Blind key-generation attribute-based encryption for general predicates

Attribute-based encryption (ABE) is a form of public-key encryption that allows fine-grained access control on encrypted data. Blind key-generation (BKG) attribute-based encryption (Rial, Designs, Codes and Cryptography 2016) is a variant in which the master authority issues secret keys without learning any information about the attributes associated to them. This extra functionality makes it an appealing building block for several applications. In this work, we extend the generic framework of ABE based on pair encodings (Attrapadung, Eurocrypt 2014) to support blind key-generation. In particular, we define two new notions of pair encodings that we coin BKG-compatible and algebraic pair encoding. We show that every encoding satisfies the former without loss of generality, whereas the latter is satisfied by all existing pair encodings from the literature. We then show how to enhance any ABE based on a BKG-compatible pair encoding to achieve honest-but-curious blind key-generation. In the case of algebraic encodings, our protocol admits a very efficient version, secure against malicious parties. The main advantage of our work is generality. Our protocol is designed over the recent and most advanced modular frameworks of ABE that can handle a rich variety of predicates.


Introduction
Attribute-based encryption (ABE), first conceived by Sahai and Waters [46] and later introduced by Goyal et al. [33], is a form of public-key encryption in which ciphertexts and keys Communicated 1 NTT Social Informatics Laboratories, Tokyo, Japan have attributes attached and the decryption ability of a key on a ciphertext is determined by a potentially complex access control policy involving these attributes. In particular, it is guaranteed that the decryption of a ciphertext ct x associated to attribute x with a secret key sk y associated to attribute y succeeds if and only if these values satisfy the predicate, that is, P(x, y) = 1. Note that this definition generalizes the original definition of ABE [33], introduced as key-policy ABE (KP-ABE), where values x correspond to Boolean vectors, while values y correspond to Boolean functions and the predicate P(x, y) is defined as y(x) = 1 (in its dual version, i.e., ciphertext-policy ABE, x represents a Boolean function, while y represents a Boolean vector). Efficient ABE schemes exist for different predicates. For example, identity-based encryption (IBE) [45] can be obtained with the predicate P(x, y):=(x = y), zero-inner product encryption (ZIPE) [34] can be obtained by setting P(x, y):=(x y = 0), where x, y belong to some vector space; other examples are span programs [35], hierarchical IBE [39], large universe ABE [44], non-monotonic access structures [41], or regular languages [7,48].
Predicate encryption (PE) [17,34] is a generalization of ABE where the main syntactical difference is that ciphertexts do not explicitly include x and, therefore, it gives cause to considering the property of attribute-hiding where ciphertexts leak no information about the value x they were associated to. On the other hand, blind key-generation attribute encryption (BKG-ABE) [43] allows one to hide the attributes associated to the secret keys from the master authority. Motivation. BKG-ABE is a powerful tool that achieves both fine tuning of access control and privacy protection. It can be of use in ABE scenarios where the user's value y associated to the requested key needs to remain private because, for example, it may leak sensitive information about the user. (It may, however, require zero-knowledge proofs for the authority to verify that the user is eligible for the key.) For example, several works evaluate the suitability of ABE for applications such as enforcing privacy of Electronic Medical Records (EMR) [6] in a system where healthcare organizations export EMRs to external storage locations. Other examples are Sieve [50] or Streamforce [25], systems that provide enforced access control for user data and stream data in untrusted clouds. These scenarios are a clear example where the privacy of parties requesting secret keys can be a concern. They would benefit from a BKG implementation of the underlying ABE.
Another application of BKG-ABE, proposed by Rial [43], is oblivious transfer with finegrained access control (OT-AC) [18,19]. It is a generalization of OT and k-out-of-n OT, where a sender associates an access policy f i to every message m i , for i ∈ [n], so that a receiver who owns a certificate on some Boolean vector y produced by a credential issuer obtains messages m i if and only if f i (y) = 1. Furthermore, the sender gains no information about y.
We further propose to use BKG-ABE on the framework of secure computation to achieve more security guarantees. The strongest notions of security for secure computation capture no leakage of information against malicious parties arbitrarily deviating from the protocol. However, it may be the case that the correctness of the input is defined according to some context and this is out of the scope of the secure computation defined to be modular for generality. Accordingly, an extra mechanism for defining and guaranteeing the correctness of inputs will be performed to prevent malicious parties from lying on their input to the computation. Now, consider a scenario of secure computation between two parties, where Alice (with input x) owns a commitment σ to Bob's input y and wants to make sure that Bob uses such input in the execution of the secure computation of f (x, y). This could be achieved by using an extra zero-knowledge proof. Other less modular solution would be to modify the circuit to be computed in such a way that it takes σ as an extra input from Alice; it takes the opening information δ as an extra input from Bob; and returns f (x, y) if δ is a valid opening of σ or ⊥ otherwise. These approaches however can introduce a prohibitive overhead in the performance of the original protocol. BKG-ABE would provide a solution with reasonable efficiency. Especially if the commitment scheme used is a Pedersen-like commitment as in the first round of our BKG protocol (Sect. 3). For example, consider an ABE scheme for the predicate P((i, γ ), y):=( y i = γ ), for X :=[n] × {0, 1} and Y = {0, 1} n (an encoding for this predicate can be found in [2]). Alice could create a garbled circuit for f , use ABE to encrypt every input label (i) b (corresponding to Bob's input) under value x:=(i, b) for all i ∈ [n], b ∈ {0, 1}. Then, she could send everything to Bob; together with the answer of the second round of our BKG protocol, having interpreted the commitment σ that she owns as the message from the first round. This way Bob will only be able to recover labels (i) y i , for i ∈ [n] (and use them to evaluate the garbled circuit), as desired.
We note that this application is not specific to BKG-ABE and could be achieved via OT-AC. However, our particular protocol for BKG-ABE is especially suitable for it. Modular frameworks for ABE. In 2014, Wee [49] and Attrapadung [7] independently proposed two generic and unifying frameworks for designing attribute-based encryption schemes for different predicates. Both works define a simple primitive called encoding and follow the dual system methodology by Lewko and Waters [38,47] to construct a compiler that on input an encoding (for certain predicate P), produces a fully secure attribute-based encryption scheme for P. Wee defines the so-called predicate encodings, an information-theoretic primitive inspired by linear secret sharing, while Attrapadung introduces the notion of pair encodings, a similar primitive that admits both information-theoretic and computational security definitions. These frameworks remarkably simplify the design and study of ABE schemes: the designer can focus on the construction of the simpler encodings (for the desired predicate), which require weaker security properties that are more easily verifiable. In fact, the potential of this new frameworks is evidenced by the invention of new constructions and performance improvements on existing primitives. Although these frameworks were designed over composite over groups, they were both extended in [20] and [8] respectively to the prime-order setting (under the Matrix-DH assumption).
Pair encodings are the building block in which Attrapadung's framework relies. Informally, a pair encoding is a function from attributes to polynomials, which will be evaluated in the exponent of an algebraic group by the key-generation and encryption ABE algorithms. Such polynomials are restricted in their form (Sect. 2.2, Definition 2), which is crucial for the keygeneration and encryption algorithms to be efficiently computable. In particular, they contain two types of variables: lone and non-lone variables. Lone variables always appear "alone" in degree-1 monomials (such monomials correspond to secret randomness generated during keygeneration and encryption), whereas non-lone variables always appear multiplied by another non-lone variable in a degree-2 monomial (such monomials represent the combination of secret randomness with the randomness contained in public parameters).

Our contribution
We pursue the study of attribute-based encryption in the framework of pair-encodings and provide new results to broaden its scope. New definitions about pair encodings. We define two new notions related to pair encodings: BKG-compatible encodings and algebraic encodings. The former notion establishes certain conditions on a pair encoding scheme that are sufficient for constructing very efficient blind key-generation protocols. Namely, we require that (i) the key-encoding polynomials that depend on the master secret α be independent of the value y associated to the key and (ii) the so-called lone variables can be linearly removed from all the key-encoding polynomials that depend on y. The first condition ensures that the computation of the key-generation that depends on the master secret key is independent of the value y and thus, can be performed by the authority without obtaining any information about y. The second condition guarantees that the user who requested the key will be able to remove the blinding factor (introduced by himself) after the communication with the authority. We show that any pair encoding can be transformed with minimal overhead 1 into an equivalent BKG-compatible pair encoding. In fact, we provide a stronger result: every pair encoding can be modified into an equivalent one that does not contain lone variables apart from α (Sect. 3.2, Lemma 1). This result is of independent interest, as it could lead to improvements on our understanding of pair-encodings and their expressivity. Generic framework for blind key-generation ABE. We equip the generic framework of attribute-based encryption from pair encodings with a protocol for blind key-generation (Sect. 3.3). Our protocol is two-round: (1) the user sends a key request that informationtheoretically hides its value y; (2) the authority replies back with a piece of information from which the user can derive a secret key sk y . The protocol is secure against honest-but-curious adversaries and it is defined for any attribute-based encryption scheme that is based on a BKG compatible pair encoding.
We then show that if the underlying encoding is algebraic, the zero-knowledge proof of knowledge sufficient for achieving active security can be implemented very efficiently with the -protocol that we provide in Appendix C. Implementation. We implement our protocol and compare its performance with the normal key-generation algorithm (of the ABE framework based on pair encodings). Our experiments show that both rounds of our protocol require a computational cost comparable to the one of the normal key-generation, making it suitable for real applications.

Overview of our protocol for blind key-generation
Normal key-generation for an ABE based on pair encodings requires several computations of the form where sk is the -th element of the secret key being generated; the exponents φ are the coefficients of the polynomials associated to the encoding of y, and the bases h are elements of a dual system group (DSG) [23,24]. A DSG is an abstraction that contains a bilinear group, i.e., a triple of abelian groups (G, H , G t ) and a non-degenerate bilinear map e : G×H → G t , these groups are usually implemented through prime-order groups, typically as vectors of prime-order group elements as in the DSG instantiation from k-lin, see Online Appendix. DSG are equipped with additional algorithms that can be used to simulate properties of composite-order groups that are they core of security proofs in the standard model, e.g., the existence of cyclic subgroups of unknown order.
Observe that h msk is only known to the authority and that the other group elements from the above formula are freshly sampled on every key-generation. On the other hand, the exponents are only known to the user requesting the key. In order to perform blind key-generation, it would be sufficient to have a two-party protocol for the functionality F A,U ((h 1 , . . . , h n ); (x 1 , . . . , x n )) → (⊥; i h x i i ). Below, we propose a simple protocol that implements such functionality over a group of prime-order p, based on the Diffie-Hellman assumption. (This is not the main construction proposed in this work, but serves as a warm-up example and could be adopted for simple ABE constructions.) Let g be a generator of the group: 1. Party A (Authority) masks every h i by sampling a random r i ← $ Z p , setting a i :=(h r i i , g r i ) and sending every a i to party U . 2. Party U (User) now samples t i ← $ Z p and computes b i :=(h r i i ) x i ·(g r i ) t i for every i, sending them back to A. 3. Finally, A computes c:= i b 1/r i i and sends it to U , who computes the desired value as c · i g −t i . The above protocol can be directly used on ABE constructions implemented over a primeorder group. Such constructions are only known to be secure in the generic group model [1]. For ABE schemes proven secure in the standard model, all existing constructions to date use a dual system group as underlying group. Known instantiations of DSGs [8,20,36] are based on the k-Lin assumption (or the Matrix-DH assumption [26,40]) and lead to groups that have prime exponent, but not prime order. (Such groups are typically implemented as vectors of prime-order groups.) In fact, such DS groups are not cyclic and thus, the multiplicative masking h r i i does not information-theoretically hide h i . Consequently, the above generic protocol may not be directly applicable to constructions based on DSG. One could, however, apply the technique from the above protocol coordinate-wise on the DSG elements, that way maskings would perfectly hide the corresponding value. (This approach would also require both parties to provide additional zero-knowledge proofs that they are acting consistently in each coordinate, e.g., that the user U has used the same exponent x i in all coordinates of the corresponding DSG element.) Our main construction is a blink-key generation protocol with better communication complexity (it does not need to operate coordinate-wise and it will not require the additional ZK proofs) and with only two rounds of interaction (note that the above protocol requires three rounds).
The main blind-key generation scheme proposed in this work exploits the specific structure of the dual system groups built from k-Lin, at the cost of not being generic for any DSG. In a nutshell, in the k-Lin implementation of dual system groups, the elements h {i,0} are sampled by taking r i ← $ Z k p and computing h {i,0} := B 2 r i , 2 whereas h {i, j} is computed as W j B 2 r i , for all i ∈ [m] and all j ∈ [n]. Here, B 2 and W j B 2 are part of the public key, where B and W j are matrices with coefficients over Z p .
For simplicity, we assume here that the encoding does not contain lone variables (i.e., the coefficients of the form φ ( ) i are all zero). The idea of our protocol is that the user will compute j φ ( ) {i,j} W j B 2 , for every i and , from the public key and will mask them with Z i ( ) B 2 , for uniformly sampled matrices Z ( ) i . The authority will instead sample the random vectors r i and use the previous values to compute Vectors r i will also need to be used by the authority in the computation of the rest of polynomials that are independent of y. Our requirements on BKG-compatible pair encodings guarantee that the extra terms Z ( ) i B r i , can be removed by the user, recovering a genuine secret key for y.

Related work
Blind key-generation. The notion of blind key-generation was first introduced by Green and Hohenberger [28] in the framework of identity-based encryption. The authors provide a protocol for blind key-generation of the Boneh-Boyen IBE [11] and show how to construct very efficient oblivious transfer (OT) [42] protocols from blind key-generation IBE schemes that satisfy some extra conditions. A subsequent work to [28] by Rial [43] extends the notion of blind key-generation to the framework of attribute-based encryption, and shows how to use it for building OT with fine-grained access control. The construction by Rial defines a blind key-generation algorithm for the CP-ABE of [16]. This ABE scheme has the property that secret keys are formed as a concatenation of pieces, each corresponding to one of the attributes included in the key. In a nutshell, Rial's idea for blind key-generation is that the authority will create a key for all attributes and the user will get only the parts corresponding to the attributes of their choice via a k-out-of-n adaptive OT. Note that Rial's technique allows to upgrade an adaptive k-out-of-n OT protocol to OT-AC. Observe that this approach is limited to CP-ABE schemes with the above property of separation between attributes in the key. Blind functional encryption. In a very recent work, Canard et al. [21] considered the notion of blind key-generation in the context of functional encryption. They argue that blind-key generation can be achieved generically (but somewhat inefficiently) by using homomorphic encryption and zero-knowledge proofs and give a specific efficient construction for the innerproduct functionality.
The main advantage of our work with respect to these related works is generality. Our protocol is designed over the recent and most advanced modular frameworks of ABE that provide a rich variety of predicates. In particular, it can be applied to all the encodings from the literature [3,4,[7][8][9]20].

Background
We consider a bilinear group generator G that, on input the security parameter λ, outputs an asymmetric bilinear group ( p, [26]. For a matrix A ∈ Z m×n p and a group element g, we abuse notation and write g A or A to represent the matrix formed by powering g to the elements of A. We use A i, j to denote the element of A that appears in the i-th row and the j-th column of A; the i-th element of a vector v is denoted as v i . Given a matrix of group elements A ∈ G m×n and a vector v ∈ Z n p , we denote by Av the vector of group elements obtained by multiplying each row of A by the scalar vector v as a scalar multi-exponentiation, that is the k-th element of Av is defined as n i=1 A v i k,i We denote by 0 n the zero vector of length n. We use the symbol for concatenation of lists or vectors. For a vector v we denote its length by |v|. Given a matrix A ∈ Z m×n p and a set of indices ⊆ [m], we define A as the matrix formed by the rows of A whose index is in . Given a predicate P : X ×Y →{0, 1}, we write (x, y) ∈ P to denote P(x, y) = 1. For a pair of integers m, n ∈ N we define [m, n] as the range {m, . . . , n} and we write [n] to represent [1, n]. In case m > n, [m, n] is defined as the empty set. For a finite set S, x ← $ S denotes that x is uniformly sampled from S. Given a multi-variate polynomial f (X) ∈ Z p [X], we denote by f (x) the evaluation of polynomial f on values x. This notation is extended to vectors of polynomials f if every polynomial in the vector is defined with respect to the same variables. We sometimes group variables in classes as f (X, Y ) ∈ Z p [X, Y ]. When the variables associated to a polynomial are clear from the context we simply write f instead of f (X, Y ).

Attribute-based encryption
Attribute-based encryption (ABE) [46] is a form of of public-key encryption that supports fine-grained access control for encrypted data. An attribute-based encryption scheme for a predicate P guarantees that decryption of a ciphertext ct x with a secret key sk y is allowed if, and only if, the value x associated to the ciphertext ct and the value y associated to the secret key sk verify the predicate P, i.e., (x, y) ∈ P.
Definition 1 (Attribute-based encryption) Given a predicate P : X × Y → {0, 1}, an attribute-based encryption scheme is tuple of polynomial-time algorithms {Setup, Enc, K eyGen, Dec} where: , on input the security parameter λ and value universes X , Y, outputs a master public key and a master secret key. • Enc(mpk, m, x) → ct x , on input mpk, a message and x ∈ X , outputs ct x .
• K eyGen(msk, y) → sk y , on input msk and y ∈ Y, outputs a secret key sk y .
Without loss of generality and even if we do not make it explicit, we assume msk always contains mpk. In blind key-generation ABE there exists an extra two-party protocol executed between a user U and the master authority A: • Blind-K G U,A ((mpk, y); msk) → (sk y ; ⊥), on input the master public key and a value y from the user and on input the master secret key from the authority, the user gets a secret key for y, whereas the authority learns nothing.

Pair encodings
Pair encodings are the building block for constructing ABE on which Attrapadung [7][8][9] and Agrawal and Chase [3,4] rely. Note that, in this work, we adopt the most modern definition of pair encodings, introduced in [4], where some of the structural constraints on the polynomials are explicit thanks to the separation between lone and non-lone variables.
Definition 2 (Pair encoding) Let P : X × Y → {0, 1} be a binary predicate over finite sets X and Y. For a prime p ∈ N and ϒ = (w, w,ŵ,m, m,m, n) ∈ N 7 , let be formal variables. A ϒ-pair encoding scheme (PES) for P consists of three deterministic and efficiently computable algorithms: • EncK ey( p, y): maps y ∈ Y into a vector ofm polynomials, k y , in Z p [r,r, b].
• Pair( p, x, y): maps x ∈ X and y ∈ Y into a pair of matrices E x,y , F x,y with coefficients in Z p of dimensions w ×m andw × m respectively. We require that the following properties be satisfied (for all p prime): . Furthermore, for every y ∈ Y, the polynomials in EncK ey( p, y) only contain monomials of the form α,r i or . Thus,ŝ,r are called lone variables, whereas s, r are called non-lone variables. security (non-reconstructability): For every (x, y) / ∈ P, and for every pair of matrices E and F with coefficients in Z p , s E k + c F r = αs 1 , where c ← EncCt( p, x) and k ← EncK ey( p, y).
When it is clear from the context, we may omit p from the input to the encoding algorithms.
Remark 1 There exist several security notions for pair encodings (information-theoretic and also computational) [7]. The one we adopted in Definition 2 was introduced by Agrawal and Chase [4]. Our blind KG protocol works for all pair encodings, independently of the security notion. [3,4,9] define pair encodings for a family of predicates P κ : X κ × Y κ → {0, 1}, indexed by κ = ( p, par), where par specifies some parameters (including the security parameter λ) and consider one extra algorithm, Param, that on input par, outputs n ∈ N specifying the number of common variables. In our definition, for the sake of simplicity, we omit such algorithm. However, one could think of the elements in ϒ as polynomials 3 (over Z) in the security parameter λ. And one could define Param as the algorithm that evaluates the polynomial n(λ) on the given security parameter and outputs the corresponding integer.

Attribute-based encryption from pair encodings
The compiler from pair encodings to attribute-based encryption is defined over bilinear groups (implemented as dual system groups) and, roughly, works as follows. To encrypt a message M ∈ G t , this is multiplied by a blinding factor g αs t , where s is fresh randomness and g α t is part of the public key, being g t :=e(g 1 , g 2 ). Ciphertexts contain additional group elements that can be combined with the elements of a valid secret key in order to recover the blinding factor and, consequently, the message. In short, and following the notation from Definition 2, the compiler could be summarized as: For the purpose of this paper, a formal definition of the setup and the key-generation algorithm is sufficient. For the sake of simplicity, we omit the description of the other algorithms and include a complete definition of the compiler in Online Appendix. (We refer to [4,Sect. 5.4] for further details.) Observe that in the following definition we have already adopted the DSG implementation based on k-Lin (see Online Appendix and also [20]), because our blind key-generation protocol is defined for this instantiation.

Blind key-generation ABE
In this section we first introduce a formal security definition for blind key-generation ABE (Sect. 3.1), we then present our BKG scheme (Sect. 3.2), which is compatible with the compiler of ABE based on pair encodings [4,8].

Security definition
The security notion of blind key-generation ABE is formally captured by the following ideal functionality.
Definition 4 (Ideal functionality for blind key-generation) The ideal functionality F for blind key-generation is defined as follows.
1. On input a pair (mpk, y) from the user, F sends the master public key mpk to the authority and waits for a response. 2. If the authority allows the computation, it replies back to F with a secret key msk and some randomness r . 3. Now, F checks if (mpk, msk) ∈ K, i.e., if the secret key is valid with respect to the received mpk from the user. If so, it executes sk y ← K eyGen(msk, y; r ) and sends sk y to the user; otherwise it sends ⊥ to the user.
Here, we denote by (mpk, msk) ∈ K the fact that there exists some randomness s such that

Remark 3
Observe that deciding whether (mpk, msk) ∈ K can be done efficiently for the ABE scheme from Definition 3. We will assume, without loss of generality, that the master secret key includes the master public key. That way, for every valid msk there exists exactly one mpk such that (mpk, msk) ∈ K.
Security of blind key-generation ABE, defined with respect to the above ideal functionality, is schematized in Fig. 1. In words, let A and U be two arbitrary stateful algorithms. Let Real U,A (mpk, y, msk) be the following distribution. Algorithm U takes as input (mpk, y), whereas A takes as input msk; both U and A execute the Blind-K G protocol on their inputs, but may deviate arbitrarily from the protocol; let view U and view A be their respective final view. Return (view U , view A ). Let Ideal U,A (mpk, y, msk) be the distribution where algorithm U takes as input (mpk, y) and produces a (possibly modified) pair (mpk , y ) that is sent to the ideal functionality F (Definition 4); analogously, A takes as input msk, and when it receives mpk from F , if it decides to allow the computation, it produces a (possibly modified) key msk and randomness r , which sends to F ; otherwise, it sends ⊥ to F . Let view U and view A be their respective final views. Return (view U , view A ).
Definition 5 (Security from malicious users) Protocol Blind-K G is said to be secure against malicious users if and only if, for every PPT algorithm U there exists a PPT simulator S such that for all (mpk, y, msk), where A 1 is an algorithm that honestly follows the Blind-K G protocol (as the authority) and A 2 is an algorithm that passes its input to F without modification.

Remark 4
The above definition expresses the standard simulation-based security which guarantees that all existing attacks in the real world are in fact inherent: they can also be mounted in the ideal world, where parties (authority and user) interact through an incorruptible and trusted third party.
Definition 6 (Security from malicious authorities) Protocol Blind-K G is said to be secure against malicious authorities if and only if, for every PPT algorithm A there exists a PPT simulator S such that for all (mpk, y, msk),

Real world Ideal world
User Authority Fig. 1 Protocol Blind-K G is secure if algorithm D, who can control mpk, y and msk, cannot distinguish between the real world and the ideal world based on the views (view U , view A ). For security against malicious users (Definition 5), algorithm U real is arbitrary, U ideal is a simulator, and A real , A ideal are honest algorithms. For security against malicious authorities (Definition 6), A real is arbitrary, A ideal is a simulator, and U real , U ideal are honest where U 1 is an algorithm that honestly follows the Blind-K G protocol (as a user) and U 2 is an algorithm that does not modify its input and passes it to F .

Blind-KG compatible pair encodings
We consider a restricted class of pair encodings, that we coin blind key-generation compatible (or BKG-compatible, for short) pair encodings. This class is necessary for our blind keygeneration algorithm described in the next section.  ey1( p, y).
We now show that we can assume, without loss of generality, that a pair encoding is BKGcompatible. More precisely, that any pair encoding can be transformed into an equivalent BK G-compatible pair encoding with minimal impact on its size and number of variables. In fact, in Lemma 2, we prove a stronger result: any pair encoding admits an equivalent encoding that does not have lone variables and such that variable α appears only in one polynomial (which is independent of y).

Lemma 1 Let
We prove the lemma in Appendix A.

Remark 5
Our Lemma 1 suggests that w.l.o.g. we can consider pair encodings that do not contain lone variables. However, in the most recent definitions of pair encodings, all nonlone variables are given "in the clear" as part of the key. What our lemma really implies is that, after our transformation, giving out all variables in the clear does not compromise security. Nonetheless, not all variables are used for correctness and so, not all need to be always given. Actually, existing encodings for large universe ABE or regular languages involve an exponential number of lone variables and giving all of them in the clear after our transformation would be impractical (and unnecessary). When such encodings are used for blind key-generation, the authority must select a subset of variables to be given in the clear. This imposes a bound on the size of the value y that users can request, leaking some information on size of y. Observe that this leakage seems inherent and it is usually admitted in cryptography (e.g. encryption schemes hide the content of messages, but not necessarily their length).

Lemma 2 (BKG-compatibility) Let ϒ = (w, w,ŵ,m, m,m, n) and let (EncCt, EncK ey, Pair) be a ϒ-pair encoding for predicate P. There exists a ϒ -BKG-compatible pair encoding for P, where
See Appendix A for a proof.  Fig. 2, on inputs (mpk, y) for the user and msk for the authority, such that (mpk, msk) ∈ K, then the final output of the user is identically distributed to the output of K eyGen(msk, y) (see Definition 3), over the coins of the protocol and the K eyGen algorithm.

Theorem 1 (Correctness) If both parties honestly execute the Blind-K G protocol described in
Our following theorems establish that the protocol is secure against honest-but-curious adversaries. In the following, let U 1 be an algorithm that honestly follows the Blind-K G protocol (as a user) and let U 2 be an algorithm that does not modify its input and passes it to the ideal functionality (as the user). Analogously, let A 1 be an algorithm that honestly follows the Blind-K G protocol (as the authority) and let A 2 be an algorithm that does not modify its input and passes it (together with true randomness) to the ideal functionality (as the authority). S (mpk, y, msk). Theorem 3 (Security against honest-but-curious users) There exists a simulator S such that for all (mpk, y, msk) and every PPT distinguisher, A 2 (mpk, y, msk).

Theorem 2 (Security against honest-but-curious authorities) There exists a simulator S such that for all (mpk, y, msk) and every PPT distinguisher,
We refer to Appendix A for a proof of all three theorems.

Achieving active security
The standard way of achieving active security on a passively secure protocol is to add zeroknowledge proofs of honest behavior (see the Supplementary Material). That way, only honest users will be able to produce valid proofs and honest-but-curious security applies.
For security against malicious users, we could add the following zero-knowledge proof of knowledge : to the message computed by the user in Round 1 of the protocol from Fig. 2. However, although zero-knowledge proofs of knowledge [14,30] can be constructed for any NP statement [32], using generic methods to implement the above relation may be inefficient, given that EncK ey1 can be an arbitrarily complex (still efficiently computable) circuit. Instead, we introduce the notion of invertible pair encoding and use it to significantly simplify the above NP relation.

Invertible pair encodings
For every p ∈ N, the function EncK ey1( p, ·) of any BKG-compatible pair encoding can be considered injective. Note that if EncK ey1( p, y 1 ) = EncK ey1( p, y 2 ) for two different y 1 , y 2 , then, correctness and security of the encoding imply that ∀x, P(x, y 1 ) ⇔ P(x, y 2 ) and thus, y 1 and y 2 can be considered "equivalent" under P. Consequently, we can consider the inverse function that on input a list, k, of polynomials over Z p [r,r, b], produces a value y such that k = EncK ey1( p, y). 5 if there exists an efficiently computable decoding algorithm DecK ey that ∀ p ∈ N, on input a list in Z p [r,r, b], outputs y ∈ Y such that, ∀ k : ∃y ∈ Y s.t. EncK ey( p, y) = k, it holds EncK ey( p, DecK ey(k)) = k .

Definition 8 (Invertible pair encoding) We say a (EncCt, EncK ey, Pair) encoding is invertible
We leave as an open problem to (dis)prove that any pair encoding admits an equivalent invertible pair encoding. To the best of our knowledge, all pair encodings from the literature are invertible.
We require pair encodings be invertible so that it is enough for the user to prove that it knows the coefficients that are committed inside the messages M ( ) i . This way, the simulator (for the malicious user) can extract the coefficients from the proof of knowledge and, because the encoding is invertible, find a value y ∈ Y such that EncK ey( p, y) equals the polynomials associated to them. However, note that invertibility may not be enough: what happens if there exists no y satisfying the requirements? Invertibility only guarantees that it is possible to efficiently find y in case it exists. In order to solve this problem, we observe that all pair encodings from the literature are designed in a similar way. Namely, polynomials are built by adding monomials whose coefficient depends on the value y, or whose variables are chosen based on the value. We abstract this idea in the notion of algebraic pair encoding. ϒ = (w, w,ŵ,m, m,m, n). We say a pair encoding ϒ-pair encoding (EncCt, EncK ey, Pair) is algebraic if algorithm EncK ey defines polynomials as sums of monomials of the following three types:

Definition 9 (Algebraic pair encoding) Let
• public monomials: their coefficient and variables are independent of y, • secret-coefficient monomials: monomials of the form μ yri or μ y r i b j for some, i ∈ [m] or i ∈ [m], j ∈ [n] and some μ y ∈ Z p (that depends on y). • secret-variable monomials: monomials of the formrη y or r η y b j or Furthermore, we require an algebraic pair encoding be surjective, that is, for all possible values μ ∈ Z * p of the coefficients of secret-coefficient monomials, there exists some y ∈ Y such that EncK ey( p, y) has secret-coefficients matching μ.
Our Example 1 (in Appendix B) illustrates the three types of monomial from the above definition.

Remark 6
Note that the structure of an algebraic pair encoding is fixed and only the secret coefficients or the secret variables can depend on value y ∈ Y. To the best of our knowledge, all existing pair encodings are algebraic.
Given an algebraic pair encoding, the zero-knowledge proof of knowledge from (1) can be done very efficiently. This is because if the pair encoding is algebraic, there exist disjoint sets , ⊂ N × N × N of public coefficients and binary coefficients respectively, there exists a function f : → Z p and there exist clusters = {( s , g s , γ s )} s∈ , where for every s ∈ , s ⊂ N × N × N, g s : s → Z p and γ s ∈ Z p , such that, for any value of the coefficients φ ( ) for certain arbitrary φ ( ) i . We refer to Appendix B for some examples. We describe the actively secure version of our protocol in Fig. 3. Note that if the encoding is algebraic, the proof of knowledge from (1) is equivalent to the proof of knowledge described  Fig. 3. In fact, we leverage techniques from [12] to design a very efficient -protocol for implementing such a proof. We present it in Appendix C. Theorems 4 and 5 are relative to the modification of our protocol, described in Fig. 3. As in the previous section, we define honest algorithms U 1 , A 1 , that follow the Blind-K G protocol and U 2 , A 2 , honest algorithms that pass their input to F and do not modify their output. ι = (mpk, y, msk), all PPT distinguishers D, and all sufficiently large λ ∈ N, ι = (mpk, y, msk), all PPT distinguishers D, and all sufficiently large λ ∈ N,

Theorem 5 (Security against malicious users) For every algorithm U (acting as a user in the real world) there exists a simulator S s.t. for all
where Adv G 2 DL OG is an upper-bound on the probability of PPT machines solving the discrete logarithm problem in G 2 .

Implementation
We implement a general library for attribute-based encryption based on predicate and pair encodings with support for blind key-generation. Our library is based on the Relic-Toolkit [5] for pairings with a 256-bits Barreto-Naehrig Curve [15]. We evaluate our blind key-generation protocol and compare it to the normal key-generation algorithm. All the experiments were executed on a 8-core machine with 4.00GHz Intel Core i7-4790K CPU and 16GB of RAM. Our source code 6 will be publicly available and open source for reproducibility and verifiability.
Our experimental results, described in Table 1, correspond to an implementation of attribute-based encryption based on the SXDH assumption (1-Lin). The first block corresponds to the pair encoding for zero inner-product described in our Example 2 (in Appendix B). The second, corresponds to an encoding for CP-ABE [20,22,33]. The third is an encoding for broadcast encryption, described in our Example 3.
In every block, we compare the three different algorithms of our protocol for blind keygeneration described in Fig. 2 (Round 1, Round 2 and Finalize key) and the normal keygeneration algorithm, in terms of the execution time, size of the output and number of group operations over the group G 2 . Group operations over G 2 are represented by a pair of integers separated by |, corresponding to the number of group law operations and group exponentiations respectively.
We show results for the median times of 10 executions of randomly selected instances of different problem sizes. In the case of inner-product, keys are generated with respect to randomly sampled vectors of the given lengths. In the case of Boolean-formulae, keys are generated with respect to randomly selected sets of attributes of the given cardinalities. In the case of broadcast encryption, keys are generated with respect to a random identity over a system of n identities. Note that in this encoding, keys have approximately t elements, and ciphertexts approximately n t group elements. Numbers in the above table correspond to the honest-but-curious version of our protocol.
We have also implemented an interactive ZK proof of knowledge based on our -protocol from Appendix C. In order to give an intuition of the overhead introduced by this proof (to achieve active security), we present the numbers corresponding to proof for the inner-product encoding:

Concluding remarks
We have presented an efficient protocol for blind key-generation, built on top of the general framework for attribute-based encryption introduced by Attrapadung [7]. Our construction can be instantiated with any BKG-compatible pair encoding, a new notion that we define in this work. Furthermore, we provide theoretical results that establish that every pair encoding can be transformed with minimal overhead into a BKG-compatible one. Consequently, our work significantly broadens the scope of blind key-generation ABE in terms of predicate expressivity and it can lead to more efficient constructions of oblivious transfer with finegrained access control.
Our experimental results show that our blind key-generation protocol introduces a reasonable overhead, comparable to the cost of normal key-generation, being suitable for real applications. We leave for future work to prove explicit asymptotic bounds on the complexity of our construction. Finally, we have focused on synthetic case studies. Combining our methods with more realistic case studies (such as electronic medical records or streaming of data over untrusted clouds) is a very interesting direction for future work.
Funding Not applicable.

Code availability Available now upon request (open source in the future).
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Proof of Lemma 1
Note that our notation allows us to handle the different cases w <ŵ and w ≥ŵ (or m <m and m ≥m) simultaneously. (Observe that the range [w+1,ŵ] is defined as empty if w ≥ŵ.) w, w,ŵ,m, m,m, n) and let (EncCt, EncK ey, Pair) be a ϒ-pair encoding for P. We define a new ϒ -pair encoding, (EncCt , EncK ey , Pair ), below, where ϒ = (w, max (w,ŵ), 0,m, max (m,m), 0, n+2) and then argue that it is a valid encoding for the same predicate P.

Define vectors 8s
To see reconstructability, note that, due to the correctness of the original encoding, for every (x, y) ∈ P, s E k y (r, (α,r), b) + c x (s,ŝ, b) F r = αs 1 and, because the right-hand side does not contain variablesŝ norr, it must be ( p, x), and k y (r , b ) ← EncK ey ( p, y) and (E , F ) ← Pair ( p, x, y).
The above is a polynomial equality and so, it must hold when we only consider the monomials that contain b n+2 , which gives us But now, looking at the coefficient of s i , for every i ∈ [w] in the above equality, we get E 1 k y (0 m , (0,r), 0 n ) = 0 w and, by linearity, we have that ( * ) the vector of polynomials E 1 k y (r, (α,r), b) does not depend onr.
By a very similar analysis based on variable b n+1 and the coefficient of r i , for i ∈ [m], we can deduce that 7 Observe that if w ≥ŵ, s = s. Analogously, if m ≥m, r = r. 8 Note that if w ≤ŵ,s = s and otherwise,s equals the firstŵ components of s. Analogously forr. 9 c x (s, b n+1s , b) denotes evaluation of polynomial c x : Z w p × Zŵ p × Z n p → Z p on value (s, (b n+1s1 , . . . , b n+1sŵ ), b).

Proof of Lemma 2
Proof It is known that, without loss of generality, we can consider pair encodings where the first polynomial of EncK ey is the only one that contains α and it is of the form α + r 1 b 1 .
This fact has already been used in the literature [4,9] for other purposes. It can be easily derived by applying generic dual transformation defined in [10] twice. (Note that the dual transformation is an involution and does not modify the predicate after being applied twice.) Lemma 2 is a direct consequence of the combination of the previous fact with our Lemma 1.

Proof of Theorem 1
Proof Observe that the part of the secret key that does not depend on y, i.e., r and EncK ey2( p), has been given to the user as {ρ i } i∈ [m] and {σ } ∈[m 2 ] respectively and these values have been computed exactly as in K eyGen. The remaining elements of the key have been computed (for every ∈ [m 1 ]) as: which is identically distributed to the output of K eyGen.

Proof of Theorem 2
Proof Note that view A 1 in the real world contains mpk and the messages from the user corresponding to M

Proof of Theorem 3
Proof In the real world, if (mpk, msk) ∈ K, the user's view will be formed by where φ ( ) i is the coefficient ofr i in the -th polynomial of EncK ey1( p, y), for every i ∈ [m]. Because every party is honest, note that view A 1 ≡ (mpk, msk) = view A 2 and observe that the simulated view is identically distributed to the real view view U 1 for any (mpk, y, msk) such that (mpk, msk) ∈ K. Finally, if (mpk, msk) / ∈ K, note that the user's view in the real world will consist only of random matrices (the authority will interrupt the Blind-K G protocol in Round 2), which can be easily simulated.

Proof of Theorem 4, security against malicious authorities
Proof In the real world, view A contains msk, mpk, the messages from the user corresponding to M i B and simulating a zero knowledge proof of knowledge π 1 for the NP-statement described in Round 1 of Fig. 3. Observe that the simulation is perfect, except for the zero-knowledge simulation error. Now from these simulated values, S will proceed exactly as algorithm A does in the real world, eventually producing some values { ρ i } i∈ [m] , { σ } ∈[m 2 ] and { τ } ∈[m 1 ] , together with a proof of knowledge π 2 for the NP-relation described in Round 2 of Fig. 3 w.r.t these values. The simulator will verify π 2 and if the proof is rejected, it will interrupt its execution (it will not send any message to the ideal functionality F ). If it is accepted, it will run the extractor algorithm on π 2 , to obtain values msk , and r = {r i } i∈ [m] , Then, the simulator will allow the secret key-generation by sending (msk , r ) to the ideal functionality F . Observe that if the extraction is successful, the secret key that U 2 will receive in the ideal world is distributed as the secret key that U 1 will obtain after finishing the protocol from Fig. 3. Note that there is only one msk that satisfies the above relation, but there exist many different values r . However, observe that all values of r that satisfy the relation will lead to the same secret key, since the actual key can be seen as a function of values V Therefore, the only difference between the real and the simulated views is due to the zeroknowledge error. To finished the proof note that we could convert any any distinguisher between the real and ideal views into a distinguisher for for the zero-knowledge property of the ZK scheme. To conclude, note that all the steps where conditioned on the event that extraction was successful. Therefore, the final bound must take into account the extraction error ε ext .

Proof of Theorem 5, security against malicious users
Proof On input (mpk, y), the authority will proceed exactly as algorithm U, producing mpk , and a proof π 1 , identically distributed to the values that U will send to A 1 in the real world.
The simulator will then verify π 1 with respect to the produced values and the relation described and Round 1 of Fig. 3. If the verification fails, S will interrupt its execution. Note that this happens with exactly the same probability A 1 rejects the proof in the real world and halts. If the proof is accepted, the simulator will run the extractor to obtain witness values {φ Observe that the Pedersen-like commitments M ( ) i are computationally binding under the discrete logarithm assumption in G 2 . Therefore, although there exist several witnesses for the NP relation, the extractor algorithm can only provide one of them (or otherwise, it can be used to solve the discrete logarithm problem). This guarantees that the witness that the simulator extracts is identically distributed to the witness that the malicious user may also extract (from its own proof) in the real world. Now, let k 1 be the vector of polynomials Because the pair encoding is algebraic, there exists y ∈ Y such that EncK ey1(y ) → k 1 . And, because the pair encoding is invertible, the simulator can find such y by running DecK ey(k 1 EncK ey2). Now, the simulator sends (mpk , y ) to the ideal functionality, obtaining sk y :=(sk 1 , . . . , sk m , sk 1 , . . . , skm) or ⊥. The case of ⊥ will occur only when the master secret key msk owned by A 2 , and mpk do not form a valid pair. In such a case, the simulator halts. Observe that, in the real world, A 1 (who owns the same msk) will detect that (mpk , msk) at the beginning of Round 2, with exactly the same probability S received ⊥ from F . In case of receiving a key, the simulator sets where φ ( ) i is the coefficient ofr i in the -th polynomial of EncK ey1( p, y), for every i ∈ [m]. As in the proof of honest-but-curious security, the above simulated values are identically distributed to the real view view U . We can conclude as in the proof of Theorem 4. For coefficients φ j ∈ Z p for all j ∈ [n], and a matrix Z over Z p of dimension (k+1)×(k+1), we define 10 Com mpk (φ 1 , . . . , φ n ; Z ):= j∈[n] φ j W j B + Z B 2 . In Fig. 4, we provide a zero-knowledge proof of knowledge for the relation : ∀i ∈[m], M i = Com mpk (φ {i,1} , . . . , φ {i,n} ; Z i ) ∧ ∀(i, j) ∈ , φ {i, j} = f (i, j) ∧ ∀(i, j) ∈ , φ {i, j} ∈{0, 1} ∧ ∀s ∈ , γ s = (i, j)∈ s g s (i, j)φ {i, j} ⎫ ⎬ ⎭ Such a protocol can be used to prove the relation described in the first round of Fig. 3. Note that, for the sake of simplicity in the notation, we have not considered the ∈ [m 1 ] indices in R 1 . In the majority of pair encodings, where the clusters do not involve elements between different polynomials, the generic conjunction of -protocols is enough to handle the necessary relation. For the rest of pair encodings (an example is the encoding from Example 3), it is not complicated to modify our -protocol consider all polynomials at the same time. Fig. 4 is perfectly complete, perfect special honest verifier zero-knowledge and 3-special sound.

Lemma 3 The protocol described in
For the sake of space, we do not include an explicit protocol for the relation in Round 2 of Fig. 3. We note that such a proof is necessary to satisfy the strong simulation-based security.
In practice, such a proof is not so critical. The user is interested in receiving a valid secret key for y and it can check the validity of the obtained key by encrypting messages for different values x and decrypting them with the key, verifying that decryption is successful whenever (x, y) ∈ P.   • Special honest verifier zero-knowledge. If the challenge e is known. A simulator can produce a valid transcript that is identically distributed to a transcript created by an honest prover, as follows.

Proof Of
(i) For every (i, j) ∈ , set β {i, j} :=e f (i, j) and ∀(i, j) / ∈ , sample β {i, j} ← $ Z p . (ii) For every s ∈ , pick some (i s , j s ) ∈ s such that g s (i s , j s ) = 0 and modify the value of β {i, j} so that (i, j)∈ s g s (i, j)β {i, j} = γ s e.  . Note that the simulation is perfect because in both a real transcript and the simulated transcript variables β {i, j} for all (i, j) / ∈ and matrices i and i for all i ∈ [m] are independent and uniformly random, modulo the condition (i, j)∈ s g s (i, j)β {i, j} = γ s e for all s ∈ . Furthermore, the value of β {i, j} for all (i, j) ∈ is completely determined, as well as matrices A i and C i for all i ∈ [m], in both kinds of proof.  evaluates to 0 in both e andê. If there existed a third valid answer to a different challenge but the first same message, the polynomial would have three roots, but its degree is at most 2. Therefore, it must be the zero polynomial (Z p is a field), and thus, the coefficient for x 2 must be zero: φ {i, j} ∈{0, 1}.