Blind key-generation attribute-based encryption for general predicates

Abstract

Attribute-based encryption (ABE) is a form of public-key encryption that allows fine-grained access control on encrypted data. Blind key-generation (BKG) attribute-based encryption (Rial, Designs, Codes and Cryptography 2016) is a variant in which the master authority issues secret keys without learning any information about the attributes associated to them. This extra functionality makes it an appealing building block for several applications. In this work, we extend the generic framework of ABE based on pair encodings (Attrapadung, Eurocrypt 2014) to support blind key-generation. In particular, we define two new notions of pair encodings that we coin BKG-compatible and algebraic pair encoding. We show that every encoding satisfies the former without loss of generality, whereas the latter is satisfied by all existing pair encodings from the literature. We then show how to enhance any ABE based on a BKG-compatible pair encoding to achieve honest-but-curious blind key-generation. In the case of algebraic encodings, our protocol admits a very efficient version, secure against malicious parties. The main advantage of our work is generality. Our protocol is designed over the recent and most advanced modular frameworks of ABE that can handle a rich variety of predicates.

1 Introduction

Attribute-based encryption (ABE), first conceived by Sahai and Waters [46] and later introduced by Goyal et al. [33], is a form of public-key encryption in which ciphertexts and keys have attributes attached and the decryption ability of a key on a ciphertext is determined by a potentially complex access control policy involving these attributes. In particular, it is guaranteed that the decryption of a ciphertext \(\textsf {ct}_x\) associated to attribute x with a secret key \(\textsf {sk}_y\) associated to attribute y succeeds if and only if these values satisfy the predicate, that is, \(P(x,y) = 1\). Note that this definition generalizes the original definition of ABE [33], introduced as key-policy ABE (KP-ABE), where values x correspond to Boolean vectors, while values y correspond to Boolean functions and the predicate \(P(x,y)\) is defined as \(y(x) = 1\) (in its dual version, i.e., ciphertext-policy ABE, x represents a Boolean function, while y represents a Boolean vector). Efficient ABE schemes exist for different predicates. For example, identity-based encryption (IBE) [45] can be obtained with the predicate \(P(x,y) {:}{=}(x = y)\), zero-inner product encryption (ZIPE) [34] can be obtained by setting , where \({\varvec{x}},{\varvec{y}}\) belong to some vector space; other examples are span programs [35], hierarchical IBE [39], large universe ABE [44], non-monotonic access structures [41], or regular languages [7, 48].

Predicate encryption (PE) [17, 34] is a generalization of ABE where the main syntactical difference is that ciphertexts do not explicitly include x and, therefore, it gives cause to considering the property of attribute-hiding where ciphertexts leak no information about the value x they were associated to. On the other hand, blind key-generation attribute encryption (BKG-ABE) [43] allows one to hide the attributes associated to the secret keys from the master authority.

Motivation. BKG-ABE is a powerful tool that achieves both fine tuning of access control and privacy protection. It can be of use in ABE scenarios where the user’s value y associated to the requested key needs to remain private because, for example, it may leak sensitive information about the user. (It may, however, require zero-knowledge proofs for the authority to verify that the user is eligible for the key.) For example, several works evaluate the suitability of ABE for applications such as enforcing privacy of Electronic Medical Records (EMR) [6] in a system where healthcare organizations export EMRs to external storage locations. Other examples are Sieve [50] or Streamforce [25], systems that provide enforced access control for user data and stream data in untrusted clouds. These scenarios are a clear example where the privacy of parties requesting secret keys can be a concern. They would benefit from a BKG implementation of the underlying ABE.

Another application of BKG-ABE, proposed by Rial [43], is oblivious transfer with fine-grained access control (OT-AC) [18, 19]. It is a generalization of OT and k-out-of-n OT, where a sender associates an access policy \(f_i\) to every message \(m_i\), for \(i \in [n]\), so that a receiver who owns a certificate on some Boolean vector y produced by a credential issuer obtains messages \(m_i\) if and only if \(f_i(y) = 1\). Furthermore, the sender gains no information about y.

We further propose to use BKG-ABE on the framework of secure computation to achieve more security guarantees. The strongest notions of security for secure computation capture no leakage of information against malicious parties arbitrarily deviating from the protocol. However, it may be the case that the correctness of the input is defined according to some context and this is out of the scope of the secure computation defined to be modular for generality. Accordingly, an extra mechanism for defining and guaranteeing the correctness of inputs will be performed to prevent malicious parties from lying on their input to the computation. Now, consider a scenario of secure computation between two parties, where Alice (with input x) owns a commitment \(\sigma \) to Bob’s input y and wants to make sure that Bob uses such input in the execution of the secure computation of f(x, y). This could be achieved by using an extra zero-knowledge proof. Other less modular solution would be to modify the circuit to be computed in such a way that it takes \(\sigma \) as an extra input from Alice; it takes the opening information \(\delta \) as an extra input from Bob; and returns f(x, y) if \(\delta \) is a valid opening of \(\sigma \) or \(\bot \) otherwise. These approaches however can introduce a prohibitive overhead in the performance of the original protocol. BKG-ABE would provide a solution with reasonable efficiency. Especially if the commitment scheme used is a Pedersen-like commitment as in the first round of our BKG protocol (Sect. 3). For example, consider an ABE scheme for the predicate \(P((i,\gamma ), {\varvec{y}}) {:}{=}({\varvec{y}}_i = \gamma )\), for \(\mathcal {X}{:}{=}[n] \times \{0,1\}\) and \(\mathcal {Y}= \{0,1\}^n\) (an encoding for this predicate can be found in [2]). Alice could create a garbled circuit for f, use ABE to encrypt every input label \(\ell _b^{(i)}\) (corresponding to Bob’s input) under value \(x {:}{=}(i, b)\) for all \(i \in [n]\), \(b \in \{0,1\}\). Then, she could send everything to Bob; together with the answer of the second round of our BKG protocol, having interpreted the commitment \(\sigma \) that she owns as the message from the first round. This way Bob will only be able to recover labels \(\ell _{y_{i}}^{(i)}\), for \(i \in [n]\) (and use them to evaluate the garbled circuit), as desired.

We note that this application is not specific to BKG-ABE and could be achieved via OT-AC. However, our particular protocol for BKG-ABE is especially suitable for it.

Modular frameworks for ABE. In 2014, Wee [49] and Attrapadung [7] independently proposed two generic and unifying frameworks for designing attribute-based encryption schemes for different predicates. Both works define a simple primitive called encoding and follow the dual system methodology by Lewko and Waters [38, 47] to construct a compiler that on input an encoding (for certain predicate \(P\)), produces a fully secure attribute-based encryption scheme for \(P\). Wee defines the so-called predicate encodings, an information-theoretic primitive inspired by linear secret sharing, while Attrapadung introduces the notion of pair encodings, a similar primitive that admits both information-theoretic and computational security definitions. These frameworks remarkably simplify the design and study of ABE schemes: the designer can focus on the construction of the simpler encodings (for the desired predicate), which require weaker security properties that are more easily verifiable. In fact, the potential of this new frameworks is evidenced by the invention of new constructions and performance improvements on existing primitives. Although these frameworks were designed over composite over groups, they were both extended in [20] and [8] respectively to the prime-order setting (under the Matrix-DH assumption).

Pair encodings are the building block in which Attrapadung’s framework relies. Informally, a pair encoding is a function from attributes to polynomials, which will be evaluated in the exponent of an algebraic group by the key-generation and encryption ABE algorithms. Such polynomials are restricted in their form (Sect. 2.2, Definition 2), which is crucial for the key-generation and encryption algorithms to be efficiently computable. In particular, they contain two types of variables: lone and non-lone variables. Lone variables always appear “alone” in degree-1 monomials (such monomials correspond to secret randomness generated during key-generation and encryption), whereas non-lone variables always appear multiplied by another non-lone variable in a degree-2 monomial (such monomials represent the combination of secret randomness with the randomness contained in public parameters).

1.1 Our contribution

We pursue the study of attribute-based encryption in the framework of pair-encodings and provide new results to broaden its scope.

New definitions about pair encodings. We define two new notions related to pair encodings: BKG-compatible encodings and algebraic encodings. The former notion establishes certain conditions on a pair encoding scheme that are sufficient for constructing very efficient blind key-generation protocols. Namely, we require that (i) the key-encoding polynomials that depend on the master secret \(\alpha \) be independent of the value y associated to the key and (ii) the so-called lone variables can be linearly removed from all the key-encoding polynomials that depend on y. The first condition ensures that the computation of the key-generation that depends on the master secret key is independent of the value y and thus, can be performed by the authority without obtaining any information about y. The second condition guarantees that the user who requested the key will be able to remove the blinding factor (introduced by himself) after the communication with the authority. We show that any pair encoding can be transformed with minimal overhead¹ into an equivalent BKG-compatible pair encoding. In fact, we provide a stronger result: every pair encoding can be modified into an equivalent one that does not contain lone variables apart from \(\alpha \) (Sect.  3.2, Lemma 1). This result is of independent interest, as it could lead to improvements on our understanding of pair-encodings and their expressivity.

Generic framework for blind key-generation ABE. We equip the generic framework of attribute-based encryption from pair encodings with a protocol for blind key-generation (Sect. 3.3). Our protocol is two-round: (1) the user sends a key request that information-theoretically hides its value y; (2) the authority replies back with a piece of information from which the user can derive a secret key \(\textsf {sk}_y\). The protocol is secure against honest-but-curious adversaries and it is defined for any attribute-based encryption scheme that is based on a \({{{BKG}}}\) compatible pair encoding.

We then show that if the underlying encoding is algebraic, the zero-knowledge proof of knowledge sufficient for achieving active security can be implemented very efficiently with the \(\Sigma \)-protocol that we provide in Appendix .

Implementation. We implement our protocol and compare its performance with the normal key-generation algorithm (of the ABE framework based on pair encodings). Our experiments show that both rounds of our protocol require a computational cost comparable to the one of the normal key-generation, making it suitable for real applications.

1.2 Overview of our protocol for blind key-generation

Normal key-generation for an ABE based on pair encodings requires several computations of the form

$$\begin{aligned} \widetilde{\textsf {sk}}_\ell {:}{=}h_\textsf {msk}^{\phi ^{{{(\ell )}}}} \,{\cdot }\, \textstyle \prod _{i \in [{\hat{m}}]} {\hat{h}}_{\{i,0\}}^{\phi ^{{{(\ell )}}}_{i}} \cdot \prod _{\begin{array}{c} i \in [m]\\ j \in [n] \end{array}} h_{\{i,j\}}^{\phi ^{{{(\ell )}}}_{\{i,j\}}}, \end{aligned}$$

where \(\widetilde{\textsf {sk}}_\ell \) is the \(\ell \)-th element of the secret key being generated; the exponents \(\phi \) are the coefficients of the polynomials associated to the encoding of y, and the bases h are elements of a dual system group (DSG) [23, 24]. A DSG is an abstraction that contains a bilinear group, i.e., a triple of abelian groups \((\mathsf{G},\mathsf{H},\mathsf{G}_{\mathsf{t}})\) and a non-degenerate bilinear map \(e : \mathsf{G}\times \mathsf{H}\rightarrow \mathsf{G}_{\mathsf{t}}\), these groups are usually implemented through prime-order groups, typically as vectors of prime-order group elements as in the DSG instantiation from k-lin, see Online Appendix. DSG are equipped with additional algorithms that can be used to simulate properties of composite-order groups that are they core of security proofs in the standard model, e.g., the existence of cyclic subgroups of unknown order.

Observe that \(h_\textsf {msk}\) is only known to the authority and that the other group elements from the above formula are freshly sampled on every key-generation. On the other hand, the exponents are only known to the user requesting the key. In order to perform blind key-generation, it would be sufficient to have a two-party protocol for the functionality \({{\mathcal {F}}}_{A,U}((h_1,\dots ,h_n); (x_1,\dots ,x_n)) \rightarrow (\bot ;\, \textstyle \prod _{i}h_i^{x_i})\).

Below, we propose a simple protocol that implements such functionality over a group of prime-order p, based on the Diffie-Hellman assumption. (This is not the main construction proposed in this work, but serves as a warm-up example and could be adopted for simple ABE constructions.) Let g be a generator of the group:

1. 1.

   Party A (Authority) masks every \(h_i\) by sampling a random , setting \(a_i {:}{=}(h_i^{r_i}, g^{r_i})\) and sending every \(a_i\) to party U.

2. 2.

   Party U (User) now samples and computes \(b_i {:}{=}(h_i^{r_i})^{x_i}{\cdot } (g^{r_i})^{t_i}\) for every i, sending them back to A.

3. 3.

   Finally, A computes \(c {:}{=}\prod _{i}b_i^{{{1\!/\!r_i}}}\) and sends it to U, who computes the desired value as \(c\cdot \prod _{i}g^{-t_i}\).

The above protocol can be directly used on ABE constructions implemented over a prime-order group. Such constructions are only known to be secure in the generic group model [1]. For ABE schemes proven secure in the standard model, all existing constructions to date use a dual system group as underlying group. Known instantiations of DSGs [8, 20, 36] are based on the k-Lin assumption (or the Matrix-DH assumption [26, 40]) and lead to groups that have prime exponent, but not prime order. (Such groups are typically implemented as vectors of prime-order groups.) In fact, such DS groups are not cyclic and thus, the multiplicative masking \(h_i^{r_i}\) does not information-theoretically hide \(h_i\). Consequently, the above generic protocol may not be directly applicable to constructions based on DSG. One could, however, apply the technique from the above protocol coordinate-wise on the DSG elements, that way maskings would perfectly hide the corresponding value. (This approach would also require both parties to provide additional zero-knowledge proofs that they are acting consistently in each coordinate, e.g., that the user U has used the same exponent \(x_i\) in all coordinates of the corresponding DSG element.) Our main construction is a blink-key generation protocol with better communication complexity (it does not need to operate coordinate-wise and it will not require the additional ZK proofs) and with only two rounds of interaction (note that the above protocol requires three rounds).

The main blind-key generation scheme proposed in this work exploits the specific structure of the dual system groups built from k-Lin, at the cost of not being generic for any DSG. In a nutshell, in the k-Lin implementation of dual system groups, the elements \(h_{\{i,0\}}\) are sampled by taking and computing \(h_{\{i,0\}} {:}{=}\llbracket B \rrbracket _{\mathsf{2}} {\varvec{r_i}}\),² whereas \(h_{\{i,j\}}\) is computed as \(\llbracket W_jB \rrbracket _{\mathsf{2}} {\varvec{r}}_i\), for all \(i \in [m]\) and all \(j \in [n]\). Here, \(\llbracket B \rrbracket _{\mathsf{2}}\) and \(\llbracket W_jB \rrbracket _{\mathsf{2}}\) are part of the public key, where B and \(W_j\) are matrices with coefficients over \(\mathbb {Z}_p\).

For simplicity, we assume here that the encoding does not contain lone variables (i.e., the coefficients of the form \(\phi _i^{{{(\ell )}}}\) are all zero). The idea of our protocol is that the user will compute , for every i and \(\ell \), from the public key and will mask them with \(\llbracket Z_{i}\!^{{{(\ell )}}}B \rrbracket _{\mathsf{2}}\), for uniformly sampled matrices \(Z_i^{{{(\ell )}}}\). The authority will instead sample the random vectors \({\varvec{r}}_i\) and use the previous values to compute

Vectors \({\varvec{r}}_i\) will also need to be used by the authority in the computation of the rest of polynomials that are independent of y. Our requirements on BKG-compatible pair encodings guarantee that the extra terms \(\llbracket Z_i^{{{(\ell )}}}B \rrbracket {\varvec{r}}_i\), can be removed by the user, recovering a genuine secret key for y.

1.3 Related work

Blind key-generation. The notion of blind key-generation was first introduced by Green and Hohenberger [28] in the framework of identity-based encryption. The authors provide a protocol for blind key-generation of the Boneh-Boyen IBE [11] and show how to construct very efficient oblivious transfer (OT) [42] protocols from blind key-generation IBE schemes that satisfy some extra conditions. A subsequent work to [28] by Rial [43] extends the notion of blind key-generation to the framework of attribute-based encryption, and shows how to use it for building OT with fine-grained access control. The construction by Rial defines a blind key-generation algorithm for the CP-ABE of [16]. This ABE scheme has the property that secret keys are formed as a concatenation of pieces, each corresponding to one of the attributes included in the key. In a nutshell, Rial’s idea for blind key-generation is that the authority will create a key for all attributes and the user will get only the parts corresponding to the attributes of their choice via a k-out-of-n adaptive OT. Note that Rial’s technique allows to upgrade an adaptive k-out-of-n OT protocol to OT-AC. Observe that this approach is limited to CP-ABE schemes with the above property of separation between attributes in the key.

Blind functional encryption. In a very recent work, Canard et al. [21] considered the notion of blind key-generation in the context of functional encryption. They argue that blind-key generation can be achieved generically (but somewhat inefficiently) by using homomorphic encryption and zero-knowledge proofs and give a specific efficient construction for the inner-product functionality.

The main advantage of our work with respect to these related works is generality. Our protocol is designed over the recent and most advanced modular frameworks of ABE that provide a rich variety of predicates. In particular, it can be applied to all the encodings from the literature [3, 4, 7,8,9, 20].

2 Background

We consider a bilinear group generator \({{\mathcal {G}}}\) that, on input the security parameter \(\lambda \), outputs an asymmetric bilinear group \((p, G_{\mathsf{1}}, G_{\mathsf{2}}, G_{\mathsf{t}}, g_\mathsf{1}, g_\mathsf{2}, e : G_{\mathsf{1}}\times G_{\mathsf{2}}\rightarrow G_{\mathsf{t}})\), where \(g_\mathsf{t} {:}{=}e(g_\mathsf{1},g_\mathsf{2})\) is a generator of \(G_{\mathsf{t}}\). For \(a \in \mathbb {Z}_p\), we use \(\llbracket a \rrbracket _{i}\) to denote the implicit representation \(g_i^a\) of a in \(G_i\), for \(i \in \{\mathsf{1},\mathsf{2},\mathsf{t}\}\), following [26]. For a matrix \(A \in \mathbb {Z}_p^{m\times n}\) and a group element g, we abuse notation and write \(g^{A}\) or \(\llbracket A \rrbracket \) to represent the matrix formed by powering g to the elements of A. We use \(A_{i,j}\) to denote the element of A that appears in the i-th row and the j-th column of A; the i-th element of a vector \({\varvec{v}}\) is denoted as \(v_i\). Given a matrix of group elements \(A \in G^{m\times n}\) and a vector \({\varvec{v}} \in \mathbb {Z}_p^n\), we denote by \(A {\varvec{v}}\) the vector of group elements obtained by multiplying each row of A by the scalar vector \({\varvec{v}}\) as a scalar multi-exponentiation, that is the k-th element of \(A{\varvec{v}}\) is defined as \(\prod _{i = 1}^{n}A_{k,i}^{v_i}\) We denote by \({\varvec{0}}_{\text {{n}}}\) the zero vector of length n. We use the \(\parallel \) symbol for concatenation of lists or vectors. For a vector \({\varvec{v}}\) we denote its length by \(|{\varvec{v}}|\). Given a matrix \(A \in \mathbb {Z}_p^{m \times n}\) and a set of indices \(\Phi \subseteq [m]\), we define \(A_{\Phi }\) as the matrix formed by the rows of A whose index is in \(\Phi \).

Given a predicate \(P: \mathcal {X}\times \mathcal {Y}\!\rightarrow \! \{0,1\}\), we write \((x,y) \!\in \! P\) to denote \(P(x,y)\,{=}\,1\). For a pair of integers \(m,n \in \mathbb {N}\) we define [m, n] as the range \(\{m,\dots ,n\}\) and we write [n] to represent [1, n]. In case \(m > n\), [m, n] is defined as the empty set. For a finite set S, denotes that x is uniformly sampled from S. Given a multi-variate polynomial \(f({\varvec{X}}) \in \mathbb {Z}_p[{\varvec{X}}]\), we denote by \(f({\varvec{x}})\) the evaluation of polynomial f on values \({\varvec{x}}\). This notation is extended to vectors of polynomials \({\varvec{f}}\) if every polynomial in the vector is defined with respect to the same variables. We sometimes group variables in classes as \(f({\varvec{X}}, {\varvec{Y}}) \in \mathbb {Z}_p[{\varvec{X}}, {\varvec{Y}}]\). When the variables associated to a polynomial are clear from the context we simply write f instead of \(f({\varvec{X}}, {\varvec{Y}})\).

2.1 Attribute-based encryption

Attribute-based encryption (ABE) [46] is a form of of public-key encryption that supports fine-grained access control for encrypted data. An attribute-based encryption scheme for a predicate \(P\) guarantees that decryption of a ciphertext \(\textsf {ct}_x\) with a secret key \(\textsf {sk}_y\) is allowed if, and only if, the value x associated to the ciphertext \(\textsf {ct}\) and the value y associated to the secret key \(\textsf {sk}\) verify the predicate \(P\), i.e., \((x,y) \in P\).

Definition 1

(Attribute-based encryption) Given a predicate \(P: \mathcal {X}\times \mathcal {Y}\rightarrow \{0,1\}\), an attribute-based encryption scheme is tuple of polynomial-time algorithms \(\{\mathsf{Setup}, \mathsf{Enc}, \mathsf{KeyGen}, \mathsf{Dec}\}\) where:

• \(\mathsf{Setup}(1^\lambda ,\mathcal {X},\mathcal {Y}) \rightarrow (\textsf {mpk}, \textsf {msk})\), on input the security parameter \(\lambda \) and value universes \(\mathcal {X}, \mathcal {Y}\), outputs a master public key and a master secret key.

• \(\mathsf{Enc}(\textsf {mpk},m, x)\rightarrow \textsf {ct}_x\), on input \(\textsf {mpk}\), a message and \(x \in \mathcal {X}\), outputs \(\textsf {ct}_x\).

• \(\mathsf{KeyGen}(\textsf {msk},y) \rightarrow \textsf {sk}_y\), on input \(\textsf {msk}\) and \(y \in \mathcal {Y}\), outputs a secret key \(\textsf {sk}_y\).

• \(\mathsf{Dec}(\textsf {mpk},\textsf {sk}_y,\textsf {ct}_x,x) \rightarrow m/\bot \), on input \(\textsf {sk}_y\) and \(\textsf {ct}_x\), outputs a message m if \(P(x,y) = 1\) or \(\bot \) otherwise.

Without loss of generality and even if we do not make it explicit, we assume \(\textsf {msk}\) always contains \(\textsf {mpk}\). In blind key-generation ABE there exists an extra two-party protocol executed between a user U and the master authority A:

• \(\mathsf{Blind\text {-}KG}_{{\textsc {U}},{\textsc {A}}}((\textsf {mpk}, y); \textsf {msk}) \rightarrow (\textsf {sk}_y;\, \bot )\), on input the master public key and a value y from the user and on input the master secret key from the authority, the user gets a secret key for y, whereas the authority learns nothing.

2.2 Pair encodings

Pair encodings are the building block for constructing ABE on which Attrapadung [7,8,9] and Agrawal and Chase [3, 4] rely. Note that, in this work, we adopt the most modern definition of pair encodings, introduced in [4], where some of the structural constraints on the polynomials are explicit thanks to the separation between lone and non-lone variables.

Definition 2

(Pair encoding) Let \(P: \mathcal {X}\times \mathcal {Y}\rightarrow \{0,1\}\) be a binary predicate over finite sets \(\mathcal {X}\) and \(\mathcal {Y}\). For a prime \(p \in \mathbb {N}\) and \(\Upsilon = ({\bar{w}},w,{\hat{w}},{\bar{m}},m,{\hat{m}},n) \in \mathbb {N}^7\), let

$$\begin{aligned}&{\varvec{b}} = (b_1,\dots ,b_n)&{\varvec{s}} = (s_1,\dots ,s_w)&{\varvec{r}} = (r_1, \dots , r_m) \\&{\varvec{{\hat{s}}}} = ({\hat{s}}_1,\dots , {\hat{s}}_{{\hat{w}}})&{\varvec{{\hat{r}}}} = (\alpha ,{\hat{r}}_1,\dots , {\hat{r}}_{{\hat{m}}})\\ \end{aligned}$$

be formal variables. A \(\Upsilon \)-pair encoding scheme (PES) for \(P\) consists of three deterministic and efficiently computable algorithms:

• \(\mathsf{EncCt}(p,x)\): maps \(x \in \mathcal {X}\) into a vector of \({\bar{w}}\) polynomials, \({\varvec{c}}_x\), in \(\mathbb {Z}_p[{\varvec{s}},{\varvec{{\hat{s}}}},{\varvec{b}}]\).

• \(\mathsf{EncKey}(p,y)\): maps \(y \in \mathcal {Y}\) into a vector of \({\bar{m}}\) polynomials, \({\varvec{k}}_y\), in \(\mathbb {Z}_p[{\varvec{r}},{\varvec{{\hat{r}}}},{\varvec{b}}]\).

• \(\mathsf{Pair}(p,x,y)\): maps \(x \in \mathcal {X}\) and \(y \in \mathcal {Y}\) into a pair of matrices \(E^{x,y}, F^{x,y}\) with coefficients in \(\mathbb {Z}_p\) of dimensions \(w \times {\bar{m}}\) and \({\bar{w}} \times m\) respectively.

We require that the following properties be satisfied (for all p prime):

reconstructability::

  For every \((x,y) \in P\), holds symbolically, where \({\varvec{c}} \leftarrow \mathsf{EncCt}(p,x)\), \({\varvec{k}} \leftarrow \mathsf{EncKey}(p,y)\), \((E, F) \leftarrow \mathsf{Pair}(p,x,y)\).

polynomial constraints::

For every \(x \in \mathcal {X}\), the polynomials in \(\mathsf{EncCt}(p,x)\) only contain monomials of the form \({\hat{s}}_{i'}\), or \(s_ib_j\), for \(i' \in [{\hat{w}}], i \in [w]\), \(j \in [n]\). Furthermore, for every \(y \in \mathcal {Y}\), the polynomials in \(\mathsf{EncKey}(p,y)\) only contain monomials of the form \(\alpha \), \({\hat{r}}_{i'}\) or \(r_ib_j\) for \(i' \in [{\hat{m}}], i \in [m]\), \(j \in [n]\). Thus, \({\varvec{{\hat{s}}}}, {\varvec{{\hat{r}}}}\) are called lone variables, whereas \({\varvec{s}},{\varvec{r}}\) are called non-lone variables.

security (non-reconstructability)::

For every \((x,y) \not \in P\), and for every pair of matrices E and F with coefficients in \(\mathbb {Z}_p\), , where \({\varvec{c}} \leftarrow \mathsf{EncCt}(p,x)\) and \({\varvec{k}} \leftarrow \mathsf{EncKey}(p,y)\).

When it is clear from the context, we may omit p from the input to the encoding algorithms.

Remark 1

There exist several security notions for pair encodings (information-theoretic and also computational) [7]. The one we adopted in Definition 2 was introduced by Agrawal and Chase [4]. Our blind KG protocol works for all pair encodings, independently of the security notion.

Remark 2

Other works [3, 4, 9] define pair encodings for a family of predicates \(P_{\kappa } : \mathcal {X}_{\kappa } \times \mathcal {Y}_{\kappa } \rightarrow \{0,1\}\), indexed by \(\kappa = (p, \mathsf{par})\), where \(\mathsf{par}\) specifies some parameters (including the security parameter \(\lambda \)) and consider one extra algorithm, \(\mathsf{Param}\), that on input \(\mathsf{par}\), outputs \(n \in \mathbb {N}\) specifying the number of common variables. In our definition, for the sake of simplicity, we omit such algorithm. However, one could think of the elements in \(\Upsilon \) as polynomials³ (over \(\mathbb {Z}\)) in the security parameter \(\lambda \). And one could define \(\mathsf{Param}\) as the algorithm that evaluates the polynomial \(n(\lambda )\) on the given security parameter and outputs the corresponding integer.

2.3 Attribute-based encryption from pair encodings

The compiler from pair encodings to attribute-based encryption is defined over bilinear groups (implemented as dual system groups) and, roughly, works as follows. To encrypt a message \(M \in G_{\mathsf{t}}\), this is multiplied by a blinding factor \(g_\mathsf{t}^{\alpha s}\), where s is fresh randomness and \(g_\mathsf{t}^{\alpha }\) is part of the public key, being \(g_\mathsf{t}{:}{=}e(g_\mathsf{1}, g_\mathsf{2})\). Ciphertexts contain additional group elements that can be combined with the elements of a valid secret key in order to recover the blinding factor and, consequently, the message. In short, and following the notation from Definition 2, the compiler could be summarized as:

$$\begin{aligned}&\textsf {mpk}= \big \{ g_\mathsf{t}^{\alpha },\, g_\mathsf{1}^{{\varvec{b}}},\, g_\mathsf{2}^{{\varvec{b}}} \big \}&\textsf {ct}_x = \bigg \{ g_\mathsf{1}^{{\varvec{s}}},\, g_\mathsf{1}^{{\varvec{c}}_x({\varvec{s}},{\varvec{{\hat{s}}}},{\varvec{b}})},\, M \,{\cdot }\, g_\mathsf{t}^{\alpha s_1} \bigg \} \\&\textsf {msk}= \{g_\mathsf{2}^\alpha \}&\textsf {sk}_y = \bigg \{ g_\mathsf{2}^{{\varvec{r}}},\, g_\mathsf{2}^{{\varvec{k}}_y({\varvec{r}},(\alpha , {\varvec{{\hat{r}}}}),{\varvec{b}})} \bigg \} \end{aligned}$$

For the purpose of this paper, a formal definition of the setup and the key-generation algorithm is sufficient. For the sake of simplicity, we omit the description of the other algorithms and include a complete definition of the compiler in Online Appendix. (We refer to [4, Sect. 5.4] for further details.) Observe that in the following definition we have already adopted the DSG implementation based on k-Lin (see Online Appendix and also [20]), because our blind key-generation protocol is defined for this instantiation.

Definition 3

(Attribute-based encryption from pair encodings) Given a \(\Upsilon \)-pair encoding \((\mathsf{EncCt}, \mathsf{EncKey}, \mathsf{Pair})\), with \(\Upsilon = ({\bar{w}},w,{\hat{w}},{\bar{m}},m,{\hat{m}},n)\), for predicate \(P: \mathcal {X}\times \mathcal {Y}\rightarrow \{0,1\}\), we can construct an attribute-based encryption scheme whose setup and key-generation algorithms are as follows:

• \(\mathsf{Setup}(1^\lambda ,\mathcal {X},\mathcal {Y})\): sample a bilinear group \((p,G_{\mathsf{1}},G_{\mathsf{2}},G_{\mathsf{t}},g_\mathsf{1},g_\mathsf{2},{\hat{e}}) \leftarrow {{\mathcal {G}}}(1^\lambda )\) and sample matrices from the k-Lin distribution⁴\((A,{\varvec{a^{\bot }}}) \leftarrow {{\mathcal {D}}}_k\), \((B,{\varvec{b^{\bot }}}) \leftarrow {{\mathcal {D}}}_k\). Sample matrices \(W_1, \dots , W_n\) uniformly over \(\mathbb {Z}_p\) of dimension \((k{+}1)\times (k{+}1)\). Sample , let \(h_\textsf {msk}{:}{=}\llbracket {\varvec{\alpha }} \rrbracket _{\mathsf{2}}\) and set

  

  Output \((\textsf {mpk}, \textsf {msk})\).

• \(\mathsf{KeyGen}(\textsf {msk},y)\): run \(\mathsf{EncKey}(p,y)\) to obtain polynomials \({\varvec{k}}_y({\varvec{r}},{\varvec{{\hat{r}}}},{\varvec{b}})\). For every \(\ell \in [k]\), let the \(\ell \)-th polynomial in \({\varvec{k}}_y\) be

  $$\begin{aligned} \phi ^{{{(\ell )}}}\alpha + \sum _{i \in [{\hat{m}}]} \phi ^{{{(\ell )}}}_i {\hat{r}}_i + \sum _{i \in [m]}\sum _{j \in [n]} \phi ^{{{(\ell )}}}_{\{i,j\}} r_i b_j \end{aligned}$$

  for some coefficients \(\phi ^{{{(\ell )}}}\), \(\phi ^{{{(\ell )}}}_i\) and \(\phi ^{{{(\ell )}}}_{\{i,j\}}\) in \(\mathbb {Z}_p\). Now do:

  

  Let the secret key \(\textsf {sk}_y\) be \( \textsf {sk}_y {:}{=}\left( \textsf {sk}_1, \dots , \textsf {sk}_m,\, \widetilde{\textsf {sk}}_1, \dots ,\, \widetilde{\textsf {sk}}_k \right) \) where for every \(i \in [m]\), \(\textsf {sk}_i {:}{=}h_{\{i,0\}}\); and for every \(\ell \in [k]\), \(\widetilde{\textsf {sk}}_{\ell }\) is computed as

  $$\begin{aligned} \widetilde{\textsf {sk}}_\ell {:}{=}h_\textsf {msk}^{\phi ^{{{(\ell )}}}} \,{\cdot }\, \prod _{i \in [{\hat{m}}]} {\hat{h}}_{\{i,0\}}^{\phi ^{{{(\ell )}}}_{i}} \cdot \prod _{i \in [m]} \prod _{j \in [n]} h_{\{i,j\}}^{\phi ^{{{(\ell )}}}_{\{i,j\}}}. \end{aligned}$$

  Output \(\textsf {sk}_y\).

3 Blind key-generation ABE

In this section we first introduce a formal security definition for blind key-generation ABE (Sect. 3.1), we then present our BKG scheme (Sect. 3.2), which is compatible with the compiler of ABE based on pair encodings [4, 8].

3.1 Security definition

The security notion of blind key-generation ABE is formally captured by the following ideal functionality.

Definition 4

(Ideal functionality for blind key-generation) The ideal functionality \({{\mathcal {F}}}\) for blind key-generation is defined as follows.

1. 1.

   On input a pair \((\textsf {mpk}, y)\) from the user, \({{\mathcal {F}}}\) sends the master public key \(\textsf {mpk}\) to the authority and waits for a response.

2. 2.

   If the authority allows the computation, it replies back to \({{\mathcal {F}}}\) with a secret key \(\textsf {msk}\) and some randomness r.

3. 3.

   Now, \({{\mathcal {F}}}\) checks if \((\textsf {mpk}, \textsf {msk}) \in {{\mathcal {K}}}\), i.e., if the secret key is valid with respect to the received \(\textsf {mpk}\) from the user. If so, it executes \(\textsf {sk}_y \leftarrow \mathsf{KeyGen}(\textsf {msk},y; r)\) and sends \(\textsf {sk}_y\) to the user; otherwise it sends \(\bot \) to the user.

Here, we denote by \((\textsf {mpk}, \textsf {msk}) \in {{\mathcal {K}}}\) the fact that there exists some randomness s such that \((\textsf {mpk}, \textsf {msk}) \leftarrow \mathsf{Setup}(1^\lambda , \mathcal {X}, \mathcal {Y}; s)\).

Remark 3

Observe that deciding whether \((\textsf {mpk}, \textsf {msk}) \in {{\mathcal {K}}}\) can be done efficiently for the ABE scheme from Definition 3. We will assume, without loss of generality, that the master secret key includes the master public key. That way, for every valid \(\textsf {msk}\) there exists exactly one \(\textsf {mpk}\) such that \((\textsf {mpk}, \textsf {msk}) \in {{\mathcal {K}}}\).

Security of blind key-generation ABE, defined with respect to the above ideal functionality, is schematized in Fig. 1. In words, let \({\textsc {A}}\) and \({\textsc {U}}\) be two arbitrary stateful algorithms. Let \( Real _{{\textsc {U}},{\textsc {A}}}(\textsf {mpk},y,\textsf {msk})\) be the following distribution. Algorithm \({\textsc {U}}\) takes as input \((\textsf {mpk},y)\), whereas \({\textsc {A}}\) takes as input \(\textsf {msk}\); both \({\textsc {U}}\) and \({\textsc {A}}\) execute the \(\mathsf{Blind\text {-}KG}\) protocol on their inputs, but may deviate arbitrarily from the protocol; let \({\textsf {view}}_{{\textsc {U}}}\) and \({\textsf {view}}_{{\textsc {A}}}\) be their respective final view. Return \(({\textsf {view}}_{\textsc {U}}, {\textsf {view}}_{\textsc {A}})\). Let \( Ideal _{{\textsc {U}},{\textsc {A}}}(\textsf {mpk},y,\textsf {msk})\) be the distribution where algorithm \({\textsc {U}}\) takes as input \((\textsf {mpk},y)\) and produces a (possibly modified) pair \((\textsf {mpk}', y')\) that is sent to the ideal functionality \({{\mathcal {F}}}\) (Definition 4); analogously, \({\textsc {A}}\) takes as input \(\textsf {msk}\), and when it receives \(\textsf {mpk}\) from \({{\mathcal {F}}}\), if it decides to allow the computation, it produces a (possibly modified) key \(\textsf {msk}'\) and randomness r, which sends to \({{\mathcal {F}}}\); otherwise, it sends \(\bot \) to \({{\mathcal {F}}}\). Let \({\textsf {view}}_{\textsc {U}}\) and \({\textsf {view}}_{\textsc {A}}\) be their respective final views. Return \(({\textsf {view}}_{\textsc {U}}, {\textsf {view}}_{\textsc {A}})\).

Fig. 1

Protocol \(\mathsf{Blind\text {-}KG}\) is secure if algorithm D, who can control \(\textsf {mpk}, y\) and \(\textsf {msk}\), cannot distinguish between the real world and the ideal world based on the views \(({\textsf {view}}_{\textsc {U}}, {\textsf {view}}_{\textsc {A}})\). For security against malicious users (Definition 5), algorithm \({\textsc {U}}_\mathrm{real}\) is arbitrary, \({\textsc {U}}_\mathrm{ideal}\) is a simulator, and \({\textsc {A}}_\mathrm{real}\), \({\textsc {A}}_\mathrm{ideal}\) are honest algorithms. For security against malicious authorities (Definition 6), \({\textsc {A}}_\mathrm{real}\) is arbitrary, \({\textsc {A}}_\mathrm{ideal}\) is a simulator, and \({\textsc {U}}_\mathrm{real}\), \({\textsc {U}}_\mathrm{ideal}\) are honest

Definition 5

(Security from malicious users) Protocol \(\mathsf{Blind\text {-}KG}\) is said to be secure against malicious users if and only if, for every PPT algorithm \({{\mathcal {U}}}\) there exists a PPT simulator \({{\mathcal {S}}}\) such that for all \((\textsf {mpk}, y, \textsf {msk})\),

$$\begin{aligned} Real _{{{\mathcal {U}}},{\textsc {A}}_1}(\textsf {mpk},y,\textsf {msk}) \, \approx _{c}\, Ideal _{{{\mathcal {S}}},{\textsc {A}}_2}(\textsf {mpk},y,\textsf {msk}) \end{aligned}$$

where \({\textsc {A}}_1\) is an algorithm that honestly follows the \(\mathsf{Blind\text {-}KG}\) protocol (as the authority) and \({\textsc {A}}_2\) is an algorithm that passes its input to \({{\mathcal {F}}}\) without modification.

Remark 4

The above definition expresses the standard simulation-based security which guarantees that all existing attacks in the real world are in fact inherent: they can also be mounted in the ideal world, where parties (authority and user) interact through an incorruptible and trusted third party.

Definition 6

(Security from malicious authorities) Protocol \(\mathsf{Blind\text {-}KG}\) is said to be secure against malicious authorities if and only if, for every PPT algorithm \({{\mathcal {A}}}\) there exists a PPT simulator \({{\mathcal {S}}}\) such that for all \((\textsf {mpk}, y, \textsf {msk})\),

$$\begin{aligned} Real _{{\textsc {U}}_1,{{\mathcal {A}}}}(\textsf {mpk},y,\textsf {msk}) \, \approx _{c}\, Ideal _{{\textsc {U}}_2,{{\mathcal {S}}}}(\textsf {mpk},y,\textsf {msk}) \end{aligned}$$

where \({\textsc {U}}_1\) is an algorithm that honestly follows the \(\mathsf{Blind\text {-}KG}\) protocol (as a user) and \({\textsc {U}}_2\) is an algorithm that does not modify its input and passes it to \({{\mathcal {F}}}\).

3.2 Blind-KG compatible pair encodings

We consider a restricted class of pair encodings, that we coin blind key-generation compatible (or BKG-compatible, for short) pair encodings. This class is necessary for our blind key-generation algorithm described in the next section.

Definition 7

(BKG-compatible pair encoding) We say a \(\Upsilon \)-pair encoding, \((\mathsf{EncCt}, \mathsf{EncKey}, \mathsf{Pair})\), is BKG-compatible if and only if there exist two deterministic and efficiently computable algorithms,

• \(\mathsf{EncKey1}(p,y)\): maps \((p,y) \in \mathbb {N}\times \mathcal {Y}\) into a vector of polynomials, in \(\mathbb {Z}_p[{\varvec{r}},{\varvec{{\hat{r}}}},{\varvec{b}}]\).

• \(\mathsf{EncKey2}(p)\): maps \(p \in \mathbb {N}\) into a vector of polynomials, in \(\mathbb {Z}_p[{\varvec{r}},{\varvec{{\hat{r}}}},{\varvec{b}}]\).

satisfying the following conditions, for every \(p \in \mathbb {N}\):

1. (i)

   \(\mathsf{EncKey}\) can be expressed as \(\mathsf{EncKey}(p,y) {:}{=}\mathsf{EncKey1}(p,y) \parallel \mathsf{EncKey2}(p)\).

2. (ii)

   For every \(y \in \mathcal {Y}\), variable \(\alpha \) does not appear in \(\mathsf{EncKey1}(p,y)\).

3. (iii)

   For every \(i' \in [{\hat{m}}]\), either

   • one of the polynomials in \(\mathsf{EncKey2}(p)\) is exactly \({\hat{r}}_{i'}\), or

   • for every \(y \in \mathcal {Y}\), variable \({\hat{r}}_{i'}\) does not appear in \(\mathsf{EncKey1}(p,y)\).

We now show that we can assume, without loss of generality, that a pair encoding is BKG-compatible. More precisely, that any pair encoding can be transformed into an equivalent BKG-compatible pair encoding with minimal impact on its size and number of variables. In fact, in Lemma 2, we prove a stronger result: any pair encoding admits an equivalent encoding that does not have lone variables and such that variable \(\alpha \) appears only in one polynomial (which is independent of y).

Our first lemma shows that, without loss of generality, we can consider pair encodings that do not contain lone variables (except \(\alpha \)).

Lemma 1

Let \(\Upsilon = ({\bar{w}},w,{\hat{w}},{\bar{m}},m,{\hat{m}},n)\) and let \((\mathsf{EncCt}, \mathsf{EncKey}, \mathsf{Pair})\) be a \(\Upsilon \)-pair encoding for \(P\). There exists a \(\Upsilon '\)-pair encoding for the same \(P\), where \(\Upsilon ' = ({\bar{w}}, \, \max {(w,{\hat{w}})},\, 0,\, {\bar{m}}, \, \max {(m,{\hat{m}})},\, 0,\, n{+}2)\).

We prove the lemma in Appendix A.

Remark 5

Our Lemma 1 suggests that w.l.o.g. we can consider pair encodings that do not contain lone variables. However, in the most recent definitions of pair encodings, all non-lone variables are given “in the clear” as part of the key. What our lemma really implies is that, after our transformation, giving out all variables in the clear does not compromise security. Nonetheless, not all variables are used for correctness and so, not all need to be always given. Actually, existing encodings for large universe ABE or regular languages involve an exponential number of lone variables and giving all of them in the clear after our transformation would be impractical (and unnecessary). When such encodings are used for blind key-generation, the authority must select a subset of variables to be given in the clear. This imposes a bound on the size of the value y that users can request, leaking some information on size of y. Observe that this leakage seems inherent and it is usually admitted in cryptography (e.g. encryption schemes hide the content of messages, but not necessarily their length).

We are ready to establish the result on which our blind key-generation protocol from the next section relies.

Lemma 2

(BKG-compatibility) Let \(\Upsilon = ({\bar{w}},w,{\hat{w}},{\bar{m}},m,{\hat{m}},n)\) and let \((\mathsf{EncCt}, \mathsf{EncKey}, \mathsf{Pair})\) be a \(\Upsilon \)-pair encoding for predicate \(P\). There exists a \(\Upsilon '\)-BKG-compatible pair encoding for \(P\), where

$$\begin{aligned} \Upsilon ' = ({\bar{w}}{+}1, \, \max {(w{+}1,{\hat{w}})}, \, 0, \, {\bar{m}}{+}1, \max {(m{+}1,{\hat{m}})}, \, 0, \,n{+}4). \end{aligned}$$

See Appendix A for a proof.

3.3 Blind key-generation ABE from pair encodings

Figure 2 summarizes our blind key-generation protocol, compatible with the ABE compiler from pair encodings [3, 4, 8] (see Definition 2), where for \(\Upsilon = ({\bar{w}}, w, {\hat{w}}, {\bar{m}},m, {\hat{m}}, n)\), \((\mathsf{EncCt}, \mathsf{EncKey1}, \mathsf{EncKey2}, \mathsf{Pair})\) is a BKG-compatible \(\Upsilon \)-pair encoding scheme.

Fig. 2

Description of our \(\mathsf{Blind\text {-}KG}\) for ABE for any \({{{BKG}}}\)-compatible pair encoding in the framework of dual system groups instantiated from the k-Lin assumption

Theorem 1

(Correctness) If both parties honestly execute the \(\mathsf{Blind\text {-}KG}\) protocol described in Fig. 2, on inputs \((\textsf {mpk},y)\) for the user and \(\textsf {msk}\) for the authority, such that \((\textsf {mpk}, \textsf {msk}) \in {{\mathcal {K}}}\), then the final output of the user is identically distributed to the output of \(\mathsf{KeyGen}(\textsf {msk},y)\) (see Definition 3), over the coins of the protocol and the \(\mathsf{KeyGen}\) algorithm.

Our following theorems establish that the protocol is secure against honest-but-curious adversaries. In the following, let \({\textsc {U}}_1\) be an algorithm that honestly follows the \(\mathsf{Blind\text {-}KG}\) protocol (as a user) and let \({\textsc {U}}_2\) be an algorithm that does not modify its input and passes it to the ideal functionality (as the user). Analogously, let \({\textsc {A}}_1\) be an algorithm that honestly follows the \(\mathsf{Blind\text {-}KG}\) protocol (as the authority) and let \({\textsc {A}}_2\) be an algorithm that does not modify its input and passes it (together with true randomness) to the ideal functionality (as the authority).

Theorem 2

(Security against honest-but-curious authorities) There exists a simulator \({{\mathcal {S}}}\) such that for all \((\textsf {mpk}, y, \textsf {msk})\) and every PPT distinguisher,

$$\begin{aligned} Real _{{\textsc {U}}_1,{\textsc {A}}_1}(\textsf {mpk},y,\textsf {msk}) \, \equiv \, Ideal _{{\textsc {U}}_2,{{\mathcal {S}}}}(\textsf {mpk},y,\textsf {msk}). \end{aligned}$$

Intuitively, the factor , added by the user, information-theoretically hides the coefficients , which contain the information about y. That is why the authority cannot learn any information about y from the first round of the protocol and it can be easily simulated. (Note that does not distribute uniformly over \(\mathbb {Z}_p^{k{+}1}\), but it does distribute uniformly over the subspace of \(\mathbb {Z}_p^{k{+}1}\) on which the information about y has been encoded.)

Theorem 3

(Security against honest-but-curious users) There exists a simulator \({{\mathcal {S}}}\) such that for all \((\textsf {mpk}, y, \textsf {msk})\) and every PPT distinguisher,

$$\begin{aligned} Real _{{\textsc {U}}_1,{\textsc {A}}_1}(\textsf {mpk},y,\textsf {msk}) \, \equiv \, Ideal _{{{\mathcal {S}}},{\textsc {A}}_2}(\textsf {mpk},y,\textsf {msk}). \end{aligned}$$

We refer to Appendix A for a proof of all three theorems.

4 Achieving active security

The standard way of achieving active security on a passively secure protocol is to add zero-knowledge proofs of honest behavior (see the Supplementary Material). That way, only honest users will be able to produce valid proofs and honest-but-curious security applies.

For security against malicious users, we could add the following zero-knowledge proof of knowledge

(1)

to the message computed by the user in Round 1 of the protocol from Fig. 2. However, although zero-knowledge proofs of knowledge [14, 30] can be constructed for any NP statement [32], using generic methods to implement the above relation may be inefficient, given that \(\mathsf{EncKey1}\) can be an arbitrarily complex (still efficiently computable) circuit.

Instead, we introduce the notion of invertible pair encoding and use it to significantly simplify the above NP relation.

4.1 Invertible pair encodings

For every \(p \in \mathbb {N}\), the function \(\mathsf{EncKey1}(p,\cdot )\) of any \({{{BKG}}}\)-compatible pair encoding can be considered injective. Note that if \(\mathsf{EncKey1}(p,y_1) \,{=}\, \mathsf{EncKey1}(p,y_2)\) for two different \(y_1,y_2\), then, correctness and security of the encoding imply that \(\forall x,\, P(x,y_1) \Leftrightarrow P(x,y_2)\) and thus, \(y_1\) and \(y_2\) can be considered “equivalent” under \(P\). Consequently, we can consider the inverse function that on input a list, \({\varvec{k}}\), of polynomials over \(\mathbb {Z}_p[{\varvec{r}},{\varvec{{\hat{r}}}},{\varvec{b}}]\), produces a value y such that \({\varvec{k}} = \mathsf{EncKey1}(p,y)\).

Definition 8

(Invertible pair encoding) We say a \((\mathsf{EncCt}, \mathsf{EncKey}, \mathsf{Pair})\) encoding is invertible⁵ if there exists an efficiently computable decoding algorithm \(\mathsf{DecKey}\) that \(\forall p \in \mathbb {N}\), on input a list in \(\mathbb {Z}_p[{\varvec{r}},{\varvec{{\hat{r}}}},{\varvec{b}}]\), outputs \(y \in \mathcal {Y}\) such that,

$$\begin{aligned} \forall \,{\varvec{k}} \, : \, \exists y \in \mathcal {Y}\text { s.t. }\mathsf{EncKey}(p,y) = {\varvec{k}} \text {, it holds } \mathsf{EncKey}(p, \mathsf{DecKey}({\varvec{k}})) = {\varvec{k}}. \end{aligned}$$

We leave as an open problem to (dis)prove that any pair encoding admits an equivalent invertible pair encoding. To the best of our knowledge, all pair encodings from the literature are invertible.

We require pair encodings be invertible so that it is enough for the user to prove that it knows the coefficients that are committed inside the messages . This way, the simulator (for the malicious user) can extract the coefficients from the proof of knowledge and, because the encoding is invertible, find a value \(y \in \mathcal {Y}\) such that \(\mathsf{EncKey}(p,y)\) equals the polynomials associated to them. However, note that invertibility may not be enough: what happens if there exists no y satisfying the requirements? Invertibility only guarantees that it is possible to efficiently find y in case it exists. In order to solve this problem, we observe that all pair encodings from the literature are designed in a similar way. Namely, polynomials are built by adding monomials whose coefficient depends on the value y, or whose variables are chosen based on the value. We abstract this idea in the notion of algebraic pair encoding.

Definition 9

(Algebraic pair encoding) Let \(\Upsilon = ({\bar{w}},w,{\hat{w}},{\bar{m}},m,{\hat{m}},n)\). We say a pair encoding \(\Upsilon \)-pair encoding \((\mathsf{EncCt}, \mathsf{EncKey}, \mathsf{Pair})\) is algebraic if algorithm \(\mathsf{EncKey}\) defines polynomials as sums of monomials of the following three types:

• public monomials: their coefficient and variables are independent of y,

• secret-coefficient monomials: monomials of the form \(\mu _y {\hat{r}}_{i'}\) or \(\mu _y r_i b_j\) for some, \(i' \in [{\hat{m}}]\) or \(i \in [m]\), \(j \in [n]\) and some \(\mu _y \in \mathbb {Z}_p\) (that depends on y).

• secret-variable monomials: monomials of the form \({\hat{r}}_{{\hat{\eta }}_y}\) or \(r_{\eta _y} b_{j}\) or \(r_i b_{\nu _y}\) for some \(j \in [n]\), \(i \in [m]\) and \({\hat{\eta }}_y \in [{\hat{m}}]\), \(\eta _y \in [m]\) or \(\nu _y \in [n]\) (dependent on y).

Furthermore, we require an algebraic pair encoding be surjective, that is, for all possible values \({\varvec{\mu }} \in \mathbb {Z}_p^*\) of the coefficients of secret-coefficient monomials, there exists some \(y \in \mathcal {Y}\) such that \(\mathsf{EncKey}(p,y)\) has secret-coefficients matching \({\varvec{\mu }}\).

Our Example 1 (in Appendix B) illustrates the three types of monomial from the above definition.

Remark 6

Note that the structure of an algebraic pair encoding is fixed and only the secret coefficients or the secret variables can depend on value \(y \in \mathcal {Y}\). To the best of our knowledge, all existing pair encodings are algebraic.

Given an algebraic pair encoding, the zero-knowledge proof of knowledge from (1) can be done very efficiently. This is because if the pair encoding is algebraic, there exist disjoint sets \(\Pi , \Phi \subset \mathbb {N}\times \mathbb {N}\times \mathbb {N}\) of public coefficients and binary coefficients respectively, there exists a function \(f : \Pi \rightarrow \mathbb {Z}_p\) and there exist clusters \(\Lambda = \{(\Lambda _s, g_s, \gamma _s)\}_{s \in \Theta }\), where for every \(s \in \Theta \), \(\Lambda _s \subset \mathbb {N}\times \mathbb {N}\times \mathbb {N}\), \(g_s : \Lambda _s \rightarrow \mathbb {Z}_p\) and \(\gamma _s \in \mathbb {Z}_p\), such that, for any value of the coefficients (for \(i \in [m]\), \(j \in [n]\) and \(\ell \in [{\bar{m}}_1]\)) satisfying

there exists \(y \in \mathcal {Y}\) such that

for certain arbitrary \(\phi ^{{{(\ell )}}}_i\). We refer to Appendix B for some examples.

Fig. 3

Modification of the protocol from Fig. 2 to achieve active security in the case of algebraic pair encodings

We describe the actively secure version of our protocol in Fig. 3. Note that if the encoding is algebraic, the proof of knowledge from (1) is equivalent to the proof of knowledge described in Round 1 of Fig. 3. In fact, we leverage techniques from [12] to design a very efficient \(\Sigma \)-protocol for implementing such a proof. We present it in Appendix C.

Theorems 4 and 5 are relative to the modification of our protocol, described in Fig. 3. As in the previous section, we define honest algorithms \({\textsc {U}}_1\), \({\textsc {A}}_1\), that follow the \(\mathsf{Blind\text {-}KG}\) protocol and \({\textsc {U}}_2\), \({\textsc {A}}_2\), honest algorithms that pass their input to \({{\mathcal {F}}}\) and do not modify their output.

Theorem 4

(Security against malicious authorities) For every algorithm \({{\mathcal {A}}}\) (acting as the authority in the real world) there exists a simulator \({{\mathcal {S}}}\) s.t. for all \(\iota = (\textsf {mpk}, y, \textsf {msk})\), all PPT distinguishers \({{\mathcal {D}}}\), and all sufficiently large \(\lambda \in \mathbb {N}\),

$$\begin{aligned} \big | \Pr \left[ {{\mathcal {D}}}( Real _{{\textsc {U}}_1\!,{{\mathcal {A}}}}(\iota )) {=} 1\right] - \Pr \left[ {{\mathcal {D}}}( Ideal _{{\textsc {U}}_2\!,{{\mathcal {S}}}}(\iota )) {=} 1 \right] \big | \le \varepsilon _{\mathsf{zk}}(\lambda ) + \varepsilon _{\mathsf{ext}}(\lambda ). \end{aligned}$$

Theorem 5

(Security against malicious users) For every algorithm \({{\mathcal {U}}}\) (acting as a user in the real world) there exists a simulator \({{\mathcal {S}}}\) s.t. for all \(\iota = (\textsf {mpk}, y, \textsf {msk})\), all PPT distinguishers \({{\mathcal {D}}}\), and all sufficiently large \(\lambda \in \mathbb {N}\),

$$\begin{aligned} \big | \Pr \left[ {{\mathcal {D}}}( Real _{{{\mathcal {U}}}\!,{\textsc {A}}_1}(\iota )) {=} 1\right] - \Pr \left[ {{\mathcal {D}}}( Ideal _{{{\mathcal {S}}}\!,{\textsc {A}}_2}(\iota )) {=} 1 \right] \big | \le \varepsilon _{\mathsf{zk}}(\lambda ) + \varepsilon _{\mathsf{ext}}(\lambda ) + \mathsf{Adv}_{\mathsf{DLOG}}^{G_{\mathsf{2}}}(\lambda ) \end{aligned}$$

where \(\mathsf{Adv}_{\mathsf{DLOG}}^{G_{\mathsf{2}}}\) is an upper-bound on the probability of PPT machines solving the discrete logarithm problem in \(G_{\mathsf{2}}\).

5 Implementation

We implement a general library for attribute-based encryption based on predicate and pair encodings with support for blind key-generation. Our library is based on the Relic-Toolkit [5] for pairings with a 256-bits Barreto-Naehrig Curve [15]. We evaluate our blind key-generation protocol and compare it to the normal key-generation algorithm. All the experiments were executed on a 8-core machine with 4.00GHz Intel Core i7-4790K CPU and 16GB of RAM. Our source code⁶ will be publicly available and open source for reproducibility and verifiability.

Table 1 Evaluation results. Comparison between blind and normal key-generation. For the honest-but-curious version of our protocol

Our experimental results, described in Table 1, correspond to an implementation of attribute-based encryption based on the SXDH assumption (1-Lin). The first block corresponds to the pair encoding for zero inner-product described in our Example 2 (in Appendix B). The second, corresponds to an encoding for CP-ABE [20, 22, 33]. The third is an encoding for broadcast encryption, described in our Example 3.

In every block, we compare the three different algorithms of our protocol for blind key-generation described in Fig. 2 (Round 1, Round 2 and Finalize key) and the normal key-generation algorithm, in terms of the execution time, size of the output and number of group operations over the group \(\mathsf{G}_2\). Group operations over \(\mathsf{G}_2\) are represented by a pair of integers separated by |, corresponding to the number of group law operations and group exponentiations respectively.

We show results for the median times of 10 executions of randomly selected instances of different problem sizes. In the case of inner-product, keys are generated with respect to randomly sampled vectors of the given lengths. In the case of Boolean-formulae, keys are generated with respect to randomly selected sets of attributes of the given cardinalities. In the case of broadcast encryption, keys are generated with respect to a random identity over a system of n identities. Note that in this encoding, keys have approximately t elements, and ciphertexts approximately \(\frac{n}{t}\) group elements. Numbers in the above table correspond to the honest-but-curious version of our protocol.

We have also implemented an interactive ZK proof of knowledge based on our \(\Sigma \)-protocol from Appendix C. In order to give an intuition of the overhead introduced by this proof (to achieve active security), we present the numbers corresponding to proof for the inner-product encoding:

$$\begin{aligned} \begin{array}{rllllll} \text {Vector length:} &{} \,\,\,\,\, &{} \text {100} &{} \,\,\,\,\, &{} \text {1000} &{} \,\,\,\,\, &{} \text {10000} \\ \hline \\ \text {User's total execution time:} &{} \,\,\,\,\, &{} \text {0.17 s} &{} \,\,\,\,\, &{} \text {1.61 s} &{} \,\,\,\,\, &{} \text {16.8 s} \\ \text {User's total information transmitted:} &{} \,\,\,\,\, &{} \text {3.58 {KB}} &{} \,\,\,\,\, &{} \text {32.3 {KB}} &{} \,\,\,\,\, &{} \text {0.32 {MB}} \\ \text {Authority's total execution time:} &{} \,\,\,\,\, &{} \text {0.15 s} &{} \,\,\,\,\, &{} \text {1.53 s} &{} \,\,\,\,\, &{} \text {16.53 s} \\ \text {Authority's total information transmitted:} &{} \,\,\,\,\, &{} \text {96 {B}} &{} \,\,\,\,\, &{} \text {96 {B}} &{} \,\,\,\,\, &{} \text {96 {B}} \end{array} \end{aligned}$$

6 Concluding remarks

We have presented an efficient protocol for blind key-generation, built on top of the general framework for attribute-based encryption introduced by Attrapadung [7]. Our construction can be instantiated with any BKG-compatible pair encoding, a new notion that we define in this work. Furthermore, we provide theoretical results that establish that every pair encoding can be transformed with minimal overhead into a BKG-compatible one. Consequently, our work significantly broadens the scope of blind key-generation ABE in terms of predicate expressivity and it can lead to more efficient constructions of oblivious transfer with fine-grained access control.

Our experimental results show that our blind key-generation protocol introduces a reasonable overhead, comparable to the cost of normal key-generation, being suitable for real applications. We leave for future work to prove explicit asymptotic bounds on the complexity of our construction. Finally, we have focused on synthetic case studies. Combining our methods with more realistic case studies (such as electronic medical records or streaming of data over untrusted clouds) is a very interesting direction for future work.

Appendices

A Proofs of the main body

1.1 A.1 Lemmas from Sect. 3

1.1.1 Proof of Lemma 1

Note that our notation allows us to handle the different cases \(w < {\hat{w}}\) and \(w \ge {\hat{w}}\) (or \(m < {\hat{m}}\) and \(m \ge {\hat{m}}\)) simultaneously. (Observe that the range \([w{+}1, {\hat{w}}]\) is defined as empty if \(w \ge {\hat{w}}\).)

Proof

Let \(\Upsilon = ({\bar{w}},w,{\hat{w}},{\bar{m}},m,{\hat{m}},n)\) and let \((\mathsf{EncCt}, \mathsf{EncKey}, \mathsf{Pair})\) be a \(\Upsilon \)-pair encoding for \(P\). We define a new \(\Upsilon '\)-pair encoding, \((\mathsf{EncCt}', \mathsf{EncKey}', \mathsf{Pair}')\), below, where \(\Upsilon ' = ({\bar{w}}, \, \max {(w,{\hat{w}})},\, 0,\, {\bar{m}}, \, \max {(m,{\hat{m}})},\, 0,\, n{+}2)\) and then argue that it is a valid encoding for the same predicate \(P\).

Let \({\varvec{b}}\), \({\varvec{s}}\), \({\varvec{{\hat{s}}}}\), \({\varvec{r}}\), \((\alpha , {\varvec{{\hat{r}}}})\) be the variables of the original encoding. (Note that \(|{\varvec{b}}| = n\), \(|{\varvec{s}}| = w\), \(|{\varvec{{\hat{s}}}}| = {\hat{w}}\), \(|{\varvec{r}}| = m\), \(|{\varvec{{\hat{r}}}}| = {\hat{m}}\).) Consider fresh variables \(b_{n{+}1}\), \(b_{n{+}2}\), \(s_{i}\), \(r_{j}\), for \(i \in [w{+}1,{\hat{w}}]\) and \(j \in [m{+}1,{\hat{m}}]\) and let the variables of the new encoding be \({\varvec{{\hat{s}}}}' = \emptyset \), \((\alpha ', {\varvec{{\hat{r}}}}') = (\alpha , \emptyset )\) and ⁷

$$\begin{aligned} {\varvec{b}}' = ({\varvec{b}}, b_{n{+}1}, b_{n{+}2}) \quad {\varvec{s}}' = ({\varvec{s}}, s_{w{+}1},\dots ,s_{{\hat{w}}}) \quad {\varvec{r}}' = ({\varvec{r}}, r_{m{+}1}, \dots , r_{{\hat{m}}}). \end{aligned}$$

Define vectors⁸\(\tilde{{\varvec{s}}} = (s_1,\dots ,s_{{\hat{w}}})\) and \(\tilde{{\varvec{r}}} = (r_1,\dots ,r_{{\hat{m}}})\), and let the encoding be

• \(\mathsf{EncCt}'(p,x)\): run \({\varvec{c}}_x \leftarrow \mathsf{EncCt}(p,x)\), output \({\varvec{c}}'_x({\varvec{s}}', {\varvec{b}}') {:}{=}\) \({\varvec{c}}_x({\varvec{s}}, b_{n{+}1}\tilde{{\varvec{s}}}, {\varvec{b}})\).⁹

• \(\mathsf{EncKey}'(p,y)\): run \({\varvec{k}}_y \leftarrow \mathsf{EncKey}(p,y)\), output \({\varvec{k}}'_y({\varvec{r}}', {\varvec{b}}') {:}{=}\) \({\varvec{k}}_y({\varvec{r}}, (\alpha , b_{n{+}2}\tilde{{\varvec{r}}}), {\varvec{b}})\).

• \(\mathsf{Pair}'(p,x,y)\): run \((E,F) \leftarrow \mathsf{Pair}(p,x,y)\) and output \((E',F')\) defined as

  

  where \(w' {:}{=}\max {({\hat{w}}{-}w, 0)}\) and \(m' {:}{=}\max {({\hat{m}}{-}m, 0)}\).

Observe that the presented encoding does not contain lone variables (except \(\alpha \)), since all variables in \({\varvec{s}}'\) and \({\varvec{r}}'\) always appear multiplied by \(b_j\), for some \(j \in [n{+}2]\). Also, observe that all structural constraints are satisfied.

To see reconstructability, note that, due to the correctness of the original encoding, for every \((x,y) \in P\), and, because the right-hand side does not contain variables \({\varvec{{\hat{s}}}}\) nor \({\varvec{{\hat{r}}}}\), it must be

where \({\varvec{c}}_{x}'({\varvec{s}}', {\varvec{b}}') \leftarrow \mathsf{EncCt}'(p,x)\), and \({\varvec{k}}_{y}'({\varvec{r}}', {\varvec{b}}') \leftarrow \mathsf{EncKey}'(p,y)\) and \((E',F') \leftarrow \mathsf{Pair}'(p,x,y)\).

Finally, for security (non-reconstructability), we proceed by contradiction. Assume that there exist \((x,y) \not \in P\) and there exist matrices \(E_1,E_2,F_1,F_2\) s.t.

(2)

The above is a polynomial equality and so, it must hold when we only consider the monomials that contain \(b_{n{+}2}\), which gives us

But now, looking at the coefficient of \(s_i\), for every \(i \in [w]\) in the above equality, we get \(E_1 {\varvec{k}}_{y}({\varvec{0}}_{\text {{m}}},(0,\tilde{{\varvec{r}}}),{\varvec{0}}_{\text {{n}}}) = {\varvec{0}}_{\text {{w}}}\) and, by linearity, we have that

\((*)\):

the vector of polynomials \(E_1 {\varvec{k}}_{y}({\varvec{r}},(\alpha ,{\varvec{{\hat{r}}}}),{\varvec{b}})\) does not depend on \({\varvec{{\hat{r}}}}\).

By a very similar analysis based on variable \(b_{n{+}1}\) and the coefficient of \(r_i\), for \(i \in [m]\), we can deduce that

\((**)\):

the vector of polynomials does not depend on \({\varvec{{\hat{s}}}}\).

Now, substituting variables \(s_{w{+}1}, \dots , s_{{\hat{w}}}\) and \(r_{m{+}1}, \dots , r_{{\hat{m}}}\) by 0 in Eq. (2), and using facts \((*)\) and \((**)\), we get

which contradicts the security of the original encoding. \(\square \)

1.1.2 Proof of Lemma 2

Proof

It is known that, without loss of generality, we can consider pair encodings where the first polynomial of \(\mathsf{EncKey}\) is the only one that contains \(\alpha \) and it is of the form \(\alpha + r_1 b_1\).

This fact has already been used in the literature [4, 9] for other purposes. It can be easily derived by applying generic dual transformation defined in [10] twice. (Note that the dual transformation is an involution and does not modify the predicate after being applied twice.) Lemma 2 is a direct consequence of the combination of the previous fact with our Lemma 1. \(\square \)

1.2 A.2 Theorems from Sect. 3.3

1.2.1 Proof of Theorem 1

Proof

Observe that the part of the secret key that does not depend on y, i.e., \({\varvec{r}}\) and \(\mathsf{EncKey2}(p)\), has been given to the user as \(\{\rho _i\}_{i \in [m]}\) and \(\{\sigma _{\ell }\}_{\ell \in [{\bar{m}}_2]}\) respectively and these values have been computed exactly as in \(\mathsf{KeyGen}\). The remaining elements of the key have been computed (for every \(\ell \in [{\bar{m}}_1]\)) as:

$$\begin{aligned} \widetilde{\textsf {sk}}_{\ell } {:}{=}&\,\, \tau _\ell - \textstyle \sum _{i=1}^{m} Z^{{{(\ell )}}}_i \rho _i + \sum _{i=1}^{{\hat{m}}} \phi ^{{{(\ell )}}}_i \sigma _{\pi (i)}\\ =&\,\, \textstyle \sum _{i=1}^{m}\Big (Z^{{{(\ell )}}}_i + \sum _{j=1}^{n}\phi ^{{{(\ell )}}}_{\{i,j\}}W_j \Big )B {\varvec{r_i}} - \sum _{i=1}^{m} Z^{{{(\ell )}}}_i B {\varvec{r_i}} + \sum _{i=1}^{{\hat{m}}} \phi ^{{{(\ell )}}}_i \sigma _{\pi (i)} \\ =&\textstyle \,\, \sum _{i=1}^{m}\Big (\sum _{j=1}^{n}\phi ^{{{(\ell )}}}_{\{i,j\}}W_j B {\varvec{r_i}}\Big ) + \sum _{i=1}^{{\hat{m}}} \phi ^{{{(\ell )}}}_i B {\varvec{{\hat{r}}_i}} \end{aligned}$$

which is identically distributed to the output of \(\mathsf{KeyGen}\). \(\square \)

1.2.2 Proof of Theorem 2

Proof

Note that \(\mathsf{view}_{{\textsc {A}}_1}\) in the real world contains \(\textsf {mpk}\) and the messages from the user corresponding to for \(i \in [m]\) and \(\ell \in [{\bar{m}}_1]\), whereas in the ideal world, \(\mathsf{view}_{{{\mathcal {S}}}}\) only contains \(\textsf {mpk}\). The simulator can complete the view by sampling a uniform random matrix of dimension \((k{+}1) \times (k{+}1)\) (with coefficients over \(\mathbb {Z}_p\)), for every \(i \in [m]\) and \(\ell \in [{\bar{m}}_1]\) and simulating as . Observe that the simulation is perfect. \(\square \)

1.2.3 Proof of Theorem 3

Proof

In the real world, if \((\textsf {mpk}, \textsf {msk}) \in {{\mathcal {K}}}\), the user’s view will be formed by

$$\begin{aligned} \mathsf{view}_{{\textsc {U}}1} = \left( \{Z_i^{\ell }\}_{i \in [m], \ell \in [{\bar{m}}_1]} ,\quad \{\rho _i\}_{i \in [m]} ,\quad \{\sigma _\ell \}_{\ell \in [{\bar{m}}_2]} ,\quad \{\tau _\ell \}_{\ell \in [{\bar{m}}_1]} \right) \end{aligned}$$

where are an independent uniformly sampled random matrices of dimension \((k{+}1) \!\times \! (k{+}1)\), and where \(\rho _i\), \(\sigma _\ell \) and \(\tau _\ell \) are computed as in Fig. 2 (based on and y). The simulator can sample matrices uniformly at random of dimension \((k{+}1)\! \times \! (k{+}1)\), then call the ideal functionality \({{\mathcal {F}}}\) on \((\textsf {mpk},y)\), receiving \(\textsf {sk}_y {:}{=}(\textsf {sk}_1,\dots ,\textsf {sk}_m, \widetilde{\textsf {sk}}_1, \dots , \widetilde{\textsf {sk}}_{{\bar{m}}})\). It now sets

$$\begin{aligned} {\widetilde{\rho }}_i {:}{=}\textsf {sk}_i \,\text { for every } i \in [m] \qquad \quad {\widetilde{\sigma }}_\ell {:}{=}\widetilde{\textsf {sk}}_{{\bar{m}}_1{+}\ell } \,\text { for every } \ell \in [{\bar{m}}_2] \quad \text {and} \\ \\ \textstyle {\widetilde{\tau }}_\ell {:}{=}\widetilde{\textsf {sk}}_{\ell } + \sum _{i=1}^{m}{\widetilde{Z}}_i {\widetilde{\rho }}_i - \sum _{i=1}^{{\hat{m}}} \phi ^{{{(\ell )}}}_i {\widetilde{\sigma }}_{\pi (i)} \,\text { for every } \ell \in [{\bar{m}}_1] \end{aligned}$$

where is the coefficient of \({\hat{r}}_i\) in the \(\ell \)-th polynomial of \(\mathsf{EncKey1}(p,y)\), for every \(i \in [{\hat{m}}]\). Because every party is honest, note that \(\mathsf{view}_{{\textsc {A}}_1} \equiv (\textsf {mpk}, \textsf {msk}) = \mathsf{view}_{{\textsc {A}}_2}\) and observe that the simulated view

$$\begin{aligned} \mathsf{view}_{{{\mathcal {S}}}} = \left( \{{\widetilde{Z}}_i^{\ell }\}_{i \in [m], \ell \in [{\bar{m}}_1]} ,\quad \{{\widetilde{\rho }}_i\}_{i \in [m]} ,\quad \{{\widetilde{\sigma }}_\ell \}_{\ell \in [{\bar{m}}_2]} ,\quad \{{\widetilde{\tau }}_\ell \}_{\ell \in [{\bar{m}}_1]} \right) \end{aligned}$$

is identically distributed to the real view \(\mathsf{view}_{{\textsc {U}}_1}\) for any \((\textsf {mpk}, y, \textsf {msk})\) such that \((\textsf {mpk}, \textsf {msk}) \in {{\mathcal {K}}}\). Finally, if \((\textsf {mpk}, \textsf {msk}) \not \in {{\mathcal {K}}}\), note that the user’s view in the real world will consist only of random matrices (the authority will interrupt the \(\mathsf{Blind\text {-}KG}\) protocol in Round 2), which can be easily simulated. \(\square \)

1.2.4 Proof of Theorem 4, security against malicious authorities

Proof

In the real world, \({\textsf {view}}_{{{\mathcal {A}}}}\) contains \(\textsf {msk}\), \(\textsf {mpk}\), the messages from the user corresponding to \(M^{{{(\ell )}}}_{i}\) for all \(i \in [m]\), \(\ell \in [{\bar{m}}_1]\) and the zero-knowledge proof of knowledge \(\pi _1\). On the other hand, in the ideal world, the initial view of the simulator only contains \(\textsf {msk}\) and, after receiving the first message from \({{\mathcal {F}}}\), \({\textsf {view}}_{{{\mathcal {S}}}}\) additionally contains \(\textsf {mpk}\). The simulator can complete the view by sampling uniform random matrices \(V^{{{(\ell )}}}_{i}\) of dimension \((k{+}1)\times (k{+}1)\) for every \(i \in [m]\) and \(\ell \in [{\bar{m}}_1]\), simulating \(M^{{{(\ell )}}}_{i}\) as \(V^{{{(\ell )}}}_{i}B\) and simulating a zero knowledge proof of knowledge \({\widetilde{\pi }}_1\) for the NP-statement described in Round 1 of Fig. 3. Observe that the simulation is perfect, except for the zero-knowledge simulation error.

Now from these simulated values, \({{\mathcal {S}}}\) will proceed exactly as algorithm \({{\mathcal {A}}}\) does in the real world, eventually producing some values \(\{{\widetilde{\rho }}_i\}_{i \in [m]}\), \(\{{\widetilde{\sigma }}_\ell \}_{\ell \in [{\bar{m}}_2]}\) and \(\{{\widetilde{\tau }}_\ell \}_{\ell \in [{\bar{m}}_1]}\), together with a proof of knowledge \({\widetilde{\pi }}_2\) for the NP-relation described in Round 2 of Fig. 3 w.r.t these values. The simulator will verify \({\widetilde{\pi }}_2\) and if the proof is rejected, it will interrupt its execution (it will not send any message to the ideal functionality \({{\mathcal {F}}}\)). If it is accepted, it will run the extractor algorithm on \({\widetilde{\pi }}_2\), to obtain values \(\textsf {msk}'\), and \(r = \big (\{{\varvec{r_i}}\}_{i \in [m]}\), \(\{{\varvec{{\hat{r}}_{i'}}}\}_{i' \in [{\hat{m}}]}\big )\) such that \((\textsf {mpk}, \textsf {msk}') \in {{\mathcal {K}}}\) and

Then, the simulator will allow the secret key-generation by sending \((\textsf {msk}',r)\) to the ideal functionality \({{\mathcal {F}}}\). Observe that if the extraction is successful, the secret key that \({\textsc {U}}_2\) will receive in the ideal world is distributed as the secret key that \({\textsc {U}}_1\) will obtain after finishing the protocol from Fig. 3. Note that there is only one \(\textsf {msk}'\) that satisfies the above relation, but there exist many different values r. However, observe that all values of r that satisfy the relation will lead to the same secret key, since the actual key can be seen as a function of values \(V^{{{(\ell )}}}_i\), \(\rho _i\), \(\sigma _\ell \) and \(\tau _\ell \), which are invariant for every r.

Therefore, the only difference between the real and the simulated views is due to the zero-knowledge error. To finished the proof note that we could convert any any distinguisher between the real and ideal views into a distinguisher for for the zero-knowledge property of the ZK scheme. To conclude, note that all the steps where conditioned on the event that extraction was successful. Therefore, the final bound must take into account the extraction error \(\varepsilon _{\mathsf{ext}}\). \(\square \)

1.2.5 Proof of Theorem 5, security against malicious users

Proof

On input \((\textsf {mpk},y)\), the authority will proceed exactly as algorithm \({{\mathcal {U}}}\), producing \(\textsf {mpk}'\), some values \(\{{\widetilde{M}}^{{{(\ell )}}}_{i}\}_{\ell \in [{\bar{m}}_1], i \in [m]}\) and a proof \({\widetilde{\pi }}_1\), identically distributed to the values that \({{\mathcal {U}}}\) will send to \({\textsc {A}}_1\) in the real world.

The simulator will then verify \({\widetilde{\pi }}_1\) with respect to the produced values and the relation described and Round 1 of Fig. 3. If the verification fails, \({{\mathcal {S}}}\) will interrupt its execution. Note that this happens with exactly the same probability \({\textsc {A}}_1\) rejects the proof in the real world and halts. If the proof is accepted, the simulator will run the extractor to obtain witness values \(\{\phi ^{{{(\ell )}}}_{\{i,j\}}\}_{i \in [m], j \in [n]}\) in \(\mathbb {Z}_p\) and matrices \(\{Z_i^{{{(\ell )}}}\}_{\ell \in [{\bar{m}}_1], i \in [m]}\) in \(\mathbb {Z}_p\) of dimension \((k{+}1)\times (k{+}1)\) such that

Observe that the Pedersen-like commitments \(M^{{{(\ell )}}}_i\) are computationally binding under the discrete logarithm assumption in \(G_{\mathsf{2}}\). Therefore, although there exist several witnesses for the NP relation, the extractor algorithm can only provide one of them (or otherwise, it can be used to solve the discrete logarithm problem). This guarantees that the witness that the simulator extracts is identically distributed to the witness that the malicious user may also extract (from its own proof) in the real world. Now, let \({\varvec{k}}_1\) be the vector of polynomials

Because the pair encoding is algebraic, there exists \(y' \in \mathcal {Y}\) such that \(\mathsf{EncKey1}(y') \rightarrow {\varvec{k}}_1\). And, because the pair encoding is invertible, the simulator can find such \(y'\) by running \(\mathsf{DecKey}({\varvec{k}}_1 \parallel \mathsf{EncKey2})\). Now, the simulator sends \((\textsf {mpk}', y')\) to the ideal functionality, obtaining \(\textsf {sk}_{y'} {:}{=}(\textsf {sk}_1,\dots ,\textsf {sk}_m, \widetilde{\textsf {sk}}_1, \dots , \widetilde{\textsf {sk}}_{{\bar{m}}})\) or \(\bot \). The case of \(\bot \) will occur only when the master secret key \(\textsf {msk}\) owned by \({\textsc {A}}_2\), and \(\textsf {mpk}'\) do not form a valid pair. In such a case, the simulator halts. Observe that, in the real world, \({\textsc {A}}_1\) (who owns the same \(\textsf {msk}\)) will detect that \((\textsf {mpk}', \textsf {msk})\) at the beginning of Round 2, with exactly the same probability \({{\mathcal {S}}}\) received \(\bot \) from \({{\mathcal {F}}}\). In case of receiving a key, the simulator sets

$$\begin{aligned} {\widetilde{\rho }}_i {:}{=}\textsf {sk}_i \,\text { for every } i \in [m] \qquad \quad {\widetilde{\sigma }}_\ell {:}{=}\widetilde{\textsf {sk}}_{{\bar{m}}_1{+}\ell } \,\text { for every } \ell \in [{\bar{m}}_2] \quad \text {and} \\ \end{aligned}$$

$$\begin{aligned} \textstyle {\widetilde{\tau }}_\ell {:}{=}\widetilde{\textsf {sk}}_{\ell } + \sum _{i=1}^{m}{\widetilde{Z}}_i {\widetilde{\rho }}_i - \sum _{i=1}^{{\hat{m}}} \phi ^{{{(\ell )}}}_i {\widetilde{\sigma }}_{\pi (i)} \,\text { for every } \ell \in [{\bar{m}}_1] \end{aligned}$$

where is the coefficient of \({\hat{r}}_i\) in the \(\ell \)-th polynomial of \(\mathsf{EncKey1}(p,y)\), for every \(i \in [{\hat{m}}]\). As in the proof of honest-but-curious security, the above simulated values are identically distributed to the real view \(\mathsf{view}_{{{\mathcal {U}}}}\). We can conclude as in the proof of Theorem 4. \(\square \)

B Examples

Example 1

Consider the following pair encoding for the IBE predicate. That is, \(P(x,y) = 1\) iff \(x = y\), for \(x,y \in \mathbb {Z}_p\):

$$\begin{aligned} \mathsf{EncKey}(y) {:}{=}(\alpha + r_1b_1, \,\,y r_1b_2 + r_1b_3) \qquad \mathsf{EncCt}(x) {:}{=}s_1b_1 + x s_2b_2 + s_2b_3 \end{aligned}$$

The second polynomial of \(\mathsf{EncKey}(y)\) contains a secret-coefficient monomial: \(y r_1b_2\). On the other hand, \(r_1b_3\) is a public monomial. Note that this polynomial contains other public monomials (with 0 coefficient), e.g. \(0 r_1b_1\).

Now, consider the pair encoding for KP-ABE corresponding to the scheme by Lewko et al. [37]. For attribute universe \({{\mathcal {U}}}\), \(X \in {{\mathcal {U}}}\), a linear secret sharing matrix \(A \in \mathbb {Z}_p^{\ell \times k}\) and \(\pi : [\ell ] \rightarrow {{\mathcal {U}}}\),

$$\begin{aligned} \mathsf{EncKey}(A,\pi ) {:}{=}\{A_i {\varvec{{\hat{r}}}} + r_i b_{\pi (i)}\}_{i \in [\ell ]} \qquad \mathsf{EncCt}(X) {:}{=}\{s_1b_x\}_{x \in X} \end{aligned}$$

where , and \(P(X, (A,\pi ))\) is defined as 1 iff \(\exists \Phi \subseteq [\ell ] : \pi (\Phi ) \subseteq X \text { and } (1,0,\dots ,0)\) is in the row span of \(A_{\Phi }\).

In this case, every monomial in \(A_{i}{\varvec{{\hat{r}}}}\) is a secret-coefficient monomial, whereas monomials of the from \(r_i b_{\pi (i)}\) are secret-variable monomials. Note that both pair encodings presented above are surjective. \(\square \)

Example 2

(Pair encoding for zero-inner product [11]) Let \({\varvec{x}},{\varvec{y}} \in \mathbb {Z}_p^n\) and let the predicate \(P\) be defined as \(P({\varvec{x}},{\varvec{y}}) = 1\) iff . The following is a pair encoding for \(P\):

$$\begin{aligned} \mathsf{EncKey}({\varvec{y}}) {:}{=}(\alpha + r_1b_0, \,\,\, r_1b_0 + \textstyle \sum _{i \in [n]} y_i r_1b_i) \quad \mathsf{EncCt}({\varvec{x}}) {:}{=}\{ x_i s_1b_{n{+}1} + s_1b_i \}_{i \in [n]} \end{aligned}$$

In this case, \(\mathsf{EncKey1}(y)\) is formed by the second polynomial of \(\mathsf{EncKey}\) and so, \({\bar{m}}_1 = 1\). Furthermore, the encoding is algebraic, where:

• (public coeffs) \(\Pi {:}{=}\{(1,\!0,\!1), (1,\!n{+}1,\!1)\}\) and \(f(1,\!0,\!1) {:}{=}1\), \(f(1,\!n{+}1,\!1) {:}{=}0\).

• (binary coeffs) \(\Phi {:}{=}\emptyset \).             (clusters) \(\Lambda {:}{=}\emptyset \). \(\blacksquare \)

Example 3

(Pair encoding for broadcast encryption [20, 27]) For \(t,n \in \mathbb {N}\) such that t|n, let \({\varvec{x}} \in (\{0,1\}^{\frac{n}{t}})^t\), \(y \in [t] \times [\frac{n}{t}]\) and let the predicate \(P\) be defined as \(P(({\varvec{x}}_1, \dots , {\varvec{x}}_{t}), (y_1,y_2)) = 1\) iff \(({\varvec{x}}_{y_1})_{y_2} = 1\). The following is a pair encoding for \(P\):

$$\begin{aligned}&\mathsf{EncKey}(y_1,y_2) {:}{=}(\alpha {+} r_1b_0, \,\,\, \{(\ell = y_2)(r_1b_0 {+}r_1 b_{y_1}) {+} r_1 b_{t{+}\ell }\}_{\ell \in [\frac{n}{t}]}) \\&\mathsf{EncCt}({\varvec{x}}) {:}{=}\{ s_1 b_\ell + \textstyle \sum _{j \in [\frac{n}{t}]} ({\varvec{x}}_{\ell })_{j} s_1b_{t+j}\}_{\ell \in [t]} \end{aligned}$$

In this case, \(\mathsf{EncKey1}(y)\) is formed all the polynomials of \(\mathsf{EncKey}\) except the first one and so, \({\bar{m}}_1 = \frac{n}{t}\). Furthermore, the encoding is algebraic, where:

• (public coeffs) \(\Pi {:}{=}\{(1,\!t{+}j,\!\ell )\}_{j,\ell \in [\frac{t}{n}]}\) where \(\forall \ell \), \(f(1,\!t{+}\ell ,\!\ell ) {:}{=}1\), and \(\forall j,\ell \ne j\), \(f(1,\!t{+}j,\!\ell ) {:}{=}0\).

• (binary coeffs) \(\Phi {:}{=}\Phi _1 \cup \Phi _2\), with \(\Phi _1 {:}{=}\{(1,j,\ell )\}_{j,\ell \in [\frac{n}{t}]}\), \(\Phi _2 {:}{=}\{(1,0,\ell )\}_{\ell \in [\frac{n}{t}]}\).

• (clusters) \(\Lambda {:}{=}\{(\Phi _1, (\lambda x. 1), 1),\,\, \{(\Lambda _\ell , g, 0)\}_{\ell \in [\frac{n}{t}]} \}\).

where \(\lambda x. 1\) denotes the constant function 1; \(\forall \ell \in [\frac{n}{t}]\), \(\Lambda _\ell {:}{=}\{(1,j,\ell )\}_{j \in [0,\frac{n}{t}]}\); and g is a function defined as \({-}1\) if the second argument is 0, or 1 otherwise. \(\square \)

C\(\Sigma \)-protocol for the PoK of Fig. 3

For coefficients \(\phi _{j} \in \mathbb {Z}_p\) for all \(j \in [n]\), and a matrix Z over \(\mathbb {Z}_p\) of dimension \((k{+}1) \times (k{+}1)\), we define¹⁰

Fig. 4

\(\Sigma \)-protocol for relation \({{\mathcal {R}}}_1\). Operator \(\circ \) denotes element-wise product

In Fig. 4, we provide a zero-knowledge proof of knowledge for the relation

Such a protocol can be used to prove the relation described in the first round of Fig. 3. Note that, for the sake of simplicity in the notation, we have not considered the \(\ell \in [{\bar{m}}_1]\) indices in \({{\mathcal {R}}}_1\). In the majority of pair encodings, where the clusters do not involve elements between different polynomials, the generic conjunction of \(\Sigma \)-protocols is enough to handle the necessary relation. For the rest of pair encodings (an example is the encoding from Example 3), it is not complicated to modify our \(\Sigma \)-protocol consider all polynomials at the same time.

Lemma 3

The protocol described in Fig. 4 is perfectly complete, perfect special honest verifier zero-knowledge and 3-special sound.

For the sake of space, we do not include an explicit protocol for the relation in Round 2 of Fig. 3. We note that such a proof is necessary to satisfy the strong simulation-based security. In practice, such a proof is not so critical. The user is interested in receiving a valid secret key for y and it can check the validity of the obtained key by encrypting messages for different values x and decrypting them with the key, verifying that decryption is successful whenever \((x,y) \in P\).

Proof Of Lemma 3

• Perfect completeness. Note that if the prover knows a valid witness and follows the protocol all verification equations are satisfied. In particular, \(\forall (i,j) \!\in \! \Pi \), \(a_{\{i,j\}} \!\!{:}{=}0\), and so, for the first verification equation,

  $$\begin{aligned} { \forall (i,j)\in \Pi }, \,\, \beta _{\{i,j\}} = e\, \phi _{\{i,j\}} {+} a_{\{i,j\}} = e\, \phi _{\{i,j\}} = e\, f(i,j). \end{aligned}$$

  For the second equation,

  $$\begin{aligned} { \forall s \in \Theta }, \,\, \textstyle \sum _{(i,j) \in \Lambda _s}g_s(i,j)\beta _{\{i,j\}}&= \textstyle \sum _{(i,j) \in \Lambda _s}\big (g_s(i,j)e\,\phi _{\{i,j\}} {+} a_{\{i,j\}}\big ) \\&= e \textstyle \sum _{(i,j) \in \Lambda _s}g_s(i,j)\phi _{\{i,j\}} = e\, \gamma _s . \end{aligned}$$

  For the third, for all \(i \in [m]\):

  

  Finally, the fourth also holds, for all \(i \in [m]\):

  $$\begin{aligned}&B^e_i \circ C_i = \mathrm{Com}_{\textsf {mpk}}(\{b_{\{i,j\}}\}_{j \in [n]}; S_i)^e \circ \mathrm{Com}_{\textsf {mpk}}(\{c_{\{i,j\}}\}_{j \in [n]}; T_i) \\&\quad \, = \mathrm{Com}_{\textsf {mpk}}(\{e\, b_{\{i,j\}} {+} c_{\{i,j\}}\}_{j \in [n]}; e\,S_i {+} T_i) = \mathrm{Com}_{\textsf {mpk}}(\eta _{\{i,1\}}, \dots , \eta _{\{i,n\}}; \Psi _i) \, . \end{aligned}$$

  because, \(\forall (i,j) \not \in \Phi \)\(,\, b_{\{i,j\}} \,{=}\, c_{\{i,j\}} \,{=}\, \eta _{\{i,j\}} \,{=}\, 0\) and \(\forall (i,j) \in \Phi \), we have \(\phi _{\{i,j\}} \in \{0,1\}\) and so, \(\phi _{\{i,j\}}^2 = \phi _{\{i,j\}}\). Therefore,¹¹

  $$\begin{aligned}&e\, b_{\{i,j\}} \,{+}\, c_{\{i,j\}} = e\, a_{\{i,j\}}(1\,{-}\,2\,\phi _{\{i,j\}}) \,{-}\, a_{\{i,j\}}^2 \\&\quad \, = e\, a_{\{i,j\}}(1\,{-}\,2\,\phi _{\{i,j\}}) \,{-}\, a_{\{i,j\}}^2 + e^2(\phi _{\{i,j\}} \,{-}\, \phi _{\{i,j\}}^2) \\&\quad \, = (e\, \phi _{\{i,j\}} + a_{\{i,j\}})(e {-} (e\, \phi _{\{i,j\}} + a_{\{i,j\}})) = \beta _{\{i,j\}} (e \,{-}\, \beta _{\{i,j\}}) = \eta _{\{i,j\}}. \end{aligned}$$

• Special honest verifier zero-knowledge. If the challenge e is known. A simulator can produce a valid transcript that is identically distributed to a transcript created by an honest prover, as follows.

  1. (i)

     For every \((i,j) \in \Pi \), set \(\beta _{\{i,j\}} {:}{=}e\, f(i,j)\) and \(\forall (i,j) \not \in \Pi \), sample .

  2. (ii)

     For every \(s \in \Theta \), pick some \((i_s, j_s) \in \Lambda _s\) such that \(g_s(i_s, j_s) \ne 0\) and modify the value of \(\beta _{\{i,j\}}\) so that \(\sum _{(i,j) \in \Lambda _s} g_s(i,j)\beta _{\{i,j\}} = \gamma _s\, e\).

  3. (iii)

     Define \(\eta _{\{i,j\}}\) as \(\eta _{\{i,j\}}(e\,{-}\,\eta _{\{i,j\}})\) for every \((i,j) \in \Phi \) and 0 otherwise.

  4. (iv)

     Sample matrices \(\Gamma _i, \Psi _i, S_i\) uniformly from \(\mathbb {Z}_p^{(k{+}1)\times (k{+}1)}\) for every \(i \in [m]\).

  5. (v)

     Set \(B_i {:}{=}\llbracket S_i B \rrbracket _{\mathsf{2}}\) for every \(i \in [m]\).

  6. (vi)

     Set \(A_i {:}{=}M^{{-}e}_i \! \circ \mathrm{Com}_{\textsf {mpk}}(\beta _{\{i,1\}},\dots ,\beta _{\{i,n\}}; \Gamma _i)\) for every \(i \in [m]\).

  7. (vi)

     Set \(C_i {:}{=}B^{{-}e}_i \! \circ \mathrm{Com}_{\textsf {mpk}}(\eta _{\{i,1\}},\dots ,\eta _{\{i,n\}}; \Psi _i)\) for every \(i \in [m]\).

  Note that the simulation is perfect because in both a real transcript and the simulated transcript variables \(\beta _{\{i,j\}}\) for all \((i,j) \not \in \Pi \) and matrices \(\Gamma _i\) and \(\Psi _i\) for all \(i \in [m]\) are independent and uniformly random, modulo the condition \(\sum _{(i,j) \in \Lambda _s} g_s(i,j)\beta _{\{i,j\}} = \gamma _s\, e\) for all \(s \in \Theta \). Furthermore, the value of \(\beta _{\{i,j\}}\) for all \((i,j) \in \Pi \) is completely determined, as well as matrices \(A_i\) and \(C_i\) for all \(i \in [m]\), in both kinds of proof.

• 3-special soundness. Note that two answers, say \(\{\beta _{\{i,j\}}\!\}_{i,j},\, \{\Gamma _i, \Psi _i\}_{i \in [m]}\) and \(\{{\hat{\beta }}_{\{i,j\}}\!\}_{i,j},\, \{{\hat{\Gamma }}_i, {\hat{\Psi }}_i\}_{i \in [m]}\) to 2 different challenges, say e and \({\hat{e}}\) (respectively), with the same first message lead to a valid witness. It is enough to set

  $$\begin{aligned} \phi _{\{i,j\}} {:}{=}\frac{\beta _{\{i,j\}} \,{-}\, {\hat{\beta }}_{\{i,j\}}}{e\,{-}\,{\hat{e}}} \,\, \forall (i,j) \in [m]\!\times \![n] \,\,\,\, \text {and} \,\,\,\, Z_{i} = \frac{\Gamma _{i} \,{-}\, {\hat{\Gamma }}_{i}}{e \,{-}\, {\hat{e}}} \,\, \forall i \in [m] \end{aligned}$$

  Note that such an opening satisfies,

  $$\begin{aligned} \forall (i,j) \in \Pi ,\, \phi _{\{i,j\}} = \frac{\beta _{\{i,j\}} \,{-}\, {\hat{\beta }}_{\{i,j\}}}{e\,{-}\,{\hat{e}}} = \frac{e\, f(i,j) \,{-}\, {\hat{e}}\, f(i,j)}{e\,{-}\,{\hat{e}}} = f(i,j) \end{aligned}$$

  Furthermore,

  $$\begin{aligned} \forall s \in \Theta ,\,\!\!\!\! \sum _{(i,j) \in \Lambda _s}\!\!\!\!g_s(i,j)\phi _{\{i,j\}} = \sum _{(i,j) \in \Lambda _s}g_s(i,j)\frac{(\beta _{\{i,j\}} \,{-}\, {\hat{\beta }}_{\{i,j\}})}{e\,{-}\,{\hat{e}}} = \gamma _s \end{aligned}$$

  Finally, the last verification equation tells us that for every \((i,j) \in \Phi \), the following polynomial in x

  $$\begin{aligned} x^2(\phi _{\{i,j\}} \,{-}\, \phi _{\{i,j\}}^2) + x(a_{\{i,j\}}(1\,{-}\,2\,\phi _{\{i,j\}} - b_{\{i,j\}}) \,{-}\, a_{\{i,j\}}^2 - c_{\{i,j\}} \end{aligned}$$

  evaluates to 0 in both e and \({\hat{e}}\). If there existed a third valid answer to a different challenge but the first same message, the polynomial would have three roots, but its degree is at most 2. Therefore, it must be the zero polynomial (\(\mathbb {Z}_p\) is a field), and thus, the coefficient for \(x^2\) must be zero: \(\phi _{\{i,j\}} \!\in \! \{0,1\}\). \(\square \)