A multi-authority approach to various predicate encryption types

We propose a generic construction for fully secure decentralized multi-authority predicate encryption. In such a multi-authority predicate encryption scheme, ciphertexts are associated with one or more predicates from various authorities, and a user is able to recover the message only if the user has a set of decryption keys that evaluates all predicates to true. In our decentralized system, anyone can create a new authority and issue decryption keys for their own predicates. We introduce the concept of a multi-authority admissible pair encoding scheme and, based on these encodings, we give a generic conversion algorithm that allows us to easily combine various predicate encryption schemes into a multi-authority predicate encryption variant. The resulting encryption schemes are proven fully secure under standard subgroup decision assumptions in the random oracle model. Finally, by instantiating several concrete multi-authority admissible pair encoding schemes and applying our conversion algorithm, we are able to create a variety of novel multi-authority predicate encryption schemes.

testing with wildcard support), and inner-product predicate encryption (IPPE) [18] (testing whether two vectors are orthogonal). Even more advanced schemes, such as schemes capable of evaluating relations based on regular languages, exist as well [30].
A drawback of standard PE is that a single party, the authority, is responsible for creating the decryption keys for all users in the system. As a direct consequence, this authority can decrypt all messages since the authority has to be able to create every possible decryption key. Thus, relying on a single authority has consequences not only for the scalability of the system, but also for the trust relations. In natural situations, we would rather appoint multiple authorities, where each authority is responsible for issuing keys in their own realm. For example, when handling data from a clinical trial, we demand that only medical doctors affiliated to a research institute have access to the data. A hospital could then be responsible for issuing a decryption key for "medical doctor," while a university would be responsible for issuing the decryption key for "researcher." The question whether it is possible to construct such a multi-authority scheme was first raised by Sahai and Waters [28]. In a multi-authority predicate encryption (MA-PE) scheme, ciphertexts are associated with one or more predicates from various authorities. Users are then only able to decrypt the ciphertext if their keys make all predicates associated with the ciphertext evaluate to true. The first proposed MA-PE constructions [12,13,25] either require interaction between all authorities, or solely address the scalability problem and still require a master secret which can be used to decrypt all messages. To address both problems at the same time, Lewko and Waters [21] proposed a decentralized scheme. However, a limitation of all previously proposed MA-PE constructions is that they only address the special case of multi-authority attribute-based encryption (MA-ABE), rather than the more general MA-PE.
We propose a generic framework for creating decentralized multi-authority predicate encryption. Our framework supports several predicate types, such as multi-authority IBE, multi-authority ABE, and multi-authority IPPE. We also provide an instantiation for each of these predicate families. Since our solution is decentralized, we address both the trust and scalability issues: no party is required to hold a master secret and new authorities can be created without requiring any form of interaction. Lastly, we prove that the encryption schemes resulting from our framework are fully secure.
Our construction for an MA-PE scheme can be seen as the combination of multiple parallel instantiations of a (modified) single authority PE scheme with a "multi-authority layer" on top. Basically, the MA-PE scheme first fixes the group parameters and then instantiates a new PE scheme in this group for every new authority. To encrypt a message, a user blinds the message with a random number and splits this random number using additive secret sharing into various shares. Next, each of the shares is encrypted using the PE scheme's public key. Decryption works by first decrypting all shares to recover the random number and then unblinding the blinded message. However, described as such, the scheme would be vulnerable to a collusion attack, i.e., users combining knowledge to gain access to messages they should not have access to. To see this, assume we have a ciphertext that may only be decrypted by students older than 21. Now, two colluding users, one with the "student" attribute and another one with the "over-21" attribute, can each obtain part of the shares. If they combine their shares they are able to unblind the blinded message, while neither of them should have been able to. To prevent this attack, we make sure that during the decryption of a share, randomness specific to the user is added. This user-specific randomness cancels out only if the shares of the same user are combined.
To support a variety of PE schemes for use in a decentralized MA-PE scheme, we introduce the concept of multi-authority admissible pair encoding schemes (MA-PESs). An MA-PES can be "compiled" into a PE scheme compatible with the MA-PE scheme using our conversion algorithm. The definition of an MA-PES is an extended variant of the recently introduced concept of pair encoding schemes (PESs) [2,3,5]. Such a (multi-authority admissible) pair encoding scheme describes how a predicate can be encoded in an encryption scheme, without having to consider the group structure the scheme is instantiated in. This separation of encoding and group structure greatly simplifies the construction of new (multi-authority) PE schemes since it is relatively easy to prove an MA-PES secure compared to proving the entire encryption scheme secure. After proving the MA-PES secure, we can simply apply our conversion algorithm to turn the secure MA-PES into a secure MA-PE scheme.
Using the proposed conversion algorithm, we are able to combine various PE schemes for different predicates (e.g., IBE, ABE, or IPPE) into an MA-PE scheme using AND gates between the predicates. While the need for OR gates can be circumvented by writing the global policy in disjunctive normal form (DNF) and encrypting the plaintext for each of the conjunctive clauses, we could also directly support OR gates by slightly changing the algorithm: by using Shamir secret sharing (SSS) instead of additive secret sharing, policies can also contain OR gates [21].
We prove that applying our conversion algorithm on a secure MA-PES results in a fully secure MA-PE scheme in the random oracle model. In our full security game for multiple authorities, several authorities may be corrupted while the adversary may query the challenger for both the creation of new authorities and for decryption keys of its choice. We use a variant of the dual system encryption technique to prove our construction secure. The dual system proof technique, first introduced in the seminal work by Waters [29] and later refined by a series of subsequent works [14,20,22,23], uses semi-functional ciphertexts and keys in the proofs. A semi-functional ciphertext can be decrypted using a normal key, and a normal ciphertext can be decrypted by a semi-functional key (of course, in both cases we still require that the relation R holds). However, a semi-functional ciphertext can never be decrypted by a semi-functional key, not even if the relation R holds. To prove a scheme secure, we use a series of hybrid games. In the final game, the adversary receives a semi-functional challenge ciphertext and only semi-functional keys, meaning that the adversary has no chance of correctly decrypting the challenge ciphertext, which makes it impossible for the adversary to gain a non-negligible advantage in winning the game.

Our contributions
We summarize our contributions as follows. Firstly, we introduce new multi-authority encryption schemes with novel functionality. This newly introduced functionality has two distinct advantages; it allows for
- the creation of ciphertexts with predicates spanning multiple authoritative domains. Our construction allows for different predicate types per authority. For example, it allows for policies over two authorities where one authority uses ABE, while the other uses IPPE.
- the combination of various PE types to obtain more efficient or more expressive predicates. For example, combining a large-universe PE scheme with a PE scheme supporting non-monotonic access structures to allow for revocation.
Secondly, we introduce MA-PESs and their security requirement, give a conversion algorithm from MA-PES to MA-PE, and prove that the resulting MA-PE scheme is fully secure. We do so by unifying and extending several works. This leads to new insights, such as the symmetry in the definition of EncCt and EncKey in MA-PESs. These insights help in constructing more efficient MA-PE schemes and conversions among MA-PESs (e.g., dual predicate).
Finally, we give examples of various MA-PESs and also prove them secure. By applying our construction to these examples we achieve novel types of MA-PE for IBE, ABE, and IPPE.

Organization of the work
After the related work in Sect. 2, we continue with the preliminaries in Sect. 3, containing the definition of an MA-PE scheme and its security. In Sect. 4, we detail the definition of our MA-PES, and in Sect. 5, we explain how to convert an MA-PES into an MA-PE scheme. The security proof of our conversion algorithm is in Sect. 6. Finally, in Sect. 7, we give several examples of MA-PESs for predicates of the type IBE, ABE, and IPPE.

Related work
Up until now, the vast majority of multi-authority predicate encryption (MA-PE) schemes proposed in literature are MA-ABE schemes. The first MA-ABE schemes either require the introduction of a central party that is even able to decrypt all ciphertexts [12,25] or do not allow for the addition of new authorities once the system is set up [13]. The first practical MA-ABE scheme came with the introduction of decentralized MA-ABE [21]. A decentralized MA-PE scheme does not require any central party and anyone can start a new authority completely independent of all other parties. However, the current decentralized MA-ABE schemes [21,26,27] only support a single fixed construction and lack the ability to be used with any predicate family other than ABE. Moreover, in our construction, each authority can choose its own predicate family, which allows for the combination of several predicate systems, e.g., we can combine ABE and IPPE in a single MA-PE scheme.
In 2014, both Wee [31] and Attrapadung [5] observed that many of the schemes proven secure under the dual system encryption technique could be split into an encoding of the predicate and the group structure this encoding is instantiated in. Three variants of these encodings exist: predicate encoding [31], pair encoding [5], and the later introduced tag-based encoding [19]. Several newer works build on various improvements of the concepts of predicate encodings [4,16] and pair encodings [2,3,4]. Because pair encodings are the most general of the three, we base our work on pair encodings. For the instantiation of the group structure, composite order and prime order groups can be used [2,14,15]. In this work, we instantiate our decentralized MA-PE scheme in a composite order group setting, resulting in the first generic MA-PE scheme. The previously proposed prime order group structure cannot be directly used, since our construction uses a system based on three subgroups, instead of the more common two subgroups.
The MA-PE schemes resulting from our conversion algorithm are fully secure, similar to notions used before [21,26]. Our notion is slightly more permissive in the sense that not all authorities need to be announced at the start of the game, but the adversary can query for new authorities throughout the game. Weaker security notions, e.g., selective or static security games [27], or the use of the generic group model often allow for simpler and more efficient constructions at the cost of security.
A special use of our MA-PE construction is the combination of various predicate families into a single authority PE scheme, i.e., the (single) authority creates multiple key pairs, each for a distinct predicate family. Constructions of these combined PE schemes were first studied for the combination of ciphertext-policy attribute-based encryption (CP-ABE) with key-policy attribute-based encryption (KP-ABE) [6,7]. Recently, Ambrona, Barthe, and Schmidt [4] gave generic transformations to combine arbitrary predicate encodings into a new (single authority) predicate encoding scheme. Their approach differs from ours, since we do not transform encodings into an encoding for a combined predicate, but convert special encodings into an encryption scheme for combined predicates.
Our achieved functionality of decentralized multi-authority inner-product predicate encryption (MA-IPPE) is different from the works on multi-input inner product encryption (MI-IPE) [1,17]. In inner product encryption, the decryption algorithm outputs the inner product of two encrypted vectors, while in IPPE, the orthogonality of two vectors determines whether an encrypted message can be decrypted. The work by Michalevsky and Joye [24] achieves a specific form of MA-IPPE under a notion of decentralization that requires a semi-honest authority and coordination among the authorities during key generation. Their paper brings up the challenge to realize what the authors call "full decentralization", which we tackle in this paper. Moreover, our construction achieves this type of "full" decentralization for various MA-PE types, including MA-IPPE.

Preliminaries
In this work, we use lower case variables for vectors, denoted as $v$. For matrices we use upper case variables such as $M$. We often work with vectors of group elements $(g^{v_1}, \ldots, g^{v_n})$, written as $g^{v}$. To denote that we draw an element uniformly at random from a finite set $S$, we use $x \xleftarrow{R} S$. If an element $x \in S$ is a uniformly random element from the finite set $S$, we write $x \in_R S$. The ordered set of numbers $\{1, \ldots, n\}$ is denoted by $[n]$, while we denote the set $\{0, \ldots, n\}$ by $[n]^+$. Computational indistinguishability is denoted by the binary relation $\approx_c$.
We use the notation for a predicate family by Attrapadung [5]. Let $P = \{P_\kappa\}_{\kappa \in \mathbb{N}^c}$, for some constant $c \in \mathbb{N}$, denote the predicate family for relations $P_\kappa$ : Here, a relation is equivalent to a predicate function where $X_\kappa$, the ciphertext attribute space, and $Y_\kappa$, the key attribute space, are mapped to a true/false output. A predicate $P_\kappa$ can be described by its family index $\kappa$. We often use $\kappa(a)$ to denote that the index is specific to an authority $a$.

Composite order bilinear map
Our construction uses a composite order bilinear map.

Definition 1 (Composite order bilinear map of three primes [21]) Let $G$, $G_T$ be cyclic multiplicative groups of composite order $N = p_1 p_2 p_3$, where $p_1$, $p_2$, and $p_3$ are distinct large primes of bit length (λ) for some security parameter $\lambda$. The map $e : G \times G \to G_T$ is a composite order bilinear map if the following two conditions hold.
- The map is bilinear; $\forall g, h \in G,\ a, b \in \mathbb{Z}_N : e(g^a, h^b) = e(g, h)^{ab}$.
- The map is non-degenerate; generator $g$ of the group $G$ is chosen such that the order of the element $e(g, g) \in G_T$ equals $N$, the order of group $G_T$.

We use the function $\mathcal{G}(1^\lambda)$ to generate the parameters for a composite order bilinear map for security parameter $\lambda$. We refer to the subgroups of $G$ of prime order $p_1$, $p_2$, and $p_3$, as $G_1$, $G_2$, and $G_3$, respectively. Similarly, we write $g_1$, $g_2$, and $g_3$ for the generators of the respective subgroups. The orthogonality property of composite order bilinear groups, i.e., $e(g_i, g_j) = 1$ for $i \neq j$, is a crucial property used in the security proofs.

Multi-authority predicate encryption
A decentralized multi-authority predicate encryption (MA-PE) scheme differs from a single authority PE scheme in several key aspects. Most importantly, any party can use the global public parameters to create a new authority $a$. Using these global parameters, it creates its own public/private key pair for a predicate indexed by $\kappa(a)$. Furthermore, since every authority has its own public key, the encryption algorithm requires one or more public keys as input. Naturally, only the public keys of the authorities $A$ involved in the access policy are required to encrypt a message. Besides the public keys, the algorithm also requires the ciphertext values $x_a$ for each of the authorities $a \in A$.
Note that these values may come from distinct domains, as this value space $X_{\kappa(a)}$ depends on the predicate index $\kappa(a)$.
Finally, to prevent user collusion, every user in the system gets its own globally unique identity gid from an identity space $I$. Decryption keys are issued to a specific user and are bound to their personal gid. This prevents collusion attacks in which distinct users try to combine their keys to decrypt a ciphertext that may only be decrypted by users that possess all required keys themselves.
A decentralized multi-authority predicate encryption (MA-PE) scheme is a collection of the following five probabilistic polynomial time algorithms.
where the probability is taken over the coins of GlobalSetup, AuthoritySetup, Encrypt, and KeyGen.

Multi-authority predicate encryption security
We define security in terms of an indistinguishability game where the adversary may query for several decryption keys and has to decide on the message encrypted in the challenge ciphertext. The adversary may also query for the creation of new authorities and also statically corrupt new authorities. The static corruption of an authority is modeled by letting the adversary create a public/private key pair for a new authority. The adversary may then request the challenger to encrypt the challenge message using the public keys of uncorrupted and corrupted authorities. Note that this implies a static corruption model similar to [21], as none of the authorities associated with the challenge ciphertext may be corrupted after the challenge phase. The difference is that we do not require all authorities to be specified during Setup, but allow for "Authority Setup" queries.

Definition 3 (Full security)
A multi-authority predicate encryption scheme is fully secure if any p.p.t. adversary A has at most a negligible advantage in winning the following game.

Setup
The GlobalSetup algorithm is run and the challenger creates an empty set I to hold the uncorrupted authorities in the system.

Query 1
The adversary may query the challenger for two types of queries. Additionally, it can also create new authorities using the global parameters, i.e., without needing to query the challenger.
- Authority setup The adversary queries for a new authority by sending the parameters $\mathsf{par}_a$ (describing a predicate) to the challenger. The challenger runs AuthoritySetup using $\mathsf{par}_a$ and gives the resulting public key $\mathsf{pk}_a$ to the adversary. Additionally, it adds $a$ to the set of uncorrupted authorities $I$.
- User secret key By sending a tuple $(a, y \in Y_{\kappa(a)}, \mathsf{gid})$, where $a \in I$, to the challenger, the adversary requests the user secret key $\mathsf{usk}_{y,\mathsf{gid}} \leftarrow \mathsf{KeyGen}(\mathsf{pp}, \mathsf{ask}_a, y, \mathsf{gid})$ from the challenger. If the challenger has received a key request for the combination $(a, \mathsf{gid})$ before, it aborts the game. Otherwise, it returns the user secret key $\mathsf{usk}_{y,\mathsf{gid}}$.

Challenge
The adversary sends a tuple $(m_0, m_1, \{x^*_a\}_{a \in A^*})$ to the challenger, where $A^*$ is a set of authorities chosen by the adversary. For each authority $a \in A^*$ the adversary created itself, it also sends the public key $\mathsf{pk}_a$ to the challenger. We denote these authorities created by the adversary by the set $\tilde{I} = A^* \setminus I$.
For each gid that was used in a key query, the challenger checks if there exists an uncorrupted authority $a \in A^* \cap I$, such that either no query $(a, y_a, \mathsf{gid})$ has been made, or $P_{\kappa(a)}(x^*_a, y_a) = \text{false}$ for the queried $(a, y_a, \mathsf{gid})$. If so, it chooses a bit $b \xleftarrow{R} \{0, 1\}$ and returns the challenge $\mathsf{Encrypt}(\mathsf{pp}, \{\mathsf{pk}_a\}_{a \in A^*}, \{x^*_a\}_{a \in A^*}, m_b)$. Otherwise, the challenger aborts the game.

Query 2
Same as Query 1, with the additional restriction that new key queries must not violate the constraint described in Challenge.

Guess
The adversary makes a guess $b'$ for bit $b$. We define the advantage of the adversary in winning the game as

Complexity assumptions
The security of our construction relies on several instances of the family of the General Subgroup Decision Assumption [8]. These assumptions are identical to the assumptions used by the MA-ABE scheme of Lewko and Waters [21].

Assumption 1 Let the bilinear map parameters gp
That is, the advantage of any p.p.t. adversary A in distinguishing, is negligible in the security parameter λ.

Assumption 2 Let the bilinear map parameters gp
it is hard to distinguish $\hat{h}_1$ from $\hat{h}_1 \hat{h}_2$. That is, the advantage of any p.p.t. adversary A in distinguishing, is negligible in the security parameter λ.

Assumption 3 Let the bilinear map parameters gp
Given $g_1$, $h_1 h_3$, and $h_2 h_3$, it is hard to distinguish $\hat{h}_1 \hat{h}_2$ from $\hat{h}_1 \hat{h}_3$. That is, the advantage of any p.p.t. adversary A in distinguishing, is negligible in the security parameter λ.

Assumption 4 Let the bilinear map parameters gp
it is hard to distinguish $e(g_1, g_1)^{abc}$ from $e(g, g)^{\xi}$. That is, the advantage of any p.p.t. adversary A in distinguishing, is negligible in the security parameter λ.

Multi-authority admissible pair encoding
We extend the definition of a pair encoding [3,5] to a multi-authority setting. A multi-authority admissible pair encoding scheme (MA-PES) is defined for a single authority $a$. We will later show how we can convert several MA-PESs into a single MA-PE scheme.
We choose to extend the definition of PES as defined by Agrawal and Chase [3] since it is well-structured, although it may be a bit difficult to grasp at first. To get a better understanding of the scheme, it is convenient to think of the encodings as the variables in the exponents in the encryption scheme. The values $b$ correspond to an authority's public key, while $s, \hat{s}$ and $r, \hat{r}$ correspond to the randomness used in the encryption and key generation algorithms, respectively. The algorithms EncCt and EncKey encode the ciphertext value $x$ and key value $y$, respectively, by returning one or more multivariate polynomials of a restricted form. The variables $b_1, \ldots, b_n$ can occur in both the ciphertext and the key encoding, so they are termed common. These common variables may be multiplied with a non-lone variable $s_i$ (in a ciphertext encoding) or $r_i$ (in a key encoding). A lone variable, indicated by a hat, e.g., $\hat{r}_i$, is never multiplied with a common variable, but may be added as an independent term to the polynomial. Two special variables, $\alpha$ in the key encodings (corresponding to the authority's secret key) and $\omega$ in the ciphertext encodings, are always present in at least one of the polynomials. Basically, the encodings of a ciphertext contain linear combinations of monomials $\omega$, $\hat{s}_i$, and $s_i b_j$, while key encodings contain linear combinations of $\alpha$, $\hat{r}_i$, and $r_i b_j$.
Recall that our construction can be understood as a combination of several multi-authority admissible PE schemes using a "multi-authority layer" that withstands collusion attacks. During the decryption of such a multi-authority admissible PE scheme, randomness specific to the user is added to prevent collusion attacks. In our MA-PES, this randomness is represented in the correctness requirement by the newly added term $\omega r_0$, where $r_0$ corresponds to the user's gid.
Our changes with respect to the PES definition by Agrawal and Chase [3] are highlighted in red.
Definition 4 (Multi-authority admissible pair encoding scheme) A multi-authority admissible pair encoding scheme (MA-PES) for a predicate function $P_\kappa : X_\kappa \times Y_\kappa \to \{\text{false}, \text{true}\}$ indexed by $\kappa = (N, \mathsf{par})$, where $\mathsf{par}$ specifies some parameters, is given by the following four deterministic polynomial-time algorithms.
For clarity, in cases where the specific MA-PES that is being used is relevant, we index the algorithms by the authority that chooses to use the scheme, e.g., $\mathsf{EncCt}_a(N, x)$ or $\mathsf{EncKey}_a(N, y)$.
Note that in this extended definition EncCt and EncKey are defined identically up to the variable names. Furthermore, if we set $\omega = 0$, then we have the definition of pair encodings back as defined by [3] (except for the extra term $r_0$, however, we can see this as an alternative numbering of the components in $r$).

Security
For a multi-authority pair encoding scheme to be secure, we require statistical security, similar to the perfect security notion by Attrapadung [5]. For the security of the encoding, it is helpful to realize that we will apply the dual system encryption technique by (partially) replicating the scheme in the various subgroups. The security properties of the encoding will be used in the semi-functional subgroups, allowing us to prove indistinguishability among several variants of semi-functional ciphertexts and keys.
Instead of requiring that the value $\alpha$ is hidden in the adversary's view, as required in a PES, we require, as a security property for our MA-PES, that the value $\omega$ is hidden in the adversary's view. This property allows us to prove that an adversary cannot distinguish a correctly distributed challenge ciphertext from a challenge ciphertext taken from a more restricted distribution. The property should hold even if user secret keys are given, but only as long as the values $y$ associated to these keys do not let the predicate evaluate to true.
$c(0, s, \hat{s}, b), r, k(0, r, \hat{r}, b)$ and $s, c(\omega, s, \hat{s}, b), r, k(0, r, \hat{r}, b)$ are statistically indistinguishable, where the probability is taken over b , the distributions need to be statistically close in the size of p), for every prime $p \mid N$.
In our security proof for the conversion algorithm (see Sect. 6), we additionally need to restrict the output of $\mathsf{EncKey}(N, y)$ of an MA-PES. We require that if, for some ∈ $[m_3]$, the polynomial k contains $\alpha$, also $r_0 b_1$ needs to be present in the polynomial. More specifically, we require that φ = φ ,0,1 . Note that combining this constraint with the correctness property, we also have that η = η ,0,1 .
We give several examples of an MA-PES in Sect. 7.

Conversion from encoding to encryption
A collection of statistically secure MA-PESs can be converted to a fully secure MA-PE scheme using a generic algorithm. The encryption algorithm can be seen as a combination of the encryption algorithms of several (modified) PE schemes. First, we encrypt a message $m \in G_T$ by blinding the message with a random element $e(g_1, g_1)$ . Next, we (additively) secret share into shares $\delta_a$ for each of the involved authorities $a \in A$. For each authority, we encrypt the value $e(g_1, g_1)^{\delta_a}$ using the randomness $\alpha_a s_{a,0}$. From the correctness of the MA-PES, we know that a user having the appropriate keys can combine the ciphertext and keys in such a way that it obtains the value $\alpha_a s_{a,0} - \omega_a r_0$. Hence, the user can recover the value $e(g_1, g_1)^{\delta_a}$ up to a newly introduced random element that has $\omega_a r_0$ in the exponent. We use this randomness $\omega_a r_0$ to prevent user collusion. Recall that EncCt determines the value $\omega_a$, while EncKey determines the value $r_0$. So, if we additively secret share 0 into the values $\omega_a$ and choose a fixed value $r_0$ for each gid, we have that, only if a user is able to obtain $e(g_1, g_1)^{\delta_a + \omega_a r_0}$ for all authorities $a$, the user can combine these values to obtain the randomness used in the encryption of the message $m$, $e(g_1, g_1)^{\sum_a \delta_a + 0} = e(g_1, g_1)$ .
Although our employed technique is similar to conversion algorithms used in single authority predicate encryption (SA-PE) [2,3,15], we use the fact that the symbol $\omega$, an element part of the ciphertext, is statistically hidden. In contrast, SA-PE requires $\alpha$, an element part of a key, to be statistically hidden. Therefore, in our employed proof technique, we can only randomize $\omega$ as part of the ciphertext and not $\alpha$ as part of the keys. As a consequence, we require a composite order pairing group with three subgroups, instead of the common two subgroups. This also implies that we cannot use the existing constructions for dual system groups [2,15].
We require that identities are random elements from the identity space $I = G$. We achieve this by choosing a cryptographic hash function $H : \{0, 1\}^* \to G$ and hashing the gid to obtain a random element in $G$. In our security proof, we require that the challenger can decide on the image of $H(\mathsf{gid})$, $\mathrm{Im}(H) = G \subseteq G$. This requirement is fulfilled by proving the construction secure in the programmable random oracle model.

The authority's $\mathsf{pk}_a$ is $(g_1^{v}, e(g_1, \mathsf{sk}_a))$. The authority's $\mathsf{ask}_a$ is $(v, \mathsf{sk}_a)$.

$\mathsf{Encrypt}(\mathsf{pp}, \{(\mathsf{pk}_a, x_a)\}_{a \in A}, m)$ Choose an $a' \in A$, pick $\omega_a \xleftarrow{R} \mathbb{Z}_N$ for each authority $a \in A \setminus a'$, and set $\omega_{a'} = -\sum_{a \in A \setminus a'} \omega_a$. Additionally, pick $\delta_a \xleftarrow{R} \mathbb{Z}_N$ for all $a \in A$ and define $e(g_1, g_1)$ $= \prod_{a \in A} e(g_1, g_1)^{\delta_a}$. Blind the message $m \in G_T$ using $e(g_1, g_1)$ to obtain $\mathsf{ct}_0 = m \cdot e(g_1, g_1)$ .

$\mathsf{KeyGen}(\mathsf{pp}, \mathsf{ask}_a, y, \mathsf{gid})$ The algorithm $\mathsf{EncKey}_a(N, y)$ is run to obtain $m_1$, $m_2$, and poly-

$(N, x_a, y_a)$ to obtain $E_a$ and $\hat{E}_a$. Now compute ,2, , usk a,1,i ) (g 1 , sk a ) s a,0 e(g 1 , g 1 ) α a s a,0 −ω a r 0 −1 $= e(g_1, g_1)^{\delta_a} \cdot e(g_1, g_1)^{\alpha_a s_{a,0}} \cdot e(g_1, g_1)^{-\alpha_a s_{a,0} + \omega_a r_0} = e(g_1, g_1)^{\delta_a} \cdot e(g_1, g_1)^{\omega_a r_0}$ for some value $r_0$ independent of $a$. We can now combine these results to obtain $\prod_{a \in A} e(g_1, g_1)^{\delta_a} \cdot e(g_1, g_1)^{\omega_a r_0} = e(g_1, g_1)^{\sum_{a \in A} \delta_a} \cdot e(g_1, g_1)^{\sum_{a \in A} \omega_a r_0} = e(g_1, g_1)$ $\cdot\, e(g_1, g_1)^{0 r_0} = e(g_1, g_1)$ , and recover the plaintext $m = \mathsf{ct}_0 \cdot e(g_1, g_1)^{-}$ .

Remark 1 (One-use requirement) If the values $b$ of an MA-PES are used multiple times in the same ciphertext, they might not be statistically hidden anymore and information on $\omega$ might be leaked. Therefore, if we want to make sure to avoid using (part) of the same $b$ multiple times, we may require that an authority may occur only once in a ciphertext of a corresponding MA-PE scheme. Such a requirement is similar to the one-use requirement as found in several ABE schemes [5,21,23] where the attributes may only occur once.
Remark 2 (Type of secret sharing) Instead of using additive secret sharing as described above, we could have also decided to use SSS. By using SSS, we allow for combining the predicates from different authorities in the ciphertext using both AND and OR gates, like in the MA-ABE scheme by Lewko and Waters [21], while additive secret sharing only allows for combining them using AND gates. However, we can easily emulate OR gates by writing the desired combination of predicates for different authorities in DNF and creating a new ciphertext for each of the conjunctive clauses. The main advantage of choosing to use additive secret sharing is that it simplifies the construction and the corresponding security proofs.
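
The collusion argument from the introduction and from this section, as an added sketch that is not part of the paper: each element e(g1,g1)^x is modelled by its exponent x modulo a prime, so the code shows only the algebra of the additive shares δ_a, the zero-shares ω_a and the per-user value r_0, not a secure scheme. The modulus, the SHA-256 stand-in for H, the authority and user names, and all function names are assumptions of the example.

```python
import hashlib
import secrets

# Assumption of this example: a Mersenne prime stands in for the paper's
# composite N = p1*p2*p3, and an element e(g1,g1)^x is modelled by its
# exponent x, so multiplying group elements becomes addition mod N.
N = 2**127 - 1

AUTHORITIES = ["hospital", "university"]  # constructed sample authorities
MESSAGE = 424242                          # constructed sample message
# Constructed key table: (authority, gid) pairs for which a key was issued.
ISSUED = {
    ("hospital", "alice"), ("university", "alice"),  # doctor and researcher
    ("hospital", "bob"),                             # doctor only
    ("university", "carol"),                         # researcher only
}


def r0(gid):
    """Stand-in for H(gid): the fixed, user-specific exponent r_0."""
    digest = hashlib.sha256(gid.encode()).digest()
    return int.from_bytes(digest, "big") % N


def encrypt(m, authorities, collusion_resistant=True):
    """Blind m and split the blinding exponent additively over the authorities.

    delta[a] are additive shares of the blinding exponent. omega[a] are
    additive shares of 0; in the naive variant they are all zero, which is
    the scheme "described as such" that the text shows to be collusion-prone.
    In the real scheme these values sit in exponents and are only reachable
    through a matching key; here they are kept in the clear for inspection.
    """
    delta = {a: secrets.randbelow(N) for a in authorities}
    omega = {a: 0 for a in authorities}
    if collusion_resistant:
        first, rest = authorities[0], authorities[1:]
        for a in rest:
            omega[a] = secrets.randbelow(N)
        omega[first] = -sum(omega[a] for a in rest) % N
    ct0 = (m + sum(delta.values())) % N
    return {"ct0": ct0, "delta": delta, "omega": omega}


def decrypt_share(ct, authority, gid, issued):
    """Model of decrypting one authority's share with a key bound to gid.

    Returns delta_a + omega_a * r_0(gid), or None when no key was issued to
    this gid by this authority.
    """
    if (authority, gid) not in issued:
        return None
    return (ct["delta"][authority] + ct["omega"][authority] * r0(gid)) % N


def combine(ct, shares):
    """Unblind ct0 with the sum of the decrypted shares."""
    return (ct["ct0"] - sum(shares)) % N


def run_scenario(collusion_resistant):
    """Return (what alice recovers, what bob and carol recover by pooling)."""
    ct = encrypt(MESSAGE, AUTHORITIES, collusion_resistant)
    alice = [decrypt_share(ct, a, "alice", ISSUED) for a in AUTHORITIES]
    pooled = [
        decrypt_share(ct, "hospital", "bob", ISSUED),
        decrypt_share(ct, "university", "carol", ISSUED),
    ]
    return combine(ct, alice), combine(ct, pooled)


if __name__ == "__main__":
    for hardened in (False, True):
        alice, pooled = run_scenario(hardened)
        print("omega shares used:", hardened,
              "| alice ok:", alice == MESSAGE,
              "| colluders ok:", pooled == MESSAGE)
```

With the ω shares in place, the pooled result is off by ω_university · (r_0(carol) − r_0(bob)), which vanishes only when both shares were decrypted under the same gid.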

Security of the conversion algorithm
We prove security similarly to the dual system encryption technique [29] variant that was used to prove MA-ABE secure before [21]. As such, we first introduce semi-functional ciphertext and semi-functional keys. These semi-functional ciphertexts and keys are solely used in the security proofs and not in the actual scheme.

Semi-functional ciphertext
A semi-functional ciphertext can be created by slightly modifying the encryption algorithm for normal ciphertexts as given before. We define the various types of semi-functional ciphertext through the algorithm Encrypt.
. This algorithm is similar to Encrypt, but also takes a set C ⊆ {1, 2, 3} and the authorities' sk a as input.
While in normal ciphertext we use $g_1^{\omega_a}$, where $\sum_{a \in A} \omega_a = 0$, in semi-functional ciphertext we use $g_1^{\omega_{a,1}} g_2^{\omega_{a,2}} g_3^{\omega_{a,3}}$ and require $\sum_{a \in A} \omega_{a,i} = 0$ only for $i \in C$. For the values $i \in \{1, 2, 3\} \setminus C$, we pick $\omega_{a,i} \xleftarrow{R} \mathbb{Z}_N$ without any constraint on the sum of these values. Additionally, the construction of the values $ct_{a,1,i}$ and ct a,2, depends on whether the authority $a$ was created by the challenger (i.e., $a \in I$) or by the adversary (i.e., $a \in \tilde{I}$). If $a \in I$, all of the encoding variables $(s_a, c_a(\omega_a, s_a, \hat{s}_a, b_a))$ are mapped to elements in $G$. However, if $a \in \tilde{I}$, only $\omega$ is mapped to an element in $G$ (i.e., $g_1^{\omega_{a,1}} g_2^{\omega_{a,2}} g_3^{\omega_{a,3}}$), while all other encoding variables are mapped to elements in $G_1 \subset G$, just like in normal ciphertext.
Pseudo normal ciphertext In case we use $C = \{1, 2, 3\}$, we say that the ciphertext is pseudo normal.

[Fig. 1: Summary of the sequence of games used in the proof. An explanation of the difference between the games is given in Sect. 6.3.]

Normal key Note that a normal key cannot be described using KeyGen: while we can set $g \in G_1$, the hash function $H$ is defined as $H : \{0, 1\}^* \to G$ and not as $H : \{0, 1\}^* \to G_1$.
Pseudo normal key A pseudo normal key is created using KeyGen with $g \in G_1$. It differs from a normal key in that $H$ maps to an element in $G_1$, $H : \{0, 1\}^* \to G_1$, instead of mapping to an element in $G$.
Semi-functional key of type I A semi-functional key of type I is created using KeyGen with $g = g_1 g_2$, where $g_1 \in G_1$ and $g_2 \in G_2$.
Semi-functional key of type II A semi-functional key of type II is created using KeyGen with $g = g_1 g_3$, where $g_1 \in G_1$ and $g_3 \in G_3$.

Hybrids and proof outline
We will prove security through a series of hybrid games. Let $\text{Game}_{\text{original}}$ be the original full security game as defined in Definition 3. $\text{Game}_0$ is defined similarly, except that in this game only pseudo normal keys are used, by both the challenger and the adversary, instead of normal keys. In $\text{Game}_1$ the challenger answers the challenge query with a semi-functional ciphertext instead of a normal ciphertext as used in $\text{Game}_0$. Let $q$ denote the number of distinct gids for which the adversary queries keys. We define two types of games for each $j$ from 1 to $q$. In $\text{Game}_{2,j,1}$, the queries for the first $j - 1$ identities are answered with semi-functional keys of type II, while key queries for the $j$th identity are answered with a semi-functional key of type I. In $\text{Game}_{2,j,2}$, the challenger answers key queries for the first $j$ identities with a semi-functional key of type II. We define $\text{Game}_3$ as the game where all key queries are answered by semi-functional keys of type II and where the challenge ciphertext is replaced by an encryption of a random message. A summary of the sequence of games can be found in Fig. 1. In this figure, we also indicate the exact type of semi-functional challenge ciphertext the adversary receives by specifying the input $C$ to Encrypt. In the cases where the values $\omega_{a,2}$ or $\omega_{a,3}$ sum to a random value (i.e., $C = \{1, 2\}$ and $C = \{1\}$), we have to show that the adversary cannot distinguish this from the case where the values $\omega_{a,2}$ and $\omega_{a,3}$ are guaranteed to sum to zero (i.e., $C = \{1, 2, 3\}$).
For example, in the hybrid from Game 2, j,1 to Game 2, j,2 , we have to show that the adversary A cannot distinguish a ciphertext created with a∈A * ω a,2 = 0 from a ciphertext created with a∈A * ω a,2 ∈ R Z p 2 . In this case, we know that P {x * a } a∈A * , {y gid,a } a∈A * = false, i.e., there exists at least one a ∈ A * such that P κ(a ) (x * a , y gid,a ) = false or no query for (a , y a , gid) has been made. Furthermore, observe that the value ω a ,2 only occurs in the ciphertext part (ct a ,2,0 , . . . , ct a ,2,w 3 ) of authority a , corresponding to the values c a of EncCt a . By the statistical security requirement (see Definition 6), we know that this ω a ,2 is statistically hidden in the adversary's view. From this fact, it clearly follows that the sum of all ω a,2 (i.e., a∈A * ω a,2 ) includes ω a ,2 and thus the value of the sum is statistically hidden in the adversary's view as well. Hence, the adversary cannot distinguish whether it received a ciphertext where the ω a,2 are shares of zero, or independently random shares.
In $\text{Game}_{2,q,2}$, all key queries are answered with a type II key, and we know that the values $\omega_{a,3}$ do not need to sum to 0. Since there are no further constraints on $\omega_{a,3}$, we can set all $\omega_{a,3} \xleftarrow{R} \mathbb{Z}_N$. Thus, we essentially have that an adversary cannot distinguish whether the ciphertext components for any authority have been randomized or not. We use this fact to show that the sum of the values $\delta_i$, as appearing in the semi-functional ciphertext, is computationally indistinguishable from random as well.
We prove indistinguishability of the hybrids using several lemmas. Combining Lemmata 1, 2, 3, 4, and 5 proves the following theorem.

Hash oracle Upon receiving oracle query gid for the hash function H, the challenger B checks if it received the query before, and if so, answers with the same reply as before.
If A has not queried for the hash value of gid before, B picks a value $u_{gid} \xleftarrow{R} \mathbb{Z}_N$ and replies with $T^{u_{gid}}$.

Setup
The challenger B sets $pp = (gp, g_1)$ and sends pp to the adversary A.
Authority queries Requests for a new authority $a$ using $par_a$ are answered by the challenger by running AuthoritySetup(pp, $par_a$). The challenger first uses AuthorityParam($par_a$) to obtain $n$, picks $v \xleftarrow{R} \mathbb{Z}_N^n$ and $\alpha \xleftarrow{R} G_1$, and sets $sk_a = g_1^{\alpha}$. It sets the public key $pk_a$ as $(g_1^{v}, e(g_1, sk_a))$ and the authority secret key $ask_a$ as $(v, sk_a)$. It sends $pk_a$ to the adversary and adds $a$ to the set $I$.
Challenge ciphertext Whenever A requests the ciphertext challenge by sending (m 0 , m 1 , {x * a } a∈A * ) along with the public keys {pk a } a∈A * ∩Ĩ , the challenger B picks b R ←{0, 1} and encrypts message m b as a normal challenge ciphertext using Therefore, if A has a non-negligible advantage in deciding which game it is playing, B has a non-negligible advantage in breaking Assumption 1.
Lemma 2 ($\text{Game}_0 \approx_c \text{Game}_1$) Any adversary A having at most a negligible advantage in breaking Assumption 1, has at most a negligible advantage in distinguishing $\text{Game}_0$ from $\text{Game}_1$.
Proof The challenger B receives $\{(gp, g_1), T\}$ as input, where either $T \in_R G$ or $T \in_R G_1$. Now, B plays the game with A as follows.
Hash oracle Upon receiving oracle query gid for the hash function H , the challenger B checks if it received the query before, and if so, answers with the same reply as before. It sets the public key pk a as (g v 1 , e(g 1 , sk a )) and the authority secret key ask a as (v, sk a ). It sends pk a to the adversary and adds a to the set I .
Key queries Upon receiving a key query (a, y ∈ Y κ(a) , gid) for an uncorrupted authority a ∈ I , B answers the query with a pseudo normal key, using u gid as r 0 : KeyGen(pp, ask a , y; g 1 , u gid ). Choose an a ∈ A * , pick ω a R ←Z N for each authority a ∈ A * \ a , and set ω a = − a∈A * \a ω a . Additionally, pick δ a R ←Z N , set e(g 1 , g 1 ) δ a for all a ∈ A * , and define e(g 1 , g 1 ) = a∈A * e(g 1 , g 1 ) δ a . Blind the message m b ∈ G T using e(g 1 , g 1 ) to obtain ct 0 = m b · e(g 1 , g 1 ) . Now, for each authority a ∈ A * continue as follows (we frequently drop the index a when there is no ambiguity, to simplify notation). Run EncCt a (N , x) to obtain w 1 , w 2 , and polynomials (c 1 , . . . , c w 3 ).
for unknown t, and so we have implicitly used s a,i = ts a,i in ct a,2,i , making the ciphertext identically distributed to a normal ciphertext if T ∈ G 1 . Moreover, we have ω a,1 = tω a (mod p 1 ), ω a,2 = tω a (mod p 2 ), and ω a,3 =  tω a (mod p 3 ). Thus, if T ∈ R G 1 the resulting ciphertext is normal, while if T ∈ R G, the resulting ciphertext is pseudo normal, with a∈A * ω a,1 = a∈A * ω a,2 = a∈A * ω a,3 = 0. Moreover, depending on the value of T , B either plays Game 0 or Game 1 .
Proof The challenger B receives $\{(gp, g_1, h_1 h_2, g_3), T\}$ as input, where either $T \in_R G_1$ or $T \in_R G_{12}$. Now, B plays the game with A as follows.
Hash oracle Upon receiving oracle query gid for the hash function H , the challenger B checks if it received the query before, and if so, answers with the same reply as before.
If A has not queried for the hash value of gid before, B picks a value u gid R ←Z N . Then, the first j − 1 queries for some gid are answered with (g 1 g 3 ) u gid , the jth query is answered with T u gid , while other queries are answered with g u gid .
Setup The challenger B sets $pp = (gp, g_1)$ and sends pp to the adversary A.
Authority queries Requests for a new authority $a$ using $par_a$ are answered by the challenger by running AuthoritySetup(pp, $par_a$). The challenger first uses AuthorityParam($par_a$) to obtain $n$, picks $v \xleftarrow{R} \mathbb{Z}_N^n$ and $\alpha \xleftarrow{R} G_1$, and sets $sk_a = g_1^{\alpha}$. It sets the public key $pk_a$ as $(g_1^{v}, e(g_1, sk_a))$ and the authority secret key $ask_a$ as $(v, sk_a)$. It sends $pk_a$ to the adversary and adds $a$ to the set $I$.
Key queries Upon receiving a key query (a, y ∈ Y κ(a) , gid) for an uncorrupted authority a ∈ I , B answers the query depending on the number of distinct gids that have been queried before.
If gid is one of the first j − 1 gids being queried, B answers with a semi-functional key of type II by sending KeyGen(pp, ask a , y; g 1 g 3 , u gid ). If the query is for the jth gid, B answers by sending KeyGen(pp, ask a , y; T , u gid ). Otherwise, B answers with a pseudo normal key by sending KeyGen(pp, ask a , y; g 1 , u gid ). Note that in all cases the key queries are answered with elements from the hash oracle's range, creating properly distributed (semi-functional) keys. Also, observe that if T ∈ R G 1 , a query for the jth gid is answered with a pseudo normal key. Otherwise, if T ∈ R G 12 , the query is answered with a semi-functional key of type I. Choose an a ∈ A * , pick ω a,12 R ←Z N for each authority a ∈ A * \ a , and set ω a ,12 = − a∈A * \a ω a,12 . Additionally, pick ω a,3 , δ a R ←Z N , and set e(g 1 , g 1 ) δ a for all a ∈ A * , and define e(g 1 , g 1 ) = a∈A * e(g 1 , g 1 ) δ a . Blind the message m b ∈ G T using e(g 1 , g 1 ) to obtain ct 0 = m b · e(g 1 , g 1 ) .

Challenge ciphertext Whenever
Now, for each authority a ∈ A * continue as follows (we frequently drop the index a when there is no ambiguity, to simplify notation). Run EncCt a (N , x) to obtain w 1 , w 2 , and polynomials (c 1 , . . . , c w 3 ).
To see that this is properly distributed as a nominally semi-functional ciphertext, observe that ω a,12 (mod p 1 ) is independent of ω a,12 (mod p 2 ). Moreover, note that (for all i) the values s a,i (mod p 1 ), s a,i (mod p 2 ), and s a,i (mod p 3 ) are mutually independent. So, the given ciphertext is distributed as a nominally semi-functional one, and thus, we are left to prove that adversary A cannot distinguish a pseudo normal ciphertext (with C = {1, 2, 3}) from a nominally semi-functional ciphertext (with C = {1, 2}).
Let a ∈ A * ∩ I be an authority for which A cannot decrypt the ciphertext component ct a ,0 because P a (x * a , y a ) = false. Such an authority exists as otherwise A would be able to trivially decrypt the challenge ciphertext. Now, observe that all values ω a,3 look random for a ∈ A * \ a , while ω a ,3 ∈ R Z N for nominally semi-functional ciphertext and ω a ,3 = − a∈A * \a ω a,3 for pseudo normal ciphertext. Hence, A's view can at most contain  information about ω a,3 on the values {s a , c a (0, s a ,ŝ a , b a ), r a , k a (0, r a ,r a , b a )} in the subgroup G 3 (remember, P a (x * a , y a ) = false for the y a of the jth gid). No other information about the values in these subgroups is given by any of the key query responses (note b a is independent of b a ). By the statistical security property (see Definition 6), we know that this view is now indistinguishable from {s a , c a (ω a , s a ,ŝ a , b a ), r a , k a (0, r a ,r a , b a )}, the view of a nominally semi-functional ciphertext. Hence, the ciphertext is distributed correctly according to the adversary's view. Moreover, depending on the value of T , B either plays Game 2, j−1,2 or Game 2, j,1 .
Lemma 4 ($\text{Game}_{2,j,1} \approx_c \text{Game}_{2,j,2}$) Any adversary A having at most a negligible advantage in breaking Assumption 3, has at most a negligible advantage in distinguishing $\text{Game}_{2,j,1}$ from $\text{Game}_{2,j,2}$.
Proof The challenger B receives $\{(gp, g_1, h_1 h_3, h_2 h_3), T\}$ as input, where either $T \in_R G_{12}$ or $T \in_R G_{13}$. Now, B plays the game with A as follows.
Hash oracle Upon receiving oracle query gid for the hash function H , the challenger B checks if it received the query before, and if so, answers with the same reply as before.
If A has not queried for the hash value of gid before, B picks a value u gid R ←Z N . Then, the first j − 1 queries for some gid are answered with (h 1 h 3 ) u gid , the jth query is answered with T u gid , while other queries are answered with g u gid .
Setup The challenger B sets $pp = (gp, g_1)$ and sends pp to the adversary A.
Authority queries Requests for a new authority $a$ using $par_a$ are answered by the challenger by running AuthoritySetup(pp, $par_a$). The challenger first uses AuthorityParam($par_a$) to obtain $n$, picks $v \xleftarrow{R} \mathbb{Z}_N^n$ and $\alpha \xleftarrow{R} G_1$, and sets $sk_a = g_1^{\alpha}$. It sets the public key $pk_a$ as $(g_1^{v}, e(g_1, sk_a))$ and the authority secret key $ask_a$ as $(v, sk_a)$. It sends $pk_a$ to the adversary and adds $a$ to the set $I$.
Key queries Upon receiving a key query (a, y ∈ Y κ(a) , gid) for an uncorrupted authority a ∈ I , B answers the query depending on the number of distinct gids that have been queried before.
If gid is one of the first j − 1 gids being queried, B answers with a semi-functional key of type II by sending KeyGen(pp, ask a , y; h 1 h 3 , u gid ). If the query is for the jth gid, B answers by sending KeyGen(pp, ask a , y; T , u gid ). Otherwise, B answers with a pseudo normal key by sending KeyGen(pp, ask a , y; g 1 , u gid ). Note that in all cases the key queries are answered with elements from the hash oracle's range, creating properly distributed semi-functional keys. Also, observe that if T ∈ R G 12 , a query for the jth gid is answered with a semi-functional key of type I, and otherwise, if T ∈ R G 13 , the query is answered with a semi-functional key of type II. Choose an a ∈ A * , pick ω a,1 R ←Z N for each authority a ∈ A * \ a , and set ω a ,1 = − a∈A * \a ω a,1 . Additionally, pick ω a,23 , δ a R ←Z N , and set e(g 1 , g 1 ) δ a for all a ∈ A * , and define e(g 1 , g 1 ) = a∈A * e(g 1 , g 1 ) δ a . Blind the message m b ∈ G T using e(g 1 , g 1 ) to obtain ct 0 = m b · e(g 1 , g 1 ) .

Challenge ciphertext Whenever
Now, for each authority a ∈ A * continue as follows (we frequently drop the index a when there is no ambiguity, to simplify notation). Run EncCt a (N , x) to obtain w 1 , w 2 , and polynomials (c 1 , . . . , c w 3 ).
To see that this is properly distributed as a semi-functional ciphertext, first observe that ω a,23 (mod p 2 ) is independent of ω a,23 (mod p 3 ). Moreover, note that (for all i) the values s a,i (mod p 1 ), s a,i (mod p 2 ), and s a,i (mod p 3 ) are mutually independent. So, the given ciphertext is distributed as a semi-functional one, and thus, we are left to prove that adversary A cannot distinguish a nominally semi-functional ciphertext (with C = {1, 2}) from a semi-functional ciphertext (with C = {1}).
Let a ∈ A * ∩ I be an authority for which A cannot decrypt the ciphertext component ct a ,0 because P a (x * a , y a ) = false. Such an authority exists, as otherwise B would have aborted the game or A would have been able to trivially decrypt the challenge ciphertext. Now, observe that all values ω a,23 (mod p 2 ) look random for a ∈ A * \ a , while  , c a (0, s a ,ŝ a , b a ), r a , k a (0, r a ,r a , b a )} in the subgroup G 2 (remember, P a (x * a , y a ) = false for the y a of the jth gid). No other information about the values in these subgroups is given by any of the key query responses (note b a is independent of b a ). By the statistical security property (see Definition 6), we know that this view is now indistinguishable from {s a , c a (ω a , s a ,ŝ a , b a ), r a , k a (0, r a ,r a , b a )}, the view corresponding to a semi-functional ciphertext. Hence, the ciphertext is distributed correctly according to the adversary's view. Moreover, depending on the value of T , B either plays Game 2, j,1 or Game 2, j,2 .
Lemma 5 ($\text{Game}_{2,q,2} \approx_c \text{Game}_3$) Any p.p.t. adversary A, making at most $q$ key queries for distinct gids and having at most a negligible advantage in breaking Assumption 4, has at most a negligible advantage in distinguishing $\text{Game}_{2,q,2}$ from $\text{Game}_3$.
Proof Note that in Game 2,q,2 , the challenge ciphertext is semi-functional and all key queries are answered with a semi-functional key of type II. We have to prove that the adversary A cannot distinguish whether, for some a ∈ A, ct a,0 is replaced by a random element in Z N or not.
The challenger B receives {(gp, g 1 , g 2 , g 3 , g a 1 , (g 1 g 3 , T }, where either T = e(g 1 , g 1 ) abc or T ∈ R G T . Now, B plays the game with A as follows.
Hash oracle Upon receiving oracle query gid for the hash function H , the challenger B checks if it received the query before, and if so, answers with the same reply as before. If A has not queried for the hash value of gid before, B picks a value u gid R ←Z N . It answers the query with B −1 (g 1 g 3 ) u gid = (g 1 g 3 ) −b+u gid .

Setup
The challenger B sets pp = (gp, g 1 ) and sends pp to the adversary A.
Authority queries Requests for a new authority a using par a are answered by the challenger by running AuthoritySetup(pp, par a ). The challenger first uses AuthorityParam(par a ) to obtain n, picks v R ←Z n N and α R ←Z N , and sets the public key pk a as (g a+ṽ 1 1 , g v 2 1 , . . . , g v n 1 , e(g a 1 , (g 1 g 3 ) b )e(g 1 , g 1 )α) and (thereby indirectly) sets the authority secret key ask a = (v 1 = a +ṽ 1 , v 2 , . . . , v n , g ab+α 1 ). It sends pk a to the adversary and adds a to the set I .
Key queries Upon receiving a key query (a, y ∈ Y κ(a) , gid) for an uncorrupted authority a ∈ I , B answers the query with a semi-functional key of type II. The challenger B computes KeyGen(pp, sk a , y; g 1 g 3 , u gid ) as follows. First, it sets usk a,1,0 = (g 1 g 3 ) −b+u gid and usk a,1,i = (g 1 g 3 ) r i . Next, to construct the values usk a,2, , consider two cases. Either k contains both the symbol α and b 1 r 0 , or it does not contain this combination (i.e., φ = φ ,0,1 , see Sect. 4.1; symbols b 1 and r 0 may occur separately, but not in the combination b 1 r 0 ). In the case that α and b 1 r 0 do not occur in k , B can create usk a,2, using the values usk a,1,0 and r 1 , . . . , r m 2 ; and g a+ṽ 1 1 gṽ 1 3 and v 2 , . . . , v n (and, of course, the values φ , φ ,z , and φ ,i, j ). In the case that both α and b 1 r 0 occur in k , observe that B needs to compute And so it sets (we slightly abuse notation and write (g Note that the key queries are answered with elements from the hash oracle's range and create properly distributed semi-functional keys of type II. Choose an uncorrupted authority a ∈ A * ∩ I . For each authority a ∈ A * \ a , pick ω a,1 , δ a R ←Z N , and set ω a ,1 = − a∈A * \a ω a,1 and indirectly set δ a = abc − a∈A * \a δ a .

Challenge ciphertext Whenever
Additionally, pick ω a,23 R ←Z N for all a ∈ A * . Blind the message m b ∈ G T using T to obtain ct 0 = m b · T . Note that if T = e(g 1 , g 1 ) abc , the challenger simulates Game 2,q,2 using = abc and otherwise, if T ∈ R G T , the challenger simulates Game 3 . Now, for each authority a ∈ A * continue as follows (we frequently drop the index a when there is no ambiguity, to simplify notation). Run EncCt a (N , x) to obtain w 1 , w 2 , and polynomials (c 1 , . . . , c w 3 ).
If a = a , pick s a ,0 R ←Z N and s a ,k R ←Z N for k ∈ [w 1 + w 2 ]. Set ct a ,1,0 = (g c 1 ) −1 (g 1 g 2 g 3 )s a ,0 and ct a ,1,i = (g 1 g 2 g 3 ) s a ,i for i ∈ [w 1 ]. Next, B constructs the values ct a ,2, . The challenger B needs to compute (among others) where the occurrence of s 0 b 1 in c can be computed by So, B sets (we slightly abuse notation and write (g 1 g 2 g 3 ) v 1 for (g a 1 )ṽ 1 (g 2 g 3 )ṽ 1 and Note that by using this, B indirectly uses (ω a ,23 − d · η ,0,1 /η ) in subgroup G 3 instead of ω a ,23 . However, since ω a ,23 ∈ R Z N and no constraint is imposed on the sum a∈A * ω a , 23 , the distribution of the ciphertext component is identical to a semi-functional ciphertext. Blind the value e(g 1 , g 1 ) δ a by setting ct a ,0 = e(g 1 , g 1 ) δ a · e(g 1 , g 1 ) α a s a ,0 = e(g 1 , g 1 ) abc− a∈A * \a δ a +(ab+α a )(−c+s a ,0 ) = e(g 1 , g 1 ) − a∈A * \a δ a +abs a ,0 −cα a +α a s a ,0 = e(g 1 , g 1 ) − a∈A * \a δ a +α a s a ,0 e g a 1 , (

If a = a , but a ∈ I , pick s a,k ∈ Z N for k ∈ [w 1 + w 2 ] + , and set ct a,1,i = (g 1 g 2 g 3 ) s a,i for i ∈ [w 1 ] + and, for ∈ [w 3 ], set (we slightly abuse notation and write (g Blind the value e(g 1 , g 1 ) δ a by setting ct a,0 = e(g 1 , g 1 ) δ a · e(g 1 , g 1 ) α a s a,0 = e(g 1 , g 1 ) δ a · e g a 1 , (g 1 g 3 ) b e(g  (g 1 , g 1 ) δ a by setting ct a,0 = e(g 1 , g 1 ) δ a · e(g 1 , sk a )

This semi-functional ciphertext is properly distributed, with a∈A * e(g 1 , g 1 ) δ a = e(g 1 , g 1 ) abc . So, if T = e(g 1 , g 1 ) abc , the adversary A is playing Game 2,q,2 and otherwise, if T ∈ R G T , A is playing Game 3 .
Finally, note that in Game 3 , the challenger gives the adversary an encryption of a random message. Hence, A has no advantage in winning the game.

Multi-authority pair encoding examples
We give several examples of multi-authority admissible pair encoding schemes (MA-PESs) for various predicate families.

Multi-authority identity-based encoding
We can see the MA-ABE construction by Lewko and Waters [21] as a special case of our general MA-PE scheme. Their construction combines the same IBE scheme multiple times with a "multi-authority layer" on top. Based on their scheme, we extract the underlying MA-PES for an identity-based predicate. However, note that if we apply our conversion algorithm on the resulting encoding, we obtain a multi-authority IBE scheme, not an MA-ABE scheme, since our conversion uses additive secret sharing instead of Shamir secret sharing. Furthermore, the resulting MA-PES can be seen as an encoding for an IBE scheme which only allows for a single identity.
Example 1 (MA-PES based on [21]) We derive an MA-PES for multi-authority identity-based encryption from the MA-ABE scheme by Lewko and Waters [21]. The pair encoding for an authority a is the following: For Pair we have Correctness follows by simple substitutions, We can extend the construction to obtain a small universe construction for t identities, by setting where ρ is an injective function that maps an identity to an identity index in [t].
Remark 3 (One-use requirement) Similar to the one-use requirement for attributes, as found in several ABE schemes [5,21,23], the MA-PES of Example 1 has this one-use requirement as well, i.e., a ciphertext ct from a corresponding MA-PE scheme may only contain the identity x, encoded by b ρ(x) , once.
Proof If P κ (x, y) = false, we have to show that the distributions ←Z p for any prime p, log 2 p = (λ). Since P κ (x, y) = false, we know that x ≠ y and thus ρ(x) ≠ ρ(y).
We distinguish two cases:
$s_0 \in \mathbb{Z}_p^*$, i.e., $s_0$ is a generator of the multiplicative group $\mathbb{Z}_p^*$. Then, $b_{\rho(x)} s_0$ is uniformly distributed in $\mathbb{Z}_p$. On the other hand, $\omega + b_{\rho(x)} s_0$ is also uniformly distributed in $\mathbb{Z}_p$. Hence, the distributions are identical.
$s_0 = 0$, i.e., $s_0$ is not a generator for the multiplicative group $\mathbb{Z}_p^*$. Then, $b_{\rho(x)} s_0 = 0$, while $\omega + b_{\rho(x)} s_0 \in_R \mathbb{Z}_p$. However, this case only occurs with a probability negligible in $\lambda$.
Combining the two cases, we have proven that the two distributions are statistically indistinguishable.

Multi-authority attribute-based encoding
We adapt the PES for CP-ABE from the full version of Attrapadung [5, Scheme 11] to MA-PES. The PES is, in turn, based on a small universe CP-ABE scheme by Lewko et al. [23].
Example 2 (MA-PES based on [5,23]) The PES by Attrapadung [5] can be turned into an MA-PES. Let t denote the number of attributes in the universe. For a linear secret sharing scheme (LSSS) using (A w 3 ×w 2 , π), where we denote the ith row of A by a i and π is an injective function that maps a row in A to an attribute index in [t], the pair encoding for an authority a is the following: The matrices returned by the Pair algorithm are indirectly defined by the combination of keys required to satisfy the access policy as described in the ciphertext.

Proof
The proof is very similar to the proof presented in the full version of [5].
When P(x, y) = false, we have that (A, π) does not accept y. We need to prove that ω is hidden. We may assume s 1 ≠ 0 since the probability of s 1 = 0 is negligible in λ. For j = 1, . . . , w 3 , we consider two cases. If π( j) ∉ y, then b π( j) does not appear anywhere except for in c i and hence the information on ω + s 0 b will not be leaked from c i . Now consider π( j) ∈ y. In this case, both s 1 and b π( j) are available (since r 0 and r 0 b π( j) are), hence a i (ω + s 0 b ,ŝ 2 , . . . ,ŝ w 2 ) T is known. Now from the lemma of LSSS (similar to [5, Proposition 40]), there exists a vector u ∈ Z w 3 N with u 1 ≠ 0, such that u is orthogonal to all a j , where π( j) ∈ y. Hence, a j (ω +s 0 b ,ŝ 2 , . . . ,ŝ w 2 ) T = a j (ω +s 0 b ,ŝ 2 , . . . ,ŝ w 2 ) T + zu T for any unknown random z ∈ Z N . Therefore, a j (ω + s 0 b ,ŝ 2 , . . . ,ŝ w 2 ) T does not leak information on ω + s 0 b as u 1 ≠ 0. In either case ω + s 0 b is hidden in the encoding. Since ω only occurs in this expression ω + s 0 b , no information on ω is revealed.

Multi-authority inner-product encoding
To create a multi-authority admissible pair encoding scheme (MA-PES) for an inner-product predicate, we extend the "short secret key encoding" presented by Wee [31, Section 5.1].

Example 3 (MA-PES based on [9,31]) Based on the predicate encoding of Wee [31] for an IPPE scheme, which, in turn, is based on the scheme of Boneh and Boyen [9], we create an MA-PES for the inner-product predicate. Such a predicate evaluates to true if and only if the inner product of the vector x associated with the ciphertext and the vector y associated with the key equals 0, i.e., if ⟨x, y⟩ = 0. Let t be the length of the vectors x and y.
The pair encoding for an authority a is the following:

Proof When P(x, y) = false, we have that ⟨x, y⟩ ≠ 0. We need to prove that ω is hidden. We may assume s 0 ≠ 0 since the probability of s 0 = 0 is negligible in λ.
Since ω only appears in c 0 , we need to show that b s 0 is uniformly distributed in Z p and therefore no information on ω is revealed. The value b only appears in the adversary's view elsewhere as r 0 (b + b + , y ) in k 1 . Thus, we now need to show that r 0 b + , y is statistically hidden. The value b + only appears as s 0 (b x + b + ) in the adversary's view. However, no information on the value of b is revealed and so, if ⟨x, y⟩ ≠ 0, the value b + , y is hidden. We may conclude that b is hidden and so is ω.

Conclusion
We show that the concept of a multi-authority attribute-based encryption scheme can be generalized to a multi-authority predicate encryption (MA-PE) scheme for a variety of predicate families. Our generic approach allows us to combine the best features of several predicates into a single MA-PE scheme specific to an application's needs. We achieve our result by defining a multi-authority admissible pair encoding scheme (MA-PES) and proposing a conversion technique from such an encoding to an MA-PE scheme. The obtained MA-PE schemes are decentralized, meaning that new authorities can be created without requiring any form of interaction, while no party needs to have access to a master secret. If started from statistically secure MA-PESs, the resulting MA-PE schemes are proven to be fully secure, allowing for the static corruption of authorities, in the random oracle model.