Adaptively Secure Functional Encryption for Finite Languages from DLIN Assumption


Tapas Pandit, Stat-Math Unit, Indian Statistical Institute, Kolkata
Rana Barua, Stat-Math Unit, Indian Statistical Institute, Kolkata

Abstract

In this paper, we present Functional Encryption (FE) schemes for finite languages from a standard static assumption, viz., the Decisional Linear (DLIN) assumption. These finite languages are described by Deterministic Finite Automata (DFAs). Our first scheme is a ciphertext-policy functional encryption (CP-FE), where a key SK_w is labeled with a string w over a fixed alphabet Σ and a ciphertext C_M is associated with a DFA M over the same alphabet Σ. The key SK_w can extract the message from the ciphertext C_M if the DFA M accepts the string w. This CP-FE scheme is constructed based on the attribute-based encryption (ABE) structure of Okamoto-Takashima in Asiacrypt 2012. To achieve adaptive security, we put bounds on the number of occurrences of any symbol in a string and in the set of transition tuples of a DFA. Due to this restriction, the size of the key space (where the keys are indexed with strings) is reduced to finite. Hence, the functional scope of any DFA in our system can capture only a finite language. Similarly, we obtain our second adaptively secure FE scheme in key-policy flavor from the DLIN assumption. Both schemes are shown to be secure in the standard model.

1 Introduction

Functional Encryption provides a smart way of setting a fine-grained share of a secret among many users in a distributed system. In this encryption, the message (resp. user's key) is encoded with an expressive parameter Φ (called the policy) and the user's key (resp. message) is encoded with a less expressive parameter Ψ (called attributes). Decryption is legitimate if the relation R(Φ, Ψ) holds.

There are two types of FE, viz., Ciphertext-Policy Functional Encryption (CP-FE) [BSW07, LOS+10, OT10, Wat11, LW12], where the message is associated with a policy and the key is encoded with a set of attributes, and Key-Policy Functional Encryption (KP-FE) [GPSW06, OSW07, LOS+10, OT10, LdP11], where the roles of policy and set of attributes are interchanged. FEs are partitioned again in two ways: FE with public index [LW12, GPSW06, Wat11, OSW07, LOS+10, OT10, LdP11], where the message is hidden but not the function, and FE without public index [KSW08, SW08, OT09, OT11, OT12a], where the ciphertext conceals both the plaintext and the policy. Attribute-based Encryptions (ABE) form one of the larger classes of the former category. In ABE, the policies (access structures) are represented by access trees, span programs or sets of minimal sets. Other FEs that exist in the literature are spatial encryption [Ham11, BH08], inner-product encryption [OT12a, KSW08, OT12b], hidden-vector encryption [BW07, IP08] and identity-based broadcast encryption [BH08, SF07]. Sahai and Waters [SW05] introduced the concept of ABE through the construction of Fuzzy IBE, in which an identity was viewed as a set of attributes. Although IBE is a special case of ABE, where the policy is equality of IDs, the Fuzzy IBE was the first step (in the sense of non-trivial functionalities) towards the exploration of many FE schemes. Later, Boneh et al. [BSW11] formalized functional encryption to capture all the FEs under the same template: the functionality f over (K × X) is defined in [BSW11] as a function f : K × X → {0, 1}^*, where K is the key space

and X is the message space. The message space may be of the form X = (M × I), where M is the payload space and I is the policy space. Let c = enc(PP, x = (m, Φ)) be the encryption of (m, Φ); then a secret key SK_Ψ, for Ψ ∈ K, can evaluate f(Ψ, x = (m, Φ)) as dec(PP, c, SK_Ψ). For all aforementioned FEs (or predicate encryptions), the functionality f : K × X → {0, 1}^* is defined as f(Ψ, x = (m, Φ)) = m if R(Φ, Ψ) holds, and otherwise as f(Ψ, x = (m, Φ)) = (len(m), Φ) for public index and f(Ψ, x = (m, Φ)) = len(m) for without public index. Therefore, all the aforesaid FEs are subclasses of formalized FE. Till date, there are very few adaptively secure FE schemes [LW12, OT10, LOS+10, OT12b] without random oracles where the policy is more expressive and fine-grained, and surprisingly, most of them belong to the ABE family. However, the existing ABE (FE) systems support only bounded policies, where the policies can give access to a bounded number of users, i.e., if the formula is defined over fixed n variables, then it supports at most an exponential number of users. Recently, Waters [Wat12] proposed a key-policy functional encryption for regular languages over an alphabet. Since the size of a regular language may be unbounded, their system can support unbounded access control over the encrypted messages. The KP-FE scheme of [Wat12] was shown to be selectively secure under a non-static assumption, the decisional l-expanded BDHE assumption. Very recently, S. C. Ramanna [Ram13] proposed an adaptively secure DFA-based FE over an alphabet in the standard model. To capture adaptive security, they first obtained the basic FE construction by imposing two restrictions, viz., the DFA (policy) must contain at most a single transition corresponding to each symbol and the string must contain at most a single occurrence of each symbol. In their full construction, these restrictions are relaxed to support a large class of regular languages, but they put bounds on the number of occurrences of any symbol in a string and in the set of transition tuples of a DFA. This implies that their system supports nothing but finite languages over a fixed alphabet. However, their system is proven secure under non-standard assumptions, the Decisional SubGroup (DSG) assumptions over composite order bilinear groups.

1.1 Our Contribution

We propose an adaptively secure CP-FE scheme for finite languages over an alphabet Σ. The security of the proposed scheme relies on a standard, static assumption, DLIN, in the standard model. Our construction follows the ABE construction of [OT12b] based on the Dual Pairing Vector Spaces (DPVS) technique. In this construction, the ciphertext components are generated by the bases of a DPVS and the keys are obtained by its dual. Let M = (Q, Σ, q_0, F, δ) be a deterministic finite automaton for which the ciphertext components will be generated. For each state q_x ∈ Q, a random d_x is chosen from F_q. There will be two initial components, viz., C_m, the masking of the message m using a random exponent ξ, and C_0, the encoding of the initial state q_0, which is connected with C_m via the random ξ. For each transition t = (q_x, q_y, σ_h), there will be three ciphertext components, C_{t,1}, C_{t,2} and C_{t,3}, which encode respectively the target state q_y and the transition t, the source state q_x and the transition t, and the transition t alone. The common symbol σ_h is embedded in all three components. For each final state q_z ∈ F, the ciphertext component C_{z,4} represents the encoding of q_z. Let SK_w denote the secret key of a user for a string w = w_1 ... w_l of length l over the alphabet Σ. Let r_0, r_1, ..., r_l be chosen at random from F_q. The key SK_w consists of the following components: one initial key component K_0, the encoding of r_0. For each i ∈ {1, ..., l}, there are three key components, K_{i,1}, K_{i,2} and K_{i,3}, wherein the values r_i, −r_{i−1} and −(r_i + r_{i−1}) are embedded respectively. All three components are related via the common i-th symbol w_i. There is a final component K_{l+1,4} embedding the random r_l. For all i ∈ {1, ..., l}, j ∈ {1, 2, 3}, the components K_{i,j} are connected chain-wise via the random values r_0, ..., r_l. If the pairing between C_0 and K_0 is computed, we have A_0 = g_T^{r_0 d_0 + ξ}, where g_T is an element of the target group of the pairing groups, and since C_m = m · g_T^ξ, we have to compute g_T^ξ from A_0 using the other key and ciphertext components to unmask the message m. If the i-th symbol w_i of w matches¹ a transition t = (q_x, q_y, σ_h), then we have e(C_{t,1}, K_{i,1}) = g_T^{r_i(s_t + d_y)}, e(C_{t,2}, K_{i,2}) = g_T^{−r_{i−1}(−s_t + d_x)} and e(C_{t,3}, K_{i,3}) = g_T^{−(r_i + r_{i−1}) s_t}. Multiplying these three terms, we obtain a coupling value of the form g_T^{r_i d_y − r_{i−1} d_x}.

¹ It means the i-th symbol w_i is equal to the symbol σ_h that appears in the transition t and.

Now, if the DFA

M accepts the string w, then there exists a sequence of l + 1 states q_{x_0}, q_{x_1}, q_{x_2}, ..., q_{x_l} and transitions t_1, ..., t_l, where x_0 = 0 and q_{x_l} ∈ F, and for i = 1, 2, ..., l we have t_i = (q_{x_{i−1}}, q_{x_i}, σ) with w_i = σ. The first coupling value along this sequence is computed as A_1 = g_T^{r_1 d_{x_1} − r_0 d_0}. Iteratively, the i-th coupling value is obtained as A_i = A_{i−1} · g_T^{r_i d_{x_i} − r_{i−1} d_{x_{i−1}}} = g_T^{r_{i−1} d_{x_{i−1}} − r_0 d_0} · g_T^{r_i d_{x_i} − r_{i−1} d_{x_{i−1}}} = g_T^{r_i d_{x_i} − r_0 d_0}. Similarly, the l-th coupling value along this path is A_l = g_T^{r_l d_{x_l} − r_0 d_0}. Then we compute the final value as A_{l+1} = A_l · e(C_{x_l,4}, K_{l+1,4}) = g_T^{r_l d_{x_l} − r_0 d_0} · g_T^{−r_l d_{x_l}} = g_T^{−r_0 d_0}. Thus, the message can be extracted from C_m using A_0 and A_{l+1}. Our KP-FE scheme is found in Appendix C.

Limitation: Most of the adaptively secure FE schemes [LW12, OT10, LOS+10, OT12b] supporting wide functionalities are proven by putting a burden on the functionalities. These restrictions are required to pass through some crucial arguments in the sequence of hybrid games of the dual system proof methodology [Wat09]. For example, in [OT10, LOS+10, OT12b], an adaptively secure basic scheme is first constructed by imposing the restriction that attributes must not repeat in the span programs. Then this basic scheme is lifted to a fully adaptively secure scheme without the above restriction, but it imposes another restriction on the degree of the span programs, i.e., the maximum number of times an attribute can repeat in a span program is bounded by a pre-fixed threshold value. Similarly, we first impose some restrictions on the DFAs and the strings to achieve a basic adaptively secure scheme under a standard static assumption. The imposed restrictions are: for each symbol there is at most a single transition, and the strings for keys can have at most a single occurrence of each symbol. Likewise, the above restrictions are relaxed, but an additional burden is put on the DFAs and the strings for keys to obtain a fully adaptively secure scheme for DFAs under the same assumption.
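The coupling-value chain sketched above (the Decrypt algorithm of Section 3), worked at the exponent level as an added example that is not the paper's own code: since e(xB, yB*) = g_T^{x·y} for dual orthonormal bases, every pairing is modelled as a dot product mod q and every product in G_T as a sum of exponents. The 14-dimensional vectors are compressed to an 8-coordinate layout, and the prime Q, the alphabet table and the sample DFA are constructed values.

```python
"""Exponent-level model of the basic CP-FE decryption chain (added example,
not the paper's code).  For dual orthonormal bases e(xB, yB*) = g_T^{x.y}, so a
pairing is modelled as a dot product mod q and a product in G_T as a sum of
exponents.  Layout (8 coordinates standing in for the paper's 14):
    [ delta*(1,h) | X*(1,sigma_h) | 0, 0 | eta slot | phi slot ]
Constructed values: the toy prime Q and the alphabet table ALPHA."""
import random

Q = 2**61 - 1                       # toy prime standing in for the group order q

def rnd():
    return random.randrange(1, Q)   # element of F_q^x

def dot(x, y):
    return sum(a * b for a, b in zip(x, y)) % Q

# alphabet: symbol -> (index h, field element sigma_h); constructed values
ALPHA = {"a": (1, 0x61), "b": (2, 0x62), "c": (3, 0x63)}

class DFA:
    """transitions: list of (q_x, q_y, symbol); basic-scheme restriction:
    at most one transition per symbol."""
    def __init__(self, n_states, start, finals, transitions):
        self.n, self.q0, self.F, self.T = n_states, start, set(finals), transitions

def run_dfa(M, w):
    """State sequence q_{x_0}, ..., q_{x_l} of M on w, or None if M gets stuck."""
    table = {(qx, s): qy for (qx, qy, s) in M.T}
    states = [M.q0]
    for s in w:
        if (states[-1], s) not in table:
            return None
        states.append(table[(states[-1], s)])
    return states

def encrypt(M, m_exp):
    """Returns (C_M, d, xi).  m_exp stands for the message as an exponent of g_T."""
    d = [rnd() for _ in range(M.n)]          # d_x for every state q_x
    xi = rnd()
    ct = {"q0": M.q0, "C0": [d[M.q0], 0, xi, 0, rnd()],   # (d_0, 0, xi, 0, phi_0)
          "Cm": (m_exp + xi) % Q, "T": {}, "F": {}}       # C_m = m . g_T^xi
    for (qx, qy, sym) in M.T:
        h, sig = ALPHA[sym]
        s = rnd()                             # s_t
        def comp(X):                          # (delta(1,h), X(1,sigma_h), 0,0, 0, phi)
            delta = rnd()
            return [delta, delta * h % Q, X % Q, X * sig % Q, 0, 0, 0, rnd()]
        # C_{t,1}, C_{t,2}, C_{t,3} embed s_t + d_y, -s_t + d_x and s_t
        ct["T"][sym] = (qx, qy, comp(s + d[qy]), comp(-s + d[qx]), comp(s))
    for qz in M.F:
        ct["F"][qz] = [(-d[qz]) % Q, 0, 0, 0, rnd()]      # C_{z,4} = (-d_z, 0,0,0, phi_z)
    return ct, d, xi

def keygen(w):
    """Returns (SK_w, r) with r = (r_0, ..., r_l)."""
    r = [rnd() for _ in range(len(w) + 1)]
    sk = {"K0": [r[0], 0, 1, rnd(), 0],              # (r_0, 0, 1, eta_0, 0)
          "Ki": [], "Kl1": [r[-1], 0, 0, rnd(), 0]}  # K_{l+1,4} = (r_l, 0, 0, eta, 0)
    for i, sym in enumerate(w, start=1):
        h, sig = ALPHA[sym]
        theta = rnd()
        def comp(R):                          # (mu(h,-1), (R + theta sigma_h, -theta), 0,0, eta, 0)
            mu = rnd()
            return [mu * h % Q, -mu % Q, (R + theta * sig) % Q, -theta % Q, 0, 0, rnd(), 0]
        # K_{i,1}, K_{i,2}, K_{i,3} embed r_i, -r_{i-1} and -(r_i + r_{i-1})
        sk["Ki"].append((comp(r[i]), comp(-r[i - 1]), comp(-r[i] - r[i - 1])))
    return sk, r

def decrypt(ct, sk, w):
    """Returns (m_exp, [A_1, ..., A_l]) if the embedded DFA accepts w, else None."""
    a0 = dot(ct["C0"], sk["K0"])              # A_0 = r_0 d_0 + xi
    acc, state, chain = 0, ct["q0"], []
    for i, sym in enumerate(w):
        if sym not in ct["T"] or ct["T"][sym][0] != state:
            return None                       # no transition on w_i from the current state
        qx, qy, c1, c2, c3 = ct["T"][sym]
        k1, k2, k3 = sk["Ki"][i]
        # the three pairings sum to r_i d_y - r_{i-1} d_x; delta/mu and theta terms cancel
        acc = (acc + dot(c1, k1) + dot(c2, k2) + dot(c3, k3)) % Q
        chain.append(acc)                     # A_i = r_i d_{x_i} - r_0 d_0
        state = qy
    if state not in ct["F"]:
        return None                           # run ended in a non-final state
    acc = (acc + dot(ct["F"][state], sk["Kl1"])) % Q   # A_{l+1} = -r_0 d_0
    return (ct["Cm"] - a0 - acc) % Q, chain   # m = C_m / (A_0 . A_{l+1})
```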
If t_max and w_max are the bounds on the maximum number of times a symbol may repeat in the transitions of a DFA and in a string respectively, then the size of the new alphabet Σ_b will be t_max · w_max times the size of the old alphabet Σ. Indeed, for each symbol σ ∈ Σ, we have a matrix W_σ of order t_max × w_max of new symbols from Σ_b. Suppose M and w are respectively the DFA (to be embedded in the ciphertext) and an l-length string (for the key) over the alphabet Σ, without any restrictions on either the symbols or the transitions. Then this DFA M and string w are converted to a DFA N and a matrix W of order t_max × l over the new alphabet Σ_b. If the DFA M accepts w, there is exactly one string w_b, comprising exactly one symbol from each column of the matrix W, such that the DFA N accepts w_b. And if the DFA M rejects the string w, then for all possible strings w_b obtained by choosing exactly one symbol from each column of W, the DFA N rejects w_b.

1.2 Related Work

From the opening [SW05], many FE schemes [KSW08, SW08, OT09, Wat11, LW12, OT10, LOS+10, OT12b, LdP11] have been proposed focusing on several issues. But there are very few schemes [LW12, OT10, LOS+10, OT12b] that support wide functionalities and capture adaptive security in the standard model at the same time. The CP-ABE and KP-ABE schemes in [OT10, LOS+10, OT12b] are proven adaptively secure under a static assumption in the standard model, but the policies are restricted by imposing a bound on the degree. In [Ram13], similar kinds of restrictions are imposed on DFAs and strings to get adaptive security from static, non-standard assumptions over composite order bilinear groups. The above bounds diminish the performance of the scheme by increasing either the key size or the ciphertext size by a factor, or both. In contrast, there is no such imposition in the scheme of [LW12], but its adaptive security has to rely on a non-static assumption and some other assumptions.

2 Preliminaries

Basic notation, definitions and hardness assumptions are provided in this section. For the definition and security model of CP-FE for DFAs, refer to Appendix A.

Deterministic Finite Automaton. A deterministic finite automaton (DFA) M is a quintuple (Q, Σ, q_0, F, δ), where Q is a finite set of states, Σ is a set of symbols called the alphabet, q_0 ∈ Q is called the start state, F ⊆ Q is called the set of final states and the function δ : Q × Σ → Q is called the transition function.

Notation. Let T denote the set of all transitions t = (q_x, q_y, σ) of a DFA M = (Q, Σ, q_0, F, δ), where t = (q_x, q_y, σ) carries the meaning δ(q_x, σ) = q_y. L(M) stands for the language recognized by the DFA M. The notation [l] stands for the set {i ∈ N : 1 ≤ i ≤ l}. For a set X, x ←_R X denotes that x is randomly picked from X according to the distribution R. Likewise, x ← X indicates that x is uniformly selected from X. For a basis B := (b_1, ..., b_N), (x_1, ..., x_N)_B represents Σ_{i=1}^N x_i b_i. The vectors e_1 and e_2 stand for (1, 0) and (0, 1) respectively. Let F_q^× stand for F_q \ {0}.

2.1 Dual Pairing Vector Spaces

Symmetric prime order bilinear pairing groups are a tuple (q, G, G_T, e), where q is prime, G and G_T are cyclic groups of prime order q and e : G × G → G_T is an efficiently computable map such that
1. (Bilinear) ∀P_1, P_2 ∈ G, ∀a, b ∈ F_q, e(aP_1, bP_2) = e(P_1, P_2)^{ab},
2. (Non-degenerate) ∃P ∈ G such that e(P, P) has order q in G_T.
Let G_bpg denote an algorithm that takes κ as input parameter and generates a description of a prime order bilinear pairing param_G := (q, G, G_T, P, e).

Definition 2.1 ([OT12b]). Dual Pairing Vector Spaces (DPVS) (q, V, G_T, A, e) is defined as a direct product over symmetric prime-order pairing groups (q, G, G_T, P, e), where
- V := G × ... × G (N copies) is an N-dimensional vector space over F_q,
- G_T is a cyclic group of order q (as in the pairing),
- A := (a_1, ..., a_N) is the canonical basis of V with a_i = (0, ..., 0, P, 0, ..., 0) (P in the i-th position),
- e : V × V → G_T is a bilinear map defined by e(x, y) = Π_{i=1}^N e(x_i, y_i), where x := (x_1, ..., x_N) ∈ V and y := (y_1, ..., y_N) ∈ V.
Let G_dpvs denote an algorithm that takes κ, a dimension N and param_G as input and outputs a description of a dual pairing vector space param_V := (q, V, G_T, A, e). To construct our encryption system based on DPVS, we need dual orthogonal bases for a DPVS. Let G_ob denote the dual orthogonal basis generator.

G_ob(κ, N_0, N_1, N_2, N_3, N_4):
  param_G := (q, G, G_T, P, e) ← G_bpg(κ), ψ ← F_q^×,
  For t = 0, ..., 4:
    param_{V_t} := (q, V_t, G_T, A_t, e) ← G_dpvs(κ, N_t, param_G),
    X_t := (X_{t,i,j})_{i,j=1,...,N_t} ← GL(N_t, F_q), X_t^* := (Y_{t,i,j})_{i,j=1,...,N_t} := ψ · (X_t^T)^{−1} ∈ GL(N_t, F_q),
      where X_{t,i} and Y_{t,i} respectively denote the i-th row vector of X_t and X_t^* for i = 1, ..., N_t,
    b_{t,i} := (X_{t,i})_{A_t} = Σ_{j=1}^{N_t} X_{t,i,j} a_{t,j} for i = 1, ..., N_t, B_t := (b_{t,1}, ..., b_{t,N_t}),
    b*_{t,i} := (Y_{t,i})_{A_t} = Σ_{j=1}^{N_t} Y_{t,i,j} a_{t,j} for i = 1, ..., N_t, B*_t := (b*_{t,1}, ..., b*_{t,N_t}),
  g_T := e(P, P)^ψ, param := ({param_{V_t}}_{t=0,1,...,4}, ψP, g_T),
  return (param, {B_t, B*_t}_{t=0,1,...,4}).

2.2 Hardness Assumptions

We describe here two Decisional SubSpace (DSS) assumptions, DSS1 and DSS2, in dual pairing vector spaces over prime order groups. We show that both assumptions hold if the DLIN assumption holds in the source groups. The assumption DSS1 (resp. DSS2) is obtained by taking two parallel copies of a 5-dimensional vector and three parallel copies of a 14-dimensional vector from assumption 1-ABE (resp. 2-ABE) of [OT12b]. (Here, 1-ABE (resp. 2-ABE) is an assumption weaker than DSS1 (resp. DSS2).) But some of the scalars of interest are the same for each

copy and some are independent for different copies. Due to this independence, we are unable to reduce DSS1 (resp. DSS2) from 1-ABE (resp. 2-ABE). Although the approach for obtaining reductions of 1-ABE and 2-ABE from DLIN is adapted from [OT12b], we modify some of the intermediate basic problems to modified basic problems. A brief reduction of DSS1 and DSS2 from DLIN is given in Appendix B.

Assumption: Decisional Linear (DLIN). Define the following distribution:
  param_G := (q, G, G_T, P, e) ← G_bpg(κ), ξ, λ, δ, σ ← F_q,
  D := (param_G, ξP, λP, δξP, σλP), T_0 := (δ + σ)P, T_1 := ρP with ρ ← F_q (i.e., T_1 is uniform in G).
Now, the advantage of an algorithm A in breaking Assumption DLIN is defined by
  Adv^{DLIN}_A(κ) = |Pr[A(D, T_0) = 1] − Pr[A(D, T_1) = 1]|.
We say that the DLIN assumption holds if for every PPT algorithm A, the advantage Adv^{DLIN}_A(κ) is a negligible function in the security parameter κ.

Assumption DSS1. Choose φ_0, φ_4, ω ← F_q and τ ← F_q^×. Also choose Z^1_h, Z^2_h, Z^3_h ← GL(2, F_q) for h = 1, ..., d.
  (param, (B_0, B*_0), (B_1, B*_1), (B_2, B*_2), (B_3, B*_3), (B_4, B*_4)) ← G_ob(κ, 5, 14, 14, 14, 5),
  B̂_j := (b_{j,1}, b_{j,3}, b_{j,5}), B̂*_j := (b*_{j,1}, b*_{j,3}, b*_{j,4}) for j = 0, 4,
  B̂_j := (b_{j,1}, ..., b_{j,4}, b_{j,13}, b_{j,14}), B̂*_j := (b*_{j,1}, ..., b*_{j,4}, b*_{j,11}, b*_{j,12}) for j = 1, 2, 3,
  e^j_0 := (ω, 0, 0, 0, φ_j)_{B_j}, e^j_1 := (ω, τ, 0, 0, φ_j)_{B_j} for j = 0, 4,
  For h = 1, ..., d, i = 1, 2, j = 1, 2, 3, choose δ^j_{h,i}, φ^j_{h,i,1}, φ^j_{h,i,2} ← F_q and set
    e^j_{0,h,i} := (δ^j_{h,i}(1, h), ω e_i, 0^2, 0^2, 0^2, 0^2, φ^j_{h,i,1}, φ^j_{h,i,2})_{B_j},
    e^j_{1,h,i} := (δ^j_{h,i}(1, h), ω e_i, τ e_i, 0^2, τ e_i Z^j_h, 0^2, φ^j_{h,i,1}, φ^j_{h,i,2})_{B_j},
  D := (param, {B̂_j, B̂*_j}_{j=0,1,...,4}).
For β = 0, 1, define T_β := ({e^j_β}_{j=0,4}, {e^j_{β,h,i}}_{h=1,...,d; i=1,2; j=1,2,3}). Now, the advantage of an algorithm A in breaking Assumption DSS1 is defined by
  Adv^{DSS1}_A(κ) = |Pr[A(D, T_0) = 1] − Pr[A(D, T_1) = 1]|.
We say that the DSS1 assumption holds if for every PPT algorithm A, the advantage Adv^{DSS1}_A(κ) is a negligible function in the security parameter κ.

Lemma 2.1. If the decisional linear (DLIN) assumption holds for a bilinear pairing group generator G_bpg, then the decisional subspace assumption DSS1 also holds for G_bpg.
Proof. The proof of Lemma 2.1 is found in Appendix B.1 (Lemma B.3).

Assumption DSS2. Choose φ_0, φ_4, η_0, η_4, ζ, ω ← F_q and τ, ρ ← F_q^×. Also choose Z^1_h, Z^2_h, Z^3_h ← GL(2, F_q) and set U^j_h := ((Z^j_h)^{−1})^T for h = 1, ..., d, j = 1, 2, 3.
  (param, (B_0, B*_0), (B_1, B*_1), (B_2, B*_2), (B_3, B*_3), (B_4, B*_4)) ← G_ob(κ, 5, 14, 14, 14, 5),
  B̂_j := (b_{j,1}, b_{j,3}, b_{j,5}), B̂*_j := (b*_{j,1}, ..., b*_{j,4}) for j = 0, 4,
  B̂_j := (b_{j,1}, ..., b_{j,4}, b_{j,13}, b_{j,14}), B̂*_j := (b*_{j,1}, ..., b*_{j,4}, b*_{j,11}, b*_{j,12}) for j = 1, 2, 3,
  Υ^j := (ω, τ, 0, 0, φ_j)_{B_j}, Υ^j_0 := (ζ, 0, 0, η_j, 0)_{B*_j}, Υ^j_1 := (ζ, ρ, 0, η_j, 0)_{B*_j} for j = 0, 4,
  For h = 1, ..., d, i = 1, 2, j = 1, 2, 3, choose μ^j_{h,i}, δ^j_{h,i}, η^j_{h,i,1}, η^j_{h,i,2}, φ^j_{h,i,1}, φ^j_{h,i,2} ← F_q and set
    Υ^j_{0,h,i} := (μ^j_{h,i}(h, −1), ζ e_i, 0^2, 0^2, 0^2, η^j_{h,i,1}, η^j_{h,i,2}, 0^2)_{B*_j},
    Υ^j_{1,h,i} := (μ^j_{h,i}(h, −1), ζ e_i, 0^2, 0^2, ρ e_i U^j_h, η^j_{h,i,1}, η^j_{h,i,2}, 0^2)_{B*_j},
    e^j_{h,i} := (δ^j_{h,i}(1, h), ω e_i, τ e_i, 0^2, τ e_i Z^j_h, 0^2, φ^j_{h,i,1}, φ^j_{h,i,2})_{B_j},
  D := (param, {B̂_j, B̂*_j}_{j=0,1,...,4}, {Υ^j}_{j=0,4}, {e^j_{h,i}}_{h=1,...,d; i=1,2; j=1,2,3}).
For β = 0, 1, define T_β := ({Υ^j_β}_{j=0,4}, {Υ^j_{β,h,i}}_{h=1,...,d; i=1,2; j=1,2,3}). Now, the advantage of an algorithm A in breaking Assumption DSS2 is defined by
  Adv^{DSS2}_A(κ) = |Pr[A(D, T_0) = 1] − Pr[A(D, T_1) = 1]|.
We say that the DSS2 assumption holds if for every PPT algorithm A, the advantage Adv^{DSS2}_A(κ) is a negligible function in the security parameter κ.

Lemma 2.2. If the decisional linear (DLIN) assumption holds for a bilinear pairing group generator G_bpg, then the decisional subspace assumption DSS2 also holds for G_bpg.
Proof. The proof of Lemma 2.2 is found in Appendix B.2 (Lemma B.18).

3 Basic CP-FE Construction

In this section, we describe a basic Ciphertext-Policy Functional Encryption scheme for DFAs in prime order bilinear pairing groups. This scheme is based on the structure of the ABE construction of [OT12b], where encryption is done using the bases of a dual pairing vector space and the keys are generated by its dual. In their basic construction ([OT12b]), they restricted the access structures by putting the limitation that the attributes must not repeat in the access structures. This type of restriction is required to guarantee the adaptive security of the basic construction. Similarly, our basic construction has the following restrictions (similar to [Ram13]):
1. There is at most a single transition corresponding to each symbol in the DFAs (policies).
2. The strings for keys can have at most a single occurrence of each symbol (keys).
We illustrate how to relax the above restrictions in Section 5.

Setup(κ):
  (param, (B_0, B*_0), (B_1, B*_1), (B_2, B*_2), (B_3, B*_3), (B_4, B*_4)) ← G_ob(κ, 5, 14, 14, 14, 5),
  B̂_j := (b_{j,1}, b_{j,3}, b_{j,5}), B̂*_j := (b*_{j,1}, b*_{j,3}, b*_{j,4}) for j = 0, 4,
  B̂_j := (b_{j,1}, ..., b_{j,4}, b_{j,13}, b_{j,14}), B̂*_j := (b*_{j,1}, ..., b*_{j,4}, b*_{j,11}, b*_{j,12}) for j = 1, 2, 3.

  Choose an alphabet of symbols Σ = {σ_1, ..., σ_d} ⊂ F_q, where d = poly(κ). The public parameters and master secret are given by PP := (Σ, param, {B̂_j}_{j=0,1,2,3,4}), MSK := ({B̂*_j}_{j=0,1,2,3,4}).

Encrypt(PP, M = (Q, Σ, q_0, F, δ), m):
  For each q_x ∈ Q, pick d_x ← F_q^×. For each q_z ∈ F, choose φ_z ← F_q^×. Pick random ξ, φ_0 ← F_q. For each transition t = (q_x, q_y, σ_h), choose s_t, δ_{t,1}, δ_{t,2}, δ_{t,3} ← F_q^× and φ_{t,1}, φ_{t,2}, φ_{t,3} ← F_q. Now compute
    C_0 := (d_0, 0, ξ, 0, φ_0)_{B_0},
    C_m := m · g_T^ξ.
  For each transition t = (q_x, q_y, σ_h), compute the ciphertext components
    C_{t,1} := (δ_{t,1}(1, h), (s_t + d_y)(1, σ_h), 0^9, φ_{t,1})_{B_1},
    C_{t,2} := (δ_{t,2}(1, h), (−s_t + d_x)(1, σ_h), 0^9, φ_{t,2})_{B_2},
    C_{t,3} := (δ_{t,3}(1, h), s_t(1, σ_h), 0^9, φ_{t,3})_{B_3}.
  For each q_z ∈ F, compute the ciphertext component
    C_{z,4} := (−d_z, 0, 0, 0, φ_z)_{B_4}.
  C_M := (M, C_m, C_0, {C_{t,1}, C_{t,2}, C_{t,3}}_{t=(q_x,q_y,σ_h)}, {C_{z,4}}_{q_z∈F}).

KeyGen(MSK, w = w_1 ... w_l):
  For each i ∈ [l], choose μ_{i,1}, μ_{i,2}, μ_{i,3}, θ_i, r_i ← F_q^× and η_{i,1}, η_{i,2}, η_{i,3} ← F_q. Pick r_0, η_0, η_{l+1} ← F_q^×. Now compute
    K_0 := (r_0, 0, 1, η_0, 0)_{B*_0}.
  For each i ∈ [l] (let w_i = σ_h for some index h), continue to compute
    K_{i,1} := (μ_{i,1}(h, −1), (r_i + θ_i σ_h, −θ_i), 0^6, η_{i,1}, 0^3)_{B*_1},
    K_{i,2} := (μ_{i,2}(h, −1), (−r_{i−1} + θ_i σ_h, −θ_i), 0^6, η_{i,2}, 0^3)_{B*_2},
    K_{i,3} := (μ_{i,3}(h, −1), (−r_i − r_{i−1} + θ_i σ_h, −θ_i), 0^6, η_{i,3}, 0^3)_{B*_3},
    K_{l+1,4} := (r_l, 0, 0, η_{l+1}, 0)_{B*_4}.
  The secret key for the string w is given by SK_w := (w, K_0, {K_{i,1}, K_{i,2}, K_{i,3}}_{i∈[l]}, K_{l+1,4}).

Decrypt(C_M, SK_w):
  Suppose the DFA M accepts the string w = w_1 ... w_l; then there exists a sequence of l + 1 states q_{x_0}, q_{x_1}, q_{x_2}, ..., q_{x_l} and transitions t_1, ..., t_l, where x_0 = 0 and q_{x_l} ∈ F, and for i = 1, 2, ..., l we have t_i = (q_{x_{i−1}}, q_{x_i}, σ) with w_i = σ.
  First, compute the initial value A_0 = e(C_0, K_0) = g_T^{r_0 d_0 + ξ}.
  Then, compute the first intermediate value A_1 = e(C_{t_1,1}, K_{1,1}) · e(C_{t_1,2}, K_{1,2}) · e(C_{t_1,3}, K_{1,3}) = g_T^{r_1 d_{x_1} − r_0 d_0}.
  Next, compute the intermediate values A_i (for i = 2, ..., l) as follows:
    A_i = A_{i−1} · e(C_{t_i,1}, K_{i,1}) · e(C_{t_i,2}, K_{i,2}) · e(C_{t_i,3}, K_{i,3}) = g_T^{r_{i−1} d_{x_{i−1}} − r_0 d_0} · g_T^{r_i d_{x_i} − r_{i−1} d_{x_{i−1}}} = g_T^{r_i d_{x_i} − r_0 d_0}.

  Similarly, the l-th intermediate value is obtained in the form A_l = g_T^{r_l d_{x_l} − r_0 d_0}.
  The final value A_{l+1} is computed as A_{l+1} = A_l · e(C_{x_l,4}, K_{l+1,4}) = g_T^{r_l d_{x_l} − r_0 d_0} · g_T^{−r_l d_{x_l}} = g_T^{−r_0 d_0}.
  Using A_0, A_{l+1} and C_m, the message is extracted as m = C_m / (A_0 · A_{l+1}).

4 Security Proof

We prove the adaptive security of our basic CP-FE construction by adopting the proof technique of Okamoto-Takashima [OT12b] and the dual system methodology of Brent Waters [Wat09]. This methodology requires defining semi-functional ciphertexts and keys. Here, we define two types of semi-functional ciphertexts, viz., type 1 and type 2. Three forms of semi-functional keys are considered here: type 1, type 2 and type 3. In the sequence of games, the challenge ciphertext is first changed from normal to semi-functional type 1. Then each queried key is changed from normal to semi-functional type 1, then from semi-functional type 1 to type 2 and lastly from semi-functional type 2 to type 3. In the final game, the semi-functional type 1 ciphertext is changed to a semi-functional type 2 ciphertext, where the message is masked by an independently and uniformly chosen value. In the following material, the part framed by a box indicates that either it will be changed in the next description or it has been changed from the previous description. Also, we use the abbreviation sf for semi-functional.

Semi-functional Type 1 Ciphertext. For each q_x ∈ Q, pick d̂_x ← F_q^×. For each transition t = (q_x, q_y, σ_h), choose ŝ_t ← F_q^× and Z^1_h, Z^2_h, Z^3_h ← GL(2, F_q). The sf-type 1 ciphertext is obtained by modifying the normal ciphertext C_M = (M, C_m, C_0, {C_{t,1}, C_{t,2}, C_{t,3}}_{t=(q_x,q_y,σ_h)}, {C_{z,4}}_{q_z∈F}) as given below:
    C_0 := (d_0, d̂_0, ξ, 0, φ_0)_{B_0},
    C_m := m · g_T^ξ,
    C_{t,1} := (δ_{t,1}(1, h), (s_t + d_y)(1, σ_h), (ŝ_t + d̂_y)(1, σ_h), 0^2, (ŝ_t + d̂_y)(1, σ_h) Z^1_h, 0^3, φ_{t,1})_{B_1},
    C_{t,2} := (δ_{t,2}(1, h), (−s_t + d_x)(1, σ_h), (−ŝ_t + d̂_x)(1, σ_h), 0^2, (−ŝ_t + d̂_x)(1, σ_h) Z^2_h, 0^3, φ_{t,2})_{B_2},
    C_{t,3} := (δ_{t,3}(1, h), s_t(1, σ_h), ŝ_t(1, σ_h), 0^2, ŝ_t(1, σ_h) Z^3_h, 0^3, φ_{t,3})_{B_3},
    C_{z,4} := (−d_z, −d̂_z, 0, 0, φ_z)_{B_4}.

Semi-functional Type 2 Ciphertext. This is the same as the sf-type 1 ciphertext except for the following:
    C_0 := (d_0, d̂_0, ξ, 0, φ_0)_{B_0},
    C_m := m · g_T^{ξ'}, where ξ' ← F_q^× (independent of ξ ← F_q).

Semi-functional Type 1 Key. For each i ∈ [l], choose r̂_i, θ̂_i ← F_q^×. Also choose r̂_0 ← F_q^×. For i ∈ [l], let w_i = σ_h for some index h; choose Z^j_h ← GL(2, F_q) for j = 1, 2, 3 and set U^j_h := ((Z^j_h)^{−1})^T. The sf-type 1 key generation algorithm first creates a normal key SK_w = (w, K_0, {K_{i,1}, K_{i,2}, K_{i,3}}_{i∈[l]}, K_{l+1,4}) and then modifies its components as shown below.
    K_0 := (r_0, r̂_0, 1, η_0, 0)_{B*_0},
    K_{i,1} := (μ_{i,1}(h, −1), (r_i + θ_i σ_h, −θ_i), 0^4, (r̂_i + θ̂_i σ_h, −θ̂_i) U^1_h, η_{i,1}, 0^3)_{B*_1},
    K_{i,2} := (μ_{i,2}(h, −1), (−r_{i−1} + θ_i σ_h, −θ_i), 0^4, (−r̂_{i−1} + θ̂_i σ_h, −θ̂_i) U^2_h, η_{i,2}, 0^3)_{B*_2},

    K_{i,3} := (μ_{i,3}(h, −1), (−r_i − r_{i−1} + θ_i σ_h, −θ_i), 0^4, (−r̂_i − r̂_{i−1} + θ̂_i σ_h, −θ̂_i) U^3_h, η_{i,3}, 0^3)_{B*_3},
    K_{l+1,4} := (r_l, r̂_l, 0, η_{l+1}, 0)_{B*_4}.

Semi-functional Type 2 Key. This is the same as the sf-type 1 key except for K_0:
    K_0 := (r_0, r̂, 1, η_0, 0)_{B*_0}, where r̂ ← F_q (independent of r̂_0 ← F_q^×).
Note that r̂_0 still appears in K_{1,2} and K_{1,3}.

Semi-functional Type 3 Key. This is the same as the normal key except for K_0:
    K_0 := (r_0, r̂, 1, η_0, 0)_{B*_0}, where r̂ ← F_q.

A legitimate normal key (resp. sf-type 1 key, sf-type 2 key, sf-type 3 key) SK_w can extract the message from an sf-type 1 ciphertext (resp. normal ciphertext) C_M. Similarly, a legitimate sf-type 1 key SK_w can succeed in decrypting an sf-type 1 ciphertext C_M, because the mimicked parts get canceled just like the normal components. But if a legitimate sf-type 2 key or sf-type 3 key SK_w runs decryption on an sf-type 1 ciphertext C_M, it will get an extra term g_T^{r̂ d̂_0} hampering the message extraction.

Theorem 4.1. The proposed basic CP-FE scheme is adaptively secure under the DLIN assumption.

Proof Sketch of Theorem 4.1. The proof technique of the above theorem is adopted from that of the ABE of Okamoto-Takashima [OT12b]. By applying hybrid arguments over the sequence of games Game_Real, Game_0, {Game_{k,1}, Game_{k,2}, Game_{k,3}}_{k∈[ν]} and Game_Final, the game Game_Real is changed to Game_Final. In Game_0, the challenge ciphertext is changed from normal to sf-type 1. If there are at most ν secret key queries made by an adversary, there are 3ν game changes from Game_0 (Game_{0,3}), Game_{1,1}, Game_{1,2}, Game_{1,3} through Game_{ν,2} and Game_{ν,3}. In Game_{k,1} (for 1 ≤ k ≤ ν), the challenge ciphertext is sf-type 1, the first (k − 1) keys are sf-type 3, the k-th key is sf-type 1 and the rest are normal. Game_{k,2} (for 1 ≤ k ≤ ν) is the same as Game_{k,1} except that the k-th key is sf-type 2. Game_{k,3} (for 1 ≤ k ≤ ν) is the same as Game_{k,2} except that the k-th key is sf-type 3. Game_Final is similar to Game_{ν,3} except that the challenge ciphertext is an sf-type 2 ciphertext, i.e., in Game_Final the challenge message is masked with a uniformly and independently chosen value, implying that A has no advantage in breaking the final game. We prove that the gap in advantage between any two consecutive games is at most negligible. In Lemma 4.2, we show that the advantage gap between Game_Real and Game_0 is bounded by that of DSS1: we establish a PPT simulator B for Game_Real and Game_0 against a PPT adversary A. The simulator B takes an instance of DSS1 (with β ∈ {0, 1}) and simulates either Game_Real or Game_0 for the adversary A. We show that the distribution of secret keys and challenge ciphertext returned by B is equivalent to Game_Real (resp. Game_0) if β = 0 (resp. β = 1). In Lemma 2.1, we prove that assumption DSS1 holds for a bilinear pairing group if the DLIN assumption holds for the same pairing group. Therefore, Game_Real and Game_0 are indistinguishable under the DLIN assumption. This shows that the normal ciphertext and the sf-type 1 ciphertext are indistinguishable under the DLIN assumption. Similarly, in Lemma 4.3, we show that the advantage gap between Game_{(k−1),3} and Game_{k,1} is bounded by the advantage of DSS2. Likewise, in Lemma 2.2, we prove that assumption DSS2 holds for a bilinear pairing group if the DLIN assumption holds for the same pairing group. Thus, Game_{(k−1),3} and Game_{k,1} are indistinguishable if the DLIN assumption holds. In other words, it shows that the k-th normal key and the k-th sf-type 1 key are indistinguishable if the DLIN assumption holds. Then, we show that the gap in advantage between Game_{k,1} and Game_{k,2} is zero (without any assumption) (Lemma 4.4): the distribution of (PP, {SK_{w_ι}}_{ι=1,...,ν}, C_M) in Game_{k,1} and that in Game_{k,2} are exactly the same except at the k-th key, where w_ι is the ι-th query string. So, we have to show that the joint distribution of the k-th key SK_{w_k} and the challenge

ciphertext in both games are equivalent. In Lemma 4.4, we basically show that the scalar r̂_0 in K_0 of the k-th key SK_{w_k} (described in the definition of the sf-type 1 key) is uniformly and independently distributed from the other variables in the joint distribution of A's view. This shows that the distribution of the k-th sf-type 1 key and that of the k-th sf-type 2 key are indistinguishable by any polynomial time adversary. In a similar manner, we show that the advantage gap between Game_{k,2} and Game_{k,3} is bounded by the advantage of a DSS2 adversary (Lemma 4.5). This implies that the k-th sf-type 2 key and the k-th sf-type 3 key are indistinguishable under DSS2. Finally, we show that Game_{ν,3} and Game_Final are indistinguishable (without any assumption) (Lemma 4.6). In Lemma 4.6, we first apply a suitable transformation to form new bases (D_0, D*_0) from the original bases (B_0, B*_0). Then we show that the distribution of keys and ciphertext over (B_0, B*_0) (resp. (D_0, D*_0)) is identical with Game_{ν,3} (resp. Game_Final).

Proof. The security proof consists of a hybrid argument over a sequence of 3ν + 3 games. The games are defined below:
- Game_0 (Game_{0,3}) is just like Game_Real except that the challenge ciphertext is an sf-type 1 ciphertext.
- In Game_{k,1} (for 1 ≤ k ≤ ν), the challenge ciphertext is sf-type 1, the first k − 1 keys returned to the adversary are sf-type 3, the k-th key is sf-type 1 and the rest are normal.
- In Game_{k,2} (for 1 ≤ k ≤ ν), the challenge ciphertext is sf-type 1, the first k − 1 keys returned to the adversary are sf-type 3, the k-th key is sf-type 2 and the rest are normal.
- In Game_{k,3} (for 1 ≤ k ≤ ν), the challenge ciphertext is sf-type 1, the first k keys returned to the adversary are sf-type 3 and the rest are normal.
- Game_Final is similar to Game_{ν,3} except that now the challenge ciphertext is an sf-type 2 ciphertext.
Let Adv^Real_A(κ), Adv^0_A(κ), Adv^{k,1}_A(κ), Adv^{k,2}_A(κ), Adv^{k,3}_A(κ) and Adv^Final_A(κ) denote the advantages of an adversary A in Game_Real, Game_0, Game_{k,1}, Game_{k,2}, Game_{k,3} and Game_Final for 1 ≤ k ≤ ν respectively. In Game_Final, the value of b is independent of the adversary's view, implying that Adv^Final_A(κ) = 0. Using Lemmas 4.2, 4.3, 4.4, 4.5 and 4.6, we have the following inequalities:
  Adv^{CP-FE}_A(κ) = Adv^Real_A(κ)
    ≤ |Adv^Real_A(κ) − Adv^0_A(κ)| + Σ_{k=1}^ν (|Adv^{k−1,3}_A(κ) − Adv^{k,1}_A(κ)| + |Adv^{k,1}_A(κ) − Adv^{k,2}_A(κ)| + |Adv^{k,2}_A(κ) − Adv^{k,3}_A(κ)|) + |Adv^{ν,3}_A(κ) − Adv^Final_A(κ)|
    ≤ Adv^{DSS1}_A(κ) + ν(Adv^{DSS2}_A(κ) + 2/q + Adv^{DSS2}_A(κ) + 2/q) + 1/q
    ≤ Adv^{DSS1}_A(κ) + 2ν · Adv^{DSS2}_A(κ) + (4ν + 1)/q.
The final conclusion follows from Lemmas 2.1 and 2.2.

Lemma 4.2. Game_Real and Game_0 are indistinguishable under the DSS1 assumption. That is, |Adv^Real_A(κ) − Adv^0_A(κ)| ≤ Adv^{DSS1}_A(κ). The proof is in Appendix A.3.

Lemma 4.3. Game_{(k−1),3} and Game_{k,1} are indistinguishable under the DSS2 assumption. That is, |Adv^{k−1,3}_A(κ) − Adv^{k,1}_A(κ)| ≤ Adv^{DSS2}_A(κ) + 2/q for 1 ≤ k ≤ ν. The proof can be found in Appendix A.4.

Lemma 4.4. Game_{k,1} and Game_{k,2} are indistinguishable. That is, Adv^{k,1}_A(κ) = Adv^{k,2}_A(κ) for 1 ≤ k ≤ ν. In both games, Game_{k,1} and Game_{k,2} (for 1 ≤ k ≤ ν), the matrices Z^j_h in the sf-type 1 ciphertext and the matrices U^j_h in the sf-type 1 key (resp. sf-type 2 key) of Game_{k,1} (resp. Game_{k,2}) are related by U^j_h = ((Z^j_h)^{−1})^T for j = 1, 2, 3.

Refer to Appendix A.5 for the proof.

Lemma 4.5. $\mathsf{Game}_{k,2}$ and $\mathsf{Game}_{k,3}$ are indistinguishable under the DSS2 assumption. That is, $\left|\mathsf{Adv}^{k,2}_{\mathcal{A}}(\kappa) - \mathsf{Adv}^{k,3}_{\mathcal{A}}(\kappa)\right| \le \mathsf{Adv}^{DSS2}(\kappa) + 2/q$ for $1 \le k \le \nu$. For the proof, see Appendix A.6.

Lemma 4.6. $\mathsf{Game}_{\nu,3}$ and $\mathsf{Game}_{Final}$ are indistinguishable. That is, $\left|\mathsf{Adv}^{Final}_{\mathcal{A}}(\kappa) - \mathsf{Adv}^{\nu,3}_{\mathcal{A}}(\kappa)\right| \le 1/q$. The proof is described in Appendix A.7.

5 Full CP-FE Construction

In this section, we illustrate our full CP-FE construction for finite languages over an alphabet $\Sigma$ accepted by a DFA. The size of the language accepted by a DFA may be infinite (unbounded), but our system supports only a bounded number of users, by restricting the size of strings. Let $w_{max}$ be a bound on the maximum number of times a symbol may repeat in a string; this bound automatically restricts the size of strings. Let $\mathsf{Trans}_\sigma = \{(q_x, q_y, \sigma_h) \in T : \sigma_h = \sigma\}$ for $\sigma \in \Sigma$. We also assume that for each symbol $\sigma \in \Sigma$, $|\mathsf{Trans}_\sigma|$ is bounded by $t_{max}$, i.e., each symbol may repeat in the transitions of a DFA $M$ at most $t_{max}$ times. These bounds are fixed during setup.

Suppose we are interested in a full CP-FE construction for DFAs over a fixed alphabet $\Sigma$. Then this full construction is obtained from the basic construction over a new alphabet $\Sigma_b$, where $\Sigma_b = \{\sigma^\iota_\varsigma = \Lambda(\sigma, \varsigma, \iota) : \sigma \in \Sigma,\ \varsigma \in [t_{max}],\ \iota \in [w_{max}]\}$ and $\Lambda : \Sigma \times [t_{max}] \times [w_{max}] \to \mathbb{F}_q$ is an injective function; i.e., $\Sigma_b$ can be thought of as a collection of $t_{max} \cdot w_{max}$ copies of each symbol $\sigma$ in $\Sigma$. Therefore, for each symbol $\sigma \in \Sigma$, we have a matrix $W_\sigma$ of order $t_{max} \times w_{max}$, with $(\varsigma, \iota)$-entry $W_\sigma[\varsigma][\iota] = \sigma^\iota_\varsigma = \Lambda(\sigma, \varsigma, \iota)$. A string $w = w_1 \cdots w_l$ over $\Sigma$ is converted to a matrix $W$ of order $t_{max} \times l$ of symbols from $\Sigma_b$ by the following rule: for the $i$-th occurrence $w_i = \sigma$, the $i$-th column $W_i$ of the matrix $W$ is $(\sigma^i_1 = \Lambda(\sigma, 1, i), \ldots, \sigma^i_{t_{max}} = \Lambda(\sigma, t_{max}, i))$. (For each occurrence of a symbol $w_i = \sigma$ in $w$, we thus have $t_{max}$ copies of that symbol $\sigma$ in the $i$-th column of the matrix $W$.) Note that all the entries in $W$ are distinct.

A set of transitions $T$ of a DFA $M$ over $\Sigma$ is converted to a set of transitions $T_b$ for a DFA $N$ (satisfying the restrictions of the basic construction as stated in Section 3) over $\Sigma_b$ by the following rules: for each $\sigma \in \Sigma$, first transfer the set $\mathsf{Trans}_\sigma$ to another set $\mathsf{Trans}^E_\sigma$ by enumerating the symbol $\sigma$ in each transition of $\mathsf{Trans}_\sigma$. (All the transitions in $\mathsf{Trans}_\sigma$ have the common symbol $\sigma$, but in $\mathsf{Trans}^E_\sigma$, $\sigma$ is enumerated as $\sigma_\varsigma$ to make all copies of $\sigma$ distinct; seemingly, in $\mathsf{Trans}^E_\sigma$, all the transitions of $\mathsf{Trans}_\sigma$ are enumerated.) Then for each transition $t = (q_x, q_y, \sigma_\varsigma) \in \mathsf{Trans}^E_\sigma$, add the transitions $t_{\Lambda(\sigma,\varsigma,\iota)} = (q_x, q_y, \sigma^\iota_\varsigma)$ to $T_b$ for each $\iota \in [w_{max}]$. ($T_b$ is initially empty.) In other words, the above rules convert a DFA $M = (Q, \Sigma, q_0, F, \delta)$ to a restricted DFA $N = (Q, \Sigma_b, q_0, F, \delta_b)$. Note that if a string $w$ is in $L(M)$ over $\Sigma$, then there is exactly one string $w_b$, comprising exactly one symbol from each column of the matrix $W$, that is legitimate in $L(N)$ over $\Sigma_b$; otherwise, for all strings $w_b$ (obtained by picking exactly one symbol from each column of $W$), $w_b \notin L(N)$.

Setup($\kappa$): $(\mathsf{param}, (\mathbb{B}_0, \mathbb{B}_0^*), (\mathbb{B}_1, \mathbb{B}_1^*), (\mathbb{B}_2, \mathbb{B}_2^*), (\mathbb{B}_3, \mathbb{B}_3^*), (\mathbb{B}_4, \mathbb{B}_4^*)) \leftarrow \mathcal{G}_{ob}(1^\lambda, 5, 14, 14, 14, 5)$;
$\hat{\mathbb{B}}_j := (b_{j,1}, b_{j,3}, b_{j,5})$, $\hat{\mathbb{B}}^*_j := (b^*_{j,1}, b^*_{j,3}, b^*_{j,4})$ for $j = 0, 4$;
$\hat{\mathbb{B}}_j := (b_{j,1}, \ldots, b_{j,6}, b_{j,11}, b_{j,12})$, $\hat{\mathbb{B}}^*_j := (b^*_{j,1}, \ldots, b^*_{j,6}, b^*_{j,13}, b^*_{j,14})$ for $j = 1, 2, 3$.
Choose a set (alphabet) of symbols $\Sigma = \{\sigma_1, \ldots, \sigma_d\} \subset \mathbb{F}_q$, where $d = \mathrm{poly}(\kappa)$. The public parameters and master secret are given by $\mathsf{PP} := (\Sigma, \mathsf{param}, \{\hat{\mathbb{B}}_j\}_{j=0,1,2,3,4})$ and $\mathsf{MSK} := (\{\hat{\mathbb{B}}^*_j\}_{j=0,1,2,3,4})$.
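The two conversions of Section 5 (string to matrix $W$, DFA $M$ to restricted DFA $N$ over $\Sigma_b$) written out as an added example, not code from the paper; symbols of $\Sigma$ are modelled as small integers and $\Lambda$ as an integer mixed-radix encoding rather than a map into $\mathbb{F}_q$, and the sample DFA, `T_MAX`, `W_MAX` and all function names are constructed for this example. The last function checks the claim that exactly one candidate $w_b$ is accepted by $N$ when $M$ accepts $w$, and none otherwise.

```python
from itertools import product


def Lambda(sigma, vs, iota, t_max, w_max):
    """Injective map Λ : Σ x [t_max] x [w_max] -> Σ_b (mixed-radix encoding; assumption)."""
    assert 1 <= vs <= t_max and 1 <= iota <= w_max
    return (sigma * t_max + (vs - 1)) * w_max + (iota - 1)


def to_matrix(w, t_max, w_max):
    """String w = w_1 ... w_l -> matrix W of order t_max x l.
    Column i holds the t_max copies Λ(w_i, 1, i), ..., Λ(w_i, t_max, i) of w_i.
    The rule indexes Λ by the position i, so l must not exceed w_max."""
    l = len(w)
    if l > w_max:
        raise ValueError("string position exceeds w_max")
    return [[Lambda(w[i], vs, i + 1, t_max, w_max) for i in range(l)]
            for vs in range(1, t_max + 1)]


def restrict_dfa(dfa, t_max, w_max):
    """DFA M = (Q, Σ, q0, F, T) with transition triples (q_x, q_y, σ) ->
    restricted DFA N = (Q, q0, F, T_b) over Σ_b (the two rules of Section 5)."""
    Q, Sigma, q0, F, T = dfa
    T_b = set()
    for sigma in Sigma:
        # Trans_σ: every transition of M labelled σ (sorted to fix the enumeration)
        trans_sigma = sorted(t for t in T if t[2] == sigma)
        if len(trans_sigma) > t_max:
            raise ValueError(f"symbol {sigma} occurs in more than t_max transitions")
        # Trans^E_σ: the ς-th transition gets the enumerated label σ_ς, and is
        # then copied once per ι in [w_max] with the label Λ(σ, ς, ι)
        for vs, (qx, qy, _) in enumerate(trans_sigma, start=1):
            for iota in range(1, w_max + 1):
                T_b.add((qx, qy, Lambda(sigma, vs, iota, t_max, w_max)))
    return (Q, q0, F, T_b)


def accepts(q0, F, T, word):
    """Run a (partial) DFA given by transition triples; accept iff the run ends in F."""
    delta = {(qx, sym): qy for qx, qy, sym in T}
    q = q0
    for sym in word:
        if (q, sym) not in delta:
            return False
        q = delta[(q, sym)]
    return q in F


def candidate_strings(W):
    """All strings w_b over Σ_b obtained by picking one symbol from each column of W."""
    columns = [[row[i] for row in W] for i in range(len(W[0]))]
    return [tuple(c) for c in product(*columns)]


def count_accepted_candidates(dfa, w, t_max, w_max):
    """Number of candidate strings w_b in L(N): the paper's claim is that this
    equals 1 when M accepts w and 0 otherwise."""
    Q, q0, F, T_b = restrict_dfa(dfa, t_max, w_max)
    W = to_matrix(w, t_max, w_max)
    return sum(accepts(q0, F, T_b, wb) for wb in candidate_strings(W))


# Constructed sample DFA over Σ = {a, b} encoded as {0, 1}; state 2 is the only
# final state and the symbol a occurs in three transitions, so t_max must be >= 3.
A, B = 0, 1
SAMPLE_DFA = (
    {0, 1, 2},                                                # Q
    {A, B},                                                   # Σ
    0,                                                        # q_0
    {2},                                                      # F
    {(0, 1, A), (1, 1, A), (1, 2, B), (2, 2, B), (2, 0, A)},  # T
)
T_MAX, W_MAX = 3, 4

if __name__ == "__main__":
    for w in [(A, A, B), (A, B, B), (A, B, A), (B, A)]:
        print(w, accepts(0, {2}, SAMPLE_DFA[4], w),
              count_accepted_candidates(SAMPLE_DFA, w, T_MAX, W_MAX))
```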

Remark: $\Sigma_b$ is not given in $\mathsf{PP}$, since it can be computed using the public function $\Lambda : \Sigma \times [t_{max}] \times [w_{max}] \to \mathbb{F}_q$. The variable $h$ appearing in key and ciphertext indicates the index of the symbol $\Lambda(\sigma, \varsigma, \iota)$ in $\Sigma_b$.

Encrypt($\mathsf{PP}$, $M = (Q, \Sigma, q_0, F, \delta)$, $m$): First, obtain the restricted DFA $N = (Q, \Sigma_b, q_0, F, \delta_b)$ from the given DFA $M$ by applying the above rules. Let $T_b$ be the set of transitions for $\delta_b$. For each $q_x \in Q$, pick $d_x \in \mathbb{F}_q$. For each $q_z \in F$, choose $\varphi_z \in \mathbb{F}_q$. For each transition $t_{\Lambda(\sigma,\varsigma,\iota)} = (q_x, q_y, \sigma^\iota_\varsigma = \Lambda(\sigma, \varsigma, \iota)) \in T_b$, choose $s_{t_{\Lambda(\sigma,\varsigma,\iota)}}, \delta_{t_{\Lambda(\sigma,\varsigma,\iota)},1}, \delta_{t_{\Lambda(\sigma,\varsigma,\iota)},2}, \delta_{t_{\Lambda(\sigma,\varsigma,\iota)},3} \in \mathbb{F}_q$ and $\varphi_{t_{\Lambda(\sigma,\varsigma,\iota)},1}, \varphi_{t_{\Lambda(\sigma,\varsigma,\iota)},2}, \varphi_{t_{\Lambda(\sigma,\varsigma,\iota)},3} \in \mathbb{F}_q$. Pick random $\xi \in \mathbb{F}_q$. Now compute

$C_0 := (d_0, 0, \xi, 0, \varphi_0)_{\mathbb{B}_0}$, $\quad C_m := m \cdot g_T^{\xi}$.

For each transition $t_{\Lambda(\sigma,\varsigma,\iota)} = (q_x, q_y, \sigma^\iota_\varsigma = \Lambda(\sigma, \varsigma, \iota)) \in T_b$, compute

$C_{t_{\Lambda(\sigma,\varsigma,\iota)},1} := (\ \delta_{t_{\Lambda(\sigma,\varsigma,\iota)},1}(1, h),\ (s_{t_{\Lambda(\sigma,\varsigma,\iota)}} + d_y)(1, \sigma^\iota_\varsigma),\ 0, \ldots, 0,\ \varphi_{t_{\Lambda(\sigma,\varsigma,\iota)},1}\ )_{\mathbb{B}_1}$
$C_{t_{\Lambda(\sigma,\varsigma,\iota)},2} := (\ \delta_{t_{\Lambda(\sigma,\varsigma,\iota)},2}(1, h),\ (-s_{t_{\Lambda(\sigma,\varsigma,\iota)}} + d_x)(1, \sigma^\iota_\varsigma),\ 0, \ldots, 0,\ \varphi_{t_{\Lambda(\sigma,\varsigma,\iota)},2}\ )_{\mathbb{B}_2}$
$C_{t_{\Lambda(\sigma,\varsigma,\iota)},3} := (\ \delta_{t_{\Lambda(\sigma,\varsigma,\iota)},3}(1, h),\ s_{t_{\Lambda(\sigma,\varsigma,\iota)}}(1, \sigma^\iota_\varsigma),\ 0, \ldots, 0,\ \varphi_{t_{\Lambda(\sigma,\varsigma,\iota)},3}\ )_{\mathbb{B}_3}$

For each $q_z \in F$, compute the ciphertext component $C_{z,4} := (d_z, 0, 0, 0, \varphi_z)_{\mathbb{B}_4}$.

$C_M := (M, C_m, C_0, \{C_{t_{\Lambda(\sigma,\varsigma,\iota)},1}, C_{t_{\Lambda(\sigma,\varsigma,\iota)},2}, C_{t_{\Lambda(\sigma,\varsigma,\iota)},3}\}_{t_{\Lambda(\sigma,\varsigma,\iota)} = (q_x, q_y, \sigma^\iota_\varsigma = \Lambda(\sigma,\varsigma,\iota)) \in T_b}, \{C_{z,4}\}_{q_z \in F})$

KeyGen($\mathsf{MSK}$, $w = w_1 \cdots w_l$): Convert the string $w$ to the matrix $W$ of order $t_{max} \times l$ by the aforesaid rule, i.e., if $w_i = \sigma$ is the $i$-th occurrence in the string $w$, the $i$-th column of the matrix $W$ is $(\sigma^i_1 = \Lambda(\sigma, 1, i), \ldots, \sigma^i_{t_{max}} = \Lambda(\sigma, t_{max}, i))$. For each symbol $\Lambda(\sigma, \varsigma, i)$ of $W$, choose $\mu_{\Lambda(\sigma,\varsigma,i),1}, \mu_{\Lambda(\sigma,\varsigma,i),2}, \mu_{\Lambda(\sigma,\varsigma,i),3}, \theta_{\Lambda(\sigma,\varsigma,i)} \in \mathbb{F}_q$ and $\eta_{\Lambda(\sigma,\varsigma,i),1}, \eta_{\Lambda(\sigma,\varsigma,i),2}, \eta_{\Lambda(\sigma,\varsigma,i),3} \in \mathbb{F}_q$. For each $i \in [l] \cup \{0\}$, pick $r_i \in \mathbb{F}_q$. Also choose $\eta_0, \eta_{l+1} \in \mathbb{F}_q$. Compute

$K_0 := (r_0, 0, 1, \eta_0, 0)_{\mathbb{B}^*_0}$.

Now, for each symbol $\sigma^i_\varsigma = \Lambda(\sigma, \varsigma, i)$ of the matrix $W$, compute

$K_{\Lambda(\sigma,\varsigma,i),1} := (\ \mu_{\Lambda(\sigma,\varsigma,i),1}(h, -1),\ r_i + \theta_{\Lambda(\sigma,\varsigma,i)}\sigma^i_\varsigma,\ -\theta_{\Lambda(\sigma,\varsigma,i)},\ 0, \ldots, 0,\ \eta_{\Lambda(\sigma,\varsigma,i),1},\ 0\ )_{\mathbb{B}^*_1}$
$K_{\Lambda(\sigma,\varsigma,i),2} := (\ \mu_{\Lambda(\sigma,\varsigma,i),2}(h, -1),\ -r_{i-1} + \theta_{\Lambda(\sigma,\varsigma,i)}\sigma^i_\varsigma,\ -\theta_{\Lambda(\sigma,\varsigma,i)},\ 0, \ldots, 0,\ \eta_{\Lambda(\sigma,\varsigma,i),2},\ 0\ )_{\mathbb{B}^*_2}$
$K_{\Lambda(\sigma,\varsigma,i),3} := (\ \mu_{\Lambda(\sigma,\varsigma,i),3}(h, -1),\ -r_i - r_{i-1} + \theta_{\Lambda(\sigma,\varsigma,i)}\sigma^i_\varsigma,\ -\theta_{\Lambda(\sigma,\varsigma,i)},\ 0, \ldots, 0,\ \eta_{\Lambda(\sigma,\varsigma,i),3},\ 0\ )_{\mathbb{B}^*_3}$

$K_{l+1,4} := (-r_l, 0, 0, \eta_{l+1}, 0)_{\mathbb{B}^*_4}$

The secret key for the string $w$ is given by $SK_w := (w, K_0, \{K_{\Lambda(\sigma,\varsigma,i),1}, K_{\Lambda(\sigma,\varsigma,i),2}, K_{\Lambda(\sigma,\varsigma,i),3}\}_{i \in [l],\ \varsigma \in [t_{max}]}, K_{l+1,4})$.

Decrypt($C_M$, $SK_w$): Suppose the DFA $M$ accepts the string $w = w_1 \cdots w_l$. Then there exist a sequence of $l + 1$ states $q_{x_0}, q_{x_1}, q_{x_2}, \ldots, q_{x_l}$ and transitions $t_1, \ldots, t_l$, where $x_0 = 0$, $q_{x_l} \in F$ and, for $i = 1, 2, \ldots, l$, $t_i = (q_{x_{i-1}}, q_{x_i}, \sigma)$ with $w_i = \sigma$. First, compute the initial value

$\Delta_0 = e(C_0, K_0) = g_T^{r_0 d_0 + \xi}$.

For each transition $t_i = (q_{x_{i-1}}, q_{x_i}, \sigma = \sigma_\varsigma)$, there are $w_{max}$ many transitions $t_{\Lambda(\sigma,\varsigma,\iota)} = (q_{x_{i-1}}, q_{x_i}, \sigma^\iota_\varsigma = \Lambda(\sigma, \varsigma, \iota))$ in $T_b$ for $\iota \in [w_{max}]$. (Here, $\varsigma$ indicates that $t_i$ is the $\varsigma$-th transition in $\mathsf{Trans}^E_\sigma$; if $i$ is changed then $\varsigma$ changes accordingly. In the computation of $\Delta_1$ and $\Delta_i$ below, we use the same $\sigma$ and $\varsigma$ to reduce the complication of indexing; note that if $i$ changes, $\sigma$ and $\varsigma$ change accordingly.) Also, for each occurrence $w_i = \sigma$ in $w$, there are $t_{max}$ many symbols represented as the column vector $W_i = (\sigma^i_1 = \Lambda(\sigma, 1, i), \ldots, \sigma^i_{t_{max}} = \Lambda(\sigma, t_{max}, i))$. To succeed in decryption, we have to choose a unique $l$-length sequence of transitions from $T_b$ and a unique $l$-length string $w_b$ from the matrix $W$. The $i$-th candidate of the above is the pair $\langle$ $i$-th transition, $i$-th symbol of $w_b$ $\rangle$, obtained by choosing a transition $t_{\Lambda(\sigma,\varsigma,\iota)}$ from $\{t_{\Lambda(\sigma,\varsigma,\iota)} = (q_{x_{i-1}}, q_{x_i}, \sigma^\iota_\varsigma = \Lambda(\sigma, \varsigma, \iota)) : \iota \in [w_{max}]\}$ and a symbol $\Lambda(\sigma, j, i)$ from $W_i = (\sigma^i_1 = \Lambda(\sigma, 1, i), \ldots, \sigma^i_{t_{max}} = \Lambda(\sigma, t_{max}, i))$ such that the $i$-th symbol of $w_b$ is equal to the symbol of the $i$-th candidate transition, i.e., we have $\langle t_{\Lambda(\sigma,\varsigma,i)},\ w_{b,i} = \Lambda(\sigma, \varsigma, i) \rangle$. Therefore, to compute $\Delta_i$ for $i \in [l]$, we use the ciphertext and key components corresponding to the transition $t_{\Lambda(\sigma,\varsigma,i)}$ and the symbol $\Lambda(\sig ma, \varsigma, i)$ respectively.

Compute the first intermediate value $\Delta_1$ as

$\Delta_1 = e(C_{t_{\Lambda(\sigma,\varsigma,1)},1}, K_{\Lambda(\sigma,\varsigma,1),1}) \cdot e(C_{t_{\Lambda(\sigma,\varsigma,1)},2}, K_{\Lambda(\sigma,\varsigma,1),2}) \cdot e(C_{t_{\Lambda(\sigma,\varsigma,1)},3}, K_{\Lambda(\sigma,\varsigma,1),3}) = g_T^{r_1 d_{x_1} - r_0 d_0}$.

Next, compute the intermediate values $\Delta_i$ (for $i = 2, \ldots, l$) as follows:

$\Delta_i = \Delta_{i-1} \cdot e(C_{t_{\Lambda(\sigma,\varsigma,i)},1}, K_{\Lambda(\sigma,\varsigma,i),1}) \cdot e(C_{t_{\Lambda(\sigma,\varsigma,i)},2}, K_{\Lambda(\sigma,\varsigma,i),2}) \cdot e(C_{t_{\Lambda(\sigma,\varsigma,i)},3}, K_{\Lambda(\sigma,\varsigma,i),3}) = g_T^{r_{i-1} d_{x_{i-1}} - r_0 d_0} \cdot g_T^{r_i d_{x_i} - r_{i-1} d_{x_{i-1}}} = g_T^{r_i d_{x_i} - r_0 d_0}$.

In particular, the $l$-th intermediate value has the form $\Delta_l = g_T^{r_l d_{x_l} - r_0 d_0}$. The final value $\Delta_{l+1}$ is computed as

$\Delta_{l+1} = \Delta_l \cdot e(C_{x_l,4}, K_{l+1,4}) = g_T^{r_l d_{x_l} - r_0 d_0} \cdot g_T^{-r_l d_{x_l}} = g_T^{-r_0 d_0}$.

Using $\Delta_0$, $\Delta_{l+1}$ and $C_m$, the message is unmasked as $m = C_m / (\Delta_0 \cdot \Delta_{l+1})$.

Theorem 5.1. The proposed full CP-FE scheme is adaptively secure under the DLIN assumption.

Proof. Since each entry of $W$ is distinct and there is at most a single transition of $T_b$ corresponding to each symbol in $\Sigma_b$, the proof of this theorem follows from Theorem 4.1.

References

[ALdP11] Nuttapong Attrapadung, Benoît Libert, and Elie de Panafieu. Expressive key-policy attribute-based encryption with constant-size ciphertexts. In Public Key Cryptography, 2011.
[BH08] Dan Boneh and Mike Hamburg. Generalized identity-based and broadcast encryption schemes. In ASIACRYPT, pages 455–470, 2008.
[BSW07] John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policy attribute-based encryption. In IEEE Symposium on Security and Privacy. IEEE Computer Society, 2007.
[BSW11] Dan Boneh, Amit Sahai, and Brent Waters. Functional encryption: Definitions and challenges. In Yuval Ishai, editor, TCC, volume 6597 of Lecture Notes in Computer Science. Springer, 2011.
[BW07] Dan Boneh and Brent Waters. Conjunctive, subset, and range queries on encrypted data. In TCC, 2007.
[GPSW06] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute-based encryption for fine-grained access control of encrypted data. In Ari Juels, Rebecca N. Wright, and Sabrina De Capitani di Vimercati, editors, ACM Conference on Computer and Communications Security. ACM, 2006.
[Ham11] Mike Hamburg. Spatial encryption. Cryptology ePrint Archive, Report 2011/389, iacr.org/.
[IP08] Vincenzo Iovino and Giuseppe Persiano. Hidden-vector encryption with groups of prime order. In Pairing, pages 75–88, 2008.
[KSW08] Jonathan Katz, Amit Sahai, and Brent Waters. Predicate encryption supporting disjunctions, polynomial equations, and inner products. In Nigel P. Smart, editor, EUROCRYPT, volume 4965 of Lecture Notes in Computer Science, pages 146–162. Springer, 2008.
[LOS+10] Allison B. Lewko, Tatsuaki Okamoto, Amit Sahai, Katsuyuki Takashima, and Brent Waters. Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption. In Henri Gilbert, editor, EUROCRYPT, volume 6110 of Lecture Notes in Computer Science, pages 62–91. Springer, 2010.
[LW12] Allison Lewko and Brent Waters. New proof methods for attribute-based encryption: Achieving full security through selective techniques. In Safavi-Naini and Canetti [SNC12].
[OSW07] Rafail Ostrovsky, Amit Sahai, and Brent Waters. Attribute-based encryption with non-monotonic access structures. In Peng Ning, Sabrina De Capitani di Vimercati, and Paul F. Syverson, editors, ACM Conference on Computer and Communications Security. ACM, 2007.
[OT09] Tatsuaki Okamoto and Katsuyuki Takashima. Hierarchical predicate encryption for inner-products. In Mitsuru Matsui, editor, ASIACRYPT, volume 5912 of Lecture Notes in Computer Science. Springer, 2009.
[OT10] Tatsuaki Okamoto and Katsuyuki Takashima. Fully secure functional encryption with general relations from the decisional linear assumption. In Tal Rabin, editor, CRYPTO, volume 6223 of Lecture Notes in Computer Science. Springer, 2010.
[OT11] Tatsuaki Okamoto and Katsuyuki Takashima. Adaptively attribute-hiding (hierarchical) inner-product encryption. Cryptology ePrint Archive, Report 2011/543.
[OT12a] Tatsuaki Okamoto and Katsuyuki Takashima. Adaptively attribute-hiding (hierarchical) inner product encryption. In EUROCRYPT, 2012.
[OT12b] Tatsuaki Okamoto and Katsuyuki Takashima. Fully secure unbounded inner-product and attribute-based encryption. In ASIACRYPT, pages 349–366, 2012.
[Ram13] Somindu C. Ramanna. DFA-based functional encryption: Adaptive security from dual system encryption. Cryptology ePrint Archive, Report 2013/638.
[SF07] Ryuichi Sakai and Jun Furukawa. Identity-based broadcast encryption. Cryptology ePrint Archive, Report 2007/217.
[SNC12] Reihaneh Safavi-Naini and Ran Canetti, editors. Advances in Cryptology - CRYPTO 2012 - 32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2012. Proceedings, volume 7417 of Lecture Notes in Computer Science. Springer, 2012.
[SW05] Amit Sahai and Brent Waters. Fuzzy identity-based encryption. In Ronald Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science. Springer, 2005.
[SW08] Elaine Shi and Brent Waters. Delegating capabilities in predicate encryption systems. In Automata, Languages and Programming, 2008.
[Wat09] Brent Waters. Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions. In Shai Halevi, editor, CRYPTO, volume 5677 of Lecture Notes in Computer Science. Springer, 2009.
[Wat11] Brent Waters. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. In Public Key Cryptography, pages 53–70, 2011.
[Wat12] Brent Waters. Functional encryption for regular languages. In Safavi-Naini and Canetti [SNC12].

A Ciphertext-Policy Functional Encryption for DFAs

A.1 Definition

A ciphertext-policy functional encryption (CP-FE) scheme for DFAs consists of four PPT algorithms: Setup, KeyGen, Encrypt and Decrypt.

Setup: It takes a security parameter $\kappa$ and an alphabet $\Sigma$ as input, and outputs the public parameters $\mathsf{PP}$, which explicitly contain $\Sigma$, and the master secret $\mathsf{MSK}$.

KeyGen: It takes as input a string $w = w_1 w_2 \cdots w_l$ over $\Sigma$ and the master secret $\mathsf{MSK}$, and outputs a secret key $SK_w$ corresponding to $w$.

Encrypt: It takes a message $m$, the description of a DFA $M$ and the public parameters $\mathsf{PP}$, and returns a ciphertext $C_M$ which implicitly contains $M$.

Decrypt: It receives a ciphertext $C_M$ and a secret key $SK_w$ as input. If the DFA $M$ accepts $w$, the algorithm returns $m$.

A.2 Security definition of CP-FE for DFAs

The adaptive security model is defined as an indistinguishability game, $\mathsf{Game}_{Real}$, between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$, where the adversary has to distinguish the ciphertexts under a chosen plaintext attack (CPA). The game $\mathsf{Game}_{Real}$ consists of the following phases:

Setup: The challenger $\mathcal{C}$ runs the Setup algorithm to produce the master secret key $\mathsf{MSK}$ and the public parameters $\mathsf{PP}$. Then, $\mathcal{C}$ gives $\mathsf{PP}$ to the adversary and keeps $\mathsf{MSK}$ to itself.

Phase 1: The adversary queries for the secret keys corresponding to the strings $w_1, \ldots, w_l$. The challenger $\mathcal{C}$ returns the secret keys $sk_{w_i}$ by running the KeyGen algorithm on $w_i$, for $i = 1, \ldots, l$.

Challenge: The adversary provides two equal length messages $m_0, m_1$ and a challenge DFA $M = (Q, \Sigma, q_0, F, \delta)$ with the condition that the DFA $M$ does not accept any queried string $w_i$ for $i = 1, \ldots, l$. The challenger chooses $\beta \in \{0, 1\}$, encrypts the message $m_\beta$ using the challenge DFA $M$ and gives the challenge ciphertext $C_M$ to the adversary.

Phase 2: $\mathcal{A}$ again queries for the secret keys corresponding to the strings $w_{l+1}, \ldots, w_\nu$ with the restriction that no $w_i$ is accepted by the challenge DFA $M$. $\mathcal{C}$ answers the adversary in a similar manner as in Phase 1.

Guess: The challenger outputs a bit $\beta'$.

The advantage of $\mathcal{A}$ in the above game is defined by $\mathsf{Adv}^{CP\text{-}FE}_{\mathcal{A}}(\kappa) = \left|2\Pr[\beta = \beta'] - 1\right|$. The CP-FE scheme is said to be adaptively secure if for all PPT adversaries $\mathcal{A}$, the advantage $\mathsf{Adv}^{CP\text{-}FE}_{\mathcal{A}}(\kappa)$ is at most a negligible function in the security parameter $\kappa$.

Lemma A.1 ([OT10]). For $p \in \mathbb{F}_q$, let $C_p = \{(\vec{x}, \vec{v}) \mid \vec{x} \cdot \vec{v} = p\} \subset V \times V^*$, where $V$ is the $n$-dimensional vector space $\mathbb{F}_q^n$ and $V^*$ its dual. For all $(\vec{x}, \vec{v}) \in C_p$ and all $(\vec{\Psi}, \vec{\Phi}) \in C_p$, $\Pr[\vec{x}U = \vec{\Psi} \wedge \vec{v}Z = \vec{\Phi}] = \Pr[\vec{x}Z = \vec{\Psi} \wedge \vec{v}U = \vec{\Phi}] = 1/|C_p|$, where $Z \in GL(\,\cdot\,, \mathbb{F}_q)$ (the dimension argument is illegible in the source) and $U = (Z^{-1})^{T}$.

A.3 Proof of Lemma 4.2

We establish a PPT algorithm $\mathcal{B}$ (the simulator) who receives an instance of DSS1, $(\mathsf{param}, \{\hat{\mathbb{B}}_j, \hat{\mathbb{B}}^*_j\}_{j=0,1,\ldots,4}, \{e^j_\beta\}_{j=0,4}, \{e^j_{\beta,h,\varsigma}\}_{h=1,\ldots,d;\ \varsigma=1,2;\ j=1,2,3})$, and, depending on the distribution of $\beta$, $\mathcal{B}$ either simulates $\mathsf{Game}_{Real}$ or $\mathsf{Game}_0$.

Setup: $\mathcal{B}$ fixes an alphabet of symbols $\Sigma = \{\sigma_1, \ldots, \sigma_d\} \subset \mathbb{F}_q$, where $d = \mathrm{poly}(\kappa)$. It provides $\mathsf{PP} = (\Sigma, \mathsf{param}, \{\hat{\mathbb{B}}_j\}_{j=0,1,2,3,4})$ to $\mathcal{A}$ and keeps $\mathsf{MSK}$ to itself.

Key Query Answering: $\mathcal{B}$ can handle the key queries of $\mathcal{A}$, since the $\mathsf{MSK}$ is known to it.

Challenge: $\mathcal{A}$ provides two equal length messages $m_0, m_1$ and a challenge restricted DFA $M = (Q, \Sigma, q_0, F, \delta)$. $\mathcal{B}$ chooses $b \in \{0, 1\}$ and $\tilde{d}_0, \vartheta_0, \xi \in \mathbb{F}_q$. For each state $q_x \in Q$, $\mathcal{B}$ picks $\tilde{d}_x, \vartheta_x \in \mathbb{F}_q$. For each transition $t = (q_x, q_y, \sigma_h)$, it chooses $\tilde{s}_t, f_t \in \mathbb{F}_q$ and encrypts $m_b$ to $M$ as follows.

$C_0 := \tilde{d}_0\, e^0_\beta + \vartheta_0\, b_{0,1} + \xi\, b_{0,3}$, $\quad C_m := m_b \cdot g_T^{\xi}$

For each transition $t = (q_x, q_y, \sigma_h)$, it computes

$C_{t,1} := (e^1_{\beta,h,1} + \sigma_h e^1_{\beta,h,2})(\tilde{d}_y + \tilde{s}_t) + (\vartheta_y + f_t)(1, \sigma_h)(b_{1,3}, b_{1,4})$
$C_{t,2} := (e^2_{\beta,h,1} + \sigma_h e^2_{\beta,h,2})(\tilde{d}_x - \tilde{s}_t) + (\vartheta_x - f_t)(1, \sigma_h)(b_{2,3}, b_{2,4})$
$C_{t,3} := (e^3_{\beta,h,1} + \sigma_h e^3_{\beta,h,2})\,\tilde{s}_t + f_t(1, \sigma_h)(b_{3,3}, b_{3,4})$

For each $q_z \in F$, it computes $C_{z,4} := \tilde{d}_z\, e^4_\beta + \vartheta_z\, b_{4,1}$.

$\mathcal{B}$ returns $C_M = (M, C_m, C_0, \{C_{t,1}, C_{t,2}, C_{t,3}\}_{t = (q_x, q_y, \sigma_h)}, \{C_{z,4}\}_{q_z \in F})$ to $\mathcal{A}$.

Guess: $\mathcal{A}$ sends a guess $b'$ to $\mathcal{B}$. If $b = b'$ then $\mathcal{B}$ returns 1; otherwise it returns 0.

The simulator $\mathcal{B}$ implicitly sets $s_t = \omega \tilde{s}_t + f_t$, $d_y = \omega \tilde{d}_y + \vartheta_y$, $\hat{s}_t = \tau \tilde{s}_t$ and $\hat{d}_y = \tau \tilde{d}_y$. Since $\tilde{s}_t$, $\tilde{d}_y$, $f_t$ and $\vartheta_y$ are uniformly and independently distributed over $\mathbb{F}_q$, so are $s_t$, $d_y$, $\hat{s}_t$ and $\hat{d}_y$. It is straightforward to show that if $\beta = 1$, then $C_M$ is a properly distributed sf-type 1 ciphertext ($\mathsf{Game}_0$); otherwise it is a properly distributed normal ciphertext ($\mathsf{Game}_{Real}$).

A.4 Proof of Lemma 4.3

We establish a PPT algorithm $\mathcal{B}$ to whom an instance $(\mathsf{param}, \{\hat{\mathbb{B}}_j, \hat{\mathbb{B}}^*_j\}_{j=0,1,\ldots,4}, \{\Upsilon^j\}_{j=0,4}, \{e^j_{h,\varsigma}\}_{h=1,\ldots,d;\ \varsigma=1,2;\ j=1,2,3}$, and, for $\beta = 0, 1$, the challenge $(\{\Upsilon^j_\beta\}_{j=0,4}, \{\Upsilon^j_{\beta,h,\varsigma}\}_{h=1,\ldots,d;\ \varsigma=1,2;\ j=1,2,3}))$ of DSS2 is given, and it simulates either $\mathsf{Game}_{k-1,3}$ or $\mathsf{Game}_{k,1}$ depending on the distribution of $\beta$.

Setup: $\mathcal{B}$ fixes an alphabet of symbols $\Sigma = \{\sigma_1, \ldots, \sigma_d\} \subset \mathbb{F}_q$, where $d = \mathrm{poly}(\kappa)$. It provides $\mathsf{PP} = (\Sigma, \mathsf{param}, \{\hat{\mathbb{B}}_j\}_{j=0,1,2,3,4})$ to $\mathcal{A}$ and keeps $\mathsf{MSK}$ to itself.

Key Query Answering: For both the games, the first $k-1$ keys are sf-type 3 and the last $\nu - k$ are normal keys. For $\mathsf{Game}_{k-1,3}$, the $k$-th key is normal, and it is sf-type 1 for $\mathsf{Game}_{k,1}$. Let $w^1, \ldots, w^\nu$ be the query strings issued by $\mathcal{A}$. The simulator $\mathcal{B}$ answers the key $SK_{w^\iota}$ for the string $w^\iota$ depending on $\iota$ as follows.

If $\iota > k$, then $\mathcal{B}$ runs the KeyGen algorithm and gives the normal key to $\mathcal{A}$.

If $\iota < k$, then it is an sf-type 3 key. First note that the distributions of an sf-type 3 key and a normal key are almost the same, except for $K_0$. $\mathcal{B}$ first generates $SK_{w^\iota} \leftarrow \mathsf{KeyGen}(\mathsf{MSK}, w^\iota)$ and then modifies the component $K_0$ as shown below to obtain the type 3 component $K'_0$:

$K'_0 \leftarrow K_0 + r'\, b^*_{0,2}$, where $r' \in \mathbb{F}_q$.

If $\iota = k$, then it is either a normal or an sf-type 1 key. $\mathcal{B}$ generates $SK_{w^k}$ using the challenge for $\beta$ as bait from the instance of DSS2. Let $w^k = w^k_1 \cdots w^k_l$. For each $i \in [l] \cup \{0\}$, $\mathcal{B}$ picks $\varrho_i, \theta_i, \tilde{r}_i, \pi_i \in \mathbb{F}_q$

(Footnote.) First, note that $C_{t,j}$ (resp. $K_{i,j}$) is represented as a linear combination of the 14-dimensional basis vectors $\mathbb{B}_j = (b_{j,1}, \ldots, b_{j,14})$ (resp. $\mathbb{B}^*_j = (b^*_{j,1}, \ldots, b^*_{j,14})$). In Lemmas 4.4, 4.3 and 4.5, we only show that the scalars of the 3rd, 4th, 5th, 6th, 9th and 10th basis vectors, either in the ciphertext part or in the key part or in both, are properly distributed, since the rest of the scalars are either defined to be zero or can be properly randomized by the vectors supplied by the problem.


More information

Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions

Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions Brent Waters University of Texas at Austin Abstract We present a new methodology for proving security of encryption

More information

Dual System Framework in Multilinear Settings and Applications to Fully Secure (Compact) ABE for Unbounded-Size Circuits

Dual System Framework in Multilinear Settings and Applications to Fully Secure (Compact) ABE for Unbounded-Size Circuits Dual System Framework in Multilinear Settings and pplications to Fully Secure Compact BE for Unbounded-Size Circuits Nuttapong ttrapadung National Institute of dvanced Industrial Science and Technology

More information

Ciphertext-Policy Hierarchical Attribute-Based Encryption with Short Ciphertexts: Efficiently Sharing Data among Large Organizations

Ciphertext-Policy Hierarchical Attribute-Based Encryption with Short Ciphertexts: Efficiently Sharing Data among Large Organizations Ciphertext-Policy Hierarchical Attribute-Based Encryption with Short Ciphertexts: Efficiently Sharing Data among Large Organizations Hua Deng a, Qianhong Wu* b, Bo Qin c, Josep Domingo-Ferrer d, Lei Zhang

More information

Type-based Proxy Re-encryption and its Construction

Type-based Proxy Re-encryption and its Construction Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown

More information

A New Functional Encryption for Multidimensional Range Query

A New Functional Encryption for Multidimensional Range Query A New Functional Encryption for Multidimensional Range Query Jia Xu 1, Ee-Chien Chang 2, and Jianying Zhou 3 1 Singapore Telecommunications Limited jia.xu@singtel.com 2 National University of Singapore

More information

A Study of Pair Encodings: Predicate Encryption in Prime Order Groups

A Study of Pair Encodings: Predicate Encryption in Prime Order Groups A Study of Pair Encodings: Predicate Encryption in Prime Order Groups Shashank Agrawal 1 and Melissa Chase 2 1 University of Illinois Urbana-Champaign sagrawl2@illinois.edu 2 Microsoft Research melissac@microsoft.com

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

Bounded Ciphertext Policy Attribute Based Encryption

Bounded Ciphertext Policy Attribute Based Encryption Bounded Ciphertext Policy Attribute Based Encryption Vipul Goyal Abhishek Jain Omkant Pandey Amit Sahai Department of Computer Science, UCLA {vipul,abhishek,omkant,sahai}@cs.ucla.edu Abstract In a ciphertext

More information

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu

More information

Functional Encryption for Cascade Automata

Functional Encryption for Cascade Automata Functional Encryption for Cascade Automata by Dan Brownstein, Shlomi Dolev, Niv Gilboa The Lynne and William Frankel Center for Computer Science Department of Computer Science, Ben-Gurion University, Beer

More information

Expressive Key-Policy Attribute-Based Encryption with Constant-Size Ciphertexts

Expressive Key-Policy Attribute-Based Encryption with Constant-Size Ciphertexts Expressive Key-Policy Attribute-Based Encryption with Constant-Size Ciphertexts Nuttapong Attrapadung 1, Benoît Libert 2, and Elie de Panafieu 3 1 esearch Center for Information Security, AIST Japan) n.attrapadung@aist.go.jp

More information

New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption

New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption Sikhar Patranabis and Debdeep Mukhopadhyay Department of Computer Science and Engineering Indian Institute of

More information

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Man Ho Au 1, Joseph K. Liu 2, Tsz Hon Yuen 3, and Duncan S. Wong 4 1 Centre for Information Security Research

More information

New Proof Techniques for DLIN-Based Adaptively Secure Attribute-Based Encryption

New Proof Techniques for DLIN-Based Adaptively Secure Attribute-Based Encryption New Proof Techniques for DLIN-Based daptively Secure ttribute-based Encryption Katsuyuki Takashima (Mitsubishi Electric) pril 8, 207 bstract Weproposeadaptively secure attribute-based encryption (BE) schemes

More information

Secure and Practical Identity-Based Encryption

Secure and Practical Identity-Based Encryption Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.

More information

Efficient Identity-based Encryption Without Random Oracles

Efficient Identity-based Encryption Without Random Oracles Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random

More information

Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings

Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings Nuttapong Attrapadung AIST, Japan n.attrapadung@aist.go.jp Shota Yamada AIST, Japan

More information

G Advanced Cryptography April 10th, Lecture 11

G Advanced Cryptography April 10th, Lecture 11 G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems

More information

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any

More information

A Study of Pair Encodings: Predicate Encryption in Prime Order Groups

A Study of Pair Encodings: Predicate Encryption in Prime Order Groups A Study of Pair Encodings: Predicate Encryption in Prime Order Groups Shashank Agrawal Melissa Chase Abstract Pair encodings and predicate encodings, recently introduced by Attrapadung (Eurocrypt 2014)

More information

Ciphertext-Policy Attribute-Based Encrypted Data Equality Test and Classification

Ciphertext-Policy Attribute-Based Encrypted Data Equality Test and Classification Ciphertext-Policy Attribute-Based Encrypted Data Equality Test and Classification Yuzhao Cui 1, Qiong Huang 1, Jianye Huang 1, Hongbo Li 1, and Guomin Yang 2 1 College of Mathematics and Informatics, South

More information

Boneh-Franklin Identity Based Encryption Revisited

Boneh-Franklin Identity Based Encryption Revisited Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl

More information

Lightweight Symmetric-Key Hidden Vector Encryption without Pairings

Lightweight Symmetric-Key Hidden Vector Encryption without Pairings Lightweight Symmetric-Key Hidden Vector Encryption without Pairings Sikhar Patranabis and Debdeep Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology Kharagpur sikhar.patranabis@iitkgp.ac.in,

More information

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

On the security of Jhanwar-Barua Identity-Based Encryption Scheme On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In

More information

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes Stefan Dziembowski Department of Computer Science University of Rome, La Sapienza Abstract. Forward-Secure Storage

More information

Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More

Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More Nuttapong Attrapadung AIST, Japan n.attrapadung@aist.go.jp Abstract Dual

More information

Lattice-Based Non-Interactive Arugment Systems

Lattice-Based Non-Interactive Arugment Systems Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover

More information

Secure Certificateless Public Key Encryption without Redundancy

Secure Certificateless Public Key Encryption without Redundancy Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless

More information

Functional Encryption for Computational Hiding in Prime Order Groups via Pair Encodings

Functional Encryption for Computational Hiding in Prime Order Groups via Pair Encodings Functional Encryption for Computational Hiding in Prime Order Groups via Pair Encodings Jongkil Kim, Willy Susilo, Fuchun Guo, and Man Ho Au 2 Centre for Computer and Information Security Research School

More information

Advanced Topics in Cryptography

Advanced Topics in Cryptography Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,

More information

Attribute-Based Encryption Schemes with Constant-Size Ciphertexts

Attribute-Based Encryption Schemes with Constant-Size Ciphertexts Attribute-Based Encryption Schemes with Constant-Size Ciphertexts Nuttapong Attrapadung 1, Javier Herranz 2, Fabien Laguillaume 3, Benoît Libert 4, Elie de Panafieu 5, and Carla Ràfols 2 1 Research Center

More information

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing

An efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2015 An efficient variant of Boneh-Gentry-Hamburg's

More information

Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography

Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography Duong Hieu Phan 1,2 and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. In the classical model of

More information

Embed-Augment-Recover: Function Private Predicate Encryption from Minimal Assumptions in the Public-Key Setting

Embed-Augment-Recover: Function Private Predicate Encryption from Minimal Assumptions in the Public-Key Setting Embed-Augment-ecover: Function Private Predicate Encryption from Minimal Assumptions in the Public-Key Setting Sihar Patranabis and Debdeep Muhopadhyay Department of Computer Science and Engineering Indian

More information

On the (Im)possibility of Projecting Property in Prime-Order Setting

On the (Im)possibility of Projecting Property in Prime-Order Setting On the (Im)possibility of Projecting Property in Prime-Order Setting Jae Hong Seo Department of Mathematics, Myongji University, Yongin, Republic of Korea jaehongseo@mju.ac.r Abstract. Projecting bilinear

More information

Unbounded Inner Product Functional Encryption from Bilinear Maps

Unbounded Inner Product Functional Encryption from Bilinear Maps nbounded Inner Product Functional Encryption from Bilinear Maps Junichi Tomida and Katsuyuki Takashima 2 NTT tomida.junichi@lab.ntt.co.jp 2 Mitubishi Electric Takashima.Katsuyuki@aj.MitsubishiElectric.co.jp

More information

Pairing-Based Cryptography An Introduction

Pairing-Based Cryptography An Introduction ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used

More information

Cryptology. Scribe: Fabrice Mouhartem M2IF

Cryptology. Scribe: Fabrice Mouhartem M2IF Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description

More information

Property Preserving Symmetric Encryption

Property Preserving Symmetric Encryption Property Preserving Symmetric Encryption Omkant Pandey Microsoft, Redmond Yannis Rouselakis University of Texas at Austin Traditional Cryptography Alice Bob Eve New Goal: Computations on Encrypted Data

More information

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian

More information

How to Encrypt with the LPN Problem

How to Encrypt with the LPN Problem How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin ICALP 2008 July 9, 2008 Orange Labs the context the authentication protocol HB + by Juels and Weis [JW05] recently renewed

More information

arxiv: v1 [cs.cr] 21 Dec 2015

arxiv: v1 [cs.cr] 21 Dec 2015 Noname manuscript No. (will be inserted by the editor) Flexible Attribute-Based Encryption Applicable to Secure E-Healthcare ecords Bo Qin Hua Deng Qianhong Wu Josep Domingo-Ferrer David Naccache Yunya

More information

arxiv: v1 [cs.cr] 9 Nov 2016

arxiv: v1 [cs.cr] 9 Nov 2016 Transforming Hidden Vector Encryption Schemes from Composite to Prime Order Groups Kwangsu Lee arxiv:1611.02821v1 [cs.cr] 9 Nov 2016 Abstract Predicate encryption is a new type of public ey encryption

More information

Property Preserving Symmetric Encryption Revisited

Property Preserving Symmetric Encryption Revisited Property Preserving Symmetric Encryption Revisited Sanjit Chatterjee 1 and M. Prem Laxman Das 2 1 Department of Computer Science and Automation, Indian Institute of Science sanjit@csa.iisc.ernet.in 2 Society

More information

Privacy-aware Attribute-based Encryption with User Accountability

Privacy-aware Attribute-based Encryption with User Accountability Privacy-aware Attribute-based Encryption with User Accountability Jin Li 1, Kui Ren 1, Bo Zhu 2, and Zhiguo Wan 3 1 Department of ECE, Illinois Institute of Technology, USA {jinli,kren}@ece.iit.edu 2 Canada

More information

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable

More information

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup October 12, 2001 Abstract We present several new and fairly practical public-key

More information

Efficient Selective Identity-Based Encryption Without Random Oracles

Efficient Selective Identity-Based Encryption Without Random Oracles Efficient Selective Identity-Based Encryption Without Random Oracles Dan Boneh Xavier Boyen March 21, 2011 Abstract We construct two efficient Identity-Based Encryption (IBE) systems that admit selectiveidentity

More information

A Strong Identity Based Key-Insulated Cryptosystem

A Strong Identity Based Key-Insulated Cryptosystem A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China

More information

Simple Functional Encryption Schemes for Inner Products

Simple Functional Encryption Schemes for Inner Products This Extended Abstract appears in the Proceedings of the 18th International Conference on Practice and Theory in Public-Key Cryptography (PKC 15) (30 March 1 April 2015, Gaithersburg, Maryland, USA) Jonathan

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44

More information

arxiv: v1 [cs.cr] 24 Feb 2017

arxiv: v1 [cs.cr] 24 Feb 2017 Efficient Hidden Vector Encryptions and Its Applications 1 arxiv:1702.07456v1 [cs.cr] 24 Feb 2017 Kwangsu Lee A Thesis for the Degree of Doctor of Philosophy Department of Information Security, Graduate

More information

Lecture 7: CPA Security, MACs, OWFs

Lecture 7: CPA Security, MACs, OWFs CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)

More information

A Comment on Gu Map-1

A Comment on Gu Map-1 A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices

More information

8 Security against Chosen Plaintext

8 Security against Chosen Plaintext 8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly

More information

CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS

CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS CONSRUCIONS SECURE AGAINS RECEIVER SELECIVE OPENING AND CHOSEN CIPHEREX AACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn C-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:

More information

Homomorphic-Policy Attribute-Based Key Encapsulation Mechanisms

Homomorphic-Policy Attribute-Based Key Encapsulation Mechanisms Homomorphic-Policy Attribute-Based Key Encapsulation Mechanisms Jérémy Chotard,2, Duong Hieu Phan, David Pointcheval 2 XLIM, University of Limoges, CNRS 2 ENS, CNRS, INRIA, PSL Research University, Paris,

More information