Simplifying Design and Analysis of Complex Predicate Encryption Schemes
Abstract
Wee (TCC’14) and Attrapadung (Eurocrypt’14) introduced predicate and pair encodings, respectively, as a simple way to construct and analyze attribute-based encryption schemes, or more generally predicate encryption. However, many schemes do not satisfy the simple information theoretic property proposed in those works, and thus require much more complicated analysis. In this paper, we propose a new simple property for pair encodings called symbolic security. Proofs that pair encodings satisfy this property are concise and easy to verify. We show that this property is inherently tied to the security of predicate encryption schemes by arguing that any scheme which is not trivially broken must satisfy it. Then we use this property to discuss several ways to convert between pair encodings to obtain encryption schemes with different properties like small ciphertexts or keys. Finally, we show that any pair encoding satisfying our new property can be used to construct a fully secure predicate encryption scheme. The resulting schemes are secure under a new q-type assumption which we show follows from several of the assumptions used to construct such schemes in previous work.
Keywords
Encryption Scheme; Security Property; Regular Language; Full Version; Symbolic Property
1 Introduction
Traditional public key encryption allows an encryptor to use a public key to encrypt a message so that the owner of the corresponding secret key can decrypt. In 2005, Sahai and Waters [35] introduced the concept of attribute-based encryption, in which who can decrypt is determined by some more complex attributes of the decryptor and the message. Of course this is only meaningful if there is some party that can determine the attributes of the decryptor, thus the basic model assumes a trusted party who publishes parameters used in encryption, and who issues decryption keys to users based on their attributes; given such a key, a user should be able to decrypt any ciphertext which is compatible with his attributes. The initial result considered a simple threshold functionality: every ciphertext was encrypted with a set of attributes, and a user could decrypt if they possessed sufficiently many of those attributes. This was then generalized to key-policy ABE [22], in which the user’s key specifies a policy determining what attributes must be present in the ciphertext in order for that user to be able to decrypt, and ciphertext-policy ABE [10], which is the natural opposite in that the user’s key corresponds to a list of attributes and ciphertexts are encrypted with a policy which determines which attributes the user must have to decrypt.
Since then the field of ABE has grown dramatically. There has been work which extends the type of policies that can be considered, for example to non-monotone formulas [32], or even regular languages [38]. There has also been work which improves the efficiency of ABE in various dimensions, for example considering schemes with very short (e.g. constant size) ciphertexts or keys [7, 41], or schemes with very short parameters (again constant-size) which still support attributes from an unbounded space [29, 31, 33]. There has been work on distributing the job of the authority across multiple entities [14, 28], on updating ciphertexts [34], or hiding the key and/or ciphertext attributes [11, 12, 25, 36], and many other interesting directions.^{1}
One weakness in much of the early work is that the schemes presented were only shown to satisfy a weak notion of security called selective security. Selective security essentially only guarantees security for an adversary who chooses which type of ciphertext to attack (i.e. the attributes/policy for the ciphertext) without seeing the system parameters, any ciphertexts, or any decryption keys. Thus it was a major breakthrough when Waters introduced the dual-system encryption technique [37], paving the way for schemes which satisfied the natural definition, in which the adversary may choose what type of ciphertext to attack adaptively based on any of the other information it sees while interacting with the system. Since then there has been a lot of work focused on obtaining the results above under this more natural security definition, which is usually referred to as full security.
One of the main downsides of this process, however, is that while most of the original constructions were simple and intuitive, many of these new constructions are significantly more complex. Also many of the first fully secure schemes relied on composite-order pairing groups, which while conceptually simpler are not really usable in practice [23]. The effort to move these results to be based on standard prime-order pairing groups has added even more complexity [18, 24, 27]. As a result, the intuition for the resulting constructions is often difficult to follow, and the security analysis for these schemes is much more involved, so much so that even verifying the security proof is often very time consuming.
Two recent works by Wee and Attrapadung [2, 40] set out to simplify the process of designing and analyzing fully secure ABE schemes. They proposed a simple building block, called a predicate/pair encoding, which essentially considers what happens in the exponent of a single key and a single ciphertext. They proposed an information theoretic security property, which considers the distributions of these values, again only considering a single key and ciphertext, and showed that from any pair encoding scheme which satisfies this property one can construct a fully secure ABE scheme. The initial works proposed only composite-order group schemes; later works [1, 4, 15] have updated these results to prime-order groups.
These results led to very simple, intuitive, and easy to analyze constructions for several basic types of ABE schemes, that worked in efficient prime order groups, and were based on simple assumptions like DLIN or SXDH. However, there are many types of ABE schemes for which we do not know how to construct this type of pair encoding. And in fact there are many types of ABE which we do not know how to construct under simple assumptions using any approach, like ABE with short ciphertexts, or with large universe, or where an attribute can be used any number of times in a policy, etc.
To address this problem, Attrapadung [2] also proposed a different security notion for pair encodings, and showed that under this notion one could construct pair encodings for many more types of ABEs, and that this notion was sufficient to produce secure constructions under more complex q-type assumptions. However, proving that a pair encoding scheme satisfies the new security notion is again a challenging task. This property involves elements in bilinear groups rather than just the exponent, and it is no longer information-theoretic, so that it must be proved via reduction to a different q-type assumption for every encoding. These reductions are very complex, and again verifying the security becomes a matter of studying several pages of proof (9 pages for predicate encryption for regular languages, for instance), providing relatively little intuition for why the scheme is secure.
1.1 Our Contributions
Our goal in this work is to simplify the process of designing and analyzing ABE schemes for those types of ABEs which we only know how to construct from q-type assumptions. Towards this, we introduce a very different kind of security property for pair encodings that completely does away with any kind of distributions, and show that it is a very powerful and natural property through a series of results. We believe it provides a new perspective for looking at the security of predicate encryption schemes.
A pair encoding scheme, as defined by Attrapadung [2], gives a way to encode the two inputs x and y to a predicate into polynomials of a simple structure. These polynomials have three types of variables: common variables shared by the encodings of x and y, and variables specific to the encoding of x and to that of y.
A New Property for Pair Encodings. We present a new security property for pair encodings that essentially requires one to describe a mapping from the variables in the encoding to matrices and vectors. Once a mapping is specified, verifying that the property holds is just a matter of checking if the polynomials in the encoding evaluate to 0 when the variables are substituted.^{2} Thus verification is much easier compared to any property known before, since they all require checking whether certain distributions are (perfectly, statistically or computationally) indistinguishable. We call our new property the symbolic property (\(\mathsf {Sym}\text {-}\mathsf {Prop}\)) since verification only involves symbolic manipulation.
We show how to convert any pair encoding that satisfies \(\mathsf {Sym}\text {-}\mathsf {Prop}\) into a fully secure encryption scheme whose security is based on a fixed q-type assumption that we call \(\mathsf {q}\text {-}\mathsf {ratio}\). We use the generic transformation from Agrawal and Chase [1], henceforth called \(\mathsf {Gen}\text {-}\mathsf {Trans}\), for this purpose. \(\mathsf {Gen}\text {-}\mathsf {Trans}\) takes an encoding scheme satisfying a certain information-theoretic property and produces an encryption scheme in dual system groups [16], which can then be instantiated in composite-order groups under subgroup decision assumptions or prime-order groups under the k-linear assumption.
We show that the security of \(\mathsf {Gen}\text {-}\mathsf {Trans}\) can also be argued when the pair encoding satisfies a very different security property, the symbolic property. The main novelty in our proof, and the crucial difference from AC16, is in how the form of the master secret key is changed: while AC16 uses an information-theoretic property, we use \(\mathsf {Sym}\text {-}\mathsf {Prop}\) in conjunction with a new assumption called \(\mathsf {q}\text {-}\mathsf {ratio}_\mathsf {dsg}\) on dual system groups.^{3} At a very high level, the terms that cannot be generated from \(\mathsf {q}\text {-}\mathsf {ratio}_\mathsf {dsg}\) are exactly the ones that go to zero due to \(\mathsf {Sym}\text {-}\mathsf {Prop}\). Thus we are able to embed \(\mathsf {q}\text {-}\mathsf {ratio}_\mathsf {dsg}\) successfully into the reduction. Interestingly, however, as we will discuss below, \(\mathsf {Sym}\text {-}\mathsf {Prop}\) is not just an artifact of our proof strategy but seems to be inherently linked to the fundamental security of the resulting predicate encryption schemes.
An added advantage of borrowing AC16’s transformation is that when a pair encoding is used in a way that can be shown to be information-theoretically secure, then the encryption scheme obtained through \(\mathsf {Gen}\text {-}\mathsf {Trans}\) is fully secure under a standard assumption. We show a useful application of this feature below.
We also show that the \(\mathsf {q}\text {-}\mathsf {ratio}\) assumption is in fact implied by several other q-type assumptions used to construct ABE schemes, in particular those used in the Lewko-Waters ABE [30] and Attrapadung’s fully secure predicate encryption for regular languages [2]. This assumption is also simpler to describe than either [30] or [2] and we believe that this approach better captures the intuition for why these schemes are secure.
Analysis of Pair Encodings. We show that \(\mathsf {Sym}\text {-}\mathsf {Prop}\) holds for several pair encoding schemes, both new and old: multi-use CP-ABE, short ciphertext CP-ABE, large universe KP-ABE, short ciphertext KP-ABE, and predicate encryption for regular languages.
First, we present a new pair encoding \(\varPi _{\mathsf {re}\text {-}\mathsf {use}}\) for CP-ABE that allows an attribute to be used any number of times in a policy. An interesting feature of \(\varPi _{\mathsf {re}\text {-}\mathsf {use}}\) is that if no attribute is used more than once, then it collapses to the one-use scheme of [2], which is information-theoretically secure. So if we get an encryption scheme \(\mathsf {ES}\) when \(\mathsf {Gen}\text {-}\mathsf {Trans}\) is applied on \(\varPi _{\mathsf {re}\text {-}\mathsf {use}}\), then \(\mathsf {ES}\) is fully secure under a standard assumption as long as it is used to encrypt policies where attributes are not repeated. If a policy with multiple use of attributes needs to be encrypted, then \(\mathsf {ES}\) still fully hides the payload but under a q-type assumption. As far as we know, no multi-use scheme with this feature was known before. For instance, the Lewko-Waters scheme [30] uses an assumption whose size scales with that of the access policy in the challenge ciphertext. So even if no attribute is used more than once, security still relies on a q-type assumption.^{4}
For short ciphertext CP-ABE, we show that the pair encoding of Agrawal and Chase [1] satisfies \(\mathsf {Sym}\text {-}\mathsf {Prop}\). This means that the encryption scheme that comes out after applying \(\mathsf {Gen}\text {-}\mathsf {Trans}\) is fully secure, not just selectively secure as they proved it (since we use the same transformation as them), under a q-type assumption. Note that it was not known earlier whether there exists a fully-secure CP-ABE scheme with constant-size ciphertexts under any kind of assumption on bilinear maps. In fact, we can generically build an encryption scheme with constant-size ciphertexts for any predicate P from any pair encoding for P that satisfies \(\mathsf {Sym}\text {-}\mathsf {Prop}\), as discussed in more detail below.
The last three encodings we analyze are borrowed from the work of Attrapadung [2] with slight simplification. Previously, we only knew how to analyze them using the much more complex computational security property in [2]. Our analysis of these schemes is considerably simpler: for comparison, the proof of computational security for the regular languages pair encoding required 9 full pages, while our proof of symbolic security only takes 2.5 LNCS pages. Our proofs can be seen as extracting, abstracting and somewhat simplifying the key ideas behind Attrapadung’s security analysis, so that they can be very easily verified, and more easily applied to future schemes.
Symbolic Property Inherent in a Secure Scheme. While there are several security properties for encoding schemes that allow one to check if they can be used to build some type of encryption scheme, is there a property that an encoding scheme should not satisfy? A natural one that comes to mind is that correctness holds for an x and y that make a predicate false. In other words, there exists a way to combine the polynomials in the encoding to recover the blinding factor for the message even when the predicate is false. We call a pair encoding scheme that satisfies this property trivially broken.
Building an encryption scheme from a pair encoding scheme seems to require at least that the pair encoding not be trivially broken, but there is no general result that shows some type of security for a scheme that only provides such a minimal guarantee. In Sect. 4, we give the first result of this kind: Any pair encoding scheme that is not trivially broken satisfies our symbolic property.
This result has several interesting broad implications. Suppose we have an encoding \(\varPi \) that we do not know to be secure. We apply \(\mathsf {Gen}\text {-}\mathsf {Trans}\) on it to get an encryption scheme \(\mathsf {ES}\). For this scheme to not be completely broken, there should not be a way to trivially combine some ciphertext and key to recover the message when the predicate is false. Now an interesting fact about our generic transformation \(\mathsf {Gen}\text {-}\mathsf {Trans}\) is that it preserves the structure of pair encodings, so that if there is a way to combine the polynomials to recover the blinding factor, then the ciphertext and key coming out of \(\mathsf {Gen}\text {-}\mathsf {Trans}\) can be combined to recover the message. Therefore, if \(\mathsf {ES}\) is not completely broken, \(\varPi \) is not broken either. This further implies that \(\varPi \) satisfies \(\mathsf {Sym}\text {-}\mathsf {Prop}\) and \(\mathsf {ES}\) is fully secure under \(\mathsf {q}\text {-}\mathsf {ratio}\). Thus we arrive at a very interesting conclusion: Either \(\mathsf {ES}\) is broken in an obvious way or it is fully secure under \(\mathsf {q}\text {-}\mathsf {ratio}\). Hence, \(\mathsf {Sym}\text {-}\mathsf {Prop}\) seems to be inherently linked to the fundamental security of encryption schemes, and is not just an artifact of our proof strategy.
We can take this line of argument even further. Suppose there is a generic transformation that preserves the structure of pair encodings in the sense described above. And suppose that when an encoding scheme satisfying a certain property X is given as input, it generates an encryption scheme that is not obviously broken, for example a selectively secure scheme. Then every encoding that satisfies X will also satisfy our symbolic property, and hence will lead to a fully secure encryption scheme through \(\mathsf {Gen}\text {-}\mathsf {Trans}\)! In this paper, we do not formalize the exact requirements a generic transformation should satisfy for such a general result to hold, leaving it as an interesting exercise for future work.
We conclude with an alternate way of proving symbolic security in case finding a mapping from an encoding’s variables to matrices/vectors seems difficult: show that for all x and y for which the predicate is false, the blinding factor cannot be recovered from the encoding’s polynomials.
1. Dual conversion. Any secure pair encoding for a predicate can be transformed into a secure encoding scheme for the dual predicate (where the roles of key and ciphertext are switched).
2. Compact ciphertexts. Any secure pair encoding can be converted into one that has a constant number of variables and polynomials in the ciphertext encoding. Thus, after applying \(\mathsf {Gen}\text {-}\mathsf {Trans}\) to the latter encoding, one gets encryption schemes with constant-size ciphertexts.
3. Compact keys. Analogous to above, any secure pair encoding can be converted into one that has a constant number of variables and polynomials in the key encoding, leading to encryption schemes with constant-size keys.^{5}
This demonstrates the power and versatility of the new symbolic property. In contrast, only the first type of transformation is known for the security properties of Attrapadung [2, 8], and none is known for Wee [40] or Chen et al. [15].

As mentioned before, we show that the regular language pair encoding from [2] satisfies our symbolic property. Here keys are associated with regular languages, expressed as deterministic finite automata (DFA), and ciphertexts are associated with strings of any length from an alphabet set. One can first apply the dual conversion transformation to get an encoding scheme where ciphertexts and keys are associated with DFAs and strings, respectively. Then applying our compact ciphertext transformation to this encoding, and using the resulting pair encoding in \(\mathsf {Gen}\text {-}\mathsf {Trans}\), one gets an encryption scheme for regular languages with constant-size ciphertexts (but with an upper bound on the size of DFAs).

Similarly, applying our compact ciphertext/key transformation to Attrapadung’s pair encodings for doubly spatial encryption (DSE) yields new encoding schemes, that then lead to encryption schemes with constant size ciphertexts and keys, respectively. The only previous work on short ciphertext DSE [5] relied on a more complex series of transformations in which one type of predicate family (e.g. CP-ABE) is embedded inside another (e.g. DSE), and resulted in more expensive encodings.
1.2 Overview of Symbolic Security
This section provides a high-level informal treatment of pair encodings and the symbolic property with the goal of building some intuition about these concepts. Please refer to Sect. 3 for a formal presentation.
Pair Encodings. The pair encoding framework focuses on the exponent space of an encryption scheme. Suppose there is a predicate P that takes two inputs x and y. We want to encode x into a ciphertext and y into a key. An encryption scheme for P generally has terms like \(g^{b_1}, g^{b_2}, \ldots \) and a special one of the form \(e(g, g)^\alpha \) in the public parameters (\(b_1\), \(b_2\), \(\ldots \) and \(\alpha \) are chosen randomly). \(\alpha \) plays the role of the master secret key. To encrypt a message m along with attribute x, some random numbers \(s_0, s_1, s_2, \ldots \) are chosen and new terms are created by raising g, or some common term like \(g^{b_j}\), to some \(s_i\), and then taking a linear combination of these terms, where the terms and combination used depend on x. So, if we look at the exponent of any group element output by the encryption algorithm, it is usually a polynomial of the form \(s_1 + \lambda _1 s_2 b_3 + \ldots \) where \(\lambda _1\) is a constant that depends on x. Finally, m is hidden inside the ciphertext by blinding it with a re-randomization of \(e(g, g)^\alpha \), say \(e(g,g)^{\alpha s_0}\).
Similarly, the exponents of group elements in any key are of the form \(r_1 + \mu r_2 b_1 + \ldots \), where \(r_1, r_2, \ldots \) is fresh randomness chosen for this key. We could also have expressions that contain \(\alpha \) because key generation involves the master secret key. Thus there are three different types of variables involved in a pair encoding: the common variables \(b_1, b_2, \ldots \), the ciphertext encoding variables \(s_0, s_1, s_2, \ldots \), and the key encoding variables \(\alpha , r_1, r_2, \ldots \).
Overall, it can be seen that if we focus on the exponent space of an encryption scheme, we need to deal with polynomials of a special form only. If \(P(x, y) = 1\), then it should be possible to combine the ciphertext and key polynomials so that \(\alpha s_0\) can be recovered, and then used to unblind the message. The pair encoding framework just abstracts out such similarities between predicate encryption schemes in a formal way.
Security Properties and Transformation. Many security properties have been proposed in the literature for pair encodings, and a more restricted structure called predicate encodings [1, 2, 15, 40]. The main contribution of these papers is to give a generic transformation from any pair encoding that satisfies their respective property into a fully secure predicate encryption scheme in composite or prime order groups (or a higher level abstraction called dual-system groups [16]). Proving that a pair encoding scheme satisfies a certain property is significantly easier, especially if the property is information-theoretic, than directly proving security of an encryption scheme. This is not surprising because there are no bilinear maps, hardness assumptions, or sophisticated dual-encryption techniques involved in this process. Furthermore, verifying security of any number of encryption schemes designed through the pair encoding framework reduces to checking that the respective pair encodings are secure—a much easier task—and that the generic transformation is correct—a one-time effort. Needless to say, this saves a huge amount of work.
A Concrete Example: Unbounded Attribute Reuse. Suppose we want to design an ABE scheme that puts no restriction on the number of times an attribute can be used in an access policy. We know that a linear secret sharing scheme is the standard way to present a policy. It consists of a matrix \(\mathbf {A} \) of size \(m \times k\) and a mapping \(\pi \) from its rows to the universe of attributes. A value \(\gamma \) can be secret-shared through \(\mathbf {A} \) by creating m shares, one for each row. If a user has a set of attributes S, then she gets shares for all the rows that map to some attribute in S through \(\pi \). If S satisfies \((\mathbf {A}, \pi )\), then those shares can be combined to recover \(\gamma \); otherwise, \(\gamma \) is information-theoretically hidden. In nearly all fully secure ABE schemes, the mapping \(\pi \) is assumed to be injective or one-to-one (this is called the one-use restriction), but we want to build an ABE scheme that supports any \(\pi \) whatsoever. In particular, the size of public parameters should not affect how many times an attribute can be used in a policy. (Any such scheme will likely rely on a q-type assumption [30].^{6})
If attributes are used multiple times, so that the ciphertext encoding has several variables \(s_1, \ldots , s_d\), then \(\alpha \) might be revealed to an unbounded adversary. Thus we need to find out if \(\varPi _{\mathsf {re}\text {-}\mathsf {use}} \) satisfies a different type of property for which a generic transformation is known. One possibility is the computational double selective master-key hiding property due to Attrapadung, but then the advantages of an abstraction like pair encoding are more or less lost: we will have to work at the level of bilinear maps instead of simple polynomials, and find a suitable q-type assumption(s) under which the property can be shown to hold.
The Symbolic Property. Our new symbolic property (\(\mathsf {Sym}\text {-}\mathsf {Prop}\)) can be very useful in such cases. It provides a new, clean way of reasoning about security of pair encodings: instead of arguing that one distribution is indistinguishable from another, whether information-theoretically or computationally, one needs to discover a mapping from the variables involved in an encoding to matrices and vectors, such that when the latter is substituted for the former in any ciphertext/key encoding polynomial, the zero vector is obtained. Indeed, one needs to invest some effort in order to find the right matrices and vectors that will make the polynomials go to zero, but once such a discovery is made, verifying the property is just a matter of doing some simple linear algebra.
Recall that a pair encoding scheme for a predicate P that takes two inputs x and y, consists of three different types of variables: common variables \(b_1, b_2, \ldots \), ciphertext encoding variables \(s_0, s_1, s_2, \ldots \), and key encoding variables \(\alpha , r_1, r_2, \ldots \). \(\mathsf {Sym}\text {-}\mathsf {Prop}\) is defined w.r.t. three (deterministic) algorithms, \(\mathsf {EncB}\), \(\mathsf {EncS}\) and \(\mathsf {EncR}\). Among them, \(\mathsf {EncB}\) generates matrices for the common variables; \(\mathsf {EncS}\) and \(\mathsf {EncR}\) generate vectors for ciphertext encoding and key encoding variables, respectively. The inputs to these three algorithms depend on what type of symbolic property we want to prove. For the selective version, the three algorithms get x as input, while \(\mathsf {EncR}\) also gets y; and for the co-selective version, they all get y as input, while \(\mathsf {EncS}\) also gets x. This is in line with the selective and co-selective security notions for encryption schemes. In the former, all key queries come after the challenge ciphertext, while in the latter, they come beforehand. A pair encoding scheme satisfies \(\mathsf {Sym}\text {-}\mathsf {Prop}\) if it satisfies both the selective and co-selective variants.
The trivial case where all the matrices and vectors output by the three algorithms are simply zero is ruled out because we also require that the vectors corresponding to two special variables, \(s_0\) in the encoding of x and \(\alpha \) in the encoding of y, are not orthogonal.
Proving the Symbolic Property for \(\varPi _{\mathsf {re}\text {-}\mathsf {use}}\). To prove \(\mathsf {Sym}\text {-}\mathsf {Prop}\) for the multi-use encoding scheme \(\varPi _{\mathsf {re}\text {-}\mathsf {use}}\) defined above, we need to define the outputs of the three algorithms \(\mathsf {EncB}\), \(\mathsf {EncS}\) and \(\mathsf {EncR}\) (in other words, a mapping from the variables in \(\varPi _{\mathsf {re}\text {-}\mathsf {use}}\) to vectors and matrices) in both the selective and co-selective settings. Towards this, we make use of a simple combinatorial fact that is often used in arguing security of ABE schemes. If a set of attributes S does not satisfy an access policy \((\mathbf {A}, \pi )\), then there exists a vector \(\mathbf {w} = (w_1, \ldots , w_k)\) s.t. \(w_1 = 1\) and \(\mathbf {a} _i\) is orthogonal to \(\mathbf {w} \) for all i such that \(\pi (i) \in S\). Note that \(\mathbf {w} \) can be computed only by an algorithm that knows both \((\mathbf {A}, \pi )\) and S.

If finding the right mapping is difficult for \(\mathsf {Sym}\text {-}\mathsf {Prop}\), then finding a proof for the computational property of Attrapadung [2] is several times more difficult. A typical proof of the symbolic property is 1–2 pages while computational property proofs could go up to 10 pages (see the encoding for regular languages, for instance). A central issue with computational properties is finding an appropriate q-type assumption under which it holds, which may be very difficult for a complex predicate. Our approach can be seen as extracting out the real challenging part of designing Attrapadung’s computational proofs.

Verification of \(\mathsf {Sym}\text {-}\mathsf {Prop}\) involves doing simple linear algebra, arguably a much simpler task than checking indistinguishability of distributions, and certainly a much simpler task than verifying a long computational reduction.

The certificate for the symbolic security of \(\varPi _{\mathsf {re}\text {-}\mathsf {use}}\) bears many similarities with those of other encodings that we will describe later in the paper. Thus proving \(\mathsf {Sym}\text {-}\mathsf {Prop}\) for a new encoding scheme is not as difficult as it might seem at first. Furthermore, modifying a short proof of the symbolic property is much easier than a long proof of a computational property.

Recall our result that if an encoding scheme is not trivially broken then it satisfies \(\mathsf {Sym}\text {-}\mathsf {Prop}\). This gives an alternate way of showing that \(\mathsf {Sym}\text {-}\mathsf {Prop}\) holds, by proving that the scheme is not broken.
1.3 Outline of the Paper
In Sect. 2 we define relevant notation and review the standard definition of predicate encryption. In Sect. 3 we define pair encoding schemes and our new symbolic property formally. Section 5 first reviews the notion of dual system groups, then shows how to build encryption schemes from any pair encoding by using them. This conversion is a two-step process: first we augment an encoding so that it satisfies a few extra properties (Sect. 5.1); next we apply the transformation from Agrawal and Chase [1] (Sect. 5.4). A proof of security of the resulting encryption scheme is provided in Sect. 7.
Section 6 gives generic transformations that can be used to reduce the number of variables and/or polynomials in an encoding, which can then be used to get encryption schemes with constant-size ciphertexts/keys. We also provide a transformation from any encoding for a predicate to an encoding for the dual predicate. However, due to space constraints, most of the details are available in the full version only. The full version also provides several examples to illustrate how the symbolic property can substantially simplify the analysis of encoding schemes.
2 Preliminaries
We use \(\lambda \) to denote the security parameter. A negligible function is denoted by \(\mathsf {negl} \). We use bold letters to denote matrices and vectors, with the former in uppercase and the latter in lowercase. The operator \(\cdot \) applied to two vectors computes their entry-wise product and \(\left\langle , \right\rangle \) gives the inner-product. For a vector \(\mathbf {u} \), we use \(u_i\) to denote its ith element, and for a matrix \(\mathbf {M} \), \(M_{i, j}\) denotes the element in the ith row and jth column. When we write \(g^{\mathbf {u}}\) for a vector \(\mathbf {u} = (u_1, \ldots , u_n)\), we mean the vector \((g^{u_1}, \ldots , g^{u_n})\). \(g^{\mathbf {M}}\) for a matrix \(\mathbf {M} \) should be interpreted in a similar way. The default interpretation of a vector should be as a row vector.
For two matrices \(\mathbf {U} \) and \(\mathbf {V} \) of dimension \(n \times m_1\) and \(n \times m_2\) respectively, let \(\mathbf {U} \circ \mathbf {V} \) denote the column-wise join of \(\mathbf {U} \) and \(\mathbf {V} \) of dimension \(n \times (m_1 + m_2)\), i.e., \(\mathbf {U} \circ \mathbf {V} \) has the matrix \(\mathbf {U} \) as the first \(m_1\) columns and \(\mathbf {V} \) as the remaining \(m_2\) columns. We also refer to this operation as appending \(\mathbf {V} \) to \(\mathbf {U} \). (The notation easily extends to vectors because we represent them as row matrices.) If we want to join matrices row-wise instead, we could take their transpose, apply a column-wise join, and then take the transpose of the resultant matrix.
We use \(x \leftarrow _R S\), for a set S, to denote that x has been drawn uniformly at random from it. The set of integers \(a, a+1, \ldots , b\) is compactly represented as [a, b]. If \(a=1\), then we just use [b], and if \(a=0\), then \([b]^+\).
Let \(\mathbb {Z} _N\) denote the set of integers \(\{0, 1, 2, \ldots , N\}\). Let \(\mathcal {G} _N(m)\) denote the set of all vectors of length m with every element in \(\mathbb {Z} _N\). Similarly, let \(\mathcal {G} _N(m_1, m_2)\) denote the set of all matrices of size \(m_1 \times m_2\) that have all the elements in \(\mathbb {Z} _N\).
Bilinear Pairings. We use the standard definition of pairing-friendly groups from the literature. A mapping e from a pair of groups \((\mathcal {G}, \mathcal {H})\) to a target group \(\mathcal {G}_T \) is bilinear if there is linearity in both the first and second inputs, i.e. \(e(g^a, h^b) = e(g, h)^{ab}\) for every \(g \in \mathcal {G}, h \in \mathcal {H} \) and \(a, b \in \mathbb {Z} \). We require e to be non-degenerate and efficiently computable. The identity element of a group G is denoted by \(1_G\).
Let \(\mathsf {GroupGen}\) be an algorithm that on input the security parameter \(\lambda \) outputs \((N, \mathcal {G}, \mathcal {H}, \mathcal {G}_T, g, h, e)\) where \(N = \varTheta (\lambda )\); \(\mathcal {G}\), \(\mathcal {H}\) and \(\mathcal {G}_T\) are (multiplicative) cyclic groups of order N; g, h are generators of \(\mathcal {G}\), \(\mathcal {H}\), respectively; and \(e:\mathcal {G} \times \mathcal {H} \rightarrow \mathcal {G}_T \) is a bilinear map. In this paper our focus will be on prime-order groups because they perform much better in practice.
Predicate Family. We borrow the notation of predicate family from Attrapadung [2]. It is given by \(P = \{P_\kappa \}_{\kappa \in \mathbb {N} ^c}\) for some constant c, where \(P_\kappa \) maps an \(x \in \mathcal {X} _\kappa \) and a \(y \in \mathcal {Y} _\kappa \) to either 0 or 1. The first entry of \(\kappa \) is a number \(N \in \mathbb {N} \) that is supposed to specify the size of a domain; the rest of the entries are collectively referred to as \(\mathsf {par}\), i.e. \(\kappa = (N, \mathsf {par})\).
2.1 Predicate Encryption
An encryption scheme for a predicate family \(P = \{P_\kappa \}_{\kappa \in \mathbb {N} ^c}\) over a message space \(\mathcal {M} = \{\mathcal {M} _\lambda \}_{\lambda \in \mathbb {N}}\) consists of a tuple of four \(\mathsf {PPT}\) algorithms \((\mathsf {Setup}, \mathsf {Encrypt}, \mathsf {KeyGen}, \mathsf {Decrypt})\) that satisfy a correctness condition. These algorithms behave as follows.

\(\mathsf {Setup} (1^\lambda , \mathsf {par})\). On input \(1^\lambda \) and \(\mathsf {par}\), \(\mathsf {Setup}\) outputs a master public key mpk and a master secret key msk. The output of \(\mathsf {Setup}\) is assumed to also define a natural number N, and \(\kappa \) is set to \((N, \mathsf {par})\).

\(\mathsf {Encrypt} (\textsc {mpk}, x, m)\). On input mpk, \(x \in \mathcal {X} _\kappa \) and \(m \in \mathcal {M} _\lambda \), \(\mathsf {Encrypt}\) outputs a ciphertext ct.

\(\mathsf {KeyGen} (\textsc {msk}, y)\). On input msk and \(y \in \mathcal {Y} _\kappa \), \(\mathsf {KeyGen}\) outputs a secret key sk.

\(\mathsf {Decrypt} (\textsc {mpk}, \textsc {sk}, \textsc {ct})\). On input mpk, a secret key sk and a ciphertext ct, \(\mathsf {Decrypt}\) outputs a message \(m' \in \mathcal {M} _\lambda \) or \(\perp \).
1. Setup Phase: \(\mathsf {Chal}\) runs \(\mathsf {Setup} (1^\lambda , \mathsf {par})\) to obtain mpk and msk. It gives mpk to \(\mathcal {A}\).
2. Query Phase: \(\mathcal {A}\) requests a key by sending \(y \in \mathcal {Y} _\kappa \) to \(\mathsf {Chal}\), and obtains \(\textsc {sk} \leftarrow \mathsf {KeyGen} (\textsc {msk}, y)\) in response. This step can be repeated any number of times.
3. Challenge Phase: \(\mathcal {A}\) sends two messages \(m_0, m_1 \in \mathcal {M} _\lambda \) and an \(x^\star \in \mathcal {X} _\kappa \) to \(\mathsf {Chal}\), and gets \(\textsc {ct} \leftarrow \mathsf {Encrypt} (\textsc {mpk}, x^\star , m_b)\) as the challenge ciphertext.
4. Query Phase: This is identical to step 2.
5. Output: \(\mathcal {A}\) outputs a bit.
The output of the experiment is the bit that \(\mathcal {A}\) outputs at the end. It is required that for all y queried in steps 2 and 4, \(P_\kappa (x^\star , y) = 0\).
Definition 2.1
3 Pair Encoding Schemes
The notion of pair encoding schemes (\(\mathsf {PES}\)) was introduced by Attrapadung [2], and later refined independently by Agrawal and Chase [1] and Attrapadung [4] himself in an identical way. As observed in the latter works, all pair encodings proposed originally in [2] satisfy the additional constraints in the refined versions.
We present here a more structured definition of pair encoding schemes so that the reader can easily see the different components involved. In the full version we describe the original formulation as well, and argue why our definition does not lose any generality.
3.1 Definition
A \(\mathsf {PES}\) for a predicate family \(P_\kappa : \mathcal {X} _\kappa \times \mathcal {Y} _\kappa \rightarrow \{0,1\}\) indexed by \(\kappa = (N, \mathsf {par})\), where \(\mathsf {par}\) specifies some parameters, is given by four deterministic polynomial-time algorithms as described below.

\(\mathsf {Param} (\mathsf {par}) \rightarrow n\). When given \(\mathsf {par}\) as input, \(\mathsf {Param}\) outputs \(n \in \mathbb {N} \) that specifies the number of common variables, which we denote by \(\mathbf {b} := (b_1, \ldots , b_n)\).
\(\mathsf {EncCt} (x, N) \rightarrow (w_1, w_2, \mathbf {c} (\mathbf {s}, \hat{\mathbf {s}}, \mathbf {b}))\). On input \(N \in \mathbb {N} \) and \(x \in \mathcal {X} _{(N, \mathsf {par})}\), \(\mathsf {EncCt}\) outputs a vector of polynomials \(\mathbf {c} = (c_1, \ldots , c_{w_3})\) in non-lone variables \(\mathbf {s} = (s_0, s_1, \ldots , s_{w_1})\) and lone variables \(\hat{\mathbf {s}} = (\hat{s}_1, \ldots , \hat{s}_{w_2})\). (The variables \(\hat{s}_1, \ldots , \hat{s}_{w_2}\) never appear in the form \(\hat{s}_z b_j\), and are hence called lone.) For \(\ell \in [w_3]\), where \(\eta _{\ell , z}, \eta _{\ell , i, j} \in \mathbb {Z} _N\), the \(\ell \)th polynomial is given by
$$\begin{aligned} \sum _{z \in [w_2]} \eta _{\ell , z} \hat{s}_z \quad + \sum _{\begin{array}{c} i \in [w_1]^+, \\ j \in [n] \end{array}} \eta _{\ell , i, j} s_i b_j. \end{aligned}$$
\(\mathsf {EncKey} (y, N) \rightarrow (m_1, m_2, \mathbf {k} (\mathbf {r}, \hat{\mathbf {r}}, \mathbf {b}))\). On input \(N \in \mathbb {N} \) and \(y \in \mathcal {Y} _{(N, \mathsf {par})}\), \(\mathsf {EncKey}\) outputs a vector of polynomials \(\mathbf {k} = (k_1, \ldots , k_{m_3})\) in non-lone variables \(\mathbf {r} = (r_1, \ldots , r_{m_1})\) and lone variables \(\hat{\mathbf {r}} = (\alpha , \hat{r}_1, \ldots , \hat{r}_{m_2})\). For \(t \in [m_3]\), where \(\phi _{t}, \phi _{t, z'}, \phi _{t, i', j} \in \mathbb {Z} _N\), the \(t \)th polynomial is given by
$$\begin{aligned} \phi _{t} \alpha \quad + \quad \sum _{z' \in [m_2]} \phi _{t, z'} \hat{r}_{z'} \quad + \quad \sum _{\begin{array}{c} i' \in [m_1], \\ j \in [n] \end{array}} \phi _{t, i', j} r_{i'} b_j. \end{aligned}$$

\(\mathsf {Pair} (x, y, N) \rightarrow (\mathbf {E}, \overline{\mathbf {E}})\). On input N, and both x and y, \(\mathsf {Pair}\) outputs two matrices \(\mathbf {E} \) and \(\overline{\mathbf {E}}\) of size \((w_1+1) \times m_3\) and \(w_3 \times m_1\), respectively.
Observe that the output of \(\mathsf {EncKey}\) is analogous to that of \(\mathsf {EncCt}\), except in how the special variables \(\alpha \) and \(s_0\) are treated in the respective case. While \(\alpha \) is a lone variable, i.e. it never appears in conjunction with a common variable, \(s_0\) is not. See the full version for several concrete examples of pair encodings and the different types of variables involved.
3.2 Symbolic Property
We introduce a new symbolic property for pair encoding schemes that significantly simplifies their analysis even for complex predicates. We get the best of two worlds: not only is our symbolic property very clean to describe (like information-theoretic properties), it can also capture all the predicates that have been previously captured by any computational property. Further, the property does not involve dealing with any kind of distribution.
We now formally define the property. We use a dedicated substitution notation below to denote that a variable a is substituted by a matrix/vector b.
Definition 3.1

\(\mathsf {EncB} (x) \rightarrow \) \(\mathbf {B} _1, \ldots , \mathbf {B} _n \in \mathcal {G} _N(d_1, d_2)\);

\(\mathsf {EncS} (x) \rightarrow \) \(\mathbf {s} _0, \ldots , \mathbf {s} _{w_1} \in \mathcal {G} _N(d_2)\), \(\quad \hat{\mathbf {s} }_1, \ldots , \hat{\mathbf {s} }_{w_2} \in \mathcal {G} _N(d_1)\);

\(\mathsf {EncR} (x,y) \rightarrow \) \(\mathbf {r} _1, \ldots , \mathbf {r} _{m_1} \in \mathcal {G} _N(d_1)\), \(\quad \mathbf {a}, \hat{\mathbf {r} }_1, \ldots , \hat{\mathbf {r} }_{m_2} \in \mathcal {G} _N(d_2)\);
Similarly we say a pair encoding scheme satisfies the \((d_1, d_2)\) co-selective symbolic security property if there exist \(\mathsf {EncB}, \mathsf {EncR}, \mathsf {EncS} \) that satisfy the above properties but where \(\mathsf {EncB}\) and \(\mathsf {EncR}\) depend only on y, and \(\mathsf {EncS}\) depends on both x and y. Finally, a scheme satisfies the \((d_1, d_2)\)-symbolic property if it satisfies both the \((d'_1, d'_2)\)-selective and \((d''_1, d''_2)\)-co-selective properties for some \(d'_1, d''_1 \le d_1\) and \(d'_2, d''_2 \le d_2\).
We use \(\mathsf {Sym}\text {-}\mathsf {Prop}\) as a shorthand for symbolic property. It is easy to see that if a scheme satisfies \((d_1, d_2)\)-selective \(\mathsf {Sym}\text {-}\mathsf {Prop}\) then it also satisfies \((d'_1, d'_2)\) for any \(d'_1 \ge d_1\) and \(d'_2 \ge d_2\). Just append \(d'_1 - d_1\) rows of zeroes and \(d'_2 - d_2\) columns of zeroes to the \(\mathbf {B} _j\) matrices, \(d'_2 - d_2\) zeroes to the \(\mathbf {s} _i\) vectors, \(d'_1 - d_1\) zeroes to the \(\hat{\mathbf {s} }_z\) vectors, \(d'_1 - d_1\) zeroes to the \(\mathbf {r} _{i'}\) vectors, and \(d'_2 - d_2\) zeroes to the \(\hat{\mathbf {r} }_{z'}\) vectors. A similar claim can also be made about co-selective \(\mathsf {Sym}\text {-}\mathsf {Prop}\). Thus if a \(\mathsf {PES}\) satisfies \((d_1, d_2)\)-\(\mathsf {Sym}\text {-}\mathsf {Prop}\) then it also satisfies the selective and co-selective properties with the same parameters, as well as \((d'_1, d'_2)\)-\(\mathsf {Sym}\text {-}\mathsf {Prop}\) for any \(d'_1 \ge d_1\) and \(d'_2 \ge d_2\).
Lastly, if a \(\mathsf {PES}\) \(\varGamma \) satisfies \(\mathsf {Sym}\text {-}\mathsf {Prop}\) for a predicate family \(P_\kappa \), we say that \(\varGamma \) is symbolically secure for \(P_\kappa \), or simply that \(\varGamma \) is symbolically secure if the predicate family is clear from context.
4 Obtaining Symbolic Security Generically
In this section, we prove an interesting and useful result. If a pair encoding scheme is not trivially broken, in the sense that for any x, y that do not satisfy the predicate there does not exist a way to directly recover \(\alpha s_0\) from the encoding polynomials (note that correctness requires exactly this recovery, but only when the predicate is true), then the scheme satisfies the symbolic property.
Definition 4.1
(Trivially broken scheme). A pair encoding scheme \(\varGamma = (\mathsf {Param}, \mathsf {EncCt}, \mathsf {EncKey}, \mathsf {Pair})\) for a predicate family \(P_\kappa : \mathcal {X} _\kappa \times \mathcal {Y} _\kappa \rightarrow \{0,1\}\) is trivially broken if for a \(\kappa = (N, \mathsf {par})\), \(x \in \mathcal {X} _\kappa \), \(y \in \mathcal {Y} _\kappa \) that satisfy \(P_\kappa (x,y) = 0\), there exists a matrix \(\mathbf {E} \) such that \((\mathbf {s}, \mathbf {c}) \mathbf {E} {(\mathbf {r}, \mathbf {k})}^{\mathsf {T}} = \alpha s_0\), where \(\mathbf {c} \) is the vector of polynomials output by \(\mathsf {EncCt} (x, N)\) in variables \(\mathbf {s} = (s_0, \ldots )\), \(\hat{\mathbf {s}}\), \(\mathbf {b} \), and \(\mathbf {k} \) is the vector of polynomials output by \(\mathsf {EncKey} (y, N)\) in variables \(\mathbf {r} \), \(\hat{\mathbf {r}} = (\alpha , \ldots )\), \(\mathbf {b} \).
Theorem 4.2
If a pair encoding scheme is not trivially broken then it satisfies the symbolic property.
Proof
If a scheme \(\varGamma \) is not trivially broken, then for all x and y for which the predicate evaluates to false, the \(\mathsf {ct}\text {-}\mathsf {enc}\) non-lone variables \(\mathbf {s} = (s_0, \ldots , s_{w_1})\) and polynomials \(\mathbf {c} = (c_1, \ldots , c_{w_3})\) cannot be paired with the \(\mathsf {key}\text {-}\mathsf {enc}\) non-lone variables \(\mathbf {r} = (r_1, \ldots , r_{m_1})\) and polynomials \(\mathbf {k} = (k_1, \ldots , k_{m_3})\) to recover \(\alpha s_0\). We know that the former have monomials of the form \(s_0, \ldots , s_{w_1}\), \(\hat{s}_1, \ldots , \hat{s}_{w_2}\), \(s_0b_1, \ldots , s_0b_n\), \(\ldots \), \(s_{w_1}b_1, \ldots , s_{w_1}b_n\), so a total of \(w_2 + (n + 1)(w_1 + 1)\). Similarly, the total number of distinct monomials in the latter is \(m_2 + 1 + (n + 1) m_1\) (because \(\alpha \) is a lone variable as opposed to \(s_0\)). Let us denote the two quantities above by \(\mathsf {var}_c\) and \(\mathsf {var}_k\) respectively.
Define a matrix \(\mathbf {\varDelta } \) over \(\mathbb {Z} _N\) with \((w_1+w_3+1) (m_1+m_3)\) rows and \(\mathsf {var}_c \mathsf {var}_k \) columns. A row is associated with the product of a \(\mathsf {ct}\text {-}\mathsf {enc}\) non-lone variable or polynomial with a \(\mathsf {key}\text {-}\mathsf {enc}\) non-lone variable or polynomial. Each column represents a unique monomial that can be obtained by multiplying a \(\mathsf {ct}\text {-}\mathsf {enc}\) monomial with a \(\mathsf {key}\text {-}\mathsf {enc}\) monomial, with the first column representing \(\alpha s_0\). The (i, j)th entry in this matrix is the coefficient of the monomial associated with the jth column in the product polynomial attached to the ith row. Since \(\varGamma \) is not broken, we know that the rows in \(\mathbf {\varDelta } \) cannot be linearly combined to get the vector \((1, 0, \ldots , 0)\).
Note that it is enough to work with any subset of rows because they cannot be combined to get \((1, 0, \ldots , 0)\) either. Thus, for the rest of the proof, we consider only those rows of \(\mathbf {\varDelta } \) that multiply a \(\mathsf {ct}\text {-}\mathsf {enc}\) non-lone variable with a \(\mathsf {key}\text {-}\mathsf {enc}\) polynomial and vice versa (and only those columns which have monomials that can be obtained from multiplying such polynomials). Let \(n_1\) denote the number of rows now.
Since rows in \(\mathbf {\varDelta } \) cannot be linearly combined to get \((1, 0, \ldots , 0)\), the first column of \(\mathbf {\varDelta } \), say \(\mathsf {col}\), can be written as a linear combination of the other columns. Because if not, one can show that there exists a vector \(\mathbf {v} = (v_1, \ldots , v_{n_1})\) that is orthogonal to all the columns except the first one^{8}. We can then combine the rows of \(\mathbf {\varDelta } \) using \(v_1/\left\langle \mathsf {col}, \mathbf {v} \right\rangle , \ldots , v_{n_1}/\left\langle \mathsf {col}, \mathbf {v} \right\rangle \) to get \((1, 0, \ldots , 0)\)—a contradiction.
Let \(\mathcal {Q} \) denote the set of monomials associated with the columns of \(\mathbf {\varDelta } \). These columns can be linearly combined to get the zero vector, without zeroing out \(\mathsf {col}\), which corresponds to \(\alpha s_0\). Let \(\lambda _q\) be the factor that multiplies the column associated with the monomial \(q \in \mathcal {Q} \) in one such linear combination. Note that \(\lambda _{\alpha s_0} \ne 0\).
We now define matrices \(\mathbf {B} _1, \ldots , \mathbf {B} _n\) and vectors \(\mathbf {s} _0, \ldots , \mathbf {s} _{w_1}, \hat{\mathbf {s} }_1, \ldots , \hat{\mathbf {s} }_{w_2}\) as follows. \(\mathbf {B} _j\) has \(d_1\) rows and \(d_2 = w_1 + 1\) columns with the \((i+1)\)th column being \({\mathbf {u}}^{\mathsf {T}}_{i, j}\) for \(i \in [w_1]^+\). Vector \(\mathbf {s} _i\) is set to \(\mathbf {e} _{i+1}\) for \(i \in [w_1]^+\), where \(\mathbf {e} _i\) denotes the ith unit vector of size \(d_2\), and \(\hat{\mathbf {s} }_z\) is set to \(\mathbf {u} _z\) for \(z \in [w_2]\). These matrices and vectors depend only on \(\mathbf {v} _1, \mathbf {v} _2, \ldots , \mathbf {v} _{d_1}\), which in turn depend on \(\mathbf {\varDelta } '\) only. The entries in \(\mathbf {\varDelta } '\) are the coefficients of the monomials obtained by multiplying \(r_{i'}\) with various \(\mathsf {ct}\text {-}\mathsf {enc}\) polynomials. Hence, they only depend on x and, in particular, not on y. Further, it is easy to observe that all the operations involved in computing \(\mathbf {B} _j\), \(\mathbf {s} _i\), \(\hat{\mathbf {s} }_z\) are efficient. Thus, one can define two deterministic polynomial-time algorithms \(\mathsf {EncB}\) and \(\mathsf {EncS}\) that on input x only, output \(\mathbf {B} _1, \ldots , \mathbf {B} _n\) and \(\mathbf {s} _0, \ldots , \mathbf {s} _{w_1}\), \(\hat{\mathbf {s} }_1, \ldots , \hat{\mathbf {s} }_{w_2}\) respectively.
In the special case where \(\mathbf {\varDelta } '\)’s kernel is empty, \(\mathbf {B} _1, \ldots , \mathbf {B} _n\) are all set to \(d_1 \times d_2\) matrices with zero entries; \(\hat{\mathbf {s} }_1, \ldots , \hat{\mathbf {s} }_{w_2}\) are set to the zero vector of size \(d_1\); \(\mathbf {s} _1, \ldots , \mathbf {s} _{w_1}\) are set to the zero vector of size \(d_2\); and \(\mathbf {s} _0\) is set to \((1, 0, \ldots , 0)\). It is easy to see that all \(\mathsf {ct}\text {-}\mathsf {enc}\) polynomials still evaluate to zero upon substitution.
One can define a deterministic polynomial time algorithm \(\mathsf {EncR}\) that on input x and y, computes how the columns of \(\mathbf {\varDelta } \) can be combined to get the zero vector, and then uses this information to define \(\mathbf {a} \), \(\hat{\mathbf {r} }_{z'}\), \(\mathbf {r} _{i'}\) as shown above.
The proof for the co-selective symbolic property is analogous to the proof above, so we skip the details. \(\square \)
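The following Python is an added example, not code from the paper. It builds the matrix \(\mathbf {\varDelta }\) of the proof above for a small constructed pair encoding and decides by Gaussian elimination over \(\mathbb {Z} _p\) whether the rows can be combined into \((1, 0, \ldots , 0)\), i.e. whether \(\alpha s_0\) is recoverable in the sense of Definition 4.1. The encoding (an equality predicate with common variables \(b_1, b_2\), one ct-enc polynomial \(c_1 = s_0 b_1 + x s_0 b_2\) and one key-enc polynomial \(k_1 = \alpha + r_1 b_1 + y r_1 b_2\)), the toy prime modulus, and all function names are assumptions of the example. When a combination exists it is reshaped into the matrix \(\mathbf {E}\) of Definition 4.1 (this is what \(\mathsf {Pair}\) outputs when the predicate holds); when none exists, the encoding is not trivially broken for that pair (x, y).

```python
"""Deciding whether a pair encoding is 'trivially broken' (Definition 4.1).
Added example, not code from the paper.  Polynomials are dicts mapping a
monomial (sorted tuple of variable names) to a coefficient in Z_p."""
from itertools import product

P = 1_000_000_007   # constructed toy prime standing in for the group order N

def poly_mul(f, g):
    """Product of two polynomials over Z_p."""
    out = {}
    for (m1, a), (m2, b) in product(f.items(), g.items()):
        m = tuple(sorted(m1 + m2))
        out[m] = (out.get(m, 0) + a * b) % P
    return {m: c for m, c in out.items() if c}

def var(name):
    return {(name,): 1}

# Constructed toy encoding for the equality predicate P(x, y) = 1 iff x == y.
# Common variables b1, b2; ct-enc non-lone s0; key-enc non-lone r1 and lone alpha.
def enc_ct(x):
    return ['s0'], [{('b1', 's0'): 1, ('b2', 's0'): x % P}]                 # c1 = s0 b1 + x s0 b2

def enc_key(y):
    return ['r1'], [{('alpha',): 1, ('b1', 'r1'): 1, ('b2', 'r1'): y % P}]  # k1 = alpha + r1 b1 + y r1 b2

def delta_matrix(s, c, r, k):
    """Rows: each ct-enc element (s_i or c_l) times each key-enc element (r_i' or k_t).
    Columns: the distinct monomials that occur, with alpha*s0 placed first."""
    ct_elems = [var(v) for v in s] + c
    key_elems = [var(v) for v in r] + k
    rows = [poly_mul(f, g) for f in ct_elems for g in key_elems]
    target = ('alpha', 's0')
    cols = [target] + sorted({m for row in rows for m in row} - {target})
    return [[row.get(m, 0) for m in cols] for row in rows], cols

def solve_mod_p(A, b):
    """Solve A x = b over Z_p by Gauss-Jordan elimination; None if inconsistent."""
    m, n = len(A), len(A[0])
    M = [A[i][:] + [b[i]] for i in range(m)]
    pivots, row = [], 0
    for col in range(n):
        piv = next((i for i in range(row, m) if M[i][col]), None)
        if piv is None:
            continue
        M[row], M[piv] = M[piv], M[row]
        inv = pow(M[row][col], P - 2, P)
        M[row] = [(v * inv) % P for v in M[row]]
        for i in range(m):
            if i != row and M[i][col]:
                f = M[i][col]
                M[i] = [(vi - f * vr) % P for vi, vr in zip(M[i], M[row])]
        pivots.append(col)
        row += 1
        if row == m:
            break
    if any(M[i][n] for i in range(row, m)):   # all-zero row with non-zero right-hand side
        return None
    x = [0] * n
    for i, col in enumerate(pivots):
        x[col] = M[i][n]
    return x

def recovery_coefficients(x, y):
    """Row combination lambda with lambda * Delta = (1, 0, ..., 0), or None if impossible."""
    s, c = enc_ct(x)
    r, k = enc_key(y)
    D, cols = delta_matrix(s, c, r, k)
    DT = [[D[i][j] for i in range(len(D))] for j in range(len(cols))]   # lambda*D = e1 <=> D^T lambda^T = e1^T
    return solve_mod_p(DT, [1] + [0] * (len(cols) - 1))

def pair_matrix(x, y):
    """The matrix E of Definition 4.1 (rows: s_i then c_l; columns: r_i' then k_t), or None
    when alpha*s0 cannot be recovered, i.e. the encoding is not trivially broken for (x, y)."""
    lam = recovery_coefficients(x, y)
    if lam is None:
        return None
    s, c = enc_ct(x)
    r, k = enc_key(y)
    K = len(r) + len(k)
    return [lam[i * K:(i + 1) * K] for i in range(len(s) + len(c))]

if __name__ == "__main__":
    print(pair_matrix(7, 7))   # s0 pairs with k1, c1 pairs with r1 with coefficient -1 (P - 1)
    print(pair_matrix(7, 8))   # None: alpha*s0 is not recoverable when x != y
```

For x = y the only surviving combination is \(s_0 \cdot k_1 - c_1 \cdot r_1 = \alpha s_0 + (y - x) s_0 r_1 b_2\), which the solver finds; for x ≠ y the column for \(s_0 r_1 b_2\) makes the system inconsistent, so the toy encoding is not trivially broken exactly where the predicate is false. The same routine, fed any encoding in the monomial-dict form, performs the check that Theorem 4.2 reduces symbolic security to.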
5 Predicate Encryption from Pair Encodings
In this section, we describe how any pair encoding scheme for a predicate can be transformed into an encryption scheme for the same predicate in dual system groups (\(\mathsf {DSG}\)), introduced by Chen and Wee [16], and later used and improved by several works [1, 4, 15]. This transformation is a two-step process: first we augment an encoding so that it satisfies a few extra properties (Sect. 5.1)^{9}; next we apply the transformation from Agrawal and Chase [1] (Sect. 5.4).
5.1 Augmenting Pair Encodings
We need the matrices and vectors involved in the symbolic property to have some extra features, so that we can prove the security of the derived predicate encryption scheme from our \(\mathsf {q}\text {-}\mathsf {ratio}\) assumption. Towards this, we show how any pair encoding scheme that satisfies \(\mathsf {Sym}\text {-}\mathsf {Prop}\) can be transformed into another scheme that satisfies a more constrained version of this property, with only a few additional variables and polynomials.
We note that, although they are presented monolithically, many of the pair encodings introduced by Attrapadung [2] can be viewed as the result of applying a very similar augmentation to simpler underlying encodings. Thus, our results also help explain the structure of those previous encodings.
Recall that the algorithms of symbolic security output \(\mathbf {a} \) for \(\alpha \), \(\mathbf {B} _1, \ldots , \mathbf {B} _n\) for common variables, \(\mathbf {s} _0, \ldots , \mathbf {s} _{w_1}\) for non-lone \(\mathsf {ct}\text {-}\mathsf {enc}\) variables, and \(\mathbf {r} _1, \ldots , \mathbf {r} _{m_1}\) for \(\mathsf {key}\text {-}\mathsf {enc}\) non-lone variables. Let \(\mathbf {b} _j\) denote the first column of \(\mathbf {B} _j\) and \(s_{i, 1}\) the first element of \(\mathbf {s} _i\).
Definition 5.1
1. \(\mathbf {a} \) is set to \((1, 0, \ldots , 0)\).
2. In every \(\mathsf {ct}\text {-}\mathsf {enc}\) polynomial, if \(s_i b_j\) is replaced by
   \({\mathbf {s} }^{\mathsf {T}}_i \mathbf {b} _j\) then we get a matrix with non-zero elements in the first row only;
   \(s_{i, 1} \mathbf {B} _j\) then we get a matrix with non-zero elements in the first column only.
   (The lone variables are replaced by the zero vector.)
3. In every \(\mathsf {key}\text {-}\mathsf {enc}\) polynomial, if we replace \(r_{i'} b_j\) with \({\mathbf {b} }^{\mathsf {T}}_j \mathbf {r} _{i'}\), then we get a diagonal matrix. (The lone variables, once again, are replaced by the zero vector.)
4. The set of vectors \(\{\mathbf {s} _0, \ldots , \mathbf {s} _{w_1}\}\) is linearly independent, and so is the set \(\{\mathbf {r} _1, \ldots , \mathbf {r} _{m_1}\}\).
We convert any pair encoding that satisfies \(\mathsf {Sym}\text {-}\mathsf {Prop}\) into one that satisfies \(\mathsf {Sym}\text {-}\mathsf {Prop}^\star \) in three steps. First we show that with only one additional \(\mathsf {key}\text {-}\mathsf {enc}\) non-lone variable, an additional common variable, and an extra \(\mathsf {ct}\text {-}\mathsf {enc}\) polynomial, we can get an encoding scheme for which the vector \(\mathbf {a} \) corresponding to \(\alpha \) can be set to \((1, 0, \ldots , 0)\) (in proving that \(\mathsf {Sym}\text {-}\mathsf {Prop}\) holds). Next, with two extra common variables, and an additional variable and a polynomial each in the ciphertext and key encoding, one can satisfy the second and third properties from above. Finally, a simple observation can be used to satisfy the fourth property as well. More formally, we prove the following theorem in the full version.
Theorem 5.2
(Augmentation). Suppose a \(\mathsf {PES}\) for a predicate family \(P_\kappa : \mathcal {X} _\kappa \times \mathcal {Y} _\kappa \rightarrow \{0,1\}\) outputs n on input \(\mathsf {par} \), \((w_1, w_2, \mathbf {c})\) on input \(x \in \mathcal {X} _\kappa \), \((m_1, m_2, \mathbf {k})\) on input \(y \in \mathcal {Y} _\kappa \) and satisfies \((d_1, d_2)\)-\(\mathsf {Sym}\text {-}\mathsf {Prop}\); then there exists another \(\mathsf {PES}\) for \(P_\kappa \) that outputs \(n+3\) on input \(\mathsf {par} \), \((w_1+1, w_2, \overline{\mathbf {c}})\) on input x and \((m_1+2, m_2, \overline{\mathbf {k}})\) on input y, where \(|\overline{\mathbf {c}}| = |\mathbf {c}| + 2\) and \(|\overline{\mathbf {k}}| = |\mathbf {k}| + 1\), and satisfies \((\max (d_1, d_2 - 1) + M_1 + 1, d_2 + W_1 + 2)\)-\(\mathsf {Sym}\text {-}\mathsf {Prop}^\star \), where \(M_1\) and \(W_1\) are bounds on the number of \(\mathsf {key}\text {-}\mathsf {enc}\) and \(\mathsf {ct}\text {-}\mathsf {enc}\) non-lone variables, respectively.^{10}
The extra constraints of \(\mathsf {Sym}\text {-}\mathsf {Prop}^\star \) give rise to some nice combinatorial facts. Please refer to the full version for details.
5.2 Dual System Groups
Dual system groups (\(\mathsf {DSG}\)) were introduced by Chen and Wee [16] and generalized by Agrawal and Chase [1]. The latter work also shows that the two instantiations of \(\mathsf {DSG}\) given by Chen and Wee, in composite-order groups under the subgroup decision assumption and in prime-order groups under the decisional linear assumption, satisfy the generalized definition as well. Here we give a brief informal description of dual system groups. See the full version or existing work [1] for a formal definition.
Dual system groups are parameterized by a security parameter \(\lambda \) and a number n. They have a \(\mathsf {SampP} \) algorithm that on input \(1^\lambda \) and \(1^n\), outputs public parameters pp and secret parameters sp. The parameter pp contains a triple of groups \((\mathbb {G}, \mathbb {H}, \mathbb {G}_T)\) and a non-degenerate bilinear map \(e : \mathbb {G} \times \mathbb {H} \rightarrow \mathbb {G}_T \), a homomorphism \(\mu \) from \(\mathbb {H}\) to \(\mathbb {G}_T\), along with some additional parameters used by \(\mathsf {SampG}\), \(\mathsf {SampH}\). Given pp, we know the exponent of group \(\mathbb {H}\) and how to sample uniformly from it; let \(N = \exp (\mathbb {H})\). It is required that N is a product of distinct primes of \(\varTheta (\lambda )\) bits. The secret parameters sp contain \(\tilde{h} \in \mathbb {H} \) (where \(\tilde{h} \ne 1_{\mathbb {H}}\)) along with additional parameters used by \(\overline{\mathsf {SampG}}\) and \(\overline{\mathsf {SampH}}\).
A dual system group has several sampling algorithms: the \(\mathsf {SampGT}\) algorithm takes an element in the image of \(\mu \) and outputs another element from \(\mathbb {G}_T\). \(\mathsf {SampG}\) and \(\mathsf {SampH}\) take pp as input and output a vector of \(n+1\) elements from \(\mathbb {G}\) and \(\mathbb {H}\) respectively. \(\overline{\mathsf {SampG}}\) and \(\overline{\mathsf {SampH}}\) take both pp and sp as inputs and output a vector of \(n+1\) elements from \(\mathbb {G}\) and \(\mathbb {H}\) respectively. These two algorithms are used in security proofs only. \(\overline{\mathsf {SampG}}_0\) and \(\overline{\mathsf {SampH}}_0\) denote the first element of \(\overline{\mathsf {SampG}}\) and \(\overline{\mathsf {SampH}}\) respectively.
A dual system group is correct if it satisfies the following two properties for all pp.

Projective: For all \(h \in \mathbb {H} \) and coin tosses \(\sigma \), \(\mathsf {SampGT} (\mu (h); \sigma ) = e(\mathsf {SampG}_0 (\textsc {pp}; \sigma ), h)\), where \(\mathsf {SampG}_0\) is an algorithm that outputs only the first element of \(\mathsf {SampG}\).

Associative: If \((g_0, g_1, \ldots , g_n)\) and \((h_0, h_1, \ldots , h_n)\) are samples from \(\mathsf {SampG} (\textsc {pp})\) and \(\mathsf {SampH} (\textsc {pp})\) respectively, then for all \(i \in [1,n]\), \(e(g_0, h_i) = e(g_i, h_0)\).
Dual system groups have a number of interesting security properties as well that make them very useful for building encryption schemes; see the full version for details. We additionally require that there exists a way to sample the setup parameters so that one not only gets pp and sp, but also some trapdoor information \(\mathsf {td}\) that can be used to generate samples from \(\overline{\mathsf {SampG}}\) and \(\overline{\mathsf {SampH}}\) given only the first element. We formalize this property and show that both instantiations of Chen and Wee [16] satisfy it in the full version. The new sampling algorithm will be denoted by \(\mathsf {SampP} ^*\) below.
5.3 New Computational Assumption
We introduce a new assumption, called \(\mathsf {q}\text {-}\mathsf {ratio}_\mathsf {dsg}\), on dual system groups parameterized by positive integers \(d_1\) and \(d_2\).
Definition 5.3
Note that \(u_0\) is present in exactly one of the terms in \(D_{\mathbb {G}}\) and not at all in \(D_{\mathbb {H}}\).
We also define a similar assumption on bilinear maps.
Definition 5.4
In this paper our focus is on constructions in prime-order groups because they are much more practical, so we will consider the \(\mathsf {q}\text {-}\mathsf {ratio}\) assumption on prime-order bilinear maps only. We show that this assumption is implied by the assumptions proposed by Lewko, Waters [30] and Attrapadung [2] in the full version. We also show that Chen and Wee’s prime-order \(\mathsf {DSG}\) construction [16] (along with the new sampling algorithms we introduce) satisfies the \(\mathsf {q}\text {-}\mathsf {ratio}_\mathsf {dsg}\) assumption if the underlying group satisfies the \(\mathsf {q}\text {-}\mathsf {ratio}\) assumption. Thus we have,
Lemma 5.5
A dual system group with a bilinear map \(e: \mathbb {G} \times \mathbb {H} \rightarrow \mathbb {G}_T \) that satisfies the \((d_1, d_2)\)-\(\mathsf {q}\text {-}\mathsf {ratio}_\mathsf {dsg}\) assumption can be instantiated in a prime-order bilinear map \(e': \mathcal {G} \times \mathcal {H} \rightarrow \mathcal {G}_T \) that satisfies the \((d_1, d_2)\)-\(\mathsf {q}\text {-}\mathsf {ratio}\) and k-linear assumptions. Further, an element of \(\mathbb {G}\) and \(\mathbb {H}\) is represented using \(k+1\) elements of \(\mathcal {G}\) and \(\mathcal {H}\), respectively. (An element of \(\mathbb {G}_T\) is represented by just one from \(\mathcal {G}_T\).)
5.4 Encryption Scheme
In this section, we show how to obtain an encryption scheme from a pair encoding using the sampling algorithms of dual system groups. Our transformation is based on the one given by Agrawal and Chase [1], and is referred to as \(\mathsf {Gen}\text {-}\mathsf {Trans}\). If a \(\mathsf {PES}\) \(\varGamma _P\) is defined by the tuple of algorithms \((\mathsf {Param}, \mathsf {EncCt}, \mathsf {EncKey}, \mathsf {Pair})\) for a predicate family \(P = \{P_\kappa \}_{\kappa \in \mathbb {N} ^c}\), then the algorithms for \(\varPi _P := \mathsf {Gen}\text {-}\mathsf {Trans} (\varGamma _P)\) are given as follows.

\(\mathsf {Setup} (1^\lambda , \mathsf {par})\): First the pair encoding algorithm \(\mathsf {Param} (\mathsf {par})\) is run to obtain n, and then the dual system group algorithm \(\mathsf {SampP} (1^\lambda , 1^n)\) is run to get pp, sp. A randomly chosen element from \(\mathbb {H}\) is designated to be the master secret key msk. Master public key mpk is set to be \((\textsc {pp}, \mu (\textsc {msk}))\). Further, N and \(\kappa \) are set to \(\exp (\mathbb {H})\) and \((N, \mathsf {par})\), respectively (where the exponent of \(\mathbb {H}\) is a part of pp).
\(\mathsf {Encrypt} (\textsc {mpk}, x, \mathsf {msg})\): On input \(x \in \mathcal {X} _\kappa \) and \(\mathsf {msg} \in \mathbb {G}_T \), \(\mathsf {EncCt} (x, N)\) is run to obtain \(w_1\), \(w_2\) and polynomials \((c_1, \ldots , c_{w_3})\). For \(i' \in [w_1 + w_2]^+\), draw a sample \((g_{i',0}, \ldots , g_{i',n})\) from \(\mathsf {SampG}\) using pp. Recall that the \(\ell \)th polynomial is given by
$$\begin{aligned} \sum _{z \in [w_2]} \eta _{\ell , z} \hat{s}_z \quad + \sum _{\begin{array}{c} i \in [w_1]^+, j \in [n] \end{array}} \eta _{\ell , i, j} s_i b_j. \end{aligned}$$
Set \(\textsc {ct} _i\) to be \(g_{i, 0}\) for \(i \in [w_1]^+\) and \(\widetilde{\textsc {ct}} _{\ell }\) to be
$$\begin{aligned} \prod _{z \in [w_2]} g_{w_1+z, 0}^{\eta _{\ell , z}} \quad \cdot \quad \prod _{\begin{array}{c} i \in [w_1]^+, j \in [n] \end{array}} g_{i, j}^{\eta _{\ell , i, j}} \end{aligned}$$
for \(\ell \in [w_3]\). Also, let \(\textsc {ct}^\star = \mathsf {msg} \cdot \mathsf {SampGT} (\mu (\textsc {msk}); \sigma )\) where \(\sigma \) denotes the coin tosses used in drawing the first sample from \(\mathsf {SampG}\). Output \(\textsc {ct}:= (\textsc {ct} _0, \ldots , \textsc {ct} _{w_1}, \widetilde{\textsc {ct}} _1, \ldots , \widetilde{\textsc {ct}} _{w_3}, \textsc {ct}^\star )\).
\(\mathsf {KeyGen} (\textsc {mpk}, \textsc {msk}, y)\): On input \(y \in \mathcal {Y} _\kappa \), \(\mathsf {EncKey} (y, N)\) is run to obtain \(m_1\), \(m_2\) and polynomials \((k_1, k_2, \ldots , k_{m_3})\). For \(i \in [m_1+m_2]\), draw a sample \((h_{i,0}, \ldots , h_{i,n})\) from \(\mathsf {SampH}\) using pp. Recall that the \(t \)th polynomial is given by
$$\begin{aligned} \phi _{t} \alpha \quad + \quad \sum _{z' \in [m_2]} \phi _{t, z'} \hat{r}_{z'} \quad + \quad \sum _{\begin{array}{c} i' \in [m_1], j \in [n] \end{array}} \phi _{t, i', j} r_{i'} b_j. \end{aligned}$$
Set \(\textsc {sk} _{i'}\) to be \(h_{i', 0}\) for \(i' \in [m_1]\) and \(\widetilde{\textsc {sk}} _{t}\) to be
$$\begin{aligned} \textsc {msk} ^{\phi _{t}} \quad \cdot \quad \prod _{z' \in [m_2]} h_{m_1+z', 0}^{\phi _{t, z'}} \quad \cdot \quad \prod _{\begin{array}{c} i' \in [m_1], j \in [n] \end{array}} h_{i',j}^{\phi _{t, i', j}} \end{aligned}$$
for \(t \in [m_3]\). Output \(\textsc {sk}:= (\textsc {sk} _1, \ldots , \textsc {sk} _{m_1}, \widetilde{\textsc {sk}} _1, \ldots , \widetilde{\textsc {sk}} _{m_3})\).
\(\mathsf {Decrypt} (\textsc {mpk}, \textsc {sk} _y, \textsc {ct} _x)\): On input \(\textsc {sk} _y\) and \(\textsc {ct} _x\), \(\mathsf {Pair} (x, y, N)\) is run to obtain matrices \(\mathbf {E} \) and \(\overline{\mathbf {E}}\). Output
$$\begin{aligned} \textsc {ct}^\star \quad \cdot \quad \left( \prod _{\begin{array}{c} i \in [w_1]^+, t \in [m_3] \end{array}} e(\textsc {ct} _i, \widetilde{\textsc {sk}} _{t})^{E_{i, t}} \quad \cdot \,\,\, \prod _{\begin{array}{c} \ell \in [w_3], i' \in [m_1] \end{array}} e(\widetilde{\textsc {ct}} _{\ell }, \textsc {sk} _{i'})^{\overline{E}_{\ell , i'}} \right) ^{-1}. \end{aligned}$$
One can use the projective and associative properties of \(\mathsf {DSG}\) to show that the predicate encryption scheme defined above is correct (see [1] for details). We defer the proof of security for \(\varPi _P\) to Sect. 7, and conclude with the following remark.
Remark 5.6
(Size of ciphertexts and keys). Ciphertexts have \(w_1 + w_3 + 1\) elements from \(\mathbb {G}\) and an element from \(\mathbb {G}_T\); keys have \(m_1 + m_3\) elements from \(\mathbb {H}\). So the size of these objects depends only on the number of non-lone variables and polynomials. Moreover, there is a one-to-one mapping between variables/polynomials and ciphertext/key elements. Thus if we can reduce the size of an encoding, we will immediately get an equivalent reduction in the size of ciphertexts or keys.
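To make the generic transform above concrete, here is an added worked example that is not code from the paper or from any of the cited works. It runs the Sect. 5.4 Encrypt/KeyGen/Decrypt in a toy "exponent model": every group element is represented by its discrete logarithm modulo a prime, so a product of group elements becomes a sum of logs and the pairing \(e(g^a, h^b) = e(g,h)^{ab}\) becomes a product of logs. The pair encoding used is a constructed one for the equality predicate (an IBE-style encoding with two common variables); the prime, the function names (`enc_ct`, `enc_key`, `pair`, `demo`) and the sparse-dictionary layout of the coefficient tables \(\eta \), \(\phi \), \(\mathbf {E} \), \(\overline{\mathbf {E}}\) are all my own choices. The point is to check, on realistic random coins, that the one-to-one mapping of Remark 5.6 holds and that the \(\mathbf {E} \), \(\overline{\mathbf {E}}\) reconstruction recovers exactly the blinding term \(\alpha s_0\); the model is a correctness check, not a secure implementation, since every exponent is visible by construction.

```python
# Added example (not the paper's code): the generic pair-encoding -> predicate-encryption
# transform from Sect. 5.4, run in a toy "exponent model". Every group element is stored
# as its discrete log mod a prime p, so g^a is the integer a, a product of group elements
# is a sum of logs, and the pairing e(g^a, h^b) = e(g,h)^{ab} is a product of logs.
# This checks the encoding's correctness; it is NOT a secure implementation (all logs,
# including msk, are visible by construction).
import secrets

P = 2**61 - 1  # constructed toy group order, standing in for N


def rnd():
    """Fresh uniform exponent in Z_p (the coins SampG / SampH would draw)."""
    return secrets.randbelow(P)


# Constructed toy pair encoding for the equality predicate P(x, y) = [x == y].
# Common variables b_1, b_2 (n = 2).
# EncCt(x):  non-lone s_0 (w_1 = 0), no lone variables (w_2 = 0), one polynomial
#            c_1 = s_0 b_1 + x s_0 b_2                               (w_3 = 1).
# EncKey(y): non-lone r_1 (m_1 = 1), no lone variables (m_2 = 0), one polynomial
#            k_1 = alpha + r_1 b_1 + y r_1 b_2                       (m_3 = 1).
# Pair(x,y): E_{0,1} = 1, Ebar_{1,1} = -1 when x == y, since then
#            s_0 k_1 - c_1 r_1 = alpha s_0, the term that blinds the message.
N_COMMON = 2


def enc_ct(x):
    """Returns (w_1, w_2, eta_lone, eta_nonlone); eta_lone[l][z], eta_nonlone[l][(i, j)]."""
    return 0, 0, [{}], [{(0, 1): 1, (0, 2): x % P}]


def enc_key(y):
    """Returns (m_1, m_2, phi_alpha, phi_lone, phi_nonlone), indexed like enc_ct."""
    return 1, 0, [1], [{}], [{(1, 1): 1, (1, 2): y % P}]


def pair(x, y):
    """Returns the reconstruction matrices (E, Ebar) as sparse dicts, or None if P(x,y)=0."""
    if x != y:
        return None
    return {(0, 1): 1}, {(1, 1): P - 1}  # P-1 is -1 mod p


def setup():
    alpha = rnd()                                   # msk = h^alpha
    b = {j: rnd() for j in range(1, N_COMMON + 1)}  # common variables b_1..b_n
    # In the real scheme mpk carries mu(msk) = e(g, h)^alpha, not alpha itself;
    # in the exponent model that target-group element is the integer alpha.
    return {"b": b, "mu_msk": alpha}, alpha


def encrypt(mpk, x, msg):
    w1, w2, eta_lone, eta_nl = enc_ct(x)
    s = {i: rnd() for i in range(w1 + 1)}            # non-lone s_0..s_{w_1}
    s_hat = {z: rnd() for z in range(1, w2 + 1)}     # lone s^_1..s^_{w_2}
    ct = [s[i] for i in range(w1 + 1)]               # ct_i = g_{i,0} = g^{s_i}
    ct_tilde = []                                    # ct~_l = prod g_{i,j}^{eta}
    for ell in range(len(eta_nl)):
        val = sum(c * s_hat[z] for z, c in eta_lone[ell].items())
        val += sum(c * s[i] * mpk["b"][j] for (i, j), c in eta_nl[ell].items())
        ct_tilde.append(val % P)
    ct_star = (msg + mpk["mu_msk"] * s[0]) % P       # msg * SampGT(mu(msk); sigma)
    return {"ct": ct, "ct_tilde": ct_tilde, "ct_star": ct_star}


def keygen(mpk, msk, y):
    m1, m2, phi_a, phi_lone, phi_nl = enc_key(y)
    r = {i: rnd() for i in range(1, m1 + 1)}         # non-lone r_1..r_{m_1}
    r_hat = {z: rnd() for z in range(1, m2 + 1)}     # lone r^_1..r^_{m_2}
    sk = [r[i] for i in range(1, m1 + 1)]            # sk_i' = h_{i',0} = h^{r_i'}
    sk_tilde = []                                    # sk~_t = msk^{phi_t} * prod h^{phi}
    for t in range(len(phi_nl)):
        val = phi_a[t] * msk
        val += sum(c * r_hat[z] for z, c in phi_lone[t].items())
        val += sum(c * r[i] * mpk["b"][j] for (i, j), c in phi_nl[t].items())
        sk_tilde.append(val % P)
    return {"sk": sk, "sk_tilde": sk_tilde}


def decrypt(sk_y, ct_x, x, y):
    """ct* * (prod e(ct_i, sk~_t)^{E_{i,t}} * prod e(ct~_l, sk_i')^{Ebar_{l,i'}})^{-1}."""
    mats = pair(x, y)
    if mats is None:
        return None                                  # predicate false: nothing to pair
    E, Ebar = mats
    acc = sum(c * ct_x["ct"][i] * sk_y["sk_tilde"][t - 1] for (i, t), c in E.items())
    acc += sum(c * ct_x["ct_tilde"][l - 1] * sk_y["sk"][i - 1] for (l, i), c in Ebar.items())
    return (ct_x["ct_star"] - acc) % P


def demo(x=7, y=7, msg=123456789):
    """Runs Setup/Encrypt/KeyGen/Decrypt; returns (recovered msg, #G elements in ct, #H elements in sk)."""
    mpk, msk = setup()
    ct = encrypt(mpk, x, msg)
    sk = keygen(mpk, msk, y)
    n_ct = len(ct["ct"]) + len(ct["ct_tilde"])      # w_1 + w_3 + 1 per Remark 5.6
    n_sk = len(sk["sk"]) + len(sk["sk_tilde"])      # m_1 + m_3 per Remark 5.6
    return decrypt(sk, ct, x, y), n_ct, n_sk


if __name__ == "__main__":
    print(demo())       # (123456789, 2, 2): matching identities, message recovered
    print(demo(7, 8))   # (None, 2, 2): mismatched identities, Pair yields no matrices
```

The loops in `encrypt` and `keygen` follow the page's general formulas (lone and non-lone sums over arbitrary \(w_1, w_2, m_1, m_2\)), so a different encoding can be plugged in by replacing `enc_ct`, `enc_key` and `pair` alone; `decrypt` takes \(x\) and \(y\) explicitly because in this toy the ciphertext and key do not carry their inputs. Note that `ct_star` is computed from the public `mu_msk` entry and the coins \(s_0\) of the first sample, mirroring \(\mathsf {SampGT} (\mu (\textsc {msk}); \sigma )\), while the key side uses `msk` itself.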
6 Transformations on Pair Encodings
In this section we present several useful transformations on pair encodings that preserve the symbolic property. The first class of transformations helps in reducing the size of ciphertexts and keys, and the second one provides a way to develop schemes for dual predicates (where the roles of the two inputs to a predicate are reversed).
Compact Encoding Schemes. We show how pair encoding schemes can be made compact by reducing the number of \(\mathsf {ct}\text {-}\mathsf {enc}\) and/or \(\mathsf {key}\text {-}\mathsf {enc}\) polynomials and/or variables to a constant in a generic way. Importantly, we show that if the encoding scheme we start with satisfies the symbolic property, then so does the transformed scheme. As a result, building encryption schemes with constant-size ciphertexts or keys, for instance, becomes a very simple process.
Our first transformation converts any encoding scheme \(\varGamma '\) to another scheme \(\varGamma \) where the number of \(\mathsf {ct}\text {-}\mathsf {enc}\) variables is just one. Naturally, we need to assume a bound on the total number of \(\mathsf {ct}\text {-}\mathsf {enc}\) variables for this transformation to work. If \(W_1+1\) and \(W_2\) are bounds on the number of non-lone and lone \(\mathsf {ct}\text {-}\mathsf {enc}\) variables, respectively, and the number of common variables in \(\varGamma '\) is n, then \(\varGamma \) has \((W_1+1)n + W_2\) common variables, 1 \(\mathsf {ct}\text {-}\mathsf {enc}\) non-lone variable and 0 lone variables. The number of lone \(\mathsf {key}\text {-}\mathsf {enc}\) variables and polynomials increases by a multiplicative factor of \(W_1+1\).
Our second transformation brings down the number of \(\mathsf {ct}\text {-}\mathsf {enc}\) polynomials to just one. Once again the transformation is fully generic, as long as there is a bound \(W_3\) on the number of polynomials. In this case, the number of common variables increases by a multiplicative factor of \(W_3+1\), the number of non-lone \(\mathsf {key}\text {-}\mathsf {enc}\) variables by a multiplicative factor of \(W_3\), and the number of \(\mathsf {key}\text {-}\mathsf {enc}\) polynomials by an additive factor of \(m_1 W_3^2 n\).
When the two transformations above are applied one after the other, we obtain an encoding scheme with just one non-lone variable and one polynomial in the ciphertext encoding. After augmenting the scheme as per Theorem 5.2, which adds a non-lone variable and two polynomials, we can convert the resulting encoding scheme into a predicate encryption scheme by using the generic mechanism of Sect. 5.4. This encryption scheme will have exactly 5 dual system group source-group elements in any ciphertext, a number which would only double if the instantiation from Lemma 5.5 is used under the \(\mathsf {SXDH}\) (1-linear) assumption.
One can also reduce the number of \(\mathsf {key}\text {-}\mathsf {enc}\) variables and polynomials in a manner analogous to how the corresponding quantities are reduced in the ciphertext encoding, at the cost of increasing the number of common variables and \(\mathsf {ct}\text {-}\mathsf {enc}\) variables and polynomials. If there is a bound on both the number of variables and polynomials in the key encoding, then one can obtain an encoding scheme with just one of each. This will result in encryption schemes with constant-size keys.
Finally, we remark that one can also mix-and-match. For instance, first the number of \(\mathsf {ct}\text {-}\mathsf {enc}\) variables can be reduced to one, and then we can do the same for \(\mathsf {key}\text {-}\mathsf {enc}\) variables, resulting in a scheme with just one variable each in the ciphertext and key encodings at the cost of more polynomials in both. (This might be interesting, for example, because it produces a pair encoding of the form used in [15].) Note that when the ciphertext variable reduction transformation is applied, no lone variables are left in the ciphertext encoding (the only remaining variable is a non-lone variable). Hence, the key variable reduction transformation does not affect the number of \(\mathsf {ct}\text {-}\mathsf {enc}\) variables.
See the full version for a formal treatment of the two transformations described above.
Dual Predicates. The dual predicate for a family \(P'_\kappa : \mathcal {Y} _\kappa \times \mathcal {X} _\kappa \rightarrow \{0,1\}\) is given by \(P_\kappa : \mathcal {X} _\kappa \times \mathcal {Y} _\kappa \rightarrow \{0,1\}\) where \(P_\kappa (x, y) = P'_\kappa (y, x)\) for all \(\kappa \), \(x \in \mathcal {X} _\kappa \), \(y \in \mathcal {Y} _\kappa \). For example, CP-ABE and KP-ABE are duals of each other. In the full version we show that Attrapadung's dual scheme conversion mechanism [3, Sect. 8.1] preserves the symbolic property as well.
7 Security of Predicate Encryption Scheme
In this section we show that the transformation \(\mathsf {Gen}\text {-}\mathsf {Trans}\) leads to a secure encryption scheme if the underlying encoding satisfies the (enhanced) symbolic property. More formally, we have:
Theorem 7.1
If a pair encoding scheme \(\varGamma _P\) satisfies \((d_1, d_2)\)-\(\mathsf {Sym}\text {-}\mathsf {Prop}^\star \) for a predicate family \(P_\kappa \), then the scheme \(\mathsf {Gen}\text {-}\mathsf {Trans} (\varGamma _P)\) defined in Sect. 5.4 is a fully secure predicate encryption scheme for \(P_\kappa \) in dual system groups under the \((d_1, d_2-1)\)-\(\mathsf {q}\text {-}\mathsf {ratio}_\mathsf {dsg}\) assumption.
When the above theorem is combined with Theorem 5.2 and Lemma 5.5, we get the following corollary:
Corollary 7.2
If a pair encoding scheme satisfies \((d_1, d_2)\)-\(\mathsf {Sym}\text {-}\mathsf {Prop}\) for a predicate family, then there exists a fully secure predicate encryption scheme for that family in prime-order bilinear maps under the \((\mathsf {max}(d_1, d_2-1) + M_1 + 1, d_2 + W_1 + 1)\)-\(\mathsf {q}\text {-}\mathsf {ratio}\) and k-linear assumptions, where \(M_1\) and \(W_1\) are bounds on the number of \(\mathsf {key}\text {-}\mathsf {enc}\) and \(\mathsf {ct}\text {-}\mathsf {enc}\) non-lone variables, respectively, in the encoding.
The rest of this section is devoted to the proof of Theorem 7.1. We follow the same general outline as in other papers that use dual system groups [1, 15, 16]. The design of hybrids in our proof is closer to [15, 16] than to [1]. In particular, our hybrid structure is simpler because, unlike [1], we don't add noise to individual samples in every key. However, since we have adopted the generic transformation from [1], the indistinguishability between several hybrids follows from that of the corresponding hybrids in [1]. (We briefly review these hybrids and the properties they follow from below; for full proofs see [1].) The main novelty in our proof, and the crucial difference from [1], is how the form of the master secret key is changed: in [1] relaxed perfect security is used for this purpose, but we use the symbolic property in conjunction with the \(\mathsf {q}\text {-}\mathsf {ratio}_\mathsf {dsg}\) assumption.
We first define auxiliary algorithms for encryption and key generation. Below we use \(g_{i, 0}\) (resp. \(h_{i, 0}\)) to denote the first element of \(\mathbf {g} _i\) (resp. \(\mathbf {h} _i\)). Also w and m denote \(w_1 + w_2\) and \(m_1 + m_2\), respectively.

\(\overline{\mathsf {Encrypt}} (\textsc {pp}, x, \mathsf {msg}; (\mathbf {g} '_0, \mathbf {g} '_1, \ldots , \mathbf {g} '_{w}), \textsc {msk})\): This algorithm is the same as \(\mathsf {Encrypt}\) except that it uses \(\mathbf {g} '_i \in \mathbb {G} ^{n+1}\) instead of the samples \(\mathbf {g} _i\) from \(\mathsf {SampG}\), and sets \(\textsc {ct}^\star \) to \(\mathsf {msg} \cdot e(g'_{0,0}, \textsc {msk})\).

\(\overline{\mathsf {KeyGen}} (\textsc {pp}, \textsc {msk}, y; (\mathbf {h} '_1, \ldots , \mathbf {h} '_{m}))\): This algorithm is the same as \(\mathsf {KeyGen}\) except that it uses \(\mathbf {h} '_{i} \in \mathbb {H} ^{n+1}\) instead of the samples \(\mathbf {h} _{i}\) from \(\mathsf {SampH}\).
Using the algorithms described above, we define alternate forms for the ciphertext, master secret key, and secret keys.

Semi-functional master secret key is defined to be \(\overline{\textsc {msk}}:= \textsc {msk} \cdot \tilde{h} ^\mu \) where \(\mu \leftarrow _R\mathbb {Z} _N\).

Semi-functional ciphertext is given by \(\overline{\mathsf {Encrypt}} (\textsc {pp}, x, m; \mathbf {G} \cdot \mathbf {\hat{G}}, \textsc {msk})\), where \(\mathbf {G} \cdot \mathbf {\hat{G}} \) is defined as follows: sample \(\mathbf {g} _1, \ldots , \mathbf {g} _{w}\) from \(\mathsf {SampG}\) and \(\mathbf {\hat{g}} _1, \ldots , \mathbf {\hat{g}} _{w}\) from \(\overline{\mathsf {SampG}}\) (which also requires sp); set \(\mathbf {G} \) and \(\mathbf {\hat{G}} \) to be the vectors of vectors \((\mathbf {g} _1, \ldots , \mathbf {g} _{w})\) and \((\mathbf {\hat{g}} _1, \ldots , \mathbf {\hat{g}} _{w})\), respectively; and denote \((\mathbf {g} _1 \cdot \mathbf {\hat{g}} _1, \ldots , \mathbf {g} _{w} \cdot \mathbf {\hat{g}} _{w})\) by \(\mathbf {G} \cdot \mathbf {\hat{G}} \).

Ext-semi-functional ciphertext is given by \(\overline{\mathsf {Encrypt}} (\textsc {pp}, x, m; \mathbf {G} \cdot \mathbf {\hat{G}} \cdot \mathbf {\hat{G}} ', \textsc {msk})\), where \(\mathbf {G} \), \(\mathbf {\hat{G}} \) are as above, and \(\mathbf {\hat{G}} '\) is defined to be \((\mathbf {\hat{g}} '_1, \dots , \mathbf {\hat{g}} '_{w})\), where \(\mathbf {\hat{g}} '_i = (1, \hat{g}^{\gamma _1}_{i,0}, \ldots , \hat{g}^{\gamma _n}_{i,0})\) for \(i \in [w]\) and \(\gamma _1, \ldots , \gamma _n \leftarrow _R\mathbb {Z} _N\). (Here \(\gamma _1,\ldots , \gamma _n\) are chosen once and used in both ciphertext and key components.)

Table 1 lists the different types of keys we need and the inputs that should be passed to \(\overline{\mathsf {KeyGen}} \) (besides pp and y) in order to generate them. In the table, \(\mathbf {h} _1, \ldots , \mathbf {h} _{m}\) are samples from \(\mathsf {SampH}\); \(\mathbf {\hat{h}} _1, \ldots , \mathbf {\hat{h}} _{m}\) are samples from \(\overline{\mathsf {SampH}}\) (which also requires sp); and \(\mathbf {\hat{h}} '_i = (1, \hat{h}^{\gamma _1}_{i,0}, \ldots , \hat{h}^{\gamma _n}_{i,0})\) for \(i \in [m]\), where \(\gamma _1, \ldots , \gamma _n\) are the values described above for the ext-semi-functional ciphertext.
Table 1. Six types of keys.
Type of key | Inputs to \(\overline{\mathsf {KeyGen}} \) (besides pp and y)
Normal | \(\textsc {msk}; (\mathbf {h} _1, \ldots , \mathbf {h} _{m})\)
Pseudo-normal | \(\textsc {msk}; (\mathbf {h} _1 \cdot \mathbf {\hat{h}} _1, \ldots , \mathbf {h} _{m} \cdot \mathbf {\hat{h}} _{m})\)
Ext-pseudo-normal | \(\textsc {msk}; (\mathbf {h} _1 \cdot \mathbf {\hat{h}} _1 \cdot \mathbf {\hat{h}} '_1, \ldots , \mathbf {h} _{m} \cdot \mathbf {\hat{h}} _{m} \cdot \mathbf {\hat{h}} '_{m})\)
Ext-pseudo-semi-functional | \(\overline{\textsc {msk}}; (\mathbf {h} _1 \cdot \mathbf {\hat{h}} _1 \cdot \mathbf {\hat{h}} '_1, \ldots , \mathbf {h} _{m} \cdot \mathbf {\hat{h}} _{m} \cdot \mathbf {\hat{h}} '_{m})\)
Pseudo-semi-functional | \(\overline{\textsc {msk}}; (\mathbf {h} _1 \cdot \mathbf {\hat{h}} _1, \ldots , \mathbf {h} _{m} \cdot \mathbf {\hat{h}} _{m})\)
Semi-functional | \(\overline{\textsc {msk}}; (\mathbf {h} _1, \ldots , \mathbf {h} _{m})\)
Table 2. An outline of the proof structure.
Hybrid | Difference from previous | Properties required
\(\mathsf {Hyb} _0\) | |
\(\mathsf {Hyb} _1\) | ct semi-func | Left subgroup ind
\(\vdots \) | \(\vdots \) | \(\vdots \)
\(\mathsf {Hyb} _{2, \varphi -1, 5}\) | \(\varphi -1\) keys semi-func |
\(\mathsf {Hyb} _{2, \varphi , 1}\) | \(\varphi \)th key pseudo-norm | Right subgroup ind
\(\mathsf {Hyb} _{2, \varphi , 2}\) | ct ext-semi-func, \(\varphi \)th key ext-pseudo-norm | Parameter hiding
\(\mathsf {Hyb} _{2, \varphi , 3}\) | \(\varphi \)th key ext-pseudo-semi-func | Non-degeneracy, \(\mathsf {Sym}\text {-}\mathsf {Prop}^\star \), \(\mathsf {q}\text {-}\mathsf {ratio}_\mathsf {dsg}\) assumption
\(\mathsf {Hyb} _{2, \varphi , 4}\) | ct semi-func, \(\varphi \)th key pseudo-semi-func | Parameter hiding
\(\mathsf {Hyb} _{2, \varphi , 5}\) | \(\varphi \)th key semi-func | Right subgroup ind
\(\vdots \) | \(\vdots \) | \(\vdots \)
\(\mathsf {Hyb} _{2, \xi , 5}\) | All keys semi-func |
\(\mathsf {Hyb} _3\) | ct semi-func encryption of random msg | Projective, orthogonality, non-degeneracy
Let \(\xi \) denote the number of key queries made by the adversary. Table 2 gives an outline of the proof structure: the first column states the various hybrids we have (\(\varphi \in [\xi ]\)), the second column describes the way in which a hybrid differs from the one in the previous row, and the third column lists the properties we need to show indistinguishability from the previous one. To prevent the table from overflowing, we use some shorthands like ct for ciphertext, func for functional, norm for normal, msg for message, and ind for indistinguishability. Also, \(\mathsf {Hyb} _0\) is the game \(\mathsf {IND}\text {-}\mathsf {CPA}^{b}_{\mathcal {A}}(\lambda , \mathsf {par})\) which is formally defined in Sect. 2.1. See the full version for a more formal description of the hybrids.
Our main concern here is the indistinguishability of hybrids \(\mathsf {Hyb} _{2, \varphi , 2}\) and \(\mathsf {Hyb} _{2, \varphi , 3}\) when the \(\varphi \)th key changes from ext-pseudo-normal to ext-pseudo-semi-functional, while the ciphertext stays ext-semi-functional. (Indistinguishability of the rest of the hybrids follows from [1] as noted earlier.) We prove the following lemma in the full version.
Lemma 7.3
For any \(\mathsf {PPT}\) adversary \(\mathcal {A}\), there exists a \(\mathsf {PPT}\) adversary \(\mathcal {B}\) such that the advantage of \(\mathcal {A}\) in distinguishing \(\mathsf {Hyb} _{2, \varphi , 2}\) and \(\mathsf {Hyb} _{2, \varphi , 3}\) is at most the advantage of \(\mathcal {B}\) in the \(\mathsf {q}\text {-}\mathsf {ratio}_\mathsf {dsg}\) assumption plus some quantity negligible in the security parameter.
Footnotes
1. There has also been a very interesting line of work which uses indistinguishability obfuscation or multilinear maps to construct ABE for circuits [19, 20], and a lot of progress on building ABE schemes from lattices [13, 21], although achieving the natural full security notion there still requires complexity leveraging. Here, we focus on pairing-based constructions as to date they provide the best efficiency and security guarantees.
2. The trivial case is ruled out because we also require that the vectors corresponding to two special variables, in the encoding of x and y respectively, are not orthogonal.
3. \(\mathsf {q}\text {-}\mathsf {ratio}_\mathsf {dsg}\) is very similar to \(\mathsf {q}\text {-}\mathsf {ratio}\). We show that Chen and Wee's instantiations of dual system groups satisfy \(\mathsf {q}\text {-}\mathsf {ratio}_\mathsf {dsg}\) if the underlying bilinear maps satisfy \(\mathsf {q}\text {-}\mathsf {ratio}\).
4. There are other ABE schemes that get much more than attribute reuse, like large universe or short keys, based on q-type assumptions [2], but proving them secure under a standard assumption when reuse does not happen would be even more difficult.
5. This transformation and the one above require some bound on the number of variables and polynomials in the respective encoding.
6. In a recent work, Kowalczyk and Lewko [26] proposed a new technique to boost the entropy of a small set of (unpublished) semi-functional parameters. Using this idea, they propose a new KP-ABE scheme where the number of group elements in the public parameters grows only logarithmically in the bound on the number of attribute-uses in a policy, but note that the number of times an attribute can be reused is still affected. Furthermore, the size of ciphertexts scales with the maximum number of times an attribute can be reused.
7. \(d_1\), \(d_2\) could depend on \(\kappa \) but we leave this implicit for simplicity of presentation.
8. The claim is similar to one made in the case of linear secret sharing schemes where we say that if a set of attributes does not satisfy a policy, i.e. the associated set of rows cannot be linearly combined to get a certain vector \(\mathbf {v} \), then one can find a vector orthogonal to all those rows but not to \(\mathbf {v} \). See, for instance, [9, Claim 2] for a formal proof.
9. This step need not be applied if the properties are already satisfied.
10. As we will see later, when a pair encoding scheme is transformed into a predicate encryption scheme, the parameters of \(\mathsf {Sym}\text {-}\mathsf {Prop}^\star \) have no effect on the construction. They only affect the size of the assumption on which the security of the encryption scheme is based.
References
1. Agrawal, S., Chase, M.: A study of pair encodings: predicate encryption in prime order groups. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 259–288. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49099-0_10
2. Attrapadung, N.: Dual system encryption via doubly selective security: framework, fully secure functional encryption for regular languages, and more. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 557–577. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-55220-5_31
3. Attrapadung, N.: Dual system encryption via doubly selective security: framework, fully-secure functional encryption for regular languages, and more. Cryptology ePrint Archive, Report 2014/428 (2014). http://eprint.iacr.org/2014/428
4. Attrapadung, N.: Dual system encryption framework in prime-order groups via computational pair encodings. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 591–623. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53890-6_20
5. Attrapadung, N., Hanaoka, G., Yamada, S.: Conversions among several classes of predicate encryption and applications to ABE with various compactness tradeoffs. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 575–601. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48797-6_24
6. Attrapadung, N., Libert, B.: Functional encryption for inner product: achieving constant-size ciphertexts with adaptive security or support for negation. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 384–402. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-13013-7_23
7. Attrapadung, N., Libert, B., de Panafieu, E.: Expressive key-policy attribute-based encryption with constant-size ciphertexts. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 90–108. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-19379-8_6
8. Attrapadung, N., Yamada, S.: Duality in ABE: converting attribute based encryption for dual predicate and dual policy via computational encodings. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 87–105. Springer, Cham (2015). doi: 10.1007/978-3-319-16715-2_5
9. Beimel, A.: Secret-sharing schemes: a survey. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) IWCC 2011. LNCS, vol. 6639, pp. 11–46. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-20901-7_2
10. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy, pp. 321–334 (2007)
11. Boneh, D., Raghunathan, A., Segev, G.: Function-private identity-based encryption: hiding the function in functional encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 461–478. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40084-1_26
12. Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-70936-7_29
13. Boyen, X.: Attribute-based functional encryption on lattices. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 122–142. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-36594-2_8
14. Chase, M.: Multi-authority attribute based encryption. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 515–534. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-70936-7_28
15. Chen, J., Gay, R., Wee, H.: Improved dual system ABE in prime-order groups via predicate encodings. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 595–624. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46803-6_20
16. Chen, J., Wee, H.: Dual system groups and its applications – compact HIBE and more. Cryptology ePrint Archive, Report 2014/265 (2014). http://eprint.iacr.org/2014/265
17. Chen, J., Wee, H.: Semi-adaptive attribute-based encryption and improved delegation for boolean formula. In: Abdalla, M., Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 277–297. Springer, Cham (2014). doi: 10.1007/978-3-319-10879-7_16
18. Freeman, D.M.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 44–61. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-13190-5_3
19. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49 (2013)
20. Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Functional encryption without obfuscation. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 480–511. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49099-0_18
21. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: ACM STOC, pp. 545–554 (2013)
22. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM CCS, pp. 89–98 (2006). Available as Cryptology ePrint Archive Report 2006/309
23. Guillevic, A.: Comparing the pairing efficiency over composite-order and prime-order elliptic curves. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 357–372. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38980-1_22
24. Herold, G., Hesse, J., Hofheinz, D., Ràfols, C., Rupp, A.: Polynomial spaces: a new framework for composite-to-prime-order transformations. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 261–279. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-44371-2_15
25. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-78967-3_9
26. Kowalczyk, L., Lewko, A.B.: Bilinear entropy expansion from the decisional linear assumption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 524–541. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48000-7_26
27. Lewko, A.: Tools for simulating features of composite order bilinear groups in the prime order setting. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 318–335. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-29011-4_20
28. Lewko, A., Waters, B.: Decentralizing attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 568–588. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-20465-4_31
29. Lewko, A., Waters, B.: Unbounded HIBE and attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 547–567. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-20465-4_30
30. Lewko, A., Waters, B.: New proof methods for attribute-based encryption: achieving full security through selective techniques. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 180–198. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32009-5_12
31. Okamoto, T., Takashima, K.: Fully secure unbounded inner-product and attribute-based encryption. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 349–366. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34961-4_22
32. Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with non-monotonic access structures. In: ACM CCS, pp. 195–203 (2007)
33. Rouselakis, Y., Waters, B.: Practical constructions and new proof methods for large universe attribute-based encryption. In: ACM CCS, pp. 463–474 (2013)
34. Sahai, A., Seyalioglu, H., Waters, B.: Dynamic credentials and ciphertext delegation for attribute-based encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 199–217. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32009-5_13
35. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). doi: 10.1007/11426639_27
36. Shen, E., Shi, E., Waters, B.: Predicate privacy in encryption systems. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 457–473. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-00457-5_27
37. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03356-8_36
38. Waters, B.: Functional encryption for regular languages. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 218–235. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-32009-5_14
39. Waters, B.: A punctured programming approach to adaptively secure functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 678–697. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48000-7_33
40. Wee, H.: Dual system encryption via predicate encodings. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 616–637. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-54242-8_26
41. Yamada, S., Attrapadung, N., Hanaoka, G., Kunihiro, N.: A framework and compact constructions for non-monotonic attribute-based encryption. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 275–292. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-54631-0_16