CP-ABE for Circuits (and More) in the Symmetric Key Setting

Agrawal, Shweta; Yamada, Shota

doi:10.1007/978-3-030-64375-1_5

Shweta Agrawal¹⁰ &
Shota Yamada¹¹

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12550))

Included in the following conference series:

Theory of Cryptography Conference

861 Accesses
4 Citations

Abstract

The celebrated work of Gorbunov, Vaikuntanathan and Wee [GVW13] provided the first key policy attribute based encryption scheme (ABE) for circuits from the Learning With Errors (LWE) assumption. However, the arguably more natural ciphertext policy variant has remained elusive, and is a central primitive not yet known from LWE.

In this work, we construct the first symmetric key ciphertext policy attribute based encryption scheme (CP-ABE) for all polynomial sized circuits from the learning with errors (LWE) assumption. In more detail, the ciphertext for a message m is labelled with an access control policy f, secret keys are labelled with public attributes $\mathbf {x}$ from the domain of f and decryption succeeds to yield the hidden message m if and only if $f(\mathbf {x})=1$. The size of our public and secret key do not depend on the size of the circuits supported by the scheme – this enables our construction to support circuits of unbounded size (but bounded depth). Our construction is secure against collusions of unbounded size. We note that current best CP-ABE schemes [BSW07, Wat11, LOS+10, OT10, LW12, RW13, Att14, Wee14, AHY15, CGW15, AC17, KW19] rely on pairings and only support circuits in the class ${\mathsf {NC}}_1$ (albeit in the public key setting).

We adapt our construction to the public key setting for the case of bounded size circuits. The size of the ciphertext and secret key as well as running time of encryption, key generation and decryption satisfy the efficiency properties desired from CP-ABE, assuming that all algorithms have RAM access to the public key. However, the running time of the setup algorithm and size of the public key depends on the circuit size bound, restricting the construction to support circuits of a-priori bounded size. We remark that the inefficiency of setup is somewhat mitigated by the fact that setup must only be run once.

We generalize our construction to consider attribute and function hiding. The compiler of lockable obfuscation upgrades any attribute based encryption scheme to predicate encryption, i.e. with attribute hiding [GKW17, WZ17]. Since lockable obfuscation can be constructed from LWE, we achieve ciphertext policy predicate encryption immediately. For function privacy, we show that the most natural notion of function hiding ABE for circuits, even in the symmetric key setting, is sufficient to imply indistinguishability obfuscation. We define a suitable weakening of function hiding to sidestep the implication and provide a construction to achieve this notion for both the key policy and ciphertext policy case. Previously, the largest function class for which function private predicate encryption (supporting unbounded keys) could be achieved was inner product zero testing, by Shen, Shi and Waters [SSW09].

You have full access to this open access chapter, Download conference paper PDF

Circuit-ABE from LWE: Unbounded Attributes and Semi-adaptive Security

ABE for Circuits with Constant-Size Secret Keys and Adaptive Security

Attribute-Based Access Control for Inner Product Functional Encryption from LWE

1 Introduction

Attribute based encryption (ABE) [SW05] is a generalization of public key encryption that enables fine grained access control on encrypted data. In attribute based encryption, a message m is encrypted so that decryption succeeds if and only if the secret key holder is authorized to learn the message. Here, authorization is enforced via an access control policy modelled as a Boolean circuit f, which is computed over some public attributes $\mathbf {x}$ associated with the data/user. The access control policy may be embedded either in the key or the ciphertext, yielding key-policy (KP-ABE) or ciphertext-policy (CP-ABE) respectively.

In more detail, in a CP-ABE scheme, a ciphertext for a message m is labelled with an access control policy f, and secret keys are labelled with public attributes $\mathbf {x}$ from the domain of f. Decryption succeeds to yield the hidden message m if and only if the attribute satisfies the function, namely $f(\mathbf {x})=1$. In a KP-ABE, the placement of f and $\mathbf {x}$ are swapped.

Ciphertext Policy ABE for Circuits. Both KP-ABE [SW05, GPSW06, BW07, KSW08, LOS+10, OT10, OT12, CW14, AFV11, LW11, LW12, Wat12, GVW13, Wee14, Att14, BGG+14, GVW15, GV15, BV16, AF18] and CP-ABE schemes have received a lot of attention [BSW07, Wat11, LOS+10, OT10, LW12, RW13, Att14, Wee14, AHY15, CGW15, AC17, KW19] in the literature. While KP-ABE for the richest class of functions rely on the Learning With Errors (LWE) assumption and can support all polynomial sized circuits, the most general CP-ABE rely on pairings and can only support circuits in ${\mathsf {NC}}_1$ [BSW07, Wat11, LOS+10, OT10, LW12, RW13, Att14, Wee14, AHY15, CGW15, AC17, KW19].

Recently, Tsabary [Tsa19] provided a construction of (public key) CP-ABE from Learning With Errors (LWE) for the very restricted class of $t\text{- }\mathsf{CNF}$ formulae, where t is constant. However, for all polynomial sized circuits, any construction from standard assumptions^{Footnote 1} has remained elusive despite substantial research effort. Very recently, Brakerski and Vaikuntanathan do provide a construction of (public key) CP-ABE using lattice based techniques [BV20], but their construction lacks a security proof. Their work further highlights the technical barriers to providing a construction from LWE. Indeed, constructing CP-ABE for even $\mathsf {NC_1}$ from LWE is widely acknowledged as a central problem in lattice based cryptography and would be considered a major breakthrough.

Function Hiding. An ABE scheme encodes an attribute vector $\mathbf {x}$ and a Boolean circuit f. Hiding the attribute in these constructions, à la Predicate Encryption (PE) has met with fantastic success – the celebrated work of Gorbunov, Vaikuntanathan and Wee [GVW15] constructed a predicate encryption system for all circuits from LWE. More recently, Goyal, Koppula and Waters [GKW17] as well as Wichs and Zirdelis [WZ17] provided a powerful compiler for upgrading any ABE to PE by assuming LWE. However, much less is known about function hiding for ABE. For restricted functionalities such as identity based encryption and subspace membership testing, function hiding has received attention [BRS13a, BRS13b] in the public key setting, but serious technical barriers present themselves for more general function classes. We refer the reader to [BRS13a, BRS13b] for a detailed discussion.

In the symmetric key setting, function hiding for the stronger notion of functional encryption has been studied extensively [GTKP+13b, BS15] – however, since functional encryption is known to imply indistinguishability obfuscation [AJ15, BV15, BNPW16, KNT18] even without function hiding, there is limited optimism about achieving this notion for all circuits from standard assumptions, given current state of art. On the other hand, for the restricted inner product functionality, function hiding functional encryption can be achieved from standard assumptions [BJK15, KLM+16]. For the related (but distinct) functionality of inner product zero testing, Shen, Shi and Waters [SSW09] provided a construction of function hiding, symmetric key predicate encryption from bilinear maps.

The above state of affairs is dissatisfying and reveals several gaps in our understanding. Concretely, for general circuits and from standard assumptions, can we achieve function hiding in the symmetric key setting? Note that while attribute based encryption [GVW13, BGG+14] and predicate encryption [GVW15] are achievable from standard assumptions for all circuits, the richest functionality for which function hiding predicate encryption has been achieved is the inner product zero testing functionality [SSW09]. We emphasize that this question is not just of theoretical interest – as noted by Shen et al. [SSW09], function private predicate encryption in the symmetric key setting has many compelling applications. As an example [SSW09], a user may wish to store encrypted files on an untrusted server, and later retrieve only files that satisfy a given predicate. It is a natural security requirement that the server must learn nothing more about the predicate than minimum possible. We refer the reader to [SSW09] for a detailed discussion.

1.1 Our Results

In this work, we make substantial progress on both questions discussed above. Our results are summarized as follows:

1.
We construct the first symmetric key ciphertext policy attribute based encryption scheme (CP-ABE) for all polynomial sized circuits from the learning with errors (LWE) assumption. The sizes of our public and secret key do not depend on the size of the circuits supported by the scheme – this enables our construction to support circuits of unbounded size (but bounded depth). Our construction is secure against collusions of unbounded size in the multi-challenge ciphertext setting.^{Footnote 2}

This is the first construction of CP-ABE for polynomial circuits of unbounded size, supporting unbounded collusions, from standard assumptions.
2.
We adapt our construction to the public key setting for the case of bounded size circuits. The size of the ciphertext and secret key as well as the runtime of encryption, key generation and decryption satisfy the efficiency properties desired from CP-ABE. However, the running time of the setup algorithm and the size of the public key depend on the circuit size bound, restricting the construction to support circuits of a-priori bounded size. We remark that this inefficiency is mitigated by the fact that setup must only run once. We summarize our results in Table 1.
3.
We study the notion of function hiding attribute based encryption for circuits, in the symmetric key setting. In Sect. 5.3, we show that the most natural notion of function hiding ABE, even in the symmetric key setting is sufficient to imply indistinguishability obfuscation. We define a suitable weakening of function hiding to sidestep the implication and provide a construction in Sect. 5 to achieve this notion for both key policy and ciphertext policy predicate encryption. We instantiate our compiler with known constructions of PE to obtain the following theorems:

Table 1. $|f_{\max }|$ denotes the worst case size bound on circuit size, and |f| denotes the input circuit size. All the entries hide and logarithmic factors in $|f_{\max }|$. Due to space constraints, we include only the most recent pairings based $\mathsf {cpABE}$ in the table.

Theorem 1.1

(Informal). Assuming subexponential LWE, we have function hiding, semi-adaptively secure predicate encryption for all polynomial circuits.

Theorem 1.2

(Informal). Assuming subexponential LWE and DLIN, we have function hiding, adaptively secure predicate encryption for ${\mathsf {NC}}_1$ circuits.

Please see Sect. 5.1 for details.

1.2 Our Techniques

In this section, we provide an overview of our techniques.

CP-ABE for Circuits. For this construction, we leverage techniques developed recently by Agrawal, Maitra and Yamada [AMY19] to handle inputs of unbounded size in the context of ABE for finite automata. We notice that these techniques are quite a bit more general than discussed in that work and can be adapted to the setting of ciphertext policy ABE supporting unbounded collusions.

Folklore Approach. We begin with a folklore transformation of KP-ABE to CP-ABE – namely, via the universal circuit. In more detail, let $U(\cdot ,\cdot )$ be the universal circuit such that $f(\mathbf {x}) = U(\mathbf {x}, f)$. Next, let $U[\mathbf {x}]$ be the universal circuit with the input $\mathbf {x}$ hard-wired. Then, we may construct a CP-ABE scheme, denoted by $\mathsf {cpABE}$ using a KP-ABE scheme, denoted by $\mathsf {kpABE}$ as follows: the $\mathsf {cpABE}$ encryptor, given a message m and circuit f may compute $\mathsf {kpABE}$ ciphertext for (m, f) where f is viewed as a bit string representing $\mathsf {kpABE}$ attributes. The $\mathsf {cpABE}$ key generator, given an attribute string $\mathbf {x}$, may compute a $\mathsf {kpABE}$ function key for the circuit $U[\mathbf {x}]$. Decryption is straightforward using $\mathsf {kpABE}$ decryption as $U[\mathbf {x}](f) = U(\mathbf {x}, f) = f(\mathbf {x})$.

The above generic compiler has the drawback that the input of circuit $U[\mathbf {x}]$ is the circuit f. This limits the construction to only support circuits of a-priori bounded size $|f_{\max }|$ (say) and forces the size of the public key, ciphertext as well as runtime of setup, key generation, encryption and decryption to grow with $|f_{\max }|$ (please see Table 1). We emphasize that even the encryption and decryption algorithms, which must take time proportional to circuit size, now degrade with the worst case bound $|f_{\max }|$, rather than with input circuit |f|. The hit taken by key generation is significantly worse^{Footnote 3}.

Re-distributing Computation. Note that the only algorithms which are allowed to depend on the size of the circuit length are the encryption and decryption algorithms. Hence, inspired by [AMY19], we re-distribute the computation of $\mathsf {kpABE}.\mathsf{KeyGen}(U[\mathbf {x}])$ between the key generator and the encryptor to ensure that each algorithm satisfies the efficiency requirements of CP-ABE.

In more detail, the key generator may depend on the size of $\mathbf {x}$ but not on the size of f, while the encryptor and decryptor may depend on the size of f. In order to redistribute computation, we rely on single-key functional encryption (FE), which can be constructed based on the LWE assumption [GKP+13]. Now, the ciphertext of $\mathsf {cpABE}$ is $\mathsf {kpABE}.\mathsf {CT}(f, m)$ where f is treated as the attribute string. Additionally, the ciphertext contains $\mathsf {FE}.\mathsf{KeyGen}(C)$ where the circuit $C(\cdot ) = \mathsf {kpABE}.\mathsf{KeyGen}(U(\cdot ))$. The secret key of $\mathsf {cpABE}$ is $\mathsf {FE}.\mathsf {Enc}(\mathbf {x})$. Decryption in the $\mathsf {cpABE}$ scheme proceeds by first computing $\mathsf {FE}$ decryption to obtain $\mathsf {kpABE}.\mathsf {SK}(U[\mathbf {x}])$ and then computing $\mathsf {kpABE}$ decryption with $\mathsf {kpABE}.\mathsf {CT}(f, m)$ to obtain m iff $f(\mathbf {x})=1$. Care must be taken that single key security of the underlying FE scheme is not violated. For this, we ensure that the function key is generated for the same circuit $C(\cdot ) = \mathsf {kpABE}.\mathsf{KeyGen}(U(\cdot ))$ and using the same randomness (as specified in the master secret key), across all invocations of FE key generation.

In order to argue that the key generation algorithm does not depend on |f|, we rely on special properties of the FE scheme. Recall that the FE scheme of Goldwasser et al. is succinct which means that the running time of the encryption algorithm depends on the depth and output length of the circuits supported by the scheme but is independent of their size. The depth of the circuits supported by our construction is bounded by assumption and the depth of the $\mathsf {kpABE}$ key generation circuit is at most a polynomial factor larger than the depth of the circuit it supports. Hence, it remains to argue that the output length may be similarly bounded. To see this, note that in our construction, the function key is generated for circuit $C(\cdot ) = \mathsf {kpABE}.\mathsf{KeyGen}(U(\cdot ))$, whose output length depends on the size of the underlying $\mathsf {kpABE}$ function key. Fortunately, by using the $\mathsf {kpABE}$ scheme of Boneh et al. [BGG+14], we may bound the size of the $\mathsf {kpABE}$ scheme by a fixed polynomial.

Supporting Circuits of Unbounded Size. A detail brushed under the carpet in the above description is that the $\mathsf {kpABE}$ scheme which is used to encrypt f as an attribute string must be initialized with the length of f during the setup phase. Moreover, this input length is passed to all other $\mathsf {kpABE}$ algorithms, notably the key generation algorithm. Since we wish to support f of unbounded size, this poses a dilemma. An immediate question that arises is which algorithm of $\mathsf {cpABE}$ should invoke the setup algorithm of $\mathsf {kpABE}$? Evidently, the setup of $\mathsf {cpABE}$ does not have the size of f, so it must be the encrypt algorithm. Hence, the $\mathsf {cpABE}$ encrypt algorithm samples the $\mathsf {kpABE}$ scheme and provides an $\mathsf {FE}$ secret key for the circuit $\mathsf {kpABE}.\mathsf{KeyGen}(U(\cdot ))$. A subtlety is that the $\mathsf {kpABE}$ key generation algorithm must depend on the length of f as discussed above. Then, if f is of varying size across different ciphertexts, the description of $\mathsf {kpABE}.\mathsf{KeyGen}(U(\cdot ))$ and hence $\mathsf {FE}.\mathsf {SK}$ varies with the size of f. This is problematic – since $\mathsf {FE}$ only satisfies single key security!

We resolve the above conundrum by running $\lambda +1$ instances of $\mathsf {FE}$ and $\mathsf {kpABE}$ in parallel – each to support f of length $2^i$ where $i \in [0,\lambda ]$. The circuit size is padded to the next power of two – a trick used in many works, beginning with [GTKP+13a] – so that we only need to deal with $\lambda +1$ possible $\mathsf {FE}$, each of which supports the issuing of a single secret key, which will compute the $\mathsf {kpABE}$ key generation circuit for inputs of length $2^i$. The $\mathsf {cpABE}$ key generator does not know which instance of $\mathsf {FE}$ it must encrypt with, so it encrypts with all of them. For details, please see Sect. 3.

Security. Our $\mathsf {cpABE}$ scheme achieves selective, indistinguishability based security. At a high level, security relies on the security of the instances of the single key FE schemes and $\mathsf {kpABE}$ schemes. Similarly to [AMY19], we begin by showing that by security of $\mathsf {FE}$ adversary cannot get anything beyond $\{ \mathsf {FE}.\mathsf {Dec}( \mathsf {FE}.\mathsf{sk}_i, \mathsf {FE}.\mathsf {ct}_i ) = \mathsf {kpABE}.\mathsf{sk}_i \}$ for $i \in [0,\lambda ]$. Next, we rely on the security of $\mathsf {kpABE}$ to argue that the message bit is not revealed. As discussed above, we need to ensure that only single FE secret key is revealed to the adversary for each instance of FE. Fortunately, this can be guaranteed by the fact that for a given instance of $\mathsf {FE}$, we must only release a secret key (of the FE) for the key generation algorithm of the corresponding $\mathsf {kpABE}$.

Public Key Setting. Next, we construct a public key ciphertext policy ABE scheme for bounded sized circuits, where $|f_{\max }|$ is set as an upper bound on circuit size. In our construction, the size of the secret key and ciphertext satisfy the efficiency properties desired from CP-ABE (Definition 2.4). Additionally, the running time of the keygen, encrypt and decrypt algorithms depend only on the size of the input circuit f and not on the worst case circuit size $|f_{\max }|$, assuming that they have RAM access to the public key. However, the running time of the setup algorithm and the size of $\mathsf {PK}$ grows with the size $|f_{\max }|$ of the circuits supported by the scheme. We note that this inefficiency is mitigated since it must be only run once.

The construction is similar to the secret key $\mathsf {cpABE}$ provided in Sect. 3 but has some important differences. Let us try to adapt the secret key construction of Sect. 3 to the public key setting. Since the construction makes modular use of single key succinct $\mathsf {FE}$ [GKP+13] and key policy ABE [BGG+14], and both these schemes can be instantiated in the public key setting from LWE, a first attempt would be to use public key versions of these building blocks and compile a public key version of the secret key $\mathsf {cpABE}$ scheme. However this naive approach runs into multiple difficulties. For the key generation algorithm to be independent of the circuit size, it may not compute the circuit $U[\mathbf {x}]$ – indeed, this would render the role of $\mathsf {FE}$ useless and collapse back into the naive transformation of a $\mathsf {kpABE}$ to $\mathsf {cpABE}$ scheme via universal circuits. To avoid the dependence of keygen on circuit size, it is necessary for the encrypt algorithm to compute the $\mathsf {FE}$ secret key for the $\mathsf {kpABE}$ key generation algorithm, which in turn requires that the encrypt algorithm possess the master secret key $\mathsf {FE}.\mathsf {msk}$.

However, a crucial and useful property of the construction is that it only uses $\mathsf {FE}$ for a single fixed circuit – hence, to remove the dependence of $\mathsf {Enc}$ on $\mathsf {FE}.\mathsf {msk}$, an idea is to let setup compute the $\mathsf {FE}$ function key itself and provide it as part of the public key. The $\mathsf {cpABE}$ public key can contain the public keys of $\mathsf {FE}$ as well as $\mathsf {kpABE}$, along with the $\mathsf {FE}$ function key for the $\mathsf {kpABE}$ key generation algorithm. Now, the encryptor, given input circuit f and message $\mu $, can use the $\mathsf {kpABE}$ public key to compute a $\mathsf {kpABE}$ ciphertext for $(f, \mu )$. The key generator can compute the $\mathsf {FE}$ ciphertext for $\mathbf {x}$ and the decryptor can decrypt as before, by performing $\mathsf {FE}$ decryption to recover the $\mathsf {kpABE}$ function key, followed by $\mathsf {kpABE}$ decryption.

An immediate drawback is that this approach forces the circuit size to be fixed at setup time. Additionally, even if we assume an upper bound $|f_{\max }|$ on the size of supported circuits, this approach has the significant disadvantage that the runtime of encryption and decryption as well as the size of the ciphertext to depend on the upper bound $|f_{\max }|$ rather than the actual size of the circuit. When the input circuit is much smaller, this is a significant price to pay in terms of both communication and computation. Another disadvantage is that the size of the public key now grows with the upper bound $|f_{\max }|$. To see this, note that the $\mathsf {kpABE}$ public key in general depends on the size of the inputs supported by the scheme, which in this case can be as large as $|f_{\max }|$. There do exist clever ideas to make the size of the $\mathsf {kpABE}$ public key independent of the input size [BV16, GKW16], but they do so, unfortunately, at the expense of making the function key depend linearly on input size $|f_{\max }|$. But if the $\mathsf {kpABE}$ function key is large, then the size of the $\mathsf {FE}$ ciphertext would degrade to support this, making the $\mathsf {cpABE}$ function key large, which is precisely what we are trying to avoid!

These issues may be overcome if we assume that every algorithm has RAM access to $\mathsf {cpABE}.\mathsf {mpk}$. For simplicity, let us assume that circuit sizes come in powers of 2 – this assumption can be easily removed by padding circuits appropriately. In this case, we run $\eta := \lceil \log |f_{\max }| \rceil $ instances of $\mathsf {kpABE}$ in parallel, and let the $i^{th}$ instance handle inputs of length $2^i$, for $i \in [\eta ]$. Now, we have $\eta $ public keys for $\mathsf {kpABE}$, each of length $2^i$, which together (along with $\mathsf {FE}.\mathsf {mpk}_i$ and $\mathsf {FE}.\mathsf{sk}_i$) comprise the final public key. If every algorithm has RAM access to this public key, then it may choose the component according to the actual input length of the circuit, namely it may choose $i^*$ such that $|f| = 2^{i^*}$ and access only the ${i^*}^{th}$ component of the public key. Then, the runtime of the encrypt and decrypt algorithm depend on |f| rather than $|f_{\max }|$. For more details, please see Sect. 4.

Function Hiding Predicate Encryption. Next, we generalize our construction to consider attribute and function hiding. The compiler of lockable obfuscation upgrades any attribute based encryption scheme to predicate encryption, i.e. with attribute hiding [GKW17, WZ17]. Since lockable obfuscation can be constructed from LWE, we achieve ciphertext policy predicate encryption immediately. We then turn to the question of function hiding predicate encryption for circuits. Here, we show that the natural notion of function hiding predicate encryption, i.e. that considered by [SSW09], when applied to all polynomial sized circuits, is strong enough to imply indistinguishability obfuscation.

Consider a function private ciphertext-policy attribute based encryption scheme $\mathsf {cpABE}$^{Footnote 4}. The ciphertext is associated with a circuit f and a message m and the key is associated with an attribute vector $\mathbf {x}$. Intuitively, since the scheme is function hiding, $\mathbf {x}$ is hidden. Note that the attribute f is not hidden, since this an ABE scheme. A natural game of function hiding would allow an adversary to output challenge key queries $(\mathbf {x}_{0i}, \mathbf {x}_{1i})$ and ciphertext queries $(f_j,\mu _j)$ so that $f_j(\mathbf {x}_{0i}) = f_j(\mathbf {x}_{1i} )$ for all i, j. The challenger responds by choosing a random bit b and returning the corresponding secret keys for $\mathbf {x}_{bi}$, along with ciphertexts for $(f_j,\mu _j)$. The adversary wins if she guesses the bit correctly^{Footnote 5}.

We now show a reduction from secret key functional encryption ($\mathsf {FE}$) to function hiding $\mathsf {cpABE}$. Recall that in functional encryption, the ciphertext is associated with a vector $\mathbf {x}$, the secret key is associated with a circuit f and decryption enables the decryptor to recover $f(\mathbf {x})$. In the security game, the adversary must distinguish between encryptions of $\mathbf {x}_0$ and $\mathbf {x}_1$ given an arbitrary number of secret keys for circuits $f_i$ where $f_i(\mathbf {x}_0)=f_i(\mathbf {x}_1)$. In our reduction, if $\mathsf {cpABE}$ supports unbounded ciphertext queries, then $\mathsf {FE}$ supports unbounded key queries. Such a functional encryption scheme is known to imply indistinguishability obfuscation ($\mathsf {iO}$) [AJ15, BV15, BNPW16, KNT18].

It remains to outline the reduction. The reduction is remarkably simple: suppose that $\mathsf {FE}.\mathsf {Enc}(\mathbf {x},\mathsf {msk}) = \mathsf {cpABE}.\mathsf{KeyGen}( \mathbf {x}, \mathsf {msk})$ and that $\mathsf {FE}.\mathsf{KeyGen}(f, \mathsf {msk}) $ $= (m, \mathsf {cpABE}.\mathsf {Enc}(f, m, \mathsf {msk}))$ where m is a random bit. $\mathsf {FE}.{\mathsf {Dec}}$ computes $\mathsf {cpABE}.{\mathsf {Dec}}$ and outputs 1 if it recovers m correctly. Now, when the $\mathsf {FE}$ adversary outputs $\mathbf {x}_0, \mathbf {x}_1$ as challenge messages, the reduction outputs outputs $\mathbf {x}_0, \mathbf {x}_1$ as challenge keys and obtains the $\mathsf {cpABE}$ key for $\mathbf {x}_b$. When the $\mathsf {FE}$ adversary makes a key request for $f_i$, the reduction obtains the $\mathsf {cpABE}$ ciphertext for $(f_i, m_i)$ where $m_i$ is randomly chosen, and uses these to respond to the $\mathsf {FE}$ adversary. It is evident that if the $\mathsf {FE}$ adversary is legitimate, then so is the $\mathsf {cpABE}$ function hiding adversary. Also, clearly if the $\mathsf {cpABE}$ adversary wins the game, this translates to a win for the $\mathsf {FE}$ adversary.

To avoid the implication to $\mathsf {FE}$, we weaken the function hiding definition. We provide a restricted definition of function hiding (Definition 2.14), in which the adversary is disallowed from making queries for vectors $\mathbf {x}_0, \mathbf {x}_1$ such that $f_i(\mathbf {x}_0) =f_i(\mathbf {x}_1) =1$ for any requested $f_i$. The definition insists that $f_i(\mathbf {x}_0) =f_i(\mathbf {x}_1) =0$ for all requests. Note that an admissible $\mathsf {FE}$ adversary may request keys for any circuits $f_i$ as long as $f_i(\mathbf {x}_0) = f_i(\mathbf {x}_1)$, regardless of whether this value is 0 or 1. However, with the restriction on the function hiding definition, the above reduction fails and we fall back into “one sided security” that characterizes ${\mathsf {PE}}$ and is known to be achievable from standard assumptions. Please see Sect. 5.3 for the detailed argument.

In Sect. 5, we provide a construction of predicate encryption for circuits which achieves the above notion of function hiding. Our compiler is analogous to the compiler of Goldwasser et al. [GKP+13], which converts succinct functional encryption to reusable garbled circuits. In more detail, we construct function hiding ${\mathsf {PE}}$ from ${\mathsf {PE}}$ and a symmetric key encryption scheme $\mathsf {SKE}$. For simplicity, we consider the key-policy setting, we show how to extend the argument to the ciphertext-policy setting in Sect. 5.

Since we are in the symmetric key setting, the $\mathsf {SKE}$ secret key $\mathsf {SK}$ (say) is known both to the key generation and the encrypt algorithms. Now, the encryptor uses ${\mathsf {PE}}$ to encrypt its message with attribute $(\mathsf {SK}, \mathbf {x})$. The key generator, given input circuit f, computes the $\mathsf {SKE}$ encryption $\hat{f}$ of f provides a key for an augmented circuit $U_{\hat{f}}(\cdot )$, which given input $(\mathsf {SK}, \mathbf {x})$, first decrypts $\hat{f}$ to obtain f and then computes $f(\mathbf {x})$. Intuitively, since ${\mathsf {PE}}$ is attribute hiding, $\mathsf {SK}$ remains hidden, and since the key only reveals the encryption $\hat{f}$, the circuit f remains hidden. The formal argument is provided in Sect. 5.

1.3 Perspective and Open Problems

CP-ABE from LWE, for all polynomial sized circuits (or even ${\mathsf {NC}}_1$) is a long standing open problem. Our work settles the question in the symmetric key case, and makes significant progress in the public key case. Our constructions use prior constructions of KP-ABE [BGG+14] and FE [GTKP+13a] as building blocks and combine them carefully to obtain the desired efficiency for CP-ABE. These building blocks satisfy certain special properties such as succinctness of ciphertext [GTKP+13a] and short secret key [BGG+14]. By noticing that the efficiency properties of these schemes compose in a fortuitous way, we achieve the required efficiency of CP-ABE by doing very little work^{Footnote 6}! Similar tricks were used by [AMY19] in the context of constructing ABE for finite automata – indeed, our constructions are simpler than theirs.

An obvious open problem is to close the “efficiency” gap in setup time that remains open in our public key construction. The chief hurdle in doing so is that the computation of the FE secret key is a secret key operation but the only algorithms in the construction that are allowed the time required by this computation, namely encrypt and decrypt, are public key algorithms. An approach may be to delegate the FE secret key generation using garbled circuits, as in [DG17] but a natural implementation of this idea turns out to be insecure. We conjecture that new techniques may be required to overcome this hurdle. In the context of function privacy, we obtain the first attribute based encryption schemes for circuits with function hiding, in the symmetric key setting. A natural open question is to provide constructions in the public key setting. However, as observed by [BRS13a], function privacy in the public key setting is significantly more challenging, with even the right definition being unclear. We conjecture that this problem may require significantly new ideas to resolve.

2 Preliminaries

Notation. We begin by defining the notation that we will use throughout the paper. We use bold letters to denote vectors and the notation [a, b] to denote the set of integers $\{k\in \mathbb {N}~|~a\le k\le b\}$. We use [n] to denote the set [1, n]. Concatenation is denoted by the symbol $\Vert $. Vectors will be column vectors unless stated otherwise.

We say a function f(n) is negligible if it is $O(n^{-c})$ for all $c > 0$, and we use to denote a negligible function of n. We say f(n) is polynomial if it is $O(n^c)$ for some constant $c > 0$, and we use to denote a polynomial function of n. We use the abbreviation PPT for probabilistic polynomial-time. We say an event occurs with overwhelming probability if its probability is . The function $\log x$ is the base 2 logarithm of x. For any finite set S we denote $\mathcal{P}(S)$ to be the power set of S. For a circuit $C: \{0,1\}^{\ell _1 + \ell _2} \rightarrow \{0,1\}$ and a string $\mathbf {x}\in \{0,1\}^{\ell _1}$, $C[\mathbf {x}] : \{0,1\}^{\ell _2} \rightarrow \{0,1\}$ denotes a circuit that takes $\mathbf {y}$ and outputs $C(\mathbf {x},\mathbf {y})$. We construct $C[\mathbf {x}]$ in the following specified way. Namely, $C[\mathbf {x}]$ is the circuit that takes as input $\mathbf {y}$ and sets

$$ z_i = {\left\{ \begin{array}{ll} y_1 \wedge \lnot y_1 &{} \text{ if } x_i=0 \\ y_1 \vee \lnot y_1 &{} \text{ if } x_i=1 \end{array}\right. } $$

and then computes $C(\mathbf {z}, \mathbf {y})$, where $x_i$, $y_i$, and $z_i$ are the i-th bit of $\mathbf {x}$, $\mathbf {y}$, and $\mathbf {z}$, respectively. In the above, it is clear that $z_i = x_i$ and we have $C(\mathbf {z}, \mathbf {y}) = C(\mathbf {x},\mathbf {y})$. Furthermore, it is also easy to see that $\mathsf {depth}(C[\mathbf {x}]) \le \mathsf {depth}(C) + O(1) $ holds. Circuit Classes of Interest. For $\lambda \in \mathbb {N}$, let $\mathcal{C}_{\mathsf {inp},\mathsf {d},\mathsf s}$ denote a family of circuits with $\mathsf {inp}$ bit inputs, bounded depth $\mathsf {d}$, bounded size $\mathsf s$ and binary output. When the size $\mathsf s$ is unspecified, it means that the circuit family $\mathcal{C}_{\mathsf {inp},\mathsf {d}}$ can have unbounded size.

2.1 Attribute Based Encryption for Circuits

Attribute based encryption comes in two flavours: key policy or ciphertext policy, depending on where the policy (represented as a Boolean circuit) is embedded. We define these next.

Ciphertext Policy Attribute Based Encryption for Circuits. Let $\mathcal{C}= \{\mathcal{C}_{\mathsf {inp}(\lambda ), \mathsf {d}(\lambda )}\}_{\lambda \in \mathbb {N}}$. A ciphertext policy attribute-based encryption (ABE) scheme $\mathsf {cpABE}$ for $\mathcal{C}$ over a message space $\mathcal {M}= \{\mathcal {M}_\lambda \}_{\lambda \in \mathbb {N}}$ consists of four algorithms:

$\mathsf {cpABE}.\mathsf {Setup}(1^\lambda ,1^\mathsf {inp}, 1^\mathsf {d})$ is a PPT algorithm takes as input the unary representation of the security parameter, the length $\mathsf {inp}= \mathsf {inp}(\lambda )$ of the input, the depth $\mathsf {d}= \mathsf {d}(\lambda )$ of the circuit family $\mathcal{C}$ to be supported. It outputs the master public key and the master secret key $(\mathsf {cpABE}.\mathsf {mpk}, \mathsf {cpABE}.\mathsf {msk})$.
${\mathsf {cpABE}.\mathsf {Enc}(\mathsf {cpABE}.\mathsf {mpk}}, C, m)$ is a PPT algorithm that takes as input the master public key $\mathsf {cpABE}.\mathsf {mpk}$, circuit $C\in \mathcal{C}_{\mathsf {inp}(\lambda ), \mathsf {d}(\lambda )}$ and a message $m\in \mathcal {M}$. It outputs a ciphertext $\mathsf {cpABE}.\mathsf {ct}$.
$\mathsf {cpABE}.\mathsf{KeyGen}(\mathsf {cpABE}.\mathsf {mpk}, \mathsf {cpABE}.{\mathsf {msk}}, \mathbf {x})$ is a PPT algorithm that takes as input the master public key $\mathsf {cpABE}.\mathsf {mpk}$, the master secret key $\mathsf {cpABE}.\mathsf {msk}$, and a a string $\mathbf {x}\in \{0,1\}^\mathsf {inp}$ and outputs a corresponding secret key $\mathsf {cpABE}.\mathsf{sk}_\mathbf {x}$.
$\mathsf {cpABE}.\mathsf {Dec}(\mathsf {cpABE}.\mathsf {mpk}, \mathsf {cpABE}.\mathsf{sk}_\mathbf {x}, \mathbf {x}, \mathsf {cpABE}.\mathsf {ct}, C )$ is a deterministic algorithm that takes as input the secret key $\mathsf {cpABE}.\mathsf{sk}_\mathbf {x}$, its associated attribute string $\mathbf {x}$, a ciphertext $\mathsf {cpABE}.\mathsf {ct}$, and its associated circuit C and outputs either a message $m'$ or $\bot $.

Definition 2.1

(Correctness). A ciphertext policy ABE scheme for circuits $\mathsf {cpABE}$ is correct if for all $\lambda \in \mathbb {N}$, polynomially bounded $\mathsf {inp}$ and $\mathsf {d}$, all circuits $C \in \mathcal{C}_{\mathsf {inp}(\lambda ), \mathsf {d}(\lambda )}$, all $\mathbf {x}\in \{0,1\}^\mathsf {inp}$ such that $C(\mathbf {x}) = 1$ and for all messages $m\in \mathcal {M}$,

where the probability is taken over the coins of $\mathsf {cpABE}.\mathsf {Setup}$, $\mathsf {cpABE}.\mathsf{KeyGen}$, and $\mathsf {cpABE}.\mathsf {Enc}$.

Definition 2.2

[Selective Security for $\mathsf {cpABE}$] The ABE scheme $\mathsf {cpABE}$ for a circuit family $\mathcal{C}= \{\mathcal{C}_{\mathsf {inp}(\lambda ),\mathsf {d}(\lambda )}\}_{\lambda \in \mathbb {N}}$ and a message space $\{\mathcal {M}_\lambda \}_{\lambda \in \mathbb {N}}$ is said to satisfy selective security if for any stateful PPT adversary $\mathsf {A}$, there exists a negligible function such that

for all sufficiently large $\lambda \in \mathbb {N}$, where for each $b\in \{0,1\}$ and $\lambda \in \mathbb {N}$, the experiment $\mathsf {Exp}^{(b)}_{\mathsf {cpABE},\mathsf {A}}$, modeled as a game between adversary $\mathsf {A}$ and a challenger, is defined as follows:

1.
Setup phase: On input $1^\lambda , \mathsf {A}$ submits $(1^\mathsf {inp}, 1^\mathsf {d})$ and the target circuit set ${\mathsf {ChalC}}\subset \mathcal{C}_{\mathsf {inp}(\lambda ),\mathsf {d}(\lambda )}$ (of possibly varying sizes), to the challenger. The challenger samples $(\mathsf {cpABE}.\mathsf {mpk}, \mathsf {cpABE}.\mathsf {msk}) \leftarrow \mathsf {cpABE}.\mathsf {Setup}(1^{\lambda },1^\mathsf {inp}, 1^\mathsf {d})$ and replies to $\mathsf {A}$ with $\mathsf {cpABE}.\mathsf {mpk}$.
2.
Query phase: During the game, $\mathsf {A}$ adaptively makes the following queries, in an arbitrary order and unbounded many times.
1. (a)
  Key Queries: $\mathsf {A}$ chooses an attribute string $\mathbf {x}\in \{0,1\}^\mathsf {inp}$ that satisfies $C(\mathbf {x}) =0$ for all $C \in {\mathsf {ChalC}}$. For each such query, the challenger replies with $\mathsf {cpABE}.\mathsf{sk}_\mathbf {x}\leftarrow \mathsf {cpABE}.\mathsf{KeyGen}(\mathsf {cpABE}.\mathsf {mpk},\mathsf {cpABE}.\mathsf {msk}, \mathbf {x})$.
2. (b)
  Challenge Queries: $\mathsf {A}$ submits a circuit $C \in {\mathsf {ChalC}}$ and a pair of equal length messages $(m_0, m_1)\in (\mathcal {M})^2$ to the challenger. The challenger replies to A with $\mathsf {cpABE}.\mathsf {ct}\leftarrow \mathsf {cpABE}.\mathsf {Enc}(\mathsf {cpABE}.\mathsf {mpk}, C, m_b)$.
3.
Output phase: A outputs a guess bit $b'$ as the output of the experiment.

Remark 2.3

The above definition allows an adversary to make challenge queries multiple times. A more standard (equivalent) notion of the security for an ABE restricts the adversary to make only single challenge query. As in [AMY19], we adopt the above definition since it is convenient for our purpose.

Symmetric Key Setting. In the symmetric key setting, the encryption algorithm additionally takes the master secret key as input and the adversary is permitted to make encryption queries in the security game. As for the security definition, we modify the above game so that the adversary is allowed to make the following type of queries in the query phase:

(c) Encryption Queries: $\mathsf {A}$ submits a circuit $C \in \mathcal{C}_{\mathsf {inp}(\lambda ),\mathsf {d}(\lambda )}$ and a pair of equal length messages $m \in \mathcal {M}$ to the challenger. The challenger replies to A with $\mathsf {cpABE}.\mathsf {ct}\leftarrow \mathsf {cpABE}.\mathsf {Enc}(\mathsf {cpABE}.\mathsf {msk}, C, m)$.

Unlike challenge queries, there is no restriction on C and the returned ciphertext may be decryptable by the adversary. Note that we did not have to consider above type of queries in the public key setting since the adversary can encrypt any message by itself. We also note that in the symmetric key setting, single-challenge ciphertext security and multi-challenge ciphertext security are not equivalent. We adopt the latter definition as the default security notion since it is stronger and more natural.

Definition 2.4

(Efficiency). For $\lambda \in \mathbb {N}$, let $\mathcal{C}_{\mathsf {inp},\mathsf {d}}$ denote a family of circuits with $\mathsf {inp}$ bit inputs, bounded depth $\mathsf {d}$ and binary output. Let $\mathcal{C}= \{\mathcal{C}_{\mathsf {inp}(\lambda ), \mathsf {d}(\lambda ) }\}_{\lambda \in \mathbb {N}}$. We say a ciphertext policy attribute based encryption scheme $\mathsf {cpABE}$ for circuit class $\mathcal{C}$ is efficient if:

1.
Setup. The runtime of the setup algorithm, and the size of the public key depends only on the input length $\mathsf {inp}$ and depth bound $\mathsf {d}$ of the supported circuits.
2.
Key Generation. For an attribute $\mathbf {x}$, the runtime of the key generation and size of $\mathsf {SK}$ depends on the attribute size $|\mathbf {x}|$ and (possibly) on circuit depth $\mathsf {d}$.
3.
Encryption and Decryption. The runtime of the encrypt and decrypt algorithms, as well as the size of ciphertext depend on the size of the given input circuit |C|.

Our scheme presented in Sect. 3 supports unbounded circuits with the above efficiency properties.

Relaxation for Bounded Circuits. We also define a relaxed variant of efficiency for circuits of bounded size. In more detail, for $\lambda \in \mathbb {N}$, let $\mathcal{C}_{\mathsf {inp},\mathsf {d},\mathsf s}$ denote a family of circuits with $\mathsf {inp}$ bit inputs, bounded depth $\mathsf {d}$, bounded size $\mathsf s$ and binary output. Let $\mathcal{C}= \{\mathcal{C}_{\mathsf {inp}(\lambda ), \mathsf {d}(\lambda ), \mathsf s}\}_{\lambda \in \mathbb {N}}$. Then $\mathsf {cpABE}$ for circuit class $\mathcal{C}$ allows the setup algorithm to take circuit size bound $1^\mathsf{s}$ as input and its runtime depends on this. However, the runtime of the key generation and size of $\mathsf {SK}$ depends on the attribute size $|\mathbf {x}|$ and (possibly) on circuit depth $\mathsf {d}$ but not circuit size bound $\mathsf s$. Similarly, the runtime of the encrypt and decrypt algorithms, as well as the size of ciphertext depend on the size of the given input circuit |C|, and not on worst case size bound $\mathsf s$. Our scheme presented in Sect. 4 supports bounded circuits with the aforementioned relaxation in the efficiency properties.

Key Policy Attribute Based Encryption for Circuits. The definition of key policy attribute based encryption ($\mathsf {kpABE}$) is exactly as above, with the role of the circuit C and the attribute $\mathbf {x}$ switched. For completeness, we provide this definition below.

For $\lambda \in \mathbb {N}$, let $\mathcal{C}_{\mathsf {inp},\mathsf {d}}$ denote a family of circuits with $\mathsf {inp}$ bit inputs, an a-priori bounded depth $\mathsf {d}$, and binary output and $\mathcal{C}= \{\mathcal{C}_{\mathsf {inp}(\lambda ), \mathsf {d}(\lambda )}\}_{\lambda \in \mathbb {N}}$. An attribute-based encryption (ABE) scheme $\mathsf {kpABE}$ for $\mathcal{C}$ over a message space $\mathcal {M}= \{\mathcal {M}_\lambda \}_{\lambda \in \mathbb {N}}$ consists of four algorithms:

$\mathsf {kpABE}.\mathsf {Setup}(1^\lambda ,1^\mathsf {inp}, 1^\mathsf {d})$ is a PPT algorithm takes as input the unary representation of the security parameter, the length $\mathsf {inp}= \mathsf {inp}(\lambda )$ of the input and the depth $\mathsf {d}= \mathsf {d}(\lambda )$ of the circuit family $\mathcal{C}_{\mathsf {inp}(\lambda ), \mathsf {d}(\lambda )}$ to be supported. It outputs the master public key and the master secret key $(\mathsf {kpABE}.\mathsf {mpk}, \mathsf {kpABE}.\mathsf {msk})$.
${\mathsf {kpABE}.\mathsf {Enc}(\mathsf {kpABE}.\mathsf {mpk}}, \mathbf {x}, m)$ is a PPT algorithm that takes as input the master public key $\mathsf {kpABE}.\mathsf {mpk}$, a string $\mathbf {x}\in \{0,1\}^\mathsf {inp}$ and a message $m\in \mathcal {M}$. It outputs a ciphertext $\mathsf {kpABE}.\mathsf {ct}$.
$\mathsf {kpABE}.\mathsf{KeyGen}(\mathsf {kpABE}.\mathsf {mpk}, \mathsf {kpABE}.{\mathsf {msk}}, C)$ is a PPT algorithm that takes as input the master secret key $\mathsf {kpABE}.\mathsf {msk}$ and a circuit $C\in \mathcal{C}_{\mathsf {inp}(\lambda ), \mathsf {d}(\lambda )}$ and outputs a corresponding secret key $\mathsf {kpABE}.\mathsf{sk}_C$.
$\mathsf {kpABE}.\mathsf {Dec}(\mathsf {kpABE}.\mathsf {mpk}, \mathsf {kpABE}.\mathsf{sk}_C, C, \mathsf {kpABE}.\mathsf {ct}, \mathbf {x})$ is a deterministic algorithm that takes as input the secret key $\mathsf {kpABE}.\mathsf{sk}_C$, its associated circuit C, a ciphertext $\mathsf {kpABE}.\mathsf {ct}$, and its associated string $\mathbf {x}$ and outputs either a message $m'$ or $\bot $.

Definition 2.5

(Correctness). An ABE scheme for circuits $\mathsf {kpABE}$ is correct if for all $\lambda \in \mathbb {N}$, polynomially bounded $\mathsf {inp}$ and $\mathsf {d}$, all circuits $C \in \mathcal{C}_{\mathsf {inp}(\lambda ), \mathsf {d}(\lambda )}$, all $\mathbf {x}\in \{0,1\}^\mathsf {inp}$ such that $C(\mathbf {x}) = 1$ and for all messages $m\in \mathcal {M}$,

where the probability is taken over the coins of $\mathsf {kpABE}.\mathsf {Setup}$, $\mathsf {kpABE}.\mathsf{KeyGen}$, and $\mathsf {kpABE}.\mathsf {Enc}$.

Definition 2.6

(Selective Security for $\mathsf {kpABE}$). The ABE scheme $\mathsf {kpABE}$ for a circuit family $\mathcal{C}= \{\mathcal{C}_{\mathsf {inp}(\lambda ),\mathsf {d}(\lambda )}\}_{\lambda \in \mathbb {N}}$ and a message space $\{\mathcal {M}_\lambda \}_{\lambda \in \mathbb {N}}$ is said to satisfy selective security if for any stateful PPT adversary $\mathsf {A}$, there exists a negligible function such that

for all sufficiently large $\lambda \in \mathbb {N}$, where for each $b\in \{0,1\}$ and $\lambda \in \mathbb {N}$, the experiment $\mathsf {Exp}^{(b)}_{\mathsf {kpABE},\mathsf {A}}$, modeled as a game between adversary $\mathsf {A}$ and a challenger, is defined as follows:

1.
Setup phase: On input $1^\lambda , \mathsf {A}$ submits $(1^\mathsf {inp}, 1^\mathsf {d})$ and the target $X \subset \{0,1\}^\mathsf {inp}$, which is a set of binary strings of length $\mathsf {inp}$, to the challenger. The challenger samples $(\mathsf {kpABE}.\mathsf {mpk}, \mathsf {kpABE}.\mathsf {msk}) \leftarrow \mathsf {kpABE}.\mathsf {Setup}(1^{\lambda },1^\mathsf {inp}, 1^\mathsf {d})$ and replies to $\mathsf {A}$ with $\mathsf {kpABE}.\mathsf {mpk}$.
2.
Query phase: During the game, $\mathsf {A}$ adaptively makes the following queries, in an arbitrary order and unbounded many times.
1. (a)
  Key Queries: $\mathsf {A}$ chooses a circuit $C \in \mathcal{C}_{\mathsf {inp},\mathsf {d}}$ that satisfies $C(\mathbf {x}) =0$ for all $\mathbf {x}\in X$. For each such query, the challenger replies with $\mathsf {kpABE}.\mathsf{sk}_C \leftarrow \mathsf {kpABE}.\mathsf{KeyGen}(\mathsf {kpABE}.\mathsf {mpk},\mathsf {kpABE}.\mathsf {msk}, C)$.
2. (b)
  Challenge Queries: $\mathsf {A}$ submits a string $\mathbf {x}\in X$ and a pair of equal length messages $(m_0, m_1)\in (\mathcal {M})^2$ to the challenger. The challenger replies to A with $\mathsf {kpABE}.\mathsf {ct}\leftarrow \mathsf {kpABE}.\mathsf {Enc}(\mathsf {kpABE}.\mathsf {mpk}, \mathbf {x}, m_b)$.
3.
Output phase: A outputs a guess bit $b'$ as the output of the experiment.

Remark 2.7

The above definition allows an adversary to make challenge queries multiple times. More standard notion of the security for an ABE restricts the adversary to make only a single challenge query. It is well-known that they are actually equivalent, which is shown by a simple hybrid argument. We adopt the above definition since it is convenient for our purpose.

Boneh et al. [BGG+14] provided a construction of $\mathsf {kpABE}$ which we will use in our construction of $\mathsf {cpABE}$. The following theorem, provided in [AMY19] summarizes the efficiency properties of their construction.

Theorem 2.8

(Adapted from [BGG+14]). There exists a selectively secure ABE scheme $\mathsf {kpABE}= (\mathsf {kpABE}.\mathsf {Setup},\mathsf {kpABE}.\mathsf{KeyGen}, \mathsf {kpABE}.\mathsf {Enc}, \mathsf {kpABE}.\mathsf {Dec})$ with the following properties under the LWE assumption.

1.
The circuit $\mathsf {kpABE}.\mathsf {Setup}(\cdot ,\cdot ,\cdot ;\cdot )$, which takes as input $1^\lambda , 1^\mathsf {inp}, 1^\mathsf {d}$, and a randomness r and outputs $\mathsf {kpABE}.\mathsf {msk}= \mathsf {kpABE}.\mathsf {Setup}(1^\lambda , 1^\mathsf {inp}, 1^\mathsf {d}; r )$, can be implemented with depth . In particular, the depth of the circuit is independent of $\mathsf {inp}$ and the length of the randomness r.
2.
We have for any ${C\in \mathcal{C}_{\mathsf {inp},\mathsf {d}}}$, where $(\mathsf {kpABE}.\mathsf {mpk},\mathsf {kpABE}.\mathsf {msk}) \leftarrow \mathsf {kpABE}.\mathsf {Setup}(1^\lambda ,1^\mathsf {inp}, 1^\mathsf {d})$ and $\mathsf {kpABE}.\mathsf{sk}_C \leftarrow \mathsf {kpABE}.\mathsf{KeyGen}(\mathsf {kpABE}.\mathsf {mpk},\mathsf {kpABE}.\mathsf {msk}, C)$. In particular, the length of the secret key is independent of the input length $\mathsf {inp}$ and the size of the circuit C.
3.
Let $C: \{0,1\}^{\mathsf {inp}+ \ell } \rightarrow \{0,1\}$ be a circuit such that we have $C[v] \in \mathcal{C}_{\mathsf {inp},d}$ for any $v \in \{0,1\}^{\ell }$. Then, the circuit $\mathsf {kpABE}.\mathsf{KeyGen}(\cdot , \cdot , C[\cdot ]; \cdot )$, that takes as input $\mathsf {kpABE}.\mathsf {mpk}$, $\mathsf {kpABE}.\mathsf {msk}$, v, and randomness $\widehat{\mathsf {R}}$ and outputs $\mathsf {kpABE}.\mathsf{KeyGen}(\mathsf {kpABE}.\mathsf {mpk}, \mathsf {kpABE}.\mathsf {msk}, C[v]; \widehat{\mathsf {R}})$, can be implemented with depth .

2.2 Key Policy Functional Encryption for Circuits

For $\lambda \in \mathbb {N}$, let $\mathcal{C}_{\mathsf {inp},\mathsf {d},\mathsf{out}}$ denote a family of circuits with $\mathsf {inp}$ bit inputs, depth $\mathsf {d}$, and output length $\mathsf{out}$ and $\mathcal{C}= \{\mathcal{C}_{\mathsf {inp}(\lambda ), \mathsf {d}(\lambda ),\mathsf{out}(\lambda ) } \}_{\lambda \in \mathbb {N}}$. A functional encryption (FE) scheme $\mathsf {FE}=(\mathsf {FE}.\mathsf {Setup}, \mathsf {FE}.\mathsf{KeyGen}, \mathsf {FE}.\mathsf {Enc}, \mathsf {FE}.\mathsf {Dec})$ for $\mathcal{C}$ consists of four algorithms:

$\mathsf {FE}.\mathsf {Setup}(1^\lambda , 1^\mathsf {inp}, 1^\mathsf {d}, 1^\mathsf{out})$ is a PPT algorithm takes as input the unary representation of the security parameter, the length $\mathsf {inp}= \mathsf {inp}(\lambda )$ of the input, depth $\mathsf {d}=\mathsf {d}(\lambda )$, and the length of the output $\mathsf{out}= \mathsf{out}(\lambda )$ of the circuit family $\mathcal{C}_{\mathsf {inp}(\lambda ), \mathsf {d}(\lambda ), \mathsf{out}(\lambda )}$ to be supported. It outputs the master public key $\mathsf {FE}.\mathsf {mpk}$ and the master secret key $ \mathsf {FE}.\mathsf {msk}$.
$\mathsf {FE}.\mathsf{KeyGen}(\mathsf {FE}.\mathsf {mpk}, \mathsf {FE}.\mathsf {msk}, C)$ is a PPT algorithm that takes as input the master public key $\mathsf {FE}.\mathsf {mpk}$, master secret key $\mathsf {FE}.\mathsf {msk}$, and a circuit $C \in \mathcal{C}_{\mathsf {inp}(\lambda ), \mathsf {d}(\lambda ), \mathsf{out}(\lambda )}$ and outputs a corresponding secret key $\mathsf {FE}.\mathsf{sk}_C$. We assume that $\mathsf {FE}.\mathsf{sk}_C$ contains C and $\mathsf {FE}.\mathsf {mpk}$.
$\mathsf {FE}.\mathsf {Enc}(\mathsf {FE}.\mathsf {mpk}, \mathbf {x})$ is a PPT algorithm that takes as input the master public key $\mathsf {FE}.\mathsf {mpk}$ and an input message $\mathbf {x}\in \{0,1\}^{\mathsf {inp}(\lambda )}$ and outputs a ciphertext $\mathsf {FE}.\mathsf {ct}$.
$\mathsf {FE}.\mathsf {Dec}(\mathsf {FE}.\mathsf {mpk}, \mathsf {FE}.\mathsf{sk}_C, \mathsf {FE}.\mathsf {ct})$ is a deterministic algorithm that takes as input the master public key $\mathsf {FE}.\mathsf {mpk}$, a secret key $\mathsf {FE}.\mathsf{sk}_C$ and a ciphertext $\mathsf {FE}.\mathsf {ct}$ and outputs $C(\mathbf {x})$.

Definition 2.9

(Correctness). A functional encryption scheme $\mathsf {FE}$ is correct if for all $C \in \mathcal{C}_{\mathsf {inp}(\lambda ), \mathsf {d}(\lambda ), \mathsf{out}(\lambda )}$ and all $\mathbf {x}\in \{0,1\}^{\mathsf {inp}(\lambda )}$,

where the probability is taken over the coins of $\mathsf {FE}.\mathsf {Setup}$, $\mathsf {FE}.\mathsf{KeyGen}$, $\mathsf {FE}.\mathsf {Enc}$ and, $\mathsf {FE}.\mathsf {Dec})$.

We then define full simulation based security for single key FE as in [GKP+13, Defn 2.13].

Definition 2.10

($\mathsf {FULL}\text{- }\mathsf {SIM}$ Security). Let $\mathsf {FE}$ be a functional encryption scheme for a circuits. For a stateful PPT adversary $\mathsf {A}$ and a stateless PPT simulator $\mathrm {Sim}$, consider the following two experiments:

Here, $\mathsf {O}( \cdot )$ is an oracle that on input $\mathbf {x}$ from $\mathsf {A}$, runs $\mathrm {Sim}$ with inputs $(\mathsf {FE}.\mathsf {mpk}, \mathsf{sk}_C, C, C(\mathbf {x}), 1^{\mathsf {inp}})$ to obtain a ciphertext $\mathsf {FE}.\mathsf {ct}$ and returns it to the adversary $\mathsf {A}$.

The functional encryption scheme $\mathsf {FE}$ is then said to be single query $\mathsf {FULL}\text{- }\mathsf {SIM}$ secure if there exists a PPT simulator $\mathrm {Sim}$ such that for every PPT adversary $\mathsf {A}$, the following two distributions are computationally indistinguishable:

$$ \bigg \{ \mathsf {Exp}^{\mathsf {real}}_{\mathsf {FE}, \mathsf {A}}(1^\lambda ) \bigg \}_{\lambda \in {\mathbb {N}}} {\ {\mathop {\approx }\limits ^{c}}\ }\bigg \{ \mathsf {Exp}^{\mathsf {ideal}}_{\mathsf {FE}, \mathrm {Sim}}(1^\lambda ) \bigg \}_{\lambda \in {\mathbb {N}}} $$

Remark 2.11

Our definition of $\mathsf {FULL}\text{- }\mathsf {SIM}$ security game for FE differs from [GKP+13] in that we allow the adversary to access challenge oracle (either $\mathsf {O}(\cdot )$ or $\mathsf {FE}.\mathsf {Enc}(\mathsf {FE}.\mathsf {mpk}, \cdot )$) as many times as it wants whereas they only allow one-time access. However, it can be seen that these definitions are equivalent by a simple hybrid argument because the simulation of $\mathsf {FE}.\mathsf {Enc}(\cdot )$ and $\mathsf {O}(\cdot )$ does not require any secret information.

Gorbunov et al. [GKP+13] provided a construction of single key functional encryption from the learning with errors assumption. The following theorem summarizes the efficiency properties of their construction.

Theorem 2.12

([GKP+13]). There exists an FE scheme $\mathsf {FE}= (\mathsf {FE}.\mathsf {Setup}, \mathsf {FE}.\mathsf{KeyGen}, \mathsf {FE}.\mathsf {Enc}, \mathsf {FE}.\mathsf {Dec})$ with the following properties.

1.
For any polynomially bounded $\mathsf {inp}(\lambda ), \mathsf {d}(\lambda ), \mathsf{out}(\lambda )$, all the algorithms in $\mathsf {FE}$ run in polynomial time. Namely, the running time of $\mathsf {FE}.\mathsf {Setup}$ and $\mathsf {FE}.\mathsf {Enc}$ do not depend on the size of circuit description to be supported by the scheme.
2.
Assuming the subexponential hardness of the LWE problem, the scheme satisfies full-simulation-based security.

We note that the first property above is called succinctness or semi-compactness of FE. A stronger version of the efficiency property called compactness requires the running time of the encryption algorithm to be dependent only on the length of input message $\mathbf {x}$. An FE with compactness is known to imply indistinguishability obfuscation [AJ15, BV15].

IND Based Security for Unbounded Keys. A functional encryption scheme $\mathsf {FE}$ for a function family $\mathcal{C}$ is secure in the adaptive indistinguishability game, denoted as $\mathsf{ind}$ secure, if for all probabilistic polynomial-time adversaries $\mathsf {Adv}$, the advantage of $\mathsf {Adv}$ in the following experiment is negligible in the security parameter $\lambda $:

1.
Public Key. Challenger ${\mathsf {Ch}}$ returns $\mathsf {FE}.\mathsf {mpk}$ to $\mathsf {Adv}$.
2.
Pre-Challenge Key Queries. $\mathsf {Adv}$ may adaptively request keys for any circuits $C_1,\ldots ,C_{\ell } \in \mathcal{C}$. In response, $\mathsf {Adv}$ is given the corresponding keys $\mathsf {FE}.\mathsf{sk}_{C_i}$.
3.
Challenge. $\mathsf {Adv}$ outputs the challenges $(\mathbf {x}_0, \mathbf {x}_1)$ to the challenger, subject to the restriction that $C_i(\mathbf {x}_0)=C_i(\mathbf {x}_1)$ for all $i \in [\ell ]$. The challenger chooses a random bit b, and returns the ciphertext $\mathsf {CT}_{\mathbf {x}_b}$.
4.
Post-Challenge Key Queries. The adversary may continue to request keys for additional functions $C_i$, subject to the restriction that $C_i(\mathbf {x}_0)=C_i(\mathbf {x}_1)$ for all i. In response, $\mathsf {Adv}$ is given the corresponding keys $\mathsf {FE}.\mathsf{sk}_{C_i}$.
5.
Guess. $\mathsf {Adv}$ outputs a bit $b'$, and succeeds if $b' = b$.

The advantage of $\mathsf {Adv}$ is the absolute value of the difference between its success probability and 1/2. In the selective game, the adversary must announce the challenge in the first step, before receiving the public key. Note that without loss of generality, in the selective game, the challenge ciphertext can be returned along with the public key. In the semi-adaptive game, the adversary must announce the challenge after seeing the public key but before making any key requests.

Symmetric Key Variant. The symmetric key variant of the above definition follows naturally by removing the public key $\mathsf {FE}.\mathsf {mpk}$ from all the algorithms, and providing the encryptor the master secret key $\mathsf {FE}.\mathsf {msk}$. In the security definition, the adversary may request encryption queries in addition to the key queries.

2.3 Predicate Encryption for Circuits

A (Key-Policy) Predicate Encryption scheme ${\mathsf {PE}}$ for an attribute universe $\mathcal{X}$, a predicate universe $\mathcal{C}$, and a message space $\mathcal{M}$, consists of four algorithms

$({\mathsf {PE}}.\mathsf {Setup}, {\mathsf {PE}}.\mathsf {Enc}, {\mathsf {PE}}.\mathsf{KeyGen}, {\mathsf {PE}}.\mathsf {Dec})$:

${{\mathsf {PE}}.\mathsf {Setup}(1^\lambda , \mathcal{X}, \mathcal{C},\mathcal{M}) \rightarrow ({\mathsf {PE}}.\mathsf {mpk}, {\mathsf {PE}}.\mathsf {msk})}$. The setup algorithm gets as input the security parameter $\lambda $ and a description of $(\mathcal{X}, \mathcal{C}, \mathcal{M})$ and outputs the public parameter ${\mathsf {PE}}.\mathsf {mpk}$, and the master key ${\mathsf {PE}}.\mathsf {msk}$.
${\mathsf {PE}}.\mathsf {Enc}({\mathsf {PE}}.\mathsf {mpk}, \mathbf {x}, \mu ) \rightarrow \mathsf {CT}$. The encryption algorithm gets as input ${\mathsf {PE}}.\mathsf {mpk}$, an attribute $\mathbf {x}\in \mathcal{X}$ and a message $\mu \in \mathcal{M}$. It outputs a ciphertext $\mathsf {CT}$.
${\mathsf {PE}}.\mathsf{KeyGen}({\mathsf {PE}}.\mathsf {msk}, C) \rightarrow \mathsf {SK}_C$. The key generation algorithm gets as input ${\mathsf {PE}}.\mathsf {msk}$ and a predicate $C \in \mathcal{C}$. It outputs a secret key $\mathsf {SK}_C$.
${\mathsf {PE}}.\mathsf {Dec}((\mathsf {SK}_C , C),\mathsf {CT}) \rightarrow \mu \vee \bot $. The decryption algorithm gets as input the secret key $\mathsf {SK}_C$, a predicate C, and a ciphertext $\mathsf {CT}$. It outputs a message $\mu \in \mathcal{M}$ or $\bot $.

Correctness. We require that for all $({\mathsf {PE}}.\mathsf {mpk}, {\mathsf {PE}}.\mathsf {msk}) \leftarrow {\mathsf {PE}}.\mathsf {Setup}(1^\lambda , \mathcal{X}, \mathcal{C}, \mathcal{M}) $, for all $(\mathbf {x}, C) \in \mathcal{X}\times \mathcal{C}$ and for all $\mu \in \mathcal{M}$,

For 1-queries, namely $C(\mathbf {x}) =1$,
For 0-queries, namely $C(\mathbf {x}) =0$,

Semi-Adaptive Simulation Security. Below, we define the $\mathsf {SA}\text{- }\mathsf {SIM}$ security experiment for predicate encryption (PE) similarly to Gorbunov et al. [GVW15].

Definition 2.13

($\mathsf {SA}\text{- }\mathsf {SIM}$ Security). Let $\mathsf {PE}$ be a predicate encryption scheme for a circuit family $\mathcal {C}$. For every stateful p.p.t. adversary $\mathsf {Adv}$ and a stateful p.p.t. simulator $\mathrm {Sim}$, consider the following two experiments:

We say an adversary $\mathsf {Adv}$ is admissible if for all queries C that it makes, it holds that $C(\mathbf {x}) = 0$.

The predicate encryption scheme $\mathsf {PE}$ is said to be $\mathsf {SA}\text{- }\mathsf {SIM}$-attribute hiding if there exists a p.p.t. simulator $\mathrm {Sim}$ such that for every admissible p.p.t. adversary $\mathsf {Adv}$, the following two distributions are computationally indistinguishable:

$$ \bigg \{ \mathsf {Exp}^{\mathsf {real}}_{\mathsf {PE}, \mathsf {Adv}}(1^\lambda ) \bigg \}_{\lambda \in {\mathbb {N}}} {\ {\mathop {\approx }\limits ^{c}}\ }\bigg \{ \mathsf {Exp}^{\mathsf {ideal}}_{\mathsf {PE}, \mathrm {Sim}}(1^\lambda ) \bigg \}_{\lambda \in {\mathbb {N}}} $$

Symmetric Key Variant. The symmetric key variant of the above definition follows naturally by removing the public key ${\mathsf {PE}}.\mathsf {mpk}$ from all the algorithms, and providing the encryptor the master secret key ${\mathsf {PE}}.\mathsf {msk}$. In the security definition, the adversary is given access to the encryption oracle in addition to the key generation oracle.

Ciphertext Policy Variant. The ciphertext policy variant of the above definition reverses the role of the ciphertext and key. In more detail, the ciphertext encodes the circuit C along with message $\mu $, and the secret key contains the attribute $\mathbf {x}$. We require that the running time of the key generation algorithm does not depend on the size of the circuit |C| (but may depend on its depth).

2.4 Function Hiding Symmetric Key Predicate Encryption

A Function Hiding Symmetric Key Predicate Encryption scheme ${\mathsf {FHPE}}$ for an attribute universe $\mathcal{X}$, a predicate universe $\mathcal{C}$, and a message space $\mathcal{M}$, consists of four algorithms $({\mathsf {FHPE}}.\mathsf {Setup}, {\mathsf {FHPE}}.\mathsf {Enc}, {\mathsf {FHPE}}.\mathsf{KeyGen}, {\mathsf {FHPE}}.\mathsf {Dec})$:

${\mathsf {FHPE}}.\mathsf {Setup}(1^\lambda , \mathcal{X}, \mathcal{C},\mathcal{M}) \rightarrow {\mathsf {FHPE}}.\mathsf {msk}$. The setup algorithm gets as input the security parameter $\lambda $ and a description of $(\mathcal{X}, \mathcal{C}, \mathcal{M})$ and outputs the master key ${\mathsf {FHPE}}.\mathsf {msk}$.
${\mathsf {FHPE}}.\mathsf {Enc}({\mathsf {FHPE}}.\mathsf {msk}, \mathbf {x}, \mu ) \rightarrow \mathsf {CT}$. The encryption algorithm gets as input ${\mathsf {FHPE}}.\mathsf {msk}$, an attribute $\mathbf {x}\in \mathcal{X}$ and a message $\mu \in \mathcal{M}$. It outputs a ciphertext $\mathsf {CT}$.
${\mathsf {FHPE}}.\mathsf{KeyGen}({\mathsf {FHPE}}.\mathsf {msk}, C) \rightarrow \mathsf {SK}_C$. The key generation algorithm gets as input ${\mathsf {FHPE}}.\mathsf {msk}$ and a predicate $C \in \mathcal{C}$. It outputs a secret key $\mathsf {SK}_C$.
${\mathsf {FHPE}}.\mathsf {Dec}(\mathsf {SK}_C,\mathsf {CT}) \rightarrow \mu \vee \bot $. The decryption algorithm gets as input the secret key $\mathsf {SK}_C$ and a ciphertext $\mathsf {CT}$. It outputs a message $\mu \in \mathcal{M}$ or $\bot $.

Correctness. We require that for all $({\mathsf {FHPE}}.\mathsf {msk}) \leftarrow {\mathsf {FHPE}}.\mathsf {Setup}(1^\lambda , \mathcal{X}, \mathcal{C}, \mathcal{M}) $, for all $(\mathbf {x}, C) \in \mathcal{X}\times \mathcal{C}$ and for all $\mu \in \mathcal{M}$,

For 1-queries, namely $C(\mathbf {x}) =1$,
For 0-queries, namely $C(\mathbf {x}) =0$,

Function Hiding IND Security. The standard function hiding indistinguishability game for secret key predicate encryption may be defined as follows.

Definition 2.14

(Function hiding IND Security). A symmetric key predicate encryption scheme $\mathsf {PE}$ is function-hiding, if every admissible PPT adversary $\mathsf {Adv}$ has negligible advantage in the following game:

1.
Key Generation. The challenger ${\mathsf {Ch}}$ samples $\mathsf {msk}\leftarrow {\mathsf {FHPE}}.\mathsf {Setup}(1^\lambda )$.
2.
The challenger ${\mathsf {Ch}}$ chooses a random bit b and repeats the following with $\mathsf {Adv}$ for an arbitrary number of times determined by $\mathsf {Adv}$:
- Function Queries. Upon $\mathsf {Adv}$ choosing a pair of functions $(C_0, C_1)$, ${\mathsf {Ch}}$ sends $\mathsf {Adv}$ a function key $\mathsf {SK}\leftarrow {\mathsf {FHPE}}.\mathsf{KeyGen}(\mathsf {msk}, C_b)$.
- Message Queries. Upon $\mathsf {Adv}$ choosing a pair of attribute vectors $(\mathbf {x}_0, \mathbf {x}_1)$ and a message $\mu $, ${\mathsf {Ch}}$ sends $\mathsf {Adv}$ a ciphertext $ \mathsf {CT}\leftarrow {\mathsf {FHPE}}.\mathsf {Enc}(\mathsf {msk}, \mathbf {x}_b, \mu )$.
3.
The adversary outputs a guess $b'$ for the bit b and wins if $b=b'$.

We say an adversary is admissible if for all function and message queries, it holds that $C_0(\mathbf {x}_0) = C_1(\mathbf {x}_1) = 0$.

On Ciphertext Queries. A natural game would also allow the adversary to request ciphertexts for attribute vectors $\mathbf {x}_0, \mathbf {x}_1$ and message $\mu _0 = \mu _1 = \mu $ such that $C_0(\mathbf {x}_0) = C_1(\mathbf {x}_1) = 1$, enabling the adversary to recover $\mu $. However, as we show in Sect. 5.3, such a game renders the primitive strong enough to imply symmetric key functional encryption, which in turn is sufficient to imply $\mathsf {iO}$ [BNPW16].

Function Hiding SIM Security. Below, we define attribute and function hiding $\mathsf {SA}\text{- }\mathsf {SIM}$ security for predicate encryption (FHPE).

Definition 2.15

(Function Hiding $\mathsf {SA}\text{- }\mathsf {SIM}$ Security). Let $\mathsf {FHPE}$ be a function hiding, symmetric key predicate encryption scheme for a circuit family $\mathcal {C}$. For every stateful p.p.t. adversary $\mathsf {Adv}$ and a stateful p.p.t. simulator $\mathrm {Sim}$, consider the following two experiments:

Above, $\mathcal {O}$ is an oracle that upon receiving attribute and circuit queries from the adversary, returns ciphertexts and keys by running ${\mathsf {FHPE}}.\mathsf {Enc}$ and ${\mathsf {FHPE}}.\mathsf{KeyGen}$ respectively.

We say an adversary $\mathsf {Adv}$ is admissible if for all circuit queries $C_i$ and challenge circuits $C^*_i$, and for all attribute queries $\mathbf {x}_j$ and challenge attributes $\mathbf {x}^*_j$, it holds that $C_i(\mathbf {x}_j)= C^*_i(\mathbf {x}_j) = C_i(\mathbf {x}^*_j) = C^*_i(\mathbf {x}^*_j) = 0$.

The symmetric key predicate encryption scheme $\mathsf {PE}$ is said to be $\mathsf {SA}\text{- }\mathsf {SIM}$ secure with attribute and function hiding if there exists a p.p.t. simulator $\mathrm {Sim}$ such that for every admissible p.p.t. adversary $\mathsf {Adv}$, the following two distributions are computationally indistinguishable:

$$ \bigg \{ \mathsf {Exp}^{\mathsf {real}}_{\mathsf {PE}, \mathsf {Adv}}(1^\lambda ) \bigg \}_{\lambda \in {\mathbb {N}}} {\ {\mathop {\approx }\limits ^{c}}\ }\bigg \{ \mathsf {Exp}^{\mathsf {ideal}}_{\mathsf {PE}, \mathrm {Sim}}(1^\lambda ) \bigg \}_{\lambda \in {\mathbb {N}}} $$

Adaptive Variant of Security. We can consider stronger variant of the above security definition where the adversary interleaves the challenge queries $\mathbf {x}_i^*$ and $C^*_i$ in an arbitrary order instead of submitting them at the beginning of the game. We call this security notion adaptive simulation function hiding security.

On Ciphertext Queries. We note that the above definition restricts the adversary in its encryption queries. A more natural game would allow an adversary to request a key for a circuit C and encryption for pair $(\mathbf {x},\mu )$ such that $C(\mathbf {x})=1$. This enables the adversary to recover $\mu $ but intuitively does not violate security since $\mu $ was picked by the adversary. However, as discussed in the case of IND based function hiding, such a game renders the primitive strong enough to imply symmetric key functional encryption, which in turn is sufficient to imply $\mathsf {iO}$ [BNPW16].

3 Secret Key CP-ABE for Unbounded Circuits

We construct a secret key ciphertext policy ABE scheme for a family of circuits $\mathcal{C}_{\mathsf {n},\mathsf {d}}$ with $\mathsf {n}$ bit inputs, an a-priori bounded depth $\mathsf {d}$, and binary output. Our scheme is denoted by $\mathsf {cpABE}= (\mathsf {cpABE}.\mathsf {Setup},\mathsf {cpABE}.\mathsf{KeyGen},\mathsf {cpABE}.\mathsf {Enc},\mathsf {cpABE}.\mathsf {Dec})$ and is constructed using the following ingredients:

1.
$\mathsf{PRF}= (\mathsf{PRF}.\mathsf {Setup},\mathsf{PRF}.\mathsf {Eval})$: a pseudorandom function, where a PRF key $\mathsf {K}\leftarrow \mathsf{PRF}.\mathsf {Setup}(1^\lambda )$ defines a function $\mathsf{PRF}.\mathsf {Eval}(\mathsf {K},\cdot ): \{0,1\}^\lambda \rightarrow \{0,1\}$. We denote the length of $\mathsf {K}$ by $| \mathsf {K}|$.
2.
$\mathsf {FE}= (\mathsf {FE}.\mathsf {Setup},\mathsf {FE}.\mathsf{KeyGen}, \mathsf {FE}.\mathsf {Enc},\mathsf {FE}.\mathsf {Dec})$: a functional encryption scheme for circuit with the efficiency property described in Item 1 of Theorem 2.12. We can instantiate $\mathsf {FE}$ with the scheme proposed by Goldwasser et al. [GKP+13].
3.
$\mathsf {kpABE}= (\mathsf {kpABE}.\mathsf {Setup}, \mathsf {kpABE}.\mathsf{KeyGen}, \mathsf {kpABE}.\mathsf {Enc}, \mathsf {kpABE}.\mathsf {Dec})$: An ABE scheme that satisfies the efficiency properties described in Theorem 2.8. We can instantiate $\mathsf {kpABE}$ with the scheme proposed by Boneh et al. [BGG+14].
4.
$U(\cdot , \cdot )$: a universal circuit [CH85] that takes as input a circuit C of fixed depth and size and an input $\mathbf {x}$ to the circuit and outputs $C(\mathbf {x})$. We will denote by $U_y(\cdot ,\cdot )$ the above circuit when the size of the first input C is y. We denote by $U_y[\mathbf {x}](\cdot ) = U(\cdot ,\mathbf {x})$ the above circuit with the second input $\mathbf {x}$ being hardwired. By the construction of universal circuit [CH85], we have $\mathsf {depth}( U ) \le O( \mathsf {depth}(C) )$.

Below we provide our construction for secret key CP-ABE for circuits. Below, we overload notation and denote the randomness used in a PPT algorithm by a key $\mathsf {K}$ of a pseudorandom function $\mathsf{PRF}$. Namely, for a PPT algorithm (or circuit) $\mathsf {A}$ that takes as input x and a randomness $r \in \{0,1\}^\ell $ and outputs y, $\mathsf {A}(x;\mathsf {K})$ denotes an algorithm that computes $r:= \mathsf{PRF}.\mathsf {Eval}(\mathsf {K},1)\Vert \mathsf{PRF}.\mathsf {Eval}(\mathsf {K},2) \Vert \cdots \Vert \mathsf{PRF}.\mathsf {Eval}(\mathsf {K},\ell ) $ and runs $\mathsf {A}(x;r)$.

$\mathsf {cpABE}.\mathsf {Setup}(1^\lambda , 1^\mathsf {n}, 1^\mathsf {d})$: On input the security parameter $1^\lambda $ and the input length $\mathsf {n}$ and depth $\mathsf {d}$ of the circuit family, do the following:
1. 1.
  For all $j\in [0,\lambda ]$, sample $\mathsf{PRF}$ keys $\widehat{\mathsf {K}}_j, \mathsf {R}_j \leftarrow \mathsf{PRF}.\mathsf {Setup}(1^\lambda )$.
2. 2.
  For all $j\in [0,\lambda ]$, sample $(\mathsf {FE}.{\mathsf {mpk}}_j,\mathsf {FE}.{\mathsf {msk}}_j) \leftarrow \mathsf {FE}.\mathsf {Setup}(1^\lambda ,1^{ \mathsf {inp}(\lambda ) }, 1^{\mathsf{out}(\lambda )}, 1^{\mathsf {d}(\lambda )} )$.
  
  Here, we generate $\lambda + 1$ instances of FE. Note that all instances support a circuit class with input length $\mathsf {inp}(\lambda )= \mathsf {n}+ 2 |\mathsf {K}|$, output length $\mathsf{out}(\lambda )$, and depth $\mathsf {d}(\lambda )$, where $\mathsf{out}(\lambda )$ and $\mathsf {d}(\lambda )$ are polynomials in the security parameter that will be specified later.
3. 3.
  Output $\mathsf {cpABE}.\mathsf {msk}= (\{\widehat{\mathsf {K}}_j, \mathsf {R}_j, \mathsf {FE}.{\mathsf {mpk}}_j, \mathsf {FE}.{\mathsf {msk}}_j \}_{j\in [0,\lambda ]} )$.
$\mathsf {cpABE}.\mathsf {Enc}(\mathsf {cpABE}.\mathsf {msk}, C, m)$: On input the master secret key $\mathsf {cpABE}.\mathsf {msk}$, a circuit $C \in \mathcal{C}_{\mathsf {n},\mathsf {d}}$, and a message $m \in \mathcal{M}$, do the following:
1. 1.
  Parse the master secret key as $\mathsf {cpABE}.\mathsf {msk}\,{\rightarrow }\, ( \{\widehat{\mathsf {K}}_j, \mathsf {R}_j, \mathsf {FE}.{\mathsf {mpk}}_j, \mathsf {FE}.{\mathsf {msk}}_j \}_{j\in [0,\lambda ]} )$.
2. 2.
  Pad the circuit length to the next power of two: Let $\ell =\vert C\vert $ and $i= \lceil \log \ell \rceil $. Set $\hat{C} = C \Vert \bot ^{2^i - \ell }$.
3. 3.
  Sample a fresh $\mathsf {kpABE}$ scheme to support inputs of size $|\hat{C}|$: Compute a $\mathsf {kpABE}$ key pair
  $${(\mathsf {kpABE}.\mathsf {mpk}_i,\mathsf {kpABE}.\mathsf {msk}_i) = \mathsf {kpABE}.\mathsf {Setup}}(1^\lambda , 1^{2^i}, 1^{\hat{\mathsf {d}}}; \widehat{\mathsf {K}}_i )$$
  Here $\widehat{\mathsf {K}}_i$ is the randomness and $\hat{\mathsf {d}}$ is a parameter chosen later.
4. 4.
  Compute $\mathsf {kpABE}.\mathsf {ct}\leftarrow \mathsf {kpABE}.\mathsf {Enc}(\mathsf {kpABE}.\mathsf {mpk}_i, \hat{C}, m)$ as an $\mathsf {kpABE}$ ciphertext for the message m under attribute $\hat{C}$.
5. 5.
  Obtain $\mathsf {FE}.\mathsf{sk}_i = \mathsf {FE}.\mathsf{KeyGen}(\mathsf {FE}.\mathsf {mpk}_i, \mathsf {FE}.{\mathsf {msk}}_i,F_{ \mathsf {n},2^i} ; \mathsf {R}_i )$, where $F_{ \mathsf {n},2^i} $ is a circuit described in Fig. 1.
6. 6.
  Output $\mathsf {cpABE}.\mathsf {ct}= ( \mathsf {FE}.\mathsf{sk}_{i},\mathsf {kpABE}.\mathsf {mpk}_i,\mathsf {kpABE}.\mathsf {ct})$.
$\mathsf {cpABE}.\mathsf{KeyGen}(\mathsf {cpABE}.\mathsf {msk},\mathbf {x})$: On input the master secret key $\mathsf {cpABE}.\mathsf {msk}$ and the attribute vector $\mathbf {x}$, do the following:
1. 1.
  Parse the master secret key as $\mathsf {cpABE}.\mathsf {msk}\,{\rightarrow }\, (\{\widehat{\mathsf {K}}_j, \mathsf {R}_j, \mathsf {FE}.{\mathsf {mpk}}_j, \mathsf {FE}.{\mathsf {msk}}_j \}_{j\in [0,\lambda ]} )$.
2. 2.
  Sample $\widehat{\mathsf {R}}_j \leftarrow \mathsf{PRF}.\mathsf {Setup}(1^\lambda )$ for all $j\in [0,\lambda ]$.
3. 3.
  Compute ${{\mathsf {FE}.\mathsf {ct}}_j = \mathsf {FE}.\mathsf {Enc}}(\mathsf {FE}.{\mathsf {mpk}}_j, (\mathbf {x},\widehat{\mathsf {K}}_j, \widehat{\mathsf {R}}_j))$ for all $j\in [0,\lambda ]$.
4. 4.
  Output ${\mathsf {cpABE}.\mathsf{sk}}_{\mathbf {x}} = \{ {\mathsf {FE}.\mathsf {ct}}_j \}_{j\in [0,\lambda ]}$.
$\mathsf {cpABE}.\mathsf {Dec}(\mathsf {cpABE}.\mathsf{sk}_\mathbf {x}, \mathbf {x}, \mathsf {cpABE}.\mathsf {ct}, C )$: On input a secret key for attribute vector $\mathbf {x}$ and a ciphertext encoded for circuit C, do the following:
1. 1.
  Parse the secret key as $\mathsf {cpABE}.\mathsf{sk}_\mathbf {x}= \{{\mathsf {FE}.\mathsf {ct}}_j\}_{j\in [0,\lambda ]}$ and the ciphertext as $\mathsf {cpABE}.\mathsf {ct}= (\mathsf {FE}.\mathsf{sk}_{i}, \mathsf {kpABE}.\mathsf {mpk}_i,\mathsf {kpABE}.\mathsf {ct})$.
2. 2.
  Set $\ell = \vert C \vert $ and choose ${\mathsf {FE}.\mathsf {ct}}_i$ from $\mathsf {cpABE}.\mathsf{sk}_\mathbf {x}=\{{\mathsf {FE}.\mathsf {ct}}_j\}_{j\in [0,\lambda ]}$ such that $i = \left\lceil {\log \ell } \right\rceil < \lambda $.
3. 3.
  Compute $y= \mathsf {FE}.\mathsf {Dec}(\mathsf {FE}.\mathsf {mpk}_i, \mathsf {FE}.\mathsf{sk}_{i}, {\mathsf {FE}.\mathsf {ct}}_i)$.
4. 4.
  Compute and output $z = \mathsf {kpABE}.\mathsf {Dec}(\mathsf {kpABE}.\mathsf {mpk}_i, y, U_{2^i}[ \mathbf {x}], \mathsf {kpABE}.\mathsf {ct}_i, \hat{C})$, where we interpret y as an ABE secret key and $\hat{C}={C} \Vert \bot ^{2^{i} -\ell }$.

Efficiency. The following theorem asserts that our scheme is efficient.

Theorem 3.1

For appropriately chosen $\hat{\mathsf {d}}(\lambda )$, $\mathsf {out}(\lambda )$, and $\mathsf {d}(\lambda )$, each algorithm of our scheme $\mathsf {cpABE}$ runs in polynomial time of input length.

Correctness. Intuitively, correctness follows directly from the correctness of $\mathsf {kpABE}$ and $\mathsf {FE}$. The following theorem shows that our scheme is correct.

Theorem 3.2

For appropriately chosen $\hat{\mathsf {d}}(\lambda )$, $\mathsf {out}(\lambda )$, and $\mathsf {d}(\lambda )$, our scheme $\mathsf {cpABE}$ is correct for any polynomially bounded $\mathsf {n}(\lambda )$.

Security. We can prove that if $\mathsf {FE}$ and $\mathsf {kpABE}$ are secure then so is the $\mathsf {cpABE}$ defined above. Formally, we have the following theorem.

Theorem 3.3

Assume that $\mathsf {FE}$ satisfies full simulation based security, $\mathsf {kpABE}$ is selectively secure, and that $\mathsf{PRF}$ is a secure pseudorandom function. Then, $\mathsf {cpABE}$ satisfies selective security.

The proof of the above theorems will appear in the full version.

4 Public Key CP-ABE for Bounded Circuits

In this section, we construct a public key ciphertext policy ABE scheme for bounded sized circuits $\mathcal{C}_{\mathsf {n},\mathsf {d},\mathsf s}$, where $\mathsf {n}$ is the input length, $\mathsf {d}$ is the depth and $\mathsf s$ is the upper bound of the size . In our construction, the size of the secret key and ciphertext satisfy the efficiency properties desired from CP-ABE (Definition 2.4). Additionally, the running time of the encrypt and decrypt algorithms depend only on the size of the circuit C and not on the worst case circuit size $\mathsf s$. However, the running time of the setup algorithm grows with the size $\mathsf s$ of the circuits supported by the scheme. We note that the inefficiency of setup is mitigated since it is only run once.

We provide the construction next.

$\mathsf {cpABE}.\mathsf {Setup}(1^\lambda , 1^\mathsf {n}, 1^\mathsf {d},1^\mathsf{s})$: On input the security parameter $\lambda $ and the input length $\mathsf {n}$, depth $\mathsf {d}$ and the upper bound of the size $\mathsf s$ of the circuit family, set $\eta := \lceil \log \mathsf s\rceil $ and do the following:
1. 1.
  For all ${j\in [0,\eta ]}$, sample $\mathsf{PRF}$ keys $\widehat{\mathsf {K}}_j, \mathsf {R}_j \leftarrow \mathsf{PRF}.\mathsf {Setup}(1^\lambda )$.
2. 2.
  For all ${j\in [0,\eta ]}$, sample ${(\mathsf {kpABE}.\mathsf {mpk}_j,\mathsf {kpABE}.\mathsf {msk}_j) = \mathsf {kpABE}.\mathsf {Setup}}(1^\lambda , 1^{2^j }, 1^{\hat{\mathsf {d}}};\widehat{\mathsf {K}}_j)$. Here, ${\hat{\mathsf {d}}}$ is the depth of the universal circuit $U(\cdot , \cdot )$ for circuits of size $\mathsf{s}\ge 2^j$ and depth $\mathsf {d}$.
3. 3.
  For all ${j\in [0,\eta ]}$, sample $(\mathsf {FE}.{\mathsf {mpk}}_j,\mathsf {FE}.{\mathsf {msk}}_j) \leftarrow \mathsf {FE}.\mathsf {Setup}(1^\lambda ,1^{ \mathsf {inp}(\lambda ) }, 1^{\mathsf{out}(\lambda )}, 1^{\mathsf {d}(\lambda )} )$. Here, input length $\mathsf {inp}= \mathsf {n}+ 2|\mathsf {K}|$, output length $\mathsf{out}$ is the length of the $\mathsf {kpABE}$ secret key, and depth ${\tilde{\mathsf {d}}}$ is the depth of the $\mathsf {kpABE}.\mathsf{KeyGen}$ algorithm.
4. 4.
  For all ${j\in [0,\eta ]}$, obtain $\mathsf {FE}.\mathsf{sk}_j = \mathsf {FE}.\mathsf{KeyGen}(\mathsf {FE}.\mathsf {mpk}_j, \mathsf {FE}.{\mathsf {msk}}_j,F_{ \mathsf {n}, 2^j} ; \mathsf {R}_j )$, where $F_{ \mathsf {n}, 2^j} $ is a circuit described in Fig. 2.
5. 5.
  Output $\mathsf {cpABE}.\mathsf {mpk}=( \{ \mathsf {FE}.{\mathsf {mpk}}_j, \mathsf {kpABE}.\mathsf {mpk}_j, \mathsf {FE}.\mathsf{sk}_j \}_{j\in [0,\eta ]} )$ and $\mathsf {cpABE}.\mathsf {msk}= (\{\widehat{\mathsf {K}}_j \}_{j\in [0,\eta ]} )$.
$\mathsf {cpABE}.\mathsf {Enc}(\mathsf {cpABE}.\mathsf {mpk}, C, m)$: On input the master public key $\mathsf {cpABE}.\mathsf {mpk}$, a circuit C of size $|C|=\ell $, and a message $m \in \mathcal{M}$, do the following:
1. 1.
  Parse the master public key as $\mathsf {cpABE}.\mathsf {mpk}\rightarrow ( \{ \mathsf {FE}.{\mathsf {mpk}}_j, \mathsf {kpABE}.\mathsf {mpk}_j, \mathsf {FE}.\mathsf{sk}_j \}_{j\in [0,\eta ]} )$.
2. 2.
  Pad the circuit length to the next power of two: Set $i= \lceil \log \ell \rceil $ and $\hat{C} = C \Vert \bot ^{2^i - \ell }$.
3. 3.
  Compute $\mathsf {kpABE}.\mathsf {ct}\leftarrow \mathsf {kpABE}.\mathsf {Enc}(\mathsf {kpABE}.\mathsf {mpk}_i, \hat{C}, m)$ as an $\mathsf {kpABE}$ ciphertext for the message m under attribute $\hat{C}$.
4. 4.
  Output $\mathsf {cpABE}.\mathsf {ct}= \mathsf {kpABE}.\mathsf {ct}$.
$\mathsf {cpABE}.\mathsf{KeyGen}(\mathsf {cpABE}.\mathsf {mpk}, \mathsf {cpABE}.\mathsf {msk},\mathbf {x})$: On input the master secret key $\mathsf {cpABE}.\mathsf {msk}$ and the attribute vector $\mathbf {x}$, do the following:
1. 1.
  Parse the master public key as $\mathsf {cpABE}.\mathsf {mpk}\rightarrow ( \{ \mathsf {FE}.{\mathsf {mpk}}_j, \mathsf {kpABE}.\mathsf {mpk}_j, \mathsf {FE}.\mathsf{sk}_j \}_{j\in [0,\eta ]} )$ and the master secret key as $\mathsf {cpABE}.\mathsf {msk}\rightarrow (\{\widehat{\mathsf {K}}_j \}_{j\in [0,\eta ]} )$.
2. 2.
  Sample $\widehat{\mathsf {R}}_j \leftarrow \mathsf{PRF}.\mathsf {Setup}(1^\lambda )$ for all $j\in [0,\eta ]$.
3. 3.
  Compute ${{\mathsf {FE}.\mathsf {ct}}_j = \mathsf {FE}.\mathsf {Enc}}(\mathsf {FE}.{\mathsf {mpk}}_j, (\mathbf {x},\widehat{\mathsf {K}}_j, \widehat{\mathsf {R}}_j))$ for all $j\in [0,\eta ]$.
4. 4.
  Output ${\mathsf {cpABE}.\mathsf{sk}}_{\mathbf {x}} = \{ {\mathsf {FE}.\mathsf {ct}}_j \}_{j\in [0,\eta ]}$.
$\mathsf {cpABE}.\mathsf {Dec}(\mathsf {cpABE}.\mathsf {mpk}, \mathsf {cpABE}.\mathsf{sk}_\mathbf {x}, \mathbf {x}, \mathsf {cpABE}.\mathsf {ct}, C )$: On input a secret key for attribute vector $\mathbf {x}$ and a ciphertext encoded for circuit C, do the following:
1. 1.
  Parse the secret key as $\mathsf {cpABE}.\mathsf{sk}_\mathbf {x}= \{{\mathsf {FE}.\mathsf {ct}}_j\}_{j\in [0,\lambda ]}$ and the ciphertext as $\mathsf {cpABE}.\mathsf {ct}= \mathsf {kpABE}.\mathsf {ct}$.
2. 2.
  Compute $y= \mathsf {FE}.\mathsf {Dec}(\mathsf {FE}.\mathsf {mpk}_i, \mathsf {FE}.\mathsf{sk}_i, {\mathsf {FE}.\mathsf {ct}}_i)$.
3. 3.
  Compute and output $z = \mathsf {kpABE}.\mathsf {Dec}(\mathsf {kpABE}.\mathsf {mpk}_i, y, U_{2^i}[ \mathbf {x}], \mathsf {kpABE}.\mathsf {ct}, {C})$, where we interpret y as an ABE secret key.

Correctness and Efficiency. Correctness is evident from correctness of $\mathsf {FE}$ and $\mathsf {kpABE}$. By correctness of $\mathsf {FE}$, we get that $y = \mathsf {kpABE}.\mathsf{sk}_{ U_{2^i}[\mathbf {x}] }$. By correctness of $\mathsf {kpABE}$ we get that $z=m$ iff $U_{2^i}[\mathbf {x}](C) = C(\mathbf {x})=1$.

Next, we discuss the efficiency of the above scheme. We assume that each algorithm has RAM access to $\mathsf {cpABE}.\mathsf {mpk}$. Note that the encryption algorithm runs in time that depends only on the size of the input circuit |C| and not on $\mathsf s$. The key generation algorithm runs in polynomial time in $|\mathbf {x}|$ and $\lambda $, and the decryption algorithm runs in polynomial time in |C|, $|\mathbf {x}|$, and $\lambda $. Thus, the above scheme satisfies the relaxed efficiency of Definition 2.4. Note that this efficiency property does not hold if we remove the assumption that each algorithm has RAM access to $\mathsf {cpABE}.\mathsf {mpk}$, since the length of $\mathsf {cpABE}.\mathsf {mpk}$, which is input to these algorithms, is polynomially dependent on $\mathsf s$.

Security. The proof of security directly follows from the secret key case (Sect. 3). In more detail, we have the following theorem. The proof of the theorem will appear in the full version.

Theorem 4.1

Assume that $\mathsf {FE}$ satisfies full simulation based security (Definition 2.10), $\mathsf {kpABE}$ satisfies selectively security (Definition 2.6), and that $\mathsf{PRF}$ is a secure pseudorandom function. Then, the public key $\mathsf {cpABE}$ described above satisfies selective security (Definition 2.2).

5 Function Hiding Predicate Encryption for Circuits

In this section, we provide a construction for function hiding predicate encryption in the symmetric key setting. Let the attribute universe be $\mathcal{X}$, the predicate universe be $\mathcal{C}$, the message space be $\mathcal{M}$. Then, we construct the algorithms $({\mathsf {FHPE}}.\mathsf {Setup}, {\mathsf {FHPE}}.\mathsf {Enc}, {\mathsf {FHPE}}.\mathsf{KeyGen}, {\mathsf {FHPE}}.\mathsf {Dec})$ as follows:

${\mathsf {FHPE}}.\mathsf {Setup}(1^\lambda , \mathcal{X}, \mathcal{C},\mathcal{M})$: The setup algorithm gets as input the security parameter $\lambda $ and a description of $(\mathcal{X}, \mathcal{C}, \mathcal{M})$ and does the following:
1. 1.
  Sample a symmetric key encryption scheme $\mathsf {SKE}$. Let $\mathsf {SKE}.\mathsf {SK}\leftarrow \mathsf {SKE}.\mathsf {Setup}(1^\lambda )$.
2. 2.
  Sample a symmetric key predicate encryption scheme ${\mathsf {PE}}$ without function hiding. Let ${\mathsf {PE}}.\mathsf {msk}\leftarrow {\mathsf {PE}}.\mathsf {Setup}(1^\lambda )$.
3. 3.
  Output ${\mathsf {FHPE}}.\mathsf {msk}= ({\mathsf {PE}}.\mathsf {msk}, \mathsf {SKE}.\mathsf {SK})$.
${\mathsf {FHPE}}.\mathsf {Enc}({\mathsf {FHPE}}.\mathsf {msk}, \mathbf {x}, \mu )$: The encryption algorithm gets as input ${\mathsf {FHPE}}.\mathsf {msk}$, an attribute $\mathbf {x}\in \mathcal{X}$, a message $\mu \in \mathcal{M}$, and does the following:
1. 1.
  Interpret ${\mathsf {FHPE}}.\mathsf {msk}= ({\mathsf {PE}}.\mathsf {msk}, \mathsf {SKE}.\mathsf {SK})$.
2. 2.
  Define $\mathbf {a}= (\mathbf {x}, \mathsf {SKE}.\mathsf {SK})$ and compute $\mathsf {CT}\leftarrow {\mathsf {PE}}.\mathsf {Enc}({\mathsf {PE}}.\mathsf {msk}, \mathbf {a}, \mu )$.
3. 3.
  Output $\mathsf {CT}$.
${\mathsf {FHPE}}.\mathsf{KeyGen}({\mathsf {FHPE}}.\mathsf {msk}, C)$: The key generation algorithm gets as input ${\mathsf {FHPE}}.\mathsf {msk}$, a predicate $C \in \mathcal{C}$ and does the following:
1. 1.
  Let $\hat{C} = \mathsf {SKE}.\mathsf {Enc}(\mathsf {SKE}.\mathsf {SK}, C)$.
2. 2.
  Define the circuit $U_{\hat{C}}( \cdot )$ as in Fig. 3.
3. 3.
  Compute $\mathsf {SK}_C = {\mathsf {PE}}.\mathsf{KeyGen}({\mathsf {PE}}.\mathsf {msk}, U_{\hat{C}})$ and output it.
${\mathsf {FHPE}}.\mathsf {Dec}(\mathsf {SK}_C,\mathsf {CT})$: The decryption algorithm gets as input the secret key $\mathsf {SK}_C$ and a ciphertext $\mathsf {CT}$, runs ${\mathsf {PE}}.\mathsf {Dec}(\mathsf {SK}_C, \mathsf {CT})$ and outputs it.

Correctness. Correctness follows directly from the correctness of ${\mathsf {PE}}$ and $\mathsf {SKE}$. Note that, by correctness of ${\mathsf {PE}}$ we have that ${\mathsf {PE}}.\mathsf {Dec}(\mathsf {SK}_C, \mathsf {CT}) = U_{\hat{C}} (\mathbf {x}, \mathsf {SKE}.\mathsf {SK})$. Next, by correctness of $\mathsf {SKE}$ we have $\mathsf {SKE}.\mathsf {Dec}(\hat{C}, \mathsf {SKE}.\mathsf {SK}) = C$. Hence decryption outputs $\mu $ if and only if $U_{\hat{C}} (\mathbf {x}, \mathsf {SKE}.\mathsf {SK}) = C(\mathbf {x}) =1$.

Security. Next, we prove that the above construction satisfies function hiding as defined in Sect. 2.4. In more detail, we have:

Theorem 5.1

Suppose that ${\mathsf {PE}}$ is a symmetric key predicate encryption scheme satisfying $\mathsf {SA}\text{- }\mathsf {SIM}$^{Footnote 7} attribute hiding (Definition 2.13) and $\mathsf {SKE}$ is a semantically secure symmetric key encryption scheme. Then the function hiding predicate encryption scheme ${\mathsf {FHPE}}$ described above satisfies $\mathsf {SA}\text{- }\mathsf {SIM}$ attribute and function hiding (Definition 2.15).

The proof of the theorem will appear in the full version.

5.1 Instantiating Function Hiding PE from Concrete Assumptions

In this section, we provide instantiations of function hiding predicate encryption from concrete assumptions.

Semi-adaptively Secure Constructions for Circuits from LWE. Here, we explain that we can construct adaptively secure function hiding PE scheme for circuits from LWE. To do so, we start with semi-adaptively secure ABE for circuits [BV16, GKW16]. This construction can be upgraded to be PE by using lockable obfuscation [GKW17, WZ17]. Plugging the obtained PE scheme into our construction, we obtain the following theorem:

Theorem 5.2

Assuming LWE, we have function hiding $\mathsf {SA}\text{- }\mathsf {SIM}$ secure predicate encryption for all polynomial sized circuits.

Adaptive Simulation Secure Constructions for ${\mathsf {NC}}_1$ Circuits from Bilinear Maps and LWE. The above construction only achieves selective security. Here, we explain that we can construct adaptive simulation secure function hiding PE scheme for ${\mathsf {NC}}_1$ circuits by additionally using bilinear maps. To do so, we start with adaptively secure KP-ABE scheme for ${\mathsf {NC}}_1$ circuits [CGW15, KW19] from the decisional linear (DLIN) assumption on bilinear groups. By applying the ABE-to-PE conversion using lockable obfuscation [GKW17, WZ17], we obtain an adaptively secure (key-policy) PE scheme for ${\mathsf {NC}}_1$ circuits from the DLIN assumption and the LWE assumption. We can further upgrade its security to adaptive simulation security by the conversion shown by [GKW17, Appendix F]. We then instantiate our construction with this PE scheme. To do so, we need that $U_{\hat{C}}$ is implementable by an ${\mathsf {NC}}_1$ circuit. It suffices to show that we can implement Step 2a and 2c of $U_{\hat{C}}$ by an ${\mathsf {NC}}_1$ circuit. The former is possible by instantiating the underlying SKE scheme with the secret key version of the Regev encryption scheme [Reg09], which has ${\mathsf {NC}}_1$ decryption circuit. The latter is also possible by using the depth-preserving universal circuit [CH85] that takes as input C and x and outputs C(x) and whose depth is only constant time deeper than the depth of C. Summarizing the above discussion, we have the following theorem.

Theorem 5.3

Assuming LWE assumption and DLIN, we have function hiding adaptive simulation secure predicate encryption for ${\mathsf {NC}}_1$ circuits.

5.2 Ciphertext Policy Predicate Encryption with Function Hiding

Above, we presented a construction for function hiding predicate encryption in the key policy setting. Now, we leverage this to provide a construction for function hiding predicate encryption in the ciphertext policy setting. Note that the construction for $\mathsf {cpABE}$ presented in Sect. 3 constructions uses a single key functional encryption scheme ($\mathsf {FE}$) along with a key policy attribute based encryption scheme ($\mathsf {kpABE}$) in a modular way. We claim that if we replace the $\mathsf {kpABE}$ scheme with a function hiding predicate encryption scheme constructed above, then the resultant scheme achieves attribute and function hiding as well. We refer the reader to the full version for more details.

5.3 Strong Function Hiding Implies $\mathsf {iO}$

The function hiding predicate encryption scheme we constructed above achieves the weaker notion of security of Definition 2.14. As discussed in Sect. 1, if we have a scheme that satisfies a stronger, more natural version of the security, we can construct an $\mathsf {iO}$ from this scheme. We refer the reader to the full version for more details.

Notes

1.
We note that from strong assumptions such as the the existence of multilinear maps [GGH13a], witness encryption [GTKP+13a] or indistinguishability obfuscation [BGI+01, GGH+13b], attribute based encryption (indeed, even its generalization functional encryption) has been constructed for all circuits, but these are not considered standard assumptions.
2.
In the symmetric key setting, single-challenge ciphertext security and multi-challenge ciphertext security are not equivalent. In our paper, we adopt the latter as the default security notion for symmetric key ABE, since it is stronger and more natural.
3.
Although using the scheme by [BGG+14] allows for a small function key size.
4.
Note that we are starting with a weaker object – this only strengthens our result.
5.
Note that $(f_j, \mu _j)$ are ciphertext queries, not challenge ciphertexts, so the adversary is allowed to have decrypting keys for these in a function hiding game.
6.
Beyond what is already done by the “heavy hammers” of [BGG+14, GTKP+13b].
7.
We note that for PE, IND based security can be bootstrapped into SIM based security as shown by [GKW17, Appendix F].

References

Agrawal, S., Chase, M.: Simplifying design and analysis of complex predicate encryption schemes. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 627–656. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_22
Chapter Google Scholar
Ananth, P., Fan, X.: Attribute based encryption with sublinear decryption from LWE. Cryptology ePrint Archive, Report 2018/273 (2018). https://eprint.iacr.org/2018/273
Agrawal, S., Freeman, D.M., Vaikuntanathan, V.: Functional encryption for inner product predicates from learning with errors. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 21–40. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_2
Chapter Google Scholar
Attrapadung, N., Hanaoka, G., Yamada, S.: Conversions among several classes of predicate encryption and applications to ABE with various compactness tradeoffs. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 575–601. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_24
Chapter Google Scholar
Ananth, P., Jain, A.: Indistinguishability obfuscation from compact functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 308–326. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_15
Chapter Google Scholar
Agrawal, S., Maitra, M., Yamada, S.: Attribute based encryption (and more) for nondeterministic finite automata from LWE. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 765–797. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_26
Chapter Google Scholar
Attrapadung, N.: Dual system encryption via doubly selective security: framework, fully secure functional encryption for regular languages, and more. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 557–577. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_31
Chapter Google Scholar
Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30
Chapter Google Scholar
Barak, B., et al.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1
Chapter Google Scholar
Bishop, A., Jain, A., Kowalczyk, L.: Function-hiding inner product encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 470–491. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_20
Chapter Google Scholar
Bitansky, N., Nishimaki, R., Passelègue, A., Wichs, D.: From cryptomania to obfustopia through secret-key functional encryption. In: Hirt, M., Smith, A. (eds.) TCC 2016, Part II. LNCS, vol. 9986, pp. 391–418. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_15
Chapter Google Scholar
Boneh, D., Raghunathan, A., Segev, G.: Function-private identity-based encryption: hiding the function in functional encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 461–478. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_26
Chapter MATH Google Scholar
Boneh, D., Raghunathan, A., Segev, G.: Function-private subspace-membership encryption and its applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 255–275. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42033-7_14
Chapter Google Scholar
Brakerski, Z., Segev, G.: Function-private functional encryption in the private-key setting. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 306–324. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_12
Chapter Google Scholar
Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy, pp. 321–334 (2007)
Google Scholar
Bitansky, N., Vaikuntanathan, V.: Indistinguishability obfuscation from functional encryption. In: FOCS 2015, p. 163 (2015)
Google Scholar
Brakerski, Z., Vaikuntanathan, V.: Circuit-ABE from LWE: unbounded attributes and semi-adaptive security. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 363–384. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_13
Chapter Google Scholar
Brakerski, Z., Vaikuntanathan, V.: Lattice-inspired broadcast encryption and succinct ciphertext-policy ABE. Cryptology ePrint Archive, Report 2020/191 (2020). https://eprint.iacr.org/2020/191
Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_29
Chapter Google Scholar
Chen, J., Gay, R., Wee, H.: Improved dual system ABE in prime-order groups via predicate encodings. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 595–624. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_20
Chapter Google Scholar
Cook, S.A., Hoover, H.J.: A depth-universal circuit. SIAM J. Comput. 14(4), 833–839 (1985)
Article MathSciNet Google Scholar
Chen, J., Wee, H.: Semi-adaptive attribute-based encryption and improved delegation for boolean formula. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 277–297. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10879-7_16
Chapter Google Scholar
Döttling, N., Garg, S.: Identity-based encryption from the Diffie-Hellman assumption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 537–569. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_18
Chapter Google Scholar
Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_1
Chapter Google Scholar
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS (2013). http://eprint.iacr.org/
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: STOC, pp. 555–564 (2013)
Google Scholar
Goyal, R., Koppula, V., Waters, B.: Semi-adaptive security and bundling functionalities made generic and easy. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 361–388. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_14
Chapter Google Scholar
Goyal, R., Koppula, V., Waters, B.: Lockable obfuscation. In: FOCS (2017)
Google Scholar
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM Conference on Computer and Communications Security, pp. 89–98 (2006)
Google Scholar
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: How to run turing machines on encrypted data. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 536–553. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_30
Chapter Google Scholar
Goldwasser, S., Tauman Kalai, Y., Popa, R., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: Proceedings of STOC, pp. 555–564. ACM Press (2013)
Google Scholar
Gorbunov, S., Vinayagamurthy, D.: Riding on asymmetry: efficient ABE for branching programs. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 550–574. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_23
Chapter Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute based encryption for circuits. In: STOC (2013)
Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_25
Chapter Google Scholar
Kim, S., Lewi, K., Mandal, A., Montgomery, H., Roy, A., Wu, D.J.: Function-hiding inner product encryption is practical. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 544–562. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_29
Chapter Google Scholar
Kitagawa, F., Nishimaki, R., Tanaka, K.: Obfustopia built on secret-key functional encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 603–648. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_20
Chapter Google Scholar
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_9
Chapter Google Scholar
Kowalczyk, L., Wee, H.: Compact adaptively secure ABE for $\sf NC^1$ from k-Lin. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 3–33. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_1
Chapter Google Scholar
Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_4
Chapter Google Scholar
Lewko, A., Waters, B.: Unbounded HIBE and attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 547–567. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_30
Chapter Google Scholar
Lewko, A., Waters, B.: New proof methods for attribute-based encryption: achieving full security through selective techniques. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 180–198. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_12
Chapter Google Scholar
Okamoto, T., Takashima, K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 191–208. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_11
Chapter Google Scholar
Okamoto, T., Takashima, K.: Adaptively attribute-hiding (hierarchical) inner product encryption. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 591–608. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_35. Full version available at http://eprint.iacr.org/2011/543
Chapter Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009). Extended abstract in STOC 2005
Article MathSciNet Google Scholar
Rouselakis, Y., Waters, B.: Practical constructions and new proof methods for large universe attribute-based encryption. In: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, Germany, 4–8 November 2013, pp. 463–474 (2013)
Google Scholar
Shen, E., Shi, E., Waters, B.: Predicate privacy in encryption systems. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 457–473. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_27
Chapter Google Scholar
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
Chapter Google Scholar
Tsabary, R.: Fully Secure attribute-based encryption for t-CNF from LWE. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part I. LNCS, vol. 11692, pp. 62–85. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_3
Chapter Google Scholar
Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 53–70. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_4
Chapter Google Scholar
Waters, B.: Functional encryption for regular languages. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 218–235. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_14
Chapter Google Scholar
Wee, H.: Dual system encryption via predicate encodings. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 616–637. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_26
Chapter Google Scholar
Wichs, D., Zirdelis, G.: Obfuscating compute-and-compare programs under LWE. In: FOCS (2017)
Google Scholar

Download references

Acknowledgements

We would like to thank the anonymous reviewers of TCC 2020 for helpful comments. We would also like to thank the Simons Institute for the Theory of Computing, for hosting both authors during the program entitled “‘Lattices: Algorithms, Complexity, and Cryptography”. Dr. Agrawal is supported by the DST “Swarnajayanti” fellowship, an Indo-French CEFIPRA project and an “Indo-Israel” ISF-UGC project. The first author thanks Zvika Brakerski for suggesting that CP-ABE is interesting even for the case of bounded sized circuits which led to the construction of Sect. 4. The second author is supported by JST CREST Grant Number JPMJCR19F6 and JSPS KAKENHI Grant Number 19H01109.

Author information

Authors and Affiliations

IIT Madras, Chennai, India
Shweta Agrawal
National Institute of Advanced Industrial Science and Technology (AIST), Koto City, Japan
Shota Yamada

Authors

Shweta Agrawal
View author publications
You can also search for this author in PubMed Google Scholar
Shota Yamada
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Shota Yamada .

Editor information

Editors and Affiliations

Cornell Tech, New York, NY, USA
Rafael Pass
Institute of Science and Technology Austria, Klosterneuburg, Austria
Krzysztof Pietrzak

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Agrawal, S., Yamada, S. (2020). CP-ABE for Circuits (and More) in the Symmetric Key Setting. In: Pass, R., Pietrzak, K. (eds) Theory of Cryptography. TCC 2020. Lecture Notes in Computer Science(), vol 12550. Springer, Cham. https://doi.org/10.1007/978-3-030-64375-1_5

Download citation

DOI: https://doi.org/10.1007/978-3-030-64375-1_5
Published: 09 December 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64374-4
Online ISBN: 978-3-030-64375-1
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)