1 Introduction

Selective-opening (SO) attacks. A selective-opening (SO) attack on an encryption scheme models the adaptive corruption of multiple senders. More formally, an SO adversary \(A\) first receives many ciphertexts \(c _1,\dots ,c _n\) for respective plaintexts \(m _1,\dots ,m _n\) that are jointly sampled (and may thus be related). \(A\) may then ask for the opening of an arbitrary subset of the \(c _i\).Footnote 1 Finally, \(A\) is asked to break the security of the unopened ciphertexts.

Different flavors of SO security notions. Note that it is not entirely clear what “breaking the security of the unopened ciphertexts” should mean. For instance, since the plaintexts are related, it is possible that all plaintexts (including those from unopened ciphertexts) can be efficiently computed from the opened plaintexts. Furthermore, to achieve greater generality, usually the joint distribution from which the \(m _1,\dots ,m _n\) are sampled is adversarially chosen, so \(A\) may already have some a-priori (partial or even full) knowledge about the unopened \(m _i\).

Hence, two different flavors of SO security have developed: simulation-based (SIM-SO [2, 10]) and indistinguishability-based (IND-SO [2, 5]) security. Intuitively, SIM-SO security requires that the output of \(A\) above can be simulated by a simulator that sees only the opened \(m _i\) (and no ciphertexts at all). In particular, all information \(A\) can extract about the unopened \(m _i\) can also be generated by a simulator from the opened \(m _i\) alone.

On the other hand, IND-SO security requires that the unopened plaintexts look indistinguishable from independently sampled plaintexts. Because the plaintexts may be related, this independent sampling must be conditioned on the already opened plaintexts to avoid trivial attacks. Hence, if, e.g., the opened plaintexts already fully determine all plaintexts, conditional sampling will lead to the originally encrypted plaintexts, and IND-SO security is trivially achieved.

As a consequence, the IND-SO experiment itself is only efficient for plaintext distributions that are “efficiently (conditionally) re-samplable” in the above sense. In fact, usually IND-SO security is only considered for such plaintext distributions [2, 18, 19], which limits its applicability to scenarios with such distributions; there is no known encryption scheme that is IND-SO secure against arbitrary (i.e., only efficiently samplable) plaintext distributions.

The difficulty of achieving simulation-based SO security. Hence, from an application point of view, SIM-SO security is the preferable notion of SO security. Unfortunately, while IND-SO security (restricted to efficiently re-samplable plaintext distributions and in the chosen-plaintext case) is already achieved by any lossy encryption scheme [2, 29], SIM-SO security seems much harder to obtain. For instance, [1] show (under mild computational assumptions) that there are encryption schemes that are IND-CPA but not SIM-SO secure. Furthermore, known constructions of SIM-SO secure encryption schemes follow dedicated (and somewhat nonstandard) design strategies [2, 3, 12, 15, 18, 19, 22]. As a result, all known SIM-SO secure schemes fall into one of the following two categories:  

Large ciphertexts. :

The SIM-SO secure schemes from [2, 3, 12, 22] have ciphertexts of \(\mathbf {O} (|m |)\) group elements, where \(|m |\) is the bitsize of the plaintext.

DCR-based. :

The schemes from [15, 18, 19]Footnote 2 have more compact ciphertexts, but are limited to the decisional composite residuosity (DCR) setting [9, 28] (and rely on its specific algebraic features).

Below, when explaining our technical approach, we will also comment on the technical obstacles that need to be overcome for SIM-SO security.

Our results. In this work, we offer the first SIM-SO secure encryption schemes with compact ciphertexts in the discrete-log setting. Specifically, ciphertexts in our scheme carry \(\mathbf {O} (1)\) group elements (plus \(|m |\) bits, where \(|m |\) is the plaintext bitsize), and SIM-SO security can be proved under any matrix assumption [11] (thus, in particular under, e.g., the \(k\)-linear assumption for any \(k\ge 1\)). Our construction is simple, works in the standard model, and does not require pairings.

The price we pay for these features is a rather large public key size (of \(\mathbf {O} (|m |^2)\) group elements, and computationally expensive encryption and decryption procedures. Specifically, our encryption proceeds bitwise, and requires \(\mathbf {O} (|m |)\) exponentiations for each message bit. (Alternatively, the operation needed to encrypt one bit could also be viewed as one multi-exponentiation with respect to \(\mathbf {O} (|m |)\) fixed bases. So there is room for some small improvements in runtime by a constant factor, e.g., using interleaving multi-exponentiation [23].) Concerning the key size, we show how a technique of [7] can be used to at least compress the public key to \(\mathbf {O} (|m |)\) group elements by using a pairing. Still, in particular in light of the relatively inefficient encryption and decryption in our scheme, we view our result mainly as a feasibility result (Table 1).

Table 1. Comparison of our construction with other SO-secure PKE schemes. (We omit schemes that do not achieve SIM-SO-CPA security in any more efficient way than the ones mentioned, e.g., because they focus on CCA security [15, 18, 19] or on the IBE setting [3].) |G| denotes the description (bit-)size of elements of a group in the discrete-log setting, and |G| and \(|G_T|\) denote the corresponding sizes in a pairing-friendly setting with source group G and target group \(G_T\). \(\lambda \) denotes the security parameter. The entry \( poly (\lambda )\) in the |m| column means that the message size is not restricted and might be set arbitrarily (and especially independent of the group size). QR denotes the quadratic residuosity assumption, DCR denotes Paillier’s decisional composite residuosity assumption, and |N| denotes the length of a suitable composite number (determining the modulus) for such schemes. TDOWP denotes an arbitrary trapdoor one-way permutation, and \(|\text {img}|\) denotes the (bit-)size of elements in the corresponding image. \(|c|-|m |\) denotes the ciphertext overhead (i.e., the bitlength of the ciphertext minus the plaintext bitlength).

In the following, we give a brief overview over our approach.

Our starting point. Our starting point is the lossy (and thus IND-SO secure) PKE scheme of [25] (see also [2, 17, 29]). In this scheme, public keys and ciphertexts are of the form

$$\begin{aligned} pk =(g,g^x,g^y,g^z) \qquad c =(u,v)=(g^{r+sx},g^{ry+sz}\cdot m) \end{aligned}$$

for random exponents \(x,y,r,s\), for \(z=xy\), and a plaintext \(m\). Note that if we switch \(z\) to an independently random value (however with \(z\ne xy\)), then encryption becomes lossy: ciphertexts are tuples of random group elements, independently of \(m\). Furthermore, such a switch can be justified with the decisional Diffie-Hellman (DDH) assumption.

Efficient openability. In order to achieve SIM-SO security, we additionally require a property called “efficient openability” of ciphertexts [2, 12]. In a nutshell, efficient openability requires that ciphertexts generated under lossy public keys can be opened to arbitrary messages with a special trapdoor. (Note that such an arbitrary opening is always possible inefficiently in the lossy case.)

We note that efficient openability implies SIM-SO security [2]. In fact, all mentioned SIM-SO secure schemes achieve (a suitable variant of) efficient openability.Footnote 3 Unfortunately, this strong property is not achieved easily. For instance, consider the PKE scheme from (1) (with lossy public keys, i.e., with \(z\ne xy\)). In order to open a given ciphertext \(c =(u,v)\) as an encryption of an externally given plaintext \(m\), a simulator would have to supply random coins \((r,s)\) satisfying \(r+sx=\mathrm {dlog}_g(u)\) and \(ry+sz=\mathrm {dlog}_g(v)-\mathrm {dlog}_g(m)\). Hence, the ability to open to arbitrary \(m\) implies the ability to compute discrete logarithms (which would seem to require special trapdoors in standard discrete-log groups).Footnote 4

A bitwise scheme. Our first observation is that the situation changes if only bits (or messages from a small domain) are encrypted. Concretely, consider the following slightly modified scheme that encrypts only bits:

$$\begin{aligned} pk =(g,g^x,g^y,g^z) \qquad c =(u,v)=(g^{r+sx},H(g^{ry+sz})\oplus m) \end{aligned}$$

where \(x,y,z,r,s\) are as before, \(H\) is a universal hash function that maps group elements to bits, and \(m \in \{0,1\}\). This scheme allows for an efficient opening operation (if \(z\ne xy\)). Namely, to open a ciphertext \(c =(u,v)\) (as in (2)) to a message \(m\), using as trapdoor \(x,y,z,r,s\), simply sample \(r',s'\) randomly subject to \(r'+s'x=r+sx\) until \(H(g^{r'y+s'z})\oplus m =v\). (On average, it takes \(2\) such samplings until suitable \(r',s'\) are found.) This scheme can be generalized to messages \(m \in \{0,1\}^{\mathbf {O} (\log (\lambda ))}\) (where \(\lambda \) denotes the security parameter), using hash functions with output length \(|m |\), at the cost of a less efficient opening algorithm. In the following, however, we will focus on the bitwise processing of messages for simplicitly.

The scheme from (2) hence achieves efficient openability (and thus SIM-SO security), but suffers from a small message space. Of course, its message space can be expanded by concatenating several ciphertexts, which would however increase the ciphertext size to \(\mathbf {O} (|m |)\) group elements.

Compressing ciphertexts. Hence, instead of concatenating ciphertexts, we reuse the value of \(u\) across several bit encryptions. Doing so naively (e.g., by setting \(u=g^{r+sx}\) and \(v_i=H(g_i^{ry+sz})\oplus m _i\) for different generators \(g_i\)) would however interfere with our efficient opening strategy. Specifically, it is not obvious how to efficiently sample \(r',s'\) as above that would lead to \(H(g_i^{r'y+s'z})\oplus m _i=v_i\) for all \(i\) simultaneously.

We resolve this issue by adding more encryption random coins (and thus more “degrees of freedom” for our efficient opening procedure). That is, we set

$$\begin{aligned} \begin{aligned} pk&=(g,(g^{x_i},g^{y_j})_{j=1}^\mu ,(g^{z_{i,j}})_{i,j=1}^\mu ) \\ c&=(u,(v_i)_{i=1}^\mu )=(g^{r+\sum _{j=1}^\mu s_jx_j},(H(g^{ry_j+\sum _{j=1}^\mu s_jz_{i,j}})\oplus m _i)_{i=1}^\mu ) \end{aligned} \end{aligned}$$

for random exponents \(x_i,y_j,z_{i,j},r,s_j\) and \(z_{i,j}=x_iy_j\), and an \(\mu \)-bit plaintext \(m =(m _i)_{i=1}^\mu \). Since \(z_{i,j}=x_iy_j\), knowledge of all \(x_i,y_j\) allows to decrypt. However, switching to random \(z_{i,j}\ne x_iy_j\) (which can be justified with the DDH assumption) implies that encryption becomes lossy (as with (1) and (2)).

Moreover, in case \(z_{i,j}\ne x_iy_j\), a ciphertext \(c =(u,(v_i)_{i=1}^\mu )\) can be efficiently opened as follows. First, select “target exponents” \(t_1,\dots ,t_\mu \) randomly subject to \(H(g^{t_i})\oplus m _i=v_i\) for all \(i\). (The \(t_i\) can be sampled individually, one after the other, and so this step requires \(2\mu \) samplings on average.) Next, solve the system that consists of the linear equations \(r'y_j+\sum _{j=1}^\mu s'_jz_{i,j}=t_i\) (with \(1\le i\le \mu \)) and \(r'+\sum _{j=1}^\mu s'_jx_j=r+\sum _{j=1}^\mu s_jx_j\) for the variables \(r',s'_j\). (Since the \(z_{i,j}\ne x_iy_j\) are random, this system is solvable using linear algebra with high probability.) Finally, output \((r',(s'_j)_{j=1}^\mu )\) as the desired random coins that open \(c\) to \(m\).

Extensions and open problems. Inside, we also show how to generalize this idea to weaker assumptions than DDH (in the same spirit in which [14] generalize the DDH-based lossy trapdoor function of [30]). In particular, we obtain constructions based on any Matrix Diffie-Hellman (MDDH) assumption [11] (at the price of somewhat larger ciphertexts, but whose overhead is still independent of \(|m |\), and somewhat larger public keys), including the \(k\)-linear assumption [20, 31]. Furthermore, we show how to compress the public key of our scheme from \(\mathbf {O} (|m |^2)\) to \(\mathbf {O} (|m |)\) group elements using a pairing-based technique used to compress the public key of lossy trapdoor functions [7].

In this work, we focus on chosen-plaintext (CPA) security. One interesting open problem is to extend our techniques to the chosen-ciphertext (CCA) setting to obtain a SIM-SO-CCA secure scheme with compact ciphertexts in the discrete-log regime. Besides, of course a further compression of the public key in our schemes or an improvement in computational efficiency would be desirable.

Relation to a scheme of Bellare and Yilek. Our “bitwise” scheme from (2) above is very similar to a scheme of Bellare and Yilek (from Sect. 5.4 of the September 23, 2012 update of [4]). (We thank one TCC reviewer for pointing us to that scheme, which we were not aware of previously.) The main difference is that we use the use the term \(H(g^{ry+sz})\oplus m \) to hide the message, whereas Bellare and Yilek use \(g^{ry+sz})\, \cdot \, g^m \). This entails (conceptually not very significant) differences in the respective opening algorithms. However, the more important difference in these schemes is that our scheme from (2) only has one group element (plus one hidden message bit) in the ciphertext, while Bellare and Yilek use a whole group element to hide a one-bit message. Hence, our main trick above (namely, to modify and then reuse the first ciphertext element \(g^{ry+sz}\) for many bit encryptions) would not lead to compact ciphertexts when applied to the scheme of Bellare and Yilek.

SO security against corrupted receivers, and relation to non-committing encryption. Traditionally, SO security models a setting in which only senders are corrupted (and thus, an opening only reveals the corresponding encryption random coins). However, some works (e.g., [1, 21]) additionally consider SO security against corrupted receivers (in which case there are many public keys, and an opening consists of the respective secret key). In this setting, strong impossibility results hold [1], which provide a fixed upper limit the number of secure encryptions under any given public key. The arising technical problems are commitment problems, and are very related to the inherent problems of non-committing encryption (NCE, [8]). Indeed, NCE schemes can be seen as encryption schemes that are SO secure both against corrupted senders and corrupted receivers.

In contrast, the more commonly considered notion of SO security against corrupted senders (which we also consider here) allows for more efficient schemes, that in particular tolerate an arbitrary number of encryptions and corruptions. The price to pay here is of course that only corruptions of senders (but not of receivers) are considered.

Roadmap. After fixing some notation and basic definitions in Sect. 2, we introduce our construction of lossy encryption with efficient weak opening in Sect. 3. The construction is generic and relies on what we call a matrix rank assumption. In Sect. 4, we then instantiate those assumptions with the family of MDDH assumptions from [11] (and thus in particular with the \(k\)-linear assumption). Finally, Sect. 5 presents a matrix rank assumption with a linear-size representation which is implied by the BDDH assumption in pairing groups. This results in a scheme with a public key size that is linear in \(|m |\).

2 Preliminaries

Notation. Throughout the paper, \(\lambda \in \mathbb {N} \) denotes the security parameter. For a finite set \(\mathcal {S}\), we denote by \(s\leftarrow \mathcal {S} \) the process of sampling \(s\) uniformly from \(\mathcal {S} \). For a probabilistic algorithm \(A\), we denote with \(\mathcal {R} _A\) the space of \(A\)’s random coins. \(y\leftarrow A(x;R)\) denotes the process of running \(A\) on input \(x\) and with randomness \(R \leftarrow \mathcal {R} _A\), and assigning \(y\) the result. We write \(y\leftarrow A(x)\) for \(y\leftarrow A(x;R)\) with uniform \(R\). If \(A\)’s running time is polynomial in \(\lambda \), then \(A\) is called probabilistic polynomial-time (PPT). We call a positive function \(\eta \) negligible if for every polynomial p there exists \(\lambda _0\) such that for all \(\lambda \ge \lambda _0\) holds \(\eta (\lambda )\le \frac{1}{p(\lambda )}\). We call \(\eta \) overwhelming if \(\eta (\lambda ) \ge 1 - \nu (\lambda )\), where \(\nu \) is a negligible function. The statistical distance between two random variables X and Y over a finite common domain D is defined by \(\varDelta (X, Y) = \frac{1}{2} \sum _{z \in D} | {{\mathrm{\Pr }}}[X=z] - {{\mathrm{\Pr }}}[Y=z]|\). We say that two families \(X=(X_\lambda )_{\lambda \in \mathbb {N}}\) and \(Y=(Y_\lambda )_{\lambda \in \mathbb {N}}\) of random variables are statistically close or statistically indistinguishable, denoted by \(X \approx _s Y\), if \(\varDelta (X_\lambda , Y_\lambda )\) is negligible in \(\lambda \).

2.1 Groups and Matrix Assumptions

Prime-order k -linear group generators. We use the following formal definition of a k-linear prime-order group generator for our constructions.

Remark 1

We stress that our constructions do not require multilinear maps in the sense of [16]. We rather want to capture both single-group settings and bilinear group settings in one unified definition, because this will be helpful in the sequel for the exposition of results that apply to both settings. Hence, one should have \(k=1\) or \(k=2\) in mind in the following definition.

Definition 1

A prime-order k-linear group generator is a PPT algorithm \(\mathcal {G}_k\) that on input of a security parameter \(1^\lambda \) outputs a tuple of the form

$$ \mathcal {MG}_{k}:=(k,G_1,\ldots , G_k, G_{k+1},g_1, \ldots , g_{k}, e, p)\leftarrow \mathcal {G}_k(1^\lambda ) $$

where \(G_1, \ldots , G_{k+1}\) are descriptions of cyclic groups of prime order p, \(\log p=\varTheta (\lambda )\), \(g_i\) is a generator of \(G_i\) for \(1 \le i \le k\), and \(e:\,G_1\times \ldots \times G_k\rightarrow G_{k+1}\) is a map which satisfies the following properties:

  • k-linearity: For all \(a_1 \in G_1, \ldots , a_k \in G_k\), \(\alpha \in \mathbb {Z} _p\), and \(i\in \{1,\dots ,k\}\) we have \(e(a_1,\ldots ,a_{i-1},\alpha a_i, a_{i+1},\ldots , a_k)= \alpha e(a_1,\ldots , a_k)\).

  • Non-degeneracy: \(g_{k+1}:=e(g_1,\dots ,g_k)\) generates \(G_{k+1}\).

If \(G_1 = \ldots = G_k\), we call \(\mathcal {G}_k\) a symmetric k-linear group generator.

Note that Definition 1 captures both ordinary single group generators and symmetric bilinear group generators:

  • In the single-group setting, \(\mathcal {G}_1(1^\lambda )\) would output \(\mathcal {MG}_{1}:=(1,G_1, G_2, g_1, e, p)\), where \(G_1=G_2\) and \(e: G_1 \rightarrow G_2\) is the identity mapping.

  • In the symmetric bilinear group setting, \(\mathcal {G}_2(1^\lambda )\) would output \(\mathcal {MG}_{2}:=(1,G_1, G_2, G_3, g_1, g_2, e, p)\), where \(G_1=G_2\) and \(g_1 = g_2\) and \(e: G_1 \times G_2 \rightarrow G_3\) is a pairing.

Implicit Representation. Following [11], we introduce the notion of implicit representations. Let \(G_i\) be a cyclic group of order p generated by \(g_i\). Then by \([a]_i := g_i^a\) we denote the implicit representation of \(a \in \mathbb {Z} _p\) in \(G_i\). More generally, we also define such representations for vectors \(\vec {b} \in \mathbb {Z} _p^n\) by \([\vec {b}]_i:=([b_j]_i)_{j} \in G_i^n\) and for matrices \(\mathbf {{A}} = (a_{j,k})_{j,k} \in \mathbb {Z} _p^{n\times \ell }\) by \([\mathbf {{A}}]_i:= ([a_{j,k}]_i)_{j,k} \in G_i^{n\times \ell }\).

Matrix-vector operations in implicit representation. If a matrix \([\mathbf {{A}}]=[(a_{i,j})_{i,j}] \in G^{n\times \ell }\) is known “in the exponent”, and a vector \(\vec {u}=(u_i)_i\in \mathbb {Z} _p^\ell \) is known “in clear”, then the product \([\mathbf {{A}}\cdot \vec {u}]\in G^n\) can be efficiently computed as \([(v_i)_i]\) for \([v_i]=\prod _{j=1}^\ell [a_{i,j}]^{u_j}\). Similarly, \([\mathbf {{A}}\cdot \mathbf {{B}}]\in G^{n \times k}\) can be computed given \([\mathbf {{A}}]=[(a_{i,j})_{i,j}] \in G^{n\times \ell }\) and \(\mathbf {{B}} \in \mathbb {Z} _p^{\ell \times k}\). If only \([\mathbf {{A}}]_1\) and \([\mathbf {{B}}]_2\) are known (i.e., only “in the exponent”) and a bilinear map \(e: G_1 \times G_2 \rightarrow G_3\) is given, we can still compute the matrix product \([\mathbf {{A}}\cdot \mathbf {{B}}]_3\) in the target group \(G_3\), as \([(c_{i,j})_{i,j}]_3\) for \([c_{i,j}]_3=\prod _{t=1}^\ell e([a_{i,t}]_1,[b_{t,j}]_2)\).

Matrix distributions and MDDH assumptions. For instantiating our construction we will make use of matrix distributions and the Matrix Diffie-Hellman assumption family as introduced in [11].

Let \(n,\ell \in \mathbb {N} \), \(n>\ell \). We call \(\mathcal {D} _{n,\ell }\) a matrix distribution if it outputs (in probabilistic polynomial time and with overwhelming probability in \(\log (p)\)) matrices \(\mathbf {{A}} \in \mathbb {Z} _p^{n\times \ell }\) of full rank \(\ell \). We define \(\mathcal {D} _{\ell } := \mathcal {D} _{\ell +1,\ell }\).

Definition 2

We say that the \(\mathcal {D} _{n,\ell }\) -Matrix Diffie-Hellman assumption, or just \(\mathcal {D} _{n,\ell }\)-MDDH assumption for short, holds in \(G_i\) and relative to the k-linear group generator \(\mathcal {G}_k\), if for all PPT adversaries \(D \), we have that

$$ \mathbf {Adv}_{\mathcal {D} _{n,\ell },\mathcal {G}_k}(D) = \left| {{\mathrm{\Pr }}}[D (\mathcal {MG}_{k},[\mathbf {{A}}]_i, [\mathbf {{A}} \vec {w}]_i)=1]-{{\mathrm{\Pr }}}[D (\mathcal {MG}_{k},[\mathbf {{A}}]_i, [\vec {u}]_i) =1] \right| $$

is negligible, where the probability is taken over the output

$$ \mathcal {MG}_{k}=(k,G_1,\ldots , G_k, G_{k+1},g_1, \ldots , g_k, e, p)\leftarrow \mathcal {G}_k(1^\lambda ), $$

\(\mathbf {{A}} \leftarrow \mathcal {D} _{n,\ell }\), \(\vec {w} \leftarrow \mathbb {Z} _p^\ell \), \(\vec {u} \leftarrow \mathbb {Z} _p^{n}\) and the coin tosses of the adversary \(D \).

In particular, we will refer to the following examples of matrix distributions, all for \(n=\ell +1\):

$$ \mathcal {SC}_{\ell }: \mathbf {{A}}= \left( {\begin{matrix} s &{} 0 &{} \ldots &{} 0 &{} 0 \\ 1 &{} s &{} \ldots &{} 0 &{} 0 \\ 0 &{} 1 &{} &{} 0 &{} 0 \\ \tiny {\vdots } &{} &{} \tiny {\ddots } &{} \tiny {\ddots } &{} &{} \\ 0 &{} 0 &{} \ldots &{} 1 &{} s \\ 0 &{} 0 &{} \ldots &{} 0 &{} 1 \end{matrix}} \right) , \, \mathcal {L}_{\ell }:\mathbf {{A}}= \left( {\begin{matrix} s_1 &{} 0 &{} 0 &{} \ldots &{} 0 \\ 0 &{} s_2 &{} 0 &{} \ldots &{} 0\\ \tiny {\vdots } &{} \tiny {\vdots } &{} \tiny {\ddots } &{} &{} \tiny {\vdots } \\ 0 &{} 0 &{} 0 &{} \ldots &{} s_{\ell }\\ 1 &{} 1 &{} 1 &{} \ldots &{} 1 \end{matrix}} \right) , \, \mathcal {U}_{\ell }: \mathbf {{A}}\leftarrow \mathbb {Z} _p^{(\ell +1) \times \ell }, $$

where \(s,s_i \leftarrow \mathbb {Z} _p\). The \(\mathcal {SC}_{\ell }\) assumption, introduced in [11], is the \(\ell \) -symmetric cascade assumption (\(\ell \)-\(\mathsf {SCasc} \)). The \(\mathcal {L}_{\ell }\) assumption is actually the well-known \(\ell \) -linear assumption (\(\ell \text{- }\mathsf {Lin}\), [6]) in matrix language (DDH equals \(1\text{- }\mathsf {Lin}\)), and the \(\mathcal {U}_{\ell }\) assumption is the \(\ell \) -uniform assumption. Moreover, \(\ell \)-\(\mathsf {SCasc} \), \(\ell \text{- }\mathsf {Lin}\), and the \(\ell \)-uniform assumption hold in the generic group model [32] relative to a k-linear group generator if \(k \le \ell \) [11].

The circulant matrix assumption

$$ \mathcal {C}_{\ell +d,\ell }:\mathbf {{A}}= \left( {\begin{matrix} s_1 &{} &{} &{} 0 \\ \tiny {\vdots } &{} s_1 &{} &{} \\ s_d &{} \tiny {\vdots } &{} \tiny {\ddots } &{} \\ 1 &{} s_d &{} &{} s_1 \\ &{} 1 &{} \tiny {\ddots } &{} \tiny {\vdots }\\ &{} &{} \tiny {\ddots } &{} s_d\\ 0 &{} &{} &{} 1 \end{matrix}} \right) , $$

has very recently been proposed in [24] as a \(\mathcal {D} _{n,\ell }\)-MDDH assumption with optimal representation size among all assumptions with \(n > \ell +1\). This assumption has been shown to hold in the \(\ell \)-linear generic group model [24]. More generally, we can also define the \(\mathcal {U}_{n,\ell }\) assumption for arbitrary \(n>\ell \). Note that the \(\mathcal {U}_{n,\ell }\) assumption is the weakest MDDH assumption (with the worst representation size) and implied by any other \(\mathcal {D}_{n,\ell }\) assumption [11]. In particular \(\ell \text{- }\mathsf {Lin}\) implies the \(\ell \)-uniform assumption as shown by Freeman [13].

Bilinear Decisional Diffie-Hellman. We will make use of the bilinear decisional Diffie-Hellman (BDDH) assumption for our construction with linear-size public keys.

Definition 3

Let \(\mathcal {MG}_{2}:=(2,G_1, G_{2}, G_{3}, g_1, g_{2}, e, p) \leftarrow \mathcal {G}_2(1^\lambda )\), where \(\mathcal {G}_2\) is a symmetric bilinear group generator (i.e., \(G_1 = G_2\) and \(g_1 = g_2\)), and let \(a,b,c \leftarrow \mathbb {Z} _p\), \(b \leftarrow \{0,1\}\), \(T_0 := abc\) and \(T_1 \leftarrow \mathbb {Z} _p\). We say that the bilinear decisional Diffie-Hellman (BDDH) assumption holds relative to \(\mathcal {G}_2\), if

$$ \mathsf {Adv}^{\mathsf {bddh}}_{B,\mathcal {G}_2} (1^\lambda ) := \ \ \left| \begin{array}{ll} &{}\Pr \left[ 1 \leftarrow B (1^\lambda ,\mathcal {MG}_{2},[(a,b,c)]_1,[T_0]_3) \right] \\ - &{}\Pr \left[ 1 \leftarrow B (1^\lambda ,\mathcal {MG}_{2},[(a,b,c)]_1,[T_1]_3) \right] \end{array} \right| $$

is a negligible function for all PPT adversaries \(B\).

2.2 Selective-Opening Secure Encryption

Public-Key Encryption. A public-key encryption (PKE) scheme \(\mathsf {PKE}\) with message space \(\mathcal {M}\) consists of three PPT algorithms \(\mathsf {Gen},\mathsf {Enc},\mathsf {Dec} \). The key generation algorithm \(\mathsf {Gen} (1^\lambda )\) outputs a public key \( pk \) and a secret key \( sk \). Encryption algorithm \(\mathsf {Enc} ( pk ,m)\) takes \( pk \) and a message \(m \in \mathcal {M} \), and outputs a ciphertext \(c\). Decryption algorithm \(\mathsf {Dec} ( sk ,c)\) takes \( sk \) and a ciphertext \(c\), and outputs a message \(m\). For correctness, we want \(\mathsf {Dec} ( sk ,\mathsf {Enc} ( pk ,m))=m \) for all \(m \in \mathcal {M} \) and all \(( pk , sk )\leftarrow \mathsf {Gen} (1^\lambda )\).

Simulation-Based Selective Opening Security. We use the definition of SO-security against chosen-plaintext attacks of Fehr et al. [12], which refines the definition of [2, 4] (by letting the adversary choose the message distribution).

Fig. 1.
figure 1

SIM-SO-CPA security experiments.

Definition 4 (Simulation-based security against selective opening attacks)

For a PKE scheme \(\mathsf {PKE} =(\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\), a polynomially bounded function \(n=n(\lambda )>0\), a function \(\mathcal {T}\) and a stateful PPT adversary \(A\), consider the experiments in Fig. 1. We call \(\mathsf {PKE}\) SIM-SO-CPA secure if for any PPT adversary \(A\) and PPT function \(\mathcal {T}\) there is a stateful PPT simulator \( S \) such that

$$ \mathsf {Adv}^{\mathsf {sim\text {-}so\text {-}cpa}}_{\mathsf {PKE},A}(\lambda ) := \left| \Pr \left[ {\mathsf {Exp}^{\mathsf {sim\text {-}so\text {-}cpa\text {-}real}}_{\mathsf {PKE},A,\mathcal {T},n}(\lambda )=1}\right] - \Pr \left[ {\mathsf {Exp}^{\mathsf {sim\text {-}so\text {-}cpa\text {-}ideal}}_{\mathsf {PKE}, S ,\mathcal {T},n}(\lambda )=1}\right] \right| $$

is negligible. As usual, we require that the distribution \(\mathfrak {D}_\mathsf {so} \) that \(A\) outputs is encoded as a circuit. Since \(A\) is PPT, this enforces efficient samplability of \(\mathfrak {D}_\mathsf {so} \).

2.3 Selective Opening Security from Lossy Encryption

In [2, 4], Bellare et al. show that any lossy encryption scheme where ciphertexts can be efficiently opened to arbitrary messages is indeed SIM-SO-CPA secure. The following definition essentially repeats the definition of lossy encryption with efficient opening from [4] with one small change: the \(\mathsf {Opener} \) algorithm may receive an additional input, the random coins used to generate the ciphertext (that should now be opened to a different message). We call a scheme satisfying this definition, a lossy encryption scheme with efficient weak opening.

Definition 5 (Lossy encryption with efficient weak opening)

A lossy encryption scheme with efficient weak opening and message space \(\mathcal {M} \) is a tuple of PPT algorithms \(\mathsf {LPKE} = (\mathsf {Gen}, \mathsf {LGen}, \mathsf {Enc}, \mathsf {Dec})\) such that

  • \(\mathsf {Gen} (1^\lambda )\) takes as input the security parameter \(1^\lambda \) and outputs a keypair \(( pk , sk )\). We call \( pk \) a real or injective public key.

  • \(\mathsf {LGen} (1^\lambda )\) takes as input the security parameter \(1^\lambda \) and outputs a keypair \(( pk , sk )\). We call \( pk \) a lossy public key.

  • \(\mathsf {Enc} ( pk ,m)\) takes as input a (real or lossy) public key \( pk \) and a message \(m \in \mathcal {M} \) and outputs a ciphertext \(c \)

  • \(\mathsf {Dec} ( sk ,c)\) takes as input a secret key \( sk \) and a ciphertext \(c \) and outputs either a message \(m \in \mathcal {M} \) or \(\bot \) in case of a failure.

Additionally, \(\mathsf {LPKE} \) needs to satisfy the following properties:

  1. 1.

    Correctness for real keys: For all \(\lambda \in \mathbb {N} \), \(( pk , sk ) \leftarrow \mathsf {Gen} (1^\lambda )\), messages \(m \in \mathcal {M} \), and ciphertexts \(c \leftarrow \mathsf {Enc} ( pk ,m)\), it always holds that \(m \leftarrow \mathsf {Dec} ( sk ,c)\).

  2. 2.

    Indistinguishability of real keys from lossy keys: For any PPT algorithm \(D \) it holds that the advantage

    $$ \begin{array}{lll} \mathsf {Adv}^{\mathsf {ind}\text {-}\mathsf {lossy}\text {-}\mathsf {key}}_{\mathsf {LPKE},D} (\lambda ) &{}:=&{} \left| \begin{array}{ll} &{} {{\mathrm{\Pr }}}[1 \leftarrow D (1^\lambda , pk )\ |\ ( pk , sk ) \leftarrow \mathsf {Gen} (1^\lambda )]\\ -&{} {{\mathrm{\Pr }}}[1 \leftarrow D (1^\lambda , pk )\ |\ ( pk , sk ) \leftarrow \mathsf {LGen} (1^\lambda )]\\ \end{array} \right| \end{array} $$

    is negligible in \(\lambda \).

  3. 3.

    Lossiness of encryption with lossy keys: Let \(\lambda \in \mathbb {N} \). For any \(( pk , sk ) \leftarrow \mathsf {LGen} (1^\lambda )\) and distinct messages \(m _0 \ne m _1 \in \mathcal {M} \), holds that

    $$( sk ,\mathsf {Enc} ( pk ,m _0)) \approx _s ( sk ,\mathsf {Enc} ( pk ,m _1))$$
  4. 4.

    Efficient weak openability: Let \(\mathcal {R} _\mathsf {Enc} \) denote the space of random coins for encryption. There exists a PPT algorithm \(\mathsf {Opener} \) such that for any two messages \(m _0, m _1 \in \mathcal {M} \), the probability that \(\mathsf {Opener} \) on input of a lossy public and secret key \(( pk , sk ) \leftarrow \mathsf {LGen} (1^\lambda )\), a ciphertext \(c \leftarrow \mathsf {Enc} ( pk , m _0; r')\), where \(r' \leftarrow \mathcal {R} _\mathsf {Enc} \), the corresponding random coins \(r'\), and a message \(m _1\), outputs uniform random coins r from \(\{r \in \mathcal {R} _\mathsf {Enc}\ |\ \mathsf {Enc} ( pk , m _1; r) = c \}\) is overwhelming.

Despite our small changes with respect to the definition of lossy encryption and SIM-SO-CPA compared to the definitions in [4], the following theorem still follows from the corresponding proof in [4]: It does not matter for the proof if the message distribution is some arbitrary but fixed distribution (where we quantify over all efficiently samplable distributions) or if it is the output of the adversary after seeing the (lossy) public key. Moreover, the simulator which uses the \(\mathsf {Opener} \) algorithm knows the encryption randomness of the (dummy) ciphertexts (that should be opened differently) as it has generated these ciphertexts itself.Footnote 5

Theorem 1

([2, 4]). If \(\mathsf {LPKE} \) is a lossy encryption scheme with efficient weak opening then \(\mathsf {LPKE} \) is SIM-SO-CPA secure.

3 Lossy Encryption from Matrix Rank Assumptions

First, we would like to stress that although we use k-linear group generators \(\mathcal {G}_k\) in the following definitions and constructions for generality, the existence of k-linear maps for \(k>2\) is not required to instantiate our constructions. For the instantiations based on MDDH assumptions (Sect. 4), an ordinary group generator \(\mathcal {G}_1\) or bilinear group generator \(\mathcal {G}_2\) can be assumed (where the pairing is not used for encryption). For the instantiation based on the BDDH assumption (Sect. 5), a bilinear group generator \(\mathcal {G}_2\) is required where the pairing is needed in the encryption routine. Hence, for the remainder of this paper, it might be best to have \(k=1\) or \(k=2\) in mind.

In the following, we show how to build efficient lossy encryption with efficient weak opening for multiple bits from rank problems. Roughly speaking, this problem asks to distinguish a \(n \times n\) matrix of rank \(\ell < n\) chosen according to some (not necessarily uniform) distribution from a matrix of full rank n chosen according to some (not necessarily uniform) distribution, where both matrices are given in implicit representation. The following definition captures rank assumptions and additionally allows the considered matrices to be given in some “compressed form” (which, e.g., can be decompressed efficiently using a pairing).

Definition 6

Let \(\mathcal {MG}_{k}:=(k,G_1,\ldots ,G_{k+1},g_1, \ldots , g_{k},e,p)\leftarrow \mathcal {G}_k(1^\lambda )\) be a k-linear group generator. A \((n, \ell )\)-indistinguishable matrix constructor \(\mathsf {MCon} \) for \(G_i\), where \(1 \le i \le k+1\), is a tuple \(\mathsf {MCon} = (\mathsf {SetupNFR}, \mathsf {SetupFR}, \mathsf {Constr})\) of PPT algorithms with the following properties.  

Setup of non-full rank matrix description. :

\(\mathsf {SetupNFR} (\mathcal {MG}_{k})\) returns a matrix \(\mathbf {{A}}\in \mathbb {Z} _p^{n \times n}\) of rank \(\ell \), where we assume that \(\mathbf {{A}}\)’s first \(\ell \) rows are linearly independent, as well as a (compact) description \( mat \in \{0,1\}^*\) of the implicit representation \([\mathbf {{A}}]_i\) of \(\mathbf {{A}}\).

Setup of full rank matrix description. :

\(\mathsf {SetupFR} (\mathcal {MG}_{k})\) returns a matrix \(\mathbf {{A}}\in \mathbb {Z} _p^{n \times n}\) of rank n as well as a (compact) description \( mat \in \{0,1\}^*\) of the implicit representation \([\mathbf {{A}}]_i\) of \(\mathbf {{A}}\).Footnote 6

Reconstruction of matrix from matrix description. :

\(\mathsf {Constr} (\mathcal {MG}_{k}, mat )\) returns \([\mathbf {{A}}]_i \in G_i^{n \times n}\) on input of a matrix description \( mat \).

Correctness. :

\(\mathsf {MCon} \) is called correct relative to \(\mathcal {G}_k\) if for all \(\lambda \in \mathbb {N} \), \(\mathcal {MG}_{k}:=\) \((k,G_1,\ldots ,G_{k+1},\) \(g_1, \ldots , g_{k},e,p) \leftarrow \mathcal {G}_k(1^\lambda )\), and \((\mathbf {{A}}, mat _{\mathbf {{A}}}) \leftarrow \mathsf {SetupNFR} \) \((\mathcal {MG}_{k})\), \((\mathbf {{B}}, mat _{\mathbf {{B}}}) \leftarrow \mathsf {SetupFR} (\mathcal {MG}_{k})\), the matrices \(\mathbf {{A}}\) and \(\mathbf {{B}}\) are of rank \(\ell \) and of rank n with probability 1, respectively, and \([\mathbf {{A}}]_i \leftarrow \mathsf {Constr} (\mathcal {MG}_{k}, mat _{\mathbf {{A}}})\) and \([\mathbf {{B}}]_i \leftarrow \mathsf {Constr} (\mathcal {MG}_{k}, mat _{\mathbf {{B}}})\).

Security. :

\(\mathsf {MCon} \) is called secure relative to \(\mathcal {G}_k\), if for all PPT algorithms \(A \) and for \(\mathcal {MG}_{k} \leftarrow \mathcal {G}_k(1^\lambda )\), \((\mathbf {{A}}, mat ) \leftarrow \mathsf {SetupNFR} (\mathcal {MG}_{k})\), and \((\mathbf {{A}}', mat ') \leftarrow \mathsf {SetupFR} (\mathcal {MG}_{k})\) holds that the advantage

$$\begin{aligned} \begin{array}{lll} \mathsf {Adv}^{\mathsf {ind\text {-}matrix\text {-}rank}}_{\mathsf {MCon},A}(1^\lambda )&:= \left| {{\mathrm{\Pr }}}[1 \leftarrow A (1^\lambda ,\mathcal {MG}_{k}, mat )] - {{\mathrm{\Pr }}}[1 \leftarrow A (1^\lambda ,\mathcal {MG}_{k}, mat ')] \right| \end{array} \end{aligned}$$

is negligible in \(\lambda \).


Construction of the LPKE scheme with efficient weak opening. Apart from an \((n, \ell )\)-indistinguishable matrix constructor for \(G_i\), we additionally need a hash function \(H: G_i \rightarrow \{0,1\}\) such that H(a), for uniformly random \(a \leftarrow G_i\), is statistically indistinguishable from the uniform distribution on \(\{0,1\}\). By writing \(H(\vec {b})\), where \(\vec {b}\) is a vector of group elements from \(G_i\), we refer to the component-wise application of the hash function, which results in a (bit-)vector of hash values of the same length as \(\vec {b}\).

Based on these ingredients, we can define a lossy encryption scheme with efficient weak opening \(\mathsf {LPKE} = (\mathsf {Gen}, \mathsf {LGen}, \mathsf {Enc}, \mathsf {Dec})\) with message space \(\{0,1\}^{n-\ell }\) and ciphertexts consisting of \(\ell \) group elements and \(n-\ell \) bits. Note that the parameter \(\ell \) reflects the strength of the assumption we are willing to make, the smaller \(\ell \), the stronger the underlying assumption. For instance, the assumption that random rank \(\ell \) matrices are indistinguishable from random full rank matrices is implied by the assumption that random rank \(\ell -1\) matrices are indistinguishable from random full rank matrices. (Furthermore, rank \(\ell \) vs. n indistinguishability is implied by the \(\ell \)-linear assumption.) Hence, to make ciphertexts as compact as possible, one would choose \(\ell = 1\) and could, e.g., base security on the 1-linear assumption which equals DDH.

The idea underlying encryption (with a real key) in our construction is as follows: a message bit is encrypted using the hash of a randomized linear dependent row vector of \(\mathbf {{A}}\) given in implicit representation. Additionally, the linear independent row vectors of \(\mathbf {{A}}\) are randomized the same way and given in implicit representation as part of the ciphertext. Decryption then boils down to recomputing the (implicit representation of the) linear dependent vector from the (implicit representations of the) linear independent vectors. As all row vectors are randomized the same way (which is a linear operation), the dependencies are not changed by the randomization. The details of \(\mathsf {LPKE} \) are given below.

  • \(\mathsf {Gen} (1^\lambda )\) runs the group generator \(\mathcal {MG}_{k}:=(k,G_1,\ldots ,G_{k+1},g_1, \ldots , g_{k},e,p)\leftarrow \mathcal {G}_k(1^\lambda )\) as well as \((\mathbf {{A}}, mat ) \leftarrow \mathsf {SetupNFR} (\mathcal {MG}_{k})\) to choose a matrix of rank \(\ell \). Let \(\mathbf {{A}}_0\) denote the first \(\ell \) rows of \(\mathbf {{A}}\) and \(\mathbf {{A}}_1\) the remaining \(n - \ell \) rows. Then it computes a matrix \(\mathbf {{T}} \in \mathbb {Z} _p^{(n-\ell ) \times \ell }\) satisfying

    $$\begin{aligned} \mathbf {{T}} \mathbf {{A}}_0 = \mathbf {{A}}_1 \end{aligned}$$

    As the rows of \(\mathbf {{A}}_1\) linearly depend on the rows of \(\mathbf {{A}}_0\), \(\mathbf {{T}}\) always exists and can be computed efficiently (e.g., using Gaussian Elimination). The algorithm returns \( pk := (\mathcal {MG}_{k}, mat )\) and \( sk := (\mathcal {MG}_{k}, \mathbf {{T}})\).

  • \(\mathsf {LGen} (1^\lambda )\) runs the group generator \(\mathcal {MG}_{k}:=(k,G_1,\ldots ,G_{k+1},g_1, \ldots ,\) \( g_{k},e,p)\leftarrow \mathcal {G}_k(1^\lambda )\) as well as \((\mathbf {{A}}, mat ) \leftarrow \mathsf {SetupFR} (\mathcal {MG}_{k})\) to choose a matrix of rank n. The algorithm returns \( pk := (\mathcal {MG}_{k}, mat )\) and \( sk := (\mathcal {MG}_{k}, \mathbf {{A}})\).

  • \(\mathsf {Enc} ( pk ,\vec {m})\) reconstructs the matrix \([\mathbf {{A}}]_i \leftarrow \mathsf {Constr} (\mathcal {MG}_{k}, mat )\). Let \([\mathbf {{A}}_0]_i\) denote the first \(\ell \) rows of \([\mathbf {{A}}]_i\) and \([\mathbf {{A}}_1]_i\) the remaining \(n - \ell \) rows. Then it chooses \(\vec {w} \leftarrow \mathbb {Z} _p^{n}\), computes

    $$\begin{aligned} \begin{array}{lll} [\vec {c} _0]_i &{}:=&{} [\mathbf {{A}}_0 \vec {w}]_i\\ \vec {c} _1 &{}:=&{} H([\mathbf {{A}}_1 \vec {w}]_i) \oplus \vec {m} \end{array} \end{aligned}$$

    (using exponentiations with the entries of \(\vec {w}\)), and returns ciphertext \(c:= ([\vec {c} _0]_i, \vec {c} _1) \in G_i^\ell \times \{0,1\}^{n-\ell }\).

  • \(\mathsf {Dec} ( sk ,c)\) recomputes \(\vec {m} \) as \(\vec {m}:= H([\mathbf {{T}}\vec {c} _0]_i) \oplus \vec {c} _1\).

We show that \(\mathsf {LPKE} \) indeed satisfies the four properties of a lossy encryption scheme with efficient weak opening.

Theorem 2

If \(\mathsf {MCon} \) is secure and the output of H statistically indistinguishable from uniform for random input then \(\mathsf {LPKE} \) is a lossy encryption scheme with efficient weak opening.


Correctness for real keys. Given a real public key \( pk := (\mathcal {MG}_{k}, mat )\) and secret key \( sk := (\mathcal {MG}_{k}, \mathbf {{T}})\) returned by \(\mathsf {Gen} (1^\lambda )\) as well as a ciphertext \(c:= ([\vec {c} _0]_i, \vec {c} _1)\), correctness of decryption follows from the equation

$$\begin{aligned} \begin{array}{lll} H([\mathbf {{T}}\vec {c} _0]_i) \oplus \vec {c} _1 &{}=&{} H([\mathbf {{T}}\vec {c} _0]_i) \oplus H([\mathbf {{A}}_1 \vec {w}]_i) \oplus \vec {m} \\ &{}=&{} H([\mathbf {{T}} \mathbf {{A}}_0 \vec {w}]_i) \oplus H([\mathbf {{A}}_1 \vec {w}]_i) \oplus \vec {m} \\ &{}=&{} H([\mathbf {{A}}_1 \vec {w}]_i) \oplus H([\mathbf {{A}}_1 \vec {w}]_i) \oplus \vec {m} \\ \end{array} \end{aligned}$$

Indistinguishability of real keys from lossy keys. It follows from the security of \(\mathsf {MCon} \) that a real public key \((\mathcal {MG}_{k}, mat )\) generated by \(\mathsf {Gen} (1^\lambda )\) is indistinguishable from a lossy one \((\mathcal {MG}_{k}, mat ')\) generated by \(\mathsf {LGen} (1^\lambda )\).

Lossiness of encryption with lossy keys. Consider the matrix \([\mathbf {{A}}]_i \leftarrow \mathsf {Constr} (\mathcal {MG}_{k}, mat )\), where \( mat \) is computed by \(\mathsf {LGen} (1^\lambda )\). This matrix has full rank, so the linear map defined by \(\mathbf {{A}}\) as \(\vec w \mapsto \mathbf {{A}}\vec w\) is bijective. Thus, for uniformly random \(\vec w\), \([\vec {c} _0]_i=[\mathbf {{A}}_0 \vec {w}]_i\) is uniformly random over \(G_i^\ell \) and \([\mathbf {{A}}_1 \vec {w}]_i\) is uniformly random over \(G_i^{n-\ell }\) (even when \(\mathbf {{A}}\) is given).

Now, since by assumption the output of H is statistically close to uniform for uniformly random input, \(H([\mathbf {{A}}_1 \vec {w}]_i)\oplus \vec {m} \) will also be statistically close to uniform over \(\{0,1\}^{n-\ell }\) for any string \(\vec m\).

Hence, for uniformly random \(\vec w \leftarrow \mathbb {Z} _p^n\), the distributions of

$$ (\mathbf {{A}},([\mathbf {{A}}_0 \vec {w}]_i,H([\mathbf {{A}}_1 \vec {w}]_i)\oplus \vec {m})) \qquad \text {and}\qquad (\mathbf {{A}},([\mathbf {{A}}_0 \vec {w}]_i,H([\mathbf {{A}}_1 \vec {w}]_i)\oplus \vec {m} ')) $$

are statistically close for any two distinct message vectors \(\vec {m} \ne \vec {m} ' \in \{0,1\}^{n-\ell }\).

Efficient weak openability. Let a lossy keypair \(( pk =(\mathcal {MG}_{k}, mat ), sk =(\mathcal {MG}_{k}, \mathbf {{A}})) \leftarrow \mathsf {LGen} (1^\lambda )\), message vector \(\vec {m} \), a ciphertext \(c:=([\vec {c} _0]_i,\vec {c} _1) \leftarrow \mathsf {Enc} ( pk , \vec {m} '; \vec {w}')\), as well as the corresponding encryption randomness \(\vec {w}'\) be given. Then \(\mathsf {Opener} \) should efficiently determine some encryption randomness \(\vec {w}\) such that \(\mathsf {Enc} ( pk , \vec {m}; \vec {w}) = ([\vec {c} _0]_i,\vec {c} _1)\). This can be done by setting up a linear system of equations in the exponent

$$\begin{aligned} \mathbf {{A}} \vec {w} = \vec {b}, \end{aligned}$$

where the right-hand side vector


satisfies \(\vec {b}_0 = \vec {c} _0\) and \(H([\vec {b}_1]_i) \oplus \vec {c} _1 = \vec {m} \).

First, \(\mathsf {Opener} \) can easily determine \(\vec {b}_0:=\vec {c} _0 \in \mathbb {Z} _p^\ell \), i.e., the discrete logarithms of \([\vec {c} _0]_i\) to the base \(g_i\), by computing \(\mathbf {{A}} \vec {w}'\). Second, it can efficiently find a vector \(\vec {b}_1 \in \mathbb {Z} _p^{n-\ell }\) satisfying \(H([\vec {b}_1]_i) \oplus \vec {c} _1 = \vec {m} \) by randomly guessing one component of \(\vec {b}_1\) after another and verifying the equation for this component. As the output of H is close to uniform for random input, this will require about \(2 (n-\ell )\) steps. After that, \(\mathsf {Opener} \) can solve the system of linear equations from Eq. 7 by multiplying with the inverse of \(\mathbf {{A}}\) as this matrix is of full rank.

It is not hard to see that the determined randomness \(\vec {w}\) has the correct distribution, i.e., \(\vec {w}\) is uniformly chosen from

$$\begin{aligned} \mathsf {Coins} (\vec {m},c) := \{\vec {w} \in \mathbb {Z} _p^{n}\ |\ \mathsf {Enc} ( pk , \vec {m}; \vec {w}) = c \} \end{aligned}$$

Note that each \(\vec {w} \in \mathsf {Coins} (\vec {m},c)\) uniquely determines a right-hand side \(\vec {b}\) in (7), i.e., a vector from


Hence, to uniformly sample \(\vec {w}\) from \(\mathsf {Coins} (\vec {m},c)\) it suffices to uniformly sample \(\vec {b}\) from \(\mathsf {KENCs} (\vec {m},c)\) and invert the bijective mapping by computing \(\mathbf {{A}}^{-1} \vec {b}\). This is exactly what \(\mathsf {Opener} \) does.

4 From MDDH Assumptions to Matrix Rank Assumptions

We have seen in Sect. 3 that in order to build an \((n-\ell )\)-bit LPKE scheme with efficient weak opening, it suffices to define a secure \((n, \ell )\)-indistinguishable matrix constructor. In the following, we first show that such a constructor is generically given by any \(\mathcal {D} _{n,\ell }\)-MDDH assumption (including DDH, \(\ell \)-Lin, \(\ell \)-SCasc, \((n,\ell )\)-circulant matrix assumption, etc.). Then, we consider the size of the public key when using different members of MDDH assumption family.

Generic construction from MDDH assumptions. Let \(\mathcal {G}_k\) be a k-linear group generator and \(\mathcal {MG}_{k}:=(k,G_1,\ldots ,G_{k+1},g_1, \ldots , g_{k},e,p)\leftarrow \mathcal {G}_k(1^\lambda )\). Furthermore, let \(\mathcal {D} _{n,\ell }\) be a matrix distribution over \(\mathbb {Z} _p^{n\times \ell }\), where \(n>\ell \). We assume that the first \(\ell \) rows of an output of \(\mathcal {D} _{n,\ell }\) forms a regular matrix with overwhelming probability. A \((n, \ell )\)-indistinguishable matrix constructor \(\mathsf {MCon} _{\mathcal {D} _{n,\ell }\text {-}\mathsf {MDDH}}\) for \(G_i\) can then be defined based on \(\mathcal {D} _{n,\ell }\)-MDDH as follows:

  • \(\mathsf {SetupNFR} (\mathcal {MG}_{k})\) samples a matrix \(\mathbf {{A}}' \leftarrow \mathcal {D} _{n,\ell }\) of rank \(\ell \) according to the given matrix distribution. If \(\mathbf {{A}}'\) is not of rank \(\ell \) the sampling is repeated. (Note that since \(\mathcal {D} _{n,\ell }\) outputs full rank matrices with overwhelming probability this case should virtually never happen.) Furthermore, a random matrix \(\mathbf {{R}} \leftarrow \mathbb {Z} _p^{\ell \times (n-\ell )}\) is sampled. Then it computes \(\mathbf {{A}} := \mathbf {{A}}' (\mathbf {{I}}_\ell ||\mathbf {{R}}) = (\mathbf {{A}}'||\mathbf {{A}}'\mathbf {{R}})\), where \(\mathbf {{I}}_\ell \) is the \(\ell \times \ell \) identity matrix, and returns \((\mathbf {{A}}, [\mathbf {{A}}]_i)\).

  • \(\mathsf {SetupFR} (\mathcal {MG}_{k})\) samples a matrix \(\mathbf {{A}}' \leftarrow \mathcal {D} _{n,\ell }\) of rank \(\ell \) (if the rank of \(\mathbf {{A}}'\) is smaller sampling is repeated). After that, random matrices \(\mathbf {{U}} \leftarrow \mathbb {Z} _p^{n \times (n-\ell )}\) are sampled until \(\mathbf {{A}}:=(\mathbf {{A}}'||\mathbf {{U}})\) is of full rank n. (Note that \(\mathbf {{A}}\) will be of rank n with overwhelming probability of at least \(1-\frac{n-\ell }{p^{n-\ell }}\) for uniform \(\mathbf {{U}}\).) It then returns \((\mathbf {{A}}, [\mathbf {{A}}]_i)\).

  • \(\mathsf {Constr} (\mathcal {MG}_{k}, mat )\) returns \( mat \) (as the matrix is not compressed).

Remark 2

Consider the matrix \(\mathbf {{A}}' \leftarrow \mathcal {D} _{n,\ell }\) generated during \(\mathsf {SetupNFR} (\mathcal {MG}_{k})\). Let \(\mathbf {{A}}_0'\) denote the first \(\ell \) rows of \(\mathbf {{A}}'\) and \(\mathbf {{A}}_1'\) the last \(n-\ell \) rows of \(\mathbf {{A}}'\). Then the transformation matrix \(\mathbf {{T}}\) from Eq. 4, which is used as the secret key, can be set to \(\mathbf {{T}} := \mathbf {{A}}_1' (\mathbf {{A}}_0')^{-1}\). Correctness follows from

$$\begin{aligned} \begin{array}{lll} \mathbf {{T}} \mathbf {{A}}_0 &{}=&{} \mathbf {{A}}_1' (\mathbf {{A}}_0')^{-1} \mathbf {{A}}_0\\ &{}=&{} \mathbf {{A}}_1' (\mathbf {{A}}_0')^{-1} \mathbf {{A}}_0' (\mathbf {{I}}_\ell ||\mathbf {{R}})\\ &{}=&{} \mathbf {{A}}_1' (\mathbf {{I}}_\ell ||\mathbf {{R}})\\ &{}=&{} \mathbf {{A}}_1\\ \end{array} \end{aligned}$$

Correctness. Consider \((\mathbf {{A}}, mat _{\mathbf {{A}}}) \leftarrow \mathsf {SetupNFR} (\mathcal {MG}_{k})\) and \((\mathbf {{B}}, mat _{\mathbf {{B}}}) \leftarrow \mathsf {SetupFR} (\mathcal {MG}_{k})\). Obviously, \(\mathbf {{A}}= (\mathbf {{A}}'||\mathbf {{A}}'\mathbf {{R}})\) will be of rank \(\ell \) as this is the case for \(\mathbf {{A}}'\). Similarly, \(\mathbf {{B}}:=(\mathbf {{B}}'||\mathbf {{U}})\) will be of rank n by construction. Furthermore, clearly, it holds that \([\mathbf {{A}}]_i \leftarrow \mathsf {Constr} (\mathcal {MG}_{k}, mat _{\mathbf {{A}}})\) and \([\mathbf {{B}}]_i \leftarrow \mathsf {Constr} (\mathcal {MG}_{k}, mat _{\mathbf {{B}}})\).

Security. As for security we show

Lemma 1

If the \(\mathcal {D} _{n,\ell }\)-MDDH assumption holds relative to \(\mathcal {G}_k\), then the scheme \(\mathsf {MCon} _{\mathcal {D} _{n,\ell }\text {-}\mathsf {MDDH}}\) is secure.


First note that the distribution of \(\mathbf {{A}}\) returned by \(\mathsf {SetupNFR} \) and the distribution of \(\mathbf {{B}}\) returned by \(\mathsf {SetupFR} \) are statistically indistinguishable from the distribution of \((\mathbf {{A}}'||\mathbf {{A}}'\mathbf {{R}})\) and \((\mathbf {{A}}'||\mathbf {{U}})\), respectively, where \(\mathbf {{A}}' \leftarrow \mathcal {D} _{n,\ell }\), \(\mathbf {{R}} \leftarrow \mathbb {Z} _p^{\ell \times (n-\ell )}\), and \(\mathbf {{U}} \leftarrow \mathbb {Z} _p^{n \times (n-\ell )}\).

Then considering the latter distributions, the lemma immediately follows from the \(\mathcal {D} _{n,\ell }\)-Matrix Diffie-Hellman assumption and its random self-reducibility. More concretely, the \(\mathcal {D} _{n,\ell }\)-MDDH assumption demands that for all PPT adversaries \(D \) holds that

$$ \left| {{\mathrm{\Pr }}}[D (\mathcal {MG}_{k},[\mathbf {{A}}']_i, [\mathbf {{A}}' \vec {r}]_i)=1]-{{\mathrm{\Pr }}}[D (\mathcal {MG}_{k},[\mathbf {{A}}']_i, [\vec {u}]_i) =1] \right| $$

is negligible, where \(\mathcal {MG}_{k} \leftarrow \mathcal {G}_k(1^\lambda )\), \(\mathbf {{A}}' \leftarrow \mathcal {D} _{n,\ell }\), \(\vec {r} \leftarrow \mathbb {Z} _p^\ell \) and \(\vec {u} \leftarrow \mathbb {Z} _p^{n}\). Hence, \([\mathbf {{A}}'||\mathbf {{A}}'\vec {r}]_i\) is computationally indistinguishable from \([\mathbf {{A}}'||\vec {u}]_i\). As any matrix assumption is random self-reducible (Lemma 1 in [11]), it follows that

$$\begin{aligned} \left| {{\mathrm{\Pr }}}[D (\mathcal {MG}_{k},[\mathbf {{A}}']_i, [\mathbf {{A}}' \mathbf {{R}}]_i)=1]-{{\mathrm{\Pr }}}[D (\mathcal {MG}_{k},[\mathbf {{A}}']_i, [\mathbf {{U}}]_i) =1] \right| \end{aligned}$$

is negligible, where \(\mathbf {{R}} \leftarrow \mathbb {Z} _p^{\ell \times (n-\ell )}\) and \(\mathbf {{U}} \leftarrow \mathbb {Z} _p^{n \times (n-\ell )}\). Thus, \([\mathbf {{A}}'||\mathbf {{A}}'\mathbf {{R}}]_i\) is computationally indistinguishable from \([\mathbf {{A}}'||\mathbf {{U}}]_i\).

Concrete instantiations. Let us now consider what we get from different members of the MDDH assumption family.

1-bit LPKE from standard assumptions. From standard assumptions like DDH and \(\ell \)-Lin, we can immediately obtain a one bit lossy encryption scheme by means of the corresponding indistinguishable matrix constructor. More precisely, for \(\ell \)-Lin we would consider the \(\mathcal {L}_{\ell +1, \ell }\) matrix distribution which samples \((\ell +1) \times \ell \) matrices of the form

$$\begin{aligned} \mathbf {{A}}' = \left( {\begin{matrix} s_1 &{} 0 &{} 0 &{} \ldots &{} 0 \\ 0 &{} s_2 &{} 0 &{} \ldots &{} 0\\ \tiny {\vdots } &{} \tiny {\vdots } &{} \tiny {\ddots } &{} &{} \tiny {\vdots } \\ 0 &{} 0 &{} 0 &{} \ldots &{} s_{\ell }\\ 1 &{} 1 &{} 1 &{} \ldots &{} 1 \end{matrix}} \right) \end{aligned}$$

Hence, this results in a public key of the form

$$\begin{aligned}{}[\mathbf {{A}}]_i = \left[ \left( {\begin{matrix} s_1 &{} 0 &{} 0 &{} \ldots &{} 0 &{} s_1 r_1\\ 0 &{} s_2 &{} 0 &{} \ldots &{} 0\\ \tiny {\vdots } &{} \tiny {\vdots } &{} \tiny {\ddots } &{} &{} \tiny {\vdots } &{} \tiny {\vdots } \\ 0 &{} 0 &{} 0 &{} \ldots &{} s_{\ell } &{} s_\ell r_\ell \\ 1 &{} 1 &{} 1 &{} \ldots &{} 1 &{} r_1 + \ldots + r_\ell \end{matrix}} \right) \right] _i, \end{aligned}$$

where \(r_i \leftarrow \mathbb {Z} _p\), which can be represented using \(2(\ell + 1)\) group elements.

Multi-bit LPKE from standard assumptions. Note that the number of bits we can encrypt equals the number of linearly dependent row vectors of \(\mathbf {{A}} \in \mathbb {Z} _p^{n \times n}\), i.e., \(n-\ell \). Thus, if we had a distribution \(\mathcal {D} _{n,\ell }\) that yields matrices with more than one linearly dependent vector, i.e., \(n > \ell +1\), our construction would be able to encrypt more than one bit. Hence, we could obtain a scheme for multiple bits from a standard assumption by finding a \(\mathcal {D} _{n,\ell }\)-MDDH assumption with \(n > \ell +1\) which is implied by this standard assumption. For instance, the \(\ell \)-Lin assumption implies \(\mathcal {U}_{n,\ell }\)-MDDH for arbitrary n, where \(\mathcal {U}_{n,\ell }\) samples uniform \(n \times \ell \) matrices of rank \(\ell \) (this follows from Lemma A.1 in [26]). Hence, from DDH, for example, we can get a scheme for \((n-1)\)-bit messages with arbitrary \(n \in \mathbb {N} \) by means of the uniform distribution \(\mathcal {U}_{n,1}\) which samples a matrix of the form

$$\begin{aligned} \mathbf {{A}}' = \left( {\begin{matrix} s_1 \\ \vdots \\ s_n\\ \end{matrix}} \right) \end{aligned}$$

and, thus, yields a public key of the form

$$\begin{aligned}{}[\mathbf {{A}}]_i = \left[ \left( {\begin{matrix} s_1 &{} s_1 r_1 &{} \ldots &{} s_1 r_{n-1}\\ \vdots &{} &{} &{} \vdots \\ s_n &{} s_n r_1 &{} \ldots &{} s_n r_{n-1}\\ \end{matrix}} \right) \right] _i, \end{aligned}$$

where \(r_i \leftarrow \mathbb {Z} _p\). Note that the resulting scheme is essentially the DDH-based scheme sketched in the introduction (with the minor difference that \(s_n\) is set to 1 instead of being uniformly chosen).

It is interesting to observe that \(\ell \)-Lin is a family of assumptions which (at least in the generic group model) become strictly weaker as \(\ell \) grows and that we can get an LPKE scheme for messages of arbitrary size for each member of this family (by means of \(\mathcal {U}_{n,\ell }\)).

On the downside, if make the detour to the \(\mathcal {U}_{n,\ell }\) distribution (instead of directly building on \(\ell \)-Lin), the public key will consist of \(n^2\) group elements to represent \([\mathbf {{A}}]_i\). Alternatively, we can take a more direct approach and extend a (standard) \(\mathcal {D} _{\ell +1,\ell }\)-MDDH assumption (like \(\ell \)-Lin) to the \(\mathcal {D} _{n,\ell }\)-MDDH assumption, where the first \(\ell +1\) rows of \(\mathbf {{A}}' \leftarrow \mathcal {D} _{n,\ell }\) are sampled as by \(\mathcal {D} _{\ell +1,\ell }\) and the remaining \(n-\ell -1\) are sampled uniformly. In this case, \(\mathcal {D} _{n,\ell }\)-MDDH is implied by \(\mathcal {D} _{\ell +1,\ell }\)-MDDH [24]. The representation of \([\mathbf {{A}}]_i\) will consist of \(E + (n-\ell -1)\ell + n (n-\ell )\) group elements to encrypt \(n-\ell \) bits, where E is the number of elements required to represent a matrix sampled by the \(\mathcal {D} _{\ell +1,\ell }\) distribution (e.g., 1 for \(\ell \)-SCasc).

Multi-bit LPKE from a new \(\mathcal {D} _{n,\ell }\) -MDDH assumption. A \(\mathcal {D} _{n,\ell }\)-MDDH for \(n>\ell +1\) with an optimal representation size has recently been proposed in [24]. The circulant matrix distribution \(\mathcal {C}_{\ell +d,\ell }\) outputs matrices \(\mathbf {{A}}' \in \mathbb {Z} _p^{(\ell +d) \times \ell }\) which can be represented using d group elements. The assumption has been shown to hold in the \(\ell \)-linear generic group model [24]. Plugging this distribution into our scheme, we obtain a public key consisting of \(d+(\ell +d)d\) group elements (representing \([\mathbf {{A}}]_i\)) to encrypt d bits.

5 From the BDDH Assumption to a Compact Matrix Rank Assumption

In this section, we show how to leverage the lossy trapdoor function construction of Boyen and Waters [7] to obtain a (n, 1)-indistinguishable matrix constructor \(\mathsf {MCon} _{\mathsf {BDDH}}\) with a linear-size matrix description \( mat \). This translates to an \((n-1)\)-bit lossy encryption scheme featuring a linear public key size. (Note that the size of the secret key is also linear.)

Essentially, the idea is to generate the quadratic number of group elements in the matrix from a linear number of group elements, by applying a bilinear map. A technical hurdle is to do this in a way such that matrices computed in this way have either rank 1 or full rank, in a computationally indistinguishable way. Here we apply the “linear equations” technique of Boyen and Waters, which enables an algorithm to re-compute the full matrix by applying the bilinear map, except for the diagonal. The diagonal entries of the matrix are given additionally in the matrix description \( mat \), and set-up such that the resulting matrix has either rank 1 or full rank. Interestingly, the lossy trapdoor function of Boyen and Waters corresponds to our injective encryption scheme, and vice versa.

Let \(\mathcal {MG}_{2}:=(2,G_1, G_{2}, G_{3}, g_1, g_{2}, g_3, e, p) \leftarrow \mathcal {G}_2(1^\lambda )\), where \(G_1=G_2\) and \(g_1 = g_2\), be a symmetric bilinear group generator. Then a (n, 1)-indistinguishable matrix constructor \(\mathsf {MCon} _{\mathsf {BDDH}}\) for \(G_1\) can be defined as follows:

  • \(\mathsf {SetupNFR} (\mathcal {MG}_{2})\) samples two uniformly random elements \(h, k \leftarrow \mathbb {Z} _p^*\), and two exponent vectors \(\vec r = (r_1, \ldots ,r_n)^\top \leftarrow (\mathbb {Z} _p^*)^n\) and \(\vec u= (u_1, \ldots ,u_n)^\top \leftarrow (\mathbb {Z} _p^*)^n\). Then it sets \(\mathbf {{A}}:= (a_{i,j}) \in (\mathbb {Z} _p^*)^{n \times n}\) with \(a_{i,j} := h r_i u_j\). Furthermore, it computes

    • \([\vec s]_1 := [(s_1, \ldots , s_n)^\top ]_1 \in G_1^n\) where \(s_i := (hi + k)r_i\)

    • \([\vec v]_1 := [(v_1, \ldots , v_n)^\top ]_1 \in G_1^n\) where \(v_j := (hj + k)u_j\)

    • \([\vec d]_3 := [(d_1, \ldots , d_n)^\top ]_3 \in G_3^n\) where \(d_i := hr_iu_i\)

    and sets \( mat := ([\vec r]_1,[\vec s]_1,[\vec u]_1,[\vec v]_1,[\vec d]_3)\). It returns \((\mathbf {{A}}, mat )\).

  • \(\mathsf {SetupFR} (\mathcal {MG}_{2})\) samples elements \(h, k \leftarrow \mathbb {Z} _p^*\) and vectors \(\vec r, \vec u \leftarrow (\mathbb {Z} _p^*)^n\) the same way as \(\mathsf {SetupNFR} \). It sets \(\mathbf {{A}}:= (a_{i,j}) \in \mathbb {Z} _p^{n \times n}\) with \(a_{i,j} := h r_i u_j\) for \(i \ne j\) and \(a_{i,i} := h r_i u_i + 1\). Accordingly, \([\vec s]_1\) and \([\vec v]_1\) are defined as in \(\mathsf {SetupNFR} \) but \(d_i\) is set to \(d_i := h r_i u_i + 1\). It sets \( mat := ([\vec r]_1,[\vec s]_1,[\vec u]_1,[\vec v]_1,[\vec d]_3)\) and returns \((\mathbf {{A}}, mat )\).

  • \(\mathsf {Constr} (\mathcal {MG}_{2}, mat )\) computes \([\mathbf {{A}}]_3 := ([a_{i,j}]_3)_{i,j}\) for \(1 \le i,j \le n\) as follows:

    • For \(i \ne j\), it uses the pairing to compute

      $$\begin{aligned}{}[a_{i,j}]_3 := e([r_i]_1,[v_j]_1)^{1/(j-i)} e([u_j]_1,[s_i]_1)^{-1/(j-i)} =[(r_i \cdot v_j - u_j \cdot s_i)/(j-i)]_3 \end{aligned}$$
    • For \(i = j\) it sets \([a_{i,i}]_3 := [d_i]_3\)

Remark 3

The transformation matrix \(\mathbf {{T}}\) from Eq. 4 can be set to \(\mathbf {{T}} := (r_2/r_1, \ldots , r_n/r_1)^\top \).

Correctness. Consider \((\mathbf {{A}}, mat _{\mathbf {{A}}}) \leftarrow \mathsf {SetupNFR} (\mathcal {MG}_{2})\) and \((\mathbf {{B}}, mat _{\mathbf {{B}}}) \leftarrow \mathsf {SetupFR} (\mathcal {MG}_{2})\). Let \(\mathbf {{A}}_0\) be the first row of \(\mathbf {{A}}\) and \(\mathbf {{A}}_1\) be the remaining \(n-1\) rows. It is easy to see that \(\mathbf {{T}} \mathbf {{A}}_0 = \mathbf {{A}}_1\), where \(\mathbf {{T}}\) is defined as described above. Moreover, \(\mathbf {{A}}\) cannot be the zero-matrix, because h and all \(r_i\) and \(u_j\) are non-zero. So \(\mathbf {{A}}\) is of rank 1.

Note also that by construction of \(\mathsf {SetupFR} \) we have \(\mathbf {{B}} = \mathbf {{A}}+ \mathbf {{I}}_n\), where \(\mathbf {{A}}\) has rank 1 (as above) and \(\mathbf {{I}}_n\) is the \((n \times n)\)-identity matrix. Thus, since \(\mathbf {{A}}\) has rank 1, \(\mathbf {{B}}\) is row-equivalent to \(\mathbf {{I}}_n\), which is equivalent to \(\mathbf {{B}}\) having full rank.

To see that for \([\mathbf {{A}}']_3 := \mathsf {Constr} (\mathcal {MG}_{2}, mat _{\mathbf {{A}}})\) and \([\mathbf {{B}}']_3 := \mathsf {Constr} (\mathcal {MG}_{2},\) \( mat _{\mathbf {{B}}})\) we have \([\mathbf {{A}}']_3 = [\mathbf {{A}}]_3\) and \([\mathbf {{B}}']_3 = [\mathbf {{B}}]_3\), first observe that the diagonal entries are correct, since \([a_{i,i}']_3 = h r_i u_i\) and \([b_{i,i}']_3 = h r_i u_i + 1\). Moreover, in either case we have for \(i \ne j\) that

$$\begin{aligned} \begin{array}{lll} [a_{i,j}']_3 = [b_{i,j}']_3 &{}=&{} [(r_i v_j - u_j s_i) / (j-i)]_3\\ &{}=&{} [(r_i (hj + k) u_j - u_j (hi + k)r_i) / (j-i)]_3\\ &{}=&{} [(h r_i u_j j + k r_i u_j - h r_i u_j i - k r_i u_j) / (j-i)]_3\\ &{}=&{} [h r_i u_j (j-i) / (j-i)]_3\\ &{}=&{} [h r_i u_j]_3 \end{array} \end{aligned}$$

Security. Following [7], we prove security under the bilinear decisional Diffie-Hellman assumption (cf. Definition 3). However, to simplify the security proof of \(\mathsf {MCon} _{\mathsf {BDDH}}\), we first define the following slightly modified BDDH* assumption, which is implied by the standard BDDH assumption from Definition 3 by a straightforward reduction.

Definition 7

Let \(\mathcal {MG}_{2}:=(2,G_1, G_{2}, G_{3}, g_1, g_{2}, e, p) \leftarrow \mathcal {G}_2(1^\lambda )\), \(a,b,c \leftarrow \mathbb {Z} _p^*\), \(b \leftarrow \{0,1\}\), \(T_0 := abc\) and \(T_1 := abc+1\). We say that the BDDH* assumption holds relative to \(\mathcal {G}_2\), if

$$ \mathsf {Adv}^{\mathsf {bddh*}}_{B,\mathcal {G}_2} (1^\lambda ) := \ \ \left| \begin{array}{ll} &{}\Pr \left[ 1 \leftarrow B (1^\lambda ,\mathcal {MG}_{2},[(a,b,c)]_1,[T_0]_3) \right] \\ - &{}\Pr \left[ 1 \leftarrow B (1^\lambda ,\mathcal {MG}_{2},[(a,b,c)]_1,[T_1]_3) \right] \end{array} \right| $$

is a negligible function for all PPT adversaries \(B\).

Remark 4

A straightforward reduction allows to show that \(\mathsf {Adv}^{\mathsf {bddh*}}_{B,\mathcal {G}_2} (1^\lambda ) \le 2 \cdot \mathsf {Adv}^{\mathsf {bddh}}_{B,\mathcal {G}_2} (1^\lambda )\) for all PPT algorithms \(B\).

Theorem 3

If the BDDH* assumption holds relative to \(\mathcal {G}_2\), then \(\mathsf {MCon} _{\mathsf {BDDH}}\) is secure.


We will show that one can construct an adversary \(B\) against the BDDH* assumption from each adversary \(A\) against \(\mathsf {MCon}\) such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {ind\text {-}matrix\text {-}rank}}_{\mathsf {MCon},A}(1^\lambda ) \le n \cdot \mathsf {Adv}^{\mathsf {bddh*}}_{B,\mathcal {G}_2} (1^\lambda ) \end{aligned}$$

To this end, we describe a hybrid argument which consists of \(n+1\) hybrid games \(H_0, \ldots , H_n\). In Hybrid \(H_\delta \), \(\delta \in \{0,\ldots ,n\}\), we run \(A\) on input \( mat := ([\vec r]_1,[\vec s]_1,[\vec u]_1,[\vec v]_1,[\vec d]_3)\), where all values are computed exactly as in \(\mathsf {SetupNFR} \), except that

$$ d_i := {\left\{ \begin{array}{ll} h r_i u_i + 1 &{}\text {for}~ i < \delta \\ h r_i u_i &{} \text {for}~ i \ge \delta \end{array}\right. } $$

Note that the input \( mat \) of \(A\) in \(H_0\) is identically distributed to the matrix descriptions computed by \((\mathbf {{A}}, mat ) \leftarrow \mathsf {SetupNFR} (\mathcal {MG}_{2})\). In \(H_n\), \(A\) receives a matrix description \( mat \) which is distributed exactly as a matrix description computed by \((\mathbf {{A}}, mat ) \leftarrow \mathsf {SetupFR} (\mathcal {MG}_{2})\).

Let \(X_\delta \) denote the event that \(A\) outputs “1” in Hybrid \(H_\delta \). We show that for each \(\delta \in \{1,\ldots ,n\}\) we can construct an adversary \(B\) such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {bddh*}}_{B,\mathcal {G}_2} \ge \left| \Pr [X_{\delta -1}] - \Pr [X_{\delta }] \right| \end{aligned}$$

which proves (17). \(B\) receives as input a BDDH*-instance \((\mathcal {MG}_{2},[(a,b,c)]_1, [T])\). It creates \( mat = ([\vec r]_1,[\vec s]_1,[\vec u]_1,[\vec v]_1,[\vec d]_3)\) as follows.

  • \([\vec r]_1 := [(r_1, \ldots , r_n)^\top ]_1\), where \([r_\delta ]_1 := [a]_1\) and \(r_i \leftarrow \mathbb {Z} _p^*\) for all \(i \in \{1,\ldots ,n\}\) with \(i \ne \delta \)

  • \([\vec u]_1 := [(u_1, \ldots , u_n)^\top ]_1\), where \([u_\delta ]_1 := [b]_1\) and \(u_i \leftarrow \mathbb {Z} _p^*\) for all \(i \in \{1,\ldots ,n\}\) with \(i \ne \delta \)

  • \([h]_1 := [c]_1\) and \([k]_1 := [-h\delta +y]\) for \(y \leftarrow \mathbb {Z} _p \setminus \{h\delta \}\)

  • \([\vec s]_1 := [(s_1, \ldots , s_n)^\top ]_1\), where \([s_i]_1 = [(hi+k)r_i]_1 = [(h(i-\delta )+y)r_i]_1\). Note that all the \([s_i]_1\) can efficiently be computed by \(B\), due to the above setup of \([h]_1\), \([k]_1\), \([\vec r]_1\).

  • \([\vec v]_1 := [(v_1, \ldots , v_n)^\top ]_1\), where \([v_j]_1 = [(hj+k)u_j]_1 = [(h(j-\delta )+y)u_j]_1\). As above, all the \([v_i]_1\) can efficiently be computed by \(B\), due to the setup of \([h]_1\), \([k]_1\), \([\vec u]_1\).

Finally, \(B\) sets \([\vec d]_3 := [(d_1, \ldots , d_n)^\top ]_3\), where

Then it runs \(A\) on input \((\mathcal {MG}_{2}, mat )\) and outputs whatever \(A\) outputs.

Note that if \([T]_3 = [abc]_3 = [hr_\delta u_\delta ]_3\), then the view of \(A\) when interacting with \(B\) is identical to its view in hybrid \(H_{\delta -1}\). Thus, the probability that \(A\) outputs “1” in this case is equal to \(\Pr [X_{\delta -1}]\). If \([T]_3 = [abc+1]_3 = [hr_\delta u_\delta +1]_3\), then it is identical to \(H_{\delta }\), so that the the probability that \(A\) outputs “1” in this case is equal to \(\Pr [X_{\delta }]\). This yields (18) and thus concludes the proof.

Shortcut evaluation. We remark that it is possible to reduce the number of pairing computations required to compute \([\mathbf {{A}}\vec w]_3\) for \(\vec w \in \mathbb {Z} _p^n\), given \( mat \). In the naïve approach sketched above, one first has to recompute \([\mathbf {{A}}]_3\) from \( mat \), which requires \(\mathbf {O} (n^2)\) pairing evaluations, and then \([\mathbf {{A}}]_3 \vec w\).

Following the “shortcut evaluation” approach described in [7], we note that the number of pairing evaluations can be reduced to \(2n = \mathbf {O} (n)\), by computing \(([z_1]_3,\ldots ,[z_n]_3)\) from \( mat = ([\vec r]_1,[\vec s]_1,[\vec u]_1,[\vec v]_1,[\vec d]_3)\) and \(\vec w \in \mathbb {Z} _p^n\) as

$$ [z_j]_3 := \frac{ \left[ \sum _{i \ne j} \frac{w_ir_i}{j-i}\right] _1 \cdot [v_j]_1 }{ \left[ \sum _{i \ne j} \frac{w_iu_i}{j-i}\right] _1 \cdot [s_j]_1 } + \left[ w_jd_j \right] _3 $$

Indeed, as shown by Boyen and Waters [7], it is easy to verify that

$$ [z_j]_3 = \left[ \sum _{i=1}^n r_i u_i h w_i \right] _3 $$

for all \(j \in \{1,\ldots ,n\}\), and thus it holds that \(([z_1]_3,\ldots ,[z_n]_3)^\top = [\mathbf {{A}}\vec w]_3\). Note that this “shortcut evaluation” takes only two pairing evaluations for each \(j \in \{1,\ldots ,n\}\), which amounts to only 2n pairing evaluations in total.