Generic Transformations of Predicate Encodings: Constructions and Applications
Abstract
Predicate encodings (Wee, TCC 2014; Chen, Gay, Wee, EUROCRYPT 2015) are symmetric primitives that can be used for building predicate encryption schemes. We give an algebraic characterization of the notion of privacy from predicate encodings, and explore several of its consequences. Specifically, we propose more efficient predicate encodings for boolean formulae and arithmetic span programs, and generic optimizations of predicate encodings. We define new constructions to build boolean combinations of predicate encodings. We formalize the relationship between predicate encodings and pair encodings (Attrapadung, EUROCRYPT 2014), another primitive that can be transformed generically into predicate encryption schemes, and compare our constructions for boolean combinations of pair encodings with existing similar constructions from pair encodings. Finally, we demonstrate that our results carry over to tag-based encodings (Kim, Susilo, Guo, and Au, SCN 2016).
Keywords
Predicate Encryption (PE), Pair Encoding, PE Schemes, Attrapadung, Monotone Boolean Formula
1 Introduction
Predicate Encryption (PE) [13, 25] is a form of public-key encryption that supports fine-grained access control for encrypted data. In predicate encryption, everyone can create ciphertexts while keys can only be created by the master key owner. Predicate encryption schemes use predicates to model (potentially complex) access control policies, and attributes are attached to both ciphertexts and secret keys. A predicate encryption scheme for a predicate \(\mathsf {P}\) guarantees that decryption of a ciphertext \(\mathsf{ct}_{x}\) with a secret key \(\mathsf{sk}_{y}\) is allowed if and only if the attribute x associated to the ciphertext \(\mathsf{ct}\) and the attribute y associated to the secret key \(\mathsf{sk}\) verify the predicate \(\mathsf {P}\), i.e. \(\mathsf {P}(x,y)=1\). Predicate encryption schemes exist for several useful predicates, such as Zero Inner Product Encryption (ZIPE), where attributes are vectors \(\varvec{x}\) and \(\varvec{y}\) and the predicate \(\mathsf {P}(\varvec{x},\varvec{y})\) is defined as \(\varvec{x}^{\top }\varvec{y}=0\). Predicate encryption subsumes several previously defined notions of public-key encryption. For example, Identity-Based Encryption (IBE) [34] can be obtained by defining \(\mathsf {P}(x,y)\) as \(x = y\) and Attribute-Based Encryption (ABE) [33] can be obtained similarly. More concretely, for Key-Policy ABE (KP-ABE), the attribute x is a boolean vector, the attribute y is a boolean function, and the predicate \(\mathsf {P}(x,y)\) is defined as \(y(x) = 1\). For Ciphertext-Policy ABE (CP-ABE), the roles of the attributes x and y are swapped.
Modular Approaches for PE. In 2014, two independent works by Wee [37] and Attrapadung [6] proposed generic and unifying frameworks for obtaining efficient fully secure PE schemes for a large class of predicates. Both works use the dual system methodology introduced by Lewko and Waters [27, 36] and define a compiler that takes as input a relatively simple symmetric primitive and produces a fully secure PE construction. Wee introduced so-called predicate encodings, an information-theoretic primitive inspired by linear secret sharing. Attrapadung introduced so-called pair encodings and provided computational and information-theoretic security notions. These approaches greatly simplify the construction and analysis of predicate encryption schemes and share several advantages. First, they provide a good trade-off between expressivity and performance, while the security relies on standard and well studied assumptions. Second, they unify existing constructions into a single framework, i.e., previous PE constructions can be seen as instantiations of these new compilers with certain encodings. Third, building PE schemes by analyzing and building these simpler encodings is much easier than building PE schemes directly. Compared to full security for PE, the encodings must verify much weaker security requirements. The power of pair and predicate encodings is evidenced by the discovery of new constructions and efficiency improvements over existing ones. However, both approaches were designed over composite order bilinear groups. Chen et al. [15] and Attrapadung [7] respectively extended the predicate encoding and pair encoding compilers to the prime order setting. Next, Agrawal and Chase [1] improved on Attrapadung’s work by relaxing the security requirement on pair encodings and thus capturing new constructions.
In addition, their work also brings both generic approaches closer together, because like in [15], the new compiler relies (in a black-box way) on Dual System Groups (DSG) [16, 17]. Additionally, Kim et al. [22] recently introduced a new generic framework for modular design of predicate encryption that improves on the performance of existing compilers. Their core primitive, tag-based encodings, is very similar to predicate encodings.
1.1 Our Contributions
We pursue the study of predicate encodings and establish several general results and new constructions that broaden their scope and improve their efficiency. We also compare predicate encodings to pair and tag-based encodings.
Predicate Encodings. We show that the information-theoretic definition of \(\alpha \)-privacy used in [15, 37] is equivalent to an algebraic statement (furthermore independent of \(\alpha \)) about the existence of solutions for a linear system of equations. Leveraging this result, we prove a representation theorem for predicate encodings: every triple of encoding functions implicitly defines a unique predicate for which it is a valid predicate encoding. Conversely, every predicate \(\mathsf {P}\) that admits a predicate encoding is logically equivalent to the implicit predicate induced by its encoding functions. Moreover, our algebraic definition of privacy simplifies all subsequent results in the paper.
First, we define a generic optimization of predicate encodings that often leads to efficiency improvements and reduces the number of required group elements in keys and ciphertexts. We prove the soundness of the transformations and validate their benefits experimentally on examples from [15, 37]; we successfully apply these simplifications to reduce the size of keys and ciphertexts by up to 50% and to reduce the number of group operations needed in some of the existing encodings.
Second, we define generic methods for combining predicate encodings. We provide encoding transformations for the disjunction, conjunction and negation of predicates, and for the dual predicate.
Tag-Based Encodings. We show that our results on predicate encodings generalize to tag-based encodings. In particular, we give a purely algebraic characterization of the hiding property of tag-based encodings. Moreover, we demonstrate that the hiding property can be strengthened without any loss of generality, by requiring equality rather than statistical closeness of distributions.
Comparison of Encodings. We compare the expressivity of the three core primitives (predicate encodings, pair encodings and tag-based encodings) corresponding to the three different modular frameworks. We provide an embedding that produces an information-theoretical pair encoding from every predicate encoding. Then, we use this encoding to compare our constructions to build boolean combinations of predicate encodings with similar constructions for pair encodings that were introduced by [6].
In addition, we provide a transformation from tag-based encodings into predicate encodings.

Combining predicates. We show how to combine our results to build Dual-Policy Attribute-Based Encryption (DP-ABE) [9, 10] in the frameworks of predicate encodings and tag-based encodings (Sect. 6.1). Additionally, we consider the idea of combining arbitrary encodings with a broadcast encryption encoding to achieve direct revocation of keys. The former encoding takes care of revocation, while the latter encodes the desired access structure.

Improved predicate encodings. We provide new instances of predicate encodings that improve on best known predicate encodings proposed in [15] and have additional properties (Sect. 6.2).

Extra features. Finally, we show how to construct a weakly attribute-hiding predicate encoding for boolean formulas and how to enhance any predicate encoding with support for delegation (Sect. 6.3).
Implementation and Evaluation. We implement a general library for predicate encryption with support for the predicate encoding and pair encoding frameworks. Our library uses the Relic-Toolkit [5] for pairings with a 256-bit Barreto-Naehrig curve [11]. We use our library for validating our constructions; experimental results are presented in the relevant sections. All the experiments were executed on an 8-core machine with a 2.40 GHz Intel Core i7-3630QM CPU and 8 GB of RAM. Our scalability experiments show that predicate encodings can be used for real applications. The code is publicly available and open source.
1.2 Prior Work
Predicate encodings have been introduced in [37] and we use a refined version that is defined in [15] as our starting point. Both variants use an information-theoretic definition of the hiding while we show that there is an equivalent algebraic definition. Another related work is [20], initiating a systematic study of the communication complexity of the so-called conditional secret disclosure primitive, which is closely related to predicate encodings.
Other works also optimize existing predicate encryption schemes, for example many works focus on going from composite order constructions to the more efficient prime order ones [7, 15, 26]. In [15] they also propose performance improvements on dual system groups. We believe our optimizations via predicate encodings complement other possible enhancements of predicate encryption.
Boolean combinations of predicates have also been considered in the setting of pair encodings. Attrapadung [9, 10] proposes generic transformations for conjunction and for the dual predicate, but neither for negation nor disjunction. We propose new transformations for conjunction and dual in the framework of predicate encodings and we also deal with negation and disjunction.
The main advantage of DP-ABE is the possibility of considering policies over objective attributes (associated to data) and policies over subjective attributes (associated to user credentials) at the same time. DP-ABE has been considered by Attrapadung in the pair encoding framework [9, 10]. To the best of our knowledge, we are the first to provide DP-ABE in the predicate encoding and tag-based encoding frameworks.
Revocation is a desirable property for PE and ABE schemes that has also been considered by many works in the literature. Revocation allows invalidating a user’s secret key in such a way that it becomes useless, even if its associated attribute satisfies the policy associated to the ciphertext. Some attempts [32] propose indirect revocation that requires that the master secret owner periodically updates secret keys for non-revoked users. Other attempts achieve direct revocation [8, 23, 30, 31], but either rely on strong assumptions or provide only selective security. Our construction not only achieves revocation in a fully secure framework, but also allows adding revocation to arbitrary predicate encodings.
Policy hiding is another property of PE, and ABE in particular, that has been broadly studied. In this context, policies associated to ciphertexts are not attached to them and therefore, unauthorized users will only learn the fact that their key does not satisfy the policy, but nothing else. Policy hiding has been considered in several works [13, 25]. The security of our construction improves on earlier works, thanks to the compiler from [15]. Our observation extends the expressivity of attribute-hiding predicate encryption for ZIPE proposed in [15] to support policy-hiding for boolean formulas.
In [15], the authors introduce the notion of spatial encryption predicate encodings. We generalize this notion and introduce a transformation that makes delegation possible for every predicate encoding.
Several works evaluate the suitability of ABE for different applications. For example, ABE has been used and benchmarked to enforce privacy of Electronic Medical Records (EMR) [3], in a system where healthcare organizations export EMRs to external storage locations. Other examples are Sieve [35] or Streamforce [18], systems that provide enforced access control for user data and stream data in untrusted clouds. In contrast to these works, we are the first to evaluate predicate encryption and ABE based on modern modular approaches such as the predicate encoding and pair encoding frameworks. The resulting schemes also satisfy a stronger security notion (full vs. selective security) compared to the previously mentioned evaluations. We focus on synthetic case studies, while other works analyze more realistic settings and integration of ABE into bigger systems. Combining our methods with these more practical case studies is a very interesting direction for future work.
1.3 Comparison with Agrawal and Chase (EUROCRYPT 2017)
Concurrently and independently, Agrawal and Chase [2] introduce a new security notion, which they call symbolic property, for pair encodings. They adapt previous generic frameworks [1, 7] to define a compiler that takes pair encodings satisfying the symbolic property and produces fully secure predicate encryption schemes under the q-ratio assumption—a new assumption that is implied by some q-type assumptions proposed in [6, 29]. Moreover, they introduce the notion of trivially broken pair encoding and show that any not trivially broken pair encoding must satisfy their symbolic property. Their definitions of symbolic property and trivially broken for pair encodings are closely related to our algebraic characterization of privacy of predicate encodings. However, the two results are incomparable: although pair encodings are more general than predicate encodings (see Sect. 5.1 for a more detailed comparison), their results rely on q-type assumptions, whereas our results build on previous frameworks that rely on weaker assumptions (Matrix-DH or k-LIN).
2 Background
In this section, we first introduce some mathematical notation and then define predicate encodings, tag-based encodings and pair encodings, the three primitives used in the three different modular frameworks for predicate encryption.
2.1 Notation
For finite sets S, we use \(x \mathop {\leftarrow }\limits ^{\$}S\) to denote that x is uniformly sampled from S. We define [n] as the range \(\{1,\dots ,n\}\) for an arbitrary \(n \in \mathbb {N}\). For a predicate \(\mathsf {P}: \mathcal {X}\times \mathcal {Y}\rightarrow \{0,1\}\), we use \((x,y) \in \mathsf {P}\) as a shorthand for \(\mathsf {P}(x,y) = 1\). We use the same conventions for matrix representations of linear maps on finite-dimensional spaces. We define vectors \(\varvec{v} \in \mathbb {F}^{n}\) as column matrices and denote the transpose of a matrix A by \(A^{\top }\). We use \(\mathsf{diag}(\varvec{v})\) to denote the diagonal matrix with main diagonal \(\varvec{v}\). We denote the identity matrix of dimension n by \(I_{n}\), a zero vector of length n by \(\varvec{0}_n\) and a zero matrix of m rows and n columns by \({\mathbf {0}}_{m, n}\). Let S be a set of indices and A be a matrix. \(A_S\) denotes the matrix formed from the set of columns of A with indices in S. We define the colspan of a matrix \(M \in \mathbb {F}^{m\times n}\) as the set of all possible linear combinations of the columns of M. We analogously define the rowspan of a matrix. We consider prime order bilinear groups \(\mathcal{G}= (\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_t, e:\mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_t)\) and use \(g_1\), \(g_2\), \(g_t\) to denote their respective generators. The map e satisfies \(e(g_1^a, g_2^b) = g_t^{ab}\) for every \(a,b \in \mathbb {N}\). A bilinear group is said to be symmetric if \(\mathbb {G}_1 = \mathbb {G}_2\), otherwise it is called asymmetric. We abuse notation and write \(g^{\varvec{v}}\) to denote \((g^{\varvec{v}_1}, \dots , g^{\varvec{v}_n})\) for a group element g and a vector \(\varvec{v} \in \mathbb {Z}_p^{n}\).
2.2 Predicate Encodings
Predicate encodings are information-theoretic primitives that can be used for building predicate encryption schemes [37]. We adopt the definition from [15], but prefer to use matrix notation.
Definition 1

reconstructability: for all \((x,y) \in \mathsf {P}\), \(\mathsf {sD}_{x,y}^{\top } \mathsf {sE}_x = \mathsf {rD}_{x,y}^{\top } \mathsf {rE}_y\) and \(\mathsf {rD}_{x,y}^{\top } \mathsf {kE}_y = 1\);
\(\alpha \)-privacy: for all \((x,y) \notin \mathsf {P}, \alpha \in \mathbb {Z}_p\), $$\begin{aligned} \varvec{w}\mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{w}; \textsf { return } (\mathsf {sE}_x \varvec{w}, \, \mathsf {rE}_y \varvec{w}+ \alpha \cdot \mathsf {kE}_y) \, \, \equiv \, \, \varvec{w}\mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{w}; \textsf { return } (\mathsf {sE}_x \varvec{w}, \, \mathsf {rE}_y \varvec{w}) \end{aligned}$$ where \(\equiv \) denotes equality of distributions.
Reconstructability allows recovering \(\alpha \) from \((x,y,\, \mathsf {sE}_x \varvec{w}, \, \mathsf {rE}_y \varvec{w}+ \alpha \cdot \mathsf {kE}_y)\) if \((x,y) \in \mathsf {P}\). Privacy ensures that \(\alpha \) is perfectly hidden for such tuples if \((x,y) \notin \mathsf {P}\).
Example 1
Note that the following is a simplification of their compiler, where we avoid DSG for simplicity. The real scheme produced by their compiler would have twice as many group elements (under SXDH) or three times as many (under DLIN).
2.3 Tag-Based Encodings
Tag-based encodings are a new primitive defined in a very recent work [22] that defines a new generic framework (using prime order groups) for modular design of predicate encryption.
Definition 2
reconstructability: for all \((x,y) \in \mathsf {P}\), there exists an efficient algorithm that on input (x, y) computes vectors \(\varvec{m}_c \in \mathbb {Z}_p^{c}\), \(\varvec{m}_k \in \mathbb {Z}_p^{k}\) such that $$\begin{aligned} \varvec{m}_c^{\top } \mathsf {cE}_x = \varvec{m}_k^{\top } \mathsf {kE}_y \ne \varvec{0}^{\top }_{h} \end{aligned}$$
\(\varvec{h}\)-hiding: for all \((x,y) \notin \mathsf {P}\), $$\begin{aligned} \varvec{h} \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{h};\, \textsf { return } (\mathsf {cE}_x \varvec{h},\, \mathsf {kE}_y \varvec{h}) \quad \approx _s\quad \varvec{h}, \varvec{h}' \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{h};\, \textsf { return } (\mathsf {cE}_x \varvec{h},\, \mathsf {kE}_y \varvec{h}') \end{aligned}$$ where \(\approx _s\) denotes negligible statistical distance between distributions.
The compiler proposed in [22] uses similar ideas to the one for predicate encodings. However, it does not rely on dual system groups and can be instantiated with symmetric bilinear maps. The message is blinded and ciphertexts and keys contain a set of group elements that are enough to recover the blinding factor only when the predicate is true. This compiler has the advantage that some elements of ciphertexts and keys are \(\mathbb {Z}_p\) values and not group elements, which reduces the storage size.
2.4 Pair Encodings
Attrapadung [6, 7] proposes an independent modular framework for predicate encryption, based on a primitive called pair encoding. For our purposes, it suffices to consider a more restrictive, information-theoretic, notion of pair encodings.
Definition 3
 polynomial constraints:

\(\bullet \) For every \(x \in \mathcal {X}\) and every \(f \in \mathsf{Enc1}(x)\), \(f = f(\varvec{s},\varvec{h})\) only contains monomials of the form \(s_i\) or \(s_ih_j\), \(i \in [0,l]\), \(j \in [n]\).

\(\bullet \) For every \(y \in \mathcal {Y}\) and every \(f \in \mathsf{Enc2}(y)\), \(f = f(\varvec{r},\varvec{h})\) only contains monomials of the form \(\alpha \), \(r_i\) or \(r_ih_j\), \(i \in [m]\), \(j \in [n]\).


reconstructability: for all \((x,y) \in \mathsf {P}\) and all \(\varvec{c}_x \leftarrow \mathsf{Enc1}(x)\), \(\varvec{k}_y \leftarrow \mathsf{Enc2}(y)\), \(E_{x,y} \leftarrow \mathsf{Pair}(x,y)\), the following polynomial equality holds \(\varvec{c}_x^{\top }E_{x,y}\varvec{k}_y = \alpha s_0\).
perfect security: for all \((x,y) \notin \mathsf {P}\) and all \(\varvec{c}_x \leftarrow \mathsf{Enc1}(x)\), \(\varvec{k}_y \leftarrow \mathsf{Enc2}(y)\), $$\begin{aligned} \begin{array}{lll} &{} \varvec{h} \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{n};\, \varvec{r} \mathop {\leftarrow }\limits ^{\$}(\mathbb {Z}_p^*)^{m};\, \varvec{s} \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{l+1};\, &{} \textsf { return } (\varvec{c}_x(\varvec{s}, \varvec{h}), \, \varvec{k}_y(0,\varvec{r},\varvec{h})) \quad \equiv \\ &{} \varvec{h} \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{n};\, \varvec{r} \mathop {\leftarrow }\limits ^{\$}(\mathbb {Z}_p^*)^{m};\, \varvec{s} \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{l+1}; \alpha \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p;\, &{} \textsf { return } (\varvec{c}_x(\varvec{s}, \varvec{h}), \, \varvec{k}_y(\alpha ,\varvec{r},\varvec{h})) \end{array} \end{aligned}$$ where \(\equiv \) denotes equality of distributions.
The compiler from pair encodings follows similar ideas to the other compilers. The message is blinded by a random factor and ciphertexts and keys contain all the information necessary to recover this blinded factor, only when the predicate holds. The compiler from pair encodings requires computing a polynomial number of pairings during decryption, unlike the compilers for predicate encodings and tag-based encodings that need 6 and 8 pairings respectively.
3 Predicate Encodings: Properties and Consequences
In this section, we present a purely algebraic (and independent of \(\alpha \)) characterization of the \(\alpha \)-privacy property. It simplifies both the analysis and the construction of predicate encodings. In particular, we use our characterization to define and prove a new optimization of predicate encodings, i.e., a transformation that makes the encoding functions smaller while preserving the predicate. Additionally, we unify the reconstructability and privacy properties and show that they are mutually exclusive and complementary, i.e., for every \((x,y) \in \mathcal {X}\times \mathcal {Y}\), one and only one of the two conditions holds. This unified treatment facilitates the construction and study of predicate encodings.
3.1 Algebraic Properties of Predicate Encodings
The following theorem captures two essential properties of predicate encodings: first, privacy admits a purely algebraic characterization (furthermore independent of \(\alpha \)) given in terms of existence of solutions of a linear system of equations. Second, reconstructability and privacy, when viewed as properties of a single pair (x, y), negate each other; i.e. a pair (x, y) always satisfies exactly one of the two properties.
Theorem 1
\(\alpha \)-privacy: for every \(\alpha \in \mathbb {Z}_p\), $$\begin{aligned}&\varvec{w}\mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{w}; \textsf { return } (S \varvec{w}, \, R \varvec{w}+ \alpha \cdot \varvec{k}) \quad \equiv \quad&\varvec{w}\mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{w}; \textsf { return } (S \varvec{w}, \, R \varvec{w})&\end{aligned}$$

(algebraic) privacy: there exists \(\varvec{w}\in \mathbb {Z}_p^{w}\) such that \(S \varvec{w}= \varvec{0}_{s}\) and \(R \varvec{w}= \varvec{k}\)

non-reconstructability: for every \(\varvec{s} \in \mathbb {Z}_p^{s}\) and \(\varvec{r} \in \mathbb {Z}_p^{r}\), either \(\varvec{s}^{\top }S \ne \varvec{r}^{\top }R\) or \(\varvec{r}^{\top }\varvec{k} \ne 1\).
Proof

for every \(\varvec{a}\in \mathbb {F}^{m}\), \(\varvec{b}^{\top } \ne \varvec{a}^{\top }A\);

there exists \(\varvec{z}\in \mathbb {F}^{n}\) such that \(\varvec{z}^{\top } \varvec{b} = 1\) and \(A \varvec{z} = \varvec{0}_{m}\).
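The dichotomy of Theorem 1 can be checked mechanically with linear algebra over \(\mathbb {Z}_p\). The following Python code is an added example, not code from the paper or its library: for matrices S, R and a vector k it searches for an algebraic privacy witness and for a reconstruction witness, and confirms that exactly one of the two exists. The prime 101 and the two sample encodings (an equality encoding and a zero-inner-product encoding, written in the matrix notation of Sect. 2.2) are constructed for this illustration.

```python
# Added example: Theorem 1 as a decision procedure over Z_p.
P = 101  # small prime, chosen for readability (constructed parameter)


def solve_mod_p(A, b, p=P):
    """Return one z with A z = b (mod p), or None if the system is inconsistent."""
    rows, cols = len(A), len(A[0])
    # Augmented matrix [A | b], reduced modulo p.
    M = [[v % p for v in A[i]] + [b[i] % p] for i in range(rows)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if M[i][c]), None)
        if piv is None:
            continue  # free column
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)  # modular inverse (Python 3.8+)
        M[r] = [v * inv % p for v in M[r]]
        for i in range(rows):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(u - f * v) % p for u, v in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    # Rows below the last pivot are all-zero on the left; a non-zero
    # right-hand side there means no solution exists.
    if any(M[i][cols] for i in range(r, rows)):
        return None
    z = [0] * cols  # free variables are set to 0
    for i, c in enumerate(pivots):
        z[c] = M[i][cols]
    return z


def privacy_witness(S, R, k, p=P):
    """Algebraic privacy: w with S w = 0 and R w = k, or None."""
    return solve_mod_p(S + R, [0] * len(S) + list(k), p)


def reconstruction_witness(S, R, k, p=P):
    """Reconstructability: (s, r) with s^T S = r^T R and r^T k = 1, or None."""
    ns, nr, w = len(S), len(R), len(S[0])
    # One equation per column j: sum_i s_i S[i][j] - sum_i r_i R[i][j] = 0.
    A = [[S[i][j] for i in range(ns)] + [-R[i][j] for i in range(nr)]
         for j in range(w)]
    A.append([0] * ns + list(k))  # last equation: r^T k = 1
    u = solve_mod_p(A, [0] * w + [1], p)
    return None if u is None else (u[:ns], u[ns:])


def classify(S, R, k, p=P):
    """Return which side of Theorem 1 holds for the pair behind (S, R, k)."""
    priv = privacy_witness(S, R, k, p)
    rec = reconstruction_witness(S, R, k, p)
    assert (priv is None) != (rec is None), "exactly one property must hold"
    return "private" if rec is None else "reconstructable"


def equality_encoding(x, y):
    """Constructed sample for P(x, y) = (x == y): sE_x = (1 x), rE_y = (1 y), kE_y = (1)."""
    return [[1, x]], [[1, y]], [1]


def zipe_encoding(x, y):
    """Constructed sample for P(x, y) = (x^T y == 0): sE_x = [x | I_n], rE_y = [0 | y^T], kE_y = (1)."""
    n = len(x)
    S = [[x[i]] + [int(i == j) for j in range(n)] for i in range(n)]
    R = [[0] + list(y)]
    return S, R, [1]


if __name__ == "__main__":
    print(classify(*equality_encoding(5, 5)))               # x == y
    print(classify(*equality_encoding(5, 7)))               # x != y
    print(privacy_witness(*equality_encoding(5, 7)))        # witness w
    print(classify(*zipe_encoding([1, 2, 3], [3, 0, -1])))  # inner product 0
    print(classify(*zipe_encoding([1, 2, 3], [1, 1, 1])))   # inner product 6
```

Running `classify` over all pairs (x, y) of a partial encoding tabulates the pairs for which reconstruction is possible.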
Our next result is a representation theorem. It is based on the notion of partial encoding; informally, a partial encoding consists of the first three algorithms of a predicate encoding; it is not attached to any specific predicate, nor is required to satisfy any property.
Definition 4
(Partial encoding). Let \(\mathcal {X}\) and \(\mathcal {Y}\) be finite sets. Let \(p\in \mathbb {N}\) be a prime and \(s,r,w\in \mathbb {N}\). A (s, r, w)-partial encoding is given by three deterministic algorithms \((\mathsf {sE},\mathsf {rE},\mathsf {kE})\): \(\mathsf {sE}\) maps \(x \in \mathcal {X}\) into a matrix \(\mathsf {sE}_x \in \mathbb {Z}_p^{s \times w}\), and \(\mathsf {rE}\), \(\mathsf {kE}\) map \(y \in \mathcal {Y}\) into a matrix \(\mathsf {rE}_y \in \mathbb {Z}_p^{r \times w}\) and a vector \(\mathsf {kE}_y \in \mathbb {Z}_p^{r}\) respectively.
The representation theorem shows that there exists an embedding from partial encodings to predicate encodings, and that every predicate encoding lies in the image of the embedding.
Theorem 2
Example 2
Example 3
3.2 Optimizing Predicate Encodings
In this section, we show that the efficiency of predicate encodings can be improved by pre- and post-processing. Specifically, we show that an (s, r, w)-encoding \((\mathsf {sE},\mathsf {rE},\mathsf {kE},\mathsf {sD},\mathsf {rD})\) for a predicate \(\mathsf {P}\) can be transformed into a \((s',r',w')\)-encoding \((\mathsf {sE}',\mathsf {rE}',\mathsf {kE}',\mathsf {sD}',\mathsf {rD}')\) for the same predicate, by applying a linear transformation to the matrices induced by \(\mathsf {sE},\mathsf {rE},\mathsf {kE}\).
More precisely, if we define \(\mathsf {sE}'_x = A\mathsf {sE}_x\), \(\mathsf {rE}'_y = B\mathsf {rE}_y\) and \(\mathsf {kE}'_y = B\mathsf {kE}_y\) for two matrices A and B, the privacy of the encoding will be preserved, but reconstructability may be destroyed. On the contrary, when we consider the partial encoding \(\mathsf {sE}'_x = \mathsf {sE}_xC\), \(\mathsf {rE}'_y = \mathsf {rE}_yC\) and \(\mathsf {kE}'_y = \mathsf {kE}_y\) for a matrix C, reconstructability is automatically guaranteed, but privacy may not hold (for the same predicate). Intuitively, this occurs because reconstructability depends on the rowspan of the matrices \(\mathsf {sE}_x, \mathsf {rE}_y\), while privacy depends on their colspan. Our following theorem imposes conditions on these matrices A, B and C so that the resulting predicate encoding is equivalent to the original one.
Theorem 3

For all \((x,y) \in \mathsf {P}\), Open image in new window and Open image in new window ;

For all \((x,y) \notin \mathsf {P}\), there exists Open image in new window s.t. \(\mathsf {sE}_x\varvec{w}= \varvec{0}_{s}\) and \(\mathsf {rE}_y \varvec{w}= \mathsf {kE}_y\).
This transformation is useful to make predicate encodings simpler and more efficient in different ways. For instance, it can be used to make the matrices corresponding to encoding and decoding functions become sparser. That is, if we consider \(\mathsf{A}\) and \(\mathsf{B}\) as functions that apply matrix Gaussian elimination to the matrices associated to \(\mathsf {sE}\) and \(\mathsf {rE},\mathsf {kE}\), many entries from these matrices will be zero. Hence, fewer group operations will be performed during encryption and key generation, improving the performance. Moreover, the transformation can be used to reduce the size of \(\mathsf{mpk}\), \(\mathsf{ct}_{x}\) and \(\mathsf{sk}_{y}\). If \(w'<w\), the number of elements in \(\mathsf{mpk}\) will decrease. This will also improve the performance of encryption and key generation (both depend directly on \(\mathsf{mpk}\)). Additionally, if \(s'<s\) or \(r'<r\), the number of elements in \(\mathsf{ct}_{x}\) and \(\mathsf{sk}_{y}\) will also decrease respectively.
Note that a simplification from the right (multiplying by \(\mathsf{C}\)) changes the structure of the encoding and may open the possibility of left-simplifications that were not available before and vice versa. Example 4 illustrates this idea. We optimize a predicate encoding that corresponds to the result of applying our negation transformation (from next section, Theorem 6) to the predicate encoding from Example 1.
Example 4
The above simplifications can be successfully applied to actual predicate encodings proposed in [15]. In Sect. 6.2 we propose improved predicate encodings for monotonic boolean formulas and arithmetic span programs.
3.3 Combining Predicates
Using the new characterization of predicate encodings from the previous section, we define transformations to combine predicate encodings into new predicate encodings for more complex predicates. In particular, we define predicate encoding transformations for disjunction, conjunction, negation and the dual predicate. These combinations are useful to create new schemes that inherit different properties from the more basic building blocks. In Sect. 6, we propose several constructions that rely on these transformations.
Disjunction. We present a method to build a predicate encoding for the disjunction of \(\mathsf {P}_1\) and \(\mathsf {P}_2\) from predicate encodings for \(\mathsf {P}_1\) and \(\mathsf {P}_2\). Observe that the predicate encryption scheme obtained from the resulting predicate encoding is more efficient than the predicate encryption scheme obtained by compiling the predicate encodings of \(\mathsf {P}_1\) and \(\mathsf {P}_2\) separately, and then applying a generic transformation that builds predicate encryption schemes for a disjunction from predicate encryption schemes of its disjuncts.
Theorem 4
Note that it is possible to obtain sharing between attributes, e.g., if \({\mathcal {X}}_{1}= {\mathcal {X}}_{2}\) and the sender uses only the subset \(\{ (x,x) \mid x \in {\mathcal {X}}_{1}\}\) of \({\mathcal {X}}_{1}\times {\mathcal {X}}_{2}\), the predicate becomes \(\mathsf {P}(x,({y}_{1},{y}_{2})) = 1 \text { iff } \mathsf {P}_1(x,{y}_{1}) \vee \mathsf {P}_2(x,{y}_{2})\).
Conjunction. In contrast to disjunction, the naive solution that just concatenates secret keys fails. Given keys for attribute pairs \((y_1,y_2)\) and \((y_1',y_2')\), it would be possible to recombine the components and obtain a key for \((y_1,y_2')\) leading to collusion attacks. Our predicate encoding transformation deals with this problem by “tying” the two components together with additional randomness.
Theorem 5
Note that it is possible to combine Theorems 4 and 5 to create a predicate encoding for \(\mathsf {P}_1\bowtie \mathsf {P}_2\), where the placeholder \(\bowtie \in \{\vee , \wedge \}\) can be part of keys or ciphertexts.
Negation. To obtain a functionally complete set of boolean predicate encoding transformers, we now define a transformation for negation. Our transformation unifies negated predicates like Nonzero Inner Product Encryption (NIPE) and Zero Inner Product Encryption (ZIPE). In Sect. 6.2 we use this transformation to build optimized predicate encodings. The technique works for predicate encodings where the negation transformation yields a predicate encoding that can be further simplified (using our method from Sect. 3.2).
Theorem 6
A similar construction has been considered in a later work [4]. Specifically, they show how to transform a conditional disclosure of secrets (CDS) for f into a CDS for \(\bar{f}\) (the complement of f).
Dual. In the literature, the notions of KP-ABE and CP-ABE are considered separately. In fact, many works are only valid for one of the two versions of Attribute-Based Encryption. Our transformation unifies the notion of KP-ABE and CP-ABE in the framework of predicate encodings. In this context they should not be considered separately, because our transformation provides a Ciphertext-Policy predicate encoding from any Key-Policy predicate encoding and vice versa.
Theorem 7
4 Tag-Based Encodings
We show that our techniques for predicate encodings can be extended to the framework of tag-based encodings. In particular, we show a similar result to our Theorem 1, which establishes that \(\varvec{h}\)-hiding and reconstructability are mutually exclusive and complementary.
Theorem 8

\(\varvec{h}\)-hiding: \(\varvec{h} \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{h};\, \textsf { return } (C \varvec{h},\, K \varvec{h}) \,\, \equiv \,\, \varvec{h}, \varvec{h}' \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{h};\, \textsf { return } (C \varvec{h},\, K \varvec{h}')\)

non-reconstructability: For every \(\varvec{m}_c \in \mathbb {Z}_p^{c}\) and every \(\varvec{m}_k \in \mathbb {Z}_p^{k}\), either \(\varvec{m}_c^{\top } C \ne \varvec{m}_k^{\top } K\) or \(\varvec{m}_c^{\top } C = \varvec{0}^{\top }_{h}\).
A consequence of Theorem 8 is that every valid tag-based encoding is perfectly hiding, or equivalently, there cannot exist a tag-based encoding where the two distributions from \(\varvec{h}\)-hiding are negligibly close but not identical.
Thanks to the above theorem, it is possible to define disjunction and conjunction transformations for tag-based encodings along the lines of predicate encodings. We were not able to design a negation transformation for tag-based encodings and leave it for future work. On the other hand, the dual transformation is straightforward in this framework, as mentioned in [22], because the encoding primitives are completely symmetric.
Expressivity of Tag-Based Encodings vs Predicate Encodings. We propose a transformation that produces valid predicate encodings from valid tag-based encodings for the same predicate.
Theorem 9
Given a (c, 1, h)-tag-based encoding \((\mathsf {cE},\mathsf {kE})\) for \(\mathsf {P}: \mathcal {X}\times \mathcal {Y}\rightarrow \{0,1\}\), the (c, 1, h)-partial predicate encoding \((\mathsf {sE}',\mathsf {rE}',\mathsf {kE}')\) defined as \(\mathsf {sE}'_x = \mathsf {cE}_x\), \(\mathsf {rE}'_y = \mathsf {kE}_y\), \(\mathsf {kE}'_y = \left( \begin{array}{c} 1 \end{array} \right) \), induces a predicate encoding for \(\mathsf {P}\).
Note that because of the symmetry of tag-based encodings, Theorem 9 can also be applied to (1, k, h)-tag-based encodings. All the tag-based encodings proposed in [22] (except one) have either \(c = 1\) or \(k = 1\), so the above theorem can be applied to them.
5 Pair Encodings
In this section we provide an embedding that transforms every predicate encoding into an information-theoretic pair encoding. Consequently, we can see predicate encodings as a subclass of pair encodings. This opens the possibility of reusing the conjunction and dual transformation proposed by Attrapadung [9, 10] for pair encodings, to create combinations of predicate encodings via our embedding. We show that this alternative method is fundamentally different from our direct conjunction and dual transformations on predicate encodings, where our combinations produce more efficient encodings.
5.1 Embedding Predicate Encodings into Pair Encodings
In this section we provide an embedding that produces a valid information-theoretic pair encoding from every valid predicate encoding (see Definitions 1 and 3 for predicate encodings and pair encodings respectively).
Definition 5

\(\mathsf{Enc1}_{pe}(x) = (c_0, \varvec{c})\), where \(c_0(s_0,\varvec{h}) = s_0, \,\varvec{c}(s_0,\varvec{h}) = s_0\cdot \mathsf {sE}_{x}\varvec{h}\)

\(\mathsf{Enc2}_{pe}(y) = (k_0, \varvec{k})\), where \(k_0(\alpha ,r_1,\varvec{h}) = r_1, \, \varvec{k}(\alpha ,r_1,\varvec{h}) = \alpha \cdot \mathsf {kE}_{y} + r_1\cdot \mathsf {rE}_{y}\varvec{h}\)

\(\mathsf{Pair}_{pe}(x,y) = \) [matrix shown as an image in the original; not reproduced]
All variables \(\varvec{s} = (s_0)\) and \(\varvec{r} = (r_1)\) appear in the clear in the \(\mathsf{Enc1}\) and \(\mathsf{Enc2}\) polynomials respectively. This simplifies the pair encoding’s information-theoretic security notion into one equivalent to the privacy of the predicate encoding (see proof of Theorem 10).
Theorem 10
(Correctness of the embedding). If \(pe = (\mathsf {sE},\mathsf {rE},\mathsf {kE},\mathsf {sD},\mathsf {rD})\) is a valid (s, r, w)-predicate encoding for \(\mathsf {P}\), then \(\mathsf{Emb}(pe)\) is a valid information-theoretic \((s+1,\, r+1,\,w)\)-pair encoding for \(\mathsf {P}\).
Our embedding shows that every predicate encoding can be transformed into a perfectly secure pair encoding. In fact, after applying the compiler from [1] to the embedding of a predicate encoding, we get the same predicate encryption scheme as the one provided by the compiler from [15].
We conclude that predicate encodings can be transformed into a very special class of pair encodings: encodings that allow decryption with 2 pairings and have only one element of randomness in both ciphertexts and secret keys (which makes them very efficient).
5.2 Comparison Between Encoding Transformations
The resulting pair encodings are different. The first one (result of our conjunction) does not introduce new random variables and does not increase the number of pairings for decryption. On the other hand, the second conjunction adds new random variables to key generation and increases the number of pairings needed during decryption. This overhead will be amplified if nested conjunctions are used. We include a detailed comparison between the dual transformations in the full version of this paper.
6 Constructions
We provide new instances of predicate encodings to achieve predicate encryption schemes with new properties or better performance.
6.1 Combining Predicates
Dual-Policy ABE. Dual-Policy Attribute-Based Encryption [9, 10] has already been considered in the pair encodings framework. It combines KP-ABE and CP-ABE into a single construction that simultaneously allows two access control mechanisms. The main advantage is the possibility of considering policies over objective attributes (associated to data) and policies over subjective attributes (associated to user credentials) at the same time.
Broadcast encryption has been considered in the literature to approach revocation [19, 23, 30]. In broadcast encryption, a broadcasting authority encrypts a message in such a way that only authorized users will be able to decrypt it. This can be expressed with the predicate \( \mathsf {P}(\varvec{x},i) = 1 \text { if and only if } \varvec{x}_i = 1\), where \(\varvec{x} \in \mathcal {X}= \{0,1\}^{n}\) and \(i \in \mathcal {Y}= [n]\). A drawback is that the number of users in the system, n, is polynomial size. Figure 1 shows the performance of predicate encryption built from a predicate encoding that combines boolean formulas with broadcast encryption. The system supports thousands of users in reasonable time.
6.2 Improved Predicate Encodings
In Fig. 3 we present a comparison between our improved encoding for key-policy monotonic boolean formulas and the original one. To this end, we generate random boolean formulas for different sizes, starting from a random set of leaf nodes and combining them with boolean operators \(\vee \) and \(\wedge \). Our tables report on the average time for each algorithm. Our encoding needs 50% less time than the original algorithms for setup, encryption and key generation. For decryption the performance is similar. All the analyzed schemes were instantiated with the same compiler, therefore all achieve the same level of security (under the SXDH assumption). In terms of secret key size, our encoding is smaller in general (in the worst case, when all the gates in the policy are or-gates, key sizes are equal).
Figure 4 shows the performance of our new encoding for KP-ABE for Arithmetic Span Programs compared to the original encoding from [15]. As we expected, our encoding needs 66% of the time required for the original encoding for setup, encryption and key generation. Additionally, secret key size is halved with our encoding.
6.3 Extra Features
In this section we consider new theoretical results that can be proved thanks to our algebraic characterization of \(\alpha \)-privacy and can be used to produce new predicate encodings enhanced with extra properties.
Attribute-Hiding for Boolean Formulas. Chen et al. proposed an extension of the compiler in [15] to build weakly attribute-hiding predicate encryption schemes [13, 25]. In a weakly attribute-hiding scheme, the ciphertext attribute x remains secret for unauthorized users, who only learn the fact that their secret keys are not valid. This additional compiler needs to be instantiated with predicate encodings satisfying additional properties. The following is a definition from [15].
Definition 6

x-oblivious reconstruction: \(\mathsf {sD}_{x,y}\) and \(\mathsf {rD}_{x,y}\) are independent of x.
attribute-hiding: for all \((x,y) \notin \mathsf {P}\), $$\begin{aligned} \varvec{w}\mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{w};\, \textsf {return } (\mathsf {sE}_x \varvec{w},\, \mathsf {rE}_y \varvec{w}) \quad \equiv \quad \varvec{s} \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{s}; \varvec{r} \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{r};\, \textsf {return } (\varvec{s}, \, \varvec{r}) \end{aligned}$$ where \(\equiv \) denotes equality of distributions.
The following theorem relates the second property with our alternative definition of predicate encodings:
Theorem 11

\(\varvec{w}\mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{w};\, \textsf {return } (S \varvec{w},\, R \varvec{w}) \,\, \equiv \,\, \varvec{s} \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{s};\, \varvec{r} \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^{r};\, \textsf {return } (\varvec{s}, \, \varvec{r})\)

\(\mathrm{rank}{\left( \begin{array}{c} S \\ R \end{array} \right) } = s + r\)
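As an added illustration (not code from the paper or its repository), the following Python example checks the statements of Theorems 8 and 11 by brute force over a toy field \(\mathbb {Z}_5\): it enumerates the distributions named in each theorem and compares the outcome with a rank computation. It assumes \(C \in \mathbb {Z}_p^{c \times h}\), \(K \in \mathbb {Z}_p^{k \times h}\), \(S \in \mathbb {Z}_p^{s \times w}\), \(R \in \mathbb {Z}_p^{r \times w}\); the sample matrices and all function names are constructed for the example, and the rank test used for Theorem 8, \(\mathrm{rank}(C;K) = \mathrm{rank}(C) + \mathrm{rank}(K)\), is a standard linear-algebra restatement rather than a formula from the page.

```python
from collections import Counter
from itertools import product

PRIME = 5  # constructed toy prime, small enough to enumerate Z_p^n exhaustively


def rank_mod_p(rows, p=PRIME):
    """Rank over Z_p by Gauss-Jordan elimination."""
    m = [[v % p for v in row] for row in rows]
    rank = 0
    for col in range(len(m[0])):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)  # modular inverse of the pivot
        m[rank] = [v * inv % p for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank


def mat_vec(rows, vec, p=PRIME):
    return tuple(sum(a * b for a, b in zip(row, vec)) % p for row in rows)


def vectors(n, p=PRIME):
    return list(product(range(p), repeat=n))


def attribute_hiding(S, R, p=PRIME):
    """Theorem 11, first statement: (Sw, Rw) is uniform over Z_p^(s+r)."""
    counts = Counter(mat_vec(S + R, w, p) for w in vectors(len(S[0]), p))
    return len(counts) == p ** (len(S) + len(R)) and len(set(counts.values())) == 1


def h_hiding(C, K, p=PRIME):
    """Theorem 8: (Ch, Kh) has the same distribution as (Ch, Kh')."""
    hs = vectors(len(C[0]), p)
    joint = Counter((mat_vec(C, h, p), mat_vec(K, h, p)) for h in hs)
    c_img = Counter(mat_vec(C, h, p) for h in hs)
    k_img = Counter(mat_vec(K, h, p) for h in hs)
    # Independent h, h' give the product of the marginals; compare scaled counts.
    return all(joint[(a, b)] * len(hs) == c_img[a] * k_img[b]
               for a in c_img for b in k_img)


def non_reconstructable(C, K, p=PRIME):
    """Theorem 8: no m_c, m_k with m_c^T C = m_k^T K != 0 (exhaustive search)."""
    Ct, Kt = list(zip(*C)), list(zip(*K))  # transposes: C^T m_c equals m_c^T C
    c_span = {mat_vec(Ct, mc, p) for mc in vectors(len(C), p)}
    k_span = {mat_vec(Kt, mk, p) for mk in vectors(len(K), p)}
    return c_span & k_span == {(0,) * len(C[0])}


# Constructed sample matrices over Z_5 (not taken from the paper).
S_OK, R_OK = [[1, 2, 0]], [[0, 1, 3]]                # rank 2 = s + r
S_BAD, R_BAD = [[1, 2, 0]], [[2, 4, 0]]              # R = 2*S, rank 1
C_OK, K_OK = [[1, 0, 0], [0, 1, 0]], [[0, 0, 1]]     # row spans meet only in 0
C_BAD, K_BAD = [[1, 0, 0], [0, 1, 0]], [[1, 1, 0]]   # K row lies in the span of C


def theorem11_report(S, R):
    """(distribution is uniform, rank equals s + r)"""
    return attribute_hiding(S, R), rank_mod_p(S + R) == len(S) + len(R)


def theorem8_report(C, K):
    """(h-hiding, non-reconstructability, rank(C;K) = rank(C) + rank(K))"""
    split = rank_mod_p(C + K) == rank_mod_p(C) + rank_mod_p(K)
    return h_hiding(C, K), non_reconstructable(C, K), split


if __name__ == "__main__":
    print("Theorem 11:", theorem11_report(S_OK, R_OK), theorem11_report(S_BAD, R_BAD))
    print("Theorem 8: ", theorem8_report(C_OK, K_OK), theorem8_report(C_BAD, K_BAD))
```

In each report the entries agree with one another, which is the content of the two theorems: the distributional property holds exactly when the rank condition does, with no intermediate "statistically close" case.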
Note that for every (s, r, w)-predicate encoding \((\mathsf {sE}, \mathsf {rE}, \mathsf {kE}, \mathsf {sD}, \mathsf {rD})\) that is attribute-hiding, there exists an equivalent (s, 1, w)-predicate encoding. This is because \(\mathsf {rD}\) is independent from x and thus, we can apply our optimization Theorem 3 with matrices \(\mathsf{B}_y = \mathsf {rD}_{x,y}^{\top } \in \mathbb {Z}_p^{1 \times w}\), \(\mathsf{A}_x = I_{s}\), \(\mathsf{C}= I_{w}\). Therefore, the class of predicates that can be built from attribute-hiding encodings is included in the class of predicates achieved from (s, 1, w)-predicate encodings.
Therefore, with a disjunction of k predicate encodings like the former we can encode boolean formulas that have at most k disjuncts. Note that the resulting encoding is attribute-hiding but it is not x-oblivious. However, without the knowledge of the policy x, one can guess the disjunct that his secret key satisfies (if any). In this way, a valid key will be enough to decrypt after at most k decryption tries (one for every disjunct).
Delegation. Delegation of keys is a desirable property for every predicate encryption scheme. Roughly, it allows the owner of a secret key to weaken his key, creating a new one that is less powerful than the original one. This property can be used to achieve forward secrecy (see [14] for an application to ABE that supports delegation), where past sessions are protected from the compromise of future secret keys. More formally, we say that a predicate \(\mathsf {P}: \mathcal {X}\times \mathcal {Y}\rightarrow \{0,1\}\) supports delegation if there is a partial ordering \(\preceq \) on \(\mathcal {Y}\) such that for every \(x\in \mathcal {X}\), if \(\mathsf {P}(x,y) = 1\) and \((y\preceq y')\), then \(\mathsf {P}(x,y') = 1\).
Delegation has been considered in [15] as the property of some predicate encodings. We propose a generic method to convert any predicate encoding into one supporting delegation.
Theorem 12
The additional set of non-null rows in \(\mathsf {rE}'_y\) can be used to weaken the linear span of \(\mathsf {rE}_y\), which directly modifies the predicate. In particular, this method works really well for monotonic boolean formulas (see Fig. 5 for an example).
Footnotes
1. This transformation has side conditions, thus it is not universal, but all existing tag-based encodings (except one) satisfy these side conditions.
2. Source code at https://github.com/miguelambrona/aberelic.
3. Decryption in the framework of predicate encodings needs 4 pairings under the SXDH assumption or 6 under DLIN; in the framework of tag-based encodings, decryption requires 8 pairings and the assumption is DLIN.
4. Note that if matrices \(\mathsf{A}_x\), \(\mathsf{B}_y\) or \(\mathsf{C}\) are invertible, they always satisfy their respective requirements.
5. Where every attribute appears at most once and the number of and-gates is lower than k (one could overcome the one-use restriction by considering duplicated attributes).
6. Being half when the bound on the number of and-gates is maximal.
7. In [21] there is a modification of their algorithm that produces matrices (Y, Z) such that the predicate associated is \(f(\varvec{x}) \ne 0\) (the double negation will cancel out).
8. Conjunction also preserves x-oblivious reconstruction, while disjunction does not.
9. This equivalence holds when \(S < p\), but in practice p is a large prime.
10. Note that \(\alpha \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p\), \(r_1 \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^*\) and therefore, \(\alpha /r_1\) distributes uniformly over \(\mathbb {Z}_p\), so we can apply the \(\alpha \)-privacy property from the predicate encoding.
Notes
Acknowledgements
The work presented here was supported by projects S2013/ICE2731 NGREENS SoftwareCM, ONR Grants N000141210914 and N000141512750.
References
 1. Agrawal, S., Chase, M.: A study of pair encodings: predicate encryption in prime order groups. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 259–288. Springer, Heidelberg (2016). doi: 10.1007/9783662490990_10
 2. Agrawal, S., Chase, M.: Simplifying design and analysis of complex predicate encryption schemes. Cryptology ePrint Archive, Report 2017/233 (2017). EUROCRYPT (2017)
 3. Akinyele, J.A., Lehmann, C.U., Green, M.D., Pagano, M.W., Peterson, Z.N.J., Rubin, A.D.: Self-protecting electronic medical records using attribute-based encryption. Cryptology ePrint Archive, Report 2010/565 (2010). http://eprint.iacr.org/2010/565
 4. Applebaum, B., Arkis, B., Raykov, P., Vasudevan, P.N.: Conditional disclosure of secrets: amplification, closure, amortization, lower-bounds, and separations. In: Electronic Colloquium on Computational Complexity (ECCC), vol. 24, p. 38 (2017)
 5. Aranha, D.F., Gouvêa, C.P.L.: RELIC is an Efficient LIbrary for Cryptography. https://github.com/relictoolkit/relic
 6. Attrapadung, N.: Dual system encryption via doubly selective security: framework, fully secure functional encryption for regular languages, and more. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 557–577. Springer, Heidelberg (2014). doi: 10.1007/9783642552205_31
 7. Attrapadung, N.: Dual system encryption framework in prime-order groups. Cryptology ePrint Archive, Report 2015/390 (2015). http://eprint.iacr.org/2015/390
 8. Attrapadung, N., Imai, H.: Conjunctive broadcast and attribute-based encryption. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 248–265. Springer, Heidelberg (2009). doi: 10.1007/9783642032981_16
 9. Attrapadung, N., Imai, H.: Dual-policy attribute based encryption. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 168–185. Springer, Heidelberg (2009). doi: 10.1007/9783642019579_11
 10. Attrapadung, N., Yamada, S.: Duality in ABE: converting attribute based encryption for dual predicate and dual policy via computational encodings. Cryptology ePrint Archive, Report 2015/157 (2015). http://eprint.iacr.org/2015/157
 11. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. Cryptology ePrint Archive, Report 2005/133 (2005). http://eprint.iacr.org/2005/133
 12. Beimel, A.: Secret-sharing schemes: a survey. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) IWCC 2011. LNCS, vol. 6639, pp. 11–46. Springer, Heidelberg (2011). doi: 10.1007/9783642209017_2
 13. Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007). doi: 10.1007/9783540709367_29
 14. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. J. Cryptol. 20(3), 265–294 (2007)
 15. Chen, J., Gay, R., Wee, H.: Improved dual system ABE in prime-order groups via predicate encodings. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 595–624. Springer, Heidelberg (2015). doi: 10.1007/9783662468036_20
 16. Chen, J., Wee, H.: Fully, (almost) tightly secure IBE and dual system groups. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 435–460. Springer, Heidelberg (2013). doi: 10.1007/9783642400841_25
 17. Chen, J., Wee, H.: Dual system groups and its applications – compact hibe and more. Cryptology ePrint Archive, Report 2014/265 (2014). http://eprint.iacr.org/2014/265
 18. Dinh, T.T.A., Datta, A.: Streamforce: outsourcing access control enforcement for stream data to the clouds. In: Fourth ACM Conference on Data and Application Security and Privacy, CODASPY 2014, San Antonio, TX, USA, 03–05 March 2014, pp. 13–24 (2014)
 19. Garg, S., Kumarasubramanian, A., Sahai, A., Waters, B.: Building efficient fully collusion-resilient traitor tracing and revocation schemes. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V. (eds.) ACM CCS 10, pp. 121–130. ACM Press, October 2010
 20. Gay, R., Kerenidis, I., Wee, H.: Communication complexity of conditional disclosure of secrets and attribute-based encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 485–502. Springer, Heidelberg (2015). doi: 10.1007/9783662480007_24
 21. Ishai, Y., Wee, H.: Partial garbling schemes and their applications. In: Esparza, J., Fraigniaud, P., Husfeldt, T., Koutsoupias, E. (eds.) ICALP 2014. LNCS, vol. 8572, pp. 650–662. Springer, Heidelberg (2014). doi: 10.1007/9783662439487_54
 22. Guo, F., Kim, J., Susilo, W., Au, M.H.: A tag based encoding: an efficient encoding for predicate encoding in prime order groups. Cryptology ePrint Archive, Report 2016/655 (2016). http://eprint.iacr.org/2016/655
 23. Junod, P., Karlov, A.: An efficient public-key attribute-based broadcast encryption scheme allowing arbitrary access policies. In: Proceedings of the Tenth Annual ACM Workshop on Digital Rights Management, DRM 2010, pp. 13–24. ACM, New York (2010)
 24. Karchmer, M., Wigderson, A.: On span programs. In: Proceedings of the 8th IEEE Structure in Complexity Theory, pp. 102–111. IEEE Computer Society Press (1993)
 25. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). doi: 10.1007/9783540789673_9
 26. Lewko, A.B.: Tools for simulating features of composite order bilinear groups in the prime order setting. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 318–335. Springer, Heidelberg (2012). doi: 10.1007/9783642290114_20
 27. Lewko, A.B., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010). doi: 10.1007/9783642117992_27
 28. Lewko, A.B., Waters, B.: Decentralizing attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 568–588. Springer, Heidelberg (2011). doi: 10.1007/9783642204654_31
 29. Lewko, A.B., Waters, B.: New proof methods for attribute-based encryption: achieving full security through selective techniques. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 180–198. Springer, Heidelberg (2012). doi: 10.1007/9783642320095_12
 30. Liu, Z., Wong, D.S.: Practical ciphertext-policy attribute-based encryption: traitor tracing, revocation, and large universe. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 127–146. Springer, Cham (2015). doi: 10.1007/9783319281667_7
 31. Lubicz, D., Sirvent, T.: Attribute-based broadcast encryption scheme made efficient. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 325–342. Springer, Heidelberg (2008). doi: 10.1007/9783540681649_22
 32. Sahai, A., Seyalioglu, H., Waters, B.: Dynamic credentials and ciphertext delegation for attribute-based encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 199–217. Springer, Heidelberg (2012). doi: 10.1007/9783642320095_13
 33. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). doi: 10.1007/11426639_27
 34. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). doi: 10.1007/3540395687_5
 35. Wang, F., Mickens, J., Zeldovich, N., Vaikuntanathan, V.: Sieve: cryptographically enforced access control for user data in untrusted clouds. In: 13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16), pp. 611–626, Santa Clara, CA. USENIX Association, March 2016
 36. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). doi: 10.1007/9783642033568_36
 37. Wee, H.: Dual system encryption via predicate encodings. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 616–637. Springer, Heidelberg (2014). doi: 10.1007/9783642542428_26