Abstract
In predicate encryption, a ciphertext is associated with descriptive attribute values x in addition to a plaintext \(\mu \), and a secret key is associated with a predicate f. Decryption returns plaintext \(\mu \) if and only if \(f(x) = 1\). Moreover, security of predicate encryption guarantees that an adversary learns nothing about the attribute x or the plaintext \(\mu \) from a ciphertext, given arbitrary many secret keys that are not authorized to decrypt the ciphertext individually.
We construct a leveled predicate encryption scheme for all circuits, assuming the hardness of the subexponential learning with errors (LWE) problem. That is, for any polynomial function \(d = d(\lambda )\), we construct a predicate encryption scheme for the class of all circuits with depth bounded by \(d(\lambda )\), where \(\lambda \) is the security parameter.
Sergey Gorbunov — Supported in part by the Northrop Grumman Cybersecurity Research Consortium (CRC) and by a Microsoft PhD Fellowship.
Vinod Vaikuntanathan — Research supported in part by DARPA Grant number FA87501120225, NSF Awards CNS1350619 and CNS1413920, an Alfred P. Sloan Research Fellowship, the Northrop Grumman Cybersecurity Research Consortium (CRC), Microsoft Faculty Fellowship, and a Steven and Renee Finn Career Development Chair from MIT.
Hoeteck Wee — CNRS, INRIA and Columbia University.Supported in part by NSF Award CNS1445424, ERC project aSCEND (639554),the Alexander von Humboldt Foundation and a Google Faculty Research Award.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
1 Introduction
Predicate encryption [BW07, SBC+07, KSW08] is a new paradigm for publickey encryption that supports searching on encrypted data. In predicate encryption, ciphertexts are associated with descriptive attribute values x in addition to plaintexts \(\mu \), secret keys are associated with a predicate f, and a secret key decrypts the ciphertext to recover \(\mu \) if and only if \(f(x) = 1\). The security requirement for predicate encryption enforces privacy of x and the plaintext even amidst multiple secret key queries: an adversary holding secret keys for different query predicates learns nothing about the attribute x and the plaintext (apart from the fact that x does not satisfy any of the query predicates) if none of them is individually authorized to decrypt the ciphertext.
Motivating Applications. We begin with several motivating applications for predicate encryption [BW07, SBC+07]:

For inspecting recorded log files for network intrusions, we would encrypt network flows labeled with a set of attributes from the network header, such as the source and destination addresses, port numbers, timestamp, and protocol numbers. We could then issue auditors with restricted secret keys that can only decrypt the network flows that fall within a particular range of IP addresses and some specific time period.

For credit card fraud investigation, we would encrypt credit card transactions labeled with a set of attributes such as time, costs and zipcodes. We could then issue investigators with restricted secret keys that decrypt transactions over $1,000 which took place in the last month and originated from a particular range of zipcodes.

For antiterrorism investigation, we would encrypt travel records labeled with a set of attributes such as travel destination and basic traveller data. We could then issue investigators with restricted secret keys that match certain suspicious travel patterns.

For online dating, we would encrypt personal profiles labeled with dating preferences pertaining to age, height, weight, salary and hobbies. Secret keys are associated with specific attributes and can only decrypt profiles for which the attributes match the dating preferences.
In all of these examples, it is important that unauthorized parties do not learn the contents of the ciphertexts, nor of the metadata associated with the ciphertexts, such as the network header or dating preferences. On the other hand, it is often okay to leak the metadata to authorized parties. We stress that privacy of the metadata is an additional security requirement provided by predicate encryption but not by the related and weaker notion of attributebased encryption (ABE) [SW05, GPSW06]; the latter only guarantees the privacy of the plaintext \(\mu \) and not the attribute x.
Utility and Expressiveness. The utility of predicate encryption is intimately related to the class of predicates for which we could create secret keys. Ideally, we would like to support the class of all circuits. Over the past decade, substantial advances were made for the weaker primitive of ABE, culminating most recently in schemes supporting any policy computable by general circuits [GVW13, BGG+14] under the standard LWE assumption [Reg09]. However, the stateoftheart for predicate encryption is largely limited to very simple functionalities related to computing an inner product [BW07, SBC+07, KSW08, AFV11, GMW15].
1.1 Our Contributions
In this work, we substantially advance the state of the art to obtain predicate encryption for all circuits (c.f. Fig. 1):
Theorem (Informal). Under the LWE assumption, there exists a predicate encryption scheme for all circuits, with succint ciphertexts and secret keys independent of the size of the circuit.
As with prior LWEbased ABE for circuits [GVW13, BGG+14], to support circuits of depth d, the parameters of the scheme grow with \(\mathrm{poly}(d)\), and we require subexponential \(n^{\Omega (d)}\) hardness of the LWE assumption. In addition, the security guarantee is selective, but can be extended to adaptive security via complexity leveraging [BB04].
Privacy Guarantees. The privacy notion we achieve is a simulationbased variant of “attributehiding” from the literature [SBC+07, OT10, AFV11]. That is, we guarantee privacy of the attribute x and the plaintext \(\mu \) against collusions holding secret keys for functions f such that \(f(x) = 0\). An even stronger requirement would be to require privacy of x even against authorized keys corresponding to functions f where \(f(x) = 1\); in the literature, this stronger notion is referred to as “full attributehiding” [BW07, KSW08]. This stronger requirement is equivalent to “fullfledged” functional encryption [BSW11], for which we cannot hope to achieve simulationbased security for all circuits as achieved in this work [BSW11, AGVW13].
Relation to Prior Works. Our result subsumes all prior works on predicate encryption under standard cryptographic assumptions, apart from a few exceptions pertaining to the inner product predicate [BW07, KSW08, OT12]. These results achieve a stronger security notion for predicate encryption, known as full (or strong) security (please refer to Sect. 3.1, and the full version for definitions).
In a recent breakthrough work, Garg et al. [GGH+13b] gave a beautiful candidate construction of functional encryption (more general primitive than predicate encryption) for arbitrary circuits. However, the construction relies on “multilinear maps” [GGH13a, CLT13, GGH15], for which we have few candidates and which rely on complex intractability assumptions that are presently poorly understood and not extensively studied in the literature. It remains an intriguing open problem to construct a functional encryption scheme from a standard assumption, such as LWE.
In contrast, if we consider functional encryption with apriori bounded collusions size (that is, the number of secret keys any collusion of adversaries may obtain is fixed by the scheme at the setup phase), then it is possible to obtain functional encryption for general circuits under a large class of standard assumptions [SS10, GVW12, GKP+13]. This notion is weaker than standard notion of functional encryption, yet remains very meaningful for many applications.
1.2 Overview of Our Construction
Our starting point is the work of Goldwasser, Kalai, Popa, Vaikuntanathan and Zeldovich [GKP+13] who show how to convert an attributebased encryption (ABE) scheme into a single key secure functional encryption (FE) scheme. Recall that in an attributebased encryption scheme [GPSW06], a ciphertext is associated with a descriptive value (a public “attribute”) x and plaintext \(\mu \), and it hides \(\mu \), but not x. The observation of Goldwasser et al. [GKP+13] is to hide x by encrypting it using a fully homomorphic encryption (FHE) scheme [Gen09, BV11b], and then using the resulting FHE ciphertext as the public “attribute” in an ABE scheme for general circuits [GVW13, BGG+14]. This has the dual benefit of guaranteeing privacy of x, while at the same time allowing homomorphic computation of predicates f on the encryption of x (Fig 2).
This initial idea quickly runs into trouble. The decryptor who is given the predicate secret key for f and a predicate encryption of \((x,\mu )\) can indeed compute an FHE encryption of f(x). However, the decryption process is confronted with a decision, namely whether to release the message \(\mu \) or not, and this decision depends on whether the plaintext f(x) is 0 or 1.^{Footnote 1} Clearly, resolving this conundrum requires obtaining f(x), which requires knowledge of the FHE secret key. Goldwasser et al. [GKP+13] solved this by employing a (single use) Yao garbling of the FHE decryption circuit, however this limited them to obtaining single key secure predicate/functional encryption schemes.^{Footnote 2}
Our first key idea is to embed the FHE secret key as part of the attributes in the ABE ciphertext. That is, in order to encrypt a plaintext \(\mu \) with attributes x in the predicate encryption scheme, we first choose a symmetric key \( \mathsf {fhe.sk}\) for the FHE scheme, encrypt x into a FHE ciphertext \(\hat{x}\), and encrypt \(\mu \) using the ABE scheme with \(( \mathsf {fhe.sk}, \hat{x})\) as the attributes to obtain an ABE ciphertext \(\mathsf {ct}\). Our predicate encryption ciphertext is then given by
To generate the predicate secret key for a function f, one simply generates the ABE secret key for the function g that takes as input \(( \mathsf {fhe.sk},\hat{x})\) and computes
That is, g first homomorphically computes a FHE encryption of f(x), and then decrypts it using the FHE secret key to output f(x).
At first glance, this idea evokes strong and conflicting emotions as it raises two problems. The first pertains to correctness: we can no longer decrypt the ciphertext since the ABE decryption algorithm needs to know all of the attributes (\(\hat{x}\) and \( \mathsf {fhe.sk}\)), but \( \mathsf {fhe.sk}\) is missing. The second pertains to security: the ABE ciphertext \(\mathsf {ct}\) is not guaranteed to protect the privacy of the attributes, and could leak all of \( \mathsf {fhe.sk}\) which together with \(\hat{x}\) would leak all of x. Solving both of these problems seems to require designing a predicate encryption scheme from scratch!
Our next key observation is that the bulk of the computation in g, namely the homomorphic evaluation of the function f, is performed on the public attribute \(\hat{x}\). The only computation performed on the secret value \( \mathsf {fhe.sk}\) is FHE decryption which is a fairly lightweight computation. In particular, with all known FHE schemes [Gen09, BV11b, BV11a, BGV12, GSW13, BV14, AP14], decryption corresponds to computing an inner product followed by a threshold function. Furthermore, we do know how to construct latticebased predicate encryption schemes for threshold of inner product [AFV11, GMW15]. We stress that the latter do not correspond to FHE decryption since the inner product is computed over a vector in the ciphertext and one in the key, whereas FHE decryption requires computing an inner product over two vectors in the ciphertext; nonetheless, we will build upon the proof techniques in achieving attributehiding in [AFV11, GMW15] in the proof of security.
In other words, if we could enhance ABE with a modicum of secrecy so that it can perform a heavyweight computation on public attributes followed by a lightweight privacypreserving computation on secret attributes, we are back in business. Our first contribution is to define such an object, that we call partially hiding predicate encryption.
Partially Hiding Predicate Encryption. We introduce the notion of partially hiding predicate encryption (PHPE), an object that interpolates between attributebased encryption and predicate encryption (analogously to partial garbling in [IW14]). In PHPE, the ciphertext, encrypting message \(\mu \), is associated with an attribute (x, y) where x is private but y is always public. The secret key is associated with a function f, and decryption succeeds iff \(f(x,y) = 1\). On the one extreme, considering a dummy x or functions f that ignore x and compute on y, we recover attributebased encryption. On the other end, considering a dummy y or functions f that ignore y and compute on x, we recover predicate encryption.
We will be interested in realizing PHPE for functions \(\phi \) of the form \(\phi (x,y) = g(x,h(y))\) for some functions g and h where h may perform arbitrary heavyweight computation on the public y and g only performs lightweight computation on the private x. Mapping back to our discussion, we would like to achieve PHPE for the “evaluatethendecrypt” class of functions, namely where g is the FHE decryption function, h is the FHE evaluation function, x is the FHE secret key, and y is the FHE ciphertext. In general, we would like g to be simple and will allow h to be complex. It turns out that we can formalize the observation above, namely that PHPE for this class of functions gives us a predicate encryption scheme. The question now becomes: can we construct PHPE schemes for the “evaluatethendecrypt” class of functions?
Assuming the subexponential hardness of learning with errors (LWE), we show how to construct a partially hiding predicate encryption for the class of functions \(f : \mathbb {Z}_q^t\times \{0,1\}^\ell \rightarrow \{0,1\}\) of the form
where \(h: \{0,1\}^\ell \rightarrow \{0,1\}^t\), \(\gamma \in \mathbb {Z}_q\), and \(\mathsf {IP}_\gamma (\mathbf {x}, \mathbf {z}) = 1 \text{ iff } \langle \mathbf {x},\mathbf {z}\rangle = \bigg ( \sum _{i \in [t]} \mathbf {x}[i] \cdot \mathbf {z}[i] \bigg ) = \gamma \mod q\).
This is almost what we want, but not quite. Recall that FHE decryption in many recent schemes [BV11b, BGV12, GSW13, BV14, AP14] is a function that checks whether an inner product of two vectors in \({\mathbb Z}_q^t\) (one of which could be over \(\{0,1\}^t\)) lies in a certain range. Indeed, if \(\mathbf {z}\in \{0,1\}^t\) is an encryption of 1 and \(\mathbf {x}\in {\mathbb Z}_q^t\) is the secret key, we know that \(\langle \mathbf {x}, \mathbf {z}\rangle \in [q/2B,q/2+B] \pmod {q}\), where B is the noise range. Applying the socalled “modulus reduction” [BV11b] transformation to all these schemes, we can assume that this range is polynomial in size.
In other words, we will manage to construct a partially hiding PE scheme for the function
whereas we need a partially hiding PE scheme for the FHE decryption function which is
where R is the polynomial size range \([q/2B,q/2+B]\) from above. How do we reconcile this disparity?
The “Lazy OR” Trick. The solution, called the “lazy OR trick” [SBC+07, GMW15] is to publish secret keys for all functions \(f_{\gamma }\) for \(\gamma \in R := [q/2B,q/2+B]\). This will indeed allow us to test if the FHE decryption of the evaluated ciphertext is 1 (and reveal the message \(\mu \) if it is), but it is also worrying. Publishing these predicate secret keys for the predicates \(f_{\gamma }\) reveals more information than whether \(\langle \mathbf {x},h(\mathbf {y}) \rangle \mathop {\in }\limits ^{?} R\). In particular, it reveals what \(\langle \mathbf {x},h(\mathbf {y}) \rangle \) is. This means that an authorized key would leak partial information about the attribute, which we do allow for predicate encryption. On the other hand, for an unauthorized key where the FHE decryption is 0, each of these \(f_\gamma , \gamma \in R\) is also an unauthorized key in the PHPE and therefore leaks no information about the attribute. This extends to the collection of keys in R since the PHPE is secure against collusions. For simplicity, we assume in the rest of this overview that FHE decryption corresponds to exactly to inner product.
Asymmetry to the Rescue: Constructing Partially Hiding PE. Our final contribution is the construction of a partially hiding PE for the function class \(f_{\gamma }(\mathbf {x},\mathbf {y})\) above. We will crucially exploit the fact that \(f_\gamma \) computes an inner product on the private attribute \(\mathbf {x}\). There are two challenges here: first, we need to design a decryption algorithm that knows \(f_\gamma \) and \(\mathbf {y}\) but not \(\mathbf {x}\) (this is different from decryption in ABE where the algorithm also knows \(\mathbf {x}\)); second, show that the ciphertext does not leak too much information about \(\mathbf {x}\). We use the fully keyhomomorphic encryption techniques developed by Boneh et al. [BGG+14] in the context of constructing an “arithmetic” ABE scheme. The crucial observation about the ABE scheme of [BGG+14] is that while it was not designed to hide the attributes, it can be made to partially hide them in exactly the way we want. In particular, the scheme allows us to carry out an inner product of a public attribute vector (corresponding to the evaluated FHE ciphertext) and a private attribute vector (corresponding to the FHE secret key \( \mathsf {fhe.sk}\)), thanks to an inherent asymmetry in homomorphic evaluation of a multiplication gate on ABE ciphertexts. More concretely, in the homomorphic evaluation of a ciphertext for a multiplication gate in [BGG+14], the decryption algorithm works even if one of the attribute remains private, and for addition gates, the decryption algorithms works even if both attributes remain private. This addresses the first challenge of a decryption algorithm that is oblivious to \(\mathbf {x}\). For the second challenge of security, we rely on techniques from inner product predicate encryption [AFV11] to prove the privacy of \(\mathbf {x}\) Note that in the latter, the inner product is computed over a vector in the ciphertext and one in the key, whereas in our scheme, the inner product is computed over two vectors in the ciphertext. Interestingly, the proof still goes through since the ciphertext in the ABE [BGG+14] has the same structure as the ciphertext in [AFV11]. We refer the reader to Sect. 3.2 for a detailed overview of the partial hiding PE, and to Sect. 4 for an overview of how we combine the partial hiding PE with FHE to obtain our main result.
Finally, we remark that exploiting asymmetry in multiplication has been used in fairly different contexts in both FHE [GSW13, BV14] and in ABE [GVW13, GV14]. In [GSW13] and in this work, the use of asymmetry was crucial for realizing the underlying cryptographic primitive; whereas in [GVW13, BV14, GV14], asymmetry was used to reduce the noise growth during homomorphic evaluation, thereby leading to quantitative improvements in the underlying assumptions and hence improved efficiency.
1.3 Discussion
Comparison with Other Approaches. The two main alternative approaches for realizing predicate and functional encryption both rely on multilinear maps either implicitly, or explicitly. The first is to use indistinguishability obfuscation as in [GGH+13b], and the second is to extend the dual system encryption framework to multilinear maps [Wat09, GGHZ14]. A crucial theoretical limitation of these approaches is that they all rely on nonstandard assumptions; we have few candidates for multilinear maps [GGH13a, CLT13, GGH15] and the corresponding assumptions are presently poorly understood and not extensively studied in cryptanalysis, and in some cases, broken [CHL+15]. In particular, the latest attack in [CHL+15] highlight the importance of obtaining constructions and developing techniques that work under standard cryptographic assumptions, as is the focus of this work.
Barriers to Functional Encryption from LWE. We note the two main barriers to achieving fullfledged functional encryption from LWE using our framework. First, the lazy conjunction approach to handle threshold inner product for FHE decryption leaks the exact inner product and therefore cannot be used to achieve full attributehiding. Second, we do not currently know of a fully attributehiding inner product encryption scheme under the LWE assumption, although we do know how to obtain such schemes under standard assumptions in bilinear groups [OT12, KSW08].
2 Preliminaries
We refer the reader to the full version for the background on lattices.
2.1 FullyHomomorphic Encryption
We present a fairly minimal definition of fully homomorphic encryption (FHE) which is sufficient for our constructions. A leveled homomorphic encryption scheme is a tuple of polynomialtime algorithms \(({\mathsf {HE}}.\mathsf {KeyGen}, {\mathsf {HE}}.\mathsf {Enc}, {\mathsf {HE}}.\mathsf {Eval}, {\mathsf {HE}}.\mathsf {Dec})\):

Key generation. \({\mathsf {HE}}.\mathsf {KeyGen}(1^\lambda ,1^d,1^k)\) is a probablistic algorithm that takes as input the security parameter \(\lambda \), a depth bound d and message length k and outputs a secret key \( \mathsf {sk}\).

Encryption. \({\mathsf {HE}}.\mathsf {Enc}( \mathsf {sk},\mu )\) is a probabilistic algorithm that takes as input \( \mathsf {sk}\) and a message \(\mu \in \{0,1\}^k\) and outputs a ciphertext \(\mathsf {ct}\).

Homomorphic evaluation. \({\mathsf {HE}}.\mathsf {Eval}(f,\mathsf {ct})\) is a deterministic algorithm that takes as input a boolean circuit \(C : \{0,1\}^k \rightarrow \{0,1\}\) of depth at most d and a ciphertext \(\mathsf {ct}\) and outputs another ciphertext \(\mathsf {ct}'\).

Decryption. \({\mathsf {HE}}.\mathsf {Dec}( \mathsf {sk},\mathsf {ct}')\) is a deterministic algorithm that takes as input \( \mathsf {sk}\) and ciphertext \(\mathsf {ct}'\) and outputs a bit.
Correctness. We require perfect decryption correctness with respect to homomorphically evaluated ciphertexts: namely for all \(\lambda ,d,k\) and all \( \mathsf {sk}\leftarrow {\mathsf {HE}}.\mathsf {KeyGen}(1^\lambda ,1^d,1^k)\), all \(\mu \in \{0,1\}^k\) and for all boolean circuits \(C: \{0,1\}^k \rightarrow \{0,1\}\) of depth at most d:
where the probablity is taken over \({\mathsf {HE}}.\mathsf {Enc}\) and \({\mathsf {HE}}.\mathsf {KeyGen}\).
Security. We require semantic security for a single ciphertext: namely for every stateful p.p.t. adversary \(\mathcal{A}\) and for all \(d,k = \mathrm{poly}(\lambda )\), the following quantity
is negligible in \(\lambda \).
FHE from LWE We will rely on an instantiation of FHE from the LWE assumption:
Theorem 2.1
(FHE from LWE [BV11b, BGV12, GSW13, BV14, AP14]). There is a FHE scheme \({\mathsf {HE}}.\mathsf {KeyGen},{\mathsf {HE}}.\mathsf {Enc},{\mathsf {HE}}.\mathsf {Eval},{\mathsf {HE}}.\mathsf {Dec}\) that works for any q with \(q \ge O(\lambda ^2)\) with the following properties:

\({\mathsf {HE}}.\mathsf {KeyGen}\) outputs a secret key \( \mathsf {sk}\in \mathbb {Z}_q^t\) where \(t= \mathrm{poly}(\lambda )\);

\({\mathsf {HE}}.\mathsf {Enc}\) outputs a ciphertext \(\mathsf {ct}\in \{0,1\}^{\ell }\) where \(\ell =\mathrm{poly}(k,d,\lambda ,\log q)\);

\({\mathsf {HE}}.\mathsf {Eval}\) outputs a ciphertext \(\mathsf {ct}' \in \{0,1\}^t\);

for any boolean circuit of depth d, \({\mathsf {HE}}.\mathsf {Eval}(C,\cdot )\) is computed by a boolean circuit of depth \(\mathrm{poly}(d,\lambda ,\log q)\).

\({\mathsf {HE}}.\mathsf {Dec}\) on input \( \mathsf {sk}, \mathsf {ct}'\) outputs a bit \(b \in \{0,1\}\). If \(\mathsf {ct}'\) is an encryption of 1 then
$$ \sum _{i=1}^t \mathsf {sk}[i] \cdot \mathsf {ct}'[i] \in [\lfloor q/2 \rfloor  B, \lfloor q/2 \rfloor + B] $$for some fixed \(B = \mathrm{poly}(\lambda )\). Otherwise, if \(\mathsf {ct}'\) is an encryption of 0, then
$$ \sum _{i=1}^t \mathsf {sk}[i] \cdot \mathsf {ct}'[i] \notin [\lfloor q/2 \rfloor  B, \lfloor q/2 \rfloor + B]; $$ 
security relies on \(\mathsf {dLWE}_{\Theta (t),q,\chi }\).
We highlight several properties of the above scheme: (1) the ciphertext is a bitstring, (2) the bound B is a polynomial independent of q (here, we crucially exploit the new results in [BV14] together with the use of leveled bootstrapping)^{Footnote 3}, (3) the size of normal ciphertexts is independent of the size of the circuit (this is the typical compactness requirement).
3 Partially Hiding Predicate Encryption
3.1 Definitions
We introduce the notation of partially hiding predicate encryption (PHPE), which interpolates attributebased encryption and predicate encryption (analogously to partial garbling in [IW14]). In PHPE, the ciphertext, encrypting message \(\mu \), is associated with an attribute (x, y) where x is private but y is always public. The secret key is associated with a predicate C, and decryption succeeds iff \(C(x,y) = 1\). The requirement is that a collusion learns nothing about \((x,\mu )\) if none of them is individually authorized to decrypt the ciphertext. Attributebased encryption corresponds to the setting where x is empty, and predicate encryption corresponds to the setting where y is empty. We refer the reader to the full version for the standard notion of predicate encryption.
Looking ahead to our construction, we show how to:

construct PHPE for a restricted class of circuits that is “low complexity” with respect to x and allows arbitrarily polynomialtime computation on y;

bootstrap this PHPE using FHE to obtain PE for all circuits.
Syntax. A PartiallyHiding Predicate Encryption scheme \(\mathcal {PHPE}\) for a pair of inputuniverses \(\mathcal{X}, \mathcal{Y}\), a predicate universe \(\mathcal{C}\), a message space \(\mathcal{M}\), consists of four algorithms \((\mathsf {PH.Setup},\mathsf {PH.Enc},\) \(\mathsf {PH.Keygen}, \mathsf {PH.Dec})\):

\(\mathsf {PH.Setup}(1^\lambda ,\mathcal{X},\mathcal{Y},\mathcal{C},\mathcal{M})\rightarrow (\mathsf {ph.mpk}, \mathsf {ph.msk})\). The setup algorithm gets as input the security parameter \(\lambda \) and a description of \((\mathcal{X},\mathcal{Y},\mathcal{C},\mathcal{M})\) and outputs the public parameter \(\mathsf {ph.mpk}\), and the master key \(\mathsf {ph.msk}\).

\(\mathsf {PH.Enc}(\mathsf {ph.mpk},(x,y),\mu )\rightarrow \mathsf {ct}_y\). The encryption algorithm gets as input \(\mathsf {ph.mpk}\), an attribute \((x,y) \in \mathcal{X}\times \mathcal{Y}\) and a message \(\mu \in \mathcal{M}\). It outputs a ciphertext \(\mathsf {ct}_y\).

\(\mathsf {PH.Keygen}(\mathsf {ph.msk},C)\rightarrow \mathsf {sk}_{C}\). The key generation algorithm gets as input \(\mathsf {ph.msk}\) and a predicate \(C \in \mathcal{C}\). It outputs a secret key \( \mathsf {sk}_{C}\).

\(\mathsf {PH.Dec}(( \mathsf {sk}_{C},C),(\mathsf {ct}_y, y) ) \rightarrow \mu \). The decryption algorithm gets as input the secret key \( \mathsf {sk}_C\), a predicate C, and a ciphertext \(\mathsf {ct}_y\) and the public part of the attribute y. It outputs a message \(\mu \in \mathcal{M}\) or \(\perp \).
Correctness. We require that for all \(\mathsf {PH.Setup}(1^\lambda ,\mathcal{X},\mathcal{Y},\mathcal{C},\mathcal{M})\rightarrow (\mathsf {ph.mpk}, \mathsf {ph.msk})\), for all \((x,y,C) \in \mathcal{X}\times \mathcal{Y}\times \mathcal{C}\), for all \(\mu \in \mathcal{M}\),

if \(C(x,y) = 1\), \(\Pr \big [ \mathsf {PH.Dec}(( \mathsf {sk}_{C}, C), (\mathsf {ct}_y,y)) = \mu \big ] \ge 1\mathrm{negl}(\lambda ),\)

if \(C(x,y) = 0\), \(\Pr \big [ \mathsf {PH.Dec}(( \mathsf {sk}_{C}, C), (\mathsf {ct}_y, y)) = \perp \big ] \ge 1\mathrm{negl}(\lambda ),\)
where the probabilities are taken over \( \mathsf {sk}_{C} \leftarrow \mathsf {PH.Keygen}(\mathsf {ph.msk}, C)\), \(\mathsf {ct}_y \leftarrow \mathsf {PH.Enc}(\mathsf {ph.mpk},(x,y),\mu )\) and coins of \(\mathsf {PH.Setup}\).
Definition 3.1
(PHPE AttributeHiding). Fix \((\mathsf {PH.Setup},\mathsf {PH.Enc},\mathsf {PH.Keygen},\) \(\mathsf {PH.Dec})\). For every stateful p.p.t. adversary \(\mathrm {Adv}\), and a p.p.t. simulator \(\mathrm {Sim}\), consider the following two experiments:
We say an adversary \(\mathrm {Adv}\) is admissible if all oracle queries that it makes \(C \in \mathcal{C}\) satisfy \(C(x,y)=0\). The PartiallyHiding Predicate Encryption scheme \(\mathcal {PHPE}\) is then said to be attributehiding if there is a p.p.t. simulator \(\mathrm {Sim}\) such that for every stateful p.p.t. adversary \(\mathrm {Adv}\), the following two distributions are computationally indistinguishable:
Remarks. We point out some remarks of our definition (SIMAH) when treated as a regular predicate encryption (i.e. the setting where y is empty; see the full version for completeness) and how it compares to other definitions in the literature.

We note the simulator for the challenge ciphertext gets y but not x; this captures the fact that y is public whereas x is private. In addition, the simulator is not allowed to program the public parameters or the secret keys. In the ideal experiment, the simulator does not explicitly learn any information about x (apart from its length); nonetheless, there is implicit leakage about x from the key queries made by an admissible adversary. Finally, we note that we can efficiently check whether an adversary is admissible.

Our security notion is “selective”, in that the adversary “commits” to (x, y) before it sees \(\mathsf {ph.mpk}\). It is possible to bootstrap selectivelysecure scheme to full security using standard complexity leveraging arguments [BB04, GVW13], at the price of a \(2^{x}\) loss in the security reduction.

Our definition refers to a single challenge message, but the definition extends readily to a setting with multiple challenge messages. Moreover, our definition composes in that security for a single message implies security with multiple messages (see the full version). The following remarks refer to many messages setting.

We distinguish between two notions of indistinguishabilitybased (IND) definitions used in the literature: attributehiding (INDAH)^{Footnote 4} and strong attributehiding (INDSAH)^{Footnote 5} [BW07, SBC+07, KSW08, AFV11]. In the INDAH, the adversary should not be able to distinguish between two pairs of attributes/messages given that it is restricted to queries which do not decrypt the challenge ciphertext (See the full version for details). It is easy to see that our SIMAH definition is stronger than INDAH. Furthermore, INDSAH also ensures that adversary cannot distinguish between the attributes even when it is allowed to ask for queries that decrypt the messages (in this case, it must output \(\mu _0=\mu _1\)). Our SIMAH definition is weaker than INDSAH, since we explicitly restrict the adversary to queries that do not decrypt the challenge ciphertext.

In the context of arbitrary predicates, strong variants of definitions (that is, INDSAH and SIMSAH) are equivalent to security notions for functional encryption (the simulation definition must be adjusted to give the simulated the outputs of the queries). However, the strong variant of notion (SIMSAH) is impossible to realize for many messages [BSW11, AGVW13]. We refer the reader to the full version for a sketch of the impossibility. Hence, SIMAH is the bestpossible simulation security for predicate encryption which we realize in this work. The only problem which we leave open is to realize INDSAH from standard LWE.
3.2 Our Construction
We refer the reader to the full version for the complete description of our construction. Below, we provide an overview.
Overview. We construct a partially hiding predicate encryption for the class of predicate circuits \(C : \mathbb {Z}_q^t\times \{0,1\}^\ell \rightarrow \{0,1\}\) of the form \(\widehat{C} \,\circ \, \mathsf {IP}_\gamma \) where \(\widehat{C}: \{0,1\}^\ell \rightarrow \{0,1\}^t\) is a boolean circuit of depth d, \(\gamma \in \mathbb {Z}_q\), and
where \(\mathsf {IP}_\gamma (\mathbf {x}, \mathbf {z}) = 1 \text{ iff } \langle \mathbf {x},\mathbf {z}\rangle = \bigg ( \sum _{i \in [t]} \mathbf {x}[i] \cdot \mathbf {z}[i] \bigg ) = \gamma \mod q\). We refer to circuit \(\mathsf {IP}\) as the generic innerproduct circuit of two vectors.
Looking ahead, \(\widehat{C}\) corresponds to FHE evaluation of an arbitrary circuit C, whereas \(\mathsf {IP}_\gamma \) corresponds to roughly to FHE decryption; in the language of the introduction in Sect. 1, \(\widehat{C}\) corresponds to heavyweight computation h, whereas \(\mathsf {IP}_\gamma \) corresponds to lightweight computation g.
The scheme. The public parameters are matrices
An encryption corresponding to the attribute \((\mathbf {x},\mathbf {y}) \in \mathbb {Z}_q^t\times \{0,1\}^\ell \) is a GPV ciphertext (an LWE sample) corresponding to the matrix
To decrypt the ciphertext given \(\mathbf {y}\) and a key for \(\widehat{C} \,\circ \, \mathsf {IP}_\gamma \), we apply the BGGHNSVV algorithm to first transform the first part of the ciphertext into a GPV ciphertext corresponding to the matrix
where \(\widehat{C}_i\) is the circuit computing the i’th bit of \(\widehat{C}\) and \(\mathbf {z}= \widehat{C}(\mathbf {y}) \in \{0,1\}^t\). Next, observe that
Summing over i, we have
where
Therefore, given only the public matrices and \(\mathbf {y}\) (but not \(\mathbf {x}\)), we may transform the ciphertext into a GPV ciphertext corresponding to the matrix
The secret key corresponding to \(\widehat{C} \,\circ \, \mathsf {IP}_\gamma \) is essentially a “short basis” for the matrix
which can be sampled using a short trapdoor \(\mathbf {T}\) of the matrix \(\mathbf {A}\).
Proof Strategy. There are two main components to the proof. Fix the selective challenge attribute \(\mathbf {x},\mathbf {y}\). First, we will simulate the secret keys without knowing the trapdoor for the matrix \(\mathbf {A}\): here, we rely on the simulated key generation for the ABE [BGG+14]. Roughly speaking, we will need to generate a short basis for the matrix
where \(\mathbf {R}_{\widehat{C} \,\circ \, \mathsf {IP}}\) is a smallnorm matrix known to the simulator. Now, whenever \(\widehat{C} \,\circ \, \mathsf {IP}(\mathbf {x},\mathbf {y}) \ne \gamma \) as is the case for admissible adversaries, we will be able to simultae secret keys using the puncturing techniques in [ABB10, AFV11, MP12].
Next, we will show that the attribute \(\mathbf {x}\) is hidden in the challenge ciphertext. Here, we adopt the proof strategy for attributehiding inner product encryption in [AFV11, GMW15]. In the proof, we simulate the matrices \(\mathbf {A},\mathbf {B}_1,\ldots ,\mathbf {B}_t\) using
where \(\mathbf {R}'_1,\ldots ,\mathbf {R}'_t\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}\{\pm 1\}^{m \times m}\). In addition, we simulate the corresponding terms in the challenge ciphertext by \( \mathbf {c}, \mathbf {c}^{\scriptscriptstyle \mathsf {T}}\mathbf {R}'_1, \ldots , \mathbf {c}^{\scriptscriptstyle \mathsf {T}}\mathbf {R}'_t\), where \(\mathbf {c}\) is a uniformly random vector, which we switched from \(\mathbf {A}^{\scriptscriptstyle \mathsf {T}}\mathbf {s}+ {\mathbf {e}}\) using the LWE assumption. Here we crucially rely on the fact that switched to simulation of secret keys without knowing the trapdoor of \(\mathbf {A}\). Going further, once \(\mathbf {c}\) is random, we can switch back to simulating secret keys using the trapdoor \(\mathbf {T}\). Hence, the secret keys now do not leak any information about \(\mathbf {R}'_1,\ldots ,\mathbf {R}'_t\). Therefore, we may then invoke the leftover hash lemma to argue that \(\mathbf {x}\) is informationtheoretically hidden.
4 Predicate Encryption for Circuits
In this section, we present our main construction of predicate encryption for circuits by bootstrapping on top of the partiallyhiding predicate encryption. That is,

We construct a Predicate Encryption scheme \(\mathcal {PE} =(\mathsf {Setup}, \mathsf {Keygen}, \mathsf {Enc}, \mathsf {Dec})\) for boolean predicate family \(\mathcal {C}\) bounded by depth d over k bit inputs.
starting from

an FHE scheme \(\mathcal {FHE} = ({\mathsf {HE}}.\mathsf {KeyGen}, {\mathsf {HE}}.\mathsf {Enc}, {\mathsf {HE}}.\mathsf {Dec}, {\mathsf {HE}}.\mathsf {Eval})\) with properties as described in Sect. 2.1. Define \(\ell \) as the size of the initial ciphertext encrypting k bit messages, and \(t\) as the size of the FHE secret key and evaluated ciphertext vectors;

a partiallyhiding predicate encryption scheme \(\mathcal {PHPE} = (\mathsf {PH.Setup}, \mathsf {PH.Keygen},\) \(\mathsf {PH.Enc}, \mathsf {PH.Dec})\) for the class \(\mathcal {C}_\mathsf {PHPE}\) of predicates bounded by some depth parameter \(d' = \mathrm{poly}(d, \lambda , \log q)\). Recall that
$$ (\widehat{C} \,\circ \, \mathsf {IP}_\gamma )(\mathbf {x}\in {\mathbb Z}_q^t, \mathbf {y}\in \{0,1\}^t) = 1 \text{ iff } \bigg ( \sum _{i \in [t]} \mathbf {x}[i] \cdot \widehat{C}(\mathbf {y})[i] \bigg ) = \gamma \mod q $$where \(\widehat{C}: \{0,1\}^\ell \rightarrow \{0,1\}^t\) is a circuit of depth at most \(d'\).
Overview. At a high level, the construction proceeds as follows:

the \(\mathcal {PE}\) ciphertext corresponding to an attribute \({\mathbf {a}}\in \{0,1\}^k\) is a \(\mathcal {PHPE}\) ciphertext corresponding to an attribute \(( \mathsf {fhe.sk},\mathsf {fhe.ct})\) where \( \mathsf {fhe.sk}\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}\mathbb {Z}_q^t\) is private and \(\mathsf {fhe.ct}:= {\mathsf {HE}}.\mathsf {Enc}({\mathbf {a}}) \in \{0,1\}^\ell \) is public;

the \(\mathcal {PE}\) secret key for a predicate \(C : \{0,1\}^k \rightarrow \{0,1\}\in \mathcal {C}\) is a collection of \(2B+1\) \(\mathcal {PHPE}\) secret keys for the predicates \(\{ \widehat{C} \,\circ \, \mathsf {IP}_\gamma : \mathbb {Z}_q^t\times \{0,1\}^\ell \rightarrow \{0,1\}\}_{\gamma = \lfloor q/2 \rfloor B,\ldots ,\lfloor q/2 \rfloor +B}\) where \(\widehat{C}: \{0,1\}^\ell \rightarrow \{0,1\}\) is the circuit:
$$ \widehat{C}(\mathsf {fhe.ct}) := {\mathsf {HE}}.\mathsf {Eval}(\mathsf {fhe.ct}, C), $$so \(\widehat{C}\) is a circuit of depth at most \(d' = \mathrm{poly}(d,\lambda ,\log q)\);

decryption works by trying all possible \(2B+1\) secret keys.
Note that the construction relies crucially on the fact that B (the bound on the noise in the FHE evaluated ciphertexts) is polynomial. For correctness, observe that for all \(C,{\mathbf {a}}\):
where \( \mathsf {fhe.sk},\mathsf {fhe.ct},\hat{C}\) are derived from \(C,{\mathbf {a}}\) as in our construction.
4.1 Our Predicate Encryption Scheme
Our construction proceeds as follows:

\(\mathsf {Setup}(1^\lambda , 1^k,1^d)\): The setup algorithm takes the security parameter \(\lambda \), the attribute length k and the predicate depth bound d.

1.
Run the partiallyhiding PE scheme for family \(\mathcal {C}_\mathsf {PHPE}\) to obtain a pair of master public and secret keys:
$$ (\mathsf {ph.mpk}, \mathsf {ph.msk}) \leftarrow \mathsf {PH.Setup}(1^\lambda , 1^t, 1^\ell , 1^{d'} ) $$where for kbit messages and depth d circuits: t is the length of FHE secret key, \(\ell \) is the bitlength of the initial FHE ciphertext and \(d'\) is the bound on FHE evaluation circuit (as described at the beginning of this section).

2.
Output \(( \mathsf {mpk}\mathop {=}\limits ^{.}\mathsf {ph.mpk}, \mathsf {msk}\mathop {=}\limits ^{.}\mathsf {ph.msk})\).

1.

\(\mathsf {Keygen}( \mathsf {msk}, C)\): The keygeneration algorithms takes as input the master secret key \( \mathsf {msk}\) and a predicate C. It outputs a secret key \( \mathsf {sk}_C\) computed as follows.

1.
Let \(\widehat{C}(\cdot ) := {\mathsf {HE}}.\mathsf {Eval}(\cdot , C)\) and let \((\widehat{C} \,\circ \, \mathsf {IP}_\gamma )\) be the predicates for \(\gamma = \lfloor q/2 \rfloor  B, \ldots , \lfloor q/2 \rfloor + B\).

2.
For all \(\gamma = \lfloor q/2 \rfloor  B, \ldots , \lfloor q/2 \rfloor + B\), compute
$$ \mathsf {sk}_{\widehat{C} \,\circ \, \mathsf {IP}_\gamma } \leftarrow \mathsf {PH.Keygen}\big ( \mathsf {ph.msk}, \widehat{C} \,\circ \, \mathsf {IP}_\gamma \big ) $$ 
3.
Output the secret key as \( \mathsf {sk}_C \mathop {=}\limits ^{.}\big ( \{ \mathsf {sk}_{\widehat{C} \,\circ \, \mathsf {IP}} \}_{\gamma = \lfloor q/2 \rfloor  B, \ldots , \lfloor q/2 \rfloor + B} \big )\).

1.

\(\mathsf {Enc}( \mathsf {mpk}, {\mathbf {a}}, \mu )\): The encryption algorithm takes as input the public key \( \mathsf {mpk}\), the input attribute vector \({\mathbf {a}}\in \{0,1\}^k\) and message \(\mu \in \{0,1\}\). It proceeds as follow.

1.
Samples a fresh FHE secret key \( \mathsf {fhe.sk}\in {\mathbb Z}_q^{t}\) by running \({\mathsf {HE}}.\mathsf {KeyGen}(1^\lambda , 1^{d'}, 1^k)\).

2.
Encrypt the input to obtain
$$ \mathsf {fhe.ct}\leftarrow {\mathsf {HE}}.\mathsf {Enc}( \mathsf {fhe.sk}, {\mathbf {a}}) \in \{0,1\}^{\ell } $$ 
3.
Compute
$$ \mathsf {ct}_\mathsf {fhe.ct}\leftarrow \mathsf {PH.Enc}\big ( \mathsf {mpk}, ( \mathsf {fhe.sk}, \mathsf {fhe.ct}), \mu \big ) $$Note that the \( \mathsf {fhe.sk}\) corresponds to the hidden attribute and \(\mathsf {fhe.ct}\) corresponds to the public attribute.

4.
Output the ciphertext \(\mathsf {ct}= (\mathsf {ct}_\mathsf {fhe.ct}, \mathsf {fhe.ct})\).

1.

\(\mathsf {Dec}( ( \mathsf {sk}_C, C), \mathsf {ct}):\) The decryption algorithm takes as input the secret key \( \mathsf {sk}_C\) with corresponding predicate C and the ciphertext \(\mathsf {ct}\). If there exists \(\gamma = \lfloor q/2 \rfloor  B, \ldots , \lfloor q/2 \rfloor + B\) such that
$$ \mathsf {PH.Dec}( ( \mathsf {sk}_{\widehat{C} \,\circ \, \mathsf {IP}_\gamma }, \widehat{C} \,\circ \, \mathsf {IP}_\gamma ), (\mathsf {ct}_\mathsf {fhe.ct}, \mathsf {fhe.ct})) = \mu \ne \perp $$then output \(\mu \). Otherwise, output \(\perp \).
4.2 Correctness
Lemma 4.1
Let \(\mathcal {C}\) be a family of predicates bounded by depth d and let \(\mathcal {PHPE}\) be the partiallyhiding PE and \(\mathcal {FHE}\) be a fullyhomomorphic encryption as per scheme description. Then, our predicate encryption scheme \(\mathcal {PE}\) is correct. Moreover, the size of each secret key is \(\mathrm{poly}(d, \lambda )\) and the size of each ciphertext is \(\mathrm{poly}(d, \lambda , k)\).
We refer the reader to the full version for the proof.
4.3 Security
Theorem 4.2
Let \(\mathcal {C}\) be a family of predicates bounded by depth d and let \(\mathcal {PHPE}\) be the secure partiallyhiding PE and \(\mathcal {FHE}\) be the secure fullyhomomorphic encryption as per scheme description. Then, our predicate encryption scheme \(\mathcal {PE}\) is secure.
Proof. We define p.p.t. simulator algorithms \(\mathsf {Enc}_\mathrm {Sim}\) and argue that its output is indistinguishable from the output of the real experiment. Let \(\mathsf {PH.Enc}_\mathrm {Sim}\) be the p.p.t. simulator for partiallyhiding predicate encryption scheme.

\(\mathsf {Enc}_\mathrm {Sim}( \mathsf {mpk}, 1^{{\mathbf {a}}}, 1^{\mu })\): To compute the encryption, the simulator does the following. It samples FHE secret key \( \mathsf {fhe.sk}\) by running \({\mathsf {HE}}.\mathsf {KeyGen}(1^\lambda , 1^{d'}, 1^k)\). It encrypts a zerostring \(\mathsf {fhe.ct}\leftarrow {\mathsf {HE}}.\mathsf {Enc}( \mathsf {fhe.sk}, \mathbf {0})\). It obtains the ciphertext as \( \mathsf {ct}_\mathsf {fhe.ct}\leftarrow \mathsf {PH.Enc}_\mathrm {Sim}( \mathsf {mpk}, \mathsf {fhe.ct}, 1^{ \mathsf {fhe.sk}}, 1^{\mu }).\)
We now argue via a series of hybrids that the output of the ideal experiment.

Hybrid 0: The real experiment.

Hybrid 1: The real encryption algorithm is replaced with \(\mathsf {Enc}^*\), where \(\mathsf {Enc}^*\) is an auxiliary algorithm defined below. On the high level, \(\mathsf {Enc}^*\) computes the FHE ciphertext honestly by sampling a secret key and using the knowledge of \({\mathbf {a}}\). It then invokes \(\mathsf {PH.Enc}_\mathrm {Sim}\) on the honestly generated ciphertext.

Hybrid 2: The simulated experiment.
Auxiliary Algorithms. We define the auxiliary algorithm \(\mathsf {Enc}^*\) used in Hybrid 1.

\(\mathsf {Enc}^*({\mathbf {a}}, 1^{\mu })\): The auxiliary encryption algorithm takes as input the attribute vector \({\mathbf {a}}\) and message length.

1.
Sample a fresh FHE secret key \( \mathsf {fhe.sk}\) by running \({\mathsf {HE}}.\mathsf {KeyGen}(1^\lambda , 1^{d'}, 1^k)\).

2.
Encrypt the input attribute vector to obtain a ciphertext
$$ \mathsf {fhe.ct}\leftarrow {\mathsf {HE}}.\mathsf {Enc}( \mathsf {fhe.sk}, {\mathbf {a}}) \in \{0,1\}^{\ell } $$ 
3.
Run \(\mathsf {PH.Enc}_\mathrm {Sim}\) on input \(( \mathsf {mpk}, \mathsf {fhe.ct}, 1^{ \mathsf {fhe.sk}}, 1^{\mu })\) to obtain the ciphertext \(\mathsf {ct}_\mathsf {fhe.ct}\).

1.
Lemma 4.3
The output of Hybrid 0 is computationally indistinguishable from the Hybrid 1, assuming security of PartiallyHiding Predicate Encryption.
Proof
Assume there is an adversary \(\mathrm {Adv}\) and a distinguisher \(\mathcal {D}\) that distinguishes the output \(({\mathbf {a}}, \mu , \alpha )\) produced in either of the two hybrids. We construct an adversary \(\mathrm {Adv}'\) and a distinguisher \(\mathcal {D}'\) that break the security of the PartiallyHiding Predicate Encryption. The adversary \(\mathrm {Adv}'\) does the following.

1.
Invoke the adversary \(\mathrm {Adv}\) to obtain an attribute vector \({\mathbf {a}}\).

2.
Sample a fresh FHE secret key \( \mathsf {fhe.sk}\) using \({\mathsf {HE}}.\mathsf {KeyGen}(1^\lambda , 1^{d'}, 1^k)\). Encrypt the attribute vector
$$ \mathsf {fhe.ct}\leftarrow {\mathsf {HE}}.\mathsf {Enc}( \mathsf {fhe.sk}, {\mathbf {a}}) $$and output the pair \(( \mathsf {fhe.sk}, \mathsf {fhe.ct})\) as the “selective” challenge attribute.

3.
Upon receiving \( \mathsf {mpk}\), it forwards it to \(\mathrm {Adv}\).

4.
For each oracle query C that \(\mathrm {Adv}\) makes which satisfies \(C({\mathbf {a}}) \ne 0\), \(\mathrm {Adv}'\) uses its oracle to obtain secret keys \( \mathsf {sk}_{\widehat{C} \,\circ \, \mathsf {IP}_\gamma }\) for \(\gamma = \lfloor q/2 \rfloor  B, \ldots , \lfloor q/2 \rfloor + B\). It outputs \( \mathsf {sk}_C = \big ( \{ \mathsf {sk}_{\widehat{C} \,\circ \, \mathsf {IP}_\gamma } \}_{\gamma = \lfloor q/2 \rfloor  B, \ldots , \lfloor q/2 \rfloor + B} \big )\).

5.
It outputs message \(\mu \) that \(\mathrm {Adv}\) produces, obtains a ciphertext \(\mathsf {ct}_\mathsf {fhe.ct}\) and sends \(\mathsf {ct}= (\mathsf {ct}_\mathsf {fhe.ct}, \mathsf {fhe.ct})\) back to \(\mathrm {Adv}\) to obtain \(\alpha \).
We note that given \(\mathrm {Adv}\) that is admissible, \(\mathrm {Adv}'\) is also admissible. That is, for all queries \(\widehat{C} \,\circ \, \mathsf {IP}_\gamma \) that \(\mathrm {Adv}'\) makes satisfies \((\widehat{C} \,\circ \, \mathsf {IP}_\gamma )( \mathsf {fhe.sk}, \mathsf {fhe.ct}) = 0\) since \(\langle \mathsf {fhe.sk}, \widehat{C}(\mathsf {fhe.ct}) \rangle \ne \gamma \) for \(\gamma = \lfloor q/2 \rfloor  B, \ldots , \lfloor q/2 \rfloor + B\) by the correctness of FHE in Sect. 2.1 and the fact that \(C({\mathbf {a}}) \ne 0\). Finally, the distinguisher \(\mathcal {D}'\) on input \(( \mathsf {fhe.sk}, \mathsf {fhe.ct}, \mu , \alpha )\) invokes \(\mathcal {D}\) and outputs whatever it outputs. Now, in Hybrid 0 the algorithms used as \(\mathsf {PH.Setup}, \mathsf {PH.Keygen}, \mathsf {PH.Enc}\) which corresponds exactly to the real security game of PHPE. However, in Hybrid 1 the algorithms correspond exactly to the simulated security game. Hence, we can distinguish between the real and simulated experiments contradicting the security of PHPE scheme.
Lemma 4.4
The output of Hybrid 1 and Hybrid 2 are computationally indistinguishable, assuming semantic security of FullyHomomorphic Encryption Scheme.
Proof
The only difference in Hybrids 1 and 2 is how the FHE ciphertext is produced. In one experiment, it is computed honestly by encrypting the attribute vector \({\mathbf {a}}\), while in the other experiment it is always an encryption of \(\mathbf {0}\). Hence, we can readily construct an FHE adversary that given \({\mathbf {a}}\), distinguishes encryption of \({\mathbf {a}}\) from encryption of \(\mathbf {0}\) as follows:

1.
Invoke the admissible PE adversary \(\mathrm {Adv}\) to obtain an attribute vector \({\mathbf {a}}\).

2.
Run the honest \(\mathsf {PH.Setup}\) and forwards \( \mathsf {mpk}\) to \(\mathrm {Adv}\).

3.
For each oracle query C that \(\mathrm {Adv}\) makes which satisfies \(C({\mathbf {a}}) \ne 0\), return \( \mathsf {sk}_C = \big ( \{ \mathsf {sk}_{\widehat{C} \,\circ \, \mathsf {IP}_\gamma } \}_{\gamma = \lfloor q/2 \rfloor  B, \ldots , \lfloor q/2 \rfloor + B} \big )\) as computed using the honest \(\mathsf {PH.Keygen}\) algorithm.

4.
To simulate the ciphertext, first forward the pair \(({\mathbf {a}}, \mathbf {0})\) to the FHE challenger to obtain a ciphertext \(\mathsf {fhe.ct}\). Then, run \(\mathsf {PH.Enc}_\mathrm {Sim}( \mathsf {mpk}, \mathsf {fhe.ct}, 1^{ \mathsf {fhe.sk}}, 1^{\mu })\) to obtain a ciphertext \(\mathsf {ct}_\mathsf {fhe.ct}\) and forward it to \(\mathrm {Adv}\)

5.
Finally, it runs the PE distinguisher on input \(({\mathbf {a}}, \mu , \alpha )\) and outputs its guess.
The lemma then follows from semantic security of the FHE completing the security proof. We also refer the reader to the full version for the summary of parameters selection.
Notes
 1.
In fact, there is a syntactic mismatch since \(\hat{f}(\cdot )\) is not a predicate, as it outputs an FHE ciphertext.
 2.
A reader familiar with [GKP+13] might wonder whether replacing singleuse garbled circuits in their construction with reusable garbled circuits (also from [GKP+13].) might remove this limitation. We remark that this does not seem possible, essentially because the construction in [GKP+13] relies crucially on the simplicity of computing garbled inputs from the “garbling key”. In particular, in Yao’s garbled circuit scheme, the garbling key is (many) pairs of “strings” \(L_0\) and \(L_1\), and a garbling of an input bit b is simply \(L_b\). This fits perfectly with the semantics of ABE (rather, a variant termed twoinput ABE in [GKP+13]) that releases one of two possible “messages” \(L_0\) or \(L_1\) depending on the outcome of a computation. In contrast, computing a garbled input in the reusable garbling scheme is a more complex and randomized function of the garbling key, and does not seem to align well with the semantics of ABE.
 3.
Recall that no circular security assumption needs to be made for leveled bootstrapping.
 4.
Sometimes also referred as weak attributehiding.
 5.
Sometimes also referred as full attributehiding.
References
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010)
Agrawal, S., Freeman, D.M., Vaikuntanathan, V.: Functional encryption for inner product predicates from learning with errors. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 21–40. Springer, Heidelberg (2011)
Agrawal, S., Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption: new perspectives and lower bounds. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 500–518. Springer, Heidelberg (2013)
AlperinSheriff, J., Peikert, C.: Faster bootstrapping with polynomial error. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 297–314. Springer, Heidelberg (2014)
Boneh, D., Boyen, X.: Efficient selectiveID secure identitybased encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
Boneh, D., Gentry, C., Gorbunov, S., Halevi, S., Nikolaenko, V., Segev, G., Vaikuntanathan, V., Vinayagamurthy, D.: Fully keyhomomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014)
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS, pp. 309–325 (2012)
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011)
Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ringLWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011)
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: FOCS, pp. 97–106 (2011)
Brakerski, Z., Vaikuntanathan, V.: Latticebased FHE as secure as PKE. In: ITCS, pp. 1–12 (2014)
Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007)
Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015)
Coron, J.S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013)
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)
Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013)
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49, (2013). Also, Cryptology ePrint Archive, report 2013/451
Gentry, C., Gorbunov, S., Halevi, S.: Graphinduced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015)
Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Fully secure functional encryption without obfuscation. Cryptology ePrint Archive, report 2014/666 (2014)
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: STOC, pp. 555–564 (2013)
Gay, R., Méaux, P., Wee, H.: Predicate encryption for multidimensional range queries from lattices. In: Public Key Cryptography (2015). Also, Cryptology ePrint Archive, report 2014/965
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attributebased encryption for finegrained access control of encrypted data. In: ACM CCS, pp. 89–98 (2006)
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptuallysimpler, asymptoticallyfaster, attributebased. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013)
Gorbunov, S., Vinayagamurthy, D.: Riding on asymmetry: Efficient ABE for branching programs. Cryptology ePrint Archive, report 2014/819 (2014). http://eprint.iacr.org/
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multiparty computation. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012)
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attributebased encryption for circuits. In: STOC, pp. 545–554 (2013). Also, Cryptology ePrint Archive, report 2013/337
Ishai, Y., Wee, H.: Partial garbling schemes and their applications. In: Esparza, J., Fraigniaud, P., Husfeldt, T., Koutsoupias, E. (eds.) ICALP 2014. LNCS, vol. 8572, pp. 650–662. Springer, Heidelberg (2014)
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008)
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012)
Okamoto, T., Takashima, K.: Fully Secure functional encryption with general relations from the decisional linear assumption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 191–208. Springer, Heidelberg (2010)
Okamoto, T., Takashima, K.: Adaptively attributehiding (hierarchical) inner product encryption. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 591–608. Springer, Heidelberg (2012)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009)
Shi, E., Bethencourt, J., Chan, H.T.H., Song, D.X., Perrig, A.: Multidimensional range query over encrypted data. In: IEEE Symposium on Security and Privacy, pp. 350–364 (2007)
Sahai, A., Seyalioglu, H.: Worryfree encryption: functional encryption with public keys. In: ACM Conference on Computer and Communications Security, pp. 463–472 (2010)
Sahai, A., Waters, B.: Fuzzy identitybased encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005)
Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 International Association for Cryptologic Research
About this paper
Cite this paper
Gorbunov, S., Vaikuntanathan, V., Wee, H. (2015). Predicate Encryption for Circuits from LWE. In: Gennaro, R., Robshaw, M. (eds) Advances in Cryptology  CRYPTO 2015. CRYPTO 2015. Lecture Notes in Computer Science(), vol 9216. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783662480007_25
Download citation
DOI: https://doi.org/10.1007/9783662480007_25
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 9783662479995
Online ISBN: 9783662480007
eBook Packages: Computer ScienceComputer Science (R0)