Keywords

1 Introduction

In this paper, we study Predicate Encryption (PE), a variant of functional encryption. In PE for a Boolean function \(f : \{0,1\}^{2n} \rightarrow \{0,1\}\), an authority can create ciphertexts and secret keys which are labeled with values, or “attributes”, from \(\{0,1\}^n\). An authorized user with a decryption key \(K_y\) (with label \(y\in \{0,1\}^n\)) can decrypt a ciphertext \(CT_x\) (with label \(x\in \{0,1\}^n\)) if and only if \(f(x,y)=0\). Furthermore (in contrast to the related, weaker notion of attribute-based encryption), the attribute x is hidden unless the user can decrypt the messageFootnote 1.

Predicate encryption was first introduced by Boneh and Waters [10] and is a natural cryptographic primitive with a number of applications throughout cryptography and security [10, 22]. For instance, an executive may issue a secret key that allows her assistant to read only her emails that are labeled with certain business-related keywords, without revealing any of the keywords of any other emails. A credit card company may issue a secret key that allows an intermediary to check whether a transaction should be flagged for suspicious activity (based on attributes such as amount, home address, and location of purchase), without revealing bulk information for all transactions. A bank may issue a secret key that allows a credit-reporting company to learn complete information about certain statuses, such as late payments, but not about all of them.

In these examples, the metadata (i.e. attributes) of messages may carry sensitive information and should not be revealed en masse, while revealing only a limited or targeted set of attributes may be acceptable, especially if the number of decrypted messages is small relative to the total number of messages (as in the credit-card example).

1.1 Constructing PE

A long line of work [10, 17, 18, 22] has shown how to construct PE for certain classes of functions based on various cryptographic assumptions. [10] first constructed PE for some simple functions such as wildcard-matching (i.e. \(s \in \{0,1\}^n\) matches \(p \in \{0,1,*\}^n\) if \(p[i] = s[i]\) whenever \(p[i] \ne *\)) with relatively standard assumptions on bilinear maps. However, the known bilinear maps-based constructions typically can only support functions that can be essentially expressed as inner products. The one known exception is [22], which shows how to construct PE for the greater-than function (which cannot be expressed as a succinct inner product) using a different approach.

Some recent work has shown how to achieve better results using other assumptions. [13] showed how the stronger multilinear maps assumption can be used to construct PE for any f with polynomial-size circuits. [17] showed how to construct PE for polynomial-size circuits using assumptions on learning with errors (LWE).

In this work, we return to the question of constructing PE based only on bilinear maps. We will show how to do so for a large class of functions whose ‘one-sided probabilistic rank’ is low.

1.2 One-Sided Rank

Consider a Boolean function \(f : \{0,1\}^{2n} \rightarrow \{0,1\}\) where we think of 0 as ‘true’ and 1 as ‘false’. The one-sided rank of f over a ring \(\mathcal{R}\) is the minimum integer d such that there are two maps \(g,h : \{0,1\}^n \rightarrow \mathcal{R}^d\) so that for any two \(x,y \in \{0,1\}^n\) we have:

  • If \(f(x,y) = 0\) then \(\langle g(x), h(y) \rangle = 0\), and

  • If \(f(x,y) = 1\) then \(\langle g(x), h(y) \rangle \ne 0\).

One-sided rank is a generalization of the notion of matching vector families (in the case when f is the equality function), and was recently studied in a cryptographic context by Bauer, Vihrovs, and Wee [8]. As first described by [18], if f has one-sided rank d, then f has ciphertexts of length \(O(d \log |\mathcal{R}|)\) for a number of different cryptographic primitives, including PE, given assumptions on bilinear maps. The idea is that g and h give an embedding of f into the inner product function, for which PE is already known from assumptions on bilinear maps [20] (specifically, from a variant on the Decisional Diffie-Hellman assumption; see Sect. 4.4 for more details).

This remark leads to PE for some functions with surprisingly low one-sided rank. For instance, over any ring with sufficiently large characteristic, Bauer et al. show that the equality function \(\textsf {EQ}_n : \{0,1\}^{2n} \rightarrow \{0,1\}\), where \(\textsf {EQ}_n(x,y)\) tests whether \(x=y\), has one-sided rank only 2, by picking \(g(x) = (x,1)\) and \(h(y) = (-1,y)\). However, for a number of other functions f of interest, including the greater-than function, the not-equals function, threshold functions, and or-of-equality functions, Bauer et al. show one-sided rank lower bounds, i.e. that the one-sided rank must be exponentially large in n. Hence, this one-sided rank approach is insufficient to construct PE with \(\mathrm{poly}(n)\) size ciphertexts for these functions.

1.3 One-Sided Probabilistic Rank

In this paper, we nonetheless achieve predicate encryption for these aforementioned functions and more. Our approach is to consider a new variant on one-sided rank, which we call one-sided probabilistic rankFootnote 2, which combines one-sided rank with the notion of probabilistic rank introduced by Alman and Williams [3]. We say \(f : \{0,1\}^{2n} \rightarrow \{0,1\}\) has one-sided probabilistic rank d if there is a joint distribution \(\mathcal{D}\) on pairs of functions \(g,h : \{0,1\}^{n} \rightarrow \mathcal{R}^d\) such that for any two \(x,y \in \{0,1\}^n\) we have

  • If \(f(x,y) = 0\) then \(\Pr _{g,h \sim \mathcal{D}}[\langle g(x), h(y) \rangle = 0] \ge 1/\mathrm{poly}(n)\), and

  • If \(f(x,y) = 1\) then \(\Pr _{g,h \sim \mathcal{D}}[\langle g(x), h(y) \rangle = 0] \le \varepsilon (n)\) for a negligible function \(\varepsilon \).

Note in particular that, in contrast with the usual notion of probabilistic rank, or other related notions like matching vector families, the error in the \(f(x,y) = 0\) case may be very large in our definition; the success probability must only be polynomially bounded away from 0.

In a surprisingly simple construction, we show that PE can be constructed given assumptions about bilinear maps for any function with polynomially-low one-sided probabilistic rank, despite the high error.

Theorem 1

(Informal). Suppose the Boolean function \(f : \{0,1\}^{2n} \rightarrow \{0,1\}\) has one-sided probabilistic rank d over the ring \(\mathcal{R}\). Then, assuming the existence of PE for inner product over \(\mathcal{R}\), there is a PE scheme for f with ciphertexts of length \(O(d \log |\mathcal{R}|)\).

Loosely, the nonnegligible probability of outputting 0 in the \(f(x,y)=0\) case of one-sided probabilistic rank will lead to the correctness of the PE scheme, and the negligible probability \(\varepsilon \) in the \(f(x,y)=1\) case will be crucial for the security, since the scheme will leak information with probability \(\varepsilon \). Theorem 1 can then be combined with the aforementioned bilinear maps-based PE for inner product, or with any other construction of PE for inner product.

We use Theorem 1 to give a number of new constructions of predicate encryption for various functions. We show that by taking advantage of the allowed error, we can achieve \(\mathrm{poly}(n)\) one-sided probabilistic rank upper bounds for many functions \(f : \{0,1\}^{2n} \rightarrow \{0,1\}\) of interest, including:

Functions with \(O(\log n)\) Arthur-Merlin (AM) Communication Complexity. In a \(\textsf {AM}\) communication protocol for inputs xy, first a public random string z is drawn, then Merlin, who sees xy,  and z, picks a proof \(\varphi \). Alice and Bob, who are each given access to z, \(\varphi \), and their own input, independently decide to accept or reject. The protocol is correct if there is always a proof \(\varphi \) which makes both players accept when \(f(x,y) = 0\), but there is unlikely to be one when \(f(x,y) = 1\).

We show that if \(\lnot f\) has such a protocol where the proof \(\varphi \) can be described by \(O(\log n)\) bits, then f has \(\mathrm{poly}(n)\) one-sided probabilistic rank. Such protocols, which take advantage of both randomness and a nondeterministic proof, are very powerful, and despite decades of work, there are no explicit functions for which \(\omega (\log n)\) \(\textsf {AM}\) communication lower bounds are known [2, 6, 12, 14, 15]. Moreover, we will be able to use \(\textsf {AM}\) communication protocols where the probability that there is a proof which makes both players accept when \(f(x,y)=1\) only has to be \(\le 1 - 1/\mathrm{poly}(n)\); this is even stronger than normal \(\textsf {AM}\) communication, and hence harder to prove lower bounds for.

To complement this result, we give \(O(\log n)\) \(\textsf {AM}\) communication protocols, and hence \(\mathrm{poly}(n)\) one-sided probabilistic rank constructions, for some functions of interest, including:

  • The greater-than function \(\textsf {GEQ}_n : \{0,1\}^{2n} \rightarrow \{0,1\}\) where \(\textsf {GEQ}_n(x,y)\) tests whether \(x \ge y\) when interpreted as n-bit integers in the range \([0,2^n - 1]\). We show its one-sided probabilistic rank is \(\mathrm{poly}(n)\), whereas Bauer et al. showed a \(2^n\) lower bound on its one-sided rank.

    Range checking (even multidimensional) can be implemented by using two or more greater-than functions. This supports, for example, the use case of police stations being permitted to view emergency reports originating within a fixed area surrounding their precincts.

  • Sparse Set Disjointness, the function which, for two subsets \(S_1, S_2 \subseteq U\) of a universe U with \(|S_1|, |S_2| \le \mathrm{poly}(n)\) and \(|U| \le 2^{\mathrm{poly}(n)}\), outputs 0 if \(S_1\) and \(S_2\) are disjoint. Using one-sided probabilistic rank allows us to handle universe sizes that are exponentially larger than is allowed by one-sided rank (which can only handle \(|U| \le \mathrm{poly}(n)\)).

    As described in the introduction, this can be used in the example where a CEO wants to give her assistant the ability to decrypt all of her emails, except those which are labeled with any of a set of keywords, e.g. “personal”, “receipts” or “legal”.

Our result is not the first to relate \(\textsf {AM}\) communication with variants on PE: conditional disclosure of secrets (CDS) is known to capture a weaker version of PE called attribute-based encryption, and is related to several communication models including \(\textsf {AM}\) [4, 5].

Polynomial-size SYM \(\circ \) SYM Circuits. Here, \(\textsf {SYM}\) refers to the set of symmetric Boolean functions (i.e. functions which only depend on the number of 1s in their input), and \(\textsf {SYM}\circ \textsf {SYM}\) is the set of depth-2 circuits of \(\textsf {SYM}\) gates. This is a very expressive circuit class for which proving lower bounds is a notoriously open problem (the best known lower bounds are only against quadratic size \(\textsf {SYM}\circ \textsf {SYM}\) circuits; see e.g. [1]).

It includes, as a simple example, for any \(0 \le k \le n\), the function which on input \(x,y \in \{0,1\}^n\) tests whether the Hamming distance from x to y is at most k. It is known that the one-sided rank of this function, as well as the usual probabilistic rank of this function, must be exponential in n [3, 8], but we show that its one-sided probabilistic rank is only \(\mathrm{poly}(n)\). PE for this function can be thought of as PE for the ‘approximately equal’ function, and thus generalizes Identity-Based Encryption [9]. This is applicable, for example, in approximate matching for online dating [17], where users may want to find other users that are sufficiently similar to their target profile.

Interestingly, our one-sided probabilistic rank construction for \(\textsf {SYM}\circ \textsf {SYM}\) circuits seemingly cannot be converted into an \(\textsf {AM}\) communication protocol, ostensibly showing that one-sided probabilistic rank is a more expressive notion than just \(\textsf {AM}\) communication (although, as mentioned, no \(\omega (\log n)\) \(\textsf {AM}\) communication lower bound is known for \(\textsf {SYM}\circ \textsf {SYM}\)).

Constant-size, polynomial fan-in AND-OR circuits of low one-sided probabilistic rank functions. It is not hard to see that one can construct PE for the OR of polynomially many functions for which PE is already known (one way is to simultaneously use an independent copy of the PE scheme for each function). We show that if the functions have PE because they have low one-sided probabilistic rank (such as in the examples above), then one may use any constant-size AND-OR circuit with polynomial fan-in gates rather than just a single OR gate. (There are some additional properties we require of the low one-sided probabilistic rank functions; see Sect. 3.5 for more details.)

Finally, we show that for \(m \le \mathrm{poly}(n)\), functions with low one-sided probabilistic rank over \(\mathbb {Z}_m\) also have low one-sided probabilistic rank over any ring of sufficiently large characteristic. Known bilinear maps-based constructions of PE for inner product, including the aforementioned construction by [20], only seem to work over \(\mathbb {Z}_M\) for \(M > n^{\omega (1)}\). It is thus not evident, a priori, that low one-sided probabilistic rank expressions over, say, \(\mathbb {F}_2\), lead to PE via our construction. We nonetheless show that such a low rank expression over \(\mathbb {F}_2\), or any \(\mathbb {Z}_m\) for \(m \le \mathrm{poly}(n)\), also leads to one over \(\mathbb {Z}_M\), and hence to PE. This seems surprising: by comparison, many other notions of rank can change drastically depending on the underlying ring (e.g. [7, 16]).

This construction implies, for instance, that we can construct PE for the inner product mod 2 given assumptions about bilinear maps, which was not previously known to the best of our knowledge.

1.4 Outline

In Sect. 2 we introduce the relevant notation and the formal notions of \(\textsf {AM}\) communication and PE we will be using. Then, in Sect. 3 we give our new one-sided probabilistic rank constructions, and in Sect. 4 we show how to construct PE using probabilistic one-sided rank and PE for inner product.

2 Preliminaries

2.1 Notation

For \(n \in \mathbb {N}\), we write [n] to denote the set \(\{1,2,\ldots ,n\}\). For a r-dimensional vector x and any \(i \in [r]\), we write x[i] for the ith entry of x. For an \(r_1\)-dimensional vector \(x_1\) and an \(r_2\)-dimensional vector \(x_2\), we write \(x_1||x_2\) to denote the \((r_1 + r_2)\)-dimensional vector resulting from concatenating the two. For a ring \(\mathcal{R}\), \(n \in \mathbb {N}\), and length-n vectors \(a,b \in \mathcal{R}^n\), we write \(\langle a,b \rangle _\mathcal{R}\) for their inner product over \(\mathcal{R}\), and we simply write \(\langle a,b \rangle \) when the ring is clear from context. For \(m \in \mathbb {N}\), we write \(\mathbb {Z}_m\) for the ring of integers mod m, and if m is a power of a prime, we write \(\mathbb {F}_m\) to denote the finite field of order m.

A function \(f : \mathbb {N}\rightarrow [0,1]\) is negligible if it is smaller than any inverse polynomial, i.e. for any positive constant c, there is a \(\varLambda > 0\) such that \(f(\lambda ) < \frac{1}{\lambda ^c}\) for all \(\lambda > \varLambda \).

2.2 Boolean Functions

For Boolean functions \(f : \{0,1\}^n \rightarrow \{0,1\}\), we think of 0 as ‘true’ and 1 as ‘false’. Hence, the function \(\textsf {AND}_n : \{0,1\}^n \rightarrow \{0,1\}\) has \(\textsf {AND}_n(x) = 1\) unless x is all all-0s vector, in which case \(\textsf {AND}_n(x) = 0\), and \(\textsf {OR}_n : \{0,1\}^n \rightarrow \{0,1\}\) is defined similarly. For any \(f : \{0,1\}^n \rightarrow \{0,1\}\), we write \(\lnot f\) for the function \(\lnot f : \{0,1\}^n \rightarrow \{0,1\}\) given by \(\lnot f(x) = 1 - f(x)\).

Define \(\textsf {EQ}_n, \textsf {NEQ}_n : \{0,1\}^{2n} \rightarrow \{0,1\}\) by \(\textsf {EQ}_n(x,y) = 0\) if \(x = y\) and \(\textsf {EQ}_n(x,y) = 1\) otherwise, and \(\textsf {NEQ}_n(x,y) = \lnot \textsf {EQ}_n(x,y)\). Further define \(\textsf {GEQ}_n : \{0,1\}^{2n} \rightarrow \{0,1\}\) by \(\textsf {GEQ}_n(x,y) = 0\) if \(x \ge y\) when interpreted as binary representations of integers between 0 and \(2^{n}-1\), and \(\textsf {GEQ}_n(x,y) = 1\) otherwise.

A Boolean function \(f : \{0,1\}^n \rightarrow \{0,1\}\) is symmetric if it only depends on the Hamming weight of its input, i.e. \(f(x) = f(y)\) for any \(x,y \in \{0,1\}^n\) with \(\sum _{i=1}^n x_i = \sum _{i=1}^n y_i\). We write \(\textsf {SYM}\) for the set of such functions. For \(x,y \in \{0,1\}^n\), write \(\textsf {HAM}(x,y)\) for the Hamming distance between x and y.

For \(k,n \in \mathbb {N}\), let \(B_{n,k} \subseteq 2^{[n]}\) denote the set of subsets \(X \subseteq [n]\) with size \(|X| \le k\). Define \(\textsf {DISJ}_{n,k} : B_{n,k} \times B_{n,k} \rightarrow \{0,1\}\) by \(\textsf {DISJ}_{n,k}(X,Y) = 0\) if \(|X \cap Y| = 0\) and \(\textsf {DISJ}_{n,k}(X,Y) = 1\) otherwise. Note that elements of \(B_{n,k}\) can be described using only \(k \log n\) bits.

2.3 \(\textsf {AM}\) Communication Protocols

An Efficient Arthur-Merlin Communication Protocol \(\varPi \) with success probability p for a Boolean function \(f : \{ 0,1 \}^{2n} \rightarrow \{0,1\}\) proceeds as follows:

  1. 1.

    Initially Alice has an input \(x \in \{0,1\}^n\) and Bob has an input \(y \in \{0,1\}^n\).

  2. 2.

    A uniformly random \(z \in \{0,1\}^r\) for some \(r \in \mathbb {N}\) is publicly sampled and given to Alice, Bob, and Merlin.

  3. 3.

    Merlin observes x, y, and z, and then selects a proof \(\varphi \in \{0,1\}^t\) for some \(t \in \mathbb {N}\), and sends \(\varphi \) to both Alice and Bob.

  4. 4.

    Alice and Bob each look at z, \(\varphi \), and their own input, and independently decide to accept or reject in deterministic polynomial time.

The communication cost of \(\varPi \) is t. \(\varPi \) is said to be correct for f if for every \(x,y \in \{0,1\}^n\):

  • If \(f(x,y) = 0\) then there is a \(\varphi \) that Merlin can send to make both Alice and Bob accept no matter what z is.

  • If \(f(x,y) = 1\) then with probability at least p over the choice of z, there is no \(\varphi \) which makes both Alice and Bob accept.

Past work using \(\textsf {AM}\) communication protocols has typically assumed that p is a constant greater than 0; here we will be able to use the protocol to design a one-sided probabilistic rank expression in the much more powerful setting where we only require \(p \ge 1/\mathrm{poly}(n)\). One could amplify such a low p to a constant by repetition, but this would increase t by a factor which will be prohibitive in our constructions below.

2.4 Cryptographic Definitions

We now formally define the various notions of secure encryption we use. We follow the notation of [21].

Secret-Key Predicate Encryption. Let \(\varSigma \) be a finite set, denoting the set of possible attributes; for our purposes, \(\varSigma \) will typically be \(\{0,1\}^n\). Let f be a function \(\varSigma \times \varSigma \rightarrow \{0,1\}\). We say that \(x\in \varSigma \) satisfies a predicate \(y\in \varSigma \) if \(f(x,y)=0\) (recall that 0 corresponds to ‘true’ and nonzero to ‘false’).

Definition 1

(Secret-key predicate encryption). A secret-key predicate encryption (PE) scheme for a function f over the set of attributes \(\varSigma \) consists of the following probabilistic polynomial time (PPT) algorithms.

  • \(\mathsf {Setup}(1^\lambda ):\) Takes as input a security parameter \(1^\lambda \); outputs a secret key SK.

  • \(\mathsf {Enc}(SK,x,m):\) Takes as input a secret key SK, an attribute \(x\in \varSigma \), and a plaintext \(m\in \{0,1\}\) and outputs a ciphertext CT.

  • \(\mathsf {KeyGen}(SK,y):\) Takes as input a secret key SK and a predicate \(y\in \varSigma \) and outputs a predicate key \(SK_y\).

  • \(\mathsf {Dec}(SK_y,CT):\) Takes as input a predicate key \(SK_y\) and a ciphertext CT (corresponding to attribute x and plaintext m) and outputs a value in \(\{0,1,\bot \}\).

Correctness. For correctness, we require the following condition. For all \(\lambda \), all \(x\in \varSigma \), all \(y\in \varSigma \), and all \(m\in \{0,1\}\), letting \(SK\leftarrow \mathsf {Setup}(1^\lambda )\), \(CT\leftarrow \mathsf {Enc}(SK,x,m)\), and \(SK_y\leftarrow \mathsf {KeyGen}(SK,y)\):

  • If \(f(x,y)=0\), then \(\mathsf {Dec}(SK_y,CT)=m\) with all but negligible probability.

  • If \(f(x,y)=1\), then \(\mathsf {Dec}(SK_y,CT)=\bot \) with all but negligible probability.

We further define partial correctness as the same, except that in the case \(f(x,y)=0\), we only require that \(\mathsf {Dec}(SK_y,CT)=m\) with at least \(1/\mathrm{poly}(\lambda )\) (a much smaller probability), and \(\mathsf {Dec}(SK_y,CT) = 1-m\) with negligible probability (and otherwise \(\mathsf {Dec}(SK_y,CT) = \bot \)).

Security. We define security using the following game between an adversary \(\mathcal{A}\) and a challenger.

  • Setup: The challenger runs \(\mathsf {Setup}(1^\lambda )\) and keeps SK to itself. The challenger chooses a random bit b.

  • Queries: \(\mathcal{A}\) adaptively makes two types of queries:

    • Ciphertext query. \(\mathcal{A}\) submits attributes \(x_i^0, x_i^1\) and messages \(m_i^0,m_i^1\) and receives \(CT_{i} \leftarrow \mathsf {Enc}(SK, x_i^b, m_i^b)\).

    • Secret key query. \(\mathcal{A}\) submits a predicate \(y_j\) and receives \(SK_{y_j} \leftarrow \mathsf {KeyGen}(SK,y_j)\).

    These queries are subject to the restriction that for every ij, \(f(x_i^0,y_j)=f(x_i^1,y_j)=1\).

  • Guess: \(\mathcal {A}\) outputs a guess \(b'\) of b.

The advantage of \(\mathcal {A}\) is defined as \(\mathrm {Adv_\mathcal{A}}=|\Pr [b'=b]-\frac{1}{2}|\).

A PE scheme is secure if, for all PPT adversaries \(\mathcal{A}\), the advantage of \(\mathcal{A}\) in winning the above game is negligible in \(\lambda \).

Remark 1

A secure PE scheme that achieves the partial correctness definition described above can be generically transformed into a secure PE scheme with full correctness. By repeating the scheme \(\mathrm{poly}(\lambda )\) times and taking the first non-\(\bot \) result, the output is equal to m with all but negligible probability. By a straightforward hybrid argument (with \(\mathrm{poly}(\lambda )\) hybrids, where the i-th hybrid has \(i-1\) copies of the scheme hardcoded to 0, then one real copy of the scheme, then the rest hardcoded to 1), this will not affect security. See Appendix C for the full proof of this fact.

In light of this remark, in our proof we will only prove partial correctness. Similarly, although we consider the message here to be a single bit, we can replicate the scheme in order to allow arbitrary bitstrings as the message.

Predicate Encryption for Inner Products We will refer to the special case of predicate encryption for inner products as inner product encryption, or IPE. For any ring \(\mathcal{R}\) and integer \(n \in \mathbb {N}\), predicate encryption for inner products will be over the set of attributes \(\mathcal{R}^n\), and the function f will be the inner-product zero-testing function: if \(\langle x,y \rangle =0\) then \(f(x,y) = 0\), and otherwise \(f(x,y) = \bot \).

We note that we define PE (and hence IPE) that is not predicate-hiding (i.e. the key \(K_y\) reveals the predicate y). In fact, we either need the IPE scheme to be predicate-hiding, or else that the probabilistic rank expression never output 0 in the \(f(x,y)=1\) case, for the full security of our construction; see the full version (https://eprint.iacr.org/2019/1045) for more details.

3 One-Sided Probabilistic Rank

3.1 Definitions

We begin by introducing the new notion of one-sided probabilistic rank which we will use in this paper. Most of our results in this section will hold over arbitrary rings \(\mathcal{R}\) (often with a restriction on the characteristic of \(\mathcal{R}\)), although we will only need them in the case when \(\mathcal{R}= \mathbb {Z}_m\) is the ring of integers mod m in our application to PE below.

For positive integers nd, values \(p_1, p_2 \in [0,1]\), ring \(\mathcal{R}\), and a Boolean function \(f : \{0,1\}^{2n} \rightarrow \{0,1\}\), we say f has Efficient \((p_1, p_2)\)-Probabilistic Rank d over \(\mathcal{R}\) (or for short we will write “\((p_1, p_2)\)-rank d over \(\mathcal{R}\)” and sometimes omit \(\mathcal{R}\) when it is clear from context) if there is a joint distribution \(\mathcal{D}\) on pairs of functions \(g,h : \{0,1\}^{n} \rightarrow \mathcal{R}^d\) such that:

  • g and h can be sampled from \(\mathcal{D}\) and evaluated in \(\mathrm{poly}(nd)\) time,

  • all \(x,y \in \{0,1\}^n\) with \(f(x,y) = 0\) have \(\Pr _{(g,h) \sim \mathcal{D}}[\langle g(x), h(y) \rangle = 0] \ge p_1\), and

  • all \(x,y \in \{0,1\}^n\) with \(f(x,y) = 1\) have \(\Pr _{(g,h) \sim \mathcal{D}}[\langle g(x), h(y) \rangle = 0] \le p_2\).

If \(\{f_n\}_{n \in \mathbb {N}}\) is a family of Boolean functions with \(f_n : \{0,1\}^{2n} \rightarrow \{0,1\}\), \(\lambda : \mathbb {N}\rightarrow \mathbb {N}\) is any function, and \(\mathcal{R}\) is any ring, we say \(\{f_n\}_{n \in \mathbb {N}}\) has Efficient One-sided Probabilistic Rank \(\lambda \) over \(\mathcal{R}\) if there are functions \(p_1, p_2 : \mathbb {N}\rightarrow [0,1]\) and \(d : \mathbb {N}\rightarrow \mathbb {N}\) such that for all n, \(f_n\) has \((p_1(n), p_2(n))\)-rank d(n) over \(\mathcal{R}\), where

  • \(d(n) \le \mathrm{poly}(\lambda (n))\),

  • \(p_1(n) \ge 1/\mathrm{poly}(\lambda (n))\), and

  • \(p_2(n) \le \mathrm{negl}(\lambda (n))\).

3.2 Construction from \(\textsf {AM}\) Communication Protocols

We now show that a number of functions \(f : \{0,1\}^{2n} \rightarrow \{0,1\}\) of interest have efficient one-sided probabilistic rank \(\mathrm{poly}(n)\). We begin by showing this for any function whose co-\(\textsf {AM}\) communication complexity is \(O(\log n)\):

Lemma 1

For any \(n,t \in \mathbb {N}\), any \(p \in [0,1]\), any Boolean function \(f : \{0,1\}^{2n} \rightarrow \{0,1\}\) such that \(\lnot f\) has an Arthur-Merlin communication protocol \(\varPi \) with communication t and success probability p, and any ring \(\mathcal{R}\) of characteristic greater than \(2^t\), the function f has (p, 0)-rank at most \(2^t\) over \(\mathcal{R}\).

Proof

Our randomized construction of the required maps \(g,h : \{0,1\}^n \rightarrow \mathcal{R}^{2^t}\) proceeds as follows. First, sample a uniformly random \(z \in \{0,1\}^r\) (where r is the length of the random string from \(\varPi \)). Then, for \(x \in \{0,1\}^n\), the vector g(x), whose \(2^t\) entries are indexed by \(\varphi \in \{0,1\}^t\), is given by:

$$g(x)[\varphi ] := {\left\{ \begin{array}{ll} 1 &{}\text { if Alice accepts in } \varPi \text { on input } x, \text { randomness } z, \text { and proof } \varphi , \\ 0 &{} \text { otherwise.} \end{array}\right. }$$

Similarly, for \(y \in \{0,1\}^n\),

$$h(y)[\varphi ] := {\left\{ \begin{array}{ll} 1 &{}\text { if Bob accepts in } \varPi \text { on input } y, \text { randomness } z, \text { and proof } \varphi , \\ 0 &{} \text { otherwise.} \end{array}\right. }$$

Since Alice and Bob must make decisions in polynomial time in the definition of \(\varPi \), these maps g and h can also be computed in polynomial time.

Now, for a given \(x,y \in \{0,1\}^n\), the inner product \(\langle g(x), h(y) \rangle \) counts the number of proofs \(\varphi \in \{0,1\}^t\) that Alice and Bob would both accept given inputs xy and randomness z. If \(f(x,y) = 0\), then since \(\varPi \) has correctness p for \(\lnot f\), there is no such \(\varphi \), and hence \(\langle g(x), h(y) \rangle = 0\), with probability at least p. If \(f(x,y) = 1\), then there is always such a \(\varphi \), and so \(\langle g(x), h(y) \rangle \in \{1,2,\ldots ,2^t\}\), which is always nonzero since the characteristic of \(\mathcal{R}\) is greater than \(2^t\).    \(\square \)

Using Lemma 1, we can construct low one-sided probabilistic rank expressions for many functions of interest. Some examples include:

Lemma 2

(GREATER THAN OR EQUALS). For any \(n \in \mathbb {N}\) and ring \(\mathcal{R}\) with characteristic at least \(n+1\), and any \(\varepsilon >0\), \(\textsf {GEQ}_n\) has \((1-\varepsilon ,0)\)-rank \(O(n^2 / \varepsilon )\) over \(\mathcal{R}\).

Lemma 3

(SPARSE DISJOINTNESS). For any \(n, k \in \mathbb {N}\) and ring \(\mathcal{R}\) with characteristic at least \(k+1\), and any \(\varepsilon >0\), the function \(\textsf {DISJ}_{n,k}\) has \((1-\varepsilon ,0)\)-rank \(O(k^2/\varepsilon )\) over \(\mathcal{R}\).

In Appendix A below, we give the \(\textsf {AM}\) communication protocols which prove these results when combined with Lemma 1.

3.3 Circuits of \(\textsf {SYM}\) Gates

We first use a technique from [23] for exactly representing \(\textsf {SYM}\) gates.

Lemma 4

For every \(n \in \mathbb {N}\), every symmetric Boolean function \(f : \{0,1\}^{2n} \rightarrow \{0,1\}\), and every ring \(\mathcal{R}\), there are maps \(g,h : \{0,1\}^n \rightarrow \mathcal{R}^{n+1}\) which can be computed in polynomial time, such that \(\langle g(x), h(y) \rangle = f(x,y)\) for all \(x,y \in \{0,1\}^n\).

Proof

Let \(w : \{0,1\}^n \rightarrow \mathbb {Z}\) be the function which counts the number of 1s in its input, i.e. \(w(x) = x[1] + \cdots + x[n]\). There is a set \(S \subseteq \{0,1,\ldots ,2n\}\) such that \(f(x,y) = 1\) if and only if \(w(x) + w(y) \in S\). We define g and h as follows, for \(i \in [n+1]\):

$$g(x)[i] := {\left\{ \begin{array}{ll} 1 &{}\text { if } w(x) = i-1, \\ 0 &{} \text { otherwise,}\end{array}\right. }$$
$$h(y)[i] := {\left\{ \begin{array}{ll} 1 &{}\text { if } w(y) + i - 1 \in S, \\ 0 &{} \text { otherwise.}\end{array}\right. }$$

In other words, g(x) is 0 in every entry except 1 in a single entry, and h(y) has a 1 in that entry if \(f(x,y) = 1\) and a 0 otherwise. Hence, \(\langle g(x), h(y) \rangle = f(x,y)\) for all \(x,y \in \{0,1\}^n\).    \(\square \)

Lemma 5

( SYM \(\circ \) SYM circuits). Any function \(f : \{0,1\}^{2n} \rightarrow \{0,1\}\) which can be written as a depth-2 circuit of \(\textsf {SYM}\) gates, with m gates in the bottom layer, has (1/m, 0)-rank at most \(nm + m + 1\) over any ring \(\mathcal{R}\) of characteristic at least \(m+1\).

Proof

Let \(p : \{0,1\}^m \rightarrow \{0,1\}\) be the symmetric function computed by the top gate, and let \(S \subseteq \{0,\ldots ,m\}\) be the set such that, for \(z \in \{0,1\}^m\), \(p(z) = 0\) if and only if \(z[1] + \cdots + z[m] \in S\). For each \(i \in [m]\), let \(g_i, h_i : \{0,1\}^{2n} \rightarrow \mathcal{R}^{n+1}\) be the maps from Lemma 4 which exactly compute the ith \(\textsf {SYM}\) gate in the bottom layer of the circuit for f.

We now define the probabilistic rank expression for f. Pick a uniformly random \(k \in S\). The rank expressions \(g,h : \{0,1\}^n \rightarrow \mathcal{R}^{nm+1}\) are given by \(g(x) = g_1(x) || g_2(x) || \cdots || g_m(x) || (1)\), and \(h(y) = h_1(y) || h_2(y) || \cdots || h_m(y) || (-k)\). Hence,

$$\langle g(x), h(y) \rangle = \left( \sum _{i=1}^m \langle g_i(x), h_i(y) \rangle \right) - k,$$

which is the number of bottom-layer gates satisfied by x and y, minus k. Since \(\mathcal{R}\) has characteristic at least \(m+1\), this equals 0 if and only if exactly k of the bottom layer gates are satisfied by x and y. It follows that when \(f(x,y) = 1\) we always have \(\langle g(x), h(y) \rangle \ne 0\), and when \(f(x,y) = 0\) we have \(\langle g(x), h(y) \rangle = 0\) with probability \(1/|S| \ge 1/m\), which happens when we pick the correct k.    \(\square \)

Corollary 1

For any positive integer n, any map \(p : \{0,1,\ldots ,n\} \rightarrow \{0,1\}\), and any ring \(\mathcal{R}\) of characteristic at least \(2n+1\), the function \(s : \{0,1\}^{2n} \rightarrow \{0,1\}\) given by \(s(x,y) = p(\textsf {HAM}(x,y))\) has (1/n, 0)-rank O(n) over \(\mathcal{R}\).

Proof

The function s is of the form described by Lemma 5, where \(m=n\), and the ith bottom layer gate is 1 if \(x[i] \ne y[i]\) (equivalently, \(x[i]+y[i] \in \{1\}\)) and 0 otherwise.    \(\square \)

3.4 Inner Products in Small Fields

We next show that one-sided probabilistic rank constructions over \(\mathbb {Z}_m\) for \(m \le \mathrm{poly}(\lambda )\) lead to one-sided probabilistic rank constructions over any ring of sufficiently large characteristic, with only a polynomial change in the error probabilities. This will be helpful in constructing PE later, since the known bilinear maps-based constructions of PE for inner products only work for certain rings of large characteristic.

Lemma 6

For any \(m,d \in \mathbb {N}\) and \(p_1, p_2 \in [0,1]\), suppose \(f : \{0,1\}^{2n} \rightarrow \{0,1\}\) is a Boolean function with \((p_1, p_2)\)-rank d over \(\mathbb {Z}_m\). Then, f also has \((p_1 / (dm), p_2 / (dm))\)-rank \(d+1\) over any ring \(\mathcal{R}\) of characteristic greater than \(d(m-1)^2\).

Proof

Draw \(g', h' : \{0,1\}^n \rightarrow \mathbb {Z}_m^d\) from the one-sided probabilistic rank expression over \(\mathbb {Z}_m\). Interpreting \(\mathbb {Z}_m\) as the set of integers \(\{0,1,2,\ldots ,m-1\} \subseteq \mathbb {Z}\), we have for any xy that \(\langle g'(x), h'(y) \rangle _\mathbb {Z}\) is an integer in \(\{0,1,2,\ldots , d(m-1)^2 \}\), such that \(\langle g'(x), h'(y) \rangle _{\mathbb {Z}_m} = 0\) if and only if \(\langle g'(x), h'(y) \rangle _\mathbb {Z}\) is an integer multiple of m. Letting \(m' \in \mathbb {N}\) be the largest multiple of m which is at most \(d(m-1)^2\), it follows since \(\mathcal{R}\) has characteristic greater than \(d(m-1)^2\) that \(\langle g'(x), h'(y) \rangle _{\mathbb {Z}_m} = 0\) if and only if \(\langle g'(x), h'(y) \rangle _\mathcal{R}\) is in the set \(M := \{0,m,2m,3m,\ldots ,m'\}\), and otherwise \(\langle g'(x), h'(y) \rangle _\mathcal{R}\) is in the set \(\{0,1,2,\ldots , d(m-1)^2 \} \setminus M\).

We thus pick a uniformly random \(k \in M\) and output \(g(x) = g'(x)||(-1)\) and \(h(y) = h'(y)||(k)\). Thus, we will have \(\langle g(x), h(y) \rangle _\mathcal{R}= 0\) if and only if \(\langle g'(x), h'(y) \rangle _{Z_m} = 0\) (which happens with probability \(p_1\) or \(p_2\) in the true and false cases, respectively) and we pick the correct \(k \in M\) (which happens with probability \(1/|M| \le 1/(dm)\)).    \(\square \)

3.5 Small Circuits of Low One-Sided Probabilistic Rank Functions

We next give low one-sided probabilistic rank expressions for AND and OR, which can be combined to give such expressions for small AND-OR circuits.

Lemma 7

Suppose \(f_1, \ldots , f_m : \{0,1\}^{2n} \rightarrow \{0,1\}\) are Boolean functions, each of which has \((p_1, p_2)\)-rank d over field \(\mathbb {F}\). Then, the \(\textsf {AND}\) of these functions, \(f_1 \wedge f_2 \wedge \cdots \wedge f_m\), has \((p_1^m, 1/|\mathbb {F}| + p_2)\)-rank dm over \(\mathbb {F}\).

Proof

For each \(i \in [m]\), we draw \(g_i, h_i : \{0,1\}^n \rightarrow \mathcal{F}^d\) from the assumed probabilistic rank expression for \(f_i\), and draw a uniformly random \(\alpha _i \in \mathbb {F}\). We then output \(g,h : \{0,1\}^n \rightarrow \mathcal{F}^{dm}\) given by \(g(x) = \alpha _1 g_1(x) || \alpha _2g_2(x) || \cdots || \alpha _m g_m(x)\) and \(h(x) = \alpha _1 h_1(x) || \alpha _2h_2(x) || \cdots || \alpha _m h_m(x)\). Hence, for \(x,y \in \{0,1\}^n\) we have

$$\langle g(x),h(y) \rangle = \sum _{i=1}^m \alpha _i \langle g_i(x), h_i(y) \rangle .$$

First, suppose that \(f_i(x,y) = 0\) for all i. Thus, with probability \(p_1^m\), we have \(\langle g_i(x), h_i(y) \rangle = 0\) for all i, and thus \(\langle g(x), h(y) \rangle = 0\) as desired.

Second, suppose that there is an i such that \(f_i(x,y) = 1\). Then in particular, \(\langle g_i(x), h_i(y) \rangle \ne 0\) with probability at least \(1 - p_2\). If it is nonzero, then \(\langle g(x), h(y) \rangle \) is a sum of a positive number of uniformly random elements of \(\mathbb {F}\), and so it is 0 with probability \(1 / |\mathbb {F}|\). In total, it is 0 with probability at most \(1 / |\mathbb {F}| + p_2\).    \(\square \)

Remark 2

Although Lemma 7 only yields an efficient one-sided probabilistic rank \(\lambda \) expression when \(|\mathbb {F}|\) is superpolynomial in \(\lambda \), we can assume this without loss of generality by first applying Lemma 6 to increase \(|\mathbb {F}|\).

Lemma 8

Suppose \(f_1, \ldots , f_m : \{0,1\}^{2n} \rightarrow \{0,1\}\) are Boolean functions, each of which has \((p_1, p_2)\)-rank d over ring \(\mathcal{R}\). Then, the \(\textsf {OR}\) of these functions, \(f_1 \vee f_2 \vee \cdots \vee f_m\), has \((p_1/m, p_2)\)-rank d over \(\mathcal{R}\).

Proof

We draw a uniformly random \(i^* \in [m]\), then draw \(f_{i^*}, g_{i^*} : \{0,1\}^n \rightarrow \mathcal{F}^d\) from the assumed probabilistic rank expression for \(f_{i^*}\), and simply output \(g(x) = g_{i^*}(x)\) and \(h(y) = h_{i^*}(y)\).

First, suppose there is an \(i \in [m]\) such that \(f_i(x,y) = 0\). Then, there is a 1/m probability that we select \(i^* = i\), and a \(p_1\) probability that \(\langle g_i(x), h_i(y) \rangle = 0\), so there is at least a \(p_1 / m\) probability that \(\langle g(x), h(y) \rangle = 0\).

Second, suppose that \(f_i(x,y) = 1\) for all \(i \in [m]\). Then, for whichever \(i^*\) we pick, there is a \(1-p_2\) probability that \(\langle g_{i^*}(x), h_{i^*}(y) \rangle \ne 0\), and so there is at most a \(p_2\) probability that \(\langle f(x), g(y) \rangle = 0\).    \(\square \)

We can construct one-sided probabilistic rank expressions for many simple circuits by applying Lemmas 7 and 8 to all the \(\textsf {AND}\) and \(\textsf {OR}\) gates. To give two examples:

Corollary 2

Suppose there is a constant c and Boolean functions \(f_1, \ldots , f_c : \{0,1\}^{2n} \rightarrow \{0,1\}\) which all have efficient one-sided probabilistic rank \(\lambda \) over a field \(\mathbb {F}\) with \(|\mathbb {F}| > \lambda ^{\omega (1)}\). Then, any constant-sized AND-OR circuit with the \(f_i\) as input also has \(\lambda \)-efficient one-sided probabilistic rank over \(\mathbb {F}\).

Corollary 3

For any \(m = \mathrm{poly}(n)\), let \(f_1, \ldots , f_m : \{0,1\}^{2n} \rightarrow \{0,1\}\) be any functions whose \((1 - 1/{2m}, 0)\)-rank is \(\mathrm{poly}(n)\) over a field \(\mathbb {F}\) with \(|\mathbb {F}| > n^{\omega (1)}\). Then, any constant-sized AND-OR circuit, with unbounded fan-in AND and OR gates in the bottom layer, and with the \(f_i\) as input, has (1/n)-efficient one-sided probabilistic rank over \(\mathbb {F}\).

Remark 3

Recall from Lemma 2 that Corollary 3 applies when the \(f_i\) are \(\textsf {GEQ}\) on subsets of the input bits.

4 Predicate Encryption Construction

We now construct secret-key predicate encryption for functions f with Efficient One-sided Probabilistic Rank \(\lambda \) (see the definition in Sect. 3.1). We will use inner product encryption as described in Sect. 2.4.

We will assume that our rank expression works over any \(\mathbb {Z}_p\) with prime \(p > \lambda ^{\omega (1)}\),Footnote 3 and that the underlying inner product encryption takes inner products over one such \(\mathbb {Z}_p\). Most constructions of inner product encryption, including the one we make use of below in Corollary 4, take the inner product over \(\mathbb {Z}_M\), where either M is itself a large prime, or else a product of a constant number of large primes, e.g. \(M=pqr\), which contains \(\mathbb {Z}_p\) as a subfield.

Theorem 2

Assuming a secure inner product encryption scheme (as described above), there is a secret-key predicate encryption scheme for any Boolean function f with efficient one-sided probabilistic rank \(\lambda \) (the time and space complexity of the PE scheme is polynomial in \(\lambda \)).

4.1 Construction

We now describe our construction for Theorem 2.

Let \(g,h\leftarrow \mathcal{D}\) be functions sampled from the joint distribution \(\mathcal{D}\) in the definition of one-sided probabilistic rank, in Sect. 3.1. In our construction, we only require a predicate-only IPE scheme, and as such we will always set the message m to 0 in \(\mathrm {IPE}\mathrm {.}\mathsf {Enc}(SK,x,m)\).

Fig. 1.
figure 1

Predicate encryption construction

Full size image

We prove correctness and security in the following subsections.

4.2 Proof of Correctness

Recall (from Remark 1) that it suffices to prove partial correctness, and then amplify to achieve all but negligible correctness.

Lemma 9

The scheme in Sect. 4.1 achieves partial correctness.

Proof

Let \(CT=(c_1,c_2)\) and \(SK_y=(k_1,k_2)\) be as above.

  • Suppose \(f(x,y)=1\). Then by the definition of gh, \(\langle g(x),h(y) \rangle \ne 0\) with all but negligible probability, and thus by the correctness of IPE, we have \(\mathrm {IPE}\mathrm {.}\mathsf {Dec}(c_1,k_1)=\bot \) and \(\mathsf {Dec}(SK_y,CT)=\bot \) as desired.

  • Suppose \(f(x,y)=0\). Then by the definition of gh, \(\langle g(x),h(y) \rangle = 0\) with probability at least \(1/\mathrm{poly}(\lambda (n))\). In this case, \(\mathrm {IPE}\mathrm {.}\mathsf {Dec}(c_1,k_1)=0\) and \(\mathsf {Dec}(SK_y,CT)\) proceeds to check \(\mathrm {IPE}\mathrm {.}\mathsf {Dec}(c_2,k_2)\). Then \(\langle g(x)||m,h(y)||1 \rangle = 0+m = m\) and hence, if \(m=0\), \(\mathrm {IPE}\mathrm {.}\mathsf {Dec}(c_2,k_2)=0\) and \(\mathsf {Dec}(SK_y,CT)=0\), and if \(m=1\), \(\mathrm {IPE}\mathrm {.}\mathsf {Dec}(c_2,k_2)=\bot \) and \(\mathsf {Dec}(SK_y,CT)=1\). Thus \(\mathsf {Dec}(SK_y,CT)=m\), except when the decryption algorithm outputs \(\bot \).

Therefore, in both cases, we satisfy the correctness requirement.    \(\square \)

4.3 Proof of Security

The security proof is given in Appendix B below.

4.4 Combining with Bilinear Maps

We have now proven Theorem 2. We can thus construct a predicate encryption scheme directly using an assumption on bilinear maps, the n-eDDH assumption (an extension of the bilinear decisional Diffie-Hellman assumption; see [20, Section 3.3] for more details), to instantiate the IPE scheme.

Although we use the construction of [20] in a completely black-box way and the details therefore do not impact our proofs, we will describe the basic idea here. A typical assumption describes three groups \(\mathcal {G}_1,\mathcal {G}_2,\mathcal {G}_T\) and corresponding generators \(g_1,g_2,g_T\) (not to be confused with the function g elsewhere in this paper), as well as the bilinear map itself, a public function \(e\left( g_1^x,g_2^y\right) =g_T^{xy}\). The assumption is that discrete log is hard in these groups, so that the exponents xy are hidden, except that the map allows an exponent in the first group to be multiplied with an exponent in the second group. The resulting elements of \(g_T\) can then be multiplied to produce \(g_T^{x_1y_1+x_2y_2+\ldots +x_ny_n}\), computing the inner product in the exponent, and if the exponent is zero this value will be equal to 1. Of course, this simple explanation is not secure, and the construction involves more details that we omit here.

Corollary 4

If the n-eDDH assumption holds, there is a secret-key predicate encryption scheme for any Boolean function f with efficient one-sided probabilistic rank \(\lambda \).

Proof

We can use the n-eDDH assumption to construct a fully secure inner product encryption scheme following [20], then apply Theorem 2 to construct the predicate encryption scheme.    \(\square \)

5 Conclusion

A natural question is whether this approach can be extended to the stronger notion of functional encryption (FE), where the attributes are hidden even when the user can decrypt. At first glance, our scheme seems to offer such a guarantee, as it only reveals the inner product and not the vectors g(x), h(y). However, the inner products from one-sided probabilistic rank have an error probability, and those errors are necessarily correlated, so that an adversary observing a certain error pattern can make inferences about which xy pairs are consistent with that pattern. Furthermore, such an extension could be quite strong. FE for the greater-than function, also known as order-revealing encryption (ORE), is a desirable primitive and has potential applications beyond crypto [11, 19]; however, it is not known to be constructible using bilinear maps or any other standard cryptographic assumptions. An extension to FE would also allow surprising constructions if combined with degree-2 PRGs over \(\mathbb {F}_2\).

One may hope to get around this possibility by designing probabilistic rank expressions whose error probability is negligible both when \(f(x, y) = 0\) and when \(f(x, y) = 1\). However, one can see that such a probabilistic rank expression could be used to construct a one-sided (deterministic) rank expression for f with only a polynomial blow-up in the rank. It is known that many functions of interest, including GEQ, do not have such rank expressions, so for these functions, probabilistic rank expressions with negligible error are also impossible.

Another question is whether our approach can support rank expressions with polynomial error on both sides, such as those considered in Bauer et al. [8]. For example, if \(f(x,y)=0\) then \(\langle g(x),h(y) \rangle =0\) with probability at least 2/3, and otherwise with probability at most 1/3. One idea for attempting to use such an expression is to secret-share the message, making 2m shares where m are required to decrypt, and then instantiate 2m distinct PE schemes to encrypt each share. However, if the adversary has multiple keys (none of which are authorized to decrypt x), she could try decrypting a share with each key, and decrypt any particular share with high probability (since any key works on any share with probability 1/3).