Multi-key and Multi-input Predicate Encryption (for Conjunctions) from Learning with Errors

Francati, Danilo; Friolo, Daniele; Malavolta, Giulio; Venturi, Daniele

doi:10.1007/s00145-024-09504-7

Multi-key and Multi-input Predicate Encryption (for Conjunctions) from Learning with Errors

Research Article
Open access
Published: 14 May 2024

Volume 37, article number 24, (2024)
Cite this article

Download PDF

You have full access to this open access article

Journal of Cryptology Aims and scope Submit manuscript

Multi-key and Multi-input Predicate Encryption (for Conjunctions) from Learning with Errors

Download PDF

Danilo Francati¹,
Daniele Friolo²,
Giulio Malavolta³ &
…
Daniele Venturi²

301 Accesses
Explore all metrics

Abstract

We put forward two natural generalizations of predicate encryption (PE), dubbed multi-key and multi-input PE. More in details, our contributions are threefold.

Definitions. We formalize security of multi-key PE and multi-input PE following the standard indistinguishability paradigm, and modeling security both against malicious senders (i.e., corruption of encryption keys) and malicious receivers (i.e., collusions).
Constructions. We construct adaptively secure multi-key and multi-input PE supporting the conjunction of poly-many arbitrary single-input predicates, assuming the sub-exponential hardness of the learning with errors (LWE) problem.
Applications. We show that multi-key and multi-input PE for expressive enough predicates suffices for interesting cryptographic applications, including non-interactive multi-party computation (NI-MPC) and matchmaking encryption (ME).

In particular, plugging in our constructions of multi-key and multi-input PE, under the sub-exponential LWE assumption, we obtain the first ME supporting arbitrary policies with unbounded collusions, as well as robust (resp. non-robust) NI-MPC for so-called all-or-nothing functions satisfying a non-trivial notion of reusability and supporting a constant (resp. polynomial) number of parties. Prior to our work, both of these applications required much heavier tools such as indistinguishability obfuscation or compact functional encryption.

XHX – A Framework for Optimally Secure Tweakable Block Ciphers from Classical Block Ciphers and Universal Hashing

Efficient cryptanalysis of an encrypted database supporting data interoperability

Article 23 May 2024

Structured Encryption and Leakage Suppression

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

1 Introduction

Predicate encryption (PE) [17, 30, 37] is a powerful cryptographic primitive that enriches standard encryption with fine-grained access control to the encrypted data. In PE, the ciphertext is associated to both a message m and an attribute^{Footnote 1}x, whereas the secret key is associated to a predicate $P$, in such a way that the decryption process reveals the message if and only if the attribute x satisfies the predicate $P$ (i.e., $P(x) = 1$). Typically, security of PE requires indistinguishability in the presence of collusion attacks, namely, for any pair of attributes $(x^0,x^1)$ and for any pair of messages $(m^0,m^1)$, ciphertexts corresponding to $(x^0,m^0)$ and to $(x^1,m^1)$ are computationally indistinguishable, even for an adversary possessing poly-many decryption keys $\textsf{dk}_{P}$, so long as $P(x^0) = P(x^1) = 0$ (otherwise it is easy to distinguish). The above security notion is also known as “weak” attribute-hiding which considers the secrecy of the attributes only in the case of a receiver not able to decrypt the ciphertext, i.e., the predicate is not satisfied.

Recently, there has been a lot of progress in constructing PE supporting expressive predicates under standard assumptions [5, 12, 17, 30, 37, 38, 42, 43, 45, 46]. In particular, Gourbunov et al. [30] give a construction of selectively secure PE (with unbounded collusions) for arbitrary predicates under the learning with errors (LWE) assumption. Moreover, under sub-exponential LWE, the same construction achieves adaptive security (this requires complexity leveraging).

1.1 Our Contributions

In this paper, we put forward two natural generalizations of PE which we dub multi-key PE and multi-input PE. Furthermore, we construct both multi-key PE and multi-input PE for a particular class of predicates, under the LWE assumption. As we show, the class of predicates our schemes can handle is powerful enough to yield interesting cryptographic applications, including matchmaking encryption (ME) [10, 11] for arbitrary policies and non-interactive multi-party computation (NI-MPC) [34] satisfying a weaker (but still non-trivial) notion of reusability. We elaborate on these contributions in Sect. 1.3.

Prior to our work, all of the above applications required much stronger tools such as indistinguishability obfuscation (iO) [13]. While recent work made significant progress toward basing iO on standard assumptions [35, 36], these constructions are fairly complex and still require a careful combination of multiple assumptions (i.e., learning parity with noise, the SXDH assumption on bilinear groups, and the existence of pseudorandom generators computable in constant depth). Furthermore, such constructions are not secure in the presence of a quantum attacker. Candidate constructions of post-quantum iO also exist [18, 28, 47], but they are based on problems whose hardness is less understood.

Multi-key PE. In multi-key PE, we consider an ensemble of predicates $\mathcal {P}= \{P_v\}$ indexed by a value $v\in \mathcal {V}= \mathcal {V}_1\times \cdots \times \mathcal {V}_{n} $ which is uniquely represented as a sequence $v = (v_1,\ldots ,v_{n}) \in \mathcal {V}_1\times \cdots \times \mathcal {V}_{n}$. A sender can encrypt a message under an input $x$ using the public-key encryption algorithm $\textsf{Enc}(\textsf{mpk},x,m)$. A trusted authority generates decryption keys $\textsf{dk}_{v_{i}}$ (using the corresponding master secret key $\textsf{msk}_i$) for each $i \in [n]$, with the guarantee that, given the decryption keys $\textsf{dk}_{v_{1}},\ldots ,\textsf{dk}_{v_{n}}$, the receiver can decrypt successfully the ciphertext c (associated to plaintext m and attributes x), so long as $P_v(x) =P_{v_1,\ldots ,v_{n}}(x) = 1$.

Security of multi-key PE says that, for any pair of attributes $(x^0,x^1)$ and for any pair of messages $(m^0,m^1)$, ciphertexts c associated to $(x^0,m^0)$ and $(x^1,m^1)$ should be computationally indistinguishable even under unbounded collusions, where the latter essentially means that the adversary can obtain decryption keys for (poly-many) arbitrary values $v_1,\ldots ,v_{n}$ which correspond to predicates indexed by any value $v=(v_1,\ldots ,v_{n})$ such that $P_{v}(x^0) = P_{v}(x^1)=0$. This yields so-called CPA-1-sided security. The stronger notion of CPA-2-sided security additionally allows for predicates indexed by values v such that $P_v(x^0) = P_v(x^1) = 1$, so long as $m^0 = m^1$. These notions mimic the corresponding notions that are already established for standard PE.

Our first result is a construction of multi-key PE, from the sub-exponential LWE assumption, supporting conjunctions of arbitrary predicates, i.e., for predicates of the form $P_v(x) = P_{v_1}(x_1) \wedge \cdots \wedge P_{v_{n}}(x_{n})$, where $x = (x_1,\ldots ,x_{n})$ and $v = (v_1,\ldots ,v_{n})$.

Theorem 1

(Informal). Assuming the sub-exponential hardness of LWE, there exists a CPA-1-sided adaptively secure multi-key PE scheme supporting conjunctions of $n = \textsf {poly}(\lambda )$ arbitrary predicates with unbounded collusions.

Multi-input PE. In multi-input PE, we consider predicates $P$ with n inputs, i.e., predicates of the form $P(x_1,\ldots ,x_{n})$. A trusted authority produces encryption keys $\textsf{ek}_i$ which are associated to the ith slot of an input for $P$; namely, given a (possibly secret)^{Footnote 2} encryption key $\textsf{ek}_i$, a sender can generate a ciphertext $c_i$ which is an encryption of message $m_i$ under attribute $x_i$. At the same time, the authority can produce a decryption key $\textsf{dk}_P$ associated to an n-input predicate $P$, with the guarantee that the receiver can successfully decrypt $c_1,\ldots ,c_{n}$, and thus obtain $m_1,\ldots ,m_{n}$, so long as $P(x_1,\ldots ,x_{n})=1$.

As for security, we consider similar flavors as CPA-1-sided and CPA-2-sided security for standard PE. Namely, for any pair of sequences of attributes $(x_1^0,\ldots ,x_{n}^0)$ and $(x_1^1,\ldots ,x_{n}^1)$ and for any pair of sequences of messages $(m_1^0,\ldots ,m_{n}^0)$ and $(m_1^1,\ldots ,m_{n}^1)$, ciphertexts $c_1,\ldots ,c_{n}$ corresponding to either $(x_1^0,m_1^0),\ldots ,(x_{n}^0,m_{n}^0)$ or $(x_1^1,m_1^1),\ldots , (x_{n}^1,m_{n}^1)$ should be computationally indistinguishable. Here, we additionally consider two cases:

In the setting with no corruptions (a.k.a. the secret-key setting), all of the encryption keys $\textsf{ek}_i$ are secret and cannot be corrupted (and thus all the senders are honest).
In the setting with adaptive corruptions, the attacker can adaptively reveal some of the encryption keys $\textsf{ek}_i$ (and thus corrupt a subset of the senders).

Naturally, for both of these flavors, one can define CPA-1-sided and CPA-2-sided security with or without collusions.

Our second result is a construction of multi-input PE, from the sub-exponential LWE assumption, supporting conjunctions of $n=\textsf {poly}(\lambda )$ arbitrary predicates with wildcards, i.e., for predicates of the form $P(x_1,\ldots ,x_{n}) = P_1(x_1) \wedge \cdots \wedge P_{n}(x_{n})$ such that, for each $i \in [n]$, there exists a (public) wildcard input $x^\star _i$ for which $P_i(x^\star _i)=1$ for every ith predicate $P_i$.^{Footnote 3} Our multi-input PE construction retains its security only in the setting of no corruptions (i.e., the encryption keys $\textsf{ek}_i$ are kept secret) and no collusions (i.e., the adversary only knows a single decryption key $\textsf{dk}_P$ for an adversarially chosen predicate $P$).

Theorem 2

(Informal). Assuming the sub-exponential hardness of LWE, there exists a CPA-1-sided adaptively secure multi-input PE scheme supporting conjunctions of $n = \textsf {poly}(\lambda )$ arbitrary predicates with wildcards, without corruptions and without collusions.

Our third result is a construction of multi-input PE, from the sub-exponential LWE assumption, supporting the same class of predicates as above but tolerating adaptive corruptions of up to $n-1$ parties. However, this particular scheme only supports predicates with constant arity.

Theorem 3

(Informal). Assuming the sub-exponential hardness of LWE, there exists a CPA-1-sided adaptively secure multi-input PE scheme supporting conjunctions of $n = O(1)$ arbitrary predicates with wildcards, under $n-1$ adaptive corruptions and without collusions.

Finally, we anticipate that all our constructions are transformations that leverage single-input PE schemes (e.g., [30]) and lockable obfuscation [31, 48] as building blocks. Such transformations are general and achieve CPA-2-sided security if the underlying single-input PE schemes are CPA-2-sided secure. In particular, we obtain (i) CPA-2-sided secure multi-key PE with unbounded collusions for $n=\textsf {poly}(\lambda )$, (ii) CPA-2-sided secure multi-input PE without corruptions and without collusions for $n = O(\log (\lambda )),$^{Footnote 4} and (iii) CPA-2-sided secure multi-input PE under $n-1$ corruptions and without collusions for $n = O(1)$. However, at the time of this writing, the LWE assumption is not sufficient for CPA-2-sided security. Indeed, even for single-input PE for arbitrary predicates, CPA-2-sided security implies iO [15]. The current state-of-the-art constructions of iO require much stronger assumptions compared to standard LWE.

Additional content of this manuscript. A preliminary version of this work appears in the Proceedings of EUROCRYPT 2023 [25]. Material not present in the Proceedings, but included in this manuscript, are (i) construction of multi-input PE in the setting of no corruptions (Construction 3 of Sect. 5.2); (ii) applications of our constructions (Sect. 6); (iii) security proofs of our results including the ones contained in the Proceedings of EUROCRYPT 2023 [25] (Sect. 5).

1.2 Technical Overview

We now give a high-level overview of our constructions. As explained above, both our multi-key and multi-input PE constructions handle conjunctions of arbitrary predicates, i.e., predicates of the form:

$$\begin{aligned} P(x_1,\ldots ,x_{n}) = P_1(x_1) \wedge \cdots \wedge P_{n}(x_{n}). \end{aligned}$$

(1)

We start by explaining how to build multi-key PE for the above class of predicates by combining single-input PE and so-called lockable obfuscation [31, 48]. Informally, a lockable obfuscation scheme allows to obfuscate a circuit $\mathbb {C}$ under a lock y together with a message m, in such a way that evaluating the obfuscated circuit, on input x, returns m if $\mathbb {C}(x) = y$. As for security, an obfuscated circuit can be simulated in a virtual black box (VBB) fashion whenever the lock is random and unknown to the adversary. Lockable obfuscation exists under the standard LWE assumption.

Then, we explain how to build multi-input PE (for the same class of predicates) by additionally using SKE and PKE. Here, we consider two settings: without corruptions (a.k.a. the secret-key setting) and with corruptions. The former assumes that all the encryption keys (each corresponding to an input) are secret. The latter is a stronger model that allows the adversary to leak one or more encryption keys (i.e., corruption of the senders). We achieve security in each setting by changing the way lockable obfuscation is used. In particular, part of the contribution of this paper is a new technique based on nested (lockable obfuscated) circuits that execute each other. This technique allows us to construct a multi-input PE that can handle adaptive corruptions. We provide a high-level overview in the remaining part of this section. For more details, we refer the reader to Sects. 4 and 5.

Multi-key Predicate Encryption. An n-key PE allows a sender to encrypt a message $m$ under an attribute $x$, by running $c{{\leftarrow {\$}}}\textsf{Enc}( \textsf{mpk},x, m)$. Similarly to single-input PE, a receiver can correctly decrypt $c$ if it has a decryption key for a predicate $P_v$, within a family $\mathcal {P}$ of predicates indexed by values $v\in \mathcal {V}$, such that $P_v(x) = 1$. The main difference between single-input PE and n-key PE is that in the latter the receiver must have n independent decryption keys $(\textsf{dk}_{v_1},\ldots , \textsf{dk}_{v_{n}})$ that uniquely represent the predicate $P_{v}(\cdot ) = P_{v_1,\ldots ,v_{n}}(\cdot )$, i.e., the decryption key associated to a particular predicate is decomposed into n decryption keys. Each decryption key $\textsf{dk}_{v_i}$ is generated by the authority via $\textsf{KGen}(\textsf{msk}_i,v_i)$ where $(\textsf{msk}_1,\ldots ,\textsf{msk}_{n})$ are the master secret keys generated during the setup. Hence, once obtained $(\textsf{dk}_{v_1},\ldots , \textsf{dk}_{v_{n}})$ from the authority, the receiver can decrypt the ciphertext $c$ (encrypted under attribute $x$) by executing $\textsf{Dec}(\textsf{dk}_{v_1},\ldots ,\textsf{dk}_{v_{n}}, c)$. The message is returned if the predicate $P_{v_1,\ldots ,v_{n}}(x) = 1$, where $P_{v_1,\ldots ,v_{n}}(\cdot )$ is the predicate represented by the combination of the n decryptions keys $\textsf{dk}_{v_1},\ldots ,\textsf{dk}_{v_{n}}$. The security of n-key PE is analogous to that of single-input PE, where the validity of the adversary $\textsf{A}$ is defined with respect to the (poly-many) tuples $(\textsf{dk}_{v_1},\ldots ,\textsf{dk}_{v_n})$ of n decryption keys that the adversary has access to. In particular, we consider the well-known notion of CPA-1-sided security, i.e., the attacker cannot distinguish between $\textsf{Enc}(\textsf{mpk},x^0,m^0)$ and $\textsf{Enc}(\textsf{mpk},x^1,m^1)$ so long as it only holds combinations of n decryption keys $(\textsf{dk}_{v_1},\ldots ,\textsf{dk}_{v_n})$ such that $P_{v_1,\ldots ,v_{n}}(x^0) = P_{v_1,\ldots ,v_{n}}(x^1) = 0$ (i.e., the adversary cannot decrypt the challenge ciphertext).^{Footnote 5}

As explained above, we focus on conjunctions of arbitrary predicates $P_{v_1,\ldots ,v_{n}}(x) = P_{v_1,\ldots ,v_{n}}(x_1,\ldots ,x_{n}) = P_{v_{1}}(x_1) \wedge \cdots \wedge P_{v_{n}}(x_{n})$ as defined in Eq. (1); hence, $x=(x_1,\ldots ,x_n)$ and each $\textsf{dk}_{v_i}$ identifies the ith predicate of the conjunction (and, in turn, any tuple of n decryption keys uniquely identifies the global predicate). We build an n-key PE handling this class of predicates by extending the technique of Goyal et al. [31], that uses lockable obfuscation to transform any CPA secure attribute-based encryption (ABE) (recall that ABE schemes only guarantee the secrecy of the message) into a CPA-1-sided secure PE (i.e., secrecy of both message and attribute). Let $\textsf{PE}_i = (\textsf{Setup}_i,\textsf{KGen}_i,\textsf{Enc}_i,\textsf{Dec}_i)$ for $i\in [n]$ be n single-input PE schemes, each with ciphertext expansion $\textsf {poly}(\lambda )+ |m_i|$ where $|m_i|$ is the message length supported by the ith PE.^{Footnote 6} In a nutshell, our n-key PE scheme $\textsf{kPE}= (\textsf{Setup},\textsf{KGen},\textsf{Enc},\textsf{Dec})$ works as follows:

Setup.:

The setup algorithm $\textsf{Setup}$ simply executes $\textsf{Setup}_i$ of each $\textsf{PE}_i$ and outputs the master public key $\textsf{mpk}=(\textsf{mpk}_1,\ldots ,\textsf{mpk}_{n})$ and n master secret keys $(\textsf{msk}_1,\ldots , \textsf{msk}_{n})$.

Key Generation.:

To generate a decryption key $\textsf{dk}_{v_i} {{\leftarrow {\$}}}\textsf{KGen}(\textsf{msk}_i,v_i)$ (representing the ith predicate $P_{v_i}(\cdot )$ of the conjunction), the authority can use the key generation algorithm of the ith PE, i.e., $\textsf{dk}_{v_i} {{\leftarrow {\$}}}\textsf{KGen}_i(\textsf{msk}_i,P_{v_i})$.

Encryption.:

To encrypt a message $m$ under an input $x= (x_1,\ldots ,x_{n})$, a sender samples a random lock y and encrypts it n times using $\textsf{PE}_1,\ldots ,\textsf{PE}_{n}$, i.e.,

$$\begin{aligned} c{{\leftarrow {\$}}}\textsf{Enc}_{n}(\textsf{mpk}_{n},x_{n},\textsf{Enc}_{n-1}(\textsf{mpk}_{n-1},x_{n-1}, \ldots ,\textsf{Enc}_{1}(\textsf{mpk}_{1}, x_1, y))). \end{aligned}$$

Note that, for $n =\textsf {poly}(\lambda )$, the final ciphertext will be of polynomial size since each underlying ith PE scheme has $\textsf {poly}(\lambda )+ |m_i|$ ciphertext expansion where $|m_i|$ is the message length supported by ith scheme. The final ciphertext of the n-key PE $\textsf{kPE}$ will be the obfuscation of the circuit $\mathbb {C}_{c}$ under the lock y together with the message $m$ (i.e., $\widetilde{\mathbb {C}} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {C}_{c}, y,m)$), where $\mathbb {C}_{c}$, on input $(\textsf{dk}_{v_1},\ldots ,\textsf{dk}_{v_{n}})$, iteratively decrypts $c$ and returns the last decrypted value, i.e., $y = \mathbb {C}_c(\textsf{dk}_{v_1},\ldots ,\textsf{dk}_{v_{n}}) = \textsf{Dec}_{1}(\textsf{dk}_{v_1},\ldots ,\textsf{Dec}_{n}(\textsf{dk}_{v_{n}},c))$.

Decryption.:

Finally, decryption is straightforward: the receiver simply executes $\widetilde{\mathbb {C}}$ using its n decryption keys $(\textsf{dk}_{v_1}, \ldots , \textsf{dk}_{v_n})$.

The CPA-1-sided security of our construction follows by the CPA security (i.e., secrecy of the message) of $\textsf{PE}_1,\ldots ,\textsf{PE}_{n}$ and by the security of lockable obfuscation.^{Footnote 7} Intuitively, the proof works as follows. In order to be valid, an adversary $\textsf{A}$ cannot hold a tuple of decryption keys $(\textsf{dk}_{v_1}, \ldots , \textsf{dk}_{v_{n}})$ such that $P_{v_1,\ldots ,v_{n}}(x^b) = P_{v_1,\ldots ,v_{n}}(x^b_1,\ldots ,x^b_{n})=1$, where $x^b = (x^b_1,\ldots ,x^b_{n})$ is the input chosen by $\textsf{A}$ during the challenge phase, and b is the challenge bit. Since $P_{v_1,\ldots ,v_{n}}(x^b_1,\ldots ,x^b_{n})$ is a conjunction of arbitrary predicates (see Eq. (1)), this implies that there exists an $i \in [n]$ such that $P_{v_i}(x^b_i) = 0$ for every ith decryption key $\textsf{dk}_{v_i}$ obtained by $\textsf{A}$. We can leverage this observation together with the CPA security of $\textsf{PE}_i$ to do a first hybrid in which the challenger computes the ith layer of the challenge ciphertext as $\textsf{Enc}_{i}(\textsf{mpk}_i,x^b_i,0\ldots 0)$. Now, since the lock y is not encrypted anymore, we can use the security of lockable obfuscation to do a second hybrid in which the challenge ciphertext $\widetilde{\mathbb {C}}$ is simulated by using the simulator of lockable obfuscation. In this last hybrid, the challenge ciphertext does not depend on the bit b sampled by the challenger.

Despite we focused the discussion on CPA-1-sided security, we stress that the same construction achieves CPA-2-sided security if the underlying n single-input PE schemes $\textsf{PE}_1,\ldots ,\textsf{PE}_{n}$ are CPA-2-sided secure, i.e., $\textsf{Enc}(\textsf{mpk},x^0,m^0)$ and $\textsf{Enc}(\textsf{mpk},x^1,m^1)$ are indistinguishable even when $P_{v_1,\ldots ,v_{n}}(x^0) = P_{v_1,\ldots ,v_{n}}(x^1)=1$ and $m^0 = m^1$.

Multi-input Predicate Encryption. We now turn to the more challenging setting of multi-input PE.^{Footnote 8} Here, each of the n senders can use its corresponding encryption key to independently encrypt messages under different inputs for the predicate. For this reason, the setup algorithm of n-input PE outputs n encryption keys $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n})$ and a master secret key $\textsf{msk}$. Each encryption key $\textsf{ek}_i$ is given to the ith sender and allows the latter to handle the ith slot of a multi-input predicate. The ith party encrypts a message $m_i$ under an input $x_i$ by using its encryption key $\textsf{ek}_i$, i.e., $c_i {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_i,x_i,m_i)$. On the other hand, a receiver can use the decryption key $\textsf{dk}_P$ associated to an n-input predicate $P$ (recall that $\textsf{dk}_P$ is generated by the authority via $\textsf{KGen}(\textsf{msk},P)$) to execute $\textsf{Dec}(\textsf{dk}_P,c_1,\ldots ,c_{n})$. Intuitively, the decryption algorithm returns $(m_1,\ldots ,m_{n})$ when $P(x_1,\ldots ,x_{n}) = 1$ where $(m_i,x_i)$ are the message and the input associated to the ith ciphertext $c_i$.

The CPA-1-sided security of n-input PE is similar to that of n-key PE, but adapted to the multi-input setting. Informally, an adversary $\textsf{A}$ must not be able to distinguish between ciphertexts $(\textsf{Enc}(\textsf{ek}_i,x^0_i,m^0_i))_{i\in [n]}$ and $(\textsf{Enc}(\textsf{ek}_i,x^{1}_i,m^{1}_i))_{i\in [n]}$ where $(x^0_{1},\ldots ,x^0_{n})$, $(x^1_{1},\ldots ,x^1_{n})$ and $(m^0_1,\ldots ,m^0_{n})$, $(m^1_1,\ldots , m^1_{n})$ are chosen by $\textsf{A}$. Naturally, this is subject to the usual validity condition, informally saying that $\textsf{A}$ should not be able to decrypt (part of) the challenge ciphertext. This condition can assume different meanings depending on whether the encryption keys are all secret or some of them are public (or can be leaked). Because of this, we formalize security with and without corruptions. Throughout the rest of this section, we describe how CPA-1-sided security of n-input PE changes in these two settings, and give some intuition on our constructions for each setting. We recall that our multi-input constructions will support conjunctions of arbitrary predicates with wildcards (see Theorems 3 and 2 of Sect. 1.1).

Security in the secret-key setting. Here, no corruptions are allowed and thus the encryption keys are kept secrets. Hence, an adversary $\textsf{A}$ playing the CPA-1-sided security game has adaptive oracle access to both the key generation oracle $\textsf{KGen}(\textsf{msk},\cdot )$ and to n encryption oracles $\{\textsf{Enc}(\textsf{ek}_i,\cdot ,\cdot )\}_{i \in [n]}$. The latter oracles allow $\textsf{A}$ to generate ciphertexts (associated to the ith input/sender) on adversarially chosen predicate inputs and messages. Since these ciphertexts are created independently, the adversary has the power to interleave part of the challenge ciphertext $(c^*_1,\ldots ,c^*_{n})$ with the ciphertexts obtained through the encryption oracles. This has a huge impact on the security of the a n-input PE scheme and on the validity condition that $\textsf{A}$ must satisfy. For example, during the challenge phase, $\textsf{A}$ could choose two vectors of messages $(m^0_1,\ldots ,m^0_{n})$ and $(m^1_1,\ldots ,m^1_{n})$ and two vectors of predicate inputs $(x^0_{1},\ldots ,x^0_{n})$ and $(x^1_{1},\ldots ,x^1_{n})$ such that for every predicate $P$ (submitted to oracle $\textsf{KGen}(m,\cdot )$) we have $P(x^0_{1},\ldots ,x^0_{n}) = P(x^1_{1},\ldots ,x^1_{n})=0$. Although the vector $(c^*_1,\ldots ,c^*_{n})$ cannot be directly decrypted, $\textsf{A}$ could still be able to decrypt part of it by leveraging the encryption oracles. In more details, $\textsf{A}$ could: (i) adversarially choose $x'_i$ such that $P(x^0_1,\ldots ,x'_i,\ldots x^0_{n}) = 1$ and $P(x^1_1,\ldots ,x'_i, \ldots x^1_{n}) = 0$; (ii) submit $(x'_i,m'_i)$ to oracle $\textsf{Enc}(\textsf{ek}_i,\cdot ,\cdot )$ and obtain $c'_i$;and (iii) simply decrypt the vector $(c^*_1,\ldots ,c'_i,\ldots ,c^*_{n})$. When $b=0$ (resp. $b=1$), the adversary knows that the challenge ciphertext must (resp. must not) decrypt successfully. This allows it to easily win the CPA-1-sided security experiment of n-input PE. As a consequence, the condition defining when $\textsf{A}$ is valid depends on both the queries submitted to $\textsf{KGen}(\textsf{msk},\cdot )$ and to the oracles $\{\textsf{Enc}(\textsf{ek}_i,\cdot ,\cdot )\}_{i \in [n]}$. More precisely, for every decryption key $\textsf{dk}_P$ corresponding to a predicate $P$, for every vector of ciphertexts obtained by interleaving the challenge ciphertext $(c^*_1,\ldots ,c^*_{n})$ with the ciphertexts generated through any of the n encryption oracles, we must have that $P$ is not satisfied. This is formalized by the following condition: $\forall P\in \mathcal {Q}_{\textsf{KGen}}$, $\forall j \in [n]$, $\forall i_1 \in [k_1+1], \ldots , \forall i_n \in [k_n+1]$, it holds that

$$\begin{aligned}&P(x^{(i_1,0)}_1,\ldots ,x^{(i_{j-1},0)}_{j-1},x^{0}_j,x^{(i_{j+1},0)}_{j+1},\ldots ,x^{(i_n,0)}_{n}) = \nonumber \\&P(x^{(i_1,1)}_1,\ldots ,x^{(i_{j-1},1)}_{j-1},x^{1}_j,x^{(i_{j+1},1)}_{j+1},\ldots ,x^{(i_n,1)}_{n})= 0, \end{aligned}$$

(2)

where $\mathcal {Q}_{\textsf{KGen}}$ are the queries submitted to oracle $\textsf{KGen}(\textsf{msk},\cdot )$, $(x^0_{1},\ldots ,x^{0}_{n}), (x^1_{1},\ldots ,x^{1}_{n})$ are the predicate inputs chosen by $\textsf{A}$ during the challenge phase, and $\mathcal {Q}^b_i = \{x^{(1,b)}_i,\ldots ,x^{(k_i,b)}_i,x^{(k_i+1,b)}_i = x^b_i\}$ is the ordered list composed of the $k_i$ predicate inputs submitted to oracle $\textsf{Enc}(\textsf{ek}_i,\cdot ,\cdot )$ and the challenge input $x^b_i$ for $b \in {{\leftarrow {\$}}}, i \in [n]$ (observe that $\mathcal {Q}^0_i$ and $\mathcal {Q}^1_i$ are identical except for the last element). The formal security definition appears in Sect. 4.2.

Construction in the secret-key setting. We propose a construction of n-input PE for conjunctions of arbitrary predicates (see Eq. (1)) with wildcards from single-input PE, lockable obfuscation, and SKE. In particular, we start from single-input PE for arbitrary predicates. Actually, it will suffice that the underlying PE itself supports the predicates $P(x_1,\ldots ,x_{n})$ as defined in Eq. (1), where we view $(x_1,\ldots ,x_{n})$ as a single input chosen by the sender. In addition, the predicate must have a (efficiently computable) wildcard input $(x^\star _1,\ldots ,x^\star _{n})$ such that $x^\star _i$ satisfies every ith predicate of the conjunction, i.e., $P_i(x^\star _i)=1$. As we will describe next, the $n-1$ subset of wildcards $(x^\star _1,\ldots ,x^\star _{i-1},x^\star _{i+1},\ldots ,x^\star _{n})$ will permit the ith sender to put a “don’t care” placeholder on the slots of the other senders. This will allow the construction to deal with multiple inputs without compromising the evaluation of the predicate. We highlight that wildcards can be generically added to any single-input PE for arbitrary predicates. Let $P$ the original predicate supported by the single-input PE scheme. Then, we can add a wildcard by translating $P$ into a new predicate $P'$ which admits a special (dummy) input $x^\star $ that always evaluate the predicate to 1, i.e.,

$$\begin{aligned} P'(x) = {\left\{ \begin{array}{ll} 1 &{} \text {if } x = x^\star ,\\ P(x) &{} \text {otherwise}. \end{array}\right. } \end{aligned}$$

The main intuition behind our construction is to evaluate the conjunction of the predicates inside lockable obfuscation in such a way that, as soon as one of the predicates (of the conjunction) is not satisfied, both the messages and the predicate inputs remain hidden (even if another predicate $P_i$ is satisfied). To accomplish that, we need to create a link between the independently generated ciphertexts (each produced by different senders). This is done by leveraging an SKE scheme as follows.

In a nutshell, our construction works as follows:

Encryption keys.:

The ith secret encryption key has the form $\textsf{ek}_i = (\textsf{mpk},\textsf{k}_i,\textsf{k}_{i+1})$ where $\textsf{mpk}$ is the master public key of the single-input PE, and $\textsf{k}_i$ for $i \in [n]$ is a secret key for the SKE. (We also let $\textsf{ek}_{n+1} = \textsf{k}_1$.^{Footnote 9})

Encryption.:

In order to encrypt a message $m_i$ under an input $x_i$, the ith sender samples a random lock $y_i$ and encrypts $(y_i,\textsf{k}_{i+1})$ via the single-input PE, using the input made by all the wildcards $x^\star _{j}$ except for the position $j=i$, where, instead, the sender places its real input $x_i$, i.e., $c^{(1)}_i {{\leftarrow {\$}}}\textsf{Enc}(\textsf{mpk},(x^\star _1,\ldots ,x^\star _{i-1}, x_i, x^\star _{i+1}, \ldots , x^\star _{n}), (y_i,\textsf{k}_{i+1}))$. The final ciphertext $c_i$ will be $c_i= (\widetilde{\mathbb {C}}_i,c^{(2)}_i)$, where $c^{(2)}_i {{\leftarrow {\$}}}\textsf{Enc}(\textsf{k}_{i},c^{(1)}_i)$ and $\widetilde{\mathbb {C}}_i$ is the obfuscation of the circuit $\mathbb {C}_{c^{(2)}_i,\textsf{k}_{i+1}}$ under the lock $y_i$ and message $m_i$.

Similarly to the case of multi-key PE, the latter circuit is responsible for the decryption. In particular, upon input the ciphertexts $(c^{(2)}_{i+1},\ldots , c^{(2)}_{n},c^{(2)}_1,\ldots ,c^{(2)}_{i-1})$—note the order of the ciphertexts—and the decryption key $\textsf{dk}_P$ for $P(x_1,\ldots ,x_{n})$, the circuit $\mathbb {C}_{c^{(2)}_i,\textsf{k}_{i+1}}$ acts as follows:

1.:

Set $\textsf{k}= \textsf{k}_{i+1}$ where $\textsf{k}_{i+1}$ is the secret key hardcoded into the circuit (recall that secret keys are cyclically ordered, i.e., $\textsf{k}_{n+1} = \textsf{k}_{1}$).

2.:

For $c^{(2)}_j \in \{c^{(2)}_{i+1},\ldots , c^{(2)}_{n},c^{(2)}_1,\ldots ,c^{(2)}_{i-1}\}$ do:

(a):: Decrypt $c^{(2)}_{j}$ using the secret key $\textsf{k}$, i.e., $c^{(1)}_{j} = \textsf{Dec}(\textsf{k}, c^{(2)}_{j})$.
(b):: Decrypt $c^{(1)}_{j}$ using $\textsf{dk}_{P}$ in order to get $(y_j,\textsf{k}_{j+1})$. If $c^{(1)}_{j}$ decrypts correctly, $\textsf{k}_{j+1}$ is the secret key used to encrypt the next ciphertext $c^{(2)}_{j+1}$.
(c):: Set $\textsf{k}= \textsf{k}_{j+1}$.

3.:

Compute $(y_i,\textsf{k}_{i+1}) = \textsf{Dec}(\textsf{dk}_P,\textsf{Dec}(\textsf{k}, c^{(2)}_{i}))$, where $c^{(2)}_i$ is the ciphertext hardcoded into the circuit.

4.:

Return $y_i$ (note that if none of the decryptions fails then $y_i$ is the lock used to obfuscate the circuit).

Decryption.:

By following the computation (described above) of the obfuscated circuit, decryption is immediate. Upon input $(c_i)_{i \in [n]}$, the receiver computes $m_i = \widetilde{\mathbb {C}}_i(c^{(2)}_{i+1},\ldots , c^{(2)}_{n},c^{(2)}_1,\ldots ,c^{(2)}_{i-1},\textsf{dk}_P)$ where $c_i = (\widetilde{\mathbb {C}}_i, c^{(2)}_i)$ and $\textsf{dk}_P$ is the decryption key of the underlying single-input PE for a predicate $P(x_1,\ldots ,x_{n})$.

We highlight that the combination of the SKE with the PE wildcards is what allows our construction to correctly implement the predicates of Eq. (1). This is because, when $c^{(1)}_{i}$ correctly decrypts under the key $\textsf{dk}_P$ (2b), we are guaranteed that $P_i(x_i) = 1$ (recall that $x_i$ is the input of the ith sender). In particular, the latter holds as, in any other slot, the ith sender has used the wildcards. By repeating this argument, we can conclude that $P(x_1,\ldots ,x_{n}) = P_1(x_1) \wedge \ldots \wedge P_{n}(x_{n})$ is satisfied if the execution of each $\mathbb {C}_{c^{(2)}_i,\textsf{k}_{i+1}}$ goes as expected. The formal construction is described in Sect. 5.2.

As for security, we show that our construction satisfies CPA-1-sided security in the presence of no collusions (i.e., the adversary can submit a single query to the oracle $\textsf{KGen}$) if the underlying PE is CPA-1-sided secure, SKE is CPA secure, and the lockable obfuscation is secure. Roughly, the proof works as follows. Let $P^*$ be the only predicate submitted to $\textsf{KGen}$ by the adversary. Starting from $\textsf{A}$’s validity condition, we infer that, for any choice of the challenge bit $b \in {{\leftarrow {\$}}}$, then attacker $\textsf{A}$ must maintain one of the following two conditions:

(i)
either $P^*_1(x^b_1) = \ldots = P^*_{n}(x^b_{n}) = 0$ (i.e., all the predicates of the conjunctions are false);
(ii)
or (if at least one predicate $P^*_i$ is satisfied, i.e., $P^*_i(x^b_i)=1$) there exists $j\ne i$ such that, for every $x_j \in \mathcal {Q}^b_j$, it holds that $P^*_{j}(x_j)=0$ where $\mathcal {Q}^b_j$ is the ordered list composed of predicate inputs submitted to the oracle $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$ and the challenge input $x^b_j$ (see Eq. (2)).^{Footnote 10}

When the first condition is satisfied, we can leverage the CPA-1-sided security of the single-input PE to show that the every lock $y_i$ (encrypted using the PE), and every input $x_i$ (encrypted in $c^{(2)}_i$), is completely hidden to the adversary. The latter allows us to use the security of lockable obfuscation to move to a hybrid experiment in which all the (obfuscated) circuits are simulated (including the messages).

On the other hand, when the second condition is satisfied, we can transition to a hybrid experiment (this time by leveraging the security of the underlying PE scheme) in which $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$ computes $c^{(1)}_j$ by encrypting the all-zero string (instead of $(y_j,\textsf{k}_{j+1})$). Thus, we can use the security of lockable obfuscation to move to another hybrid in which $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$ simulates all the obfuscations. At this point, the symmetric key $\textsf{k}_{j+1}$ is not used anymore. Hence, we can use the security of SKE to transition to another hybrid in which $\textsf{Enc}(\textsf{ek}_{j+1},\cdot ,\cdot )$ computes $c^{(2)}_{j+1}$ by encrypting the all-zero string (instead of $c^{(1)}_{j+1}$ that, in turn, contains the lock $y_{j+1}$ and the symmetric key $\textsf{k}_{j+2}$). After this hybrid, we can again use the security of lockable obfuscation to simulate all the obfuscations computed by $\textsf{Enc}(\textsf{ek}_{j+1},\cdot ,\cdot )$, and so on. By repeating these last two hybrids, we reach an experiment whose distribution does not depend on the challenge bit.

We highlight that our scheme is not secure in the presence of collusions. In particular, the fact that the adversary can obtain a single decryption key $\textsf{dk}_P$ is crucial in order to get the validity condition (ii), i.e., for every $b \in {{\leftarrow {\$}}}$ there exists a j such that for every predicate (submitted to $\textsf{KGen}(\textsf{msk},\cdot )$) we have $P_j(x^b_j) =0$. In fact, in the case of collusions, the adversary can ask for two decryption keys $\textsf{dk}_{P}$ and $\textsf{dk}_{P'}$ such that for every $b \in {{\leftarrow {\$}}}$:

$$\begin{aligned} P_1(x^b_1)&= 0 \text { and } P_{2}(x^{b}_2) = \ldots = P_{n}(x^{b}_{n}) = 1 \\ P'_1(x^b_1)&= 1 \text { and } P'_{2}(x^{b}_2) = \ldots = P'_{n}(x^{b}_{n}) = 0. \end{aligned}$$

Note that these are valid queries for the CPA-1-sided security experiment of n-input PE (the ciphertext cannot be decrypted). However, such a unique j for every predicate (as per condition (ii)) does not exist. When this happens, we are not able to conclude the proof by making a reduction to the security of single-input PE (the reduction will make an invalid set of queries to the $\textsf{KGen}$ oracle of the single-input PE, making it invalid for the CPA-1-sided security of the single-input PE).^{Footnote 11}

Lastly, we stress that since we start from a single-input PE supporting conjunctions of arbitrary predicates with wildcards, we end up with an n-input PE for conjunctions of arbitrary predicates (see Eq. (1)) with wildcards. We highlight that wildcards do not play any role in the security proof of our secret-key construction. In other words, wildcards are required for functionality (correctness) and not for security. Indeed, in the secret-key setting (i.e., no corruptions), wildcards can be easily removed. This is because we can transform any secure multi-input PE for $P(x_1,\ldots ,x_{n}) = P_1(x_1) \wedge \ldots \wedge P_{n}(x_{n})$ with a single wildcard $(x^\star _1,\ldots ,x^\star _{n})$ into a secure multi-input PE for the same class of predicates $P(x_1,\ldots ,x_{n})$ without the wildcard. This can be done by requiring the senders not to encrypt the corresponding wildcard, i.e., for each $i\in [n]$, $\textsf{Enc}(\textsf{ek}_i,x^\star _i,m_i)$ outputs $\bot $ whenever $x_i = x^\star _i$. We stress that this only works in the case of no corruptions. In fact, as we will discuss later, in case of corruption, wildcards play a role in the security of our corruption-resilient multi-input PE scheme, e.g., an adversary can encrypt wildcards on its own using the leaked encryption keys.

Security under corruptions. Next, let us explain how to define security of multi-input PE in the presence of corruptions. Here, the adversary has the possibility to corrupt a subset of the senders and leak their encryption keys $\textsf{ek}_i$. We model this by introducing an additional corruption oracle $\textsf{Corr}(\cdot )$ that, upon input an index $i \in [n]$, returns $\textsf{ek}_i$. Note that, once obtained $\textsf{ek}_i$, the adversary $\textsf{A}$ has the possibility to produce arbitrary ciphertexts on any message and predicate input, without interacting with the challenger during the CPA-1-sided security game. As usual, the validity condition heavily depends on the queries submitted to both the encryption oracles and the corruption oracle. More precisely, the validity condition now says that, for every decryption key $\textsf{dk}_P$, for every vector of ciphertexts that can be obtained by interleaving the challenge ciphertext $(c^*_1,\ldots ,c^*_{n})$ with both the ciphertexts obtain through any of the (uncorrupted) encryption oracles and the ones that $\textsf{A}$ may autonomously produce by using the leaked encryption keys (through oracle $\textsf{Corr}(\cdot )$), we have that $P$ is not satisfied. Hence, the validity condition is identical to that of the secret-key setting (see Eq. (2)), except that:

If the ith encryption key $\textsf{ek}_i$ has been corrupted/leaked, then $\mathcal {Q}^b_i$ of Eq. (2) corresponds to the ith predicate input space. This is because the adversary can produce a valid ciphertext on any input $x_i$.
Else (i.e., the ith encryption key $\textsf{ek}_i$ is still secret), $\mathcal {Q}^b_i$ is defined as usual, i.e., it is the ordered list of predicate inputs submitted to oracle $\textsf{Enc}(\textsf{ek}_i,\cdot ,\cdot )$ and challenge input $x^b_i$.

See Sect. 4.2 for the formal definition.

A simple attack. Before explaining our construction in details, let us show why the previous construction is not secure under corruptions. For simplicity, we focus on the 2-input setting. This will help us identifying the main properties that a multi-input scheme must satisfy in order to remain secure in case of corruptions. Suppose an adversary $\textsf{A}$ has a single decryption key $\textsf{dk}_P$ for $P(x_1,x_2) = P_1(x_1)\wedge P_2(x_2)$ and a vector of ciphertexts $(c^*_1,c^*_2) = ((\widetilde{\mathbb {C}}_1,c^{(2)}_1),(\widetilde{\mathbb {C}}_2,c^{(2)}_2))$ encrypted under the predicate input $(x_1,x_2)$ such that $P_1(x_1) = 0$ and $P_2(x_2)=1$. Note that this ciphertext should not decrypt under $\textsf{dk}_P$, since the conjunction of $P_1$ and $P_2$ evaluates to 0. If $\textsf{A}$ can obtain $\textsf{ek}_2$, then it can easily determine the message $m_2$ (and thus the bit b). Indeed, once $\textsf{A}$ gets $\textsf{ek}_2 = (\textsf{mpk},\textsf{k}_2,\textsf{k}_1)$, it can compute a malicious ciphertext $\widetilde{c}^{(1)}_1$ (using the single-input PE) by encrypting $(\widetilde{y}, \textsf{k}_2)$ (where $\widetilde{y}$ is a random lock) under the predicate input composed by $(x'_1,x'_2)$ such that $P_1(x'_1)=1$ and $P_2(x'_2) =1$. Then, it can compute $\widetilde{c}^{(2)}_1 {{\leftarrow {\$}}}\textsf{Enc}(\textsf{k}_1, \widetilde{c}^{(1)}_1)$ and execute $\widetilde{\mathbb {C}}_2(\widetilde{c}^{(2)}_1,\textsf{dk}_P)$ to get $m_2$. Note that by definition the execution of $\widetilde{\mathbb {C}}_2$ outputs the correct message, since $P_1(x'_1) \wedge P_2(x_2) = 1$ and $\widetilde{c}^{(2)}_1$ contains the correct secret encryption key $\textsf{k}_2$, allowing the circuit to correctly end the computation. Also, note that this attack does not violate the validity condition. This is because $P_1(x_1) = 0$, and $\textsf{A}$ does not use the oracle $\textsf{Enc}(\textsf{ek}_1,\cdot ,\cdot )$ at all. Hence, any interleaving of the ciphertexts will involve the predicate input $x_1$ that, in turn, will make the conjunction $P(x_1,x'_2) = P_1(x_1)\wedge P_2(x'_2)$ unsatisfied for every choice of the input predicate $x'_2$.

In light of the above attack, we can identify the main properties that a multi-input PE scheme must satisfy to remain secure even in the presence of corruption:

1.
Naturally, as for the secret-key setting, it is fundamental that the encrypted inputs and encrypted messages remain secret when one of the predicates $P_i$ of the conjunction is not satisfied (see the proof strategy of our previous construction).
2.
In combination with the above, we must guarantee that revealing one (or more) encryption key leaks no information about the encryption keys of other senders. This is fundamental otherwise a malicious sender may be able to impersonate and produce valid ciphertexts on behalf of others. This affects the security of the scheme since an adversary able to forge ciphertexts on behalf of an honest sender can violate the property described by the above Item 1 (i.e., the adversary can satisfy the ith predicate associated to the ith honest sender). We highlight that ensuring correctness while guaranteeing this property is challenging. For example, if the encryption key of the first sender “encodes” less information about the one of the second sender, then the harder will be the combination of their ciphertexts during decryption.

As demonstrated by the attack strategy described above, our secret-key multi-input PE scheme does not achieve the second property since an attacker can leak one encryption key which, in turn, allows it to produce a ciphertext on behalf of the honest sender (which allows for correct decryption in some scenarios).

Construction under corruptions. In order to achieve the above properties, we propose a new technique based on nested (lockable obfuscated) circuits that can be executed one inside the other. This technique permits to make available secret information (e.g., secret keys) only during nested execution. For the sake of clarity, we first present our approach for the case of two inputs.

Encryption keys.:: We replace the SKE in our previous construction with a PKE, so that the encryption key $\textsf{ek}_1$ (resp. $\textsf{ek}_2$) is now composed of $(\textsf{mpk},\textsf{sk}_1,\textsf{pk}_1,\textsf{pk}_{2})$ (resp. $(\textsf{mpk},\textsf{sk}_2,\textsf{pk}_2,\textsf{pk}_{1})$) where $(\textsf{sk}_i,\textsf{pk}_i)$ is a secret/public key pair. Each $(\textsf{sk}_i,\textsf{pk}_i)$ is associated to the ith sender. Indeed, note that only $\textsf{ek}_i$ (the encryption key of the ith sender) contains the secret key $\textsf{sk}_i$). This is fundamental to deal with corruptions, i.e., corrupting the ith sender reveals no information about the secret keys $(\textsf{sk}_1,\ldots , \textsf{sk}_{i-1},\textsf{sk}_{i+1},\ldots ,\textsf{sk}_{n})$ of the other senders. Moreover, as we will next, $\textsf{sk}_j$ will be required to generate valid ciphertexts for the jth slot of the scheme.
Encryption.:: From the perspective of the first sender, in order to encrypt a message $m_1$ under the input $x_1$, it samples two random locks $(y^\textsf{in}_1,y^\textsf{out}_1)$ and encrypts them (using the single-input PE) as before using the wildcard $x^\star _2$, i.e., $c^{(0)}_{1} {{\leftarrow {\$}}}\textsf{Enc}(\textsf{mpk},(x_1,x^\star _2)$, $(y^\textsf{in}_1,y^\textsf{out}_1))$.^{Footnote 12} At this point, the PE ciphertext $c^{(0)}_{1}$ is re-encrypted twice using $\textsf{pk}_1$ and $\textsf{pk}_2$, i.e., $c^{(i)}_1 {{\leftarrow {\$}}}\textsf{Enc}(\textsf{pk}_i,c^{(i-1)}_1)$ for $i \in [2]$. Intuitively, the two layers of PKE have the role of hiding the PE ciphertexts (that in turn contain the locks) even when the adversary leaks all encryption keys except one. The final ciphertext is composed by the two obfuscations $\widetilde{\mathbb {C}}^\textsf{out}_1$, $\widetilde{\mathbb {C}}^\textsf{in}_1$ of the circuits $\mathbb {C}^{\textsf{out}}_{\textsf{sk}_1,c^{(2)}_1}$, $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_1,c^{(2)}_1}$, respectively. The former is obfuscated under the lock $y^\textsf{out}_1$ and message $m_1$, whereas the latter is obfuscated under the lock $y^{\textsf{in}}_1$ and message $\textsf{sk}_1$. The ciphertext produced by the second sender, is identical, except that it uses $\textsf{sk}_2$ (instead of $\textsf{sk}_1$) and that $c^{(0)}_2$ is computed using the predicate input $(x^\star _1,x_2)$ (instead of $(x_1,x^\star _2)$).
Decryption.:: The crux of our nesting technique comes from the definition of the circuits $\mathbb {C}^{\textsf{out}}_{\textsf{sk}_i,c^{(2)}_i}$ which, in turn, defines the decryption algorithm of our construction (i.e., the nesting technique is fundamental to achieve correctness). More precisely, the outer circuit $\mathbb {C}^{\textsf{out}}_{\textsf{sk}_1,c^{(2)}_1}$ (i.e., the circuit that is given obfuscated to the receiver as part of the ciphertext $c_1$) will take as input the obfuscation $\widetilde{\mathbb {C}}^{\textsf{in}}_2$ of the inner circuit $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{2},c^{(2)}_{2}}$ and a decryption key $\textsf{dk}_P$. Then, in order to securely check the conjunction inside the lockable obfuscation, $\mathbb {C}^{\textsf{out}}_{\textsf{sk}_1,c^{(2)}_1}$ will execute $\widetilde{\mathbb {C}}^{\textsf{in}}_2(\textsf{sk}_{1},\textsf{dk}_P)$. At this point, $\widetilde{\mathbb {C}}^{\textsf{in}}_2$ has everything it needs to check the satisfiability of $P_2(\cdot )$. It removes the PKE layers from $c^{(2)}_2$ by computing $c^{(0)}_2 = \textsf{Dec}(\textsf{sk}_2,\textsf{Dec}(\textsf{sk}_1,c^{(2)}_2))$. Then, it decrypts the PE ciphertext $(y^{\textsf{in}}_2,y^{\textsf{out}}_2)=\textsf{Dec}(\textsf{dk}_P,c^{(0)}_2)$—observe that the decryption succeeds if $P_2(x_2) = 1$—and returns $y^\textsf{in}_2$. By correctness of lockable obfuscation, if the computation of $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{2},c^{(2)}_{2}}(\textsf{sk}_1,\textsf{dk}_P)$ goes as intended, then $\widetilde{\mathbb {C}}^{\textsf{in}}_2(\textsf{sk}_{1},\textsf{dk}_P)$ will output $\textsf{sk}_2$ (the message attached to the obfuscation). Once obtained $\textsf{sk}_2$, the computation of $\mathbb {C}^{\textsf{out}}_{\textsf{sk}_1,c^{(2)}_1}$ can continue and perform a similar computation to check the satisfiability of $P_1(\cdot )$ except that, if the PE ciphertext $c^{(0)}_1$ decrypts correctly, it returns $y^{\textsf{out}}_1$. If all the decryptions (performed by $\mathbb {C}^{\textsf{out}}_{\textsf{sk}_1,c^{(2)}_1}$ and $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_2,c^{(2)}_2}$) succeed, the execution of the obfuscation $\widetilde{\mathbb {C}}^{\textsf{out}}_1$ of $\mathbb {C}^{\textsf{out}}_{\textsf{sk}_1,c^{(2)}_1}$ will output $m_1$. A symmetrical argument holds for $\mathbb {C}^{\textsf{out}}_{\textsf{sk}_2,c^{(2)}_2}$ and $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_1,c^{(2)}_1}$, releasing $m_2$.

We show that the above 2-input PE construction is CPA-1-sided secure under 1 corruption (i.e., one encryption key remains secret) and no collusions if the underlying single-input PE is CPA secure, PKE is CPA secure, and the lockable obfuscation is secure. The high-level intuition is that $\textsf{sk}_i$ remains unknown to the adversary if $P_i(\cdot )=0$ (unless the adversary invokes the oracle $\textsf{Corr}(i)$). This is reflected by the proof technique that is sketched below.

Let $\textsf{dk}_{P^*}$ be the decryption key obtained by $\textsf{A}$ for the predicate $P^*(\cdot ,\cdot ) = P^*_1(\cdot ) \wedge P^*_2(\cdot )$ (recall the presence of wildcards), and let $\mathcal {Q}_\textsf{Corr}$ be the queries submitted to the corruption oracle. Starting from the validity condition, we can infer that for any choice of the challenge bit $b \in {{\leftarrow {\$}}}$ we have:

(i)
either $P^*_1(x^b_1) = P^*_2(x^b_2) = 0$;
(ii)
or (i.e., there exists an $i \in [2]$ such that predicate $P_i$ is satisfied) $j \not \in \mathcal {Q}_\textsf{Corr}$ such that $j \ne i$ and, for every $x_{j} \in \mathcal {Q}^b_{j}$, $P^*_{j}(x_{j}) = 0$ (recall that $x^b_j \in \mathcal {Q}^b_j$). Observe that this second condition holds because of the following:
- If there is $x_{j} \in \mathcal {Q}^b_{j}$ such that $P^*_{j}(x_{j}) = 1$, $\textsf{A}$ can use the corresponding ciphertext to decrypt the ith part of the challenge ciphertext since $P^*_i(x^b_i) =1$.
- If $j \in \mathcal {Q}_{\textsf{Corr}}$, $\textsf{A}$ can simply use $\textsf{ek}_{j}$ to encrypt a random message under the wildcard $x^\star _{j}$ (that always exists by design of our construction) and, again, decrypt the ith part of the challenge ciphertext. Note that, contrarily from our secret-key construction, wildcards play an important role in the security of our multi-input PE construction under corruptions (if an encryption key $\textsf{ek}_j$ gets leaked then a malicious adversary can always encrypt itself the jth wildcards $x^\star _j$, satisfying the jth predicate $P_j$). Hence, in the corruption setting, wildcards are used for both functionality and security.

By leveraging the above two conditions, the security of our scheme follows by using a similar argument to that of the secret-key setting. In particular, when the first condition is satisfied, we can show that the locks $(y^\textsf{in}_1,y^\textsf{out}_1)$ and $(y^\textsf{in}_2,y^\textsf{out}_2)$ (used to encrypt the challenge) are completely hidden. This, in turn, allows us to use the security of lockable obfuscation and simulate the obfuscations of $(\mathbb {C}^{\textsf{out}}_{\textsf{sk}_1,c^{(2)}_1},\mathbb {C}^{\textsf{in}}_{\textsf{sk}_1,c^{(2)}_1})$, $(\mathbb {C}^{\textsf{out}}_{\textsf{sk}_2,c^{(2)}_2}, \mathbb {C}^{\textsf{in}}_{\textsf{sk}_2,c^{(2)}_2})$, and the corresponding messages.

On the other hand, when the second condition is satisfied, we can move to a hybrid (by leveraging the security of single-input PE) in which $\textsf{Enc}(\textsf{ek}_{j},\cdot ,\cdot )$ computes $c^{(0)}_{j}$ by encrypting the all-zero string (instead of $(y^\textsf{in}_{j},y^{\textsf{out}}_{j})$). Then, we can use the security of lockable obfuscation to transition to another hybrid in which $\textsf{Enc}(\textsf{ek}_{j},\cdot ,\cdot )$ simulates all the obfuscations. At this point, the secret key $\textsf{sk}_{j}$ of the uncorrupted jth sender is not used anymore (recall that $j \not \in \mathcal {Q}_{\textsf{Corr}}$). Hence, we can leverage the security of the PKE to remove the locks $(y^\textsf{in}_i,y^\textsf{out}_i)$ chosen by the ith sender (recall $i \ne j$). In more details, we do another hybrid in which the jth PKE layer $c^{(j)}_{i}$ of the challenge ciphertext is an encryption of zeroes (instead of $c^{(j-1)}_{i}$ that, in turn, encrypts the locks $(y^\textsf{in}_i,y^\textsf{out}_i)$). After this hybrid, we can again use the security of lockable obfuscation to simulate all the obfuscations (and the corresponding attached messages) that compose the ith component of the ciphertext. The distribution of this last hybrid does not depend on the challenge bit b since all the ciphertexts are simulated by the simulator of the lockable obfuscation scheme.

To sum up, we can observe that encrypting $c^{(0)}_i$ (the PE ciphertext that contains the locks) with the public keys $(\textsf{pk}_1$, $\textsf{pk}_2)$ of both senders is crucial in order for our proof to work independently of which encryption key the adversary decides to leak. So long as at least one encryption key $\textsf{ek}_i$ remains hidden, then there is a PKE layer that cannot be decrypted by the adversary. This allows the proof to go through.

Generalizing the nesting technique to $(n>2)$ inputs. By carefully modifying the definition of the outer and inner circuits, we can generalize the above technique to the case of $n>2$. The structure of the encryption keys and of the encryption algorithm is similar to the case $n=2$:

Each encryption key $\textsf{ek}_i$ is of the form $(\textsf{mpk},\textsf{sk}_i,\textsf{pk}_1,\ldots ,\textsf{pk}_{n})$.
To compute the ith encryption of $(x_i,m_i)$, the sender computes the initial PE ciphertext as $c^{(0)}_i {{\leftarrow {\$}}}\textsf{Enc}(\textsf{mpk}, (x^\star _1,\ldots ,x_i,\ldots ,x^\star _{n}),(y^\textsf{in}_i,y^\textsf{out}_i))$. Then, it re-encrypts n times the ciphertext $c^{(0)}_i$ using $(\textsf{pk}_1,\ldots ,\textsf{pk}_{n})$, i.e., $c^{(v)}_i {{\leftarrow {\$}}}\textsf{Enc}(\textsf{pk}_v,c^{(v-1)}_i)$ for $v \in [n]$. As usual, the final ciphertext $c_i = (\widetilde{\mathbb {C}}^\textsf{out}_i,\widetilde{\mathbb {C}}^\textsf{in}_i)$ is composed of the obfuscations of $\mathbb {C}^{\textsf{out}}_{\textsf{sk}_i,c^{(n)}_i}$ and $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_i,c^{(n)}_i}$.

We now turn on the crucial point: the definition of the outer and inner circuits. Again, for the sake of clarity, we only describe the outer circuit $\mathbb {C}^\textsf{out}_{\textsf{sk}_1,c^{(n)}_1}$ and of the inner circuits $(\mathbb {C}^\textsf{in}_{\textsf{sk}_2,c^{(n)}_2},\ldots , \mathbb {C}^\textsf{in}_{\textsf{sk}_{n},c^{(n)}_{n}})$ generated by the corresponding senders. The remaining circuits are defined similarly. First off, the input space of these circuits is a follows:

$\mathbb {C}^{\textsf{out}}_{\textsf{sk}_1,c^{(n)}_1}$ takes as input the $n-1$ obfuscations of the circuits $(\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{2},c^{(n)}_{2}}, \ldots , \mathbb {C}^{\textsf{in}}_{\textsf{sk}_{n},c^{(n)}_{n}})$ and a decryption $\textsf{dk}_{P}$. These obfuscations are the inner circuits that needs to be executed in order to return the message $m_1$ attached to the obfuscation of $\mathbb {C}^{\textsf{out}}_{\textsf{sk}_1,c^{(n)}_1}$.
On the other hand, $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_i,c^{(n)}_i}$, for $i \in [n]{\setminus } \{1\}$, takes as input a tuple of n secret keys $(\textsf{sk}_{1},\ldots , \textsf{sk}_{n})$ (where some can be set to $\bot $), a decryption key $\textsf{dk}_P$, and the obfuscations of $(\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{i+1},c^{(n)}_{i+1}}, \ldots , \mathbb {C}^{\textsf{in}}_{\textsf{sk}_{n},c^{(n)}_{n}})$. Intuitively, these obfuscations are the remaining inner circuits that we need to still execute in order to complete the nested execution.

Intuitively, the decryption of $m_1$ requires the nested execution of these circuits (starting from the outer one) in order to get all the secret keys required to decrypt the PE ciphertext. This is achieved as follows:

The outer circuit $\mathbb {C}^{\textsf{out}}_{\textsf{sk}_1,c^{(n)}_1}$ starts the nested execution by invoking the obfuscation of $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{2},c^{(n)}_{2}}$ upon input $(\textsf{sk}_1,\bot ,\ldots ,\bot )$, $\textsf{dk}_P$, and the remaining obfuscations of $(\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{3},c^{(n)}_{3}}, \ldots , \mathbb {C}^{\textsf{in}}_{\textsf{sk}_{n},c^{(n)}_{n}})$.
In turn, $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{2},c^{(n)}_{2}}$ will do a similar thing: It executes the next obfuscated circuit $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{3},c^{(n)}_{3}}$ upon input $(\textsf{sk}_1,\textsf{sk}_2,\bot ,\ldots ,\bot )$, $\textsf{dk}_P$, and the remaining obfuscations $(\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{4},c^{(n)}_{4}}, \ldots , \mathbb {C}^{\textsf{in}}_{\textsf{sk}_{n},c^{(n)}_{n}})$.
The above process is repeated until $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{n},c^{(n)}_{n}}$ is executed upon input $(\textsf{sk}_1,\ldots ,\textsf{sk}_{n-1},\bot )$ and $\textsf{dk}_P$. At this point, all the secret keys are known (observe that $\textsf{sk}_{n}$ is hardcoded). From $c^{(n)}_{n}$, we can remove the n PKE layers, decrypt the PE ciphertext and, in turn, return $y^{\textsf{in}}_{n}$ if the PE ciphertext decrypts correctly (i.e., $P_{n}(\cdot )$ is satisfied).
Once $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{n},c^{(n)}_{n}}$ terminates, the secret key $\textsf{sk}_{n}$ is released and $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{n-1},c^{(n)}_{n-1}}$ performs the computation required to check if $P_{n-1}(\cdot )$ is satisfied. Indeed, $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{n-1},c^{(n)}_{n-1}}$ has been executed on input $(\textsf{sk}_1,\ldots ,\textsf{sk}_{n-2},\bot ,\bot )$, it has $\textsf{sk}_{n-1}$ harcoded, and the execution of $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{n},c^{(n)}_{n}}$ has released $\textsf{sk}_{n}$. Hence, after the correct termination of $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{n},c^{(n)}_{n}}$, all secret keys are known.

It may seems that this argument can be iterated. However, there is a problem. Even if $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{n-1},c^{(n)}_{n-1}}$ correctly terminates, the circuit $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{n-2},c^{(n)}_{n-2}}$ that invokes it does not have access to the secret key $\textsf{sk}_{n}$. This is because the latter circuit receives as input $(\textsf{sk}_{1},\ldots , \textsf{sk}_{n-3},\bot ,\bot ,\bot )$, it has $\textsf{sk}_{n-2}$ hardcoded, and the circuit $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{n-1},c^{(n)}_{n}}$ has returned $\textsf{sk}_{n-1}$. As a consequence, $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{n-2},c^{(n)}_{n-2}}$ must re-run $\mathbb {C}^{\textsf{in}}_{\textsf{sk}_{n},c^{(n)}_{n}}$ on input $(\textsf{sk}_1,\ldots ,\textsf{sk}_{n-1},\bot )$ in order to get $\textsf{sk}_{n}$ and decrypt every PKE layer. This needs to be done at any level of the nested execution, yielding an asymptotic running time of $O(n^n)$. Hence, this technique only works assuming $n=O(1)$, i.e. for O(1)-input predicates. The formal construction is described in Sect. 5.3.

On achieving CPA-2-sided secure multi-input PE. Until now, we only focused the discussion on achieving CPA-1-sided security. Our multi-input constructions achieve CPA-2-sided security if the underlying single-input PE is CPA-2-sided secure (we highlight that, in our secret-key multi-input PE construction, we need to reduce the n-arity from $\textsf {poly}(\lambda )$ to $O(\log (\lambda ))$ since we use complexity leveraging). We just recall here that, already for the simple notion of single-input PE for arbitrary predicates, CPA-2-sided security implies iO [15].

1.3 Applications

Finally, we explore applications of multi-key and multi-input PE. This question is particularly relevant given the fact that we are only able to obtain multi-key and multi-input PE supporting conjunctions of arbitrary predicates (with wildcards). Luckily, we can show that this class of predicates is already expressive enough to yield interesting cryptographic applications which previously required much stronger assumptions.

Matchmaking Encryption. Matchmaking encryption (ME) [10, 11] allows a sender to publicly encrypt a message $m$ under some attributes $\sigma $ and a policy $\mathbb {R}$. On the other hand, the receiver can use the decryption keys $\textsf{dk}_{\rho }$ and $\textsf{dk}_{\mathbb {S}}$ (encoding the receiver’s attributes and policy, respectively) to decrypt the message (i.e., $\textsf{Dec}(\textsf{dk}_\rho ,\textsf{dk}_\mathbb {S},c) = m$) if there is a mutual match $\mathbb {S}(\sigma )=1 \wedge \mathbb {R}(\rho ) = 1$. The main security guarantee of ME is defined by the following two properties:

In case of a mismatch, nothing is leaked except the fact that a match did not occur.
Additionally, in case of a match, nothing is leaked except for the message and the fact that a match occurred.

These properties are reminiscent to CPA-2-sided security of PE. Multi-key PE is a direct generalization of ME: 2-key PE for conjunctions $P_{v_1,v_2}(\cdot ,\cdot ) = P_{v_1}(\cdot )\wedge P_{v_2}(\cdot )$ (i.e., the class of predicates studied in this work) implies ME for arbitrary policies. In a nutshell, the construction works as follows. To encrypt a message $m$ under the sender’s attributes $\sigma $ and the sender’s policy $\mathbb {R}$, the ME encryption algorithm corresponds to the public-key encryption algorithm of the 2-key PE scheme, i.e., $c{{\leftarrow {\$}}}\textsf{Enc}(\textsf{mpk}, (x_1,x_2), m)$ where $x_1 = \sigma $ and $x_2 = \mathbb {R}$. Analogously, the ME decryption keys $\textsf{dk}_\rho $ and $\textsf{dk}_\mathbb {S}$ correspond to the decryption keys $\textsf{dk}_{v_2}$ and $\textsf{dk}_{v_1}$ of the 2-key PE scheme where $v_1 = \mathbb {S}$ and $v_2 = \rho $. By setting $P_{v_1,v_2}(x_1,x_2) = P_{\mathbb {S},\rho }(\sigma ,\mathbb {R})= P_{\sigma }(\mathbb {S}) \wedge P_{\mathbb {R}}(\rho ) = \mathbb {S}(\sigma ) \wedge \mathbb {R}(\rho )$, we obtain the desired ME functionality during decryption. The security analysis is intuitive: if the 2-key PE is CPA-1-sided secure, then the ME scheme is secure only in case of mismatch. In addition, if the 2-key PE is CPA-2-sided secure, then the ME security holds also in case of a match. Hence, as a corollary of our results, we achieve the weaker notion of CPA-1-sided secure (i.e., mismatch) ME supporting arbitrary policies and unbounded collusions from sub-exponential LWE. We provide more details in Sect. 6.1.

The seminal works of ME [10, 11] propose ME as a tool for anonymous communication with bilateral authentication. The anonymity level guaranteed by the scheme depends on the notion of security. ME with CPA-2-sided security (as originally proposed by [10, 11]) guarantees the anonymity of users (e.g., users’ attributes and policies) independently from the outcome of the bilateral matching (i.e., match and mismatch). In the case of CPA-1-sided secure ME (as the one proposed in this work), anonymity is guaranteed only in case of a mismatch, i.e., unauthorized parties infer no information about the identity of the sender. Thus, our notion of CPA-1-secure ME can be used in scenarios in which the sender’s identity can be disclosed to authorized receivers (e.g., health-care scenarios where a bilateral matching between patients and doctors is performed).

Previous works construct CPA-2-sided secure ME with unbounded collusions for either very restricted policies (i.e., for identity matching) using bilinear maps [20, 26] (and ROM [10]), or for arbitrary policies from much stronger assumptions such as 2-input FE with one secret key and one public key (this notion of 2-input FE implies iO) [10, 11].

For completeness (see Sects. 4.1, 4.3), we highlight that we can build n-key PE from $(n+1)$-input PE supporting arbitrary predicates and tolerating 1 corruption (this is required to implement the public-key encryption algorithm of n-key PE). As a consequence, multi-input PE implies ME as well. However, recall that our multi-input PE constructions do not support arbitrary predicates but only conjunctions of arbitrary predicates with wildcards.

Non-interactive MPC. Non-interactive MPC (NI-MPC) [14, 34] allows n parties to evaluate a function $f(v_1,\ldots ,v_{n})$ on their inputs using a single round of communication (i.e., each party sends a single message $c_i {{\leftarrow {\$}}}\textsf{Enc}(\textsf{crs},\textsf{ek}_i,v_i)$). This is achieved by assuming a trusted setup (that may depend on the function itself) that generates (possibly correlated) strings (e.g., common reference string $\textsf{crs}$ and encryption keys $\textsf{ek}_i$) that can be later used by the parties to perform function evaluation. Security of NI-MPC can be formulated in two different settings, named non-reusable and reusable NI-MPC. The former retains security only if the setup is executed after every round. The latter retains security even if parties evaluate f on different inputs using the same setup (full-fledged reusability makes use of session identifiers in order to avoid that an adversary can interleave messages from different rounds [34]). Both non-reusable and reusable NI-MPC provide the same security guarantee, formalized using an indistinguishability-based definition: an adversary $\textsf{A}$ cannot distinguish between $(\textsf{Enc}(\textsf{crs},\textsf{ek}_i,v^0_i))_{i\in [n]}$ and $(\textsf{Enc}(\textsf{crs},\textsf{ek}_i,v^1_i))_{i\in [n]}$, so long as any combination of the messages known by the adversary (including the ones it can compute using the encryption key $\textsf{ek}_i$ of a corrupted party) yields the same function’s evaluation.^{Footnote 13}

As mentioned by several works [14, 29, 32, 33], NI-MPC achieving indistinguishability-based security implies iO even in very restricted settings. In particular, a non-reusable 1-robust (i.e., one malicious party) NI-MPC for two parties implies iO. Intuitively, by fixing the NI-MPC function to $f(\mathbb {C},x) = \mathbb {C}(x)$, we can obfuscate a circuit by simply setting the input of the first (honest) party to $\mathbb {C}$, compute $c_1 {{\leftarrow {\$}}}\textsf{Enc}(\textsf{crs},\textsf{ek}_1,\mathbb {C})$, and outputting $\widetilde{\mathbb {C}} = (\textsf{crs},c_1,\textsf{ek}_2)$ where $\textsf{ek}_1,\textsf{ek}_2$ are the key material required to encode the inputs of the NI-MPC (note that 1-robustness is necessary since we reveal $\textsf{ek}_2$). To evaluate the obfuscated circuit, the evaluator only needs to compute $c_2 {{\leftarrow {\$}}}\textsf{Enc}(\textsf{crs},\textsf{ek}_2,x)$ and evaluate the NI-MPC function f that will yield $\mathbb {C}(x)$. The security of this iO obfuscator follows from the security of NI-MPC since the residual functions $f(\mathbb {C}_0,\cdot )$ and $f(\mathbb {C}_1,\cdot )$ are identical, as $\mathbb {C}_0(x) = \mathbb {C}_1(x)$ for every input x. Additionally, reusable, 0-robust (i.e., no malicious parties) NI-MPC for $n=\textsf {poly}(\lambda )$ parties implies iO. In this case, iO can be built using a similar construction to that of iO from secret-key multi-input functional encryption (FE) [29].

Due to the similarities between multi-input PE and multi-input FE, we observe that multi-input PE is enough to construct NI-MPC for all-or-nothing functions defined over the predicates supported by the multi-input PE scheme. In more details, by leveraging our CPA-1-sided n-input PE (for $n = O(1)$) secure under $n-1$ corruptions and without collusions, we can build an $(n-1)$-robust NI-MPC for a constant number of parties for the following class of functions:

$$\begin{aligned} f_{P}((x_1,m_1),\ldots ,(x_{n},m_{n})) = {\left\{ \begin{array}{ll} (m_1,\ldots ,m_{n}) &{} \text {if } P(x_1,\ldots ,x_{n}) =1\\ \bot &{} \text { otherwise} \end{array}\right. } \end{aligned}$$

where $P(x_1,\ldots ,x_n)$ is a conjunctions of arbitrary independent predicates (with wildcards) as defined in Eq. (1). The resulting NI-MPC satisfies a weaker notion of reusability without session identifiers (i.e., messages produced in different rounds can be interleaved by design) specifically tailored for all-or-nothing functions, which we name CPA-1-sided reusability. In a nutshell, CPA-1-sided reusable NI-MPC guarantees the usual indistinguishability-based security only if $f_P$ outputs $\bot $ (i.e., $P(\cdot )$ is not satisfied) for any combination of the honest messages and the ones the adversary can maliciously compute using the encryption key $\textsf{ek}_i$ of a corrupted party.

The construction is intuitive. At setup, simply publish $\textsf{crs}= \textsf{dk}_P$ and distribute $\textsf{ek}_i$ to the ith party where $(\textsf{msk},\textsf{ek}_1,\ldots \textsf{ek}_{n}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$ and $\textsf{dk}_P{{\leftarrow {\$}}}\textsf{KGen}(\textsf{msk},P)$. During evaluation, each party can send the message $c_i {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_i,x_i,m_i)$ and compute $\textsf{Dec}(\textsf{dk}_P,c_1,\ldots ,c_{n})$ to evaluate the function $f_{P}((x_1,m_1),\ldots ,(x_{n},m_{n}))$. The CPA-1-sided reusable security of k-robust NI-MPC for $f_P$ follows readily from CPA-1-sided security of n-input PE under k corruptions and without collusions.

By plugging in our results, we obtain either CPA-1-sided reusable $(n-1)$-robust NI-MPC with $n = O(1)$, or CPA-1-sided reusable 0-robust NI-MPC with $n = \textsf {poly}(\lambda )$ where the predicate $P$ of the function $f_P$ is a conjunctions of arbitrary predicates (i.e., $P(x_1,\ldots ,x_{n}) = P_1(x_1)\wedge \cdots \wedge P_{n}(x_{n})$) with wildcards under the LWE assumption.

An example of an application of (CPA-1-sided reusable) NI-MPC is one-round voting protocols: We imagine the scenario where a committee consisting of n parties wants to approve a certain law. They can use NI-MPC to encode their set of constraints as their input $x_i$. The law is then approved if $P_1(x_1) \wedge \cdots \wedge P_2(x_n) = 1$, where $P_i$ is a (public) policy that checks if the constraint imposed by $x_i$ is satisfied by the law. Importantly, the protocol is completely non-interactive, and therefore the parties can just send their messages and go offline, without the need to wait for everyone to respond. In terms of security, the law is approved only if all policies are satisfied and otherwise the preference of each party is kept hidden. For instance, a hypothetical party that blocked the law would remain anonymous. We provide the formal definition of CPA-1-sided reusability and the construction of NI-MPC from multi-input PE in Sect. 6.2.

We emphasize that, nonetheless CPA-1-sided reusability is a weakening of the standard reusability definition, our flavor of reusability is non-trivial to achieve in the setting of general functions. This is because we can build null iO (and, in turn, witness encryption) [19, 31, 48] from CPA-1-sided reusable NI-MPC using the same constructions of iO from (standard) reusable NI-MPC, i.e., CPA-1-sided reusable (resp. CPA-1-sided non-reusable) 0-robust (resp. 1-robust) NI-MPC for $n=\textsf {poly}(\lambda )$ parties (resp. $n=2$ parties) and general functions implies null iO. The above observation motivates our research question of building such a notion of NI-MPC for restricted functionalities. Considering restricted functionalities, such as conjunction of arbitrary predicates, permits us to construct NI-MPC from LWE that is, at the time of this writing, a computational assumption not sufficient for constructing null iO and witness encryption.

1.4 Relation with Witness Encryption

In the following we recall the notion of witness encryption (WE) [27], and we discuss its relation with both multi-input and multi-key schemes. We anticipate that such relations do not require CPA-1-sided and CPA-2-sided security. Hence, the following discussion will focus on multi-input and multi-key ABE schemes, i.e., predicate inputs can be public.

A WE scheme for a relation $\mathcal {R}$, defined over a language $\mathcal {L}$, allows a sender to encrypt a message $m$ using a statement x. A receiver, holding a witness w, can decrypt the message $m$ if $(x,w)\in \mathcal {R}$. As for security, WE guarantees that the message remains hidden whenever $x \not \in \mathcal {L}$, i.e., the corresponding ciphertext cannot be decrypted. WE has several disrupting applications such as encrypting messages that can be decrypted in future (i.e., whenever w will be known). Moreover, WE does not require setup and is fully non-interactive.

As shown by Brakerski et al. [19], an n-input ABE (i.e., predicate inputs can be public) for arbitrary predicates (or any predicate that “match” the desired NP relation), secure in the secret-key setting and without collusions, implies WE for NP and n-size witnesses. The construction is reminiscent to the one of iO from secret-key multi-input functional encryption [29] (see also Sect. 1.3). Unfortunately, we cannot use here our n-input scheme since it only supports conjunctions of arbitrary predicates (see Eq. (1)). Currently, it is not known how to build n-input ABE (and thus PE), with $n>2$, for arbitrary predicates without iO (the only known construction is for $n=2$ and it is due to the work of Agrawal et al. [8]. See Sect. 2 for a detailed discussion.

Also, we stress that multi-key ABE (i.e., a multi-key scheme where predicate inputs can be public) for arbitrary predicates implies WE. The construction is similar to that of Brakerski et al. [19], for obtaining WE from multi-input ABE. The only difference is that we substitute the multiple inputs with the multiple decryption keys of multi-key ABE. For completeness, we describe the construction below. Let $P_{v_1,\ldots ,v_{n}}(x) = 1$ if and only if $(x,w) \in \mathcal {R}$, where $w = v_{1} || \ldots || v_{n}$ defines the class of predicates supported by the multi-key ABE. To encrypt a message m under a statement $x \in \mathcal {L}$, the sender computes $(\textsf{mpk},\textsf{msk}_1,\ldots ,\textsf{msk}_{n}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$ and sends to the receiver $(c,(\textsf{dk}_{v_i},\textsf{dk}_{\hspace{0.83328pt}\overline{\hspace{-0.83328pt}v_i\hspace{-0.83328pt}}\hspace{0.83328pt}})_{i \in [n]})$ where $c{{\leftarrow {\$}}}\textsf{Enc}(\textsf{mpk},x,m)$ and $\textsf{dk}_{v_i} {{\leftarrow {\$}}}\textsf{KGen}(\textsf{msk}_i,1)$ (resp. $\textsf{dk}_{\hspace{0.83328pt}\overline{\hspace{-0.83328pt}v_i\hspace{-0.83328pt}}\hspace{0.83328pt}} {{\leftarrow {\$}}}\textsf{KGen}(\textsf{msk}_i,0)$) for $i \in [n]$. To decrypt the ciphertext under a witness $w = v_1 || \ldots || v_{n}$, the receiver simply executes $\textsf{Dec}(\textsf{dk}'_{v_1},\ldots , \textsf{dk}'_{v_{n}}, c)$ where $\textsf{dk}'_{v_i} = \textsf{dk}_{v_i}$ if $v_i = 1$, and $\textsf{dk}'_{v_i} = \textsf{dk}_{\hspace{0.83328pt}\overline{\hspace{-0.83328pt}v_i\hspace{-0.83328pt}}\hspace{0.83328pt}}$ if $v_i = 0$.^{Footnote 14} Similarly to the case of multi-input, our multi-key construction fails to imply WE since it does not support arbitrary predicates (we stress once again that CPA-1-sided and CPA-2-sided security are not required).

It may seem that arbitrary predicates are a necessary condition in order to build WE from multi-input schemes. However, we highlight that this is not necessarily the case if we consider security under corruptions. In particular, a 2-input scheme for conjunctions under 1 corruption and no collusions, implies WE for any relation. This can be accomplished by considering the predicate $P_{x,\mathcal {R}}(\cdot ,\cdot ) = P_1(\cdot ) \wedge P_{x,\mathcal {R}}(\cdot )$ such that $P_1(x^\star _1) = 1$ (for some wildcard $x^\star _1$) and $P_{x,\mathcal {R}}(w) = 1$ if and only if $(x,w) \in \mathcal {R}$. Intuitively, to encrypt $m$ using a statement x, the sender can simply output $(c_1,\textsf{ek}_2,\textsf{dk}_{P_{x,\mathcal {R}}})$ such that $c_1 {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_1,x^\star _1,m)$, $\textsf{dk}_{P_{x,\mathcal {R}}} {{\leftarrow {\$}}}\textsf{KGen}(m,P_{x,\mathcal {R}})$, and $(\textsf{msk},\textsf{ek}_1,\textsf{ek}_2) {{\leftarrow {\$}}}\textsf{Setup} (1^{\lambda })$. Then, the receiver uses w to retrieve $m$ by computing $\textsf{Dec}(\textsf{dk}_{x,\mathcal {R}},c_1,\textsf{Enc}(\textsf{ek}_2,w))$.^{Footnote 15} Here, it is crucial that the underlying 2-input scheme can handle corruptions, since the latter allows the sender to disclose $\textsf{ek}_2$ to the (possibly malicious) receiver and give him the opportunity to try different witnesses.

Unfortunately, even in this case, our O(1)-input scheme under corruptions fails to imply WE. This is because our construction supports conjunctions of arbitrary predicates each one having a wildcard. In other words, the wildcard is a trivial witness for any statement.^{Footnote 16}

Given the above discussion, we identify two plausible approaches that could lead to a construction of WE from standard assumptions:

Enlarging the class of predicates of our secret-key n-input or n-key constructions: From conjunction of arbitrary predicates (see Eq. (1)) to arbitrary predicates (or any restricted class of predicates that permits to implement a specific non-trivial WE relation $\mathcal {R}$).
Supporting conjunctions of arbitrary predicates (without wildcards) in the setting of 2-input with security under 1 corruption.

2 Related Work

Multi-input PE is a special case of multi-input FE [29]. It is well known that so-called compact FE (supporting arbitrary functions) implies multi-input FE [9, 15], which in turn implies iO. Constructions of multi-input FE from standard assumptions, in turn, exist for restricted functions [1,2,3,4, 6, 7, 16, 21, 22, 24, 39, 44]. The multi-input and multi-key settings have also been considered in the context of fully-homomorphic encryption [23, 40, 41].

Multi-input PE can also be seen as stronger form of multi-input ABE [19], the difference being that the attributes are not private in the case of ABE. Previously to our work, all (provably secure) constructions of n-input ABE with $n>2$ required iO. The only exception is the work of Agrawal et al. [8] that proposes two constructions of secret-key (i.e., no corruptions) 2-input key-policy ABE for $\textsf{NC}^1$ with unbounded collusions (recall that, in the ABE setting, only the secrecy of the messages is guaranteed, i.e., inputs can be public). The first construction is based on LWE and pairings, and it is provably secure in the generic group model. The second construction is based on function-hiding inner-product FE, a variant of the non-falsifiable KOALA knowledge assumption (which is proven to hold under the bilinear generic group model), and LWE. However, this second construction achieves a weaker selective flavor of security in which the adversary has to submit both the challenge and the decryption key queries before the setup phase. Additionally, they propose two heuristic constructions. The first is a 2-input ABE for $\textsf{P}$ from lattices, and the second is a 3-input ABE for $\textsf{NC}^1$ from pairings and lattices. However, the security of these heuristic constructions remains unclear.

In comparison, our work directly focuses on the PE setting (i.e., CPA-1-sided security) and provides the first secret-key n-input PE that supports $n = \textsf {poly}(\lambda )$ inputs, with (adaptive) CPA-1-sided security (i.e., secrecy of both inputs and messages) based solely on LWE. However, our construction only supports a restricted class of predicates (i.e., conjunctions of arbitrary predicates with wildcards) and it is secure only in the case of no collusions. Furthermore, differently from [8], we move away from the secret-key setting and propose a second construction of n-input PE (still for conjunctions of arbitrary predicates) that supports $n=O(1)$ inputs and can tolerate $n-1$ corruptions (i.e., up to $n-1$ encryption keys can be adaptively revealed by the adversary). Finally, we propose the notion of multi-key PE (not covered in [8]), and give the first construction of CPA-1-sided secure n-key PE for $n=\textsf {poly}(\lambda )$, with unbounded collusions and still supporting conjunctions of arbitrary predicates, based on LWE.

Regarding the techniques, we highlight that both our work and that of [8] introduce (albeit different) nesting techniques based on lockable obfuscation. In particular, the nesting technique of [8] permits to transform any secret-key n-input ABE into a secret-key n-input PE (achieving CPA-1-sided security). We stress that their approach only works in the secret-key setting. In contrast, we propose a different nesting technique which yields n-input PE for $n = O(1)$ while tolerating $n-1$ corruptions. It is important to note that our nesting technique is not generic, but it is specifically tailored to work with the class of predicates considered in this work.

Turning to applications, we highlight that the multi-input schemes of [8] fail to imply ME, since their constructions are all in the secret-key setting (whereas ME requires a public-key encryption algorithm). As for NI-MPC, the constructions in [8] can be used to obtain a CPA-1-sided 0-robust reusable NI-MPC for all-or-nothing functions defined over arbitrary predicates, but only in the case of 2 parties (3 parties if we consider also the heuristic constructions).

3 Preliminaries

3.1 Notation

We use the notation $[n] = \{1,2,\ldots ,n\}$. Capital bold-face letters (such as $\textbf{X}$) are used to denote random variables, small letters (such as x) to denote concrete values, calligraphic letters (such as $\mathcal {X}$) to denote sets, serif letters (such as $\textsf{A}$) to denote algorithms, and bold typeface letters (such as $\mathbb {C}$) to denote circuits. All of our algorithms are modeled as (possibly interactive) Turing machines; if algorithm $\textsf{A}$ has oracle access to some oracle $\textsf{O}$, we often implicitly write $\mathcal {Q}_\textsf{O}$ for the set of queries asked by $\textsf{A}$ to $\textsf{O}$.

For a string $x \in {{\leftarrow {\$}}}^*$, we let |x| be its length; if $\mathcal {X}$ is a set, $|\mathcal {X}|$ represents the cardinality of $\mathcal {X}$. When x is chosen uniformly in $\mathcal {X}$, we write $x{{\leftarrow {\$}}}\mathcal {X}$. If $\textsf{A}$ is an algorithm, we write $y {{\leftarrow {\$}}}\textsf{A}(x)$ to denote a run of $\textsf{A}$ on input x and output y; if $\textsf{A}$ is randomized, y is a random variable and $\textsf{A}(x;r)$ denotes a run of $\textsf{A}$ on input x and (uniform) randomness r. An algorithm $\textsf{A}$ is probabilistic polynomial-time (PPT) if $\textsf{A}$ is randomized and for any input $x,r \in {{\leftarrow {\$}}}^*$ the computation of $\textsf{A}(x;r)$ terminates in a polynomial number of steps (in the input size). We write $\mathbb {C}(x) = y$ to denote the evaluation of the circuit $\mathbb {C}$ on input x and output y.

Let $\textbf{G}$ be an experiment defining the security of a cryptographic primitive $\Pi $ and $\textbf{E}$ be an event. We write $\mathbb {P}\left[ \textbf{G}_{\Pi ,\textsf{A}}(\lambda ) = 1 | \textbf{E}\right] $ (i.e., the outcome of experiment $\textbf{G}_{\Pi ,\textsf{A}}(\lambda )$ conditioned to the event $\textbf{E}$) to denote the advantage of an adversary $\textsf{A}$ in winning the experiment $\textbf{G}_{\Pi ,\textsf{A}}(\lambda )$ (i.e., $\textbf{G}_{\Pi ,\textsf{A}}(\lambda )$ = 1) when the event $\textbf{E}$ holds.^{Footnote 17}

Negligible functions. Throughout the paper, we denote by $\lambda \in \mathbb {N}$ the security parameter and we implicitly assume that every algorithm takes as input the security parameter. A function $\nu (\cdot )$ is called negligible in the security parameter $\lambda \in \mathbb {N}$ if it vanishes faster than the inverse of any polynomial in $\lambda $, i.e. $\nu (\lambda ) \in O(1/p(\lambda ))$ for all positive polynomials $p(\lambda )$. We sometimes write $\textsf {negl}(\lambda )$ (resp. $\textsf {poly}(\lambda )$) to denote an unspecified negligible function (resp. polynomial function) in the security parameter.

3.2 Lockable Obfuscation

A lockable obfuscator [31, 48] permits to obfuscate a circuit $\mathbb {C}$ together with a “lock” $y$ and a message $m$. As a result, the obfuscator will output an obfuscated circuit $\widetilde{\mathbb {C}}$ that will behave as follows:

$$\begin{aligned} \widetilde{\mathbb {C}}(x) = {\left\{ \begin{array}{ll} m&{} \text {if } \mathbb {C}(x) = y\\ \bot &{} \text { otherwise.} \end{array}\right. } \end{aligned}$$

More formally, let $n(\cdot ),s(\cdot ),d(\cdot )$ be polynomials, and $\mathcal {C}_{n,s,d}(\lambda )$ be the family of circuits of depth $d(\lambda )$ with input size $n(\lambda )$ and output size $s(\lambda )$. A lockable obfuscator for the circuit family $\mathcal {C}_{n,s,d}(\lambda )$ and message space $\mathcal {M}$ is composed of the following polynomial-time algorithms:

$\textsf{Obf}(1^{\lambda }, \mathbb {C},y,m)$::: Upon input the security parameter $1^{\lambda }$, a circuit $\mathbb {C}\in \mathcal {C}_{n,s,d}(\lambda )$, a lock $y\in {{\leftarrow {\$}}}^{s(\lambda )}$, and a message $m\in \mathcal {M}$, the randomized lockable obfuscator algorithm outputs a circuit $\widetilde{\mathbb {C}}$.
$\textsf{Eval}(\widetilde{\mathbb {C}}, x)$::: Upon input an obfuscated circuit $\widetilde{\mathbb {C}}$ and an input $x\in {{\leftarrow {\$}}}^{n(\lambda )}$, the deterministic evaluation algorithm outputs a message $m\in \mathcal {M}\cup \{\bot \}$.

Definition 1

(Semi-statistical correctness of lockable obfuscation [31]). A lockable obfuscator $\Pi =(\textsf{Obf},\textsf{Eval})$ for the circuit family $\mathcal {C}_{n,s,d}(\lambda )$ and message space $\mathcal {M}$ satisfies semi-statistical correctness if:

1.
$\forall \lambda \in \mathbb {N}$, $\forall x \in {{\leftarrow {\$}}}^{n(\lambda )}$, $m\in \mathcal {M}$, $\forall \mathbb {C}\in \mathcal {C}_{n,s,d}(\lambda )$ such that $\mathbb {C}(x) = y$, we have
$$\begin{aligned} \mathbb {P}\left[ \textsf{Eval}(\textsf{Obf}(1^{\lambda },\mathbb {C},y,m),x) = m\right] = 1. \end{aligned}$$
2.
$\forall \lambda \in \mathbb {N}$, $\forall x \in {{\leftarrow {\$}}}^{n(\lambda )}$, $\forall m\in \mathcal {M}$, $\forall \mathbb {C}\in \mathcal {C}_{n,s,d}(\lambda )$ such that $\mathbb {C}(x) \ne y$, we have
$$\begin{aligned} \mathbb {P}\left[ \textsf{Eval}(\textsf{Obf}(1^{\lambda },\mathbb {C},y,m),x) = m\right] \le \textsf {negl}(\lambda ). \end{aligned}$$

As for security, lockable obfuscation must hide any information about the circuit $\mathbb {C}$, the message $m$ and the lock y when the lock is randomly chosen. This is defined by requiring that there exists a simulator $\textsf{S}$ that simulates the obfuscated circuit $\widetilde{\mathbb {C}}$.

Definition 2

(Security of lockable obfuscation). A lockable obfuscator $\Pi =(\textsf{Obf}, \textsf{Eval})$ for the circuit family $\mathcal {C}_{n,s,d}(\lambda )$ and message space $\mathcal {M}$ is secure if there exists a PPT simulator $\textsf{S}$ such that for every PPT adversary $\textsf{A}= (\textsf{A}_0,\textsf{A}_1)$ we have:

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{\textsf{lock}\text {-}\textsf{sim}}_{\Pi , \textsf{A},\textsf{S}}(\lambda ) = 1\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ), \end{aligned}$$

where $\textbf{G}^{\textsf{lock}\text {-}\textsf{sim}}_{\Pi , \textsf{A},\textsf{S}}(\lambda )$ is depicted in Fig. 1.

Remark 1

The definitions above are taken from [31]. Wichs and Zirdelis [48] proposed a slightly more general notion of obfuscation for multi-bit compute-and-compare circuits in which the lock is only required to be unpredictable. They also give an obfuscator for multi-bit compute-and-compare circuits from the LWE assumption.

3.3 Symmetric and Public Key Encryption

3.3.1 Symmetric Key Encryption

A symmetric-key encryption (SKE) scheme with message space $\mathcal {M}$ is composed of the following polynomial-time algorithms:

$\textsf{KGen}(1^{\lambda })$::: The randomized key generator takes as input the security parameter $1^{\lambda }$ and outputs a symmetric key $\textsf{k}$.
$\textsf{Enc}(\textsf{k}, m)$::: The randomized encryption algorithm takes as input a symmetric key $\textsf{k}$ and a message $m\in \mathcal {M}$, and outputs a ciphertext $c$.
$\textsf{Dec}(\textsf{k}, c)$::: The deterministic decryption algorithm takes as input a symmetric key $\textsf{k}$ and a ciphertext $c$, and outputs a message $m$.

We require a SKE to be correct and secure against chosen-plaintext attacks (CPA).

Definition 3

(Correctness of SKE). A SKE $\Pi $ with message space $\mathcal {M}$ is correct if $\forall \lambda \in \mathbb {N}$, $\forall m\in \mathcal {M}$, we have

$$\begin{aligned} \mathbb {P}\left[ \textsf{Dec}(\textsf{k}, \textsf{Enc}(\textsf{k}, m)) = m\right] \ge 1 - \textsf {negl}(\lambda ), \end{aligned}$$

where $\textsf{k}{{\leftarrow {\$}}}\textsf{KGen}(1^{\lambda })$. The above probability is taken over the random coins of $\textsf{KGen}$ and $\textsf{Enc}$.

Definition 4

(CPA security of SKE). We say that a SKE $\Pi $ is CPA secure if for all PPT adversaries $\textsf{A}=(\textsf{A}_0,\textsf{A}_1)$:

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{\mathsf {\textsf{CPA}\text {-}\textsf{ske}}}_{\Pi , \textsf{A}}(\lambda ) = 1\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ), \end{aligned}$$

where game $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}\textsf{ske}}}_{\Pi , \textsf{A}}(\lambda )$ is depicted in Fig. 2.

3.3.2 Public Key Encryption

A public-key encryption (PKE) scheme with message space $\mathcal {M}$ is composed of the following polynomial-time algorithms:

$\textsf{KGen}(1^{\lambda })$::: The randomized key generator takes as input the security parameter $1^{\lambda }$ and outputs a public and a secret key pair $(\textsf{pk},\textsf{sk})$.
$\textsf{Enc}(\textsf{pk}, m)$::: The randomized encryption algorithm takes as input a public key $\textsf{pk}$ and a message $m\in \mathcal {M}$ and outputs a ciphertext $c$.
$\textsf{Dec}(\textsf{sk}, c)$::: The deterministic decryption algorithm takes as input a secret key $\textsf{sk}$ and a ciphertext $c$ and outputs a message $m$.

We consider the usual definition of correctness and CPA security of PKE.

Definition 5

(Correctness of PKE). A PKE $\Pi $ with message space $\mathcal {M}$ is correct if $\forall \lambda \in \mathbb {N}$, $\forall (\textsf{pk},\textsf{sk})$ output by $\textsf{KGen}(1^{\lambda })$, $\forall m\in \mathcal {M}$, we have

$$\begin{aligned} \mathbb {P}\left[ \textsf{Dec}(\textsf{sk}, \textsf{Enc}(\textsf{pk}, m)) = m\right] \ge 1 - \textsf {negl}(\lambda ), \end{aligned}$$

where $(\textsf{pk},\textsf{sk}){{\leftarrow {\$}}}\textsf{KGen}(1^{\lambda })$. The above probability is taken over the random coins of $\textsf{KGen}$ and $\textsf{Enc}$.

Definition 6

(CPA security of PKE). We say that a SKE $\Pi $ is CPA secure if for all PPT adversaries $\textsf{A}=(\textsf{A}_0,\textsf{A}_1)$:

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{\mathsf {\textsf{CPA}\text {-}\textsf{pke}}}_{\Pi , \textsf{A}}(\lambda ) = 1\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ), \end{aligned}$$

where game $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}\textsf{pke}}}_{\Pi , \textsf{A}}(\lambda )$ is depicted in Fig. 2.

3.4 Predicate Encryption

In PE, a trusted authority generates a decryption key for the receiver associated to an arbitrary predicate of his choice. The receiver is able to decrypt a ciphertext if and only if the predicate $P$ (corresponding to its decryption key) is satisfied when evaluated with the predicate input $x$ used for encrypting the plaintext, i.e. $P(x)=1$. Formally, a PE with message space $\mathcal {M}$, input space $\mathcal {X}$, and predicate space $\mathcal {P}$, is composed of the following polynomial-time algorithms:

$\textsf{Setup}(1^{\lambda })$::: Upon input the security parameter $1^{\lambda }$, the randomized setup algorithm outputs the master public key $\textsf{mpk}$ and the master secret key $\textsf{msk}$.
$\textsf{KGen}(\textsf{msk}, P)$::: The randomized key generator takes as input the master secret key $\textsf{msk}$ and a predicate $P\in \mathcal {P}$. The algorithm outputs a secret decryption key $\textsf{dk}_{P}$ for predicate $P$.
$\textsf{Enc}(\textsf{mpk},x, m)$::: The randomized encryption algorithm takes as the master public key $\textsf{mpk}$, an input $x\in \mathcal {X}$, and a message $m\in \mathcal {M}$. The algorithm produces a ciphertext $c$ linked to both $x$ and m.
$\textsf{Dec}(\textsf{dk}_{P}, c)$::: The deterministic decryption algorithm takes as input a secret decryption key $\textsf{dk}_{P}$ for predicate $P\in \mathcal {P}$ and a ciphertext $c$. The algorithm outputs either a message $m$ or an error $\bot $.

Correctness of PE states that the receiver obtains the message with overwhelming probability if $P(x)=1$. On the other hand, if $P(x) =0$, the decryption outputs $\bot $ with overwhelming probability.

Definition 7

(Correctness of PE). A PE with message space $\mathcal {M}$, input space $\mathcal {X}$, predicate space $\mathcal {P}$, is correct if $\forall \lambda \in \mathbb {N}$, $\forall m\in \mathcal {M}$, $\forall x\in \mathcal {X}$, $\forall P\in \mathcal {P}$, the following two conditions hold:

1.
If $P(x)=1$, then $\mathbb {P}\left[ \textsf{Dec}(\textsf{dk}_{P}, \textsf{Enc}(\textsf{mpk},x, m)) = m\right] \ge 1 - \textsf {negl}(\lambda )$ where $(\textsf{mpk}, \textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$ and $\textsf{dk}_{P} {{\leftarrow {\$}}}\textsf{KGen}(\textsf{msk}, P)$.
2.
If $P(x) = 0$, then $\mathbb {P}\left[ \textsf{Dec}(\textsf{dk}_{P}, \textsf{Enc}(\textsf{mpk},x, m)) = \bot \right] \ge 1 - \textsf {negl}(\lambda )$ where $(\textsf{mpk}, \textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$ and $\textsf{dk}_{P} {{\leftarrow {\$}}}\textsf{KGen}(\textsf{msk}, P)$.

The above two probabilities are taken over the random coins of $\textsf{Setup}, \textsf{KGen}$ and $\textsf{Enc}$.

Security of PE comes in different flavors. The standard CPA security requires the adversary to distinguish between the encryption of two messages for the same predicate input. More formally, the adversary is allowed to perform a polynomial number of queries to the key generation oracle. Then, the adversary chooses two messages $m^0$ and $m^1$ and an input $x$, and wins the CPA security game if it can distinguish between an encryption of $\textsf{Enc}(\textsf{mpk},x,m^0)$ and $\textsf{Enc}(\textsf{mpk},x,m^1)$ with non-negligible probability (a PE scheme that satisfies CPA security is also called attribute-based encryption (ABE)).

Definition 8

(CPA security of PE). We say that a PE $\Pi $ is CPA secure if for all valid PPT adversaries $\textsf{A}= (\textsf{A}_0,\textsf{A}_1)$:

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{\mathsf {\textsf{CPA}\text {-}PE}}_{\Pi , \textsf{A}}(\lambda ) = 1\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ), \end{aligned}$$

where game $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}PE}}_{\Pi , \textsf{A}}(\lambda )$ is depicted in Fig. 3. Adversary $\textsf{A}$ is called valid if $\forall P\in \mathcal {Q}_{\textsf{KGen}}$ it holds that $P(x) = 0$.

We also consider two stronger definitions of security, namely CPA-1-sided and CPA-2-sided security, guaranteeing also the secrecy of the predicate input used during the encryption of a message. In this security games, the adversary is allowed to choose two different inputs $x^0$ and $x^1$ and the usual messages $m^0$ and $m^1$. CPA-1-sided security guarantees the privacy of the input only when the predicates for which the adversary knows a decryption key (i.e. the ones he received from the key generation oracle) are not satisfied, i.e. the receiver cannot decrypt the message. On the other hand, CPA-2-sided security considers the same property also when the predicate is satisfied, i.e., the receiver can decrypt the challenge ciphertexts.

Definition 9

(CPA-1-sided and CPA-2-sided security of PE). Let $t\in [2]$. We say that a PE $\Pi $ is CPA-t-sided secure if for all valid PPT adversaries $\textsf{A}= (\textsf{A}_0,\textsf{A}_1)$:

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{\mathsf {\textsf{CPA}\text {-}}t\mathsf {\text {-}PE}}_{\Pi , \textsf{A}}(\lambda ) = 1\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ), \end{aligned}$$

where game $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}}t\mathsf {\text {-}PE}}_{\Pi , \textsf{A}}(\lambda )$ is depicted in Fig. 3. Adversary $\textsf{A}$ is called valid if $\forall P\in \mathcal {Q}_{\textsf{KGen}}$,

$$\begin{aligned} {\textbf {Case }}t=1:&\ P(x^0) = P(x^1) = 0.\\ {\textbf {Case }}t=2:&\ \text {Either } P(x^0) = P(x^1) = 0 \ \text {or } P(x^0) = P(x^1) \wedge m^0 = m^1. \end{aligned}$$

Through the paper, we say $\Pi $ is CPA-1-sided (resp. CPA-2-sided) secure without collusions if $|\mathcal {Q}_{\textsf{KGen}}| = 1$, i.e., the adversary cannot get more than one decryption key.^{Footnote 18}

Remark 2

PE schemes, satisfying CPA security (Definition 8) or CPA-1-sided security (Definition 9), can be built from different assumptions. Notably, [30] proposes an LWE-based PE scheme satisfying CPA-1-sided (and thus CPA) selective security, i.e., the adversary chooses the challenge messages and predicate inputs before receiving the master public key. By using complexity leveraging, the same construction achieves adaptive security (i.e., Definitions 8, 9) but this requires sub-exponential LWE.

4 Multi-key and Multi-input Predicate Encryption

We provide the formal definitions of multi-key PE and multi-input PE in the following Sects. 4.1 and 4.2, respectively. In Sect. 4.3, we show the relations between multi-key PE and multi-input PE schemes.

4.1 Multi-key PE

Formally, an n-key PE with message space $\mathcal {M}$, input space $\mathcal {X}$, and predicate space $\mathcal {P}=\{P_{v_1,\ldots ,v_{n}}(x)\}_{(v_1,\ldots ,v_{n}) \in \mathcal {V}}$ indexed by $\mathcal {V}= \mathcal {V}_1 \times \cdots \times \mathcal {V}_{n}$, is composed of the following polynomial-time algorithms:

$\textsf{Setup}(1^{\lambda })$::: Upon input the security parameter $1^{\lambda }$ the setup algorithm outputs the master public key $\textsf{mpk}$ and the n master secret key $(\textsf{msk}_1,\ldots ,\textsf{msk}_{n})$.
$\textsf{KGen}(\textsf{msk}_i, v_i)$::: Let $i \in [n]$. The randomized key generator takes as input the ith master secret key $\textsf{msk}_i$ and the ith index $v_i\in \mathcal {V}_i$. The algorithm outputs the ith secret decryption key $\textsf{dk}_{v_i}$ for the predicate index $v_i$.
$\textsf{Enc}(\textsf{mpk}, x, m)$::: The randomized encryption algorithm takes as the master public key $\textsf{mpk}$, an input $x\in \mathcal {X}$, and a message $m\in \mathcal {M}$. The algorithm produces a ciphertext $c$.
$\textsf{Dec}(\textsf{dk}_{v_1}, \ldots , \textsf{dk}_{v_{n}}, c)$::: The deterministic decryption algorithm takes as input n secret decryption keys $(\textsf{dk}_{v_1},\ldots , \textsf{dk}_{v_{n}})$ for the n indexes $(v_1,\ldots ,v_{n}) \in \mathcal {V}$ and a ciphertext $c$. The algorithm outputs a message $m$.

Correctness is intuitive: given the decryption keys $(\textsf{dk}_{v_1},\ldots ,\textsf{dk}_{v_{n}})$ for $(v_1,\ldots ,v_{n}) \in \mathcal {V}$, the decryption algorithm returns the message $m$ (encrypted under the input $x$) with overwhelming probability, whenever $P_{v_1,\ldots ,v_{n}}(x)=1$.

Definition 10

(Correctness of n-key PE). A n-key PE with message space $\mathcal {M}$, input space $\mathcal {X}$, predicate space $\mathcal {P}=\{P_{v_1,\ldots ,v_{n}}\}_{v_1,\ldots ,v_{n} \in \mathcal {V}}$ indexed by $\mathcal {V}= \mathcal {V}_1 \times \cdots \times \mathcal {V}_{n}$, is correct if $\forall \lambda \in \mathbb {N}$, $\forall m\in \mathcal {M}$, $\forall x\in \mathcal {X}$, $\forall (v_1,\ldots , v_{n}) \in \mathcal {V}$ such that $P_{v_1,\ldots ,v_{n}}(x) = 1$, we have:

$$\begin{aligned} \mathbb {P}\left[ \textsf{Dec}(\textsf{dk}_{v_1}, \ldots , \textsf{dk}_{v_{n}}, \textsf{Enc}(\textsf{mpk}, x, m)) = m\right] \ge 1 - \textsf {negl}(\lambda ), \end{aligned}$$

where $ (\textsf{mpk}, \textsf{msk}_1,\ldots ,\textsf{msk}_{n}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$ and $\textsf{dk}_{v_{i}} {{\leftarrow {\$}}}\textsf{KGen}(\textsf{msk}_i, v_i)$ for $i\in [n]$. The above probability is taken over the random coins of $\textsf{Setup}, \textsf{KGen}$, and $\textsf{Enc}$.

As for security, we adapt the standard CPA-1-sided and CPA-2-sided security of PE to the n-key setting. In particular, an adversary (with oracle access to $\textsf{KGen}(\textsf{msk}_i,\cdot )$ for $i \in [n]$) cannot distinguish between $\textsf{Enc}(\textsf{mpk},x^0,m^0)$ and $\textsf{Enc}(\textsf{mpk},x^1,m^1)$ except with non-negligible probability. When considering CPA-1-sided security, the adversary is valid only if it cannot decrypt the challenge ciphertext, i.e., it asks to the n key generation oracles indexes $(v_1,\ldots ,v_{n})$ such that $P_{v_1,\ldots ,v_{n}}(x^0) = P_{v_1,\ldots ,v_{n}}(x^1) =0$. Analogously, the CPA-2-sided security captures the indistinguishability of $\textsf{Enc}(\textsf{mpk},x^0,m^0)$ and $\textsf{Enc}(\textsf{mpk},x^1,m^1)$ even when the adversary can decrypt the challenge ciphertext, i.e., $P_{v_1,\ldots ,v_{n}}(x^0) = P_{v_1,\ldots ,v_{n}}(x^1) = 1$ and $m^0 = m^1$. These security definitions are formalized below.

Definition 11

(CPA-1-sided and CPA-2-sided security ofn-key PE). Let $t \in [2]$. We say that a n-key PE $\Pi $ is CPA-t-sided secure if for all valid PPT adversaries $\textsf{A}= (\textsf{A}_0,\textsf{A}_1)$:

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{\mathsf {\textsf{CPA}\text {-}}t\mathsf {\text {-}\textsf{kPE}}}_{\Pi , \textsf{A}}(\lambda ) = 1\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ), \end{aligned}$$

where game $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}}t\mathsf {\text {-}\textsf{kPE}}}_{\Pi , \textsf{A}}(\lambda )$ is depicted in Fig. 4. Adversary $\textsf{A}$ is called valid if $\forall v_1 \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_1,\cdot )},\ldots ,\forall v_{n} \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_{n},\cdot )}$, we have^{Footnote 19}

$$\begin{aligned} {\textbf {Case }}t=1:&\ P_{v_1,\ldots ,v_{n}}(x^0) = P_{v_1,\ldots ,v_{n}}(x^1) = 0.\\ {\textbf {Case }}t=2:&\ \text {Either } P_{v_1,\ldots ,v_{n}}(x^0) = P_{v_1,\ldots ,v_{n}}(x^1) = 0 \\&\ \text {or } P_{v_1,\ldots ,v_{n}}(x^0) = P_{v_1,\ldots ,v_{n}}(x^1) \wedge m^0 = m^1.^{19} \end{aligned}$$

4.2 Multi-input PE

Formally, an n-input PE with message space $\mathcal {M}= \mathcal {M}_1 \times \cdots \times \mathcal {M}_{n}$, input space $\mathcal {X}= \mathcal {X}_1 \times \cdots \times \mathcal {X}_{n}$, and predicate space $\mathcal {P}$, is composed of the following polynomial-time algorithms:

$\textsf{Setup}(1^{\lambda })$::: Upon input the security parameter $1^{\lambda }$ the setup algorithm outputs the encryption keys $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n})$ and the master secret key $\textsf{msk}$.
$\textsf{KGen}(\textsf{msk}, P)$::: The randomized key generator takes as input the master secret key $\textsf{msk}$ and a predicate $P\in \mathcal {P}$. The algorithm outputs a secret decryption key $\textsf{dk}_{P}$ for predicate $P$.
$\textsf{Enc}(\textsf{ek}_i, x_i, m_i)$::: Let $i \in [n]$. The randomized encryption algorithm takes as input an encryption key $\textsf{ek}_i$, an input $x_i\in \mathcal {X}_i$, and a message $m_i\in \mathcal {M}_i$. The algorithm produces a ciphertext $c_i$ linked to $x_i$.
$\textsf{Dec}(\textsf{dk}_{P}, c_1,\ldots , c_{n})$::: The deterministic decryption algorithm takes as input a secret decryption key $\textsf{dk}_{P}$ for predicate $P\in \mathcal {P}$ and n ciphertexts $(c_1,\ldots ,c_{n})$. The algorithm outputs n messages $(m_1,\ldots ,m_{n})$.

Correctness states that ciphertexts $(c_1,\ldots ,c_{n})$, each linked to an input $x_i$, correctly decrypt with overwhelming probability if $P(x_1,\ldots ,x_{n})=1$.

Definition 12

(Correctness of n-input PE). An n-input PE with message space $\mathcal {M}=\mathcal {M}_1 \times \cdots \times \mathcal {M}_{n}$, input space $\mathcal {X}= \mathcal {X}_1 \times \cdots \times \mathcal {X}_{n}$, predicate space $\mathcal {P}$, is correct if $\forall \lambda \in \mathbb {N}$, $\forall (m_1,\ldots ,m_{n}) \in \mathcal {M}$, $\forall (x_1,\ldots ,x_{n})\in \mathcal {X}$,$\forall P\in \mathcal {P}$ such that $P(x_1,\ldots ,x_{n}) = 1$, we have:

$$\begin{aligned} \mathbb {P}\left[ \textsf{Dec}(\textsf{dk}_{P}, c_1,\ldots ,c_{n}) = (m_1,\ldots ,m_{n})\right] \ge 1 - \textsf {negl}(\lambda ), \end{aligned}$$

where $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n}, \textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$, $\textsf{dk}_{P} {{\leftarrow {\$}}}\textsf{KGen}(\textsf{msk}, P)$, and $c_i {{\leftarrow {\$}}} \textsf{Enc}(\textsf{ek}_i, x_i, m_i)$ for $i\in [n]$. The above probability is taken over the random coins of $\textsf{Setup},\textsf{KGen}$, and $\textsf{Enc}$.

Security with and without corruptions. The CPA-1-sided and CPA-2-sided security of n-input PE capture the infeasibility in distinguishing between ciphertexts $(\textsf{Enc} (\textsf{ek}_1,x^0_1,m^0_1),\ldots ,\textsf{Enc}(\textsf{ek}_{n},x^0_{n},m^0_{n}))$ and $(\textsf{Enc}(\textsf{ek}_1,x^1_1,m^1_1),\ldots ,\textsf{Enc}(\textsf{ek}_{n},x^1_{n},m^1_{n}))$. This is modeled by an adversary having oracle access to a key generation oracle $\textsf{KGen}(\textsf{msk},\cdot )$ (allowing it to get decryption keys $\textsf{dk}_P$ on predicates of its choice) and n encryption oracles $\textsf{Enc}(\textsf{ek}_1,\cdot ,\cdot ),\ldots , \textsf{Enc}(\textsf{ek}_{n},\cdot ,\cdot )$ (allowing it to get encryptions of arbitrary messages and inputs). Differently from the n-key setting, we consider different models of security with respect to whether the encryption keys are secret (i.e., no corruptions) or public/leaked (i.e., the adversary has the possibility to get one or more encryption keys of its choice). The corruption of an encryption key is captured by giving access to a corruption oracle $\textsf{Corr}(\cdot )$ to the adversary that, on input $i \in [n]$, it returns $\textsf{ek}_i$. Intuitively, the knowledge of $\textsf{ek}_i$ impacts the validity condition that the adversary must satisfy (e.g., the challenge ciphertext cannot be decrypted). Indeed, $\textsf{ek}_i$ would allow the adversary to produce arbitrary ith ciphertexts on arbitrary ith inputs $x_i$ and potentially decrypt part of the challenge ciphertext. Concretely, as for CPA-1-sided security, the validity of the adversary can be defined as follows:

No corruptions (a.k.a. the secret-key setting). If all the encryption keys $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n})$ are secret the validity conditions of CPA-1-sided security is straightforward. It intuitively states that for every $\textsf{dk}_{P}$ (obtained through oracle $\textsf{KGen}(\textsf{msk},\cdot )$) and any tuple of ciphertexts $(c_1,\ldots ,c_{n})$ (each linked to an input $x_i$) obtained through the interleaving of part of the challenge ciphertext with the ciphertexts generated by invoking oracles $\{\textsf{Enc}(\textsf{ek}_i,\cdot ,\cdot )\}_{i\in [n]}$, we must have that $P(x_1,\ldots ,x_{n})=0$ (otherwise part of the challenge ciphertext can be decrypted).
With corruptions. If some of the encryption keys are known by the adversary (i.e., obtained through the corruption oracle $\textsf{Corr}(\cdot )$) then the validity condition now changes according to which keys have been obtained. This is because the adversary can now autonomously compute arbitrary ciphertext (for a particular slot i) using the leaked ith encryption key $\textsf{ek}_i$. Taking into account this observation, the validity of CPA-1-sided security with corruptions says that any tuple of ciphertexts $(c_1,\ldots ,c_{n})$ that can be obtained by interleaving part of the challenge ciphertexts with both the ones generated through oracles $\{\textsf{Enc}(\textsf{ek}_i,\cdot ,\cdot )\}_{i\in [n]}$ and the ones that can be autonomously generated using the leaked encryption keys, we must have that $P(x_1,\ldots ,x_{n})=0$.

The validity of CPA-2-sided security (with and without corruptions) can be easily obtained by adapting the above discussion. Below, we provide the formal definition.

Definition 13

($\ell $-Corruptions CPA-1-sided and CPA-2-sided security of n-input PE). Let $t \in [2]$. We say that an n-input PE $\Pi $ is CPA-t-sided secure in the $\ell $-corruptions setting if for all valid PPT adversaries $\textsf{A}= (\textsf{A}_0,\textsf{A}_1)$:

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{\ell \text {-}\textsf{CPA}\text {-}t\text {-}\textsf{iPE}}_{\Pi , \textsf{A}}(\lambda ) = 1\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ), \end{aligned}$$

where game $\textbf{G}^{\ell \text {-}\textsf{CPA}\text {-}t\text {-}\textsf{iPE}}_{\Pi , \textsf{A}}(\lambda )$ is depicted in Fig. 5. Let $\mathcal {Q}_i = \{x| \exists (x,m) \in \mathcal {Q}_{\textsf{Enc}(\textsf{ek}_i,\cdot ,\cdot )} \}$ for $i \in [n]{\setminus } \mathcal {Q}_{\textsf{Corr}}$ and $\mathcal {Q}_i = \mathcal {X}_{i}$ for $i \in \mathcal {Q}_{\textsf{Corr}}$. Moreover, let $\mathcal {Q}^d_i$ (for $d\in {{\leftarrow {\$}}}$) be the ordered set composed of the predicate inputs $\mathcal {Q}_i$ and the challenge input $x^d_{i}$, i.e., $\mathcal {Q}^d_i = \{x^{(1,d)}_i,\ldots ,x^{(k_i,d)}_i,x^{(k_i+1,d)}_i = x^d_i\}$ where $k_i = |\mathcal {Q}_i|$ and $x^{(j,d)} \in \mathcal {Q}_i$ for $j \in [k_i]$.^{Footnote 20} Adversary $\textsf{A}$ is called valid if $|\mathcal {Q}_{\textsf{Corr}}| \le \ell $ and $\forall P\in \mathcal {Q}_{\textsf{KGen}}$, $\forall j \in [n]$, $\forall i_1 \in [k_1 +1],\ldots , \forall i_n \in [k_n + 1]$, we have

$$\begin{aligned} {\textbf {Case }}t=1:&\ P(x^{(i_1,0)}_1,\ldots ,x^{(i_{j-1},0)}_{j-1},x^{0}_j,x^{(i_{j+1},0)}_{j+1},\ldots ,x^{(i_n,0)}_{n}) \\&\ = P(x^{(i_1,1)}_1,\ldots ,x^{(i_{j-1},1)}_{j-1},x^{1}_j,x^{(i_{j+1},1)}_{j+1},\ldots ,x^{(i_n,1)}_{n}) = 0. \\ {\textbf {Case }}t=2:&\ \text {Either } \\&\quad P(x^{(i_1,0)}_1,\ldots ,x^{(i_{j-1},0)}_{j-1},x^{0}_j,x^{(i_{j+1},0)}_{j+1},\ldots ,x^{(i_n,0)}_{n}) \\&\quad = P(x^{(i_1,1)}_1,\ldots ,x^{(i_{j-1},1)}_{j-1},x^{1}_j,x^{(i_{j+1},1)}_{j+1},\ldots ,x^{(i_n,1)}_{n}) = 0 \\&\ \text {or } \\&\quad P(x^{(i_1,0)}_1,\ldots ,x^{(i_{j-1},0)}_{j-1},x^{0}_j,x^{(i_{j+1},0)}_{j+1},\ldots ,x^{(i_n,0)}_{n}) \\&\quad = P(x^{(i_1,1)}_1,\ldots ,x^{(i_{j-1},1)}_{j-1},x^{1}_j,x^{(i_{j+1},1)}_{j+1},\ldots ,x^{(i_n,1)}_{n}) \wedge m^0_j = m^{1}_j. \end{aligned}$$

Through the paper, for $t \in [2]$, we say that $\Pi $ is CPA-t-sided secure in the $\ell $-corruptions setting and without collusions if $|\mathcal {Q}_{\textsf{KGen}}| = 1$ (i.e., the adversary asks for a single decryption key). If $|\mathcal {Q}_\textsf{Corr}|=0$ (i.e., no corruptions), we say that $\Pi $ is CPA-t-sided secure in the secret-key setting. In case of both restrictions, we say that $\Pi $ is CPA-t-sided secure in the secret-key setting and without collusions (i.e., $|\mathcal {Q}_\textsf{Corr}|=0$ and $|\mathcal {Q}_{\textsf{KGen}}| = 1$).^{Footnote 21}

4.3 Relating Multi-key PE and Multi-input PE

Here, we show a construction of n-key PE from $(n+1)$-input PE supporting arbitrary predicates and tolerating 1 corruption. In more details, it suffices that the $(n+1)$-input PE satisfies a weaker flavor of security under corruptions, named $\ell $-hybrid setting (which is formalized in this section).

Multi-input PE in the $\ell $-Hybrid Setting. A multi-input PE in the hybrid setting allows generating (during setup) some encryptions keys that can be made public. The main difference between the hybrid setting and the corruption setting is that in the former the setup needs to know a priori which ones will be public (in other words, the setup depends on the keys that the adversary wants to leak/obtain). For this reason, it is easy to see that the hybrid setting is stronger than the secret-key one but significantly weaker than the corruption setting (in which the keys are leaked by the adversary in an adaptively fashion).

We assume that the $\textsf{Setup}$ algorithm takes as input an additional parameter $1^{\ell }$ denoting the number of keys that will be made public. Without loss of generality, we assume that the first $n-\ell $ keys $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n-\ell })$ are kept secret whereas the last $\ell $ keys $(\textsf{ek}_{n-\ell +1},\ldots ,\textsf{ek}_{n})$ are published. Observe that, for $\ell =0$, the hybrid setting corresponds to the secret-key setting (see Sect. 4.2).

Definition 14

($\ell $-Hybrid CPA-1-sided and CPA-2-side security of n-input PE). Let $t \in [2]$. We say that a n-input PE $\Pi $ is CPA-t-sided secure in the $\ell $-hybrid setting if for all valid PPT adversaries $\textsf{A}= (\textsf{A}_0,\textsf{A}_1)$:

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{\ell \mathsf {\text {-}hyb}\mathsf {\text {-}\textsf{CPA}\text {-}}1\mathsf {\text {-}\textsf{iPE}}}_{\Pi , \textsf{A}}(\lambda ) = 1\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ), \end{aligned}$$

where game $\textbf{G}^{\ell \mathsf {\text {-}hyb}\mathsf {\text {-}\textsf{CPA}\text {-}}1\mathsf {\text {-}\textsf{iPE}}}_{\Pi , \textsf{A}}(\lambda )$ is depicted in Fig. 6. Let $\mathcal {Q}_i = \{x| \exists (x,m) \in \mathcal {Q}_{\textsf{Enc}(\textsf{ek}_i,\cdot ,\cdot )} \}$ for $i \in [n-\ell ]$ and $\mathcal {Q}_i{=}\mathcal {X}_{i}$ for $i \in [n] {\setminus } [n-\ell ]$. Moreover, let $\mathcal {Q}^d_i$ (for $d\in {{\leftarrow {\$}}}$) be the ordered set composed of the predicate inputs $\mathcal {Q}_i$ and the challenge input $x^d_{i}$, i.e., $\mathcal {Q}^d_i = \{x^{(1,d)}_i,\ldots ,x^{(k_i,d)}_i,x^{(k_i+1,d)}_i = x^d_i\}$ where $k_i = |\mathcal {Q}_i|$ and $x^{(j,d)} \in \mathcal {Q}_i$ for $j \in [k_i]$. Adversary $\textsf{A}$ is called valid if $|\mathcal {Q}_{\textsf{Corr}}| \le \ell $ and $\forall P\in \mathcal {Q}_{\textsf{KGen}}$, $\forall j \in [n]$, $\forall i_1 \in [k_1 +1],\ldots , \forall i_n \in [k_n + 1]$, we have^{Footnote 22}

$$\begin{aligned} {\textbf {Case }}t=1:&\ P(x^{(i_1,0)}_1,\ldots ,x^{(i_{j-1},0)}_{j-1},x^{0}_j,x^{(i_{j+1},0)}_{j+1},\ldots ,x^{(i_n,0)}_{n}) \\&\ = P(x^{(i_1,1)}_1,\ldots ,x^{(i_{j-1},1)}_{j-1},x^{1}_j,x^{(i_{j+1},1)}_{j+1},\ldots ,x^{(i_n,1)}_{n}) = 0. \\ {\textbf {Case }}t=2:&\ \text {Either } \\&\quad P(x^{(i_1,0)}_1,\ldots ,x^{(i_{j-1},0)}_{j-1},x^{0}_j,x^{(i_{j+1},0)}_{j+1},\ldots ,x^{(i_n,0)}_{n}) \nonumber \\&\quad = P(x^{(i_1,1)}_1,\ldots ,x^{(i_{j-1},1)}_{j-1},x^{1}_j,x^{(i_{j+1},1)}_{j+1},\ldots ,x^{(i_n,1)}_{n}) = 0 \\&\ \text {or } \\&\quad P(x^{(i_1,0)}_1,\ldots ,x^{(i_{j-1},0)}_{j-1},x^{0}_j,x^{(i_{j+1},0)}_{j+1},\ldots ,x^{(i_n,0)}_{n}) \\&\quad =P(x^{(i_1,1)}_1,\ldots ,x^{(i_{j-1},1)}_{j-1},x^{1}_j,x^{(i_{j+1},1)}_{j+1},\ldots ,x^{(i_n,1)}_{n}) \wedge m^0_j = m^{1}_j. \end{aligned}$$

Multi-key PE from Multi-input PE. Here, we build a n-key PE from $(n+1)$-input PE that tolerates 1 public encryption key, i.e., 1-hybrid setting (Definition 14). The idea is to use the first n inputs of the predicate $P(x_1,\ldots ,x_{n+1})$ (of $(n+1)$-input PE) to determine the indexes $(v_1,\ldots ,v_{n}) \in \mathcal {V}$ that define the predicate $P_{v_1,\ldots ,v_{n}}(x)$ of the n-key PE, i.e., $P(x_1,\ldots ,x_{n+1}) = P(v_1,\ldots ,v_{n},x) = P_{v_1,\ldots ,v_{n}}(x)$ where $x_i = v_i$ for $i \in [n]$ and $x_{n+1} = x$.

Construction 1

Let $\textsf{iPE}= (\textsf{Setup}_1, \textsf{KGen}_1, \textsf{Enc}_1, \textsf{Dec}_1)$ be a $(n+1)$-input PE scheme with message space $\mathcal {M}= \mathcal {M}_1\times \cdots \times \mathcal {M}_{n+1}$, input space $\mathcal {X}= \mathcal {X}_1 \times \cdots \times \mathcal {X}_{n+1}$, and predicate space $\mathcal {P}_1 = \{P(x_1,\ldots ,x_{n+1})\}$ such that

$$\begin{aligned} P(x_1,\ldots ,x_{n+1}) = P_{x_1,\ldots ,x_{n}}(x_{n+1}), \end{aligned}$$

where $x_i \in \mathcal {X}_i$ for $i \in [n+1]$. We build a n-key PE scheme with message space $\mathcal {M}= \mathcal {M}_{n+1}$, input space $\mathcal {X}= \mathcal {X}_{n+1}$, and predicate space $\mathcal {P}=\{P_{v_1,\ldots ,v_{n}}(x)\}_{(v_1,\ldots ,v_{n}) \in \mathcal {V}}$ indexed by $\mathcal {V}= \mathcal {X}_1 \times \cdots \times \mathcal {X}_{n}$, in the following way:

$\textsf{Setup}(1^{\lambda })$::: Upon input the security parameter $1^{\lambda }$ the randomized setup algorithm outputs $\textsf{mpk}= \textsf{ek}_n$ and $\textsf{msk}_1 = (\textsf{ek}_1,\textsf{dk}_P),\ldots ,\textsf{msk}_{n} = (\textsf{ek}_{n},\textsf{dk}_P)$ where $(\textsf{mpk}',\textsf{ek}_1,\ldots ,\textsf{ek}_{n+1}) {{\leftarrow {\$}}}\textsf{Setup}_1(1^{\lambda })$ and $\textsf{dk}_P{{\leftarrow {\$}}}\textsf{KGen}_1(\textsf{msk}',P)$ for $P\in \mathcal {P}_1$.
$\textsf{KGen}(\textsf{msk}_i, v_i)$::: Let $i \in [n]$. Upon input the ith master secret key $\textsf{msk}_i = (\textsf{ek}_i,\textsf{dk}_P)$, and the ith predicate index $v_i\in \mathcal {X}_i$, the randomized key generator outputs $\textsf{dk}_{v_i} = (c_{v_i},\textsf{dk}_P)$ where $c_{v_i} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{ek}_i,v_i,\bot )$.
$\textsf{Enc}(\textsf{mpk}, x, m)$::: Upon input the master public key $\textsf{mpk}= \textsf{ek}_{n+1}$, an input $x\in \mathcal {X}_{n+1}$, and a message $m\in \mathcal {M}_{n+1}$, the randomized encryption algorithm computes $c{{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{ek}_{n+1},x,m)$.
$\textsf{Dec}(\textsf{dk}_{v_1}, \ldots , \textsf{dk}_{v_{n}}, c)$::: Upon input n secret decryption keys $\textsf{dk}_{v_1} = (c_{v_1},\textsf{dk}_P),\ldots , \textsf{dk}_{v_{n}} = (c_{v_{n}},\textsf{dk}_{P})$ and a ciphertext $c$, the deterministic decryption algorithm outputs $m_{n+1}$ where $(m_1,\ldots ,m_{n+1}) = \textsf{Dec}_1(\textsf{dk}_{P}, c_{v_1}, \ldots , c_{v_{n}}, c)$.

Correctness follows from the correctness of $\textsf{iPE}$. As for security, we establish the following result.

Theorem 4

Let $\textsf{iPE}$ be as above. For $t \in [2]$, if $\textsf{iPE}$ is CPA-t-sided secure in the 1-hybrid model without collusions (Definition 14) then the n-key PE scheme $\Pi $ from Construction 1 is CPA-t-sided secure (Definition 11).

Proof

(CPA-1-sided security of $\Pi $) Without loss of generality, we assume that the adversary $\textsf{A}$ submits (at least) one query to each key generation oracle $\textsf{KGen}(\textsf{msk}_1,\cdot ),\ldots , \textsf{KGen}(\textsf{msk}_{n},\cdot )$ (proving the security of $\Pi $ against this adversary implies the security of $\Pi $ against any other adversary that does not query an oracle $\textsf{KGen}(\textsf{msk}_j,\cdot ,\cdot )$ for a $j \in [n]$). Suppose there exists a valid PPT adversary $\textsf{A}$ with a non-negligible advantage in breaking the CPA-1-sided security of $\Pi $. We build an adversary $\textsf{A}'$ that breaks the 1-hybrid CPA-1-side security (without collusions) of $\textsf{iPE}$. $\textsf{A}'$ is defined as follows:

1.
Receive $\textsf{ek}_{n+1}$ from the challenger and send it to $\textsf{A}$.
2.
Send the query $P$ (i.e., the predicate supported by $\textsf{iPE}$) to the $\textsf{KGen}_1$ oracle and receive $\textsf{dk}_P$.
3.
item:answerspsqueriesspsmultispskeyspsPEspsfromspsmultispsinputspsPE Initialize $\mathcal {L}_i = \{\emptyset \}$ for $i \in [n]$. $\textsf{A}'$ answers to the incoming oracle queries as follows:
- On input $v_i \in \mathcal {X}_i$ for $\textsf{KGen}(\textsf{msk}_i,\cdot )$, forward the query $(v_i,\bot )$ to oracle $\textsf{Enc}_1(\textsf{ek}_i,\cdot ,\cdot )$ and receive the answer $c_{v_i}$. Add $v_i$ to $\mathcal {L}_i$ and return $\textsf{dk}_{v_i}=(c_{v_i},\textsf{dk}_P)$.
4.
Receive the challenge $(m^0, m^1, x^0, x^1)$ from $\textsf{A}$. $\textsf{A}'$ sends the challenge $((m^0_1, \ldots ,m^0_{n}),(m^1_1,\ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ where $m^i_1 = \ldots = m^i_{n}= \bot $, $m^{i}_{n+1} = m^i$, $x^i_{j} = x^{1-i}_{j} = \bar{x_j} {{\leftarrow {\$}}}\mathcal {L}_j$, and $x^i_{n+1} = x^i$, for $j \in [n]$ and $i \in {{\leftarrow {\$}}}$.
5.
Receive the challenge ciphertexts $c_1,\ldots ,c_{n+1}$ and forward $c_{n+1}$ to $\textsf{A}$.
6.
Answer to the incoming oracle queries as in Item 3.
7.
Return the output of $\textsf{A}$.

Let d be the challenge bit sampled by the challenger. $\textsf{A}'$ perfectly simulates the view of $\textsf{A}$. Moreover, since $\textsf{A}$ is a valid adversary, we have that $\forall v_1 \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_1,\cdot )},\ldots , \forall v_{n} \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_{n},\cdot )}$, we have $P_{v_1,\ldots ,v_{n}}(x^0) = P_{v_1,\ldots ,v_{n}}(x^1) = 0.$ In order to be valid, $\textsf{A}'$ needs to satisfy the condition of Definition 14. Let $\mathcal {Q}^b_i$ as defined in Definition 14. First, note that, for $i \in [n]$, we have that $\mathcal {Q}^0_i = \mathcal {Q}^{1}_i = \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_i,\cdot )} = \mathcal {L}_i$ since $x^{d}_i = x^{1-d}_i = \bar{x_i}$ are sampled from $\mathcal {L}_i$ (i.e., $\mathcal {Q}_i$ does not contain any value that depends on the challenge bit d). Hence, the only case in which the adversary $\textsf{A}'$ may evaluate the predicate $P$ on an input that depends on the challenge bit d (i.e., the cases captured by Definition 14) is when $\textsf{A}'$ uses the challenge ciphertext $c_{n+1}$. However, when $c_{n+1}$ is used, the validity of $\textsf{A}$ implies that $\forall (v_1,\ldots ,v_{n}) \in \mathcal {Q}^b_1 \times \cdots \times \mathcal {Q}^b_{n}$ (recall $\mathcal {Q}^b_i = \mathcal {Q}^{1-b}_i$ for $i \in [n]$),

$$\begin{aligned} P(v_1,\ldots ,v_n,x^0_{n+1}) = P_{v_1,\ldots ,v_{n}}(x^0) = P_{v_0,\ldots ,v_{n}}(x^1) = P(v_1,\ldots ,v_n,x^1_{n+1}) = 0, \end{aligned}$$

where $x^i_{n+1} = x^i$ for $i \in {{\leftarrow {\$}}}$. Hence, $\textsf{A}'$ submits only a single query to oracle $\textsf{KGen}_1$ and is also a valid adversary for $\textbf{G}^{\ell \mathsf {\text {-}hyb}\mathsf {\text {-}\textsf{CPA}\text {-}}1\mathsf {\text {-}\textsf{iPE}}}_{\textsf{iPE}, \textsf{A}'}(\lambda )$. This concludes the proof.

(CPA-2-sided security of $\Pi $) The reduction is identical. The only difference is the analysis of the validity of $\textsf{A}'$. By definition $\textsf{A}$ is a valid adversary with respect to the CPA-2-sided security of $\textsf{iPE}$, i.e., $\forall v_1 \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_1,\cdot )},\ldots , \forall v_{n} \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_{n},\cdot )}$, we have

$$\begin{aligned}&\text {Either } P_{v_1,\ldots ,v_{n}}(x^0) = P_{v_1,\ldots ,v_{n}}(x^1) = 0 \ \text {or} \\&\quad P_{v_1,\ldots ,v_{n}}(x^0) = P_{v_1,\ldots ,v_{n}}(x^1) \wedge m^0 = m^1. \end{aligned}$$

If $\textsf{A}$ satisfies the first part of the above condition, then the analysis of $\textsf{A}$’s validity is identical to that of CPA-1-sided security. On the other hand, if $\textsf{A}$ satisfies the second part of the above condition, then the validity of $\textsf{A}$ follows by using an similar argument to that of CPA-1-sided security and, in addition, observing that

$$\begin{aligned} P(v_1,\ldots ,v_n,x^0_{n+1}) = P_{v_1,\ldots ,v_{n}}(x^0) = P_{v_1,\ldots ,v_{n}}(x^1) = P(v_1,\ldots ,v_n,x^1_{n+1}), \end{aligned}$$

and $m^0_{n+1} = m^0 = m^{1} = m^{1}_{n+1}$. This concludes the proof. $\square $

5 Constructions

In this section, we give different constructions of multi-key and multi-input PE (see also Sect. 1.2) for predicates $P(x_1,\ldots ,x_{n}) = P_1(x_1) \wedge \ldots \wedge P_{n}(x_{n})$.

In particular, in Sect. 5.1 we give a construction of n-key PE from single-input PE and lockable obfuscation for $n = \textsf {poly}(\lambda )$. This construction is secure against unbounded collusions.

In Sects. 5.2 and 5.3, we give two constructions of n-input PE from single-input PE, lockable obfuscation, and SKE/PKE. The first handles $\textsf {poly}(\lambda )$-arity and it is CPA-1-side secure without collusions and in the secret-key setting. The second handles O(1)-arity and it is CPA-1-side secure without collusions and in the $(n-1)$-corruptions setting. This second construction leverages a new nesting execution technique of (lockable obfuscated) circuits.

Both multi-input constructions support conjunctions of arbitrary predicates with wildcards, i.e., for every $i\in [n]$, there exists (possibly unique) a wildcard $x^\star _i$ such that for every ith predicate $P_i$ we have $P_i(x^\star _i) = 1$ (in Sect. 5.4 we discuss how to remove the wildcard when no corruptions are in place).

Also, our constructions are generic and achieve CPA-2-sided security if the underlying single-input PE is CPA-2-sided secure (in case of no corruptions, our CPA-2-sided secure multi-input Construction 3 supports $n = O(\log (\lambda ))$).

5.1 Multi-key PE from PE and Lockable Obfuscation

Construction 2

Consider the following primitives:

1.
For $i \in [n]$, a PE scheme $\textsf{PE}_i = (\textsf{Setup}_i, \textsf{KGen}_i, \textsf{Enc}_i, \textsf{Dec}_i)$ with message space $\mathcal {M}_i$, input space $\mathcal {X}_i$, and predicate space $\mathcal {P}_i =\{P_v(x)\}_{v\in \mathcal {V}_i}$ indexed by $\mathcal {V}_i$. Without loss of generality, we assume that $\textsf{PE}_i$ has ciphertext space $\mathcal {Y}_{i}$, $\mathcal {M}_{1} = {{\leftarrow {\$}}}^{m(\lambda )}$, and $\mathcal {M}_{i} = \mathcal {Y}_{i-1}$ for every $i \in [n] {\setminus } \{1\}$. In order to do not incur into an exponential ciphertext growth (e.g., for $n = \textsf {poly}(\lambda )$), each ith PE scheme must have a ciphertext expansion of $\textsf {poly}(\lambda )+ |m_i|$ where $|m_i|$ is the length of the messages $m_i \in \mathcal {M}_i$ supported by the ith PE scheme (this can be obtained generically from any PE scheme by leveraging hybrid encryption, i.e., $\textsf{Enc}_i(\textsf{mpk},x,s) || \textsf{PRG}(s) \oplus m_i$ where $s {{\leftarrow {\$}}}{{\leftarrow {\$}}}^\lambda $).^{Footnote 23}
2.
A lockable obfuscation scheme $\textsf{LOBF}= (\textsf{Obf}, \textsf{Eval})$ with message space $\mathcal {M}$ for the family of circuits $\mathcal {C}_{n,s,d}(\lambda ) = \{\mathbb {C}_{c}\}$ as defined in Fig. 7, where $n(\lambda )$, $s(\lambda )$, $d(\lambda )$ depends on the schemes $\textsf{PE}_1,\ldots ,\textsf{PE}_{n}$ used, and the circuits $\mathcal {C}_{n,s,d}(\lambda )$.

We build a n-key PE scheme $\Pi $ with message space $\mathcal {M}$, input space $\mathcal {X}= \mathcal {X}_1 \times \cdots \times \mathcal {X}_{n}$, and predicate space $\mathcal {P}=\{P_{v_1,\ldots ,v_{n}}(x_1,\ldots ,x_{n})=P_{v_1}(x_1)\wedge \cdots \wedge P_{v_{n}}(x_{n})\}_{(v_1,\ldots ,v_{n}) \in \mathcal {V}}$ indexed by $\mathcal {V}= \mathcal {V}_1 \times \cdots \times \mathcal {V}_{n}$ (and $P_{v_i} \in \mathcal {P}_i$ for $i \in [n]$), as follows:

$\textsf{Setup}(1^{\lambda })$::

Upon input the security parameter $1^{\lambda }$ the randomized setup algorithm outputs $\textsf{mpk}= (\textsf{mpk}_1,\ldots ,\textsf{mpk}_{n})$ and $\textsf{msk}_1,\ldots ,\textsf{msk}_{n}$ where $(\textsf{mpk}_i,\textsf{msk}_i) {{\leftarrow {\$}}}\textsf{Setup}_i(1^{\lambda })$ for $i \in [n]$.

$\textsf{KGen}(\textsf{msk}_i, v_i)$::

Let $i \in [n]$. Upon input the ith master secret key $\textsf{msk}_i$ and the ith predicate index $v_i\in \mathcal {V}_i$, the randomized key generator outputs $\textsf{dk}_{v_i} {{\leftarrow {\$}}}\textsf{KGen}_i(\textsf{msk}_1,P_{v_i})$ where $P_{v_i} \in \mathcal {P}_i$.

$\textsf{Enc}(\textsf{mpk}, x, m)$::

Upon input the master public key $\textsf{mpk}= (\textsf{mpk}_1,\ldots ,\textsf{mpk}_{n})$, an input $x= (x_1,\dots ,x_{n}) \in \mathcal {X}$, and a message $m\in \mathcal {M}$, the randomized encryption proceeds as follows:

1.:: Sample $y{{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$ and let $c_{0} = y$.
2.:: For $i\in [n]$, compute $c_{i} {{\leftarrow {\$}}}\textsf{Enc}_i(\textsf{mpk}_i,x_i,c_{i-1})$.

Finally, it outputs $c= \widetilde{\mathbb {C}}$ where $\widetilde{\mathbb {C}} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {C}_{c_{n}}, y, m)$.

$\textsf{Dec}(\textsf{dk}_{v_1}, \ldots , \textsf{dk}_{v_{n}}, c)$::

Upon input n decryption keys $\textsf{dk}_{v_1}, \ldots , \textsf{dk}_{v_{n}}$ and a ciphertext $c= \widetilde{\mathbb {C}}$, the deterministic decryption algorithm outputs $m= \textsf{Eval}(\widetilde{\mathbb {C}},(\textsf{dk}_{v_1},\ldots , \textsf{dk}_{v_{n}}))$.

Correctness follows from the correctness of the underlying schemes. We establish the following result.

Theorem 5

Let $n=\textsf {poly}(\lambda )$, $\textsf{PE}_1,\ldots ,\textsf{PE}_{n}$ and $\textsf{LOBF}$ be as above.

1.
If each $\textsf{PE}_1,\ldots ,\textsf{PE}_{n}$ is CPA secure (Definition 8) and $\textsf{LOBF}$ is secure (Definition 2), then the n-key PE scheme $\Pi $ from Construction 2 is CPA-1-sided secure (Definition 11).
2.
If each $\textsf{PE}_1,\ldots ,\textsf{PE}_{n}$ is CPA-2-sided secure (Definition 9) and $\textsf{LOBF}$ is secure (Definition 2), then the n-key PE scheme $\Pi $ from Construction 2 is CPA-2-sided secure (Definition 11).

5.1.1 Proof of Theorem 5

CPA-1-sided security of $\Pi $ (Theorem 5). Consider the predicate space $\mathcal {P}$ of Construction 2, i.e.,

$$\begin{aligned} \mathcal {P}&= \{P_{v_1,\ldots ,v_{n}}(x_1,\ldots ,x_{n})\}_{(v_1,\ldots ,v_{n}) \in \mathcal {V}} \nonumber \\&= \{P_{v_1}(x_1)\wedge \ldots \wedge P_{v_{n}}(x_{n})\}_{(P_{v_1},\ldots ,P_{v_{n}}) \in \mathcal {P}_1 \times \ldots \times \mathcal {P}_{n}}. \end{aligned}$$

(3)

Also, consider the validity condition of $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}}1\mathsf {\text {-}\textsf{kPE}}}_{\Pi ,\textsf{A}}$ (Definition 11). We can write such a validity condition for the predicate space $\mathcal {P}$ as follows: $\forall v_1 \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_1,\cdot )},\ldots , v_{n} \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_{n},\cdot )}$,

$$\begin{aligned}&P_{v_1,\ldots ,v_{n}}(x^0_1,\ldots ,x^0_{n}) = P_{v_1,\ldots ,v_{n}}(x^1_1,\ldots ,x^1_{n}) \\&\quad =\left( P_{v_1}(x^0_1)\wedge \ldots \wedge P_{v_{n}}(x^0_{n}) \right) = 0 \ \wedge \ \left( P_{v_1}(x^0_1)\wedge \ldots \wedge P_{v_{n}}(x^0_{n}) \right) = 0, \end{aligned}$$

where $x_0 = (x^0_1,\ldots ,x^0_{n})$ and $x_1 = (x^1_1,\ldots ,x^1_{n})$ are the two input challenges output by the adversary. The above equation can be rewritten as follows: $\exists j_0,j_1\in [n]$, $\forall v_{j_0} \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_{j_0},\cdot )}$, $\forall v_{j_1} \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_{j_1},\cdot )}$,

$$\begin{aligned} P_{v_{j_0}}(x^0_{j_0}) = 0 \wedge P_{v_{j_1}}(x^1_{j_1}) = 0. \end{aligned}$$

(4)

Hence, in order to be valid with respect to $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}}1\mathsf {\text {-}\textsf{kPE}}}_{\Pi ,\textsf{A}}$, $\textsf{A}$ needs to satisfy the above equation. Let $\textbf{Validity}_{j_0,j_1}$ the validity condition (as defined in Eq. (4)) with respect to some $j_0,j_1\in [n]$. By taking into account the above point, the CPA-1-sided security of Construction 2 follows by proving the following lemma.

Lemma 1

Let $j_0,j_1 \in [n]$. If both $\textsf{PE}_{j_0}$ and $\textsf{PE}_{j_1}$ are CPA secure (Definition 8) and $\textsf{LOBF}$ is secure (Definition 2), then

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{\mathsf {\textsf{CPA}\text {-}}1\mathsf {\text {-}\textsf{kPE}}}_{\Pi ,\textsf{A}}(\lambda ) = 1 \Big \vert \textbf{Validity}_{j_0,j_1}\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ). \end{aligned}$$

Proof

Consider the following hybrid experiments:

$\textbf{H}^b_0(\lambda )$::: This is exactly the experiment $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}}1\mathsf {\text {-}\textsf{kPE}}}_{\Pi ,\textsf{A}}$ conditioned to $\textbf{Validity}_{j_0,j_1}$ where the challenge bit is b, i.e., the adversary is valid and satisfies condition $\textbf{Validity}_{j_0,j_1}$.
$\textbf{H}^{b}_1(\lambda )$::: Same as $\textbf{H}^b_0$, except that the challenger computes $c_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_{j_b}(\textsf{mpk}_{j_b},x^b_{j_b},w)$ where $w {{\leftarrow {\$}}}\mathcal {M}_{j_b}$ (instead of $c_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_{j_b}(\textsf{mpk}_{j_b},x^b_{j_b}, c_{j_b-1})$.
$\textbf{H}^{b}_2(\lambda )$::: Same as $\textbf{H}^b_1$, except that the challenger simulates the challenge ciphertext $c= \widetilde{\mathbb {C}}$ using the simulator of the lockable obfuscation scheme $\textsf{LOBF}$, i.e., $\widetilde{\mathbb {C}} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda }, 1^{|\mathbb {C}_{c}|}, 1^{|m_b|})$.

Claim 1

$\textbf{H}^b_0(\lambda ) \approx _c \textbf{H}^b_1(\lambda )$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^b_0(\lambda )$ and $ \textbf{H}^b_1(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the CPA security of $\textsf{PE}_{j_b}$. $\textsf{A}$ is defined as follows:

1.
Receive $\textsf{mpk}_{j_b}$ from the challenger.
2.
Send $\textsf{mpk}= (\textsf{mpk}_1,\ldots ,\textsf{mpk}_{n})$ to $\textsf{D}$ where $(\textsf{mpk}_i,\textsf{msk}_i) {{\leftarrow {\$}}}\textsf{Setup}_i(1^{\lambda })$ for $i \in [n] {\setminus }\{j_b\}$.
3.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $v_i \in \mathcal {V}_i$ for $\textsf{KGen}(\textsf{msk}_i,\cdot )$, $\textsf{A}$ proceeds as follows: If $j_b = i$, it forwards the query $P_{v_i} \in \mathcal {P}_{j_b}$ to $\textsf{KGen}_{j_b}$ and returns the answer $\textsf{dk}_{v_i}$. Otherwise (if $j_b \ne i$), it returns $\textsf{dk}_{v_i} {{\leftarrow {\$}}}\textsf{KGen}_i(\textsf{msk}_i,P_{v_i})$ for $P_{v_i} \in \mathcal {P}_{i}$.
4.
Receive the challenge $(m^0, m^1, (x^0_1,\ldots ,x^0_{n}), (x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
5.
Sample $y {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$ and set $c_{0} = y$.
6.
For $i \in [j_b-1]$, compute $c_i {{\leftarrow {\$}}}\textsf{Enc}_i(\textsf{mpk}_i,x^b_i,c_{i-1})$.
7.
Send the challenge $(m^{0}_*, m^{1}_*,x^b_{j_b})$ where $m^0_* = c_{j_b}$, $m^1_* {{\leftarrow {\$}}}\mathcal {M}_{j_b}$ and receive the challenge ciphertext $c^*$.
8.
For $i \in [n]\setminus [j_b]$, compute $c_i {{\leftarrow {\$}}}\textsf{Enc}_i(\textsf{mpk}_i,x^b_i,c_{i-1})$ where $c_{j_b} = c^*$.
9.
Finally, send $c= \widetilde{\mathbb {C}} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {C}_{c_{n}}, y,m^b)$ to $\textsf{D}$.
10.
Answer to the incoming oracle queries as in Item 3.
11.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^b_0(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^b_1(\lambda )$. In addition, since $\textsf{D}$ is valid and satisfies the condition $\textbf{Validity}_{j_0,j_1}$, we conclude that $\forall v_{j_0} \in \mathcal {V}_{j_0}, P_{v_{j_0}}(x^0_{j_b}) = 0$. This implies that $\forall P\in \mathcal {Q}_{\textsf{KGen}_{j_b}}$, $P(x^0_{j_b}) = 0$. Hence, $\textsf{A}$ is a valid adversary with the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 2

$\textbf{H}^b_1(\lambda ) \approx _c \textbf{H}^b_2(\lambda )$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^b_1(\lambda )$ and $ \textbf{H}^b_2(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the security of lockable obfuscation $\textsf{LOBF}$. $\textsf{A}$ is defined as follows:

1.
Send $\textsf{mpk}= (\textsf{mpk}_1, \ldots , \textsf{mpk}_{n})$ to $\textsf{D}$ where $(\textsf{mpk}_i,\textsf{msk}_i) {{\leftarrow {\$}}}\textsf{Setup}_i(1^{\lambda })$ for $i \in [n]$.
2.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $v_i \in \mathcal {V}_i$ for $\textsf{RKGen}(\textsf{msk}_i,\cdot )$, $\textsf{A}$ returns $\textsf{dk}_{v_i} {{\leftarrow {\$}}}\textsf{KGen}_i(\textsf{msk}_i,P_{v_i})$ for $P_{v_i} \in \mathcal {P}_{i}$.
3.
Receive the challenge $(m^0, m^1, (x^0_1,\ldots ,x^0_{n}), (x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
4.
For $i \in [n]\setminus [j_b]$, compute $c_i {{\leftarrow {\$}}}\textsf{Enc}_i(\textsf{mpk}_i,x^b_i,c_{i-1})$ where $c_{j_b} {{\leftarrow {\$}}}\mathcal {M}_{j_b}$.
5.
The adversary $\textsf{A}$ sends $(\mathbb {C}_{c_{n}}, m^b)$ to the challenger and receives back the obfuscated circuit $\widetilde{\mathbb {C}}$ from the challenger.
6.
$\textsf{A}$ returns $c= \widetilde{\mathbb {C}}$ to $\textsf{D}$.
7.
Answer to the incoming oracle queries as in Item 2.
8.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. When $d=0$, $\textsf{A}$ simulates $\textbf{H}^b_1(\lambda )$; otherwise, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^b_2(\lambda )$. Thus, $\textsf{A}$ has the same non-negligible advantage of $\textsf{D}$ with respect to the experiment $\textbf{G}^{\textsf{lock}\text {-}\textsf{sim}}_{\textsf{LOBF}, \textsf{A}, \textsf{S}}(\lambda )$. This concludes the proof. $\square $

Claim 3

$\textbf{H}^b_2(\lambda ) \equiv \textbf{H}^{1-b}_2(\lambda )$.

Proof

The claim follows by observing that these experiments do not depend on the challenge bit b. $\square $

Lemma 1 follows by combining Claims 1–3. $\square $

By leveraging Lemma 1, we conclude that $\Pi $ of Construction 2 is CPA-1-sided secure.

CPA-2-sided security of $\Pi $ (Theorem 5). Consider the validity condition of $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}}2\mathsf {\text {-}\textsf{kPE}}}_{\Pi ,\textsf{A}}$ (Definition 11). This can be rewritten with respect to the definition of $\mathcal {P}$ (Eq. (3)) as follows: $\exists j_0,j_1\in [n]$, $\forall v_{j_0} \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_{j_0},\cdot )}$, $\forall v_{j_1} \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_{j_1},\cdot )}$, $\forall (v_1,\ldots ,v_{n}) \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_{1},\cdot )} \times \cdots \times \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_{n},\cdot )}$,

$$\begin{aligned} \text {Either }&P_{v_{j_0}}(x^0_{j_0}) = 0 \wedge P_{v_{j_1}}(x^1_{j_1}) = 0 \nonumber \\ \text {or }&P_{v_1}(x^0_1) = P_{v_1}(x^1_1) \wedge \ldots \wedge P_{v_{n}}(x^0_{n}) = P_{v_{n}}(x^1_{n}) \wedge m_0 = m_1 \end{aligned}$$

(5)

Consider the following conditions:

$$\begin{aligned} \textbf{Validity}_{0,j_0,j_1}&: \forall v_{j_0} \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_{j_0},\cdot )}, \forall v_{j_1} \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_{j_1},\cdot )}, \\&\qquad P_{v_{j_0}}(x^0_{j_0}) = 0 \wedge P_{v_{j_1}}(x^1_{j_1}) = 0 \\ \textbf{Validity}_{1}&: \forall (v_1,\ldots ,v_{n}) \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_{1},\cdot )} \times \ldots \times \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_{n},\cdot )}, \\&\qquad P_{v_1}(x^0_1) = P_{v_1}(x^1_1) \wedge \ldots \wedge P_{v_{n}}(x^0_{n}) = P_{v_{n}}(x^1_{n}) \wedge m^0 = m^1. \end{aligned}$$

By leveraging the above validity conditions we can rephrase Eq. (5) as follows: $\exists j_0,j_1\in [n]$ such that

$$\begin{aligned} \text {Either } \textbf{Validity}_{0,j_0,j_1} \text { or } \textbf{Validity}_{1}. \end{aligned}$$

Hence, in order to be valid with respect to $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}}2\mathsf {\text {-}\textsf{kPE}}}_{\Pi ,\textsf{A}}$, $\textsf{A}$ needs to satisfy the above equation. By taking into account the above point, the CPA-2-sided security of Construction 2 follows by proving the following lemmas.

Lemma 2

Let $j_0,j_1 \in [n]$. If both $\textsf{PE}_{j_0}$ and $\textsf{PE}_{j_1}$ are CPA-2-sided secure (Definition 9) and $\textsf{LOBF}$ is secure (Definition 2), then

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{\mathsf {\textsf{CPA}\text {-}}2\mathsf {\text {-}\textsf{kPE}}}_{\Pi ,\textsf{A}}(\lambda ) = 1 \Big \vert \textbf{Validity}_{0,j_0,j_1}\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ). \end{aligned}$$

Proof

The lemma follows by using an identical argument to that of Lemma 1. $\square $

Lemma 3

If each $\textsf{PE}_{1},\ldots ,\textsf{PE}_{n}$ are CPA-2-sided secure (Definition 9), then

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{\mathsf {\textsf{CPA}\text {-}}2\mathsf {\text {-}\textsf{kPE}}}_{\Pi ,\textsf{A}}(\lambda ) = 1 \Big \vert \textbf{Validity}_{1}\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ). \end{aligned}$$

Proof

Consider the following hybrid experiments:

$\textbf{H}^b_{0}(\lambda )$::: This is exactly the experiment $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}}2\mathsf {\text {-}\textsf{kPE}}}_{\Pi ,\textsf{A}}$ conditioned to $\textbf{Validity}_{1}$ where the challenge bit is b, i.e., the adversary is valid and satisfies the condition $\textbf{Validity}_{1}$.
$\textbf{H}^{b}_i(\lambda )$ for $i \in {[n]}$::: Same as $\textbf{H}^b_{i-1}$, except that the challenger computes $c_{i} {{\leftarrow {\$}}}\textsf{Enc}_{i}(\textsf{mpk}_{i},x^{1-b}_{i}, c_{i-1})$ (instead of $c_{i} {{\leftarrow {\$}}}\textsf{Enc}_{i}(\textsf{mpk}_{i},x^{b}_{i}, c_{i-1})$.

Claim 4

For $i\in [n]$, $\textbf{H}^b_{i-1}(\lambda ) \approx _c \textbf{H}^b_{i}(\lambda )$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^b_{i-1}(\lambda )$ and $ \textbf{H}^b_{i}(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the CPA-2-sided security of $\textsf{PE}_{i}$. $\textsf{A}$ is defined as follows:

1.
Receive $\textsf{mpk}_{i}$ from the challenger.
2.
Send $\textsf{mpk}= (\textsf{mpk}_1,\ldots ,\textsf{mpk}_{n})$ to $\textsf{D}$ where $(\textsf{mpk}_j,\textsf{msk}_j) {{\leftarrow {\$}}}\textsf{Setup}_i(1^{\lambda })$ for $j \in [n] {\setminus }\{i\}$.
3.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $v_j \in \mathcal {V}_j$ for $\textsf{RKGen}(\textsf{msk}_j,\cdot )$, $\textsf{A}$ proceeds as follows: If $j = i$, it forwards the query $P_{v_j} \in \mathcal {P}_{i}$ to $\textsf{KGen}_{i}$ and returns the answer $\textsf{dk}_{v_j}$. Otherwise (if $j \ne i$), it returns $\textsf{dk}_{v_j} {{\leftarrow {\$}}}\textsf{KGen}_j(\textsf{msk}_j,P_{v_j})$ for $P_{v_j} \in \mathcal {P}_{j}$.
4.
Receive the challenge $(m^0, m^1, (x^0_1,\ldots ,x^0_{n}), (x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
5.
Sample $y {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$ and set $c_{0} = y$.
6.
For $j \in [i-1]$, compute $c_j {{\leftarrow {\$}}}\textsf{Enc}_j(\textsf{mpk}_j,x^{1-b}_j,c_{j-1})$.
7.
Send the challenge $(m^0_*, m^1_*,x^0 = x^b_{i}, x^1 = x^{1-b}_{i})$ where $m^0_* = m^1_* = c_{i-1}$, and receive the challenge ciphertext $c^*$.
8.
For $j \in [n] \setminus [i]$, compute $c_j {{\leftarrow {\$}}}\textsf{Enc}_j(\textsf{mpk}_j,x^b_j,c_{j-1})$ where $c_{i} = c^*$.
9.
Finally, send $c= \widetilde{\mathbb {C}} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {C}_{c_{n}}, y,m_b)$ to $\textsf{D}$.
10.
Answer to the incoming oracle queries as in Item 3.
11.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^b_{i-1}(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^b_{i}(\lambda )$. In addition, since $\textsf{D}$ is valid and satisfies the condition $\textbf{Validity}_{1}$, we conclude that $\forall v_i \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_i,\cdot )}, P_{v_i}(x^{0}_{i}) = P_{v_i}(x^{1}_{i})$. Hence, $\textsf{A}$ is a valid adversary with the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 5

$\textbf{H}^b_{n}(\lambda ) \equiv \textbf{H}^{1-b}_{n}(\lambda )$.

Proof

Since $\textbf{Validity}_1$ holds, we know that $m_0 = m_1$. Hence, these experiments are identically distributed. $\square $

Lemma 3 follows by combining Claims 4 and 5. $\square $

By combining Lemmas 2 and 3 we conclude that $\Pi $ of Construction 2 is CPA-2-sided secure.

5.2 Secret-key Setting: Multi-input PE from PE, Lockable Obfuscation and SKE

Secret-key setting. We present our n-input PE construction that is CPA-1-sided secure in the secret-key setting without collusions, for $n =\textsf {poly}(\lambda )$. It leverages a CPA-1-sided secure single-input PE, lockable obfuscation, and SKE. The same construction is CPA-2-sided secure in the secret-key setting without collusions for $n=O(\log (\lambda ))$, if the initial single-input PE is CPA-2-sided secure.

Construction 3

(n-input PE in the secret-key setting). Consider the following primitives:

1.
A PE scheme $\textsf{PE}_1 = (\textsf{Setup}_1, \textsf{KGen}_1, \textsf{Enc}_1, \textsf{Dec}_1)$ with message space $\mathcal {M}_1 = {{\leftarrow {\$}}}^{m(\lambda )} \times \mathcal {M}'_1$, input space $\mathcal {X}_1 = \mathcal {X}_{1,1} \times \cdots \times \mathcal {X}_{1,n}$, and predicate space $\mathcal {P}_1 =\{P(x_1,\ldots ,x_{n})\} = \{P_1(x_1) \wedge \cdots \wedge P_{n}(x_{n})\}$. Without loss of generality, we assume that $\textsf{PE}$ has ciphertext space $\mathcal {M}_2$ and there exists a (single) wildcard input $(x^\star _1,\ldots ,x^\star _{n}) \in \mathcal {X}_1$ such that $\forall (P_1(x_1) \wedge \cdots \wedge P_{n}(x_{n})) \in \mathcal {P}_1,\forall i \in [n], P_i(x^\star _i)=1$.
2.
A SKE scheme $\textsf{SKE}= (\textsf{KGen}_2,\textsf{Enc}_2,\textsf{Dec}_2)$ with message space $\mathcal {M}_2$. Without loss of generality, we assume that $\textsf{SKE}$ has key space $\mathcal {M}'_1$
3.
A lockable obfuscation scheme $\textsf{LOBF}= (\textsf{Obf}, \textsf{Eval})$ with message space $\mathcal {M}_3$ for the family of circuits $\mathcal {C}_{n,s,d}(\lambda ) = \{\mathbb {C}_{c,\textsf{k}}\}$ as defined in Fig. 7, where $n(\lambda )$, $s(\lambda )$, $d(\lambda )$ depends on the schemes $\textsf{PE}$ and $\textsf{SKE}$ used, and the circuit depth of the circuits $\mathcal {C}_{n,s,d}(\lambda )$.

We build a n-input PE scheme with message space $\mathcal {M}= \overbrace{\mathcal {M}_{3} \times \cdots \times \mathcal {M}_{3}}^n$, input space $\mathcal {X}= \mathcal {X}_{1}$, and predicate space $\mathcal {P}= \mathcal {P}_1 =\{P(x_1,\ldots ,x_{n})\} = \{P_1(x_1) \wedge \cdots \wedge P_{n}(x_{n})\}$ with wildcard (i.e., there exists a (single) wildcard $(x^\star _1,\ldots ,x^\star _n) \in \mathcal {X}$ such that $\forall (P_1(x_1) \wedge \cdots \wedge P_{n}(x_{n}))\in \mathcal {P}$,$\forall i \in [n]$, $P_i(x^\star _i) =1$), as follows:

$\textsf{Setup}(1^{\lambda })$::: Upon input the security parameter $1^{\lambda }$, the randomized setup algorithm outputs $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n})$ and $\textsf{msk}$ where $(\textsf{mpk},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}_1(1^{\lambda })$, $\textsf{ek}_i = (\textsf{mpk}, \textsf{k}_i,\textsf{k}_{i+1})$, $\textsf{k}_{n+1} = \textsf{k}_1$, and $\textsf{k}_i {{\leftarrow {\$}}}\textsf{KGen}_2(1^{\lambda })$ for $i \in [n]$.
$\textsf{KGen}(\textsf{msk}, P)$::: Upon input the master secret key $\textsf{msk}$ and a predicate $P\in \mathcal {P}$, the randomized key generator outputs $\textsf{dk}_P{{\leftarrow {\$}}}\textsf{KGen}_1(\textsf{msk},P)$.
$\textsf{Enc}(\textsf{ek}_i, x_i, m_i)$::: Let $i \in [n]$. Upon input an encryption key $\textsf{ek}_i = (\textsf{mpk}, \textsf{k}_i,\textsf{k}_{i+1})$, an input $x_i \in \mathcal {X}_{1,i}$, and a message $m_i\in \mathcal {M}_3$, the randomized encryption algorithm samples $y_i {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$ and compute $c^{(1)}_i {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),(y_i,\textsf{k}_{i+1}))$ where $x_j = x^\star _j$ for any $j \in [n] {\setminus } \{i\}$. Finally, it outputs $c= (\widetilde{\mathbb {C}}_i,c^{(2)}_i)$ where $\widetilde{\mathbb {C}}_i {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {C}_{c^{(2)}_i,\textsf{k}_{i+1}}, y_i, m_i)$ and $c^{(2)}_i {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_i,c^{(1)}_i)$.
$\textsf{Dec}(\textsf{dk}_{P}, c_1, \ldots , c_{n})$::: Upon input a secret decryption key $\textsf{dk}_{P}$ for predicate $P\in \mathcal {P}$, and n ciphertexts $(c_1, \ldots , c_{n})$ such that $c_i = (\widetilde{\mathbb {C}}_i,c^{(2)}_i)$ for $i \in [n]$. The deterministic decryption returns $(m_1,\ldots ,m_{n})$ where $m_i = \textsf{Eval}( \widetilde{\mathbb {C}}_i,(c^{(2)}_{i+1},\ldots ,c^{(2)}_{n},c^{(2)}_{1},\ldots , c^{(2)}_{i-1},\textsf{dk}_P))$ for $i \in [n]$.

As usual, correctness follows from the correctness of the underlying primitives. Below, we establish the following result.

Theorem 6

Let $\textsf{PE}$, $\textsf{SKE}$, and $\textsf{LOBF}$ be as above.

1.
For $n=\textsf {poly}(\lambda )$, if $\textsf{PE}$ is CPA-1-sided secure without collusions (Definition 9), $\textsf{SKE}$ is CPA secure (Definition 4), and $\textsf{LOBF}$ is secure (Definition 2), then the n-input PE scheme $\Pi $ from Construction 3 is CPA-1-sided secure in the secret-key setting without collusions (Definition 13).
2.
For $n=O(\log (\lambda ))$, if $\textsf{PE}$ is CPA-2-sided secure without collusions (Definition 9), $\textsf{SKE}$ is CPA secure (Definition 4), and $\textsf{LOBF}$ is secure (Definition 2), then the n-input PE scheme $\Pi $ from Construction 3 is CPA-2-sided secure in the secret-key setting without collusions (Definition 13).

5.2.1 Proof of Theorem 6

CPA-1-sided security of $\Pi $ (Theorem 6). Consider the predicate space $\mathcal {P}= \{P(x_1,\ldots , x_{{n}})\}$ of Construction 3 where $P(x_1,\ldots ,x_{{n}}) = P_1(x_1) \wedge \cdots \wedge P_{n}(x_{n})$. Let $P^* \in \mathcal {P}$ be the only predicate for which the adversary will ask the decryption key $\textsf{dk}_{P^*}$ during the experiment $\textbf{G}^{0\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}$ (recall that we prove the security of Construction 3 in the scenario without collusions, i.e., $|\mathcal {Q}_{\textsf{KGen}}| = 1$). Also, consider the validity condition of $\textbf{G}^{0\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}$. We can write such a validity condition with respect to $P^* \in \mathcal {Q}_{\textsf{KGen}} = \{P^*\}$ as follows: $\forall j \in [n]$, $\forall i_1 \in [k_1+1],\ldots ,\forall i_n \in [k_n+1]$,

$$\begin{aligned}&P^*(x^{(i_1,0)}_1,\ldots ,x^{(i_{j-1},0)}_{j-1},x^{0}_j,x^{(i_{j+1},0)}_{j+1},\ldots ,x^{(i_n,0)}_{n}) \\&\quad = P^*(x^{(i_1,1)}_1,\ldots ,x^{(i_{j-1},1)}_{j-1},x^{1}_j,x^{(i_{j+1},1)}_{j+1},\ldots ,x^{(i_n,1)}_{n}) \\&\quad = P^*_1(x^{(i_1,0)}_1) \wedge \cdots \wedge P^*_{j-1}(x^{(i_{j-1},0)}_{j-1}) \wedge P^*_{j}(x^{0}_j) \wedge P^*_{j+1}(x^{(i_{j+1},0)}_{j+1}) \wedge \cdots \wedge P^*_{i_n}(x^{(i_n,0)}_{n}) \\&\quad =P^*_1(x^{(i_1,1)}_1) \wedge \cdots \wedge P^*_{j-1}(x^{(i_{j-1},1)}_{j-1}) \wedge P^*_{j}(x^{1}_j) \wedge P^*_{j+1}(x^{(i_{j+1},1)}_{j+1}) \wedge \cdots \wedge P^*_{n}(x^{(i_n,1)}_{n}) = 0, \end{aligned}$$

where $\mathcal {Q}^{b}_i = \{x^{(1,b)}_i, \ldots , x^{(k_i,b)}_i, x^{(k_i+1,b)}_i = x^b_i\}$ is the ordered list composed of the $k_i$ predicate inputs $\mathcal {Q}_i$ submitted to oracle $\textsf{Enc}(\textsf{ek}_i,\cdot ,\cdot )$ and the challenge input $x^b_i$ (as defined in Definition 13). The above equation can be rewritten as follows: $\exists j_0,j_1\in [n]$, $\forall (x'_1,\ldots ,x'_{n}) \in \mathcal {Q}_1 \times \cdots \times \mathcal {Q}_{n}$,

$$\begin{aligned}&\left( \left( P^*_1(x^0_1) = 0 \wedge \cdots \wedge P^*_{n}(x^0_{n}) = 0 \right) \vee \left( P^*_{j_0}(x^0_{j_0}) = 0 \wedge P^*_{j_0}(x'_{j_0}) = 0 \right) \right) \wedge \nonumber \\&\quad \left( \left( P^*_1(x^1_1) = 0 \wedge \cdots \wedge P^*_{n}(x^1_{n}) = 0 \right) \vee \left( P^*_{j_1}(x^1_{j_1}) = 0 \wedge P^*_{j_1}(x'_{j_1}) = 0 \right) \right) . \end{aligned}$$

(6)

Note that in the above equation we made explicit the challenge inputs and the inputs submitted to the encryption oracles. For this reason, it is enough to quantify over all $(x'_1,\ldots ,x'_n) \in \mathcal {Q}_1 \times \cdots \times \mathcal {Q}_n$ where $\mathcal {Q}_i = \{x^{(1)}_i,\ldots , x^{(k_i)}_i\}$ are the inputs submitted to oracle $\textsf{Enc}(\textsf{ek}_i,\cdot ,\cdot )$. Hence, in order to be valid, $\textsf{A}$ needs to satisfy the condition defined by Eq. (6). These conditions are defined by the events below: for some $j_0,j_1\in [n]$,

$$\begin{aligned}&\textbf{Validity}_{1} : \\&\qquad P^*_1(x^0_1) = 0 \wedge \cdots \wedge P^*_{n}(x^0_{n}) = 0 \wedge P^*_1(x^1_1) = 0 \wedge \cdots \wedge P^*_{n}(x^1_{n}) = 0. \\&\textbf{Validity}_{2,j_0,j_1} : \forall x'_{j_0} \in \mathcal {Q}_{j_0},\forall x'_{j_1} \in \mathcal {Q}_{j_1}, \\&\qquad P^*_{j_0}(x^0_{j_0}) = 0 \wedge P^*_{j_0}(x'_{j_0}) = 0 \wedge P^*_{j_1}(x^1_{j_1}) = 0 \wedge P^*_{j_1}(x'_{j_1}) = 0.\\&\textbf{Validity}_{3,j_0} : \forall x'_{j_0} \in \mathcal {Q}_{j_0}, \\&\qquad P^*_{j_0}(x^0_{j_0}) = 0 \wedge P^*_{j_0}(x'_{j_0}) = 0 \wedge P^*_1(x^1_1) = 0 \wedge \cdots \wedge P^*_{n}(x^1_{n}) = 0.\\&\textbf{Validity}_{4,j_1} : \forall x'_{j_1} \in \mathcal {Q}_{j_1}, \\&\qquad P^*_1(x^0_1) = 0 \wedge \cdots \wedge P^*_{n}(x^0_{n}) = 0 \wedge P^*_{j_1}(x^1_{j_1}) = 0 \wedge P^*_{j_1}(x'_{j_1}) = 0. \end{aligned}$$

For the sake of clarity, in the rest of this proof, we use the notation $\mathbb {V}_i{\mathop {=}\limits ^{\text {{def}}}}\mathbb {C}_{c^{(2)}_{i},\textsf{k}_{i+1}}$ where $c^{(2)}_{i}$ and $\textsf{k}_{i+1}$ will be clear from the context. Also, $[a:b]^{+}_n = \{a,a+1,\ldots ,n,1, 2,\ldots ,b\}$. If $1 \le a\le b \le n$, we have $[a:b]^{+}_n = \{a,a+1,\ldots ,b\}$. Similarly, $[a:b]^{-}_n = \{a,a-1,\ldots ,1,n,n-1,\ldots ,b\}$. If $1 \le b\le a \le n$, we have $[a:b]^{-}_n = \{a,a-1,\ldots ,b\}$.

Lemma 4

If $\textsf{PE}$ is CPA-1-sided secure without collusions (Definition 9) and $\textsf{LOBF}$ is secure (Definition 2), then

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{0\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda ) = 1 \wedge |\mathcal {Q}_{\textsf{KGen}}|=1 \Big \vert \textbf{Validity}_{1}\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ). \end{aligned}$$

Proof

Consider the following hybrid experiments:

$\textbf{H}^{b,0}_0(\lambda )$::: This is exactly the experiment $\textbf{G}^{0\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda )$ conditioned to the event $\textbf{Validity}_{1}$ where the challenge bit is b, i.e., the adversary is valid and satisfies the condition $\textbf{Validity}_1$.
$\textbf{H}^{b,i}_0(\lambda )$ for ${i \in [n]}$::: Same as $\textbf{H}^{b,i-1}_0$, except that the challenger changes how it computes the challenger ciphertext $c_i$. The value $c^{(1)}_i$ challenge ciphertext $c_i = (\widetilde{\mathbb {C}}_i, c^{(2)}_i)$ is computed as $c^{(1)}_i {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}), 0^{s(\lambda ) + k(\lambda )})$ (instead of $c^{(1)}_i {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}), (y_i,\textsf{k}_{i+1}))$) where $0^{s(\lambda ) + k(\lambda )} \in \mathcal {M}_1$ (for some function k), $x_i = x^0_i$, and $x_j = x^\star _j$ for $j \in [n] {\setminus } \{i\}$. Observe that $c^{(1)}_i$ is computed by fixing $x_i = x^{0}_i$ (instead of $x_i = x^b_i$), i.e., the input $(x_1,\ldots ,x_{n})$ used to compute the ith challenge ciphertext is fixed and does not depend on the challenge bit b.
$\textbf{H}^{b,0}_1(\lambda )$::: Identical to $\textbf{H}^{b,n}_0(\lambda )$.
$\textbf{H}^{b,i}_1(\lambda )$ for ${i \in [n]}$::: Same as $\textbf{H}^{b,i-1}_1$, except that the challenger changes how it computes the challenger ciphertext $c_i$. Formally, the value $\widetilde{\mathbb {C}}_i$ of challenge ciphertext $c_i = (\widetilde{\mathbb {C}}_i, c^{(2)}_i)$ is simulated by the challenger using the simulator of the lockable obfuscation scheme $\textsf{LOBF}$, i.e., $\widetilde{\mathbb {C}}_i {{\leftarrow {\$}}}\textsf{S}(1^{\lambda },1^{|\mathbb {V}_i|},1^{|m^b_i|})$.

Claim 6

$\textbf{H}^{b,i-1}_0(\lambda ) \approx _c \textbf{H}^{b,i}_0(\lambda )$ for $i\in [n]$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,1-i}_0(\lambda )$ and $ \textbf{H}^{b,i}_0(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the CPA-1-sided security without collusions of $\textsf{PE}$. $\textsf{A}$ is defined as follows:

1.
Receive $\textsf{mpk}$ from the challenger.
2.
Compute $\textsf{k}_j {{\leftarrow {\$}}}\textsf{KGen}_2(1^{\lambda })$ for $j\in [n]$. Let $\textsf{ek}_i = (\textsf{mpk},\textsf{k}_i,\textsf{k}_{i+1})$ for $i \in [n]$ where $\textsf{k}_{n+1} = \textsf{k}_1$.
3.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, forward the query $P^*$ to $\textsf{KGen}_1$ and return the answer $\textsf{dk}_P$.
- On input $(x,m) \in \mathcal {X}_1 \times \mathcal {M}_3$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$, return $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j) {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j,x,m)$.
4.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
5.
For any $j \in [n]$, $\textsf{A}$ proceeds as follows:
Case $j < i$::

Sample $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$. Execute $c^{(1)}_{j}{{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1, \ldots ,x_{n}),0^{s(\lambda ) + k(\lambda )})$ where $x_j = x^0_j$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$.

Case $j = i$::

Send the challenge $(m^0_*= (y_i, \textsf{k}_{i+1}), m^1_*=0^{s(\lambda )+k(\lambda )}, x^0_*=({x}^0_{*1},\ldots ,{x}^0_{*n}),x^1_*=({x}^1_{*1},\ldots ,{x}^1_{*n}))$ where $y_{i} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $0^{s(\lambda )+k(\lambda )} \in \mathcal {M}_1$, ${x}^0_{*i} = x^b_i$, ${x}^1_{*i} = {x}^0_i$, and ${x}^0_{*j} = {x}^1_{*j} = x^\star _j$ for $j \in [n] {\setminus } \{i\}$. Receive the challenge ciphertext $c^*$ from the challenger. Set $c^{(1)}_i = c^*$.

Case $j > i$::

Sample $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$ and compute $c^{(1)}_{j}{{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1, \ldots ,x_{n}), (y_j, \textsf{k}_{j+1}))$ where $x_j = x^b_j$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$.
6.
Compute $c_j = (\widetilde{\mathbb {C}}_j, c^{(2)}_j)$ where $c^{(2)}_j {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{ek}_j, c^{(1)}_j)$ and $\widetilde{\mathbb {C}}_j {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {V}_j, y_j, m^{b}_j)$ for any $j \in [n]$.
7.
Send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
8.
Answer to the incoming oracle queries as in Item 3.
9.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,i-1}_0(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,i}_0(\lambda )$. Moreover, conditioned to the event $\textbf{Validity}_{1}$ (i.e., $\textsf{D}$ satisfies $\textbf{Validity}_{1}$), we know that $\textsf{D}$ asks for a single decryption key $\textsf{dk}_{P^*}$ for $P^*$ and $P^*_i(x^0_i) =0 \wedge P^*_i(x^1_i) = 0$. Because of this, $\textsf{A}$ submits a single query $P^*$ to oracle $\textsf{KGen}(\textsf{msk},\cdot )$ and it is also a valid adversary for the experiment $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}}1\mathsf {\text {-}PE}}_{\textsf{PE},\textsf{A}}(\lambda )$ with the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 7

$\textbf{H}^{b,i-1}_1(\lambda ) \approx _c \textbf{H}^{b,i}_1(\lambda )$ for $i\in [n]$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,1-i}_1(\lambda )$ and $ \textbf{H}^{b,i}_1(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the security of the lockable obfuscation scheme $\textsf{LOBF}$. $\textsf{A}$ is defined as follows:

1.
Compute $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$ where $\textsf{ek}_j = (\textsf{mpk},\textsf{k}_j,\textsf{k}_{j-1})$ for $j\in [n]$. Let $\textsf{k}_{n+1} = \textsf{k}_1$.
2.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, return $\textsf{dk}_{P^*}{{\leftarrow {\$}}}\textsf{KGen}(\textsf{msk},P^*)$.
- On input $(x,m) \in \mathcal {X}_1 \times \mathcal {M}_3$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$ where $j \in [n]$, return $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j) {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j,x,m)$.
3.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
4.
For any $j \in [n]$, compute $c^{(1)}_j {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),0^{s(\lambda ) + k(\lambda )})$ and $c^{(2)}_j {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j,c^{(1)}_j)$ where $x_j = x^0_j$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$.
5.
For any $j \in [n] \setminus \{i\}$, $\textsf{A}$ proceeds as follows:
Case $j < i$::

Compute $\widetilde{\mathbb {C}}_j {{\leftarrow {\$}}}\textsf{S}(1^{\lambda }, 1^{|\mathbb {V}_j|},1^{|m^b_j|})$.

Case $j = i$::

Send the challenge $(\mathbb {V}_i, m^b_i)$ to the challenger and receive $\widetilde{\mathbb {C}}$. Set $\widetilde{\mathbb {C}}_i = \widetilde{\mathbb {C}}$.

Case $j > i$::

Compute $\widetilde{\mathbb {C}}_j {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {V}_j, y_j, m^{b}_j)$ where $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$.
6.
Set $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$ for $j \in [n]$ and send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
7.
Answer to the incoming oracle queries as in Item 2.
8.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,i-1}_1(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,i}_1(\lambda )$. Hence, $\textsf{A}$ has the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 8

$\textbf{H}^{b,n}_1(\lambda ) \equiv \textbf{H}^{1-b,n}_1(\lambda )$.

Proof

The distribution of these two experiments does not depend on the bit b. $\square $

By combining Claims 6–8 and the fact that $\textbf{Validity}_{1}$ is satisfied, we conclude that

$$\begin{aligned} \textbf{H}^{b,0}_0 \approx _c \cdots \approx _c \textbf{H}^{b,n}_0 \equiv \textbf{H}^{b,0}_1 \approx _c \cdots \approx _c \textbf{H}^{b,n}_1 \equiv \textbf{H}^{1-b,n}_1. \end{aligned}$$

This concludes the proof. $\square $

Lemma 5

Let $j_0,j_1 \in [n]$. If $\textsf{PE}$ is CPA-1-sided secure without collusions (Definition 9), $\textsf{SKE}$ is CPA secure (Definition 4), and $\textsf{LOBF}$ is secure (Definition 2), then

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{0\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda ) = 1 \wedge |\mathcal {Q}_{\textsf{KGen}}| = 1 \Big \vert \textbf{Validity}_{2,j_0,j_1}\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ). \end{aligned}$$

Proof

Without loss of generality, let $q = |\mathcal {Q}_{1}| =\cdots = |\mathcal {Q}_{n}| \in \textsf {poly}(\lambda )$. Consider the following hybrid experiments:

$\textbf{H}^b_0(\lambda )$::: This is exactly the experiment $\textbf{G}^{0\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda )$ conditioned to the event $\textbf{Validity}_{2,j_0,j_1}$ where the challenge bit is b, i.e., the adversary is valid and satisfies $\textbf{Validity}_{2,j_0,j_1}$.
$\textbf{H}^{b}_1(\lambda )$::: Same as $\textbf{H}^{b}_0$, except that the challenger changes how it computes the challenger ciphertext $c_{j_b}$. Formally, the value $c^{(1)}_{j_b}$ of the challenge ciphertext $c_{j_b} = (\widetilde{\mathbb {C}}_{j_b}, c^{(2)}_{j_b})$ is computed as $c^{(1)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}), 0^{s(\lambda ) + k(\lambda )})$ (instead of $c^{(1)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}), (y_{j_b},\textsf{k}_{j_{b}+1}))$) where $0^{s(\lambda ) + k(\lambda )} \in \mathcal {M}_1$ (for some function k), $x_{j_b} = x^b_{j_b}$, and $x_{j} = x^\star _j$ for $j \in [n] {\setminus } \{j_b\}$. Note that $c^{(1)}_{j_b}$ still depends on the challenge bit b since it is computed over the input $(x_1,\ldots x_{n})$ where $x_{j_b} = x_{j_b}^b$. We will remove this dependency in $\textbf{H}^{b,0,0,0}_{5+n-1}$.^{Footnote 24}
$\textbf{H}^{b,0}_2$::: Identical to $\textbf{H}^{b}_1(\lambda )$.
$\textbf{H}^{b,i}_2(\lambda )$ for ${i \in [q]}$::: Same as $\textbf{H}^{b,i-1}_2(\lambda )$ except that the challenger changes how it answers to the first i queries for oracle $\textsf{Enc}(\textsf{ek}_{j_b},\cdot ,\cdot )$. Formally, on input the $i'$th query $(x,m)$ such that $i'\le i$, the challenger computes $c^{(1)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{j_b} = x$, and $x_{j} = x^\star _{j}$ for $j \in [n] {\setminus } \{j_b\}$. Finally, the challenger returns $c_{j_b} = (\widetilde{\mathbb {C}}_{j_b},c^{(2)}_{j_b})$ where $c^{(2)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j_b},c^{(1)}_{j_b})$, $y_{j_b} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, and $\widetilde{\mathbb {C}}_{j_b} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_{j_b}, y_{j_b}, m)$. Otherwise, on input the $i'$th query $(x,m)$ such that $i' > i$, the challenger answers as usual, i.e., as defined in $\textbf{H}^{b,0}_2$.
$\textbf{H}^{b}_3(\lambda )$::: Same as $\textbf{H}^{b,q}_2$, except that the challenger changes how it computes the challenger ciphertext $c_{j_b}$. Formally, the value $\widetilde{\mathbb {C}}_{j_b}$ of challenge ciphertext $c_{j_b} = (\widetilde{\mathbb {C}}_{j_b}, c^{(2)}_{j_b})$ is simulated by the challenger using the simulator of the lockable obfuscation scheme $\textsf{LOBF}$, i.e., $\widetilde{\mathbb {C}}_{j_b} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda },1^{|\mathbb {V}_{j_b}|},1^{|m^b_{j_b}|})$.
$\textbf{H}^{b,0}_4$::: Identical to $\textbf{H}^{b}_3(\lambda )$.
$\textbf{H}^{b,i}_4(\lambda )$ for ${i \in [q]}$::: Same as $\textbf{H}^{b,i-1}_4(\lambda )$ except that the challenger changes how it answers to the first i queries for oracle $\textsf{Enc}(\textsf{ek}_{j_b},\cdot ,\cdot )$. Formally, on input the $i'$th query $(x,m)$ such that $i'\le i$, the challenger returns $c_{j_b} = (\widetilde{\mathbb {C}}_{j_b},c^{(2)}_{j_b})$ where $\widetilde{\mathbb {C}}_{j_b}$ is computed using the simulator of the lockable obfuscator scheme $\textsf{LOBF}$, i.e., $\widetilde{\mathbb {C}}_{j_b} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda },1^{|\mathbb {V}_{j_b}|}, 1^{|m|})$. Otherwise, on input the $i'$th query $(x,m)$ such that $i' > i$, the challenger answers as usual, i.e., as defined in $\textbf{H}^{b,0}_4$.
$\textbf{H}^{b,q,q,1}_4$::: Identical to $\textbf{H}^{b,q}_4(\lambda )$.
$\textbf{H}^{b,0,0,0}_{5+i}$ for ${i \in \{0\}\cup [n-1]}$::: Same as $\textbf{H}^{b,q,q,1}_{5+i-1}$ except that the challenger changes how it computes the challenger ciphertext $c_{v}$ where $v = (j_b+i \mod n)+1$. Formally, the value $c^{(1)}_{v}$ is computed as $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}), 0^{s(\lambda )+k(\lambda )})$ where $0^{s(\lambda ) + k(\lambda )} \in \mathcal {M}_1$ (for some function k), $x_{v} = x^0_{v}$, and $x_{j} = x^\star _j$ for $j \in [n] {\setminus } \{v\}$. Observe that $c^{(1)}_{v}$ is computed by fixing $x_{v} = x^{0}_{v}$ (instead of $x_{v} = x^b_{v}$), i.e., the predicate input $(x_1,\ldots ,x_{n})$ used to compute the vth challenge ciphertext is fixed and does not depend on the challenge bit b.
$\textbf{H}^{b,t_1,0,0}_{5+i}$ for ${t_1 \in [q]}$, ${i \in \{0\}\cup [n-2]}$::: Same as $\textbf{H}^{b,t_1-1,0,0}_{5+i}(\lambda )$ except that the challenger changes how it answers to the first $t_1$ queries for oracle $\textsf{Enc}(\textsf{ek}_{v},\cdot ,\cdot )$ where $v = (j_b+i \mod n)+1$. On input the $t_1'$th query $(x,m)$ such that $t_1'\le t_1$, the challenger computes $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{v} = x$, and $x_{j} = x^\star _{j}$ for $j \in [n] {\setminus } \{v\}$. Finally, the challenger returns $c_{v} = (\widetilde{\mathbb {C}}_{v},c^{(2)}_{v})$ where $c^{(2)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{v},c^{(1)}_{v})$, $\widetilde{\mathbb {C}}_{v} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_v, y_{v}, m)$, and $y_{v}{{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$. Otherwise, on input the $t_1'$th query $(x,m)$ such that $t_1' > t_1$, the challenger answers as usual, i.e., as defined in $\textbf{H}^{b,0,0,0}_{5+i}$.
$\textbf{H}^{b,q,t_2,0}_{5+i}$ for ${t_2 \in [q]}$,${i \in \{0\}\cup [n-2]}$::: Same as $\textbf{H}^{b,q,t_2-1,0}_{5+i}(\lambda )$ except that the challenger changes how it answers to the first $t_2$ queries for oracle $\textsf{Enc}(\textsf{ek}_{v},\cdot ,\cdot )$ where $v = (j_b+i \mod n)+1$. Formally, on input the $t_2'$th query $(x,m)$ such that $t_2'\le t_2$, the challenger returns $c_{v} = (\widetilde{\mathbb {C}}_{v},c^{(2)}_{v})$ where $\widetilde{\mathbb {C}}_{v}$ is computed using the simulator of the lockable obfuscator scheme $\textsf{LOBF}$, i.e., $\widetilde{\mathbb {C}}_{v} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda },1^{|\mathcal {V}_v|}, 1^{|m|})$. Otherwise, on input the $t_2'$th query $(x,m)$ such that $t_2' > t_2$, the challenger answers as usual, i.e., as defined in $\textbf{H}^{b,q,0,0}_{5+i}$.
$\textbf{H}^{b,q,q,1}_{5+i}$ for ${i \in \{0\}\cup [n-2]}$::: Same as $\textbf{H}^{b,q,q,0}_{5+i}(\lambda )$ except that the challenger computes the challenger ciphertext $c_{v}$ differently for $v = (j_b+i \mod n)+1$. Formally, the value $\widetilde{\mathbb {C}}_{v}$ of challenge ciphertext $c_{v} = (\widetilde{\mathbb {C}}_{v}, c^{(2)}_{v})$ is simulated by the challenger using the simulator of the lockable obfuscation scheme $\textsf{LOBF}$, i.e., $\widetilde{\mathbb {C}}_{v} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda },1^{|\mathbb {V}_v|},1^{|m^b_{v}|})$.

Claim 9

$\textbf{H}^b_0(\lambda ) \approx _c \textbf{H}^{b}_1(\lambda )$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b}_0(\lambda )$ and $ \textbf{H}^{b}_1(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the CPA-1-sided security without collusions of $\textsf{PE}$. $\textsf{A}$ is defined as follows:

1.
Receive $\textsf{mpk}$ from the challenger.
2.
Compute $\textsf{k}_j {{\leftarrow {\$}}}\textsf{KGen}_2(1^{\lambda })$ for $j\in [n]$. Let $\textsf{ek}_j = (\textsf{mpk},\textsf{k}_j,\textsf{k}_{j+1})$ for $j \in [n]$ where $\textsf{k}_{n+1} = \textsf{k}_1$.
3.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, forward the query $P^*$ to $\textsf{KGen}_1$ and return the answer $\textsf{dk}_{P^*}$.
- On input $(x,m) \in \mathcal {X}_1 \times \mathcal {M}_3$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$ where $j \in [n]$, return $c_{j} = (\widetilde{\mathbb {C}}_j,c^{(2)}_j) {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j,x,m)$.
4.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$. Send the challenge $(m^0_*=(y_{j_b}, \textsf{k}_{j_b+1}), m^1_*=0^{s(\lambda )+k(\lambda )}, x^0_*=({x}^0_{*1},\ldots ,{x}^0_{*n}),x^1_*=({x}^1_{*1},\ldots ,{x}^1_{*n}))$ where $y_{j_b} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $0^{s(\lambda )+k(\lambda )} \in \mathcal {M}_1$, ${x^0_{*j_b}} = {x}^1_{*j_b} =x^b_{j_b}$ and ${x}^0_{*j} = {x}^1_{*j}=x^\star _j$ for $j \in [n] {\setminus } \{j_b\}$.
5.
Receive the challenge ciphertext $c^*$ from the challenger. Set $c^{(1)}_{j_b} = c^*$.
6.
For any $j \in [n] \setminus \{j_b\}$, compute $c^{(1)}_j {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1, \ldots , x_{n}),(y_j, \textsf{k}_{j+1}))$ where $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_j = x^b_j$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$.
7.
Compute $c_j = (\widetilde{\mathbb {C}}_j, c^{(2)}_j)$ where $c^{(2)}_j {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{ek}_j, c^{(1)}_j)$ and $\widetilde{\mathbb {C}}_j {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {V}_j,$ $ y_j, m^{b}_j)$ for any $j \in [n]$.
8.
Send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
9.
Answer to the incoming oracle queries as in Item 3.
10.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b}_0(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b}_1(\lambda )$. Moreover, since $\textsf{D}$ submits a single query $P^*$ to oracle $\textsf{KGen}(\textsf{msk},\cdot )$ and it satisfies the condition $\textbf{Validity}_{2,j_0,j_1}$, we know that $P^*_{j_b}(x^b_{j_b}) = 0$. Because of this, $\textsf{A}$ submits only a query to oracle $\textsf{KGen}_1(\textsf{msk},\cdot )$ (i.e., security without collusions) and, it is also a valid adversary for the experiment $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}}1\mathsf {\text {-}PE}}_{\textsf{PE},\textsf{A}}(\lambda )$ with the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 10

$\textbf{H}^{b,i-1}_2(\lambda ) \approx _c \textbf{H}^{b,i}_2(\lambda )$ for $i \in [q]$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,i-1}_2(\lambda )$ and $ \textbf{H}^{b,i}_2(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the CPA-1-sided security without collusions of $\textsf{PE}$. $\textsf{A}$ is defined as follows:

1.
Receive $\textsf{mpk}$ from the challenger.
2.
Compute $\textsf{k}_j {{\leftarrow {\$}}}\textsf{KGen}_2(1^{\lambda })$ for $j\in [n]$. Let $\textsf{k}_{n+1} = \textsf{k}_1$.
3.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, forward the query $P^*$ to $\textsf{KGen}_1$ and return the answer $\textsf{dk}_{P^*}$.
- On input $i'$th query $(x,m) \in \mathcal {X}_1 \times \mathcal {M}_3$ for $\textsf{Enc}(\textsf{ek}_{j},\cdot ,\cdot )$ where $j \in [n]$, $\textsf{A}$ proceeds as follows:
  Case $j \ne j_b$::
  
  Sample $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$. Compute $c^{(1)}_j {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),(y_j,\textsf{k}_{j+1}))$ where $x_{j} = x$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j\}$.
  
  Case $j = j_b$ and $i' < i$::
  
  Sample $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$. Compute $c^{(1)}_j {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}),0^{s(\lambda ) + k(\lambda )})$ where $x_{j_b} = x$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j_b\}$.
  
  Case $j = j_b$ and $i' = i$::
  
  Sample $y_{j_b} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$ and send $(m^0_* = (y_{j_b},\textsf{k}_{j_b+1}), m^1_* = 0^{s(\lambda ) + k(\lambda )}, x^0_*=({x}^0_{*1},\ldots ,{x}^0_{*n}),x^1_*=({x}^1_{*1},\ldots ,{x}^1_{*n}))$ to the challenger where ${x}^0_{*j_b} = {x}^1_{*j_b} = x$ and ${x}^0_{*j'} = {x}^1_{*j'}=x^\star _{j'}$ for $j' \in [n]{\setminus }\{j_b\}$. Receive the challenge ciphertext $c^*$ and $c^{(1)}_{j_b} = c^*$.
  
  Case $j = j_b$ and $i' > i$::
  
  Sample $y_{j_b} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$. Compute $c^{(1)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1 (\textsf{mpk},(x_1,\ldots ,x_{n}),(y_{j_b}, \textsf{k}_{j_b+1}))$ where $x_{j_b} = x$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j_b\}$.
  
  Finally, return $c_{j} = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$ where $c^{(2)}_j {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j, c^{(1)}_j)$ and $\widetilde{\mathbb {C}}_j {{\leftarrow {\$}}}\textsf{Obf}( 1^{\lambda }, \mathbb {V}_j,y_j,m)$.
4.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n})$ from $\textsf{D}$.
5.
For every $j\in [n]\setminus \{j_b\}$, sample $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$ and compute $c^{(1)}_j {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}),(y_j, \textsf{k}_{j+1}))$ where $x_{j} = x^b_j$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j\}$.
6.
Sample $y_{j_b} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$ and compute the ciphertext $c^{(1)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s(\lambda ) + k(\lambda )})$ where $x_{j_b} = x^b_{j_b}$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j_b\}$.
7.
Compute the ciphertext $c_j = (\widetilde{\mathbb {C}}_j, c^{(2)}_j)$ where $c^{(2)}_j {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j, c^{(1)}_j)$ and $\widetilde{\mathbb {C}}_j {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_{j},y_j, m^{b}_j)$ for any $j \in [n]$.
8.
Send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
9.
Answer to the incoming oracle queries as in Item 3.
10.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,i-1}_2(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,i}_2(\lambda )$. Moreover, since $\textsf{D}$ submits a single query $P^*$ to oracle $\textsf{KGen}(\textsf{msk},\cdot )$ and it satisfies the condition $\textbf{Validity}_{2,j_0,j_1}$, we know that $\forall x'_{j_b} \in \mathcal {Q}_{j_b}, P^*_{j_b}(x'_{j_b}) = 0$. Because of this, $\textsf{A}$ submits a single query to oracle $\textsf{KGen}_1(\textsf{msk},\cdot )$ and it is also a valid adversary for the experiment $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}}1\mathsf {\text {-}PE}}_{\textsf{PE},\textsf{A}}(\lambda )$ with the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 11

$\textbf{H}^{b,q}_2(\lambda ) \approx _c \textbf{H}^{b}_3(\lambda )$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,q}_2(\lambda )$ and $ \textbf{H}^{b}_3(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the security of the lockable obfuscation scheme $\textsf{LOBF}$. $\textsf{A}$ is defined as follows:

1.
Compute $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$ where $\textsf{ek}_j = (\textsf{mpk},\textsf{k}_j,\textsf{k}_{j+1})$ for $j\in [n]$. Let $\textsf{k}_{n+1} = \textsf{k}_1$.
2.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, return $\textsf{dk}_{P^*}{{\leftarrow {\$}}}\textsf{KGen}(\textsf{msk},P^*)$.
- On input $(x,m) \in \mathcal {X}_1 \times \mathcal {M}_3$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$, $\textsf{A}$ proceeds as follows:
  Case $j = j_b$::
  
  Sample $y_{j_b} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$. Compute $c^{(1)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{j_b} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j_b\}$.
  
  Case $j \ne j_b$::
  
  Run $c^{(1)}_j {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}), (y_j, \textsf{k}_{j+1}))$ where $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_j = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j\}$.
  
  Finally, return $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$ where $c^{(2)}_j {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j,c^{(1)}_j)$ and $\widetilde{\mathbb {C}}_j {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {V}_j, y_j, m)$.
3.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
4.
Compute $c^{(1)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),0^{s(\lambda )+k(\lambda )})$ and $c^{(2)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j,c^{(1)}_{j_b})$ where $x_{j_b} = x^b_{j_b}$, and $x_{j} = x^\star _{j}$ for $j \in [n] {\setminus } \{j_b\}$.
5.
For any $j \in [n]\setminus \{j_b\}$, sample $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$ and compute $c^{(1)}_j {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}),(y_j,\textsf{k}_{j+1}))$, $c^{(2)}_j {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j,c^{(1)}_j)$, and $\widetilde{\mathbb {C}}_j {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {V}_j, y_j, m^{b}_j)$ where $x_j = x^b_j$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$.
6.
Send the challenge $(\mathbb {V}_{j_b}, m^b_{j_b})$ to the challenger and receive $\widetilde{\mathbb {C}}$. Set $\widetilde{\mathbb {C}}_{j_b} = \widetilde{\mathbb {C}}$.
7.
Set $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$ for $j \in [n]$ and send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
8.
Answer to the incoming oracle queries as in Item 2.
9.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,q}_2(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b}_3(\lambda )$. Hence, $\textsf{A}$ has the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 12

$\textbf{H}^{b,i-1}_4(\lambda ) \approx _c \textbf{H}^{b,i}_4(\lambda )$ for $i \in [q]$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,i-1}_4(\lambda )$ and $ \textbf{H}^{b,i}_4(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the security of the lockable obfuscation scheme $\textsf{LOBF}$. $\textsf{A}$ is defined as follows:

1.
Compute $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$ where $\textsf{ek}_j = (\textsf{mpk},\textsf{ek}_j,\textsf{ek}_{j-1})$ for $j\in [n]$. Let $\textsf{k}_{n+1} = \textsf{k}_1$.
2.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, return $\textsf{dk}_{P^*}{{\leftarrow {\$}}}\textsf{KGen}(\textsf{msk},P^*)$.
- On input the $i'$th query $(x,m) \in \mathcal {X}_1 \times \mathcal {M}_3$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$, $\textsf{A}$ proceeds as follows:
  Case $j{=}j_b$ and $i'{<}i$::
  
  Run $\widetilde{\mathbb {C}}_{j_b} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda }, 1^{|\mathbb {V}_{j_b}|},1^{|m|})$, $c^{(2)}_{j_b}{{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j_b}, c^{(1)}_{j_b})$, and $c^{(1)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{j_b} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j_b\}$.
  
  Case $j = j_b$ and $i'= i$::
  
  Compute $c^{(2)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j_b},c^{(1)}_{j_b})$ and $c^{(1)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{j_b} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j_b\}$. Send the challenge $(\mathbb {V}_{j_b},m)$ to the challenger and receive the answer $\widetilde{\mathbb {C}}^*$. Set $\widetilde{\mathbb {C}}_{j_b} = \widetilde{\mathbb {C}}^*$.
  
  Case $j = j_b$ and $i' > i$::
  
  Compute $\widetilde{\mathbb {C}}_{j_b} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_{j_b}, m)$, $c^{(2)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j_b},c^{(1)}_{j_b})$, and $c^{(1)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s(\lambda )+k(\lambda )})$ where $y_{j_b} {{\leftarrow {\$}}} {{\leftarrow {\$}}}^{s(\lambda )}$, $x_{j_b} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j_b\}$.
  
  Case $j \ne j_b$::
  
  Compute $\widetilde{\mathbb {C}}_j {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_j, y_j, m)$, $c^{(2)}_j {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j,c^{(1)}_j)$, and $c^{(1)}_j {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),(y_j, \textsf{k}_{j+1}))$ where $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_j = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j\}$.
  
  Finally, return $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$.
3.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
4.
Run $\widetilde{\mathbb {C}}_{j_b} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda }, 1^{|\mathbb {V}_{j_b}|},1^{|m^b_{j_b}|})$, $c^{(1)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),0^{s(\lambda )+k(\lambda )})$, and $c^{(2)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j,c^{(1)}_{j_b})$ where $x_{j_b} = x^b_{j_b}$, and $x_{j} = x^\star _{j}$ for $j \in [n] {\setminus } \{j_b\}$.
5.
For any $j \in [n]\setminus \{j_b\}$, sample $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$ and compute $c^{(1)}_j {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots , x_{n}),(y_j,\textsf{k}_{j+1}))$, $c^{(2)}_j {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j,c^{(1)}_j)$, and $\widetilde{\mathbb {C}}_j {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_j, y_j, m^{b}_j)$ where $x_j = x^b_j$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$.
6.
Set $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$ for $j \in [n]$ and send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
7.
Answer to the incoming oracle queries as in Item 2.
8.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,i-1}_4(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,i}_4(\lambda )$. Hence, $\textsf{A}$ has the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 13

$\textbf{H}^{b,q,q,1}_{5+i-1}(\lambda ) \approx _c \textbf{H}^{b,0,0,0}_{5+i}(\lambda )$ for $i \in \{0\}\cup [n-1]$.

Proof

Let $v = (j_b + i \mod n)+1$. Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,q,q,1}_{5+i-1}(\lambda )$ and $ \textbf{H}^{b,0,0,0}_{5+i}(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the CPA security of $\textsf{SKE}$. $\textsf{A}$ is defined as follows:

1.
Compute $(\textsf{mpk},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}_1(1^{\lambda })$ and $\textsf{ek}_j = (\textsf{ek},\textsf{k}_j,\textsf{k}_{j-1})$ for $j\in [n]{\setminus }\{v\}$. If $v \ne 1$, let $\textsf{k}_{n+1} = \textsf{k}_1$.
2.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, return $\textsf{dk}_{P^*}{{\leftarrow {\$}}}\textsf{KGen}_1(\textsf{msk},P^*)$.
- On input $(x,m) \in \mathcal {X}_1 \times \mathcal {M}_3$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$, $\textsf{A}$ proceeds as follows:
  Case $j \in {[j_b:v-1]^+_n}$::
  
  Compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda },1^{|\mathbb {V}_j|},1^{|m|})$, $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j},c^{(1)}_{j})$, and $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{j} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j\}$.
  
  Case $j = v$::
  
  Run $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),(y_{v}, \textsf{k}_{v+1}))$ where $y_{v} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{v} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{v\}$. Send the query $c^{(1)}_{v}$ to the oracle $\textsf{Enc}_2$ and receive the answer $c^{(2)}_{v}$. Compute $\widetilde{\mathbb {C}}_{v} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_{v},y_{v},m)$.
  
  Case $i < n-2$ (hence, $v \not \in \{j_b-1,j_b\}$) and $j \in {[v+1:j_b-1]^+_n}$::
  
  Run $\widetilde{\mathbb {C}}_{j}{{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_j,y_j,m)$, the ciphertext $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j},c^{(1)}_{j})$, and $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),(y_j, \textsf{k}_{j+1}))$ where $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{j} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j\}$.
  
  Finally, return $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$.
3.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
4.
Case $i < n-1$ (hence, $v \ne j_b$): For every $j \in [n]$, the adversary $\textsf{A}$ proceeds as follows:
Case $j \in {[j_b,v-1]^+_n}$::

Run $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1( \textsf{mpk}, (x_1,\ldots , x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{j} = x^b_{j}$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$. Finally, compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda },1^{|\mathbb {V}_j|},1^{|m^b_{j}|})$ and $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j,c^{(1)}_{j})$.

Case $j = v$::

Run $c^{(1,0)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},({x}^0_{*1},\ldots , {x}^0_{*n}),(y_{v},\textsf{k}_{v+1}))$ and $c^{(1,1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, ({x}^1_{*1},\ldots , {x}^1_{*n}),0^{s(\lambda )+k(\lambda )})$ where $y_{v} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, ${x}^0_{*v}= x^b_{v}$, ${x}^1_{*v} = x^0_{v}$, and ${x}^0_{*j'} = {x}^1_{*j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{v\}$. Send the challenge $(m^0 = c^{(1,0)}_{v}, m^1 = c^{(1,1)}_{v})$ to the challenger and receive the answer $c^*$. Set $c^{(2)}_{v}$ and compute $\widetilde{\mathbb {C}}_{v} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {V}_v, m^{b}_{v})$.

Case $i < n-2$ (hence, $v \not \in \{j_b-1,j_b\}$) and $j \in {[v+1:j_b-1]^+_n}$::

Run $c^{(1)}_{j}{{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),(y_j, \textsf{k}_{j+1}))$ where $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{j} = x^b_{j}$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$. Finally, compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {V}_j, y_{j},m^{b}_{j})$ and $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j},c^{(1)}_{j})$.
5.
Otherwise, case $i = n-1$ (hence, $v = j_b$): For every $j \in [n]$, the adversary $\textsf{A}$ proceeds as follows:
Case $j \in {[j_b+1:j_b-1]^+_n}$::

Execute $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{j} = x^b_{j}$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$. Finally, compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}} \textsf{S}(1^{\lambda }, 1^{|\mathbb {V}_j|},1^{|m^b_{j}|})$ and $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j,c^{(1)}_{j})$.

Case $j = j_b$::

Run $c^{(1,0)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, ({x}^0_{*1},\ldots , {x}^0_{*n}),0^{s(\lambda )+k(\lambda )})$ and $c^{(1,1)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, ({x}^1_{*1},\ldots , {x}^1_{*n}),0^{s(\lambda )+k(\lambda )})$ where ${x}^0_{*j_b} = x^b_{j_b}$, ${x}^1_{*j_b} = x^0_{j_b}$, and ${x}^0_{*j'} = {x}^1_{*j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j_b\}$. Send the challenge $(m^0 = c^{(1,0)}_{j_b}, m^1 = c^{(1,1)}_{j_b})$ to the challenger and receive the answer $c^*$. Set $c^{(2)}_{j_b}$. Finally, compute $\widetilde{\mathbb {C}}_{j_b} {{\leftarrow {\$}}}\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda }, 1^{|\mathbb {V}_{j_b}|},1^{|m^b_{j_b}|})$.
6.
Set $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$ for $j \in [n]$ and send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
7.
Answer to the incoming oracle queries as in 2.
8.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,q,q,1}_{5+i-1}(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,0,0,0}_{5+i}(\lambda )$. Hence, $\textsf{A}$ has the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 14

$\textbf{H}^{b,t_1-1,0,0}_{5+i}(\lambda ) \approx _c \textbf{H}^{b,t_1,0,0}_{5+i}(\lambda )$ for $t_1 \in [q]$ and $i \in \{0\}\cup [n-2]$.

Proof

Let $v = (j_b + i \mod n)+1$ Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,t_1-1,0,0}_{5+i}(\lambda )$ and $ \textbf{H}^{b,t_1,0,0}_{5+i}(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the CPA security of $\textsf{SKE}$. $\textsf{A}$ is defined as follows:

1.
Compute $(\textsf{mpk},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}_1(1^{\lambda })$ and $\textsf{ek}_j = (\textsf{ek},\textsf{k}_j,\textsf{k}_{j-1})$ for $j\in [n]{\setminus }\{v\}$. If $v \ne 1$, let $\textsf{k}_{n+1} = \textsf{k}_1$.
2.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, return $\textsf{dk}_{P^*}{{\leftarrow {\$}}}\textsf{KGen}_1(\textsf{msk},P^*)$.
- On input the $t_1'$th query $(x,m) \in \mathcal {X}_1 \times \mathcal {M}_3$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$, $\textsf{A}$ proceeds as follows:
  Case $j \in {[j_b:v-1]^+_n}$::
  
  Execute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda },1^{|\mathbb {V}_j|},1^{|m|})$, $c^{(2)}_{j} {{\leftarrow {\$}}}$ $\textsf{Enc}_2(,\textsf{k}_{j},c^{(1)}_{j})$, and $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{j} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j\}$.
  
  Case $j = v$ and $t_1' < t_1$::
  
  Sample $y_{v} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$. Run $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},$ $(x_1,\ldots ,x_{n}),0^{s(\lambda ) + k (\lambda )})$ where $x_{v} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{v\}$. Send the query $c^{(1)}_{v}$ to the oracle $\textsf{Enc}_2$ and receive the answer $c^{(2)}_{v}$. Compute $\widetilde{\mathbb {C}}_{v} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_v,y_{v},m)$.
  
  Case $j = v$ and $t_1' = t_1$::
  
  Compute $c^{(1,0)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),$ $ (y_{v},\textsf{k}_{v+1}))$ and $c^{(1,1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),0^{s(\lambda )+k(\lambda )})$ where $y_{v}{{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{v} = x$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{v\}$. Send the challenge $(m^0 = c^{(1,0)}_{v}, m^1 = c^{(1,1)}_{v})$ to the challenger and receive the answer $c^*$. Set $c^{(2)}_{v}$. Finally, compute $\widetilde{\mathbb {C}}_{v} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {V}_v, y_{v}, m)$.
  
  Case $j = v$ and $t_1' > t_1$::
  
  Sample $y_{v} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$. Run $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},$ $(x_1,\ldots ,x_{n}), (k_{v},\textsf{k}_{v+1}))$ where $x_{v} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{v\}$. Send the query $c^{(1)}_{v}$ to the oracle $\textsf{Enc}_2$ and receive the answer $c^{(2)}_{v}$. Compute $\widetilde{\mathbb {C}}_{v} {{\leftarrow {\$}}}\textsf{Obf}$ $ (1^{\lambda },\mathbb {V}_v,y_{v},m)$.
  
  Case $i < n-2$ (hence, $v \ne j_b-1$) and $j \in {[v+1:j_b-1]^+_n}$::
  
  Run $\widetilde{\mathbb {C}}_{j}{{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_j,y_j,m)$, $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j},c^{(1)}_{j})$, and $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1$ $(\textsf{mpk},(x_1,\ldots ,x_{n}),(y_j,\textsf{k}_{j+1}))$ where $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{j} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j\}$.
  
  Finally, return $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$.
3.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
4.
For every $j \in [n]$, the adversary $\textsf{A}$ proceeds as follows:
Case $j \in {[j_b:v-1]^+_n}$::

Run $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{j} = x^0_{j}$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$. Finally, compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda }, 1^{|\mathbb {V}_j|},1^{|m^b_{j}|})$ and $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j,c^{(1)}_{j})$.

Case $j = v$::

Sample $y_{v} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )+k(\lambda )}$ and compute $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),0^{s(\lambda )+k(\lambda )})$ where $y_{v} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{v} = x^0_{v}$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{v\}$. Send the query $c^{(1)}_{v}$ to the oracle $\textsf{Enc}_2$ and receive the answer $c^{(2)}_{v}$. Compute $\widetilde{\mathbb {C}}_{v} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_v,y_{v},m)$.

Case $i < n-2$ (hence, $v \ne j_b-1$) and $j \in {[v+1:j_b-1]^+_n}$::

Run $c^{(1)}_{j} {{\leftarrow {\$}}}$ $ \textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),(y_j,\textsf{k}_{j+1}))$ where $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{j} = x^b_{j}$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$. Finally, compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {V}_j, y_{j},m^{b}_{j})$ and $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j},c^{(1)}_{j})$.
5.
Set $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$ for $j \in [n]$ and send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
6.
Answer to the incoming oracle queries as in Item 2.
7.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,t_1-1,0,0}_{5+i}(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,t_1,0,0}_{5+i}(\lambda )$. Hence, $\textsf{A}$ has the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 15

$\textbf{H}^{b,q,t_2-1,0}_{5+i}(\lambda ) \approx _c \textbf{H}^{b,q,t_2,0}_{5+i}(\lambda )$ for $t_2 \in [q]$ and $i \in \{0\}\cup [n-2]$.

Proof

Let $v = (j_b + i \mod n)+1$. Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,q,t_2-1,0}_{5+i}(\lambda )$ and $ \textbf{H}^{b,q,t_2,0}_{5+i}(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the security of the lockable obfuscator scheme $\textsf{LOBF}$. $\textsf{A}$ is defined as follows:

1.
Compute $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$ where $\textsf{ek}_j = (\textsf{mpk},\textsf{k}_{j},k_{j+1})$ for $j \in [n]$. Let $\textsf{k}_{n+1} = \textsf{k}_1$.
2.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, return $\textsf{dk}_{P^*}{{\leftarrow {\$}}}\textsf{KGen}_1(\textsf{msk},P^*)$.
- On input the $t_2'$th query $(x,m) \in \mathcal {X}_1 \times \mathcal {M}_3$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$, $\textsf{A}$ proceeds as follows:
  Case $j \in {[j_b:v-1]^+_n}$::
  
  Execute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda }, 1^{|\mathbb {V}_j|},1^{|m|})$, $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2 $ $ (\textsf{k}_{j},c^{(1)}_{j})$, and $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{j} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j\}$.
  
  Case $j = v$ and $t_2' < t_2$::
  
  Run $\widetilde{\mathbb {C}}_{v} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda }, 1^{|\mathbb {V}_v|},1^{|m|})$, $c^{(2)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{v},c^{(1)}_{v})$, $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{v} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{v\}$.
  
  Case $j = v$ and $t_2' = t_2$::
  
  Compute $c^{(2)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{v}, c^{(1)}_{v})$ and $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{v} = x$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{v\}$. Send the challenge $(\mathbb {V}_v,m)$ to the challenger and receive the answer $\widetilde{\mathbb {C}}^*$. Set $\widetilde{\mathbb {C}}_{v} = \widetilde{\mathbb {C}}^*$.
  
  Case $j = v$ and $t_2' > t_2$::
  
  Sample $y_{v} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$. Compute $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}), 0^{s(\lambda )+k(\lambda )})$ where $x_{v} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{v\}$. Send the query $c^{(1)}_{v}$ to the oracle $\textsf{Enc}_2$ and receive the answer $c^{(2)}_{v}$. Compute $\widetilde{\mathbb {C}}_{v} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {C}_{c^{(2)}_{v},\textsf{k}_{v+1}},y_{v},m)$.
  
  Case $i < n-2$ (hence, $v \ne j_b-1$) and $j \in {[v+1:j_b-1]^+_n}$::
  
  Run $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_j,y_j,m)$, $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j},c^{(1)}_{j})$, and $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}),(y_j,\textsf{k}_{j+1}))$ where $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{j} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j\}$.
  
  Finally, return $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$.
3.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
4.
For every $j \in [n]$, the adversary $\textsf{A}$ proceeds as follows:
Case $j \in {[j_b:v-1]^+_n}$::

Run $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{j} = x^0_{j}$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$. Finally, compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda }, 1^{|\mathbb {V}_j|},1^{|m^b_{j}|})$ and $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j,c^{(1)}_{j})$.

Case $j = v$::

Sample $y_{v} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )+k(\lambda )}$ and compute $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),0^{s(\lambda )+k(\lambda )})$ where $y_{v} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{v} = x^0_{v}$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{v\}$. Finally, compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_v,y_{v},m^b_{v})$ and $c^{(2)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{v},c^{(1)}_{v})$.

Case $i < n-2$ (hence, $v \ne j_b-1$) and $j \in {[v+1:j_b-1]^+_n}$::

Run $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),(y_j,\textsf{k}_{j+1}))$ where $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{j} = x^b_{j}$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$. Finally, compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {V}_j, y_{j}, m^{b}_{j})$ and $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j},c^{(1)}_{j})$.
5.
Set $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$ for $j \in [n]$ and send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
6.
Answer to the incoming oracle queries as in Item 2.
7.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,q,t_2-1,0}_{5+i}(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,q,t_2,0}_{5+i}(\lambda )$. Hence, $\textsf{A}$ has the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 16

$\textbf{H}^{b,q,q,0}_{5+i}(\lambda ) \approx _c \textbf{H}^{b,q,q,1}_{5+i}(\lambda )$ for $i \in \{0\}\cup [n-2]$.

Proof

Let $v = (j_b + i \mod n)+1$. Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,q,q,0}_{5+i}(\lambda )$ and $ \textbf{H}^{b,q,q,1}_{5+i}(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the security of the lockable obfuscator scheme $\textsf{LOBF}$. $\textsf{A}$ is defined as follows:

1.
Compute $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$ where $\textsf{ek}_j = (\textsf{mpk},\textsf{k}_{j},\textsf{k}_{j+1})$ for $j \in [n]$. Let $\textsf{k}_{n+1} = \textsf{k}_1$.
2.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, return $\textsf{dk}_{P^*}{{\leftarrow {\$}}}\textsf{KGen}_1(\textsf{msk},P^*)$.
- On input $(x,m) \in \mathcal {X}_1 \times \mathcal {M}_3$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$, $\textsf{A}$ proceeds as follows:
  Case $j \in {[j_b:v]^+_n}$::
  
  Run $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda },1^{|\mathbb {V}_j|},1^{|m|})$, $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j},c^{(1)}_{j})$, and $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{j} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j\}$.
  
  Case $i < n-2$ (hence, $v \ne j_b-1$) and $j \in {[v+1:j_b-1]^+_n}$::
  
  Run $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_j,y_j,m)$, $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j},c^{(1)}_{j})$, and $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}), (y_j, \textsf{k}_{j+1}))$ where $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{j} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j\}$.
  
  Finally, return $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$.
3.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
4.
For every $j \in [n]$, the adversary $\textsf{A}$ proceeds as follows:
Case $j \in {[j_b:v-1]^+_n}$::

Run $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{j} = x^0_{j}$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$. Finally, compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda }, 1^{|\mathbb {V}_j|},1^{|m^b_{j}|})$ and $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j,c^{(1)}_{j})$.

Case $j = v$::

Run $c^{(2)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{v},c^{(1)}_{v})$ and $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots , x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{v} = x^0_{v}$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{v\}$. Send the challenge $(\mathbb {V}_v,m^b_{v})$ to the challenger and receive the answer $\widetilde{\mathbb {C}}^*$. Set $\widetilde{\mathbb {C}}_{v} = \widetilde{\mathbb {C}}^*$.

Case $i < n-2$ (hence, $v \ne j_b-1$) and $j \in {[v+1:j_b-1]^+_n}$::

Run $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),(y_j,\textsf{k}_{j+1}))$ where $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{j} = x^b_{j}$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$. Finally, compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {V}_j, y_{j}, m^{b}_{j})$ and $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j},c^{(1)}_{j})$.
5.
Set $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$ for $j \in [n]$ and send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
6.
Answer to the incoming oracle queries as in Item 2.
7.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,q,q,0}_{5+i}(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,q,q,1}_{5+i}(\lambda )$. Hence, $\textsf{A}$ has the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 17

$\textbf{H}^{1-b,q,q,q}_{5+n}(\lambda ) \equiv \textbf{H}^{b,q,q,1}_{5+n}(\lambda )$.

Proof

The distributions of these two experiments do not depend on the bit b. $\square $

By combining Claims 9–17 and the fact that $\textbf{Validity}_{2,j_0,j_1}$ holds, we conclude that

$$\begin{aligned}&\textbf{H}^b_0 \approx _c \textbf{H}^{b}_1 \equiv \textbf{H}^{b,0}_2 \approx _c \cdots \approx _c \textbf{H}^{b,q}_2 \approx _c \textbf{H}^{b}_3 \equiv \textbf{H}^{b,0}_4 \approx _c \cdots \approx _c \textbf{H}^{b,q}_4 \equiv \\&\quad \textbf{H}^{b,q,q,1}_4 \approx _c \textbf{H}^{b,0,0,0}_{5} \approx _c \cdots \approx _c \textbf{H}^{b,q,0,0}_{5} \approx _c \cdots \approx _c \textbf{H}^{b,q,q,0}_{5} \approx _c \\&\quad \textbf{H}^{b,q,q,1}_{5} \approx _c \cdots \approx _c \textbf{H}^{b,0,0,0}_{5+n-1} \equiv \textbf{H}^{1-b,0,0,0}_{5+n-1}. \end{aligned}$$

This concludes the proof. $\square $

Lemma 6

Let $j_0 \in [n]$. If $\textsf{PE}$ is CPA-1-sided secure without collusions (Definition 9), $\textsf{SKE}$ is CPA secure (Definition 4), and $\textsf{LOBF}$ is secure (Definition 2), then

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{0\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda ) = 1 \wedge |\mathcal {Q}_{\textsf{KGen}}| = 1 \Big \vert \textbf{Validity}_{3,j_0}\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ). \end{aligned}$$

Proof

Without loss of generality, let $q = |\mathcal {Q}_{1}| =\ldots = |\mathcal {Q}_{nim}| \in \textsf {poly}(\lambda )$. Consider the hybrid experiments of Lemmas 4 and 5. Formally,

Let $\textbf{H}^{1,i}_0(\lambda )$ and $\textbf{H}^{1,i}_1(\lambda )$ for $i \in \{0\}\cup [n]$ be the hybrids of Lemma 4 (for the challenge bit $b=1$) except that are conditioned to the event $\textbf{Validity}_{3,j_0}$ (instead of $\textbf{Validity}_{1}$).
Let $\textbf{H}^0_0(\lambda ), \textbf{H}^{0}_1(\lambda ), \textbf{H}^{0,i}_2(\lambda ), \textbf{H}^{0}_3(\lambda ), \textbf{H}^{0,i}_4(\lambda ), \textbf{H}^{0,q,q,1}_{4}(\lambda ), \textbf{H}^{0,i,0,0}_{5+j}(\lambda ),\textbf{H}^{0,q,i,0}_{5+j}(\lambda ), \textbf{H}^{0,q,q,k}_{5+j}(\lambda ),$ and $\textbf{H}^{0,0,0,0}_{5+n-1}(\lambda )$, for $(i,j,k) \in (\{0\}\cup [q]) \times (\{0\}\cup [n-2]) \times {{\leftarrow {\$}}}$, be the hybrids of Lemma 5 (for the challenge bit $b=0$) except that are conditioned to the event $\textbf{Validity}_{3,j_0}$ (instead of $\textbf{Validity}_{2,j_0,j_1}$).

In addition, consider the following additional hybrids experiments:

$\textbf{H}^{0,q,q}_{5+n}$::: Identical to $\textbf{H}^{0,0,0,0}_{5+n-1}$.
$\textbf{H}^{0,0,0}_{5+n+i}$ for ${i \in [n]}$::: Identical to $\textbf{H}^{0,q,q}_{5+n+i-1}$.
$\textbf{H}^{0,0,t_2}_{5+n+i}$ for ${t_2 \in [q]},{i \in [n]}$::: Same as $\textbf{H}^{0,0,t_2-1}_{5+n+i}$ except that the challenger changes how it answers to the first $t_2$ queries for oracle $\textsf{Enc}(\textsf{ek}_{v},\cdot ,\cdot )$ where $v = (j_0 - i-1 \mod n) + 1$. Formally, on input the $t_2'$th query $(x,m)$ such that $t_2'\le t_2$, the challenger returns $c_{v} = (\widetilde{\mathbb {C}}_{v},c^{(2)}_{v})$ where $\widetilde{\mathbb {C}}_{v} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_v, y_{v}, m)$ where $y_v {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$. Otherwise, on input the $t_2'$th query $(x,m)$ such that $t_2' > t_2$, the challenger answers as usual, i.e., as defined in $\textbf{H}^{0,0,0}_{5+n+i}$.
$\textbf{H}^{0,t_1,q}_{5+n+i}$ for ${t_1 \in [q]},{i \in [n]}$::: Same as $\textbf{H}^{0,t_1-1,q}_{5+n+i}$ except that the challenger changes how it answers to the first $t_1$ queries for oracle $\textsf{Enc}(\textsf{ek}_{v},\cdot ,\cdot )$ where $v = (j_0- i -1 \mod n)+1$. Formally, on input the $t_1'$th query $(x,m)$ such that $t_1'\le t_1$, the challenger computes $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}), (y_v, \textsf{k}_{v+1}))$ where $y_v {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{v} = x$, and $x_{j} = x^\star _{j}$ for $j \in [n] {\setminus } \{v\}$. Finally, the challenger returns $c_{v} = (\widetilde{\mathbb {C}}_{v},c^{(2)}_{v})$ where $c^{(2)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{v},c^{(1)}_{v})$, $\widetilde{\mathbb {C}}_{v} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_{v}, y_{v}, m)$. Otherwise, on input the $t_1'$th query $(x,m)$ such that $t_1' > t_1$, the challenger answers as usual, i.e., as defined in $\textbf{H}^{0,0,q}_{5+n+i}$.

Claim 18

$\textbf{H}^{0}_{0}(\lambda ) \approx _c \textbf{H}^{0,0,0,0}_{5+n-1}(\lambda )$.

Proof

The proof of Claim 18 is identical to that of Lemma 5 where the challenge bit is $b=0$. $\square $

Claim 19

$\textbf{H}^{0,0,t_2-1}_{5+n+i}(\lambda ) \approx _c \textbf{H}^{0,0,t_2}_{5+n+i}(\lambda )$ for $t_2 \in [q]$ and $i \in [n]$.

Proof

Let $v = (j_0 - i -1 \mod n) +1$. Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{0,0,t_2-1}_{5+n+i}(\lambda )$ and $ \textbf{H}^{0,0,t_2}_{5+n+i}(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the security of the lockable obfuscator scheme $\textsf{LOBF}$. $\textsf{A}$ is defined as follows:

1.
Compute $(\textsf{ek}_1,\ldots ,\textsf{ek}_{1},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$ where $\textsf{ek}_j = (\textsf{mpk},\textsf{k}_{j},k_{j+1})$ for $j \in [n]$. Let $\textsf{k}_{n+1} = \textsf{k}_1$.
2.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, return $\textsf{dk}_{P^*}{{\leftarrow {\$}}}\textsf{KGen}_1(\textsf{msk},P^*)$.
- On input the $t_2'$th query $(x,m) \in \mathcal {X}_1 \times \mathcal {M}_3$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$, $\textsf{A}$ proceeds as follows:
  Case $i > 1$ and $j \in {[j_0-1:v+1]^-_n}$::
  
  Compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_j,y_j,m)$, $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j},c^{(1)}_{j})$, and $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),(y_j,\textsf{k}_{j+1}))$ where $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{j} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j\}$.
  
  Case $j = v$ and $t_2' < t_2$::
  
  Compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_v,y_v,m)$, $c^{(2)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{v},c^{(1)}_{v})$, and $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}), 0^{s(\lambda )+k(\lambda )})$ where $y_v {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{v} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{v\}$.
  
  Case $j = v$ and $t_2' = t_2$::
  
  Compute $c^{(2)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{v},c^{(1)}_{v})$, and $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{v} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{v\}$. Send the challenge $(\mathbb {C}_{c^{(2)}_v,\textsf{k}_{v+1}},m)$ to the challenger and receive $\widetilde{\mathbb {C}}^*$. Set $\widetilde{\mathbb {C}}_v = \widetilde{\mathbb {C}}^*$.
  
  Case $j = v$ and $t_2' > t_2$::
  
  Run $\widetilde{\mathbb {C}}_{v} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda }, 1^{|\mathbb {V}_v|},1^{|m|})$, $c^{(2)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{v},c^{(1)}_{v})$, $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{v} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{v\}$.
  
  Case $i \ne n$ and $j \in {[v-1:j_0]^-_n}$::
  
  Compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda },1^{|\mathbb {V}_{j}|},1^{|m|})$, $c^{(2)}_{j}{{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j},c^{(1)}_{j})$, and $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}), 0^{s(\lambda )+k(\lambda )})$ where $x_{j} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j\}$.
  
  Finally, return $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$.
3.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
4.
For every $j \in [n]$, the adversary $\textsf{A}$ computes $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{j} = x^0_{j}$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$. Finally, compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda }, 1^{|\mathbb {V}_j|},1^{|m^0_{j}|})$ and $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j,c^{(1)}_{j})$.
5.
Set $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$ for $j \in [n]$ and send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
6.
Answer to the incoming oracle queries as in Item 2.
7.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{0,0,t_2}_{5+n+i}(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{0,0,t_2-1}_{5+n+i}(\lambda )$. Hence, $\textsf{A}$ has the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 20

$\textbf{H}^{0,t_1-1,q}_{5+n+i}(\lambda ) \approx _c \textbf{H}^{0,t_1,q}_{5+n+i}(\lambda )$ for $t_1 \in [q]$ and $i \in [n-1]$.

Proof

Let $v = (j_0 - i -1 \mod n) +1$. Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{0,t_1,q}_{5+n+i}(\lambda )$ and $ \textbf{H}^{0,t_1-1,q}_{5+n+i}(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the CPA security of $\textsf{SKE}$. $\textsf{A}$ is defined as follows:

1.
Compute $(\textsf{mpk},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}_1(1^{\lambda })$ and $\textsf{ek}_j = (\textsf{mpk},\textsf{ek}_j,\textsf{ek}_{j-1})$ for $j\in [n]{\setminus }\{v\}$. If $v \ne 1$, let $\textsf{k}_{n+1} = \textsf{k}_1$.
2.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, return $\textsf{dk}_{P^*}{{\leftarrow {\$}}}\textsf{KGen}_1(\textsf{msk},P^*)$.
- On input the $t_1'$th query $(x,m) \in \mathcal {X}_1 \times \mathcal {M}_3$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$, $\textsf{A}$ proceeds as follows:
  Case $i >1$ and $j \in {[j_0-1:v+1]^-_n}$::
  
  Run $\widetilde{\mathbb {C}}_{j}{{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_v,y_j,m)$, $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j},c^{(1)}_{j})$, and $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}), (y_j, \textsf{k}_{j+1}))$ where $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{j} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j\}$.
  
  Case $j = v$ and $t_1' < t_1$::
  
  Run $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}), (y_v, \textsf{k}_{v+1}))$ where $y_v {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{v} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{v\}$. Send the query $c^{(1)}_{v}$ to the oracle $\textsf{Enc}_2$ and receive the answer $c^{(2)}_v$. Compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_v,y_v,m)$.
  
  Case $j = v$ and $t_1' = t_1$::
  
  Run $c^{(1,0)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),0^{s(\lambda )+k(\lambda )})$ and $c^{(1,1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),(y_{v},\textsf{k}_{v+1}))$ where $y_{v} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_{v} = x$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{v\}$. Send the challenge $(m^0 = c^{(1,0)}_{v}, m^1 = c^{(1,1)}_{v})$ to the challenger and receive the answer $c^*$. Set $c^{(2)}_{v}$ and compute $\widetilde{\mathbb {C}}_{v} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {V}_v, y_{v}, m)$.
  
  Case $j = v$ and $t_1' > t_1$::
  
  Run $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}), 0^{s(\lambda ) + k(\lambda )})$ where $x_{v} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{v\}$. Send the query $c^{(1)}_{v}$ to the oracle $\textsf{Enc}_2$ and receive the answer $c^{(2)}_v$. Compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda },\mathbb {V}_v,y_v,m)$ where $y_v {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$.
  
  Case $j \in {[v-1:j_0]^-_n}$::
  
  Run $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda },1^{|\mathbb {V}_v|},1^{|m|})$, $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_{j},c^{(1)}_{j})$, and $c^{(1)}_{j}{{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}), 0^{s(\lambda )+k(\lambda )})$ where $x_{j} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j\}$.
  
  Finally, return $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$.
3.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
4.
For every $j \in [n]$, the adversary $\textsf{A}$ proceeds as follows:
Case $j = v$::

Compute $c^{(1)}_{v} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{v} = x^0_{v}$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{v\}$. Send the query $c^{(1)}_v$ to the oracle $\textsf{Enc}_2$ and receive the answer $c^{(2)}_v$. Finally, compute $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda }, 1^{|\mathbb {V}_j|},1^{|m^0_{j}|})$.

Case $j \ne v$::

Compute $c^{(1)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),0^{s(\lambda )+k(\lambda )})$ where $x_{j} = x^0_{j}$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] \setminus \{j\}$. Finally, run $\widetilde{\mathbb {C}}_{j} {{\leftarrow {\$}}}\textsf{S}(1^{\lambda }, 1^{|\mathbb {V}_j|},1^{|m^0_{j}|})$ and $c^{(2)}_{j} {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j,c^{(1)}_{j})$.
5.
Set $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$ for $j \in [n]$ and send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
6.
Answer to the incoming oracle queries as in Item 2.
7.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{0,t_1-1,q}_{5+n+i}(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{0,t_1,q}_{5+n+i}(\lambda )$. Hence, $\textsf{A}$ has the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 21

$\textbf{H}^{0,t_1-1,q}_{5+2n}(\lambda ) \approx _c \textbf{H}^{0,t_1,q}_{5+2n}(\lambda )$ for $t_1 \in [q]$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{0,t_1,q}_{5+2n}(\lambda )$ and $ \textbf{H}^{0,t_1-1,q}_{5+2n}(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the CPA-1-sided security without collusions of $\textsf{PE}$. $\textsf{A}$ is defined as follows:

1.
Receive $\textsf{mpk}$ from the challenger.
2.
Compute $\textsf{k}_j {{\leftarrow {\$}}}\textsf{KGen}_2(1^{\lambda })$ for $j\in [n]$. Let $\textsf{k}_{n+1} = \textsf{k}_1$.
3.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, forward the query $P^*$ to $\textsf{KGen}_1$ and return the answer $\textsf{dk}_{P^*}$.
- On input $t_1'$th query $(x,m) \in \mathcal {X}_1 \times \mathcal {M}_3$ for $\textsf{Enc}(\textsf{ek}_{j},\cdot ,\cdot )$ where $j \in [n]$, $\textsf{A}$ proceeds as follows:
  Case $j \ne j_0$::
  
  Sample $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$ and compute $c^{(1)}_j {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),(y_j,\textsf{k}_{j+1}))$ where $x_{j} = x$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j\}$.
  
  Case $j = j_0$ and $t_1' < t_1$::
  
  Compute $c^{(1)}_{j_0} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots , x_{n}),(y_{j_0} , \textsf{k}_{j_0+1}))$ where $x_{j_0} = x$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j_0\}$.
  
  Case $j = j_0$ and $t_1' = t_1$::
  
  Sample $y_{j_0} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$ and send the challenge $(m^0_* = 0^{s(\lambda ) + k(\lambda )}, m^1_* = (y_{j_0},\textsf{k}_{j_0+1}), x^0_*=({x}^0_{*1},\ldots ,{x}^0_{*n}),x^1_*=({x}^1_{*1},\ldots ,{x}^1_{*n}))$ to the challenger where ${x}^0_{*j_0} = {x}^1_{*j_0} = x$ and ${x}^0_{*j'} = {x}^1_{*j'}=x^\star _{j'}$ for $j' \in [n]{\setminus }\{j_0\}$. Receive the challenge ciphertext $c^*$ and $c^{(1)}_{j_0} = c^*$.
  
  Case $j = j_0$ and $t_1' > t_1$::
  
  Sample $y_{j_0} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$ and compute $c^{(1)}_{j_0} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots , x_{n}),0^{s(\lambda ) + k(\lambda )})$ where $x_{j_0} = x$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j_0\}$.
  
  Finally, return $c_{j} = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$ where $c^{(2)}_j {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j, c^{(1)}_j)$ and $\widetilde{\mathbb {C}}_j {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {V}_j, y_j,m)$.
4.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n})$ from $\textsf{D}$.
5.
For every $j \in [n]$, the adversary $\textsf{A}$ computes $c^{(1)}_j {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s(\lambda ) + k(\lambda )})$ where $x_{j} = x^0_{j}$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j\}$.
6.
For every $j \in [n]$, the adversary $\textsf{A}$ computes $c^{(2)}_j {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{ek}_j,c^{(1)}_{j})$ and $\widetilde{\mathbb {C}}_j {{\leftarrow {\$}}}\textsf{S}(1^{\lambda }, 1^{|\mathbb {V}_j|}, 1^{|m^0_j|})$.
7.
Set $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$ for $j \in [n]$ and send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
8.
Answer to the incoming oracle queries as in Item 3.
9.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{0,t_1-1,q}_{5+2n}(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{0,t_1,q}_{5+2n}(\lambda )$. Moreover, since $\textsf{D}$ submits a single query $\mathcal {P}^*$ to oracle $\textsf{KGen}(\textsf{msk},\cdot )$ and it satisfies $\textbf{Validity}_{3,j_0}$, we know that $\forall x'_{j_0} \in \mathcal {Q}_{j_0}, P^*_{j_0}(x'_{j_0}) = 0$. Because of this, $\textsf{A}$ submits a single query to oracle $\textsf{KGen}_1(\textsf{msk},\cdot )$ and it is also a valid adversary for the experiment $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}}1\mathsf {\text {-}PE}}_{\textsf{PE},\textsf{A}}(\lambda )$ with the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 22

$\textbf{H}^{1,0}_{0}(\lambda ) \approx _c \textbf{H}^{1,q}_{1}(\lambda )$.

Proof

The proof of Claim 22 is identical to that of Lemma 4 where the challenge bit is $b=1$. $\square $

Claim 23

$\textbf{H}^{0,q,q}_{5+2n}(\lambda ) \equiv \textbf{H}^{1,q}_{1}(\lambda )$.

Proof

Claim 23 follows by observing that experiments $\textbf{H}^{0,q,q}_{5+2n}(\lambda )$ and $\textbf{H}^{1,q}_{1}(\lambda )$ are identical (and does not depend on the bit b). $\square $

By combining Claims 18–23 and the fact that $\textbf{Validity}_{3,j_0,}$ is satisfied, we conclude that

$$\begin{aligned}&\textbf{H}^0_0 \approx _c \textbf{H}^{0,0,0,0}_{5+n-1} \equiv \textbf{H}^{0,q,q}_{5+n} \equiv \textbf{H}^{0,0,0}_{5+n+1} \approx _c \ldots \approx _c \textbf{H}^{0,0,q}_{5+n+1} \approx _c \ldots \approx _c \\&\quad \textbf{H}^{0,q,q}_{5+n+1} \equiv \textbf{H}^{0,0,0}_{5+n+2} \approx _c \ldots \approx _c \textbf{H}^{0,0,q}_{5+2n} \approx _c \ldots \approx _c \textbf{H}^{0,q,q}_{5+2n} \equiv \textbf{H}^{1,q}_1 \approx _c \textbf{H}^{1,0}_0 \end{aligned}$$

This concludes the proof. $\square $

Lemma 7

Let $j_1 \in [n]$. If $\textsf{PE}$ is CPA-1-sided secure without collusions (Definition 9), $\textsf{SKE}$ is CPA secure (Definition 4), and $\textsf{LOBF}$ is secure (Definition 2), then

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{0\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda ) = 1 \wedge |\mathcal {Q}_{\textsf{KGen}}| = 1 \Big \vert \textbf{Validity}_{4,j_1}\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ). \end{aligned}$$

Proof

Lemma 7 follows by using a symmetrical argument to that of Lemma 6. $\square $

By combining Lemmas 4–7, we conclude that $\Pi $ is CPA-1-sided secure without collusions.

CPA-2-sided security of $\Pi $ for $n=O(\log (\lambda ))$ (Theorem 6). As usual, consider the predicate space $\mathcal {P}= \{P(x_1,\ldots ,x_{{n}})\}$ of Construction 3 where $P(x_1,\ldots ,x_{{n}}) = P_1(x_1) \wedge \ldots \wedge P_{n}(x_{n})$. Let $P^* \in \mathcal {P}$ be the only predicate for which the adversary will ask for the decryption key $\textsf{dk}_{P^*}$ during the experiment $\textbf{G}^{0\text {-}\textsf{CPA}\text {-}2\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}$ (recall that we prove the security of Construction 3 in the scenario without collusions, i.e., $|\mathcal {Q}_{\textsf{KGen}}| = 1$). Also, consider the validity condition of $\textbf{G}^{0\text {-}\textsf{CPA}\text {-}2\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}$ and consider the following observations:

1.
Suppose that $\forall j \in [n], \forall i_1\in [k_1+1],\ldots ,\forall i_n\in [k_n+1]$, we have
$$\begin{aligned}&P^*(x^{(i_1,0)}_1,\ldots ,x^{(i_{j-1},0)}_{j-1},x^{0}_j,x^{(i_{j+1},0)}_{j+1},\ldots ,x^{(i_n,0)}_{n}) \\&\quad =P^*(x^{(i_1,1)}_1,\ldots ,x^{(i_{j-1},1)}_{j-1},x^{1}_j,x^{(i_{j+1},1)}_{j+1},\ldots ,x^{(i_n,1)}_{n}) = 0, \end{aligned}$$
where $\mathcal {Q}^b_i = \{x^{(1,b)}_i,\ldots ,x^{(k_i,b)}_i, x^{(k_i+1,b)}_i = x^b_i\}$ for $i \in [n]$, $b\in {{\leftarrow {\$}}}$ as defined in Definition 13. This means that the adversary cannot decrypt any part of the challenge ciphertext.
2.
Otherwise, if $\exists j \in [n], \exists i_1\in [k_1+1],\ldots ,\exists i_n\in [k_n+1]$ such that
$$\begin{aligned}&P^*(x^{(i_1,0)}_1,\ldots ,x^{(i_{j-1},0)}_{j-1},x^{0}_j,x^{(i_{j+1},0)}_{j+1},\ldots ,x^{(i_n,0)}_{n}) \nonumber \\&\quad =P^*(x^{(i_1,1)}_1,\ldots ,x^{(i_{j-1},1)}_{j-1},x^{1}_j,x^{(i_{j+1},1)}_{j+1},\ldots ,x^{(i_n,1)}_{n}) = 1 , \end{aligned}$$
(7)
we are guaranteed that the adversary can retrieve the message $m^b_j$ contained into the jth challenge ciphertext $c_j$. By taking into account the definition of $P^*(x_1,\ldots ,x_{n}) = P^*_1(x_1) \wedge \ldots \wedge P^*_n(x_n)$, Eq. (7) implies that, for any $j' \in [n]\setminus [j]$, the adversary can satisfy the ith predicate $P^*_i$ for $i \in [n]{\setminus } [j']$ (e.g., by taking the ciphertexts corresponding to the indexes $i_1,\ldots ,i_{j-1},i_{j+1},\ldots , i_n$ and the jth challenge ciphertext $c_j$). Hence, the secrecy of the challenge message $m^{b}_{j'}$ solely depends on the evaluation of $P^*_{j'}$ over the challenge input $x^b_{j'}$.

By taking into account the following observations, we can rewrite the validity condition of $\textbf{G}^{0\text {-}\textsf{CPA}\text {-}2\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}$ (Definition 13) in the following way:

$$\begin{aligned} \text {Either } \mathbf {Validity_1} \text { or } \mathbf {Validity_2} \end{aligned}$$

where $\textbf{Validity}_1$ and $\textbf{Validity}_2$ formalize the observations of Items 1 and 2 respectively, i.e.,

$$\begin{aligned} \textbf{Validity}_{1}&:\ \forall j \in [n], \forall i_1\in [k_1+1],\ldots ,\forall i_n\in [k_n+1], \\&\quad P^*(x^{(i_1,0)}_1,\ldots ,x^{(i_{j-1},0)}_{j-1},x^{0}_j,x^{(i_{j+1},0)}_{j+1},\ldots ,x^{(i_n,0)}_{n}) = \\&\quad P^*(x^{(i_1,1)}_1,\ldots ,x^{(i_{j-1},1)}_{j-1},x^{1}_j,x^{(i_{j+1},1)}_{j+1},\ldots ,x^{(i_n,1)}_{n}) = 0 \\ \textbf{Validity}_{2}&: \ \forall j \in [n], \text {Either } P^*_j(x^0_j) = P^*_j(x^1_j) = 0 \text { or } P^*_j(x^0_j) = P^*_j(x^1_j) \wedge m^0_j = m^1_j \end{aligned}$$

where $\mathcal {Q}^b_i = \{x^{(1,b)}_i,\ldots ,x^{(k_i,b)}_i, x^{(k_i+1,b)}_i = x^b_i\}$ for $i \in [n]$, $b\in {{\leftarrow {\$}}}$ as defined in Definition 13. Hence, the CPA-2-sided security of Construction 3 follows by proving the following lemmas.

Lemma 8

If $\textsf{PE}$ is CPA-1-sided secure without collusions (Definition 9), $\textsf{SKE}$ is CPA secure (Definition 4), and $\textsf{LOBF}$ is secure (Definition 2), then

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{0\text {-}\textsf{CPA}\text {-}2\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda ) = 1 \wedge |\mathcal {Q}_{\textsf{KGen}}|=1 \Big \vert \textbf{Validity}_{1}\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ). \end{aligned}$$

Proof

Note that $\textbf{Validity}_{1}$ is equivalent to the validity condition of CPA-1-sided security. Hence, the lemma follows by leveraging an identical argument to that of the CPA-1-sided case (Sect. 5.2.1). $\square $

Lemma 9

If $\textsf{PE}$ is CPA-2-sided secure without collusions (Definition 9) and $\textsf{LOBF}$ is secure (Definition 2), then

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{0\text {-}\textsf{CPA}\text {-}2\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda ) = 1 \wedge |\mathcal {Q}_{\textsf{KGen}}|=1 \Big \vert \textbf{Validity}_{2}\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ). \end{aligned}$$

Proof

In this lemma, we restrict the adversary to submit the (single) query to $\textsf{KGen}$ only before the challenge phase, i.e., the oracle $\textsf{KGen}$ is not available after the challenge phase. Under this restriction, we prove Lemma 9 for any $n=\textsf {poly}(\lambda )$. Then, we use complexity leveraging to show that the lemma holds when $n = O(\log (\lambda ))$ and the oracle $\textsf{KGen}$ is available after the challenge phase. Without loss of generality, we assume the adversary always submit a query to $\textsf{KGen}$. Finally, for the sake of clarity, in the rest of this proof we use the notation $\mathbb {V}_i{\mathop {=}\limits ^{\text {{def}}}}\mathbb {C}_{c^{(2)}_{i},\textsf{k}_{i+1}}$ where $c^{(2)}_{i}$ and $\textsf{k}_{i+1}$ will be clear from the context.

Consider the following hybrid experiments:

$\textbf{H}^{b,0}_0(\lambda )$::: This is exactly the experiment $\textbf{G}^{0\text {-}\textsf{CPA}\text {-}2\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda )$ conditioned to the event $\textbf{Validity}_{2}$ where the challenge bit is b, i.e., the adversary is valid and satisfied $\textbf{Validity}_{2}$. Recall that the oracle $\textsf{KGen}$ is not available after the challenge phase.
$\textbf{H}^{b,i}_0(\lambda )$ for ${i \in [n]}$::: Same as $\textbf{H}^{b,i-1}_0$, except that the challenger changes how it computes the challenger ciphertext $c_i$. Let $P^* \in \mathcal {Q}_\textsf{KGen}$ and $((x^0_1, \ldots ,x^0_n),(x^1_1,\ldots ,x^1_n))$ be the predicate submitted to the oracle $\textsf{KGen}$ before the challenge phase and the challenge inputs chosen by the adversary. If $P^*_i(x^0_i) = P^*_i(x^1_i) = 0$, the value $c^{(1)}_i$ challenge ciphertext $c_i = (\widetilde{\mathbb {C}}_i, c^{(2)}_i)$ is computed as $c^{(1)}_i {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}), 0^{s(\lambda ) + k(\lambda )})$ where $0^{s(\lambda ) + k(\lambda )} \in \mathcal {M}_1$ (for some function k) $x_i = x^{0}_i$, and $x_j = x^\star _j$ for $j \in [n] {\setminus } \{i\}$. Otherwise, if $P^*_i(x^0_i) = P^*_i(x^1_i) = 1$, the value $c^{(1)}_i$ challenge ciphertext $c_i = (\widetilde{\mathbb {C}}_i, c^{(2)}_i)$ is computed as $c^{(1)}_i {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}), (y_i,\textsf{k}_{i+1}))$ where $y_i {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $x_i = x^{0}_i$, and $x_j = x^\star _j$ for $j \in [n] {\setminus } \{i\}$. Observe that $c^{(1)}_i$ is computed by fixing $x_i = x^{0}_i$ (instead of $x_i = x^b_i$), i.e., the input $(x_1,\ldots ,x_{n})$ used to compute the ith challenge ciphertext is fixed and does not depend on the challenge bit b.
$\textbf{H}^{b,0}_1(\lambda )$::: Identical to $\textbf{H}^{b,n}_1(\lambda )$.
$\textbf{H}^{b,i}_1(\lambda )$ for ${i \in [n]}$::: Same as $\textbf{H}^{b,i-1}_1$, except that the challenger changes how it computes the challenger ciphertext $c_i$. Let $P^* \in \mathcal {Q}_\textsf{KGen}$ and $((x^0_1, \ldots ,x^0_n),(x^1_1,\ldots ,x^1_n))$ be the predicate submitted to the oracle $\textsf{KGen}$ before the challenge phase and the challenge inputs chosen by the adversary. If $P^*_i(x^0_i) = P^*_i(x^1_i) = 0$, the value $\widetilde{\mathbb {C}}_i$ of challenge ciphertext $c_i = (\widetilde{\mathbb {C}}_i, c^{(2)}_i)$ is simulated by the challenger using the simulator of the lockable obfuscation scheme $\textsf{LOBF}$, i.e., $\widetilde{\mathbb {C}}_i {{\leftarrow {\$}}}\textsf{S}(1^{\lambda },1^{|\mathbb {V}_i|},1^{|m^b_i|})$. Otherwise, if $P^*_i(x^0_i) = P^*_i(x^1_i) = 1$, the value $\widetilde{\mathbb {C}}_i$ is computed as in $\textbf{H}^{b,0}_1(\lambda )$.

Claim 24

$\textbf{H}^{b,i-1}_0(\lambda ) \approx _c \textbf{H}^{b,i}_0(\lambda )$ for $i\in [n]$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,1-i}_0(\lambda )$ and $ \textbf{H}^{b,i}_0(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the CPA-2-sided security without collusions of $\textsf{PE}$. $\textsf{A}$ is defined as follows:

1.
Receive $\textsf{mpk}$ from the challenger.
2.
Compute $\textsf{k}_j {{\leftarrow {\$}}}\textsf{KGen}_2(1^{\lambda })$ for $j\in [n]$. Let $\textsf{ek}_i = (\textsf{mpk},\textsf{k}_i,\textsf{k}_{i+1})$ for $i \in [n]$ where $\textsf{k}_{n+1} = \textsf{k}_1$.
3.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, forward the query $P^*$ to $\textsf{KGen}_1$ and return the answer $\textsf{dk}_P$.
- On input $(x,m) \in \mathcal {X}_1 \times \mathcal {M}_3$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$, return $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j) {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j,x,m)$.
4.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
5.
Let $P^*(x_1,\ldots ,x_n) = P^*_1(x_1) \wedge \cdots \wedge P^*_n(x_n)$ be the predicate submitted by $\textsf{A}$ to the oracle $\textsf{KGen}$. For any $j \in [n]$, $\textsf{A}$ proceeds as follows:
Case $j < i$ and $P^*(x^0_j) = P^*(x^1_j)=0$::

Compute $c^{(1)}_{j}{{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1, \ldots ,x_{n}),0^{s(\lambda ) + k(\lambda )})$ where $x_j = x^{0}_j$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$.

Case $j < i$ and $P^*(x^0_j) = P^*(x^1_j)=1$::

Sample $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$ and execute $c^{(1)}_{j}{{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1, \ldots ,x_{n}),(y_j,\textsf{k}_{j+1}))$ where $x_j = x^{0}_j$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$.

Case $j = i$ and $P^*(x^0_j) = P^*(x^1_j)=0$::

Send the challenge $(m^0_*= (y_i, \textsf{k}_{i+1}), m^1_*=0^{s(\lambda )+k(\lambda )},x^0_*=({x}^0_{*1},\ldots ,{x}^0_{*n}),x^1_*=({x}^1_{*1},\ldots ,{x}^1_{*n}))$ where $y_{i} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, $0^{s(\lambda )+k(\lambda )} \in \mathcal {M}_1$, ${x}^0_{*i} = x^b_i$, ${x}^1_{*i} = {x}^{0}_i$, and ${x}^0_{*j} = {x}^1_{*j} = x^\star _j$ for $j \in [n] {\setminus } \{i\}$. Receive the challenge ciphertext $c^*$ from the challenger. Set $c^{(1)}_i = c^*$.

Case $j = i$ and $P^*(x^0_j) = P^*(x^1_j)=1$::

Send the challenge $(m^0_*= (y_i, \textsf{k}_{i+1}), m^1_*=(y_i, \textsf{k}_{i+1}),x^0_*=({x}^0_{*1},\ldots ,{x}^0_{*n}),x^1_*=({x}^1_{*1},\ldots ,{x}^1_{*n}))$ where $y_{i} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$, ${x}^0_{*i} = x^b_i$, ${x}^1_{*i} = {x}^{0}_i$, and ${x}^0_{*j} = {x}^1_{*j} = x^\star _j$ for $j \in [n] {\setminus } \{i\}$. Receive the challenge ciphertext $c^*$ from the challenger. Set $c^{(1)}_i = c^*$.

Case $j > i$::

Sample $y_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$ and compute $c^{(1)}_{j}{{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1, \ldots ,x_{n}), (y_j, \textsf{k}_{j+1}))$ where $x_j = x^b_j$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$.
6.
Compute $c_j = (\widetilde{\mathbb {C}}_j, c^{(2)}_j)$ where $c^{(2)}_j {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{ek}_j, c^{(1)}_j)$ and $\widetilde{\mathbb {C}}_j {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {V}_j, y_j, m^{b}_j)$ for any $j \in [n]$.
7.
Send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
8.
Answer to the incoming oracle queries for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$ as in Item 3.
9.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,i-1}_0(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,i}_0(\lambda )$. Moreover, since $\textsf{D}$ satisfies $\textbf{Validity}_{2}$ and it asks for a single decryption key $\textsf{dk}_{P^*}$ for $P^*$, we have that either $P^*_i(x^0_i) = P^*_i(x^1_i) =0$ or $P^*_i(x^0_i) = P^*_i(x^1_i) \wedge m^0_i = m^1_i$. This implies that $\textsf{A}$ is a valid adversary for the experiment $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}}2\mathsf {\text {-}PE}}_{\textsf{PE},\textsf{A}}(\lambda )$ with the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 25

$\textbf{H}^{b,i-1}_1(\lambda ) \approx _c \textbf{H}^{b,i}_1(\lambda )$ for $i \in [n]$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,1-i}_1(\lambda )$ and $ \textbf{H}^{b,i}_1(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the security of the lockable obfuscation scheme $\textsf{LOBF}$. $\textsf{A}$ is defined as follows:

1.
Compute $(\textsf{ek}_1,\ldots ,\textsf{ek}_n,\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$ for $j\in [n]$ where $\textsf{ek}_j = (\textsf{mpk},\textsf{k}_j,\textsf{k}_{j+1})$. Let $\textsf{k}_{n+1} = \textsf{k}_1$.
2.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, return $\textsf{dk}_P{{\leftarrow {\$}}}\textsf{KGen}(\textsf{msk},P)$.
- On input $(x,m) \in \mathcal {X}_1 \times \mathcal {M}_3$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$, return $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j) {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j,x,m)$.
3.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
4.
Let $P^*(x_1,\ldots ,x_n) = P^*_1(x_1) \wedge \ldots \wedge P^*_n(x)$ be the predicate submitted by $\textsf{A}$ to the oracle $\textsf{KGen}$. For any $j \in [n]$, $\textsf{A}$ proceeds as follows:
Case $j < i$ and $P^*(x^0_j) = P^*(x^1_j)=0$::

Compute $c^{(1)}_{j}{{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1, \ldots ,x_{n}),0^{s(\lambda ) + k(\lambda )})$ where $x_j = x^{0}_j$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$. Finally, set $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$ where $c^{(2)}_j {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j,c^{(1)}_j)$ and $\widetilde{\mathbb {C}}_j {{\leftarrow {\$}}}\textsf{S}(1^{\lambda }, 1^{|\mathbb {V}_j|},1^{|m^b_j|})$.

Case $j = i$ and $P^*(x^0_j) = P^*(x^1_j)=0$::

Compute $c^{(1)}_i {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}),0^{s(\lambda ) + k(\lambda )})$ and $c^{(2)}_j {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_i,c^{(1)}_i)$ where $x_i = x^0_i$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{i\}$. Send the challenge $(\mathbb {V}_i, m^b_i)$ to the challenger and receive $\widetilde{\mathbb {C}}_i$. Set $c_i = (\widetilde{\mathbb {C}}_i,c^{(2)}_i)$.

Case $j > i$ and $P^*(x^0_j) = P^*(x^1_j)=0$::

Compute $c^{(1)}_{j}{{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1, \ldots ,x_{n}),0^{s(\lambda ) + k(\lambda )})$ where $x_j = x^{0}_j$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$. Finally, set $c_j = (\widetilde{\mathbb {C}}_j,c^{(2)}_j)$ where $c^{(2)}_j {{\leftarrow {\$}}}\textsf{Enc}_2(\textsf{k}_j,c^{(1)}_j)$ and $\widetilde{\mathbb {C}}_j {{\leftarrow {\$}}}\textsf{Obf}(1^{\lambda }, \mathbb {V}_j,y_j,m^b_j)$ where $y_j{{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s(\lambda )}$.

Case $P^*(x^0_j) = P^*(x^1_j)=1$::

Compute $c_j {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j,x^0_j,m^b_j).$
5.
Send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
6.
Answer to the incoming oracle queries for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$ as in Item 2.
7.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,i-1}_1(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,i}_1(\lambda )$. Hence, $\textsf{A}$ retains the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 26

$\textbf{H}^{b,n}_1(\lambda ) \equiv \textbf{H}^{1-b,n}_1(\lambda )$.

Proof

The claim follows by leveraging the validity condition $\textbf{Validity}_2$. Indeed, for every $i \in [n]$, if $P^*_i(x^0_i)=P^*_i(x^1_i)=0$ we have that the jth ciphertext $c_j$ does not depend on the bit b. On the other hand, if $P^*_i(x^0_i)=P^*_i(x^1_i)=1$, we have that the jth ciphertext $c_j$ depends on either $m^0_j$ or $m^1_j$. However, since the adversary satisfies the validity condition $\textbf{Validity}_2$ we have that $m^0_j = m^1_j$. Hence, $\textbf{H}^{b,n}_1(\lambda )$ and $\textbf{H}^{1-b,n}_1(\lambda )$ are identically distributed. This concludes the proof. $\square $

By combining Claims 24–25 and conditioned to the event $\textbf{Validity}_{2}$, we conclude that $\textbf{H}^{0,0}_0 \approx _c \ldots \approx _c \textbf{H}^{0,n}_0 \equiv \textbf{H}^{0,0}_1 \approx _c \ldots \approx _c \textbf{H}^{0,n}_1 \equiv \textbf{H}^{1,n}_1$. Note that this holds if $n = \textsf {poly}(\lambda )$ and the adversary is restricted to submitting the (single) key generation query before the challenge phase, i.e., $\textsf{KGen}$ oracle not available after challenge phase. By using complexity leveraging, we conclude that the same result holds also when the $\textsf{KGen}$ oracle is available after the challenge phase when $n = O(\log (\lambda ))$. This concludes the proof. $\square $

By leveraging Lemmas 8 and 9, we conclude that $\Pi $ of Construction 2 is CPA-2-sided secure for $n = O(\log (\lambda ))$.

5.3 Corruption Setting: Multi-input PE from PE, Lockable Obfuscation and PKE

We now move on to our construction of n-input PE that is CPA-1-sided secure in the $(n-1)$-corruptions setting without collusions. This construction handles constant arity (i.e., $n \in O(1)$) since the decryption running time is $O(n^n)$. It is based on CPA secure single-input PE, lockable obfuscation, and PKE and it leverages the nested execution technique described in Sect. 1.2. Also, the same construction achieves CPA-2-sided security if the initial single-input PE is CPA-2-sided secure.

Construction 4

(n-input PE in the corruption setting)/ Consider the following primitives:

1.
A PE scheme $\textsf{PE}= (\textsf{Setup}_1, \textsf{KGen}_1, \textsf{Enc}_1, \textsf{Dec}_1)$ with message space $\mathcal {M}_1 = {{\leftarrow {\$}}}^{m_3(\lambda ) + m_4(\lambda )}$, input space $\mathcal {X}_1 = \mathcal {X}_{1,1} \times \ldots \times \mathcal {X}_{1,n}$, and predicate space $\mathcal {P}_1 =\{P(x_1,\ldots ,x_{n})\} = \{P_1(x_1) \wedge \ldots \wedge P_{n}(x_{n})\}$. Without loss of generality, we assume that $\textsf{PE}$ has ciphertext space $\mathcal {Y}_1$ and there exists a (single) wildcard input $(x^\star _1,\ldots ,x^\star _{n}) \in \mathcal {X}_1$ such that $\forall (P_1(x_1)\wedge \ldots \wedge P_{n}(x_{n})) \in \mathcal {P}_1,\forall i \in [n], P_i(x^\star _i)=1$.
2.
For $i \in [n]$, a PKE scheme $\textsf{PKE}_{2,i} = (\textsf{KGen}_{2,i},\textsf{Enc}_{2,i},\textsf{Dec}_{2,i})$ with message space $\mathcal {M}_{2,i}$. Without loss of generality, we assume that $\textsf{PKE}_i$ has ciphertext space $\mathcal {Y}_{2,i}$ and secret-key space $\mathcal {K}_{2,i}$. Moreover, we assume that $\mathcal {M}_{2,1} = \mathcal {Y}_{1}$, and $\mathcal {M}_{2,i} = \mathcal {Y}_{2,i-1}$ for every $i \in [n]{\setminus }\{1\}$.
3.
A lockable obfuscation scheme $\textsf{LOBF}_3 = (\textsf{Obf}_3, \textsf{Eval}_3)$ with message space $\mathcal {M}_3 = (\mathcal {K}_{2,1}\cup \ldots \cup \mathcal {K}_{2,n}) \times {{\leftarrow {\$}}}^{\lfloor \log _2(n)\rfloor +1}$ for the family of circuits $\mathcal {C}^{\textsf{in}}_{n_3,s_3,d_3}(\lambda )= \{\mathbb {C}^{\textsf{in}}_{c,\textsf{sk},i}\}$ defined in Fig. 8, where $n_3(\lambda )$, $s_3(\lambda )$, $d_3(\lambda )$ depends on the schemes $\textsf{PE},\textsf{PKE}_{2,1},\ldots ,\textsf{PKE}_{2,n}$ used, and the circuits $\mathcal {C}^{\textsf{in}}_{n_3,s_3,d_3}(\lambda )$.
4.
A lockable obfuscation scheme $\textsf{LOBF}_4 = (\textsf{Obf}_4, \textsf{Eval}_4)$ with message space $\mathcal {M}_4$ for the family of circuits $\mathcal {C}^{\textsf{out}}_{n_4,s_4,d_4}(\lambda ) = \{\mathbb {C}^{\textsf{out}}_{c,\textsf{sk},i}\}$ defined in Fig. 8, where $n_4(\lambda )$, $s_4(\lambda )$, $d_4(\lambda )$ depends on the schemes $\textsf{PE},\textsf{PKE}_{2,1},\ldots ,\textsf{PKE}_{2,n},\textsf{LOBF}_3$ used, and the circuits $\mathcal {C}^{\textsf{out}}_{n_4,s_4,d_4}(\lambda )$.

We build a n-input PE scheme with message space $\mathcal {M}= \overbrace{\mathcal {M}_{4} \times \cdots \times \mathcal {M}_{4}}^{n}$, input space $\mathcal {X}= \mathcal {X}_1$, and predicate space $\mathcal {P}= \mathcal {P}_1 =\{P(x_1,\ldots ,x_{n})\} = \{P_1(x_1) \wedge \cdots \wedge P_{n}(x_{n})\}$ with wildcard (i.e., there exists a (single) wildcard $(x^\star _1,\ldots ,x^\star _n) \in \mathcal {X}$ such that $\forall (P_1(x_1)\wedge \ldots \wedge P_n(x_n)) \in \mathcal {P}$, $\forall i \in [n]$, $P_i(x^\star _i) =1$), as follows:

$\textsf{Setup}(1^{\lambda })$::

Upon input the security parameter $1^{\lambda }$ the randomized setup algorithm outputs $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n})$ and $\textsf{msk}$ where $(\textsf{mpk},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}_1(1^{\lambda })$, $\textsf{ek}_i = (\textsf{mpk}, \textsf{sk}_i,\textsf{pk}_1,\ldots ,\textsf{pk}_{n})$, and $(\textsf{sk}_i,\textsf{pk}_i) {{\leftarrow {\$}}}\textsf{KGen}_{2,i}(1^{\lambda })$ for $i \in [n]$.

$\textsf{KGen}(\textsf{msk}, P)$::

Upon input the master secret key $\textsf{msk}$ and a predicate $P\in \mathcal {P}$, the randomized key generator algorithm outputs $\textsf{dk}_P{{\leftarrow {\$}}}\textsf{KGen}_1(\textsf{msk},P)$.

$\textsf{Enc}(\textsf{ek}_i, x_i, m_i)$::

Let $i \in [n]$. Upon input an encryption key $\textsf{ek}_i = (\textsf{mpk}, \textsf{sk}_i,\textsf{pk}_1,\ldots ,\textsf{pk}_{n})$, an input $x_i \in \mathcal {X}_{1,i}$, and a message $m_i\in \mathcal {M}_4$, the randomized encryption algorithm samples $(y^{\textsf{in}}_i,y^{\textsf{out}}_i) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda ) + s_4(\lambda )}$ and proceeds as follows:

1.:: Compute $c^{(0)}_i {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),(y^{\textsf{in}}_i,y^{\textsf{out}}_i))$ where $x_j = x^\star _j$ for $j \in [n]{\setminus }\{i\}$.
2.:: For $j \in [n]$, compute $c_i^{(j)} {{\leftarrow {\$}}}\textsf{Enc}_{2,j}(\textsf{pk}_j,c_i^{(j-1)})$.

Finally, it outputs $c_i=(\widetilde{\mathbb {C}}^{\textsf{out}}_i,\widetilde{\mathbb {C}}^{\textsf{in}}_i)$, where $\widetilde{\mathbb {C}}^{\textsf{out}}_i {{\leftarrow {\$}}}\textsf{Obf}_4(1^\lambda ,\mathbb {C}^{\textsf{out}}_{c_{i}^{(n)},\textsf{sk}_{i},i},y^{\textsf{out}}_i,m_i)$ and $\widetilde{\mathbb {C}}^{\textsf{in}}_i {{\leftarrow {\$}}}\textsf{Obf}_3(1^\lambda ,\mathbb {C}^{\textsf{in}}_{c_{i}^{(n)},\textsf{sk}_{i},i},y^{\textsf{in}}_i,(\textsf{sk}_i,i))$.

$\textsf{Dec}(\textsf{dk}_{P}, c_1,\ldots , c_{n})$::

Upon input a decryption key $\textsf{dk}_{P}$ for predicate $P\in \mathcal {P}$, and n ciphertexts $(c_1, \ldots , c_{n})$ such that $c_i = (\widetilde{\mathbb {C}}^{\textsf{out}}_i,\widetilde{\mathbb {C}}^{\textsf{in}}_i)$ for $i \in [n]$. The deterministic decryption algorithm returns $(m_1,\ldots ,m_{n})$ where $m_i = \textsf{Eval}_4(\widetilde{\mathbb {C}}^{\textsf{out}}_{i},(\widetilde{\mathbb {C}}^{\textsf{in}}_{1},\ldots ,\widetilde{\mathbb {C}}^{\textsf{in}}_{i-1}, \widetilde{\mathbb {C}}^{\textsf{in}}_{i+1},\ldots , \widetilde{\mathbb {C}}^{\textsf{in}}_{n}, \textsf{dk}_P))$ for $i \in [n]$.

Correctness follows from the one of the underlying primitives (see also Fig. 8 for the definitions of $\mathbb {C}^{\textsf{in}}_{c,\textsf{sk},i}$ and $\mathbb {C}^{\textsf{out}}_{c,\textsf{sk},i}$). Moreover, decryption is polynomial time when $n \in O(1)$. Below, we establish the following result.

Theorem 7

Let $n = O(1)$, $\textsf{PE}$, $\textsf{PKE}_{2,1},\ldots ,\textsf{PKE}_{2,n}$, $\textsf{LOBF}_3$, and $\textsf{LOBF}_4$ be as above.

1.
If $\textsf{PE}$ is CPA secure without collusions (Definition 8), each $\textsf{PKE}_{2,i}$ (for $i \in [n]$) is CPA secure (Definition 6), and both $\textsf{LOBF}_3$ and $\textsf{LOBF}_4$ are secure (Definition 2), then the n-input PE scheme $\Pi $ from Construction 4 is CPA-1-sided secure in the $(n-1)$-corruptions setting without collusions (Definition 13).
2.
If $\textsf{PE}$ is CPA-2-sided secure without collusions (Definition 9), each $\textsf{PKE}_{2,i}$ (for $i \in [n]$) is CPA secure (Definition 6), and both $\textsf{LOBF}_3$ and $\textsf{LOBF}_4$ are secure (Definition 2), then the n-input PE scheme $\Pi $ from Construction 4 is CPA-2-sided secure in the $(n-1)$-corruptions setting without collusions (Definition 13).

5.3.1 Proof of Theorem 7

CPA-1-sided security of $\Pi $ (Theorem 7) Consider the predicate space $\mathcal {P}= \{P(x_1,\ldots ,x_{{n}})\}$ of Construction 4 where $P(x_1,\ldots ,x_{{n}}) = P_1(x_1) \wedge \cdots \wedge P_{n}(x_{n})$. Let $P^* \in \mathcal {P}$ be the only predicate for which the adversary will ask the decryption key $\textsf{dk}_{P^*}$ during the experiment $\textbf{G}^{(n-1)\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}$ (recall that we prove the security of Construction 4 in the $\ell $-corruptions setting without collusions (i.e., $|\mathcal {Q}_{\textsf{KGen}}| = 1$). Consider the validity condition of $\textbf{G}^{(n-1)\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}$ and let $\mathcal {Q}_i = \{x| \exists (x,m) \in \mathcal {Q}_{\textsf{Enc}(\textsf{ek}_i,\cdot ,\cdot )}\}$ for $i\in [n]{\setminus } \mathcal {Q}_{\textsf{Corr}}$, and $\mathcal {Q}_i = \mathcal {X}_{1,i}$ for $i \in \mathcal {Q}_{\textsf{Corr}}$ (recall that $|\mathcal {Q}_{\textsf{Corr}}| \le n-1$) as defined in Definition 13. We can write such a validity condition with respect to $P^* \in \mathcal {Q}_{\textsf{KGen}} = \{P^*\}$ as follows: $\forall j \in [n]$, $\forall i_1 \in [k_1+1], \ldots , \forall i_n \in [k_n+1]$,

$$\begin{aligned}&P^*(x^{(i_1,0)}_1,\ldots ,x^{(i_{j-1},0)}_{j-1},x^{0}_j,x^{(i_{j+1},0)}_{j+1},\ldots ,x^{(i_n,0)}_{n}) \\&\quad = P^*(x^{(i_1,1)}_1,\ldots ,x^{(i_{j-1},1)}_{j-1},x^{1}_j,x^{(i_{j+1},1)}_{j+1},\ldots ,x^{(i_n,1)}_{n}) \\&\quad =P^*_1(x^{(i_1,0)}_1) \wedge \cdots \wedge P^*_{j-1}(x^{(i_{j-1},0)}_{j-1}) \wedge P^*_{j}(x^{0}_j) \wedge P^*_{j+1}(x^{(i_{j+1},0)}_{j+1}) \wedge \cdots \wedge P^*_{i_n}(x^{(i_n,0)}_{n}) \\&\quad =P^*_1(x^{(i_1,1)}_1) \wedge \cdots \wedge P^*_{j-1}(x^{(i_{j-1},1)}_{j-1}) \wedge P^*_{j}(x^{1}_j) \wedge P^*_{j+1}(x^{(i_{j+1},1)}_{j+1}) \wedge \cdots \wedge P^*_{n}(x^{(i_n,1)}_{n}) = 0, \end{aligned}$$

where $\mathcal {Q}^{b}_i = \{x^{(1,b)}_i, \ldots , x^{(k_i,b)}_i, x^{(k_i+1,b)}_i = x^b_i\}$ is the ordered list composed of the $k_i$ predicate inputs $\mathcal {Q}_i$ and the challenge input $x^b_i$ (as defined in Definition 13). Note that Construction 4 has input space $\mathcal {X}_1 = \mathcal {X}_{1,1} \times \cdots \times \mathcal {X}_{1,n}$ (that is identical to the one of the underlying $\textsf{PE}$). Hence, we can conclude that for each $\mathcal {X}_{1,i}$ for $i \in [n]$ there exists $x^\star _i \in \mathcal {X}_{1,i}$ such that $P^*_i(x^\star _i)=1$. As a consequence, an adversary is valid only if there exists $j_0,j_1\in [n]{\setminus } \mathcal {Q}_{\textsf{Corr}}$ such that $P^*_{j_0}(x^0_{j_0}) = P^*_{j_1}(x^1_{j_1}) = 0$. Otherwise, an adversary is able to decrypt at least one out the two challenges by leveraging the corrupted encryption keys $\{\textsf{ek}_{i}\}_{i\in \mathcal {Q}_{\textsf{Corr}}}$ and computing $|\mathcal {Q}_{\textsf{Corr}}|$ ciphertexts, each under the ith predicate wildcard $x^\star _i \in \mathcal {X}_{1,i}$ for $i\in \mathcal {Q}_{\textsf{Corr}}$.

According to the above observation, the $\textsf{A}$’s validity can be rewritten as follows: $\exists j_0,j_1\in [n]{\setminus } \mathcal {Q}_{\textsf{Corr}}$, $\forall (x'_1,\ldots ,x'_{n}) \in \mathcal {Q}_1 \times \cdots \times \mathcal {Q}_{n}$,

$$\begin{aligned}&\left( \left( P^*_1(x^0_1) = 0 \wedge \cdots \wedge P^*_{n}(x^0_{n}) = 0 \right) \vee \left( P^*_{j_0}(x^0_{j_0}) = 0 \wedge P^*_{j_0}(x'_{j_0}) = 0 \right) \right) \wedge \nonumber \\&\quad \left( \left( P^*_1(x^1_) = 0 \wedge \cdots \wedge P^*_{n}(x^1_{n}) = 0 \right) \vee \left( P^*_{j_1}(x^1_{j_1}) = 0 \wedge P^*_{j_1}(x'_{j_1}) = 0 \right) \right) . \end{aligned}$$

(8)

Note that in the above equation we made explicit the challenge inputs and the inputs of $\mathcal {Q}_i$. For this reason, it is enough to quantify over all $(x'_1,\ldots ,x'_n) \in \mathcal {Q}_1 \times \cdots \times \mathcal {Q}_n$ where $\mathcal {Q}_i$ is equal to the inputs $\{x^{(1)}_i,\ldots , x^{(k_i)}_i\}$ submitted to oracle $\textsf{Enc}(\textsf{ek}_i,\cdot ,\cdot )$, if $i \not \in \mathcal {Q}_\textsf{Corr}$. Otherwise (if $i \in \mathcal {Q}_\textsf{Corr}$), $\mathcal {Q}_i$ is equal to the ith input space $\mathcal {X}_{1,i}$. Hence, in order to be valid, $\textsf{A}$ needs to satisfy the condition defined by Eq. (8). This is equivalent to considering the events below: For some $j_0,j_1\in [n]\setminus \mathcal {Q}_{\textsf{Corr}}$,^{Footnote 25}

$$\begin{aligned}&\textbf{Validity}_{1} : \\&\qquad P^*_1(x^0_1) = 0 \wedge \cdots \wedge P^*_{n}(x^0_{n}) = 0 \wedge P^*_1(x^1_1) = 0 \wedge \cdots \wedge P^*_{n}(x^1_{n}) = 0. \\&\textbf{Validity}_{2,j_0,j_1} : \forall x'_{j_0} \in \mathcal {Q}_{j_0},\forall x'_{j_1} \in \mathcal {Q}_{j_1}, \\&\qquad P^*_{j_0}(x^0_{j_0}) = 0 \wedge P^*_{j_0}(x'_{j_0}) = 0 \wedge P^*_{j_1}(x^1_{j_1}) = 0 \wedge P^*_{j_1}(x'_{j_1}) = 0.\\&\textbf{Validity}_{3,j_0} : \forall x'_{j_0} \in \mathcal {Q}_{j_0}, \\&\qquad P^*_{j_0}(x^0_{j_0}) = 0 \wedge P^*_{j_0}(x'_{j_0}) = 0 \wedge P^*_1(x^1_1) = 0 \wedge \cdots \wedge P^*_{n}(x^1_{n}) = 0.\\&\textbf{Validity}_{4,j_1} : \forall x'_{j_1} \in \mathcal {Q}_{j_1}, \\&\qquad P^*_1(x^0_1) = 0 \wedge \cdots \wedge P^*_{n}(x^0_{n}) = 0 \wedge P^*_{j_1}(x^1_{j_1}) = 0 \wedge P^*_{j_1}(x'_{j_1}) = 0. \end{aligned}$$

For the sake of clarity, in the rest of this proof, we use the notation ${\mathbb {V}}^{\textsf{in}}_i {\mathop {=}\limits ^{\text {{def}}}}\mathbb {C}^{\textsf{in}}_{c^{(n)}_{i},\textsf{sk}_{i},i}$ (resp. ${\mathbb {V}}^{\textsf{out}}_i {\mathop {=}\limits ^{\text {{def}}}}\mathbb {C}^{\textsf{out}}_{c^{(n)}_{i},\textsf{sk}_{i},i}$) where $c^{(n)}_{i}$, $\textsf{sk}_{i}$, and i will be clear from the context. Also, $[a:b]^{+}_n = \{a,a+1,\ldots ,n,1,2,\ldots ,b\}$. If $1 \le a\le b \le n$, we have $[a:b]^{+}_n = \{a,a+1,\ldots ,b\}$.

Lemma 10

If $\textsf{PE}$ is CPA secure without collusions (Definition 8), $\textsf{LOBF}_3$ and $\textsf{LOBF}_4$ are secure (Definition 2), then

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{(n-1)\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda ) = 1 \wedge |\mathcal {Q}_{\textsf{KGen}}| = 1 \Big \vert \textbf{Validity}_{1}\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ). \end{aligned}$$

Proof

Consider the following hybrid experiments:

$\textbf{H}^{b,0}_0(\lambda )$::: This is exactly the experiment $\textbf{G}^{(n-1)\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda )$ conditioned to the validity event $\textbf{Validity}_{1}$ where the challenge bit is b, i.e., the adversary is valid and satisfies $\textbf{Validity}_{1}$.
$\textbf{H}^{b,i}_0(\lambda )$ for ${i \in [n]}$::: Same as $\textbf{H}^{b,i-1}_0$, except that the challenger changes how it computes the challenger ciphertext $c_i$. Formally, it computes value $c^{(0)}_i {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}),0^{s_3(\lambda )+s_4(\lambda )})$ (instead of $c^{(0)}_i {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}), (y^{\textsf{in}}_i, y^{\textsf{out}}_i))$) where $c^{(0)}_i$ is the value used to compute the challenge ciphertext $x_i = x^0_i$, and $x_j = x^\star _j$ for $j \in [n] {\setminus } \{i\}$. Observe that $c_i$ is computed by fixing $x_i = x^{0}_i$ (instead of $x_i = x^b_i$), i.e., the predicate input $(x_1,\ldots ,x_{n})$ used to compute the ith challenge ciphertext is fixed and does not depend on the challenge bit b.
$\textbf{H}^{b,0}_1(\lambda )$::: Identical to $\textbf{H}^{b,n}_0(\lambda )$.
$\textbf{H}^{b,i}_1(\lambda )$ for ${i\in [n]}$::: Same as $\textbf{H}^{b,i-1}_1$, except that the challenger changes how it computes the challenger ciphertext $c_i$. Formally, the value $\widetilde{\mathbb {C}}^{\textsf{in}}_i$ of challenge ciphertext $c_i = (\widetilde{\mathbb {C}}^\textsf{in}_i,\widetilde{\mathbb {C}}^\textsf{out}_i)$ is simulated by the challenger using the simulator $\textsf{S}_3$ of the lockable obfuscation scheme $\textsf{LOBF}_3$, i.e., $\textsf{S}(1^{\lambda },1^{|{\mathbb {V}}^{\textsf{in}}_i|},1^{|(\textsf{sk}_i,i)|})$.
$\textbf{H}^{b,0}_2(\lambda )$::: Identical to $\textbf{H}^{b,n}_1(\lambda )$.
$\textbf{H}^{b,i}_2(\lambda )$ for ${i \in [n]}$::: Same as $\textbf{H}^{b,i-1}_2$, except that the challenger changes how it computes the challenger ciphertext $c_i$. Formally, the value $\widetilde{\mathbb {C}}^{\textsf{out}}_i$ of challenge ciphertext $c_i = (\widetilde{\mathbb {C}}^\textsf{in}_i,\widetilde{\mathbb {C}}^\textsf{out}_i)$ is simulated by the challenger using the simulator $\textsf{S}_4$ of the lockable obfuscation scheme $\textsf{LOBF}_4$, i.e., $\textsf{S}(1^{\lambda },1^{|{\mathbb {V}}^{\textsf{out}}_i|},1^{|m^b_i|})$.

Claim 27

$\textbf{H}^{b,i-1}_0(\lambda ) \approx _c \textbf{H}^{b,i}_0(\lambda )$ for $i\in [n]$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,1-i}_0(\lambda )$ and $ \textbf{H}^{b,i}_0(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the CPA security without collusions of $\textsf{PE}$. $\textsf{A}$ is defined as follows:

1.
Receive $\textsf{mpk}$ from the challenger.
2.
Compute $(\textsf{sk}_j,\textsf{pk}_j) {{\leftarrow {\$}}}\textsf{KGen}_{2,j}(1^{\lambda })$ and set $\textsf{ek}_j = (\textsf{mpk},\textsf{sk}_j,\textsf{pk}_1,\ldots ,\textsf{pk}_{n})$ for $j\in [n]$.
3.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, forward the query $P^*$ to $\textsf{KGen}_1$ and return the answer $\textsf{dk}_{P^*}$.
- On input $j \in [n]$ for $\textsf{Corr}$, return $\textsf{ek}_j$.
- On input $(x,m) \in \mathcal {X}_{1,j} \times \mathcal {M}_4$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$ where $j \in [n]$, return $c_j {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j,x,m)$.
4.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
5.
For any $j \in [n]$, $\textsf{A}$ proceeds as follows:
Case $j < i$::

Sample $(y^\textsf{in}_j,y^\textsf{out}_j) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda ) + s_4(\lambda )}$. Compute $c^{(0)}_{j}{{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1, \ldots ,x_{n}),0^{s_3(\lambda ) + s_4(\lambda )})$ where $x_j = x^0_j$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$.

Case $j = i$::

Send the challenge $(m^0=(y^\textsf{in}_i, y^\textsf{out}_i), m^1=0^{s_3(\lambda )+s_4(\lambda )}, x=({x}_1,\ldots ,{x}_{n}))$ where $(y^\textsf{in}_j,y^\textsf{out}_j) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda ) + s_4(\lambda )}$, ${x}_i = x^b_i$, and ${x}_j = x^\star _j$ for $j \in [n] {\setminus } \{i\}$. Receive the challenge ciphertext $c^*$ from the challenger. Set $c^{(0)}_i = c^*$.

Case $j > i$::

Sample $(y^\textsf{in}_j,y^\textsf{out}_j) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda ) + s_4(\lambda )}$. Compute $c^{(-1)}_{j}{{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1, \ldots ,x_{n}),(y^\textsf{in}_j,y^\textsf{out}_j))$ where $x_j = x^0_j$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$.
6.
For every $j \in [n]$, compute $c_j^{(v)} {{\leftarrow {\$}}}\textsf{Enc}_{2,v}(\textsf{pk}_v,c_j^{(v-1)})$ for $v \in [n]$.
7.
Compute $c_j = (\widetilde{\mathbb {C}}^{\textsf{in}}_j, \widetilde{\mathbb {C}}^{\textsf{out}}_j)$ where $\widetilde{\mathbb {C}}^\textsf{in}_j {{\leftarrow {\$}}}\textsf{Obf}_3(1^{\lambda }, {\mathbb {V}}^{\textsf{in}}_j, y^\textsf{in}_j, (\textsf{sk}_j,j))$ and $\widetilde{\mathbb {C}}^\textsf{out}_j {{\leftarrow {\$}}}\textsf{Obf}_4(1^{\lambda }, {\mathbb {V}}^{\textsf{out}}_j, y^\textsf{out}_j, m^b_j)$ for any $j \in [n]$.
8.
Send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
9.
Answer to the incoming oracle queries as in Item 3.
10.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,i-1}_0(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,i}_1(\lambda )$. Moreover, since $\textsf{D}$ satisfies $\textbf{Validity}_{1}$ and it asks for a single decryption key $\textsf{dk}_{P^*}$ for $P^*$, we have that $P^*_i(x^0_i) =0 \wedge P^*_i(x^1_i) = 0$. Because of this, $\textsf{A}$ submits a single query $P^*$ to oracle $\textsf{KGen}_1$ and it is also a valid adversary for the experiment $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}PE}}_{\textsf{PE},\textsf{A}}(\lambda )$ with the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 28

$\textbf{H}^{b,i-1}_1(\lambda ) \approx _c \textbf{H}^{b,i}_1(\lambda )$ for $i\in [n]$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,1-i}_1(\lambda )$ and $ \textbf{H}^{b,i}_1(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the security of the lockable obfuscation scheme $\textsf{LOBF}_3$. $\textsf{A}$ is defined as follows:

1.
Compute $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$ where $\textsf{ek}_j = (\textsf{mpk},\textsf{sk}_j,\textsf{pk}_1,\ldots ,\textsf{pk}_{n})$ for $j\in [n]$.
2.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, return $\textsf{dk}_{P^*}{{\leftarrow {\$}}}\textsf{KGen}(\textsf{msk},P^*)$.
- On input $j \in [n]$ for $\textsf{Corr}$, return $\textsf{ek}_j$.
- On input $(x,m) \in \mathcal {X}_{1,j} \times \mathcal {M}_4$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$ where $j \in [n]$, return $c_j {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j,x,m)$.
3.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
4.
For every $j \in [n]$, run $c^{(0)}_j {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),0^{s_3(\lambda ) + s_4(\lambda )})$ where $x_j = x^0_j$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$.
5.
For every $j \in [n]$, compute $c_j^{(v)} {{\leftarrow {\$}}}\textsf{Enc}_{2,v}(\textsf{pk}_v,c_j^{(v-1)})$ for $v \in [n]$.
6.
For any $j \in [n]$, $\textsf{A}$ proceeds as follows:
Case $j < i$::

Compute $\widetilde{\mathbb {C}}^\textsf{in}_j {{\leftarrow {\$}}}\textsf{S}_3(1^{\lambda }, 1^{|{\mathbb {V}}^{\textsf{in}}_j|},1^{|(\textsf{sk}_j,j)|})$.

Case $j = i$::

Send the challenge $({\mathbb {V}}^{\textsf{in}}_i, (\textsf{sk}_i,i))$ to the challenger and receive $\widetilde{\mathbb {C}}^\textsf{in}_i$.

Case $j > i$::

Compute $\widetilde{\mathbb {C}}^\textsf{in}_j {{\leftarrow {\$}}}\textsf{Obf}_3(1^{\lambda }, {\mathbb {V}}^{\textsf{in}}_j, y^{\textsf{in}}_j, (\textsf{sk}_j,j))$ where $y^\textsf{in}_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda )}$.
7.
For every $j \in [n]$, compute $\widetilde{\mathbb {C}}^\textsf{out}_j {{\leftarrow {\$}}}\textsf{Obf}_4(1^{\lambda }, {\mathbb {V}}^{\textsf{out}}_j, y^{\textsf{out}}_j, m^b_j)$ where $y^\textsf{out}_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_4(\lambda )}$.
8.
Set $c_j = (\widetilde{\mathbb {C}}^{\textsf{in}}_j,\widetilde{\mathbb {C}}^{\textsf{out}}_j)$ for $j \in [n]$ and send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
9.
Answer to the incoming oracle queries as in Item 2.
10.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,i-1}_1(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,i}_1(\lambda )$. Hence, $\textsf{A}$ has the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 29

$\textbf{H}^{b,i-1}_2(\lambda ) \approx _c \textbf{H}^{b,i}_2(\lambda )$ for $i\in [n]$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,1-i}_2(\lambda )$ and $ \textbf{H}^{b,i}_2(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the security of the lockable obfuscation scheme $\textsf{LOBF}_4$. $\textsf{A}$ is defined as follows:

1.
Compute $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$ where $\textsf{ek}_j = (\textsf{mpk},\textsf{sk}_j,\textsf{pk}_1,\ldots ,\textsf{pk}_{n})$ for $j\in [n]$.
2.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, return $\textsf{dk}_{P^*}{{\leftarrow {\$}}}\textsf{KGen}(\textsf{msk},P^*)$.
- On input $j \in [n]$ for $\textsf{Corr}$, return $\textsf{ek}_j$.
- On input $(x,m) \in \mathcal {X}_{1,j} \times \mathcal {M}_4$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$ where $j \in [n]$, return $c_j {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j,x,m)$.
3.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
4.
For every $j \in [n]$, compute $c^{(0)}_j {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots , x_{n}),0^{s_3(\lambda ) + s_4(\lambda )})$ where $x_j = x^0_j$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$.
5.
For every $j \in [n]$, run $c_j^{(v)} {{\leftarrow {\$}}}\textsf{Enc}_{2,v}(\textsf{pk}_v,c_j^{(v-1)})$ for $v \in [n]$.
6.
For every $j \in [n]$, compute $\widetilde{\mathbb {C}}^\textsf{in}_j {{\leftarrow {\$}}}\textsf{S}_3(1^{\lambda }, 1^{|{\mathbb {V}}^{\textsf{in}}_j|},1^{|(\textsf{sk}_j,j)|})$.
7.
For every $j \in [n]$, $\textsf{A}$ proceeds as follows:
Case $j < i$::

Compute $\widetilde{\mathbb {C}}^\textsf{out}_j {{\leftarrow {\$}}}\textsf{S}_4(1^{\lambda }, 1^{|{\mathbb {V}}^{\textsf{out}}_j|},1^{|m^b_j|})$.

Case $j = i$::

Send the challenge $({\mathbb {V}}^{\textsf{out}}_i, m^b_i)$ to the challenger and receive $\widetilde{\mathbb {C}}^\textsf{out}_i$.

Case $j > i$::

Compute $\widetilde{\mathbb {C}}^\textsf{out}_j {{\leftarrow {\$}}}\textsf{Obf}_4(1^{\lambda }, {\mathbb {V}}^{\textsf{out}}_j, y^{\textsf{out}}_j, m^b_j)$ where $y^\textsf{out}_j {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_4(\lambda )}$.
8.
Set $c_j = (\widetilde{\mathbb {C}}^{\textsf{in}}_j,\widetilde{\mathbb {C}}^{\textsf{out}}_j)$ for $j \in [n]$ and send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
9.
Answer to the incoming oracle queries as in Item 2.
10.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,i-1}_2(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,i}_2(\lambda )$. Hence, $\textsf{A}$ has the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 30

$\textbf{H}^{b,n}_2(\lambda ) \equiv \textbf{H}^{1-b,n}_2(\lambda )$.

Proof

The distribution of these two experiments does not depend on the bit b. $\square $

By combining Claims 27–30 and conditioned to the event $\textbf{Validity}_{1}$, we conclude that

$$\begin{aligned} \textbf{H}^{b,0}_0 \approx _c \ldots \approx _c \textbf{H}^{b,n}_0 \equiv \textbf{H}^{b,0}_1 \ldots \approx _c \textbf{H}^{b,n}_1 \equiv \textbf{H}^{b,0}_2 \approx _c \ldots \approx _c \textbf{H}^{b,n}_2 \equiv \textbf{H}^{1-b,n}_2. \end{aligned}$$

This concludes the proof. $\square $

Lemma 11

Let $j_0,j_1 \in [n]\setminus \mathcal {Q}_\textsf{Corr}$. If $\textsf{PE}$ is CPA secure without collusions (Definition 8), $\textsf{PKE}_{2,j_0}$ and $\textsf{PKE}_{2,j_1}$ are CPA secure (Definition 6), $\textsf{LOBF}_3$ and $\textsf{LOBF}_4$ are secure (Definition 2), then

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{(n-1)\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda ) = 1 \wedge |\mathcal {Q}_{\textsf{KGen}}| = 1 \Big \vert \textbf{Validity}_{2,j_0,j_1}\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ). \end{aligned}$$

Proof

Without loss of generality, let $q = |\mathcal {Q}_{j_{0}}| = |\mathcal {Q}_{j_{1}}| \in \textsf {poly}(\lambda )$ (recall $j_0,j_1 \not \in \mathcal {Q}_{\textsf{Corr}}$). Consider the following hybrid experiments:

$\textbf{H}^b_0(\lambda )$::: This is exactly the experiment $\textbf{G}^{(n-1)\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda )$ conditioned to the validity event $\textbf{Validity}_{2,j_0,j_1}$ where the challenge bit is b, i.e., the adversary is valid and satisfies the validity event $\textbf{Validity}_{2,j_0,j_1}$.
$\textbf{H}^{b}_1(\lambda )$::: Same as $\textbf{H}^{b}_0$, except that the challenger changes how it computes the challenge $j_b$th ciphertext $c_{j_b}$. Specifically, it computes $c^{(0)}_{j_b}{{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}), 0^{s_3(\lambda ) + s_4(\lambda )})$ (instead of $c^{(0)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}), (y^{\textsf{in}}_i, y^{\textsf{out}}_i))$) where the value $c^{(0)}_{j_b}$ is used to compute the challenge ciphertext, $x_i = x^b_i$, and $x_j = x^\star _j$ for $j \in [n] {\setminus } \{j_b\}$.
$\textbf{H}^{b,0}_2$::: Identical to $\textbf{H}^{b}_1(\lambda )$.
$\textbf{H}^{b,i}_2(\lambda )$ for ${i \in [q]}$::: Same as $\textbf{H}^{b,i-1}_2(\lambda )$ except that the challenger changes how it answers to the first i queries for oracle $\textsf{Enc}(\textsf{ek}_{j_b},\cdot ,\cdot )$. Formally, on input the $i'$th query $(x,m)$ such that $i'\le i$, the challenger computes $c^{(0)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s_3(\lambda )+s_4(\lambda )})$ where $x_{j_b} = x$, and $x_{j} = x^\star _{j}$ for $j \in [n] {\setminus } \{j_b\}$. Finally, the challenger returns $c_{j_b} = (\widetilde{\mathbb {C}}^\textsf{in}_{j_b},\widetilde{\mathbb {C}}^\textsf{out}_{j_b})$ where $c^{(v)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_{2,v}(\textsf{pk}_{v},c^{(b-1)}_{j_b})$ for $v \in [n]$, $(y^\textsf{in}_{j_b},y^\textsf{out}_{j_b}) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda )+s_4(\lambda )}$, $\widetilde{\mathbb {C}}^\textsf{in}_{j_b} {{\leftarrow {\$}}}\textsf{Obf}_3(1^{\lambda },{\mathbb {V}}^{\textsf{in}}_{j_b}, y^\textsf{in}_{j_b},(\textsf{sk}_{j_b},j_b))$, and $\widetilde{\mathbb {C}}^\textsf{out}_{j_b} {{\leftarrow {\$}}}\textsf{Obf}_4(1^{\lambda },{\mathbb {V}}^{\textsf{out}}_{j_b}, y^\textsf{out}_{j_b}, m^b_{j_b})$. Otherwise, on input the $i'$th query $(x,m)$ such that $i' > i$, the challenger answers as usual, i.e., as defined in $\textbf{H}^{b,0}_2$.
$\textbf{H}^{b}_3(\lambda )$::: Same as $\textbf{H}^{b,q}_2$, except that the challenger changes how it computes the challenge $j_b$th ciphertext $c_{j_b}$. Formally, the value $\widetilde{\mathbb {C}}^\textsf{in}_{j_b}$ of challenge $j_b$th ciphertext $c_{j_b} = (\widetilde{\mathbb {C}}^\textsf{in}_{j_b}, \widetilde{\mathbb {C}}^\textsf{out}_{j_b})$ is simulated by the challenger using the simulator $\textsf{S}_3$ of the lockable obfuscation scheme $\textsf{LOBF}_3$, i.e., $\widetilde{\mathbb {C}}^{\textsf{in}}_{j_b}$ is computed by executing $\textsf{S}_3(1^{\lambda },1^{|{\mathbb {V}}^{\textsf{in}}_{j_b}|},1^{|(\textsf{sk}_{j_b},j_b)|})$.
$\textbf{H}^{b}_4(\lambda )$::: Same as $\textbf{H}^{b}_3$, except that the challenger changes how it computes the challenge $j_b$th ciphertext $c_{j_b}$. Formally, the value $\widetilde{\mathbb {C}}^\textsf{out}_{j_b}$ of challenge $j_b$th ciphertext $c_{j_b} = (\widetilde{\mathbb {C}}^\textsf{in}_{j_b}, \widetilde{\mathbb {C}}^\textsf{out}_{j_b})$ is simulated by the challenger using the simulator $\textsf{S}_4$ of the lockable obfuscation scheme $\textsf{LOBF}_4$, i.e., $\widetilde{\mathbb {C}}^{\textsf{out}}_{j_b}$ is computed by executing $\textsf{S}_4(1^{\lambda },1^{|{\mathbb {V}}^{\textsf{out}}_{j_b}|},1^{|m^b_{j_b}|})$.
$\textbf{H}^{b,0}_5$::: Identical to $\textbf{H}^{b}_4(\lambda )$.
$\textbf{H}^{b,i}_5(\lambda )$ for ${i \in [q]}$::: Same as $\textbf{H}^{b,i-1}_5(\lambda )$ except that the challenger changes how it answers to the first i queries for oracle $\textsf{Enc}(\textsf{ek}_{j_b},\cdot ,\cdot )$. Formally, on input the $i'$th query $(x,m)$ such that $i'\le i$, the challenger returns $c_{j_b} = (\widetilde{\mathbb {C}}^\textsf{in}_{j_b}, \widetilde{\mathbb {C}}^\textsf{out}_{j_b})$ where $\widetilde{\mathbb {C}}^\textsf{in}_{j_b}$ is computed using the simulator $\textsf{S}_3$ of the lockable obfuscator scheme $\textsf{LOBF}_3$, i.e., $\widetilde{\mathbb {C}}^\textsf{in}_{j_b} {{\leftarrow {\$}}}\textsf{S}_3(1^{\lambda },1^{|{\mathbb {V}}^{\textsf{in}}_{j_b}|}, 1^{|(\textsf{sk}_{j_b},j_b)|})$. Otherwise, on input the $i'$th query $(x,m)$ such that $i' > i$, the challenger answers as usual, i.e., as defined in $\textbf{H}^{b,0}_5$.
$\textbf{H}^{b,0}_6$::: Identical to $\textbf{H}^{b,q}_5(\lambda )$.
$\textbf{H}^{b,i}_6(\lambda )$ for ${i \in [q]}$::: Same as $\textbf{H}^{b,i-1}_6(\lambda )$ except that the challenger changes how it answers to the first i queries for oracle $\textsf{Enc}(\textsf{ek}_{j_b},\cdot ,\cdot )$. Formally, on input the $i'$th query $(x,m)$ such that $i'\le i$, the challenger returns $c_{j_b} = (\widetilde{\mathbb {C}}^\textsf{in}_{j_b}, \widetilde{\mathbb {C}}^\textsf{out}_{j_b})$ where $\widetilde{\mathbb {C}}^\textsf{out}_{j_b}$ is computed using the simulator $\textsf{S}_4$ of the lockable obfuscator scheme $\textsf{LOBF}_4$, i.e., $\widetilde{\mathbb {C}}^\textsf{out}_{j_b} {{\leftarrow {\$}}}\textsf{S}_4(1^{\lambda },1^{|{\mathbb {V}}^{\textsf{out}}_{j_b}|}, 1^{|m|})$. Otherwise, on input the $i'$th query $(x,m)$ such that $i' > i$, the challenger answers as usual, i.e., as defined in $\textbf{H}^{b,0}_6$.
$\textbf{H}^{b,1,1}_6$::: Identical to $\textbf{H}^{b,q}_6(\lambda )$.
$\textbf{H}^{b,0,0}_{7+i}$ for ${i \in \{0\}\cup [n-2]}$::: Same as $\textbf{H}^{b,1,1}_{7+i-1}$ except that the challenger changes how it computes the challenge ciphertext $c_{r}$ where $r = (j_b+i \mod n)+1$. Formally, the value $c^{(j_b)}_{r}$ is computed as $c^{(j_b)}_{r} {{\leftarrow {\$}}}\textsf{Enc}_{2,j_b}(\textsf{pk}_{j_b},w)$ where $w {{\leftarrow {\$}}}\mathcal {M}_{2,j_b}$.
$\textbf{H}^{b,1,0}_{7+i}$ for ${i \in \{0\}\cup [n-2]}$::: Same as $\textbf{H}^{b,1,0}_{7+i}(\lambda )$ except that the challenger changes how it computes the challenge ciphertext $c_{r}$ where $r = (j_b+i \mod n)+1$. Formally, the value $\widetilde{\mathbb {C}}^{\textsf{in}}_{v}$ of challenge ciphertext $c_{r} = (\widetilde{\mathbb {C}}^{\textsf{in}}_{r}, \widetilde{\mathbb {C}}^{\textsf{out}}_{r})$ is simulated by the challenger using the simulator of the lockable obfuscation scheme $\textsf{LOBF}_3$, i.e., $\widetilde{\mathbb {C}}^{\textsf{in}}_{v}$ is computed by executing $\textsf{S}_3(1^{\lambda },1^{|{\mathbb {V}}^{\textsf{in}}_{r}|},1^{|(\textsf{sk}_r,r)|})$.
$\textbf{H}^{b,1,1}_{7+i}$ for ${i \in \{0\}\cup [n-2]}$::: Same as $\textbf{H}^{b,1,0}_{7+i}(\lambda )$ except that the challenger changes how it computes the challenge ciphertext $c_{r}$ where $r = (j_b+i \mod n)+1$. Formally, the value $\widetilde{\mathbb {C}}^{\textsf{out}}_{v}$ of challenge ciphertext $c_{r} = (\widetilde{\mathbb {C}}^{\textsf{in}}_{r}, \widetilde{\mathbb {C}}^{\textsf{out}}_{r})$ is simulated by the challenger using the simulator of the lockable obfuscation scheme $\textsf{LOBF}_4$, i.e., $\widetilde{\mathbb {C}}^{\textsf{out}}_{v}$ is computed by executing $\textsf{S}_4(1^{\lambda },1^{|{\mathbb {V}}^{\textsf{out}}_r|},1^{|m^b_r|})$.

Claim 31

$\textbf{H}^b_0(\lambda ) \approx _c \textbf{H}^{b}_1(\lambda )$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b}_0(\lambda )$ and $ \textbf{H}^{b}_1(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the CPA security without collusions of $\textsf{PE}$. $\textsf{A}$ is defined as follows:

1.
Receive $\textsf{mpk}$ from the challenger.
2.
Compute $(\textsf{sk}_j,\textsf{pk}_j) {{\leftarrow {\$}}}\textsf{KGen}_{2,j}(1^{\lambda })$ and set $\textsf{ek}_j = (\textsf{mpk},\textsf{sk}_j,\textsf{pk}_1,\ldots ,\textsf{pk}_{n})$ for $j\in [n]$.
3.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, forward the query $P^*$ to $\textsf{KGen}_1$ and return the answer $\textsf{dk}_{P^*}$.
- On input $j \in [n]$ for $\textsf{Corr}$, return $\textsf{ek}_j$.
- On input $(x,m) \in \mathcal {X}_{1,j} \times \mathcal {M}_4$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$ where $j \in [n]$, return $c_j {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j,x,m)$.
4.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$. Send the challenge $(m^0=(y^\textsf{in}_{j_b}, y^\textsf{out}_{j_b}), m^1=0^{s_3(\lambda )+s_4(\lambda )}, x=({x}_1,\ldots ,{x}_{n}))$ where $(y^\textsf{in}_{j_b},y^\textsf{out}_{j_b}) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda )+s_4(\lambda )}$, ${x}_{j_b} =x^b_{j_b}$ and ${x}_j = x^\star _j$ for $j \in [n] {\setminus } \{j_b\}$.
5.
Receive the challenge ciphertext $c^*$ from the challenger. Set $c^{(0)}_{j_b} = c^*$.
6.
For every $j \in [n]\setminus \{j_b\}$, compute $c^{(0)}_{j}{{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1, \ldots ,x_{n}),(y^\textsf{in}_j,y^\textsf{out}_j))$ where $(y^\textsf{in}_j,y^\textsf{out}_j){{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda ) + s_4(\lambda )}$, $x_j = x^b_j$, and $x_{j'} = x^\star _{j'}$ for $j' \in [n] {\setminus } \{j\}$.
7.
For every $j \in [n]$, compute $c_j^{(v)} {{\leftarrow {\$}}}\textsf{Enc}_{2,v}(\textsf{pk}_v,c_j^{(v-1)})$ for $v \in [n]$.
8.
Compute $c_j = (\widetilde{\mathbb {C}}^{\textsf{in}}_j, \widetilde{\mathbb {C}}^{\textsf{out}}_j)$ where $\widetilde{\mathbb {C}}^\textsf{in}_j {{\leftarrow {\$}}}\textsf{Obf}_3(1^{\lambda }, {\mathbb {V}}^{\textsf{in}}_j, y^\textsf{in}_j, (\textsf{sk}_j,j))$ and $\widetilde{\mathbb {C}}^\textsf{out}_j {{\leftarrow {\$}}}\textsf{Obf}_4(1^{\lambda }, {\mathbb {V}}^{\textsf{out}}_j, y^\textsf{out}_j, m^b_j)$ for any $j \in [n]$.
9.
Send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
10.
Answer to the incoming oracle queries as in Item 3.
11.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b}_0(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b}_1(\lambda )$. Moreover, $\textsf{D}$ submits a single query $P^*$ to oracle $\textsf{KGen}$ and it satisfies the validity condition $\textbf{Validity}_{2,j_0,j_1}$, we know that $P^*_{j_b}(x^b_{j_b}) = 0$. Because of this, $\textsf{A}$ submits a single query to oracle $\textsf{KGen}_1$ and, it is also a valid adversary for the experiment $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}PE}}_{\textsf{PE},\textsf{A}}(\lambda )$ with the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 32

$\textbf{H}^{b,i-1}_2(\lambda ) \approx _c \textbf{H}^{b,i}_2(\lambda )$ for $i \in [q]$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,i-1}_2(\lambda )$ and $ \textbf{H}^{b,i}_2(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the CPA security without collusions of $\textsf{PE}$. $\textsf{A}$ is defined as follows:

1.
Receive $\textsf{mpk}$ from the challenger.
2.
Compute $(\textsf{sk}_j,\textsf{pk}_j) {{\leftarrow {\$}}}\textsf{KGen}_{2,j}(1^{\lambda })$ and set $\textsf{ek}_j = (\textsf{mpk},\textsf{sk}_j,\textsf{pk}_1,\ldots ,\textsf{pk}_{n})$ for $j\in [n]$.
3.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, forward the query $P^*$ to $\textsf{KGen}_1$ and return the answer $\textsf{dk}_{P^*}$.
- On input $j \in [n]$ for $\textsf{Corr}$, return $\textsf{ek}_j$.
- On input $i'$th query $(x,m) \in \mathcal {X}_{1,j} \times \mathcal {M}_4$ for $\textsf{Enc}(\textsf{ek}_{j},\cdot ,\cdot )$ where $j \in [n]$, $\textsf{A}$ proceeds as follows:
  Case $j \ne j_b$::
  
  Sample $(y^\textsf{in}_jy^\textsf{out}_j) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda )+s_4(\lambda )}$. Run $c^{(0)}_j {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),(y^\textsf{in}_j,y^\textsf{out}_j))$ where $x_{j} = x$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j\}$.
  
  Case $j = j_b$ and $i' < i$::
  
  Sample $(y^\textsf{in}_{j_b},y^\textsf{out}_{j_b}) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda )+s_4(\lambda )}$. Compute $c^{(0)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s_3(\lambda ) + s_4(\lambda )})$ where $x_{j_b} = x$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j_b\}$.
  
  Case $j = j_b$ and $i' = i$::
  
  Sample $(y^\textsf{in}_{j_b},y^\textsf{out}_{j_b}) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda ) + s_4(\lambda )}$. Send the challenge $(m^0 = (y^\textsf{in}_{j_b},y^\textsf{out}_{j_b}), m^1 = 0^{s_3(\lambda ) + s_4(\lambda )}, x=({x}_1,\ldots ,{x}_{n}))$ to the challenger where ${x}_{j_b} = x$ and ${x}_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j_b\}$. Receive the challenge ciphertext $c^*$ and set $c^{(0)}_{j_b} = c^*$.
  
  Case $j = j_b$ and $i' > i$::
  
  Sample $(y^\textsf{in}_j,y^\textsf{out}_j) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda )+s_4(\lambda )}$. Compute $c^{(-1)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),(y^\textsf{in}_j,y^\textsf{out}_j))$ where $x_{j_b} = x$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j_b\}$.
  
  Finally, return $c_j = (\widetilde{\mathbb {C}}^{\textsf{in}}_j, \widetilde{\mathbb {C}}^{\textsf{out}}_j)$ where $c_j^{(v)} {{\leftarrow {\$}}}\textsf{Enc}_{2,v}(\textsf{pk}_v,c_j^{(v-1)})$ for $v \in [n]$, $\widetilde{\mathbb {C}}^\textsf{in}_j {{\leftarrow {\$}}}\textsf{Obf}_3(1^{\lambda }, {\mathbb {V}}^{\textsf{in}}_j, y^\textsf{in}_j, (\textsf{sk}_j,j))$ and $\widetilde{\mathbb {C}}^\textsf{out}_j {{\leftarrow {\$}}}\textsf{Obf}_4(1^{\lambda }, {\mathbb {V}}^{\textsf{out}}_j, y^\textsf{out}_j, m)$.
4.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
5.
Compute $c^{(0)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s_3(\lambda ) + s_4(\lambda )})$ where $x_{j_b} = x^b_{j_b}$, $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j_b\}$, and $(y^\textsf{in}_{j_b},y^\textsf{out}_{j_b}) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda )+s_4(\lambda )}$.
6.
Compute $c_{j_b}^{(v)} {{\leftarrow {\$}}}\textsf{Enc}_{2,v}(\textsf{pk}_v,c_{j_b}^{(v-1)})$ for $v \in [n]$.
7.
Compute $c_{j_b} = (\widetilde{\mathbb {C}}^{\textsf{in}}_{j_b}, \widetilde{\mathbb {C}}^{\textsf{out}}_{j_b})$ where $\widetilde{\mathbb {C}}^\textsf{in}_{j_b} {{\leftarrow {\$}}}\textsf{Obf}_3(1^{\lambda }, {\mathbb {V}}^{\textsf{in}}_{j_b}, y^\textsf{in}_{j_b}, (\textsf{sk}_{j_b},j_b))$ and $\widetilde{\mathbb {C}}^\textsf{out}_{j_b} {{\leftarrow {\$}}}\textsf{Obf}_4(1^{\lambda }, {\mathbb {V}}^{\textsf{out}}_{j_b}, y^\textsf{out}_{j_b}, m^b_{j_b})$.
8.
For every $j\in [n]\setminus \{j_b\}$, compute $c_j {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j,x^b_j,m^b_j)$.
9.
Send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
10.
Answer to the incoming oracle queries as in Item 3.
11.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,i-1}_2(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,i}_2(\lambda )$. Moreover, since $\textsf{D}$ submits a single query $P^*$ to oracle $\textsf{KGen}$ and it satisfies the validity condition $\textbf{Validity}_{2,j_0,j_1}$, we have that $j_b \not \in \mathcal {Q}_\textsf{Corr}$ and $\forall x'_{j_b} \in \mathcal {Q}_{j_b} \subset \mathcal {X}_{1,j_b}, P^*_{j_b}(x'_{j_b}) = 0$. Because of this, $\textsf{A}$ submits a single query to oracle $\textsf{KGen}_1$ and it is also a valid adversary for the experiment $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}PE}}_{\textsf{PE},\textsf{A}}(\lambda )$ with the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 33

$\textbf{H}^{b,q}_2(\lambda ) \approx _c \textbf{H}^{b}_3(\lambda )$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,q}_2(\lambda )$ and $ \textbf{H}^{b}_3(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the security of the lockable obfuscation scheme $\textsf{LOBF}_3$. $\textsf{A}$ is defined as follows:

1.
Compute $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$ where $\textsf{ek}_j = (\textsf{mpk},\textsf{sk}_j,\textsf{pk}_1,\ldots ,\textsf{pk}_{n})$ for $j\in [n]$.
2.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, return $\textsf{dk}_{P^*}{{\leftarrow {\$}}}\textsf{KGen}(\textsf{msk},P^*)$.
- On input $j \in [n]$ for $\textsf{Corr}$, return $\textsf{ek}_j$.
- On input $(x,m) \in \mathcal {X}_{1,j} \times \mathcal {M}_4$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$, $\textsf{A}$ proceeds as follows:
  Case $j = j_b$::
  
  Sample $(y^\textsf{in}_{j_b},y^\textsf{out}_{j_b}) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda )+s_4(\lambda )}$. Run $c^{(0)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s_3(\lambda )+s_4(\lambda )})$ where $x_{j_b} = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j_b\}$.
  
  Case $j \ne j_b$::
  
  Compute $c^{(0)}_j {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),(y^\textsf{in}_{j}, y^\textsf{out}_{j}))$ where $(y^\textsf{in}_{j},y^\textsf{out}_{j}) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda ) + s_4(\lambda )}$, $x_j = x$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{j\}$.
  
  Finally, return $c_j = (\widetilde{\mathbb {C}}^{\textsf{in}}_j, \widetilde{\mathbb {C}}^{\textsf{out}}_j)$ where $c_j^{(v)} {{\leftarrow {\$}}}\textsf{Enc}_{2,v}(\textsf{pk}_v,c_j^{(v-1)})$ for $v \in [n]$, $\widetilde{\mathbb {C}}^\textsf{in}_j {{\leftarrow {\$}}}\textsf{Obf}_3(1^{\lambda }, {\mathbb {V}}^{\textsf{in}}_j, y^\textsf{in}_j, (\textsf{sk}_j,j))$ and $\widetilde{\mathbb {C}}^\textsf{out}_j {{\leftarrow {\$}}}\textsf{Obf}_4(1^{\lambda }, {\mathbb {V}}^{\textsf{out}}_j, y^\textsf{out}_j, m)$.
3.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
4.
Compute $c^{(0)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s_3(\lambda ) + s_4(\lambda )})$ where $x_{j_b} = x^b_{j_b}$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j_b\}$.
5.
Compute $c_{j_b}^{(v)} {{\leftarrow {\$}}}\textsf{Enc}_{2,v}(\textsf{pk}_v,c_{j_b}^{(v-1)})$ for $v \in [n]$.
6.
Send the challenge $({\mathbb {V}}^{\textsf{in}}_{j_b}, (\textsf{sk}_{j_b},j_b))$ to the challenger and receive $\widetilde{\mathbb {C}}$. Compute $c_{j_b} = (\widetilde{\mathbb {C}}^\textsf{in}_{j_b},\widetilde{\mathbb {C}}^\textsf{out}_{j_b})$ where $\widetilde{\mathbb {C}}^\textsf{in}_{j_b} = \widetilde{\mathbb {C}}$, $\widetilde{\mathbb {C}}^\textsf{out}_{j_b} {{\leftarrow {\$}}}\textsf{Obf}_4(1^{\lambda },{\mathbb {V}}^{\textsf{out}}_{j_b}, y^\textsf{out}_{j_b}, m^b_{j_b})$ and $ y^\textsf{out}_{j_b} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_4(\lambda )}$.
7.
For every $j\in [n]\setminus \{j_b\}$, compute $c_j {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j,x^b_j,m^b_j)$.
8.
Send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
9.
Answer to the incoming oracle queries as in Item 2.
10.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,q}_2(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b}_3(\lambda )$. Hence, $\textsf{A}$ has the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 34

$\textbf{H}^{b,i-1}_4(\lambda ) \approx _c \textbf{H}^{b,i}_4(\lambda )$.

Proof

Claim 34 follows by leveraging a similar argument to that of Claim 33. $\square $

Claim 35

$\textbf{H}^{b,i-1}_5(\lambda ) \approx _c \textbf{H}^{b,i}_5(\lambda )$ for $i \in [q]$.

Proof

Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,i-1}_5(\lambda )$ and $ \textbf{H}^{b,i}_5(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the security of the lockable obfuscation scheme $\textsf{LOBF}_3$. $\textsf{A}$ is defined as follows:

1.
Compute $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$.
2.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, forward the query $P^*$ to $\textsf{KGen}_1$ and return the answer $\textsf{dk}_{P^*}$.
- On input $j \in [n]$ for $\textsf{Corr}$, return $\textsf{ek}_j$.
- On input $i'$th query $(x,m) \in \mathcal {X}_{1,j} \times \mathcal {M}_4$ for $\textsf{Enc}(\textsf{ek}_{j},\cdot ,\cdot )$ where $j \in [n]$, $\textsf{A}$ proceeds as follows:
  Case $j \ne j_b$::
  
  Return $c_j = (\widetilde{\mathbb {C}}^\textsf{in}_j,\widetilde{\mathbb {C}}^\textsf{out}_j) {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j,x,m)$.
  
  Case $j = j_b$ and $i' < i$::
  
  Sample $y^\textsf{out}_{j_b} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_4(\lambda )}$. Run $c^{(0)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s_3(\lambda ) + s_4(\lambda )})$ where $x_{j_b} = x$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j_b\}$. Return $c_{j_b} = (\widetilde{\mathbb {C}}^\textsf{in}_{j_b},\widetilde{\mathbb {C}}^\textsf{out}_{j_b})$ where $c_{j_b}^{(v)} {{\leftarrow {\$}}}\textsf{Enc}_{2,v}(\textsf{pk}_v,c_{j_b}^{(v-1)})$ for $v \in [n]$, $\widetilde{\mathbb {C}}^\textsf{in}_{j_b} {{\leftarrow {\$}}}\textsf{S}_3(1^{\lambda },1^{|{\mathbb {V}}^{\textsf{in}}_{j_b}|},1^{|(\textsf{sk}_{j_b},j_b)|})$, and $\widetilde{\mathbb {C}}^\textsf{out}_{j_b} {{\leftarrow {\$}}}\textsf{Obf}_4(1^{\lambda },{\mathbb {V}}^{\textsf{out}}_{j_b},y^{\textsf{out}}_{j_b},m)$.
  
  Case $j = j_b$ and $i' = i$::
  
  Sample $y^\textsf{out}_{j_b} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_4(\lambda )}$. Run $c^{(0)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s_3(\lambda ) + s_4(\lambda )})$ where $x_{j_b} = x$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j_b\}$. Send the challenge $({\mathbb {V}}^{\textsf{in}}_{j_b}, (\textsf{sk}_{j_b},j_b))$ to the challenger where $c_{j_b}^{(v)} {{\leftarrow {\$}}}\textsf{Enc}_{2,v}(\textsf{pk}_v,c_{j_b}^{(v-1)})$ for $v \in [n]$. Receive the challenge ciphertext $\widetilde{\mathbb {C}}$ and set $\widetilde{\mathbb {C}}_{j_b}^{\textsf{in}} = \widetilde{\mathbb {C}}$. Return $c_{j_b} = (\widetilde{\mathbb {C}}_{j_b}^{\textsf{in}},\widetilde{\mathbb {C}}_{j_b}^{\textsf{out}})$ where $\widetilde{\mathbb {C}}^\textsf{out}_{j_b} {{\leftarrow {\$}}}\textsf{Obf}_4(1^{\lambda },{\mathbb {V}}^{\textsf{out}}_{j_b},y^{\textsf{out}}_{j_b},m)$.
  
  Case $j = j_b$ and $i' > i$::
  
  Sample $(y^\textsf{in}_j,y^\textsf{out}_j) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda )+s_4(\lambda )}$. Compute $c^{(0)}_{j_b} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),0^{s_3(\lambda )+s_4(\lambda )})$ where $x_{j_b} = x$ and $x_{j'} = x^\star _{j'}$ for $j' \in [n]{\setminus }\{j_b\}$. Return $c_{j_b} = (\widetilde{\mathbb {C}}^\textsf{in}_{j_b},\widetilde{\mathbb {C}}^\textsf{out}_{j_b})$ where $c_{j_b}^{(v)} {{\leftarrow {\$}}}\textsf{Enc}_{2,v}(\textsf{pk}_v,c_{j_b}^{(v-1)})$ for $v \in [n]$, $\widetilde{\mathbb {C}}^\textsf{in}_{j_b} {{\leftarrow {\$}}}\textsf{Obf}_3(1^{\lambda },{\mathbb {V}}^{\textsf{in}}_{j_b},y^{\textsf{in}}_{j_b},(\textsf{sk}_{j_b},j_b))$, and $\widetilde{\mathbb {C}}^\textsf{out}_{j_b} {{\leftarrow {\$}}}\textsf{Obf}_4(1^{\lambda },{\mathbb {V}}^{\textsf{out}}_{j_b},y^{\textsf{out}}_{j_b},m)$.
3.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
4.
Compute $c_{j_b} = (\widetilde{\mathbb {C}}^{\textsf{in}}_{j_b}, \widetilde{\mathbb {C}}^{\textsf{out}}_{j_b})$ where $\widetilde{\mathbb {C}}^\textsf{in}_{j_b} {{\leftarrow {\$}}}\textsf{S}_3(1^{\lambda }, 1^{|{\mathbb {V}}^{\textsf{in}}_{j_b}|}, 1^{|(\textsf{sk}_{j_b},j_b)|})$ and $\widetilde{\mathbb {C}}^\textsf{out}_{j_b} {{\leftarrow {\$}}}\textsf{S}_4(1^{\lambda }, 1^{|{\mathbb {V}}^{\textsf{out}}_{j_b}|}, 1^{|m^b_{j_b}|})$.
5.
For every $j\in [n]\setminus \{j_b\}$, compute $c_j {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j,x^b_j,m^b_j)$.
6.
Send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
7.
Answer to the incoming oracle queries as in Item 2.
8.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,i-1}_5(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,i}_5(\lambda )$. Hence, $\textsf{A}$ has the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 36

$\textbf{H}^{b,i-1}_6(\lambda ) \approx _c \textbf{H}^{b,i}_6(\lambda )$ for $i \in [q]$.

Proof

Claim 36 follows by leveraging a similar argument to that of Claim 35. $\square $

Claim 37

$\textbf{H}^{b,1,1}_{7+i-1}(\lambda ) \approx _c \textbf{H}^{b,0,0}_{7+i}(\lambda )$ for $i \in \{0\}\cup [n-2]$.

Proof

Let $r = (j_b + i \mod n)+1$. Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,1,1}_{7+i-1}(\lambda )$ and $ \textbf{H}^{b,0,0}_{7+i}(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the CPA security of $\textsf{PKE}_{2,j_b}$. $\textsf{A}$ is defined as follows:

1.
Compute $(\textsf{mpk},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}_1(1^{\lambda })$ and $(\textsf{sk}_j,\textsf{pk}_j){{\leftarrow {\$}}}\textsf{KGen}_{2,j}(1^{\lambda })$ for $j \in [n]{\setminus }\{j_b\}$.
2.
Receive $\textsf{pk}_{j_b}$ from the challenger.
3.
Set $\textsf{ek}_j = (\textsf{mpk},\textsf{sk}_j,\textsf{pk}_1,\ldots ,\textsf{pk}_{n})$ for $j\in [n]{\setminus }\{j_b\}$.
4.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, return $\textsf{dk}_{P^*}{{\leftarrow {\$}}}\textsf{KGen}_1(\textsf{msk},P^*)$.
- On input $j \in [n]$ for $\textsf{Corr}$, return $\textsf{ek}_j$.
- On input $(x,m) \in \mathcal {X}_{1,j} \times \mathcal {M}_4$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$, $\textsf{A}$ proceeds as follows:
  Case $j = j_b$::
  
  Run $c_j = (\widetilde{\mathbb {C}}^{\textsf{in}}_{j},\widetilde{\mathbb {C}}^{\textsf{out}}_{j})$ where $\widetilde{\mathbb {C}}^{\textsf{in}}_{j} {{\leftarrow {\$}}}\textsf{S}_3(1^{\lambda }, 1^{|{\mathbb {V}}^{\textsf{in}}_{j}|},1^{|(\textsf{sk}_j,j)|})$ and $\widetilde{\mathbb {C}}^{\textsf{out}}_{j} {{\leftarrow {\$}}}\textsf{S}_4(1^{\lambda },1^{|{\mathbb {V}}^{\textsf{out}}_{j}|},1^{|m|})$.
  
  Case $j \ne j_b$::
  
  Compute $c_{j} {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j, x, m)$.
  
  Finally, return $c_j$.
5.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
6.
For every $j \in [n]$, the adversary $\textsf{A}$ proceeds as follows:
Case $j \in {[j_b:r-1]^+_n}$::

Compute $c_j = (\widetilde{\mathbb {C}}^{\textsf{in}}_{j},\widetilde{\mathbb {C}}^{\textsf{out}}_{j})$ where $\widetilde{\mathbb {C}}^{\textsf{in}}_{j} {{\leftarrow {\$}}}\textsf{S}_3(1^{\lambda }, 1^{|{\mathbb {V}}^{\textsf{in}}_{j}|},1^{|(\textsf{sk}_j,j)|})$ and $\widetilde{\mathbb {C}}^{\textsf{out}}_{j} {{\leftarrow {\$}}}\textsf{S}_4(1^{\lambda },1^{|{\mathbb {V}}^{\textsf{out}}_{j}|},1^{|m^b_j|})$.

Case $j = r$::

Sample $(y^\textsf{in}_{r},y^\textsf{out}_{r}) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda ) + s_4(\lambda )}$ and compute $c^{(0)}_r {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}),(y^\textsf{in}_{r}, y^\textsf{out}_{r}))$ where $x_r = x^b_r$, $x_{j'} = x^\star _{j'}$ for any $j' \in [n]{\setminus }\{r\}$. Compute $c_r^{(v)} {{\leftarrow {\$}}}\textsf{Enc}_{2,v}(\textsf{pk}_v,c_r^{(v-1)})$ for $v \in [j_b-1]$. Send the challenge $(m^0 = c_r^{(v)}, m^1 = w)$ to the challenger where $w {{\leftarrow {\$}}}\mathcal {M}_{2,j_b}$. Receive the answer $c^*$ and set $c^{(j_b)}_r = c^*$. Compute $c_r^{(v)} {{\leftarrow {\$}}}\textsf{Enc}_{2,v}(\textsf{pk}_v,c_r^{(v-1)})$ for $v \in [n]{\setminus } [j_b]$. Set $c_r = (\widetilde{\mathbb {C}}^{\textsf{in}}_r, \widetilde{\mathbb {C}}^{\textsf{out}}_r)$ where $\widetilde{\mathbb {C}}^\textsf{in}_r {{\leftarrow {\$}}}\textsf{Obf}_3(1^{\lambda }, {\mathbb {V}}^{\textsf{in}}_r, y^\textsf{in}_r, (\textsf{sk}_r,r))$ and $\widetilde{\mathbb {C}}^\textsf{out}_r {{\leftarrow {\$}}}\textsf{Obf}_4(1^{\lambda }, {\mathbb {V}}^{\textsf{out}}_r,y^\textsf{out}_r, m^b_r)$.

Case $i <n-2$ and $j \in {[r+1:j_b-1]^+_n}$::

Compute $c_{j} {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j, x^b_j, m^b_j)$.
7.
Send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
8.
Answer to the incoming oracle queries as in Item 4.
9.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. This is because, by the $\textbf{Validity}_{2,j_0,j_1}$ we have that $j_b \not \in \mathcal {Q}_{\textsf{Corr}}$, i.e., $\textsf{A}$ can simulate the view of $\textsf{D}$ without knowing $\textsf{sk}_{j_b}$ (sampled by the challenger). Moreover, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,1,1}_{7+i-1}(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,0,0}_{7+i}(\lambda )$. Hence, $\textsf{A}$ has the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 38

$\textbf{H}^{b,0,0}_{7+i}(\lambda ) \approx _c \textbf{H}^{b,1,0}_{7+i}(\lambda )$ for $i \in \{0\}\cup [n-2]$.

Proof

Let $r = (j_b + i \mod n)+1$. Suppose there exists a PPT distinguisher $\textsf{D}$ that distinguishes between $\textbf{H}^{b,0,0}_{7+i}(\lambda )$ and $ \textbf{H}^{b,1,0}_{7+i}(\lambda )$ with non-negligible probability. We build an adversary $\textsf{A}$ that breaks the security of the lockable obfuscation scheme $\textsf{LOBF}_3$. $\textsf{A}$ is defined as follows:

1.
Compute $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$.
2.
$\textsf{A}$ answers to the incoming oracle queries as follows:
- On input $P^* \in \mathcal {P}$ for $\textsf{KGen}$, return $\textsf{dk}_{P^*}{{\leftarrow {\$}}}\textsf{KGen}_1(\textsf{msk},P^*)$.
- On input $j \in [n]$ for $\textsf{Corr}$, return $\textsf{ek}_j$.
- On input $(x,m) \in \mathcal {X}_{1,j} \times \mathcal {M}_4$ for $\textsf{Enc}(\textsf{ek}_j,\cdot ,\cdot )$, $\textsf{A}$ proceeds as follows:
  Case $j = j_b$::
  
  Run $c_j = (\widetilde{\mathbb {C}}^{\textsf{in}}_{j},\widetilde{\mathbb {C}}^{\textsf{out}}_{j})$ where $\widetilde{\mathbb {C}}^{\textsf{in}}_{j} {{\leftarrow {\$}}}\textsf{S}_3(1^{\lambda }, 1^{|{\mathbb {V}}^{\textsf{in}}_j|},1^{|(\textsf{sk}_j,j)|})$ and $\widetilde{\mathbb {C}}^{\textsf{out}}_{j} {{\leftarrow {\$}}}\textsf{S}_4(1^{\lambda },1^{|{\mathbb {V}}^{\textsf{out}}_j|},1^{|m|})$.
  
  Case $j \ne j_b$::
  
  Compute $c_{j} {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j, x, m)$.
  
  Finally, return $c_j$.
3.
Receive the challenge $((m^0_1, \ldots , m^0_{n}),(m^1_1, \ldots , m^1_{n}), (x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_{n}))$ from $\textsf{D}$.
4.
For every $j \in [n]$, the adversary $\textsf{A}$ proceeds as follows:
Case $j \in {[j_b:r-1]^+_n}$::

Compute $c_j = (\widetilde{\mathbb {C}}^{\textsf{in}}_{j},\widetilde{\mathbb {C}}^{\textsf{out}}_{j})$ where $\widetilde{\mathbb {C}}^{\textsf{in}}_{j} {{\leftarrow {\$}}}\textsf{S}_3(1^{\lambda }, 1^{|{\mathbb {V}}^{\textsf{in}}_j|},1^{|(\textsf{sk}_j,j)|})$ and $\widetilde{\mathbb {C}}^{\textsf{out}}_{j} {{\leftarrow {\$}}}\textsf{S}_4(1^{\lambda },1^{|{\mathbb {V}}^{\textsf{out}}_j|},1^{|m^b_j|})$.

Case $j = r$::

Compute $c_r^{(v)} {{\leftarrow {\$}}}\textsf{Enc}_{2,v}(\textsf{pk}_v,c_r^{(v-1)})$ for $v \in [n]{\setminus } [j_b-1]$ where $c^{(j_b-1)}_r = w {{\leftarrow {\$}}}\mathcal {M}_{2,j_b}$. Send the challenge $({\mathbb {V}}^{\textsf{in}}_r, (\textsf{sk}_r,r))$ to the challenger and receive the answer $\widetilde{\mathbb {C}}^*$. Set $c_r = (\widetilde{\mathbb {C}}^{\textsf{in}}_r, \widetilde{\mathbb {C}}^{\textsf{out}}_r)$ where $\widetilde{\mathbb {C}}^\textsf{in}_r = \widetilde{\mathbb {C}}^*$, $y^\textsf{out}_{r} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_4(\lambda )}$, and $\widetilde{\mathbb {C}}^\textsf{out}_r {{\leftarrow {\$}}}\textsf{Obf}_4(1^{\lambda }, {\mathbb {V}}^{\textsf{out}}_r, y^\textsf{out}_r, m^b_r)$.

Case $i < n-2$ and $j \in {[r+1:j_b-1]}^+_n$::

Compute $c_{j} {{\leftarrow {\$}}}\textsf{Enc}(\textsf{ek}_j, x^b_j, m^b_j)$.
5.
Send the challenge ciphertexts $(c_1,\ldots ,c_{n})$ to $\textsf{D}$.
6.
Answer to the incoming oracle queries as in Item 2.
7.
Return the output of $\textsf{D}$.

Let d be the challenge bit sampled by the challenger. The adversary $\textsf{A}$ perfectly simulates the view of $\textsf{D}$. In particular, if $d=0$, $\textsf{A}$ simulates $\textbf{H}^{b,0,0}_{7+i}(\lambda )$. On the other hand, if $d=1$, $\textsf{A}$ simulates $\textbf{H}^{b,1,0}_{7+i}(\lambda )$. Hence, $\textsf{A}$ has the same advantage of $\textsf{D}$. This concludes the proof. $\square $

Claim 39

$\textbf{H}^{b,1,0}_{7+i}(\lambda ) \approx _c \textbf{H}^{b,1,1}_{7+i}(\lambda )$ for $i \in \{0\}\cup [n-2]$.

Proof

Claim 39 follows by leveraging a similar argument to that of Claim 38. $\square $

Claim 40

$\textbf{H}^{1-b,1,1}_{7+n-2}(\lambda ) \approx _c \textbf{H}^{b,1,1}_{7+n-2}(\lambda )$.

Proof

The distribution of these two experiments does not depend on the bit b. $\square $

By combining Claims 31–40 and conditioned to the event $\textbf{Validity}_{2,j_0,j_1}$, we conclude that

$$\begin{aligned}&\textbf{H}^b_0 \approx _c \textbf{H}^{b}_1 \equiv \textbf{H}^{b,0}_2 \approx _c \cdots \approx _c \textbf{H}^{b,q}_2 \approx _c \textbf{H}^{b}_3 \approx _c \textbf{H}^{b}_4 \equiv \textbf{H}^{b,0}_5 \approx _c \cdots \approx _c \textbf{H}^{b,q}_{5} \equiv \\&\quad \textbf{H}^{b,0}_{6} \approx _c \cdots \approx _c \textbf{H}^{b,q}_{6} \equiv \textbf{H}^{b,1,1}_{6} \approx _c \textbf{H}^{b,0,0}_{7} \approx _c \cdots \approx _c \textbf{H}^{b,1,1}_{7+n-2} \equiv \textbf{H}^{1-b,1,1}_{7+n-2}. \end{aligned}$$

This concludes the proof. $\square $

Lemma 12

Let $j_0 \in [n]\setminus \mathcal {Q}_\textsf{Corr}$. If $\textsf{PE}$ is CPA secure without collusions (Definition 8), $\textsf{PKE}_{2,j_0}$ is CPA secure (Definition 6), $\textsf{LOBF}_3$ and $\textsf{LOBF}_4$ are secure (Definition 2), then

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{(n-1)\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda ) = 1 \wedge |\mathcal {Q}_{\textsf{KGen}}| = 1 \Big \vert \textbf{Validity}_{3,j_0}\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ). \end{aligned}$$

Proof

Without loss of generality, let $q = |\mathcal {Q}_{j_{0}}| \in \textsf {poly}(\lambda )$ (recall $j_0 \not \in \mathcal {Q}_{\textsf{Corr}}$). Consider the hybrid experiments of Lemmas 4 and 11. Formally,

Let $\textbf{H}^{1,i}_0(\lambda ), \textbf{H}^{1,i}_1(\lambda ), \textbf{H}^{1,i}_2(\lambda )$ for $i \in [n]$ be the hybrid of Lemma 10 (for the challenge bit $b=1$) except that are conditioned to the event $\textbf{Validity}_{3,j_0}$ (instead of $\textbf{Validity}_{1}$).
Let $\textbf{H}^0_0(\lambda ), \textbf{H}^{0}_1(\lambda ), \textbf{H}^{0,t}_2(\lambda ), \textbf{H}^{0}_3(\lambda ), \textbf{H}^{0}_4(\lambda ), \textbf{H}^{0,t}_5(\lambda ), \textbf{H}^{0,t}_6(\lambda ), \textbf{H}^{0,1,1}_{6}(\lambda ), \textbf{H}^{0,k_1,k_2}_{7+j}(\lambda )$, for $i \in [n],t \in [q], j \in \{0\}\cup [n-2], (k_1,k_2)\times {{\leftarrow {\$}}}^2$, be the hybrids of Lemma 11 (for the challenge bit $b=0$) except that are conditioned to the event $\textbf{Validity}_{3,j_0}$ (instead of $\textbf{Validity}_{2,j_0,j_1}$).

In addition, consider the following additional hybrids experiments:

$\textbf{H}^{0,0}_{7+n-1}$::: Identical to $\textbf{H}^{0,1,1}_{7+n-2}$.
$\textbf{H}^{0,i}_{7+n-1}$ for ${i \in [q]}$::: Same as $\textbf{H}^{0,i-1}_{7+n-1}$ except that the challenger changes how it answers to the first i queries for oracle $\textsf{Enc}(\textsf{ek}_{j_0},\cdot ,\cdot )$. Formally, on input the $i'$th query $(x,m)$ such that $i'\le i$, the challenger returns $c_{j_0} = (\widetilde{\mathbb {C}}^\textsf{in}_{j_0},\widetilde{\mathbb {C}}^\textsf{out}_{j_0})$ where $\widetilde{\mathbb {C}}^\textsf{out}_{v} {{\leftarrow {\$}}}\textsf{Obf}_4(1^{\lambda },{\mathbb {V}}^{\textsf{out}}_{j_0}, y^{\textsf{out}}_{j_0}, m)$ where $y^\textsf{out}_{j_0} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_4(\lambda )}$. Otherwise, on input the $i'$th query $(x,m)$ such that $i' > i$, the challenger answers as usual, i.e., as defined in $\textbf{H}^{0,0}_{7+n-1}$.
$\textbf{H}^{0,0}_{7+n}$::: Identical to $\textbf{H}^{0,q}_{7+n-1}$.
$\textbf{H}^{0,i}_{7+n}$ for ${i \in [q]}$::: Same as $\textbf{H}^{0,i-1}_{7+n}$ except that the challenger changes how it answers to the first i queries for oracle $\textsf{Enc}(\textsf{ek}_{j_0},\cdot ,\cdot )$. Formally, on input the $i'$th query $(x,m)$ such that $i'\le i$, the challenger returns $c_{j_0} = (\widetilde{\mathbb {C}}^\textsf{in}_{j_0},\widetilde{\mathbb {C}}^\textsf{out}_{j_0})$ where $\widetilde{\mathbb {C}}^\textsf{in}_{j_0} {{\leftarrow {\$}}}\textsf{Obf}_3(1^{\lambda },{\mathbb {V}}^{\textsf{in}}_{j_0}, y^{\textsf{in}}_{j_0}, (\textsf{sk}_{j_0},j_0))$ where $y^\textsf{in}_{j_0} {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda )}$. Otherwise, on input the $i'$th query $(x,m)$ such that $i' > i$, the challenger answers as usual, i.e., as defined in $\textbf{H}^{0,0}_{7+n}$.
$\textbf{H}^{0,0}_{7+n+1}$::: Identical to $\textbf{H}^{0,q}_{7+n}$.
$\textbf{H}^{0,i}_{7+n+1}$ for ${i \in [q]}$::: Same as $\textbf{H}^{0,i-1}_{7+n+1}$ except that the challenger changes how it answers to the first i queries for oracle $\textsf{Enc}(\textsf{ek}_{j_0},\cdot ,\cdot )$. On input the $i'$th query $(x,m)$ such that $i'\le i$, the challenger samples $(y^\textsf{in}_{j_0},y^\textsf{out}_{j_0}) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda ) + s_4(\lambda )}$ and computes $c^{(0)}_{j_0} {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(x_1,\ldots ,x_{n}), (y^{\textsf{in}}_{j_0}, y^{\textsf{out}}_{j_0}))$ where $x_{j_0} = x$, and $x_{j} = x^\star _{j}$ for $j \in [n] {\setminus } \{j_0\}$. Finally, the challenger returns $c_{j_0} = (\widetilde{\mathbb {C}}^{\textsf{in}}_{j_0},\widetilde{\mathbb {C}}^{\textsf{out}}_{j_0})$ where $c^{(v)}_{j_0} {{\leftarrow {\$}}}\textsf{Enc}_{2,v}(\textsf{pk}_{v},c^{(v-1)}_{j_0})$ for $v \in [n]$, $\widetilde{\mathbb {C}}^{\textsf{in}}_{j_0} {{\leftarrow {\$}}}{{\leftarrow {\$}}}\textsf{Obf}_3(1^{\lambda },{\mathbb {V}}^{\textsf{in}}_{j_0}, y^{\textsf{in}}_{j_0},(\textsf{sk}_{j_0},j_0))$, $\widetilde{\mathbb {C}}^\textsf{out}_{v} {{\leftarrow {\$}}}\textsf{Obf}_4(1^{\lambda },{\mathbb {V}}^{\textsf{out}}_{j_0}, y^{\textsf{out}}_{j_0},m)$. Otherwise, on input the $i'$th query $(x,m)$ such that $i' > i$, the challenger answers as usual, i.e., as defined in $\textbf{H}^{0,0}_{7+n+1}$.

Claim 41

$\textbf{H}^{0}_{0}(\lambda ) \approx _c \textbf{H}^{0,1,1}_{7+n-2}(\lambda )$.

Proof

The proof of Claim 41 is identical to that of Lemma 5 where the challenge bit is $b=0$. $\square $

Claim 42

$\textbf{H}^{0,i-1}_{7+n-1}(\lambda ) \approx _c \textbf{H}^{0,i}_{7+n-1}(\lambda )$ for $i \in [q]$.

Proof

Claim 42 follows by leveraging a similar argument to that of Claim 36. $\square $

Claim 43

$\textbf{H}^{0,i-1}_{7+n}(\lambda ) \approx _c \textbf{H}^{0,i}_{7+n}(\lambda )$ for $i \in [q]$.

Proof

Claim 43 follows by leveraging a similar argument to that of Claim 35. $\square $

Claim 44

$\textbf{H}^{0,i-1}_{7+n+1}(\lambda ) \approx _c \textbf{H}^{0,i-1}_{7+n+1}(\lambda )$ for $i \in [q]$.

Proof

Claim 44 follows by leveraging a similar argument to that of Claim 32. $\square $

Claim 45

$\textbf{H}^{1,0}_{0}(\lambda ) \approx _c \textbf{H}^{1,q}_{2}(\lambda )$.

Proof

The proof of Claim 45 is identical to that of Lemma 4 where the challenge bit is $b=1$. $\square $

Claim 46

$\textbf{H}^{0,q}_{7+n+1}(\lambda ) \equiv \textbf{H}^{1,q}_{2}(\lambda )$.

Proof

Claim 46 follows by observing that experiments $\textbf{H}^{0,q}_{7+n+1}(\lambda )$ and $\textbf{H}^{1,q}_{2}(\lambda )$ are identical (and does not depend on the bit b). $\square $

By combining Claims 41–46 and the fact that $\textbf{Validity}_{3,j_0,}$ holds, we conclude that

$$\begin{aligned}&\textbf{H}^0_0 \approx _c \textbf{H}^{0,1,1}_{7+n-2} \equiv \textbf{H}^{b,0}_{7+n-1} \approx _c \ldots \approx _c \textbf{H}^{b,q}_{7+n-1} \equiv \textbf{H}^{b,0}_{7+n} \approx _c \ldots \approx _c \textbf{H}^{b,q}_{7+n} \\&\quad \equiv \textbf{H}^{b,0}_{7+n+1} \approx _c \ldots \approx _c \textbf{H}^{b,q}_{7+n+1} \equiv \textbf{H}^{1,q}_2 \approx _c \textbf{H}^{1,0}_0. \end{aligned}$$

This concludes the proof. $\square $

Lemma 13

Let $j_1 \in [n]\setminus \mathcal {Q}_\textsf{Corr}$. If $\textsf{PE}$ is CPA secure without collusions (Definition 8), $\textsf{PKE}_{2,j_1}$ is CPA secure (Definition 6), $\textsf{LOBF}_3$ and $\textsf{LOBF}_4$ are secure (Definition 2), then

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{(n-1)\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda ) = 1 \wedge |\mathcal {Q}_{\textsf{KGen}}| = 1 \Big \vert \textbf{Validity}_{4,j_1}\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ). \end{aligned}$$

Proof

Lemma 13 follows by using a symmetrical argument to that of Lemma 12. $\square $

By combining Lemmas 10–13 we conclude that $\Pi $ is CPA secure in the $(n-1)$-corruptions setting without collusions.

CPA-2-sided security of $\Pi $ (Theorem 7) As usual, consider the predicate space $\mathcal {P}= \{P(x_1,\ldots ,x_{{n}})\}$ of Construction 4 where $P(x_1,\ldots ,x_{{n}})= P_1(x_1) \wedge \ldots \wedge P_{n}(x_{n})$. Let $P^* \in \mathcal {P}$ be the only predicate for which the adversary will ask for the decryption key $\textsf{dk}_{P^*}$ during the experiment $\textbf{G}^{(n-1)\text {-}\textsf{CPA}\text {-}2\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}$ (recall that we prove the security of Construction 4 in the scenario without collusions, i.e., $|\mathcal {Q}_{\textsf{KGen}}| = 1$). We can leverage a similar argument to that used to prove Theorem 6 for the CPA-2-sided case (see Sect. 5.2.1) in order to rewrite the validity condition of $\textbf{G}^{(n-1)\text {-}\textsf{CPA}\text {-}2\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}$ (Definition 13) as follows:

$$\begin{aligned} \text {Either } \mathbf {Validity_1} \text { or } \mathbf {Validity_2} \end{aligned}$$

where

$$\begin{aligned} \textbf{Validity}_{1}&:\ \forall j \in [n], \forall i_1\in [k_1+1],\ldots ,\forall i_n\in [k_n+1], \\&\quad P^*(x^{(i_1,0)}_1,\ldots ,x^{(i_{j-1},0)}_{j-1},x^{0}_j,x^{(i_{j+1},0)}_{j+1},\ldots ,x^{(i_n,0)}_{n}) = \\&\quad P^*(x^{(i_1,1)}_1,\ldots ,x^{(i_{j-1},1)}_{j-1},x^{1}_j,x^{(i_{j+1},1)}_{j+1},\ldots ,x^{(i_n,1)}_{n}) = 0 \\ \textbf{Validity}_{2}&: \ \forall j \in [n], \text {Either } P^*_j(x^0_j) = P^*_j(x^1_j) = 0 \text { or } P^*_j(x^0_j) = P^*_j(x^1_j) \wedge m^0_j = m^1_j \end{aligned}$$

for $\mathcal {Q}^b_i = \{x^{(1,b)}_i,\ldots ,x^{(k_i,b)}_i, x^{(k_i+1,b)}_i = x^b_i\}$ for $i \in [n]$, $b\in {{\leftarrow {\$}}}$ as defined in Definition 13. Recall that, if $i \not \in \mathcal {Q}_\textsf{Corr}$, then $\mathcal {Q}^b_i$ is the ordered list composed of the inputs submitted to the oracle $\textsf{Enc}(\textsf{ek}_i,\cdot ,\cdot )$ and the challenge input $x^b_i$. Otherwise, if $i \in \mathcal {Q}_\textsf{Corr}$, then $\mathcal {Q}^b_i$ is equal to the ith input space $\mathcal {X}_{1,i}$ that, in turn, contains also the challenge input $x^b_i$. Hence, the CPA-2-sided security of Construction 4 follows by proving the following lemmas.

Lemma 14

If $\textsf{PE}$ is CPA secure without collusions (Definition 8), $\textsf{SKE}$ is CPA secure (Definition 4), and $\textsf{LOBF}$ is secure (Definition 2), then

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{(n-1)\text {-}\textsf{CPA}\text {-}2\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda ) = 1 \wedge |\mathcal {Q}_{\textsf{KGen}}|=1 \Big \vert \textbf{Validity}_{1}\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ). \end{aligned}$$

Proof

Note that $\textbf{Validity}_{1}$ is equivalent to the validity condition of CPA-1-sided security. Hence, the lemma follows by leveraging an identical argument to that of the CPA-1-sided case (Sect. 5.3.1). $\square $

Lemma 15

If $\textsf{PE}$ is CPA-2-sided secure without collusions (Definition 9) and $\textsf{LOBF}$ is secure (Definition 2), then

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{(n-1)\text {-}\textsf{CPA}\text {-}2\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda ) = 1 \wedge |\mathcal {Q}_{\textsf{KGen}}|=1 \Big \vert \textbf{Validity}_{2}\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ). \end{aligned}$$

Proof

Let $P^* \in \mathcal {Q}_\textsf{KGen}$ and $((x^0_1, \ldots ,x^0_n),(x^1_1,\ldots ,x^1_n))$ be the predicate submitted to the oracle $\textsf{KGen}$ and the challenge inputs chosen by the adversary, respectively. Despite $P^*$ is chosen adaptively, we assume that the values $\{z_i\}_{i \in [n]}$ such that $P^*_i(x^0_i)=P^*_i(x^1_i)=z_i$ are known before the challenge phase. Indeed, $\{z_i\}_{i \in [n]}$ can be guessed with non-negligible probability since $n = O(1)$.

Consider the following hybrid experiments:

$\textbf{H}^{b,0}_0(\lambda )$::: This is exactly the experiment $\textbf{G}^{(n-1)\text {-}\textsf{CPA}\text {-}2\text {-}\textsf{iPE}}_{\Pi ,\textsf{A}}(\lambda )$ conditioned to the event $\textbf{Validity}_{2}$ where the challenge bit is b, i.e., the adversary is valid and satisfies $\textbf{Validity}_{2}$.
$\textbf{H}^{b,i}_0(\lambda )$ for ${i \in [n]}$::: Same as $\textbf{H}^{b,i-1}_0$, except that the challenger changes how it computes the challenge ciphertext $c_i$ with respect to $z_i$. If $z_i = 0$ (i.e., $P^*_i(x^0_i) = P^*_i(x^1_i) = 0$), the value $c^{(0)}_i$ is computed as $c^{(0)}_i {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}), 0^{s_3(\lambda ) + s_4(\lambda )})$ where $x_i = x^{0}_i$, and $x_j = x^\star _j$ for $j \in [n] {\setminus } \{i\}$. Otherwise, if $z_i = 1$ (i.e., $P^*_i(x^0_i) = P^*_i(x^1_i) = 1$), the value $c^{(0)}_i$ is computed as $c^{(0)}_i {{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk}, (x_1,\ldots ,x_{n}), (y^\textsf{in}_i,y^\textsf{out}_{1}))$ where $(y_i^{\textsf{in}},y^{\textsf{out}}_i) {{\leftarrow {\$}}}{{\leftarrow {\$}}}^{s_3(\lambda ) + s_4(\lambda )}$, $x_i = x^{0}_i$, and $x_j = x^\star _j$ for $j \in [n] {\setminus } \{i\}$. Observe that $c^{(0)}_i$ is computed by fixing $x_i = x^{0}_i$ (instead of $x_i = x^b_i$), i.e., the input $(x_1,\ldots ,x_{n})$ used to compute the ith challenge ciphertext is fixed and does not depend on the challenge bit b.
$\textbf{H}^{b,0}_1(\lambda )$::: Identical to $\textbf{H}^{b,n}_1(\lambda )$.
$\textbf{H}^{b,i}_1(\lambda )$ for ${i \in [n]}$::: Same as $\textbf{H}^{b,i-1}_1$, except that the challenger changes how it computes the challenger ciphertext $c_i$ with respect to $z_i$. If $z_i = 0$ (i.e., $P^*_i(x^0_i) = P^*_i(x^1_i) = 0$), the value $\widetilde{\mathbb {C}}^\textsf{out}_i$ of challenge ciphertext $c_i = (\widetilde{\mathbb {C}}^\textsf{in}_i, \widetilde{\mathbb {C}}^\textsf{out}_i)$ is simulated by the challenger using the simulator of the lockable obfuscation scheme $\textsf{LOBF}_4$, i.e., $\widetilde{\mathbb {C}}^{\textsf{out}}_i {{\leftarrow {\$}}}\textsf{S}_4(1^{\lambda },1^{|{\mathbb {V}}^{\textsf{out}}_i|},1^{|m^b_i|})$ where ${\mathbb {V}}^{\textsf{out}}_i = \mathbb {C}^\textsf{out}_{c^{(n)}_i,\textsf{sk}_i,i}$. Otherwise, if $z_i = 1$ (i.e., $P^*_i(x^0_i) = P^*_i(x^1_i) = 1$), the value $\widetilde{\mathbb {C}}^{\textsf{out}}_i$ is computed as in $\textbf{H}^{b,0}_1(\lambda )$.

We can prove that the indistinguishability of the above hybrids by leveraging similar techniques to that of Sects. 5.2.1 and 5.3.1.

Claim 47

$\textbf{H}^{b,i-1}_0(\lambda ) \approx _c \textbf{H}^{b,i}_0(\lambda )$ for $i\in [n]$.

Proof

Note that the values $\{z_i\}_{i \in [n]}$ (i.e., $P^*_i(x^0_i)=P^*_i(x^1_i)=z_i$), can be correctly guessed with non-negligible probability since $n = O(1)$. Conditioned to the above, the claim follows from the CPA-2-sided security of $\textsf{PE}$. $\square $

Claim 48

$\textbf{H}^{b,i-1}_1(\lambda ) \approx _c \textbf{H}^{b,i}_1(\lambda )$ for $i\in [n]$.

Proof

As usual, the values $\{z_i\}_{i \in [n]}$ (i.e., $P^*_i(x^0_i)=P^*_i(x^1_i)=z_i$), can be correctly guessed with non-negligible probability since $n = O(1)$. Conditioned to the above, the claim follows from the security of the lockable obfuscation scheme $\textsf{LOBF}_4$. $\square $

Claim 49

$\textbf{H}^{b,n}_1(\lambda ) \equiv \textbf{H}^{1-b,n}_1(\lambda )$.

Proof

The claim follows by leveraging the fact that $\textbf{Validity}_2$ holds (i.e., the adversary satisfies $\textbf{Validity}_2$) and observing that the values $\{z_i\}_{i \in [n]}$ (i.e., $P^*_i(x^0_i)=P^*_i(x^1_i)=z_i$), can be correctly guessed with non-negligible probability since $n = O(1)$. Conditioned to the above, for every $i \in [n]$, if $P^*_i(x^0_i)=P^*_i(x^1_i)=z_i=0$ we have that the jth challenge ciphertext $c_j$ does not depend on the bit b. On the other hand, if $P^*_i(x^0_i)=P^*_i(x^1_i)=z_i=1$, we have that the jth challenge ciphertext $c_j$ depends on either $m^0_j$ or $m^1_j$. However, by the validity condition $\textbf{Validity}_2$ we have that $m^0_j = m^1_j$. Hence, $\textbf{H}^{b,n}_1(\lambda )$ and $\textbf{H}^{1-b,n}_1(\lambda )$ are identically distributed. This concludes the proof. $\square $

By combining Claims 47–49 and the fact that $\textbf{Validity}_{2}$ holds, we conclude that $\textbf{H}^{0,0}_0 \approx _c \ldots \approx _c \textbf{H}^{0,n}_0 \equiv \textbf{H}^{0,0}_1 \approx _c \ldots \approx _c \textbf{H}^{0,n}_1 \equiv \textbf{H}^{1,n}_1$. This concludes the proof. $\square $

By leveraging Lemmas 14 and 15, we conclude that $\Pi $ of Construction 4 is CPA-2-sided secure.

5.4 Additional Discussion

On wildcards. Wildcards affect the security guarantee and the expressiveness of the multi-input PE construction depending on the presence of corruptions. In the case of no corruptions (Construction 3), the (single) wildcard can be removed by simply requiring each ith sender not to compute a ciphertext $c_i$ under the corresponding ith wildcard $x^\star _i$, i.e., $\textsf{Enc}(\textsf{ek}_i,x_i,m_i)$ outputs $\bot $ whenever $x_i = x^\star _i$. In other words, we can transform any secure multi-input PE for $P(x_1,\ldots ,x_{n}) = P_1(x_1) \wedge \ldots \wedge P_{n}(x_{n})$ with wildcard $(x^\star _1,\ldots ,x^\star _{n})$ into a secure multi-input PE for the same predicate $P(x_1,\ldots ,x_{n})$ without the wildcard. On the other hand, this cannot be done when corruptions are in place (Construction 4). Indeed, if the adversary gets an encryption key $\textsf{ek}_i$, then it can use the latter to always produce a ciphertext $c_i$ under $x^\star _i$. This means that the adversary can always use $\textsf{ek}_i$ (of the corrupted user) and satisfy the ith predicate $P_i$ (this also affects the security proof of Construction 4. See Sects. 5.3.1, 5.3.1).

On unbounded collusions For completeness, we highlight that if we start from an initial single-input PE scheme $\textsf{PE}$ (of Theorems 6, 7) that is CPA-1-sided secure against unbounded collusions, both our Constructions 3 and 4 are CPA-1-sided secure with respect to a weaker form of unbounded collusions (but still stronger than no collusions). For the sake of clarity, we focus on our secret-key Construction 3, but the same argument holds for our Construction 4 against corruptions.

In case of no collusions, at the beginning of the proof of Theorem 6 (see Sect. 5.2.1), we show that the adversary’s validity condition (of Definition 13) is equivalent to satisfying at least one of the following four conditions: for some $j_0,j_1\in [n]$,

$$\begin{aligned}&\textbf{Validity}_{1} : \nonumber \\&\qquad P^*_1(x^0_1) = 0 \wedge \cdots \wedge P^*_{n}(x^0_{n}) = 0 \wedge P^*_1(x^1_1) = 0 \wedge \cdots \wedge P^*_{n}(x^1_{n}) = 0 \end{aligned}$$

(9)

$$\begin{aligned}&\textbf{Validity}_{2,j_0,j_1} : \forall x'_{j_0} \in \mathcal {Q}_{j_0},\forall x'_{j_1} \in \mathcal {Q}_{j_1}, \nonumber \\&\qquad P^*_{j_0}(x^0_{j_0}) = 0 \wedge P^*_{j_0}(x'_{j_0}) = 0 \wedge P^*_{j_1}(x^1_{j_1}) = 0 \wedge P^*_{j_1}(x'_{j_1}) = 0 \end{aligned}$$

(10)

$$\begin{aligned}&\textbf{Validity}_{3,j_0} : \forall x'_{j_0} \in \mathcal {Q}_{j_0}, \nonumber \\&\qquad P^*_{j_0}(x^0_{j_0}) = 0 \wedge P^*_{j_0}(x'_{j_0}) = 0 \wedge P^*_1(x^1_1) = 0 \wedge \cdots \wedge P^*_{n}(x^1_{n}) = 0 \end{aligned}$$

(11)

$$\begin{aligned}&\textbf{Validity}_{4,j_1} : \forall x'_{j_1} \in \mathcal {Q}_{j_1}, \nonumber \\&\qquad P^*_1(x^0_1) = 0 \wedge \cdots \wedge P^*_{n}(x^0_{n}) = 0 \wedge P^*_{j_1}(x^1_{j_1}) = 0 \wedge P^*_{j_1}(x'_{j_1}) = 0 \end{aligned}$$

(12)

where $P^*(x_1,\ldots ,x_n) = (P^*_1(x_1)\wedge \cdots \wedge P^*_n(x_n)) \in \mathcal {Q}_\textsf{KGen}$ is the single key generation query submitted by the adversary $\textsf{A}$, $((x^0_1,\ldots ,x^0_{n}),(x^1_1,\ldots ,x^1_n))$ is the adversarial challenge inputs, and $\mathcal {Q}_i$ are the predicate inputs submitted to the encryption oracle $\textsf{Enc}(\textsf{ek}_i,\cdot ,\cdot )$ for $i\in [n]$.

When working with CPA-1-sided security against (fully fledged) unbounded collusions, a valid adversary can obtain two decryption keys for $P$ and $P'$ that satisfy Eq. (10) (or Eqs (11), (12)) with respect to two different indexes $j_0,j_1 \in [n]$ and $j'_0,j'_1 \in [n]$, i.e., $(j_0,j_1) \ne (j'_0,j'_1)$. When this happens the proof fails since, as we discussed in Sect. 1.2, our reduction will make an invalid set of queries to the $\textsf{KGen}$ oracle of the single-input PE. However, we observe that the exact same proof of Theorem 5 goes through when we allow $\textsf{A}$ to asking for multiple decryption keys under the restriction that: $\exists j_0,j_1 \in [n]$, $\forall P(x_1,\ldots ,x_n) = (P_1(x_1)\wedge \ldots \wedge P_n(x_n)) \in \mathcal {Q}_\textsf{KGen}$, such that either one condition between Eqs. (9)–(12) is satisfied (i.e., the same indexes $j_0,j_1$ for all predicates $P\in \mathcal {Q}_\textsf{KGen}$).

6 Applications

In this section, we show the applications of our constructions. In Sect. 6.1, we provide the definitions of ME and we show a construction from multi-key PE. In Sect. 6.2, we define CPA-1-sided reusable robust NI-MPC for all-or-nothing functions and we provide a construction from multi-input PE.

6.1 Matchmaking Encryption from 2-Key PE

Definition of ME. In ME, a trusted authority generates a decryption key for the receiver, associated to an arbitrary policy of his choice. The receiver is able to decrypt the message if and only if a match occurs, i.e. the sender’s attribute match the receiver policy, and vice versa. Differently from [10, 11], we consider honest senders (i.e., we do not consider authenticity security). Hence, the sender do not need to receive an encryption key from the authority, but can encrypt a message directly with the sender’s attribute as an input. Security against malicious senders (i.e., authenticity) can be achieved by relying on similar techniques of [10, 11, 26], by combining non-interactive zero-knowledge proofs and digital signatures.

Formally, an ME with message space $\mathcal {M}$, sender’s policy and attribute spaces $\mathcal {P}_1$ and $\mathcal {U}_1$, receiver’s policy and attribute spaces $\mathcal {P}_2$ and $\mathcal {U}_2$ is composed of the following polynomial-time algorithms:

$\textsf{Setup}(1^{\lambda })$::: Upon input the security parameter $1^{\lambda }$, the randomized setup algorithm outputs the master public key $\textsf{mpk}$ and the master secret key $\textsf{msk}$.
$\textsf{RKGen}(\textsf{msk}, \rho )$::: The randomized receiver-key generator takes as input the master secret key $\textsf{msk}$, and attributes $\rho \in \mathcal {U}_2$. The algorithm outputs a secret decryption key $\textsf{dk}_{\rho }$ for attributes $\rho $.
$\textsf{PolGen}(\textsf{msk}, \mathbb {S})$::: The randomized receiver policy generator takes as input the master secret key $\textsf{msk}$, and a policy $\mathbb {S}\in \mathcal {P}_2$. The algorithm outputs a secret decryption key $\textsf{dk}_{\mathbb {S}}$ for the circuit $\mathbb {S}$.
$\textsf{Enc}(\textsf{mpk},\sigma , \mathbb {R}, m)$::: The randomized encryption algorithm takes as input the master public key $\textsf{mpk}$, attributes $\sigma \in \mathcal {U}_1$, a policy $\mathbb {R}\in \mathcal {P}_1$, and a message $m\in \mathcal {M}$. The algorithm produces a ciphertext $c$ linked to both $\sigma $ and $\mathbb {R}$.
$\textsf{Dec}(\textsf{dk}_{\rho }, \textsf{dk}_{\mathbb {S}}, c)$::: The deterministic decryption algorithm takes as input a secret decryption key $\textsf{dk}_{\rho }$ for attributes $\rho \in \mathcal {U}_2$, a secret decryption key $\textsf{dk}_{\mathbb {S}}$ for a circuit $\mathbb {S}\in \mathcal {P}_2$, and a ciphertext $c$. The algorithm outputs a message $m$.

Correctness states that the receiver can obtain the message with overwhelming probability if a match occurs. As for security, we consider the standard definition of ME, namely CPA-1-sided and CPA-2-sided security. Informally, CPA-1-sided security captures the secrecy of the sender’s attributes, the sender’s policy, and the message when a match does not occur. On the other hand, CPA-2-sided security extends this secrecy even when a match occurs.

Definition 15

(Correctness of ME). An ME with message space $\mathcal {M}$, sender’s policy and attribute spaces $\mathcal {P}_1$ and $\mathcal {U}_1$, receiver’s policy and attribute spaces $\mathcal {P}_2$ and $\mathcal {U}_2$, is correct if $\forall \lambda \in \mathbb {N}$, $\forall m\in \mathcal {M}$, $\forall \sigma \in \mathcal {U}_1$,$\forall \rho \in \mathcal {U}_2$, $\forall \mathbb {R}\in \mathcal {P}_1$, $\forall \mathbb {S}\in \mathcal {P}_2$ such that $\mathbb {S}(\sigma )=1 \wedge \mathbb {R}(\rho )=1$:

$$\begin{aligned} \mathbb {P}\left[ \textsf{Dec}(\textsf{dk}_{\rho }, \textsf{dk}_{\mathbb {S}}, \textsf{Enc}(\textsf{mpk},\sigma , \mathbb {R}, m)) = m\right] \ge 1 - \textsf {negl}(\lambda ), \end{aligned}$$

where $\forall (\textsf{mpk}, \textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda })$, $\textsf{dk}_{\rho } {{\leftarrow {\$}}}\textsf{RKGen}(\textsf{msk}, \rho )$, and $\textsf{dk}_{\mathbb {S}} {{\leftarrow {\$}}} \textsf{PolGen}(\textsf{msk}, \mathbb {S})$. The above probability is taken over the random coins of $\textsf{Setup},\textsf{RKGen}, \textsf{PolGen}$, and $\textsf{Enc}$.

Definition 16

(CPA-1-sided and CPA-2-sided security of ME). Let $t \in [2]$. We say that an ME $\Pi $ is CPA-t-sided secure if for all valid PPT adversaries $\textsf{A}=(\textsf{A}_0,\textsf{A}_1)$:

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{\mathsf {\textsf{CPA}\text {-}t\text {-}ME}}_{\Pi , \textsf{A}}(\lambda ) = 1\right] - \frac{1}{2} \right|\le \textsf {negl}(\lambda ), \end{aligned}$$

where game $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}t\text {-}ME}}_{\Pi , \textsf{A}}(\lambda )$ is depicted in Fig. 9. Adversary $\textsf{A}$ is called valid if $\forall \rho \in \mathcal {Q}_{\textsf{RKGen}}, \forall \mathbb {S}\in \mathcal {Q}_{\textsf{PolGen}}$,

Case $t=1$ (mismatch only):
$$\begin{aligned}&(\mathbb {R}^0(\rho ) = \mathbb {R}^1(\rho )=0) \vee (\mathbb {S}(\sigma ^0) = \mathbb {S}(\sigma ^1)=0) \nonumber \\&\qquad \vee (\mathbb {R}^0(\rho ) = \mathbb {S}(\sigma ^1)=0) \vee (\mathbb {R}^1(\rho ) = \mathbb {S}(\sigma ^0)=0); \end{aligned}$$
(13)
Case $t=2$ (mismatch and match): Either
$$\begin{aligned}&(\mathbb {R}^0(\rho ) = \mathbb {R}^1(\rho )=0) \vee (\mathbb {S}(\sigma ^0) = \mathbb {S}(\sigma ^1)=0) \nonumber \\&\qquad \vee (\mathbb {R}^0(\rho ) = \mathbb {S}(\sigma ^1)=0) \vee (\mathbb {R}^1(\rho ) = \mathbb {S}(\sigma ^0)=0) \end{aligned}$$
$$\begin{aligned} \text {or }(\mathbb {R}^0(\rho ) =\mathbb {R}^1(\rho )) \wedge (\mathbb {S}(\sigma ^0) = \mathbb {S}(\sigma ^1)) \wedge (m^0 = m^1) . \end{aligned}$$
(14)

We stress that CPA-1-sided and CPA-2-sided security reflects the “mismatch condition” and “match condition” of the original work of Ateniese et al. [10, Definition 5]. We chose to change their names to avoid confusion and make the notation consistent with respect to the one of PE. Also, we stress that [10, Definition 5] defines security of ME only in term of CPA-2-sided security (whereas, in this work, we also consider the weaker notion of CPA-1-sided security).

6.1.1 Construction of ME from 2-Key PE

Construction 5

Let $\textsf{kPE}= (\textsf{Setup}_1, \textsf{KGen}_1, \textsf{Enc}_1, \textsf{Dec}_1)$ be a 2-key PE scheme with message space $\mathcal {M}$, input space $\mathcal {X}= \mathcal {X}_1 \times \mathcal {X}_2$, and predicate space 4$\mathcal {P}= \{P_{\rho ,\mathbb {R}}(x_1,x_2)\}_{(\rho ,\mathbb {R})\in \mathcal {V}}$ indexed by $\mathcal {V}= \mathcal {V}_1 \times \mathcal {V}_2$ such that

$$\begin{aligned} P_{\rho ,\mathbb {R}}(\sigma ,\mathbb {S}) = P_{\rho }(\mathbb {S}) \wedge P_{\mathbb {R}}(\sigma ) = \mathbb {S}(\rho ) \wedge \mathbb {R}(\sigma ), \end{aligned}$$

where $\sigma \in \mathcal {X}_1$, $\mathbb {S}\in \mathcal {X}_2$, $\rho \in \mathcal {V}_1$, and $\mathbb {R}\in \mathcal {V}_2$. We build an ME scheme with message space $\mathcal {M}$, sender’s policy and attribute spaces $\mathcal {X}_2$ and $\mathcal {X}_1$, and receiver’s policy and attribute spaces $\mathcal {V}_2$ and $\mathcal {V}_1$, in the following way:

$\textsf{Setup}(1^{\lambda })$::: Upon input the security parameter $1^{\lambda }$, the randomized setup algorithm outputs $\textsf{mpk}= \textsf{mpk}$ and $\textsf{msk}= (\textsf{msk}_1,\textsf{msk}_2)$ where $(\textsf{mpk},\textsf{msk}_1,\textsf{msk}_2){{\leftarrow {\$}}}\textsf{Setup}_1(1^{\lambda })$.
$\textsf{RKGen}(\textsf{msk}, \rho )$::: Upon input the master secret key $\textsf{msk}= (\textsf{msk}_1,\textsf{msk}_2)$ and attributes $\rho \in \mathcal {V}_1$, the randomized receiver-key generator outputs $\textsf{dk}_\rho {{\leftarrow {\$}}}\textsf{KGen}_1(\textsf{msk}_1,\rho )$.
$\textsf{PolGen}(\textsf{msk}, \mathbb {S})$::: Upon input the master secret key $\textsf{msk}= (\textsf{msk}_1,\textsf{msk}_2)$ and a policy $\mathbb {S}\in \mathcal {V}_2$, the randomized receiver policy generator outputs $\textsf{dk}_\mathbb {S}{{\leftarrow {\$}}}\textsf{KGen}_1(\textsf{msk}_2,\mathbb {S})$.
$\textsf{Enc}(\textsf{mpk}, \sigma , \mathbb {R}, m)$::: Upon input the master public key $\textsf{mpk}$, attributes $\sigma \in \mathcal {X}_1$, a policy $\mathbb {R}\in \mathcal {X}_2$, and a message $m\in \mathcal {M}$, the randomized encryption algorithm computes $c{{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{mpk},(\sigma ,\mathbb {R}),m)$.
$\textsf{Dec}(\textsf{dk}_{\rho }, \textsf{dk}_{\mathbb {S}}, c)$::: Upon input a secret decryption key $\textsf{dk}_{\rho }$ for attributes $\rho \in \mathcal {V}_1$, a secret decryption key $\textsf{dk}_{\mathbb {S}}$ for a policy $\mathbb {S}\in \mathcal {V}_2$, and a ciphertext $c$, the deterministic decryption algorithm outputs $m= \textsf{Dec}_1(\textsf{dk}_{\rho }, \textsf{dk}_{\mathbb {S}}, c)$.

Correctness follows from the correctness of $\textsf{kPE}$. Below, we establish the following result.

Theorem 8

Let $\textsf{kPE}$ be as above.

1.
If $\textsf{kPE}$ is CPA-1-sided secure (Definition 11) then the ME scheme $\Pi $ from Construction 5 is CPA-1-sided secure (Definition 16).
2.
If $\textsf{kPE}$ is CPA-2-sided secure (Definition 11) then the ME scheme $\Pi $ from Construction 5 is CPA-2-sided secure (Definition 16).

Proof

(CPA-1-sided security of $\Pi $) Suppose there exists a valid PPT adversary $\textsf{A}$ with a non-negligible advantage in breaking the CPA-1-sided security of $\Pi $. We build an adversary $\textsf{A}'$ that breaks the CPA-1-sided security of $\textsf{kPE}$. $\textsf{A}'$ is defined as follows:

1.
Receive $\textsf{mpk}$ from the challenger and send it to $\textsf{A}$.
2.
$\textsf{A}'$ answers to the incoming oracle queries as follows:
- On input $\rho \in \mathcal {V}_1$ for $\textsf{RKGen}$, forward the query $\rho $ to $\textsf{KGen}(\textsf{msk}_1,\cdot )$ and return the answer $\textsf{dk}_\rho $.
- On input $\mathbb {R}\in \mathcal {V}_2$ from $\textsf{PolGen}$, forward the query $\mathbb {R}$ to $\textsf{KGen}(\textsf{msk}_2,\cdot )$ and return the answer $\textsf{dk}_\mathbb {R}$.
3.
Receive the challenge $(m^0, m^1, \mathbb {R}^0, \mathbb {R}^1, \sigma ^0, \sigma ^1)$ from $\textsf{A}'$. Send the challenge $(m^0, m^1,x^0, x^1)$ where $x^i = (\sigma ^i,\mathbb {S}^i)$ for $i \in {{\leftarrow {\$}}}$. Forward the challenge ciphertext $c$ to $\textsf{A}$.
4.
Answer to the incoming oracle queries as in Item 2.
5.
Return the output of $\textsf{A}$.

Let d be the challenge bit sampled by the challenger. $\textsf{A}'$ perfectly simulates the view of $\textsf{A}$. Moreover, $\textsf{A}$ is a valid adversary, i.e., it satisfies the mismatch condition of Eq. (13). This implies that $\forall \rho \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_1,\cdot )},\mathbb {R}\in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_{2},\cdot )}$, $P_{\rho ,\mathbb {R}}(\sigma ^0,\mathbb {S}^0) = \mathbb {S}^0(\rho ) \wedge \mathbb {R}(\sigma ^0) = 0$ and $P_{\rho ,\mathbb {R}}(\sigma ^1,\mathbb {S}^1) = \mathbb {S}^1(\rho ) \wedge \mathbb {R}^1(\sigma ) = 0$. Hence, $\textsf{A}'$ is a valid adversary for $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}}1\mathsf {\text {-}\textsf{kPE}}}_{\textsf{kPE}, \textsf{A}'}(\lambda )$. This concludes the proof.

(CPA-2-sided security of $\Pi $) The reduction is identical. The only difference is the analysis of the validity of $\textsf{A}'$. Since $\textsf{A}$ is a valid adversary with respect to the CPA-2-sided security experiment of $\textsf{kPE}$, i.e., it satisfies Eq. (14). This implies that $\forall \rho \in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_1,\cdot )},\mathbb {R}\in \mathcal {Q}_{\textsf{KGen}(\textsf{msk}_{2},\cdot )}$, either $P_{\rho ,\mathbb {R}}(\sigma ^0,\mathbb {S}^0) = P_{\rho ,\mathbb {R}}(\sigma ^1,\mathbb {S}^1) = 0$ or $P_{\rho ,\mathbb {R}}(\sigma ^0,\mathbb {S}^0) = P_{\rho ,\mathbb {R}}(\sigma ^1,\mathbb {S}^1) \wedge m^0 = m^1$. Hence, $\textsf{A}'$ is a valid adversary for $\textbf{G}^{\mathsf {\textsf{CPA}\text {-}}2\mathsf {\text {-}\textsf{kPE}}}_{\textsf{kPE}, \textsf{A}'}(\lambda )$. This concludes the proof. $\square $

6.2 Non-interactive Multi Party Computation (with Correlated Randomness) from Multi-input PE

Definition of CPA-1-sided reusable k-robust NI-MPC for all-or-nothing functions. A NI-MPC protocol for a function $f: \mathcal {V}_1\times \cdots \times \mathcal {V}_{n}\rightarrow \mathcal {Y}$ is a (non-interactive) protocol between n parties and an evaluator.^{Footnote 26} On initialization, a trusted party executes the setup algorithm $(\textsf{crs},\textsf{ek}_1,\ldots ,\textsf{ek}_{n}){{\leftarrow {\$}}}\textsf{Setup}(1^{\lambda },f)$. Then, it publishes the common reference string $\textsf{crs}$ and sends the (possibly correlated) encryption keys to the corresponding parties, i.e., the ith party receives the ith encryption key $\textsf{ek}_i$. After the setup phase, each party, owning an input $v_i \in \mathcal {V}_i$, sends a single message $c_i {{\leftarrow {\$}}}\textsf{Enc}(\textsf{crs},\textsf{ek}_i,v_i)$ to the evaluator. The latter will be able to compute the output of the function f by executing $f(v_1,\ldots ,v_{n})=\textsf{Eval}(\textsf{crs}, c_1,\ldots ,c_{n})$. We focus on NI-MPC without session identifiers, i.e., the encryption algorithm does not take in input the unique identifier for the current round. Hence, messages computed in different rounds can be interleaved by design (this will affect the security definition of NI-MPC).

Formally, a NI-MPC protocol $\Pi $ for a function $f:\mathcal {V}_1\times \cdots \times \mathcal {V}_{n}\rightarrow \mathcal {Y}$ consists of the following algorithms:

$\textsf{Setup}(1^\lambda ,f)$::: Upon input the security parameter $1^{\lambda }$ and a function $f:\mathcal {V}_1\times \cdots \times \mathcal {V}_{n}\rightarrow \mathcal {Y}$, the setup algorithm outputs the common reference string $\textsf{crs}$ and n encryption keys $\textsf{ek}_1,\ldots ,\textsf{ek}_{n}$.
$\textsf{Enc}(\textsf{crs},\textsf{ek}_i,v_i)$::: Upon input a common reference string $\textsf{crs}$, an input $v_i \in \mathcal {V}_i$, and an encryption key $\textsf{ek}_i$, the randomized encryption algorithm outputs a ciphertext $c_i$.
$\textsf{Eval}(\textsf{crs},c_1,\ldots ,c_{n})$::: Upon input a common reference string $\textsf{crs}$ and n ciphertexts $c_1,\ldots ,c_{n}$, the deterministic evaluation algorithm outputs a value $y \in \mathcal {Y}$.

Correctness states that the evaluation of n ciphertext $(c_1,\ldots ,c_{n})$, computed over the inputs $(v_1,\ldots ,v_{n})$, outputs $f(v_1,\ldots ,v_{n})$

Definition 17

(Correctness of NI-MPC). A NI-MPC protocol for a function $f: \mathcal {V}_1\times \cdots \times \mathcal {V}_{n}\rightarrow \mathcal {Y}$ is correct if $\forall \lambda \in \mathbb {N}$, $\forall (v_1,\ldots ,v_{n}) \in \mathcal {V}_1\times \cdots \times \mathcal {V}_{n}$, we have:

$$\begin{aligned} \mathbb {P}\left[ \textsf{Eval}(\textsf{crs},c_1,\ldots ,c_{n}) = f(v_1,\ldots ,v_{n})\right] = 1 - \textsf {negl}(\lambda ), \end{aligned}$$

where $(\textsf{crs},\textsf{ek}_1,\ldots ,\textsf{ek}_{n}) {{\leftarrow {\$}}}\textsf{Setup}(1^\lambda ,f)$ and $c_i {{\leftarrow {\$}}}\textsf{Enc}(\textsf{crs},\textsf{ek}_i,v_i)$ for $i \in [n]$. The above probability is taken over the random coins of $\textsf{Setup}$ and $\textsf{Enc}$.

As for security, a k-robust NI-MPC guarantees the secrecy of the inputs of honest parties even in the presence of an adversary that corrupts a set $\mathcal {Q}_\textsf{Corr}$ of k parties (when an adversary corrupts the ith party it obtains its encryption key $\textsf{ek}_i$ and the latter gives to the adversary the ability of producing adversarially chosen messages using $\textsf{ek}_i$). Following the blueprint of Halevi et al. [32] (see also [14]), this is formalized by an indistinguishability-based definition that states the infeasibility of distinguishing between $(\textsf{Enc}(\textsf{crs},\textsf{ek}_1,v^0_1),\ldots , \textsf{Enc}(\textsf{crs},\textsf{ek}_{n},v^0_{n}))$ and $(\textsf{Enc}(\textsf{crs},\textsf{ek}_1,v^1_1),\ldots , \textsf{Enc}(\textsf{crs},\textsf{ek}_{n},v^1_{n}))$,^{Footnote 27} so long as any interleaving of the honest inputs with any adversarially chosen input $v'_i \in \mathcal {V}_i$, belonging to a corrupted party $i \in \mathcal {Q}_\textsf{Corr}$, produces the same function evaluation. In addition, security of NI-MPC can be formulated in two different settings, named non-reusable and reusable NI-MPC:

Non-reusable NI-MPC guarantees the secrecy of parties’ inputs only if the setup is executed after each round (i.e., a single evaluation $f(v_1,\ldots ,v_{n})$ per setup is allowed).
On the other hand, reusable NI-MPC provides a stronger security guarantees allowing parties to use the same setup in multiple rounds. As defined in [32], full-fledged reusability NI-MPC makes use of session identifiers in order to block interleaving of messages produced in different rounds. In particular, in each round of computation, the parties compute their messages $c_1,\ldots ,c_{n}$ by attaching to them a unique session identifiers $\ell $. Only messages $c_1,\ldots ,c_{n}$ with the same identifier $\ell $ can be evaluated together yielding $f(v_1,\ldots ,v_{n}) = \textsf{Eval}(\textsf{crs},c_1,\ldots ,c_{n})$.

We focus on a weaker notion of reusability without session identifiers, specifically tailored for all-or-nothing functions, that allows to re-use the same setup until a certain condition is satisfied. An all-or-nothing function $f_P:\mathcal {V}_1\times \cdots \times \mathcal {V}_{n} \rightarrow (\mathcal {M}_1 \times \cdots \times \mathcal {M}_{n})\cup \{\bot \}$ returns parties’ messages $(m_1,\ldots ,m_{n})\in \mathcal {M}_{1}\times \cdots \times \mathcal {M}_{n}$ only if a predicate $P(x_1,\ldots ,x_{n})$ is satisfied, i.e.,

$$\begin{aligned} f_{P}(v_1,\ldots ,v_{n}) = {\left\{ \begin{array}{ll} (m_1,\ldots ,m_{n}) &{} \text {if } P(x_1,\ldots ,x_{n}) =1\\ \bot &{} \text { otherwise} \end{array}\right. } \end{aligned}$$

(15)

where $v_i=(x_i,m_i) \in \mathcal {V}_i = \mathcal {X}_i \times \mathcal {M}_i$ for $i\in [n]$. We named our weaker notion of reusability CPA-1-sided reusability and, in a nutshell, it allows parties to reuse the same setup (without affecting the security of the protocol) so long as $f_P$ evaluates $\bot $ for any combinations of the honest inputs and every input associated to the corrupted parties.^{Footnote 28} This condition resembles the CPA-1-sided security of multi-input PE (Definition 13).

Definition 18

(CPA-1-sided reusable k-robust security of NI-MPC for all-or-nothing functions). Let $f_P:\mathcal {V}_1\times \cdots \times \mathcal {V}_{n} \rightarrow (\mathcal {M}_1 \times \cdots \times \mathcal {M}_{n})\cup \{\bot \}$ be an all-or-nothing function as defined in Eq. (15). We say that a NI-MPC protocol $\Pi $ for $f_P$ is CPA-1-sided reusable k-robust secure if for any valid PPT adversary $\textsf{A}=(\textsf{A}_0,\textsf{A}_1)$ we have:

$$\begin{aligned} \left|\mathbb {P}\left[ \textbf{G}^{\textsf{ni}\text {-}\textsf{mpc}}_{\Pi ,\textsf{A}}(\lambda )\right] -\frac{1}{2}\right|\le \textsf {negl}(\lambda ){} \end{aligned}$$

where $\textbf{G}^{\textsf{ni}\text {-}\textsf{mpc}}_{\Pi ,\textsf{A}}(\lambda )$ is depicted in Fig. 10. Let $\mathcal {Q}_i = \mathcal {Q}_{\textsf{Enc}(\textsf{crs},\textsf{ek}_i,\cdot )}$ for $i \in [n]{\setminus } \mathcal {Q}_\textsf{Corr}$ and $\mathcal {Q}_i = \mathcal {X}_{i}$ for $i \in \mathcal {Q}_\textsf{Corr}$. Adversary $\textsf{A}$ is called valid if $|\mathcal {Q}_\textsf{Corr}| \le k$ and $\forall d\in {{\leftarrow {\$}}}$, $\forall j \in [n]$, $\forall (v'_1,\ldots ,v'_{n}) \in \mathcal {Q}_1 \cup \{v^d_1\} \times \cdots \times \mathcal {Q}_{n} \cup \{v^d_{n}\}$, we have that

$$\begin{aligned} f_P(v'_0,\ldots ,v'_{j-1},v^{d}_j,v'_{j+1},\ldots ,v'_{n-1}) = \bot . \end{aligned}$$

We stress that both the flavors of corruption and challenge selection considered in our Definition 18 are stronger than the one of Halevi et al. [32]. In Definition 18, the adversary can both choose which parties want to corrupt and the challenge adaptively. On the other hand, [32] only covers selective security on both aspects.

Remark 3

(On the relation between NI-MPC, iO, and null iO). As note by previous works [14, 32], NI-MPC has strong relations with iO. Taking into account full-fledged reusability, indistinguishability-based 0-robust NI-MPC for general functions that supports $n = \textsf {poly}(\lambda )$ parties implies iO. The construction is reminiscent to that of iO from multi-input functional encryption [29]. Analogously, we can translate the above implications to the setting of CPA-1-sided reusability and null iO (and, in turn WE) [19, 31, 48], i.e., CPA-1-sided reusable 0-robust NI-MPC for general functions that supports $n=\textsf {poly}(\lambda )$ parties implies null iO. This shows that nonetheless CPA-1-sided reusability is a weakening of standard reusability, it is non-trivial to achieve for general functions. Moreover, if we consider 1-robustness, we can get rid of both the (CPA-1-sided) reusability and $n=\textsf {poly}(\lambda )$ parties requirements. In particular, as described in Sect. 1.4, we can build iO (resp. null iO) from indistinguishability-based (resp. CPA-1-sided) non-reusable 1-robust NI-MPC supporting $n=2$ parties.^{Footnote 29}

6.2.1 Construction of NI-MPC for all-or-nothing functions from Multi-input PE

Here, we build a CPA-1-sided reusable k-robust NI-MPC protocol for $f_P:\mathcal {V}_1\times \cdots \times \mathcal {V}_{n} \rightarrow (\mathcal {M}_1\times \cdots \times \mathcal {M}_{n}) \cup \{\bot \}$ (defined as in Eq. (15)) from any CPA-1-sided secure n-input PE in the k-corruptions setting without collusions.

Construction 6

Let $\textsf{iPE}_1 = (\textsf{Setup}_1, \textsf{KGen}_1, \textsf{Enc}_1, \textsf{Dec}_1)$ be a n-input PE scheme with message space $\mathcal {M}= \mathcal {M}_1\times \cdots \times \mathcal {M}_{n}$, input space $\mathcal {X}= \mathcal {X}_1 \times \cdots \times \mathcal {X}_{n}$, and predicate space $\mathcal {P}_1 = \{P(x_1,\ldots ,x_{n})\}$. Let $\mathcal {V}_i = \mathcal {X}_i \times \mathcal {M}_i$ for $i \in [n]$. For every $P\in \mathcal {P}_1$, we build a NI-MPC protocol for the function $f_P:\mathcal {V}_1\times \cdots \times \mathcal {V}_{n} \rightarrow (\mathcal {M}_1\times \cdots \times \mathcal {M}_{n}) \cup \{\bot \}$ (as defined in Eq. (15)) in the following way:

$\textsf{Setup}(1^\lambda ,f_P)$::: Upon input the security parameter $1^{\lambda }$ and a function $f_P$, the randomized setup algorithm computes $(\textsf{ek}_1,\ldots ,\textsf{ek}_{n},\textsf{msk}) {{\leftarrow {\$}}}\textsf{Setup}_1(1^\lambda )$ and $\textsf{dk}_P= \textsf{KGen}_1(\textsf{msk},P)$ where $P\in \mathcal {P}_1$ is the predicate defining the function $f_P$. Finally, it returns $\textsf{crs}= \textsf{dk}_P$ and $\textsf{ek}_1,\ldots ,\textsf{ek}_{n}$.
$\textsf{Enc}(\textsf{crs},\textsf{ek}_i,v_i)$::: Let $i \in [n]$. Upon input the common reference string $\textsf{crs}= \textsf{dk}_P$, the encryption key $\textsf{ek}_i$, and the input $v_i = (x_i,m_i) \in \mathcal {V}_i$, the randomized encryption algorithm outputs $c_i{{\leftarrow {\$}}}\textsf{Enc}_1(\textsf{ek}_i,x_i,m_i)$.
$\textsf{Eval}(\textsf{crs},c_1,\ldots ,c_{n})$::: On input the common reference string $\textsf{crs}=\textsf{dk}_P$ and n ciphertexts $c_1,\ldots ,c_{n}$, the evaluation algorithm outputs $\textsf{Dec}_1(\textsf{dk}_P,c_1,\ldots ,c_{n})$.

Correctness follows from that of the underlying n-input PE $\textsf{iPE}_1$. In particular, correctness for the case $f_P((x_1,m_1),\ldots ,(x_{n},m_{n})) = \bot $ (i.e., $P$ is not satisfied) can be obtained by extending the $\textsf{iPE}_1$’s correctness to the case of $P$ is not satisfied, i.e., $\textsf{Dec}(\textsf{dk}_P,c_1,\ldots ,c_{n}) = \bot $ whenever $P(x_1,\ldots ,x_{n}) =0$.^{Footnote 30}

Security of Construction 6 is formalized by Theorem 9. By combining Theorems 9 and 6 (and [30]), we obtain a CPA-1-sided reusable 0-robust NI-MPC protocol for $n=\textsf {poly}(\lambda )$ parties (based on the LWE assumption) for all-or-nothing functions $f_P$ (Eq. (15)) where $P$ is a conjunctions of arbitrary predicates with wildcards. Similarly, by combining Theorems 9 and 7, we obtain a CPA-1-sided reusable $(n-1)$-robust NI-MPC protocol for $n=O(1)$ parties for the same class of functions. Both settings are non-trivial, and they both imply null iO (and WE) in the case of NI-MPC for general functions (see Sects. 1.3 and Remark 3).

Theorem 9

Let $\textsf{iPE}_1$ as above. If $\textsf{iPE}_1$ is CPA-1-sided secure in the k-corruptions setting without collusions (Definition 13), then $\Pi $ of Construction 6 is CPA-1-sided reusable k-robust secure (Definition 18).

Proof

Suppose there exists a valid PPT adversary $\textsf{A}$ with a non-negligible advantage in breaking the partial reusability k-robust security of NI-MPC. we build an adversary $\textsf{A}'$ that breaks the CPA-1-sided security in the k-corruptions setting without collusions of $\textsf{iPE}_1$. $\textsf{A}'$ proceeds as follows:

1.
Send $P$ to the oracle $\textsf{KGen}_1(\textsf{msk},\cdot )$ and receive $\textsf{dk}_P$.
2.
Send $\textsf{crs}=\textsf{dk}_P$ to $\textsf{A}$.
3.
$\textsf{A}'$ answers the incoming oracle queries as follows:
- On input $v_i=(x,m) \in \mathcal {V}_i$ for $\textsf{Enc}(\textsf{crs},\textsf{ek}_i,\cdot )$ where $i \in [n]$, forward the query $(x,m)$ to $\textsf{Enc}_1(\textsf{ek}_i,\cdot ,\cdot )$ and return the answer $c_i$ to $\textsf{A}$.
- On input $i\in [n]$ for $\textsf{Corr}(\cdot )$, forward the query i to oracle $\textsf{Corr}_1(\cdot )$ and return the answer $\textsf{ek}_i$ to $\textsf{A}$.
4.
Receive the challenge $(v^0_1=(x_1^0,m_1^0),\ldots ,v^0_{n}=(x^0_{n},m^0_{n}))$ and $(v^1_1=(x_1^1,m_1^1),\ldots ,v^1_{n}=(x^1_{n},m^1_{n}))$.
5.
Send $((m_1^0,\ldots ,m_{n}^0),(x_1^0,\ldots ,x_{n}^0))$ and $((m_1^1,\ldots ,m_{n}^1),(x_1^1, \ldots ,x_{n}^1))$ to the challenger.
6.
Receive the ciphertexts $(c_1,\ldots ,c_{n})$ and forward them to $\textsf{A}$.
7.
Answer to the incoming oracle queries as in Item 3.
8.
Return the output of $\textsf{A}$.

The adversary $\textsf{A}'$ perfectly simulates the view of $\textsf{A}$. Moreover, by combining $|\mathcal {Q}_{\textsf{KGen}_1}| = 1$ ($\textsf{A}$ submits a single query to the $\textsf{KGen}_1$ oracle) and $\textsf{A}$’s validity, we can easily conclude that $\textsf{A}'$ is a valid adversary for the experiment $\textbf{G}^{k\text {-}\textsf{CPA}\text {-}1\text {-}\textsf{iPE}}_{\textsf{iPE}, \textsf{A}'}(\lambda )$ without collusions. This concludes the proof. $\square $

Notes

Sometimes, we also refer to x as the predicate input. Throughout the paper, we use the terms attribute and input interchangeably.
This is one of the differences between multi-key PE and multi-input PE: the former has a public-key encryption algorithm, whereas the latter could have a secret-key encryption algorithm.
Note that, in the setting with no corruptions, assuming the presence of a (single) wildcard $x^\star _i$ for each $P_i$ does not affect the expressiveness and the security guarantees of multi-input PE. This is because the ith sender can simply choose not to encrypt $x^\star _i$, which will not permit the receiver to evaluate $P_i$ over $x^\star _i$.
Note that, in case of no corruptions, our CPA-1-sided construction supports $n=\textsf {poly}(\lambda )$. However, to achieve CPA-2-sided security we use complexity leveraging and this reduces n from $\textsf {poly}(\lambda )$ to $O(\log (\lambda ))$.
Observe that the decryption keys can be interleaved. For example, starting from $(\textsf{dk}_{v_1},\ldots ,\textsf{dk}_{v_i},\ldots \textsf{dk}_{v_{n}})$ representing the predicate $P_{v_1,\ldots ,v_{i},\ldots ,v_{n}}$, the adversary can ask for an additional ith decryption key $\textsf{dk}_{v'_i}$ and rearrange the decryption keys as $(\textsf{dk}_{v_1},\ldots ,\textsf{dk}_{v'_i},\ldots \textsf{dk}_{v_{n}})$ in order to obtain the tuple representing a different predicate $P_{v_1,\ldots , v'_i,\ldots , v_{n}} \ne P_{v_1,\ldots , v_i,\ldots , v_{n}}$.
By leveraging hybrid encryption, we can transform any PE into one with $\textsf {poly}(\lambda )+ |m|$ ciphertext expansion, i.e., $\textsf{Enc}'(\textsf{mpk},x,m) = \textsf{Enc}(\textsf{mpk},x,s) || \textsf{PRG}(s) \oplus m$ where $s {{\leftarrow {\$}}}{{\leftarrow {\$}}}^\lambda $.
When we write CPA secure PE, without specifying 1-sided or 2-sided security, we refer to a PE scheme that guarantees only the secrecy of the message. CPA secure PE is the same as CPA secure ABE.
Indeed, as we discuss in Sect. 4.3, CPA-1-sided (resp. CPA-2-sided) secure multi-input PE for arbitrary predicates implies CPA-1-sided (resp. CPA-2-sided) secure multi-key PE.
In other words, the secret keys are cyclically ordered.
If this condition is not satisfied, the adversary has obtained through the encryption oracles a set of ciphertexts that can be interleaved with one (or more) parts of the challenge ciphertext in order to satisfy the predicate $P^*$.
As we discuss in Sect. 5.4, our construction remains secure if we consider a weaker form of collusion in which the adversary can only obtain multiple decryption keys for predicates $P$ such that there is a unique j for all predicates (submitted to $\textsf{KGen}$) that satisfies the validity condition (ii).
Recall that wildcards must be efficiently computable.
Note that security of NI-MPC for general functions is formalized by an indistinguishability-based definition [14, 32]. This is because simulation-based NI-MPC implies virtual black box (VBB) obfuscation that is known to be impossible for certain classes of functions [13].
Observe that the same construction works if we start from a multi-key PE whose encryption algorithm is secret-key, i.e., the $\textsf{mpk}$ (required to execute $\textsf{Enc}$) is replaced with an encryption key $\textsf{ek}$ that is kept secret.
A similar construction can be used to build iO from 2-input FE with security under 1 corruption and no collusions.
If wildcards exist, a malicious receiver can always decrypt the message by evaluating the predicate over the wildcards.
This is equivalent to saying that the output of $\textbf{G}_{\Pi ,\textsf{A}}(\lambda )$ is set to 0 when $\textbf{E}$ does not hold.
For the sake of clarity, we implicitly assume that challenge messages and inputs have the same length, i.e., $|m^0| = |m^1|$ and $|x^0| = |x^1|$ (this is required to exclude trivial attacks). We stress that when the single-input PE scheme has an apriori bound on the length of the messages and attributes (defined on setup), the latter have same length by definition.
As usual, we implicitly assume that challenge messages and inputs have the same length, i.e., $|m^0| = |m^1|$ and $|x^0| = |x^1|$ (this is required to exclude trivial attacks). We stress that when the multi-key PE scheme has an apriori bound on the length of the messages and attributes (defined on setup), the latter have same length by definition.
Observe that $\mathcal {Q}^0_i$ and $\mathcal {Q}^1_i$ are identical except for the last element.
As for multi-key PE, we implicitly assume that challenge messages and inputs have the same length, i.e., $|m^0_i| = |m^1_i|$ and $|x^0_i| = |x^1_i|$ for $i \in [n]$ (this is required to exclude trivial attacks). We stress that when the multi-input PE scheme has an apriori bound on the length of the messages and attributes (defined on setup), the latter have same length by definition.
As usual, we implicitly assume that the challenge messages and inputs have the same length, i.e., $|m^0_i| = |m^1_i|$ and $|x^0_i| = |x^1_i|$ for $i \in [n]$.
We stress each $\textsf{PE}_i$ requires a different PRG with a particular stretch depending on the size of the message we wish to encrypt. Alternatively, it is possible to use a single PRG if the latter has an arbitrary polynomial stretch.
This allow us to reuse the proof in Lemmas 6 and 7.
Since we are in the $(n-1)$-corruptions setting (i.e, $|\mathcal {Q}_{\textsf{Corr}}|\le n-1$) such as $j_0,j_1\in [n]\setminus \mathcal {Q}_{\textsf{Corr}}$ always exist.
Depending on the scenario, the evaluator can be any of the parties running the NI-MPC protocol.
Simulation-based security of NI-MPC for general functions is impossible. Indeed, simulation-based NI-MPC implies virtual black box (VBB) obfuscation [14, 29, 32] and the latter is impossible for certain class of circuits/functions [13].
We consider every combination of the inputs due to the lack of session identifiers.
Non-reusable 1-robust security of NI-MPC means that the honest encryption key $\textsf{ek}_i$ is used only once (i.e., to compute a single message) whereas $\textsf{ek}_{1-i}$ is revealed to the adversary (i.e., the adversary can use it multiple times without breaking the security of the NI-MPC protocol).
Correctness for the case $P(x_1,\ldots ,x_{n})=0$ can be seamlessly added to any multi-input PE scheme by applying an efficiently computable and invertible padding $\Phi (\cdot )$ (e.g., $\Phi (m) = m|| 1 || 0^\lambda $ where $\lambda $ is the security parameter) before encrypting the message $m_i$, i.e., $\textsf{Enc}(\textsf{ek}_i,x_i,\Phi (m_i))$. On decryption, the n-input PE scheme will return $\bot $ whenever the padding is invalid.

References

M. Abdalla, F. Benhamouda, R. Gay, From single-input to multi-client inner-product functional encryption, in S.D. Galbraith, S. Moriai, editors, ASIACRYPT 2019, Part III. LNCS, vol. 11923 (Springer, Heidelberg, 2019), pp. 552–582
M. Abdalla, F. Benhamouda, M. Kohlweiss, H. Waldner, Decentralizing inner-product functional encryption, in D. Lin, K. Sako, editors, PKC 2019, Part II. LNSC, vol. 11443 (Springer, Heidelberg, 2019), pp. 128–157
M. Abdalla, D. Catalano, D. Fiore, R. Gay, B. Ursu, Multi-input functional encryption for inner products: function-hiding realizations and constructions without pairings, in H. Shacham, A. Boldyreva, editors, CRYPTO 2018, Part I. LNCS, vol. 10991 (Springer, Heidelberg, 2018), pp. 597–627
M. Abdalla, R. Gay, M. Raykova, H. Wee, Multi-input inner-product functional encryption from pairings, in J.-S. Coron, J.B. Nielsen, editors, EUROCRYPT 2017, Part I. LNCS, vol. 10210 (Springer, Heidelberg, 2017), pp. 601–626
S. Agrawal, D.M. Freeman, V. Vaikuntanathan, Functional encryption for inner product predicates from learning with errors, in D.H. Lee and X. Wang, editors, ASIACRYPT 2011. LNCS, vol. 7073 (Springer, Heidelberg, 2011), pp. 21–40
S. Agrawal, R. Goyal, J. Tomida, Multi-input quadratic functional encryption from pairings, in T. Malkin, C. Peikert, editors, CRYPTO 2021, Part IV. Virtual Event. LNCS, vol. 12828 (Springer, Heidelberg, 2021), pp. 208–238
S. Agrawal, R. Goyal, J. Tomida, Multi-input quadratic functional encryption: stronger security, broader functionality, in TCC 2022 (Springer, 2023), pp. 711–740
S. Agrawal, A. Yadav, S. Yamada, Multi-input attribute based encryption and predicate encryption, in CRYPTO 2022 (Springer, 2022), pp. 590–621
P. Ananth, A. Jain, Indistinguishability obfuscation from compact functional encryption, in R. Gennaro, M.J.B. Robshaw, editors, CRYPTO 2015, Part I. LNCS, vol. 9215 (Springer, Heidelberg, 2015), pp. 308–326
G. Ateniese, D. Francati, D. Nuñez, D. Venturi, Match me if you can: Matchmaking encryption and its applications, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part II. LNCS, vol. 11693 (Springer, Heidelberg, 2019), pp. 701–731
G. Ateniese, D. Francati, D. Nuñez, D. Venturi, Match me if you can: matchmaking encryption and its applications. J. Cryptol. 34(3), 1–50 (2021)
Article MathSciNet Google Scholar
N. Attrapadung, Dual system encryption via doubly selective security: framework, fully secure functional encryption for regular languages, and more, in P.Q. Nguyen, E. Oswald, editors, EUROCRYPT 2014. LNCS, vol. 8441 (Springer, Heidelberg, 2014), pp. 557–577
B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S.P. Vadhan, K. Yang. On the (im)possibility of obfuscating programs, in J. Kilian, editor, CRYPTO 2001. LNCS, vol. 2139 (Springer, Heidelberg, 2001), pp. 1–18
A. Beimel, A. Gabizon, Y. Ishai, E. Kushilevitz, S. Meldgaard, A. Paskin-Cherniavsky, Non-interactive secure multiparty computation, in J.A. Garay, R. Gennaro, editors, CRYPTO 2014, Part II. LNCS, vol. 8617 (Springer, Heidelberg, 2014), pp. 387–404
N. Bitansky, V. Vaikuntanathan, Indistinguishability obfuscation from functional encryption, in V. Guruswami, editor, 56th FOCS (IEEE Computer Society Press, 2015), pp. 171–190
D. Boneh, K. Lewi, M. Raykova, A. Sahai, M. Zhandry, J. Zimmerman, Semantically secure order-revealing encryption: multi-input functional encryption without obfuscation, in E. Oswald, M. Fischlin, editors, EUROCRYPT 2015, Part II. LNCS, vol. 9057 (Springer, Heidelberg, 2015), pp. 563–594
D. Boneh, B. Waters, Conjunctive, subset, and range queries on encrypted data, in S.P. Vadhan, editor, TCC 2007. LNCS, vol. 4392 (Springer, Heidelberg, 2007), pp. 535–554
Z. Brakerski, N. Döttling, S. Garg, G. Malavolta, Factoring and pairings are not necessary for iO: circular-secure LWE suffices, in ICALP 2022 (Schloss Dagstuhl-Leibniz-Zentrum für Informatik, 2022)
Z. Brakerski, A. Jain, I. Komargodski, A. Passelègue, D. Wichs, Non-trivial witness encryption and null-iO from standard assumptions, in D. Catalano, R. De Prisco, editors, SCN 18. LNCS, vol. 11035 (Springer, Heidelberg, 2018), pp. 425–441
J. Chen, Y. Li, J. Wen, J. Weng, Identity-based matchmaking encryption from standard assumptions, in ASIACRYPT 2022 (Springer, 2022)
J. Chotard, E.D. Sans, R. Gay, D.H. Phan, D. Pointcheval, Decentralized multi-client functional encryption for inner product, in T. Peyrin, S. Galbraith, editors, ASIACRYPT 2018, Part II. LNCS, vol. 11273 (Springer, Heidelberg, 2018), pp. 703–732
M. Ciampi, L. Siniscalchi, H. Waldner, Multi-client functional encryption for separable functions, in J. Garay, editor, PKC 2021, Part I. LNCS, vol. 12710 (Springer, Heidelberg, 2021), pp. 724–753
M. Clear, C. McGoldrick, Multi-identity and multi-key leveled FHE from learning with errors, in R. Gennaro, M.J.B. Robshaw, editors, CRYPTO 2015, Part II. LNCS, vol. 9216 (Springer, Heidelberg, 2015), pp. 630–656
P. Datta, T. Okamoto, J. Tomida, Full-hiding (unbounded) multi-input inner product functional encryption from the $k$-Linear assumption, in M. Abdalla, R. Dahab, editors, PKC 2018, Part II. LNCS, vol. 10770 (Springer, Heidelberg, 2018), pp. 245–277
D. Francati, D. Friolo, G. Malavolta, D. Venturi, Multi-key and multi-input predicate encryption from learning with errors, in Annual International Conference on the Theory and Applications of Cryptographic Techniques (Springer, 2023), pp. 573–604
D. Francati, A. Guidi, L. Russo, D. Venturi, Identity-based matchmaking encryption without random oracles, in INDOCRYPT 2021 (Springer, 2021), pp. 415–435
S. Garg, C. Gentry, A. Sahai, B. Waters, Witness encryption and its applications, in D. Boneh, T. Roughgarden, J. Feigenbaum, editors, 45th ACM STOC (ACM Press, 2013), pp. 467–476
R. Gay, R. Pass, Indistinguishability obfuscation from circular security, in S. Khuller, V.V. Williams, editors, STOC ’21: 53rd Annual ACM SIGACT Symposium on Theory of Computing, Virtual Event, Italy, June 21–25, 2021 (ACM, 2021), pp. 736–749
S. Goldwasser, S. Dov Gordon, V. Goyal, A. Jain, J. Katz, F.-H. Liu, A. Sahai, E. Shi, H.-S. Zhou, Multi-input functional encryption, in P.Q. Nguyen, E. Oswald, editors, EUROCRYPT 2014. LNCS, vol. 8441 (Springer, Heidelberg, 2014), pp. 578–602
S. Gorbunov, V. Vaikuntanathan, H. Wee, Predicate encryption for circuits from LWE, in R. Gennaro, M.J.B. Robshaw, editors, CRYPTO 2015, Part II. LNCS, vol. 9216 (Springer, Heidelberg, 2015), pp. 503–523
R. Goyal, V. Koppula, B. Waters, Lockable obfuscation, in C. Umans, editor, 58th FOCS (IEEE Computer Society Press, 2017), pp. 612–621
S. Halevi, Y. Ishai, A. Jain, I. Komargodski, A. Sahai, E. Yogev, Non-interactive multiparty computation without correlated randomness, in T. Takagi, T. Peyrin, editors, ASIACRYPT 2017, Part III. LNCS, vol. 10626 (Springer, Heidelberg, 2017), pp. 181–211
S. Halevi, Y. Ishai, A. Jain, E. Kushilevitz, T. Rabin, Secure multiparty computation with general interaction patterns, in M. Sudan, editor, ITCS 2016 (ACM, 2016), pp. 157–168
S. Halevi, Y. Lindell, B. Pinkas, Secure computation on the web: computing without simultaneous interaction, in P. Rogaway, editor, CRYPTO 2011. LNCS, vol. 6841 (Springer, Heidelberg, 2011), pp. 132–150
A. Jain, H. Lin, A. Sahai, Indistinguishability obfuscation from well-founded assumptions, in S. Khuller, V.V. Williams, editors, STOC ’21: 53rd Annual ACM SIGACT Symposium on Theory of Computing, Virtual Event, Italy, June 21–25, 2021 (ACM, 2021), pp. 60–73
A. Jain, H. Lin, A. Sahai, Indistinguishability obfuscation from LPN over $\mathbb{F}_p$, DLIN, and PRGs in ${NC}^0$, in O. Dunkelman, S. Dziembowski, editors, EUROCRYPT 2022, Part I. LNCS, vol. 13275 (Springer, Heidelberg, 2022), pp. 670–699
J. Katz, A. Sahai, B. Waters, Predicate encryption supporting disjunctions, polynomial equations, and inner products, in N.P. Smart, editor, EUROCRYPT 2008. LNCS, vol. 4965 (Springer, Heidelberg, 2008), pp. 146–162
A.B. Lewko, T. Okamoto, A. Sahai, K. Takashima, B. Waters, Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption, in H. Gilbert, editor, EUROCRYPT 2010. LNCS, vol. 6110 (Springer, Heidelberg, 2010), pp. 62–91
B. Libert, R. Titiu, Multi-client functional encryption for linear functions in the standard model from LWE, in S.D. Galbraith, S. Moriai, editors, ASIACRYPT 2019, Part III. LNCS, vol. 11923 (Springer, Heidelberg, 2019), pp. 520–551
A. López-Alt, E. Tromer, V. Vaikuntanathan, On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption, in H.J. Karloff, T. Pitassi, editors, 44th ACM STOC (ACM Press, 2012), pp. 1219–1234
P. Mukherjee, D. Wichs, Two round multiparty computation via multi-key FHE. In M. Fischlin, J.-S. Coron, editors, EUROCRYPT 2016, Part II. LNCS, vol. 9666 (Springer, Heidelberg, 2016), pp. 735–763
T. Okamoto, K. Takashima, Fully secure functional encryption with general relations from the decisional linear assumption, in T. Rabin, editor, CRYPTO 2010. LNCS, vol. 6223 (Springer, Heidelberg, 2010), pp. 191–208
T. Okamoto, K. Takashima, Adaptively attribute-hiding (hierarchical) inner product encryption, in D. Pointcheval, T. Johansson, editors, EUROCRYPT 2012. LNCS, vol. 7237 (Springer, Heidelberg, 2012), pp. 591–608
J. Tomida, Tightly secure inner product functional encryption: multi-input and function-hiding constructions, in S.D. Galbraith, S. Moriai, editors, ASIACRYPT 2019, Part III. LNCS, vol. 11923 (Springer, Heidelberg, 2019), pp. 459–488
B. Waters, Functional encryption for regular languages, in R. Safavi-Naini, R. Canetti, editors, CRYPTO 2012. LNCS, vol. 7417 (Springer, Heidelberg, 2012), pp. 218–235
H. Wee, Dual system encryption via predicate encodings, in Y. Lindell, editor, TCC 2014. LNCS, vol. 8349 (Springer, Heidelberg, 2014), pp. 616–637
H. Wee, D. Wichs, Candidate obfuscation via oblivious LWE sampling, in A. Canteaut, F.-X. Standaert, editors, EUROCRYPT 2021, Part III. LNCS, vol. 12698 (Springer, Heidelberg, 2021), pp. 127–156
D. Wichs, G. Zirdelis, Obfuscating compute-and-compare programs under LWE, in C. Umans, editor, 58th FOCS (IEEE Computer Society Press, 2017), pp. 600–611

Download references

Acknowledgements

The first author was supported by the Carlsberg Foundation under the Semper Ardens Research Project CF18-112 (BCM); the second and the fourth were supported by project SERICS (PE00000014) and by project PARTHENON (B53D23013000006), under the MUR National Recovery and Resilience Plan funded by the European Union - NextGenerationEU; the third author was partially supported by the German Federal Ministry of Education and Research (BMBF) in the course of the 6GEM research hub under Grant No. 16KISK038, by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy - EXC 2092 CASA - 390781972, and by the European Research Council through an ERC Starting Grant (Grant agreement No. 101077455, ObfusQation).

Funding

Open access funding provided by Aarhus Universitet

Author information

Authors and Affiliations

Aarhus University, Aarhus, Denmark
Danilo Francati
Sapienza University of Rome, Rome, Italy
Daniele Friolo & Daniele Venturi
Bocconi University, Milan, Italy
Giulio Malavolta

Authors

Danilo Francati
View author publications
You can also search for this author in PubMed Google Scholar
Daniele Friolo
View author publications
You can also search for this author in PubMed Google Scholar
Giulio Malavolta
View author publications
You can also search for this author in PubMed Google Scholar
Daniele Venturi
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Danilo Francati.

Additional information

Communicated by Shweta Agrawal.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

An abridged version of this paper appears in the Proceedings of Advances in Cryptology-EUROCRYPT 2023: 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques [25].

“This paper was reviewed by Prabhanjan Ananth and David Wu.”.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions

About this article

Cite this article

Francati, D., Friolo, D., Malavolta, G. et al. Multi-key and Multi-input Predicate Encryption (for Conjunctions) from Learning with Errors. J Cryptol 37, 24 (2024). https://doi.org/10.1007/s00145-024-09504-7

Download citation

Received: 06 March 2023
Revised: 24 February 2024
Accepted: 18 April 2024
Published: 14 May 2024
DOI: https://doi.org/10.1007/s00145-024-09504-7

Keywords

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

Multi-key and Multi-input Predicate Encryption (for Conjunctions) from Learning with Errors

Abstract

Similar content being viewed by others

XHX – A Framework for Optimally Secure Tweakable Block Ciphers from Classical Block Ciphers and Universal Hashing

Efficient cryptanalysis of an encrypted database supporting data interoperability

Structured Encryption and Leakage Suppression

1 Introduction

1.1 Our Contributions

Theorem 1

Theorem 2

Theorem 3

1.2 Technical Overview

1.3 Applications

1.4 Relation with Witness Encryption

2 Related Work

3 Preliminaries

3.1 Notation

3.2 Lockable Obfuscation

Definition 1

Definition 2

Remark 1

3.3 Symmetric and Public Key Encryption

3.3.1 Symmetric Key Encryption

Definition 3

Definition 4

3.3.2 Public Key Encryption

Definition 5

Definition 6

3.4 Predicate Encryption

Definition 7

Definition 8

Definition 9

Remark 2

4 Multi-key and Multi-input Predicate Encryption

4.1 Multi-key PE

Definition 10

Definition 11

4.2 Multi-input PE

Definition 12

Definition 13

4.3 Relating Multi-key PE and Multi-input PE

Definition 14

Construction 1

Theorem 4

Proof

5 Constructions

5.1 Multi-key PE from PE and Lockable Obfuscation

Construction 2

Theorem 5

5.1.1 Proof of Theorem 5

Lemma 1

Proof

Claim 1

Proof

Claim 2

Proof

Claim 3

Proof

Lemma 2

Proof

Lemma 3

Proof

Claim 4

Proof

Claim 5

Proof

5.2 Secret-key Setting: Multi-input PE from PE, Lockable Obfuscation and SKE

Construction 3

Theorem 6

5.2.1 Proof of Theorem 6

Lemma 4

Proof

Claim 6

Proof

Claim 7

Proof

Claim 8

Proof

Lemma 5

Proof