Compact Adaptively Secure ABE for NC1 from k-Lin

Lucas Kowalczyk1,? and Hoeteck Wee2,??

1
Columbia University
[email protected]
2
CNRS, ENS, PSL
[email protected]

Abstract. We present compact attribute-based encryption (ABE) schemes for NC1 that are adaptively
secure under the k-Lin assumption with polynomial security loss. Our KP-ABE scheme achieves
ciphertext size that is linear in the attribute length and independent of the policy size even in the
many-use setting, and we achieve an analogous efficiency guarantee for CP-ABE. This resolves the central
open problem posed by Lewko and Waters (CRYPTO 2011). Previous adaptively secure constructions
either impose an attribute “one-use restriction” (or the ciphertext size grows with the policy size), or
require q-type assumptions.

1 Introduction

Attribute-based encryption (ABE) [SW05,GPSW06] is a generalization of public-key encryption to

support fine-grained access control for encrypted data. Here, ciphertexts and keys are associated with
descriptive values which determine whether decryption is possible. In a key-policy ABE (KP-ABE)
scheme for instance, ciphertexts are associated with attributes like ‘(author:Waters), (inst:UT), (topic:PK)’
and keys with access policies like ((topic:MPC) OR (topic:SK)) AND (NOT(inst:UCL)), and decryption is
possible only when the attributes satisfy the access policy. A ciphertext-policy (CP-ABE) scheme is
the dual of KP-ABE with ciphertexts associated with policies and keys with attributes.
Over past decade, substantial progress has been made in the design and analysis of ABE schemes,
leading to a large families of schemes that achieve various trade-offs between efficiency, security
and underlying assumptions. Meanwhile, ABE has found use as a tool for providing and enhancing
privacy in a variety of settings from electronic medical records to messaging systems and online social
networks. Moreover, we expect further deployment of ABE, thanks to the recent standardization
efforts of the European Telecommunications Standards Institute (ETSI).3
In this work, we consider KP-ABE schemes for access policies in NC1 that simultaneously:

(1) enjoy compact ciphertexts whose size grows only with the length of the attribute and is
independent of the policy size, even for complex policies that refer to each attribute many times;
(2) achieve adaptive security (with polynomial security loss);
(3) rely on simple hardness assumptions in the standard model;
(4) can be built with asymmetric prime-order bilinear groups.
?
Supported in part by an NSF Graduate Research Fellowship DGE-16-44869; The Leona M. & Harry B. Helmsley
Charitable Trust; ERC Project aSCEND (H2020 639554); the Defense Advanced Research Project Agency (DARPA)
and Army Research Office (ARO) under Contract W911NF-15-C-0236; and NSF grants CNS-1445424, CNS-1552932
and CCF-1423306. Any opinions, findings and conclusions or recommendations expressed are those of the authors
and do not necessarily reflect the views of the the Defense Advanced Research Projects Agency, Army Research
Office, the National Science Foundation, or the U.S. Government.
??
Supported in part by ERC Project aSCEND (H2020 639554).
3
https://www.etsi.org/news-events/news/1328-2018-08-press-etsi-releases-cryptographic-standards-for-secure-access-control
 reference adaptive compact assumption unbounded
GPSW [GPSW06] X static X
LOSTW [LOS+ 10,OT10] X static X
LW [LW12] X X q-type
OT [OT12] X 2-Lin X X
Att [Att16] X X q-type X
CGKW [CGKW18] X k-Lin X X
ours, Section 6 X X static X
ours, Section B X X static X X

Fig. 1. Summary of KP-ABE schemes for NC1

We also consider the analogous question for CP-ABE schemes with compact keys. In both KP and
CP-ABE, all four properties are highly desirable from both a practical and theoretical stand-
point and moreover, properties (1), (2) and (4) are crucial for many real-world applications
of ABE. In addition, properties (2), (3) and (4) are by now standard cryptographic require-
ments pertaining to speed and efficiency, strong security guarantees under realistic and natural
attack models, and minimal hardness assumptions. There is now a vast body of works on ABE
(e.g. [GPSW06,LOS+ 10,OT10,LW12,KLMM19], see Fig 1) showing how to achieve different combi-
nations of (1) – (4), culminating in several unifying frameworks that provide a solid understanding
of the design and analysis of these schemes [Att14,Wee14,CGW15,Att16,AC17]. Nonetheless, prior
to this work, it was not known how to even simultaneously realize (1) – (3) for NC1 access policies4 ;
indeed, this is widely regarded one of the main open problems in pairing-based ABE.

Our results. We present the first KP-ABE and CP-ABE schemes for NC1 that simultaneously
realize properties (1) – (4). Our KP-ABE scheme achieves ciphertext size that is linear in the attribute
length and independent of the policy size even in the many-use setting; the same holds for the key size
in our CP-ABE. Both schemes achieve adaptive security under the k-Lin assumption in asymmetric
prime-order bilinear groups with polynomial security loss. We also present an “unbounded” variant
of our compact KP-ABE scheme with constant-size public parameters.
As an immediate corollary, we obtain delegation schemes for NC1 with public verifiability and
adaptive soundness under the k-Lin assumption [PRV12,LW12,CW14].
Our construction leverages a refinement of the recent “partial selectivization” framework for
adaptive security [JKK+ 17] (which in turn builds upon [FKPR14,FJP15,HJO+ 16,JW16]) along
with the classic dual system encryption methodology [Wat09,LW12].

1.1 Technical overview

Our starting point is the Lewko-Waters framework for constructing compact adaptively secure ABE
[LW12] based on the dual system encryption methodology5 [Wat09,LW10,LOS+ 10]. Throughout,
we focus on monotone NC1 circuit access policies, and note that the constructions extend readily
4
Note that there exist constructions of ABE for more general access policies like monotone span programs / Boolean
formulas with threshold gates [GPSW06], and even polynomial-sized Boolean circuits [GVW13,GGH+ 13], as well
as constructions that support an exponentially large attribute universe [OT12], but all such constructions sacrifice
at least one of the properties (1)-(3). We view achieving (1)-(3) for any of these extensions as an interesting open
problem.
5
Essentially, the dual system proof method provides guidance for transforming suitably-designed functional encryption
schemes which are secure for one adversarial secret key request to the multi-key setting where multiple keys may be
requested by the adversary. Our main technical contribution involves the analysis of the initial single-key-secure
component, which we refer to later as our “Core 1-ABE” component.

2
to the non-monotone setting6 . Let (G1 , G2 , GT ) be an asymmetric bilinear group of prime order p,
where g, h are generators of G1 , G2 respectively.

Warm-up. We begin with the prior compact KP-ABE for monotone NC1 [LW12,LOS+ 10,GPSW06];
this is an adaptively secure scheme that comes with the downside of relying on q-type assumptions
(q-type assumptions are assumptions of size that grows with some parameter q. It is known that
many q-type assumptions become stronger as q grows [Che06], and in general such complex and
dynamic assumptions are not well-understood). The construction uses composite-order groups, but
here we’ll suppress the distinction between composite-order and prime-order groups for simplicity.
We associate ciphertexts ctx with attribute vectors7 x ∈ {0, 1}n and keys skf with Boolean formulas
f:

msk := (µ, w1 , . . . , wn ) (1)

w1 wn µ
mpk := (g, g ,...,g , e(g, h) ),
s swi
ctx := (g , {g }xi =1 , e(g, h)µs · M )
skf := ({hµj +rj wρ(j) , hrj }j∈[m] ), ρ : [m] → [n]

where µ1 , . . . , µm are shares of µ ∈ Zp w.r.t. the formula f ; the shares satisfy the requirement that
for any x ∈ {0, 1}n , the shares {µj }xρ(j) =1 determine µ if x satisfies f (i.e., f (x) = 1), and reveal
nothing about µ otherwise; and ρ is a mapping from the indices of the shares (in [m]) to the indices
of the attributes (in [n]) to which they are associated. For decryption, observe that we can compute
{e(g, h)µj s }xi =1 , from which we can compute the blinding factor e(g, h)µs via linear reconstruction
“in the exponent”.
Here, m is polynomial in the formula size, and we should think of m = poly(n)  n. Note
that the ciphertext consists only of O(n) group elements and therefore satisfies our compactness
requirement.

Proving adaptive security. The crux of the proof of adaptive security lies in proving that µ
remains computationally hidden given just a single ciphertext and a single key and no mpk (the
more general setting with mpk and multiple keys follows via what is by now a textbook application
of the dual system encryption methodology). In fact, it suffices to show that µ is hidden given just

ct0x := ({wi }xi =1 )

skf := ({hµj +rj wρ(j) , hrj }j∈[m] )

where x, f are adaptively chosen subject to the constraint f (x) = 0. Henceforth, we refer to (ct0x , skf )
as our “core 1-ABE component”. Looking ahead to our formalization of adaptive security for this
core 1-ABE, we actually require that µ is hidden even if the adversary sees hw1 , . . . , hwn ; this turns
out to be useful for the proof of our KP-ABE (for improved concrete efficiency).

Core technical contribution. The technical novelty of this work lies in proving adaptive security
of the core 1-ABE component under the DDH assumption. Previous analysis either relies on a
6
Most directly by pushing all NOT gates to the input nodes of each circuit and using new attributes to represent
the negation of each original attribute. It is likely that the efficiency hit introduced by this transformation can be
removed through more advanced techniques à la [OSW07,LSW10], but we leave this for future work.
7
Some works associate ciphertexts with a set S ⊆ [n] where [n] is referred to as the attribute universe, in which case
x ∈ {0, 1}n corresponds to the characteristic vector of S.

3
q-type assumption [LW12,BSW07,Att14,AC17], or imposes the one-use restriction (that is, ρ is
injective and m = n, in which case security can be achieved unconditionally) [LOS+ 10,Wee14]. Our
analysis relies on a piecewise guessing framework which refines and simplifies a recent framework of
Jafargholi et al. for proving adaptive security via pebbling games [JKK+ 17] (which in turn builds
upon [FKPR14,FJP15,HJO+ 16,JW16]).
Let G0 denote the view of the adversary (ct0x , skf ) in the real game, and G1 denote the same
thing except we replace {µj } in skf with shares of a random value independent of µ. Our goal is
to show that G0 ≈c G1 . First, let us define an additional family of games {HU } parameterized by
U ⊆ [m]: HU is the same as G0 except we replace {µj : j ∈ U } in skf with uniformly random values.
In particular, H∅ = G0 .
We begin with the “selective” setting, where the adversary specifies x at the start of the game.
Suppose we can show that G0 ≈c G1 in this simpler setting via a series of L + 1 hybrids of the form:

G0 = Hh0 (x) ≈c Hh1 (x) ≈c · · · ≈c HhL (x) = G1

where h0 , . . . , hL : {0, 1}n → {U ⊆ [m] : |U | ≤ R0 } are functions of the adversary’s choices x. Then,
the piecewise guessing framework basically tells us that G0 ≈c G1 in the adaptive setting with a
0 0
security loss roughly mR · L, where the factor L comes from the hybrid argument and the factor mR
0
comes from guessing hi (x) (a subset of [m] of size at most R0 ). Ideally, we would want mR  2n ,
where 2n is what we achieve from guessing x itself
First, we describe a straight-forward approach which achieves L = 2 and R0 = m implicit in
[LW12] (but incurs a huge security loss 2m  2n ) where

h1 (x) = {j : xρ(j) = 0}.

That is, Hh1 (x) is G0 with µj in skf replaced by fresh µ0j ← Zp for all j satisfying xρ(j) = 0. Here,
we have
– G0 ≈c Hh1 (x) via DDH, since hµj +wρ(j) rj , hrj computationally hides µj whenever xρ(j) = 0 and
wρ(j) is not leaked in ctx ;
– Hh1 (x) ≈s G1 via security of the secret-sharing scheme since the shares {µj : xρ(j) = 1} leak no
information about µ whenever f (x) = 0.
This approach is completely generic and works for any secret-sharing scheme.
In our construction, we use a variant of the secret-sharing scheme for NC1 in [JKK+ 17] (which
is in turn a variant of Yao’s secret-sharing scheme [VNS+ 03,IK02]), for which the authors also gave
a hybrid argument achieving L = 8d and R0 = O(d log m) where d is the depth of the formula;
this achieves a security loss 2O(d log m) . Recall that the circuit complexity class NC1 is captured by
Boolean formulas of logarithmic depth and fan-in two, so the security loss here is quasi-polynomial
in n. We provide a more detailed analysis of the functions h0 , h1 , . . . , hL used in their scheme, and
show that the subsets of size O(d) output by these functions can be described only O(d) bits instead
of O(d log m) bits. Roughly speaking, we show that the subsets are essentially determined by a path
of length d from the output gate to an input gate, which can be described using O(d) bits since the
gates have fan-in two. Putting everything together, this allows us to achieve adaptive security for
the core 1-ABE component with a security loss 2O(d) = poly(n).

Our ABE scheme. To complete the overview, we sketch our final ABE scheme which is secure
under the k-Linear Assumption in prime-order bilinear groups.
To obtain prime-order analogues of the composite-order examples, we rely on the previous
framework of Chen et al. [CGW15,GDCC16,BKP14] for simulating composite-order groups in

4
prime-order ones. Let (G1 , G2 , GT ) be a bilinear group of prime order p. We start with the KP-ABE
scheme in (1) and carry out the following substitutions:

g s 7→ [s> A]1 , hrj 7→ [rj ]2 , wi 7→ Wi ← Z(k+1)×k

p , µ 7→ v ← Zk+1
p (2)

where
A ← Zk×(k+1)
p , s, rj ← Zkp ,
k corresponds to the k-Lin assumption desired for security8 , and [·]1 , [·]2 correspond respectively to
exponentiations in the prime-order groups G1 , G2 . We note that the naive transformation following
[CGW15] would have required Wi of dimensions at least (k + 1) × (k + 1); here, we incorporated
optimizations from [GDCC16,BKP14]. This yields the following prime-order KP-ABE scheme for
NC1 :

msk := ( v, W1 , . . . , Wn )
mpk := ( [A]1 , [AW1 ]1 , . . . , [AWn ]1 , e([A]1 , [v]2 ) ),
!
> > >
ctx := [s A]1 , {[s AWi ]1 }xi =1 , e([s A]1 , [v]2 ) · M

skf := ( {[vj + Wρ(j) rj ]2 , [rj ]2 }j∈[m] )

where vj is the j’th share of v. Decryption proceeds as before by first computing

{e([s> A]1 , [vj ]2 )}ρ(j)=0∨xρ(j) =1

and relies on the associativity relations AWi · rj = A · Wi rj for all i, j [CW13].

In the proof, in place of the DDH assumption which allows us to argue that (hwi rj , hrj ) is
pseudorandom, we will rely on the fact that by the k-Lin assumption, we have

(A, AWi , [Wi rj ]2 , [rj ]2 ) ≈c (A, AWi , [Wi rj + δij a⊥ ]2 , [rj ]2 )

k×(k+1) (k+1)×2k ⊥ k+1 satisfies A · a⊥ = 0.
where A ← Zp , Wi ← Zp , rj ← Z2k
p and a ∈ Zp

Organization. We describe the piecewise guessing framework for adaptive security in Section 3
and a pebbling strategy (used to define h0 , . . . , hL ) in Section 4. We describe a secret-sharing scheme
and prove adaptive security of the core 1-ABE component in Section 5. We present our full KP-ABE
and CP-ABE schemes in Section 6 and Appendix A. We also present our unbounded KP-ABE
scheme in Section B.

2 Preliminaries

Notation. We denote by s ← S the fact that s is picked uniformly at random from a finite set S.
By PPT, we denote a probabilistic polynomial-time algorithm. Throughout this paper, we use 1λ
as the security parameter. We use lower case boldface to denote (column) vectors and upper case
boldcase to denote matrices. We use ≡ to denote two distributions being identically distributed, and
≈c to denote two distributions being computationally indistinguishable. For any two finite sets (also
including spaces and groups) S1 and S2 , the notation “S1 ≈c S2 ” means the uniform distributions
over them are computationally indistinguishable.
8
e.g: k = 1 corresponds to security under the Symmetric External Diffie-Hellman Assumption (SXDH), and k = 2
corresponds to security under the Decisional Linear Assumption (DLIN).

5
2.1 Monotone Boolean formulas and NC1

Monotone Boolean formula. A monotone Boolean formula f : {0, 1}n → {0, 1} is specified by
a directed acyclic graph (DAG) with three kinds of nodes: input gate nodes, gate nodes, and a
single output node. Input nodes have in-degree 0 and out-degree 1, AND/OR nodes have in-degree
(fan-in) 2 and out-degree (fan-out) 1, and the output node has in-degree 1 and out-degree 0. We
number the edges (wires) 1, 2, . . . , m, and each gate node is defined by a tuple (g, ag , bg , cg ) where
g : {0, 1}2 → {0, 1} is either AND or OR, ag , bg are the incoming wires, cg is the outgoing wire and
ag , bg < cg . The size of a formula m is the number of edges in the underlying DAG and the depth of
a formula d is the length of the longest path from the output node.

NC1 and log-depth formula. A standard fact from complexity theory tells us that the circuit
complexity class monotone NC1 is captured by monotone Boolean formulas of log-depth and fan-in
two. This follows from the fact that we can transform any depth d circuit with fan-in two and
unbounded fan-out into an equivalent circuit with fan-in two and fan-out one (for all gate nodes) of
the same depth, and a 2d blow-up in the size. To see this, note that one can start with the root gate
of an NC1 circuit and work downward by each level of depth. For each gate g considered at depth i,
if either of its two input wires are coming from the output wire of a gate (at depth i − 1) with more
than one output wire, then create a new copy of the gate at depth i − 1 with a single output wire
going to g (note that this copy may increase the output wire multiplicity of gates at depth strictly
lower than i − 1). This procedure preserves the functionality of the original circuit, and has the
result that at its end, each gate in the circuit has input wires which come from gates with output
multiplicity 1. The procedure does not increase the depth of the circuit (any duplicated gates are
added at a level that already exists), so the new circuit is a formula (all gates have fan-out 1) of
depth d with fan-in 2, so its size is at most 2d . d is logarithmic in the size of the input for NC1
circuits, so the blowup from this procedure is polynomial in n. Hence we will consider the class NC1
as a set of Boolean formulas (where gates have fan-in 2 and fan-out 1) of depth O(log n) and refer
to f ∈ NC1 formulas.

2.2 Secret sharing

A secret sharing scheme is a pair of algorithms (share, reconstruct) where share on input f : {0, 1}n →
{0, 1} and µ ∈ Zp outputs µ1 , . . . , µm ∈ Zp together with ρ : [m] → {0, 1, . . . , n}.

– Correctness stipulates that for every x ∈ {0, 1}n such that f (x) = 1, we have

reconstruct(f, x, {µj }ρ(j)=0∨xρ(j) =1 ) = µ.

– Security stipulates that for every x ∈ {0, 1}n such that f (x) = 0, the shares

{µj }ρ(j)=0∨xρ(j) =1

perfectly hide µ.

Note the inclusion of ρ(j) = 0 in both correctness and security. All the secret sharing schemes in
this work will in fact be linear (in the standard sense): share computes a linear function of the secret
µ andPrandomness over Zp , and reconstruct computes a linear function of the shares over Zp , that is,
µ = ρ(j)=0∨xρ(j)=1 ωj µj .

6
2.3 Attribute-based encryption
An attribute-based encryption (ABE) scheme for a predicate pred( · , · ) consists of four algorithms
(Setup, Enc, KeyGen, Dec):

Setup(1λ , X , Y, M) → (mpk, msk). The setup algorithm gets as input the security parameter λ, the
attribute universe X , the predicate universe Y, the message space M and outputs the public
parameter mpk, and the master key msk.
Enc(mpk, x, m) → ctx . The encryption algorithm gets as input mpk, an attribute x ∈ X and a
message m ∈ M. It outputs a ciphertext ctx . Note that x is public given ctx .
KeyGen(mpk, msk, y) → sky . The key generation algorithm gets as input msk and a value y ∈ Y. It
outputs a secret key sky . Note that y is public given sky .
Dec(mpk, sky , ctx ) → m. The decryption algorithm gets as input sky and ctx such that pred(x, y) = 1.
It outputs a message m.

Correctness. We require that for all (x, y) ∈ X × Y such that pred(x, y) = 1 and all m ∈ M,

Pr[Dec(mpk, sky , Enc(mpk, x, m)) = m] = 1,

where the probability is taken over (mpk, msk) ← Setup(1λ , X , Y, M), sky ← KeyGen(mpk, msk, y),
and the coins of Enc.

Security definition. For a stateful adversary A, we define the advantage function

(mpk, msk) ← Setup(1λ , X , Y, M);

 
∗ KeyGen(msk,·) (mpk); 
0 (x , m0 , m1 ) ← A − 1

Advabe
A (λ) := Pr b = b :
b ←r {0, 1}; ctx∗ ← Enc(mpk, x∗ , mb );  2


b0 ← AKeyGen(msk,·) (ctx∗ )

with the restriction that all queries y that A makes to KeyGen(msk, ·) satisfy pred(x∗ , y) = 0 (that is,
sky does not decrypt ctx∗ ). An ABE scheme is adaptively secure if for all PPT adversaries A, the
advantage AdvabeA (λ) is a negligible function in λ.

2.4 Prime-Order Bilinear Groups and the Matrix Diffie-Hellman Assumption

A generator G takes as input a security parameter λ and outputs a group description G :=
(p, G1 , G2 , GT , e), where p is a prime of Θ(λ) bits, G1 , G2 and GT are cyclic groups of order p,
and e : G1 × G2 → GT is a non-degenerate bilinear map. We require that the group operations
in G1 , G2 and GT as well the bilinear map e are computable in deterministic polynomial time
with respect to λ. Let g1 ∈ G1 , g2 ∈ G2 and gT = e(g1 , g2 ) ∈ GT be the respective generators.
We employ the implicit representation of group elements: for a matrix M over Zp , we define
[M]1 := g1M , [M]2 := g2M , [M]T := gTM , where exponentiation is carried out component-wise. Also,
given [A]1 , [B]2 , we let e([A]1 , [B]2 ) = [AB]T .
We define the matrix Diffie-Hellman (MDDH) assumption on G1 [EHK+ 13]:
Definition 1 (MDDHm k,` Assumption). Let ` > k ≥ 1 and m ≥ 1. We say that the MDDHk,`
m

assumption holds if for all PPT adversaries A, the following advantage function is negligible in λ.
MDDHm
k,`
AdvA (λ) := Pr[A(G, [M]1 , [MS]1 ) = 1] − Pr[A(G, [M]1 , [U]1 ) = 1]

where M ←r Z`×k k×m and U ← Z`×m .

p , S ←r Zp r p

7
The MDDH assumption on G2 can be defined in an analogous way. Escala et al. [EHK+ 13] showed
that
k-Lin ⇒ MDDH1k,k+1 ⇒ MDDHm k,` ∀` > k, m ≥ 1
MDDHm
with a tight security reduction (that is, AdvA k,`
(λ) = Advk-Lin
A0 (λ)). In fact, the MDDH assump-
tion is a generalization of the k-Lin assumption, such that the k-Lin assumption is equivalent to the
MDDH1k,k+1 Assumption as defined above.
Definition 2 (k-Lin assumption). Let k ≥ 1. We say that the k-Lin assumption holds if for all
PPT adversaries A, the following advantage function is negligible in λ.
MDDH1k,k+1
Advk-Lin
A (λ) := AdvA (λ)

Henceforth, we will use MDDHk to denote MDDH1k,k+1 . Lastly, we note that the k-Lin assump-
tion itself is a generalization, where setting k = 1 yields the Symmetric External Diffie-Hellman
Assumption (SXDH), and setting k = 2 yields the standard Decisional Linear Assumption (DLIN).

3 Piecewise Guessing Framework for Adaptive Security

We now refine the adaptive security framework of [JKK+ 17], making some simplifications along the
way to yield the piecewise guessing framework that will support our security proof. We use hA, Gi
to denote the output of an adversary A in an interactive game G, so the probability of A outputting
1 in game G is denoted by Pr[hA, Gi = 1].
Suppose we have two adaptive games G0 and G1 which we would like to show to be indistinguish-
able. In both games, an adversary A makes some adaptive choices that define z ∈ {0, 1}R . Informally,
the piecewise guessing framework tells us that if we can show that G0 , G1 are -indistinguishable in
the selective setting where all choices defining z are committed to in advance via a series of L + 1
hybrids, where each hybrid depends only on at most R0  R bits of information about z, then
0
G0 , G1 are 22R · L · -indistinguishable in the adaptive setting.

Overview. We begin with the selective setting where the adversary commits to z = z ∗ in advance.
Suppose we can show that G0 ≈c G1 in this simpler setting via a series of L + 1 hybrids of the form:
∗) ∗) ∗)
G0 = Hh0 (z ≈c Hh1 (z ≈c · · · ≈c HhL (z = G1
0
where h0 , . . . , hL : {0, 1}R → {0, 1}R and {Hu }u∈{0,1}R0 is a family of games where the messages
sent to the adversary in Hu depend on u.9 In particular, the `’th hybrid only depends on h` (z ∗ )
where |h` (z ∗ )|  |z ∗ |.
Next, we describe how to slightly strengthen this hybrid sequence so that we can deduce that
G0 ≈c G1 even for an adaptive choice of z. Note that {Hu }u∈{0,1}R0 is now a family of adaptive
games where z is adaptively defined as the game progresses. We have two requirements:
The first, end-point equivalence, just says the two equivalences
∗ ∗)
G0 = Hh0 (z ) , G1 = HhL (z
9
Informally, {Hu } describes the simulated games used in the security reduction, where the reduction guesses R0
bits of information described by u about some choices z made by the adversary; these R0 bits of information are
0
described by h` (z) in the `’th hybrid. In the `’th hybrid, the reduction guesses a u ∈ {0, 1}R and simulates the
u
game according to H and hopes that the adversary will pick an z such that h` (z) = u; note that the adversary is
not required to pick such an z. One way to think of Hu is that the reduction is commited to u, but the adversary
can do whatever it wants.

8
hold even in the adaptive setting, that is, even if the adversary’s behavior defines an z different from
z ∗ . In our instantiation, h0 and hL are constant functions, so this equivalence will be immediate.
The second, neighbor indistinguishability, basically says that for any ` ∈ [L], we have
0
Hu0 ≈c Hu1 , ∀ u0 , u1 ∈ {0, 1}R

as long as the adversary chooses z such that

h`−1 (z) = u0 ∧ h` (z) = u1

∗ ∗
It is easy to see that this is a generalization of Hh`−1 (z ) ≈c Hh` (z ) if we require z = z ∗ . To formalize
this statement, we need to formalize the restriction on the adversary’s choice of z by having the
game output 0 whenever the restriction is violated. That is, we define a pair of “selective” games
H b `,1 (u0 , u1 ) for any u0 , u1 ∈ {0, 1}R0 , where
b `,0 (u0 , u1 ), H

b `,b (u0 , u1 ) is the same as Hub , except we replace the output with 0 whenever
H
(h`−1 (z), h` (z)) 6= (u0 , u1 ).
That is, in both games, the adversary “commits” in advance to u0 , u1 . Proving indistinguishability
here is easier because the reduction knows u0 , u1 and only needs to handle adaptive choices of z
such that (h`−1 (z), h` (z)) = (u0 , u1 ).

Adaptive security lemma. The next lemma tells us that the two requirements above implies
0 0
that G0 ≈c G1 with a security loss 22R · L (stated in the contra-positive). In our applications, 2R
and L will be polynomial in the security parameter.
0
Lemma 1 (adaptive security lemma). Fix G0 , G1 along with h0 , h1 , . . . , hL : {0, 1}R → {0, 1}R
and {Hu }u∈{0,1}R0 such that
∗) ∗)
∀ z ∗ ∈ {0, 1}R : Hh0 (z = G0 , HhL (z = G1

Suppose there exists an adversary A such that

Pr[hA, G0 i = 1] − Pr[hA, G1 i = 1] ≥ 
0
then there exists ` ∈ [L] and u0 , u1 ∈ {0, 1}R such that

b `,0 (u0 , u1 )i = 1] − Pr[hA, H

b `,1 (u0 , u1 )i = 1] ≥ 
Pr[hA, H
22R0 L
This lemma is essentially a restatement of the main theorem of [JKK+ 17, Theorem 2]; we defer a
comparison to the end of this section.

Proof. For the proof, we need to define the game H` (z ∗ ) for all ` = 0, 1, . . . , L and all z ∗ ∈ {0, 1}R
∗
H` (z ∗ ) is the same as Hh` (z ) , except we replace the output with 0 whenever z 6= z ∗ .
Roughly speaking, in H` (z ∗ ), the adversary “commits” to making choices z = z ∗ in advance.

– Step 1. We begin the proof by using “random guessing” to deduce that


Pr [hA, H0 (z ∗ )i = 1] − Pr [hA, HL (z ∗ )i = 1] ≥
z ∗ ←{0,1}R z ∗ ←{0,1}R 2R

9
 This follows from the fact that Hh0 (z) = G0 , HhL (z) = G1 which implies
1
Pr [hA, H0 (z ∗ )i = 1] =
Pr[hA, G0 i = 1]
z ∗ ←{0,1}R 2R
1
Pr [hA, HL (z ∗ )i = 1] = R Pr[hA, G1 i = 1].
∗
z ←{0,1} R 2
– Step 2. Via a standard hybrid argument, we have that there exists ` such that

Pr [hA, H`−1 (z ∗ )i = 1] − Pr [hA, H` (z ∗ )i = 1] ≥
z ∗ ←{0,1}R z ∗ ←{0,1}R 2R L
which implies that:
X X 
[hA, H`−1 (z 0 )i = 1] − [hA, H` (z 0 )i = 1] ≥
L
z 0 ∈{0,1}R z 0 ∈{0,1}R

– Step 3. Next, we relate H

b `,0 , H
b `,1 and H`−1 , H` . First, we define the set
0 0
U` := {(h`−1 (z 0 ), h` (z 0 )) : z 0 ∈ {0, 1}R } ⊆ {0, 1}R × {0, 1}R , ` ∈ [L]
Observe that for all (u0 , u1 ) ∈ U` , we have
X
Pr[hA, H
b `,1 (u0 , u1 )i = 1] = Pr[hA, H` (z 0 )i = 1]
z 0 :(h`−1 (z 0 ),h` (z 0 ))=(u0 ,u1 )

Then, we have
X
Pr[hA, H` (z 0 )i = 1]
z 0 ∈{0,1}R
 
X X
=  Pr[hA, H` (z 0 )i = 1]
(u0 ,u1 )∈U` z 0 :(h`−1 (z 0 ),h` (z 0 ))=(u0 ,u1 )
X
= Pr[hA, H
b `,1 (u0 , u1 )i = 1]
(u0 ,u1 )∈U`

By the same reasoning, we also have

X X
Pr[hA, H`−1 (z 0 )i = 1] = Pr[hA, H
b `,0 (u0 , u1 )i = 1]
z 0 ∈{0,1}R (u0 ,u1 )∈U`

This means that

X  
b `,0 (u0 , u1 )i = 1] − Pr[hA, H
Pr[hA, H b `,1 (u0 , u1 )i = 1]
(u0 ,u1 )∈U`
X X 
= Pr[hA, H`−1 (z 0 )i = 1] − Pr[hA, H` (z 0 )i = 1] ≥
L
z 0 ∈{0,1}R z 0 ∈{0,1}R

where the last inequality follows from Step 2.

0
– Step 4. By an averaging argument, and using the fact that |U` | ≤ 22R , there exists (u0 , u1 ) ∈ U`
such that
b `,1 (u0 , u1 )i = 1] ≥  0
b `,0 (u0 , u1 )i = 1] − Pr[hA, H
Pr[hA, H
22R L
0
This completes the proof. Note that 22R can be replaced by max` |U` |. t
u

10
Comparison with [JKK+ 17]. Our piecewise guessing framework makes explicit the game Hu
which are described implicitly in the applications of the framework in [JKK+ 17]. Starting from Hu
and h0 , . . . , hL , we can generically specify the intermediate games H b `,1 as well as the games
b `,0 , H
+
H0 , . . . , HL used in the proof of security. The framework of [JKK 17] does the opposite: it starts
with the games H0 , . . . , HL , and the theorem statement assumes the existence of h0 , . . . , hL and
H
b `,0 , H
b `,1 that are “consistent” with H0 , . . . , HL (as defined via a “selectivization” operation). We
believe that starting from Hu and h0 , . . . , hL yields a simpler and clearer framework which enjoys the
advantage of not having to additionally construct and analyze H b `,0 , H
b `,1 and H` in the applications.
+
Finally, we point out that the sets U and W in [JKK 17, Theorem 2] corresponds to U` and
{0, 1}R over here (that is, we do obtain the same bounds), and the i’th function hi corresponds to
the `’th function h`−1 ◦ h` over here.

4 Pebbling Strategy for NC1

We now define a pebbling strategy for NC1 which will be used to define the functions h0 , . . . , hL
we’ll use in the piecewise guessing framework. Fix a formula f : {0, 1}n → {0, 1} of size m and an
input x ∈ {0, 1}n for which f (x) = 0. A pebbling strategy specifies a sequence of L subsets of [m],
corresponding to subsets of input nodes and gates in f that are pebbled. We refer to each subset in
the sequence as a pebbling configuration and the i’th term in this sequence is the output of hi (f, x)
(where the combination of f, x correspond to the adaptive choices z made in our security game that
will be later analyzed in the piecewise guessing framework).
Our pebbling strategy is essentially the same as that in [JKK+ 17, Section 4]; the main difference
is that we provide a better bound on the size of the description of each pebbling configuration in
Theorem 1.

4.1 Pebbling Rules

Fix a formula f : {0, 1}n → {0, 1} and an input x ∈ {0, 1}n for which f (x) = 0. We are allowed
to place or remove pebbles on input nodes and gates in f , subject to some rules. The goal of a
pebbling strategy is to find a sequence of pebbling instructions that follow the rules and starting
with the initial configuration (in which there are no pebbles at all), will end up in a configuration
where only the root gate has a pebble. Intuitively, the rules say that we can place a pebble a node
or a gate if we know that the out-going wire will be 0. More formally,
Definition 3 (Pebbling Rules).
1. Can place or remove a pebble on any AND gate for which (at least) one input wire comes out of
a node with a pebble on it.
2. Can place or remove a pebble on any OR gate for which all of the incoming wires come out of
nodes which have pebbles on them.
3. Can place or remove a pebble on any input node for which xi = 0.
Given (f, x), a pebbling strategy returns a sequence of pebbling instructions of the form PEBBLE g
or unPEBBLE g for some gate g, with the property that each successively applied instruction follows
the pebbling rules in Definition 3.

4.2 Pebbling Strategy

Given an NC1 formula f (recall Section 2.1) and an input x on which the formula evaluates to 0,
consider the pebbling instruction sequence returned by the following recursive procedure, which

11
maintains the invariant that the output wire evaluates to 0 for each gate that the procedure is called
upon. The strategy is described in Figure 2 and begins by calling Pebble(f, x, g ∗ ) on the root gate
g ∗ . We give an example in Figure 3.

Pebble(f, x, g):
Input: A node g of an NC1 formula f with children gL and gR along with input x defining values along the wires of f .

1. (Base Case) If g is an input node, Return “PEBBLE g”.

2. (Recursive Case) If g = OR, first call Pebble(f, x, gL ) to get a list of operations ΛL , then call Pebble(f, x, gR ) to
get a second list of operations ΛR .
Return ΛL ◦ ΛR ◦ “PEBBLE g” ◦ Reverse(ΛR ) ◦ Reverse(ΛL )
3. (Recursive Case) If g = AND, call Pebble(f, x, ·) on the first child gate whose output wire evaluates to 0 on input
x to get a list of operations Λ.
Return Λ◦ “PEBBLE g” ◦ Reverse(Λ)

Reverse(Λ):
Input: A list of instructions of the form “PEBBLE g” or “unPEBBLE g” for a gate g.

1. Return the list Λ in the reverse order, additionally changing each original “PEBBLE ” instruction to
“unPEBBLE ” and each original “unPEBBLE ” instruction to “PEBBLE ”.

Fig. 2. NC1 formula pebbling strategy.

Note that if this procedure is called on the root gate of a formula f with an input x such that
f (x) = 0, then every AND gate on which the Pebble() procedure is called will have at least one
child node with an output wire which evaluates to 0, and every OR gate on which the Pebble()
procedure is called will have child nodes with output wires which both evaluate to 0. Furthermore,
by inspection, Pebble(f, x, g ∗ ) returns a sequence of pebbling instructions for the circuit that follows
the rules in Definition 3.

4.3 Analysis.

To be useful in the piecewise guessing framework, we would like for the sequence of pebbling
instructions to have the property that each configuration formed by successive applications of
the instructions in the sequence is as short to describe as possible (i.e., minimize the maximum
representation size R0 ). One way to achieve this is to have, at any configuration along the way, as few
pebbles as possible. An even more succinct representation can be obtained if we allow many pebbles
but have a way to succinctly represent their location. Additionally, we would like to minimize the
worst-case length, L, of any sequence produced. We achieve these two goals in the following theorem.

Theorem 1 (pebbling NC1 ). For every input x ∈ {0, 1}n and any monotone formula f of depth
d and fan-in two for which f (x) = 0, there exists a sequence of L(d) = 8d pebbling instructions such
that every intermediate pebbling configuration can be described using R0 (d) = 3d bits.

Proof. Follows from the joint statements of Lemma 2 and Lemma 4 applied to the pebbling strategy
in Figure 2.

Comparison with [JKK+ 17]. Note that the strategy reproduced in Figure 2 is essentially the
same as one analyzed by [JKK+ 17], which argued that every configuration induced by the pebbling

12
 step move
1 pebble x1 (left)
output output 2 pebble x2
3 pebble ∨ (left)
4 unpebble x2
5 unpebble x1 (left)
∨ ∨ 6 pebble x1 (right)
7 pebble ∧
8 unpebble x1 (right)
∨ ∧ ∨ ∧ 9 pebble ∨ (right)
10 pebble x1 (right)
11 unpebble ∧
x1 x2 x1 x3 x1 x2 x3 12 unpebble x1 (right)
x1
13 pebble x1 (left)
0 0 0 1 0 0 0 1 14 pebble x2
after step 5: after step 6: 15 unpebble ∨ (left)
16 unpebble x2
17 unpebble x1 (left)

Fig. 3. Intermediate pebbling configurations on input x = 001. The thick black outline around a node corresponds to
having a pebble on the node. Note that steps 10-17 correspond to “undoing” steps 1-8 so that at the end of step 17,
there is exactly one pebble on the ∨ node leading to the output node.

instruction sequence it produces can be described using d(log m + 2) bits, where m is the number
of wires in the formula. This follows from the fact that each such pebbling configuration has at
most d gates with pebbled children, and we can specify each such gate using log m bits and the
pebble-status of its two children using an additional two bits. Our Lemma 4 analyzes the same
pebbling strategy but achieves a more succinct representation by leveraging the fact that not all
configurations of d pebbled gates are possible due to the pebbling strategy used, so we don’t need
the full generality allowed by d · log m bits. Instead, Lemmas 3 and 4 show that every configuration
produced follows a pattern that can be described using only 3d bits.
Lemma 2 ([JKK+ 17]). The pebbling strategy in Figure 2 called on the root gate g ∗ for a formula f
of depth d with assignment x such that f (x) = 0, Pebble(f, x, g ∗ ), returns a sequence of instructions
of length at most L(d) ≤ 8d .
This bound is a special case of that shown in [JKK+ 17, Lemma 2] for fan-in two circuits.
Proof. This statement follows inductively on the depth of the formula on which Pebble() is called.
For the base case, when d = 0 (and Pebble has therefore been called on an input node) there is
just one instruction returned, and:
1 ≤ 80
When Pebble() is called on a node at depth d > 0, the node is either an OR gate or an AND
gate.
When Pebble() is called on an OR gate, using our inductive hypothesis for the instructions
returned for the subformula of depth d − 1, notice that the number of instructions returned is:
L(d − 1) + L(d − 1) + 1 + L(d − 1) + L(d − 1) = 8d−1 + 8d−1 + 1 + 8d−1 + 8d−1 = 4 · 8d−1 + 1 ≤ 8d
When Pebble() is called on an AND gate, using our inductive hypothesis for the instructions
returned for the subformula of depth d − 1, notice that the number of instructions returned is:
L(d − 1) + 1 + L(d − 1) = 8d−1 + 1 + 8d−1 = 2 · 8d−1 + 1 ≤ 8d
t
u

13
 We note that the following lemma is new to this work and will be used to bound the representation
size R(d) of any configuration produced by application of the instructions output by the pebbling
strategy.
Lemma 3 (structure of pebbling configuration). Every configuration induced by application
of the instructions produced by the pebbling strategy in Figure 2 called on the root gate g ∗ of a formula
f of depth d with assignment x such that f (x) = 0, Pebble(f, x, g ∗ ), has the following property for
all gates g in f with children gL , gR :
If any node in the sub-tree rooted at gR is pebbled, then there exists at most one pebble on
the sub-tree rooted at gL , namely a pebble on gL itself

Proof. Call a node “good” if it satisfies the property above. First, we make the following observation
about the behavior of Reverse(): Applying Reverse() to a list of instructions inducing a list of
configurations for which all nodes are “good” produces a new list for which this is true. This
holds since Reverse() does not change the configurations induced by a list of instructions, just the
ordering (which is reversed). This follows from a simple proof by induction on the length of the
input instruction list and the fact that for an input list of instructions parsed as L1 ◦ L2 for two
smaller-length lists, we can implement Reverse(L1 ◦ L2 ) as Reverse(L2 ) ◦ Reverse(L1 ).
We proceed with our original proof via a proof by induction on the depth of the formula upon
which Pebble() is called.
Inductive Hypothesis: For formulas f of depth d − 1 with root gate g ∗ and assignment x such that
f (x) = 0, Pebble(f, x, g ∗ ) returns a sequence of instructions that induces a sequence of configurations
that (1) end with a configuration where g ∗ is the only pebbled node, and satisfies: (2) in every
configuration all nodes are “good.”
Base Case: when Pebble(f, x, g ∗ ) is called on a formula of depth 0, the formula consists of just
an input node g ∗ . The (single) returned instruction PEBBLE g ∗ then satisfies that in both the initial
and final configuration, the single node g ∗ is good. Also, the sequence ends in the configuration
where g ∗ is the only pebbled node.
Inductive Step: when Pebble(f, x, g ∗ ) is called on formula of depth d > 0. Let gL∗ , gR∗ denote the
∗
children of the root gate g (either an AND or OR gate). Note that the sub-formulas fgL∗ and fgR∗
rooted at gL∗ and gR ∗ have depth d − 1. We proceed via a case analysis:

If g ∗ is an AND gate, then suppose the sequence of instructions returned is

∗
Pebble(fgR∗ , x, gR ) ◦ PEBBLE g ∗ ◦ Reverse(Pebble(fgR∗ , x, gR ))

(The case with gL∗ instead of gR ∗ is handled analogously, even simpler). Suppose Pebble(f ∗ , x, g ∗ )
gR R
∗ ))) produces L instructions. We proceed via a case analysis:
(and thus Reverse(Pebble(fgR∗ , x, gR 0

– Take any of the first L0 configurations (starting from 0’th). Here, all pebbles are in the subformula
rooted at gR ∗ . We can then apply part (2) of the inductive hypothesis to the subformula f ∗
gR
∗
rooted at gR (of depth d − 1) to deduce that property “good” holds for all nodes in fgR∗ . All
nodes in fgL∗ are unpebbled in all configurations, so they are automatically good. Lastly, the
root gate g ∗ has no pebbled nodes in the subformula rooted at gL , so it is also good.
– For the (L0 + 1)’th configuration reached after PEBBLE g ∗ , there are only two pebbles, one on g ∗
(from the PEBBLE g ∗ instruction) and another on gR ∗ (from part (1) of our inductive hypothesis

applied to the (depth d − 1) subformula fgR∗ ). It is clear that all nodes in this configuration are
good.
– For the last L0 configurations, there is one pebble on g ∗ and all remaining pebbles are in the
subformula rooted at gR ∗ . Clearly, g ∗ is good. All nodes in f ∗ are unpebbled in all configurations,
gL

14
 so they are also good. Moreover, we can apply the inductive hypothesis to fgR∗ combined with
our observation that Reverse preserves property (2) of this hypothesis to deduce that all nodes
in the subformula are also good for all configurations.
Lastly, notice that since the last L0 instructions undo the first L0 instructions, the final configuration
features a single pebble on g ∗ .
If g ∗ is an OR gate, then the sequence of instructions returned is
∗ ∗ ∗ ∗ ∗
∗ , x, gL ) ◦ Pebble(fg ∗ , x, gR ) ◦ PEBBLE g ◦ Reverse(Pebble(fg ∗ , x, gR )) ◦ Reverse(Pebble(fg ∗ , x, gL ))
Pebble(fgL R R L

∗ ), Pebble(f ∗ , x, g ∗ ), and thus Reverse(Pebble(f ∗ , x, g ∗ )), Reverse(Pebble(f ∗ , x, g ∗ )),

Suppose Pebble(fgR∗ , x, gR gL L gR R gL L
produces L0 , L1 instructions. We proceed via a case analysis:
– Take any of the first L0 configurations (starting from 0’th). Here, all pebbles are in the subformula
fgL∗ rooted at gL∗ . We can then apply part (2) of the inductive hypothesis to (depth d − 1) fgL∗ to
deduce that property “good” holds for all nodes in fgL∗ . All nodes in the subformula rooted at
gR∗ , f ∗ , are unpebbled in all configurations, so they are automatically good. Lastly, the root
gR
gate g ∗ has no pebbled nodes in the subformula rooted at gR ∗ , so it is also good. Finally, by part

(1) of this application of the inductive hypothesis, we know that L0 th configuration features a
single pebble on gL∗ .
– Take any of the next L1 configurations (starting from the L0 ’th). Here, all pebbles are in the
subformula rooted at gR ∗ except for the single pebble on g ∗ . We can then apply part (2) of
L
the inductive hypothesis to (depth d − 1) fgR∗ (of depth d − 1) to deduce that property “good”
holds for all nodes in fgR∗ . All nodes in the subformula rooted at gL∗ have no pebbles in their
own subformulas, so they are automatically good. Lastly, the root gate g ∗ may have pebbled
nodes in the subformula rooted at gR ∗ but the only pebbled node in the subformula rooted at g ∗
L
is gL∗ itself, so it is also good. Finally, we know that the L0 + L1 th configuration features two
pebbles: a pebble on gL∗ (from the first L0 instructions), and a pebble on gR ∗ (by part (1) of this

application of the inductive hypothesis).

– For the (L0 + L1 + 1)’th configuration reached after PEBBLE g ∗ , there are only three pebbles,
one on g ∗ (from the PEBBLE g ∗ instruction), one on gL∗ (from the first L0 instructions), and
another on gR ∗ (from the next L instructions). It is clear that all nodes in this configuration are
1
good.
– For the next L1 configurations (reversing the instructions of the set of size L1 ), there is one
pebble on g ∗ , one pebble on gL∗ , and all remaining pebbles are in the subformula rooted at gR ∗,
∗ ∗ ∗
fgR∗ . g is good, since it only has one pebble in the subformula rooted at gL , on gL itself. All
nodes in the subformula rooted at gL∗ have no pebbles in their own subformulas, so they are
also good. Moreover, we can apply the inductive hypothesis to (depth d − 1) fgR∗ combined with
our observation that Reverse preserves property (2) of this hypothesis to deduce that all nodes
in fgR∗ are also good for all configurations. Note the final configuration in this sequence then
contains two pebbles, one of g ∗ and one on gL∗ .
– For the final L0 configurations (reversing the instructions of the set of size L0 ), there is one
pebble on g ∗ , and all remaining pebbles are in the subformula rooted at gL∗ . g ∗ is good, since it
has no pebbles in the subformula rooted at gR ∗ . Similarly, all nodes in the subformula rooted at
∗
gR are also good. Moreover, we can apply the inductive hypothesis to (depth d − 1) fgL∗ combined
with our observation that Reverse preserves property (2) of this hypothesis to deduce that all
nodes in fgL∗ are also good for all configurations.
Lastly, notice that since the last L0 + L1 instructions undo the first L0 + L1 instructions, the final
configuration features a single pebble on g ∗ .
t
u

15
Lemma 4 (R0 (d) = 3d). Every configuration induced by application of the instructions produced by
the pebbling strategy in Figure 2 for a formula f of depth d with assignment x such that f (x) = 0
can be described using R0 (d) = 3d bits.

Proof. We can interpret 3d bits in the following way to specify a pebbling: the first d bits specify a
path down the formula starting at the root gate (moving left or right based on the setting of each
bit), the next 2(d − 1) bits specify, for each of the (d − 1) non-input nodes along the path, which of
its children are pebbled. Finally one of the last 2 bits is used to denote if the root node is pebbled.
From Lemma 3, we know that for all gates g with children gL , gR , if any node in the sub-tree
rooted at gR is pebbled, then there exists at most one pebble on the sub-tree rooted at gL , namely
a pebble on gL itself. So, given a pebbling configuration, we can start at the root node and describe
the path defined by taking the child with more pebbles on its subtree using d bits. All pebbles in
the configuration are either on the root node or on children of nodes on this path and therefore
describable in the remaining 2d bits. t
u

5 Core Adaptive Security Component

In this section, we will describe the secret-sharing scheme (share, reconstruct) used in our ABE
construction. In addition, we describe a core component of our final ABE, and prove adaptive
security using the pebbling strategy defined and analyzed in Section 4 to define hybrids in the
piecewise guessing framework of Section 3.

Overview. As described in the overview in Section 1.1, we will consider the following “core 1-ABE
component”:

ct0x := ({wi }xi =1 )

skf := ({hµj }ρ(j)=0 ∪ {hµj +rj wρ(j) , hrj }ρ(j)6=0 )

where ({µj }, ρ) ← share(f, µ). We want to show that under the DDH assumption, µ is hidden given
just (ct0x , skf ) where x, f are adaptively chosen subject to the constraint f (x) = 0. We formalize
this via a pair of games G1-abe
0 , G1-abe
1 and the requirement G1-abe
0 ≈c G1-abe
1 . In fact, we will study a
more abstract construction based on any CPA-secure encryption with:

ct0x := ({wi }xi =1 )

sk0f := {µj }ρ(j)=0 ∪ {CPA.Enc(wρ(j) , µj )}ρ(j)6=0 where ({µj }, ρ) ← share(f, µ)

5.1 Linear secret sharing for NC1

We first describe a linear secret-sharing scheme for NC1 ; this is essentially the information-theoretic
version of Yao’s secret-sharing for NC1 in [JKK+ 17,VNS+ 03,IK02]. It suffices to work with Boolean
formulas where gates have fan-in 2 and fan-out 1, thanks to the transformation in Section 2.1. We
describe the scheme in Figure 4, and give an example in Figure 5. Note that our non-standard
definition of secret-sharing in Section 2.2 allows the setting of ρ(j) = 0 for shares that are available
for reconstruction for all x. We remark that the output of share satisfies |{µj }| ≤ 2m since each of
the m nodes adds a single µj to the output set, except for OR gates which add two: µja and µjb .
The reconstruction procedure reconstruct of the scheme is essentially applying the appropriate
linear operations to get the output wire value µ̂c at each node starting from the leaves of the formula
to get to the root µ̂m = µ.

16
 share(f, µ):
Input: A formula f : {0, 1}n → {0, 1} of size m and a secret µ ∈ Zp .

1. For each non-output wire j = 1, ..., m − 1, pick a uniformly random µ̂j ← Zp . For the output wire, set µ̂m = µ
2. For each outgoing wire j from input node i, add µj = µ̂j to the output set of shares and set ρ(j) = i.
3. For each AND gate g with input wires a, b and output wire c, add µc = µ̂c + µ̂a + µ̂b ∈ Zp to the output set of
shares and set ρ(c) = 0.
4. For each OR gate g with input wires a, b and output wire c, add µca = µ̂c + µ̂a ∈ Zp and µcb = µ̂c + µ̂b ∈ Zp to
the output set of shares and set ρ(ca ) = 0 and ρ(cb ) = 0.
5. Output {µj }, ρ.

Fig. 4. Information-theoretic linear secret sharing scheme share for NC1

output

7
j 1 2 3 4 5a
µj µ̂1 µ̂2 µ̂3 µ̂4 µ̂1 + µ̂5
∨
ρ(j) 1 2 1 3 0
5 6
j 5b 6 7a 7b
∨ ∧ µj µ̂2 + µ̂5 µ̂3 + µ̂4 + µ̂6 µ̂5 + µ µ̂6 + µ
ρ(j) 0 0 0 0
1 2 3 4

x1 x2 x1 x3

Fig. 5. Left: Formula (x1 ∨ x2 ) ∨ (x1 ∧ x3 ), where the wires are numbered 1, 2, . . . , 7. Right: Shares (µ1 , . . . , µ7b ) and
mapping ρ for the formula corresponding to secret µ ∈ Zp

– Given µ̂a , µ̂b associated with the input wires of an AND gate, we recover the gate’s output wire
value µ̂c by subtracting their values from µc (which is available since ρ(c) = 0).
– Given one of µ̂a , µ̂b associated with the input wires of an OR gate, we recover the gate’s output
wire value µ̂c by subtracting it from the appropriate choice of µca or µcb (which are both available
since ρ(ca ) = ρ(cb ) = 0).
Note that reconstruct(f, x, {µj }ρ(j)=0∨xρ(j) =1 ) computes a linear operation with respect to the
shares µj . This follows from the fact that the operation at each gate in reconstruction is a lin-
ear operation, and the composition of linear operations is itself a linear operation. Therefore,
reconstruct(f, x, {µj }ρ(j)=0∨xρ(j) =1 ) is equivalent to identifying the coefficients ωj of this linear
P
function, where µ = ρ(j)=0∨xρ(j)=1 ωj µj .
As with any linear secret-sharing scheme, share and reconstruct can be extended in the natural
way to accommodate vectors of secrets. Specifically, for a vector of secrets v ∈ Zkp , define:

share(f, v) := ({vj := (v1,j , ..., vk,j ))}, ρ) where ({vi,j }, ρ) ← share(f, vi )

(note that ρ is identical for all i). reconstruct can also be defined component-wise:
X
reconstruct(f, x, {vj }ρ(j)=0∨xρ(j) =1 ) := ωj vj where ωj are computed as above
ρ(j)=0∨xρ(j)=1

Our final ABE construction will use this extension.

17
5.2 Core 1-ABE Security Game

Definition 4 (Core 1-ABE Games G1-abe 0 , G1-abe

1 ). For a stateful adversary A, we define its
output in the following interactive games Gβ1-abe for β ∈ {0, 1}.

µ(0) , µ(1) ← Zp ; wi ← CPA.Setup(λ)

 
0
hA, G1-abe
β i := I b = 1 : 0
b ← AOF (·),OX (·),OE (·,·) (µ(0) )

where I is the indicator random variable and the adversary A adaptively interacts with three oracles:

OF (f ) := {sk0f = {µj }ρ(j)=0 ∪ {CPA.Enc(wρ(j) , µj )}ρ(j)6=0 where ({µj }, ρ) ← share(f, µ(β) )

OX (x) := (ct0x = {wi }xi =1 )
OE (i, m) := CPA.Encwi (m)

with the restrictions that (i) only one query is made to each of OF (·) and OX (·), and (ii) the queries
f and x to OF (·), OX (·) respectively, satisfy f (x) = 0.

To be clear, the β in G1-abe

β affects only the implementation of the oracle OF (where µ(β) is shared),
and A is given µ0 as input in both games. We will show that G1-abe
0 ≈c G1-abe
1 where we instantiate
share using the scheme in Section 5.1. That is, Theorem 2 will bound the quantity:

Pr[hA, G1-abe
0 i = 1] − Pr[hA, G1-abe
1 i = 1]

Comparison with [JKK+ 17]. Proving adaptive security for the core 1-ABE with share is very
similar to the proof for adaptive secret-sharing for circuits in [JKK+ 17]. One main difference is that
in our case, the adaptive choices z correspond to both (f, x), while in the adaptive secret-sharing
proof of [JKK+ 17], f is fixed, and the adaptive choices correspond to x, but revealed one bit at a
time (that is, OX (i, xi ) returns wi if xi = 1). Another difference is the OE oracle included in our
core 1-ABE game, which enables the component to be embedded in a standard dual-system hybrid
proof for our full ABE systems. Lastly, we leverage our improved analysis in Lemmas 3 and 4 to
achieve polynomial security loss, rather than the quasi-polynomial loss we would get from following
their proof more directly.

5.3 Adaptive Security for Core 1-ABE Component

We will show that G1-abe

0 ≈c G1-abe
1 as defined in Definition 4 using the piecewise guessing framework.
To do this, we need to first define a family of games {Hu } along with functions h0 , . . . , hL , using the
pebbling strategy in Section 4. First, we will describe shareu , which will be used to define Hu .

Defining shareu Recall that Lemma 4 describes how to parse a u ∈ {0, 1}3d as a pebbling
configuration: a subset of the nodes of f . Further, note that each node contains one output wire, so
we can equivalently view u as a subset of [m] denoting the output wires of pebbled gates. Given a
pebbling configuration u of an NC1 formula, the shares are generated as in the secret-sharing scheme
in Figure 4, except for each pebbled node with output wire c, we replace µc with an independent
random µc ← Zp (in the case of a pebbled OR gate, we replace both associated µca and µcb with
independent random µca , µcb ← Zp , i.e: both µca , µcb are associated with wire c.). In particular, we
get the procedure shareu (f, µ) defined in Figure 6.

18
 shareu (f, µ):
Input: A formula f : {0, 1}n → {0, 1}, a secret µ ∈ Zp , and a pebbling configuration u of the nodes of f .

1. Compute ({µ0j }, ρ) ← share(f, µ) as defined in Figure 4

2. For each µ0j , if j ∈ u (i.e: if j is the output wire of a pebbled node), then sample µj ← Zp . Otherwise, set µj := µ0j .
3. Output {µj }, ρ.

Fig. 6. Pebbling-modified secret sharing scheme shareu

Hybrid Distribution Hu We now define our hybrid games, and remark that Section 3 used
z ∈ {0, 1}R to denote the adaptive choices made by an adversary, and the functions h` that define
our hybrid games will depend on the adaptive choices of both the f ∈ NC1 and x ∈ {0, 1}n chosen
during the game, so in our application of the piecewise guessing framework of Section 3, z will
be (f, x). Note that the conclusion of the framework is independent of the size of the adaptive
input (R = |f | + n), and the framework allows its x to be defined in parts over time, though in our
application, x will be defined in one shot.

Definition 5 (Hu and h` ). Let Hu be G1-abe 0 with shareu (f, µ(0) ) used in the implementation
0
of oracle OF (f ) (replacing share (f, µ(0) )). Let h` : NC1 × {0, 1}n → {0, 1}R denote the function
that on formula f with root gate g ∗ and input x ∈ {0, 1}n where f (x) = 0, outputs the pebbling
configuration created from following the first ` instructions from Pebble(f, x, g ∗ ) of Figure 2.

Note that the first 0 instructions specify a configuration with no pebbles, so h0 is a constant
function for all f, x. Also, from the inductive proof in Lemma 3, we know that all sequences of
instructions from Pebble(f, x, g ∗ ) when f (x) = 0 result in a configuration with a single pebble on
the root gate g ∗ , so hL is a constant function for all f, x where f (x) = 0. Furthermore, note that for
all such f, x:
– Hh0 (f,x) is equivalent to G1-abe
0 (since shareh0 (f,x) (f, µ(0) ) = share(f, µ(0) ));
h
– H L (f,x) is equivalent to G11-abe (since sharehL (f,x) (f, µ(0) ) = share(f, µ(1) ) for an independently
random µ(1) which is implicitly defined by the independently random value associated with the
output wire of the pebbled root gate: µm ).
We now have a series of hybrids G1-abe 0 ≡ Hh0 (f,x) , Hh1 (f,x) , ..., HhL (f,x) ≡ G1-abe
1 which satisfy end-
point equivalence and, according to the piecewise guessing framework described in Section 3, define
games H b `,1 (u0 , u1 ) for ` ∈ [0, L].
b `,0 (u0 , u1 ), H
0
Lemma 5 (neighboring indistinguishability). For all ` ∈ [L] and u0 , u1 ∈ {0, 1}R ,
b `,1 (u0 , u1 )i = 1] ≤ n · AdvCPA (λ)
b `,0 (u0 , u1 )i = 1] − Pr[hA, H
Pr[hA, H B

Proof. First, observe that the difference between H b `,1 (u0 , u1 ) lies in OF (·): the
b `,0 (u0 , u1 ) and H
former uses shareu0 and the latter uses shareu1 . Now, fix the adaptive query f to OF . We consider
two cases.
First, suppose there does not exist x0 ∈ {0, 1}n such that h`−1 (f, x0 ) = u0 and h` (f, x0 ) = u1 .
Then, both hA, H b `,0 (u0 , u1 )i and hA, H
b `,1 (u0 , u1 )i output 0 (i.e., abort) with probability 1 and then
we are done.
In the rest of the proof, we deal with the second case, namely there exists x0 ∈ {0, 1}n such
that h`−1 (f, x0 ) = u0 and h` (f, x0 ) = u1 . This means that u0 and u1 are neighboring pebbling
configurations in Pebble(f, x0 , g ∗ ), so they differ by a pebbling instruction that follows one of the

19
rules in Definition 3. We proceed via a case analysis depending on what the instruction taking
configuration u0 to u1 is (the instruction is uniquely determined given u0 , u1 , f ):

– pebble/unpebble input node with out-going wire j : Here, the only difference from shareu0 (f, µ(0) )
to shareu1 (f, µ(0) ) is that we change µj to a random element of Zp (or vice-versa). The
pebbling rule for an input node requires that the input x to OX (·) in both H b `,0 (u0 , u1 ) and
H
b `,1 (u0 , u1 ) satisfies xρ(j) = 0. Indistinguishability then follows from the CPA security of
(CPA.Setup, CPA.Enc, CPA.Dec) under key wρ(j) ; this is because xρ(j) = 0 and therefore wρ(j)
will not need to be supplied in the answer to the query to OX (x). In fact, the two hybrids are
computationally indistinguishable even if the adversary sees all {wi : i 6= ρ(j)} (as may be
provided by OX (x)).
– pebble/unpebble AND gate with out-going wire c and input wires a, b corresponding to nodes
ga , gb . Here, the only difference from shareu0 (f, µ(0) ) to shareu1 (f, µ(0) ) is that we change µc
from an actual share µ̂a + µ̂b + µ̂c to a random element of Zp (or vice-versa). The pebbling
rules for an AND gate require that there is a pebble on either ga or gb , say ga . Therefore, µa is
independent and uniformly random in both distributions shareu0 (f, µ(0) ) and shareu1 (f, µ(0) ), and
thus µ̂a is fresh and independently random in both distributions (this uses the fact that ga has
fan-out 1) and makes the distribution of µc = µ̂a + µ̂b + µ̂c in hybrid ` − 1 independently random.
We may then deduce that shareu0 (f, µ(0) ) and shareu1 (f, µ(0) ) are identically distributed, and
therefore so is the output OF (f ). (This holds even if the adversary receives all of {wi : i ∈ [n]}
from its query to OX (x)).
– pebble/unpebble OR gate with out-going wire c and input wires a, b corresponding to nodes
ga , gb . Here, the only difference from shareu0 (f, µ(0) ) to shareu1 (f, µ(0) ) is that we change µca , µcb
from actual shares (µ̂a + µ̂c , µ̂b + µ̂c ) to random elements of Zp (or vice-versa). The pebbling
rules for an OR gate require that there are pebbles on both ga and gb . Therefore, µa and µb are
independent and uniformly random in both distributions shareu0 (f, µ(0) ) and shareu1 (f, µ(0) ),
and thus µ̂a , µ̂b are fresh and independently random in both distributions (using the fact that
ga , gb have fan-out 1), and make the distributions of µca = µ̂a + µ̂c , µcb = µ̂a + µ̂b in hybrid ` − 1
both independently random. We may then deduce that shareu0 (f, µ(0) ) and shareu1 (f, µ(0) ) are
identically distributed, and therefore so is the output OF (f ). (This holds even if the adversary
receives all of {wi : i ∈ [n]} in its query to OX (x)).

In all cases, the simulator can return an appropriately distributed answer to OX (x) = {wi }xi =1
since it has all wi except in the first case, where it is missing only a wi such that xi = 0. Additionally,
we note that in all cases, a simulator can return appropriately distributed answers to queries to the
encryption oracle OE (i, m) = Encwi (m), since only in the first case (an input node being pebbled
or unpebbled) is there a wi not directly available to be used to simulate the oracle, and in that
case, the simulator has oracle access to an Encwi (·) function in the CPA symmetric-key security
game, and it can uniformly guess which of the n variables is associated with the input node being
pebbled and answer OE requests to that variable with the CPA Encwi (·) oracle (the factor of n due
to guessing is introduced here since the simulator may not know which variable is associated with
the input node at the time of the oracle request, e.g: for requests to OE made before OX , so the
simulator must guess uniformly and take a security loss of n).
In all but the input node case, the two distributions hA, H b `,0 (u0 , u1 )i and hA, H
b `,1 (u0 , u1 )i are
identical, and in the input node case, we’ve bounded the difference by the distinguishing probability
of the symmetric key encryption scheme, the advantage function AdvCPA B (λ), conditioned on a
correct guess of which of the n input variables corresponds to the pebbled/unpebbled input node.

20
Therefore,
b `,1 (u0 , u1 )i = 1] ≤ n · AdvCPA (λ)
b `,0 (u0 , u1 )i = 1] − Pr[hA, H
Pr[hA, H B
t
u

5.4 CPA-secure symmetric encryption

We will instantiate (CPA.Setup, CPA.Enc, CPA.Dec) in our Core 1-ABE of Definition 4 with a variant
of a standard CPA-secure symmetric encryption scheme based on k-Lin from [EHK+ 13] that supports
messages [M ]2 ∈ G2 of an asymmetric prime-order bilinear group G:
CPA.Setup(1λ ) : Run G ← G(1λ ). Sample w ← Zkp , output sk := w
CPA.Enc(sk, [M ]2 ) : Sample r ← Zkp , output (ct1 , ct2 ) := ([M + w> r]2 , [r]2 )
CPA.Dec(sk, (ct1 , ct2 )) : Output ct1 · (sk> ct2 )−1 .

Correctness Note that: ct1 · (sk> ct2 )−1 = [M + w> r − w> r]2 = [M ]2 .
Lemma 6. AdvCPA
B (λ) ≤ AdvBk-Lin
0 (λ)
Proof. Consider the following adversary B ∗ , which, when given a MDDH1k,`+1 challenge: (G, [M]2 , [z]2 )
(where either [z]2 = [Ms]2 for s ← Zkp or [z]2 = [u]2 for u ← Z`+1 p ) where ` is the maximum
number of CPA encryption queries that will be requested, prepares the following challenge ciphertext:
(ct1 , ct2 ) := ([Mb + z`+1 ]2 , [M`+1 ]2 ), where z`+1 is the (` + 1)th coordinate of z and M`+1 is the
(` + 1)th row of M. To answer the ith CPA encryption oracle query for message [M ]2 , B ∗ returns
(ct1 , ct2 ) = ([M + zi ]2 , [Mi ]2 ).
If [z]2 = [Ms]2 , then zi = s> Mi and so the challenge ciphertext and responses to CPA queries are
distributed as a normal encryptions with sk = s and r = Mi . This is the normal CPA security
game.
If [z]2 = [u]2 , then z` (and all zi ) is independent and uniformly random, information-theoretically
hiding Mb in the challenge ciphertext and rendering its distribution independent of β. In this game
the adversary’s advantage is 0.
MDDH1k,`+1
It then follows that: AdvCPA
B (λ) ≤ AdvB∗ (λ).
MDDH1k,`+1
From Section 2.4 we have that: AdvB∗ (λ) = Advk-Lin
B0 (λ).
k-Lin
So, we have: AdvCPA
B (λ) ≤ Adv B 0 (λ).
Theorem 2. The Core 1-ABE component of Definition 4 implemented with (share, reconstruct)
from Section 5.1 and the CPA-secure symmetric encryption scheme (CPA.Setup, CPA.Enc, CPA.Dec)
from Section 5.4 satisfies:
Pr[hA, G1-abe
0 i = 1] − Pr[hA, G1-abe
1 i = 1] ≤ 26d · 8d · n · AdvBk-Lin
∗ (λ)
Proof. Recall the hybrids G1-abe
0 ≡ Hh0 (f,x) , Hh1 (f,x) , ..., HhL (f,x) ≡ G1-abe
1 defined in Section 5.3.
0
Lemma 5 tells us that: for all ` ∈ [L] and u0 , u1 ∈ {0, 1}R ,
b `,0 (u0 , u1 )i = 1] − Pr[hA, H
Pr[hA, H b `,1 (u0 , u1 )i = 1] ≤ n · AdvCPA (λ)
B

These hybrids satisfy the end-point equivalence requirement, so Lemma 1 then tells us that:
0
Pr[hA, G1-abe
0 i = 1] − Pr[hA, G1-abe
1 i = 1] ≤ 22R · L · n · AdvCPA
B (λ)
Lemma 4 tells us that R0 ≤ 3d, and Lemma 2 tells us that L ≤ 8d , where d is the depth of the
formula. Finally, Lemma 6 tells us that AdvCPA
B (λ) ≤ AdvBk-Lin
∗ (λ). So:
Pr[hA, G1-abe
0 i = 1] − Pr[hA, G1-abe
1 i = 1] ≤ 26d · 8d · n · AdvBk-Lin
∗ (λ)
t
u

21
6 Our KP-ABE Scheme

In this section, we present our compact KP-ABE for NC1 that is adaptively secure under the
MDDHk assumption in asymmetric prime-order bilinear groups. For attributes of length n, our
ciphertext comprises O(n) group elements, independent of the formula size, while simultaneously
allowing attribute reuse in the formula. As mentioned in the overview in Section 1.1, we incorporated
optimizations from [GDCC16,BKP14] to shrink Wi and thus the secret key, and hence the need for
the OE oracle in the core 1-ABE security game.

6.1 The scheme

Our KP-ABE scheme is as follows:
Setup(1λ , 1n ) : Run G = (p, G1 , G2 , GT , e) ← G(1λ ). Sample

A ← Zk×(k+1)
p , Wi ← Zp(k+1)×k ∀i ∈ [n], v ← Zk+1
p

and output:

msk := ( v, W1 , . . . , Wn )
mpk := ( [A]1 , [AW1 ]1 , . . . , [AWn ]1 , e([A]1 , [v]2 ) )

Enc(mpk, x, M ) : Sample s ← Zkp . Output:

ctx = (ct1 , {ct2,i }xi =1 , ct3 )

!
> > >
:= [s A]1 , {[s AWi ]1 }xi =1 , e([s A]1 , [v]2 ) · M

KeyGen(mpk, msk, f ) : Sample ({vj }, ρ) ← share(f, v), rj ← Zkp . Output:

skf = ({sk1,j , sk2,j })

:= ( {[vj + Wρ(j) rj ]2 , [rj ]2 } )

where W0 = 0. X
Dec(mpk, skf , ctx ) : Compute ωj such that v = ωj vj as described in Section 5.1.
ρ(j)=0∨xρ(j)=1
Output: ωj
e(ct2,ρ(j) , sk2,j )
Y 
ct3 ·
e(ct1 , sk1,j )
ρ(j)=0∨xρ(j)=1

6.2 Correctness
Correctness relies on the fact that for all j, we have
e(ct1 , sk1,j )
= [s> Avj ]T
e(ct2,ρ(j) , sk2,j )

which follows from the fact that

s> Avj = s|{z}

>
A ·(vj + Wρ(j) rj ) − s> AWρ(j) · rj
ct
| {z } | {z } |{z}
1 sk2,j
sk1,j ct2,ρ(j)

22
Therefore, for all f, x such that f (x) = 1, we have:
ωj
e(ct2,ρ(j) , sk2,j )

−ωj
Y Y
ct3 · = M · [s> Av]T · [s> Avj ]T
e(ct1 , sk1,j )
ρ(j)=0∨xρ(j)=1 ρ(j)=0∨xρ(j)=1
X
= M · [s> Av]T · [−s> A ωj vj ]T
ρ(j)=0∨xρ(j)=1

= M · [s> Av]T · [−s> Av]T

=M

6.3 Adaptive Security

Description of hybrids To describe the hybrid distributions, it would be helpful to first give
names to the various forms of ciphertext and keys that will be used. A ciphertext can be in one of
the following forms:

– Normal: generated as in the scheme.

– SF: same as a Normal ciphertext, except s> A replaced with c> ← Zk+1
p . That is,
!
> > >
ctx := [ c ]1 , {[ c Wi ]1 }xi =1 , e([ c ]1 , [v]2 ) · M

A secret key can be in one of the following forms:

– Normal: generated as in the scheme.

– SF: same as a Normal key, except v replaced with v + δa⊥ , where a fresh δ ← Zp is chosen per
SF key and a⊥ is any fixed a⊥ ∈ Zk+1
p \ {0} such that Aa⊥ = 0. That is,

skf := ( {[vj + Wρ(j) rj ]2 , [rj ]2 } )

where ({vj }, ρ) ← share(f, v + δa⊥ ), rj ← Zkp .

SF stands for semi-functional following the terminology in previous works [LW10,Wat09].

Hybrid sequence. Suppose the adversary A makes at most Q secret key queries. The hybrid
sequence is as follows:

– H0 : real game
– H1 : same as H0 , except we use a SF ciphertext.
– H2,` , ` = 0, . . . , Q: same as H1 , except the first ` keys are SF and the remaining Q − ` keys are
Normal.
– H3 : replace M with random M f.

Proof overview.

– We have H0 ≈c H1 ≡ H2,0 via k-Lin, which tells us ([A]1 , [s> A]1 ) ≈c ([A]1 , [c> ]1 ). Here, the
security reduction will pick W1 , . . . , Wn and v so that it can simulate the mpk, the ciphertext
and the secret keys.

23
 – We have H2,`−1 ≈c H2,` , for all ` ∈ [Q]. The difference between the two is that we switch the
`’th skf from Normal to SF using the adaptive security of our core 1-ABE component in G1-abe
from Section 5. The idea is to sample

v = ṽ + µa⊥ , Wi = W
f i + a⊥ w >
i

so that mpk can be computed using ṽ, W f i and perfectly hide µ, w1 , . . . , wn . Roughly speaking:
the reduction
• uses OX (x) in G1-abe to simulate the challenge ciphertext
• uses OF (f ) in G1-abe to simulate `’th secret key
• uses µ(0) from G1-abe together with OE (i, ·) = Enc(wi , ·) to simulate the remaining Q − `
secret keys
– We have H2,Q ≡ H3 . In H2,Q , the secret keys only leak v + δ1 a⊥ , . . . , v + δQ a⊥ . This means that
c> v is statistically random (as long as c> a⊥ 6= 0).

Lemma 7 (H0 ≈c H1 ≡ H2,0 ).

| Pr[hA, H0 i = 1] − Pr[hA, H1 i = 1]| ≤ AdvAk-Lin

0 (λ)

Proof. Given MDDHk challenge ([A]1 , [z> ]1 ), where either z> = s> A or z> = c> , an adversary A0
(k+1)×k
could simply choose Wi ← Zp , v ← Zk+1p , form the public parameters with A, Wi , v, and
choose its own rj ← Zp when responding to key requests. For the challenge ciphertext, A0 creates:
k

!
ctx := [z> ]1 , {[z> Wi ]1 }xi =1 , e([z> ]1 , [v]2 ) · M

If z> = s> A, A0 has simulated H0 ; If z> = c> , A0 has simulated H1 ≡ H2,0 . t

u

Lemma 8 (H2,`−1 ≈c H2,` ).

| Pr[hA, H2,`−1 i = 1] − Pr[hA, H2,` i = 1]| ≤ 26d · 8d · n · AdvBk-Lin

∗ (λ)

Proof. For each β ∈ {0, 1}, consider the following adversary A0 in G1-abe
β which internally simulates
A and the challenger in the ABE security game:
k×(k+1) f (k+1)×k
– First, A0 samples A ← Zp , Wi ← Zp , ṽ ← Zk+1 ⊥ k+1 \ {0} such
p , computes a ∈ Zp
that Aa⊥ = 0 and implicitly defines

v := ṽ + µ(0) a⊥ , Wi := W
f i + a⊥ w>
i

where wi ∈ Zkp , µ(0) ∈ Zp are chosen in G1-abe

β . Then, A0 outputs:

mpk := ( [A]1 , [AW

f 1 ]1 , . . . , [AW
f n ]1 , e([A]1 , [ṽ]2 ) )

– When A requests a challenge ciphertext for attribute x along with M0 , M1 , A0 queries OX (x) →
( {wi }xi =1 ) in G1-abe
β . A0 then samples c ← Zk+1p and b ← {0, 1} (the challenge bit in the
standard ABE security game) and returns the following (SF) challenge ciphertext for A:
!
ctx = [c> ]1 , {[c> (W
f + a⊥ w> )]1 }x =1 , e([c> ]1 , [ṽ + µ(0) a⊥ ]2 ) · Mb
| i {z i
} i
| {z }
=Wi =v

24
 – For the first ` − 1 secret keys requested, say for formula f , A0 computes
⊥
({vj }, ρ) ← share(f, ṽ
| +{zδ̃a })
=v+δa⊥

where δ̃ ← Zp is drawn independently for each key (here, the per-key δ = δ̃ − µ(0) implicitly).
> r ] , [r ] ) in G1-abe (since O (ρ(j), [0] ) =
Next, for each j, it queries OE (ρ(j), [0]2 ) → ([wρ(j) j 2 j 2 β E 2
CPA.Encwρ(j) ([0]2 )), and forms the following (SF) key:

f ρ(j) rj + a⊥ w> rj ]2 , [rj ]2 } )

skf = ( {[vj + W ρ(j)
| {z }
=vj +Wρ(j) rj

– For the last Q − ` secret keys requested, say for formula f , A0 proceeds as before for the first
` − 1 keys except
({vj }, ρ) ← share(f, ṽ + µ(0) a⊥ )
| {z }
=v

It is easy to see that it forms a Normal key.

– For the `th secret key requested, say for formula f , A0 computes ({vj }, ρ) ← share(f, ṽ), queries
> r ] , [r ] } ) in G1-abe , then uses these components to return:
OF (f ) → ( {[µj + wρ(j) j 2 j 2 β

f ρ(j) rj + a⊥ (µj + w> rj )]2 , [rj ]2 } )

skf = ( {[vj + W ρ(j)
| {z }
=(vj +µj a⊥ )+Wj rj

We claim that if β = 0, then skf is a Normal key, and if β = 1, then skf is a SF key. This follows
the fact that thanks to linearity, the shares

({vj + µj a⊥ }, ρ), where ({vj }, ρ) ← share(f, ṽ), ({µj }, ρ) ← share(f, µ(β) )

are identically distributed to share(f, ṽ + µ(β) a⊥ ). The claim then follows from the fact that
ṽ + µ(0) a⊥ = v and that ṽ + µ(1) a⊥ is identically distributed to v + δa⊥ (where δ = µ(1) − µ(0)
is a fresh random value for this key).

Putting everything together, for β ∈ {0, 1}, when A0 interacts with G1-abe
β , then A0 simulates
H2,`−1+β . It follows then that:

| Pr[hA, H2,`−1 i = 1] − Pr[hA, H2,` i = 1]| ≤ | Pr[hA0 , G1-abe

0 i = 1] − Pr[hA0 , G1-abe
1 i = 1]|

From Theorem 2, we then have:

| Pr[hA, H2,`−1 i = 1] − Pr[hA, H2,` i = 1]| ≤ 26d · 8d · n · AdvBk-Lin

∗ (λ)

t
u

Lemma 9 (H2,Q ≈s H3 ).

1
| Pr[hA, H2,Q i = 1] − Pr[hA, H3 i = 1]| ≤
p

25
Proof. These two hybrids are identically distributed conditioned on c> a⊥ = 6 0. To see this, consider
k+1 ⊥
two ways of sampling v: as ṽ ← Zp and as ṽ + m̃a for an independent m̃ ← Zp . Note that both
result in v having a uniform distribution.
Using ṽ to simulate hybrid H2,Q obviously results in H2,Q (where v = ṽ). However, using the
identically distributed v = ṽ + m̃a⊥ to simulate H2,Q results in H3 (where Mf = M · e([c> ]1 , [m̃a⊥ ]2 )
is randomly distributed as long as c> a⊥ 6= 0, and for redefined independently random δ̃i := δi + m̃
in the secret keys).
c is chosen at random and independent from a⊥ = 6 0, so c> a⊥ = 0 with probability p1 , and since
we know that H2,Q ≡ H3 conditioned on c> a⊥ 6= 0, then we have:

1
| Pr[hA, H2,Q i = 1] − Pr[hA, H3 i = 1]| ≤
p
t
u

Theorem 3 (adaptive KP-ABE). The KP-ABE construction in Section 6.1 is adaptively secure
under the MDDHk assumption.

Proof.

| Pr[hA, H0 i = 1] − Pr[hA, H3 i = 1]| ≤| Pr[hA, H0 i = 1] − Pr[hA, H1 i = 1]|

Q
X
+ | Pr[hA, H2,`−1 i = 1] − Pr[hA, H2,` i = 1]|
`=1
+ | Pr[hA, H2,Q i = 1] − Pr[hA, H3 i = 1]|

(Since H1 ≡ H2,0 ). Summing the results of Lemmas 7, 8, and 9, we then have:

1
| Pr[hA, H0 i = 1] − Pr[hA, H3 i = 1]| ≤ AdvBk-Lin
∗ (λ) + Q · 26d · 8d · n · AdvBk-Lin
∗ (λ) +
p

If d = O(log n), then under the k-Lin assumption this is a negligible function of λ (the number of
queries made Q and the attribute vector length n are both polynomial in λ, and p1 is a negligible
function of λ). It’s easy to see that Advabe
A (λ) = 0 in the H3 hybrid game (since a random message is
encrypted in the challenge ciphertext). So, any adversary in the real game (H0 ) will have advantage
negligibly close to 0, and our construction satisfies adaptive security. t
u

Acknowledgments. We thank Allison Bishop, Sanjam Garg, Rocco Servedio, and Daniel Wichs
for helpful discussions.

26
References
AC17. Shashank Agrawal and Melissa Chase. Simplifying design and analysis of complex predicate encryption
schemes. In Jean-Sébastien Coron and Jesper Buus Nielsen, editors, EUROCRYPT 2017, Part I, volume
10210 of LNCS, pages 627–656. Springer, Heidelberg, April / May 2017.
Att14. Nuttapong Attrapadung. Dual system encryption via doubly selective security: Framework, fully secure
functional encryption for regular languages, and more. In Phong Q. Nguyen and Elisabeth Oswald, editors,
EUROCRYPT 2014, volume 8441 of LNCS, pages 557–577. Springer, Heidelberg, May 2014.
Att16. Nuttapong Attrapadung. Dual system encryption framework in prime-order groups via computational
pair encodings. In Jung Hee Cheon and Tsuyoshi Takagi, editors, ASIACRYPT 2016, Part II, volume
10032 of LNCS, pages 591–623. Springer, Heidelberg, December 2016.
BKP14. Olivier Blazy, Eike Kiltz, and Jiaxin Pan. (Hierarchical) identity-based encryption from affine message
authentication. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of
LNCS, pages 408–425. Springer, Heidelberg, August 2014.
BSW07. John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policy attribute-based encryption. In 2007
IEEE Symposium on Security and Privacy, pages 321–334. IEEE Computer Society Press, May 2007.
CGKW18. Jie Chen, Junqing Gong, Lucas Kowalczyk, and Hoeteck Wee. Unbounded ABE via bilinear entropy
expansion, revisited. In Jesper Buus Nielsen and Vincent Rijmen, editors, EUROCRYPT 2018, Part I,
volume 10820 of LNCS, pages 503–534. Springer, Heidelberg, April / May 2018.
CGW15. Jie Chen, Romain Gay, and Hoeteck Wee. Improved dual system ABE in prime-order groups via predicate
encodings. In Elisabeth Oswald and Marc Fischlin, editors, EUROCRYPT 2015, Part II, volume 9057 of
LNCS, pages 595–624. Springer, Heidelberg, April 2015.
Che06. Jung Hee Cheon. Security analysis of the strong Diffie-Hellman problem. In Serge Vaudenay, editor,
EUROCRYPT 2006, volume 4004 of LNCS, pages 1–11. Springer, Heidelberg, May / June 2006.
CW13. Jie Chen and Hoeteck Wee. Fully, (almost) tightly secure IBE and dual system groups. In Ran Canetti
and Juan A. Garay, editors, CRYPTO 2013, Part II, volume 8043 of LNCS, pages 435–460. Springer,
Heidelberg, August 2013.
CW14. Jie Chen and Hoeteck Wee. Semi-adaptive attribute-based encryption and improved delegation for Boolean
formula. In Michel Abdalla and Roberto De Prisco, editors, SCN 14, volume 8642 of LNCS, pages 277–297.
Springer, Heidelberg, September 2014.
EHK+ 13. Alex Escala, Gottfried Herold, Eike Kiltz, Carla Ràfols, and Jorge Villar. An algebraic framework for
Diffie-Hellman assumptions. In Ran Canetti and Juan A. Garay, editors, CRYPTO 2013, Part II, volume
8043 of LNCS, pages 129–147. Springer, Heidelberg, August 2013.
FJP15. Georg Fuchsbauer, Zahra Jafargholi, and Krzysztof Pietrzak. A quasipolynomial reduction for generalized
selective decryption on trees. In Rosario Gennaro and Matthew J. B. Robshaw, editors, CRYPTO 2015,
Part I, volume 9215 of LNCS, pages 601–620. Springer, Heidelberg, August 2015.
FKPR14. Georg Fuchsbauer, Momchil Konstantinov, Krzysztof Pietrzak, and Vanishree Rao. Adaptive security of
constrained PRFs. In Palash Sarkar and Tetsu Iwata, editors, ASIACRYPT 2014, Part II, volume 8874 of
LNCS, pages 82–101. Springer, Heidelberg, December 2014.
GDCC16. Junqing Gong, Xiaolei Dong, Jie Chen, and Zhenfu Cao. Efficient IBE with tight reduction to stan-
dard assumption in the multi-challenge setting. In Jung Hee Cheon and Tsuyoshi Takagi, editors,
ASIACRYPT 2016, Part II, volume 10032 of LNCS, pages 624–654. Springer, Heidelberg, December 2016.
GGH+ 13. Sanjam Garg, Craig Gentry, Shai Halevi, Amit Sahai, and Brent Waters. Attribute-based encryption
for circuits from multilinear maps. In Ran Canetti and Juan A. Garay, editors, CRYPTO 2013, Part II,
volume 8043 of LNCS, pages 479–499. Springer, Heidelberg, August 2013.
GPSW06. Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute-based encryption for fine-grained
access control of encrypted data. In Ari Juels, Rebecca N. Wright, and Sabrina De Capitani di Vimercati,
editors, ACM CCS 2006, pages 89–98. ACM Press, October / November 2006. Available as Cryptology
ePrint Archive Report 2006/309.
GVW13. Sergey Gorbunov, Vinod Vaikuntanathan, and Hoeteck Wee. Attribute-based encryption for circuits. In
Dan Boneh, Tim Roughgarden, and Joan Feigenbaum, editors, 45th ACM STOC, pages 545–554. ACM
Press, June 2013.
HJO+ 16. Brett Hemenway, Zahra Jafargholi, Rafail Ostrovsky, Alessandra Scafuro, and Daniel Wichs. Adaptively
secure garbled circuits from one-way functions. In Matthew Robshaw and Jonathan Katz, editors,
CRYPTO 2016, Part III, volume 9816 of LNCS, pages 149–178. Springer, Heidelberg, August 2016.
IK02. Yuval Ishai and Eyal Kushilevitz. Perfect constant-round secure computation via perfect randomizing
polynomials. In Peter Widmayer, Francisco Triguero Ruiz, Rafael Morales Bueno, Matthew Hennessy,
Stephan Eidenbenz, and Ricardo Conejo, editors, ICALP 2002, volume 2380 of LNCS, pages 244–256.
Springer, Heidelberg, July 2002.

27
JKK+ 17. Zahra Jafargholi, Chethan Kamath, Karen Klein, Ilan Komargodski, Krzysztof Pietrzak, and Daniel Wichs.
Be adaptive, avoid overcommitting. In Jonathan Katz and Hovav Shacham, editors, CRYPTO 2017,
Part I, volume 10401 of LNCS, pages 133–163. Springer, Heidelberg, August 2017.
JW16. Zahra Jafargholi and Daniel Wichs. Adaptive security of Yao’s garbled circuits. In Martin Hirt and
Adam D. Smith, editors, TCC 2016-B, Part I, volume 9985 of LNCS, pages 433–458. Springer, Heidelberg,
October / November 2016.
KLMM19. Lucas Kowalczyk, Jiahui Liu, Tal Malkin, and Kailash Meiyappan. Mitigating the one-use restriction
in attribute-based encryption. In Kwangsu Lee, editor, ICISC 18, volume 11396 of LNCS, pages 23–36.
Springer, Heidelberg, November 2019.
LOS+ 10. Allison B. Lewko, Tatsuaki Okamoto, Amit Sahai, Katsuyuki Takashima, and Brent Waters. Fully secure
functional encryption: Attribute-based encryption and (hierarchical) inner product encryption. In Henri
Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS, pages 62–91. Springer, Heidelberg, May / June
2010.
LSW10. Allison B. Lewko, Amit Sahai, and Brent Waters. Revocation systems with very small private keys. In
2010 IEEE Symposium on Security and Privacy, pages 273–285. IEEE Computer Society Press, May 2010.
LW10. Allison B. Lewko and Brent Waters. New techniques for dual system encryption and fully secure HIBE
with short ciphertexts. In Daniele Micciancio, editor, TCC 2010, volume 5978 of LNCS, pages 455–479.
Springer, Heidelberg, February 2010.
LW11. Allison B. Lewko and Brent Waters. Unbounded HIBE and attribute-based encryption. In Kenneth G.
Paterson, editor, EUROCRYPT 2011, volume 6632 of LNCS, pages 547–567. Springer, Heidelberg, May
2011.
LW12. Allison B. Lewko and Brent Waters. New proof methods for attribute-based encryption: Achieving full
security through selective techniques. In Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012,
volume 7417 of LNCS, pages 180–198. Springer, Heidelberg, August 2012.
OSW07. Rafail Ostrovsky, Amit Sahai, and Brent Waters. Attribute-based encryption with non-monotonic access
structures. In Peng Ning, Sabrina De Capitani di Vimercati, and Paul F. Syverson, editors, ACM CCS
2007, pages 195–203. ACM Press, October 2007.
OT10. Tatsuaki Okamoto and Katsuyuki Takashima. Fully secure functional encryption with general relations
from the decisional linear assumption. In Tal Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, pages
191–208. Springer, Heidelberg, August 2010.
OT12. Tatsuaki Okamoto and Katsuyuki Takashima. Fully secure unbounded inner-product and attribute-based
encryption. In Xiaoyun Wang and Kazue Sako, editors, ASIACRYPT 2012, volume 7658 of LNCS, pages
349–366. Springer, Heidelberg, December 2012.
PRV12. Bryan Parno, Mariana Raykova, and Vinod Vaikuntanathan. How to delegate and verify in public:
Verifiable computation from attribute-based encryption. In Ronald Cramer, editor, TCC 2012, volume
7194 of LNCS, pages 422–439. Springer, Heidelberg, March 2012.
SW05. Amit Sahai and Brent R. Waters. Fuzzy identity-based encryption. In Ronald Cramer, editor, EURO-
CRYPT 2005, volume 3494 of LNCS, pages 457–473. Springer, Heidelberg, May 2005.
VNS+ 03. V. Vinod, Arvind Narayanan, K. Srinathan, C. Pandu Rangan, and Kwangjo Kim. On the power of
computational secret sharing. In Thomas Johansson and Subhamoy Maitra, editors, INDOCRYPT 2003,
volume 2904 of LNCS, pages 162–176. Springer, Heidelberg, December 2003.
Wat09. Brent Waters. Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions. In
Shai Halevi, editor, CRYPTO 2009, volume 5677 of LNCS, pages 619–636. Springer, Heidelberg, August
2009.
Wee14. Hoeteck Wee. Dual system encryption via predicate encodings. In Yehuda Lindell, editor, TCC 2014,
volume 8349 of LNCS, pages 616–637. Springer, Heidelberg, February 2014.

28
A Our CP-ABE Scheme

In this section, we present our compact CP-ABE for NC1 that is adaptively secure under the
MDDHk assumption in asymmetric prime-order bilinear groups. The construction is analogous to
our KP-ABE scheme in Section 6. One notable difference is that we introduce Br in the secret keys,
and we need to introduce additional intermediate distributions in the proof of security (this also
removes the use of the OE oracle in the core 1-ABE security game); the reduction is also a bit more
complex as we need to embed the output of OF into the CP-ABE ciphertext.

A.1 CP-ABE Construction

Our CP-ABE scheme is as follows:

Setup(1λ , 1n ) : Run G = (p, G1 , G2 , GT , e) ← G(1λ ). Sample

A ← Zk×2k
p , B ← Z(k+1)×k
p , U0 , Wi ← Zp2k×(k+1) , v ← Z2k
p

and output:

msk := ( v, B, U0 , W1 , . . . , Wn )
mpk := ( [A]1 , [AU0 ]1 , [AW1 ]1 , . . . , [AWn ]1 , e([A]1 , [v]2 ) )

Enc(mpk, f, M ) : Sample ({u> > k

j }, ρ) ← share(f, s AU0 ), s, sj ← Zp . Output:

ctf = (ct1 , {ct2,j , ct3,j }, ct4 )

!
>
:= [s A]1 , {[u>
j + s> >
j AWρ(j) ]1 , [sj A]1 },
>
e([s A]1 , [v]2 ) · M

where W0 = 0.
KeyGen(mpk, msk, f ) : Sample r ← Zkp . Output:

skx = (sk1 , sk2 , {sk3,i }xi =1 })

:= ( [v + U0 Br]2 , [Br]2 , {[Wi Br]2 }xi =1 )
X
Dec(mpk, skx , ctf ) : Compute ωj such that s> AU0 = ωj uj as described in Section 5.1.
ρ(j)=0∨xρ(j)=1
Output:  ωj
ct4 Y e(ct2,j , sk2 )
·
e(ct1 , sk1 ) e(ct3,j , sk3,ρ(j) )
ρ(j)=0∨xρ(j)=1

A.2 Correctness

Correctness relies on the fact that for all j, we have

e(ct2,j , sk2 )
= [u>
j Br]T
e(ct3,j , sk3,ρ(j) )

29
which follows from the fact that

u> > >

Br − s>
j Br = (uj + sj AWρ(j) ) · |{z} j A · Wρ(j) Br
| {z } |{z} | {z }
ct2,j sk2 ct3,j sk3,ρ(j)

and also from the fact that

e(ct1 , sk1 ) = [s> Av + s> AU0 Br]T
Therefore, for all f, x such that f (x) = 1, we have:
ωj
M · [s> Av]T

ct4 Y e(ct2,j , sk2 ) Y ω
· = > · [u>
j Br]T
j

e(ct1 , sk1 ) e(ct3,j , sk3,ρ(j) ) [s Av + s> AU0 Br]T

ρ(j)=0∨xρ(j)=1 ρ(j)=0∨xρ(j)=1

M· [s> Av]
T
X
= ·[ ωj u>
j Br]T
[s> Av
+ s> AU0 Br]T
ρ(j)=0∨xρ(j)=1

M· [s> Av]
T
= · [s> AU0 Br]T
[s> Av >
+ s AU0 Br]T
M · [s> Av + s> AU0 Br]T
=
[s> Av + s> AU0 Br]T
=M

A.3 Adaptive Security

Description of hybrids A ciphertext can be in one of the following forms:
– Normal: generated as in the scheme.
– SF: same as a Normal ciphertext, except s> A, s> > > 2k
j A replaced with c , cj , where c, cj ← Zp .
That is,
!
ctf := [ c> ]1 , {[u> > >
j + cj Wρ(j) ]1 , [ cj ]1 }, e([ c> ]1 , [v]2 ) · M

A secret key can be in one of the following forms:

– Normal: generated as in the scheme.
– SF: same as a Normal key, except v replaced with v + A⊥ δ (q) , where a fresh δ (q) ← Zkp is chosen
per SF and A⊥ is any fixed A⊥ ∈ Z2k×k
p \ {0} such that AA⊥ = 0. That is,

skx := ( [ v + A⊥ δ (q) + U0 Br]2 , [Br]2 , {[Wi Br]2 }xi =1 )

– P-Normal: same as a Normal key, except Br replaced with d ← Zk+1

p . That is,

skx := ( [v + U0 d ]2 , [ d ]2 , {[Wi d ]2 }xi =1 )

– P-SF: same as a SF key, except Br replaced with d ← Zk+1

p . That is,

skx := ( [ v + A⊥ δ (q) + U0 d ]2 , [ d ]2 , {[Wi d ]2 }xi =1 )

Here, P stands for pseudo following [Wee14,CGW15].

30
Hybrid sequence. Suppose the adversary A makes at most Q secret key queries. The hybrid
sequence is as follows:

– H0 : real game
– H1 : same as H0 , except we use a SF ciphertext.
– H2,`,1 , ` = 0, . . . , Q: same as H1 , except the `’th key is P-Normal, the first ` − 1 keys are SF and
the last Q − ` keys are Normal.
– H2,`,2 : same as H2,`,1 except the `’th key is P-SF.
– H2,`,3 : same as H2,`,1 except the `’th key is SF.
– H3 : replace M with random.

Proof overview.

– We have H0 ≈c H1 ≡ H2,0,3 via k-Lin (and its self-reducibility), which tells us

([A]1 , [s> A]1 , {[s> > >

j A]1 }) ≈c ([A]1 , [c ]1 , {[cj ]1 })

Here, the security reduction will pick U0 , W1 , . . . , Wn and v so that it can simulate the mpk,
the ciphertext and the secret keys.
– We have H2,`−1,3 ≈c H2,`,1 for all ` ∈ [Q]. The difference between the two is that we switch the
`’th skf from Normal to P-Normal.
This follows again via k-Lin, which tells us ([B]2 , [Br]2 ) ≈c ([B]2 , [d]2 ). Again, the security
reduction will pick U0 , W1 , . . . , Wn and v so that it can simulate the mpk, the ciphertext and
the secret keys.
– We have H2,`,1 ≈c H2,`,2 for all ` ∈ [Q]. The difference between the two is that we switch the
`’th skf from P-Normal to P-SF. I The idea is to program:

f i + A⊥ wi (b⊥ )> , U0 = U
Wi = W e 0 + A⊥ u(b⊥ )>

where wi , b⊥ ∈ Zkp , A⊥ ∈ Z2k×k

p , u ∈ Zk+1
p and

AA⊥ = 0, (b⊥ )> B = 0

Note that the public parameters and the normal and SF keys information-theoretically hide a
random u and the wi ’s from G1-abe . Next, we focus on the SF ciphertext ctf , and the `’th secret
key skx , which is either P-Normal or P-SF.
First, we argue that if we ignore v + U0 d in skx , then u remains computationally hidden given
ctf , skx using the G1-abe security game. Theorem 2 tells us that u is computationally hidden
given
c, {[c> ⊥ > ⊥
j A ]1 , [µj + cj A wρ(j) ]1 }j , {wi }xi =1

where ({µj }, ρ) ← share(f, c> A⊥ u) and we treat c> ⊥ 1×k 2k

j A ∈ Zp , cj ← Zp as the randomness
used for CPA.Enc, even for adaptive choices of f, x. We can then use the entropy in u to hide
the A⊥ -component of v in v + A⊥ u (b⊥ )> d.
| {z }
6=0
– We have H2,`,2 ≈c H2,`,3 for all ` ∈ [Q]. The difference between the two is that we switch the
`’th skf from P-SF to SF.
This follows again via k-Lin, which tells us ([B]2 , [Br]2 ) ≈c ([B]2 , [d]2 ), symmetrically to the
proof for H2,`−1,3 ≈c H2,`,1 , except that v + A⊥ δ (`) is used instead of v in the `th secret key.

31
 – We have H2,Q,3 ≡ H3 . In H2,Q,3 , the secret keys only leak v + A⊥ δ (1) , . . . , v + A⊥ δ (Q) . This
means that c> v is statistically random (as long as c> A⊥ 6= 0).

Lemma 10 (H0 ≈c H1 ≡ H2,0,3 ).

| Pr[hA, H0 i = 1] − Pr[hA, H1 i = 1]| ≤ AdvAk-Lin

∗ (λ)
(2m+1)×k
Proof. Given MDDH2m+1 > > > >
k,2k challenge ([A]1 , [Z ]1 ), where either Z = S A for a S ← Zp or
(2m+1)×2k 2k×(k+1)
Z> = C> for a C> ← Zp , an adversary A0 could simply choose U0 , Wi ← Zp ,v ←
(k+1)×k
Z2k
p , form the public parameters with A, U0 , Wi , v, and choose its own B ← Zp k
, r ← Zp when
responding to key requests.
For the challenge ciphertext, A0 computes: ({u> >
j }, ρ) ← share(f, z2m+1 U0 ), parses the rows of
> >
Z as zj for j ∈ [m + 1], and returns:
!
ctx := [z> >
2m+1 ]1 , {[uj + z> >
j Wρ(j) ]1 , [zj ]1 }, e([z>
2m+1 ]1 , [v]2 ) · Mb

(note that |{uj }| ≤ 2m).

If Z> = S> A, then the challenge ciphertext is Normal and A0 has simulated H0 ;
If Z> = C> , then the challenge ciphertext is SF and A0 has simulated H1 ≡ H2,0,3 .
MDDH2m+1
Finally, recall from Section 2.4 that AdvA0 k,2k
(λ) = Advk-Lin
A∗ (λ) t
u

Lemma 11 (H2,`−1,3 ≈c H2,`,1 ).

| Pr[hA, H2,`−1,3 i = 1] − Pr[hA, H2,`,1 i = 1]| ≤ AdvAk-Lin

0 (λ)

Proof. Given MDDHk challenge ([B]2 , [z]2 ), where either z = Br for r ← Zkp or z = d, for d ← Zk+1
p ,
2k×(k+1)
an adversary A0 could simply choose A ← Zk×2k p , U0 , Wi ← Zp , v ← Z2k
p , and form the
0 ⊥ 2k×k
public parameters with A, U0 , Wi , v. A could then compute A ∈ Zp such that AA⊥ = 0 (to
be used in answering secret key queries).

– For the (SF) challenge ciphertext, A0 computes: ({u> > 2k

j }, ρ) ← share(f, c U0 ), draws c, cj ← Zp
for each j, and creates:
!
ctf := [c> ]1 , {[u> > >
j + cj Wρ(j) ]1 , [cj ]1 }, e([c> ]1 , [v]2 ) · Mb

– For the first ` − 1 secret keys requested, say the qth request is for x, A0 draws δ (q) , r(q) ← Zkp ,
and forms the following (SF) key:

skx := ( [v + A⊥ δ (q) + U0 Br(q) ]2 , [Br(q) ]2 , {[Wi Br(q) ]2 }xi =1 )

– For the last Q − ` secret keys requested, A0 proceeds as before for the first ` − 1 keys except
using just v instead of v + A⊥ δ (q) . It is easy to see that it forms a Normal key.
– For the `th secret key request, A0 forms the following key:

skx := ( [v + U0 z]2 , [z]2 , {[Wi z]2 }xi =1 )

32
If z = Br, then the `th key is Normal and A0 has simulated H2,`−1,3 ;
If z = d, then the `th key is P-Normal and A0 has simulated H2,`,1 . t
u

Lemma 12 (H2,`,1 ≈c H2,`,2 ).

| Pr[hA, H2,`,1 i = 1] − Pr[hA, H2,`,2 i = 1]| ≤ 26d · 8d · n · AdvBk-Lin

∗ (λ)

Proof. Consider the following adversary A0 in G1-abe

β which internally simulates A and the challenger
in the ABE security game:
(k+1)×k 2k×(k+1)
– First, A0 samples A ← Zk×2k
p , B ← Zp ,U f i ← Zp
e 0, W , ṽ ← Z2k ⊥
p , computes A ∈
(k+1)
Z2k×k
p \ {0}, b⊥ ∈ Zp such that AA⊥ = 0 and (b⊥ )> B = 0 and implicitly defines

µ(0) ((b⊥ )> d) ⊥ µ(b)

v := ṽ − A u, U 0 := U
e0 + A⊥ u(b⊥ )> , Wi := W
f i + A⊥ wi (b⊥ )>
(c> A⊥ u) (c> A⊥ u)

where wi ∈ Zkp , µ(b) ∈ Zp are chosen in G1-abe

β , c ← Z2k
p is chosen for use in the challenge
ciphertext, d ← Zp is chosen for use in the `th secret key, and u ← Zkp . Note that A0 can
k+1

compute v since it has µ(0) from G1-abe

β and knows all other vectors.
Then, A0 generates the public parameters as:

mpk := ( [A]1 , [AU

e 0 ]1 , [AW
f 1 ]1 , . . . , [AW
f n ]1 , e([A]1 , [ṽ]2 ) )

– When A requests a challenge ciphertext for formula f along with M0 , M1 , A0 queries OF (f ) →

( {[µj + r> 1-abe . A0 then samples c̃ ← Zk for each j and b ← {0, 1}
j wρ(j) ]1 , [rj ]1 } ) in Gβ j p
 ⊥ >
⊥ (A )
(the challenge bit in the standard ABE security game), defines AC := ∈ Z2k×2k
p
M
  
for a choice of M that makes A⊥ ⊥ −1 rj
C invertible, computes [cj ]1 := (AC ) c̃j 1
, computes:

({ũ> >e
j }, ρ) ← share(f, c U0 ), and returns the following appropriately distributed (SF) challenge
ciphertext:
!
ctf := [c> ]1 , {[ũ> + (µj + r> wρ(j) )(b⊥ )> + c> W
j j
f ρ(j) ]1 , [c> ]1 }, e([c> ]1 , [v]2 ) · Mb
j j
!
>
= [c ]1 , {[ũ>
j
⊥ >
+ µj (b ) + c>
j Wρ(j)
f + r> ⊥ > >
j wρ(j) (b ) ]1 , [cj ]1 },
>
e([c ]1 , [v]2 ) · Mb
| {z } | {z }
≡share(f,c> U0 ) =c>
j Wρ(j)

Note that {µj (b⊥ )> } is distributed like the output of share(f, µ(b) (b⊥ )> ), and therefore due to
linearity and the fact that c> U0 = c> U e 0 + µ(b) (b⊥ )> , then {ũ> + µj (b⊥ )> } is distributed like
j
share(f, c> U
e 0 + µ(b) (b⊥ )> ) ≡ share(f, c> U0 ). Also, note that c> Wi = c> W f i + rj wρ(j) b⊥ since
j j
c> ⊥
j A = rj .
– For the first ` − 1 secret keys requested, say the qth request is for x, A0 draws δ (q) , r(q) ← Zkp ,
and forms the following (SF) key:

skx = ( [v + A⊥ δ (q) + U
e Br(q) ] , [Br(q) ]2 , {[W
f Br(q) ] } )
| 0 {z } 2 | i{z } 2 xi =1
=U0 Br(q) =Wi Br(q)

33
 – For the last Q − ` secret keys requested, A0 proceeds as before for the first ` − 1 keys except
using just v instead of v + A⊥ δ (q) . It is easy to see that it forms a Normal key.
– For the `th secret key requested, say for x, queries OX (x) → ( {wi }xi =1 ) in G1-abe
β , then uses
these components to return:

skx = ( [ ṽ + U
e d f + A⊥ wi (b⊥ )> )d]2 }x =1 )
]2 , [d]2 , {[(W
| {z 0 } | i {z } i

(µ(0) −µ(b) )((b⊥ )> d) ⊥ =Wi d

=v+ A u+U0 d
(c> A⊥ u)

(µ(0) −µ(0) )((b⊥ )> d) ⊥

If β = 0, then the `th key is a P-Normal key since v + (c> A⊥ u)
A u = v.
(0) (1)
(µ −µ )((b ) d) ⊥ >
If β = 1, then the `th key is a P-SF key, where δ (`) = (c> A⊥ u)
u.

Putting everything together, for β ∈ {0, 1}, when A0 interacts with G1-abe
β , then A0 simulates H2,`,1+β .
So:

| Pr[hA, H2,`,1 i = 1] − Pr[hA, H2,`,2 i = 1]| ≤ | Pr[hA0 , G1-abe

0 i = 1] − Pr[hA0 , G1-abe
1 i = 1]|

and from Theorem 2, we then have:

| Pr[hA, H2,`−1 i = 1] − Pr[hA, H2,` i = 1]| ≤ 26d · 8d · n · AdvBk-Lin

∗ (λ)

t
u

Lemma 13 (H2,`,2 ≈c H2,`,3 ).

| Pr[hA, H2,`,2 i = 1] − Pr[hA, H2,`,3 i = 1]| ≤ AdvAk-Lin

0 (λ)

Proof. Omitted, since the proof is completely analogous to that of Lemma 11, using v + A⊥ δ (`) for
a new random δ (`) instead of v when creating the `th key.

Lemma 14 (H2,Q,3 ≈c H3 ).
1
| Pr[hA, H2,Q,3 i = 1] − Pr[hA, H3 i = 1]| ≤
p

Proof. These two hybrids are identically distributed conditioned on c> A⊥ 6= 0. To see this, consider
two ways of choosing v: v = ṽ ← Z2k ⊥ k
p and v = ṽ + A m̃ for an independently random m̃ ← Zp .
Note that both result in v having a uniform distribution.
Using ṽ to simulate hybrid H2,Q,3 obviously results in H2,Q,3 (where v = ṽ). However, using
the identically distributed v = ṽ + A⊥ m̃ to simulate H2,Q,3 results in H3 (where M · [c> A⊥ m̃]T
is a randomly distributed message as long as c> A⊥ 6= 0, and for redefined independently random
(i)
δ̃ = δ (i) + m̃ in the secret keys).
c is chosen at random and independent from A⊥ 6= 0, so c> A⊥ = 0 with probability p1 , and
since we know that H2,Q,3 ≡ H3 conditioned on c> A⊥ 6= 0, then we have:
1
| Pr[hA, H2,Q,3 i = 1] − Pr[hA, H3 i = 1]| ≤
p
t
u

Theorem 4 (adaptive CP-ABE). The CP-ABE construction in Appendix A.1 is adaptively

secure under the MDDHk assumption.

34
Proof. Note that since H1 ≡ H2,0,3 :

| Pr[hA, H0 i = 1] − Pr[hA, H3 i = 1]| ≤| Pr[hA, H0 i = 1] − Pr[hA, H1 i = 1]|

Q
X
+ | Pr[hA, H2,`−1,3 i = 1] − Pr[hA, H2,`,1 i = 1]|
`=1
XQ
+ | Pr[hA, H2,`,1 i = 1] − Pr[hA, H2,`,2 i = 1]|
`=1
XQ
+ | Pr[hA, H2,`,2 i = 1] − Pr[hA, H2,`,3 i = 1]|
`=1
+ | Pr[hA, H2,Q,3 i = 1] − Pr[hA, H3 i = 1]|

Summing the results of Lemmas 10, 11, 12, 13, and 14, we then have that:
1
| Pr[hA, H0 i = 1]−Pr[hA, H3 i = 1]| ≤ AdvBk-Lin
∗ (λ)+2·Q·AdvBk-Lin
∗ (λ)+Q·26d ·8d ·n·AdvBk-Lin
∗ (λ)+
p

If d = O(log n), then under the k-Lin assumption this quantity is a negligible function of λ (the
number of queries made Q and the attribute vector length n are both polynomial in λ, and p1 is a
negligible function of λ). It’s easy to see that Advabe
A (λ) = 0 in the H3 hybrid game (since a random
message is encrypted in the challenge ciphertext). So, any adversary in the real game (H0 ) will have
advantage negligibly close to 0, and our construction satisfies adaptive security. t
u

35
B Our Unbounded KP-ABE Scheme

In this section, we use the modular technique presented in [CGKW18] to transform our KP-ABE
construction from Section 6 (for NC1 that is compact and adaptively secure under the MDDHk
assumption in asymmetric prime-order bilinear groups) into a construction with the same properties
plus an added benefit that the scheme is unbounded (that is, the public parameters are of constant
size [LW11]).

B.1 Unbounded KP-ABE Construction

Setup(1λ , 1n ) : Run G = (p, G1 , G2 , GT , e) ← G(1λ ). Sample

A1 ← Zpk×(2k+1) , W, W0 , W1 ← Z(2k+1)×k
p , v ← Z2k+1
p

and output:

msk := ( v, W, W0 , W1 )
mpk := ( [A1 ]1 , [A1 W]1 , [A1 W0 ]1 , [A1 W1 ]1 , e([A1 ]1 , [v]2 ) )

Enc(mpk, x, M ) : Sample s, si ← Zkp . Output:

ctx = (ct1 , {ct2,i , ct3,i }xi =1 , ct4 )

:= ( [s> A1 ]1 , {[s> A1 W + s> > >
i A1 (W0 + i · W1 )]1 , [si A1 ]1 }xi =1 , e([s A1 ]1 , [v]2 ) · M )

KeyGen(mpk, msk, f ) : Sample ({vj }, ρ) ← share(f, v), rj ← Zkp . Output:

skf = ({sk1,j , sk2,j , sk3,j }, {sk4,j })

:= ( {[vj + Wrj ]2 , [rj ]2 , [(W0 + ρ(j) · W1 )rj ]2 }ρ(j)6=0 , {[vj ]2 }ρ(j)=0 )
X
Dec(mpk, skf , ctx ) : Compute ωj such that v = ωj vj as described in Section 5.1.
ρ(j)=0∨xρ(j)=1
Output: ωj
Y  e(ct2,ρ(j) , sk2,j ) Y
ct4 · · e(ct1 , sk4,j )−ωj
xρ(j)=1
e(ct1 , sk1,j ) · e(ct3,ρ(j) , sk3,j )
ρ(j)=0

B.2 Correctness
Correctness relies on the fact that for all j, we have
e(ct1 , sk1,j ) · e(ct3,ρ(j) , sk3,j )
= [s> A1 vj ]T
e(ct2,ρ(j) , sk2,j )

which follows from the fact that

s> A1 vj = s> A1 ·(vj + Wrj )−(s> A1 W + s> >

ρ(j) A1 (W0 + ρ(j) · W1 )) · rj + sρ(j) A1 · (W0 + ρ(j) · W1 )rj
| {z } | {z } | {z } |{z} | {z } | {z }
ct1 sk1,j ct2,ρ(j) sk2,j ct3,ρ(j) sk3,j

and also the fact that for all j,

e(ct1 , sk4,j ) = [s> A1 vj ]T

36
 Therefore, for all f, x such that f (x) = 1, we have:
ωj
Y  e(ct2,ρ(j) , sk2,j )) Y
ct4 · · e(ct1 , sk4,j )−ωj
xρ(j)=1
e(ct1 , sk1,j ) · e(ct3,ρ(j) , sk3,j )
ρ(j)=0
−ωj
Y
= M · [s> A1 v]T · [s> A1 vj ]T
ρ(j)=0∨xρ(j)=1
X
= M · [s> A1 v]T · [−s> A1 ωj vj ]T
ρ(j)=0∨xρ(j)=1
> >
= M · [s A1 v]T · [−s A1 v]T
=M

B.3 Adaptive Security

Entropy expansion lemma. Our security proof relies on the “entropy expansion lemma” in
[CGKW18]. First, we introduce some additional notation. Let A be a matrix over Zp . We use
span(A) to denote the column span of A, and we use span` (A) to denote matrices of width ` where
each column lies in span(A); this means M ←r span` (A) is a random matrix of width ` where each
column is chosen uniformly from span(A). We use basis(A) to denote a basis of span(A), and we
use (A1 | A2 ) to denote the concatenation of matrices A1 , A2 .
Pick random
A1 ←r Z`p1 ×` , A2 ←r Z`p2 ×` , A3 ←r Z`p3 ×`
k k k k
where ` := `1 + `2 + `3 . Let (A1 | A2 | A3 )> denote the inverse of (A> > >
1 | A2 | A3 ), so that Ai Ai = I
k
(known as non-degeneracy) and Ai Aj = 0 if i 6= j (known as orthogonality). Here, we focus on the
case (`1 , `2 , `3 ) = (k, 1, k) and so ` = 2k + 1.

Lemma 15 (entropy expansion lemma [CGKW18]). Under the MDDHk assumption, we have
 
 aux : [A1 ]1 , [A
  1 W]1 , [A1 W0 ]1 , [A1 W1 ]1 

ct : [c > ] , [c> W + c> (W + i · W )] , [c> ]
D0 :=  1 i 0 1 1 i 1 i∈[n]
 sk : [WDi ]2 , [Di ]2 , [(W0 + i · W1 )Di ]2
 

i∈[n]
≈c

aux : [A1 ]1 , [A1 W]1 , [A1 W0 ]1 , [A1 W1 ]1


 

(2) (2)
ct : [ c > ]1 , [ c > (W + Vi ) + ci > (W0 + i · W1 + Ui )]1 , [ ci >
  
D1 := ]1 i∈[n]
 
  (2) (2) 
sk : [(W + Vi )Di ]2 , [Di ]2 , [(W0 + i · W1 + Ui )Di ]2 i∈[n]
 

(2k+1)×k (2) (2) k

where W, W0 , W1 ←r Zp , Vi , Ui ←r spank (A2 ), Di ←r Zk×k p , and c, ci ←r span(A>
1)
> >
in the left distribution while c, ci ←r span(A1 , A2 ) in the right distribution, where the concrete
security loss | Pr[A0 (D0 ) = 1] − Pr[A0 (D1 ) = 1]| ≤ (5n + 1) · AdvBk-Lin
0 (λ).

This lemma allows us to use a hybrid proof to first transition to a game in which the challenge
ciphertext and secret keys have components in the A2 space which mirror those of our (bounded)
construction of Section 6. We then follow the same proof structure as in Section 6.

37
Description of hybrids A ciphertext can be in one of the following forms:

– Normal: generated as in the scheme.

– SF: same as a Normal ciphertext, except s> A1 , s> > > 2k+1 and we use
i A1 replaced with c , ci ← Zp
the substitution:

b i := W + V(2) in ith component, and W0 + i · W1 → U

W→V b i := W0 + i · W1 + U(2) (3)
i i

(2) (2) k
where Ui , Vi ← spank (A2 ). Concretely, a SF ciphertext is of the form:

ctx := ( [c> ]1 , {[c> V

b i + c> U
i
b i ]1 , [c> ]1 }x =1 , e([c> ]1 , [v]2 ) · M )
i i

A secret key can be in one of the following forms:

– Normal: generated as in the scheme.

– P-SF: same as a Normal key, except we use the same substitution as in (3), concretely making a
P-SF key of the form:

skf := ( {[vj + V b ρ(j) rj ]2 }ρ(j)6=0 , {[vj ]2 }ρ(j)=0 )

b ρ(j) rj ]2 , [rj ]2 , [U

– SF: same as a P-SF key, except v replaced with v + δa⊥ , where a fresh δ ← Zp is chosen per SF
k
key and a⊥ ← span(A2 ) \ {0}.

Hybrid sequence. Suppose the adversary A makes at most Q secret key queries. The hybrid
sequence is as follows:

– H0 : real game
– H1 : same as H0 , except all keys are P-SF, and we use a SF ciphertext.
– H2,` , ` = 0, . . . , Q: same as H1 , except the first ` keys are SF and the remaining Q − ` keys are
P-SF.
– H3 : replace M with random M f.

Proof overview.

– We have H0 ≈c H1 ≡ H2,0 via Lemma 15. In the reduction, on input

 
> > > >
 aux : [A1 ]1 , [A
  1 W]1 , [A1 W0 ]1 , [A1 W1 ]1 

ct : [C0 ]1 , [C1,i ]1 , [C2,i ]1 i∈[n] ,

 sk : [K0,i ]2 , [K1,i ]2 , [K2,i ]2
 

i∈[n]

we sample v ←r Z2k+1
p , compute ({vj }, ρ) ← share(f, v), draw r̃j,` ←r Zkp for shares j and keys
` ∈ [Q], and simulate the game with
 > 
 mpk : aux, e([A 1 ]1 , [v]2 ) 
ctx : [C0 ]1 , [C1,i ]1 , [C2,i ]1 i:x =1 , e([C0 ]1 , [v]2 ) · Mb .
 `  i 
skf : [vk + K0,ρ(j) r̃j,` ]2 , [K1,ρ(j) r̃j,` ]2 , [K2,ρ(j) r̃j,` ]2

In both cases, we set rj,` := Dρ (j)r̃j,` where Di ←r Zk×k

p as defined in the entropy expansion
lemma (Lemma 15). Therefore all rj,` are uniformly distributed over Zkp with high probability.

38
 – We have H2,`−1 ≈c H2,` , for all ` ∈ [Q]. The difference between the two is that we switch the
`’th skf from P-SF to SF using the adaptive security of our core 1-ABE component in G1-abe
from Section 5.
The idea is to sample
v = ṽ + µa⊥
k
where a⊥ ← span(A2 ) \ {0} so that mpk can be computed using ṽ and perfectly hides
µ, w1 , . . . , wn . Roughly speaking: the reduction
• uses OX (x) in G1-abe to simulate the challenge ciphertext
• uses OF (f ) in G1-abe to simulate `’th secret key
• uses µ(0) from G1-abe together with OE (i, ·) = Enc(wi , ·) to simulate the remaining Q − `
secret keys
– We have H2,Q ≡ H3 . In H2,Q , the secret keys only leak v + δ1 a⊥ , . . . , v + δQ a⊥ . This means that
c> v is statistically random (as long as c> a⊥ 6= 0).
Lemma 16 (H0 ≈c H1 ≡ H2,0 ).
| Pr[hA, H0 i = 1] − Pr[hA, H1 i = 1]| ≤ (5n + 1) · AdvBk-Lin
0 (λ)
Proof. Consider the following adversary A0 attempting to distinguish the distributions in the Entropy
Expansion Lemma 15, which internally simulates A and the challenger in the ABE security game:
– A0 receives input:
 
> > W] , [A> W ] , [A> W ] 
 aux : [A1 ]1 , [A
  1 1 1 0 1 1 1 1 
Dβ = ct : [C0 ]1 , [C1,i ]1 , [C2,i ]1 i∈[n]

 sk : [K0,i ]2 , [K1,i ]2 , [K2,i ]2
 

i∈[n]

– First, A0 samples v ←r Z2k+1

p and outputs:
mpk := ( [A1 ]1 , [A1 W]1 , [A1 W0 ]1 , [A1 W1 ]1 , e([A1 ]1 , [v]2 ) ),
– When A requests a challenge ciphertext for attribute x along with M0 , M1 , A0 samples b ← {0, 1}
(the challenge bit in the standard ABE security game) and returns the following challenge
ciphertext for A:

ctx := [C0 ]1 , [C1,i ]1 , [C2,i ]1 i:x =1 , e([C0 ]1 , [v]2 ) · Mb
i

– For any secret keys requested, say for formula f , A0

computes ({vj }, ρ) ← share(f, v), draws
k
r̃j ←r Zp and forms the following key:

skf := [vj + K0,ρ(j) r̃j ]2 , [K1,ρ(j) r̃j ]2 , [K2,ρ(j) r̃j ]2
Notice that if β = 0 (the input to A0 was drawn from distribution D0 defined in Lemma 15),
then the challenge ctx and all skf are Normal, and if β = 1 (the input to A0 was drawn from
distribution D1 ), then ctx is distributed as a SF ciphertext and all skf are distributed as P-SF
keys.
Putting everything together, for β ∈ {0, 1}, when A0 interacts with Dβ , then A0 simulates Hβ . It
follows then that:
| Pr[hA, H0 i = 1] − Pr[hA, H1 i = 1]| ≤ | Pr[A0 (D0 ) = 1] − Pr[A0 (D1 ) = 1]|
From Lemma 15, we then have:
| Pr[hA, H0 i = 1] − Pr[hA, H1 i = 1]| ≤ (5n + 1) · AdvBk-Lin
0 (λ)
t
u

39
Lemma 17 (H2,`−1 ≈c H2,` ).

| Pr[hA, H2,`−1 i = 1] − Pr[hA, H2,` i = 1]| ≤ 26d · 8d · n · AdvBk-Lin

∗ (λ)

Proof. For each β ∈ {0, 1}, consider the following adversary A0 in G1-abe
β which internally simulates
A and the challenger in the ABE security game:
k×(2k+1) 1×(2k+1) (2k+1)×k
– First, A0 samples A1 , A3 ← Zp , A2 ← Zp , W, W0 , W1 ← Zp , ṽ ← Z2k+1
p ,
(2) (2k+1)×k (2) (2k+1)×k k k
samples (Ui ∈ Zp ), (V
e
i ∈ Zp ) ← spank (A2 ) and (a⊥ ∈ Z2k+1
p ) ← span(A2 ) \
{0}, and implicitly defines
(2) (2)
v := ṽ + µ(0) a⊥ , Vi := V
e
i + a⊥ wi

where µ(0) ∈ Zp , wi ∈ Zkp is chosen in G1-abe

β . (Note that v is distributed randomly in Z2k+1
p and
(2) k
Vi is distributed like the output of spank (A2 )). Then, A0 outputs:

mpk := ( [A1 ]1 , [A1 W]1 , [A1 W0 ]1 , [A1 W1 ]1 , e([A1 ]1 , [ṽ]2 ) ),

– When A requests a challenge ciphertext for attribute x along with M0 , M1 , A0 queries OX (x) →
( {wi }xi =1 ) in G1-abe
β . A0 then samples c, ci ← Z2k+1
p and b ← {0, 1} (the challenge bit in the
standard ABE security game) and returns the following (SF) challenge ciphertext for A:
!
[c> ]1 , {[c> (W + e (2) + a⊥ wi ) +c> W0 + i · W1 +
(2)
Ui ]1 , [c> e([c> ]1 , [ṽ + µ(0) a⊥ ]2 )·Mb
ctx := V i ]1 }xi =1 ,
| i
{z } i | {z } | {z }
=v
V
bi U
bi

– For the first ` − 1 secret keys requested, say for formula f , A0 computes
⊥
({vj }, ρ) ← share(f, ṽ
| +{zδ̃a })
=v+δa⊥

where δ̃ ← Zp is drawn independently for each key (here, the per-key δ = δ̃ − µ(0) implicitly).
> r ] , [r ] ) in G1-abe (since O (ρ(j), [0] ) =
Next, for each j, it queries OE (ρ(j), [0]2 ) → ([wρ(j) j 2 j 2 β E 2
CPA.Encwρ(j) ([0]2 )), and forms the following (SF) key:

e (2) )rj + a⊥ w> rj ]2 , [rj ]2 , [(W0 + ρ(j) · W1 + U(2) )rj ]2 }ρ(j)6=0 , {[vj ]2 }ρ(j)=0 )
skf := ( {[vj + (W + V ρ(i) ρ(j) ρ(j)
| {z } | {z }
vj +V
b ρ(j) rj U
b ρ(j) rj

– For the last Q − ` secret keys requested, say for formula f , A0 proceeds as before for the first
` − 1 keys except
({vj }, ρ) ← share(f, ṽ + µ(0) a⊥ )
| {z }
=v
It is easy to see that it forms a P-SF key.
– For the `th secret key requested, say for formula f , A0 computes ({vj }, ρ) ← share(f, ṽ), queries
> r ] , [r ] } ) in G1-abe , then uses these components to return:
OF (f ) → ( {[µj + wρ(j) j 2 j 2 β

e (2) )rj + a⊥ (µj + w> rj )]2 , [rj ]2 , [(W0 + ρ(j) · W1 + U(2) )rj ]2 }ρ(j)6=0 , {[vj ]2 }ρ(j)=0 )
skf := ( {[vj + (W + V ρ(i) ρ(j) ρ(j)
| {z } | {z }
(vj +µj a⊥ )+V
b ρ(j) rj U
b ρ(j) rj

40
 We claim that if β = 0, then skf is a P-SF key, and if β = 1, then skf is a SF key. This follows
the fact that thanks to linearity, the shares

({vj + µj a⊥ }, ρ), where ({vj }, ρ) ← share(f, ṽ), ({µj }, ρ) ← share(f, µ(β) )

are identically distributed to share(f, ṽ + µ(β) a⊥ ). The claim then follows from the fact that
ṽ + µ(0) a⊥ = v and that ṽ + µ(1) a⊥ is identically distributed to v + δa⊥ (where δ = µ(1) − µ(0)
is a fresh random value for this key).

Putting everything together, for β ∈ {0, 1}, when A0 interacts with G1-abe
β , then A0 simulates
H2,`−1+β . It follows then that:

| Pr[hA, H2,`−1 i = 1] − Pr[hA, H2,` i = 1]| ≤ | Pr[hA0 , G1-abe

0 i = 1] − Pr[hA0 , G1-abe
1 i = 1]|

From Theorem 2, we then have:

| Pr[hA, H2,`−1 i = 1] − Pr[hA, H2,` i = 1]| ≤ 26d · 8d · n · AdvBk-Lin

∗ (λ)

t
u

Lemma 18 (H2,Q ≈s H3 ).

1
| Pr[hA, H2,Q i = 1] − Pr[hA, H3 i = 1]| ≤
p

Proof. These two hybrids are identically distributed conditioned on c> a⊥ = 6 0. To see this, consider
two ways of sampling v: as ṽ ← Zp 2k+1 ⊥
and as ṽ + m̃a for an independent m̃ ← Zp . Note that both
result in v having a uniform distribution.
Using ṽ to simulate hybrid H2,Q obviously results in H2,Q (where v = ṽ). However, using the
identically distributed v = ṽ + m̃a⊥ to simulate H2,Q results in H3 (where Mf = M · e([c> ]1 , [m̃a⊥ ]2 )
is randomly distributed as long as c> a⊥ 6= 0, and for redefined independently random δ̃i := δi + m̃
in the secret keys).
c is chosen at random and independent from a⊥ = 6 0, so c> a⊥ = 0 with probability p1 , and since
we know that H2,Q ≡ H3 conditioned on c> a⊥ 6= 0, then we have:

1
| Pr[hA, H2,Q i = 1] − Pr[hA, H3 i = 1]| ≤
p
t
u

Theorem 5 (adaptive unbounded KP-ABE). The unbounded KP-ABE construction in Ap-

pendix B.1 is adaptively secure under the MDDHk assumption.

Proof.

| Pr[hA, H0 i = 1] − Pr[hA, H3 i = 1]| ≤| Pr[hA, H0 i = 1] − Pr[hA, H1 i = 1]|

Q
X
+ | Pr[hA, H2,`−1 i = 1] − Pr[hA, H2,` i = 1]|
`=1
+ | Pr[hA, H2,Q i = 1] − Pr[hA, H3 i = 1]|

41
(Since H1 ≡ H2,0 ). Summing the results of Lemmas 16, 17, and 18, we then have:

1
| Pr[hA, H0 i = 1] − Pr[hA, H3 i = 1]| ≤ (5n + 1) · AdvBk-Lin
0 (λ) + Q · 26d · 8d · n · AdvBk-Lin
∗ (λ) +
p

If d = O(log n), then under the k-Lin assumption this is a negligible function of λ (the number of
queries made Q and the attribute vector length n are both polynomial in λ, and p1 is a negligible
function of λ). It’s easy to see that Advabe
A (λ) = 0 in the H3 hybrid game (since a random message is
encrypted in the challenge ciphertext). So, any adversary in the real game (H0 ) will have advantage
negligibly close to 0, and our construction satisfies adaptive security. t
u

42