time algorithm. Throughout, we use1λ as the security parameter. We use

·to denote multiplication (or group operation) as well as component-wise multiplication. We use lower case boldface to denote (column) vectors over scalars and upper case boldface to denote vectors of group elements as well as matrices. Given two vectorsx = (x1, x2, . . .),y = (y1, y2, . . .)over scalars, we use ⟨x,y⟩to denote the standard dot product x⊤y. Given a group elementg, we writegx to denote(gx1_{, g}x2_{, . . .); we}

definegAwhereAis a matrix in an analogous way.

2.1 Access Structures

We define (monotone) access structures using the language of (monotone) span programs [21].

Definition 1 (access structure [3, 21]).A(monotone) access structureAfor attribute universe[n]is a pair

(M, ρ)whereMis aℓ×ℓ′ matrix overZN andρ : [ℓ]→[n]. Givenx = (x1, . . . , xn)∈ {0,1}n, we say

that

xsatisfiesAiff1∈span⟨Mx⟩,

Here,1 := (1,0, . . . ,0) ∈ Zℓ_N′ is a row vector;Mx denotes the collection of vectors{Mj : xρ(j) = 1}

whereMj denotes thej’th row ofM; andspanrefers to linear span of collection of (row) vectors overZN.

That is,xsatisfiesAiff there exists constantsω1, . . . , ωℓ∈ZN such that

∑

j:xρ(j)=1

ωjMj =1.

Observe that the constants {ωj} can be computed in time polynomial in the size of the matrix M via Gaussian elimination.

2.2 Key-Policy Attribute-Based Encryption

A KP-ABE scheme consists of four algorithms(Setup,Enc,KeyGen,Dec):

Setup(1λ,[n]) → (MPK,MSK). The setup algorithm takes in a security parameter 1λ, and an attribute universe[n]. It outputs public parametersMPKand a master secret keyMSK.

Enc(MPK,x, m)→CTx. The encryption algorithm takes in the public parametersMPK, an attribute vector x, and a messagem. It outputs a ciphertextCTx.

KeyGen(MPK,MSK,A) → SK_A. The key generation algorithm takes in the public parameters MPK, the master secret keyMSK, and an access structureA:= (M, ρ). It outputs a secret keySK_A.

Dec(MPK,SK_A,CTx) → m. The decryption algorithm takes in the public parameters MPK, a secret key

SK_Afor an access structureA, and a ciphertext CTxencrypted under an attribute vectorx. It outputs a

Correctness. For all(MPK,MSK) ← Setup(1λ,[n]), all access structuresA, all decryption keysSK_A, all messagesm, allxsatisfyingA, we havePr[Dec(MPK,SK_A,Enc(MPK,x, m)) =m] = 1.

2.3 Semi-Adaptive Security Model

We now formalize the notation ofsemi-adaptivesecurity for KP-ABE. Briefly, the adversary specifies the challenge attribute vector after it sees the public parameters and before it makes any secret key queries. The security game is defined by the following experiment, played by a challenger and an adversaryA.

Setup. The challenger runs the setup algorithm to generate(MPK,MSK). It givesMPKtoA. Challenge Attribute. Agives the challenger a challengex∗.

Phase 1. A adaptively requests keys for access structures A with the constraint x∗ does not satisfy A. The challenger responds with the corresponding secret keySK_A, which it generates by running the key generation algorithm.

Challenge Ciphertext. A submits two equal-length messages m0 and m1. The challenger picks β ←R {0,1}, and encryptsmβ underx∗by running the encryption algorithm. It sends the ciphertext toA. Phase 2. Acontinues to issue key queries as inPhase 1.

Guess. Amust output a guessβ′forβ. The advantageAdvKP-ABE

A (λ)of an adversaryAis defined to bePr[β′ =β]−1/2.

Definition 2. A KP-ABE scheme is semi-adaptively secure if all PPT adversaries achieve at most a negligible advantage in the above security game.

2.4 Composite Order Bilinear Groups

Composite order bilinear groups were first introduced in [7] and used in [22, 25, 27]. A generatorG takes as input a security parameter 1λ and outputs a description G := (N, GN, GT, e), whereN is product of distinct primes ofΘ(λ)bits,GN andGT are cyclic groups of orderN, ande:GN ×GN → GT is a map with the following properties:

1. (Bilinearity)∀g, h∈GN, a, b∈ZN, e(ga, hb) =e(g, h)ab. 2. (Non-degeneracy)∃g∈GN such thate(g, g)has orderN inGT.

We require that the group operations in GN and GT as well the bilinear map e are computable in deterministic polynomial time with respect toλ. Furthermore, the group descriptions ofGN andGT include generators of the respective cyclic groups. We useGnto denote the subgroup ofGN of ordern, wheren dividesN.

Computational Assumptions. We now state the three static assumptions that are required in our security proof. The first two assumptions are introduced in [25] and also used in [27]. The third assumption which basically asserts that the DDH problem is hard in theGp2-subgroup. This assumption is essentially implied

Assumption 1 Given a group generatorG, we define the following distribution:

G:= (N =p1p2p3, GN, GT, e)←R G, g1, U1 ←R Gp1, U2←R Gp2, g3 ←R Gp3, T0 ←R Gp1, T1 ←R Gp1p2,

D:= (G;g1, U1U2, g3).

We assume that for any PPT algorithmA,

AdvAS1_A (λ) :=Pr[A(D, T0) = 1]−Pr[A(D, T1) = 1]

is negligible in the security parameterλ.

Assumption 2 Given a group generatorG, we define the following distribution:

G:= (N =p1p2p3, GN, GT, e)←R G, α, s←R ZN,

g1 ←R Gp1, g2, X2, Y2 ←R Gp2, g3←R Gp3, T0 :=e(g1, g1)αs, T1 ←R GT,

D:= (G;g1, g1αX2, g1sY2, g2, g3).

We assume that for any PPT algorithmA,

AdvAS2_A (λ) :=Pr[A(D, T0) = 1]−Pr[A(D, T1) = 1]

is negligible in the security parameterλ.

Assumption 3 Given a group generatorG, we define the following distribution:

G:= (N =p1p2p3, GN, GT, e)←R G, x, y, z ←R ZN,

g1, U1 ←R Gp1, g2, U2 ←R Gp2, g3, X3, Y3, U3, W3←R Gp3, T0:=g2xyW3, T1 :=gxy+z2 W3,

D:= (G;g1, U1U2, gx2X3, gy2Y3, g2U3, g3).

We assume that for any PPT algorithmA,

AdvAS3_A (λ) :=Pr[A(D, T0) = 1]−Pr[A(D, T1) = 1]

is negligible in the security parameterλ.

3 Semi-Adaptive ABE with Constant-Size Ciphertext

Overview. The starting point of our construction is the following variant of the ALP KP-ABE in [2]: MPK:= (g, gw, e(g, g)α)

CT_x:= (gs, gs⟨w,x⟩, e(g, g)αs·m)

SK_A:= (gαjeρ(j)+rjw_{, g}rj _{: j}∈_[ℓ])

and an access structure Anot satisfied by x∗. We proceed via a case analysis to argue that SK_A hidesα

computationally:

– ifx∗_k = 1, then the shares{αj :ρ(j) =k}reveal no information aboutαvia the secret sharing property. – if x∗_k = 0, then the ciphertext reveals no information aboutwk (and since we are in the private-key setting, there is noMPK). Then, by the DDH assumption,{gαj+rjwk, grj :ρ(j) = k}computationally hidesαj.

The formal security proof is more involved since we need to instantiate this argument within the dual system framework.

3.1 Construction

– Setup(1λ,[n]): On input an attribute universe[n], generateG:= (N =p1p2p3, GN, GT, e)←R G, pick α←R ZN,w←R Zn_N and output

MPK:= (G, e(g1, g1)α, g1, g1w) and MSK:= (α,w, g2, g3 ).

– Enc(MPK,x, m): On input an attribute vectorx:= (x1, . . . , xn)∈ {0,1}nandm∈GT, output CTx:=

(

C0:=gs1, C1:=g1s⟨w,x⟩, C2:=e(g1, g1)αs·m

)

∈GN×GN×GT,

wheres←R ZN.

– KeyGen(MPK,MSK,A:= (M, ρ)): On input an access structureA := (M, ρ), whereM ∈ Zℓ_N×ℓ′ and

ρ: [ℓ]→[n], pick a random vectoru←R Zℓ ′

N such that1u=αand setαj :=Mju,j∈[ℓ].4Output SK_A:=

(

Dj :=g

αjeρ(j)+rjw

1 ·g

r′_jw

2 ·Xj, D0,j:=g rj 1 ·g

r′_j

2 ·Zj : j∈[ℓ]

)

∈(Gn_N ×GN)ℓ,

wherer1, r′1, . . . , rℓ, rℓ′ ←R ZN;Xj ←R Gnp3;Zj ←R Gp3, and(e1, . . . ,en)is the standard basis for Zn

N.

– Dec(MPK,SK_A,CTx): IfxsatisfiesA, computeω1, . . . , ωℓ ∈ZN such that

∑

j:xρ(j)=1

ωjMj =1.

Then, compute5

e(g1, g1)αs←

∏

j:xρ(j)=1 (

e(C₀x,Dj)·e(C1, D0,j)−1

)ωj

,

and recover the message asm←C2/e(g1, g1)αs ∈GT.

Correctness. Observe that

e(C₀x,Dj)·e(C1, D0,j)−1 =e((gs1)x, g

αjeρ(j)+rjw

1 ·g

r′_jw

2 ·Xj)·e(g1s⟨w,x⟩, g rj 1 ·g

r′_j

2 ·Zj)−1

=e(g1, g1)αjs⟨eρ(j),x⟩·e(g1, g1)rjs⟨w,x⟩·e(g1, g1)−rjs⟨w,x⟩

=e(g1, g1)αjs.

4

Theαj’s do in fact correspond to LSSS secret shares ofα, distributed acrossnparties, where thei’th party receive|ρ−1_(i)|

shares, given by{αj:ρ(j) =i}.

5

In addition, we have

∑

j:xρ(j)=1

ωjαj =

∑

j:xρ(j)=1

ωjMju=1u=α.

This means

∏

j:xρ(j)=1 (

e(C₀x,Dj)·e(C1, D0,j)−1

)ωj

= ∏

j:xρ(j)=1

e(g1, g1)ωjαjs=e(g1, g1)αs.

Correctness follows readily.

3.2 Proof of Security

We prove the following theorem:

Theorem 1. Under Assumptions 1, 2 and 3 (described in Section 2.4), our KP-ABE scheme defined in Section 3.1 is semi-adaptively secure (in the sense of Definition 2). More precisely, for any adversaryAthat makes at mostq key queries against the KP-ABE scheme, there exist probabilistic algorithms B1,B2,B3

such that

AdvKP-ABE

A (λ)≤AdvAS1B1 (λ) +n·Adv

AS3

B2 (λ) +Adv

AS2

B3 (λ) + 1/p1+ (n+ 1)/p2,

and

max{Time(B1),Time(B2),Time(B3)} ≈Time(A) +q·poly(λ, n),

wherenis the size of universe attribute set andpoly(λ, n)is independent ofTime(A).

Overview. The proof follows via a series of games. To describe the games, we must first define semi-functional keys and ciphertexts. Fix random generators g1, g2, g3, and let x∗ denote the semi-adaptive challenge. We stress that unlike standard dual system encryption, we allow the semi-functional secret keys to depend on the semi-adaptive challengex∗ (this is okay because in the semi-adaptive security game,x∗

is fixed before the adversary sees any secret keys). In the final transition (c.f. Lemma 3), we need to be able to simulate the secret keys giveng₁αX2 (as provided in Assumption 2) instead ofg1α, so we define the semi-functional secret keys to have additional randomGp2-components for the indicesj corresponding to x∗_ρ(j)= 0as captured by the termα′_je_ρ(j)below.

Semi-functional ciphertext.

CTx∗ := (

g₁s· gs′ 2 , g

s⟨w,x∗⟩

1 · g

s′⟨w,x∗⟩

2 , e(g1, g1)αs·m

) ,

wheres′←R ZN.

Semi-functional secret key.

SK_A:=    g

αjeρ(j)+rjw

1 ·g

rj′w

2 ·Xj, grj1 ·g r′j

2 ·Zj :x∗_ρ(j)= 1

gαj₁ eρ(j)+rjw·g

α′jeρ(j) +r′jw

2 ·Xj, g

rj 1 ·g

r′_j

2 ·Zj :x∗_ρ(j)= 0

  ,

where freshα′₁, . . . , α′_ℓ ←R ZN are chosen for each secret key (specifically, we pick freshα′j ←R ZN for alljsuch thatx∗_ρ(j)= 0).

– both semi-functional and normal secret keySK_Acan decrypt a normal ciphertextCT_x∗; – a normal secret keySK_Acan decrypt a semi-functional ciphertextCTx∗;

– a semi-functional secret keySK_Acandecrypt a semi-functional ciphertextCTx∗; this is because thej’th

subkey(Dj, D0,j)corresponding tox∗_ρ(j) = 0is not used for decryption although it has an additional semi-functional componentgα

′

j

2 . This is different from a standard dual system encryption argument, but is okay in our setting becausex∗is fixed semi-adaptivelybeforethe adversary makes secret key queries.

Game sequence. We consider the following sequence of games: – Game0: is the real security game (c.f. Section 2.3).

– Game1: is the same asGame0except that the challenge ciphertext is semi-functional.

– Game2,k,k= 1,2, . . . , n: we incrementally transform each normal secret key to a semi-functional one, i.e.Game2,kis the same asGame1except that, for each secret key

SK_A:= (

Dj, D0,j :j∈[ℓ]

) ,

thej’th subkey(Dj, D0,j)is semi-functional ifρ(j)≤k, and normal ifρ(j)> k. More precisely,

SK_A:=     

gαjeρ(j)+rjw

1 ·g

r′_jw

2 ·Xj, g

rj 1 ·g

r_j′

2 ·Zj :x∗_ρ(j)= 1

g₁αjeρ(j)+rjw·gr ′

jw

2 ·Xj, g

rj 1 ·g

r_j′

2 ·Zj : (x∗_ρ(j)= 0)∧(ρ(j)> k)

g₁αjeρ(j)+rjw·gα ′

jeρ(j)+r′jw

2 ·Xj, g

rj 1 ·g

r_j′

2 ·Zj : (x∗_ρ(j)= 0)∧(ρ(j)≤k)

    ,

where fresh α′₁, . . . , α′_ℓ ←R ZN are chosen for each secret key. In other words, from Game2,k−1 to

Game2,k, we modify the first componentDj of thej’th subkey for allj such thatρ(j) = k (that is, corresponds to the variablexk) as follows:

• ifx∗_k= 1, we leave it unchanged;

• ifx∗_k= 0, we change the semi-functional component fromgr ′

jw 2 tog

α′_jek+rj′w

2 .

Note that inGame2,n, all keys are semi-functional.

– Game3: is the same asGame2,nexcept that the challenge ciphertext is a semi-functional encryption of a random message inGT.

Fix an adversary A. We write Adv_xx(λ) to denote the advantage of A in Gamexx. It is easy to see that

Adv₃(λ) = 0, because the view of the adversary isGame3is independent of the challenge bitβ. We complete the proof by establishing the following sequence of lemmas.

Lemma 1 (Normal to semi-functional ciphertext).There exists an adversaryB1such that:

|Adv₀(λ)−Adv₁(λ)| ≤AdvAS1_B1 (λ) + 1/p1+ 1/p2

andTime(B1)≈Time(A) +q·poly(λ, n)wherepoly(λ, n)is independent ofTime(A).

Proof. We construct an adversaryB1for Assumption 1 usingA. Recall that in Assumption 1, the adversary is givenD:= (G;g1, U1U2, g3),along withT, whereT is distributed as

gs₁ or g₁sg₂s′.

Here,B1 simulatesGame0 ifT := g1sandGame1 ifT := g1sgs

′

2 . The quantitys, s′ in the assumption will correspond the random exponentss, s′used in the ciphertext.

Setup. B₁samplesα←R Zn,w←R Zn_N and outputs

MPK:= (e(g1, g1α), g1, g1w). We note that

(α,w, g1, U1U2, g3;T )

is known toB1. The adversaryAoutputs a challengex∗ := (x∗1, . . . , x∗n).

Challenge Ciphertext. Upon receiving two equal-length messagesm0 andm1 from A,B1 picksβ ←R {0,1}and outputs the semi-functional challenge ciphertext as:

CTx∗:= (

T, T⟨w,x∗⟩, e(T, g₁α)·mβ

) .

Now, supposeT =g₁s·g₂s′, then,

T⟨w,x∗⟩ := (g₁s·g₂s′)⟨w,x∗⟩ =gs₁⟨w,x∗⟩g₂s′⟨w,x∗⟩, e(T, g₁α) :=e(g₁s·g₂s′, g₁α) =e(g1, g1)αs.

Now, ifs′ = 0(i.e.,T =gs₁), this would indeed be a normal encryption. On the other hand, ifs′←R ZN instead, this would indeed be a semi-functional encryption.

Key Queries. On inputA:= (M, ρ),B1needs to generate a normal keySK_A, which has the distribution

(

Dj :=g αjeρ(j)

1 ·(g

rj 1 ·g

r_j′

2 )w·Xj, D0,j:= (g rj 1 ·g

r_j′

2 )·Zj :j ∈[ℓ]

) .

B1picksr˜j ←R ZN forj ∈[ℓ]and replacesg rj 1 ·g

r′_j

2 with(U1U2)rj˜ ; then, it outputs SK_A:=

(

gαj₁ eρ(j) ·(U1U2)rj˜w·Xj, (U1U2)rj˜ ·Zj :j∈[ℓ]

) .

Observe that(U1U2)rj˜ is properly distributed as long asU1U2 is a generator ofGp1p2 (by the Chinese

Remainder Theorem), which occurs with probability1−1/p1−1/p2.

We may therefore conclude that:|Adv₀(λ)−Adv₁(λ)| ≤Adv_BAS1₁ (λ) + 1/p1+ 1/p2. ⊓⊔ Lemma 2 (Normal to semi-functional keys).Fork= 1, . . . , n, there exists an adversaryB2such that:

|Adv_2,k−1(λ)−Adv_2,k(λ)| ≤Adv_BAS3₂ (λ) + 1/p2

andTime(B2) ≈ Time(A) +q·poly(λ, n)where poly(λ, n) is independent ofTime(A). (We note that

Game2,0is identical toGame1.)

Overview of proof. Fixk. We want to modifyj’th subkey(Dj, D0,j)for alljsuch thatρ(j) = k(that is, corresponds to the variablexk) as follows:

– ifx∗_k= 1, we leave it unchanged (in this case,Game2,k−1andGame2,k are identical); – ifx∗_k= 0, we change the semi-functional component inDjfromg

r′_jw

2 tog

α′_jek+r′_jw

2 using Assumption 3. In the rest of the overview, we focus on the casex∗_k = 0. Roughly speaking, we rely on the fact thatwk

(modp2)is statistically hidden givenMPKto obtain computational entropy as captured by{g α′_j

2 : ρ(j) =

inGame2,k−1andGame2,kare of the form:

(gαj₁ ek+rjw· gr ′

jw

2 ·Xj, grj1 ·g r′j

2 ·Zj) and (gαj1 ek+rjw· g

α′jek+rj′w

2 ·Xj, g1rj ·g r′j 2 ·Zj) Roughly speaking, it suffices to show that:

(g₁w, gr ′

jw

2 ·Xj, g r′_j

2 ·Zj) and (g

w

1 , g

α′_jek+r_j′w

2 ·Xj, g

r_j′ 2 ·Zj)

are computationally indistinguishable, whereg₁wis provided inMPK. We may further simplify this to show that:

(gwk 1 , g

r′_jwk

2 ·Xj, g r_j′

2 ·Zj) and (g1wk, g

α′_j+r′_jwk

2 ·Xj, g r_j′ 2 ·Zj)

are computationally indistinguishable, whereXj, Zj ←R Gp3. This follows essentially from Assumption 3,

which tells us that

(gr ′

jwk

2 ·Xj, g r′_j

2 ·Zj, gw2k ·Y3) and ( g

α′_j+r′_jwk

2 ·Xj, g r_j′

2 ·Zj, g2wk·Y3)

are computationally indistinguishable, whereXj, Zj, Y3 ←Gp3. Here, we rely crucially on the fact thatwk (modp2)is completely random givengwk₁ . To handle multiple subkeys{(Dj, D0,j) :j∈ρ−1(k)}, we can proceed via a hybrid argument, but that would yield a security loss of|ρ−1_{(k)|. To avoid this loss, we rely} on the rerandomization trick from [28]. Finally, note that we cannot generate a semi-functional ciphertext forx∗ such thatx∗_k = 1since we are only giveng₂wkY3and notg2wk. (For the proof, it suffices to simulate a semi-functional ciphertext for whichx∗_k= 0.)

Proof. We construct an adversaryB2 (which gets as additional inputk ∈ [n]) for Assumption 3 usingA. We note that the casex∗_k= 1is straight-forward sinceGame2,k is identical toGame2,k−1, which means

|Adv_2,k−1(λ)−Adv_2,k(λ)|= 0≤AdvAS3_B2 (λ).

This leaves us with k such that x∗_k = 0. Recall that in Assumption 3, the adversary is given D := (G;g1, U1U2, g2xX3, g₂yY3, g2U3, g3),along withT, whereT is distributed as

gxy₂ W3 or gxy+z2 W3.

Here, we assume that z ←R Z∗p2, which yields a 1/p2 negligible difference from Assumption 3 in the

advantage; B2 simulatesGame2,k−1 if T = g2xyW3 andGame2,k if T = gxy+z2 W3. Moreover, we use a “trick” from [28] to get a tight security reduction and avoid losing a factor ofℓ.

Specifically,B2proceeds as follows:

Setup. B2 samplesα ←R ZN,w˜ ←R ZnN and implicitly sets the parameterw := ˜wmodp1p3 (whereas

wmodp2is undetermined at this point).B2outputs

MPK:= (e(g1, g1α), g1, g1w˜ ).

Observe that this is indeed the correct distribution sinceg₁w=g₁w˜. Moreover, we note that

(α,w, g˜ 3;U1U2, gx2X3, g₂yY3, g2U3;T )

Challenge Ciphertext. Upon receiving two equal-length messagesm0 andm1 from A,B2 picksβ ←R {0,1}and outputs the semi-functional challenge ciphertext as:

(

U1U2, (U1U2)⟨w˜,x

∗_⟩

, e(g₁α, U1U2)·mβ

) .

Observe that this is indeed the correct distribution since⟨w,˜ x∗⟩=⟨w,x∗⟩modp1p2.

Key Queries. On inputA:= (M, ρ),B2needs to generate a secret keySK_Aof the form:

           

g₁αjeρ(j)+rjw·gr ′

jw

2 ·Xj, g

rj 1 ·g

r′_j

2 ·Zj :x∗_ρ(j)= 1

g₁αjeρ(j)+rjw·gr ′

jw

2 ·Xj, grj1 ·g r′_j

2 ·Zj : (x∗_ρ(j) = 0)∧(ρ(j)> k)

g₁αjeρ(j)+rjw·gα ′

jeρ(j)+rj′w

2 ·Xj, grj1 ·g r′j

2 ·Zj : (x∗_ρ(j) = 0)∧(ρ(j)< k)

g₁αjeρ(j)+rjw· gr ′

jw

2 ·Xj, g

rj 1 ·g

r′_j

2 ·Zj : (x∗ρ(j) = 0)∧(ρ(j) =k)∧(T =g xy 2 W3)

g₁αjeρ(j)+rjw· gα′jeρ(j)+r′jw

2 ·Xj, g

rj 1 ·g

r′_j

2 ·Zj : (x∗_ρ(j) = 0)∧(ρ(j) =k)∧(T =g2xy+zW3)

           

whereα′₁, . . . , α′_ℓ ←R ZN. Note that we knowαand can therefore computeαj :=Mjuas in the normal

KeyGen. We proceed via a case analysis forj. The first three cases are straight-forward, observe that

g₁w˜ =gw₁ and g₂w=gw₂˜ ·(gy₂)ek_.

We simply useg2U3andg₂yY3in place ofg2andgy₂ respectively and pickrj, r′j, α′j ←R ZN.

This leaves us withjsuch that(x∗_ρ(j) = 0)∧(ρ(j) = k). Here,B2 picksδj, δj′ ←R ZN and implicitly sets

r_j′ :=xδj+δ′j. We can then rewrite thej’th normal subkey as:

(

g₁αjeρ(j)+rjw˜ · (gxδj₂ ·gδ ′

j 2 )w˜ ·(g

xyδj 2 ·g

yδ_j′ 2 )

eρ(j) ·_X

j, g₁rj·(g₂xδj ·g δ′_j 2 )·Zj

) .

Here, we want to replaceg2, g2x, g y 2, g

xy

2 withg2U3, gx2X3, g₂yY3, T respectively. First,B2 computes

Rj := (gx2X3)δj·(g2U3)δ

′

j _=gr

′

j 2 ·(X

δj 3 U

δ′_j 3 ), and outputs as thej’th subkey

(

g₁αjeρ(j)+rjw˜ · R_jw˜ ·(Tδj·(g₂yY3)δ

′

j)eρ(j) ·_X j, g

rj

1 ·Rj·Zj

) .

Now, supposeT =g₂xy+zW3. Then,

Rw_j˜ ·(Tδj ·(gy₂Y3)δ

′

j)eρ(j) _=gzδjeρ(j)+r

′

jw

2 ·X′j

for some X′_j ∈ Gn

p3. Now, ifz = 0(i.e.,T = g

xy

2 W3), this would indeed be a normal subkey. On the other hand, ifz←R Z∗p2, this would be a semi-functional subkey, withα

′

In summary,B2outputs asSKA:        

g₁αjeρ(j)+rjw˜ ·Sj·Xj, g rj

1 ·(g2U3)r

′

j·_Z

j :x∗_ρ(j)= 1

g₁αjeρ(j)+rjw˜ ·Sj·Xj, g₁rj·(g2U3)r

′

j·_Z

j : (x∗_ρ(j) = 0)∧(ρ(j)> k)

g₁αjeρ(j)+rjw˜ ·(g2U3)α

′

jeρ(j) ·_S

j ·Xj, g

rj

1 ·(g2U3)r

′

j·_Z

j : (x∗_ρ(j) = 0)∧(ρ(j)< k)

gαjeρ(j)+rjw˜

1 · Rwj˜ ·

(

Tδj _·(gy 2Y3)δ

′

j)eρ(j) ·_X j, g

rj

1 ·Rj ·Zj : (x∗_ρ(j) = 0)∧(ρ(j) =k)

       

whereSj := (g2yY3)r

′

jek ·_(g 2U3)r

′

jw˜ ∈_Gn

p2p3,Rj := (g

x

2X3)δj ·(g2U3)δ

′

j ∈_G p2p3.

We may therefore conclude that:|Adv_2,k−1(λ)−Adv_2,k(λ)| ≤Adv_BAS3₂ (λ) + 1/p2. ⊓⊔ Lemma 3 (Final transition).There exists an adversaryB3such that:

|Adv_2,n(λ)−Adv₃(λ)| ≤AdvAS2_B3 (λ)

andTime(B3)≈Time(A) +q·poly(λ, n)wherepoly(λ, n)is independent ofTime(A).

Overview of proof. Following the final transitions in [25, 27], we use Assumption 2, in which we are given

(g1, g1αX2, gs1Y2, g2, g3, T)whereT is eithere(g1, g1)αsor drawn uniformly fromGT to blind the challenge message mβ. The main challenge in our setting lies in simulating a semi-functional key SK_Agivengα₁X2 and notαitself. Recall that a semi-functional keySK_Ahas the same distribution

   g

αjeρ(j)

1 ·g

rjw

1 ·g r′_jw

2 ·Xj, g

rj 1 ·g

r′_j

2 ·Zj :x∗ρ(j)= 1

g₁αjeρ(j) · gα′jeρ(j)

2 ·g

rjw

1 ·g r′_jw

2 ·Xj, g rj 1 ·g

r′_j

2 ·Zj :x∗_ρ(j)= 0

  

in bothGame2,nandGame3. Specifically, we need to simulate (giveng1, g2, gα1X2)

  g

αj

1 :x∗ρ(j)= 1

gαj₁ · gα′j

2 :x∗ρ(j)= 0

 

whereα1, . . . , αℓare LSSS shares ofαaccording toA= (M, ρ)andα′1, . . . , αℓ′ are independently random values. Roughly speaking, we proceed as follows:

– simulate the terms (gαj₁ : x∗_ρ(j) = 1) by raising g1 to the power of random LSSS shares of 0 (as determined byM˜u0below);

– simulate the terms (g₁αj ·gα ′

j

2 : x∗ρ(j) = 0) by doing a LSSS share of g α

1X2 “in the exponent” (as determined byαM˜u1below), multiplying by the shares of0from the previous step, then re-randomizing theGp2-components.

We exploit the fact thatx∗does not satisfyAto argue that we can chooseu˜1 so thatMx∗u˜1 =0.

Proof. We construct an adversaryB3for Assumption 2 usingA. Recall that in Assumption 2, the adversary is givenD:= (G;g1, gα1X2, gs1Y2, g2, g3),along withT, whereT equalse(g1, g1)αsor is drawn uniformly fromGT. Here,B3 simulatesGame2,n ifT :=e(g1, g1)αsandGame3 ifT ←R GT. The quantityαin the assumption will correspond exactly toα inMSK, and the quantitysin the assumption will correspond the random exponentssused in the (semi-functional) ciphertext.

Specifically,B3proceeds as follows:

Setup. B3samplesw←R ZnN and output the public parameters

We note that

(w, g2, g3;g1αX2, gs1Y2;T )

is known toB3. The adversaryAoutputs a challengex∗ := (x∗₁, . . . , x∗_n).

Challenge Ciphertext. Upon receiving two equal-length messagesm0 andm1 from A,B3 picksβ ←R {0,1}and outputs the semi-functional challenge ciphertext as:

CT_x∗:= (

g₁sY2, (g1sY2)⟨w,x

∗_⟩

, T ·mβ

) .

Now, ifT is distributed as distributed ase(g1, g1)αs, this would indeed be a properly distributed semi-functional encryption ofmβ. On the other hand, ifT ←R GT, instead, then the challenge ciphertext is a properly distributed semi-functional encryption of a random message inGT.

Key Queries. On input A := (M, ρ), B3 needs to generate a semi-functional key SKA, which has the distribution

SK_A:=

   g

αjeρ(j)

1 ·g

rjw

1 ·g r′_jw

2 ·Xj, g

rj 1 ·g

r′_j

2 ·Zj :x∗_ρ(j)= 1

g₁αjeρ(j) · gα ′

jeρ(j)

2 ·g

rjw

1 ·g r′_jw

2 ·Xj, g rj 1 ·g

r′_j

2 ·Zj :x∗_ρ(j)= 0

  ,

whereα′₁, . . . , α′_ℓ ←R ZN. The main challenge lies in simulating the termsg αj

1 sinceB3 is only given

g₁αX2 and notα itself. By definition of the KP-ABE security game, x∗ does not satisfy A, so 1 ∈/

span⟨Mx∗⟩. (Refer to Definition 1 for the notation.) Therefore, we can efficiently computeu˜1 ∈ Zℓ

′

N such that

Mx∗u˜1 =0 and 1˜u1= 1.

B3samplesu˜0←R Zℓ ′

N such that1˜u0= 0, and implicitly sets

u:=α·u˜1+ ˜u0.

Observe thatuhas indeed the correct distribution. Recall that we setαj :=Mju, which yields

αj =

{

Mju˜0 ifx∗_ρ(j)= 1

α·Mju˜1+Mju˜0 ifx∗_ρ(j)= 0

where bothu˜1 andu˜0 are known toB3. The casejsuch thatx∗_ρ(j) = 1is straight-forward;B3simply picksrj, rj′ ←R ZN. For the casej such thatx∗_ρ(j) = 0, we can then rewriteg

αj 1 ·g

α′_j

2 as a function of

˜

u0,u˜1, andg1αX2:

gαj₁ ·gα ′

j 2 =g

α·Mju˜1+Mj˜u0

1 ·g

α′_j

2 = (gα1X2)Mju˜1 ·g

Mju˜0

1 ·g

˜ α′_j 2 , whereB3picksα˜′j ←R ZN and implicitly setsg

α′_j 2 :=X

Mj˜u1

2 ·g

˜ α′_j

2 .B3then outputs

SK_A:=    g

Mj˜u0eρ(j)

1 ·g

rjw

1 ·g r′_jw

2 ·Xj, g

rj 1 ·g

r′_j

2 ·Zj :x∗_ρ(j)= 1

(

(g₁αX2)Mju˜1 ·g₁Mju˜0 ·g ˜ α′_j 2

)eρ(j) _·

g₁rjw·gr ′

jw

2 ·Xj, g rj 1 ·g

r′_j

2 ·Zj :x∗ρ(j)= 0

  .

We may therefore conclude that:|Adv_2,n(λ)−Adv₃(λ)| ≤AdvAS2_B3 (λ). ⊓⊔

References

[1] N. Attrapadung. Dual system encryption via doubly selective security: Framework, fully secure functional encryption for regular languages, and more. InEUROCRYPT, pages 557–577, 2014.

[2] N. Attrapadung, B. Libert, and E. de Panafieu. Expressive key-policy attribute-based encryption with constant-size ciphertexts. InPublic Key Cryptography, pages 90–108, 2011.

[3] A. Beimel.Secure Schemes for Secret Sharing and Key Distribution. Ph.D., Technion - Israel Institute of Technology, 1996. [4] S. Benabbas, R. Gennaro, and Y. Vahlis. Verifiable delegation of computation over large datasets. InCRYPTO, page 110,

2011. Cryptology ePrint Archive, Report 2011/132.

[5] D. Boneh and M. K. Franklin. Identity-based encryption from the Weil pairing.SIAM J. Comput., 32(3):586–615, 2003. [6] D. Boneh and B. Waters. Conjunctive, subset, and range queries on encrypted data. InTCC, pages 535–554, 2007. Also

Cryptology ePrint Archive, Report 2006/287.

[7] D. Boneh, E.-J. Goh, and K. Nissim. Evaluating 2-DNF formulas on ciphertexts. InTCC, pages 325–341, 2005. [8] J. Chen and H. Wee. Fully, (almost) tightly secure IBE and dual system groups. InCRYPTO (2), pages 435–460, 2013. [9] J. Chen and H. Wee. Fully, (almost) tightly secure IBE from standard assumptions. IACR Cryptology ePrint Archive, Report

2013/803, 2013. Preliminary version in [8].

[10] J. Chen and H. Wee. Dual system groups and its applications — compact HIBE and more. IACR Cryptology ePrint Archive, Report 2014/265, 2014. Preliminary version in [8].

[11] J. Chen, H. W. Lim, S. Ling, H. Wang, and H. Wee. Shorter IBE and signatures via asymmetric pairings. InPairing, pages 122–140, 2012.

[12] L. Cheung and C. C. Newport. Provably secure ciphertext policy ABE. InACM Conference on Computer and Communications Security, pages 456–465, 2007.

[13] C. Cocks. An identity based encryption scheme based on quadratic residues. InIMA Int. Conf., pages 360–363, 2001. [14] D. Fiore and R. Gennaro. Publicly verifiable delegation of large polynomials and matrix computations, with applications. In

ACM Conference on Computer and Communications Security, pages 501–512, 2012.

[15] D. M. Freeman. Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In EUROCRYPT, pages 44–61, 2010.

[16] R. Gennaro, C. Gentry, and B. Parno. Non-interactive verifiable computing: Outsourcing computation to untrusted workers. InCRYPTO, pages 465–482, 2010.

[17] R. Gennaro, C. Gentry, B. Parno, and M. Raykova. Quadratic span programs and succinct NIZKs without PCPs. In EUROCRYPT, pages 626–645, 2013. Also Cryptology ePrint Archive, Report 2012/215.

[18] S. Goldwasser, Y. T. Kalai, and G. N. Rothblum. Delegating computation: interactive proofs for muggles. InSTOC, pages 113–122, 2008.

[19] V. Goyal, O. Pandey, A. Sahai, and B. Waters. Attribute-based encryption for fine-grained access control of encrypted data. InACM Conference on Computer and Communications Security, pages 89–98, 2006.

[20] V. Goyal, A. Jain, O. Pandey, and A. Sahai. Bounded ciphertext policy attribute based encryption. InICALP (2), pages 579–591, 2008.

[21] M. Karchmer and A. Wigderson. On span programs. InStructure in Complexity Theory Conference, pages 102–111, 1993. [22] J. Katz, A. Sahai, and B. Waters. Predicate encryption supporting disjunctions, polynomial equations, and inner products. In

EUROCRYPT, pages 146–162, 2008.

[23] A. Lewko. Tools for simulating features of composite order bilinear groups in the prime order setting. InEUROCRYPT, pages 318–335, 2012.

[24] A. B. Lewko.Functional Encryption: New Proof Techniques and Advancing Capabilities. Ph.D., The University of Texas at Austin, 2012.

[25] A. B. Lewko and B. Waters. New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In TCC, pages 455–479, 2010.

[26] A. B. Lewko and B. Waters. New proof methods for attribute-based encryption: Achieving full security through selective techniques. InCRYPTO, pages 180–198, 2012.

[27] A. B. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters. Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption. InEUROCRYPT, pages 62–91, 2010.

[28] M. Naor and O. Reingold. Number-theoretic constructions of efficient pseudo-random functions. J. ACM, 51(2):231–262, 2004.

[29] T. Okamoto and K. Takashima. Homomorphic encryption and signatures from vector decomposition. InPairing, pages 57–74, 2008.

[30] T. Okamoto and K. Takashima. Hierarchical predicate encryption for inner-products. InASIACRYPT, pages 214–231, 2009. [31] T. Okamoto and K. Takashima. Fully secure functional encryption with general relations from the decisional linear

[32] B. Parno, M. Raykova, and V. Vaikuntanathan. How to delegate and verify in public: Verifiable computation from attribute-based encryption. InTCC, pages 422–439, 2012.

[33] A. Sahai and B. Waters. Fuzzy identity-based encryption. InEUROCRYPT, pages 457–473, 2005. [34] A. Shamir. Identity-based cryptosystems and signature schemes. InCRYPTO, pages 47–53, 1984.

[35] K. Takashima. Expressive attribute-based encryption with constant-size ciphertexts from the decisional linear assumption. In SCN, 2014. To appear. Also, Cryptology ePrint Archive, Report 2014/207.

[36] B. Waters. Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions. InCRYPTO, pages 619–636, 2009.

[37] B. Waters. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. InPublic Key Cryptography, pages 53–70, 2011.

A Semi-Adaptive ABE in Prime-Order Groups

This is based on embedding the ABE scheme of Goyal et al. [19] (see also [27]).

A.1 Dual Pairing Vector Spaces

Our second construction is based on dual pairing vector spaces proposed by Okamoto and Takashima [29, 30]. In this paper, we concentrate on the asymmetric version [31]. We only briefly describe how to generate random dual orthonormal bases. See [29, 30, 31] for a full definition of dual pairing vector spaces.

We first introduce asymmetric bilinear pairing groups. A generator G which takes as input a security parameter1λ _{and outputs a descriptionG := (q, G}

1, G2, GT, e), whereqis a prime ofΘ(λ)bits,G1,G2, andGT are cyclic groups of orderq, ande:G1×G2 →GT is a map with the following properties:

1. (Bilinearity)∀h1 ∈G1, h2∈G2, a, b∈Zq, e(ha1, hb2) =e(h1, h2)ab. 2. (Non-degeneracy)∃g1 ∈G1, g2 ∈G2such thate(g1, g2)has orderqinGT.

We require that the group operations in G1, G2, and GT as well the bilinear map e are computable in deterministic polynomial time with respect toλ. Furthermore, the group descriptions of G1, G2, andGT include generators of the respective cyclic groups.

We extend the pairingeto vectors of group elements overG1 andG2by defining

e(gv₁, g₂w) :=e(g1, g2)⟨v,w⟩.

Dual Pairing Vector Spaces. For a fixed (constant) dimensionn, we will choose random bases

(d1, . . . ,dn) and (d∗1, . . . ,d∗n) ofZn_q, subject to the constraint that they are “dual orthonormal”, meaning that

⟨d∗_i,dj⟩= 0 modq

wheneveri̸=j, and

⟨di,d∗i⟩= 1 modq for alli. We denote such algorithm as

(d1, . . . ,dn,d∗1, . . . ,d∗n)←R Dual(Znq) or (d1,d∗1, . . . ,dn,d∗n)←R Dual(Znq). Then for generatorsg1 ∈G1 andg2 ∈G2, we have

e(gdi 1 , g

d∗_j

2 ) = 1 wheneveri̸=j, where1here denotes the identity element inGT.

Assumption 4 (DDH1: Decisional Diffie-Hellman Assumption inG1) Given a group generator G, we

define the following distribution:

G:= (q, G1, G2, GT, g1, g2, e)←R G, x, y, z←R Zq,

T0:=gxy1 , T1:=gxy+z1 ,

D:= (G;g1, g2, g1x, g y 1).

We assume that for any PPT algorithmA(with output in{0,1}),

AdvDDH1_A (λ) :=|Pr[A(D, T0)−Pr[A(D, T1)]|

is negligible in the security parameterλ.

The dual of above assumption is decisional Diffie-Hellman assumption inG2(denoted as DDH2), which is identical to Definitions 4 with the roles ofG1andG2reversed. We say that:

Definition 3. The symmetric external Diffie-Hellman (SXDH) assumption holds if DDH problems are intractable in bothG1andG2.

The Subspace assumptions were introduced in [23, 11, 31]. In this paper, specifically, we require the following Subspace assumption inG1, which is similar with the SXDH-based Subspace assumptions of [11] but involvesn+ 1bases pairs chosen independently at random (see also [24]).

Assumption 5 (DS1: Decisional Subspace Assumption inG1) Given a group generatorG(·), define the

following distribution:

G:= (q, G1, G2, GT, g1, g2, e)←R G(1λ),

(d0,d∗0,f0,f0∗), . . . ,(dn,d∗n,fn,fn∗)←R Dual(Z2q),

τ1, τ2, µ1, µ2 ←R Zq,

U0 :=g

µ1d∗0+µ2f0∗

2 , . . . , Un:=gµ1d

∗

n+µ2fn∗

2 ,

V0 :=gτ11d0, . . . , Vn:=gτ11dn,

W0 :=gτ11d0+τ2f0, . . . , Wn:=g1τ1dn+τ2fn,

D:= (

G;gd0

1 , g

f0

1 , g

d∗₀

2 , . . . , g

dn 1 , g

fn 1 , g

d∗n

2 , U0, . . . , Un, µ2

) .

We assume that for any PPT algorithmA(with output in{0,1}),

AdvDS1_A (λ) :=|Pr[A(D, V0, . . . , Vn) = 1]−Pr[A(D, W0, . . . , Wn) = 1]|

is negligible in the security parameterλ.

Lemma 4. If the DDH assumption inG1 holds, then the Subspace assumption inG1 stated in Definition 5

also holds. More precisely, for any adversary A against the Subspace assumption in G1, there exist

probabilistic algorithmsBsuch that

Adv_ADS1(λ)≤Adv_BDDH1(λ)

andTime(B)≈Time(A) + poly(λ, n)wherepoly(λ, n)is independent ofTime(A).