Shorter Identity-Based Encryption via Asymmetric Pairings


Jie Chen (1), Hoon Wei Lim (1), San Ling (1), Huaxiong Wang (1), and Hoeteck Wee (2)

(1) Division of Mathematical Sciences, School of Physical & Mathematical Sciences, Nanyang Technological University, Singapore
(2) George Washington University, US
s08000@e.ntu.edu.sg, {hoonwei,lingsan,hxwang}@ntu.edu.sg, hoeteck@gwu.edu

Abstract. We present efficient Identity-Based Encryption (IBE) under the Symmetric External Diffie-Hellman (SXDH) assumption in bilinear groups. In our IBE scheme, all parameters have constant numbers of group elements, and are shorter than those of previous constructions based on the Decisional Linear (DLIN) assumption. Our construction uses both dual system encryption (Waters, Crypto '09) and dual pairing vector spaces (Okamoto and Takashima, Pairing '08, Asiacrypt '09). Specifically, we show how to adapt the recent DLIN-based instantiation of Lewko (Eurocrypt '12) to the SXDH assumption. To our knowledge, this is the first work to instantiate either dual system encryption or dual pairing vector spaces under the SXDH assumption. Furthermore, our work can be extended to many other Functional Encryption schemes. In particular, we show how to instantiate our framework for Inner Product Encryption (IPE) and Key-Policy Functional Encryption (KP-FE). All parameters of our constructions are shorter than those of DLIN-based constructions.

Research of the authors is supported in part by the National Research Foundation of Singapore under Research Grant NRF-CRP2-2007-03. Hoeteck Wee's work is also supported by NSF CAREER Award CNS-1237429.

1 Introduction

1.1 Identity-Based Encryption

The idea of using a user's identity as her public encryption key, and thus eliminating the need for a public key certificate, was conceived by Shamir [34]. Such a primitive is known as Identity-Based Encryption (IBE), which has been extensively studied, particularly over the last decade. We now have constructions of IBE schemes from a large class of assumptions, namely pairings, quadratic residuosity and lattices, starting with the early constructions in the random oracle model [9, 7, 23], to more recent constructions in the standard model [5, 7, 8, 6, 1].

Short IBE. It is desirable that an IBE scheme be as efficient as possible, if it is to have any impact on practical applications. Ideally, we would like to have constant-size public parameters, secret keys, and ciphertexts. Moreover, the scheme should ideally achieve full security, namely be resilient even against an adversary that adaptively selects an identity to attack based on previously obtained secret keys. The first fully secure efficient IBE with constant-size public parameters and ciphertexts under standard assumptions was obtained by Waters [37] in 2009; this scheme relied on the Decisional Bilinear Diffie-Hellman (DBDH) and Decisional Linear (DLIN) assumptions. Since then, Lewko and Waters [27] and Lewko [26] gave additional fully secure efficient IBE schemes that achieve incomparable guarantees. Prior to these works, all known IBEs (in the standard model) were either selectively secure [5, 7, 6, 1], or required long parameters [8, 36, 6, 1], or were based on less standard assumptions that depended on the query complexity of the adversary [22]. From a practical standpoint, Waters' fully secure IBE [37] is still not very efficient, as it has relatively large ciphertexts and secret keys, i.e., eleven and nine group elements, respectively. Lewko's scheme [26] improved on both of these parameters at the cost of larger public parameters and master key.

Shorter IBE? In his work, Waters also suggested obtaining even more efficient IBE schemes by turning to asymmetric bilinear groups: "Using the SXDH assumption we might hope to shave off three group elements from both ciphertexts and private keys." In fact, the efficiency gain from asymmetric pairings was first observed by Boneh, Boyen and Shacham [10]. At a fixed security level, group elements in the asymmetric setting are smaller and pairings can be computed more efficiently [20]. (Estimated bit sizes of group elements for bilinear group generators are given in the next paragraph.) Informally, the SXDH assumption states that there are prime-order groups (G1, G2, GT) that admit a bilinear map e : G1 × G2 → GT such that the Decisional Diffie-Hellman (DDH) assumption holds in both G1 and G2. The SXDH assumption was formally defined by Ballard et al. [3] in their construction of a searchable encryption scheme, and has since been used in a number of different contexts, including secret-handshake schemes [2], anonymous IBE [8], continual leakage-resilience [3], and most notably, Groth-Sahai proofs [24]. Evidence for the validity of this assumption was presented in the works of Verheul [35] and Galbraith and Rotger [2]. (1)

(1) Here, we do not separately count group elements from the target group of the pairing, although a ciphertext typically contains one element of the target group. Table 2 gives more precise sizes comparing existing schemes and ours.

Symmetric vs. Asymmetric Pairings. The ordinary elliptic curves that give the best performance while providing discrete log security comparable to three commonly proposed levels of AES security are given in Table 1.

Table 1. Estimated bit sizes of elements in bilinear groups.

                  80-bit AES            128-bit AES            256-bit AES
  Pairings     |G1|   |G2|   |GT|     |G1|   |G2|   |GT|     |G1|    |G2|    |GT|
  Asymmetric    170    340   1020      256    512   3072      640   2560   15360
  Symmetric     176    176   1056      512    512   3072     2560   2560   15360

The group sizes follow the 2007 NIST recommendations [4]; descriptions of the elliptic curves are in [9]: 80-bit security, a 170-bit MNT curve [29] with embedding degree k = 6; 128-bit security, a 256-bit Barreto-Naehrig curve [5] with k = 12; 256-bit security, a 640-bit Brezing-Weng curve [4] with k = 24. Note that we assume that curves supporting sextic twists are used for k = 12 and k = 24, as this allows elements of G2 to be 1/6 the size of elements of GT. We also assume that point compression is used to represent a group element. We further note that a symmetric pairing only exists on supersingular elliptic curves. The restriction to supersingular elliptic curves means that at high security levels the symmetric-pairing group will be much larger than the group G1 on an equivalent ordinary curve.

1.2 Our Contributions

In this work, we present a more efficient IBE scheme under the SXDH assumption; our scheme also achieves anonymity. (2) The ciphertexts and secret keys consist of only five and four group elements, respectively. That is, we shave off two group elements from both the ciphertexts and the private keys of Lewko's DLIN-based IBE [26]. Table 2 gives a summary of comparisons between existing IBE schemes and ours.

Table 2. Comparison between existing IBE schemes and ours.

  Source       PP                SK                CT                     # pairings  Anonymity  Assumptions
  Waters [36]  (4 + λ)|G0|       2|G0|             2|G0| + |GT|           2           No         DBDH
  Waters [37]  12|G0| + |GT|     8|G0| + |Zq|      9|G0| + |GT| + |Zq|    9           No         DLIN, DBDH
  Lewko [26]   24|G1| + |GT|     6|G2|             6|G1| + |GT|           6           Yes        DLIN
  RCS [33]     8|G1| + |GT|      6|G2| + |Zq|      8|G1| + |GT|           7           No         XDH, DLIN, DBDH
  Ours         8|G1| + |GT|      4|G2|             4|G1| + |GT|           4           Yes        SXDH

Here λ is the security parameter (it depends on the curve we use); PP, SK, CT and # pairings stand for the public parameter size, secret key size, ciphertext size and the number of pairings for decryption, respectively; |Gx| denotes the bit length of an element of group Gx, where x ∈ {0, 1, 2, T}, and G0 refers to a group in the symmetric pairing setting.

(2) It follows from our analysis that Lewko's IBE [26] is also anonymous, although this was not pointed out in her paper.

1.3 Our Approach

As with all known fully secure efficient IBEs, our construction relies on Waters' dual system encryption framework [37]. Following Lewko's DLIN-based IBE [26], we instantiate dual system encryption under the SXDH assumption via dual pairing vector spaces [30, 31], a technique for achieving orthogonality in prime-order groups. This is the first work to instantiate either dual system encryption or dual pairing vector spaces under the SXDH assumption. We proceed to highlight several salient features of our IBE scheme in relation to Lewko's IBE [26]:

- Our scheme has an extremely simple structure, similar to the selectively secure IBE of Boneh and Boyen [7], as well as the fully secure analogues given by Lewko and Waters [27] and Lewko [26].

- By shifting from the DLIN assumption to the simpler SXDH assumption, we obtain an IBE scheme that is syntactically simpler and achieves shorter parameters. Specifically, Lewko's IBE scheme [26] relies on 6 basis vectors to simulate the subgroup structure of the Lewko-Waters IBE scheme [27], whereas our construction uses only 4 basis vectors. This means that we can use a 4-dimensional vector space instead of a 6-dimensional one. As a result, we save two group elements in both the secret key and the ciphertext, that is, by a factor of 1/3. The savings for the public parameters and master key are even more substantial, because we use only two basis vectors for the main scheme, as opposed to four basis vectors in Lewko's scheme. In both our scheme and Lewko's, the remaining two basis vectors are used for the semi-functional components in the proof of security.

- The final step of the proof of security (after switching to semi-functional secret keys and ciphertexts) is different from that of Lewko's. We rely on an information-theoretic argument similar to that in [32] instead of computational arguments.

- Finally, we believe that our SXDH instantiation constitutes a simpler demonstration of the power of dual pairing vector spaces.

We also show how to instantiate our framework for Inner Product Encryption (IPE) [25] and Key-Policy Functional Encryption (KP-FE) [32]. All parameters of our constructions are shorter than those of the DLIN-based constructions [32]. Table 3 gives a summary of comparisons between the IPE/KP-FE schemes of [32] and ours.

Table 3. Comparison between the IPE/KP-FE schemes of [32] and ours (all measurements are rough estimates after removing small terms).

  IPE
  Source    PP                    SK          CT                  # pairings  Assumptions
  OT [32]   3n^2 |G0| + |GT|      3n |G0|     3n |G0| + |GT|      3n          DLIN
  Ours      2n^2 |G1| + |GT|      2n |G2|     2n |G1| + |GT|      2n          SXDH

  KP-FE
  Source    PP                    SK          CT                  # pairings  Assumptions
  OT [32]   3n^2 d |G0| + |GT|    3nâ |G0|    3nd |G0| + |GT|     3nâ         DLIN
  Ours      2n^2 d |G1| + |GT|    2nâ |G2|    2nd |G1| + |GT|     2nâ         SXDH

Here n refers to the dimension parameter in the IPE setting, or to the maximal dimension of an attribute vector in the KP-FE setting; d denotes the size of the attribute set; and â is the number of rows in the matrix of the access structure.

Independent work of Ramanna et al. An independent work of Ramanna, Chatterjee and Sarkar [33] also demonstrated how to obtain more efficient fully secure IBE via asymmetric pairings. Similar to our work, their constructions rely on dual system encryption; however, they do not make use of dual pairing vector spaces. Our constructions achieve shorter ciphertexts and secret keys than their work, while relying on a single assumption (whereas their construction relies on a triplet of assumptions). Moreover, our scheme achieves anonymity; theirs does not. Finally, they obtain their schemes via careful optimizations, whereas our scheme is derived via a more general framework.

2 Preliminaries

In what follows, we borrow the definition and the game-based security model for Functional Encryption (FE) from [2], which are adequate to define all encryption systems in this paper.

2.1 Functional Encryption

As in [2], we first describe a functionality F̂ for the syntactic definition of FE. The functionality F̂ describes the functions of a plaintext that can be learned from the ciphertext:

Definition 1. A functionality F̂ defined over (K, X) is a function F̂ : K × X → {0,1}*, described as a (deterministic) Turing Machine. The set K is called the key space and the set X is called the plaintext space. We require that the key space K contain a special key called the empty key, denoted ϱ.

An FE scheme for the functionality F̂ enables one to evaluate F̂(v, x) given the encryption of x and a secret key SK_v for v. The algorithm for evaluating F̂(v, x) using SK_v is called decrypt. More precisely, an FE scheme is defined as follows:

Definition 2. A functional encryption scheme (FE) for a functionality F̂ defined over (K, X) is a tuple of four probabilistic polynomial-time (PPT) algorithms (Setup, KeyGen, Enc, Dec) satisfying the following correctness condition for all v ∈ K and x ∈ X: if

  (PP, MK) ← Setup(1^λ)          (generate a public and master secret key pair)
  SK_v ← KeyGen(PP, MK, v)        (generate a secret key for v)
  CT ← Enc(PP, x)                 (encrypt plaintext x)
  y ← Dec(PP, SK_v, CT)           (use SK_v to compute F̂(v, x) from CT)

then we require that y = F̂(v, x) with probability 1.

The empty key ϱ. The special key ϱ in K captures all the information about the plaintext that intentionally leaks from the ciphertext. The secret key for ϱ is empty and is also denoted by ϱ. Thus, anyone can run Dec(PP, ϱ, CT) on a ciphertext CT ← Enc(PP, x) and obtain all the information about x that intentionally leaks from CT. Take IBE for example: F̂(ϱ, (id, m)) outputs only |m| (the length of the message m) in the attribute-hiding setting, while it outputs |m| and the identity id in the payload-hiding setting. Henceforth, we assume that every FE scheme contains the empty key ϱ in the key space K and we will not explicitly mention it.

We now define the security model for FE. For the plaintext pair (x0, x1) of an adversary's choice, we need the following requirement to make the experiment non-trivial:

  F̂(v, x0) = F̂(v, x1) for all v for which the adversary has SK_v.     (1)

Then we define a security game for an FE scheme as follows:

Definition 3. For β = 0, 1, define an experiment β for an adversary A as follows:

  Setup: It runs (PP, MK) ← Setup(1^λ) and gives PP to A.
  Query: A adaptively submits key queries v_i ∈ K for i = 1, 2, ..., and is given SK_{v_i} ← KeyGen(PP, MK, v_i).
  Challenge: A submits two plaintexts x0, x1 ∈ X satisfying requirement (1) and in return receives Enc(PP, x_β).
  Guess: A continues to issue key queries as before, subject to requirement (1), and eventually outputs a bit in {0, 1}.

For β = 0, 1, let W_β be the event that the adversary outputs 1 in Experiment β, and define

  Adv^FE_A(λ) := |Pr[W_0] − Pr[W_1]|.

Definition 4. An FE scheme is fully secure if for all PPT adversaries A the function Adv^FE_A(λ) is negligible.

In all encryption systems of this paper, a plaintext x ∈ X is itself a pair (ind, m) ∈ I × M, where ind is called an index and m is called the payload message. Let x0 = (ind0, m0), x1 = (ind1, m1) ∈ X be the adversary's choice of plaintext pair; we then consider the following variations:

- If the adversary's choice is subject to the restriction that ind0 = ind1, the security game is under the payload-hiding model;

- If the adversary's queries are subject to the restriction that F̂(v_i, (ind0, m0)) ≠ m0 and F̂(v_i, (ind1, m1)) ≠ m1 for all key queries v_i, the security game is under the weakly attribute-hiding (or anonymous) model.

2.2 Identity-Based Encryption

In the IBE setting, a functionality F̂ is defined over a key space and an index space using sets of identities. The key space K and index space I for IBE then correspond to all identities id. Here

  F̂(id, (id', m)) := m if id = id', and ⊥ otherwise.

2.3 Inner Product Encryption

In the IPE setting, a functionality F̂ is defined over a key space and an index space using sets of vectors. The key space K (resp. index space I) for IPE then corresponds to all non-zero vectors v (resp. x). Here

  F̂(v, (x, m)) := m if x · v = 0, and ⊥ otherwise.

2.4 Key-Policy Functional Encryption

We first describe the concept of span programs, typically required by ABE.

Definition 5 (Span Programs [6]). Let {p1, ..., pn} be a set of variables. A span program over Z_q is a labeled matrix (Â, ρ̂) where Â is an (â × b̂) matrix over Z_q and ρ̂ is a labeling of the rows of Â by literals from {p1, ..., pn, ¬p1, ..., ¬pn} (every row is labeled by one literal), i.e., ρ̂ : [â] → {p1, ..., pn, ¬p1, ..., ¬pn}.

A span program accepts or rejects an input by the following criterion. For every input sequence δ ∈ {0,1}^n, define the submatrix Â_δ of Â consisting of those rows whose labels are set to 1 by the input, i.e., either rows labeled by some p_i such that δ_i = 1 or rows labeled by some ¬p_i such that δ_i = 0. (That is, γ̂ : [â] → {0,1} is defined by γ̂(j) = 1 if [ρ̂(j) = p_i] ∧ [δ_i = 1] or [ρ̂(j) = ¬p_i] ∧ [δ_i = 0], and γ̂(j) = 0 otherwise. Let Â_δ := (Â_j)_{γ̂(j)=1}, where Â_j is the j-th row of Â.) The span program (Â, ρ̂) accepts δ if and only if 1 ∈ span⟨Â_δ⟩, i.e., some linear combination of the rows of Â_δ gives the all-one vector, where 1 = (1, ..., 1). A span program computes a Boolean function f̂ if it accepts exactly those inputs δ where f̂(δ) = 1.

A span program is called monotone if the labels of the rows are only the positive literals {p1, ..., pn}. Otherwise, it is non-monotone.

We now give the notion of a non-monotone access structure with evaluating map γ̂ by using inner products of attribute vectors.

Definition 6 (Inner Products of Attribute Vectors and Access Structures [32]). U_i (i = 1, ..., d and U_i ⊂ {0,1}*) is a sub-universe, a set of attributes, each of which is expressed by a pair of a sub-universe id and an n_i-dimensional vector, i.e., (i, v), where i ∈ [d] and v ∈ Z_q^{n_i} \ {0}. We denote such a structure as n := (d; n_1, ..., n_d).

We define such an attribute to be a variable p of a span program (Â, ρ̂), i.e., p := (i, x). An access structure S is a span program (Â, ρ̂) along with variables p := (i, x), p' := (i', x'), ..., i.e., S := (Â, ρ̂) such that ρ̂ : [â] → {(i, x), (i', x'), ..., ¬(i, x), ¬(i', x'), ...}.

Let Γ be a set of attributes, i.e., Γ := {(i, v_i) | v_i ∈ Z_q^{n_i} \ {0}, 1 ≤ i ≤ d}, where 1 ≤ i ≤ d means that i is an element of some subset of [d].

When Γ is given to the access structure S, the map γ̂ : [â] → {0,1} for span program (Â, ρ̂) is defined as follows: for all j ∈ [â], set γ̂(j) = 1 if [ρ̂(j) = (i, x_j)] ∧ [(i, v_i) ∈ Γ] ∧ [x_j · v_i = 0] or [ρ̂(j) = ¬(i, x_j)] ∧ [(i, v_i) ∈ Γ] ∧ [x_j · v_i ≠ 0]. Set γ̂(j) = 0 otherwise.

Access structure S := (Â, ρ̂) accepts Γ iff 1 ∈ span⟨(Â_j)_{γ̂(j)=1}⟩.

We use the following secret-sharing scheme for a non-monotone access structure or span program.

Definition 7. A secret-sharing scheme for access structure S is a linear secret-sharing scheme (LSSS) over Z_q and is represented by (Â, ρ̂) if it consists of two efficient algorithms:

  LinShare_(Â,ρ̂): Let Â be the â × b̂ share-generating matrix. Let f := (w_1, ..., w_b̂) ← Z_q^{b̂}. Then s_0 := 1 · f is the secret to be shared, and s := (s_1, ..., s_â) := Â f^T is the vector of â shares of the secret s_0, where share s_j belongs to ρ̂(j).

  LinRecon_(Â,ρ̂): If the span program (Â, ρ̂) accepts δ, or the access structure S := (Â, ρ̂) accepts Γ, i.e., 1 ∈ span⟨(Â_j)_{γ̂(j)=1}⟩ with γ̂ : [â] → {0,1}, then there exist constants {α_j ∈ Z_q | j ∈ Π} such that Π ⊆ {j ∈ [â] | γ̂(j) = 1} and Σ_{j∈Π} α_j s_j = s_0. Furthermore, these constants α_j can be computed in time polynomial in the size of the matrix Â.

In a KP-FE scheme supporting non-monotone access structures, a functionality F̂ is defined over a key space and an index space using sets of non-monotone access structures and attribute vector tuples, respectively (see Definition 6). The key space K corresponds to all non-monotone access structures S := (Â, ρ̂), while the index space I corresponds to all attribute sets Γ. Here

  F̂(S, (Γ, m)) := m if S := (Â, ρ̂) accepts Γ, and ⊥ otherwise.

2.5 Dual Pairing Vector Spaces

Our constructions are based on dual pairing vector spaces proposed by Okamoto and Takashima [30, 31]. In this paper, we concentrate on the asymmetric version [32]. We only briefly describe how to generate random dual orthonormal bases. See [30, 31, 32] for a full definition of dual pairing vector spaces.

Definition 8 (Asymmetric bilinear pairing groups). Asymmetric bilinear pairing groups (q, G1, G2, GT, g1, g2, e) are a tuple of a prime q, cyclic (multiplicative) groups G1, G2 and GT of order q, g1 ∈ G1, g2 ∈ G2, and a polynomial-time computable nondegenerate bilinear pairing e : G1 × G2 → GT, i.e., e(g1^s, g2^t) = e(g1, g2)^{st} and e(g1, g2) ≠ 1.

In addition to referring to individual elements of G1 or G2, we will also consider vectors of group elements. For v = (v_1, ..., v_n) ∈ Z_q^n and g_β ∈ G_β, we write g_β^v to denote the n-tuple of elements of G_β, for β = 1, 2:

  g_β^v := (g_β^{v_1}, ..., g_β^{v_n}).

For any a ∈ Z_q and v, w ∈ Z_q^n, we have

  g_β^{av} := (g_β^{a v_1}, ..., g_β^{a v_n}),    g_β^{v+w} := (g_β^{v_1 + w_1}, ..., g_β^{v_n + w_n}).

Then we define

  e(g1^v, g2^w) := Π_{i=1}^{n} e(g1^{v_i}, g2^{w_i}) = e(g1, g2)^{v · w}.

Here, the dot product is taken modulo q.

Dual Pairing Vector Spaces. For a fixed (constant) dimension n, we will choose two random bases B := (b_1, ..., b_n) and B* := (b*_1, ..., b*_n) of Z_q^n, subject to the constraint that they are dual orthonormal, meaning that

  b_j · b*_k ≡ 0 (mod q) whenever j ≠ k, and b_j · b*_j ≡ ψ (mod q) for all j,

where ψ is a random element of Z_q. We denote such an algorithm as Dual(Z_q^n). Then for generators g1 ∈ G1 and g2 ∈ G2, we have e(g1^{b_j}, g2^{b*_k}) = 1 whenever j ≠ k, where 1 here denotes the identity element in GT.
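The following worked computation is added here and is not part of the original paper; it uses only the definitions above. It shows what dual orthonormality buys once vectors are placed in the exponent: the pairing of a G1-vector and a G2-vector expressed in the bases B and B* depends only on their coefficient vectors x, y ∈ Z_q^n and on ψ, never on the (random, hidden) basis vectors themselves.

$$
e\!\left(g_1^{\sum_{j=1}^{n} x_j b_j},\; g_2^{\sum_{k=1}^{n} y_k b^*_k}\right)
= e(g_1,g_2)^{\left(\sum_j x_j b_j\right)\cdot\left(\sum_k y_k b^*_k\right)}
= e(g_1,g_2)^{\sum_{j,k} x_j y_k \,(b_j\cdot b^*_k)}
= e(g_1,g_2)^{\psi \sum_{j} x_j y_j}
= e(g_1,g_2)^{\psi\, x\cdot y} .
$$

The third equality uses b_j · b*_k ≡ 0 for j ≠ k and b_j · b*_j ≡ ψ. Consequently a G1-vector supported only on b_1, b_2 pairs to 1 with any G2-vector supported only on b*_3, b*_4: the two unused basis directions form an invisible "slot", which is exactly how the semi-functional components of Section 1.3 are carried without affecting decryption of normal ciphertexts. For the IBE of Section 4.1 the coefficient vectors are x = z(1, id, 0, 0) and y = (α + r·id, −r, 0, 0), so the exponent is ψ z(α + r·id − r·id) = ψαz, which is the exponent of (g_T^α)^z.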

More generally, we can sample multiple tuples of dual orthonormal bases. Namely, for fixed (constant) dimensions n_1, ..., n_d, we choose d tuples of two random bases B_i := (b_{1,i}, ..., b_{n_i,i}) and B*_i := (b*_{1,i}, ..., b*_{n_i,i}) of Z_q^{n_i}, subject to the constraint that they are dual orthonormal, meaning that b_{j,i} · b*_{k,i} ≡ 0 (mod q) whenever j ≠ k, and b_{j,i} · b*_{j,i} ≡ ψ (mod q) for all j and i, where ψ is a random element of Z_q. We denote such an algorithm as Dual(Z_q^{n_1}, ..., Z_q^{n_d}).

2.6 SXDH Assumptions

Definition 9 (DDH1: Decisional Diffie-Hellman Assumption in G1). Given a group generator G, we define the following distribution:

  G := (q, G1, G2, GT, g1, g2, e) ← G,    a, b, c ← Z_q,    D := (G; g1, g2, g1^a, g1^b).

We assume that for any PPT algorithm A (with output in {0,1}),

  Adv^DDH1_A(λ) := |Pr[A(D, g1^{ab}) = 1] − Pr[A(D, g1^{ab+c}) = 1]|

is negligible in the security parameter λ.

The dual of the above assumption is the Decisional Diffie-Hellman assumption in G2 (denoted as DDH2), which is identical to Definition 9 with the roles of G1 and G2 reversed. We say that:

Definition 10. The Symmetric External Diffie-Hellman assumption holds if the DDH problems are intractable in both G1 and G2.

2.7 Statistical Indistinguishability Lemma

We require the following lemma for our security proofs, which is derived from [32].

Lemma 1. For p ∈ Z_q, let C_p := {(x, v) | x · v = p, x ≠ 0, v ≠ 0} ⊂ Z_q^n × Z_q^n. For all (x, v) ∈ C_p, for all (z, w) ∈ C_p, and A ← Z_q^{n×n} (which is invertible with overwhelming probability),

  Pr[x A = z ∧ v (A^{-1})^T = w] = 1 / #C_p.

3 Subspace Assumptions via SXDH

In this section, we present Subspace assumptions derived from the SXDH assumption. We will rely on these assumptions later to instantiate our encryption schemes. These are analogues of the DLIN-based Subspace assumptions given in [26, 32].

3.1 Decisional Subspace Assumption

Definition 11 (DS1: Decisional Subspace Assumption in G1). Given a group generator G(·), define the following distribution:

  G := (q, G1, G2, GT, g1, g2, e) ← G(1^λ),    (B, B*) ← Dual(Z_q^N),    τ1, τ2, µ1, µ2 ← Z_q,
  U_1 := g2^{µ1 b*_1 + µ2 b*_{K+1}}, ..., U_K := g2^{µ1 b*_K + µ2 b*_{2K}},
  V_1 := g1^{τ1 b_1}, ..., V_K := g1^{τ1 b_K},
  W_1 := g1^{τ1 b_1 + τ2 b_{K+1}}, ..., W_K := g1^{τ1 b_K + τ2 b_{2K}},
  D := (G; g2^{b*_1}, ..., g2^{b*_K}, g2^{b*_{2K+1}}, ..., g2^{b*_N}, g1^{b_1}, ..., g1^{b_N}, U_1, ..., U_K, µ2),

where K, N are fixed positive integers that satisfy 2K ≤ N. We assume that for any PPT algorithm A (with output in {0,1}),

  Adv^DS1_A(λ) := |Pr[A(D, V_1, ..., V_K) = 1] − Pr[A(D, W_1, ..., W_K) = 1]|

is negligible in the security parameter λ.

Lemma 2. If the DDH assumption in G1 holds, then the Subspace assumption in G1 stated in Definition 11 also holds. More precisely, for any adversary A against the Subspace assumption in G1, there exists a probabilistic algorithm B whose running time is essentially the same as that of A, such that

  Adv^DS1_A(λ) ≤ Adv^DDH1_B(λ).

Proof. We assume there exists a PPT algorithm A breaking the Subspace assumption with non-negligible advantage Adv^DS1_A(λ) (for some fixed positive integers K, N satisfying N ≥ 2K). We create a PPT algorithm B which breaks the DDH assumption in G1 with non-negligible advantage Adv^DS1_A(λ). B is given g1, g2, g1^a, g1^b, T, where T is either g1^{ab} or a uniformly random element of G1.

B first samples random dual orthonormal bases, denoted by f_1, ..., f_N and f*_1, ..., f*_N. By definition, B chooses vectors f_1, ..., f_N, f*_1, ..., f*_N randomly, subject to the constraints that f_j · f*_k ≡ 0 (mod q) when j ≠ k, and f_j · f*_j ≡ ψ (mod q) for all j from 1 to N, where ψ is a random element of Z_q. Then, B implicitly sets:

  b_1 := f_1 + a f_{K+1}, ..., b_K := f_K + a f_{2K},    b_{K+1} := f_{K+1}, ..., b_N := f_N.

B also sets the dual basis as:

  b*_1 := f*_1, ..., b*_K := f*_K,    b*_{K+1} := f*_{K+1} − a f*_1, ..., b*_{2K} := f*_{2K} − a f*_K,    b*_{2K+1} := f*_{2K+1}, ..., b*_N := f*_N.

We observe that under these definitions, b_j · b*_k ≡ 0 (mod q) when j ≠ k, and b_j · b*_j ≡ ψ (mod q) for all j from 1 to N. Indeed, only vectors with indices in [2K] differ from the f-vectors, and for j, k ∈ [K] we have b_j · b*_k = f_j · f*_k + a f_{K+j} · f*_k = ψ·[j = k], b_j · b*_{K+k} = f_j · f*_{K+k} − a f_j · f*_k + a f_{K+j} · f*_{K+k} − a^2 f_{K+j} · f*_k = −aψ·[j = k] + aψ·[j = k] = 0, b_{K+j} · b*_k = f_{K+j} · f*_k = 0, and b_{K+j} · b*_{K+k} = f_{K+j} · f*_{K+k} − a f_{K+j} · f*_k = ψ·[j = k]. We note that B can produce all of g1^{b_1}, ..., g1^{b_N} (given g1, g1^a) as well as

g2^{b*_1}, ..., g2^{b*_K} and g2^{b*_{2K+1}}, ..., g2^{b*_N} (given g2). However, B cannot produce g2^{b*_{K+1}}, ..., g2^{b*_{2K}} (these require knowledge of g2^a). It is not difficult to check that b_1, ..., b_N and b*_1, ..., b*_N are properly distributed.

Now B creates U_1, ..., U_K by choosing random values µ'_1, µ_2 ∈ Z_q and setting:

  U_1 := g2^{µ'_1 b*_1 + µ_2 f*_{K+1}} = g2^{(µ'_1 + aµ_2) b*_1 + µ_2 b*_{K+1}},

using f*_{K+1} = b*_{K+1} + a b*_1. In other words, B has implicitly set µ_1 := µ'_1 + aµ_2 and µ_2 := µ_2. We note that these values are uniformly random, and µ_2 is known to B. B can then form U_2, ..., U_K as:

  U_2 := g2^{µ'_1 b*_2 + µ_2 f*_{K+2}}, ..., U_K := g2^{µ'_1 b*_K + µ_2 f*_{2K}}.

B implicitly sets τ_1 := b, τ_2 := c and computes:

  T_1 := T^{f_{K+1}} (g1^b)^{f_1}, ..., T_K := T^{f_{2K}} (g1^b)^{f_K}.

If T = g1^{ab}, then these are distributed as V_1, ..., V_K, since

  T^{f_{K+j}} (g1^b)^{f_j} = g1^{b(f_j + a f_{K+j})} = g1^{τ_1 b_j}.

If T = g1^{ab+c}, then these are distributed as W_1, ..., W_K, since

  T^{f_{K+j}} (g1^b)^{f_j} = g1^{b(f_j + a f_{K+j}) + c f_{K+j}} = g1^{τ_1 b_j + τ_2 b_{K+j}}.

B then gives

  D := (G; g2^{b*_1}, ..., g2^{b*_K}, g2^{b*_{2K+1}}, ..., g2^{b*_N}, g1^{b_1}, ..., g1^{b_N}, U_1, ..., U_K, µ_2)

to A, along with T_1, ..., T_K. B can then leverage A's advantage Adv^DS1_A(λ) in distinguishing between the distributions (V_1, ..., V_K) and (W_1, ..., W_K) to achieve an advantage Adv^DDH1_B(λ) in distinguishing T = g1^{ab} from T = g1^{ab+c}, hence violating the DDH assumption in G1. □

The dual of the Subspace assumption in G1 is the Subspace assumption in G2 (denoted as DS2), which is identical to Definition 11 with the roles of G1 and G2 reversed. Similarly, we can prove that the Subspace assumption holds in G2 if the DDH assumption in G2 holds.

3.2 Generalized Decisional Subspace Assumption

We generalize the Decisional Subspace Assumption to multiple tuples of dual orthonormal bases.

Definition 12 (GDS1: Generalized Decisional Subspace Assumption in G1). Given a group generator G(·), define the following distribution:

  G := (q, G1, G2, GT, g1, g2, e) ← G(1^λ),    (B, B*) ← Dual(Z_q^{N_1}, ..., Z_q^{N_d}),    τ1, τ2, µ1, µ2 ← Z_q,
  U_{1,i} := g2^{µ1 b*_{1,i} + µ2 b*_{K_i+1,i}}, ..., U_{K_i,i} := g2^{µ1 b*_{K_i,i} + µ2 b*_{2K_i,i}}    for i ∈ [d],
  V_{1,i} := g1^{τ1 b_{1,i}}, ..., V_{K_i,i} := g1^{τ1 b_{K_i,i}}    for i ∈ [d],
  W_{1,i} := g1^{τ1 b_{1,i} + τ2 b_{K_i+1,i}}, ..., W_{K_i,i} := g1^{τ1 b_{K_i,i} + τ2 b_{2K_i,i}}    for i ∈ [d],
  D := (G; {g2^{b*_{1,i}}, ..., g2^{b*_{K_i,i}}, g2^{b*_{2K_i+1,i}}, ..., g2^{b*_{N_i,i}}, g1^{b_{1,i}}, ..., g1^{b_{N_i,i}}, U_{1,i}, ..., U_{K_i,i}}_{i∈[d]}, µ2),

where $K_i, N_i$ are fixed positive integers that satisfy $2K_i \le N_i$ for $i \in [d]$. We assume that for any PPT algorithm $\mathcal{A}$ (with output in $\{0,1\}$),

$$\mathrm{Adv}^{GDS1}_{\mathcal{A}}(\lambda) := \Big|\Pr\big[\mathcal{A}(D, \{V_{1,i},\ldots,V_{K_i,i}\}_{i\in[d]}) = 1\big] - \Pr\big[\mathcal{A}(D, \{W_{1,i},\ldots,W_{K_i,i}\}_{i\in[d]}) = 1\big]\Big|$$

is negligible in the security parameter $\lambda$.

Lemma 3. If the DDH assumption in $\mathbb{G}_1$ holds, then the Generalized Subspace assumption in $\mathbb{G}_1$ stated in Definition 2 also holds. More precisely, for any adversary $\mathcal{A}$ against the Generalized Subspace assumption in $\mathbb{G}_1$, there exist probabilistic algorithms $\mathcal{B}$ whose running times are essentially the same as that of $\mathcal{A}$, such that $\mathrm{Adv}^{GDS1}_{\mathcal{A}}(\lambda) \le \mathrm{Adv}^{DDH1}_{\mathcal{B}}(\lambda)$.

The proof of the above lemma is essentially the same as that of Lemma 2. The dual of the Generalized Subspace assumption in $\mathbb{G}_1$ is the Generalized Subspace assumption in $\mathbb{G}_2$ (denoted as GDS2), which is identical to Definition 2 with the roles of $\mathbb{G}_1$ and $\mathbb{G}_2$ reversed. Similarly, we can prove that the Generalized Subspace assumption holds in $\mathbb{G}_2$ if the DDH assumption in $\mathbb{G}_2$ holds.

4 Identity-Based Encryption

We first present our IBE construction along with our proof of its security under the SXDH assumption.

Construction. We begin with our IBE scheme:

Setup($1^\lambda$): This algorithm takes in the security parameter $\lambda$ and generates a bilinear pairing $\mathbb{G} := (q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, g_1, g_2, e)$ for sufficiently large prime order $q$. The algorithm samples random dual orthonormal bases $(\mathbb{D}, \mathbb{D}^*) \leftarrow_R \mathrm{Dual}(\mathbb{Z}_q^4)$. Let $d_1,\ldots,d_4$ denote the elements of $\mathbb{D}$ and $d_1^*,\ldots,d_4^*$ denote the elements of $\mathbb{D}^*$. It also picks $\alpha \leftarrow_R \mathbb{Z}_q$, computes $g_T^\alpha := e(g_1,g_2)^{\alpha\, d_1\cdot d_1^*}$, and outputs the public parameters as
$$PP := \big(\mathbb{G};\ g_T^\alpha,\ g_1^{d_1},\ g_1^{d_2}\big),$$
and the master key
$$MK := \big(\alpha,\ g_2^{d_1^*},\ g_2^{d_2^*}\big).$$

KeyGen($PP, MK, id$): This algorithm picks $r \leftarrow_R \mathbb{Z}_q$. The secret key is computed as
$$SK_{id} := g_2^{\alpha d_1^* + r(id\, d_1^* - d_2^*)}.$$

Enc($PP, id, m$): This algorithm picks $z \leftarrow_R \mathbb{Z}_q$ and forms the ciphertext as
$$CT_{id} := \big(C := m \cdot (g_T^\alpha)^z,\ C_0 := g_1^{z(d_1 + id\, d_2)}\big).$$

Dec($PP, SK_{id}, CT_{id}$): This algorithm computes the message as
$$m := C / e(C_0, SK_{id}).$$

We note that applying Naor's transform [9, ] to our scheme, we can also obtain an efficient signature scheme.

Correctness. Correctness is straightforward:
$$e(C_0, SK_{id}) = e\big(g_1^{z(d_1 + id\, d_2)},\ g_2^{\alpha d_1^* + r(id\, d_1^* - d_2^*)}\big) = e(g_1,g_2)^{\alpha z\, d_1\cdot d_1^*} \cdot e(g_1,g_2)^{zr\, id\, d_1\cdot d_1^* - zr\, id\, d_2\cdot d_2^*} = g_T^{\alpha z}.$$

Proof of Security. We prove the following theorem by showing a series of lemmas.

Theorem 1. The IBE scheme is fully secure and weakly attribute-hiding (anonymous) under the SXDH assumption. More precisely, for any adversary $\mathcal{A}$ against the IBE scheme, there exist probabilistic algorithms $\mathcal{B}_0, \mathcal{B}_1, \ldots, \mathcal{B}_{q_n}$ whose running times are essentially the same as that of $\mathcal{A}$, such that
$$\mathrm{Adv}^{IBE}_{\mathcal{A}}(\lambda) \le \mathrm{Adv}^{DDH1}_{\mathcal{B}_0}(\lambda) + \sum_{\kappa=1}^{q_n} \mathrm{Adv}^{DDH2}_{\mathcal{B}_\kappa}(\lambda) + (6q_n + 3)/q,$$
where $q_n$ is the maximum number of $\mathcal{A}$'s key queries.

We adopt the dual system encryption methodology by Waters [37] to prove the security of our IBE scheme. We use the concepts of semi-functional ciphertexts and semi-functional keys in our proof and provide algorithms that generate them. We note that these algorithms are only provided for definitional purposes, and are not part of the IBE system. In particular, they do not need to be efficiently computable from the public parameters and the master key.

KeyGenSF: The algorithm picks $r, \nu_1, \nu_2 \leftarrow_R \mathbb{Z}_q$ and forms a semi-functional secret key as
$$SK^{(SF)}_{id} := g_2^{\alpha d_1^* + r(id\, d_1^* - d_2^*) + [\nu_1 d_3^* + \nu_2 d_4^*]}. \qquad (2)$$

EncryptSF: The algorithm picks $z, \chi_1, \chi_2 \leftarrow_R \mathbb{Z}_q$ and forms a semi-functional ciphertext as
$$CT^{(SF)}_{id} := \big(C := m \cdot (g_T^\alpha)^z,\ C_0 := g_1^{z(d_1 + id\, d_2) + [\chi_1 d_3 + \chi_2 d_4]}\big). \qquad (3)$$

We observe that if one applies the decryption procedure with a semi-functional key and a normal ciphertext, decryption will succeed because $d_3^*, d_4^*$ are orthogonal to all of the vectors in the exponent of $C_0$, and hence have no effect on decryption. Similarly, decryption of a semi-functional ciphertext by a normal key will also succeed because $d_3, d_4$ are orthogonal to all of the vectors in the exponent of the key. When both the ciphertext and key are semi-functional, the result of $e(C_0, SK_{id})$ will have an additional term, namely
$$e(g_1,g_2)^{\nu_1\chi_1\, d_3\cdot d_3^* + \nu_2\chi_2\, d_4\cdot d_4^*} = g_T^{\nu_1\chi_1 + \nu_2\chi_2}.$$
Decryption will then fail unless $\nu_1\chi_1 + \nu_2\chi_2 \equiv 0 \pmod q$. If this modular equation holds, we say that the key and ciphertext pair is nominally semi-functional.

For a probabilistic polynomial-time adversary $\mathcal{A}$ which makes $q_n$ key queries $id_1,\ldots,id_{q_n}$, our proof of security consists of the following sequence of games between $\mathcal{A}$ and a challenger $\mathcal{B}$:

Game_Real: is the real security game.

Game_0: is the same as Game_Real except that the challenge ciphertext is semi-functional.

Game_κ: for $\kappa$ from 1 to $q_n$, Game_κ is the same as Game_0 except that the first $\kappa$ keys are semi-functional and the remaining keys are normal.

Game_Final: is the same as Game_{q_n}, except that the challenge ciphertext is a semi-functional encryption of a random message in $\mathbb{G}_T$ and under a random identity in $\mathbb{Z}_q$. We denote the challenge ciphertext in Game_Final as $CT^{(R)}_{id_R}$.

We prove the following lemmas to show that the above games are indistinguishable, following a strategy analogous to that of [26, 28]. Our main arguments are computational indistinguishability (guaranteed by the Subspace assumptions, which are implied by the SXDH assumption) and statistical indistinguishability. The advantage gap between Game_Real and Game_0 is bounded by the advantage of the Subspace assumption in $\mathbb{G}_1$. Additionally, we require a statistical indistinguishability argument to show that the distribution of the challenge ciphertext remains the same from the adversary's view. For $\kappa$ from 1 to $q_n$, the advantage gap between Game_{κ−1} and Game_κ is bounded by the advantage of the Subspace assumption in $\mathbb{G}_2$. Similarly, we require a statistical indistinguishability argument to show that the distribution of the $\kappa$-th semi-functional key remains the same from the adversary's view. Finally, we statistically transform Game_{q_n} to Game_Final in one step, i.e., we show that the joint distributions of
$$\big(PP,\ CT^{(SF)}_{id_\beta},\ \{SK^{(SF)}_{id_l}\}_{l=1,\ldots,q_n}\big) \quad\text{and}\quad \big(PP,\ CT^{(R)}_{id_R},\ \{SK^{(SF)}_{id_l}\}_{l=1,\ldots,q_n}\big)$$
are equivalent for the adversary's view.

We let $\mathrm{Adv}^{Game_{Real}}_{\mathcal{A}}$ denote an adversary $\mathcal{A}$'s advantage in the real game.

Lemma 4. Suppose that there exists an adversary $\mathcal{A}$ where $|\mathrm{Adv}^{Game_{Real}}_{\mathcal{A}}(\lambda) - \mathrm{Adv}^{Game_0}_{\mathcal{A}}(\lambda)| = \epsilon$. Then there exists an algorithm $\mathcal{B}_0$ such that $\mathrm{Adv}^{DS1}_{\mathcal{B}_0}(\lambda) = \epsilon - 2/q$, with $K = 2$ and $N = 4$.

Proof. $\mathcal{B}_0$ is given $D := (\mathbb{G};\ g_2^{b_1^*}, g_2^{b_2^*},\ g_1^{b_1},\ldots,g_1^{b_4},\ U_1, U_2,\ \mu_2)$ along with $T_1, T_2$. We require that $\mathcal{B}_0$ decides whether $T_1, T_2$ are distributed as $g_1^{\tau_1 b_1}, g_1^{\tau_1 b_2}$ or $g_1^{\tau_1 b_1 + \tau_2 b_3}, g_1^{\tau_1 b_2 + \tau_2 b_4}$. $\mathcal{B}_0$ simulates Game_Real or Game_0 with $\mathcal{A}$, depending on the distribution of $T_1, T_2$. To compute the public parameters and master secret key, $\mathcal{B}_0$ first chooses a random invertible matrix $A \in \mathbb{Z}_q^{2\times 2}$. We implicitly set dual orthonormal bases $\mathbb{D}, \mathbb{D}^*$ to:
$$d_1 := b_1,\quad d_2 := b_2,\quad (d_3, d_4) := (b_3, b_4)\,A,\qquad d_1^* := b_1^*,\quad d_2^* := b_2^*,\quad (d_3^*, d_4^*) := (b_3^*, b_4^*)\,(A^{-1})^{\top}.$$
We note that $\mathbb{D}, \mathbb{D}^*$ are properly distributed, and reveal no information about $A$. Moreover, $\mathcal{B}_0$ cannot generate $g_2^{d_3^*}, g_2^{d_4^*}$, but these will not be needed for creating normal keys. $\mathcal{B}_0$ chooses a random value $\alpha \in \mathbb{Z}_q$ and computes $g_T^\alpha := e(g_1,g_2)^{\alpha\, d_1\cdot d_1^*}$. It then gives the public parameters $PP := (\mathbb{G};\ g_T^\alpha, g_1^{d_1}, g_1^{d_2})$ to $\mathcal{A}$.

The master key $MK := (\alpha, g_2^{d_1^*}, g_2^{d_2^*})$ is known to $\mathcal{B}_0$, which allows $\mathcal{B}_0$ to respond to all of $\mathcal{A}$'s key queries by calling the normal key generation algorithm.

$\mathcal{A}$ sends $\mathcal{B}_0$ two pairs $(m_0, id_0)$ and $(m_1, id_1)$. $\mathcal{B}_0$ chooses a random bit $\beta \in \{0,1\}$, and encrypts $m_\beta$ under $id_\beta$ as follows:
$$C := m_\beta \cdot \big(e(T_1, g_2^{b_1^*})\big)^{\alpha} = m_\beta\,(g_T^\alpha)^z,\qquad C_0 := T_1 \cdot T_2^{\,id_\beta},$$
where $\mathcal{B}_0$ has implicitly set $z := \tau_1$. It gives the ciphertext $(C, C_0)$ to $\mathcal{A}$.

Now, if $T_1, T_2$ are equal to $g_1^{\tau_1 b_1}, g_1^{\tau_1 b_2}$, then this is a properly distributed normal encryption of $m_\beta$. In this case, $\mathcal{B}_0$ has properly simulated Game_Real. If $T_1, T_2$ are equal to $g_1^{\tau_1 b_1 + \tau_2 b_3}, g_1^{\tau_1 b_2 + \tau_2 b_4}$ instead, then the ciphertext element $C_0$ has an additional term of $\tau_2(b_3 + id_\beta\, b_4)$ in its exponent. The coefficients here in the basis $b_3, b_4$ form the vector $\tau_2(1, id_\beta)$. To compute the coefficients in the basis $d_3, d_4$, we multiply the matrix $A^{-1}$ by the transpose of this vector, obtaining $\tau_2 A^{-1}(1, id_\beta)^{\top}$. Since $A$ is random (everything else given to $\mathcal{A}$ has been distributed independently of $A$), these coefficients are uniformly random except with probability $2/q$ (namely, the cases where $\tau_2$ defined in the Subspace problem is zero, or $(\chi_1, \chi_2)$ defined in Equation 3 is the zero vector) from Lemma 1. Therefore, in this case, $\mathcal{B}_0$ has properly simulated Game_0. This allows $\mathcal{B}_0$ to leverage $\mathcal{A}$'s advantage $\epsilon$ between Game_Real and Game_0 to achieve an advantage $\epsilon - 2/q$ against the Subspace assumption in $\mathbb{G}_1$, namely $\mathrm{Adv}^{DS1}_{\mathcal{B}_0}(\lambda) = \epsilon - 2/q$.

Lemma 5. Suppose that there exists an adversary $\mathcal{A}$ where $|\mathrm{Adv}^{Game_{\kappa-1}}_{\mathcal{A}}(\lambda) - \mathrm{Adv}^{Game_\kappa}_{\mathcal{A}}(\lambda)| = \epsilon$. Then there exists an algorithm $\mathcal{B}_\kappa$ such that $\mathrm{Adv}^{DS2}_{\mathcal{B}_\kappa}(\lambda) = \epsilon - 6/q$, with $K = 2$ and $N = 4$.

Proof. $\mathcal{B}_\kappa$ is given $D := (\mathbb{G};\ g_1^{b_1}, g_1^{b_2},\ g_2^{b_1^*},\ldots,g_2^{b_4^*},\ U_1, U_2,\ \mu_2)$ along with $T_1, T_2$. We require that $\mathcal{B}_\kappa$ decides whether $T_1, T_2$ are distributed as $g_2^{\tau_1 b_1^*}, g_2^{\tau_1 b_2^*}$ or $g_2^{\tau_1 b_1^* + \tau_2 b_3^*}, g_2^{\tau_1 b_2^* + \tau_2 b_4^*}$. $\mathcal{B}_\kappa$ simulates Game_{κ−1} or Game_κ with $\mathcal{A}$, depending on the distribution of $T_1, T_2$. To compute the public parameters and master secret key, $\mathcal{B}_\kappa$ chooses a random invertible matrix $A \in \mathbb{Z}_q^{2\times 2}$. We then implicitly set dual orthonormal bases $\mathbb{D}, \mathbb{D}^*$ to:
$$d_1 := b_1,\quad d_2 := b_2,\quad (d_3, d_4) := (b_3, b_4)\,A,\qquad d_1^* := b_1^*,\quad d_2^* := b_2^*,\quad (d_3^*, d_4^*) := (b_3^*, b_4^*)\,(A^{-1})^{\top}.$$
We note that $\mathbb{D}, \mathbb{D}^*$ are properly distributed, and reveal no information about $A$. $\mathcal{B}_\kappa$ chooses a random value $\alpha \in \mathbb{Z}_q$ and computes $g_T^\alpha := e(g_1,g_2)^{\alpha\, d_1\cdot d_1^*}$. $\mathcal{B}_\kappa$ can then give the public parameters $PP := (\mathbb{G};\ g_T^\alpha, g_1^{d_1}, g_1^{d_2})$ to $\mathcal{A}$.

The master key $MK := (\alpha, g_2^{d_1^*}, g_2^{d_2^*})$ is known to $\mathcal{B}_\kappa$, which allows $\mathcal{B}_\kappa$ to respond to all of $\mathcal{A}$'s key queries by calling the normal key generation algorithm. Since $\mathcal{B}_\kappa$ also knows $g_2^{d_3^*}, g_2^{d_4^*}$, it can easily produce semi-functional keys. To answer the first $\kappa - 1$ key queries that $\mathcal{A}$ makes, $\mathcal{B}_\kappa$ runs the semi-functional key generation algorithm to produce semi-functional keys and gives these to $\mathcal{A}$. To answer the $\kappa$-th key query for $id_\kappa$, $\mathcal{B}_\kappa$ responds with:
$$SK_{id_\kappa} := (g_2^{b_1^*})^{\alpha} \cdot T_1^{\,id_\kappa} \cdot T_2^{-1}.$$
This implicitly sets $r := \tau_1$. If $T_1, T_2$ are equal to $g_2^{\tau_1 b_1^*}, g_2^{\tau_1 b_2^*}$, then this is a properly distributed normal key. If $T_1, T_2$ are equal to $g_2^{\tau_1 b_1^* + \tau_2 b_3^*}, g_2^{\tau_1 b_2^* + \tau_2 b_4^*}$, then this is a semi-functional key, whose exponent vector includes
$$\tau_2(id_\kappa\, b_3^* - b_4^*) \qquad (4)$$
as its component in the span of $b_3^*, b_4^*$. To respond to the remaining key queries, $\mathcal{B}_\kappa$ simply runs the normal key generation algorithm.

At some point, $\mathcal{A}$ sends $\mathcal{B}_\kappa$ two pairs $(m_0, id_0)$ and $(m_1, id_1)$. $\mathcal{B}_\kappa$ chooses a random bit $\beta \in \{0,1\}$, and encrypts $m_\beta$ under $id_\beta$ as follows:
$$C := m_\beta \cdot \big(e(U_1, g_2^{b_1^*})\big)^{\alpha} = m_\beta\,(g_T^\alpha)^z,\qquad C_0 := U_1 \cdot U_2^{\,id_\beta},$$
where $\mathcal{B}_\kappa$ has implicitly set $z := \mu_1$. The semi-functional part of the exponent vector here is:
$$\mu_2(b_3 + id_\beta\, b_4). \qquad (5)$$
We observe that if $id_\beta = id_\kappa$ (which is not allowed), then vectors 4 and 5 would be orthogonal, resulting in a nominally semi-functional ciphertext and key pair. It gives the ciphertext $(C, C_0)$ to $\mathcal{A}$.

We now argue that since $id_\beta \ne id_\kappa$, in $\mathcal{A}$'s view the vectors 4 and 5 are distributed as random vectors in the spans of $d_3^*, d_4^*$ and $d_3, d_4$ respectively. To see this, we take the coefficients of vectors 4 and 5 in terms of the bases $b_3^*, b_4^*$ and $b_3, b_4$ respectively and translate them into coefficients in terms of the bases $d_3^*, d_4^*$ and $d_3, d_4$. Using the change of basis matrix $A$, we obtain the new coefficients (in vector form) as:
$$\tau_2\, A^{\top}(id_\kappa, -1)^{\top},\qquad \mu_2\, A^{-1}(1, id_\beta)^{\top}.$$
Since the distribution of everything given to $\mathcal{A}$ except for the $\kappa$-th key and the challenge ciphertext is independent of the random matrix $A$ and $id_\beta \ne id_\kappa$, we can conclude that these coefficients are uniformly random except with probability $4/q$ (namely, the cases where $\mu_2$ or $\tau_2$ defined in the Subspace problem is zero, or $(\chi_1, \chi_2)$ or $(\nu_1, \nu_2)$ defined in Equations 3 and 2 is the zero vector) from Lemma 1. Thus, $\mathcal{B}_\kappa$ has properly simulated Game_κ in this case. If $T_1, T_2$ are equal to $g_2^{\tau_1 b_1^*}, g_2^{\tau_1 b_2^*}$, then the coefficients of vector 5 are uniformly random except with probability $2/q$ (namely, the cases where $\mu_2$ defined in the Subspace problem is zero, or $(\chi_1, \chi_2)$ defined in Equation 3 is the zero vector) from Lemma 1. Thus, $\mathcal{B}_\kappa$ has properly simulated Game_{κ−1} in this case.

In summary, $\mathcal{B}_\kappa$ has properly simulated either Game_{κ−1} or Game_κ for $\mathcal{A}$, depending on the distribution of $T_1, T_2$. It can therefore leverage $\mathcal{A}$'s advantage $\epsilon$ between these games to obtain an advantage $\epsilon - 6/q$ against the Subspace assumption in $\mathbb{G}_2$, namely $\mathrm{Adv}^{DS2}_{\mathcal{B}_\kappa}(\lambda) = \epsilon - 6/q$.

Lemma 6. For any adversary $\mathcal{A}$, $|\mathrm{Adv}^{Game_{Final}}_{\mathcal{A}}(\lambda) - \mathrm{Adv}^{Game_{q_n}}_{\mathcal{A}}(\lambda)| \le 1/q$.

Proof. To prove this lemma, we show that the joint distributions of $(PP, CT^{(SF)}_{id_\beta}, \{SK^{(SF)}_{id_l}\}_{l\in[q_n]})$ in Game_{q_n} and that of $(PP, CT^{(R)}_{id_R}, \{SK^{(SF)}_{id_l}\}_{l\in[q_n]})$ in Game_Final are equivalent for the adversary's view, where $CT^{(R)}_{id_R}$ is a semi-functional encryption of a random message in $\mathbb{G}_T$ and under a random identity in $\mathbb{Z}_q$. For this purpose, we pick $A := (\xi_{i,j}) \leftarrow_R \mathbb{Z}_q^{2\times 2}$ and define new dual orthonormal bases $\mathbb{F} := (f_1,\ldots,f_4)$ and $\mathbb{F}^* := (f_1^*,\ldots,f_4^*)$ as follows:

$$\begin{pmatrix} f_1 \\ f_2 \\ f_3 \\ f_4 \end{pmatrix} := \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ \xi_{1,1} & \xi_{1,2} & 1 & 0 \\ \xi_{2,1} & \xi_{2,2} & 0 & 1 \end{pmatrix} \begin{pmatrix} d_1 \\ d_2 \\ d_3 \\ d_4 \end{pmatrix},\qquad \begin{pmatrix} f_1^* \\ f_2^* \\ f_3^* \\ f_4^* \end{pmatrix} := \begin{pmatrix} 1 & 0 & -\xi_{1,1} & -\xi_{2,1} \\ 0 & 1 & -\xi_{1,2} & -\xi_{2,2} \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix} \begin{pmatrix} d_1^* \\ d_2^* \\ d_3^* \\ d_4^* \end{pmatrix}.$$

It is easy to verify that $\mathbb{F}$ and $\mathbb{F}^*$ are also dual orthonormal, and are distributed the same as $\mathbb{D}$ and $\mathbb{D}^*$. Then the public parameters, challenge ciphertext, and queried secret keys $(PP, CT^{(SF)}_{id_\beta}, \{SK^{(SF)}_{id_l}\}_{l\in[q_n]})$ in Game_{q_n} are expressed over bases $\mathbb{D}$ and $\mathbb{D}^*$ as
$$PP := \big(\mathbb{G};\ g_T^\alpha,\ g_1^{d_1},\ g_1^{d_2}\big),$$
$$CT^{(SF)}_{id_\beta} := \big(C := m\,(g_T^\alpha)^z,\ C_0 := g_1^{z(d_1 + id_\beta\, d_2) + [\chi_1 d_3 + \chi_2 d_4]}\big),$$
$$SK^{(SF)}_{id_l} := g_2^{\alpha d_1^* + r_l(id_l\, d_1^* - d_2^*) + [\nu_{1,l} d_3^* + \nu_{2,l} d_4^*]}\quad\text{for } l \in [q_n].$$
Then we can express them over bases $\mathbb{F}$ and $\mathbb{F}^*$ as
$$PP := \big(\mathbb{G};\ g_T^\alpha,\ g_1^{f_1},\ g_1^{f_2}\big),$$
$$CT^{(SF)}_{id_\beta} := \big(C := m\,(g_T^\alpha)^z,\ C_0 := g_1^{(z_1 f_1 + z_2 f_2) + [\chi_1 f_3 + \chi_2 f_4]}\big),$$
$$SK^{(SF)}_{id_l} := g_2^{\alpha f_1^* + r_l(id_l\, f_1^* - f_2^*) + [\nu'_{1,l} f_3^* + \nu'_{2,l} f_4^*]}\quad\text{for } l \in [q_n],$$
where
$$z_1 := z - \chi_1\xi_{1,1} - \chi_2\xi_{2,1},\qquad z_2 := z\, id_\beta - \chi_1\xi_{1,2} - \chi_2\xi_{2,2},$$
$$\nu'_{1,l} := \nu_{1,l} + \alpha\xi_{1,1} + r_l(id_l\,\xi_{1,1} - \xi_{1,2}),\qquad \nu'_{2,l} := \nu_{2,l} + \alpha\xi_{2,1} + r_l(id_l\,\xi_{2,1} - \xi_{2,2}),\quad l \in [q_n],$$

which are all uniformly distributed if $(\chi_1, \chi_2)$ defined in Equation 3 is a non-zero vector, since $z$, $\{\xi_{i,j}\}_{i,j\in[2]}$ and $\{\nu_{1,l}, \nu_{2,l}\}_{l\in[q_n]}$ are all uniformly picked from $\mathbb{Z}_q$. In other words, the coefficients $(z, z\,id_\beta)$ of $d_1, d_2$ in the $C_0$ term of the challenge ciphertext are changed to random coefficients $(z_1, z_2) \in \mathbb{Z}_q^2$ of $f_1, f_2$; thus the challenge ciphertext can be viewed as a semi-functional encryption of a random message in $\mathbb{G}_T$ and under a random identity in $\mathbb{Z}_q$. Moreover, all coefficients $\{(\nu'_{1,l}, \nu'_{2,l})\}_{l\in[q_n]}$ of $f_3^*, f_4^*$ in $\{SK^{(SF)}_{id_l}\}_{l\in[q_n]}$ are uniformly distributed, since the coefficients $\{(\nu_{1,l}, \nu_{2,l})\}_{l\in[q_n]}$ of $d_3^*, d_4^*$ are all independent random values. Thus $(PP, CT^{(SF)}_{id_\beta}, \{SK^{(SF)}_{id_l}\}_{l\in[q_n]})$ expressed over bases $\mathbb{F}$ and $\mathbb{F}^*$ is properly distributed as $(PP, CT^{(R)}_{id_R}, \{SK^{(SF)}_{id_l}\}_{l\in[q_n]})$ in Game_Final.

In the adversary's view, both $(\mathbb{D}, \mathbb{D}^*)$ and $(\mathbb{F}, \mathbb{F}^*)$ are consistent with the same public parameters. Therefore, the challenge ciphertext and queried secret keys above can be expressed as keys and ciphertext in two ways: in Game_{q_n} over bases $(\mathbb{D}, \mathbb{D}^*)$ and in Game_Final over bases $(\mathbb{F}, \mathbb{F}^*)$. Thus, Game_{q_n} and Game_Final are statistically indistinguishable except with probability $1/q$ (namely, the case $(\chi_1, \chi_2) = (0, 0)$).

Lemma 7. For any adversary $\mathcal{A}$, $\mathrm{Adv}^{Game_{Final}}_{\mathcal{A}}(\lambda) = 0$.

Proof. The value of $\beta$ is independent from the adversary's view in Game_Final. Hence, $\mathrm{Adv}^{Game_{Final}}_{\mathcal{A}}(\lambda) = 0$.

In Game_Final, the challenge ciphertext is a semi-functional encryption of a random message in $\mathbb{G}_T$ and under a random identity in $\mathbb{Z}_q$, independent of the two messages and the challenge identities provided by $\mathcal{A}$. Thus, our IBE scheme is weakly attribute-hiding (anonymous).

5 Inner Product Encryption

We now present our IPE scheme, the construction and security proof of which are essentially the same as for our IBE, except that we extend the embedded equality relation to the general inner product relation.

Construction. We begin with our IPE scheme:

Setup($1^\lambda$): This algorithm takes in the security parameter $\lambda$ and generates a bilinear pairing $\mathbb{G} := (q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, g_1, g_2, e)$ for sufficiently large prime order $q$. The algorithm samples random dual orthonormal bases $(\mathbb{D}, \mathbb{D}^*) \leftarrow_R \mathrm{Dual}(\mathbb{Z}_q^{2n})$. Let $d_1,\ldots,d_{2n}$ denote the elements of $\mathbb{D}$ and $d_1^*,\ldots,d_{2n}^*$ denote the elements of $\mathbb{D}^*$. It also picks $\alpha \leftarrow_R \mathbb{Z}_q$, computes $g_T := e(g_1,g_2)^{d_1\cdot d_1^*}$, and outputs the public parameters as $PP := (\mathbb{G};\ g_T^\alpha,\ g_1^{d_1},\ldots,g_1^{d_n})$, and the master key $MK := (\alpha,\ g_2^{d_1^*},\ldots,g_2^{d_n^*})$.

KeyGen($PP, MK, v := (v_1,\ldots,v_n)$): This algorithm picks $r \leftarrow_R \mathbb{Z}_q$. The secret key is computed as
$$SK_v := g_2^{\alpha d_1^* + r(v_1 d_1^* + \cdots + v_n d_n^*)}.$$

Enc($PP, x := (x_1,\ldots,x_n), m$): WLOG, we assume that $x_1 = 1$. This algorithm picks $z \leftarrow_R \mathbb{Z}_q$ and forms the ciphertext as
$$CT_x := \big(C := m\,(g_T^\alpha)^z,\ C_0 := g_1^{z(x_1 d_1 + \cdots + x_n d_n)}\big).$$

Dec($PP, SK_v, CT_x$): This algorithm computes the message as
$$m := C / e(C_0, SK_v).$$

Correctness. Correctness is straightforward:
$$e(C_0, SK_v) = e\big(g_1^{z(x_1 d_1 + \cdots + x_n d_n)},\ g_2^{\alpha d_1^* + r(v_1 d_1^* + \cdots + v_n d_n^*)}\big) = e(g_1,g_2)^{\alpha z x_1\, d_1\cdot d_1^*} \cdot e(g_1,g_2)^{zr(v_1 x_1\, d_1\cdot d_1^* + \cdots + v_n x_n\, d_n\cdot d_n^*)} = g_T^{\alpha z} \cdot g_T^{zr\,\langle v, x\rangle} = g_T^{\alpha z},$$
using $x_1 = 1$ and $\langle v, x\rangle = 0$.

Proof of Security. We prove the following theorem by showing a series of lemmas.

Theorem 2. The IPE scheme is fully secure and weakly attribute-hiding under the SXDH assumption. More precisely, for any adversary $\mathcal{A}$ against the IPE scheme, there exist probabilistic algorithms $\mathcal{B}_0, \mathcal{B}_1, \ldots, \mathcal{B}_{q_n}$ whose running times are essentially the same as that of $\mathcal{A}$, such that
$$\mathrm{Adv}^{IPE}_{\mathcal{A}}(\lambda) \le \mathrm{Adv}^{DDH1}_{\mathcal{B}_0}(\lambda) + \sum_{\kappa=1}^{q_n} \mathrm{Adv}^{DDH2}_{\mathcal{B}_\kappa}(\lambda) + (6q_n + 3)/q,$$
where $q_n$ is the maximum number of $\mathcal{A}$'s key queries.

We adopt the dual system encryption methodology by Waters [37] to prove the security of our IPE scheme; the strategy is essentially the same as for our IBE scheme. We first define semi-functional ciphertexts and semi-functional keys in our proof and provide algorithms that generate them.

KeyGenSF: The algorithm picks $r, \nu_1, \ldots, \nu_n \leftarrow_R \mathbb{Z}_q$ and forms a semi-functional secret key as
$$SK^{(SF)}_v := g_2^{\alpha d_1^* + r(v_1 d_1^* + \cdots + v_n d_n^*) + [\nu_1 d_{n+1}^* + \cdots + \nu_n d_{2n}^*]}. \qquad (6)$$

EncryptSF: The algorithm picks $z, \chi_1, \ldots, \chi_n \leftarrow_R \mathbb{Z}_q$ and forms a semi-functional ciphertext as
$$CT^{(SF)}_x := \big(C := m\,(g_T^\alpha)^z,\ C_0 := g_1^{z(x_1 d_1 + \cdots + x_n d_n) + [\chi_1 d_{n+1} + \cdots + \chi_n d_{2n}]}\big). \qquad (7)$$

We observe that if one applies the decryption procedure with a semi-functional key and a normal ciphertext, decryption will succeed because $d_{n+1}^*,\ldots,d_{2n}^*$ are orthogonal to all of the vectors in the exponent of $C_0$, and hence have no effect on decryption. Similarly, decryption of a semi-functional ciphertext by a normal key will also succeed because $d_{n+1},\ldots,d_{2n}$ are orthogonal to all of the vectors in the exponent of the key. When both the ciphertext and key are semi-functional, the result of $e(C_0, SK_v)$ will have an additional term, namely
$$e(g_1,g_2)^{\nu_1\chi_1\, d_{n+1}\cdot d_{n+1}^* + \cdots + \nu_n\chi_n\, d_{2n}\cdot d_{2n}^*} = g_T^{\nu_1\chi_1 + \cdots + \nu_n\chi_n}.$$
Decryption will then fail unless $\nu_1\chi_1 + \cdots + \nu_n\chi_n \equiv 0 \pmod q$. If this modular equation holds, we say that the key and ciphertext pair is nominally semi-functional.

For a probabilistic polynomial-time adversary $\mathcal{A}$ which makes $q_n$ key queries $v_1,\ldots,v_{q_n}$, our proof of security consists of the following sequence of games between $\mathcal{A}$ and a challenger $\mathcal{B}$:

Game_Real: is the real security game.

Game_0: is the same as Game_Real except that the challenge ciphertext is semi-functional.

Game_κ: for $\kappa$ from 1 to $q_n$, Game_κ is the same as Game_0 except that the first $\kappa$ keys are semi-functional and the remaining keys are normal.

Game_Final: is the same as Game_{q_n}, except that the challenge ciphertext is a semi-functional encryption of a random message in $\mathbb{G}_T$ and under a random vector in $\mathbb{Z}_q^n$. We denote the challenge ciphertext in Game_Final as $CT^{(R)}_{x_R}$.

We let $\mathrm{Adv}^{Game_{Real}}_{\mathcal{A}}$ denote an adversary $\mathcal{A}$'s advantage in the real game.

Lemma 8. Suppose that there exists an adversary $\mathcal{A}$ where $|\mathrm{Adv}^{Game_{Real}}_{\mathcal{A}}(\lambda) - \mathrm{Adv}^{Game_0}_{\mathcal{A}}(\lambda)| = \epsilon$. Then there exists an algorithm $\mathcal{B}_0$ such that $\mathrm{Adv}^{DS1}_{\mathcal{B}_0}(\lambda) = \epsilon - 2/q$, with $K = n$ and $N = 2n$.

Proof. $\mathcal{B}_0$ is given $D := (\mathbb{G};\ g_2^{b_1^*},\ldots,g_2^{b_n^*},\ g_1^{b_1},\ldots,g_1^{b_{2n}},\ U_1,\ldots,U_n,\ \mu_2)$ along with $T_1,\ldots,T_n$. We require that $\mathcal{B}_0$ decides whether $T_1,\ldots,T_n$ are distributed as $g_1^{\tau_1 b_1},\ldots,g_1^{\tau_1 b_n}$ or $g_1^{\tau_1 b_1 + \tau_2 b_{n+1}},\ldots,g_1^{\tau_1 b_n + \tau_2 b_{2n}}$. $\mathcal{B}_0$ simulates Game_Real or Game_0 with $\mathcal{A}$, depending on the distribution of $T_1,\ldots,T_n$. To compute the public parameters and master secret key, $\mathcal{B}_0$ first chooses a random invertible matrix $A \in \mathbb{Z}_q^{n\times n}$. We implicitly set dual orthonormal bases $\mathbb{D}, \mathbb{D}^*$ to:
$$d_1 := b_1,\ \ldots,\ d_n := b_n,\quad (d_{n+1},\ldots,d_{2n}) := (b_{n+1},\ldots,b_{2n})\,A,$$
$$d_1^* := b_1^*,\ \ldots,\ d_n^* := b_n^*,\quad (d_{n+1}^*,\ldots,d_{2n}^*) := (b_{n+1}^*,\ldots,b_{2n}^*)\,(A^{-1})^{\top}.$$
We note that $\mathbb{D}, \mathbb{D}^*$ are properly distributed, and reveal no information about $A$. Moreover, $\mathcal{B}_0$ cannot generate $g_2^{d_{n+1}^*},\ldots,g_2^{d_{2n}^*}$, but these will not be needed for creating normal keys. $\mathcal{B}_0$ chooses a random value $\alpha \in \mathbb{Z}_q$ and computes $g_T^\alpha := e(g_1,g_2)^{\alpha\, d_1\cdot d_1^*}$. It then gives the public parameters $PP := (\mathbb{G};\ g_T^\alpha,\ g_1^{d_1},\ldots,g_1^{d_n})$ to $\mathcal{A}$. The master key $MK := (\alpha,\ g_2^{d_1^*},\ldots,g_2^{d_n^*})$ is known to $\mathcal{B}_0$, which allows $\mathcal{B}_0$ to respond to all of $\mathcal{A}$'s key queries by calling the normal key generation algorithm.

$\mathcal{A}$ sends $\mathcal{B}_0$ two pairs $(m_0, x_0)$ and $(m_1, x_1)$. $\mathcal{B}_0$ chooses a random bit $\beta \in \{0,1\}$, and encrypts $m_\beta$ under $x_\beta := (x_{1,\beta},\ldots,x_{n,\beta})$ as follows:
$$C := m_\beta \cdot \big(e(T_1, g_2^{b_1^*})\big)^{\alpha} = m_\beta\,(g_T^\alpha)^z,\qquad C_0 := T_1^{\,x_{1,\beta}} \cdots T_n^{\,x_{n,\beta}},$$
where $\mathcal{B}_0$ has implicitly set $z := \tau_1$. It gives the ciphertext $(C, C_0)$ to $\mathcal{A}$.

Now, if $T_1,\ldots,T_n$ are equal to $g_1^{\tau_1 b_1},\ldots,g_1^{\tau_1 b_n}$, then this is a properly distributed normal encryption of $m_\beta$. In this case, $\mathcal{B}_0$ has properly simulated Game_Real. If $T_1,\ldots,T_n$ are equal to $g_1^{\tau_1 b_1 + \tau_2 b_{n+1}},\ldots,g_1^{\tau_1 b_n + \tau_2 b_{2n}}$ instead, then the ciphertext element $C_0$ has an additional term of $\tau_2(x_{1,\beta}\, b_{n+1} + \cdots + x_{n,\beta}\, b_{2n})$ in its exponent. The coefficients here in the basis $b_{n+1},\ldots,b_{2n}$ form the vector $\tau_2(x_{1,\beta},\ldots,x_{n,\beta})$. To compute the coefficients in the basis $d_{n+1},\ldots,d_{2n}$, we multiply the matrix $A^{-1}$ by the transpose of this vector, obtaining $\tau_2 A^{-1}(x_{1,\beta},\ldots,x_{n,\beta})^{\top}$. Since $A$ is random (everything else given to $\mathcal{A}$ has been distributed independently of $A$), these coefficients are uniformly random except with probability $2/q$ (namely, the cases where $\tau_2$ defined in the Subspace problem is zero, or $(\chi_1,\ldots,\chi_n)$ defined in Equation 7 is the zero vector) from Lemma 1. Therefore, in this case, $\mathcal{B}_0$ has properly simulated Game_0. This allows $\mathcal{B}_0$ to leverage $\mathcal{A}$'s advantage $\epsilon$ between Game_Real and Game_0 to achieve an advantage $\epsilon - 2/q$ against the Subspace assumption in $\mathbb{G}_1$, namely $\mathrm{Adv}^{DS1}_{\mathcal{B}_0}(\lambda) = \epsilon - 2/q$.

Lemma 9. Suppose that there exists an adversary $\mathcal{A}$ where $|\mathrm{Adv}^{Game_{\kappa-1}}_{\mathcal{A}}(\lambda) - \mathrm{Adv}^{Game_\kappa}_{\mathcal{A}}(\lambda)| = \epsilon$. Then there exists an algorithm $\mathcal{B}_\kappa$ such that $\mathrm{Adv}^{DS2}_{\mathcal{B}_\kappa}(\lambda) = \epsilon - 6/q$, with $K = n$ and $N = 2n$.

Proof. $\mathcal{B}_\kappa$ is given $D := (\mathbb{G};\ g_1^{b_1},\ldots,g_1^{b_n},\ g_2^{b_1^*},\ldots,g_2^{b_{2n}^*},\ U_1,\ldots,U_n,\ \mu_2)$ along with $T_1,\ldots,T_n$. We require that $\mathcal{B}_\kappa$ decides whether $T_1,\ldots,T_n$ are distributed as $g_2^{\tau_1 b_1^*},\ldots,g_2^{\tau_1 b_n^*}$ or $g_2^{\tau_1 b_1^* + \tau_2 b_{n+1}^*},\ldots,g_2^{\tau_1 b_n^* + \tau_2 b_{2n}^*}$. $\mathcal{B}_\kappa$ simulates Game_{κ−1} or Game_κ with $\mathcal{A}$, depending on the distribution of $T_1,\ldots,T_n$. To compute the public parameters and master secret key, $\mathcal{B}_\kappa$ chooses a random invertible matrix $A \in \mathbb{Z}_q^{n\times n}$. We then implicitly set dual orthonormal bases $\mathbb{D}, \mathbb{D}^*$ to:
$$d_1 := b_1,\ \ldots,\ d_n := b_n,\quad (d_{n+1},\ldots,d_{2n}) := (b_{n+1},\ldots,b_{2n})\,A,$$
$$d_1^* := b_1^*,\ \ldots,\ d_n^* := b_n^*,\quad (d_{n+1}^*,\ldots,d_{2n}^*) := (b_{n+1}^*,\ldots,b_{2n}^*)\,(A^{-1})^{\top}.$$
We note that $\mathbb{D}, \mathbb{D}^*$ are properly distributed, and reveal no information about $A$. $\mathcal{B}_\kappa$ chooses a random value $\alpha \in \mathbb{Z}_q$ and computes $g_T^\alpha := e(g_1,g_2)^{\alpha\, d_1\cdot d_1^*}$. $\mathcal{B}_\kappa$ can then give the public parameters $PP := (\mathbb{G};\ g_T^\alpha,\ g_1^{d_1},\ldots,g_1^{d_n})$ to $\mathcal{A}$. The master key $MK := (\alpha,\ g_2^{d_1^*},\ldots,g_2^{d_n^*})$

is known to $\mathcal{B}_\kappa$, which allows $\mathcal{B}_\kappa$ to respond to all of $\mathcal{A}$'s key queries by calling the normal key generation algorithm. Since $\mathcal{B}_\kappa$ also knows $g_2^{d_{n+1}^*},\ldots,g_2^{d_{2n}^*}$, it can easily produce semi-functional keys. To answer the first $\kappa - 1$ key queries that $\mathcal{A}$ makes, $\mathcal{B}_\kappa$ runs the semi-functional key generation algorithm to produce semi-functional keys and gives these to $\mathcal{A}$. To answer the $\kappa$-th key query for $v_\kappa := (v_1,\ldots,v_n)$, $\mathcal{B}_\kappa$ responds with:
$$SK_{v_\kappa} := (g_2^{b_1^*})^{\alpha} \cdot T_1^{\,v_1} \cdots T_n^{\,v_n}.$$
This implicitly sets $r := \tau_1$. If $T_1,\ldots,T_n$ are equal to $g_2^{\tau_1 b_1^*},\ldots,g_2^{\tau_1 b_n^*}$, then this is a properly distributed normal key. If $T_1,\ldots,T_n$ are equal to $g_2^{\tau_1 b_1^* + \tau_2 b_{n+1}^*},\ldots,g_2^{\tau_1 b_n^* + \tau_2 b_{2n}^*}$, then this is a semi-functional key, whose exponent vector includes
$$\tau_2(v_1\, b_{n+1}^* + \cdots + v_n\, b_{2n}^*) \qquad (8)$$
as its component in the span of $b_{n+1}^*,\ldots,b_{2n}^*$. To respond to the remaining key queries, $\mathcal{B}_\kappa$ simply runs the normal key generation algorithm.

At some point, $\mathcal{A}$ sends $\mathcal{B}_\kappa$ two pairs $(m_0, x_0)$ and $(m_1, x_1)$. $\mathcal{B}_\kappa$ chooses a random bit $\beta \in \{0,1\}$, and encrypts $m_\beta$ under $x_\beta := (x_{1,\beta},\ldots,x_{n,\beta})$ as follows:
$$C := m_\beta \cdot \big(e(U_1, g_2^{b_1^*})\big)^{\alpha} = m_\beta\,(g_T^\alpha)^z,\qquad C_0 := U_1^{\,x_{1,\beta}} \cdots U_n^{\,x_{n,\beta}},$$
where $\mathcal{B}_\kappa$ has implicitly set $z := \mu_1$. The semi-functional part of the exponent vector here is:
$$\mu_2(x_{1,\beta}\, b_{n+1} + \cdots + x_{n,\beta}\, b_{2n}). \qquad (9)$$
We observe that if $\langle x_\beta, v_\kappa\rangle = 0$ (which is not allowed), then vectors 8 and 9 would be orthogonal, resulting in a nominally semi-functional ciphertext and key pair. It gives the ciphertext $(C, C_0)$ to $\mathcal{A}$.

We now argue that since $\langle x_\beta, v_\kappa\rangle \ne 0$, in $\mathcal{A}$'s view the vectors 8 and 9 are distributed as random vectors in the spans of $d_{n+1}^*,\ldots,d_{2n}^*$ and $d_{n+1},\ldots,d_{2n}$ respectively. To see this, we take the coefficients of vectors 8 and 9 in terms of the bases $b_{n+1}^*,\ldots,b_{2n}^*$ and $b_{n+1},\ldots,b_{2n}$ respectively and translate them into coefficients in terms of the bases $d_{n+1}^*,\ldots,d_{2n}^*$ and $d_{n+1},\ldots,d_{2n}$. Using the change of basis matrix $A$, we obtain the new coefficients (in vector form) as:
$$\tau_2\, A^{\top}(v_1,\ldots,v_n)^{\top},\qquad \mu_2\, A^{-1}(x_{1,\beta},\ldots,x_{n,\beta})^{\top}.$$
Since the distribution of everything given to $\mathcal{A}$ except for the $\kappa$-th key and the challenge ciphertext is independent of the random matrix $A$ and $\langle x_\beta, v_\kappa\rangle \ne 0$, we can conclude that these coefficients are uniformly random except with probability $4/q$ (namely, the cases where $\mu_2$ or $\tau_2$ defined in the Subspace problem is zero, or $(\chi_1,\ldots,\chi_n)$ or $(\nu_1,\ldots,\nu_n)$ defined in Equations 7 and 6 is the zero vector) from Lemma 1. Thus, $\mathcal{B}_\kappa$ has properly simulated Game_κ in this case. If $T_1,\ldots,T_n$ are equal to $g_2^{\tau_1 b_1^*},\ldots,g_2^{\tau_1 b_n^*}$, then the coefficients of vector 9 are uniformly random except with probability $2/q$ (namely, the cases where $\mu_2$ defined in the Subspace problem is zero, or $(\chi_1,\ldots,\chi_n)$ defined in Equation 7 is the zero vector) from Lemma 1. Thus, $\mathcal{B}_\kappa$ has properly simulated Game_{κ−1} in this case.

In summary, $\mathcal{B}_\kappa$ has properly simulated either Game_{κ−1} or Game_κ for $\mathcal{A}$, depending on the distribution of $T_1,\ldots,T_n$. It can therefore leverage $\mathcal{A}$'s advantage $\epsilon$ between these games to obtain an advantage $\epsilon - 6/q$ against the Subspace assumption in $\mathbb{G}_2$, namely $\mathrm{Adv}^{DS2}_{\mathcal{B}_\kappa}(\lambda) = \epsilon - 6/q$.