Predicate Encryption for Multi-Dimensional Range Queries from Lattices

Predicate Encryption for Multi-Dimensional Range Queries from Lattices

Romain Gay?and Pierrick Méaux??and Hoeteck Wee? ? ?

ENS, Paris, France

Abstract. We construct a lattice-based predicate encryption scheme for dimensional range and multi-dimensional subset queries. Our scheme is selectively secure and weakly attribute-hiding, and its security is based on the standard learning with errors (LWE) assumption. Multi-dimensional range and subset queries capture many interesting applications pertaining to searching on encrypted data. To the best of our knowledge, these are the first lattice-based predicate encryption schemes for functionalities beyond IBE and inner product.

1 Introduction

Predicate encryption [BW07, SBC+07, KSW08] is a new paradigm for public-key encryption that supports search queries on encrypted data. In predicate encryption, ciphertexts are associated with descriptive values x in addition to a plaintext, secret keys are associated with a query predicate f, and a secret key decrypts the ciphertext to recover the plaintext if and only if f(x)=1. The security requirement for predicate encryption enforces privacy of xand the plaintext even amidst multiple search queries, namely an adversary holding secret keys for different query predicates learns nothing aboutxand the plaintext if none of them is individually authorized to decrypt the ciphertext.

Multi-dimensional range queries. Following [BW07, SBC+07], we focus on predicate encryption for multi-dimensional range queries, as captured by the following examples:

– For network intrusion detection on logfiles, we would encrypt network flows labeled with a set of attributes from the network header, such as the source and destination addresses, port numbers, time-stamp, and protocol numbers. We could then issue auditors with restricted secret keys that can only decrypt the network flows that fall within a particular range of IP addresses and some specific time period.

– For credit card fraud investigation, we would encrypt credit card transactions labeled with a set of attributes such as time, costs and zipcodes. We could then issue investigators with restricted secret keys that decrypt transactions over $1,000 which took place in the last month and originated from a particular range of zipcodes.

– For online dating, we would encrypt personal profiles labeled with dating preferences pertaining to age, height, weight and salary. Secret keys are associated with specific attributes and can only decrypt profiles for which the attributes match the dating preferences.

?_{E-mail:[email protected]. Supported in part by ANR-14-CE28-0003 (Project EnBiD).}

??_{E-mail:[email protected]. INRIA and ENS. Supported in part by ANR-13-JS02-0003 (Project CLE).}

? ? ?_{E-mail: [email protected]. ENS and CNRS. Supported in part by ANR-14-CE28-0003 (Project EnBiD), NSF Award}

More generally, in multi-dimensional range queries, we are given a point (z1, . . . ,zD)∈[T]Dand interval

ranges [x1,y1], . . . , [xD,yD]⊆[T] and we want to know if (x1≤z1≤y1)∧ · · · ∧(xD ≤zD ≤yD). We also

consider more general multi-dimensional subset queries where we are given subsetS1, . . . ,SD⊆[T] and

we want to know if (z1 ∈S1)∧ · · · ∧(zD ∈SD). Note that in the first two examples, the search queries

are associated with the keys, whereas in the third example, the search queries are associated with the ciphertext. We will refer to encryption schemes for the former as “key-policy” schemes, and schemes for the latter as “ciphertext-policy” schemes. In all of these examples, it is important that unauthorized parties do not learn the contents of the ciphertexts, nor of the meta-data associated with the ciphertexts, such as the network header or dating preferences. On the other hand, it is often okay to leak the meta-data to authorized parties. We stress that privacy of the meta-meta-data is an additional security requirement provided by predicate encryption but not attribute-based encryption [GPSW06, GVW13].

Prior works. The first constructions of predicate encryption for multi-dimensional range queries were given in the works of Boneh and Waters [BW07] and Shi, et. al [SBC+07]; all of these constructions rely on bilinear groups and achieve parameters that are linear in the number of dimensionsD. The latter work also presents a generic “brute force” construction based on any anonymous IBE, where the parameters grow exponentially inD.

1.1 Our contributions

In this work, we construct a lattice-based predicate encryption scheme for multi-dimensional range queries, whose security is based on the standard learning with errors (LWE) assumption. Our scheme is selectively secure and weakly attribute-hiding, that is, we only guarantee privacy of the ciphertext attribute against collusions that are not authorized to decrypt the challenge ciphertext. The scheme is best suited for applications where the rangeT is very large but the number of dimensionsD is a small constant, as is the case for the three applications outlined earlier and also the scenario considered in [SBC+07]. In addition, we extend our techniques to multi-dimensional subset queries, where we obtain improved efficiency over prior schemes [BW07]. We summarize our schemes in Table 1 and 2.

Our approach. At a high level, our approach follows that of Shi et al. [SBC+07], who showed how to boost an anonymous IBE scheme into a predicate encryption scheme for multi-dimensional range queries. We show how to carry out a similar transformation over lattices, starting from the LWE-based anonymous IBE schemes in [CHKP10, ABB10a, AFV11]. We highlight the main novelties in this work:

– First, we present a more modular and conceptually simpler approach for handling multi-dimensional range queries. We construct our scheme for the simpler AND-OR-EQ predicate (conjunction of disjunction of equalities), and present a combinatorial reduction from multi-dimensional range queries to this predicate. The simpler AND-OR-EQ predicate is symmetric, which immediately yields both key-policy and ciphertext-policy schemes for multi-dimensional range queries. We can only prove security for our lattice-based AND-OR-EQ predicate encryption under an “at most one” promise, which necessitates a more delicate reduction from multi-dimensional range queries to AND-OR-EQ where we decompose range queries into disjoint sub-intervals. Indeed, the same technical issue arises in the previous pairing-based schemes.

Table 1.Summary of existing predicate encryption schemes for multi-dimensional range queries: given a point (z1, . . . ,zD)∈

[T]Dand interval ranges [x1,y1], . . . , [x_D,y_D]⊆[T], we want to know if (x1≤z1≤y1)∧· · ·∧(xD≤zD≤yD). Here,Ddenotes the

number of dimensions andTthe number of points in each dimension. We omit the poly(n) multiplicative overhead, wheren is the security parameter.

Source Public key size Ciphertext size Secret key size Encryption time Decryption time Attribute-hiding [BW07] (KP) O(D·T) O(D·T) O(D) O(D·T) O(D) fully [SBC+07] (KP, CP) O(DlogT) O(DlogT) O(DlogT) O(DlogT) O((logT)D) weakly this paper (KP, CP) O(DlogT) O(DlogT) O(DlogT) O(DlogT) O((logT)D) weakly Table 2.Summary of existing predicate encryption schemes for multi-dimensional subset queries: given a point (z1, . . . ,zD)∈

[T]Dand subsetsS1, . . . ,SD⊆[T], we want to know if (z1∈S1)∧ · · · ∧(zD∈SD). Here,Ddenotes the number of dimension and

Tthe size of the sets. We omit the poly(n) multiplicative overhead, wherenis the security parameter. (KP) stands for key-policy and (CP) stands for ciphertext-policy.

Source Public key size Ciphertext size Secret key size Encryption time Decryption time Attribute-hiding this paper (KP) O(D) O(D) O(D·T) O(D) O(TD) weakly this paper (CP) O(D·T) O(D·T) O(D) O(D·T) O(D) weakly

an anonymous IBE ciphertext for the identity X, and the key comprises two IBE keys fora andb; decryption works by trying all possible IBE keys. Following [SBC+07], we will pad the plaintext with zeroes, so that we know which of the decryptions corresponds to the correct plaintext. To handle the outer conjunction, we rely on secret sharing, as with prior lattice-based fuzzy IBE [ABV+12].

– Correctness for the inner disjunction requires more care than that in the bilinear groups. Roughly speaking, we need to show that decrypting an IBE ciphertext for identity a with a key for identity b6=ayields a random-looking value. The straight-forward argument that relies on IBE security yields computational correctness. To achieve statistical correctness in the lattice-based setting, we rely on a simple but seemingly novel analysis of the output of lattice-based trapdoor sampling algorithms (c.f. Lemma 13).

– The intuition for security for the inner disjunction is as follows: ifX is different froma andb, then both X and the plaintext remain hidden via security of the underlying IBE. On the other hand, if X is equal to one ofa,b, then the decryptor does learn the exact value of X, which means that we cannot hope to achieve strong attribute-hiding using these techniques. To establish the weak attribute-hiding for the general AND-OR-EQ, we rely on techniques from lattice-based inner product encryption [AFV11].

To the best of our knowledge, this is the first lattice-based predicate encryption scheme for function-alities beyond IBE and inner product [CHKP10, ABB10a, AFV11, Xag13], and we hope that it would inspire further research into lattice-based predicate encryption. We defer a more detailed overview of our construction to Section 4.

AND-OR-EQ in Section 4, and we show that it gives an efficient construction for multi-dimensional range queries. Finally, we show in Section 5 how to improve the construction of Section 4 in order to obtain an efficient scheme for multi-dimensional subset queries.

2 Preliminaries

Notations. We denote bys←RSthe fact thatsis picked uniformly at random from a finite setSor from a distribution. By PPT, we denote a probabilistic polynomial-time algorithm. Throughout this paper, we use 1n as the security parameter. For every vectoru∈Znq, we writeu=(u1, . . . ,un), and for any matrix

M∈Znq×m, we writeMi,jthe (i,j) entry ofM. For anyx∈R, we denote bybxcthe largest integer less than

or equal tox. For anyz∈[0, 1], we denote bybzethe closest integer toz.

Randomness extraction. We use the following variant of the left-over hash lemma [ILL89, DORS08] from [ABB10a]:

Lemma 1 ([ABB10a], Lemma 13). Let m > (n+1) logq+ω(logn), q > 2 be a prime number, R ←R {−1, 1}m×` modq, where`=`(n)is polynomial in n. LetA←RZnq×m,B←RZqn×`; For all vectorsu∈Zm

the distribution(A,AR,u>_{R)is statistically close from the distribution(A,B,u}>_R).

LWE Assumption. The decisional Learning With Error problem (dLWE) was introduced by Regev [Reg05],

Definition 1 (dLWE).For an integer q=q(n)≥2, an adversaryAand an error distributionχ=χ(n)over Zq, we define the following advantage function:

AdvdLWE_A n,m,q,χ:= |Pr[A(A,z0)=1]−Pr[A(A,z1)=1]|

where

A←RZnq×m,s←RZnq,e←Rχm,z0:=s>A+e> and z1←RZmq

The dLWEn,m,q,χ assumption asserts that for all PPTadversariesA, the advantage AdvdLWE_A n,m,q,χ is a

negligible function in n.

Throughout the paper, we denote byχmax<qthe bound on the noise distributionχ.

2.1 Lattice preliminaries

Lattices. For any matrixA∈Zqn×m and any vectorp∈Znq, we define the orthogonal q-ary lattice ofA:

Λ⊥

q(A) :={u∈Zm:Au=0 modq} and the shifted lattice:Λ p

q(A) :={u∈Zm:Au=p modq}. Similarly, for

any matrixP∈Znq×`, we define:ΛPq(A) :={U∈Zm×`:AU=P modq}.

Matrix norms. For any vectorx, we denote bykxkits`2norm. For any matrixR∈Znq×`we define the

1. kRkdenotes the maximum of the`2norm over the columns ofR.

2. kRkGSdenotes the Gram-Schmidt norm ofR(see [BGG+14] for further details).

3. kRk2denotes the operator norm ofRdefined askRk2=supkxk=1kRxk.

Note that for any matrixS∈Z`q×m, and any vector e∈Znq, we have kR·Sk ≤ kRk2· kSk, and ke>Fk∞≤ kek · kFk.

Gaussian distributions. For any positive parameter σ ∈ R>0, let ρσ(x) := exp(−πkxk2/σ2) be the

Gaussian function onRnof center0and parameterσ.

For anyn∈Nand any subsetD ofZn, we defineρ_σ(D) := P

x∈Dρσ(x) the discrete integral ofρσover

D, andDD,σthe discrete Gaussian distribution over D of parameter σ. That is, for ally∈D, we have

DD,σ(y) :=_ρρ_σσ₍(_Dy)₎.

Lemma 2 ([BGG+14], Lemma 2.5).Let n,m,`,q>0be integers andσ>0be a Gaussian parameter. For allA∈Znq×m,P∈Znq×`,U←RDΛP

q(A),σandR←R{−1, 1}

m×m_{, with overwhelming probability in m,}

kUk ≤σpm,kRk2≤20

p m

Trapdoor generators. The following lemmas state properties of algorithms for generating short basis of lattices.

Lemma 3 ([Ajt96, AP09, MP12]).Let n,m,q >0be integers with q prime and m=Θ(nlogq). There is a PPTalgorithmTrapGendefined as follows:

TrapGen(1n, 1m,q):

Inputs:a security parameter n, an integer m such that m=Θ(nlogq), and a prime modulus q.

Outputs:a matrixA∈Znq×m and a basisTA∈Zqm×m forΛ⊥q(A)such that the distribution ofAisnegl(n)

-close to uniform andkTAkGS=O(

p

nlogq), with all but negligible probability in n.

Lemma 4 ([MP12]).Let n,m,q >0 be integers with q prime and m=Θ(nlogq). There is a full-rank matrixGsuch that the latticeΛ⊥_q(G)has a publicly known basisTG∈Zm×mwithkTGkGS≤

p

5.

Lemma 5 ([GPV08], Lemmas 5.1 and 5.2).

– Let m≥2nlogq. With all butnegl(n)probability,A←RZnq×m is full rank (i.e. the subset-sums of the

columns ofAgenerateZnq).

– AssumeA∈Znq×m is full-rank andσ=ω(

p

logn). Then, the following distributions are statistically close:

{(u,Au) :u←RDZm,σ} and {(u,p) :p←RZnq,u←RD_Λp_q(A),σ}

2.2 Sampling algorithms

Given a matrixF:=[AkB] and a matrixP, we would like to sample random low-norm matricesUsuch thatFU=P. Specifically, we want to sampleUfrom the distributionD_ΛP

q(F),σ. The following lemma tells

us we could do so given either (1) a low-norm basisTA ofΛ⊥q(A) usingRightSample, or (2) a low-norm

Lemma 6 ( [GPV08, ABB10b, CHKP10, MP12] and [BGG+14], Lemma 2.8).

There existPPTalgorithmsRightSampleandLeftSamplesuch that:

RightSample(A,TA,B,P,σ):

Inputs: full-rank matrices A,B ∈Znq×m, a basisTA ofΛ⊥q(A), a matrix P∈Znq×(`+n) and a Gaussian

parameterσ=O(kTAkGS).

Output:a matrixU∈Zq2m×(`+n)whose distribution is statistically close toD_ΛP

q[AkB],σ·ω(

p

logm).

Remark 1. We can sample a short matrixU=



 

U1

U2



 ∈Z

2m×(`+k)

q in the same way that [ABB10b]. That is,

we first sample the bottom partU2∈Zqm×(`+k)fromD<sub>Z</sub>m×(`+k)

q ,σ·ω(

p

logn)and then, we sample the top part

U1∈Zqm×(`+k)from a distribution statistically close toD_ΛP−BU2

q (A),σ·ω(

p

logm), usingTA.

LeftSample(A,R,G,H,P,σ):

Inputs: a full-rank matrixA∈Znq×m, a matrix R∈Zqm×m, a full-rank matrix G∈Znq×m as defined in

Lemma 4, an invertible matrixH∈Znq×n, a matrixP∈Zqn×(`+n)and a Gaussian parameterσ=O(kRk2).

Output:a matrixU∈Zq2m×(`+n)whose distribution is statistically close toD_ΛP

q[AkHG+AR],σ·ω(

p

logm).

2.3 Predicate Encryption

A predicate encryption scheme for a predicateP(·,·) consists of four algorithms (Setup,Enc,KeyGen,Dec):

Setup(1n,X,Y,M) → (mpk,msk). The setup algorithm gets as input the security parameter n, the attribute universeX, the predicate universeY, and the message spaceM.

Enc(mpk,x,m)→ct. The encryption algorithm gets as inputmpk, an attribute x∈Xand a message m∈M. It outputs a ciphertextct.

KeyGen(mpk,msk,y)→sky. The key generation algorithm gets as inputmskand a valuey∈Y. It outputs

a secret keysky. Note thatyis public givensky.

Dec(mpk,sky,ct)→m. The decryption algorithm gets as input sky and a ciphertext ct. It outputs a

messagem.

Correctness. We require that for all (x,y)∈X×Ysuch thatP(x,y)=1 and allm∈M,

Pr[ct_←Enc(mpk,x,m);Dec(sky,ct)=m)]=1−negl(n),

Security Model. For a stateful adversaryA, we define the advantage function

AdvPE

A(n) :=Pr

                

β=β0:

(x∗₀,x₁∗)←A(1λ);

β←R{0, 1};

(mpk,msk)←Setup(1n,X,Y,M);

(m0,m1)←AKeyGen(msk,·)(mpk);

ct←Enc(mpk,x_β,m_β);

β0_←AKeyGen(msk,·)_(ct)

                 −1 2

with the restriction that all queriesythatAmakes toKeyGen(msk,·) satisfiesP(x∗

0,y)=P(x1∗,y)=0 (that

is,sky does not decryptct). A predicate encryption scheme isselectively secure and weakly attribute-hiding1if for all PPT adversariesA, the advantageAdvPE

A(n) is a negligible function inn.

3 Reductions Amongst Predicates

3.1 AND-OR-EQ predicate

In this section we state our general predicate, and exhibit the reductions from multi-dimensional subset queries and multi-dimensional range queries to the latter. This general predicate is symmetric (c.f. Lemma 11), which will allow us to obtain both ciphertext-policy and key-policy predicate encryption schemes in Section 4.

Disjunction of equality queries. Here,POR-EQ:Z`q×Z`q→{0, 1}, andPOR-EQ(x,y)=1 iff

`

W

i=1

¡

xi=yi¢.

We generalize the previous predicate to a multi-dimensional setting as follows PAND-OR-EQ : ZDq×`×

ZD×`

q →{0, 1}, and:

PAND-OR-EQ(X,Y)=1 iff

D

^

i=1

`

_

j=1

¡

Xi,j=Yi,j¢

We impose a so-called “at most one” promise on the input domains of the predicate for our predicate encryption scheme in Section 4. This technical property is required for our lattice-based instantiations (see Remark 3 in Section 4) and also implicitly used in prior pairing-based ones. We define the predicate PAT MOST ONE:Z`q×Z`q→{0, 1} and its multi-dimensional variantPAND AT MOST ONE:ZDq×`×ZDq×`→{0, 1} by:

PAT MOST ONE(x,y)=1 iff there exists at most one j∈[`],xj=yj

PAND AT MOST ONE(X,Y)=1 iff∀i∈[D], there exists at most onej∈[`] s.t.Xi,j=Yi,j

We require that the input domainsX,Y⊆ZqD×`forPAND-OR-EQsatisfy the “at most one” promise, namely for allX∈X,Y∈Y,

PAND AT MOST ONE(X,Y)=1

1_{In an adaptively secure scheme, the adversary specifies (x}∗

Indeed, the promise is satisfied by all of our reductions in this section.

3.2 Multi-dimensional subset queries

Predicate (ciphertext-policy). Here,PCP-SUBSET: {0, 1}D×T×[T]D→{0, 1} and

PCP-SUBSET(W,z)=1 iff

D

^

i=1

Wi,zi=1

For each dimensioni∈[D], thei’th row ofWis the characteristic vector of a subset of [T].

ReducingPCP-SUBSETtoPAND-OR-EQ. We map (W,z)∈{0, 1}D×T×[T]Dto (W,e Z)e ∈Z_qD×T×ZD_q×T where

– We is the matrixWwhere zeros are replaced by−1, that is, for all (i,j)∈[D]×[T],Wfi,j=1 ifWi,j=1,

andWfi,j= −1 otherwise. (We need this modification in order to satisfy the “at most one” promise.)

– Ze∈Z_qD×T denotes the matrix whosei’th row isezi ∈Z 1×T

q , where (e1, . . . ,eT) denotes the standard

basis ofZ1×T.

For instance, we map ((0, 1, 1), 2) to ((−1, 1, 1), (0, 1, 0)). We can check that the following lemma holds:

Lemma 7 (PCP-SUBSETtoPAND-OR-EQ).Let(W,z)∈{0, 1}D×T×[T]D, and(W,e eZ)∈Z_qD×T×ZD_q×T defined as

above.

– PCP-SUBSET(W,z)=1iffPAND-OR-EQ(W,e eZ)=1

– PAND AT MOST ONE(W,e Z)e =1

3.3 Multi-dimensional range queries

Predicate (key-policy). Here,PKP-RANGE: [T]D×I(T)D→{0, 1} andPKP-RANGE(z,I)=1 iff

D

V

j=1(

zj∈Ij), where I(T) denotes the set of all intervals of [T].

We show how to reducePKP-RANGEtoPAND-OR-EQ, which involves rewriting points and intervals as vectors.

Writing points and intervals as vectors. For simplicity, we writet fordlogTe. In order to realize the “at most one” promise, we need to decompose intervals into disjoint sub-intervals where each sub-interval contains all the points with some fixed prefix, e.g. [010, 110] can be written as [010, 011]∪[100, 101]∪

[110, 110]. Indeed, any interval in [T] can be partitioned into at most 2t disjoint sub-intervals with this property [DVOS00, Lemma 10.10].2In addition, we can ensure that there are exactly 2t sub-intervals by padding with empty intervalsε(using empty intervals ensures that no point ever lies in more than one of these 2tsub-intervals).

Lemma 8 (interval to vector [DVOS00]).There is an efficientPPTalgorithmIntVecthat on input I⊆[T] outputs(w1,w2, . . . ,w2t)∈¡{0, 1}∗∪{ε}¢2t, where t:= dlogTe, with the following properties:

– for each i=1, . . . ,t , we have w2i−1,w2i∈{0, 1}i∪{ε};

– for all z∈[T], we have z∈I iff one of w1, . . . ,w2t is a prefix of z;

– for all z∈[T], at most one of w1, . . . ,w2t is a prefix of z.

Here,εis not a prefix of any string.

For instance,IntVec([010, 110])=(ε,ε, 01, 10, 110,ε).

Remark 2 (Hashing bit strings intoZq).We map {0, 1}t∪{ε} wheret := dlogTeintoZq in the

straight-forward way, which requires thatq ≥T+1. We can handle also largerT by using matrices overZq à la

[ABB10a, Section 5].

Now we give the description of algorithmPtVec, used to map points to vectors.

PtVec: On inputz∈[T], output (v1, . . . ,v2t)∈Z2qt, wherev2i−1=v2i:=i-bit prefix ofz,i=1, . . . ,t.

For instance,PtVec(011)=(0, 0, 01, 01, 011, 011).

Lemma 9. For any point z∈[T]and any interval I⊆[T],

– z∈I iffPOR-EQ(PtVec(z),IntVec(I))=1 – PAT MOST ONE(PtVec(z),IntVec(I))=1.

Lemma 9 follows readily from Lemma 8.

ReducingPKP-RANGEtoPAND-OR-EQ. We map (z,I) to (PtVecD(z),IntVecD(I)) where

– PtVecD(z)∈ZqD×2tdenotes the matrix whosei’th row isPtVec(zi)

– IntVecD(I)∈ZqD×2tdenotes the matrix whosej’th row isIntVec(Ij)

Lemma 10 (PKP-RANGEtoPAND-OR-EQ).For allz∈[T]DandI⊆(I[T])D,

– PKP-RANGE(z,I)=1iffPAND-OR-EQ(PtVecD(z),IntVecD(I))=1 – PAND AT MOST ONE(PtVecD(z),IntVecD(I))=1

Lemma 10 follows readily from Lemma 9, applied to each dimensioni∈[D].

Predicate (ciphertext-policy). Here,PCP-RANGE:I(T)D×[T]D→{0, 1} and

PCP-RANGE(I,z)=1 iff

D

^

j=1

¡

zj∈Ij

¢

The predicatesPOR-EQandPAT MOST ONEare symmetric:

Lemma 11 (Symmetry ofPOR-EQandPAT MOST ONE).For allx,y∈Z`q, we have:

– POR-EQ(x,y)=1⇐⇒POR-EQ(y,x)=1

– PAT MOST ONE(x,y)=1⇐⇒PAT MOST ONE(y,x)=1

ReducingPCP-RANGEtoPAND-OR-EQ. Following the previous reduction, we map (I,z) to (IntVecD(I),PtVecD(z)).

Lemma 12 (PCP-RANGEtoPAND-OR-EQ).For allI⊆(I[T])Dandz∈[T]D,

– PCP-RANGE(I,z)=1iffPAND-OR-EQ(IntVecD(I),PtVecD(z))=1 – PAND AT MOST ONE(IntVecD(I),PtVecD(z))=1.

Lemma 12 follows from Lemma 10 and Lemma 11.

4 Predicate Encryption for AND-OR-EQ

Here we describe our predicate encryption scheme for the AND-OR-EQ predicate defined in Section 3.1, selectively secure and lattice-based. Recall thatPAND-OR-EQ:ZDq×`×ZDq×`→{0, 1}, and

PAND-OR-EQ(X,Y)=1 iff

D

^

i=1

`

_

j=1

¡

Xi,j=Yi,j¢

The security of our scheme relies on the fact the ciphertext attributes and secret key predicates come from a restricted domainX,Y⊆ZqD×`satisfying the “at most one” promise, namely for allX∈X,Y∈Y,

PAND AT MOST ONE(X,Y)=1

Indeed, the promise is satisfied by all of our reductions in Section 3.1.

Overview. We begin with the special caseD=1. Given an attribute matrixx∈Z1q×`, the ciphertext is an

LWE sample corresponding to a matrix of the form

£

AkA1+x1Gk · · · kA`+x<sub>`</sub>G¤

whereA, theAi’s andGare publicly known matrices, and the message is masked using an LWE sample

corresponding to a public matrixP. The secret key corresponding toy∈Z1q×`is a collection of`short

matricesU1, . . . ,U`such that for allj∈[`],

£

AkAj+yjG¤Uj=P

To understand how decryption works, let us first suppose that there exists a unique j such thatxj=yj

and that the decryptor knowsj; then, the decryptor can useUjto recover the plaintext. However, since

the decryptor does not knowx, he will try to decrypt the ciphertext using each ofU1, . . . ,U`. We will also

need to pad the plaintext with redundant zeros so that the decryptor can identify the correct plaintext. To establish security with respect to some selective challengex∗_{, we will need to simulate secret keys} for allysuch thatx∗_j 6=yjfor allj∈[`]. We can then simulateUjusing an “all-but-one” simulation (while

Higher dimensions. Given an attribute matrixX∈ZDq×`, the ciphertext is an LWE sample corresponding

to a matrix of the form

£

AkA1,1+X1,1Gk · · · kA1,`+X1,`GkA2,1+X2,1Gk · · · kAD,`+XD,`G

¤

The secret key corresponding toY∈ZDq×`is a collection ofD·`short matricesU1,1, . . . ,UD,`such that for

i∈[D],j∈[`]:

£

AkAi,j+Yi,jG¤Ui,j=Pi

whereP1, . . . ,PDis an additive secret-sharing ofP.

For correctness, observe that if there exist indices (j1, . . . ,jD)∈[`]Dsuch that for alli∈[D]Xi,ji=Yi,ji

then the decryptor can useU1,j1,· · ·,UD,jD to recover the plaintext. As with the caseD=1, the decryptor

will need to enumerate over all (j1, . . . ,jD)∈[`]D.

To simulate secret keys forY with respect to some selective challengeX∗, we first fix i∗ _{such that} X∗

i∗_,j6=Yi∗_,jfor allj∈[`]. Without loss of generality, supposei∗=1, that is, for allj∈[`],X_1,∗_j6=Y_1,j.

Using the "at most one" promise onXandY, we know that for alli≥2, we haveX_i∗_,j=Yi,jfor at most

onej∈[`], which we call ji. That is, there exists a vector of indices (j2, . . . ,jD)∈[`]D−1such that for all

i≥2 and allj6=ji, we haveX_i∗_,j6=Yi,j. We then proceed as follows:

– Sample random short matricesU2,j2, . . . ,UD,jD, which in turn determines the sharesP2, . . . ,PD.

– Use an all-but-one simulation strategy to sample the short matricesUi,j, for alli≥2, andj6=ji.

– DefineP1:=P−PD_i=2Pi and use an all-but-one simulation strategy to sample the remaining short

matrices in the secret key.

Note that the construction relies crucially on the “at most one” promise on X and Y. In fact, the scheme given in Section 4.1 is insecure if this promise is not fulfilled, that is, there is a PPT adversary that wins the game defined in Section 2.3 with non negligible advantage. The attack goes as follows. Suppose that the adversary holds a secret key forY∈ZDq×`such that PAND-OR-EQ(X,Y)=0 andPAND AT MOST ONE(X,Y)=0. SincePAND AT MOST ONE(X,Y)=0, for some dimension i∈[D], there are at least two indices j1, j2∈[`] such thatXi,j1 =Yi,j1 andXi,j2 =Yi,j2, and therefore, both short matrices Ui,j1 andUi,j2 allow to recover the same LWE sample corresponding to the matrixPi, up to some error. WhenXi,j26=Yi,j2however,Ui,j2 with the corresponding (i,j2) component of the ciphertext only gives a uniformly random vector. Therefore, the fact thatUi,j1andUi,j2both decrypts to (almost) the same LWE sample tells the adversary thatXi,j1 =Yi,j1andXi,j2=Yi,j2 with high probability, contradicting the fact that the scheme is weakly attribute hiding. This induces an attack whose running time is polynomial in the security parameter.

4.1 Construction

Letn∈Nbe the security parameter. Let the attribute spaceXand predicate spaceYbe subsets ofZD_q×` satisfying the “at most one” promise. Letq=q(n) ,m=m(n,`,D) andχmax=χmax(n,q,`,D) be positive

integers. Letσ=σ(n,q,`,D) be a Gaussian parameter.

Setup(1n,X,Y,M): On inputs the security parametern,X⊆ZqD×`,Y⊆ZDq×`andM:={0, 1}k, do:

– Pick (A,TA)←TrapGen(1n, 1m,q).

– PickP←RZnq×(k+n).

– Compute (G,TG) as defined in Lemma 4.

– Outputmpk:=(P,A,A1,1, . . . ,AD,`,G,TG) and msk:=TA

Enc(mpk,X,b): On inputmpk,X∈Xandb∈{0, 1}k, do: – Picks←RZnq,e←Rχm, and computec0:=s>A+e>.

– For alli∈[D] and all j∈[`], do:

• PickRi,j←{−1, 1}m×m.

• Computeci,j:=s>

¡

Ai,j+Xi,jG

¢ +e>_R

i,j.

– Setb0:=(b, 0, . . . , 0)∈{0, 1}k+n, picke0←Rχk+n, and computecf :=s>P+e0>+b0>· bq/2c.

– Outputct:=(c0,c1,1, . . . ,cD,`,cf)

KeyGen(mpk,msk,Y): On input the public parametersmpk, the master secret keymsk, and a predicate matrixY∈Y, do:

– Secret sharePas {Pi,i∈[D]}, such that D

P

i=1

Pi=P.

– For alli∈[D] and all j∈[`] :

Sample a short matrixUi,j∈Zq2m×(k+n)such that

£

AkAi,j+Yi,jG¤Ui,j=Piusing

RightSample(A,TA,Ai,j+Yi,jG,Pi,σ) withσ=O(pnlogq).

– output the secret keyskY=(U1,1, . . . ,UD,`)

Dec(mpk,skY,ct): On input the public parametersmpk, a secret keyskY=(U1,1, . . . ,UD,`) for a predicate

matrixY, and a ciphertextct=(c0,c1,1, . . . ,cD,`,cf), do:

– For all (j1, . . . ,jD)∈[`]D, computed:=cf− D

P

i=1

£

c0kci,ji

¤

Ui,ji modq.

– Ifj_qd_/2m∈{0, 1}k×0n, then output the firstk bits ofj_qd_/2m. For anyz∈[0, 1], we denote bybzethe closest integer toz.

– Otherwise, abort.

Running time. The running times are: – O(D·`·poly(n)) for encryption; – O(D·`·poly(n)) for key generation; – O(`D·poly(n)) for decryption.

The above numbers take into account matrix multiplications and additions. When done naively, the aboveDecalgorithm takesO(D·`D·poly(n)) time. However, if one saves the intermediate results

£

c0kci,j¤Ui,jfor all (i,j)∈[D]×[`], one can do it inO(`D·poly(n)) time.

4.2 Correctness

Lemma 13. Suppose thatχmaxis such that

χmax≤q/4·¡1+D·(1+20pm)·s·2m¢−1

where s = σ·ω(p

logn). Let (X,Y) ∈X×Y such thatPAND-OR-EQ(X,Y)= 1. Let skY =(U1,1, . . . ,UD,`) ←

andct₌(c0, . . . ,cf)←Enc(mpk,X,b)

With overwhelming probability in n,Decdoes not abort and outputsb.

Proof. Recall thatDeccomputesdfor all (j1, . . . ,jD)∈£`¤D. We consider two cases:

Case 1:∀i,Xi,ji=Yi,ji. We show that with overwhelming probability inn,

j _d

q/2

m

=(b, 0, . . . , 0) :=b0. For alli∈[D],

£

A||Ai,ji+Xi,jiG

¤

Ui,ji=Pi thus D

X

i=1

£

A||Ai,ji+Xi,jiG

¤

Ui,ji=P

This implies

D

X

i=1

[c0kci,ji

¤

Ui,ji≈ D

X

i=1

s>£

A||Ai,ji+Xi,jiG

¤

Ui,ji=s

>_P

≈cf−b0>· bq/2c

and thusd≈b0_{· bq/2c. To obtain}j d q/2

m

=b0_{, it suffices to bound the error term and show that}

° ° °e 0> − D X

i=1

(e> ||e>_R

i,ji)Ui,ji

° ° °

∞<q/4.

We know thatke0>_k

∞≤χmax. In addition, for alli∈[D],

° ° °(e

> ||e>_R

i,ji)Ui,ji

° ° ° ∞≤ ° ° °(e > ||e>_R

i,ji)

° ° °·

° ° °Ui,ji

° ° °≤

³

kek +°°R_i,ji ° °₂· kek

´ ·

° ° °Ui,ji

° ° °

By Lemma 6,°°U_i,ji ° °≤σ·ω(

p

logn)·p2mand by Lemma 2,°°R_i,ji ° °

2≤20

p

m. Combining these bounds, we obtain ° ° °e 0> − D X

i=1

(e> ||e>_R

i,ji)Ui,ji

° ° °

∞≤χmax+D·χmax·(1+20 p

m)·σ·ω(qlogm)·p2m

We will set the parameters in Section 4.4 so that the quantity on the right is bounded byq/4.

Case 2:∃i∗,Xi∗_,ji∗ 6=Y_i∗_,ji∗. We show that the computed valuedhas a distribution which is statistically

close to uniform, and therefore the probability that the lastnbits ofj_qd_/2mare all 0 is negligible inn. By an analogous calculation to that in Case 1, we have:

D

X

i=1

£

A||Ai,ji+Xi,jiG

¤

Ui,ji=P+ D

X

i=1

[0||(Xi,ji−Yi,ji)G

¤

Ui,ji

We know that there exists somei∗_{∈[D] such thatXi∗}

,ji∗6=Yi∗,ji∗, and we focus on

£

0> ||s>_(X

i∗_,j

i∗−Yi∗,ji∗)G ¤

Ui∗_,j

i∗

By Remark 1, we know that the bottom partU2∈Zqm×(k+n) ofUi∗_,ji∗ is sampled fromD_Zm q,σ·ω(

p

logn).

Therefore, sinceXi∗_,ji∗−Y_i∗_,ji∗6=0 andGis a full-rank matrix, by Lemma 5, we know that the distribution

from uniform overZk_q+n. Therefore,

d=cf− D

X

i=1

£

c0||ci,ji

¤

Ui,ji modq

is indistinguishable from uniform overZk_q+n, and the probability that the lastnbits ofj_qd_/2mare all 0 is negligible inn.

4.3 Proof of Security

Lemma 14. For any adversaryAon the predicate encryption scheme, there exists an adversaryBon the LWE assumption whose running time is roughly the same as that ofAand such that

AdvPE

A(n)≤AdvBdLWEn,m+n+k,q,χ+negl(n)

The proof follows via a series of games, analogous to those in [AFV11]. We first define several auxiliary algorithms for generating the simulated ciphertexts and secret keys, upon which we can describe the games.

Auxiliary algorithms. We introduce the following auxiliary algorithms:

„

Setup(1n,X,Y,M,A,P,X∗): on a security parametern, an attribute spaceX⊆ZDq×`, a predicate space Y⊆ZDq×`satisfying the “at most one promise”, a message spaceM:={0, 1}k, a matrixA∈Znq×m, a matrix

P∈Znq×(k+n)and the challenge attribute matrixX∗, do:

– Compute (G,TG) as defined in Lemma 4.

– For alli∈[D] and all j∈[`], pickRi,j←{−1, 1}m×mand setAi,j:=ARi,j−X_i∗_,jG.

– Outputmpk:=(P,A,A1,1, . . . ,AD,`,G,TG) andmskg:=(X∗,R<sub>1,1</sub>,· · ·,R<sub>D,</sub>`,T_A)

g

Enc(mpk,b;mskg,d₀,d_f): On input the public parametersmpk, a messageb∈{0, 1}k, the master secret

keymskg, and the extra inputsd₀∈Zm_q ,d_f ∈Zk_q+ndo:

– Setc0:=d>₀,

– For alli∈[D] and all j∈[`], computeci,j:=d>₀Ri,j,

– Computeb0:=(b, 0, . . . , 0)∈{0, 1}k+n, and setcf:=d>_f +b0>bq/2c.

– Output (c0, . . . ,cf).

ã

KeyGen(mpk,mskg,Y,X∗): On input the public parametersmpk, the master secret keymskg, a predicate

matrixYand the challenge attribute matrixX∗do: – IfP(X∗_{,Y)=1, abort.}

– Otherwise, sinceP(X∗,Y)=0, there must exist ai∗_{∈[D] such that for allj∈[`],X}∗

i∗_,j6=Yi∗_,j. By the

“at most one” property, for alli∈[D], there is at most oneji∈[`] such thatX_i∗_,ji=Yi,ji.

We proceed in three steps :

1. First, for alli∈[D] \ {i∗_{} we sample:Ui}

,ji←RDZ_q2m×(k+n)_,σ_·ω₍p_logn)withσ=O(

p

nlogq) and set

Pi:=

h

A||ARi,ji

i

2. Next, we setPi∗ to be:Pi∗:=P− P

i6=i∗Pi

3. We sample the remaining matrices as follows:

Ui,j←LeftSample(A,Ri,j,G,Yi,j−Xi∗,j,Pi,σ).

This is possible becauseYi,j−X_i∗_,j6=0, wheneveri=i∗or wheneverj6=ji.

– Output (U1,1, . . . ,UD,`).

Game sequence. We present a series of games. We writeAdv_xxxto denote the advantage ofAinGamexxx.

– Game0: is the real security game, as defined in Section 2.3.

– Game1: same asGame0, except that the challenger runs

„

Setup(1n,X,Y,M;A,P,X∗_β) and Encg(mpk,bβ;mskg,s>A+e>,s>P+e0>)

with (A,TA)←RTrapGen(1n, 1m),P←RZ

n×(k+n)

q ,s←RZnq,e←Rχm, ande0←Rχk+n. – Game2: same asGame1except that the challenger runsKeyGenã.

– Game3: same asGame2except that the challenger runs

g

Enc(mpk,b_β;mskg,d₀,d_f)

whered0←RZmq anddf ←RZkq+n.

– Game4: is the same asGame3except that the challenger runsKeyGen.

We show in the following lemmas that each pair of games (Gamei,Gamei+1) are either statistically

indistinguishable or computationally indistinguishable under the decision-LWE assumption. Finally, we show in Lemma 19 that no information is leaked aboutβis the last gameGame4.

Lemma 15 (Game0toGame1).For all m>(n+1) logq+ω(logn), we have|Adv0−Adv1| =negl(n).

Proof. FromGame0toGame1, we switch fromSetup,EnctoSetup„,Encg.

Note that the only difference betweenGame0andGame1is that for alli∈[D] and j∈[`], the matrix

Ai,jis set to beAi,j←RZnq×minGame0, whereas it is set to beAi,j:=ARi,j−X_i∗_,jGinGame1, whereRi,j←R {−1, 1}m×m. The matrixAi,jonly appears in thempkand in the componentci,j=s>(Ai,j+X_i∗_,jG)+e>Ri,j

of the ciphertext.

Therefore it suffices to show that the distribution of (A,e,Ai,j,e>Ri,j) in Game0 and Game1 are

statistically close, that is,

(A,e,Ai,j,e>Ri,j)≈s(A,e,ARi,j−Xi∗,jG,e>Ri,j)

whereAi,j←RZnq×m,Ri,j←R{−1, 1}m×m, ande←Rχm. Observe that

(A,e,Ai,j,e>Ri,j)

≡(A,e,Ai,j−Xi∗,jG,e>Ri,j) sinceAi,j←RZnq×m

≈s(A,e,ARi,j−X_i∗_,jG,e>Ri,j) by Lemma 1

Proof. FromGame1toGame2, we switch fromKeyGentoKeyGenã. Therefore, it suffices to show that for

any predicateYsuch thatP(X∗,Y)=0, the following distributions are statistically close:

KeyGen(mpk,msk,Y)≈sKeyGenã(mpk,mskg,Y,X∗)

We write:Fi,j:=

¡

AkAi,j+Yi,jG

¢

=³AkARi,j+(Yi,j−X_i∗_,j)G

´

∈Znq×2m.

SinceP(X∗,Y)=0, we know that there must exist ai∗∈[D] such thatYi∗_,j6=X_i∗_∗,j for all j∈[`]. Because

PAND AT MOST ONE(X∗,Y)=1, we know that for alli∈[D], there is at most oneji∈[`] such thatYi,ij =Xi∗,ij.

We proceed in three steps:

1. First, we argue that the joint distribution {Pi,Ui,ji:i∈[D],i6=i∗} is statistically close inKeyGenand

inKeyGenã. This follows readily from Lemma 5.

2. Next, we argue that the joint distribution {Pi:i∈[D]} is statistically close inKeyGenand inKeyGenã.

This follows readily from secret sharing.

3. Finally, fixP1, . . . ,PD. We argue that the distribution of the remaining matrices is statistically close

inKeyGenand inKeyGenã. This follows from Lemma 6, which tells us that the outputUi,j of both

RightSampleinKeyGenandLeftSampleinKeyGenã, are statistically close toD_ΛP_i

q(Fi,j),σ·ω(

p

logn).

We can sample theseUi,j inKeyGenã applyingLeftSamplebecauseY_i,j−X_i∗_,j6=0 wheneveri=i∗or

wheneverj6=ji.

Remark 3. Note that the "at most one" promise is crucial here, because whenYi,j−X_i∗_,j=0, we cannot

useLeftSampleto sample a short matrixUi,j such that

³

AkARi,j+(Yi,j−X_i∗_,j)G

´

Ui,j=Pi. If there exists

"at most one" ji∈[`] such thatYi,ji−Xi∗,ji =0, we can sample a short matrixUi,ji from some discrete

Gaussian distribution, and setPi to bePi:=¡AkARi,j+0·G¢Ui,j. Lemma 5 ensures that bothUi,j and

Piare correctly distributed. However, if there exist at least 2 indicesjiandj_i0∈[`] such thatYi,ji−Xi∗,ji=

Yi,j0

i−X

∗

i,j0

i =

0, then there is more than one matrix that we cannot sample usingLeftSample, and the previous technique does not work anymore.

Lemma 17 (Game2toGame3).There exists an adversaryBwhose running time is roughly the same as

that ofAand such that

|Adv₂−Adv₃| ≤AdvdLWEn,m+k+n,q,χ B

Note that only difference betweenGame2 andGame3 is that we switch the distribution of the inputs

(d0,dD+1) toEncgfrom LWE instances to random ones.

Proof. On input an LWE challenge

(A,P,d0,dD+1)

whereA←RZnq×m andP←RZnq×(k+n)and (d0,dD+1) is either (s>A+e>,s>P+e0>) or random,Bsimulates

Aand proceeds as follows:

– runsSetup„(1n,X,Y,M;A,P,X∗_β) as inGame2;

– answersA’s private key queries by usingKeyGenãas inGame₂;

– runsEncg(mpk,bβ;mskg,d₀,d_D+1) to generate the challenge ciphertext;

– Finally,Aguesses if it is interacting with aGame2or aGame3challenger.BoutputsA’s guess as the

When the LWE challenge is pseudorandom as in Definition 1, the adversary’s view is as inGame2. When

the LWE challenge is random the adversary’s view is as inGame3. Therefore,B’s advantage in solving

LWE is the same asA’s advantage in distinguishingGame2andGame3.

Lemma 18 (Game3toGame4). |Adv₃−Adv₄| =negl(n)

Proof. The differences betweenGame3andGame4are:

– InGame3,A←RZnq×m, andTA:= ⊥, whereas inGame4, (A,TA)←RTrapGen(1n, 1m).

– InGame3, the challenger answers the adversary’s secret key using theKeyGenãalgorithm, whereas he

answers using theKeyGenalgorithm inGame4.

The proof is the same as the one of Lemma 16, by symmetry of the games.

Lemma 19 (Game4).We have |Adv₄−1/2| =negl(n)

Proof. InGame4, both the challenge ciphertext and the secret keys are independent ofβ. Moreover, by

Lemma 1, we know that for alli∈[D], for allj∈[`] the two following distributions are statistically close

(A,Ai,j)≈s(A,ARi,j−X_i∗_,jG)

whereAi,j←RZqn×m,Ri,j←R{−1, 1}m×m, ande←Rχm. Thus, thempkdoes not leak any information on X∗_β. Therefore, we get|Adv₄−1/2| =negl(n).

4.4 Parameter selection

– By Lemma 1, we needm>(n+1) logq+ω(logn) – By Lemma 3, and Lemma 4, we requirem=Θ(nlogq) – By Lemma 5, we needm≥2nlogq

– By Lemma 6, we needσ=O(kTAkGS) andσ=O(kTGkGS·(1+ kRk2))

wherekTAkGS =O(

p

nlogq) andkRk2 ≤20pm with overwhelming probability inn, according to

Lemma 3 and Lemma 5, respectively.

– For correctness of decryption, we require χmax ≤q/4·¡1+D·(1+20pm)·s·2m¢−1, where s =σ·

ω(p

logn).

Consequently we takem=Θ(nlogq) ,σ=O¡p

nlogq¢

andχmax=O

¡

q·(D·(nlogq)3/2·s)−1¢

wheres=σ·ω(p

logn).

4.5 Putting everything together for multi-dimensional range queries

5 Shorter Ciphertexts and Secret Keys for Multi-Dimensional Subset Queries

The predicate encryption scheme for PAND-OR-EQ exhibited in Section 4 together with the reductions presented in Section 3 lead to efficient predicate encryption schemes for multi-dimensional subset queries.

Indeed, when D denotes the dimension and T denotes the size of the sets, we obtain a predicate encryption scheme forPKP-SUBSETandPCP-SUBSETwith ciphertexts and secret keys of sizeO(D·T).

However, in this section we show how we can improve the size of the secret keys and ciphertexts in order to obtain:

– ciphertexts of sizeO(D) forPKP-SUBSET – secret keys of sizeO(D) forPCP-SUBSET

5.1 Multi-dimensional subset queries, ciphertext policy

We can obtain a predicate encryption scheme forPCP-SUBSETusing the reduction toPAND-OR-EQdefined in section 3.2, with secret keys of sizeO(D·T). We reduce the size of the secret keys size down toO(D) using the fact that in each dimension, only one of theT matrices in the secret key is needed to decrypt. On the one hand, for each dimensioni, the reduction maps a pointz∈[T] into the vectorez. Therefore,

for all j6=ztheKeyGenalgorithm generates a short matrixUi,j which is a preimage of some target for

the matrix£

AkAi,j+0·G¤.

On the other hand, a characteristic vectorw∈{0, 1}T, is mapped into a−1, 1 vector. Thus, for all j, the (i,j)’th component of the ciphertext is an LWE sample corresponding to the matrix£

Ai,j+∗G¤,∗ ∈{−1, 1}.

Consequently, the matricesUi,j for j6=zdo not yield any useful information to decrypt the ciphertext.

Therefore, we can remove them, and still satisfies correctness. Moreover, it is clear that removing parts of the secret key will not affect the security. Removing these matrices, we obtain a scheme whose secret keys have sizeO(D), and whose decryption algorithm runs in timeO(D·poly(n)) (instead ofO(TD·poly(n))).

Construction. Letn∈Nbe the security parameter andT,D positive integers. Letq =q(n,T,D) ,m= m(n,T,D) andχmax=χmax(n,T,D) be positive integers, andσ=σ(n,T,D) be a Gaussian parameter.

Setup(1n,X,Y,M): on a security parametern, an attribute spaceX:={0, 1}D×T, a predicate spaceY:= ZD

q, and a message spaceM:={0, 1}k, do:

– Pick (A,TA)←TrapGen(1n, 1m,q).

– PickA1,1, . . . ,AD,T←RZnq×m.

– PickP←RZ

n×(k+n) q .

– Compute (G,TG) as defined in Lemma 4.

– Output:mpk:=(P,A,A1,1, . . . ,AD,T,G,TG) and msk:=TA

Enc(mpk,X,b): On input the public parameters mpk, an predicate matrixX∈X, and a messageb∈

{0, 1}k, do:

– Picks←RZnq,e←Rχm, and computec0:=s>A+e>.

– for alli∈[D] and allj∈[T], do:

• Computeci,j:=s>¡Ai,j+Xi,jG¢+e>Ri,j.

– Setb0:=(b, 0, . . . , 0)∈{0, 1}k+n, pick ane0←Rχk+n, and computecf :=s>P+e0>+b0>· bq/2c.

– Output:ct:=(c0,c1,1, . . . ,cD,T,cf)

KeyGen(mpk,msk,y): On input the public parametersmpk, the master secret keymsk, and an attribute vectory∈Y, do:

– Secret sharePas {Pi,i∈[D]}, such that D

P

i=1

Pi=P.

– For alli∈[D]:

Sample a short matrixUi∈Z2qm×(k+n)such that

£

AkAi,yi+G

¤

Ui=Pi

usingRightSample(A,TA,Ai,yi+G,Pi,σ) withσ=O(

p

nlogq). – Output the secret keyskY=(U1, . . . ,UD).

Dec(mpk,sky,ct): On input the public parametersmpk, a secret keysky=(U1, . . . ,UD) for an attribute

vectory, and a ciphertextct₌(c0,c1,1, . . . ,cD,T,cf), do:

– Computed:=cf−PDi=1

£

c0kci,yi

¤

Ui modq.

– Output the firstkbits ofj_qd_/2m. For anyz∈[0, 1], we denote bybzethe closest integer ofz.

Correctness and security. Correctness and security proofs follow readily from those ofPAND-OR-EQ in Section 4.

5.2 Multi-dimensional subset queries, key-policy

The following scheme is similar (however simpler) to the one presented in Section 4 forPAND-OR-EQ.

Overview. We begin with the special caseD=1. Given an attribute vectorx∈[T]D, the ciphertext is an LWE sample corresponding to the matrix£

AkA1+xG¤and the message is masked using an LWE sample

corresponding to a public matrixP. The secret key corresponding toY∈{0, 1}T is a collection ofT short matricesU1, . . . ,UT such that:

£

AkA1+jG¤Uj =P ifYj=1

Uj = ⊥ ifYj=0

For correctness, observe that ifYx=1, then the decryptor can useUxto recover the plaintext. However,

since the decryptor does not knowx, he will try to decrypt the ciphertext using each ofU1, . . . ,UT. We will

need to pad the plaintext with redundant zeroes so that the decryptor can identify the correct plaintext. To establish security with respect to some selective challengex∗_{, we will need to simulate the secret keys} for allYsuch thatYx∗=0. Observe that for allj=1, . . . ,T,

Yj=1=⇒j6=x∗

We can then simulateUj using an “all-but-one” simulation (while puncturing atx∗) exactly as in prior

Higher dimensions. Given an attribute vectorx∈[T]D, the ciphertext is an LWE sample corresponding to the matrix£

AkA1+x1Gk · · · kAD+xDG¤.

The secret key corresponding toY∈{0, 1}D×T is a collection ofD·T short matricesU1,1, . . . ,UD,T such

that forj=1, . . . ,T,i=1, . . . ,D:

£

AkAi+jG

¤

Ui,j =Pi ifYi,j=1

Ui,j = ⊥ ifYi,j=0

whereP1, . . . ,PDis an additive secret-sharing ofP.

For correctness, observe that ifY1,x1=Y2,x2=. . .=YD,xD =1, then the decryptor can useU1,x1,· · ·,UD,xD

to recover the plaintext. As with the caseD=1, the decryptor will need to enumerate over allx0∈[T]D. To simulate secret keys forYwith respect to some selective challengex∗, first we fixi∗_{such thatY}

k,x∗

i∗=0.

Without loss of generality, supposei∗_{=1, that is,Y}

1,x∗

1 =0. We then proceed as follows: – Sample random short matricesU2,x∗

2, . . . ,UD,x∗D, which in turn determines the sharesP2, . . . ,PD.

– DefineP1:=P−PD_i=2Pi and use an all-but-one simulation strategy to sample the remaining short

matrices in the secret key.

Construction. Letn ∈Nbe the security parameter andT,D be positive integers. Letq =q(n) ,m= m(n,T,D) andχmax=χmax(n,q,T,D) be positive integers, andσ=σ(n,q,T,D) be a Gaussian parameter.

Setup(1n,X,Y,M): onn,X:=ZDq,Y:={0, 1}D×T andM:={0, 1}k, do:

– Pick (A,TA)←TrapGen(1n, 1m,q).

– PickA1, . . . ,AD←RZnq×m.

– PickP←RZnq×(k+n).

– Compute (G,TG) as defined in Lemma 4.

– Output:mpk:=(P,A,A1, . . . ,AD,G,TG) and msk:=TA

Enc(mpk,x,b): On inputmpk,x∈Xandb∈{0, 1}k: – Picks←RZnq,e←Rχm, and computec0:=s>A+e>.

– For alli∈[D]:

• PickRi←{−1, 1}m×m.

• Computeci:=s>¡Ai+xiG¢+e>Ri.

– Setb0:=(b, 0, . . . , 0)∈{0, 1}k+n, picke0←Rχk+n, and computecf :=s>P+e0>+b0>· bq/2c.

– Output:ct:=(c0,c1, . . . ,cD,cf)

KeyGen(mpk,msk,Y): On inputmpk,msk, andY∈Y, do:

– Secret sharePas {Pi,i∈[D]}, such that D

P

i=1

Pi=P.

– For alli∈[D] andj∈[T]:

• IfYi,j=1 then sample a short matrixUi,j∈Z2qm×(k+n)such that

£

AkAi+jG¤Ui,j=Pi