1 Introduction

Attribute-based encryption (ABE) is a form of public-key encryption that generalizes the traditional single-recipient variant, providing fine-grained access control on the encrypted data. In this new paradigm, ciphertexts and keys have attributes attached and the decryption ability of a key on a ciphertext is determined by a potentially complex access control policy involving these attributes. More concretely, an ABE scheme for predicate \(P\) guarantees that the decryption of a ciphertext \(\mathsf {ct}_x\) with a secret key \(\mathsf {sk}_y\) is successful if and only if the ciphertext attribute x and the key attribute y verify the predicate, i.e., \(P(x,y) = 1\).

ABE was first conceived by Sahai and Waters [30] and later introduced by Goyal et al. [19]. Originally, ABE was designed in the flavour of key-policy ABE (KP-ABE), where value x is a Boolean vector, value y is a Boolean function and predicate \(P(x,y)\) is defined as . On the other hand, in the analogous version, ciphertext-policy ABE (CP-ABE), the roles of values x and y are swapped. Nowadays, the notion of ABE has been generalized and, thanks to a considerable effort by the community of cryptographers, there exist efficient schemes for a rich variety of predicates. For example, identity-based encryption (IBE) [31] can be obtained as , zero-inner product encryption (ZIPE) [23] can be obtained by setting , where \(\varvec{x}\) and \(\varvec{y}\) belong to some vector space; other examples are span programs [22], non-monotonic access structures [28], hierarchical IBE [26], large universe ABE [29], polynomial size circuits [18], or regular languages [33]. Despite such a great progress in the field, designing better schemes in terms of size, performance, security and expressivity became an excessively hard and tedious task. Until two astonishing works appeared in 2014.

Modular Frameworks for ABE. In 2014, Wee [34] and Attrapadung [4] independently proposed two generic and unifying frameworks for designing attribute-based encryption schemes for different predicates. Both works define a simple primitive called encoding and follow the dual system methodology by Lewko and Waters [25, 32] to construct a compiler that, on input an encoding (for certain predicate \(P\)), produces a fully secure attribute-based encryption scheme for \(P\). Wee defines so-called predicate encodings, an information-theoretic primitive inspired by linear secret sharing, while Attrapadung introduces the notion of pair encodings, a similar primitive that admits both information-theoretic and computational security definitions. These frameworks remarkably simplify the design and study of ABE schemes: the designer can focus on the construction of the simpler encoding (for the desired predicate), which requires weaker security properties that are more easily verifiable. In fact, the potential of this new frameworks is evidenced by the invention of new constructions and performance improvements on existing primitives. Although these frameworks were designed over composite-order groups, they were both extended, in [15] and [5] respectively, to the prime-order setting (under the Matrix-DH assumption). Subsequent works propose variations and extensions of these modular frameworks [1, 2, 14], some of them even redefining the core encoding primitive [24] (defining so-called tag-based encodings). However, note that the frameworks based on pair encodings are the most general and expressiveFootnote 1 and they have led to breakthrough constructions such as constant-size ciphertext KP-ABE (with large universes) [4], fully-secure functional encryption for regular languages [4], constant-size ciphertext CP-ABE [1] or completely-unbounded KP-ABE for non-monotone span programs (NSP) over large universes [6]. Note that, even nowadays, it is still unknown how to construct any of these powerful schemes based on predicate encodings or tag-based encodings.

Generic Predicate Transformations. In order to further simplify the design of these encodings, a common practice is to develop techniques to modify or combine existing ones. For example, the DUAL transformation, that swaps the ciphertext attribute and the key attribute, or the AND transformation, that joins two predicates in conjunction, can be achieved for pair encodings [4, 10]. Among many applications, these transformations can be used to build dual-policy attribute-based encryption (DP-ABE) [7, 10]; or to enhance any encoding with direct revocation of keys by combining (in conjunction) the original encoding with, e.g., an encoding for broadcast encryption.

In the framework of [15], Ambrona et al. [3] designed new general transformations for the DUAL, OR and AND connectors and, remarkably, the NOT transformation (that negates the predicate of the encoding). This functionally complete set of Boolean transformers provides a rich combination of predicates and arguably broadens the expressivity of the framework, however, such a negation is limited to the framework based on predicate encodings. Designing a similar negation transformation that is applicable to all pair encoding schemes (PES) is a very appealing problem, since it would facilitate the design of new encodings and would immediately expand the expressivity of the PES framework by applying it to all existing ones. Note that, as we have already mentioned, pair encodings have proven themselves to be significantly more expressive than any other related framework.

However, recent works have considered the problem of designing such a general negation to be intrinsically hard [2, 6] (see our discussion in Sect. 3, we also refer to this section for more details about relevant related works). To the best of our knowledge, a general NOT transformation that is applicable to the framework of pair encodings does not exist in the literature.

1.1 Our Contribution

We pursue the study of pair encoding schemes and establish several general results that can lead to performance improvements, and new encodings that broaden their scope.

Generic Negation of Pair Encodings. We propose a generic transformation that takes any pair encoding scheme for a predicate \(P\) and produces a pair encoding scheme for its negated predicate, \(\bar{P}\). Our transformation is applicable to pair encodings that follow the most recent and refined definition given in [2]. Our construction finally solves a problem that was open since 2015, when several other transformation for pair encodings (like conjunction or duality) were proposed [10], but no generic negation was provided (nor designed in subsequent works). In fact, several works had suggested that finding such a transformation was non-obvious [2, 6], since it relates to the problem of generically finding a short “certificate” of security of the encoding. We elaborate on this idea in Sect. 3.

Algebraic Characterization of Pair Encodings. En route to designing our generic negation, we define an algebraic characterization of PES that brings new insight to their expressivity and generality and can be of independent interest. Our characterization allows us to express the security of a pair encoding scheme as the (in)existence of solutions to a system of matrix equations. This is the bridge that allows us to leverage Lemma 1, a very powerful result from linear algebra (commonly used in cryptography), in order to design and prove our generic negation.

New Encodings. Our generic negation facilitates the design of new pair encoding schemes. It will immediately provide us with a negated version of any encoding, something particularly useful for encodings for which a negated counterpart is not known. A relevant example of a PES with (previously) unknown negation is the case of doubly spatial encryption.

Doubly spatial encryption [20] is an important primitive that generalizes both spatial encryption and negated spatial encryption [8]. A negated doubly spatial encryption scheme serves as its revocation analogue and can lead to powerful generalizations in the same way that negated (standard) spatial encryption unifies existing primitives, e.g. it subsumes non-zero-mode inner-product encryption (IPE) [8]. In Sect. 6.1 we provide, to the best of our knowledge, the first pair encoding scheme for negated doubly spatial encryption, obtained with our transformation.

Other Implications of Our Results. We believe the results presented in this work improve our understanding of pair encodings and how expressive they are. In particular, we now know that the set of predicates that can be expressed with PES is closed under negation. In Sect. 6.2, we elaborate on the conclusions we could derive from this fact as well as discuss how our generic transformation can also lead to performance improvements when implementing ABE schemes. Furthermore, note that our generic negation is compatible with the very recent framework proposed by Attrapadung [6], designed to perform dynamic pair encoding compositions. We believe our new transformation complements his work, where the proposed non-monotone formulae composition was only semi-generic (but dynamic), because he had to rely on encodings for which a negated version was available.

2 Preliminaries

2.1 Notation

We write to denote that s is uniformly sampled from a set S. For integers mn, we define [mn] as the range \(\{m,\dots ,n\}\) and we denote by [n] the range [1, n]. We use the same conventions for matrix-representations of linear maps on finite-dimensional spaces. For a ring R, we define vectors \(\varvec{v} \in R^n\) as column matrices, denote the transpose of a matrix A by and its trace by \(\mathrm{tr}(A)\). We denote by \(|\varvec{v}|\) the length or dimension of vector \(\varvec{v}\) and by \(v_i\) its i-th component, for all \(i \in \{1,\dots ,|\varvec{v}|\}\). Similarly, \(A_i\) denotes the i-th row of matrix A (we do not use this notation when the name of the matrix already contains a subindex). We denote by \(\mathrm{span}(A)\) the linear column span of matrix A. We denote the identity matrix of dimension n by \(I_{\text {{n}}}\), a zero vector of length n by \(\varvec{0}_{\text {{n}}}\) and a zero matrix of m rows and n columns by . We denote by \(\varvec{e}_{\text {{i}}}^{n}\) the i-th vector of the standard basis of an n-dimensional space, for all \(i \in [n]\). We sometimes denote \(\varvec{e}_{\text {{1}}}^{n}\) by \(\varvec{1}_{\text {{n}}}\). Similarly, we denote by the matrix , i.e., a null matrix of m rows and n columns whose component in the first row and first column is 1. Given two matrices A and B, we denote by \(A \otimes B\) their Kronecker product.

We consider a bilinear group generator \(\mathcal{G}\) that takes a security parameter \(\lambda \in \mathbb {N}\) and outputs the description of a bilinear group \((p, G_{\mathsf{1}}, G_{\mathsf{2}}, G_{\mathsf{t}}, g_\mathsf{1}, g_\mathsf{2}, e)\) where \(G_{\mathsf{1}}\), \(G_{\mathsf{2}}\) and \(G_{\mathsf{t}}\) are cyclic groups of order p (for a \(\lambda \)-bits prime p), \(g_\mathsf{1}\) and \(g_\mathsf{2}\) are generators of \(G_{\mathsf{1}}\) and \(G_{\mathsf{2}}\) respectively and \(e : G_{\mathsf{1}}\times G_{\mathsf{2}}\rightarrow G_{\mathsf{t}}\) is a (non-degenerate) bilinear map, satisfying \(e(g_\mathsf{1}^a, g_\mathsf{2}^b) = e(g_\mathsf{1}, g_\mathsf{2})^{ab}\) for all \(a,b \in \mathbb {N}\). Observe that the element \(g_\mathsf{t}= e(g_\mathsf{1}, g_\mathsf{2})\) generates \(G_{\mathsf{t}}\).

2.2 Attribute-Based Encryption

Attribute-based encryption (ABE) [30] is a form of of public-key encryption that supports fine-grained access control of encrypted data.

Definition 1

(Attribute-based encryption). An ABE scheme for predicate \(P: \mathcal{X}\times \mathcal{Y}\rightarrow \{0,1\}\) consists of four probabilistic polynomial-time algorithms:

  • \(\mathsf{Setup}(1^\lambda ,\mathcal{X},\mathcal{Y}) \rightarrow (\mathsf {mpk}, \mathsf {msk})\), on input the security parameter \(\lambda \) and attribute universes \(\mathcal{X}, \mathcal{Y}\), outputs a master public key and a master secret key, defining a key space \(\mathcal{K}\).

  • \(\mathsf{Enc}(\mathsf {mpk}, x)\rightarrow (\mathsf {ct}_x, \tau )\), on input \(\mathsf {mpk}\) and a ciphertext attribute \(x \,{\in }\,\mathcal{X}\), outputs a ciphertext \(\mathsf {ct}_x\) and a symmetric encryption key \(\tau \in \mathcal{K}\).

  • \(\mathsf{KeyGen}(\mathsf {msk},y) \rightarrow \mathsf {sk}_y\), on input the master secret key and a key attribute \(y \in \mathcal{Y}\), outputs a secret key \(\mathsf {sk}_y\).

  • \(\mathsf{Dec}(\mathsf {mpk},\mathsf {sk}_y,\mathsf {ct}_x,x) \rightarrow \tau /\bot \), on input \(\mathsf {sk}_y\) and \(\mathsf {ct}_x\), outputs a symmetric key \(\tau \in \mathcal{K}\) if \(P(x,y) = 1\) or \(\bot \) otherwise.

Correctness. For all \(\lambda \in \mathbb {N}\), \(x \in \mathcal{X}\) and \(y \in \mathcal{Y}\) such that \(P(x,y) = 1\), it holds:

$$ \Pr \left[ \begin{array}{rcl} (\mathsf {msk},\mathsf {pk}) &{} \leftarrow &{} \mathsf{Setup}(1^\lambda )\\ \mathsf {sk}_y &{} \leftarrow &{} \mathsf{KeyGen}(\mathsf {msk}, y)\\ (\mathsf {ct}_x, \tau ) &{} \leftarrow &{} \mathsf{Enc}(\mathsf {mpk}, x) \end{array} \,:\, \mathsf{Dec}(\mathsf {mpk},\mathsf {sk}_y, \mathsf {ct}_x, x) = \tau \right] = 1 . $$

Security. Informally, an ABE scheme is secure if no probabilistic polynomial-time (PPT) adversary can distinguish the symmetric encryption key associated to a ciphertext \(\mathsf {ct}_{x^{\!\star }}\) (for some attribute \(x^\star \)) from a uniformly chosen one from \(\mathcal{K}\), even after requesting several secret keys for attributes y of their choice, as long as they all satisfy \(P(x^\star , y) = 0\).

In this work we focus on pair encodings (see the next section) as a building block for constructing ABE schemes and we refer to Appendix B.1 for a formal security definition of ABE, which we do not state here. Instead, we will formally state and reason about the security requirements for pair encodings.

2.3 Pair Encodings

We consider the refined definition of pair encodings introduced by Agrawal and Chase in [2].

Definition 2

(Pair encoding). A pair encoding scheme (PES) for a predicate family \(P_{\kappa } : \mathcal{X}_{\kappa } \times \mathcal{Y}_{\kappa } \rightarrow \{0,1\}\) indexed by \(\kappa = (N,\mathsf{par})\) consists of the following deterministic and efficiently computable algorithms:

  • \(\mathsf{Param}(\mathsf{par})\): on input certain parameters outputs an integer n, specifying the number of common variables, denoted by \(\varvec{b} = (b_1,\dots ,b_n)\).

  • \(\mathsf{EncKey}(N,y)\): on input \(N \in \mathbb {N}\) and \(y \in \mathcal{Y}_{(N,\mathsf{par})}\), outputs a vector of polynomials \(\varvec{k} = (k_1,\dots ,k_{m_3})\) in the non-lone variables \(\varvec{r} = (r_1,\dots ,r_{m_1})\), the lone variables \(\hat{\varvec{r}} = (\alpha , \hat{r}_1, \dots , \hat{r}_{m_2})\) and the common variables \(\varvec{b}\).

  • \(\mathsf{EncCt}(N,x)\): on input \(N \in \mathbb {N}\) and \(x \in \mathcal{X}_{(N,\mathsf{par})}\), outputs a vector of polynomials \(\varvec{c} = (c_1,\dots ,c_{w_3})\) in the non-lone variables \(\varvec{s} = (s_0,s_1,\dots ,s_{w_1{-}1})\), the lone variables \(\hat{\varvec{s}} = (\hat{s}_1,\dots ,\hat{s}_{w_2})\) and the common variables \(\varvec{b}\).

  • \(\mathsf{Pair}(N,x,y)\): on input \(N \in \mathbb {N}\) and attributes x and y, outputs a pair of matrices \((E, E')\) with coefficients in \(\mathbb {Z}_N\) of dimensions \(w_1 \times m_3\) and \(w_3 \times m_1\) respectively.

We require that the following properties be satisfied:

  • reconstructability: For every \(\kappa = (N,\mathsf{par})\), \(x \in \mathcal{X}_{\kappa }\) and \(y \in \mathcal{Y}_{\kappa }\) such that \(P_{\kappa }(x,y) = 1\), the following equation holds symbolically:

    figure a

    where \(\varvec{k} \leftarrow \mathsf{EncKey}(N,x)\), \(\varvec{c} \leftarrow \mathsf{EncCt}(N,y)\) and \((E,E') \leftarrow \mathsf{Pair}(N,x,y)\).

  • structural constraints: The polynomials produced by \(\mathsf{EncKey}\) only contain monomials of the form \(\alpha \), \(r_i b_j\) or \(\hat{r}_{i'}\) for some \(i \in [m_1]\), \(j \in [n]\) and \(i' \in [m_2]\).

    On the other hand, the polynomials produced by \(\mathsf{EncCt}\) only contain monomials of the form \(s_{i}b_j\) or \(\hat{s}_{i'}\) for some \(i \in [0,w_1{-}1]\), \(j \in [n]\) and \(i' \in [w_2]\).

  • security (non-reconstructability): For all \(\kappa \,{\in }\,(N,\mathsf{par})\), \(x \,{\in }\,\mathcal{X}_{\kappa }\) and \(y \,{\in }\,\mathcal{Y}_{\kappa }\) such that \(P_{\kappa }(x,y) = 0\), and for every pair of matrices \(E\) and \(E'\), over \(\mathbb {Z}_N\), , where \(\varvec{k} \leftarrow \mathsf{EncKey}(N,x)\) and \(\varvec{c} \leftarrow \mathsf{EncCt}(N,y)\).

Remark 1

Observe that \(m_1\) and \(w_1\) representFootnote 2 the number of non-lone variables \(\varvec{r}\) and \(\varvec{s}\) respectively; \(m_2\) and \(w_2\) represent the number of lone variables \(\hat{\varvec{r}}\) and \(\hat{\varvec{s}}\) respectively; and \(m_3\) and \(w_3\) represent the number of polynomials produced by \(\mathsf{EncKey}\) and \(\mathsf{EncCt}\) respectively. Also note that \(m_3\) may depend on the key attribute y and \(w_3\) may depend on the ciphertext attribute x. We will use this notation throughout the paper.

Agrawal and Chase [2] showed that an encoding with the non-reconstructability property (coined non-trivially broken) satisfies the symbolic property, a concept introduced by them which is a sufficient condition to build attribute-based encryption in the standard model under the so-called q-ratio assumption.

We refer to Appendix B.2 for details about how the compiler from PES to fully secure ABE works. In this work we directly reason about PES and do not need to explicitly define such a compiler. However, for the sake of understanding, we provide an intuition of how a PES can be used to create an ABE scheme in the following section.

Example 1

(PES for identity-based encryption). The following is a pair encoding scheme for the IBE predicate , for \(x,y \in \mathbb {Z}_N\). (With \(m_1 = 1\), \(m_2 = 0\), \(m_3 = 2\) and \(w_1 = 2\), \(w_2 = 0\), \(w_3 = 1\).)

figure b

Furthermore, in this case \(\mathsf{Param}\) is an algorithm that simply outputs \(n = 3\) and \(\mathsf{Pair}(N,x,y)\) returns matrices \(E = I_{\text {{2}}}\) and \(E' = {-}I_{\text {{1}}}\). For reconstructability, observe that equals \(s_0\alpha + s_1r_1(yb_2 + b_3) - s_1r_1 (xb_2 + b_3)\) which equals \(\alpha s_0\) whenever \(x = y\), as desired.

Arguing security, i.e., non-reconstructability whenever \(x \ne y\), is a little trickier. One needs to show that for all matrices \(E \in \mathbb {Z}_N^{2\times 2}\), \(E' \in \mathbb {Z}_N\), the above linear combination is never equal to \(\alpha s_0\). This could be done by unfolding the list of polynomials in \(\varvec{s} \otimes \varvec{k}\), \(\varvec{c} \otimes \varvec{r}\) into a matrix A with \(w_1 m_3 + w_3 m_1\) rows (as many as polynomials) and as many columns as different monomials appear in them, where the element at row i and column j of the matrix represents the coefficient of the j-th monomial in the i-th polynomial. (Let the first column be the one associated to monomial \(\alpha s_0\).) One could then argue security by checking that the row span of A does not contain the vector \((1\,0\,\dots \,0)\) when \(P(x,y) = 0\).

However, there is a simpler way of proving non-reconstructability. Simply evaluate the polynomials produced by \(\mathsf{EncKey}\) and \(\mathsf{EncCt}\) in:

$$ b_1 \leftarrow -1 \qquad b_2, s_0, r_1, \alpha \leftarrow 1 \qquad b_3 \leftarrow -y \qquad s_1 \leftarrow (x{-}y)^{{-}1} . $$

Since all the polynomials evaluate to 0, but \(\alpha s_0\) evaluates to \(1 \ne 0\), it must be impossible to symbolically reconstruct \(\alpha s_0\) with some pair of matrices \(E,E'\). Otherwise, we would have a contradiction:

figure c

The above variable substitution that vanishes all polynomials, but does not vanish polynomial \(\alpha s_0\) can be considered to be a short “certificate” of the security of the scheme (and it is well-defined as long as \(x \,{\ne }\, y\)). We elaborate on this interesting method for arguing security in Sect. 3. \(\blacksquare \)

2.4 ABE from PES

The compiler from pair encodings to attribute-based encryption is defined over bilinear groups implemented as dual system groups (DSG) [2, 16, 17]. Here, we define a simplified version of the compiler and avoid DSG for simplicity, but note that the actual scheme produced by these compilers uses vectors of group elements where we write single group elements. We provide a complete description of the compiler from [2] in Appendix B.2.

Informally, the symmetric encryption key is computed as , where \(s_0\) is fresh randomness and \(g_\mathsf{t}^{\alpha }\) is part of the master public key. Both ciphertexts and keys are made of group elements (created based on the recipe given by the corresponding PES polynomials). It is possible to recover \(\tau \) when the predicate is satisfied. More concretely, for \(\varvec{k} \leftarrow \mathsf{EncKey}(x)\) and \(\varvec{c} \leftarrow \mathsf{EncCt}(y)\), the compiler could be summarized as follows:

Decryption is done by pairing \(g_\mathsf{1}^{\varvec{s}}\) with \(g_\mathsf{2}^{\varvec{k}}\), \(g_\mathsf{1}^{\varvec{c}}\) with \(g_\mathsf{2}^{\varvec{r}}\), and linearly combining the resulting elements, according to the coefficients given by \(\mathsf{Pair}(x,y)\), obtaining \(\alpha s_0\) in the exponent.

2.5 Linear Algebra Tools

In order to prove the validity of our generic negation of pair encodings, we will use a very powerful result from linear algebra that has been widely used in the literature [1,2,3, 11]. It states that given a field K, a matrix \(A \in K^{m \times n}\) and a vector \(\varvec{z} \in K^m\), it holds that \(A\varvec{v} \ne \varvec{z}\) for all \(\varvec{v} \in K^{n}\) if and only if there exists a vector \(\varvec{w} \in K^{m}\) such that and . We refer to [11, Claim 2] for a formal proof.

Here, for the sake of presentation, we state a variant of the above result, which can be shown to be equivalent, but that facilitates its application in the proof of Lemma 2.

Lemma 1

Let V and W be vector spaces over a field K. Let \(f : V \rightarrow W\) be a linear operator and let \(\varvec{z} \in W\). We have that:

$$ \varvec{z} \not \in \mathrm{Im}(f) \quad \Leftrightarrow \quad \exists \varphi \in W^{*} \text { such that } \varphi \circ f = 0 \,\wedge \, \varphi (\varvec{z}) = 1 . $$

Here, \(W^{*}\!\!\) denotes the dual space of W, i.e., the set of all linear maps \(\varphi : W \rightarrow K\).

3 Overview of Our Generic Negation Transformation

Our starting point is the generic negation for the (less expressive) framework of predicate encodings from [3]. In order to achieve their transformation, Ambrona, Barthe, and Schmidt first defined an algebraic characterization of predicate encodings where the security of the encoding (previously defined as an equality between distributions) was redefined into a purely algebraic statement related to the existence of solutions to a linear system of equations. This observation allowed them to link the notions of security and non-reconstructability and define what they coined the implicit predicate of an encoding. This implies, in a nutshell, that all functions mapping attributes into matrices define a valid predicate encoding for a certain predicate, informally defined as all pairs of attributes (xy) that map into matrices that lead to reconstructability.

Now that security has been proven to be equivalent to non-reconstructability, and given the simple structure of predicate encodings (which are essentially matrices over \(\mathbb {Z}_p\)), it is possible to find a short “witness” of non-reconstructability by simply finding a solution to a dual system of equations.Footnote 3 What we want to highlight here is that their new understanding of predicate encodings allows them to view both reconstructability and non-reconstructability as essentially the same kind of property. This suggests that one may be able to build a generic negation of predicate encodings by transposing the matrices induced by them.Footnote 4 This is in fact what the negation by Ambrona et al. does, but extra care is needed to make things really work.

Unfortunately, in the case of pair encodings things are not as simple. Their structure is significantly more convoluted, involving abstract polynomials that do not allow the kind of reasoning that was possible before (standard linear algebra). However, in 2017, Agrawal and Chase introduced a new security notion applicable to pair encodings called the symbolic property [2]. They also showed how to adapt the previous modular frameworks [1, 5] to define a compiler that takes pair encodings satisfying the symbolic property and produces fully secure predicate encryption schemes under the q-ratio assumption, a new q-type assumption proposed by them that is implied by other assumptions of this kind [27]. This symbolic property can be seen as a generalization of the “trick” that we have used in Example 1 to argue the security of the encoding. The main difference is that scalar variables in the PES may be substituted by vectors or matrices (not necessarily scalars as in our example) in such a way that, after the substitution, all the polynomials evaluate to zero, but there is an extra constraint relating the inner product of the vectors that replaced the special variables that guarantees that \(\alpha s_0\) is non-zero. As mentioned by Attrapadung [6], the above methodology generalizes the well-known Boneh-Boyen cancellation technique for identity-based encryption [12]. What is remarkable about this idea is that the substitution can be used as a “witness” or “certificate” (as coined by the authors of [2]) of the security of the scheme. Furthermore, Agrawal and Chase also showed that any pair encoding that is not trivially broken satisfies the symbolic property, a result that is closely related to the algebraic characterization of privacy on predicate encodings from [3].

It may seem that after these relevant results on pair encodings, and the similarity with those in the framework of predicate encodings, we are in a position to define a generic negation transformation for pair encodings. However, the more involved structure of pair encodings makes it difficult to find and prove a valid conversion. In fact, recent works have considered the problem of designing such a general negation to be non-trivial (see [6, Appendix L.5]), since in the framework of pair encodings it is generally hard to find the mentioned “certificates” that can be interpreted as a short proof of security. (Note that any possible NOT transformation would, at least implicitly, use such certificates as decryption credentials for the transformed encoding, whereas the decryption credentials of the original encoding would become the security certificate of the negated one.)

In order to construct a valid negation of pair encodings, we first need to treat them in a simplified manner, closer to linear algebra. To do so, we provide an algebraic characterization of pair encodings (Sect. 4), whose security can be expressed as a system of matrix equations, very similar to the statement i) from Lemma 2. Intuitively, we split the polynomials produced by the encoding into layers, each being a matrix that corresponds to one of the (common, lone or non-lone) variables. We then show how the security of the scheme can be expressed as a linear system involving these matrices. Our characterization makes an structural assumption on the form of the pair encoding (that can be made without loss of generality and has been used in the literature for other purposes [2, 6]). Namely, we assume that \(\mathsf{EncKey}\) only produces one polynomial that depends on \(\alpha \), which is of the form \(\alpha + r_1 b_1\). This assumption introduces a “symmetry” between the nature of key and ciphertext polynomials (now that the special variable \(\alpha \) is out of the way) that allows us to express the security of the PES as the symmetric algebraic statement of Definition 3. The next step is to leverage Lemma 1 in order to prove our following lemma, linking the inexistence of a solution to the system in i) with the existence of a solution to ii). This is the main tool on which we base our negation transformation. The last (but non-trivial) step is to define a new encoding (in algebraic form) such that the solution from statement ii) serves as a decryption credential for it.

Lemma 2

Let K be a field, let \(n \in \mathbb {N}\) and let \(\{A_i, B_i, C_i\}_{i \in [n]}\), \(\hat{A}, \hat{B}\) be matrices:

for certain \(\ell ,m,r,s,\hat{m},\hat{r} \in \mathbb {N}\) and every \(i \in [n]\). The following are equivalent:

  1. i)

    There do not exist XY with \(X \in K^{r \times \ell }\), \(Y \in K^{s \times m}\) such that:

    figure d
  2. ii)

    There exist \(Z_1,\dots ,Z_n \in K^{m \times r}\) and , such that

    figure e

Proof

Let f be the linear map defined as

$$ f : (X,Y) \mapsto (XA_1 \!+\! B_1Y,\,\, \dots ,\,\, XA_n \!+\! B_nY,\,\, X\hat{A},\,\, \hat{B}Y) . $$

Observe that the first statement of the lemma is equivalent to saying that

figure f

which, by Lemma 1 is equivalent to the existence of \(\varphi : W \rightarrow K\), where in this case , such that

figure g

which is equivalent to the existence of matrices \(Z_1,\dots ,Z_n \in K^{m \times r}\) and , such that

(1)
(2)

which is equivalent to the second statement of the lemma, quod erat demonstrandum. To see why, note that Eq. (2) is present in both cases and observe that if the second statement of the lemma holds, then (for any XY) we have

where in \(\dag \) we have used the fact that the trace is invariant under cyclic permutations. Finally, to see the converse, note that if Eq. (1) holds for any X,Y, it must hold for , which would imply that for every \(X \in K^{r\times \ell }\),

figure h

but that can only happen if is the zero matrix.

Analogously, evaluating (1) on , we get

figure i

for every \(Y \in K^{s \times m}\), which can only happen if is the null matrix. \(\square \)

4 Characterization of Pair Encodings

In this section we propose a characterization of pair encodings that will be used to define our generic transformation for the negated predicate.

The first step towards our characterization is to assume that only one polynomial from \(\mathsf{EncKey}\) depends on \(\alpha \) and is of the form \(\alpha + r_1b_1\). This assumption is without loss of generalityFootnote 5, and has been utilized before in the literature [2, 6]. The rest of polynomials can be expressed as \(\varvec{k} = B_y \varvec{r} + C_y \hat{\varvec{r}}\), for some matrix \(B_y\) whose terms are linear polynomials in \(\mathbb {Z}_N[b_1,\dots ,b_n]\), and some matrix \(C_y\) with coefficients in \(\mathbb {Z}_N\). Given that \(\alpha + r_1b_1\) is always present, for the sake of notation, we redefine \(m_3\) to be the total number of polynomials produced by \(\mathsf{KeyGen}\) excluding \(\alpha + r_1b_1\). Similarly, the polynomials from \(\mathsf{EncCt}\) can be expressed as \(\varvec{c} = B'_x \varvec{s} + C'_x \hat{\varvec{s}}\). Such an analogy in the form of \(\varvec{k}\) and \(\varvec{c}\) (only achieved after getting rid of variable \(\alpha \)) allows us to express the encodings in an algebraic form, amenable to be combined with different results of linear algebra.

Definition 3

(Algebraic pair encoding). An algebraic pair encoding scheme for a predicate family \(P_{\kappa } : \mathcal{X}_{\kappa } \times \mathcal{Y}_{\kappa } \rightarrow \{0,1\}\) indexed by \(\kappa = (N,\mathsf{par})\) consists of the following deterministic and efficiently computable algorithms:

  • \(\mathsf{Param}^{\mathsf{alg}}(\mathsf{par})\): on input certain parameters outputs an integer \(n \in \mathbb {N}\).

  • \(\mathsf{EncKey}^{\mathsf{alg}}(N,x)\): on input \(N \in \mathbb {N}\) and \(x \in \mathcal{X}_{(N,\mathsf{par})}\), outputs a list of \(n{+}1\) matrices with coefficients in \(\mathbb {Z}_N\), \((B_1, \dots , B_n,C)\), where \(B_j\) has dimension \(m_3 \times m_1\), for \(j \in [n]\), and \(C\) has dimension \(m_3 \times m_2\).

  • \(\mathsf{EncCt}^{\mathsf{alg}}(N,y)\): on input \(N \in \mathbb {N}\) and \(y \in \mathcal{Y}_{(N,\mathsf{par})}\), outputs a list of \(n{+}1\) matrices with coefficients in \(\mathbb {Z}_N\), \((B'_1, \dots , B'_n, C')\), where \(B'_j\) has dimension \(w_3 \times w_1\), for \(j \in [n]\), and \(C'\) has dimension \(w_3 \times w_2\).

Furthermore, for every \(\kappa = (N,\mathsf{par})\), \(x \in \mathcal{X}_{\kappa }\) and \(y \in \mathcal{Y}_{\kappa }\), \(P_{\kappa }(x,y) = 1\) if and only if there exist matrices \(E \in \mathbb {Z}_N^{w_1 \times m_3}\) and \(E' \in \mathbb {Z}_N^{w_3 \times m_1}\) such that

(3)

where \((B_1,\dots ,B_n,C) \leftarrow \mathsf{EncKey}^{\mathsf{alg}}(N,x)\) and \((B'_1,\dots ,B'_n,C') \leftarrow \mathsf{EncCt}^{\mathsf{alg}}(N,y)\).

Theorem 1

(Characterization). There exists a pair encoding for predicate family \(P_{\kappa }\) if and only if there exists an algebraic pair encoding for \(P_{\kappa }\). Furthermore, there is an efficient conversion in both directions.

The above theorem is a consequence of our following two lemmas.

Lemma 3

(From algebraic to standard). Let \((\mathsf{Param}^{\mathsf{alg}}, \mathsf{EncKey}^{\mathsf{alg}}, \mathsf{EncCt}^{\mathsf{alg}})\) be an algebraic pair encoding scheme for predicate family \(P_{\kappa } : \mathcal{X}_{\kappa } \times \mathcal{Y}_{\kappa } \rightarrow \{0,1\}\). Then, algorithms \((\mathsf{Param}, \mathsf{EncKey}, \mathsf{EncCt}, \mathsf{Pair})\) (defined below) constitute a pair encoding scheme for \(P_{\kappa }\).

  • run \(n \leftarrow \mathsf{Param}^{\mathsf{alg}}(\mathsf{par})\), output n and let \(\varvec{b} = (b_1,\dots ,b_n)\).

  • run \((B_1,\dots , B_n, C) \leftarrow \mathsf{EncKey}^{\mathsf{alg}}(N,x)\), output the vector of polynomials given by \(\alpha + r_1b_1\) and \((b_1 B_1 + \dots + b_n B_n)\varvec{r} + C \hat{\varvec{r}}\), where \(\varvec{r} = (r_1,\dots ,r_{m_{\!\!\,1}})\) and \(\hat{\varvec{r}} = (\hat{r}_1,\dots ,\hat{r}_{m_{\!\!\,2}})\).

  • run \((B'_1,\dots ,B'_n,C') \leftarrow \mathsf{EncCt}^{\mathsf{alg}}(N,y)\), output the vector of polynomials given by \((b_1 B'_1 + \dots + b_n B'_n)\varvec{s} + C' \hat{\varvec{s}}\), where \(\varvec{s} = (s_0,\dots ,s_{w_{\!\!\,1}{-}1})\) and \(\hat{\varvec{s}} = (\hat{s}_1,\dots ,\hat{s}_{w_{\!\!\,2}})\).

  • find matrices \((E,E')\) satisfying Eq. (3), that exist if and only if \(P_{\kappa }(x,y) = 1\), output .

Proof

Observe that the structural constraints on the polynomials of \(\mathsf{EncKey}\) and \(\mathsf{EncCt}\) are satisfied. To see reconstructability, simply note that for any \(N \in \mathbb {N}\), \(x \in \mathcal{X}_{\kappa }\) and \(y \in \mathcal{Y}_{\kappa }\) with \(P(x,y) = 1\), and for \((E,E')\) satisfying (3), it holds:

For security, note that if the new pair encoding were trivially broken, there would exist a pair \((x,y) \in \mathcal{X}_{\kappa } \times \mathcal{Y}_{\kappa }\) with \(P_{\kappa }(x,y) = 0\), and matrices \(E,E'\) satisfying Eq. (3). For details about this fact, we refer to the proof Lemma 4 (the part about reconstructability). \(\square \)

Lemma 4

(From standard to algebraic). Let \((\mathsf{Param}, \mathsf{EncKey}, \mathsf{EncCt}, \mathsf{Pair})\) be a pair encoding schemeFootnote 6 for predicate family \(P_{\kappa } : \mathcal{X}_{\kappa } \times \mathcal{Y}_{\kappa } \rightarrow \{0,1\}\). Then, algorithms \((\mathsf{Param}^{\mathsf{alg}}, \mathsf{EncKey}^{\mathsf{alg}}, \mathsf{EncCt}^{\mathsf{alg}})\) (defined below) constitute an algebraic pair encoding scheme for \(P_{\kappa }\).

  • .

  • run \((\alpha + r_1b_1, \varvec{k}) \leftarrow \mathsf{EncKey}(N,x)\), and let \(m_3 = |\varvec{k}|\). For \(j \in [n]\), define matrix \(B_j\) as the matrix whose element at the \(\ell \)-th row and i-th column is the coefficient of monomial \(r_ib_j\) in polynomial \(k_{\ell }\). Define \(C\) as the matrix whose element at the \(\ell \)-th row and \(i'\)-th column is the coefficient of monomial \(\hat{r}_{i'}\) in polynomial \(k_{\ell }\), for \(i \in [m_1]\), \(i' \in [m_2]\) and \(\ell \in [m_3]\). Output \((B_1,\dots , B_n, C)\).

  • run \(\varvec{c} \leftarrow \mathsf{EncCt}(N,y)\). For \(j \in [n]\), define matrix \(B'_j\) as the matrix whose element at the \(\ell \)-th row and \((i{+}1)\)-th column is the coefficient of monomial \(s_ib_j\) in polynomial \(c_{\ell }\). Define \(C'\) as the matrix whose element at the \(\ell \)-th row and \(i'\)-th column is the coefficient of monomial \(\hat{s}_{i'}\) in polynomial \(c_{\ell }\), for \(i \in [0,w_{\!\!\,1}{-}1]\), \(i' \in [w_{\!\!\,2}]\) and \(\ell \in [w_3]\). Output \((B'_1,\dots , B'_n, C')\).

Proof

Note that the structural constraints on the PES enforce that for every \(N \in \mathbb {N}\), \(x \in \mathcal{X}_{\kappa }\) and \(y \in \mathcal{Y}_{\kappa }\), \((\alpha + r_1b_1, \varvec{k}) \leftarrow \mathsf{EncKey}(N,x)\), \(\varvec{c} \leftarrow \mathsf{EncCt}(N,y)\), \((B_1, \dots , B_n, C) \leftarrow \mathsf{EncKey}^{\mathsf{alg}}(N,x)\), \((B'_1, \dots , B'_n, C') \leftarrow \mathsf{EncCt}^{\mathsf{alg}}(N,y)\), it holds:

$$ \varvec{k} = (b_1 B_1 + \dots + b_n B_n)\varvec{r} + C \hat{\varvec{r}} \quad \text {and} \quad \varvec{c} = (b_1 B'_1 + \dots + b_n B'_n)\varvec{s} + C' \hat{\varvec{s}} . $$

Now, note that, due to reconstructability of the original encoding, for any \(N \in \mathbb {N}\), \(x \in \mathcal{X}_{\kappa }\) and \(y \in \mathcal{Y}_{\kappa }\) such that \(P(x,y) = 1\), if we let , it holds:

figure j

which is equivalent to , but then:

figure k

and because the above equality must hold symbolically, it must be the case that and for every \(j \in [2,n]\). Moreover, and . Finally, note that the non-reconstructability of the original encoding enforces that the above system does not have a solution when \(P_{\kappa }(x,y) = 0\). \(\square \)

5 Generic Negation of Algebraic Pair Encodings

Although the general definition of pair encodings defines polynomials with coefficients over \(\mathbb {Z}_N\) for an arbitrary integer \(N \in \mathbb {N}\). In this section we assume that N is a prime number and write p instead. The reason is that our transformation for the negated encoding leverages a result from linear algebra (our Lemma 2) which requires that the underlying structure be a field. Note that this restriction does not significantly weaken our result, since prime-order groups are preferred over composite over groups.

Fig. 1.
figure 1

Generic negation of algebraic pair encoding schemes.

Full size image

Theorem 2

Let \((\mathsf{Param}^{\mathsf{alg}}, \mathsf{EncKey}^{\mathsf{alg}}, \mathsf{EncCt}^{\mathsf{alg}})\) be an algebraic pair encoding for a predicate family \(P_{\kappa } : \mathcal{X}_{\kappa } \times \mathcal{Y}_{\kappa } \rightarrow \{0,1\}\). The encoding \((\bar{\mathsf{Pair}}, \bar{\mathsf{EncKey}}, \bar{\mathsf{EncCt}})\) described in Fig. 1 is an algebraic pair encoding for the predicate family \(\bar{P}_{\kappa }\) given by \(\bar{P}(x,y) = 1 \Leftrightarrow P(x,y) = 0\) for all \(x \in \mathcal{X}_{\kappa }\), \(y \in \mathcal{Y}_{\kappa }\).

Proof

We need to show that whenever \(P(x,y) \,{=}\, 0\), there exist matrices \(\bar{E}\) and \(\bar{E}'\) of dimension \(w_{\!\!\,1}{\times }(1{+}m_{\!\!\,1}n {+} m_{\!\!\,2})\) and \((w_{\!\!\,1}{+}w_{\!\!\,1}n{+}w_{\!\!\,2}){\times } m_{\!\!\,1}\) respectively, with coefficients in \(\mathbb {Z}_p\), such that:

(4)

where \((\bar{B}_0,\dots ,\bar{B}_{n{+}1},\bar{C}) \leftarrow \bar{\mathsf{EncKey}}(p,x)\), \((\bar{B}'_0,\dots ,\bar{B}'_{n{+}1},\bar{C}') \leftarrow \bar{\mathsf{EncCt}}(p,y)\). Now, our original encoding guarantees that \(P(x,y) = 0\) if and only if there do not exist matrices \(E\), \(E'\) such that:

for \((B_1, \dots , B_n, C) \leftarrow \mathsf{EncKey}(p,x)\) and \((B'_1, \dots , B'_n, C') \leftarrow \mathsf{EncCt}(p,y)\). But that is equivalent, in virtue of Lemma 2, to the existence of \(Z_1,\dots ,Z_n \in \mathbb {Z}_p^{m_{\!\!\,1}\times w_{\!\!\,1}}\), and such that:Footnote 7

(5)

Now, for certain \(\varvec{v} \in \mathbb {Z}_p^{w_{\!\!\,1}}\) and \(V \in \mathbb {Z}_p^{m_{\!\!\,1}\times w_{\!\!\,1}}\) we can consider the matrices:

(6)

and observe that they satisfy all the equations in (4) if we set \(\varvec{v}\) to be the first column of multiplied by \({-}1\) (with the exception that \(v_1 = 0\)) and we set V to be the null matrix except for its first row, that is set to .

To conclude, observe that the converse is also true, i.e., if the equations in (4) admit a solution, then (5) is satisfiable. To see this, note that the left-hand side equations of (4) imply that any solution to them must be of the form of (6) for certain \(\varvec{v}\), V, . Furthermore, the right-hand side equations of (4) guarantee that such matrices \(Z_i\), for \(i \in \{1,\dots ,n,\text {{A}}, \text {{B}}\}\) satisfy (5). Therefore, we have shown that \(P(x,y) = 0\) iff the equations in (4) have a solution. \(\square \)

Observe that, in general, if \((m_{\!\!\,1}, m_{\!\!\,2}, m_{\!\!\,3}, w_{\!\!\,1}, w_{\!\!\,2}, w_{\!\!\,3}, n)\) are the parameters of the original encoding, our negated transformation will produce an encoding with parameters \(\bar{n} = n{+}2\) and:

$$\begin{aligned} \bar{m}_1&= m_{\!\!\,1}&\bar{m}_2&= m_{\!\!\,3}&\bar{m}_3&= 1 + m_{\!\!\,1}n + m_{\!\!\,2}\\ \bar{w}_1&= w_{\!\!\,1}&\bar{w}_2&= w_{\!\!\,3}&\bar{w}_3&= w_{\!\!\,1}(1+n) + w_{\!\!\,2}- 1 . \end{aligned}$$

Note that, although the negated encoding may seem to have a much larger size compared to the original one, the matrices associated to the new encoding are actually very sparse and thus, our transformation will barely impact the performance of the ABE scheme build from the negated encoding.

Furthermore, note that our generic negation is compatible with the promising dynamic pair encoding composition technique very recently proposed by Attrapadung [6]. We believe our new transformation complements his work which could only achieve non-monotone formulae composition in a semi-generic (but dynamic) manner, since the composition had to rely on encodings for which a negated version was available.

6 Consequences of Our Results

Since Attrapadung introduced the notion of pair encoding schemes and the modular framework for constructing fully secure ABE from them [4], there have been several works [1, 2, 6] refining this framework and proposing new encoding schemes for different predicates, that sometimes enjoy extra properties (e.g., constant ciphertext size). The community has made a significant effort on building the negated version of most of the encodings from the literature, which in some cases is significantly more involved. However, there are still encodings for which not negation is known. Our generic transformation puts an end to this situation, since we can now take any encoding and immediately obtain its negated counterpart. A relevant example of a PES with (previously) unknown negation is the case of doubly spatial encryption.

6.1 PES for Negated Doubly Spatial Encryption

Doubly spatial encryption [20] is an important primitive that generalizes both spatial encryptionFootnote 8 [13] and negated spatial encryption, defined by Attrapadung and Libert [8]. It can be used to capture complex predicates and build flexible revocation systems. Its relevance is evidenced by the fact that a variant of it, called key-policy over doubly spatial encryption (defined by Attrapadung [4]), generalizes KP-ABE and leads to efficient unbounded KP-ABE schemes with large universes and KP-ABE with short ciphertexts. Given a field K, the doubly spatial predicate, over sets and , \(P((\varvec{x},X),(\varvec{y},Y))\), is defined as 1 if and only if the affine spaces \(\varvec{x} + \mathrm{span}(X)\) and \(\varvec{y} + \mathrm{span}(Y)\) intersect.

In the same way that negated spatial encryption generalizes spatial encryption and serves as its revocation analogue, unifying existing primitives (for example, it subsumes non-zero-mode IPE), negated doubly spatial encryption is a more expressive and very powerful primitive that deserves our attention. However, to the best of our knowledge, there does not exist a general pair encoding scheme for negated doubly spatial encryption in the literature. Attrapadung [4] provided a pair encoding for doubly spatial encryption and a negated version, for which he had to restrict one of the attributes (originally the ciphertext attribute) to be confined to just a vector instead of a general affine space. This encoding gave birth to the first fully-secure negated spatial encryption scheme, but it is not the negated version of doubly spatial encryption. In the rest of this section, we describe how to obtain the first, to the best of our knowledge, pair encoding scheme for negated doubly spatial encryption without restrictions.

We start from the following PES for doubly spatial encryption (over \(\mathbb {Z}_N\)) from [4]. (With \(m_1 = 1\), \(m_2 = 0\), \(m_3 = \ell '{+}1\) and \(w_1 = 1\), \(w_2 = 0\), \(w_3 = \ell {+}1\).)

We refer to [4] for a proof of security and reconstructability.

In order to apply our negated transformation to this encoding, we first need to modify it so that it satisfies our structural assumption (see the first paragraph of our Sect. 4). For this, we can apply the conversion defined by Attrapadung [6, Section 4]. If we do so, we will get and encoding with \(m_1 = 2\), \(m_2 = 0\), \(m_3 = \ell '{+}1\) and \(w_1 = 2\), \(w_2 = 0\), \(w_3 = \ell {+}2\) that looks as follows (after renaming some variables):

Fig. 2.
figure 2

Simplified PES for negated doubly spatial encryption.

Full size image

Applying our negation transformation to the above encoding, we obtain the pair encoding described in Fig. 3 (presented in Appendix A), where we have renamedFootnote 9 some common variables for the sake of readability. In Appendix A.1 we show how we can slightly simplify the encoding from Fig. 3 and derive the encoding that we present in Fig. 2. Our Theorem 2 guarantees that it is a valid encoding for the negated doubly spatial encryption predicate, but we provide an independent proof in Appendix A.2.

The process of applying our generic negation by hand may seem tedious (but it seems necessary if we want to give an explicit description of an encoding that is parametric in size, like the one for negated doubly spatial encryption). However, notice that this process can be easily delegated to a computer, which does not need to have an explicit definition of the negated encoding. Instead, it can start from the non-negated encoding and apply the negation on the fly.

6.2 Other Implications of Our Transformation

Expressivity of Pair Encoding Schemes. A very important and long-standing open question about pair encoding schemes is how expressive they really are. They have led to breakthrough constructions such as constant-size ciphertext KP-ABE (with large universes) [4], fully-secure functional encryption for regular languages [4], completely-unbounded KP-ABE for non-monotone span programs (NSP) over large universes [6]. However, it is still unknown where their limit is. We believe our results bring new insight to answer this question and improve our understanding of pair encodings and their expressivity.

For example, there exist pair encodings for regular languages, where key attributes represent deterministic finite-state automata (DFSA), ciphertext attributes represent (arbitrarily long) words, and the predicate is defined as 1 iff the automaton accepts the word. However, building ABE for context-free languages (CFL) from pairings is still an important open problem, so it would be desirable to understand whether CFL can be constructed from pair encoding schemes. Our results imply that:

The set of predicates that can be expressed with PES is closed under negation.

This tells us new non-trivial information about what predicates can be expressed with a PES. In particular, it suggests that building PES for context-free languages may be harder than we think or even impossible. Note that context-free languages are not closed under complementation [21] and, consequently, if we can build a PES for CFL, we could build a PES for a predicate class that is strictly more powerful than CFL (at least the union of CFL and coCFLFootnote 10). Of course, this reasoning does not allow us to roundly conclude anything, but it serves as an evidence of the difficulty of this problem.

Potential Performance Improvements. Not only does our generic transformation broaden the class of predicates that can be captured by pair encoding schemes, but it also can lead to efficiency improvements in actual ABE constructions. Observe the peculiar structure of the negated encodings produced with our transformation from Fig. 1. All of the matrices associated to common variables, \(\bar{B}_i\) and \(\bar{B}'_i\), have a fixed structure that is independent of the key attribute and the ciphertext attribute respectively (only the part associated to lone variables is dependent on the attributes). Furthermore, observe that they are arguably sparse. We can conclude that all pair encoding schemes admit a representation (an encoding for the same predicate) in this form, since we can always apply our transformation twice, leveraging the fact that the negation is an involution. However, in many cases it may be simpler to arrive at the mentioned structure more directly, by simply applying linear combinations and variable substitutions. What is important is that such a representation always exists.

This observation opens the possibility of splitting the computation of ciphertexts and secret keys into an offline part (before the attribute value is known) and an online part (once the attribute has been determined). Observe that such a strategy can bring significant performance improvements, given that operations involving common variables require a group exponentiation per matrix coefficient (since the common variables are available in the master public key in the form of group elements, with unknown discrete logarithm)Footnote 11, whereas operations involving lone variables can be batched together, reducing the number of exponentiations (one can do linear algebra over the field \(\mathbb {Z}_N\) and perform one single exponentiation at the end). This is because the value of lone variables is freshly sampled during the computation and, therefore, known. This approach would not only reduce the online encryption and key generation time, but also the total time, since the offline computation can be reused for different attributes after it has been computed once.

7 Conclusions and Future Work

Pair encodings are a simple, yet powerful, tool for building complex fully secure attribute-based encryption schemes. In this work, we have presented a generic transformation that takes any pair encoding scheme and negates its predicate. This construction finally solves a problem that was open since 2015 [10] and that has been considered to be non-obvious by several recent works [2, 6]. Along the way, we have defined new results that improve our understanding of pair encodings and can be of independent interest, including a new encoding (previously unknown) for negated doubly spatial encryption, obtained with our transformation.

We propose several directions for future work. On the theoretical side, it would be interesting to explore whether our negation transformation can lead to simpler encodings as in [3]. In their work, Ambrona et al. show how, applying their negation to an encoding for monotone span programs [22] and after performing some simplifications, the new encoding is more compact and leads to an ABE that is twice as fast as the original one. The fact that the encoding is negated does not spoil its usage, since span programs are closed under negation and can be tweaked to implement the original functionality. The same technique of negating the encoding also results into a successful simplification in the case of arithmetic span programs. We believe the same kind of phenomenon can occur when negating pair encodings with our technique, potentially producing simpler encodings.

A very recent work [9] provides a new framework for constructing ABE schemes that support unbounded and dynamic predicate compositions whose security is proven under the standard matrix Diffie-Hellman assumption (generalizing the result by Attrapadung [6], which achieved the same kind of composition under the q-ratio assumption). The work by Attrapadung and Tomida [9] enables generic conjunctive and disjunctive compositions (which lead to monotone Boolean formula compositions). Extending their techniques in order to design a generic negation under standard assumptions is a very appealing direction for future work. (Note that the negation that we have provided in this work is applicable to the framework of Agrawal and Chase [2], thus it also relies on the less standard q-ratio assumption.)

On the practical side, it would be interesting to implement and evaluate the performance improvements that we propose in Sect. 6.2, exploiting the singular structure of the encodings produced by our transformation.